Application contexts facilitate the implementation of fine-grained access control. They allow you to implement security policies with functions and then associate those security policies with applications. Each application can have its own application-specific context. Users are not allowed to arbitrarily change their context (for example, through SQL*Plus).
A context is a named set of attribute/value pairs associated with a PL/SQL package. A context is attached to, and is global within, a session. Your application can use a context to set values that are then accessed from within your code and, specifically, from within code that is used to generate WHERE clause predicates for fine-grained access control.
Suppose you are building a human resources application. You might create a context called HRINFO and define the following attributes for that context:
- position
- organizational_unit
- country
You can then set values for each of these attributes from within your PL/SQL programs.
Oracle provides a Data Definition Language (DDL) statement to create the context used to validate and secure an application. The format of this statement is as follows:
CREATE [OR REPLACE] CONTEXT namespace USING [schema.]plsql_package;
You may deduce from this statement that a context has two attributes. Parameters are summarized in Table 8.1.
Parameter | Description |
---|---|
namespace | The name of the context. Context namespaces are always stored in the schema SYS. |
schema | Name of the schema owning the PL/SQL package. If this name is not included, Oracle uses the currently connected schema. |
plsql_package | A package that can be used to set or modify the attributes of the associated context. |
To create a context namespace, you must have the CREATE ANY CONTEXT system privilege. Here is the format for this grant:
GRANT CREATE ANY CONTEXT TO schema_name;
TIP: To make it easier for you to construct contexts and the code to support them, Oracle does not verify the existence of the schema or the validity of the package at the time you create the context.
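The steps above put together for the HRINFO example, as an added example that is not code from the original text; the package name hr_security_pkg, the employees table and its column names are hypothetical. It also shows that a call to DBMS_SESSION.SET_CONTEXT from outside the associated package is rejected, which is what keeps users from changing their context arbitrarily.

```sql
-- Added example; hr_security_pkg, employees and its columns are hypothetical.
-- Run from a schema that holds the CREATE ANY CONTEXT privilege.

-- The package need not exist yet: Oracle does not validate it here.
CREATE OR REPLACE CONTEXT hrinfo USING hr_security_pkg;

CREATE OR REPLACE PACKAGE hr_security_pkg AS
   PROCEDURE set_hr_attributes;
END hr_security_pkg;
/

CREATE OR REPLACE PACKAGE BODY hr_security_pkg AS
   PROCEDURE set_hr_attributes IS
      -- Values come from the connected user's own row, never from the caller.
      CURSOR emp_cur IS
         SELECT emp_position, org_unit, country_name
           FROM employees
          WHERE username = SYS_CONTEXT ('USERENV', 'SESSION_USER');
      emp_rec emp_cur%ROWTYPE;
   BEGIN
      OPEN emp_cur;
      FETCH emp_cur INTO emp_rec;
      -- No matching row: attributes stay unset and SYS_CONTEXT returns NULL.
      IF emp_cur%FOUND THEN
         DBMS_SESSION.SET_CONTEXT ('hrinfo', 'position', emp_rec.emp_position);
         DBMS_SESSION.SET_CONTEXT ('hrinfo', 'organizational_unit', emp_rec.org_unit);
         DBMS_SESSION.SET_CONTEXT ('hrinfo', 'country', emp_rec.country_name);
      END IF;
      CLOSE emp_cur;
   END set_hr_attributes;
END hr_security_pkg;
/

-- Populate the context for this session, then read one attribute back.
BEGIN
   hr_security_pkg.set_hr_attributes;
END;
/
SELECT SYS_CONTEXT ('hrinfo', 'country') AS country FROM dual;

-- Outside the associated package the same call fails with
-- ORA-01031: insufficient privileges, so the value cannot be overridden.
BEGIN
   DBMS_SESSION.SET_CONTEXT ('hrinfo', 'country', 'ANYWHERE');
END;
/
```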
By the way, you do not have to use contexts only with the FGAC feature; they can be used simply to give you a more general and flexible way of setting and obtaining attributes for a session. I'll explore that capability later, in Section 8.4, "SYS_CONTEXT and LIST_CONTEXT: Obtaining Context Information."
Copyright (c) 2000 O'Reilly & Associates. All rights reserved.