Virtual Private Databases (VPD) + LDAP server

Does anyone know:-
1) Is using an LDAP directory server (for user authentication and authorization) compatible with VPD?
2) Does VPD require use of OracleAS or is the technology compatible with any J2EE server that supports LDAP for authentication and authorization?
Many thanks,
Lee.

Originally posted by Lee ([email protected]):
> Does anyone know:-
> 1) Is using an LDAP directory server (for user authentication and authorization) compatible with VPD?
VPD is orthogonal to LDAP technology, though in 9i, there is more integration so you can use them together. Check out CONTEXT INITIALIZED GLOBALLY documentation.
> 2) Does VPD require use of OracleAS or is the technology compatible with any J2EE server that supports LDAP for authentication and authorization?
Yes. VPD is access control, not authentication. You need to use something to tell VPD what access control you like.
> Many thanks,
> Lee.

Similar Messages

  • Implement row-level security using Oracle's Virtual Private Databases (VPD)

    Environment: Business Objects XI R2; Oracle 10g
    Functional Requirement:
    Implement row-level security using Oracle's Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/"application" database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
    What do we need from the Business Objects support team?
    1.     Review the 2 attempted solutions that we have tried to implement
    2.     Propose solutions/answers to open questions for each of the attempted solutions
    3.     Propose any alternate solution that will help us implement the Function Requirement stated above
    Attempted Solution 1: Connection String uses Oracle Proxy User
    The connection string that is specified in the Universe is the following:
    app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
    app_user = generic application user
    end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER')
    app_user_pwd = password of the generic application user
    We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
    Open Question for Solution 1:
    i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
    ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first user's connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that every time we close a report, the connection is also terminated both at the BO and DB levels?
    iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
    Attempted Solution 2: Using the ConnectInit parameter
    Reading through a couple of the Business Objects documents, it states that "Using the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization."
    Therefore, we tried to set the parameter in the Universe using several different options:
    ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END;
    ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
    Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being "executed" on the database.
    One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
    Open Questions for Solution 2:
    How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
    Note: Arroba word is being used instead of the symbol in order to avoid following error message:
    We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

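    The connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE PROCEDURE vpd_setup (p_user VARCHAR2) IS
    BEGIN
      -- DBMS_SESSION has no set_vpd procedure; SET_CONTEXT is the call that sets an application context attribute.
      -- The SESSION_VALUES context must name vpd_setup as its trusted procedure (CREATE CONTEXT ... USING).
      DBMS_SESSION.set_context( 'SESSION_VALUES', 'USERID', p_user );
    END vpd_setup;
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.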
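
The setup that reply relies on, written out end to end as an added example (not code from the thread or from Business Objects). SESSION_VALUES, USERID, vpd_setup and app_user are the names used above; the APP_OWNER schema, the ORDERS table with its owner_id column, the policy names and the sample users are assumptions.

```sql
-- Added example. Assumes an existing schema APP_OWNER (hypothetical) and a
-- DBA session with CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

-- Constructed sample data.
CREATE TABLE app_owner.orders (
  order_id NUMBER PRIMARY KEY,
  owner_id VARCHAR2(30) NOT NULL,
  amount   NUMBER
);
INSERT INTO app_owner.orders VALUES (1, 'ALICE', 100);
INSERT INTO app_owner.orders VALUES (2, 'BOB', 250);
COMMIT;

-- 1. Bind the namespace to one trusted procedure. Only vpd_setup can write
--    SESSION_VALUES; a direct DBMS_SESSION.SET_CONTEXT call from the
--    application session fails with ORA-01031.
CREATE OR REPLACE CONTEXT session_values USING app_owner.vpd_setup;

CREATE OR REPLACE PROCEDURE app_owner.vpd_setup (p_user IN VARCHAR2) IS
BEGIN
  DBMS_SESSION.SET_CONTEXT('SESSION_VALUES', 'USERID', p_user);
END vpd_setup;
/

-- 2. Policy function: returns the WHERE predicate that VPD appends.
CREATE OR REPLACE FUNCTION app_owner.orders_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- The predicate references SYS_CONTEXT instead of concatenating the user
  -- name into the text, so the value is read at execution time and a user
  -- name can never alter the predicate itself. If USERID was never set,
  -- SYS_CONTEXT returns NULL, the comparison is never true, and the session
  -- sees no rows.
  RETURN 'owner_id = SYS_CONTEXT(''SESSION_VALUES'', ''USERID'')';
END orders_policy;
/

-- 3. Attach the policy. update_check => TRUE also rejects INSERT/UPDATE
--    results that the session would not be allowed to see.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_USER',
    function_schema => 'APP_OWNER',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- 4. The generic application account may query the table and call the setter.
--    Whoever can execute vpd_setup can claim any USERID, so the identity is
--    only as trustworthy as the middle tier that passes it in.
GRANT SELECT ON app_owner.orders TO app_user;
GRANT EXECUTE ON app_owner.vpd_setup TO app_user;

-- 5. As app_user on a pooled connection: the session outlives the report,
--    so vpd_setup has to run every time the connection is handed to a user,
--    not only when the session is first opened.
BEGIN
  app_owner.vpd_setup('ALICE');
END;
/
-- Sees only rows where owner_id = 'ALICE'.
SELECT order_id, owner_id, amount FROM app_owner.orders;

BEGIN
  app_owner.vpd_setup('BOB');
END;
/
-- Same connection, next user: sees only rows where owner_id = 'BOB'.
SELECT order_id, owner_id, amount FROM app_owner.orders;
```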

  • Oracle Virtual Private Database (VPD), Column Level Security

    Hello,
    About Oracle Virtual Private Database (VPD), is it possible to set a Column Level Security without setting a Row Level Security (without using any predicate)?
    Thanks,
    Herve.

    Thanks, Zoran.
    A colleague shared with me a link containing a function without returning a predicate (in using SYS_CONTEXT function to skip row restriction).
    Herve.
    Link

  • How to use Oracle Virtual Private Database (VPD) with EclipseLink JPA

    My project required to use VPD in database to isolate data access based on different user type. How can I use EclipseLink JPA with VPD? For instance, how I could set up server context in database for each database session? Thanks for any help.

    There is some information on Oracle proxy authentication here,
    http://wiki.eclipse.org/EclipseLink/Examples/JPA/Oracle/Proxy
    VPD usage would be very similar.
    James : http://www.eclipselink.org : http://en.wikibooks.org/wiki/Java_Persistence

  • Less expensive options to Virtual Private Database (VPD)

    Are there any options that can achieve the same result (i.e., row-level security)?
    VPD apparently requires the Enterprise Edition of the database. $40,000 is difficult for a small business.
    I've been heading down the path of Standard One Edition, and planned on significant use of VPD. However; I recently found out the above news and am a little bit stuck as I have already developed much of the application in APEX.
    I'm looking for solutions that wouldn't require major rework in my APEX application, if there are any.

    VPD basically rewrites the SQL to add in extra filter predicates based on your criteria. So SELECT * FROM fred.table_name gets rewritten to something like
    SELECT * FROM fred.table_name WHERE client = SYS_CONTEXT('...','...');
    Simple VPD can be replicated with views. You would rename table_name to table_name_data, and create a view table_name as select * from table_name_data WHERE client = SYS_CONTEXT('...','...');
    Complex VPD (applying multiple predicates depending on different criteria) can follow the same theory but increases the view complexity a lot.
    I'd add that either mechanism adds a layer of complexity into query optimization and therefore into the testing process.
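
The view-based replacement described in that answer, as an added example that is not part of the original post. It uses the answer's table_name, table_name_data and client names; the CLIENT_CTX context, the CLIENT_ID attribute, the set_client procedure and the app_user grantee are assumptions.

```sql
-- Added example: emulating a simple VPD policy without DBMS_RLS.
-- Assumes an existing table TABLE_NAME with a CLIENT column.

-- 1. Move the real data out from under the name the application uses.
ALTER TABLE table_name RENAME TO table_name_data;

-- 2. Application context, writable only through the trusted procedure.
CREATE OR REPLACE CONTEXT client_ctx USING set_client;

CREATE OR REPLACE PROCEDURE set_client (p_client IN VARCHAR2) IS
BEGIN
  DBMS_SESSION.SET_CONTEXT('CLIENT_CTX', 'CLIENT_ID', p_client);
END set_client;
/

-- 3. The view takes over the old name and carries the predicate VPD would
--    have appended. WITH CHECK OPTION rejects INSERTs and UPDATEs that would
--    produce a row outside the caller's own client. An unset context yields
--    NULL, so the view returns no rows rather than all rows.
--    SELECT * is expanded when the view is created: recreate the view after
--    adding columns to TABLE_NAME_DATA.
CREATE OR REPLACE VIEW table_name AS
  SELECT *
  FROM   table_name_data
  WHERE  client = SYS_CONTEXT('CLIENT_CTX', 'CLIENT_ID')
  WITH CHECK OPTION;

-- 4. Grant the view only. Unlike a VPD policy, the filter lives in the view,
--    so any account holding privileges on TABLE_NAME_DATA itself bypasses it.
GRANT SELECT, INSERT, UPDATE, DELETE ON table_name TO app_user;
GRANT EXECUTE ON set_client TO app_user;
```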

  • Virtual Private Database (VPD) on 9iR2

    DBA's have set up a VPD on some tables.
    I have the role SELECT ANY DICTIONARY, but do not seem to be able to see the table SYS.V$VPD_POLICY (this I think would allow me to see what tables VPD policies were set against)
    The V$VPD_POLICY table does not seem to be generally documented in books etc.
    Can anyone give me any advice or leads.
    Many thanks
    Richard

    There is SELECT_CATALOG_ROLE role, SELECT ANY DICTIONARY is not a role, but a system privilege. Anyway, if you have this privilege you should be able to see that view :
    $ sqlplus test/test
    SQL*Plus: Release 9.2.0.4.0 - Production on Sun Nov 27 12:01:50 2005
    Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
    Connected to:
    Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production
    With the Partitioning, OLAP and Oracle Data Mining options
    JServer Release 9.2.0.4.0 - Production
    SQL> desc v$vpd_policy
    ERROR:
    ORA-04043: object "SYS"."V_$VPD_POLICY" does not exist
    SQL> conn / as sysdba
    Connected.
    SQL> grant select any dictionary to test;
    Grant succeeded.
    SQL> conn test/test
    Connected.
    SQL> desc v$vpd_policy
    Name                                      Null?    Type
    ADDRESS                                            RAW(4)
    PARADDR                                            RAW(4)
    SQL_HASH                                           NUMBER
    CHILD_NUMBER                                       NUMBER
    OBJECT_OWNER                                       VARCHAR2(30)
    OBJECT_NAME                                        VARCHAR2(30)
    POLICY_GROUP                                       VARCHAR2(30)
    POLICY                                             VARCHAR2(30)
    POLICY_FUNCTION_OWNER                              VARCHAR2(30)
    PREDICATE                                          VARCHAR2(4000)
    SQL>
    You can see privileges / roles you have been granted :
    SQL> conn / as sysdba
    Connected.
    SQL> select * from dba_sys_privs where grantee = 'TEST';
    GRANTEE                        PRIVILEGE                                ADM
    TEST                           SELECT ANY DICTIONARY                    NO
    SQL> select * from dba_role_privs where grantee = 'TEST';
    GRANTEE                        GRANTED_ROLE                   ADM DEF
    TEST                           CONNECT                        NO  YES
    TEST                           RESOURCE                       NO  YES
    SQL>

  • Virtual Private Database - VPD

    I have been trying to enforce security policies through oracle's fine grained access control (DBMS_RLS).
    When trying to access object the error
    ORA-28112: Fail to execute policy function
    received, but I can see predicate value generated by secure_person from as
    DECLARE
    RetVal VARCHAR2(200);
    BEGIN
    RetVal := Secure_Person();
    dbms_output.put_line(retval);
    END;
    any hint
    regards
    SH

    There'll be a dump file in the directory indicated by USER_DUMP_DEST. What does that tell you?
    Cheers, APC

  • Using VPD (Virtual Private Database) with Discoverer for Dummies

    Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view thread that started it all: BIS vs DBI vs Noetix .
    Otherwise I’m hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and its performance. I've just read that :
    “Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
    VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
    With Regards to Discoverer, I would like to ask the following:
    -When would be best to use VPD in Discoverer?
    -Pro’s and Con’s of VPD?
    -Tips / Tricks?
    -and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
    I've found a few handy links:
    http://www.adp-gmbh.ch/ora/security/vpd/index.html
    http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
    As Metalink support would say : I Looking forward to your ‘Positive’ comments. ;-)
    Lance

    Lance,
    You sure do raise some interesting questions here.
    I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries; http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
    If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
    I trust "My Positive Comment" may help!!
    Merry Christmas
    Si ;-)
    P.s This also may come in handy if running 10g http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm
    Message was edited by:
    Simon Pittaway

  • Row level access, virtual private database, label security

    Hello All,
    I'm experiencing an issue.... I've a datawarehouse where some tables, for examples orders are shared for two different countries. Difference is made simply with a field country may contain country_id.
    So using OBI and publisher I need to permit to some user to query only country with id 1, other country with id 2 and other both countries.
    There's a way to achieve this result without implement VPD or OLS? Do you have any hint?
    Thanks
    Stefano

    Hi,
    it must be useful
    http://obieeblog.wordpress.com/2008/12/29/obiee-and-virtual-private-database-vpd/
    thanks
    karthick

  • Some thoughts about VPD (Virtual Private Database)

    You may be interested in some of the brief articles I recently published on Virtual Private Database. You will find them here:
    Pop-quiz: VPD policy that depends on a table with a policy…- http://technology.amis.nl/blog/index.php?p=812
    Another Pop-Quiz: Whose VPD policy is used when executing SQL in a (definer rights) package? - http://technology.amis.nl/blog/index.php?p=817
    best regards,
    Lucas

    But I think that you know what he is and pra that she serves...
    In this in case that, you must also know that some particularities exist.
    For example, so that security in row level is made, we need to define which will be the politics of applied security, which the restriction that will be made (seemed with clause WHERE).
    After this, we must select the columns, the ones relevant that will be masked.
    And finally, to add the politics functions.
    Manually, to create and to modify or to give any maintenance well is complicated.
    For this, the SQL Developer, by means of its graphical interface, would go to decide the problem definitively.
    Perhaps if it will not be possible to add the functionalities of the VPD, was interesting to create some thing for the application contexts.
    I spoke in VPD and in application contexts because, generally, who has the version Enterprise Edition uses the VPD, but who only has the version Standard or Standard One, applies politics of security in row level by means of views, triggers and contexts of application.
    Message was edited by:
    ARF

  • Use of Virtual Private Database

    Hello
    our company is in e-business and wants to explore new features of Oracle 9i for next project. one of the option for security is Virtual Private Database. i was just wondering how much VPD is useful in an application where there is connection pooling? i mean in our case we will be using Application Server in the middle tier and so all users who logged on to AS will finally go to database as XYZ user. what are pros and cons of using VPD in such scenario.
    i know the Oracle Manual talks about use of Global Application Context but i was wondering if anyone who has implemented this or thought of implementing and would like to share his / her views on this.
    any white paper or document is welcome.
    thanks
    Vijay

    Hello,
    I am also looking for the same information. Though there is lot of info on setting up VPD for Oracle users, there is no material/document which describes how VPD can be implemented for 3-Tier application. I use an Application server to connect to Oracle 9i.
    Did you get any leads?
    Thanks,
    Srinivasan

  • Virtual Private Database

    Hi All,
    We are using Oracle 11g R2 and we would like to implement Virtual Private Database.
    We have an application connected to LDAP with several users. The users are also created in Weblogic. The Application is using only with Oracle schema with many tables.
    Unfortunately the application we are using do not implement Row Level Security so we thought about using VPD but as I understood you can implement it in creating multiples users schemas in the database, however in our case we have only one schema.
    The question is then is it possible to implement VPD with only one Oracle schema and different application users ?
    Many thanks.

    Re: Virtual Private Database
    Chiwatel 25 June 2013 19:25 (in reply to JustinCave)
    Hi Karan,
    Do you know how to do this (calling the package associated with the context) with Weblogic (and hibernate) by any chance ?
    Many thanks.

  • Virtual Private Databases via ConnectionPool from OC4J?

    We would like to use the Virtual Private Database feature, but can not find any documentation describing how to configure the application server.
    What we are hoping to do is:
    Setting up ONE(?) database connection pool in OC4J, and being able to share this between different Companies/Departments using the same application, but having different VPD.
    How can the group/role of the user in AS be mapped to the concept of application_context and CLIENT_IDENTIFIER in the database?
    We are using CMP entity beans, (and not BC4J)
    regards
    Trond Rxnneberg

    It's an explicit call that we have to make from our application. Right now I'm thinking that the library we use to connect to Oracle (which also provides connection handling/pooling) etc, is the problem.
    I was just hoping that there was a more sophisticated way of dealing with this issue. At the moment we have little control over our connection pool (sucks, should be -- and probably will be -- rewritten in the near future). So, at the moment I don't really have a clue when we get a new connection from the pool. We worked around this issue by calling the login procedure more often than we would like.
    I've read something about the ODP.NET drivers exposing the ClientID property in the connection on application level. I'm a little hazy on Oracle, but am I correct in assuming that when I set a ClientID, the Oracle database can read the client identifier and can set the VPD's accordingly solely based on that ID? Because if it does work like that, it sounds like the solution to our problem here. :)
    Cheers,

  • About virtual private databases

    I've read in the documentation that:
    Oracle Virtual Private Database enforces security, to a fine level of granularity, directly on database tables, views, or synonyms. Because you attach security policies directly to these database objects, and the policies are automatically applied whenever a user accesses data, there is no way to bypass security.
    Ok, but i cannot specify a policy using a trigger on a table, let's say? So, instead of using VPD to dynamically generate a policy and append it to the where clause, i should specify a where condition in the trigger and based on which user logs on, to select only specific data. What's the advantages of using VPD instead of specifying those conditions in other way?
    Thanks

    Roger22 wrote:
    > What's the advantages of using VPD instead of specifying those conditions in other way?
    Single schema. Single set of tables. Used by 100's of customers. While guaranteeing that one customer cannot CRUD data of any other customers. And this guarantee is at SQL level. So while having full SQL access to the schema objects, that customer will see that schema as only containing his data and nothing else.
    This in a nutshell is a VPDB.
    And it is impossible to provide that guarantee at SQL level using any other way.
    Views and triggers? Not as robust. Not as a secure. Not as flexible. A lot more moving parts that means an increase in complexity and potential problems and bugs.

  • ADF BC + Virtual Private Database

    First and foremost, as it's my first post here i'd like to say hello to you all.
    I hope i'll get answers to my questions and help others as well with my (little) experience.
    But for now i'm in need of help.
    We're currently developing our first web application using JSF + ADF BC. A part of the project is to use the Virtual Private Database functionality.
    On a page we change the context from one to another on the fly via a dropdown list, it works but we would like to refresh automatically the data displayed on the page (especially because we have a filter depending on the VPD context).
    Should we try to refresh the view object / the entity object / and how ?
    it may seem simple to one of you but as we're new to ADF BC, it's not yet so.
    many thanks for your help.

    In this case you could use the refresh condition in the page definition and test a flag that indicates a refresh is necessary due to a change of the VPD context. This is to be done systematically on each page where your data are used.
    Another way is to cause the entity view to refresh programmatically in a way that the data control will refresh also. In this case, you will have to change only one piece of your code but you have to be sure to indicate to the data control that it has to refresh the cache.
    You will find all necessary code in the developer guide.
    Hope it helps a little bit.
