Access control really begins when the application is started and continues through the entire session. We have divided the control approach into the following three steps.
We want to prevent unauthorized users from even seeing the application display.
The application can supplement the views. For performance reasons, we may have the application directly access the base table and we may restrict access to the rows in a manner similar to the view.
We have the application initiate a process that is completed entirely within the database. The approach will avoid hardcoding the password in the application and will not require the user to know the password.
Before you can control what the user can do, you must know something about the user. This is typically the user’s login name. Through the login name, you should be able to obtain the user’s organization information, the type of job the user performs, and so on. You must also know something about the application. This information should be complementary to the information you know about the user. In this application, we are able to get the user’s information because the login names are part of the record in the EMPLOYEE table.
Because all access is role-based, the application can check the roles the user has and compare those to the roles assigned to the application in the ...