Quoting Bruno Wolff III <bruno@wolff.to>:
> On Mon, Jan 05, 2004 at 11:32:42 +0500,
> Michael Gill <mgill@pointdx.com> wrote:
> >
> > I think I have found the simple solution by separating the user from the
> > owner of the tables, however!
> >
> > I have simply created tables and functions in the owner's schema(A),
> > then granted execution to the other user(B). My brief testing indicates
> > that B cannot access or describe A's objects, yet can execute the
> > function that retrieves data and returns a ref cursor.
> >
>
> This won't work as they can still get at the system catalog which will
> allow them to see the schema.
>
You're correct. There doesn't seem to be a way to restrict a user from reading
the system tables.
To limit the client to only accessing the data through functions, I'm looking at
creating a java-based api to wrap all accesses to the db. The client machine
wouldn't need a db password, merely asking for DML through the api.