How to apply row level security against the database administrator

I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
Is there additional ways to achieve the aim?

Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
This includes DBAs.
The simple fact of being DBA doesn't guarantee the exemption.
Everything goes to depend of the VPD config.

Similar Messages

  • Row-level security at the Database level

    We need Row-level security at the Database level, where the user who logs in to Crystal reports, should be able to fetch only those rows from the database that he is entitled to see. For this, the login name of the user is passed to a stored procedure which sets the context of the DB session and restricts the data retrieved.
    We are not looking for row-level security where the data is first retrieved and then filtered based on the user login name. However, we are definitely looking for a way to set a context for a database session based on the user login name, even before we start fetching data. So effectively, the user who logs in will fetch only those rows which he is supposed to see.
    Issue:
    We face a problem of not being able to pass a variable (something like 'BOUSER' for BO which works, whereas, 'CurrentCEUserName' for Crystal Reports, which doesn't work), to the database stored procedure to set the context.
    Please let us know if we can use 'CurrentCEUserName' variable in Crystal in the same way as 'BOUSER' is used in ConnectInit for BO? We would like to know how we could pass any variable in Crystal Reports which holds the user login information to a stored procedure.
    Also, please suggest alternate ways to achieve this security restriction, if any.

    Hi
    A previous database had a personnel table with their station name, district and region, with a field holding their logon name.  We also had an activity table with the fields referring to the activity, and a field of Station, district and region it occured in.
    By linking the individual rows in an activity table to the personnel table on the station name field, we then used the CurrentCEUserName to filter on the personnel.  This returned only the records in the activity table where the station the activity took place at was the same as the station associated with the selected personnel who has logged on.
    The additional bonus was if we linked it on District or region we had the same result but at a greater level. ie all activity in the logged on personell's District or if linked on region, then their region.
    The personnel table was maintained by the system administrators, so maintenance was low.
    I hope this helps.
    Kevin

  • How To Apply Row level security ??

    Hi all,
    I want to apply row level security on one of my custom objects created in PO schema in R12. How to do that??
    Thanks and Regards
    Raj

    Thank You Gaurav
    --Raj                                                                                                                                                                                                                                       

  • How to implement row level security?

    Hi all,
    There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
    Many Thanks
    Amy

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • How to Migrate Row Level Security Configuration

    Hi Guys,
    Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
    Thank you in advance,
    Bob

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • How to implement row level security using external tables

    Hi All Gurus/ Masters,
    I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
    I can use a filter condition in my user level so that he can access his data only.
    But when i have 4 tables in external tables
    users
    groups
    usergroups
    webgrups
    Then in which table I need to give the filter conditions..
    Pl let me know this ...

    You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
    Hope this helps

  • How to Apply Row level restrictions On objects

    Hi All,
    I am working on universe designer(BO 3.1) .....
    I would like to apply row level restrictions on a cloumn of table based on the user who is running the report .
    can any one please help me on this..
    Thanks in Advance.............

    Hi
    Universe access and row-level security can also be managed at the group or individual user level from within the design environment.
    Find the below video row level restrictions
    http://www.youtube.com/watch?v=6yM0OLK6QlI
    Create a data security profile that restricts access to specific rows: Information design tool 4.x - YouTube
    Implementing row level security in IDT using Data Security Profile
    And You cannot set row-level security authorizations in an OLAP universe.
    User security can be defined at the most granular level for the following content objects.
    Folders and sub-folders
    Reports
    Categories
    Events
    Program Files
    Publications

  • How to enforce row level security on MSAS Cube

    We have to enforce row level security on MSAS Cube based on BOUSER.
    We are using a security table which contains BOUSER ID and Location ID
    We need help in joining the security table with MSAS Cube.
    Thanks

    HI,
    I haven't worked with cubes. But the will the knowledge I have in Universe, could probably help you.
    As you already have a table which maintains BOUSERID and location id, you could probably join location id with MSAS cube id.
    If you don't want to use this userdefined security table, you can use the inbuilt Row level security option.
    Go to Tools -> Manage access REstrcitions --> Create a new restriction --> Rows tabe ---> give a expression with BOUSER
    Hope this helps.

  • Applying row-level security to crystal report instance

    Hi
    we have created crystal reports based on sap r/3 data using open sql driver and imposed row level security and published to BOE.The user when opens report with view on demand can see the data which he is supposed to see.
    Is it possible to schedule a single instance of the crystal report and then all the users access the instance and see the data that they are supposed to see.If not what is the other way out.
    Thanks in advance.
    Kamal

    Hi,
    I didn't try it so far
    but I found this Link:
    http://neverknewthat.wordpress.com/2007/11/06/row-level-security-trick-with-crystal-reports/
    -> create Instance with full authorization
    -> Join CR-Result with Customer-Table: User Authorization
    Max

  • Column masking row level security in Peoplesoft Databases

    Hi
    How about the credibility of using VPD( for column masking,row level security) in People soft Databases?where the sensitive data is redundant across 100's of tables.
    My intention is to use the VPD across all the tables that contain the sensitive data ( ssn,bank accno, etc)
    Appreciate your help.
    Chelli

    Hi.
    I also have a trouble like yours,but mine is more simple.
    I'd tried to solve,and find that it's really hard and must lost a lot of time to solve,because some table have 2,3 or more derive information that to use VPD is not easy.
    Can i ask for any aspect to solve problem like this.
    Thanks for any answer and support.
    Thinhbk.

  • How  to  know  ddl  operations  done  against the  database

    hi,
    we are using oracle 10g.
    i am new to oracle dba how i know what are the DDL operations done against the database in oracle , i can i track that one and is there any view to store that informations

    Hello,
    I would recommend you to read Oracle documentation for using auditing DDL statements and more
    http://download.oracle.com/docs/cd/B19306_01/server.102/b14220/security.htm#sthref2913
    http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_4007.htm#SQLRF01107
    Regards
    OrionNet

  • How to apply Table level Break in the WEBi Report

    Hi,
    How we can apply the table level break in the WebI Report.
    I know a bit bt i dont know its right or wrong.. Initally we normally create a table(with the values(which has 2rows(1: for naming  and 2: for associating the object with it at down of it  ie., one above and one below)) and at the top of that present table we will insert a "ROW ABOVE" to the naming row and then we insert a "Row below" to the object values  and drag the first coloumn of the first row almost invisible(naming row) and then the same in next row(objects associating values for naming)... is this ryt.. if NO  thn let meknow the various ways to do it..
    Thank you in Advance....

    Hi,
    what is your requirement. if to show subtotal then create one table and select one column and apply break.
    Thanks,
    Amit

  • How to implement row-level security in Discoverer?

    Dear all,
    I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
    The 2 folders are constructed by 2 SQL statements.
    There exists a set of tables controlling which product line's sales and inventory data a person can read.
    A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
    So, can you suggest how to integrate the 2 components in Discoverer?
    thanks
    George
    My blog: http://hktour.blogspot.com

    hi Rod,
    Thanks for your suggestions.
    I took your 1st option, ie.
    "You can use VPD at the database level to secure the tables."
    I have a view BUDGET_V with the following columns:
    PERIOD_YEAR
    PERIOD_MONTH
    PRODUCT_LINE
    BUDGET_AMOUNT
    Every salesman can only read the budget amount of certain product lines.
    I built the security function which will be binded to the view BUDGET_V (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which take the user id and employee id of the apps user and returns the predicate.
    Then, I bind the security function security_policy_function() to the view BUDGET_V with
    begin
    dbms_rls.add_policy
    object_schema => 'APPS',
    object_name => 'BUDGET_V',
    policy_name => 'MY_POLICY',
    function_schema => 'APPS',
    policy_function => 'security_policy_function',
    statement_types => 'select',
    update_check => FALSE,
    enable => TRUE
    end;
    The problem now is that if I query the view in Discoverer as a Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed be able to read certain product lines).
    I try to verify whether the security function work or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
    FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
    return varchar2
    as
    begin
    if (user = p_schema) then
    return '';
    else
    return viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
    end if;
    end;
    This time, Discoverer returns only the records with product lines visible to user "A".
    So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
    Can you give me some light on this issue?
    thanks
    George (HK)
    My blog at http://hktour.blogspot.com

  • How to check the row level security in TOAD for oracle

    Hi ,
    for ex, i have 2 types of users
    normal user and super user
    super user can see the group set (some column name) created by normal user
    but normal user can not see the set created by super user
    this set crestion aslso has 3 types "U','P',S'
    P & S can be viewed by even normal user
    but U should not
    so here we are having some row level security for the normal user .....
    So, in TOAD for oracle how to check that......
    Let me know if i'm not clear

    Like
    I'm the super user....
    And some records are inserted to a table by different users ('a' , 'b', etc....)
    So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
    how to see in TOAD where such type of scripts (filter conditions) are written.....

  • Row level security not working if I hit the aggregate

    I have applied row level security on presentation layer , however it does not work if the report hit the aggregate any idea on this...

    Hi Ingo,
    Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
    This custom auth object is maintained for the PA0001 table.
    This object is added at the role level with the restricted access to the Company Code..

Maybe you are looking for

  • Unable to send or receive emails on my blackberry curve 9320

    Hi, for the last 2 days i have unable to send or receive emails on my phone, i have contacted vodafone and they have not been able to help. I would also like to add that when i click on OPTIONS  - SECURITY - SECURITY STATUS INFORMATION my 4 email acc

  • Transfering slide shows on to cd

    Hi everyone, This is my first time on the board. I hope someone out there can help me. I just learned how to put music to my slide shows that I've created on iphoto. Now I would like to transfer them on to dvd so that I can share them with friends. I

  • Passwords with an asterisk (*) aren't recognized?

    I use "strong" web passwords with weird characters, and am finding that any password that uses an asterisk is rejected by the website when I type it into the iPhone. I wonder whether the same would happen with other shift-number characters. If I chan

  • Nikon 1 Raw(Nef) - Aperture

    Hello, after importing Black/White Photos into Aperture, the Photos are converted in color. Why?

  • Display pattern not working - add $ for a numeric/decimal field

    I've designed a form which has fields where I need to display currency(US) values. I've made the fields as numeric type. I've added the display pattern as num.currency{} and also tried with num{($z,zzz,zzz9.99)}. But nothing seems to be working. The