Oracle® Label Security Administrator's Guide 11g Release 2 (11.2) Part Number E10745-01 |
|
|
View PDF |
This chapter explains how to create an Oracle Label Security policy. It contains these sections:
To create and implement an Oracle Label Security policy, you perform the following tasks, which are described in the next few chapters:
The policy name
The column name for policy labels
The default options for the policy
You can use Oracle Enterprise Manager Database Control interface to create a policy.
To create a policy using Oracle Enterprise Manager:
Log in to Oracle Enterprise Manager Database Control using the LBACSYS
account.
Click the Server tab.
Click Oracle Label Security under Security. The Label Security Policies page appears.
Click Create to start creating a new label security policy.
The Create Label Security Policy page appears.
Define the policy's name, label column, and the default policy enforcement options.
Name: Enter a name for the policy, for example, ACCESS_LOCATIONS
.
Label Column: Enter a name for the label column, for example, OLS_COLUMN
. Later on, when you apply the policy to a table, the label column is added to that table. By default, the data type of the policy label column is NUMBER(10)
. You can also use an existing table column of the NUMBER(10)
data type as the label column.
Hide Label Column: Select to hide the column. When you first create the policy, you may want to disable Hide Label Column during the development phase of the policy. When the policy is satisfactory and ready for use by users, hide the column so that it is transparent to applications.
Enabled: Toggle to enable or disable the policy.
Enforcement Options: The default policy enforcement options are used when the policy is applied. Ensure that these meet the needs of the application to which you are applying the policy.
Select from the following options:
Apply No Policy Enforcements (NO_CONTROL)
Apply Policy Enforcements
For all queries (READ_CONTROL)
For Insert operations (INSERT_CONTROL)
For Update Operations (UPDATE_CONTROL)
Use session's default label for label column update (LABEL_DEFAULT)
Operations that update the label column (LABEL_UPDATE)
Update and Insert operations so that they are read accessible (CHECK_CONTROL)
Click OK.
The new policy appears in the Oracle Label Security Policies page.
Alternatively, you can use the SA_SYSDBA.CREATE_POLICY command-line procedure to create a policy.
Define the levels, compartments, and groups that form the components of the new policy's labels.
To create the label components using Oracle Enterprise Manager:
In the Oracle Label Security Policies page, select the policy you just created. Click Edit.
In the Edit Label Security Policy page, select the Label Components tab.
Click Add 5 Rows under Levels to add levels for the policy. Enter a Long Name, Short Name, and Numeric Tag for each level that you create. The numeric tag corresponds to the sensitivity of the level. To create more levels, you can click Add 5 Rows again. Use the same steps to create compartments and rows. For compartments and groups, the numeric tags do not correspond to sensitivity.
At a minimum, you must create one level, such as SECRET. Creating compartments and groups is optional.
The level numbers indicate the level of sensitivity for their corresponding labels. A greater number implies greater sensitivity. Select a numeric range that can be expanded later on, in case your security policy needs more levels. For example, if you have created levels PUBLIC (7000) and SENSITIVE (8000), and you now want to create an intermediate level called CONFIDENTIAL, then you can assign the numeric value 7500 to this level.
Compartments identify categories associated with data, providing a finer level of granularity within a level. For example, a single table might have data corresponding to different departments that you might like to separate using compartments. Compartments are optional.
Groups identify organizations owning or accessing the data. Groups are useful for the controlled dissemination of data and for timely reaction to organizational change. Groups are optional.
Click Apply.
Alternatively, you can use the SA_COMPONENTS package on the command line to create the label components.
Specify the set of valid labels to support the policy. From all the possible combinations of levels, compartments, and groups, you must define labels that can be assigned to data.
To create data labels for a policy:
In the Label Security Policies page, select the policy that needs to have labels linked to levels.
In the Actions box, select Data Labels. Click Go.
The Data Labels page appears.
Click Add.
The Create Data Label page appears.
Enter the following information:
Numeric Tag: Enter a number that uniquely identifies the label. This number should be unique across all policies.
Level: Select a level from the list.
You can optionally select Compartments to add to the label. To add compartments, click Add under Compartments. Select the compartments to be added to the label. Click Select to add the compartments.
You can optionally select Groups to add to the label. To add groups, click Add under Groups. Select the groups to be added to the label. Click Select to add the groups.
Click OK in the Create Data Label page.
The data label appears in the Data Labels page.
Alternatively, you can use the SA_LABEL_ADMIN package to create the label components.
Applications that need to create data labels dynamically at runtime can use the TO_DATA_LABEL function.
Note:
When Oracle Label Security is installed to work with Oracle Internet Directory, dynamic label generation is not allowed, because labels are managed centrally in Oracle Internet Directory, usingolsadmintool
commands. Refer to Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".)
So, when Oracle Label Security is directory-enabled, this function, TO_DATA_LABEL, is not available and will generate an error message if used.
Protect individual database tables and schemas by applying the policy to them. In the process, you can customize the level of enforcement of the policy for each table and schema, to reflect your application security requirements.
To apply the policy to a database table:
In the Label Security Policies page, select the policy that needs to be applied to a table.
Select Apply from the Actions box. Click Go.
The Apply page appears.
Select the Tables tab to apply the policy to a table.
Note:
Select the Schemas tab if you are applying the policy to a schema.The process is same as applying the policy to a table.Click Create.
The Add Table page appears.
Next to the Table box, click the flashlight icon.
In the Search and Select window, enter the following information under Search:
Schema: Enter the name of the schema in which the table appears. Leaving this field empty displays tables in all schemas.
Name: Optionally, enter the name of the table. Leaving this box empty displays all the tables within the schema.
To narrow the search by using wildcards, use the percent (%) sign. For example, enter O%
to search for all tables beginning with the letter O.
Select the table and click Select.
The Add Table page appears.
Enter the following information:
Policy Enforcement Options: Select enforcement options as needed. These options will apply to the table on top of the enforcement options that you selected when you created the policy in Step 1: Create the Policy.
To make no change from those enforcement options, that is, to use the same enforcement options created earlier, select Use Default Policy Enforcement. To add more enforcement options, select from the other options listed.
Labeling Function: Optionally, specify a labeling function to automatically compute the label to be associated with a new or updated row. That function is always invoked thereafter to provide the data labels written under that policy, because active labeling functions take precedence over any alternative means of supplying a label.
Predicate: Optionally, specify an additional predicate to combine (using AND
or OR
) with the label-based predicate for READ_CONTROL
.
Click OK.
Alternatively, you can use the SA_POLICY_ADMIN package to apply policies to tables and schemas.
For individual users, define the authorizations that each person will use for session access. If users do not have appropriate authorizations, they cannot access protected data.
You can optionally assign special privileges that particular users need to do their job. Note that Oracle Label Security privileges may only be necessary to perform special job functions.
To authorize users for the OLS policy:
In the Label Security Policies page, select the policy that needs authorization.
In the Actions box, select Authorization. Click Go.
The Authorization page appears. Make sure that the Users tab is selected.
Click Add Users.
The Add Users page appears.
Add users as follows:
Under Database Users, click Add. In the Search and Select window, select users that you want and then click Select.
Under Non Database Users, click Add 5 Rows, and then add the user names of the non-database users that you want to add. Most application users are considered non-database users. A non-database user does not exist in the database. This can be any user name that meets the Oracle Label Security naming standards and can fit into the VARCHAR2
(30) length field. However, be aware that Oracle Database does not automatically configure the associated security information for the non-database user when the application connects to the database. In this case, the application needs to call an Oracle Label Security function to assume the label authorizations of the specified user who is not a real database user.
In the Create User page, select the user that you want to authorize. Click Next. If you have multiple users that need the same authorizations, then select all users who need the same authorizations. Click Next.
The Privileges step appears.
Next, you can assign privileges to the user you selected in the preceding step. Privileges allow a database user to bypass certain controls enforced by the policy. Select the privileges you want to grant. Click Next.
If you do not wish to assign any privilege to the user, click Next without selecting any privileges.
The Labels, Compartments, and Groups step appears.
Next, you need to create the user label for the user. Under Levels, use the flashlight icon to select data to enter for the following fields:
Maximum Level: Enter the highest level for read and write access for this user.
Minimum Level: Enter the lowest level for write access.
Default Level: Enter the default level when the user logs in.
This value is equal to or greater than the minimum level and equal to or less than the maximum level.
Row Level: Enter the level given to the row when user writes to the table.
Click Add under Compartments, to add compartments to the user label. Select the compartments to add. Click Select.
For each compartment that you add, you can select the following properties:
Write: Allows the user to write to data that has the compartment as part of it's label
Default: Adds the compartment to the user's default session label
Row: Adds the compartment to the data label when the user writes to the table
Click Add under Groups, to add groups to the user label. Select the groups and click Select.
For each group that you add, you can select the following properties:
Write: Allows the user to write to data that has the group as part of it's label
Default: Adds the group to the user's default session label
Row: Adds the group to the data label when the user writes to the table
Click Next.
The Audit step appears.
Next, you can choose to set the policy audit options for the selected user. You can set audit options for the following operations:
Policy Applied:
Audit On Success By audits successful application of the policy to a table or schema. Select ACCESS to audit by access or SESSION to audit by session.
Audit On Failure By audits failed application of the policy to a table or schema. Select ACCESS to audit by access or SESSION to audit by session.
Policy Removed:
Audit On Success By audits successful removal of the policy from a table or schema. Select ACCESS to audit by access or SESSION to audit by session.
Audit On Failure By audits failed removal of the policy from a table or schema. Select ACCESS to audit by access or SESSION to audit by session.
Labels And Privileges Set:
Audit On Success By audits successful setting of user authorizations and privileges. Select ACCESS to audit by access or SESSION to audit by session.
Audit On Failure By audits failed setting of user authorizations and privileges. Select ACCESS to audit by access or SESSION to audit by session.
All Policy Specific Privileges:
Audit On Success By audits successful use of policy privileges. Select ACCESS to audit by access or SESSION to audit by session.
Audit On Failure By audits failed use of policy privileges. Select ACCESS to audit by access or SESSION to audit by session.
Click Next.
You can review the policy authorization settings. Click Finish to create the policy authorization. Alternatively, you can click Back to modify the authorization settings.
Alternatively, you can use the SA_POLICY_ADMIN package to authorize users.
Trusted program units are functions, procedures, or packages that are granted Oracle Label Security privileges. You create a trusted stored program unit in the same way that you create a standard procedure, function, or package, that is by using the CREATE PROCEDURE
, CREATE FUNCTION
, or CREATE PACKAGE
and CREATE PACKAGE BODY
statements. The program unit becomes trusted when you grant Oracle Label Security privileges to it.
To set privileges for a program unit:
In the Label Security Policies page, select the policy that needs authorization.
In the Actions box, select Authorization. Click Go.
The Authorization page appears.
Click the Trusted Program Units tab.
Click Add to add Oracle Label Security privileges for a procedure, function, or package.
The Create Program Unit page appears.
Enter the name of the procedure, function, or package, for which the privileges need to be granted, in the Program Unit field. You can also use the Search icon to search for the procedure, function, or package.
Select one or more policy-specific privileges that need to be granted to the program unit. Click OK.
The trusted program unit is added to the Authorizations page.
Alternatively, you can use the SA_USER_ADMIN package to authorize trusted program units.
Configure monitoring of the administrative tasks and use of privileges, if desired.
To configure audit settings for an existing Oracle Label Security policy:
In the Label Security Policies page, select the policy that you need to configure.
Click Edit.
The Edit Label Security Policy Settings page appears.
Click the Advanced tab. You can edit the audit settings under the Audit section.
Select Include Label In Audit trail under Audit Labels, if you wish to include user session labels in the audit table.
Select the Operation, to audit, under Audit Settings. You can choose from the following operations:
Policy Applied: Audits application of the policy to a table or schema.
Policy Removed: Audits removal of the policy from a table or schema.
Labels And Privileges Set: Audits setting of user authorizations and privileges.
All Policy Specific Privileges: Audits use of policy privileges.
Click Add under Policy Applied to add users that will be audited for the Operation you selected in the preceding step.
The Search and Select window appears.
Select the users that you need to add. Click Select.
Select values for Audit on Success By and Audit on Failure By, for each user that you added.
For each user that you added, you can choose to audit successful and failed instances of the chosen operation. You can also choose to audit by access or session.
Repeat steps 5 to 8 for each operation that you choose to audit.
You can manage the administration of an Oracle Label Security policy in various ways. The policy_DBA role is created when you create a new policy, and every individual who needs to perform administrative functions must be granted this role. However, you can grant EXECUTE privileges on the administrative packages to different users, so that each administrator can be restricted to a subset of the administrative functions.
For example, you could grant EXECUTE privilege on SA_COMPONENTS and SA_LABEL_ADMIN to one user or role to manage the label definitions, and grant EXECUTE on SA_USER_ADMIN to a different user or role to manage user labels and privileges. Alternatively, you could grant EXECUTE on all of the administrative packages to the policy_DBA role, so that anyone with the policy_DBA role could perform all of the administrative tasks.
You can perform Oracle Label Security development and administrative tasks using either of two interfaces:
Oracle Label Security packages provide a direct, command-line interface for ease of administration. These include:
Table 7-1 Oracle Label Security Administrative Packages
Package | Purpose |
---|---|
SA_SYSDBA |
To create, alter, and drop Oracle Label Security policies |
SA_COMPONENTS |
To define the levels, compartments, and groups for the policy |
SA_LABEL_ADMIN |
To perform standard label policy administrative functions, such as creating labels |
SA_POLICY_ADMIN |
To apply policies to schemas and tables |
SA_USER_ADMIN |
To manage user authorizations for levels, compartments, and groups, as well as program unit privileges. Also to administer user privileges. |
SA_AUDIT_ADMIN |
To set options to audit administrative tasks and use of privileges |
You can use the Web interface provided by Oracle Enterprise Manager Database Control to administer Oracle Label Security. Figure 7-1 is a representative screenshot that illustrates the Oracle Enterprise Manager interface.
Figure 7-1 Using Enterprise Manager to Configure Oracle Label Security Policies
See Also:
Chapter 4, "Getting Started with Oracle Label Security" for details on using Enterprise Manager for adminstering Oracle Label Security
Enterprise Manager Online Help for details on using the Enterprise Manager Database Control interface
This section explains how to manage a policy using the SA_SYSDBA package. It includes the following topics:
To use the SA_SYSDBA package to create, alter, and drop policies, a user must have:
When you create a policy, a role named policy_DBA is automatically created. You can use this role to control the users who are authorized to run the policy's administrative procedures.
For example, after you have created a human resources policy named HR, an HR_DBA role is automatically created. To use any administrative packages, a user would need to have the HR_DBA role. If Joan is the administrator of the HR policy, and David is the administrator of the FIN policy, then Joan has the HR_DBA role and David has the FIN_DBA role. Each person can administer that policy for which he or she has the policy_DBA role.
The user who creates the policy is automatically granted the policy_DBA role with the ADMIN option, and the user can grant the role to others.
Valid characters for all policy specifications include alphanumeric characters and underscores, as well as any valid character from your database character set.
Use the CREATE_POLICY procedure to create a new Oracle Label Security policy, define a policy-specific column name, and specify a set of default policy options.
Syntax:
PROCEDURE CREATE_POLICY ( policy_name IN VARCHAR2, column_name IN VARCHAR2 DEFAULT NULL, default_options IN VARCHAR2 DEFAULT NULL);
Table 7-2 Parameters for SA_SYSDBA.CREATE_POLICY
See Also:
Regarding policy enforcement options for tables: "Applying a Policy with SA_POLICY_ADMIN.APPLY_TABLE_POLICY"
Regarding HIDE, "Choosing Policy Options" and "The HIDE Policy Column Option".
Use the ALTER_POLICY procedure to set and modify policy default options.
Syntax:
PROCEDURE ALTER_POLICY ( policy_name IN VARCHAR2, default_options IN VARCHAR2 DEFAULT NULL);
Table 7-3 Parameters for SA_SYSDBA.ALTER_POLICY
Use the DISABLE_POLICY procedure to turn off enforcement of a policy, without removing it from the database. The policy is not enforced for all subsequent access to the database.
To disable a policy means that no access control is enforced on the tables and schemas protected by the policy. The administrator can continue to perform administrative operations while the policy is disabled.
Syntax:
PROCEDURE DISABLE_POLICY (policy_name IN VARCHAR2);
Table 7-4 Parameters for SA_SYSDBA.DISABLE_POLICY
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the policy to be disabled |
Note:
This feature is extremely powerful, and should be used with caution. When a policy is disabled, anyone who connects to the database can access all the data normally protected by the policy. So, your site should establish guidelines for use of this feature.Normally, a policy should not be disabled in order to manage data. At times, however, an administrator may need to disable a policy to perform application debugging tasks. In this case, the database should be run in single-user mode. In a development environment, for example, you may need to observe data processing operations without the policy turned on. When you reenable the policy, all of the selected enforcement options become effective again.
Use the ENABLE_POLICY procedure to enforce access control on the tables and schemas protected by the policy. A policy is automatically enabled when it is created. After creation or enabling, the policy is enforced for all subsequent access to tables protected by the policy.
Syntax:
PROCEDURE ENABLE_POLICY (policy_name IN VARCHAR2);
Use the DROP_POLICY procedure to remove the policy and all of its associated user labels and data labels from the database. It purges the policy from the system entirely. You can optionally drop the label column from all tables controlled by the policy.
Syntax:
PROCEDURE DROP_POLICY (policy_name IN VARCHAR2, drop_column BOOLEAN DEFAULT FALSE);
This package manages the component definitions of an Oracle Label Security label. Each policy defines the components differently. This section contains these topics:
Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT
Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT
Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT
Removing a Group with SA_COMPONENTS.DROP_GROUP
See Also:
"Using Oracle Label Security Views" for information about displaying the label definitions you have set
Oracle Label Security makes use of overloaded subprogram names. That is, the same name is used for several different procedures whose formal parameters differ in number, order, or datatype family.
For example, you can call the SA_COMPONENTS.ALTER_LEVEL procedure this way:
PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2, level_num IN INTEGER, new_short_name IN VARCHAR2 DEFAULT NULL, new_long_name IN VARCHAR2 DEFAULT NULL);
or this way:
PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2, short_name IN VARCHAR2,
new_long_name IN VARCHAR2);
Because the processing in these two procedures is the same, it is logical to give them the same name. PL/SQL determines which of the two procedures is being called by checking their formal parameters. In the preceding example, the version of initialize
used by PL/SQL depends on whether you call the procedure with a level_num
or short_name
parameter.
Use the CREATE_LEVEL procedure to create a level and specify its short name and long name. The numeric values assigned to the level_num parameter determine the sensitivity ranking (that is, a lower number indicates less sensitive data).
Syntax:
PROCEDURE CREATE_LEVEL (policy_name IN VARCHAR2, level_num IN INTEGER, short_name IN VARCHAR2, long_name IN VARCHAR2);
Table 7-7 Parameters for SA_COMPONENTS.CREATE_LEVEL
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the policy |
level_num |
Specifies the level number (0-9999) |
short_name |
Specifies the short name for the level (up to 30 characters) |
long_name |
Specifies the long name for the level (up to 80 characters) |
Use the ALTER_LEVEL procedure to change the short name and long name associated with a level.
Once they are defined, level numbers cannot be changed. If a level is used in any existing label, then its short name cannot be changed, but its long name can be changed.
Syntax:
PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2, level_num IN INTEGER, new_short_name IN VARCHAR2 DEFAULT NULL, new_long_name IN VARCHAR2 DEFAULT NULL); PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2, short_name IN VARCHAR2, new_long_name IN VARCHAR2);
Table 7-8 Parameters for SA_COMPONENTS.ALTER_LEVEL
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the policy |
level_num |
Specifies the number of the level to be altered |
short_name |
Specifies the short name for the level (up to 30 characters) |
new_short_name |
Specifies the new short name for the level (up to 30 characters) |
new_long_name |
Specifies the new long name for the level (up to 80 characters) |
Use the DROP_LEVEL procedure to remove a level. If the level is used in any existing label, then it cannot be dropped.
Syntax:
PROCEDURE DROP_LEVEL (policy_name IN VARCHAR2, level_num IN INTEGER); PROCEDURE DROP_LEVEL (policy_name IN VARCHAR2, short_name IN VARCHAR2);
Use the CREATE_COMPARTMENT procedure to create a compartment and specify its short name and long name. The comp_num parameter determines the order in which compartments are listed in the character string representation of labels.
Syntax:
PROCEDURE CREATE_COMPARTMENT (policy_name IN VARCHAR2, comp_num IN INTEGER, short_name IN VARCHAR2, long_name IN VARCHAR2);
Table 7-10 Parameters for SA_COMPONENTS.CREATE_COMPARTMENT
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the policy |
comp_num |
Specifies the compartment number (0-9999) |
short_name |
Specifies the short name for the compartment (up to 30 characters) |
long_name |
Specifies the long name for the compartment (up to 80 characters) |
Use the ALTER_COMPARTMENT procedure to change the short name and long name associated with a compartment.
Once set, the comp_num parameter cannot be changed. If the comp_num parameter is used in any existing label, then its short name cannot be changed but its long name can be changed.
Syntax:
PROCEDURE ALTER_COMPARTMENT (policy_name IN VARCHAR2, comp_num IN INTEGER, new_short_name IN VARCHAR2 DEFAULT NULL, new_long_name IN VARCHAR2 DEFAULT NULL); PROCEDURE ALTER_COMPARTMENT (policy_name IN VARCHAR2, short_name IN VARCHAR2, new_long_name IN VARCHAR2);
Table 7-11 Parameters for SA_COMPONENTS.ALTER_COMPARTMENT
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the policy |
comp_num |
Specifies the number of the compartment to be altered |
short_name |
Specifies the short name of the compartment to be altered (up to 30 characters) |
new_short_name |
Specifies the new short name of the compartment (up to 30 characters) |
new_long_name |
Specifies the new long name of the compartment (up to 80 characters). |
Use the DROP_COMPARTMENT procedure to remove a compartment. If the compartment is used in any existing label, then it cannot be dropped.
Syntax:
PROCEDURE DROP_COMPARTMENT (policy_name IN VARCHAR2, comp_num IN INTEGER); PROCEDURE DROP_COMPARTMENT (policy_name IN VARCHAR2, short_name IN VARCHAR2);
Use the CREATE_GROUP procedure to create a group and specify its short name and long name, and optionally a parent group.
Syntax:
PROCEDURE CREATE_GROUP (policy_name IN VARCHAR2, group_num IN INTEGER, short_name IN VARCHAR2, long_name IN VARCHAR2, parent_name IN VARCHAR2 DEFAULT NULL);
Table 7-13 Parameters for SA_COMPONENTS.CREATE_GROUP
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the policy |
group_num |
Specifies the group number (0-9999) |
short_name |
Specifies the short name for the group (up to 30 characters) |
long_name |
Specifies the long name for the group (up to 80 characters) |
parent_name |
Specifies the short name of an existing group as the parent group. If NULL, then the group is a top-level group. |
Note that the group number affects the order in which groups will be displayed when labels are selected.
See Also:
"Groups"Use the ALTER_GROUP procedure to change the short name and long name associated with a group.
Once set, the group_num parameter cannot be changed. If the group is used in any existing label, then its short name cannot be changed, but its long name can be changed.
Syntax:
PROCEDURE ALTER_GROUP (policy_name IN VARCHAR2, group_num IN INTEGER, new_short_name IN VARCHAR2 DEFAULT NULL, new_long_name IN VARCHAR2 DEFAULT NULL); PROCEDURE ALTER_GROUP (policy_name IN VARCHAR2, short_name IN VARCHAR2, new_long_name IN VARCHAR2);
Table 7-14 Parameters for SA_COMPONENTS.ALTER_GROUP
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the policy |
group_num |
Specifies the existing group number to be altered |
short_name |
Specifies the existing group short name to be altered |
new_short_name |
Specifies the new short name for the group (up to 30 characters) |
new_long_name |
Specifies the new long name for the group (up to 80 characters) |
The ALTER_GROUP_PARENT procedure changes the parent group associated with a particular group.
Syntax:
PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2, group_num IN INTEGER, parent_name IN VARCHAR2); PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2, group_num IN INTEGER, parent_num IN INTEGER); PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2, short_name IN VARCHAR2, parent_name IN VARCHAR2);
Table 7-15 Parameters for SA_COMPONENTS.ALTER_GROUP_PARENT
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the policy |
group_num |
Specifies the existing group number to be altered |
short_name |
Specifies the existing group short name to be altered |
parent_num |
Specifies the number of an existing group as the parent group |
parent_name |
Specifies the short name of an existing group as the parent group |
Use the DROP_GROUP procedure to remove a group. If the group is used in an existing label, it cannot be dropped.
Syntax:
PROCEDURE DROP_GROUP (policy_name IN VARCHAR2, group_num IN INTEGER); PROCEDURE DROP_GROUP (policy_name IN VARCHAR2, short_name IN VARCHAR2);
The SA_LABEL_ADMIN package provides an administrative interface to manage the labels used by a policy. To do this, a user must have the EXECUTE privilege for the SA_LABEL_ADMIN package and have been granted the policy_DBA role.
This section includes:
Use the SA_LABEL_ADMIN.CREATE_LABEL procedure to create a valid data label. You must manually specify a label tag value from 1 to 8 digits long.
Syntax:
PROCEDURE CREATE_LABEL ( policy_name IN VARCHAR2, label_tag IN INTEGER, label_value IN VARCHAR2, data_label IN BOOLEAN DEFAULT TRUE);
Table 7-17 Parameters for SA_LABEL_ADMIN.CREATE_LABEL
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the name of an existing policy |
label_tag |
Specifies a unique integer value representing the sort order of the label, relative to other policy labels (0-99999999) |
label_value |
Specifies the character string representation of the label to be created |
data_label |
TRUE if the label can be used to label row data. Use this to define the label as valid for data. |
When specifying labels, use the short name of the level, compartment, and group.
When you identify valid labels, you specify which of all the possible combinations of levels, compartments, and groups can potentially be used to label data in tables.
Note:
If you create a new label by using the TO_DATA_LABEL procedure, a system-generated label tag of 10 digits will be generated automatically.However, when Oracle Label Security is installed to work with Oracle Internet Directory, dynamic label generation is not permitted, because labels are managed centrally in Oracle Internet Directory, using olsadmintool
commands. Refer to Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".
So, when Oracle Label Security is directory-enabled, the TO_DATA_LABEL function is not available and will generate an error message if used.
See Also:
"The Policy Label Column and Label Tags"Use the ALTER_LABEL procedure to change the character string label definition associated with a label tag. Note that the label tag itself cannot be changed.
If you change the character string associated with a label tag, the sensitivity of the data in the rows changes accordingly. For example, if the label character string TS:A with an associated label tag value of 4001 is changed to the label TS:B, then access to the data changes accordingly. This is true even when the label tag value (4001) has not changed. In this way, you can change the data's sensitivity without the need to update all the rows.
Ensure that when you specify a label to alter, you can refer to it either by its label tag or by its character string value.
Syntax:
PROCEDURE ALTER_LABEL ( policy_name IN VARCHAR2, label_tag IN INTEGER, new_label_value IN VARCHAR2 DEFAULT NULL, new_data_label IN BOOLEAN DEFAULT NULL); PROCEDURE ALTER_LABEL ( policy_name IN VARCHAR2, label_value IN VARCHAR2, new_label_value IN VARCHAR2 DEFAULT NULL, new_data_label IN BOOLEAN DEFAULT NULL);
Table 7-18 Parameters for SA_LABEL_ADMIN.ALTER_LABEL
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the name of an existing policy |
label_tag |
Identifies the integer tag assigned to the label to be altered |
label_value |
Identifies the existing character string representation of the label to be altered |
new_label_value |
Specifies the new character string representation of the label value. If NULL, the existing value is not changed. |
new_data_label |
TRUE if the label can be used to label row data. If NULL, the existing value is not changed. |
Use the SA_LABEL_ADMIN.DROP_LABEL procedure to delete a specified policy label. Any subsequent reference to the label (in data rows, or in user or program unit labels) will raise an invalid label error.
Syntax:
PROCEDURE DROP_LABEL ( policy_name IN VARCHAR2, label_tag IN INTEGER); PROCEDURE DROP_LABEL ( policy_name IN VARCHAR2, label_value IN VARCHAR2);
Table 7-19 Parameters for SA_LABEL_ADMIN.DROP_LABEL
Parameter Name | Parameter Description |
---|---|
policy_name |
Specifies the name of an existing policy |
label_tag |
Specifies the integer tag assigned to the label to be dropped |
label_value |
Specifies the string value of the label to be dropped |
Caution:
Do not drop a label that is in use anywhere in the database.
Use this procedure only while setting up labels, prior to data population. If you should inadvertently drop a label that is being used, you can recover it by disabling the policy, fixing the problem, and then re-enabling the policy.