I have a view named customer and I want to restrict the following SQL command:
select * from customer;
I want to create a view where the user must have a where clause, and only that is executable:
select * from customer where address='ABC';
Use contexts.
create context where_condition using your_context_pkg;
Then use the context in the view:
create view customer_v as
select * from customer
where address = sys_context('where_condition', 'address');
You have to provide a PL/SQL package, named your_context_pkg, where the context value is set with dbms_session.set_context(...).
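One way to write the package this answer refers to, as an added example that is not part of the original answer. The names app_owner, app_user, set_address and clear_address are assumptions, and the context attribute is spelled address here:

```sql
-- Added example, Oracle syntax. Assumed names: app_owner (schema that owns
-- CUSTOMER), app_user (restricted account), set_address, clear_address.
-- Run as app_owner; creating the context needs CREATE ANY CONTEXT.

-- Bind the namespace to one package: only code inside your_context_pkg can
-- change its values, so a user cannot call dbms_session.set_context directly.
create or replace context where_condition using your_context_pkg;

create or replace package your_context_pkg as
  procedure set_address(p_address in varchar2);
  procedure clear_address;
end your_context_pkg;
/

create or replace package body your_context_pkg as
  procedure set_address(p_address in varchar2) is
  begin
    -- Refuse an empty filter instead of storing NULL.
    if p_address is null then
      raise_application_error(-20001, 'An address filter is required');
    end if;
    dbms_session.set_context('where_condition', 'address', p_address);
  end set_address;

  procedure clear_address is
  begin
    dbms_session.clear_context('where_condition', attribute => 'address');
  end clear_address;
end your_context_pkg;
/

create or replace view customer_v as
select * from customer
where address = sys_context('where_condition', 'address');

-- Expose only the filtered view and the setter, never CUSTOMER itself.
grant select on customer_v to app_user;
grant execute on your_context_pkg to app_user;

-- In app_user's session: set the filter, then query the view.
begin
  app_owner.your_context_pkg.set_address('ABC');
end;
/
select * from app_owner.customer_v;
```

Until set_address runs in a session, sys_context returns NULL, the comparison address = NULL is never true, and customer_v returns no rows. The user still chooses the address value, so this forces a filter but does not limit which addresses a user may read.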
The way you put it, you'd recreate the view as
create or replace view customer as
select whatever
from bunch_of_tables
where address is not null --> add this
If you need this feature for security reasons, familiarize yourself with role-based security (RBS).
I'm having this situation whereby users are using DBeaver to access DB2. There are some views created. At the moment users have the ability to use DBeaver to see the view DDL (back-end code).
Question: how/is there any way to prevent the user from seeing the view DDL?
Much appreciate your advice.
Look at the Db2 Obfuscation facility.
CALL DBMS_DDL.CREATE_WRAPPED ('CREATE OR REPLACE VIEW TEST_OBFUSCATED AS SELECT TABNAME FROM SYSCAT.TABLES WHERE TABSCHEMA LIKE ''SYS%''');
SELECT TEXT
FROM SYSCAT.VIEWS
WHERE VIEWSCHEMA = CURRENT SCHEMA AND VIEWNAME = 'TEST_OBFUSCATED';
TEXT
CREATE OR REPLACE VIEW TEST_OBFUSCATED WRAPPED SQL11014 long_meaningless_string
You may use this view as any other one in the same way, but its text is not visible for everyone.
Moreover, you can use this "strange" obfuscated statement to create the view from scratch. There is a scalar function which helps you to get this obfuscated statement without creating it first.
VALUES DBMS_DDL.WRAP ('CREATE OR REPLACE VIEW TEST_OBFUSCATED AS SELECT TABNAME FROM SYSCAT.TABLES WHERE TABSCHEMA LIKE ''SYS%''')
If someone still needs to view the real view text, you may use Row and column access control (RCAC) on the SYSIBM.SYSVIEWS table.
If you want your users to be able to select from a view, they must be able to obtain the definition of that view.
You can wrap the query against the view in a set-returning user-defined function, which has all privileges of its creator, presumably a DBA, and grant other users only the EXECUTE privilege on that function. You will then be able to revoke from your users the privileges to read system catalog tables that you don't want them to read.
Details in the manual.
I want to create a view that contains a column which refers to the owner of this view. Something like that:
create or replace view scott.owner_v
as
select something() owner from dual;
Note: something() shouldn't necessarily be a function or package reference. It can be anything that gives a desired output.
So querying select owner from scott.owner_v under JEREMY user, for example, would return SCOTT and when I compile such view in HR schema I get HR in owner column.
Maybe seems dumb to query SCOTT.owner_v to get SCOTT but I need it in terms of building DWH referring to different sources which are situated in different schemas. So then I would build dynamically a new view which is on a "higher" level that collects data from all schemas with extra column like owner which shows a source of data. I can put this column when building this "higher" view but I want to keep it as simple as it can be.
Obviously, I tried to place into a view the following parameters
sys_context('USERENV','CURRENT_USER')
sys_context('USERENV','CURRENT_SCHEMA')
user
but it refers to the currently logged-in user, not to the owner of the view.
Any help appreciated.
Just create local functions which return their own schema in all schemas where you want to create views:
create or replace function local_obj_owner return varchar2 as
begin
return $$PLSQL_UNIT_OWNER;
end;
/
Then add it into your views:
create view test_view as
select
local_obj_owner as view_owner,
dummy
from dual;
Try
select owner from all_views where view_name = 'OWNER_V';
and/or some alternatives (USER_VIEWS, DBA_VIEWS, ALL_OBJECTS, ...).
There are some changes in the core product I'm working on: some tables have now become views, and they are not working anymore because a view cannot be referenced with the schema name in front.
For example, the below will return an error: ORA-00942: table or view does not exist
select * from my_schema.my_view;
while a direct select from the view works fine
select * from my_view;
In the case of a table, both scenarios above work fine; it is just the view that doesn't accept schema_name in front.
Why is that? Are there any decent workarounds?
EDIT: the selects are executed with my_schema user
Thanks all for your help, especially #mathguy.
Basically the problem was that my_view was in fact a public synonym for my_view_r, which was the actual view, and being public, you cannot call it using the schema name in front like I was trying, e.g.:
select * from my_schema.my_view;
Maybe it will be helpful for others that are facing this issue in the future, the workaround would be to create a private synonym to the same view (my_view_r) using the schema name like below:
create synonym my_schema.my_view for my_view_r;
This is the only way to call a synonym using the schema name.
It's a grant issue.
grant all on my_view to my_schema
Make sure your schema really is the owner by running:
select * from all_objects where object_name = 'MY_VIEW';
I have a view stvytro with owner baninst1. There is a public synonym of the same name. The following both work:
select * from STVYTRO;
select * from baninst1.stvytro;
I have a set of Oracle database view creation script files, which need the schema name as a dynamic parameter while being executed by maven-sql-plugin. How do I pass this parameter using "sql-maven-plugin"?
This is an example :
CREATE OR REPLACE VIEW MY_VIEW AS SELECT * FROM &SCHEMA_NAME.MY_TABLE.
Here I want to pass &SCHEMA_NAME from sql-plugin, is it possible to do?
Is there another way to do this? I want to restrict the user to his own module and associated results. First intention was to create a view because this gives the possibility to use a WHERE clause in combination with USER, which gives me the username of the connected user.
CREATE OR REPLACE FORCE VIEW "ADMIN_STUDENT"."MODULE_LEADER" ("MCODE", "MLECTURER")
AS
SELECT "MCODE",
"MLECTURER"
FROM MODULE
WHERE MLECTURER = USER;
Check out Oracle Virtual Private Database or Oracle Label Security.
Alternatively, use SYS_CONTEXT('USERENV', 'SESSION_USER') in the view definition.
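The Virtual Private Database suggestion applied to the MODULE table from the question, as an added example that is not from the original posts. It assumes MODULE lives in the ADMIN_STUDENT schema and that the installing account has EXECUTE on DBMS_RLS; the function name and policy name are made up for illustration:

```sql
-- Added example, Oracle syntax. Assumptions: MODULE is owned by ADMIN_STUDENT;
-- MODULE_LECTURER_POLICY and MODULE_LECTURER_ONLY are illustrative names.

-- Policy function: the database calls it with the protected object's schema
-- and name, and appends the returned text as a predicate to the statement.
create or replace function admin_student.module_lecturer_policy (
  p_schema in varchar2,
  p_object in varchar2
) return varchar2
as
begin
  return q'[MLECTURER = SYS_CONTEXT('USERENV', 'SESSION_USER')]';
end;
/

-- Attach the function to the table for reads and writes.
-- update_check => true also rejects an INSERT or UPDATE whose resulting row
-- would fall outside the predicate (a row assigned to another lecturer).
begin
  dbms_rls.add_policy(
    object_schema   => 'ADMIN_STUDENT',
    object_name     => 'MODULE',
    policy_name     => 'MODULE_LECTURER_ONLY',
    function_schema => 'ADMIN_STUDENT',
    policy_function => 'MODULE_LECTURER_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => true
  );
end;
/

-- Confirm the policy is registered and enabled for each statement type.
select policy_name, sel, ins, upd, del, chk_option, enable
from all_policies
where object_owner = 'ADMIN_STUDENT'
  and object_name  = 'MODULE';
```

Because the predicate is attached to the table rather than to one view, it applies to every access path, including direct queries, views and synonyms. SYS and accounts holding the EXEMPT ACCESS POLICY privilege bypass it, so that privilege should be reviewed alongside the policy.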