Re: Label security - Beginners question...

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: Wed, 6 Feb 2008 13:36:16 -0800 (PST)
Message-ID: <d66d6295-fcd1-46b2-b64f-80b65ec5ec99@d21g2000prf.googlegroups.com>


On Feb 5, 7:41 am, Volker Hetzer <firstname.lastn..._at_ieee.org> wrote:
> Mark D Powell wrote:
> > On Feb 4, 3:26 pm, Volker Hetzer <firstname.lastn..._at_ieee.org> wrote:
> >> Hi!
> >> After having seen a lot of three tier applications managing security outside
> >> the database we'd like, when designing our own app, use the database for this.
> >> So, every user is a database user, belongs to a department and can read and
> >> insert documents.
>
> [rest skipped]
>
> [reordered your answer a bit]
> > What is the full version of Oracle?
> Thanks for reminding me of the customs here! :-)
> We have a 10.2.0.3.0 enterprise edition running and think about
> starting with that.
>
> > Is the label a column in one of your tables or Oracle Label security,
>
> We think about using label security, although "row level security"
> would be a better term. So far a fixed label seems to create more problems
> than it solves. I'm still reading up on it and yesterday evening
> discovered something called "fine grained access control". It looks like a
> much better fit, with the predicate functions. I still have to play
> around with it a bit. But how does it work with DML? How would the policy
> modify an insert statement? Or does it evaluate the predicate with the
> values from the insert? Can I use :old and :new like with triggers?
>
> > which is an extra cost item?
>
> From what I've seen in the documentation it's part of the enterprise
> edition. The costly part is about encryption and non-password authentication
> stuff as far as I see. But we'll check explicitly with our contract guys.
> Anyway I'll ask about FGA too.
>
> > A coordinated subquery always has to know the outer table_name or
> > alias used in the SQL so why is that a problem?  Is your application
> > based on dynamic SQL?  From the description given I see no reason why
> > dynamic SQL would be necessary.
>
> You are right, it's not really necessary. During development errors are
> no problem and after that the main thing is that someone firing
> up sqlplus can't see the rows.
>
> Lots of Greetings!
> Volker
> --
> For email replies, please substitute the obvious.

Besides the Oracle RLS (row level security) feature, also called VPD, which is what Frank mentioned, do not forget that plain old views can often be used to good effect for security uses, along with application use and setting of roles, combined with having and following good policies on object privilege granting.

HTH -- Mark D Powell

Received on Wed Feb 06 2008 - 15:36:16 CST
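The DML question in the quoted text (how a VPD policy treats an INSERT, and whether :old/:new are available) and the "plain old views" point in the reply, worked as one added example; this is not code from either poster, and the APPSEC schema, the DOCUMENTS and USER_DEPARTMENTS tables, the DOC_DEPT_PREDICATE function and the APP_USER_ROLE role are assumed names.

```sql
-- Constructed schema (assumption): every application user is a database
-- user and USER_DEPARTMENTS maps that user to exactly one department.
CREATE TABLE appsec.user_departments (
  username VARCHAR2(30) NOT NULL PRIMARY KEY,
  dept_id  NUMBER       NOT NULL);

CREATE TABLE appsec.documents (
  doc_id  NUMBER        PRIMARY KEY,
  dept_id NUMBER        NOT NULL,
  title   VARCHAR2(200) NOT NULL);

-- VPD policy function: it only returns predicate text that Oracle appends
-- to each statement. It never sees the row being written, so there is no
-- :old/:new here; the session user is read from SYS_CONTEXT instead.
CREATE OR REPLACE FUNCTION appsec.doc_dept_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'dept_id IN (SELECT ud.dept_id FROM appsec.user_departments ud '
      || 'WHERE ud.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/

-- Attach the policy to all four DML types. For INSERT/UPDATE the predicate
-- cannot filter rows that do not exist yet, so update_check => TRUE makes
-- Oracle evaluate it against the new row values and reject a row that would
-- land in a department the session user does not belong to.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APPSEC',
    object_name     => 'DOCUMENTS',
    policy_name     => 'DOC_DEPT_POLICY',
    function_schema => 'APPSEC',
    policy_function => 'DOC_DEPT_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- The plain-view alternative: a department-filtered view with WITH CHECK
-- OPTION (inserts through it must satisfy the filter), with privileges
-- granted on the view only, never on the base table.
CREATE OR REPLACE VIEW appsec.my_documents AS
  SELECT d.doc_id, d.dept_id, d.title
    FROM appsec.documents d
   WHERE d.dept_id IN (SELECT ud.dept_id FROM appsec.user_departments ud
                        WHERE ud.username = SYS_CONTEXT('USERENV', 'SESSION_USER'))
  WITH CHECK OPTION;

GRANT SELECT, INSERT ON appsec.my_documents TO app_user_role;
```

With either approach a user who connects with sqlplus sees only their own department's rows, because the filter is enforced by the server rather than by the application tier.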
