Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Fine-grained Access Control and constraint violations

From: Jared of Europa <jared_at_intnospamvelt.com>
Date: Fri, 08 Aug 2003 22:15:55 +0200
Message-ID: <hu08jv8b9hn2q09dk8lj0ib2jqir4hsk6h@4ax.com>


In this foul year of our lord 8 Aug 2003 12:01:15 -0500, gters_at_zdas.com (Gters) proclaimed:

>>Fix the design, not hunt around for workarounds that really will be clunky.
>>
>>~QM
>sometimes it is not possible to redesign, you inherit a poorly designed db
>and can't change it.

Bingo.

>
>you stated
>
> The
>> procedure that checks the name is executed with definer rights,
>> unfortunately those rights do not extend to the row-level security
>> policies, as these are based on CURRENT_USER which is the actual
>> logged-in user in all cases.
>
>Have you looked at the 8i feature of having procedures take on Invoker rights
>rather than Definer rights? That way the user can see what they need to.
>Need to determine if it works with FGAC

Well... since our fine-grained access relies on getting the name/ID of the currently logged-in user, it does not matter if the procedures run with Invoker or with Definer rights... the username will be the same and hence the access level as well.

Our current idea is to grant EXEMPT ACCESS POLICY to the Definer of our procedures, and have selected procedures run with Definer rights rather than Invoker rights. This way, these procedures will bypass security, while still leaving the system well-secured against the users themselves. Only problem is, EXEMPT ACCESS POLICY is not available on Oracle 8i.

Jared of Europa
-*-
"I have often deprived myself of the necessities of life, but I have never consented to give up a luxury."

Received on Fri Aug 08 2003 - 15:15:55 CDT
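The arrangement described in the message above, sketched as an added example that is not part of the original post or the poster's schema. It assumes Oracle 9i or later and a policy predicate keyed on the session's logged-in user; the schema `APP_OWNER`, table `CUSTOMERS`, role `APP_USER_ROLE` and all policy and function names are hypothetical.

```sql
-- Added example; every object name here is hypothetical. Run as a DBA.
CREATE TABLE app_owner.customers (
  name       VARCHAR2(100) NOT NULL UNIQUE,  -- unique across ALL owners
  owner_name VARCHAR2(30)  NOT NULL
);

-- Policy function: a session sees only the rows it owns. SESSION_USER is
-- the logged-in user no matter whose stored procedure is executing.
CREATE OR REPLACE FUNCTION app_owner.cust_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  RETURN 'owner_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUST_ROWS',
    function_schema => 'APP_OWNER',
    policy_function => 'CUST_POLICY',
    statement_types => 'SELECT,UPDATE,DELETE');
END;
/

-- Exempt only the definer. The grant must be direct: roles are not
-- enabled inside definer-rights stored procedures.
GRANT EXEMPT ACCESS POLICY TO app_owner;

-- Definer-rights uniqueness check. It returns 0 or 1 and never row data,
-- so the exemption is not handed to the caller. Static SQL with a bind
-- variable only; no dynamic SQL in an exempt code path.
CREATE OR REPLACE FUNCTION app_owner.name_is_taken (p_name IN VARCHAR2)
RETURN NUMBER
AUTHID DEFINER
IS
  l_hits NUMBER;
BEGIN
  SELECT COUNT(*) INTO l_hits
  FROM   app_owner.customers
  WHERE  name = p_name
  AND    ROWNUM = 1;
  RETURN l_hits;
END;
/

GRANT EXECUTE ON app_owner.name_is_taken TO app_user_role;
```

Because the exemption follows the `APP_OWNER` account, that account should stay locked for interactive logins and own only the few procedures that need to see across rows.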
