
Home -> Community -> Usenet -> c.d.o.server -> Re: tough choices

Re: tough choices

From: Tony <andrewst_at_onetel.net.uk>
Date: 25 Jun 2004 08:39:11 -0700
Message-ID: <c0e3f26e.0406250739.487a81ce@posting.google.com>


"Howard J. Rogers" <hjr_at_dizwell.com> wrote in message news:<40dc009f$0$18196$afc38c87_at_news.optusnet.com.au>...
> "Serge Rielau" <srielau_at_ca.eye-be-em.com> wrote in message
> news:cbgou8$dmp$1_at_hanover.torolab.ibm.com...
>
>
> > > * Security Policies (policies attached to tables and views that
> > > determine what rows can be accessed based on information known about the
> > > user)
> > Can be handled with views. Let the DBMS do what the DBMS does best.
>
> Mark can answer for himself, but no, this sort of thing can't reasonably be
> handled with views. I have a sales table. I want customers to access it...
> but they must only see their own rows. If all I've got are views, I've got
> to create a different view for each user. And change my application so it
> references the right view at the right time as new views are added because
> new customers are acquired. Views just won't cut it.

I wouldn't dispute that FGAC is a better way to achieve this, but it isn't true that if you used views you would need a view per user. Long ago in Oracle 7 I worked on a project that implemented access control via views that looked something like:

create view emp_view as
select * from emp
where deptno in
( select deptno
  from users
  where username = USER
);

Only one view was required per table. Of course, the predicate was actually rather more complex than that, but you should get the idea.

Received on Fri Jun 25 2004 - 10:39:11 CDT
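
A fuller sketch of the single-view approach described in the post above, as an added example that is not part of the original message. The APP_OWNER schema, the ALICE and BOB accounts, the column layouts and the sample rows are constructed for illustration; privileges are granted on the view only, which is what makes the USER predicate an actual access control.

```sql
-- Added example, Oracle SQL. APP_OWNER, ALICE, BOB, the column layouts
-- and the sample rows are constructed for illustration.

-- 1. As the owning schema (APP_OWNER): base table and mapping table.
CREATE TABLE emp (
  empno  NUMBER(4)    PRIMARY KEY,
  ename  VARCHAR2(10) NOT NULL,
  deptno NUMBER(2)    NOT NULL
);

-- One row per (account, department) the account may read.
-- USER returns the session user name, which is upper case for
-- accounts created without quoted identifiers, so store it that way.
CREATE TABLE users (
  username VARCHAR2(30) NOT NULL,
  deptno   NUMBER(2)    NOT NULL,
  CONSTRAINT users_pk PRIMARY KEY (username, deptno)
);

INSERT INTO emp VALUES (7369, 'SMITH', 20);
INSERT INTO emp VALUES (7499, 'ALLEN', 30);
INSERT INTO emp VALUES (7782, 'CLARK', 10);
INSERT INTO users VALUES ('ALICE', 20);
INSERT INTO users VALUES ('BOB',   10);
INSERT INTO users VALUES ('BOB',   30);
COMMIT;

-- 2. One view for every user: the predicate is resolved per session.
CREATE OR REPLACE VIEW emp_view AS
SELECT empno, ename, deptno
FROM   emp
WHERE  deptno IN (SELECT deptno FROM users WHERE username = USER)
WITH READ ONLY;

-- 3. Grant on the view only. No grant on EMP or USERS is issued, so
--    the filter cannot be sidestepped by querying the tables directly.
GRANT SELECT ON emp_view TO alice, bob;

-- 4. Check: direct grants on the protected tables should be absent.
SELECT grantee, table_name, privilege
FROM   user_tab_privs_made
WHERE  table_name IN ('EMP', 'USERS');

-- 5. As ALICE or BOB: the same statement, filtered by the USERS mapping.
SELECT empno, ename, deptno FROM app_owner.emp_view ORDER BY empno;
```

Adding a customer then means one INSERT into USERS and one GRANT on the view, with no new view and no application change.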
