云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Implementing Oracle Label Security
Objectives
After completing this lesson, you should be able to
implement a simple Oracle Label Security policy by:
• Describing Oracle Label Security
• Installing Oracle Label Security
• Creating policies
• Defining labels
• Setting up user authorizations
• Applying policies to tables
Access Control: Overview
Oracle provides two complementary access control
models:
• Discretionary access control (DAC)
– Allows only grant and revoke
– Controls access on an entire object
– Controls access by privilege
• Row-level security
– Allows sophisticated access rules
– Supplements DAC
– Is provided by the Virtual Private Database and
Oracle Label Security
DAC and row-level security dictate row access.
Discretionary Access Control
(Diagram: object privileges on EMP granted to user Joe and revoked from user Fred.)
GRANT SELECT ON emp TO JOE;
REVOKE SELECT ON emp FROM FRED;
Oracle Label Security
(Diagram: a SQL request is first checked by discretionary access control, using object privileges, and then by the label security policy, which enforces row-level security.)
How Sensitivity Labels Are Used
(Diagram: labels express the sensitivity of data, for example Secret and Top Secret, and the authorizations of users; access mediation compares the two whenever a user accesses data.)
Installing Oracle Label Security
To install Oracle Label Security, perform the following
steps:
1. Use the Custom Install option of Oracle Universal
Installer (OUI) to add Oracle Label Security
components.
2. Use the Database Configuration Assistant (DBCA)
to configure Oracle Label Security.
Oracle Label Security: Features
Oracle Label Security provides:
• Row-level security based on the VPD technology
• A complete infrastructure for managing label
security policies, sensitivity labels, and user
security clearances
• Oracle Policy Manager, a graphical user interface
for managing Oracle Label Security
• Integration with Oracle Identity Management
starting in Oracle Database 10g Release 1
Comparing Oracle Label Security
and the VPD
The VPD provides:
• An API for implementing row-level security by using
application context and PL/SQL
Oracle Label Security provides:
• A system evaluated under Common Criteria EAL 4
• All required packages for access mediation
• Complete data dictionary for managing policies,
sensitivity labels, and user clearances
• A complete user interface for managing Oracle
Label Security
• Integration with Oracle Identity Management
When to Use Oracle Label Security
VPD:
• Uses existing user attributes
• Uses natural data attributes
Oracle Label Security:
• Uses created user labels
• Uses assigned data labels
Implementing the Oracle Label
Security Policy
The steps to implement an Oracle Label Security
solution are:
1. Develop a strategy to understand the security
problem.
2. Analyze the data levels in the application.
3. Create policies.
4. Define labels.
5. Assign user authorizations.
6. Apply policies.
7. Review and document your policy decisions.
Analyzing the Needs
• Identify application tables that need Oracle Label
Security:
– Majority of the tables do not require Oracle Label
Security.
– Use existing tools when possible.
– Do not apply Oracle Label Security to everything.
– Identify important application queries where
possible.
• Discretionary access control (DAC) is sufficient
for most tables:
– Database roles
– Secure application roles
– Stored procedures and functions
Creating Policies
Create the policy to contain the label information:
• Policy name is FACILITY.
• Policy label column is FACLAB.
BEGIN
SA_SYSDBA.CREATE_POLICY(
POLICY_NAME =>'FACILITY',
COLUMN_NAME => 'FACLAB',
DEFAULT_OPTIONS =>
'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;
Defining Labels: Overview
• Labels have three parts:
– Level
– Group
– Compartment
• Each part must be defined.
• The label is defined on the basis of the
combinations of the parts.
Defining Levels
Short Form   Long Form          Numeric Form
P            PUBLIC             100
C            CONFIDENTIAL       200
S            SENSITIVE          300
HS           HIGHLY_SENSITIVE   400
• The data level is set to SENSITIVE.
• These levels are part of the label that is assigned
to users and data.
Creating Levels
BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
LEVEL_NUM => 100,
SHORT_NAME => 'P',
LONG_NAME => 'PUBLIC');
END;
Defining Groups
Numeric Form   Long Form         Short Form   Parent
1000           WESTERN_REGION    WR
1100           WR_SALES          WR_SAL       WR
1200           WR_FINANCE        WR_FIN       WR
1210           WR_ACCT_PAYABLE   WR_AP        WR_FIN
• The group is WR_FINANCE.
• The data label shows WR_FIN in the group field of the
level:compartment:group format.
Creating Groups
BEGIN
SA_COMPONENTS.CREATE_GROUP(
POLICY_NAME =>'FACILITY',
GROUP_NUM => 1000,
SHORT_NAME => 'WR_SAL',
LONG_NAME => 'WR_SALES',
PARENT_NAME => 'WR');
END;
Defining Compartments
Numeric Form   Long Form    Short Form
85             Financial    FIN
65             Chemical     CH
45             Operations   OP
• Compartments are OP, CH, and FIN.
• The second field in the data label shows OP, CH,
and FIN.
Creating Compartments
BEGIN
SA_COMPONENTS.CREATE_COMPARTMENT(
POLICY_NAME =>'FACILITY',
COMP_NUM => 85,
SHORT_NAME => 'FIN',
LONG_NAME => 'Financial');
END;
Identifying Data Labels
The administrator creates a set of data labels that are
actually used from the components already defined.
LEVEL:COMPARTMENT:GROUP
----------------------------------------------
SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGION
CONFIDENTIAL:FINANCIAL:WR_SALES
SENSITIVE::
HIGHLY_SENSITIVE:FINANCIAL:
SENSITIVE::WESTERN_REGION
Creating Data Labels
BEGIN
SA_LABEL_ADMIN.CREATE_LABEL(
POLICY_NAME =>'FACILITY',
LABEL_TAG => 201000,
LABEL_VALUE => 'S::WR');
END;
Assigning User Authorization Labels
A user is assigned:
• Maximum and minimum labels
• A default session label
• A row label for inserts
BEGIN
SA_USER_ADMIN.SET_USER_LABELS (
POLICY_NAME =>'FACILITY',
USER_NAME => 'MYCO_MGR',
MAX_READ_LABEL =>'S::US,EU,ASIA');
END;
Access Mediation
(Diagram: for each SQL request, access mediation compares the user session label with the data label of every row and returns only the rows the session may access as the SQL results.)
Adding Labels to Data
• Labels are defined by the administrator.
• Access mediation requires all rows to have labels.
• Labels are set on rows.
Policy-Enforcement Options
• Access-control enforcement:
– READ_CONTROL
– WRITE_CONTROL
• Label-management enforcement:
– LABEL_DEFAULT
– LABEL_UPDATE
– CHECK_CONTROL
• Options to override enforcement:
– ALL_CONTROL
– NO_CONTROL
Applying the Policy to a Table
• Add the FACILITY policy to the LOCATIONS table.
• TABLE_OPTIONS => NULL means that the policy's
default options are used.
BEGIN
SA_POLICY_ADMIN.APPLY_TABLE_POLICY (
POLICY_NAME => 'FACILITY',
SCHEMA_NAME => 'HR',
TABLE_NAME => 'LOCATIONS',
TABLE_OPTIONS => NULL,
LABEL_FUNCTION => NULL);
END;
Oracle Label Security Privileges
Oracle Label Security supports these privileges that
allow authorized users to bypass certain parts of the
policy:
• READ
• FULL
• COMPACCESS
• SET_ACCESS_PROFILE
Example: READ Privilege
(Diagram: a user with no label authorizations but holding the READ privilege issues a SELECT against labeled data rows; all rows are returned.)
Example: FULL Privilege
(Diagram: a user with any label authorizations and the FULL privilege issues any DML statement against labeled data rows; all rows are affected.)
Example: COMPACCESS Privilege
(Diagram: a user whose label authorization contains compartment OP and who holds the COMPACCESS privilege can access rows whose data label has compartment OP, whatever group the row carries.)
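The read-side access mediation shown on the Access Mediation slide and in the READ, FULL and COMPACCESS examples, as an added Python model that is not part of the slides or of Oracle's implementation. It assumes the FACILITY levels, compartments and groups defined on the earlier slides (short names), reduces mediation to the read rules (session level must dominate the row level, the user must hold all row compartments, and at least one row group or one of its parent groups, unless a privilege bypasses that check), and uses sample rows constructed here.

```python
# Added example (not from the slides or Oracle): a Python model of the
# read-access mediation that READ_CONTROL performs, using the FACILITY
# policy components defined on the slides. Constructed for illustration.
from dataclasses import dataclass

# Levels from "Defining Levels": short name -> numeric form.
LEVELS = {"P": 100, "C": 200, "S": 300, "HS": 400}
# Compartments from "Defining Compartments" (short names).
COMPARTMENTS = frozenset({"FIN", "CH", "OP"})
# Groups from "Defining Groups": short name -> parent short name (None = top).
GROUP_PARENT = {"WR": None, "WR_SAL": "WR", "WR_FIN": "WR", "WR_AP": "WR_FIN"}


@dataclass(frozen=True)
class Label:
    """One LEVEL:COMPARTMENTS:GROUPS label in parsed form."""
    level: int
    compartments: frozenset
    groups: frozenset


def parse_label(text):
    """Parse a short-form label such as 'S:FIN,CH:WR' or 'S::' (level only)."""
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"label must have three fields: {text!r}")
    level, comps, groups = parts
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    comps = frozenset(c for c in comps.split(",") if c)
    groups = frozenset(g for g in groups.split(",") if g)
    if not comps <= COMPARTMENTS:
        raise ValueError(f"unknown compartment in {text!r}")
    if not groups <= frozenset(GROUP_PARENT):
        raise ValueError(f"unknown group in {text!r}")
    return Label(LEVELS[level], comps, groups)


def group_chain(group):
    """The group followed by every ancestor up the hierarchy."""
    chain = []
    while group is not None:
        chain.append(group)
        group = GROUP_PARENT[group]
    return chain


def groups_authorized(user_groups, row_groups):
    """A row with no groups carries no group restriction; otherwise the user
    must hold one of the row's groups or an ancestor of it, because
    authorization for a parent group covers all of its subgroups."""
    if not row_groups:
        return True
    return any(a in user_groups for g in row_groups for a in group_chain(g))


def can_read(user, row, privileges=frozenset()):
    """Read-access decision for one row under READ_CONTROL.

    READ and FULL bypass read mediation entirely. COMPACCESS lets a user
    whose compartments cover the row's compartments skip the group check,
    but only when the row actually has compartments."""
    if "READ" in privileges or "FULL" in privileges:
        return True
    if user.level < row.level:                      # level must dominate
        return False
    if not row.compartments <= user.compartments:   # all compartments needed
        return False
    if "COMPACCESS" in privileges and row.compartments:
        return True
    return groups_authorized(user.groups, row.groups)


def readable_rows(user_label, rows, privileges=frozenset()):
    """Ids of the rows a session label may read, as the policy's row filter
    would return them. `rows` is a list of (row_id, label_text) pairs."""
    user = parse_label(user_label)
    return [rid for rid, text in rows
            if can_read(user, parse_label(text), privileges)]


# Constructed sample rows labelled with the data labels from the
# "Identifying Data Labels" slide (short form), plus one WR_AP row.
SAMPLE_ROWS = [
    (1, "S:FIN,CH:WR"),
    (2, "C:FIN:WR_SAL"),
    (3, "S::"),
    (4, "HS:FIN:"),
    (5, "S::WR"),
    (6, "S:FIN:WR_AP"),
]

if __name__ == "__main__":
    cases = [("WR finance user", "S:FIN,CH:WR_FIN", frozenset()),
             ("same user + COMPACCESS", "S:FIN,CH:WR_FIN", frozenset({"COMPACCESS"})),
             ("region-wide user", "S:FIN,CH:WR", frozenset())]
    for who, label, privs in cases:
        print(f"{who:24} {label:16} -> rows {readable_rows(label, SAMPLE_ROWS, privs)}")
```

Note that a user authorized for WR_FIN reads the WR_AP row (its subgroup) but not the rows labelled with the parent group WR; the COMPACCESS case shows those parent-group rows becoming readable only where the row has compartments.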
Using SET_ACCESS_PROFILE
The SA_SESSION.SET_ACCESS_PROFILE function in
Oracle Label Security:
• Allows an application session to assume a
different Oracle Label Security authorization
• Is used when application users do not have real
database accounts
Note: Users who are assigned Oracle Label Security
authorizations do not need to be real database users.
SQL> CONNECT appuser/mypassword
SQL> EXECUTE SA_SESSION.SET_ACCESS_PROFILE('finance', 'team1');
Trusted Stored Package Units
To create a trusted stored package unit, you must:
• Grant the Oracle Label Security privileges to a
program unit
• Have the special policy_DBA role
• Use OPM or the SA_USER_ADMIN package to grant
privileges
SQL> EXECUTE SA_USER_ADMIN.SET_PROG_PRIVS(-
2> POLICY_NAME => 'HR',-
3> SCHEMA_NAME => 'MYSCHEMA',-
4> PROGRAM_UNIT_NAME => 'SUM_PURCHASES',-
5> PRIVILEGE => 'READ');
Exporting with Oracle Label Security
• Only rows with labels authorized for read access
are exported.
• The label columns can be exported.
• The LBACSYS schema cannot be exported.
Importing with Oracle Label Security
• Precreate the Oracle Label Security policies and
tables.
• Labels and tag values must be the same.
Performance Tips
• Analyze the LBACSYS schema.
• Apply a bitmap index on the policy label column.
• Plan a label tag strategy.
• Partition on the basis of the label.
• Allow time to tune your application after applying
Oracle Label Security.
Summary
In this lesson, you should have learned how to:
• Describe the main features of Oracle Label
Security
• Install and configure Oracle Label Security
• Use Oracle Policy Manager
• Create and implement a simple Oracle Label
Security policy
Q&A

Oracle security 06-implementing oracle label security

  • 1. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Implementing Oracle Label Security
  • 2. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Objectives After completing this lesson, you should be able to implement a simple Oracle Label Security policy by: • Describe Oracle Label Security • Install Oracle Label Security • Creating policies • Defining labels • Setting up user authorizations • Applying policies to tables
  • 3. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Access Control: Overview Oracle provides two complementary access control models: • Discretionary access control (DAC) – Allows only grant and revoke – Controls access on an entire object – Controls access by privilege • Row-level security – Allows sophisticated access rules – Supplements DAC – Is provided by the Virtual Private Database and Oracle Label Security DAC and row-level security dictate row access.
  • 4. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Discretionary Access Control Joe Fred GRANT SELECT ON emp TO JOE; REVOKE SELECT ON emp FROM FRED;
  • 5. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Oracle Label Security Discretionary access control SQL request Label security policy Object privileges Row-level security
  • 6. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com How Sensitivity Labels Are Used Labels Data Users Data sensitivity Authorizations Secret Top Secret Access mediation
  • 7. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Installing Oracle Label Security To install Oracle Label Security, perform the following steps: 1. Use the Custom Install option of Oracle Universal Installer (OUI) to add Oracle Label Security components. 2. Use the Database Configuration Assistant (DBCA) to configure Oracle Label Security.
  • 8. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Oracle Label Security: Features Oracle Label Security provides: • Row-level security based on the VPD technology • A complete infrastructure for managing label security policies, sensitivity labels, and user security clearances • Oracle Policy Manager, a graphical user interface for managing Oracle Label Security • Integration with Oracle Identity Management starting in Oracle Database 10g Release 1
  • 9. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Comparing Oracle Label Security and the VPD The VPD provides: • API for implementing row-level security by using application context and PL/SQL Oracle Label Security provides: • A system evaluated under Common Criteria EAL 4 • All required packages for access mediation • Complete data dictionary for managing policies, sensitivity labels, and user clearances • A complete user interface for managing Oracle Label Security • Integration with Oracle Identity Management
  • 10. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com When to Use Oracle Label Security VPD Uses existing user attributes Uses natural data attributes Oracle Label Security Uses created user labels Uses assigned data labels
  • 11. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Implementing the Oracle Label Security Policy The steps to implement an Oracle Label Security solution are: 1. Develop a strategy to understand the security problem. 2. Analyze the data levels in the application 3. Create policies. 4. Define labels. 5. Assign user authorizations. 6. Apply policies. 7. Review and document your policy decisions.
  • 12. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Analyzing the Needs • Identify application tables that need Oracle Label Security: – Majority of the tables do not require Oracle Label Security. – Use existing tools when possible. – Do not apply Oracle Label Security to everything. – Identify important application queries where possible. • Discretionary access control (DAC) is sufficient for most tables: – Database roles – Secure application roles – Stored procedures and functions
  • 13. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Creating Policies Create the policy to contain the label information: • Policy name is FACILITY. • Policy label column is FACLAB. BEGIN SA_SYSDBA.CREATE_POLICY( POLICY_NAME =>'FACILITY', COLUMN_NAME => 'FACLAB', DEFAULT_OPTIONS => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE'); END;
  • 14. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Defining Labels: Overview • Labels have three parts: – Level – Group – Compartment • Each part must be defined. • The label is defined on the basis of the combinations of the parts.
  • 15. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Defining Levels PPUBLIC100 CCONFIDENTIAL200 SSENSITIVE300 HSHIGHLY_SENSITIVE400 Short FormLong FormNumeric Form • The data level is set to SENSITIVE. • These levels are part of the label that is assigned to users and data.
  • 16. 云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com Creating Levels BEGIN SA_COMPONENTS.CREATE_LEVEL( POLICY_NAME =>'FACILITY', LEVEL_NUM => 100, SHORT_NAME => 'P', LONG_NAME => 'PUBLIC'); END;
17. Defining Groups
Numeric Form   Long Form          Short Form   Parent
1000           WESTERN_REGION     WR
1100           WR_SALES           WR_SAL       WR
1200           WR_FINANCE         WR_FIN       WR
1210           WR_ACCT_PAYABLE    WR_AP        WR_FIN
• The group in the example is WR_FINANCE.
• The data label shows WR_FIN in the third (group) field of LEVEL:COMPARTMENT:GROUP.
• Groups are hierarchical: a user authorized for a parent group (WR) can also access rows labelled with its child groups.
18. Creating Groups
The parent group WR must exist before a child group that refers to it is created. The group number for WR_SAL is 1100, as in the table above.
BEGIN
  SA_COMPONENTS.CREATE_GROUP(
    POLICY_NAME => 'FACILITY',
    GROUP_NUM   => 1100,
    SHORT_NAME  => 'WR_SAL',
    LONG_NAME   => 'WR_SALES',
    PARENT_NAME => 'WR');
END;
19. Defining Compartments
Numeric Form   Long Form    Short Form
85             Financial    FIN
65             Chemical     CH
45             Operations   OP
• The compartments are OP, CH, and FIN.
• The second field of the data label shows OP, CH, and FIN.
20. Creating Compartments
BEGIN
  SA_COMPONENTS.CREATE_COMPARTMENT(
    POLICY_NAME => 'FACILITY',
    COMP_NUM    => 85,
    SHORT_NAME  => 'FIN',
    LONG_NAME   => 'Financial');
END;
21. Identifying Data Labels
The administrator creates the set of data labels that are actually used, from the components already defined.
LEVEL:COMPARTMENT:GROUP
----------------------------------------------
SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGION
CONFIDENTIAL:FINANCIAL:WR_SALES
SENSITIVE::
HIGHLY_SENSITIVE:FINANCIAL:
SENSITIVE::WESTERN_REGION
22. Creating Data Labels
The label tag is the integer stored in the label column; it must be unique, and labels are written in short form ('S::WR' is SENSITIVE::WESTERN_REGION).
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL(
    POLICY_NAME => 'FACILITY',
    LABEL_TAG   => 201000,
    LABEL_VALUE => 'S::WR');
END;
23. Assigning User Authorization Labels
A user is assigned:
• Maximum and minimum labels (the write range can never exceed the read range)
• A default session label
• A row label for inserts
Only components defined in the policy may appear; the example below uses the FACILITY levels, compartments and groups defined on the preceding slides.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS(
    POLICY_NAME    => 'FACILITY',
    USER_NAME      => 'MYCO_MGR',
    MAX_READ_LABEL => 'S:FIN,CH:WR');
END;
24. Access Mediation
For each SQL request, access mediation compares the user's session label with the data label of every candidate row and returns only the rows the session is authorized to see:
user session label + row data label -> SQL request -> access mediation -> SQL results
25. Adding Labels to Data
• Labels are defined by the administrator.
• Access mediation requires every row to have a label: a row whose label column is NULL is not returned to ordinary users under READ_CONTROL.
• Labels are set on rows (explicitly by UPDATE, by the LABEL_DEFAULT option on insert, or by a labeling function).
26. Policy-Enforcement Options
• Access-control enforcement:
– READ_CONTROL
– WRITE_CONTROL
• Label-management enforcement:
– LABEL_DEFAULT
– LABEL_UPDATE
– CHECK_CONTROL
• Options to override enforcement:
– ALL_CONTROL
– NO_CONTROL
27. Applying the Policy to a Table
• Add the FACILITY policy to the LOCATIONS table.
• TABLE_OPTIONS => NULL means that the policy default options are used.
• LABEL_FUNCTION => NULL means that no labeling function computes labels for new rows.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    POLICY_NAME    => 'FACILITY',
    SCHEMA_NAME    => 'HR',
    TABLE_NAME     => 'LOCATIONS',
    TABLE_OPTIONS  => NULL,
    LABEL_FUNCTION => NULL);
END;
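Slides 13 to 27 are the steps of one procedure. The following is an added example, not code from the original slides or from Oracle, that runs the whole FACILITY build end to end with the components, labels and user from those slides. It assumes you are connected as a user holding the LBAC_DBA role (needed for CREATE_POLICY; that call creates the FACILITY_DBA role, which the same user must hold for the remaining calls), that HR.LOCATIONS exists, and that MYCO_MGR and an administrative account named OLS_ADMIN are database users (OLS_ADMIN is an assumed name).

```sql
-- Added example: FACILITY policy built end to end (not the original slides' code).
-- Assumptions: LBAC_DBA / FACILITY_DBA roles held, HR.LOCATIONS exists,
-- MYCO_MGR and OLS_ADMIN are database users.

-- 1. Policy. HIDE keeps FACLAB out of SELECT * and DESCRIBE; READ_CONTROL filters
--    rows; CHECK_CONTROL validates label values written; LABEL_DEFAULT labels
--    inserts that supply no label with the session row label.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'FACILITY',
    column_name     => 'FACLAB',
    default_options => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;
/

-- 2. Components. Positional arguments: policy, number, short name, long name[, parent].
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 100, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 200, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 300, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 400, 'HS', 'HIGHLY_SENSITIVE');

  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 85, 'FIN', 'Financial');
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 65, 'CH',  'Chemical');
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 45, 'OP',  'Operations');

  -- Parent groups must exist before their children are created.
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1000, 'WR',     'WESTERN_REGION');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1100, 'WR_SAL', 'WR_SALES',        'WR');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1200, 'WR_FIN', 'WR_FINANCE',      'WR');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1210, 'WR_AP',  'WR_ACCT_PAYABLE', 'WR_FIN');
END;
/

-- 3. Data labels actually used (short form LEVEL:COMPARTMENTS:GROUPS).
--    Tags are chosen here so they sort in level order; they must be unique.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 201000, 'C:FIN:WR_SAL');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 301000, 'S::');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 301010, 'S::WR');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 301015, 'S:FIN:WR');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 301020, 'S:FIN,CH:WR');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 401000, 'HS:FIN:');
END;
/

-- 4. User authorizations. The write range must lie inside the read range, and the
--    default row label must lie inside the write range.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'FACILITY',
    user_name       => 'MYCO_MGR',
    max_read_label  => 'S:FIN,CH:WR',
    max_write_label => 'S:FIN:WR',
    min_write_label => 'P',
    def_read_label  => 'S:FIN,CH:WR',
    def_row_label   => 'S::WR');
END;
/

-- 5. Protect the table with the policy defaults (table_options => NULL).
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name    => 'FACILITY',
    schema_name    => 'HR',
    table_name     => 'LOCATIONS',
    table_options  => NULL,
    label_function => NULL,
    predicate      => NULL);
END;
/

-- 6. Existing rows now carry a NULL label and are invisible under READ_CONTROL.
--    Label them from an account holding the FULL privilege on the policy (it still
--    needs ordinary DAC UPDATE rights on HR.LOCATIONS).
BEGIN
  SA_USER_ADMIN.SET_USER_PRIVS('FACILITY', 'OLS_ADMIN', 'FULL');
END;
/
UPDATE hr.locations
   SET faclab = CHAR_TO_LABEL('FACILITY', 'S::WR')
 WHERE faclab IS NULL;
COMMIT;

-- Check as MYCO_MGR: SELECT * shows no FACLAB column (HIDE), but the label is
-- still readable when named explicitly:
SELECT location_id, LABEL_TO_CHAR(faclab) AS faclab FROM hr.locations;
```

Run the steps in order in SQL*Plus or SQLcl; the `/` terminators execute each anonymous block. If a later step fails, the components already created remain, so re-running a CREATE_* call for an existing component raises an error rather than silently overwriting it.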
28. Oracle Label Security Privileges
Oracle Label Security supports these privileges, which allow authorized users to bypass certain parts of the policy:
• READ: read all rows protected by the policy
• FULL: read and write all rows protected by the policy
• COMPACCESS: access rows by compartment authorization alone, ignoring the row's groups
• PROFILE_ACCESS: allows a session to call SA_SESSION.SET_ACCESS_PROFILE and assume another user's authorizations
29. Example: READ Privilege
A user with no label authorizations but the READ privilege issues a SELECT against labeled data rows: all rows are returned.
30. Example: FULL Privilege
A user with any label authorizations and the FULL privilege issues any DML against labeled data rows: all rows are affected.
31. Example: COMPACCESS Privilege
A user authorized for compartment OP and holding the COMPACCESS privilege can access rows whose data label has compartment OP and any group, since the group part of the check is bypassed.
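Slides 24, 26 and 28 to 31 describe how access mediation compares a user's authorizations with a row label and how READ, FULL and COMPACCESS bypass parts of that check. The following is an added example, not code from the slides or from Oracle, that models the documented read and write rules in Python with this deck's FACILITY components so each decision can be traced against the slides. It assumes the group tree from slide 17 (a parent group grants access to rows labelled with its child groups) and that COMPACCESS bypasses the group check only when the row actually has compartments. INSERT/UPDATE/DELETE controls, the WRITEUP/WRITEDOWN/WRITEACROSS privileges and label defaulting are left out. The rows and users are constructed.

```python
"""Model of Oracle Label Security read/write access mediation.

Added example, not code from the original slides or from Oracle. It follows
the documented OLS algorithm using the FACILITY components from the slides:
levels P/C/S/HS, compartments FIN/CH/OP and the WR group tree. Sample rows
and users below are constructed for illustration.
"""
from dataclasses import dataclass

# Level ranks from the "Defining Levels" slide: higher number = more sensitive.
LEVELS = {"P": 100, "C": 200, "S": 300, "HS": 400}

# Group tree from the "Defining Groups" slide, child -> parent.
GROUP_PARENT = {"WR_SAL": "WR", "WR_FIN": "WR", "WR_AP": "WR_FIN"}


def with_parents(groups):
    """Expand row groups upward: a user holding WR also reaches WR_SAL/WR_FIN/WR_AP rows."""
    out = set()
    for g in groups:
        out.add(g)
        while g in GROUP_PARENT:
            g = GROUP_PARENT[g]
            out.add(g)
    return frozenset(out)


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset
    groups: frozenset

    @classmethod
    def parse(cls, text):
        """Parse short-form 'LEVEL:COMP,COMP:GRP,GRP'; the last two fields may be empty."""
        parts = text.upper().split(":")
        if len(parts) != 3 or parts[0] not in LEVELS:
            raise ValueError(f"malformed label: {text!r}")
        return cls(parts[0],
                   frozenset(p for p in parts[1].split(",") if p),
                   frozenset(p for p in parts[2].split(",") if p))


@dataclass(frozen=True)
class UserAuth:
    """What SET_USER_LABELS assigns, plus any policy privileges from SET_USER_PRIVS."""
    max_read: Label
    max_write: Label
    min_write_level: str
    privileges: frozenset = frozenset()


def can_read(user, row):
    """READ_CONTROL decision for one row."""
    if user.privileges & {"READ", "FULL"}:
        return True                                    # bypass privileges
    if LEVELS[user.max_read.level] < LEVELS[row.level]:
        return False                                   # user level must dominate
    if not row.compartments <= user.max_read.compartments:
        return False                                   # user needs ALL row compartments
    if not row.groups:
        return True                                    # no group restriction on this row
    if "COMPACCESS" in user.privileges and row.compartments:
        return True                                    # compartment match suffices, groups skipped
    return bool(with_parents(row.groups) & user.max_read.groups)   # need ANY one group


def can_write(user, row):
    """WRITE_CONTROL decision (UPDATE/DELETE) for one row; write never exceeds read."""
    if "FULL" in user.privileges:
        return True
    if not can_read(user, row):
        return False
    lvl = LEVELS[row.level]
    if not LEVELS[user.min_write_level] <= lvl <= LEVELS[user.max_write.level]:
        return False                                   # WRITEUP/WRITEDOWN would relax this
    if not row.compartments <= user.max_write.compartments:
        return False
    if not row.groups:
        return True
    return bool(with_parents(row.groups) & user.max_write.groups)


def visible_rows(user, rows):
    """Simulate the predicate OLS adds to a SELECT: ids of rows the user may read."""
    return [rid for rid, label in rows if can_read(user, Label.parse(label))]


def writable_rows(user, rows):
    """Ids of rows the user may UPDATE or DELETE."""
    return [rid for rid, label in rows if can_write(user, Label.parse(label))]


# Constructed sample rows: (id, FACLAB value) using the data labels from slide 21.
ROWS = [
    (1, "S:FIN,CH:WR"),   # SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGION
    (2, "C:FIN:WR_SAL"),  # CONFIDENTIAL:FINANCIAL:WR_SALES
    (3, "S::"),           # SENSITIVE, no compartments, no groups
    (4, "HS:FIN:"),       # HIGHLY_SENSITIVE:FINANCIAL
    (5, "S::WR"),         # SENSITIVE::WESTERN_REGION
    (6, "S:OP:WR_AP"),    # extra constructed row for the COMPACCESS case
]

# Constructed users: the slide-23 manager, an auditor with READ, and two OP users.
MANAGER = UserAuth(Label.parse("S:FIN,CH:WR"), Label.parse("S:FIN:WR"), "P")
AUDITOR = UserAuth(Label.parse("P::"), Label.parse("P::"), "P", frozenset({"READ"}))
OPS = UserAuth(Label.parse("S:OP:"), Label.parse("S:OP:"), "P")
OPS_COMPACCESS = UserAuth(Label.parse("S:OP:"), Label.parse("S:OP:"), "P",
                          frozenset({"COMPACCESS"}))

if __name__ == "__main__":
    print("manager reads  ", visible_rows(MANAGER, ROWS))
    print("manager writes ", writable_rows(MANAGER, ROWS))
    print("auditor reads  ", visible_rows(AUDITOR, ROWS))
    print("ops reads      ", visible_rows(OPS, ROWS))
    print("ops+COMPACCESS ", visible_rows(OPS_COMPACCESS, ROWS))
```

The manager sees rows 1, 2, 3 and 5 (row 4 is above the S level, row 6 needs the OP compartment) but can write only 2, 3 and 5, because the write label S:FIN:WR lacks CH. The OP user without COMPACCESS sees only row 3; with COMPACCESS row 6 opens up through its compartment, while row 5, which has no compartments, still requires a group match.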
32. Using SET_ACCESS_PROFILE
The SA_SESSION.SET_ACCESS_PROFILE procedure in Oracle Label Security:
• Allows an application session to assume a different Oracle Label Security authorization (the connected user must hold the PROFILE_ACCESS privilege for the policy)
• Is used when application users do not have real database accounts
Note: Users who are assigned Oracle Label Security authorizations do not need to be real database users.
SQL> CONNECT appuser/mypassword
SQL> EXECUTE SA_SESSION.SET_ACCESS_PROFILE('finance', 'team1');
The first argument is the policy name; the second is the user whose labels and privileges the session assumes.
33. Trusted Stored Program Units
To create a trusted stored program unit, you must:
• Grant the Oracle Label Security privileges to a program unit rather than to a user, so only that code path can bypass the policy
• Hold the special policy_DBA role (FACILITY_DBA for the FACILITY policy)
• Use Oracle Policy Manager (OPM) or the SA_USER_ADMIN package to grant the privileges
BEGIN
  SA_USER_ADMIN.SET_PROG_PRIVS(
    POLICY_NAME       => 'HR',
    SCHEMA_NAME       => 'MYSCHEMA',
    PROGRAM_UNIT_NAME => 'SUM_PURCHASES',
    PRIVILEGES        => 'READ');
END;
34. Exporting with Oracle Label Security
• Only rows whose labels authorize read access for the exporting session are exported.
• The label columns can be exported.
• The LBACSYS schema cannot be exported.
35. Importing with Oracle Label Security
• Precreate the Oracle Label Security policies and tables.
• Labels and label tag values must be the same as in the source database, because the exported rows carry the numeric tags.
36. Performance Tips
• Gather optimizer statistics on the LBACSYS schema.
• Apply a bitmap index on the policy label column.
• Plan a label tag strategy.
• Partition on the basis of the label.
• Allow time to tune your application after applying Oracle Label Security.
37. Summary
In this lesson, you should have learned how to:
• Describe the main features of Oracle Label Security
• Install and configure Oracle Label Security
• Use Oracle Policy Manager
• Create and implement a simple Oracle Label Security policy
38. Q&A