VPD and AQs

Similar Messages

• VPD and AW Security

  We have a security requirement on a dimension
  containing cost centers. Different users are
  allowed access to different cost centers.
  On the relational cube side, I have implementated
  such security requirement with some success using
  Virtual Private Database (VPD). We now have to
  move into Analytic Workspace (AW) as we have to put
  in some financial models. My question is: will VPD
  work in AW environment? Can we bring across
  VPD security implementation into AW?
  I have read that you can use PERMIT_READ and
  PERMIT_WRITE program to control access into AW.
  You can also use the PERMIT command to fine
  tune the security inside these programs. Does
  this mean we have to give up VPD and start over
  again using these programs and commands :-(?
  How would an implementation using the PERMIT
  commands scale, i.e. how does this cope with
  growing number of users and forever changing
  cost centers?
  Any advice will be appreciated. Thanks.

  From the OLAP Field Guide:
  Virtual Private Database (VPD or FGAC) on an AW View
  This example creates an administrator named FGAC_SYS which manages the VPD (Fine Grained Access Control) configuration of the database. A table named USR_FGAC_LVL contains information on what group they belong to (i.e., DEF [default], MGR [manager]) and REGION they are allowed to see. The DBMS_RLS (row level security) package uses this table as a reference to create policies for managing access to the CUSTOMER_VIEW owned by GLOBAL_AW user. So if SCOTT wished to select from the CUSTOMER_VIEW (which uses the OLAP_TABLE function to retrieve data from the AW) he will only see data relating to REGION 10. While GLOBAL user can see everything because this user is a member of the MGR group.
  NOTE: In Oracle Database 10g Virtual Private Database supports parallel query, resulting in performance and scalability improvements, lets you distinguish between static policies, which are suitable for hosting environments that always need to enforce an unchanging policy, and dynamic policies, which are suited for time-dependent enforcement, such as time of day, where rows returned must vary at a particular time and able to enforce VPD rewrite when a query references a particular column. (See Oracle® Database New Features Guide,10g Release 1 (10.1), Part Number B10750-01 for more information)
  conn / as sysdba
  drop user fgac_sys cascade
  create user fgac_sys profile default identified by oracle default tablespace system account unlock;
  grant execute on sys.dbms_rls to fgac_sys;
  grant dba, olap_user to fgac_sys;
  set serveroutput on size 1000000
  conn fgac_sys/oracle
  drop table USR_FGAC_LVL cascade constraints';
  create table usr_fgac_lvl (username varchar2(20) not null, fgac_lvl varchar2(3) not null, cregion varchar2(3) not null);
  create or replace public synonym usr_fgac_lvl for fgac_sys.usr_fgac_lvl;
  grant select on usr_fgac_lvl to public;
  create or replace public synonym dbms_rls for sys.dbms_rls;
  insert into usr_fgac_lvl values ('SCOTT' ,'DEF','10');
  insert into usr_fgac_lvl values ('GLOBAL','MGR','999');
  insert into usr_fgac_lvl values ('GLOBAL_AW','MGR','999');
  insert into usr_fgac_lvl values ('SYSTEM','DEF','9');
  create or replace package fgac_on_logon as
  procedure set_fgac_parameters;
  end;
  create or replace package body fgac_on_logon is
       procedure
            set_fgac_parameters is
            v_user varchar2(30);
                 v_fgac_lvl varchar2(3);
                 v_cregion varchar2(3);
       begin
            v_user := sys_context ('userenv','session_user');
            select fgac_lvl, cregion into v_fgac_lvl, v_cregion from usr_fgac_lvl where username = v_user;
            dbms_session.set_context ('FGAC_CONTEXT','FGAC_LVL',v_fgac_lvl);
            dbms_session.set_context ('FGAC_CONTEXT','CREGION',v_cregion);
       exception when no_data_found
       then dbms_session.set_context ('FGAC_CONTEXT','FGAC_LVL','NA');
       end;
  end;
  create or replace context fgac_context using fgac_on_logon;
  create or replace trigger fgac_trigger
  after logonon database
  begin
  fgac_on_logon.set_fgac_parameters;
  end;
  create or replace package olap_security as
       function olap_sec (d1 varchar2, d2 varchar2)
       return varchar2;
  end;
  create or replace package body olap_security is
       function olap_sec (d1 varchar2, d2 varchar2)
       return varchar2 is
            d_predicate varchar2(2000);
       begin
            if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'NA' then d_predicate := '0=1'; end if;
            if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'DEF'
                 then d_predicate := 'REGION = SYS_CONTEXT(''FGAC_CONTEXT'',''CREGION'')'; end if;
            if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'MGR' then d_predicate := ''; end if;
            return d_predicate;
       end;
  end;
  begin
  dbms_rls.add_policy ('GLOBAL_AW','CUST_VW','cust_vw_policy','fgac_sys','olap_security.olap_sec','select');
  dbms_rls.enable_policy ('GLOBAL_AW','CUST_VIEW','customer_view_policy', true);
  end;
  connect global_aw/global_aw
  grant select on CUSTOMER_VIEW to public;
  FGA (Fine-Grained Auditing) Auditing an AW View
  BEGIN DBMS_FGA.add_policy( object_schema=> 'GLOBAL_AW', object_name=> 'CUSTOMER_VIEW', policy_name=> 'CUSTVIEW_ACCESS', audit_column => 'REGION', audit_condition => 'REGION = 9');
  END;
  select timestamp, db_user, os_user, object_schema, object_name, sql_text from dba_fga_audit_trail;

• VPD and JSP

  Hi,
  Having followed the example at http://www.oracle.com/technology/products/jdev/howtos/bc4j/bc4jvpdjaas.html?_template
  I have been able to design a jsp application which implements vpd and works well.
  Now I have added another view object to the same project based on a sql statement and do not want apply vpd to this object. However when I create a jsp based on this new view object, the jsp does not query any data and shows blank output.
  Does anybody have any clue?
  Thanks
  Sanjay

  Hi Frank,
  now i have realized that this problem has nothing to do with VPD.
  My second VO points to a table that does not have a policy defined. As such if I use the same query to create a view in the database itself and then based on this database view I create both entity object and view object in my jdeveloper project then things work fine. I fail to understand why the view object on its own does not work.
  Thanks
  Sanjay

• VPD and/or OLS implementation

  Hi,
  I'm starting implementing security access at row level in a schema.
  I know VPD and how make my problem solved.
  However I would like to know how it is feasible with Oracle Label Security.
  I've three tables, germplasm, list, germplasmList
  Here are the structures:
  Germplasm
  GID number(8),
  Name varchar2(50),
  UserId number(5),
  List
  LID number(8),
  ListName varchar2(50),
  userId number(5)
  GermplasmList
  LID number(8),
  GID number(8)
  The goal is to restrict CRUD access depending user 'privileges' to List, GermplasmList and Germplasm.
  Cheers,
  Sebastien

  Hi Arf,
  Thanks for your fast answer.
  May you give me more details espeacially for OLS?
  I, maybe, didn't explain well what it is my problem.
  I would like to put in place a restriction access based on a sensitivity, hierarchy and compartment.
  Data are public or private.
  They can belong to one more following compartments
  They belong to one or more locations organized in hierarchical way.
  This is clearly what OLS can do.
  Although the implementation on table is easy to understand and implement, I don't see how it can be done on several tables using only one label policy ;
  and how you can stay consistant as soon as you have to use several OLS policies in parallel.
  Examples will be welcome.
  Cheers,
  Sebastien

• Best practice for VPD and remote tables

  Not specifically an HTMLDB question, but here goes...
  HTMLDB 1.6 on 9.2.0.4 connecting over database link (fixed username/password) to 9.2.0.4
  I've currently "wrapped" access to the remote tables in views, i.e. view "T" in the HTMLDB parsing schema LOCAL_USER is defined as "SELECT * FROM T@remote"
  I'd like to put VPD controls on my backend tables, but I don't get how v('APP_USER') (or even APP_USER put into an application context) would be seen by the remote database.
  Should I just put VPD policies on LOCAL_USER's views and call it a day?
  Thanks for input!
  -John

  If you implemented the VPD in the remote database, what would your VPD be restricting? All queries would apply the policy based on the DB link fixed username resulting in all users of the HTML DB application having same policy restrictions.
  The policy in the remote database does not has access to the value of v('APP_USER'). That value is only available in the database that has HTML DB. You would have to write APIs in the remote database in PL/SQL functions/procedures to pass in the V('APP_USER') value to the remote database. This is doable, but cumbersome.
  If you want to have your policy modify your WHERE clause on the fly based on your HTML DB user account, then I would implement the VPD in the database which has your HTML DB repository. I am not sure which of the two scenarios below occur when doing a SELECT * FROM T.
  1.) The query goes across the database link, gets all the data out of table T in the remote database, passes back to the HTML DB database, and applies the policy WHERE clause modification in the HTML DB database.
  2.) The query applies the policy WHERE clause modification to the view, goes across the database link with the WHERE clause modified, and gets only the data allowed based on the policy from the remote database.
  You should test this out to find out for performance purposes what query is actually performed on the remote database.
  As always if anyone sees anything inaccurate in what I have written, please correct me.
  Mike

• Searching for calendar items older than a specific date with search-mailbox and AQS

  I need to find the total size of all calendar items in a mailbox older than a specified date using PowerShell through the search-mailbox cmdlet's searchquery parameter.  My problem is that I cannot find a complete list of Calendar item properties to
  use in search queries.  The AQS page doesn't have a complete list of properties for a Calendar object.
  I'm using code from the ArchiveStatisticsPlanner.ps1 script as a base and the only date properties I know of are the sent and receive properties (see below.)  The basic start, end, date properties generate errors in the query.  How can I find all
  Calendar items older than say, 1/1/2013?
  Sample:
  $MBXSearch=Search-Mailbox-Identity$MBX-SearchQuery"kind:calendar
  sent:<=$QueryDate OR kind:calendar received:<=$QueryDate"-EstimateResultOnly-DoNotIncludeArchive

  huh, you a get response marked as answer that wasn't very helpful.
  EDIT: and now I'm reported as abusive.  Please don't tell the truth on these forums, it seems to be frowned upon
  I did that.
  If you're going to necro an answered thread and attempt to hijack it, you should have an actual answer that you feel is more relevant.
  All you did was complain and add zero useful information, thus earning an 'offtopic/irrelevant' notation.
  Don't retire TechNet! -
  (Don't give up yet - 13,085+ strong and growing)

• Error executing a query using VPD and BC4J

  Hi all,
  Our team is developing an application using an Oracle DB 9.2.0.4 and BC4J 10g (9.0.5.16.0) as persistence layer.
  We also are using the VPD (virtual private database) to have security in the database at row level.
  The problem we are facing is that every some time (days) we get a jdbc error when a query (see below) that uses VPD policies is executed. Once the error occurs I execute it from sqlplus without getting any error .. it only occurs from our java application.
  To temporary solve this problem, we delete and recreate the VPD policies, then the application continue working fine for some time ...
  I'll appreciate any comment / suggestions
  Thank in advance.
  Eduardo.
  ERROR LOG:
  oracle.jbo.SQLStmtException: JBO-27122: SQL error during statement preparation. Statement: SELECT * FROM (SELECT CalLocation.ID,
  CalLocation.CODE, eo
  CalLocation.NAME,
  CalLocation.ZIP,
  CalLocation.PHONE,
  CalLocation.FAX,
  CalLocation.ADDRESS1,
  CalLocation.ADDRESS2,
  CalLocation.URL,
  CalLocation.OWNER,
  CalLocation.CTY_ID,
  CalLocation.DESCRIPTION,
  ORefCity.CODE CTY_CODE,
  ORefCountry.ID CTR_ID,
  ORefCountry.CODE CTR_CODE,
  ORefRegion.ID REG_ID,
  ORefRegion.CODE REG_CODE
  FROM CAL_LOCATIONS CalLocation,
  OREF_CITIES ORefCity,
  OREF_COUNTRIES ORefCountry,
  OREF_REGIONS ORefRegion
  WHERE ORefCity.ID = CalLocation.CTY_ID
  and ORefCountry.ID = ORefCity.CTR_ID
  and ORefRegion.ID = ORefCountry.REG_ID) QRSLT WHERE ( ( (CTY_ID = 867) ) )
  ## Detail 0 ##
  java.sql.SQLException: Io exception: Broken pipe
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:189)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:231)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:345)
       at oracle.jdbc.driver.OracleStatement.open(OracleStatement.java:717)
       at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:2605)
       at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:457)
       at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:387)

  The symptoms we have been getting are quite similar to the bug 3662364 .
  I'm going to implement the patch for that bug and see what happend then.
  Thank you very much for your help.
  Regards,
  Eduardo.

• Using VPD and Portal

  Situation: Trying to implement row level security using VPD for
  applications created in PORTAL. using portal's
  Light weight users.
  Method: Created a fine grain access control policy to build a
  predicate based on a Portal user (not database user).
  1 Get Portal User (proc: portal30.wwctx_api.get_user)
  2 Determine what business rules are setup for this
  Portal User
  3 Based on the above rules, build predicate for the
  Portal User
  Problem: In the first step, not retrieving the Portal user -
  looks to be getting PUBLIC when the code is part of a
  VPD policy. When it is executed on its own, it gets the correct
  information back (ie. The portal user not PUBLIC).
  The idea is that we want to be able to set the VPD policy based
  on the light weight Portal User.
  Oracle Database version 8.1.7
  Oracle iAS 1.0.2.2.0
  There is a work around for this, which is to create a database
  schema for each portal user and then associate the
  Portal account with this database schema. When we do this, we
  get the correct information for use in the VPD policy,
  But we actually look for the Proxy Account (database schema the
  portal user is associated with) and not the portal
  user/session info. This work around in not desirable when we
  get a large number of portal users.
  I've included the VPD package below where we try to extract the
  Portal user acct using the
  portal30.wwctx_api.get_user function
  we also tried the
  WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
  When this PLSQL is executed within a portlet, it seems to return
  the correct information.
  Code:
  CREATE OR REPLACE PACKAGE
  BODY "P_CORPORATE_SECURITY_CONTEXT" as
  function f_company_security (p1 varchar2, p2 varchar2) return
  varchar2 is
  v_predicate VARCHAR2(4000);
  CURSOR cur_company(p_portal_user_name IN
  company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
  SELECT decode(rownum,1,to_char(company_id),','||to_char
  (company_id)) company_id
  FROM company_wwsec_person
  WHERE POLICY = '='
  and upper(WWSEC_PERSON_USER_NAME) = upper
  (p_portal_user_name);
  l_portal_user_name varchar2(256);
  l_oracle_user_name varchar2(30);
  l_all_policy_cnt number;
  l_equal_policy_cnt number;
  BEGIN
  l_portal_user_name := portal30.wwctx_api.get_user;
  -- l_portal_user_name := USER; Commented out since we
  want portal user not
  database user.
  select count(*)
  into l_all_policy_cnt
  from company_wwsec_person
  where upper(WWSEC_PERSON_USER_NAME) = upper
  (l_portal_user_name)
  and policy = 'ALL';
  select count(*)
  into l_equal_policy_cnt
  from company_wwsec_person
  where upper(WWSEC_PERSON_USER_NAME) = upper
  (l_portal_user_name)
  and policy = '=';
  IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
  v_predicate := ' company_id in (';
  FOR l_company IN cur_company(l_portal_user_name)
  LOOP
  v_predicate := v_predicate || l_company.company_id;
  END LOOP;
  v_predicate := v_predicate || ')';
  ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
  v_predicate := ' 1=2';
  ELSE
  v_predicate := NULL;
  END IF;
  -- Uncomment to allow access to everything
  -- v_predicate := ' 1=1';
  RETURN v_predicate;
  END;
  END;

  Situation: Trying to implement row level security using VPD for
  applications created in PORTAL. using portal's
  Light weight users.
  Method: Created a fine grain access control policy to build a
  predicate based on a Portal user (not database user).
  1 Get Portal User (proc: portal30.wwctx_api.get_user)
  2 Determine what business rules are setup for this
  Portal User
  3 Based on the above rules, build predicate for the
  Portal User
  Problem: In the first step, not retrieving the Portal user -
  looks to be getting PUBLIC when the code is part of a
  VPD policy. When it is executed on its own, it gets the correct
  information back (ie. The portal user not PUBLIC).
  The idea is that we want to be able to set the VPD policy based
  on the light weight Portal User.
  Oracle Database version 8.1.7
  Oracle iAS 1.0.2.2.0
  There is a work around for this, which is to create a database
  schema for each portal user and then associate the
  Portal account with this database schema. When we do this, we
  get the correct information for use in the VPD policy,
  But we actually look for the Proxy Account (database schema the
  portal user is associated with) and not the portal
  user/session info. This work around in not desirable when we
  get a large number of portal users.
  I've included the VPD package below where we try to extract the
  Portal user acct using the
  portal30.wwctx_api.get_user function
  we also tried the
  WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
  When this PLSQL is executed within a portlet, it seems to return
  the correct information.
  Code:
  CREATE OR REPLACE PACKAGE
  BODY "P_CORPORATE_SECURITY_CONTEXT" as
  function f_company_security (p1 varchar2, p2 varchar2) return
  varchar2 is
  v_predicate VARCHAR2(4000);
  CURSOR cur_company(p_portal_user_name IN
  company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
  SELECT decode(rownum,1,to_char(company_id),','||to_char
  (company_id)) company_id
  FROM company_wwsec_person
  WHERE POLICY = '='
  and upper(WWSEC_PERSON_USER_NAME) = upper
  (p_portal_user_name);
  l_portal_user_name varchar2(256);
  l_oracle_user_name varchar2(30);
  l_all_policy_cnt number;
  l_equal_policy_cnt number;
  BEGIN
  l_portal_user_name := portal30.wwctx_api.get_user;
  -- l_portal_user_name := USER; Commented out since we
  want portal user not
  database user.
  select count(*)
  into l_all_policy_cnt
  from company_wwsec_person
  where upper(WWSEC_PERSON_USER_NAME) = upper
  (l_portal_user_name)
  and policy = 'ALL';
  select count(*)
  into l_equal_policy_cnt
  from company_wwsec_person
  where upper(WWSEC_PERSON_USER_NAME) = upper
  (l_portal_user_name)
  and policy = '=';
  IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
  v_predicate := ' company_id in (';
  FOR l_company IN cur_company(l_portal_user_name)
  LOOP
  v_predicate := v_predicate || l_company.company_id;
  END LOOP;
  v_predicate := v_predicate || ')';
  ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
  v_predicate := ' 1=2';
  ELSE
  v_predicate := NULL;
  END IF;
  -- Uncomment to allow access to everything
  -- v_predicate := ' 1=1';
  RETURN v_predicate;
  END;
  END;

• VPD and Context With Application Express

  Dear All
  i'm going to build application using application express and oracle database enterprise , VPD Implemented on the schema using Context,
  for developer issue i set on login trigger to set user ;
  but i can't view data inside application but i can view it using sql statement
  So is their issue in Apex when using VPD , Context , or On log on trigger?
  thanks

  Logon triggers won't work with web apps using a connection pool like APEX. The VPD context should be set via the APEX VPD application security attribute.
  http://download.oracle.com/docs/cd/E17556_01/doc/user.40/e15517/bldr.htm#CHDFCFGD

• VPD and discoverer portlets

  Hi,
  Resolution History
  23-MAY-07 16:53:02 GMT
  ### What kind of problem do you have? ###
  Security Issues
  ### Describe the problem you are having in detail. Include any notes, guides, or documentation
  that you have followed. ###
  We have test implementation of VPD or row-level security at database level. This works fine with discoverer queries. At the
  portal level we are okay with getting discoverer portlets via a public
  connection (the VPD works fine).
  Q1. What kind of parameter form would be better for discoverer portlets so that we retrieve list of values via a sql query? Simple parameter form allows static list of values so any suggestion on what parameter would be good and easy to implement to write sql queries.
  Q2. With parameters form of some kind we are trying to limit the list of values for each parameter that we have at the portal based on the user logon at the portal somehow married up to database users. (FYI-- we don't have SSO for discoverer). Any suggestions as to how this can be implemented also would be greatly appreciated!
  Thanks in advance,
  -Esther

  I really hope someone can help! I'm trying to accomplish the same exact thing! The private connection for each user gets tricky because not all of our users know exactly what they are doing. Please help!!
  Alanna

• VPD and connection for XSQL

  We want to use Virtual Private Databases and the benefit of the connection pooling used in XSQL. For example, each connection is XMLBOOOK/XMLBOOK.
  My understanding of VPD is that it "tracks" the user's connection session id and applies the "where" clauses in the securty policy to any data being selected. Because the XSQL connection is shared by many users, the session id is the same for all users, and VPD cannot work.
  Ideas?

  If the VPD depends on the setting of some session-level package varible, or session-level context, I believe your XSQL page could contain an <xsql:dml> statement to set this value appropriately for the current user (perhaps based on an HTTP-session level username?) so that the VPD will be in sync with the current browser user name.

• VPD and APEX

  I have a VPD policy in place on a table. The VPD function returns a predictate of the form
  "1=2 or substr('000000010000000000100000000000000000000010000000000000000000001000000000000000000000000000000000000',dept_code,1) = 1"
  The generation of the predicate used to be based on the value returned from upper(sys_context('userenv','session_user')).
  Everything worked fine (in SQL*Plus, Discoverer and TOAD).
  However, I query the same table in APEX and all values returned, i.e. the predicates seem not to have been applied.
  Obviously, the session_user value would not be useful as this would be APEX_PUBLIC_USER for all connections.
  I modified the VPD function to include...
  v_user := upper(sys_context('userenv','session_user'));
  IF v_user='APEX_PUBLIC_USER'
  THEN
  execute immediate 'select NVL(v(''APP_USER''),user) from dual' into v_user;
  END IF;
  HTP.P('VPD Activated');
  Again, running in SQLPLUS, Discoverer, TOAD all is well. But it still doesnt affect the APEX query. Also, I do not see the string 'VPD Activated' being displayed, suggesting that the function is not being run?
  I created a dummy region to query the VPD function from dual....
  select edw_sys.f_vpd_policy('EDW','TEXTILES_REVISED_DSCHED_NOS_WK') test from dual
  and the correct predicate is being returned from the function.
  I know there is a VPD region in the application's security attributes, but as I understand it this is for creating a context, and that is not a requirement in this case.
  Am I missing something?
  Many thanks in advance.
  Rob

  Hi Scott,
  I granted execute any procedure to EDW_SYS and the "v" function is now available!!!!
  I also implemented your code, getting rid of the dynamic sql, so the code is much cleaner now - thanks for that.
  And the VPD policy works very nicely in SQL*Plus, TOAD, Discoverer.....
  BUT....
  Not in APEX :-(
  I have gone through the document you mention, it is fairly straight forward and I believe all steps have been followed.
  Any other suggestions? In parallel of course I am googling away for other possible solutions, but done in conjunction with APEX, the responses all eventually end up pointing to the document you highlighted.
  If I had hair to spare I'd be pulling it out!
  Thanks again,
  Rob

• How to use vpd to restrict rows by application and schema_name?

  We have a need to reuse a schema name many times in a test/dev. environment. Normally we just create a new instance so development can test their apps. using the same schema_name, let's call it test_user. This is very tedious and time consuming to create many db's and sometimes we don't have the hardware to support so many db's. So I was wondering if I could use vpd and an application_context to restrict the rows & columns that can be seen. But instead of restricting it by schema_name I want to restrict it by schema_name and another env. variable like app_name or something similar. So when the middle layer connects with test_user user name and the app is called accts_payable they see parts of the rows that pertain to them. But if the middle layer connects with the test_user user name and the app is called accts_payable2 they see completely different rows. Any help would be appreciated.
  Thanks,
  George

  I was hoping someone else had already been down this path so I don't have to re-invent the wheel. But it looks like I'm going to go down that path. I did find something in the manual that may help but again it's not exactly what I was hoping for so I will have to test it. It mentions using dbms_session to set the application name in the environment like this:
  Consider the application server, AppSvr, that has assigned the client identifier 12345 to client SCOTT. It then issues the following statement to indicate that, for this client identifier, there is an application context called RESPONSIBILITY with a value of 13 in the HR namespace.
  DBMS_SESSION.SET_CONTEXT( 'HR', 'RESPONSIBILITY' , '13', 'SCOTT', '12345' );
  Thanks for your help on this. If anyone else has been through a similar situation please reply.
  Thanks,
  George

• JHS and VPD

  I'm using ADF 11.1.1.6 and JHeadstart 11.1.1.4. An application, being upgraded to ADF and JHS, uses a virtual private database to restrict rows to logged in users based on their organisation.
  I found a fairly old article on the JHeadstart blog, [Row Level Security using VPD and ADF |https://blogs.oracle.com/jheadstart/entry/row_level_security_using_vpd_a] , and was wondering if this is still considered a valid approach or whether there is now, in 11g, a more declarative way. If the latter, can someone direct me to some relevant documentation?
  Thanks,
  David.

  This falls in the 20% category where you need to code something. Usually, this is just done in the AM base class so you don't need to worry about individual AMs.
  I'm using this approach for a current project.
  Happy coding!
  BradW

• AQ and VPD support

  Hi All,
  I am trying to make AQ working with VPD (Virtual Private Database).
  What I've done is the following.
  1. Enqueue some items in the queue with correlation=1
  2. Create a VPD rule 'CORRID = 1' against the underlying queue table
  3. Try to select against underlying queue table - everything is ok (only items with corrid = 1 are shown) (same for the aq$ view)
  4. Dequeue item from a queue - all items are dequeued (no matter if corrid is 1 or other).
  5. Everything works if deque option correlation = 1, but the ordering is "random"
  My queue is ordered by Priority and Enqueue Time.
  I want to make AQ working with VPD and benefit still on current message ordering.
  Any ideas are very welcome!
  Thanks

  I will move this to other forum category that is more popular.