Notes on #oracle #webinar “Label Based Access Controls in Oracle Database 11g”

Notes on the Oracle webinar, Label Based Access Controls in Oracle Database 11g by Kamal Tbeileh.

Agenda is:

  • Business requirements
  • Implementation challenges
  • Oracle Label Security solution

Business Requirements

The principal business requirements are data subsetting and multi-tenancy. The example is given for subsetting data by country. That is, US users can see and modify US data only. Similarly for other countries.

Multi-tenancy has a similar functionality to VPD (Virtual Private Database). Different organisations can use the same physical database while maintaining separation of data at the logical level. The Oracle Label Security is touted as superior as there is no coding needed as for FGAC (Fine Grained Access Control) which is used to implement VPD.

Implementation Challenges

Challenges of implementing security, especially data subsetting and multi-tenancy, in applications are:

  • Not in design of application
  • Application bypass (for example, power users, and application support teams)
  • Performance and scalability is difficult at the application layer especially with the administration of groups

Slide #6

Oracle’s solution is to use the database kernel to enforce security policies.

Oracle Label Security

The recommended product is Oracle Label Security.

  • Transparent through hidden column
  • Scalable through one to many mapping.
  • Extensible up to 9999 unique subsets
  • Secure through the Oracle database kernel

Slide #7

The implementation cycle is:

  • Create Label Security Policy
  • Define Data Sub-Set Labels
  • Identify Data Sub-Set Owners
  • Apply Policy and Label Data Sets
  • Enable Policy and Set Enforcement

Slide #8

The procedure is:

  • Apply policy to application tables
  • Customize enforcement based on requirements
  • Enable policy enforcement
  • Now users will see only their data subset

Slide #15


It looks like Oracle is touting Oracle Label Security against two (2) competitors: Java code for application security; and PL/SQL code for FGAC.

From the Oracle store, I got a quote for a four (4) processor perpetual licence for Oracle Label Security of AUD54,548.64 (including first year support). Apparently, I get a discount as well.

According to the PeopleBank Australia report, Sydney IT&T Salary Index for June 2012:

Position Level Permanent Salary
Developer – Java / J2EE Senior $120,000
Oracle Developer Senior $110,000

Assuming that salary is about 50% of the total cost of a programmer, then the first year cost of Oracle Label Security on a four (4) processor server is equivalent to about three (3) months of a senior development programmer time. This is the break-even point for a one year pay back period.

Since the most of the cost is in the first year, a longer pay back period would equate to a shorter amount of programmer time. This could be a reasonable option for most organisations to purchase Oracle Label Security.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s