Policy Manager

[leonard905]

Hi,

Any pros and cons in using policy manager for row level security? Any performance tips.

thanks,

[jmodic]

It is only a management tool, nothing else. It can't have any performance impact whatsoever - it is totaly irrelevant if you manage security policies by this tool or manualy by using DBMS_RLS. The optimizer will never know which method you used!

[gopi]

Probably more info than you asked for but:

I use Policy Manager all the time...when I was learning OLS, I insisted upon myself to learn the code first and see the effect in the graphical.....I also use P/M to drop stuff although I also have code too. The more I become Knowledgeable using code, the more I like to use the grapgical because I want to be in control of my database and not depend on a user interface. The pro is that it is easy to use....the con is that you don't learn the code.

I know you didn't ask for it but here is some code, run it as LBACSYS and then see the effect in the P/M....of course change the schema, tables and objects to your own.


--PART I (SQL Plus)
exec SA_SYSDBA.drop_policy('WMS_DETAILS');
-- Create the POLICY
BEGIN
SA_SYSDBA.create_policy(policy_name=>'WMS_DETAILS',
column_name => 'wms_label',default_options => 'ALL_CONTROL,HIDE');
END;
/
grant wms_details_dba to scott, prod_owner;
/
-- SYSTEM should not have to worry about OLS!
exec sa_user_admin.set_user_privs ('WMS_DETAILS','SYSTEM','full');
-- create the LEVELs
exec sa_components.create_level('WMS_DETAILS',500,'SEN','SENSITIVE');
exec sa_components.create_level('WMS_DETAILS',300,'INT','INTERMEDIATE');
exec sa_components.create_level('WMS_DETAILS',100,'GEN','GENERAL');
/
--I don't use compartments in my OLS algorithm
--create groups
exec sa_components.create_group('WMS_DETAILS',450,'L450','CUST1');
exec sa_components.create_group('WMS_DETAILS',460,'L460','CUST2');
exec sa_components.create_group('WMS_DETAILS',500,'L500','CUST3');
-- Now protect the tables
BEGIN
SA_POLICY_ADMIN.APPLY_TABLE_POLICY (
POLICY_NAME => 'WMS_DETAILS',
SCHEMA_NAME => 'prod_owner',
TABLE_NAME => 'CUSTOMER_INFORMATION',
TABLE_OPTIONS => 'ALL_CONTROL,HIDE',
LABEL_FUNCTION => NULL, PREDICATE => NULL);
END;
/

--PART III -- set the user level label
exec sa_user_admin.set_user_labels('WMS_DETAILS','SCOTT','GEN::L500','GEN::L500','GEN','GEN::L500','GEN:: L500');


You should look in Policy Manager after each command to see it's effect.

[jmodic]

Funny thread, I belive few comments are required....

- leonard905 was asking about usage of Policy Manager to manage RLS (Row Level Security)
- I was giving some comments about that (mostly irrelevant/inacurate, see below)
- gopi was talking about using Policy Manager to manage OLS (Oracle Label Security)

Few facts, just to avoid some possible confusion:
- OLS and RLS are two totaly different concepts
- Policy Manager can only be used to manage OLS, not for RLS !!!! (thats why I said my previous comments were irrelevant/inacurate - I discovered that only uppon further checking in manuals)
- Policies in RLS can only be managed manualy using DBMS_RLS API, at least for current Oracle releases

So the conclusion:
- leonard905's original question makes no sence
- my reply makes even less sence
- gopis reply makes sence, however it is irrelevant in the context of the original question


Go figure...

[gopi]

ooops..

I guess this thread is not a candidate for "thread of the month"