Using for update clause in VPD(Virtual Private Databases)

Similar Messages

• How to unlock a row if i use FOR UPDATE clause

  In procedure if we use FOR UPDATE clause, it will lock particular row and allow only one client to update whereas other client can only fetch data in the same row at that time.
  My question is when will it unlock the row, what should we do to unlock the row while writing procedure. Take this example here im using FOR UPDATE clause for client_count, when ll it unlock that particular row in this procedure.
  create or replace PROCEDURE newprocedur(inMerid IN VARCHAR2,outCount OUT NUMBER) AS
  CURSOR c1 IS
  select CLIENT_COUNT from OP_TMER_CONF_PARENT where MER_ID = inMerid FOR UPDATE OF CLIENT_COUNT;
  BEGIN
  Open c1;
  loop
  fetch c1 into outCount;
  exit when c1%NOTFOUND;
  outCount:=outCount+1;
  update OP_TMER_CONF_PARENT set CLIENT_COUNT = outCount where current of c1;
  end loop;
  close c1;
  END;

  Hi,
  Basically you are incrementing client_count by 1 , Why you have to fetch row one by one and update? you could just finish that in a single update
  UPDATE OP_TMER_CONF_PARENT
  SET CLIENT_COUNT = CLIENT_COUNT+1
  WHERE MER_ID     = inMerid This will increment client_count of all rows by one for the given mer_id;
  After updating you have to make the changes permanent so that other users will see the changes you have made.
  To lock the row before update you can use same select statement in you cursor
  SELECT CLIENT_COUNT
  FROM OP_TMER_CONF_PARENT
  WHERE MER_ID = inMerid FOR UPDATE OF CLIENT_COUNT;You can further modify the procedure to let other users know if the row is being updated.
  Regards
  Yoonas

• Using VPD (Virtual Private Database) with Discoverer for Dummies

  Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view thread that started it all: BIS vs DBI vs Noetix .
  Otherwise I’m hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and it’s performance. I've just read that :
  “Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
  VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
  With Regards to Discoverer, I would like to ask the following:
  -When would be best to use VPD in Discoverer?
  -Pro’s and Con’s of VPD?
  -Tips / Tricks?
  -and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
  I've found a few handy links:
  http://www.adp-gmbh.ch/ora/security/vpd/index.html
  http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
  As Metalink support would say : I Looking forward to your ‘Positive’ comments. ;-)
  Lance

  Lance,
  You sure do raise some interesting questions here.
  I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries; http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
  If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
  I trust "My Positive Comment" may help!!
  Merry Christmas
  Si ;-)
  P.s This also may come in handy if running 10g http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm
  Message was edited by:
  Simon Pittaway

• Some thoughts about VPD (Virtual Private Database)

  You may be interested in some of the brief articles I recently published on Virtual Private Database. You will find them here:
  Pop-quiz: VPD policy that depends on a table with a policy…- http://technology.amis.nl/blog/index.php?p=812
  Another Pop-Quiz: Whose VPD policy is used when executing SQL in a (definer rights) package? - http://technology.amis.nl/blog/index.php?p=817
  best regards,
  Lucas

  But I think that you know what he is and pra that she serves...
  In this in case that, you must also know that some particularitities exist.
  For example, so that security in row level is made, we need to define which will be the politics of applied security, which the restriction that will be made (seemed with clause WHERE).
  After this, we must select the columns, the ones relevant that will be masked.
  And finally, to add the politics functions.
  Manually, to create and to modify or to give any maintenance well is complicated.
  For this, the SQL Developer, by means of its graphical interface, would go to decide the problem definitively.
  Perhaps if it will not be possible to add the functionalities of the VPD, was interesting to create some thing for the application contexts.
  I spoke in VPD and in application contexts because, generally, who has the version Enterprise Edition uses the VPD, but who only has the version Stantard or Standard One, applies politics of security in row level by means of views, triggers and contexts of application.
  Message was edited by:
  ARF

• VPD(Virtual Private Database)

  Exists some possibility to implement tools for the configuration and development of VPD inside of the SQL Developer?

  But I think that you know what he is and pra that she serves...
  In this in case that, you must also know that some particularitities exist.
  For example, so that security in row level is made, we need to define which will be the politics of applied security, which the restriction that will be made (seemed with clause WHERE).
  After this, we must select the columns, the ones relevant that will be masked.
  And finally, to add the politics functions.
  Manually, to create and to modify or to give any maintenance well is complicated.
  For this, the SQL Developer, by means of its graphical interface, would go to decide the problem definitively.
  Perhaps if it will not be possible to add the functionalities of the VPD, was interesting to create some thing for the application contexts.
  I spoke in VPD and in application contexts because, generally, who has the version Enterprise Edition uses the VPD, but who only has the version Stantard or Standard One, applies politics of security in row level by means of views, triggers and contexts of application.
  Message was edited by:
  ARF

• SES with VPD (Virtual Private Database)?

  I am trying to use SES to search a database with row-level security enabled in the form of VPD. My plan is to have SES index the database as a user with read permissions on all data, and likely use Query-Time Authorization to filter results.
  The trouble is, I cannot see how to have SES call the set_app_ctx() procedure at crawl time to set the application context (in my test case, with user name). As such, nothing is indexed. I am using the Database crawler to index the source. Is this possible at all using the Database crawler?
  Thanks in advance.

  Thanks for your reply.
  I don't know an awful lot about VPD either ;-). But I don't see how I could embed the call in the select.
  I will investigate implementing a custom crawler, but I have been led to believe that doing so is anything but trivial. It would be handy if I could extend the included Database crawler, or see the source code for it...

• (VPD) Virtual Private Database Question?

  Hi All,
  I have a question regarding VPD, I want to implement Column level security, senario is: (Oracle 9i, 10g)
  TABLE
  =======
  CUSTOMER
  (cust_id, name , address, phone, email ) etc
  There is one user "PIN"in which all objects are created and stored, and others users has granted rights through synonyms created on their schemas,
  my question is: All users can access/fetch all rows of customer table but they should not see address and phone fields?, these 2 fields should be NULL for them, is it possible to implement this security policy through VPD?
  prompt reply would be appreciated.
  regards
  qamar
  Edited by: qamarsyed on Nov 5, 2008 12:43 PM

  From the same example, I created the function to exclude all department numbers from DEPT table and I got what you were looking for. But based on your requirement, this function can prove to be costly.
  SQL> ed
  Wrote file afiedt.buf
    1  CREATE OR REPLACE FUNCTION pf_job (oowner IN VARCHAR2, ojname IN VARCHAR2)
    2  RETURN VARCHAR2 AS
    3    con VARCHAR2 (200);
    4  BEGIN
    5    con := 'deptno not in (select deptno from dept)';
    6    RETURN (con);
    7* END pf_job;
  SQL> /
  Function created.And here is the output from other user.
  SQL> /
      DEPTNO      EMPNO ENAME             SAL       COMM
          20       7369 SMITH
          30       7499 ALLEN
          30       7521 WARD
          20       7566 JONES
          30       7654 MARTIN
          30       7698 BLAKE
          10       7782 CLARK
          20       7788 SCOTT
          10       7839 KING
          30       7844 TURNER
          20       7876 ADAMS
          30       7900 JAMES
          20       7902 FORD
          10       7934 MILLER
  14 rows selected.
  SQL>

• Can VPD (Virtual Private Database) being defined in EBS'S responsibility level?

  Hi all,
      I would like to have a restriction of customer data when querying EBS Customer Form (ARXCUDCI.fmb).
     E.g  when I login to new created responsibility, having 1 access Standard Customer from menu. When I search on Customer, only Sales_Channel_Type = RTL is allowed to be displayed. Can i leverage VPD feature to do this restriction of data? It's just only this new responsibility to have this restriction, the rest of responsibilities are allowed to query all type of customers.
    Form personalization is not a best approach of doing above which i am been tested.
  Hope someone can give some advice about this?
  Regards,
  Lygine

  Hi;
  Please check below which could be helpful for your issue:
  https://blogs.oracle.com/stevenChan/entry/virtual_private_database_in_eb
  Also see:
  How do I open a form specific to particular user?
  http://forums.oracle.com/forums/thread.jspa?threadID=2154178&tstart=0
  Regard
  Helios

• For update clause

  Hi all
  in cursor with select for update clause we can reference column list. like
  select.......
  from....
  for update [of column_reference]
  I want to know that what is the use of specifying column nane in for update clause?
  because its main purpose is to lock rows before update or delete, and complete row will be locked not only that column, then what is the use of mentioning it.
  Secondly, I want to know that when we perform dml then automatically locks occur, then why we use for update clause.???
  third,
  when locks occur, when we open cursor or when update or delete???

  If you've got FireFox, you can add tahiti.oracle.com and asktom.oracle.com to the list of search engines you have available in the upper right-hand corner. I can't tell you how addicted I am to that little piece of heaven.
  Justin

• System.prefs -- FOR UPDATE clause

  When moving to a new mysql database, it gave me the error that it
  doesn't suppport the "FOR UPDATE" clause. Turns out the database was an
  older one. I tried to add the
       <mysql>
            <select-for-update>false</select-for-update>
       </mysql>
  section to system.prefs, but no matter where I put it, it had no effect.
  The documentation wasn't exactly clear where it goes. Now, I'm not
  using the default database -- I'm specifying a named database. I'm
  guessing that this option isn't working with named databases in the
  systems.prefs file. Could you clarify this?
  Thanks,
  Dan

  Worked like a champ! Thanks again, Patrick.
  Dan
  Patrick Linskey wrote:
  On 6/6/02 3:56 AM, "Dan Finkelstein" <[email protected]> wrote:
  When moving to a new mysql database, it gave me the error that it
  doesn't suppport the "FOR UPDATE" clause. Turns out the database was an
  older one. I tried to add the
  <mysql>
  <select-for-update>false</select-for-update>
  </mysql>
  section to system.prefs, but no matter where I put it, it had no effect.
  The documentation wasn't exactly clear where it goes. Now, I'm not
  using the default database -- I'm specifying a named database. I'm
  guessing that this option isn't working with named databases in the
  systems.prefs file. Could you clarify this?
  If you're using a named db, you should do
  <db>
  <your name here>
  <select-for-update>false</select-for-update>
  </your name here>
  </db>
  Note that turning off select for update is bad, because it essentially
  defeats pessimistic locking, and you probably shouldn't ever see an error if
  you aren't using pessimistic locking. So, I'd recommend that you use
  optimistic locking with old MySQL installs instead.
  Thanks,
  Dan

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• ERROR using SQL Server 2000, FOR UPDATE clause problem

  Hi All,
  Because our main target for RDBMS mostly SqlServer2000, I try to use ADF BC with one. I successfully run the BC with Tester, scrolling up and down, BUT when i try to make changes and do commit, I receive ERROR, I have tried both JDBC Driver from Microsoft and jTDS, both FAILS.
  I have set the 'Default Locking Mode ..' to 'optimistic'
  (default is 'pessimistic'), it doesn't help.
  Here is the error :
  With Microsoft JDBC Driver :
  (oracle.jbo.DMLException) JBO-26080: Error while selecting entity for Departments
  ----- LEVEL 1: DETAIL 0 -----
  (java.sql.SQLException) [Microsoft][SQLServer 2000 Driver for JDBC][SQLServer] FOR UPDATE cannot be specified on a READ ONLY cursor.
  With jTDS JDBC Driver :
  (oracle.jbo.DMLException) JBO-26080: Error while selecting entity for Departments
  ----- LEVEL 1: DETAIL 0 -----
  (java.sql.SQLException) Line 1: FOR UPDATE clause allowed only for DECLARE CURSOR.
  Pls any body help...
  Thank you,
  Krist

  Krist,
  we added a new SQL Flavor 'SQLServer' in JDeveloper 10.1.2
  This was implemented to handle special SQL syntax of SQLServer, different from SQL92 (among others the FOR UPDATE problem you're facing).
  For new projects, you can select this flavor during their creation. For projects that were defined with Flavor SQL92, you can switch to SQLServer at runtime by setting the parameter jbo.SQLBuilder=SQLServer (in your Application Module configuration or as a java option -Djbo.SQLBuilder=...)
  Regards,
  Didier.

• Use of Virtual Private Database

  Hello
  our company is in e-business and wants to expore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
  i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
  any white paper or document is welcome.
  thanks
  Vijay

  Hello,
  I am also looking for the same information. Though there is lot of info on setting up VPD for Oracle users, there is no material/document which describes how VPD can be implemented for 3-Tier application. I use an Application server to connect to Oracle 9i.
  Did you get any leads?
  Thanks,
  Srinivasan
  Hello
  our company is in e-business and wants to expore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
  i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
  any white paper or document is welcome.
  thanks
  Vijay

• Can VPD Virtual Private DB in 10g replace Oracle Apps security rules?

  I read the recent article in Oracle Magazine called 'Testing Database Security', especially the section on Virtual Private Database (VPD), caught my attention. Can this feature of the 10g database be used by the Oracle Apps to restrict access to data through the apps login? We just moved to 10g.
  Our current data security is enabled by leveraging security rules attached to responsibilities. Our security rules restrict by operating unit, of which there are 89. It would be great if VPD could be used, as it might replace the need to create 89 separate security rules. We would maintain just one set of policies.
  Does anyone know if this can be used on the applications level? If anyone has done this, do you know of a documentation link that would help?
  Thanks for your insight.

  Sebes,
  Thanks for the link...it sounds like it may be part of the Oracle future landscape, but for now, we will have to live with security rules.
  Sincerely,
  Brenda

• RE: for update clause

  Hi,
  If you are using Forte as 2-tier tools, there shouldn't be any problem in
  using select ... for update. The sql is actually passed through to your
  back-end database. So everything should work the same, provided that every
  user has his own database session ( like by using DBResourceMgr to create
  DBSession at run-time for each user. )
  However, if you are building multi-tier application, there is no simple
  answer to your question. The problem is common to all 3-tier application
  since the application / database layer is shared among many users. If you
  start a transaction from client side, use select ... for update to lock a
  record, allow user to change data, then update and end the transaction, you
  are not just locking up a record, but also a database session. In such
  model, you will run out of DBSession very soon.
  What we did here is to use a "lock count", which exists is every table.
  When client retrieves a record, it won't start a transaction there. A
  transaction is started only on the server and after client commits its
  changes to the server. Data consistency is checked by checking the lock
  count in the update where clause.
  It looks dumb, but it's the only solution that we can reach after consulting
  a lot of white paper and Forte consultants. Moreover, Forte consultant also
  said its bad to start a transaction on client side.
  I do hope that there is a better solution out there in handling 3-tier
  applications too. Afterall, this lock count thing is clumsy.
  Peter Sham.
  -----Original Message-----
  From: Phong Tran [SMTP:[email protected]]
  Sent: Thursday, March 18, 1999 6:50 AM
  To: [email protected]
  Subject: for update clause
  dear forte-users,
  I notice the "for update" clause can only used with cursor.
  Just wonder why you can not use it with "sql select ...." statement.
  Also as I understand it, one way to protect the data consistency is
  through
  the mutex lock but then you turn the object to a single-threaded to
  serialize access even though you access different rows in a
  database
  table. The fact is you only want access on a particular row.
  Does anyone know the best way to lock a row (or rows) in the
  database ?
  If you have to rely on the "for update" clause in the cursor
  definition for
  the locking, then you almost end up with a lot of cursors.
  Example: the method ReadnWriteDB(ordeId) accesses a specific row
  but since the orderOBj serializes access, other tasks have to wait.
  OrderObj: OrderMgr = new(IsShared = TRUE, IsTransactional = TRUE);
  method GetOrderInfo() of the TransactionSO.
  begin transaction
  OrderObj.ReadnWriteDB(orderId);
  end transaction;
  From Client:
  Begin
  start task TransactionSO.GetOrderInfo(orderId);
  end;
  Phong
  To unsubscribe, email '[email protected]' with
  'unsubscribe forte-users' as the body of the message.
  Searchable thread archive
  <URL:http://pinehurst.sageit.com/listarchive/>
  To unsubscribe, email '[email protected]' with
  'unsubscribe forte-users' as the body of the message.
  Searchable thread archive <URL:http://pinehurst.sageit.com/listarchive/>

  Which application front end are you using.
  Also, you'll get the same error if your Query runs too long, and/or your rollbacks are too small.