Oracle FAQ Your Portal to the Oracle Knowledge Grid

RE: DBMS_RLS and Security

From: Christian Antognini <Christian.Antognini_at_trivadis.com>
Date: Wed, 2 May 2007 07:27:32 +0200
Message-ID: <F2C9CCA71510B442AF71446CAE8AEBAFB23077@MSXVS04.trivadis.com>


Hi Bill

> One of my users sent me this URL for a paper on improving security,
> http://www.oracle.com/technology/pub/articles/jucan_security.html.

Be careful: that paper covers/mixes different techniques.

> The writer presents a technique for hiding columns using DBMS_RLS to
> create policies to hide data. Apparently one can even hide data from
> a user with full DBA access.

With RLS you cannot prevent DBA/users having sys priv EXEMPT ACCESS POLICY from seeing all data. If you want to do so I see only two options:
- encrypt data outside the database
- use Database Vault and encrypt data inside the database

> I had a conversation with one of my co-workers who had just attended
> an Oracle taught security class and she reported that there are
> numerous examples of users losing data when attempting to do this.

If you mean RLS, that is not possible. You never lose data. I guess such a comment is related to data encrypted outside the database.

> Unfortunately I don't have a good enough understanding of the process
> to give a concise explanation. I am interested in knowing if others
> are familiar with this technique, have used it and what your
> experiences were.

You have to ask yourself an essential question: What kind of risk are you trying to mitigate/avoid?
When that is clear it's much easier to know which features may help.

HTH
Chris

--
http://www.freelists.org/webpage/oracle-l
Received on Wed May 02 2007 - 00:27:32 CDT
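
The following is an added example, not part of the original message: a DBMS_RLS column-masking policy of the kind discussed in the thread, followed by the audit queries that show which accounts bypass it through EXEMPT ACCESS POLICY. The schema HR.EMPLOYEES, its SALARY column, the policy owner SECADM and the user HR_MANAGER are assumptions made for illustration.

```sql
-- Policy function (hypothetical names). A NULL predicate means "no
-- restriction"; '1=0' matches no row, so with ALL_ROWS masking the
-- protected column is returned as NULL on every row.
CREATE OR REPLACE FUNCTION secadm.hide_salary (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_MANAGER' THEN
    RETURN NULL;
  END IF;
  RETURN '1=0';
END;
/

-- Column masking applies to SELECT only. Rows are still returned;
-- only SALARY is nulled. The stored data is never modified.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'MASK_SALARY',
    function_schema       => 'SECADM',
    policy_function       => 'HIDE_SALARY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Audit 1: direct grantees (users or roles) of the bypass privilege.
-- SYS is exempt from RLS policies regardless of this list.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT ACCESS POLICY';

-- Audit 2: everyone who inherits the privilege through nested roles.
SELECT DISTINCT grantee
FROM   dba_role_privs
START WITH granted_role IN (SELECT grantee
                            FROM   dba_sys_privs
                            WHERE  privilege = 'EXEMPT ACCESS POLICY')
CONNECT BY PRIOR grantee = granted_role;
```

Any account returned by the two audit queries reads SALARY unmasked, which is why the policy alone does not address a threat model that includes privileged database users.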
