Virtual private database and cascade delete

We can't secure rows deleted by cascade delete with VPD.
User "A" has the right to delete row "1" but doesn't have the right to delete row "2".
If user "A" deletes row "1", the database will also delete row "2" by cascade delete.
Why is it possible to delete row "2"?

Either of the two options (a policy that queries the base table or propagating the security columns to the child tables) should work.
My preference from a data model standpoint would be to have a policy that queries the base table so that the security information can be maintained in exactly one place. But if your application is frequently querying the child tables without reference to the parent table, joining to the parent table, particularly if data volumes are such that an IN would be less than ideal, there may be performance issues to this approach.
Copying the columns creates a potential data integrity problem: if you change the security on a base table row, you may forget to change the security on all the child records. But that issue may not be significant if the security is essentially static once the rows are created. And it's definitely easier to tune.
You may also want to create views that join the parent and child tables and grant users access to these views rather than to the child tables directly, which would allow you to have a single policy on the base table and get most of the benefits of the first option with fewer performance problems if data volumes make an IN less than ideal.
Justin
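A worked version of the first option above, added here and not part of the thread: a policy on the child table whose predicate looks the security column up on the base table, with the session context set by a trusted package the way the vpd_setup reply further down describes. The table, context and package names are assumptions, and the schema running it needs CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

```sql
-- Constructed example; orders, order_lines, owner_id, app_ctx and sec_pkg are assumed names.

-- Base table carries the security column; child rows reach it only through the FK.
CREATE TABLE orders (
  order_id NUMBER PRIMARY KEY,
  owner_id VARCHAR2(30) NOT NULL
);
CREATE TABLE order_lines (
  line_id  NUMBER PRIMARY KEY,
  order_id NUMBER NOT NULL REFERENCES orders (order_id) ON DELETE CASCADE,
  qty      NUMBER
);

-- Only sec_pkg may write this context, so the predicates below can trust it.
CREATE CONTEXT app_ctx USING sec_pkg;

CREATE OR REPLACE PACKAGE sec_pkg AS
  PROCEDURE set_user(p_user IN VARCHAR2);
  FUNCTION orders_pred(p_schema IN VARCHAR2, p_obj IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION lines_pred (p_schema IN VARCHAR2, p_obj IN VARCHAR2) RETURN VARCHAR2;
END sec_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_pkg AS
  -- Called once per session (the ConnectInit / login-procedure step).
  PROCEDURE set_user(p_user IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('app_ctx', 'userid', p_user);
  END set_user;

  -- Base table: the security column is compared directly.
  FUNCTION orders_pred(p_schema IN VARCHAR2, p_obj IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN q'[owner_id = SYS_CONTEXT('app_ctx', 'userid')]';
  END orders_pred;

  -- Child table: no security column here, so the predicate looks it up on the
  -- base table. This is the IN-subquery whose cost the answer warns about.
  FUNCTION lines_pred(p_schema IN VARCHAR2, p_obj IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN q'[order_id IN (SELECT o.order_id FROM orders o
                           WHERE o.owner_id = SYS_CONTEXT('app_ctx', 'userid'))]';
  END lines_pred;
END sec_pkg;
/

-- Attach both policies to all four statement types; update_check also validates new rows.
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => USER, object_name => 'ORDERS',
    policy_name => 'orders_owner', function_schema => USER,
    policy_function => 'SEC_PKG.ORDERS_PRED',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE', update_check => TRUE);
  DBMS_RLS.ADD_POLICY(object_schema => USER, object_name => 'ORDER_LINES',
    policy_name => 'lines_owner', function_schema => USER,
    policy_function => 'SEC_PKG.LINES_PRED',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE', update_check => TRUE);
END;
/

-- Cascade case from the question: when the session can DELETE FROM orders WHERE
-- order_id = 1, that order's owner_id is the session user, so every line the FK
-- cascade removes already satisfied the lines_owner predicate. With copied security
-- columns (the second option) a child whose copy diverges from its parent is still cascaded away.
```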

Similar Messages

  • Oracle Virtual Private Database and Weblogic.

    Hi All,
    I am using Oracle 11gR2 and weblogic 10.3.5.
    I would like to use Virtual Private Database feature in my project. I read the documentation and I understood the concept. I made a few tests on my dev environment and it seems to work fine.
    Now, I would like to use VPD with weblogic (we are also using Hibernate) as all my users connect to the database through weblogic.
    My question is how can I get the name of my non-database users (so coming from weblogic) and automatically set them to my context?
    Many thanks for your help.

    Anyone on this one?
    Many thanks!

  • Privately Owned and Cascade Delete in DB

    Hi,
    What is the relationship between setting privately owned in Toplink vs creating a cascade delete in Oracle DB? If I have the cascade delete in DB then what is the advantage of setting the privately owned flag in toplink?
    Thanks

    If you only set the cascade delete option in the database, then TopLink will have no knowledge that the private object was deleted (or that it is private in general). This would mean that TopLink would not remove the private object from the cache or process it as having been deleted. In general this may not cause your app any direct issues if you never read the private object directly as it will eventually garbage collect from the cache.
    Making the relationship privately owned in TopLink will also ensure the following:
    - If you replace the private object with another, or set it to null, TopLink will delete the old object on the update of the source. Cascade delete only works on deletion.
    - If the relationship is a 1-m and you remove an object from the collection it will be removed.
    - If you refresh the parent object, by default the child will also be refreshed.
    - If you merge the parent object, by default the child will also be merged.

  • Virtual Private Database and APEX

    Hi guys!
    I've incorporated VPD configuration tables into an APEX reporting application. But unfortunately it doesn't work. My interactive report still shows all the records from the table instead of a few. My authentication scheme is database account. I wonder why it doesn't work because in SQL Developer it selects only the number of rows narrowed by the predicate... Do you have an idea why?
    With regards,
    PsmakR

    Hi!
    In general there are five tables: one for dimensions, second for fact tables, third for dimension levels, fourth for fact table dimensions and the fifth for predicates based on information in other tables. There is also a package which synchronises the security policies.
    So to be honest I don't know why it works in Toad/SQL Developer and doesn't work in APEX ;/ I thought if I changed the authentication scheme to database account it would work like different user, different schema... but it doesn't work at all and I wonder why... maybe there is some additional info you would like to know to help me get through this?
    With regards,
    PsmakR

  • Virtual Private Database and BC4J

    How do I designate CLIENT_IDENTIFIER in Global Application Context on the database using BC4J?

    Hi,
    try http://otn.oracle.com/products/jdev/howtos/bc4j/bc4jvpdjaas.html
    Frank

  • Implement row-level security using Oracle's Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracle's Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/"application" database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1. Review the 2 attempted solutions that we have tried to implement
    2. Propose solutions/answers to open questions for each of the attempted solutions
    3. Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect at the same time? Business Objects shares the generic app_user connect string. However, every user that logs on will have their own unique proxy user credentials. Will there be any contention involved? If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open. In that case, if another user logs on similarly with their credentials, will business objects simply assign the first user's connection to that second user? If so, then our security will not work. Is there a way that Business Objects can somehow ensure that every time we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that "Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization."
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END;
    ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being "executed" on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    -- Requires a context bound to this procedure: CREATE CONTEXT session_values USING vpd_setup;
    CREATE OR REPLACE PROCEDURE vpd_setup (p_user IN VARCHAR2) IS
    BEGIN
      -- SET_CONTEXT(namespace, attribute, value); DBMS_SESSION has no SET_VPD procedure
      DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
    END vpd_setup;
    /
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.

  • Use of Virtual Private Database

    Hello
    Our company is in e-business and wants to explore new features of Oracle 9i for the next project. One of the options for security is Virtual Private Database. I was just wondering how useful VPD is in an application where there is connection pooling? I mean in our case we will be using Application Server in the middle tier and so all users who log on to AS will finally go to the database as XYZ user. What are the pros and cons of using VPD in such a scenario?
    I know the Oracle Manual talks about use of Global Application Context but I was wondering if anyone who has implemented this or thought of implementing it would like to share his / her views on this.
    any white paper or document is welcome.
    thanks
    Vijay

    Hello,
    I am also looking for the same information. Though there is a lot of info on setting up VPD for Oracle users, there is no material/document which describes how VPD can be implemented for a 3-Tier application. I use an Application server to connect to Oracle 9i.
    Did you get any leads?
    Thanks,
    Srinivasan

  • About Virtual Private Database

    Hi All,
    Oracle provides two ways to implement DB security.
    1. RBAM (Role based access model)
    2. RLS (Row level security)
    So the query is which one is the best method for implementation of security in the database, supposing we don't have any requirement for row level restrictions.
    I wanted to see the pros and cons for both methods.
    Thanks a lot for your help!
    Thanks
    Sandeep

    Hi Sandeep,
    Row level security (RLS) and Virtual Private Database (VPD) are the same thing, which provides a database applied row level filtering mechanism through some context that is set for the database connection. As you don't believe you need this then I suppose this is redundant.
    Role based security is based around a system of grants and privileges between database users/schemas. This is becoming increasingly redundant these days from a database applications point of view because many (maybe most) applications designed these days have users connect to the database using a common database user and must therefore control user access through application controlled mechanisms.
    So it also depends on your application on whether Role based security is of any use to you, or if you have to create your own security mechanism in your application. Which you have to do anyway for application objects that aren't database owned, such as screens, reports, buttons, fields, tabs etc.
    Regards
    Andre

  • Virtual Private Database

    Hi All,
    We are using Oracle 11g R2 and we would like to implement Virtual Private Database.
    We have an application connected to LDAP with several users. The users are also created in Weblogic. The application is using only one Oracle schema with many tables.
    Unfortunately the application we are using does not implement Row Level Security so we thought about using VPD, but as I understood it you can implement it by creating multiple user schemas in the database; however, in our case we have only one schema.
    The question is then: is it possible to implement VPD with only one Oracle schema and different application users?
    Many thanks.

    Re: Virtual Private Database
    Chiwatel 25 June 2013 19:25 (in reply to JustinCave)
    Hi Karan,
    Do you know how to do this (calling the package associated with the context) with Weblogic (and hibernate) by any chance ?
    Many thanks.

  • Using VPD (Virtual Private Database) with Discoverer for Dummies

    Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view thread that started it all: BIS vs DBI vs Noetix .
    Otherwise I'm hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and its performance. I've just read that:
    “Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
    VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
    With Regards to Discoverer, I would like to ask the following:
    -When would be best to use VPD in Discoverer?
    -Pros and Cons of VPD?
    -Tips / Tricks?
    -and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
    I've found a few handy links:
    http://www.adp-gmbh.ch/ora/security/vpd/index.html
    http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
    As Metalink support would say : I Looking forward to your ‘Positive’ comments. ;-)
    Lance

    Lance,
    You sure do raise some interesting questions here.
    I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries; http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
    If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
    I trust "My Positive Comment" may help!!
    Merry Christmas
    Si ;-)
    P.s This also may come in handy if running 10g http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm

  • Row level access, virtual private database, label security

    Hello All,
    I'm experiencing an issue.... I have a datawarehouse where some tables, for example orders, are shared for two different countries. The difference is made simply with a field country that may contain country_id.
    So using OBI and Publisher I need to permit some users to query only the country with id 1, others the country with id 2 and others both countries.
    Is there a way to achieve this result without implementing VPD or OLS? Do you have any hint?
    Thanks
    Stefano

    Hi,
    it must be useful
    http://obieeblog.wordpress.com/2008/12/29/obiee-and-virtual-private-database-vpd/
    thanks
    karthick

  • About virtual private databases

    I've read in the documentation that:
    Oracle Virtual Private Database enforces security, to a fine level of granularity, directly on database tables, views, or synonyms. Because you attach security policies directly to these database objects, and the policies are automatically applied whenever a user accesses data, there is no way to bypass security.
    Ok, but can't I specify a policy using a trigger on a table, let's say? So, instead of using VPD to dynamically generate a policy and append it to the where clause, I could specify a where condition in the trigger and, based on which user logs on, select only specific data. What are the advantages of using VPD instead of specifying those conditions in another way?
    Thanks

    Roger22 wrote:
    What's the advantages of using VPD instead of specifying those conditions in other way?
    Single schema. Single set of tables. Used by 100's of customers. While guaranteeing that one customer cannot CRUD data of any other customers. And this guarantee is at SQL level. So while having full SQL access to the schema objects, that customer will see that schema as only containing his data and nothing else.
    This in a nutshell is a VPDB.
    And it is impossible to provide that guarantee at SQL level using any other way.
    Views and triggers? Not as robust. Not as secure. Not as flexible. A lot more moving parts, which means an increase in complexity and potential problems and bugs.

  • ADF BC + Virtual Private Database

    First and foremost, as it's my first post here I'd like to say hello to you all.
    I hope I'll get answers to my questions and help others as well with my (little) experience.
    But for now I'm in need of help.
    We're currently developing our first web application using JSF + ADF BC. A part of the project is to use the Virtual Private Database functionality.
    On a page we change the context from one to another on the fly via a dropdown list. It works, but we would like to automatically refresh the data displayed on the page (especially because we have a filter depending on the VPD context).
    Should we try to refresh the view object / the entity object / and how?
    It may seem simple to one of you but as we're new to ADF BC, it's not yet so.
    Many thanks for your help.

    In this case you could use the refresh condition in the page definition and test a flag that indicates a refresh is necessary due to a change of the VPD context. This is to be done systematically on each page where your data are used.
    Another way is to cause the entity view to refresh programmatically in a way that the data control will refresh also. In this case, you will have to change only one piece of your code but you have to be sure to indicate to the data control that it has to refresh the cache.
    You will find all necessary code in the developer guide.
    Hope it helps a little bit.

  • Where Is The Virtual Private Database Option

    In apex 3.2, I could find the Virtual Private Database option in
    Shared Components/Security
    I am now using Apex 4.2 and I cannot find this option under
    Shared Components/Security or anywhere else.
    Where has it gone?
    Gus

    Hi,
    It is in the same place, but renamed to Database Session
    http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35125/bldr_attr.htm#sthref738
    Regards,
    Jari

  • Virtual Private Databases via ConnectionPool from OC4J?

    We would like to use the Virtual Private Database feature, but cannot find any documentation describing how to configure the application server.
    What we are hoping to do is:
    Setting up ONE(?) database connection pool in OC4J, and being able to share this between different Companies/Departments using the same application, but having different VPD.
    How can the group/role of the user in AS be mapped to the concept of application_context and CLIENT_IDENTIFIER in the database?
    We are using CMP entity beans, (and not BC4J)
    regards
    Trond Rønneberg

    It's an explicit call that we have to make from our application. Right now I'm thinking that the library we use to connect to Oracle (which also provides connection handling/pooling) etc, is the problem.
    I was just hoping that there was a more sophisticated way of dealing with this issue. At the moment we have little control over our connection pool (sucks, should be -- and probably will be -- rewritten in the near future). So, at the moment I don't really have a clue when we get a new connection from the pool. We worked around this issue by calling the login procedure more often than we would like.
    I've read something about the ODP.NET drivers exposing the ClientID property in the connection on application level. I'm a little hazy on Oracle, but am I correct in assuming that when I set a ClientID, the Oracle database can read the client identifier and can set the VPDs accordingly solely based on that ID? Because if it does work like that, it sounds like the solution to our problem here. :)
    Cheers,
