FGAC/VPD可以從安全方面限制用戶在行級別的訪問權限，對于安全性考慮的應用有很大幫助。

另外，在一些特別特殊的情況下，可以通過它改寫用戶SQL的謂詞(where condition)。

這里step by step做一個例子，以供以后參考。

SQL> show user

USER is "HR"

SQL> create table testfgac as select * from dba_tables;

Table created.

1.建立一個context用來保存希望保存的屬性。

SQL>grant administer database trigger,create any trigger,create session,resource,create any procedure to hr

這里用USERNAME來代表當前用戶是否是定義的“DB_OWNER”

SQL> create context syscontext using context_package;

Context created.

SQL> create or replace procedure context_package

( username in varchar2)

as

begin

dbms_session.set_context (

'SYSCONTEXT',

'USERNAME',

username

);

end;

Procedure created.

2.在sys用戶下建立一個login trigger，如果當前用戶是'hr'，那么設立它的username是hr.SQL> create or replace trigger context_trig

after logon on database

declare

username varchar2(50);

begin

select decode(sys_context('USERENV','SESSION_USER'),'HR',

'DB_OWNER','NOT_DB_OWNER')

into username from dual;

context_package(username);

exception

when NO_DATA_FOUND then

null;

when OTHERS then

raise;

end;

Trigger created.

3.查看login trigger生效沒有SQL>? show user

USER is "SYS"

SQL>? select sys_context('SYSCONTEXT','username') myrole from dual;

MYROLE

--------------------

NOT_DB_OWNER

SQL> conn hr/hr

Connected.

SQL>? select sys_context('SYSCONTEXT','username') myrole from dual;

MYROLE

--------------------

DB_OWNER

4.最重要的一步，建立一個function用來作為返回你想修改的謂詞。本例a是對hr用戶返回空謂詞，對其它用戶返回'LAST_ANALYZED<=sysdate-1';本例b是對用戶返回owner='session_user'串。

a,SQL>? create or replace function return_secure

(my_owner in varchar2,

my_obj in varchar2)

return varchar2

as

ret varchar2(2000);

begin

select decode(sys_context('SYSCONTEXT','username'),'DB_OWNER',null,'LAST_ANALYZED<=sysdate-1') into ret from dual;

return ret;

end;

Function created.

b,SQL>? create or replace function return_sec

(my_owner in varchar2,

my_obj in varchar2)

return varchar2

as

ret varchar2(2000);

begin

select 'owner='||chr(39)||sys_context('USERENV','SESSION_USER')||chr(39) into ret from dual;

return ret;

end;

Function created.

5.在sys用戶下，加上policy,對dml語句和select都生效SQL>? begin

dbms_rls.add_policy (

OBJECT_SCHEMA => 'HR',

object_name => 'TESTFGAC',

policy_name => 'my_p',

policy_function => 'RETURN_SECURE',

statement_types => 'INSERT, UPDATE, DELETE, SELECT',

update_check??? => TRUE

);

end;

/

PL/SQL procedure successfully completed.

SQL>? begin

dbms_rls.drop_policy (

OBJECT_SCHEMA => 'HR',

object_name => 'TESTFGAC',

policy_name => 'my_p');

end;

/

begin

dbms_rls.add_policy (

OBJECT_SCHEMA => 'HR',

object_name => 'TESTFGAC',

policy_name => 'my_p',

policy_function => 'RETURN_SEC',

statement_types => 'INSERT, UPDATE, DELETE, SELECT',

update_check??? => TRUE

);

end;

/

6.測試SQL> conn hr/hr

Connected.

SQL> select sys_context('SYSCONTEXT','username') username from dual;

USERNAME

------------------------

DB_OWNER

SQL> select count(*) from HR.TESTFGAC;

COUNT(*)

----------

1043

SQL> conn scott/tiger

Connected.

SQL> select count(*) from hr.TESTFGAC;

COUNT(*)

----------

934

創作挑戰賽新人創作獎勵來咯，堅持創作打卡瓜分現金大獎

總結

以上是生活随笔為你收集整理的细粒度权限控制 linux,FGAC(细粒度访问控制)/VPD的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。