Row-level security problem using VPD

Similar Messages

• Row level security without using VPD

  I am wondering if there is a way to have row level security in APEX without having to use the virtual private database (VPD). I cannot afford the Enterprise Edition license that is required for VPD.
  I need a way to customize the list of rows that appear for each user on a report page.
  For example, I only want managers to be able to see their employees and not employees of other managers.
  Thanks for your help !
  -Reid

  While it wont provide all the features that Oracle RLS does, you can leverage Oracle 'Contexts' to provide a form of Row Level Security.
  This article describes how
  http://www.dbazine.com/oracle/or-articles/jlewis15
  Within APEX you can set your application to call the 'context' setting function in the 'VPD' section of the 'Edit Security Attributes' page.
  Varad

• Row level security problem.

  Hy all, I'm new to Oracle and though i've google it a lot I didn't manage to find a solution to this problem:
  I'm using sql developer and Oracle 10g.
  I have this two tables :
  CREATE TABLE HR_employees
  (codHR NUMBER(3) CONSTRAINT pk_hr PRIMARY KEY,
  coddep NUMBER(4) not null,
  DB_user VARCHAR2(10),
  and
  CREATE TABLE Candid
  (codcan NUMBER(2) CONSTRAINT PK_candidat PRIMARY KEY,
  codHr NUMBER(3) NOT NULL,
  CONSTRAINT FK_CODHR FOREIGN KEY (codHR) REFERENCES HR_employees (codHR) );
  I tried to implement row level security on them by using two views:
  CREATE OR REPLACE VIEW employees_v AS
  SELECT * FROM hr_employees
  WHERE DB_user = user
  UNION
  SELECT * FROM hr_employees
  WHERE codhr=(SELECT codhr FROM hr_employees WHERE db_user=user );
  AND coddep IN (4000,5000);
  CREATE OR REPLACE VIEW candid_v AS
  SELECT cand.*
  FROM candid cand , hr_employees hr
  WHERE cand.codhr= hr.codhr
  AND hr.db_user=user
  UNION
  SELECT cand.* FROM candid cand, hr_employees hr
  WHERE hr.coddep=(SELECT H.coddep FROM hr_employees H
  WHERE H.db_user=user
  AND H.coddep IN (4000,5000) );
  What I want to do is to disconnect and connect with another user from SQL Developer and see different fields based on the user and the department, Sql developer doesn't seem to recognize the user connected to the database..everytime I receive a no row selected statement, only when I connect with SYS and put the actual username WHERE H.db_user='SYS' they seem to work. I have created the tables with SYS and granted Select on the views to the users, the users don't have privilegies on the actual tables.
  Sorry for the bad english,it's a foreign language to me ,
  I hope you can help me

  Hi,
  Damorgan is right: "Row level security has nothing to do with views" in the sense that the two are independent. You can have row-level security with or without views, and you can have views with or without row-level security. dbms_rls is a very useful and powerful way to implement row-level security, and you should check it out, but it's not necessarily the answer to all row-level security problems.
  I'm not sure I understand your problem beyond the need to restrict user A's access to two tables.
  If which rows user A is allowed to see depends on the results of queries from those same tables, including rows that user A is not allowed to see (that is, you need to do sub-queries with some other user's (let's call this user B's) privileges), then you can do those sub-queries in stored procedures.
  Stored procuderes can run with the privileges of the procedure owner, regardless of who is calling them. Using a function called user_codhr owned by user B, you could define a view like this:
  CREATE OR REPLACE VIEW employees_v AS
  SELECT * FROM hr_employees
  WHERE DB_user = user
  OR    (   codhr = user_codhr
        AND coddep IN (4000,5000)
        );If the results of the function will be the same throughout the session, you can call it once, at the beginning of your session, and save the results in a SYS_CONTEXT varaible or a global temporary table.
  If you need more help, post a more detailed example of the problem, such as "With this data in the table, B should see all rows but A should see only ...".

• Row-level security(VPD) problem

  Hi,
  ADF BC, Jdeveloper 11.1.1.3.0
  We want to implement Row-level security in ADF by VPD, and do following:
  1, create VPD policy according to the following sample
  http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
  2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
  The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
  We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
  I appreciate your suggestion.
  thanks

  So how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• Row Level Security (VPD)

  We are enhancing our corporate security model using VPD fine grain access to allow more flexible policies. This will provide different levels of row level access on each set of mart fact tables (Health Board level access on Mart A, GP Practice level on Mart B etc). We also want different column level security (masking) on common dimensions depending on which mart is being queried, e.g. a user might be allowed to see confidential patient columns when querying Mart A, but not on Mart B.
  OID groups hold user attributes, and we can retrieve these via logon trigger and policy functions and then set user contexts accordingly.
  When a query is submitted to the database (via Business Objects), it triggers the policy function on a particular mart fact table(s), which applies the particular row level constraint based upon the users context. So far so good. Problem is, when any dimension policy functions are being triggered (at the same time), they need to know which particular Mart is being queried, so that they can retrieve the correct user context to apply either confidential or non-confidential column masking.
  I basically need a means of interrogating the SQL before (or as) it reaches the dimension policy functions, from which the function can identify the Mart from the named tables in the SQL FROM list. Is there a way of doing this, or some other mechanism entirely for delivering this level of access control?
  One solution is to have a separate dimension view specific to each Mart. A particular view would join to a particular mart (in Business Objects), and the policy function amended for each. However we would rather avoid this as it could mean up to 20 + views for each dimension, and require a substantial maintenance overhead.
  Thanks
  Simon
  Edinburgh

  Why would you want a situation where USER1 cannot see any of the data in the table but owns a procedure that allows him to update any row in the table? That would basically defeat the purpose of using VPD-- if USER1 can circumvent the VPD policy in this procedure, USER1 can circumvent the policy in any procedure and can create procedures that allow him to view and manipulate the data.
  Can you provide a bit more background about what problem you're trying to solve? Why does USER1 need to own the procedure if USER1 isn't allowed to see any of the data? Are you trying to write a procedure that will apply the caller's VPD policy (i.e. when USER2 calls the procedure, he can only update the rows that his VPD policy allows him to see)? Or do you want the procedure code to bypass the VPD policy entirely? Why are you fine with granting USER2 the ability to bypass the VPD policy but you are not OK granting USER1 that same privilege?
  Justin

• Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)

  To the Universe Gurus out there:
  I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
  Background:
  We have 11 tables that are to be restricted.
  Each table is accessible to potentially 1..* group of users only.
  For eg SALES is accessible to ALL_SALES members only.
  Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
  For eg
  1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
  2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
  3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
  This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
  Results:
  1) With the way I laid out the business rules above, I am ending up with 528 groups.
  2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
  Problems/Questions:
  How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
  AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
  Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
  Am I even thinking of this the right way or is there a more noble way to do this?
  Regards

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• Row level security in OBIEE 11g: Which is better: VPD or RPD

  We can apply row level security in OBIEE by 2 ways.
  1. by Creating Initialize Block in RPD
  2. or Applying VPD in Database, which restricts source tables
  Which one is more efficient and why?
  Thanks,
  Sunil Jena

  you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

• Urgent: row level security with VPD

  Has any one implemented the row level security in Virtual private database(VPD) for Discoverer.
  Please let me know how well does it work with discoverer and are there any flip sides that one needs to be aware of.
  Thanks

  authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
  Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

• VPD (Row Level Security) Implementation at Middle Layer

  Hi All,
  Is there any provison to implement Row Level Security at the Entity Object level?
  We have a table where in some rows need to be displayed based on the user logged in.
  We are aware of the VPD implementation using a function and adding a policy.
  We are looking for implementing VPD at the Middle Tier.
  Any help in this regard will be greatly appreciated.
  Thanks in Advance,
  Raghu

  Raghu,
  Assuming you are talking about ADF Entity Objects - yes. The standard way of doing this would be to over-ride prepareSession() in your Application Module to set whatever information you may need in the database session in order to identify your user and use that information in your VPD policy. If you Google about, you can find some good information, including [url http://blogs.oracle.com/jheadstart/2007/11/row_level_security_using_vpd_a.html]this (it's for JHeadstart, but the concept applies just fine).
  John

• Suggestion required for using row level security

  We have a scenario to provide row level security to some of the transaction tables like HR_EMPLOYEE which has a foreign key column DEPT_ID to HR_DEPARTMENTS table. This table may grow up to about 5 million records. There could be regular SELECT operations on this table and not so frequent UPDATES compared to the SELECT operation.
  We were looking at the following approaches...
  Table :
  HR_EMPLOYEE
       EMPNO
       DEPT_ID
       LAST_NAME
       FIRST_NAME
  1. Enable Oracle Label Security policy on this table and use static predicates.
  In this approach we add the OLS policy column (POLICY_COLUMN) and add predicate to access data.
  e.g. we will be giving access to global data by predicate like
  OR POLICY_COLUMN =CHAR_TO_LABEL('POLICY_NAME','C::DEPT1')
  where C::DEPT is the OLS Label
  2. Using VPD policy. We donot add any column, instead use the existing column DEPT_ID to provide row label security. In this approach the DEPT_ID is to be compared against an additional table and DOMINATES function will be used to verify the permission for the user to access the data.
  e.g. In this approach, the policy function is like
  'DOMINATES(char_to_label(''POLICY_NAME'', SA_SESSION.LABEL(''POLICY_NAME''))
  ,char_to_label(''POLICY_NAME'', POLICY_PKG.GET_LABEL_FROM_DEPTID(DEPT_ID))) = 1'
  The GET_LABEL_FROM_DEPTID function returns the OLS label for the corresponding department. This is compared with the user's session label and appropriate rows are given access.
  Can someone suggest on which of the above approaches is more performance effective considering the number of records and the additional OLS column added to the table.

  Hi there,
  would you be able to describe as detailed as possible what you want to achieve? From my first glimpse at your code, it seems as if you are using both OLS and VPD in a rather extraordinary way.
  Best, Peter

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• Row Level Security in OBIEE using OID as authentication Mechanism

  Hi OBIEE Gurus,
  I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
  I want to implement RLS by doing the following :
  1. Have Security Groups defined in OID and assign users with group membership.
  2. Import these Security Groups into OBIEE metadata
  3. Apply filters to these Security Groups
  4. Run Answers requests to see if RLS works or not
  Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
  Appreciate your help.
  Edited by: drakesh on Sep 26, 2008 7:09 AM

  Follow the steps in the following link to set up OID and Row level security:
  http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
  Instructions for the link above:
  1.In place of Edit Data Source as database you have to select LDAP,define the groups and default initializer as filter expression.
  2.A more simpler approach ,is to create the groups explicitely using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
  Otherwise follow Matt's view
  Thanks,
  Amrita

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• How to apply row level security against the database administrator

  I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
  There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
  HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
  Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
  Is there additional ways to achieve the aim?

  Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
  If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
  This includes DBAs.
  The simple fact of being DBA doesn't guarantee the exemption.
  Everything goes to depend of the VPD config.