B Command-line Tools for Label Security Using Oracle Internet Directory

When Oracle Label Security is used with Oracle Internet Directory, security administrators must use certain commands to create and alter label security attributes stored in the directory.

This Appendix describes these commands and the parameters they require. The commands insert, update, and delete entries in the directory and are implemented by a script named olsadmintool, which you invoke as $ORACLE_HOME/bin/olsadmintool. This Appendix contains the following tables and sections:

Table B-1 Oracle Label Security Commands in Categories

Command Category | Purpose of Command | Command | Replaces PL/SQL Statement
Policies | Create a Policy | olsadmintool createpolicy | SA_SYSDBA.CREATE_POLICY
Policies | Alter a Policy | olsadmintool alterpolicy | SA_SYSDBA.ALTER_POLICY
Policies | Drop a Policy | olsadmintool droppolicy | SA_SYSDBA.DROP_POLICY
Policies | Add Policy Creator | olsadmintool addpolcreator | None; new
Policies | Drop Policy Creator | olsadmintool droppolcreator | None; new
Levels in a Policy | Create a Level | olsadmintool createlevel | SA_COMPONENTS.CREATE_LEVEL
Levels in a Policy | Alter a Level | olsadmintool alterlevel | SA_COMPONENTS.ALTER_LEVEL
Levels in a Policy | Drop a Level | olsadmintool droplevel | SA_COMPONENTS.DROP_LEVEL
Groups in a Policy | Create a Group | olsadmintool creategroup | SA_COMPONENTS.CREATE_GROUP
Groups in a Policy | Alter a Group | olsadmintool altergroup | SA_COMPONENTS.ALTER_GROUP
Groups in a Policy | Alter a Group's Parent | olsadmintool altergroupparent | SA_COMPONENTS.ALTER_GROUP_PARENT
Groups in a Policy | Drop a Group | olsadmintool dropgroup | SA_COMPONENTS.DROP_GROUP
Compartments in a Policy | Create a Compartment | olsadmintool createcompartment | SA_COMPONENTS.CREATE_COMPARTMENT
Compartments in a Policy | Alter a Compartment | olsadmintool altercompartment | SA_COMPONENTS.ALTER_COMPARTMENT
Compartments in a Policy | Drop a Compartment | olsadmintool dropcompartment | SA_COMPONENTS.DROP_COMPARTMENT
Data Labels | Create a Label | olsadmintool createlabel | SA_LABEL_ADMIN.CREATE_LABEL
Data Labels | Alter a Label | olsadmintool alterlabel | SA_LABEL_ADMIN.ALTER_LABEL
Data Labels | Drop a Label | olsadmintool droplabel | SA_LABEL_ADMIN.DROP_LABEL
Users | Add a User to a Profile | olsadmintool adduser | None; new
Users | Drop a User | olsadmintool dropuser | SA_USER_ADMIN.DROP_USER_ACCESS
Profiles | Create a Profile | olsadmintool createprofile | Replaces the use of several methods (Footnote 1)
Profiles | List Profiles | olsadmintool listprofile | None; new
Profiles | Describe a Profile | olsadmintool describeprofile | None; new
Profiles | Drop a Profile | olsadmintool dropprofile | None; new
Policy Administrators | Add Policy Administrator | olsadmintool addadmin | None; new
Policy Administrators | Drop Policy Administrator | olsadmintool dropadmin | None; new
Policy Access | Add Policy Access (not described in Section B.1) | olsadmintool addpolaccess | None; new
Policy Access | Drop Policy Access (not described in Section B.1) | olsadmintool droppolaccess | None; new
Auditing | Set Audit Options | olsadmintool audit | SA_AUDIT_ADMIN.AUDIT
Auditing | Cancel Audit Options | olsadmintool noaudit | SA_AUDIT_ADMIN.NOAUDIT
Help | Get Help for an olsadmintool Command | olsadmintool <command name> --help | None; new

Footnote 1 Replaces several methods in SA_USER_ADMIN: SET_LEVELS, SET_USER_PRIVILEGES, and SET_DEFAULT_LABEL

Table B-2 olsadmintool Commands Linked to Their Explanations

Purpose of Command (Links in Alphabetical Order) | Command
Add a User to a Profile | olsadmintool adduser
Add Policy Administrators | olsadmintool addadmin
Add Policy Creator | olsadmintool addpolcreator
Alter a Compartment | olsadmintool altercompartment
Alter a Group | olsadmintool altergroup
Alter a Group's Parent | olsadmintool altergroupparent
Alter a Label | olsadmintool alterlabel
Alter a Level | olsadmintool alterlevel
Alter Policy | olsadmintool alterpolicy
Cancel Audit Options | olsadmintool noaudit
Create a Compartment | olsadmintool createcompartment
Create a Group | olsadmintool creategroup
Create a Label | olsadmintool createlabel
Create a Level | olsadmintool createlevel
Create a Profile | olsadmintool createprofile
Create Policy | olsadmintool createpolicy
Describe a Profile | olsadmintool describeprofile
Drop a Compartment | olsadmintool dropcompartment
Drop a Group | olsadmintool dropgroup
Drop a Label | olsadmintool droplabel
Drop a Level | olsadmintool droplevel
Drop a Policy | olsadmintool droppolicy
Drop a Profile | olsadmintool dropprofile
Drop a User | olsadmintool dropuser
Drop Policy Administrator | olsadmintool dropadmin
Drop Policy Creator | olsadmintool droppolcreator
Get Help for an olsadmintool Command | olsadmintool <command name> --help
List Profiles | olsadmintool listprofile
Set Audit Options | olsadmintool audit


B.1 Command Explanations

In the command explanations that follow, some parameters are optional, which is indicated by enclosing such a parameter within brackets. The two most common examples are [ -b <admin context> ] and [-p <port>], indicating that it is optional to specify either the administrative context for the command or the port through which to connect to Oracle Internet Directory. (Default port is 389.)

The use of two dashes (--, no space) is required for all parameters other than b, h, p, D, and w, which are preceded by a single dash. The double dash indicates the need to specify the full or long version of the name or parameter being used. If any such name or parameter contains spaces, it must be enclosed by double quotation marks, for example, "this is an extremely long name or parameter."

Some commands appear in this listing on multiple lines for readability, but each is entered as a single line on the command line.

Add a User to a Profile

olsadmintool adduser --polname <policy name> --profname <profilename> --userdn <enterprise user DN>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the adduser command Use the adduser command to add an enterprise user to a profile within a policy. Provide the profile and policy names and the user DN (see Footnote 1 in the Footnote Legend). Enterprise users are normal Oracle Internet Directory users with the additional capability of connecting to the database. Users added to a profile must be enterprise users.

Example of the adduser command 

olsadmintool adduser --polname tradesecret --profname topsales --userdn "cn=perot" -b "cn=EDS" -h ford -p 1890 -D cn=lbacsys -w lbacsyspwrd

See Also:

Refer to the Oracle Database Advanced Security Administrator's Guide, Chapter 13, Administering Enterprise User Security, for further concepts, tools, steps, and procedures.

Add Policy Administrators

olsadmintool addadmin --polname <policy name> --admindn <admin DN>  [ -b <admin context>] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the addadmin command 

Use the addadmin command to add an enterprise user to the administrative group for a policy, so that the user is able to create, modify, or delete the specified policy's metadata. Provide the policy name and the new administrator's DN. This group should contain only enterprise users.

Example of the addadmin command 

olsadmintool addadmin --polname defense --admindn "cn=scott,c=us"  -h yippee -D cn=lbacsys -w lbacsys

Add Policy Creator

olsadmintool addpolcreator --userdn <user DN>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the addpolcreator command 

Use the addpolcreator command to enable the specified user to create policies. Provide the DN for the user.

Example of the addpolcreator command

olsadmintool addpolcreator --userdn "cn=scott" -h yippee -D cn=lbacsys -w lbacsys

Alter a Compartment

olsadmintool altercompartment --polname <policy name> --shortname <short compartment name> --longname <new long compartment name>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the altercompartment command Use the altercompartment command to change the long name of a compartment. Provide the name of the policy, the short name of the compartment, and the new long name of the compartment.

Example of the altercompartment command 

olsadmintool altercompartment --polname defense --shortname A --longname "Allied Forces" -h yippee -D cn=defense_admin -w welcome1

Alter a Group

olsadmintool altergroup --polname <policy name> --shortname <short group name>  --longname <"new long group name">  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the altergroup command Use the altergroup command to change the long name for a group component or parent group. Provide the name of the policy, the short name of the group, and the long name of the group.

Example of the altergroup command 

olsadmintool altergroup --polname defense --shortname US --longname "United States of America"  -h yippee -D cn=defense_admin -w welcome1

Alter a Group's Parent

olsadmintool altergroupparent --polname <policy name> --shortname <short group name> [--parentname <new parent group name>] [--clearparent] [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the altergroupparent command Use the altergroupparent command to change or remove the parent group of a group. Provide the name of the policy, the short name of the group, and either the short name of the parent group or the clearparent flag, but not both.

Examples of the altergroupparent command 

olsadmintool altergroupparent --polname defense --shortname US --parentname "Earth" -h yippee -p 5678 -D cn=defense_admin -w welcome1
or
olsadmintool altergroupparent --polname defense --shortname US --clearparent 
-h yippee -p 5678 -D cn=defense_admin -w welcome1

Alter a Label

olsadmintool alterlabel --polname <policy name> --tag <tag number> --value <new label value>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the alterlabel command Use the alterlabel command to change the character string defining the label associated with a label tag. Provide the policy name, the numeric tag of the label, and the new character string representing the label.

Example of the alterlabel command 

olsadmintool alterlabel --polname defense --tag 100 --value "TS:A:US" -h yippee -D cn=defense_admin -w welcome1

Alter a Level

olsadmintool alterlevel --polname <policy name> --shortname <short level name> --longname <"new long level name"> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the alterlevel command Use the alterlevel command to change the long name of a level. Provide the name of the policy, the short name of the level, and the new long name of the level.

Example of the alterlevel command 

olsadmintool alterlevel --polname defense --shortname TS 
--longname "VERY TOP SECRET" -h yippee -D cn=defense_admin -w welcome1

Alter Policy

olsadmintool alterpolicy --name <policy name> --options <new options> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

where <new options> can be any combination of the following entries:
INVERSE_GROUP, HIDE, LABEL_DEFAULT, LABEL_UPDATE, CHECK_CONTROL, READ_CONTROL,WRITE_CONTROL,INSERT_CONTROL, DELETE_CONTROL, UPDATE_CONTROL, ALL_CONTROL, or NO_CONTROL

Description of the alterpolicy command Use the alterpolicy command to alter the options of a policy. Provide the name of the policy and the new options.

Example of the alterpolicy command 

olsadmintool alterpolicy --name defense --options "READ_CONTROL,INSERT_CONTROL" -h yippee -D cn=defense_admin -w welcome1

Cancel Audit Options

olsadmintool noaudit --polname <policy name> --options <audit option name> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

where <audit option name> can be any combination of APPLY, REMOVE, SET, PRIVILEGE

Description of the noaudit command Use the noaudit command to cancel the audit options for a policy. Provide the policy name and the options that are no longer to be audited.

Example of the noaudit command 

olsadmintool noaudit --polname defense --options "APPLY,PRIVILEGE" -h yippee -D cn=defense_admin -w welcome1

Create a Compartment

olsadmintool createcompartment --polname <policy name> --tag <tag number> --shortname <short compartment name> --longname <"long compartment name"> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createcompartment command Use the createcompartment command to create a new compartment component. Provide the name of the policy, the tag numeric value of the compartment, the short name of the compartment, and the long name of the compartment.

Example of the createcompartment command 

olsadmintool createcompartment --polname defense --tag 100 --shortname A --longname Alpha -h yippee -D cn=defense_admin -w welcome1

Create a Group

olsadmintool creategroup --polname <policy name> --tag <tag number> --shortname <short group name> --longname <"long group name">  [--parentname <parent group name>] [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the creategroup command Use the creategroup command to create a new group component. Provide the name of the policy, the tag numeric value of the group, the short name of the group, the long name of the group, and the parent group name (optional).

Example of the creategroup command 

olsadmintool creategroup --polname defense --tag 55 --shortname US  --longname "United States" -h yippee -D cn=defense_admin -w welcome1

Create a Label

olsadmintool createlabel --polname <policy name> --tag <tag number> --value <label value>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createlabel command Use the createlabel command to create a valid data label. Provide the policy name, the numeric tag of the label to be created, and the character string representation of the label.

Example of the createlabel command 

olsadmintool createlabel --polname defense --tag 100 --value "TS:A,B:US,CA" 
-h yippee -D cn=defense_admin -w welcome1

Create a Level

olsadmintool createlevel --polname <policy name> --tag <tag number> --shortname <short level name> --longname <"long level name">  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createlevel command Use the createlevel command to create a new level component. Provide the name of the policy, the tag numeric value, the short name of the level, and the long name of the level.

Example of the createlevel command 

olsadmintool createlevel --polname defense --tag 100 --shortname TS  --longname "TOP SECRET" -h yippee -D cn=defense_admin -w welcome1

Create a Profile

olsadmintool createprofile --polname <policy name> --profname <profile name> --maxreadlabel <max read label> --maxwritelabel <max write label> --minwritelabel <min write label> --defreadlabel <default read label> --defrowlabel <default row label> --privileges <privileges separated by comma>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the createprofile command Use the createprofile command to create a new profile. Provide the policy name, the profile name, and either privileges, labels, or both privileges and labels. (A user profile can have either null label information or null privilege information, but not both null at the same time.) For labels, specify the maximum label users in this profile can use to read data, the maximum label users in this profile can use to write data, the minimum label users in this profile can use to write data, the default label for reading, and the default row label for writing. For privileges, enclose in quotation marks the list of privileges, separated by commas, for members of this profile.

Example of the createprofile command 

olsadmintool createprofile --polname topsecret --profname topsales --maxreadlabel "TS:A,B:US,CA" --maxwritelabel "TS:A,B:US,CA" --minwritelabel "C:A,B:US,CA" --defreadlabel "TS:A,B:US,CA" --defrowlabel "C:A,B:US,CA"  --privileges "READ,COMPACCESS,WRITEACROSS" -b EDS -h ford -p 1890 -D cn=lbacsys -w lbacsyspwrd
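The label relationships that createprofile takes for granted can be checked before the command is run, so that a typo in a label or a profile whose write labels exceed its read labels is caught locally rather than in the directory. The following Python script is an added example, not part of the Oracle documentation or of the olsadmintool distribution. It parses label strings of the form LEVEL:COMPARTMENTS:GROUPS against the Policy1 components defined in Table B-5 (assumed here to be the policy's whole component set), refuses any label that names a component the policy never defined, and applies the standard Oracle Label Security read rule (higher-or-equal level, superset of compartments, at least one group in common unless the dominated label has no groups; parent-group inheritance set with altergroupparent is not modelled). The five profile invariants it checks are assumptions chosen so that the page's Profile1 example in Section B.3 passes; they are not the tool's documented validation.

```python
"""Pre-flight check for olsadmintool createlabel / createprofile label values.

Added example, not from the Oracle documentation.  Component definitions are
the Policy1 components from Table B-5 (assumed to be the whole policy).
"""
from dataclasses import dataclass

# Policy1 components (Table B-5): short name -> tag.  Level tags order the
# levels; compartment and group tags are identifiers only.
LEVELS = {"TS": 100, "S": 99, "U": 98}
COMPARTMENTS = {"A": 100, "B": 99}
GROUPS = {"G1": 100, "G2": 99, "G3": 98}


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset
    groups: frozenset

    def dominates(self, other: "Label") -> bool:
        """Standard OLS read rule: level >= the other's level, compartments a
        superset of the other's, and at least one group in common unless the
        other label carries no groups.  Parent-group inheritance
        (altergroupparent) is not modelled here (assumption)."""
        if self.level < other.level:
            return False
        if not self.compartments >= other.compartments:
            return False
        return not other.groups or bool(self.groups & other.groups)


def _names(field: str, defined: dict, kind: str, text: str) -> frozenset:
    """Split a comma-separated component list and reject undefined names."""
    names = [n.strip() for n in field.split(",") if n.strip()]
    for name in names:
        if name not in defined:
            raise ValueError(f"undefined {kind} {name!r} in label {text!r}")
    return frozenset(names)


def parse_label(text: str) -> Label:
    """Parse 'LEVEL:COMP,COMP:GROUP,GROUP'.  Empty compartment or group
    fields are allowed, as in the page's minimum write label 'U::'.  A name
    the policy never defined is rejected here rather than handed to the
    directory."""
    parts = text.split(":")
    if len(parts) != 3:
        raise ValueError(f"label needs three colon-separated fields: {text!r}")
    level, comps, groups = (p.strip() for p in parts)
    if level not in LEVELS:
        raise ValueError(f"undefined level {level!r} in label {text!r}")
    return Label(LEVELS[level],
                 _names(comps, COMPARTMENTS, "compartment", text),
                 _names(groups, GROUPS, "group", text))


def is_valid_label(text: str) -> bool:
    """True if the label is well formed and every component is defined."""
    try:
        parse_label(text)
        return True
    except ValueError:
        return False


def check_profile(maxread, maxwrite, minwrite, defread, defrow):
    """Return the names of violated invariants (empty list: consistent).
    Assumed invariants: max read >= max write >= min write, max read >=
    default read, max write >= default row >= min write, where '>=' means
    dominance as defined in Label.dominates."""
    mr, mw, nw = parse_label(maxread), parse_label(maxwrite), parse_label(minwrite)
    dr, rl = parse_label(defread), parse_label(defrow)
    rules = [
        ("maxreadlabel must dominate maxwritelabel", mr.dominates(mw)),
        ("maxwritelabel must dominate minwritelabel", mw.dominates(nw)),
        ("maxreadlabel must dominate defreadlabel", mr.dominates(dr)),
        ("maxwritelabel must dominate defrowlabel", mw.dominates(rl)),
        ("defrowlabel must dominate minwritelabel", rl.dominates(nw)),
    ]
    return [name for name, ok in rules if not ok]


if __name__ == "__main__":
    # Profile1 from Section B.3.8: expected to report no violations.
    print(check_profile("TS:A:G1", "TS:A:G1", "U::", "U:A:G1", "U:A:G1"))
```

Run check_profile with the five label values you intend to pass to createprofile; an empty list means the values are mutually consistent under the assumed invariants. Because the component tables are hard-coded, keep them in step with what createlevel, createcompartment and creategroup have actually created for the policy.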

Create Policy

olsadmintool createpolicy --name <policy name> --colname <column name> --options <options separated by commas>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

where <options> can be any combination of the following entries: INVERSE_GROUP, HIDE, LABEL_DEFAULT, LABEL_UPDATE, CHECK_CONTROL, READ_CONTROL, WRITE_CONTROL, INSERT_CONTROL, DELETE_CONTROL, UPDATE_CONTROL, ALL_CONTROL, or NO_CONTROL

Description of the createpolicy command Use the createpolicy command to create a policy. Provide the name of the policy, the name of its label column, and the options.

Example of the createpolicy command 

olsadmintool createpolicy --name defense --colname defense_col --options "READ_CONTROL,UPDATE_CONTROL" -h yippee -p 389 -D cn=defense_admin -w welcome1

Describe a Profile

olsadmintool describeprofile --polname <policy name> --profname <profile name>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the describeprofile command 

Use the describeprofile command to see the contents of the specified profile in the specified policy. Provide the policy name and the name of the profile.

Example of the describeprofile command 

olsadmintool describeprofile --polname defense --profname contractors  -h yippee -D cn=defense_admin -w welcome1

Drop a Compartment

olsadmintool dropcompartment --polname <policy name> --shortname <short compartment name>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropcompartment command Use the dropcompartment command to remove a compartment component. Provide the name of the policy and the short name of the compartment.

Example of the dropcompartment command 

olsadmintool dropcompartment --polname defense --shortname A 
-h yippee -D cn=defense_admin -w welcome1

Drop a Group

olsadmintool dropgroup --polname <policy name> --shortname <short group name> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropgroup command Use the dropgroup command to remove a group component. Provide the policy name and the short group name.

Example of the dropgroup command 

olsadmintool dropgroup --polname defense --shortname US 
-h yippee -D cn=defense_admin -w welcome1

Drop a Label

olsadmintool droplabel --polname <policy name> --value <label value> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the droplabel command Use the droplabel command to drop a label from the policy. Provide the policy name and the string representation of the label.

Example of the droplabel command 

olsadmintool droplabel --polname defense --value "TS:A:US" 
-h yippee -D cn=defense_admin -w welcome1

Drop a Level

olsadmintool droplevel --polname <policy name> --shortname <short level name> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the droplevel command Use the droplevel command to remove a level component from a specified policy. Provide the name of the policy and the short name of the level.

Example of the droplevel command 

olsadmintool droplevel --polname defense --shortname TS 
-h yippee -D cn=defense_admin -w welcome1

Drop a Policy

olsadmintool droppolicy --name <policy name> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the droppolicy command Use the droppolicy command to drop a policy. Provide the name of the policy to be dropped. For directory-enabled installations of Oracle Label Security, refer to "Subscribing Policies in Directory-Enabled Label Security".

Example of the droppolicy command 

olsadmintool droppolicy --name defense -h yippee -D cn=defense_admin -w welcome1

Drop a Profile

olsadmintool dropprofile --polname <policy name> --profname <profile name> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropprofile command Use the dropprofile command to remove the specified profile. Provide the policy name and the name of the profile to be dropped.

Note:

Dropping a profile removes the authorization on that policy for all the users in the dropped profile. The users will be unable to see data protected by that policy.

Example of the dropprofile command 

olsadmintool dropprofile --polname defense --profname employees 
-h yippee -D cn=defense_admin -w welcome1

Drop a User

olsadmintool dropuser --polname <policy name> --profname <profilename> 
--userdn <enterprise user DN>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropuser command Use the dropuser command to drop a user from the specified profile in the specified policy. Provide the policy name, the name of the profile, and the DN of the user.

Example of the dropuser command 

olsadmintool dropuser --polname defense --profname contractors --userdn "cn=hanssen,c=us" -h yippee -D cn=defense_admin -w welcome1

Drop Policy Administrator

olsadmintool dropadmin --polname <policy name> --admindn <admin DN> 
[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the dropadmin command Use the dropadmin command to remove an enterprise user from the administrative group of a policy, so that the user is no longer able to create, modify, or delete the specified policy's metadata. Provide the policy name and the DN of the administrator to be removed from the administrative group.

Example of the dropadmin command 

olsadmintool dropadmin --polname defense --admindn "cn=scott,c=us" 
-h yippee -D cn=lbacsys -w lbacsys

Drop Policy Creator

olsadmintool droppolcreator --userdn <user DN>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the droppolcreator command Use the droppolcreator command to cancel the ability of the specified user to create policies. Provide the user's DN.

Example of the droppolcreator command 

olsadmintool droppolcreator --userdn "cn=scott,c=us"  -b UA -h yippee -p 1890 -D cn=lbacsys -w lbacsys

Get Help for an olsadmintool Command

olsadmintool <command name> --help

List Profiles

olsadmintool listprofile --polname <policy name>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

Description of the listprofile command Use the listprofile command to see a list of all profiles in a given policy. Provide the policy name.

Example of the listprofile command 

olsadmintool listprofile --polname defense -b CIA  -h yippee -D cn=defense_admin -w welcome1

Set Audit Options

olsadmintool audit --polname <policy name> --options <audit option name> --type <audit option type> --success <audit success type>  [ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

where <audit option name> can be any combination of APPLY, REMOVE, SET, PRIVILEGE; type can be "session" or "access"; and success can be "successful", "not successful" or "both" (the two-word value must be enclosed in double quotation marks).

Description of the audit command Use the audit command to set the audit options for a policy. Provide the policy name, the options to be audited, the type of audit, and the type of success to be audited.

Example of the audit command 

olsadmintool audit --polname defense --options "APPLY,PRIVILEGE" --type session  --success successful -h yippee -D cn=defense_admin -w welcome1

B.2 Relating Parameters to Commands for olsadmintool

All olsadmintool commands must specify connection parameters: the OID host, the bind DN, the bind password, and optionally, the port through which the connection to Oracle Internet Directory is to be made. (The default port is 389.) Because the bind password is supplied on the command line with -w, it is visible to other users on the host through the process list while the command runs and is recorded in the shell history; bind with a DN that holds only the rights the task needs, and avoid leaving these commands in history files when scripting them. Port 389 is the standard non-SSL LDAP port, so a simple bind over it carries the password in the clear on the network; run the tool from a host with a protected path to the directory.

All olsadmintool commands may specify, as needed, the subscriber/administrative-context using the -b flag.

The fact that specifying a parameter is optional, such as a port or an administrative context, is shown by enclosing the parameter within brackets. The two most common examples are [ -b <admin context> ] and [-p <port>].

Since every command must specify a host, bind DN, and password, and may, if needed, also specify an administrative context, Table B-3, "Summary: olsadmintool Command Parameters" uses the abbreviation CON to represent all of these connection parameters as a group:

[ -b <admin context> ] -h <OID host> [-p <port>] -D <bind DN> -w <bind password>

B.2.1 Summaries

Table B-3, "Summary: olsadmintool Command Parameters" summarizes the commands in the following categories:

  • Policies: creating, altering, or dropping policies or their components, that is, levels, groups, and compartments

  • Data labels: creating, altering, or dropping them

  • Administrators and policy creators: adding or dropping them

  • Users: adding or dropping users from a profile

  • Auditing options: setting the options for what to audit for a policy

  • Profiles: creating, listing, describing, or dropping them

  • Default read or row labels: setting them

In Table B-3, "Summary: olsadmintool Command Parameters" and Table B-4, "Summary of Profile and Default Command Parameters", the column headings show only the parameters, not the keywords that must precede them. For example, Table B-3, "Summary: olsadmintool Command Parameters" shows policyname and column-name as parameters for the createpolicy command, without showing the keywords that must precede them (--name and --colname). These keywords are shown as required in each of the individual command descriptions, such as at Create Policy.

The list that follows explains the individual parameters that are used as column headings in Table B-3, "Summary: olsadmintool Command Parameters" and Table B-4, "Summary of Profile and Default Command Parameters".

In all these tables:

  • X means required, and O means unused or omitted.

  • OptionsP means policy enforcement options, that is, any combination of the following entries, separated by a comma:

    • INVERSE_GROUP

    • HIDE

    • LABEL_DEFAULT

    • LABEL_UPDATE

    • CHECK_CONTROL

    • READ_CONTROL

    • WRITE_CONTROL

    • INSERT_CONTROL

    • DELETE_CONTROL

    • UPDATE_CONTROL

    • ALL_CONTROL

    • NO_CONTROL

  • OptionsA means audit options, that is, any comma-separated combination of the following entries: SET, APPLY, REMOVE, or PRIVILEGE.

Table B-3 Summary: olsadmintool Command Parameters

Policies
Command | policy name | column name | optionsP | CON
olsadmintool createpolicy | X | X | X | X
olsadmintool alterpolicy | X | O | X | X
olsadmintool droppolicy | X | O | O | X

Within a Policy, Create:
Component | Command | policy name | tag | short name | long name | CON | parent name
a level | olsadmintool createlevel | X | X | X | X | X | O
a group | olsadmintool creategroup | X | X | X | X | X | [ X ]
a compartment | olsadmintool createcompartment | X | X | X | X | X | O

Within a Policy, Alter:
Component | Command | policy name | tag | short name | long name | CON | parent name
a level | olsadmintool alterlevel | X | O | X | X | X | O
a group | olsadmintool altergroup | X | O | X | X | X | O
a group's parent | olsadmintool altergroupparent | X | O | X | O | X | [ X ] (or --clearparent)
a compartment | olsadmintool altercompartment | X | O | X | X | X | O

Within a Policy, Drop:
Component | Command | policy name | tag | short name | long name | CON | parent name
a level | olsadmintool droplevel | X | O | X | O | X | O
a group | olsadmintool dropgroup | X | O | X | O | X | O
a compartment | olsadmintool dropcompartment | X | O | X | O | X | O

Data Labels
Action | Command | policy name | tag | value | CON
Create label | olsadmintool createlabel | X | X | X | X
Alter data label | olsadmintool alterlabel | X | X | X | X
Drop data label | olsadmintool droplabel | X | O | X | X

Policy Administrators and Policy Creators
Action | Command | policy name | user DN | CON
Add an Admin | olsadmintool addadmin | X | X | X
Drop an Admin | olsadmintool dropadmin | X | X | X
Add a Policy Creator | olsadmintool addpolcreator | O | X | X
Drop a Policy Creator | olsadmintool droppolcreator | O | X | X

Users
Action | Command | policy name | profile name | user DN | CON
Add a User | olsadmintool adduser | X | X | X | X
Drop a User | olsadmintool dropuser | X | X | X | X

Auditing
Action | Command | policy name | optionsA | type | success | CON
Set audit options | olsadmintool audit | X | X | X | X | X
Cancel audit options | olsadmintool noaudit | X | X | O | O | X

Help
Command | other parameters | CON
olsadmintool <command name> --help | O | O

Table B-4 Summary of Profile and Default Command Parameters

Profile Action | Profile Command | Policy Name | Profile Name | Max Read Label | Max Write Label | Min Write Label | Def Read Label | Def Row Label | Priv's | CON
Create a Profile (Footnote 1) | olsadmintool createprofile | X | X | X | X | X | X | X | X | X
List Profiles | olsadmintool listprofile | X | O | O | O | O | O | O | O | X
Describe a Profile | olsadmintool describeprofile | X | X | O | O | O | O | O | O | X
Drop a Profile | olsadmintool dropprofile | X | X | O | O | O | O | O | O | X

Footnote 1 In createprofile, specifying both privileges and labels is not required: a profile can specify labels, privileges, or both.

B.3 Examples of Using olsadmintool

The subsections that follow illustrate using the olsadmintool commands in typical tasks needed to set up Oracle Label Security in an Oracle Internet Directory environment. Each command is shown on one or more lines for readability, but is entered as a single line on the command line. The summarized results of carrying out all these commands appear in Results of These Examples, which follows the last example.

B.3.1 Make Other Users Policy Creators

$ORACLE_HOME/bin/olsadmintool addpolcreator --userdn "cn=snamudur,c=us" -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=lbacsys,c=us" -w lbacsys

B.3.2 Create Policies with Valid Options

$ORACLE_HOME/bin/olsadmintool createpolicy --name Policy1 --colname pol1 --options READ_CONTROL,WRITE_CONTROL -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=snamudur,c=us" -w snamudur

$ORACLE_HOME/bin/olsadmintool createpolicy --name Policy2 --colname pol2 --options READ_CONTROL -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=lbacsys,c=us" -w lbacsys

B.3.3 Create Policy Administrators

$ORACLE_HOME/bin/olsadmintool addadmin --polname Policy1 --admindn "cn=shwong,c=us" -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=snamudur,c=us" -w snamudur

$ORACLE_HOME/bin/olsadmintool addadmin --polname Policy2 --admindn "cn=shwong,c=us" -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=lbacsys,c=us" -w lbacsys

B.3.4 Create Some Levels

$ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 100 --shortname TS --longname "TOP SECRET" -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

$ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 99 --shortname S --longname SECRET -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

$ORACLE_HOME/bin/olsadmintool createlevel --polname Policy1 --tag 98 --shortname U --longname UNCLASSIFIED -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

B.3.5 Create Some Compartments

$ORACLE_HOME/bin/olsadmintool createcompartment --polname Policy1 --tag 100 --shortname A --longname ALPHA -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

$ORACLE_HOME/bin/olsadmintool createcompartment --polname Policy1 --tag 99 --shortname B --longname BETA -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

B.3.6 Create Some Groups

$ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 100 --shortname G1 --longname GROUP1 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

$ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 99 --shortname G2 --longname GROUP2 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

$ORACLE_HOME/bin/olsadmintool creategroup --polname Policy1 --tag 98 --shortname G3 --longname GROUP3 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

B.3.7 Create Some Labels

$ORACLE_HOME/bin/olsadmintool createlabel --polname Policy1 --tag 100 --value TS:A:G1 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

$ORACLE_HOME/bin/olsadmintool createlabel --polname Policy1 --tag 101 --value TS:A,B:G2 -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

B.3.8 Create a Profile

$ORACLE_HOME/bin/olsadmintool createprofile --polname Policy1 --profname Profile1 --maxreadlabel TS:A:G1 --maxwritelabel TS:A:G1 --minwritelabel U:: --defreadlabel U:A:G1 --defrowlabel U:A:G1 --privileges WRITEUP,READ -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

B.3.9 Add a User to the Profile

$ORACLE_HOME/bin/olsadmintool adduser --polname Policy1 --profname Profile1 --userdn cn=nina,ou=Asia,o=microsoft,l=seattle,st=WA,c=US -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

B.3.10 Add Another User to the Profile

$ORACLE_HOME/bin/olsadmintool adduser --polname Policy1 --profname Profile1 --userdn cn=daniel,ou=France,o=oracle,l=madison,st=WI,c=US -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong

B.3.11 Set Some Audit Options

$ORACLE_HOME/bin/olsadmintool audit --polname Policy1 --options "SET,APPLY" --type SESSION --success BOTH -b "ou=Americas,o=Oracle,c=US" -h yippee -p 389 -D "cn=shwong,c=us" -w shwong
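The steps above are normally typed one at a time, with the bind password repeated on every command line. As an added example, not part of the Oracle documentation or of the olsadmintool distribution, the Python driver below runs the component, label and profile steps of B.3.4 to B.3.8 in dependency order (components first, then the labels built from them, then the profile whose labels must already exist). Each olsadmintool call is built as an argument list and executed without a shell, so a long name containing spaces such as "TOP SECRET" needs no quoting and a quoting mistake cannot split a label value, and the first failing command stops the sequence instead of letting later steps reference components that were never created. The bind password is read from an environment variable (OLS_BIND_PASSWORD, a name chosen for this example) rather than typed into the shell history, and ORACLE_HOME falls back to an assumed path when the variable is unset. The caveat from Section B.2 still applies: the reference documents -w as the only way to pass the password, so it remains visible in the process argument list for the duration of each call.

```python
"""Run the B.3 component, label and profile steps through olsadmintool.

Added example, not from the Oracle documentation.  OLS_BIND_PASSWORD and the
default ORACLE_HOME path below are names chosen for this example.
"""
import os
import subprocess

ORACLE_HOME = os.environ.get("ORACLE_HOME", "/u01/app/oracle/product/db")  # assumed


class OlsAdmin:
    """Holds the connection parameters (CON in Table B-3) once and appends
    them to every command, in the order the reference shows them."""

    def __init__(self, host, bind_dn, bind_password, port=389,
                 admin_context=None, tool=None):
        self.tool = tool or os.path.join(ORACLE_HOME, "bin", "olsadmintool")
        self.con = ["-b", admin_context] if admin_context else []
        self.con += ["-h", host, "-p", str(port), "-D", bind_dn, "-w", bind_password]

    def argv(self, command, **params):
        """Argument vector for one command: long parameters get the double
        dash the reference requires; values are passed verbatim to the
        process, so no shell quoting is involved."""
        args = [self.tool, command]
        for name, value in params.items():
            args += [f"--{name}", str(value)]
        return args + self.con

    def run(self, command, **params):
        """Execute one command without a shell.  check=True raises on a
        non-zero exit, which halts the caller's loop at the first failure."""
        return subprocess.run(self.argv(command, **params), check=True,
                              capture_output=True, text=True)


def policy1_steps():
    """B.3.4 to B.3.8 in dependency order: levels, compartments and groups,
    then the labels composed from them, then the profile."""
    p = "Policy1"
    return [
        ("createlevel", dict(polname=p, tag=100, shortname="TS", longname="TOP SECRET")),
        ("createlevel", dict(polname=p, tag=99, shortname="S", longname="SECRET")),
        ("createlevel", dict(polname=p, tag=98, shortname="U", longname="UNCLASSIFIED")),
        ("createcompartment", dict(polname=p, tag=100, shortname="A", longname="ALPHA")),
        ("createcompartment", dict(polname=p, tag=99, shortname="B", longname="BETA")),
        ("creategroup", dict(polname=p, tag=100, shortname="G1", longname="GROUP1")),
        ("creategroup", dict(polname=p, tag=99, shortname="G2", longname="GROUP2")),
        ("creategroup", dict(polname=p, tag=98, shortname="G3", longname="GROUP3")),
        ("createlabel", dict(polname=p, tag=100, value="TS:A:G1")),
        ("createlabel", dict(polname=p, tag=101, value="TS:A,B:G2")),
        ("createprofile", dict(polname=p, profname="Profile1",
                               maxreadlabel="TS:A:G1", maxwritelabel="TS:A:G1",
                               minwritelabel="U::", defreadlabel="U:A:G1",
                               defrowlabel="U:A:G1", privileges="WRITEUP,READ")),
    ]


def plan(admin):
    """Argument vectors for every step, for review before anything runs."""
    return [admin.argv(cmd, **params) for cmd, params in policy1_steps()]


if __name__ == "__main__":
    admin = OlsAdmin("yippee", "cn=shwong,c=us", os.environ["OLS_BIND_PASSWORD"],
                     admin_context="ou=Americas,o=Oracle,c=US")
    for cmd, params in policy1_steps():
        admin.run(cmd, **params)
```

Call plan(admin) first and read the argument vectors it returns; only then run the loop in the main block. The policy-creator and administrator steps of B.3.1 to B.3.3 bind as different DNs (lbacsys and snamudur) and are therefore left to separate OlsAdmin instances rather than folded into this sequence.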

B.3.12 Results of These Examples

As a result of running the sets of olsadmintool commands outlined, this sample Oracle Label Security site has the following structure:

Table B-5 Label Component Definitions from Using olsadmintool Commands

Label Component | Tag | Short Name | Long Name
Level | 100 | TS | TOP SECRET
Level | 99 | S | SECRET
Level | 98 | U | UNCLASSIFIED
Compartment | 100 | A | ALPHA
Compartment | 99 | B | BETA
Group | 100 | G1 | GROUP1
Group | 99 | G2 | GROUP2
Group | 98 | G3 | GROUP3


  • Data labels: Tag 100 for TS:A:G1 and tag 101 for TS:A,B:G2

  • Users: Nina, from the Asia group of Microsoft, based in Seattle, Washington, managed under the Americas organization of the US Oracle organization, and Daniel, from the France group of Oracle in Madison, Wisconsin, managed under the same organization.

  • Profiles: Refer to Table B-6, "Contents of Profile1 from Using olsadmintool Commands".

Table B-6 Contents of Profile1 from Using olsadmintool Commands

Profile Element | Contents | Long-name Expansion or Meaning
MaxReadLabel | TS:A:G1 | TOP SECRET:ALPHA:GROUP1
MaxWriteLabel | TS:A:G1 | TOP SECRET:ALPHA:GROUP1
MinWriteLabel | U:: | UNCLASSIFIED (not restricted to any compartments or groups)
DefReadLabel | U:A:G1 | UNCLASSIFIED:ALPHA:GROUP1
DefRowLabel | U:A:G1 | UNCLASSIFIED:ALPHA:GROUP1
Privileges | WRITEUP, READ | User can read any row and raise the level of rows the user writes.


  • Auditing options: SET and APPLY operations on Policy1 are audited by session, for both successful and unsuccessful operations (SET, APPLY, SESSION, and BOTH)



Footnote Legend

Footnote 1 (Command Footnote): Every command must include the directory host name, the bind DN, and the bind password. Any command may, as needed, also supply the subscriber administrative context (optional), the directory port number (also optional), or both. See also Table B-3, "Summary: olsadmintool Command Parameters" for additional details on these parameters.