Flexible VPD structures for Oracle

We have a data warehouse with tables containing data that not everyone is allowed to see. To get around this, there are two views over the top of each such table, one containing all data and one with restricted data, and these views are then granted out to the users. SELECT privilege on the underlying table is not granted.

This causes issues when generating explain plans: it raises ORA-01039 errors, "insufficient privileges on underlying objects of the view".

To get around this, you can use VPD (Virtual Private Database).

Now, the way that VPD is implemented (or the way that I have implemented it), there is a context for each type of security you wish to apply. Each context is associated with a security package which contains the functions / procedures that determine which predicates to add to the query.

For a database with several types of security models, this can become an overwhelming management nightmare.

I have developed a flexible VPD solution that allows unlimited security models, each with unlimited predicates, all with only 4 tables and 2 packages.

To use this, create a logon trigger that calls "oemdba.vpd_security.set_vpd_access_levels".

Feel free to take from this what you will; any suggestions / improvements will be gratefully incorporated back into what I have here.
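The context-plus-package design described above, as an added example (not the author's oemdba package): a logon trigger caches each user's access level in an application context, and the policy function turns that cached value into a predicate. The schema SEC_ADMIN, the table VPD_USER_ACCESS, the context VPD_CTX and the levels FULL / RESTRICTED are assumed names.

```sql
CREATE TABLE sec_admin.vpd_user_access (
  username     VARCHAR2(128) PRIMARY KEY,
  access_level VARCHAR2(30)  NOT NULL);   -- constructed control table
INSERT INTO sec_admin.vpd_user_access VALUES ('HR_MGR', 'FULL');
INSERT INTO sec_admin.vpd_user_access VALUES ('ANALYST', 'RESTRICTED');
COMMIT;

-- The context can only be written by the package it is bound to.
CREATE OR REPLACE CONTEXT vpd_ctx USING sec_admin.vpd_security;

CREATE OR REPLACE PACKAGE sec_admin.vpd_security AS
  PROCEDURE set_vpd_access_levels;
  FUNCTION emp_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2;
END vpd_security;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.vpd_security AS
  -- Called from the logon trigger: look up the session user's access level
  -- and cache it in the context for the life of the session.
  PROCEDURE set_vpd_access_levels IS
    v_level VARCHAR2(30);
  BEGIN
    SELECT access_level INTO v_level FROM sec_admin.vpd_user_access
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('VPD_CTX', 'ACCESS_LEVEL', v_level);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN   -- unknown user: fail closed to the restricted level
      DBMS_SESSION.SET_CONTEXT('VPD_CTX', 'ACCESS_LEVEL', 'RESTRICTED');
  END;
  -- Policy function: map the cached level to a predicate. NULL = no restriction;
  -- an unset context attribute also yields NULL here, so the default is restricted.
  FUNCTION emp_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    IF SYS_CONTEXT('VPD_CTX', 'ACCESS_LEVEL') = 'FULL' THEN
      RETURN NULL;
    END IF;
    RETURN 'job != ''PRESIDENT''';
  END;
END vpd_security;
/
CREATE OR REPLACE TRIGGER sec_admin.vpd_logon AFTER LOGON ON DATABASE
BEGIN
  sec_admin.vpd_security.set_vpd_access_levels;
END;
/
BEGIN
  DBMS_RLS.add_policy(object_schema   => 'SCOTT', object_name => 'EMP',
                      policy_name     => 'POL_EMP_CTX',
                      function_schema => 'SEC_ADMIN',
                      policy_function => 'vpd_security.emp_predicate');
END;
/
```

Both routines are written to fail closed without raising: a policy function that raises makes every query on the protected table fail, and a logon trigger that raises blocks logons for non-administrative users.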
Author: rbrooker

3 Comments

Expert Comment

by:batzman
Is it really this complicated? I don't understand how I could incorporate this into what I need. I thought it was as simple as creating a policy on the tables.

Expert Comment

by:Pradeepgv03
VPD is nothing complex. The article describes the use of RLS and contexts.

If the aim is just RLS on tables, it can be as simple as given below.
This limits anybody querying the EMP table from seeing the PRESIDENT's information.
==========================
-- Policy function, created in the SEC_ADMIN schema (matches function_schema below).
-- It takes the standard VPD arguments and returns the predicate text to append.
CREATE OR REPLACE FUNCTION no_president (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2
AS
  v_pred VARCHAR2(100);
BEGIN
  v_pred := 'JOB != ''PRESIDENT'' ';
  RETURN v_pred;
END;
/

connect / as sysdba

-- Connect to SYS and add the policy to the SCOTT.EMP table.
BEGIN
  DBMS_RLS.add_policy (object_schema   => 'SCOTT',
                       object_name     => 'EMP',
                       policy_name     => 'POL_NOPRESIDENT',
                       policy_function => 'no_President',
                       function_schema => 'SEC_ADMIN');
END;
/


Expert Comment

by:batzman
Thanks for this example. My problem is how I would limit, say, 3 users from seeing this.
Users a, b & c.