SlideShare a Scribd company logo

Apex and Virtual Private Database

Jeffrey Kemp
Jeffrey Kemp

This document discusses using Virtual Private Database (VPD) to implement row-level security in an Oracle database. It begins with an overview of VPD and its history. It then presents a case study of implementing VPD for an eBud budgeting application to restrict data access based on user roles. The solution uses application contexts and policy functions to dynamically modify SQL statements. Various enhancements to the policy functions over time improve flexibility and performance. Recommendations are provided for best practices in developing and optimizing VPD policies.

TechnologyBusiness
1 of 44
Download to read offline
Apex and Virtual Private Database Jeffrey Kemp InSync Perth, Nov 2013
Why use VPD? • • • • Security Simplicity Flexibility No backdoors
Acronym Overload • Virtual Private Database • Row Level Security • Fine-Grained Access Control
VPD introduced; supports tables and views 9i History 8i global application contexts support for synonyms policy groups 10g column-level privacy column masking static policies shared policies 11g integrated into Enterprise Manager 12c improved security for expdp fine-grained context-sensitive policies
Requirements • Enterprise Edition • execute on DBMS_RLS
Disclaimer not an expert expertise
Case Study: eBud • Budgeting solution for a large government department • Groups of users: “Super Admins”, “Finance”, “Managers” • Super Admin: "access all areas" • Finance: "access to most areas" • Managers: "limited access"
eBud Data Model BUDGETS budget_id budget_owner budget_publicity COST_CENTRES cost_centre branch_code BUDGET_ENTRIES chart amount USERS username role_list Row-level security required
Solution #1 Query: SELECT budget_id, name FROM budgets_vw WHERE budget_id = :b1; View: CREATE VIEW budgets_vw AS SELECT * FROM budgets WHERE budget_owner = v('APP_USER');
Solution #2 V.P.D. Image source: http://www.executiveinvestigationandsecurity.com/security/
Row Level Security The query you asked for: SELECT budget_id, name FROM budgets WHERE budget_id = :b1; What we executed: SELECT budget_id, name FROM budgets WHERE budget_id = :b1 AND budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER'); (not exactly, but this gives the general idea)
Package spec PACKAGE vpd_pkg IS PROCEDURE new_session; FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2; END vpd_pkg;
Initialise an Apex Session PROCEDURE new_session IS BEGIN set_context('APP_USER', v('APP_USER')); set_context('SUPERADMIN', is_superadmin); set_context('FINANCE', is_finance_user); END new_session;
Set Context PROCEDURE set_context ( i_attr IN VARCHAR2 , i_value IN VARCHAR2 ) IS BEGIN DBMS_SESSION.set_context ( namespace => 'EBUD_CTX' , attribute => i_attr , value => i_value , client_id => v('APP_USER') || ':' || v('SESSION') ); END set_context;
Create an Application Context CREATE CONTEXT EBUD_CTX USING VPD_PKG ACCESSED GLOBALLY;
Apex Setup 1. Authentication Scheme 2. (no step 2!)
Policy Function body #1 FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END budgets_policy;
(old quote syntax) FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN ' budget_owner = SYS_CONTEXT(''EBUD_CTX'',''APP_USER'') '; END budgets_policy;
Create a Policy begin DBMS_RLS.add_policy ( object_name => 'BUDGETS' , policy_name => 'budgets_policy' , policy_function => 'VPD_PKG.budgets_policy' ); end; /
Create a Policy begin DBMS_RLS.add_policy ( object_name , policy_name , policy_function , statement_types ); end; / => => => => 'BUDGETS' 'budgets_policy' 'VPD_PKG.budgets_policy' 'SELECT'
DBMS_RLS.add_policy • • • • • • object_schema (NULL for current user) object_name (table or view) policy_name function_schema (NULL for current user) policy_function statement_types (default is SELECT, INSERT, UPDATE, DELETE) • policy_type • (other optional parameters)
How it works Query: SELECT budget_id, name FROM budgets WHERE budget_id = :b1; Parser calls function: budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') Executed: SELECT budget_id, name FROM ( SELECT * FROM budgets budgets WHERE budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ) WHERE budget_id = :b1;
Policy Function body #2 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') OR budget_publicity = 'PUBLIC' ]'; END budgets_policy;
Policy Function body #3 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') OR budget_publicity = 'PUBLIC' OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y') OR SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' ]'; END budgets_policy;
Policy Function body #4 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS o_predicate VARCHAR2(4000); BEGIN IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN o_predicate := ''; ELSE o_predicate := q'[ budget_publicity = 'PUBLIC' OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y') OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END IF; RETURN o_predicate; END budgets_policy;
Policy Function body #5 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS o_predicate VARCHAR2(4000); BEGIN IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN o_predicate := ''; ELSIF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN o_predicate := q'[ budget_publicity IN ('PUBLIC','FINANCE') OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; ELSE o_predicate := q'[ budget_publicity = 'PUBLIC' OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END IF; RETURN o_predicate; lots of different queries in shared pool END budgets_policy;
Directorate Branch Cost Centre Directorate Branch Cost Centre Cost Centre Branch Cost Centre Cost Centre Hierarchy "Cost Centre Groups" Division
eBud Data Model BUDGETS budget_id budget_owner budget_publicity USER_COST_CENTRES COST_CENTRES cost_centre branch_code USERS username role_list COST_CENTRE_GROUPS parent_group_code USER_COST_CENTRE_GROUPS group_code hierarchy
FUNCTION cost_centre_policy (object_schema IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS BEGIN IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN RETURN ''; ELSE RETURN q'[ EXISTS ( SELECT null FROM user_cost_centres ucc WHERE ucc.username = SYS_CONTEXT('EBUD_CTX','APP_USER') AND ucc.cost_centre = cost_centres.cost_centre ) OR EXISTS ( SELECT null FROM all_budget_branches_vw b JOIN user_cost_centre_groups uccg ON uccg.group_code IN (b.branch_code, b.directorate_code, b.division_code) WHERE uccg.username = SYS_CONTEXT('EBUD_CTX','APP_USER') AND b.budget_id = cost_centres.budget_id AND b.branch_code = cost_centres.branch_code ) ]'; END IF; we can refer to the table via its alias END cost_centre_policy; Cost Centre Policy Function
Warning Predicate MUST NOT query the table to which it is meant to be applied - not even via a view Image source: http://en.wikipedia.org/wiki/Drawing_Hands
But… The predicate may query another table that itself has an RLS policy.
Budget Entry Policy Function FUNCTION budget_entry_policy (object_schema IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS BEGIN IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN RETURN ''; ELSE RETURN q'[ EXISTS ( SELECT null FROM cost_centres cc WHERE cc.cost_centre = budget_entries.cost_centre AND cc.budget_id = budget_entries.budget_id ) ]'; END IF; END budget_entry_policy;
Policy Type parameter (10g+) Re-Executed statement for each for all DYNAMIC (default) object STATIC SHARED_STATIC context CONTEXT_SENSITIVE SHARED_CONTEXT_SENSITIVE consider SHARED_... if your policy function is shared amongs multiple tables If in doubt, always start with the default - DYNAMIC The policy type parameter is just for performance optimisation.
Improved in 12c Fine-grained Context Sensitive policies – new parameters for DBMS_RLS.add_policy: namespace and attribute – new procedure DBMS_RLS.add_policy_context – improved performance
Bypassing VPD • Not enforced for DIRECT path export • Grant EXEMPT ACCESS POLICY • Return NULL for object owner: IF object_schema = USER THEN RETURN ''; END IF;
Errors • ORA-28112: failed to execute policy function – the policy function raised an exception • "Invalid SQL statement" – may be a syntax error in the generated SQL • ORA-28115: policy with check option violation – policy has been applied to Insert, Update or Delete operations • ORA-28133: full table access is restricted by fine-grained security – policy has been applied to Index operation
Tuning • Set client_identifier to APP_USER:SESSION then call the policy function • or, query v$vpd_policy to get the predicate(s) applied to the query • or, get the final exact SQL statement from the trace file ALTER SESSION SET EVENTS '10730 trace name context forever, level 12';
Recommendations • Use q'{ syntax for predicates }' • Understand how Apex Sessions work • Use context for variables – avoid injecting literals – avoid calls to v() etc. • Keep predicates simple
More Information Read the Oracle Docs for: – using policy groups – automated policy creation in DDL triggers – integration with Oracle Label Security – data dictionary views – Oracle Data Redaction
Oracle Docs Oracle Database Security Guide: Using Oracle Virtual Private Database to Control Data Access http://bit.ly/16Iq5EQ Oracle Database PL/SQL Packages and Types Reference: DBMS_RLS http://bit.ly/1abI46V
Thank you jeffkemponoracle.com Image source: http://www.toothpastefordinner.com/index.php?date=082609

Recommended

SQL Server Stored procedures
SQL Server Stored proceduresSQL Server Stored procedures
SQL Server Stored proceduresRandy Riness @ South Puget Sound Community College
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriLucas Jellema
 
Sql
SqlSql
Sqlnavsissuk
 
[Pgday.Seoul 2020] SQL Tuning
[Pgday.Seoul 2020] SQL Tuning[Pgday.Seoul 2020] SQL Tuning
[Pgday.Seoul 2020] SQL TuningPgDay.Seoul
 
Introduction to Apache Pig
Introduction to Apache PigIntroduction to Apache Pig
Introduction to Apache PigJason Shao
 
MYSQL
MYSQLMYSQL
MYSQLAnkush Jain
 
Practical Partitioning in Production with Postgres
Practical Partitioning in Production with PostgresPractical Partitioning in Production with Postgres
Practical Partitioning in Production with PostgresEDB
 
MySQL Group Replication
MySQL Group ReplicationMySQL Group Replication
MySQL Group ReplicationKenny Gryp
 

Recommended

SQL Server Stored procedures
SQL Server Stored proceduresSQL Server Stored procedures
SQL Server Stored proceduresRandy Riness @ South Puget Sound Community College
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriLucas Jellema
 
Sql
SqlSql
Sqlnavsissuk
 
[Pgday.Seoul 2020] SQL Tuning
[Pgday.Seoul 2020] SQL Tuning[Pgday.Seoul 2020] SQL Tuning
[Pgday.Seoul 2020] SQL TuningPgDay.Seoul
 
Introduction to Apache Pig
Introduction to Apache PigIntroduction to Apache Pig
Introduction to Apache PigJason Shao
 
MYSQL
MYSQLMYSQL
MYSQLAnkush Jain
 
Practical Partitioning in Production with Postgres
Practical Partitioning in Production with PostgresPractical Partitioning in Production with Postgres
Practical Partitioning in Production with PostgresEDB
 
MySQL Group Replication
MySQL Group ReplicationMySQL Group Replication
MySQL Group ReplicationKenny Gryp
 
How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?Alkin Tezuysal
 
Faster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBFaster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBMariaDB plc
 
MySQL for beginners
MySQL for beginnersMySQL for beginners
MySQL for beginnersSaeid Zebardast
 
Open Source 101 2022 - MySQL Indexes and Histograms
Open Source 101 2022 - MySQL Indexes and HistogramsOpen Source 101 2022 - MySQL Indexes and Histograms
Open Source 101 2022 - MySQL Indexes and HistogramsFrederic Descamps
 
Mysql Explain Explained
Mysql Explain ExplainedMysql Explain Explained
Mysql Explain ExplainedJeremy Coates
 
Liquibase for java developers
Liquibase for java developersLiquibase for java developers
Liquibase for java developersIllia Seleznov
 
E-R diagram & SQL
E-R diagram & SQLE-R diagram & SQL
E-R diagram & SQLAbdullah Almasud
 
MYSQL.ppt
MYSQL.pptMYSQL.ppt
MYSQL.pptwebhostingguy
 
Ad-Tech on AWS 세미나 | AWS와 데이터 분석
Ad-Tech on AWS 세미나 | AWS와 데이터 분석Ad-Tech on AWS 세미나 | AWS와 데이터 분석
Ad-Tech on AWS 세미나 | AWS와 데이터 분석Amazon Web Services Korea
 
Using PostgreSQL for Data Privacy
Using PostgreSQL for Data PrivacyUsing PostgreSQL for Data Privacy
Using PostgreSQL for Data PrivacyMason Sharp
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-PresentationChuck Walker
 
[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados
[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados
[TDC2016] Apache Cassandra Estratégias de Modelagem de DadosEiti Kimura
 
The InnoDB Storage Engine for MySQL
The InnoDB Storage Engine for MySQLThe InnoDB Storage Engine for MySQL
The InnoDB Storage Engine for MySQLMorgan Tocker
 
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)I Goo Lee.
 
The MySQL Query Optimizer Explained Through Optimizer Trace
The MySQL Query Optimizer Explained Through Optimizer TraceThe MySQL Query Optimizer Explained Through Optimizer Trace
The MySQL Query Optimizer Explained Through Optimizer Traceoysteing
 
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정PgDay.Seoul
 
OER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseOER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseGirija Muscut
 
Introduccion a Doctrine 2 ORM
Introduccion a Doctrine 2 ORMIntroduccion a Doctrine 2 ORM
Introduccion a Doctrine 2 ORMJuan Ramón Laguardia
 
Technical Introduction to PostgreSQL and PPAS
Technical Introduction to PostgreSQL and PPASTechnical Introduction to PostgreSQL and PPAS
Technical Introduction to PostgreSQL and PPASAshnikbiz
 
MySQL Shell for Database Engineers
MySQL Shell for Database EngineersMySQL Shell for Database Engineers
MySQL Shell for Database EngineersMydbops
 
Why You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperWhy You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperJeffrey Kemp
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in ApexJeffrey Kemp
 

More Related Content

What's hot

How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?Alkin Tezuysal
 
Faster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBFaster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBMariaDB plc
 
Open Source 101 2022 - MySQL Indexes and Histograms
Open Source 101 2022 - MySQL Indexes and HistogramsOpen Source 101 2022 - MySQL Indexes and Histograms
Open Source 101 2022 - MySQL Indexes and HistogramsFrederic Descamps
 
Mysql Explain Explained
Mysql Explain ExplainedMysql Explain Explained
Mysql Explain ExplainedJeremy Coates
 
Liquibase for java developers
Liquibase for java developersLiquibase for java developers
Liquibase for java developersIllia Seleznov
 
Ad-Tech on AWS 세미나 | AWS와 데이터 분석
Ad-Tech on AWS 세미나 | AWS와 데이터 분석Ad-Tech on AWS 세미나 | AWS와 데이터 분석
Ad-Tech on AWS 세미나 | AWS와 데이터 분석Amazon Web Services Korea
 
Using PostgreSQL for Data Privacy
Using PostgreSQL for Data PrivacyUsing PostgreSQL for Data Privacy
Using PostgreSQL for Data PrivacyMason Sharp
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-PresentationChuck Walker
 
[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados
[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados
[TDC2016] Apache Cassandra Estratégias de Modelagem de DadosEiti Kimura
 
The InnoDB Storage Engine for MySQL
The InnoDB Storage Engine for MySQLThe InnoDB Storage Engine for MySQL
The InnoDB Storage Engine for MySQLMorgan Tocker
 
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)I Goo Lee.
 
The MySQL Query Optimizer Explained Through Optimizer Trace
The MySQL Query Optimizer Explained Through Optimizer TraceThe MySQL Query Optimizer Explained Through Optimizer Trace
The MySQL Query Optimizer Explained Through Optimizer Traceoysteing
 
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정PgDay.Seoul
 
OER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseOER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseGirija Muscut
 
Technical Introduction to PostgreSQL and PPAS
Technical Introduction to PostgreSQL and PPASTechnical Introduction to PostgreSQL and PPAS
Technical Introduction to PostgreSQL and PPASAshnikbiz
 
MySQL Shell for Database Engineers
MySQL Shell for Database EngineersMySQL Shell for Database Engineers
MySQL Shell for Database EngineersMydbops
 

What's hot (20)

How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?
 
Faster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDBFaster, better, stronger: The new InnoDB
Faster, better, stronger: The new InnoDB
 
MySQL for beginners
MySQL for beginnersMySQL for beginners
MySQL for beginners
 
Open Source 101 2022 - MySQL Indexes and Histograms
Open Source 101 2022 - MySQL Indexes and HistogramsOpen Source 101 2022 - MySQL Indexes and Histograms
Open Source 101 2022 - MySQL Indexes and Histograms
 
Mysql Explain Explained
Mysql Explain ExplainedMysql Explain Explained
Mysql Explain Explained
 
Liquibase for java developers
Liquibase for java developersLiquibase for java developers
Liquibase for java developers
 
E-R diagram & SQL
E-R diagram & SQLE-R diagram & SQL
E-R diagram & SQL
 
MYSQL.ppt
MYSQL.pptMYSQL.ppt
MYSQL.ppt
 
Ad-Tech on AWS 세미나 | AWS와 데이터 분석
Ad-Tech on AWS 세미나 | AWS와 데이터 분석Ad-Tech on AWS 세미나 | AWS와 데이터 분석
Ad-Tech on AWS 세미나 | AWS와 데이터 분석
 
Using PostgreSQL for Data Privacy
Using PostgreSQL for Data PrivacyUsing PostgreSQL for Data Privacy
Using PostgreSQL for Data Privacy
 
Stored-Procedures-Presentation
Stored-Procedures-PresentationStored-Procedures-Presentation
Stored-Procedures-Presentation
 
[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados
[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados
[TDC2016] Apache Cassandra Estratégias de Modelagem de Dados
 
The InnoDB Storage Engine for MySQL
The InnoDB Storage Engine for MySQLThe InnoDB Storage Engine for MySQL
The InnoDB Storage Engine for MySQL
 
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
Innodb에서의 Purge 메커니즘 deep internal (by 이근오)
 
The MySQL Query Optimizer Explained Through Optimizer Trace
The MySQL Query Optimizer Explained Through Optimizer TraceThe MySQL Query Optimizer Explained Through Optimizer Trace
The MySQL Query Optimizer Explained Through Optimizer Trace
 
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정
[pgday.Seoul 2022] 서비스개편시 PostgreSQL 도입기 - 진소린 & 김태정
 
OER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private DatabaseOER Unit 4 Virtual Private Database
OER Unit 4 Virtual Private Database
 
Introduccion a Doctrine 2 ORM
Introduccion a Doctrine 2 ORMIntroduccion a Doctrine 2 ORM
Introduccion a Doctrine 2 ORM
 
Technical Introduction to PostgreSQL and PPAS
Technical Introduction to PostgreSQL and PPASTechnical Introduction to PostgreSQL and PPAS
Technical Introduction to PostgreSQL and PPAS
 
MySQL Shell for Database Engineers
MySQL Shell for Database EngineersMySQL Shell for Database Engineers
MySQL Shell for Database Engineers
 

Viewers also liked

Why You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperWhy You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperJeffrey Kemp
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in ApexJeffrey Kemp
 
Why You Should Use TAPIs
Why You Should Use TAPIsWhy You Should Use TAPIs
Why You Should Use TAPIsJeffrey Kemp
 
Automate Amazon S3 Storage with Alexandria
Automate Amazon S3 Storage with AlexandriaAutomate Amazon S3 Storage with Alexandria
Automate Amazon S3 Storage with AlexandriaJeffrey Kemp
 
Aws konferenz vortrag gk
Aws konferenz vortrag gkAws konferenz vortrag gk
Aws konferenz vortrag gkexecupery
 
Učinkovitejše iskanje v Google
Učinkovitejše iskanje v GoogleUčinkovitejše iskanje v Google
Učinkovitejše iskanje v GoogleTomaž Bešter
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackersChris Gates
 
2013 first of the year woooo
2013 first of the year woooo2013 first of the year woooo
2013 first of the year woooopeterpanpeyton
 

Viewers also liked (9)

Why You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL DeveloperWhy You Should Use Oracle SQL Developer
Why You Should Use Oracle SQL Developer
 
Building Maintainable Applications in Apex
Building Maintainable Applications in ApexBuilding Maintainable Applications in Apex
Building Maintainable Applications in Apex
 
Why You Should Use TAPIs
Why You Should Use TAPIsWhy You Should Use TAPIs
Why You Should Use TAPIs
 
Automate Amazon S3 Storage with Alexandria
Automate Amazon S3 Storage with AlexandriaAutomate Amazon S3 Storage with Alexandria
Automate Amazon S3 Storage with Alexandria
 
Aws konferenz vortrag gk
Aws konferenz vortrag gkAws konferenz vortrag gk
Aws konferenz vortrag gk
 
Učinkovitejše iskanje v Google
Učinkovitejše iskanje v GoogleUčinkovitejše iskanje v Google
Učinkovitejše iskanje v Google
 
Open Canary - novahackers
Open Canary - novahackersOpen Canary - novahackers
Open Canary - novahackers
 
2013 first of the year woooo
2013 first of the year woooo2013 first of the year woooo
2013 first of the year woooo
 
Single page App
Single page AppSingle page App
Single page App
 

Similar to Apex and Virtual Private Database

Vpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By SaurabhVpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By Saurabhguestd83b546
 
Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres MonitoringDenish Patel
 
Part1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the OptimizerPart1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the OptimizerMaria Colgan
 
(Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docx (Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docxaryan532920
 
Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Stamatis Zampetakis
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabaseMarkus Flechtner
 
Getting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialGetting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialSam Garforth
 
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...Sparkhound Inc.
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeBiju Thomas
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionAlex Zaballa
 
Supercharge your data analytics with BigQuery
Supercharge your data analytics with BigQuerySupercharge your data analytics with BigQuery
Supercharge your data analytics with BigQueryMárton Kodok
 
Intershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerIntershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerMauro Boffardi
 
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1MariaDB plc
 
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1MariaDB plc
 
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
22-4_PerformanceTuningUsingtheAdvisorFramework.pdfyishengxi
 
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...Karthik K Iyengar
 

Similar to Apex and Virtual Private Database (20)

Vpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By SaurabhVpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By Saurabh
 
Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres Monitoring
 
Part1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the OptimizerPart1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the Optimizer
 
(Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docx (Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docx
 
Vpd
VpdVpd
Vpd
 
Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle Database
 
Getting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialGetting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
 
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
Optimizing Code Reusability for SharePoint using Linq to SharePoint & the MVP...
 
Droidcon Paris 2015
Droidcon Paris 2015Droidcon Paris 2015
Droidcon Paris 2015
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least Privilege
 
Aspects of 10 Tuning
Aspects of 10 TuningAspects of 10 Tuning
Aspects of 10 Tuning
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 
Supercharge your data analytics with BigQuery
Supercharge your data analytics with BigQuerySupercharge your data analytics with BigQuery
Supercharge your data analytics with BigQuery
 
Intershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL ServerIntershop Commerce Management with Microsoft SQL Server
Intershop Commerce Management with Microsoft SQL Server
 
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
 
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
What's New in MariaDB Server 10.2 and MariaDB MaxScale 2.1
 
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
22-4_PerformanceTuningUsingtheAdvisorFramework.pdf
 
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
World2016_T1_S8_How to upgrade your cubes from 9.x to 10 and turn on optimize...
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW Auditing
 

Recently uploaded

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Recently uploaded (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Apex and Virtual Private Database

  • 1. Apex and Virtual Private Database Jeffrey Kemp InSync Perth, Nov 2013
  • 3.
  • 4. Acronym Overload • Virtual Private Database • Row Level Security • Fine-Grained Access Control
  • 5. VPD introduced; supports tables and views 9i History 8i global application contexts support for synonyms policy groups 10g column-level privacy column masking static policies shared policies 11g integrated into Enterprise Manager 12c improved security for expdp fine-grained context-sensitive policies
  • 6.
  • 9. Case Study: eBud • Budgeting solution for a large government department • Groups of users: “Super Admins”, “Finance”, “Managers” • Super Admin: "access all areas" • Finance: "access to most areas" • Managers: "limited access"
  • 11. Solution #1 Query: SELECT budget_id, name FROM budgets_vw WHERE budget_id = :b1; View: CREATE VIEW budgets_vw AS SELECT * FROM budgets WHERE budget_owner = v('APP_USER');
  • 12. Solution #2 V.P.D. Image source: http://www.executiveinvestigationandsecurity.com/security/
  • 13. Row Level Security The query you asked for: SELECT budget_id, name FROM budgets WHERE budget_id = :b1; What we executed: SELECT budget_id, name FROM budgets WHERE budget_id = :b1 AND budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER'); (not exactly, but this gives the general idea)
  • 14. Package spec PACKAGE vpd_pkg IS PROCEDURE new_session; FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2; END vpd_pkg;
  • 15. Initialise an Apex Session PROCEDURE new_session IS BEGIN set_context('APP_USER', v('APP_USER')); set_context('SUPERADMIN', is_superadmin); set_context('FINANCE', is_finance_user); END new_session;
  • 16. Set Context PROCEDURE set_context ( i_attr IN VARCHAR2 , i_value IN VARCHAR2 ) IS BEGIN DBMS_SESSION.set_context ( namespace => 'EBUD_CTX' , attribute => i_attr , value => i_value , client_id => v('APP_USER') || ':' || v('SESSION') ); END set_context;
  • 17. Create an Application Context CREATE CONTEXT EBUD_CTX USING VPD_PKG ACCESSED GLOBALLY;
  • 18. Apex Setup 1. Authentication Scheme 2. (no step 2!)
  • 19.
  • 20. Policy Function body #1 FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END budgets_policy;
  • 21. (old quote syntax) FUNCTION budgets_policy ( object_schema IN VARCHAR2 , object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN ' budget_owner = SYS_CONTEXT(''EBUD_CTX'',''APP_USER'') '; END budgets_policy;
  • 22. Create a Policy begin DBMS_RLS.add_policy ( object_name => 'BUDGETS' , policy_name => 'budgets_policy' , policy_function => 'VPD_PKG.budgets_policy' ); end; /
  • 23. Create a Policy begin DBMS_RLS.add_policy ( object_name , policy_name , policy_function , statement_types ); end; / => => => => 'BUDGETS' 'budgets_policy' 'VPD_PKG.budgets_policy' 'SELECT'
  • 24. DBMS_RLS.add_policy • • • • • • object_schema (NULL for current user) object_name (table or view) policy_name function_schema (NULL for current user) policy_function statement_types (default is SELECT, INSERT, UPDATE, DELETE) • policy_type • (other optional parameters)
  • 25. How it works Query: SELECT budget_id, name FROM budgets WHERE budget_id = :b1; Parser calls function: budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') Executed: SELECT budget_id, name FROM ( SELECT * FROM budgets budgets WHERE budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ) WHERE budget_id = :b1;
  • 26. Policy Function body #2 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') OR budget_publicity = 'PUBLIC' ]'; END budgets_policy;
  • 27. Policy Function body #3 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS BEGIN RETURN q'[ budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') OR budget_publicity = 'PUBLIC' OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y') OR SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' ]'; END budgets_policy;
  • 28. Policy Function body #4 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS o_predicate VARCHAR2(4000); BEGIN IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN o_predicate := ''; ELSE o_predicate := q'[ budget_publicity = 'PUBLIC' OR (budget_publicity = 'FINANCE' AND SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y') OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END IF; RETURN o_predicate; END budgets_policy;
  • 29. Policy Function body #5 FUNCTION budgets_policy (object_schema IN VARCHAR2 ,object_name IN VARCHAR2 ) RETURN VARCHAR2 IS o_predicate VARCHAR2(4000); BEGIN IF SYS_CONTEXT('EBUD_CTX','SUPERADMIN') = 'Y' THEN o_predicate := ''; ELSIF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN o_predicate := q'[ budget_publicity IN ('PUBLIC','FINANCE') OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; ELSE o_predicate := q'[ budget_publicity = 'PUBLIC' OR budget_owner = SYS_CONTEXT('EBUD_CTX','APP_USER') ]'; END IF; RETURN o_predicate; lots of different queries in shared pool END budgets_policy;
  • 32. FUNCTION cost_centre_policy (object_schema IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS BEGIN IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN RETURN ''; ELSE RETURN q'[ EXISTS ( SELECT null FROM user_cost_centres ucc WHERE ucc.username = SYS_CONTEXT('EBUD_CTX','APP_USER') AND ucc.cost_centre = cost_centres.cost_centre ) OR EXISTS ( SELECT null FROM all_budget_branches_vw b JOIN user_cost_centre_groups uccg ON uccg.group_code IN (b.branch_code, b.directorate_code, b.division_code) WHERE uccg.username = SYS_CONTEXT('EBUD_CTX','APP_USER') AND b.budget_id = cost_centres.budget_id AND b.branch_code = cost_centres.branch_code ) ]'; END IF; we can refer to the table via its alias END cost_centre_policy; Cost Centre Policy Function
  • 33. Warning Predicate MUST NOT query the table to which it is meant to be applied - not even via a view Image source: http://en.wikipedia.org/wiki/Drawing_Hands
  • 34. But… The predicate may query another table that itself has an RLS policy.
  • 35. Budget Entry Policy Function FUNCTION budget_entry_policy (object_schema IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS BEGIN IF SYS_CONTEXT('EBUD_CTX','FINANCE') = 'Y' THEN RETURN ''; ELSE RETURN q'[ EXISTS ( SELECT null FROM cost_centres cc WHERE cc.cost_centre = budget_entries.cost_centre AND cc.budget_id = budget_entries.budget_id ) ]'; END IF; END budget_entry_policy;
  • 36. Policy Type parameter (10g+) Re-Executed statement for each for all DYNAMIC (default) object STATIC SHARED_STATIC context CONTEXT_SENSITIVE SHARED_CONTEXT_SENSITIVE consider SHARED_... if your policy function is shared amongs multiple tables If in doubt, always start with the default - DYNAMIC The policy type parameter is just for performance optimisation.
  • 37. Improved in 12c Fine-grained Context Sensitive policies – new parameters for DBMS_RLS.add_policy: namespace and attribute – new procedure DBMS_RLS.add_policy_context – improved performance
  • 38. Bypassing VPD • Not enforced for DIRECT path export • Grant EXEMPT ACCESS POLICY • Return NULL for object owner: IF object_schema = USER THEN RETURN ''; END IF;
  • 39. Errors • ORA-28112: failed to execute policy function – the policy function raised an exception • "Invalid SQL statement" – may be a syntax error in the generated SQL • ORA-28115: policy with check option violation – policy has been applied to Insert, Update or Delete operations • ORA-28133: full table access is restricted by fine-grained security – policy has been applied to Index operation
  • 40. Tuning • Set client_identifier to APP_USER:SESSION then call the policy function • or, query v$vpd_policy to get the predicate(s) applied to the query • or, get the final exact SQL statement from the trace file ALTER SESSION SET EVENTS '10730 trace name context forever, level 12';
  • 41. Recommendations • Use q'{ syntax for predicates }' • Understand how Apex Sessions work • Use context for variables – avoid injecting literals – avoid calls to v() etc. • Keep predicates simple
  • 42. More Information Read the Oracle Docs for: – using policy groups – automated policy creation in DDL triggers – integration with Oracle Label Security – data dictionary views – Oracle Data Redaction
  • 43. Oracle Docs Oracle Database Security Guide: Using Oracle Virtual Private Database to Control Data Access http://bit.ly/16Iq5EQ Oracle Database PL/SQL Packages and Types Reference: DBMS_RLS http://bit.ly/1abI46V
  • 44. Thank you jeffkemponoracle.com Image source: http://www.toothpastefordinner.com/index.php?date=082609