Row level constraint

is there any row level constraint in oracle.
if it is possible plz send me the statment of that constraint.
OR how to implment row level secuirty.
best wishes

Duplicate ... lets stick with the other one in this forum,.

Similar Messages

Row Level Security (VPD)

We are enhancing our corporate security model using VPD fine grain access to allow more flexible policies. This will provide different levels of row level access on each set of mart fact tables (Health Board level access on Mart A, GP Practice level on Mart B etc). We also want different column level security (masking) on common dimensions depending on which mart is being queried, e.g. a user might be allowed to see confidential patient columns when querying Mart A, but not on Mart B.
OID groups hold user attributes, and we can retrieve these via logon trigger and policy functions and then set user contexts accordingly.
When a query is submitted to the database (via Business Objects), it triggers the policy function on a particular mart fact table(s), which applies the particular row level constraint based upon the users context. So far so good. Problem is, when any dimension policy functions are being triggered (at the same time), they need to know which particular Mart is being queried, so that they can retrieve the correct user context to apply either confidential or non-confidential column masking.
I basically need a means of interrogating the SQL before (or as) it reaches the dimension policy functions, from which the function can identify the Mart from the named tables in the SQL FROM list. Is there a way of doing this, or some other mechanism entirely for delivering this level of access control?
One solution is to have a separate dimension view specific to each Mart. A particular view would join to a particular mart (in Business Objects), and the policy function amended for each. However we would rather avoid this as it could mean up to 20 + views for each dimension, and require a substantial maintenance overhead.
Thanks
Simon
Edinburgh

Why would you want a situation where USER1 cannot see any of the data in the table but owns a procedure that allows him to update any row in the table? That would basically defeat the purpose of using VPD-- if USER1 can circumvent the VPD policy in this procedure, USER1 can circumvent the policy in any procedure and can create procedures that allow him to view and manipulate the data.
Can you provide a bit more background about what problem you're trying to solve? Why does USER1 need to own the procedure if USER1 isn't allowed to see any of the data? Are you trying to write a procedure that will apply the caller's VPD policy (i.e. when USER2 calls the procedure, he can only update the rows that his VPD policy allows him to see)? Or do you want the procedure code to bypass the VPD policy entirely? Why are you fine with granting USER2 the ability to bypass the VPD policy but you are not OK granting USER1 that same privilege?
Justin

Sequence in parent and row level security

Hi,
I have a column with "seq in parent" for the "autogen type" property in Designer.
I also have row level security (RLS) (or fine grained access control) on this column's table.
Since there are data that could not be seen because of the RLS and the sequence is "seq in parent", i get the error :
ORA-00001: unique constraint (string.string) violated
Cause: An UPDATE or INSERT statement attempted to insert a duplicate key.
Example : User A inserts a row and the sequence is 1. User B who cannot see the row inserted by A, inserts its own row. The sequence inserted by B also gets 1 instead of 2 (because he cannot see the existing sequence 1). The sequence is duplicated, hence the error.
Is there a turnaround for this ?
Thank you.

You could consider using a 'real' sequence instead of seq-in-parent. I think seq-in-parent is using something like 'SELECT MAX(seq) FROM'... and that could also fail (depending on the moment this statement is issued) when 2 users are inserting a record.
HTH
Roel

Row level security problem.

Hy all, I'm new to Oracle and though i've google it a lot I didn't manage to find a solution to this problem:
I'm using sql developer and Oracle 10g.
I have this two tables :
CREATE TABLE HR_employees
(codHR NUMBER(3) CONSTRAINT pk_hr PRIMARY KEY,
coddep NUMBER(4) not null,
DB_user VARCHAR2(10),
and
CREATE TABLE Candid
(codcan NUMBER(2) CONSTRAINT PK_candidat PRIMARY KEY,
codHr NUMBER(3) NOT NULL,
CONSTRAINT FK_CODHR FOREIGN KEY (codHR) REFERENCES HR_employees (codHR) );
I tried to implement row level security on them by using two views:
CREATE OR REPLACE VIEW employees_v AS
SELECT * FROM hr_employees
WHERE DB_user = user
UNION
SELECT * FROM hr_employees
WHERE codhr=(SELECT codhr FROM hr_employees WHERE db_user=user );
AND coddep IN (4000,5000);
CREATE OR REPLACE VIEW candid_v AS
SELECT cand.*
FROM candid cand , hr_employees hr
WHERE cand.codhr= hr.codhr
AND hr.db_user=user
UNION
SELECT cand.* FROM candid cand, hr_employees hr
WHERE hr.coddep=(SELECT H.coddep FROM hr_employees H
WHERE H.db_user=user
AND H.coddep IN (4000,5000) );
What I want to do is to disconnect and connect with another user from SQL Developer and see different fields based on the user and the department, Sql developer doesn't seem to recognize the user connected to the database..everytime I receive a no row selected statement, only when I connect with SYS and put the actual username WHERE H.db_user='SYS' they seem to work. I have created the tables with SYS and granted Select on the views to the users, the users don't have privilegies on the actual tables.
Sorry for the bad english,it's a foreign language to me ,
I hope you can help me

Hi,
Damorgan is right: "Row level security has nothing to do with views" in the sense that the two are independent. You can have row-level security with or without views, and you can have views with or without row-level security. dbms_rls is a very useful and powerful way to implement row-level security, and you should check it out, but it's not necessarily the answer to all row-level security problems.
I'm not sure I understand your problem beyond the need to restrict user A's access to two tables.
If which rows user A is allowed to see depends on the results of queries from those same tables, including rows that user A is not allowed to see (that is, you need to do sub-queries with some other user's (let's call this user B's) privileges), then you can do those sub-queries in stored procedures.
Stored procuderes can run with the privileges of the procedure owner, regardless of who is calling them. Using a function called user_codhr owned by user B, you could define a view like this:
CREATE OR REPLACE VIEW employees_v AS
SELECT * FROM hr_employees
WHERE DB_user = user
OR    (   codhr = user_codhr
      AND coddep IN (4000,5000)
      );If the results of the function will be the same throughout the session, you can call it once, at the beginning of your session, and save the results in a SYS_CONTEXT varaible or a global temporary table.
If you need more help, post a more detailed example of the problem, such as "With this data in the table, B should see all rows but A should see only ...".

Row Level Security not working for SAP R/3

Hi Guys
We have an environment where the details are as mentioned below:
1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
2. The SAP roles are imported in Business Objects CMC.
3. Crystal Reports are published on the Enterprise as well.
3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
Any help in this issue is greatly appreciated.
Thanks and Regards
Kamal

Hi,
In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server. This is a server side tool which the Integration solution for SAP offers as a transport.
This tool defined which tables are to be restricted based on authorizations.
However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview. If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
thanks
Mike

Pl sql row level locking with wait ?

Hi,
I am using oracle 10g.
I am new to Oracle locks. I have two tables Table1(id_no, employee, salary) and Table2(id_no, employee, salary).
I need to pull any requested row from Table1 into Table2 only once on demand. I have a procedure to pull data and there could be more than one requests try to call same procedure to pull a row from Table1 into Table2 at any given time.
I coded below to achieve row level lock. if one transaction gets row level lock on Table1 at 2, so other Transactions should wait till the lock is released at line 2 or 5 to avoid duplicates.
But below code is not working, I am getting duplicates when I call this using two concurrent java threads.
How do I control this concurrency issue so that I can avoid duplicate entries in Table2. Could any one please help?
1.begin
2.select 0 into emp_cnt
3.from Table1 where id=id_no
4.for update;
5.update Table1 set employee='xyz'
6.where id=id_no;
7.select count(*) into table2_cnt from Table2 where id=id_no;
8.if(table2_cnt =0) then
9.code to insert above row from Table1 to Table2;
10.end if;
11.commit;
12.End;
Edited by: 980916 on Jan 9, 2013 5:48 PM

Welcome to the forums and welcome to Oracle.
Lets establish one thing right from the beginning ... the Oracle Database is not a Microsoft product.
There is no general reason to use row level locks, you should not want to use row level locks, you don't need row level locks, and you will almost never have any valid reason to consider row level locks.
That said there are two situations were it may be necessary to lock a row prior to an update or delete (possibly in a merge) and in those cases you want to use the built-in SELECT FOR UPDATE syntax. (Demo here: http://www.morganslibrary.org/reference/deadlocks.html#dlfu). But we should be clear here ... one rarely needs to use this locking mechanism as the chances of a collision in a well designed application are essentially zero.
Also as you are new to Oracle please explore the dynamic performance view V$RESERVED_WORDS and do not name objects, columns, etc. with reserved word names not that there is an excuse in any product to name a column "ID." Something Joe Celko has railed about for decades and a tradition I think we should all follow.
In the case of your posted code example (btw please read the FAQ and learn how to use tags) the solution is SELECT FOR UPDATE if locking can be justified which is unlikely.
Edited by: damorgan on Jan 9, 2013 6:11 PM

How to get a row level share lock

Is it possible to acquire a row-level share lock, which would do all of the following?
1. Prevent others from updating that row.
2. Allow others to read that row.
3. Allow others to update other rows in the same table.
I have the following scenario where two transactions need to lock eachother out:
Set-up:
Insert into TABLE_A(value_a) values ('ok');
Insert into TABLE_B(value_b) values ('ok');
Transaction A:
Select value_b from TABLE_B
If value_b = 'ok', update TABLE_A set value_a = 'not ok'
Transaction B:
Select value_a from TABLE_A
If value_a = 'ok', update TABLE_B set value_b = 'not ok'
If transaction A runs first then the end result is "not ok" only in TABLE_A.
If transaction B runs first then the end result is "not ok" only in TABLE_B.
If the two transactions run concurrently, it is possible to get "not ok" in both tables. This is what I would like to prevent.
One way to get what I want is to use "select for update":
Transaction A:
Select value_a from TABLE_A for update
Select value_b from TABLE_B for update
If value_b = 'ok', update TABLE_A set value_a = 'not ok'
Transaction B:
Select value_a from TABLE_A for update
Select value_b from TABLE_B for update
If value_b = 'ok', update TABLE_B set value_a = 'not ok'
This way both transactions won't perform their update unless they know that the result if their select will still be the same after they commit. However, by using "select for update" Transaction A has gained an exclusive lock on the TABLE_B row. If a Transaction C with the same contents as Transaction A happens concurrently, then the two will block eachother even though all they both want is to read data from the same table.
Another way is to use "lock table", however using that would block out not only writes to a specific row, but writes to all rows in the table. (In my example there is only one row, but obviously that's just a simplified example.)
I have looked at the "serializable" isolation level, but that doesn't seem to help because the queries and updates involve more than one table.
I know that "reads don't block writes" is a fundamental part of the Oracle design that makes Oracle what it is, but is there any way I can explicitly make it happen anyway? Or can anyone see some other solution to what I'm trying to achieve?

Let me give a more real-world example to show what I'm talking about.
Imagine a simple bug-reporting OLTP application. Each bug has 3 fields:
1. Description
2. Resolution
3. Status (open/closed)
The application also has some rules:
A. If the Status is "closed", Description and Resolution cannot be changed.
B. In order to change the Status to "closed", both a Description and Resolution must be specified.
Now as long as only one person at a time updates a bug, everything is fine. However, if one person switches the Status to "closed" while another concurrently blanks out the Resolution you end up with a closed bug that has no Resolution. This is why some locking is necessary.
If Description, Resolution, and Status are all stored in the same table row, then it makes sense for each transaction to simply select the whole row FOR UPDATE, and then UPDATE it after it ensures all the rules are passed. However, in my fictional bug-reporting application they are all stored in separate tables. Now, the transaction that is making the change to Resolution could lock the row in the Status table FOR UPDATE (as everyone so far has suggested). Transactions making a similar change to the Description should then also lock the row in the Status table FOR UPDATE for the same reason. The end result of this is that Description changes and Resolution changes lock eachother out (can't happen concurrently, are serialized) when they don't need to be. Description changes and Resolution changes don't affect eachother, but because they both need to (exclusively) lock the same row, they are serialized.
If there was a way to acquire a share lock on the row in the Status table, then Description and Resolution changes would use that and not affect eachother. Status changes would still acquire an exclusive lock on the row, and would be blocked by (and block any further) concurrent Description and Resolution changes. This would be ideal.

Row level locks

Hi All,
Version - Oracle Database 10g Enterprise Edition Release 10.2.0.2.0
I have a card's data in a table. Whenver a two different sessions/threads selects the data sometimes they get the same card.
Now I need to lock the record. If Thred-1 selects then it will lock the first records and thread-2 must select the second record as the first record is locked by thread-1.
I have written a piece of code , at first session it locks one record and when second session select it selects no records.
I have takem MIN group function because I want the cards to be selected in order.
Can you please tell where is my code went wrong or need some changes. Data and code is given below.
SQL> SELECT * FROM crm_pps_cards_sz ORDER BY 1;
CARD_NO          PIN SERIAL_NUMBER DATE_CREATED DATE_MERGED DATE_ALLOCATED DATE_REGISTERED
6338079966430591 9985 9950013661    12/06/2011
6338079973369543 6858 9950013660    12/06/2011
6338079978994154 7144 9950013655    12/06/2011
6338079981471778 7631 9950013654    12/06/2011
6338079986365041 7849 9950013657    12/06/2011
SQL>
Thread - 1
Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.2.0
Connected as crm
SQL> set serveroutput on
SQL>
SQL> DECLARE
2    l_rec crm_pps_cards_sz%ROWTYPE;
3    CURSOR c IS
4      SELECT * FROM crm_pps_cards_sz t WHERE t.card_no =
5      (SELECT MIN(card_no) card FROM crm_pps_cards_sz)
6      FOR UPDATE NOWAIT SKIP LOCKED;
7
8 BEGIN
9    OPEN c;
10    FETCH c
11      INTO l_rec;
12    CLOSE c;
13    dbms_output.put_line('Card Allocated ' || l_rec.card_no);
14
15 END;
16 /
Card Allocated 6338079966430591
PL/SQL procedure successfully completed
SQL>
Thread - 2
Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.2.0
Connected as crm
SQL> set serveroutput on
SQL>
SQL> DECLARE
2    l_rec crm_pps_cards_sz%ROWTYPE;
3    CURSOR c IS
4      SELECT * FROM crm_pps_cards_sz t WHERE t.card_no =
5      (SELECT MIN(card_no) card FROM crm_pps_cards_sz)
6      FOR UPDATE NOWAIT SKIP LOCKED;
7
8 BEGIN
9    OPEN c;
10    FETCH c
11      INTO l_rec;
12    CLOSE c;
13    dbms_output.put_line('Card Allocated ' || l_rec.card_no);
14
15 END;
16 /
Card Allocated
PL/SQL procedure successfully completed
SQL> My concern is that it must allocate in the order
6338079966430591
6338079973369543
....

It is because MIN(ard_no) is able to find value from table which is locked by you thread 1 and thread 1 mentioned NOWAIT thus it thread 2 went out without getting anything.
Please check my reply to your duplicate thread "row level locking" .

Row Level Restrictions on DeskI Report not working under InfoView

When running/refreshing DesktopIntelligence XI r3 (Full Client) reports under InfoView, the row-level restrictions applied in the universe are not being included in the SQL (additional filtering is NOT happening). However, if a user creates a report using the same universe in WebIntelligence or if the user runs the same report in DesktopIntelligence, the row-level restrictions are working.
It strikes me that the problem has to do with security rights granted (or not granted), but I can't figure out which settings would allow the proper running of a DeskI report under InfoView.
Thanks for any assistance rendered!

Mike,
Do people connect to Infoview and Deski using the same authentication method and the same username?
How does this compare to how your data restrictions are configured?
Are you using @Variable('BOUSER') restrictions? Have you taken domain into account e.g. "Domain\UserName" vs "UserName"?

Relationship between header and row level data.

Hi all
I need to know how to relate a field in the header level and the row level...
On my row level i want the route id to be related to the route name field at the header level...instead of showing this route id it must show only the header so...based on the row level data the header must change...
I tried insertin the field but when i do a relate to on either fields its showing me only fields on that catagory ( Header only or Row Level only)
Thanks

The Header is evaluated and printed first and then only Repetitive area is computed and printed. You cannot try to arrive header based on the Repetitive area.
Please explain in detail which screen etc.. so that we can suggest some work arounds

SBO - Approval Procedures at row level

Does anyone know how to create an approval procedure that is triggered by a row field. For example if I want an approval procedure that verifies discount percentage in row level.
There must be a workaround, cause I know this is not a functionality in SBO.
Thanks,
Hernán Baudrit

The way you could solve this is to create a UDF at Header level and link a formatted search which loops through the number of rows in the transaction and returns TRUE if for example the Discount % is greater than allowed.
The coding should be something as follows:
Declare @Counter as integer
Set @Couter = 0
Declare @TempTable TABLE (STAT varchar(50)) -- Temporary table holding results of loop
Declare @LoopFor as integer
Set @LoopFor = (select (*) from (select T1.DocEntry
                                                          from INV1 T0 join OINV T1 on T0.DocEntry = T1.DocEntry
                                                                  where T0.DocNum = $[OINV.DocNum])
While @Counter < @LoopFor
BEGIN
      Declare @Disc as integer
       Set @Disc = ( select T1.DiscPrcnt
                                        from INV1 T0 join OINV T1 on T0.DocEntry = T1.DocEntry
                                                   where T0.DocNum = $[OINV.DocNum]) and T1.LineNum = @Counter
     IF @Disc > 20
     BEGIN
              INSERT @TempTable VALUES ('TRUE')
     END ELSE INSERT @TempTable VALUES ('FALSE')
@Counter = @Counter + 1
END
SELECT Distinct 'TRUE' from @TempTable where STAT = 'TRUE'
Please note that the coding is not 100% accurate but should give you an idea of how to work around the problem.
Next you should write a simple validation query on the value of the UDF to check whether it is set to 'True'.
I hope this helps.

How to restrict table data at a row level?

Hi everybody,
I need create a database user and restrict his data access to certain tables.
What is the best way to do this?
Eg Table Emp has two columns, sal and dept. Sal has three distinct values: 500, 1000, 1500.
I need to make it so that new_user can only see the data in table emp where the sal value = 500.
Many thanks
Rup

You can use row-level security (VPD) for this sort of thing, so you assign a policy to the table that restricts which rows a particular user can see.
You can also roll your own solution by creating a view on the table and granting the user access to that view rather than direct access to the table.
Justin

Flex updates at a row level in a grid

I needs to updates row level in a grid for frequent basis, Also i don't want to Refresh the Grid.
Is there any method i can use ?
Using flex Grid -> updates at a row level in a grid

I mean DataGrid. I am trying to change the data rows based on realtime data feed.
First time i'll add all the Employees in the Grid. Later i'll get indivual request will change only Status column.
Is there is any other way i can update with out refresh in datagrid.
<mx:DataGrid
id="dg" height="260" width="900" x="0" y="20">
<mx:columns>
<mx:DataGridColumn headerText="EmpID" dataField="EmpID" width="10" visible="false"/>
<mx:DataGridColumn headerText="Emp Name" dataField="Emp Name" width="110"/>
<mx:DataGridColumn headerText="Status" dataField="Status" width="80"/>
</mx:columns>
</mx:DataGrid>

Row level security at universe design level

Hi,
I am creating a Universe layer on top of non SAP OLAP cube ( from MS Analysis Services 2005 ) .
My concern is that can we maintain the row level or data level security at universe design level or if i am using that universe in creation of WEBI report so is there any possiblity to maintain this security at WEBI level.
Regards,
Mishra Vibhav.

Thanks for the reply.
Much Appriciated.
My only concern is that i read in the Universe Designer developer guide that it does the row level security so can eloborate a bit about how we maintain at Universe level.
Warm Regrads,
Mishra Vibhav

How to implement row level secuirty at universe level

Hi All
How can we implement row level security in universe ?
John

HI,
Can we try this?
Open designer >>tools>>Manage security>Manage access retrictions
Click on "new" under available restrictions area .
Select "rows" tab click add select the table and an appropriate where condition.
Click ok .
Add a user\group on which the retriction is to be imposed Click Ok.
Hope this will help
Kultar

Row level constraint

Similar Messages

Maybe you are looking for