Question: I need to have
a VPD security policy accept multiple objects, like this:
CREATE OR
REPLACE FUNCTION
SECFUNC (
p_object_schema in varchar2,
p_object_name in varchar2,
p_fund in varchar2,
p_org in varchar2)
Even though I can create the
dbms_rls.add_policy function, how can I create a policy with multiple input
values?
EXEC
DBMS_RLS.ADD_POLICY(
'MSMITH', LEDGER',
'SecByFund', 'SYS',
'SECFUNC',
'SELECT');
Answer: Good question!
I would start by examining the dbms_rls.shared_static option. Also note
this VPD security policy
article where the author says it is possible to have multiple policies for
each object and it is possible to define policy groups for objects, but it does
not say how to share the same policy between multiple tables.
However, VPD's allow
Multiple security and can place more than one policy on each object, as well
as stack them on other base policies. This makes VPD perfect for Web
applications that are deployed for many companies.
Using the Oracle 10g Static Policy Type
When you use static policies,
VPD always enforces the same predicate for access control, regardless of the
runtime environment. However, if you set the policy_type parameter to
shared_static, the policy is applied to multiple objects.
The book "Oracle
10g new features" has examples of using advanced VPD features.
Michael Armstrong-Smith noted this novel
solution:
I was trying to do was to create a VPD policy where the
contents of FUND and ORG, both columns in the same table, had to be
referenced inside the VPD function in order to determine whether a TRUE
predicate (1=1) or a FALSE predicate (1=2) would be returned.
My problem is that I was unable to pass a column name or ROWID into the VPD
function, therefore I was unable to check whether the row was or was not
accessible. Unlike most VPD situations, the predicate would change not only
based upon the USER and the user's role but would also change depending upon
the content of data within the row itself.
As I say, in the end I created a solution that returns a predicate string
containing a subquery and a boolean expression, something like:
FUND = FUND AND (SELECT FUND_CODE
FROM SEC_TABLE WHERE SEC_TABLE.USERID = UID AND SEC_TABLE.ORG_CODE = ORG and
SEC_TABLE.FUND_CODE = FUND) IS NOT NULL
My VPD predicate just looks like the above with the code being evaluated
against each row. Both FUND and ORG come from the row being checked, while
FUND_CODE and ORG_CODE are in my security table which has a primary key of
USERID, FUND_CODE and ORG_CODE.
and include the URL for the page.
