Oracle row-level security setup?

Mar*_*son 1 oracle row-level-security

How can I configure a table so that a user can modify the rows that user "owns", but cannot modify rows "owned" by other users?

Mat*_*Mat 5

You can use a row-level security policy with statement_type restricted to update (or, more likely, update, delete, and maybe insert as well). See the DBMS_RLS.ADD_POLICY documentation for details.

Dummy scenario: a task list, where only the task owner can modify their tasks.

create table owners(owner_id int primary key
                  , owner_name varchar2(10));
create table tasks(task_id int primary key
                 , owner_id int
                 , description varchar2(20)
                 , completion number);

insert into owners(owner_id, owner_name) values (1, 'Mat');
insert into owners(owner_id, owner_name) values (2, 'Mark');
insert into tasks(task_id, owner_id, description, completion)
       values (100, 1, 'Task for Mat', 0);
insert into tasks(task_id, owner_id, description, completion)
       values (200, 2, 'Task for Mark', 0);
commit;

Policy function:

create or replace
function tasks_update_policy(schema varchar2, tab varchar2)
return varchar2
is
  v_owner_id  number;  -- named so it does not clash with the OWNER_ID column
begin
  -- map the connected database user to a row in OWNERS
  select owner_id into v_owner_id
    from owners
    where lower(owner_name) = lower(sys_context('userenv','session_user'));
  -- predicate appended to the statements covered by the policy
  return 'owner_id = ' || v_owner_id;
exception
  when no_data_found then
    return '1=2';  -- deny unregistered users
end;
/

Policy implementation:

begin
  dbms_rls.add_policy(object_schema => 'MAT'
        , object_name => 'TASKS'
        , policy_name => 'Tasks_update_policy'
        , policy_function => 'tasks_update_policy'
        , statement_types => 'update,delete,insert'   -- policy restriction
        , update_check => true);
end;
/

When logged in as myself:

SQL> select * from mat.tasks;

   TASK_ID   OWNER_ID DESCRIPTION      COMPLETION
---------- ---------- -------------------- ----------
       100      1 Task for Mat          0
       200      2 Task for Mark         0

SQL> update mat.tasks set completion = 20 where task_id = 100 ;

1 row updated.

SQL> update mat.tasks set completion = 20 where task_id = 200 ;

0 rows updated.

When connected as "Mark":

SQL> insert into mat.tasks values (101, 1, 'More work for Mat', 0);
insert into mat.tasks values (101, 1, 'More work for Mat', 0)
                *
ERROR at line 1:
ORA-28115: policy with check option violation
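A verification pass for the policy above, as an added example that is not part of the original answer. It assumes the MAT.TASKS table and policy exactly as created in the answer, plus read access to DBA_SYS_PRIVS for step 2.

```sql
-- Added example; assumes the MAT schema, TASKS table and policy from the answer.

-- 1. Confirm the policy is registered and enabled, and check which statement
--    types it covers. SEL, INS, UPD, DEL, CHK_OPTION and ENABLE are YES/NO
--    flags. The answer's policy leaves SELECT uncovered, which is why every
--    user can still read all rows.
select object_owner, object_name, policy_name,
       pf_owner, "FUNCTION",
       sel, ins, upd, del, chk_option, enable
  from all_policies
 where object_owner = 'MAT'
   and object_name  = 'TASKS';

-- 2. List the grantees that bypass every row-level security policy.
--    EXEMPT ACCESS POLICY is a system privilege; SYS is exempt regardless.
select grantee, admin_option
  from dba_sys_privs
 where privilege = 'EXEMPT ACCESS POLICY'
 order by grantee;

-- 3. Connected as MAT: try to hand an owned row to another owner.
--    With update_check => true the predicate is evaluated against the new
--    row values as well, so this reassignment is what the policy is meant
--    to reject.
update mat.tasks set owner_id = 2 where task_id = 100;
rollback;

-- 4. Connected as MAT: try to delete a row owned by someone else.
--    'delete' is listed in statement_types, so the predicate filters the
--    rows this statement can reach.
delete from mat.tasks where task_id = 200;
rollback;
```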