The preceding articles compared the mandatory access control (MAC) models of Oracle and DM. This article describes the differences between the two in terms of system conflicts and system permissions.
System conflicts
(1) Conflict with views: when a user accesses a view, the user's label is checked against the base table; that is, it is the base table that is directly labelled and protected, not the view.
(2) Conflict with referential integrity: LBAC read rules are not applied to the internally generated scan of the referencing table, nor to the internally generated scan of the referenced table; when a CASCADE operation is performed on the referenced table, the LBAC write rule is applied.
(3) Conflict with CHECK constraints: LBAC read rules are not applied when CHECK constraints are verified.
(4) Conflict with primary key and unique key constraints: LBAC rules are not applied when a primary key or unique key constraint is verified. (If this creates an inference problem, add the label column to the unique key.)
(5) Conflict with index coverage (system optimization): if an index is used to retrieve data and the index columns include the label column, the optimization is performed; otherwise it is not.
(6) LBAC can be combined with horizontal partitioning.
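The following is an added example, not code from the original article or from either database vendor. It is a toy Python model of label-based access control that reproduces two of the conflicts above: point (1), where a view delegates the label check to its base table, and point (4), where the unique-key check runs without the LBAC read rule and therefore a constraint error can reveal the existence of a row the user cannot select, unless the label column is made part of the unique key. The three-level hierarchy, the table layout and the row values are all constructed for the illustration; a real policy is defined with the database's own label component and security policy statements.

```python
from dataclasses import dataclass, field

# Hypothetical linear hierarchy used as the label component (constructed).
LEVELS = {"PUBLIC": 0, "CONFIDENTIAL": 1, "SECRET": 2}


class UniqueKeyViolation(Exception):
    """Raised by the unique-key check, which runs without LBAC read rules."""


@dataclass
class Row:
    key: str
    payload: str
    label: str  # the row's security label


@dataclass
class ProtectedTable:
    label_in_unique_key: bool = False  # is the label column part of the unique key?
    rows: list = field(default_factory=list)

    @staticmethod
    def readable(user_label: str, row: Row) -> bool:
        # LBAC read rule: the user's label must dominate the row's label.
        return LEVELS[user_label] >= LEVELS[row.label]

    def select(self, user_label: str) -> list:
        # Normal query path: the read rule is applied to every row.
        return [r for r in self.rows if self.readable(user_label, r)]

    def insert(self, user_label: str, key: str, payload: str) -> None:
        # An inserted row takes the inserting user's label as its write label.
        new = Row(key, payload, user_label)
        # Unique-key verification deliberately does NOT apply the read rule
        # (point 4 above): every stored row is compared, including rows the
        # inserting user could never select.
        for existing in self.rows:
            clash = existing.key == new.key
            if self.label_in_unique_key:
                # Mitigation from point 4: the label is part of the key, so
                # rows at different labels no longer collide.
                clash = clash and existing.label == new.label
            if clash:
                raise UniqueKeyViolation(f"duplicate key {key!r}")
        self.rows.append(new)


@dataclass
class View:
    """Point 1: the view carries no label of its own; the user's label is
    checked against the base table when the view is queried."""
    base: ProtectedTable
    key_prefix: str  # the view's filter predicate (constructed)

    def select(self, user_label: str) -> list:
        return [r for r in self.base.select(user_label)
                if r.key.startswith(self.key_prefix)]


def unique_key_reveals_hidden_row(table: ProtectedTable,
                                  user_label: str, key: str) -> bool:
    """Return True if a constraint error would tell a user at `user_label`
    that `key` already exists at a label they cannot read. This is the check
    a DBA would run to confirm whether the point-4 mitigation is effective."""
    try:
        table.insert(user_label, key, "test row")
    except UniqueKeyViolation:
        return True
    return False


def demo() -> dict:
    results = {}
    for with_label in (False, True):
        t = ProtectedTable(label_in_unique_key=with_label)
        t.insert("SECRET", "acct-42", "secret balance")
        v = View(base=t, key_prefix="acct-")
        results[("view_rows_seen", "SECRET", with_label)] = len(v.select("SECRET"))
        results[("view_rows_seen", "PUBLIC", with_label)] = len(v.select("PUBLIC"))
        results[("existence_leaks", with_label)] = \
            unique_key_reveals_hidden_row(t, "PUBLIC", "acct-42")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running the block shows that a PUBLIC user sees no rows through the view in either configuration, but only with `label_in_unique_key=True` does the insert of a colliding key succeed instead of raising a constraint error; with the label outside the key, the error itself discloses that a SECRET row with that key exists.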
System permissions
(1) Security administrator permission (SECADM). This permission is required to perform the following operations:
Create and drop label components
Create and drop security policies
Create and drop security labels
Grant and revoke security labels
Grant and revoke exemptions
Grant and revoke the SETSESSIONUSER permission
SYSADM is the only user that can grant the SECADM permission. SECADM does not in itself grant the ability to access data in a table protected by mandatory access control.
(2) SETSESSIONUSER permission
Changing the current user's authorization ID to a different authorization ID means that the user switches to accessing data under a different identity's mandatory access control labels. SETSESSIONUSER can be granted to a user or a group. This permission allows its holder to switch the authorization ID to any user ID covered by the permission. The switch statement is SET SESSION AUTHORIZATION.
Article by: http://www.programbbs.com/doc/class10-1.htm