Some thoughts about VPD (Virtual Private Database)

You may be interested in some of the brief articles I recently published on Virtual Private Database. You will find them here:
Pop-quiz: VPD policy that depends on a table with a policy…- http://technology.amis.nl/blog/index.php?p=812
Another Pop-Quiz: Whose VPD policy is used when executing SQL in a (definer rights) package? - http://technology.amis.nl/blog/index.php?p=817
best regards,
Lucas

But I think you know what it is and what it is for...
In that case, you must also know that some particularities exist.
For example, to implement row-level security we need to define the security policy to be applied, that is, the restriction that will be enforced (similar to a WHERE clause).
After that, we must select the relevant columns, the ones that will be masked.
And finally, add the policy functions.
Doing this manually, creating, modifying or maintaining it, is quite complicated.
For this, SQL Developer, through its graphical interface, would solve the problem definitively.
Perhaps, if it is not possible to add the VPD functionality, it would be interesting to create something for application contexts.
I mention both VPD and application contexts because, generally, those who have Enterprise Edition use VPD, but those who only have Standard or Standard One apply row-level security policies by means of views, triggers and application contexts.
Message was edited by:
ARF
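The steps ARF lists (a WHERE-like restriction, the policy function, attaching the policy) written out by hand, as an added example that is not code from any of the posts on this page. It also shows the view-based variant ARF mentions for Standard Edition, driven by the same application context. The schema APP, a table ORDERS with a TENANT_ID column, the context APP_SEC and the package ORDERS_SEC are assumptions made for illustration.

```sql
-- Added example, not code from the posts above. APP.ORDERS (with TENANT_ID),
-- context APP_SEC and package ORDERS_SEC are assumed names.

-- 1. Application context. Only the named package may write to it, so a user
--    cannot set their own tenant_id. (Creating it needs CREATE ANY CONTEXT.)
CREATE OR REPLACE CONTEXT app_sec USING app.orders_sec;

CREATE OR REPLACE PACKAGE app.orders_sec AS
  PROCEDURE set_tenant (p_tenant_id IN NUMBER);
  FUNCTION  tenant_predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END orders_sec;
/

CREATE OR REPLACE PACKAGE BODY app.orders_sec AS
  -- Called once per session, e.g. from a logon trigger or the application's
  -- login step. A real implementation derives the tenant from the
  -- authenticated identity instead of trusting a caller-supplied value.
  PROCEDURE set_tenant (p_tenant_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('app_sec', 'tenant_id', TO_CHAR(p_tenant_id));
  END set_tenant;

  -- Policy function: DBMS_RLS requires exactly this (schema, object) signature
  -- and appends the returned string to every statement as an extra condition.
  -- If set_tenant was never called, SYS_CONTEXT returns NULL, the comparison
  -- is never true and the session sees no rows: the policy fails closed.
  FUNCTION tenant_predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    RETURN 'tenant_id = TO_NUMBER(SYS_CONTEXT(''app_sec'', ''tenant_id''))';
  END tenant_predicate;
END orders_sec;
/

-- 2. Enterprise Edition: attach the predicate to the table itself. Every
--    access path (application, SQL*Plus, a report tool) is rewritten, and with
--    update_check a session cannot INSERT or UPDATE a row into another tenant.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_TENANT_POLICY',
    function_schema => 'APP',
    policy_function => 'ORDERS_SEC.TENANT_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- 3. Standard Edition (no DBMS_RLS), the approach ARF mentions: the same
--    context drives a view; users are granted the view and never the table.
--    WITH CHECK OPTION plays the role of update_check for DML through the view.
CREATE OR REPLACE VIEW app.orders_v AS
  SELECT *
    FROM app.orders
   WHERE tenant_id = TO_NUMBER(SYS_CONTEXT('app_sec', 'tenant_id'))
  WITH CHECK OPTION;

-- Session usage (both variants):
--   EXEC app.orders_sec.set_tenant(42);
--   SELECT COUNT(*) FROM app.orders;     -- EE: only tenant 42's rows
--   SELECT COUNT(*) FROM app.orders_v;   -- SE: same filter, via the view
--
-- Caveats: SYS and any user holding EXEMPT ACCESS POLICY bypass VPD; the
-- Standard Edition view is only as strong as the grants, since a direct
-- SELECT on APP.ORDERS is not filtered at all.
```

The difference between the two variants is where the guarantee lives: the VPD policy follows the table through any synonym, view or ad hoc query, while the view only protects callers who have no other route to the base table.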

Similar Messages

  • Using VPD (Virtual Private Database) with Discoverer for Dummies

    Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view the thread that started it all: BIS vs DBI vs Noetix.
    Otherwise I’m hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and its performance. I've just read that:
    “Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
    VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
    With Regards to Discoverer, I would like to ask the following:
    -When would be best to use VPD in Discoverer?
    -Pros and cons of VPD?
    -Tips / Tricks?
    -and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
    I've found a few handy links:
    http://www.adp-gmbh.ch/ora/security/vpd/index.html
    http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
    As Metalink support would say: I'm looking forward to your ‘Positive’ comments. ;-)
    Lance

    Lance,
    You sure do raise some interesting questions here.
    I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries; http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
    If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
    I trust "My Positive Comment" may help!!
    Merry Christmas
    Si ;-)
    P.S. This may also come in handy if running 10g: http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm
    Message was edited by:
    Simon Pittaway

  • SES with VPD (Virtual Private Database)?

    I am trying to use SES to search a database with row-level security enabled in the form of VPD. My plan is to have SES index the database as a user with read permissions on all data, and likely use Query-Time Authorization to filter results.
    The trouble is, I cannot see how to have SES call the set_app_ctx() procedure at crawl time to set the application context (in my test case, with user name). As such, nothing is indexed. I am using the Database crawler to index the source. Is this possible at all using the Database crawler?
    Thanks in advance.

    Thanks for your reply.
    I don't know an awful lot about VPD either ;-). But I don't see how I could embed the call in the select.
    I will investigate implementing a custom crawler, but I have been led to believe that doing so is anything but trivial. It would be handy if I could extend the included Database crawler, or see the source code for it...

  • Can VPD (Virtual Private Database) be defined at EBS's responsibility level?

    Hi all,
    I would like to have a restriction of customer data when querying the EBS Customer Form (ARXCUDCI.fmb).
    E.g. when I log in to a newly created responsibility that has only one menu access, Standard Customer. When I search on Customer, only Sales_Channel_Type = RTL is allowed to be displayed. Can I leverage the VPD feature to do this restriction of data? It's only this new responsibility that has this restriction; the rest of the responsibilities are allowed to query all types of customers.
    Form personalization, which I have been testing, is not the best approach for doing the above.
    Hope someone can give some advice about this?
    Regards,
    Lygine

    Hi;
    Please check below which could be helpful for your issue:
    https://blogs.oracle.com/stevenChan/entry/virtual_private_database_in_eb
    Also see:
    How do I open a form specific to particular user?
    http://forums.oracle.com/forums/thread.jspa?threadID=2154178&tstart=0
    Regards
    Helios

  • Using the FOR UPDATE clause in VPD (Virtual Private Database)

    Hi,
    We are using the FOR UPDATE clause in our procedure to explicitly lock rows in a particular table, as shown below:
    SELECT AMOUNT
      INTO T_Amount
      FROM INTERFACE_TABLE
     WHERE ROWID = :B1
       FOR UPDATE OF BANK_ACCOUNT_NUM NOWAIT;
    But this statement is giving the following error in VPD:
    ORACLE error 1733 in FDPSTP
    Cause: FDPSTP failed due to ORA-01733: virtual column not allowed here.
    We need to lock rows in that particular table until the commit is issued, so as to prevent the update of the rows which are being processed.
    Is there any other way in which this can be achieved.
    Thanks & Regards,
    Brahmendra Kashyap

    From the docs, which you didn't read:
    ORA-01733 virtual column not allowed here
    Cause: An attempt was made to use an INSERT, UPDATE, or DELETE statement on an expression in a view.
    Action: INSERT, UPDATE, or DELETE data in the base tables, instead of the view.
    Can you explain why you didn't read the docs? I'm just curious why so many people do absolutely nothing to resolve their problem (they would learn Oracle by doing so) and request to be spoon fed.
    Sybrand Bakker
    Senior Oracle DBA
    Experts: those who did read the documentation.

  • VPD (Virtual Private Database)

    Is there some possibility of implementing tools for the configuration and development of VPD inside SQL Developer?


  • (VPD) Virtual Private Database Question?

    Hi All,
    I have a question regarding VPD. I want to implement column-level security; the scenario is: (Oracle 9i, 10g)
    TABLE
    =======
    CUSTOMER
    (cust_id, name , address, phone, email ) etc
    There is one user "PIN" in which all objects are created and stored, and other users have been granted rights through synonyms created in their schemas.
    My question is: all users can access/fetch all rows of the customer table, but they should not see the address and phone fields; these 2 fields should be NULL for them. Is it possible to implement this security policy through VPD?
    prompt reply would be appreciated.
    regards
    qamar
    Edited by: qamarsyed on Nov 5, 2008 12:43 PM

    From the same example, I created the function to exclude all department numbers from DEPT table and I got what you were looking for. But based on your requirement, this function can prove to be costly.
    SQL> ed
    Wrote file afiedt.buf
    CREATE OR REPLACE FUNCTION pf_job (oowner IN VARCHAR2, ojname IN VARCHAR2)
    RETURN VARCHAR2 AS
      con VARCHAR2 (200);
    BEGIN
      -- a predicate that is false for every EMP row whose DEPTNO exists in DEPT,
      -- so the columns the policy masks come back NULL on every row
      con := 'deptno not in (select deptno from dept)';
      RETURN (con);
    END pf_job;
    SQL> /
    Function created.
    And here is the output from the other user.
    SQL> /
        DEPTNO      EMPNO ENAME             SAL       COMM
            20       7369 SMITH
            30       7499 ALLEN
            30       7521 WARD
            20       7566 JONES
            30       7654 MARTIN
            30       7698 BLAKE
            10       7782 CLARK
            20       7788 SCOTT
            10       7839 KING
            30       7844 TURNER
            20       7876 ADAMS
            30       7900 JAMES
            20       7902 FORD
            10       7934 MILLER
    14 rows selected.
    SQL>

  • Oracle Virtual Private Database (VPD), Column Level Security

    Hello,
    About Oracle Virtual Private Database (VPD), is it possible to set a Column Level Security without setting a Row Level Security (without using any predicate)?
    Thanks,
    Herve.

    Thanks, Zoran.
    A colleague shared with me a link containing a function that does not return a predicate (using the SYS_CONTEXT function to skip the row restriction).
    Herve.
    Link
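    The column-only restriction qamar asked for in the thread above, and Herve's question of whether it can be done with no row restriction at all, as an added example that is not code from either thread. It assumes qamar's schema PIN and its CUSTOMER table with ADDRESS and PHONE columns; the function and policy names are made up here. Column masking (sec_relevant_cols) exists from 10g onwards, so on 9i a view that NULLs the columns is the only option.

```sql
-- Added example, not code from the threads above. Schema PIN and table
-- CUSTOMER come from qamar's post; MASK_CONTACT_COLS and the policy name
-- are assumed. Requires 10g or later (sec_relevant_cols).

-- Policy function: returns a predicate that is FALSE for every row. Combined
-- with the ALL_ROWS option below this hides no rows; it only NULLs the
-- sec_relevant_cols on rows that fail the predicate, which here is all of them.
-- '1=2' is a constant, so it costs nothing at run time, unlike a subquery such
-- as 'deptno not in (select deptno from dept)'.
CREATE OR REPLACE FUNCTION pin.mask_contact_cols (p_schema IN VARCHAR2,
                                                  p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN '1=2';
END mask_contact_cols;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'PIN',
    object_name           => 'CUSTOMER',
    policy_name           => 'CUSTOMER_MASK_CONTACT',
    function_schema       => 'PIN',
    policy_function       => 'MASK_CONTACT_COLS',
    statement_types       => 'SELECT',           -- column masking is SELECT-only
    sec_relevant_cols     => 'ADDRESS,PHONE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS); -- keep the rows, blank the columns
END;
/

-- What a granted user sees, through a synonym or as PIN.CUSTOMER directly:
--   SELECT cust_id, name, address, phone FROM pin.customer;
--   every row is returned; ADDRESS and PHONE are NULL on each of them.
--
-- To let one account see real values while everyone else is masked, make the
-- predicate depend on the session instead of being a constant, for example
--   RETURN 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''PIN''';
-- which is TRUE (unmasked) for PIN and FALSE (masked) for any other user.
--
-- Caveats: without sec_relevant_cols_opt the same policy would HIDE every row
-- instead of masking two columns; the table owner is subject to the policy
-- like anyone else; SYS and holders of EXEMPT ACCESS POLICY bypass VPD.
```

    This is also the answer to Herve's question: the row restriction is whatever the predicate says, and with ALL_ROWS a predicate that is false everywhere restricts no rows and masks every row, so column-level security stands on its own.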

  • Implement row-level security using Oracle's Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracle's Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/“application” database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in sync.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user, which is set using arrobaVariable('BOUSER')
    app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect at the same time? Business Objects shares the generic app_user connect string. However, every user that logs on will have their own unique proxy user credentials. Will there be any contention involved? If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and Business Objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user), then the user exits out. Based on our test today, it seems like the database connection remains open. In that case, if another user logs on similarly with their credentials, will Business Objects simply assign the first user's connection to that second user? If so, then our security will not work. Is there a way that Business Objects can somehow ensure that every time we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level: how connection pooling works in general and how it is implemented in BO, i.e. how new connections are assigned, how they are recycled, how they are closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that “Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.”
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END;
    ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being “executed” on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    The ConnectInit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    -- The context must exist first and name this procedure as its trusted package:
    --   CREATE OR REPLACE CONTEXT session_values USING vpd_setup;
    CREATE OR REPLACE PROCEDURE vpd_setup (p_user VARCHAR2) IS
    BEGIN
      -- DBMS_SESSION.SET_CONTEXT is the call that writes an application context value
      DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
    END vpd_setup;
    /
    Then you can retrieve the value of the context variable in your VPD functions
    and set the VPD.

  • About Virtual Private Database

    Hi All,
    Oracle provides two ways to implement DB security.
    1. RBAM (Role-based access model)
    2. RLS (Row level security)
    So the query is: which one is the best method for implementing security in the database, supposing we don't have any requirement for row-level restrictions?
    I wanted to see the pros and cons of both methods.
    Thanks a lot for your help!
    Thanks
    Sandeep

    Hi Sandeep,
    Row level security (RLS) and Virtual Private Database (VPD) are the same thing, which provides a database-applied row level filtering mechanism through some context that is set for the database connection. As you don't believe you need this then I suppose this is redundant.
    Role based security is based around a system of grants and privileges between database users/schemas. This is becoming increasingly redundant these days from a database applications point of view because many (maybe most) applications designed these days have users connect to the database using a common database user and must therefore control user access through application controlled mechanisms.
    So it also depends on your application on whether Role based security is of any use to you, or if you have to create your own security mechanism in your application. Which you have to do anyway for application objects that aren't database owned, such as screens, reports, buttons, fields, tabs etc.
    Regards
    Andre

  • About virtual private databases

    I've read in the documentation that:
    Oracle Virtual Private Database enforces security, to a fine level of granularity, directly on database tables, views, or synonyms. Because you attach security policies directly to these database objects, and the policies are automatically applied whenever a user accesses data, there is no way to bypass security.
    Ok, but can't I specify a policy using a trigger on a table, let's say? So, instead of using VPD to dynamically generate a policy and append it to the where clause, I could specify a where condition in the trigger and, based on which user logs on, select only specific data. What are the advantages of using VPD instead of specifying those conditions in another way?
    Thanks

    Roger22 wrote:
    What are the advantages of using VPD instead of specifying those conditions in another way?
    Single schema. Single set of tables. Used by 100's of customers. While guaranteeing that one customer cannot CRUD data of any other customers. And this guarantee is at SQL level. So while having full SQL access to the schema objects, that customer will see that schema as only containing his data and nothing else.
    This in a nutshell is a VPDB.
    And it is impossible to provide that guarantee at SQL level using any other way.
    Views and triggers? Not as robust. Not as secure. Not as flexible. A lot more moving parts, which means an increase in complexity and potential problems and bugs.

  • Use of Virtual Private Database

    Hello
    Our company is in e-business and wants to explore new features of Oracle 9i for the next project. One of the options for security is Virtual Private Database. I was just wondering how useful VPD is in an application where there is connection pooling? I mean, in our case we will be using Application Server in the middle tier, and so all users who log on to AS will finally go to the database as the XYZ user. What are the pros and cons of using VPD in such a scenario?
    I know the Oracle Manual talks about the use of Global Application Context, but I was wondering if anyone who has implemented this, or thought of implementing it, would like to share his / her views on this.
    Any white paper or document is welcome.
    thanks
    Vijay

    Hello,
    I am also looking for the same information. Though there is lot of info on setting up VPD for Oracle users, there is no material/document which describes how VPD can be implemented for 3-Tier application. I use an Application server to connect to Oracle 9i.
    Did you get any leads?
    Thanks,
    Srinivasan

  • Virtual Private Database

    Hi All,
    We are using Oracle 11g R2 and we would like to implement Virtual Private Database.
    We have an application connected to LDAP with several users. The users are also created in WebLogic. The application is using only one Oracle schema with many tables.
    Unfortunately the application we are using does not implement Row Level Security, so we thought about using VPD, but as I understood you can implement it by creating multiple user schemas in the database; however, in our case we have only one schema.
    The question is then: is it possible to implement VPD with only one Oracle schema and different application users?
    Many thanks.

    Re: Virtual Private Database
    Chiwatel 25 June 2013 19:25 (in reply to JustinCave)
    Hi Karan,
    Do you know how to do this (calling the package associated with the context) with Weblogic (and hibernate) by any chance ?
    Many thanks.
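    What Vijay and Srinivasan asked in the previous thread (VPD behind a connection pool where every pooled session is the same database user) and what Chiwatel's WebLogic/Hibernate application would have to call, as an added example that is not code from either thread. The context POOL_SEC, the package POOL_SEC_PKG, schema APP and a table ORDERS with a TENANT_ID column are assumptions made for illustration; it needs Enterprise Edition for DBMS_RLS.

```sql
-- Added example, not code from the threads above. Context POOL_SEC, package
-- APP.POOL_SEC_PKG and APP.ORDERS (with TENANT_ID) are assumed names.

-- 1. A globally accessed context. Its values live in the SGA keyed by client
--    identifier rather than by database session, so the end user's identity
--    follows them even when the pool hands the same session to someone else.
CREATE OR REPLACE CONTEXT pool_sec USING app.pool_sec_pkg ACCESSED GLOBALLY;

CREATE OR REPLACE PACKAGE app.pool_sec_pkg AS
  PROCEDURE register_user   (p_client_id IN VARCHAR2, p_tenant_id IN NUMBER);
  PROCEDURE unregister_user (p_client_id IN VARCHAR2);
  FUNCTION  tenant_predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END pool_sec_pkg;
/

CREATE OR REPLACE PACKAGE BODY app.pool_sec_pkg AS
  -- Called once, after the middle tier has authenticated the end user (against
  -- LDAP, in Chiwatel's case). The value is visible only to sessions that
  -- later set exactly this client identifier.
  PROCEDURE register_user (p_client_id IN VARCHAR2, p_tenant_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT(
      namespace => 'pool_sec',
      attribute => 'tenant_id',
      value     => TO_CHAR(p_tenant_id),
      username  => NULL,           -- any database user (the pool's user) ...
      client_id => p_client_id);   -- ... but only with this client identifier
  END register_user;

  -- Called at logout; without it the SGA entry stays until instance restart.
  PROCEDURE unregister_user (p_client_id IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT('pool_sec', p_client_id);
  END unregister_user;

  -- Policy function. SYS_CONTEXT on a global context resolves through the
  -- session's current CLIENT_IDENTIFIER; no identifier, or one that nobody
  -- registered, yields NULL and the predicate is never true (fail closed).
  FUNCTION tenant_predicate (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    RETURN 'tenant_id = TO_NUMBER(SYS_CONTEXT(''pool_sec'', ''tenant_id''))';
  END tenant_predicate;
END pool_sec_pkg;
/

-- 2. Attach it like any other VPD policy.
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema   => 'APP',
                      object_name     => 'ORDERS',
                      policy_name     => 'ORDERS_POOL_POLICY',
                      function_schema => 'APP',
                      policy_function => 'POOL_SEC_PKG.TENANT_PREDICATE',
                      statement_types => 'SELECT, INSERT, UPDATE, DELETE',
                      update_check    => TRUE);
END;
/

-- 3. What the middle tier runs on the pooled connection. From JDBC these are
--    ordinary CallableStatements; the only requirement is that they bracket
--    the end user's work on the borrowed session.
--
--   at login:      BEGIN app.pool_sec_pkg.register_user('alice', 42); END;
--   at check-out:  BEGIN DBMS_SESSION.SET_IDENTIFIER('alice'); END;
--                  SELECT ... FROM app.orders;      -- filtered to tenant 42
--   at check-in:   BEGIN DBMS_SESSION.CLEAR_IDENTIFIER; END;
--   at logout:     BEGIN app.pool_sec_pkg.unregister_user('alice'); END;
--
-- The identity VPD enforces here is the client identifier the application
-- sets, not the shared database user. Two things to watch: a missing
-- CLEAR_IDENTIFIER on check-in lets the next borrower inherit Alice's rows,
-- and anyone who can connect as the pool's database user can call
-- SET_IDENTIFIER with any value, so that credential must never reach end users.
```

    Using an unguessable per-login token as the client identifier instead of the plain user name is a common hardening of this pattern, since the identifier is the only thing standing between one pooled caller and another user's rows.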

  • Virtual private database / procedure with AUTHID DEFINER

    Dear all,
    short question (11.2.0.3 EE): is virtual private database (dbms_rls) working together with a procedure defined as AUTHID=DEFINER?
    We have the following scenario:
    User A owns table AA (mandantid number, name varchar2(20))
    Data:
    100, ABC
    102, XYZ
    User B has access to table A.AA with RLS in place seeing the record 100,ABC only.
    So far, this works correct.
    Now there is a procedure owned by B:
    create or replace procedure BB AUTHID DEFINER is
      num number;
    begin
      -- counts the rows of A.AA visible under the VPD policy
      select count(*) into num from A.AA;
      dbms_output.put_line('num=' || to_char(num));
    end BB;
    /
    Execution of procedure BB by B itself returns 1 (correct)
    Now the part that causes problems:
    There is another user X, calling procedure B.BB. Actually I thought, the output of the procedure would be 1, since it runs under DEFINER, but actually it's 0.
    Why?
    Thanks for any hints on this
    Regards
    Christoph

    What is your policy function? How does it determine what rows to show?
    A common approach to building a VPD policy would be to create a context that the user populates by calling some procedure (i.e. a login procedure that you've implemented) and then refer to the value in the context in your VPD policy. If that's what your VPD policy is doing, my wager is that the problem is that when B is executing the procedure, the context is already populated appropriately but when some other user executes the procedure, the context is empty. If the policy function is using something like the USER function, that would also explain why it behaves differently for different callers.
    Justin

  • Row level access, virtual private database, label security

    Hello All,
    I'm experiencing an issue... I have a data warehouse where some tables, for example orders, are shared between two different countries. The difference is made simply with a country field that may contain country_id.
    So using OBI and Publisher I need to permit some users to query only the country with id 1, others the country with id 2, and others both countries.
    Is there a way to achieve this result without implementing VPD or OLS? Do you have any hint?
    Thanks
    Stefano

    Hi,
    this may be useful:
    http://obieeblog.wordpress.com/2008/12/29/obiee-and-virtual-private-database-vpd/
    thanks
    karthick
