Oracle Database


Configuring an Oracle Virtual Private Database Policy

You can apply multiple driving contexts to the same table, view, or synonym, and each of them will be processed individually. This enables you to configure multiple active sets of policies to be enforced. Consider, for example, a hosting company that hosts Benefits and Financial applications, which share some database objects. Both applications are striped for hosting using a SUBSCRIBER policy in the SYS_DEFAULT policy group. Data access is partitioned first by subscriber ID, then by whether the user is accessing the Benefits or Financial applications (determined by a driving context). Suppose that Company A, which uses the hosting services, wants to apply a custom policy that relates only to its own data access. You could add an additional driving context (such as COMPANY A SPECIAL) to ensure that the additional, special policy group is applied for data access for Company A only. You would not apply this under the SUBSCRIBER policy, because the policy relates only to Company A, and it is more efficient to segregate the basic hosting policy from other policies.
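The hosting scenario described above, written out as an added example in SQL and PL/SQL; it is not taken from the Oracle guide. The schema hosting, the table shared_docs and its columns, the packages vpd_fn and ctx_admin, and the context namespaces and attributes are all hypothetical names; the DBMS_RLS procedures and the DBA_ views are Oracle's own.

```sql
-- Added example. hosting.shared_docs, its columns, hosting.vpd_fn,
-- hosting.ctx_admin and both context namespaces are hypothetical names.
CREATE OR REPLACE CONTEXT appctx  USING hosting.ctx_admin;  -- which application is active
CREATE OR REPLACE CONTEXT custctx USING hosting.ctx_admin;  -- customer-specific policy group

-- Policy functions return the predicate that VPD appends to each statement.
CREATE OR REPLACE PACKAGE hosting.vpd_fn IS
  FUNCTION by_subscriber  (s VARCHAR2, o VARCHAR2) RETURN VARCHAR2;
  FUNCTION benefits_rows  (s VARCHAR2, o VARCHAR2) RETURN VARCHAR2;
  FUNCTION company_a_rows (s VARCHAR2, o VARCHAR2) RETURN VARCHAR2;
END;
/
CREATE OR REPLACE PACKAGE BODY hosting.vpd_fn IS
  FUNCTION by_subscriber (s VARCHAR2, o VARCHAR2) RETURN VARCHAR2 IS
  BEGIN RETURN 'subscriber_id = SYS_CONTEXT(''appctx'', ''subscriber_id'')'; END;
  FUNCTION benefits_rows (s VARCHAR2, o VARCHAR2) RETURN VARCHAR2 IS
  BEGIN RETURN 'app_name = ''BENEFITS'''; END;
  FUNCTION company_a_rows (s VARCHAR2, o VARCHAR2) RETURN VARCHAR2 IS
  BEGIN RETURN 'classification <> ''RESTRICTED'''; END;
END;
/
BEGIN
  DBMS_RLS.CREATE_POLICY_GROUP('hosting', 'shared_docs', 'BENEFITS');
  DBMS_RLS.CREATE_POLICY_GROUP('hosting', 'shared_docs', 'COMPANY_A_SPECIAL');
  -- Two driving contexts on one table; each is evaluated on its own.
  DBMS_RLS.ADD_POLICY_CONTEXT('hosting', 'shared_docs', 'appctx',  'active_app');
  DBMS_RLS.ADD_POLICY_CONTEXT('hosting', 'shared_docs', 'custctx', 'special_group');
  -- SYS_DEFAULT policies apply whichever groups the contexts select.
  DBMS_RLS.ADD_GROUPED_POLICY('hosting', 'shared_docs', 'SYS_DEFAULT', 'subscriber',
                              'hosting', 'vpd_fn.by_subscriber');
  DBMS_RLS.ADD_GROUPED_POLICY('hosting', 'shared_docs', 'BENEFITS', 'benefits_rows',
                              'hosting', 'vpd_fn.benefits_rows');
  DBMS_RLS.ADD_GROUPED_POLICY('hosting', 'shared_docs', 'COMPANY_A_SPECIAL', 'company_a',
                              'hosting', 'vpd_fn.company_a_rows');
END;
/
-- Review what is attached: the driving contexts, then every policy by group.
SELECT namespace, attribute
  FROM dba_policy_contexts
 WHERE object_owner = 'HOSTING' AND object_name = 'SHARED_DOCS';
SELECT policy_group, policy_name, pf_owner, package, function, enable
  FROM dba_policies
 WHERE object_owner = 'HOSTING' AND object_name = 'SHARED_DOCS'
 ORDER BY policy_group, policy_name;
```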

Example of Implementing a Policy Group

To create a policy group, you must first create a driving context to identify the effective policy group. Then, you can add policies to the policy groups as required. The following steps show how to implement a policy group:

Step 1: Create the Components for This Example

Step 2: Create the Driving Application Context

Step 3: Add a Policy to the Default Policy Group

Step 4: Add a Policy to the HR Policy Group

Step 5: Add a Policy to the FINANCE Policy Group

The following example shows how to perform these tasks.

Step 1: Create the Components for This Example

In SQL*Plus, run the following statements:

DROP USER finance CASCADE;
CREATE USER finance IDENTIFIED BY beancounter4u;
GRANT RESOURCE TO apps;
DROP TABLE apps.benefit;
CREATE TABLE apps.benefit (c NUMBER);

Step 2: Create the Driving Application Context

To create the driving application context, you create a namespace by using the CREATE CONTEXT SQL statement. Remember that you need the CREATE ANY CONTEXT privilege to use this statement.

1. Create the namespace for the driving application context:

CREATE OR REPLACE CONTEXT appsctx USING apps.apps_security_init;

2. Create the package that administers the driving context:

CREATE OR REPLACE PACKAGE apps.apps_security_init IS
  PROCEDURE setctx (policy_group VARCHAR2);
END;
/
CREATE OR REPLACE PACKAGE BODY apps.apps_security_init AS
  PROCEDURE setctx ( policy_group varchar2 ) IS
  BEGIN


Oracle Database Security Guide

