Reputation: 91
Oracle Row Level Security in multi-tenant app / default values for new records
Task
Retrofit an existing application to use a multi-tenant approach. It shall be possible to create tenants and each user's session should reference exactly one active tenant. Each tenant should only be able to see and update his partition of the database schema.
Approach
- Create an Oracle application context that contains the tenant id
- Add a tenant id column to any table that should be scoped
- Create a predicate function that returns "tenant_id = sys_context('tenant_context', 'tenant_id')" for SELECT, INSERT, UPDATE and delete
- Add an appropiate policy via dbms_rls to register the predicate function
This works like a charm without touching the existing application for SELECT, UPDATE and DELETE
Question
When inserting the tenant_id column doesn't get set and a security exception comes up. Is there any way that is as sleek as the predicate function to always set security related fields? I'd rather not add triggers to 300+ tables.
Upvotes: 3
Views: 872
Answers (1)
Reputation: 91
Sometimes asking a question provides the answer. I wasn't aware that you may use non-constant expressions in column's default values, so
alter table XXX
add column tenant_id default sys_context('tenant_context', 'tenant_id');
actually solves my problem.
Upvotes: 4
Related Questions
- How to idempotently define row-level security policies in PostgreSQL?
- Oracle row level security by column value, not by user id
- How to implement row level security for a multi-tenant SAAS app
- How to implement row level security in ASP.NET boilerplate?
- What is a difference between BEFORE and AFTER dml operations ? (Row-Level Security)
- Row-level security in a client-database scenario
- How to enable row level security by default?
- Multi tenant app with shared data and dynamic tables
- Multi-Tenant how to overwrite default values?
- Composite keys in a Multi-tenant database