8.2 CREATE CONTEXT: Creating Contexts

Application contexts facilitate the implementation of fine-grained access control. They allow you to implement security policies with functions and then associate those security policies with applications. Each application can have its own application-specific context. Users are not allowed to arbitrarily change their context (for example, through SQL*Plus).

A context is a named set of attribute/value pairs associated with a PL/SQL package. A context is attached to, and is global within, a session. Your application can use a context to set values that are then accessed from within your code and, specifically, from within code that is used to generate WHERE clause predicates for fine-grained access control.

Suppose you are building a human resources application. You might create a context called HRINFO and define the following attributes for that context:

    position
    organizational_unit
    country

You can then set values for each of these attributes from within your PL/SQL programs.

Oracle provides a Data Definition Language (DDL) statement to create the context used to validate and secure an application. The format of this statement is as follows:

    CREATE [OR REPLACE] CONTEXT namespace USING [schema.]plsql_package;

You may deduce from this statement that a context has two attributes. Parameters are summarized in Table 8.1.
To create a context namespace, you must have the CREATE ANY CONTEXT system privilege. Here is the format for this grant:

    GRANT CREATE ANY CONTEXT TO schema_name;
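The HRINFO context from above, carried through from the grant to a session reading its attributes, as an added example that is not code from the original text. The schema hr_app, package hr_ctx_pkg, table employees (with its column names) and role hr_users are assumed names chosen for illustration.

```sql
-- Added example. Schema hr_app, package hr_ctx_pkg, table employees and
-- role hr_users are hypothetical names.
-- As a DBA: let the application schema create context namespaces.
GRANT CREATE ANY CONTEXT TO hr_app;

-- As hr_app: bind the HRINFO namespace to a single trusted package.
CREATE OR REPLACE CONTEXT hrinfo USING hr_app.hr_ctx_pkg;

CREATE OR REPLACE PACKAGE hr_ctx_pkg AS
   PROCEDURE set_attributes;
END hr_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr_ctx_pkg AS
   PROCEDURE set_attributes IS
      l_position  employees.job_position%TYPE;
      l_org_unit  employees.org_unit%TYPE;
      l_country   employees.country%TYPE;
   BEGIN
      -- Look the values up from the logged-in user; take no parameters,
      -- so a caller cannot choose its own attribute values.
      SELECT job_position, org_unit, country
        INTO l_position, l_org_unit, l_country
        FROM employees
       WHERE db_username = SYS_CONTEXT('USERENV', 'SESSION_USER');
      DBMS_SESSION.SET_CONTEXT('HRINFO', 'position', l_position);
      DBMS_SESSION.SET_CONTEXT('HRINFO', 'organizational_unit', l_org_unit);
      DBMS_SESSION.SET_CONTEXT('HRINFO', 'country', l_country);
   EXCEPTION
      WHEN NO_DATA_FOUND THEN
         -- Fail closed: set nothing and report the problem.
         RAISE_APPLICATION_ERROR(-20001, 'No HR profile for this user');
   END set_attributes;
END hr_ctx_pkg;
/
GRANT EXECUTE ON hr_ctx_pkg TO hr_users;

-- In an end user's session: populate, then read, the context.
BEGIN
   hr_app.hr_ctx_pkg.set_attributes;
END;
/
SELECT SYS_CONTEXT('HRINFO', 'country') AS country FROM dual;

-- The same SET_CONTEXT call made outside hr_ctx_pkg.
BEGIN
   DBMS_SESSION.SET_CONTEXT('HRINFO', 'country', 'XX');
END;
/
```

Oracle rejects the final block with ORA-01031 (insufficient privileges), because only the package named in the CREATE CONTEXT statement may set attributes in that namespace.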
By the way, you do not have to use contexts only with the FGAC feature; they can be used simply to give you a more general and flexible way of setting and obtaining attributes for a session. I'll explore that capability later, in Section 8.4, "SYS_CONTEXT and LIST_CONTEXT: Obtaining Context Information."

Copyright (c) 2000 O'Reilly & Associates. All rights reserved.