Using Oracle dbms_session
For the VPD to properly use the security
policy to add the where clause to the end
user's SQL, Oracle must know details about
the authority of the user. This is done at
sign-on time using Oracle's dbms_session
package. At sign-on, a database logon
trigger executes, setting the application
context for the user by calling
dbms_session.set_context. The set_context
procedure can be used to set any number of
variables about the end user, including the
application name, the user's name, and
specific row restriction information. Once
this data is collected, the security policy
will use this information to build the
run-time where clause to append to the end
user's SQL statement. The set_context
procedure sets several parameters that are
used by the VPD, and accepts three
arguments:
dbms_session.set_context(namespace, attribute, value)
For example, let's assume that we have a
publication table and we want to restrict
access based on the type of end user.
Managers will be able to view all books for
their publishing company, while authors may
only view their own books. Let's assume that
user JSMITH is a manager and user MAULT is
an author. At login time, the Oracle
database logon trigger would generate the
appropriate values and execute the
statements shown in Listing A:
-- Statements executed when user JSMITH (a manager) logs in
dbms_session.set_context('publishing_application', 'role_name', 'manager');
dbms_session.set_context('publishing_application', 'user_name', 'jsmith');
dbms_session.set_context('publishing_application', 'company', 'rampant_techpress');

-- Statements executed when user MAULT (an author) logs in
dbms_session.set_context('publishing_application', 'role_name', 'author');
dbms_session.set_context('publishing_application', 'user_name', 'mault');
dbms_session.set_context('publishing_application', 'company', 'rampant_techpress');
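
The pieces described above wired together, as an added example that is not part of the original article: the context namespace, the trusted package that calls set_context, the logon trigger, and a policy function that reads the context to build the where clause. The schema PUBS, the tables app_users and publication, their columns, and every object name other than publishing_application are assumptions.

```sql
-- Added example; PUBS, app_users(username, role_name, company) and
-- publication(title, author_name, company) are assumed names.

-- Only the package named in USING may call set_context for this namespace;
-- a call from anywhere else fails with ORA-01031.
CREATE OR REPLACE CONTEXT publishing_application USING pub_ctx_pkg;

CREATE OR REPLACE PACKAGE pub_ctx_pkg AS
  PROCEDURE set_user_context;
END pub_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY pub_ctx_pkg AS
  PROCEDURE set_user_context IS
    v_role    app_users.role_name%TYPE;
    v_company app_users.company%TYPE;
  BEGIN
    SELECT role_name, company INTO v_role, v_company
      FROM app_users WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    dbms_session.set_context('publishing_application', 'role_name', v_role);
    dbms_session.set_context('publishing_application', 'user_name',
                             LOWER(SYS_CONTEXT('USERENV', 'SESSION_USER')));
    dbms_session.set_context('publishing_application', 'company', v_company);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- unknown user: context stays empty
  END set_user_context;
END pub_ctx_pkg;
/
CREATE OR REPLACE TRIGGER pub_logon_trg AFTER LOGON ON DATABASE
BEGIN
  pub_ctx_pkg.set_user_context;
END;
/
-- Policy function: returns the predicate the VPD appends to the user's SQL.
-- The predicate references SYS_CONTEXT instead of concatenating the values.
CREATE OR REPLACE FUNCTION pub_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN CASE SYS_CONTEXT('publishing_application', 'role_name')
    WHEN 'manager' THEN 'company = SYS_CONTEXT(''publishing_application'', ''company'')'
    WHEN 'author'  THEN 'author_name = SYS_CONTEXT(''publishing_application'', ''user_name'')'
    ELSE '1 = 0'  -- fail closed: no role in the context means no rows
  END;
END;
/
BEGIN
  dbms_rls.add_policy(object_schema => 'PUBS', object_name => 'PUBLICATION',
                      policy_name => 'PUB_ROW_POLICY', function_schema => 'PUBS',
                      policy_function => 'PUB_POLICY', statement_types => 'SELECT');
END;
/
```

With this in place, a SELECT on publication by JSMITH is filtered by company, the same SELECT by MAULT is filtered by author_name, and a session with no context set sees no rows.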