Virtual Private Database (VPD) enables programmers and database administrators to enforce security, to a fine level of granularity, directly on tables, views, or synonyms. Because security policies are attached directly to tables, views, or synonyms and automatically applied whenever a user accesses data, there’s no way to bypass security.
When a user directly or indirectly accesses an object protected with a VPD policy, the server dynamically modifies the SQL statement of the user. The modification creates a WHERE condition returned by a function implementing the security policy. The statement is modified dynamically, transparently to the user.
In the example diagram above, a customer can only see his orders in the ‘orders’ table when he is listed in the ‘customers’ table.
Not a Walk in the Park
Apps makes some use of VPD internally in Release 11i, but enabling your own VPD policies across the E-Business Suite isn’t as simple as flipping a switch, unfortunately.
For example, let’s say you decide to apply VPD policies to a
particular Workflow or concurrent processing table. If your custom VPD
policies lock out a set of users, there may be unknown side-effects in
other dependent Apps products that need generic administrative access
to these tables.
Although it’s technically possible to use VPD to implement your own data security extensions, there’s a decidedly non-trivial amount of custom work involved. This requires deep understanding of the E-Business Suite data model and is not for the faint-hearted. Supporting these kind of customizations is outside of our scope here in Apps Development, but there are Oracle Consultants who may have the right expertise for this.
Is It Supported for E-Business Suite Environments?
If you create custom VPD policies for your E-Business Suite environment, Oracle Support will regard these like any other customization or third-party products in your environment, namely:
- If you report issues that can be reproduced in standard, uncustomized environments, those issues will be resolved via workarounds or patches.
- If the issues can’t be reproduced in standard environments and are isolated to your custom VPD policies, the outcome will be a recommendation to remove or fix your VPD policies.
The Applications Technology Group doesn’t currently document how VPD extensions should be performed in the E-Business Suite. There are plans for future documentation that will describe what session context is available for use in VPD policies, but no firm schedules.
In Release 12, VPD will be used as part of the new implementation of Multi-Organization Access Control (MOAC).
The above is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.