3 Replies Latest reply on May 9, 2011 5:29 PM by alwu-Oracle

    RDF and OLS

      Hi, I need to secure some predicates in my model. I use Resource-Level Security.
      I've got three users: admin can read and write everything, doctor can read secured predicates, and researcher can't read secured predicates. I store the application table in Venca's schema (privileged user). My steps are:
      1. I create user Venca and users admin, doctor, researcher
      create user venca identified by pass; -- same way for the other users
      grant create session, resource to venca,admin, doctor, researcher;

      2. I create policy pravidlo
      execute SA_SYSDBA.CREATE_POLICY ('pravidlo', 'CTXT1');
      and levels:
      EXEC sa_components.create_level ('pravidlo', 1001,'P','Public Level');
      EXEC sa_components.create_level ('pravidlo', 2001,'C','Confidential Level');
      EXEC sa_components.create_level ('pravidlo', 3001,'S','Sensitive Level');
      and labels:
      EXEC sa_label_admin.create_label('pravidlo', '10000','S', TRUE);
      EXEC sa_label_admin.create_label('pravidlo', '10100','P', TRUE);
      EXEC sa_label_admin.create_label('pravidlo', '10200','C', TRUE);
      and set privileges:
      execute SA_USER_ADMIN.SET_USER_PRIVS('pravidlo','admin_u','FULL'); -- admin full access
      execute SA_USER_ADMIN.SET_USER_PRIVS('pravidlo','venca','FULL'); -- venca full access
      execute sa_user_admin.set_user_labels('pravidlo','venca','S','S','P','S','P'); -- I set levels for Venca because he imports RDFs from file using Jena based program and I want set all resources to label P - Public.
      execute sa_user_admin.set_user_labels('pravidlo','doctor_u','P','P','P','P','P');
      execute sa_user_admin.set_user_labels('pravidlo','research_u','S','S','P','S','P');
      and apply policy:
      execute SEM_RDFSA.APPLY_OLS_POLICY('pravidlo',sem_rdfsa.SECURE_PREDICATE);

      and here is the problem: I want to set the label of the predicate http://mysample.com/ontology/onto.owl#secThing to level S (Sensitive level).
      I use statement:
      execute sem_rdfsa.set_predicate_label('model', '<http://mysample.com/ontology/onto.owl#secThing>', 'S');
      but there is a problem with the part "onto.owl" - the dot causes an error (I translated it to English)
      ORA-55359: unauthorized operation with policy PRAVIDLO - AVPT-12406
      ORA-06512: on "MDSYS.SEM_RDFSA", line 595
      ORA-06512: on line 1
      If I try deleting the dot, the statement is executed with no errors. How should I enter the predicate URI? In SPARQL I use a prefix for http://mysample.com/ontology/onto.owl#, but I think here I have to enter the whole URI.

      My other questions:
      1) Is there a way to read the labels of all resources and predicates? (I don't know if their labels are set correctly on import.)
      2) What is the right order of actions - import data to model, apply policy, set predicate label?
      3) How can I set label 'P' to all predicates and resources?

      Thanks for your answers.
        • 1. Re: RDF and OLS

          The Resource-Level Security has been deprecated. We recommend using triple level security.


          Zhe Wu
          • 2. Re: RDF and OLS
            I didn't find this information in the documentation. So how can I solve my situation?
            I need to label my triples - some with label P and some with S - based on predicate value. Let's say I have two predicates http://mysample.com/ontology/onto.owl#predOne and http://mysample.com/ontology/onto.owl#predTwo. Triples with predicate predOne must have label P and triples with predicate predTwo label S. How can I set these labels on triples? I don't care if it will be done during import or after import of triples.
            • 3. Re: RDF and OLS

              Assume you can switch to Triple level OLS security. Here is a way to achieve what you want.

              Say user A owns two labels P and S.

              User A uses label P to insert triples with predicates http://mysample.com/ontology/onto.owl#predOne.
              User A uses label S to insert triples with predicates http://mysample.com/ontology/onto.owl#predTwo.

              If you have a good justification to stay with resource level security, please email me at
              alan dot wu at oracle dot com.
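
A sketch of the triple-level approach from reply 3, added here as an example and not posted by anyone in the thread. It reuses the policy `pravidlo`, the labels P and S, the model `model` and the loading user `venca` from the question; the application table `app_table(id, triple)`, the subject URI and the literal values are assumptions, and it assumes no OLS policy is currently applied to the RDF store.

```sql
-- Added example, not from the thread. SQL*Plus syntax.

-- As the OLS policy administrator: enforce labels per triple instead of per resource.
EXECUTE sem_rdfsa.apply_ols_policy('pravidlo', sem_rdfsa.TRIPLE_LEVEL_ONLY);

-- venca keeps the label range from the question:
-- max read S, max write S, min write P, default S, row label P.
EXECUTE sa_user_admin.set_user_labels('pravidlo', 'VENCA', 'S', 'S', 'P', 'S', 'P');

-- As venca: every inserted triple is stamped with the session's current row label.
-- Step 1: public triples (predOne) are written while the row label is P.
EXECUTE sa_session.set_row_label('pravidlo', 'P');

INSERT INTO app_table (id, triple) VALUES (1,          -- app_table is hypothetical
  SDO_RDF_TRIPLE_S('model',
    '<http://mysample.com/ontology/onto.owl#subject1>', -- constructed subject
    '<http://mysample.com/ontology/onto.owl#predOne>',
    '"public value"'));                                 -- constructed literal

-- Step 2: sensitive triples (predTwo) are written while the row label is S.
EXECUTE sa_session.set_row_label('pravidlo', 'S');

INSERT INTO app_table (id, triple) VALUES (2,
  SDO_RDF_TRIPLE_S('model',
    '<http://mysample.com/ontology/onto.owl#subject1>',
    '<http://mysample.com/ontology/onto.owl#predTwo>',
    '"sensitive value"'));

COMMIT;

-- Check: run this once as a user whose max read label is P and once as a user
-- whose max read label is S. The P session should see only the predOne triple;
-- the S session should see both.
SELECT s, p, o
  FROM TABLE(SEM_MATCH(
         '{ ?s ?p ?o }',
         SEM_Models('model'),
         null, null, null));
```

A bulk loader that mixes both predicates in one session would label every triple with whatever row label is active at insert time, so the input has to be split by predicate before loading.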