VPD-Policy function, dependent on CURRENT_SQL

Hello ALL,
I must implement VPD in a medium-size data warehouse database; the customer is using 10gR2.
There are some detail tables from which certain users should be allowed to retrieve aggregated data, but not the details themselves.
The background is that everybody in the organization should be able to see the aggregated data for the whole organization, but should have access to the details only for their own organizational unit and the units below it.
The aggregations are made on the fly. A simple example with the Scott.EMP table would look like this:
- SELECT salary FROM emp -- should be blocked
- SELECT Avg(salary) FROM emp -- should return the average
I told the customer that this is not possible with VPD - unfortunately they found the SYS_CONTEXT('USERENV','CURRENT_SQL') function and are now asking me to create the policy based on the current SQL statement... :-(
I consider this extremely RISKY: to do so I have to parse the SQL statement to ensure that the aggregation function is used for the protected column, that it is not in a comment, and so on...
My questions:
1. Is there another way to achieve such a behavior of a policy function?
2. If not, is there more information available about the current SQL than just the statement as a string? (Access to the builtin SQL parser's tree...)
3. Would you agree that making a policy function based on the SQL statement is a risky thing?
4. Has anybody else ever done this before?
Thank you very much in advance for all answers and your help.
Best regards from Houston, TX
Frank/2
Edited by: fjuedes on Mar 18, 2010 3:41 PM

This sounds very much like something a colleague of mine did at a sister organization. I don't have the details (I've asked him to send me the specs as I would like to implement the same thing) but it did involve creating and populating some additional tables to define who had access to which departments, and use info from that table to help build the VPD functions. Another key, though, is that he/we do NOT have the requirement to let people see enterprise-wide aggregation. If user Dilbert is defined as having access only to members of departments 10, 15, and 20, then any aggregates he runs will only include those departments.
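A concrete version of the access-table approach described in the reply above, added here as an example (not code from the thread or from the poster's colleague). It assumes the standard SCOTT.EMP demo table, that each person connects as their own database user (so SYS_CONTEXT('USERENV','SESSION_USER') identifies them), and invented names for the access table and policy function; it also shows the two-VARCHAR2-parameter signature that several of the similar messages below stumble over.

```sql
-- Added example (not from the thread). Object names are assumptions.

-- Who may see which departments; one row per (user, department).
CREATE TABLE scott.dept_access (
  username VARCHAR2(30) NOT NULL,
  deptno   NUMBER(2)    NOT NULL,
  CONSTRAINT dept_access_pk PRIMARY KEY (username, deptno)
);

-- Constructed sample mapping: DILBERT sees departments 10 and 20 only.
INSERT INTO scott.dept_access VALUES ('DILBERT', 10);
INSERT INTO scott.dept_access VALUES ('DILBERT', 20);
COMMIT;

-- Policy function. The two VARCHAR2 parameters are mandatory: the server
-- calls it as (object_schema, object_name), and any other signature shows
-- up at query time as ORA-28112 / PLS-00306.
CREATE OR REPLACE FUNCTION scott.emp_dept_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  v_user VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_list VARCHAR2(4000);
BEGIN
  -- The table owner is exempt: returning NULL means "no predicate".
  IF v_user = p_schema THEN
    RETURN NULL;
  END IF;

  -- Build the IN list from the access table. The function is a
  -- definer's-rights PL/SQL unit, so end users need no grant on
  -- dept_access. deptno is a NUMBER column, so the values that end up
  -- in the predicate cannot carry SQL fragments.
  FOR r IN (SELECT deptno
            FROM   scott.dept_access
            WHERE  username = v_user
            ORDER  BY deptno)
  LOOP
    v_list := v_list
              || CASE WHEN v_list IS NULL THEN '' ELSE ',' END
              || TO_CHAR(r.deptno);
  END LOOP;

  -- Fail closed: a user with no mapping sees no rows. Returning NULL
  -- here would silently grant access to every row instead.
  IF v_list IS NULL THEN
    RETURN '1=0';
  END IF;

  RETURN 'deptno IN (' || v_list || ')';
EXCEPTION
  -- A failure in the lookup also fails closed. Without this handler the
  -- exception would surface as ORA-28112, which blocks the statement too,
  -- but as an error rather than an empty result.
  WHEN OTHERS THEN
    RETURN '1=0';
END emp_dept_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SCOTT',
    object_name     => 'EMP',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'SCOTT',
    policy_function => 'EMP_DEPT_POLICY',
    statement_types => 'SELECT');
END;
/

-- Connected as DILBERT, both statements get the same predicate appended,
-- so the aggregate is limited to departments 10 and 20 as well. Nothing
-- here distinguishes SELECT sal from SELECT AVG(sal); that is exactly the
-- enterprise-wide aggregate the reply says this approach does not provide.
SELECT ename, sal FROM scott.emp;   -- rows with deptno 10 or 20 only
SELECT AVG(sal)   FROM scott.emp;   -- average over deptno 10 and 20 only
```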

Similar Messages

  • Problem with VPD policy function

    Hi All,
    I'm trying to secure database tables with VPD and getting "ORA-28112: failed to execute policy function" error when I query the table.
    --My schema is "sales"
    grant create any context to sales;
    -- created context using this statement
    create OR REPLACE context sales_APP_CTX using PKG_SECURITY ACCESSED GLOBALLY;
    -- Package spec
    CREATE OR REPLACE PACKAGE PKG_SECURITY is
    function vpd_sec_pol_func return varchar2 ;
    procedure set_sales_app_context(p_user varchar2,p_security_level varchar2);
    end;
    -- package body
    CREATE OR REPLACE PACKAGE BODY PKG_SECURITY is
    function vpd_sec_pol_func return varchar2 is
    -- v_user varchar2(100) := UPPER(portal.wwctx_api.get_user);
    begin
    if user not in ('SALES','ORACLE') then
    return ' state in (select state from app_user_states where user_id = sys_context(''SALES_APP_CTX'', ''APP_USER''))';
    else
    return null;
    end if;
    end;
    procedure set_sales_app_context(p_user varchar2,p_security_level varchar2) is
    begin
    dbms_session.set_context('SALES_APP_CTX','APP_USER',p_user);
    -- dbms_session.set_context('SALES_APP_CTX','SECURITY_LEVEL',p_security_level);
    end;
    end;
    -- Added the policy to the table
    begin
    dbms_rls.add_policy
    ( object_schema => 'SALES',
    object_name => 'SALES_SUMMARY',
    policy_name => 'SALES_SUMMARY_POLICY',
    function_schema => 'SALES',
    policy_function => 'PKG_SECURITY.VPD_SEC_POL_FUNC',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE' ,
    update_check => TRUE );
    end;
    -- I was able to set context using sqlplus by executing the procedure
    exec PKG_SECURITY.set_sales_app_context('TEST_USER','R');
    What am I doing wrong?
    Thanks

    Hi,
    ml_huang wrote:
    > Is it necessary to create 'Context' and 'Procedure' before the function and policy?
    It is not necessary to create a context.
    A context can be very useful for doing row-level security, but it is not required.
    Even if you are using SYS_CONTEXT, you can create the function first, if you want to.
    Sorry, I don't understand what 'Procedure' you mean.
    > I have created a function (with no parameters) and a policy and kept getting the Ora-28112 error.
    Policy functions must accept 2 VARCHAR2 parameters. See the messages above.
    > Any suggestions for me? Thanks!
    Start your own thread for your own question.
    I think more people will want to read (and therefore respond to) a new message with 0 replies than a 3-month old message with 4 replies.

  • Error In Executing VPD Policy Function

    Hi,
    I have 10.2.0.3 DB running on windows. I have created a function to implement
    the VPD. Here is code for Function:
    Create or Replace FUNCTION vpd_p return varchar2
    as
       retn varchar2(50) :=  user;
    begin
       if upper(user) = 'P10' then
          retn := 'DEPTNO = 10' ;
       end if;
       if upper(user) = 'SCOTT' then
         retn := 'DEPTNO = 10' ;
       end if;
       if user = 'P20' then
         retn := 'DEPTNO = 10 or DEPTNO = 20' ;
       end if;
        return retn;
    end;
    end;
    I add a policy as:
    Begin
    dbms_rls.add_policy
    ( 'SCOTT' ,
       'e' ,
       'MY_POLICY',
       'SCOTT' ,
       'vpd_p' ,
       'SELECT' );
    end;
    When I am accessing the table on which I applied the policy I was
    getting the following error:
    Policy function execution error:
    Logon user     : P10
    Table/View     : SCOTT.E
    Policy name    : MY_POLICY
    Policy function: SCOTT.PK_1.VPD_P
    ORA-06550: line 1, column 15:
    PLS-00306: wrong number or types of arguments in call to 'VPD_P'
    ORA-06550: line 1, column 7:
    PL/SQL: Statement ignored
    *** 2008-02-13 19:49:48.922
    Policy function execution error:
    Logon user     : P10
    Table/View     : SCOTT.E
    Policy name    : MY_POLICY
    Policy function: SCOTT.PK_1.VPD_P
    ORA-06550: line 1, column 7:
    PL/SQL: Statement ignored
    When I modified my function to the code below, it works fine:
    Create or Replace FUNCTION vpd_p (abc varchar2 , abcd varchar2)
    return varchar2
    as
       retn varchar2(50) :=  user;
    begin
       if upper(user) = 'P10' then
          retn := 'DEPTNO = 10' ;
       end if;
       if upper(user) = 'SCOTT' then
         retn := 'DEPTNO = 10' ;
       end if;
       if user = 'P20' then
         retn := 'DEPTNO = 10 or DEPTNO = 20' ;
       end if;
        return retn;
    end;
    end;
    Even if I change the DATATYPE for "abc" or "abcd" variables to NUMBER
    it starts giving the same error. So, my query is why we have to pass any
    two VARCHAR2 type variables to apply the VPD policy through function,
    even when we are not using these variables anywhere. In documentation
    also, I can't find any reason for same.
    Please suggest any reason for this abnormal behaviour.........

    > my query is why we have to pass any
    > two VARCHAR2 type variables to apply the VPD policy through function,
    > even when we are not using these variables anywhere. In documentation
    > also, I can't find any reason for same.
    Look at the Usage Notes in the documentation:
    * the policy functions which generate dynamic predicates are called by the server. Following is the interface for the function:
    FUNCTION policy_function (object_schema IN VARCHAR2, object_name VARCHAR2)
    RETURN VARCHAR2
    --- object_schema is the schema owning the table of view.
    --- object_name is the name of table, view, or synonym to which the policy applies.

  • Trying to implement a VPD policy but got the following error ORA-20001

    Hey, good day,
    I'm trying to implement a VPD policy in my application. After I performed the task below (Label 1) in an Oracle 10g database, when I try to access my application page in ApEx 3.2.1 I get the following error:
    ORA-20001: get_dbms_sql_cursor error ORA-28110: policy function or package CHARLES.VPD_PREDICATE has error
    any form of assistance will be greatly appreciated.
    thanks in advance
    Label 1
    USER is "VPD_ADMIN"
    SQL> create or replace context empnum_ctx using set_empnum_ctx_pkg;
    Context created.
    SQL> CREATE OR REPLACE PACKAGE set_empnum_ctx_pkg IS
      2    PROCEDURE set_empnum;
      3  END;
      4  /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY set_empnum_ctx_pkg IS
      2    PROCEDURE set_empnum IS
      3     emp_id NUMBER;
      4    BEGIN
      5     SELECT EMPNUM INTO emp_id FROM CHARLES.INSTRUCTOR
      6     WHERE upper(username) = nvl(v('APP_USER'), USER);
      7     DBMS_SESSION.SET_CONTEXT('empnum_ctx', 'empnum', emp_id);
      8
      9    EXCEPTION
    10      WHEN NO_DATA_FOUND THEN NULL;
    11    END;
    12  END;
    13  /
    Package body created.
    SQL> create or replace package vpd_policy as
      2    function vpd_predicate(object_schema in varchar2 default null, object_name in varchar2 default null)
      3     return varchar2;
      4  end;
      5  /
    Package created.
    SQL> create or replace package body vpd_policy as  function vpd_predicate(
      2   object_schema in varchar2 default null, object_name in varchar2 default null)
      3     return varchar2 as
      4
      5      BEGIN
      6     if (USER = 'ADMIN') and (v('APP_USER') is null) or
      7        (USER = 'MICHAEL.GRAY') and (v('APP_USER') is NULL) then
      8       return '';
      9     else
    10       return '(
    11             exists (
    12                     select  "INSTRUCTOR"."EMPNUM" as "EMPNUM",
    13                             "INSTRUCTOR"."FIRSTNAME" as "FIRSTNAME",
    14                             "INSTRUCTOR"."LASTNAME" as "LASTNAME",
    15                             "LOAD"."COURSEID" as "COURSEID",
    16                             "COURSE"."CREDIT" as "CREDIT",
    17                             "COURSE"."HPW" as "HPW",
    18                             "LOAD"."CAMPID" as "CAMPID",
    19                             "LOAD"."YR" as "YR",
    20                             "INSTRUCTOR"."POS" as "POS",
    21                             "INSTRUCTOR"."USERNAME" as "USERNAME",
    22                             "INSTRUCTOR"."DEPARTMENT_NAME" as "DEPARTMENT_NAME",
    23                             "LOAD"."SEMESTER" as "SEMESTER"
    24                     from    "COURSE" "COURSE",
    25                             "INSTRUCTOR" "INSTRUCTOR",
    26                             "LOAD" "LOAD"
    27                     where   "INSTRUCTOR"."EMPNUM"="LOAD"."EMPNUM"
    28                     and     "LOAD"."COURSEID"="COURSE"."COURSEID"
    29                     and     department_name = (
    30                                     select department_name from departments
    31                                     where upper (assigned_to) = nvl(v(''APP_USER''),USER) )
    32                                     )
    33
    34                     or upper(username) = nvl(v(''APP_USER''), USER)
    35                                                ) ';
    36
    37     END IF;
    38  END vpd_predicate;
    39  END vpd_policy;
    40  /
    Package body created.
    SQL> begin
      2  dbms_rls.add_policy(
      3  object_schema => 'charles',
      4  object_name => 'load',
      5  policy_name => 'Loading Policy',
      6  function_schema => 'charles',
      7  policy_function => 'vpd_predicate',
      8  statement_types => 'select, update, insert, delete');
      9  end;
    10  /
    PL/SQL procedure successfully completed.

    ORA-20001 isn't an Oracle error message; it was coded into your application by a developer: look it up.
    Consider too the following:
    EXCEPTION
       WHEN NO_DATA_FOUND THEN NULL;
    so if the employee identifier is not found ... is this really what you want? If an employee isn't valid shouldn't you know it?

  • Does a table/view still return records if the underlying VPD policy fails ?

    Hi All,
    I have one following question -
    Does a table or view still return records if the underlying VPD policy fails?
    I am adding one more thing here. Let us say security is being implemented using the application context and VPD.
    What would happen when application context is not set ? Would the application apply any default privilege as VPD?
    Thanks,
    Ashi

    AshiKD wrote:
    > Hi All,
    > I have one following question -
    > Does a table or view still return records if the underlying VPD policy fails?
    No, you get a standard error message if the VPD function is wrong, and if you don't pass the conditions of the VPD, you get nothing. That's what in general happens and should happen as well.
    > I am adding one more thing here. Let us say security is being implemented using the application context and VPD.
    > What would happen when application context is not set ? Would the application apply any default privilege as VPD?
    This would be a wrong approach then. If you are truly setting a VPD, you have to make sure that the context is set and the condition variables are passed through it. This is normally done through a logon trigger, so again, generically, it's not possible that it would not be set. I didn't get at all what you said in the last line? What is "default priv for VPD"?
    HTH
    Aman....

  • Error encountered with VPD Policy in place

    Local Platform: Windows XP
    SQL DEV Version: 1.0.0.15.57
    Host: Solaris Oracle 10.2.0.2.0
    The problem I am encountering is related to using a VPD Policy and trying to update data via the table editor. I have included my function, the add policy statements and everything needed to duplicate this on the EMP table.
    I am able to update the tables with the VPD policy in place using both SQLPLUS and the pl/sql editor region within SQL Developer.
    The only thing that would need to be changed is that, before the function is compiled, the user that you will be using to log in to the database needs to be set within the function.
    create or replace function
    vpd_test_function
    -- Function must have the following parameters
    (schema in varchar2, tab in varchar2)
    -- Function will return a string that is used as a WHERE clause
    return varchar2
    as
    v_user varchar2(100);
    out_string varchar2(4000) default null;
    begin
    -- get session user
    v_user := UPPER(nvl(v('APP_USER'),USER));
    -- create where clause when user is authorized to see parts of the table
    if (v_user = 'DB_USER') then
    out_string := out_string || '(nvl(deptno,0) <>10 and nvl(deptno,0) <>30)';
    end if;
    return out_string;
    end;
    begin
    DBMS_RLS.add_policy
    (object_schema => 'DB_USER',
    object_name => 'EMP',
    policy_name => 'VPD_TEST_POLICY',
    function_schema => 'DB_USER',
    policy_function => 'vpd_TEST_FUNCTION',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE');
    end;
    SELECT * FROM USER_POLICIES;
    OBJECT_NAME POLICY_GROUP POLICY_NAME PF_OWNER PACKAGE FUNCTION SEL INS UPD DEL IDX CHK_OPTION ENABLE STATIC_POLICY POLICY_TYPE LONG_PREDICATE
    EMP SYS_DEFAULT VPD_TEST_POLICY DB_USER VPD_TEST_FUNCTION YES YES YES YES NO NO YES NO DYNAMIC NO
    1 rows selected
    Change empno 7788 salary from 3000 to 85 results by clicking on a table and editing the value and clicking commit
    UPDATE "DB_USER"."EMP" SET SAL = "85" WHERE ROWID = 'AAAXLmAAGAAAAylAAF' AND ORA_ROWSCN = '7788'
    One error saving changes to table "DB_USER"."EMP":
    Row 3: ORA-00904: "ORA_ROWSCN": invalid identifier
    When run as a script or execute statement in SQL Developer (it works):
    UPDATE EMP SET SAL = 85 WHERE EMPNO = 7788;
    1 rows updated
    Change policy by first dropping and then recreating, selecting to only apply the policy to select statements rather than INS,DEL,SEL,UPD:
    BEGIN
    DBMS_RLS.DROP_POLICY (
    object_schema => 'DB_USER',
    object_name => 'EMP',
    policy_name => 'VPD_TEST_POLICY');
    end;
    begin
    DBMS_RLS.add_policy
    (object_schema => 'DB_USER',
    object_name => 'EMP',
    policy_name => 'VPD_TEST_POLICY',
    function_schema => 'DB_USER',
    policy_function => 'vpd_TEST_FUNCTION',
    statement_types => 'SELECT');
    end;
    SELECT * FROM USER_POLICIES;
    OBJECT_NAME POLICY_GROUP POLICY_NAME PF_OWNER PACKAGE FUNCTION SEL INS UPD DEL IDX CHK_OPTION ENABLE STATIC_POLICY POLICY_TYPE LONG_PREDICATE
    EMP SYS_DEFAULT VPD_TEST_POLICY DB_USER VPD_TEST_FUNCTION YES NO NO NO NO NO YES NO DYNAMIC NO
    1 rows selected
    Change empno 7788 salary from 3000 to 85 results by clicking on a table and editing the value and clicking commit
    One error saving changes to table "DB_USER"."EMP":
    Row 3: Data updated by another user, cannot update row.
    The following popup is displayed as well....
    But once again when run as a script or execute statement in SQL Developer (it works):
    UPDATE EMP SET SAL = 85 WHERE EMPNO = 7788;
    1 rows updated
    The last thing I would like to add is that if I drop the policy and I edit the table it works just fine ..
    UPDATE "DB_USER"."EMP" SET SAL = "85" WHERE ROWID = 'AAAXLmAAGAAAAylAAF' AND ORA_ROWSCN = '57937995'
    Commit Successful
    The only twist is that, if you notice, when I have the VPD policy in place SQL Developer is saying that the ORA_ROWSCN is equal to EMPNO/the primary key and not the true ORA_ROWSCN...
    Any ideas, I can file a TAR as well if you would like me to?
    Thanks
    Justin

    I first identified the problem setting up VPD for a DB user; I granted them update privileges and I wanted to ensure everything was working, and that is how I found it. So yes, I logged into the DB as the "other user" and then went to "Other Users" and went to the table that was owned by another schema with a VPD policy when I first encountered the error.
    It was when I set up the test case to post here on OTN that I discovered the error ALSO exists if I own the table as well, so for me in my test cases it did not matter who the original owner of the table was. The only thing that mattered was whether or not a VPD policy was enabled on a table.

  • Opportunities in account overview without partner function dependency

    Hello,
    on the account overview page we can see the opportunities as well as the interaction history for a account.
    In the interaction history frame we can see every activity and opportunity where the account is involved.
    In the opportunities frame we could only see these opportunities where the account has a special partner function in the opportunity.
    For example the main account role is prospect.
    This account is involved in several opportunities with several different partner functions in the opportunities.
    We can only see these opportunities in the account overview where he is assigned with the role prospect.
    We did a customization for the time-frame in IMG: Customer Relationship Management => Master Data => Business Partner => Specify Display Options for Business Transactions.
    Is there a similar way to customize the partner function dependency for display?
    Or is there another way to show all the opportunities (in the opportunity frame) where the account is involved, without partner function dependency?
    Best regards and thanks in advance
    Matthias Breuer

    Matthias,
    I believe you could influence this via the BADI CRM_BP_UIU_BT in enhancement spot CRM_UIU_BP_ENHANCEMENT.  You can edit the selection criteria CT_SELECTION_PARAM as needed. 
    You can review the code CL_BUPA_IL_OPPORTUNITY_COMP to determine what criteria is being populated before the BADI is being called.  In addition the filter value of the implementation needs to be 'BPQOPP'.  From what I have seen SAP is hard-coding the partner type selection for the opportunity selection.
    Take care,
    Stephen

  • Can we make apply  join a column on which VPD policy applied in Oracle 10g

    Hi,
    I am planning to apply column level security using the VPD concept in Oracle 10g,
    but I have one doubt.
    Suppose I am going to apply a VPD policy based on user privileges on a column DEPTNO in the EMP table, so whenever a particular user logs in, he will not see the deptno. But he can fetch the data from the other table DEPT based on the join condition EMP.DEPTNO=DEPT.DEPTNO. Is it possible, can we make a join on a column on which a VPD policy is applied?
    Please, any idea or thought would be appreciated..
    Thanks in advance
    Anwar

    Hi Anwar!
    I have not tried yet, but I believe that you can do this.
    However imagine the following:
    A user U1 has the right to see some values in the deptno column, but not all. This is fine, and I believe that this is what you want to achieve.
    A user U2 will see no records from the deptno column. This will impact your query, as your emp.deptno = dept.deptno part of the where clause will deliver no records.
    So you have to be careful if this condition could apply and what the impact will be on your software.
    cu
    Andreas

  • Policy name and column name inside a policy function

    I have the following function associated with a policy in the employee table for SSN and SALARY columns
    FUNCTION empid_policy_fn (object_schema IN VARCHAR2, object_name VARCHAR2)
    end;
    When the policy fires, the schema name and the name of the table are passed onto this function which we can use inside this function but is there a way to get the policy name and the column name which invokes this function?. The problem here is, I'm using same function (common) for multiple policies in different tables and that's why I need to get these details.
    Thanks
    -Krishnamurthy

    Inside your policy function you can query V$VPD_POLICY along with V$SESSION, V$SQL and USER_SEC_RELEVANT_COLS
    to get the fired policy name and column_names.
    Something like
    SELECT v.POLICY, .........
                   FROM v$session ss, v$sql s, v$vpd_policy v
                  WHERE ss.SID = (SELECT SID
                                    FROM v$mystat
                                   WHERE ROWNUM = 1)
                    AND s.address = ss.sql_address
                    AND s.address = v.paraddr
                    AND s.hash_value = v.sql_hash
                    AND s.child_number = 0
    HTH

  • Row Level Security - using a policy function.

    Hi,
    I am trying to implement RLS within our database and am getting the following error message:
    ORA-28112: failed to execute policy function
    Looking around the web, these seems to point to un-handled exception in my function, but I cannot seem to find anything untoward.
    I have tested the function and can confirm that it is returning the desired predicate where appropriate.
    Here is the function..
      FUNCTION Fnc_Rls_Control(Pin_Schema IN VARCHAR2) RETURN VARCHAR2 IS
        -- Author:  MLLOYD
        -- Purpose: Policy function that supplies a predicate to limit access to tables based
        --          on the site code
        -- Created: 30/12/2010
        -- Revision History
        -- Date            Version        Comments
        -- 30/12/2010         1           Created
        CURSOR Cur_Rls_Site IS
          SELECT s.Site_Code
          FROM   All_Users u
          INNER  JOIN Rls_Discoverer_User_Role Ur
          ON     Ur.User_Id = u.User_Id
          INNER  JOIN Rls_Discoverer_Roles r
          ON     r.Role_Id = Ur.Role_Id
          INNER  JOIN Rls_Discoverer_Role_Sites Rs
          ON     Rs.Role_Id = r.Role_Id
          INNER  JOIN Commons.t_Site_Codes s
          ON     s.Siteid = Rs.Site_Id
          WHERE  u.Username = USER;
        Rec_Rls_Site Cur_Rls_Site%ROWTYPE;
        Lcl_Predicate    VARCHAR2(2000);
        Lcl_Return_Value VARCHAR2(2000);
      BEGIN
        Lcl_Predicate    := NULL;
        Lcl_Return_Value := NULL;
        -- CHECK IF USER IS OWNER OF SCHEMA, IF SO, NO PREDICATE 
        IF Pin_Schema = USER THEN
          Lcl_Return_Value := NULL;
        ELSE
          -- OBTAIN SITE CODES AVAILABLE TO USER
          OPEN Cur_Rls_Site;
          LOOP
            FETCH Cur_Rls_Site
              INTO Rec_Rls_Site;
            EXIT WHEN Cur_Rls_Site%NOTFOUND;
            Lcl_Predicate := Lcl_Predicate || q'(')' || Rec_Rls_Site.Site_Code ||
    q'(')' || ',';
          END LOOP;
          IF Lcl_Predicate IS NULL THEN
            Lcl_Return_Value := NULL;
          ELSE
            -- REMOVE TRAILING COMMA
        Lcl_Predicate := Rtrim(Lcl_Predicate, ',');
            -- BUILD FINAL PREDICATE
            Lcl_Return_Value := 'SITE_CODE IN (' || Lcl_Predicate || ')';
          END IF;
          CLOSE Cur_Rls_Site;
        END IF;
        RETURN Lcl_Return_Value;
      EXCEPTION
        WHEN OTHERS THEN
          IF Cur_Rls_Site%ISOPEN THEN
            CLOSE Cur_Rls_Site;
            RETURN Lcl_Return_Value;
          END IF;
      END Fnc_Rls_Control;
      -- ************************************************************************************
    I have applied this to a specific table using the following:
    -- ADD POLICY
    BEGIN
      DBMS_RLS.ADD_POLICY (
        object_schema    => 'REPORTING',
        object_name      => 'URS_OP_VISIT_STATISTICS',
        policy_name      => 'ACCESS_POLICY',
        function_schema  => 'REPORTING',
        policy_function  => 'PKG_REPORTING.FNC_RLS_CONTROL',
        statement_types  => 'SELECT');
    END;
    Have I missed anything obvious?
    Regards
    Mark

    Policy function must have two IN parameters of varchar2 type and return varchar2.
    So add a second parameter to your function.
    Simple example
    CREATE OR REPLACE FUNCTION auth_orders(
    schema_var IN VARCHAR2,
    table_var  IN VARCHAR2)
    RETURN VARCHAR2
    IS
    return_val VARCHAR2 (400);
    BEGIN
    return_val := 'SALES_REP_ID = 159';
    RETURN return_val;
    END auth_orders;
    /
    First parameter is schema_name, second parameter is object name. So you can have one universal function that, based on its IN parameters, returns the appropriate where condition.

  • ORA-28112: failed to execute policy function - Error in Application Builder

    Hey all,
    I've added a policy function to one of my tables and now I'm getting this error when I try to update a report region that references that table.
    "Query cannot be parsed within the Builder. If you believe your query is syntactically correct, check the ''generic columns'' checkbox below the region source to proceed without parsing. ORA-28112: failed to execute policy function"
    If I remove the policy then everything works fine. My application also runs fine with the policy in place. I just get these errors in the application builder when updating a report or an LOV that references the secure table.
    The parsing schema is APPL_USER.
    Here is the policy function:
    FUNCTION DOCUMENT_TABLE_POLICY (object_schema IN VARCHAR2 DEFAULT NULL
    ,object_name IN VARCHAR2 DEFAULT NULL)
    RETURN VARCHAR2 IS
    v_nt_seq NUMBER;
    BEGIN
    IF user = 'APPL_USER' OR INSTR(user, 'ITFC_') = 1 THEN
    RETURN NULL;
    END IF;
    IF V('APP_USER') IS NOT NULL THEN
    IF V('F_NT_SEQ') IS NOT NULL THEN
    v_nt_seq := V('F_NT_SEQ');
    ELSE
    SELECT NT_SEQ
    INTO v_nt_seq
    FROM APPL_USERS
    WHERE UPPER(NT_ID) = UPPER(V('APP_USER'));
    END IF;
    RETURN '(DOCUMENT_TYPE, MANAGED_BY_ELEMENT, PROGRAM_CODE, CONTRACT_NUMBER) IN (SELECT DISTINCT R.DOCUMENT_TYPE, USL.ELEMENT, USL.PROGRAM_CODE, USL.CONTRACT_NUMBER FROM IPRACA_USERS_SECURITY_LINK USL, IPRACA_SECURITY_ROLES R WHERE R.SECURITY_ROLE_SEQ = USL.SECURITY_ROLE_SEQ AND USL.NT_SEQ = ' || TO_CHAR(v_nt_seq) || ')';
    END IF;
    --UNAUTHORIZED USERS CAN SEE NO DATA
    RETURN '1=0';
    END;
    This is how I setup the policy:
    BEGIN
    DBMS_RLS.ADD_POLICY(
    object_schema => 'APPL_USER'
    ,object_name => 'APPL_DOCUMENT'
    ,policy_name => 'APPL_DOCUMENT_POLICY'
    ,function_schema => 'APPL_USER'
    ,policy_function=> 'APPL_SECURITY.DOCUMENT_TABLE_POLICY');
    END;
    Any help would be greatly appreciated!
    Thanks,
    Jonathan Hart
    APEX 3.1.1

    Thanks.
    After looking at it again, I think that may be the problem, too. I guess the APP_USER is set when in the application builder and the Builder is running the report query as it is being parsed which is causing the error. I added a Begin - Exception block around that query and everything seems to work now.
    Thanks again!

  • Please explain functional dependency & normalization for the below relation

    For relation:
    DEPTINFO ( DEPT_NUM, DOFF_NUM, DBUDGET, MGR_NUM, EMP_NUM, PROJ_NUM, PLEADER, EOFF_NUM, EMAIL, EJOBTITLE, EFFORT%, YEAR, SALARY, PBUDGET, BLDG )
    where :
    Each employee works for one department.
    Each employee has one office.
    Each employee has one email.
    Each employee has one job title.
    Employees can work on more than one project.
    Each employee office is assigned to one department.
    Each project has its own project budget.
    Each project has its own project leader.
    Each department is assigned a unique office.
    Each department office is in a unique building.
    Each department has its own department budget.
    Each department has a unique manager.
    Each employee is assigned a percentage of effort he/she is to devote to a project to which he/she is assigned.
    Each year an employee is allocated a unique salary for that year.
    1.a   Convert each of the above statements to a functional dependency
    1.b  Fully normalize the above relation.

    9d5c95e3-f768-4078-893d-e16d5d6ba39e wrote:
    from my observation the answer for first question is
    EMP#->{DEPT# ,EOFF#,EMAIL,EJOBTITLE,EFFORT%,SALARY}
    EOFF#->DEPT#
    PROJ#->{PBUDGET,PLEADER}
    DEPT#->{DOFF#,BLDG,DBUDGET,MGR#}
    DOFF#->BLDG
    is that correct
    Just a side observation ... when you get to actually defining tables and columns, you really don't want to be using special characters, as they are often interpreted as meta-characters.  So get in the habit now:
    Not this          But this
    EMP#              EMP_NUM
    DEPT#             DEPT_NUM
    EOFF#             EOFF_NUM
    EFFORT%           EFFORT_PCT
    PROJ#             PROJ_NUM
    DOFF#             DOFF_NUM
    MGR#              MGR_NUM

  • GPP Scheduled Task Fails in Group Policy Modeling depending on DC

    We have multiple domain controllers running at a 2003 functional level.
    We have 1 DC running Server 2003 x86 SP2 and the rest run Server 2008 (maybe R2)
    I created a GPO that includes a Scheduled Task Group Policy Preference under Computer Configuration.
    In order to test this I used Group Policy Modeling in the GPMC on a 2008 R2 Machine where I am editing Group Policy.
    If I run the modeling (perform the simulation) on the 2003 DC, it fails. (Note I am modeling the GPO for a different computer, not the 2003 SP2 DC; I am running the modeling for a workstation.)
    Information from the Component Status on the Summary Tab of the Modeling Report
    Component Name                 Status
    Group Policy Infrastructure    Success
    EFS recovery                   Success (no data)
    Group Policy Scheduled Tasks   Failed
        Group Policy Scheduled Tasks failed due to the error listed below and failed to log resultant set of policy information.
        Additional information may have been logged. Review the application event log on the domain controller on which the simulation was run for events between 2/28/2014 10:07:36 AM and 2/28/2014 10:07:36 AM.
    Registry                       Success
    Security                       Success
    Info on the Settings Tab of the Modeling Report below.
    An error has occurred while collecting data for Scheduled Tasks.
    The following errors were encountered: 
    An unknown error occurred while data was gathered for this extension. Details: Invalid class  
    If I run the modeling using a 2008 DC to perform the simulation it works fine.
    Per the instructions on the Summary Tab regarding the scheduled task failure, I looked at the event log on the 2003 domain controller and this is what I find.
    The event I get on the 2003 DC is 8196 and I will place the details below.
    Event Type:   Error
    Event Source:           Group Policy Scheduled Tasks
    Event Category:        Disk
    Event ID:       8196
    Date:              2/27/2014
    Time:             4:48:47 PM
    User:              NT AUTHORITY\SYSTEM
    Computer:     <computername>
    Description:
    The client-side extension caught the unhandled exception '0xC0000005' inside: 'threadEntry : client main' See trace file for more details. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    So, should I be concerned that this is failing on the 2003 DC, does this mean that if my workstations authenticate to my 2003 DC that the preference will not process?
    I was reading that in 2003 client side extensions were not there and can be installed, would this make the modeling succeed?
    How do I get verified, I tried to post screenshots, but I could not. :(

    Hi Jonathan,
    As you have found the reason, I want to confirm whether the issue has been fixed.
    In fact, for Windows Server 2003 to apply or process Group Policy Preferences settings, we must install client-side extensions of GPP for Windows Server 2003.
    Although this is not related to this case, for your information, if our clients are Windows XP or Windows Vista, to use GPP, we must install client-side extensions for these workstations respectively.
    Regarding GPP, the following article can be referred to for more information.
    Group Policy Preferences Getting Started Guide
    http://technet.microsoft.com/en-us/library/cc731892(v=WS.10).aspx
    Best regards,
    Frank Shen

  • Getting error ORA-01732, after implementation of VPD policy

    Hi,
    I have created a policy to restrict the number of records affected in an unconditional select & update (not more than 3 at a time). The policy is working fine for the select statement, but when I'm trying to update the same table I'm getting "ORA-01372: data manipulation operation not legal on this view".
    I'm using Oracle 10g release 2 & I performed the following steps:
    SQL> connect SYS as SYSDBA
    Enter password: ****************
    Connected.
    SQL> GRANT EXECUTE ON DBMS_SESSION TO smbdev;
    Grant succeeded.
    SQL> GRANT EXECUTE ON DBMS_RLS TO smbdev;
    Grant succeeded.
    SQL> GRANT CREATE ANY CONTEXT to smbdev;
    Grant succeeded.
    SQL> GRANT create trigger to smbdev;
    Grant succeeded.
    SQL> GRANT ADMINISTER DATABASE TRIGGER to smbdev;
    Grant succeeded.
    SQL> connect smbdev@SMBS
    Enter password: *******
    Connected.
    SQL> CREATE OR REPLACE CONTEXT rownum_ctx USING rownum_ctx_pkg;
    Context created.
    SQL> CREATE OR REPLACE PACKAGE rownum_ctx_pkg IS
    2 PROCEDURE set_rownum;
    3 END;
    4 /
    Package created.
    SQL> CREATE OR REPLACE PACKAGE BODY rownum_ctx_pkg IS
    2 PROCEDURE set_rownum
    3 AS
    4 BEGIN
    5 DBMS_SESSION.SET_CONTEXT('rownum_ctx', 'rownum', 4);
    6 EXCEPTION
    7 WHEN NO_DATA_FOUND THEN NULL;
    8 END set_rownum;
    9 END;
    10 /
    Package body created.
    SQL> CREATE OR REPLACE TRIGGER set_rownum_ctx_trig AFTER LOGON ON DATABASE
    2 BEGIN
    3 smbdev.rownum_ctx_pkg.set_rownum;
    4 END;
    5 /
    Trigger created.
    SQL> CREATE OR REPLACE FUNCTION get_rownum(
    2 schema_p IN VARCHAR2,
    3 table_p IN VARCHAR2)
    4 RETURN VARCHAR2
    5 AS
    6 rownum_pred VARCHAR2 (400);
    7 BEGIN
    8 rownum_pred := 'rownum < SYS_CONTEXT(''rownum_ctx'', ''rownum'')';
    9 RETURN rownum_pred;
    10 END;
    11 /
    Function created.
    SQL> BEGIN
    2 DBMS_RLS.ADD_POLICY (
    3 object_schema => 'smbdev',
    4 object_name => 'SMB_BOLT_CODE',
    5 policy_name => 'rownum_policy',
    6 function_schema => 'smbdev',
    7 policy_function => 'get_rownum',
    8 statement_types => 'select,update');
    9 END;
    10 /
    PL/SQL procedure successfully completed.
    SQL> select * from smbdev.SMB_BOLT_CODES;
    CATENTRY_ID SYN_BOLT_CODE
    13700 08000026540000
    13701 08000026520000
    13702 08000026530000
    SQL> update smb_bolt_codes set SYN_BOLT_CODE='asd';
    update smb_bolt_codes set SYN_BOLT_CODE='asd'
    ERROR at line 1:
    ORA-01732: data manipulation operation not legal on this view
    SQL> select * from tab where tname='SMB_BOLT_CODES';
    TNAME TABTYPE CLUSTERID
    SMB_BOLT_CODES TABLE
    SQL> connect sys@smbs as SYSDBA
    Enter password: ***********
    Connected.
    SQL> select count(*) from smbdev.SMB_BOLT_CODES;
    COUNT(*)
    101
    Please let me know what I'm doing wrong or what I need to change?
    Thanks in advance.

    Welcome to the forum!
    This seems odd: you add a policy to an object named SMB_BOLT_CODE, but you query SMB_BOLT_CODES
    SQL> BEGIN
    2 DBMS_RLS.ADD_POLICY (
    3 object_schema => 'smbdev',
    4 object_name => 'SMB_BOLT_CODE',
    5 policy_name => 'rownum_policy',
    6 function_schema => 'smbdev',
    7 policy_function => 'get_rownum',
    8 statement_types => 'select,update');
    9 END;
    10 /
    PL/SQL procedure successfully completed.
    SQL> select * from smbdev.SMB_BOLT_CODES; --<------ Notice the extra S here...
    Edited by: Alex Nuijten on Aug 14, 2009 2:28 PM
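    Two checks worth running before going further, added here and not part of the original thread: which objects in the SMBDEV schema actually carry the policy and for which statement types, and whether the logon trigger populated the context the predicate depends on. Column names are those of Oracle's ALL_POLICIES view; the schema, policy and context names are the ones from the post.

```sql
-- Added diagnostic, not from the original thread: list every VPD policy on
-- objects owned by SMBDEV with the statement types it covers. If only
-- SMB_BOLT_CODE (no trailing S) appears, the policy is not on the table
-- being updated.
SELECT object_owner, object_name, policy_name,
       sel, ins, upd, del, enable
  FROM all_policies
 WHERE object_owner = 'SMBDEV'
 ORDER BY object_name, policy_name;

-- Confirm the AFTER LOGON trigger set the context value the predicate uses.
-- If this is NULL, "rownum < NULL" is never true and every SELECT returns
-- no rows, which is a different symptom from the ORA-01732 on UPDATE.
SELECT SYS_CONTEXT('rownum_ctx', 'rownum') AS rownum_limit
  FROM dual;
```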

  • Trying to use SQL to implement a VPD policy

    Could someone please help me with the following code?
    These are the steps I took. I'm trying to implement a VPD (virtual private database), also known as Fine Grained Access, on my APEX 3.2.1.
    ------ login as SYS
    CREATE USER vpd_admin IDENTIFIED BY Password_1 DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp;
    GRANT CREATE SESSION TO vpd_admin;
    grant create any context to vpd_admin;
    GRANT CREATE PROCEDURE TO vpd_admin;
    grant select on charles.load to vpd_admin;
    grant select on charles.instructor to vpd_admin;
    grant execute on dbms_session to vpd_admin;
    grant execute on dbms_rls to vpd_admin;
    ------ login as vpd_admin
    create or replace context empnum_ctx using set_empnum_ctx_pkg;
    CREATE OR REPLACE PACKAGE set_empnum_ctx_pkg IS
    PROCEDURE set_empnum;
    END;
    CREATE OR REPLACE PACKAGE BODY set_empnum_ctx_pkg IS
    PROCEDURE set_empnum IS
         emp_id NUMBER;
    BEGIN
         SELECT EMPNUM INTO emp_id FROM CHARLES.LOAD
         WHERE upper(username) = nvl(v('APP_USER'), USER);
         DBMS_SESSION.SET_CONTEXT('empnum_ctx', 'empnum', emp_id);
    EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;
    END;
    END;
    create or replace package vpd_policy as
    function vpd_predicate(schema_name in varchar2, object_name in varchar2)
    return varchar2;
    end;
    create or replace package body vpd_policy as
    function vpd_predicate(
    schema_name in varchar2 default null, object_name in varchar2 default null)
    return varchar2 as
    BEGIN
         if (USER = 'ADMIN') and (v('APP_USER') is null) or
         (USER = 'MICHAEL.GRAY') and (v('APP_USER') is NULL) then
         return '';
         else
         return '(
              exists (
                   select "INSTRUCTOR"."EMPNUM" as "EMPNUM",
                        "INSTRUCTOR"."FIRSTNAME" as "FIRSTNAME",
                        "INSTRUCTOR"."LASTNAME" as "LASTNAME",
                        "LOAD"."COURSEID" as "COURSEID",
                   "COURSE"."CREDIT" as "CREDIT",
                   "COURSE"."HPW" as "HPW",
                        "LOAD"."CAMPID" as "CAMPID",
                        "LOAD"."YR" as "YR",
                        "INSTRUCTOR"."USERNAME" as "USERNAME",
                        "LOAD"."SEMESTER" as "SEMESTER"
                   from      "COURSE" "COURSE",
                        "INSTRUCTOR" "INSTRUCTOR",
                        "LOAD" "LOAD"
                   where      "INSTRUCTOR"."EMPNUM"="LOAD"."EMPNUM"
                   and      "LOAD"."COURSEID"="COURSE"."COURSEID"
                   and      department_name = (
                             select department_name from departments
                             where upper (assigned_to) = nvl(v('APP_USER'),USER) )
                   or upper(username) = nvl(v('APP_USER'), USER)
         END IF;
    END;
    SQL> show errors
    Errors for PACKAGE BODY VPD_POLICY:
    LINE/COL ERROR
    33/4 PLS-00103: Encountered the symbol "end-of-file" when expecting
    one of the following:
    begin end function package pragma procedure form
    when i reached this point trying to implement the function 'vpd_predicate' i got this error
    any advice will be great,
    thanks

    You didn't specify an END for the package.
    One reason you should always name your END blocks (makes it easier to realize when you've missed one).
    END vpd_predicate;
    END vpd_policy;
    /
    Also, your package specification doesn't match the body (they need to have identical declarations).
    Also, please format your code like I've done so it's actually readable. Use the tags before and after your code.
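    A version of the package that compiles, added here as an example and not the poster's code: the specification and body declare the same signature, every block has a named END, and the predicate string is closed with balanced quotes and parentheses. It assumes DEPARTMENT_NAME and USERNAME are columns of the table the policy is attached to, and keeps the APEX v('APP_USER') lookup from the post; the EXISTS join over COURSE/INSTRUCTOR/LOAD is replaced by a simpler predicate so the structure is easy to follow.

```sql
-- Added example, not the original poster's code: spec and body match,
-- END blocks are named, and the returned predicate is well formed.
CREATE OR REPLACE PACKAGE vpd_policy AS
  FUNCTION vpd_predicate(schema_name IN VARCHAR2, object_name IN VARCHAR2)
    RETURN VARCHAR2;
END vpd_policy;
/

CREATE OR REPLACE PACKAGE BODY vpd_policy AS
  FUNCTION vpd_predicate(schema_name IN VARCHAR2, object_name IN VARCHAR2)
    RETURN VARCHAR2
  AS
  BEGIN
    -- Direct (non-APEX) logins by the two administrators get no restriction.
    -- Each AND pair is parenthesised so the OR does what the post intends.
    IF (USER = 'ADMIN' AND v('APP_USER') IS NULL)
       OR (USER = 'MICHAEL.GRAY' AND v('APP_USER') IS NULL) THEN
      RETURN NULL;  -- '' is NULL in Oracle; a NULL predicate means no filter
    END IF;

    -- Everyone else sees rows for their own department or their own login.
    -- DEPARTMENT_NAME and USERNAME are assumed to be columns of the policed
    -- table (they are unqualified in the post as well).
    RETURN '(department_name = (SELECT d.department_name FROM departments d'
        || ' WHERE UPPER(d.assigned_to) = NVL(v(''APP_USER''), USER))'
        || ' OR UPPER(username) = NVL(v(''APP_USER''), USER))';
  END vpd_predicate;
END vpd_policy;
/
SHOW ERRORS
```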
