This section contains:
Checking if Oracle Label Security Has Been Registered and Enabled
Registering and Enabling Oracle Label Security from SQL*Plus
When you install Oracle Database, by default Oracle Label Security is not enabled. You must register it with the database. Afterwards, you must enable the default Oracle Label Security user account, LBACSYS.
After you register Oracle Label Security, you can disable and re-enable it when necessary.
If you are using a multitenant environment, then only register Oracle Label Security in the pluggable databases (PDBs) in which you plan to create Oracle Label Security policies. Because Oracle Label Security is not designed to protect data dictionary objects, you cannot create policies in the root.
Checking if Oracle Label Security Has Been Registered and Enabled
Log into the database instance as user SYS with the SYSDBA administrative privilege.
sqlplus sys as sysdba
Enter password: password
If you are using a multitenant environment, then connect to the appropriate PDB.
For example, to connect to the PDB hrpdb:
CONNECT SYS@hrpdb AS SYSDBA
Enter password: password
To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.
Run the following query to find if Oracle Label Security has been registered:
SELECT STATUS FROM DBA_OLS_STATUS WHERE NAME = 'OLS_CONFIGURE_STATUS';
If the output is TRUE, then Oracle Label Security is registered. If the output is FALSE, then you must register Oracle Label Security.
If Oracle Label Security has been registered, then check if it is enabled. The PARAMETER column is case sensitive, so use the case shown here.
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
If it returns TRUE, then Oracle Label Security is enabled. Go to "Enabling the LBACSYS Oracle Label Security User Account". If the output is FALSE, then you must enable Oracle Label Security.
Note: If Oracle Label Security is registered, it may or may not be enabled. You can query the V$OPTION dynamic view to find if it is enabled. See "Checking if Oracle Label Security Is Enabled or Disabled" for more information.
Registering and Enabling Oracle Label Security from SQL*Plus
Log into the database instance as user SYS with the SYSDBA administrative privilege.
For example:
sqlplus sys as sysdba
Enter password: password
If you are using a multitenant environment, then connect to the appropriate PDB.
For example, to connect to the PDB hrpdb:
CONNECT SYS@hrpdb AS SYSDBA
Enter password: password
To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.
Register and enable Oracle Label Security as follows.
EXEC LBACSYS.CONFIGURE_OLS; -- This procedure registers Oracle Label Security.
EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; -- This procedure enables it.
Connect as user SYS with the SYSOPER privilege.
CONNECT SYS AS SYSOPER
-- Or, CONNECT SYS@hrpdb AS SYSOPER
Enter password: password
Restart the database.
For example:
SHUTDOWN IMMEDIATE
STARTUP
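The two status checks above and the registration and enablement calls, combined into one script. This is an added example, not code from the Oracle documentation; it assumes you are connected as SYS AS SYSDBA in the PDB where you plan to create policies, and it only calls LBACSYS.CONFIGURE_OLS and LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS when the corresponding status is not already TRUE. The restart as SYSOPER still has to be performed afterwards.

```sql
-- Added example (not from the Oracle documentation). Run as SYS AS SYSDBA
-- in the target PDB. Checks DBA_OLS_STATUS and V$OPTION, then registers
-- and/or enables Oracle Label Security only if that step is still needed.
SET SERVEROUTPUT ON
DECLARE
  v_registered VARCHAR2(10);
  v_enabled    VARCHAR2(10);
BEGIN
  -- Registration state: TRUE once LBACSYS.CONFIGURE_OLS has been run.
  SELECT status INTO v_registered
    FROM dba_ols_status
   WHERE name = 'OLS_CONFIGURE_STATUS';

  -- Enablement state. PARAMETER is case sensitive, so match it exactly.
  SELECT value INTO v_enabled
    FROM v$option
   WHERE parameter = 'Oracle Label Security';

  DBMS_OUTPUT.PUT_LINE('Before: registered=' || v_registered
                       || ' enabled=' || v_enabled);

  IF v_registered <> 'TRUE' THEN
    LBACSYS.CONFIGURE_OLS;                -- registers Oracle Label Security
    DBMS_OUTPUT.PUT_LINE('Ran LBACSYS.CONFIGURE_OLS');
  END IF;

  IF v_enabled <> 'TRUE' THEN
    LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;   -- enables it; takes effect after restart
    DBMS_OUTPUT.PUT_LINE('Ran LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; '
                         || 'now restart the database as SYS AS SYSOPER');
  ELSE
    DBMS_OUTPUT.PUT_LINE('Oracle Label Security is already enabled');
  END IF;
END;
/
```

Re-run the two SELECT statements after the restart: V$OPTION only reports TRUE once the instance has been restarted.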
You can both register and enable Oracle Label Security using Database Configuration Assistant.
Start Database Configuration Assistant (DBCA).
UNIX: Run the following command:
$ORACLE_HOME/bin/dbca
Windows: From the Start menu, click All Programs. Then click Oracle - ORACLE_HOME, then Configuration and Migration Tools, and then Database Configuration Assistant.
The Welcome screen appears.
Click Next.
The Operations screen appears.
Select Configure Database Options. Click Next.
The Database screen appears.
From the list, select the database where you need to configure and enable OLS. Click Next.
The Database Content screen appears.
Select Oracle Label Security. Click Next.
The Connection Mode screen appears.
Select either Dedicated Server Mode or Shared Server Mode. Click Finish.
A dialog box is displayed informing you that the operation will require the database to be restarted.
Click OK.
A confirmation dialog box is displayed.
Click OK.
The DBCA progress screen is displayed.
After the operation is complete, you are prompted to perform another operation. Click No to exit DBCA.
Enabling the LBACSYS Oracle Label Security User Account
After you complete the registration process, the default user account, LBACSYS, is granted the LBAC_DBA database role, which provides the privileges necessary to manage Oracle Label Security. By default, LBACSYS is created as a locked account with its password expired.
Log into the database instance as a user who has been granted the ALTER USER system privilege (for example, the SYSTEM user).
For example:
sqlplus system
-- Or, sqlplus system@hrpdb for the hrpdb pluggable database (PDB)
Enter password: password
If Oracle Database Vault is enabled, then log in as a user who has been granted the DV_ACCTMGR role.
Enter this statement:
ALTER USER LBACSYS ACCOUNT UNLOCK IDENTIFIED BY password;
Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.
After you unlock user LBACSYS and provide a password, as a good practice, you may want to reserve this account as a back-up user account. For day-to-day use, consider granting the LBAC_DBA database role to trusted users who you want to administer Oracle Label Security.
If you plan to use Enterprise Manager Cloud Control to administer Oracle Label Security, then ensure that any users to whom you have granted the LBAC_DBA role also have the SELECT ANY DICTIONARY privilege. By default, the LBACSYS user already has this privilege.
From Enterprise Manager Cloud Control, you use the Oracle Label Security pages to create and manage Oracle Label Security policies.
To access the Oracle Label Security pages from Cloud Control:
Ensure that you have configured the Cloud Control target databases that you plan to use with Oracle Label Security.
See the Oracle Enterprise Manager online help and Oracle Enterprise Manager Advanced Configuration for more information about configuring target databases.
Point your browser to the Cloud Control login page.
For example:
https://myserver.example.com:7799/em
Log into Cloud Control as user SYSMAN.
In the Cloud Control home page, from the Targets menu, select Databases.
In the Databases page, select the link for the database to which you want to connect.
The Database home page appears.
From the Security menu, select Label Security.
The Database Login page appears.
Enter the following information:
Username: Enter the user name of a user who has been granted the LBAC_DBA database role, or enter LBACSYS.
Password: Enter the password.
Role: Select NORMAL from the list.
Save As: Select this check box if you want these credentials to be automatically filled in for you the next time that this page appears. The credentials are stored in Enterprise Manager in a secured manner. Access to these credentials depends on the user who is currently logged in.
To use Oracle Label Security from SQL*Plus, connect as user LBACSYS or as a user who has been granted the LBAC_DBA database role. To find if a user has been granted this role, query the GRANTEE and GRANTED_ROLE columns of the DBA_ROLE_PRIVS data dictionary view.
For example:
sqlplus psmith_ols
-- Or, sqlplus psmith_ols@hrpdb for a PDB named hrpdb
Enter password: password
To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.