Oracle PL/SQL Programming Guide to Oracle 8i Features

Chapter 8: Deploying Fine-Grained Access Control
 

8.2 CREATE CONTEXT: Creating Contexts

Application contexts facilitate the implementation of fine-grained access control. They allow you to implement security policies with functions and then associate those security policies with applications. Each application can have its own application-specific context. Users are not allowed to arbitrarily change their context (for example, through SQL*Plus).

A context is a named set of attribute/value pairs associated with a PL/SQL package. A context is attached to, and is global within, a session. Your application can use a context to set values that are then accessed from within your code and, specifically, from within code that is used to generate WHERE clause predicates for fine-grained access control.

Suppose you are building a human resources application. You might create a context called HRINFO and define the following attributes for that context:

position
organizational_unit
country

You can then set values for each of these attributes from within your PL/SQL programs.

Oracle provides a Data Definition Language (DDL) statement to create the context used to validate and secure an application. The format of this statement is as follows:

CREATE [OR REPLACE] CONTEXT namespace USING [schema.]plsql_package;

You may deduce from this statement that a context has two attributes. Parameters are summarized in Table 8.1.


Table 8.1: CREATE_CONTEXT Parameters

Parameter       Description
namespace       The name of the context. Context namespaces are always stored in the schema SYS.
schema          Name of the schema owning the PL/SQL package. If this name is not included, Oracle uses the currently connected schema.
plsql_package   A package that can be used to set or modify the attributes of the associated context.

To create a context namespace, you must have the CREATE ANY CONTEXT system privilege. Here is the format for this grant:

GRANT CREATE ANY CONTEXT TO schema_name;

TIP: To make it easier for you to construct contexts and the code to support them, Oracle does not verify the existence of the schema or the validity of the package at the time you create the context.

By the way, you do not have to use contexts only with the FGAC feature; they can be used simply to give you a more general and flexible way of setting and obtaining attributes for a session. I'll explore that capability later, in Section 8.4, "SYS_CONTEXT and LIST_CONTEXT: Obtaining Context Information."
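
The statements in this section combined for the HRINFO context, as an added example that is not from the book: the hr_admin schema, the hr_ctx_pkg package and the attribute values are hypothetical, and it relies on DBMS_SESSION.SET_CONTEXT and SYS_CONTEXT, which Sections 8.3 and 8.4 cover. The final statement shows that a direct attempt to change the context from SQL*Plus is rejected because it does not come from the package named in CREATE CONTEXT.

```sql
-- Added example; hr_admin, hr_ctx_pkg and the sample values are hypothetical.

-- Run as a DBA: let the application owner create contexts.
GRANT CREATE ANY CONTEXT TO hr_admin;

-- Run as hr_admin. The package does not exist yet; Oracle accepts the
-- statement anyway because it does not validate the package at this point.
CREATE OR REPLACE CONTEXT hrinfo USING hr_admin.hr_ctx_pkg;

-- The only code that is allowed to set attributes in HRINFO.
CREATE OR REPLACE PACKAGE hr_ctx_pkg
IS
   PROCEDURE set_hrinfo;
END hr_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY hr_ctx_pkg
IS
   PROCEDURE set_hrinfo
   IS
   BEGIN
      -- Constructed sample values. A real application would derive them
      -- for the connected user instead of accepting them from the caller,
      -- so that the user cannot choose his or her own context.
      DBMS_SESSION.SET_CONTEXT ('hrinfo', 'position', 'MANAGER');
      DBMS_SESSION.SET_CONTEXT ('hrinfo', 'organizational_unit', 'FINANCE');
      DBMS_SESSION.SET_CONTEXT ('hrinfo', 'country', 'US');
   END set_hrinfo;
END hr_ctx_pkg;
/

-- Through the package: succeeds, and the value is visible in the session.
EXEC hr_admin.hr_ctx_pkg.set_hrinfo

SELECT SYS_CONTEXT ('hrinfo', 'country') country FROM dual;

-- Directly from SQL*Plus, outside the package: Oracle raises
-- ORA-01031: insufficient privileges, and the attribute is unchanged.
EXEC DBMS_SESSION.SET_CONTEXT ('hrinfo', 'country', 'FR')

SELECT SYS_CONTEXT ('hrinfo', 'country') country FROM dual;
```

Because the package is the sole gatekeeper for the context, access to its source and EXECUTE grants on it deserve the same review as the security policies that read the attributes.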



Copyright (c) 2000 O'Reilly & Associates. All rights reserved.
