Row Level Security - using a policy function.
Hi,
I am trying to implement RLS within our database and am getting the following error message:
ORA-28112: failed to execute policy function
Looking around the web, this seems to point to an unhandled exception in my function, but I cannot seem to find anything untoward.
I have tested the function and can confirm that it is returning the desired predicate where appropriate.
Here is the function:
FUNCTION Fnc_Rls_Control(Pin_Schema IN VARCHAR2) RETURN VARCHAR2 IS
  -- Author:  MLLOYD
  -- Purpose: Policy function that supplies a predicate to limit access to tables based
  --          on the site code
  -- Created: 30/12/2010
  -- Revision History
  -- Date        Version  Comments
  -- 30/12/2010  1        Created

  -- Site codes granted to the current database user via the Discoverer role tables
  CURSOR Cur_Rls_Site IS
    SELECT s.Site_Code
      FROM All_Users u
     INNER JOIN Rls_Discoverer_User_Role Ur ON Ur.User_Id = u.User_Id
     INNER JOIN Rls_Discoverer_Roles r      ON r.Role_Id = Ur.Role_Id
     INNER JOIN Rls_Discoverer_Role_Sites Rs ON Rs.Role_Id = r.Role_Id
     INNER JOIN Commons.t_Site_Codes s      ON s.Siteid = Rs.Site_Id
     WHERE u.Username = USER;

  Rec_Rls_Site     Cur_Rls_Site%ROWTYPE;
  Lcl_Predicate    VARCHAR2(2000);
  Lcl_Return_Value VARCHAR2(2000);
BEGIN
  Lcl_Predicate    := NULL;
  Lcl_Return_Value := NULL;

  -- CHECK IF USER IS OWNER OF SCHEMA, IF SO, NO PREDICATE
  IF Pin_Schema = USER THEN
    Lcl_Return_Value := NULL;
  ELSE
    -- OBTAIN SITE CODES AVAILABLE TO USER as a comma-separated list of quoted literals
    OPEN Cur_Rls_Site;
    LOOP
      FETCH Cur_Rls_Site INTO Rec_Rls_Site;
      EXIT WHEN Cur_Rls_Site%NOTFOUND;
      Lcl_Predicate := Lcl_Predicate || q'(')' || Rec_Rls_Site.Site_Code ||
                       q'(')' || ',';
    END LOOP;

    IF Lcl_Predicate IS NULL THEN
      Lcl_Return_Value := NULL;
    ELSE
      -- REMOVE TRAILING COMMA
      Lcl_Predicate := Rtrim(Lcl_Predicate, ',');
      -- BUILD FINAL PREDICATE
      Lcl_Return_Value := 'SITE_CODE IN (' || Lcl_Predicate || ')';
    END IF;
    CLOSE Cur_Rls_Site;
  END IF;

  RETURN Lcl_Return_Value;
EXCEPTION
  WHEN OTHERS THEN
    -- Release the cursor if the error happened mid-fetch; the function must still
    -- return a value on every path, otherwise it ends with ORA-06503
    IF Cur_Rls_Site%ISOPEN THEN
      CLOSE Cur_Rls_Site;
    END IF;
    RETURN Lcl_Return_Value;
END Fnc_Rls_Control;
-- ************************************************************************************
I have applied this to a specific table using the following:
-- ADD POLICY
BEGIN
  DBMS_RLS.ADD_POLICY (
    object_schema   => 'REPORTING',
    object_name     => 'URS_OP_VISIT_STATISTICS',
    policy_name     => 'ACCESS_POLICY',
    function_schema => 'REPORTING',
    policy_function => 'PKG_REPORTING.FNC_RLS_CONTROL',
    statement_types => 'SELECT');
END;
/
Have I missed anything obvious?
Regards
Mark
A policy function must have two IN parameters of VARCHAR2 type and return VARCHAR2.
So add a second parameter to your function.
Simple example:
CREATE OR REPLACE FUNCTION auth_orders(
  schema_var IN VARCHAR2,
  table_var  IN VARCHAR2)
RETURN VARCHAR2
IS
  return_val VARCHAR2 (400);
BEGIN
  -- Fixed predicate appended by VPD to every statement against the protected object
  return_val := 'SALES_REP_ID = 159';
  RETURN return_val;
END auth_orders;
/
The first parameter is the schema name, the second parameter is the object name. So you can have one universal function that returns the appropriate WHERE condition based on its IN parameters.
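As an added example (not code from this thread), here is how the function from the question could look with the two-parameter signature described in the answer, written as the PKG_REPORTING package the policy registration names, together with a re-registration of ACCESS_POLICY. Table and column names (the Rls_Discoverer_* tables, Commons.t_Site_Codes, SITE_CODE, REPORTING.URS_OP_VISIT_STATISTICS) are taken from the question; that the role tables live in the REPORTING schema and are readable by the querying users, and the STATIC policy type, are assumptions. Instead of building a quoted IN-list in PL/SQL, the predicate is a fixed subquery keyed on the session user, and any error inside the function returns a deny-all predicate so that a broken policy cannot silently remove the filter:

```sql
CREATE OR REPLACE PACKAGE Pkg_Reporting IS
  -- VPD calls policy functions with (object schema, object name); both are required.
  FUNCTION Fnc_Rls_Control(Pin_Schema IN VARCHAR2,
                           Pin_Object IN VARCHAR2) RETURN VARCHAR2;
END Pkg_Reporting;
/

CREATE OR REPLACE PACKAGE BODY Pkg_Reporting IS
  FUNCTION Fnc_Rls_Control(Pin_Schema IN VARCHAR2,
                           Pin_Object IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    -- One fixed predicate for every caller. The owner bypass is part of the predicate
    -- text rather than a PL/SQL branch, so with a cached (STATIC) policy the result
    -- cannot depend on which user happens to trigger the first evaluation.
    -- Pin_Schema is supplied by Oracle (the table owner), not by the querying user.
    -- The subquery runs as the querying user, so the lookup tables are schema-qualified
    -- (assumed: REPORTING) and those users need SELECT on them.
    RETURN q'[SYS_CONTEXT('USERENV', 'SESSION_USER') = ']' || Pin_Schema || q'['
      OR SITE_CODE IN (
           SELECT s.Site_Code
             FROM All_Users u
             JOIN REPORTING.Rls_Discoverer_User_Role  ur ON ur.User_Id = u.User_Id
             JOIN REPORTING.Rls_Discoverer_Roles      r  ON r.Role_Id  = ur.Role_Id
             JOIN REPORTING.Rls_Discoverer_Role_Sites rs ON rs.Role_Id = r.Role_Id
             JOIN Commons.t_Site_Codes                s  ON s.Siteid   = rs.Site_Id
            WHERE u.Username = SYS_CONTEXT('USERENV', 'SESSION_USER'))]';
  EXCEPTION
    WHEN OTHERS THEN
      -- Fail closed: an error inside the policy must not turn into "no filter".
      RETURN '1 = 2';
  END Fnc_Rls_Control;
END Pkg_Reporting;
/

-- Re-register the policy. ACCESS_POLICY already exists from the question, so drop it
-- first. policy_type => STATIC lets Oracle cache the predicate text instead of calling
-- the function on every statement; it is safe here only because the text is identical
-- for every session (the per-user part is resolved by SYS_CONTEXT at execution time).
BEGIN
  DBMS_RLS.DROP_POLICY('REPORTING', 'URS_OP_VISIT_STATISTICS', 'ACCESS_POLICY');
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'REPORTING',
    object_name     => 'URS_OP_VISIT_STATISTICS',
    policy_name     => 'ACCESS_POLICY',
    function_schema => 'REPORTING',
    policy_function => 'PKG_REPORTING.FNC_RLS_CONTROL',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.STATIC);
END;
/

-- Inspect the predicate exactly as VPD will receive it, before relying on the policy.
SELECT Pkg_Reporting.Fnc_Rls_Control('REPORTING', 'URS_OP_VISIT_STATISTICS') AS predicate
  FROM dual;
```

A user with no site assignments gets an empty subquery and therefore no rows, which is the same outcome as the original function's NULL-predicate branch would intend but without falling through to "no restriction". Note that SYS and any account holding EXEMPT ACCESS POLICY are not subject to the policy at all.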
Similar Messages
-
Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)
Environment: Business Objects XI R2; Oracle 10g
Functional Requirement:
Implement row-level security using Oracle’s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/“application” database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
What do we need from the Business Objects support team?
1. Review the 2 attempted solutions that we have tried to implement
2. Propose solutions/answers to open questions for each of the attempted solutions
3. Propose any alternate solution that will help us implement the Function Requirement stated above
Attempted Solution 1: Connection String uses Oracle Proxy User
The connection string that is specified in the Universe is the following:
app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
app_user = generic application user
end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
Open Question for Solution 1:
i. What happens when multiple proxy users try to connect on at the same time? Business Objects shares the generic app_user connect string. However, every user that logs on will have their own unique proxy user credentials. Will there be any contention involved? If so, what kind of errors can we expect?
ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open. In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user? If so, then our security will not work. Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
Attempted Solution 2: Using the ConnectInit parameter
Reading through a couple of the Business Objects documents, it states that “Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.”
Therefore, we tried to set the parameter in the Universe using several different options:
ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END;
ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being “executed” on the database.
One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
Open Questions for Solution 2:
How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
Note: Arroba word is being used instead of the symbol in order to avoid following error message:
We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.
The ConnectInit setting should look something like this:
declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
The vpd_setup procedure (in Oracle) should look like this:
CREATE OR REPLACE PROCEDURE vpd_setup (p_user VARCHAR) IS
BEGIN
  -- Store the BO user name as attribute USERID of the SESSION_VALUES application
  -- context; the context must have been created with CREATE CONTEXT SESSION_VALUES
  -- USING vpd_setup, since only its trusted package may write to it
  DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
END vpd_setup;
/
Then you can retrieve the value of the context variable in your VPD functions
and set the VPD. -
How to implement row level security using external tables
Hi All Gurus/ Masters,
I want to implement row level security using external tables, but I'm not sure how to implement that. I'm aware of doing it by RPD level authentication.
I can use a filter condition in my user level so that he can access his data only.
But when i have 4 tables in external tables
users
groups
usergroups
webgrups
Then in which table I need to give the filter conditions..
Pl let me know this ...
You pull the Group into a repository variable using a session variable init block, then reference that variable in the data filters either in the LTS directly or in the security management as Filters. You reference it with the syntax VALUEOF("NQ_SESSION.Variable Name")
Hope this helps -
Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)
To the Universe Gurus out there:
I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
Background:
We have 11 tables that are to be restricted.
Each table is accessible to potentially 1..* group of users only.
For eg SALES is accessible to ALL_SALES members only.
Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
For eg
1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
Results:
1) With the way I laid out the business rules above, I am ending up with 528 groups.
2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
Problems/Questions:
How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
Am I even thinking of this the right way or is there a more noble way to do this?
Regards -
ADFBC 10.1.3.3 Row Level Security
Hello.
Till now, we have implemented Row Level Security through a database function, and using this function in all our view objects where clause.
We would like to remove this database function, and implement this kind of security with ADFBC. Is this possible ? VPD is not an option. We are trying to make our product database independent.
In general terms, we would need to check some conditions before creating the viewObjects rowset. I believe ADFBC does provide us with a mechanism to achieve this, but I'm not aware of how to do it.
Any help would be great.
Thanks a lot.
John
Thanks for the response Frank.
Our row level security is whether a certain user has the rights to view a specific database row. We have all this security mapped to the database. Today we have a database function that receives some parameters (to identify which entity use case is being queried) and returns yes or no, depending on the user rights.
I'm not sure how to achieve this using the RowImpl class. It's my understanding that a RowImpl class is always created when checking the row from the view object (hasNext() for example). But how do I fetch the current row, check if the user has the rights to view this row and return the fully filled row, or, if he doesn't have access to this row, remove it from the rowset? Is it possible to do this just by implementing the RowImpl class of my View Object? If so, which methods should I override to achieve this?
Thanks again -
Row-level Security Filters applied to Columns and Tables only? no Areas?
Good day all,
Just quick question (obiee 10.3.3.2) - Is there a way to edit row-level security using Whole subject areas (instead of bringing in the individual Fact tables and applying filters by copying/pasting them).
Follow up question - if I have nested facts in presentation layer (ones preceding with "-" - do I specifically add them to conditions, or would they be inherited by only including parent fact)?
Thanks!
Message was edited by:
wildmight
I'm not sure how that would help; by using the Faculty_ID Session Variable I can identify the CRN and Term of all courses a faculty member is teaching. But I don't think that has to do with the problem I am having?
-
Row-level security problem using VPD
Hi all,
I've implemented row-level security for my application using the following procedure:
1) Created a procedure for setting the context for the application:
PROCEDURE set_empno
IS
  emp_id NUMBER;
BEGIN
  BEGIN
    -- Look up the employee matching the logged-on database user and publish it
    -- into the emp_sel_context application context
    SELECT empno
      INTO emp_id
      FROM SCOTT.EMP
     WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
  EXCEPTION
    WHEN OTHERS THEN emp_id := 0;
  END;
END;
2) Created the application context:
CREATE CONTEXT emp_sel_context USING secman.app_security_context;
In which secman is my security schema and app_security_context is the name of above procedure package.
3) Created a function to access the application context:
FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
IS
  e_predicate VARCHAR2(2000);
BEGIN
  -- Predicate compares each row's empno with the value held in the session context
  e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
  RETURN e_predicate;
END emp_sec;
END;  -- closes the enclosing EMP_SECURITY package body that holds this function
4) Created a logon trigger:
CREATE OR REPLACE
TRIGGER INIT_CONTEXT AFTER LOGON ON DATABASE
BEGIN
  SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
END;
5) Added a policy on scott.emp like this:
begin
  dbms_rls.add_policy (
    object_schema   => 'SCOTT',
    object_name     => 'EMP',
    policy_name     => 'EMP_SEL_POLICY',
    function_schema => 'SECMAN',
    policy_function => 'EMP_SECURITY.EMP_SEC',
    statement_types => 'SELECT',
    update_check    => TRUE);
end;
My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
Any helps is really appreciated.
S/\EE|)i,
I suggest:
Create another table emp1 (logged on as scott); this table only includes empno and ename. Then insert a few records, then modify
procedure set_empno as:
PROCEDURE set_empno
IS
  emp_id NUMBER;
BEGIN
  BEGIN
    -- Same lookup as before, but against the new emp1 table
    SELECT empno
      INTO emp_id
      FROM SCOTT.EMP1
     WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
  EXCEPTION
    WHEN OTHERS THEN emp_id := 0;
  END;
END;
Certainly, you should grant SELECT on emp1 to the user who will be testing.
lixinzhu
2007/09/17 -
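As an added example (not the poster's or the replier's code), the same context-based design written so that a failed lookup is visible instead of silently producing "no rows selected". The names (emp_sel_context, SECMAN.APP_SECURITY_CONTEXT, SCOTT.EMP, EMP_SECURITY.EMP_SEC) are the ones from the question and the logon trigger from step 4 is assumed unchanged; the status attribute and the GRANT are assumptions. Two points it shows: the context-setting procedure runs with definer's rights, so SECMAN needs a direct SELECT grant on the table it reads (a privilege held through a role is not visible inside PL/SQL, and the resulting ORA-00942 is exactly the kind of error the original WHEN OTHERS swallows), and the policy function returns a deny-all predicate when the context attribute is missing, so a user whose context was never populated is denied outright rather than compared against NULL:

```sql
-- Run as SCOTT or a DBA: definer's-rights code in SECMAN cannot rely on role privileges.
GRANT SELECT ON scott.emp TO secman;

CREATE OR REPLACE PACKAGE secman.app_security_context IS
  PROCEDURE set_empno;
END app_security_context;
/

CREATE OR REPLACE PACKAGE BODY secman.app_security_context IS
  PROCEDURE set_empno IS
    emp_id NUMBER;
  BEGIN
    SELECT empno
      INTO emp_id
      FROM scott.emp
     WHERE UPPER(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'status', 'OK');
  EXCEPTION
    WHEN OTHERS THEN
      -- Leave 'empno' unset (the policy then denies every row) but record why, so a
      -- missing grant or a missing employee row can be seen from the session. Raising
      -- here instead would block logon for users without ADMINISTER DATABASE TRIGGER.
      DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'status', SUBSTR(SQLERRM, 1, 200));
  END set_empno;
END app_security_context;
/

-- Only the trusted package named here may write to the context (step 2 of the question).
CREATE CONTEXT emp_sel_context USING secman.app_security_context;

CREATE OR REPLACE PACKAGE secman.emp_security IS
  FUNCTION emp_sec(p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2;
END emp_security;
/

CREATE OR REPLACE PACKAGE BODY secman.emp_security IS
  FUNCTION emp_sec(p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    -- Fail closed: without a populated context nobody gets rows, and the reason is
    -- in the 'status' attribute rather than hidden behind an empty result.
    IF SYS_CONTEXT('emp_sel_context', 'empno') IS NULL THEN
      RETURN '1 = 2';
    END IF;
    RETURN 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
  END emp_sec;
END emp_security;
/

-- Diagnostics any user can run right after logging in, before querying scott.emp:
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')  AS session_user,
       SYS_CONTEXT('emp_sel_context', 'empno')  AS ctx_empno,
       SYS_CONTEXT('emp_sel_context', 'status') AS ctx_status
  FROM dual;

-- And, as SECMAN, the predicate the function would hand to VPD for this session:
SELECT secman.emp_security.emp_sec('SCOTT', 'EMP') AS predicate FROM dual;
```

If ctx_empno is NULL and ctx_status reads ORA-00942, the grant is missing; if it reads ORA-01403 (no data found), the session user's name does not match any ename. Either way the user sees nothing until the cause is fixed, which is the safer default for a row-level policy.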
Suggestion required for using row level security
We have a scenario to provide row level security to some of the transaction tables like HR_EMPLOYEE which has a foreign key column DEPT_ID to HR_DEPARTMENTS table. This table may grow up to about 5 million records. There could be regular SELECT operations on this table and not so frequent UPDATES compared to the SELECT operation.
We were looking at the following approaches...
Table :
HR_EMPLOYEE
EMPNO
DEPT_ID
LAST_NAME
FIRST_NAME
1. Enable Oracle Label Security policy on this table and use static predicates.
In this approach we add the OLS policy column (POLICY_COLUMN) and add predicate to access data.
e.g. we will be giving access to global data by predicate like
OR POLICY_COLUMN =CHAR_TO_LABEL('POLICY_NAME','C::DEPT1')
where C::DEPT is the OLS Label
2. Using VPD policy. We do not add any column; instead we use the existing column DEPT_ID to provide row label security. In this approach the DEPT_ID is to be compared against an additional table and the DOMINATES function will be used to verify the permission for the user to access the data.
e.g. In this approach, the policy function is like
'DOMINATES(char_to_label(''POLICY_NAME'', SA_SESSION.LABEL(''POLICY_NAME''))
,char_to_label(''POLICY_NAME'', POLICY_PKG.GET_LABEL_FROM_DEPTID(DEPT_ID))) = 1'
The GET_LABEL_FROM_DEPTID function returns the OLS label for the corresponding department. This is compared with the user's session label and appropriate rows are given access.
Can someone suggest which of the above approaches is more performance effective considering the number of records and the additional OLS column added to the table.
Hi there,
would you be able to describe as detailed as possible what you want to achieve? From my first glimpse at your code, it seems as if you are using both OLS and VPD in a rather extraordinary way.
Best, Peter -
Row level security without using VPD
I am wondering if there is a way to have row level security in APEX without having to use the virtual private database (VPD). I cannot afford the Enterprise Edition license that is required for VPD.
I need a way to customize the list of rows that appear for each user on a report page.
For example, I only want managers to be able to see their employees and not employees of other managers.
Thanks for your help !
-Reid
While it won't provide all the features that Oracle RLS does, you can leverage Oracle 'Contexts' to provide a form of Row Level Security.
This article describes how
http://www.dbazine.com/oracle/or-articles/jlewis15
Within APEX you can set your application to call the 'context' setting function in the 'VPD' section of the 'Edit Security Attributes' page.
Varad -
Row Level Security in OBIEE using OID as authentication Mechanism
Hi OBIEE Gurus,
I am trying to implement Row Level Security in OBIEE . Currently I have setup OBIEE to have OID do the user authentication.
I want to implement RLS by doing the following :
1. Have Security Groups defined in OID and assign users with group membership.
2. Import these Security Groups into OBIEE metadata
3. Apply filters to these Security Groups
4. Run Answers requests to see if RLS works or not
Please let me know if this approach works. If this is not the right way or most efficient way to do this, please let me know if there is any document I can follow to accomplish this.
Appreciate your help.
Edited by: drakesh on Sep 26, 2008 7:09 AM
Follow the steps in the following link to set up OID and Row level security:
http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/
Instructions for the link above:
1. In place of Edit Data Source as database you have to select LDAP, define the groups and default initializer as filter expression.
2. A simpler approach is to create the groups explicitly using the Security Manager in BI Administrator, add filters to those groups, and assign users to those groups.
Otherwise follow Matt's view
Thanks,
Amrita -
How to apply row level security against the database administrator
I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
Digital signature - there is a need to manage and keep the private key in a safe place outside of the DB
Are there additional ways to achieve the aim?
Does VPD help to prevent the DBA from editing/viewing data in specific rows?
Yes.
If I correctly understand, the DBA has full access to the security policy used by VPD to control the access and can grant himself privileges that I don't want.
You can define which users are exempt from the policies, for the context or by GRANT EXEMPT.
This includes DBAs.
The simple fact of being DBA doesn't guarantee the exemption.
Everything goes to depend of the VPD config. -
Row-level security(VPD) problem
Hi,
ADF BC, Jdeveloper 11.1.1.3.0
We want to implement Row-level security in ADF by VPD, and do following:
1, create VPD policy according to the following sample
http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
I appreciate your suggestion.
thanks
So how did you tell WebLogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.
-
Column Level Security Using VPD under oracle 11g
Hi
I am using an example from Oracle Database 10g: Advance Security -- Virtual Private Databases
1. The Application Context -- that sets the session environment for the use is ok.
2. The Logon Trigger that executes the above is ok. It had been tested.
3. The Security Policy that returns a predicate after checking the output of the Application Context is ok.
4. The security policy applied to the STOCK_TRX table is ok.
5. Select and Insert from the database work.
However, after dropping both the insert and select policy, I am having problem getting a select policy to work with column-level VPD. I will get the ORA-28104 -- input value for statement type is not valid and ORA-06512 at SYS.DBMS_RLS line 20. See code below
begin
DBMS_RLS.ADD_POLICY
('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY', 'PRACTICE', 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY', 'PRICE');
end;
Note:
PRICE is the sec_relevant_cols
STOCK_TRX is the table
Can you please help.
Thx
The syntax for row level security is not the same as for column level security. All the parameters to the DBMS_RLS.ADD_POLICY() procedure should be preceded by the type of the parameter, for example:
begin
  DBMS_RLS.ADD_POLICY(object_schema => 'PRACTICE', ... sec_relevant_cols => 'PRICE');
end;
I did not know this before. I thought they were there in the example for explanatory reasons. I decided to answer the question for myself because I know others have the same interpretation. -
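As an added example (not code from the thread), the same policy registered with named parameters, in both column-level forms. In the positional call in the question, the sixth positional argument of ADD_POLICY is statement_types, so 'PRICE' is being read as a statement type, which is what ORA-28104 reports. The schema, table, policy name and function name are the question's; the policy function is assumed to already exist in PRACTICE with the standard two-parameter signature, and its predicate is not shown here. The first call hides rows that fail the predicate whenever a statement references PRICE; the second, with sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS, returns every row but replaces PRICE with NULL in the rows that fail:

```sql
-- Row-filtering variant: rows failing the predicate are hidden, but only for
-- statements that reference PRICE. A SELECT that omits PRICE is not filtered at all,
-- so choose the relevant columns with that in mind.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'PRACTICE',
    object_name       => 'STOCK_TRX',
    policy_name       => 'STOCK_TRX_SELECT_POLICY',
    function_schema   => 'PRACTICE',
    policy_function   => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'PRICE');
END;
/

-- Column-masking variant: all rows come back, PRICE is NULL where the predicate
-- fails. Masking is only valid for SELECT policies, which is why statement_types
-- stays 'SELECT' here. The previous registration is dropped first because a policy
-- name must be unique per object.
BEGIN
  DBMS_RLS.DROP_POLICY('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY');
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'PRACTICE',
    object_name           => 'STOCK_TRX',
    policy_name           => 'STOCK_TRX_SELECT_POLICY',
    function_schema       => 'PRACTICE',
    policy_function       => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PRICE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Confirm which form is active: the data dictionary records both settings.
SELECT policy_name, sel, sec_relevant_cols, sec_relevant_cols_opt
  FROM all_policies
 WHERE object_owner = 'PRACTICE' AND object_name = 'STOCK_TRX';
```

Which form is right depends on what the rows mean: if the existence of a trade is itself sensitive, the row-filtering form is the one to use; if users may see the trade but not its price, masking is the better fit.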
VPD (Row Level Security) Implementation at Middle Layer
Hi All,
Is there any provison to implement Row Level Security at the Entity Object level?
We have a table where in some rows need to be displayed based on the user logged in.
We are aware of the VPD implementation using a function and adding a policy.
We are looking for implementing VPD at the Middle Tier.
Any help in this regard will be greatly appreciated.
Thanks in Advance,
Raghu
Raghu,
Assuming you are talking about ADF Entity Objects - yes. The standard way of doing this would be to override prepareSession() in your Application Module to set whatever information you may need in the database session in order to identify your user, and use that information in your VPD policy. If you Google about, you can find some good information, including this post (it's for JHeadstart, but the concept applies just fine): http://blogs.oracle.com/jheadstart/2007/11/row_level_security_using_vpd_a.html
John -
Row level security in discoverer desktop
Currently, I have designed a business area on one of my star schemas, and I created several other business areas in order to allow different levels of users to view the pre-defined reports on Discoverer Desktop. I want different users to view different data from my star schema tables, so I created some criteria on those business areas.
e.g. condition on bus_area1 : sales_manager="man01",
condition on bus_area2 : sales_manager="man02"
In short, I want to enable record level security by using Discoverer's conditions.
But unfortunately, even though I un-checked the "Create/Edit Query" privilege in Discoverer Administrator for those users, they can still modify the worksheet. So they can just remove my condition and view data that they should not be able to see.
can any one tell me how to solve this problem, or how to do row level security in discoverer?
What can I do if I want to disable "edit worksheet" in discoverer desktop from users??
thanks in advance..
Marco
Marco,
Probably the best way to achieve row-level security is to upgrade to 9.0.4.1 and take advantage of the new functionality of Discoverer to pass the SSO user to the DB query. You would apply Oracle Fine Grained Security/VPD/striping on the DB tables using a policy based on SSO userid. Then using Disco 9.0.4.1 the user would see only the data they are privileged to see. However this works only in a web environment (Discoverer Plus, Viewer and Portlets) not for Desktop.
Discoverer Product Management - mpd