Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle Label Security and Virtual Private Database

From: Hans Forbrich <forbrich_at_telusplanet.net>
Date: Wed, 18 Jun 2003 16:59:39 GMT
Message-ID: <3EF098E2.5D67A666@telusplanet.net>


Christian Hartmann wrote:

> Hi there,
>
> I am seeking information on Oracle Label Security and/or Virtual
> Private Database.
>
> Does anybody know where I can find information except for the
> information on the oracle-side?

All the info I've seen is on the Oracle site. Following is very high level conceptual info on both. All this is introduced in Oracle8i - 8.1.5 and should be valid at all higher versions, although the 9iR2 has a lot of enhancements. (Expansion and correction on the potential mistakes welcomed - thx)

  1. For Virtual Private Database (VPD) -

Start with Context Variables ('unix-like environment variables') that are available throughout a session;

Have a mode that ensures they can only be updated or changed using the same package in which they are first set;
- note that the package can then say "it's set, therefore do not allow changes"

Add the database 'login' trigger and allow the context setting package to be run at login time;
- at login you have the user's id and can do a quick table lookup, setting the context variable appropriately!

For any table, allow a 're-write trigger' to be invoked before Query or DML;
- allow that trigger to modify the actual conditional (where) clause

Label Security seems to be a rewrite (using VPD technology) of the option formerly known as Military Label Security. It is used to implement security by adding a label to each row and automatically appending a "where row_label = 'xxx'" to each DML/query based on the user's capability defined at login.

Except for the Enterprise Manager interface and the GUI, anyone could probably implement the same as Label Security in a couple of months using the VPD. Oracle has done a packaged implementation of a very specific subset of VPD and has provided an interface. This saves a LOT of time, development, maintenance and admin and is supported. (In my mind, that savings justifies Label Security as a licensable option!)

> A praxis-report would be also nice.

You definitely want to watch the performance, do appropriate tuning. My tests indicate that there can be minimum impact if tuned properly, or significant impact if totally untuned. Good database tuning principles apply. Exact impact will vary with the complexity of the VPD clause re-write, data set size, indexing, etc.

Also - do not use against all tables, only those that need to be secured. For example, don't bother securing most look-up tables.

Received on Wed Jun 18 2003 - 11:59:39 CDT
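
The four VPD steps described in the post, as an added example that is not part of the original message; the post's 're-write trigger' is written here as a policy function registered with DBMS_RLS.ADD_POLICY. The schemas SEC_ADM and APP, the tables, the context name ORDERS_CTX and every other object name are hypothetical.

```sql
-- Hypothetical objects: SEC_ADM owns the security code, APP.ORDERS is the
-- protected table, SEC_ADM.USER_DEPT(username, dept_id) maps users to departments.
CREATE CONTEXT orders_ctx USING sec_adm.orders_ctx_pkg;  -- 1. only this package may set it
CREATE OR REPLACE PACKAGE sec_adm.orders_ctx_pkg AS
  PROCEDURE set_dept;
END orders_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_adm.orders_ctx_pkg AS
  PROCEDURE set_dept IS
    v_dept sec_adm.user_dept.dept_id%TYPE;
  BEGIN
    -- "It's set, therefore do not allow changes"
    IF SYS_CONTEXT('ORDERS_CTX', 'DEPT_ID') IS NOT NULL THEN RETURN; END IF;
    SELECT dept_id INTO v_dept
      FROM sec_adm.user_dept
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('ORDERS_CTX', 'DEPT_ID', v_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- unmapped user: attribute stays unset
  END set_dept;
END orders_ctx_pkg;
/
-- 2. Logon trigger runs the trusted package for every new session
CREATE OR REPLACE TRIGGER sec_adm.set_orders_ctx
AFTER LOGON ON DATABASE
BEGIN
  sec_adm.orders_ctx_pkg.set_dept;
END;
/
-- 3. Policy function: returns the predicate the server appends to the WHERE clause
CREATE OR REPLACE FUNCTION sec_adm.orders_policy (
  p_schema IN VARCHAR2, p_table IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  -- Unset context gives "dept_id = NULL", which matches no rows (fails closed)
  RETURN 'dept_id = SYS_CONTEXT(''ORDERS_CTX'', ''DEPT_ID'')';
END;
/
-- 4. Attach the policy only to the table that needs securing
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',     object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_DEPT',
    function_schema => 'SEC_ADM', policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE', update_check => TRUE);
END;
/
```

Policies are not enforced for SYS, so verify the row filtering while connected as an ordinary user. An index on the filtered column (here `dept_id`) is the first thing to check when tuning.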
