Oracle Label Security and Database Security Licensing: The Hidden Cost of Regulatory Compliance

Oracle Label Security implements row-level data classification — assigning sensitivity labels to individual database rows and restricting access based on user clearance levels. Oracle Database Security bundles Oracle Label Security with Oracle Database Vault to add privileged-user access controls that restrict even DBAs from accessing sensitive data. Both are separately licensed Oracle Database Enterprise Edition options — Oracle Label Security at $17,500 per processor, Oracle Database Security at $23,000 per processor. The compliance trap is that IT security teams deploying these options for GDPR, SOX, HIPAA, or PCI-DSS compliance do not always include the Oracle licence cost in their compliance project budget — and do not realise the audit exposure until Oracle LMS arrives. Former Oracle insiders explain what each option does, what triggers the licence requirement, and how to challenge inflated security options audit claims.

March 2026 · 13 min read · Oracle Database · Label Security · Database Security · Compliance Licensing

Oracle Label Security: Row-Level Data Classification

Oracle Label Security (OLS) provides a row-level access control mechanism that allows database administrators to assign sensitivity labels to individual rows in Oracle Database tables and restrict user access based on those labels and the user's associated clearance level. OLS is modelled on the Bell-LaPadula mandatory access control model — originally developed for government intelligence systems — adapted for commercial database environments.

The typical use cases are: separating national or regional data so that users in one jurisdiction cannot access data from another, enforcing need-to-know classification in financial institutions (where front-office staff should not see back-office risk data), and meeting data sovereignty requirements where healthcare patient records must be segmented by department or site. OLS enables this row-level separation without requiring separate databases or complex application-level filtering logic.

Oracle Label Security: Core Capabilities

  • Data labels — labels assigned to rows using the SA_LABEL_ADMIN package; each label has a level (sensitivity rank), compartments (categories), and groups (organisational units); rows with labels can only be accessed by users whose authorisation includes a matching or higher label
  • User authorisations — users are assigned maximum label, minimum label, default label, row label, and compartment/group authorisations through SA_USER_ADMIN; label checking occurs transparently at the database layer, below the application
  • Label policies — OLS policies are attached to individual tables; each policy defines enforcement mode (READ, INSERT, UPDATE, DELETE), label column name, and the label components in use
  • Integration with Oracle Audit Vault and Database Firewall — OLS label information is available to Oracle's audit and monitoring infrastructure; provides forensic evidence trail for regulated environments
  • SA_SYSDBA, SA_ADMIN, SA_USER_ADMIN packages — the PL/SQL interface for Oracle Label Security administration; any use of these packages requires the OLS licence

Oracle Label Security is a separately licensed Oracle Database EE option at $17,500 per processor. It is not included in any Oracle Database SE2 configuration. Annual support at 22% adds $3,850 per processor annually. In a mid-size production cluster (10 processors after Core Factor Table reduction), OLS costs $175,000 in licences plus $38,500 in annual support.

Oracle Database Vault: Privileged User Access Controls

Oracle Database Vault addresses a compliance requirement that Oracle Label Security does not: restricting the access of privileged database users — DBAs, SYS, SYSTEM — to sensitive application data. In standard Oracle Database configurations, a DBA with the DBA role can query any table in the database. Oracle Database Vault creates "realms" — protected zones within the database — that prevent even privileged users from accessing data within those zones without explicit authorisation.

The regulatory driver for Database Vault is separation of duties requirements. SOX compliance, for example, requires that IT operations staff (DBAs) should not be able to access financial transaction data that they have not been authorised to see. PCI-DSS requires that privileged users cannot access cardholder data without specific authorisation and audit logging. Database Vault enables organisations to meet these separation-of-duties requirements at the database layer without restructuring the application architecture.

Oracle Database Vault: Core Capabilities

  • Realms — protected areas of the database containing objects (schemas, tables, procedures) that are off-limits to privileged users not explicitly authorised for the realm; realms prevent access by SYS, SYSTEM, and DBA-role users
  • Command rules — rules that control when specific SQL commands (CREATE USER, GRANT, ALTER SYSTEM, etc.) can be executed; prevents DBAs from making privilege escalation changes during business hours, for example
  • Simulation mode — allows Database Vault policies to be configured without enforcement, logging violations for analysis before enabling enforcement; used for policy testing
  • Secure application roles — roles that can only be granted by the Database Vault realm owner, not by DBAs; prevents privilege escalation through role grants
  • Database Vault Owner and Account Manager — the two mandatory Database Vault accounts that separate DBA operations administration from Database Vault security administration; mandatory for Database Vault activation
  • Privilege Analysis — a Database Vault component that analyses and reports on actual privilege usage to identify over-provisioned users and excess privileges; requires Database Vault licence

Database Vault activation trigger: Unlike some options that are triggered by a parameter setting, Oracle Database Vault is triggered by running the dvca.sql configuration script and enabling the Database Vault components. Activation creates the DVSYS and DVF schemas in DBA_REGISTRY. If these schemas appear in your database, you need a Database Vault licence — either standalone Oracle Database Vault or as part of the Oracle Database Security bundle.

Oracle Database Security: The Bundle Option

Oracle Database Security is a bundle product that includes both Oracle Label Security and Oracle Database Vault in a single licence. Oracle's pricing rationale is that organisations deploying both security options receive a combined option at a lower total cost than purchasing them individually. This bundle pricing also makes Oracle Database Security a common audit target — if Oracle LMS finds either OLS or Database Vault in your estate, it will argue that you need the full Oracle Database Security bundle if you have both.

  • Oracle Label Security: $17,500 per processor
  • Oracle Database Vault: $23,000 per processor
  • Oracle Database Security bundle (OLS + Vault): $23,000 per processor

Note the pricing: Oracle Database Security (the bundle) is $23,000 per processor — the same as Oracle Database Vault alone. This means that if you are licensing Oracle Database Vault, adding Oracle Label Security through the bundle adds zero additional cost. If your compliance requirements need both OLS and Database Vault, the Oracle Database Security bundle at $23,000 per processor is always the correct product to licence.

Conversely, if you only need Oracle Label Security (not Database Vault), the standalone OLS licence at $17,500 per processor is cheaper than the $23,000 bundle. Oracle sales teams sometimes recommend the bundle to customers who only need OLS — a $5,500/processor over-licensing scenario that our Oracle licence optimisation service frequently identifies and resolves.

How Regulatory Compliance Programmes Accidentally Trigger These Options

The most common scenario for unbudgeted Oracle Label Security or Database Vault licence exposure is a compliance remediation project that implements these Oracle features without including Oracle licence costs in the project budget. This happens because information security teams are responsible for the technical implementation but procurement teams are responsible for Oracle licences — and the communication between them about Oracle option licensing does not happen consistently.

Specific scenarios we encounter regularly:

Common Compliance-Driven Oracle Security Option Licence Triggers

  • GDPR data residency implementation using Oracle Label Security — an EU GDPR compliance project assigns country-level OLS labels to customer data rows to enforce data residency requirements; OLS is deployed across production databases; the Oracle licence cost was not included in the GDPR project budget; LMS audit surfaces $500K+ in back-licence claims two years later
  • SOX separation of duties using Oracle Database Vault — a SOX compliance project enables Database Vault to prevent DBAs from accessing financial transaction tables; Database Vault is deployed across ERP and financial databases; the project team assumed Database Vault was included in the EE licence; it is not
  • PCI-DSS privileged access controls using Database Vault — a PCI-DSS audit recommendation leads to Database Vault implementation for cardholder data environment databases; Database Vault is deployed and auditor requirements are met; Oracle licence cost is not captured
  • Healthcare data classification using OLS for HIPAA — a HIPAA compliance programme classifies patient data rows with sensitivity labels using OLS; the compliance team selects OLS based on Oracle documentation and consultant recommendation without budget approval for the Oracle option licence
  • Database Vault deployed by consulting firm without licence disclosure — an Oracle-certified implementation partner deploys Database Vault as part of a database hardening engagement; the partner's statement of work does not include Oracle licence procurement; the enterprise discovers the unlicensed option deployment when the partner's engagement ends

The recurring theme is that Oracle option licence costs are not embedded in the technical implementation process — a compliance or security project can deploy Oracle features without triggering a procurement review. Our compliance review service includes a review of recently deployed Oracle features to identify licence gaps before Oracle LMS does.

How Oracle LMS Detects Label Security and Database Vault

Oracle LMS detects both Oracle Label Security and Oracle Database Vault through DBA_REGISTRY queries and schema-specific checks. The detection methodology is relatively straightforward — both options create distinct schemas that are registered in DBA_REGISTRY when deployed.

Oracle LMS Detection: Label Security

  • DBA_REGISTRY for LBAC or OLS component — OLS deployment registers the LBACSYS schema in DBA_REGISTRY; LMS queries SELECT COMP_NAME FROM DBA_REGISTRY WHERE COMP_ID = 'OLS'; presence confirms OLS is installed
  • ALL_SA_POLICY_GROUPS query — LMS queries Oracle Label Security system tables (SA_* views) to determine whether label policies have been created and are actively applied to tables
  • LBACSYS schema objects in DBA_OBJECTS — presence of LBACSYS schema objects with non-default status confirms OLS installation and basic configuration
  • SA_POLICY views for active table policies — LMS queries ALL_SA_TABLE_POLICIES to identify tables where OLS label enforcement is active; this is the usage evidence that corroborates the installation detection

Oracle LMS Detection: Database Vault

  • DBA_REGISTRY for DVSYS component — Database Vault deployment registers DVSYS schema in DBA_REGISTRY; LMS queries SELECT COMP_NAME FROM DBA_REGISTRY WHERE COMP_ID = 'DV'; presence confirms Database Vault is installed
  • DVSYS and DVF schemas in DBA_USERS — Database Vault creates two mandatory schemas (DVSYS and DVF) during configuration; their presence in DBA_USERS confirms Database Vault activation
  • V$OPTION for Database Vault — LMS queries V$OPTION for 'Oracle Database Vault'; returns TRUE when Database Vault is configured
  • DBA_DV_REALM query for active realms — LMS queries DBA_DV_REALM to determine whether Database Vault realms have been defined and are in enforcement mode; active realms confirm active Database Vault use

The critical distinction for audit defence is the same as for other options: installation evidence versus active usage evidence. For Oracle Label Security, active policy application to tables is the usage evidence. For Database Vault, active realms in enforcement mode are the usage evidence. If OLS schemas are installed but no policies are applied to any table, or if Database Vault is installed but in simulation mode with no active realms, there is scope to challenge Oracle's claim that the full option licence is owed.
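The installation-versus-usage distinction above, combined with the per-database scoping and bundle pricing this article describes, can be applied mechanically once the dictionary query results have been collected. The following Python is an added example, not Oracle or LMS tooling; the `Evidence` container, the mode strings ("enforcing", "simulation") and the sample estate are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# List prices per processor, as quoted in this article.
PRICE = {"OLS": 17_500, "DV": 23_000, "BUNDLE": 23_000}

@dataclass
class Evidence:
    """Query results collected from one database (hypothetical container)."""
    db: str
    processors: int                                 # after Core Factor Table reduction
    comp_ids: set                                   # COMP_ID values from DBA_REGISTRY
    ols_tables: list = field(default_factory=list)  # tables listed in ALL_SA_TABLE_POLICIES
    dv_realms: list = field(default_factory=list)   # (realm, mode) derived from DBA_DV_REALM

def state(installed, in_use):
    """Separate installation evidence from usage evidence."""
    if not installed:
        return "absent"
    return "in_use" if in_use else "installed_only"

def assess(ev):
    """Classify one database and price only what the usage evidence supports."""
    ols = state("OLS" in ev.comp_ids, bool(ev.ols_tables))
    # Simulation-mode realms log violations but restrict nobody, so they are not usage.
    dv = state("DV" in ev.comp_ids, any(m == "enforcing" for _, m in ev.dv_realms))
    if ols == dv == "in_use":
        product = "BUNDLE"   # both in use: the bundle costs the same as Vault alone
    elif dv == "in_use":
        product = "DV"
    elif ols == "in_use":
        product = "OLS"      # standalone OLS applies, not the bundle
    else:
        product = None
    return {
        "db": ev.db, "ols": ols, "dv": dv, "product": product,
        "list_cost": PRICE[product] * ev.processors if product else 0,
        "contestable": [n for n, s in (("OLS", ols), ("DV", dv)) if s == "installed_only"],
    }

def summarise(estate):
    """Compare usage-scoped exposure with an estate-wide bundle claim."""
    rows = [assess(ev) for ev in estate]
    return {
        "rows": rows,
        "scoped_total": sum(r["list_cost"] for r in rows),
        "estate_wide_bundle": PRICE["BUNDLE"] * sum(ev.processors for ev in estate),
    }

# Constructed sample estate; database names and processor counts are invented.
ESTATE = [
    Evidence("ERPPROD", 4, {"CATALOG", "OLS", "DV"}, ["FIN.LEDGER"], [("Finance", "enforcing")]),
    Evidence("CRMPROD", 4, {"CATALOG", "OLS"}, ["CRM.CUSTOMERS"]),
    Evidence("HRTEST", 2, {"CATALOG", "OLS", "DV"}, [], [("HR", "simulation")]),
    Evidence("DWPROD", 6, {"CATALOG"}),
]

if __name__ == "__main__":
    print(summarise(ESTATE))
```

On the constructed estate, pricing only the databases with usage evidence gives $162,000 at list, against $368,000 if the bundle were claimed across all 16 processors; HRTEST is flagged as contestable for both options because nothing there is enforcing.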

Overlap with Oracle Advanced Security Option

Oracle Advanced Security Option (ASO) is another separately licensed database security option ($15,000 per processor for EE) that covers Transparent Data Encryption (TDE) and network encryption. It is commonly conflated with Oracle Label Security and Database Vault in conversations about Oracle security options because all three are positioned at the security and compliance buyer persona. They are, however, technically distinct options with different capabilities and different licence triggers.

Oracle Database Security Options: Quick Comparison

  • Oracle Advanced Security Option (ASO) — $15,000/processor — transparent data encryption (TDE) for tablespace and column encryption, network encryption, and database authentication services; triggered by enabling TDE or Oracle Native Network Encryption with the encryption algorithm setting; covered in our Advanced Security article
  • Oracle Label Security (OLS) — $17,500/processor — row-level data access control using sensitivity labels; triggered by installing the LBACSYS schema and creating OLS policies applied to tables
  • Oracle Database Vault — included in Database Security bundle — privileged user (DBA) access restrictions through realm-based controls; triggered by DVSYS schema installation and realm creation
  • Oracle Database Security (bundle) — $23,000/processor — includes both Oracle Label Security and Oracle Database Vault; best value when both OLS and Database Vault are required
  • Oracle Audit Vault and Database Firewall (AVDF) — separate product licence — centralised database activity monitoring and audit vault; not a database option; licensed as a separate server product with its own metric and pricing

An enterprise deploying TDE for GDPR data-at-rest encryption (ASO), row-level data classification for data residency (OLS), and privileged user access controls for SOX separation of duties (Database Vault via the bundle) would need three separately licensed security components. At list price on a 10-processor estate, that totals $150,000 (ASO) + $230,000 (Database Security bundle) = $380,000 in security option licences plus $83,600 in annual support. Oracle's security compliance options are not cheap — and they are routinely under-budgeted in compliance projects.

Defending Against Oracle Security Options Audit Claims

Oracle security options audit claims require a combination of technical documentation and commercial negotiation strategy. The technical record establishes what was deployed and what was actually in use at the time of audit measurement. The commercial strategy uses Oracle's desire to expand cloud commitments to trade audit settlement for improved contract terms.

Oracle Security Options Audit Defence Strategies

  • Document the compliance justification and deployment scope — if Label Security or Database Vault was deployed for a specific regulatory compliance requirement (GDPR, SOX, HIPAA), document the scope of deployment; regulators often mandate specific databases or data types, not an entire estate; challenge any LMS claim that all databases require security option licences when only a subset is subject to the relevant compliance requirement
  • Challenge simulation mode vs enforcement mode distinctions — if Database Vault was configured in simulation mode (logging violations without enforcement) as part of a compliance assessment, the technical argument is that no privileged user access was restricted; simulation mode is a planning and testing tool, not an active access control deployment
  • Verify OLS policy application scope — if Oracle Label Security policies are applied to tables in only a subset of databases in your estate, the licence requirement applies to the processors running those specific databases, not the entire Oracle estate; LMS sometimes claims estate-wide licence requirements based on OLS deployment in a subset of databases
  • Review for bundle over-claim — if Oracle LMS is claiming the Oracle Database Security bundle ($23,000/processor) but only Oracle Label Security is deployed (not Database Vault), push back; the $17,500/processor standalone OLS licence applies, not the $23,000 bundle
  • Negotiate compliance-to-cloud conversion — Oracle has a strong interest in converting security compliance workloads to OCI, where Oracle's Autonomous Database includes many security features (TDE, audit logging, privilege analysis) as part of the service pricing; use the audit finding as leverage for an OCI commercial arrangement rather than paying Oracle's back-licence claim

Key Takeaways: Oracle Label Security and Database Security Licensing

  • Oracle Label Security ($17,500/processor) provides row-level data classification — triggered by installing the LBACSYS schema and applying OLS policies to database tables
  • Oracle Database Vault is part of the Oracle Database Security bundle ($23,000/processor) — triggered by DVSYS schema installation and enabling Database Vault realms
  • The Oracle Database Security bundle includes both OLS and Database Vault at $23,000/processor — the same price as Database Vault alone; always use the bundle if you need both
  • Compliance projects (GDPR, SOX, HIPAA, PCI-DSS) frequently deploy these options without including Oracle licence costs in the project budget — a common post-project audit risk
  • Oracle LMS detects both options through DBA_REGISTRY and schema presence queries; active policy/realm usage evidence strengthens Oracle's claim beyond installation
  • Oracle Advanced Security Option (TDE, network encryption) is a separate $15,000/processor option — different capabilities, different licence trigger, different audit detection methods
  • Licence scope challenges — limiting licence requirements to processors running databases where security controls are actively deployed — consistently reduce the size of security options audit claims

Written by the Oracle Licensing Experts team — former Oracle executives, LMS auditors, and contract managers who now work exclusively for enterprise buyers. Not affiliated with Oracle Corporation.