CREATE CONTEXT: Creating Contexts

Application contexts facilitate the implementation of fine-grained access control. They allow you to implement security policies with functions and then associate those security policies with applications. Each application can have its own application-specific context. Users are not allowed to arbitrarily change their context (for example, through SQL*Plus).

A context is a named set of attribute/value pairs associated with a PL/SQL package. A context is attached to, and is global within, a session. Your application can use a context to set values that are then accessed from within your code and, specifically, from within code that is used to generate WHERE clause predicates for fine-grained access control.

Suppose you are building a human resources application. You might create a context called HRINFO and define the following attributes for that context:

position
organizational_unit
country

You can then set values for each of these attributes from within your PL/SQL programs.

Oracle provides a Data Definition Language (DDL) statement to create the context used to validate and secure an application. The format of this statement is as follows:

CREATE [OR REPLACE] CONTEXT namespace USING [schema.]plsql_package;

You may deduce from this statement that a context has two attributes: a namespace and an associated PL/SQL package (optionally qualified by its schema). Parameters are summarized in Table 8.1.

CREATE_CONTEXT Parameters

Parameter        Description
---------        -----------
namespace        The name of the context. Context namespaces are always stored in the schema SYS.
schema           Name of the schema owning the PL/SQL package. If this name is not included, Oracle uses the currently connected schema.
plsql_package    A package that can be used to set or modify the attributes of the associated context.

To create a context namespace, you must have the CREATE ANY CONTEXT system privilege. Here is the format for this grant:

GRANT CREATE ANY CONTEXT TO schema_name;


TIP: To make it easier for you to construct contexts and the code to support them, Oracle does not verify the existence of the schema or the validity of the package at the time you create the context.

'll explore that capability in the later section, "SYS_CONTEXT and LIST_CONTEXT: Obtaining Context Information."
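
The following added example (not code from the original text) puts the steps above together for the HRINFO context and shows why users cannot arbitrarily change their context: only the package named in CREATE CONTEXT can set its attributes. The names HR_ADMIN, HR_USER, HR_CONTEXT_PKG and the EMPLOYEES table with its columns are hypothetical; DBMS_SESSION.SET_CONTEXT is the Oracle built-in that writes an attribute.

```sql
-- Added example. HR_ADMIN, HR_USER, HR_CONTEXT_PKG, EMPLOYEES and its columns are hypothetical.
-- As a privileged user:
GRANT CREATE ANY CONTEXT TO hr_admin;

-- As HR_ADMIN. Only HR_CONTEXT_PKG may set attributes in HRINFO.
CREATE OR REPLACE CONTEXT hrinfo USING hr_admin.hr_context_pkg;

CREATE OR REPLACE PACKAGE hr_context_pkg AS
   PROCEDURE set_hr_context;
END hr_context_pkg;
/

CREATE OR REPLACE PACKAGE BODY hr_context_pkg AS
   PROCEDURE set_hr_context IS
      l_position employees.emp_position%TYPE;
      l_unit     employees.org_unit%TYPE;
      l_country  employees.country_code%TYPE;
   BEGIN
      -- Values come from the authenticated session user, not from caller-supplied arguments.
      SELECT emp_position, org_unit, country_code
        INTO l_position, l_unit, l_country
        FROM employees
       WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');

      DBMS_SESSION.SET_CONTEXT('hrinfo', 'position', l_position);
      DBMS_SESSION.SET_CONTEXT('hrinfo', 'organizational_unit', l_unit);
      DBMS_SESSION.SET_CONTEXT('hrinfo', 'country', l_country);
   EXCEPTION
      WHEN NO_DATA_FOUND THEN
         -- Unknown user: leave the attributes unset. SYS_CONTEXT then returns NULL,
         -- so an equality predicate built on it matches no rows.
         NULL;
   END set_hr_context;
END hr_context_pkg;
/
GRANT EXECUTE ON hr_context_pkg TO hr_user;

-- As HR_USER: populate the context through the trusted package, then read it.
BEGIN
   hr_admin.hr_context_pkg.set_hr_context;
END;
/
SELECT SYS_CONTEXT('hrinfo', 'country') AS country FROM dual;

-- Bypassing the package is rejected with ORA-01031 (insufficient privileges):
BEGIN
   DBMS_SESSION.SET_CONTEXT('hrinfo', 'position', 'MANAGER');
END;
/
```

Because the procedure takes no parameters, a user who can execute it still cannot choose the values placed in the context.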