/*
|| Listing 2: OLS Policy Maintenance.sql
||
|| Supplies sample scripts for maintenance of an Oracle Label Security (OLS)
|| security policy.
||
|| Author: Jim Czuprynski
||
|| Usage Notes:
|| This script is provided to demonstrate various features of
|| Oracle Label Security (OLS). Proofread it carefully before
|| executing it against any existing Oracle database to ensure
|| that no damage can occur.
||
*/

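-- Connect as LBACSYS, the schema that owns Oracle Label Security.
-- No password is embedded in the script: SQL*Plus prompts for it, which keeps
-- the credential out of the file, version control and spool/log output.
-- An earlier revision of this listing embedded a password identical to the
-- username; rotate it on any database where that value was ever set.
CONNECT lbacsys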

-----
-- Policy Maintenance
-----
-- Change the default enforcement options of the existing policy SADM to
-- 'ALL_CONTROL'.
-- NOTE(review): default options presumably take effect only where the policy
-- is applied without explicit table/schema options; confirm whether tables
-- already protected by SADM keep the options they were applied with.
BEGIN
    SA_SYSDBA.ALTER_POLICY(
        policy_name     => 'SADM',
        default_options => 'ALL_CONTROL'
    );
END;
/
-- Disable the SADM policy as a whole. The policy definition is kept, but while
-- it is disabled OLS enforces no access control on the tables and schemas it
-- protects, so rows are no longer filtered by label. Treat this as a
-- privileged, time-boxed maintenance step and make sure the call is audited.
BEGIN
    SA_SYSDBA.DISABLE_POLICY(
        policy_name => 'SADM'
    );
END;
/
-- Re-enable the SADM policy so that its access controls are enforced again.
-- NOTE(review): rows inserted or updated while the policy was disabled may not
-- carry the labels the policy would have required; check them after
-- re-enabling.
BEGIN
    SA_SYSDBA.ENABLE_POLICY(
        policy_name => 'SADM'
    );
END;
/

-----
-- Security Components Maintenance
-- Note that once a Component is in use, only its long name 
-- may be changed.
-----
-- Give the SADM level whose short name is 'UN' the new long name
-- 'UNSECURED INFO'. Only the descriptive long name changes; the short name
-- that label strings refer to is left as it is.
BEGIN
    SA_COMPONENTS.ALTER_LEVEL(
        policy_name   => 'SADM',
        short_name    => 'UN',
        new_long_name => 'UNSECURED INFO'
    );
END;
/
-- Give the SADM compartment whose short name is 'AC' the new long name
-- 'ACCTS RECEIVABLE'. Only the descriptive long name changes.
BEGIN
    SA_COMPONENTS.ALTER_COMPARTMENT(
        policy_name   => 'SADM',
        short_name    => 'AC',
        new_long_name => 'ACCTS RECEIVABLE'
    );
END;
/
-- Give the SADM group whose short name is 'NE' the new long name
-- 'NORTHEASTERN UNITED STATES'. Only the descriptive long name changes.
BEGIN
    SA_COMPONENTS.ALTER_GROUP(
        policy_name   => 'SADM',
        short_name    => 'NE',
        new_long_name => 'NORTHEASTERN UNITED STATES'
    );
END;
/
-- Move the SADM group with number 60 under the parent group with number 10.
-- NOTE(review): OLS group authorizations are hierarchical, so re-parenting a
-- group presumably changes which users can reach rows labelled with it;
-- review the affected user authorizations before and after this change.
BEGIN
    SA_COMPONENTS.ALTER_GROUP_PARENT(
        policy_name => 'SADM',
        group_num   => 60,
        parent_num  => 10
    );
END;
/

-----
-- Label Maintenance
-----
-- Redefine the label string behind the existing SADM label tag 30150 and mark
-- it as usable as a data label. Rows store the tag, not the string, so every
-- row already carrying tag 30150 takes on the new sensitivity as soon as this
-- runs, without any row being updated.
-- NOTE(review): OLS label strings have the form LEVEL:COMPARTMENTS:GROUPS; the
-- value below reads like two labels joined by a comma. Confirm it is accepted
-- as written and that something like 'CW:SA:EU,NW' was not intended.
BEGIN
    SA_LABEL_ADMIN.ALTER_LABEL(
        policy_name     => 'SADM',
        label_tag       => 30150,
        new_label_value => 'CW:SA:EU,CW:SA:NW',
        new_data_label  => TRUE
    );
END;
/

-----
-- User Labels Management
-- Note that the following SA_USER_ADMIN functions allow maintenance of
-- user labels by label string, rather than by component as shown below:
-- SET_USER_LABELS
-- SET_DEFAULT_LABEL
-- SET_ROW_LABEL
-----
-- Set user RGNMGR1's level authorizations under SADM: maximum 'TS',
-- minimum 'UN', default 'UN' and row level 'UN'.
-- max_level is the ceiling on what the user can be authorized to see, so
-- grant the lowest value the role actually needs.
BEGIN
    SA_USER_ADMIN.SET_LEVELS(
        policy_name => 'SADM',
        user_name   => 'RGNMGR1',
        max_level   => 'TS',
        min_level   => 'UN',
        def_level   => 'UN',
        row_level   => 'UN'
    );
END;
/
-- Set user RGNMGR1's compartment authorizations under SADM: read access to
-- compartment 'SA', with the write, default and row lists passed as NULL.
-- NOTE(review): NULL is not necessarily "no access" here. Oracle's
-- documentation describes NULL write/default compartments as being derived
-- from read_comps; verify the resulting authorizations (for example in
-- DBA_SA_USER_COMPARTMENTS) instead of assuming the user ends up read-only.
BEGIN
    SA_USER_ADMIN.SET_COMPARTMENTS(
        policy_name => 'SADM',
        user_name   => 'RGNMGR1',
        read_comps  => 'SA',
        write_comps => NULL,
        def_comps   => NULL,
        row_comps   => NULL
    );
END;
/
-- Set user RGNMGR1's group authorizations under SADM: read access to groups
-- 'NE' and 'EU', with the write, default and row lists passed as NULL.
-- NOTE(review): as with compartments, NULL may be filled in from read_groups
-- rather than meaning "none"; verify the result (for example in
-- DBA_SA_USER_GROUPS) before relying on this user being read-only.
BEGIN
    SA_USER_ADMIN.SET_GROUPS(
        policy_name  => 'SADM',
        user_name    => 'RGNMGR1',
        read_groups  => 'NE,EU',
        write_groups => NULL,
        def_groups   => NULL,
        row_groups   => NULL
    );
END;
/
-- Change RGNMGR1's existing authorization for compartment 'SA' to read-only
-- (SA_UTL.READ_ONLY). in_def and in_row are both 'Y', so the compartment is
-- flagged for the user's default label and row label as well.
-- Setting the access mode explicitly is what pins the user to read-only; the
-- alternative mode, SA_UTL.READ_WRITE, also permits writes.
BEGIN
    SA_USER_ADMIN.ALTER_COMPARTMENTS(
        policy_name => 'SADM',
        user_name   => 'RGNMGR1',
        comps       => 'SA',
        access_mode => SA_UTL.READ_ONLY,
        in_def      => 'Y',
        in_row      => 'Y'
    );
END;
/
-- Change RGNMGR1's existing authorization for groups 'NE' and 'EU' to
-- read-only (SA_UTL.READ_ONLY). in_def and in_row are both 'Y', so the groups
-- are flagged for the user's default label and row label as well.
BEGIN
    SA_USER_ADMIN.ALTER_GROUPS(
        policy_name => 'SADM',
        user_name   => 'RGNMGR1',
        groups      => 'NE,EU',
        access_mode => SA_UTL.READ_ONLY,
        in_def      => 'Y',
        in_row      => 'Y'
    );
END;
/

-----
-- Maintain Security Policies already applied to tables and schemas
-----
-- Turn off SADM enforcement on the single table SALESADM.sales_zones. The
-- policy stays attached and existing row labels are kept, but while it is
-- disabled access to this table's rows is not mediated by labels. Limit who
-- can run this and how long the table stays in this state.
BEGIN
    SA_POLICY_ADMIN.DISABLE_TABLE_POLICY(
        policy_name => 'SADM',
        schema_name => 'SALESADM',
        table_name  => 'sales_zones'
    );
END;
/
-- Turn SADM enforcement back on for SALESADM.sales_zones.
-- NOTE(review): rows written while enforcement was off may lack the labels
-- the policy expects; check the table's label column after re-enabling.
BEGIN
    SA_POLICY_ADMIN.ENABLE_TABLE_POLICY(
        policy_name => 'SADM',
        schema_name => 'SALESADM',
        table_name  => 'sales_zones'
    );
END;
/
-- Turn off SADM enforcement for the SALESADM schema. This is broader than the
-- table-level call: it covers the schema's protected tables at once, so label
-- checks stop for all of them until the schema policy is re-enabled.
BEGIN
    SA_POLICY_ADMIN.DISABLE_SCHEMA_POLICY(
        policy_name => 'SADM',
        schema_name => 'SALESADM'
    );
END;
/
-- Turn SADM enforcement back on for the SALESADM schema.
-- NOTE(review): confirm afterwards that every table expected to be protected
-- is enforcing the policy again, and review rows written in the interim.
BEGIN
    SA_POLICY_ADMIN.ENABLE_SCHEMA_POLICY(
        policy_name => 'SADM',
        schema_name => 'SALESADM'
    );
END;
/