Label Security Limitations

Similar Messages

• Using non-alphabetical symbols in Oracle Label Security API

  I decide to use Oracle Label Security Release 9.0.1 , but I have some problems in realization . When I try to use function sa_policy_admin.apply_table_policy with
  following parameters:
  sa_policy_admin.apply_table_policy(
  POLICY_NAME => 'policy1',
  SCHEMA_NAME => 'domain1\user1',
  TABLE_NAME => 'table1'
  I receive messages :
  ORA-00604: error occurred at recursive SQL level 1
  ORA-00911: invalid character
  ORA-00911: invalid character
  ORA-06512: at "LBACSYS.LBAC_POLICY_ADMIN", line 251
  ORA-06512: at line 2
  Tell me please , may be there are any limitations on parameter SCHEMA_NAME in function ,
  because this function can't understand symbol "\".
  Note 1: It is obligatory to use symbol "\" in schema_name ,
  because I have to connect to DB as external user (user of Windows 2000 Server).
  Note 2: ORA-00911 invalid character
  Cause: Special characters are valid only in certain places. If special characters other than $, _, and # are used in a name and the name is not enclosed in double quotation marks ("), this message will be issued. One exception to this rule is for database names; in this case, double quotes are stripped out and ignored.
  Action: Remove the invalid character from the statement or encl[i]Long postings are being truncated to ~1 kB at this time.

  Yes I have with 10gr3
  It can be made to work but perhaps not in the way you want (per user?). Your label security will need to have policies based on something.
  I did a proof of concept using Security Group column as the 'label'. Then applied VPD policies based on which network the request came from (1 DB rac node in each network).
  In my case I wanted to show ALL content to a secure network but a subset of content to the lower security network. For this use case it is ideal.
  It worked flawlessly...not supported though
  Apparently OLS is on roadmap or UCM (WCC) so ask Oracle and see if you can find out if it is slated for any particular release yet.
  Tim

• How to install Oracle Label Security in Oracle Database 10g EE

  Hello All
  I just want to know how to install Oracle Label Security in Oracle 10g Database EE.
  I read in Oracle Enterprise Manager Grid Control Installation and Basic Configuration that Label Security must be installed before installing Enterprise Manager Grid Control.
  I have Oracle Database 10g Release 1 (10.1.0.1) on my Windows XP System, and I patch it to 10.1.0.3.
  M.
  Sorry about my English.

  Options is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID)to administer Oracle Label Security.
  Find more ways in the Documentation here:
  http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

• Enabling Oracle Label Security on 9.2.0.7 database

  Hi there,
  I have installed the option Oracle Label Security and patched it to 9.2.0.7. I have then run the script $ORAHOME\rdbms\admin\catols.sql . Which re-starts the database.
  But when I run the below example I get the below error.
  SQL> CONNECT lbacsys/lbacsys
  Connected.
  SQL> EXECUTE SA_SYSDBA.CREATE_POLICY( -
  'FACILITY','FACLAB','READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
  BEGIN SA_SYSDBA.CREATE_POLICY( 'FACILITY','FACLAB','READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE'); END;
  ERROR at line 1:
  ORA-00439: feature not enabled: Oracle Label Security
  ORA-06512: at "LBACSYS.LBAC_SYSDBA", line 107
  ORA-06512: at "LBACSYS.SA_SYSDBA", line 43
  ORA-06512: at line 1
  I have also noticed that in the v$option view shows the
  PARAMETER VALUE
  Oracle Label Security FALSE
  I have compared the number of objects to metalink article 171155.1 How to Install / Deinstall Oracle Label Security and all the objects seem to be in the schema.
  Also I check the version and saw below.
  SQL> conn dba/
  Connected.
  SQL> COL comp_name FORMAT A32
  SQL> COL version FORMAT A16
  SQL> SELECT
  2 comp_id
  3 ,comp_name
  4 ,version
  5 FROM dba_registry
  6 where comp_id='OLS';
  COMP_ID COMP_NAME VERSION
  OLS Oracle Label Security 9.2.0.7.0
  1 rows selected.
  SQL>
  Anyone know how I can enable Oracle Label Security is that it works?
  TIA
  Ed

  I still have some old 9.2.0.8 databases running on both HP-UX and AIX and have clients on 10.2g which doesn't manifest any problem .

• Advance Replication and Oracle Label Security

  Has anyone been able to configure both Advance Replication and Oracle Label Security to work together?

  This is currently not supported in Streams. I have an enhancement request in with Oracle for this functionality. This won't be seen in 11g R2 either.
  Has anyone done Label Security with Advance Replication?

• Can/How does Label Security integrate with Documentum Trusted Content Serv

  How easy wouldit be to use Oracle Label Security to manage all information in the Oracle dabase including Documentum metadata so that a single security policy cn be defined..at least for the information stored in the Oracle database.
  How does the documentum security tag get mapped to an OLS label?
  Customer needs only a high level understanding...
  Steve Flournoy

  I am not familiar with documentum but you can use OLS for:
  Row level security based on labels added to the tables you want to protect. Apply the labels to the documentum metadata tables and you have implemented OLS. The Documentum tags can be mapped to OLS labels in Oracle Policy Manager:
  Set up the OLS labels just like the documentum security tags in Oracle Policy Manager .
  For even more customization use Application Contexts and Virtual Private Database Policies.

• OID-Integrated Label Security with HTMLDB?

  Hi,
  I've followed the how-to document to integrate Oracle Label Security with Oracle Internet Directory.(http://www.oracle.com/technology/deploy/security/database-security/howtos/ols_oid-how-to.html).
  I've successfully created a label security policy for the HR.LOCATIONS table. I would like that same policy to be effective on any query regions in an HTMLDB application.
  I created a test application in HTMLDB, and changed the authentication scheme to be LDAP. It uses Oracle Internet Directory to authenticate the users, and this works successfully.
  However, when I login with an OID user that has been assigned to use the policy, I get no rows returned.
  What is a good way to integrate my label security policy with my htmldb applicaton so that it works within HTMLDB and outside of HTMLDB?
  I saw the technote to use VPD, but when I tried this, it caused my label security policy to stop working. I somehow made it conflict...(http://www.oracle.com/technology/pub/notes/technote_htmldb_vpd.html)
  I guess I'm just not sure what the VPD function should look like after I've already created a Label Security Policy.
  I basically want it to look at the APP_USER and then apply the policy appropriately.
  Thanks,
  Nora

  Scott,
  It still worked in SQLPLUS when I typed 'set role none' first.
  The way I granted PROFILE_ACCESS was through a label security command:
  SQL> exec sa_user_admin.set_user_privs('senspolicy','parse_schema','FULL,PROFILE_ACCESS');
  It seems like this is the only way..
  It just seems strange that it works in SQLPLUS. I'm trying to figure out what other permissions I need for HTMLDB.
  Thanks again,
  Nora
  SQL*Plus: Release 10.2.0.1.0 - Production on Wed May 16 16:38:20 2007
  Copyright (c) 1982, 2005, Oracle. All rights reserved.
  Enter user-name: parse_schema/<password>@testls
  Connected to:
  Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
  With the Partitioning, Oracle Label Security, OLAP and Data Mining options
  SQL> set role none;
  Role set.
  SQL> select count(*) from hr.locations;
  COUNT(*)
  23
  SQL> exec sa_session.set_access_profile('senspolicy','PUB');
  PL/SQL procedure successfully completed.
  SQL> select count(*) from hr.locations;
  COUNT(*)
  17
  SQL>

• Using Content Manager with OLS - Oracle Label Security

  There are two entries in this forum with OLS - the last one in 2005.
  Has any one successfully deployed UCM with OLS?
  Thanks,
  Paul

  Yes I have with 10gr3
  It can be made to work but perhaps not in the way you want (per user?). Your label security will need to have policies based on something.
  I did a proof of concept using Security Group column as the 'label'. Then applied VPD policies based on which network the request came from (1 DB rac node in each network).
  In my case I wanted to show ALL content to a secure network but a subset of content to the lower security network. For this use case it is ideal.
  It worked flawlessly...not supported though
  Apparently OLS is on roadmap or UCM (WCC) so ask Oracle and see if you can find out if it is slated for any particular release yet.
  Tim

• How to install "Oracle Label Security" on "Oracle Developers Day" VM?

  Hello,
  I downloaded and started the "Oracle Developers Day" pre-built virtual machine using VirtualBox.
  I need to install Oracle Label Security in order to make some tests with it. So:
  1) Do we have the installation folder of Oracle Enterprise Edition somewhere on the VM?
  2) If not, how can I install OLS? Do I have to use shared folder to mount the installation media? How can I mount the installation folder, which I downloaded and stored on the host machine? Could you, please, provide step-by-step example?
  Thank you in advance.
  Beroetz

  Options is to connect to Oracle Policy Manager or use Oracle Internet Directory (OID)to administer Oracle Label Security.
  Find more ways in the Documentation here:
  http://download-uk.oracle.com/docs/cd/B19306_01/network.102/b14267/toc.htm

• Has anybody used Label Security  in Oracle 9i?

   

  Label security does not appear to work on the IFS. All the references I can find are to ACLs rather than labels.
  See http://technet.oracle.com/doc/ifs/user_guide/access.htm#1010140
  for details of setting up user defined ACLs.
  Regards
  Kevin
  www.braintree.co.uk

• Downloading Label Security

  Is Oracle Label Security for 9i (solaris) available for download and if so where?
  Thanks
  Tom

  If the Mcafee is still available, then make sure you use your mother in Laws computer not your own.
  toekneem
  http://www.no2nuisancecalls.net
  (EASBF)

• OLS Label Security: how users can view own level/compartment/group choices?

  I have an application using OLS (Oracle Label Security) Virtual Database (VDB) for security; to allow users to only view rows to which they have access.
  I'm creating a list of values (LOV) to allow the user to change the level or compartment of a database record to a different value for which they still have access. The views that show these values is DBA_SA_USER_LEVELS (and COMPARTMENTS, GROUPS) but this view is only visible to DBA users, not the regular user. We are considering giving regular users access to this view, or granting SELECT_ALL_TABLES as suggested in an article I read. However, this approach seems to loosen security, not maintain it.
  How can I allow a user to get a list of levels, compartments or groups available to them without loosening the security on the DBA_* views?
  thanks,
  Scott

  Bump

• Label security on VPD?

  I have a question on label security.(i am new in Oracle security area)
  The 9i Label Security is built on VPD(virtual private database). Does this means you have to set up VPD before you use the Label Security?
  I am trying to run the Label Security demo/sample(in ALlSchema.zip), and I saw the tables has DN field which is used in VPD demo. I guess if i want to use Lable security i have to use VPD too, but it is not metioned in the demo/sample that the VPD is required.
  Thanks in advance for any help.
  Tim

  label security automatically sets up VPD. you should not need to worry about how label security is implemented.
  <BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:</font><HR>Originally posted by [email protected]:
  I have a question on label security.(i am new in Oracle security area)
  The 9i Label Security is built on VPD(virtual private database). Does this means you have to set up VPD before you use the Label Security?
  I am trying to run the Label Security demo/sample(in ALlSchema.zip), and I saw the tables has DN field which is used in VPD demo. I guess if i want to use Lable security i have to use VPD too, but it is not metioned in the demo/sample that the VPD is required.
  Thanks in advance for any help.
  Tim<HR></BLOCKQUOTE>
  null

• Trying to use Oracle Label Security with a XMLType

  Hi everybody.
  I'm trying to apply some of the Oracle Label Security functionalities to a table created from the annotations of a XML Schema
  (Below I show part of this XML Schema:
  <?xml version="1.0" encoding="UTF-8"?>
  <xs:schema xmlns:xdb="http://xmlns.oracle.com/xdb"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  elementFormDefault="qualified"
  attributeFormDefault="unqualified">
  <xs:element name="FILE_INFO" xdb:SQLType="FILE_INFO" xdb:defaultTable="TABLE_FILE_INFO">
  <xs:complexType>
  <xs:choice>
  <xs:element name="FILE_INFO_DICOM"
  type="FILE_INFO_DICOM_TYPE" />
  <xs:element name="FILE_INFO_ANALYZE"
  type="FILE_INFO_ANALYZE_TYPE" />
  </xs:choice>
  </xs:complexType>
  </xs:element>
  <xs:complexType name="FILE_INFO_DICOM_TYPE" xdb:SQLType="FILE_INFO_DICOM_TYPE">
  <xs:sequence>
  <xs:element name="ELEMENT_INFO_DICOM"
  type="ELEMENT_INFO_DICOM_TYPE"
  minOccurs="0"
  maxOccurs="unbounded"
  xdb:defaultTable="TABLE_ELEMENT_INFO_DICOM"
  xdb:SQLInline ="false"/>
  </xs:sequence>
  </xs:complexType>
  <xs:complexType name="ELEMENT_INFO_DICOM_TYPE" xdb:SQLType="ELEMENT_INFO_DICOM_TYPE">
  <xs:all>
  <xs:element name="Description" type="xs:string" minOccurs="0" maxOccurs="1" />
  <xs:element name="GroupTag" type="xs:string" minOccurs="0" maxOccurs="1" />
  <xs:element name="ElementTag" type="xs:string" minOccurs="0" maxOccurs="1" />
  <xs:element name="VR" type="xs:string" minOccurs="0" maxOccurs="1"/>
  <xs:element name="Value" type="xs:string" minOccurs="0" maxOccurs="1"/>
  </xs:all>
  </xs:complexType>
  ................etc
  I've created a security policy that I have tested on relational tables (not based on any object type) and works correctly.
  BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'policy1',
  schema_name => 'oe',
  table_name => 'TABLE_FILE_INFO',
  table_options => 'LABEL_DEFAULT, READ_CONTROL, WRITE_CONTROL',
  label_function => NULL,
  predicate => NULL);
  END;
  When I try to apply this policy to the XMLSchema-created table (TABLE_FILE_INFO) I get next error messages:
  ORA-22856: cannot add columns to object tables
  ORA-00604 error occurred at recursive SQL level 1
  ORA-12445: cannot change HIDDEN property of column.
  ORA-06512: in "LBACSYS.LBAC_POLICY_ADMIN", line 257
  ORA-06512: in line 2
  I suppose that the main problem is that the apply_plicy procedure is trying to add an extra column to a table created from a defined type.
  So my questions are: It's that true? Is it possible to apply a policy to the content of XML documents, I mean, if I want to restrict that some users see some subset of a XML document based on a specific policy, is there anything similar to Oracle Label security for XML? (as defined with the annotations in the XML Schema, some elements will be mapped to rows of a XMLType-based table when a XML document is inserted into the XMLDB repository (marked to follow the previous XML Schema of course)
  Hope someone can help to solve my doubts...
  Thanks,
  Marcos.

  Have you ever answered this question? If not, have you tried to use the "HIDE" property on your table_options?

• Adv Replication AND Label Security

  Has anybody implemented Adv Replication AND Label Security?
  I am looking for any advice and warnings.

  Your replication administrator accounts (REPADMIN,etc) will need to have the OLS READ (or FULL) privilege for the policy on the replicated tables so that the predicate is not added. These users will see and replicate everything, there is no way (in Adv. Rep) to replicate data based on the OLS label (say, to only replicate things that are S instead of TS).
  As long as your replication admins have full privilege (or potentially the system privilege EXEMPT ACCESS POLICY, but this bypasses all policies/vpds and shouldn't be used unless you need to and understand the impacts), everything will work out just fine.
  Likely you are aware but if you intend to have the data protected on the target(s), it will need a copy of the policy and the policy applied to the tables as well. You can use database managed OLS and manage the policy in both (or all) places, or evaluate central management of the policy in OID. As much as the OID method has its advanages, I would stick to managing the policy in the database (and automating distributing the changes to different environments) unless you have another good reason to use OID.