sec_relevant_cols Enforces column-level VPD, new to Oracle 10g. Applies to tables
and views only. Protected columns are specified in a list with either
commas or spaces as delimiters. The policy is applied only if the
specified sensitive columns are in the query or DML statement. By
default, all columns are protected.
sec_relevant_cols_opt Allows rows in a column-level VPD filtered query to still appear in
the result set, with NULL values returned for the sensitive columns.
The default for this parameter is NULL; otherwise, you must specify
DBMS_RLS.ALL_ROWS to show all columns with NULLs for the
sensitive columns.
TABLE 9-15 DBMS_RLS.ADD_POLICY Parameters
320 Oracle Database 11g DBA Handbook
Using the parameter sec_relevant_cols is handy when you don??™t mind if users see part of a
row, just not the columns that might contain confidential information, such as a Social Security
Number or a salary. In our example later in this chapter, we??™ll build on the first security policy we
define to filter out sensitive data for most employees of the company.
In the following example, we??™re applying a policy named EMP_SELECT_RESTRICT to the table
HR.EMPLOYEES. The schema VPD owns the policy function get_predicates.emp_select_restrict.
The policy explicitly applies to SELECT statements on the table; however, with UPDATE_CHECK
set to TRUE, update or delete commands will also be checked when rows are updated or inserted
into the table.
Pages:
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530