Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> Multiple OLS policy on a single table
        
(Message started by: Pete Finnigan on Jan 13th, 2008, 7:40pm)
Title: Multiple OLS policy on a single table
Post by Pete Finnigan on Jan 13th, 2008, 7:40pm
I have created an OLS policy and successfully implemented it on my five tables. Then I created one more OLS policy and tried to implement it on one of the five tables in addition to other policy. Second policy was also successfully created and applied to the table but when I tried to update the rows for the second policy it is not letting me update the rows with the data labels. Also after applying the second policy to the table, users who were able to access the data previously are no longer able to access data anymore. When I had only one policy on the table my users were able to access the data as they were supposed to. What am I doing wrong? I am stuck. I searched the forum for this but could not find any similar problem…. Please help me debug. If anything else is required, please let me know and I will try to provide it.

Thanks in advance…

I am putting my script here so it is easier to see what is going on. Here is my script:

EXEC sa_sysdba.create_policy ('DBSEC','Row_LBL','ALL_CONTROL');
EXEC sa_components.create_level ('DBSEC', 1001,'Public','Public Level');
EXEC sa_components.create_level ('DBSEC', 2001,'Sensitive','Sensitive Level');
EXEC sa_components.create_level ('DBSEC', 3001,'Confidential','Confidential Level');

EXEC sa_components.create_compartment ('DBSEC', 102,'HR', 'Human Resource');
EXEC sa_components.create_compartment ('DBSEC', 202,'SLS', 'Sales');
EXEC sa_components.create_compartment ('DBSEC', 302,'MRKT', 'Marketiing');

EXEC sa_components.create_group ('DBSEC', 40,'P','President');
EXEC sa_components.create_group ('DBSEC', 10,'MGR', 'Manager','P');
EXEC sa_components.create_group ('DBSEC', 20,'WEST','WEST_REGION','MGR');
EXEC sa_components.create_group ('DBSEC', 30,'EAST','EAST_REGION','MGR');

EXEC sa_label_admin.create_label('DBSEC', '10110','Public:SLS', TRUE);
EXEC sa_label_admin.create_label('DBSEC', '20220','Sensitive:SLS',TRUE);
EXEC sa_label_admin.create_label('DBSEC', '20330','Sensitive:HR,SLS:MGR', TRUE);
EXEC sa_label_admin.create_label('DBSEC', '20440','Confidential:HR,SLS:P',TRUE);
EXEC SA_POLICY_ADMIN.APPLY_TABLE_POLICY('DBSEC','db668a10','Employee',NULL);
EXEC SA_POLICY_ADMIN.APPLY_TABLE_POLICY('DBSEC','db668a10','Department',NULL);

BEGIN
SA_USER_ADMIN.SET_USER_LABELS
(policy_name => 'DBSEC',
user_name => 'President',
max_read_label => 'Confidential:HR,SLS:P');

SA_USER_ADMIN.SET_USER_LABELS
(policy_name => 'DBSEC',
user_name => 'Salesman1',
max_read_label => 'Public:SLS');
END;
/
EXEC SA_USER_ADMIN.SET_USER_PRIVS ('DBSEC','DB668A10','FULL,PROFILE_ACCESS');
conn db668a10/xyz
UPDATE Employee SET ROW_LBL = CHAR_TO_LABEL('DBSEC','Public:SLS') WHERE Dpt_NO = 40;
UPDATE Employee SET ROW_LBL = CHAR_TO_LABEL('DBSEC','Sensitive:HR,SLS:MGR') WHERE Dpt_NO = 10;
UPDATE Employee SET ROW_LBL = CHAR_TO_LABEL('DBSEC','Confidential:HR,SLS:P') WHERE Emp_ID = 10475;
UPDATE Department SET ROW_LBL = CHAR_TO_LABEL('DBSEC','Public:SLS') WHERE Dpt_NO = 40;
UPDATE Department SET ROW_LBL = CHAR_TO_LABEL('DBSEC','Confidential:HR,SLS:P') WHERE Dpt_NO = 10;

-- Second Policy
EXEC sa_sysdba.create_policy ('DOC','ROWLBL','ALL_CONTROL');
EXEC sa_components.create_level ('DOC', 4001,'Public','Public Level');
EXEC sa_components.create_level ('DOC', 5001,'Sensitive','Sensitive Level');
EXEC sa_components.create_level ('DOC', 6001,'Confidential','Confidential Level');
EXEC sa_components.create_compartment ('DOC', 502,'HR', 'Human Resource');
EXEC sa_label_admin.create_label('DOC', '20500','Public:HR', TRUE);
EXEC sa_label_admin.create_label('DOC', '20600','Sensitive:HR', TRUE);
EXEC SA_POLICY_ADMIN.APPLY_TABLE_POLICY('DOC','db668a10','Department',NULL);
BEGIN
SA_USER_ADMIN.SET_USER_LABELS
(policy_name => 'DOC',
user_name => 'HRmgr',
max_read_label => 'Sensitive:HR');
END;
/
EXEC SA_USER_ADMIN.SET_USER_PRIVS ('DOC','DB668A10','FULL,PROFILE_ACCESS');
conn db668a10/lakhmi8
UPDATE Department SET ROWLBL = CHAR_TO_LABEL('DOC','Public:HR') WHERE Dpt_NO = 10;

Here is the output I get after applying second policy:

SQL> UPDATE Department SET ROWLBL = CHAR_TO_LABEL('DOC','Public:HR') WHERE Dpt_NO = 10;

0 rows updated.

SQL> DESC Department;
Name                                      Null?    Type
----------------------------------------- -------- ----------------------------
DPT_NO                                             NUMBER(6)
DPT_NAME                                  NOT NULL CHAR(17)
MGR_ID                                             NUMBER(6)
HQ_CITY                                            CHAR(10)
ROW_LBL                                            NUMBER(10)
ROWLBL                                             NUMBER(10)


Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board