Application contexts facilitate the implementation of fine-grained access control. They allow you to implement security policies with functions and then associate those security policies with applications. Each application can have its own application-specific context. Users are not allowed to arbitrarily change their context (for example, through SQL*Plus).
A context is a named set of attribute/value pairs associated with a PL/SQL package. A context is attached to, and is global within, a session. Your application can use a context to set values that are then accessed from within your code and, specifically, from within code that is used to generate WHERE clause predicates for fine-grained access control.
Suppose you are building a human resources application. You might create a context called HRINFO and define the following attributes for that context:
position organizational_unit country
You can then set values for each of these attributes from within your PL/SQL programs.
CREATE [OR REPLACE] CONTEXT namespace USING [ schema .] plsql_package ;
You may deduce from this statement that a context has two attributes. Parameters are summarized in Table 8.1 .
GRANT CREATE ANY CONTEXT TO schema_name ;
By the way, you do not have to use contexts only with the FGAC feature; they can be used simply to give you a more general and flexible way of setting and obtaining attributes for a session. I'll explore that capability in the later section, Section 8.4, "SYS_CONTEXT and LIST_CONTEXT: Obtaining Context Information ."
Copyright (c) 2000 O'Reilly & Associates. All rights reserved.