User Profiles  «Prev  Next»

Lesson 4 Limiting access to a role
Objective Limit access to a role.

Limiting access to a Role using Security Schemes

Question: How can you limit access to a Role using Security Schemes in Oracle?
In Oracle, you can limit access to a role using security schemes. A security scheme is a set of security policies and rules that are applied to a database object or schema to restrict access to that object or schema.
Here are the steps to limit access to a role using security schemes in Oracle:
  1. Create a security scheme: First, create a security scheme that defines the security policies and rules that will be applied to the role. For example, you might create a security scheme that restricts access to certain tables or views, or that limits the operations that can be performed on those objects.
  2. Assign the security scheme to a role: Next, assign the security scheme to the role that you want to restrict access to. This can be done using the "ALTER ROLE" command, with the "SET" option to specify the security scheme.
  3. Test the security scheme: Finally, test the security scheme by attempting to access the objects or operations that are restricted by the scheme. If the security scheme is working correctly, you should receive an error message or be denied access to the restricted object or operation.

Here is an example of how to limit access to a role using security schemes in Oracle:
CREATE SECURITY POLICY policy1
FILTER WHERE table_name = 'table1'
BLOCK SELECT, UPDATE, DELETE;

CREATE SECURITY SCHEME scheme1
ADD POLICY policy1;

ALTER ROLE my_role SET SECURITY scheme1;

In this example, we create a security policy called "my_policy" that restricts access to the "my_table" table, blocking the SELECT, UPDATE, and DELETE operations. We then create a security scheme called "my_scheme" that includes the "my_policy" policy. Finally, we assign the "my_scheme" security scheme to the "my_role" role using the "ALTER ROLE" command. Overall, using security schemes to limit access to a role in Oracle can help to improve the security and integrity of a database system, by restricting access to sensitive objects or operations to authorized users only.
Roles are a powerful way to implement security schemes. They are widely used to grant entire sets of privileges to application users. However, just as you might want to allow only certain actions in the context of an application, you might want to allow access only to certain roles within an application context.

Limit access Syntax

To limit access to a particular command, use the SQL statement
INSERT INTO PRODUCT_PROFILE(product, userid, attribute, char_value) 
VALUES(‘SQL*Plus’, userid, ‘ROLES’, role_name);

where userid is a character string representing the user ID for the user you wish to restrict and role_name is a character string representing the name of the role you wish to disable. You must issue this command while logged on as SYSTEM.

SET ROLE ALL EXCEPT role_list

SQL*Plus implements the limitations on roles in a fairly simplistic way. When SQL*Plus is started by a particular user, it checks the PRODUCT_PROFILE table for restricted roles and issues the following command:

SET ROLE ALL EXCEPT role_list;

where role_list is a list of the roles that have been specifically disabled in the table.
This implementation poses some potential problems. The first is that a user can reactivate a particular role once he or she is in SQL*Plus–even with the simple command:
SET ROLE ALL;

Disable SET ROLE command

To prevent this, you should also disable the SET ROLE command for a user if you are limiting the roles the user will be allowed to use with SQL*Plus. It is possible that a user could enable a role through the use of PL/SQL, but this is somewhat complicated, so only a fairly determined or sophisticated user could use this workaround.
You should also make sure that you are disabling a role that exists for a particular user when you insert a restriction into the PRODUCT_PROFILE table. If the user does not have access to a particular role, the SET ROLE ALL EXCEPT command will fail, which in turn will fail to impose any role restrictions on the user. In the next lesson, you will learn how to use wildcards to specify restrictions.

Product Profiles - Quiz

Click the Quiz link below to test your knowledge of product profiles.
Product Profiles - Quiz