Oracle Database - Vpd (Virtual Private Database)

Card Puncher Data Processing

Overview

The Virtual Private Database (VPD) provides row-level access control beyond the capabilities of roles and views.

Features

Row Level Security

A customer can only see his orders in the 'orders' table (below), when he is listed in the 'customers' table (below).

Oracle Database Vpd Row Level Security

Column Relevance

VPD can be configured such that the policy is enforced only when a critical column is selected.

Example : The account manager with the account_mgr_id “149” can see all rows from the customers table, but not the credit limits. As soon as she queries the 'credit_limit' column, she can only see her own customers.

Oracle Database Vpd Column Relevance

Column Hiding

The most advanced configuration (“Column Hiding”) of VPD allows for the most effective combination of ease-of-use and security: She still has access to all public information in the 'customers' table, but confidential information remains hidden:

Oracle Database Vpd Column Hiding

Application context

VPD can be used in combination with the “application context” feature to enforce sophisticated row and/or column level security requirements for privacy and regulatory compliance.

Advantages

Lower costs

Within the enterprise, the Virtual Private Database results in lower costs of ownership in deploying applications. Security can be built once, in the data server, rather than in each application that accesses data.

Central Data Security

The security is stronger, because it is enforced by the database. The Virtual Private Database ensures that, no matter how a user gets to the data (through an application, a report writing tool, or SQL*Plus), the same strong access control policy is enforced.

How the Virtual Private Database Works

The Virtual Private Database is enabled by associating one or more security policies with tables or views. Direct or indirect access to a table with an attached security policy causes the database to consult a function that implements the policy. The policy function returns an access condition known as a predicate (a WHERE clause), which the database appends to the user's SQL statement, thus dynamically modifying the user's data access.

Documentation / Reference





Discover More
Oracle Olap Query
OBIEE - How to define OBIEE to leverage SQL OLAP Query ?

While not really different from any other implementation, it is useful to point out that it is very likely that cube views will contain measures such as rankings and percentages that should generally not...
Obi Edition
OBIEE - Virtual Private Database

The virtual Private Database check box in the database object identifies the physical database source as a virtual private database (VPD). When a VPD is used, returned data results are contingent on the...
Data System Architecture
What is Row Level Security? or authorization

When multiple users run the same query, the results that are returned to each user depend on their access rights and roles in the organization. A sales vice president sees results for all regions,...



Share this page:
Follow us:
Task Runner