先创建一个ACL
06:05:39 SQL> declare
  -- Access control entries for the HR ACL:
  --   employee_role : 'select' only
  --   manager_role  : 'select' plus 'view_sensitive_info'
  -- Both entries are grants (granted => true); this listing defines no deny ACEs.
  l_hr_aces xs$ace_list := xs$ace_list(
    xs$ace_type(
      privilege_list => xs$name_list('select'),
      granted        => true,
      principal_name => 'employee_role'),
    xs$ace_type(
      privilege_list => xs$name_list('select','view_sensitive_info'),
      granted        => true,
      principal_name => 'manager_role'));
begin
  -- The ACL is scoped to security class 'employees_sc'.
  -- NOTE(review): 'employees_sc', 'employee_role' and 'manager_role' are
  -- referenced here but not created anywhere in this listing; presumably they
  -- were set up beforehand. xs_diag.validate_workspace can confirm that no
  -- reference is left dangling.
  xs_acl.create_acl(
    name      => 'hracl',
    ace_list  => l_hr_aces,
    sec_class => 'employees_sc');
end;
/
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.05
06:13:43 SQL> create table employees(
  department_id number,        -- used by the row predicate 'department_id in (60,100)' later in this session
  first_name    varchar2(20),
  last_name     varchar2(20),
  salary        number         -- sensitive column; gated by 'view_sensitive_info' later in this session
);
Table created.
Elapsed: 00:00:00.01
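06:17:42 SQL> declare
  realm_cons  xs$realm_constraint_list;
  column_cons xs$column_constraint_list;
begin
  -- Row-level scope: rows with department_id 60 or 100 are governed by ACL 'hracl'.
  -- NOTE(review): no realm covers any other department, so those rows are
  -- expected to be invisible to policy-governed sessions; confirm that is intended.
  realm_cons := xs$realm_constraint_list(
    xs$realm_constraint_type(
      realm    => 'department_id in (60,100)',
      acl_list => xs$name_list('hracl')));

  -- Column-level scope: reading 'salary' additionally requires 'view_sensitive_info'.
  -- NOTE(review): principals without it are expected to get NULL for salary
  -- rather than an error; verify with a test query under each role.
  column_cons := xs$column_constraint_list(
    xs$column_constraint_type(
      column_list => xs$list('salary'),
      privilege   => 'view_sensitive_info'));

  xs_data_security.create_policy(
    name                   => 'employees_ds',
    realm_constraint_list  => realm_cons,
    column_constraint_list => column_cons);

  -- The procedure name was split by an interleaved SQL*Plus continuation prompt
  -- in the captured transcript; restored here to apply_object_policy.
  --
  -- statement_types => 'select': the policy is enforced for queries only, so
  --   INSERT/UPDATE/DELETE on the table are not restricted by it and need their
  --   own controls.
  -- owner_bypass => true: the object owner is exempt from the policy.
  --   NOTE(review): a session connected as the owning schema ('pdbadmin' in this
  --   call) would see every row and every salary; confirm this exemption is
  --   intended and that the account is not used for application access.
  xs_data_security.apply_object_policy(
    policy          => 'employees_ds',
    schema          => 'pdbadmin',
    object          => 'employees',
    statement_types => 'select',
    owner_bypass    => true);
end;
/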
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.10