VPD vs OLS

While applying an OLS policy to a table, we finally have to apply the label tag to specific rows, where we add the WHERE clause. My question is: where exactly does VPD come into the picture? Since we add a WHERE clause for specifying row-level security, what does VPD do in OLS?

Virtual Private Database (VPD) and Oracle Label Security (OLS) are very similar concepts; sometimes they are interchangeable. To quote from the Application Developer's Guide:
Oracle Policy Manager is the administration tool for Oracle Label Security. Oracle Label Security provides a functional, out-of-the-box VPD policy which enhances your ability to implement row-level security.
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC
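To make the quoted sentence concrete, here is an added example (not part of the original thread or of Oracle's documentation) that protects the same assumed table APP.ORDERS twice: first with a hand-written VPD policy, where you supply the predicate function yourself, then with an OLS policy, where OLS supplies the label-dominance predicate and the only WHERE text you can add is the optional PREDICATE argument of APPLY_TABLE_POLICY. Schema, table, context and policy names are assumptions; the DBMS_RLS and SA_* calls are the standard packages.

```sql
-- Added example, not from the thread. Same restriction on an assumed APP.ORDERS
-- table, first as plain VPD, then as OLS. Names are assumptions.

-- (1) Plain VPD: you write the predicate function and register it.
--     The predicate reads a context attribute that only a trusted package can
--     set, so the restriction cannot be changed from the client side.
CREATE OR REPLACE CONTEXT app_ctx USING app.app_ctx_pkg;

CREATE OR REPLACE PACKAGE app.app_ctx_pkg AS
  PROCEDURE set_country(p_country_id IN NUMBER);
END app_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app.app_ctx_pkg AS
  PROCEDURE set_country(p_country_id IN NUMBER) IS
  BEGIN
    -- a real login routine looks the value up; it never takes it from the caller
    DBMS_SESSION.SET_CONTEXT('app_ctx', 'country_id', TO_CHAR(p_country_id));
  END set_country;
END app_ctx_pkg;
/
CREATE OR REPLACE FUNCTION app.orders_country_pred (
    p_schema IN VARCHAR2,
    p_table  IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- NVL(..., -1) fails closed when the context was never set
  RETURN 'country_id = NVL(SYS_CONTEXT(''app_ctx'',''country_id''), -1)';
END orders_country_pred;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
      object_schema   => 'APP',
      object_name     => 'ORDERS',
      policy_name     => 'ORDERS_BY_COUNTRY',
      function_schema => 'APP',
      policy_function => 'ORDERS_COUNTRY_PRED',
      statement_types => 'SELECT,INSERT,UPDATE,DELETE',
      update_check    => TRUE);   -- reject writes that create rows the user could not read back
END;
/

-- (2) OLS: no predicate function of your own. CREATE_POLICY adds a hidden label
--     column; APPLY_TABLE_POLICY makes OLS generate the label-dominance predicate
--     for every statement on the table. The optional PREDICATE argument is the
--     only WHERE text you supply, and OLS combines it with its own check.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
      policy_name     => 'ORDERS_POL',
      column_name     => 'ORDERS_LABEL',
      default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- minimal components so that labels exist: (policy, level_num, short, long)
  SA_COMPONENTS.CREATE_LEVEL('ORDERS_POL', 10, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('ORDERS_POL', 20, 'CONF', 'CONFIDENTIAL');
  SA_LABEL_ADMIN.CREATE_LABEL('ORDERS_POL', 1000, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('ORDERS_POL', 2000, 'CONF');

  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
      policy_name    => 'ORDERS_POL',
      schema_name    => 'APP',
      table_name     => 'ORDERS',
      table_options  => 'READ_CONTROL,WRITE_CONTROL',
      label_function => NULL,
      predicate      => NULL);   -- e.g. 'OR country_id = 0' would widen the generated check

  -- give a user a clearance; the generated predicate does the rest
  SA_USER_ADMIN.SET_USER_LABELS('ORDERS_POL', 'ALICE', 'CONF');
END;
/
```

The practical difference: in (1) the predicate text, the trust boundary (who may set the context) and the fail-closed behaviour are all yours to get right; in (2) the predicate is generated from the session label and the row label, and what you design are the label components and the user clearances.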

Similar Messages

  • Row-/instance-based authorization

    Hi,
I'm looking for ways to implement row-/instance-based authorization using TopLink 9.0.4+ and Oracle DB 9.2.0.4. The domain objects are represented by standard Java objects (POJOs), not entity beans.
    My question: what are well-known working approaches to implement this? How did you do that in a project using TopLink and POJOs?
    I guess Label Security/Virtual Private Database would be interesting to consider. But I wonder if it's possible to use that with TopLink. Issues that I see right now:
    - how to propagate the credentials of the user to the database and still use connection pooling?
    - can TopLink generally make use of Label Security?
    Another approach would be to implement a JAAS extension following the lines of the article "Extending JAAS for class-instance authorization" http://www-106.ibm.com/developerworks/java/library/j-jaas/
    I expect this can easily result in a separate query per object, which probably results in atrocious performance.
    Or this could be implemented by an aspect. But still this would probably necessitate n+1 queries for n objects. In other words: this would still let the appserver do the constraining of results, while that is rightly the task of the database.
    Your comments and advice are highly appreciated,
    Joost de Vries
    the Netherlands

    The main decision to make is whether to handle the instance level security in the application, or the database.
    As you mentioned there are many ways to handle security in the application.
    Oracle database supports VPD and OLS for row level security. The TopLink 10g 10.0.3 preview has added support for this refer to:
    http://otn.oracle.com/products/ias/toplink/preview/index.html

  • Row level access, virtual private database, label security

    Hello All,
I'm experiencing an issue. I have a data warehouse where some tables, for example orders, are shared between two different countries. The difference is made simply with a field such as country, which may contain a country_id.
    So using OBI and Publisher I need to permit some users to query only the country with id 1, others the country with id 2, and others both countries.
    Is there a way to achieve this result without implementing VPD or OLS? Do you have any hint?
    Thanks
    Stefano

    Hi,
this should be useful:
    http://obieeblog.wordpress.com/2008/12/29/obiee-and-virtual-private-database-vpd/
    thanks
    karthick

  • RLS Solutions with BI Applications

If I have a customer that has a BI application that queries a table for, say, the average of the salary column, and they introduce a row-level security solution like VPD or OLS so that a subset of the rows is redacted for that BI query (say the policy is that you only want the user to be able to see salary for members of their org), the results would be altered and inaccurate results would be returned. What are the best practices for implementing an RLS solution without interfering with BI-type applications that use this data?
    Thanks,
    Matt

That probably depends on what sort of BI the users need on that aggregate information. One option would be to create an aggregate table (potentially via a materialized view) and to grant the users access to that aggregate table (i.e. a SALARY_DEPT_AGGREGATE table that gives the average, standard deviation, median, etc. salary by department, and a SALARY_CITY_AGGREGATE table that gives the same breakdown by city). You would have to be able to anticipate the sorts of BI queries that would be allowed by fixing the dimensions of interest, which limits the flexibility of the BI you can perform. And you'd have to be careful that the aggregate data didn't provide enough information to allow users to back into row-level data (i.e. if there is only one employee in a particular city).
    Justin
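As an added example (not part of the answer above) of the aggregate-table approach with the small-group caveat built in, the materialized view below publishes per-department salary statistics only for departments with at least k = 5 members, and a companion query lists the groups that would be suppressed. HR.EMPLOYEES, the BI_RO role and the threshold are assumptions.

```sql
-- Added example, not from the thread: publish only aggregates that cannot be
-- traced back to one person. Table, role and threshold are assumptions.
CREATE MATERIALIZED VIEW hr.salary_dept_aggregate
  BUILD IMMEDIATE
  REFRESH COMPLETE ON DEMAND
AS
SELECT department_id,
       COUNT(*)                 AS headcount,
       ROUND(AVG(salary), 2)    AS avg_salary,
       ROUND(STDDEV(salary), 2) AS stddev_salary,
       MEDIAN(salary)           AS median_salary
       -- deliberately no MIN/MAX: in a small group those are individual salaries
FROM   hr.employees
GROUP  BY department_id
HAVING COUNT(*) >= 5;           -- suppress groups small enough to identify someone

-- BI users get the aggregate only, never the base table.
GRANT SELECT ON hr.salary_dept_aggregate TO bi_ro;

-- Run before each refresh: departments that will be suppressed, so that a
-- group dropping below k is noticed rather than silently vanishing.
SELECT department_id, COUNT(*) AS headcount
FROM   hr.employees
GROUP  BY department_id
HAVING COUNT(*) < 5;
```

Two things to check in practice. The refresh runs as a normal session, so a VPD or OLS policy on HR.EMPLOYEES applies to the refreshing account as well; build and refresh the view from an account that is exempt from the policy (or that the policy function deliberately does not restrict), otherwise the aggregate silently contains only that account's view of the data. And the threshold must hold for every published dimension combination, not for each table separately: a department table and a city table that can be subtracted from each other expose small (department, city) cells even when each table alone passes the check.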

  • OLS and VPD sec_relevant_cols

    Hi,
    Is there a way to use VPD sec_relevant_cols feature with OLS?
    Cheers,
    Sebastien

The application connects to Oracle via ODBC with the user login (so I have as many Oracle users as application users).
    In order to simplify the schema a bit, there is one table called LISTNMS which organizes lists and folders (tree organization):
    CREATE TABLE LISTNMS (
        LISTID     NUMBER(5) PRIMARY KEY,
        LISTNAME   VARCHAR2(47 BYTE),
        LISTDATE   NUMBER(11),
        LISTTYPE   VARCHAR2(7 BYTE),
        LISTUID    NUMBER(5),
        LISTDESC   VARCHAR2(79 BYTE),
        LISTSTATUS NUMBER(11),
        LHIERARCHY NUMBER(11)
    );
    LISTTYPE can take one of two values: LIST or FOLDER.
    LHIERARCHY defines the parent folder of the current list or folder.
    LISTID MUST be outside the security restriction.
    Concerning OLS I imagine to have:
    - two levels: Public and Private
    - three compartments: BRE, PRE, TRIAL
- and groups which represent a hierarchy tree of locations:
      World
        Asia
          SouthEastAsia
            Indonesia
            Singapore
          South Asia
            India
    The lists/folders data will have the following data labels:
      World                 Public
        Asia                Public
          SouthEastAsia     Public
            Indonesia       Public
              Trial         Private:Trial:Indonesia
              ...           Private:Trial:Indonesia
            Thailand        Public
              Trial         Private:Trial:Thailand
              ...           Private:Trial:Thailand
              Breeding      Private:Bre:Thailand
              ...           Private:Bre:Thailand
              PreBreeding   Private:PRE:Thailand
              ...           Private:PRE:Thailand
          South Asia        Public
            India           Public
              Trial         Private:Trial:India
              ...           Private:Trial:India
              Breeding      Private:Bre:India
              ...           Private:Bre:India
              PreBreeding   Private:PRE:India
              ...           Private:PRE:India
A user may have read (R) / write (W) privileges on LISTNMS and have a specific label,
    for example:
    user1 can:
    - RW BRE Thailand data
    - R PRE thailand data
    - R PRE and BRE India data
    whereas a user2 can only RW TRIAL India data.
    Of course those users must see the public data.
    Do you have an idea?

• OLS and VPD Column Masking

    I have gone over a couple of sources on OLS and VPD.
    BTW I am working with Oracle 11g R1.
    What I am trying to accomplish is cell level protection. Where cell is defined as the intersection between a row and a column.
    OLS will get me the proper row restrictions.
    VPD has the ability to do Column Masking.
Has anyone mixed the two to accomplish cell-level protection?
    Basic examples would be GREATLY appreciated.

    Hi again. Thank you for your reply, but I wanted to achieve cell-level security as I'm trying to create conception of fine-grained processing data with different levels of confidentiality. Here is what I have:
    - I created 3 levels of confidentiality: J < P < T (Unclassified < Confidential < Secret)
    - I created a table and here is how it looks for different users:
    User with T-level authorization:
    !http://img709.imageshack.us/img709/1847/screentj.png!
    User with P-level authorization (can't see T-level data):
    !http://img704.imageshack.us/img704/4002/screenp.png!
    I did that by creating two policies on two columns with data:
CREATE OR REPLACE FUNCTION f_data01 (schema IN VARCHAR2, tab IN VARCHAR2)
      -- or "CREATE OR REPLACE FUNCTION f_data02" for the second column
      RETURN VARCHAR2 AS
        predicate       VARCHAR2(2000);   -- the VPD 'where' clause
        session_lab     VARCHAR2(4000);   -- the current user's session label
        session_tag     NUMBER;           -- numerical expression of the session label
        t_sa_user_name  VARCHAR2(2000);   -- only users with labels are examined, others don't get access
    BEGIN
      session_lab := sa_session.label('cells');              -- the current user's session label for that policy
      session_tag := char_to_label('cells', session_lab);    -- numerical expression of the session label
      predicate   := 'dominates(' || session_tag || ',CDATA01)=1';
      -- or predicate := 'dominates(' || session_tag || ',CDATA02)=1'; for the second column
      RETURN predicate;
    END;
    /
    I asked if it is possible to create one policy with a variable instead of the column name (e.g. CDATA01), or if there is another way to get that effect.
    And is it good practice to put column with labels in one table with data?
    Thank you in advance.
    Edited by: arc.undcvr on 2010-01-23 22:50
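For both questions above (mixing OLS row control with VPD column masking, and avoiding one copy of the predicate function per column), here is an added example that is not the poster's code. VPD passes only (schema, table) to a policy function, so the column cannot be a runtime variable; instead a single predicate builder takes the label column name and a one-line wrapper per column binds it. The policies are registered with sec_relevant_cols and ALL_ROWS, so the row is still returned but the protected cell is NULLed, which is the cell-level effect asked about. The table APP.CELL_DATA with value/label column pairs DATA01/CDATA01 and DATA02/CDATA02 is an assumption; the OLS policy name 'cells' is the poster's. OLS_DOMINATES is the 11g name of the DOMINATES function used above.

```sql
-- Added example, not the poster's code. One predicate builder for all protected
-- columns plus thin per-column wrappers; CELL_DATA and its columns are assumptions.
CREATE OR REPLACE FUNCTION app.cell_pred (p_label_col IN VARCHAR2)
  RETURN VARCHAR2
IS
  v_session_lab VARCHAR2(4000);
  v_session_tag NUMBER;
BEGIN
  -- p_label_col is concatenated into SQL: accept only known column names
  IF p_label_col NOT IN ('CDATA01', 'CDATA02') THEN
    RETURN '1=0';                                -- fail closed
  END IF;
  v_session_lab := SA_SESSION.LABEL('cells');
  IF v_session_lab IS NULL THEN
    RETURN '1=0';                                -- no clearance for this policy: see nothing
  END IF;
  v_session_tag := CHAR_TO_LABEL('cells', v_session_lab);
  -- the cell is shown only if the session label dominates the cell's label
  RETURN 'OLS_DOMINATES(' || v_session_tag || ', ' || p_label_col || ') = 1';
END cell_pred;
/
-- VPD only passes (schema, table), so each column gets a wrapper that binds its name.
CREATE OR REPLACE FUNCTION app.f_data01 (p_schema IN VARCHAR2, p_table IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN app.cell_pred('CDATA01');
END f_data01;
/
CREATE OR REPLACE FUNCTION app.f_data02 (p_schema IN VARCHAR2, p_table IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN app.cell_pred('CDATA02');
END f_data02;
/
BEGIN
  -- sec_relevant_cols + ALL_ROWS = column masking: every row the OLS row policy
  -- allows is returned, with DATA01/DATA02 NULL where the cell label is not
  -- dominated. Column masking is SELECT-only, hence statement_types => 'SELECT'.
  DBMS_RLS.ADD_POLICY(
      object_schema         => 'APP',
      object_name           => 'CELL_DATA',
      policy_name           => 'MASK_DATA01',
      function_schema       => 'APP',
      policy_function       => 'F_DATA01',
      statement_types       => 'SELECT',
      sec_relevant_cols     => 'DATA01',
      sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
  DBMS_RLS.ADD_POLICY(
      object_schema         => 'APP',
      object_name           => 'CELL_DATA',
      policy_name           => 'MASK_DATA02',
      function_schema       => 'APP',
      policy_function       => 'F_DATA02',
      statement_types       => 'SELECT',
      sec_relevant_cols     => 'DATA02',
      sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

On keeping the label columns in the data table: that is what OLS itself does with its hidden policy column, so the layout is fine; what matters is that the application user cannot rewrite CDATA01/CDATA02 at will. Grant UPDATE only on the data columns, or populate the label columns from a trigger, and the masking predicate cannot be defeated by relabelling a cell downwards.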

  • VPD and/or OLS implementation

    Hi,
I'm starting to implement security access at row level in a schema.
    I know VPD and how to solve my problem with it.
    However I would like to know how it is feasible with Oracle Label Security.
    I've three tables, germplasm, list, germplasmList
    Here are the structures:
    Germplasm
    GID number(8),
    Name varchar2(50),
    UserId number(5),
    List
    LID number(8),
    ListName varchar2(50),
    userId number(5)
    GermplasmList
    LID number(8),
    GID number(8)
The goal is to restrict CRUD access depending on user 'privileges' to List, GermplasmList and Germplasm.
    Cheers,
    Sebastien

    Hi Arf,
    Thanks for your fast answer.
Could you give me more details, especially for OLS?
    Maybe I didn't explain my problem well.
    I would like to put in place an access restriction based on a sensitivity, a hierarchy and compartments.
    Data are public or private.
    They can belong to one or more of the following compartments.
    They belong to one or more locations organized in a hierarchical way.
    This is clearly what OLS can do.
    Although the implementation on one table is easy to understand and implement, I don't see how it can be done on several tables using only one label policy,
    and how you can stay consistent as soon as you have to use several OLS policies in parallel.
    Examples will be welcome.
    Cheers,
    Sebastien
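The two posts by Sebastien above (the public/private levels, BRE/PRE/TRIAL compartments and location tree, and the question of covering several tables with one label policy) share one answer in OLS terms, given here as an added example that is not from either post: a single policy holds the whole label vocabulary, is applied to each of the three tables, and the join table GERMPLASMLIST takes its label from the parent LIST row through a labelling function so the tables cannot drift apart. Policy, schema and user names, tag numbers and the column names are assumptions; the SA_* calls are the standard OLS administration packages.

```sql
-- Added example, not from the posts: one OLS policy for GERMPLASM, LIST and
-- GERMPLASMLIST. Policy/schema/user names and tag numbers are assumptions.
BEGIN
  SA_SYSDBA.CREATE_POLICY('GERM_POL', 'GERM_LABEL', 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- Levels are ordered by level_num: PRIV dominates PUB.
  SA_COMPONENTS.CREATE_LEVEL('GERM_POL', 10, 'PUB',  'Public');
  SA_COMPONENTS.CREATE_LEVEL('GERM_POL', 20, 'PRIV', 'Private');
  -- Compartments are unordered: a session needs all of a row's compartments.
  SA_COMPONENTS.CREATE_COMPARTMENT('GERM_POL', 100, 'BRE',   'Breeding');
  SA_COMPONENTS.CREATE_COMPARTMENT('GERM_POL', 110, 'PRE',   'PreBreeding');
  SA_COMPONENTS.CREATE_COMPARTMENT('GERM_POL', 120, 'TRIAL', 'Trial');
  -- Groups form the location tree; clearance on a parent covers its children.
  SA_COMPONENTS.CREATE_GROUP('GERM_POL', 1000, 'WORLD', 'World');
  SA_COMPONENTS.CREATE_GROUP('GERM_POL', 1100, 'ASIA',  'Asia',            'WORLD');
  SA_COMPONENTS.CREATE_GROUP('GERM_POL', 1110, 'SEA',   'South East Asia', 'ASIA');
  SA_COMPONENTS.CREATE_GROUP('GERM_POL', 1111, 'IDN',   'Indonesia',       'SEA');
  SA_COMPONENTS.CREATE_GROUP('GERM_POL', 1112, 'THA',   'Thailand',        'SEA');
  SA_COMPONENTS.CREATE_GROUP('GERM_POL', 1120, 'SAS',   'South Asia',      'ASIA');
  SA_COMPONENTS.CREATE_GROUP('GERM_POL', 1121, 'IND',   'India',           'SAS');

  -- Data labels rows may carry (tags only need to be unique within the policy).
  SA_LABEL_ADMIN.CREATE_LABEL('GERM_POL', 10000, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('GERM_POL', 20001, 'PRIV:TRIAL:IDN');
  SA_LABEL_ADMIN.CREATE_LABEL('GERM_POL', 20002, 'PRIV:TRIAL:THA');
  SA_LABEL_ADMIN.CREATE_LABEL('GERM_POL', 20003, 'PRIV:BRE:THA');
  SA_LABEL_ADMIN.CREATE_LABEL('GERM_POL', 20004, 'PRIV:PRE:THA');
  SA_LABEL_ADMIN.CREATE_LABEL('GERM_POL', 20005, 'PRIV:TRIAL:IND');
  SA_LABEL_ADMIN.CREATE_LABEL('GERM_POL', 20006, 'PRIV:BRE:IND');
  SA_LABEL_ADMIN.CREATE_LABEL('GERM_POL', 20007, 'PRIV:PRE:IND');
END;
/
-- Labelling function for the join table: a GERMPLASMLIST row inherits the label
-- of its parent LIST row, so it can never be labelled more loosely than the list.
-- The SELECT is subject to READ_CONTROL like any query in the session, so a user
-- who cannot read the parent list gets NO_DATA_FOUND and the insert fails.
CREATE OR REPLACE FUNCTION app.germplasmlist_label (p_lid IN NUMBER) RETURN NUMBER IS
  v_tag NUMBER;
BEGIN
  SELECT germ_label INTO v_tag FROM app.list WHERE lid = p_lid;
  RETURN v_tag;
END germplasmlist_label;
/
BEGIN
  -- One policy, three tables: the same label vocabulary and the same session
  -- label decide visibility in every table, so the tables stay consistent.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('GERM_POL', 'APP', 'GERMPLASM', 'READ_CONTROL,WRITE_CONTROL');
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('GERM_POL', 'APP', 'LIST',      'READ_CONTROL,WRITE_CONTROL');
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('GERM_POL', 'APP', 'GERMPLASMLIST',
      'READ_CONTROL,WRITE_CONTROL', 'app.germplasmlist_label(:new.lid)');

  -- user1: read BRE and PRE data in Thailand and India, write only BRE in Thailand.
  SA_USER_ADMIN.SET_USER_LABELS(
      policy_name     => 'GERM_POL',
      user_name       => 'USER1',
      max_read_label  => 'PRIV:BRE,PRE:THA,IND',
      max_write_label => 'PRIV:BRE:THA',
      min_write_label => 'PUB',
      def_label       => 'PRIV:BRE:THA',
      row_label       => 'PRIV:BRE:THA');
  -- user2: TRIAL data in India, read and write (write label defaults to the read label).
  SA_USER_ADMIN.SET_USER_LABELS('GERM_POL', 'USER2', 'PRIV:TRIAL:IND');
END;
/
```

Public rows carry PUB with no compartments or groups, so every cleared user reads them; the per-user read/write split in the first post (RW on BRE Thailand, R on PRE Thailand and on India) falls out of the max_read_label versus max_write_label pair rather than needing a second policy. A second OLS policy is only warranted for an unrelated classification axis; one axis, however many tables, is one policy.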

  • OCM SDK and OLS/VPD

    Would I be able to use the Oracle Content Management SDK to build my own version of Oracle Files/Files Online/iFiles application but enforce security at the DB level (assuming all my content was labeled) instead of at the application level, using OLS. We would need to preserve the individual users identity to the DB.
    Thanks,
    Peter

    justatest

  • Peoplesoft Enterprise with OLS or VPD/FGAC/RLS

    I know that the EBusiness Suite 11i and 12i have been certified (with Patches) for VPD.
    I can't find information on Certification / Patches / Implementation of Peoplesoft Enterprise (particularly say Peoplesoft Financials Modules) with Oracle Label Security or with VPD/FGAC/RLS.
    Is there such information on metalink3 ? Has anyone implemented/enhanced Peoplesoft in this manner ?

Well, generally row-level security is embedded and configured in the application, and very rarely implemented at the database level (mainly because only one database user is used). The report should be run through the application query, which comes with row-level security.
    But it is supported, even Database Vault.
    Nicolas.

  • Using Content Manager with OLS - Oracle Label Security

    There are two entries in this forum with OLS - the last one in 2005.
    Has any one successfully deployed UCM with OLS?
    Thanks,
    Paul

    Yes I have with 10gr3
    It can be made to work but perhaps not in the way you want (per user?). Your label security will need to have policies based on something.
    I did a proof of concept using Security Group column as the 'label'. Then applied VPD policies based on which network the request came from (1 DB rac node in each network).
    In my case I wanted to show ALL content to a secure network but a subset of content to the lower security network. For this use case it is ideal.
    It worked flawlessly...not supported though
    Apparently OLS is on roadmap or UCM (WCC) so ask Oracle and see if you can find out if it is slated for any particular release yet.
    Tim

  • OLS Question

    Hello.
    I need some help from OLS experts.
I defined user labels using the set_user_labels procedure provided by OLS. Example:
    sa_user_admin.set_user_labels
    (policy_name => 'ESBD',
    user_name => 'ALL_EMPLOYEES',
    max_read_label => 'EMP');
    I need to set the access profile of users when they logon in the application using:
    sa_session.set_access_profile (<p_policy>, <g_access_profile>);
In the above example, <g_access_profile> is 'ALL_EMPLOYEES', and it doesn't correspond to a unique user but to a group of users.
    The problem is that I don't know the <g_access_profile> parameter when the user logs on to the application. I only have its max_read_label.
    Is there a way to retrieve the <g_access_profile> from the max_read_label? I mean, a get method that receives the max label and gives the corresponding access profile.
    thanks in advance.
Edited by: user11187989 on 09-Jun-2009 10:12

    Hi,
    the correct usage of set_access_profile is explained here:
    http://www.oracle.com/technology/obe/11gr1_db/security/olsvpd/olsvpd.htm
    Scroll all the way down to "Querying the HR_INFO Table", and ignore the embedded VPD policy for now.
Applying user labels (clearances) to groups is not recommended, unless you manage your OLS policies centrally in Oracle Internet Directory, the LDAPv3-compliant part of Oracle Identity Management; with OLS, user clearances are assigned to 'profiles', and multiple users can be associated with one profile.
    Best, Peter

  • VPD - Label Security

    Hello All!
I need to change the text of a query with OLS. But OLS can only change the WHERE clause, not the FROM clause. Am I right?
    If so, is there any feature that can change both the WHERE clause and the FROM clause?
    Thanks.
    Att,
    Anderson Haertel Rodrigues
    Database Administrator - DBA
    Florianópolis/SC/Brasil

That's VPD, AKA RLS (row-level security). So yes, it's just about the WHERE clause. If you want to change the tables people see then you'll need to use views and synonyms to make it work. Depending on the precise details of your implementation you may be able to use some of your VPD infrastructure in the view definition.
    Cheers, APC

• License required for OLS?

Is a separate license required for Oracle Label Security? Or could my company have a site-wide enterprise license for the Oracle database but not OLS?

    OLS is an option that can be added to Enterprise Edition of the database.
    As with all Oracle database options, if you decide to use (and therefore license) it, the number of OLS licenses must match the number of EE database licenses.
    Note that OLS is built using the Row Level Security, or VPD, feature that is included in the Enterprise Edition. The big advantages of OLS over rolling your own RLS-based security - it comes with a UI; it simplifies administration; it's been tested; it is supported directly.

  • Best practice for VPD and remote tables

    Not specifically an HTMLDB question, but here goes...
    HTMLDB 1.6 on 9.2.0.4 connecting over database link (fixed username/password) to 9.2.0.4
    I've currently "wrapped" access to the remote tables in views, i.e. view "T" in the HTMLDB parsing schema LOCAL_USER is defined as "SELECT * FROM T@remote"
    I'd like to put VPD controls on my backend tables, but I don't get how v('APP_USER') (or even APP_USER put into an application context) would be seen by the remote database.
    Should I just put VPD policies on LOCAL_USER's views and call it a day?
    Thanks for input!
    -John

If you implemented the VPD in the remote database, what would your VPD be restricting? All queries would apply the policy based on the DB link's fixed username, resulting in all users of the HTML DB application having the same policy restrictions.
    The policy in the remote database does not have access to the value of v('APP_USER'). That value is only available in the database that has HTML DB. You would have to write APIs in the remote database (PL/SQL functions/procedures) to pass the v('APP_USER') value to the remote database. This is doable, but cumbersome.
    If you want to have your policy modify your WHERE clause on the fly based on your HTML DB user account, then I would implement the VPD in the database which has your HTML DB repository. I am not sure which of the two scenarios below occur when doing a SELECT * FROM T.
    1.) The query goes across the database link, gets all the data out of table T in the remote database, passes back to the HTML DB database, and applies the policy WHERE clause modification in the HTML DB database.
    2.) The query applies the policy WHERE clause modification to the view, goes across the database link with the WHERE clause modified, and gets only the data allowed based on the policy from the remote database.
    You should test this out to find out for performance purposes what query is actually performed on the remote database.
    As always if anyone sees anything inaccurate in what I have written, please correct me.
    Mike
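The setup Mike describes, and the test he recommends, as an added example that is not part of his reply: the policy is created in the HTML DB database on the local view T rather than on the remote table, it keys on APP_USER copied into an application context by a trusted package, and the plan output then shows whether the predicate travels across the link (his scenario 2) or every row comes back to be filtered locally (scenario 1). LOCAL_USER, the context and package names and an OWNER_USER column on T are assumptions.

```sql
-- Added example, not from the thread. VPD on the local view over T@remote, keyed
-- on APP_USER from a trusted context. Names and the OWNER_USER column are assumptions.
CREATE OR REPLACE CONTEXT app_ctx USING local_user.app_ctx_pkg;  -- only this package may set it

CREATE OR REPLACE PACKAGE local_user.app_ctx_pkg AS
  PROCEDURE set_app_user(p_user IN VARCHAR2);
END app_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY local_user.app_ctx_pkg AS
  PROCEDURE set_app_user(p_user IN VARCHAR2) IS
  BEGIN
    -- called from an HTML DB process with v('APP_USER') after authentication
    DBMS_SESSION.SET_CONTEXT('app_ctx', 'app_user', UPPER(p_user));
  END set_app_user;
END app_ctx_pkg;
/
CREATE OR REPLACE FUNCTION local_user.t_owner_pred (p_schema IN VARCHAR2, p_obj IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  -- NVL fails closed for sessions (e.g. SQL*Plus) that never set the context
  RETURN 'owner_user = NVL(SYS_CONTEXT(''app_ctx'',''app_user''), ''!NONE!'')';
END t_owner_pred;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
      object_schema   => 'LOCAL_USER',
      object_name     => 'T',                 -- the local view, not the remote table
      policy_name     => 'T_BY_APP_USER',
      function_schema => 'LOCAL_USER',
      policy_function => 'T_OWNER_PRED',
      statement_types => 'SELECT');
END;
/
-- Which of the two scenarios happens? Ask the optimizer instead of guessing.
EXEC local_user.app_ctx_pkg.set_app_user('JOHN');
EXPLAIN PLAN FOR SELECT * FROM local_user.t;
SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY(NULL, NULL, 'ALL'));
-- A REMOTE step whose "Remote SQL Information" carries the OWNER_USER filter means
-- the remote site returns only the allowed rows (scenario 2); a bare SELECT of T
-- means every row crosses the link and is filtered locally (scenario 1).
```

On the 9.2.0.4 release in the question, the same check can be made from the other side by reading V$SQL on the remote instance for the statement text that arrives over the link. Either way, the security outcome is the same (the user sees only their rows); what the check tells you is whether the fixed-user link is shipping the whole table on every request.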
