It's interesting how certain questions seem to surge in clusters. Lately there's been a bountiful harvest of questions about using Virtual Private Database (VPD) functionality in E-Business Suite Release 11i environments.

Virtual Private Database (VPD) enables programmers and database administrators to enforce security, to a fine level of granularity, directly on tables, views, or synonyms. Because security policies are attached directly to tables, views, or synonyms and automatically applied whenever a user accesses data, there's no way to bypass security.
When a user directly or indirectly accesses an object protected with a VPD policy, the server dynamically modifies the SQL statement of the user. The modification creates a WHERE condition returned by a function implementing the security policy. The statement is modified dynamically, transparently to the user.
In the example diagram above, a customer can only see his orders in the 'orders' table when he is listed in the 'customers' table.
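The orders/customers case described above, written out as an added example (it is not code from the original post or from the E-Business Suite). The schema name SHOP, the columns customer_id, db_username and order_id, and the policy names are assumptions made for illustration.

```sql
-- Added example. SHOP, customer_id, db_username and the policy names are assumptions.
-- Policy function: the string it returns is the WHERE condition the server appends.
CREATE OR REPLACE FUNCTION shop.orders_owner_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- A NULL predicate means "no restriction". The owning schema is exempted
    -- here so batch and administrative code running as SHOP still sees all rows.
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SHOP' THEN
        RETURN NULL;
    END IF;

    -- SYS_CONTEXT stays inside the returned text, so it is evaluated for the
    -- session running the statement, not concatenated in as a literal.
    RETURN 'customer_id IN (SELECT c.customer_id FROM shop.customers c '
        || 'WHERE c.db_username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END orders_owner_policy;
/

-- Attach the policy to the table. update_check => TRUE also rejects an INSERT
-- or UPDATE that would produce a row the session itself could not see.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'SHOP',
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_OWNER_ONLY',
        function_schema => 'SHOP',
        policy_function => 'ORDERS_OWNER_POLICY',
        statement_types => 'SELECT,INSERT,UPDATE,DELETE',
        update_check    => TRUE);
END;
/

-- A customer session that runs
--     SELECT order_id FROM shop.orders;
-- is executed as if it had been written
--     SELECT order_id FROM shop.orders WHERE customer_id IN (SELECT ...);

-- Review checks: which policies are active on the table, and which grantees
-- hold EXEMPT ACCESS POLICY (that system privilege skips every VPD policy).
SELECT policy_name, pf_owner, sel, ins, upd, del, enable
  FROM dba_policies
 WHERE object_owner = 'SHOP' AND object_name = 'ORDERS';

SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```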
Not a Walk in the Park
Apps makes some use of VPD internally in Release 11i, but enabling your own VPD policies across the E-Business Suite isn't as simple as flipping a switch, unfortunately.
For example, let's say you decide to apply VPD policies to a particular Workflow or concurrent processing table. If your custom VPD policies lock out a set of users, there may be unknown side-effects in other dependent Apps products that need generic administrative access to these tables.
Although it's technically possible to use VPD to implement your own data security extensions, there's a decidedly non-trivial amount of custom work involved. This requires deep understanding of the E-Business Suite data model and is not for the faint-hearted. Supporting this kind of customization is outside of our scope here in Apps Development, but there are Oracle Consultants who may have the right expertise for this.
Is It Supported for E-Business Suite Environments?
If you create custom VPD policies for your E-Business Suite environment, Oracle Support will regard these like any other customization or third-party products in your environment, namely:
- If you report issues that can be reproduced in standard, uncustomized environments, those issues will be resolved via workarounds or patches.
- If the issues can't be reproduced in standard environments and are isolated to your custom VPD policies, the outcome will be a recommendation to remove or fix your VPD policies.
The Applications Technology Group doesn't currently document how VPD extensions should be performed in the E-Business Suite. There are plans for future documentation that will describe what session context is available for use in VPD policies, but no firm schedules.
In Release 12, VPD will be used as part of the new implementation of Multi-Organization Access Control (MOAC).
The above is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Comments (3)
Steven,
When I hear VPN or FGAC or RLS, the first thing I think about is PERFORMANCE!
In most cases those things (if not planned CAREFULLY, and in most cases they are not) are just killers of database performance.
If we add the complexity of the OEBS data model - I would say it would be a nightmare if you (Oracle) tried to support it.
THANK YOU VERY MUCH that you are not doing it ;)
Just my 0.02£,
Yury
Posted by Yury Velikanov | June 20, 2006 5:47 PM
Srini,
Certainly -- check this article out:
Statement of Direction: Transparent Data Encryption & E-Business Suite Release 11i
Regards,
Steven
Posted by Steven Chan | June 22, 2006 7:12 AM
Steven,
Thanks for this info! On a related matter, can you comment on if and when EBS will support database column encryption? By this I mean that data would only be visible thru the EBS application and would not be visible (i.e. encrypted) thru any SQL manipulation tools. Columns that would be ideal candidates would be National Identifier (SSN in US), salary info, etc. This was promised to us back in 11.5.5 but we have yet to see this implemented (we are on 11.5.10.2). I had put in an enhancement request thru the old ERS system a few years ago, but am unable to track it anymore :-)
Thanks in advance
Srini Chavali
Cummins Inc
Posted by Srini Chavali | June 22, 2006 7:45 AM