dbms_rls.add_policy (
object_schema => 'HR',
object_name => 'EMPLOYEES',
policy_name => 'EMP_SELECT_RESTRICT',
function_schema => 'VPD',
policy_function => 'get_predicates.emp_select_restrict',
statement_types => 'SELECT',
update_check => TRUE,
enable => TRUE
);
Because we did not set static_policy, it defaults to FALSE, meaning that the policy is dynamic and
is checked every time a select statement is parsed. This is the only behavior available before
Oracle Database 10g.
Using the subprogram ENABLE_POLICY is an easy way to disable the policy temporarily
without having to rebind the policy to the table later:
dbms_rls.enable_policy(
object_schema => 'HR',
object_name => 'EMPLOYEES',
policy_name => 'EMP_SELECT_RESTRICT',
enable => FALSE
);
If multiple policies are specified for the same object, an AND condition is added between
each predicate. If you need to have an OR condition between predicates for multiple policies
instead, the policy most likely needs to be revised. The logic for each policy needs to be
combined within a single policy with an OR condition between each part of the predicate.
Creating a VPD
In this section, we??™ll step through a complete implementation of a VPD from beginning to end.
This example relies on the sample schemas installed with Oracle Database 10g and 11g. To be
specific, we are going to implement an FGAC policy on the HR.EMPLOYEES table to restrict
access based on manager status and the employee??™s department number.
Pages:
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531