
Re: Implementing Data-Level Security

From: Andrew Protasov <protasov_at_percombank.kiev.ua>
Date: 1997/02/11
Message-ID: <AAe-2nsKb6@percombank.kiev.ua>#1/1

    Hello Anup,

    I think that it is bad practice to make INSERT, UPDATE or DELETE from the client side due to security problems. The front end must call only PL/SQL stored functions or procedures to perform data modifications according to business rules. PL/SQL code can check data security by means of joint views. The same views can be used in SELECT statements to guarantee read security. The only problem with such an approach is that it is very labour-intensive.

                                        Andrew Protasov

>
> In my original post, I did not quite state my requirements clearly. I need
> to control SELECT, INSERT, UPDATE and DELETE based on the user.
>
> I received a number of replies suggesting row-level trigger control or views
> based on joins. However, triggers cannot control SELECTS, whereas views with
> joins cannot be used to INSERT/UPDATE/DELETE (I am still on 7.1).
>
> A combination of the above methods will result in INSERT/UPDATE/DELETE from
> the table, but SELECT from the view. This will complicate life for the users
> as well as programmers, and keeping security checks will be even more difficult.
>
> So, is there a way out other than views with nested loops?
>

 [cut]
>
> Anup.
Received on Tue Feb 11 1997 - 00:00:00 CST
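
The approach described in the reply above, sketched in Oracle SQL and PL/SQL as an added example that is not part of the original post: reads go through a join view filtered on the session account, writes go through a stored procedure that reuses the same view as its check. The schema, the role and every object name are hypothetical.

```sql
-- Constructed schema: all table, view, procedure and role names are hypothetical.
CREATE TABLE orders (
  order_id NUMBER PRIMARY KEY,
  dept_id  NUMBER NOT NULL,
  amount   NUMBER(12,2) NOT NULL
);

-- Maps each database account to the departments whose rows it may touch.
CREATE TABLE user_dept (
  username VARCHAR2(30) NOT NULL,
  dept_id  NUMBER NOT NULL,
  PRIMARY KEY (username, dept_id)
);

-- Join view: USER is the session account, so each caller sees only its own rows.
CREATE VIEW orders_v AS
  SELECT o.order_id, o.dept_id, o.amount
  FROM   orders o, user_dept u
  WHERE  u.dept_id  = o.dept_id
  AND    u.username = USER;

-- Runs with the owner's privileges; the caller needs no rights on ORDERS.
CREATE OR REPLACE PROCEDURE set_order_amount (
  p_order_id IN NUMBER,
  p_amount   IN NUMBER
) AS
BEGIN
  IF p_amount IS NULL OR p_amount < 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Invalid amount');
  END IF;

  -- Same predicate as the view: update only rows the caller is allowed to see.
  UPDATE orders o
  SET    o.amount = p_amount
  WHERE  o.order_id = p_order_id
  AND    EXISTS (SELECT 1 FROM orders_v v WHERE v.order_id = o.order_id);

  -- No row updated: missing or not permitted; same error for both cases.
  IF SQL%ROWCOUNT = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Order not found or not permitted');
  END IF;
END set_order_amount;
/

-- Clients get the view and the procedure only, never the base tables.
CREATE ROLE app_user;
GRANT SELECT  ON orders_v         TO app_user;
GRANT EXECUTE ON set_order_amount TO app_user;
```

Because the client account holds no privilege on ORDERS or USER_DEPT, a direct INSERT, UPDATE or DELETE from the front end fails with a privilege error, and the view and the procedure cannot drift apart since both evaluate the same join.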
