Fine-grained access control brings security inside the data tables themselves. Need to know governs the handling of data in both the digital and non-digital information worlds. Within the database, views are an effective technique for implementing fine-grained access control in support of protecting sensitive data on a need-to-know basis.
Views can be used for various definitions of column security. They can remove entire columns from the user’s access or mask a column’s values. The database also provides column security through object privileges on insert and update operations. Views can be easily defined and managed, and they can often be implemented transparently for almost all simple security requirements. Views can be used with both Oracle built-in functions and user-defined functions to provide fine-grained access control and should always be one of the first security solutions to be considered.
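The three column-security options summarized above (removing a column, masking its values, and column-level object privileges) are shown together in the following Oracle SQL sketch. It is an added example, not code from the book; the table `hr_people`, the view `people_v`, and the grantees `app_user` and `dept_admin` are hypothetical, and `ename` is assumed to hold the uppercase database username.

```sql
-- Constructed base table; all object and user names are hypothetical.
CREATE TABLE hr_people (
  emp_id   NUMBER PRIMARY KEY,
  ename    VARCHAR2(30) NOT NULL,   -- assumed to equal the DB username
  dept_no  NUMBER,
  salary   NUMBER(9,2),
  ssn      VARCHAR2(11)
);

-- Column removal: SSN is not projected, so it does not exist for view users.
-- Column masking: SALARY is returned only on the caller's own row and is
-- NULL everywhere else. Only a built-in function is used, no PL/SQL.
CREATE OR REPLACE VIEW people_v AS
SELECT emp_id,
       ename,
       dept_no,
       CASE
         WHEN ename = SYS_CONTEXT('USERENV', 'SESSION_USER') THEN salary
         ELSE NULL
       END AS salary
FROM   hr_people;

-- Users are granted the view only, never the base table.
GRANT SELECT ON people_v TO app_user;

-- Column-level object privilege: this grantee may change DEPT_NO and
-- nothing else, even though other view columns are updatable.
GRANT UPDATE (dept_no) ON people_v TO dept_admin;

-- Check 1: the masked SALARY column is an expression, so the view itself
-- reports it as not updatable.
SELECT column_name, updatable
FROM   user_updatable_columns
WHERE  table_name = 'PEOPLE_V';

-- Check 2: review the column-level grants made on the view.
SELECT grantee, column_name, privilege
FROM   user_col_privs_made
WHERE  table_name = 'PEOPLE_V';
```

Because the mask is a plain expression in the select list, the view stays updatable for its other columns without INSTEAD OF triggers, and the two dictionary queries give a quick audit of what each grantee can actually read and change.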
However, views aren’t always a perfect solution. The performance degradation of views with user-defined PL/SQL functions, especially when used with row-level security, may make them impractical for certain situations. A view-based security solution can be difficult to manage as the number and complexity of the views increase. Many of the benefits can be diminished if the view solution requires copious numbers of INSTEAD OF triggers.
In the next chapter, you’ll see another effective technique for providing fine-grained access control: Virtual Private Database provides row-level security in a manner that supports the complex security policies that often inspire the use of views with PL/SQL functions, but does so in a way that maintains better performance characteristics and is easier to manage.