Oracle英文版培訓(xùn)課件之Security：L14-ImpletmentOLS

ImplementingOracleLabelSecurityObjectivesAftercompletingthislesson,youshouldbeabletoimplementasimpleOracleLabelSecuritypolicyby:CreatingpoliciesDefininglabelsSettingupuserauthorizationsApplyingpoliciestotablesImplementingtheOracleLabel

SecurityPolicyThestepstoimplementanOracleLabelSecuritysolutionare:1. Developastrategytounderstandthesecurityproblem.2. Analyzethedatalevelsintheapplication3. Createpolicies.4. Definelabels.5. Assignuserauthorizations.6. Applypolicies.7. Reviewanddocumentyourpolicydecisions.(hidden)AnalyzingtheNeedsIdentifyapplicationtablesthatneedOracleLabelSecurity:MajorityofthetablesdonotrequireOracleLabelSecurity.Useexistingtoolswhenpossible.DonotapplyOracleLabelSecuritytoeverything.Identifyimportantapplicationquerieswherepossible.Discretionaryaccesscontrol(DAC)issufficientformosttables:DatabaserolesSecureapplicationrolesStoredproceduresandfunctionsCreatingPoliciesCreatethepolicytocontainthelabelinformation:PolicynameisFACILITY.PolicylabelcolumnisFACLAB.BEGINSA_SYSDBA.CREATE_POLICY(POLICY_NAME=>'FACILITY',COLUMN_NAME=>'FACLAB',DEFAULT_OPTIONS=>'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');END;DefiningLabels:OverviewLabelshavethreeparts:LevelGroupCompartmentEachpartmustbedefined.Thelabelisdefinedonthebasisofthecombinationsoftheparts.DefiningLevelsPPUBLIC100CCONFIDENTIAL200SSENSITIVE300HSHIGHLY_SENSITIVE400ShortFormLongFormNumericFormThedatalevelissettoSENSITIVE.Theselevelsarepartofthelabelthatisassignedtousersanddata.CreatingLevelsBEGINSA_COMPONENTS.CREATE_LEVEL(POLICY_NAME=>'FACILITY',LEVEL_NUMBER=>'100',SHORT_NAME=>'P',LONG_NAME=>'PUBLIC');END;DefiningGroupsNumericFormLongFormShortFormParent1000WESTERN_REGIONWR1100WR_SALESWR_SALWR1200WR_FINANCEWR_FINWR1210WR_ACCT_PAYABLEWR_APWR_FINThegroupisWR_FINANCE.ThedatalabelshowsWR_FINinthelevel:compartment:group

groupfield.CreatingGroupsBEGINSA_COMPONENTS.CREATE_GROUP(POLICY_NAME=>'FACILITY',GROUP_NUMBER=>'1000',SHORT_NAME=>'WR_SAL',LONG_NAME=>'WR_SALES',PARENT_NAME=>'WR');END;DefiningCompartmentsNumericFormLongFormShortForm85FinancialFIN65ChemicalCH45OperationsOPCompartmentsareOP,CH,andFIN.ThesecondfieldinthedatalabelshowsOP,CH,andFIN.CreatingCompartmentsBEGINSA_COMPONENTS.CREATE_COMPARTMENT(POLICY_NAME=>'FACILITY',COMP_NUMBER=>'85',SHORT_NAME=>'FIN',LONG_NAME=>'Financial');END;IdentifyingDataLabelsTheadministratorcreatesasetofdatalabelsthatareactuallyusedfromthecomponentsalreadydefined.LEVEL:COMPARMENT:GROUP

----------------------------------------------SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGIONCONFIDENTIAL:FINANCIAL:WR_SALESSENSITIVE::HIGHLY_SENSITIVE:FINANCIAL:

SENSITIVE::WESTERN_REGION

CreatingDataLabelsBEGINSA_LABEL_ADMIN.CREATE_LABEL(POLICY_NAME=>'FACILITY',LABEL_TAG=>'201000',LABEL_VALUE=>'S::WR');END;AssigningUserAuthorizationLabelsAuserisassigned:MaximumandminimumlabelsAdefaultsessionlabelArowlabelforinsertsBEGINSA_USER_ADMIN.SET_USER_LABELS(

POLICY_NAME=>'FACILITY',

USER_NAME=>'MYCO_MGR',

MAX_READ_LABEL=>'S::US,EU,ASIA');END;(hidden)AccessMediationUsersessionlabelRowdatalabelSQLrequestAccessmediationSQLresultsAdministeringLabelsUsingOraclePolicyManager,theadministratorcan:DefineandmanagelabelsApplypolicytotablesorschemasAssignlabelstousersSetuserlabelprivilegesAddingLabelstoDataLabelsaredefinedbytheadministrator.Accessmediationrequiresallrowstohavelabels.Labelsaresetonrows.Policy-EnforcementOptionsAccess-controlenforcement:READ_CONTROLWRITE_CONTROLLabel-managementenforcement:LABEL_DEFAULTLABEL_UPDATECHECK_CONTROLOptionstooverrideenforcement:ALL_CONTROLNO_CONTROLApplyingthePolicytoaTableAddtheFACILITYpolicytotheLOCATIONStable.TABLE_OPTION=>NULLimpliesthatthepolicydefaultoptionsareused.BEGINSA_POLICY_ADMIN.APPLY_TABLE_POLICY(POLICY_NAME=>'FACILITY',SCHEMA_NAME=>'HR',TABLE_NAME=>'LOCATIONS',TABLE_OPTIONS=>NULL,LABEL_FUNCTION=>NULL);END;OracleLabelSecurityPrivileges

OracleLabelSecuritysupportstheseprivilegesthatallowauthorizeduserstobypasscertainpartsofthepolicy:READFULLCOMPACCESSSET_ACCESS_PROFILEExample:READPrivilegeLabeleddatarowsUserLabelAuthorizationsNoneREADprivilegeSELECTAllrowsreturnedExample:FULLPrivilegeLabeleddatarowsUserLabelAuthorizationsAnyFULLprivilegeAnyDMLAllrowsaffectedExample:COMPACCESSPrivilegeLabeleddatarowsUserLabelAuthorizationsCompartment=OPCOMPACCESSprivilegeDatalabelCompartment=OP,Group=AnyUsingSET_ACCESS_PROFILETheSA_SESSION.SET_ACCESS_PROFILEfunctioninOracleLabelSecurity:AllowsanapplicationsessiontoassumeadifferentOracleLabelSecurityauthorizationIsusedwhenapplicationusersdonothaverealdatabaseaccountsNote:UserswhoareassignedOracleLabelSecurityauthorizationsdonotneedtoberealdatabaseusers.SQL>connectappuser/mypasswordSQL>executeset_access_profile(‘finance’,’team1’);TrustedStoredPackageUnitsTocreateatrustedstoredpackageunit,youmust:GranttheOracleLabelSecurityprivilegestoaprogramunitHavethespecialpolicy_DBAroleUseOPMortheSA_USER_ADMINpackagetograntprivilegesSQL>EXECUTESA_USER_ADMIN.SET_PROG_PRIVS(-2>POLICY_NAME=>‘HR’,-3>SCHEMA_NAME=>’MYSCHEMA’,-4>PROGRAM_UNIT_NAME=>’SUM_PURCHASES’,-5>PRIVILEGE=>’READ’);ExportingwithOracleLabelSecurityOnlyrowswithlabelsauthorizedforre