3 Replies Latest reply on Jun 18, 2010 4:12 PM by jjengel

    oracle label security on semantic data

      Has anyone successfully set up OLS on semantic data?

      I'm attempting to set this up; however, I am running into issues. When I set up my OLS policy and apply it to my RDF table that contains the sdo_rdf_triple_s data type, I can successfully filter the rows returned based on various security and user label combinations. This works for this query:

      select a.triple.get_subject() as "subject" from ncidata a where a.id = 1;

      However, if I use a query such as

      select s,p from table (sem_match('(?s ?p <http://urilinkname>)',null,null,null));

      I get results back. The object that I am querying on (http://urilinkname) is the same.

      Why is OLS not filtering this out with the sem_match?

      I then tried to apply the OLS policy to a resource by using the sem_rdfsa_apply_ols_policy; however, I never get any rows back from this, even when the policy is disabled (exec sem_rdfsa.disable_ols_policy).

      I am hoping someone has done this or can point me to some better documentation than what Oracle provides in chapter 5 of their 11.2 semantic technologies manual.

        • 1. Re: oracle label security on semantic data

          If you have access to My Oracle Support, we have a new patch released that provides an option for triple-level Oracle Label Security. We consider this option to be easier to use and more performant (especially w.r.t running inference in the presence of OLS) than the resource-level RDF OLS. For instance, there is no need to explicitly or implicitly assign labels to individual resources with this option. You can email me at vladimir dot kolovski at oracle dot com for more information.

          If you don't want to (or can't) use the patch, then here's some more information on the handling of RDF OLS. In general, the Oracle RDF store has application tables and an internal table to store the triples. RDF OLS is only applied to the internal table (this is what SEM_MATCH queries against).
          So, if you're using SEM_MATCH to retrieve data, you don't need to apply OLS to the application table. Now, the reason you can't see those triples using SEM_MATCH is that triples with null labels are not visible to anybody other than policy DBAs. I would suggest applying the OLS policy (apply_ols_policy) first, then inserting the triples.

          • 2. Re: oracle label security on semantic data

            I'll give the patch a shot. What I did notice is that once I applied the policy using apply_ols_policy, I could not insert any triples. I kept getting policy violations no matter what user. First I tried inserting as the rdf_data_store user; when that didn't work, I tried lbacsys, mdsys and sys. All got the same error.

            Is the label policy supposed to be applied using SA_POLICY_ADMIN.APPLY_TABLE_POLICY as well as sem_rdfsa.apply_ols_policy? Didn't see much in the docs. I did try both ways, however, with the same results. I am not at work so I cannot give specific error messages. I'll touch base tomorrow. Thanks for the response!

            • 3. Re: oracle label security on semantic data

              Forget the 2nd part of my last post. I read your post a little more slowly and see that the policy does not have to be applied to the table if using apply_ols_policy.