Oracle Virtual Private Database (VPD), Column Level Security

Hello,
About Oracle Virtual Private Database (VPD), is it possible to set a Column Level Security without setting a Row Level Security (without using any predicate)?
Thanks,
Herve.

Thanks, Zoran.
A colleague shared with me a link to a function that does not return a predicate (using the SYS_CONTEXT function to skip the row restriction).
Herve.
Link

Similar Messages

  • Virtual private database: "dynamic" colum level security

    Hi all,
    I have to find a solution to enforce security on a table with sensitive human resource data. For each column in that table we assigned a sensitivity category like public, private, sensitive or highly sensitive. Now we want, depending on the user that queries the table, to mask the fetched columns according to the user's assigned security level.
    Example:
    Table T with:
    Column A (public)
    Column B (private)
    Column C (sensitive)
    Column D (highly sensitive)
    User 1 (with assigned security level as "public") can only see column A; columns B,C,D are masked.
    User 2 (with assigned security level as "private") can only see columns A and B; columns C,D are masked.
    User 3 (with assigned security level as "sensitive") can see columns A,B and C; column D is masked.
    User 4 (with assigned security level as "highly sensitive") can see all columns; nothing is masked.
    Is it possible to achieve that using VPD in an Oracle 10g database? As far as I know we can define security relevant columns in a policy but these are fixed! :-(
    Is it possible to dynamically change the relevant security columns or am I forced to choose another solution?
    Many thanks,
    Sebastien

    Billy,
    Just after posting my earlier reply, I decided to go through, in detail, what I had suggested. Then I realized that my reply was not correct for OP's question. My mistake! (when am I going to learn to "practice before I preach"?:( )
    Sebastien,
    My apologies for the incorrect reply.
    Billy's suggestion is correct. In fact, Tom comes to the rescue here (again). Here he describes how a similar requirement can be addressed by using a combination of views and application contexts. You do not need to use DBMS_RLS. In a nutshell, you can
    a) create a view that uses application contexts, on base table
    b) set the value of application context (to level i.e. PUBLIC/PRIVATE etc.) when user logs in
    c) revoke SELECT privileges on the base table
    d) only grant SELECT access on the view.
    I guess this is pretty straightforward.

  • How to use Oracle Virtual Private Database (VPD) with EclipseLink JPA

    My project requires using VPD in the database to isolate data access based on user type. How can I use EclipseLink JPA with VPD? For instance, how could I set up the server context in the database for each database session? Thanks for any help.

    There is some information on Oracle proxy authentication here,
    http://wiki.eclipse.org/EclipseLink/Examples/JPA/Oracle/Proxy
    VPD usage would be very similar.
    James : http://www.eclipselink.org : http://en.wikibooks.org/wiki/Java_Persistence

  • Implement row-level security using Oracle's Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracle's Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/"application" database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in sync.
    What do we need from the Business Objects support team?
    1. Review the 2 attempted solutions that we have tried to implement
    2. Propose solutions/answers to open questions for each of the attempted solutions
    3. Propose any alternate solution that will help us implement the Functional Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the Oracle account of the end user, which is set using arrobaVariable('BOUSER')
    app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and Business Objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user), then the user exits --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will Business Objects simply assign the first user's connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that every time we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our third question is a general, high-level one -> how does connection pooling work in general and how is it implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.?
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that "Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization."
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END;
    ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being "executed" on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    The ConnectInit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE PROCEDURE vpd_setup (p_user IN VARCHAR2) IS
    BEGIN
      -- SESSION_VALUES is an application context; create it first with
      -- CREATE CONTEXT session_values USING vpd_setup so that only this procedure can set it.
      DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
    END vpd_setup;
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.

  • Oracle Virtual Private Database and Weblogic.

    Hi All,
    I am using Oracle 11gR2 and WebLogic 10.3.5.
    I would like to use the Virtual Private Database feature in my project. I read the documentation and I understood the concept. I made a few tests on my dev environment and it seems to work fine.
    Now, I would like to use VPD with WebLogic (we are also using Hibernate) as all my users connect to the database through WebLogic.
    My question is how can I get the name of my non-database users (so coming from WebLogic) and automatically set them in my context?
    Many thanks for your help.

    Anyone on this one ?
    Many thanks !
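An added example, not from the Business Objects or WebLogic threads, of the pattern both are after: the pooled application account stays shared, the application tags each checked-out session with the end user's name (the DBMS_SESSION.SET_IDENTIFIER call from the ConnectInit attempt), and the VPD policy keys on that tag instead of the database user. Schema HR_APP, table ORDERS(ID, CLIENT, AMOUNT), mapping table APP_USER_CLIENT(APP_USER, CLIENT) and the user 'alice' are assumed names.

```sql
-- Constructed example (hypothetical names). The pool account connects for
-- everyone; the end user's identity arrives as the session CLIENT_IDENTIFIER.
CREATE OR REPLACE FUNCTION hr_app.orders_by_end_user(
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
  v_user VARCHAR2(64) := SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER');
BEGIN
  IF v_user IS NULL THEN
    RETURN '1=2';   -- untagged pooled session: default deny, never "see everything"
  END IF;
  -- Reference the identifier through SYS_CONTEXT inside the predicate instead of
  -- concatenating v_user: the predicate text stays constant and shareable.
  RETURN 'client IN (SELECT client FROM hr_app.app_user_client '
      || 'WHERE app_user = SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER''))';
END orders_by_end_user;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_APP',          object_name     => 'ORDERS',
    policy_name     => 'ORDERS_END_USER', function_schema => 'HR_APP',
    policy_function => 'ORDERS_BY_END_USER',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- writes that leave the user's scope are rejected too
END;
/
-- Application side (what ConnectInit, or the JPA/Hibernate connection callback, runs):
-- tag the session right after checkout and clear the tag before returning the
-- connection, so the next borrower cannot inherit the previous user's rows.
BEGIN DBMS_SESSION.SET_IDENTIFIER('alice'); END;   -- mapping table row: alice -> her clients
/
SELECT id, client, amount FROM hr_app.orders;       -- only alice's clients
BEGIN DBMS_SESSION.CLEAR_IDENTIFIER; END;           -- before the connection goes back to the pool
/
SELECT COUNT(*) FROM hr_app.orders;                 -- 0: an untagged session sees nothing
```

The policy is re-evaluated per statement (default DYNAMIC policy type), so a reused pooled session picks up whatever identifier the application set last; the clear step is what prevents the carry-over described in question ii above.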

  • Less expensive options to Virtual Private Database (VPD)

    Are there any options that can achieve the same result (i.e., row-level security)?
    VPD apparently requires the Enterprise Edition of the database. $40,000 is difficult for a small business.
    I've been heading down the path of Standard One Edition, and planned on significant use of VPD. However, I recently found out the above news and am a little bit stuck as I have already developed much of the application in APEX.
    I'm looking for solutions that wouldn't require major rework in my APEX application, if there are any.

    VPD basically rewrites the SQL to add in extra filter predicates based on your criteria. So SELECT * FROM fred.table_name gets rewritten to something like
    SELECT * FROM fred.table_name WHERE client = SYS_CONTEXT('...','...');
    Simple VPD can be replicated with views. You would rename table_name to table_name_data, and create a view table_name as select * from table_name_data WHERE client = SYS_CONTEXT('...','...');
    Complex VPD (applying multiple predicates depending on different criteria) can follow the same theory but increases the view complexity a lot.
    I'd add that either mechanism adds a layer of complexity into query optimization and therefore into the testing process.
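An added example, not from either thread, of the view-based replacement described above, carrying both the client row filter from this reply and the four-level column masking from the earlier HR thread (steps a to d there). It uses the built-in USERENV context plus a mapping table rather than a custom application context; HR_APP, EMPLOYEES, USER_ACCESS and the role HR_REPORT are assumed names.

```sql
-- Constructed example (hypothetical names). Base table EMPLOYEES(ID, NAME,
-- CLIENT, PHONE, SALARY, SSN) is renamed and hidden behind a view of the old name.
CREATE TABLE hr_app.user_access (
  username  VARCHAR2(30) PRIMARY KEY,  -- matches SYS_CONTEXT('USERENV','SESSION_USER')
  client    VARCHAR2(30) NOT NULL,     -- rows this user may see
  sec_level NUMBER(1)    NOT NULL      -- 0 public, 1 private, 2 sensitive, 3 highly sensitive
);

ALTER TABLE hr_app.employees RENAME TO employees_data;

-- The view keeps the original table name, so existing SQL keeps working.
CREATE OR REPLACE VIEW hr_app.employees AS
SELECT e.id,
       e.name,                                                  -- public (level 0)
       e.client,
       CASE WHEN ua.sec_level >= 1 THEN e.phone  END AS phone,   -- private
       CASE WHEN ua.sec_level >= 2 THEN e.salary END AS salary,  -- sensitive
       CASE WHEN ua.sec_level >= 3 THEN e.ssn    END AS ssn      -- highly sensitive
  FROM hr_app.employees_data e
  JOIN hr_app.user_access ua
    ON ua.username = SYS_CONTEXT('USERENV', 'SESSION_USER')
   AND ua.client   = e.client;   -- row-level part: the filter VPD would have appended

-- A session with no USER_ACCESS row joins to nothing: default deny.
-- Steps (c) and (d): nobody but the owner reads the base table or the mapping table.
REVOKE SELECT ON hr_app.employees_data FROM hr_report;  -- ORA-01927 if never granted; harmless
GRANT  SELECT ON hr_app.employees      TO   hr_report;

-- Constructed sample mapping: PUB_USER sees only public columns of client ACME.
INSERT INTO hr_app.user_access VALUES ('PUB_USER', 'ACME', 0);
INSERT INTO hr_app.user_access VALUES ('HR_ADMIN', 'ACME', 3);
COMMIT;
```

Because the view keys on SESSION_USER, it only works when end users have their own database accounts; with a shared application account the level has to come from something the application sets per session, such as the client identifier, and USER_ACCESS itself must be writable only by the schema owner.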

  • HIPAA, Sarbanes-Oxley and Oracle Virtual Private Database

    Is ORACLE VPD compatible with HIPAA, Sarbanes-Oxley?
    Is ORACLE VPD incompatible with a certification?
    Thanks in advance,
    Alexandre Bailly

    user8716187 wrote:
    Is ORACLE VPD compatible with HIPAA, Sarbanes-Oxley?
    Is ORACLE VPD incompatible with a certification?
    This forum is used for discussions about Certifications issued by Oracle (OCA, OCP, OCE, OCP) to people who have satisfied the Certification Requirements.
    SOX etc. are not discussed here.
    The following link may or may not be useful [http://www.oracle.com/technology/deploy/security/index.html]
    I suspect the database general forum may be the best place for your question ... others may know a better forum.
    In general this is often discussed under security.
    Also 11gR2 has features which may better support some aspect of SOX compliance.

  • Virtual Private Databases (VPD) + LDAP server

    Does anyone know:
    1) Is using an LDAP directory server (for user authentication and authorization) compatible with VPD?
    2) Does VPD require use of OracleAS or is the technology compatible with any J2EE server that supports LDAP for authentication and authorization?
    Many thanks,
    Lee.

    Quote, originally posted by Lee:
    > Does anyone know:
    > 1) Is using an LDAP directory server (for user authentication and authorization) compatible with VPD?
    VPD is orthogonal to LDAP technology, though in 9i there is more integration so you can use them together. Check out the CONTEXT INITIALIZED GLOBALLY documentation.
    > 2) Does VPD require use of OracleAS or is the technology compatible with any J2EE server that supports LDAP for authentication and authorization?
    Yes. VPD is access control, not authentication. You need to use something to tell VPD what access control you like.

  • Virtual Private Database (VPD) on 9iR2

    DBAs have set up a VPD on some tables.
    I have the role SELECT ANY DICTIONARY, but do not seem to be able to see the table SYS.V$VPD_POLICY (this I think would allow me to see what tables VPD policies were set against).
    The V$VPD_POLICY table does not seem to be generally documented in books etc.
    Can anyone give me any advice or leads.
    Many thanks
    Richard

    There is a SELECT_CATALOG_ROLE role; SELECT ANY DICTIONARY is not a role but a system privilege. Anyway, if you have this privilege you should be able to see that view:
    $ sqlplus test/test
    SQL*Plus: Release 9.2.0.4.0 - Production on Sun Nov 27 12:01:50 2005
    Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
    Connected to:
    Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
    With the Partitioning, OLAP and Oracle Data Mining options
    JServer Release 9.2.0.4.0 - Production
    SQL> desc v$vpd_policy
    ERROR:
    ORA-04043: object "SYS"."V_$VPD_POLICY" does not exist
    SQL> conn / as sysdba
    Connected.
    SQL> grant select any dictionary to test;
    Grant succeeded.
    SQL> conn test/test
    Connected.
    SQL> desc v$vpd_policy
    Name                                      Null?    Type
    ADDRESS                                            RAW(4)
    PARADDR                                            RAW(4)
    SQL_HASH                                           NUMBER
    CHILD_NUMBER                                       NUMBER
    OBJECT_OWNER                                       VARCHAR2(30)
    OBJECT_NAME                                        VARCHAR2(30)
    POLICY_GROUP                                       VARCHAR2(30)
    POLICY                                             VARCHAR2(30)
    POLICY_FUNCTION_OWNER                              VARCHAR2(30)
    PREDICATE                                          VARCHAR2(4000)
    SQL>
    You can see privileges / roles you have been granted:
    SQL> conn / as sysdba
    Connected.
    SQL> select * from dba_sys_privs where grantee = 'TEST';
    GRANTEE                        PRIVILEGE                                ADM
    TEST                           SELECT ANY DICTIONARY                    NO
    SQL> select * from dba_role_privs where grantee = 'TEST';
    GRANTEE                        GRANTED_ROLE                   ADM DEF
    TEST                           CONNECT                        NO  YES
    TEST                           RESOURCE                       NO  YES
    SQL>

  • Virtual Private Database - VPD

    I have been trying to enforce security policies through Oracle's fine grained access control (DBMS_RLS).
    When trying to access the object, the error
    ORA-28112: Fail to execute policy function
    is received, but I can see the predicate value generated by secure_person as follows:
    DECLARE
      RetVal VARCHAR2(200);
    BEGIN
      RetVal := Secure_Person();
      dbms_output.put_line(RetVal);
    END;
    Any hint?
    regards
    SH

    There'll be a dump file in the directory indicated by USER_DUMP_DEST. What does that tell you?
    Cheers, APC

  • Row level access, virtual private database, label security

    Hello All,
    I'm experiencing an issue. I have a data warehouse where some tables, for example orders, are shared between two different countries. The difference is made simply with a field country that may contain a country_id.
    So using OBI and Publisher I need to permit some users to query only the country with id 1, others the country with id 2 and others both countries.
    Is there a way to achieve this result without implementing VPD or OLS? Do you have any hint?
    Thanks
    Stefano

    Hi,
    It must be useful:
    http://obieeblog.wordpress.com/2008/12/29/obiee-and-virtual-private-database-vpd/
    thanks
    karthick

  • Using VPD (Virtual Private Database) with Discoverer for Dummies

    Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view thread that started it all: BIS vs DBI vs Noetix .
    Otherwise I'm hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and its performance. I've just read that:
    “Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
    VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
    With Regards to Discoverer, I would like to ask the following:
    -When would be best to use VPD in Discoverer?
    -Pro’s and Con’s of VPD?
    -Tips / Tricks?
    -and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
    I've found a few handy links:
    http://www.adp-gmbh.ch/ora/security/vpd/index.html
    http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
    As Metalink support would say: I'm looking forward to your 'Positive' comments. ;-)
    Lance

    Lance,
    You sure do raise some interesting questions here.
    I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries: http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
    If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
    I trust "My Positive Comment" may help!!
    Merry Christmas
    Si ;-)
    P.S. This also may come in handy if running 10g: http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm

  • About virtual private databases

    I've read in the documentation that:
    Oracle Virtual Private Database enforces security, to a fine level of granularity, directly on database tables, views, or synonyms. Because you attach security policies directly to these database objects, and the policies are automatically applied whenever a user accesses data, there is no way to bypass security.
    OK, but can I not specify a policy using a trigger on a table, let's say? So, instead of using VPD to dynamically generate a policy and append it to the where clause, I should specify a where condition in the trigger and, based on which user logs on, select only specific data. What are the advantages of using VPD instead of specifying those conditions another way?
    Thanks

    Roger22 wrote:
    What are the advantages of using VPD instead of specifying those conditions another way?
    Single schema. Single set of tables. Used by hundreds of customers. While guaranteeing that one customer cannot CRUD data of any other customers. And this guarantee is at SQL level. So while having full SQL access to the schema objects, that customer will see that schema as only containing his data and nothing else.
    This in a nutshell is a VPDB.
    And it is impossible to provide that guarantee at SQL level using any other way.
    Views and triggers? Not as robust. Not as secure. Not as flexible. A lot more moving parts, which means an increase in complexity and potential problems and bugs.

  • Virtual Private Database Policy

    Hallo,
    I have the Oracle Express 11.2.0.2 database right now and want to enable the Oracle Virtual Private Database Security Policy.
    AFAIK this is only available on Oracle Enterprise 11.2.0.3. Is there a way to simply upgrade (probably update) my Express version so I can use this feature? Or am I wrong and I can actually use VPD in my version?
    best regards
    Matthias Schnell

    Personally, I'd try using the DBUA first.
    Install 11gR2 "Software Only" into a new ORACLE_HOME
    Run the DBUA program from that directory
    Introduction to the Upgrade Process for Oracle Database
    MK

  • Column Level Security Using VPD under oracle 11g

    Hi
    I am using an example from Oracle Database 10g: Advanced Security -- Virtual Private Databases
    1. The Application Context -- that sets the session environment for the user is OK.
    2. The Logon Trigger that executes the above is ok. It had been tested.
    3. The Security Policy that returns a predicate after checking the output of the Application Context is ok.
    4. The security policy applied to the STOCK_TRX table is ok.
    5. Select and Insert from the database work.
    However, after dropping both the insert and select policy, I am having a problem getting a select policy to work with column-level VPD. I get ORA-28104 -- input value for statement type is not valid and ORA-06512 at SYS.DBMS_RLS line 20. See the code below:
    begin
    DBMS_RLS.ADD_POLICY
    ('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY', 'PRACTICE', 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY', 'PRICE');
    end;
    Note:
    PRICE is the sec_relevant_cols
    STOCK_TRX is the table
    Can you please help.
    Thx

    The syntax for row-level security is not the same as for column-level security. All the parameters to the DBMS_RLS.ADD_POLICY() function should be preceded by the type of the parameter, for example:
    begin
      DBMS_RLS.ADD_POLICY(object_schema => 'PRACTICE', object_name => 'STOCK_TRX',
        policy_name => 'STOCK_TRX_SELECT_POLICY', function_schema => 'PRACTICE',
        policy_function => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
        statement_types => 'SELECT', sec_relevant_cols => 'PRICE');
    end;
    I did not know this before. I thought they were there in the example for explanatory reasons. I decided to answer the question for myself because I know others have the same interpretation.
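An added example, not from any of the threads, showing what the opening question asked for (column-level security with no row restriction at all) in the named-parameter form the thread just above needed. Schema HR_APP, table EMPLOYEES(ID, NAME, SALARY), context HR_CTX with attribute SEC_LEVEL, and package HR_CTX_PKG are assumed names.

```sql
-- Constructed example (hypothetical names): mask one column, never filter rows.
-- The context can only be written through the package named in USING, so a user
-- cannot raise their own level with DBMS_SESSION.SET_CONTEXT directly.
CREATE OR REPLACE CONTEXT hr_ctx USING hr_app.hr_ctx_pkg;

CREATE OR REPLACE PACKAGE hr_app.hr_ctx_pkg AS
  PROCEDURE set_level(p_level IN VARCHAR2);
END hr_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr_app.hr_ctx_pkg AS
  PROCEDURE set_level(p_level IN VARCHAR2) IS
  BEGIN
    -- Called from a logon trigger or the application after it has authorised the user.
    DBMS_SESSION.SET_CONTEXT('HR_CTX', 'SEC_LEVEL', UPPER(p_level));
  END set_level;
END hr_ctx_pkg;
/
-- Policy function signature required by DBMS_RLS: (schema, object) -> predicate text.
CREATE OR REPLACE FUNCTION hr_app.salary_col_policy(
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('HR_CTX', 'SEC_LEVEL') = 'SENSITIVE' THEN
    RETURN NULL;     -- no predicate: column visible, rows unrestricted
  END IF;
  RETURN '1=2';      -- predicate false for every row (also when SEC_LEVEL is unset)
END salary_col_policy;
/
-- Column masking: with ALL_ROWS every row is still returned and SALARY is NULL
-- wherever the predicate is false. Without sec_relevant_cols_opt the same policy
-- would instead drop rows whenever a statement references SALARY.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR_APP',
    object_name           => 'EMPLOYEES',
    policy_name           => 'EMP_SALARY_MASK',
    function_schema       => 'HR_APP',
    policy_function       => 'SALARY_COL_POLICY',
    statement_types       => 'SELECT',       -- column masking applies to SELECT only
    sec_relevant_cols     => 'SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- Check: a session that never called set_level sees every employee with SALARY NULL;
-- after hr_app.hr_ctx_pkg.set_level('SENSITIVE') the same query returns salaries.
SELECT id, name, salary FROM hr_app.employees;
```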
