Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: column level security

From: Khedr, Waleed <Waleed.Khedr_at_FMR.COM>
Date: Tue, 23 Apr 2002 06:53:33 -0800
Message-ID: <F001.0044C8FA.20020423065333@fatcity.com>


 What about this:

Oracle Announcement:

       Oracle Security Product Management has released new security alerts
       today. 

       Please note that you must log into MetaLink at
       http://metalink.oracle.com to review this document. Use MetaLink's
       advanced search option to retrieve the document by identification
       number.

       USER PRIVILEGES VULNERABILITY IN ORACLE9i DATABASE SERVER 
       Document Identification Number 185074.1 

       Thank you for using MetaLink. 
       Oracle Support Services 


  The following is an example of the error:

       connect system/****@database
       CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users
         TEMPORARY TABLESPACE temp;
       CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users
         TEMPORARY TABLESPACE temp;
       Grant Create  Session To us1; 
       Grant Create  Session To us2; 
       Grant Create Table To us1; 
       grant unlimited tablespace to us1; 
       Grant Create View To us2; 

       Connect us1/us11@database;
       Create Table t1(c1 Number(1)); 
       Insert Into t1(c1) Values(9); 
       Create Table t2(c1 Number(1)); 
       Insert Into t2(c1) Values(9); 

       commit; 
       Connect us2/us12@database;

       SQL> Select * From us1.t1; 
       ORA-00942: table or view does not exist 
       -- this is expected 

       SQL> Select * From us1.t2; 
       ORA-00942: table or view does not exist 
       -- this one too 

       SQL> Create View aa As Select * From us1.t1; 
       ORA-00942: table or view does not exist 
       -- and this one 

       SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
            From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
       View created
       -- now this one is NOT !!!!!

       SQL> select * from aa;
       T1_C1 T2_C1
       ---- ----
       9 9

  This effectively means that LEFT OUTER JOIN allows creating views on
  tables that are normally not visible (provided that the unprivileged
  user knows the table and column names).

-----Original Message-----
To: Multiple recipients of list ORACLE-L
Sent: 4/23/02 10:18 AM

Ok so I've been asked to research column level security, from what I can find, we're still stuck with this:

   if userA needs to see cols 1,3,5 of tableA and
   userB needs to see cols 1,2,3,4 of tableA.

We're still stuck with doing private views?

We don't need row level security so a VPD is kinda overkill, right?

thanks, joe

Received on Tue Apr 23 2002 - 09:53:33 CDT
