It does not indicate a parent-child relationship, or greater or less sensitivity. The numeric form does not indicate any kind of ranking. The numeric form of the group can range from 0 to 9999, and it must be unique for each policy. Table 2-7 Forms of Specifying Groups Form Figure 2-2, "Label Matrix" shows how compartments can be used to categorize data. When you analyze the sensitivity of data, you may find that some compartments are only useful at specific levels. For example, you can specify HIGHLY_SENSITIVE and CONFIDENTIAL levels with no compartments, and a SENSITIVE level that does contain compartments. Not all labels need to have compartments. Oracle Label Security permits defining up to 10,000 compartments. A label can contain zero or more compartments. The long form of the compartment name can have up to 80 characters. Compartments are optional. By contrast, if the number assigned to the FINCL compartment were 5, the character string format of the label would look like this: The display order follows the order of the numbers assigned to the compartments: 45 is lower than 65, and 65 is lower than 85. When this label is displayed in string format, it looks like this: For example, assume a label is created that has all three compartments listed in Table 2-4, and a level of SENSITIVE. Instead, it controls the display order of the short form compartment name in the label character string. The numeric form of the compartment does not indicate greater or less sensitivity. It is unrelated to the numbers used for the levels. The numeric form can range from 0 to 9999. Table 2-5 Forms of Specifying Compartments Form If only levels are used, a level 40 user (in this example) can access or alter any data row whose level is 40 or less. Other sets of levels that users commonly define include TOP_SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED or TRADE_SECRET, PROPRIETARY, COMPANY_CONFIDENTIAL, PUBLIC_DOMAIN.
When users manipulate the labels, they use only the short form of the component names. The short form can contain up to 30 characters. Although the administrator defines both long and short names for the level (and for each of the other label components), only the short form of the name is displayed upon retrieval. The long form of the level name can contain up to 80 characters. You can then insert additional levels between two preexisting levels, at a later date. A good strategy is to use even increments (such as 50 or 100) between levels. In Table 2-2, 40 (HIGHLY_SENSITIVE) is a higher level than 30, 20, and 10. Administrators should avoid using sequential numbers for the numeric form of levels. Sensitivity is ranked by this numeric value, so you must assign higher numbers to levels that are more sensitive, and lower numbers to levels that are less sensitive. The numeric form of the level can range from 0 to 9999. Table 2-3 Forms of Specifying Levels Form The administrator can choose to display or hide this column. When an Oracle Label Security policy is applied to a database table, a column is added to the table to contain each row's label. Policy privileges are covered in Chapter 8, "Administering User Labels and Privileges". The particular type of access, such as reading or writing the data, is covered in Chapter 3, "Understanding Access Controls and Privileges". Note that the discussion here concerns access to data. Users can be given specific rights (privileges) to perform special operations or to access data beyond their label authorizations. Each user is assigned a range of levels, compartments, and groups, and each session can operate within that authorized range to access labeled data within that range.
A data row label indicates the level and nature of the row's sensitivity and specifies the additional criteria that a user must meet to gain access to that row. A user label specifies that user's sensitivity level plus any compartments and groups that constrain the user's access to labeled data.