OLS and VPD sec_relevant_cols

Similar Messages

• OLS    AND    VPD Column Masking.

  I have gone over a couple of sources on OLS and VPD.
  BTW I am working with Oracle 11g R1.
  What I am trying to accomplish is cell level protection. Where cell is defined as the intersection between a row and a column.
  OLS will get me the proper row restrictions.
  VPD has the ability to do Column Masking.
  Has anyone mix the two to accomplish cell level protection?
  Basic examples would be GREATLY appreciated.

  Hi again. Thank you for your reply, but I wanted to achieve cell-level security as I'm trying to create conception of fine-grained processing data with different levels of confidentiality. Here is what I have:
  - I created 3 levels of confidentiality: J < P < T (Unclassified < Confidential < Secret)
  - I created a table and here is how it looks for different users:
  User with T-level authorization:
  !http://img709.imageshack.us/img709/1847/screentj.png!
  User with P-level authorization (can't see T-level data):
  !http://img704.imageshack.us/img704/4002/screenp.png!
  I did that by creating two policies on two columns with data:
  CREATE OR REPLACE FUNCTION f_data01 (schema in varchar2, tab in varchar2) -- or "CREATE OR REPLACE FUNCTION f_data02" for second column
    RETURN varchar2 AS
      predicate         varchar2(2000);        -- the VPD 'where' clause
      session_lab        varchar2(4000);        -- the current user's session label
      session_tag        number;            -- numerical expression of session label
      t_sa_user_name    varchar2(2000);        -- only users with Labels are examined, others don't get access.
  BEGIN
    session_lab := sa_session.label('cells');        -- the current user's session label for that policy
    session_tag := char_to_label('cells',session_lab);    -- numerical expression of session label
    predicate := 'dominates(' || session_tag || ',CDATA01)=1'; -- or "predicate := 'dominates(' || session_tag || ',CDATA02)=1';" for second column
    return predicate;
  END;I asked if it is possible to create one policy with variable instead of column name (ex. CDATA01) or if there is another way to get that effect.
  And is it good practice to put column with labels in one table with data?
  Thank you in advance.
  Edited by: arc.undcvr on 2010-01-23 22:50

• Portal 902 and VPD

  Hi,
  Portal 902 is supposed to be integrated with VPD. Is there any documentation on this integration? I have looked all over Technet and also the Portal online documentation, and cannot find anything, except for some stuff in Metalink on VPD in 309. Any clues anyone?
  Regards,
  Steve West

  The integration refers to the ability to DB users to Portal users. See the following note for implementation details for Portal and VPD. R2 should be no different.
  Note:177471.1

• Single Sign-On and VPDs

  Hi - we're trying to implement a VPD on our company database at the moment and were wondering if a single sign-on architecture on our middle tier could be successfully tied to a VPD on the database tier. We have a number of clients, both internal and external, who will be accessing the database via the web and we need to control who sees what. Could you advise on the feasibility of this approach? Thanks

  Hi Derick,
  I want to make our discussion into 2 parts
  1) Sign on
  2) Viewing data based on the Heirarchy
  1)Before discussing about the Sign on i want to know which connectivity you are using ? Live offcie or QaaWS.
  2) We can make the second point possible in two ways One is with providing restriction at universe level
  and the other one is through the use of flash variables.
  Using flash variables:
  The main idea of using flash variables is reading the User ID from BO authentication and based on that we fetch the Heirarchy level of that user. Then we use some excel logic to hide the data from Low level heirarchy(Here we use Dynamic Visibility for components).
  I hope this is what you ar looking for....
  If so i have more points to acheive such scenario.
  Please provide the your BO environment details, such that it will be easy to identify the better best wat to acheve it.
  Regards,
  AnjaniKumar C.A.

• Multimaster Replication and VPD in Oracle 10g R2

  Hello,
  I would like to know if MlitiMaster Replication supports the VPD(Virtual Private Database) Row level or column level access control? if so could some one point me to the right documentation? i searched Metalink and googled but unable to find any info regarding the support of VPD to replication.
  Thank you....

  Justin,
  we have streams and replication in our environment. our databases on window 2003 server and oracle 10gR2. my question is we are planning to implement the VPD on few tables which are already in replication group. We use 'REPADMIN' for replication. will it propagate the data for VPD columns that are in replication environment? how will this impact performance wise? I am trying to find also some Pros and Cons too.
  Thank you.

• SSO - Discoverer and VPD

  Hi,
  I have row-level-security implemented in the database and the policy applied to few tables in a schema. When I query this table logging into the db using Toad/sqlplus as different users I see the security policy applied and the right rows of data returned. This is good...
  However, from discoverer... here's what we have. We have SSO enabled for discoverer. Created a public connection for user with "exempt policy". In other words the user doesn't have the policy applied and hence gets all the rows from the tables above said tables. The workbook is shared with users who should see different data. I have used CLIENT_IDENTIFIER and have a database logon trigger set to the client_id. For some reason only from discoverer I get a policy predicate user when logging in as the same user that's fine from toad/sqlplus. I have registered functions in the EUL. However, should I have eul_trigger$post_login in discoverer or the database trigger should do?
  We are expecting this:
  A workbook created with a public connection user (with exempot policy) shares with regular users. The regular users see what they need to see based on vpd policy. Also we want to implement the dashboard for these workbooks and we have SSO on portal as well.
  I am not sure what am missing... If someone can help me with this, that's highly appreciated.
  Thanks in advance,
  -Esther

  Hi Rod,
  Firstly, I am not sure why you have exempt policy for your public connection user.
  You can create a policy that uses the CLIENT_IDENTIFIER when the Discoverer user connects with the public user and uses the database user when a connection is made by other users.
  Got rid of the exempt policy after your message... "policy that uses the CLIENT_IDENTIFIER when the Discoverer user connects with the public user ".. Would be great if you can pl elaborate on this point. Policy function that I have is pasted to the bottom of this message... I have a feeling this is what am missing... your help is highly appreciated!Alternatively, you could use a database trigger on your public connection user (or an eul_trigger$post_login) to check the CLIENT_IDENTIFIER and set a context to define the row-level-security to be implemented. Then you can use this context in your workbook conditions.
  For now I'd prefer to take the policy route and not the trigger. If it works with policy that'd be great.Thanks a lot for your help!
  -Esther
  Policy code:
  CREATE OR REPLACE PACKAGE BODY tgt_grp_role AS
  FUNCTION get_tgt_grp_role (
  p_schema IN VARCHAR2
  ,p_table IN VARCHAR2 )
  RETURN VARCHAR2 AS
  l_retstr VARCHAR2 ( 2000 );
  l_user VARCHAR2 ( 120 );
  BEGIN
  /*If the user logged in is KPI or DISCOEUL_TRANSACTIONAL or DISCOEUL_HYBRID (i.e.EUL Owners)
            or public connection user, give access to all the KPI groups and all data. */
  IF p_schema = USER
  OR USER IN
  ( 'DISCOEUL_TRANSACTIONAL'
  ,'DISCOEUL_HYBRID'
  ,'KPI_DASHBOARD_USER' ) THEN
  l_retstr := NULL;
  ELSE
  /* For any other KPI user pick up all the target groups the user belongs to
  and return the string to the policy function i.e.GET_TGT_GRP_ROLE */
  l_user :=
  SYS_CONTEXT ( 'userenv', 'client_identifier' );
  FOR group_rec IN ( SELECT target_group_role
  FROM d_kpi_users
  WHERE nt_user_id = l_user) LOOP
  l_retstr :=
  l_retstr || ',''' || group_rec.target_group_role || '''';
  END LOOP;
  l_retstr := LTRIM ( l_retstr, ',' );
  l_retstr :=
  'TARGET_GROUP_ROLE IN (' || l_retstr || ')';
  END IF;
  RETURN l_retstr;
  EXCEPTION
  WHEN OTHERS THEN
  RETURN '1=0';
  END;
  END;

• JHS and VPD

  I'm using ADF 11.1.1.6 and JHeadstart 11.1.1.4. An application, being upgraded to ADF and JHS, uses a virtual private database to restrict rows to logged in users based on their organisation.
  I found a fairly old article on the JHeadstart blog, [Row Level Security using VPD and ADF |https://blogs.oracle.com/jheadstart/entry/row_level_security_using_vpd_a] , and was wondering if this is still considered a valid approach or whether there is now, in 11g, a more declarative way. If the latter, can someone direct me to some relevant documentation?
  Thanks,
  David.

  This falls in the 20% category where you need to code something. Usually, this is just done in the AM base class so you don't need to worry about individual AMs.
  I'm using this approach for a current project.
  Happy coding!
  BradW

• Oracle 11.2 and VPD

  Dear all
  i have database on oracle 10.2 some table contain VPD ,
  i move this schema to oracle 11.2
  and define all context and polices , but when i run select agents these table i have this error ora-3113 and ora-3114
  why this happen? any explained for this issue
  Edited by: Hshihadah on Jan 27, 2011 1:08 AM

  $ oerr ora 3113
  03113, 00000, "end-of-file on communication channel"
  // *Cause: The connection between Client and Server process was broken.
  // *Action: There was a communication error that requires further investigation.
  //          First, check for network problems and review the SQL*Net setup.
  //          Also, look in the alert.log file for any errors. Finally, test to
  //          see whether the server process is dead and whether a trace file
  //          was generated at failure time.
  $This is possibly an Oracle bug. You need to investigate database instance alert log and possible trace files.

• Peoplesoft Enterprise with OLS or VPD/FGAC/RLS

  I know that the EBusiness Suite 11i and 12i have been certified (with Patches) for VPD.
  I can't find information on Certification / Patches / Implementation of Peoplesoft Enterprise (particularly say Peoplesoft Financials Modules) with Oracle Label Security or with VPD/FGAC/RLS.
  Is there such information on metalink3 ? Has anyone implemented/enhanced Peoplesoft in this manner ?

  Well, generally the level security is application embedded and configured, very rarely database level implemented (because mainly only one database user is used). The report should be run through the application query which comes with row level security.
  But it is supported, even Database Vault.
  Nicolas.

• Workspace Login and VPD

  I have an application that implements VPD using a database package and the policies use application logins. If I login to the workspace (as ADMIN) and use the SQL browser, then I fire the policy with the username ADMIN which is not an application user and the SQL fails
  Is there any way to use the SQL workshop and pass a username through to the VPD?

  Can you explain this in a little more detail? You can base your VPD Policy upon the user that is executing the SQL like the sample below...
  Here is a sample I have tested... Not sure if this is what your looking for..
  create or replace function
  vpd_user
  -- Function must have the following parameters
  (schema in varchar2, tab in varchar2)
  -- Function will return a string that is used as a WHERE clause
  return varchar2
  as
  v_user varchar2(100);
  out_string varchar2(4000) default null;
  begin
  -- get session user
  v_user := UPPER(nvl(v('APP_USER'),USER));
  -- create where clause when user is authorized to see parts of the table
  if (v_user = 'SOME_USER') then
  out_string := out_string || 'the where criteria you want to append to a user's query...';
  end if;
  return out_string;
  end;

• AQ and VPD support

  Hi All,
  I am trying to make AQ working with VPD (Virtual Private Database).
  What I've done is the following.
  1. Enqueue some items in the queue with correlation=1
  2. Create a VPD rule 'CORRID = 1' against the underlying queue table
  3. Try to select against underlying queue table - everything is ok (only items with corrid = 1 are shown) (same for the aq$ view)
  4. Dequeue item from a queue - all items are dequeued (no matter if corrid is 1 or other).
  5. Everything works if deque option correlation = 1, but the ordering is "random"
  My queue is ordered by Priority and Enqueue Time.
  I want to make AQ working with VPD and benefit still on current message ordering.
  Any ideas are very welcome!
  Thanks

  I will move this to other forum category that is more popular.

• JPA (Eclispelink/toplink) and VPD

  I have so far stumbled only on this link for implementing VPD in JPA :http://wiki.eclipse.org/EclipseLink/Examples/JPA/Auditing
  Is there any other link which explains how to achieve row level security(VPD) using JPA?

  user8093550 wrote:
  We are injecting this(EM) into our session bean, so, i guess we are not essentially using EntityManagerFactory - how can we achieve this without an EMF? Is it possible?
  If you are using JPA 2.0 you can inject the EM and set the properties using em.setProperty.
  If you are using EE5 you'd need to use EclipseLink specific APIs ((org.eclipse.persistence.internal.jpa.EntityManagerImpl)em.getDelegate()).setProperties( ....You'll need to test this out though because you may need to call em.clear to force a new EntityManager to be created if your setProperties was executed when the EM had already been created.
  Also, how does this work, i mean, if i set VPD once during user login, and then does the entitymanager keep this sanctity all throughout the user's session?Since the settings are tied to an EntityManager I would think that they are applied for all operations through an EntityManager.
  Be sure to read this carefully before you start though: http://wiki.eclipse.org/Introduction_to_EclipseLink_Sessions_%28ELUG%29#Isolated_Client_Sessions_and_Oracle_Virtual_Private_Database_.28VPD.29

• Forms 9i and VPD

  Hi :)
  I'm loocking for method how to catch in form policy (VPD) which restrict update or delete on current record.
  When I'm performing update/dlete form don't see that policy and normally proceeds update/delete and commit -but after requery there is no change in data (good- policy works) but form don't tells to user "You can't do this".
  Please help me resolve this problem -thanks very much.
  Artur

  Artur,
  the problem you describe is one we discussed more often recently.
  The situation is that something not in control by Forms performs changes to the actual transaction state (VPD). In fact the policy works, which means that everything is fine as far as the business goes.
  Seeing it from the Forms runtime angle: Forms does send its cached records that are marked as dirty to the database for commit. The database doesn't report any errors because there are none and thus Forms puts out a message with the number of records passed as successfully submitted.
  To change the message behavior yourself, you will have to raise a PLSQL Exception when Forms commits the data and the policy preventing it.
  This then should bubble up to Forms where it is intercepted for proper alerting (haven't tried, but this sounds plausible).
  I'll point one of the developers to this question in case I overlooked something.
  Frank

• ApplicationModule - connection and VPD

  My company is looking at changing our Web development over to JDeveloper creating BC4J Struts based applications. I'm using JDeveloper to write a few small apps to see how the development process will go. I have a question on the ApplicationModule connection and using our current VPD:
  We connect to the database with a user unique to each Web application. We then pass in a username that is retrieved from the HTTP header and set the context with that using our custom VPD. The username passed in is not a database user - the username is looked up in a table to verify the user type and the appropriate restrictions are set in the VPD. My question is how do I pass this username from the header to the ApplicationModule to set the context upon connection? Please help! Thanks

  I have searched the forum but without sucess.
  look my code
  import javax.sql.*;
  import java.sql.*;
  public class Test{
       public static void main (String args[]){
            try{
                 Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
            catch (Exception e){
                 System.out.print(e.toString());
  }I dont know what to do now.
  Do i need to install any drivers?
  doesnt Jsdk have drivers to acess a paradox table?

• Toplink and VPD

  Hi,
  In a three-tier architecture, has anyone successfully implemented VPD in combination with Toplink and a ConnectionPool?
  When all my web-users are connecting to the database with the same (connection pool) credentials, how, when and where do I tell my database who is really logged in (web-user) and thus how to set the specific VPD for that web-user?
  Thanks. I already read another post on this forum mentioning that VPD support would be included in an upcoming release of TopLink.
  Re: toplink and Oracle VPD
  I also heard of a patch to download. Can anyone verify this?

  Just to add an extra question: Is it true that when one is using chained Toplink actions in a request-response cycle that each action will fetch its own connection from the pool and thus for each time a connection is fetched the VPD needs to be set again?
  This in contrast with BC4J, where all actions in a request-response cycle will share the same application module and thus the same connection.
  Bottom line: how to configure Toplink so that for each fetched connection it tells the database: "Hey, its me again, please set the application context (VPD) to my own personal values, so I will only see my own records"?
  . And to clean it up nicely: just before the connection is released to the pool: "Ok, I'm done, please reset the application context, so other users will not be bothered by my context".
  Hard to believe nobody has tried this before.