Apex and Virtual Private Database

Jeffrey Kemp
InSync Perth, Nov 2013
Why use VPD?
• Security
• Simplicity
• Flexibility
• No backdoors
Acronym Overload
• Virtual Private Database
• Row Level Security
• Fine-Grained Access Control
History
• 8i: VPD introduced; supports tables and views
• 9i: global application contexts, support for synonyms, policy groups
• 10g: column-level privacy, column masking, static policies, shared policies
• 11g: integrated into Enterprise Manager
• 12c: improved security for expdp, fine-grained context-sensitive policies
Requirements
• Enterprise Edition
• execute on DBMS_RLS
Disclaimer
not an expert

expertise
Case Study: eBud
• Budgeting solution for a large government
department
• Groups of users: “Super Admins”, “Finance”,
“Managers”
• Super Admin: "access all areas"
• Finance: "access to most areas"
• Managers: "limited access"
eBud Data Model
BUDGETS: budget_id, budget_owner, budget_publicity
COST_CENTRES: cost_centre, branch_code
BUDGET_ENTRIES: chart, amount
USERS: username, role_list
Row-level security required
Solution #1
Query:
SELECT budget_id, name
FROM budgets_vw
WHERE budget_id = :b1;
View:
CREATE VIEW budgets_vw AS
SELECT *
FROM budgets
WHERE budget_owner = v('APP_USER');
Solution #2

V.P.D.

Image source: http://www.executiveinvestigationandsecurity.com/security/
Row Level Security
The query you asked for:
SELECT budget_id, name FROM budgets
WHERE budget_id = :b1;
What we executed:
SELECT budget_id, name FROM budgets
WHERE budget_id = :b1
AND budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER');

(not exactly, but this gives the general idea)
Package spec
PACKAGE vpd_pkg IS
  PROCEDURE new_session;
  FUNCTION budgets_policy
  ( object_schema IN VARCHAR2
  , object_name   IN VARCHAR2
  ) RETURN VARCHAR2;
END vpd_pkg;
Initialise an Apex Session
PROCEDURE new_session IS
BEGIN
set_context('APP_USER', v('APP_USER'));
set_context('SUPERADMIN', is_superadmin);
set_context('FINANCE', is_finance_user);
END new_session;
Set Context
PROCEDURE set_context
( i_attr  IN VARCHAR2
, i_value IN VARCHAR2
) IS
BEGIN
  DBMS_SESSION.set_context
  ( namespace => 'EBUD_CTX'
  , attribute => i_attr
  , value     => i_value
  , client_id => v('APP_USER') || ':' || v('SESSION')
  );
END set_context;
Create an Application Context
CREATE CONTEXT EBUD_CTX
USING VPD_PKG
ACCESSED GLOBALLY;
Apex Setup
1. Authentication Scheme
2. (no step 2!)
Policy Function body #1
FUNCTION budgets_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  RETURN q'[
    budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
  ]';
END budgets_policy;
(old quote syntax)
FUNCTION budgets_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  RETURN '
    budget_owner = SYS_CONTEXT(''EBUD_CTX'',''APP_USER'')
  ';
END budgets_policy;
Create a Policy
begin
  DBMS_RLS.add_policy
  ( object_name     => 'BUDGETS'
  , policy_name     => 'budgets_policy'
  , policy_function => 'VPD_PKG.budgets_policy'
  );
end;
/
Create a Policy
begin
  DBMS_RLS.add_policy
  ( object_name     => 'BUDGETS'
  , policy_name     => 'budgets_policy'
  , policy_function => 'VPD_PKG.budgets_policy'
  , statement_types => 'SELECT'
  );
end;
/
DBMS_RLS.add_policy
• object_schema (NULL for current user)
• object_name (table or view)
• policy_name
• function_schema (NULL for current user)
• policy_function
• statement_types (default is SELECT, INSERT, UPDATE, DELETE)
• policy_type
• (other optional parameters)
How it works

Query:
SELECT budget_id, name FROM budgets
WHERE budget_id = :b1;

Parser calls function:
budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
Executed:
SELECT budget_id, name FROM
( SELECT * FROM budgets budgets
WHERE budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
)
WHERE budget_id = :b1;
Policy Function body #2
FUNCTION budgets_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  RETURN q'[
    budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
    OR budget_publicity = 'PUBLIC'
  ]';
END budgets_policy;
Policy Function body #3
FUNCTION budgets_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  RETURN q'[
    budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
    OR budget_publicity = 'PUBLIC'
    OR (budget_publicity = 'FINANCE'
        AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y')
    OR SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y'
  ]';
END budgets_policy;
Policy Function body #4
FUNCTION budgets_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
  o_predicate VARCHAR2(4000);
BEGIN
  IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN
    o_predicate := '';
  ELSE
    o_predicate := q'[
      budget_publicity = 'PUBLIC'
      OR (budget_publicity = 'FINANCE'
          AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y')
      OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
    ]';
  END IF;
  RETURN o_predicate;
END budgets_policy;
Policy Function body #5
FUNCTION budgets_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
  o_predicate VARCHAR2(4000);
BEGIN
  IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN
    o_predicate := '';
  ELSIF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN
    o_predicate := q'[
      budget_publicity IN ('PUBLIC','FINANCE')
      OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
    ]';
  ELSE
    o_predicate := q'[
      budget_publicity = 'PUBLIC'
      OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
    ]';
  END IF;
  RETURN o_predicate;
END budgets_policy;
(each branch returns a different predicate: lots of different queries in the shared pool)
Hierarchy ("Cost Centre Groups"): Division > Directorate > Branch > Cost Centre
eBud Data Model
BUDGETS: budget_id, budget_owner, budget_publicity
COST_CENTRES: cost_centre, branch_code
USERS: username, role_list
USER_COST_CENTRES
COST_CENTRE_GROUPS: parent_group_code (hierarchy)
USER_COST_CENTRE_GROUPS: group_code
Cost Centre Policy Function
FUNCTION cost_centre_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN
    RETURN '';
  ELSE
    RETURN q'[
      EXISTS (
        SELECT null
        FROM user_cost_centres ucc
        WHERE ucc.username = SYS_CONTEXT('EBUD_CTX','APP_USER')
        AND ucc.cost_centre = cost_centres.cost_centre
      )
      OR EXISTS (
        SELECT null
        FROM all_budget_branches_vw b
        JOIN user_cost_centre_groups uccg
          ON uccg.group_code IN (b.branch_code, b.directorate_code, b.division_code)
        WHERE uccg.username = SYS_CONTEXT('EBUD_CTX','APP_USER')
        AND b.budget_id = cost_centres.budget_id
        AND b.branch_code = cost_centres.branch_code
      )
    ]';
  END IF;
END cost_centre_policy;
(we can refer to the table via its alias)
Warning
Predicate MUST NOT
query the table to which
it is meant to be applied
- not even via a view

Image source: http://en.wikipedia.org/wiki/Drawing_Hands
But…
The predicate may query another
table that itself has an RLS policy.
Budget Entry Policy Function
FUNCTION budget_entry_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN
    RETURN '';
  ELSE
    RETURN q'[
      EXISTS (
        SELECT null
        FROM cost_centres cc
        WHERE cc.cost_centre = budget_entries.cost_centre
        AND cc.budget_id = budget_entries.budget_id
      )
    ]';
  END IF;
END budget_entry_policy;
Policy Type parameter (10g+)
When is the policy function re-executed?
• for each statement: DYNAMIC (default)
• once per object: STATIC (for each object), SHARED_STATIC (for all objects)
• once per context change: CONTEXT_SENSITIVE (for each object), SHARED_CONTEXT_SENSITIVE (for all objects)
consider SHARED_... if your policy function
is shared amongst multiple tables
If in doubt, always start with the default - DYNAMIC
The policy type parameter is just for performance optimisation.
Improved in 12c
Fine-grained Context Sensitive policies
– new parameters for DBMS_RLS.add_policy:
namespace and attribute
– new procedure DBMS_RLS.add_policy_context
– improved performance
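Added example (not from the slides): once the BUDGETS policy works as DYNAMIC, the same registration re-done as a 12c fine-grained context-sensitive policy, which suits Policy Function body #5 because its predicate text branches only on the SUPERADMIN and FINANCE attributes, while APP_USER is read by SYS_CONTEXT at execution time and so is safe to leave inside a cached predicate. EBUD_CTX, VPD_PKG and BUDGETS are the deck's names; the drop-then-add sequence is an assumption about how the earlier registration is replaced.

```sql
-- Added example, not from the slides. Assumes EBUD_CTX, VPD_PKG and the
-- BUDGETS table exist as described in the deck.
BEGIN
  -- A policy name must be unique per object, so remove the earlier
  -- DYNAMIC registration before re-adding it with a different type.
  DBMS_RLS.drop_policy
  ( object_name => 'BUDGETS'
  , policy_name => 'budgets_policy'
  );

  DBMS_RLS.add_policy
  ( object_name     => 'BUDGETS'
  , policy_name     => 'budgets_policy'
  , policy_function => 'VPD_PKG.budgets_policy'
  , statement_types => 'SELECT'
  , policy_type     => DBMS_RLS.CONTEXT_SENSITIVE
    -- 12c: the predicate is re-evaluated only when this attribute changes
    -- instead of on every statement as with DYNAMIC.
  , namespace       => 'EBUD_CTX'
  , attribute       => 'SUPERADMIN'
  );

  -- Body #5 also branches on FINANCE, so register that attribute as well;
  -- otherwise a change to FINANCE alone would not refresh the cached predicate.
  DBMS_RLS.add_policy_context
  ( object_name => 'BUDGETS'
  , namespace   => 'EBUD_CTX'
  , attribute   => 'FINANCE'
  );
END;
/
```

If a later edit to the policy function starts branching on another attribute (or on APP_USER directly), register it with add_policy_context too, or the cached predicate will silently be reused for users it was not generated for.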
Bypassing VPD
• Not enforced for DIRECT path export
• Grant EXEMPT ACCESS POLICY
• Return NULL for object owner:
IF object_schema = USER THEN
RETURN '';
END IF;
Errors
• ORA-28112: failed to execute policy function
– the policy function raised an exception

• "Invalid SQL statement"
– may be a syntax error in the generated SQL

• ORA-28115: policy with check option violation
– policy has been applied to Insert, Update or Delete operations

• ORA-28133: full table access is restricted by fine-grained security
– policy has been applied to Index operation
Tuning
• Set client_identifier to APP_USER:SESSION then
call the policy function
• or, query v$vpd_policy to get the predicate(s)
applied to the query
• or, get the final exact SQL statement from the
trace file
ALTER SESSION SET EVENTS '10730 trace name context forever, level 12';
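Added example (not from the slides) of the first two tuning steps as a SQL*Plus or SQLcl script: adopt the client identifier of a live Apex session so the globally accessed context becomes visible, call the policy function, then read back the predicate actually attached to the statement from v$vpd_policy. EBUD_CTX and VPD_PKG are the deck's names; JSMITH, the session id 1234567890 and budget 42 are made-up test values.

```sql
-- Added example, not from the slides. Run from a privileged diagnostic
-- session; JSMITH:1234567890 is a constructed APP_USER:SESSION key and must
-- match a session that has actually run vpd_pkg.new_session.
SET SERVEROUTPUT ON

-- 1. Adopt the live Apex session's client identifier (APP_USER:SESSION):
--    the global context values stored under that key are now visible here.
EXEC DBMS_SESSION.set_identifier('JSMITH:1234567890')

-- 2. Confirm what new_session populated for that user.
SELECT SYS_CONTEXT('EBUD_CTX','APP_USER')   AS app_user
     , SYS_CONTEXT('EBUD_CTX','SUPERADMIN') AS superadmin
     , SYS_CONTEXT('EBUD_CTX','FINANCE')    AS finance
FROM   dual;

-- 3. Ask the policy function which predicate it generates for that context.
BEGIN
  DBMS_OUTPUT.put_line(vpd_pkg.budgets_policy(USER, 'BUDGETS'));
END;
/

-- 4. Run the application's query as that user ...
SELECT budget_id, name FROM budgets WHERE budget_id = 42;

-- 5. ... and read back the predicate the kernel attached to it. This is
--    the authoritative answer when the function and the observed rows
--    disagree, e.g. a cached STATIC or CONTEXT_SENSITIVE predicate.
SELECT p.object_name, p.policy, p.predicate
FROM   v$vpd_policy p
JOIN   v$sql s ON s.sql_id = p.sql_id AND s.child_number = p.child_number
WHERE  s.sql_text LIKE 'SELECT budget_id, name FROM budgets%';

-- 6. Stop reading the user's context once the test is done.
EXEC DBMS_SESSION.clear_identifier
```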
Recommendations
• Use q'{ syntax for predicates }'
• Understand how Apex Sessions work
• Use context for variables
– avoid injecting literals
– avoid calls to v() etc.

• Keep predicates simple
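Added example (not from the slides) of the "use context for variables" recommendation: a policy function that injects a literal fetched with v(), beside the form the deck uses. Both are written as standalone CREATE OR REPLACE FUNCTION statements so they compile on their own; budgets_policy_weak is a hypothetical name and EBUD_CTX is the deck's context.

```sql
-- Added example, not from the slides. Assumes EBUD_CTX is populated once
-- per session as in vpd_pkg.new_session.

-- WEAK: builds the predicate from a literal at parse time.
--   * v() only returns a value inside an Apex session, so any other caller
--     (SQL*Plus, a scheduler job, a reporting tool) gets NULL, the predicate
--     becomes budget_owner = '' and no rows are ever returned.
--   * Every distinct user produces a different predicate string, so the
--     shared pool fills with one child cursor per user.
--   * The user name is concatenated into SQL text, so a value containing a
--     quote character changes the meaning of the predicate.
CREATE OR REPLACE FUNCTION budgets_policy_weak
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  RETURN 'budget_owner = ''' || v('APP_USER') || '''';
END budgets_policy_weak;
/

-- CORRECTED: the predicate text is a constant; the variable part is
-- resolved by SYS_CONTEXT at execution time from the session's context.
-- One cursor is shared by all users, the function works with or without an
-- Apex session, and no user-supplied text becomes part of the SQL.
CREATE OR REPLACE FUNCTION budgets_policy
( object_schema IN VARCHAR2
, object_name   IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  RETURN q'{ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') }';
END budgets_policy;
/
```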
More Information
Read the Oracle Docs for:
– using policy groups
– automated policy creation in DDL triggers
– integration with Oracle Label Security
– data dictionary views
– Oracle Data Redaction
Oracle Docs
Oracle Database Security Guide: Using Oracle Virtual Private Database to Control Data Access http://bit.ly/16Iq5EQ
Oracle Database PL/SQL Packages and Types Reference: DBMS_RLS http://bit.ly/1abI46V
Thank you
jeffkemponoracle.com

Image source: http://www.toothpastefordinner.com/index.php?date=082609

 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Apex and Virtual Private Database

  • 1. Apex and Virtual Private Database Jeffrey Kemp InSync Perth, Nov 2013
  • 4. Acronym Overload • Virtual Private Database • Row Level Security • Fine-Grained Access Control
  • 5. History
        8i   VPD introduced; supports tables and views
        9i   global application contexts; support for synonyms; policy groups
        10g  column-level privacy; column masking; static policies; shared policies
        11g  integrated into Enterprise Manager
        12c  improved security for expdp; fine-grained context-sensitive policies
  • 9. Case Study: eBud • Budgeting solution for a large government department • Groups of users: “Super Admins”, “Finance”, “Managers” • Super Admin: "access all areas" • Finance: "access to most areas" • Managers: "limited access"
  • 11. Solution #1
        Query:
          SELECT budget_id, name
          FROM   budgets_vw
          WHERE  budget_id = :b1;
        View:
          CREATE VIEW budgets_vw AS
          SELECT *
          FROM   budgets
          WHERE  budget_owner = v('APP_USER');
  • 12. Solution #2 V.P.D. Image source: http://www.executiveinvestigationandsecurity.com/security/
  • 13. Row Level Security
        The query you asked for:
          SELECT budget_id, name FROM budgets
          WHERE  budget_id = :b1;
        What we executed:
          SELECT budget_id, name FROM budgets
          WHERE  budget_id = :b1
          AND    budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER');
        (not exactly, but this gives the general idea)
  • 14. Package spec
        PACKAGE vpd_pkg IS
          PROCEDURE new_session;
          FUNCTION budgets_policy
            ( object_schema IN VARCHAR2
            , object_name   IN VARCHAR2
            ) RETURN VARCHAR2;
        END vpd_pkg;
  • 15. Initialise an Apex Session
        PROCEDURE new_session IS
        BEGIN
          set_context('APP_USER',   v('APP_USER'));
          set_context('SUPERADMIN', is_superadmin);
          set_context('FINANCE',    is_finance_user);
        END new_session;
  • 16. Set Context
        PROCEDURE set_context
          ( i_attr  IN VARCHAR2
          , i_value IN VARCHAR2
          ) IS
        BEGIN
          DBMS_SESSION.set_context
            ( namespace => 'EBUD_CTX'
            , attribute => i_attr
            , value     => i_value
            , client_id => v('APP_USER') || ':' || v('SESSION')
            );
        END set_context;
  • 17. Create an Application Context
        CREATE CONTEXT EBUD_CTX USING VPD_PKG ACCESSED GLOBALLY;
        USING VPD_PKG means only that package may set values in EBUD_CTX (set_context is deliberately not in the package spec). ACCESSED GLOBALLY keeps the values in the SGA keyed by client identifier, so they follow the Apex session across pooled database connections.
  • 18. Apex Setup
        1. Authentication Scheme (have it call vpd_pkg.new_session once the Apex session is established)
        2. (no step 2!)
  • 20. Policy Function body #1
        FUNCTION budgets_policy
          ( object_schema IN VARCHAR2
          , object_name   IN VARCHAR2
          ) RETURN VARCHAR2 IS
        BEGIN
          RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]';
        END budgets_policy;
  • 21. (old quote syntax)
        FUNCTION budgets_policy
          ( object_schema IN VARCHAR2
          , object_name   IN VARCHAR2
          ) RETURN VARCHAR2 IS
        BEGIN
          RETURN ' budget_owner = SYS_CONTEXT(''EBUD_CTX'',''APP_USER'') ';
        END budgets_policy;
  • 22. Create a Policy
        begin
          DBMS_RLS.add_policy
            ( object_name     => 'BUDGETS'
            , policy_name     => 'budgets_policy'
            , policy_function => 'VPD_PKG.budgets_policy'
            );
        end;
        /
  • 23. Create a Policy
        begin
          DBMS_RLS.add_policy
            ( object_name     => 'BUDGETS'
            , policy_name     => 'budgets_policy'
            , policy_function => 'VPD_PKG.budgets_policy'
            , statement_types => 'SELECT'
            );
        end;
        /
  • 24. DBMS_RLS.add_policy
        • object_schema (NULL for current user)
        • object_name (table or view)
        • policy_name
        • function_schema (NULL for current user)
        • policy_function
        • statement_types (default is SELECT, INSERT, UPDATE, DELETE)
        • policy_type
        • (other optional parameters)
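As an added example (not from the original slides), this is the fuller form of the call a practitioner would normally use in production. Slide 23 enforces the policy on SELECT only; here it is enforced on all four DML statement types and update_check is switched on, so a row written by INSERT or UPDATE must itself satisfy the predicate. Without update_check a Manager could, for example, UPDATE a budget they own and hand it to someone else by changing budget_owner, or INSERT a row they would never be allowed to read back. The parameter names are those of DBMS_RLS.add_policy; the table, policy and function names are the ones used on the previous slides. policy_type is left at its default (DYNAMIC), following the advice on slide 36.

```sql
-- Added example: the BUDGETS policy enforced on all DML, with update_check
-- so that rows being inserted or updated must also pass the predicate.
BEGIN
  DBMS_RLS.add_policy
    ( object_name     => 'BUDGETS'
    , policy_name     => 'budgets_policy'
    , policy_function => 'VPD_PKG.budgets_policy'
    , statement_types => 'SELECT,INSERT,UPDATE,DELETE'
    , update_check    => TRUE    -- written rows must satisfy the predicate
    , enable          => TRUE
    );
END;
/

-- Check what was registered (run as the owner of BUDGETS).
-- CHK_OPTION = 'YES' confirms update_check is in force.
SELECT policy_name, sel, ins, upd, del, idx, chk_option, enable, policy_type
FROM   user_policies
WHERE  object_name = 'BUDGETS';

-- In a Manager's Apex session, this now fails with
-- ORA-28115: policy with check option violation
-- instead of silently moving the budget to another owner:
--   UPDATE budgets SET budget_owner = 'SOMEONE_ELSE' WHERE budget_id = :b1;
```

If the application legitimately needs a user to reassign a budget they cannot see afterwards, do it in a PL/SQL API owned by the schema and exempt that path explicitly, rather than leaving update_check off for everyone.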
  • 25. How it works
        Query:
          SELECT budget_id, name FROM budgets
          WHERE  budget_id = :b1;
        Parser calls function:
          budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
        Executed:
          SELECT budget_id, name
          FROM   ( SELECT * FROM budgets budgets
                   WHERE  budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') )
          WHERE  budget_id = :b1;
  • 26. Policy Function body #2
        FUNCTION budgets_policy
          ( object_schema IN VARCHAR2
          , object_name   IN VARCHAR2
          ) RETURN VARCHAR2 IS
        BEGIN
          RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
                     OR budget_publicity = 'PUBLIC' ]';
        END budgets_policy;
  • 27. Policy Function body #3
        FUNCTION budgets_policy
          ( object_schema IN VARCHAR2
          , object_name   IN VARCHAR2
          ) RETURN VARCHAR2 IS
        BEGIN
          RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER')
                     OR budget_publicity = 'PUBLIC'
                     OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y')
                     OR SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' ]';
        END budgets_policy;
  • 28. Policy Function body #4
        FUNCTION budgets_policy
          ( object_schema IN VARCHAR2
          , object_name   IN VARCHAR2
          ) RETURN VARCHAR2 IS
          o_predicate VARCHAR2(4000);
        BEGIN
          IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN
            o_predicate := '';
          ELSE
            o_predicate := q'[ budget_publicity = 'PUBLIC'
                               OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y')
                               OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]';
          END IF;
          RETURN o_predicate;
        END budgets_policy;
  • 29. Policy Function body #5
        FUNCTION budgets_policy
          ( object_schema IN VARCHAR2
          , object_name   IN VARCHAR2
          ) RETURN VARCHAR2 IS
          o_predicate VARCHAR2(4000);
        BEGIN
          IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN
            o_predicate := '';
          ELSIF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN
            o_predicate := q'[ budget_publicity IN ('PUBLIC','FINANCE')
                               OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]';
          ELSE
            o_predicate := q'[ budget_publicity = 'PUBLIC'
                               OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]';
          END IF;
          RETURN o_predicate;
        END budgets_policy;
        (each branch produces a different predicate, so the same application query ends up as lots of different queries in the shared pool)
  • 32. Cost Centre Policy Function
        FUNCTION cost_centre_policy
          ( object_schema IN VARCHAR2
          , object_name   IN VARCHAR2
          ) RETURN VARCHAR2 IS
        BEGIN
          IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN
            RETURN '';
          ELSE
            RETURN q'[
              EXISTS ( SELECT null
                       FROM   user_cost_centres ucc
                       WHERE  ucc.username    = SYS_CONTEXT('EBUD_CTX','APP_USER')
                       AND    ucc.cost_centre = cost_centres.cost_centre )
              OR EXISTS ( SELECT null
                          FROM   all_budget_branches_vw b
                          JOIN   user_cost_centre_groups uccg
                            ON   uccg.group_code IN (b.branch_code, b.directorate_code, b.division_code)
                          WHERE  uccg.username  = SYS_CONTEXT('EBUD_CTX','APP_USER')
                          AND    b.budget_id    = cost_centres.budget_id
                          AND    b.branch_code  = cost_centres.branch_code )
            ]';
          END IF;
        END cost_centre_policy;
        (we can refer to the table via its alias: the rewritten query aliases the table with its own name, as slide 25 shows)
  • 33. Warning
        Predicate MUST NOT query the table to which it is meant to be applied - not even via a view (the rewritten query would trigger the same policy again, recursively).
        Image source: http://en.wikipedia.org/wiki/Drawing_Hands
  • 34. But… The predicate may query another table that itself has an RLS policy.
  • 35. Budget Entry Policy Function
        FUNCTION budget_entry_policy
          ( object_schema IN VARCHAR2
          , object_name   IN VARCHAR2
          ) RETURN VARCHAR2 IS
        BEGIN
          IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN
            RETURN '';
          ELSE
            RETURN q'[
              EXISTS ( SELECT null
                       FROM   cost_centres cc
                       WHERE  cc.cost_centre = budget_entries.cost_centre
                       AND    cc.budget_id   = budget_entries.budget_id )
            ]';
          END IF;
        END budget_entry_policy;
  • 36. Policy Type parameter (10g+)
        Policy function re-executed for each...   (per object)          (shared across objects)
          statement                               DYNAMIC (default)
          object (predicate cached thereafter)    STATIC                SHARED_STATIC
          change of application context           CONTEXT_SENSITIVE     SHARED_CONTEXT_SENSITIVE
        Consider SHARED_... if your policy function is shared amongst multiple tables.
        If in doubt, always start with the default - DYNAMIC.
        The policy type parameter is a performance optimisation, not a security control, but it must match how the function behaves: a STATIC policy caches the first predicate string the function returns, so a function that branches on SYS_CONTEXT (bodies #4 and #5) must not be declared STATIC.
  • 37. Improved in 12c
        Fine-grained Context Sensitive policies
        – new parameters for DBMS_RLS.add_policy: namespace and attribute
        – new procedure DBMS_RLS.add_policy_context
        – improved performance
  • 38. Bypassing VPD
        • Not enforced for DIRECT path export
        • Grant EXEMPT ACCESS POLICY
        • Return NULL for object owner:
            IF object_schema = USER THEN
              RETURN '';
            END IF;
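Each bypass on this slide is something a security review should be able to enumerate. The following audit script is an added example, not part of the original slides: it uses the standard data dictionary views to list who can bypass the eBud policies, whether the policies are actually present and enabled, which package is trusted to populate EBUD_CTX, and who can execute that package or DBMS_RLS. The schema name EBUD is assumed; substitute the real owner.

```sql
-- Added example: audit who or what can bypass the eBud VPD policies.
-- Run as a DBA-privileged user. All views are standard Oracle dictionary views.

-- 1. Who holds EXEMPT ACCESS POLICY? (grantee may be a role; expand roles
--    through dba_role_privs if any appear here)
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT ACCESS POLICY';

-- 2. Are the policies present, enabled, and on which statement types?
--    An ENABLE = 'NO' row, or a missing INS/UPD/DEL, is a gap.
SELECT object_owner, object_name, policy_name, pf_owner, package, function,
       sel, ins, upd, del, idx, chk_option, enable, policy_type
FROM   dba_policies
WHERE  object_owner = 'EBUD'          -- assumed schema name
ORDER  BY object_name, policy_name;

-- 3. Which package is trusted to set EBUD_CTX? Only this package may call
--    DBMS_SESSION.set_context for the namespace.
SELECT namespace, schema, package, type
FROM   dba_context
WHERE  namespace = 'EBUD_CTX';

-- 4. Who can execute that package (and so set any user's context values),
--    and who can run DBMS_RLS (and so disable or drop a policy)?
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  (owner = 'EBUD' AND table_name = 'VPD_PKG')     -- assumed schema name
   OR  (owner = 'SYS'  AND table_name = 'DBMS_RLS');
```

Before relying on the object-owner exemption from this slide, also check what USER evaluates to in a statement run from an Apex page of this application; if it comes back as the object owner (the usual arrangement when the parsing schema owns the tables), that exemption would disable the policy for every application user rather than just for the DBA's maintenance sessions.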
  • 39. Errors
        • ORA-28112: failed to execute policy function
          – the policy function raised an exception
        • "Invalid SQL statement"
          – may be a syntax error in the generated SQL
        • ORA-28115: policy with check option violation
          – policy applied to Insert or Update with update_check, and the row being written does not satisfy the predicate
        • ORA-28133: full table access is restricted by fine-grained security
          – policy has been applied to Index operation
  • 40. Tuning
        • Set client_identifier to APP_USER:SESSION, then call the policy function
        • or, query v$vpd_policy to get the predicate(s) applied to the query
        • or, get the final exact SQL statement from the trace file:
            ALTER SESSION SET EVENTS '10730 trace name context forever, level 12';
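The first two bullets combine into a repeatable check from SQL*Plus. The script below is an added example, not from the original slides: it adopts the client identifier of an existing Apex session (APP_USER:SESSION, the key vpd_pkg.set_context used), confirms the globally accessed context is visible under it, runs the statement under investigation, and reads back the predicate VPD actually attached to the cursor from v$vpd_policy joined to v$sql. The identifier value and budget_id are constructed sample values; the Apex session they refer to must already exist so that new_session has populated EBUD_CTX.

```sql
-- Added example: see BUDGETS exactly as a given Apex user sees it, and
-- recover the predicate VPD applied. SQL*Plus script; run as a schema that
-- can read BUDGETS and the V$ views.

-- 1. Adopt the Apex session's client identifier (APP_USER:SESSION).
BEGIN
  DBMS_SESSION.set_identifier('JSMITH:1234567890123');  -- constructed sample
END;
/

-- 2. The globally accessed context should now resolve for this identifier.
--    If these come back NULL, new_session was never run for that session.
SELECT SYS_CONTEXT('EBUD_CTX','APP_USER')   AS app_user
     , SYS_CONTEXT('EBUD_CTX','FINANCE')    AS finance
     , SYS_CONTEXT('EBUD_CTX','SUPERADMIN') AS superadmin
FROM   dual;

-- 3. Run the statement under investigation with the same bind shape Apex uses.
VARIABLE b1 NUMBER
EXEC :b1 := 1001;  -- constructed sample budget_id
SELECT budget_id, name FROM budgets WHERE budget_id = :b1;

-- 4. Read back the predicate(s) attached to that cursor.
SELECT s.sql_id, s.child_number, p.object_name, p.policy, p.predicate
FROM   v$sql s
JOIN   v$vpd_policy p
  ON   p.sql_id = s.sql_id AND p.child_number = s.child_number
WHERE  s.sql_text LIKE 'SELECT budget_id, name FROM budgets%';

-- 5. Drop the identifier so this session stops impersonating the user.
BEGIN
  DBMS_SESSION.clear_identifier;
END;
/
```

Step 1 is also a reminder of what the design trusts: any database session that can call DBMS_SESSION.set_identifier can adopt another user's context values, so the globally accessed context protects against confusion between Apex users, not against a hostile direct database connection. Control who can connect to the schema accordingly.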
  • 41. Recommendations
        • Use q'{ syntax for predicates }'
        • Understand how Apex Sessions work
        • Use context for variables
          – avoid injecting literals
          – avoid calls to v() etc.
        • Keep predicates simple
  • 42. More Information
        Read the Oracle Docs for:
        – using policy groups
        – automated policy creation in DDL triggers
        – integration with Oracle Label Security
        – data dictionary views
        – Oracle Data Redaction
  • 43. Oracle Docs
        Oracle Database Security Guide: Using Oracle Virtual Private Database to Control Data Access
          http://bit.ly/16Iq5EQ
        Oracle Database PL/SQL Packages and Types Reference: DBMS_RLS
          http://bit.ly/1abI46V
  • 44. Thank you jeffkemponoracle.com Image source: http://www.toothpastefordinner.com/index.php?date=082609