Oracle Label Security, Part 2: Implementation - Page 2
September 18, 2003
The Scenario: Sales Force Administration
Now that OLS is installed, it is time to turn attention to demonstrating its powerful features. In this and following articles, I will use OLS to illustrate how to implement the following business functional requirements for a new sales force administration application.
Let's assume that a growing company based in the United States has decided to formalize the management of its sales force along geographic boundaries:
So far, this looks like a fairly standard implementation for a sales force. We know that database objects are needed to store information about the Regions and Districts that make up the sales force. It is the next set of requirements that make OLS an attractive option:
To demonstrate these requirements for the new Sales Administration system:
A Sample OLS Implementation
Now that we have a realistic sample schema and sufficient data loaded to illustrate, let's turn our attention to applying OLS to these objects. OLS provides several packages that allow me to create and maintain the objects that enforce its security. Except where otherwise noted in the following examples, I will be running scripts from the OLS administrator login (LBACSYS).
Creating a New Security Policy
My first step is to establish an OLS security policy. This policy will encompass all of the OLS settings and assignments that will enforce the security. Via the SA_SYSDBA.CREATE_POLICY function, I will create a new policy named SADM (Sales Administration), and I will specify the name of the column (SADM_LBL) that will be added to each table that I will need to secure. For the sake of security, I will also tell the security policy to hide the SADM_LBL from the prying eyes of developers or more advanced users who might be writing queries against database tables.
See Listing 2.1 for the script used to create the security policy.
Creating Security Components: Levels, Compartments, and Groups
Now that I have created the security policy, my next step is to create the necessary components for enforcement.
First, I will create a set of security levels that specify the sensitivity of the data being protected. OLS allows me to specify:
Via the OLS package procedure SA_COMPONENTS.CREATE_LABEL, here are the security levels I have set up for this policy:
See Listing 2.2 for the script used to create the security levels.
Next, I will create a set of security compartments. Compartments are used to restrict access to data by area, independent of the sensitivity level. OLS allows me to specify:
Here are the security compartments I have set up for this policy using the OLS package procedure SA_COMPONENTS.CREATE_COMPARTMENT:
See Listing 2.3 for the script used to create the security compartments.
Finally, I will create a set of security groups. Groups are used to limit data access to the owners of the data; they can also store hierarchical relationships. OLS allows me to specify:
Via the OLS package procedure SA_COMPONENTS.CREATE_GROUP, I've set up the following security groups for this policy:
See Listing 2.4 for the script used to create the security groups.
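Listings 2.1 through 2.4 are not reproduced on this page, so the following is an added example, not the article's own listings, that carries the four steps (policy, levels, compartments, groups) through as one PL/SQL script run from the LBACSYS login. The policy name SADM, the column name SADM_LBL and the HIDE option come from the text; the level, compartment and group names and their numbers are constructed for illustration. The levels are created with SA_COMPONENTS.CREATE_LEVEL, the compartments with SA_COMPONENTS.CREATE_COMPARTMENT and the groups with SA_COMPONENTS.CREATE_GROUP; the closing queries against the LBACSYS-owned DBA_SA_* views let you confirm what OLS actually recorded.

```sql
-- Added example (not the article's Listings 2.1-2.4). Run as LBACSYS.
-- Policy SADM and column SADM_LBL are from the article; every level,
-- compartment and group below is a constructed sample.

-- Step 1: create the policy. HIDE makes SADM_LBL a hidden column, so it is
-- omitted from SELECT * and DESCRIBE on every table the policy is applied to.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'SADM',
    column_name     => 'SADM_LBL',
    default_options => 'HIDE');
END;
/

BEGIN
  -- Step 2: levels. A larger level_num is more sensitive; a user's maximum
  -- level must be at or above a row's level for the row to be visible.
  SA_COMPONENTS.CREATE_LEVEL('SADM', 1000, 'PUB',  'Public');        -- constructed
  SA_COMPONENTS.CREATE_LEVEL('SADM', 2000, 'INT',  'Internal');      -- constructed
  SA_COMPONENTS.CREATE_LEVEL('SADM', 3000, 'CONF', 'Confidential');  -- constructed

  -- Step 3: compartments. A user must hold every compartment that appears
  -- on a row's label to read that row, regardless of level.
  SA_COMPONENTS.CREATE_COMPARTMENT('SADM', 10, 'SLS', 'Sales');      -- constructed
  SA_COMPONENTS.CREATE_COMPARTMENT('SADM', 20, 'FIN', 'Finance');    -- constructed

  -- Step 4: groups. Ownership by geography; a parent_name makes the
  -- hierarchy explicit so authorization for a region covers its districts.
  SA_COMPONENTS.CREATE_GROUP('SADM', 100, 'EAST', 'Eastern Region');                       -- constructed
  SA_COMPONENTS.CREATE_GROUP('SADM', 110, 'NE',   'Northeast District', parent_name => 'EAST');
  SA_COMPONENTS.CREATE_GROUP('SADM', 120, 'SE',   'Southeast District', parent_name => 'EAST');
  SA_COMPONENTS.CREATE_GROUP('SADM', 200, 'WEST', 'Western Region');                       -- constructed
  SA_COMPONENTS.CREATE_GROUP('SADM', 210, 'NW',   'Northwest District', parent_name => 'WEST');
END;
/

-- Check: confirm the policy and its components as OLS stored them.
SELECT policy_name, column_name, status, policy_options
  FROM dba_sa_policies
 WHERE policy_name = 'SADM';

SELECT level_num, short_name, long_name
  FROM dba_sa_levels
 WHERE policy_name = 'SADM'
 ORDER BY level_num;

SELECT comp_num, short_name, long_name
  FROM dba_sa_compartments
 WHERE policy_name = 'SADM'
 ORDER BY comp_num;

SELECT group_num, short_name, parent_name
  FROM dba_sa_groups
 WHERE policy_name = 'SADM'
 ORDER BY group_num;
```

Two points worth checking in the output. First, HIDE only removes SADM_LBL from SELECT * and DESCRIBE; a user who knows the column name can still reference it explicitly, so hiding the column reduces exposure to casual browsing but is not itself an access control. Row-level enforcement comes from the read and write options applied when tables are registered with the policy, which later steps cover. Second, the numbers given to levels are what OLS compares, not the names, so leave gaps between level numbers (as above) to allow new levels to be inserted later without renumbering existing labels.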