Using VPD (Virtual Private Database) with Discoverer for Dummies

Similar Messages

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• Some thoughts about VPD (Virtual Private Database)

  You may be interested in some of the brief articles I recently published on Virtual Private Database. You will find them here:
  Pop-quiz: VPD policy that depends on a table with a policy…- http://technology.amis.nl/blog/index.php?p=812
  Another Pop-Quiz: Whose VPD policy is used when executing SQL in a (definer rights) package? - http://technology.amis.nl/blog/index.php?p=817
  best regards,
  Lucas

  But I think that you know what he is and pra that she serves...
  In this in case that, you must also know that some particularitities exist.
  For example, so that security in row level is made, we need to define which will be the politics of applied security, which the restriction that will be made (seemed with clause WHERE).
  After this, we must select the columns, the ones relevant that will be masked.
  And finally, to add the politics functions.
  Manually, to create and to modify or to give any maintenance well is complicated.
  For this, the SQL Developer, by means of its graphical interface, would go to decide the problem definitively.
  Perhaps if it will not be possible to add the functionalities of the VPD, was interesting to create some thing for the application contexts.
  I spoke in VPD and in application contexts because, generally, who has the version Enterprise Edition uses the VPD, but who only has the version Stantard or Standard One, applies politics of security in row level by means of views, triggers and contexts of application.
  Message was edited by:
  ARF

• Use of Virtual Private Database

  Hello
  our company is in e-business and wants to expore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
  i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
  any white paper or document is welcome.
  thanks
  Vijay

  Hello,
  I am also looking for the same information. Though there is lot of info on setting up VPD for Oracle users, there is no material/document which describes how VPD can be implemented for 3-Tier application. I use an Application server to connect to Oracle 9i.
  Did you get any leads?
  Thanks,
  Srinivasan
  Hello
  our company is in e-business and wants to expore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
  i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
  any white paper or document is welcome.
  thanks
  Vijay

• How to use Oracle Virtual Private Database (VPD) with EclipseLink JPA

  My project required to use VPD in database to isolate data access based on different user type. How can I use EclipseLink JPA with VPD? For instance, how I could set up server context in database for each database session? Thanks for any help.

  There is some information on Oracle proxy authentication here,
  http://wiki.eclipse.org/EclipseLink/Examples/JPA/Oracle/Proxy
  VPD usage would be very similar.
  James : http://www.eclipselink.org : http://en.wikibooks.org/wiki/Java_Persistence

• SES with VPD (Virtual Private Database)?

  I am trying to use SES to search a database with row-level security enabled in the form of VPD. My plan is to have SES index the database as a user with read permissions on all data, and likely use Query-Time Authorization to filter results.
  The trouble is, I cannot see how to have SES call the set_app_ctx() procedure at crawl time to set the application context (in my test case, with user name). As such, nothing is indexed. I am using the Database crawler to index the source. Is this possible at all using the Database crawler?
  Thanks in advance.

  Thanks for your reply.
  I don't know an awful lot about VPD either ;-). But I don't see how I could embed the call in the select.
  I will investigate implementing a custom crawler, but I have been led to believe that doing so is anything but trivial. It would be handy if I could extend the included Database crawler, or see the source code for it...

• Using for update clause in VPD(Virtual Private Databases)

  Hi,
  We are using for update clause in our procedure to explicitly lock rows in a particular table as shown below:
  SELECT AMOUNT FROM INTERFACE_TABLE
  INTO T_Amount
  WHERE ROWID = :B1
  FOR UPDATE OF BANK_ACCOUNT_NUM NOWAIT;
  But this statement is giving the following error in VPD:
  ORACLE error 1733 in FDPSTP
  Cause: FDPSTP failed due to ORA-01733: virtual column not allowed here.
  We need to lock rows in that particular table until the commit is issued,so as to prevent the updation of the rows which are being processed.
  Is there any other way in which this can be achieved.
  Thanks & Regards,
  Brahmendra Kashyap

  From the docs, which you didn't read:
  ORA-01733 virtual column not allowed here
  Cause: An attempt was made to use an INSERT, UPDATE, or DELETE statement on an expression in a view.
  Action: INSERT, UPDATE, or DELETE data in the base tables, instead of the view.
  Can you explain why you didn't read the docs? I'm just curious why so many people do absolutely nothing to resolve their problem (they would learn Oracle by doing so) and request to be spoon fed.
  Sybrand Bakker
  Senior Oracle DBA
  Experts: those who did read the documentation.

• VPD(Virtual Private Database)

  Exists some possibility to implement tools for the configuration and development of VPD inside of the SQL Developer?

  But I think that you know what he is and pra that she serves...
  In this in case that, you must also know that some particularitities exist.
  For example, so that security in row level is made, we need to define which will be the politics of applied security, which the restriction that will be made (seemed with clause WHERE).
  After this, we must select the columns, the ones relevant that will be masked.
  And finally, to add the politics functions.
  Manually, to create and to modify or to give any maintenance well is complicated.
  For this, the SQL Developer, by means of its graphical interface, would go to decide the problem definitively.
  Perhaps if it will not be possible to add the functionalities of the VPD, was interesting to create some thing for the application contexts.
  I spoke in VPD and in application contexts because, generally, who has the version Enterprise Edition uses the VPD, but who only has the version Stantard or Standard One, applies politics of security in row level by means of views, triggers and contexts of application.
  Message was edited by:
  ARF

• (VPD) Virtual Private Database Question?

  Hi All,
  I have a question regarding VPD, I want to implement Column level security, senario is: (Oracle 9i, 10g)
  TABLE
  =======
  CUSTOMER
  (cust_id, name , address, phone, email ) etc
  There is one user "PIN"in which all objects are created and stored, and others users has granted rights through synonyms created on their schemas,
  my question is: All users can access/fetch all rows of customer table but they should not see address and phone fields?, these 2 fields should be NULL for them, is it possible to implement this security policy through VPD?
  prompt reply would be appreciated.
  regards
  qamar
  Edited by: qamarsyed on Nov 5, 2008 12:43 PM

  From the same example, I created the function to exclude all department numbers from DEPT table and I got what you were looking for. But based on your requirement, this function can prove to be costly.
  SQL> ed
  Wrote file afiedt.buf
    1  CREATE OR REPLACE FUNCTION pf_job (oowner IN VARCHAR2, ojname IN VARCHAR2)
    2  RETURN VARCHAR2 AS
    3    con VARCHAR2 (200);
    4  BEGIN
    5    con := 'deptno not in (select deptno from dept)';
    6    RETURN (con);
    7* END pf_job;
  SQL> /
  Function created.And here is the output from other user.
  SQL> /
      DEPTNO      EMPNO ENAME             SAL       COMM
          20       7369 SMITH
          30       7499 ALLEN
          30       7521 WARD
          20       7566 JONES
          30       7654 MARTIN
          30       7698 BLAKE
          10       7782 CLARK
          20       7788 SCOTT
          10       7839 KING
          30       7844 TURNER
          20       7876 ADAMS
          30       7900 JAMES
          20       7902 FORD
          10       7934 MILLER
  14 rows selected.
  SQL>

• Can VPD (Virtual Private Database) being defined in EBS'S responsibility level?

  Hi all,
      I would like to have a restriction of customer data when querying EBS Customer Form (ARXCUDCI.fmb).
     E.g  when I login to new created responsibility, having 1 access Standard Customer from menu. When I search on Customer, only Sales_Channel_Type = RTL is allowed to be displayed. Can i leverage VPD feature to do this restriction of data? It's just only this new responsibility to have this restriction, the rest of responsibilities are allowed to query all type of customers.
    Form personalization is not a best approach of doing above which i am been tested.
  Hope someone can give some advice about this?
  Regards,
  Lygine

  Hi;
  Please check below which could be helpful for your issue:
  https://blogs.oracle.com/stevenChan/entry/virtual_private_database_in_eb
  Also see:
  How do I open a form specific to particular user?
  http://forums.oracle.com/forums/thread.jspa?threadID=2154178&tstart=0
  Regard
  Helios

• ADF BC + Virtual Private Database

  First and foremost, as it's my first post here i'd like to say hello to you all.
  I hope i'll get answers to my questions and help others as well with my (little) experience.
  But for now i'm in need of help.
  We're currently developing our first web application using JSF + ADF BC. A part of the project is to use the Virtual Private Database functionality.
  On a page we change the context from one to another on the fly via a dropdown list, it works but we would like to refresh automatically the data displayed on the page (especially because we have a filter depending on the VPD context).
  Should we try to refresh the view object / the entity object / and how ?
  it may seem simple to one of you but as we're new to ADF BC, it's not yet so.
  many thanks for your help.

  In this case you coud use the refresh condition in the page definition and test a flag that indicate a refresh is necessary due to a change of the pvd context. This is to be done systematically on each page where your data are used.
  An another way is to cause the entity view to resfresh programatically in a way that the data control will refresh also. In this case, you will have to change only one piece of your code but you have to be sure to indicate the data control that it has to refresh the cache.
  you will find all necessary code in the developer guide.
  hope its help a little bit

• Virtual Private Databases via ConnectionPool from OC4J?

  We would like to use the Virtual Private Database feature, but can not find any documentation describing how to configure the application server.
  What we are hoping to do is:
  Setting up ONE(?) database connection pool in OC4J, and being able to share this between different Companies/Departments using the same application, but having different VPD.
  How can the group/role of the user in AS be mapped to the concept of application_context and CLIENT_IDENTIFIER in the database?
  We are using CMP entity beans, (and not BC4J)
  regards
  Trond Rxnneberg

  It's an explicit call that we have to make from our application. Right now I'm thinking that the library we use to connect to Oracle (which also provides connection handling/pooling) etc, is the problem.
  I was just hoping that there was a more sophisticated way of dealing with this issue. At the moment we have little control over our connection pool (sucks, should be -- and probably will be -- rewritten in the near future). So, at the moment I don't really have a clue when we get a new connection from the pool. We worked around this issue by calling the login procedure more often than we would like.
  I've read something about the ODP.NET drivers exposing the ClientID property in the connection on application level. I'm a little hazy on Oracle, but am I correct in assuming that when I set a ClientID, the Oracle database can read the client identifier and can set the VPD's accordingly solely based on that ID? Because if it does work like that, it sounds like the solution to our problem here. :)
  Cheers,

• Virtual private database / procedure with AUTHID DEFINER

  Dear all,
  short question (11.2.0.3 EE): is virtual private database (dbms_rls) working together with a procedure defined as AUTHID=DEFINER?
  We have the following scenario:
  User A owns table AA (mandantid number, name varchar2(20))
  Data:
  100, ABC
  102, XYZ
  User B has access to table A.AA with RLS in place seeing the record 100,ABC only.
  So far, this works correct.
  Now there is a procedure owned by B:
  create or replace procedure BB AUTHID DEFINER is
       num     number;
  begin
       select count(*) into num from A.AA;
       dbms_output.put_line('num='||to_char(num));
  end BB;
  /Execution of procedure BB by B itself returns 1 (correct)
  Now the part that causes problems:
  There is another user X, calling procedure B.BB. Actually I thought, the output of the procedure would be 1, since it runs under DEFINER, but actually it's 0.
  Why?
  Thanks for any hints on this
  Regards
  Christoph

  What is your policy function? How does it determine what rows to show?
  A common approach to building a VPD policy would be to create a context that the user populates by calling some procedure (i.e. a login procedure that you've implemented) and then refer to the value in the context in your VPD policy. If that's what your VPD policy is doing, my wager is that the problem is that when B is executing the procedure, the context is already populated appropriately but when some other user executes the procedure, the context is empty. If the policy function is using something like the USER function, that would also explain why it behaves differently for different callers.
  Justin

• Oracle Virtual Private Database (VPD), Column Level Security

  Hello,
  About Oracle Virtual Private Database (VPD), is it possible to set a Column Level Security without setting a Row Level Security (without using any predicate)?
  Thanks,
  Herve.

  Thanks, Zoran.
  A colleague shared with me a link containing a function without returning a predicate (in using SYS_CONTEXT function to skip row restriction).
  Herve.
  Link

• Error trying to run the Sample Code Virtual Private Database using JSP's

  Hi.
  I`ve downloaded the Virtual Private Database using JSP's example from the Oracle9iAS Security - Sample Corner (http://otn.oracle.com/sample_code/deploy/security/9i_security.html)
  I ran the SQL script just fine. I�ve Opened the JDeveloper Flile (security.jws) and tried to Make it (following step 2 on "Run the Application using JDeveloper Environmentinstructions" in the README ) but i get this error:
  Error: unable to copy to output directory, web.xml not found
  It seems that i need the web.xml to run this application, but in the zip file i cannot find any XML file.
  What can i do?.
  Thanks in advance for your help

  Hi,
  the problem seems not to be within your application but in missing files on your embedded OC4J. Just try and unzip the JDeveloper 10.1.3 install again.
  Frank