Oracle SA_SYSDBA
Version 21c

General Information
Purpose Manages Oracle Label Security policies, such as creating, altering, or disabling them.
AUTHID CURRENT_USER
Dependencies
LBAC_LGSTNDBY_UTIL LBAC_STANDARD LBAC_SYSDBA
Documented Yes
Exceptions
Error Code Reason
ORA-12458 Oracle Label Security not enabled
First Available 10.1
Policy Enforcement Options
ALL_CONTROL LABEL_DEFAULT READ_CONTROL
CHECK_CONTROL LABEL_UPDATE UPDATE_CONTROL
DELETE_CONTROL NO_CONTROL WRITE_CONTROL
INSERT_CONTROL    
Security Model Owned by LBACSYS with no privileges granted.
-- sys must perform the following

GRANT inherit privileges ON USER sys TO lbacsys;
GRANT lbac_dba to SYS;
Source {ORACLE_HOME}/rdbms/admin/prvtolsdd.plb
Subprograms
 
ALTER_POLICY
Alter an OLS policy
sa_sysdba.alter_policy(
policy_name     IN VARCHAR2,
default_options IN VARCHAR2,
column_name     IN VARCHAR2);
exec sa_sysdba.alter_policy('DATA_ACCESS', 'READ_CONTROL, DELETE_CONTROL');
 
CREATE_POLICY
Creates a new Oracle Label Security policy, defines a policy-specific column name, and specifies default policy options.

After creating a policy, a role for it is created and granted to. The format of the role name is policy_DBA (for example, my_ols_pol_DBA).
sa_sysdba.create_policy(
policy_name     IN VARCHAR2,
column_name     IN VARCHAR2,
default_options IN VARCHAR2);
exec lbacsys.sa_sysdba.create_policy(
  policy_name     => 'DATA_ACCESS',
  column_name     => 'OLS_COL',
  default_options => 'READ_CONTROL, WRITE_CONTROL');
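
Added example, not part of the original page or of Oracle's own code: a SQL*Plus block that creates the policy, traps the ORA-12458 error listed above, and confirms both the recorded options and the policy_DBA role. It assumes the caller can execute SA_SYSDBA and query DBA_SA_POLICIES and DBA_ROLES, and that the DATA_ACCESS policy does not already exist.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- ORA-12458 is the error this page lists for SA_SYSDBA
  ols_not_enabled EXCEPTION;
  PRAGMA EXCEPTION_INIT(ols_not_enabled, -12458);

  c_policy  CONSTANT VARCHAR2(30) := 'DATA_ACCESS';  -- policy name from the page's examples
  v_status  VARCHAR2(30);
  v_options VARCHAR2(4000);
  v_roles   PLS_INTEGER;
BEGIN
  lbacsys.sa_sysdba.create_policy(
    policy_name     => c_policy,
    column_name     => 'OLS_COL',
    default_options => 'READ_CONTROL, WRITE_CONTROL');

  -- Read back what the data dictionary recorded for the policy
  SELECT status, policy_options
    INTO v_status, v_options
    FROM dba_sa_policies
   WHERE policy_name = c_policy;
  dbms_output.put_line(c_policy || ' status=' || v_status || ' options=' || v_options);

  -- The page states a role named policy_DBA is created with the policy
  SELECT COUNT(*)
    INTO v_roles
    FROM dba_roles
   WHERE role = c_policy || '_DBA';
  IF v_roles = 0 THEN
    raise_application_error(-20001, 'Expected role ' || c_policy || '_DBA was not found');
  END IF;
  dbms_output.put_line('Role ' || c_policy || '_DBA exists; review its grantees in DBA_ROLE_PRIVS');
EXCEPTION
  WHEN ols_not_enabled THEN
    dbms_output.put_line('ORA-12458: Oracle Label Security not enabled; no policy was created');
  WHEN no_data_found THEN
    raise_application_error(-20002, 'Policy ' || c_policy || ' is missing from DBA_SA_POLICIES');
END;
/
```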
 
DISABLE_POLICY
Disable an OLS policy
sa_sysdba.disable_policy(policy_name IN VARCHAR2);
exec lbacsys.sa_sysdba.disable_policy('DATA_ACCESS');
 
DROP_POLICY
Drop an OLS policy
sa_sysdba.drop_policy(
policy_name IN VARCHAR2,
drop_column IN BOOLEAN);
exec lbacsys.sa_sysdba.drop_policy('DATA_ACCESS', TRUE);
 
ENABLE_POLICY
Enable an OLS policy
sa_sysdba.enable_policy(policy_name IN VARCHAR2);
exec lbacsys.sa_sysdba.enable_policy('DATA_ACCESS');


This site is maintained by Dan Morgan. This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2023 Daniel A. Morgan All Rights Reserved