Row level security problem.

Hy all, I'm new to Oracle and though i've google it a lot I didn't manage to find a solution to this problem:
I'm using sql developer and Oracle 10g.
I have this two tables :
CREATE TABLE HR_employees
(codHR NUMBER(3) CONSTRAINT pk_hr PRIMARY KEY,
coddep NUMBER(4) not null,
DB_user VARCHAR2(10),
and
CREATE TABLE Candid
(codcan NUMBER(2) CONSTRAINT PK_candidat PRIMARY KEY,
codHr NUMBER(3) NOT NULL,
CONSTRAINT FK_CODHR FOREIGN KEY (codHR) REFERENCES HR_employees (codHR) );
I tried to implement row level security on them by using two views:
CREATE OR REPLACE VIEW employees_v AS
SELECT * FROM hr_employees
WHERE DB_user = user
UNION
SELECT * FROM hr_employees
WHERE codhr=(SELECT codhr FROM hr_employees WHERE db_user=user );
AND coddep IN (4000,5000);
CREATE OR REPLACE VIEW candid_v AS
SELECT cand.*
FROM candid cand , hr_employees hr
WHERE cand.codhr= hr.codhr
AND hr.db_user=user
UNION
SELECT cand.* FROM candid cand, hr_employees hr
WHERE hr.coddep=(SELECT H.coddep FROM hr_employees H
WHERE H.db_user=user
AND H.coddep IN (4000,5000) );
What I want to do is to disconnect and connect with another user from SQL Developer and see different fields based on the user and the department, Sql developer doesn't seem to recognize the user connected to the database..everytime I receive a no row selected statement, only when I connect with SYS and put the actual username WHERE H.db_user='SYS' they seem to work. I have created the tables with SYS and granted Select on the views to the users, the users don't have privilegies on the actual tables.
Sorry for the bad english,it's a foreign language to me ,
I hope you can help me

Hi,
Damorgan is right: "Row level security has nothing to do with views" in the sense that the two are independent. You can have row-level security with or without views, and you can have views with or without row-level security. dbms_rls is a very useful and powerful way to implement row-level security, and you should check it out, but it's not necessarily the answer to all row-level security problems.
I'm not sure I understand your problem beyond the need to restrict user A's access to two tables.
If which rows user A is allowed to see depends on the results of queries from those same tables, including rows that user A is not allowed to see (that is, you need to do sub-queries with some other user's (let's call this user B's) privileges), then you can do those sub-queries in stored procedures.
Stored procuderes can run with the privileges of the procedure owner, regardless of who is calling them. Using a function called user_codhr owned by user B, you could define a view like this:
CREATE OR REPLACE VIEW employees_v AS
SELECT * FROM hr_employees
WHERE DB_user = user
OR    (   codhr = user_codhr
      AND coddep IN (4000,5000)
      );If the results of the function will be the same throughout the session, you can call it once, at the beginning of your session, and save the results in a SYS_CONTEXT varaible or a global temporary table.
If you need more help, post a more detailed example of the problem, such as "With this data in the table, B should see all rows but A should see only ...".

Similar Messages

  • Row-level security problem using VPD

    Hi all,
    I've implemented row-level security for my application using the following procedure:
    1) Created a procedure for setting the context for the application:
    PROCEDURE set_empno
    IS
    emp_id NUMBER;
    BEGIN
    BEGIN
    SELECT empno
    INTO emp_id
    FROM SCOTT.EMP
    WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
    EXCEPTION
    WHEN OTHERS THEN emp_id := 0;
    END;
    END;
    2) Created the application context:
    CREATE CONTEXT emp_sel_context USING secman.app_security_context;
    In which secman is my security schema and app_security_context is the name of above procedure package.
    3) Created a function to access the application context:
    FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
    IS
    e_predicate VARCHAR2(2000);
    BEGIN
    e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
    RETURN e_predicate;
    END;
    END;
    4) Created a logon trigger:
    CREATE OR REPLACE
    TRIGGER INIT_CONTEXT AFTER
    LOGON ON DATABASE
    BEGIN
    SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
    END;
    5) Added a policy on scott.emp like this:
    begin
    dbms_rls.add_policy (
    object_schema => 'SCOTT',
    object_name => 'EMP',
    policy_name => 'EMP_SEL_POLICY',
    function_schema => 'SECMAN',
    policy_function => 'EMP_SECURITY.EMP_SEC',
    statement_types => 'SELECT',
    update_check => TRUE
    end;
    My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
    Any helps is really appreciated.
    S/\EE|)

    i,
    I suggest:
    create another table emp1(logon with scott),this table only include empno,ename,then insert a few record,then modify
    procedure set_empno as
    PROCEDURE set_empno
    IS
    emp_id NUMBER;
    BEGIN
    BEGIN
    SELECT empno
    INTO emp_id
    FROM SCOTT.EMP1
    WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
    EXCEPTION
    WHEN OTHERS THEN emp_id := 0;
    END;
    END;
    certainly ,you should grant select on emp1 to the user who will be test.
    lixinzhu
    2007/09/17

  • Row-level security(VPD) problem

    Hi,
    ADF BC, Jdeveloper 11.1.1.3.0
    We want to implement Row-level security in ADF by VPD, and do following:
    1, create VPD policy according to the following sample
    http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
    2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
    The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
    We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
    I appreciate your suggestion.
    thanks

    So how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.

  • Setting up Row Level Security in EPM 11.1.1.3

    I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
    i) Enable row level security in Workspace.
    Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
    Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
    Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
    Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
    Any log I can inspect for the connectivity error?
    ii) Configure Row Level Security setting
    I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
    thank you very much.

    I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
    i) Enable row level security in Workspace.
    Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
    Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
    Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
    Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
    Any log I can inspect for the connectivity error?
    ii) Configure Row Level Security setting
    I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
    thank you very much.

  • Row level security with session variables, not a best practice?

    Hello,
    We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
    The problem is that this method is listed as a "non best practice" in the Oracle documentation.
    Alternative Security Administration Options - 11g Release 1 (11.1.1)
    (This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
    Managing Session Variables
    System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
    How confusing... what is the best practice then?
    Thank you for your help.
    Joao Moreira

    authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
    Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

  • How to implement row level security?

    Hi all,
    There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
    Many Thanks
    Amy

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • Parent-child hierarcy - row level security

    Hi,
    Im using OBI 11.1.1.5 and have a problem about row-level security in parent-child dimension.
    I have created a parent-child dimension, simlar to:
    a1
    --a1.1
    ----a1.1.1
    ----a1.1.2
    --a1.2
    ----a1.2.1
    By using a session variable 'SESVAR1', I want to restrict the visible hierarcy. For instance user 'a1.1' should only see:
    a1.1
    --a1.1.1
    --a1.1.2
    To do this I created a parent-child closure table with the whole dataset. Then I created a physical table using select statement with my session variable in repository. Whenever I viewed data in repository, it showed the correct set.
    I created a parent-child dimension, using the original parent-child closure table. But since current distance values are different from the original hierarcy, I can not managed to build a security such a security system with this method.
    How can I build a security system, that a member can only see its child hierarchy only?
    Thanks for answers and links...
    Edited by: user4516917 on 16.Nis.2012 06:54
    Edited by: user4516917 on 16.Nis.2012 06:55

    According to searches I made in support.oracle and google, it seems that it is not possible to view just a branch of a parent-child tree. Because the closure table is static. Therefore, you can not change the distances of objects dynamically.
    This parent-child ability is very frustrating for me. As I understand, parent-child dimension ability can only be used in read-only sources. Any filtering or dynamic changes does not seem possible in this structure. Any changes on parent-child table requires parent-child relation table to be rebuilt.
    I couldnt find any functionality of indexcol or choose functions in parent-child dimensions. I think they can only be used in level based dimensions.
    Any comments appriciated..

  • How to apply row level security against the database administrator

    I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
    There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
    HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
    Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
    Is there additional ways to achieve the aim?

    Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
    If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
    This includes DBAs.
    The simple fact of being DBA doesn't guarantee the exemption.
    Everything goes to depend of the VPD config.

  • Row-level Security Filters applied to Columns and Tables only? no Areas?

    Good day all,
    Just quick question (obiee 10.3.3.2) - Is there a way to edit row-level security using Whole subject areas (instead of bringing in the individual Fact tables and applying filters by copying/pasting them).
    Follow up question - if I have nested facts in presentation layer (ones preceding with "-" - do I specifically add them to conditions, or would they be inherited by only including parent fact)?
    Thanks!
    Message was edited by:
    wildmight

    I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

  • OBIEE Row-Level Security Inquiry

    I had discussed a security requirement with one of our resources and it seems like a simple concept but for some reason I can’t think of simple way to implement in OBIEE.
    If we have a fact table with a security column that has values which state what groups can see the data in that row (Multiple groups separated by semi-colons). The data in the row is layed out like this:
    Group 1;Group 2;Group 3;Group 4
    There is a user and group mapping table as well where if I pull a user (Say User1) the data in the column for their group assignments would look like:
    Group 3;Group 10; Group 11
    Since this user is in Group 3 they can see the values in that row of the fact table above (Because Group 3 appears in both).
    Now I can run a session variable to get the user groups but how to then correlate to what rows they can see in that fact table is where I am stuck.
    Can I solicit any suggestions?

    They are various problems with your approach. To start with let's how OBIEE would like you to have the data:
    State Sales
    1 99
    2 30
    3 50
    Then your user to group table should be like this:
    User State
    1 1
    1 2
    1 3
    2 1
    3 3
    You would then do an row-wise Init Block to populate the GROUP variable. Then you simply do a filter in your BMM layer State = VALUEOF(NQ_SESSION.GROUP). Note that GROUP is that a list of groups so OBIEE will take care to convert this to SQL correctly. Now the way you have your data I don't think you can easily do row-level security. Basically what you need is to have your Group as dimension in your fact. What you have a is concatenated value which is useless. Also your user to group mapping table needs to be flat so you can do the row-wise init block. Hope it helps.

  • [Security]   Row-level security in ADF

    Hi all,
    I want to implement row-level security in my application, the scenario is like this:
    There are several users that connect to the application
    These users are authenticated in some way (XML file, OID, DB)
    When each user wants to access (Select, Update, Delete) an ADF Table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do, must be concatenated to his DML, transparent from the user.
    So if for example a user queries the Emp Salary table only records with salary < 10K/Month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
    I have tried VPD and it has some useful features but my problems are:
    1) Where and how to define the 'where conditions'?
    2) How to attach the 'where conditions' to the executing DML?
    3) What is the best way to make DB know which user is really executing DMLs? (Not a single Application Server admin user)
    4) What is the best authentication approach?
    Any helps will be really appreciated.
    S/\EE|)

    Hi,
    yes you can. Database proxy user is setup in the prepare session method as well and EUS can be configured to take the J2EE username to then re-connect the app to teh database schema
        public void prepareSession(SessionData SessionData)
           super.prepareSession(SessionData);
           oconn = ((PrxyTransactionImpl)this.getDBTransaction()).getPrxyConnection();
           // Specify the user that connects through the proxy user and its roles
           Properties prop = new Properties();
           prop.put(OracleConnection.PROXY_USER_NAME,"hr");
           //prop.put(OracleConnection.PROXY_ROLES, roles);
           String appContext = "Begin ctxhrpckg.set_userinfo('"+getApplicationUserName()+"'); END;";
           java.sql.CallableStatement st= null;
          // Open the proxy session (DB-authenticated users)
          try
            oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
            st = getDBTransaction().createCallableStatement(appContext,0);
            st.execute();
          catch (SQLException e)
            e.printStackTrace();
    package oracle.sample.dbprxy.adfbc;
    import oracle.jbo.server.DBTransactionImpl2;
    import oracle.jbo.server.DatabaseTransactionFactory;
    * TransactionFactory that returns PrxTransactionImpl, which is a subclass of
    * DBTransactionImpl2
    * @author Frank Nimphius
    public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory
      public PrxyDatabaseTransactionFactory()
        super();
       * Override the create method to return an instance of PrxyTransactionImpl instead
       * of DBTransactionImpl2
       * @return PrxyTransactionImpl
      public DBTransactionImpl2 create()
        return new PrxyTransactionImpl();
    package oracle.sample.dbprxy.adfbc;
    import oracle.jbo.server.DBTransactionImpl2;
    import oracle.jdbc.OracleConnection;
    public class PrxyTransactionImpl
      extends DBTransactionImpl2
      public PrxyTransactionImpl()
        super();
       * The DBTransactionImpl2 does not expose the connection in a public
       * method. This class is a wrapper to expose the connection to the
       * BC app, so it can be accessed in the ApplicationModuleImpl class
       * @return OracleConnection - SQL Connection
      public OracleConnection getPrxyConnection()
        return (OracleConnection) this.getJdbcConnection();
    }Note that for EUS ApplicationModule pooling should be disabled
    Frank

  • Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)

    To the Universe Gurus out there:
    I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
    Background:
    We have 11 tables that are to be restricted.
    Each table is accessible to potentially 1..* group of users only.
    For eg SALES is accessible to ALL_SALES members only.
    Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
    For eg
    1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
    2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
    3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
    This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
    Results:
    1) With the way I laid out the business rules above, I am ending up with 528 groups.
    2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
    Problems/Questions:
    How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
    AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
    Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
    Am I even thinking of this the right way or is there a more noble way to do this?
    Regards

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
    BEGIN
      DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
    END vpd_setup;
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.

  • Crystal Reports - ECC Tables - Row level security on Multiple tables

    Hi Experts,
    We are implementing Crystal Reports directly reporting on ECC Tables.  Lot of information on row-level security has been provided by experts Ingo Hilgefort, Don Williamsand Mike Seblani, but not related to multiple tables or Wild cards
    Requirement:
    Crystal Users should have access to ALL the tables in ECC, but restricted by Company code, plant, Sales Organization, Purchasing Organization fields to what ever table it applies to. Example: MARC table should be restricted by Plant, BSEG table should be restricted by Plant and company code, GLT0 table should be restricted by Company code..etc
    Users should ONLY see their Organization related data.
    Solution Developed:
    1. We created custom authorization object with BUKRS and WERKS
    2. In  /CRYSTAL/RLS  we used Wild Cards *, +  rather than specific table  and referenced the custom authorization object with =BUKRS and =WERKS  in the Field Value
    3. Enabled global lock
    4. Custom Authorization object was added to user-profiles with corresponding restrictions
    *Observation:*
    1. This security works when a crystal report was developed on a ECC table which has both BUKRS and WERKS
    2. This setup DOES NOT work when a crystal report developed on a table with either one of BUKRS or WERKS
        Example: Does not work on MARC table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~BUKRS" unknown"
       Does not work on GLT0 table - error message "Database connection error: /CRYSTAL/OSQL_EXECUTE_QUERY Message: field T0~WERKS unknown"
    Trouble Shooting:
    In the "where clause" of the internal ABAP code generated for MARC, system is checking for BUKRS - which  should not be the expected result
    ANYTHING WRONG IN THE SECURITY SETUP ? PLEASE ADVICE
    Note: Document "BusinessObjects XI Release 2, Integration Kit for SAP, Installation Guide" does not talk much about this multiple table restriction. Any other document to be referred to ?

    I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?

  • How to Migrate Row Level Security Configuration

    Hi Guys,
    Does anybody know how to migrate row level security configuration? I suppose PeopleSoft provided a data mover script, like securityexport.dms.
    Thank you in advance,
    Bob

    Here are two options to achieve what you want.
    A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
    1. create a security codes table. Say for example
    001 - company a
    002 - company b
    2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
    3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
    4. update all data in the tables according to which company they belong to.
    5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
    With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
    B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
    Table name = Employee.
    Create a view employee_a on employee
    create a view employee_b on employee
    Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
    create synonym employee on employee_a in x schema.
    create synonym employee on employee_b on y schema.
    This i have not tried but believe should work.
    Hope one of these options serve your purpose.

  • Row-level security at the Database level

    We need Row-level security at the Database level, where the user who logs in to Crystal reports, should be able to fetch only those rows from the database that he is entitled to see. For this, the login name of the user is passed to a stored procedure which sets the context of the DB session and restricts the data retrieved.
    We are not looking for row-level security where the data is first retrieved and then filtered based on the user login name. However, we are definitely looking for a way to set a context for a database session based on the user login name, even before we start fetching data. So effectively, the user who logs in will fetch only those rows which he is supposed to see.
    Issue:
    We face a problem of not being able to pass a variable (something like 'BOUSER' for BO which works, whereas, 'CurrentCEUserName' for Crystal Reports, which doesn't work), to the database stored procedure to set the context.
    Please let us know if we can use 'CurrentCEUserName' variable in Crystal in the same way as 'BOUSER' is used in ConnectInit for BO? We would like to know how we could pass any variable in Crystal Reports which holds the user login information to a stored procedure.
    Also, please suggest alternate ways to achieve this security restriction, if any.

    Hi
    A previous database had a personnel table with their station name, district and region, with a field holding their logon name.  We also had an activity table with the fields referring to the activity, and a field of Station, district and region it occured in.
    By linking the individual rows in an activity table to the personnel table on the station name field, we then used the CurrentCEUserName to filter on the personnel.  This returned only the records in the activity table where the station the activity took place at was the same as the station associated with the selected personnel who has logged on.
    The additional bonus was if we linked it on District or region we had the same result but at a greater level. ie all activity in the logged on personell's District or if linked on region, then their region.
    The personnel table was maintained by the system administrators, so maintenance was low.
    I hope this helps.
    Kevin

Maybe you are looking for

  • BEx analyzer 7.0 Report for last 3 months and current month

    I need to create a report for a key figure (net value) and character (material), 0calday Output format: column1 : net value - previous year column2 : net value - current year column3 : net value - current quarter (separate columns for 3 months) colum

  • On a Mac Java applets not working on FF 31, have not worked since FF26; how to fix?

    KeepVid, Quietube, Pin It, and placeholders on most websites instead of Java applets. Running Mavericks and Mountain Lion on an iMac and MacAir, and the applets don't work on either - they haven't worked since FF26. Plug-in is installed, and "always

  • How should I add a new physical network interface to the system?

    Hello: I am about to test my own NIC driver. I have used add_drv to add my driver. I have assigned an IP address to the sytem in the /etc/hosts file and corresponding network mask in the /etc/netmasks file, too. But when I tried to ping this IP addre

  • 648 MAX BEEP ALARM

    MSI 648 MAX L P4 2.4G 533FSB 128 CORSAIR DDR CAS 2 MSI MX440 SE-T System was running fine.  I changed from an Intel C 1.7 to a P4 2.4G Proc.  When I booted up, I got a Hi/Lo beep tone at 1 second intervals.  The system runs ok.  There is no other pro

  • TS3367 How do I change the phone number in FaceTime on my iPad?

    Somehow my daughters phone number is in my settings. I need to change to mine so that I can receive messages and FaceTime on my iPad how do you change it?