Oracle Label Security Licensing
Oracle Label Security is a separately licensed Enterprise Edition option that enforces row level access control using data classification labels. It is licensed on the same metric and core count as the database it runs on, so every processor or named user licensed for the database must also carry a Label Security licence. Configuring a policy is recorded in the feature usage views, which makes unlicensed use a conclusive audit finding.
Oracle Label Security is a specialist access control option that appears most often in government, defence, healthcare, and other environments with formal data classification requirements, and it is licensed with the same full footprint rule as every other Enterprise Edition extra. This article explains what Label Security does, how it is licensed, why a single configured policy is enough to create an audit finding, and how a buyer side estate keeps it contained. It sits beneath the database licensing pillar and pairs with the Database Vault analysis.
What is Oracle Label Security?
Label Security enforces access control at the row level by attaching a sensitivity label to each row and comparing it against the label authorisations of the user requesting access. It implements the kind of multi level security model used in classified environments, where a row marked confidential is visible only to users cleared to that level, and it does so inside the database rather than in application code.
It is genuinely useful for organisations with regulatory or contractual data classification obligations, which is precisely why it gets enabled. A compliance requirement to enforce classification at the data layer is met by configuring a Label Security policy, and a chargeable option is now in use, recorded permanently, with no procurement event marking the decision.
How is Oracle Label Security licensed?
Label Security is licensed on the same metric as the underlying database and for the same quantity. If the database is licensed by Processor, Label Security must be licensed for the identical processor count, calculated with the same core factor. If the database is licensed by Named User Plus, Label Security is licensed for the same named user count, subject to the same Named User Plus minimums.
There is no partial licensing. You cannot license Label Security for only the cores that serve classified data; the moment a policy is configured and applied on a database, the entire database footprint must carry the option licence. This all or nothing rule is identical to the one that governs Partitioning and the other extra cost options.
| Database metric | Label Security licensed as | Quantity required |
|---|---|---|
| Processor | Processor | Identical core count, same core factor |
| Named User Plus | Named User Plus | Identical user count, same minimums |
| Standard Edition | Not available | Option is Enterprise Edition only |
Why Label Security is not part of the base licence
As with the other security options, there is a common assumption that an access control feature must be included in the database an organisation already owns. It is not. Label Security is a priced option with its own price list entry, granted by no part of the base Enterprise Edition licence. It ships inside the standard software distribution and can be configured without a separate download or key, which is what makes its cost so easy to overlook.
The pattern is the recurring one across Oracle option licensing: ready to enable software, a technical action that requires no unlock, and only the agreement and the feature usage record between the organisation and a finding. Recognising that a classification control still carries a commercial cost is the discipline that applies across the whole options and packs set.
How does Oracle detect Label Security usage?
Oracle detects Label Security through the feature tracking views, principally DBA_FEATURE_USAGE_STATISTICS, which records whether Label Security has been configured and used, with first and last usage dates. This is the same conclusive mechanism that drives the database options audit: the database reports its own usage, leaving nothing to argue about.
Because the record persists, a Label Security policy configured years ago to meet a classification mandate will surface in an Oracle review with a usage history attached. The detection does not care whether the policy protects one table or the whole schema; the enablement itself is the finding.
Label Security versus Virtual Private Database
Label Security is often discussed alongside Virtual Private Database, and the distinction matters for licensing. Virtual Private Database is a feature of Enterprise Edition that lets developers attach security policies to tables programmatically, and it is included in the base Enterprise Edition licence at no extra charge. Label Security is a packaged, label based implementation of row level security that sits on top of that capability and is separately licensed.
The practical consequence is that an organisation can implement row level security using Virtual Private Database without incurring an option charge, but the moment it adopts the Label Security product to do the same job with classification labels, it owes the option for the full footprint. Knowing which capability is in use, and whether the simpler included feature would meet the requirement, is a material cost decision, related to the separation of duties choices covered in the Database Vault analysis.
Where Label Security is most often found
Label Security concentrates in sectors with formal classification obligations: government and defence, where multi level security is a mandate; healthcare, where patient data sensitivity drives row level controls; and regulated financial and pharmaceutical environments. In these settings the option is frequently enabled to satisfy a specific contractual or regulatory clause, which means the usage is both deliberate and, too often, unlicensed.
The risk profile is therefore distinctive. The organisations most likely to use Label Security are also the ones most likely to face an audit driven by a merger, a renewal, or a deployment scan, and the most likely to have enabled the option under compliance pressure without a licensing review. Folding the option into the entitlement baseline alongside the Enterprise Edition position is the only way to be sure the deployment matches the contract.
How to contain Label Security exposure
Containment rests on monitoring and policy. The estate should query the feature usage views on a schedule so any new Label Security configuration is detected promptly. Where usage is found and not licensed, the choices are to license it, to disable the policies and meet the requirement with included Virtual Private Database functionality where that is sufficient, or to consolidate the classified workload onto a database that already carries the licence.
The preventive control is a rule that configuring Label Security requires a licensing sign off, enforced through privileges and change management, and a deliberate evaluation of whether the included row level security features would satisfy the classification requirement before the option is adopted. Where Label Security is genuinely required, licensing it knowingly is the right answer, but the decision should be made with the full footprint cost visible. This modelling is the work the database licensing service brings to option management, and it is far cheaper than an audit defence settlement.
The buyer side view
The buyer side position on Label Security is that a classification control is a commercial commitment, and the included Virtual Private Database feature should be evaluated before the priced option is adopted. Monitor the feature usage views, treat any Label Security configuration as a licensing event, and decide deliberately between the option and the included alternative. Done as a standing discipline, this keeps a specialist control available where it is paid for and prevents the compliance driven enablement that becomes an audit finding. To model your own option exposure, start with the database pillar, review the database licensing white paper, or request a consultation.
Common questions.
Is Oracle Label Security included in Enterprise Edition?
No. Label Security is a separately licensed option on top of Database Enterprise Edition. It is not included in the base licence and is not available on Standard Edition. Configuring a Label Security policy requires a licence for the same metric and quantity as the database itself.
Does one Label Security policy require a full option licence?
Yes. There is no partial licensing. The moment a Label Security policy is configured and applied on a database, the entire database footprint must be licensed for the option, regardless of how many tables it protects. The feature usage views record the configuration either way.
What is the difference between Label Security and Virtual Private Database?
Virtual Private Database is a row level security feature included in the base Enterprise Edition licence at no extra charge. Label Security is a separately licensed product that implements label based row level access control on top of that capability. Using Virtual Private Database avoids the option charge that Label Security incurs.
How does Oracle detect Label Security usage?
Oracle reads the DBA_FEATURE_USAGE_STATISTICS view, which records whether Label Security has been configured and used, with first and last usage dates. This record is harvested during a review and is conclusive, making unlicensed Label Security a reliable audit finding.