Re: Data Security Choices

<the_omegamon_at_yahoo.com> wrote in message news:1110992852.663672.206090_at_g14g2000cwa.googlegroups.com...
> Greetings All,
>
> I am looking for opinions on the 'best' pick for implementing
> a data security scheme. For example, I have some choices that are
> available that may have some tradeoffs against one another. My first
> line of thought is choices between the following:
>
> Roles
> VPD
> Packages
>
> Roles can provide the flexibility of grouping users into
> seperate groups where permissions can be consolidated but still
> need to be maintained via grant and revoke. Additional work
> would probably be needed to create row level security.
>
> VPD will allow transparent access to data via a policy scheme
> (or schemes) that is transparent to any accessing application. VPD
> too still needs to have traditional access via the GRANT command
> (one could probably argue that PUBLIC would be sufficient if VPD
> was properly configured).
>
> Packages have the ability to act as the gatekeeper for access
> to the data by encapsulation. Flexibility suffers here since base
> table access would not be available to an ad-hoc query user. Some
> benefits of this approach are performance, functional cohesion,
> insulation from the details of the data as well as a place for
> central management.
>
> Please correct me if I have a misunderstanding functionality
> anywhere above. At the moment, I am leaning towards the package
> option or perhaps a hybrid solution of VPD and packages. All
> thoughts appreciated.
>

Have you read through Oracle's Security Overview manual ? It's essential reading and might help clear up some of your issues/questions.

Cheers

Richard Received on Thu Mar 17 2005 - 07:18:19 CST