Forum Stats

  • 3,839,355 Users
  • 2,262,485 Discussions


Oracle Label Security, SET_COMPARTMENTS

bb_as Member Posts: 13 Red Ribbon
edited Jun 11, 2021 6:16AM in Database Security - General


I'm trying to learn Oracle Label Security. I build a minimalist example with only one Level ('S' for standard), only one compartment ('DSP') and without groups.

There are two users, 'admin' and 'user'.

'admin' should have read/write access, 'user' should have read-only access.

Therefore I call SA_USER_ADMIN.SET_COMPARTMENTS like this:


     POLICY_NAME => 'mypolicy',

     USER_NAME  => 'admin',

     READ_COMPS => 'DSP',



The call for 'user' is almost the same, but without WRITE_COMPS, because he shouldn't have any write access. But he can write without problem! The OLS Admin guide says: "If write_comps are NULL, then they are set to the read_comps." This is totally confusing for me. Why does 'null' default to 'all'? How can I have a user without write access?

Bonus question: is the policy editor only available in Enterprise Edition, or also in Oracle 18 XE?