Oracle® Label Security Administrator's Guide 11g Release 2 (11.2) Part Number E10745-03 |
|
|
PDF · Mobi · ePub |
Managing Oracle Label Security metadata in a centralized LDAP repository provides many benefits. Policies and user label authorizations can be easily provisioned and distributed throughout the enterprise. In addition, when employees are terminated, their label authorizations can be revoked in one place and the change automatically propagated throughout the enterprise. This chapter describes the integration between Oracle Label Security and Oracle Internet Directory, in the following sections:
Configuring Oracle Internet Directory-Enabled Label Security
Integrated Capabilities When Label Security Uses the Directory
Oracle Label Security Policy Attributes in Oracle Internet Directory
Previous releases of Oracle Label Security have relied on the Oracle Database as the central repository for policy and user label authorizations. This architecture leveraged the scalability and high availability of the Oracle Database, but did not leverage the identity management infrastructure, which includes the Oracle Internet Directory. This directory is part of Oracle Identity Management Platform. Integrating your installation of Oracle Label Security with Oracle Internet Directory allows label authorizations to be part of your standard provisioning process.
These advantages accrue also to directory-stored information about policies, user labels, and privileges that Oracle Label Security assigns to users. These labels and privileges are specific to the installation's policies defining access control on tables and schemas.If a site is not using Oracle Internet Directory, then such information is stored locally in the database.
The following Oracle Label Security information is stored in the directory:
Policy information, namely policy name, column name, policy enforcement options, and audit options
User profiles identifying their labels and privileges
Policy label components: levels, compartments, groups
Policy data labels
Database-specific metadata is not stored in the directory. Examples include
Lists of schemas or tables, with associated policy information, and
Program units, with associated policy privileges
The following three notes identify important aspects of integrating your installation of Oracle Label Security with Oracle Internet Directory:
Note:
Oracle will continue to support both the database and directory-based architectures for Oracle Label Security. However, a single database environment cannot host both architectures. Administrators must decide whether to use the centralized LDAP administration model or the database-centric model.Note:
Managing Oracle Label Security policies directly in the directory is done using a new command-line tool, the Oracle Label Security administration tool (olsadmintool
), described in Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".
Starting this release, you can also use the graphical user interface provided by Oracle Enterprise Manager Database Control to manage Oracle Label Security. Detailed documentation can be found in Oracle Enterprise Manager help.
For sites that use Oracle Internet Directory, databases retrieve Oracle Label Security policy information from the directory. Administrators use the olsadmintool
policy administration tool or the Enterprise Manager graphical user interface to operate directly on the directory to insert, alter, or remove metadata as needed. Because enterprise users can log in to multiple databases using the credentials stored in Oracle Internet Directory, it is logical to store their Oracle Label Security policy authorizations and privileges there as well. An administrator can then modify these authorizations and privileges by updating such metadata in the directory.
For distributed databases, centralized policy management removes the need for replicating policies, because the appropriate policy information is available in the directory. Changes are effective without further effort, synchronized with policy information in the databases by means of the Directory Integration Platform.
See Also:
Synchronization using the Directory Integration Platform is described in the Oracle Internet Directory Administrator's Guide.Figure 6-1, "Diagram of Oracle Label Security Metadata Storage in Oracle Internet Directory" illustrates the structure of metadata storage in Oracle Internet Directory.
Figure 6-2, "Oracle Label Security Policies Applied through Oracle Internet Directory" illustrates applying different policies stored in Oracle Internet Directory to the databases accessed by different enterprise users. Determining the policy to be applied is controlled by the directory entries corresponding to the user and the accessed database.
Figure 6-1 Diagram of Oracle Label Security Metadata Storage in Oracle Internet Directory
Figure 6-2 Oracle Label Security Policies Applied through Oracle Internet Directory
In this example, the directory has information about two Oracle Label Security policies, Alpha, applying to database DB1, and Beta, applying to database DB2 Although both policies are known to each database, only the appropriate one is applied in each case. In addition, enterprise users who are to access rows protected by Oracle Label Security are listed in profiles within the Oracle Label Security attributes in Oracle Internet Directory.
As Figure 6-2, "Oracle Label Security Policies Applied through Oracle Internet Directory" shows, the connections between different databases and the directory are established over either SSL or SASL. The database always binds to the directory as a known identity using password-based authentication. Links between databases and their clients (such as a sqlplus session, any PL/SQL programs , and so on) can use either SSL or non-SSL connections. The example of Figure 6-2, "Oracle Label Security Policies Applied through Oracle Internet Directory" assumes that users are logged on through password authentication. The choice of connection type depends on the enterprise user model.
The Oracle Label Security policy administration tool operates directly on metadata in Oracle Internet Directory. Changes in the directory are then propagated to the Oracle Directory Integration and Provisioning server, which is configured to send changes to the databases at specific time intervals.
The databases update the policy information in Oracle Internet Directory only when policies are being applied to tables or schemas. These updates ensure that policies that are in use will not be dropped from the directory.
See Also:
Oracle Database Enterprise User Security Administrator's Guide for more information on enterprise domains, user models and authentication activities
Oracle Internet Directory Administrator's Guide for detailed information on Oracle Internet Directory
You can configure a database for Oracle Internet Directory-enabled Label Security at any time after database creation or during custom database creation. Oracle Internet Directory-enabled label security relies on the Entrerprise User security feature.
See Also:
"Enterprise User Security Configuration Tasks and Troubleshooting" in the Oracle Database Enterprise User Security Administrator's Guide, for prerequisites and steps to configure a database for directory usage, and
"Database Configuration Assistant" in the Oracle Database Enterprise User Security Administrator's Guide, for information about DBCA, the Database Configuration Assistant.
Users who perform Oracle Internet Directory enabled Oracle Label Security using the Database Configuration Assistant (DBCA) need additional privileges. The following steps describe what permissions are needed, and how to grant them:
Use Enterprise Manager to add the user to the OracleDBCreators group.
See Also:
"Managing Identity Management Realm Administrators" in the Oracle Database Enterprise User Security Administrator's Guide for more information on adding a user to an administrative groupAdd the user to the Provisioning Admins group. This is necessary because DBCA creates a DIP provisioning profile for Oracle Label Security. Use ldapmodify command with the following .ldif file to add a user to the Provisioning Admins group:
dn: cn=Provisioning Admins,cn=changelog subscriber, cn=oracle internet directory changetype: modify add: uniquemember uniquemember: DN of the user who is to be added
Add the user to the policyCreators group using the olsadmintool
command line tool . DBCA bootstraps the database with the Oracle Label Security policy information from Oracle Internet Directory, and only policyCreators can perform this bootstrap.
If the database is already registered with the Oracle Internet Directory using DBCA, use Enterprise Manager to add the user to the OracleDBAdmins group of that database.
Note that the permissions specified earlier are also needed by the administrator who unregisters the database that has Oracle Internet Directory enabled Oracle Label Security configuration.
To achieve this goal, do the following major tasks:
Register your database in the directory using DBCA (Database Configuration Assistant).
See Also:
"Registering Your Database with the Directory" in the Oracle Database Enterprise User Security Administrator's GuideAfter your database is registered in the directory, configure Label Security:
Start DBCA, select Configure database options in a database, and click Next.
Select a database and click Next.
Regarding the option of unregistering the database or keeping it registered, select Keep the database registered.
If the database is registered with Oracle Internet Directory, the Database options screen shows a customize button beside the Label Security check box. Select the Label Security option and click Customize.
This customize dialog has two configuration options, for standalone Oracle Label Security or for Oracle Internet Directory-enabled Oracle Label Security. Click OID-enabled Label security configuration and enter the Oracle Internet Directory credentials of an appropriate administrator. Click Ok.
Continue with the remaining DBCA steps and click Finish when it appears.
Note:
You can configure a standalone Oracle Label Security on a database that is registered with Oracle Internet Directory. Select the standalone option in step e.When configuring for Oracle Internet Directory-enabled Oracle Label Security, DBCA also does the following things in addition to registering the database:
Creates a provisioning profile for propagating Label Security policy changes to to the database. This Directory Integration Platform (DIP) provisioning profile is enabled by default.
Installs the required packages on the database side for Oracle Internet Directory-enabled Oracle Label Security.
Bootstraps the database with all the existing Label Security policy information in the Oracle Internet Directory.
See Also:
Bootstrapping Databases for more information.Registering the database and configuring Oracle Label Security can be done in one invocation of DBCA.
Start DBCA.
Select Configure database options in a database and click Next.
Select a database and click Next.
Click Register the database.
Enter the Oracle Internet Directory credentials of an appropriate administrator, and the corresponding password for the database wallet that will be created.
The Database options screen shows a Customize button beside the Label Security check box. Select the Label Security option and click Customize.
The Customize dialog box is displayed, showing two configuration options, for standalone Oracle Label Security or for Oracle Internet Directory-enabled Oracle Label Security.
Click OID-enabled Label Security Configuration.
Continue with the remaining DBCA steps and click Finish.
Use the command line tool oidprovtool
to set the password for the DIP user and update the interface connect information in the DIP provisioning profile for that database with the new password.
See:
Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles for more detailsUpon creation, the DIP profile uses a schedule value of 3600 seconds by default, meaning that Oracle Label Security changes are propagated to the database every hour. You can use oidprovtool
to change this value if deployment considerations require that.
Once the the database is configured for Oracle Internet Directory-enabled Oracle Label Security, further considerations regarding enterprise user security may apply.
See Also:
Oracle Database Enterprise User Security Administrator's Guide for further concepts, tools, steps, and proceduresTo perform this task, you use DBCA, which does the following things:
Deletes the DIP provisioning profile for the database created for Oracle Label Security.
Installs the required packages for standalone Oracle Label Security, so that at the end of unregistration, Oracle Internet Directory enabled Oracle Label Security becomes standalone Oracle Label Security.
Note:
Specific instructions for DB unregistration appear in the Oracle Database Enterprise User Security Administrator's Guide. No special steps are required when Oracle Internet Directory-enabled Oracle Label Security is configured.Note:
If a database has standalone Oracle Label Security, it cannot be converted to Oracle Internet Directory-enabled Oracle Label Security. You need to drop Oracle Label Security from the database and then use DBCA again to configure Oracle Internet Directory-enabled Oracle Label Security.To remove Oracle Internet Directory-enabled Oracle Label Security from a database, first unregister the database using DBCA, and then run the following script:
$ORACLE_HOME/rdbms/admin/catnools.sql
A user profile is a set of user authorizations and privileges. Profiles are maintained as part of each Oracle Label Security policy stored in the Directory.
If a user is added to a profile, then the authorizations and privileges defined in that profile for that particular policy are aquired by the user, which include the following attributes:
Five label authorizations:
maximum read label
maximum write label
minimum write label
default read label
default row label
Privileges
The list of enterprise users to whom these authorizations apply
See Also:
Oracle Label Security Policy Attributes in Oracle Internet Directory
"Getting Started with Enterprise User Security" in the Oracle Database Enterprise User Security Administrator's Guide for more infomation on creating and managing enterprise users
Oracle Enterprise Manager help for information on creating and administering Oracle Label Security profiles and policies
An enterprise user can belong to only one profile, or none.
The integration of Oracle Label Security and Oracle Internet Directory enables the following capabilities:
User/administrator actions
Storing multiple Oracle Label Security policies in Oracle Internet Directory
Managing Oracle Label Security policies and options in the directory, including
creating or dropping a policy
changing policy options
changing audit settings
Creating label components for any Oracle Label Security policies by
creating or removing levels, compartments, or groups
assigning numeric values to levels, compartments, or groups
changing long names of levels, compartments, or groups
creating children groups
Managing enterprise users configured as users of any Oracle Label Security policies, including
assigning or removing enterprise users to/from profiles within policies
assigning policy-specific privileges to enterprise users, or removing them
changing policy label authorizations assigned to enterprise users
Managing all user/administrator actions and capabilities by means of an integrated set of command line tools that monitor and manage Oracle Label Security policies in Oracle Internet Directory.
Automatic results of Oracle Label Security
Limiting database policy usage to directory-defined policies only (no local policies defined or applied)
Synchronizing changes to policies in the directory with the databases using Oracle Label Security (to apply after enterprise users reconnect)
After changes are propagated by the Directory Integration Platform, having immediate access to enterprise users' Oracle Label Security attributes when these users log on to any database using Oracle Label Security, assuming they are configured within any Oracle Label Security policies. These attributes include users' label authorizations and users' privileges.
In Oracle Internet Directory, Oracle-related metadata is stored under cn=OracleContext. Within Label Security, each policy holds the information and parameters shown in Figure 6-1, "Diagram of Oracle Label Security Metadata Storage in Oracle Internet Directory":
When Oracle Label Security is used without Oracle Internet Directory, it supports automatic creation of data labels by means of a label function. However, when Oracle Label Security is used with Oracle Internet Directory, such functions can create labels only using data labels that are already defined in the directory.
Table 6-1 Contents of Each Policy
Type of Entry | Contents | Meaning/Sample Usage/References |
---|---|---|
Policy Name |
The name assigned to this policy at its creation |
Used in olsadmintool commands such as |
Column Name |
The name of the column that will hold the label values relevant to this policy |
Column is added to database. Refer to "The Policy Label Column and Label Tags" "The HIDE Policy Column Option" Used in
|
Enforcement Options |
Any combination of the following entries:
|
Refer to the discussions in Chapter 9, "Implementing Policy Enforcement Options and Labeling Functions" and Appendix E, "Reference". Used in
and |
Options |
Enabled: |
Used in
|
Levels |
Name and number for each level |
Used in |
Compartments |
Name and number for each compartment |
Used in |
Groups |
Name, number, and parent for each group |
Used in |
Profiles |
Maximum and default read labels, maximum and minimum write labels, default row label, list of users, and a set of privileges from this list:
|
Policies can have one or more profiles, each of which can be assigned to many users. Profiles reduce the need to set up label authorizations for individual users. All users with the same set of labels and privileges are grouped in a single profile. Each profile represents a different set of labels, privileges, and users. Each profile in a policy is unique. |
Data Labels |
Full name and number for each valid data label |
Refer to Restrictions on New Data Label Creation. |
Administrators |
Name of each administrator authorized to modify the parameters within this policy. |
Policy administrators can modify parameters within a policy. They are not necessarily also policy creators, who have the right to create or remove policies or policy administrators. Refer to Security Roles and Permitted Actions. |
When Oracle Label Security is used with Oracle Internet Directory, data labels must be pre-defined in the directory.
They cannot be created dynamically by a label function, as is possible when label security is not integrated with the directory.
Administrators listed within a policy are those individuals authorized to do the following policy-specific administrative tasks:
Modify existing policy options and audit settings.
Enable or disable auditing for a policy.
Create or remove levels, compartments, groups or children groups.
Modify full/long names for levels, compartment, or groups.
Define or modify enterprise user settings, in this policy, for:
Privileges
Maximum or minimum levels
Read, write, or row access for levels, compartments, or groups
Label profiles
Remove enterprise users from a policy.
There is a higher level of administrators, called policy creators, who can create and remove Oracle Label Security policies and the policy administrators named within them.
After a new database is registered with Oracle Internet Directory, the administrator can install Oracle Internet Directory enabled Oracle Label Security on that database. This installation process automatically creates a Directory Integration Platform (DIP) provisioning profile enabling policy information to be periodically refreshed in the future by downloading it to the database. Refer to Oracle Directory Integration and Provisioning (DIP) Provisioning Profiles.
When configuring the database for Oracle Internet Directory enabled Oracle Label Security, the DBCA tool puts all the policy information in Oracle Internet Directory into the database. At any point, the administrator can decide to bootstrap the database with the policy information again, using the bootstrap utility script at $ORACLE_HOME/bin/olsoidsync
. The parameters it requires are as follows:
olsoidsync --dbconnectstring <"database connect string in host:port:sid format"> --dbuser <database user> --dbuserpassword <database user password> [-c] [-r] [-b <admin context>] -h <OID host> [-p <port>] -D <bind DN> -w <bind password> For example,
olsoidsync --dbconnectstring yippee:1521:ora101 --dbuser lbacsys --dbuserpassword lbacsys -c -b "ou=Americas,o=Oracle,c=US" -h yippee -D cn=policycreator -w Easy2rem
The olsoidsync
command pulls policy information from Oracle Internet Directory and populates the information in the database. Users must provide the database TNS name, the database user name, the database user's password, the administrative context (if any), the Oracle Internet Directory host name, the bind DN and bind password, and optionally the Oracle Internet Directory port number.
The optional -c
switch causes the command to drop all the existing policies in the database and refresh it with policy information from Oracle Internet Directory.
The optional -r
switch causes the command to drop all the policy metadata (without dropping the policies themselves) and refresh the policies with new metadata from Oracle Internet Directory.
Without these two switches, the command will only create new policies from Oracle Internet Directory, and will halt on any errors encountered during the refresh.
Oracle Label Security metadata in the directory is synchronized with the databases using the Oracle Directory Provisioning Integration Service of the Directory Integration Platform.
Changes to the label security data in the directory are conveyed by the provisioning integration service in the form of provisioning events. A software agent receives these events and generates appropriate SQL or PL/SQL statements to update the database. After these statements are processed, Oracle Label Security data dictionaries are updated to match the changes already made in the directory.
Oracle Label Security subscribes itself to the Provisioning Integration Service automatically during installation. The provisioning service stores the information associated with each database in the form of a provisioning profile. The software agent uses the identity of the user "DIP" to connect to the database, and the password "DIP", when synchronizing the changes in Oracle Internet Directory with the database.
If the password for the user DIP is changed, that information must be updated in the provisioning profile of the provisioning integration service.
The steps to change the database connection information in the DIP profile are as follows:
Disable the provisioning profile. This temporarily stops the propagation of label security changes in the directory to the database, but no data is lost. Once the profile is enabled, any label security changes that happened in the directory since the profile was disabled are synchronized with the database.
Update the database connection information in the profile.
Enable the profile.
Note:
The database character set must be compatible with Oracle Internet Directory for Oracle Internet Directory-enabled Oracle Label Security to work correctly. Only then can there be successful synchronization of the Label Security metadata in Oracle Internet Directory with the Database.Please refer to Chapters 2 and 3 of Oracle Database Globalization Support Guide for more information about Character sets and Globalization Support parameters.
The DIP server synchronizes policy changes in the directory with the connected databases, using a separate DIP provisioning profile created for each database. This profile is created automatically as part of the installation process for Oracle Internet Directory-enabled Oracle Label Security. The administrator can use the provisioning tool oidprovtool
to modify the password for a database profile, using the script $ORACLE_HOME/bin/oidprovtool. Each such profile contains the following information:
Table 6-2 Elements in a DIP Provisioning Profile
Element | Name for This Element When Invoking oidprovtool |
---|---|
The LDAP host name |
ldap_host |
The LDAP port number |
ldap_port |
The user DN and password to bind to Oracle Internet Directory to retrieve policy information |
ldap_user ldap_user_password |
The database DN |
application_dn |
The organization DN, that is, the administrative context in which changes are being made |
|
The callback function to be invoked, that is, LBACSYS.OLS_DIP_NTFY |
|
The database connect information, which is the hostname of the database, the port number used to connect to the database, the database SID, the database user name and password |
|
Event subscriptions, including all MODIFY, ADD and DELETE events under cn=LabelSecurity in Oracle Internet Directory |
operation |
The time interval between synchronizations |
|
Here is an example of using oidprovtool
, followed by an explanation of the parameters in this example:
oidprovtool operation=modify ldap_host=yippee ldap_port=389 ldap_user=cn=defense_admin ldap_user_password=Easy2rem application_dn="cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US" organization_dn="ou=Americas,o=Oracle,c=US" interface_name=LBACSYS.OLS_DIP_NTFY interface_type=PLSQL interface_connect_info=yippee:1521:db1:dip:newdip schedule=60 event_subscription= "ENTRY:cn=LabelSecurity,cn=Products,cn=OracleContext, ou=Americas,o=Oracle,c=US:ADD(*)" event_subscription= "ENTRY:cn=LabelSecurity,cn=Products, cn=OracleContext,ou=Americas, o=Oracle,c=US:MODIFY(*)" event_subscription="ENTRY:cn=LabelSecurity,cn=Products, cn=OracleContext, ou=Americas,o=Oracle,c=US:DELETE"
This sample oidprovtool
command creates and enables a new DIP provisioning profile with the following attributes:
Oracle Internet Directory in host yippee using port 389
Oracle Internet Directory user bind DN: cn=defense_admin with password Easy2rem
Database DN: cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US
Organization DN (administrative context): ou=Americas,o=Oracle,c=US
Database on host yippee, listening on port 1521
Oracle SID: db1
Database user: dip with new password newdip
Interval to synchronize directory with connected databases : 60 seconds
All the ADD, MODIFY and DELETE events under cn=LabelSecurity to be sent to DIP
To start the DIP server, use $ORACLE_HOME/bin/oidctl. For example:
oidctl server=odisrv connect=db2 config=0 instance=0 start
This command will start the DIP server by connecting to db2 (the Oracle Internet Directory database) with config set 0 and instance number 0.
See also:
Oracle Internet Directory Administrator's Guide for more information on DIP provisioning profilesYou can change the password for the interface_connect_info
, which is the database password, by using the oidprovtool modify command, but first you must disable the profile. After changing the password, you then reenable the profile.
You can disable the Oracle Label Security provisioning profile using oidprovtool
, specifying the disable operation and the first six original parameters shown here. (The other original parameters are not needed.) The command form is:
oidprovtool operation=disable ldap_host=< > ldap_port=< > ldap_user_dn=< > ldap_user_password=< > application_dn=< > organization_dn=< >
Using parameters from the example given in the previous section, this command would look like this:
oidprovtool operation=disable ldap_host=yippee ldap_port=389
ldap_user=cn=defense_admin ldap_user_password=Easy2rem application_dn="cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US" organization_dn="ou=Americas,o=Oracle,c=US"
To modify the password in the connection information, use the oidprovtool
command, specifying the modify
operation, the first six original parameters, and the new DIPuser password given in the connection info. The command form is:
oidprovtool operation=modify ldap_host=< > ldap_port=< >
ldap_user_dn=< > ldap_user_password=< > application_dn=< > organization_dn=< > interface_connect_info=< new_connect _info >
Using parameters from the example given in the previous section, this command would look like this:
oidprovtool operation=modify ldap_host=yippee ldap_port=389
ldap_user=cn=defense_admin ldap_user_password=Easy2rem application_dn="cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US" organization_dn="ou=Americas,o=Oracle,c=US" interface_connect_info=yippee:1521:db1:dip:NewestDIPpassword
Similarly, you can re-enable the Directory Integration Platform provisioning profile using oidprovtool as follows, again specifying the desired operation and the first six original parameters. (The other original parameters are not needed.) The command form is:
oidprovtool operation=enable ldap_host=< > ldap_port=< > ldap_user_dn=< >
ldap_user_password=< > application_dn=< > organization_dn=< >
Again using parameters from the example given in the previous section, this command would look like this:
oidprovtool operation=enable ldap_host=yippee ldap_port=389
ldap_user=cn=defense_admin ldap_user_password=Easy2rem application_dn="cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US" organization_dn="ou=Americas,o=Oracle,c=US"
To manage Oracle Label Security policies in Oracle Internet Directory, certain entities are given access control rights in the directory. The access control mechanisms are provided by Oracle Internet Directory.
Table 6-3 describes, in abstract terms, these entities and the tasks they are enabled to perform.
Table 6-4, "Access Levels Allowed by Users in OID", lists the specific access level operations permitted or disallowed for policy creators, policy administrators, and label security users.
Table 6-3 Tasks That Certain Entities Can Perform
Entity | Tasks This Entity Can Perform |
---|---|
Policy creators |
Create new (or delete existing) policies, create new (or remove existing) policy administrators. |
Policy administrators |
For Policies: modify existing policy options and audit settings, enable or disable auditing for a policy. For Label components: create, modify, or remove levels, compartments and groups, such as by changing their full or long names or (for groups) by creating or deleting their children groups. For enterprise users: remove enterprise users from a policy, modify enterprise users' maximum or minimum levels, their read, write, and row access for compartments or groups, their privileges for a policy, and their label profiles. |
Table 6-4 Access Levels Allowed by Users in OID
Entries | Policy Creators | Policy Administrators | Databases |
---|---|---|---|
cn=Policies |
can modify |
no access |
no access |
cn=Admins,cn=Policy1 |
can modify |
no access |
no access |
uniqueMember: cn=Policy1 |
can browse |
can browse |
can modify |
cn=PolicyCreators |
no accessFoot 1 |
no access |
no access |
cn=Levels,cn=Policy1 |
can browse and delete |
can modify |
no access |
cn=Compartments,cn=Policy1 |
can browse and delete |
can modify |
no access |
cn=Groups,cn=Policy1 |
can browse and delete |
can modify |
no access |
cn=AuditOptions,cn=Policy1 |
can browse and delete |
can modify |
no access |
cn=Profiles,cn=Policy1 |
can browse and delete |
can modify |
no access |
cn=Labels,cn=Policy1 |
can browse and delete |
can modify |
no access |
cn=DBServers |
no accessFoot 2 |
no access |
no access |
Footnote 1 The group cn=OracleContextAdmins is the owner of the group cn=PolicyCreators, so members in cn=OracleContextAdmins can modify cn=PolicyCreators.
Footnote 2 The group cn=OracleDBCreators is the owner of the group cn=DBServers, so members in cn=OracleDBCreators can modify cn=DBServers.
A member of the Policy Creators group can only create, browse, and delete Oracle Label Security policies.
This user cannot perform policy administrative tasks, such as creating label components and adding users, even if explicitly added to the Policy Admins group of that policy. In short, a policy creator cannot be the administrator of any policy.
When Oracle Internet Directory is enabled with Oracle Label Security, the procedures listed in the following table are superseded. Only LBACSYS is allowed to run these procedures.
For some of the procedures listed in the table, the functionality they provided is replaced by the olsadmintool
command named in the second column (and explained in Appendix E, "Reference").
Table 6-5 Procedures Superseded by olsadmintool When Using Oracle Internet Directory
Disabled Procedure | Replaced by olsadmintool Command |
---|---|
SA_SYSDBA.CREATE_POLICY |
olsadmintool createpolicy |
SA_SYSDBA.ALTER_POLICY |
olsadmintool alterpolicy |
SA_SYSDBA.DROP_POLICY |
olsadmintool droppolicy |
SA_COMPONENTS.CREATE_LEVEL |
olsadmintool createlevel |
SA_COMPONENTS.ALTER_LEVEL |
olsadmintool alterlevel |
SA_COMPONENTS.DROP_LEVEL |
olsadmintool droplevel |
SA_COMPONENTS.CREATE_COMPARTMENT |
olsadmintool createcompartment |
SA_COMPONENTS.ALTER_COMPARTMENT |
olsadmintool altercompartment |
SA_COMPONENTS.DROP_COMPARTMENT |
olsadmintool dropcompartment |
SA_COMPONENTS.CREATE_GROUP |
olsadmintool creategroup |
SA_COMPONENTS.ALTER_GROUP |
olsadmintool altergroup |
SA_COMPONENTS.ALTER_GROUP_PARENT |
olsadmintool altergroup |
SA_COMPONENTS.DROP_GROUP |
olsadmintool dropgroup |
SA_USER_ADMIN.SET_LEVELS |
None |
SA_USER_ADMIN.SET_COMPARTMENTS |
None |
SA_USER_ADMIN.SET_GROUPS |
None |
SA_USER_ADMIN.ADD_COMPARTMENTS |
None |
SA_USER_ADMIN.ALTER_COMPARTMENTS |
None |
SA_USER_ADMIN.DROP_COMPARTMENTS |
None |
SA_USER_ADMIN.DROP_ALL_COMPARTMENTS |
None |
SA_USER_ADMIN.ADD_GROUPS |
None |
SA_USER_ADMIN.ALTER_GROUPS |
None |
SA_USER_ADMIN.DROP_GROUPS |
None |
SA_USER_ADMIN.DROP_ALL_GROUPS |
None |
SA_USER_ADMIN.SET_USER_LABELS |
olsadmintool createprofile; olsadmintool adduser; olsadmintool dropprofile; olsadmintool dropuser; |
SA_USER_ADMIN.SET_DEFAULT_LABEL |
|
SA_USER_ADMIN.SET_ROW_LABEL |
|
SA_USER_ADMIN.DROP_USER_ACCESS |
|
SA_USER_ADMIN.SET_USER_PRIVS |
olsadmintool createprofile; olsadmintool adduser;olsadmintool dropprofile; olsadmintool dropuser; |
SA_AUDIT_ADMIN.AUDIT |
olsadmintool audit |
SA_AUDIT_ADMIN.NOAUDIT |
olsadmintool noaudit |
SA_AUDIT_ADMIN.AUDIT_LABEL |
None |
SA_AUDIT_ADMIN.NOAUDIT_LABEL |
None |
The following procedures are allowed to be run only by policy administrators (enterprise users defined in Oracle Internet Directory):
SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
SA_POLICY_ADMIN.APPLY_TABLE_POLICY
SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
SA_POLICY_ADMIN.GRANT_PROG_PRIVS
SA_POLICY_ADMIN.POLICY_SUBSCRIBE
SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
SA_POLICY_ADMIN.SET_PROG_PRIVS
SA_POLICY_ADMIN.REVOKE_PROG_PRIVS