Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

Similar Messages

• How to implement row level security using external tables

  Hi All Gurus/ Masters,
  I want to implement row level security using external tables, as I'm not sure how to implement that. and I'm aware of using it by RPD level authentication.
  I can use a filter condition in my user level so that he can access his data only.
  But when i have 4 tables in external tables
  users
  groups
  usergroups
  webgrups
  Then in which table I need to give the filter conditions..
  Pl let me know this ...

  You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
  Hope this helps

• How to use Oracle Virtual Private Database (VPD) with EclipseLink JPA

  My project required to use VPD in database to isolate data access based on different user type. How can I use EclipseLink JPA with VPD? For instance, how I could set up server context in database for each database session? Thanks for any help.

  There is some information on Oracle proxy authentication here,
  http://wiki.eclipse.org/EclipseLink/Examples/JPA/Oracle/Proxy
  VPD usage would be very similar.
  James : http://www.eclipselink.org : http://en.wikibooks.org/wiki/Java_Persistence

• Oracle Virtual Private Database (VPD), Column Level Security

  Hello,
  About Oracle Virtual Private Database (VPD), is it possible to set a Column Level Security without setting a Row Level Security (without using any predicate)?
  Thanks,
  Herve.

  Thanks, Zoran.
  A colleague shared with me a link containing a function without returning a predicate (in using SYS_CONTEXT function to skip row restriction).
  Herve.
  Link

• Tips on Implementing Row Level Security

  Dear All,I am currently trying to implement row level security in Hyperion Intelligent version 8.2. The user guide is straight forward on explaining the steps. However, when I tried it, the row level security does not filter the information at all eventhough I have set the row level security setting in System Administration. Is there Anyone who can share their problems and experience when implementing row level security in Hyperion Intelligent version 8?Regards,Ricky

  I don't believe you need the bqy file anymore, as you set up the ODBC to connect to the database of the EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR).
  (I don't have an EPM instance with IR installed to check currently).
  Note: from the docs quoted earlier:
  If you want to implement row-level security in Reporting and Analysis, keep these points in mind:
  At least one Hyperion Interactive Reporting Data Access Service instance must be configured to access the data source storing your row-level security information.
  The database client library should be installed on the computer where the Hyperion Interactive Reporting Data Access Service is running.
  The data source for the Reporting and Analysis repository that has the row-level security table information should be configured.
  For security reasons, the user name and password to access the data source should differ from that used for the Reporting and Analysis user account.
  Regards, Iain

• SAP Lumira - Implementing row level security

  Hi All,
  I aware that SAP Lumira 1.17 onward allows to share the datasets, stories to SAP Lumira Server as well as SAP BI Platform (4.1 SP3 onward).
  But I would like to know if there is any way of implementing Row level security for this published contents i.e. datasets or stories. e.g. If user A (may be an administrator with access to all the regions) creates dataset and story and shares it with other users over SAP Lumira Server or SAP BI Platform. But when user B accesses these contents on any platform, SAP Lumira server or SAP BI Platform, he should be able to see data only as per his access (his own region). Can something of this sort be implemented?
  Thanks,
  Abhijit

  Hi,
  Sorry for the delay in getting back to you.
  As per my understanding - as of today, we respect Row-level security when acquiring (fetching) the data from universe into Lumira desktop (also, contexts and business-security profiles i.e. columns)
  now, when that desktop user has 'designed' the Lumira document, all of the above: row-level, contexts and security profiles  are 'locked-down' into that artefact when shared onwards. (i.e. to Lum Server and hence, BI Platform)
  once this content is being access from the BI Launchpad, refresh-on-demand is possible from the story, as well as scheduling of dataset on which it is based.
  According this blog by Greg Wcislo (the product owner for the Add-on)  Lumira integration for BI4 functionality detailed. note that features such as 'refresh on open' and 'changing design-time parameters' (i.e. prompts) are not yet supported,  but very much in future scope / plans.
  I believe that one of the other mid-term goals is to architect a 'Lumira server-side universe refresh' (i.e. so that the processing is handled 100% by Lumira server) rather than querying across BIPlatform services then replicating a dataset to HANA (which is currently the process flow)
  I hope this helps.
  Regards,
  H

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)

  To the Universe Gurus out there:
  I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
  Background:
  We have 11 tables that are to be restricted.
  Each table is accessible to potentially 1..* group of users only.
  For eg SALES is accessible to ALL_SALES members only.
  Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
  For eg
  1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
  2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
  3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
  This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
  Results:
  1) With the way I laid out the business rules above, I am ending up with 528 groups.
  2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
  Problems/Questions:
  How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
  AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
  Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
  Am I even thinking of this the right way or is there a more noble way to do this?
  Regards

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• Help with implementing Row Level Security in Interactive Reporting

  We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
  The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
  I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

  The 3 tables used with the RLS are stored in the same schema as your repository by default.
  The RLS store all the Rules for any database that you are using.
  You define the rules based on the tablename (owner.tablename) and the column name.

• What if I implement data level security using Selection formula?

  Hi All,
  I have a requirement to implement data level security for all the reports, the thing is, we donot have a front end application developed in java/.net or any other language, so we have only two options (as per me, if you think there are other alternatives then please share).
  1) Implement security at the database level (that is use user roles in where clause which will make the where clause really complicated and hence the performance of the query will eventually decrease).
  2) Retrieve the data with the flags of user role/permission on data. Use these flags in selection formula to select the needed records as per the user login.
  I have already in middle of implementing the second method, thought to take suggestion from you guys, I appreciate if you could tell me the drawbacks of the method I am using, and if there is an alternative method you could think of.
  Thanks,
  -Azhar

  Standaone Crystal Reports does not have any security option except to use Trusted Authentication when connecting to the DB. We use Microsofts NT or MS SQL Server Authentication only.
  Doing this in CR Designer using flags and formula will never be secure, the user could simply change the formula etc...
  Check with your DBA on how to configure AD authentication and then enable or add each user to SQL server. You may need to configure and mantain this manually depending on how you ahve your network configured.
  Thank you
  Don

• Use of Virtual Private Database

  Hello
  our company is in e-business and wants to expore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
  i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
  any white paper or document is welcome.
  thanks
  Vijay

  Hello,
  I am also looking for the same information. Though there is lot of info on setting up VPD for Oracle users, there is no material/document which describes how VPD can be implemented for 3-Tier application. I use an Application server to connect to Oracle 9i.
  Did you get any leads?
  Thanks,
  Srinivasan
  Hello
  our company is in e-business and wants to expore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
  i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
  any white paper or document is welcome.
  thanks
  Vijay

• Row-Level Security announced for Azure SQL Database

  The announcement:
  Next generation of Azure SQL Database service in staged general availability; Row-Level Security in public preview
  We’ve announced the general availability of the latest update to Azure SQL Database (V12). This service update is now generally available in the North Europe and West Europe datacenters, will be generally available across regions in the United States on February
  9, 2015, and will be rolled out worldwide by March 1, 2015. General availability pricing will take effect for servers on V12 worldwide on April 1, 2015. This service update introduces near-complete SQL Server engine compatibility, greater support for larger
  databases, and expanded Premium performance.
  The description topic is at
  http://msdn.microsoft.com/library/dn765131 Row-level filtering of data selected from a table is enacted through a security predicate filter defined as an inline table valued function. The function is then invoked and enforced by a security policy. Also
  see the Transact-SQL topic CREATE SECURITY POLICY at
  http://msdn.microsoft.com/library/dn765135
  Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty

  Hi Rick,
  Thanks for your information.
  Thanks,
  Lydia Zhang
  Lydia Zhang
  TechNet Community Support

• Less expensive options to Virtual Private Database (VPD)

  Are there any options that can achieve the same result (i.e., row-level security)?
  VPD apparently requires the Enterprise Edition of the database. $40,000 is difficult for a small business.
  I've been heading down the path of Standard One Edition, and planned on significant use of VPD. However; I recently found out the above news and am a little bit stuck as I have already developed much of the application in APEX.
  I'm looking for solutions that wouldn't require major rework in my APEX application, if there are any.

  VPD basically rewrites the SQL to add in extra filter predicates based on your criteria. So SELECT * FROM fred.table_name gets rewritten to something like
  SELECT * FROM fred.table_name WHERE client = SYS_CONTEXT('...','...');
  Simple VPD can be replicated with views. You would rename table_name to table_name_data, and create a view table_name as select * from table_name_data WHERE client = SYS_CONTEXT('...','...');
  Complex VPD (applying multiple predicates depending on different criteria) can follow the same theory but increases the view complexity a lot.
  I'd add that either mechanism adds a layer of complexity into query optimization and therefore into the testing process.

• How to implement row-level security in Discoverer?

  Dear all,
  I have a scenario that I have 2 folders containing sales and inventory data stored by product lines.
  The 2 folders are constructed by 2 SQL statements.
  There exists a set of tables controlling which product line's sales and inventory data a person can read.
  A function is written previously that returns the WHERE clause based on user_id, employee_id and the other parameter.
  So, can you suggest how to integrate the 2 components in Discoverer?
  thanks
  George
  My blog: http://hktour.blogspot.com

  hi Rod,
  Thanks for your suggestions.
  I took your 1st option, ie.
  "You can use VPD at the database level to secure the tables."
  I have a view BUDGET_V with the following columns:
  PERIOD_YEAR
  PERIOD_MONTH
  PRODUCT_LINE
  BUDGET_AMOUNT
  Every salesman can only read the budget amount of certain product lines.
  I built the security function which will be binded to the view BUDGET_V (see below)
  FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
  return varchar2
  as
  begin
  if (user = p_schema) then
  return '';
  else
  return viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
  end if;
  end;
  The security function actually calls my own security function viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE') which take the user id and employee id of the apps user and returns the predicate.
  Then, I bind the security function security_policy_function() to the view BUDGET_V with
  begin
  dbms_rls.add_policy
  object_schema => 'APPS',
  object_name => 'BUDGET_V',
  policy_name => 'MY_POLICY',
  function_schema => 'APPS',
  policy_function => 'security_policy_function',
  statement_types => 'select',
  update_check => FALSE,
  enable => TRUE
  end;
  The problem now is that if I query the view in Discoverer as a Apps user (say "A"), it returns all the records in the view without any filtering (user "A" is supposed be able to read certain product lines).
  I try to verify whether the security function work or not. So, I hardcoded FND_GLOBAL.USER_ID and FND_GLOBAL.EMPLOYEE_ID as 1234 and 6789 which are the user_id and employee_id of user "A". (see below)
  FUNCTION security_policy_function( p_schema in varchar2, p_object in varchar2)
  return varchar2
  as
  begin
  if (user = p_schema) then
  return '';
  else
  return viewProductLine(1234, 6789, 'BUDGET_V.PRODUCT_LINE');
  end if;
  end;
  This time, Discoverer returns only the records with product lines visible to user "A".
  So, I guess there is problem in the function call in viewProductLine(FND_GLOBAL.USER_ID, FND_GLOBAL.EMPLOYEE_ID, 'BUDGET_V.PRODUCT_LINE');
  Can you give me some light on this issue?
  thanks
  George (HK)
  My blog at http://hktour.blogspot.com

• Row Level Security - using a policy function.

  Hi,
  I am trying to implement RLS within our database and am getting the following error message:
  ORA-28112: failed to execute policy function
  Looking around the web, these seems to point to un-handled exception in my function, but I cannot seem to find anything untoward.
  I have tested the function and can confrim that it is returning the desired predicate where appropriate..
  Here is the function..
    FUNCTION Fnc_Rls_Control(Pin_Schema IN VARCHAR2) RETURN VARCHAR2 IS
      -- Author:  MLLOYD
      -- Purpose: Policy function that supplies a predicate to limit access to tables based
      --          on the site code
      -- Created: 30/12/2010
      -- Revision History
      -- Date            Version        Comments
      -- 30/12/2010         1           Created
      CURSOR Cur_Rls_Site IS
        SELECT s.Site_Code
        FROM   All_Users u
        INNER  JOIN Rls_Discoverer_User_Role Ur
        ON     Ur.User_Id = u.User_Id
        INNER  JOIN Rls_Discoverer_Roles r
        ON     r.Role_Id = Ur.Role_Id
        INNER  JOIN Rls_Discoverer_Role_Sites Rs
        ON     Rs.Role_Id = r.Role_Id
        INNER  JOIN Commons.t_Site_Codes s
        ON     s.Siteid = Rs.Site_Id
        WHERE  u.Username = USER;
      Rec_Rls_Site Cur_Rls_Site%ROWTYPE;
      Lcl_Predicate    VARCHAR2(2000);
      Lcl_Return_Value VARCHAR2(2000);
    BEGIN
      Lcl_Predicate    := NULL;
      Lcl_Return_Value := NULL;
      -- CHECK IF USER IS OWNER OF SCHEMA, IF SO, NO PREDICATE 
      IF Pin_Schema = USER THEN
        Lcl_Return_Value := NULL;
      ELSE
        -- OBTAIN SITE CODES AVAILABLE TO USER
        OPEN Cur_Rls_Site;
        LOOP
          FETCH Cur_Rls_Site
            INTO Rec_Rls_Site;
          EXIT WHEN Cur_Rls_Site%NOTFOUND;
          Lcl_Predicate := Lcl_Predicate || q'(')' || Rec_Rls_Site.Site_Code ||
  q'(')' || ',';
        END LOOP;
        IF Lcl_Predicate IS NULL THEN
          Lcl_Return_Value := NULL;
        ELSE
          -- REMOVE TRAILING COMMA
          Lcl_Predicate := Rtrim(Lcl_Predicate,
          -- BUILD FINAL PREDICATE
          Lcl_Return_Value := 'SITE_CODE IN (' || Lcl_Predicate || ')';
        END IF;
        CLOSE Cur_Rls_Site;
      END IF;
      RETURN Lcl_Return_Value;
    EXCEPTION
      WHEN OTHERS THEN
        IF Cur_Rls_Site%ISOPEN THEN
          CLOSE Cur_Rls_Site;
          RETURN Lcl_Return_Value;
        END IF;
    END Fnc_Rls_Control;
    -- ************************************************************************************I have applied this to a specifc table using the following:
  -- ADD POLICY
  BEGIN
    DBMS_RLS.ADD_POLICY (
      object_schema    => 'REPORTING',
      object_name      => 'URS_OP_VISIT_STATISTICS',
      policy_name      => 'ACCESS_POLICY',
      function_schema  => 'REPORTING',
      policy_function  => 'PKG_REPORTING.FNC_RLS_CONTROL',
      statement_types  => 'SELECT'
  END;Have I missed anything obvious?
  Regards
  Mark

  Policy function must have two IN paranters on varchar2 type and return varchar2 .
  So add second parametr to you function.
  Simple example
  CREATE OR REPLACE FUNCTION auth_orders(
  schema_var IN VARCHAR2,
  table_var  IN VARCHAR2
  RETURN VARCHAR2
  IS 
  return_val VARCHAR2 (400);
  BEGIN
  return_val := 'SALES_REP_ID = 159';
  RETURN return_val;
  END auth_orders;
  /First parametr is schema_name second parametr is object name. So you can have one universal function that on IN parameters return appropriate where condition.