While the preceding examples performed a few insert operations, the major emphasis until now has been on read protection of the data. The READ_CONTROL option placed on tables uses Oracle’s VPD technology to limit the records returned by queries. Inserts, updates, and deletes of data, collectively known in the OLS world as write control, use VPD and after-row database triggers to enforce the security policies.
User authorizations are defined by combinations of levels, compartments, and groups. OLS follows specific algorithms to control how data is accessed for SELECT, INSERT, UPDATE, and DELETE operations. The Oracle Label Security Administrator’s Guide provides an excellent explanation of these algorithms, with flow diagrams; search for “Label Evaluation Process” in Chapter 3 of the guide for more information.
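The difference between read control and write control can be seen in a simplified model of those checks, added here as an illustration (it is not code from the book or from Oracle). It assumes the read and write rules as the guide's label evaluation discussion summarizes them, ignores OLS privileges such as READ and FULL, and uses constructed levels, compartments, groups and row names.

```python
from dataclasses import dataclass
PARENT = {"US_EAST": "US", "US_WEST": "US"}  # constructed hierarchy: child -> parent

@dataclass
class DataLabel:
    level: int   # numeric level, higher = more sensitive
    comps: set
    groups: set

@dataclass
class UserAuth:
    min_level: int
    session_level: int
    read_comps: set
    write_comps: set
    read_groups: set
    write_groups: set

def ancestors(group):
    while group is not None:
        yield group
        group = PARENT.get(group)

def holds_group(user_groups, data_groups):
    return any(a in user_groups for g in data_groups for a in ancestors(g))

def can_read(u, d):
    """READ_CONTROL: level, then one group (or a parent), then all compartments."""
    group_ok = not d.groups or holds_group(u.read_groups, d.groups)
    return d.level <= u.session_level and group_ok and d.comps <= u.read_comps

def can_write(u, d):
    """Write control (INSERT/UPDATE/DELETE): adds a minimum level and write access."""
    level_ok = u.min_level <= d.level <= u.session_level
    if d.groups:  # write on one group; read access to the compartments is enough
        return level_ok and holds_group(u.write_groups, d.groups) and d.comps <= u.read_comps
    return level_ok and d.comps <= u.write_comps  # no groups: write on every compartment

# Constructed authorizations and row labels, not taken from the book.
USER = UserAuth(min_level=10, session_level=20, read_comps={"FIN", "HR"},
                write_comps={"FIN"}, read_groups={"US"}, write_groups={"US_EAST"})
ROWS = {"hr_east": DataLabel(10, {"HR"}, {"US_EAST"}),
        "hr_only": DataLabel(10, {"HR"}, set()),
        "below_min": DataLabel(5, set(), set()),
        "hr_west": DataLabel(20, {"HR"}, {"US_WEST"}),
        "too_high": DataLabel(30, set(), set())}

def evaluate(user=USER, rows=ROWS):  # {row: (readable, writable)}
    return {name: (can_read(user, d), can_write(user, d)) for name, d in rows.items()}
```

Four of the five constructed rows are visible to the user but only one is writable, which is the gap between what READ_CONTROL returns and what write control lets the same session change.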