VPD and/or OLS implementation

Similar Messages

• VPD and discoverer portlets

  Hi,
  Resolution History
  23-MAY-07 16:53:02 GMT
  ### What kind of problem do you have? ###
  Security Issues
  ### Describe the problem you are having in detail. Include any notes, guides, or documentation
  that you have followed. ###
  We have test implementation of VPD or row-level security at database level. This works fine with discoverer queries. At the
  portal level we are okay with getting discoverer portlets via a public
  connection (the VPD works fine).
  Q1. What kind of parameter form would be better for discoverer portlets so that we retrieve list of values via a sql query? Simple parameter form allows static list of values so any suggestion on what parameter would be good and easy to implement to write sql queries.
  Q2. With parameters form of some kind we are trying to limit the list of values for each parameter that we have at the portal based on the user logon at the portal somehow married up to database users. (FYI-- we don't have SSO for discoverer). Any suggestions as to how this can be implemented also would be greatly appreciated!
  Thanks in advance,
  -Esther

  I really hope someone can help! I'm trying to accomplish the same exact thing! The private connection for each user gets tricky because not all of our users know exactly what they are doing. Please help!!
  Alanna

• VPD and AW Security

  We have a security requirement on a dimension
  containing cost centers. Different users are
  allowed access to different cost centers.
  On the relational cube side, I have implementated
  such security requirement with some success using
  Virtual Private Database (VPD). We now have to
  move into Analytic Workspace (AW) as we have to put
  in some financial models. My question is: will VPD
  work in AW environment? Can we bring across
  VPD security implementation into AW?
  I have read that you can use PERMIT_READ and
  PERMIT_WRITE program to control access into AW.
  You can also use the PERMIT command to fine
  tune the security inside these programs. Does
  this mean we have to give up VPD and start over
  again using these programs and commands :-(?
  How would an implementation using the PERMIT
  commands scale, i.e. how does this cope with
  growing number of users and forever changing
  cost centers?
  Any advice will be appreciated. Thanks.

  From the OLAP Field Guide:
  Virtual Private Database (VPD or FGAC) on an AW View
  This example creates an administrator named FGAC_SYS which manages the VPD (Fine Grained Access Control) configuration of the database. A table named USR_FGAC_LVL contains information on what group they belong to (i.e., DEF [default], MGR [manager]) and REGION they are allowed to see. The DBMS_RLS (row level security) package uses this table as a reference to create policies for managing access to the CUSTOMER_VIEW owned by GLOBAL_AW user. So if SCOTT wished to select from the CUSTOMER_VIEW (which uses the OLAP_TABLE function to retrieve data from the AW) he will only see data relating to REGION 10. While GLOBAL user can see everything because this user is a member of the MGR group.
  NOTE: In Oracle Database 10g Virtual Private Database supports parallel query, resulting in performance and scalability improvements, lets you distinguish between static policies, which are suitable for hosting environments that always need to enforce an unchanging policy, and dynamic policies, which are suited for time-dependent enforcement, such as time of day, where rows returned must vary at a particular time and able to enforce VPD rewrite when a query references a particular column. (See Oracle® Database New Features Guide,10g Release 1 (10.1), Part Number B10750-01 for more information)
  conn / as sysdba
  drop user fgac_sys cascade
  create user fgac_sys profile default identified by oracle default tablespace system account unlock;
  grant execute on sys.dbms_rls to fgac_sys;
  grant dba, olap_user to fgac_sys;
  set serveroutput on size 1000000
  conn fgac_sys/oracle
  drop table USR_FGAC_LVL cascade constraints';
  create table usr_fgac_lvl (username varchar2(20) not null, fgac_lvl varchar2(3) not null, cregion varchar2(3) not null);
  create or replace public synonym usr_fgac_lvl for fgac_sys.usr_fgac_lvl;
  grant select on usr_fgac_lvl to public;
  create or replace public synonym dbms_rls for sys.dbms_rls;
  insert into usr_fgac_lvl values ('SCOTT' ,'DEF','10');
  insert into usr_fgac_lvl values ('GLOBAL','MGR','999');
  insert into usr_fgac_lvl values ('GLOBAL_AW','MGR','999');
  insert into usr_fgac_lvl values ('SYSTEM','DEF','9');
  create or replace package fgac_on_logon as
  procedure set_fgac_parameters;
  end;
  create or replace package body fgac_on_logon is
       procedure
            set_fgac_parameters is
            v_user varchar2(30);
                 v_fgac_lvl varchar2(3);
                 v_cregion varchar2(3);
       begin
            v_user := sys_context ('userenv','session_user');
            select fgac_lvl, cregion into v_fgac_lvl, v_cregion from usr_fgac_lvl where username = v_user;
            dbms_session.set_context ('FGAC_CONTEXT','FGAC_LVL',v_fgac_lvl);
            dbms_session.set_context ('FGAC_CONTEXT','CREGION',v_cregion);
       exception when no_data_found
       then dbms_session.set_context ('FGAC_CONTEXT','FGAC_LVL','NA');
       end;
  end;
  create or replace context fgac_context using fgac_on_logon;
  create or replace trigger fgac_trigger
  after logonon database
  begin
  fgac_on_logon.set_fgac_parameters;
  end;
  create or replace package olap_security as
       function olap_sec (d1 varchar2, d2 varchar2)
       return varchar2;
  end;
  create or replace package body olap_security is
       function olap_sec (d1 varchar2, d2 varchar2)
       return varchar2 is
            d_predicate varchar2(2000);
       begin
            if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'NA' then d_predicate := '0=1'; end if;
            if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'DEF'
                 then d_predicate := 'REGION = SYS_CONTEXT(''FGAC_CONTEXT'',''CREGION'')'; end if;
            if sys_context('FGAC_CONTEXT','FGAC_LVL') = 'MGR' then d_predicate := ''; end if;
            return d_predicate;
       end;
  end;
  begin
  dbms_rls.add_policy ('GLOBAL_AW','CUST_VW','cust_vw_policy','fgac_sys','olap_security.olap_sec','select');
  dbms_rls.enable_policy ('GLOBAL_AW','CUST_VIEW','customer_view_policy', true);
  end;
  connect global_aw/global_aw
  grant select on CUSTOMER_VIEW to public;
  FGA (Fine-Grained Auditing) Auditing an AW View
  BEGIN DBMS_FGA.add_policy( object_schema=> 'GLOBAL_AW', object_name=> 'CUSTOMER_VIEW', policy_name=> 'CUSTVIEW_ACCESS', audit_column => 'REGION', audit_condition => 'REGION = 9');
  END;
  select timestamp, db_user, os_user, object_schema, object_name, sql_text from dba_fga_audit_trail;

• VPD and JSP

  Hi,
  Having followed the example at http://www.oracle.com/technology/products/jdev/howtos/bc4j/bc4jvpdjaas.html?_template
  I have been able to design a jsp application which implements vpd and works well.
  Now I have added another view object to the same project based on a sql statement and do not want apply vpd to this object. However when I create a jsp based on this new view object, the jsp does not query any data and shows blank output.
  Does anybody have any clue?
  Thanks
  Sanjay

  Hi Frank,
  now i have realized that this problem has nothing to do with VPD.
  My second VO points to a table that does not have a policy defined. As such if I use the same query to create a view in the database itself and then based on this database view I create both entity object and view object in my jdeveloper project then things work fine. I fail to understand why the view object on its own does not work.
  Thanks
  Sanjay

• Training and Event Management Implementation based on competencies

  Dear Friends,
  My client is going ahead for Training and Event Managment Implementation. They have a basic requirement to start with and that is :
  1) They have done competency mapping for all its employees and they want that the competencies of each employees(along with the skill levels) to be recorded in the system and that has to be the starting point of using Training and Event Management module.
  2) They want, if the competencies can flow based on Job/ Position.
  3) Some identifier to the competencies, whther it has flowed from Appraisal or any other sources in the Final Training Needs.
  Kindly provide me help, as to how I will be able to achieve that and in what Infotypes the data pertaining to Training and Event Managment will be stored.
  If u all can kindly share with me the User Manuals and Configuration Docs of Training and Event Management, it will be of great help.
  Thank you all.

  Hi,
  Competencies can be stored as qualifications in PD and then by activation of PD PA intergration can be seen from pa30 infotype 24.
  Qualifications can be stored against a Job/Position and are called as the Requirements. They are seen as a separate Tab and to which ever position the person is linked to the corresponding qualifications of the position will appear in the requirements tab.
  You can maintain the proficiency and a note along with the qualification when assigned to a person.
  Also Appraisals can have qualifications in the template rather than criteria and criteria groups.
  Also after training is completed during the follow up we can create an appraisal and transfer the qualifications or simply transfer the qualifications to the employee.
  Regards,
  Divya

• How many types of authentications in sharepoint and how to implement those authentication in sharepoint?

  Hi All,
  How many types of authentications in sharepoint and how to implement those authentication in sharepoint?
  can any one explain the above things with examples?
  Thanks in Advance!

  In addition to
  A Sai Gunaranjan you can also check this URL for Sharepoint 2010:
  http://technet.microsoft.com/en-us/library/cc288475(v=office.14).aspx
  http://www.codeproject.com/Tips/382312/SharePoint-2010-Form-Based-Authentication
  ***If my post is answer for your query please mark as answer***
  ***If my answer is helpful please vote***

• Logical Database design and physical database implementation

  Hi
  I am an ORACLE DBA basically and we started a proactive server dashboard portal ,which basically reports all aspects of our infrastructure (Dev,QA and Prod,performance,capacity,number of servers,No of CPU,decomissioned date,OS level,Database patch level) etc..
  This has to be done entirely by our DBA team as this is not externally funded project.Now i was asked to do " Logical Database design and physical Database
  implementation"
  Even though i know roughly what's that mean(like designing whole set of tables in star schema format) ,i have never done this before.
  In my mind i have a rough set of tables that can be used but again i think there is lot of engineering involved in this area to make sure that we do it properly.
  I am wondering you guys might be having some recommendations for me in the sense where to start?are there any documents online , are there any book on this topic?Are there any documents which explain this phenomena with examples ?
  Also exactly what is the difference between logical database design vs physical database implementation
  Thanks and Regards

  Logical database design is the process of taking a business or conceptual data model (often described in the form of an Entity-Relationship Diagram) and transforming that into a logical representation of that model using the specific semantics of the database management system. In the case of an RDBMS such as Oracle, this representation would be in the form of definitions of relational tables, primary, unique and foreign key constraints and the appropriate column data types supported by the RDBMS.
  Physical database implementation is the process of taking the logical database design and translating that into the actual DDL statements supported by the target RDBMS that will create the database objects in a target RDBMS database. This will generally include specific physical implementation details such as the specification of tablespaces, use of specialised indexing (bitmap, clustered etc), partitioning, compression and anything else that relates to how data will actually be physically stored inside the database.
  It sounds like you already have a physical implementation? If so, you can reverse engineer this implementation into a design tool such as SQL Developer Data Modeller. This will create a logical design by examining the contents of the Oracle data dictionary. Even if you don't have an existing database, Data Modeller is a good tool to use as a starting point for logical and even conceptual/business models.
  If you want to read anything about logical design, "An Introduction to Database Systems" by Date is always a good starting point. "Database Systems - A Practical Approach to Design, Implementation and Management" by Connolly & Begg is also an excellent reference.

• What is serialization? and how to implement it?

  what is serialization? and how to implement it?

  why not try googling rather than spamming the forum with your homework questions? This spitting out questions without showing that you've done any work (even if you have done the work) is guaranteed to piss us off. Please learn to ask a question the smart way:
  http://www.catb.org/~esr/faqs/smart-questions.html

• Difference between EDN-DB and EDN-JMS implementation

  Experts,
  Looking for a difference between EDN-DB and EDN-JMS implementation. We have EDN implementation going on, where multiple source systems will be publishing business events. Events can be published using SOA Suite or JMS Bridge from AQ and MQ. In this scenario which implementation approach is suited better ?

  Oracle Apps Adapter can be used for many other products other than E-Business Suite (JD Edwards E1, OTM, and others).  The apps adapter was mainly used in ERP systems and was strong when you needed have added functionality other than just polling a db for a status / calling a stored procedure...  It could connect out to other business services, xml gateways and so-on.
  From a technical aspect / development perspective I always thought of that the Oracle Apps Adapter simplifies the development but, may is not flexible. The App Adapter's strength is the services that are difficult to integrate with (business services, xml gateway). If you need to hook in to these types of services, use the APPS adapter. (Again like it is named the "Apps Adapter" its for interacting w/ other applications to enable real-time processing / functionality. 
  That being said the dbAdapter can be very powerful but, like it is named is database focused (to poll some table to know when to kick off other logic and enable real-time functionality through database interaction.
  Looking at the Oracle 12C Roadmap I had heard that there is more planned for the Oracle Apps Adapter moving forward, especially as Anuj said in the "Financial Apps" side of the isle at Oracle. Who knows what is real and what isn't though =]
  Hope this helps!
  -Luke

• VPD and AQs

  Hi All,
  I am trying to make AQ working with VPD (Virtual Private Database).
  What I've done is the following.
  1. Enqueue some items in the queue with correlation=1
  2. Create a VPD rule 'CORRID = 1' against the underlying queue table
  3. Try to select against underlying queue table - everything is ok (only items with corrid = 1 are shown) (same for the aq$ view)
  4. Dequeue item from a queue - all items are dequeued (no matter if corrid is 1 or other).
  5. Everything works if deque option correlation = 1, but the ordering is "random"
  My queue is ordered by Priority and Enqueue Time.
  I want to make AQ working with VPD and benefit still on current message ordering.
  Any ideas are very welcome!
  Thanks

  According to [http://download.oracle.com/docs/cd/B19306_01/server.102/b14257/manage.htm#sthref498] this should be impossible.....
  However any workaround will be appreciated!

• Security properties of jks and jceks keystore implementations

  Hi,
  could somebody point me to a description of the security properties of the jks and jceks keystore implementations, which allow me to judge how secure they are?
  Thanks in advance!
  Basti

  http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeyManagement
  Both are only as strong as the password used to protect them. Apparently JKS is relatively weak, JCEKS is probably equivalent to a PKCS12 as both can use 3DES PBE.
  If you want good private key storage you need to move to hardware tokens and the PKCS11 interface.

• Oracle TIME and Labour module implementation process

  Hi,
  Can some one help me to get Oracle TIME and Labour module implementation process/presentation/lesson learned etc.
  thanks,

  Hi,
  The implementation manuals can be found at:
  Applications Releases 11i and 12
  http://www.oracle.com/technology/documentation/applications.html
  Regards,
  Hussein

• Best practice for VPD and remote tables

  Not specifically an HTMLDB question, but here goes...
  HTMLDB 1.6 on 9.2.0.4 connecting over database link (fixed username/password) to 9.2.0.4
  I've currently "wrapped" access to the remote tables in views, i.e. view "T" in the HTMLDB parsing schema LOCAL_USER is defined as "SELECT * FROM T@remote"
  I'd like to put VPD controls on my backend tables, but I don't get how v('APP_USER') (or even APP_USER put into an application context) would be seen by the remote database.
  Should I just put VPD policies on LOCAL_USER's views and call it a day?
  Thanks for input!
  -John

  If you implemented the VPD in the remote database, what would your VPD be restricting? All queries would apply the policy based on the DB link fixed username resulting in all users of the HTML DB application having same policy restrictions.
  The policy in the remote database does not has access to the value of v('APP_USER'). That value is only available in the database that has HTML DB. You would have to write APIs in the remote database in PL/SQL functions/procedures to pass in the V('APP_USER') value to the remote database. This is doable, but cumbersome.
  If you want to have your policy modify your WHERE clause on the fly based on your HTML DB user account, then I would implement the VPD in the database which has your HTML DB repository. I am not sure which of the two scenarios below occur when doing a SELECT * FROM T.
  1.) The query goes across the database link, gets all the data out of table T in the remote database, passes back to the HTML DB database, and applies the policy WHERE clause modification in the HTML DB database.
  2.) The query applies the policy WHERE clause modification to the view, goes across the database link with the WHERE clause modified, and gets only the data allowed based on the policy from the remote database.
  You should test this out to find out for performance purposes what query is actually performed on the remote database.
  As always if anyone sees anything inaccurate in what I have written, please correct me.
  Mike

• Error executing a query using VPD and BC4J

  Hi all,
  Our team is developing an application using an Oracle DB 9.2.0.4 and BC4J 10g (9.0.5.16.0) as persistence layer.
  We also are using the VPD (virtual private database) to have security in the database at row level.
  The problem we are facing is that every some time (days) we get a jdbc error when a query (see below) that uses VPD policies is executed. Once the error occurs I execute it from sqlplus without getting any error .. it only occurs from our java application.
  To temporary solve this problem, we delete and recreate the VPD policies, then the application continue working fine for some time ...
  I'll appreciate any comment / suggestions
  Thank in advance.
  Eduardo.
  ERROR LOG:
  oracle.jbo.SQLStmtException: JBO-27122: SQL error during statement preparation. Statement: SELECT * FROM (SELECT CalLocation.ID,
  CalLocation.CODE, eo
  CalLocation.NAME,
  CalLocation.ZIP,
  CalLocation.PHONE,
  CalLocation.FAX,
  CalLocation.ADDRESS1,
  CalLocation.ADDRESS2,
  CalLocation.URL,
  CalLocation.OWNER,
  CalLocation.CTY_ID,
  CalLocation.DESCRIPTION,
  ORefCity.CODE CTY_CODE,
  ORefCountry.ID CTR_ID,
  ORefCountry.CODE CTR_CODE,
  ORefRegion.ID REG_ID,
  ORefRegion.CODE REG_CODE
  FROM CAL_LOCATIONS CalLocation,
  OREF_CITIES ORefCity,
  OREF_COUNTRIES ORefCountry,
  OREF_REGIONS ORefRegion
  WHERE ORefCity.ID = CalLocation.CTY_ID
  and ORefCountry.ID = ORefCity.CTR_ID
  and ORefRegion.ID = ORefCountry.REG_ID) QRSLT WHERE ( ( (CTY_ID = 867) ) )
  ## Detail 0 ##
  java.sql.SQLException: Io exception: Broken pipe
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:189)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:231)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:345)
       at oracle.jdbc.driver.OracleStatement.open(OracleStatement.java:717)
       at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:2605)
       at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:457)
       at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:387)

  The symptoms we have been getting are quite similar to the bug 3662364 .
  I'm going to implement the patch for that bug and see what happend then.
  Thank you very much for your help.
  Regards,
  Eduardo.

• Using VPD and Portal

  Situation: Trying to implement row level security using VPD for
  applications created in PORTAL. using portal's
  Light weight users.
  Method: Created a fine grain access control policy to build a
  predicate based on a Portal user (not database user).
  1 Get Portal User (proc: portal30.wwctx_api.get_user)
  2 Determine what business rules are setup for this
  Portal User
  3 Based on the above rules, build predicate for the
  Portal User
  Problem: In the first step, not retrieving the Portal user -
  looks to be getting PUBLIC when the code is part of a
  VPD policy. When it is executed on its own, it gets the correct
  information back (ie. The portal user not PUBLIC).
  The idea is that we want to be able to set the VPD policy based
  on the light weight Portal User.
  Oracle Database version 8.1.7
  Oracle iAS 1.0.2.2.0
  There is a work around for this, which is to create a database
  schema for each portal user and then associate the
  Portal account with this database schema. When we do this, we
  get the correct information for use in the VPD policy,
  But we actually look for the Proxy Account (database schema the
  portal user is associated with) and not the portal
  user/session info. This work around in not desirable when we
  get a large number of portal users.
  I've included the VPD package below where we try to extract the
  Portal user acct using the
  portal30.wwctx_api.get_user function
  we also tried the
  WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
  When this PLSQL is executed within a portlet, it seems to return
  the correct information.
  Code:
  CREATE OR REPLACE PACKAGE
  BODY "P_CORPORATE_SECURITY_CONTEXT" as
  function f_company_security (p1 varchar2, p2 varchar2) return
  varchar2 is
  v_predicate VARCHAR2(4000);
  CURSOR cur_company(p_portal_user_name IN
  company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
  SELECT decode(rownum,1,to_char(company_id),','||to_char
  (company_id)) company_id
  FROM company_wwsec_person
  WHERE POLICY = '='
  and upper(WWSEC_PERSON_USER_NAME) = upper
  (p_portal_user_name);
  l_portal_user_name varchar2(256);
  l_oracle_user_name varchar2(30);
  l_all_policy_cnt number;
  l_equal_policy_cnt number;
  BEGIN
  l_portal_user_name := portal30.wwctx_api.get_user;
  -- l_portal_user_name := USER; Commented out since we
  want portal user not
  database user.
  select count(*)
  into l_all_policy_cnt
  from company_wwsec_person
  where upper(WWSEC_PERSON_USER_NAME) = upper
  (l_portal_user_name)
  and policy = 'ALL';
  select count(*)
  into l_equal_policy_cnt
  from company_wwsec_person
  where upper(WWSEC_PERSON_USER_NAME) = upper
  (l_portal_user_name)
  and policy = '=';
  IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
  v_predicate := ' company_id in (';
  FOR l_company IN cur_company(l_portal_user_name)
  LOOP
  v_predicate := v_predicate || l_company.company_id;
  END LOOP;
  v_predicate := v_predicate || ')';
  ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
  v_predicate := ' 1=2';
  ELSE
  v_predicate := NULL;
  END IF;
  -- Uncomment to allow access to everything
  -- v_predicate := ' 1=1';
  RETURN v_predicate;
  END;
  END;

  Situation: Trying to implement row level security using VPD for
  applications created in PORTAL. using portal's
  Light weight users.
  Method: Created a fine grain access control policy to build a
  predicate based on a Portal user (not database user).
  1 Get Portal User (proc: portal30.wwctx_api.get_user)
  2 Determine what business rules are setup for this
  Portal User
  3 Based on the above rules, build predicate for the
  Portal User
  Problem: In the first step, not retrieving the Portal user -
  looks to be getting PUBLIC when the code is part of a
  VPD policy. When it is executed on its own, it gets the correct
  information back (ie. The portal user not PUBLIC).
  The idea is that we want to be able to set the VPD policy based
  on the light weight Portal User.
  Oracle Database version 8.1.7
  Oracle iAS 1.0.2.2.0
  There is a work around for this, which is to create a database
  schema for each portal user and then associate the
  Portal account with this database schema. When we do this, we
  get the correct information for use in the VPD policy,
  But we actually look for the Proxy Account (database schema the
  portal user is associated with) and not the portal
  user/session info. This work around in not desirable when we
  get a large number of portal users.
  I've included the VPD package below where we try to extract the
  Portal user acct using the
  portal30.wwctx_api.get_user function
  we also tried the
  WPG_SESSION_PRIVATE.GET_LW_USER function with the same results
  When this PLSQL is executed within a portlet, it seems to return
  the correct information.
  Code:
  CREATE OR REPLACE PACKAGE
  BODY "P_CORPORATE_SECURITY_CONTEXT" as
  function f_company_security (p1 varchar2, p2 varchar2) return
  varchar2 is
  v_predicate VARCHAR2(4000);
  CURSOR cur_company(p_portal_user_name IN
  company_wwsec_person.WWSEC_PERSON_USER_NAME%TYPE) IS
  SELECT decode(rownum,1,to_char(company_id),','||to_char
  (company_id)) company_id
  FROM company_wwsec_person
  WHERE POLICY = '='
  and upper(WWSEC_PERSON_USER_NAME) = upper
  (p_portal_user_name);
  l_portal_user_name varchar2(256);
  l_oracle_user_name varchar2(30);
  l_all_policy_cnt number;
  l_equal_policy_cnt number;
  BEGIN
  l_portal_user_name := portal30.wwctx_api.get_user;
  -- l_portal_user_name := USER; Commented out since we
  want portal user not
  database user.
  select count(*)
  into l_all_policy_cnt
  from company_wwsec_person
  where upper(WWSEC_PERSON_USER_NAME) = upper
  (l_portal_user_name)
  and policy = 'ALL';
  select count(*)
  into l_equal_policy_cnt
  from company_wwsec_person
  where upper(WWSEC_PERSON_USER_NAME) = upper
  (l_portal_user_name)
  and policy = '=';
  IF l_all_policy_cnt = 0 and l_equal_policy_cnt > 0 THEN
  v_predicate := ' company_id in (';
  FOR l_company IN cur_company(l_portal_user_name)
  LOOP
  v_predicate := v_predicate || l_company.company_id;
  END LOOP;
  v_predicate := v_predicate || ')';
  ELSIF l_all_policy_cnt = 0 and l_equal_policy_cnt = 0 THEN
  v_predicate := ' 1=2';
  ELSE
  v_predicate := NULL;
  END IF;
  -- Uncomment to allow access to everything
  -- v_predicate := ' 1=1';
  RETURN v_predicate;
  END;
  END;