Re: How to implement this security model?

"Aaron" <aaron.kurz_at_acs-inc.com> wrote in message news:bfb346c4.0405261118.7dfc5cb9_at_posting.google.com...
> Running Oracle 9i (9.2.0.4) on Solaris
>
> We need to be able to allow end-users to add and drop columns from a
> particular table, but need to restrict their drops to only the columns
> which they (end-users) have added.

Out of interest, can I ask why users are to be permitted to do column-based DDL on-the-fly?

Sybrand and Daniel aren't always the subtlest when it comes to calling a doozy of an idea a doozy, but they are pretty good at spotting them, and I'd agree with them in this case. But if you explain your actual business requirement, maybe we'll all be forced to say, 'yup, it has to be that way'. Or maybe we could suggest some other mechanism to achieve the same broad end-result.

Even if you could come up with a mechanism that would work, every time they do such DDL, they are going to invalidate large amounts of your library cache, just to mention one area of concern. That means your re-parse rate is going to go through the roof, and you'll have CPU usage rates following it. Not to mention library cache latch contention. When Sybrand and Daniel mention this model is unscaleable, that is at least one of the things they will be thinking of. So if you/we could devise an alternative mechanism, that would be a better idea all round, I would have thought.

Regards
HJR
> In other words, we have a table
> with columns which must remain, but the end-user should be able to add
> and remove his own columns at will.
>
> I thought DBMS_RLS might be a path to take, but it doesn't seem to
> have an ADD_POLICY for ALTER statement.
>
> Any idea's would be appreciated.
>
> Thanks.
Received on Fri May 28 2004 - 01:23:32 CDT