VPD 9i

Hi all!
I have a problem and I would like to get your opinion.
The customer wants to implement VPD. The database is Oracle 9i (9.2.0.7) on RHEL4AS Server. Initially, this step was included in the database migration to Oracle 10g, but the application runs very slowly! After this situation, the IT Manager wants to implement VPD in 9i and then migrate the database to 10g, after the application has been modified by the development team.
But in Oracle 9i, the procedure ADD_POLICY in the DBMS_RLS package doesn't have the SEC_RELEVANT_COLS and SEC_RELEVANT_COLS_OPT options. How can I implement VPD at vertical and horizontal levels in Oracle 9i?
Thanks!
Marcus Vinicius

In 9i, VPD didn't allow you to selectively permit access to particular columns in a table, just particular rows. In 9i, you could create a series of views that expose different sets of columns, grant appropriate users appropriate access on one of these views, and create appropriate private synonyms that point to the appropriate view in each user's schema. That's probably more work than figuring out how to fix the performance issues that followed the 10g migration.
Justin
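
The 9i approach described in the answer above, as an added example that is not part of the original thread: a DBMS_RLS policy on the base table handles the rows, while per-role views and private synonyms handle the columns. All object and user names (APP_OWNER, EMPLOYEES, USER_DEPTS, CLERK1, HR1) are hypothetical.

```sql
-- Added example; every object and user name here is hypothetical.
-- Run as a DBA (GRANT ANY OBJECT PRIVILEGE and CREATE ANY SYNONYM are needed
-- for the last steps). APP_OWNER, CLERK1 and HR1 are assumed to exist.

-- Base table: no end user is ever granted access to it directly.
CREATE TABLE app_owner.employees (
  emp_id    NUMBER(6)     PRIMARY KEY,
  dept_id   NUMBER(4)     NOT NULL,
  full_name VARCHAR2(100) NOT NULL,
  salary    NUMBER(10,2)
);

-- Which database user may see which department's rows.
CREATE TABLE app_owner.user_depts (
  username VARCHAR2(30) NOT NULL,
  dept_id  NUMBER(4)    NOT NULL,
  CONSTRAINT user_depts_pk PRIMARY KEY (username, dept_id)
);

-- Constructed sample data, loaded before the policy exists.
INSERT INTO app_owner.employees VALUES (1, 10, 'Anna',  4100);
INSERT INTO app_owner.employees VALUES (2, 20, 'Kevin', 5200);
INSERT INTO app_owner.user_depts VALUES ('CLERK1', 10);
INSERT INTO app_owner.user_depts VALUES ('HR1', 10);
INSERT INTO app_owner.user_depts VALUES ('HR1', 20);
COMMIT;

-- Horizontal restriction: the predicate is appended to every statement that
-- touches EMPLOYEES, including statements that reach it through a view.
CREATE OR REPLACE FUNCTION app_owner.emp_row_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- A user with no mapping rows matches nothing, so the policy fails closed.
  RETURN 'dept_id IN (SELECT ud.dept_id FROM app_owner.user_depts ud '
      || 'WHERE ud.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END emp_row_predicate;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ROW_POLICY',
    function_schema => 'APP_OWNER',
    policy_function => 'EMP_ROW_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);  -- new or changed rows must also satisfy the predicate
END;
/

-- Vertical restriction: one view per column set.
CREATE OR REPLACE VIEW app_owner.employees_basic AS
  SELECT emp_id, dept_id, full_name
  FROM   app_owner.employees;

CREATE OR REPLACE VIEW app_owner.employees_full AS
  SELECT emp_id, dept_id, full_name, salary
  FROM   app_owner.employees;

-- Grant each user exactly one view and nothing on the base table.
GRANT SELECT ON app_owner.employees_basic TO clerk1;
GRANT SELECT ON app_owner.employees_full  TO hr1;

-- Private synonyms let unchanged application SQL ("SELECT ... FROM employees")
-- resolve to the view that matches the connected user.
CREATE SYNONYM clerk1.employees FOR app_owner.employees_basic;
CREATE SYNONYM hr1.employees    FOR app_owner.employees_full;
```

Because the policy is attached to the base table, it cannot be bypassed by choosing a different view; the views only decide which columns exist for a given user.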

Similar Messages

  • Best practice for VPD and remote tables

    Not specifically an HTMLDB question, but here goes...
    HTMLDB 1.6 on 9.2.0.4 connecting over database link (fixed username/password) to 9.2.0.4
    I've currently "wrapped" access to the remote tables in views, i.e. view "T" in the HTMLDB parsing schema LOCAL_USER is defined as "SELECT * FROM T@remote"
    I'd like to put VPD controls on my backend tables, but I don't get how v('APP_USER') (or even APP_USER put into an application context) would be seen by the remote database.
    Should I just put VPD policies on LOCAL_USER's views and call it a day?
    Thanks for input!
    -John

    If you implemented the VPD in the remote database, what would your VPD be restricting? All queries would apply the policy based on the DB link fixed username resulting in all users of the HTML DB application having same policy restrictions.
    The policy in the remote database does not have access to the value of v('APP_USER'). That value is only available in the database that has HTML DB. You would have to write APIs in the remote database in PL/SQL functions/procedures to pass in the V('APP_USER') value to the remote database. This is doable, but cumbersome.
    If you want to have your policy modify your WHERE clause on the fly based on your HTML DB user account, then I would implement the VPD in the database which has your HTML DB repository. I am not sure which of the two scenarios below occur when doing a SELECT * FROM T.
    1.) The query goes across the database link, gets all the data out of table T in the remote database, passes back to the HTML DB database, and applies the policy WHERE clause modification in the HTML DB database.
    2.) The query applies the policy WHERE clause modification to the view, goes across the database link with the WHERE clause modified, and gets only the data allowed based on the policy from the remote database.
    You should test this out to find out for performance purposes what query is actually performed on the remote database.
    As always if anyone sees anything inaccurate in what I have written, please correct me.
    Mike

  • Help on VPD

    I am trying to use VPD in our application. It works fine if I directly use a SQL select statement. However, I cannot get the right record set if the SQL statement is in stored procedures, functions, or packages. Your kind reply will be highly appreciated.

    Find the issue.
    If I log on to the system as sys as sysdba and then grant exempt access policy to one user, then I get the problem. If I log on to the current schema using one user with DBA roles, and then grant exempt access policy to one user, the whole system works fine now.
    Thanks a lot.

  • Single Sign-On and VPDs

    Hi - we're trying to implement a VPD on our company database at the moment and were wondering if a single sign-on architecture on our middle tier could be successfully tied to a VPD on the database tier. We have a number of clients, both internal and external, who will be accessing the database via the web and we need to control who sees what. Could you advise on the feasibility of this approach? Thanks

    Hi Derick,
    I want to make our discussion into 2 parts
    1) Sign on
    2) Viewing data based on the Hierarchy
    1) Before discussing the sign on I want to know which connectivity you are using: Live Office or QaaWS?
    2) We can make the second point possible in two ways. One is by providing restriction at universe level
    and the other one is through the use of flash variables.
    Using flash variables:
    The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Hierarchy level of that user. Then we use some Excel logic to hide the data from low level hierarchy (here we use Dynamic Visibility for components).
    I hope this is what you are looking for....
    If so I have more points to achieve such a scenario.
    Please provide your BO environment details, so that it will be easy to identify the best way to achieve it.
    Regards,
    AnjaniKumar C.A.

  • How to get Win NT userid for setting VPD application context?

    We are planning to implement row-level security using VPD. For that to happen, we need to capture the Windows NT userid since all the applications connect through a generic Oracle userid which will not help us.
    Has anyone done this before? Your responses are appreciated.
    Thanks.

    SELECT osuser
    FROM v$session
    WHERE audsid = (SELECT USERENV ('sessionid') FROM dual)

  • Effect of RLS policy (VPD) on execution plan of a query

    Hi
    I have been working on tuning of few queries. A RLS policy is defined on most of the tables which appends an extra where condition (something like AREA_CODE=1). I am not able to understand the effect of this extra where clause on the execution plan of the query. In the execution plan there is no mention of the clause added by VPD. In 10046 trace it does show the policy function being executed but nothing after that.
    Can someone shed some light on the issue that has VPD any effect on the execution plan of the query ? Also would it matter whether the column on which VPD is applied, was indexed or non-indexed ?
    Regards,
    Amardeep Sidhu

    Amardeep Sidhu wrote:
    I have been working on tuning of few queries. A RLS policy is defined on most of the tables which appends an extra where condition (something like AREA_CODE=1). I am not able to understand the effect of this extra where clause on the execution plan of the query. In the execution plan there is no mention of the clause added by VPD. In 10046 trace it does show the policy function being executed but nothing after that.
    VPD is supposed to be invisible - which is why you get minimal information about security predicates in the standard trace file. However, if you reference a table with a security predicate in your query, the table is effectively replaced by an inline view of the form: "select * from original_table where {security_predicate}", and the result is then optimised. So the effect of the security predicate is just the same as you writing the predicate into the query.
    Apart from your use of v$sql_plan to show the change in plan and the new predicates, you can see the effects of the predicates by setting event 10730 with 10046. In current versions of Oracle this causes the substitute view to be printed in the trace file.
    Bear in mind that security predicates can be very complex - including subqueries - so the effect isn't just that of including the selectivity of "another simple predicate".
    Can someone shed some light on the issue that has VPD any effect on the execution plan of the query ? Also would it matter whether the column on which VPD is applied, was indexed or non-indexed ?
    Think of the effect of changing the SQL by hand - and how you would need to optimise the resultant query. Sometimes you do need to modify your indexing to help the security predicates, sometimes it won't make enough difference to matter.
    Regards
    Jonathan Lewis
    http://jonathanlewis.wordpress.com
    http://www.jlcomp.demon.co.uk
    "Science is more than a body of knowledge; it is a way of thinking"
    Carl Sagan
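
The checks named in the reply above (event 10730 together with 10046, and v$sql_plan), written out as an added example that is not part of the original thread. The ORDERS table, its STATUS column and the marker comment are hypothetical; AREA_CODE = 1 is the predicate shape from the question. The V$VPD_POLICY lookup goes slightly beyond what the reply mentions.

```sql
-- Added example; ORDERS, STATUS and the /* vpd_plan_check */ marker are hypothetical.

-- 1. Trace the statement with the VPD event switched on alongside 10046,
--    so the trace file also carries the substituted inline view.
ALTER SESSION SET EVENTS '10730 trace name context forever, level 1';
ALTER SESSION SET EVENTS '10046 trace name context forever, level 12';

SELECT /* vpd_plan_check */ COUNT(*)
FROM   orders
WHERE  status = 'OPEN';

ALTER SESSION SET EVENTS '10046 trace name context off';
ALTER SESSION SET EVENTS '10730 trace name context off';

-- 2. Read the plan actually used for that cursor. The security predicate
--    appears in ACCESS_PREDICATES or FILTER_PREDICATES like any other
--    predicate, which shows whether an index on AREA_CODE was usable.
SELECT p.id,
       p.operation,
       p.options,
       p.object_name,
       p.access_predicates,
       p.filter_predicates
FROM   v$sql      s,
       v$sql_plan p
WHERE  s.sql_text LIKE 'SELECT /* vpd_plan_check */%'
AND    p.address      = s.address
AND    p.hash_value   = s.hash_value
AND    p.child_number = s.child_number
ORDER  BY p.id;

-- 3. List the policies and predicate text attached to the same cursor.
SELECT v.object_owner,
       v.object_name,
       v.policy,
       v.predicate
FROM   v$sql        s,
       v$vpd_policy v
WHERE  s.sql_text LIKE 'SELECT /* vpd_plan_check */%'
AND    v.sql_hash     = s.hash_value
AND    v.child_number = s.child_number;

-- 4. The hand-written equivalent of what the optimiser receives. Run it as a
--    user for whom the policy returns no predicate, otherwise the policy is
--    applied a second time to the inner reference to ORDERS.
EXPLAIN PLAN FOR
SELECT COUNT(*)
FROM   (SELECT * FROM orders WHERE area_code = 1) o
WHERE  o.status = 'OPEN';

SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY);
```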

  • How to use vpd to restrict rows by application and schema_name?

    We have a need to reuse a schema name many times in a test/dev. environment. Normally we just create a new instance so development can test their apps. using the same schema_name, let's call it test_user. This is very tedious and time consuming to create many db's and sometimes we don't have the hardware to support so many db's. So I was wondering if I could use vpd and an application_context to restrict the rows & columns that can be seen. But instead of restricting it by schema_name I want to restrict it by schema_name and another env. variable like app_name or something similar. So when the middle layer connects with test_user user name and the app is called accts_payable they see parts of the rows that pertain to them. But if the middle layer connects with the test_user user name and the app is called accts_payable2 they see completely different rows. Any help would be appreciated.
    Thanks,
    George

    I was hoping someone else had already been down this path so I don't have to re-invent the wheel. But it looks like I'm going to go down that path. I did find something in the manual that may help but again it's not exactly what I was hoping for so I will have to test it. It mentions using dbms_session to set the application name in the environment like this:
    Consider the application server, AppSvr, that has assigned the client identifier 12345 to client SCOTT. It then issues the following statement to indicate that, for this client identifier, there is an application context called RESPONSIBILITY with a value of 13 in the HR namespace.
    DBMS_SESSION.SET_CONTEXT( 'HR', 'RESPONSIBILITY' , '13', 'SCOTT', '12345' );
    Thanks for your help on this. If anyone else has been through a similar situation please reply.
    Thanks,
    George
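
One way to meet the requirement in this thread (rows separated by database user plus application name), as an added example that is not from the original posts or the Oracle manual. It uses a session-level application context set through a trusted package; SEC_ADMIN, APP_CTX, APP_CTX_PKG, ALLOWED_APPS, TEST_USER.INVOICES and its APP_NAME column are hypothetical.

```sql
-- Added example; every object name here is hypothetical. Run as a DBA.
-- TEST_USER.INVOICES is assumed to exist and to carry an APP_NAME column.

-- Which application names each database user is allowed to claim.
CREATE TABLE sec_admin.allowed_apps (
  db_user  VARCHAR2(30) NOT NULL,
  app_name VARCHAR2(30) NOT NULL,
  CONSTRAINT allowed_apps_pk PRIMARY KEY (db_user, app_name)
);
INSERT INTO sec_admin.allowed_apps VALUES ('TEST_USER', 'ACCTS_PAYABLE');
INSERT INTO sec_admin.allowed_apps VALUES ('TEST_USER', 'ACCTS_PAYABLE2');
COMMIT;

-- Only code inside SEC_ADMIN.APP_CTX_PKG can write to this namespace;
-- a direct DBMS_SESSION.SET_CONTEXT call from any other code is rejected.
CREATE OR REPLACE CONTEXT app_ctx USING sec_admin.app_ctx_pkg;

CREATE OR REPLACE PACKAGE sec_admin.app_ctx_pkg IS
  PROCEDURE set_app (p_app_name IN VARCHAR2);
  PROCEDURE clear_app;
END app_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY sec_admin.app_ctx_pkg IS

  PROCEDURE clear_app IS
  BEGIN
    -- A NULL attribute makes the policy predicate match no rows.
    DBMS_SESSION.SET_CONTEXT('app_ctx', 'app_name', NULL);
  END clear_app;

  PROCEDURE set_app (p_app_name IN VARCHAR2) IS
    l_app sec_admin.allowed_apps.app_name%TYPE;
  BEGIN
    -- Accept only names registered for the connected database user.
    SELECT a.app_name
    INTO   l_app
    FROM   sec_admin.allowed_apps a
    WHERE  a.db_user  = SYS_CONTEXT('USERENV', 'SESSION_USER')
    AND    a.app_name = UPPER(p_app_name);

    DBMS_SESSION.SET_CONTEXT('app_ctx', 'app_name', l_app);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      clear_app;
      RAISE_APPLICATION_ERROR(-20010, 'application not registered for this user');
  END set_app;

END app_ctx_pkg;
/

GRANT EXECUTE ON sec_admin.app_ctx_pkg TO test_user;

-- Policy function: rows are visible only when their APP_NAME equals the
-- value held in the session's context.
CREATE OR REPLACE FUNCTION sec_admin.app_row_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  RETURN 'app_name = SYS_CONTEXT(''app_ctx'', ''app_name'')';
END app_row_predicate;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'TEST_USER',
    object_name     => 'INVOICES',
    policy_name     => 'INVOICES_APP_POLICY',
    function_schema => 'SEC_ADMIN',
    policy_function => 'APP_ROW_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- Middle tier, after connecting as TEST_USER and before any application SQL.
-- With pooled connections, call clear_app when a connection is returned.
BEGIN
  sec_admin.app_ctx_pkg.set_app('ACCTS_PAYABLE');
END;
/
SELECT COUNT(*) FROM test_user.invoices;
```

The application name is asserted by whoever holds the TEST_USER credentials, so this separates test data sets from each other; it does not protect one application from another that shares the same login.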

  • Trying to implement a VPD policy but got the following error ORA-20001

    hey good day,
    I'm trying to implement a VPD policy to my application. After I have performed the below task (Label 1) in oracle 10g database. When I'm about to access my application page in ApEx 3.2.1 I got the following error
    ORA-20001: get_dbms_sql_cursor error ORA-28110: policy function or package CHARLES.VPD_PREDICATE has error
    any form of assistance will be greatly appreciated.
    thanks in advance
    Label 1
    USER is "VPD_ADMIN"
    SQL> create or replace context empnum_ctx using set_empnum_ctx_pkg;
    Context created.
    SQL> CREATE OR REPLACE PACKAGE set_empnum_ctx_pkg IS
      2    PROCEDURE set_empnum;
      3  END;
      4  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY set_empnum_ctx_pkg IS
      2    PROCEDURE set_empnum IS
      3     emp_id NUMBER;
      4    BEGIN
      5     SELECT EMPNUM INTO emp_id FROM CHARLES.INSTRUCTOR
      6     WHERE upper(username) = nvl(v('APP_USER'), USER);
      7     DBMS_SESSION.SET_CONTEXT('empnum_ctx', 'empnum', emp_id);
      8
      9    EXCEPTION
    10      WHEN NO_DATA_FOUND THEN NULL;
    11    END;
    12  END;
    13  /
    Package body created.
    SQL> create or replace package vpd_policy as
      2    function vpd_predicate(object_schema in varchar2 default null, object_name in varchar2 default null)
      3     return varchar2;
      4  end;
      5  /
    Package created.
    SQL> create or replace package body vpd_policy as  function vpd_predicate(
      2   object_schema in varchar2 default null, object_name in varchar2 default null)
      3     return varchar2 as
      4
      5      BEGIN
      6     if (USER = 'ADMIN') and (v('APP_USER') is null) or
      7        (USER = 'MICHAEL.GRAY') and (v('APP_USER') is NULL) then
      8       return '';
      9     else
    10       return '(
    11             exists (
    12                     select  "INSTRUCTOR"."EMPNUM" as "EMPNUM",
    13                             "INSTRUCTOR"."FIRSTNAME" as "FIRSTNAME",
    14                             "INSTRUCTOR"."LASTNAME" as "LASTNAME",
    15                             "LOAD"."COURSEID" as "COURSEID",
    16                             "COURSE"."CREDIT" as "CREDIT",
    17                             "COURSE"."HPW" as "HPW",
    18                             "LOAD"."CAMPID" as "CAMPID",
    19                             "LOAD"."YR" as "YR",
    20                             "INSTRUCTOR"."POS" as "POS",
    21                             "INSTRUCTOR"."USERNAME" as "USERNAME",
    22                             "INSTRUCTOR"."DEPARTMENT_NAME" as "DEPARTMENT_NAME",
    23                             "LOAD"."SEMESTER" as "SEMESTER"
    24                     from    "COURSE" "COURSE",
    25                             "INSTRUCTOR" "INSTRUCTOR",
    26                             "LOAD" "LOAD"
    27                     where   "INSTRUCTOR"."EMPNUM"="LOAD"."EMPNUM"
    28                     and     "LOAD"."COURSEID"="COURSE"."COURSEID"
    29                     and     department_name = (
    30                                     select department_name from departments
    31                                     where upper (assigned_to) = nvl(v(''APP_USER''),USER) )
    32                                     )
    33
    34                     or upper(username) = nvl(v(''APP_USER''), USER)
    35                                                ) ';
    36
    37     END IF;
    38  END vpd_predicate;
    39  END vpd_policy;
    40  /
    Package body created.
    SQL> begin
      2  dbms_rls.add_policy(
      3  object_schema => 'charles',
      4  object_name => 'load',
      5  policy_name => 'Loading Policy',
      6  function_schema => 'charles',
      7  policy_function => 'vpd_predicate',
      8  statement_types => 'select, update, insert, delete');
      9  end;
    10  /
    PL/SQL procedure successfully completed.

    ORA-20001 isn't an Oracle error message it was coded into your application by a developer: Look it up.
    Consider too the following:
    EXCEPTION
       WHEN NO_DATA_FOUND THEN NULL;
    so if the employee identifier is not found ... is this really what you want? If an employee isn't valid shouldn't you know it?

  • VPD - How to make the where clause a correlated query

    Hi,
    My VPD function has the following where clause:
    where_clause:= ' project_id in (select object_id from pa_project_classes p'||
    ' where p.class_category='||''''||l_cat||''''||
    ' and p.CLASS_CODE='||''''||l_class||''''||
    ' and p.OBJECT_TYPE=''PA_PROJECTS'''||
    The problem is that the subquery is not using the unique key defined on the table pa_project_classes. What I need is something as follows:
    where_clause:= ' project_id in (select object_id from pa_project_classes p'||
    ' where p.class_category='||''''||l_cat||''''||
    ' and p.CLASS_CODE='||''''||l_class||''''||
    ' and p.OBJECT_TYPE=''PA_PROJECTS'''||
    ' and p.object_id=mainquery.project_id ||
    The problem is that since the table pa_project_classes also has a column project_id, I have to prefix the column name by the alias of the main query like 'mainquery.project_id'. However this seems impossible as main query is not unknown .
    I would be grateful if you could suggest any workaround or solution.
    Thanks

    Just have a look over these two statements if it solves your problem
    one time where clause
    Set_Block_Property('BLOCK_NAME',ONETIME_WHERE,your form item);
    dynamic where clause
    set_block_property('BLOCK_NAME', default_where, your form item)
    you can where clause at run time from any procedure or some triggers

  • VPD "Lost" after validation fails

    Hi,
    We have a custom in house VPD. In the application security section, under VPD, we call a procedure which sets our security context client_id in order to be used to make context references within secure views.
    In our page we have a simple select list which is run against a "secure" view. Once the user selects a value they hit continue to go on. A validation is put in place to make sure that a value has been selected.
    If the validation fails, we go back to the page and the validation error message displays (as it should) however the select list has no values. After doing a lot of testing, references to any view that uses the VPD returns no values when a validation fails.
    We've done some tests and it appears that the following happens:
    - On a page submit the VPD function gets called (as per the application security / vpd)
    - Validations are performed
    - If validation fails, run: dbms_session.clear_identifier;
    - Load the page along with the appropriate error messages.
    Is this correct? Is there any way around this?
    We have tried to set an application process to run before header which would run the same function as that called in the VPD section, however the process isn't run when a validation fails.
    Thank you,
    Martin

    APEX sets client identifier to: APP_USER:APP_SESSION. CLIENT_INFO is set to just APP_USER. Try the following query from the SQL Workshop as well as a region on a page to give you a better idea of what APEX sets:
    select sys_context('USERENV','CURRENT_SCHEMA') CURRENT_SCHEMA, sys_context('USERENV','SESSION_USER') SESSION_USER,
           sys_context('USERENV','MODULE') module, sys_context('USERENV','ACTION') action,
           sys_context('USERENV','CLIENT_INFO') CLIENT_INFO, sys_context('USERENV','CLIENT_IDENTIFIER') CLIENT_IDENTIFIER
      from dual
    I would probably include the IP Address of your HTTP Servers in the policy to make sure it's not someone connecting from SQL*Plus: sys_context('USERENV', 'IP_ADDRESS')
    Tyler

  • How to use VPD in Java/Struts JSP portlet with SSO

    DB = 10.1.0 (Standard Edition)
    Portal = 9.0.4.1
    10gAS = 9.4.0.1 (EE)
    I am in the beginning stages of developing some portlets that will be Java/Struts JSP based. We use SSO and have implemented some VPD security in our DB by creating some views that use SYS_CONTEXT('USERENV','CURRENT_USERID').
    These Java portlets connect to the DB using a defined JDBC connection for the OC4J container they are deployed in. The problem I'm having is that the call to SYS_CONTEXT is returning the user of the JDBC connection and not the SSO user. So far I have been unable to find any documentation that will point me in the right direction to get this configured properly.
    Deployment and configuration are as follows. Deploy war file to custom container on app server. In the configuration of the OC4J contain the app used the containers default JDBC connection using the oracle.jdbc.pool.OracleDataSource class. Max and Min open connections are blank.
    In the portal configuration under Navigator - Providers tab we defined a new Registered Provider. In the Connections tab for the provider we Specify the URL Http://hpsrv02.simsol.com:7777/discovery-portlets/providers. Under "Specify how the user's identity will be set by the Portal..." the "The user has the same identity in the Web providers application as in the Single Sign-On identity" is selected. Under "User/Session Information" User is selected and Login Frequency is set to "Once per user session". Then we created a new portal page and created a new portlet with the new provider.
    Just an FYI I do have Discoverer working with VPD and any report portlet, dynamic page portlet and any other type of portlet I created all work correctly with VPD it is just the java/struts one that is not working.
    So does any one have any insight into what configuration steps I have missed?
    Any help is much appreciated,
    Ed Klinger

    Ed,
    Your java code must get the SSO username (it's just a HTTP header variable) :
    ie: code sample...
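    // JSP scriptlet or servlet code: request, out and dn_user are assumed to be in scope.
    // Requires java.util.Enumeration.
    Enumeration e = request.getHeaderNames();
    while (e.hasMoreElements()) {
        String name = (String) e.nextElement();
        String value = request.getHeader(name);
        out.println("<br> " + name + " = " + value);
        // The SSO layer passes the authenticated user's DN in this header.
        if (name.toUpperCase().trim().equals("OSSO-USER-DN")) {
            dn_user = value;
            out.println("<br>******** USER DN = " + dn_user);
        }
    }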
    Then, the SSO username can be used in the VPD policy.
    Note that there is a difference between the sso username and the database username . SSO username is not known by database (CURRENT_USERID will return a database username)
    Discoverer worked OK in your case with the SYS_CONTEXT (.. CURRENT_USERID) because authentication is made by database user, probably.

  • Row level security in OBIEE 11g: Which is better: VPD or RPD

    We can apply row level security in OBIEE by 2 ways.
    1. by Creating Initialize Block in RPD
    2. or Applying VPD in Database, which restricts source tables
    Which one is more efficient and why?
    Thanks,
    Sunil Jena

    You will have some degree of performance degradation with either approach since you are adding additional filters, so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security? Is LDAP the main basis for the security? Do you plan to use certain roles? If your security is more based on roles at the application level, then it may be easier to define at the application level (OBIEE)... if it's just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

  • PL/Sql RESULT_CACHE Function under VPD environment

    Hi,
    Imagine that I have a VPD environment that depending on the user the data returned from the table in a schema is different than returned to other user. for instance:
    The VPD filters the data by company_id in this table
    table persons
    company_id number(4),
    person_id number(4)
    person varchar2(100)
    now imagine that I connect as scott and scott belongs company_id 1000. If scott runs select * from schema.persons he will see this
    1000 123 ANNA
    1000 124 MARY
    1000 125 SCOTT
    If I connect as JOHN and JOHN belongs to company_id 1111. If scott runs select * from schema.persons he will see this
    1111 123 ALBERT
    1111 124 KEVIN
    1111 125 JOHN
    This is the VPD environment I have...
    So, does RESULT_CACHE functions works well under this type of environment? RESULT_CACHE is shared between sessions... but in this case the sessions of scott and john see always different results. Is there any option of implementing RESULT_CACHE by username?
    Regards
    Ricardo

    It appears that the result cache functionality can work with Virtual Private Database. Check out the following links:
    Adventures with VPD I: Result Cache
    Concepts: Result Cache

  • Implement row-level security using Oracle's Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracle's Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/"application" database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that "Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization."
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END;
    ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being "executed" on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
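    CREATE OR REPLACE procedure vpd_setup (p_user varchar) IS
    BEGIN
      -- SET_CONTEXT is the DBMS_SESSION call that sets a context attribute. It succeeds only
      -- when called from the program unit named in: CREATE CONTEXT session_values USING vpd_setup;
      DBMS_SESSION.set_context( 'SESSION_VALUES', 'USERID', p_user );
    END vpd_setup;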
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.
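    One way to wire the context set by vpd_setup into a row-level policy, as an added example (not code from the post or from Business Objects). The APP_OWNER schema, the ORDERS table, its OWNER_ID column and the policy names are hypothetical, and vpd_setup is assumed to live in APP_OWNER.

    ```sql
    -- Only the trusted unit named in USING may write to this namespace.
    CREATE CONTEXT session_values USING app_owner.vpd_setup;

    -- Policy function: returns the predicate appended to every statement on
    -- the protected table. It has no side effects and issues no DML.
    CREATE OR REPLACE FUNCTION app_owner.f_orders_by_user (
      p_schema IN VARCHAR2,
      p_object IN VARCHAR2
    ) RETURN VARCHAR2
    IS
    BEGIN
      -- The context is referenced inside the predicate, not concatenated in,
      -- so the user name never becomes part of the SQL text.
      -- If ConnectInit did not run, USERID is NULL, "owner_id = NULL" is never
      -- true, and the session sees no rows (fails closed).
      RETURN 'owner_id = SYS_CONTEXT(''SESSION_VALUES'', ''USERID'')';
    END f_orders_by_user;
    /

    BEGIN
      DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP_OWNER',
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_BY_USER',
        function_schema => 'APP_OWNER',
        policy_function => 'F_ORDERS_BY_USER',
        statement_types => 'SELECT,INSERT,UPDATE,DELETE',
        update_check    => TRUE   -- rows written must also satisfy the predicate
      );
    END;
    /

    -- Check from the reporting session that ConnectInit actually ran.
    -- An application context value lasts for the database session, so a pooled
    -- session handed to another user keeps the previous USERID until
    -- vpd_setup is called again.
    SELECT SYS_CONTEXT('SESSION_VALUES', 'USERID') AS current_bo_user FROM dual;
    ```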

  • Converting a delete statement using VPD policies and context

    Hello,
    I'm trying to convert a delete statement into an update statement using VPD policies and context.
    /* Suppose the user 'user1' already exists. This is an application user */
    conn user1/pwd
    create table user1.test_a (
      id                number(4),
      description       varchar2(100),
      deleted           number(1)
    );
    alter table user1.test_a add constraint test_a_pk primary key (id);
    insert into user1.test_a values (1, 'abc', 0);
    insert into user1.test_a values (2, 'def', 0);
    commit;
    I'd like to convert each physical deletion into a logical deletion: statements like "delete from user1.test_a where id = 1" must be converted into "update user1.test_a set deleted = 1 where id = 1".
    I've found the following way: I will create a policy to avoid physical deletion. Additionally, the policy function should update the deletion flag too.
    conn user1/pwd
    /* Create context package */
    create or replace package user1.pkg_security_context is
      procedure p_set_ctx(
        i_test_a_id      in   user1.test_a.id   %type
      );
    end;
    /
    create or replace package body user1.pkg_security_context is
      procedure p_set_ctx (
        i_test_a_id      in   user1.test_a.id   %type
      ) is
      begin
        dbms_session.set_context( 'user1_ctx', 'test_a_id', i_test_a_id );
      end;
    end;
    /
    show errors
    /* Create trigger to set the context before deletion */
    create or replace trigger user1.test_a_bef_trg
    before delete on user1.test_a
    for each row
    declare
      pragma autonomous_transaction;
    begin
      -- only commits the preceding update, not the delete that fired the trigger.
      commit;
      user1.pkg_security_context.p_set_ctx( :old.id );
    end;
    /
    show errors
    create context user1_ctx using user1.pkg_security_context;
    /* Policy function */
    create or replace function user1.f_policy_chk_dels (
      object_schema in   varchar2,
      object_name   in   varchar2
    ) return varchar2
    is
      out_string                 varchar2(400)   default '1=2 ';
      /*
       * out_string is the return value.
       *  - 'WHERE 1=2' means 'nothing to access'
       */
      -- the declaration and assignment of loc_logged_usr_authorized are not shown in the post
    begin
      if ( loc_logged_usr_authorized > 0 ) then
        /*
         * Set the flag deleted to 1
         */
        update user1.test_a set deleted = 1 where id = sys_context( 'user1_ctx', 'test_a_id' );
        out_string := out_string || 'or 1=1 ';
      end if;
      return out_string;
    end;
    /
    show errors
    /*
     * Create policy
     */
    begin
      dbms_rls.add_policy(
        object_schema   => 'user1'                   ,
        object_name     => 'test_a'                  ,
        policy_name     => 'policy_chk_dels'         ,
        function_schema => 'user1'                   , -- function schema
        policy_function => 'f_policy_chk_dels'       , -- policy function
        statement_types => 'DELETE'
      );
    end;
    /
    When I try to delete a record of the table test_a:
    conn user1/pwd
    SQL> delete from ilogdia.oplsimulaciones sim where sim.id = 9999;
    0 rows deleted
    No rows have been deleted, but the update stmt does not work. That means, the "deleted" flag has not been updated.
    Any ideas?
    Thank you in advance.
    Marco A. Serrano
    Edited by: albrotar on Oct 15, 2012 8:42 AM
    Edited by: albrotar on Oct 15, 2012 8:43 AM

    The policy function is applied once per statement execution. The policy function executes first and the UPDATE statement, presumably, updates no rows because the context is not yet populated. The row-level trigger populates the context (I'm assuming that your session can even see context values populated by an autonomous transaction-- I would guess it could but I'd have to test that) after the UPDATE statement is already complete. The COMMIT in the row-level trigger is also pointless-- it only applies to changes made by the current autonomous transaction, of which there are none-- it cannot apply to changes made in other autonomous transactions. Declaring the row-level trigger to use autonomous transactions doesn't seem to accomplish anything other than to open the question of whether the values set in the context by the autonomous transaction are visible in the caller's transaction.
    Even if this, somehow, did work, using autonomous transactions would be a very bad idea since Oracle is free to roll-back a partially executed statement (and the work done by its triggers) and re-execute it. Oracle does that with some regularity to maintain write consistency.
    Justin
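
    An added example, not from either post and going beyond the answer above: a logical delete done per row inside the caller's transaction, with no policy-function side effects and no autonomous transaction. The view, trigger and APP_USER names are hypothetical, and it assumes the DELETE policy from the question is not attached to user1.test_a.

    ```sql
    -- Applications work against the view; flagged rows are hidden from it.
    create or replace view user1.test_a_v as
      select id, description
        from user1.test_a
       where deleted = 0;

    -- Fires once per row matched by a DELETE on the view and replaces the
    -- physical delete with the flag update. It runs in the caller's
    -- transaction, so it commits or rolls back together with the statement,
    -- including when Oracle restarts the statement for write consistency.
    create or replace trigger user1.test_a_v_del_trg
    instead of delete on user1.test_a_v
    for each row
    begin
      update user1.test_a
         set deleted = 1
       where id = :old.id;
    end;
    /
    show errors

    -- APP_USER (hypothetical) gets the view only and holds no privilege on
    -- user1.test_a, so it cannot issue a physical delete against the table.
    grant select, delete on user1.test_a_v to app_user;

    -- As APP_USER: the row disappears from the view ...
    delete from user1.test_a_v where id = 1;
    commit;

    -- ... and as USER1 it is still in the table, with the flag set.
    select id, description, deleted from user1.test_a order by id;
    ```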

  • Evaluate_Analytic function not working with VPD enabled

    Experts,
    One of the column formula has evaluate_analytic function in the report. The report works fine with no errors when Virtual Private Database is not checked in the Physical Layer's datasource object, but the same report fails with the below error message when VPD is checked.
    Please share your thoughts on how to resolve the error. Your response is greatly appreciated.
    This is the error message in the answers:     
    Odbc driver returned an error (SQLExecDirectW).
    Error Details
    Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P
    State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 42015] Cannot function ship the following expression: Evaluate_Analytic( MIN(%1) OVER(PARTITION BY %2),([ D901.c3, D901.c4] )).Please have your System Administrator look at the log for more details on this error. (HY000)
    This is in OBIEE 11.1.1.6 version. I haven't tested in old versions.
    Regards,
    Tom
    Edited by: Tom Lype on Oct 1, 2012 2:17 PM

    I found the solution myself. Hopefully it should help others.
    If your fact table is within a data source object which has VPD enabled in the physical layer, all other tables (dimensions) mapped to it should be from a data source object which has VPD checked. I might be wrong but at least in my case after I copied over two tables from a data source (no VPD checked) into the new data source (VPD checked), my evaluate_analytic function is working with no errors. The parameters for the evaluate_analytic function are from those two tables.
    Regards,
    Tom
