Oracle provides security labels through Oracle Label Security (OLS), which is usually described as enforcing mandatory access control. Its model is based on the Bell-LaPadula (BLP) security model, with extensions.
The elements of the BLP model are security levels and categories (compartments): a level and a set of categories are assigned to both subjects and objects to control the flow of data, giving the "read down, write up" rules. That is, a subject may read data whose level is at or below its own, and may write data whose level is at or above its own (the categories add further conditions, which are not described here).
Oracle extends the BLP model: a user can be given several levels through the following interface.
SA_USER_ADMIN.SET_LEVELS
Syntax:
PROCEDURE set_levels (policy_name IN VARCHAR2,
                      user_name   IN VARCHAR2,
                      max_level   IN VARCHAR2,
                      min_level   IN VARCHAR2 DEFAULT NULL,
                      def_level   IN VARCHAR2 DEFAULT NULL,
                      row_level   IN VARCHAR2 DEFAULT NULL);
Parameter meanings:
POLICY_NAME  the policy the levels belong to
USER_NAME    the user being labelled
MAX_LEVEL    the highest level for read and write access
MIN_LEVEL    the lowest level for write access
DEF_LEVEL    the default (session) level
ROW_LEVEL    the level used for the row label applied to rows the user inserts
As you can see, a user label carries four levels: maximum, minimum, default and row. They are bound to each other as follows:
MIN_LEVEL <= MAX_LEVEL
MIN_LEVEL <= DEF_LEVEL <= MAX_LEVEL
MIN_LEVEL <= ROW_LEVEL <= DEF_LEVEL
If any of these rules is violated, the call fails. Having covered this much, let us practice: log in as LBACSYS and execute the following statements.
-- Create policy P1 and add levels to it; the higher the number, the higher the level
-- L1 < L2 < L3 < L4
EXEC sa_sysdba.create_policy('P1', 'label_col');
EXEC sa_components.create_level('P1', 10, 'L1', 'L1');
-- the numbers for L2 to L4 are illegible in the original; any strictly increasing values work
EXEC sa_components.create_level('P1', 20, 'L2', 'L2');
EXEC sa_components.create_level('P1', 30, 'L3', 'L3');
EXEC sa_components.create_level('P1', 40, 'L4', 'L4');
-- Set the user label of user SYSMAN
EXEC sa_user_admin.set_levels('P1', 'SYSMAN', 'L2', 'L1', 'L2', 'L2');
The four levels set here (MAX_LEVEL L2, MIN_LEVEL L1, DEF_LEVEL L2, ROW_LEVEL L2) satisfy the rules above, so the call succeeds. We can inspect the user's labels through the DBA_SA_USER_LABELS view.
SQL> SELECT user_name, labels FROM dba_sa_user_labels;

USER_NAME
--------------------------------------------------------------------------------
LABELS
--------------------------------------------------------------------------------
SYSMAN
MAX READ LABEL='L2', MAX WRITE LABEL='L2', MIN WRITE LABEL='L1', DEFAULT READ LABEL
='L2', DEFAULT WRITE LABEL='L2', DEFAULT ROW LABEL='L2'
You can see MIN WRITE LABEL = L1, which is the MIN_LEVEL we set, while MAX READ LABEL and MAX WRITE LABEL are both L2: SYSMAN can read rows labelled L1 or L2 and write rows labelled L1 or L2, but cannot touch rows at L3 or L4.
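To make the bound rules and the resulting read/write decisions concrete, here is an added example (not Oracle's code, and not part of the original post): a small Python model of the level part of an OLS user label. It reproduces the three SET_LEVELS constraints, the read-down rule, and the OLS write rule (row level between MIN_LEVEL and MAX_LEVEL), and sets that beside pure BLP "write up" so the extension is visible. The numeric values for L2 to L4 and the handling of omitted MIN_LEVEL/DEF_LEVEL/ROW_LEVEL (lowest policy level, MAX_LEVEL, DEF_LEVEL respectively) are assumptions made for the example.

```python
# Added example, not Oracle's code: a model of the level component of an OLS
# user label, showing (a) the bound checks SA_USER_ADMIN.SET_LEVELS applies and
# (b) which rows a user with those levels may read and write, next to pure BLP.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy P1 from the page. The numbers for L2..L4 are an assumption; only the
# ordering matters, as with SA_COMPONENTS.CREATE_LEVEL.
POLICY_LEVELS: Dict[str, int] = {"L1": 10, "L2": 20, "L3": 30, "L4": 40}


@dataclass(frozen=True)
class UserLevels:
    max_level: str
    min_level: str
    def_level: str
    row_level: str


def rank(level: str) -> int:
    """Numeric rank of a level name in the policy; unknown names are an error."""
    try:
        return POLICY_LEVELS[level]
    except KeyError:
        raise ValueError(f"unknown level {level!r}") from None


def level_violations(max_level: str, min_level: str,
                     def_level: str, row_level: str) -> List[str]:
    """Return the SET_LEVELS bound rules that the four given levels violate."""
    mx, mn, df, rw = (rank(lv) for lv in (max_level, min_level, def_level, row_level))
    rules = [
        ("MIN_LEVEL <= MAX_LEVEL", mn <= mx),
        ("MIN_LEVEL <= DEF_LEVEL <= MAX_LEVEL", mn <= df <= mx),
        ("MIN_LEVEL <= ROW_LEVEL <= DEF_LEVEL", mn <= rw <= df),
    ]
    return [name for name, ok in rules if not ok]


def set_levels(max_level: str, min_level: Optional[str] = None,
               def_level: Optional[str] = None,
               row_level: Optional[str] = None) -> UserLevels:
    """Mimic SET_LEVELS: fill in defaults, then reject inconsistent levels.

    The defaults are an assumption of this example: MIN_LEVEL -> lowest level
    of the policy, DEF_LEVEL -> MAX_LEVEL, ROW_LEVEL -> DEF_LEVEL.
    """
    min_level = min_level or min(POLICY_LEVELS, key=POLICY_LEVELS.get)
    def_level = def_level or max_level
    row_level = row_level or def_level
    bad = level_violations(max_level, min_level, def_level, row_level)
    if bad:
        raise ValueError("SET_LEVELS rejected: " + "; ".join(bad))
    return UserLevels(max_level, min_level, def_level, row_level)


def ols_can_read(user: UserLevels, row_level: str) -> bool:
    """Read down: the row level must not exceed the user's maximum (read) level."""
    return rank(row_level) <= rank(user.max_level)


def ols_can_write(user: UserLevels, row_level: str) -> bool:
    """OLS write rule: the row level must lie between MIN_LEVEL and MAX_LEVEL.
    Unlike pure BLP, writing above the user's own level is refused, and
    writing down is permitted only as far as MIN_LEVEL."""
    return rank(user.min_level) <= rank(row_level) <= rank(user.max_level)


def blp_can_write(subject_level: str, row_level: str) -> bool:
    """Pure BLP *-property ("write up"): row level at or above the subject's."""
    return rank(row_level) >= rank(subject_level)


def access_matrix(user: UserLevels) -> Dict[str, str]:
    """For each policy level: which of read / OLS write / BLP write the user gets."""
    out: Dict[str, str] = {}
    for level in sorted(POLICY_LEVELS, key=POLICY_LEVELS.get):
        flags = []
        if ols_can_read(user, level):
            flags.append("read")
        if ols_can_write(user, level):
            flags.append("ols-write")
        if blp_can_write(user.max_level, level):
            flags.append("blp-write")
        out[level] = ",".join(flags) or "none"
    return out


if __name__ == "__main__":
    sysman = set_levels("L2", "L1", "L2", "L2")   # the page's SET_LEVELS call
    for level, access in access_matrix(sysman).items():
        print(f"{level}: {access}")
    # A ROW_LEVEL above DEF_LEVEL breaks the third rule and would be rejected.
    print(level_violations("L2", "L1", "L2", "L3"))
```

Running it for the page's SYSMAN settings lists L1 and L2 as readable and writable, L3 and L4 as neither, and shows that pure BLP would instead let an L2 subject write L3 and L4 but not L1; MIN_LEVEL is what bounds the write-down that OLS permits.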