技术头条 - 一个快速在微博传播文章的方式     搜索本站
您现在的位置首页 --> Oracle --> oracle列级权限控制

oracle列级权限控制

浏览:2023次  出处信息

客户有个需求,一张150多个字段的表,客户要求只将部分字段给扫描公司的人看,这个需求用视图就可以很容易实现,客户又要求,这些字段,扫描公司只可以修改其中的个别字段,我之前还真没遇到这样在列级别做权限控制的需求,做了个实验,感觉很有意思,记录下测试过程。
1.创建测试表并插入点测试数据:

SQL> create table test( id number,table_name varchar2(50),
     owner varchar2(50),TABLESPACE_NAME varchar2(50));
Table created.
SQL> insert into test select rownum,table_name,owner,
     TABLESPACE_NAME from dba_tables;
5490 rows created.
SQL> commit;
Commit complete.

2.创建测试用户并赋予基本权限:

SQL> CONN / AS SYSDBA
Connected.
SQL> create user stream identified by stream default tablespace users;
User created.
SQL> grant connect,resource to stream;
Grant succeeded.

3.赋予测试用户列级权限:

SQL> conn auth/auth
Connected.
SQL> grant update (id) on test to stream;
Grant succeeded.
SQL> grant insert (table_name) on test to stream;
Grant succeeded.
SQL> 
SQL> grant select on test to stream;
Grant succeeded.

4.查询列级权限设置信息:

SQL> select GRANTEE,OWNER,TABLE_NAME,COLUMN_NAME,GRANTOR,PRIVILEGE,
     GRANTABLE from user_col_privs;
GRANTEE   OWNER   TABLE_NAME COLUMN_NAME   GRANTOR   PRIVILEGE   GRA
-------   -----   ---------- -----------   -------   ---------   ---
STREAM    AUTH    TEST       TABLE_NAME    AUTH      INSERT      NO
AUT       AUTH    TEST       ID            AUTH      INSERT      NO
AUT       AUTH    TEST       ID            AUTH      UPDATE      NO
STREAM    AUTH    TEST       ID            AUTH      UPDATE      NO

5.登陆测试用户验证SELECT权限:

SQL> conn stream/stream
Connected.
SQL> select * from(select * from auth.test order by 1) where rownum< =10;
        ID TABLE_NAME           OWNER      TABLESPACE
---------- -------------------- ---------- ----------
         1 ICOL$                SYS        SYSTEM
         2 IND$                 SYS        SYSTEM
         3 COL$                 SYS        SYSTEM
         4 CLU$                 SYS        SYSTEM
         5 TAB$                 SYS        SYSTEM
         6 LOB$                 SYS        SYSTEM
         7 COLTYPE$             SYS        SYSTEM
         8 SUBCOLTYPE$          SYS        SYSTEM
         9 NTAB$                SYS        SYSTEM
        10 REFCON$              SYS        SYSTEM
10 rows selected.

6.验证列级UPDATE权限控制:

SQL> update auth.test set owner='STREAM'  where id =1;
update auth.test set owner='STREAM'  where id =1
            *
ERROR at line 1:
ORA-01031: insufficient privileges

可见,不允许修改测试表的OWNER字段的值,报ORA-01031:权限不足,由于上文赋予了测试用户对修改测试表ID字段的修改权限,修改ID字段是可以的。

SQL> update auth.test set id=10 where id=1;
1 row updated.
SQL> rollback;
Rollback complete.

7.验证列级INSERT权限控制:

SQL> insert into auth.test values(1,'stream','stream','users');   
insert into auth.test values(1,'stream','stream','users')
                 *
ERROR at line 1:
ORA-01031: insufficient privileges

可见,整行插入是不被允许的,也是权限不够,由于上文赋予了测试用户对修改测试表TABLE_NAME字段的插入权限,所以插入TABLE_NAME字段是可以的,但是前提是其他字段没有NOT NULL约束。

SQL> insert into auth.test(table_name) values ('stream');
1 row created.
SQL> rollback;
Rollback complete.
QQ技术交流群:445447336,欢迎加入!
扫一扫订阅我的微信号:IT技术博客大学习
© 2009 - 2024 by blogread.cn 微博:@IT技术博客大学习

京ICP备15002552号-1