Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Question: DMBS_RLS Row-level Security Policies

Re: Question: DMBS_RLS Row-level Security Policies

From: Mike Jay <mikejay_at_mitre.org>
Date: Wed, 03 Oct 2001 14:32:46 -0400
Message-ID: <3BBB59CE.A529C3C@mitre.org> 





So I had hoped and expected as well for my 8.1.6 Solaris 5.7 system per:



Oracle8i Supplied PL/SQL Packages Reference
Release 2 (8.1.6)


A76936-01


DBMS_RLS, 2 of 2 


(on-line documentation)



Usage notes under DBMS_RLS.ADD_POLICY paragraph states:



"Dynamic predicates generated out of different policies for the same
object have the combined effect of a conjunction (ANDed) of all the
predicates."



Again, I am new to this "Fine-Grained Access" business, but I am
confused by what I see in the trace logs in that only one policy is
firing given a statement type.



Does anyone have an experience where multiple policies for a given table
and statement type works as documented?



The policy functions reside in the same package, moreover, the package
functions unit test such that the VARCHAR2 values for each function
return the expected value.



Baffled,


mikejay



Jonathan Lewis wrote:


> 

> According to the manual (8.1.5 supplied

> pl/sql packages) page 41-5:

> 

> "

>     Dynamic predicates generated out of

>     different policies for the same object have

>     the combined effect of a conjunction (ANDed)

>     of all the predicates.

> "

> 

> so you should be able to have multiple active

> policies all firing and being 'added'. I can't remember

> if I tested this or not.

> 

> --

> Jonathan Lewis

> http://www.jlcomp.demon.co.uk

> 

> Host to The Co-Operative Oracle Users' FAQ

> http://www.jlcomp.demon.co.uk/faq/ind_faq.html

> 

> Author of:

> Practical Oracle 8i: Building Efficient Databases

> 

> Screen saver or Life saver: http://www.ud.com

> Use spare CPU to assist in cancer research.

> 

> Mike Jay wrote in message <3BBB36C1.4554E72_at_mitre.org>...

> >Off to the book store ;)

> >

> >Using 'ALTER SYSTEM' in my test instance, I found that only one policy

> >function per statements_type would fire.

> >

> >That is, for MyOwner.MyTable the user MyUser will SELECT against

> >the table, but be subject to only one policy with respect to

> >the SELECT statement_type EVEN THOUGH two policies pertaining to

> >SELECT are defined.

> >

> >Does this make sense based on y'all's experience?

> >

Received on Wed Oct 03 2001 - 13:32:46 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US