Fine Grained Access Control
上传者:方继明|上传时间:2015-04-26|密次下载
Fine Grained Access Control
FGAC 精细化访问控制
Fine Grained Access Control
Arup Nanda, Proligence, Inc.
Introduction
Just as a picture is worth thousand words, it’s my belief that even the most complex of concepts or features can be easily explained through an example, where the reader has the ability to test out the concepts while reading them online. Following my own convictions, I will explain the concepts and uses of this powerful feature of the database using an example of a hospital database.
The application that the hospital uses must adhere to the HIPAA regulations and one of the mandates is to allow viewing of patient data only to the people who need them and have authorization for. This means the doctors can access the data on just those patients they are treating, not all. In the old days, this could have been done using a simple filtering predicate in the application queries. This is not practical for a variety of reasons – the primary of which is the modification of a large number of SQL statements inside the application. In case of third party canned applications, this is even more difficult, with the source code controlled in a different place outside the control of the hospital.
The other problem is security – what if the user just bypasses the applications and queries the data directly from the database? This sidesteps the filtering predicate inside the code, allowing full access to the data. Obviously the solution calls for the filtering predicate to be applied automatically, regardless of how the access is made.
One of the approaches is to use a view on the table with a filtering predicate built in, and allowing users to access the view instead of the base table. This accomplishes the security requirement, but with the proliferation of the views, it might be impractical to maintain this setup. In addition, if the need ever comes to restrict the access by the owner itself, this
solution will not work, since the owner can select from the base table. Using views also forces us to use a predicate that is static, not generated at the runtime.
The perfect solution comes from Oracle’s implementation of Fine Grained Access Control (FGAC). It is also known as Row Level Security (RLS) or Virtual Private Database (VPD). In this article we will explore the use of this powerful feature in the form of an example setup, to bolster the understanding. We will also learn how to use another advanced feature – application contexts in a database setup.
Setup
You can download the scripts to create all the objects used in this article and populate the data from my website, http://wendang.chazidian.com/pubsupp.
In our example, we have used the case of an overly simplified hospital database. Typically hospitals have several doctors and each patient is assigned a doctor. The tables are owned by the schema HOSPITAL. The table DOCTORS holds the information on doctors as follows.
Name Null? Type ----------------- -------- ------------ DOCTOR_ID NOT NULL NUMBER DOCTOR_NAME VARCHAR2(20) GROUP_ID NUMBER
FGAC 精细化访问控制
The primary key of the table is DOCTOR_ID. It’s assumed that the column DOCTOR_NAME contains the doctor’s login id to the database. A group may consist of several doctors. The column GROUP_ID specifies the group the doctor belongs to.
The other important table holds information on patients visiting the hospital, named PATIENTS, shown below.
Name Null? Type ----------------- -------- ------------ PATIENT_ID NOT NULL NUMBER DOCTOR_ID NUMBER PATIENT_NAME VARCHAR2(20) DISEASE VARCHAR2(20)
The column PATIENT_ID is the primary key of the table. The column DOCTOR_ID is a foreign key to the table DOCTORS shown above. For the purpose of simplicity, let’s assume that the relationship between DOCTORS to PATIENTS is one-to-many, whereas in the real life, it is probably many-to-many.
Here is how the data looks like in the table DOCTORS.
DOCTOR_ID DOCTOR_NAME GROUP_ID ---------- -------------------- ---------- 1 DRADAM 1 2 DRBARB 2 3 DRCHARLIE 2
And here is the data in table PATIENTS.
PATIENT_ID DOCTOR_ID PATIENT_NAME DISEASE ---------- ---------- -------------------- ----------- 1 1 LARRY EGO 2 1 BILL CONTROL 3 2 SCOTT FICKLENESS 4 3 CRAIG LOWVISION 5 3 LOU GREED
Corresponding to all the names of the doctors, we need to have the userids created in Oracle in the same name. Therefore, we have the users named DRADAMS, DRBARB and DRCHARLIE, all with SELECT, INSERT, UPDATE and DELETE privileges on the tables DOCTORS and PATIENTS.
Building the FGAC Setup
In the existing application, the following statement is a call made to the database to see the patient data.
SELECT * FROM PATIENTS;
With the new requirements in mind, the call must be changed to
SELECT * FROM PATIENTS WHERE DOCTOR_ID = <id of the doctor logged in>
We somehow have to make a system where the application need not be changed, and the first call will automatically select only the records related to the doctor currently logged in, not all. In other words, we have to generate a filtering predicate,
FGAC 精细化访问控制
i.e. a WHERE clause to be appended to he query automatically. Building this predicate is the first step. The following function returns a string that can be applied to the query as a WHERE clause.
create or replace function get_doctor_id ( p_schema_name in varchar2, p_table_name in varchar2 ) return varchar2 is l_doctor_id number; begin select doctor_id into l_doctor_id from doctors where doctor_name = USER; return 'doctor_id = '||l_doctor_id; end;
Note how the function returns the string DOCTOR_ID = <id> where <id> is the numerical ID of the doctor who is logged in now, as returned by the function call USER above.
This special function is called a policy function and is the building block of a FGAC setup. Note that this has exactly two input arguments, for the schema and the table on which it will be applied and has exactly one return value, the string that will be used as a WHERE clause. The structure of the policy function must be exactly this and is not flexible. The logic can be changed inside, though.
Next step is to build a policy to be placed on a table. This policy is the one that restricts the rows accessible to the users. It does so by applying the output of the policy function. The following code segment sets up a policy on the table PATIENTS.
begin dbms_rls.add_policy ( object_schema => 'HOSPITAL', object_name => 'PATIENTS', policy_name => 'PATIENT_VIEW_POLICY', policy_function => 'GET_DOCTOR_ID', function_schema => 'HOSPITAL', statement_types => 'SELECT, INSERT, UPDATE, DELETE', update_check => true, enable => true ); end;
Here we have defined a policy named PATIENT_VIEW_POLICY on the table PATIENTS in schema HOSPITAL. The policy calls the function GET_DOCTOR_ID as shown in the parameter policy_function. This policy is applied to all types of DML statements on the table – SELECT, INSERT, UPDATE and DELETE. The other options will be explained later.
Once the policy is in place, logon to the database as the user DRADAM and select from the table
SQL> select * from hospital.patients
FGAC 精细化访问控制
PATIENT_ID DOCTOR_ID PATIENT_NAME DISEASE ---------- ---------- -------------------- -------- 1 1 LARRY EGO 2 1 BILL CONTROL
Well what happened? There are only two rows selected from the table; but we know for a fact that the table has five rows. However, only patients 1 and 2 are supposed to be seen by the user DRADAM, and only those were displayed. The most important point to note here is that the user did not specify any where clause. Yet, the filtering predicate was applied automatically, by the policy using the output from the policy function.
The user’s original query
SELECT * FROM PATIENTS
was rewritten to
SELECT * FROM
(SELECT * FROM PATIENTS)
WHERE DOCTOR_ID = 1
What if the user deletes the table, as seen below?
SQL> delete hospital.patients; 2 rows deleted.
Note, only 2 rows are deleted, not all the five. The same principle hold true – the filtering predicate is applied
automatically to the query. If the user updates the table,
SQL> update hospital.patients set disease = null; 2 rows updated.
Again, only 2 rows are updated, not all five.
Another user, DRBARB is allowed to see only patient 2. If she logs in and uses the same query:
SQL> select * from hospital.patients; PATIENT_ID DOCTOR_ID PATIENT_NAME DISEASE ---------- ---------- -------------------- ------------ 3 2 SCOTT FICKLENESS
Notice how only one row was returned, even though the table has 5. Dr Barb was authorized to see patient 3 only and that is what she saw.
The policy is applied regardless of how the table is accessed – through a trigger, a procedure, an application, anything. It is as if the table contains only two rows for the user DRADAMS, not the five which are actually there. This facility
creates a window where the user always sees the rows he is supposed to see, not all, something akin to a private view of the table. By applying the same policy to all the tables in a database, the users can see the data which they are authorized to see only, as if they have a private database inside a real database. Hence the Fine Grained Access Control is also known as Virtual Private Database feature.
FGAC 精细化访问控制
Note how the content of the table changes depending upon the user logged in, eliminating the need for application changes. This powerful feature makes applications developed only once; the policy dictates the filtering predicate.
In addition to example given above, FGAC has other uses in hosting companies, where multiple users share the same database and in some cases the same table. FGAC allows the creation of several virtual databases, not physically different ones – making the setup simpler and less expensive to maintain.
Bypassing the Restrictions
Sometimes it might be required to bypass the restrictions. For instance, we may decide to remove restrictions from the owner of the tables. To do this, we will pass a NULL as the return value to be used as a predicate. If the value is NULL, the policy allows all rows to be visible without restrictions. The policy function can then be rewritten as follows.
create or replace function get_doctor_id ( p_schema_name in varchar2, p_table_name in varchar2 ) return varchar2 is l_doctor_id number; begin if (p_schema_name = USER) then return null; end if;
select doctor_id into l_doctor_id from doctors where doctor_name = USER; return 'doctor_id = '||l_doctor_id; end;
Note the newly added segment shown in bold. If the current user is the schema owner of the table, then the policy function returns NULL, i.e. no filtering predicate is applied to the query.
There is a special type of system privilege called EXEMPT ACCESS POLICY used to exempt a specific user from being subject to any kind of restriction on any of the tables. The DBA role is granted this system privilege by default; hence a user with DBA role accessing data will not be restricted by any policy – a very important point to keep in mind while designing applications involving FGAC.
Other Dependent Tables
So far we have talked about only one table. Suppose there is another table in the database to hold information on
treatments given to patients. Since a patient may be given treatment more than once, the table TREATMENTS, shown below, has column to record the dates, too.
Name Null? Type ----------------- -------- ------------ PATIENT_ID NUMBER TREATMENT_DT DATE TREATMENT VARCHAR2(30)
Here are the sample data in this table.
下载文档
热门试卷
- 2016年四川省内江市中考化学试卷
- 广西钦州市高新区2017届高三11月月考政治试卷
- 浙江省湖州市2016-2017学年高一上学期期中考试政治试卷
- 浙江省湖州市2016-2017学年高二上学期期中考试政治试卷
- 辽宁省铁岭市协作体2017届高三上学期第三次联考政治试卷
- 广西钦州市钦州港区2016-2017学年高二11月月考政治试卷
- 广西钦州市钦州港区2017届高三11月月考政治试卷
- 广西钦州市钦州港区2016-2017学年高一11月月考政治试卷
- 广西钦州市高新区2016-2017学年高二11月月考政治试卷
- 广西钦州市高新区2016-2017学年高一11月月考政治试卷
- 山东省滨州市三校2017届第一学期阶段测试初三英语试题
- 四川省成都七中2017届高三一诊模拟考试文科综合试卷
- 2017届普通高等学校招生全国统一考试模拟试题(附答案)
- 重庆市永川中学高2017级上期12月月考语文试题
- 江西宜春三中2017届高三第一学期第二次月考文科综合试题
- 内蒙古赤峰二中2017届高三上学期第三次月考英语试题
- 2017年六年级(上)数学期末考试卷
- 2017人教版小学英语三年级上期末笔试题
- 江苏省常州西藏民族中学2016-2017学年九年级思想品德第一学期第二次阶段测试试卷
- 重庆市九龙坡区七校2016-2017学年上期八年级素质测查(二)语文学科试题卷
- 江苏省无锡市钱桥中学2016年12月八年级语文阶段性测试卷
- 江苏省无锡市钱桥中学2016-2017学年七年级英语12月阶段检测试卷
- 山东省邹城市第八中学2016-2017学年八年级12月物理第4章试题(无答案)
- 【人教版】河北省2015-2016学年度九年级上期末语文试题卷(附答案)
- 四川省简阳市阳安中学2016年12月高二月考英语试卷
- 四川省成都龙泉中学高三上学期2016年12月月考试题文科综合能力测试
- 安徽省滁州中学2016—2017学年度第一学期12月月考高三英语试卷
- 山东省武城县第二中学2016.12高一年级上学期第二次月考历史试题(必修一第四、五单元)
- 福建省四地六校联考2016-2017学年上学期第三次月考高三化学试卷
- 甘肃省武威第二十三中学2016—2017学年度八年级第一学期12月月考生物试卷
网友关注
- 拥护党的路线、方针、政策,忠于祖国,热爱
- 考研政治复习重点资料,每天一小时轻松拿高分
- 《浙江省建筑工程预算定额》定额库(2010版)
- 宪法的程序性国家法、宪法论论文
- 贯彻平安方针,落实平安义务。-李长满[优质文档]
- [宝典]室庐设计要点77815
- [精品]国际经济法概论精讲 国际服务贸易法
- [精品]国际经济法概论精讲国际货物贸易法
- 【精品】拨打漫游地(元分钟)52
- 绿色建筑
- 桐庐社会福利中心改建工程联系单费用一览表
- 2016考研政治 这样复习保你拿高分
- 环境工程微生物复习资料
- 监理规划规范本
- 何家湾隧道实施性施工组织设计
- 论公民宪法财产权保护中国家义务
- 施工组织设计方案
- z论宪法的权威 _233网校论文中心_国家法、宪法论文_法学论文
- 220KV变电站电气部分初步设计
- 数学系宣传贯彻党和国家的路线、方针、政策,
- 南京医科大学2014年硕士研究生招生简章
- 施工组织设计_9
- 2016考研政治 五大科目如何抓住点
- 5、河道施工组织设计
- 遂昌县汤公园智能化供水设备工程询价询价工程遂昌县遂昌县
- 2011年中央有关“三农”工作的重大方针政策(可编辑)
- 东北石油大学体育部2013考研备考手册
- 2011系统强化(刑法总则)韩友谊
- 考研的心态下一站,遇到最好的自己----跨考考研
- 结构设计计算方法参考
网友关注视频
- 冀教版英语三年级下册第二课
- 冀教版小学数学二年级下册1
- 冀教版小学数学二年级下册第二周第2课时《我们的测量》宝丰街小学庞志荣.mp4
- 化学九年级下册全册同步 人教版 第25集 生活中常见的盐(二)
- 沪教版八年级下次数学练习册21.4(2)无理方程P19
- 精品·同步课程 历史 八年级 上册 第15集 近代科学技术与思想文化
- 北师大版数学四年级下册第三单元第四节街心广场
- 【部编】人教版语文七年级下册《老山界》优质课教学视频+PPT课件+教案,安徽省
- 青岛版教材五年级下册第四单元(走进军营——方向与位置)用数对确定位置(一等奖)
- 外研版英语三起5年级下册(14版)Module3 Unit2
- 冀教版小学数学二年级下册第二周第2课时《我们的测量》宝丰街小学庞志荣
- 沪教版牛津小学英语(深圳用) 五年级下册 Unit 10
- 北师大版八年级物理下册 第六章 常见的光学仪器(二)探究凸透镜成像的规律
- 8.对剪花样_第一课时(二等奖)(冀美版二年级上册)_T515402
- 化学九年级下册全册同步 人教版 第18集 常见的酸和碱(二)
- 外研版八年级英语下学期 Module3
- 30.3 由不共线三点的坐标确定二次函数_第一课时(市一等奖)(冀教版九年级下册)_T144342
- 外研版英语三起6年级下册(14版)Module3 Unit2
- 【部编】人教版语文七年级下册《逢入京使》优质课教学视频+PPT课件+教案,辽宁省
- 每天日常投篮练习第一天森哥打卡上脚 Nike PG 2 如何调整运球跳投手感?
- 冀教版小学英语四年级下册Lesson2授课视频
- 苏科版八年级数学下册7.2《统计图的选用》
- 人教版历史八年级下册第一课《中华人民共和国成立》
- 七年级英语下册 上海牛津版 Unit5
- 沪教版牛津小学英语(深圳用) 五年级下册 Unit 12
- 第五单元 民族艺术的瑰宝_16. 形形色色的民族乐器_第一课时(岭南版六年级上册)_T1406126
- 沪教版牛津小学英语(深圳用) 六年级下册 Unit 7
- 冀教版英语四年级下册第二课
- 苏教版二年级下册数学《认识东、南、西、北》
- 3月2日小学二年级数学下册(数一数)
精品推荐
- 2016-2017学年高一语文人教版必修一+模块学业水平检测试题(含答案)
- 广西钦州市高新区2017届高三11月月考政治试卷
- 浙江省湖州市2016-2017学年高一上学期期中考试政治试卷
- 浙江省湖州市2016-2017学年高二上学期期中考试政治试卷
- 辽宁省铁岭市协作体2017届高三上学期第三次联考政治试卷
- 广西钦州市钦州港区2016-2017学年高二11月月考政治试卷
- 广西钦州市钦州港区2017届高三11月月考政治试卷
- 广西钦州市钦州港区2016-2017学年高一11月月考政治试卷
- 广西钦州市高新区2016-2017学年高二11月月考政治试卷
- 广西钦州市高新区2016-2017学年高一11月月考政治试卷
分类导航
- 互联网
- 电脑基础知识
- 计算机软件及应用
- 计算机硬件及网络
- 计算机应用/办公自动化
- .NET
- 数据结构与算法
- Java
- SEO
- C/C++资料
- linux/Unix相关
- 手机开发
- UML理论/建模
- 并行计算/云计算
- 嵌入式开发
- windows相关
- 软件工程
- 管理信息系统
- 开发文档
- 图形图像
- 网络与通信
- 网络信息安全
- 电子支付
- Labview
- matlab
- 网络资源
- Python
- Delphi/Perl
- 评测
- Flash/Flex
- CSS/Script
- 计算机原理
- PHP资料
- 数据挖掘与模式识别
- Web服务
- 数据库
- Visual Basic
- 电子商务
- 服务器
- 搜索引擎优化
- 存储
- 架构
- 行业软件
- 人工智能
- 计算机辅助设计
- 多媒体
- 软件测试
- 计算机硬件与维护
- 网站策划/UE
- 网页设计/UI
- 网吧管理