Oracle® Label Security Administrator's Guide 11g Release 2 (11.2) Part Number E10745-01 |
|
|
View PDF |
This appendix discusses using Oracle Label Security in an Oracle Real Application Clusters (RAC) environment. It includes the following sections:
Using Oracle Label Security Policy Functions in an Oracle RAC Environment
Using Transparent Application Failover in Oracle Label Security
Policy changes made on one instance are available to other instances in the Oracle RAC immediately. It is not necessary to restart the other instances to pick up the changes.
Important changes made on one database instance are automatically propagated to the other instances. One example would be creating a new policy. Another would be altering the policy options.
Propagating such changes ensures two valuable protections:
That all users of the table are subject to the same policy
That if any instance fails, continuation of its work by other instances will use the same policies and parameters that were in force immediately prior to that failure. So, if a policy had been enabled or disabled, it would be seen as such in all instances.
If an administrator changes policy information in one instance by using the policy functions listed in Table C-1, Oracle Label Security stores the relevant information about whatever that function call changed. The new information is immediately available to the other active instances in the Oracle RAC, enabling uniformity among users of the affected policies.
Table C-1 Policy Functions Preserving Status in an Oracle RAC Environment
Policy Functions | Comments |
---|---|
sa_sysdba.create_policy() |
Creates a new policy |
sa_sysdba.drop_policy() |
Drops an existing policy |
sa_sysdba.enable_policy() |
Enables an existing policy |
sa_sysdba.disable_policy() |
Disables an existing policy |
sa_sysdba.alter_policy() |
Alters an existing policy |
Session information is preserved on Transparent Application Failover. Any changes to the session's information by way of session functions listed in Table C-2 are preserved on Transparent Application Failover.
For example, suppose a user Scott
is logged on with default label Top Secret
. If he calls sa_session.set_label() to change his session label to Secret
, and a failover to another instance occurs, he will see no change but his session label remains Secret
.
Preserving current user session information means that the access permissions and restrictions on what data that user can see or affect remain as they were. Despite the failover, the user can see and affect only the tables and rows accessible before the failover. If preservation were not the case, failing over to another instance could cause or enable the user to see a different set of data.
Whenever one of the session functions listed in Table C-2 is used, Oracle Label Security stores the relevant information about whatever was changed by that function call.
Table C-2 Session Functions Preserving Status in an Oracle RAC Environment