Oracle Label Security Licensing: Cost, Compliance and Audit Risk

What Oracle Label Security Is

Oracle Label Security is a separately licensed database security option that adds row-level access control to Oracle Database Enterprise Edition. It operates by assigning sensitivity labels to individual data rows and access labels to database users, then enforcing access rules based on the relationship between those labels. Unlike standard Oracle database security, which controls access at the table, view, or object level, OLS controls access at the individual record level — a single table can contain rows that are visible to different user groups based on label classification.

The practical use cases for OLS are concentrated in regulated industries and multi-tenant environments. Government and defence organisations use OLS to enforce data classification schemes such as Confidential, Secret, and Top Secret at the database row level. Healthcare organisations use it to enforce patient data compartmentalisation. Financial institutions use it to separate trading desk data from compliance team data within the same database schema. Multi-jurisdiction organisations use OLS to enforce regional data residency rules by labelling rows with country or region identifiers and restricting access to appropriately authorised users.

OLS is technically separate from Oracle Database Vault, which controls administrative access and privileged user abuse. The two options are often deployed together in high-security environments but are licensed independently.

Oracle Label Security Licensing Requirements

Oracle Label Security is a licensed option for Oracle Database Enterprise Edition when deployed on-premises. It is not included in the Oracle Database Enterprise Edition base licence. It is also not included in Oracle Database Standard Edition 2, which cannot be combined with separately licensed options.

Metric Alignment Rule

Oracle Label Security must be licensed using the same metric as the underlying Oracle Database Enterprise Edition. If the database is licensed per Processor, OLS must be licensed per Processor for each physical processor on the server where the database runs. If the database is licensed per Named User Plus (NUP), OLS must be licensed per NUP for the same number of named users licensed for the database, subject to Oracle's minimum NUP requirements (25 NUPs per Processor for database options, unless a lower minimum applies under a specific order).

This metric alignment rule has a practical consequence for organisations that have licensed their database by Processor and then added OLS: the processor count for OLS must match the processor count for the database. An organisation cannot license the database for 16 processors and OLS for 8 processors — both must cover the same physical hardware.

Multi-Server Deployments

For organisations running Oracle RAC (Real Application Clusters), OLS must be licensed for every node in the cluster, not just the nodes where the OLS-protected tables reside. Because RAC operates across all nodes in the cluster, Oracle's licensing rules require all nodes to be licensed for any option deployed on any node. A four-node RAC cluster requires OLS licensing for all four nodes even if OLS is actively configured on only one.

Pricing and Support Cost Calculation

Oracle's published list pricing for Oracle Label Security as of the 2025 price list is $11,500 per Processor and $230 per Named User Plus. These are perpetual licence fees. Annual support is charged at 22 percent of the licence cost, subject to Oracle's standard 8 percent annual escalation.

On-Premises Cost Example

An organisation running Oracle Database Enterprise Edition on a two-socket server with two processors (each processor containing multiple cores, but Oracle counts physical processors for this option) that has activated Oracle Label Security faces the following exposure at list price. Perpetual licence cost: 2 processors × $11,500 = $23,000. Annual support in year one: $23,000 × 22% = $5,060. Annual support in year two (after 8% escalation): $5,065 × 1.08 = $5,465. Five-year total cost of ownership including licence and support: approximately $50,000 at list price before further escalation.

For an enterprise with 20 database servers each running two processors, the perpetual licence exposure for unlicensed OLS is $460,000 plus cumulative support. Oracle's audit team will typically seek backdated support fees for the period during which OLS was in use without a licence, compounding the total settlement demand.

Named User Plus Cost Example

An organisation licensing Oracle Database Enterprise Edition per NUP for 500 named users that activates OLS faces: 500 NUPs × $230 = $115,000 perpetual licence cost. Year-one support: $115,000 × 22% = $25,300. The NUP metric is often less expensive per unit for smaller organisations but requires careful management to ensure the licensed user count matches actual database access rights.

Where Oracle Label Security Is Included at No Extra Charge

Oracle Label Security is included without additional licence cost in several specific Oracle products and cloud service tiers. Understanding these inclusions is essential before purchasing OLS as a standalone option.

Oracle Database Personal Edition

Oracle Database Personal Edition is a single-user database product intended for development and individual use. OLS is included in Personal Edition at no additional charge. However, Personal Edition cannot be used in production multi-user environments, which limits its practical relevance for organisations that need OLS for production data classification.

Oracle Cloud Infrastructure — High Performance and Extreme Performance Tiers

In Oracle's Cloud Infrastructure (OCI), Oracle Label Security is included at no additional charge in the Enterprise Edition – High Performance and Enterprise Edition – Extreme Performance database service tiers. It is also included in Oracle Exadata Cloud Service. Organisations migrating Oracle Database workloads that use OLS from on-premises to OCI can therefore eliminate the separate OLS option cost by selecting the appropriate OCI service tier — provided the workload requirements align with those tiers.

This inclusion is a meaningful cost consideration for organisations evaluating OCI migration. If a workload requires OLS and is currently on-premises, the combined licence and support cost for OLS should be factored into the OCI migration business case. The elimination of OLS option fees may offset a portion of the cloud consumption cost, depending on utilisation patterns.

Oracle Autonomous Database

Oracle Label Security is also included in Oracle Autonomous Database (including Autonomous Data Warehouse and Autonomous Transaction Processing). Organisations running analytical workloads that require row-level security on Autonomous Database do not need to purchase OLS separately.

Oracle Label Security as an Audit Risk

Oracle Label Security is one of the most commonly unintentionally activated database options in enterprise Oracle estates. The Oracle Database installation media includes OLS files as part of the standard installation, and database administrators may activate OLS without realising it constitutes a separately licensed product. In Oracle's LMS (License Management Services, now GLAS) scripts, OLS activation is detected automatically during an audit scan.

How OLS Is Activated Unintentionally

OLS can be activated when a DBA runs the Oracle security configuration scripts as part of database hardening, applies a security benchmark such as the CIS Oracle Database Benchmark that recommends OLS configuration steps, or installs Oracle Database Vault (which can prompt OLS configuration during setup). In each scenario, the DBA may be following a security best practice without understanding that the resulting configuration constitutes use of a separately licensed option.

Oracle's audit scripts query the database dictionary for OLS-specific objects, policy configurations, and label definitions. Any database where these objects exist is flagged as having OLS deployed, regardless of whether OLS is actively enforcing access control on production data. The presence of the objects is sufficient for Oracle to assert that the option is in use and requires a licence.

Managing the Audit Risk

The most effective approach to managing OLS audit risk is a proactive database option review. This involves running Oracle's own discovery queries — or equivalent ITAM tool queries — against your database estate to identify all databases where OLS objects are present. Where OLS is present but not in active use for a business purpose, the remediation is to remove the OLS objects from the database before the next Oracle audit cycle. Oracle does not require a licence for OLS if it has been removed from the database prior to the audit measurement date.

Where OLS is in active use and is providing a material security function, the options are: purchase the OLS licence to establish compliance, migrate the database to an OCI service tier where OLS is included, or assess whether an alternative row-level security mechanism within Oracle Database (such as Oracle Virtual Private Database, which is included in Enterprise Edition) could replace OLS functionality without requiring the separate option.

Oracle Label Security vs Oracle Virtual Private Database

A common question from organisations evaluating OLS is how it differs from Oracle Virtual Private Database (VPD), also known as Fine-Grained Access Control (FGAC). VPD is included in Oracle Database Enterprise Edition at no additional charge and provides row-level filtering through policy functions. The distinction matters for both functional and licensing purposes.

VPD filters rows by dynamically appending WHERE clauses to SQL queries based on application context. It is highly flexible and can implement complex access rules but requires custom PL/SQL policy functions for each table and each access scenario. Administration is done in SQL and PL/SQL. VPD does not maintain a persistent label hierarchy — it evaluates access at query time based on session context.

OLS provides a structured label hierarchy that persists in the database independent of application code. Labels are assigned to rows at insert time and can be maintained across transactions. OLS includes built-in label component management, policy administration, and audit integration. For organisations that need to implement a formal data classification scheme that aligns with external standards — such as government security classifications or healthcare data sensitivity tiers — OLS provides a more structured framework than VPD. For organisations that need flexible row filtering without formal label management, VPD may be sufficient and has no additional licence cost.

Key Actions for Oracle Database Administrators and SAM Teams

Based on the licensing requirements and audit risks described above, organisations should take the following steps to establish and maintain OLS compliance. First, conduct a full database option discovery scan across all Oracle Database Enterprise Edition instances to identify where OLS is present, whether or not it is in active use. Second, for any database where OLS is present but not required, remove the OLS configuration objects and document the removal as part of your ITAM records. Third, for databases where OLS is in active use, verify that current entitlements include the OLS option at the correct metric and quantity. Fourth, review OCI migration candidates where OLS is in use on-premises, as migration to High Performance or Extreme Performance tiers eliminates the separate OLS licence cost. Fifth, establish a change management control that requires licensing sign-off before any database security option — including OLS and Oracle Database Vault — is activated in a production environment.