OLS Consideration Factors

OLS is a very powerful security tool; however, there are a few situations of which you should be aware. A frequently asked question is, “Will OLS work with my existing applications?” The answer is definitely maybe.

There are two determining factors. The first involves the addition of the column to existing tables. Adding this column, even if hidden, could render your applications unsupported. In some cases, it may not be technically possible to alter the table and add the column without breaking something.

The second factor, which also applies to VPD, is that in providing row-level security, OLS may fool the application into thinking the data is corrupted. For an application that expects to see all the data, the transparent filtering of data records could be misinterpreted as a data integrity problem. There is no easy answer as to whether OLS will break an existing application.
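The following added example, which is not from the book, simulates this second factor with SQLite rather than Oracle: a view stands in for the transparent OLS/VPD filter, and the schema, the `row_label` column, the sample rows, and the function names are all constructed for illustration. An application reconciliation check that passes for a fully authorized session reports a mismatch once a labeled row is filtered out.

```python
import sqlite3

def build_db():
    """Constructed sample schema: an order header that stores its own line count."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, line_count INTEGER);
        -- row_label stands in for the label column added to a protected table
        CREATE TABLE order_lines (order_id INTEGER, item TEXT, row_label INTEGER);
        INSERT INTO orders VALUES (1, 3), (2, 2);
        INSERT INTO order_lines VALUES
            (1, 'widget', 10), (1, 'gasket', 10), (1, 'prototype', 30),
            (2, 'bolt', 10), (2, 'nut', 10);
    """)
    return db

def set_session_level(db, level):
    """Simulate transparent filtering: the application queries visible_lines and
    never sees the predicate that hides rows above the session's level."""
    db.execute("DROP VIEW IF EXISTS visible_lines")
    db.execute(
        "CREATE TEMP VIEW visible_lines AS "
        f"SELECT order_id, item FROM order_lines WHERE row_label <= {int(level)}"
    )

def integrity_check(db):
    """Application reconciliation: the stored line_count must match the rows found.
    Returns (order_id, expected, seen) for every order that looks corrupted."""
    return db.execute("""
        SELECT o.order_id, o.line_count, COUNT(v.item)
        FROM orders o LEFT JOIN visible_lines v ON v.order_id = o.order_id
        GROUP BY o.order_id, o.line_count
        HAVING o.line_count <> COUNT(v.item)
        ORDER BY o.order_id
    """).fetchall()

if __name__ == "__main__":
    db = build_db()
    for level in (30, 10):
        set_session_level(db, level)
        print(f"session level {level}: mismatches = {integrity_check(db)}")
```

The data is intact in both runs; only the session's visibility differs, so checks of this kind need to run under an account authorized to see every row.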

The other major impediment to implementing labels lies in the limits of the labels themselves. The limits on the components and labels make OLS unsuitable for certain security policies, especially when the labels are to be matched to a user community (i.e., a distinct label for each user) and the user community far exceeds 10,000. Additionally, while you can have up to 10,000 levels, compartments, and groups, the label’s character representation—for example, MGR:SALES:US—is constrained to 4,000 characters. In some cases, this limitation is reached long before the levels, compartments, or groups are exhausted.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
EAN: 2147483647
Year: 2003
Pages: 111
