Label security - Beginners question...

comp.databases.oracle.misc

Volker Hetzer
Label security - Beginners question... - 02-04-2008 , 02:26 PM

Hi!
After having seen a lot of three tier applications managing security outside
the database we'd like, when designing our own app, to use the database for this.
So, every user is a database user, belongs to a department and can read and
insert documents.
What we've got then is a small number of CAD locations, another small number
of manufacturing locations and a lot of projects. Each project is designed
at one CAD location and manufactured at one manufacturing location.
What we've thought about is to have a master table containing the CAD
and manufacturing location for each project. Then, all document and
other tables reference that table.
When someone from CAD inserts or updates project data, the corresponding
manufacturer should be able to see it. But we don't want CAD to think
about the manufacturer for each document. In theory, the fact that
document X references project Y should be enough for security.
In our opinion that would lead to
- one compartment per project
- each manufacturing location having a lot of compartments in their
permissions (do several hundred compartments have a performance penalty?)
- moving manufacturing of a project from one location to another would be easy

On the other hand we could have the manufacturing location in the group part
of the label and set it via a labeling function. In that case, every insert
would fetch the manufacturing location from the project master table and
create the appropriate label. However, I see no way to change all labels
if the manufacturing location gets changed in the project master table. I
would like to avoid doing this with a trigger.

Is there any other way? Maybe with a predicate? But as far as I can see
it would have to use a correlated subquery and it would have to know the
alias of the outer table.

Any other ideas?

Lots of Greetings!
Volker
--
For email replies, please substitute the obvious.

Mark D Powell
Re: Label security - Beginners question... - 02-04-2008 , 02:41 PM

On Feb 4, 3:26 pm, Volker Hetzer <firstname.lastn... (AT) ieee (DOT) org> wrote:
Quote:
Hi!
After having seen a lot of three tier applications managing security outside
the database we'd like, when designing our own app, to use the database for this.
So, every user is a database user, belongs to a department and can read and
insert documents.
What we've got then is a small number of CAD locations, another small number
of manufacturing locations and a lot of projects. Each project is designed
at one CAD location and manufactured at one manufacturing location.
What we've thought about is to have a master table containing the CAD
and manufacturing location for each project. Then, all document and
other tables reference that table.
When someone from CAD inserts or updates project data, the corresponding
manufacturer should be able to see it. But we don't want CAD to think
about the manufacturer for each document. In theory, the fact that
document X references project Y should be enough for security.
In our opinion that would lead to
- one compartment per project
- each manufacturing location having a lot of compartments in their
permissions (do several hundred compartments have a performance penalty?)
- moving manufacturing of a project from one location to another would be easy

On the other hand we could have the manufacturing location in the group part
of the label and set it via a labeling function. In that case, every insert
would fetch the manufacturing location from the project master table and
create the appropriate label. However, I see no way to change all labels
if the manufacturing location gets changed in the project master table. I
would like to avoid doing this with a trigger.

Is there any other way? Maybe with a predicate? But as far as I can see
it would have to use a correlated subquery and it would have to know the
alias of the outer table.

Any other ideas?

Lots of Greetings!
Volker
--
For email replies, please substitute the obvious.

Is the label a column in one of your tables or Oracle Label security,
which is an extra cost item?

A coordinated subquery always has to know the outer table_name or
alias used in the SQL so why is that a problem? Is your application
based on dynamic SQL? From the description given I see no reason why
dynamic SQL would be necessary.

What is the full version of Oracle?

HTH -- Mark D Powell --






Volker Hetzer
Re: Label security - Beginners question... - 02-05-2008 , 06:41 AM

Mark D Powell wrote:
Quote:
On Feb 4, 3:26 pm, Volker Hetzer <firstname.lastn... (AT) ieee (DOT) org> wrote:
Hi!
After having seen a lot of three tier applications managing security outside
the database we'd like, when designing our own app, to use the database for this.
So, every user is a database user, belongs to a department and can read and
insert documents.
[rest skipped]

[reordered your answer a bit]

Quote:
What is the full version of Oracle?

Thanks for reminding me of the customs here! :-)
We have a 10.2.0.3.0 enterprise edition running and think about
starting with that.

Quote:
Is the label a column in one of your tables or Oracle Label security,

We think about using label security, although "row level security"
would be a better term. So far a fixed label seems to create more problems
than it solves. I'm still reading up on it and yesterday evening
discovered something called "fine grained access control". It looks like a
much better fit, with the predicate functions. I still have to play
around with it a bit. But how does it work with DML? How would the policy
modify an insert statement? Or does it evaluate the predicate with the
values from the insert? Can I use :old and :new like with triggers?

Quote:
which is an extra cost item?

From what I've seen in the documentation it's part of the enterprise
edition. The costly part is about encryption and non-password authentication
stuff as far as I see. But we'll check explicitly with our contract guys.
Anyway I'll ask about FGA too.

Quote:
A coordinated subquery always has to know the outer table_name or
alias used in the SQL so why is that a problem? Is your application
based on dynamic SQL? From the description given I see no reason why
dynamic SQL would be necessary.

You are right, it's not really necessary. During development errors are
no problem and after that the main thing is that someone firing
up sqlplus can't see the rows.

Lots of Greetings!
Volker
--
For email replies, please substitute the obvious.


Frank van Bortel
Re: Label security - Beginners question... - 02-05-2008 , 01:49 PM

Volker Hetzer wrote:
Quote:
Hi!
After having seen a lot of three tier applications managing security
outside the database we'd like, when designing our own app, to use the
database for this.
So, every user is a database user, belongs to a department and can read
and insert documents.
What we've got then is a small number of CAD locations, another small
number
of manufacturing locations and a lot of projects. Each project is designed
at one CAD location and manufactured at one manufacturing location.
What we've thought about is to have a master table containing the CAD
and manufacturing location for each project. Then, all document and
other tables reference that table.
When someone from CAD inserts or updates project data, the corresponding
manufacturer should be able to see it. But we don't want CAD to think
about the manufacturer for each document. In theory, the fact that
document X references project Y should be enough for security.
In our opinion that would lead to
- one compartment per project
- each manufacturing location having a lot of compartments in their
permissions (do several hundred compartments have a performance penalty?)
- moving manufacturing of a project from one location to another would
be easy

On the other hand we could have the manufacturing location in the group
part of the label and set it via a labeling function. In that case,
every insert would fetch the manufacturing location from the project
master table and create the appropriate label. However, I see no way to
change all labels
if the manufacturing location gets changed in the project master table.
I would like to avoid doing this with a trigger.

Is there any other way? Maybe with a predicate? But as far as I can see
it would have to use a correlated subquery and it would have to know the
alias of the outer table.

Any other ideas?

Lots of Greetings!
Volker

VPD pops to mind; like
select true
where exists (select vendor from projects)
or whatever your exact constellation is.
--

Regards,
Frank van Bortel

Top-posting in UseNet newsgroups is one way to shut me up
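
The VPD / fine-grained access control approach discussed in this thread, sketched as an added example that is not code from any of the posters. The schema name APP, the tables projects, documents and user_locations, their columns, and the function and policy names are all assumptions made for illustration.

```sql
-- Assumed (hypothetical) schema, modelled on the description in the thread:
--   app.projects(project_id, cad_location_id, mfg_location_id)  -- project master table
--   app.documents(doc_id, project_id, ...)                      -- table to protect
--   app.user_locations(username, location_id)                   -- location of each DB user

-- Policy function: Oracle calls it with the schema and object name of the
-- protected table and appends the returned string as a WHERE condition.
CREATE OR REPLACE FUNCTION app.doc_project_predicate (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- The leading project_id is outside the subquery, so it resolves to the
    -- column of the protected table. The predicate is applied to that table
    -- itself, so it does not need to know any alias used in the caller's SQL.
    --
    -- The location lookup runs at query time against the project master
    -- table. Moving a project to another manufacturing location is a single
    -- UPDATE of app.projects; no per-row label has to be rewritten and no
    -- trigger is needed.
    RETURN 'project_id IN (
                SELECT p.project_id
                  FROM app.projects p
                  JOIN app.user_locations ul
                    ON ul.location_id IN (p.cad_location_id, p.mfg_location_id)
                 WHERE ul.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END doc_project_predicate;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP',
        object_name     => 'DOCUMENTS',
        policy_name     => 'DOC_BY_PROJECT_LOCATION',
        function_schema => 'APP',
        policy_function => 'DOC_PROJECT_PREDICATE',
        -- Cover DML as well as queries, so the rows a user cannot see are
        -- also the rows that user cannot update or delete.
        statement_types => 'SELECT,INSERT,UPDATE,DELETE',
        -- update_check => TRUE evaluates the predicate against the row values
        -- after an INSERT or UPDATE. A row that the session could not see
        -- afterwards is rejected with ORA-28115 (policy with check option
        -- violation). There is no :old/:new syntax in the predicate; it is
        -- written against the plain column names.
        update_check    => TRUE);
END;
/
```

The policy applies to every session that touches the table, including ad hoc sqlplus sessions, except users holding the EXEMPT ACCESS POLICY privilege and SYS.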

