Column Level VPD

Hello all,
Am I correct in thinking that if the parameters below are added to the policy, column masking will be invoked:
,sec_relevant_cols => 'sensitive_column_name'
,sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS
As 'sensitive_column_name' has been marked as security relevant, is the value always returned as NULL or can I return the actual value for appropriate users?
Thanks,
Rhys David

By making use of sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS, all rows will get displayed. However, sensitive column values will be returned as NULL.
If a query references a sensitive column, then the default action of column-level Oracle Virtual Private Database restricts the number of rows returned. With column-masking behavior, all rows get displayed, even those that reference sensitive columns. However, the sensitive columns display as NULL values. To enable column-masking, set the sec_relevant_cols_opt parameter of the DBMS_RLS.ADD_POLICY procedure.
Coming to your second point:
Rhys David wrote:
As 'sensitive_column_name' has been marked as security relevant, is the value always returned as NULL or can I return the actual value for appropriate users?
Actual values will be displayed for the appropriate users (as implemented in your policy function); for all the other users who are not supposed to have access to the sensitive column, NULL will be displayed.
Cheers,
AA
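
The masking behaviour described in this thread, as an added example that is not part of the original posts: a policy function that returns no predicate for a privileged user and a restrictive one for everyone else, attached with sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS. It assumes the SCOTT.EMP demo table; the function name MASK_SALARY, the policy name EMP_SAL_MASK and the user HR_MANAGER are hypothetical.

```sql
-- Added example. MASK_SALARY, EMP_SAL_MASK and HR_MANAGER are hypothetical names.
CREATE OR REPLACE FUNCTION scott.mask_salary (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- Privileged session: a NULL predicate means "no restriction",
  -- so SAL and COMM are returned unmasked on every row.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_MANAGER' THEN
    RETURN NULL;
  END IF;
  -- Everyone else: real values only on the row where the predicate is true
  -- (their own row); with ALL_ROWS the other rows are still returned,
  -- but SAL and COMM come back as NULL.
  RETURN 'ename = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END mask_salary;
/

BEGIN
  -- Named notation matters: the sixth positional parameter of ADD_POLICY
  -- is statement_types, so column names must be passed by name.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'SCOTT',
    object_name           => 'EMP',
    policy_name           => 'EMP_SAL_MASK',
    function_schema       => 'SCOTT',
    policy_function       => 'MASK_SALARY',
    statement_types       => 'SELECT',   -- column masking applies to SELECT only
    sec_relevant_cols     => 'SAL,COMM',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Check that the policy is registered as masking rather than row-filtering:
-- COLUMN_OPTION should read ALL_ROWS for both columns.
SELECT policy_name, sec_rel_column, column_option
  FROM dba_sec_relevant_cols
 WHERE object_owner = 'SCOTT' AND object_name = 'EMP';

-- As HR_MANAGER: every row, with real SAL and COMM values.
-- As any other user: every row, SAL and COMM NULL except on that user's own row.
SELECT ename, sal, comm FROM scott.emp;
```

A query that does not reference SAL or COMM is not affected by the policy, and a masked NULL is indistinguishable from a stored NULL, so reports that aggregate these columns need to account for that.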

Similar Messages

  • Q : Using column level VPD policies with Oracle Jdeveloper ADF BC ?

    For one of our big customers, we already successfully developed a new java application using Oracle Jdeveloper with ADF, ADF BC and the Virtual Private Database (VPD) with row level policies.
    Our customer has new business requirements that could be fulfilled using column level VPD policies.
    Has someone already successfully (or not) developed a business application using column level VPD policies with ADF, ADF BC on Oracle 10g R2 database and OracleAS 10g (10.1.2) ?
    Is it supported by Oracle ? what are the pitfalls, difficulties, problems you've met ?
    Is it a viable solution and if not, why ?
    Thanks in advance.
    Rémy

    Tomas,
    my 2 cent:
    if you know how to get the info from the db during run time you should be able to overwrite the frameworks message bundle look to get the description from the db instead of from the resource bundle.
    Or you load all descriptions from the db into a resource bundle and use the keys in the tooltip directly.
    Timo

  • Column Level Security Using VPD under oracle 11g

    Hi
    I am using an example from Oracle Database 10g: Advance Security -- Virtual Private Databases
    1. The Application Context -- that sets the session environment for the user is ok.
    2. The Logon Trigger that executes the above is ok. It had been tested.
    3. The Security Policy that returns a predicate after checking the output of the Application Context is ok.
    4. The security policy applied to the STOCK_TRX table is ok.
    5. Select and Insert from the database work.
    However, after dropping both the insert and select policy, I am having a problem getting a select policy to work with column-level VPD. I get ORA-28104 -- input value for statement type is not valid and ORA-06512 at SYS.DBMS_RLS line 20. See code below
    begin
    DBMS_RLS.ADD_POLICY
    ('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY', 'PRACTICE', 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY', 'PRICE');
    end;
    Note:
    PRICE is the sec_relevant_cols
    STOCK_TRX is the table
    Can you please help.
    Thx

    The syntax for row level security is not the same for column level security. All the parameters to the DBMS_RLS.ADD_POLICY() function should be preceded by the type of the parameter for:
    begin
    DBMS_RLS.ADD_POLICY(object_schema=>'PRACTICE', ... sec_relevant_cols=>'PRICE');
    end;
    I did not know this before. I thought they were there in the example for explanatory reasons. I decided to answer the question for myself because I know others have the same interpretation.

  • Oracle Virtual Private Database (VPD), Column Level Security

    Hello,
    About Oracle Virtual Private Database (VPD), is it possible to set a Column Level Security without setting a Row Level Security (without using any predicate)?
    Thanks,
    Herve.

    Thanks, Zoran.
    A colleague shared with me a link containing a function without returning a predicate (in using SYS_CONTEXT function to skip row restriction).
    Herve.
    Link

  • VPD Update policy at column level

    Hi,
    I have a table abc and I have applied a policy for update. Now the user who has no access is unable to update the table abc. Can I just restrict the user from updating a specific column ( user_id column in the table abc), rather than restricting the user from updating all columns?
    Thanks.

    hi,
    You can use sec_relevant_cols parameter of the DBMS_RLS.ADD_POLICY procedure
    begin
    dbms_rls.add_policy (
    object_schema => 'SCOTT',
    object_name => 'EMP',
    policy_name => 'VPD_TEST_POLICY',
    function_schema => 'SCOTT',
    policy_function => 'TEST_VPD',
    statement_types => 'select, insert, update, delete',
    sec_relevant_cols => 'sal,comm');
    end;
    you can see this doc
    http://www.in-oracle.com/Oracle-DBA/DBA-I/vpd-virtual-private-database.php
    or
    You can also use views to enforce column-level security, showing only which columns in a table may be updated. For example, assume that you must design roles based on a table where only managers may view or update the salary column of the employee table (column restriction).
    1 - You can grant the end-user access to only those columns you wish to update:
    grant update (col1, col2) on mytab to fred;
    2 - You might create a view with only those columns that you want to allow updates, the table appears to the end-user as-if it contains only those columns. By granting access only to that view (and not the base table), you can effectively implement column-level security and restrict which columns in a table may be changed.
    regards,
    Edited by: dataseven on 04.Eki.2012 23:22

  • Row and Column Level Select Permission

    Hello Friends,
    I am using Oracle9i Enterprise Edition Release 9.2.0.1.0 and Windows XP. I have two questions. How to set:
    1. Row Level Select Permission?
    2. Column Level Select Permission?
    1. I have a table having 100 records in it. I don't want to allow all the users to see them; means, if user1, user2 and user3 are going to select * from mytable then only they can get all the rows; while other users (including sys) should not be able to get all rows, they should be capable of from 11th record.
    Though it can be managed by using another table, I am just finding the other solution.
    2. Likewise, if I don't want to allow to fetch all the columns; suppose column4 is having confidential info and should only be visible to user1, user2 and user3, not to any other user; what should I do?
    Please guide and help me.
    Regards

    You would need to use Virtual Private Database (VPD)/ row level security (RLS) to apply row-level security policies to the table. The DBMS_RLS package is used for this
    http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_rls.htm#sthref6168
    Unfortunately, column-level security wasn't available in 9.2. You would need to upgrade to Oracle 10g to get that functionality. Before that, you would have to create views that selected appropriate subsets of columns and grant permissions on those views to different users.
    Justin

  • Column Level restriction on Oracle 9i User

    I want to implement the column level restriction on Oracle 9i users but it is not implementing. Can you help me in this regard?

    Use Fine-Grained Access Control/Virtual Private Database (VPD)
    http://download-east.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adgsec02.htm

  • Column level dump

    Hi
    Is it possible to take column level dump by exp or expdp? Can we take dump of particular column of table?

    shd, Anantha is correct in that no direct method exists to take a column level dump.
    Depending on why you want to extract only one or selected columns of a table you might use CTAS (Create Table as Select) to build a table with only the target columns and then export that table. The export/import utilities do support changing the table owner so the above should give you a way to get the data you want in an export providing the space exists to run the CTAS.
    If database space is limited and the target table is large then another alternate might be to use SQLPlus to just query the target columns spooling the data into a file. The sqlldr utility can then be used to load the data into a table.
    If you do not mind having all the table columns present but having data only in selected columns, then on 10g, using the traditional exp utility and a username set up to run the export, the VPD feature should allow you to extract data only in certain columns with NULLs being provided for all non-desired columns. Depending on why and how often you would want to export only specific columns this might be an option.
    HTH -- Mark D Powell --

  • Grant specific column level privilege

    Without VPD, how will I grant a specific column level privilege to a particular user?

    grant update(id) on a to scott;
    It is working fine.
    Can anybody give other suggestions?

  • Column level filter at RPD level - OBIEE 11g

    Hi all,
    How do i add a filter at the column level in logical layer for one of the metric , it has the following calculation
    case when id in (1,2,3,4,5,5) and category='AS' then case when points=10 or points=9 then 1 else 0 end end
    I want the metric to reused for other id's as well... so i want to put case when id in (1,2,3,4,5,5) in filter of the column. how do i achieve it? plz help
    Thanks,
    Lona

    Your question is not clear, I assume you want points to be reused for other ids, so try this
    case when id in (1,2,3,4,5,5) and category='AS' then
    case when points in (10 ,9) then 1
    else 0
    end
    else points
    end
    if helps mark
    ~ http://cool-bi.com

  • How to apply 'disableColumnReordering="true"' at column level.

    Hi Experts,
    I am using jdev 11.1.1.5.0.
    I have a requirement not to move (drag) the columns within a table. I succeeded in applying this at table level so that all columns are fixed, but I am not able to fix it at column level.
    So, is there any way or a property to fix this at column level?
    Please help me out.
    Thanks & Regards,
    Bittu..!

    Hi
    You can use frozen="true" at column level, but this will not disable reordering. This specifies whether the column is frozen. In the table, columns until the frozen column are locked with the header and not scrolled with the rest of the columns. The frozen attribute is honored only on the top level column, since it is not possible to freeze a child column by itself without its parent being frozen.
    See if this helps to your requirements.
    Reference: http://jdevadf.oracle.com/adf-richclient-demo/docs/tagdoc/af_column.html
    Nikolay

  • Column level access in Crystal Report Server

    Hi,
    I have three fields in my Crystal Report. The crystal report will be exported to PDF by my customised web application. The application has a built in user security and access control model. However if user 1 logs in he should see all the 3 columns (database fields) on the exported PDF. If user 2 logs in he should see only first 2 columns as he has access to only those. We would also be using Crystal Report Server.
    I know this could be done in Crystal Report itself but is there any way to leverage column level access (and also row level) functionality using Crystal Report Server. The Crystal Report reports off an ODBC Datasource.
    It would be great if any one could help me in this regard.
    Cheers.

    If you were running the same version designer and server, you could open your reports straight from the repository, and save them straight back. Then you wouldn't have multiple versions of RPTs flying about.
    I have just purchased a new licence for 2008 and an 2008 upgrade for a Xr2.
    I don't think I completely understand, but we do have Crystal Reports 2008 and Crystal Reports Server 2008 available for purchase.

  • Grand Total not displaying correctly on Column level security.

    Hi All,
    I have implemented the Column level security for three columns. But in dashboard report. The grand total is not displaying correctly. The grand total values are still displayed for the hidden columns.
    Is there any work around for this.
    The sample how my report looks like after column level security is.
    ColumnA     Metric1  Metric2  Metrics3 (to be hidden)
    A           100      200
    B           150      100
    GrandTotal  250      300      400 (this includes the value of A = 300, B = 100).
    Regards,
    Bhavik

    Any pointers please.

  • In SharePoint Calendar lists, fields [Start Time] and [End Time] do not exist at the Site Column level.

    I'm doing SP app development and have the following problem.
    I need to check Start time and End Time in SharePoint Calendar using CAML query and then add a new event to Calendar list using the Start time and End Time that user has entered in 2 datapickers
    in the form.
    function AddCalendarListItems() {
        // Read the date, hour and minute parts entered in the form
        var SD = document.getElementById("datepicker1").value;
        var SThh = document.getElementById("St1").value;
        var STmm = document.getElementById("St2").value;
        var ED = document.getElementById("datepicker2").value;
        var EThh = document.getElementById("Et1").value;
        var ETmm = document.getElementById("Et2").value;
        var T = document.getElementById("Title").value;
        var S1 = SThh;
        // Rebuild MM/DD/YYYY input as a YYYY-MM-DDThhmm:00Z string
        SD = SD.slice(6, 10) + "-" + SD.slice(0, 2) + "-" + SD.slice(3, 5) + "T" + SThh + STmm + ":00Z";
        ED = ED.slice(6, 10) + "-" + ED.slice(0, 2) + "-" + ED.slice(3, 5) + "T" + EThh + ETmm + ":00Z";
        //alert("SD= " + SD + " , ED= " + ED);
        var siteUrl = SiteCollurl + "/SharePointApp11";
        var clientContext = new SP.ClientContext(siteUrl);
        var oList = clientContext.get_web().get_lists().getByTitle('Calendar');
        var ListItemCInfo = new SP.ListItemCreationInformation();
        var newEvent = oList.addItem(ListItemCInfo);
        newEvent.set_item("Title", T);
        newEvent.set_item("EventDate", SD);
        newEvent.set_item("EndDate", ED);
        newEvent.update();
        clientContext.executeQueryAsync(Function.createDelegate(this, this.onQueryAddCalendarSucceeded2), Function.createDelegate(this, this.onQueryAddCalendarFailed2));
    }
    function onQueryAddCalendarSucceeded2(sender, args) {
        alert("Success");
    }
    function onQueryAddCalendarFailed2(sender, args) {
        alert('Add new item to the calendar failed. ' + args.get_message() + '\n' + args.get_stackTrace());
    }
    But I receive the following error:
    Add new item to the Calendar failed. Column 'Start time' does not exist. It may have been deleted by another user.
    I've checked and 'Start time' does exist. So it seems in SharePoint Calendar lists, field [Start Time] and [End Time]  exist but do not exist at the Site Column level.
    Please advise.

    Hi Khojasteh,
    Use “EventDate” for Start Time field, and “EndDate” for End Time field. They are the internal name of the two fields, you can check it in the column settings page url like “Field=EndDate”.
    If it isn’t the issue, please debug the code, in which line the error occurs.
    Thanks,
    Qiao
    Forum Support
    Qiao Wei
    TechNet Community Support

  • Rank on column-level Grand total column in pivot table  -  Need help

    Hi ,
    I have developed the report, which is having a pivot view. In pivot view i have a column level grand total. I need to apply the rank for the grand total column..
    will that be possible.. if possible let me know..
    Thanks
    Kishore

    MAYBE IT IS NOT POSSIBLE IN PIVOT VIEW, AS WE DON'T HAVE FORMULA EDIT OPTION FOR COLUMNS IN PIVOT VIEW.
    Thanks & Regards
    Rushi
