Databases Reference
In-Depth Information
At a high level, a label represents a sensitivity level. On closer
inspection, it is made up of several components. Note that a label does not
have to incorporate every one of these components. Only the sensitivity
level is mandatory, but the additional components allow you to fine-tune
data-level security. Labels can include:
- A sensitivity level that is usually one of a hierarchy of values (i.e., data
  that is top secret is by nature also classified)
- A category or compartment used to segregate data; compartments are
  used when data security is based on a “need-to-know basis”
- A group component that can be used to record data ownership
- An inverse group component that can be used to control dissemination
  of information
The inverse group component differs from the group component in that
it defines a set of groups to which users must be assigned before they can
access the data. As an example, a row may be labeled with the groups
NAVY, AIR FORCE, meaning that any user belonging to either the NAVY
or the AIR FORCE groups (and having the appropriate sensitivity level)
can access the information. However, if you label a row with the inverse
groups NAVY, AIR FORCE, then only users assigned to both of these
groups can access this data; a user belonging to only the NAVY group (even
with the right sensitivity level) will not be able to see this data.
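The NAVY / AIR FORCE comparison above, worked through as an added example (a simplified model written for this page, not Oracle's implementation or API). The level names, user names, and the rule that a user must hold every compartment on the row are assumptions of the model.

```python
# Added illustration: simplified model of a label read check.
# Not Oracle code; all names and sample data below are constructed.
from dataclasses import dataclass

# Assumed level hierarchy; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CLASSIFIED": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()
    inverse_groups: bool = False  # True: treat `groups` as inverse groups

@dataclass(frozen=True)
class User:
    name: str
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()

def can_read(user: User, row: Label) -> bool:
    # 1. Sensitivity level: the user's level must be at least the row's.
    if LEVELS[user.level] < LEVELS[row.level]:
        return False
    # 2. Compartments (assumed rule): user holds every compartment on the row.
    if not row.compartments <= user.compartments:
        return False
    # 3. No group component on the row means no group restriction.
    if not row.groups:
        return True
    if row.inverse_groups:
        return row.groups <= user.groups    # inverse groups: member of ALL
    return bool(row.groups & user.groups)   # groups: member of ANY

def readers(users, row):
    """Names of the users allowed to read a row with this label."""
    return sorted(u.name for u in users if can_read(u, row))

BOTH = frozenset({"NAVY", "AIR FORCE"})
USERS = [
    User("alice", "SECRET", groups=frozenset({"NAVY"})),
    User("bob", "SECRET", groups=BOTH),
    User("carol", "CLASSIFIED", groups=frozenset({"AIR FORCE"})),  # level too low
    User("dave", "TOP SECRET", groups=frozenset({"ARMY"})),        # wrong group
]
GROUP_ROW = Label("SECRET", groups=BOTH)
INVERSE_ROW = Label("SECRET", groups=BOTH, inverse_groups=True)
```

Calling readers(USERS, GROUP_ROW) and readers(USERS, INVERSE_ROW) shows the same label text admitting different users depending on whether the groups are ordinary or inverse.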
Label security is available through custom installation of Enterprise
Edition. In Oracle 8i this was only available for Solaris, but as of Oracle
9i this is available on all platforms. Once it is installed, you need to use the
database configuration tool to create the necessary data dictionary objects
for label security. The initial database administrator account for label
security is called LBACSYS, and you will need to unlock it after the
installation. You can administer label security by issuing commands in
SQL*Plus (or other tools) logged in as LBACSYS or by using the Policy
Manager (available in the Integrated Management Tools submenu on
Windows or as the oemapp utility in UNIX). Whenever you create a
policy, you will have to specify a column name; this column will be
appended to the application table but can be hidden from describe statements
for better security. You should also always create a bitmap index on
the label security column; the percentage of the unique labels compared