Summary

Fine-grained access control (FGAC) brings security to the insides of your data tables. The technology enabler for FGAC is application contexts.

Application contexts are an efficient and flexible mechanism for storing security-related information. The Oracle Database provides many default attributes in the USERENV namespace. These attributes are automatically populated and generally provide useful information about the user's environment: IP address, authentication method, and more. The Client Identifier is also part of the USERENV namespace. This attribute can be set by a user or application and has the added benefit of being recorded in the audit trails.

The ability to define your own name-value contexts allows for many creative security solutions. Application context values can be created and managed locally. Each context is held in the user’s private memory regions and is therefore secure for each database session. Local application contexts are ideal for performing security functions. They are secure because they are private for the session, and they can only be manipulated by the namespace manager. They are fast because the values are stored in memory. They are flexible because they can be set to any user-defined string.
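As an added illustration (not code from the book), the following PL/SQL sketch shows a local application context bound to its namespace manager, and the database refusing a write that bypasses the manager. The schema `SEC_MGR`, context `APP_CTX`, package `APP_CTX_MGR`, trigger `SET_APP_CTX`, and lookup table `SEC_MGR.APP_USERS` are hypothetical names chosen for the example.

```sql
-- Added example. Hypothetical names: schema SEC_MGR, context APP_CTX,
-- package APP_CTX_MGR, lookup table SEC_MGR.APP_USERS(username, department).
-- Requires CREATE ANY CONTEXT and ADMINISTER DATABASE TRIGGER.

-- Bind the namespace to its manager: only this package may set values in it.
CREATE OR REPLACE CONTEXT app_ctx USING sec_mgr.app_ctx_mgr;

CREATE OR REPLACE PACKAGE sec_mgr.app_ctx_mgr AS
  PROCEDURE set_department;
END app_ctx_mgr;
/
CREATE OR REPLACE PACKAGE BODY sec_mgr.app_ctx_mgr AS
  PROCEDURE set_department IS
    l_dept sec_mgr.app_users.department%TYPE;
  BEGIN
    -- Derive the value from the authenticated session, not from caller input.
    SELECT department INTO l_dept
      FROM sec_mgr.app_users
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT(namespace => 'APP_CTX',
                             attribute => 'DEPARTMENT',
                             value     => l_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unknown user: attribute stays NULL and logon is not blocked
  END set_department;
END app_ctx_mgr;
/
-- Populate the context once per session, at logon.
CREATE OR REPLACE TRIGGER sec_mgr.set_app_ctx
  AFTER LOGON ON DATABASE
BEGIN
  sec_mgr.app_ctx_mgr.set_department;
END;
/
-- Any session can read its own values alongside the built-in USERENV ones.
SELECT SYS_CONTEXT('APP_CTX', 'DEPARTMENT')        AS department,
       SYS_CONTEXT('USERENV', 'IP_ADDRESS')        AS ip_address,
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS client_id
  FROM dual;

-- A direct write from outside the namespace manager is refused by the
-- database with ORA-01031 (insufficient privileges).
BEGIN
  DBMS_SESSION.SET_CONTEXT('APP_CTX', 'DEPARTMENT', 'FINANCE');
END;
/
```

Because the attribute is left unset for unknown users, any access-control predicate that compares against `SYS_CONTEXT('APP_CTX', 'DEPARTMENT')` evaluates against NULL and matches no rows.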

You can also define global application contexts. This allows the sharing of information, in a secure manner, across database schemas and database sessions. The database provides various ways in which global contexts can be defined and used. Global contexts are a great utility in connection pooled applications and shared schema designs.

The Oracle Database also supports contexts initialized by external sources. When the context is initialized by the directory, the design supports Oracle's centralized user management strategy, which is a critical component of the Identity Management functionality.

11 further investigate ways to use application context to provide fine-grained access control for tables, views, and synonyms.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
EAN: 2147483647
Year: 2003
Pages: 111
