6 Creating an Oracle Label Security Policy

This chapter explains how to create an Oracle Label Security policy. It contains these sections:

Oracle Label Security Administrative Task Overview
Organizing the Duties of Oracle Label Security Administrators
Choosing an Oracle Label Security Administrative Interface
Oracle Policy Manager
Using the SA_SYSDBA Package to Manage Security Policies
Using the SA_COMPONENTS Package to Define Label Components
Using the SA_LABEL_ADMIN Package to Specify Valid Labels

6.1 Oracle Label Security Administrative Task Overview

To create and implement an Oracle Label Security policy, you perform the following tasks, which are described in the next few chapters:

Step 1: Create the Policy
Step 2: Define the Components of the Labels
Step 3: Identify the Set of Valid Data Labels
Step 4: Apply the Policy to Tables and Schemas
Step 5: Authorize Users
Step 6: Create and Authorize Trusted Program Units (Optional)
Step 7: Configure Auditing (Optional)

6.1.1 Step 1: Create the Policy

Create a policy by defining:

The policy name
The column name for policy labels
The default options for the policy

To do this in Oracle Policy Manager, you can use the Create Policy icon or the Policy page.

Alternatively, you can use the SA_SYSDBA.CREATE_POLICY command-line procedure.

6.1.2 Step 2: Define the Components of the Labels

Define the levels, compartments, and groups that form the components of the new policy's labels.

To do this in Oracle Policy Manager, go to Oracle Label Security Policies, policyname, Labels and use the Labels page.

Alternatively, you can use the SA_COMPONENTS package on the command line.

6.1.3 Step 3: Identify the Set of Valid Data Labels

Specify the set of valid labels to support the policy. From all the possible combinations of levels, compartments, and groups, you must define labels that can be assigned to data.

Alternatively, applications that need to create data labels dynamically at runtime can use the TO_DATA_LABEL function.

Note:

When Oracle Label Security is installed to work with Oracle Internet Directory, dynamic label generation is not allowed, because labels are managed centrally in Oracle Internet Directory, using olsadmintool commands. Refer to Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".)

So, when Oracle Label Security is directory-enabled, this function, TO_DATA_LABEL, is not available and will generate an error message if used.

To use Oracle Policy Manager to define labels that can be assigned to data, go to Oracle Label Security Policies, policyname, Labels and use the Labels page.

"Inserting Labels Using TO_DATA_LABEL"

6.1.4 Step 4: Apply the Policy to Tables and Schemas

Protect individual database tables and schemas by applying the policy to them. In the process, you can customize the level of enforcement of the policy for each table and schema, to reflect your application security requirements.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies, policyname, Protected Objects. Select either Schemas or Tables, and use the corresponding property sheet.

Alternatively, you can use the SA_POLICY_ADMIN package.

6.1.5 Step 5: Authorize Users

For individual users, define the authorizations that each person will use for session access. If users do not have appropriate authorizations, they cannot access protected data.

You can optionally assign special privileges that particular users need to do their job. Note that Oracle Label Security privileges may only be necessary to perform special job functions.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies, policyname, Authorizations, Users and use the User page.

Alternatively, you can use the SA_POLICY_ADMIN package.

6.1.6 Step 6: Create and Authorize Trusted Program Units (Optional)

Create any necessary stored trusted program units, and set their labels and privileges.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies, policyname, Authorizations, Program Units and use the User property sheet.

Alternatively, you can use the SA_USER_ADMIN package.

6.1.7 Step 7: Configure Auditing (Optional)

Configure monitoring of the administrative tasks and use of privileges, if desired.

Configure policywide auditing.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies, policyname, Auditing and use the Auditing tab page of the Policy paget.
Configure auditing on a user-by-user basis.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies, Authorizations, Users, username. Use the Auditing tab page of the User property sheet.

Alternatively, you can use the SA_AUDIT_ADMIN package to set auditing options for policies, users, and program units.

6.2 Organizing the Duties of Oracle Label Security Administrators

You can manage the administration of an Oracle Label Security policy in various ways. The policy_DBA role is created when you create a new policy, and every individual who needs to perform administrative functions must be granted this role. However, you can grant EXECUTE privileges on the administrative packages to different users, so that each administrator can be restricted to a subset of the administrative functions.

For example, you could grant EXECUTE privilege on SA_COMPONENTS and SA_LABEL_ADMIN to one user or role to manage the label definitions, and grant EXECUTE on SA_USER_ADMIN to a different user or role to manage user labels and privileges. Alternatively, you could grant EXECUTE on all of the administrative packages to the policy_DBA role, so that anyone with the policy_DBA role could perform all of the administrative tasks.

6.3 Choosing an Oracle Label Security Administrative Interface

You can perform Oracle Label Security development and administrative tasks using either of two interfaces:

Oracle Label Security Packages
Oracle Policy Manager

6.3.1 Oracle Label Security Packages

Oracle Label Security packages provide a direct, command-line interface for ease of administration. These include:

Table 6-1 Oracle Label Security Administrative Packages

Package	Purpose
SA_SYSDBA	To create, alter, and drop Oracle Label Security policies
SA_COMPONENTS	To define the levels, compartments, and groups for the policy
SA_LABEL_ADMIN	To perform standard label policy administrative functions, such as creating labels
SA_POLICY_ADMIN	To apply policies to schemas and tables
SA_USER_ADMIN	To manage user authorizations for levels, compartments, and groups, as well as program unit privileges. Also to administer user privileges.
SA_AUDIT_ADMIN	To set options to audit administrative tasks and use of privileges

6.3.1.1 Oracle Label Security Demonstration File

For a demonstration showing how to create and develop an Oracle Label Security policy using the supplied packages, refer to the olsdemo.sql file in your ORACLE_HOME/rdbms/demo directory.

6.3.2 Oracle Policy Manager

You can use Oracle Policy Manager, an extension to Oracle Enterprise Manager, to administer Oracle Label Security. Figure 6-1, "Oracle Policy Manager Interface" is a representative screenshot that illustrates the Oracle Policy Manager interface. Please refer to the online help for instructions on how to use this graphical user interface.

Figure 6-1 Oracle Policy Manager Interface

Description of "Figure 6-1 Oracle Policy Manager Interface"

6.4 Using the SA_SYSDBA Package to Manage Security Policies

This section explains how to manage a policy using the SA_SYSDBA package. To do this in Oracle Policy Manager, use the Create Policy icon or the Policy property sheet.

Who Can Use the SA_SYSDBA Package
Who Can Administer a Policy
Valid Characters for Policy Specifications
Creating a Policy with SA_SYSDBA.CREATE_POLICY
Modifying Policy Options with SA_SYSDBA.ALTER_POLICY
Disabling a Policy with SA_SYSDBA.DISABLE_POLICY
Enabling a Policy with SA_SYSDBA.ENABLE_POLICY
Removing a Policy with SA_SYSDBA.DROP_POLICY

6.4.1 Who Can Use the SA_SYSDBA Package

To use the SA_SYSDBA package to create, alter, and drop policies, a user must have:

The LBAC_DBA role
EXECUTE privilege on the SA_SYSDBA package

6.4.2 Who Can Administer a Policy

When you create a policy, a role named policy_DBA is automatically created. You can use this role to control the users who are authorized to run the policy's administrative procedures.

For example, after you have created a human resources policy named HR, an HR_DBA role is automatically created. To use any administrative packages, a user would need to have the HR_DBA role. If Joan is the administrator of the HR policy, and David is the administrator of the FIN policy, then Joan has the HR_DBA role and David has the FIN_DBA role. Each person can administer that policy for which he or she has the policy_DBA role.

The user who creates the policy is automatically granted the policy_DBA role with the ADMIN option, and the user can grant the role to others.

6.4.3 Valid Characters for Policy Specifications

Valid characters for all policy specifications include alphanumeric characters and underscores, as well as any valid character from your database character set.

6.4.4 Creating a Policy with SA_SYSDBA.CREATE_POLICY

Use the CREATE_POLICY procedure to create a new Oracle Label Security policy, define a policy-specific column name, and specify a set of default policy options.

Syntax:

PROCEDURE CREATE_POLICY (
   policy_name       IN VARCHAR2,
   column_name       IN VARCHAR2 DEFAULT NULL,
   default_options   IN VARCHAR2 DEFAULT NULL);

Table 6-2 Parameters for SA_SYSDBA.CREATE_POLICY

Parameter Name	Parameter Description
policy_name	Specifies the policy name, which must be unique within the database. It can have a maximum of 30 characters, but only the first 26 characters in the policy_name are significant. Two policies may not have the same first 26 characters in the policy_name.
column_name	Specifies the name of the column to be added to tables protected by the policy. If NULL, the default name "SA_LABEL" is used. Two Oracle Label Security policies cannot share the same column name.
default_options	Specifies the default options to be used when the policy is applied and no table- or schema-specific options are specified. Includes enforcement options and the option to hide the label column.

See Also:

Regarding policy enforcement options for tables: "Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY"
Regarding HIDE, "Choosing Policy Options" and "The HIDE Policy Column Option".
"SYSDBA.CREATE_POLICY with Inverse Groups".

6.4.5 Modifying Policy Options with SA_SYSDBA.ALTER_POLICY

Use the ALTER_POLICY procedure to set and modify policy default options.

Syntax:

PROCEDURE ALTER_POLICY (
   policy_name       IN  VARCHAR2,
   default_options   IN  VARCHAR2 DEFAULT NULL);

Table 6-3 Parameters for SA_SYSDBA.ALTER_POLICY

Parameter Name	Parameter Description
policy_name	Specifies the policy name
default_options	Specifies the default options to be used when the policy is applied and no table- or schema-specific options are specified. Includes enforcement options and the option to hide the label column.

6.4.6 Disabling a Policy with SA_SYSDBA.DISABLE_POLICY

Use the DISABLE_POLICY procedure to turn off enforcement of a policy, without removing it from the database. The policy is not enforced for all subsequent access to the database.

To disable a policy means that no access control is enforced on the tables and schemas protected by the policy. The administrator can continue to perform administrative operations while the policy is disabled.

Syntax:

PROCEDURE DISABLE_POLICY (policy_name IN VARCHAR2);

Table 6-4 Parameters for SA_SYSDBA.DISABLE_POLICY

Parameter Name	Parameter Description
policy_name	Specifies the policy to be disabled

Note:

This feature is extremely powerful, and should be used with caution. When a policy is disabled, anyone who connects to the database can access all the data normally protected by the policy. So, your site should establish guidelines for use of this feature.

Normally, a policy should not be disabled in order to manage data. At times, however, an administrator may need to disable a policy to perform application debugging tasks. In this case, the database should be run in single-user mode. In a development environment, for example, you may need to observe data processing operations without the policy turned on. When you reenable the policy, all of the selected enforcement options become effective again.

6.4.7 Enabling a Policy with SA_SYSDBA.ENABLE_POLICY

Use the ENABLE_POLICY procedure to enforce access control on the tables and schemas protected by the policy. A policy is automatically enabled when it is created. After creation or enabling, the policy is enforced for all subsequent access to tables protected by the policy.

Syntax:

PROCEDURE ENABLE_POLICY (policy_name IN VARCHAR2);

Table 6-5 Parameters for SA_SYSDBA.ENABLE_POLICY

Parameter Name	Parameter Description
policy_name	Specifies the policy to be enabled

6.4.8 Removing a Policy with SA_SYSDBA.DROP_POLICY

Use the DROP_POLICY procedure to remove the policy and all of its associated user labels and data labels from the database. It purges the policy from the system entirely. You can optionally drop the label column from all tables controlled by the policy.

Syntax:

PROCEDURE DROP_POLICY (policy_name IN VARCHAR2,
   drop_column  BOOLEAN DEFAULT FALSE);

Table 6-6 Parameters for SA_SYSDBA.DROP_POLICY

Parameter Name	Parameter Description
policy_name	Specifies the policy to be dropped
drop_column	Indicates that the policy column should be dropped from protected tables (TRUE)

6.5 Using the SA_COMPONENTS Package to Define Label Components

This package manages the component definitions of an Oracle Label Security label. Each policy defines the components differently. This section contains these topics:

Creating a Level with SA_COMPONENTS.CREATE_LEVEL
Modifying a Level with SA_COMPONENTS.ALTER_LEVEL
Removing a Level with SA_COMPONENTS.DROP_LEVEL
Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT
Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT
Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT
Creating a Group with SA_COMPONENTS.CREATE_GROUP
Modifying a Group with SA_COMPONENTS.ALTER_GROUP
Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT
Removing a Group with SA_COMPONENTS.DROP_GROUP
See Also:
- Chapter 2, "Understanding Data Labels and User Labels"
- "Using Oracle Label Security Views" for information about displaying the label definitions you have set

6.5.1 Using Overloaded Procedures

Oracle Label Security makes use of overloaded subprogram names. That is, the same name is used for several different procedures whose formal parameters differ in number, order, or datatype family.

For example, you can call the SA_COMPONENTS.ALTER_LEVEL procedure this way:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   level_num       IN INTEGER,
   new_short_name  IN VARCHAR2 DEFAULT NULL,
   new_long_name   IN VARCHAR2 DEFAULT NULL);

or this way:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   short_name      IN VARCHAR2,

new_long_name IN VARCHAR2);

Because the processing in these two procedures is the same, it is logical to give them the same name. PL/SQL determines which of the two procedures is being called by checking their formal parameters. In the preceding example, the version of initialize used by PL/SQL depends on whether you call the procedure with a level_num or short_name parameter.

6.5.2 Creating a Level with SA_COMPONENTS.CREATE_LEVEL

Use the CREATE_LEVEL procedure to create a level and specify its short name and long name. The numeric values assigned to the level_num parameter determine the sensitivity ranking (that is, a lower number indicates less sensitive data).

Syntax:

PROCEDURE CREATE_LEVEL (policy_name IN VARCHAR2,
   level_num         IN INTEGER,
   short_name        IN VARCHAR2,
   long_name         IN VARCHAR2);

Table 6-7 Parameters for SA_COMPONENTS.CREATE_LEVEL

Parameter Name	Parameter Description
policy_name	Specifies the policy
level_num	Specifies the level number (0-9999)
short_name	Specifies the short name for the level (up to 30 characters)
long_name	Specifies the long name for the level (up to 80 characters)

6.5.3 Modifying a Level with SA_COMPONENTS.ALTER_LEVEL

Use the ALTER_LEVEL procedure to change the short name and long name associated with a level.

Once they are defined, level numbers cannot be changed. If a level is used in any existing label, then its short name cannot be changed, but its long name can be changed.

Syntax:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   level_num       IN INTEGER,
   new_short_name  IN VARCHAR2 DEFAULT NULL,
   new_long_name   IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   short_name      IN VARCHAR2,
   new_long_name   IN VARCHAR2);

Table 6-8 Parameters for SA_COMPONENTS.ALTER_LEVEL

Parameter Name	Parameter Description
policy_name	Specifies the policy
level_num	Specifies the number of the level to be altered
short_name	Specifies the short name for the level (up to 30 characters)
new_short_name	Specifies the new short name for the level (up to 30 characters)
new_long_name	Specifies the new long name for the level (up to 80 characters)

6.5.4 Removing a Level with SA_COMPONENTS.DROP_LEVEL

Use the DROP_LEVEL procedure to remove a level. If the level is used in any existing label, then it cannot be dropped.

Syntax:

PROCEDURE DROP_LEVEL (policy_name IN VARCHAR2,
   level_num   IN INTEGER);

PROCEDURE DROP_LEVEL (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);

Table 6-9 Parameters for SA_COMPONENTS.DROP_LEVEL

Parameter Name	Parameter Description
policy_name	Specifies the policy
level_num	Specifies the number of an existing level for the policy
short_name	Specifies the short name for the level (up to 30 characters)

6.5.5 Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT

Use the CREATE_COMPARTMENT procedure to create a compartment and specify its short name and long name. The comp_num parameter determines the order in which compartments are listed in the character string representation of labels.

Syntax:

PROCEDURE CREATE_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num    IN INTEGER,
   short_name  IN VARCHAR2,
   long_name   IN VARCHAR2);

Table 6-10 Parameters for SA_COMPONENTS.CREATE_COMPARTMENT

Parameter Name	Parameter Description
policy_name	Specifies the policy
comp_num	Specifies the compartment number (0-9999)
short_name	Specifies the short name for the compartment (up to 30 characters)
long_name	Specifies the long name for the compartment (up to 80 characters)

6.5.6 Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT

Use the ALTER_COMPARTMENT procedure to change the short name and long name associated with a compartment.

Once set, the comp_num parameter cannot be changed. If the comp_num parameter is used in any existing label, then its short name cannot be changed but its long name can be changed.

Syntax:

PROCEDURE ALTER_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num          IN INTEGER,
   new_short_name    IN VARCHAR2 DEFAULT NULL,
   new_long_name     IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_COMPARTMENT (policy_name IN VARCHAR2,
   short_name        IN VARCHAR2,
   new_long_name     IN VARCHAR2);

Table 6-11 Parameters for SA_COMPONENTS.ALTER_COMPARTMENT

Parameter Name	Parameter Description
policy_name	Specifies the policy
comp_num	Specifies the number of the compartment to be altered
short_name	Specifies the short name of the compartment to be altered (up to 30 characters)
new_short_name	Specifies the new short name of the compartment (up to 30 characters)
new_long_name	Specifies the new long name of the compartment (up to 80 characters).

6.5.7 Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT

Use the DROP_COMPARTMENT procedure to remove a compartment. If the compartment is used in any existing label, then it cannot be dropped.

Syntax:

PROCEDURE DROP_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num    IN INTEGER);

PROCEDURE DROP_COMPARTMENT (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);

Table 6-12 Parameters for SA_COMPONENTS.DROP_COMPARTMENT

Parameter Name	Parameter Description
policy_name	Specifies the policy
comp_num	Specifies the number of an existing compartment for the policy
short_name	Specifies the short name of an existing compartment for the policy

6.5.8 Creating a Group with SA_COMPONENTS.CREATE_GROUP

Use the CREATE_GROUP procedure to create a group and specify its short name and long name, and optionally a parent group.

Syntax:

PROCEDURE CREATE_GROUP (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   short_name  IN VARCHAR2,
   long_name   IN VARCHAR2,
   parent_name IN VARCHAR2 DEFAULT NULL);

Table 6-13 Parameters for SA_COMPONENTS.CREATE_GROUP

Parameter Name	Parameter Description
policy_name	Specifies the policy
group_num	Specifies the group number (0-9999)
short_name	Specifies the short name for the group (up to 30 characters)
long_name	Specifies the long name for the group (up to 80 characters)
parent_name	Specifies the short name of an existing group as the parent group. If NULL, then the group is a top-level group.

Note that the group number affects the order in which groups will be displayed when labels are selected.

See Also:

"Groups"

6.5.9 Modifying a Group with SA_COMPONENTS.ALTER_GROUP

Use the ALTER_GROUP procedure to change the short name and long name associated with a group.

Once set, the group_num parameter cannot be changed. If the group is used in any existing label, then its short name cannot be changed, but its long name can be changed.

Syntax:

PROCEDURE ALTER_GROUP (policy_name IN VARCHAR2,
   group_num      IN INTEGER,
   new_short_name IN VARCHAR2 DEFAULT NULL,
   new_long_name  IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_GROUP (policy_name IN VARCHAR2,
   short_name     IN VARCHAR2,
   new_long_name  IN VARCHAR2);

Table 6-14 Parameters for SA_COMPONENTS.ALTER_GROUP

Parameter Name	Parameter Description
policy_name	Specifies the policy
group_num	Specifies the existing group number to be altered
short_name	Specifies the existing group short name to be altered
new_short_name	Specifies the new short name for the group (up to 30 characters)
new_long_name	Specifies the new long name for the group (up to 80 characters)

6.5.10 Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT

The ALTER_GROUP_PARENT procedure changes the parent group associated with a particular group.

Syntax:

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   parent_name IN VARCHAR2);

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   parent_num  IN INTEGER);

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2,
   parent_name IN VARCHAR2);

Table 6-15 Parameters for SA_COMPONENTS.ALTER_GROUP_PARENT

Parameter Name	Parameter Description
policy_name	Specifies the policy
group_num	Specifies the existing group number to be altered
short_name	Specifies the existing group short name to be altered
parent_num	Specifies the number of an existing group as the parent group
parent_name	Specifies the short name of an existing group as the parent group

6.5.11 Removing a Group with SA_COMPONENTS.DROP_GROUP

Use the DROP_GROUP procedure to remove a group. If the group is used in an existing label, it cannot be dropped.

Syntax:

PROCEDURE DROP_GROUP (policy_name IN VARCHAR2,
   group_num   IN INTEGER);

PROCEDURE DROP_GROUP (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);

Table 6-16 Parameters for SA_COMPONENTS.DROP_GROUP

Parameter Name	Parameter Description
policy_name	Specifies the policy
group_num	Specifies the number of an existing group for the policy
short_name	Specifies the short name of an existing group

6.6 Using the SA_LABEL_ADMIN Package to Specify Valid Labels

The SA_LABEL_ADMIN package provides an administrative interface to manage the labels used by a policy. To do this, a user must have the EXECUTE privilege for the SA_LABEL_ADMIN package and have been granted the policy_DBA role.

This section includes:

Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL
Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL
Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL

6.6.1 Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL

Use the SA_LABEL_ADMIN.CREATE_LABEL procedure to create a valid data label. You must manually specify a label tag value from 1 to 8 digits long.

Syntax:

PROCEDURE CREATE_LABEL (
   policy_name IN VARCHAR2,
   label_tag   IN INTEGER,
   label_value IN VARCHAR2,
   data_label  IN BOOLEAN DEFAULT TRUE);

Table 6-17 Parameters for SA_LABEL_ADMIN.CREATE_LABEL

Parameter Name	Parameter Description
policy_name	Specifies the name of an existing policy
label_tag	Specifies a unique integer value representing the sort order of the label, relative to other policy labels (0-99999999)
label_value	Specifies the character string representation of the label to be created
data_label	TRUE if the label can be used to label row data. Use this to define the label as valid for data.

When specifying labels, use the short name of the level, compartment, and group.

When you identify valid labels, you specify which of all the possible combinations of levels, compartments, and groups can potentially be used to label data in tables.

Note:

If you create a new label by using the TO_DATA_LABEL procedure, a system-generated label tag of 10 digits will be generated automatically.

However, when Oracle Label Security is installed to work with Oracle Internet Directory, dynamic label generation is not permitted, because labels are managed centrally in Oracle Internet Directory, using olsadmintool commands. Refer to Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".

So, when Oracle Label Security is directory-enabled, the TO_DATA_LABEL function is not available and will generate an error message if used.

6.6.2 Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL

Use the ALTER_LABEL procedure to change the character string label definition associated with a label tag. Note that the label tag itself cannot be changed.

If you change the character string associated with a label tag, the sensitivity of the data in the rows changes accordingly. For example, if the label character string TS:A with an associated label tag value of 4001 is changed to the label TS:B, then access to the data changes accordingly. This is true even when the label tag value (4001) has not changed. In this way, you can change the data's sensitivity without the need to update all the rows.

Ensure that when you specify a label to alter, you can refer to it either by its label tag or by its character string value.

Syntax:

PROCEDURE ALTER_LABEL (
   policy_name       IN VARCHAR2,
   label_tag         IN INTEGER,
   new_label_value   IN VARCHAR2 DEFAULT NULL,
   new_data_label    IN BOOLEAN  DEFAULT NULL);

PROCEDURE ALTER_LABEL (
   policy_name       IN VARCHAR2,
   label_value       IN VARCHAR2,
   new_label_value   IN VARCHAR2 DEFAULT NULL,
   new_data_label    IN BOOLEAN  DEFAULT NULL);

Table 6-18 Parameters for SA_LABEL_ADMIN.ALTER_LABEL

Parameter Name	Parameter Description
policy_name	Specifies the name of an existing policy
label_tag	Identifies the integer tag assigned to the label to be altered
label_value	Identifies the existing character string representation of the label to be altered
new_label_value	Specifies the new character string representation of the label value. If NULL, the existing value is not changed.
new_data_label	TRUE if the label can be used to label row data. If NULL, the existing value is not changed.

6.6.3 Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL

Use the SA_LABEL_ADMIN.DROP_LABEL procedure to delete a specified policy label. Any subsequent reference to the label (in data rows, or in user or program unit labels) will raise an invalid label error.

Syntax:

PROCEDURE DROP_LABEL (
   policy_name       IN VARCHAR2,
   label_tag         IN INTEGER);

PROCEDURE DROP_LABEL (
   policy_name       IN VARCHAR2,
   label_value       IN VARCHAR2);

Table 6-19 Parameters for SA_LABEL_ADMIN.DROP_LABEL

Parameter Name	Parameter Description
policy_name	Specifies the name of an existing policy
label_tag	Specifies the integer tag assigned to the label to be dropped
label_value	Specifies the string value of the label to be dropped

Caution:

Do not drop a label that is in use anywhere in the database.

Use this procedure only while setting up labels, prior to data population. If you should inadvertently drop a label that is being used, you can recover it by disabling the policy, fixing the problem, and then re-enabling the policy.