Before access to an object group can be granted to or revoked from a user, both an object group and a user need to be created.
This can be done by following the steps in the following two HowTo Guides:
After having successfully created an object group and a user, one can grant that user access to the object group by using the script API_SCURTY.GRANT_USER_OG_ACCESS. The name of the object group and the user name need to be exactly the same as the ones just created. These two parameters are also the only mandatory ones. The other two parameters are optional: the first (p_rw_access) determines whether the user gets only read access or also write access to the objects belonging to the object group, and the second (p_scol_access) gives or forbids access to sensitive columns of objects belonging to this object group. However, if the access for the object group itself is already set to read access only, setting p_rw_access to write will have no impact.
```sql
EXECUTE SCRIPT API_SCURTY.GRANT_USER_OG_ACCESS (
     'TEST_OG'   -- p_object_group
    ,'testuser'  -- p_user_name
    ,null        -- p_rw_access
    ,null        -- p_scol_access
);
```
After successfully granting access to the object group 'TEST_OG' for the user 'testuser' one can see this entry in the table SCURTY.REP_USER_OG_ACCESS.
| OBJECT_GROUP | USER_NAME | RW_ACCESS | SCOL_ACCESS |
|---|---|---|---|
| TEST_OG | TESTUSER | false | false |
To revoke access to an object group for a specific user, the script API_SCURTY.REVOKE_USER_OG_ACCESS can be used. One only has to provide the user for whom the access should be revoked and the object group to which the access should be revoked.
```sql
EXECUTE SCRIPT API_SCURTY.REVOKE_USER_OG_ACCESS (
     'TEST_OG'   -- p_object_group
    ,'testuser'  -- p_user_name
);
```
After issuing the command above, the access to the object group should be revoked for the user provided in the statement. Therefore, the entry shown above in the table SCURTY.REP_USER_OG_ACCESS should now be gone as well.