In oracle database there are three methods for implementing row/column level security :
- views and access control over these views.
- Virtual Private Database.
- Oracle Label Security.
But all of them use the user account utilized to logging into database.
The context of my question is :
user --> webServer --> EJBserver --> DataBase
In a application server (oracleAS, jobss, etc) you create a connection pool for connecting againts database. This connection pool utilize a predefined user/password for all the connection.
But each user use a different user/pass for logging into web application.
So...
Is there any maner to implement row/level security in this context, using account utilized in web application inestead of account utilized in connection pool?
thanks.
Technically, the three would be:
o grants (grant select on columns, grant on objects in general)
o views used to filter data (and you grant on views, so views is a refinement of grants here)
o fine grained access control (which you can code yourself OR use off the shelf implementations such as label security)
And of them, only "grants" "use the user account". You grant PRIV on OBJECT to SCHEMA or ROLE.
Views, a view can look at anything it wants - like the IP_ADDRESS of the requestor, like context information supplied to the database by the middle tier (eg: middle tier grabs connection, middle tier KNOWS who is really logged on, middle tier invokes dbms_session.set_context/set_identifier to TELL US).
Fine Grained access control is like a dynamic view, it too can use this context information.
start here:
http://docs.oracle.com/cd/B19306_01/network.102/b14266/apdvcntx.htm#i1009020 but read that document in full for a good overview of what is available to you.