Row Level Security (VPD)

Similar Messages

• Row-level security(VPD) problem

  Hi,
  ADF BC, Jdeveloper 11.1.1.3.0
  We want to implement Row-level security in ADF by VPD, and do following:
  1, create VPD policy according to the following sample
  http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
  2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
  The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
  We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
  I appreciate your suggestion.
  thanks

  So how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.

• Row level security in OBIEE 11g: Which is better: VPD or RPD

  We can apply row level security in OBIEE by 2 ways.
  1. by Creating Initialize Block in RPD
  2. or Applying VPD in Database, which restricts source tables
  Which one is more efficient and why?
  Thanks,
  Sunil Jena

  you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• Urgent: row level security with VPD

  Has any one implemented the row level security in Virtual private database(VPD) for Discoverer.
  Please let me know how well does it work with discoverer and are there any flip sides that one needs to be aware of.
  Thanks

  authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
  Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.

• VPD (Row Level Security) Implementation at Middle Layer

  Hi All,
  Is there any provison to implement Row Level Security at the Entity Object level?
  We have a table where in some rows need to be displayed based on the user logged in.
  We are aware of the VPD implementation using a function and adding a policy.
  We are looking for implementing VPD at the Middle Tier.
  Any help in this regard will be greatly appreciated.
  Thanks in Advance,
  Raghu

  Raghu,
  Assuming you are talking about ADF Entity Objects - yes. The standard way of doing this would be to over-ride prepareSession() in your Application Module to set whatever information you may need in the database session in order to identify your user and use that information in your VPD policy. If you Google about, you can find some good information, including [url http://blogs.oracle.com/jheadstart/2007/11/row_level_security_using_vpd_a.html]this (it's for JHeadstart, but the concept applies just fine).
  John

• Row level security without using VPD

  I am wondering if there is a way to have row level security in APEX without having to use the virtual private database (VPD). I cannot afford the Enterprise Edition license that is required for VPD.
  I need a way to customize the list of rows that appear for each user on a report page.
  For example, I only want managers to be able to see their employees and not employees of other managers.
  Thanks for your help !
  -Reid

  While it wont provide all the features that Oracle RLS does, you can leverage Oracle 'Contexts' to provide a form of Row Level Security.
  This article describes how
  http://www.dbazine.com/oracle/or-articles/jlewis15
  Within APEX you can set your application to call the 'context' setting function in the 'VPD' section of the 'Edit Security Attributes' page.
  Varad

• Row-level security problem using VPD

  Hi all,
  I've implemented row-level security for my application using the following procedure:
  1) Created a procedure for setting the context for the application:
  PROCEDURE set_empno
  IS
  emp_id NUMBER;
  BEGIN
  BEGIN
  SELECT empno
  INTO emp_id
  FROM SCOTT.EMP
  WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
  DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
  EXCEPTION
  WHEN OTHERS THEN emp_id := 0;
  END;
  END;
  2) Created the application context:
  CREATE CONTEXT emp_sel_context USING secman.app_security_context;
  In which secman is my security schema and app_security_context is the name of above procedure package.
  3) Created a function to access the application context:
  FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
  IS
  e_predicate VARCHAR2(2000);
  BEGIN
  e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
  RETURN e_predicate;
  END;
  END;
  4) Created a logon trigger:
  CREATE OR REPLACE
  TRIGGER INIT_CONTEXT AFTER
  LOGON ON DATABASE
  BEGIN
  SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
  END;
  5) Added a policy on scott.emp like this:
  begin
  dbms_rls.add_policy (
  object_schema => 'SCOTT',
  object_name => 'EMP',
  policy_name => 'EMP_SEL_POLICY',
  function_schema => 'SECMAN',
  policy_function => 'EMP_SECURITY.EMP_SEC',
  statement_types => 'SELECT',
  update_check => TRUE
  end;
  My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
  Any helps is really appreciated.
  S/\EE|)

  i,
  I suggest:
  create another table emp1(logon with scott),this table only include empno,ename,then insert a few record,then modify
  procedure set_empno as
  PROCEDURE set_empno
  IS
  emp_id NUMBER;
  BEGIN
  BEGIN
  SELECT empno
  INTO emp_id
  FROM SCOTT.EMP1
  WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
  DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
  EXCEPTION
  WHEN OTHERS THEN emp_id := 0;
  END;
  END;
  certainly ,you should grant select on emp1 to the user who will be test.
  lixinzhu
  2007/09/17

• How to implement row level security?

  Hi all,
  There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
  Many Thanks
  Amy

  Here are two options to achieve what you want.
  A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
  1. create a security codes table. Say for example
  001 - company a
  002 - company b
  2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
  3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
  4. update all data in the tables according to which company they belong to.
  5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
  With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
  B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
  Table name = Employee.
  Create a view employee_a on employee
  create a view employee_b on employee
  Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
  create synonym employee on employee_a in x schema.
  create synonym employee on employee_b on y schema.
  This i have not tried but believe should work.
  Hope one of these options serve your purpose.

• ADFBC 10.1.3.3 Row Level Security

  Hello.
  Till now, we have implemented Row Level Security through a database function, and using this function in all our view objects where clause.
  We would like to remove this database function, and implement this kind of security with ADFBC. Is this possible ? VPD is not an option. We are trying to make our product database independent.
  In general terms, we would need to check some conditions before creating the viewObjects rowset. I believe ADFBC does provide us with a mechanism to achieve this, but I'm not aware of how to do it.
  Any help would be great.
  Thanks a lot.
  John

  Thanks for the response Frank.
  Our row level security is if a certain user, has the rights to view a specific database row. We have all this security mapped to the database. Today we have a database function that receives some parameters (to identify which entity usecase is beeing queried) and returns yes or no, depending on the user rights.
  I'm not sure how to achieve this using the RowImpl class. It's my understanding that this a rowImpl class is always created when checking the row from the view object (hasNext() for example). But how do I fetch the current row, check if the user has the rights to view this row and return the fully filled row, or if he doesn't have access to this row, I would need to remove this row from the rowset. Is it possible to do this, just by implementing the rowimpl class of my View Object ? If so, which methods should I override to achieve this ?
  Thanks again

• How to apply row level security against the database administrator

  I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
  There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
  HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
  Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
  Is there additional ways to achieve the aim?

  Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
  If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
  This includes DBAs.
  The simple fact of being DBA doesn't guarantee the exemption.
  Everything goes to depend of the VPD config.

• Row-Level Security

  Hi.
  Currently we are running oracle 8.0.5 (client/server mode). We will very soon swith to 9iAS 3-tier web interface with oracle8i database, but before that we would like to know if row-level security or VPD is also supported by oracle8i database.
  People here, in my company, still don't have the full picture about oracle9i and they prefer to install oracle8i for stability reasons. Do you recommend us to go for oracle9i instead?

  Hi,
  Row-level security is very much supported in
  8i (8.1.6.x) using the dbms_rls package.
  You can search the documentation on OTN for examples and more information. A note of caution, be careful where and how you plan to use it, due to performance implications, expecially if you are trying to filter a large number of rows.

• Row level security.... yes or no in HTMLDB???

  Hi Guys,
  This is just a little confusing... in the application developer of HTMLDB, it has a section to implement VPD features, but when I come round to doing pete finnigans (http://www.securityfocus.com/infocus/1743) RLS tutorial, i get the following error when creating the vpd policy:
  ORA-00439: feature not enabled: Fine-grained access control.
  So can I get row level security to work in Oracle XE or do I have to integrate Oracle 10g EE with HTMLDb to get this to work?
  If so... how do I do that?
  Best Regards
  Shahram Shirazi

  Virtual private database / fine grained access control is not supported in Oracle XE, it is an Enterprise Edition feature.
  http://download-uk.oracle.com/docs/cd/B25329_01/doc/license.102/b25456/toc.htm#BABECIEG
  Re: Got ORA-00439:  feature not enabled: Fine-grained access control
  ~Dietmar.

• [Security]   Row-level security in ADF

  Hi all,
  I want to implement row-level security in my application, the scenario is like this:
  There are several users that connect to the application
  These users are authenticated in some way (XML file, OID, DB)
  When each user wants to access (Select, Update, Delete) an ADF Table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do, must be concatenated to his DML, transparent from the user.
  So if for example a user queries the Emp Salary table only records with salary < 10K/Month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
  I have tried VPD and it has some useful features but my problems are:
  1) Where and how to define the 'where conditions'?
  2) How to attach the 'where conditions' to the executing DML?
  3) What is the best way to make DB know which user is really executing DMLs? (Not a single Application Server admin user)
  4) What is the best authentication approach?
  Any helps will be really appreciated.
  S/\EE|)

  Hi,
  yes you can. Database proxy user is setup in the prepare session method as well and EUS can be configured to take the J2EE username to then re-connect the app to teh database schema
      public void prepareSession(SessionData SessionData)
         super.prepareSession(SessionData);
         oconn = ((PrxyTransactionImpl)this.getDBTransaction()).getPrxyConnection();
         // Specify the user that connects through the proxy user and its roles
         Properties prop = new Properties();
         prop.put(OracleConnection.PROXY_USER_NAME,"hr");
         //prop.put(OracleConnection.PROXY_ROLES, roles);
         String appContext = "Begin ctxhrpckg.set_userinfo('"+getApplicationUserName()+"'); END;";
         java.sql.CallableStatement st= null;
        // Open the proxy session (DB-authenticated users)
        try
          oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
          st = getDBTransaction().createCallableStatement(appContext,0);
          st.execute();
        catch (SQLException e)
          e.printStackTrace();
  package oracle.sample.dbprxy.adfbc;
  import oracle.jbo.server.DBTransactionImpl2;
  import oracle.jbo.server.DatabaseTransactionFactory;
  * TransactionFactory that returns PrxTransactionImpl, which is a subclass of
  * DBTransactionImpl2
  * @author Frank Nimphius
  public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory
    public PrxyDatabaseTransactionFactory()
      super();
     * Override the create method to return an instance of PrxyTransactionImpl instead
     * of DBTransactionImpl2
     * @return PrxyTransactionImpl
    public DBTransactionImpl2 create()
      return new PrxyTransactionImpl();
  package oracle.sample.dbprxy.adfbc;
  import oracle.jbo.server.DBTransactionImpl2;
  import oracle.jdbc.OracleConnection;
  public class PrxyTransactionImpl
    extends DBTransactionImpl2
    public PrxyTransactionImpl()
      super();
     * The DBTransactionImpl2 does not expose the connection in a public
     * method. This class is a wrapper to expose the connection to the
     * BC app, so it can be accessed in the ApplicationModuleImpl class
     * @return OracleConnection - SQL Connection
    public OracleConnection getPrxyConnection()
      return (OracleConnection) this.getJdbcConnection();
  }Note that for EUS ApplicationModule pooling should be disabled
  Frank

• Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)

  To the Universe Gurus out there:
  I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
  Background:
  We have 11 tables that are to be restricted.
  Each table is accessible to potentially 1..* group of users only.
  For eg SALES is accessible to ALL_SALES members only.
  Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
  For eg
  1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
  2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
  3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
  This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
  Results:
  1) With the way I laid out the business rules above, I am ending up with 528 groups.
  2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
  Problems/Questions:
  How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
  AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
  Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
  Am I even thinking of this the right way or is there a more noble way to do this?
  Regards

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.