Chapter 8. Deploying Fine-Grained Access Control

Oracle PL/SQL Programming: Guide to Oracle8i Features
By Steven Feuerstein


Fine-grained access control (FGAC) is a new feature in Oracle8i that allows you to implement security policies with functions and then use those security policies to implement row-level security on tables and views. The database server automatically enforces these security policies, no matter how the data is accessed: through SQL*Plus or the Internet, as an ad hoc query, or as an update processed through an Oracle Forms application.

What, you might ask, is a security policy? Consider the following very simple scenario (I'll expand upon this scenario in the full example at the end of this chapter). Suppose that I have tables of hospital patients and their doctors defined as follows:

 CREATE TABLE patient (
    patient_id NUMBER,
    name VARCHAR2(100),
    dob DATE,
    doctor_id INTEGER
    );

 CREATE TABLE doctor (
    doctor_id NUMBER,
    name VARCHAR2(100)
    );

Now suppose that I want to let a doctor see only her own patients when she issues a query against the table. More than that, I don't want to let a doctor modify patient records unless those records belong to that doctor's patients.

You could achieve much of what is needed by creating a set of views, and many organizations have been doing just that for years. The view-based approach can become quite complex, especially if you want to make it foolproof. Wouldn't it be so much more elegant if you could just let any doctor connect to her schema in Oracle, issue the following query:

 SELECT * FROM patient; 

and then make certain that the doctor sees information only about her patients? With this approach, you embed all the rules needed to enforce privacy and security into the database itself as a security policy, so that enforcement is transparent to users of the data structures. Oracle uses that policy to modify the WHERE clause of any SQL statement executed against the table, thereby restricting access to data. This process is illustrated in Figure 8.1.

Figure 8.1. Automatic application of a security policy (WHERE clause predicate)

With Oracle8i's fine-grained access control, you can apply different policies to SELECT, INSERT, UPDATE, and DELETE operations and use security policies only where you need them (for example, on salary information). You can also design and enforce more than one policy for a table, and can even construct layers of policies (one policy building on top of an existing policy) to handle complex situations.
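
The doctor/patient scenario above, sketched as a policy function and its registration with DBMS_RLS.ADD_POLICY. This is an added example, not code from the book; the HOSPITAL schema, the function and policy names, and the convention that doctor.name stores the doctor's Oracle username are assumptions.

```sql
-- Added example (not from the book). Assumed names: schema HOSPITAL,
-- function patient_by_doctor, policy PATIENT_DOCTOR_POLICY, and the
-- convention that doctor.name holds the doctor's Oracle username.

CREATE OR REPLACE FUNCTION patient_by_doctor (
   schema_in IN VARCHAR2,   -- schema of the protected object
   name_in   IN VARCHAR2    -- name of the protected table or view
)
   RETURN VARCHAR2
IS
BEGIN
   -- The returned text is ANDed into the WHERE clause of each statement
   -- issued against the table. It is a constant string: the session user
   -- is resolved by SYS_CONTEXT when the statement runs and is never
   -- concatenated into the predicate.
   -- A user with no matching doctor row gets an empty subquery result,
   -- so the policy fails closed (no rows visible or modifiable).
   RETURN 'doctor_id IN (SELECT d.doctor_id
                           FROM hospital.doctor d
                          WHERE UPPER (d.name) =
                                SYS_CONTEXT (''USERENV'', ''SESSION_USER''))';
END patient_by_doctor;
/

BEGIN
   DBMS_RLS.ADD_POLICY (
      object_schema   => 'HOSPITAL',
      object_name     => 'PATIENT',
      policy_name     => 'PATIENT_DOCTOR_POLICY',
      function_schema => 'HOSPITAL',
      policy_function => 'PATIENT_BY_DOCTOR',
      statement_types => 'SELECT,INSERT,UPDATE,DELETE',
      -- Also test the row as it looks AFTER an INSERT or UPDATE, so a
      -- doctor cannot create a patient row for, or hand one over to,
      -- another doctor_id.
      update_check    => TRUE,
      enable          => TRUE
   );
END;
/

-- Connected as a doctor, the unqualified query from the text now returns
-- only the rows whose doctor_id belongs to that doctor:
SELECT * FROM hospital.patient;
```

Because the predicate is attached to the table rather than to a view, the same restriction applies to UPDATE and DELETE statements, which only ever see that doctor's rows.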




Oracle PL/SQL Programming: Guide to Oracle8i Features
ISBN: B000H2MK2W
EAN: N/A
Year: 1998
Pages: 107
