Task
Retrofit an existing application to use a multi-tenant approach. It shall be possible to create tenants and each user's session should reference exactly one active tenant. Each tenant should only be able to see and update his partition of the database schema.
Approach
- Create an Oracle application context that contains the tenant id
- Add a tenant id column to any table that should be scoped
- Create a predicate function that returns "tenant_id = sys_context('tenant_context', 'tenant_id')" for SELECT, INSERT, UPDATE and delete
- Add an appropiate policy via dbms_rls to register the predicate function
This works like a charm without touching the existing application for SELECT, UPDATE and DELETE
Question
When inserting the tenant_id column doesn't get set and a security exception comes up. Is there any way that is as sleek as the predicate function to always set security related fields? I'd rather not add triggers to 300+ tables.