Using VPD for Column Masking

Hi ,
Arup nanda demostrate [http://www.oracle.com/technology/pub/articles/10gdba/week14_10gdba.html]
how to use Column Masking using VPD.
I would like to use TDE+VPD for PCI DSS requirements.
In order to protect the data from been stolen i am going to use TDE.
Regarding the VPD , i need to allow few user to see the entire credir card number , and for some user to see just
the last 4 digits of the credit card.
As far as i understood from the link above , all i can do is to mask column valus to null value.
I thought using dbms_crypto , but Tom Kyte suggested hir
[http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1631574900346651898]
not to do it.
My question is if it somehow possible to see just the last 4 digit using VPD.
Thanks

No you can't, Column level VPD is not ment to give a masking solution, I have filled a request to oracle to enhance VPD to support this feature, I didn't get any answer for it.
You will have to find a nother way, VPD is not it.
I suggest you to add another column to your tables that holds the credit card number, the new column will hold the masked value of the credit card - write PL/SQL function to do it, and update the table, then use simple views to control what data each user will see.
Oded
[www.dbsnaps.com]
[www.orbiumsoftware.com]

Similar Messages

  • What restrictions apply to VPD functions for column masking?

    I want to understand the restrictions that apply to VPD functions when used for column masking, compared with their use for Row-Level Security.
    According to the Oracle Database Security Guide (11g Release 1)
    Column-masking conditions generated by the policy function must be simple Boolean expressions, unlike regular Oracle Virtual Private Database predicates.
    I have long understood the above as implying that column-masking conditions should not contain sub-queries (i.e. inner selects).
    However, we tested using a condition with a select inside another select (2-level nesting) and yet it worked. We were on 11g Release 2, by the way.
    So, I wonder, does anyone have experience with using sub-queries in column-masking conditions? Or, alternatively, does anyone have more information on what Oracle means with "regular VPD predicates" and "simple Boolean expressions" (of course, in the context of VPD)?
    Thanks,
    Pablo

    Thanks Harm,
    that was very useful.
    According to the grammar of CASE expressions, <predicate> is generated by the non-terminal "condition". This is the same non-terminal used for WHERE clauses in SELECT statements, and thus <predicate> can contain any number of nested SELECTs.
    Cheers,
    Pablo

  • JPA Problem using alias for columns in a query

    Hello, I am having some problems with a query that I am trying to use in my JEE project. This query doesnt return an entity but a group of values. I created a class representing the result and a query with the jpa constructor expression but it is not working.
    The problem is that in the query I added some alias to the results, and when I try to run the project it says that it cannot parse the query.
    My Query:
    Query query = em.createQuery("SELECT NEW vo.VOOperacionesAgrupadas (o.nemotecnico as nemotecnico, o.esCompra as esCompra, i.equivUltimo as equivUltimo, sum(o.saldo) as saldo, sum(o.utilidad) as utilidad, sum(o.tasaCompraVenta)/count(o.nemotecnico) as promedioTasaCompra, (i.equivUltimo-sum(o.tasaCompraVenta)/count(o.nemotecnico))*100 as puntosBasicos) FROM Operaciones o, Instrumentos i WHERE o.idUsuario = :idUsuario AND o.nemotecnico = i.nemotecnico AND o.estaCerrada = 'false' Group by o.nemotecnico, o.esCompra, i.equivUltimo"); When I use that the server returns :
    Exception Description: Syntax error parsing the query [SELECT NEW vo.VOOperacionesAgrupadas (o.nemotecnico as nemotecnico, o.esCompra as esCompra, i.equivUltimo as equivUltimo, sum(o.saldo) as saldo, sum(o.utilidad) as utilidad, sum(o.tasaCompraVenta)/count(o.nemotecnico) as promedioTasaCompra, (i.equivUltimo-sum(o.tasaCompraVenta)/count(o.nemotecnico))*100 as puntosBasicos) FROM Operaciones o, Instrumentos i WHERE o.idUsuario = :idUsuario AND o.nemotecnico = i.nemotecnico AND o.estaCerrada = 'false' Group by o.nemotecnico, o.esCompra, i.equivUltimo], line 1, column 53: syntax error at [as].
    Internal Exception: MismatchedTokenException(8!=82)
    GRAVE: java.lang.IllegalArgumentException: An exception occurred while creating a query in EntityManager:
    Exception Description: Syntax error parsing the query [SELECT NEW vo.VOOperacionesAgrupadas (o.nemotecnico as nemotecnico, o.esCompra as esCompra, i.equivUltimo as equivUltimo, sum(o.saldo) as saldo, sum(o.utilidad) as utilidad, sum(o.tasaCompraVenta)/count(o.nemotecnico) as promedioTasaCompra, (i.equivUltimo-sum(o.tasaCompraVenta)/count(o.nemotecnico))*100 as puntosBasicos) FROM Operaciones o, Instrumentos i WHERE o.idUsuario = :idUsuario AND o.nemotecnico = i.nemotecnico AND o.estaCerrada = 'false' Group by o.nemotecnico, o.esCompra, i.equivUltimo], line 1, column 53: syntax error at [as].
    Internal Exception: MismatchedTokenException(8!=82)
    at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
    at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
    at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: Exception [EclipseLink-8024] (Eclipse Persistence Services - 2.0.1.v20100213-r6600): org.eclipse.persistence.exceptions.JPQLException
    Exception Description: Syntax error parsing the query [SELECT NEW vo.VOOperacionesAgrupadas (o.nemotecnico as nemotecnico, o.esCompra as esCompra, i.equivUltimo as equivUltimo, sum(o.saldo) as saldo, sum(o.utilidad) as utilidad, sum(o.tasaCompraVenta)/count(o.nemotecnico) as promedioTasaCompra, (i.equivUltimo-sum(o.tasaCompraVenta)/count(o.nemotecnico))*100 as puntosBasicos) FROM Operaciones o, Instrumentos i WHERE o.idUsuario = :idUsuario AND o.nemotecnico = i.nemotecnico AND o.estaCerrada = 'false' Group by o.nemotecnico, o.esCompra, i.equivUltimo], line 1, column 53: syntax error at [as].
    Internal Exception: MismatchedTokenException(8!=82)
    at org.eclipse.persistence.exceptions.JPQLException.syntaxErrorAt(JPQLException.java:362)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.JPQLParser.handleRecognitionException(JPQLParser.java:304)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.JPQLParser.addError(JPQLParser.java:245)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.JPQLParser.reportError(JPQLParser.java:362)
    at org.eclipse.persistence.internal.libraries.antlr.runtime.BaseRecognizer.recoverFromMismatchedElement(Unknown Source)
    at org.eclipse.persistence.internal.libraries.antlr.runtime.BaseRecognizer.recoverFromMismatchedToken(Unknown Source)
    at org.eclipse.persistence.internal.libraries.antlr.runtime.BaseRecognizer.mismatch(Unknown Source)
    at org.eclipse.persistence.internal.libraries.antlr.runtime.BaseRecognizer.match(Unknown Source)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.antlr.JPQLParser.constructorExpression(JPQLParser.java:2635)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.antlr.JPQLParser.selectExpression(JPQLParser.java:2045)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.antlr.JPQLParser.selectItem(JPQLParser.java:1351)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.antlr.JPQLParser.selectClause(JPQLParser.java:1266)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.antlr.JPQLParser.selectStatement(JPQLParser.java:352)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.antlr.JPQLParser.document(JPQLParser.java:276)
    at org.eclipse.persist
    GRAVE: ence.internal.jpa.parsing.jpql.JPQLParser.parse(JPQLParser.java:133)
    at org.eclipse.persistence.internal.jpa.parsing.jpql.JPQLParser.buildParseTree(JPQLParser.java:94)
    at org.eclipse.persistence.internal.jpa.EJBQueryImpl.buildEJBQLDatabaseQuery(EJBQueryImpl.java:198)
    at org.eclipse.persistence.internal.jpa.EJBQueryImpl.buildEJBQLDatabaseQuery(EJBQueryImpl.java:173)
    at org.eclipse.persistence.internal.jpa.EJBQueryImpl.<init>(EJBQueryImpl.java:125)
    at org.eclipse.persistence.internal.jpa.EJBQueryImpl.<init>(EJBQueryImpl.java:109)
    at org.eclipse.persistence.internal.jpa.EntityManagerImpl.createQuery(EntityManagerImpl.java:1326)
    ... 59 more
    Caused by: MismatchedTokenException(8!=82)
    ... 74 more
    What can I do?? I have been stuck in this problem for 2 weeks :s I have tried almost everything..
    Thanks in advance for your help!

    SELECT tmp.contract_no, tmp.Actual, tmp.Actual - tmp.NbHours
    FROM ( SELECT t.contract_no, sum(l.hrs) AS Actual, (c.labour_hours * c.labour_progress_per) / 100 AS NbHours
    FROM TASK_DELEGATION t
    INNER JOIN COST_CODE c
    ON t.cost_code = c.cost_code AND t.contract_no = c.contract_no AND t.is_inactive=0
    INNER JOIN Labour.dbo.LABOURALLOT l
    ON l.contractNo = c.contract_no AND l.costcode = c.cost_code AND l.pm = 'N'
    GROUP BY t.contract_no, c.labour_hours, c.labour_progress_per
    ) tmp

  • Using Highlight for columns in data tables

    Hi, I'm using the "Highlight" function of SpryEffects in
    combination with the sorting features. My HTML structure is a
    simple data table, with a repeating region on the table row, so it
    pulls in as many rows there are pieces in the attached XML file.
    When I sort by one of the column headers at the top, I want to
    highlight that whole column, so users can see what they're sorting
    by. I'm able to get the first row of the data table highlighted,
    but none of the following rows work. I'm pretty sure the problem is
    that the highlight function only works when you use an id to define
    the element that you want highlighted. If it's in a repeating row,
    it sees many ids on the page, and only applies the highlight to the
    first one. I want to change the id to a class, so I can put
    multiple ones on the page and have it work, but I can't see how to
    do that in the SpryEffects.js file.
    Can anyone tell me if it's possible to do this? Thanks.
    Here's the portion of the .js file:
    function setupHighlight(element, effect)
    Spry.Effect.setStyleProp(element, 'background-image',
    'none');
    function finishHighlight(element, effect)
    Spry.Effect.setStyleProp(element, 'background-image',
    effect.options.restoreBackgroundImage);
    if (effect.direction == Spry.forwards)
    Spry.Effect.setStyleProp(element, 'background-color',
    effect.options.restoreColor);
    Spry.Effect.Highlight = function (element, options)
    var durationInMilliseconds = 1000;
    var toColor = "#ffffff";
    var doToggle = false;
    var kindOfTransition = Spry.sinusoidalTransition;
    var setupCallback = setupHighlight;
    var finishCallback = finishHighlight;
    var element = Spry.Effect.getElement(element);
    var fromColor = Spry.Effect.getStyleProp(element,
    "background-color");
    var restoreColor = fromColor;
    if (fromColor == "transparent") fromColor = "#ffff99";
    var optionFrom = options ? options.from : '#ffff00';
    var optionTo = options ? options.to : '#0000ff';
    if (options)
    if (options.duration != null) durationInMilliseconds =
    options.duration;
    if (options.from != null) fromColor = options.from;
    if (options.to != null) toColor = options.to;
    if (options.restoreColor) restoreColor =
    options.restoreColor;
    if (options.toggle != null) doToggle = options.toggle;
    if (options.transition != null) kindOfTransition =
    options.transition;
    if (options.setup != null) setupCallback = options.setup;
    if (options.finish != null) finishCallback = options.finish;
    var restoreBackgroundImage =
    Spry.Effect.getStyleProp(element, 'background-image');
    options = {duration: durationInMilliseconds, toggle:
    doToggle, transition: kindOfTransition, setup: setupCallback,
    finish: finishCallback, restoreColor: restoreColor,
    restoreBackgroundImage: restoreBackgroundImage, from: optionFrom,
    to: optionTo};
    var highlightEffect = new Spry.Effect.Color(element,
    fromColor, toColor, options);
    highlightEffect.name = 'Highlight';
    var registeredEffect =
    SpryRegistry.getRegisteredEffect(element, highlightEffect);
    registeredEffect.start();
    return registeredEffect;

    Hi Philip, Thanks a lot for puting this enhancement request through.
    Just downloaded the latest Patch upgrading to v 3.1.2-704 and confirmed that this functionality is not available yet.
    Keeping your experience in mind what kind of expectation to you have for the approval and realization of your request?
    Most likely this will take a couple of month – right? Or is there a beta version of 3.2 already available we could use.
    Thanks a lot. Cheers Stefan

  • Using variables for column headings in REUSE_ALV_GRID_DISPLAY

    Hi Everyone,
               Is it possible for me to display the column heading in REUSE_ALV_GRID_DISPLAY using a variable?
      CLEAR ls_fieldcat.
      ls_fieldcat-col_pos         =   13.
      ls_fieldcat-reptext_ddic      =  LWOP1.  " <===Here is my variable for my
                                                                          column heading
      ls_fieldcat-tabname           =  'ITAB'.
      ls_fieldcat-fieldname         =  'LWOP2'.
      ls_fieldcat-datatype          =  'CURR'.
      ls_fieldcat-outputlen       =  15.
      APPEND ls_fieldcat TO rt_fieldcat.
    Please help me.  Thanks in advance.

    for me isfielldcat-seltext_l = v_heading. working properly .
    i think you cant give
    ls_fieldcat-reptext_ddic = LWOP1.
    but i m not sure.
    regards
    shiba dutta

  • Column masking row level security in Peoplesoft Databases

    Hi
    How about the credibility of using VPD( for column masking,row level security) in People soft Databases?where the sensitive data is redundant across 100's of tables.
    My intention is to use the VPD across all the tables that contain the sensitive data ( ssn,bank accno, etc)
    Appreciate your help.
    Chelli

    Hi.
    I also have a trouble like yours,but mine is more simple.
    I'd tried to solve,and find that it's really hard and must lost a lot of time to solve,because some table have 2,3 or more derive information that to use VPD is not easy.
    Can i ask for any aspect to solve problem like this.
    Thanks for any answer and support.
    Thinhbk.

  • Using VPD and Portal

    Situation: Trying to implement row level security using VPD for
    applications created in PORTAL. using portal's
    Light weight users.
    Method: Created a fine grain access control policy to build a
    predicate based on a Portal user (not database user).
    1 Get Portal User (proc: portal30.wwctx_api.get_user)
    2 Determine what business rules are setup for this
    Portal User
    3 Based on the above rules, build predicate for the
    Portal User
    Problem: In the first step, not retrieving the Portal user -
    looks to be getting PUBLIC when the code is part of a
    VPD policy. When it is executed on its own, it gets the correct
    information back (ie. The portal user not PUBLIC).
    The idea is that we want to be able to set the VPD policy based
    on the light weight Portal User.
    Oracle Database version 8.1.7
    Oracle iAS 1.0.2.2.0
    There is a work around for this, which is to create a database
    schema for each portal user and then associate the
    Portal account with this database schema. When we do this, we
    get the correct information for use in the VPD policy,
    But we actually look for the Proxy Account (database schema the
    portal user is associated with) and not the portal
    user/session info. This work around in not desirable when we
    get a large number of portal users.
    I've included the VPD package below where we try to extract the
    Portal user acct using the
    portal30.wwctx_api.get_user function
    we also tried the
    WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
    When this PLSQL is executed within a portlet, it seems to return
    the correct information.
    Code:
    CREATE OR REPLACE PACKAGE
    BODY "P_CORPORATE_SECURITY_CONTEXT" as
    function f_company_security (p1 varchar2, p2 varchar2) return
    varchar2 is
    v_predicate VARCHAR2(4000);
    CURSOR cur_company(p_portal_user_name IN
    company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
    SELECT decode(rownum,1,to_char(company_id),','||to_char
    (company_id)) company_id
    FROM company_wwsec_person
    WHERE POLICY = '='
    and upper(WWSEC_PERSON_USER_NAME) = upper
    (p_portal_user_name);
    l_portal_user_name varchar2(256);
    l_oracle_user_name varchar2(30);
    l_all_policy_cnt number;
    l_equal_policy_cnt number;
    BEGIN
    l_portal_user_name := portal30.wwctx_api.get_user;
    -- l_portal_user_name := USER; Commented out since we
    want portal user not
    database user.
    select count(*)
    into l_all_policy_cnt
    from company_wwsec_person
    where upper(WWSEC_PERSON_USER_NAME) = upper
    (l_portal_user_name)
    and policy = 'ALL';
    select count(*)
    into l_equal_policy_cnt
    from company_wwsec_person
    where upper(WWSEC_PERSON_USER_NAME) = upper
    (l_portal_user_name)
    and policy = '=';
    IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
    v_predicate := ' company_id in (';
    FOR l_company IN cur_company(l_portal_user_name)
    LOOP
    v_predicate := v_predicate || l_company.company_id;
    END LOOP;
    v_predicate := v_predicate || ')';
    ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
    v_predicate := ' 1=2';
    ELSE
    v_predicate := NULL;
    END IF;
    -- Uncomment to allow access to everything
    -- v_predicate := ' 1=1';
    RETURN v_predicate;
    END;
    END;

    Situation: Trying to implement row level security using VPD for
    applications created in PORTAL. using portal's
    Light weight users.
    Method: Created a fine grain access control policy to build a
    predicate based on a Portal user (not database user).
    1 Get Portal User (proc: portal30.wwctx_api.get_user)
    2 Determine what business rules are setup for this
    Portal User
    3 Based on the above rules, build predicate for the
    Portal User
    Problem: In the first step, not retrieving the Portal user -
    looks to be getting PUBLIC when the code is part of a
    VPD policy. When it is executed on its own, it gets the correct
    information back (ie. The portal user not PUBLIC).
    The idea is that we want to be able to set the VPD policy based
    on the light weight Portal User.
    Oracle Database version 8.1.7
    Oracle iAS 1.0.2.2.0
    There is a work around for this, which is to create a database
    schema for each portal user and then associate the
    Portal account with this database schema. When we do this, we
    get the correct information for use in the VPD policy,
    But we actually look for the Proxy Account (database schema the
    portal user is associated with) and not the portal
    user/session info. This work around in not desirable when we
    get a large number of portal users.
    I've included the VPD package below where we try to extract the
    Portal user acct using the
    portal30.wwctx_api.get_user function
    we also tried the
    WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
    When this PLSQL is executed within a portlet, it seems to return
    the correct information.
    Code:
    CREATE OR REPLACE PACKAGE
    BODY "P_CORPORATE_SECURITY_CONTEXT" as
    function f_company_security (p1 varchar2, p2 varchar2) return
    varchar2 is
    v_predicate VARCHAR2(4000);
    CURSOR cur_company(p_portal_user_name IN
    company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
    SELECT decode(rownum,1,to_char(company_id),','||to_char
    (company_id)) company_id
    FROM company_wwsec_person
    WHERE POLICY = '='
    and upper(WWSEC_PERSON_USER_NAME) = upper
    (p_portal_user_name);
    l_portal_user_name varchar2(256);
    l_oracle_user_name varchar2(30);
    l_all_policy_cnt number;
    l_equal_policy_cnt number;
    BEGIN
    l_portal_user_name := portal30.wwctx_api.get_user;
    -- l_portal_user_name := USER; Commented out since we
    want portal user not
    database user.
    select count(*)
    into l_all_policy_cnt
    from company_wwsec_person
    where upper(WWSEC_PERSON_USER_NAME) = upper
    (l_portal_user_name)
    and policy = 'ALL';
    select count(*)
    into l_equal_policy_cnt
    from company_wwsec_person
    where upper(WWSEC_PERSON_USER_NAME) = upper
    (l_portal_user_name)
    and policy = '=';
    IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
    v_predicate := ' company_id in (';
    FOR l_company IN cur_company(l_portal_user_name)
    LOOP
    v_predicate := v_predicate || l_company.company_id;
    END LOOP;
    v_predicate := v_predicate || ')';
    ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
    v_predicate := ' 1=2';
    ELSE
    v_predicate := NULL;
    END IF;
    -- Uncomment to allow access to everything
    -- v_predicate := ' 1=1';
    RETURN v_predicate;
    END;
    END;

  • VPD column-masking: unexpected results using masked column in WHERE?

    Hi everyone..
    We are considering implementing VPD column-masking (to hide sensitive columns from unauthorized users), but I am concerned that queries will return incorrect results if an unauthorized user submits a query using a masked column in a WHERE clause - particularly in a JOIN operation.
    Our initial experiment confirms my concern:
    - We have a VPD policy on TABLE_X.COLUMN_Y:
    DBMS_RLS.ADD_POLICY(
    object_schema => 'xxxx',
    object_name => 'TABLE_X',
    policy_name => 'policy_x',
    function_schema => 'xxxx',
    policy_function => 'function_x',
    sec_relevant_cols =>'COLUMN_Y',
    sec_relevant_cols_opt => dbms_rls.ALL_ROWS)
    - The VPD function determines whether the user is authorized (1=1) or not (1=0)
    - COLUMN_Y contains various values, including NULL
    - when an "authorized" user submits the query "SELECT COUNT(*) FROM TABLE_X WHERE COLUMN_Y IS NULL", COUNT=correct number of rows containing NULL
    - when an "unauthorized" user submits the same query, COUNT=the total number of rows in the table -- presumably because the WHERE clause was modified to WHERE NULL=NULL
    In my opinion, the unauthorized user's query should return an error, because any other result is either wrong (i.e. COUNT=all rows, or returns a null result set) or something the user is not permitted to know (i.e. COUNT=correct number of rows)
    Am I missing some feature/setting of VPD that could let me force an error? I hope there is something out there, since I don't see any discussion or warnings about this pitfall.
    We are currently using Oracle 10.2.0.4 but upgrading to 11.1 soon.
    Thanks!
    Betty
    p.s. I originally incorrectly posted this question on the Technologies / Security forum.

    Thanks - yes, we have a function that checks whether the user id is authorized or not.
    The column-masking works, that is, authorized users can see the data; unauthorized users cannot. The issue is what happens when unauthorized users use the masked column in a WHERE predicate.

  • Column Level Security Using VPD under oracle 11g

    Hi
    I am using an example from Oracle Database 10g: Advance Security -- Virtual Private Databases
    1. The Application Context -- that sets the session environment for the use is ok.
    2. The Logon Trigger that executes the above is ok. It had been tested.
    3. The Security Policy that returns a predicate after checking the output of the Application Context is ok.
    4. The security policy applied to the STOCK_TRX table is ok.
    5. Select and Insert from the database work.
    However, after dropping both the insert and select policy, I am having problem getting a select policy to work with column-level VPD. I will get the ORA-28104 -- input value for statement type is not valid and ORA-06512 at SYS.DBMS_RLS line 20. See code below
    begin
    DBMS_RLS.ADD_POLICY
    ('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY', 'PRACTICE', 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY', 'PRICE');
    end;
    Note:
    PRICE is the sec_relevant_cols
    STOCK_TRX is the table
    Can you please help.
    Thx

    The syntax for row level security is not the same for columns level security. All the parameters to the DBMS_RLS.ADD_Policy() function should be preceded by the type of the parameter for:
    begin
    DBMS_RLS.ADD_POLICy(object_schema=>PRACTICE, ... sec_relevant_cols=>'PRICE);
    end;
    I did not know this before. I thought they were there in the example for explanatory reasons. I decided to answer the question for myself because I know others have the same interpretation.

  • OLS    AND    VPD Column Masking.

    I have gone over a couple of sources on OLS and VPD.
    BTW I am working with Oracle 11g R1.
    What I am trying to accomplish is cell level protection. Where cell is defined as the intersection between a row and a column.
    OLS will get me the proper row restrictions.
    VPD has the ability to do Column Masking.
    Has anyone mix the two to accomplish cell level protection?
    Basic examples would be GREATLY appreciated.

    Hi again. Thank you for your reply, but I wanted to achieve cell-level security as I'm trying to create conception of fine-grained processing data with different levels of confidentiality. Here is what I have:
    - I created 3 levels of confidentiality: J < P < T (Unclassified < Confidential < Secret)
    - I created a table and here is how it looks for different users:
    User with T-level authorization:
    !http://img709.imageshack.us/img709/1847/screentj.png!
    User with P-level authorization (can't see T-level data):
    !http://img704.imageshack.us/img704/4002/screenp.png!
    I did that by creating two policies on two columns with data:
    CREATE OR REPLACE FUNCTION f_data01 (schema in varchar2, tab in varchar2) -- or "CREATE OR REPLACE FUNCTION f_data02" for second column
      RETURN varchar2 AS
        predicate         varchar2(2000);        -- the VPD 'where' clause
        session_lab        varchar2(4000);        -- the current user's session label
        session_tag        number;            -- numerical expression of session label
        t_sa_user_name    varchar2(2000);        -- only users with Labels are examined, others don't get access.
    BEGIN
      session_lab := sa_session.label('cells');        -- the current user's session label for that policy
      session_tag := char_to_label('cells',session_lab);    -- numerical expression of session label
      predicate := 'dominates(' || session_tag || ',CDATA01)=1'; -- or "predicate := 'dominates(' || session_tag || ',CDATA02)=1';" for second column
      return predicate;
    END;I asked if it is possible to create one policy with variable instead of column name (ex. CDATA01) or if there is another way to get that effect.
    And is it good practice to put column with labels in one table with data?
    Thank you in advance.
    Edited by: arc.undcvr on 2010-01-23 22:50

  • HT5824 I've been using numbers for iPad and I accidentally deleted a column. And the auto-save feature saved that and now I can't undo it. Does iCloud storage have backups of saved files from like 10 minutes ago? I have number

    I've been using numbers for iPad and I accidentally deleted a column. And the auto-save feature saved that and now I can't undo it. Does iCloud storage have backups of saved files from like 10 minutes ago? I have numbers synced to iCloud.
    I tried to undo it but the app crashed.
    I am hoping there's like a previously saved version of my file in iCloud somewhere. 

    No, iOS does not do short term incremental back ups to iCloud such as you get with Time Capsule.It backs up when you do soo manually, or if set properly, when the device is plugged in and connected to WiFi. It will not have saved your changes as of 10 minutes prior.

  • How to use resource bundle entries for column names/title in .rpt file

    <p>Our application needs to be able to support reporting in multiple languages. Hence we do not want to put language specifiec column names in the rpt file but rather use text for a particular locale during runtime which in java world is easily achievable using Resource Bundle entries.</p><p>Does JRC allow for using resource bundle entries as column names or for that matter for titles etc. in the .rpt file?</p>

    Hi,
       You can follow this step-by-step tutorial to find out how to achieve this using our User Function Libraries (UFLs). The walkthrough can be found here:
    <a href="http://diamond.businessobjects.com/node/412">http://diamond.businessobjects.com/node/412</a>
    Regards,<br />Sean Johnson (CR4E Product Manager) <br /><br /> <a href="http://www.eclipseplugincentral.com/Web_Links-index-req-ratelink-lid-639.html">Rate this plugin @ Eclipse Plugin Central</a>

  • Using VPD (Virtual Private Database) with Discoverer for Dummies

    Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view thread that started it all: BIS vs DBI vs Noetix .
    Otherwise I’m hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and it’s performance. I've just read that :
    “Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
    VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
    With Regards to Discoverer, I would like to ask the following:
    -When would be best to use VPD in Discoverer?
    -Pro’s and Con’s of VPD?
    -Tips / Tricks?
    -and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
    I've found a few handy links:
    http://www.adp-gmbh.ch/ora/security/vpd/index.html
    http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
    As Metalink support would say : I Looking forward to your ‘Positive’ comments. ;-)
    Lance

    Lance,
    You sure do raise some interesting questions here.
    I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries; http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
    If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
    I trust "My Positive Comment" may help!!
    Merry Christmas
    Si ;-)
    P.s This also may come in handy if running 10g http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm
    Message was edited by:
    Simon Pittaway

  • Using Alias for the table column

    Dear all,
       Can we use alias name for the table column while developing zreport.
    ie.,
      without using standard  table column name ( like mara-matnr ), i wish to use mat_num for matnr. So that, one can easily understand the column.
    Could you help me out in this regard.
    Thanks in Advance,
    S.Sridhar.

    yes you can declare in ur internal table like
    material_number like mara-matnr.

  • Using same tablix column for 2 row groups

    Hi.  We run 2012 enterprise.  My tablix is grouped (for the most part) by hidden primary (values are 5,10,15,20) , secondary and tertiary sort columns.  And a couple of visible label items that are aligned left.
    Every row's data columns are completely %, $ or numerically formatted depending on a hidden helper field i've snuck into the tablix row group data fields after the tertiary sort.
    The primary sort column does equate to a label that I dont show right now.  In biz terms that label is actually the highest from a grouping standpoint but isnt being used right now for anything.  I left it for last.
    As I put the finishing touches on this report, I'd like to display that label ahead of the 4 sections it represents using the same column being occupied by the 1st (leftmost) label that is currently visible.  I'd like to center it in that column on
    its own row and apply some shading to the cells to its right.   And show nothing in those shadded cells.   All without changing my dataset if possible.
    To complicate things, I'd like to follow each of the 4 sections with a completely shaded row.  No data at all but grid lines can show thru shading.   Again without changing my dataset.  Is there a feature in ssrs that deals with this
    kind of visual nuance?

    Hi Jeewan,
    Try this formula, If I understood your question correctly it will work for you.

Maybe you are looking for

  • Is there a way to create basic tier Azurvm using new-azureVMconfig?

    Currently with azure powershell version 0.8.0 I am able to provision new Azure virtual machines using a combination of New-AzureVMconfig | Add-AzureProvisioningConfig | New-AzureVM cmdlets.  This gets me standard tier virtual machines with parameters

  • Simple web.xml question

    Hi all, Do I have to restart Tomcat whenever I make changes to any web.xml file(either global or individual web apps)? Thanks for your help.

  • Ideas on best approach - Product Catalogue, Orders to appear in a UWL

    I am looking for some guidance/ideas on how best to approach the following: I have a request to create a product catalogue (only to be accessed internally), that will allow staff to order products. Once they have selected the products and quantities

  • Spc chart

    hi, can some one tell how to get the spc charts from  the system- config, master data,etc. settings. how to export it to excel thanks in advance

  • Web Album creator error

    I have Dreamweaver 2004 and I was in the middle of creating web albums using the command, create album from within dreamweaver. I get a internal error has occured each time  I try to do it  starting today. I cant figure out what has change.  I have r