Re: Need a FGAC Clue
It is possible that the reason you have only seen FGAC through individual user ids is that the standard examples use a logon trigger to set a system_context - using the user's id to select values for that context.
You do not need to use a trigger to set the
system_context; in your case, you could
simply ensure that each time the application
starts to handle queries for a different user,
it calls the dbms_session.set_context
procedure (through the nominated package),
passing in that user's identity.
There is an overhead in cursor invalidation that is likely to have some side-effects, though, and by changing your strategy you may find that you have far more non-sharable cursors in your SGA. FGAC may not be your best route.
--
Regards

Jonathan Lewis
http://www.jlcomp.demon.co.uk

Next Seminar dates: (see http://www.jlcomp.demon.co.uk/seminar.html )
    England: September 24/26, November 12/14
    USA: November 7/9 (MI), 19/21 (TX)

The Co-operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html

Received on Fri Sep 06 2002 - 02:20:47 CDT

Phil Singer wrote in message <3D782250.383F4BC0_at_chartermi.net>...
>If someone could be so kind as to give me a clue,
>I would be so grateful.....
>
>I have several web applications, each with over
>10,000 users. When the application gets
>accessed, it 'sees' a userid provided by the
>web server. This ID is authenticated thru a
>company single log-on system, and it really can
>be trusted to ensure that whoever logged onto
>the corporate intranet was who he or she claimed
>to be, and that that person is now accessing
>my application.
>
>This application accesses Oracle through a
>single proxy Id. Creating the Ids in Oracle,
>is not an option. Therefore, the application
>validates what a user can see and do in the
>application by querying tables which match
>the corporate Id (from the web server) to
>functions and rules within the application.
>
>I would like to replace all of this with
>fine grained access control.
>
>My problem is that all the examples I have seen
>all have the user being validated having an
>Oracle account. I've done enough snooping
>to think that it can be used in the above
>situation, but I have not yet found any examples
>of how it is done. So, if someone can be so
>kind as to point me toward a reference where
>this has been done, I will be grateful. (Will
>even buy a book if that is where the example
>is found).
>
>
>Thanks.
>--
>Phil Singer | psinger1_at_chartermi.net
>Oracle DBA | Ford FPDS
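
The approach described in the reply, setting an application context through its nominated package and letting an FGAC policy read it, as an added example that is not part of the original posts. All schema, table, column, context and account names are hypothetical.

```sql
-- Added example: every object name here (app_sec, app_data.orders, owner_id,
-- app_ctx, ctx_pkg, web_proxy) is hypothetical.
-- 1. A context namespace that only the nominated package can write to.
CREATE OR REPLACE CONTEXT app_ctx USING app_sec.ctx_pkg;
-- 2. The nominated package: sets the identity and supplies the predicate.
CREATE OR REPLACE PACKAGE app_sec.ctx_pkg AS
  PROCEDURE set_user(p_corp_id IN VARCHAR2);
  PROCEDURE clear_user;
  FUNCTION orders_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_sec.ctx_pkg AS
  PROCEDURE set_user(p_corp_id IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'CORP_ID', p_corp_id);
  END set_user;
  PROCEDURE clear_user IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'CORP_ID', NULL);
  END clear_user;
  -- Same predicate text for every user; the value is read from the context
  -- at run time. An unset context yields NULL, so no rows match (fails closed).
  FUNCTION orders_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    RETURN 'owner_id = SYS_CONTEXT(''APP_CTX'', ''CORP_ID'')';
  END orders_predicate;
END ctx_pkg;
/
-- 3. Attach the policy to the table and let the proxy account call the package.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_DATA',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_CORP_ID',
    function_schema => 'APP_SEC',
    policy_function => 'CTX_PKG.ORDERS_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
GRANT EXECUTE ON app_sec.ctx_pkg TO web_proxy;

-- 4. Per request, the application (connected as web_proxy) brackets its work:
--      BEGIN app_sec.ctx_pkg.set_user(:corp_id); END;
--      SELECT ... FROM app_data.orders;   -- only rows owned by :corp_id
--      BEGIN app_sec.ctx_pkg.clear_user; END;
```

The database accepts whatever identity the proxy account passes to `set_user`, so the policy is only as trustworthy as the application's handling of the web server's user id. Clearing the context before a pooled session is reused keeps one user's identity from carrying over to the next request.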