4. Exclude Objects from any Access
Internal objects in particular should never be part of an object group. You can exclude them globally, so you do not need to exclude them again in each and every object group.
4.1. Add a rule to exclude specific objects
To exclude specific objects, use API_SCURTY.ADD_EXCL_OBJ_DISCOVER_RULE. All exclude patterns are mandatory parameters, and they are all set by default to '.*'. Change at least one of them; otherwise the rule would exclude each and every schema, object and comment.
In the example below, the schema 'PSV_TEST_TA' is excluded entirely.
Example
```sql
EXECUTE SCRIPT API_SCURTY.ADD_EXCL_OBJ_DISCOVER_RULE(
   'PSV_TEST_TA'  -- p_schema_excl_pattern
  ,'.*'           -- p_object_excl_pattern
  ,'.*'           -- p_comment_excl_pattern
  ,'excl-test'    -- p_rule_comment
);
```
After issuing this script an entry is added to the table REP_EXCL_OBJ_DISCOVER_RULES.
| RULE_ID | SCHEMA_EXCL_PATTERN | OBJECT_EXCL_PATTERN | COMMENT_EXCL_PATTERN | RULE_COMMENT |
|---|---|---|---|---|
| 37 | PSV_TEST_TA | .* | .* | excl-test |
4.2. Change an Exclude Rule
To change an existing exclude rule, use the script API_SCURTY.CHANGE_EXCL_OBJ_DISCOVER_RULE. Look up the rule id in REP_EXCL_OBJ_DISCOVER_RULES, in this case rule id 37. Providing NULL leaves a parameter as it is, while a blank (' ') restores its default value.
In this example the pattern for excluding schemas and comments will stay the same, however, the pattern to exclude objects will be modified as well as the rule comment.
Example
```sql
EXECUTE SCRIPT API_SCURTY.CHANGE_EXCL_OBJ_DISCOVER_RULE(
   37                  -- p_rule_id
  ,null                -- p_schema_excl_pattern
  ,'.*_TAB.*'          -- p_object_excl_pattern
  ,null                -- p_comment_excl_pattern
  ,'excl-test-change'  -- p_rule_comment
);
```
By running the command above the entry in the table REP_EXCL_OBJ_DISCOVER_RULES will change as follows:
| RULE_ID | SCHEMA_EXCL_PATTERN | OBJECT_EXCL_PATTERN | COMMENT_EXCL_PATTERN | RULE_COMMENT |
|---|---|---|---|---|
| 37 | PSV_TEST_TA | .* | .* | excl-test-change |
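To see what a rule would exclude before adding or changing it, the three patterns can be dry-run against a list of objects. The sketch below is an added example, not part of the API_SCURTY scripts. It assumes that each pattern must match the whole value, that all three patterns must match for an object to be excluded, and that a missing comment is treated as an empty string; the `Rule`, `DbObject`, `preview` and `is_catch_all` names, the catalog entries and the schema `PSV_PROD` are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    # Defaults mirror the '.*' defaults described in section 4.1.
    schema_excl_pattern: str = ".*"
    object_excl_pattern: str = ".*"
    comment_excl_pattern: str = ".*"


class DbObject(NamedTuple):
    schema: str
    name: str
    comment: Optional[str] = None


def is_excluded(rule: Rule, obj: DbObject) -> bool:
    # ASSUMPTION: full-match semantics, all three patterns combined with AND,
    # and a missing comment compared as the empty string.
    pairs = (
        (rule.schema_excl_pattern, obj.schema),
        (rule.object_excl_pattern, obj.name),
        (rule.comment_excl_pattern, obj.comment or ""),
    )
    return all(re.fullmatch(pattern, value, re.DOTALL) for pattern, value in pairs)


def preview(rule: Rule, catalog: list) -> list:
    """Return the qualified names of all objects the rule would exclude."""
    return [f"{o.schema}.{o.name}" for o in catalog if is_excluded(rule, o)]


def is_catch_all(rule: Rule) -> bool:
    """True when no pattern was narrowed, i.e. the rule excludes everything."""
    return all(pattern == ".*" for pattern in rule)


# Constructed sample catalog (not taken from a real database).
CATALOG = [
    DbObject("PSV_TEST_TA", "CUSTOMER_TAB", "staging copy"),
    DbObject("PSV_TEST_TA", "ORDER_VIEW"),
    DbObject("PSV_PROD", "CUSTOMER_TAB", "customer master data"),
    DbObject("PSV_PROD", "ORDER_TAB_HIST"),
]

if __name__ == "__main__":
    print("4.1 rule:", preview(Rule("PSV_TEST_TA"), CATALOG))
    print("4.2 call:", preview(Rule("PSV_TEST_TA", ".*_TAB.*"), CATALOG))
    print("defaults:", preview(Rule(), CATALOG), "catch-all:", is_catch_all(Rule()))
```

Running the same check over the rows of REP_EXCL_OBJ_DISCOVER_RULES flags any rule in which all three patterns were left at '.*'.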
4.3. Remove an Exclude Rule
To remove a rule, execute API_SCURTY.REMOVE_EXCL_OBJ_DISCOVER_RULE.
Example
```sql
EXECUTE SCRIPT API_SCURTY.REMOVE_EXCL_OBJ_DISCOVER_RULE(
   37  -- p_rule_id
);
```
After issuing the command above, the entry for the exclude rule with rule id 37 is removed from the table REP_EXCL_OBJ_DISCOVER_RULES.