Oracle Database


Examples: Creating Oracle Virtual Private Database Policies

1. Log on as user OE.

   CONNECT oe
   Enter password: password
   Connected.

2. Enter the following SELECT statement:

   SELECT COUNT(*) FROM ORDERS;

   COUNT(*)
   --------
          7

   The policy is in effect for user OE: As you can see, only 7 of the 105 rows in the orders table are returned. But users with administrative privileges still have access to all the rows in the table.

3. Log back on as user SYS.

   CONNECT SYS/AS SYSDBA
   Enter password: password
   Connected.

4. Enter the following SELECT statement:

   SELECT COUNT(*) FROM ORDERS;

   COUNT(*)
   --------
        105

Step 5: Remove the Components for This Example

1. As user SYS, remove the function and policy as follows:

   DROP FUNCTION auth_orders;
   EXEC DBMS_RLS.DROP_POLICY('OE','ORDERS','ORDERS_POLICY');

2. If you need to lock and expire the OE account, enter the following statement:

   ALTER USER OE ACCOUNT LOCK PASSWORD EXPIRE;

Example of Implementing a Policy with a Database Session-Based Application Context

This example uses a database session-based application context to implement a policy in which customers can see only their own orders. This example creates the following layers of security:

1. When a user logs on, database session-based application context permits only users who are customers to log on.

2. After a customer has logged on, an Oracle Virtual Private Database policy restricts this user to see only his orders.

3. As a further restriction, Oracle Virtual Private Database policy permits the user to only view his orders. He cannot add, modify, or remove orders.

The steps to create this example are as follows:

■ Step 1: Create User Accounts and Sample Tables

■ Step 2: Create a Database Session-Based Application Context
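
The three layers listed above, sketched as an added example; it is not the guide's own code, and every schema, table, column and object name in it is hypothetical. It assumes that a session with no matching customer row is left without a context value and therefore sees no rows (the logon itself is not refused), and that the view-only restriction comes from granting customers SELECT alone on the orders table.

```sql
-- Added illustration. Hypothetical names: vpd_admin, cust_ctx, cust_ctx_pkg,
-- set_cust_ctx_trg, own_orders, cust_orders_policy, shop.customers, shop.orders.
-- Layer 1: a context namespace that only its trusted package can set.
CREATE OR REPLACE CONTEXT cust_ctx USING vpd_admin.cust_ctx_pkg;
CREATE OR REPLACE PACKAGE vpd_admin.cust_ctx_pkg AS
  PROCEDURE set_cust_id;
END;
/
CREATE OR REPLACE PACKAGE BODY vpd_admin.cust_ctx_pkg AS
  PROCEDURE set_cust_id IS
    v_id NUMBER;
  BEGIN
    SELECT cust_id INTO v_id
      FROM shop.customers
     WHERE UPPER(login_name) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('cust_ctx', 'cust_id', v_id);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- not a customer: attribute stays unset
  END;
END;
/
-- Populate the context at logon, before the user can issue any query.
CREATE OR REPLACE TRIGGER vpd_admin.set_cust_ctx_trg
  AFTER LOGON ON DATABASE
BEGIN
  vpd_admin.cust_ctx_pkg.set_cust_id;
END;
/
-- Layer 2: predicate function. With the attribute unset the predicate becomes
-- "cust_id = NULL", which is never true, so the policy fails closed.
CREATE OR REPLACE FUNCTION vpd_admin.own_orders (
  schema_p IN VARCHAR2, table_p IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'cust_id = SYS_CONTEXT(''cust_ctx'', ''cust_id'')';
END;
/
-- Layer 3: enforce the predicate on SELECT. Customers are assumed to hold only
-- the SELECT privilege on shop.orders, so INSERT, UPDATE and DELETE are refused.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'shop',
    object_name     => 'orders',
    policy_name     => 'cust_orders_policy',
    function_schema => 'vpd_admin',
    policy_function => 'own_orders',
    statement_types => 'select');
END;
/
```

As in the first example on this page, SYS is not subject to the policy, so a row count taken as SYS is not evidence that the predicate works; verify it from a customer session.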

