Controlling Access to Data Using Routines
You can use a Stored Procedure Language (SPL) routine to control access to individual tables and columns in the database. You can accomplish various degrees of access control through a routine. (SPL Routines are fully described in Chapter 14, "Creating and Using SPL Routines.") A powerful feature of Stored Procedure Language (SPL) is the ability to designate a routine as a DBA-privileged routine. When you write a DBA-privileged routine, you can allow users who have few or no table privileges to have DBA privileges when they execute the routine. In the routine, users can carry out very specific tasks with their temporary DBA privilege. The DBA-privileged feature lets you accomplish the following tasks:
Restricting Reads of Data
The routine in the following example hides the SQL syntax from users, but it requires that users have the Select privilege on the customer table. If you want to restrict what users can select, write your routine to work in the following environment:
If you want users to read only the name, address, and telephone number of a customer, you can modify the routine (in this case, a function) as the following example shows:
Restricting Changes to Data
Using stored routines, you can restrict changes made to a table. Simply channel all changes through a stored routine. The stored routine makes the changes, rather than users making the changes directly. If you want to limit users to deleting one row at a time to ensure that they do not accidentally remove all the rows in the table, set up the database with the following privileges:
Write a stored routine (in this case, a procedure) similar to the following one, which deletes rows from the customer table using a WHERE clause with the customer_num that the user provides:
Monitoring Changes to Data
Using stored routines, you can create a record of changes made to a database. You can record changes made by a particular user, or you can make a record of each time a change is made.
You can monitor all the changes made to the database by a single user. Simply channel all changes through stored routines that keep track of changes that each user makes. If you want to record each time the user acctclrk modifies the database, set up the database with the following privileges:
Write a stored routine similar to the following one, which uses a customer number the user provides to update a table. If the user happens to be acctclrk, a record of the deletion is put in the file updates.
To monitor all the deletions made through the routine, remove the IF statement and make the SYSTEM statement more general. If you change the previous routine to record all deletions, it looks like the routine shown next.
Restricting Object Creation
To put restraints on what objects are built and how they are built, use stored routines within the following setting:
Your routine might include the creation of one or more tables and associated indexes, as the following example shows:
To use the all_objects routine to control additions of columns to tables, revoke the Resource privilege on the database from all users. When users try to create a table, index, or view using an SQL statement outside your routine, they cannot do so. When users execute the routine, they have a temporary DBA privilege so the CREATE TABLE statement, for example, succeeds, and you are guaranteed that every column that is added has a constraint that is placed on it. In addition, objects that users create are owned by that user. For the all_objects routine, whoever executes the routine owns the two tables and the index.
|
