As their name denotes, rulesets are a collection of rules that in turn consist of logical statements, which might evaluate to true or false. Because of their capacity for evaluation, rulesets can be associated with command rules, realm authorization, and factor assignment, as well as secure application roles.
In this recipe we will create two rulesets:
emp_detail_view
from the vw_america
and vw_europe
users only, and no other user will be allowed to select from this view.Rules sets can be defined by using the PL/SQL Oracle Database Vault administrative packages or by using DVA:
ODVA_OWNER
in DVA Console.Reporting from HR Views
You are not allowed to report from this view
, and for Custom Event Handler Option select Handler disabledEvaluate VW_AMERICA user
as the name and SYS_CONTEXT('USERENV','SESSION_USER')='VW_AMERICA'
as the rule expression, as follows:Evaluate VW_EUROPE user
as the name and SYS_CONTEXT('USERENV', 'SESSION_USER')= 'VW_EUROPE'
as the rule expression, as follows: SELECT
command rule defined in the previous recipe. It will be associated with the Report from HR views
ruleset.HR
user and issue a SELECT
against EMP_DETAILS_VIEW
, as follows: SQL> conn HR Enter password: Connected. SQL> select first_name,last_name from emp_Details_view where employee_id=100; select first_name,last_name from hr.emp_Details_view where employee_id=100 * ERROR at line 1: ORA-47306: 20998: You are not allowed to report from this view
As we can see, the ruleset is in effect.
vw_america
and issue the same SELECT
as that used in the previous step, as follows:SQL> conn vw_america Enter password: Connected. SQL> select first_name,last_name from hr.emp_Details_view where employee_id=100; FIRST_NAME LAST_NAME -------------------- ------------------------- Steven King
vw_europe
and issue the SELECT
again:SQL> conn vw_europe Enter password: Connected. SQL> select first_name,last_name from hr.emp_Details_view where employee_id=100; FIRST_NAME LAST_NAME -------------------- ------------------------- Steven King SQL>
Next, we will create a ruleset associated with the CREATE VIEW
command rule.
Create views for end of the month reporting
as NameYou are not allowed to create reports until the end of the month
in the Fail Message box, and for Custom Event Handler Option choose Handler disabled:Evaluate HR user
as the name and SYS_CONTEXT('USERENV','SESSION_USER')='HR'
as the rule expression as follows, and click on the OK button.Create views for end of the month reporting
ruleset.CREATE VIEW
command rule with the Create views for end of the month reporting
ruleset, as follows:HR
and try to create a view named salaries_and_commisions
, as follows:SQL> conn HR Enter password: Connected. SQL> create or replace view salaries_and_commissions as select first_name,last_name,salary,commission_pct from employees where commission_pct is not null; create or replace view salaries_and_commissions as select first_name,last_name,salary,commission_pct from employees where commission_pct is not null * ERROR at line 1: ORA-47306: 20999: You are not allowed to create reports until the end of the month SQL>
SQL> select sysdate from dual; SYSDATE --------- 16-APR-12 SQL>
ALTER SYSTEM SET FIXED_DATE=<desired date>
:SQL> select sysdate from dual; SYSDATE --------- 30-APR-12 SQL>
salaries_and_commissions
view:SQL> create or replace view salaries_and_commissions as select first_name,last_name,salary,commission_pct from employees where commission_pct is not null; View created. SQL>
Since we have changed the system date to the last day of the month and are connected as the user HR
, the view is created. After testing, you should reset the system date back to the current date.
The rules contained in a ruleset will be evaluated based on Evaluation Options that can be set to All True or Any True. If we use All True, then all the rules will be evaluated, and if one rule is returning FALSE
, then the evaluation stops there and the operation will be denied. Otherwise if all the rules return TRUE
, then the overall return will also be TRUE
and the operation is allowed. If we use Any True, the evaluation stops at the first occurrence of the TRUE
condition for any of the rules defined in the ruleset.
3.143.22.23