Skip Headers

Oracle® Label Security Administrator's Guide
10g Release 1 (10.1)

Part Number B10774-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Feedback

Go to previous page
Previous
Go to next page
Next
View PDF

6
Creating an Oracle Label Security Policy

This chapter explains how to create an Oracle Label Security policy. It contains these sections:

Oracle Label Security Administrative Task Overview

To create and implement an Oracle Label Security policy, you perform the following tasks, which are described in the next few chapters:

Step 1: Create the Policy

Create a policy by defining:

To do this in Oracle Policy Manager, you can use the Create Policy icon or the Policy property sheet.

Alternatively, you can use the SA_SYSDBA.CREATE_POLICY command line procedure.

See Also:

"Creating a Policy with SA_SYSDBA.CREATE_POLICY"

Step 2: Define the Components of the Labels

Define the levels, compartments, and groups that form the components of the new policy's labels.

To do this in Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Labels and use the Labels property sheet.

Alternatively, you can use the SA_COMPONENTS package on the command line.

See Also:

"Using the SA_COMPONENTS Package to Define Label Components"

Step 3: Identify the Set of Valid Data Labels

Specify the set of valid labels to support the policy. From all the possible combinations of levels, compartments, and groups, you must define labels that can be assigned to data.

Alternatively, applications that need to create data labels dynamically at runtime can use the TO_DATA_LABEL function.


Note:

When Oracle Label Security is installed to work with Oracle Internet Directory (OID), dynamic label generation is not allowed, because labels are managed centrally in OID, using olsadmintool commands. (See Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".)

Therefore, when Oracle Label Security is directory-enabled, this function, TO_DATA_LABEL, is not available and will generate an error message if used.


To use Oracle Policy Manager to define labels that can be assigned to data, go to Oracle Label Security Policies--> policyname-->Labels and use the Labels property sheet.

See Also:

"Using the SA_LABEL_ADMIN Package to Specify Valid Labels"

"Inserting Labels Using TO_DATA_LABEL"

Step 4: Apply the Policy to Tables and Schemas

Protect individual database tables and schemas by applying the policy to them. In the process, you can customize the level of enforcement of the policy for each table and schema, to reflect your application security requirements.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Protected Objects. Select either Schemas or Tables, and use the corresponding property sheet.

Alternatively, you can use the SA_POLICY_ADMIN package.

See Also:

Chapter 9, "Applying Policies to Tables and Schemas"

Step 5: Authorize Users

For individual users, define the authorizations that each person will use for session access. If users do not have appropriate authorizations, they cannot access protected data.

You can optionally assign special privileges that particular users need to do their job. Note that Oracle Label Security privileges may only be necessary to perform special job functions.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Authorizations-->Users and use the User property sheet.

Alternatively, you can use the SA_POLICY_ADMIN package.

See Also:

Chapter 7, "Administering User Labels and Privileges"

Step 6: Create and Authorize Trusted Program Units (Optional)

Create any necessary stored trusted program units, and set their labels and privileges.

To do this with Oracle Policy Manager, go to Oracle Label Security Policies--> policyname-->Authorizations-->Program Units and use the User property sheet.

Alternatively, you can use the SA_USER_ADMIN package.

See Also:

Chapter 10, "Administering and Using Trusted Stored Program Units"

Step 7: Configure Auditing (Optional)

Configure monitoring of the administrative tasks and use of privileges, if desired.

Alternatively, you can use the SA_AUDIT_ADMIN package to set auditing options for policies, users, and program units.

See Also:

Chapter 11, "Auditing Under Oracle Label Security"

Organizing the Duties of Oracle Label Security Administrators

You can manage the administration of an Oracle Label Security policy in various ways. The policy_DBA role is created when you create a new policy, and every individual who needs to perform administrative functions must be granted this role. However, you can grant EXECUTE privileges on the administrative packages to different users, so that each administrator can be restricted to a subset of the administrative functions.

For example, you could grant EXECUTE privilege on SA_COMPONENTS and SA_LABEL_ADMIN to one user or role to manage the label definitions, and grant EXECUTE on SA_USER_ADMIN to a different user or role to manage user labels and privileges. Alternatively, you could grant EXECUTE on all of the administrative packages to the policy_DBA role, so that anyone with the policy_DBA role could perform all of the administrative tasks.

Choosing an Oracle Label Security Administrative Interface

You can perform Oracle Label Security development and administrative tasks using either of two interfaces:

Oracle Label Security Packages

Oracle Label Security packages provide a direct, command-line interface for ease of administration. These include:

Table 6-1 Oracle Label Security Administrative Packages

Package

Purpose

SA_SYSDBA

To create, alter, and drop Oracle Label Security policies

SA_COMPONENTS

To define the levels, compartments, and groups for the policy

SA_LABEL_ADMIN

To perform standard label policy administrative functions, such as creating labels

SA_POLICY_ADMIN

To apply policies to schemas and tables

SA_USER_ADMIN

To manage user authorizations for levels, compartments, and groups, as well as program unit privileges. Also to administer user privileges.

SA_AUDIT_ADMIN

To set options to audit administrative tasks and use of privileges



Oracle Label Security Demonstration File

For a demonstration showing how to create and develop an Oracle Label Security policy using the supplied packages, refer to the olsdemo.sql file in your ORACLE_HOME/rdbms/demo directory.

Oracle Policy Manager

You can use Oracle Policy Manager, an extension to Oracle Enterprise Manager, to administer Oracle Label Security. Figure 6-1 is a representative screenshot that illustrates the Oracle Policy Manager interface. Please see the online help for instructions on how to use this graphical user interface.

Figure 6-1 Oracle Policy Manager Interface

Text description of opm1test.gif follows

Text description of the illustration opm1test.gif

Using the SA_SYSDBA Package to Manage Security Policies

This section explains how to manage a policy using the SA_SYSDBA package. To do this in Oracle Policy Manager, use the Create Policy icon or the Policy property sheet.

Who Can Use the SA_SYSDBA Package

To use the SA_SYSDBA package to create, alter, and drop policies a user must have:

Who Can Administer a Policy

When you create a policy, a role named policy_DBA is automatically created. You can use this role to control the users who are authorized to execute the policy's administrative procedures.

For example, after you have created a human resources policy named HR, an HR_DBA role is automatically created. To use any administrative packages, a user would need to have the HR_DBA role. If Joan is the administrator of the HR policy, and David is the administrator of the FIN policy, then Joan has the HR_DBA role and David has the FIN_DBA role. Each person can only administer the policy for which he or she has the policy_DBA role.

The user who creates the policy is automatically granted the policy_DBA role with the ADMIN option, and can grant the role to others.

Valid Characters for Policy Specifications

Valid characters for all policy specifications include alphanumeric characters and underscores, as well as any valid character from your database character set.

Creating a Policy with SA_SYSDBA.CREATE_POLICY

Use the CREATE_POLICY procedure to create a new Oracle Label Security policy, define a policy-specific column name, and specify a set of default policy options.

Syntax:

PROCEDURE CREATE_POLICY (
   policy_name       IN VARCHAR2,
   column_name       IN VARCHAR2 DEFAULT NULL,
   default_options   IN VARCHAR2 DEFAULT NULL);
Table 6-2 Parameters for SA_SYSDBA.CREATE_POLICY 
Parameter Name Parameter Description

policy_name

Specifies the policy name, which must be unique within the database. It can have a maximum of 30 characters, but only the first 26 characters in the policy_name are significant. Two policies may not have the same first 26 characters in the policy_name.

column_name

Specifies the name of the column to be added to tables protected by the policy. If NULL, the default name "SA_LABEL" is used. Two Oracle Label Security policies cannot share the same column name.

default_options

Specifies the default options to be used when the policy is applied and no table- or schema-specific options are specified. Includes enforcement options and the option to hide the label column.

See Also:

Modifying Policy Options with SA_SYSDBA.ALTER_POLICY

Use the ALTER_POLICY procedure to set and modify policy default options.

Syntax:

PROCEDURE ALTER_POLICY (
   policy_name       IN  VARCHAR2,
   default_options   IN  VARCHAR2 DEFAULT NULL);
Table 6-3 Parameters for SA_SYSDBA.ALTER_POLICY 
Parameter Name Parameter Description

policy_name

Specifies the policy name

default_options

Specifies the default options to be used when the policy is applied and no table- or schema-specific options are specified. Includes enforcement options and the option to hide the label column.

Disabling a Policy with SA_SYSDBA.DISABLE_POLICY

Use the DISABLE_POLICY procedure to turn off enforcement of a policy, without removing it from the database. The policy is not enforced for all subsequent access to the database.

To disable a policy means that no access control is enforced on the tables and schemas protected by the policy. The administrator can continue to perform administrative operations while the policy is disabled.

Syntax:

PROCEDURE DISABLE_POLICY (policy_name IN VARCHAR2);
Table 6-4 Parameters for SA_SYSDBA.DISABLE_POLICY 
Parameter Name Parameter Description

policy_name

Specifies the policy to be disabled


Note:

This feature is extremely powerful, and should be used with caution. When a policy is disabled, anyone who connects to the database can access all the data normally protected by the policy. Your site therefore should establish guidelines for use of this feature.


Normally, a policy should not be disabled in order to manage data. At times, however, an administrator may need to disable a policy in order to perform application debugging tasks. In this case, the database should be run in single-user mode. In a development environment, for example, you may need to observe data processing operations without the policy turned on. When you re-enable the policy, all of the selected enforcement options become effective again.

Enabling a Policy with SA_SYSDBA.ENABLE_POLICY

Use the ENABLE_POLICY procedure to enforce access control on the tables and schemas protected by the policy. A policy is automatically enabled when it is created. After creation or enabling, the policy is enforced for all subsequent access to tables protected by the policy

Syntax:

PROCEDURE ENABLE_POLICY (policy_name IN VARCHAR2);
Table 6-5 Parameters for SA_SYSDBA.ENABLE_POLICY 
Parameter Name Parameter Description

policy_name

Specifies the policy to be enabled

Removing a Policy with SA_SYSDBA.DROP_POLICY

Use the DROP_POLICY procedure to remove the policy and all of its associated user labels and data labels from the database. It purges the policy from the system entirely. You can optionally drop the label column from all tables controlled by the policy.

Syntax:

PROCEDURE DROP_POLICY (policy_name IN VARCHAR2,
   drop_column  BOOLEAN DEFAULT FALSE);
Table 6-6 Parameters for SA_SYSDBA.DROP_POLICY 
Parameter Name Parameter Description

policy_name

Specifies the policy to be dropped

drop_column

Indicates that the policy column should be dropped from protected tables (TRUE)

Using the SA_COMPONENTS Package to Define Label Components

This package manages the component definitions of an Oracle Label Security label. Each policy defines the components differently. This section contains these topics:

Using Overloaded Procedures

Oracle Label Security makes use of overloaded subprogram names. That is, the same name is used for several different procedures whose formal parameters differ in number, order, or datatype family.

For example, you can call the SA_COMPONENTS.ALTER_LEVEL procedure this way:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   level_num       IN INTEGER,
   new_short_name  IN VARCHAR2 DEFAULT NULL,
   new_long_name   IN VARCHAR2 DEFAULT NULL);

or this way:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   short_name      IN VARCHAR2,

new_long_name IN VARCHAR2);

Because the processing in these two procedures is the same, it is logical to give them the same name. PL/SQL determines which of the two procedures is being called by checking their formal parameters. In the preceding example, the version of initialize used by PL/SQL depends on whether you call the procedure with a level_num or short_name parameter.

Creating a Level with SA_COMPONENTS.CREATE_LEVEL

Use the CREATE_LEVEL procedure to create a level and specify its short name and long name. The numeric values assigned to the level_num determine the sensitivity ranking (that is, a lower number indicates less sensitive data).

Syntax:

PROCEDURE CREATE_LEVEL (policy_name IN VARCHAR2,
   level_num         IN INTEGER,
   short_name        IN VARCHAR2,
   long_name         IN VARCHAR2);
Table 6-7 Parameters for SA_COMPONENTS.CREATE_LEVEL  
Parameter Name Parameter Description

policy_name

Specifies the policy

level_num

Specifies the level number (0-9999)

short_name

Specifies the short name for the level (up to 30 characters)

long_name

Specifies the long name for the level (up to 80 characters)

Modifying a Level with SA_COMPONENTS.ALTER_LEVEL

Use the ALTER_LEVEL procedure to change the short name and/or long name associated with a level.

Once they are defined, level numbers cannot be changed. If a level is used in any existing label, then its short name cannot be changed, but its long name can be changed.

Syntax:

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   level_num       IN INTEGER,
   new_short_name  IN VARCHAR2 DEFAULT NULL,
   new_long_name   IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_LEVEL (policy_name IN VARCHAR2,
   short_name      IN VARCHAR2,
   new_long_name   IN VARCHAR2);
Table 6-8 Parameters for SA_COMPONENTS.ALTER_LEVEL 
Parameter Name Parameter Description

policy_name

Specifies the policy

level_num

Specifies the number of the level to be altered

short_name

Specifies the short name for the level (up to 30 characters)

new_short_name

Specifies the new short name for the level (up to 30 characters)

new_long_name

Specifies the new long name for the level (up to 80 characters)

Removing a Level with SA_COMPONENTS.DROP_LEVEL

Use the DROP_LEVEL procedure to remove a level. If the level is used in any existing label, it cannot be dropped.

Syntax:

PROCEDURE DROP_LEVEL (policy_name IN VARCHAR2,
   level_num   IN INTEGER);

PROCEDURE DROP_LEVEL (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);
Table 6-9 Parameters for SA_COMPONENTS.DROP_LEVEL 
Parameter Name Parameter Description

policy_name

Specifies the policy

level_num

Specifies the number of an existing level for the policy

short_name

Specifies the short name for the level (up to 30 characters)

Creating a Compartment with SA_COMPONENTS.CREATE_COMPARTMENT

Use the CREATE_COMPARTMENT procedure to create a compartment and specify its short name and long name. The comp_num determines the order in which compartments are listed in the character string representation of labels.

Syntax:

PROCEDURE CREATE_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num    IN INTEGER,
   short_name  IN VARCHAR2,
   long_name   IN VARCHAR2);
Table 6-10 Parameters for SA_COMPONENTS.CREATE_COMPARTMENT
Parameter Name Parameter Description

policy_name

Specifies the policy

comp_num

Specifies the compartment number (0-9999)

short_name

Specifies the short name for the compartment (up to 30 characters)

long_name

Specifies the long name for the compartment (up to 80 characters)

Modifying a Compartment with SA_COMPONENTS.ALTER_COMPARTMENT

Use the ALTER_COMPARTMENT procedure to change the short name and/or long name associated with a compartment.

Once set, the comp_num cannot be changed. If the comp_num is used in any existing label, then its short name cannot be changed, but its long name can be changed.

Syntax:

PROCEDURE ALTER_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num          IN INTEGER,
   new_short_name    IN VARCHAR2 DEFAULT NULL,
   new_long_name     IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_COMPARTMENT (policy_name IN VARCHAR2,
   short_name        IN VARCHAR2,
   new_long_name     IN VARCHAR2);
Table 6-11 Parameters for SA_COMPONENTS.ALTER_COMPARTMENT 
Parameter Name Parameter Description

policy_name

Specifies the policy

comp_num

Specifies the number of the compartment to be altered

short_name

Specifies the short name of the compartment to be altered (up to 30 characters)

new_short_name

Specifies the new short name of the compartment (up to 30 characters)

new_long_name

Specifies the new long name of the compartment (up to 80 characters).

Removing a Compartment with SA_COMPONENTS.DROP_COMPARTMENT

Use the DROP_COMPARTMENT procedure to remove a compartment. If the compartment is used in any existing label, it cannot be dropped.

Syntax:

PROCEDURE DROP_COMPARTMENT (policy_name IN VARCHAR2,
   comp_num    IN INTEGER);

PROCEDURE DROP_COMPARTMENT (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);
Table 6-12 Parameters for SA_COMPONENTS.DROP_COMPARTMENT 
Parameter Name Parameter Description

policy_name

Specifies the policy

comp_num

Specifies the number of an existing compartment for the policy

short_name

Specifies the short name of an existing compartment for the policy

Creating a Group with SA_COMPONENTS.CREATE_GROUP

Use the CREATE_GROUP procedure to create a group and specify its short name and long name, and optionally a parent group.

Syntax:

PROCEDURE CREATE_GROUP (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   short_name  IN VARCHAR2,
   long_name   IN VARCHAR2,
   parent_name IN VARCHAR2 DEFAULT NULL);
Table 6-13 Parameters for SA_COMPONENTS.CREATE_GROUP 
Parameter Name Parameter Description

policy_name

Specifies the policy

group_num

Specifies the group number (0-9999)

short_name

Specifies the short name for the group (up to 30 characters)

long_name

Specifies the long name for the group (up to 80 characters)

parent_name

Specifies the short name of an existing group as the parent group. If NULL, the group is a top-level group.

Note that the group number affects the order in which groups will be displayed when labels are selected.

See Also:

"Groups"

Modifying a Group with SA_COMPONENTS.ALTER_GROUP

Use the ALTER_GROUP procedure to change the short name and/or long name associated with a group.

Once set, the group_num cannot be changed. If the group is used in any existing label, then its short name cannot be changed, but its long name can be changed.

Syntax:

PROCEDURE ALTER_GROUP (policy_name IN VARCHAR2,
   group_num      IN INTEGER,
   new_short_name IN VARCHAR2 DEFAULT NULL,
   new_long_name  IN VARCHAR2 DEFAULT NULL);

PROCEDURE ALTER_GROUP (policy_name IN VARCHAR2,
   short_name     IN VARCHAR2,
   new_long_name  IN VARCHAR2);
Table 6-14 Parameters for SA_COMPONENTS.ALTER_GROUP 
Parameter Name Parameter Description

policy_name

Specifies the policy

group_num

Specifies the existing group number to be altered

short_name

Specifies the existing group short name to be altered

new_short_name

Specifies the new short name for the group (up to 30 characters)

new_long_name

Specifies the new long name for the group (up to 80 characters)

Modifying a Group Parent with SA_COMPONENTS.ALTER_GROUP_PARENT

The ALTER_GROUP_PARENT procedure changes the parent group associated with a particular group.

Syntax:

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   parent_name IN VARCHAR2);

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   group_num   IN INTEGER,
   parent_num  IN INTEGER);

PROCEDURE ALTER_GROUP_PARENT (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2,
   parent_name IN VARCHAR2);
Table 6-15 Parameters for SA_COMPONENTS.ALTER_GROUP_PARENT
Parameter Name Parameter Description

policy_name

Specifies the policy

group_num

Specifies the existing group number to be altered

short_name

Specifies the existing group short name to be altered

parent_num

Specifies the number of an existing group as the parent group

parent_name

Specifies the short name of an existing group as the parent group

Removing a Group with SA_COMPONENTS.DROP_GROUP

Use the DROP_GROUP procedure to remove a group. If the group is used in existing labels, it cannot be dropped.

Syntax:

PROCEDURE DROP_GROUP (policy_name IN VARCHAR2,
   group_num   IN INTEGER);

PROCEDURE DROP_GROUP (policy_name IN VARCHAR2,
   short_name  IN VARCHAR2);
Table 6-16 Parameters for SA_COMPONENTS.DROP_GROUP 
Parameter Name Parameter Description

policy_name

Specifies the policy

group_num

Specifies the number of an existing group for the policy

short_name

Specifies the short name of an existing group

Using the SA_LABEL_ADMIN Package to Specify Valid Labels

The SA_LABEL_ADMIN package provides an administrative interface to manage the labels used by a policy. To do this, a user must have EXECUTE privilege for the SA_LABEL_ADMIN package and have been granted the policy_DBA role.

This section includes:

Creating a Valid Data Label with SA_LABEL_ADMIN.CREATE_LABEL

Use the SA_LABEL_ADMIN.CREATE_LABEL procedure to create a valid data label. You must manually specify a label tag value from 1 to 8 digits long.

Syntax:

PROCEDURE CREATE_LABEL (
   policy_name IN VARCHAR2,
   label_tag   IN INTEGER,
   label_value IN VARCHAR2,
   data_label  IN BOOLEAN DEFAULT TRUE);
Table 6-17 Parameters for SA_LABEL_ADMIN.CREATE_LABEL
Parameter Name Parameter Description
policy_name Specifies the name of an existing policy
label_tag Specifies an unique integer value representing the sort order of the label, relative to other policy labels (0-99999999)
label_value Specifies the character string representation of the label to be created
data_label TRUE if the label can be used to label row data. Use this to define the label as valid for data.

When specifying labels, use the short name of the level, compartment and group.

When you identify valid labels, you specify which of all the possible combinations of levels, compartments, and groups can potentially be used to label data in tables.


Note:

If you create a new label by using the TO_DATA_LABEL procedure, a system-generated label tag of 10 digits will be generated automatically.

However, When Oracle Label Security is installed to work with Oracle Internet Directory (OID), dynamic label generation is not allowed, because labels are managed centrally in OID, using olsadmintool commands. (See Appendix B, "Command-line Tools for Label Security Using Oracle Internet Directory".)

Therefore, when Oracle Label Security is directory-enabled, the TO_DATA_LABEL function is not available and will generate an error message if used.


See Also:

"The Policy Label Column and Label Tags"

Modifying a Label with SA_LABEL_ADMIN.ALTER_LABEL

Use the ALTER_LABEL procedure to change the character string label definition associated with a label tag. Note that the label tag itself cannot be changed.

If you change the character string associated with a label tag, the sensitivity of the data in the rows changes accordingly. For example, if the label character string TS:A with an associated label tag value of 4001 is changed to the label TS:B, then access to the data changes accordingly. This is true even though the label tag value (4001) has not changed. In this way you can change the data's sensitivity without the need to update all the rows.

Note that, when you specify a label to alter, you can refer to it either by its label tag or by its character string value.

Syntax:

PROCEDURE ALTER_LABEL (
   policy_name       IN VARCHAR2,
   label_tag         IN INTEGER,
   new_label_value   IN VARCHAR2 DEFAULT NULL,
   new_data_label    IN BOOLEAN  DEFAULT NULL);

PROCEDURE ALTER_LABEL (
   policy_name       IN VARCHAR2,
   label_value       IN VARCHAR2,
   new_label_value   IN VARCHAR2 DEFAULT NULL,
   new_data_label    IN BOOLEAN  DEFAULT NULL);
Table 6-18 Parameters for SA_LABEL_ADMIN.ALTER_LABEL 
Parameter Name Parameter Description

policy_name

Specifies the name of an existing policy

label_tag

Identifies the integer tag assigned to the label to be altered

label_value

Identifies the existing character-string representation of the label to be altered

new_label_value

Specifies the new character string representation of the label value. If NULL, the existing value is not changed.

new_data_label

TRUE if the label can be used to label row data. If NULL, the existing value is not changed.

Deleting a Label with SA_LABEL_ADMIN.DROP_LABEL

Use the SA_LABEL_ADMIN.DROP_LABEL procedure to delete a specified policy label. Any subsequent reference to the label (in data rows, or in user or program unit labels) will raise an invalid label error.

Syntax:

PROCEDURE DROP_LABEL (
   policy_name       IN VARCHAR2,
   label_tag         IN INTEGER);

PROCEDURE DROP_LABEL (
   policy_name       IN VARCHAR2,
   label_value       IN VARCHAR2);
Table 6-19 Parameters for SA_LABEL_ADMIN.DROP_LABEL  
Parameter Name Parameter Description

policy_name

Specifies the name of an existing policy

label_tag

Specifies the integer tag assigned to the label to be dropped

label_value

Specifies the string value of the label to be dropped


Caution:

Do not drop a label that is in use anywhere in the database.


Use this procedure only while setting up labels, prior to data population. If you should inadvertently drop a label that is being used, you can recover by disabling the policy, fixing the problem, and then re-enabling the policy.