Data Security Choices

Greetings All,

    I am looking for opinions on the 'best' pick for implementing a data security scheme. For example, I have some choices that are available that may have some tradeoffs against one another. My first line of thought is choices between the following:

    Roles
    VPD
    Packages

    Roles can provide the flexibility of grouping users into seperate groups where permissions can be consolidated but still need to be maintained via grant and revoke. Additional work would probably be needed to create row level security.

    VPD will allow transparent access to data via a policy scheme
(or schemes) that is transparent to any accessing application. VPD
too still needs to have traditional access via the GRANT command
(one could probably argue that PUBLIC would be sufficient if VPD
was properly configured).

    Packages have the ability to act as the gatekeeper for access to the data by encapsulation. Flexibility suffers here since base table access would not be available to an ad-hoc query user. Some benefits of this approach are performance, functional cohesion, insulation from the details of the data as well as a place for central management.

    Please correct me if I have a misunderstanding functionality anywhere above. At the moment, I am leaning towards the package option or perhaps a hybrid solution of VPD and packages. All thoughts appreciated.

Thanks in Advance, Received on Wed Mar 16 2005 - 11:07:16 CST