Oracle Label Security
======================
Labels and policy enforcement depend on the factors explained in the following sections:
Data Labels
Label Authorizations
Policy Privileges
Policy Enforcement Options
Data Labels
---------------
In Oracle Label Security, each row of a table can be labeled based on its level of confidentiality. Every label contains three components:
a single level (sensitivity) ranking
zero or more horizontal compartments or categories
zero or more hierarchical groups
A label can be any one of the following four combinations of components:
a single level component, with no groups or compartments, such as U::
a level and a set of compartments with no groups, such as U:Alpha, Beta:
a level and a set of groups with no compartments, such as U::FIN, ASIA
a level with both compartments and groups, such as U:Beta, Psi:ASIA, FIN
Label Authorizations
-----------------------
Users can be granted label authorizations that determine the kind of access (read or write) they have to the rows that are labeled. When a label has been applied to a
row, only users authorized for access to that label can see it or possibly change it. No user can access or affect rows for which that user lacks necessary
authorization. If a row has multiple labels, then a user must have the required authorizations for each such label to see or alter that row.
Policy Privileges
------------------
Policy privileges enable a user or stored program unit to bypass some aspects of the label-based access control policy
Policy Enforcement Options
----------------------------
In Oracle Label Security, administrators or application developers can apply different policy enforcement options for maximum flexibility in controlling the DML operations users can perform.
Summary: Four Aspects of Label-Based Row Access
-------------------------------------------------
When label-based access is enforced within a protected table, access to a row requires a user's label to meet certain criteria determined by policy definitions. These
access controls act as a secondary access mediation check, after the discretionary access controls implemented by the application developers.
In summary, Oracle Label Security provides four aspects of label-based access control:
A user's label indicates the information that a user is permitted to access, and determines the type of access (read or write) the user is allowed to perform.
A row's label indicates the sensitivity of the information that the row contains, and can also indicate its ownership and its affiliation with similar data.
A user's policy privileges can enable bypassing some aspects of a label-based access control policy.
A table's policy enforcement options determine various aspects of how access controls are enforced for read and write operations.
Label Components
------------------
Sensitivity Label Components
Component Description Examples
Level A single specification of the labeled data's CONFIDENTIAL (1), SENSITIVE (2), HIGHLY_SENSITIVE (3)
sensitivity within the ordered ranks established
Compartments Zero or more categories associated with the labeled data FINANCIAL, STRATEGIC, NUCLEAR
Groups Zero or more identifiers for organizations owning or accessing the data EASTERN_REGION, WESTERN_REGION
Creating Policies
====================
PROCEDURE CREATE_POLICY (
policy_name IN VARCHAR2,
column_name IN VARCHAR2 DEFAULT NULL,
default_options IN VARCHAR2 DEFAULT NULL);
BEGIN
SA_SYSDBA.CREATE_POLICY(
POLICY_NAME =>'FACILITY',
COLUMN_NAME => 'FACLAB',
DEFAULT_OPTIONS =>'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
END;
Creating Levels
==================
PROCEDURE CREATE_LEVEL (
policy_name IN VARCHAR2,
level_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2);
BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
level_num => '100',
SHORT_NAME => 'P',
LONG_NAME => 'PUBLIC');
END;
/
BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
level_num => '200',
SHORT_NAME => 'C',
LONG_NAME => 'CONFIDENTIAL');
END;
/
BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
level_num => '300',
SHORT_NAME => 'S',
LONG_NAME => 'SENSITIVE');
END;
/
BEGIN
SA_COMPONENTS.CREATE_LEVEL(
POLICY_NAME =>'FACILITY',
level_num => '400',
SHORT_NAME => 'HS',
LONG_NAME => 'HIGHLY_SENSITIVE');
END;
/
Creating Groups
==================
PROCEDURE CREATE_GROUP (
policy_name IN VARCHAR2,
group_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2,
parent_name IN VARCHAR2 DEFAULT NULL);
BEGIN
SA_COMPONENTS.CREATE_GROUP(
POLICY_NAME =>'FACILITY',
GROUP_NUM => '1000',
SHORT_NAME => 'WR_SAL',
LONG_NAME => 'WR_SALES',
PARENT_NAME => 'WR');
END;
BEGIN
SA_COMPONENTS.CREATE_GROUP('FACILITY',1000,'WR','WESTERN_REGION');
SA_COMPONENTS.CREATE_GROUP('FACILITY',1100,'WR_SAL','WR_SALES','WR');
SA_COMPONENTS.CREATE_GROUP('FACILITY',1200,'WR_FIN','WR_FINANCE','WR');
SA_COMPONENTS.CREATE_GROUP('FACILITY',1210,'WR_AP','WR_ACCT_PAYABLE','WR_FIN');
END;
/
Defining Compartments
======================
PROCEDURE CREATE_COMPARTMENT (
policy_name IN VARCHAR2,
comp_num IN INTEGER,
short_name IN VARCHAR2,
long_name IN VARCHAR2);
BEGIN
SA_COMPONENTS.CREATE_COMPARTMENT(
POLICY_NAME =>'FACILITY',
COMP_NUM => '85',
SHORT_NAME => 'FIN',
LONG_NAME => 'Financial');
END;
/
BEGIN
SA_COMPONENTS.CREATE_COMPARTMENT(
POLICY_NAME =>'FACILITY',
COMP_NUM => '65',
SHORT_NAME => 'CH',
LONG_NAME => 'Chemical');
END;
/
BEGIN
SA_COMPONENTS.CREATE_COMPARTMENT(
POLICY_NAME =>'FACILITY',
COMP_NUM => '45',
SHORT_NAME => 'OP',
LONG_NAME => 'Operations');
END;
/
Creating Data Labels
======================
the administrator might create valid labels such as these:
SENSITIVE:FINANCIAL,CHEMICAL:EASTERN_REGION,WESTERN_REGION
CONFIDENTIAL:FINANCIAL:VP_GRP
SENSITIVE
HIGHLY_SENSITIVE:FINANCIAL
SENSITIVE::WESTERN_REGION
Syntax
PROCEDURE CREATE_LABEL (
policy_name IN VARCHAR2,
label_tag IN INTEGER,
label_value IN VARCHAR2,
data_label IN BOOLEAN DEFAULT TRUE);
Example:
BEGIN
SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',1000,'P');
SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',2101,'S::WR_FIN');
SA_LABEL_ADMIN.CREATE_LABEL('FACILITY',3101,'HS::WR');
END;
Assigning User Authorization Labels
======================================
Syntax
PROCEDURE SET_USER_LABELS (
policy_name IN VARCHAR2,
user_name IN VARCHAR2,
max_read_label IN VARCHAR2,
max_write_label IN VARCHAR2 DEFAULT NULL,
min_write_label IN VARCHAR2 DEFAULT NULL,
def_label IN VARCHAR2 DEFAULT NULL,
row_label IN VARCHAR2 DEFAULT NULL);
max_read_label: Specifies the label string to be used to initialize the user’s maximum
authorized read label. Composed of the user’s maximum level. Compartments authorized for
read access, and groups authorized for read access
max_write_label: Specifies the label string to be used to initialize the user’s maximum
authorized write label. Composed of the user’s maximum level. Compartments authorized for
write access, and groups authorized for write access. If max_write_label is not specified, it
is set to max_read_label.
min_write_label: Specifies the label string to be used to initialize the user’s minimum
authorized write label. Contains only the level, with no compartments or groups. If
min_write_label is not specified, it is set to the lowest defined level for the policy, with no
compartments or groups.
def_label: Specifies the label string to be used to initialize the user’s session label, including
level, compartments, and groups (a subset of max_read_label). If default_label is not
specified, it is set to max_read_label.
policy_name: Specifies the policy
user_name: Specifies the username
row_label: Specifies the label string to be used to initialize the program’s row label. Includes
level, components, and groups: subsets of max_write_label and def_label. If row_label is not specified, it is set to def_label, with only the compartments and groups
authorized for write access.
BEGIN
SA_USER_ADMIN.SET_USER_LABELS (
POLICY_NAME =>'FACILITY',
USER_NAME => 'scott',
MAX_READ_LABEL =>'S::WR_FIN');
END;
Applying the Policy to a Table
================================
• Add the FACILITY policy to the LOCATIONS table.
• TABLE_OPTION => NULL implies that the policy default options are used.
PROCEDURE APPLY_TABLE_POLICY (
policy_name IN VARCHAR2,
schema_name IN VARCHAR2,
table_name IN VARCHAR2,
table_options IN VARCHAR2 DEFAULT NULL,
label_function IN VARCHAR2 DEFAULT NULL,
predicate IN VARCHAR2 DEFAULT NULL);
BEGIN
SA_POLICY_ADMIN.APPLY_TABLE_POLICY (
POLICY_NAME => 'FACILITY',
SCHEMA_NAME => 'HR',
TABLE_NAME => 'EMPLOYEES',
TABLE_OPTIONS => NULL,
LABEL_FUNCTION => NULL);
END;
/
SQL> DESC HR.EMPLOYEES
Name Null? Type
----------------------------------------- -------- ----------------------------
EMPLOYEE_ID NOT NULL NUMBER(6)
FIRST_NAME VARCHAR2(20)
LAST_NAME NOT NULL VARCHAR2(25)
EMAIL NOT NULL VARCHAR2(25)
PHONE_NUMBER VARCHAR2(20)
HIRE_DATE NOT NULL DATE
JOB_ID NOT NULL VARCHAR2(10)
SALARY NUMBER(8,2)
COMMISSION_PCT NUMBER(2,2)
MANAGER_ID NUMBER(6)
DEPARTMENT_ID NUMBER(4)
SQL> UPDATE HR.EMPLOYEES SET FACLAB='3101';
27 rows updated.
SQL> COMMIT;
Commit complete.
SQL>
SQL>
SQL> SELECT FACLAB FROM HR.EMPLOYEES
FACLAB
----------
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
3101
27 rows selected.
SQL> SELECT LABEL_TO_CHAR(3101) FROM DUAL;
LABEL_TO_CHAR(3101)
---------------------------------------------
HS::WR
SQL> SELECT CHAR_TO_LABEL('FACILITY','HS::WR') FROM DUAL;
CHAR_TO_LABEL('FACILITY','HS::WR')
----------------------------------
3101
SQL> UPDATE HR.EMPLOYEES SET FACLAB='2101' WHERE MANAGER_ID=146;
6 rows updated.
SQL> COMMIT;
Commit complete.
SQL> SELECT LABEL_TO_CHAR(FACLAB) FROM HR.EMPLOYEES;
LABEL_TO_CHAR(FACLAB)
------------------------------------------------------------------------
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
S::WR_FIN
S::WR_FIN
S::WR_FIN
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
HS::WR
27 rows selected.
SQL> grant select on HR.EMPLOYEES to scott;
SQL> CONN SCOTT/TIGER;
Connected.
SQL> SELECT LABEL_TO_CHAR(FACLAB) FROM HR.EMPLOYEES ;
LABEL_TO_CHAR(FACLAB)
----------------------------------------------------------
S::WR_FIN
S::WR_FIN
S::WR_FIN
SQL> SELECT COUNT(*) FROM HR.EMPLOYEES ;
COUNT(*)
----------
3
SQL> Select SA_SESSION.LABEL('FACILITY') FROM DUAL;
SA_SESSION.LABEL('FACILITY')
---------------------------------------------------
S::WR_FIN,WR_AP
Converting a Character String to a Label Tag, with CHAR_TO_LABEL
====================================================================
Use the CHAR_TO_LABEL function to convert a character string to a label tag. This function returns the label tag for the specified character string.
Syntax:
FUNCTION CHAR_TO_LABEL (
policy_name IN VARCHAR2,
label_string IN VARCHAR2)
RETURN NUMBER;
Example:
INSERT INTO emp (empno,hr_label)
VALUES (999, CHAR_TO_LABEL('HR','S:A,B:G5');
Here, HR is the label policy name, S is a sensitivity level, A,B compartments, and G5 a group
Converting a Label Tag to a Character String, with LABEL_TO_CHAR
==================================================================
When you query a table or view, you automatically retrieve all of the rows in the table or view that satisfy the qualifications of the query and are dominated by your label. If the policy label column is not hidden, then the label tag value for each row is displayed. You must use the LABEL_TO_CHAR function to display the character string value of each label.
Note that all conversions must be explicit. There is no automatic casting to and from tag and character string representations.
Syntax:
FUNCTION LABEL_TO_CHAR (label IN NUMBER)
RETURN VARCHAR2;
Inserting Labeled Data
===========================
When you insert data into a table protected by a policy under Oracle Label Security, a numeric label value tag must be supplied, usually in the INSERT statement itself. To do this, you must explicitly specify the tag for the desired label or explicitly convert the character string representation of the label into the correct tag. Note that this does not mean generating new label tags, but referencing the correct tag. When Oracle Label Security is using Oracle Internet Directory, the only permissible labels (and corresponding tags) are those pre-defined by the administrator and already in Oracle Internet Directory.
The only times an INSERT statement may omit a label value are:
1.if the LABEL_DEFAULT enforcement option was specified when the policy was applied, or
2.if no enforcement options were specified when the policy was applied and LABEL_DEFAULT was specified when the policy was created, or
3.if the statement applying the policy named a labeling function.
In cases 1 and 2, the user's session default row label is used as the inserted row's label. In case 3, the inserted row's label is created by that labeling function.
Policy Enforcement Options
============================
Access-control enforcement controls read and write access to the data. The policies can be set for each type of data manipulation language (DML):
• READ_CONTROL enforces the policy for all queries, controlling which data rows are accessible for SELECT, UPDATE, and DELETE. If READ_CONTROL is OFF on a policy, then
for any table protected by the policy, all rows are accessible to all users.
• WRITE_CONTROL determines the ability to insert, update, and delete data in a row. If this option is active, it enforces INSERT_CONTROL, UPDATE_CONTROL, and
DELETE_CONTROL. You can apply INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL separately.
Label-management enforcement ensures that data labels written for inserted or updated rows do not violate policies set for such labels:
• LABEL_DEFAULT uses the session’s default row label value unless the user explicitly specifies a label on INSERT.
• LABEL_UPDATE applies policy enforcement to the UPDATE operations that set or change the value of a label attached to a row. The WRITEUP, WRITEDOWN, and WRITEACROSS
privileges are only enforced if the LABEL_UPDATE option is active. Note that any label function that is in force overrides the LABEL_UPDATE option.
• CHECK_CONTROL applies the READ_CONTROL policy enforcement to the INSERT and UPDATE statements to ensure that the new row label is read-accessible by the user that is changing the label.
Options to override enforcement can suspend or apply all other enforcement options:
• ALL_CONTROL applies all enforcement options.
• NO_CONTROL applies no enforcement options. A labeling function or a SQL predicate can still be applied. In the absence of a label function, data rows that are
inserted do not have a label. If enforcement options are later turned on, the unlabeled rows are not visible unless the user has the READ or FULL access authorization.
Oracle Label Security Privileges
===================================
READ Allows read access to all data protected by the policy
FULL Allows full read and write access to all data protected by the policy
COMPACCESS Allows a session access to data authorized by the row's compartments, independent of the row's groups
PROFILE_ACCESS Allows a session to change its labels and privileges to those of a different user
WRITEUP Allows users to set or raise only the level, within a row label, up to the maximum level authorized
for the user. (Active only if LABEL_UPDATE is active.)
WRITEDOWN Allows users to set or lower the level, within a row label, to any level equal to or greater than
the minimum level authorized for the user. (Active only if LABEL_UPDATE is active.)
WRITEACROSS Allows a user to set or change groups and compartments of a row label, but does not allow changes to
the level. (Active only if LABEL_UPDATE is active.)
execute SA_USER_ADMIN.SET_USER_PRIVS ('ACCESS_LOCATIONS','HR','FULL');