Auditing, Fine Grained Access, Data Vault or Triggers on Updates/Deletes ?

Similar Messages

• How to pass the context from Portal to Database for fine grain access?

  Hi,
  I am developing an omniportlet and I need to pass on the context of the logged in user to the database so that when the user tries to access data in the omniportlet, he can see data relevant to him only. Does anyone know how to do that?
  I have set up a light weight user scott and also has a schema in the database by the same name (scott)..
  what I am trying is when the user logs in as scott in the portal site and runs an omniportlet, he should be dynamically be logged in to scott the schema so that the data visible to him can be restricted. Same should happen for other users as well.
  Does anyone know in which table in the PORTAL schema is this connection information stored, so that I can override it using some API..?
  Thanks,
  Abhi

  I had tried sending the user_name in the sql and that works fine. but my requirement is that the user should login to his schema and only his schema directly and automatically.. such that even if an omniportlet is created using some default schema, when user logs in he can access only the schema meant for him..
  e.g. While running the omniportlet when logged-in as user scott, he should be logged-in to scott schema in the database, so that the fine grain access can be enabled ..
  Edited by: user6386347 on Mar 12, 2009 12:15 PM

• FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징

  제품 : ORACLE SERVER
  작성날짜 : 2005-11-24
  FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징
  =======================================================================
  PURPOSE
  row leve의 security 및 context관리 방법인 FGAC에 대한 간단한 개념 및 사용방법은
  <bul 23026>에 제시하였다.
  이 문서에는 FGAC를 위한 dbms_rls package의 8i ~ 10g까지의 version별 특징을
  정리하며, STATIC_POLICY와 POLCICY_TYPE parameter에 대해서는 예제를 이용하여
  자세히 살펴보도록 한다.
  Explanation & Examples
  dbms_rls.add_policy를 사용할 때 일반적으로 주는 value값의 예제는 다음과 같다.
  이중 대부분은 default값을 이용하여, 일반적으로는 앞의 5개의 parameter만
  value를 주면 된다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  > object_schema => 'SCOTT', -
  > object_name => 'EMP', -
  > policy_name => 'POL1', -
  > function_schema => 'SYS', -
  > policy_function => 'PREDICATE', -
  > statement_types => 'SELECT', -
  > static_policy => false, -
  > policy_type => DBMS_RLS.DYNAMIC
  > long_predicate => false);
  1. FGAC의 version별 특징
  (1) sec_relevant_cols/sec_relevant_cols_opt : 10G
  위에 기술한 add_policy procedure의 parameter외에 10g에서 추가된
  parameter로 다음 두 parameter가 존재한다.
  이 parameter는 해당되는 column이 조회될때만 policy가 작동하게 하기 위한
  것으로 metalink.oracle.com site에서 <Note 250795.1> 를 살펴보면 사용 방법
  및 예제를 확인 가능하다.
  - sec_relevant_cols
  - sec_relevant_cols_opt
  (2) long_predicate : 10G
  default는 false이며, true로 지정하는 경우 predicate이 4000 bytes이상이
  될 수 있다.
  (3) statement_types : 10G부터 INDEX type추가
  9i까지는 SELECT, INSERT, UPDATE, DELETE에 대해서는 FGAC를 적용할 수
  있었으나, 10g부터는 INDEX type도 지정 가능하다.
  index를 지정하는 경우, function-based index 생성을 제한할 수 있으며,
  자세한 예제는 metalink.oracle.com site에서 <Note 315687.1>를 조회하여
  확인할 수 있다.
  (4) EXEMPT ACCESS POLICY 권한 : 9i
  특정 user가 모든 fine-grained access control policy의 영향을 받지
  않도록 하려면 exempt access policy권한을 grant하면 되며, 이것은 9i부터
  소개되었다.
  SQL> grant exempt access policy to scott;
  와 같은 방식으로 권한을 부여하면 되며, 이에 대한 자세한 예제는
  metalink.oracle.com site에서 <Note 174799.1>를 통해 확인 가능하다.
  (5) synonym에 대한 policy설정 : 9.2
  synonym에 대해서 VPD (Virtudal Private Database)에 대한 policy를 설정하는
  것이 가능해 졌으며 이에 대해서는 metalink.oracle.com에서 <Note 174368.1>를
  조회하여 자세한 방법 및 예제를 살펴볼 수 있다.
  (6) static_policy : 8.1.7.4
  static_policy paramter는 8i에는 없던 것으로 9i에서 도입되면서, 8.1.7.4에도
  반영되었다. default값은 false이며, 8173까지는 항상 false인 형태로 동작한다.
  즉, policy function이 매번 object를 access할때마다 실행된다.
  8.1.7.4부터는 이 parameter를 true로 설정할 수 있는대, 이렇게 되면
  해당 session에서 policy function이 한번 실행되고 그 function이 shared pool에
  cache되어 있으면 재실행없이 그대로 사용된다.
  10g부터는 (7)번에 설명하는 policy_type parameter가 추가되어,
  이 parameter에 true로 지정하는 대신, static_type은 false로 두고,
  policy_type을 dbms_rls.static 으로 지정하면,
  9i와 8174에서 static_policy를 true로 한것과 같은 결과가 나타난다.
  (7) policy_type: 10g
  다음과 같이 5가지 value가 가능하며, 이 중 default는 dynamic이다.
  - STATIC
  policy fuction에 포함된 predicate이 runtime환경에 따라 다른 결과를 내지
  않는 경우 사용하게 된다. 예를 들어 sysdate의해 다른 결과를 return하는
  경우에는 사용하면 사용하면 문제가 될 수 있다.
  static을 사용하는 경우 policy function은 한번 실행되어 SGA에 올라온 다음
  이후 같은 session에서 같은 object를 사용시에는 재실행 없이 해당 predicate의
  결과를 그대로 사용한다.
  - SHARD_STATIC
  STATIC과 같으나, 이 값은 다른 object에 대해서도 같은 predicate function이
  사용되는 경우, 먼저 cache된 predicate을 찾아서 있으면 그 값을 이용한다.
  STATIC의 경우는 다른 object 사이에서는 공유하지 않으며 같은 object에
  대해서만 cache된 값을 사용한다.
  - CONTEXT_SENSITIVE
  한 session에서 context가 변경되면 그때 predicate를 재 실행시킨다.
  WAS(web application server)를 사용하는 경우 connection pooling방법을
  기본적으로 사용하는대, 이 경우 하나의 session을 여러 사용자가 이어서
  교대로 사용하는 방식이 된다. 이 경우 middle tier단에서 context를 설정해
  주면 context가 변경될때마다 predicate를 새로 실행시켜 변경된 sysdate나
  session_user등의 값을 다시 계산하게 되는것이다.
  jdbc에서 context설정에 관한 예제는 metalink.oracle.com에서
  <Note 110604.1>에서 확인가능하다.
  - SHARED_CONTEXT_SENSITIVE
  context_sensitive와 동일하며, 단 shared_static과 마찬가지로 여러 object에
  대해서 같은 predicate을 사용하는 경우 다른 object에 대한 같은 predicate이
  cache되어 있는지를 먼저 살펴본다.
  존재하면 session private application context가 변경되기 전까지 그 predicate의
  결과를 그대로 사용한다.
  - DYNAMIC
  이 값이 default값이다. 즉, predicate function이나 시스템이나 환경에
  영향을 받는다고 판단하여 statement가 실행될때마다 매번 predicate function을
  재 실행하여 환경에 맞는 값을 return하여 준다.
  아래에서 sysdate 값에 따라 다른 결과를 return하게 되어 있는
  predicate을 이용한 예제를 통해 정확한 메카니즘을 확인한다.
  2. static_policy 및 policy_type의 value에 따른 policy function의 작동예제
  (a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
  (1) 기존에 pol1 policy가 존재하는 경우 다음과 같이 drop시킨다.
  SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
  (2) 다음과 같이 predicate function을 scott user로 만들어둔다.
  SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
  2 return varchar2 is d_predicate varchar2(2000);
  3 begin
  4 if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI')<'05' then
  5 d_predicate := 'ename = sys_context (''USERENV'' , ''SESSION'');
  6 else d_predicate := 'sal>=3000';
  7 end if;
  8 return d_predicate;
  9 end predicate;
  10 /
  (3) pol1을 새로 add시킨다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  object_schema => 'SCOTT', -
  object_name => 'EMP', -
  policy_name => 'POL1', -
  function_schema => 'SCOTT', -
  policy_function => 'PREDICATE', -
  statement_types => 'SELECT', -
  static_policy => TRUE, -
  policy_type => NULL);
  (4) adams user에서 scott.emp를 조회해 본다.
  단 다음과 같이 scott.emp에 대한 select권한을 king에게 주어야 한다.
  SQL>grant select on emp to king;
  SQL>!date
  Thu Nov 24 14:01:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  5분이후가 되어 predicate function의 if조건을 만족하지 않아도,
  king user는 같은 값을 emp table에 대해서 return한다.
  SQL>!date
  Thu Nov 24 14:10:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  (b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
  (1) 기존의 policy를 다음과 같이 drop시킨다.
  SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
  (2) pol1을 새로 add시키는대 이대 static_policy와 policy_type을 다음과 같이
  변경한다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  object_schema => 'SCOTT', -
  object_name => 'EMP', -
  policy_name => 'POL1', -
  function_schema => 'SCOTT', -
  policy_function => 'PREDICATE', -
  statement_types => 'SELECT', -
  static_policy => flase, -
  policy_type => dbms_rls.dynamic);
  (3) king user에서 조회해본다.
  predicate function은 위의 2-(a)에서 실행한 것을 그대로 사용한다.
  즉 (a)를 실행하지 않은 경우, 조회전에 (a)-(2)번을 실행해야 한다.
  SQL>!date
  Thu Nov 24 15:01:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  5분 이후가 되어 다시한번 king user에서 실행해본다.
  SQL>!date
  Thu Nov 24 15:10:13 EST 2005
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7788 SCOTT ANALYST 7566 19-APR-87 3000
  20
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  7902 FORD ANALYST 7566 03-DEC-81 3000
  20
  RELATED DOCUMENTS
  <Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
  in DBMS_RLS.ADD_POLICY Procedure
  <Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
  to 10g

  first you could use default column values, not a trigger, which is more expensive.
  if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

• Fine Grained Access ERROR on INSERT when generating unique keys

  I'm using VPD/Fine Grained Access Control (FGAC) to implement security on my 9i backend. I created a security policy function that returns the predicate 'owner = USER'; - each of the tables has an additional column titled OWNER which contains the name of the logged-in user. Every time a user inserts a record, a BEFORE INSERT trigger fires (for every row) and inserts the USER name into the OWNER column. This is fairly straightforward and ensures that users can see only their rows. Using the DBMS_RLS.add_policy procedure, I attached the security policy to several tables and made it effective upon SELECT, UPDATE, INSERT, and DELETE statements.
  However, the frontend Java application (custom-made) generates unique IDs (sequences are not used) by selecting max(ID)+1 from the primary key columns of the tables. The problem is that the predicate is appended to the SELECT max(ID)+1 query to limit the max(ID) to only those rows where 'owner = USER'. Therefore, the max(ID) generated is not the largest ID for the entire table, but only the largest among the USER rows.
  So unless that USER happens to have the the largest ID in the whole table (and it has worked then), a primary-key violation error will be returned and the INSERT operation will be aborted.
  How can I allow every USER to select from AND get the absolute largest ID from the PK column without allowing that user to select records that don't belong to him? If I had developed the application, I would have made use of sequences on the back-end to generate unique primary key IDs. Unfortunately, I don't have this option and must work with the application as is.
  NOTE: the front-end Java application understands only the base table names, NOT Views created by me on the server. If the answer to this problem involves views, how can I make use of them on the backend when the front-end code does not recognize them?
  Any help is greatly appreciated!
  Michael

  first you could use default column values, not a trigger, which is more expensive.
  if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

• Got ORA-00439:  feature not enabled: Fine-grained access control

  Trying to implement VPD, I've got ORA-00439 when implementing Fine-grained access control. Will this be available on XE?

  Hi,
  lewisc: Yes. I mean "persistent package variables" and I know this feature is available in any version of Oracle. But, I don't know how It works whith HTMLDB when using "HTMLDB Authentication Scheme".
  i.e.: when I connect to an HTMLDB Application, I can see a new session on
  V$SESSION with username=ANONYMOUS with SID=xxx and SERIAL#=yyyy.
  1.-Will HTMLDB use the same session until User Press "logout" link?
  2.-Will this particular Database session be exclusive or shared for any HTMLDB sessions?
  3.-If I Logout from HTMLDB App, then Login again, Will HTMLDB reuse the same session?
  or will create a new one?
  -About VPD.
  VPD is a Personal Edition feature too. All features of EE is
  available on Personal Edition except RAC and a few others
  specials features.
  After all:
  Maybe with these examples you can see my question.
  CREATE OR REPLACE VIEW myviewname
  AS
  SELECT *
  FROM mytablename
  WHERE somecolumn = V('Fxxx_HTMLDB_ITEM_NAME')
  CREATE OR REPLACE TRIGGER mytriggername
  BEFORE
  INSERT
  ON mytablename
  FOR EACH ROW
  BEGIN
  :new.mycolumn1 := V('Fxxx_HTMLDB_ITEM_NAME');
  END;
  Can these two examples work? If so, maybe there is something wrong in my applications.
  Thanks GaryM for your issues and I already know this can be done that way

• Fine Grain Access Control gives ORA-02014

  Using Fine Grain Access Control on Oracle 8i 8.1.6, when a policy is enabled on a table then queries of the form "select * from table for update nowait" give "ORA-02014 cannot select FOR UPDATE from view with DISTINCT, GROUP BY, etc.".
  Similar queries without the "for update nowait" work OK.
  Does anyone have a fix or workaround?
  null

  I ran into this. If you're using a function to add to/add a where clause to your statement, when the where clause gets appended to the end and generates an error. You should be seeing trace files in the udump area of oracle that show you the actual sql line that is being created in error. I modified my function to add the FOR UPDATE NOWAIT in the correct place.

• Fine Grained Access Control

  I have three tables
  1. Grade table where information for each grade is maintained
  like basic, increments.
  2. graderole - here i have defined roles which can access each
  grade
  3. userrole users for each role.
  eg:
  userrole table has one user as ops$ravi who has access to 'MM'
  role
  graderole table has multiple records for role 'MM' who can
  access some grades.
  zarine_test table where all grades and its basic and increments
  are defined.
  I want ops$ravi to access only grades as per graderole table
  i.e. JM to MM grade
  I have tried this command with three tables.
  Some times it does not even allows me to login as ops$ravi
  saying that
  ERROR: ORA-00604: error occurred at recursive SQL level 1
  ORA-01031: insufficient privileges
  ORA-06512: at "SYS.DBMS_SESSION", line 58
  ORA-06512: at "OPS$PERDBA.CONTEXTPACKAGE", line 8
  ORA-06512: at line 2
  At one other instance, it allows to login as user but we get a
  error like FUNCTION POLICY NOT PROPERLY DEFINED FOR TABLE
  These are the steps I have followed:
  1. Create context perdba_ctxt      
  CREATE OR REPLACE CONTEXT perdba_ctxt USING
  perdba.contextpackage;
  CREATE OR REPLACE PACKAGE contextpackage AS
       PROCEDURE setcontext;
  END;
  2. Create context package
  Get login'ed users role from the initial group set for him eg:
  ops$ravi will fetch 'MM' group
  -- create context package body fg6
  CREATE OR REPLACE PACKAGE BODY contextpackage IS
  PROCEDURE setcontext IS
       l_persons_id     varchar2(30);
       l_logged_person     VARCHAR2(30);
       l_user_role     VARCHAR2(30);
       l_job          VARCHAR2(35);
  BEGIN
       DBMS_SESSION.SET_CONTEXT('PERDBA_CTXT','SETUP','TRUE');
       l_logged_person:= SYS_CONTEXT('USERENV','SESSION_USER');
       SELECT SUBSTR(initial_rsrc_consumer_group,1,4) INTO
  l_user_role FROM dba_users WHERE username = l_logged_person;
       IF l_user_role = 'MM' THEN
  BEGIN
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','ROLE','MM');
            SELECT username INTO l_persons_id
            FROM userrole
            WHERE userNAME = SYS_CONTEXT
  ('USERENV','SESSION_USER');
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','PERSONS_ID','L_PERSONS_ID');
       EXCEPTION
            WHEN NO_DATA_FOUND THEN
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','PERSONS_ID',0);
       END;
       ELSIF l_user_role = 'CGM' THEN
  BEGIN
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','ROLE','CGM');
            SELECT username INTO l_persons_id
            FROM userrole
            WHERE userNAME = SYS_CONTEXT
  ('USERENV','SESSION_USER');
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','PERSONS_ID','L_PERSONS_ID');
       EXCEPTION
            WHEN NO_DATA_FOUND THEN
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','PERSONS_ID',0);
       END;
       END IF;
       DBMS_SESSION.SET_CONTEXT('PERDBA_CTXT','SETUP','FALSE');
       END SETCONTEXT;
       END CONTEXTPACKAGE;
  3. create security package     
  CREATE OR REPLACE PACKAGE securitypackage AS
  FUNCTION gradeselectsecurity(OWNER IN VARCHAR2, OBJECT_NAME IN
  VARCHAR2)
  RETURN VARCHAR2;
  END SECURITYPACKAGE;
  4. create security package body     
  Here this condition will get attached to select when user log's
  in
  CREATE OR REPLACE PACKAGE BODY securitypackage IS
  FUNCTION gradeselectsecurity(OWNER IN VARCHAR2, OBJECT_NAME IN
  VARCHAR2)
  RETURN VARCHAR2 IS
  l_predicate VARCHAR2(200);
  l_get_role VARCHAR2(20);
  BEGIN
  l_predicate:='1=2';
  l_get_role := SYS_CONTEXT('PERDBA_CTXT','ROLE');
  DBMS_OUTPUT.PUT_LINE(L_GET_ROLE);
  IF (RTRIM(LTRIM(l_get_role)) = 'MM') THEN
  l_predicate := 'grd_id IN (SELECT GRD_ID FROM GRADEROLE
                 WHERE USERROLE = (SELECT USERROLE FROM
  userROLE WHERE USERROLE = ''MM'' AND USERNAME
  = ''OPS$PERDBA''))';
  --L_GET_ROLE AND
  --USERNAME = ''OPS$PERDBA''))';
  --SYS_CONTEXT(''PERDBA_CTXT'',''PERSONS_ID'')))';
  -This script does not work., thats why i fixed values as MM and
  ops$perdba
  END IF;
  RETURN l_predicate;
  END gradeselectsecurity;
  END SecurityPackage;
  5. create consumer group
  BEGIN
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA();
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA();
  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP(CONSUMER_GROUP
  => 'MM', COMMENT => 'GROUP FOR GRADES JM TO MM');
  DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA();
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA();
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA();
  END;
  6. create users          
  CREATE USER ops$ravi idetified by ravi
       default tablespace pay3_ts
       temporary tablespace temp_pay3_ts;
  grant connect , resource to ops$ravi;
  grant create session to ops$ravi;
  grant select on dba_users to ops$ravi;
  user ops$cgm also created in the same fashion.
  7. Assign initial consumer group
  -- assign initial consumer group
  BEGIN
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP
  ('OPS$RAVI','MM',TRUE);
  DBMS_RESOURCE_MANAGER.SET_INITIAL_CONSUMER_GROUP
  ('OPS$RAVI','MM');
  END;
  8. Attach security policy
  --attach security policy fg11
  BEGIN
  DBMS_RLS.ADD_POLICY(     'OPS$PERDBA',
                 'ZARINE_TEST',
                 'GRADE_SELECT_POLICY',
                 'OPS$PERDBA',
                 'SECURITYPACKAGE.GRADESELECTSECURITY',
                 'SELECT',
                 TRUE
  END;
  12. create context trigger
  -- create context trigger fg12
  CREATE OR REPLACE TRIGGER PERDBA.setsecuritycontext
  AFTER LOGON ON DATABASE
  BEGIN
       PERDBA.CONTEXTPACKAGE.SETCONTEXT;
  --null;
  END;

  you have mistyped the username/schemaname, it is ops$perdba, not perdba

• DBMS_RLS를 이용한 FINE GRANED ACCESS CONTROL (FGAC)의 개념 및 사용방법 (8I ~ 10G)

  제품 : ORACLE SERVER
  작성날짜 : 2005-11-23
  DBMS_RLS를 이용한 FINE GRANED ACCESS CONTROL (FGAC)의 개념 및 사용방법 (8I ~ 10G)
  =====================================================================
  PURPOSE
  여러 사용자가 같은 테이블을 조회하더라도, 각 사용자마다 자신의 정보만을
  표시해 준다거나, 특정 시간 범위 내에서는 다른 조건의 데이타만 보여지는 등
  row level의 security및 context를 지정하는 것이 8i부터
  FGAC (Fine Graned Access Control)을 통해 가능해졌다.
  이것은 VPD (Virtual Private Database)라는 용어로도 언급되어지는대,
  dbms_rls pacakge를 통해 policy 및 predicate을 생성하여 사용되어진다.
  Explanation & Examples
  FGAC는 row level로 security 및 context를 부여하는 것으로 결국 tranparent하게
  수행하는 SQL문장에 where절 조건을 추가하는 것이다.
  이렇게 추가되는 where 조건을 predicate이라고 부른다.
  1. FGAC의 간단한 예제
  scott의 emp table에 대해서 login한 username과 같은 ename에 대한 정보만을
  보여주는 예제를 제시한다. super_user라는 role을 가진 user에 대해서는
  전체 emp table이 모두 display되는 방법도 첨부한다.
  (1) dbms_rls package에 대한 실행 권한을 scott에게 부여한다.
  SQL> grant execute on dbms_rls to scott;
  (2) emp table의 ename에 해당하는 user몇명을 생성하고 권한을 부여한다.
  SQL> create user king identified by king;
  SQL> create user adams identified by adams;
  SQL> grant connect to king, adams, james;
  SQL> connect scott/tiger
  SQL> grant select on emp to king, adams, james, eykim;
  (3) scott user에서 다음과 같이 predicate을 포함한 function을 생성한다.
  SQL> connect scott/tiger
  SQL> create or replace function predicate
  (obj_schema varchar2, obj_name varchar2)
  return varchar2 is d_predicate varchar2(2000);
  BEGIN
  d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
  RETURN d_predicate;
  END predicate;
  policy이 제대로 만들어졌는지 다음과 같이 scott user에서 확인한다.
  SQL> select predicate('dummy','dummy') from dual;
  PREDICATE('DUMMY','DUMMY')
  ename = sys_context ('USERENV', 'SESSION_USER')
  (4) 다음 문장을 system 혹은 scott user에서 실행한다.
  이때 parameter의 의미는, object_schema, object_name, policy_name,
  function_schema, policy_function 순이다. 이 외의 parameter가 더 있지만
  나머지는 default값을 이용한다.
  SQL> exec dbms_rls.add_policy('scott', 'emp', 'pol1', 'scott', 'predicate');
  기존의 같은 policy name이 존재하는 경우에는 다음과 같이 지우고 새로 생성할
  수 있다.
  SQL> exec dbms_rls.drop_policy( 'SCOTT', 'EMP', 'pol1' );
  (5) king/scott등 user로 접속하여 emp table을 조회해 본다.
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  SQL> connect scott/tiger
  SQL> select * from emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7788 SCOTT ANALYST 7566 19-APR-87 3000
  20
  (6) emp table의 ename에 속해있지 않은 user로 접속하여 조회해 본다.
  eykim user에 대해서 emp table의 select권한은 (2)번 단계에서 제공되었다.
  SQL> connect eykim/eykim
  SQL> select * from scott.emp;
  no rows selected
  (7) super_user라는 role을 생성하고 이 role을 가진 사용자는 모두 데이타가 조회
  가능하도록 policy function을 변경하여 본다.
  SQL> grant select on dba_role_privs to scott;
  SQL> create or replace function predicate (obj_schema varchar2, obj_name varchar2)
  return varchar2 is d_predicate varchar2(2000);
  counter number;
  begin
  select count(*) into counter
  from dba_role_privs
  where granted_role='SUPER_USER'
  and grantee = sys_context ('USERENV', 'SESSION_USER');
  if counter = 1 then
  d_predicate := '';
  else
  d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
  end if;
  return d_predicate;
  end predicate;
  (8) king user에게 super_user role을 부여한 후 (5)번과 어떻게 결과가 다르게
  나오는지 확인한다.
  SQL> create role super_user;
  SQL> grant super_user to king;
  SQL> connect king/king
  SQL> select * from emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7369 SMITH CLERK 7902 17-DEC-80 800
  20
  7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300
  30
  7902 FORD ANALYST 7566 03-DEC-81 3000
  20
  7934 MILLER CLERK 7782 23-JAN-82 1300
  10
  14 rows selected.
  RELATED DOCUMENTS
  <Note 67977.1> Oracle8i Fine Grained Access Control - Working Examples

• Should I use the fine-grained auditing?

  I need to record the changes (of data) made to serveral tables by users. For example, I have to check the before and after images of the changes and what kind of transactions they do to cause the changes. Sould I program the logging procedure in the application or should I use the fine-grained auditing function of oracle to do it. I am not sure what this built-in function can do for me. Can anyone give me some advice on this? Thks.
  A beginner

  Why Fine-Grained Auditing?
  You may want to check standard auditing if it is suitable for you
  http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cfgaudit.htm#BABCFIHB
  I don't think you can get pre and post update values of the affected data with Auditing.
  FGA is useful when you want to audit just a "subset" of the data in the table.
  (for instance, audit everyone that wants to get all records from EMP table where SALARY > 100000)
  Message was edited by:
  tekicora

• Fine Grained Audit records to syslog

  Hello experts,
  I am working on Standard Auditing and Fine Grained Auditing on 11.2.0.3 databases on Red Hat x86_64.
  I am trying to send Fine Grained Audit records to syslog as for my Standard Audit records with audit_trail set to OS, but can't find any appropriate option.
  When I create FGA policies with the ADD_POLICY procedure of the DBMS_FGA package, the audit_trail parameter can only be set to DB or XML, as stated in [PL/SQL Packages and Types Reference|http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_fga.htm#CDEIECAG].
  Does somebody know if it is possible to send FGA audit records to syslog directly:
  1. without using any additional product (e.g. Oracle Audit Vault)?
  2. without doing manual extraction from fga_log$ or DBA_COMMON_AUDIT_TRAIL?
  Thanks for any suggestion.

  Hi,
  Well, i did not used FGA yet.
  I used audit_Trail=db and the query SELECT username,extended_timestamp,owner,obj_name,action_name,sql_text FROM dba_audit_trail WHERE to_char(extended_timestamp, 'DD/MM/RR') = to_char(SYSDATE - 1, 'DD/MM/RR') ORDER BY timestamp)
  Then i wrote a procedure, and exported the results using utl_file .
  And i scheduled this procedure to run daily.
  It works pretty good, if you like the solution as ask for details.
  Hope that helps,
  Regards.

• Fine-grained auditing

  Is there any way to audit more than one table using fine-grained auditing in oracle 10.2.0.
  Thnks in advance.

  sonidba wrote:
  Is there any way to audit more than one table using fine-grained auditing in oracle 10.2.0.
  Thnks in advance.Read this
  Re: use multiple tables in FGA Add_policy?

• How to know if Fine Grain Auditing is used

  I have to migrate a exsisting database to a new plattaform.The old database is a Enterprise Edition and the new must be a Standard  Edition.
  But first I must make sure that none of the functions of the Enterpise edition is being used.
  How I can know if the database is using the Fine Grain Auditing?
  thanks

  Thank you. Furthermore you can find a lot of resource about it.
  Regards
  http://www.oracle.com/technetwork/database/security/index-083815.html

• Function-based index error due to fine-grained security

  Hi, i'm working on Oracle version 9.2.0.5.
  I'm trying to create a function-based index but i'm getting an error due to fine-grained security. I checked resource_view but if i'm not wrong I should have all necessary roles. I also added xdbadmin to this user to be sure.
  I tried also to alter my session but it didn't worked.
  Connected to Oracle9i Enterprise Edition Release 9.2.0.5.0
  Connected as test_ste
  SQL>
  SQL> create index fbidx_schede_xml
    2  on schede_progetti_xml p
    3  (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal());
  create index fbidx_schede_xml
  on schede_progetti_xml p
  (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal())
  ORA-28133: full table access is restricted by fine-grained security
  ORA-06512: at "SYS.XMLTYPE", line 0
  ORA-06512: at line 1
  SQL>
  SQL> alter session set query_rewrite_enabled = true;
  Session altered
  SQL> alter session set query_rewrite_integrity = trusted;
  Session altered
  SQL> create index fbidx_schede_xml
    2  on schede_progetti_xml p
    3  (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal());
  create index fbidx_schede_xml
  on schede_progetti_xml p
  (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal())
  ORA-28133: full table access is restricted by fine-grained security
  ORA-06512: at "SYS.XMLTYPE", line 0
  ORA-06512: at line 1
  SQL> select * from user_role_privs;
  USERNAME                       GRANTED_ROLE                   ADMIN_OPTION DEFAULT_ROLE OS_GRANTED
  TEST_STE                      CONNECT                        NO           YES          NO
  TEST_STE                      CTXAPP                         NO           YES          NO
  TEST_STE                      RESOURCE                       NO           YES          NO
  TEST_STE                      XDBADMIN                       NO           YES          NO
  SQL> This are ACL on my schema:
    <ACL>
      <acl description="Private:All privileges to OWNER only and not accessible to others" xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="DAV:"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd                           http://xmlns.oracle.com/xdb/acl.xsd">
        <ace>
          <principal>dav:owner</principal>
          <grant>true</grant>
          <privilege>
            <all/>
          </privilege>
        </ace>
      </acl>
    </ACL>I tried to create a similar function-based index on Oracle 10.2.0.3 without any problem and without touching any ACL, is an Oracle 9.2.0.5 problem?
  Thanks for your attention.

  I didn't really (production wise)work yet with VPD. I know a lot is based on DBMS_RLS and I guess (IF it is VPD related) it should be to hard to find in the doc's how you could check what is beyond your privileges. As a DBA I noticed that even the dba account SYSTEM isn't always allow to export the full content for the tables anymore.
  There is a privilege that grants you all access that you need, despite the fact that you are not allowed to read certain rows from a table. Look it up.
  In all, as I said, it looks like account is not allowed to see all data from a table. In that respect it sounds logical that you also are, in that case, not allowed to build a function based index on that data

• The newest version of iTunes is awful when it comes to Cloud syncing-file management. I'm constantly frustrated with what iTunes 'chooses to eliminate from my mobile device and settings aren't fine-grained enough to allow for real user control.

  I'm endlessly frustrated with iTunes Cloud syncing, something that was supposed to make lenjoying my music easier. I routinely find that, though itunes and podcasts have been split, iTunes arbitrairily removes music files or in progress podcast in favor of 'new' podcasts. The settings are just not fine-grained enough to allow true user control and so we are instead subjected to 'Apple knows best' protocols. I understand and appreciate the level of exacting control Apple excercises over their ecosystem, however, more and more often I see them tightening control over things that should be user control while dropping the ball on aesthetic desisions made in producing their own software (see the hideous pull down tab for iTunes to access Podcast, TV shows, Music, etc.
  I would like to see features like those in Mail and the Podcasting apps implemented in iTunes afor the management of content on mobile devices, for instance it would be great to swipe to delete files that you know longer want on your device, at both the album and song level. Another issues is the new pushiness of iRadio and iTunes Store, the app now seems to default to the iRadio page (versus the last page Albums, songs, etc. that the user was navigating, or in the instance of the iTunes Store push, if I doon't have all the tracks of an album i own on my mobile device 'complete my album' takes you to iTunes store rather than showing the 'cloud' download icon next to missing tracks. These are the tactics I expect from Google, not Apple (pushing commerce over quality user experience).
  Fix these things Apple, please.

• How do I access  data from one user account to another?

  I want to access data from a different user account. How do I make all the files available?

  I have another post here in the forum that explains in detail about the rez problem. It was read by a lot of people with no responses. 1 thing that might be important is that I was using a Wacom drawing tablet when this problem started. I removed the Wacom software and no help.
  My Apple 23" Cinema display has very large icons but the display prefs says it is at 1920 x 1200. It's not just a low screen rez but the dock and all icons will scroll on the screen when I move the mouse.
  The resolution will not change to anything else. The rez is fine on other user names.
  I have booted from the Apple DVD and run disk repair, repaired disk permissions. Booted and run Tech Tool.
  Booted from the Disk Warrior cd and ran that.
  I have zapped the PRAM. I have plugged the display into the other port on the video card.
  When I change to the problem user name it is fine for about 1 second and then changes to the "problem". I have never seen this before and I have been using a Mac since 1990.
  It's a G-5. Dual 2.0 ghz. 2.5 gb ram. OS 10.5.8. Apple keyboard. Logitech mouse and
  Thanks.