SlideShare uma empresa Scribd logo

Apex and Virtual Private Database

Jeffrey Kemp
Jeffrey Kemp

This document discusses using Virtual Private Database (VPD) to implement row-level security in an Oracle database. It begins with an overview of VPD and its history. It then presents a case study of implementing VPD for an eBud budgeting application to restrict data access based on user roles. The solution uses application contexts and policy functions to dynamically modify SQL statements. Various enhancements to the policy functions over time improve flexibility and performance. Recommendations are provided for best practices in developing and optimizing VPD policies.

TecnologiaNegócios
1 de 44
Baixar para ler offline
Apex and Virtual Private Database Jeffrey Kemp InSync Perth, Nov 2013
Why use VPD? • • • • Security Simplicity Flexibility No backdoors
Acronym Overload • Virtual Private Database • Row Level Security • Fine-Grained Access Control
VPD introduced; supports tables and views 9i History 8i global application contexts support for synonyms policy groups 10g column-level privacy column masking static policies shared policies 11g integrated into Enterprise Manager 12c improved security for expdp fine-grained context-sensitive policies
Requirements • Enterprise Edition • execute on DBMS_RLS
Disclaimer not an expert expertise
Case Study: eBud • Budgeting solution for a large government department • Groups of users: “Super Admins”, “Finance”, “Managers” • Super Admin: "access all areas" • Finance: "access to most areas" • Managers: "limited access"
eBud Data Model BUDGETS budget_id budget_owner budget_publicity COST_CENTRES cost_centre branch_code BUDGET_ENTRIES chart amount USERS username role_list Row-level security required
Solution #1 Query: SELECT budget_id, name FROM budgets_vw WHERE budget_id = :b1; View: CREATE VIEW budgets_vw AS SELECT * FROM budgets WHERE budget_owner = v('APP_USER');
Solution #2 V.P.D. Image source: http://www.executiveinvestigationandsecurity.com/security/
Row Level Security The query you asked for: SELECT budget_id, name FROM budgets WHERE budget_id = :b1; What we executed: SELECT budget_id, name FROM budgets WHERE budget_id = :b1 AND budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER'); (not exactly, but this gives the general idea)
Package spec PACKAGE vpd_pkg IS PROCEDURE new_session; FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2; END vpd_pkg;
Initialise an Apex Session PROCEDURE new_session IS BEGIN set_context('APP_USER', v('APP_USER')); set_context('SUPERADMIN', is_superadmin); set_context('FINANCE', is_finance_user); END new_session;
Set Context PROCEDURE set_context ( i_attr IN VARCHAR2 , i_value IN VARCHAR2 ) IS BEGIN DBMS_SESSION.set_context ( namespace => 'EBUD_CTX' , attribute => i_attr , value => i_value , client_id => v('APP_USER') || ':' || v('SESSION') ); END set_context;
Create an Application Context CREATE CONTEXT EBUD_CTX USING VPD_PKG ACCESSED GLOBALLY;
Apex Setup 1. Authentication Scheme 2. (no step 2!)
Policy Function body #1 FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END budgets_policy;
(old quote syntax) FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN ' budget_owner = SYS_CONTEXT(''EBUD_CTX'',''APP_USER'') '; END budgets_policy;
Create a Policy begin DBMS_RLS.add_policy ( object_name => 'BUDGETS' , policy_name => 'budgets_policy' , policy_function => 'VPD_PKG.budgets_policy' ); end; /
Create a Policy begin DBMS_RLS.add_policy ( object_name , policy_name , policy_function , statement_types ); end; / => => => => 'BUDGETS' 'budgets_policy' 'VPD_PKG.budgets_policy' 'SELECT'
DBMS_RLS.add_policy • • • • • • object_schema (NULL for current user) object_name (table or view) policy_name function_schema (NULL for current user) policy_function statement_types (default is SELECT, INSERT, UPDATE, DELETE) • policy_type • (other optional parameters)
How it works Query: SELECT budget_id, name FROM budgets WHERE budget_id = :b1; Parser calls function: budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') Executed: SELECT budget_id, name FROM ( SELECT * FROM budgets budgets WHERE budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ) WHERE budget_id = :b1;
Policy Function body #2 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') OR budget_publicity = 'PUBLIC' ]'; END budgets_policy;
Policy Function body #3 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') OR budget_publicity = 'PUBLIC' OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y') OR SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' ]'; END budgets_policy;
Policy Function body #4 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS o_predicate VARCHAR2(4000); BEGIN IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN o_predicate := ''; ELSE o_predicate := q'[ budget_publicity = 'PUBLIC' OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y') OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END IF; RETURN o_predicate; END budgets_policy;
Policy Function body #5 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS o_predicate VARCHAR2(4000); BEGIN IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN o_predicate := ''; ELSIF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN o_predicate := q'[ budget_publicity IN ('PUBLIC','FINANCE') OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; ELSE o_predicate := q'[ budget_publicity = 'PUBLIC' OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END IF; RETURN o_predicate; lots of different queries in shared pool END budgets_policy;
Directorate Branch Cost Centre Directorate Branch Cost Centre Cost Centre Branch Cost Centre Cost Centre Hierarchy "Cost Centre Groups" Division
eBud Data Model BUDGETS budget_id budget_owner budget_publicity USER_COST_CENTRES COST_CENTRES cost_centre branch_code USERS username role_list COST_CENTRE_GROUPS parent_group_code USER_COST_CENTRE_GROUPS group_code hierarchy
FUNCTION cost_centre_policy (object_schema IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS BEGIN IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN RETURN ''; ELSE RETURN q'[ EXISTS ( SELECT null FROM user_cost_centres ucc WHERE ucc.username = SYS_CONTEXT('EBUD_CTX','APP_USER') AND ucc.cost_centre = cost_centres.cost_centre ) OR EXISTS ( SELECT null FROM all_budget_branches_vw b JOIN user_cost_centre_groups uccg ON uccg.group_code IN (b.branch_code, b.directorate_code, b.division_code) WHERE uccg.username = SYS_CONTEXT('EBUD_CTX','APP_USER') AND b.budget_id = cost_centres.budget_id AND b.branch_code = cost_centres.branch_code ) ]'; END IF; we can refer to the table via its alias END cost_centre_policy; Cost Centre Policy Function
Warning Predicate MUST NOT query the table to which it is meant to be applied - not even via a view Image source: http://en.wikipedia.org/wiki/Drawing_Hands
But… The predicate may query another table that itself has an RLS policy.
Budget Entry Policy Function FUNCTION budget_entry_policy (object_schema IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS BEGIN IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN RETURN ''; ELSE RETURN q'[ EXISTS ( SELECT null FROM cost_centres cc WHERE cc.cost_centre = budget_entries.cost_centre AND cc.budget_id = budget_entries.budget_id ) ]'; END IF; END budget_entry_policy;
Policy Type parameter (10g+) Re-Executed statement for each for all DYNAMIC (default) object STATIC SHARED_STATIC context CONTEXT_SENSITIVE SHARED_CONTEXT_SENSITIVE consider SHARED_... if your policy function is shared amongs multiple tables If in doubt, always start with the default - DYNAMIC The policy type parameter is just for performance optimisation.
Improved in 12c Fine-grained Context Sensitive policies – new parameters for DBMS_RLS.add_policy: namespace and attribute – new procedure DBMS_RLS.add_policy_context – improved performance
Bypassing VPD • Not enforced for DIRECT path export • Grant EXEMPT ACCESS POLICY • Return NULL for object owner: IF object_schema = USER THEN RETURN ''; END IF;
Errors • ORA-28112: failed to execute policy function – the policy function raised an exception • "Invalid SQL statement" – may be a syntax error in the generated SQL • ORA-28115: policy with check option violation – policy has been applied to Insert, Update or Delete operations • ORA-28133: full table access is restricted by fine-grained security – policy has been applied to Index operation
Tuning • Set client_identifier to APP_USER:SESSION then call the policy function • or, query v$vpd_policy to get the predicate(s) applied to the query • or, get the final exact SQL statement from the trace file ALTER SESSION SET EVENTS '10730 trace name context forever, level 12';
Recommendations • Use q'{ syntax for predicates }' • Understand how Apex Sessions work • Use context for variables – avoid injecting literals – avoid calls to v() etc. • Keep predicates simple
More Information Read the Oracle Docs for: – using policy groups – automated policy creation in DDL triggers – integration with Oracle Label Security – data dictionary views – Oracle Data Redaction
Oracle Docs Oracle Database Security Guide: Using Oracle Virtual Private Database to Control Data Access http://bit.ly/16Iq5EQ Oracle Database PL/SQL Packages and Types Reference: DBMS_RLS http://bit.ly/1abI46V
Thank you jeffkemponoracle.com Image source: http://www.toothpastefordinner.com/index.php?date=082609

Recomendados

Vpd
VpdVpd
VpdSage Computing Services
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriLucas Jellema
 
OER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseOER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseGirija Muscut
 
Vpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By SaurabhVpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By Saurabhguestd83b546
 
Creating Your Data Governance Dashboard
Creating Your Data Governance DashboardCreating Your Data Governance Dashboard
Creating Your Data Governance DashboardTrillium Software
 
Database Archiving - Managing Data for Long Retention Periods
Database Archiving - Managing Data for Long Retention PeriodsDatabase Archiving - Managing Data for Long Retention Periods
Database Archiving - Managing Data for Long Retention PeriodsCraig Mullins
 
Data and AI summit: data pipelines observability with open lineage
Data and AI summit: data pipelines observability with open lineageData and AI summit: data pipelines observability with open lineage
Data and AI summit: data pipelines observability with open lineageJulien Le Dem
 
MySQL Administrator 2021 - 네오클로바
MySQL Administrator 2021 - 네오클로바MySQL Administrator 2021 - 네오클로바
MySQL Administrator 2021 - 네오클로바NeoClova
 

Recomendados

Vpd
VpdVpd
VpdSage Computing Services
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriLucas Jellema
 
OER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseOER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseGirija Muscut
 
Vpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By SaurabhVpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By Saurabhguestd83b546
 
Creating Your Data Governance Dashboard
Creating Your Data Governance DashboardCreating Your Data Governance Dashboard
Creating Your Data Governance DashboardTrillium Software
 
Database Archiving - Managing Data for Long Retention Periods
Database Archiving - Managing Data for Long Retention PeriodsDatabase Archiving - Managing Data for Long Retention Periods
Database Archiving - Managing Data for Long Retention PeriodsCraig Mullins
 
Data and AI summit: data pipelines observability with open lineage
Data and AI summit: data pipelines observability with open lineageData and AI summit: data pipelines observability with open lineage
Data and AI summit: data pipelines observability with open lineageJulien Le Dem
 
MySQL Administrator 2021 - 네오클로바
MySQL Administrator 2021 - 네오클로바MySQL Administrator 2021 - 네오클로바
MySQL Administrator 2021 - 네오클로바NeoClova
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionIvica Arsov
 
Less05 asm instance
Less05 asm instanceLess05 asm instance
Less05 asm instanceAmit Bhalla
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cNabeel Yoosuf
 
Data Vault Overview
Data Vault OverviewData Vault Overview
Data Vault OverviewEmpowered Holdings, LLC
 
Master Data Management - Gartner Presentation
Master Data Management - Gartner PresentationMaster Data Management - Gartner Presentation
Master Data Management - Gartner Presentation303Computing
 
Zensar SAP Practice
Zensar SAP PracticeZensar SAP Practice
Zensar SAP PracticeNiraj Singh
 
Hash, Little Baby. Some examples of SAS programming when hash object are real...
Hash, Little Baby. Some examples of SAS programming when hash object are real...Hash, Little Baby. Some examples of SAS programming when hash object are real...
Hash, Little Baby. Some examples of SAS programming when hash object are real...Dmitry Shopin
 
Get to know PostgreSQL!
Get to know PostgreSQL!Get to know PostgreSQL!
Get to know PostgreSQL!Oddbjørn Steffensen
 
MongoDB Sharding Fundamentals
MongoDB Sharding Fundamentals MongoDB Sharding Fundamentals
MongoDB Sharding Fundamentals Antonios Giannopoulos
 
Autonomous Data Warehouse
Autonomous Data WarehouseAutonomous Data Warehouse
Autonomous Data WarehouseMarketingArrowECS_CZ
 
Modern Data Architecture
Modern Data ArchitectureModern Data Architecture
Modern Data ArchitectureAlexey Grishchenko
 
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part I
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part IPre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part I
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part ICA Technologies
 
NoSQL Database- cassandra column Base DB
NoSQL Database- cassandra column Base DBNoSQL Database- cassandra column Base DB
NoSQL Database- cassandra column Base DBsadegh salehi
 
Data management best practices - infographic
Data management best practices - infographicData management best practices - infographic
Data management best practices - infographicIntellspot
 
Modern Data Warehousing with the Microsoft Analytics Platform System
Modern Data Warehousing with the Microsoft Analytics Platform SystemModern Data Warehousing with the Microsoft Analytics Platform System
Modern Data Warehousing with the Microsoft Analytics Platform SystemJames Serra
 
MongoDB WiredTiger Internals
MongoDB WiredTiger InternalsMongoDB WiredTiger Internals
MongoDB WiredTiger InternalsNorberto Leite
 
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...Implementing Data Virtualization for Data Warehouses and Master Data Manageme...
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...Denodo
 
The what, why, and how of master data management
The what, why, and how of master data managementThe what, why, and how of master data management
The what, why, and how of master data managementMohammad Yousri
 
MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting Mydbops
 
What Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource AllocationWhat Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource AllocationFreddy Rolland
 
Why You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperWhy You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperJeffrey Kemp
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in ApexJeffrey Kemp
 

Mais conteúdo relacionado

Mais procurados

Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionIvica Arsov
 
Less05 asm instance
Less05 asm instanceLess05 asm instance
Less05 asm instanceAmit Bhalla
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cNabeel Yoosuf
 
Master Data Management - Gartner Presentation
Master Data Management - Gartner PresentationMaster Data Management - Gartner Presentation
Master Data Management - Gartner Presentation303Computing
 
Zensar SAP Practice
Zensar SAP PracticeZensar SAP Practice
Zensar SAP PracticeNiraj Singh
 
Hash, Little Baby. Some examples of SAS programming when hash object are real...
Hash, Little Baby. Some examples of SAS programming when hash object are real...Hash, Little Baby. Some examples of SAS programming when hash object are real...
Hash, Little Baby. Some examples of SAS programming when hash object are real...Dmitry Shopin
 
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part I
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part IPre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part I
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part ICA Technologies
 
NoSQL Database- cassandra column Base DB
NoSQL Database- cassandra column Base DBNoSQL Database- cassandra column Base DB
NoSQL Database- cassandra column Base DBsadegh salehi
 
Data management best practices - infographic
Data management best practices - infographicData management best practices - infographic
Data management best practices - infographicIntellspot
 
Modern Data Warehousing with the Microsoft Analytics Platform System
Modern Data Warehousing with the Microsoft Analytics Platform SystemModern Data Warehousing with the Microsoft Analytics Platform System
Modern Data Warehousing with the Microsoft Analytics Platform SystemJames Serra
 
MongoDB WiredTiger Internals
MongoDB WiredTiger InternalsMongoDB WiredTiger Internals
MongoDB WiredTiger InternalsNorberto Leite
 
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...Implementing Data Virtualization for Data Warehouses and Master Data Manageme...
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...Denodo
 
The what, why, and how of master data management
The what, why, and how of master data managementThe what, why, and how of master data management
The what, why, and how of master data managementMohammad Yousri
 
MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting Mydbops
 
What Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource AllocationWhat Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource AllocationFreddy Rolland
 

Mais procurados (20)

Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 
Less05 asm instance
Less05 asm instanceLess05 asm instance
Less05 asm instance
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
 
Data Vault Overview
Data Vault OverviewData Vault Overview
Data Vault Overview
 
Master Data Management - Gartner Presentation
Master Data Management - Gartner PresentationMaster Data Management - Gartner Presentation
Master Data Management - Gartner Presentation
 
Zensar SAP Practice
Zensar SAP PracticeZensar SAP Practice
Zensar SAP Practice
 
Hash, Little Baby. Some examples of SAS programming when hash object are real...
Hash, Little Baby. Some examples of SAS programming when hash object are real...Hash, Little Baby. Some examples of SAS programming when hash object are real...
Hash, Little Baby. Some examples of SAS programming when hash object are real...
 
Get to know PostgreSQL!
Get to know PostgreSQL!Get to know PostgreSQL!
Get to know PostgreSQL!
 
MongoDB Sharding Fundamentals
MongoDB Sharding Fundamentals MongoDB Sharding Fundamentals
MongoDB Sharding Fundamentals
 
Autonomous Data Warehouse
Autonomous Data WarehouseAutonomous Data Warehouse
Autonomous Data Warehouse
 
Modern Data Architecture
Modern Data ArchitectureModern Data Architecture
Modern Data Architecture
 
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part I
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part IPre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part I
Pre-Con Ed: Introduction to CA Datacom Key Concepts and Facilities Part I
 
NoSQL Database- cassandra column Base DB
NoSQL Database- cassandra column Base DBNoSQL Database- cassandra column Base DB
NoSQL Database- cassandra column Base DB
 
Data management best practices - infographic
Data management best practices - infographicData management best practices - infographic
Data management best practices - infographic
 
Modern Data Warehousing with the Microsoft Analytics Platform System
Modern Data Warehousing with the Microsoft Analytics Platform SystemModern Data Warehousing with the Microsoft Analytics Platform System
Modern Data Warehousing with the Microsoft Analytics Platform System
 
MongoDB WiredTiger Internals
MongoDB WiredTiger InternalsMongoDB WiredTiger Internals
MongoDB WiredTiger Internals
 
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...Implementing Data Virtualization for Data Warehouses and Master Data Manageme...
Implementing Data Virtualization for Data Warehouses and Master Data Manageme...
 
The what, why, and how of master data management
The what, why, and how of master data managementThe what, why, and how of master data management
The what, why, and how of master data management
 
MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting MySQL GTID Concepts, Implementation and troubleshooting
MySQL GTID Concepts, Implementation and troubleshooting
 
What Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource AllocationWhat Can I Get You? An Introduction to Dynamic Resource Allocation
What Can I Get You? An Introduction to Dynamic Resource Allocation
 

Destaque

Why You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperWhy You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperJeffrey Kemp
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in ApexJeffrey Kemp
 
Why You Should Use TAPIs
Why You Should Use TAPIsWhy You Should Use TAPIs
Why You Should Use TAPIsJeffrey Kemp
 
Automate Amazon S3 Storage with Alexandria
Automate Amazon S3 Storage with AlexandriaAutomate Amazon S3 Storage with Alexandria
Automate Amazon S3 Storage with AlexandriaJeffrey Kemp
 
Aws konferenz vortrag gk
Aws konferenz vortrag gkAws konferenz vortrag gk
Aws konferenz vortrag gkexecupery
 
Učinkovitejše iskanje v Google
Učinkovitejše iskanje v GoogleUčinkovitejše iskanje v Google
Učinkovitejše iskanje v GoogleTomaž Bešter
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
2013 first of the year woooo
2013 first of the year woooo2013 first of the year woooo
2013 first of the year woooopeterpanpeyton
 

Destaque (9)

Why You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperWhy You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL Developer
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in Apex
 
Why You Should Use TAPIs
Why You Should Use TAPIsWhy You Should Use TAPIs
Why You Should Use TAPIs
 
Automate Amazon S3 Storage with Alexandria
Automate Amazon S3 Storage with AlexandriaAutomate Amazon S3 Storage with Alexandria
Automate Amazon S3 Storage with Alexandria
 
Aws konferenz vortrag gk
Aws konferenz vortrag gkAws konferenz vortrag gk
Aws konferenz vortrag gk
 
Učinkovitejše iskanje v Google
Učinkovitejše iskanje v GoogleUčinkovitejše iskanje v Google
Učinkovitejše iskanje v Google
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
2013 first of the year woooo
2013 first of the year woooo2013 first of the year woooo
2013 first of the year woooo
 
Single page App
Single page AppSingle page App
Single page App
 

Semelhante a Apex and Virtual Private Database

Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres MonitoringDenish Patel
 
Part1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the OptimizerPart1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the OptimizerMaria Colgan
 
(Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docx (Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docxaryan532920
 
Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Stamatis Zampetakis
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabaseMarkus Flechtner
 
Getting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialGetting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialSam Garforth
 
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...Sparkhound Inc.
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeBiju Thomas
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionAlex Zaballa
 
Supercharge your data analytics with BigQuery
Supercharge your data analytics with BigQuerySupercharge your data analytics with BigQuery
Supercharge your data analytics with BigQueryMárton Kodok
 
Intershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerIntershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerMauro Boffardi
 
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1MariaDB plc
 
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1MariaDB plc
 
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
22-4_PerformanceTuningUsingtheAdvisorFramework.pdfyishengxi
 
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...Karthik K Iyengar
 
Beginners guide to_optimizer
Beginners guide to_optimizerBeginners guide to_optimizer
Beginners guide to_optimizerMaria Colgan
 
SenchaCon 2016: Enterprise Applications, Role Based Access Controls (RBAC) an...
SenchaCon 2016: Enterprise Applications, Role Based Access Controls (RBAC) an...SenchaCon 2016: Enterprise Applications, Role Based Access Controls (RBAC) an...
SenchaCon 2016: Enterprise Applications, Role Based Access Controls (RBAC) an...Sencha
 

Semelhante a Apex and Virtual Private Database (20)

Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres Monitoring
 
Part1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the OptimizerPart1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the Optimizer
 
(Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docx (Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docx
 
Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle Database
 
Getting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialGetting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
 
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
 
Droidcon Paris 2015
Droidcon Paris 2015Droidcon Paris 2015
Droidcon Paris 2015
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least Privilege
 
Aspects of 10 Tuning
Aspects of 10 TuningAspects of 10 Tuning
Aspects of 10 Tuning
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 
Supercharge your data analytics with BigQuery
Supercharge your data analytics with BigQuerySupercharge your data analytics with BigQuery
Supercharge your data analytics with BigQuery
 
Intershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerIntershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL Server
 
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
 
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
 
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
 
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW Auditing
 
Beginners guide to_optimizer
Beginners guide to_optimizerBeginners guide to_optimizer
Beginners guide to_optimizer
 
SenchaCon 2016: Enterprise Applications, Role Based Access Controls (RBAC) an...
SenchaCon 2016: Enterprise Applications, Role Based Access Controls (RBAC) an...SenchaCon 2016: Enterprise Applications, Role Based Access Controls (RBAC) an...
SenchaCon 2016: Enterprise Applications, Role Based Access Controls (RBAC) an...
 

Último

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 

Último (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 

Apex and Virtual Private Database

  • 1. Apex and Virtual Private Database Jeffrey Kemp InSync Perth, Nov 2013
  • 3.
  • 4. Acronym Overload • Virtual Private Database • Row Level Security • Fine-Grained Access Control
  • 5. VPD introduced; supports tables and views 9i History 8i global application contexts support for synonyms policy groups 10g column-level privacy column masking static policies shared policies 11g integrated into Enterprise Manager 12c improved security for expdp fine-grained context-sensitive policies
  • 6.
  • 9. Case Study: eBud • Budgeting solution for a large government department • Groups of users: “Super Admins”, “Finance”, “Managers” • Super Admin: "access all areas" • Finance: "access to most areas" • Managers: "limited access"
  • 11. Solution #1 Query: SELECT budget_id, name FROM budgets_vw WHERE budget_id = :b1; View: CREATE VIEW budgets_vw AS SELECT * FROM budgets WHERE budget_owner = v('APP_USER');
  • 12. Solution #2 V.P.D. Image source: http://www.executiveinvestigationandsecurity.com/security/
  • 13. Row Level Security The query you asked for: SELECT budget_id, name FROM budgets WHERE budget_id = :b1; What we executed: SELECT budget_id, name FROM budgets WHERE budget_id = :b1 AND budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER'); (not exactly, but this gives the general idea)
  • 14. Package spec PACKAGE vpd_pkg IS PROCEDURE new_session; FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2; END vpd_pkg;
  • 15. Initialise an Apex Session PROCEDURE new_session IS BEGIN set_context('APP_USER', v('APP_USER')); set_context('SUPERADMIN', is_superadmin); set_context('FINANCE', is_finance_user); END new_session;
  • 16. Set Context PROCEDURE set_context ( i_attr IN VARCHAR2 , i_value IN VARCHAR2 ) IS BEGIN DBMS_SESSION.set_context ( namespace => 'EBUD_CTX' , attribute => i_attr , value => i_value , client_id => v('APP_USER') || ':' || v('SESSION') ); END set_context;
  • 17. Create an Application Context CREATE CONTEXT EBUD_CTX USING VPD_PKG ACCESSED GLOBALLY;
  • 18. Apex Setup 1. Authentication Scheme 2. (no step 2!)
  • 19.
  • 20. Policy Function body #1 FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END budgets_policy;
  • 21. (old quote syntax) FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN ' budget_owner = SYS_CONTEXT(''EBUD_CTX'',''APP_USER'') '; END budgets_policy;
  • 22. Create a Policy begin DBMS_RLS.add_policy ( object_name => 'BUDGETS' , policy_name => 'budgets_policy' , policy_function => 'VPD_PKG.budgets_policy' ); end; /
  • 23. Create a Policy begin DBMS_RLS.add_policy ( object_name , policy_name , policy_function , statement_types ); end; / => => => => 'BUDGETS' 'budgets_policy' 'VPD_PKG.budgets_policy' 'SELECT'
  • 24. DBMS_RLS.add_policy • • • • • • object_schema (NULL for current user) object_name (table or view) policy_name function_schema (NULL for current user) policy_function statement_types (default is SELECT, INSERT, UPDATE, DELETE) • policy_type • (other optional parameters)
  • 25. How it works Query: SELECT budget_id, name FROM budgets WHERE budget_id = :b1; Parser calls function: budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') Executed: SELECT budget_id, name FROM ( SELECT * FROM budgets budgets WHERE budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ) WHERE budget_id = :b1;
  • 26. Policy Function body #2 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') OR budget_publicity = 'PUBLIC' ]'; END budgets_policy;
  • 27. Policy Function body #3 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') OR budget_publicity = 'PUBLIC' OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y') OR SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' ]'; END budgets_policy;
  • 28. Policy Function body #4 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS o_predicate VARCHAR2(4000); BEGIN IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN o_predicate := ''; ELSE o_predicate := q'[ budget_publicity = 'PUBLIC' OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y') OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END IF; RETURN o_predicate; END budgets_policy;
  • 29. Policy Function body #5 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS o_predicate VARCHAR2(4000); BEGIN IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN o_predicate := ''; ELSIF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN o_predicate := q'[ budget_publicity IN ('PUBLIC','FINANCE') OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; ELSE o_predicate := q'[ budget_publicity = 'PUBLIC' OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END IF; RETURN o_predicate; lots of different queries in shared pool END budgets_policy;
  • 32. FUNCTION cost_centre_policy (object_schema IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS BEGIN IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN RETURN ''; ELSE RETURN q'[ EXISTS ( SELECT null FROM user_cost_centres ucc WHERE ucc.username = SYS_CONTEXT('EBUD_CTX','APP_USER') AND ucc.cost_centre = cost_centres.cost_centre ) OR EXISTS ( SELECT null FROM all_budget_branches_vw b JOIN user_cost_centre_groups uccg ON uccg.group_code IN (b.branch_code, b.directorate_code, b.division_code) WHERE uccg.username = SYS_CONTEXT('EBUD_CTX','APP_USER') AND b.budget_id = cost_centres.budget_id AND b.branch_code = cost_centres.branch_code ) ]'; END IF; we can refer to the table via its alias END cost_centre_policy; Cost Centre Policy Function
  • 33. Warning Predicate MUST NOT query the table to which it is meant to be applied - not even via a view Image source: http://en.wikipedia.org/wiki/Drawing_Hands
  • 34. But… The predicate may query another table that itself has an RLS policy.
  • 35. Budget Entry Policy Function FUNCTION budget_entry_policy (object_schema IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS BEGIN IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN RETURN ''; ELSE RETURN q'[ EXISTS ( SELECT null FROM cost_centres cc WHERE cc.cost_centre = budget_entries.cost_centre AND cc.budget_id = budget_entries.budget_id ) ]'; END IF; END budget_entry_policy;
  • 36. Policy Type parameter (10g+) Re-Executed statement for each for all DYNAMIC (default) object STATIC SHARED_STATIC context CONTEXT_SENSITIVE SHARED_CONTEXT_SENSITIVE consider SHARED_... if your policy function is shared amongs multiple tables If in doubt, always start with the default - DYNAMIC The policy type parameter is just for performance optimisation.
  • 37. Improved in 12c Fine-grained Context Sensitive policies – new parameters for DBMS_RLS.add_policy: namespace and attribute – new procedure DBMS_RLS.add_policy_context – improved performance
  • 38. Bypassing VPD • Not enforced for DIRECT path export • Grant EXEMPT ACCESS POLICY • Return NULL for object owner: IF object_schema = USER THEN RETURN ''; END IF;
  • 39. Errors • ORA-28112: failed to execute policy function – the policy function raised an exception • "Invalid SQL statement" – may be a syntax error in the generated SQL • ORA-28115: policy with check option violation – policy has been applied to Insert, Update or Delete operations • ORA-28133: full table access is restricted by fine-grained security – policy has been applied to Index operation
  • 40. Tuning • Set client_identifier to APP_USER:SESSION then call the policy function • or, query v$vpd_policy to get the predicate(s) applied to the query • or, get the final exact SQL statement from the trace file ALTER SESSION SET EVENTS '10730 trace name context forever, level 12';
  • 41. Recommendations • Use q'{ syntax for predicates }' • Understand how Apex Sessions work • Use context for variables – avoid injecting literals – avoid calls to v() etc. • Keep predicates simple
  • 42. More Information Read the Oracle Docs for: – using policy groups – automated policy creation in DDL triggers – integration with Oracle Label Security – data dictionary views – Oracle Data Redaction
  • 43. Oracle Docs Oracle Database Security Guide: Using Oracle Virtual Private Database to Control Data Access http://bit.ly/16Iq5EQ Oracle Database PL/SQL Packages and Types Reference: DBMS_RLS http://bit.ly/1abI46V
  • 44. Thank you jeffkemponoracle.com Image source: http://www.toothpastefordinner.com/index.php?date=082609