包dbms_rls只適用oracle enterprise edition,它實現精細的訪問控制;
並且精細的訪問控制是通過sql語句中動態增加謂詞(where 子句)實現的;
可以使不同的數據庫用戶執行相同的sql語句,操作同一張表上的不同數據;
-- 1,add_policy
/*
該過程用於給表,視圖,或同義詞增加一個安全策略;
當執行該操作結束後,會自動提交事務;
*/
dbms_rls.add_policy(object_schema => ,object_name => ,policy_name => ,
function_schema => ,policy_function => ,statement_types =>,
update_check => ,enable => ,static_policy =>
);
-- 2,drop_policy
/*
該過程用於從表,視圖,或同義詞刪除安全策略;
當執行該操作結束後,會自動提交事務;
*/
dbms_rls.drop_policy(object_schema => ,object_name => ,policy_name => );
-- 3,refresh_policy
/*
該過程用於刷新與安全策略修改相關的所有sql語句,並使oracle重新解析相關sql語句;
當執行該操作結束後,會自動提交事務;
*/
dbms_rls.refresh_policy(object_schema => ,object_name => ,policy_name => );
-- 4,enable_policy
/*
該過程用於激活或禁止特定的安全策略
當執行該操作結束後,會自動提交事務;
*/
dbms_rls.enable_policy(object_schema => ,object_name => ,policy_name => ,enable => );
-- 5,create_policy_group
/*
該過程用於建立安全策略組
*/
dbms_rls.create_policy_group(
object_schema =>,object_name => ,policy_group =>
);
-- 6,add_grouped_policy
/*
該過程用於增加與特定策略組相關的安全策略;
*/
dbms_rls.add_grouped_policy(
object_schema => ,object_name => ,
policy_group => ,policy_name =>
);
-- 7,add_policy_context
/*
該過程用於爲應用安全策略增加上下文;
*/
dbms_rls.add_policy_context(
object_schema =>,
object_name => ,
namespace => ,
attribute =>
);
-- 8,delete_policy_group
/*
該過程用於刪除安全策略分組
*/
dbms_rls.delete_policy_group(
object_schema => ,
object_name => ,
policy_group =>
);
-- 9,drop_grouped_policy
/*
該過程刪除特定策略組的安全策略
*/
dbms_rls.drop_grouped_policy(
object_schema => ,
object_name => ,
policy_group => ,
policy_name =>
);
-- 10,drop_policy_context
/*
該過程刪除上下文
*/
dbms_rls.drop_policy_context(
object_schema => ,
object_name => ,
namespace => ,
attribute =>
);
-- 11,enable_grouped_policy
/*
該過程激活或禁止特定策略組的安全策略;
*/
dbms_rls.enable_grouped_policy(
object_schema => ,
object_name => ,
group_name => ,
policy_name => ,
enable =>
);
-- 12,refresh_grouped_policy
/*
該過程刷新特定策略組的安全策略的相關sql語句,並重新解析sql語句;
*/
dbms_rls.refresh_grouped_policy(
object_schema => ,
object_name => ,
group_name => ,
policy_name =>
);
/*
使用dbms_rls實現精細訪問控制;
不同用戶只能訪問不同部門的員工;
*/
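-- 1. Create the application context.
-- "using scott.ctx" ties the cz_emp namespace to that package: Oracle only
-- lets code inside the trusted package named here set attributes in the
-- namespace, so a session cannot forge its own deptno value.
create or replace context cz_emp using scott.ctx;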
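-- 2. Package spec whose procedure populates the application context.
create or replace package scott.ctx
as
    -- Sets cz_emp.deptno for the current session, derived from the
    -- session user (see the package body for the mapping).
    procedure set_depno;
end ctx;
/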
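create or replace package body scott.ctx as
    -- Maps the session user to a department number and stores it in the
    -- cz_emp namespace; the VPD predicate in emp_security.emp_sec reads it.
    procedure set_depno
    is
        v_user varchar2(256);
    begin
        -- session_user is an attribute of the built-in userenv namespace, not
        -- of cz_emp. Reading it from cz_emp yields null, the comparison is
        -- unknown, and every user would silently land in department 30.
        v_user := sys_context('userenv', 'session_user');

        -- User names are compared in upper case because that is how the data
        -- dictionary stores unquoted user names; adjust if TEST/SYSTEM were
        -- created with quoted, case-sensitive names.
        -- (The original used "else if", which needs a second "end if" and
        -- does not compile; "elsif" / a case expression is the PL/SQL form.)
        dbms_session.set_context(
            'cz_emp',
            'deptno',
            case v_user
                when 'TEST'   then 10
                when 'SYSTEM' then 20
                else               30
            end);
    end set_depno;
end ctx;
/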
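-- 3. Logon trigger: populate the context for every new session.
-- If set_depno raises, logon fails for users who lack ADMINISTER DATABASE
-- TRIGGER; that is arguably the right fail-closed outcome here, since an
-- unset deptno makes the policy predicate "deptno = null" match no rows.
-- The trailing "/" is required for SQL*Plus to send the trigger DDL.
create or replace trigger tri_login
after logon on database
call scott.ctx.set_depno
/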
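-- 4. Policy function package spec.
create or replace package scott.emp_security as
    -- VPD policy function. Oracle invokes it as emp_sec(object_schema,
    -- object_name) and appends the returned string to the WHERE clause of
    -- every statement covered by the policy.
    function emp_sec(p1 varchar2, p2 varchar2) return varchar2;
end emp_security;
/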
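create or replace package body scott.emp_security as
    -- Returns the row-level predicate applied to scott.emp.
    -- p1 / p2: schema and object name passed by the VPD engine; unused here
    --          because the policy is attached to a single table.
    -- Returns: a predicate string built only from constants. No session or
    --          user input is concatenated into it, so the returned text
    --          cannot be used to inject SQL into the protected statement.
    function emp_sec(p1 varchar2, p2 varchar2) return varchar2
    is
    begin
        -- SYS and the table owner see every row; everyone else is limited to
        -- the department set by scott.ctx.set_depno at logon. SYS is exempt
        -- from VPD policies anyway, so listing it is documentation only.
        if user not in ('SYS', 'SCOTT') then
            -- The column on emp is deptno; the original spelled it depno,
            -- which makes every query on emp fail at run time with a
            -- policy-predicate error rather than filter rows.
            -- Doubled single quotes yield sys_context('cz_emp','deptno')
            -- in the generated predicate.
            return 'deptno = sys_context(''cz_emp'',''deptno'')';
        end if;
        return '1=1';
    end emp_sec;
end emp_security;
/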
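-- 5. Attach the policy to scott.emp.
-- Named parameters make the positional call from the original readable and
-- guard against argument-order mistakes in this security-critical call.
begin
    dbms_rls.add_policy(
        object_schema   => 'SCOTT',
        object_name     => 'EMP',
        policy_name     => 'emp_policy',
        function_schema => 'SCOTT',
        policy_function => 'scott.emp_security.emp_sec',
        -- Only SELECT is filtered: INSERT, UPDATE and DELETE on emp are not
        -- restricted by this policy. List them in statement_types (and set
        -- update_check => true) if the demo is meant to cover DML as well.
        statement_types => 'select');
end;
/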
select deptno, ename from scott.emp [where ...];