Oracle® Label Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10774-01
6
Creating an Oracle Label Security Policy

This chapter explains how to create an Oracle Label Security policy. It contains these sections:

Oracle Label Security Administrative Task Overview

To create and implement an Oracle Label Security policy, you perform the following tasks, which are described in the next few chapters:

Step 1: Create the Policy

Create a policy by defining:

To do this in Oracle Policy Manager, you can use the Create Policy icon or the Policy property sheet.

Alternatively, you can use the SA_SYSDBA.CREATE_POLICY command line procedure.

See Also:

"Creating a Policy with SA_SYSDBA.CREATE_POLICY"

Step 2: Define the Components of the Labels

Define the levels, compartments, and groups that form the components of the new policy's labels.

To do this in Oracle Policy Manager, go to Oracle Label Security Policies--> policyname--> Labels and use the Labels property sheet.

Alternatively, you can use the SA_COMPONENTS package on the command line.

See Also:

"Using the SA_COMPONENTS Package to Define Label Components"

Specify the set of valid labels to support the policy. From all the possible combinations of levels, compartments, and groups, you must define labels that can be assigned to data.

Alternatively, applications that need to create data labels dynamically at runtime can use the TO_DATA_LABEL function.

Note:

When Oracle Label Security is installed to work with Oracle Internet Directory (OID), dynamic label generation is not allowed, because labels are managed centrally in OID, using olsadmintool commands. (See Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".)

Therefore, when Oracle Label Security is directory-enabled, this function, TO_DATA_LABEL, is not available and will generate an error message if used.

To use Oracle Policy Manager to define labels that can be assigned to data, go to Oracle Label Security Policies--> policyname-->Labels and use the Labels property sheet.

See Also:

"Using the SA_LABEL_ADMIN Package to Specify Valid Labels"

"Inserting Labels Using TO_DATA_LABEL"

Step 4: Apply the Policy to Tables and Schemas

Protect individual database tables and schemas by applying the policy to them. In the process, you can customize the level of enforcement of the policy for each table and schema, to reflect your application security requirements.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Protected Objects. Select either Schemas or Tables, and use the corresponding property sheet.

Alternatively, you can use the SA_POLICY_ADMIN package.

See Also:

Chapter 9, "Applying Policies to Tables and Schemas"

Step 5: Authorize Users

For individual users, define the authorizations that each person will use for session access. If users do not have appropriate authorizations, they cannot access protected data.

You can optionally assign special privileges that particular users need to do their job. Note that Oracle Label Security privileges may only be necessary to perform special job functions.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname--> Authorizations-->Users and use the User property sheet.

Alternatively, you can use the SA_POLICY_ADMIN package.

See Also:

Chapter 7, "Administering User Labels and Privileges"

Step 6: Create and Authorize Trusted Program Units (Optional)

Create any necessary stored trusted program units, and set their labels and privileges.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Authorizations-->Program Units and use the User property sheet.

Alternatively, you can use the SA_USER_ADMIN package.

See Also:

Chapter 10, "Administering and Using Trusted Stored Program Units"

Step 7: Configure Auditing (Optional)

Configure monitoring of the administrative tasks and use of privileges, if desired.

  • Configure policy-wide auditing.

    To do this with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Auditing and use the Auditing tab page of the Policy property sheet.

  • Configure auditing on a user-by-user basis.

    To do this with Oracle Policy Manager, go to Oracle Label Security Policies-->Authorizations-->Users--> username. Use the Auditing tab page of the User property sheet.

Alternatively, you can use the SA_AUDIT_ADMIN package to set auditing options for policies, users, and program units.

See Also:

Chapter 11, "Auditing Under Oracle Label Security"

Organizing the Duties of Oracle Label Security Administrators

You can manage the administration of an Oracle Label Security policy in various ways. The policy_DBA role is created when you create a new policy, and every individual who needs to perform administrative functions must be granted this role. However, you can grant EXECUTE privileges on the administrative packages to different users, so that each administrator can be restricted to a subset of the administrative functions.

For example, you could grant EXECUTE privilege on SA_COMPONENTS and SA_LABEL_ADMIN to one user or role to manage the label definitions, and grant EXECUTE on SA_USER_ADMIN to a different user or role to manage user labels and privileges. Alternatively, you could grant EXECUTE on all of the administrative packages to the policy_DBA role, so that anyone with the policy_DBA role could perform all of the administrative tasks.

Choosing an Oracle Label Security Administrative Interface

You can perform Oracle Label Security development and administrative tasks using either of two interfaces:

Oracle Label Security Packages

Oracle Label Security packages provide a direct, command-line interface for ease of administration. These include:

Table 6-1 Oracle Label Security Administrative Packages
Package Purpose

SA_SYSDBA

To create, alter, and drop Oracle Label Security policies

SA_COMPONENTS

To define the levels, compartments, and groups for the policy

SA_LABEL_ADMIN

To perform standard label policy administrative functions, such as creating labels

SA_POLICY_ADMIN

To apply policies to schemas and tables

SA_USER_ADMIN

To manage user authorizations for levels, compartments, and groups, as well as program unit privileges. Also to administer user privileges.

SA_AUDIT_ADMIN

To set options to audit administrative tasks and use of privileges



Oracle Label Security Demonstration File

For a demonstration showing how to create and develop an Oracle Label Security policy using the supplied packages, refer to the olsdemo.sql file in your ORACLE_HOME/rdbms/demo directory.

Oracle Policy Manager

You can use Oracle Policy Manager, an extension to Oracle Enterprise Manager, to administer Oracle Label Security. Figure 6-1 is a representative screenshot that illustrates the Oracle Policy Manager interface. Please see the online help for instructions on how to use this graphical user interface.

Figure 6-1 Oracle Policy Manager Interface

Using the SA_SYSDBA Package to Manage Security Policies

This section explains how to manage a policy using the SA_SYSDBA package. To do this in Oracle Policy Manager, use the Create Policy icon or the Policy property sheet.

Who Can Use the SA_SYSDBA Package

To use the SA_SYSDBA package to create, alter, and drop policies, a user must have:

  • The LBAC_DBA role
  • EXECUTE privilege on the SA_SYSDBA package

Who Can Administer a Policy

When you create a policy, a role named policy_DBA is automatically created. You can use this role to control the users who are authorized to execute the policy's administrative procedures.

For example, after you have created a human resources policy named HR, an HR_DBA role is automatically created. To use any administrative packages, a user would need to have the HR_DBA role. If Joan is the administrator of the HR policy, and David is the administrator of the FIN policy, then Joan has the HR_DBA role and David has the FIN_DBA role. Each person can only administer the policy for which he or she has the policy_DBA role.

The user who creates the policy is automatically granted the policy_DBA role with the ADMIN option, and can grant the role to others.

Valid Characters for Policy Specifications

Valid characters for all policy specifications include alphanumeric characters and underscores, as well as any valid character from your database character set.

Creating a Policy with SA_SYSDBA.CREATE_POLICY

Use the CREATE_POLICY procedure to create a new Oracle Label Security policy, define a policy-specific column name, and specify a set of default policy options.

Syntax:

PROCEDURE CREATE_POLICY (
   policy_name       IN VARCHAR2,
   column_name       IN VARCHAR2 DEFAULT NULL,
   default_options   IN VARCHAR2 DEFAULT NULL);

Table 6-2 Parameters for SA_SYSDBA.CREATE_POLICY
Parameter Name Parameter Description

policy_name

Specifies the policy name, which must be unique within the database. It can have a maximum of 30 characters, but only the first 26 characters in the policy_name are significant. Two policies may not have the same first 26 characters in the policy_name.

column_name

Specifies the name of the column to be added to tables protected by the policy. If NULL, the default name "SA_LABEL" is used. Two Oracle Label Security policies cannot share the same column name.

default_options

Specifies the default options to be used when the policy is applied and no table- or schema-specific options are specified. Includes enforcement options and the option to hide the label column.
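
The following is an added example, not taken from this guide or from olsdemo.sql. It creates the HR policy and then splits its administration along the lines described under "Organizing the Duties of Oracle Label Security Administrators". The users JOAN and HR_USERADMIN, the column name HR_LABEL, and the option string are assumptions; READ_CONTROL and WRITE_CONTROL are standard Oracle Label Security enforcement options, and LBACSYS is the schema that owns the administrative packages.

```sql
-- Added example: user names, column name and option string are assumptions.

-- 1. Create the policy. Connect as a user that holds the LBAC_DBA role and
--    EXECUTE on SA_SYSDBA. A policy-specific column name avoids a clash with
--    another policy that already uses the default SA_LABEL column.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/

-- 2. The HR_DBA role now exists and the creator holds it WITH ADMIN OPTION.
--    Every administrator of this policy needs the role.
GRANT HR_DBA TO joan;           -- will manage label definitions
GRANT HR_DBA TO hr_useradmin;   -- will manage user labels and privileges

-- 3. Restrict each administrator to a subset of the functions by granting
--    EXECUTE only on the packages the job needs. Run as the package owner
--    (LBACSYS) or as a user able to grant on these packages.
GRANT EXECUTE ON lbacsys.sa_components  TO joan;
GRANT EXECUTE ON lbacsys.sa_label_admin TO joan;
GRANT EXECUTE ON lbacsys.sa_user_admin  TO hr_useradmin;

-- 4. Review the result. A grantee you did not expect on either list means
--    the split of duties is wider than intended.
SELECT grantee, table_name AS package_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'LBACSYS'
AND    table_name IN ('SA_SYSDBA', 'SA_COMPONENTS', 'SA_LABEL_ADMIN',
                      'SA_POLICY_ADMIN', 'SA_USER_ADMIN', 'SA_AUDIT_ADMIN')
ORDER  BY table_name, grantee;

SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'HR_DBA'
ORDER  BY grantee;
```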

Modifying Policy Options with SA_SYSDBA.ALTER_POLICY

Use the ALTER_POLICY procedure to set and modify policy default options.

Syntax:

PROCEDURE ALTER_POLICY (
   policy_name       IN  VARCHAR2,
   default_options   IN  VARCHAR2 DEFAULT NULL);

Table 6-3 Parameters for SA_SYSDBA.ALTER_POLICY
Parameter Name Parameter Description

policy_name

Specifies the policy name

default_options

Specifies the default options to be used when the policy is applied and no table- or schema-specific options are specified. Includes enforcement options and the option to hide the label column.

Disabling a Policy with SA_SYSDBA.DISABLE_POLICY

Use the DISABLE_POLICY procedure to turn off enforcement of a policy, without removing it from the database. The policy is not enforced for all subsequent access to the database.

To disable a policy means that no access control is enforced on the tables and schemas protected by the policy. The administrator can continue to perform administrative operations while the policy is disabled.

Syntax:

PROCEDURE DISABLE_POLICY (policy_name IN VARCHAR2);

Table 6-4 Parameters for SA_SYSDBA.DISABLE_POLICY
Parameter Name Parameter Description

policy_name

Specifies the policy to be disabled

Note:

This feature is extremely powerful, and should be used with caution. When a policy is disabled, anyone who connects to the database can access all the data normally protected by the policy. Your site therefore should establish guidelines for use of this feature.

Normally, a policy should not be disabled in order to manage data. At times, however, an administrator may need to disable a policy in order to perform application debugging tasks. In this case, the database should be run in single-user mode. In a development environment, for example, you may need to observe data processing operations without the policy turned on. When you re-enable the policy, all of the selected enforcement options become effective again.

Enabling a Policy with SA_SYSDBA.ENABLE_POLICY

Use the ENABLE_POLICY procedure to enforce access control on the tables and schemas protected by the policy. A policy is automatically enabled when it is created. After creation or enabling, the policy is enforced for all subsequent access to tables protected by the policy.

Syntax:

PROCEDURE ENABLE_POLICY (policy_name IN VARCHAR2);

Table 6-5 Parameters for SA_SYSDBA.ENABLE_POLICY
Parameter Name Parameter Description

policy_name

Specifies the policy to be enabled
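
The following is an added example, not taken from this guide, of one way to keep a debugging session from leaving a policy disabled: the policy is re-enabled on both the normal and the error path, and its status is read back afterwards. HR is the sample policy name used in this chapter, hr_app.replay_failed_batch is a hypothetical procedure standing in for the work being debugged, and DBA_SA_POLICIES is the Oracle Label Security dictionary view of policies.

```sql
-- Added example: hr_app.replay_failed_batch is hypothetical.
-- Run as a user with the LBAC_DBA role and EXECUTE on SA_SYSDBA, with the
-- database restricted to a single user as the text above advises.
SET SERVEROUTPUT ON

DECLARE
  v_status VARCHAR2(30);
BEGIN
  SA_SYSDBA.DISABLE_POLICY('HR');
  DBMS_OUTPUT.PUT_LINE('HR disabled at ' ||
                       TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS'));

  BEGIN
    hr_app.replay_failed_batch;   -- hypothetical: the work being debugged
  EXCEPTION
    WHEN OTHERS THEN
      -- Re-enable before the error propagates, so that a failed debugging
      -- step cannot leave the protected tables open.
      SA_SYSDBA.ENABLE_POLICY('HR');
      RAISE;
  END;

  SA_SYSDBA.ENABLE_POLICY('HR');

  -- Read the status back rather than assuming the call took effect.
  SELECT status
  INTO   v_status
  FROM   dba_sa_policies
  WHERE  policy_name = 'HR';

  DBMS_OUTPUT.PUT_LINE('HR status at ' ||
                       TO_CHAR(SYSDATE, 'YYYY-MM-DD HH24:MI:SS') ||
                       ': ' || v_status);
END;
/
```

The two timestamps printed by the block bound the window in which the data was unprotected, which is the interval to compare against connection records for that period.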

Removing a Policy with SA_SYSDBA.DROP_POLICY

Use the DROP_POLICY procedure to remove the policy and all of its associated user labels and data labels from the database. It purges the policy from the system entirely. You can optionally drop the label column from all tables controlled by the policy.

Syntax:

PROCEDURE DROP_POLICY (policy_name IN VARCHAR2,
   drop_column  BOOLEAN DEFAULT FALSE);

Table 6-6 Parameters for SA_SYSDBA.DROP_POLICY 
Parameter Name Parameter Description

policy_name

Specifies the policy to be dropped

drop_column

Indicates that the policy column should be dropped from protected tables (TRUE)

Using the SA_COMPONENTS Package to Define Label Components

This package manages the component definitions of an Oracle Label Security label. Each policy defines the components differently. This section contains these topics:

Using Overloaded Procedures

Oracle Label Security makes use of overloaded subprogram names. That is, the same name is used for several different procedures whose formal parameters differ in number, order, or datatype family.

For example, you can call the SA_COMPONENTS.ALTER_LEVEL procedure this way:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   level_num       IN INTEGER,
   new_short_name  IN VARCHAR2 DEFAULT NULL,
   new_long_name   IN VARCHAR2 DEFAULT NULL);

or this way:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   short_name      IN VARCHAR2,
   new_long_name   IN VARCHAR2);

Because the processing in these two procedures is the same, it is logical to give them the same name. PL/SQL determines which of the two procedures is being called by checking their formal parameters. In the preceding example, the version of ALTER_LEVEL used by PL/SQL depends on whether you call the procedure with a level_num or short_name parameter.

Use the CREATE_LEVEL procedure to create a level and specify its short name and long name. The numeric values assigned to the level_num determine the sensitivity ranking (that is, a lower number indicates less sensitive data).

Syntax:

PROCEDURE CREATE_LEVEL (policy_name IN VARCHAR2,
   level_num         IN INTEGER,
   short_name        IN VARCHAR2,
   long_name         IN VARCHAR2);

Table 6-7 Parameters for SA_COMPONENTS.CREATE_LEVEL
Parameter Name Parameter Description

policy_name

Specifies the policy

level_num

Specifies the level number (0-9999)

short_name

Specifies the short name for the level (up to 30 characters)

long_name

Specifies the long name for the level (up to 80 characters)

Modifying a Level with SA_COMPONENTS.ALTER_LEVEL

Use the ALTER_LEVEL procedure to change the short name and/or long name associated with a level.

Once they are defined, level numbers cannot be changed. If a level is used in any existing label, then its short name cannot be changed, but its long name can be changed.

Syntax:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   level_num       IN INTEGER,
   new_short_name  IN VARCHAR2 DEFAULT NULL,
   new_long_name   IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   short_name      IN VARCHAR2,
   new_long_name   IN VARCHAR2);

Table 6-8 Parameters for SA_COMPONENTS.ALTER_LEVEL 
Parameter Name Parameter Description

policy_name

Specifies the policy

level_num

Specifies the number of the level to be altered

short_name

Specifies the short name for the level (up to 30 characters)

new_short_name

Specifies the new short name for the level (up to 30 characters)

new_long_name

Specifies the new long name for the level (up to 80 characters)

Removing a Level with SA_COMPONENTS.DROP_LEVEL

Use the DROP_LEVEL procedure to remove a level. If the level is used in any existing label, it cannot be dropped.

Syntax:

PROCEDURE DROP_LEVEL (policy_name IN VARCHAR2,
   level_num   IN INTEGER);

PROCEDURE DROP_LEVEL (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);

Table 6-9 Parameters for SA_COMPONENTS.DROP_LEVEL
Parameter Name Parameter Description

policy_name

Specifies the policy

level_num

Specifies the number of an existing level for the policy

short_name

Specifies the short name for the level (up to 30 characters)

Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT

Use the CREATE_COMPARTMENT procedure to create a compartment and specify its short name and long name. The comp_num determines the order in which compartments are listed in the character string representation of labels.

Syntax:

PROCEDURE CREATE_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num    IN INTEGER,
   short_name  IN VARCHAR2,
   long_name   IN VARCHAR2);

Table 6-10 Parameters for SA_COMPONENTS.CREATE_COMPARTMENT
Parameter Name Parameter Description

policy_name

Specifies the policy

comp_num

Specifies the compartment number (0-9999)

short_name

Specifies the short name for the compartment (up to 30 characters)

long_name

Specifies the long name for the compartment (up to 80 characters)

Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT

Use the ALTER_COMPARTMENT procedure to change the short name and/or long name associated with a compartment.

Once set, the comp_num cannot be changed. If the comp_num is used in any existing label, then its short name cannot be changed, but its long name can be changed.

Syntax:

PROCEDURE ALTER_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num          IN INTEGER,
   new_short_name    IN VARCHAR2 DEFAULT NULL,
   new_long_name     IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_COMPARTMENT (policy_name IN VARCHAR2,
   short_name        IN VARCHAR2,
   new_long_name     IN VARCHAR2);

Table 6-11 Parameters for SA_COMPONENTS.ALTER_COMPARTMENT
Parameter Name Parameter Description

policy_name

Specifies the policy

comp_num

Specifies the number of the compartment to be altered

short_name

Specifies the short name of the compartment to be altered (up to 30 characters)

new_short_name

Specifies the new short name of the compartment (up to 30 characters)

new_long_name

Specifies the new long name of the compartment (up to 80 characters).

Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT

Use the DROP_COMPARTMENT procedure to remove a compartment. If the compartment is used in any existing label, it cannot be dropped.

Syntax:

PROCEDURE DROP_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num    IN INTEGER);

PROCEDURE DROP_COMPARTMENT (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);

Table 6-12 Parameters for SA_COMPONENTS.DROP_COMPARTMENT
Parameter Name Parameter Description

policy_name

Specifies the policy

comp_num

Specifies the number of an existing compartment for the policy

short_name

Specifies the short name of an existing compartment for the policy

Creating a Group with SA_COMPONENTS.CREATE_GROUP

Use the CREATE_GROUP procedure to create a group and specify its short name and long name, and optionally a parent group.

Syntax:


PROCEDURE CREATE_GROUP (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   short_name  IN VARCHAR2,
   long_name   IN VARCHAR2,
   parent_name IN VARCHAR2 DEFAULT NULL);

Table 6-13 Parameters for SA_COMPONENTS.CREATE_GROUP
Parameter Name Parameter Description

policy_name

Specifies the policy

group_num

Specifies the group number (0-9999)

short_name

Specifies the short name for the group (up to 30 characters)

long_name

Specifies the long name for the group (up to 80 characters)

parent_name

Specifies the short name of an existing group as the parent group. If NULL, the group is a top-level group.

Note that the group number affects the order in which groups will be displayed when labels are selected.

See Also:

"Groups"

Modifying a Group with SA_COMPONENTS.ALTER_GROUP

Use the ALTER_GROUP procedure to change the short name and/or long name associated with a group.

Once set, the group_num cannot be changed. If the group is used in any existing label, then its short name cannot be changed, but its long name can be changed.

Syntax:

PROCEDURE ALTER_GROUP (policy_name IN VARCHAR2,
   group_num      IN INTEGER,
   new_short_name IN VARCHAR2 DEFAULT NULL,
   new_long_name  IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_GROUP (policy_name IN VARCHAR2,
   short_name     IN VARCHAR2,
   new_long_name  IN VARCHAR2);

Table 6-14 Parameters for SA_COMPONENTS.ALTER_GROUP
Parameter Name Parameter Description

policy_name

Specifies the policy

group_num

Specifies the existing group number to be altered

short_name

Specifies the existing group short name to be altered

new_short_name

Specifies the new short name for the group (up to 30 characters)

new_long_name

Specifies the new long name for the group (up to 80 characters)

Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT

The ALTER_GROUP_PARENT procedure changes the parent group associated with a particular group.

Syntax:

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   parent_name IN VARCHAR2);

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   parent_num  IN INTEGER);

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2,
   parent_name IN VARCHAR2);

Table 6-15 Parameters for SA_COMPONENTS.ALTER_GROUP_PARENT
Parameter Name Parameter Description

policy_name

Specifies the policy

group_num

Specifies the existing group number to be altered

short_name

Specifies the existing group short name to be altered

parent_num

Specifies the number of an existing group as the parent group

parent_name

Specifies the short name of an existing group as the parent group

Removing a Group with SA_COMPONENTS.DROP_GROUP

Use the DROP_GROUP procedure to remove a group. If the group is used in existing labels, it cannot be dropped.

Syntax:

PROCEDURE DROP_GROUP (policy_name IN VARCHAR2,
   group_num   IN INTEGER);

PROCEDURE DROP_GROUP (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);

Table 6-16 Parameters for SA_COMPONENTS.DROP_GROUP 
Parameter Name Parameter Description

policy_name

Specifies the policy

group_num

Specifies the number of an existing group for the policy

short_name

Specifies the short name of an existing group

Using the SA_LABEL_ADMIN Package to Specify Valid Labels

The SA_LABEL_ADMIN package provides an administrative interface to manage the labels used by a policy. To do this, a user must have EXECUTE privilege for the SA_LABEL_ADMIN package and have been granted the policy_DBA role.

This section includes:

Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL

Use the SA_LABEL_ADMIN.CREATE_LABEL procedure to create a valid data label. You must manually specify a label tag value from 1 to 8 digits long.

Syntax:

PROCEDURE CREATE_LABEL (
   policy_name IN VARCHAR2,
   label_tag   IN INTEGER,
   label_value IN VARCHAR2,
   data_label  IN BOOLEAN DEFAULT TRUE);

Table 6-17 Parameters for SA_LABEL_ADMIN.CREATE_LABEL
Parameter Name Parameter Description

policy_name

Specifies the name of an existing policy

label_tag

Specifies a unique integer value representing the sort order of the label, relative to other policy labels (0-99999999)

label_value

Specifies the character string representation of the label to be created

data_label

TRUE if the label can be used to label row data. Use this to define the label as valid for data.

When specifying labels, use the short name of the level, compartment and group.

When you identify valid labels, you specify which of all the possible combinations of levels, compartments, and groups can potentially be used to label data in tables.

Note:

If you create a new label by using the TO_DATA_LABEL procedure, a system-generated label tag of 10 digits will be generated automatically.

However, when Oracle Label Security is installed to work with Oracle Internet Directory (OID), dynamic label generation is not allowed, because labels are managed centrally in OID, using olsadmintool commands. (See Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".)

Therefore, when Oracle Label Security is directory-enabled, the TO_DATA_LABEL function is not available and will generate an error message if used.

See Also:

"The Policy Label Column and Label Tags"

Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL

Use the ALTER_LABEL procedure to change the character string label definition associated with a label tag. Note that the label tag itself cannot be changed.

If you change the character string associated with a label tag, the sensitivity of the data in the rows changes accordingly. For example, if the label character string TS:A with an associated label tag value of 4001 is changed to the label TS:B, then access to the data changes accordingly. This is true even though the label tag value (4001) has not changed. In this way you can change the data's sensitivity without the need to update all the rows.

Note that, when you specify a label to alter, you can refer to it either by its label tag or by its character string value.

Syntax:

PROCEDURE ALTER_LABEL (
   policy_name       IN VARCHAR2,
   label_tag         IN INTEGER,
   new_label_value   IN VARCHAR2 DEFAULT NULL,
   new_data_label    IN BOOLEAN  DEFAULT NULL);

PROCEDURE ALTER_LABEL (
   policy_name       IN VARCHAR2,
   label_value       IN VARCHAR2,
   new_label_value   IN VARCHAR2 DEFAULT NULL,
   new_data_label    IN BOOLEAN  DEFAULT NULL);

Table 6-18 Parameters for SA_LABEL_ADMIN.ALTER_LABEL
Parameter Name Parameter Description

policy_name

Specifies the name of an existing policy

label_tag

Identifies the integer tag assigned to the label to be altered

label_value

Identifies the existing character-string representation of the label to be altered

new_label_value

Specifies the new character string representation of the label value. If NULL, the existing value is not changed.

new_data_label

TRUE if the label can be used to label row data. If NULL, the existing value is not changed.
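
The following is an added example, not taken from this guide or from olsdemo.sql. It defines components for the HR policy with SA_COMPONENTS, registers valid data labels with SA_LABEL_ADMIN.CREATE_LABEL, and then carries out the TS:A to TS:B change described above by label tag. All component names, numbers, and label tags other than TS:A, TS:B, and 4001 are constructed; the level:compartments:groups label string form is standard Oracle Label Security notation, and DBA_SA_LABELS is the Oracle Label Security dictionary view of labels.

```sql
-- Added example: component names, numbers and most label tags are constructed.
-- Run as a user with the HR_DBA role and EXECUTE on SA_COMPONENTS and
-- SA_LABEL_ADMIN.

BEGIN
  -- Levels: a lower level_num ranks as less sensitive. Numbers cannot be
  -- changed later, so leave gaps for levels added in the future.
  SA_COMPONENTS.CREATE_LEVEL('HR', 1000, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('HR', 3000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('HR', 4000, 'TS', 'TOP_SENSITIVE');

  -- Compartments: comp_num only fixes the display order in a label string.
  SA_COMPONENTS.CREATE_COMPARTMENT('HR', 10, 'A', 'ALPHA');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR', 20, 'B', 'BRAVO');

  -- Groups: the parent is named by its short name and must already exist.
  SA_COMPONENTS.CREATE_GROUP('HR', 100, 'CORP', 'CORPORATE');
  SA_COMPONENTS.CREATE_GROUP('HR', 110, 'EMEA', 'EMEA_REGION', 'CORP');

  -- Overloaded call: named notation with level_num selects the INTEGER
  -- version of ALTER_LEVEL. Only the long name is changed here.
  SA_COMPONENTS.ALTER_LEVEL(
    policy_name   => 'HR',
    level_num     => 4000,
    new_long_name => 'TOP_SECRET');
END;
/

BEGIN
  -- Valid data labels, written with component short names. Tags are chosen
  -- by hand (1 to 8 digits) so that they sort in order of sensitivity.
  SA_LABEL_ADMIN.CREATE_LABEL('HR', 1000, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('HR', 3110, 'S:A:EMEA');
  SA_LABEL_ADMIN.CREATE_LABEL('HR', 4001, 'TS:A');
END;
/

-- Reclassify every row carrying tag 4001 without updating the rows: the tag
-- stays, the label string it stands for changes. Named notation with
-- label_tag selects the INTEGER version of ALTER_LABEL.
BEGIN
  SA_LABEL_ADMIN.ALTER_LABEL(
    policy_name     => 'HR',
    label_tag       => 4001,
    new_label_value => 'TS:B');
END;
/

-- Confirm what each tag now resolves to.
SELECT label_tag, label, label_type
FROM   dba_sa_labels
WHERE  policy_name = 'HR'
ORDER  BY label_tag;
```

Because the tag is what is stored in the rows, an ALTER_LABEL call changes who can read existing data as soon as it completes, so it belongs under the same change control as a grant.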

Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL

Use the SA_LABEL_ADMIN.DROP_LABEL procedure to delete a specified policy label. Any subsequent reference to the label (in data rows, or in user or program unit labels) will raise an invalid label error.

Syntax:

PROCEDURE DROP_LABEL (
   policy_name       IN VARCHAR2,
   label_tag         IN INTEGER);

PROCEDURE DROP_LABEL (
   policy_name       IN VARCHAR2,
   label_value       IN VARCHAR2);

Table 6-19 Parameters for SA_LABEL_ADMIN.DROP_LABEL
Parameter Name Parameter Description

policy_name

Specifies the name of an existing policy

label_tag

Specifies the integer tag assigned to the label to be dropped

label_value

Specifies the string value of the label to be dropped


Caution:

Do not drop a label that is in use anywhere in the database.


Use this procedure only while setting up labels, prior to data population. If you should inadvertently drop a label that is being used, you can recover by disabling the policy, fixing the problem, and then re-enabling the policy.