I have also been on a project which used fine-grained access control. The project was a reporting application for a large organisation and one of the problems we found we dealing with the various levels of security. The organisation has ~10,000 cost centres and some users could see only a very small branch, whilst others could see the entire structure, whilst others could see almost everything except for a few very high level branches. There was also a different way of providing security (ie: not cost centre related) and many users had a combination of both to be applied.
One of the biggest "gotchas" was performance tuning the application. Because of the complexity of our security implementation we initially fell in the trap of tuning the query with no security added (a couple of users had the clause "and 1 = 1"). Naturally when other users connected the explain plan changed and performance was pretty average. It took a while to index all tables in such a way that it worked well for every type of security clause. So, yes there can be a performance hit and that hit can vary dramatically depending on what type of clause you are adding. Having said that, it did work and was transparent to the front end, allowing users to create their own queries / reports and still be bound by the security model. Cheers, Mark. [EMAIL PROTECTED] .tenet.edu To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]> Sent by: cc: [EMAIL PROTECTED] Subject: RE: SQL question avoiding 2 views and not in 14/12/2002 10:03 Please respond to ORACLE-L Lisa, A couple of years ago, when I was a consultant, I implemented Application Context and Fine-Grained Access Control, AKA Row Level Security for a client. Since it causes a predicate to be appended to the Where clause of every SQL statement issued against the tables having a Security Policy, I guess performance could be impacted if you didn't index the columns referenced by the appended predicates. We never noticed a bit of degradation in our testing, but we were careful about the indexing. I left that project before it went into production, so I don't know the ultimate outcome. However, I'd sure use FGAC again, if the need arises, it works very well. Actually, I probably *will* use it on a couple of our 3rd Party apps here which don't enforce security to the degree that we require. I'll let y'all know how it performs. Jack C. Applewhite Database Administrator Austin Independent School District Austin, Texas 512.414.9715 (wk) 512.935.5929 (pager) [EMAIL PROTECTED] "Koivu, Lisa" <Lisa.Koivu@efair To: Multiple recipients of list ORACLE-L field.com> <[EMAIL PROTECTED]> Sent by: cc: [EMAIL PROTECTED] Subject: RE: SQL question avoiding 2 views and not in 12/13/2002 03:38 PM Please respond to ORACLE-L Has anyone used context and fine-grained security? I seem to remember the performance hit was not minimal when using this functionality. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<---->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Privileged/Confidential information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail or by telephone on (61 3) 9612-6999. Please advise immediately if you or your employer does not consent to Internet e-mail for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of Transurban City Link Ltd shall be understood as neither given nor endorsed by it. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<---->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mark Richard INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).