Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Oracle Label Security

Amazon RDS supports Oracle Label Security for Oracle Enterprise Edition, version 12c, through the use of the OLS option.

Most database security controls access at the object level. Oracle Label Security provides fine-grained control of access to individual table rows. For example, you can use Label Security to enforce regulatory compliance with a policy-based administration model. You can use Label Security policies to control access to sensitive data, and restrict access to only users with the appropriate clearance level. For more information, see Introduction to Oracle Label Security in the Oracle documentation.

Prerequisites for Oracle Label Security

The following are prerequisites for using Oracle Label Security:

  • Your DB instance must use the Bring Your Own License model. For more information, see Oracle Licensing.

  • You must have a valid license for Oracle Enterprise Edition with Software Update License and Support.

  • Your Oracle license must include the Label Security option.

Adding the Oracle Label Security Option

The general process for adding the Oracle Label Security option to a DB instance is the following:

  1. Create a new option group, or copy or modify an existing option group.

  2. Add the option to the option group.

  3. Associate the option group with the DB instance.

After you add the Label Security option, as soon as the option group is active, Label Security is active.

To add the Label Security option to a DB instance

  1. Determine the option group you want to use. You can create a new option group or use an existing option group. If you want to use an existing option group, skip to the next step. Otherwise, create a custom DB option group with the following settings:

    1. For Engine, choose oracle-ee.

    2. For Major Engine Version, choose 12.1.

    For more information, see Creating an Option Group.

  2. Add the OLS option to the option group. For more information about adding options, see Adding an Option to an Option Group.

    Important

    If you add Label Security to an existing option group that is already attached to one or more DB instances, all the DB instances are restarted.

  3. Apply the option group to a new or existing DB instance:
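The three steps above, scripted with the AWS CLI as an added example (not part of the original guide). The option group name and DB instance identifier are supplied by the caller, and the function names and the `force` argument are this example's own. `add_ols` refuses to change an option group that is already attached to DB instances, because those instances are restarted.

```bash
#!/usr/bin/env bash
# Added example: the three console steps above, driven through the AWS CLI.
# Usage (all names are the caller's own): ols.sh <option-group> <db-instance-id> [force]

# DB instances already attached to the option group. Per the Important note,
# every one of them restarts when OLS is added to the group.
attached_instances() {
  aws rds describe-db-instances --output text --query \
    "DBInstances[?OptionGroupMemberships[?OptionGroupName=='$1']].DBInstanceIdentifier"
}

# Step 1: reuse the option group if it exists, otherwise create it
# with the settings the procedure gives (oracle-ee, 12.1).
ensure_option_group() {
  aws rds describe-option-groups --option-group-name "$1" >/dev/null 2>&1 && return 0
  aws rds create-option-group --option-group-name "$1" \
    --engine-name oracle-ee --major-engine-version 12.1 \
    --option-group-description "Oracle Label Security (OLS)"
}

# Step 2: add OLS, refusing when instances would restart unless $2 is "force".
add_ols() {
  attached=$(attached_instances "$1")
  if [ -n "$attached" ] && [ "${2:-}" != "force" ]; then
    echo "refusing: adding OLS to $1 restarts: $attached" >&2
    return 2
  fi
  aws rds add-option-to-option-group --option-group-name "$1" \
    --options OptionName=OLS --apply-immediately
}

# Step 3: associate the option group with the DB instance.
attach_option_group() {
  aws rds modify-db-instance --db-instance-identifier "$2" \
    --option-group-name "$1" --apply-immediately
}

# Run the procedure only when called with arguments, so sourcing is side-effect free.
if [ "$#" -ge 2 ]; then
  set -eu
  ensure_option_group "$1"
  add_ols "$1" "${3:-}"
  attach_option_group "$1" "$2"
fi
```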

Using Oracle Label Security

To use Oracle Label Security, you create policies that control access to specific rows in your tables. For more information, see Creating an Oracle Label Security Policy in the Oracle documentation.

When you work with Label Security, you perform all actions as the LBAC_DBA role. The master user for your DB instance is granted the LBAC_DBA role. You can grant the LBAC_DBA role to other users so that they can administer Label Security policies.

You can configure Label Security through the Oracle Enterprise Manager (OEM) Cloud Control. Amazon RDS supports the OEM Cloud Control through the Management Agent option. For more information, see Oracle Management Agent for Enterprise Manager Cloud Control.

Removing the Oracle Label Security Option

You can remove Oracle Label Security from a DB instance.

To remove Label Security from a DB instance, do one of the following:

  • To remove Label Security from multiple DB instances, remove the Label Security option from the option group they belong to. This change affects all DB instances that use the option group. When you remove Label Security from an option group that is attached to multiple DB instances, all the DB instances are restarted. For more information, see Removing an Option from an Option Group.

  • To remove Label Security from a single DB instance, modify the DB instance and specify a different option group that doesn't include the Label Security option. You can specify the default (empty) option group, or a different custom option group. When you remove the Label Security option, a brief outage occurs while your DB instance is automatically restarted. For more information, see Modifying a DB Instance Running the Oracle Database Engine.

Troubleshooting

The following are issues you might encounter when you use Oracle Label Security.

Issue: When you try to create a policy, you see an error message similar to the following: insufficient authorization for the SYSDBA package.

Troubleshooting Suggestions: A known issue with Oracle's Label Security feature prevents users with usernames of 16 or 24 characters from running Label Security commands. You can create a new user with a different number of characters, grant LBAC_DBA to the new user, log in as the new user, and run the OLS commands as the new user. For additional information, please contact Oracle support.
