15 Configure End-User Contexts and Attributes
Use the SQL statements in this chapter to create, drop, read, and modify end-user context definitions and their attributes. These context definitions serve as templates that the database uses at runtime to enforce fine-grained authorization policies through data grants.
- End-user security context (runtime values within a database session): The session-level object the database creates automatically when an application sends an EndUserSecurityContext payload. It holds the active end user's identity, their enabled data roles, and all live attribute values. It is created, attached, and destroyed automatically by the database server.
- End-user context (database-side definition / template): A database schema object you create with the CREATE END USER CONTEXT command that defines a set of attributes, their data types, their default values, and optional PL/SQL routines to populate them. At runtime, the database uses it as a template for JSON-style name-value pairs and instantiates it on first use in the current end-user security context, either when the application payload is attached or when an attribute is required for authorization checks.
The relationship between the two is this: if your data grants or application logic reference custom context attributes (for example, ORA_END_USER_CONTEXT.hr.hcm_context.emp_id), you must first create the corresponding end-user context definition in the database before those attributes are available within a runtime end-user security context.
Note:
To query ORA_END_USER_CONTEXT directly or to use it in data grant predicates, you must set the database instance's COMPATIBLE initialization parameter to 20.0 or greater.