Column Level Security Using VPD under oracle 11g

Hi
I am using an example from Oracle Database 10g: Advanced Security -- Virtual Private Databases
1. The Application Context -- that sets the session environment for the user is ok.
2. The Logon Trigger that executes the above is ok. It had been tested.
3. The Security Policy that returns a predicate after checking the output of the Application Context is ok.
4. The security policy applied to the STOCK_TRX table is ok.
5. Select and Insert from the database work.
However, after dropping both the insert and select policy, I am having a problem getting a select policy to work with column-level VPD. I get ORA-28104 -- input value for statement type is not valid and ORA-06512 at SYS.DBMS_RLS line 20. See code below
begin
  -- positional call: the sixth argument slot of ADD_POLICY is STATEMENT_TYPES,
  -- so 'PRICE' is read as a statement type and ORA-28104 is raised
  DBMS_RLS.ADD_POLICY
  ('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY', 'PRACTICE',
   'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY', 'PRICE');
end;
/
Note:
PRICE is the sec_relevant_cols
STOCK_TRX is the table
Can you please help.
Thx

The syntax for row level security is not the same as for column level security. All the parameters to the DBMS_RLS.ADD_POLICY() function should be preceded by the type of the parameter, for example:
begin
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'PRACTICE',
    object_name       => 'STOCK_TRX',
    policy_name       => 'STOCK_TRX_SELECT_POLICY',
    function_schema   => 'PRACTICE',
    policy_function   => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
    sec_relevant_cols => 'PRICE');
end;
/
I did not know this before. I thought they were there in the example for explanatory reasons. I decided to answer the question for myself because I know others have the same interpretation.

Similar Messages

  • Oracle Virtual Private Database (VPD), Column Level Security

    Hello,
    About Oracle Virtual Private Database (VPD), is it possible to set a Column Level Security without setting a Row Level Security (without using any predicate)?
    Thanks,
    Herve.

    Thanks, Zoran.
    A colleague shared with me a link containing a function without returning a predicate (in using SYS_CONTEXT function to skip row restriction).
    Herve.
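    A complete working version of the column-level policy, added here as an example and not taken from either thread. It serves the question at the top of the page (ADD_POLICY in named notation with sec_relevant_cols) and Herve's question above (column security with no row restriction). It assumes the SESSION_VALUES application context is already populated at logon by a trusted package and logon trigger, as in the original poster's steps 1 and 2, and that PRACTICE.STOCK_TRX has a PRICE column. The attribute name PRICE_ACCESS and its 'Y' value are assumptions made for the example.

```sql
-- Added example (not the thread's code). Assumes application context
-- SESSION_VALUES with attribute PRICE_ACCESS ('Y' for sessions allowed to
-- see prices) is set at logon by a trusted package, and that
-- PRACTICE.STOCK_TRX has a PRICE column. PRICE_ACCESS is a made-up name.

-- 1. Policy function. DBMS_RLS dictates the signature: two VARCHAR2 inputs
--    (schema, object) and a VARCHAR2 predicate returned.
CREATE OR REPLACE PACKAGE practice.security_package AS
  FUNCTION stock_trx_select_security(p_schema IN VARCHAR2,
                                     p_object IN VARCHAR2) RETURN VARCHAR2;
END security_package;
/
CREATE OR REPLACE PACKAGE BODY practice.security_package AS
  FUNCTION stock_trx_select_security(p_schema IN VARCHAR2,
                                     p_object IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    -- Allowed sessions: no predicate at all, so no row is restricted.
    IF SYS_CONTEXT('SESSION_VALUES', 'PRICE_ACCESS') = 'Y' THEN
      RETURN NULL;
    END IF;
    -- Everyone else, including sessions whose context was never set, gets
    -- a predicate that is false for every row. Under ALL_ROWS (below) that
    -- does not hide rows; it returns every row with PRICE as NULL.
    RETURN '1=0';
  END stock_trx_select_security;
END security_package;
/

-- 2. Register the policy in named notation. In positional notation the
--    sixth argument lands in STATEMENT_TYPES, which is what raised ORA-28104.
BEGIN
  BEGIN
    DBMS_RLS.DROP_POLICY('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY');
  EXCEPTION
    WHEN OTHERS THEN
      IF SQLCODE <> -28102 THEN RAISE; END IF;  -- -28102: policy not there yet
  END;
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'PRACTICE',
    object_name           => 'STOCK_TRX',
    policy_name           => 'STOCK_TRX_SELECT_POLICY',
    function_schema       => 'PRACTICE',
    policy_function       => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
    statement_types       => 'SELECT',          -- column masking is SELECT-only
    sec_relevant_cols     => 'PRICE',           -- comma-separate for several
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS  -- mask the column, keep rows
  );
END;
/

-- 3. Check what the data dictionary actually recorded before trusting it.
SELECT p.policy_name, p.pf_owner, p.package, p.function,
       p.sel, p.ins, p.upd, p.del, p.enable,
       c.sec_rel_column, c.column_option
FROM   dba_policies p
JOIN   dba_sec_relevant_cols c
  ON   c.object_owner = p.object_owner
 AND   c.object_name  = p.object_name
 AND   c.policy_name  = p.policy_name
WHERE  p.object_owner = 'PRACTICE'
AND    p.object_name  = 'STOCK_TRX';
```

    With ALL_ROWS the behaviour for a session whose PRICE_ACCESS is not 'Y' is that every row of STOCK_TRX still comes back, but PRICE is NULL; without sec_relevant_cols_opt the same '1=0' predicate would hide the rows instead, which is row-level, not column-level, security. The check query should show SEL = YES, the other statement types NO, and COLUMN_OPTION = ALL_ROWS for PRICE. Masking is defined for the select list, so before relying on it test on your release whether a WHERE or ORDER BY on the masked column can still be used to infer its values.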

  • Implement row-level security using Oracle's Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracle's Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/"application" database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and Business Objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user), then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will Business Objects simply assign the first user's connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that every time we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that "Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization."
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being "executed" on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE PROCEDURE vpd_setup (p_user IN VARCHAR2) IS
    BEGIN
      -- Sets attribute USERID of application context SESSION_VALUES; the context
      -- must have been created with CREATE CONTEXT session_values USING vpd_setup
      DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
    END vpd_setup;
    /
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.
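    The Oracle side that the ConnectInit call above depends on, as an added example and not the answerer's code: the context has to be created with a USING clause naming the one package allowed to write it, and because the generic app_user connection is pooled, the package also needs a procedure that clears the value when a connection is handed back. The owner APP_SEC, the package name SESSION_VALUES_PKG, the grantee APP_USER and the sample user 'JSMITH' are hypothetical; SESSION_VALUES and USERID are the names the answer uses.

```sql
-- Added example, not from the thread. APP_SEC, SESSION_VALUES_PKG, APP_USER
-- and 'JSMITH' are made up; SESSION_VALUES / USERID come from the answer.

-- Spec first: CREATE CONTEXT names the package, and only that package may
-- call DBMS_SESSION.SET_CONTEXT for the namespace. A report user who has
-- EXECUTE on DBMS_SESSION still cannot write SESSION_VALUES directly.
-- (CREATE CONTEXT needs the CREATE ANY CONTEXT privilege.)
CREATE OR REPLACE PACKAGE app_sec.session_values_pkg AS
  PROCEDURE set_user(p_user IN VARCHAR2);
  PROCEDURE clear_user;
END session_values_pkg;
/
CREATE CONTEXT session_values USING app_sec.session_values_pkg;

CREATE OR REPLACE PACKAGE BODY app_sec.session_values_pkg AS
  -- @VARIABLE('BOUSER') is pasted into the ConnectInit text by BO before
  -- the statement reaches Oracle; reject anything that does not look like
  -- an account name rather than storing it.
  PROCEDURE set_user(p_user IN VARCHAR2) IS
  BEGIN
    IF p_user IS NULL OR LENGTH(p_user) > 30
       OR NOT REGEXP_LIKE(p_user, '^[A-Za-z][A-Za-z0-9_$#.@-]*$') THEN
      RAISE_APPLICATION_ERROR(-20001, 'rejected user id for VPD context');
    END IF;
    DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', UPPER(p_user));
  END set_user;

  -- Call this when a pooled connection is released; otherwise the next BO
  -- user handed the same session inherits the previous USERID.
  PROCEDURE clear_user IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT('SESSION_VALUES', NULL, 'USERID');
  END clear_user;
END session_values_pkg;
/
GRANT EXECUTE ON app_sec.session_values_pkg TO app_user;

-- What ConnectInit ends up sending, with BOUSER already substituted:
BEGIN app_sec.session_values_pkg.set_user('JSMITH'); END;
/
-- A VPD policy function reads the value with SYS_CONTEXT. NULL means the
-- ConnectInit never ran on this session and the policy should fail closed.
SELECT SYS_CONTEXT('SESSION_VALUES', 'USERID') AS userid FROM dual;
```

    The REGEXP check only guards the context layer: a quote in a BO user name would already have broken the ConnectInit statement before set_user runs, so the character set of BO account names has to be constrained where those accounts are created. The clear_user procedure is the answer to question ii in the post: if the pool cannot be made to clear or close the session, the policy function must treat a missing USERID as "no access" rather than "all access".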

  • Column Level Security - Grand Total row

    Hello All, I have a question about Column Level Security in a report where Grand Total is turned on. I am working inside of the OOTB Paint rpd and I am looking at the 'Finish Sales Trend for Current Year' report on the Brand Analysis dashboard page. Inside of the Admin Tool I added column level security on the Units presentation column in the Sales Measures table. I implemented security that will not allow the Central Region Manager group to view the Units column. When I access the report I noticed that the Grand Total row of the table is slightly skewed because the Units column is hidden. The Grand Total row is showing, however all the results are off by 1 cell.
    The forum is not allowing me to attach pictures to this post.
    Thanks for your help

    Hi User,
    It is a bug; refer to Metalink:
    Bug 9576412 - GRAND TOTAL NOT WORKING WHEN COLUMN LEVEL SECURITY IS IMPLEMENTED
    For example:
    consider a report with the following columns,
    Year Product Measure1 Measure2
    In this, if for Measure1 the column level security is enabled (user1 is not supposed to see the data),
    then the grand total value of Measure2 will be in the grand total of Measure1 (for user1).
    When column level security is enabled, that column will be pushed to the end of the table view.
    That is why it is happening.
    By using case statements with groups or users we can get it work without enabling the column level security.
    Thanks,
    Vino

  • Column level security

    Hi,
    While changing PROJECT_INACCESSIBLE_COLUMN_AS_NULL to YES in NQSConfig file to implement the column level security, we get an error saying 'A general error has occurred. [nQSError: 46036] Internal Assertion: Condition m_CountFields == static_cast<int32>(m_ColumnNameVector.size()), file .\Src\SQCSCacheStorageListStream.cpp, line 221. (HY000)' while running the reports.
    Can anyone help in resolving the same.
    Thanks in Advance,
    Durgeswari.

    Don't confuse the database user with the application user; your
    implementation uses specific security. You will create tables to keep
    your application data dictionary. Then you can do anything you
    want to. Good luck.
    Tip: keep your application design as simple as possible; it is
    good for your life.

  • Can't find column level security in BO 3.1

    I am trying to implement column level security in Web Intelligence in Business Objects 3.1.
    After studying articles on google I found that it can be achieved using Business Security Profile but when I searched I couldn't find any such profile or setting in BO 3.1.
    Can anyone please guide me in correct direction on how to achieve the same in BO 3.1
    Please also let me know whether there will be any compatibility issues, as the Development environment is in BO 3.1 and the Production environment is BO 4.0.
    Thanks for your time
    Siva

    Hi Siva,
    You can use the "Manage Access Restriction" option to achieve column level security in a Business Objects 3.1 universe.
    See below document for more detail-
    Implying Security on Business Object XI 3.1 Universe having SAP BW as Source
    ~Anuj

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that, and I'm aware of doing it by RPD-level authentication.
    I can use a filter condition at my user level so that he can access his data only.
    But when I have 4 tables in external tables
    users
    groups
    usergroups
    webgroups
    then in which table do I need to give the filter conditions?
    Please let me know.

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps
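    The init block the answer describes, written out as an added example (not from the thread). It assumes the four external tables the poster listed, with hypothetical columns: USERS(user_id, user_name, region), GROUPS(group_id, group_name), USERGROUPS(user_id, group_id) and WEBGROUPS(user_id, webgroup_name). :USER is the placeholder OBIEE substitutes with the name of the user being authenticated; REGION is a made-up custom variable used to show where the data filter goes.

```sql
-- Added example, not from the thread. Table and column names are assumed
-- from the poster's list; :USER is OBIEE's substitution of the login name.

-- Session variable init block with "row-wise initialization" ticked. Each
-- row returned is (variable name, value); repeated names build a
-- multi-valued variable. GROUP and WEBGROUPS are the built-in variables
-- the server reads for repository and catalog group membership; REGION
-- is a custom session variable referenced as NQ_SESSION.REGION.
SELECT 'GROUP'      AS var_name, g.group_name    AS var_value
FROM   users u
JOIN   usergroups ug ON ug.user_id = u.user_id
JOIN   groups g      ON g.group_id = ug.group_id
WHERE  UPPER(u.user_name) = UPPER(':USER')
UNION ALL
SELECT 'WEBGROUPS', w.webgroup_name
FROM   users u
JOIN   webgroups w ON w.user_id = u.user_id
WHERE  UPPER(u.user_name) = UPPER(':USER')
UNION ALL
SELECT 'REGION', u.region
FROM   users u
WHERE  UPPER(u.user_name) = UPPER(':USER');

-- The data filter is not written in any of the four tables. It is entered
-- in the Administration Tool on the group (Permissions > Filters) against
-- the logical table that carries the data, for example:
--
--   "Sales"."Region" = VALUEOF(NQ_SESSION."REGION")
--
-- The external tables only feed the variables; the filter is what the
-- server appends to every query the group's members run.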

  • Grand Total not displaying correctly on Column level security.

    Hi All,
    I have implemented the Column level security for three columns. But in dashboard report. The grand total is not displaying correctly. The grand total values are still displayed for the hidden columns.
    Is there any work around for this.
    The sample how my report looks like after column level security is.
    ColumnA     Metric1   Metric2   Metric3 (to be hidden)
    A           100       200
    B           150       100
    GrandTotal  250       300       400 (this includes the value of A = 300, B = 100)
    Regards,
    Bhavik

    Any pointers please.

  • Can we use hints in oracle 11g version ?

    can we use hints in oracle 11g version ? is it working ??

    Why do you ask these questions? Have you looked at the SQL Reference Guide and Performance Tuning Guide for your Oracle version, both of which cover using hints?
    Have you seen a statement that is not supported? Or does not work?
    Or are you simply doing idle speculation and expecting forum members to spend their free time answering a basic question where the answer is ridiculously simple to find?

  • Will Performance degrade due to Column Level Security

    Hi All,
    I have report with 40 Columns, of which more than 20 columns are restricted to many users on the Dashboards.
    This security is controlled by assigning permissions to those columns in RPD presentation Layer.
    And setting the PROJECT_INACCESSIBLE_COLUMNS_AS_NULL to YES in NQSConfig.ini
    Will the performance of reports degrade due to this type of design.
    Is there any solid evidence?
    Thanks
    Kaushik

    Hi,
    I don't see any performance hindrance because of the column level security.
    But remember in the pivot table you can still see the column without values. And its a bug. Would serve good for table views.
    Hope this helped/ answered
    Regards
    MuRam

  • Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)

    To the Universe Gurus out there:
    I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
    Background:
    We have 11 tables that are to be restricted.
    Each table is accessible to potentially 1..* group of users only.
    For eg SALES is accessible to ALL_SALES members only.
    Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
    For eg
    1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
    2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
    3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
    This same concept holds good for a number of jurisdictions (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to the AK_SALES_ADMIN group. No one else should be able to access them.
    Results:
    1) With the way I laid out the business rules above, I am ending up with 528 groups.
    2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
    Problems/Questions:
    How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
    AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
    Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
    Am I even thinking of this the right way or is there a more noble way to do this?
    Regards


  • Can't install Data Guard using DBCA in Oracle 11g Release 2

    I have installed Oracle database 11g Release 2 successfully. I have installed Label Security using DBCA; now when I am installing Database Vault using DBCA, it gives the message "ORA-01017: invalid username/password; logon denied" and exits back to DBCA.
    What step I am missing? please suggest.
    Regards and thx,

    Hi,
    I had the same issue too. I installed it on my desktop (server class option). Everything else including EM is working fine. However I got around the issue to an extent by manually running the catalog scripts for database vault. It should be located under $ORACLE_HOME/rdbms/admin. You have to run the script catmac.sql. There is a catch though. You need to go through the contents of the script and execute the other scripts manually by supplying username and passwords (yes, it sucks!!) but I don't find any help on metalink for this issue.
    Currently I am trying to create the realms but I am denied permission due to lack of "OPERATOR TARGET" privileges.
    If someone can lead me to the correct place where I can look for what is missing, it would be great.
    Thank you
    Kumar Ramalingam

  • How to check the row level security in TOAD for oracle

    Hi ,
    for example, I have 2 types of users:
    normal user and super user.
    The super user can see the group set (some column name) created by the normal user,
    but the normal user can not see the set created by the super user.
    This set creation also has 3 types: 'U', 'P', 'S'.
    P & S can be viewed even by the normal user,
    but U should not be.
    So here we are having some row level security for the normal user.
    So, in TOAD for Oracle, how to check that?
    Let me know if I'm not clear.

    Like,
    I'm the super user,
    and some records are inserted into a table by different users ('a', 'b', etc.).
    So, if user 'a' logs in then he should be able to see only the records inserted by 'a'.
    How to see in TOAD where such types of scripts (filter conditions) are written?

  • Urgent: row level security with VPD

    Has any one implemented the row level security in Virtual private database(VPD) for Discoverer.
    Please let me know how well does it work with discoverer and are there any flip sides that one needs to be aware of.
    Thanks

    The authenticating / authorizing part is taken care of by WebLogic, and then the USER variable is initialized and you may use it in any init blocks for security.
    Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

  • Object Level security not working on OBIEE 11g 11.1.1.7

    Hi,
    I am experiencing problems with object level security applied on an application role in the 11.1.1.7 version. If I create a user and assign that user to an application role and give that application role permission to Access Answers in Manage Privileges, it is not working. If I directly add a user to the permission list in the Manage Privileges section then the user is able to access Answers. I added that application role in the "Access to Answers" section in Manage Privileges. Permission for Authenticated users is denied.
    We recently upgraded from 11.1.1.5 to 11.1.1.7. Please can someone confirm if it a bug in 11.1.1.7 or it is because of the upgrade process.
    Regards,
    Sandeep

    Hello Sandeep,
    I have just verified the scenario below as you said but didn't find any issue.
    I have just created a User, Group and Application Role under the default authentication provider. Assigned the user under the group and the group under the newly created application role and provided access to Answers for the new application role under Manage Privileges, and I am able to see it.
    This might not be a 11.1.1.7 bug check it from upgrade end.
    Regards,
    Srikanth
