Statement issued at remote database:
GRANT SELECT, DELETE ON scott.emp TO user1;
Statements issued at local database:
CREATE DATABASE LINK hr.acme.com
CONNECT TO user1 IDENTIFIED BY password
USING 'db_string';
CREATE VIEW admin.emp_view AS
SELECT * FROM scott.emp@hr.acme.com;
CREATE PROCEDURE admin.fire_emp (enum NUMBER) AS
BEGIN
DELETE FROM scott.emp@hr.acme.com
WHERE empno = enum;
END;
CREATE SYNONYM admin.emp_syn FOR scott.emp@hr.acme.com;
Views are a good choice for location transparency if unlimited local object privilege management is a requirement. For example, assume the local security administrator needs to selectively grant object privileges for several remote tables. The remote administrator can create a powerful user account that is granted many privileges for many remote tables. Then, the local administrator can create a private database link that connects to the powerful remote account and, in the same schema, create views to "mirror" the remote tables. The local administrator controls local privilege management for the remote tables by granting privileges on the local views. Also note that in this example, many users can use a private database link.
In general, procedures aid in security. Users who call a procedure can only perform the controlled operations of the procedure. Privileges for objects referenced within a procedure do not need to be explicitly granted to the calling users. Much like views, procedures are a good choice for location transparency if unlimited local privilege management is a requirement.
For example, assume the local security administrator needs to selectively allow users to query and update several remote tables. The remote administrator can create a powerful user account that grants many object privileges. Then, the local administrator can create a private database link that connects to the powerful remote account and, in the same schema, create procedures to query and modify the remote tables, as desired. The local administrator can control how local users can access the remote tables by selectively granting the EXECUTE privilege for the local procedures, thus controlling local privilege management for remote objects.
Unlike a database link referenced in a view or procedure definition, a database link referenced in a synonym is resolved by first looking for a private link owned by the schema in effect at the time the reference to the synonym is parsed. Therefore, to ensure the desired object resolution, it is especially important to specify the underlying object's schema in the definition of a synonym.