ZPR Artifacts: Security Attribute Namespaces and Security Attributes

Learn about the Zero Trust Packet Routing artifacts, security attribute namespaces, and security attributes.

A security attribute namespace is a container for a set of security attributes. Security attribute namespaces let you logically organize and secure security attributes.

A security attribute is a label that can be referenced in ZPR policy to control access to supported resources. You reference security attributes when you create Zero Trust Packet Routing (ZPR) policies to protect resources from unauthorized access or unauthorized data exfiltration.

Administrators must set up security attribute namespaces and security attributes in a tenancy before users can apply security attributes to resources.

You can manage security attribute namespaces and security attributes through the Console, CLI, or API. See Managing Security Attribute Namespaces and Managing Security Attributes.

Security Attribute Namespaces

A security attribute namespace is a container for a set of security attributes.

When you enable Zero Trust Packet Routing (ZPR), ZPR creates a security attribute namespace in the tenancy named oracle-zpr with an example security attribute named sensitivity. If the security attribute namespace of a security attribute is omitted, ZPR defaults to the oracle-zpr security attribute namespace.

Security attribute namespace names have specific naming conventions. The only valid characters for security attribute namespace names are:

  • 0-9
  • A-Z
  • a-z
  • - (en dash)
  • _ (underscore)

A security attribute namespace name must be unique across all security attribute namespaces in the tenancy and can't be changed. Also, you can't use a name that belongs to a security attribute namespace in an ACTIVE status.

A security attribute namespace can have the following statuses:

ACTIVE
The namespace is active.
INACTIVE
The namespace has been deactivated.
DELETING
The namespace is in the process of being deleted.
DELETED
The namespace is deleted.

Every security attribute namespace must have a description. Descriptions don't have to be unique, and they can be updated later.

Only an inactive security attribute namespace can be deleted. To change the status of a security attribute namespace to inactive, you must retire it.

When you retire a security attribute namespace, all the security attributes in the namespace are retired too. To reactivate the security attributes, you must reactivate each one individually after you reactivate the security attribute namespace.

See Managing Security Attribute Namespaces for operations you can perform to manage security attribute namespaces.

Security Attributes

A security attribute is a label that can be referenced in ZPR policy to control access to supported resources.

When you enable Zero Trust Packet Routing (ZPR), ZPR creates an example security attribute named sensitivity in the oracle-zpr security attribute namespace. You can change or delete the sensitivity security attribute.

Security Attribute Basics

You can apply up to 3 security attributes to each supported resource. See Limits for more information about limits in Zero Trust Packet Routing (ZPR).

Security attribute names have the same naming conventions as security attribute namespaces. The only valid characters for security attribute names are:

  • 0-9
  • A-Z
  • a-z
  • - (en dash)
  • _ (underscore)

Security attribute names must begin with an a-z letter and they must be unique within the same security attribute namespace. Security attribute names aren't case-sensitive, which means, for example, mySecurityAttribute and mysecurityattribute aren't allowed in the same namespace. If you specify a name that's already in use in the security attribute namespace, you receive an error.
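As an added example (not code from this page or from Oracle's ZPR tooling), the naming rules above for namespaces and security attributes, the case-insensitive uniqueness check, and the oracle-zpr default described in the Security Attribute Namespaces section, written as a small validator. The `namespace.attribute` reference format, the `qualify` and `Namespace` names, and accepting an uppercase initial letter (since names are not case-sensitive) are assumptions of this example.

```python
import re

# Character rules stated on the page: only 0-9, A-Z, a-z, "-" and "_".
# Attribute names must also begin with a letter; since the page says names
# are not case-sensitive, this example (an assumption) accepts A-Z there too.
_NAMESPACE_NAME = re.compile(r"^[0-9A-Za-z_-]+$")
_ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][0-9A-Za-z_-]*$")
DEFAULT_NAMESPACE = "oracle-zpr"  # namespace ZPR creates when it is enabled


def is_valid_namespace_name(name: str) -> bool:
    return bool(_NAMESPACE_NAME.match(name))


def is_valid_attribute_name(name: str) -> bool:
    return bool(_ATTRIBUTE_NAME.match(name))


def qualify(reference: str) -> tuple[str, str]:
    """Split 'namespace.attribute' into (namespace, attribute); a bare name
    falls back to oracle-zpr as the page describes. The '.' separator is an
    assumption of this example, not a format taken from the page."""
    namespace, sep, attribute = reference.rpartition(".")
    if not sep:
        namespace, attribute = DEFAULT_NAMESPACE, reference
    if not (is_valid_namespace_name(namespace) and is_valid_attribute_name(attribute)):
        raise ValueError(f"invalid security attribute reference: {reference!r}")
    return namespace, attribute


class Namespace:
    """Constructed in-memory model of one namespace; it enforces the required
    description and the case-insensitive uniqueness of attribute names."""

    def __init__(self, name: str, description: str) -> None:
        if not is_valid_namespace_name(name) or not description:
            raise ValueError("namespace needs a valid name and a description")
        self.name, self.description = name, description
        self._attrs: dict[str, str] = {}  # lower-cased name -> name as entered

    def add_attribute(self, name: str, description: str) -> str:
        if not is_valid_attribute_name(name) or not description:
            raise ValueError(f"invalid security attribute {name!r} or empty description")
        if name.lower() in self._attrs:  # mySecurityAttribute == mysecurityattribute
            raise ValueError(f"{name!r} is already in use in namespace {self.name}")
        self._attrs[name.lower()] = name
        return f"{self.name}.{name}"
```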

Every security attribute must have a description. Descriptions don't have to be unique, and they can be updated later.

Each security attribute is assigned a status depending on where the security attribute is in its lifecycle:

ACTIVE
The security attribute is active.
INACTIVE
The security attribute has been deactivated.
DELETING
The security attribute is in the process of being deleted.
DELETED
The security attribute is deleted.
RETIRED
The security attribute is retired.

When you no longer need a security attribute, you can delete it. To delete a security attribute, you first must retire it. Only a retired security attribute can be deleted.
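An added example (not part of this page or of ZPR itself) modelling the retire-before-delete rules for both security attribute namespaces (from the Security Attribute Namespaces section) and security attributes, including that retiring a namespace retires its attributes while reactivating it does not. The class names, leaving out the transient DELETING status and the attribute INACTIVE status, and requiring the namespace to be active before an attribute can be reactivated are assumptions of this example.

```python
from enum import Enum

class Status(Enum):
    ACTIVE = "ACTIVE"
    INACTIVE = "INACTIVE"
    RETIRED = "RETIRED"
    DELETED = "DELETED"  # the transient DELETING status is not modelled here

class SecurityAttribute:
    def __init__(self, namespace: "AttributeNamespace", name: str) -> None:
        self.namespace, self.name, self.status = namespace, name, Status.ACTIVE

    def retire(self) -> None:
        self.status = Status.RETIRED

    def reactivate(self) -> None:
        # Assumption: the namespace must be active again before its attributes can be.
        if self.namespace.status is not Status.ACTIVE:
            raise RuntimeError("reactivate the security attribute namespace first")
        self.status = Status.ACTIVE

    def delete(self) -> None:
        # Page rule: only a retired security attribute can be deleted.
        if self.status is not Status.RETIRED:
            raise RuntimeError("retire the security attribute before deleting it")
        self.status = Status.DELETED

class AttributeNamespace:
    def __init__(self, name: str) -> None:
        self.name, self.status, self.attributes = name, Status.ACTIVE, []

    def add(self, name: str) -> SecurityAttribute:
        attr = SecurityAttribute(self, name)
        self.attributes.append(attr)
        return attr

    def retire(self) -> None:
        # Page rule: retiring a namespace makes it INACTIVE and retires every attribute in it.
        self.status = Status.INACTIVE
        for attr in self.attributes:
            attr.retire()

    def reactivate(self) -> None:
        # Page rule: only the namespace comes back; each attribute is reactivated individually.
        self.status = Status.ACTIVE

    def delete(self) -> None:
        if self.status is not Status.INACTIVE:
            raise RuntimeError("retire the namespace (making it inactive) before deleting it")
        self.status = Status.DELETED
```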

See Managing Security Attributes for operations you can perform to manage security attributes.

Security Attribute Values

To further organize resources, you assign values to a security attribute.

For example, to organize its resources, a company applies the following security attributes:

  • applications
  • networks
  • databases

To further categorize resources, the company sets the following value types on the security attributes:

  • applications
    • hr-app
    • payroll-app
    • benefits-app
  • networks
    • front-network
    • back-network
  • databases
    • autonomous-databases
    • cloud-autonomous-vmclustersouth
    • cloud-vmclusters
    • db-systems

ZPR provides the following options for applying value types to security attributes:

Static
The user enters a value.
List of values
The user selects from a list of supplied values.

You can set value types when you create or update a security attribute. Value types are optional.