Oracle® Label Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10774-01

7
Administering User Labels and Privileges

In Oracle Label Security, you can set authorizations for users, and grant privileges to users or stored program units by means of the available Oracle Label Security packages, or Oracle Policy Manager.

Introduction to User Label and Privilege Management

To manage user labels and privileges, you must have EXECUTE privilege for the SA_USER_ADMIN package, and must have been granted the policy_DBA role.

To perform these functions with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Authorizations-->Users and use the User property sheet.

The SA_USER_ADMIN package provides the functions to manage the Oracle Label Security user security attributes. It contains several procedures to manage user labels by component: that is, specifying user levels, compartments, and groups. For convenience, there are additional procedures that accept character string representations of full labels, rather than components. Note that the level, compartment and group parameters use the short name defined for each component.

All of the label and privilege information is stored in Oracle Label Security data dictionary tables. When a user connects to the database, his session labels are established based on the information stored in the Oracle Label Security data dictionary.

Note that a user can be authorized under multiple policies.

Managing User Labels by Component, with SA_USER_ADMIN

The following SA_USER_ADMIN procedures enable you to manage user labels by label component:

SA_USER_ADMIN.SET_LEVELS

The SET_LEVELS procedure assigns a minimum and maximum level to a user and identifies default values for the user's session label and row label.

Syntax:

PROCEDURE SET_LEVELS (policy_name IN VARCHAR2,
   user_name        IN VARCHAR2,
   max_level        IN VARCHAR2,
   min_level        IN VARCHAR2 DEFAULT NULL,
   def_level        IN VARCHAR2 DEFAULT NULL,
   row_level        IN VARCHAR2 DEFAULT NULL);

Table 7-1 Parameters for SA_USER_ADMIN.SET_LEVELS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

max_level

The highest level for read and write access

min_level

The lowest level for write access

def_level

Specifies the default level (equal to or greater than the minimum level, and equal to or less than the maximum level)

row_level

Specifies the row level (equal to or greater than the minimum level, and equal to or less than the default level)

SA_USER_ADMIN.SET_COMPARTMENTS

The SET_COMPARTMENTS procedure assigns compartments to a user and identifies default values for the user's session label and row label.

  • If write_comps are NULL, they are set to the read_comps.
  • If the def_comps are NULL, they are set to the read_comps.
  • If the row_comps are NULL, they are set to the components in def_comps that are authorized for write access.

All users must have their levels set before their authorized compartments can be established.

The write compartments, if specified, must be a subset of the read compartments. (The write compartments are those to which the user should have write access.)

Syntax:

PROCEDURE SET_COMPARTMENTS (policy_name IN VARCHAR2,
  user_name     IN VARCHAR2,
  read_comps    IN VARCHAR2,
  write_comps   IN VARCHAR2 DEFAULT NULL,
  def_comps     IN VARCHAR2 DEFAULT NULL,
  row_comps     IN VARCHAR2 DEFAULT NULL);

Table 7-2 Parameters for SA_USER_ADMIN.SET_COMPARTMENTS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

read_comps

A comma-delimited list of compartments authorized for read access

write_comps

A comma-delimited list of compartments authorized for write access (subset of read_comps)

def_comps

Specifies the default compartments. This must be a subset of read_comps.

row_comps

Specifies the row compartments. This must be a subset of write_comps and the def_comps.

SA_USER_ADMIN.SET_GROUPS

The SET_GROUPS procedure assigns groups to a user and identifies default values for the user's session label and row label.

  • If the write_groups are NULL, they are set to the read_groups.
  • If the def_groups are NULL, they are set to the read_groups.
  • If the row_groups are NULL, they are set to the groups in def_groups that are authorized for write access.

All users must have their levels set before their authorized groups can be established.

Syntax:

PROCEDURE SET_GROUPS (policy_name IN VARCHAR2,
  user_name        IN VARCHAR2,
  read_groups      IN VARCHAR2,
  write_groups     IN VARCHAR2 DEFAULT NULL,
  def_groups       IN VARCHAR2 DEFAULT NULL,
  row_groups       IN VARCHAR2 DEFAULT NULL);

Table 7-3 Parameters for SA_USER_ADMIN.SET_GROUPS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

read_groups

A comma-delimited list of groups authorized for read

write_groups

A comma-delimited list of groups authorized for write. This must be a subset of read_groups.

def_groups

Specifies the default groups. This must be a subset of read_groups.

row_groups

Specifies the row groups. This must be a subset of write_groups and def_groups.
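
Under the defaulting rules above, leaving write_comps or write_groups NULL gives the user write access to everything the user can read. The following added example (not from the Oracle guide) sets every component explicitly, in the required order, and then reads the result back. The policy HR_POLICY, the user JSMITH, the short names S, C, A, B and WR, and the POLICY_NAME and USER_NAME columns of DBA_SA_USERS are assumptions.

```sql
-- Added example. HR_POLICY, JSMITH and the component short names are hypothetical.
BEGIN
  -- Levels must be set first; compartments and groups cannot be
  -- established for a user who has no levels.
  SA_USER_ADMIN.SET_LEVELS(
    policy_name => 'HR_POLICY',
    user_name   => 'JSMITH',
    max_level   => 'S',   -- highest level for read and write
    min_level   => 'C',   -- lowest level for write
    def_level   => 'S',   -- min_level <= def_level <= max_level
    row_level   => 'C');  -- min_level <= row_level <= def_level

  -- Read A and B, write only A. With write_comps left NULL the user
  -- would receive write access to both A and B.
  SA_USER_ADMIN.SET_COMPARTMENTS(
    policy_name => 'HR_POLICY',
    user_name   => 'JSMITH',
    read_comps  => 'A,B',
    write_comps => 'A',     -- subset of read_comps
    def_comps   => 'A,B',   -- subset of read_comps
    row_comps   => 'A');    -- subset of write_comps and def_comps

  -- Same pattern for groups: state the write subset explicitly.
  SA_USER_ADMIN.SET_GROUPS(
    policy_name  => 'HR_POLICY',
    user_name    => 'JSMITH',
    read_groups  => 'WR',
    write_groups => 'WR',
    def_groups   => 'WR',
    row_groups   => 'WR');
END;
/

-- Read back what was stored; max_write_label should list compartment A only.
-- POLICY_NAME and USER_NAME are assumed column names.
SELECT max_read_label,
       max_write_label,
       min_write_label,
       default_read_label,
       default_write_label,
       default_row_label
  FROM dba_sa_users
 WHERE policy_name = 'HR_POLICY'
   AND user_name   = 'JSMITH';
```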

SA_USER_ADMIN.ALTER_COMPARTMENTS

The ALTER_COMPARTMENTS procedure changes the write access, the default label indicator, and/or the row label indicator for each of the compartments in the list.

Syntax:

PROCEDURE ALTER_COMPARTMENTS (policy_name IN VARCHAR2,
  user_name    IN VARCHAR2,
  comps        IN VARCHAR2,
  access_mode  IN VARCHAR2 DEFAULT NULL,
  in_def       IN VARCHAR2 DEFAULT NULL,
  in_row       IN VARCHAR2 DEFAULT NULL);

Table 7-4 Parameters for SA_USER_ADMIN.ALTER_COMPARTMENTS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

comps

A comma-delimited list of compartments to modify

access_mode

One of two public variables that contain string values that can specify the type of access authorized. The variable names, values, and meaning are as follows:

SA_UTL.READ_ONLY READ_ONLY Indicates no write access

SA_UTL.READ_WRITE READ_WRITE Indicates write is authorized

If access_mode is NULL, then access_mode for the compartment is unaltered.

in_def

Specifies whether these compartments should be in the default compartments (Y/N)

If in_def is NULL, then in_def for the compartment is unaltered.

in_row

Specifies whether these compartments should be in the row label (Y/N)

If in_row is NULL, then in_row for the compartment is unaltered.

SA_USER_ADMIN.ADD_COMPARTMENTS

This procedure adds compartments to a user's authorizations, indicating whether the compartments are authorized for write as well as read.

Syntax:

PROCEDURE ADD_COMPARTMENTS (policy_name IN VARCHAR2,
  user_name      IN VARCHAR2,
  comps          IN VARCHAR2,
  access_mode    IN VARCHAR2 DEFAULT NULL,
  in_def         IN VARCHAR2 DEFAULT NULL,
  in_row         IN VARCHAR2 DEFAULT NULL);

Table 7-5 Parameters for SA_USER_ADMIN.ADD_COMPARTMENTS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

comps

A comma-delimited list of read compartments to add

access_mode

One of two public variables that contain string values that can specify the type of access authorized. The variable names, values, and meaning are as follows:

SA_UTL.READ_ONLY READ_ONLY Indicates no write access

SA_UTL.READ_WRITE READ_WRITE Indicates write is authorized

If access_mode is NULL, then it is set to SA_UTL.READ_ONLY.

in_def

Specifies whether these compartments should be in the default compartments (Y/N)

If in_def is NULL, then it is set to Y.

in_row

Specifies whether these compartments should be in the row label (Y/N)

If in_row is NULL, then it is set to N.

SA_USER_ADMIN.DROP_COMPARTMENTS

The DROP_COMPARTMENTS procedure drops the specified compartments from a user's authorizations.

Syntax:

PROCEDURE DROP_COMPARTMENTS (policy_name IN VARCHAR2,
  user_name       IN VARCHAR2,
  comps           IN VARCHAR2);

Table 7-6 Parameters for SA_USER_ADMIN.DROP_COMPARTMENTS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

comps

A comma-delimited list of compartments to drop

SA_USER_ADMIN.DROP_ALL_COMPARTMENTS

The DROP_ALL_COMPARTMENTS procedure drops all compartments from a user's authorizations.

Syntax:

PROCEDURE DROP_ALL_COMPARTMENTS (policy_name IN VARCHAR2,
  user_name     IN VARCHAR2);

Table 7-7 Parameters for SA_USER_ADMIN.DROP_ALL_COMPARTMENTS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

SA_USER_ADMIN.ADD_GROUPS

The ADD_GROUPS procedure adds groups to a user, indicating whether the groups are authorized for write as well as read.

Syntax:

PROCEDURE ADD_GROUPS (policy_name IN VARCHAR2,
  user_name         IN VARCHAR2,
  groups            IN VARCHAR2,
  access_mode       IN VARCHAR2 DEFAULT NULL,
  in_def            IN VARCHAR2 DEFAULT NULL,
  in_row            IN VARCHAR2 DEFAULT NULL);

Table 7-8 Parameters for SA_USER_ADMIN.ADD_GROUPS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

groups

A comma-delimited list of read groups to add

access_mode

One of two public variables that contain string values that can specify the type of access authorized. The variable names, values, and meaning are as follows:

SA_UTL.READ_ONLY READ_ONLY Indicates no write access

SA_UTL.READ_WRITE READ_WRITE Indicates write is authorized

If access_mode is NULL, then access_mode is set to SA_UTL.READ_ONLY.

in_def

Specifies whether these groups should be in the default groups (Y/N)

If in_def is NULL, then it is set to Y.

in_row

Specifies whether these groups should be in the row label (Y/N)

If in_row is NULL, then it is set to N.

SA_USER_ADMIN.ALTER_GROUPS

The ALTER_GROUPS procedure changes the write access, the default label indicator, and/or the row label indicator for each of the groups in the list.

Syntax:

PROCEDURE ALTER_GROUPS (policy_name IN VARCHAR2,
  user_name        IN VARCHAR2,
  groups           IN VARCHAR2,
  access_mode      IN VARCHAR2 DEFAULT NULL,
  in_def           IN VARCHAR2 DEFAULT NULL,
  in_row           IN VARCHAR2 DEFAULT NULL);

Table 7-9 Parameters for SA_USER_ADMIN.ALTER_GROUPS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

groups

A comma-delimited list of groups to alter

access_mode

Two public variables contain string values that can specify the type of access authorized. The variable names, values, and meaning are as follows:

SA_UTL.READ_ONLY READ_ONLY Indicates no write access

SA_UTL.READ_WRITE READ_WRITE Indicates write is authorized

If access_mode is NULL, then access_mode for the group is unaltered.

in_def

Specifies whether these groups should be in the default groups (Y/N)

If in_def is NULL, then in_def for the group is unaltered.

in_row

Specifies whether these groups should be in the row label (Y/N)

If in_row is NULL, then in_row for the group is unaltered.

SA_USER_ADMIN.DROP_GROUPS

The DROP_GROUPS procedure drops the specified groups from a user's authorizations.

Syntax:

PROCEDURE DROP_GROUPS (policy_name IN VARCHAR2,
  user_name   IN VARCHAR2,
  groups      IN VARCHAR2);
Table 7-10 Parameters for SA_USER_ADMIN.DROP_GROUPS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

groups

A comma-delimited list of groups to drop

SA_USER_ADMIN.DROP_ALL_GROUPS

The DROP_ALL_GROUPS procedure drops all groups from a user's authorizations.

Syntax:

PROCEDURE DROP_ALL_GROUPS (policy_name IN VARCHAR2,
  user_name  IN VARCHAR2);

Table 7-11 Parameters for SA_USER_ADMIN.DROP_ALL_GROUPS

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

Managing User Labels by Label String, with SA_USER_ADMIN

The following SA_USER_ADMIN procedures enable you to manage user labels by specifying the complete character label string:

SA_USER_ADMIN.SET_USER_LABELS

The SET_USER_LABELS procedure sets the user's levels, compartments, and groups using a set of labels, instead of the individual components.

Syntax:

PROCEDURE SET_USER_LABELS (
  policy_name      IN VARCHAR2,
  user_name        IN VARCHAR2,
  max_read_label   IN VARCHAR2,
  max_write_label  IN VARCHAR2 DEFAULT NULL,
  min_write_label  IN VARCHAR2 DEFAULT NULL,
  def_label        IN VARCHAR2 DEFAULT NULL,
  row_label        IN VARCHAR2 DEFAULT NULL);
Table 7-12 Parameters for SA_USER_ADMIN.SET_USER_LABELS  

Parameter

Meaning

max_read_label

Specifies the label string to be used to initialize the user's maximum authorized read label. Composed of the user's maximum level, compartments authorized for read access, and groups authorized for read access.

max_write_label

Specifies the label string to be used to initialize the user's maximum authorized write label. Composed of the user's maximum level, compartments authorized for write access, and groups authorized for write access. If the max_write_label is not specified, it is set to the max_read_label.

min_write_label

Specifies the label string to be used to initialize the user's minimum authorized write label. Contains only the level, with no compartments or groups. If the min_write_label is not specified, it is set to the lowest defined level for the policy, with no compartments or groups.

def_label

Specifies the label string to be used to initialize the user's session label, including level, compartments, and groups (a subset of max_read_label). If the default_label is not specified, it is set to the max_read_label.

policy_name

Specifies the policy

user_name

Specifies the user name

row_label

Specifies the label string to be used to initialize the program's row label. Includes level, components, and groups: subsets of max_write_label and def_label. If row_label is not specified, it is set to the def_label, with only the compartments and groups authorized for write access.

SA_USER_ADMIN.SET_DEFAULT_LABEL

The SET_DEFAULT_LABEL procedure sets the user's initial session label to the one specified.

Syntax:

PROCEDURE SET_DEFAULT_LABEL (
  policy_name  IN VARCHAR2,
  user_name    IN VARCHAR2,
  def_label    IN VARCHAR2);

Table 7-13 Parameters for SA_USER_ADMIN.SET_DEFAULT_LABEL

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

def_label

Specifies the label string to be used to initialize the user's default labels. This label may contain any compartments and groups that are authorized for read access.

As long as the row label will still be dominated by the new write label, the user can set the session label to:

  • Any level equal to or less than his maximum, and equal to or greater than his minimum label
  • Include any compartments in the authorized compartment list
  • Include any groups in the authorized group list. (Subgroups of authorized groups are implicitly included in the authorized list.)

The row label must be dominated by the new write label that will result from resetting the session label. If this condition is not true, the SET_DEFAULT_LABEL procedure will fail.

For example, suppose the current row label is S:A,B, and that you have write access to both compartments. If you attempt to set the new default label to C:A,B the SET_LABEL procedure will fail. This is because the new write label would be C:A,B, which does not dominate the current row label.

To successfully reset the session label in this case, you must first lower the row label to a value that will be dominated by the resulting session label.

See Also:

"Changing the Session Label with SA_SESSION.SET_LABEL"

"Session Labels and Inverse Groups"



SA_USER_ADMIN.SET_ROW_LABEL

Use the SET_ROW_LABEL procedure to set the user's initial row label to the one specified.

Syntax:

PROCEDURE SET_ROW_LABEL (
  policy_name   IN VARCHAR2,
  user_name     IN VARCHAR2,
  row_label     IN VARCHAR2);
Table 7-14 Parameters for SA_USER_ADMIN.SET_ROW_LABEL

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

row_label

Specifies the label string to be used to initialize the user's row label. The label must contain only those compartments and groups from the default label that are authorized for write access.

The user can set the row label independently, but only to:

  • A level that is less than or equal to the level of the session label, and greater than or equal to the user's minimum level
  • Include a subset of the compartments and groups from the session label, for which the user is authorized to have write access

If you try to set the row label to an invalid value, the operation is disallowed, and the row label value is unchanged.

See Also:

"Changing the Row Label with SA_SESSION.SET_ROW_LABEL"
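
The ordering constraint described for SET_DEFAULT_LABEL and SET_ROW_LABEL, as an added example that is not from the Oracle guide: the row label is lowered first so that the new write label still dominates it, and only then is the default label lowered. HR_POLICY and JSMITH are hypothetical, and the block assumes level C ranks below S and is not below the user's minimum level.

```sql
-- Added example. HR_POLICY and JSMITH are hypothetical; S:A,B and C:A,B are
-- the labels used in the text above. Starting state: default label S:A,B,
-- row label S:A,B, write access to compartments A and B.
SET SERVEROUTPUT ON

BEGIN
  -- Calling SET_DEFAULT_LABEL('C:A,B') at this point would fail: the
  -- resulting write label C:A,B would not dominate the row label S:A,B.

  -- Step 1: lower the row label. C:A,B is valid against the current
  -- session label S:A,B (lower level, same write-authorized compartments).
  SA_USER_ADMIN.SET_ROW_LABEL(
    policy_name => 'HR_POLICY',
    user_name   => 'JSMITH',
    row_label   => 'C:A,B');

  -- Step 2: lower the default label. The new write label C:A,B now
  -- dominates the row label C:A,B, so the call is accepted.
  SA_USER_ADMIN.SET_DEFAULT_LABEL(
    policy_name => 'HR_POLICY',
    user_name   => 'JSMITH',
    def_label   => 'C:A,B');
EXCEPTION
  WHEN OTHERS THEN
    -- Surface which label change was rejected, then let the error propagate
    -- so a deployment script stops instead of continuing half-configured.
    DBMS_OUTPUT.PUT_LINE('Label change rejected: ' || SQLERRM);
    RAISE;
END;
/
```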



SA_USER_ADMIN.DROP_USER_ACCESS

Use the DROP_USER_ACCESS procedure to remove all Oracle Label Security authorizations and privileges from the specified user. This procedure must be issued from the command line. It is not available in Oracle Policy Manager.

Syntax:

PROCEDURE DROP_USER_ACCESS (
  policy_name      IN VARCHAR2,
  user_name        IN VARCHAR2);

Table 7-15 Parameters for SA_USER_ADMIN.DROP_USER_ACCESS  

Parameter

Meaning

policy_name

Specifies the policy

user_name

Specifies the user name

Managing User Privileges with SA_USER_ADMIN.SET_USER_PRIVS

The SET_USER_PRIVS procedure sets policy-specific privileges for users. These privileges do not become effective in the current session; rather, they become effective the next time the user logs in. The new set of privileges replaces any existing privileges. A NULL value for the privileges parameter removes the user's privileges for the policy.

To assign policy privileges to users, you must have EXECUTE privilege for the SA_USER_ADMIN package, and must have been granted the policy_DBA role.

To use Oracle Policy Manager to perform these functions, go to the Privileges tab of the User property sheet.

Syntax:

PROCEDURE SET_USER_PRIVS (
  policy_name     IN VARCHAR2,
  user_name       IN VARCHAR2,
  privileges      IN VARCHAR2);
Table 7-16 Parameters for SA_USER_ADMIN.SET_USER_PRIVS  

Parameter

Meaning

policy_name

Specifies the policy name of an existing policy

user_name

The name of the user to be granted privileges

privileges

A character string of policy-specific privileges separated by commas

See Also:

"Managing Program Unit Privileges with SET_PROG_PRIVS"
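
Because SET_USER_PRIVS replaces the whole privilege list, adding one privilege means resubmitting the existing ones together with it. The following added example (not from the Oracle guide) does that. HR_POLICY, JSMITH, the choice of WRITEDOWN, the POLICY_NAME and USER_NAME columns, and the assumption that DBA_SA_USERS.USER_PRIVILEGES holds a comma-separated string are all illustrative.

```sql
-- Added example. Policy, user and the privilege being added are hypothetical.
SET SERVEROUTPUT ON

DECLARE
  c_policy CONSTANT VARCHAR2(30) := 'HR_POLICY';
  c_user   CONSTANT VARCHAR2(30) := 'JSMITH';
  c_add    CONSTANT VARCHAR2(30) := 'WRITEDOWN';
  l_privs  VARCHAR2(4000);
BEGIN
  -- Read the privileges the user holds now (assumed comma-separated).
  BEGIN
    SELECT REPLACE(user_privileges, ' ')
      INTO l_privs
      FROM dba_sa_users
     WHERE policy_name = c_policy
       AND user_name   = c_user;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      l_privs := NULL;  -- user has no entry for this policy yet
  END;

  -- Append the new privilege only if it is not already in the list.
  IF l_privs IS NULL THEN
    l_privs := c_add;
  ELSIF INSTR(',' || l_privs || ',', ',' || c_add || ',') = 0 THEN
    l_privs := l_privs || ',' || c_add;
  END IF;

  -- Passing only c_add here would silently drop every other privilege;
  -- passing NULL would remove them all.
  SA_USER_ADMIN.SET_USER_PRIVS(c_policy, c_user, l_privs);

  DBMS_OUTPUT.PUT_LINE('Privileges for ' || c_user || ' at next login: ' || l_privs);
END;
/
```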

Setting Labels & Privileges with SA_SESSION.SET_ACCESS_PROFILE

The SET_ACCESS_PROFILE procedure sets the Oracle Label Security authorizations and privileges of the database session to those of the specified user. (Note that the originating user retains the PROFILE_ACCESS privilege.)

The user executing the SA_SESSION.SET_ACCESS_PROFILE procedure must have the PROFILE_ACCESS privilege. Note that the logged-in database user (the Oracle userid) does not change. That user assumes only the authorizations and privileges of the specified user. By contrast, the Oracle Label Security user name is changed.

This administrative procedure is useful for various tasks:

  • With SET_ACCESS_PROFILE, the administrator can see the result of the authorization and privilege settings for a particular user.
  • Applications need to have proxy accounts connect as (and assume the identity of) application users, for purposes of accessing labeled data. With the SET_ACCESS_PROFILE privilege, the proxy account can act on behalf of the application users.

Syntax:

PROCEDURE SET_ACCESS_PROFILE (policy_name IN VARCHAR2,
  user_name   IN VARCHAR2);

Table 7-17 Parameters for SA_SESSION.SET_ACCESS_PROFILE

Parameter

Meaning

policy_name

The name of an existing policy

user_name

Name of the user whose authorizations and privileges should be assumed

Returning User Name with SA_SESSION.SA_USER_NAME

The SA_USER_NAME function returns the name of the current Oracle Label Security user, as set by the SET_ACCESS_PROFILE procedure (or as established at login). This is how you can determine the identity of the current user in relation to Oracle Label Security, rather than in relation to your Oracle login name.

Syntax:

FUNCTION SA_USER_NAME (policy_name IN VARCHAR2)
RETURN VARCHAR2;
Table 7-18 Parameters for SA_SESSION.SA_USER_NAME  

Parameter

Meaning

policy_name

The name of an existing policy
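
How the two identities diverge after SET_ACCESS_PROFILE, as an added example that is not from the Oracle guide: the block records the database session user alongside the Oracle Label Security user name before and after the switch, which is the pair an audit record for a proxy account needs. HR_POLICY and JSMITH are hypothetical, and the caller is assumed to hold the PROFILE_ACCESS privilege.

```sql
-- Added example. HR_POLICY and JSMITH are hypothetical.
SET SERVEROUTPUT ON

DECLARE
  c_policy  CONSTANT VARCHAR2(30) := 'HR_POLICY';
  c_target  CONSTANT VARCHAR2(30) := 'JSMITH';
  l_db_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  l_before  VARCHAR2(128);
  l_after   VARCHAR2(128);
BEGIN
  -- Oracle Label Security identity as established at login.
  l_before := SA_SESSION.SA_USER_NAME(c_policy);

  -- Assume the target user's authorizations and privileges.
  SA_SESSION.SET_ACCESS_PROFILE(c_policy, c_target);

  -- Oracle Label Security identity after the switch.
  l_after := SA_SESSION.SA_USER_NAME(c_policy);

  -- The database login does not change, so a log that records only the
  -- session user cannot show whose labels were in effect. Record both.
  DBMS_OUTPUT.PUT_LINE('database user       : ' || l_db_user);
  DBMS_OUTPUT.PUT_LINE('label user (before) : ' || l_before);
  DBMS_OUTPUT.PUT_LINE('label user (after)  : ' || l_after);

  -- Stop if the profile is not the one that was requested, so that no
  -- labeled data is touched under the wrong authorizations.
  IF l_after IS NULL OR UPPER(l_after) <> UPPER(c_target) THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Access profile was not switched to ' || c_target);
  END IF;
END;
/
```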

Using Oracle Label Security Views

This section describes views you can use to see the user authorization and privilege assignments made by the administrator.

Note that the views are designed to display these values from two different perspectives. The DBA_SA_USERS view is optimized for users of the command-line interface. The component views are optimized for users of the Oracle Policy Manager administrative tool.

View to Display All User Security Attributes: DBA_SA_USERS

The DBA_SA_USERS view displays the values assigned for privileges, levels, compartments, and groups all together--corresponding to how you enter these values through the SA_USER_ADMIN command-line interface. The values include:

USER_PRIVILEGES

MAX_READ_LABEL

MAX_WRITE_LABEL

MIN_WRITE_LABEL

DEFAULT_READ_LABEL

DEFAULT_WRITE_LABEL

DEFAULT_ROW_LABEL

USER_LABELS

MAX_READ_LABEL

MAX_WRITE_LABEL

MIN_WRITE_LABEL

DEFAULT_READ_LABEL

DEFAULT_WRITE_LABEL

DEFAULT_ROW_LABEL

This information is stored in data dictionary tables, and used to establish session and row labels when a user logs in.


Note:

The field USER_LABELS in DBA_SA_USERS is retained solely for backward compatibility and will be removed in the next release.

Views to Display User Authorizations by Component

The following views display individually each component of the label, corresponding to how you enter these values through Oracle Policy Manager.

Table 7-19 Oracle Label Security Views  

View

Contents

DBA_SA_USER_LEVELS

Displays the levels assigned to the user: minimum level, maximum level, default level, and level for the row label

DBA_SA_USER_COMPARTMENTS

Displays the compartments assigned to the user

DBA_SA_USER_GROUPS

Displays the groups assigned to the user
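
A periodic review query over DBA_SA_USERS, added here as an example and not taken from the Oracle guide: it lists users who hold any policy privilege and users whose maximum write label equals their maximum read label, which is what results when the write components are left to default. The POLICY_NAME and USER_NAME columns and the comma-separated form of USER_PRIVILEGES are assumptions.

```sql
-- Added example. Column names other than those listed in the text above
-- (POLICY_NAME, USER_NAME) are assumed.
SELECT policy_name,
       user_name,
       user_privileges,
       max_read_label,
       max_write_label,
       -- Flag accounts that can assume another user's access profile.
       CASE
         WHEN INSTR(',' || REPLACE(user_privileges, ' ') || ',',
                    ',PROFILE_ACCESS,') > 0
         THEN 'Y' ELSE 'N'
       END AS can_assume_profiles,
       -- Flag accounts that can write everywhere they can read.
       CASE
         WHEN max_write_label = max_read_label
         THEN 'Y' ELSE 'N'
       END AS write_equals_read
  FROM dba_sa_users
 WHERE user_privileges IS NOT NULL
    OR max_write_label = max_read_label
 ORDER BY policy_name, user_name;
```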
