Skip to Main Content

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Kaare.

Asked: December 05, 2014 - 2:09 pm UTC

Last updated: December 08, 2014 - 3:44 pm UTC

Version: 11.2.0

Viewed 10K+ times! This question is

You Asked

Hi Tom!

I need to create a view by using a dynamic database link.

I am working in a database with only one Oracle-user, PWPROD. This database is managed from another program called ProjectWise. In this program I have several users. I know the name of the current user of this program (called PWUSER), and now I need to connect to another database (called VDS.WORLD), where this user IS created and are granted different roles. I want to do this by using a dynamic database link so that the PWUSER will only get access to the tables and so which are granted to him in the other database. I try to describe what I need by the following description of tables, database links, function and the "desired view". Hope it makes sense. 

create table userlinks (pwuser varchar2(30), dblinkname varchar2(30));
insert into userlinks values ('KFC','KFC_LINK');
insert into userlinks values ('JSM','JSM_LINK');

create table current_user (pwuser varchar2(30));
insert into current_user values ('KFC');

CREATE DATABASE LINK "KFC_LINK.WORLD" CONNECT TO KFC 
IDENTIFIED BY kfcpassword USING 'VDS.WORLD';
CREATE DATABASE LINK "JSM_LINK.WORLD" CONNECT TO JSM 
IDENTIFIED BY jsmpassword USING 'VDS.WORLD';

create or replace function current_user_fn
return
  varchar2 is current_dblink varchar2(30);
begin
  select dblinkname into current_dblink from userlinks where username = (select pwuser from current_user);
  return current_dblink;
end;

And now, the view I desire:
create view ABC_LOCAL as
select * from ABC@call(current_user_fn);

I know that this doesn't work, by hope it decribes my needs?

My wish is, that when the current PWUSER is KFC, then the view is based on
create view ABC_LOCAL as
select * from ABC@KFC_LINK;
and when the PWUSER is JSM, then the view is based on
create view ABC_LOCAL as
select * from ABC@JSM_LINK;



and Tom said...

sounds like you want a SINGLE database link and that database link would be a current_user link and you would use real users in the database.
https://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_5005.htm#SQLRF01205

that is - KFC would log into the database as KFC so that "select user from dual" would return KFC. Likewise JSM would log in as JSM and select user from dual would return JSM for them.



otherwise, you will have to use dynamic sql with different database link names in the dynamically executed sql. There is no such capability as you outline above.

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

User connection is not an option

Kaare Friis-Christensen, December 08, 2014 - 8:46 am UTC

Unfortunately it is not possible to connect to a named user on the connecting database. The system ProjectWise controls access through the Oracle user PWPROD. Each user logs on to the system ProjectWise and thus have an indirect user name (which can be stored in a table). I had hoped this could be used to create a dynamic view, where the database link followed this user.

The reason why I seek this solution obviously has something to do with rights. I do not want all the users who log on to the system ProjectWise will have access to everything. Therefore, it is my desire to differentiate through various database links (possibly role-based).

I have a large portfolio of programs that are based on having a database connection and access to various tables and views. It will not be possible to change all these programs individually. Eg. I will have to get access the to the table AMT by a direct call to AMT. Therefore, I would like to have created a view in the PWPROD scheme named AMT and it was in this context I would like that rights could be controlled through the database link so that when, for example, stored KFC in the table CURRENT_USER the connection was made with a database link with rights to write in the table and when instead stored JSM in CURRENT_USER a connection with only read options was used.

If it is not feasible with such a dynamic view, I hope for any good idea how to solve my needs.
Tom Kyte
December 08, 2014 - 3:12 pm UTC

you cannot get there from here. You will have to use dynamic sql if you want different connections for different sessions. You cannot have a single view. There is no such thing as a dynamic view.

You want your cake and to eat it too. You don't want to use database users, yet you want to use database users. You cannot have it both ways.

If you are using a loopback link to attempt to limit access - you are going to have a bad day. Performance will be less than stellar. No doubt. No question.


sorry, but you cannot have users but not have users. It doesn't work like that, not in Oracle, not in X.

I would reconsider your usage of a product that does not support your security needs from the very beginning. ProjectWise doesn't do what you want to do - It does not have security for you. We cannot make a project that uses a single superuser to do everything do anything less. sorry. Every user will have the privs of PWPROD - by the design of ProjectWise.

the best you could do is implement virtual private database (VPD). You would have to provide all of the access control however - you would have to programatically figure out what each session is allowed to access

one db link + secure application roles

Michael, December 08, 2014 - 9:52 am UTC

Kaare, I think this would be an use case for secure application roles.

+ only one (fixed user) database link
+ several secure application roles on remote database
+ set remote context based on your actual needs

Cheers, Michael
Tom Kyte
December 08, 2014 - 3:44 pm UTC

it isn't a remote database, it is a loopback link. This is going to be painfully slow. They are trying to use a loopback link to limit what people have access to.

but the user will be connected as PWPROD, it'll have everything already anyway. I don't see where this user is trying to go. The application will be connected as PWPROD - there will be nothing stopping the application from using any of the privileges of PWPROD.

and how to you teach these applications (which cannot be changed, as stated above) to set the role? If they can set the role, then they can set the role to anything they want.

the person asking the question states:


I have a large portfolio of programs that are based on having a database connection and access to
various tables and views.


And they are trying to force these legacy applications into a framework that says "you shall have one account". And they want these applications to automagically fix themselves "It will not be possible to change all these programs individually."

Magic unfortunately still does not exist. Sometimes we must technically evaluate our framework (projectwise does not meet their requirement) or change code.



more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library