Additional authorization methods are provided for database administrators, due to the extreme
power that a database administrator has. Because a DBA can shut down and start up a database,
an additional level of authorization is provided.
Authorization goes well beyond simple access to a table or a report; it also includes the rights
to use system resources in the database as well as privileges to perform certain actions in the
database. A given database user might only be allowed to use 15 seconds of CPU time per session
or can only be idle for five minutes before being disconnected from the database. Another database
user might be granted the privilege to create or drop tables in any other user??™s schema, but not be
able to create synonyms or view data dictionary tables. Fine-grained access control gives the DBA
more control over how database objects are accessed. For example, standard object privileges will
either give a user access to an entire row of a table or not at all; using fine-grained access control,
a DBA can create a policy implemented by a stored procedure that restricts access based on time
of day, where the request originates, which column of the table is being accessed, or all three.
At the end of the section on database authorization, we will present a short example of a Virtual
Private Database (VPD) to provide methods for defining, setting, and accessing application attributes
along with the predicates (usually WHERE clauses) to control which data is accessible or returned
to the user of the application.
Pages:
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470