Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: VPDs or schemas

RE: VPDs or schemas

From: Justin Cave (DDBC) <>
Date: Mon, 7 Mar 2005 14:01:01 -0700
Message-ID: <87E9F113CEF1D211A4C300902730187462CA54@ddbcinc.ddbc.local>

If you are concerned with being parsed to death, VPD is probably the better option. Assuming the security policy is something reusable, i.e. adding a WHERE clause that checks a BRANCH_NO context value to a BRANCH_NO column in the table, you should only end up with one hard-parse for every statement. If you split things up into multiple schemas, you'll end up hard parsing each statement at least once per schema (assuming I am understanding your solution properly).

With either approach, you will need to come up with a way to differentiate users and to associate them with some branch, so I wouldn't think it would be any more difficult to have users logging in to a different schema or having a context set for them. I'm not sure how you would implement logging in to different schemas for different users, but the approaches I can think of off the top of my head tend to be somewhat brittle.

Given that poorly constructed security policies could kill performance, I would tend to let the developers use VPD but insist on working with them to define "sane" security policies. =20

Justin Cave =20
Distributed Database Consulting, Inc.

-----Original Message-----

[] On Behalf Of Uwe Weber Sent: Monday, March 07, 2005 3:08 PM
Subject: VPDs or schemas


the DBAs at our site are currently reviewing a design document for=20 a new Web-Application. This application will be used by about 2.500 branch offices and around 10.000 users. Oracle will be 10.n. and estimated size of the DB is about 300G.

Development suggests to use a VPD for every branch office.=20 Further on they want to partition every table with one partition per office. Since the application is web-based, I doubt whether it will be possible to use context sensitive security policies.=20

We (the DBAs) are not really happy with this idea, because we feel that this design wil have a negative impact on=20 performance and scalability. We are especially afraid that the database will parse itself to death.

So we are thinking of suggesting a different design (or more of a sketch

until now) that would use a schema for every branch and take care of data seperation by creating views (MVs where it makes sense) and granting appropiate permissions. Keeping the idea of partitioning the base tables on a per office basis sounds good to me. Of course this will cause more work for the developers :->. =20

Any hints, tips or comments on the merits of both 'designs' are very welcome.

-- Received on Mon Mar 07 2005 - 16:04:24 CST

Original text of this message