Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
![]() |
![]() |
Home -> Community -> Mailing Lists -> Oracle-L -> RE: column level security
What about this:
Oracle Announcement:
Oracle Security Product Management has released new security alerts today. Please note that you must log into MetaLink at http://metalink.oracle.com to review this document. Use MetaLink's advanced search option to retrieve the document by identification number. USER PRIVILEGES VULNERABILITY IN ORACLE9i DATABASE SERVER Document Identification Number 185074.1 Thank you for using MetaLink. Oracle Support Services
The following is an example of the error:
connect system/****@database <mailto:system/****@database> CREATE USER us1 IDENTIFIED BY us11 DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp; CREATE USER us2 IDENTIFIED BY us12 DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp; Grant Create Session To us1; Grant Create Session To us2; Grant Create Table To us1; grant unlimited tablespace to us1; Grant Create View To us2; Connect us1/us11_at_database <mailto:us1/us11_at_database>; Create Table t1(c1 Number(1)); Insert Into t1(c1) Values(9); Create Table t2(c1 Number(1)); Insert Into t2(c1) Values(9); commit; Connect us2/us11_at_database <mailto:us2/us11_at_database>; SQL> Select * From us1.t1; ORA-00942: table or view does not exist -- this is expected SQL> Select * From us1.t2; ORA-00942: table or view does not exist -- this one too SQL> Create View aa As Select * From us1.t1; ORA-00942: table or view does not exist -- and this one SQL> Create View aa As Select t1.c1 As t1_c1, t2.c1 As t2_c1
>From us1.t1 Left Outer Join us1.t2 On t1.c1 = t2.c1;
View created -- now this one is NOT !!!!! SQL> select * from aa; T1_C1 T2_C1 ---- ---- 9 9 This effectively means that LEFT OUTER JOIN allows to create views on tables that are normally not visible (provided that unprivileged user knows table and column names).
-----Original Message-----
To: Multiple recipients of list ORACLE-L
Sent: 4/23/02 10:18 AM
Ok so i've been asked to research column level security, from what I can find, we're still stuck with this:
if userA needs to see cols 1,3,5 of tableA and
userB needs to see cols 1,2,3,4 of tableA.
We're still stuck with doing private views?
we dont need row level security so a VPD is kinda overkill, right?
thanks, joe
-- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Khedr, Waleed INET: Waleed.Khedr_at_FMR.COM Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).Received on Tue Apr 23 2002 - 09:53:33 CDT
![]() |
![]() |