如何简单实现控制用户查询数据
地址:http://www.wlive.net/archives/21
需求:
在实际应用中,由于数据库某些用户必须拥有SELECT ANY TABLE权限,这就促使了这些用户能够顺利访问其它表数据的权限,出于业务数据安全考虑,对于某些关键表,只能是特定用户才能访问,也就是说即便是拥有SELECT ANY TABLE权限的用户,也禁止访问这些关键表的数据
实现方法:
通过ORACLE提高的DBMS_RLS包,能够轻松简单实现以上要求,下面引自官方文档对这个包的简单叙述
The DBMS_RLS package enables you to administer security policies by using its
procedures for adding, enabling, refreshing, or dropping policies, policy groups, or
application contexts. You need to specify the table, view, or synonym to which you are
adding a policy, as well as the data pertinent to that policy, such as the policy name.
Such data also includes names for the policy group and the function implementing the
policy. You can also specify the types of statements the policy controls (SELECT,
INSERT, UPDATE, DELETE, CREATE INDEX, or ALTER INDEX). Table 15–2 lists the
procedures in the DBMS_RLS package.
实现的步骤:
1 创建DBMS_RLS调用的函数
2 创建DBMS_RLS控制访问的策略
具体实现过程:
SQL> create or replace function cf_vpd_bulk (oschema varchar2,oname varchar2)
2 return varchar2 is
3 v_rs varchar2(2000);
4 begin
5 if sys_context(’userenv’,’session_user’)=’XJWH’ then
6 v_rs:=’1=1′;
7 else
8 raise_application_error (-20000, ‘Invalid value’, TRUE);
9 end if;
10 return v_rs;
11 end;
12 /
Function created.
创建函数cf_vpd_bulk,指定只有XJWH用户才能顺利访问表数据
SQL> exec dbms_rls.add_policy(OBJECT_SCHEMA=>’XJWH’,OBJECT_NAME=>’BULK’, STATEMENT_TYPES=>’SELECT’,POLICY_NAME=>’VDP_BULK’,FUNCTION_SCHEMA=>’SYS’,POLICY_FUNCTION=>’CF_VPD_BULK’);
PL/SQL procedure successfully completed.
创建DBMS_RLS控制访问的策略,注意上面STATEMENT_TYPES指定了只对SELECT这个类型生效,STATEMENT_TYPES有SELECT, UPDATE, DELETE,or INSERT四种类型,默认是所有类型。由于表BULK允许其它用户往里面插数据,禁止SELECT,所以这里指定了SELECT 类型。
测试效果:
SQL> show user
USER is “XJWH”
SQL> select *from bulk where a=5;
A B
———- ———-
5 6
5 6
5 6
5 6
4 rows selected.
SQL> connect spreader/spreader
Connected.
SQL> select *from xjwh.bulk where a=5;
select *from xjwh.bulk where a=5
*
ERROR at line 1:
ORA-28112: failed to execute policy function
通过以上方式实现控制数据访问,简单容易,对于函数的环境,策略的添加条件还可以根本业务的不同需求进行改动。
--EOF--