Moran R.
Table of contents:
Part I Concepts
1 Introduction to Oracle Label Security
Introduction to Computer Security
Security Policies
Discretionary Access Control
How Label-Based Access Control Works with Discretionary Access Control
Oracle9i Enterprise Edition: Virtual Private Database Technology
Oracle Label Security: An Out-of-the-Box VPD Policy
Features of Oracle Label Security
Overview of Oracle Label Security Policy Functionality
Data Labels
Policy Enforcement Options
Oracle Label Security Distributed Capabilities
2 Understanding Data Labels and User Labels
Introduction to Label-Based Security
Label Component Definitions and Valid Characters
Levels
Compartments
Groups
Industry Examples of Levels, Compartments, and Groups
Label Syntax and Type
How Data Labels and User Labels Work Together
Administering Labels
3 Understanding Access Controls and Privileges
Introduction to Access Mediation
The Row Label
Session Label Example
Authorizations Set by the Administrator
Authorized Levels
Authorized Compartments
Authorized Groups
Computed Session Labels
Difference Between Read and Write Operations
Propagation of Read/Write Authorizations on Groups
The Oracle Label Security Algorithm for Read Access
The Oracle Label Security Algorithm for Write Access
Privileges Defined by Oracle Label Security Policies
FULL
COMPACCESS
PROFILE_ACCESS
WRITEACROSS
Access Mediation and Views
Access Mediation and Program Unit Execution
Access Mediation and Policy Enforcement Options
Multiple Oracle Label Security Policies in a Distributed Environment
Part II Using Oracle Label Security Functionality
4 Working with Labeled Data
Hiding the Policy Label Column
Example 2: Numeric Column Datatype with Hidden Column
Manually Defining Label Tags to Order Labels
Manually Defining Label Tags to Manipulate Data
Automatically Generated Label Tags
Converting a Character String to a Label Tag, with CHAR_TO_LABEL
LABEL_TO_CHAR Examples
Retrieving All Columns from a Table When Policy Label Column Is Hidden
Using Numeric Label Tags in WHERE Clauses
Ordering by Character Representation of Label
Finding Least Upper Bound with LEAST_UBOUND
Finding Greatest Lower Bound with GREATEST_LBOUND
Merging Labels with the MERGE_LABEL Function
Inserting Labels Using Numeric Label Tag Values
Inserting Data When the Policy Label Column Is Hidden
Inserting Labels Using TO_DATA_LABEL
SA_SESSION Functions to Change Session and Row Labels
Changing the Session Label with SA_SESSION.SET_LABEL
Changing the Row Label with SA_SESSION.SET_ROW_LABEL
Saving Label Defaults with SA_SESSION.SAVE_DEFAULT_LABELS
USER_SA_SESSION View to Return All Security Attributes
Functions to Return Individual Security Attributes
Part III Administering an Oracle Label Security Application
5 Creating an Oracle Label Security Policy
Step 2: Define the Components of the Labels
Step 5: Authorize Users
Step 7: Configure Auditing (Optional)
Organizing the Duties of Oracle Label Security Administrators
Oracle Label Security Demonstration File
Oracle Policy Manager
Who Can Administer a Policy
Creating a Policy with SA_SYSDBA.CREATE_POLICY
Disabling a Policy with SA_SYSDBA.DISABLE_POLICY
Removing a Policy with SA_SYSDBA.DROP_POLICY
Using the SA_COMPONENTS Package to Define Label Components
Using Overloaded Procedures
Creating a Level with SA_COMPONENTS.CREATE_LEVEL
Modifying a Level with SA_COMPONENTS.ALTER_LEVEL
Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT
Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT
Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT
Creating a Group with SA_COMPONENTS.CREATE_GROUP
Modifying a Group with SA_COMPONENTS.ALTER_GROUP
Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT
Using the SA_LABEL_ADMIN Package to Specify Valid Labels
Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL
Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL
Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL
6 Administering User Labels and Privileges
Introduction to User Label and Privilege Management
Managing User Labels by Component, with SA_USER_ADMIN
SA_USER_ADMIN.SET_LEVELS
SA_USER_ADMIN.SET_COMPARTMENTS
SA_USER_ADMIN.SET_GROUPS
SA_USER_ADMIN.ALTER_COMPARTMENTS
SA_USER_ADMIN.DROP_COMPARTMENTS
SA_USER_ADMIN.ADD_GROUPS
SA_USER_ADMIN.DROP_GROUPS
Managing User Labels by Label String, with SA_USER_ADMIN
SA_USER_ADMIN.SET_USER_LABELS
SA_USER_ADMIN.SET_DEFAULT_LABEL
SA_USER_ADMIN.SET_ROW_LABEL
Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS
Returning User Name with SA_SESSION.SA_USER_NAME
View to Display All User Security Attributes: DBA_SA_USERS
Views to Display User Authorizations by Component
7 Implementing Policy Options and Labeling Functions
Overview of Policy Enforcement Options
The HIDE Policy Column Option
CHECK_CONTROL: Checking Data Labels
INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL
The Overriding Enforcement Options
Guidelines for Using the Policy Enforcement Options
Exemptions from Oracle Label Security Policy Enforcement
Approaches to Data Labeling
How Labeling Functions Work
Specifying a Labeling Function
Inserting Labels When a Labeling Function is Specified
Enforcement Control Options and UPDATE
Updating Child Rows in Tables with Declarative Referential Integrity Enabled
Policy Options and Labeling Functions: Deleting Labeled Data
SQL Predicates Used with an Oracle Label Security Policy
Effect of Multiple SQL Predicates Under Oracle Label Security
8 Applying Policies to Tables and Schemas
Policy Administration Terminology
Policy Administration Functions for Tables and Schemas
Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY
Removing a Policy with SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
Disabling a Policy with SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
Re-enabling a Policy with SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
Applying a Policy with SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
Altering Enforcement Options: SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY
Disabling a Policy with SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
Policy Issues for Schemas
9 Administering and Using Trusted Stored Program Units
Introduction to Trusted Stored Program Units
Trusted Stored Program Unit Example
Managing Program Unit Privileges with SET_PROG_PRIVS
Recreating Trusted Stored Program Units
Executing Trusted Stored Program Units
SA_UTL.DATA_LABEL
SA_UTL.SET_ROW_LABEL
LEAST_UBOUND
10 Auditing Under Oracle Label Security
Overview of Oracle Label Security Auditing
Enabling Systemwide Auditing: AUDIT_TRAIL Initialization Parameter
Auditing Options for Oracle Label Security
Enabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.AUDIT
Disabling Oracle Label Security Auditing with SA_AUDIT_ADMIN.NOAUDIT
Examining Audit Options with the DBA_SA_AUDIT_OPTIONS View
Finding Label Audit Status with AUDIT_LABEL_ENABLED
Dropping the View with SA_AUDIT_ADMIN.DROP_VIEW
Auditing Privileged Operations
11 Using Oracle Label Security with a Distributed Database
An Oracle Label Security Distributed Configuration
Connecting to a Remote Database Under Oracle Label Security
Establishing Session Label and Row Label for a Remote Session
Setting Label Tags in a Distributed Environment
Setting Numeric Form of Label Components in a Distributed Environment
Using Oracle Label Security Policies in a Distributed Environment
Replication Functionality Supported by Oracle Label Security
Row Level Security Restriction on Replication Under Oracle Label Security
How Materialized View Contents Are Determined
Partial Materialized Views
Requirements for the Owner of the Materialized View
Requirements for Creating Complete Multilevel Materialized Views
How to Refresh Materialized Views
12 Performing DBA Functions Under Oracle Label Security
Using the Import Utility with Oracle Label Security
Verifying Import User Authorizations
Defining Data Labels for Import
Importing Tables with Hidden Columns
Oracle Label Security Input to SQL*Loader
Creating Indexes on the Policy Label Column
Planning a Label Tag Strategy to Enhance Performance
Partitioning Data Based on Numeric Label Tags
Creating Additional Databases After Installation
Part IV Appendix
A Advanced Topics in Oracle Label Security
Non-Comparable Labels
Using Dominance Functions
DOMINATED_BY Standalone Function
SA_UTL.DOMINATED_BY
SA_UTL.STRICTLY_DOMINATED_BY
OCIAttrGet
OCIAttrSet
OCI Example
B Reference
ALL_SA_AUDIT_OPTIONS
ALL_SA_GROUPS
ALL_SA_POLICIES
ALL_SA_TABLE_POLICIES
ALL_SA_USER_LEVELS
DBA_SA_COMPARTMENTS
DBA_SA_GROUP_HIERARCHY
DBA_SA_POLICIES
DBA_SA_TABLE_POLICIES
DBA_SA_USER_GROUPS
DBA_SA_USER_PRIVS
Oracle Label Security Auditing Views
Oracle Label Security Deinstallation Restriction
Hidden Columns Restriction
Index