Re: VPD vs Multiple Schemas
Had a similar problem where data in the same table belonged to
different "departments" and users could also enable other departments
to see their data using standard operating procedures.
Solutions: Used Oracle Label Security (OLS, Common Criteria Certified to ISO 15408) to manage the security on the row level and VPD on the column level. This is all driven from the user application context which is set and determined during a login trigger which authenticates the user against an LDAP server (DBMS_LDAP).
It works fine and saved me a lot of time developing something that already exists in Oracle. OLS (built using VPD) also has the concept of security Levels, Groups and Compartments that will probably be suited to 99% of the data security requirements out there.
A good book to read for this is "Effective Oracle Database 10g Security by Design" by David C Knox and of course the Oracle Documentation: Oracle® Label Security Administrator's Guide 10g Release 2 (10.2) B14267-02
Regards
Bernard
Received on Fri Oct 06 2006 - 04:07:47 CDT
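
A sketch of the context-driven, column-level VPD part of the setup described in the post above, added here as an illustration and not taken from the original poster's system. The schemas `HR_APP` and `HR_SEC`, the table `EMP`, the mapping table `USER_DEPT` (a stand-in for the LDAP lookup) and the choice of column masking are all assumptions; the OLS row-level part is not shown.

```sql
-- Constructed schema: HR_APP.EMP(ename, dept, salary); HR_SEC owns the security code.
-- All object names are assumed for illustration.
CREATE CONTEXT emp_ctx USING hr_sec.ctx_pkg;  -- only this package may write the context
CREATE OR REPLACE PACKAGE hr_sec.ctx_pkg AS
  PROCEDURE set_dept;
END ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr_sec.ctx_pkg AS
  PROCEDURE set_dept IS
    v_dept VARCHAR2(30);
  BEGIN
    -- Stand-in for the directory lookup: a local mapping table.
    SELECT dept INTO v_dept
      FROM hr_sec.user_dept
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'dept', v_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unmapped user: context stays unset, so the policy fails closed
  END set_dept;
END ctx_pkg;
/
-- Logon trigger populates the context once per session.
CREATE OR REPLACE TRIGGER hr_sec.set_emp_ctx AFTER LOGON ON DATABASE
BEGIN
  hr_sec.ctx_pkg.set_dept;
END;
/
-- Policy function: predicate is true only for rows of the session's department.
CREATE OR REPLACE FUNCTION hr_sec.salary_pred (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'dept = SYS_CONTEXT(''emp_ctx'', ''dept'')';
END;
/
-- Column-level VPD with masking: every row is returned, but SALARY reads as NULL
-- wherever the predicate is false (including when the context is unset).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR_APP',
    object_name           => 'EMP',
    policy_name           => 'EMP_SALARY_MASK',
    function_schema       => 'HR_SEC',
    policy_function       => 'SALARY_PRED',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

Accounts holding the `EXEMPT ACCESS POLICY` system privilege bypass the policy entirely, so that grant is worth auditing alongside the policy itself.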