External and Initialized Globally

Oracle Database also supports application contexts whose values are derived from external sources. The motivation for an external context is that the values are populated automatically for the user, without the application having to set them. The external source can be a job queue process, a database link, or a program using the OCI interface. A directory server can also be used to set a context automatically: when used in conjunction with Enterprise Users, the database places any attribute values defined in the user's inetOrgPerson object into a namespace called SYS_LDAP_USER_DEFAULT.

To illustrate how this is used, create a copy of the EMP table and a view over it that restricts users to the records of their own department. The view uses the department number stored for the Enterprise User in the directory server:

sec_mgr@KNOX10g> CREATE TABLE people$ AS SELECT * FROM scott.emp;

Table created.

sec_mgr@KNOX10g> CREATE VIEW people
  AS
    SELECT *
      FROM people$
     WHERE deptno =
             SYS_CONTEXT ('sys_ldap_user_default',
                          'departmentnumber');

View created.

Now, grant access to the shared schema to which the Enterprise Users will connect. Assume the users are mapped to the DB_SUBTREE schema:

sec_mgr@KNOX10g> GRANT SELECT ON people TO db_subtree;

Grant succeeded.

You can view the Enterprise Users with the Enterprise Security Manager, as illustrated in Figure 9-1. The window shows the users' information, including their department number. The department number attribute is pictured here for the Knox user and has a value of 10. This value can be set with the OiDDAS application or with the Oracle Directory Manager application.

Figure 9-1: Attributes in the inetOrgPerson LDAP object are automatically populated in the SYS_LDAP_USER_DEFAULT namespace.

To show that the value is populated automatically, log on as the Enterprise User and query the view just created. Note that the connection is made as knox, but the prompt shows DB_SUBTREE, the shared schema to which the Enterprise User is mapped:

sec_mgr@KNOX10g> conn knox/oracle10g
Connected.
db_subtree@KNOX10g> SELECT ename, deptno FROM sec_mgr.people;

ENAME       DEPTNO
----------  ------
CLARK           10
KING            10
MILLER          10
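As an added example (not from the book), the following SQL*Plus commands show two checks a practitioner would want before depending on this context: a diagnostic query that reveals what the current session actually receives in SYS_LDAP_USER_DEFAULT, and a variant of the view that fails closed without raising an error when the directory value is missing or not numeric. The table people$ and the DB_SUBTREE schema are taken from the text; the view name people_hardened is an assumption made for illustration.

```sql
-- Added example, not from the book. Assumes the people$ table created in the
-- text exists in SEC_MGR; the view name people_hardened is made up.

-- 1. Diagnostic, run as the connected user. For a local (non-Enterprise) user,
--    or an Enterprise User whose directory entry has no departmentNumber,
--    ldap_dept comes back NULL. That is why the book's people view then
--    returns no rows rather than everything: the predicate fails closed.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')                   AS db_user,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')                  AS enterprise_dn,
       SYS_CONTEXT('SYS_LDAP_USER_DEFAULT', 'departmentnumber') AS ldap_dept
  FROM dual;

-- 2. Hardened view. The original predicate "deptno = SYS_CONTEXT(...)" compares
--    a NUMBER with a VARCHAR2, so Oracle converts the directory string to a
--    number and the query raises ORA-01722 if a non-numeric departmentNumber
--    is ever stored in the directory. Comparing as text avoids that conversion,
--    and the explicit IS NOT NULL test documents that a missing attribute must
--    yield no rows. Leading zeros or whitespace in the directory value will
--    not match, so agree on one canonical format for the attribute.
CREATE OR REPLACE VIEW people_hardened AS
  SELECT empno, ename, job, deptno
    FROM people$
   WHERE SYS_CONTEXT('SYS_LDAP_USER_DEFAULT', 'departmentnumber') IS NOT NULL
     AND TO_CHAR(deptno) =
         SYS_CONTEXT('SYS_LDAP_USER_DEFAULT', 'departmentnumber');

GRANT SELECT ON people_hardened TO db_subtree;

-- 3. Expected behaviour when queried through the shared schema: an Enterprise
--    User whose departmentNumber is 10 sees only department 10; a session with
--    no value in the context sees zero rows and no error.
SELECT ename, deptno FROM sec_mgr.people_hardened;
```

Run the diagnostic first whenever the view appears to return nothing: an empty result almost always means the context attribute is NULL for that session, either because the user is not an Enterprise User or because the directory entry lacks the attribute, not that the view is broken.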

The database can also store application-specific attributes in the LDAP directory; on login, these attributes are applied automatically to an application context. As with SYS_LDAP_USER_DEFAULT, this works only for Enterprise Users. Details on how to configure this can be found in the Oracle Database Security Guide 10g.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
Year: 2003