| From: | "Jim C(dot) Nasby" <jim(at)nasby(dot)net> |
|---|---|
| To: | Mike Mascari <mascarm(at)mascari(dot)com> |
| Cc: | John DeSoi <jd(at)icx(dot)net>, pgsql List <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: row-level security model |
| Date: | 2004-04-01 15:55:02 |
| Message-ID: | 20040401155502.GG74840@nasby.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Wed, Mar 31, 2004 at 03:53:22PM -0500, Mike Mascari wrote:
> 2) PostgreSQL allows the use of functions in WHERE clauses that can
> modify the database. Oracle does not. A side effect is that if a
> user has the ability to write a function, regardless of whether or
> not the language is trusted, they can by-pass the use of views as
> security:
>
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=3D02B372.B6A4EFB6%40mascari.com&rnum=2&prev=/groups%3Fq%3DMike%2BMascari%2Bsecurity%2Bhole%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den
Yes, but Oracle has much more advanced support for row-level security.
Look for Fine-Grain Access Controll in the docs.
Also, Oracle does allow for DML in SELECT queries; look up autonomous
transactions.
--
Jim C. Nasby, Database Consultant jim(at)nasby(dot)net
Member: Triangle Fraternity, Sports Car Club of America
Give your computer some brain candy! www.distributed.net Team #1828
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2004-04-01 15:55:24 | Re: A simple question about Read committed isolation level |
| Previous Message | John Liu | 2004-04-01 15:43:06 | Re: select distinct w/order by |