Development team requested permission to update on a table. This table has very sensitive information, apart it need the appropriate authorization, and after talking with the development team is determined to need only modify two columns of this table. So I propose to give them updat privilege only on these two columns. The person from development put a strange face and told me; “I ignored that could be given access to the columns, we always request access on the entire table”.
Often as easy or simple for all parties is to give access to the entire table, but this is not a good rule of security. It is also true that there must be a security (often this task is transfered to the DBA) but for the administrator of the database will not be easy to identify which columns have sensitive data and what not, especially in large environments. DBA is the responsibility of the management of the data, but no knowledge thereof.
The following command gives the OK to select the columns col1 and col4 test table;
-- desde el usuario propietario de la tabla grant UPDATE (COL2, COL4) ON PROBE2 TO SCOTT;
If we try to access another column in the table that we have permission we will return error;
ORA-01031: privilegios insuficientes
Other ways are using VPD, VIEWS (Simple views allow update them).
HTH – Antonio NAVARRO