RE: Hiding sensitive EBS column data from certain users

From: Matthew Parker <dimensional.dba_at_comcast.net>
Date: Wed, 10 Oct 2018 11:19:55 -0700
Message-ID: <034201d460c5$d91394f0$8b3abed0$_at_comcast.net>

RAS is made for live masking or removal of rows from view based on security rules.

The reason I asked PROD versus DEV.

If you want permanent masking of data in DEV and all downstream copies of the database them you would probably use other tools.

If you want on the fly masking for different groups of user, RAS is the choice.

It is not that complicated even for COTS, if you understand the application.

The performance hit for simple masking such as only a certain role allows access to a certain columns is negligible. If you need some complicated rules such as show me only data for myself as a manager and the employees who report to me that tree walk of ids can become a little more intensive.

Just depends on what you are doing.

Matthew Parker

Chief Technologist

Dimensional DBA

Oracle Gold Partner

425-891-7934 (cell)

D&B 047931344

CAGE 7J5S7
<mailto:Dimensional.dba_at_comcast.net> Dimensional.dba_at_comcast.net

<http://www.linkedin.com/pub/matthew-parker/6/51b/944/> View Matthew Parker's profile on LinkedIn

<http://www.dimensionaldba.com/> www.dimensionaldba.com

From: Robert Freeman <rfreeman_at_businessolver.com> Sent: Wednesday, October 10, 2018 10:58 AM To: dimensional.dba_at_comcast.net; sjaffarhussain_at_gmail.com; 'Oracle-L Freelists' <oracle-l_at_freelists.org> Subject: RE: Hiding sensitive EBS column data from certain users

RAS does not offer true masking at the column level – instead it just NULL’s out the column, unless something has changed which I have not seen yet (which is always a possibility).

RAS also offers potential performance issues with the associated predicates getting attached to SQL, potentially all over creation.

While the policy function of a RAS policy could offer more intelligence than redaction policies, finding the exact conditions to redact, or not redact, can be quite difficult. Especially with legacy or COTS applications.

Robert G. Freeman

Deliverer of Enterprise Data®

Businessolver

Cell: 801-703-3405

“Greater than the death of flesh is the death of hope. The death of dreams. Against this peril we can never surrender. The future is all around us, waiting in moments of transition, to be born in moments of revelation. No one knows the shape of that future, or where it will take us. We know only that it is always born in pain.”

From: oracle-l-bounce_at_freelists.org <mailto:oracle-l-bounce_at_freelists.org> [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Matthew Parker Sent: Thursday, October 04, 2018 12:05 PM To: sjaffarhussain_at_gmail.com <mailto:sjaffarhussain_at_gmail.com> ; 'Oracle-L Freelists' <oracle-l_at_freelists.org <mailto:oracle-l_at_freelists.org> > Subject: RE: Hiding sensitive EBS column data from certain users

In Production or in Development? Different ways to do things based on the environment.

What version of the database are you running?

In 12.1 there is RAS Security (VPD 2.0) that also does column level data masking at no extra cost, but you have to create/implement the rules yourself.

Normally you control PROD by standard security controls, but you can implement RAS against report users if they are landing on your primary database. Just need to make sure anything you implement it doesn’t affect base EBS apps.

Matthew Parker

Chief Technologist

Dimensional DBA

Oracle Gold Partner

425-891-7934 (cell)

D&B 047931344

CAGE 7J5S7
<mailto:Dimensional.dba_at_comcast.net> Dimensional.dba_at_comcast.net

<http://www.linkedin.com/pub/matthew-parker/6/51b/944/> View Matthew Parker's profile on LinkedIn

<http://www.dimensionaldba.com/> www.dimensionaldba.com

From: oracle-l-bounce_at_freelists.org <mailto:oracle-l-bounce_at_freelists.org> <oracle-l-bounce_at_freelists.org <mailto:oracle-l-bounce_at_freelists.org> > On Behalf Of Syed Jaffar Hussain Sent: Thursday, October 4, 2018 9:51 AM
To: Oracle-L Freelists <oracle-l_at_freelists.org <mailto:oracle-l_at_freelists.org> > Subject: Hiding sensitive EBS column data from certain users

Hello List,

Is there anyway to hide data of sensitive columns in Oracle EBS (v12.2) to certain users? I thought of VPD, but, it seems, it has different approaches in EBS. Something like, personalizing the form to hide the values of the columns, though not sure.

Appreciate if any EBS expert can shed some light on this.

Thanks in advance,

-- 

Best Regards,

Syed Jaffar Hussain



--
http://www.freelists.org/webpage/oracle-l

Received on Wed Oct 10 2018 - 20:19:55 CEST

This message: [ Message body ]
Next message: Rich J: "Re: Flashback guaranteed restore point with ADG for DB upgrade fallback"
Previous message: Jose Rodriguez: "Re: Flashback guaranteed restore point with ADG for DB upgrade fallback"
Maybe in reply to: Syed Jaffar Hussain: "Hiding sensitive EBS column data from certain users"
In reply to Matthew Parker: "RE: Hiding sensitive EBS column data from certain users"
Next in thread: Mladen Gogala: "Re: Database CPU Usage"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message