tags:

views:

96

answers:

2
+4  Q: 

Column-level privileges vs. legacy application

Hello,

I got a request to implement Column-level privileges, for example:

GRANT UPDATE("column1") ON "TABLE" TO ROLE;

But I found that client applications ( in Delphi+ODAC ) always emits SQL updates like:

update TABLE set column1=:column1,column2=:column2,column3=:column3,...etc
where id_c=:id_c;

what causes Oracle to always throw ORA-01031: insufficient privileges, even if only column1 was changed. The obvious solution is to change the client application so that it emits SQL updates only with changed columns, but it looks like quite a lot of coding.

Is there any more elegant solution possible?

Edit: I forgot to mention that there is considerable number of hardcoded insert/update queries in my Delphi sources. ODAC cannot help in this case.

+2  A: 

You can create a view and an INSTEAD OF UPDATE trigger on that view:

CREATE VIEW myview ON mytable
AS
SELECT  *
FROM    table

CREATE TRIGGER trg_myview_iu
INSTEAD OF UPDATE
ON myview
FOR EACH ROW
BEGIN
        UPDATE  mytable
        SET     column1 = :NEW.column1
        WHERE   id_c = :NEW.id_c;
END;

If you want to process a column only if its value had not changed, then you'll have to write several UPDATE statements:

CREATE TRIGGER trg_myview_iu
INSTEAD OF UPDATE
ON myview
FOR EACH ROW
BEGIN
        IF :NEW.column1 <> :OLD.column1 THEN -- add `NULL` processing options if necessary
                UPDATE  mytable
                SET     column1 = :NEW.column1
                WHERE   id_c = :NEW.id_c;
        END IF;
        IF :NEW.column2 <> :OLD.column2 THEN
                UPDATE  mytable
                SET     column2 = :NEW.column2
                WHERE   id_c = :NEW.id_c;
        END IF;
        …
END;

This is far from being efficient, though.

In Oracle, the UPDATE executes even if the actual value of the column does not change. This means that the row gets locked, triggers fire etc.

Quassnoi  2010-01-26 15:24:03
Thanks! But this is not well maintainable. What if customer later decides he wants a new role that will include column2, for example? And then another one? Will I have to update the code every time?
Juraj  2010-01-26 15:50:29
@Juraj, you missed Quassnoi's point. His view selects * (all columns) from the table. The trigger only updates the columns that have actually changed (albeit one column at a time, which is very inefficient, but the only practical way to solve your problem). You only need to update the code if the *structure* of the underlying table changes, not if you just change some role grants.
Jeffrey Kemp  2010-01-27 00:20:38
Of course, if user A doesn't have update privilege on a column, but tries to change it anyway, they'll still get ORA-01031 - which is a good thing.
Jeffrey Kemp  2010-01-27 00:21:57
Another approach would be to construct the UPDATE statement using dynamic SQL - this would have the advantage of only requiring a single UPDATE statement, but might increase the usage of the shared pool depending on how many different combinations of columns are updated.
Jeffrey Kemp  2010-01-27 00:23:50
Now I see the point. Constructing the surrogate SQL statement with only changed columns and passing it into EXECUTE IMMEDIATE seems doable. Server has enough unused SGA memory and CPU power left so it shouldn't be a problem.
Juraj  2010-01-27 11:24:42
+1  A: 

I don't know about the ODAC components or library, but can't you not set some property like: update only: changed fields or all fields ?

This seems such a waste of time to include all columns even when not changed. I should think most client libraries offer this option.

Of course, if you have set some SQL property of sn TQuery-alike component, you should create the sql statement yourself (also based on only the changed columns).

Edelcom  2010-01-26 15:59:09

related questions

Is there a Way to use Linq to Oracle
NHibernate and Oracle connect through Windows Authenication
Boolean Field in Oracle
How do you manage schema upgrades to a production database?
How do I deal with quotes ' in SQL
When do you use table clusters?
Oracle write to file
MS SQL Server 2008 "linked server" to Oracle : schema not showing
Develop on local Oracle instance
Resources for an Oracle beginner
What strategies have you employed to improve web application performance?
Automate Syncing Oracle Tables With MySQL Tables
Best way to encapsulate complex Oracle PL/SQL cursor logic as a view?
What Content Management does your workplace use?
What is the difference between oracle's 'yy' and 'rr' date mask?
SQL/Query tools?
How to make Pro*C cope with #warning directives?
Oracle SQL Developer not responsive when trying to view tables (or suggest an Oracle Mac client)
How big would such a database be?
Oracle - What TNS Names file am I using?
What is a good way to open large files across a WAN?
How do I find the high water mark (for sessions) on Oracle 9i
SQL Case Statement Syntax?
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?