<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <meta http-equiv="Content-Script-Type" content="text/javascript" /> <title>About Secure Application Roles</title> <meta name="generator" content="Oracle DARB XHTML Converter (Mode = ohj/ohw) - Version 5.1" /> <meta name="date" content="2009-06-02T18:13:3Z" /> <meta name="robots" content="noarchive" /> <meta name="doctitle" content="About Secure Application Roles" /> <meta name="relnum" content="11g Release 2 (11.2)" /> <meta name="partnum" content="E10575-01" /> <link rel="copyright" href="./dcommon/html/cpyr.htm" title="Copyright" type="text/html" /> <link rel="stylesheet" href="./dcommon/css/blafdoc.css" title="Oracle BLAFDoc" type="text/css" /> <link rel="contents" href="toc.htm" title="Contents" type="text/html" /> <link rel="prev" href="tdpsg_privileges005.htm" title="Previous" type="text/html" /> <link rel="next" href="tdpsg_privileges007.htm" title="Next" type="text/html" /> <script src="./callback.js" type="text/javascript"></script> <noscript>Your browser does not support JavaScript. 
This help page requires JavaScript to render correctly.</noscript> </head> <body> <div class="zz-skip-header"><a href="#BEGIN">Skip Headers</a></div> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <col width="86%" /> <col width="*" /> <tr valign="bottom"> <td align="left"></td> <td align="center"><a href="tdpsg_privileges005.htm"><img src="./dcommon/gifs/leftnav.gif" alt="Previous" /><br /> <span class="icon">Previous</span></a> </td> <td align="center"><a href="tdpsg_privileges007.htm"><img src="./dcommon/gifs/rightnav.gif" alt="Next" /><br /> <span class="icon">Next</span></a></td> </tr> </table> <p><a id="BABCDIBA" name="BABCDIBA"></a><a id="TDPSG30321" name="TDPSG30321"></a></p> <div class="sect2"><!-- infolevel="all" infotype="General" --> <h1>About Secure Application Roles</h1> <a name="BEGIN" id="BEGIN"></a> <p><a id="sthref224" name="sthref224"></a><a id="sthref225" name="sthref225"></a>A secure application role is a role that can be enabled only by an authorized PL/SQL package. This package defines one or more security policies that control access to the application. Both the role and the package are typically created in the schema of the person who creates them, which is typically a security administrator. A security administrator is a database administrator who is responsible for maintaining the security of the database.</p> <p>The advantage of using a secure application role is that you can create additional layers of security for application access, in addition to the privileges that were granted to the role itself. <a id="sthref226" name="sthref226"></a>Secure application roles strengthen security because passwords are not embedded in application source code or stored in a table. This way, the decisions the database makes are based on the implementation of your security policies. 
Because these definitions are stored in one place, the database, rather than in your applications, you modify this policy once instead of modifying the policy in each application. No matter how many users connect to the database, the result is always the same, because the policy is bound to the role.</p> <p><a id="sthref227" name="sthref227"></a>A secure application role has the following components:</p> <ul> <li> <p><span class="bold">The secure application role itself.</span> You create the role using the <code>CREATE ROLE</code> statement with the <code>IDENTIFIED USING</code> clause to associate it with the PL/SQL package. Then, you grant the role the privileges you typically grant a role.</p> </li> <li> <p><span class="bold">A PL/SQL package, procedure, or function associated with the secure application role.</span> The PL/SQL package sets a condition that either grants the role or denies the role to the person trying to log in to the database. You must create the PL/SQL package, procedure, or function using invoker's rights, not definer's rights. Invoker's rights enable the user to have <code>EXECUTE</code> privileges on all objects that the package accesses. An invoker's rights procedure executes with the privileges of the current user, that is, the user who invokes the procedure. These procedures are not bound to a particular schema. They can be run by a variety of users and enable multiple users to manage their own data by using centralized application logic. 
To create the invoker's rights package, use the <code>AUTHID CURRENT_USER</code> clause in the declaration section of the procedure code.</p> <p>The PL/SQL package also must contain a <code>SET ROLE</code> statement or <code>DBMS_SESSION.SET_ROLE</code> call to enable (or disable) the role for the user.</p> <p>After you create the PL/SQL package, you must grant the appropriate users <code>EXECUTE</code> privileges on the package.</p> </li> <li> <p><span class="bold">A way to execute the PL/SQL package when the user logs on.</span> To execute the PL/SQL package, you must call it directly from the application before the user tries to use the privileges the role grants. You cannot use a logon trigger to execute the PL/SQL package automatically when the user logs on.</p> </li> </ul> <p>When a user logs in to the application, the policies in the package perform the checks as needed. If the user passes the checks, then the role is granted, which enables access to the application. If the user fails the checks, then the user is prevented from accessing the application.</p> <div class="helpinfonotealso"> <h2>Related Topics</h2> <p><a href="tdpsg_privileges001.htm#CHDGJDIA">About Privilege Management</a></p> </div> </div> <!-- class="sect2" --> <!-- Start Footer --> <div class="footer"> <table class="simple oac_no_warn" summary="" cellspacing="0" cellpadding="0" width="100%"> <col width="86%" /> <col width="*" /> <tr> <td align="left"><span class="copyrightlogo">Copyright © 2006, 2009, Oracle and/or its affiliates. 
All rights reserved.</span><br /> <a href="./dcommon/html/cpyr.htm"><span class="copyrightlogo">Legal Notices</span></a></td> <td align="center"><a href="tdpsg_privileges005.htm"><img src="./dcommon/gifs/leftnav.gif" alt="Previous" /><br /> <span class="icon">Previous</span></a> </td> <td align="center"><a href="tdpsg_privileges007.htm"><img src="./dcommon/gifs/rightnav.gif" alt="Next" /><br /> <span class="icon">Next</span></a></td> </tr> </table> </div> <!-- class="footer" --> </body> </html>
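The three components listed above, put together as an added example (not code from this guide or from Oracle). The schema sec_admin, the role hr_app_role, the procedure enable_hr_role, the table hr.employees, the user app_user and the address-and-hours policy are all hypothetical.

```sql
-- Added example. All object names and policy values below are hypothetical.
-- Steps 1, 3 and 4 are run by the security administrator (assumed schema: sec_admin).

-- 1. The secure application role: only sec_admin.enable_hr_role may enable it.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.enable_hr_role;

-- 2. Privileges the role carries once it is enabled.
--    (Issued by the table owner or another user entitled to grant them.)
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;

-- 3. The policy, as an invoker's rights procedure (AUTHID CURRENT_USER).
--    Constructed policy: enable the role only for sessions that come from
--    the application subnet during working hours.
CREATE OR REPLACE PROCEDURE sec_admin.enable_hr_role
  AUTHID CURRENT_USER
AS
  v_ip   VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_hour PLS_INTEGER  := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
  IF v_ip LIKE '192.0.2.%' AND v_hour BETWEEN 8 AND 17 THEN
    -- Check passed: enable the role for this session only.
    DBMS_SESSION.SET_ROLE('hr_app_role');
  END IF;
  -- Check failed: nothing is enabled, so the session keeps
  -- only the privileges it already had.
END;
/

-- 4. Let the application user run the procedure.
GRANT EXECUTE ON sec_admin.enable_hr_role TO app_user;

-- 5. In the application session (connected as app_user), call the procedure
--    before touching hr.employees. A logon trigger cannot do this step.
BEGIN
  sec_admin.enable_hr_role;
END;
/

-- 6. Verify the outcome: hr_app_role is listed only if the policy passed.
SELECT role FROM session_roles;
```

Because the check lives in the procedure, changing the subnet or the hours is a single CREATE OR REPLACE in the database rather than a change in every application that connects.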