Oracle Label Security
Amazon RDS supports Oracle Label Security for the Enterprise Edition of Oracle Database through the use of the OLS option.
Most database security controls access at the object level. Oracle Label Security provides fine-grained control of access to individual table rows. For example, you can use Label Security to enforce regulatory compliance with a policy-based administration model. You can use Label Security policies to control access to sensitive data, and restrict access to only users with the appropriate clearance level. For more information, see Introduction to Oracle Label Security.
Prerequisites for Oracle Label Security
Familiarize yourself with the following prerequisites for Oracle Label Security:
- Your DB instance must use the Bring Your Own License model. For more information, see RDS for Oracle licensing options.
- You must have a valid license for Oracle Enterprise Edition with Software Update License and Support.
- Your Oracle license must include the Label Security option.
- You must be using the non-multitenant (non-CDB) database architecture. For more information, see Single-tenant configuration of the CDB architecture.
Adding the Oracle Label Security option
The general process for adding the Oracle Label Security option to a DB instance is the following:
1. Create a new option group, or copy or modify an existing option group.
2. Add the option to the option group.
   Important: Oracle Label Security is a permanent and persistent option.
3. Associate the option group with the DB instance.
After you add the Label Security option, as soon as the option group is active, Label Security is active.
To add the label security option to a DB instance
1. Determine the option group you want to use. You can create a new option group or use an existing option group. If you want to use an existing option group, skip to the next step. Otherwise, create a custom DB option group with the following settings:
   - For Engine, choose oracle-ee.
   - For Major engine version, choose the version of your DB instance.
   For more information, see Creating an option group.
2. Add the OLS option to the option group. For more information about adding options, see Adding an option to an option group.
   Important: If you add Label Security to an existing option group that is already attached to one or more DB instances, all the DB instances are restarted.
3. Apply the option group to a new or existing DB instance:
   - For a new DB instance, you apply the option group when you launch the instance. For more information, see Creating an Amazon RDS DB instance.
   - For an existing DB instance, you apply the option group by modifying the instance and attaching the new option group. When you add the Label Security option to an existing DB instance, a brief outage occurs while your DB instance is automatically restarted. For more information, see Modifying an Amazon RDS DB instance.
Using Oracle Label Security
To use Oracle Label Security, you create policies that control access to specific rows in your tables. For more information, see Creating an Oracle Label Security policy.
When you work with Label Security, you perform all actions as the LBAC_DBA role. The master user for your DB instance is granted the LBAC_DBA role. You can grant the LBAC_DBA role to other users so that they can administer Label Security policies.
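The following SQL is an added example, not code from the AWS documentation or from Oracle's own samples. It builds a minimal Label Security policy end to end: a policy with three sensitivity levels, the policy applied to a constructed HR.EMPLOYEES table, rows labeled at each level, and two application users given different clearances so that the rows each user can see differ. Run it connected as a user holding LBAC_DBA (the RDS master user). The policy, level, label, schema, table and user names (hr_policy, HR.EMPLOYEES, ALICE, BOB, ADMIN) are assumptions; the users ALICE and BOB are assumed to exist already. The `/` lines are SQL*Plus / SQLcl block terminators.

```sql
-- Added example (not from the AWS page or Oracle samples): minimal OLS policy.
-- Assumed names: policy hr_policy, table HR.EMPLOYEES, users ADMIN, ALICE, BOB.

-- 1. Create the policy. OLS adds the label column HR_LABEL to every table the
--    policy is applied to; READ_CONTROL and WRITE_CONTROL enforce on reads
--    and writes respectively.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'hr_policy',
    column_name     => 'hr_label',
    default_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/

-- 2. Define an ordered set of levels (higher number = more sensitive).
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('hr_policy', 10, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('hr_policy', 20, 'CONF', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('hr_policy', 30, 'SENS', 'SENSITIVE');
END;
/

-- 3. Create the data labels rows can carry (numeric tag, label string).
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('hr_policy', 1000, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('hr_policy', 2000, 'CONF');
  SA_LABEL_ADMIN.CREATE_LABEL('hr_policy', 3000, 'SENS');
END;
/

-- 4. A constructed table to protect, then apply the policy to it.
CREATE TABLE hr.employees (
  emp_id   NUMBER PRIMARY KEY,
  emp_name VARCHAR2(100),
  salary   NUMBER
);

BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'hr_policy',
    schema_name   => 'HR',
    table_name    => 'EMPLOYEES',
    table_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/

-- 5. WRITE_CONTROL applies to the administrator too, so give the user that
--    seeds the data (assumed here to be ADMIN; use your master user name)
--    the FULL privilege under this policy before inserting labeled rows.
BEGIN
  SA_USER_ADMIN.SET_USER_PRIVS('hr_policy', 'ADMIN', 'FULL');
END;
/

INSERT INTO hr.employees (emp_id, emp_name, salary, hr_label)
  VALUES (1, 'Public Person',       50000, CHAR_TO_LABEL('hr_policy', 'PUB'));
INSERT INTO hr.employees (emp_id, emp_name, salary, hr_label)
  VALUES (2, 'Confidential Person', 70000, CHAR_TO_LABEL('hr_policy', 'CONF'));
INSERT INTO hr.employees (emp_id, emp_name, salary, hr_label)
  VALUES (3, 'Sensitive Person',    90000, CHAR_TO_LABEL('hr_policy', 'SENS'));
COMMIT;

-- 6. Clearances: ALICE may read up to CONF, so the SENS row is invisible to
--    her; BOB may read up to SENS and sees all three rows.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('hr_policy', 'ALICE', 'CONF');
  SA_USER_ADMIN.SET_USER_LABELS('hr_policy', 'BOB',   'SENS');
END;
/

-- 7. Verification query, run while connected as ALICE (expect 2 rows) and
--    again as BOB (expect 3 rows).
SELECT emp_id, emp_name, LABEL_TO_CHAR(hr_label) AS row_label
FROM   hr.employees
ORDER  BY emp_id;

-- 8. Audit views for reviewing what the policy currently covers and who
--    holds which clearance.
SELECT policy_name, schema_name, table_name, status
FROM   dba_sa_table_policies;

SELECT policy_name, user_name, user_labels
FROM   dba_sa_user_labels;
```

The point of step 5 is easy to miss in practice: holding LBAC_DBA lets you administer the policy, but it does not by itself authorize you to write rows under a policy that has WRITE_CONTROL enabled, so a seeding script run as the master user fails until the user is given a policy privilege or a suitable write label.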
For the following releases, make sure to grant access to the OLS_ENFORCEMENT package to any new users who require access to Oracle Label Security:
- Oracle Database 19c using the non-CDB architecture
- Oracle Database 12c Release 2 (12.2)
To grant access to the OLS_ENFORCEMENT package, connect to the DB instance as the master user and run the following SQL statement, replacing username with the name of the user:
GRANT ALL ON LBACSYS.OLS_ENFORCEMENT TO username;
You can configure Label Security through the Oracle Enterprise Manager (OEM) Cloud Control. Amazon RDS supports the OEM Cloud Control through the Management Agent option. For more information, see Oracle Management Agent for Enterprise Manager Cloud Control.
Removing the Oracle Label Security option (not supported)
Starting with Oracle Database 12c Release 2 (12.2), Oracle Label Security is a permanent and persistent option. Because the option is permanent, you can't remove it from an option group. If you add Oracle Label Security to an option group and associate it with your DB instance, you can later associate a different option group with your DB instance, but this group must also contain the Oracle Label Security option.
Troubleshooting
The following are issues you might encounter when you use Oracle Label Security.
Issue | Troubleshooting suggestions |
---|---|
When you try to create a policy, you see an error message similar to the following: | A known issue with Oracle's Label Security feature prevents users with usernames of 16 or 24 characters from running Label Security commands. You can create a new user with a different number of characters, grant LBAC_DBA to the new user, log in as the new user, and run the OLS commands as the new user. For additional information, please contact Oracle support. |
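As an added example (not part of the AWS page), the SQL below first lists existing accounts whose names are exactly 16 or 24 characters long, which is the check to run before blaming a policy error on anything else, and then applies the workaround described above: a replacement Label Security administrator with a name of a different length. The user name OLS_ADMIN, its password, and the choice to also grant OLS_ENFORCEMENT (required on 19c non-CDB and 12.2 per the section above) are assumptions; run it connected as the master user.

```sql
-- Added example (not from the AWS page). Assumed names: OLS_ADMIN and its
-- placeholder password.

-- Which existing accounts hit the known 16- or 24-character name length?
SELECT username, LENGTH(username) AS name_len, account_status
FROM   dba_users
WHERE  LENGTH(username) IN (16, 24)
ORDER  BY username;

-- Workaround: an administrator whose name avoids those lengths
-- ('OLS_ADMIN' is 9 characters). Replace the placeholder password.
CREATE USER ols_admin IDENTIFIED BY "ReplaceThisPassword1";
GRANT CREATE SESSION TO ols_admin;
GRANT LBAC_DBA TO ols_admin;

-- Needed on Oracle Database 19c (non-CDB) and 12.2 as the section above notes.
GRANT ALL ON LBACSYS.OLS_ENFORCEMENT TO ols_admin;

-- Confirm the new administrator holds the role before switching to it.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  grantee = 'OLS_ADMIN' AND granted_role = 'LBAC_DBA';
```

Reconnect as OLS_ADMIN to run the policy commands; the original account keeps its other privileges and can be left in place or locked according to your own account-management practice.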