Urgent: row level security with VPD
Has any one implemented the row level security in Virtual private database(VPD) for Discoverer.
Please let me know how well does it work with discoverer and are there any flip sides that one needs to be aware of.
Thanks
authenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
Init block for authenticating / authorizing and session variables are different, i guess you are mixing both.
Similar Messages
-
Row level security with session variables, not a best practice?
Hello,
We are about to implement row level security in our BI project using OBIEE, and the solution we found most convenient for our requirement was to use session variables with initalization blocks.
The problem is that this method is listed as a "non best practice" in the Oracle documentation.
Alternative Security Administration Options - 11g Release 1 (11.1.1)
(This appendix describes alternative security administration options included for backward compatibility with upgraded systems and are not considered a best practice.)
Managing Session Variables
System session variables obtain their values from initialization blocks and are used to authenticate Oracle Business Intelligence users against external sources such as LDAP servers or database tables. Every active BI Server session generates session variables and initializes them. Each session variable instance can be initialized to a different value. For more information about how session variable and initialization blocks are used by Oracle Business Intelligence, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.
How confusing... what is the best practice then?
Thank you for your help.
Joao Moreiraauthenticating / authorizing part is take care by weblogic and then USER variable initialized and you may use it for any initblocks for security.
Init block for authenticating / authorizing and session variables are different, i guess you are mixing both. -
Hi.
Currently we are running oracle 8.0.5 (client/server mode). We will very soon swith to 9iAS 3-tier web interface with oracle8i database, but before that we would like to know if row-level security or VPD is also supported by oracle8i database.
People here, in my company, still don't have the full picture about oracle9i and they prefer to install oracle8i for stability reasons. Do you recommend us to go for oracle9i instead?Hi,
Row-level security is very much supported in
8i (8.1.6.x) using the dbms_rls package.
You can search the documentation on OTN for examples and more information. A note of caution, be careful where and how you plan to use it, due to performance implications, expecially if you are trying to filter a large number of rows. -
Hy all, I'm new to Oracle and though i've google it a lot I didn't manage to find a solution to this problem:
I'm using sql developer and Oracle 10g.
I have this two tables :
CREATE TABLE HR_employees
(codHR NUMBER(3) CONSTRAINT pk_hr PRIMARY KEY,
coddep NUMBER(4) not null,
DB_user VARCHAR2(10),
and
CREATE TABLE Candid
(codcan NUMBER(2) CONSTRAINT PK_candidat PRIMARY KEY,
codHr NUMBER(3) NOT NULL,
CONSTRAINT FK_CODHR FOREIGN KEY (codHR) REFERENCES HR_employees (codHR) );
I tried to implement row level security on them by using two views:
CREATE OR REPLACE VIEW employees_v AS
SELECT * FROM hr_employees
WHERE DB_user = user
UNION
SELECT * FROM hr_employees
WHERE codhr=(SELECT codhr FROM hr_employees WHERE db_user=user );
AND coddep IN (4000,5000);
CREATE OR REPLACE VIEW candid_v AS
SELECT cand.*
FROM candid cand , hr_employees hr
WHERE cand.codhr= hr.codhr
AND hr.db_user=user
UNION
SELECT cand.* FROM candid cand, hr_employees hr
WHERE hr.coddep=(SELECT H.coddep FROM hr_employees H
WHERE H.db_user=user
AND H.coddep IN (4000,5000) );
What I want to do is to disconnect and connect with another user from SQL Developer and see different fields based on the user and the department, Sql developer doesn't seem to recognize the user connected to the database..everytime I receive a no row selected statement, only when I connect with SYS and put the actual username WHERE H.db_user='SYS' they seem to work. I have created the tables with SYS and granted Select on the views to the users, the users don't have privilegies on the actual tables.
Sorry for the bad english,it's a foreign language to me ,
I hope you can help meHi,
Damorgan is right: "Row level security has nothing to do with views" in the sense that the two are independent. You can have row-level security with or without views, and you can have views with or without row-level security. dbms_rls is a very useful and powerful way to implement row-level security, and you should check it out, but it's not necessarily the answer to all row-level security problems.
I'm not sure I understand your problem beyond the need to restrict user A's access to two tables.
If which rows user A is allowed to see depends on the results of queries from those same tables, including rows that user A is not allowed to see (that is, you need to do sub-queries with some other user's (let's call this user B's) privileges), then you can do those sub-queries in stored procedures.
Stored procuderes can run with the privileges of the procedure owner, regardless of who is calling them. Using a function called user_codhr owned by user B, you could define a view like this:
CREATE OR REPLACE VIEW employees_v AS
SELECT * FROM hr_employees
WHERE DB_user = user
OR ( codhr = user_codhr
AND coddep IN (4000,5000)
);If the results of the function will be the same throughout the session, you can call it once, at the beginning of your session, and save the results in a SYS_CONTEXT varaible or a global temporary table.
If you need more help, post a more detailed example of the problem, such as "With this data in the table, B should see all rows but A should see only ...". -
Row level security in OBIEE 11g: Which is better: VPD or RPD
We can apply row level security in OBIEE by 2 ways.
1. by Creating Initialize Block in RPD
2. or Applying VPD in Database, which restricts source tables
Which one is more efficient and why?
Thanks,
Sunil Jenayou will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.
-
Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)
Environment: Business Objects XI R2; Oracle 10g
Functional Requirement:
Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
What do we need from the Business Objects support team?
1. Review the 2 attempted solutions that we have tried to implement
2. Propose solutions/answers to open questions for each of the attempted solutions
3. Propose any alternate solution that will help us implement the Function Requirement stated above
Attempted Solution 1: Connection String uses Oracle Proxy User
The connection string that is specified in the Universe is the following:
app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
app_user = generic application user
end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
Open Question for Solution 1:
i. What happens when multiple proxy users try to connect on at the same time? Business Objects shares the generic app_user connect string. However, every user that logs on will have their own unique proxy user credentials. Will there be any contention involved? If so, what kind of errors can we expect?
ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open. In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user? If so, then our security will not work. Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
Attempted Solution 2: Using the ConnectInit parameter
Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
Therefore, we tried to set the parameter in the Universe using several different options:
ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
Open Questions for Solution 2:
How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
Note: Arroba word is being used instead of the symbol in order to avoid following error message:
We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.the connectinit setting should look something like this:
declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
The vpd_setup procedure (in Oracle) should look like this:
CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
BEGIN
DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
END vpd_setup;
Then you can retrieve the value of the context variable in your vpd functions
and set the vpd. -
Row-level security(VPD) problem
Hi,
ADF BC, Jdeveloper 11.1.1.3.0
We want to implement Row-level security in ADF by VPD, and do following:
1, create VPD policy according to the following sample
http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/10g/r2/prod/security/vpd/vpd_otn.htm
2, Override prepareSession(), and set user info by dbms_application_info.set_client_info; in policy function get the user info, and implement filter logic.
The confusing problem is: When first user login, data has been filtered right. But, when the second user or third user login, it gets the first user's data.
We also use SQL Trace, and find the second user's operation(SQL) are not recorded in SQL trace file, the view object may not query database. We test clearCache(), viewCriteria with 'Query Execution Mode: Database', and etc, but can not solve the problem.
I appreciate your suggestion.
thanksSo how did you tell Weblogic not to cache the SQL statement? I will be using VPD in a new application, and I definitely want to avoid the problem you had.
-
Row-level security problem using VPD
Hi all,
I've implemented row-level security for my application using the following procedure:
1) Created a procedure for setting the context for the application:
PROCEDURE set_empno
IS
emp_id NUMBER;
BEGIN
BEGIN
SELECT empno
INTO emp_id
FROM SCOTT.EMP
WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
EXCEPTION
WHEN OTHERS THEN emp_id := 0;
END;
END;
2) Created the application context:
CREATE CONTEXT emp_sel_context USING secman.app_security_context;
In which secman is my security schema and app_security_context is the name of above procedure package.
3) Created a function to access the application context:
FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
IS
e_predicate VARCHAR2(2000);
BEGIN
e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
RETURN e_predicate;
END;
END;
4) Created a logon trigger:
CREATE OR REPLACE
TRIGGER INIT_CONTEXT AFTER
LOGON ON DATABASE
BEGIN
SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
END;
5) Added a policy on scott.emp like this:
begin
dbms_rls.add_policy (
object_schema => 'SCOTT',
object_name => 'EMP',
policy_name => 'EMP_SEL_POLICY',
function_schema => 'SECMAN',
policy_function => 'EMP_SECURITY.EMP_SEC',
statement_types => 'SELECT',
update_check => TRUE
end;
My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
Any helps is really appreciated.
S/\EE|)i,
I suggest:
create another table emp1(logon with scott),this table only include empno,ename,then insert a few record,then modify
procedure set_empno as
PROCEDURE set_empno
IS
emp_id NUMBER;
BEGIN
BEGIN
SELECT empno
INTO emp_id
FROM SCOTT.EMP1
WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
EXCEPTION
WHEN OTHERS THEN emp_id := 0;
END;
END;
certainly ,you should grant select on emp1 to the user who will be test.
lixinzhu
2007/09/17 -
Help with implementing Row Level Security in Interactive Reporting
We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?The 3 tables used with the RLS are stored in the same schema as your repository by default.
The RLS store all the Rules for any database that you are using.
You define the rules based on the tablename (owner.tablename) and the column name. -
VPD (Row Level Security) Implementation at Middle Layer
Hi All,
Is there any provison to implement Row Level Security at the Entity Object level?
We have a table where in some rows need to be displayed based on the user logged in.
We are aware of the VPD implementation using a function and adding a policy.
We are looking for implementing VPD at the Middle Tier.
Any help in this regard will be greatly appreciated.
Thanks in Advance,
RaghuRaghu,
Assuming you are talking about ADF Entity Objects - yes. The standard way of doing this would be to over-ride prepareSession() in your Application Module to set whatever information you may need in the database session in order to identify your user and use that information in your VPD policy. If you Google about, you can find some good information, including [url http://blogs.oracle.com/jheadstart/2007/11/row_level_security_using_vpd_a.html]this (it's for JHeadstart, but the concept applies just fine).
John -
Row level security without using VPD
I am wondering if there is a way to have row level security in APEX without having to use the virtual private database (VPD). I cannot afford the Enterprise Edition license that is required for VPD.
I need a way to customize the list of rows that appear for each user on a report page.
For example, I only want managers to be able to see their employees and not employees of other managers.
Thanks for your help !
-ReidWhile it wont provide all the features that Oracle RLS does, you can leverage Oracle 'Contexts' to provide a form of Row Level Security.
This article describes how
http://www.dbazine.com/oracle/or-articles/jlewis15
Within APEX you can set your application to call the 'context' setting function in the 'VPD' section of the 'Edit Security Attributes' page.
Varad -
Reports XI: Infoview behavior with Row Level Security
Post Author: pwilliamsbssp
CA Forum: General
I have a report that is based off a business view that has project information with an additional table used to assign report users to certain clients (each project has a client). A filter is used to assign the report user to the current ce username.The report is scheduled by the administrator login. Each user goes to view their report on Infoview and is able to view data for only those clients specifically assigned. This functionality seems to work fine - everyone views one instance of the report and InfoView assigns the row level security.However, I'm running into a problem viewing report histories when adding or changing client assignments. The historical reports come up either blank or with erroneous information (such as the current week's information instead of the previous week's data saved with the instance of the report). I have not found a logical link between the behavior of the historical reports and the specific users. Some can see one week and not another while others have the reverse, regardless of their security assignments.Does anyone understand the behavior of view historical reports with row-level security? I have no idea what data/metadata is saved with each report instance and when the row-level security is being read. Is it read when viewing the report? or, is it specific to the structure of the data when the report was run?With other reports using the same row-level security model I'm able to view the historical reports although it has the client assignments at the time the report was created. But, at least I'm able to view the reports.Any insight welcome.Patrick WilliamsPost Author: pwilliamsbssp
CA Forum: General
Bump. Anyone is welcome to tackle this question. Please. -
How to implement row level security?
Hi all,
There is a database which is for 3 companies to use it and how to use row level security to make sure that they can only manipluate their own data? For example, "employee" table, for each company they just can see their own employees information. How to use dynamic view to do it?
Many Thanks
AmyHere are two options to achieve what you want.
A. You can do this by coding, that's if you are ready to. Are you? If yes then try the steps below:
1. create a security codes table. Say for example
001 - company a
002 - company b
2. create a security table that will list all users and which company they should have access to. You can also implement this by roles.
3. alter all tables in the application schema to add a security code column. This will be a foreign key reference to table created in 1 above.
4. update all data in the tables according to which company they belong to.
5. write a procedure or package that does a validity check whenever a user requests for data. This procedure/package determines which company data the user has access/rights to.
With this, you should be able to achieve what you want if you do not want to spend on VPD and FGAC. The problem comes where there are users who would have cross access to data from both companies. In this regard, then you have to modify your security table a little bit to handle this.
B. This option i will admit is not so clean. You can also achieve this by two different views for every table in the application schema. And on each of these views, create a private synonym for every user. For illustration purposes:
Table name = Employee.
Create a view employee_a on employee
create a view employee_b on employee
Let's say you have users x and y. X has access to employees of company a and y has access to employees of company b. You can now create private synonyms for each of these users as follows:
create synonym employee on employee_a in x schema.
create synonym employee on employee_b on y schema.
This i have not tried but believe should work.
Hope one of these options serve your purpose. -
ADFBC 10.1.3.3 Row Level Security
Hello.
Till now, we have implemented Row Level Security through a database function, and using this function in all our view objects where clause.
We would like to remove this database function, and implement this kind of security with ADFBC. Is this possible ? VPD is not an option. We are trying to make our product database independent.
In general terms, we would need to check some conditions before creating the viewObjects rowset. I believe ADFBC does provide us with a mechanism to achieve this, but I'm not aware of how to do it.
Any help would be great.
Thanks a lot.
JohnThanks for the response Frank.
Our row level security is if a certain user, has the rights to view a specific database row. We have all this security mapped to the database. Today we have a database function that receives some parameters (to identify which entity usecase is beeing queried) and returns yes or no, depending on the user rights.
I'm not sure how to achieve this using the RowImpl class. It's my understanding that this a rowImpl class is always created when checking the row from the view object (hasNext() for example). But how do I fetch the current row, check if the user has the rights to view this row and return the fully filled row, or if he doesn't have access to this row, I would need to remove this row from the rowset. Is it possible to do this, just by implementing the rowimpl class of my View Object ? If so, which methods should I override to achieve this ?
Thanks again -
Row level security.... yes or no in HTMLDB???
Hi Guys,
This is just a little confusing... in the application developer of HTMLDB, it has a section to implement VPD features, but when I come round to doing pete finnigans (http://www.securityfocus.com/infocus/1743) RLS tutorial, i get the following error when creating the vpd policy:
ORA-00439: feature not enabled: Fine-grained access control.
So can I get row level security to work in Oracle XE or do I have to integrate Oracle 10g EE with HTMLDb to get this to work?
If so... how do I do that?
Best Regards
Shahram ShiraziVirtual private database / fine grained access control is not supported in Oracle XE, it is an Enterprise Edition feature.
http://download-uk.oracle.com/docs/cd/B25329_01/doc/license.102/b25456/toc.htm#BABECIEG
Re: Got ORA-00439: feature not enabled: Fine-grained access control
~Dietmar.
Maybe you are looking for
-
For years, prior to upgrading to FireFox 7, following games on Yahoo Sports was easy due to the auto refresh of the screens every 10 or 15 seconds. Now with FireFox 7, that feature seems to be inactive ... there is no auto refresh of the screen. Is t
-
How to change the background of new tab
the background of the new tabs is white. i want to change it to the picture of my persona. is that possibles !!?? if yes than how? if not than why not!?
-
Workflow display related issues
Hi This issue is related to workflow display. We are not able to see vendor number, Invoice number etc for idocs coming from a particular vendor. However we are able see these details for idocs coming from all other vendors. We compared control recor
-
Changes not showing up on subscribed address book
We have our address book in the office shared to all of us with .Mac. The problem is, when we make changes on the original address book, they're not showing up for those who subscribe. How do I fix this?
-
Macbook Pro 15" reaching 101c during games
Hello, I recently purchased my first Mac, a 15" (The 1GB Nvidia 2.6 intel NON Retina model) and although I don't intent it to be used alot for gaming, I have a few games I installed and tried out. The games run great, steady FPS and no lag so I'm gl