Re: Label security - Beginners question...

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: Mon, 4 Feb 2008 12:41:07 -0800 (PST)
Message-ID: <bacbdb1d-cda3-4961-a5ea-dff023434612@k2g2000hse.googlegroups.com>

On Feb 4, 3:26�pm, Volker Hetzer <firstname.lastn..._at_ieee.org> wrote:
> Hi!
> After having seen a lot of three tier applications managing security outside
> the database we'd like, when designing our own app, use the database for this.
> So, every user is a database user, belongs to a department and can read and
> insert documents.
> What we've got then is a small number of CAD locations, another small number
> of manufacturing locations and a lot of projects. Each project is designed
> at one CAD location and manufactured at one manufacturing location.
> What we've thought about is to have a master table containing the CAD
> and manufacturing location for each project. Then, all document and
> other tables reference that table.
> When someone from CAD inserts or updates project data, the corresponding
> manufacturer should be able to see it. But we don't want CAD to think
> about the manufacturer for each document. In theory, the fact that
> document X references project Y should be enough for security.
> In our opinion that would lead to
> � - one compartment per project
> � - each manufacturing location having a lot of compartments in their
> permissions (do several hundred compartments have a performance penalty?)
> � - moving manufacturing of a project from one location to another would be easy
>
> On the other hand we could have the manufacturing location in the group part
> of the label and set it via a labeling function. In that case, every insert
> would fetch the manufacturing location from the project master table and
> create the appropriate label. However, I see no way to change all labels
> if the manufacturing location gets changed in the project master table. I
> would like to avoid doing this with a trigger.
>
> Is there any other way? Maybe with a predicate? But as far as I can see
> it would have to use a correlated subquery and it would have to know the
> alias of the outer table.
>
> Any other ideas?
>
> Lots of Greetings!
> Volker
> --
> For email replies, please substitute the obvious.

Is the label a column in one of your tables or Oracle Label security, which is an extra cost item?

A coordinated subquery always has to know the outer table_name or alias used in the SQL so why is that a problem? Is you application based on dynamic SQL? From the description given I see no reason why dynamic SQL would be necessary.

What is the full version of Oracle?

HTH -- Mark D Powell -- Received on Mon Feb 04 2008 - 14:41:07 CST

This message: [ Message body ]
Next message: Mike: "Req: DBA's Required in VA"
Previous message: Volker Hetzer: "Label security - Beginners question..."
In reply to: Volker Hetzer: "Label security - Beginners question..."
Next in thread: Volker Hetzer: "Re: Label security - Beginners question..."
Reply: Volker Hetzer: "Re: Label security - Beginners question..."

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message