VPD Performance

Similar Messages

• Best practice for VPD and remote tables

  Not specifically an HTMLDB question, but here goes...
  HTMLDB 1.6 on 9.2.0.4 connecting over database link (fixed username/password) to 9.2.0.4
  I've currently "wrapped" access to the remote tables in views, i.e. view "T" in the HTMLDB parsing schema LOCAL_USER is defined as "SELECT * FROM T@remote"
  I'd like to put VPD controls on my backend tables, but I don't get how v('APP_USER') (or even APP_USER put into an application context) would be seen by the remote database.
  Should I just put VPD policies on LOCAL_USER's views and call it a day?
  Thanks for input!
  -John

  If you implemented the VPD in the remote database, what would your VPD be restricting? All queries would apply the policy based on the DB link fixed username resulting in all users of the HTML DB application having same policy restrictions.
  The policy in the remote database does not has access to the value of v('APP_USER'). That value is only available in the database that has HTML DB. You would have to write APIs in the remote database in PL/SQL functions/procedures to pass in the V('APP_USER') value to the remote database. This is doable, but cumbersome.
  If you want to have your policy modify your WHERE clause on the fly based on your HTML DB user account, then I would implement the VPD in the database which has your HTML DB repository. I am not sure which of the two scenarios below occur when doing a SELECT * FROM T.
  1.) The query goes across the database link, gets all the data out of table T in the remote database, passes back to the HTML DB database, and applies the policy WHERE clause modification in the HTML DB database.
  2.) The query applies the policy WHERE clause modification to the view, goes across the database link with the WHERE clause modified, and gets only the data allowed based on the policy from the remote database.
  You should test this out to find out for performance purposes what query is actually performed on the remote database.
  As always if anyone sees anything inaccurate in what I have written, please correct me.
  Mike

• Trying to implement a VPD policy but got the following error ORA-20001

  hey good day,
  I'm trying to implement a VPD policy to my application. After I have performed the below task (Label 1) in oracle 10g database. When I'm about to access my application page in ApEx 3.2.1 I got the following error
  ORA-20001: get_dbms_sql_cursor error ORA-28110: policy function or package CHARLES.VPD_PREDICATE has error
  any form of assistance will be greatly appreciated.
  thanks in advance
  Label 1
  USER is "VPD_ADMIN"
  SQL> create or replace context empnum_ctx using set_empnum_ctx_pkg;
  Context created.
  SQL> CREATE OR REPLACE PACKAGE set_empnum_ctx_pkg IS
    2    PROCEDURE set_empnum;
    3  END;
    4  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY set_empnum_ctx_pkg IS
    2    PROCEDURE set_empnum IS
    3     emp_id NUMBER;
    4    BEGIN
    5     SELECT EMPNUM INTO emp_id FROM CHARLES.INSTRUCTOR
    6     WHERE upper(username) = nvl(v('APP_USER'), USER);
    7     DBMS_SESSION.SET_CONTEXT('empnum_ctx', 'empnum', emp_id);
    8
    9    EXCEPTION
  10      WHEN NO_DATA_FOUND THEN NULL;
  11    END;
  12  END;
  13  /
  Package body created.
  SQL> create or replace package vpd_policy as
    2    function vpd_predicate(object_schema in varchar2 default null, object_name in varchar2 default null)
    3     return varchar2;
    4  end;
    5  /
  Package created.
  SQL> create or replace package body vpd_policy as  function vpd_predicate(
    2   object_schema in varchar2 default null, object_name in varchar2 default null)
    3     return varchar2 as
    4
    5      BEGIN
    6     if (USER = 'ADMIN') and (v('APP_USER') is null) or
    7        (USER = 'MICHAEL.GRAY') and (v('APP_USER') is NULL) then
    8       return '';
    9     else
  10       return '(
  11             exists (
  12                     select  "INSTRUCTOR"."EMPNUM" as "EMPNUM",
  13                             "INSTRUCTOR"."FIRSTNAME" as "FIRSTNAME",
  14                             "INSTRUCTOR"."LASTNAME" as "LASTNAME",
  15                             "LOAD"."COURSEID" as "COURSEID",
  16                             "COURSE"."CREDIT" as "CREDIT",
  17                             "COURSE"."HPW" as "HPW",
  18                             "LOAD"."CAMPID" as "CAMPID",
  19                             "LOAD"."YR" as "YR",
  20                             "INSTRUCTOR"."POS" as "POS",
  21                             "INSTRUCTOR"."USERNAME" as "USERNAME",
  22                             "INSTRUCTOR"."DEPARTMENT_NAME" as "DEPARTMENT_NAME",
  23                             "LOAD"."SEMESTER" as "SEMESTER"
  24                     from    "COURSE" "COURSE",
  25                             "INSTRUCTOR" "INSTRUCTOR",
  26                             "LOAD" "LOAD"
  27                     where   "INSTRUCTOR"."EMPNUM"="LOAD"."EMPNUM"
  28                     and     "LOAD"."COURSEID"="COURSE"."COURSEID"
  29                     and     department_name = (
  30                                     select department_name from departments
  31                                     where upper (assigned_to) = nvl(v(''APP_USER''),USER) )
  32                                     )
  33
  34                     or upper(username) = nvl(v(''APP_USER''), USER)
  35                                                ) ';
  36
  37     END IF;
  38  END vpd_predicate;
  39  END vpd_policy;
  40  /
  Package body created.
  SQL> begin
    2  dbms_rls.add_policy(
    3  object_schema => 'charles',
    4  object_name => 'load',
    5  policy_name => 'Loading Policy',
    6  function_schema => 'charles',
    7  policy_function => 'vpd_predicate',
    8  statement_types => 'select, update, insert, delete');
    9  end;
  10  /
  PL/SQL procedure successfully completed.

  ORA-20001 isn't an Oracle error message it was coded into your application by a developer: Look it up.
  Consider too the following:
  EXCEPTION
     WHEN NO_DATA_FOUND THEN NULL;so if the employee identifier is not found ... is this really what you want? If an employee isn't valid shouldn't you know it?

• VPD "Lost" after validation fails

  Hi,
  We have a custom in house VPD. In the application security section, under VPD, we call a procedure which sets our security context client_id in order to be used to make context references within secure views.
  In our page we have a simple select list which is run against a "secure" view. Once the user selects a value they hit continue to go on. A validation is put in place to make sure that a value has been selected.
  If the validation fails, we go back to the page and the validation error message displays (as it should) however the select list has no values. After doing a lot of testing, references to any view that uses the VPD returns no values when a validation fails.
  We've done some test and it appears that the following happens:
  - On a page submit the VPD function gets called (as per the application security / vpd)
  - Validations are performed
  - If validation fails, run: dbms_session.clear_identifier;
  - Load the page along with the appropriate error messages.
  Is this correct? Is their anyway around this?
  We have tried to set an application process to run before header which would run the same function as that called in the VPD section, however the process isn't run when a validation fails.
  Thank you,
  Martin

  APEX sets client identifier to: APP_USER:APP_SESSION. CLIENT_INFO is set to just APP_USER. Try the following query from the SQL Workshop as well as a region on a page to give you a better idea of what APEX sets:select sys_context('USERENV','CURRENT_SCHEMA') CURRENT_SCHEMA,sys_context('USERENV','SESSION_USER') SESSION_USER,
         sys_context('USERENV','MODULE') module,sys_context('USERENV','ACTION') action,
         sys_context('USERENV','CLIENT_INFO') CLIENT_INFO, sys_context('USERENV','CLIENT_IDENTIFIER') CLIENT_IDENTIFIER
    from dualI would probably include the IP Address of your HTTP Servers in the policy to make sure it's not someone connecting from SQL*Plus: sys_context('USERENV', 'IP_ADDRESS')
  Tyler

• Oracle 11g advantages for performance

  Hello,
  I am doing test of Client side result set cache on oracle 11 g rel2 ,O/S- RHEL
  i am doing test as below on 2 Oracle 11g rel2 test servers on RHEL
  one oracle 11g rel2 instance is used as server1,from other oracle 11g rel2 server2, i am running queries connecting to server1 through sqlplus,listener(tnsnames )
  i run query few times without any client cache settings then
  i have set init.ora paras for oracle 11g rel2 for client result cache,cache size/cache lag
  i run the same query few times
  in both the cases after each run i am noting statistics
  select * from V$RESULT_CACHE_OBJECTS;
  select * from V$CLIENT_RESULT_CACHE_STATS;
  select * from gv$cpool_conn_info;
  also autotrace,plan etc
  but after using cache this views are getting poplulated ,autiotrace plan shows cache is used
  but i cant see any improvement in performance after using client cache like speed,reduce network trip, etc
  in fact without using cache/with no hint ,query executes faster
  let me know if i am missing something,i believe sqlplus internally using OCI
  thanks

  >
  I tested with custom code using java/jdbc thin driver ,connecting same as between 2 oracle 11g2 instance 1 as client other server,running code calling queries from client connecting to server
  >
  Unless you plan to provide the information ask for about what it is you are doing there really isn't any point in providing status updates that: you test this, you tested that. You made several statements about what you were doing
  >
  i have set init.ora paras for oracle 11g rel2 for client result cache,cache size/cache lag
  i run the same query few times
  in both the cases after each run i am noting statistics
  select * from V$RESULT_CACHE_OBJECTS;
  select * from V$CLIENT_RESULT_CACHE_STATS;
  select * from gv$cpool_conn_info;
  also autotrace,plan etc
  >
  and were asked to provide specific information that you haven't provided nor have you provided the query.
  >
  You say you are doing a bunch of things
  But you don't post any of those results so we can see what it is you are looking at.
  No one can comment on things they can't see.
  >
  You have to be using OCI for client side caching so if you use the Java thin driver but don't use OCI there won't be any cacheing. There also won't be any if it is not enabled or if the query has certain constraints as listed in the doc
  http://docs.oracle.com/cd/B28359_01/appdev.111/b28395/oci10new.htm#CHDGGFEF
  >
  Queries that are not Cached
  There are queries that are not cached on the OCI client even if the result cache hint is specified. Such queries may be cached on the database if the server result cache feature is enabled (see Oracle Database Concepts, "SQL Query Result Cache" for more information). If a SQL query includes any of the following, then the result set of that query is not cached in the OCI client result cache:
  •Views
  •Remote objects
  •Complex types in the select list
  •Snapshot-based or flashback queries
  •Queries executed in a serializable, read-only transaction, or inside a flashback session
  •Queries that have PL/SQL functions in them
  •Queries that have VPD policies enabled on the tables
  >
  This Oracle-Developer.net article author doesn't seem to have any trouble caching results.
  http://www.oracle-developer.net/display.php?id=503

• Row level security in OBIEE 11g: Which is better: VPD or RPD

  We can apply row level security in OBIEE by 2 ways.
  1. by Creating Initialize Block in RPD
  2. or Applying VPD in Database, which restricts source tables
  Which one is more efficient and why?
  Thanks,
  Sunil Jena

  you will have some degree of performance degradation with either approach since you are adding additional filters so I would not use that as the main factor to decide. You need to assess your actual requirements. What is the basis by which you are planning on doing the security. Is LDAP the main basis for the security? Do you plan to use certain roles? if your security is more based on roles at the application level, then it may be easier to define at the Application level (OBIEE)...if its just based on a certain user ID for a set of tables, then perhaps VPD can work. If helpful, pls mark.

• Multimaster Replication and VPD in Oracle 10g R2

  Hello,
  I would like to know if MlitiMaster Replication supports the VPD(Virtual Private Database) Row level or column level access control? if so could some one point me to the right documentation? i searched Metalink and googled but unable to find any info regarding the support of VPD to replication.
  Thank you....

  Justin,
  we have streams and replication in our environment. our databases on window 2003 server and oracle 10gR2. my question is we are planning to implement the VPD on few tables which are already in replication group. We use 'REPADMIN' for replication. will it propagate the data for VPD columns that are in replication environment? how will this impact performance wise? I am trying to find also some Pros and Cons too.
  Thank you.

• Tuning VPD predicate

  Hi,
  I'm using VPD(RLS) to filter data based.
  I have a performance issue due to the VPD predicate my VPD function generate.
  I have two tables:
  - MARKER which is the table I want to secure and contains a primary key named marker_id and a filed use by VPD name VPD_IS_PUBLIC.
  - DATASECURITY which is the table containing security information and tells to VPD wich data can be seen for a given role.
  I put the script at the end of the message.
  If you look to the code, the VPD function can return two predicates:
  VPD_IS_PUBLIC=1
  or
  VPD_IS_PUBLIC=1 or marker_id in (select field_id from datasecurity where roleid=3)
  The problem with the second query is that more I have data in my MARKER table more the query is slow.
  This is because of "VPD_IS_PUBLIC=1 or" statement.
  Is there another way to write that predicate?
  Does someone can help me?
  Cheers,
  Sebastien
  CREATE TABLE DATASECURITY
  OBJECT_DB_ID NUMBER(10),
  ROLEID NUMBER(10),
  FIELD_ID NUMBER(10),
  CREATION_DATE TIMESTAMP(6) WITH TIME ZONE DEFAULT systimestamp CONSTRAINT NN_DATASECURITY_CREATIONDATE NOT NULL,
  CONSTRAINT PK_DATASECURITY
  PRIMARY KEY
  (OBJECT_DB_ID, ROLEID, FIELD_ID)
  CREATE INDEX INDEX_DATASECURITY ON DATASECURITY
  (FIELD_ID);
  CREATE OR REPLACE TRIGGER TRG_AFT_INSERT_DATASECURITY
  AFTER INSERT
  ON DATASECURITY
  REFERENCING NEW AS New OLD AS Old
  FOR EACH ROW
  DECLARE
  BEGIN
  UPDATE marker
  SET vpd_is_public = 0
  WHERE marker_id = :new.field_id;
  END TRG_BEF_INSERT_DATASECURITY;
  CREATE TABLE MARKER
  MARKER_ID NUMBER(10) NOT NULL,
  MARKER_TYPE_ID NUMBER(10),
  MARKER_ACC VARCHAR2(50 BYTE),
  VERSION VARCHAR2(10 BYTE),
  DISPLAY_SYNONYM_ID NUMBER(10),
  SPECIES_ID NUMBER(10) NOT NULL,
  GERMPLASM_ID NUMBER(10),
  LIBRARY_ID NUMBER(10),
  DESCRIPTION VARCHAR2(2000 BYTE),
  DATE_CREATED DATE,
  DATE_UPDATED DATE,
  VPD_IS_PUBLIC NUMBER(1) DEFAULT 1 CONSTRAINT NN_MARKER_VPD_IS_PUBLIC NOT NULL,
  CONSTRAINT PK_MARKER
  PRIMARY KEY
  (MARKER_ID)
  CREATE INDEX INDEX_MARKER ON MARKER
  (VPD_IS_PUBLIC);
  -- This function return the value stored in the session client info
  CREATE OR REPLACE FUNCTION CSFDS.get_cwid
  RETURN VARCHAR2
  IS
  retval VARCHAR2 (50);
  BEGIN
  DBMS_APPLICATION_INFO.READ_CLIENT_INFO (retval);
  RETURN retval;
  EXCEPTION
  WHEN OTHERS
  THEN
  RAISE;
  END get_cwid;
  -- This function sets the value to the session client info
  CREATE OR REPLACE FUNCTION CSFDS.set_cwid (cwid IN VARCHAR2)
  RETURN NUMBER
  IS
  BEGIN
  DBMS_APPLICATION_INFO.set_client_info (cwid);
  RETURN 1;
  EXCEPTION
  WHEN OTHERS
  THEN
  RETURN 0;
  END set_cwid;
  -- This function is the vpd function.
  -- It returns differents predicate according the value in the session client info
  CREATE OR REPLACE FUNCTION CSFDS.vpd (sch_name IN VARCHAR2, tab_name IN VARCHAR2)
  RETURN VARCHAR2
  IS
  retval VARCHAR2 (500) DEFAULT '' ;
  l_roleid NUMBER DEFAULT 3 ;
  BEGIN
  IF GET_CWID = 'csfds'
  THEN
  retval := 'VPD_IS_PUBLIC=1 or ';
  retval :=
  retval
  || 'marker_id in (select field_id from datasecurity where roleid='
  || l_roleid
  || ')';
  ELSE
  retval := 'VPD_IS_PUBLIC=1';
  END IF;
  RETURN retval;
  EXCEPTION
  WHEN OTHERS
  THEN
  RAISE;
  END vpd;
  -- To create the VPD policy
  BEGIN
  SYS.DBMS_RLS.ADD_POLICY (
  object_schema => 'CSFDS'
  ,object_name => 'MARKER'
  ,policy_name => 'TEST_VPD'
  ,function_schema => 'CSFDS'
  ,policy_function => 'VPD'
  ,statement_types => 'SELECT'
  ,policy_type => dbms_rls.dynamic
  ,long_predicate => FALSE
  ,sec_relevant_cols => 'MARKER_ID,MARKER_TYPE_ID,MARKER_ACC,VERSION,DISPLAY_SYNONYM_ID,SPECIES_ID,GERMPLASM_ID,LIBRARY_ID,DESCRIPTION,DATE_CREATED,DATE_UPDATED,VPD_IS_PUBLIC'
  ,sec_relevant_cols_opt => NULL
  ,update_check => TRUE
  ,static_policy => FALSE
  ,enable => TRUE );
  END;
  Edited by: sfrade on Mar 18, 2009 2:00 PM

  Hi
  Done using the following commands:
  execute DBMS_STATS.gather_table_stats ( ownname => 'CSFDS', tabname => 'DATASECURITY', estimate_percent => DBMS_STATS.AUTO_SAMPLE_SIZE, method_opt => 'FOR ALL COLUMNS SIZE AUTO', cascade => TRUE );
  execute DBMS_STATS.gather_table_stats ( ownname => 'CSFDS', tabname => 'MARKER', estimate_percent => DBMS_STATS.AUTO_SAMPLE_SIZE, method_opt => 'FOR ALL COLUMNS SIZE AUTO', cascade => TRUE );
  and the plan for the following query
  SELECT COUNT ( * )
  FROM MARKER
  WHERE marker_id in (SELECT FIELD_ID
  FROM DATASECURITY
  WHERE roleid = 1)
  OR vpd_is_public = 1;
  Plan
  SELECT STATEMENT ALL_ROWSCost: 314 Bytes: 10 Cardinality: 1                          
       7 SORT AGGREGATE Bytes: 10 Cardinality: 1                     
            6 FILTER                
                 4 VIEW VIEW CSFDS.index$_join$_001 Cost: 314 Bytes: 176,780 Cardinality: 17,678           
                      3 HASH JOIN      
                           1 INDEX FAST FULL SCAN INDEX (UNIQUE) CSFDS.PK_MARKER Cost: 83 Bytes: 176,780 Cardinality: 17,678
                           2 INDEX FAST FULL SCAN INDEX CSFDS.INDEX_MARKER Cost: 89 Bytes: 176,780 Cardinality: 17,678
                 5 INDEX SKIP SCAN INDEX (UNIQUE) CSFDS.PK_DATASECURITY Cost: 2 Bytes: 10 Cardinality: 1
  By the way, how do you know that the stat were out of date?
  Edited by: sfrade on Mar 20, 2009 8:54 AM

• EJB3 and/or Toplink and setting context for VPD

  We are looking at moving to the latest version of jdeveloper and taking advantage of the ejb3 and/or toplink features for the model part of applications. I have a question on how to set the vpd context using this new model. Currently we use:
  Jdeveloper 10.1.2.1
  Oracle application server 10g R2 Enterprise Edition ver 10.1.2.0.2
  OracleOCI driver
  Oracle 9i database
  Our database access is in regular java beans where we get a connection from the pool , set the context for the current user (by running a stored procedure on the connection) perform the required data access and then release the connection. It looks like when you use Toplink or EJBs with CMP the database access is out of the developer's control. How will I be able to set the context for each connection ( it's different for each user) once I move to the new model?

  Thank you. That looks like exactly what I need, at least for toplink. I have been told though, that since we are deploying to the OC4J container and it will manage persistence and since EJB 3 simplifies the creation of entity beans that we should use EJB 3 entity beans and a session facade for the model and not add toplink as it would be an extra layer we don't really need , would you agree?

• Controlling access to Oracle Mapviewer spatial data through VPD

  I am building a web GIS application in Oracle Application Express (APEX) and have used the Virtual Private Database feature of Oracle Database 11g Enterprise Edition so as to ensure row level security. I've integrated APEX with Oracle Mapviewer through Oracle Maps API in order to display a map.
  VPD feature is working properly through the command prompt at the database level but I also need to use the VPD policy at the application level so that each authenticated user can only see his own spatial data on the map.
  So far I have accomplished that by creating as many data sources as the number of application users on the mapViewerConfig.xml file. Every time a user logs in the web GIS application, the correct data source is being employed.
  I was wondering if there is any other parameterised way that I can perform this access control functionality without having to create all these data sources.
  Many thanks in advance.

  Yes you can define a single "secure" MapViewer data source to achieve VPD or make use of your database VPD setup. For more details and how to get the Apex app user to MapViewer and then onto VPD you can check out my blog post here: http://oraclemaps.blogspot.com/2008/09/apex-oracle-maps-and-secure-mapping.html
  hope this helps,
  LJ

• Using VPD (Virtual Private Database) with Discoverer for Dummies

  Firstly could you please excuse me for the title of the thread, but it’s all I could come up with. For those of you who are looking at me with a strange look of disgust, please view thread that started it all: BIS vs DBI vs Noetix .
  Otherwise I’m hoping to gain a greater understanding of how VPD can be used to enhance Discoverer and it’s performance. I've just read that :
  “Oracle 8i introduced the notion of a Virtual Private Database (VPD). A VPD offers Fine-Grained Access Control (FGAC) for secure separation of data. This ensures that users only have access to data that pertains to them. Using this option, one could even store multiple companies' data within the same schema, without them knowing about it.
  VPD configuration is done via the DBMS_RLS (Row Level Security) package. Select from SYS.V$VPD_POLICY to see existing VPD configuration.”
  With Regards to Discoverer, I would like to ask the following:
  -When would be best to use VPD in Discoverer?
  -Pro’s and Con’s of VPD?
  -Tips / Tricks?
  -and anything else Michael would like to add (I don’t believe there is a post limit, although this could change in the future)
  I've found a few handy links:
  http://www.adp-gmbh.ch/ora/security/vpd/index.html
  http://www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html
  As Metalink support would say : I Looking forward to your ‘Positive’ comments. ;-)
  Lance

  Lance,
  You sure do raise some interesting questions here.
  I've noticed from some of your previous posts that you are using views to link Discoverer through to apps. I have found this very interesting document that may help with your queries; http://www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
  If you scroll down to the section "Additional VPD Capabilities" and read the following sub-topics, this might enable you to base your Discoverer reports on views that contain VPD policies.
  I trust "My Positive Comment" may help!!
  Merry Christmas
  Si ;-)
  P.s This also may come in handy if running 10g http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/apdvpoli.htm
  Message was edited by:
  Simon Pittaway

• VPD 9i

  Hi all!
  I have a problem and I would like to get your oppinion.
  The customer wants implement VPD. The database is Oracle 9i (9.2.0.7) on RHEL4AS Server. Initially, this step was included in Database Migration to Oracle 10g, but, the application runs very slowly! After this situation, the IT Manager wants to implement VPD in 9i and then migrate your database to 10g, after the application have been modified by development team.
  But, in Oracle 9i, the procedure ADD_POLICY in DBMS_RLS package haven't SEC_RELEVANT_COLS and SEC_RELEVANT_COLS_OPT options. How can I implement VPD in vertical and horizontal levels in Oracle 9i?
  Thanks!
  Marcus Vinicius

  In 9i, VPD didn't allow you to selectively permit access to particular columns in a table, just particular rows. In 9i, you could create a series of views that expose different sets of columns, grant appropriate users appropriate access on one of these views, and create appropriate private synonyms that point to the appropriate view in each user's schema. That's probably more work than figuring out how to fix the performance issues that followed the 10g migration.
  Justin

• Securing data - custom vs VPD vs another solution

  Hi we have a requirement in our project to secure data for entities like "cases" based upon attribute value like "dispute type". So if the attribute "dispute type" has a value "franchise"; an admin can go and create a group "franchise" so that Members of the “Franchise” group can VIEW all parts of all case records with a dispute type of “Franchise” but others cannot. Also we could control the permissions e.g VIEW, Edit CREATE for that group on thoserecord
  Like this we could decide to secure "cases" based upon another value for dispute type. Also we could then secure data based upon another attribute.
  Potential solutions:1) Custom
  we use standard ADF grid to display all data to super admin. He can filter based upon the required attribute, all cases with the value for that attribute.
  e.g filter on "dispute type" column and get all cases with "dispute type"= "franchise". We select all these cases and create an access control list (ACLs) a combination of group and permission and apply to these cases. The ACL resides in the database linked to the "cases". This could be normalized tables again. Like this we can filter records at run time and build the ACLs for the cases for which we need to link the groups based upon conditions.
  At run time, we only need to check the ACL for a case to decide if the user has access to that based upon whether or not user is any of the group and the permissions then available.
  This is on top of the standard ADF permissions
  2) VPD - use virtual private data base to do this
  3) Other solution
  We need to know what could be best possible solution. Also would a VPD based solution be better here? would it allow flexibility like custom solution? also in terms of timelines and performance which is best match ..

  Hi,
  VPD for sure is a good solution if the same rules apply to multiple applications, not just one and not just ADF. My take on data security usually is to no query what users aren't allowed to see anyway. Data that is left in the database cannot be stolen on transit. For other options I can envision, is the use of discriminator columns as explained here: http://mjabr.wordpress.com/2011/06/17/using-discriminator-columns/ or polymorphic views (see sample 10 at https://blogs.oracle.com/smuenchadf/resource/examples#10) (doc: http://docs.oracle.com/cd/E25178_01/web.1111/b31974/bcadvvo.htm#CEGDCCCB)
  You can then define security roles for the different application or enterprise roles that you check (in the case of ADF Security) using EL, Java or Groovy.
  Frank
  Ps.: Note that JDeveloper 12c will provide options to dynamically apply view criteria based on user security roles, in which case you get another option.

• VPD issue affecting scalability of Application

  Hi all --
  Our reporting application is using VPD to limit access to the data a user can see. Unfortunately, we are seeing scalability issues when using VPD, so we are wondering if any of you have any insight on what we're doing incorrectly. Here's the scenario:
  Users may have access to multiple stores, so the VPD policy is returning a predicate that looks like this: branch_code in ('MNWIN','WIMAD'). Unfortunately with each predicate change we are getting a hard parse of the statement leading to degraded performance.
  We have been playing with using sys_context to set the predicate and returning a predicate that looks like: branch_code in sys_context('BRANCH_CTX','BRANCH_CODE') but errors get returned from the policy predicate or the context doesn't get set correctly.
  So a few questions:
  1. Is this the appropriate forum in which to post this?
  2. Is it possible to use sys_context in this way
  3. What is the preferred method for using VPD in a nonunique environment (ie: users have access to multiple values)
  Thanks!
  Leigh Johnson
  Fastenal Company

  You are correct to use bind variables to expedite the SQL processing. From your code, it is failing because you need to double the single quotes:
  RETURN 'branch_code in sys_context (''BRANCH_CTX'',''BRANCH_CODE'')';

• Forms 9i and VPD

  Hi :)
  I'm loocking for method how to catch in form policy (VPD) which restrict update or delete on current record.
  When I'm performing update/dlete form don't see that policy and normally proceeds update/delete and commit -but after requery there is no change in data (good- policy works) but form don't tells to user "You can't do this".
  Please help me resolve this problem -thanks very much.
  Artur

  Artur,
  the problem you describe is one we discussed more often recently.
  The situation is that something not in control by Forms performs changes to the actual transaction state (VPD). In fact the policy works, which means that everything is fine as far as the business goes.
  Seeing it from the Forms runtime angle: Forms does send its cached records that are marked as dirty to the database for commit. The database doesn't report any errors because there are none and thus Forms puts out a message with the number of records passed as successfully submitted.
  To change the message behavior yourself, you will have to raise a PLSQL Exception when Forms commits the data and the policy preventing it.
  This then should bubble up to Forms where it is intercepted for proper alerting (haven't tried, but this sounds plausible).
  I'll point one of the developers to this question in case I overlooked something.
  Frank