Re: Label security - Beginners question...
Date: Tue, 05 Feb 2008 13:41:15 +0100
Message-ID: <fo9lh7$kba$1@nntp.fujitsu-siemens.com>
Mark D Powell wrote:
> On Feb 4, 3:26 pm, Volker Hetzer <firstname.lastn..._at_ieee.org> wrote:
>> Hi!
>> After having seen a lot of three tier applications managing security outside
>> the database we'd like, when designing our own app, use the database for this.
>> So, every user is a database user, belongs to a department and can read and
>> insert documents.
[rest skipped]
[reordered your answer a bit]
> What is the full version of Oracle?
Thanks for reminding me of the customs here! :-)
We have a 10.2.0.3.0 enterprise edition running and think about
starting with that.
> Is the label a column in one of your tables or Oracle Label security,
We think about using label security, although "row level security"
would be a better term. So far a fixed label seems to create more problems
than it solves. I'm still reading up on it and yesterday evening
discovered something called "fine grained access control". It looks like a
much better fit, with the predicate functions. I still have to play
around with it a bit. But how does it work with DML? How would the policy
modify an insert statement? Or does it evaluate the predicate with the
values from the insert? Can I use :old and :new like with triggers?
> which is an extra cost item?
From what I've seen in the documentation it's part of the enterprise
edition. The costly part is about encryption and non-password authentication
stuff as far as I see. But we'll check explicitly with our contract guys.
Anyway I'll ask about FGA too.
> A coordinated subquery always has to know the outer table_name or
> alias used in the SQL so why is that a problem? Is your application
> based on dynamic SQL? From the description given I see no reason why
> dynamic SQL would be necessary.
You are right, it's not really necessary. During development errors are
no problem and after that the main thing is that someone firing
up sqlplus can't see the rows.
Lots of Greetings!
Volker
-- For email replies, please substitute the obvious.
Received on Tue Feb 05 2008 - 06:41:15 CST