Object security

In Oracle, if a user creates an object such as a table, the user becomes the owner of the object, and only the owner can access the object. Other users can only access the object if they have been granted privileges to do so. In an LN environment, in which many users access the same tables in the Oracle database, a mechanism has been developed to allow multiple users to share these tables.

To allow various LN users to share the same Oracle table, you can use a group concept. An LN group maps users to a database in Oracle and ensures that members of the group have sufficient privileges to access data in the group’s tables.

The LN Oracle driver uses an Oracle role to implement the LN group concept. Whenever the group user creates a new table, select, insert, delete, and update privileges are granted to the Oracle role. Any user associated with the role automatically inherits these privileges and can individually perform these operations on the group table.

If you add new users, you only need to associate them with the Oracle role. These users automatically inherit all privileges currently granted to the role, without the need to grant privileges on every group object in the database to each user. If a user is dropped from the role, these privileges are revoked, and the user no longer has access to the tables covered by that role. If you explicitly grant a user privileges on the tables instead, those rights are not removed when you drop the user from the role, and you must also revoke them explicitly. Granting privileges to the role rather than to individual users greatly reduces the overhead of adding users and provides flexibility and ease of maintenance.

In the DDL statements generated by the driver, object names are not qualified by the owner name. Ownership is determined by the session (group or user) in which the CREATE TABLE statement runs. To create objects that belong to the group, the user who creates the object must log on to Oracle as the group user; the group then owns the table, and privileges are granted to the group's role to provide access to all group users.
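The role mechanism described above, written out as plain Oracle SQL so the effect of role grants versus direct grants can be checked. This is an added illustration, not the LN driver's own generated DDL; the group user LNGRP, the role LNGRP_ROLE, the users ALICE, BOB and CAROL, the table GROUP_TABLE and the passwords are placeholders, and a non-CDB or single-PDB database is assumed.

```sql
-- Run as a DBA. All names and passwords below are placeholders.
CREATE USER lngrp IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION, CREATE TABLE TO lngrp;
ALTER USER lngrp QUOTA UNLIMITED ON users;

-- The Oracle role that implements the LN group concept.
CREATE ROLE lngrp_role;

CREATE USER alice IDENTIFIED BY "<placeholder-password>";
CREATE USER bob   IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION TO alice, bob;

-- Group members receive the role, never per-table grants.
GRANT lngrp_role TO alice, bob;

-- Run as the group user LNGRP. The object name is unqualified, so the
-- session user (the group) becomes the owner, as the text describes.
CREATE TABLE group_table (
    id   NUMBER       NOT NULL,
    dsca VARCHAR2(30),
    CONSTRAINT group_table_pk PRIMARY KEY (id)
);
-- What the driver does after each CREATE TABLE: grant DML to the role.
GRANT SELECT, INSERT, UPDATE, DELETE ON group_table TO lngrp_role;

-- Adding a user later needs only the role grant (run as DBA).
CREATE USER carol IDENTIFIED BY "<placeholder-password>";
GRANT CREATE SESSION TO carol;
GRANT lngrp_role TO carol;

-- Removing a user: revoke the role and every privilege it carries goes too.
REVOKE lngrp_role FROM alice;

-- The caveat from the text: a direct grant bypasses the role.
GRANT SELECT ON lngrp.group_table TO bob;     -- direct grant (avoid)
REVOKE lngrp_role FROM bob;                   -- bob can still SELECT
REVOKE SELECT ON lngrp.group_table FROM bob;  -- must be revoked explicitly

-- Check: role memberships and direct object grants still held by BOB.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'BOB';
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'BOB';
```

The two queries at the end are the audit a DBA can run periodically: any row in DBA_TAB_PRIVS for an LN user on a group table is a direct grant that the role-based revoke will not clean up.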