Oracle Tips by Burleson
Chapter 2: Introduction to Oracle Security
select c.claim_id,
       c.claim_amount,
       p.description as procedure_description
from   claims c, procedures p
where  c.member_id in
       (select member_id
        from   allowed_members)
and    p.proc_code = c.proc_code;
This is simply a selection of the columns CLAIM_ID and CLAIM_AMOUNT from the claims table, joined with the procedures table to get the description of each procedure. However, the claims the user sees are limited to those members whose records the user is authorized to view. The list of allowable members is maintained in a separate table called allowed_members, and the subquery against that table restricts the rows returned from the claims table to the allowable claims. In this way we can ensure that the user does not see the data of members he or she is not authorized for.

But this protection holds only as long as we assume that the user will actually write a query like the one above. What if the user deliberately, or inadvertently, omits the clause where MEMBER_ID in …? Then he or she will see the claims for all members, not just those he or she is authorized for.

To eliminate this problem, the DBA can create a view like:
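The following is an added, self-contained illustration of the problem and of the view-based fix; it is not the book's own script. It assumes an Oracle database, a constructed schema with small sample data, that allowed_members carries a username column tying each member to the database account allowed to see that member (an assumption; the page does not show the table's layout), and a hypothetical role named claims_role. The Oracle USER function supplies the connected account name, so the filter can no longer be left out by the querying user.

```sql
-- Constructed sample schema (assumed layout, not from the book)
create table claims (
    claim_id      number       primary key,
    member_id     number       not null,
    proc_code     varchar2(10) not null,
    claim_amount  number(10,2) not null
);

create table procedures (
    proc_code     varchar2(10)  primary key,
    description   varchar2(100) not null
);

-- username: the database account authorized to see that member's records
create table allowed_members (
    username      varchar2(30) not null,
    member_id     number       not null,
    constraint allowed_members_pk primary key (username, member_id)
);

-- Constructed sample rows
insert into procedures values ('P100', 'Office visit');
insert into procedures values ('P200', 'X-ray');

insert into claims values (1, 1001, 'P100',  75.00);
insert into claims values (2, 1001, 'P200', 120.00);
insert into claims values (3, 2002, 'P100',  75.00);

-- Account ANALYST_A may see member 1001 only
insert into allowed_members values ('ANALYST_A', 1001);
commit;

-- The problem: a query written directly against the base tables that
-- omits the "member_id in (...)" clause returns every member's claims.
select c.claim_id, c.claim_amount, p.description as procedure_description
from   claims c, procedures p
where  p.proc_code = c.proc_code;

-- The fix: a view that carries the authorization filter inside it.
-- USER evaluates to the connected account, so each user sees only the
-- members listed for them in allowed_members.
create or replace view my_claims as
select c.claim_id,
       c.claim_amount,
       p.description as procedure_description
from   claims c, procedures p
where  p.proc_code = c.proc_code
and    c.member_id in
       (select am.member_id
        from   allowed_members am
        where  am.username = USER);

-- Expose only the view. The view protects nothing if the account also
-- holds SELECT on the claims table itself, so that grant is not made.
grant select on my_claims to claims_role;

-- Connected as ANALYST_A, this returns claims 1 and 2 only; there is no
-- clause the user can drop to widen the result.
select claim_id, claim_amount, procedure_description
from   my_claims;
```

Two checks worth making after deploying such a view: confirm that no end-user account or public role holds SELECT on the underlying claims table (query DBA_TAB_PRIVS for the table), and confirm that the view's filter resolves the caller's identity from the session rather than from a value the caller can supply in the query.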
The above text is an excerpt from: Oracle Privacy Security Auditing (http://rampant-books.com/book_2003_2_audit.htm)