Fine-grained auditing

Is there any way to audit more than one table using fine-grained auditing in oracle 10.2.0.
Thnks in advance.

sonidba wrote:
Is there any way to audit more than one table using fine-grained auditing in oracle 10.2.0.
Thnks in advance.Read this
Re: use multiple tables in FGA Add_policy?

Similar Messages

  • Should I use the fine-grained auditing?

    I need to record the changes (of data) made to serveral tables by users. For example, I have to check the before and after images of the changes and what kind of transactions they do to cause the changes. Sould I program the logging procedure in the application or should I use the fine-grained auditing function of oracle to do it. I am not sure what this built-in function can do for me. Can anyone give me some advice on this? Thks.
    A beginner

    Why Fine-Grained Auditing?
    You may want to check standard auditing if it is suitable for you
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cfgaudit.htm#BABCFIHB
    I don't think you can get pre and post update values of the affected data with Auditing.
    FGA is useful when you want to audit just a "subset" of the data in the table.
    (for instance, audit everyone that wants to get all records from EMP table where SALARY > 100000)
    Message was edited by:
    tekicora

  • Fine Grained Audit records to syslog

    Hello experts,
    I am working on Standard Auditing and Fine Grained Auditing on 11.2.0.3 databases on Red Hat x86_64.
    I am trying to send Fine Grained Audit records to syslog as for my Standard Audit records with audit_trail set to OS, but can't find any appropriate option.
    When I create FGA policies with the ADD_POLICY procedure of the DBMS_FGA package, the audit_trail parameter can only be set to DB or XML, as stated in [PL/SQL Packages and Types Reference|http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_fga.htm#CDEIECAG].
    Does somebody know if it is possible to send FGA audit records to syslog directly:
    1. without using any additional product (e.g. Oracle Audit Vault)?
    2. without doing manual extraction from fga_log$ or DBA_COMMON_AUDIT_TRAIL?
    Thanks for any suggestion.

    Hi,
    Well, i did not used FGA yet.
    I used audit_Trail=db and the query SELECT username,extended_timestamp,owner,obj_name,action_name,sql_text FROM dba_audit_trail WHERE to_char(extended_timestamp, 'DD/MM/RR') = to_char(SYSDATE - 1, 'DD/MM/RR') ORDER BY timestamp)
    Then i wrote a procedure, and exported the results using utl_file .
    And i scheduled this procedure to run daily.
    It works pretty good, if you like the solution as ask for details.
    Hope that helps,
    Regards.

  • How to know if Fine Grain Auditing is used

    I have to migrate a exsisting database to a new plattaform.The old database is a Enterprise Edition and the new must be a Standard  Edition.
    But first I must make sure that none of the functions of the Enterpise edition is being used.
    How I can know if the database is using the Fine Grain Auditing?
    thanks

    Thank you. Furthermore you can find a lot of resource about it.
    Regards
    http://www.oracle.com/technetwork/database/security/index-083815.html

  • Fine grained auditing on table, but I don't want it on view

    I have a table which contains sensitive information, and I want to audit all queries on it except the web account 'EJBUSER', so I created the below policy:
    begin
    dbms_fga.add_policy( policy_name => 'STAFF_LOGON_QRY_POLICY'',
    object_schema => 'CPY',
    object_name => 'STAFF_LOGON',
    statement_types => 'SELECT',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''EJBUSER'' ');
    end;
    This does exactly what I want, but I also have a view off this STAFF_LOGON table (below) which users can query to see their own details.
    create or replace view CPY.V_STAFF_LOGON
    as
    select * from cpy.staff_logon
    where user_name = user;
    When a user queries this view, it also writes an entry to the dba_fga_audit_trail, but I only want to see queries against the base table, not the view.
    Is it possible to fga audit the base table only, and not the view?
    Edited by: stuartu on Feb 17, 2010 11:36 AM
    Edited by: stuartu on Feb 17, 2010 12:01 PM

    But does this delete the whole account from the cloud, or just from my device. I must make sure my husband doesn't loose all his business contacts which are in the iCloud device. Thanks.

  • Fine Grained Auditing FGA - Which procedure or package caused the DML ?

    Hi All,
    I'm using FGA at column level. I'm trying to figure out all PL/SQL Subprograms like procedures, functions, packages, etc, which issued the SQL_TEXT in the dba_fga_audit_trail view.
    e.g.
    begin
    sys.dbms_fga.add_policy(
    object_schema => 'SCOTT',
    object_name => 'EMP',
    policy_name => 'SCOTT_EMP_POLICY',
    audit_condition => null,
    audit_column => 'SALARY',
    statement_types => 'UPDATE');
    end;
    The dba_fga_audit_trail view successfully displays all Update Statements in the SQL_TEXT column. However, as to which PL/SQL Subprogram it was issued from - this I don't know.
    Is there any way to determine this? Maybe through another system view?
    I tried replacing the SQL_TEXT with a lot of '%' for every space and every bind variable characters, so that I can do a LIKE in the DBA_SOURCE view, . . . but this didn't 100% worked.
    Many Thanks,
    Henry Wu

    Hi,
    Personnally i've never seen an automatic way for doing this...
    What you cando (but it can be very fastidious) is to declare constants (or IDs) for your differents package/procedure/function names and add them to your different DMLs commands.
    procedure TheProc is
    CurrentProc constant varchar2(100):='TheProc';
    begin
    update mytable set .... , proc_name=CurrentProc
    end;this is an old post but it might interrest you:
    Get current procedure

  • Error in using fibne grained auditing

    Hello,
    I am trying to implement fine grained auditing on SAL column of my Employees table as I suspect that someone is updating values.
    I am using the system user to implement this. But when I try to use the following syntax I am getting an error "ORA-00900: invalid SQL statement"
    EXEC DBMS_FGA.ADD_POLICY(object_schema =>'hr',object_name =>'employees',policy_name =>'chk_pol',audit_condition =>'1=1',audit_column=>'salary');
    Can anyone help me out in correcting this error.
    Regards,
    Faiz Qureshi
    Email : [email protected]

    begin
    dbms_fga.add_policy
    (object_schema => 'scott',
    object_name => 'emp',
    policy_name => 'chk_pol',
    audit_condition => '1=1',
    audit_column => 'sal');
    end;
    SQL> /
    PL/SQL procedure successfully completed.
    *I used sal column and emp as a table name.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

  • The newest version of iTunes is awful when it comes to Cloud syncing-file management. I'm constantly frustrated with what iTunes 'chooses to eliminate from my mobile device and settings aren't fine-grained enough to allow for real user control.

    I'm endlessly frustrated with iTunes Cloud syncing, something that was supposed to make lenjoying my music easier. I routinely find that, though itunes and podcasts have been split, iTunes arbitrairily removes music files or in progress podcast in favor of 'new' podcasts. The settings are just not fine-grained enough to allow true user control and so we are instead subjected to 'Apple knows best' protocols. I understand and appreciate the level of exacting control Apple excercises over their ecosystem, however, more and more often I see them tightening control over things that should be user control while dropping the ball on aesthetic desisions made in producing their own software (see the hideous pull down tab for iTunes to access Podcast, TV shows, Music, etc.
    I would like to see features like those in Mail and the Podcasting apps implemented in iTunes afor the management of content on mobile devices, for instance it would be great to swipe to delete files that you know longer want on your device, at both the album and song level. Another issues is the new pushiness of iRadio and iTunes Store, the app now seems to default to the iRadio page (versus the last page Albums, songs, etc. that the user was navigating, or in the instance of the iTunes Store push, if I doon't have all the tracks of an album i own on my mobile device 'complete my album' takes you to iTunes store rather than showing the 'cloud' download icon next to missing tracks. These are the tactics I expect from Google, not Apple (pushing commerce over quality user experience).
    Fix these things Apple, please.

  • How to pass the context from Portal to Database for fine grain access?

    Hi,
    I am developing an omniportlet and I need to pass on the context of the logged in user to the database so that when the user tries to access data in the omniportlet, he can see data relevant to him only. Does anyone know how to do that?
    I have set up a light weight user scott and also has a schema in the database by the same name (scott)..
    what I am trying is when the user logs in as scott in the portal site and runs an omniportlet, he should be dynamically be logged in to scott the schema so that the data visible to him can be restricted. Same should happen for other users as well.
    Does anyone know in which table in the PORTAL schema is this connection information stored, so that I can override it using some API..?
    Thanks,
    Abhi

    I had tried sending the user_name in the sql and that works fine. but my requirement is that the user should login to his schema and only his schema directly and automatically.. such that even if an omniportlet is created using some default schema, when user logs in he can access only the schema meant for him..
    e.g. While running the omniportlet when logged-in as user scott, he should be logged-in to scott schema in the database, so that the fine grain access can be enabled ..
    Edited by: user6386347 on Mar 12, 2009 12:15 PM

  • Function-based index error due to fine-grained security

    Hi, i'm working on Oracle version 9.2.0.5.
    I'm trying to create a function-based index but i'm getting an error due to fine-grained security. I checked resource_view but if i'm not wrong I should have all necessary roles. I also added xdbadmin to this user to be sure.
    I tried also to alter my session but it didn't worked.
    Connected to Oracle9i Enterprise Edition Release 9.2.0.5.0
    Connected as test_ste
    SQL>
    SQL> create index fbidx_schede_xml
      2  on schede_progetti_xml p
      3  (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal());
    create index fbidx_schede_xml
    on schede_progetti_xml p
    (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal())
    ORA-28133: full table access is restricted by fine-grained security
    ORA-06512: at "SYS.XMLTYPE", line 0
    ORA-06512: at line 1
    SQL>
    SQL> alter session set query_rewrite_enabled = true;
    Session altered
    SQL> alter session set query_rewrite_integrity = trusted;
    Session altered
    SQL> create index fbidx_schede_xml
      2  on schede_progetti_xml p
      3  (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal());
    create index fbidx_schede_xml
    on schede_progetti_xml p
    (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal())
    ORA-28133: full table access is restricted by fine-grained security
    ORA-06512: at "SYS.XMLTYPE", line 0
    ORA-06512: at line 1
    SQL> select * from user_role_privs;
    USERNAME                       GRANTED_ROLE                   ADMIN_OPTION DEFAULT_ROLE OS_GRANTED
    TEST_STE                      CONNECT                        NO           YES          NO
    TEST_STE                      CTXAPP                         NO           YES          NO
    TEST_STE                      RESOURCE                       NO           YES          NO
    TEST_STE                      XDBADMIN                       NO           YES          NO
    SQL> This are ACL on my schema:
      <ACL>
        <acl description="Private:All privileges to OWNER only and not accessible to others" xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="DAV:"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd                           http://xmlns.oracle.com/xdb/acl.xsd">
          <ace>
            <principal>dav:owner</principal>
            <grant>true</grant>
            <privilege>
              <all/>
            </privilege>
          </ace>
        </acl>
      </ACL>I tried to create a similar function-based index on Oracle 10.2.0.3 without any problem and without touching any ACL, is an Oracle 9.2.0.5 problem?
    Thanks for your attention.

    I didn't really (production wise)work yet with VPD. I know a lot is based on DBMS_RLS and I guess (IF it is VPD related) it should be to hard to find in the doc's how you could check what is beyond your privileges. As a DBA I noticed that even the dba account SYSTEM isn't always allow to export the full content for the tables anymore.
    There is a privilege that grants you all access that you need, despite the fact that you are not allowed to read certain rows from a table. Look it up.
    In all, as I said, it looks like account is not allowed to see all data from a table. In that respect it sounds logical that you also are, in that case, not allowed to build a function based index on that data

  • Fine-Grained Password Policy problem

    Hi All,
    I'm testing a Fine-Grained Password Policy for a group of users.
    I created a test PSO using ASDI Edit and applied the PSO to a global security group.
    Test user has been added to this group.
    The PSO settings include "Enforce password history: 5"
    The user has changed the password.
    After 24h when I logged in as the user and changed the password - for example: Password1.
    After another 24 hours I changed the password to Password2.
    One day later I've been asked to change the password again.
    In theory I shouldn't be able to use any of the 5 previous passwords (password history = 5) but when I entered Password1 it was accepted.
    Do you know where can be the problem ?
    System info: Windows Server 2008 R2 (forest/domain level is also 2008)
    Regards,
    Marcin

    This is very interesting. I don't have any lab to repro though... So I can't look at it closer.
    From an LDAP perspective, when you change your password on AD, you have to comply with the password history policy. This requirement is send by the server to the client thanks to the supported control: LDAP_SERVER_POLICY_HINTS_OID that you can see just by
    looking at the RootDSE of one of your DC (http://msdn.microsoft.com/en-us/library/cc223320.aspx Used with an LDAP operation to enforce password history policies during password set). I am
    aware of issues with AD-LDS not honoring it, but not AD... I am not sure if the situation described with FIM here matches your issue:
    http://support.microsoft.com/kb/2443871 in this article:
    "The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based or a Windows Server 2008-based computer."
    But it would mean that it also affects users not having a FGGP (because this isn't specific to FGGP), ad the minimum password age as well. If you have a chance to try this in a lab, let us now... In the mean time, if you can share logs or code from your
    app? Like the section that does the password change?
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Fine Grained Access ERROR on INSERT when generating unique keys

    I'm using VPD/Fine Grained Access Control (FGAC) to implement security on my 9i backend. I created a security policy function that returns the predicate 'owner = USER'; - each of the tables has an additional column titled OWNER which contains the name of the logged-in user. Every time a user inserts a record, a BEFORE INSERT trigger fires (for every row) and inserts the USER name into the OWNER column. This is fairly straightforward and ensures that users can see only their rows. Using the DBMS_RLS.add_policy procedure, I attached the security policy to several tables and made it effective upon SELECT, UPDATE, INSERT, and DELETE statements.
    However, the frontend Java application (custom-made) generates unique IDs (sequences are not used) by selecting max(ID)+1 from the primary key columns of the tables. The problem is that the predicate is appended to the SELECT max(ID)+1 query to limit the max(ID) to only those rows where 'owner = USER'. Therefore, the max(ID) generated is not the largest ID for the entire table, but only the largest among the USER rows.
    So unless that USER happens to have the the largest ID in the whole table (and it has worked then), a primary-key violation error will be returned and the INSERT operation will be aborted.
    How can I allow every USER to select from AND get the absolute largest ID from the PK column without allowing that user to select records that don't belong to him? If I had developed the application, I would have made use of sequences on the back-end to generate unique primary key IDs. Unfortunately, I don't have this option and must work with the application as is.
    NOTE: the front-end Java application understands only the base table names, NOT Views created by me on the server. If the answer to this problem involves views, how can I make use of them on the backend when the front-end code does not recognize them?
    Any help is greatly appreciated!
    Michael

    first you could use default column values, not a trigger, which is more expensive.
    if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

  • FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징

    제품 : ORACLE SERVER
    작성날짜 : 2005-11-24
    FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징
    =======================================================================
    PURPOSE
    row leve의 security 및 context관리 방법인 FGAC에 대한 간단한 개념 및 사용방법은
    <bul 23026>에 제시하였다.
    이 문서에는 FGAC를 위한 dbms_rls package의 8i ~ 10g까지의 version별 특징을
    정리하며, STATIC_POLICY와 POLCICY_TYPE parameter에 대해서는 예제를 이용하여
    자세히 살펴보도록 한다.
    Explanation & Examples
    dbms_rls.add_policy를 사용할 때 일반적으로 주는 value값의 예제는 다음과 같다.
    이중 대부분은 default값을 이용하여, 일반적으로는 앞의 5개의 parameter만
    value를 주면 된다.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    > object_schema => 'SCOTT', -
    > object_name => 'EMP', -
    > policy_name => 'POL1', -
    > function_schema => 'SYS', -
    > policy_function => 'PREDICATE', -
    > statement_types => 'SELECT', -
    > static_policy => false, -
    > policy_type => DBMS_RLS.DYNAMIC
    > long_predicate => false);
    1. FGAC의 version별 특징
    (1) sec_relevant_cols/sec_relevant_cols_opt : 10G
    위에 기술한 add_policy procedure의 parameter외에 10g에서 추가된
    parameter로 다음 두 parameter가 존재한다.
    이 parameter는 해당되는 column이 조회될때만 policy가 작동하게 하기 위한
    것으로 metalink.oracle.com site에서 <Note 250795.1> 를 살펴보면 사용 방법
    및 예제를 확인 가능하다.
    - sec_relevant_cols
    - sec_relevant_cols_opt
    (2) long_predicate : 10G
    default는 false이며, true로 지정하는 경우 predicate이 4000 bytes이상이
    될 수 있다.
    (3) statement_types : 10G부터 INDEX type추가
    9i까지는 SELECT, INSERT, UPDATE, DELETE에 대해서는 FGAC를 적용할 수
    있었으나, 10g부터는 INDEX type도 지정 가능하다.
    index를 지정하는 경우, function-based index 생성을 제한할 수 있으며,
    자세한 예제는 metalink.oracle.com site에서 <Note 315687.1>를 조회하여
    확인할 수 있다.
    (4) EXEMPT ACCESS POLICY 권한 : 9i
    특정 user가 모든 fine-grained access control policy의 영향을 받지
    않도록 하려면 exempt access policy권한을 grant하면 되며, 이것은 9i부터
    소개되었다.
    SQL> grant exempt access policy to scott;
    와 같은 방식으로 권한을 부여하면 되며, 이에 대한 자세한 예제는
    metalink.oracle.com site에서 <Note 174799.1>를 통해 확인 가능하다.
    (5) synonym에 대한 policy설정 : 9.2
    synonym에 대해서 VPD (Virtudal Private Database)에 대한 policy를 설정하는
    것이 가능해 졌으며 이에 대해서는 metalink.oracle.com에서 <Note 174368.1>를
    조회하여 자세한 방법 및 예제를 살펴볼 수 있다.
    (6) static_policy : 8.1.7.4
    static_policy paramter는 8i에는 없던 것으로 9i에서 도입되면서, 8.1.7.4에도
    반영되었다. default값은 false이며, 8173까지는 항상 false인 형태로 동작한다.
    즉, policy function이 매번 object를 access할때마다 실행된다.
    8.1.7.4부터는 이 parameter를 true로 설정할 수 있는대, 이렇게 되면
    해당 session에서 policy function이 한번 실행되고 그 function이 shared pool에
    cache되어 있으면 재실행없이 그대로 사용된다.
    10g부터는 (7)번에 설명하는 policy_type parameter가 추가되어,
    이 parameter에 true로 지정하는 대신, static_type은 false로 두고,
    policy_type을 dbms_rls.static 으로 지정하면,
    9i와 8174에서 static_policy를 true로 한것과 같은 결과가 나타난다.
    (7) policy_type: 10g
    다음과 같이 5가지 value가 가능하며, 이 중 default는 dynamic이다.
    - STATIC
    policy fuction에 포함된 predicate이 runtime환경에 따라 다른 결과를 내지
    않는 경우 사용하게 된다. 예를 들어 sysdate의해 다른 결과를 return하는
    경우에는 사용하면 사용하면 문제가 될 수 있다.
    static을 사용하는 경우 policy function은 한번 실행되어 SGA에 올라온 다음
    이후 같은 session에서 같은 object를 사용시에는 재실행 없이 해당 predicate의
    결과를 그대로 사용한다.
    - SHARD_STATIC
    STATIC과 같으나, 이 값은 다른 object에 대해서도 같은 predicate function이
    사용되는 경우, 먼저 cache된 predicate을 찾아서 있으면 그 값을 이용한다.
    STATIC의 경우는 다른 object 사이에서는 공유하지 않으며 같은 object에
    대해서만 cache된 값을 사용한다.
    - CONTEXT_SENSITIVE
    한 session에서 context가 변경되면 그때 predicate를 재 실행시킨다.
    WAS(web application server)를 사용하는 경우 connection pooling방법을
    기본적으로 사용하는대, 이 경우 하나의 session을 여러 사용자가 이어서
    교대로 사용하는 방식이 된다. 이 경우 middle tier단에서 context를 설정해
    주면 context가 변경될때마다 predicate를 새로 실행시켜 변경된 sysdate나
    session_user등의 값을 다시 계산하게 되는것이다.
    jdbc에서 context설정에 관한 예제는 metalink.oracle.com에서
    <Note 110604.1>에서 확인가능하다.
    - SHARED_CONTEXT_SENSITIVE
    context_sensitive와 동일하며, 단 shared_static과 마찬가지로 여러 object에
    대해서 같은 predicate을 사용하는 경우 다른 object에 대한 같은 predicate이
    cache되어 있는지를 먼저 살펴본다.
    존재하면 session private application context가 변경되기 전까지 그 predicate의
    결과를 그대로 사용한다.
    - DYNAMIC
    이 값이 default값이다. 즉, predicate function이나 시스템이나 환경에
    영향을 받는다고 판단하여 statement가 실행될때마다 매번 predicate function을
    재 실행하여 환경에 맞는 값을 return하여 준다.
    아래에서 sysdate 값에 따라 다른 결과를 return하게 되어 있는
    predicate을 이용한 예제를 통해 정확한 메카니즘을 확인한다.
    2. static_policy 및 policy_type의 value에 따른 policy function의 작동예제
    (a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
    (1) 기존에 pol1 policy가 존재하는 경우 다음과 같이 drop시킨다.
    SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
    (2) 다음과 같이 predicate function을 scott user로 만들어둔다.
    SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
    2 return varchar2 is d_predicate varchar2(2000);
    3 begin
    4 if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI')<'05' then
    5 d_predicate := 'ename = sys_context (''USERENV'' , ''SESSION'');
    6 else d_predicate := 'sal>=3000';
    7 end if;
    8 return d_predicate;
    9 end predicate;
    10 /
    (3) pol1을 새로 add시킨다.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    object_schema => 'SCOTT', -
    object_name => 'EMP', -
    policy_name => 'POL1', -
    function_schema => 'SCOTT', -
    policy_function => 'PREDICATE', -
    statement_types => 'SELECT', -
    static_policy => TRUE, -
    policy_type => NULL);
    (4) adams user에서 scott.emp를 조회해 본다.
    단 다음과 같이 scott.emp에 대한 select권한을 king에게 주어야 한다.
    SQL>grant select on emp to king;
    SQL>!date
    Thu Nov 24 14:01:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    5분이후가 되어 predicate function의 if조건을 만족하지 않아도,
    king user는 같은 값을 emp table에 대해서 return한다.
    SQL>!date
    Thu Nov 24 14:10:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    (b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
    (1) 기존의 policy를 다음과 같이 drop시킨다.
    SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
    (2) pol1을 새로 add시키는대 이대 static_policy와 policy_type을 다음과 같이
    변경한다.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    object_schema => 'SCOTT', -
    object_name => 'EMP', -
    policy_name => 'POL1', -
    function_schema => 'SCOTT', -
    policy_function => 'PREDICATE', -
    statement_types => 'SELECT', -
    static_policy => flase, -
    policy_type => dbms_rls.dynamic);
    (3) king user에서 조회해본다.
    predicate function은 위의 2-(a)에서 실행한 것을 그대로 사용한다.
    즉 (a)를 실행하지 않은 경우, 조회전에 (a)-(2)번을 실행해야 한다.
    SQL>!date
    Thu Nov 24 15:01:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    5분 이후가 되어 다시한번 king user에서 실행해본다.
    SQL>!date
    Thu Nov 24 15:10:13 EST 2005
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7788 SCOTT ANALYST 7566 19-APR-87 3000
    20
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    7902 FORD ANALYST 7566 03-DEC-81 3000
    20
    RELATED DOCUMENTS
    <Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
    in DBMS_RLS.ADD_POLICY Procedure
    <Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
    to 10g

    first you could use default column values, not a trigger, which is more expensive.
    if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

  • Enhancement request for more fine-grained templates

    JHeadstart version : 10.1.2.0
    I like to have the possibility to define templates on the level of table rows. If I am correct, currently the 'lowest' level of a .jtt template is the $FORM_ITEMS$ token. According to the userguide this token "is used to indicate the place where a form must be generated". My question is now: How can I influence this generation process? For example, I want to embed text-items within <c:if's in order to conditionally set a text-item attribute. Am I right to conclude that on this "deeper" level of a jsp (for instance table-row level), it is not possible to define templates?
    If so, I want to request an enhancement for a further 'fine-graining' of the templating technique.
    Thanks and greetings, Erik
    Message was edited by:
    ekerkhov

    Erik,
    Yes, this is not possible in he current release.
    Your enhancement request has already been implemented for the JDev10.1.3/Faces release. We will the support two kinds of tokens, one that outputs all items as it is today ($FORM_ITEMS$ or $TABLE_ITEMS$), and one token that refers to an individual item. This reference can be bpoth on index number and name:
    FORM_ITEM_1 or
    FORM_ITEM_DepartmentName
    This will allow you to layout the items exactly as you want.
    Note that in the 10.1.3 release, we will also support item-level templates where you can add code to conditonally render items.
    Steven Davelaar,
    JHeadstart Team.

  • Fine-grained control with Magic Trackpad?

    One thing I find difficult with the Magic Trackpad is making very small adjustments to slider controls in apps such as image and audio editors. I'm referring to the sort of sliders that are sensitive to mouse scroll wheels.
    Aside from keeping a mouse connected to operate these controls, or going back and forth to System Preferences to change the tracking speed, are there any ways to do this more easily with a trackpad? For example, a utility that lets you switch to fine-grained movement with the trackpad when you hold down a certain key?

    you do not invalidate the session, but the session object is
    unavailable only on that page.That is my understanding of how this works.
    In effect it removes the implicit call to request.getSession(true) that every jsp makes to populate the variable "session"
    If I use the <c:url> tag on page 2 using a cookieless browser the link
    is still encoded with the session? Sorry, don't know that one.
    The <url> tag will still call response.encodeURL() of course.
    I'm not sure if it would pick up the presence of the sessionid or not though.
    The session is definitely still there.
    The cookie (if present) is obviously still there.
    The sessionId is sent as part of the request.
    Theoretically it SHOULD pick it up and encode it still if present. I've never tried it myself though.
    Good luck,
    evnafets

Maybe you are looking for

  • Server 2012 R2 RDS – cannot log off user session

    We have a 2 server RDS RemoteApp Farm. One server is constantly leaving user sessions in a disconnected state without the ability to kill the session (rebooting is the only way); this is happing 1-2 times per week. Servers have been configured to kil

  • Rescue

    I was trying to clean up my hard drive to make my computer a little faster because it was running terribly slow.  In doing so, I somehow - with one keystroke - completely wiped out my operating system.  And to make it worse, I cannot find my Lenovo r

  • Listening to ipod touch in car- bluetooth or FM?

    hello, i would like to listen to 3rd gen i-touch in the car. I have a motorola HF850 car hands free kit (bought from carphone warehouse) and hoped this would pair with the touch, but no luck. Have tried performing 'device discovery' on car kit, bluet

  • Can i just upgrade to the OS X Mavericks from a 10.6.8 Snow leopard?

    wondering if i need to upgrade to mountain lion first or I can just jump straight to Mavericks? Plus, will any data be lost?

  • Best computer for ID

    I don't know if this is the right forum for this but here goes. I am running a Dual 1.25 GHZ processor, and was wondering how much faster one of the new Apple line will help. has anyone made an upgrade and found the new speed significant to justify b