Re: Label security - Beginners question...

From: Volker Hetzer <firstname.lastname_at_ieee.org>
Date: Tue, 05 Feb 2008 13:41:15 +0100
Message-ID: <fo9lh7$kba$1@nntp.fujitsu-siemens.com>


Mark D Powell schrieb:
> On Feb 4, 3:26 pm, Volker Hetzer <firstname.lastn..._at_ieee.org> wrote:

>> Hi!
>> After having seen a lot of three tier applications managing security outside
>> the database we'd like, when designing our own app, to use the database for this.
>> So, every user is a database user, belongs to a department and can read and
>> insert documents.

[rest skipped]

[reordered your answer a bit]
> What is the full version of Oracle?
Thanks for reminding me of the customs here! :-) We have a 10.2.0.3.0 enterprise edition running and think about starting with that.

> Is the label a column in one of your tables or Oracle Label security,
We are thinking about using label security, although "row level security" would be a better term. So far a fixed label seems to create more problems than it solves. I'm still reading up on it and yesterday evening discovered something called "fine grained access control". It looks like a much better fit, with the predicate functions. I still have to play around with it a bit. But how does it work with DML? How would the policy modify an insert statement? Or does it evaluate the predicate with the values from the insert? Can I use :old and :new like with triggers?

> which is an extra cost item?

From what I've seen in the documentation it's part of the enterprise edition. The costly part is about encryption and non-password authentication stuff as far as I see. But we'll check explicitly with our contract guys. Anyway I'll ask about FGA too.

> A coordinated subquery always has to know the outer table_name or
> alias used in the SQL so why is that a problem? Is your application
> based on dynamic SQL? From the description given I see no reason why
> dynamic SQL would be necessary.

You are right, it's not really necessary. During development errors are no problem and after that the main thing is that someone firing up sqlplus can't see the rows.

Lots of Greetings!
Volker

-- 
For email replies, please substitute the obvious.
Received on Tue Feb 05 2008 - 06:41:15 CST
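The thread above asks how a fine grained access control (VPD) policy behaves under DML. The following is an added illustration, not code from the thread or from either poster, showing a minimal per-department policy on an assumed APP.DOCUMENTS table (columns doc_id, department_id, title, body) with an assumed lookup table APP.APP_USERS(username, department_id) that maps each database user to a department. Table and policy names are placeholders chosen for the example.

```sql
-- Added example (not from the thread). Assumed objects: APP.DOCUMENTS and
-- APP.APP_USERS as described in the lead-in. Run as a user with EXECUTE on
-- DBMS_RLS and CREATE PROCEDURE in the APP schema.

-- A VPD policy function must accept (schema, object) and return the
-- predicate text that Oracle appends to the statement's WHERE clause.
CREATE OR REPLACE FUNCTION app.dept_predicate (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
    -- Restrict rows to the department of the connected database user.
    -- A user with no APP_USERS entry matches nothing, so the default is
    -- "see no rows" rather than "see everything".
    RETURN 'department_id = (SELECT u.department_id FROM app.app_users u '
        || 'WHERE u.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END dept_predicate;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'DOCUMENTS',
        policy_name     => 'DOCUMENTS_DEPT',
        function_schema => 'APP',
        policy_function => 'DEPT_PREDICATE',
        -- SELECT/UPDATE/DELETE get the predicate added to their WHERE clause.
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        -- With update_check => TRUE, the row that results from an INSERT or
        -- UPDATE is also tested against the predicate; a row that would not
        -- satisfy it is rejected with ORA-28115 (policy with check option
        -- violation). Without it, a user could insert a row into another
        -- department that they then cannot see.
        update_check    => TRUE);
END;
/

-- Behaviour for a user mapped to department 10 (constructed scenario):
--   SELECT * FROM app.documents;          -- only department_id = 10 rows
--   INSERT INTO app.documents (doc_id, department_id, title, body)
--       VALUES (1, 20, 'x', 'y');         -- fails with ORA-28115
--   UPDATE app.documents SET department_id = 20 WHERE doc_id = 1;
--                                         -- fails with ORA-28115
```

Two points follow from this for the questions in the thread. First, the policy does not see :OLD and :NEW values the way a trigger does; for INSERT there are no existing rows to filter, so the only hook is update_check, which evaluates the predicate against the new row after the statement supplies it. Second, because the predicate is attached inside the server, it applies to any client, including someone connecting with sqlplus, with the documented exceptions of SYS and users holding the EXEMPT ACCESS POLICY privilege, which is therefore worth auditing.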
