Oracle FAQ Your Portal to the Oracle Knowledge Grid


Re: DBMS_RLS and Security

From: rjamya <>
Date: Tue, 1 May 2007 20:39:35 -0400
Message-ID: <>


Not sure if you can really hide it from the dba. My understanding is if a user has 'access exempt policy' privilege, then policies don't apply.

The article states that by 'wrapping' plsql code, you can hide the policy implementation from the dbas. But a malicious dba can set an event to dump the full sqltext on the next hard parse. Plus if you do db_extended_audit, that information will be visible to any dba, including bind values in the fga audit trail (if so enabled) ... oh and you can head to Pete Finnigan's site to see how one can attempt to unwrap the wrapped code. In 10g, you can compress the code after wrapping it, but there is an event to disable that compression too.

As for losing data, not sure, but if the policies are not implemented appropriately, that data will not be seen and users might think it is missing. Because unless you see the actual sql, you can't really say if the data isn't there or it is restricted by policy.

AFAIK, oracle application server is not required for dbms_rls usage. The only thing that can protect data from DBAs is database vault outside of encryption. Then again, think about it, if you don't trust your DBAs, you have got a bigger problem. The buck has to stop somewhere.

we have used dbms_rls in 9i to restrict data that each user can see, no app server, it is oracle forms client/server application.


On 5/1/07, William Wagman <> wrote:
> Greetings,
> One of my users sent me this URL for a paper on improving security,
> The
> writer presents a technique for hiding columns using DBMS_RL to create
> policies to hide data. Apparently one can even hide data from a user
> with full DBA access. I had a conversation with one of my co-workers who
> had just attended an Oracle taught security class and she reported that
> there are numerous examples of users losing data when attempting to do
> this. Apparently the class instructor also did not have real good
> feelings about this technique as well. It apparently also takes
> advantage of Oracle Application server's security which makes it appear
> that application server is required in order to utilize this
> methodology. Unfortunately I don't have a good enough understanding of
> the process to give a concise explanation. I am interested in knowing if
> others are familiar with this technique, have used it and what your
> experiences were.
> Thanks.
> Bill Wagman
> Univ. of California at Davis
> IET Campus Data Center
> (530) 754-6208
> --

Best regards

Received on Tue May 01 2007 - 19:39:35 CDT
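The two points in the reply above (EXEMPT ACCESS POLICY bypasses a policy, and "missing" rows may just be rows a policy filtered out) are easy to see with a small DBMS_RLS setup. The following is an added example, not code from the thread or from the paper being discussed. It assumes a schema HR with a table EMP_SALARY(emp_id, owner_user, salary) and two database users, APP_USER and DBA_USER, none of which appear in the original message; the policy function and policy names are likewise made up for the example.

```sql
-- Added example (not from the thread). Assumed objects: HR.EMP_SALARY,
-- users APP_USER and DBA_USER, run as a user with DBA privileges
-- unless a comment says otherwise.

-- 1. Policy function. Oracle calls it with the schema and object name and
--    appends the returned predicate to every statement against the table.
--    Here a row is visible only to the user named in OWNER_USER.
CREATE OR REPLACE FUNCTION hr.emp_salary_pred (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    RETURN 'owner_user = SYS_CONTEXT(''USERENV'',''SESSION_USER'')';
END;
/

-- 2. Register the row-level policy. update_check => TRUE also stops a user
--    from inserting or updating a row into a state they could not then see.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMP_SALARY',
        policy_name     => 'EMP_SALARY_ROWS',
        function_schema => 'HR',
        policy_function => 'EMP_SALARY_PRED',
        statement_types => 'SELECT,INSERT,UPDATE,DELETE',
        update_check    => TRUE);
END;
/

-- 3. As APP_USER (needs SELECT on HR.EMP_SALARY): only rows whose
--    OWNER_USER = 'APP_USER' come back. A user who does not know the
--    policy exists will conclude the other rows are gone.
SELECT emp_id, salary
FROM   hr.emp_salary;

-- 4. The first point of the reply: EXEMPT ACCESS POLICY switches the
--    predicate off for that grantee. Granted as a DBA:
GRANT EXEMPT ACCESS POLICY TO dba_user;

-- As DBA_USER the same query now returns every row, policy or not.
SELECT emp_id, owner_user, salary
FROM   hr.emp_salary;

-- 5. The second point: before declaring data lost, check whether a policy
--    is defined on the object ...
SELECT object_owner, object_name, policy_name, function, enable
FROM   dba_policies
WHERE  object_owner = 'HR'
AND    object_name  = 'EMP_SALARY';

-- ... and whether a predicate was actually added to the cursors that ran.
--    V$VPD_POLICY shows the predicate text per cursor in the shared pool,
--    which is exactly the "actual sql" the reply says you need to see.
SELECT sql_hash, object_name, policy, predicate
FROM   v$vpd_policy
WHERE  object_name = 'EMP_SALARY';
```

Two caveats that follow from the reply. First, policies are never applied to SYS, so the DBA_USER step above is only needed for a separately created administrative account; a DBA connecting as SYS sees everything without any grant. Second, the "hide a column" form the paper apparently describes (all rows returned, the protected column NULL where the predicate fails) is the same ADD_POLICY call with sec_relevant_cols and sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS added, which exists from 10g onward; on the 9i release mentioned at the end of the reply only the row-level form is available.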
