其中牵涉到几个名词,解释一下:
��Y�WuEATU `?6% H��$ Policy:就是安全策略,一个安全策略是level,compartment,group,label的集合。
0��`Dw�*C| Level:等级,这是最基础的安全控制等级,必须设置。
VV((@]d`"" Compartment:分隔(这不是官方翻译),提供第二级的安全控制,是可选的。
[c)H�d#*<l Group:组(这不是官方翻译),提供第三级的安全控制,是可选的。
=suGw^s3\< Label:标签,最终体现到每一行上的安全标签,必须设置。只有用户被赋予的标签和此行上的标签相同或者等级更高的时候,该行才能够被用户存取。
�= r]~��/B 1。创建策略:
yjJ!��}V � \.,gP'DRe EXEC sa_sysdba.create_policy('DOC_POLICY','DOC_LABEL');
��1-bwi:g� 3l^fbl�*j0 ?pu}�dH5|> 2。创建敏感等级:
jO.lrJwg$b >X�VuKN;E EXEC sa_components.create_level('DOC_POLICY', 1000, 'PUBLIC', 'Public Level');
' �J1+Q`$S EXEC sa_components.create_level('DOC_POLICY', 2000, 'INTERNAL', 'Internal Level');
3。创建分隔: o?pf��~G0K
c?�(��a<Q�
EXEC sa_components.create_compartment('DOC_POLICY', 200, 'FIN', 'FINANCE'); e9>'3Q\+bj
EXEC sa_components.create_compartment('DOC_POLICY', 100, 'HR', 'HUMAN_RESOURCE'); �,P�&T"Qk>
�F' b>�}M*
fF|U��h�5x
4。创建分组: � {Ct��}�m
�i ;}Me�/�
EXEC sa_components.create_group('DOC_POLICY', 10, 'ALL', 'ALL_REGIONS'); C'Syk`L=/&
EXEC sa_components.create_group('DOC_POLICY', 20, 'WEST','WEST_REGION', 'ALL'); vT t[&78�a
EXEC sa_components.create_group('DOC_POLICY', 30, 'EAST', 'EAST_REGION', 'ALL'); � C7s2gt�l
((级别:分隔:组) 组成标签)(就是对于某个部门某个区域的用户的数据(记录)分别分配一个不同的标记,也就是标签的数字号,对用户也分配同样的标记)
5。创建标签: TA(I�/M��/
w."vv�lw�>
EXEC sa_label_admin.create_label('DOC_POLICY', '10000', 'PUBLIC', TRUE); JsdpX�_�YB
EXEC sa_label_admin.create_label('DOC_POLICY', '20200','INTERNAL:HR:WEST', TRUE); &��M�v�p")
EXEC sa_label_admin.create_label('DOC_POLICY', '20400','INTERNAL:FIN:EAST', TRUE); �6�LP !4nA
EXEC sa_label_admin.create_label('DOC_POLICY', '30900','INTERNAL:HR,FIN:ALL', TRUE);
7。向用户分配标签: 7@M�_l��Hg
� �aN,s$<�
EXEC sa_user_admin.set_user_labels - j�%+DyHD*K
( policy_name => 'DOC_POLICY' - �<`Q��2<&@
, user_name => 'TEST' - _�\\~W@+U�
, max_read_label => 'INTERNAL:HR,FIN:ALL' - Ov&�EB��a�
, max_write_label => 'INTERNAL:HR,FIN:ALL' - k�qT�~.cIJ
, min_write_label => 'PUBLIC' - pfK2y"��hn
, def_label => 'INTERNAL:HR,FIN:ALL' - oJcIl.Sr9�
, row_label => 'PUBLIC'); %=cNFk7�};
EXEC sa_user_admin.set_user_labels - V�hDv�=)�u
( policy_name => 'DOC_POLICY' - [u={�N}t��
, user_name => 'HR' - DUAH\�g/Xp
, max_read_label => 'INTERNAL:HR:WEST' - L6}{vqr��l
, max_write_label => 'INTERNAL:HR:WEST' - X`rJVSojh�
, min_write_label => 'PUBLIC' - ~2r|>�+ �_
, def_label => 'INTERNAL:HR:WEST' - "<5�Y$PM+:
, row_label => 'PUBLIC'); W:2k9�spPr
EXEC sa_user_admin.set_user_labels - $'|t^�S3O�
( policy_name => 'DOC_POLICY' - Qpa�O`*3b�
, user_name => 'SCOTT' - H �_�zaI}`
, max_read_label => 'PUBLIC' - �xk 2�5 b�
, max_write_label => 'PUBLIC' - �FA|GN.�=*
, min_write_label => 'PUBLIC' - �'J�~}]d@L
, def_label => 'PUBLIC' - P�,4@=�U��
, row_label => 'PUBLIC'); GsH{d=��D0
INSERT INTO ts.document VALUES(1, 'SHARE_WARE',CHAR_TO_LABEL('DOC_POLICY','PUBLIC')); Z �XIh*�iv
INSERT INTO ts.document VALUES (2, 'WEST_PAYROLL', 20200); �J�<Oi~�Ef
INSERT INTO ts.document VALUES (3, 'EAST_SALES', 20400); cG& �a6wy
INSERT INTO ts.document VALUES (4, 'COMP_PAYROLL', 30900);
京公网安备 11010802021500号