tags:

views:

39

answers:

2
+2  Q: 

Oracle: make WORM (write-once, read-many) table?

Context: logging table changes, and we don't want to accidentally mess up the log entries. This is an internal, non-financial app, so we're not worried about hostile modification.

I thought I could just revoke delete/update, but it turns out you can't do that to yourself:

ORA-01749: you may not GRANT/REVOKE privileges to/from yourself

What's the most canonical way to do this?

+1  A: 

Make a BEFORE UPDATE and/or a BEFORE DELETE trigger on the table, which will ALWAYS raise an exception.

Adam Hawkes  2010-10-26 20:28:22
-1: triggers can be disabled
Jeffrey Kemp  2010-10-27 02:04:38
+3  A: 

You should not use triggers to enforce security requirements.

You should create the table owned by another schema, then only grant the necessary privileges (e.g. INSERT).

Jeffrey Kemp  2010-10-27 02:04:02
Now you need another schema for logging. In some cases that is acceptable, but not always.
Adam Hawkes  2010-10-27 03:15:36
The standard would be this. The trigger is ok, but I would say this is a better solution. You can even abstract the actual insert through a procedure, and only grant access on the proc, making sure that even inserted records are right+proper.
REW  2010-10-27 04:41:41
@Adam, schemas are cheap. I routinely request extra schemas from the DBAs whenever the design calls for them. I can't think of any reason why extra schemas would be a problem for anyone.
Jeffrey Kemp  2010-10-27 07:38:15
+1: doing it right.
Vincent Malgrat  2010-10-27 09:12:13
I'm not disagreeing with you! I'm just saying that some pointy-haired-bosses demand things like "one-schema-for-one-application" even if that is not the right way. Yes, they're cheap, as are appropriate tables and columns and most other things when done properly. Sometimes the issues are political, not technical.
Adam Hawkes  2010-10-27 12:04:36
@Adam - yes, too true, too often, unfortunately...
Jeffrey Kemp  2010-10-28 01:27:28

related questions

Is there a Way to use Linq to Oracle
NHibernate and Oracle connect through Windows Authenication
Boolean Field in Oracle
How do you manage schema upgrades to a production database?
How do I deal with quotes ' in SQL
When do you use table clusters?
Oracle write to file
MS SQL Server 2008 "linked server" to Oracle : schema not showing
Develop on local Oracle instance
Resources for an Oracle beginner
What strategies have you employed to improve web application performance?
Automate Syncing Oracle Tables With MySQL Tables
Best way to encapsulate complex Oracle PL/SQL cursor logic as a view?
What Content Management does your workplace use?
What is the difference between oracle's 'yy' and 'rr' date mask?
SQL/Query tools?
How to make Pro*C cope with #warning directives?
Oracle SQL Developer not responsive when trying to view tables (or suggest an Oracle Mac client)
How big would such a database be?
Oracle - What TNS Names file am I using?
What is a good way to open large files across a WAN?
How do I find the high water mark (for sessions) on Oracle 9i
SQL Case Statement Syntax?
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?