Oracle Label Security, the easy way to secure your data


Besides VPD (as described in my previous posts) and views with functions, you can also secure your data using Oracle Label Security (OLS). In contrast to the other two options, OLS is easier: you do not need to write a line of code to implement row-level security.

What is it?
OLS is a way to manage access to sensitive data.
You can give each record a level of security: "this record needs to be secured, but that record even more". It looks a bit like the clearance system used in spy movies such as James Bond 007. In these movies Miss Moneypenny has a level 3 clearance, James Bond a level 5 clearance and M a level 7 clearance.
OLS allows you to define a security policy and lets you implement this policy by marking the records with security labels. These labels are stored in a special column that is added to the table. When a user tries to access the data, the OLS engine compares the security label of the user with the labels on the rows to check whether the user is allowed to access them.

Example:
The emp table contains 10 records, of which we mark 3 as medium secure, 5 as secret and 2 as top secret.
When Miss Moneypenny accesses the emp table she will be able to retrieve the 3 records marked as medium secure.
James Bond will be able to access the records Miss Moneypenny can retrieve plus the 5 additional secret records. He is, however, not able to see the 2 records marked as top secret.
M is able to retrieve all records, since he/she has the highest clearance.

How to install and implement?
OLS is not installed as part of a default Enterprise Edition installation. To install it you need to select it as an additional option when you install the database. Implementing OLS takes 5 steps:

• create the OLS policy
• define the OLS label components
• create the actual OLS labels to use
• apply the OLS security labels to the tables
• assign the OLS labels (clearances) to the users

All these steps can be executed in two ways:
• with the Oracle Policy Manager, a GUI for maintaining the security policies
• with a set of PL/SQL packages

In a later post I will describe these steps in detail with real data, but for the moment I would like to point the reader to the Oracle Label Security Administration Guide, which contains examples of how to implement OLS.
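As an added illustration, not code from the original post, here are the five steps above carried out for the James Bond example with the OLS PL/SQL packages instead of the Policy Manager GUI. Assumed (not from the post): the policy is named EMP_OLS with label column EMP_LABEL, the table is SCOTT.EMP, the users MONEYPENNY, BOND and M already exist, and the script runs as a user holding the LBAC_DBA role (for example LBACSYS).

```sql
-- Step 1: create the policy. READ_CONTROL enforces labels on SELECT,
-- WRITE_CONTROL on INSERT/UPDATE/DELETE. The policy owns the label column
-- EMP_LABEL that is added to every table the policy is applied to.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'EMP_OLS',
    column_name     => 'EMP_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/

-- Step 2: define the label components. Only hierarchical levels are used
-- here; a higher number dominates a lower one, so TS > S > M.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('EMP_OLS', 3000, 'TS', 'TOP_SECRET');
  SA_COMPONENTS.CREATE_LEVEL('EMP_OLS', 2000, 'S',  'SECRET');
  SA_COMPONENTS.CREATE_LEVEL('EMP_OLS', 1000, 'M',  'MEDIUM');
END;
/

-- Step 3: create the labels that rows and users will carry (no
-- compartments or groups, so each label is just its level).
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_OLS', 3000, 'TS');
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_OLS', 2000, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_OLS', 1000, 'M');
END;
/

-- Step 4: apply the policy to SCOTT.EMP and label its rows. Which rows get
-- which label is a business decision; the department is used here as an
-- assumed stand-in. Run the UPDATEs as a user holding the EMP_OLS FULL privilege.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('EMP_OLS', 'SCOTT', 'EMP');
END;
/
UPDATE scott.emp SET emp_label = CHAR_TO_LABEL('EMP_OLS', 'M');
UPDATE scott.emp SET emp_label = CHAR_TO_LABEL('EMP_OLS', 'S')  WHERE deptno = 20;
UPDATE scott.emp SET emp_label = CHAR_TO_LABEL('EMP_OLS', 'TS') WHERE deptno = 10;
COMMIT;

-- Step 5: give each user a clearance (maximum read label). MONEYPENNY sees
-- only M rows, BOND sees M and S rows, M sees all rows.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('EMP_OLS', 'MONEYPENNY', 'M');
  SA_USER_ADMIN.SET_USER_LABELS('EMP_OLS', 'BOND',       'S');
  SA_USER_ADMIN.SET_USER_LABELS('EMP_OLS', 'M',          'TS');
END;
/
```

Logging in as each of the three users and running SELECT COUNT(*) FROM scott.emp is the quick check that the clearances filter the rows as described in the example above.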

Summary
• OLS provides you with a GUI to administer and maintain policies.
• You do not need to write a line of code to implement OLS, which makes it easy to use and maintain.
• OLS has been given an EAL4 evaluation and was tested under the Common Criteria (ISO 15408). This means that it is compliant with the highest standards of the U.S. intelligence agencies and the U.S. Department of Defense.
• OLS is an out-of-the-box solution.

4 Comments

  1. That is not a very polite way to ask for help (I suggest using ‘please’ and ‘could you …’). And you could be more specific…

  2. Hi Susan,
    I do not fully get your question.
    OLS is fully implemented on the database; if your BC4J application makes use of Oracle users, you can implement it without problems. OLS is transparent to the end user. Check the Oracle Label Security Administration Guide for further information on how to implement this functionality.

    Cheers,
    Marcos