Using for update clause in VPD(Virtual Private Databases)
Hi,
We are using for update clause in our procedure to explicitly lock rows in a particular table as shown below:
SELECT AMOUNT FROM INTERFACE_TABLE
INTO T_Amount
WHERE ROWID = :B1
FOR UPDATE OF BANK_ACCOUNT_NUM NOWAIT;
But this statement is giving the following error in VPD:
ORACLE error 1733 in FDPSTP
Cause: FDPSTP failed due to ORA-01733: virtual column not allowed here.
We need to lock rows in that particular table until the commit is issued,so as to prevent the updation of the rows which are being processed.
Is there any other way in which this can be achieved.
Thanks & Regards,
Brahmendra Kashyap
From the docs, which you didn't read:
ORA-01733 virtual column not allowed here
Cause: An attempt was made to use an INSERT, UPDATE, or DELETE statement on an expression in a view.
Action: INSERT, UPDATE, or DELETE data in the base tables, instead of the view.
Can you explain why you didn't read the docs? I'm just curious why so many people do absolutely nothing to resolve their problem (they would learn Oracle by doing so) and request to be spoon fed.
Sybrand Bakker
Senior Oracle DBA
Experts: those who did read the documentation.
Similar Messages
-
How to unlock a row if i use FOR UPDATE clause
In procedure if we use FOR UPDATE clause, it will lock particular row and allow only one client to update whereas other client can only fetch data in the same row at that time.
My question is when will it unlock the row, what should we do to unlock the row while writing procedure. Take this example here im using FOR UPDATE clause for client_count, when ll it unlock that particular row in this procedure.
create or replace PROCEDURE newprocedur(inMerid IN VARCHAR2,outCount OUT NUMBER) AS
CURSOR c1 IS
select CLIENT_COUNT from OP_TMER_CONF_PARENT where MER_ID = inMerid FOR UPDATE OF CLIENT_COUNT;
BEGIN
Open c1;
loop
fetch c1 into outCount;
exit when c1%NOTFOUND;
outCount:=outCount+1;
update OP_TMER_CONF_PARENT set CLIENT_COUNT = outCount where current of c1;
end loop;
close c1;
END;Hi,
Basically you are incrementing client_count by 1 , Why you have to fetch row one by one and update? you could just finish that in a single update
UPDATE OP_TMER_CONF_PARENT
SET CLIENT_COUNT = CLIENT_COUNT+1
WHERE MER_ID = inMerid This will increment client_count of all rows by one for the given mer_id;
After updating you have to make the changes permanent so that other users will see the changes you have made.
To lock the row before update you can use same select statement in you cursor
SELECT CLIENT_COUNT
FROM OP_TMER_CONF_PARENT
WHERE MER_ID = inMerid FOR UPDATE OF CLIENT_COUNT;You can further modify the procedure to let other users know if the row is being updated.
Regards
Yoonas -
Using VPD (Virtual Private Database) with Discoverer for Dummies
Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view thread that started it all: BIS vs DBI vs Noetix .
Otherwise I’m hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and it’s performance. I've just read that :
“Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
With Regards to Discoverer, I would like to ask the following:
-When would be best to use VPD in Discoverer?
-Pro’s and Con’s of VPD?
-Tips / Tricks?
-and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
I've found a few handy links:
http://www.adp-gmbh.ch/ora/security/vpd/index.html
http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
As Metalink support would say : I Looking forward to your ‘Positive’ comments. ;-)
LanceLance,
You sure do raise some interesting questions here.
I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries; http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
I trust "My Positive Comment" may help!!
Merry Christmas
Si ;-)
P.s This also may come in handy if running 10g http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm
Message was edited by:
Simon Pittaway -
Some thoughts about VPD (Virtual Private Database)
You may be interested in some of the brief articles I recently published on Virtual Private Database. You will find them here:
Pop-quiz: VPD policy that depends on a table with a policy - http://technology.amis.nl/blog/index.php?p=812
Another Pop-Quiz: Whose VPD policy is used when executing SQL in a (definer rights) package? - http://technology.amis.nl/blog/index.php?p=817
best regards,
LucasBut I think that you know what he is and pra that she serves...
In this in case that, you must also know that some particularitities exist.
For example, so that security in row level is made, we need to define which will be the politics of applied security, which the restriction that will be made (seemed with clause WHERE).
After this, we must select the columns, the ones relevant that will be masked.
And finally, to add the politics functions.
Manually, to create and to modify or to give any maintenance well is complicated.
For this, the SQL Developer, by means of its graphical interface, would go to decide the problem definitively.
Perhaps if it will not be possible to add the functionalities of the VPD, was interesting to create some thing for the application contexts.
I spoke in VPD and in application contexts because, generally, who has the version Enterprise Edition uses the VPD, but who only has the version Stantard or Standard One, applies politics of security in row level by means of views, triggers and contexts of application.
Message was edited by:
ARF -
VPD(Virtual Private Database)
Exists some possibility to implement tools for the configuration and development of VPD inside of the SQL Developer?
But I think that you know what he is and pra that she serves...
In this in case that, you must also know that some particularitities exist.
For example, so that security in row level is made, we need to define which will be the politics of applied security, which the restriction that will be made (seemed with clause WHERE).
After this, we must select the columns, the ones relevant that will be masked.
And finally, to add the politics functions.
Manually, to create and to modify or to give any maintenance well is complicated.
For this, the SQL Developer, by means of its graphical interface, would go to decide the problem definitively.
Perhaps if it will not be possible to add the functionalities of the VPD, was interesting to create some thing for the application contexts.
I spoke in VPD and in application contexts because, generally, who has the version Enterprise Edition uses the VPD, but who only has the version Stantard or Standard One, applies politics of security in row level by means of views, triggers and contexts of application.
Message was edited by:
ARF -
SES with VPD (Virtual Private Database)?
I am trying to use SES to search a database with row-level security enabled in the form of VPD. My plan is to have SES index the database as a user with read permissions on all data, and likely use Query-Time Authorization to filter results.
The trouble is, I cannot see how to have SES call the set_app_ctx() procedure at crawl time to set the application context (in my test case, with user name). As such, nothing is indexed. I am using the Database crawler to index the source. Is this possible at all using the Database crawler?
Thanks in advance.Thanks for your reply.
I don't know an awful lot about VPD either ;-). But I don't see how I could embed the call in the select.
I will investigate implementing a custom crawler, but I have been led to believe that doing so is anything but trivial. It would be handy if I could extend the included Database crawler, or see the source code for it... -
(VPD) Virtual Private Database Question?
Hi All,
I have a question regarding VPD, I want to implement Column level security, senario is: (Oracle 9i, 10g)
TABLE
=======
CUSTOMER
(cust_id, name , address, phone, email ) etc
There is one user "PIN"in which all objects are created and stored, and others users has granted rights through synonyms created on their schemas,
my question is: All users can access/fetch all rows of customer table but they should not see address and phone fields?, these 2 fields should be NULL for them, is it possible to implement this security policy through VPD?
prompt reply would be appreciated.
regards
qamar
Edited by: qamarsyed on Nov 5, 2008 12:43 PMFrom the same example, I created the function to exclude all department numbers from DEPT table and I got what you were looking for. But based on your requirement, this function can prove to be costly.
SQL> ed
Wrote file afiedt.buf
1 CREATE OR REPLACE FUNCTION pf_job (oowner IN VARCHAR2, ojname IN VARCHAR2)
2 RETURN VARCHAR2 AS
3 con VARCHAR2 (200);
4 BEGIN
5 con := 'deptno not in (select deptno from dept)';
6 RETURN (con);
7* END pf_job;
SQL> /
Function created.And here is the output from other user.
SQL> /
DEPTNO EMPNO ENAME SAL COMM
20 7369 SMITH
30 7499 ALLEN
30 7521 WARD
20 7566 JONES
30 7654 MARTIN
30 7698 BLAKE
10 7782 CLARK
20 7788 SCOTT
10 7839 KING
30 7844 TURNER
20 7876 ADAMS
30 7900 JAMES
20 7902 FORD
10 7934 MILLER
14 rows selected.
SQL> -
Can VPD (Virtual Private Database) being defined in EBS'S responsibility level?
Hi all,
I would like to have a restriction of customer data when querying EBS Customer Form (ARXCUDCI.fmb).
E.g when I login to new created responsibility, having 1 access Standard Customer from menu. When I search on Customer, only Sales_Channel_Type = RTL is allowed to be displayed. Can i leverage VPD feature to do this restriction of data? It's just only this new responsibility to have this restriction, the rest of responsibilities are allowed to query all type of customers.
Form personalization is not a best approach of doing above which i am been tested.
Hope someone can give some advice about this?
Regards,
LygineHi;
Please check below which could be helpful for your issue:
https://blogs.oracle.com/stevenChan/entry/virtual_private_database_in_eb
Also see:
How do I open a form specific to particular user?
http://forums.oracle.com/forums/thread.jspa?threadID=2154178&tstart=0
Regard
Helios -
Hi all
in cursor with select for update clause we can reference column list. like
select.......
from....
for update [of column_reference]
I want to know that what is the use of specifying column nane in for update clause?
because its main purpose is to lock rows before update or delete, and complete row will be locked not only that column, then what is the use of mentioning it.
Secondly, I want to know that when we perform dml then automatically locks occur, then why we use for update clause.???
third,
when locks occur, when we open cursor or when update or delete???If you've got FireFox, you can add tahiti.oracle.com and asktom.oracle.com to the list of search engines you have available in the upper right-hand corner. I can't tell you how addicted I am to that little piece of heaven.
Justin -
System.prefs -- FOR UPDATE clause
When moving to a new mysql database, it gave me the error that it
doesn't suppport the "FOR UPDATE" clause. Turns out the database was an
older one. I tried to add the
<mysql>
<select-for-update>false</select-for-update>
</mysql>
section to system.prefs, but no matter where I put it, it had no effect.
The documentation wasn't exactly clear where it goes. Now, I'm not
using the default database -- I'm specifying a named database. I'm
guessing that this option isn't working with named databases in the
systems.prefs file. Could you clarify this?
Thanks,
DanWorked like a champ! Thanks again, Patrick.
Dan
Patrick Linskey wrote:
On 6/6/02 3:56 AM, "Dan Finkelstein" <[email protected]> wrote:
When moving to a new mysql database, it gave me the error that it
doesn't suppport the "FOR UPDATE" clause. Turns out the database was an
older one. I tried to add the
<mysql>
<select-for-update>false</select-for-update>
</mysql>
section to system.prefs, but no matter where I put it, it had no effect.
The documentation wasn't exactly clear where it goes. Now, I'm not
using the default database -- I'm specifying a named database. I'm
guessing that this option isn't working with named databases in the
systems.prefs file. Could you clarify this?
If you're using a named db, you should do
<db>
<your name here>
<select-for-update>false</select-for-update>
</your name here>
</db>
Note that turning off select for update is bad, because it essentially
defeats pessimistic locking, and you probably shouldn't ever see an error if
you aren't using pessimistic locking. So, I'd recommend that you use
optimistic locking with old MySQL installs instead.
Thanks,
Dan -
Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)
Environment: Business Objects XI R2; Oracle 10g
Functional Requirement:
Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
What do we need from the Business Objects support team?
1. Review the 2 attempted solutions that we have tried to implement
2. Propose solutions/answers to open questions for each of the attempted solutions
3. Propose any alternate solution that will help us implement the Function Requirement stated above
Attempted Solution 1: Connection String uses Oracle Proxy User
The connection string that is specified in the Universe is the following:
app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
app_user = generic application user
end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
Open Question for Solution 1:
i. What happens when multiple proxy users try to connect on at the same time? Business Objects shares the generic app_user connect string. However, every user that logs on will have their own unique proxy user credentials. Will there be any contention involved? If so, what kind of errors can we expect?
ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open. In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user? If so, then our security will not work. Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
Attempted Solution 2: Using the ConnectInit parameter
Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
Therefore, we tried to set the parameter in the Universe using several different options:
ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
Open Questions for Solution 2:
How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
Note: Arroba word is being used instead of the symbol in order to avoid following error message:
We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.the connectinit setting should look something like this:
declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
The vpd_setup procedure (in Oracle) should look like this:
CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
BEGIN
DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
END vpd_setup;
Then you can retrieve the value of the context variable in your vpd functions
and set the vpd. -
ERROR using SQL Server 2000, FOR UPDATE clause problem
Hi All,
Because our main target for RDBMS mostly SqlServer2000, I try to use ADF BC with one. I successfully run the BC with Tester, scrolling up and down, BUT when i try to make changes and do commit, I receive ERROR, I have tried both JDBC Driver from Microsoft and jTDS, both FAILS.
I have set the 'Default Locking Mode ..' to 'optimistic'
(default is 'pessimistic'), it doesn't help.
Here is the error :
With Microsoft JDBC Driver :
(oracle.jbo.DMLException) JBO-26080: Error while selecting entity for Departments
----- LEVEL 1: DETAIL 0 -----
(java.sql.SQLException) [Microsoft][SQLServer 2000 Driver for JDBC][SQLServer] FOR UPDATE cannot be specified on a READ ONLY cursor.
With jTDS JDBC Driver :
(oracle.jbo.DMLException) JBO-26080: Error while selecting entity for Departments
----- LEVEL 1: DETAIL 0 -----
(java.sql.SQLException) Line 1: FOR UPDATE clause allowed only for DECLARE CURSOR.
Pls any body help...
Thank you,
KristKrist,
we added a new SQL Flavor 'SQLServer' in JDeveloper 10.1.2
This was implemented to handle special SQL syntax of SQLServer, different from SQL92 (among others the FOR UPDATE problem you're facing).
For new projects, you can select this flavor during their creation. For projects that were defined with Flavor SQL92, you can switch to SQLServer at runtime by setting the parameter jbo.SQLBuilder=SQLServer (in your Application Module configuration or as a java option -Djbo.SQLBuilder=...)
Regards,
Didier. -
Use of Virtual Private Database
Hello
our company is in e-business and wants to expore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
any white paper or document is welcome.
thanks
VijayHello,
I am also looking for the same information. Though there is lot of info on setting up VPD for Oracle users, there is no material/document which describes how VPD can be implemented for 3-Tier application. I use an Application server to connect to Oracle 9i.
Did you get any leads?
Thanks,
Srinivasan
Hello
our company is in e-business and wants to expore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
any white paper or document is welcome.
thanks
Vijay -
Can VPD Virtual Private DB in 10g replace Oracle Apps security rules?
I read the recent article in Oracle Magazine called 'Testing Database Security', especially the section on Virtual Private Database (VPD), caught my attention. Can this feature of the 10g database be used by the Oracle Apps to restrict access to data through the apps login? We just moved to 10g.
Our current data security is enabled by leveraging security rules attached to responsibilities. Our security rules restrict by operating unit, of which there are 89. It would be great if VPD could be used, as it might replace the need to create 89 separate security rules. We would maintain just one set of policies.
Does anyone know if this can be used on the applications level? If anyone has done this, do you know of a documentation link that would help?
Thanks for your insight.Sebes,
Thanks for the link...it sounds like it may be part of the Oracle future landscape, but for now, we will have to live with security rules.
Sincerely,
Brenda -
Hi,
If you are using Forte as 2-tier tools, there shouldn't be any problem in
using select ... for update. The sql is actually passed through to your
back-end database. So everything should work the same, provided that every
user has his own database session ( like by using DBResourceMgr to create
DBSession at run-time for each user. )
However, if you are building multi-tier application, there is no simple
answer to your question. The problem is common to all 3-tier application
since the application / database layer is shared among many users. If you
start a transaction from client side, use select ... for update to lock a
record, allow user to change data, then update and end the transaction, you
are not just locking up a record, but also a database session. In such
model, you will run out of DBSession very soon.
What we did here is to use a "lock count", which exists is every table.
When client retrieves a record, it won't start a transaction there. A
transaction is started only on the server and after client commits its
changes to the server. Data consistency is checked by checking the lock
count in the update where clause.
It looks dumb, but it's the only solution that we can reach after consulting
a lot of white paper and Forte consultants. Moreover, Forte consultant also
said its bad to start a transaction on client side.
I do hope that there is a better solution out there in handling 3-tier
applications too. Afterall, this lock count thing is clumsy.
Peter Sham.
-----Original Message-----
From: Phong Tran [SMTP:[email protected]]
Sent: Thursday, March 18, 1999 6:50 AM
To: [email protected]
Subject: for update clause
dear forte-users,
I notice the "for update" clause can only used with cursor.
Just wonder why you can not use it with "sql select ...." statement.
Also as I understand it, one way to protect the data consistency is
through
the mutex lock but then you turn the object to a single-threaded to
serialize access even though you access different rows in a
database
table. The fact is you only want access on a particular row.
Does anyone know the best way to lock a row (or rows) in the
database ?
If you have to rely on the "for update" clause in the cursor
definition for
the locking, then you almost end up with a lot of cursors.
Example: the method ReadnWriteDB(ordeId) accesses a specific row
but since the orderOBj serializes access, other tasks have to wait.
OrderObj: OrderMgr = new(IsShared = TRUE, IsTransactional = TRUE);
method GetOrderInfo() of the TransactionSO.
begin transaction
OrderObj.ReadnWriteDB(orderId);
end transaction;
From Client:
Begin
start task TransactionSO.GetOrderInfo(orderId);
end;
Phong
To unsubscribe, email '[email protected]' with
'unsubscribe forte-users' as the body of the message.
Searchable thread archive
<URL:http://pinehurst.sageit.com/listarchive/>
To unsubscribe, email '[email protected]' with
'unsubscribe forte-users' as the body of the message.
Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>Which application front end are you using.
Also, you'll get the same error if your Query runs too long, and/or your rollbacks are too small.
Maybe you are looking for
-
OAF : How can we design the page in oaf in a matrix format
Hi friends : I am new to OAf starting to learn OAF ... i am using jdeveloper 9i version 9.0.3.5 i want to know can we design a PG in oaf ... FOr example if i hav six fieldname that is personId ,firstname ,lastname,email,phoneno,address .... if i want
-
Loading transactonal data before go-live
Dear colleagues, In my actual project we have an unexpected and strange requirement wich is to load all the postings that they have done during the year before go-live in their legacy system (we are going live on may). Therefore we have divided the i
-
Query required for xml processing.
This data is present in clob i need to extract the below mentioned field. expected query is select extractvalue( xmltype(table1.column1), '/UserProfileSnapshot/UserInfo/Attribute[@name="Users.Display Name"]' ) from table1 first line is incorrect <?xm
-
External Script Recorder - Where can I get it.
I have seen an external SAP GUI Scripting Sample Recorder mentioned on several of the help topics on the SDN. With this tool, you are supposed to be able to see and interact with the script code as it is being recorded. One post had a link for downl
-
Administrator option in Analytics
I am not sure what was change but I can no longer see the Administation option in analytics with the highest level login we have or any other for that matter. Any ideas how to fix this? We use external table authentication. I've tried adding all appl