This chapter discusses using Oracle Label Security packages to administer user labels and privileges. You can also use the Web interface provided by Oracle Enterprise Manager Database Control to administer these. This is discussed in Chapter 4, "Getting Started with Oracle Label Security".
This chapter includes the following topics:
To manage user labels and privileges, you must have the EXECUTE privilege for the SA_USER_ADMIN package, and must have been granted the policy_DBA role.
The SA_USER_ADMIN package provides the functions to manage the Oracle Label Security user security attributes. It contains several procedures to manage user labels by component: that is, specifying user levels, compartments, and groups. For convenience, there are additional procedures that accept character string representations of full labels, rather than components. Note that the level, compartment and group parameters use the short name defined for each component.
All of the label and privilege information is stored in Oracle Label Security data dictionary tables. When a user connects to the database, his session labels are established based on the information stored in the Oracle Label Security data dictionary.
The following SA_USER_ADMIN procedures enable you to manage user labels by label component:
The SET_LEVELS procedure assigns a minimum and maximum level to a user and identifies default values for the user's session label and row label.
If the min_level is NULL, then it is set to the lowest defined level for the policy.
If the def_level is not specified, then it is set to the max_level.
If the row_level is not specified, then it is set to the def_level.
Syntax:
PROCEDURE SET_LEVELS (policy_name IN VARCHAR2, user_name IN VARCHAR2, max_level IN VARCHAR2, min_level IN VARCHAR2 DEFAULT NULL, def_level IN VARCHAR2 DEFAULT NULL, row_level IN VARCHAR2 DEFAULT NULL);
Table 8-1 Parameters for SA_USER_ADMIN.SET_LEVELS
Parameter | Meaning |
---|---|
policy_name |
Specifies the policy |
user_name |
Specifies the user name |
max_level |
The highest level for read and write access |
min_level |
The lowest level for write access |
def_level |
Specifies the default level (equal to or greater than the minimum level, and equal to or less than the maximum level) |
row_level |
Specifies the row level (equal to or greater than the minimum level, and equal to or less than the default level) |
The SET_COMPARTMENTS procedure assigns compartments to a user and identifies default values for the user's session label and row label.
If write_comps are NULL, then they are set to the read_comps.
If the def_comps are NULL, then they are set to the read_comps.
If the row_comps are NULL, then they are set to the components in def_comps that are authorized for write access.
All users must have their levels set before their authorized compartments can be established.
The write compartments, if specified, must be a subset of the read compartments. (The write compartments are those to which the user should have write access.)
Syntax:
PROCEDURE SET_COMPARTMENTS (policy_name IN VARCHAR2, user_name IN VARCHAR2, read_comps IN VARCHAR2, write_comps IN VARCHAR2 DEFAULT NULL, def_comps IN VARCHAR2 DEFAULT NULL, row_comps IN VARCHAR2 DEFAULT NULL);
Table 8-2 Parameters for SA_USER_ADMIN.SET_COMPARTMENTS
Parameter | Meaning |
---|---|
policy_name |
Specifies the policy |
user_name |
Specifies the user name |
read_comps |
A comma-delimited list of compartments authorized for read access |
write_comps |
A comma-delimited list of compartments authorized for write access (subset of read_comps) |
def_comps |
Specifies the default compartments. This must be a subset of read_comps. |
row_comps |
Specifies the row compartments. This must be a subset of write_comps and def_comps. |
The SET_GROUPS procedure assigns groups to a user and identifies default values for the user's session label and row label.
If the write_groups are NULL, they are set to the read_groups.
If the def_groups are NULL, they are set to the read_groups.
If the row_groups are NULL, they are set to the groups in def_groups that are authorized for write access.
All users must have their levels set before their authorized groups can be established.
Syntax:
PROCEDURE SET_GROUPS (policy_name IN VARCHAR2, user_name IN VARCHAR2, read_groups IN VARCHAR2, write_groups IN VARCHAR2 DEFAULT NULL, def_group IN VARCHAR2 DEFAULT NULL, row_groups IN VARCHAR2 DEFAULT NULL);
Table 8-3 Parameters for SA_USER_ADMIN.SET_GROUPS
Parameter | Meaning |
---|---|
policy_name |
Specifies the policy |
user_name |
Specifies the user name |
read_groups |
A comma-delimited list of groups authorized for read |
write_groups |
A comma-delimited list of groups authorized for write. This must be a subset of read_groups. |
def_groups |
Specifies the default groups. This must be a subset of read_groups |
row_groups |
Specifies the row groups. This must be a subset of write_groups and def_groups. |
The ALTER_COMPARTMENTS procedure changes the write access, the default label indicator, and the row label indicator for each of the compartments in the list.
Syntax:
PROCEDURE ALTER_COMPARTMENTS (policy_name IN VARCHAR2, user_name IN VARCHAR2, comps IN VARCHAR2, access_mode IN VARCHAR2 DEFAULT NULL, in_def IN VARCHAR2 DEFAULT NULL, in_row IN VARCHAR2 DEFAULT NULL);
Table 8-4 Parameters for SA_USER_ADMIN.ALTER_COMPARTMENTS
This procedure adds compartments to a user's authorizations, indicating whether the compartments are authorized for write as well as read.
Syntax:
PROCEDURE ADD_COMPARTMENTS (policy_name IN VARCHAR2, user_name IN VARCHAR2, comps IN VARCHAR2, access_model IN VARCHAR2 DEFAULT NULL, in_def IN VARCHAR2 DEFAULT NULL, in_row IN VARCHAR2 DEFAULT NULL);
Table 8-5 Parameters for SA_USER_ADMIN.ADD_COMPARTMENTS
The DROP_COMPARTMENTS procedure drops the specified compartments from a user's authorizations.
Syntax:
PROCEDURE DROP_COMPARTMENTS (policy_name IN VARCHAR2, user_name IN VARCHAR2, comps IN VARCHAR2);
The DROP_ALL_COMPARTMENTS procedure drops all compartments from a user's authorizations.
Syntax:
PROCEDURE DROP_ALL_COMPARTMENTS (policy_name IN VARCHAR2, user_name IN VARCHAR2);
The ADD_GROUPS procedure adds groups to a user, indicating whether the groups are authorized for write as well as read.
Syntax:
PROCEDURE ADD_GROUPS (policy_name IN VARCHAR2, user_name IN VARCHAR2, groups IN VARCHAR2, access_mode IN VARCHAR2 DEFAULT NULL, in_def IN VARCHAR2 DEFAULT NULL, in_row IN VARCHAR2 DEFAULT NULL);
Table 8-8 Parameters for SA_USER_ADMIN.ADD_GROUPS
The ALTER_GROUPS procedure changes the write access, the default label indicator, and the row label indicator for each of the groups in the list.
Syntax:
PROCEDURE ALTER_GROUPS (policy_name IN VARCHAR2, user_name IN VARCHAR2, groups IN VARCHAR2, access_mode IN VARCHAR2 DEFAULT NULL, in_def IN VARCHAR2 DEFAULT NULL, in_row IN VARCHAR2 DEFAULT NULL);
Table 8-9 Parameters for SA_USER_ADMIN.ALTER_GROUPS
The DROP_GROUPS procedure drops the specified groups from a user's authorizations.
Syntax:
PROCEDURE DROP_GROUPS (policy_name IN VARCHAR2, user_name IN VARCHAR2, groups IN VARCHAR2);
The following SA_USER_ADMIN procedures enable you to manage user labels by specifying the complete character label string:
The SET_USER_LABELS procedure sets the user's levels, compartments, and groups using a set of labels, instead of the individual components.
Syntax:
PROCEDURE SET_USER_LABELS ( policy_name IN VARCHAR2, user_name IN VARCHAR2, max_read_label IN VARCHAR2, max_write_label IN VARCHAR2 DEFAULT NULL, min_write_label IN VARCHAR2 DEFAULT NULL, def_label IN VARCHAR2 DEFAULT NULL, row_label IN VARCHAR2 DEFAULT NULL);
Table 8-12 Parameters for SA_USER_ADMIN.SET_USER_LABELS
Parameter | Meaning |
---|---|
max_read_label |
Specifies the label string to be used to initialize the user's maximum authorized read label. Composed of the user's maximum level, compartments authorized for read access, and groups authorized for read access. |
max_write_label |
Specifies the label string to be used to initialize the user's maximum authorized write label. Composed of the user's maximum level, compartments authorized for write access, and groups authorized for write access. If max_write_label is not specified, then it is set to max_read_label. |
min_write_label |
Specifies the label string to be used to initialize the user's minimum authorized write label. Contains only the level, with no compartments or groups. If min_write_label is not specified, then it is set to the lowest defined level for the policy, with no compartments or groups. |
def_label |
Specifies the label string to be used to initialize the user's session label, including level, compartments, and groups (a subset of max_read_label). If default_label is not specified, then it is set to max_read_label. |
policy_name |
Specifies the policy |
user_name |
Specifies the user name |
row_label |
Specifies the label string to be used to initialize the program's row label. Includes level, components, and groups: subsets of max_write_label and def_label. If row_label is not specified, then it is set to def_label, with only the compartments and groups authorized for write access. |
The SET_DEFAULT_LABEL procedure sets the user's initial session label to the one specified.
Syntax:
PROCEDURE SET_DEFAULT_LABELS ( policy_name IN VARCHAR2, user_name IN VARCHAR2, def_label IN VARCHAR2);
Table 8-13 Parameters for SA_USER_ADMIN.SET_DEFAULT_LABEL
Parameter | Meaning |
---|---|
policy_name |
Specifies the policy |
user_name |
Specifies the user name |
def_label |
Specifies the label string to be used to initialize the user's default labels. This label may contain any compartments and groups that are authorized for read access. |
As long as the row label will still be dominated by the new write label, the user can set the session label to:
Any level equal to or less than his maximum, and equal to or greater than his minimum label
Include any compartments in the authorized compartment list
Include any groups in the authorized group list. (Subgroups of authorized groups are implicitly included in the authorized list.)
The row label must be dominated by the new write label that will result from resetting the session label. If this condition is not true, then the SET_DEFAULT_LABEL procedure will fail.
For example, suppose the current row label is S:A,B, and that you have write access to both compartments. If you attempt to set the new default label to C:A,B, then the SET_LABEL procedure will fail. This is because the new write label would be C:A,B, which does not dominate the current row label.
To successfully reset the session label in this case, you must first lower the row label to a value that will be dominated by the resulting session label.
Use the SET_ROW_LABEL procedure to set the user's initial row label to the one specified.
Syntax:
PROCEDURE SET_ROW_LABEL ( policy_name IN VARCHAR2, user_name IN VARCHAR2, row_label IN VARCHAR2);
Table 8-14 Parameters for SA_USER_ADMIN.SET_ROW_LABEL
Parameter | Meaning |
---|---|
policy_name |
Specifies the policy |
user_name |
Specifies the user name |
row_label |
Specifies the label string to be used to initialize the user's row label. The label must contain only those compartments and groups from the default label that are authorized for write access. |
The user can set the row label independently, but only to:
A level that is less than or equal to the level of the session label, and greater than or equal to the user's minimum level
Include a subset of the compartments and groups from the session label, for which the user is authorized to have write access
If you try to set the row label to an invalid value, then the operation is disallowed, and the row label value is unchanged.
Use the DROP_USER_ACCESS procedure to remove all Oracle Label Security authorizations and privileges from the specified user. This procedure must be issued from the command line.
Syntax:
PROCEDURE DROP_USER_ACCESS ( policy_name IN VARCHAR2, user_name IN VARCHAR2);
The SET_USER_PRIVS procedure sets policy-specific privileges for users. These privileges do not become effective in the current session. However, they become effective the next time the user logs in. The new set of privileges replaces any existing privileges. A NULL value for the privileges parameter removes the user's privileges for the policy.
To assign policy privileges to users, you must have the EXECUTE privilege for the SA_USER_ADMIN package, and must have been granted the policy_DBA role.
Syntax:
PROCEDURE SET_USER_PRIVS ( policy_name IN VARCHAR2, user_name IN VARCHAR2, privileges IN VARCHAR2);
The SET_ACCESS_PROFILE procedure sets the Oracle Label Security authorizations and privileges of the database session to those of the specified user. (Note that the originating user retains the PROFILE_ACCESS privilege.)
The user executing the SA_SESSION.SET_ACCESS_PROFILE procedure must have the PROFILE_ACCESS privilege. Note that the logged-in database user (the Oracle userid) does not change. That user assumes only the authorizations and privileges of the specified user. By contrast, the Oracle Label Security user name is changed.
This administrative procedure is useful for various tasks:
With SET_ACCESS_PROFILE, the administrator can see the result of the authorization and privilege settings for a particular user.
Applications need to have proxy accounts connect as (and assume the identity of) application users, for purposes of accessing labeled data. With the SET_ACCESS_PROFILE privilege, the proxy account can act on behalf of the application users.
Syntax:
PROCEDURE SET_ACCESS_PROFILE (policy_name IN VARCHAR2 user_name IN VARCHAR2);
The SA_USER_NAME function returns the name of the current Oracle Label Security user, as set by the SET_ACCESS_PROFILE procedure (or as established at login). This is how you can determine the identity of the current user in relation to Oracle Label Security, rather than in relation to your Oracle login name.
Syntax:
FUNCTION SA_USER_NAME (policy_name IN VARCHAR2) RETURN VARCHAR2;
This section describes views you can use to see the user authorization and privilege assignments made by the administrator.
The DBA_SA_USERS view displays the values assigned for privileges, levels, compartments, and groups all together, corresponding to how you enter these values through the SA_USER_ADMIN command-line interface. The values include:
USER_PRIVILEGES
MAX_READ_LABEL
MAX_WRITE_LABEL
MIN_WRITE_LABEL
DEFAULT_READ_LABEL
DEFAULT_WRITE_LABEL
DEFAULT_ROW_LABEL
USER_LABELS
MAX_READ_LABEL
MAX_WRITE_LABEL
MIN_WRITE_LABEL
DEFAULT_READ_LABEL
DEFAULT_WRITE_LABEL
DEFAULT_ROW_LABEL
This information is stored in data dictionary tables, and used to establish session and row labels when a user logs in.
Note:
The field USER_LABELS in DBA_SA_USERS is retained solely for backward compatibility and will be removed in the next release.The following views individually display each component of the label: