FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징

제품 : ORACLE SERVER
작성날짜 : 2005-11-24
FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징
=======================================================================
PURPOSE
row leve의 security 및 context관리 방법인 FGAC에 대한 간단한 개념 및 사용방법은
<bul 23026>에 제시하였다.
이 문서에는 FGAC를 위한 dbms_rls package의 8i ~ 10g까지의 version별 특징을
정리하며, STATIC_POLICY와 POLCICY_TYPE parameter에 대해서는 예제를 이용하여
자세히 살펴보도록 한다.
Explanation & Examples
dbms_rls.add_policy를 사용할 때 일반적으로 주는 value값의 예제는 다음과 같다.
이중 대부분은 default값을 이용하여, 일반적으로는 앞의 5개의 parameter만
value를 주면 된다.
SQL> exec DBMS_RLS.ADD_POLICY ( -
> object_schema => 'SCOTT', -
> object_name => 'EMP', -
> policy_name => 'POL1', -
> function_schema => 'SYS', -
> policy_function => 'PREDICATE', -
> statement_types => 'SELECT', -
> static_policy => false, -
> policy_type => DBMS_RLS.DYNAMIC
> long_predicate => false);
1. FGAC의 version별 특징
(1) sec_relevant_cols/sec_relevant_cols_opt : 10G
위에 기술한 add_policy procedure의 parameter외에 10g에서 추가된
parameter로 다음 두 parameter가 존재한다.
이 parameter는 해당되는 column이 조회될때만 policy가 작동하게 하기 위한
것으로 metalink.oracle.com site에서 <Note 250795.1> 를 살펴보면 사용 방법
및 예제를 확인 가능하다.
- sec_relevant_cols
- sec_relevant_cols_opt
(2) long_predicate : 10G
default는 false이며, true로 지정하는 경우 predicate이 4000 bytes이상이
될 수 있다.
(3) statement_types : 10G부터 INDEX type추가
9i까지는 SELECT, INSERT, UPDATE, DELETE에 대해서는 FGAC를 적용할 수
있었으나, 10g부터는 INDEX type도 지정 가능하다.
index를 지정하는 경우, function-based index 생성을 제한할 수 있으며,
자세한 예제는 metalink.oracle.com site에서 <Note 315687.1>를 조회하여
확인할 수 있다.
(4) EXEMPT ACCESS POLICY 권한 : 9i
특정 user가 모든 fine-grained access control policy의 영향을 받지
않도록 하려면 exempt access policy권한을 grant하면 되며, 이것은 9i부터
소개되었다.
SQL> grant exempt access policy to scott;
와 같은 방식으로 권한을 부여하면 되며, 이에 대한 자세한 예제는
metalink.oracle.com site에서 <Note 174799.1>를 통해 확인 가능하다.
(5) synonym에 대한 policy설정 : 9.2
synonym에 대해서 VPD (Virtudal Private Database)에 대한 policy를 설정하는
것이 가능해 졌으며 이에 대해서는 metalink.oracle.com에서 <Note 174368.1>를
조회하여 자세한 방법 및 예제를 살펴볼 수 있다.
(6) static_policy : 8.1.7.4
static_policy paramter는 8i에는 없던 것으로 9i에서 도입되면서, 8.1.7.4에도
반영되었다. default값은 false이며, 8173까지는 항상 false인 형태로 동작한다.
즉, policy function이 매번 object를 access할때마다 실행된다.
8.1.7.4부터는 이 parameter를 true로 설정할 수 있는대, 이렇게 되면
해당 session에서 policy function이 한번 실행되고 그 function이 shared pool에
cache되어 있으면 재실행없이 그대로 사용된다.
10g부터는 (7)번에 설명하는 policy_type parameter가 추가되어,
이 parameter에 true로 지정하는 대신, static_type은 false로 두고,
policy_type을 dbms_rls.static 으로 지정하면,
9i와 8174에서 static_policy를 true로 한것과 같은 결과가 나타난다.
(7) policy_type: 10g
다음과 같이 5가지 value가 가능하며, 이 중 default는 dynamic이다.
- STATIC
policy fuction에 포함된 predicate이 runtime환경에 따라 다른 결과를 내지
않는 경우 사용하게 된다. 예를 들어 sysdate의해 다른 결과를 return하는
경우에는 사용하면 사용하면 문제가 될 수 있다.
static을 사용하는 경우 policy function은 한번 실행되어 SGA에 올라온 다음
이후 같은 session에서 같은 object를 사용시에는 재실행 없이 해당 predicate의
결과를 그대로 사용한다.
- SHARD_STATIC
STATIC과 같으나, 이 값은 다른 object에 대해서도 같은 predicate function이
사용되는 경우, 먼저 cache된 predicate을 찾아서 있으면 그 값을 이용한다.
STATIC의 경우는 다른 object 사이에서는 공유하지 않으며 같은 object에
대해서만 cache된 값을 사용한다.
- CONTEXT_SENSITIVE
한 session에서 context가 변경되면 그때 predicate를 재 실행시킨다.
WAS(web application server)를 사용하는 경우 connection pooling방법을
기본적으로 사용하는대, 이 경우 하나의 session을 여러 사용자가 이어서
교대로 사용하는 방식이 된다. 이 경우 middle tier단에서 context를 설정해
주면 context가 변경될때마다 predicate를 새로 실행시켜 변경된 sysdate나
session_user등의 값을 다시 계산하게 되는것이다.
jdbc에서 context설정에 관한 예제는 metalink.oracle.com에서
<Note 110604.1>에서 확인가능하다.
- SHARED_CONTEXT_SENSITIVE
context_sensitive와 동일하며, 단 shared_static과 마찬가지로 여러 object에
대해서 같은 predicate을 사용하는 경우 다른 object에 대한 같은 predicate이
cache되어 있는지를 먼저 살펴본다.
존재하면 session private application context가 변경되기 전까지 그 predicate의
결과를 그대로 사용한다.
- DYNAMIC
이 값이 default값이다. 즉, predicate function이나 시스템이나 환경에
영향을 받는다고 판단하여 statement가 실행될때마다 매번 predicate function을
재 실행하여 환경에 맞는 값을 return하여 준다.
아래에서 sysdate 값에 따라 다른 결과를 return하게 되어 있는
predicate을 이용한 예제를 통해 정확한 메카니즘을 확인한다.
2. static_policy 및 policy_type의 value에 따른 policy function의 작동예제
(a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
(1) 기존에 pol1 policy가 존재하는 경우 다음과 같이 drop시킨다.
SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
(2) 다음과 같이 predicate function을 scott user로 만들어둔다.
SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
2 return varchar2 is d_predicate varchar2(2000);
3 begin
4 if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI')<'05' then
5 d_predicate := 'ename = sys_context (''USERENV'' , ''SESSION'');
6 else d_predicate := 'sal>=3000';
7 end if;
8 return d_predicate;
9 end predicate;
10 /
(3) pol1을 새로 add시킨다.
SQL> exec DBMS_RLS.ADD_POLICY ( -
object_schema => 'SCOTT', -
object_name => 'EMP', -
policy_name => 'POL1', -
function_schema => 'SCOTT', -
policy_function => 'PREDICATE', -
statement_types => 'SELECT', -
static_policy => TRUE, -
policy_type => NULL);
(4) adams user에서 scott.emp를 조회해 본다.
단 다음과 같이 scott.emp에 대한 select권한을 king에게 주어야 한다.
SQL>grant select on emp to king;
SQL>!date
Thu Nov 24 14:01:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
5분이후가 되어 predicate function의 if조건을 만족하지 않아도,
king user는 같은 값을 emp table에 대해서 return한다.
SQL>!date
Thu Nov 24 14:10:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
(b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
(1) 기존의 policy를 다음과 같이 drop시킨다.
SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
(2) pol1을 새로 add시키는대 이대 static_policy와 policy_type을 다음과 같이
변경한다.
SQL> exec DBMS_RLS.ADD_POLICY ( -
object_schema => 'SCOTT', -
object_name => 'EMP', -
policy_name => 'POL1', -
function_schema => 'SCOTT', -
policy_function => 'PREDICATE', -
statement_types => 'SELECT', -
static_policy => flase, -
policy_type => dbms_rls.dynamic);
(3) king user에서 조회해본다.
predicate function은 위의 2-(a)에서 실행한 것을 그대로 사용한다.
즉 (a)를 실행하지 않은 경우, 조회전에 (a)-(2)번을 실행해야 한다.
SQL>!date
Thu Nov 24 15:01:13 EST 2005
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
5분 이후가 되어 다시한번 king user에서 실행해본다.
SQL>!date
Thu Nov 24 15:10:13 EST 2005
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7788 SCOTT ANALYST 7566 19-APR-87 3000
20
7839 KING PRESIDENT 17-NOV-81 5000
10
7902 FORD ANALYST 7566 03-DEC-81 3000
20
RELATED DOCUMENTS
<Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
in DBMS_RLS.ADD_POLICY Procedure
<Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
to 10g

first you could use default column values, not a trigger, which is more expensive.
if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

Similar Messages

  • DBMS_RLS를 이용한 FINE GRANED ACCESS CONTROL (FGAC)의 개념 및 사용방법 (8I ~ 10G)

    제품 : ORACLE SERVER
    작성날짜 : 2005-11-23
    DBMS_RLS를 이용한 FINE GRANED ACCESS CONTROL (FGAC)의 개념 및 사용방법 (8I ~ 10G)
    =====================================================================
    PURPOSE
    여러 사용자가 같은 테이블을 조회하더라도, 각 사용자마다 자신의 정보만을
    표시해 준다거나, 특정 시간 범위 내에서는 다른 조건의 데이타만 보여지는 등
    row level의 security및 context를 지정하는 것이 8i부터
    FGAC (Fine Graned Access Control)을 통해 가능해졌다.
    이것은 VPD (Virtual Private Database)라는 용어로도 언급되어지는대,
    dbms_rls pacakge를 통해 policy 및 predicate을 생성하여 사용되어진다.
    Explanation & Examples
    FGAC는 row level로 security 및 context를 부여하는 것으로 결국 tranparent하게
    수행하는 SQL문장에 where절 조건을 추가하는 것이다.
    이렇게 추가되는 where 조건을 predicate이라고 부른다.
    1. FGAC의 간단한 예제
    scott의 emp table에 대해서 login한 username과 같은 ename에 대한 정보만을
    보여주는 예제를 제시한다. super_user라는 role을 가진 user에 대해서는
    전체 emp table이 모두 display되는 방법도 첨부한다.
    (1) dbms_rls package에 대한 실행 권한을 scott에게 부여한다.
    SQL> grant execute on dbms_rls to scott;
    (2) emp table의 ename에 해당하는 user몇명을 생성하고 권한을 부여한다.
    SQL> create user king identified by king;
    SQL> create user adams identified by adams;
    SQL> grant connect to king, adams, james;
    SQL> connect scott/tiger
    SQL> grant select on emp to king, adams, james, eykim;
    (3) scott user에서 다음과 같이 predicate을 포함한 function을 생성한다.
    SQL> connect scott/tiger
    SQL> create or replace function predicate
    (obj_schema varchar2, obj_name varchar2)
    return varchar2 is d_predicate varchar2(2000);
    BEGIN
    d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
    RETURN d_predicate;
    END predicate;
    policy이 제대로 만들어졌는지 다음과 같이 scott user에서 확인한다.
    SQL> select predicate('dummy','dummy') from dual;
    PREDICATE('DUMMY','DUMMY')
    ename = sys_context ('USERENV', 'SESSION_USER')
    (4) 다음 문장을 system 혹은 scott user에서 실행한다.
    이때 parameter의 의미는, object_schema, object_name, policy_name,
    function_schema, policy_function 순이다. 이 외의 parameter가 더 있지만
    나머지는 default값을 이용한다.
    SQL> exec dbms_rls.add_policy('scott', 'emp', 'pol1', 'scott', 'predicate');
    기존의 같은 policy name이 존재하는 경우에는 다음과 같이 지우고 새로 생성할
    수 있다.
    SQL> exec dbms_rls.drop_policy( 'SCOTT', 'EMP', 'pol1' );
    (5) king/scott등 user로 접속하여 emp table을 조회해 본다.
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7839 KING PRESIDENT 17-NOV-81 5000
    10
    SQL> connect scott/tiger
    SQL> select * from emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7788 SCOTT ANALYST 7566 19-APR-87 3000
    20
    (6) emp table의 ename에 속해있지 않은 user로 접속하여 조회해 본다.
    eykim user에 대해서 emp table의 select권한은 (2)번 단계에서 제공되었다.
    SQL> connect eykim/eykim
    SQL> select * from scott.emp;
    no rows selected
    (7) super_user라는 role을 생성하고 이 role을 가진 사용자는 모두 데이타가 조회
    가능하도록 policy function을 변경하여 본다.
    SQL> grant select on dba_role_privs to scott;
    SQL> create or replace function predicate (obj_schema varchar2, obj_name varchar2)
    return varchar2 is d_predicate varchar2(2000);
    counter number;
    begin
    select count(*) into counter
    from dba_role_privs
    where granted_role='SUPER_USER'
    and grantee = sys_context ('USERENV', 'SESSION_USER');
    if counter = 1 then
    d_predicate := '';
    else
    d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
    end if;
    return d_predicate;
    end predicate;
    (8) king user에게 super_user role을 부여한 후 (5)번과 어떻게 결과가 다르게
    나오는지 확인한다.
    SQL> create role super_user;
    SQL> grant super_user to king;
    SQL> connect king/king
    SQL> select * from emp;
    EMPNO ENAME JOB MGR HIREDATE SAL COMM
    DEPTNO
    7369 SMITH CLERK 7902 17-DEC-80 800
    20
    7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300
    30
    7902 FORD ANALYST 7566 03-DEC-81 3000
    20
    7934 MILLER CLERK 7782 23-JAN-82 1300
    10
    14 rows selected.
    RELATED DOCUMENTS
    <Note 67977.1> Oracle8i Fine Grained Access Control - Working Examples

  • Got ORA-00439:  feature not enabled: Fine-grained access control

    Trying to implement VPD, I've got ORA-00439 when implementing Fine-grained access control. Will this be available on XE?

    Hi,
    lewisc: Yes. I mean "persistent package variables" and I know this feature is available in any version of Oracle. But, I don't know how It works whith HTMLDB when using "HTMLDB Authentication Scheme".
    i.e.: when I connect to an HTMLDB Application, I can see a new session on
    V$SESSION with username=ANONYMOUS with SID=xxx and SERIAL#=yyyy.
    1.-Will HTMLDB use the same session until User Press "logout" link?
    2.-Will this particular Database session be exclusive or shared for any HTMLDB sessions?
    3.-If I Logout from HTMLDB App, then Login again, Will HTMLDB reuse the same session?
    or will create a new one?
    -About VPD.
    VPD is a Personal Edition feature too. All features of EE is
    available on Personal Edition except RAC and a few others
    specials features.
    After all:
    Maybe with these examples you can see my question.
    CREATE OR REPLACE VIEW myviewname
    AS
    SELECT *
    FROM mytablename
    WHERE somecolumn = V('Fxxx_HTMLDB_ITEM_NAME')
    CREATE OR REPLACE TRIGGER mytriggername
    BEFORE
    INSERT
    ON mytablename
    FOR EACH ROW
    BEGIN
    :new.mycolumn1 := V('Fxxx_HTMLDB_ITEM_NAME');
    END;
    Can these two examples work? If so, maybe there is something wrong in my applications.
    Thanks GaryM for your issues and I already know this can be done that way

  • Fine Grain Access Control gives ORA-02014

    Using Fine Grain Access Control on Oracle 8i 8.1.6, when a policy is enabled on a table then queries of the form "select * from table for update nowait" give "ORA-02014 cannot select FOR UPDATE from view with DISTINCT, GROUP BY, etc.".
    Similar queries without the "for update nowait" work OK.
    Does anyone have a fix or workaround?
    null

    I ran into this. If you're using a function to add to/add a where clause to your statement, when the where clause gets appended to the end and generates an error. You should be seeing trace files in the udump area of oracle that show you the actual sql line that is being created in error. I modified my function to add the FOR UPDATE NOWAIT in the correct place.

  • Fine Grained Access Control

    I have three tables
    1. Grade table where information for each grade is maintained
    like basic, increments.
    2. graderole - here i have defined roles which can access each
    grade
    3. userrole users for each role.
    eg:
    userrole table has one user as ops$ravi who has access to 'MM'
    role
    graderole table has multiple records for role 'MM' who can
    access some grades.
    zarine_test table where all grades and its basic and increments
    are defined.
    I want ops$ravi to access only grades as per graderole table
    i.e. JM to MM grade
    I have tried this command with three tables.
    Some times it does not even allows me to login as ops$ravi
    saying that
    ERROR: ORA-00604: error occurred at recursive SQL level 1
    ORA-01031: insufficient privileges
    ORA-06512: at "SYS.DBMS_SESSION", line 58
    ORA-06512: at "OPS$PERDBA.CONTEXTPACKAGE", line 8
    ORA-06512: at line 2
    At one other instance, it allows to login as user but we get a
    error like FUNCTION POLICY NOT PROPERLY DEFINED FOR TABLE
    These are the steps I have followed:
    1. Create context perdba_ctxt      
    CREATE OR REPLACE CONTEXT perdba_ctxt USING
    perdba.contextpackage;
    CREATE OR REPLACE PACKAGE contextpackage AS
         PROCEDURE setcontext;
    END;
    2. Create context package
    Get login'ed users role from the initial group set for him eg:
    ops$ravi will fetch 'MM' group
    -- create context package body fg6
    CREATE OR REPLACE PACKAGE BODY contextpackage IS
    PROCEDURE setcontext IS
         l_persons_id     varchar2(30);
         l_logged_person     VARCHAR2(30);
         l_user_role     VARCHAR2(30);
         l_job          VARCHAR2(35);
    BEGIN
         DBMS_SESSION.SET_CONTEXT('PERDBA_CTXT','SETUP','TRUE');
         l_logged_person:= SYS_CONTEXT('USERENV','SESSION_USER');
         SELECT SUBSTR(initial_rsrc_consumer_group,1,4) INTO
    l_user_role FROM dba_users WHERE username = l_logged_person;
         IF l_user_role = 'MM' THEN
    BEGIN
              DBMS_SESSION.SET_CONTEXT
    ('PERDBA_CTXT','ROLE','MM');
              SELECT username INTO l_persons_id
              FROM userrole
              WHERE userNAME = SYS_CONTEXT
    ('USERENV','SESSION_USER');
              DBMS_SESSION.SET_CONTEXT
    ('PERDBA_CTXT','PERSONS_ID','L_PERSONS_ID');
         EXCEPTION
              WHEN NO_DATA_FOUND THEN
              DBMS_SESSION.SET_CONTEXT
    ('PERDBA_CTXT','PERSONS_ID',0);
         END;
         ELSIF l_user_role = 'CGM' THEN
    BEGIN
              DBMS_SESSION.SET_CONTEXT
    ('PERDBA_CTXT','ROLE','CGM');
              SELECT username INTO l_persons_id
              FROM userrole
              WHERE userNAME = SYS_CONTEXT
    ('USERENV','SESSION_USER');
              DBMS_SESSION.SET_CONTEXT
    ('PERDBA_CTXT','PERSONS_ID','L_PERSONS_ID');
         EXCEPTION
              WHEN NO_DATA_FOUND THEN
              DBMS_SESSION.SET_CONTEXT
    ('PERDBA_CTXT','PERSONS_ID',0);
         END;
         END IF;
         DBMS_SESSION.SET_CONTEXT('PERDBA_CTXT','SETUP','FALSE');
         END SETCONTEXT;
         END CONTEXTPACKAGE;
    3. create security package     
    CREATE OR REPLACE PACKAGE securitypackage AS
    FUNCTION gradeselectsecurity(OWNER IN VARCHAR2, OBJECT_NAME IN
    VARCHAR2)
    RETURN VARCHAR2;
    END SECURITYPACKAGE;
    4. create security package body     
    Here this condition will get attached to select when user log's
    in
    CREATE OR REPLACE PACKAGE BODY securitypackage IS
    FUNCTION gradeselectsecurity(OWNER IN VARCHAR2, OBJECT_NAME IN
    VARCHAR2)
    RETURN VARCHAR2 IS
    l_predicate VARCHAR2(200);
    l_get_role VARCHAR2(20);
    BEGIN
    l_predicate:='1=2';
    l_get_role := SYS_CONTEXT('PERDBA_CTXT','ROLE');
    DBMS_OUTPUT.PUT_LINE(L_GET_ROLE);
    IF (RTRIM(LTRIM(l_get_role)) = 'MM') THEN
    l_predicate := 'grd_id IN (SELECT GRD_ID FROM GRADEROLE
                   WHERE USERROLE = (SELECT USERROLE FROM
    userROLE WHERE USERROLE = ''MM'' AND USERNAME
    = ''OPS$PERDBA''))';
    --L_GET_ROLE AND
    --USERNAME = ''OPS$PERDBA''))';
    --SYS_CONTEXT(''PERDBA_CTXT'',''PERSONS_ID'')))';
    -This script does not work., thats why i fixed values as MM and
    ops$perdba
    END IF;
    RETURN l_predicate;
    END gradeselectsecurity;
    END SecurityPackage;
    5. create consumer group
    BEGIN
    DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA();
    DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA();
    DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP(CONSUMER_GROUP
    => 'MM', COMMENT => 'GROUP FOR GRADES JM TO MM');
    DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA();
    DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA();
    DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA();
    END;
    6. create users          
    CREATE USER ops$ravi idetified by ravi
         default tablespace pay3_ts
         temporary tablespace temp_pay3_ts;
    grant connect , resource to ops$ravi;
    grant create session to ops$ravi;
    grant select on dba_users to ops$ravi;
    user ops$cgm also created in the same fashion.
    7. Assign initial consumer group
    -- assign initial consumer group
    BEGIN
    DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP
    ('OPS$RAVI','MM',TRUE);
    DBMS_RESOURCE_MANAGER.SET_INITIAL_CONSUMER_GROUP
    ('OPS$RAVI','MM');
    END;
    8. Attach security policy
    --attach security policy fg11
    BEGIN
    DBMS_RLS.ADD_POLICY(     'OPS$PERDBA',
                   'ZARINE_TEST',
                   'GRADE_SELECT_POLICY',
                   'OPS$PERDBA',
                   'SECURITYPACKAGE.GRADESELECTSECURITY',
                   'SELECT',
                   TRUE
    END;
    12. create context trigger
    -- create context trigger fg12
    CREATE OR REPLACE TRIGGER PERDBA.setsecuritycontext
    AFTER LOGON ON DATABASE
    BEGIN
         PERDBA.CONTEXTPACKAGE.SETCONTEXT;
    --null;
    END;

    you have mistyped the username/schemaname, it is ops$perdba, not perdba

  • Fine Grained Access ERROR on INSERT when generating unique keys

    I'm using VPD/Fine Grained Access Control (FGAC) to implement security on my 9i backend. I created a security policy function that returns the predicate 'owner = USER'; - each of the tables has an additional column titled OWNER which contains the name of the logged-in user. Every time a user inserts a record, a BEFORE INSERT trigger fires (for every row) and inserts the USER name into the OWNER column. This is fairly straightforward and ensures that users can see only their rows. Using the DBMS_RLS.add_policy procedure, I attached the security policy to several tables and made it effective upon SELECT, UPDATE, INSERT, and DELETE statements.
    However, the frontend Java application (custom-made) generates unique IDs (sequences are not used) by selecting max(ID)+1 from the primary key columns of the tables. The problem is that the predicate is appended to the SELECT max(ID)+1 query to limit the max(ID) to only those rows where 'owner = USER'. Therefore, the max(ID) generated is not the largest ID for the entire table, but only the largest among the USER rows.
    So unless that USER happens to have the the largest ID in the whole table (and it has worked then), a primary-key violation error will be returned and the INSERT operation will be aborted.
    How can I allow every USER to select from AND get the absolute largest ID from the PK column without allowing that user to select records that don't belong to him? If I had developed the application, I would have made use of sequences on the back-end to generate unique primary key IDs. Unfortunately, I don't have this option and must work with the application as is.
    NOTE: the front-end Java application understands only the base table names, NOT Views created by me on the server. If the answer to this problem involves views, how can I make use of them on the backend when the front-end code does not recognize them?
    Any help is greatly appreciated!
    Michael

    first you could use default column values, not a trigger, which is more expensive.
    if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

  • How to pass the context from Portal to Database for fine grain access?

    Hi,
    I am developing an omniportlet and I need to pass on the context of the logged in user to the database so that when the user tries to access data in the omniportlet, he can see data relevant to him only. Does anyone know how to do that?
    I have set up a light weight user scott and also has a schema in the database by the same name (scott)..
    what I am trying is when the user logs in as scott in the portal site and runs an omniportlet, he should be dynamically be logged in to scott the schema so that the data visible to him can be restricted. Same should happen for other users as well.
    Does anyone know in which table in the PORTAL schema is this connection information stored, so that I can override it using some API..?
    Thanks,
    Abhi

    I had tried sending the user_name in the sql and that works fine. but my requirement is that the user should login to his schema and only his schema directly and automatically.. such that even if an omniportlet is created using some default schema, when user logs in he can access only the schema meant for him..
    e.g. While running the omniportlet when logged-in as user scott, he should be logged-in to scott schema in the database, so that the fine grain access can be enabled ..
    Edited by: user6386347 on Mar 12, 2009 12:15 PM

  • Bypassing FGAC(Fined Grained Access Control) as a user

    Hi experts,
    Can anyone tell me how i can bypass the FGAC restrictions as a user. Is there any SQL command or function i have to run as a user? I will appreciate your suggestions.

    I am using the database of another college. They have given me the user account to work in their database. Is there anyway i can bypass the FGAC restrictions because i have restrictions on tables . i cannot display the all table records in my report. Please help.

  • Auditing, Fine Grained Access, Data Vault or Triggers on Updates/Deletes ?

    I would like to track changes on two separate tables whenever there are any changes, or deletes made to these tables. The tracking would be .....
    Values in the table Before and After any change has been made.
    The APEX User who made the change.
    The DTG of the change.
    Something to this effect.
    Anybody got any ideas ? I have read through the FGA and not convinced that is the way to go.
    Thanks in advance,
    ANON

    Hi Anon,
    I actually use triggers to create what I call "History Records" - every insert/update/delete triggers the creation of a new record in a history table. Others would call this an Audit Trail.
    One thing that Tom doesn't really make clear is how you would go about doing the same thing without using triggers. If the intention would be to use PL/SQL code, for example, then you need to call this somehow. You could do this on an Apex page readily enough, but what happens if the data is updated directly in SQL? You could run the same PL/SQL code, perhaps, but only if you knew it needed to be done. I would suggest that this is more of a maintenance headache than forgetting that you have triggers - especially as the SQL Workshop will show you objects related to your tables but trying to find a piece of PL/SQL code within Apex is not so easy (but still doable, of course). Also, you would have to create the same PL/SQL code on every page that the record could be edited. Though, having said that, with proper documentation, this shouldn't be an issue.
    The only headache I had with triggers was "mutating tables" (where you try to grab some data from the same table that is being updated - this is not allowed) - but as you are simply writing data into another table, then the only real issue would be keeping the columns the same between the two tables and ensuring that the trigger accounts for them all.
    An alternative to this, is to never allow updates to data. Effectively, this means that every "Update" becomes an "Insert". Tricky to set up, but still doable - though this, by necessity, requires careful use of primary keys and sequence numbers or datetimestamps to ensure that the user only sees the latest version of any "record" (that is, the last record for any given primary key). This, of course, has to be controlled within Apex.
    There are probably other methods as well, but I'd start with triggers
    Andy

  • Dbms_rls.add_policy with Oracle 10g Express Edition

    SQL> begin
    2 dbms_rls.add_policy(
    3 object_schema => 'VPD',
    4 object_name => 'TRANSACTIONS',
    5 policy_name => 'VPD_TEST_POLICY',
    6 function_schema => 'VPD',
    7 policy_function => 'VPD_POLICY.VPD_PREDICATE',
    8 statement_types => 'select, insert, update, delete',
    9 update_check => TRUE,
    10 enable => TRUE,
    11 static_policy => FALSE);
    12 end;
    13 /
    Gives an ORA error as follows
    ERROR at line 1:
    ORA-00439: feature not enabled: Fine-grained access control
    ORA-06512: at "SYS.DBMS_RLS", line 20
    ORA-06512: at line 2
    i'am using Oracle 10g Express Edition
    Please get back as soon as possible

    It should more appropriate to post your question into Oracle Database Express Edition (XE)<br>
    <br>
    Nicolas.

  • Query: Best practice SAN switch (network) access control rules?

    Dear SAN experts,
    Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
    I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
    Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
    In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
    For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
    These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
    So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
    regards,
    Will.

    Hi William,
    That's a pretty wide net you're casting there, but i'll do my best to give you some insight in the matter.
    Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
    for zones there are a few best practices:
    * Default Zone: Don't use it. unless you're running Ficon.
    * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
    * Don't mix zoning types:  You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
    * Device alias zoning is definately recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing hba's a heck of a lot less painful in your fabric.
    * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
    * Read-Only exists, but again any modern array should be able to make a lun read-only.
    * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
    VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
    When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
    Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
    They are quite logical to use  and work just the same on an MDS as on a traditional Ethernetswitch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
    I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
    To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
    That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!

  • User management and Access Control in HCM Cloud

    Hello,
    Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions :
    - How can I bridge HCM Cloud user store with my on-premise IDM or security repository in order to allow identty governance to flow to HCM Cloud service ?
    The only information I got was that you can declare manually and by bulk import through files my users. This is not really interresting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
    Is there a SPML or proprietary endpoint to do it automatically ? What are the prerequisites ? Do I have to implement OIM on my side ?
    - Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service ?
    I do not want to distribute new set of login / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with HCM Cloud service ? What are the prerequisites ? Do I have to implement OAM on my side ?
    I accept all pieces of information you can give me on this topic to help me understand the funcitonalites, limits and options offered by Oracle Cloud and more precisely by HCM Cloud service.
    Best regards,

    OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
    At present, the only way to restrict view and access control is by appplying ACLs (which is not the safest bet).

  • HRMS Data access control

    Hi,
    Can fine grained access control (VPD) be used to implement access control security policy for HRMS sensitive data. The business requirement is that the HRMS data should not be visible to any querying tool other than Oracle applications core HRMS forms.
    What kind of a security policy be enforced to achive this and are there any compatibility issues/limitations of this.
    Thanks in advance,
    Regards,
    Mahesh
    null

    you are right, access control is very application dependent, and is therefore not a good target to turn into a generic framework.
    In my opinion the king of security frameworks is Spring Security, so you could take a look at that.
    [http://static.springsource.org/spring-security/site/|http://static.springsource.org/spring-security/site/]
    Other than that, I have used a simple setup using Javaserver Faces. I had a user bean with a set of boolean flags indicating the user's capabilities (directly mapped to a database table) and in the components I would have rendered="#{user.userRole}" attributes where necessary, to conditionally switch off elements when the user wasn't allowed to see it, in some cases rendering a readonly view in stead.
    Its a chore to test, but quite easy to maintain and to read IMO.

  • The newest version of iTunes is awful when it comes to Cloud syncing-file management. I'm constantly frustrated with what iTunes 'chooses to eliminate from my mobile device and settings aren't fine-grained enough to allow for real user control.

    I'm endlessly frustrated with iTunes Cloud syncing, something that was supposed to make lenjoying my music easier. I routinely find that, though itunes and podcasts have been split, iTunes arbitrairily removes music files or in progress podcast in favor of 'new' podcasts. The settings are just not fine-grained enough to allow true user control and so we are instead subjected to 'Apple knows best' protocols. I understand and appreciate the level of exacting control Apple excercises over their ecosystem, however, more and more often I see them tightening control over things that should be user control while dropping the ball on aesthetic desisions made in producing their own software (see the hideous pull down tab for iTunes to access Podcast, TV shows, Music, etc.
    I would like to see features like those in Mail and the Podcasting apps implemented in iTunes afor the management of content on mobile devices, for instance it would be great to swipe to delete files that you know longer want on your device, at both the album and song level. Another issues is the new pushiness of iRadio and iTunes Store, the app now seems to default to the iRadio page (versus the last page Albums, songs, etc. that the user was navigating, or in the instance of the iTunes Store push, if I doon't have all the tracks of an album i own on my mobile device 'complete my album' takes you to iTunes store rather than showing the 'cloud' download icon next to missing tracks. These are the tactics I expect from Google, not Apple (pushing commerce over quality user experience).
    Fix these things Apple, please.

  • EP 6.0 SP2 KM Access control and version problems

    Hi,
    We have installed EP 6.0 SP2 and have configured KM. We have created a File system repository pointing to a shared folder in the local drive. Now, we are facing the following 2 problems:
    1. Access Control for Resources (folders and files) are not working..i.e, even though, we have given 'Read' access to a particular folder for a given portal user, he is still able to delete, rename, etc. How do we tackle this? Is there any property to be set for ACL to work.
    ACL Manager Cache : ca_rsrc_acl
    Security Manager  : AclSecurityManager
    are used for this particular file system repository.
    2. For the very same file system repository, we are not able to get the option 'versioning' for any of the folders. while for other folders in Content Management (CM) repository, 'versioning' property appears. Why is this so? Is there any setting to be done for the property 'versioning' to appear for a file system repository?
    Any help in this regard is highly appreciated.
    Thanks in advance,
    Pavithra

    Hi,
    Thanks so much for the quick response. It was quite helpful. The problem is that while trying to set up W2Ksecurity manager, the system component monitor shows the following error:
    Startup Error:  Exception during start up of sub-manager: The W2kSecurityManager can only be run under Windows 2000 operating systems.
    Portal server is installed on Microsoft Windows 2003 server. But the file system repository is mapped to a shared drive whose host machine runs Microsoft windows 2000 professional.
    My Questions:
    1. Do I have to have Microsoft Windows 2000 ONLY for portal installation.
    2. Can I not have a shared folder mapped to another local machine's directory
    3. Also, Any ideas on whats the max length of file path for KM..Because, its likely that the file path length may extend to more than 200 characters..
    Please help me in this regard.
    Thanks in advance.
    Pavithra

Maybe you are looking for

  • "Ipod Cannot be Synced" -Please Help!!!

    I must have spend hours reading forums and discussion boards trying to fix this.. No matter what I do to my Ipod or computer I get a "(My) Ipod could not be synced. Required disk could not be found." Please help me out!!

  • How to get the password of a password protected Excel Sheet using java/jxl

    Hi , how to get the password of a password protected Excel Sheet using java / jxl program. plz any one help me . Ramesh P [email protected]

  • Westell 7500 - can't remote access into work from laptops (desktop ok), no TiVO connection either

    I successfully set up my "upgraded" Verizon DSL service and modem two weeks ago (have had internet connection on desktop and laptops since) but with that transition I lost the ability to remote access into my work computer from home and to have my Ti

  • FM MPLAN_CHANGE to change matenance plan

    Hi, I'm trying to use the Function module MPLAN_CHANGE to update the value of the field STADT (Start Of Cycle) for a particular WARPL(maintenance plan). But its not updating the database table (MPLA), but instead, its storing the value in some tempor

  • DISABLE F8 AT BOOT TIME

    Hi all, i am using win 7 sp1. i want to disable F8 key in order to restrict any possible access to "Advance Boot Menu". 'bcdedit /set {default} displaybootmenu no' doesnot disable F8. any help will be appreciated.  thanks.