Tuesday 28 January 2014

How to Disable Oracle Label Security | OLS

OLS and the Audit table AUD$:

● Installation of Label Security causes the audit table SYS.AUD$ to be dropped and recreated in the SYSTEM schema. Its existing contents are copied into the new SYSTEM.AUD$ table.
● If you deinstall Label Security, AUD$ is recreated in the SYS schema and dropped from the SYSTEM schema. Again, the contents are copied from one to the other before dropping.

Starting with version 11.2.0.1, installing the Enterprise Edition always installs all of the options that belong to it; the Options selections available in the installer only decide whether each option is enabled. To enable or disable OLS afterwards, you can use chopt:

chopt enable lbac
chopt disable lbac

This works on both Unix/Linux and Windows operating systems.

If you want to disable OLS auditing for a particular policy in 11gR2, you can use the following command:
EXEC SA_AUDIT_ADMIN.NOAUDIT('AROLS', 'XXCTO', 'APPLY, REMOVE');

Syntax of the SA_AUDIT_ADMIN.AUDIT procedure, which the NOAUDIT call above reverses:
PROCEDURE AUDIT (
 policy_name IN VARCHAR2,
 users IN VARCHAR2 DEFAULT NULL,
 option IN VARCHAR2 DEFAULT NULL,
 type IN VARCHAR2 DEFAULT NULL,
 success IN VARCHAR2 DEFAULT NULL);

Disabling Oracle Label Security for 12c

If Oracle Database Vault has been enabled, then do not disable Oracle Label Security. Check the status of both options first:

SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

sqlplus '/as sysdba'
EXEC LBACSYS.OLS_ENFORCEMENT.DISABLE_OLS;
SHUTDOWN IMMEDIATE
STARTUP

For an Oracle Real Application Clusters (Oracle RAC) environment or a multitenant environment, repeat these steps for each Oracle RAC node or PDB on which you enabled Oracle Label Security.

To enable Oracle Label Security again:

EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
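
The 12c disable steps above can be combined into one guarded block, so that the Database Vault check cannot be skipped. This is an added example, not part of the original post; the error numbers -20001 and -20002 and the message texts are arbitrary choices made for it.

```sql
-- Added example, not from the original post. Run in SQL*Plus as SYSDBA.
-- In a multitenant database, run it in each PDB where OLS was enabled.
SET SERVEROUTPUT ON
DECLARE
  v_ols VARCHAR2(64);  -- V$OPTION.VALUE for Oracle Label Security
  v_dv  VARCHAR2(64);  -- V$OPTION.VALUE for Oracle Database Vault
BEGIN
  -- Same V$OPTION lookups as the two status queries in the post.
  BEGIN
    SELECT value INTO v_ols FROM v$option
     WHERE parameter = 'Oracle Label Security';
    SELECT value INTO v_dv FROM v$option
     WHERE parameter = 'Oracle Database Vault';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Option status unknown: stop without changing anything.
      RAISE_APPLICATION_ERROR(-20002,
        'Expected V$OPTION row not found; no change made.');
  END;

  IF v_dv = 'TRUE' THEN
    -- Database Vault is enabled, so OLS must stay enabled.
    RAISE_APPLICATION_ERROR(-20001,
      'Oracle Database Vault is enabled; OLS left enabled.');
  ELSIF v_ols = 'FALSE' THEN
    DBMS_OUTPUT.PUT_LINE('OLS is already disabled; nothing to do.');
  ELSE
    LBACSYS.OLS_ENFORCEMENT.DISABLE_OLS;
    DBMS_OUTPUT.PUT_LINE(
      'OLS disabled; now run SHUTDOWN IMMEDIATE and STARTUP.');
  END IF;
END;
/
```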

Removal of OLS Data Dictionary:

This 9i method still works for later versions.

cd $ORACLE_HOME/rdbms/admin/
sqlplus "/ as sysdba"
START catnools.sql


For 11gR2 it doesn't require downtime.

For 12c it requires downtime.
