tags:

views:

29

answers:

1
Q: 

Looking for tips on debugging Oracle row-level security functions

I'm looking for tips in debugging some of my row-level security predicates in an Oracle database. These predicates use a few concepts to determine whether the current user can see a record:

  • current user's Oracle username
  • current user's assigned Oracle roles
  • current user's affiliation with a record in one or more tables

I'm having trouble debugging this kind of thing on real data because I can't figure out a good way to simulate actually seeing what a specific user could see. So, I'm looking for tips. Is there a good basic framework for this kind of thing?

Here's an example of one of my predicates:

predicate := 'project_id in (' ||
    '(select upr.projectid project_id ' ||
    'from  chemreg.usergroups_projects_vu upr, ' ||
    '      chemreg.usergroups_personnel_vu upe, ' ||
    '      chemreg.personnel pe ' ||
    'where upr.usergroupid = upe.usergroup_id ' ||
    '      and upe.personnel_id = pe.person_id ' ||
    '      and upper(pe.username) = USER) ' ||
    'union ' ||
    '(select project_id from chemreg.project ' ||
    'where active = ''Y'' and private = ''N'' ) )';
A: 

If you're trying to work out why some rows are appearing when they shouldn't, and/or why some rows are not appearing when they should, try this:

  1. Remove all the row-level security predicates.
  2. Run the queries, but add in the row-level security predicates by hand.
  3. Check the results.

You can then easily change the predicates one by one (e.g. comment out individual bits) until you work out why they are giving the unexpected results.

Jeffrey Kemp  2010-10-07 00:19:04
I guess the complicating thing is the current user context. So, if my predicate joins on some view like user_role_privs, then I'm still not getting the whole picture, unless I actually log in as that person. I guess I'm having more trouble simulating the actual user's environment. I know I could create test users with the right roles and such, but it's the relationships between the users, their data, and their roles -- that whole package -- that makes it tricky for me. What I have been doing is finding a user willing to let me change their password and log in as them for a couple hours.
Chris Farmer  2010-10-07 12:08:27
You're asking a user for their password? You're not debugging in production are you?
Jeffrey Kemp  2010-10-08 05:22:12

related questions

Is there a Way to use Linq to Oracle
NHibernate and Oracle connect through Windows Authenication
Boolean Field in Oracle
How do you manage schema upgrades to a production database?
How do I deal with quotes ' in SQL
When do you use table clusters?
Oracle write to file
MS SQL Server 2008 "linked server" to Oracle : schema not showing
Develop on local Oracle instance
Resources for an Oracle beginner
What strategies have you employed to improve web application performance?
Automate Syncing Oracle Tables With MySQL Tables
Best way to encapsulate complex Oracle PL/SQL cursor logic as a view?
What Content Management does your workplace use?
What is the difference between oracle's 'yy' and 'rr' date mask?
SQL/Query tools?
How to make Pro*C cope with #warning directives?
Oracle SQL Developer not responsive when trying to view tables (or suggest an Oracle Mac client)
How big would such a database be?
Oracle - What TNS Names file am I using?
What is a good way to open large files across a WAN?
How do I find the high water mark (for sessions) on Oracle 9i
SQL Case Statement Syntax?
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?