ORA-12445 When Applying a Label Function on a Table Protected by an OLS Policy (Doc ID 231777.1)

Last updated on AUGUST 01, 2023

Applies to:

Symptoms

When inserting new rows in a table protected by an Oracle Label Security policy, the internal column used to store the label tag information is not automatically updated. It is left to NULL value. Therefore the OLS administrator applies a labeling function on the table.


SQL> connect lbacsys/pass
SQL> grant execute on TO_LBAC_DATA_LABEL to <user> with grant option;

1- The owner of the protected table is creating the labeling function:

SQL> connect <user>/<password> 
SQL>

CREATE OR REPLACE FUNCTION <Schema_name>.<Function_Name> (<variable> <datatype>)  Return LBACSYS.LBAC_LABEL as 
    i_label varchar2(80);
Begin
-- Determine Sensitivity Level
  if to_char(sysdate,'YYYY') - to_char(end_date,'YYYY') > 5
    then i_label := 'S:';
  else i_label := 'HS:';
  end if; 
  return TO_LBAC_DATA_LABEL('FACILITY',i_label);
end;
/

2- The OLS administrator applies the policy on the table to be protected:

SQL> connect lbacsys/pass
SQL> BEGIN
sa_policy_admin.apply_table_policy (
POLICY_NAME => '<Policy_Name>',
SCHEMA_NAME => '<Schema_name>',
TABLE_NAME => '<Table_Name>',
TABLE_OPTIONS => NULL,
LABEL_FUNCTION => '<Schema_name>.<Function_Name>(:end_date)',
PREDICATE => NULL);
End;
/
BEGIN
*
ERROR at line 1:
ORA-12445: cannot change HIDDEN property of column
ORA-12432: LBAC error:
ORA-12433: create trigger failed, policy not applied
ORA-06512: at "LBACSYS.<Policy_Name>", line 257
ORA-06512: at line 2

3- Here are the actions suggested to solve the issue:

$ oerr ora 12445
12445, 00000, "cannot change HIDDEN property of column"
// *Cause: You tried to specify a different HIDE option for a table
// with an existing policy column.
// *Action: Drop the column from the table and reapply the policy with the new
// HIDE option.

Changes

Cause