Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: RAC 10G for different companies with one shared database and label security

RE: RAC 10G for different companies with one shared database and label security

From: Christian Antognini <>
Date: Fri, 4 May 2007 11:13:39 +0200
Message-ID: <>

Hi Joop

> In the new situation it will be be 1 or 2 10G release 2
> RAC Clusters with each one " shared" database. Oracle Label
> security must assure that on row level the different companies
> can not use each other's data.

Interesting. I'm helping a customer doing something very similar. The differences are that they use VPD instead of Label Security and at the moment no RAC is involved.

To comment on the question other asked, i.e. why not multiple schemas, this is because they want to have only *one* support team that is able to see data from several customers at the same time. And that, of course, without completely rewriting the current application that supports a single customer in one schema.

> is Oracle Label Security an absolute, garantueed, method that
> different companies using the same database/schema, not can see
> each others data?

If correctly setup only users having the system privilege EXEMPT ACCESS POLICY are able to see all data. I.e. users will see only the data you provide them through the user/data labels... If you want to avoid that, only Database Vault can help you.

> is there any argument for two clusters above one clusters
> with 2/3/4/n instances?

Nothing that I can think of is specific to Label Security. As always is matter of giving more importance to flexibility or efficiency.

> can i use the the "services" concept in 10G RAC to force a bit
> of a flexible way of loadbalancing (company A and B uses instance
> 1, coampany C and D uses instance 2, company Eand F uses instance
> 3, etc.. and flexible, that i can change that when company C uses
> more resources at moment x...

I don't see why it should not work. But, be careful, since data is stored in the very same blocks, cache fusion will probably very busy shipping blocks between instances... Therefore, I would suggest investigating if it is not possible to do a load balancing based on the data utilization, i.e. modules mainly using the same tables should be served by one instance, modules mainly using other tables should be served by another one...


Received on Fri May 04 2007 - 04:13:39 CDT

Original text of this message