Index

A

access control
discretionary, 3.5.4
understanding, 3
access mediation
and views, 3.5.5
enforcement options, 3.5.7
introduction, 3.1
label evaluation, 3.4
program units, 3.5.6
ADD_GROUPS procedure
inverse groups, 13.8.3
ALL_CONTROL option, 8.1.3, 8.1.4, 8.1.8
ALL_SA_AUDIT_OPTIONS view, F.1.2.1
ALL_SA_COMPARTMENTS view, F.1.2.2, F.1.2.16
ALL_SA_DATA_LABELS view, F.1.2.3, F.1.2.17
ALL_SA_GROUPS view, F.1.2.4, F.1.2.18
ALL_SA_LABELS view, F.1.2.5, F.1.2.20
ALL_SA_LEVELS view, F.1.2.6, F.1.2.21
ALL_SA_POLICIES view, F.1.2.7
ALL_SA_PROG_PRIVS view, F.1.2.8
ALL_SA_SCHEMA_POLICIES view, F.1.2.9
ALL_SA_TABLE_POLICIES view, F.1.2.10
ALL_SA_USER_LABELS view, F.1.2.12
ALL_SA_USER_LEVELS view, F.1.2.13
ALL_SA_USER_PRIVS view, F.1.2.14
ALL_SA_USERS view, F.1.2.11
ALTER_GROUP_PARENT
inverse groups, 13.8.10
ALTER_GROUPS procedure
inverse groups, 13.8.4
ALTER_POLICY procedure
inverse groups, 13.8.2
ANALYZE command, 12.4.1
APPLY_SCHEMA_POLICY procedure
with inverse groups, 13.3.1
APPLY_TABLE_POLICY procedure
with inverse groups, 13.3.1
architecture, Oracle Label Security, 1.6
AS SYSDBA clause, 12.5
AUDIT_LABEL_ENABLED function, E.1.3
AUDIT_TRAIL parameter, 10.2
auditing
audit trails, 10.1, 10.2, E.1.4
creating audit view, E.1.4
disabling, E.1.7
disabling policy specific, E.1.6
dropping audit view, E.1.5
enabling
SA_AUDIT_ADMIN.AUDIT procedure, E.1.1
finding audit options, F.1.2.1
finding if labels are recorded, E.1.3
Oracle Label Security, 10.1, 10.4
recording policy labels, E.1.2
SA_AUDIT_ADMIN package, E.1
SA_AUDIT_ADMIN.AUDIT_LABEL procedure, E.1.2
SA_AUDIT_ADMIN.AUDIT_LABEL_ENABLED function, E.1.3
SA_AUDIT_ADMIN.CREATE_VIEW procedure, E.1.4
SA_AUDIT_ADMIN.DROP_VIEW procedure, E.1.5
SA_AUDIT_ADMIN.NOAUDIT procedure, E.1.6
SA_AUDIT_ADMIN.NOAUDIT_LABEL procedure, E.1.7
strategy, 10.5.1
systemwide, 10.2
types of, 5.9.8
views, E.1.4

B

B-tree indexes, 12.4.2

C

CDBs
Oracle Label Security, 1.8.2
CHAR_TO_LABEL function, 6.3.1, 6.5.1, 6.5.5
CHECK_CONTROL option
and label update, 8.4.2, 8.4.3
and labeling functions, 8.3.1
definition, 8.1.3, 8.1.4
with other options, 8.1.9
CHECK_WRITE function, E.8.3
child rows
deleting, 8.5
inserting, 8.3.3
updating, 8.4.4
Cloud Control login, 5.9.1
COMPACCESS privilege, 3.5.1, 3.5.2.3, 5.5.1
inverse groups, 13.3.5, 13.6
compartments
altering, E.2.1
creating, E.2.5
definition, 2.3.3, 5.3.4
deleting, E.2.8
example, 2.3.3, 5.3.4
finding, F.1.2.27
finding compartments user can read in session, E.5.1
finding compartments user can write to in session, E.5.2
finding user information, F.1.2.2
SA_COMPONENTS.ALTER_COMPARTMENT procedure, E.2.1
SA_COMPONENTS.CREATE_COMPARTMENT procedure, E.2.5
SA_COMPONENTS.DROP_COMPARTMENT procedure, E.2.8
SA_USER_ADMIN package, E.7
SA_USER_ADMIN.ADD_COMPARTMENTS procedure, E.7.1
SA_USER_ADMIN.ALTER_COMPARTMENTS, E.7.3
SA_USER_ADMIN.DROP_COMPARTMENTS procedure, E.7.7
SA_USER_ADMIN.SET_COMPARTMENTS procedure, E.7.10
setting authorizations, 3.3.1.2, 5.4.4
components
SA_COMPONENT package, E.2
SA_USER_ADMIN.DROP_ALL_COMPARTMENTS procedure, E.7.5
CON, C.2
configuration of Oracle Label Security
finding status, F.1.2.32
connection parameters, C.2
CREATE FUNCTION statement, 9.2.1
CREATE PACKAGE BODY statement, 9.2.1
CREATE PACKAGE statement, 9.2.1
CREATE PROCEDURE statement, 9.2.1
CREATE TABLE AS SELECT statement, F.2.1
CREATE_GROUP procedure
inverse groups, 13.8.9
CREATE_POLICY procedure
inverse groups, 13.8.1
CREATE_VIEW procedure, F.1.3
creating databases, 12.5

D

data
label-based access, 2.1
data dictionary tables, 2.2, 12.4.1, 12.5, F.1.1
data labels
checking if label is data label, E.8.4
finding label and tag information, F.1.2.3
SA_UTL.DATA_LABEL function, E.8.4
Data Pump export
row labels, 12.1.2
Data Pump import, 12.2
database links, 11.2
databases, creating additional, 12.5
DBA_OLS_STATUS view, F.1.2.32
DBA_policyname_AUDIT_TRAIL view, F.1.3
DBA_SA_AUDIT_OPTIONS view, F.1.2.15
DBA_SA_COMPARTMENTS view, 12.2.2.2, F.1.2.16
DBA_SA_DATA_LABELS view, F.1.2.17
DBA_SA_GROUP_HIERARCHY view, F.1.2.19
DBA_SA_GROUPS view, 12.2.2.2, F.1.2.18
DBA_SA_LABELS view, 12.2.2.2, F.1.2.20
DBA_SA_LEVELS view, 12.2.2.2, F.1.2.21
DBA_SA_POLICIES view, F.1.2.22
DBA_SA_PROG_PRIVS view, F.1.2.23
DBA_SA_SCHEMA_POLICIES view, 8.1.11, F.1.2.24
DBA_SA_TABLE_POLICIES view, 8.1.11, F.1.2.25
DBA_SA_USER_COMPARTMENTS view, F.1.2.27
DBA_SA_USER_GROUPS view, F.1.2.28
DBA_SA_USER_LABELS view, F.1.2.29
DBA_SA_USER_LEVELS view, F.1.2.30
DBA_SA_USER_PRIVS view, F.1.2.31
DBA_SA_USERS view, F.1.2.26
default port, C.2
default row label, E.5.18
deinstallation, A
DELETE_CONTROL option, 8.1.3, 8.1.4, 8.5
DELETERESTRICT option, 8.5
deleting labeled data, 8.5
demobld.sql file, 1.7.1.1
disabling OLS, A.3
discretionary access control (DAC), 3.5.4
distributed databases
connecting to, 11.2
multiple policies, 3.6.2
Oracle Label Security configuration, 11.1
remote session label, 11.3
dominance
definition, 3.4.2
functions
about, B.1.3.1
greatest lower bound, 6.4.4.2
inverse groups, 13.9
least upper bound, 6.4.4.1
overview, B.1.1
DOMINATED_BY function, B.1.3.9
DOMINATES function, B.1.1, B.1.3.7
DROP USER CASCADE restriction, F.2.4
dropping for specified compartments, E.7.7
duties
of security administrators, 1.4

E

enabling OLS, A.3
enforcement options
and UPDATE, 8.4.2
combinations of, 8.1.9
exemptions, 8.1.10
guidelines, 8.1.9
INVERSE_GROUP, 13.3.1
list of, 8.1.2
overview, 8.1.1
viewing, 8.1.11
EXEMPT ACCESS POLICY privilege, 8.1.10
Export utility
LBACSYS restriction, F.2.3
policy enforcement, 8.1.10
row labels, 3.5.2.1, 12.2.2.2

F

FULL privilege, 3.5.1, 3.5.2.2, 3.5.2.4, 5.5.1
function call, D.1, D.2

G

granularity
to data access, 3.4.3
GREATEST_LBOUND function
inverse groups, 13.8.14
groups
altering, E.2.2
altering parent groups, E.2.3
creating group parent, E.2.6
definition, 2.3.4, 5.3.6
deleting, E.2.9
example, 2.3.4, 5.3.6
finding for entire database, F.1.2.28
finding hierarchy of parent-child relationships, F.1.2.19
finding policy groups, F.1.2.4
hierarchical, 2.3.4, 2.5, 5.3.6, F.1.2.19
inverse, 13.2
parent, 2.3.4, 3.4.1.2, 5.3.6, 13.3.4
read/write access, 3.4.1.2
SA_COMPONENTS.ALTER_GROUP procedure, E.2.2
SA_COMPONENTS.ALTER_GROUP_PARENT procedure, E.2.3
SA_COMPONENTS.CREATE_GROUP procedure, E.2.6
SA_COMPONENTS.DROP_GROUP, E.2.9
SA_SESSION.GROUP_READ function, E.5.3
SA_SESSION.GROUP_WRITE function, E.5.4
SA_USER_ADMIN package, E.7
SA_USER_ADMIN.ADD_GROUPS procedure, E.7.2
SA_USER_ADMIN.ALTER_GROUPS procedure, E.7.4
SA_USER_ADMIN.DROP_ALL_GROUPS procedure, E.7.6
SA_USER_ADMIN.DROP_GROUPS procedure, E.7.8
SA_USER_ADMIN.SET_GROUPS procedure, E.7.12
setting authorizations, 3.3.1.3, 5.4.6

H

HIDE, 6.1.1.1, E.6.1, E.6.2
HIDE option
default, E.6.2
discussion of, 8.1.5
example, 6.1.1.1
importing hidden column, 12.2.2.5
inserting data, 6.5.4
not exported, 12.1.2
per-table basis, 6.3.2.2
PL/SQL restriction, F.2.6
schema level, 8.1.2

I

impdp. See Data Pump import
Import utility
importing labeled data, 12.2.2.1.2, 12.2.2.2
importing policies, 12.1.2
importing unlabeled data, 12.2.2.4
with Oracle Label Security, 12.2.2
indexes, 12.4.2
INITIAL_LABEL variable, B.3
INITIAL_ROW_LABEL variable, B.3
initialization parameters
AUDIT_TRAIL, 10.2
INSERT_CONTROL option, 8.1.3, 8.1.4, 8.3.1
inserting labeled data, 6.5, 8.3
INTO TABLE clause, 12.3.2
inverse groups
and label components, 13.3.2
COMPACCESS privilege, 13.3.5, 13.6
computed labels, 13.3.3
dominance, 13.9
implementation of, 13.3
introduction, 13.2
Max Read Groups, 13.3.3.2
Max Write Groups, 13.3.3.2
parent-child unsupported, 13.3.4
read algorithm, 13.4
session labels, 13.7
SET_DEFAULT_LABEL, 13.7.1
SET_LABEL, 13.7.2
SET_ROW_LABEL, 13.7.1, 13.7.2
user privileges, 13.3.5
write algorithm, 13.5
INVERSE_GROUP enforcement option
behavior of procedures, 13.8
implementation, 13.3.1

L

label components
defining, E.2
in distributed environment, 11.4
industry examples, 2.3.5
interrelation, 2.5
label evaluation process
COMPACCESS read, 3.5.2.3
COMPACCESS write, 3.5.2.3
inverse groups, COMPACCESS, 13.6
LABEL_UPDATE, 8.4.2
read access, 3.4.2
read access, inverse groups, 13.4
write access, 3.4.3
write access, inverse groups, 13.5
label tags
converting from string, 6.3.1
converting to string, 6.3.2
distributed environment, 11.4.1
example, 6.1.2.1
inserting data, 6.5.2
introduction, 2.4, 5.3.9
manually defined, 6.1.2.1, 6.1.2.2
strategy, 12.4.3
using in WHERE clauses, 6.4.1
LABEL_DEFAULT option
and labeling functions, 8.2.1, 8.2.2
authorizing compartments, 3.3.1.2
authorizing groups, 3.3.1.3
definition, 8.1.3
importing unlabeled data, 12.2.2.4
inserting labeled data, 6.5.3
with enforcement options, 8.1.9
with SA_SESSION.SET_ROW_LABEL, E.5.18
LABEL_TO_CHAR function, 6.3.2, 6.3.2.1, 6.4.3
LABEL_UPDATE option
and labeling functions, 8.1.6.2, 8.2.2
and privileges, 8.1.6.2
and WRITE_CONTROL, 8.1.7.2
and WRITEDOWN, 3.5.3
and WRITEUP, 3.5.1, 3.5.3, 5.5.1
definition, 8.1.3, 8.1.4
evaluation process, 8.4.2
with enforcement options, 8.1.9
label-based security, 2.1
labeling functions
ALL_CONTROL and NO_CONTROL, 8.1.8
and CHECK_CONTROL, 8.3.1
and LABEL_DEFAULT, 8.1.6.2, 8.2.1
and LABEL_DEFAULT option
and labeling functions, 8.1.6.1
and LABEL_UPDATE, 8.1.6, 8.1.6.3
and LBACSYS, 8.2.2
creating, 8.2.3
example, 8.2.1
how they work, 8.2.2
importing unlabeled data, 12.2.2.4
in force, 8.1.6
inserting data, 6.5.3
introduction, 3.5.7
override manual insert, 8.3.2
specifying, 8.2.4
testing, 8.2.2
UPDATE, 8.4.3
using, 8.2.1
with enforcement options, 8.1.9
labels, E.8.4, E.8.9
administering, 2.6
altering, E.3.1
and performance, 3.5.2.1
checking if a data label, E.8.4
checking if changed, E.8.1
creating, E.3.2
data and user, 2.5
deleting, E.3.3
finding greatest lower bound, E.8.5
finding least upper bound, E.8.6
finding tags and types of, F.1.2.5
merging, 6.4.5
non-comparable, B.1.2
relationships between, B.1
restoring default for session, E.5.12
SA_LABEL_ADMIN package, E.3
SA_LABEL_ADMIN.ALTER_LABEL procedure, E.3.1
SA_LABEL_ADMIN.CREATE_LABEL procedure, E.3.2
SA_LABEL_ADMIN.DROP_LABEL procedure, E.3.3
SA_SESSION.LABEL function, E.5.5
SA_SESSION.MAX_READ_LABEL function, E.5.7
SA_SESSION.MAX_WRITE_LABEL function, E.5.8
SA_SESSION.MIN_WRITE_LABEL function, E.5.10
SA_SESSION.RESTORE_DEFAULT_LABELS, E.5.12
SA_SESSION.SET_LABEL procedure, E.5.14
SA_SESSION.SET_ROW_LABEL procedure, E.5.18
SA_USER_ADMIN package, E.7
SA_USER_ADMIN.SET_USER_LABELS procedure, E.7.16
SA_UTL.CHECK_LABEL_CHANGE function, E.8.1
SA_UTL.GREATEST_LBOUND function, E.8.5
SA_UTL.LEAST_UBOUND function, E.8.6
SA_UTL.SET_LABEL procedure, E.8.9
saving default session label, E.5.16
setting row label, E.5.18
syntax, 2.4, 5.3.8
valid, 2.4, 5.3.9, 6.1.2
with inverse groups, 13.3.3
LBAC_LABEL data type, 8.2.2
LBACSYS
export, 12.1.1
import, 12.1.1
login, 5.9.1
LBACSYS default user account
about, 4.2
best practice guideline, 4.2
enabling, 4.2
LBACSYS schema
and labeling functions, 8.2.2
creating additional databases, 12.5
data dictionary tables, 12.4.1
export restriction, F.2.3
LEAST_UBOUND function, 6.4.5
inverse groups, 13.8.13
levels
about, 5.3.2
altering levels, E.2.4
creating, E.2.7
definition, 2.3.2, 5.3.2
deleting, E.2.10
example, 2.3.2, 5.3.2
finding, F.1.2.6
SA_COMPONENTS.ALTER_LEVEL procedure, E.2.4
SA_COMPONENTS.CREATE_LEVEL procedure, E.2.7
SA_COMPONENTS.DROP_LEVEL procedure, E.2.10
SA_SESSION.MAX_LEVEL function, E.5.6
SA_SESSION.MIN_LEVEL function, E.5.9
SA_USER_ADMIN.SET_LEVELS procedure, E.7.13
setting authorizations, 3.3.1.1, 5.4.2
logging into Oracle Label Security
from Cloud Control, 4.3.1
from SQL*Plus, 4.3.2
login
Cloud Control, 5.9.1
LBACSYS, 5.9.1

M

materialized views, 11.6.1.1, 11.6.3.2
Max Read Groups, 13.3.3.2
Max Write Group, 13.3.3.2
MERGE_LABEL function, 6.4.5
multitenant container databases. See CDBs

N

NO_CONTROL option, 8.1.3, 8.1.4, 8.1.8
NOAUDIT procedure, E.1.6
NUMBER data type, 6.1.1

O

object privileges
and Oracle Label Security privileges, 3.5.4
and trusted stored program units, 3.5.6, 9.1.1
OCI interface, B.3
OCI_ATTR_APPCTX_LIST, B.3
OCI_ATTR_APPCTX_SIZE, B.3
OCIAttrSet, B.3
OCIParamGet, B.3
OLS_DOMINATED_BY function, B.1.3.5
OLS_DOMINATES function, B.1.3.2
OLS_GLBD function, 6.4.4.2
OLS_GREATEST_LBOUND function, 6.4.4.2
OLS_LABEL_DOMINATES function
about, B.1.3.3
in Data Redaction policies, B.1.3.3
in Database Vault policies, B.1.3.3
OLS_LEAST_UBOUND function, 6.4.4.1
OLS_LUBD function, 6.4.4.1
OLS_STRICTLY_DOMINATED_BY function, B.1.3.6
OLS_STRICTLY_DOMINATES function, B.1.3.4
OptionsA, C.2.1
Oracle Data Redaction
using OLS_LABEL_DOMINATES function with, B.1.3.3
Oracle Database Vault
using OLS_LABEL_DOMINATES function with, B.1.3.3
Oracle Enterprise Manager
administering labels, 2.6
Oracle Internet Directory
configuring OLS after switchover to standby database, 7.11.5
integration with OLS, 1.8.1
OID with Oracle Data Guard, 7.11.5
Oracle Label Security
about, 7.1
administrator duties in, 7.9
bootstrapping databases, 7.10
configuring, about, 7.2
configuring, permission for, 7.2.1
configuring, steps, 7.2.2
integrated capabilities of, 7.5
PL/SQL procedures for policy administrators, 7.14
policy attributes in, 7.6
profiles, about, 7.4
provisioning profiles, about, 7.11.2
provisioning profiles, changing database connection information, 7.11.4
provisioning profiles, managing, 7.11.3
removing OID-enabled OLS from database, 7.3
restrictions on new data label creation, 7.8
security roles and permitted actions, 7.12
subscribing policies in, 7.7
superseded PL/SQL statements, 7.13
synchronizing database with OID, 7.11.1
un-registering database, 7.2.3
Oracle Label Security
about, 1.1
benefits, 1.2
privileges required to use, 1.3
registering, 4.1.1
Oracle Label Security (OLS)
integration with Oracle Internet Directory, 1.8.1
Oracle Label Security data dictionary views
about, F.1.2
ALL_SA_AUDIT_OPTIONS, F.1.2.1
ALL_SA_COMPARTMENTS, F.1.2.2, F.1.2.16
ALL_SA_DATA_LABELS, F.1.2.3, F.1.2.17
ALL_SA_GROUPS, F.1.2.4, F.1.2.18
ALL_SA_LABELS, F.1.2.5, F.1.2.20
ALL_SA_LEVELS, F.1.2.6, F.1.2.21
ALL_SA_POLICIES, F.1.2.7
ALL_SA_PROG_PRIVS, F.1.2.8
ALL_SA_SCHEMA_POLICIES, F.1.2.9
ALL_SA_TABLE_POLICIES, F.1.2.10
ALL_SA_USER_LABELS, F.1.2.12
ALL_SA_USER_LEVELS, F.1.2.13
ALL_SA_USER_PRIVS, F.1.2.14
ALL_SA_USERS, F.1.2.11
DBA_OLS_STATUS, F.1.2.32
DBA_SA_AUDIT_OPTIONS, F.1.2.15
DBA_SA_GROUP_HIERARCHY, F.1.2.19
DBA_SA_POLICIES, F.1.2.22
DBA_SA_PROG_PRIVS, F.1.2.23
DBA_SA_SCHEMA_POLICIES, F.1.2.24
DBA_SA_TABLE_POLICIES, F.1.2.25
DBA_SA_USER_COMPARTMENTS, F.1.2.27
DBA_SA_USER_GROUPS, F.1.2.28
DBA_SA_USER_LABELS, F.1.2.29
DBA_SA_USER_LEVELS, F.1.2.30
DBA_SA_USER_PRIVS, F.1.2.31
DBA_SA_USERS, F.1.2.26
USER_SA_SESSION, F.1.2.33
Oracle Label Security profiles, 7.4
ORDER BY clause, 6.4.1, 6.4.2

P

packages
Oracle Label Security, 1.7.1
SA_AUDIT_ADMIN, E.1
SA_COMPONENTS, E.2
SA_LABEL_ADMIN, E.3
SA_POLICY_ADMIN, E.4
SA_SESSION, E.5
SA_SYSDBA, E.6
SA_USER_ADMIN, E.7
SA_UTL, E.8
trusted stored program units, 9.1
partitioning, 6.1.2.2, 12.4.4
PDBs
Oracle Label Security, 1.8.2
performance, Oracle Label Security
ANALYZE command, 12.4
indexes, 12.4.2
label tag strategy, 12.4.3
partitioning, 12.4.4
READ privilege, 3.5.2.1
PL/SQL
recreating labels for import, 12.2.2.2
SA_UTL package, 9.3, E.8
trusted stored program units, 9.1
pluggable databases. See PDBs
policies
enforcement guidelines, 8.1.9
enforcement options, 3.5.7, 6, 8.1.1, 8.1.2, 8.1.9
finding for current user, F.1.2.7
finding for entire database, F.1.2.22
finding information about schema policies, F.1.2.9
finding information about table policies, F.1.2.10
finding privileges for program units, F.1.2.8
multiple, 2.2, 6.1.2, F.2.2
OID subscription, E.4.8
OID unsubscription, E.4.9
privileges, 3.5.4, E.7.17
SA_POLICY_ADMIN package, E.4
SA_POLICY_ADMIN.POLICY_SUBSCRIBE procedure, E.4.8
SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE procedure, E.4.9
SA_USER_ADMIN.SET_PROG_PRIVS procedure, E.7.14
setting program unit privileges, E.7.14
terminology, 5.6.1
policies, schema
altering, E.4.1
applying, E.4.2
deleting, E.4.10
disabling, E.4.4
enabling, E.4.6
SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY procedure, E.4.1
SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY procedure, E.4.2
SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY procedure, E.4.6
SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY procedure, E.4.10
policies, schema, disabling
SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY procedure, E.4.4
policies, table
applying, E.4.3
deleting, E.4.11
disabling, E.4.5
enabling, E.4.7
SA_POLICY_ADMIN.APPLY_TABLE_POLICY procedure, E.4.3
SA_POLICY_ADMIN.DISABLE_TABLE_POLICY procedure, E.4.5
SA_POLICY_ADMIN.ENABLE_TABLE_POLICY procedure, E.4.7
SA_POLICY_ADMIN.REMOVE_TABLE_POLICY procedure, E.4.11
policy label column
indexing, 12.4.2
inserting data when hidden, 6.5.4
introduction, 6.1.1
retrieving, 6.3.2.1
retrieving hidden, 6.3.2.2
storing label tag, 2.4, 5.3.9
policy management
altering policies, E.6.1
creating policies, E.6.2
deleting policies, E.6.4
disabling policies, E.6.3
enabling policies, E.6.5
SA_SYSDBA package, E.6
SA_SYSDBA.ALTER_POLICY procedure, E.6.1
SA_SYSDBA.CREATE_POLICY procedure, E.6.2
SA_SYSDBA.DISABLE_POLICY procedure, E.6.3
SA_SYSDBA.DROP_POLICY procedure, E.6.4
SA_SYSDBA.ENABLE_POLICY procedure, E.6.5
policy_DBA role, 2.2, E.3, E.7.17
about, 1.4
auditing policy_DBA role users, E.1.1
how to use, 1.4
required for Data Pump import operations, 12.2.2.1.2
required for label management, E.3
required for Oracle Label Security auditing, E.1
required for SA_USER_ADMIN.SET_PROG_PRIVS procedure, E.7.14
required for SA_USER_ADMIN.SET_USER_PRIVS procedure, E.7.17
predicates
access mediation, 3.5.7
errors, 8.6.1
label tag performance strategy, 12.4.3
multiple, 8.6.2
used with policy, 8.6.1
privileges
COMPACCESS, 3.5.1, 3.5.2.3, 5.5.1
FULL, 3.5.1, 3.5.2.2, 3.5.2.4, 5.5.1
Oracle Label Security, 1.3, 3.5.1
PROFILE_ACCESS, 3.5.1, 3.5.2.4, 5.5.1
program units, 3.5.6
READ, 3.5.1, 3.5.2.1, 5.5.1
row label, 3.5.3
SA_USER_ADMIN.SET_USER_PRIVS procedure, E.7.17
trusted stored program units, 9.2.5
WRITEACROSS, 3.5.1, 3.5.3, 3.5.3.3, 5.5.1
WRITEDOWN, 3.5.1, 3.5.3, 3.5.3.2, 3.5.6, 5.5.1
WRITEUP, 3.5.1, 3.5.3, 3.5.3.1, 5.5.1
PROFILE_ACCESS privilege, 3.5.1, 3.5.2.4, 5.5.1
program units
finding policy privileges for, F.1.2.8
policy privileges, E.7.14
propagated, D.1

R

RAC, D.1
read access
algorithm, 3.4.2, 3.5.2.2
introduction, 3.4.1.1
read label, 3.3.2
READ privilege, 3.5.1, 3.5.2.1, 5.5.1
READ_CONTROL option
algorithm, 3.4.2
and CHECK_CONTROL, 8.1.6.3
and child rows, 8.3.3
definition, 8.1.3, 8.1.4
referential integrity, 8.4.4
with other options, 8.1.9
with predicates, 8.6.1
reading down, 3.4.2
referential integrity, 8.3.3, 8.4.4, 8.5
registering Oracle Label Security, 4.1.1
releasability, 13.2
remote users, 11.2
REPADMIN account, 11.6.1.1, 11.6.3.1, 11.6.3.2
replication
materialized views (snapshots), 11.6.1.1, 11.6.3.2, 11.6.4
with Oracle Label Security, 11.6, 11.6.1.2
replication administrator, 11.6.3.1
restrictions, Oracle Label Security, F.2
row labels
default, 3.3.1.2, 3.3.1.3, 3.3.2, D.2, E.5, E.5.18, E.8.10
example, 3.2.3
finding current, E.8.8
in distributed environment, 11.3
inserting, 6.5.1
LABEL_DEFAULT option, 6.5, 8.1.6.1
privileges, 3.5.3
restoring, E.5.12
SA_USER_ADMIN.SET_ROW_LABEL procedure, E.7.15
SA_UTL.NUMERIC_ROW_LABEL function, E.8.8
SA_UTL.SET_ROW_LABEL procedure, E.8.10
saving defaults, E.5.16
setting, E.5.18, E.8.10
setting compartments, E.7.10
setting for current database session, E.8.10
setting for user’s initial use, E.7.15
setting groups, E.7.12
setting levels, E.7.13
understanding, 3.2.2
updating, 3.5.3
viewing, E.8.8

S

SA_AUDIT_ADMIN
procedures, listed, E.1
SA_AUDIT_ADMIN PL/SQL package
about, E.1
SA_AUDIT_ADMIN.AUDIT procedure, E.1.1
SA_AUDIT_ADMIN.AUDIT_LABEL procedure, E.1.2
SA_AUDIT_ADMIN.AUDIT_LABEL_ENABLED function, E.1.3
SA_AUDIT_ADMIN.CREATE_VIEW procedure, E.1.4
SA_AUDIT_ADMIN.DROP_VIEW procedure, E.1.5
SA_AUDIT_ADMIN.NOAUDIT procedure, E.1.6
SA_AUDIT_ADMIN.NOAUDIT_LABEL procedure, E.1.7
SA_COMPONENTS
procedures, listed, E.2
SA_COMPONENTS package, E.2
SA_COMPONENTS PL/SQL package
about, E.2
SA_COMPONENTS.ALTER_COMPARTMENT procedure, E.2.1
SA_COMPONENTS.ALTER_GROUP procedure, E.2.2
SA_COMPONENTS.ALTER_GROUP_PARENT procedure, E.2.3
SA_COMPONENTS.ALTER_LEVEL procedure, E.2.4
SA_COMPONENTS.CREATE_COMPARTMENT procedure, E.2.5
SA_COMPONENTS.CREATE_GROUP procedure, E.2.6
SA_COMPONENTS.CREATE_LEVEL procedure, E.2.7
SA_COMPONENTS.DROP_COMPARTMENT procedure, E.2.8
SA_COMPONENTS.DROP_GROUP procedure, E.2.9
SA_COMPONENTS.DROP_LEVEL procedure, E.2.10
SA_LABEL_ADMIN
procedures, listed, E.3
SA_LABEL_ADMIN PL/SQL package
about, E.3
SA_LABEL_ADMIN.ALTER_LABEL procedure, E.3.1
SA_LABEL_ADMIN.CREATE_LABEL procedure, E.3.2
SA_LABEL_ADMIN.DROP_LABEL procedure, E.3.3
SA_POLICY_ADMIN
procedures, listed, E.4
SA_POLICY_ADMIN PL/SQL package
about, E.4
SA_POLICY_ADMIN.ALTER_SCHEMA_POLICY procedure, E.4.1
SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY procedure, E.4.2
SA_POLICY_ADMIN.APPLY_TABLE_POLICY procedure, E.4.3
SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY procedure, E.4.4
SA_POLICY_ADMIN.DISABLE_TABLE_POLICY procedure, E.4.5
SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY procedure, E.4.6
SA_POLICY_ADMIN.ENABLE_TABLE_POLICY procedure, E.4.7
SA_POLICY_ADMIN.POLICY_SUBSCRIBE procedure, E.4.8
SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE procedure, E.4.9
SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY procedure, E.4.10
SA_POLICY_ADMIN.REMOVE_TABLE_POLICY procedure, E.4.11
SA_SESSION
procedures and functions, listed, E.5
SA_SESSION PL/SQL package
about, E.5
SA_SESSION.COMP_READ function, E.5.1
SA_SESSION.COMP_WRITE function, E.5.2
SA_SESSION.GROUP_READ function, E.5.3
SA_SESSION.GROUP_WRITE function, E.5.4
SA_SESSION.LABEL function, E.5.5
SA_SESSION.MAX_LEVEL function, E.5.6
SA_SESSION.MAX_READ_LABEL function, E.5.7
SA_SESSION.MAX_WRITE_LABEL function, E.5.8
SA_SESSION.MIN_LEVEL function, E.5.9
SA_SESSION.MIN_WRITE_LABEL function, E.5.10
SA_SESSION.PRIVS function, E.5.11
SA_SESSION.RESTORE_DEFAULT_LABELS procedure, E.5.12
SA_SESSION.ROW_LABEL function, E.5.13
SA_SESSION.SA_USER_NAME function, E.5.15
SA_SESSION.SAVE_DEFAULT_LABELS procedure, E.5.16
SA_SESSION.SET_ACCESS_PROFILE procedure, E.5.15, E.5.17
SA_SESSION.SET_LABEL procedure, E.5.14
and SA_SESSION.RESTORE_DEFAULT_LABELS, E.5.12
SA_SESSION.SET_ROW_LABEL procedure, E.5.18
SA_SYSDBA
procedures, listed, E.6
SA_SYSDBA PL/SQL package
about, E.6
SA_SYSDBA.ALTER_POLICY procedure, E.6.1
SA_SYSDBA.CREATE_POLICY procedure, E.6.2
SA_SYSDBA.DISABLE_POLICY procedure, E.6.3
SA_SYSDBA.DROP_POLICY procedure, E.6.4
SA_SYSDBA.ENABLE_POLICY procedure, E.6.5
SA_USER_ADMIN package
administering stored program units, E.7.14
overview, 2.2
procedures, listed, E.7
SA_USER_ADMIN PL/SQL package
about, E.7
SA_USER_ADMIN.ADD_COMPARTMENTS procedure, E.7.1
SA_USER_ADMIN.ADD_GROUPS procedure, E.7.2
SA_USER_ADMIN.ALTER_COMPARTMENTS procedure, E.7.3
SA_USER_ADMIN.ALTER_GROUPS procedure, E.7.4
SA_USER_ADMIN.DROP_ALL_COMPARTMENTS procedure, E.7.5
SA_USER_ADMIN.DROP_ALL_GROUPS procedure, E.7.6
SA_USER_ADMIN.DROP_COMPARTMENTS procedure, E.7.7
SA_USER_ADMIN.DROP_GROUPS procedure, E.7.8
SA_USER_ADMIN.DROP_USER_ACCESS procedure, E.7.9
SA_USER_ADMIN.SET_COMPARTMENTS procedure, E.7.10
SA_USER_ADMIN.SET_DEFAULT_LABEL procedure, E.7.11
SA_USER_ADMIN.SET_GROUPS procedure, E.7.12
SA_USER_ADMIN.SET_LEVELS procedure, E.7.13
SA_USER_ADMIN.SET_PROG_PRIVS procedure, E.7.14
SA_USER_ADMIN.SET_ROW_LABEL procedure, E.7.15
SA_USER_ADMIN.SET_USER_LABELS procedure, E.7.16
SA_USER_ADMIN.SET_USER_PRIVS procedure, E.7.17
SA_UTL package
dominance functions, B.1.3.7
overview, 9.3
procedures and functions, listed, E.8
SA_UTL PL/SQL package
about, E.8
SA_UTL.CHECK_LABEL_CHANGE function, E.8.1
SA_UTL.CHECK_READ function, E.8.2
SA_UTL.CHECK_WRITE function, E.8.3
SA_UTL.DATA_LABEL function, E.8.4
SA_UTL.GREATEST_LBOUND function, E.8.5
SA_UTL.LEAST_UBOUND function, E.8.6
SA_UTL.NUMERIC_LABEL function, E.8.7
SA_UTL.NUMERIC_ROW_LABEL function, E.8.8
SA_UTL.SET_LABEL procedure, E.8.9
SA_UTL.SET_ROW_LABEL procedure, E.8.10
schemas
applying policies to, 8.1.9, E.6.1
default policy options, E.6.2
restrictions on shared, F.2.5
session labels
changing, E.5.14
computed, 3.3.2
distributed database, 11.3
example, 3.2.3
finding, E.8.7
OCI interface, B.3
restoring to default, E.5.12
SA_UTL.SET_LABEL, E.8.9
saving defaults, E.5.16
setting compartments, E.7.10
setting groups, E.7.12
setting user initial, E.7.11
understanding, 3.2.1
sessions
compartments readable by user, E.5.1
compartments writeable by user, E.5.2
finding current OLS user, E.5.15
finding row label, E.5.13
finding security attributes for, F.1.2.33
finding session label number, E.8.7
finding session privileges, E.5.11
SA_SESSION package, E.5
SA_SESSION.COMP_READ function, E.5.1
SA_SESSION.COMP_WRITE function, E.5.2
SA_SESSION.GROUP_READ function, E.5.3
SA_SESSION.GROUP_WRITE function, E.5.4
SA_SESSION.LABEL function, E.5.5
SA_SESSION.MAX_LEVEL function, E.5.6
SA_SESSION.MAX_READ_LABEL function, E.5.7
SA_SESSION.MAX_WRITE_LABEL function, E.5.8
SA_SESSION.MIN_LEVEL function, E.5.9
SA_SESSION.MIN_WRITE_LABEL function, E.5.10
SA_SESSION.PRIVS, E.5.11
SA_SESSION.RESTORE_DEFAULT_LABELS procedure, E.5.12
SA_SESSION.ROW_LABEL function, E.5.13
SA_SESSION.SA_USER_NAME function, E.5.15
SA_SESSION.SAVE_DEFAULT_LABELS procedure, E.5.16
SA_SESSION.SET_ACCESS_PROFILE procedure, E.5.17
SA_SESSION.SET_LABEL procedure, E.5.14
SA_USER_ADMIN.SET_COMPARTMENTS procedure, E.7.10
SA_USER_ADMIN.SET_DEFAULT_LABEL procedure, E.7.11
SA_USER_ADMIN.SET_LEVELS procedure, E.7.13
SA_UTL.SET_LABEL procedure, E.8.9
SA_UTL.SET_ROW_LABEL procedure, E.8.10
saving default session label, E.5.16
setting label for, E.8.9
setting OLS privileges for user, E.5.17
setting row label for, E.8.10
SET_ACCESS_PROFILE procedure, F.2.5
SET_DEFAULT_LABEL procedure
inverse groups, 13.7.1, 13.8.7
SET_GROUPS procedure
inverse groups, 13.8.5
SET_LABEL procedure
definition, E.5
inverse groups, 13.7.2, 13.8.11
on remote database, 11.3
SET_PROG_PRIVS function, E.7.14
SET_ROW_LABEL procedure, 13.7.2.1, 13.7.2.2, E.5
inverse groups, 13.7.1, 13.7.2, 13.8.8, 13.8.12
SET_USER_LABELS procedure
inverse groups, 13.8.6
setting label for database session, E.8.9
shared schema restrictions, F.2.5
SQL*Loader, 12.3
STRICTLY_DOMINATED_BY function, B.1.3.10
STRICTLY_DOMINATES function, B.1.3.8
SYS account
policy enforcement, 8.1.10
SYS_CONTEXT
and labeling functions, 8.2.2
variables, B.3
SYSDBA privilege, 10.2
system privileges, 3.5.4, 3.5.5, 3.5.6

T

table rows
checking if user can read, E.8.2
checking if user can write to, E.8.3
SA_UTL.CHECK_READ function, E.8.2
SA_UTL.CHECK_WRITE function, E.8.3
TO_DATA_LABEL function, 6.5.5, E.3.2
TO_LBAC_DATA_LABEL function, 8.2.2
TO_LBAC_DATA_LABEL function, example of using, E.8.9
triggers, 8.2.2
trusted program units
about, 5.5.1
trusted stored program units
creating, 9.2.1
error handling, 9.2.5
example, 9.1.2
executing, 9.2.5
introduction, 9.1
privileges, 3.5.6, 9.2.5
re-compiling, 9.2.3
replacing, 9.2.4

U

unified audit trail, 10.4
UPDATE_CONTROL option, 8.1.3, 8.1.4, 8.4.2
updating labeled data, 8.4
user authorizations, E.7.7
adding for compartments, E.7.1
adding for groups, E.7.2
altering for compartments, E.7.3
altering for groups, E.7.4
compartments, 3.3.1.2, 5.4.4
dropping for all compartments, E.7.5
dropping for all groups, E.7.6
dropping for specified groups, E.7.8
groups, 3.3.1.3, 5.4.6
levels, 3.3.1.1, 5.4.2
removing all OLS privileges from user, E.7.9
SA_USER_ADMIN.SET_USER_PRIVS procedure, E.7.17
understanding, 3.3, 5.4.1
USER_SA_SESSION view, F.1.2.33
users
finding label-specific information of, F.1.2.12
finding level-specific information of, F.1.2.13
finding policy-specific privileges of, F.1.2.14
finding privileges of OLS users, F.1.2.11
LBACSYS default user account, 4.2
utilities
SA_UTL package, E.8

V

views
access mediation, 3.5.5
ALL_SA_AUDIT_OPTIONS, F.1.2.1
ALL_SA_COMPARTMENTS, F.1.2.2
ALL_SA_GROUPS, F.1.2.4
ALL_SA_LABELS, F.1.2.3, F.1.2.5
ALL_SA_LEVELS, F.1.2.6
ALL_SA_POLICIES, F.1.2.7
ALL_SA_PROG_PRIVS, F.1.2.8
ALL_SA_SCHEMA_POLICIES, F.1.2.9
ALL_SA_TABLE_POLICIES, F.1.2.10
ALL_SA_USER_LABELS, F.1.2.12
ALL_SA_USER_LEVELS, F.1.2.13
ALL_SA_USER_PRIVS, F.1.2.14
ALL_SA_USERS, F.1.2.11
DBA_OLS_STATUS, F.1.2.32
DBA_SA_AUDIT_OPTIONS, F.1.2.15
DBA_SA_COMPARTMENTS, F.1.2.16
DBA_SA_DATA_LABELS, F.1.2.17
DBA_SA_GROUP_HIERARCHY, F.1.2.19
DBA_SA_GROUPS, F.1.2.18
DBA_SA_LABELS, F.1.2.20
DBA_SA_LEVELS, F.1.2.21
DBA_SA_POLICIES, F.1.2.22
DBA_SA_PROG_PRIVS, F.1.2.23
DBA_SA_SCHEMA_POLICIES, 8.1.11, F.1.2.24
DBA_SA_TABLE_POLICIES, 8.1.11, F.1.2.25
DBA_SA_USER_COMPARTMENTS, F.1.2.27
DBA_SA_USER_GROUPS, F.1.2.28
DBA_SA_USER_LABELS, F.1.2.29
DBA_SA_USER_LEVELS, F.1.2.30
DBA_SA_USER_PRIVS, F.1.2.31
DBA_SA_USERS, F.1.2.26

W

write access
algorithm, 3.4.3, 3.5.2.2
introduction, 3.4.1
write label, 3.3.2
WRITE_CONTROL option
algorithm, 3.4.3
definition, 8.1.3, 8.1.4
introduction, 8.1.7.2
LABEL_UPDATE, 8.1.7.2
with INSERT, UPDATE, DELETE, 8.1.7.2
with other options, 8.1.9
WRITEACROSS privilege, 3.5.1, 3.5.3.3, 5.5.1, 8.1.3, 8.1.6.2, 8.4.2
WRITEDOWN privilege, 3.5.1, 3.5.3.2, 3.5.6, 5.5.1, 8.1.3, 8.1.6.2, 8.4.2
WRITEUP privilege, 3.5.1, 3.5.3, 3.5.3.1, 5.5.1