VPD and AW Security

We have a security requirement on a dimension
containing cost centers. Different users are
allowed access to different cost centers.
On the relational cube side, I have implemented
such a security requirement with some success using
Virtual Private Database (VPD). We now have to
move into Analytic Workspace (AW) as we have to put
in some financial models. My question is: will VPD
work in AW environment? Can we bring across
VPD security implementation into AW?
I have read that you can use PERMIT_READ and
PERMIT_WRITE programs to control access into AW.
You can also use the PERMIT command to fine
tune the security inside these programs. Does
this mean we have to give up VPD and start over
again using these programs and commands :-(?
How would an implementation using the PERMIT
commands scale, i.e. how does this cope with
growing number of users and forever changing
cost centers?
Any advice will be appreciated. Thanks.

From the OLAP Field Guide:
Virtual Private Database (VPD or FGAC) on an AW View
This example creates an administrator named FGAC_SYS which manages the VPD (Fine Grained Access Control) configuration of the database. A table named USR_FGAC_LVL records which group each user belongs to (i.e., DEF [default], MGR [manager]) and the REGION they are allowed to see. The DBMS_RLS (row level security) package uses this table as a reference to create policies for managing access to the CUSTOMER_VIEW owned by the GLOBAL_AW user. So if SCOTT selects from the CUSTOMER_VIEW (which uses the OLAP_TABLE function to retrieve data from the AW), he will only see data relating to REGION 10, while the GLOBAL user can see everything because this user is a member of the MGR group.
NOTE: In Oracle Database 10g, Virtual Private Database supports parallel query, resulting in performance and scalability improvements. It lets you distinguish between static policies, which are suitable for hosting environments that always need to enforce an unchanging policy, and dynamic policies, which are suited for time-dependent enforcement, such as time of day, where the rows returned must vary at a particular time. It is also able to enforce VPD rewrite when a query references a particular column. (See Oracle® Database New Features Guide, 10g Release 1 (10.1), Part Number B10750-01 for more information.)
conn / as sysdba
drop user fgac_sys cascade;
create user fgac_sys profile default identified by oracle default tablespace system account unlock;
grant execute on sys.dbms_rls to fgac_sys;
-- DBA is a very broad grant; here it covers creating the context, the logon trigger and the public synonyms.
grant dba, olap_user to fgac_sys;
set serveroutput on size 1000000
conn fgac_sys/oracle
-- Lookup table: one row per user with the user's group (FGAC_LVL) and permitted region (CREGION).
drop table usr_fgac_lvl cascade constraints;
create table usr_fgac_lvl (username varchar2(20) not null, fgac_lvl varchar2(3) not null, cregion varchar2(3) not null);
create or replace public synonym usr_fgac_lvl for fgac_sys.usr_fgac_lvl;
grant select on usr_fgac_lvl to public;
create or replace public synonym dbms_rls for sys.dbms_rls;
insert into usr_fgac_lvl values ('SCOTT' ,'DEF','10');
insert into usr_fgac_lvl values ('GLOBAL','MGR','999');
insert into usr_fgac_lvl values ('GLOBAL_AW','MGR','999');
insert into usr_fgac_lvl values ('SYSTEM','DEF','9');
-- Package that loads the session user's group and region into the application context.
create or replace package fgac_on_logon as
procedure set_fgac_parameters;
end;
/
create or replace package body fgac_on_logon is
     procedure
          set_fgac_parameters is
          v_user varchar2(30);
               v_fgac_lvl varchar2(3);
               v_cregion varchar2(3);
     begin
          v_user := sys_context ('userenv','session_user');
          select fgac_lvl, cregion into v_fgac_lvl, v_cregion from usr_fgac_lvl where username = v_user;
          dbms_session.set_context ('FGAC_CONTEXT','FGAC_LVL',v_fgac_lvl);
          dbms_session.set_context ('FGAC_CONTEXT','CREGION',v_cregion);
     -- Users with no row in USR_FGAC_LVL get level 'NA', which the policy function maps to '0=1' (no rows).
     exception when no_data_found
     then dbms_session.set_context ('FGAC_CONTEXT','FGAC_LVL','NA');
     end;
end;
/
-- Only the FGAC_ON_LOGON package is allowed to set values in this context.
create or replace context fgac_context using fgac_on_logon;
-- Populate the context at every logon.
create or replace trigger fgac_trigger
after logon on database
begin
fgac_on_logon.set_fgac_parameters;
end;
/
-- Policy function: returns the predicate that DBMS_RLS appends to queries on the protected view.
create or replace package olap_security as
     function olap_sec (d1 varchar2, d2 varchar2)
     return varchar2;
end;
/
create or replace package body olap_security is
     function olap_sec (d1 varchar2, d2 varchar2)
     return varchar2 is
          d_predicate varchar2(2000);
     begin
          -- If FGAC_LVL is not set in the context (NULL), no branch matches and NULL is returned, which applies no filter.
          if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'NA' then d_predicate := '0=1'; end if;
          if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'DEF'
               then d_predicate := 'REGION = SYS_CONTEXT(''FGAC_CONTEXT'',''CREGION'')'; end if;
          if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'MGR' then d_predicate := ''; end if;
          return d_predicate;
     end;
end;
/
-- Attach the policy to GLOBAL_AW.CUSTOMER_VIEW; the object and policy names must match in both calls.
begin
dbms_rls.add_policy ('GLOBAL_AW','CUSTOMER_VIEW','customer_view_policy','fgac_sys','olap_security.olap_sec','select');
dbms_rls.enable_policy ('GLOBAL_AW','CUSTOMER_VIEW','customer_view_policy', true);
end;
/
connect global_aw/global_aw
grant select on CUSTOMER_VIEW to public;
FGA (Fine-Grained Auditing) Auditing an AW View
-- Audit queries on CUSTOMER_VIEW that touch the REGION column for rows where REGION = 9.
BEGIN DBMS_FGA.add_policy( object_schema=> 'GLOBAL_AW', object_name=> 'CUSTOMER_VIEW', policy_name=> 'CUSTVIEW_ACCESS', audit_column => 'REGION', audit_condition => 'REGION = 9');
END;
/
-- Review the audit records.
select timestamp, db_user, os_user, object_schema, object_name, sql_text from dba_fga_audit_trail;
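
An added example, not from the OLAP Field Guide or the posts above, showing one way the same VPD pattern can cover the cost-center case from the question: access is held as rows in a mapping table, so new users and changing cost centers are data changes rather than policy changes, and a session without a recognised level gets no rows. The table USR_COST_CENTER, the view COST_CENTER_VIEW, its COST_CENTER column and the package CC_SECURITY are hypothetical names; FGAC_CONTEXT and FGAC_LVL are reused from the setup above, and it is assumed that the subquery on the mapping table resolves for the querying session.

```sql
-- Added example: every object name below except FGAC_CONTEXT/FGAC_LVL is hypothetical.
conn fgac_sys/oracle

-- One row per (user, cost center) the user may see; sample rows are constructed.
create table usr_cost_center (
  username    varchar2(30) not null,
  cost_center varchar2(10) not null,
  constraint usr_cost_center_pk primary key (username, cost_center)
);
insert into usr_cost_center values ('SCOTT', 'CC100');
insert into usr_cost_center values ('SCOTT', 'CC205');
commit;

create or replace package cc_security as
  function cc_sec (p_schema varchar2, p_object varchar2) return varchar2;
end;
/
create or replace package body cc_security is
  function cc_sec (p_schema varchar2, p_object varchar2) return varchar2 is
    v_lvl varchar2(30) := sys_context('FGAC_CONTEXT', 'FGAC_LVL');
  begin
    if v_lvl = 'MGR' then
      return null;   -- managers: no predicate, all rows visible
    elsif v_lvl = 'DEF' then
      -- The allowed set is looked up by the predicate's subquery, so edits to
      -- the mapping table take effect without changing the policy or function.
      return 'COST_CENTER in (select cost_center'
          || ' from fgac_sys.usr_cost_center'
          || ' where username = sys_context(''userenv'',''session_user''))';
    else
      return '0=1';  -- 'NA', NULL or any unknown level: fail closed
    end if;
  end;
end;
/
begin
  dbms_rls.add_policy (
    object_schema   => 'GLOBAL_AW',
    object_name     => 'COST_CENTER_VIEW',
    policy_name     => 'cost_center_policy',
    function_schema => 'FGAC_SYS',
    policy_function => 'cc_security.cc_sec',
    statement_types => 'select');
end;
/
-- Check: confirm the policy is attached and enabled on the view.
select object_name, policy_name, pf_owner, enable
  from dba_policies
 where object_owner = 'GLOBAL_AW';
```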

Similar Messages

  • VPD and/or OLS implementation

    Hi,
    I'm starting to implement security access at row level in a schema.
    I know VPD and how to get my problem solved.
    However I would like to know how it is feasible with Oracle Label Security.
    I've three tables, germplasm, list, germplasmList
    Here are the structures:
    Germplasm
    GID number(8),
    Name varchar2(50),
    UserId number(5),
    List
    LID number(8),
    ListName varchar2(50),
    userId number(5)
    GermplasmList
    LID number(8),
    GID number(8)
    The goal is to restrict CRUD access depending on user 'privileges' to List, GermplasmList and Germplasm.
    Cheers,
    Sebastien

    Hi Arf,
    Thanks for your fast answer.
    May you give me more details, especially for OLS?
    I, maybe, didn't explain well what my problem is.
    I would like to put in place a restriction access based on a sensitivity, hierarchy and compartment.
    Data are public or private.
    They can belong to one more following compartments
    They belong to one or more locations organized in hierarchical way.
    This is clearly what OLS can do.
    Although the implementation on a table is easy to understand and implement, I don't see how it can be done on several tables using only one label policy;
    and how you can stay consistent as soon as you have to use several OLS policies in parallel.
    Examples will be welcome.
    Cheers,
    Sebastien

  • Adv Replication AND Label Security

    Has anybody implemented Adv Replication AND Label Security?
    I am looking for any advice and warnings.

    Your replication administrator accounts (REPADMIN,etc) will need to have the OLS READ (or FULL) privilege for the policy on the replicated tables so that the predicate is not added. These users will see and replicate everything, there is no way (in Adv. Rep) to replicate data based on the OLS label (say, to only replicate things that are S instead of TS).
    As long as your replication admins have full privilege (or potentially the system privilege EXEMPT ACCESS POLICY, but this bypasses all policies/vpds and shouldn't be used unless you need to and understand the impacts), everything will work out just fine.
    Likely you are aware but if you intend to have the data protected on the target(s), it will need a copy of the policy and the policy applied to the tables as well. You can use database managed OLS and manage the policy in both (or all) places, or evaluate central management of the policy in OID. As much as the OID method has its advantages, I would stick to managing the policy in the database (and automating distributing the changes to different environments) unless you have another good reason to use OID.

  • Workspace Mgr and Label Security?

    I noticed in the 10g Workspace manager that it now works with VPD's. Will it work therefore with Label Security?

    Hi,
    the answer to your question is no. Label Security is built on top of VPD and must be separately licensed.

  • Hi i got a new airport express for christmas and i set it up as per instructions ,i even give a static ip and wpa2 security ..the problem is is when i come to want to use it it says its not on my network and a orange triangle shows .when i reboot it works

    hi i got a new airport express for christmas and i set it up as per instructions ,i even give a static ip and wpa2 security ..the problem is when i come to want to use it it says its not on my network and a orange triangle shows .when i reboot it works..then if i leave it a while and try it again its disappeared off my network...i have a bt hub 3 ....any help please ..im not sure if its a faulty express

    I really don't have an answer for that one. I guess that while trying to get things working correctly, I would use the most basic monitor I had which in your case would be the Eizon using the Thunderbolt port and adaptor.
    When you boot into Safe Mode the startup is quite slow, but you should get the Apple logo and then the spinning gear below it (release the SHIFT key when it appears.) Then after a little more time you should see a gray progress bar appear below the spinning gear. When that disappears the computer will startup to a login screen.

  • My ipod wont let me buy apps etc... keeps saying this is the first time this device has been used and to sign in and answer security questions. I have had this account for years but cant remember the answer to the security questions. How can i fix it?

    My iPod touch won't let me buy anything, i've been using this account for a couple of years and now it says that this is the first time this id has been used on my device... it's not.... and to sign in and answer security questions. i can't remember the answers to the questions. How can i fix this without making a new account and losing all my stuff???

    From a Kappy  post
    The Three Best Alternatives for Security Questions and Rescue Mail
       1. Use Apple's Express Lane.
    Go to https://expresslane.apple.com ; click 'See all products and services' at the
    bottom of the page. In the next page click 'More Products and Services, then
    'Apple ID'. In the next page select 'Other Apple ID Topics' then 'Forgotten Apple
    ID security questions' and click 'Continue'. Please be patient waiting for the return
    phone call. It will come in time depending on how heavily the servers are being hit.
    2.  Call Apple Support in your country: Customer Service: Contact Apple support.
    3.  Rescue email address and how to reset Apple ID security questions.
    A substitute for using the security questions is to use 2-step verification:
    Two-step verification FAQ Get answers to frequently asked questions about two-step verification for Apple ID.

  • I have forgotten my Apple ID and my security question. How can I change it. When I try to verify it through email it never goes through...

    I've forgotten my Apple ID and my security question. I've tried to receive the Apple ID through email but I never receive the email.

    The Best Alternatives for Security Questions and Rescue Mail
        a. Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
        b. Call Apple Support in your country: Customer Service: Contact Apple support.
        c. Rescue email address and how to reset Apple ID security questions.

  • HT201269 When I try to setup my new iPad air, I go through all the steps for the iCloud sign-in and choosing security questions and what not. But after I hit the agree to the terms and conditions... It says Apple ID could not be created because of a serve

    When I try to setup my new iPad air, I go through all the steps for the iCloud sign-in and choosing security questions and what not. But after I hit the agree to the terms and conditions... It says Apple ID could not be created because of a server error. Have no clue what to do... I've restarted the iPad and get the same message. But my internet works just fine.

    1. Turn router off for 30 seconds and on again
    2. Settings>General>Reset>Reset Network Settings

  • Secure and non-secure access to the web application in one war

    Say we have one web application (in one war) which includes JSP, servlets and the security interceptor. There is one business requirement to have most of the JSP(s) accessed via HTTPS, but a few JSP(s) accessed via HTTP.
    My questions are:
    a. Is this possible, or a reasonable requirement or a good practice?
    b. If yes, what can we do to make it happen in the security interceptor implementation?
    c. If not, what are the technical reasons?
    Thanks much.

    a) Yes, it is reasonable and good practice, there is an overhead using https, so you should only encrypt files you need to. When you use an online store, only account details / payments are https, the shop itself is http
    b) I don't really understand your difficulty. You can define a folder as 'secure' and put all your secure pages in this folder, leaving non secure files in a different folder. Whenever a page in the secure folder is accessed, https is automatically invoked.

  • I think my other account is hacked and the hacker changed the password and the security questions and i can't retrieve it , so does anyone know how to have a live (online) conversation with a senior or an apple employee responsible for such problems ?!

    Please help me because it's not the first time the account has been hacked, every time i found out that it was hacked i changed the password, but this time it is not easy because he changed the alternative email-adress and the security questions.

    Call the Apple support phone number for your country:
    http://support.apple.com/kb/HE57
    and the 1st tier agent should be able to assist you or transfer your call to the Account Security team.
    Regards.

  • HT204053 i want to change my icloud id on my iPhone, but it won't let me now that i have upgraded.  I no longer have the password and the problem is It is using an old id which the email isn't valid and the security question does not think my birthday is

    I want to change my icloud id on my iPhone, but it won't let me now that i have upgraded.  I no longer have the password and the problem is It is using an old id which the email isn't valid and the security question does not think my birthday is valid.  I cannot delete the account because "find my iphone" wants the password linked to this old account.  But when i go into the find my iphone app it is using my correct Apple ID.  How do i fix this?

    If you still have access to your old email address, go to https//appleid.apple.com, click Manage my Apple ID and sign in with your iCloud ID.  Tap edit next to the primary email account, tap Edit, change it back to your old email account and verify it.  Then edit the name of the account to change it back to your old email address.  You can now use your current password to turn off Find My iPhone on your device. Then go to Settings>iCloud, tap Delete Account and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud).  Next, go back to https//appleid.apple.com and change your primary email address and iCloud ID name back to the way it was.  You can now go to Settings>iCloud and sign in with your correct iCloud ID and password.
    If you don't have access to your old email address, you will have to contact Apple to have them reset the password so you can disable Find My iPhone and sign into your iCloud account.  You can either go to https://expresslane.apple.com, select "More Products and Services", then "Apple ID", then  on the next page select "Other Apple ID Topics", then "Lost or forgotten Apple ID password" and click "Continue"; or you can contact Apple Support (http://www.apple.com/support/icloud/contact/).

  • How can I get my @mac email to work? when I try to reset password, i cannot access email for this and the security tells me I have wrong date of birth

    Have used bilmac@mac email address for years last couple of weeks am getting message icloud needs password which it then rejects, when I try to reset password,they want email to verify i cannot access email and the security question is D. O B. it tells me I have wrong date of birth. so I am stumped, any ideas bilmac

    COME ON PEOPLE. (WHY ARE THE LETTERS SO BIG HERE?) I AM VERY OLD AND JUST LIKE THINGS TO STAY THE SAME. I DID NOT, DO NOT, WANT ICLOUD TO DO ANYTHING I HAVE NOT USED IT AT ALL YET IT HAS MANAGED TO MESS UP MY EMAIL ADDRESS WHICH I HAVE BEEN USING FOR YEARS, IT ASKS FOR PASSWORD THEN REJECTS AND WHEN I TRY TO RESET WITH APPLE ID THEY ASK FOR SECURITY AS I CANNOT ACCESS THE EMAIL ADDRESS THEY HAVE FOR ME BECAUSE ICLOUD ASKS FOR PASSWORD, THEN APPLE TELL ME I DONT KNOW MY OWN DATE OF BIRTH, VERY CONFUSING

  • I forgot my Apple ID password and I can't reset it because my email account has been closed and the security questions don't work

    I Forgot my Apple ID password and I can't reset it because the related email account has been closed and the security questions don't work! How do I solve this? Thank you.

    Click here and contact Apple.
    (113292)

  • How to maintain E-Business suite with latest product levels and bug/securi

    Hi All,
    How to maintain E-Business suite with latest product levels and bug/security fixes?
    backup strategies for database and E-BS suite?
    what is meant by gather user requirements?
    Please someone explain briefly...........
    Thanks

    Please post your question in the appropriate forum.
    E-Business Suite
    http://forums.oracle.com/forums/category.jspa?categoryID=3
    Thanks,
    Hussein

  • I kept a dual boot of windows 7 and mac os x lion in macbook pro. so, should i keep antivirus for windows 7? which is prescribable between bit defender(bd) and microsoft security essentials(mse)?does bd and mse un-installs easily?

    i kept a dual boot of windows 7 and mac os x lion in macbook pro. so, should i keep antivirus for windows 7? which is prescribable between bit defender(bd) and microsoft security essentials(mse)?does bd and mse un-installs easily?

    lower your font size unless you have difficulty
    MS Security Essentials is excellent
    Then again maybe time to investigate Windows 8 RP (which uses Defender)
