Using Oracle Label Security with Oracle E-Business Suite
By Steven Chan (Oracle Development) on Feb 06, 2013
Most security administrators know how to use E-Business Suite responsibilities to manage access to data and functionality. The majority of EBS customers will never need anything beyond those standard capabilities. Some organisations may need specialised security to complement the EBS responsibility model. Oracle Label Security may appropriate for certain specialised requirements.
Oracle Label Security allows administrators to classify every row in a table, ensuring that access to sensitive data is restricted to users with the appropriate clearance level. OLS can be used to enforce regulatory compliance with a policy-based administration model to support custom data classification schemes for implementing “need to know” access. Labels can be used as factors within Oracle Database Vault command rules for multi-factor authorization polices.
Supported but not certified
It is possible to use Oracle Label Security with the E-Business Suite. Custom OLS policies will -- by design -- change the end-user behavior of EBS. It is possible for an OLS policy to break EBS, so we can't offer the standard technology certification in this case. What is certified is "the approach" of using OLS to implement custom security policies over EBS relational data. We do not certify specific versions of OLS, nor do we certify specific OLS policies.
From a support perspective, we treat OLS policies like any other EBS customization, namely:
- We can only issue EBS patches for issues that can be reproduced in environments without custom OLS policies.
- If you report an issue that can't be reproduced in vanilla, uncustomized environments, our default guidance will be to disable the custom OLS policies.
- We cannot review your OLS policies or make recommendations on how to create custom OLS policies.
How do I define OLS policies in EBS environments?
This rather-elderly Note explains techniques for adding OLS policy initialization logic to EBS session initialization. Although this Note is written specifically for Oracle9i Label Security and EBS 11i, the techniques documented here remain valid today to later database and EBS releases:
- Enabling Oracle Label Security in Oracle E-Business Suite (Note 2334599.1)
- Database Vault 11gR2 184.108.40.206 Certified with Oracle E-Business Suite
(this article also applies to all future database certifications for EBS, including 220.127.116.11)
- Scrambling Sensitive Data in E-Business Suite Release 12 Cloned Environments
- Webcast Replay Available: E-Business Suite Data Protection
- To Customize or Not to Customize?