Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: VPD vs Multiple Schemas

From: bernard (bernard_at_bosvark.com) <bernard_at_bosvark.com>
Date: 6 Oct 2006 02:07:47 -0700
Message-ID: <1160125667.299697.92490@h48g2000cwc.googlegroups.com>


Had a similar problem where data in the same table belonged to different "departments" and users could also enable other departments to see their data using standard operating procedures.

Solutions: Used Oracle Label Security (OLS, Common Criteria Certified to ISO 15408) to manage the security on the row level and VPD on the column level. This is all driven from the user application context which is set and determined during a login trigger which authenticates the user against an LDAP server (DBMS_LDAP).

It works fine and saved me a lot of time developing something that already exists in Oracle. OLS (built using VPD) also has the concept of security Levels, Groups and Compartments that will probably be suited to 99% of the data security requirements out there.

A good book to read for this is "Effective Oracle Database 10g Security by Design" by David C Knox and of course the Oracle Documentation: Oracle® Label Security Administrator's Guide 10g Release 2 (10.2) B14267-02

Regards
Bernard

Received on Fri Oct 06 2006 - 04:07:47 CDT
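The following is an added example, not part of Bernard's post or his code: a sketch of the context-driven, column-level VPD half of the design he describes (the OLS row labels are not shown). The schema `APP`, table `EMP_DATA`, columns `DEPT` and `SALARY`, context `DEPT_CTX` and lookup table `APP.USER_DEPT` are assumptions, and the table lookup stands in for the `DBMS_LDAP` query.

```sql
-- Assumed names throughout: APP, EMP_DATA, DEPT, SALARY, DEPT_CTX, USER_DEPT.
-- 1. Context namespace that only the trusted package may write to.
CREATE CONTEXT dept_ctx USING app.dept_ctx_pkg;
CREATE OR REPLACE PACKAGE app.dept_ctx_pkg AS
  PROCEDURE set_dept;
END dept_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app.dept_ctx_pkg AS
  PROCEDURE set_dept IS
    v_dept app.user_dept.dept%TYPE;
  BEGIN
    -- Stand-in for the directory lookup the post performs with DBMS_LDAP.
    SELECT dept INTO v_dept
      FROM app.user_dept
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('dept_ctx', 'dept', v_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- fail closed: context stays unset, so the policy masks every row
  END set_dept;
END dept_ctx_pkg;
/
-- 2. Populate the context once per session, at logon.
CREATE OR REPLACE TRIGGER app.set_dept_ctx_trg
  AFTER LOGON ON DATABASE
BEGIN
  app.dept_ctx_pkg.set_dept;
END;
/
-- 3. Policy function: true only for rows of the session's own department.
CREATE OR REPLACE FUNCTION app.salary_mask (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'dept = SYS_CONTEXT(''dept_ctx'', ''dept'')';
END;
/
-- 4. Column masking: all rows are returned, but SALARY is NULL
--    wherever the predicate is not satisfied.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'EMP_DATA',
    policy_name           => 'SALARY_MASK_POL',
    function_schema       => 'APP',
    policy_function       => 'SALARY_MASK',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

Because the context can only be set through `app.dept_ctx_pkg`, a user cannot change their own department value with a direct `DBMS_SESSION.SET_CONTEXT` call.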
