Before you ask, with "horizontally" I mean restricting access to a subset of rows in a table, with "vertically" I mean restricting access to a subset of columns in a table.
See this scenario, a table holding product data, named product_master and two users, one with full access and another one which we want to limit.
Specifically we want to allow this second user to see only products flagged as "enabled" (horizontal limitation, only a subset of rows) and, for those products, we want to be shure that he can only change (update) the product description.
How can we achieve this?
With a mix of grant management and updateable views, let's see this setup in action:
Structure for table product_master is:
CREATE TABLE PRODUCT_MASTER( PRODUCT_CODE CHAR(5) NOT NULL, IS_ENABLED CHAR(1), PRODUCT_DESCR Varchar(50), CONSTRAINT PRODUCT_MASTER_PK PRIMARY KEY (PRODUCT_CODE) ); GRANT DELETE, INSERT, REFERENCES, SELECT, UPDATE ON PRODUCT_MASTER TO SYSDBA WITH GRANT OPTION;
As you can see only sysdba has access to this table, nothing is granted to user pippo or public role.
We said that pippo should be able to update the product description, so I'll give him appropriate grants for this:
GRANT UPDATE ON PRODUCT_MASTER TO PIPPO;
Ok, right now pippo can update the product table, then comes the hard part, allowing him to see and update only enabled products, those rows of the product master table that have the enabled field set to 'Y'.
This will be accomplished with an updateable view and proper grants, let's see it in action:
CREATE VIEW ENABLED_PRODUCTS (PRODUCT_CODE, PRODUCT_DESCR)AS /* write select statement here */ SELECT pm.PRODUCT_CODE, pm.PRODUCT_DESCR FROM product_master pm WHERE IS_ENABLED = 'Y' WITH CHECK OPTION;
The two important things here are the where condition in the select and the "with check option" clause.
The related grants to complete the magic are:
GRANT SELECT, UPDATE ON ENABLED_PRODUCTS TO PIPPO; GRANT DELETE, INSERT, REFERENCES, SELECT, UPDATE ON ENABLED_PRODUCTS TO SYSDBA WITH GRANT OPTION;
Hope this helps
No comments:
Post a Comment