The Latest Oracle E-Business Suite Technology News direct from
Oracle E-Business Suite Development & Product Management

  • June 20, 2006

Using Virtual Private Database in E-Business Environments

Steven Chan
Senior Director
It's interesting how certain questions seem to surge in clusters.  Lately there's been a bountiful harvest of questions about using Virtual Private Database (VPD) functionality in E-Business Suite Release 11i environments.

Virtual Private Database example:

VPD in a Nutshell

Virtual Private Database (VPD) enables programmers and database administrators to enforce security, to a fine level of granularity, directly on tables, views, or synonyms. Because security policies are attached directly to tables, views, or synonyms and automatically applied whenever a user accesses data, there's no way to bypass security.

When a user directly or indirectly accesses an object protected with a VPD policy, the server dynamically modifies the SQL statement of the user. The modification creates a WHERE condition returned by a function implementing the security policy. The statement is modified dynamically, transparently to the user.

In the example diagram above, a customer can only see his orders in the 'orders' table when he is listed in the 'customers' table.

Not a Walk in the Park

Apps makes some use of VPD internally in Release 11i, but enabling your own VPD policies across the E-Business Suite isn't as simple as flipping a switch, unfortunately.

For example, let's say you decide to apply VPD policies to a
particular Workflow or concurrent processing table.  If your custom VPD
policies lock out a set of users, there may be unknown side-effects in
other dependent Apps products that need generic administrative access
to these tables.

Although it's technically possible to use VPD to implement your own data security extensions, there's a decidedly non-trivial amount of custom work involved.  This requires deep understanding of the E-Business Suite data model and is not for the faint-hearted.  Supporting these kind of customizations is outside of our scope here in Apps Development, but there are Oracle Consultants who may have the right expertise for this.

Is It Supported for E-Business Suite Environments?

If you create custom VPD policies for your E-Business Suite environment, Oracle Support will regard these like any other customization or third-party products in your environment, namely:
  • If you report issues that can be reproduced in standard, uncustomized environments, those issues will be resolved via workarounds or patches. 
  • If the issues can't be reproduced in standard environments and are isolated to your custom VPD policies, the outcome will be a recommendation to remove or fix your VPD policies.
Future Plans for Documentation and Release 12

The Applications Technology Group doesn't currently document how VPD extensions should be performed in the E-Business Suite.  There are plans for future documentation that will describe what session context is available for use in VPD policies, but no firm schedules.

In Release 12, VPD will be used as part of the new implementation of Multi-Organization Access Control (MOAC).

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle. 

Join the discussion

Comments ( 9 )
  • Yury Velikanov Tuesday, June 20, 2006


    At the time I hear VPN or FGAC or RLS first that I am thinking about is PERFOMANCE!

    Most of the cases those things (if not planed CAREFULY, and most of the cases they are not) just killers of a database performance.

    If we will add complexity of the OEBS data model 窶? I would say it would be a nightmare if you (Oracle) tried to support it.

    THANK YOU VERY MUCH that you are not doing it ;)

    Just my 0.02ツ」,


  • Steven Chan Thursday, June 22, 2006

    Srini,Certainly -- check this article out:Statement of Direction: Transparent Data Encryption & E-Business Suite Release 11iRegards,Steven

  • Srini Chavali Thursday, June 22, 2006


    Thanks for this info ! On a related matter, can you comment on if and when EBS will support database column encryption ? By this I mean that data would only be visible thru the EBS application and would not be visible (i.e. encrypted) thru any SQL manipulation tools. Columns that would be ideal candidates would be National Identifier (SSN in US), salary info, etc. This was promised to us back in 11.5.5 but have yet to see this implemented (we are on I had put in a enhancement request thru the old ERS system a few years ago, but am unable to track it anymore :-)

    Thanks in advance

    Srini Chavali

    Cummins Inc

  • John Thursday, March 25, 2010

    Steve, Does Oracle support still consider use of VPD in E-Business Suite environments as customization? We are thinking of using VPD in our 11i environment. But I do not see any document that confirms that Oracle supports VPD in E-Business Suite environemnts like other features and not considers it as a customization. Just want to see whether anything has changed in the past 4 years.


  • Steven Chan Thursday, March 25, 2010

    Hi, John,

    VPD allows you to create custom security policies that can fundamentally affect the way the E-Business Suite works. For example, it's possible to create custom VPD policies that lock out whole portions of the E-Business Suite database in certain conditions.

    You are always free to use VPD to create custom security policies with the E-Business Suite.

    However, Oracle can only issue patches for issues that can be reproduced in plain-vanilla environments without custom VPD policies. If EBS issues are isolated to custom VPD policies that you've created, it will be your responsibility to modify them in such a way that they don't interfere with the E-Business Suite's regular operation.



  • krishnamoorthy Friday, April 19, 2013

    Hi Steve,

    In you original post you have mentioned "There are plans for future documentation that will describe what session context is available for use in VPD policies, but no firm schedules" . Can you please advise if this documentation is available now and will appreciate if u can point me to it.


  • Steven Chan Friday, April 19, 2013

    Hello, Krishna,

    As you've probably gathered, our priorities have shifted since this article was first published in 2006. We do not have any immediate plans for additional VPD-related documentation at this point.



  • Daniel Monday, June 9, 2014

    Hello Steven,

    Currently we are using ebs 12.1.3 and for security reasons we would like to configure VPD.

    Our question is:

    How can we define VPD based on "Responsibility" ?



  • Steven Chan Thursday, June 19, 2014

    Hello, Daniel,

    As noted in the article above, defining new VPD policies can be very involved. We do not issue specific guidance on how to do this -- we regard this as a customization. You can contact Oracle Consulting for assistance with customizations.

    Also see:

    Support Implications for Your EBS Customizations




Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.