Oracle Database Vault can control the maximum allowable data for a label in a database session by merging the labels of Oracle Database Vault factors that are associated to an Oracle Label Security policy. In brief, a label acts as an identifier for the access privileges of a database table row. A policy is a name associated with the labels, rules, and authorizations that govern access to table rows. See Oracle Label Security Administrator's Guide for more information about row labels and policies.
Use the following steps to define factors that contribute to the maximum allowable data label of an Oracle Label Security policy:
Integrating Oracle Database Vault with Oracle Label Security
1. Log in to Oracle Database Vault Administrator using a database account granted with the DV_OWNER role.
At a minimum, you must have the DV_ADMIN role. "Starting Oracle Database Vault Administrator" on page 2-2 explains how to log in.
2. Make the user LBACSYS account an owner of the realm.
The LBACSYS account is created in Oracle Label Security if you installed that product using the custom installation option. Before you can create an Oracle Label Security policy for use with Oracle Database Vault, you must make LBACSYS an owner for the realm you plan to use. See "Defining Realm Authorization" on page 3-5 for more information.
3. In the Administration page, under Database Vault Feature Administration, click Label Security Integration.
4. In the Label Security Policies page:
■ To create a new label security policy, click Create.
■ To edit an existing label security policy, select it from the list and then click Edit.
5. Enter the following settings and then click OK:
■ General
■ Label Security Policy Factors
General
Under General, enter the following settings:
■ Label Security Policy: From the list, select the Oracle Label Security policy that you want to use.
■ Algorithm: Optionally change the label-merging algorithm for cases when Oracle Label Security has merged two labels. In most cases, you may want to select LII - Minimum Level/Intersection/Intersection. This setting is the most commonly used method that Oracle Label Security administrators use when they want to merge two labels.
For more information on these label-merging algorithms, see Oracle Label Security Administrator's Guide. If you want to use the DVSYS.DBMS_MACADM package to specify a merge algorithm, see Table E–67, " Merge Algorithm Codes" on page E-39 for a full listing of possible merge algorithms.
■ Label for Initialization Errors: Optionally enter a label for initialization errors.
The label specified for initialization errors is set when a configuration error or run-time error occurs during session initialization. You can use this setting to assign the session a data label that prevents access or updates to any data the policy protects until the issue is resolved.
Label Security Policy Factors
To select a factor to associate with an Oracle Label Security policy:
1. In the Available Factors list under Label Security Policy Factors, select the factor that you want to associate with the Oracle Label Security policy.
2. Click Move to move the factor to the Selected Factors list.
Integrating Oracle Database Vault with Oracle Label Security
After you associate a factor with an Oracle Label Security policy, you can label the factor identities using the labels for the policy. "Adding an Identity to a Factor" on page 4-8 provides detailed information.
Example of Integrating Oracle Database Vault with Oracle Label Security
You can use Oracle Database Vault factors in conjunction with Oracle Label Security and Oracle Virtual Private Database (VPD) technology to restrict access to sensitive data. You can restrict this data so that it is only exposed to a database session when the correct combination of factors exists, defined by the security administrator, for any given database session.
To demonstrate how you can integrate Oracle Database Vault with Oracle Label Security, assume that you must create the following access controls for your company:
■ Allow access to sensitive accounting data to database sessions that originate from the corporate Intranet
■ Prevent access to this data to database sessions that originate over the corporate VPN network
To do so, you can create a factor named Network, whose identity values are Intranet and Remote. These values are resolved based on values of a second factor, Client_IP, which stores the IP address of the computer making the connection. Because of the interdependency of the two factors, the Network factor is considered a parent factor and the Client_IP factor is its child factor. You establish this interdependency by creating an identity map. Then finally, you associate an Oracle Label Security label with the Intranet and Remote identities in Network.
To accomplish this, follow these steps:
■ Step 1: Create the Network Factor
■ Step 2: Create Identity Maps for the Network Intranet and Remote Identities
■ Step 3: Associate the Network Factor with an Oracle Label Security Policy
■ Step 4: Test the Configuration
Step 1: Create the Network Factor
First, create the Network factor:
1. In the Oracle Database Vault Administrator home page, select Factors.
2. In the Factors page, select Create.
3. In the Create Factors page, enter the following settings:
■ Name: Network
■ Description: Example factor for application access through network.
■ Factor Type: Physical
Note: You can select multiple factors by holding down the Ctrl key as you click each factor that you want to select.
Note: If you do not associate an Oracle Label Security policy with factors, then Oracle Database Vault maintains the default Oracle Label Security behavior for the policy.
Integrating Oracle Database Vault with Oracle Label Security
■ Factor Identification: By Factors
■ Evaluation: For Session.
■ Factor Labeling: By Self
■ Retrieval Method: Leave this field blank.
■ Validation Method: Leave this field blank.
4. Click OK.
The Network factor appears in the Factors page listing. Now you are ready to create its identities, Intranet and Remote.
5. In the Factors page, select Network and then click Edit.
6. In the Edit Factor page, go to the Identities section and click Create.
7. In the Create Identity page, enter the following settings:
■ Value: Intranet
■ Trust Level: Select Very Trusted.
■ Label Identity: EMPLOYEE_POLICY - HIGHLY_SENSITIVE
8. Click OK.
9. Repeat Step 6 and Step 7 to create the Remote identity, using the following settings:
■ Value: Remote
■ Trust Level: Select Trusted.
■ Label Identity: EMPLOYEE_POLICY - SENSITIVE
10. Click OK.
You do not need to create the Client_IP factor; it is supplied with Oracle Database Vault.
Step 2: Create Identity Maps for the Network Intranet and Remote Identities
Next, you are ready to create an identity map for each of the Network factor Intranet and Remote identities. This map links the Network and Client_IP factors, by
identifying the Network as the parent factor and Client_IP as its child factor.
First, create the identity map for the Intranet identity:
1. In the Factors page in Oracle Database Vault Administrator, select Network and then click Edit.
2. In the Edit Factor page, under Identities, select Intranet and then click Edit.
3. In the Edit Identity page, under Map Identity, click Create.
4. In the Create Identity Map page, enter the following settings:
■ Contributing Factor: Client_IP
■ Map Condition: Select Like. Then enter the following values:
– Low Value: 192.168.10%
– High Value: Leave this field blank.
5. Click OK.
Integrating Oracle Database Vault with Oracle Label Security
6. Create a second mapping by repeating Step 3 and Step 4, using the following settings:
■ Contributing Factor: Client_IP
■ Map Condition: Select Is Null. Then enter the following values:
– Low Value: NULL
– High Value: Leave this field blank.
The second mapping handles situations in which a user logs in from the database host computer, the Client_IP factor will be null.
The settings should appear as follows:
Next, create an identity map for the Remote identity by using the following settings:
■ Contributing Factor: Client_IP
■ Map Condition: Select Like. Then enter the following values:
– Low Value: 192.168.67%
– High Value: Leave this field blank.
Once you have completed this mapping, you can check the values for the Network factor by executing the following statement in SQL*Plus from a corporate and remote/VPN network connection or session:
SQL> SELECT dvf.f$network FROM dual
---Remote
Step 3: Associate the Network Factor with an Oracle Label Security Policy
Finally, you are ready to associate the Network factor with an Oracle Label Security policy.
Follow these steps:
1. In the Administration page, under Database Vault Feature Administration, click Label Security Integration.
2. In the Label Security Policies page, click Create.
3. In the Create Label Security Policy page, enter the following settings:
■ Label Security Policy: Select EMPLOYEE_POLICY.
■ Algorithm: Select LII - Minimum Level/Intersection/Intersection.
■ Label for Initialization Errors: Leave this setting blank.
■ Label Security Policy Factors: Select Network and click Move to move it to the Selected Factors list.
4. Click OK.
Step 4: Test the Configuration
To test this configuration, try logging on from both the local Intranet connection and a remote connection.
First, try the connection from the local Intranet connection. As you can see, you have access to all the records in HR.EMPLOYEES:
SQL> SELECT COUNT(*) FROM HR.EMPLOYEES;
COUNT(*)