Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: configuring oracle RLS to work with roles instead of users
doron_almog_at_msn.com (Doron) wrote in message news:<995517bc.0306061226.27c6e5c_at_posting.google.com>...
> hi,
> has anyone configured oracle RLS to work with roles instead of users? if so how?
RLS is not restricted to user level at all. It all depends on how you write the function that implements the policy. You can pretty much set up any kind of logic you want in the function. Here is a simple example. I want only users with SELECT_CATALOG_ROLE role privilege to be able to see data in jyang.tyu table...
SQL> select * from tyu;
C1
0 1 2
SQL>
SQL> begin
2 dbms_rls.drop_policy(object_schema => 'JYANG',
3 object_name => 'TYU', 4 policy_name => 'TYU_POLICY');5 end;
PL/SQL procedure successfully completed.
SQL> create or replace function rls_func(p1 varchar2, p2 varchar2)
2 return varchar2 as
3 l_where varchar2(30);
4 cnt number;
5 begin
6 select count(1) into cnt from user_role_privs
7 where username=sys_context('USERENV','SESSION_USER')
8 and granted_role='SELECT_CATALOG_ROLE';
9 if cnt=1 then
10 l_where:='';
11 else
12 l_where:='1=2';
13 end if;
14 return l_where;
15 end;
16 /
Function created.
SQL>
SQL> begin
2 dbms_rls.add_policy(object_schema => 'JYANG', 3 object_name => 'TYU', 4 policy_name => 'TYU_POLICY', 5 function_schema =>'JYANG', 6 policy_function => 'RLS_FUNC', 7 statement_types => 'SELECT');8 end;
PL/SQL procedure successfully completed.
SQL> select * from tyu;
C1
0 1 2
SQL> grant select on tyu to scott;
Grant succeeded.
SQL> conn scott/tiger_at_athena
Connected.
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEFOS_
------------------------------ ------------------------------ --- --- --- SCOTT CONNECT NO YES NO SCOTT PLUSTRACE NO YES NO SCOTT RESOURCE NO YESNO
SQL> select * from jyang.tyu;
no rows selected
SQL>