Oracle Label Security, SET_COMPARTMENTS

bb_as Member Posts: 13 Red Ribbon
edited Jun 11, 2021 6:16AM in Database Security - General

Hi,

I'm trying to learn Oracle Label Security. I built a minimalist example with only one level ('S' for standard), only one compartment ('DSP') and without groups.

There are two users, 'admin' and 'user'.

'admin' should have read/write access, 'user' should have read-only access.

Therefore I call SA_USER_ADMIN.SET_COMPARTMENTS like this:

SA_USER_ADMIN.SET_COMPARTMENTS(
     POLICY_NAME => 'mypolicy',
     USER_NAME   => 'admin',
     READ_COMPS  => 'DSP',
     WRITE_COMPS => 'DSP'
     );

The call for 'user' is almost the same, but without WRITE_COMPS, because he shouldn't have any write access. But he can write without a problem! The OLS Admin guide says: "If write_comps are NULL, then they are set to the read_comps." This is totally confusing for me. Why does 'null' default to 'all'? How can I have a user without write access?

Bonus question: is the policy editor only available in Enterprise Edition, or also in Oracle 18 XE?
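
An added example, not part of the original post: SA_USER_ADMIN.ADD_COMPARTMENTS takes an explicit access mode per compartment, so a read-only authorization can be granted without relying on the write_comps default of SET_COMPARTMENTS. It reuses the post's names ('mypolicy', 'user', 'DSP') and assumes that level 'S' is already authorized for the user, that the policy is applied to the table with write enforcement (WRITE_CONTROL or ALL_CONTROL), and that the user holds no OLS privilege such as FULL.

```sql
-- Added example; policy, user and compartment names are taken from the post.
-- Run as a user with the <policy>_DBA role (for the post's policy: MYPOLICY_DBA).
BEGIN
  -- Remove the compartment authorizations left by the earlier
  -- SET_COMPARTMENTS call, where a NULL write_comps was filled in
  -- from read_comps and therefore granted write access to DSP.
  SA_USER_ADMIN.DROP_ALL_COMPARTMENTS(
    policy_name => 'mypolicy',
    user_name   => 'user');

  -- Authorize DSP again, this time with an explicit read-only mode.
  SA_USER_ADMIN.ADD_COMPARTMENTS(
    policy_name => 'mypolicy',
    user_name   => 'user',
    comps       => 'DSP',
    access_mode => SA_UTL.READ_ONLY,  -- the alternative is SA_UTL.READ_WRITE
    in_def      => 'Y',               -- DSP is part of the default session label
    in_row      => 'N');              -- DSP is not part of the default row label
END;
/

-- Check what is now stored for both users of the policy.
-- RW_ACCESS is expected to differ between 'admin' and 'user'.
SELECT user_name, comp, rw_access, def_comp, row_comp
FROM   dba_sa_user_compartments
WHERE  UPPER(policy_name) = 'MYPOLICY'
ORDER  BY user_name, comp;

-- Write mediation is per row label: an UPDATE or DELETE is refused only
-- for rows whose label contains a compartment the user cannot write.
-- Rows labelled with the level alone ('S', no compartment) stay writable
-- for any user whose level authorization covers 'S'.
```

When testing, update a row labelled 'S:DSP' as 'user' rather than a row labelled 'S', since only the former exercises the compartment check.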