云和恩墨 (Enmotech): achieving what is entrusted. Presented by 王朝阳, 18516271611, sonne.k.wang@gmail.com
Objectives
After completing this lesson, you should be able to implement a simple Oracle Label Security policy by:
• Describing Oracle Label Security
• Installing Oracle Label Security
• Creating policies
• Defining labels
• Setting up user authorizations
• Applying policies to tables
Access Control: Overview
Oracle provides two complementary access control
models:
• Discretionary access control (DAC)
– Allows only grant and revoke
– Controls access on an entire object
– Controls access by privilege
• Row-level security
– Allows sophisticated access rules
– Supplements DAC
– Is provided by the Virtual Private Database and
Oracle Label Security
DAC and row-level security dictate row access.
Discretionary Access Control
Example: Joe is granted access to the EMP table and Fred's access is revoked.
GRANT SELECT ON emp TO JOE;
REVOKE SELECT ON emp FROM FRED;
How Sensitivity Labels Are Used
(Figure: labels are attached to data to express data sensitivity and to users to express authorizations, for example Secret and Top Secret; access mediation compares the user's label with the row's label.)
Installing Oracle Label Security
To install Oracle Label Security, perform the following
steps:
1. Use the Custom Install option of Oracle Universal
Installer (OUI) to add Oracle Label Security
components.
2. Use the Database Configuration Assistant (DBCA)
to configure Oracle Label Security.
Oracle Label Security: Features
Oracle Label Security provides:
• Row-level security based on the VPD technology
• A complete infrastructure for managing label
security policies, sensitivity labels, and user
security clearances
• Oracle Policy Manager, a graphical user interface
for managing Oracle Label Security
• Integration with Oracle Identity Management
starting in Oracle Database 10g Release 1
Comparing Oracle Label Security and the VPD
The VPD provides:
• API for implementing row-level security by using
application context and PL/SQL
Oracle Label Security provides:
• A system evaluated under Common Criteria EAL 4
• All required packages for access mediation
• Complete data dictionary for managing policies,
sensitivity labels, and user clearances
• A complete user interface for managing Oracle
Label Security
• Integration with Oracle Identity Management
When to Use Oracle Label Security
VPD                              Oracle Label Security
Uses existing user attributes    Uses created user labels
Uses natural data attributes     Uses assigned data labels
Implementing the Oracle Label Security Policy
The steps to implement an Oracle Label Security
solution are:
1. Develop a strategy to understand the security
problem.
2. Analyze the data levels in the application.
3. Create policies.
4. Define labels.
5. Assign user authorizations.
6. Apply policies.
7. Review and document your policy decisions.
Analyzing the Needs
• Identify application tables that need Oracle Label
Security:
– Majority of the tables do not require Oracle Label
Security.
– Use existing tools when possible.
– Do not apply Oracle Label Security to everything.
– Identify important application queries where
possible.
• Discretionary access control (DAC) is sufficient
for most tables:
– Database roles
– Secure application roles
– Stored procedures and functions
Creating Policies
Create the policy to contain the label information:
• Policy name is FACILITY.
• Policy label column is FACLAB.
BEGIN
SA_SYSDBA.CREATE_POLICY(
POLICY_NAME =>'FACILITY',
COLUMN_NAME => 'FACLAB',
DEFAULT_OPTIONS =>
'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;
Defining Labels: Overview
• Labels have three parts:
– Level
– Group
– Compartment
• Each part must be defined.
• The label is defined on the basis of the
combinations of the parts.
Defining Levels
Short Form  Long Form         Numeric Form
P           PUBLIC            100
C           CONFIDENTIAL      200
S           SENSITIVE         300
HS          HIGHLY_SENSITIVE  400
• The data level is set to SENSITIVE.
• These levels are part of the label that is assigned
to users and data.
Defining Groups
Numeric Form  Long Form        Short Form  Parent
1000          WESTERN_REGION   WR
1100          WR_SALES         WR_SAL      WR
1200          WR_FINANCE       WR_FIN      WR
1210          WR_ACCT_PAYABLE  WR_AP       WR_FIN
• The group is WR_FINANCE.
• The data label shows WR_FIN in the group field of level:compartment:group.
Creating Groups
BEGIN
  SA_COMPONENTS.CREATE_GROUP(
    POLICY_NAME => 'FACILITY',
    GROUP_NUM   => 1100,      -- WR_SALES is 1100 in the group table; 1000 is WESTERN_REGION
    SHORT_NAME  => 'WR_SAL',
    LONG_NAME   => 'WR_SALES',
    PARENT_NAME => 'WR');     -- parent group, by short name
END;
Defining Compartments
Numeric Form  Long Form   Short Form
85            Financial   FIN
65            Chemical    CH
45            Operations  OP
• Compartments are OP, CH, and FIN.
• The second field in the data label shows OP, CH,
and FIN.
Identifying Data Labels
The administrator creates the set of data labels that are actually used, from the components already defined.
LEVEL:COMPARTMENT:GROUP
----------------------------------------------
SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGION
CONFIDENTIAL:FINANCIAL:WR_SALES
SENSITIVE::
HIGHLY_SENSITIVE:FINANCIAL:
SENSITIVE::WESTERN_REGION
Creating Data Labels
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL(
    POLICY_NAME => 'FACILITY',
    LABEL_TAG   => 201000,
    LABEL_VALUE => 'S::WR');  -- short form of SENSITIVE::WESTERN_REGION (no compartments)
END;
Assigning User Authorization Labels
A user is assigned:
• Maximum and minimum labels
• A default session label
• A row label for inserts
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS (
    POLICY_NAME    => 'FACILITY',
    USER_NAME      => 'MYCO_MGR',
    MAX_READ_LABEL => 'S::US,EU,ASIA');  -- level S, no compartments, groups US, EU and ASIA
END;
Access Mediation
(Figure: a SQL request is checked by access mediation, which compares the user's session label with each row's data label before returning the SQL results.)
Adding Labels to Data
• Labels are defined by the administrator.
• Access mediation requires all rows to have labels.
• Labels are set on rows.
Applying the Policy to a Table
• Add the FACILITY policy to the LOCATIONS table.
• TABLE_OPTIONS => NULL implies that the policy default options are used.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY (
    POLICY_NAME    => 'FACILITY',
    SCHEMA_NAME    => 'HR',
    TABLE_NAME     => 'LOCATIONS',
    TABLE_OPTIONS  => NULL,
    LABEL_FUNCTION => NULL);
END;
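The whole procedure from creating the policy through applying it, carried out end to end for the FACILITY policy of this lesson. This is an added example, not code from the original slides; it assumes the HR.LOCATIONS table exists and that the block runs as a user holding the LBAC_DBA role. Level, compartment and group numbers follow the tables in this lesson; the label tag 300085 and the user name WR_FIN_CLERK are constructed for the example.

```sql
-- Added example (not from the original slides): full FACILITY build-out.
-- Assumes HR.LOCATIONS exists and the session holds LBAC_DBA.
BEGIN
  -- Step 3: the policy and its hidden label column
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'FACILITY',
    column_name     => 'FACLAB',
    default_options => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');

  -- Step 4a: levels (hierarchical; a higher number dominates a lower one)
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 100, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 200, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 300, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 400, 'HS', 'HIGHLY_SENSITIVE');

  -- Step 4b: compartments (non-hierarchical; a reader needs ALL of them)
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 85, 'FIN', 'Financial');
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 65, 'CH',  'Chemical');
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 45, 'OP',  'Operations');

  -- Step 4c: groups (hierarchical; a reader needs ANY one; a parent
  -- group covers its child groups)
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1000, 'WR',     'WESTERN_REGION');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1200, 'WR_FIN', 'WR_FINANCE', 'WR');

  -- Step 4d: a data label built from the components above
  -- (tag 300085 is a constructed value; label strings use short names)
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 300085, 'S:FIN:WR_FIN');

  -- Step 5: user authorizations (WR_FIN_CLERK is a constructed name).
  -- S:FIN:WR dominates S:FIN:WR_FIN: same level, compartment FIN held,
  -- and WR is the parent of WR_FIN, so rows with that label are readable.
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name    => 'FACILITY',
    user_name      => 'WR_FIN_CLERK',
    max_read_label => 'S:FIN:WR',
    def_label      => 'S:FIN:WR',
    row_label      => 'S:FIN:WR_FIN');  -- label stamped on new inserts (LABEL_DEFAULT)

  -- Step 6: apply to the table; NULL table_options inherit the policy defaults
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name    => 'FACILITY',
    schema_name    => 'HR',
    table_name     => 'LOCATIONS',
    table_options  => NULL,
    label_function => NULL);
END;
/
```

With HIDE in the default options the FACLAB column is omitted from SELECT * and from DESCRIBE; query it explicitly with LABEL_TO_CHAR(faclab) to verify which label each row carries.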
Oracle Label Security Privileges
Oracle Label Security supports these privileges that
allow authorized users to bypass certain parts of the
policy:
• READ
• FULL
• COMPACCESS
• SET_ACCESS_PROFILE
Example: READ Privilege
(Figure: a user with no label authorizations but the READ privilege issues a SELECT against labeled data rows, and all rows are returned.)
Example: FULL Privilege
(Figure: a user with any label authorizations and the FULL privilege issues any DML statement against labeled data rows, and all rows are affected.)
Example: COMPACCESS Privilege
(Figure: a user authorized for compartment OP who holds the COMPACCESS privilege can access rows whose data label has compartment OP and any group.)
Using SET_ACCESS_PROFILE
The SA_SESSION.SET_ACCESS_PROFILE function in
Oracle Label Security:
• Allows an application session to assume a
different Oracle Label Security authorization
• Is used when application users do not have real
database accounts
Note: Users who are assigned Oracle Label Security
authorizations do not need to be real database users.
SQL> CONNECT appuser/mypassword
SQL> EXECUTE SA_SESSION.SET_ACCESS_PROFILE('finance', 'team1');
Trusted Stored Package Units
To create a trusted stored package unit, you must:
• Grant the Oracle Label Security privileges to a
program unit
• Have the special policy_DBA role
• Use OPM or the SA_USER_ADMIN package to grant
privileges
SQL> EXECUTE SA_USER_ADMIN.SET_PROG_PRIVS(-
  2> POLICY_NAME => 'HR',-
  3> SCHEMA_NAME => 'MYSCHEMA',-
  4> PROGRAM_UNIT_NAME => 'SUM_PURCHASES',-
  5> PRIVILEGES => 'READ');
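A trusted stored package unit from definition to grant, as an added example that is not part of the original slides. It assumes the FACILITY policy from this lesson, a table HR.PURCHASES with an AMOUNT column, and a user WR_FIN_CLERK; all three are assumptions.

```sql
-- Added example (not from the original slides). Assumes policy FACILITY,
-- table HR.PURCHASES(amount) and user WR_FIN_CLERK.

-- The program unit that will be trusted: a total over every purchase row.
CREATE OR REPLACE FUNCTION hr.sum_purchases RETURN NUMBER AS
  total NUMBER;
BEGIN
  SELECT NVL(SUM(amount), 0) INTO total FROM hr.purchases;
  RETURN total;
END;
/

-- Grant READ to the unit (needs the FACILITY_DBA role). Only the unit
-- bypasses READ_CONTROL: a direct SELECT on hr.purchases by the caller is
-- still filtered by the caller's own session label.
BEGIN
  SA_USER_ADMIN.SET_PROG_PRIVS(
    policy_name       => 'FACILITY',
    schema_name       => 'HR',
    program_unit_name => 'SUM_PURCHASES',
    privileges        => 'READ');
END;
/

-- The unit now discloses an aggregate over rows its caller cannot see,
-- so limit EXECUTE to the principals that need it instead of PUBLIC.
GRANT EXECUTE ON hr.sum_purchases TO wr_fin_clerk;
```

Review the privileges held by program units periodically; they survive in the policy even after the unit's body is changed, so a later edit to the function can widen what the READ privilege exposes.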
Exporting with Oracle Label Security
• Only rows with labels authorized for read access
are exported.
• The label columns can be exported.
• The LBACSYS schema cannot be exported.
Importing with Oracle Label Security
• Precreate the Oracle Label Security policies and
tables.
• Labels and tag values must be the same.
Performance Tips
• Analyze the LBACSYS schema.
• Apply a bitmap index on the policy label column.
• Plan a label tag strategy.
• Partition on the basis of the label.
• Allow time to tune your application after applying
Oracle Label Security.
Summary
In this lesson, you should have learned how to:
• Describe the main features of Oracle Label
Security
• Install and configure Oracle Label Security
• Use Oracle Policy Manager
• Create and implement a simple Oracle Label
Security policy
Q&A