Virtual Private Database Concept in R12
Oracle Policies
Author: Sachin Goel
Creation Date: 10-Apr-2008
Virtual private databases have several other names within the Oracle documentation, including row-level security
(RLS) and fine-grained access control (FGAC). Regardless of the name, VPD security provides a whole new way to
control access to Oracle data. Most interesting is the dynamic nature of a VPD. At runtime, Oracle performs these
near magical feats by dynamically modifying the SQL statement of the end user:
1. Oracle gathers application context information at user logon time and then calls the policy function, which
returns a predicate. A predicate is a where clause that qualifies a particular set of rows within the table.
2. Oracle dynamically rewrites the query by appending the predicate to users' SQL statements.
Whenever a query is run against the target tables, Oracle invokes the policy and produces a transient view with a
where clause predicate pasted onto the end of the query, like so: -
To understand the above statement, see the example below, which is applied in P2P on the
GL_DAILY_RATES table:
Script of Function:
/*********************************************************************************
**** This function generates a condition. Get the Profile value for Profile
**** POR_DEFAULT_RATE_TYPE.
**** If Profile Value is null, nothing to restrict, so return 1=1 else
**** restrict by Conversion Type.
*********************************************************************************/
l_concurrent_program_id := fnd_global.CONC_PROGRAM_ID;
l_resp_name := FND_GLOBAL.RESP_NAME;
RETURN l_predicate;
END xxcgl_rates_sec;
***********************************END SCRIPT***************************************
The above script sets the default where clause on the GL_DAILY_RATES table on the basis of the
value of the profile POR_DEFAULT_RATE_TYPE.
Parameter        Description
object_schema    Schema containing the table or view (logon user, if NULL).
policy_name      Name of the policy to be added. It must be unique for the same table or view.
policy_function  Name of a function which generates a predicate for the policy. If the function is defined within a package, then the name of the package must be present.
statement_types  Statement types to which the policy applies. It can be any combination of SELECT, INSERT, UPDATE, and DELETE. The default is to apply to all of these types.
update_check     Optional argument for INSERT or UPDATE statement types. The default is FALSE. Setting update_check to TRUE causes the server to also check the policy against the value after insert or update.
enable           Indicates if the policy is enabled when it is added. The default is TRUE.
Example:
BEGIN
   DBMS_RLS.ADD_POLICY (
      'APPS',                   -- object_schema
      'GL_DAILY_RATES',         -- object_name
      'XXCGL_DAILY_RATES_SEC',  -- policy_name
      'APPS',                   -- function_schema
      'XXCGL_RATES_SEC');       -- policy_function
END;
/
DBMS_RLS.DROP_POLICY (
object_schema IN VARCHAR2 := NULL,
object_name IN VARCHAR2,
policy_name IN VARCHAR2);
Parameter        Description
object_schema    Schema containing the table or view (logon user if NULL).
Example:
BEGIN
   DBMS_RLS.DROP_POLICY (
      'APPS',                    -- object_schema
      'GL_DAILY_RATES',          -- object_name
      'XXCGL_DAILY_RATES_SEC');  -- policy_name
END;
/
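A complete policy function and its registration, following the description of the script and of ADD_POLICY above, as an added example (not the original XXCGL_RATES_SEC source, which the page shows only in part). The names xxcgl_rates_sec_demo and XXCGL_DAILY_RATES_SEC_DEMO, the parameter names p_schema and p_object, and the filter on the CONVERSION_TYPE column are assumptions. The profile value is passed through DBMS_ASSERT.ENQUOTE_LITERAL so that it cannot change the text of the predicate.

```sql
-- Added illustration; object names ending in _DEMO are hypothetical.
CREATE OR REPLACE FUNCTION apps.xxcgl_rates_sec_demo (
   p_schema IN VARCHAR2,   -- object schema, supplied by the server
   p_object IN VARCHAR2    -- object name, supplied by the server
) RETURN VARCHAR2
IS
   l_rate_type VARCHAR2(30);
BEGIN
   l_rate_type := fnd_profile.value('POR_DEFAULT_RATE_TYPE');

   IF l_rate_type IS NULL THEN
      -- Profile not set: nothing to restrict (the behaviour the page describes).
      RETURN '1=1';
   END IF;

   -- The predicate is appended to the user's SQL as text, so the value is
   -- quoted here. ENQUOTE_LITERAL raises an error on an unpaired quote, and
   -- the query then fails instead of running with an altered where clause.
   -- Assumption: rows are restricted on the CONVERSION_TYPE column.
   RETURN 'conversion_type = ' || DBMS_ASSERT.ENQUOTE_LITERAL(l_rate_type);
END xxcgl_rates_sec_demo;
/

-- Register the policy with named parameters, so that statement_types,
-- update_check and enable are stated rather than left at their defaults.
BEGIN
   DBMS_RLS.ADD_POLICY (
      object_schema   => 'APPS',
      object_name     => 'GL_DAILY_RATES',
      policy_name     => 'XXCGL_DAILY_RATES_SEC_DEMO',
      function_schema => 'APPS',
      policy_function => 'XXCGL_RATES_SEC_DEMO',
      statement_types => 'SELECT,INSERT,UPDATE,DELETE',
      update_check    => TRUE,   -- also check the row values after INSERT/UPDATE
      enable          => TRUE);
END;
/

-- Review which policies are attached to the table and what they cover.
SELECT policy_name, pf_owner, function,
       sel, ins, upd, del, chk_option, enable
  FROM dba_policies
 WHERE object_owner = 'APPS'
   AND object_name  = 'GL_DAILY_RATES';
```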