5
Oracle Label Security Using Oracle Internet Directory

Managing Oracle Label Security metadata in a centralized LDAP repository provides many benefits. Policies and user label authorizations can be easily provisioned and distributed throughout the enterprise. In addition, when employees are terminated their label authorizations can be revoked in one place and the change automatically propagated throughout the enterprise. This chapter describes the integration between Oracle Label Security and Oracle Internet Directory, in the following sections:

• Introducing Label Management on Oracle Internet Directory
• Configuring Oracle Internet Directory-Enabled Label Security
• Oracle Label Security Profiles
• Integrated Capabilities When Label Security Uses the Directory
• Oracle Label Security Policy Attributes in Oracle Internet Directory
• Restrictions on New Data Label Creation
• Two Types of Administrators
• Bootstrapping Databases
• Synchronizing the Database and Oracle Internet Directory
• Security Roles and Permitted Actions
• Superseded PL/SQL Statements
• Procedures for Policy Administrators Only

Introducing Label Management on Oracle Internet Directory

Previous releases of Oracle Label Security have relied on the Oracle database as the central repository for policy and user label authorizations. This architecture leveraged the scalability and high availability of the Oracle database, but didn't leverage the identity management infrastructure, which includes the Oracle Internet Directory. This directory is part of Oracle's Identity Management Platform. Integrating your installation of Oracle Label Security with the Oracle Internet Directory allows label authorizations to be part of your standard provisioning process.

These advantages accrue also to directory-stored information about policies, user labels, and privileges that Oracle Label Security assigns to users. These labels and privileges are specific to the installation's policies defining access control on tables and schemas. (When a site is not using Oracle Internet Directory, then such information is stored locally in the database.)

The following Oracle Label Security information is stored in the directory:

Database-specific metadata is not stored in the directory. Examples include

The following three notes identify important aspects of integrating your installation of Oracle Label Security with Oracle Internet Directory:

For sites that use Oracle Internet Directory, databases retrieve Oracle Label Security policy information from the directory. Administrators use the olsadmintool policy administration tool to operate directly on the directory to insert, alter, or remove metadata as needed. Since enterprise users can log in to multiple databases using the credentials stored in Oracle Internet Directory, it is logical to store their Oracle Label Security policy authorizations and privileges there as well. An administrator can then modify these authorizations and privileges simply by updating these metadata in the directory. (Other aspects of managing enterprise users are done by the Enterprise Security Manager.)

For distributed databases, centralized policy management removes the need for replicating policies, since the appropriate policy information is available in the directory. Changes are effective without further effort, synchronized with policy information in the databases by means of the Directory Integration Platform.

Figure 5-1 illustrates the structure of metadata storage in Oracle Internet Directory.

Figure 5-2 illustrates applying different policies stored in Oracle Internet Directory to the databases accessed by different enterprise users. Determining the policy to be applied is controlled by the directory entries corresponding to the user and the accessed database.

Figure 5-1 Diagram of Oracle Label Security Metadata Storage in Oracle Internet Directory

Text description of the illustration aso-type.gif

Figure 5-2 Oracle Label Security Policies Applied through Oracle Internet Directory

Text description of the illustration policies.gif

In this example, the directory has information about two Oracle Label Security policies: Alpha, applying to database DB1, and Beta, applying to database DB2 Although both policies are known to each database, only the appropriate one is applied in each case. In addition, enterprise users who are to access rows protected by Oracle Label Security are listed in profiles within the Oracle Label Security attributes in Oracle Internet Directory.

As Figure 5-2 shows, the connections between different databases and the directory are established over either SSL or SASL. The database always binds to the directory as a known identity using password-based authentication. Links between databases and their clients (such as a sqlplus session, any PL/SQL programs , and so on) can use either SSL or non-SSL connections. The example of Figure 5-2 assumes that users are logged on through password authentication. The choice of connection type depends on the enterprise user model.

The Oracle Label Security policy administration tool operates directly on metadata in Oracle Internet Directory. Changes in the directory are then propagated to the Directory Integration Platform (DIP) Server, which is configured to send changes to the databases at specific time intervals.

The databases update the policy information in Oracle Internet Directory only when policies are being applied to tables or schemas. These updates ensure that policies that are in use will not be dropped from the directory.

Configuring Oracle Internet Directory-Enabled Label Security

You can configure a database for OID-enabled Label Security at any time after database creation or during custom database creation. OID-enabled label security relies on the Entrerprise User security feature.

Registering a Database and Configuring OID-enabled OLS

To achieve this goal, do the following major tasks:

Task 1. Configure Your Oracle Home for Directory Usage.

Task 2 : Configure the Database for OID-Enabled OLS

1. Register your database in the directory using DBCA (Database Configuration Assistant).

   See Also: Oracle Advanced Security Administrator's Guide

2. After your database is registered in the directory, configure Label Security:
   1. Start DBCA, select Configure database options in a database, and choose Next.
   2. Select a database and choose Next.
   3. Regarding the option of unregistering the database or keeping it registered, select Keep the database registered.
   4. If the database is registered with OID, the Database options screen shows a customize button beside the Label Security checkbox: Select the Label Security option and click Customize.
   5. This customize dialog has two configuration options, for standalone OLS or for OID-enabled OLS. Click OID-enabled Label security configuration and enter the OID credentials of an appropriate administrator. Click Ok.
   6. Continue with the remaining DBCA steps and click Finish when it appears.

      Notes: You can configure a standalone OLS on a database that is registered with OID: choose the standalone option in step e.

When configuring for OID-enabled OLS, DBCA also does the following things in addition to registering the database:

1. Creates a provisioning profile for propagating Label Security policy changes to to the database. This Directory Integration Platform (DIP) provisioning profile is enabled by default.
2. Installs the required packages on the database side for OID-enabled OLS.
3. Bootstraps the database with all the existing Label Security policy information in the OID.

   See Also: Bootstrapping Databases for more information.

Alternate Method for Task 2, Configuring Database for OID-Enabled OLS

Registering the database and configuring OLS can be done in one invocation of DBCA.

1. Start DBCA.
2. Select Configure database options in a database and choose Next.
3. Select a database and choose Next.
4. Click Register the database.
5. Enter the OID credentials of an appropriate administrator, and the corresponding password for the database wallet that will be created.
6. The Database options screen shows a Customize button beside the Label Security checkbox. Select the Label Security option and click Customize.

   The Customize dialog appears, showing two configuration options, for standalone OLS or for OID-enabled OLS.

7. Click OID-enabled Label security configuration.
8. Continue with the remaining DBCA steps and click Finish when it appears.

Task3: Set the DIP Password and Connect Data

1. Use the command line tool oidprovtool to set the password for the DIP user and update the interface connect information in the DIP provisioning profile for that database with the new password.

   See: Directory Integration Platform (DIP) Provisioning Profiles for more details.

2. Upon creation, the DIP profile uses a schedule value of 3600 seconds by default, meaning that Oracle Label Security changes are propagated to the database every hour. You can use oidprovtool to change this value if deployment considerations require that.

Once the the database is configured for OID-enabled OLS, further considerations regarding enterprise user security may apply.

Unregistering a Database with OID-enabled OLS

To perform this task, you use DBCA, which does the following things:

1. Deletes the DIP provisioning profile for the database created for OLS.
2. Installs the required packages for standalone OLS, so that at the end of unregistration, OID-enabled OLS becomes standalone OLS.

   Note: Specific instructions for DB unregistration appear in the Oracle Advanced Security Administrator's Guide. No special steps are required when OID-enabled OLS is configured.

   Note: If a database has standalone OLS, it cannot be converted to OID-enabled OLS. You need to drop OLS from the database and then use DBCA again to configure OID-enabled OLS.

Oracle Label Security Profiles

A user profile is a set of user authorizations and privileges. Profiles are maintained as part of each Oracle Label Security policy stored in the Directory.

If a user is added to a profile, he acquires the authorizations and privileges defined in that profile for that particular policy, which include the following attributes:

• Five label authorizations:
  • maximum read label
  • maximum write label
  • minimum write label
  • default read label
  • default row label
• Privileges
• The list of enterprise users to whom these authorizations apply

  See Also: Oracle Label Security Policy Attributes in Oracle Internet Directory For more infomation on creating and managing enterprise users, see Chapter 13 of the Oracle Advanced Security Administrator's Guide

An enterprise user can belong to only one profile, or none.

Integrated Capabilities When Label Security Uses the Directory

The integration of Oracle Label Security and Oracle Internet Directory enables the following capabilities:

• User/administrator actions
  • Storing multiple Oracle Label Security policies in Oracle Internet Directory
  • Managing Oracle Label Security policies and options in the directory, including
    • creating or dropping a policy
    • changing policy options
    • changing audit settings
  • Creating label components for any Oracle Label Security policies by
    • creating or removing levels, compartments, or groups
    • assigning numeric values to levels, compartments, or groups
    • changing long names of levels, compartments, or groups
    • creating children groups
  • Managing enterprise users configured as users of any Oracle Label Security policies, including
    • assigning or removing enterprise users to/from profiles within policies
    • assigning policy-specific privileges to enterprise users, or removing them
    • changing policy label authorizations assigned to enterprise users
  • Managing all user/administrator actions and capabilities by means of an integrated set of command line tools that monitor and manage Oracle Label Security policies in Oracle Internet Directory.
• Automatic results of Oracle Label Security
  • Limiting database policy usage to directory-defined policies only (no local policies defined or applied)
  • Synchronizing changes to policies in the directory with the databases using Oracle Label Security (to apply after enterprise users reconnect)
  • After changes are propagated by the Directory Integration Platform, having immediate access to enterprise users' Oracle Label Security attributes when these users log on to any database using Oracle Label Security, assuming they are configured within any Oracle Label Security policies. These attributes include users' label authorizations and users' privileges.

Oracle Label Security Policy Attributes in Oracle Internet Directory

In Oracle Internet Directory, Oracle-related metadata is stored under cn=OracleContext. Within Label Security, each policy holds the information and parameters shown in Table 5-1:

When Oracle Label Security is used without Oracle Internet Directory, it supports automatic creation of data labels by means of a label function. However, when Oracle Label Security is used with Oracle Internet Directory, such functions can create labels only using data labels that are already defined in the directory.

Table 5-1 Contents of Each Policy  

Type of Entry	Contents	Meaning/Sample Usage/References
Policy Name	The name assigned to this policy at its creation	Used in olsadmintool commands such as olsadmintool createpolicy (see Appendix B)
Column Name	The name of the column that will hold the label values relevant to this policy	Column is added to database: See Chapter 4 (The Policy Label Column and Label Tags & Inserting Labeled Data); & The HIDE Policy Column Option in Chapter 8; & Appendix B. Used in olsadmintool createpolicy
Enforcement Options	Any combination of the following entries: LABEL_DEFAULT, LABEL_UPDATE, CHECK_CONTROL, READ_CONTROL, WRITE_CONTROL, INSERT_CONTROL, DELETE_CONTROL, UPDATE_CONTROL, ALL_CONTROL, or NO_CONTROL	See the discussions in Chapter 8 and Appendix B. Used in olsadmintool createpolicy and olsadmintool alterpolicy
Options	Enabled: TRUE or FALSE, Type: ACCESS or SESSION, Success: SUCCESSFUL, UNSUCCESSFUL, or BOTH.	Used in olsadmintool audit
Levels	Name and number for each level	Used in olsadmintool create/alter/droplevel
Compartments	Name and number for each compartment	Used in olsadmintool create/alter/drop compartment
Groups	Name, number, and parent for each group	Used in olsadmintool create/alter/dropgroup
Profiles	Maximum and default read labels, maximum and minimum write labels, default row label, list of users, and a set of privileges from this list: READ, FULL, WRITEUP, WRITEDOWN, WRITEACROSS, PROFILE_ACCESS, or COMPACCESS	Policies can have one or more profiles, each of which can be assigned to many users. Profiles reduce the need to set up label authorizations for individual users. All users with the same set of labels and privileges are grouped in a single profile. Each profile represents a different set of labels, privileges, and users. Each profile in a policy is unique.
Data Labels	Full name and number for each valid data label	See Restrictions on New Data Label Creation.
Administrators	Name of each administrator authorized to modify the parameters within this policy.	Policy administrators can modify parameters within a policy. They are not necessarily also policy creators, who have the right to create or remove policies or policy administrators: See Security Roles and Permitted Actions.

Restrictions on New Data Label Creation

When Oracle Label Security is used with Oracle Internet Directory, data labels must be pre-defined in the directory.

They cannot be created "on the fly" by a label function, as is possible when label security is not integrated with the directory.

Two Types of Administrators

Administrators listed within a policy are those individuals authorized to do the following policy-specific administrative tasks:

• Modify existing policy options and audit settings.
• Enable or disable auditing for a policy.
• Create or remove levels, compartments, groups or children groups.
• Modify full/long names for levels, compartment, or groups.
• Define or modify enterprise user settings, in this policy, for:
  • Privileges
  • Maximum or minimum levels
  • Read, write, or row access for levels, compartments, or groups
  • Label profiles
• Remove enterprise users from a policy.

There is a higher level of administrators, called policy creators, who can create and remove Oracle Label Security policies and the policy administrators named within them.

Bootstrapping Databases

After a new database is registered with Oracle Internet Directory (OID), the administrator can install OID-enabled Oracle Label Security (OLS) on that database. This installation process automatically creates a Directory Integration Platform (DIP) provisioning profile enabling policy information to be periodically refreshed in the future by downloading it to the database. See Directory Integration Platform (DIP) Provisioning Profiles.

When configuring the database for OID enabled OLS, the DBCA tool puts all the policy information in OID into the database. At any point, the administrator can decide to bootstrap the database with the policy information again, using the bootstrap utility script at $ORACLE_HOME/bin/olsoidsync. The parameters it requires are as follows:

olsoidsync --dbtnsname <database TNS name> --dbuser <database user> 
--dbuserpassword <database user password> [-c] [-r]
[-b <admin context>] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

For example, 

olsoidsync --dbtnsname db1 --dbuser lbacsys
--dbuserpassword lbacsys -c
-b 'ou=Americas,o=Oracle,c=US' -h yippee -D cn=policycreator -w welcome1

The olsoidsync command pulls policy information from OID and populates the information in the database. Users must provide the database TNS name, the database username, the database user's password, the administrative context (if any), the OID hostname, the bind DN and bind password, and optionally the OID port number.

The optional "-c" switch causes the command to drop all the existing policies in the database and refresh it with policy information from OID.

The optional "-r" switch causes the command to drop all the policy metadata (without dropping the policies themselves) and refresh the policies with new metadata from OID.

Without these two switches, the command will only create new policies from OID, and will halt on any errors encountered during the refresh.

Synchronizing the Database and Oracle Internet Directory

Oracle Label Security metadata in the directory is synchronized with the databases using the Oracle Directory Provisioning Integration Service of the Directory Integration Platform.

Changes to the label security data in the directory are conveyed by the provisioning integration service in the form of provisioning events. A software agent receives these events and generates appropriate SQL or PL/SQL statements to update the database. After these statements are executed, Oracle Label Security data dictionaries are updated to match the changes already made in the directory.

Oracle Label Security subscribes itself to the Provisioning Integration Service automatically during installation. The provisioning service stores the information associated with each database in the form of a provisioning profile. The software agent uses the identity of the user "DIP" to connect to the database, and the password "DIP", when synchronizing the changes in OID with the database.

If the password for the user DIP is changed, that information needs to be updated in the provisioning profile of the provisioning integration service.

The steps to change the database connection information in the DIP profile are as follows:

1. Disable the provisioning profile. (This temporarily stops the propagation of label security changes in directory to the database, but no data is lost. Once the profile is enabled, any label security changes that happened in the directory since the profile was disabled are synchronized with the database.)
2. Update the database connection information in the profile.
3. Enable the profile.

   Note: The database character set must be compatible with Oracle Internet Directory (OID) for OID-enabled Oracle Label Security (OLS) to work correctly. Only then can there be successful synchronization of the Label Security metadata in OID with the Database. Please refer to Chapters 2 and 3 of Oracle Database Globalization Support Guide for more information on Character sets and Globalization Support parameters.

   See Also: Disabling, Changing, and Enabling a Provisioning Profile Please refer to Chapter 29 of the Oracle Internet Directory Administrator's Guide for more information on enabling and disabling of provisioning profiles.

Directory Integration Platform (DIP) Provisioning Profiles

The DIP server synchronizes policy changes in the directory with the connected databases, using a separate DIP provisioning profile created for each database. This profile is created automatically as part of the installation process for OID-enabled Oracle Label Security. The administrator can use the provisioning tool oidprovtool to modify the password for a database profile, using the script $ORACLE_HOME/bin/oidprovtool. Each such profile contains the following information:

Table 5-2 Elements in a DIP Provisioning Profile  

Element	Name for This Element When Invoking oidprovtool
The LDAP host name	ldap_host
The LDAP port number	ldap_port
The user DN and password to bind to OID to retrieve policy information	ldap_user ldap_user_password
The database DN	application_dn
The organization DN, that is, the administrative context in which changes are being made	organization_dn
The callback function to be invoked, that is, LBACSYS.OLS_DIP_NTFY	interface_name
The database connect information, which is the hostname of the database, the port number used to connect to the database, the database SID, the database user name and password	interface_connect_info
Event subscriptions, including all MODIFY, ADD and DELETE events under cn=LabelSecurity in OID	operation
The time interval between synchronizations	schedule

Here is an example of using oidprovtool, followed by an explanation of the parameters in this example:

oidprovtool operation=modify ldap_host=yippee ldap_port=389
ldap_user=cn=defense_admin ldap_user_password=welcome1
application_dn='cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US'
organization_dn='ou=Americas,o=Oracle,c=US' interface_name=LBACSYS.OLS_DIP_NTFY 
interface_type=PLSQL interface_connect_info=yippee:1521:db1:dip:newdip 
schedule=60 event_subscription= 
'ENTRY:cn=LabelSecurity,cn=Products,cn=OracleContext, 
ou=Americas,o=Oracle,c=US:ADD(*)' event_subscription= 
'ENTRY:cn=LabelSecurity,cn=Products, cn=OracleContext,ou=Americas, 
o=Oracle,c=US:MODIFY(*)' event_subscription='ENTRY:cn=LabelSecurity,cn=Products, 
cn=OracleContext, ou=Americas,o=Oracle,c=US:DELETE'

This sample oidprovtool command creates and enables a new DIP provisioning profile with the following attributes:

• OID in host yippee using port 389
• OID user bind DN: cn=defense_admin with password welcome1
• Database DN: cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US
• Organization DN (administrative context): ou=Americas,o=Oracle,c=US
• Database on host yippee, listening on port 1521
• Oracle SID: db1
• Database user: dip with new password newdip
• Interval to synchronize directory with connected databases : 60 seconds
• All the ADD, MODIFY and DELETE events under cn=LabelSecurity to be sent to DIP

To start the DIP server, use $ORACLE_HOME/bin/oidctl. For example:

oidctl server=odisrv connect=db2 config=0 instance=0 start

This command will start the DIP server by connecting to db2 (the OID database) with config set 0 and instance number 0.

Disabling, Changing, and Enabling a Provisioning Profile

You can change the password for the interface_connect_info, which is the database password, by using the oidprovtool modify command, but first you must disable the profile. After changing the password, you then re-enable the profile.

You can disable the Oracle Label Security provisioning profile using oidprovtool, specifying simply the disable operation and the first six original parameters shown here. (The other original parameters are not needed.) The command form is:

oidprovtool operation=disable ldap_host=< > ldap_port=< > ldap_user_dn=< >  
   ldap_user_password=< > application_dn=< >  organization_dn=< >

Using parameters from the example given in the previous section, this command would look like this:

oidprovtool operation=disable ldap_host=yippee ldap_port=389

ldap_user=cn=defense_admin ldap_user_password=welcome1 
application_dn='cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US'
organization_dn='ou=Americas,o=Oracle,c=US'

To modify the password in the connection information, use the oidprovtool command, specifying the modify operation, the first six original parameters, and the new DIPuser password given in the connection info. The command form is:

oidprovtool operation=modify  ldap_host=< > ldap_port=< >

ldap_user_dn=< >  ldap_user_password=< > application_dn=< >
organization_dn=< >   interface_connect_info=< new_connect _info >

Using parameters from the example given in the previous section, this command would look like this:

oidprovtool operation=modify ldap_host=yippee ldap_port=389

ldap_user=cn=defense_admin ldap_user_password=welcome1
application_dn='cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US' 
organization_dn='ou=Americas,o=Oracle,c=US' 
interface_connect_info=yippee:1521:db1:dip:NewestDIPpassword 

Similarly, you can re-enable the Directory Integration Platform provisioning profile using oidprovtool as follows, again specifying simply the desired operation and the first six original parameters. (The other original parameters are not needed.) The command form is:

oidprovtool operation=enable  ldap_host=< > ldap_port=< >  ldap_user_dn=< >  

ldap_user_password=< > application_dn=< >   organization_dn=< >

Again using parameters from the example given in the previous section, this command would look like this:

oidprovtool operation=enable ldap_host=yippee ldap_port=389 

ldap_user=cn=defense_admin ldap_user_password=welcome1 
application_dn='cn=db1,cn=OracleContext,ou=Americas,o=Oracle,c=US' 
organization_dn='ou=Americas,o=Oracle,c=US'

Security Roles and Permitted Actions

To manage Oracle Label Security policies in Oracle Internet Directory, certain entities are given access control rights in the directory. The access control mechanisms are provided by Oracle Internet Directory.

Table 5-3 describes, in abstract terms, these entities and the tasks they are enabled to perform.

Table 5-4, "Access Levels Allowed by Users in OID", lists the specific access level operations permitted or disallowed for policy creators, policy administrators, and label security users.

Table 5-3 Tasks That Certain Entities Can Perform

Entity	Tasks This Entity Can Perform
Policy creators	Create new (or delete existing) policies; create new (or remove existing) policy administrators.
Policy administrators	For Policies: modify existing policy options and audit settings; enable or disable auditing for a policy. For Label components: create, modify, or remove levels, compartments and groups, such as by changing their full or long names or (for groups) by creating or deleting their children groups. For enterprise users: remove enterprise users from a policy; modify enterprise users' maximum or minimum levels, their read, write, and row access for compartments or groups, their privileges for a policy, and their label profiles

Table 5-4 Access Levels Allowed by Users in OID

Entries	Policy Creators	Policy Administrators	Databases
cn=Policies	can modify	no access	no access
cn=Admins,cn=Policy1	can modify	no access	no access
uniqueMember: cn=Policy1	can browse	can browse	can modify
cn=PolicyCreators	no accessFoot 1	no access	no access
cn=Levels,cn=Policy1	can browse and delete	can modify	no access
cn=Compartments,cn=Policy1	can browse and delete	can modify	no access
cn=Groups,cn=Policy1	can browse and delete	can modify	no access
cn=AuditOptions,cn=Policy1	can browse and delete	can modify	no access
cn=Profiles,cn=Policy1	can browse and delete	can modify	no access
cn=Labels,cn=Policy1	can browse and delete	can modify	no access
cn=DBServers	no accessFoot 2	no access	no access

1 The group cn=OracleContextAdmins is the owner of the group cn=PolicyCreators, hence members in cn=OracleContextAdmins can modify cn=PolicyCreators. 2 The group cn=OracleDBCreators is the owner of the group cn=DBServers, hence members in cn=OracleDBCreators can modify cn=DBServers.

Superseded PL/SQL Statements

When Oracle Internet Directory is enabled with Oracle Label Security, the procedures listed in Table 5-5 are superseded. Only LBACSYS is allowed to execute these procedures.

For some of the procedures listed in the table, the functionality they provided is replaced by the olsadmintool command named in the second column (and explained in Appendix B).

Table 5-5 Procedures Superseded by olsadmintool When Using Oracle Internet Directory  

Disabled Procedure	Replaced by olsadmintool Command
SA_SYSDBA.CREATE_POLICY	olsadmintool createpolicy
SA_SYSDBA.ALTER_POLICY	olsadmintool alterpolicy
SA_SYSDBA.DROP_POLICY	olsadmintool droppolicy
SA_COMPONENTS.CREATE_LEVEL	olsadmintool createlevel
SA_COMPONENTS.ALTER_LEVEL	olsadmintool alterlevel
SA_COMPONENTS.DROP_LEVEL	olsadmintool droplevel
SA_COMPONENTS.CREATE_COMPARTMENT	olsadmintool createcompartment
SA_COMPONENTS.ALTER_COMPARTMENT	olsadmintool altercompartment
SA_COMPONENTS.DROP_COMPARTMENT	olsadmintool dropcompartment
SA_COMPONENTS.CREATE_GROUP	olsadmintool creategroup
SA_COMPONENTS.ALTER_GROUP	olsadmintool altergroup
SA_COMPONENTS.ALTER_GROUP_PARENT	olsadmintool altergroup
SA_COMPONENTS.DROP_GROUP	olsadmintool dropgroup
SA_USER_ADMIN.SET_LEVELS	None
SA_USER_ADMIN.SET_COMPARTMENTS	None
SA_USER_ADMIN.SET_GROUPS	None
SA_USER_ADMIN.ADD_COMPARTMENTS	None
SA_USER_ADMIN.ALTER_COMPARTMENTS	None
SA_USER_ADMIN.DROP_COMPARTMENTS	None
SA_USER_ADMIN.DROP_ALL_COMPARTMENTS	None
SA_USER_ADMIN.ADD_GROUPS	None
SA_USER_ADMIN.ALTER_GROUPS	None
SA_USER_ADMIN.DROP_GROUPS	None
SA_USER_ADMIN.DROP_ALL_GROUPS	None
SA_USER_ADMIN.SET_USER_LABELS	olsadmintool createprofile; olsadmintool adduser; olsadmintool dropprofile; olsadmintool dropuser;
SA_USER_ADMIN.SET_DEFAULT_LABEL	None
SA_USER_ADMIN.SET_ROW_LABEL	None
SA_USER_ADMIN.DROP_USER_ACCESS	olsadmintool dropuser
SA_USER_ADMIN.SET_USER_PRIVS	olsadmintool createprofile; olsadmintool adduser; olsadmintool dropprofile; olsadmintool dropuser;
SA_AUDIT_ADMIN.AUDIT	olsadmintool audit
SA_AUDIT_ADMIN.NOAUDIT	olsadmintool noaudit
SA_AUDIT_ADMIN.AUDIT_LABEL	None
SA_AUDIT_ADMIN.NOAUDIT_LABEL	None

Procedures for Policy Administrators Only

The following procedures are allowed to be executed only by policy administrators (enterprise users defined in Oracle Internet Directory):

• SA_POLICY_ADMIN.APPLY_SCHEMA_POLICY
• SA_POLICY_ADMIN.APPLY_TABLE_POLICY
• SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY
• SA_POLICY_ADMIN.DISABLE_TABLE_POLICY
• SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY
• SA_POLICY_ADMIN.ENABLE_TABLE_POLICY
• SA_POLICY_ADMIN.GRANT_PROG_PRIVS
• SA_POLICY_ADMIN.POLICY_SUBSCRIBE
• SA_POLICY_ADMIN.POLICY_UNSUBSCRIBE
• SA_POLICY_ADMIN.REMOVE_SCHEMA_POLICY
• SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
• SA_POLICY_ADMIN.SET_PROG_PRIVS
• SA_POLICY_ADMIN.REVOKE_PROG_PRIVS