Oracle® Label Security Administrator's Guide
10g Release 1 (10.1)
Part Number B10774-01
B Command-line Tools for Label Security Using Oracle Internet Directory

When Oracle Label Security is used with Oracle Internet Directory, security administrators must use certain commands to create and alter label security attributes stored in the directory.

This Appendix describes these commands and the parameters they require. They perform updates, inserts and deletes of entries in the directory and are implemented through a script named olsadmintool, which you invoke from $ORACLE_HOME/bin/olsadmintool. This Appendix contains the sections and tables listed below.

Command Explanations

In the command explanations that follow, some parameters are optional, which is indicated by enclosing such a parameter within square brackets. The two most common examples are [ -b <admin context> ] and [-p <port>], indicating that it is optional to specify either the administrative context for the command or the port through which to connect to Oracle Internet Directory. (The default port is 389.)

The use of two dashes (--, no space) is required for all parameters other than b, h, p, D, and w, which are preceded by a single dash. The double dash indicates the need to specify the full or long version of the name or parameter being used.

Each command appears in this listing on multiple lines for readability, but in reality would be issued as a single long string on the command line.

Add a User to a Profile

olsadmintool adduser --polname <policy name> --profname <profile name> --userdn <enterprise user DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the adduser command

Use the adduser command to add an enterprise user to a profile within a policy. Provide the profile and policy names and the user DN. (Command Footnote)

Example of the adduser command

olsadmintool adduser --polname tradesecret --profname topsales --userdn 'cn=perot'
-b 'cn=EDS' -h ford -p 1890 -D cn=lbacsys -w lbacsyspwrd
See Also:

Please refer to the Oracle Advanced Security Administrator's Guide, Chapter 13, Administering Enterprise User Security, for further concepts, tools, steps, and procedures.

Add Policy Administrators

olsadmintool addadmin --polname <policy name> --admindn <admin DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the addadmin command

Use the addadmin command to add an enterprise user to the administrative group for a policy, so that s/he is able to create, modify or delete the specified policy's metadata. Provide the policy name and the new administrator's DN. (Command Footnote)

Example of the addadmin command

olsadmintool addadmin --polname defense --admindn 'cn=scott,c=us'
-h yippee -D cn=lbacsys -w lbacsys

Add Policy Creator

olsadmintool addpolcreator --userdn <user DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the addpolcreator command

Use the addpolcreator command to enable the specified user to create policies. Provide the DN for the user. (Command Footnote)

Example of the addpolcreator command

olsadmintool addpolcreator --userdn 'cn=scott' -h yippee -D cn=lbacsys -w lbacsys

Alter a Compartment

olsadmintool altercompartment --polname <policy name> --shortname <short compartment name> --longname <new long compartment name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the altercompartment command

Use the altercompartment command to change the long name of a compartment. Provide the name of the policy, the short name of the compartment, and the new long name of the compartment. (Command Footnote)

Example of the altercompartment command

olsadmintool altercompartment --polname defense --shortname A --longname 'Allied Forces'
-h yippee -D cn=defense_admin -w welcome1

Alter a Group

olsadmintool altergroup --polname <policy name> --shortname <short group name> --longname <new long group name> [--parentname <parent group short name>]
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the altergroup command

Use the altergroup command to change the long name for a group component or parent group. Provide the name of the policy, the short name of the group, the long name of the group, and optionally the short name for the parent group. (Command Footnote)

Example of the altergroup command

olsadmintool altergroup --polname defense --shortname US --longname 'United States of America' --parentname 'Earth'
-h yippee -D cn=defense_admin -w welcome1

Alter a Label

olsadmintool alterlabel --polname <policy name> --tag <tag number> --value <new label value>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the alterlabel command

Use the alterlabel command to change the character string defining the label associated with a label tag. Provide the policy name, the numeric tag of the label, and the new character string representing the label. (Command Footnote)

Example of the alterlabel command

olsadmintool alterlabel --polname defense --tag 100 --value 'TS:A:US'
-h yippee -D cn=defense_admin -w welcome1

Alter a Level

olsadmintool alterlevel --polname <policy name> --shortname <short level name> --longname <new long level name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the alterlevel command

Use the alterlevel command to change the long name of a level. Provide the name of the policy, the short name of the level, and the new long name of the level. (Command Footnote)

Example of the alterlevel command

olsadmintool alterlevel --polname defense --shortname TS --longname 'VERY TOP SECRET'
-h yippee -D cn=defense_admin -w welcome1

Alter Policy

olsadmintool alterpolicy --name <policy name> --options <new options>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the alterpolicy command

Use the alterpolicy command to alter the options of a policy. Provide the name of the policy and the new options. (Command Footnote)

Example of the alterpolicy command

olsadmintool alterpolicy --name defense --options 'READ_CONTROL,INSERT_CONTROL'
-h yippee -D cn=defense_admin -w welcome1

Cancel Audit Options

olsadmintool noaudit --polname <policy name> --options <audit option name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the noaudit command

Use the noaudit command to cancel the audit options for a policy. Provide the policy name and the options that are no longer to be audited. (Command Footnote)

Example of the noaudit command

olsadmintool noaudit --polname defense --options 'APPLY,PRIVILEGES'
-h yippee -D cn=defense_admin -w welcome1

Create a Compartment

olsadmintool createcompartment --polname <policy name> --tag <tag number> --shortname <short compartment name> --longname <long compartment name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createcompartment command

Use the createcompartment command to create a new compartment component. Provide the name of the policy, the numeric tag value of the compartment, the short name of the compartment, and the long name of the compartment. (Command Footnote)

Example of the createcompartment command

olsadmintool createcompartment --polname defense --tag 100 --shortname A --longname Alpha
-h yippee -D cn=defense_admin -w welcome1

Create a Group

olsadmintool creategroup --polname <policy name> --tag <tag number> --shortname <short group name> --longname <long group name>
[--parentname <parent group name>]
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the creategroup command

Use the creategroup command to create a new group component. Provide the name of the policy, the numeric tag value of the group, the short name of the group, the long name of the group, and the parent group name (optional). (Command Footnote)

Example of the creategroup command

olsadmintool creategroup --polname defense --tag 55 --shortname US --longname 'United States'
-h yippee -D cn=defense_admin -w welcome1

Create a Label

olsadmintool createlabel --polname <policy name> --tag <tag number> --value <label value>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createlabel command

Use the createlabel command to create a valid data label. Provide the policy name, the numeric tag of the label to be created, and the character string representation of the label. (Command Footnote)

Example of the createlabel command

olsadmintool createlabel --polname defense --tag 100 --value 'TS:A,B:US,CA'
-h yippee -D cn=defense_admin -w welcome1

Create a Level

olsadmintool createlevel --polname <policy name> --tag <tag number> --shortname <short level name> --longname <long level name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createlevel command

Use the createlevel command to create a new level component. Provide the name of the policy, the numeric tag value, the short name of the level, and the long name of the level. (Command Footnote)

Example of the createlevel command

olsadmintool createlevel --polname defense --tag 100 --shortname TS --longname 'TOP SECRET'
-h yippee -D cn=defense_admin -w welcome1

Create a Profile

olsadmintool createprofile --polname <policy name> --profname <profile name>
--maxreadlabel <max read label> --maxwritelabel <max write label>
--minwritelabel <min write label> --defreadlabel <default read label>
--defrowlabel <default row label> --privileges <privileges separated by comma>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createprofile command

Use the createprofile command to create a new profile. Provide the policy name, the profile name, and either privileges, labels, or both privileges and labels. (A user profile can have either null label information or null privilege information, but not both null at the same time.) For labels, specify the maximum label users in this profile can use to read data, the maximum label users in this profile can use to write data, the minimum label users in this profile can use to write data, the default label for reading, and the default row label for writing. For privileges, enclose in quotes the list of privileges, separated by commas, for members of this profile. (Command Footnote)

Example of the createprofile command

olsadmintool createprofile --polname topsecret --profname topsales
--maxreadlabel 'TS:A,B:US,CA' --maxwritelabel 'TS:A,B:US,CA' --minwritelabel 'C:A,B:US,CA'
--defreadlabel 'TS:A,B:US,CA' --defrowlabel 'C:A,B:US,CA'
--privileges 'READ,COMPACCESS,WRITEACROSS'
-b EDS -h ford -p 1890 -D cn=lbacsys -w lbacsyspwrd

Create Policy

olsadmintool createpolicy --name <policy name> --colname <column name> --options <options separated by commas>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createpolicy command

Use the createpolicy command to create a policy. Provide the name of the policy, the name of its label column, and the options. (Command Footnote)

Example of the createpolicy command

olsadmintool createpolicy --name defense --colname defense_col --options 'READ_CONTROL,UPDATE_CONTROL'
-h yippee -p 389 -D cn=defense_admin -w welcome1

Describe a Profile

olsadmintool describeprofile --polname <policy name> --profname <profile name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the describeprofile command

Use the describeprofile command to see the contents of the specified profile in the specified policy. Provide the policy name and the name of the profile. (Command Footnote)

Example of the describeprofile command

olsadmintool describeprofile --polname defense --profname contractors
-h yippee -D cn=defense_admin -w welcome1

Drop a Compartment

olsadmintool dropcompartment --polname <policy name> --shortname <short compartment name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropcompartment command

Use the dropcompartment command to remove a compartment component. Provide the name of the policy and the short name of the compartment. (Command Footnote)

Example of the dropcompartment command

olsadmintool dropcompartment --polname defense --shortname A
-h yippee -D cn=defense_admin -w welcome1

Drop a Group

olsadmintool dropgroup --polname <policy name> --shortname <short group name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropgroup command

Use the dropgroup command to remove a group component. Provide the policy name and the short group name. (Command Footnote)

Example of the dropgroup command

olsadmintool dropgroup --polname defense --shortname US
-h yippee -D cn=defense_admin -w welcome1

Drop a Label

olsadmintool droplabel --polname <policy name> --value <label value>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the droplabel command

Use the droplabel command to drop a label from the policy. Provide the policy name and the string representation of the label. (Command Footnote)

Example of the droplabel command

olsadmintool droplabel --polname defense --value 'TS:A:US'
-h yippee -D cn=defense_admin -w welcome1

Drop a Level

olsadmintool droplevel --polname <policy name> --shortname <short level name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the droplevel command

Use the droplevel command to remove a level component from a specified policy. Provide the name of the policy and the short name of the level. (Command Footnote)

Example of the droplevel command

olsadmintool droplevel --polname defense --shortname TS
-h yippee -D cn=defense_admin -w welcome1

Drop a Policy

olsadmintool droppolicy --name <policy name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the droppolicy command

Use the droppolicy command to drop a policy. Provide the name of the policy to be dropped. (Command Footnote) For directory-enabled installations of Oracle Label Security, see also Subscribing Policies in Directory-Enabled Label Security in Chapter 9, "Applying Policies to Tables and Schemas".

Example of the droppolicy command

olsadmintool droppolicy --name defense -h yippee -D cn=defense_admin -w welcome1

Drop a Profile

olsadmintool dropprofile --polname <policy name> --profname <profile name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropprofile command

Use the dropprofile command to remove the specified profile. Provide the policy name and the name of the profile to be dropped. (Command Footnote)


Note:

Dropping a profile removes the authorization on that policy for all the users in the dropped profile. They will be unable to see data protected by that policy.


Example of the dropprofile command

olsadmintool dropprofile --polname defense --profname employees
-h yippee -D cn=defense_admin -w welcome1


Drop a User

olsadmintool dropuser --polname <policy name> --profname <profile name> --userdn <enterprise user DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropuser command

Use the dropuser command to drop a user from the specified profile in the specified policy. Provide the policy name, the name of the profile, and the DN of the user. (Command Footnote)

Example of the dropuser command

olsadmintool dropuser --polname defense --profname contractors --userdn 'cn=hanssen,c=us'
-h yippee -D cn=defense_admin -w welcome1

Drop Policy Administrator

olsadmintool dropadmin --polname <policy name> --admindn <admin DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropadmin command

Use the dropadmin command to remove an enterprise user from the administrative group of a policy, so that s/he is no longer able to create, modify or delete the specified policy's metadata. Provide the policy name and the DN of the administrator to be removed from the administrative group. (Command Footnote)

Example of the dropadmin command

olsadmintool dropadmin --polname defense --admindn 'cn=scott,c=us'
-h yippee -D cn=lbacsys -w lbacsys

Drop Policy Creator

olsadmintool droppolcreator --userdn <user DN>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the droppolcreator command

Use the droppolcreator command to cancel the ability of the specified user to create policies. Provide the user's DN. (Command Footnote)

Example of the droppolcreator command

olsadmintool droppolcreator --userdn 'cn=scott,c=us'
-b UA -h yippee -p 1890 -D <bind DN> -w <bind password>

Get Help for an olsadmintool Command

olsadmintool <command name> --help

List Profiles

olsadmintool listprofile --polname <policy name>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the listprofile command

Use the listprofile command to see a list of all profiles in a given policy. Provide the policy name. (Command Footnote)

Example of the listprofile command

olsadmintool listprofile --polname defense -b CIA
-h yippee -D cn=defense_admin -w welcome1

Set Audit Options

olsadmintool audit --polname <policy name> --options <audit option name> --type <audit option type> --success <audit success type>
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the audit command

Use the audit command to set the audit options for a policy. Provide the policy name, the options to be audited, the type of audit and the type of success to be audited. (Command Footnote)

Example of the audit command

olsadmintool audit --polname defense --options 'APPLY,PRIVILEGE' --type session --success success
-h yippee -D cn=defense_admin -w welcome1

Relating Parameters to Commands for olsadmintool

All olsadmintool commands must specify connection parameters: the OID host, the bind DN, the bind password and optionally the port through which the connection to Oracle Internet Directory is to be made. (The default port is 389.)

All olsadmintool commands may specify, as needed, the subscriber/administrative context using the -b flag.

The fact that specifying a parameter is optional, such as a port or an administrative context, is shown by enclosing the parameter within square brackets. The two most common examples are [ -b <admin context> ] and [-p <port>].

Since every command must specify a host, bind DN, and password, and may if needed also specify an administrative context, Table B-3 uses the abbreviation CON to represent all of these connection parameters as a group:

[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>


Summaries

Table B-3 summarizes the commands in the following categories:

  • Policies: creating, altering, or dropping policies or their components, that is, levels, groups, and compartments.
  • Data labels: creating, altering, or dropping them.
  • Administrators and policy creators: adding or dropping them.
  • Users: adding or dropping users from a profile.
  • Auditing options: setting the options for what to audit for a policy.
  • Profiles: creating, listing, describing, or dropping them.
  • Default read or row labels: setting them.

In Table B-3 and Table B-4, the column headings show only the parameters, not the keywords that must precede them. For example, Table B-3 shows "policy name" and "column-name" as parameters for the createpolicy command, without showing the keywords that must precede them (--name and --colname). These keywords are shown as required in each of the command descriptions, such as at Create Policy.

Table B-5 explains the individual parameters that are used as column headings in the summaries of Table B-3 and Table B-4.


In all these tables, X means required, O means unused or omitted, and [X] means optional.

Table B-3 Summary: olsadmintool Command Parameters

Policies

  Command                    policy name  column-name  optionsP  CON
  olsadmintool createpolicy  X            X            X         X
  olsadmintool alterpolicy   X            O            X         X
  olsadmintool droppolicy    X            O            O         X

Within a Policy, Create:

  Action         Command                         policy name  tag  short name  long name  CON  parent name
  a level        olsadmintool createlevel        X            X    X           X          X    O
  a group        olsadmintool creategroup        X            X    X           X          X    [X]
  a compartment  olsadmintool createcompartment  X            X    X           X          X    O

Within a Policy, Alter:

  Action                   Command                        policy name  tag  short name  long name  CON  parent name
  a level                  olsadmintool alterlevel        X            O    X           X          X    O
  a group or group parent  olsadmintool altergroup        X            O    X           X          X    [X]
  a compartment            olsadmintool altercompartment  X            O    X           X          X    O

Within a Policy, Drop:

  Action       Command                       policy name  tag  short name  long name  CON  parent name
  level        olsadmintool droplevel        X            O    X           O          X    O
  group        olsadmintool dropgroup        X            O    X           O          X    O
  compartment  olsadmintool dropcompartment  X            O    X           O          X    O

Data Labels

  Action            Command                   policy name  tag  value  CON
  Create label      olsadmintool createlabel  X            X    X      X
  Alter data label  olsadmintool alterlabel   X            X    X      X
  Drop data label   olsadmintool droplabel    X            O    X      X

Policy Administrators

  Action           Command                      policy name  userDN  CON
  Add an Admin     olsadmintool addadmin        X            X       X
  Drop an Admin    olsadmintool dropadmin       X            X       X
  Policy Creation  olsadmintool addpolcreator   O            X       X
                   olsadmintool droppolcreator  O            X       X

Users

  Action       Command                policy name  profile name  userDN  CON
  Add a User   olsadmintool adduser   X            X             X       X
  Drop a User  olsadmintool dropuser  X            X             X       X

Auditing

  Command               policy name  optionsA  type  success  CON
  olsadmintool audit    X            X         X     X        X
  olsadmintool noaudit  X            X         O     O        X

Help on olsadmintool

  Command                             policy name  optionsA  type  success  CON
  olsadmintool <command name> --help  O            O         O     O        O
Table B-4 Summary of Profile & Default Command Parameters

  Profile Action        Profile Command               Policy Name  Profile Name  Max Read Label  Max Write Label  Min Write Label  Def Read Label  Def Row Label  Priv's  CON
  Create a Profile (1)  olsadmintool createprofile    X            X             X               X                X                X               X              X       X
  List Profiles         olsadmintool listprofile      X            O             O               O                O                O               O              O       X
  Describe a Profile    olsadmintool describeprofile  X            X             O               O                O                O               O              O       X
  Drop a Profile        olsadmintool dropprofile      X            X             O               O                O                O               O              O       X

(1) In createprofile, specifying both privileges and labels is not required: a profile can specify labels, privileges, or both.

Examples of Using olsadmintool

The 12 subsections that follow illustrate using the olsadmintool commands in typical tasks needed to set up Oracle Label Security in an Oracle Internet Directory environment. Each command appears in this listing on multiple lines for readability, but in reality would be issued as a single long string on the command line. The summarized results of executing all these commands appear in Results of These Examples, which follows the last example.

  • Make Other Users Policy Creators
  • Create Policies With Valid Options
  • Create Policy Administrators
  • Create Some Levels
  • Create Some Compartments
  • Create Some Groups
  • Create Some Labels
  • Create A Profile
  • Add A User To The Above Profile
  • Add Another User To The Above Profile
  • Set Some Audit Options
  • Results of These Examples

Make Other Users Policy Creators

ORACLE_HOME/bin/olsadmintool addpolcreator --userdn 'cn=snamudur,c=us'
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=lbacsys,c=us' -w lbacsys

Create Policies With Valid Options

ORACLE_HOME/bin/olsadmintool createpolicy --name Policy1 --colname pol1
--options READ_CONTROL,WRITE_CONTROL -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=snamudur,c=us' -w snamudur

ORACLE_HOME/bin/olsadmintool createpolicy --name Policy2 --colname pol2
--options READ_CONTROL -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=lbacsys,c=us' -w lbacsys

Create Policy Administrators

ORACLE_HOME/bin/olsadmintool addadmin --polname Policy1
--admindn 'cn=shwong,c=us' -b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389
-D 'cn=snamudur,c=us' -w snamudur

ORACLE_HOME/bin/olsadmintool addadmin --polname Policy2
--admindn 'cn=shwong,c=us' -b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389
-D 'cn=lbacsys,c=us' -w lbacsys

Create Some Levels

ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 100 --shortname TS --longname "TOP SECRET"
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 99 --shortname S --longname SECRET
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 98 --shortname U --longname UNCLASSIFIED
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Create Some Compartments

ORACLE_HOME/bin/olsadmintool createcompartment --polname Policy1 --tag 100
--shortname A --longname ALPHA -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool createcompartment --polname Policy1 --tag 99
--shortname B --longname BETA -b 'ou=Americas,o=Oracle,c=US'
-h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Create Some Groups

Create Some Labels

ORACLE_HOME/bin/olsadmintool createlabel --polname Policy1 --tag 100 --value TS:A:G1
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

ORACLE_HOME/bin/olsadmintool createlabel --polname Policy1 --tag 101 --value TS:A,B:G2
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Create A Profile

ORACLE_HOME/bin/olsadmintool createprofile --polname Policy1 --profname Profile1
--maxreadlabel TS:A:G1 --maxwritelabel TS:A:G1 --minwritelabel U::
--defreadlabel U:A:G1 --defrowlabel U:A:G1 --privileges WRITEUP,READ
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Add A User To The Above Profile

ORACLE_HOME/bin/olsadmintool adduser --polname Policy1 --profname Profile1
--userdn cn=nina,ou=Asia,o=microsoft,l=seattle,st=WA,c=US
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Add Another User To The Above Profile

ORACLE_HOME/bin/olsadmintool adduser --polname Policy1 --profname Profile1
--userdn cn=daniel,ou=France,o=oracle,l=madison,st=WI,c=US
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong

Set Some Audit Options

ORACLE_HOME/bin/olsadmintool audit --polname Policy1 --options 'SET,APPLY'
--type SESSION --success BOTH
-b 'ou=Americas,o=Oracle,c=US' -h yippee -p 389 -D 'cn=shwong,c=us' -w shwong
    
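The createprofile step above hands five label strings and a privilege list straight to olsadmintool, and the Create a Profile section earlier in this appendix states the one rule the tool enforces (labels, privileges, or both, never neither). The following added example is not from the Oracle guide and is not Oracle code: it parses labels in the LEVEL:COMPARTMENTS:GROUPS short-name form used throughout the appendix, checks every short name against the components created in the steps above (constructed lookup tables), and checks the ordering between a profile's labels before the command is issued; the dominance rules it applies are assumed Oracle Label Security semantics, not something this appendix states.

```python
"""Pre-flight check of label strings and createprofile arguments before
they are passed to olsadmintool. Added example; not part of Oracle Label
Security or its documentation."""
from dataclasses import dataclass

# Components as created by the createlevel / createcompartment /
# creategroup steps above (short name -> numeric tag). Constructed lookup
# tables for this example; a real check would read them from the directory.
LEVELS = {"TS": 100, "S": 99, "U": 98}
COMPARTMENTS = {"A": 100, "B": 99}
GROUPS = {"G1": 100, "G2": 99, "G3": 98}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset
    groups: frozenset

    @property
    def level_tag(self):
        # Levels are ordered by their numeric tag, not by name.
        return LEVELS[self.level]


def _names(kind, text, known, label):
    """Split a comma list of short names and reject names never created."""
    names = frozenset(n.strip() for n in text.split(",") if n.strip())
    unknown = sorted(names - set(known))
    if unknown:
        raise ValueError(f"{label!r}: unknown {kind} {unknown}")
    return names


def parse_label(text):
    """Parse 'LEVEL:COMP,COMP:GROUP,GROUP'. The compartment and group
    parts may be empty, as in the 'U::' used for minwritelabel above."""
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"{text!r}: expected LEVEL:COMPARTMENTS:GROUPS")
    level, comps, groups = (p.strip() for p in parts)
    if level not in LEVELS:
        raise ValueError(f"{text!r}: unknown level {level!r}")
    return Label(level, _names("compartment(s)", comps, COMPARTMENTS, text),
                 _names("group(s)", groups, GROUPS, text))


def dominates(a, b):
    """True when label a is at least as high as b: a's level tag is not
    lower, and a carries every compartment and group of b. Assumed OLS
    dominance semantics for this example."""
    return (a.level_tag >= b.level_tag
            and a.compartments >= b.compartments
            and a.groups >= b.groups)


def check_profile(maxread, maxwrite, minwrite, defread, defrow, privileges=""):
    """Return the list of problems with a set of createprofile arguments
    (an empty list means they are consistent). Pass None for all five
    labels when the profile is meant to carry privileges only."""
    labels = [maxread, maxwrite, minwrite, defread, defrow]
    privs = [p.strip() for p in privileges.split(",") if p.strip()]
    if not any(labels) and not privs:
        # The rule stated under Create a Profile: labels, privileges or
        # both, but never neither.
        return ["profile must carry labels, privileges, or both"]
    if not any(labels):
        return []
    if not all(labels):
        return ["all five labels must be given together"]
    try:
        mr, mw, nw, dr, dw = (parse_label(t) for t in labels)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not dominates(mr, mw):
        problems.append("maxwritelabel must not exceed maxreadlabel")
    if nw.level_tag > mw.level_tag:
        problems.append("minwritelabel level is above maxwritelabel level")
    if not dominates(mr, dr) or dr.level_tag < nw.level_tag:
        problems.append("defreadlabel must lie between minwritelabel "
                        "and maxreadlabel")
    if not dominates(mw, dw) or dw.level_tag < nw.level_tag:
        problems.append("defrowlabel must lie between minwritelabel "
                        "and maxwritelabel")
    return problems


if __name__ == "__main__":
    # Profile1 exactly as created in the steps above: no problems.
    print(check_profile("TS:A:G1", "TS:A:G1", "U::", "U:A:G1", "U:A:G1",
                        "WRITEUP,READ"))
    # A profile whose write ceiling is above its read ceiling.
    print(check_profile("S:A:G1", "TS:A:G1", "U::", "U:A:G1", "U:A:G1"))
```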

Results of These Examples

As a result of running the 12 sets of olsadmintool commands above, this sample Oracle Label Security site has the following structure:

  • Policy creators: User snamudur
  • Policies: Policy1 and Policy2.
  • Policy Administrators: User shwong
  • Levels, Compartments, and Groups: See Table B-5, "Label Component Definitions from Using olsadmintool Commands"
  • Data labels: Tag 100 for TS:A:G1 and tag 101 for TS:A,B:G2
  • Users: Nina, from the Asia group of Microsoft, based in Seattle, Washington, managed under the Americas organization of the US Oracle organization, and Daniel, from the France group of Oracle in Madison, Wisconsin, managed under the same organization.
  • Profiles: See Table B-6, "Contents of Profile1 from Using olsadmintool Commands"
  • Auditing options: SET, APPLY, SESSION, and BOTH

Table B-5 Label Component Definitions from Using olsadmintool Commands

  Label Component  Tag  Short Name  Long Name
  Level            100  TS          TOP SECRET
                   99   S           SECRET
                   98   U           UNCLASSIFIED
  Compartment      100  A           ALPHA
                   99   B           BETA
  Group            100  G1          GROUP1
                   99   G2          GROUP2
                   98   G3          GROUP3

Table B-6 Contents of Profile1 from Using olsadmintool Commands

  Profile Element  Contents        Long-name Expansion or Meaning
  MaxReadLabel     TS:A:G1         TOP SECRET:ALPHA:GROUP1
  MaxWriteLabel    TS:A:G1         TOP SECRET:ALPHA:GROUP1
  MinWriteLabel    U::             UNCLASSIFIED (not restricted to any compartments or groups)
  DefReadLabel     U:A:G1          UNCLASSIFIED:ALPHA:GROUP1
  DefRowLabel      U:A:G1          UNCLASSIFIED:ALPHA:GROUP1
  Privileges       WRITE_UP, READ  User can read any row and raise the level of rows he writes.

Command Footnote

Every command must include the directory hostname, the bind DN, and the bind password. Any command may, as needed, also supply the subscriber administrative context (optional), the directory port number (also optional), or both. See also Table B-3, "Summary: olsadmintool Command Parameters" for additional details on these parameters.