Using Virtual Private Database in E-Business Environments

It's interesting how certain questions seem to surge in clusters.  Lately there's been a bountiful harvest of questions about using Virtual Private Database (VPD) functionality in E-Business Suite Release 11i environments.

[Diagram: Virtual Private Database example]

VPD in a Nutshell

Virtual Private Database (VPD) enables programmers and database administrators to enforce security, to a fine level of granularity, directly on tables, views, or synonyms. Because security policies are attached directly to tables, views, or synonyms and automatically applied whenever a user accesses data, there's no way to bypass security.

When a user directly or indirectly accesses an object protected with a VPD policy, the server dynamically modifies the user's SQL statement. The modification adds a WHERE condition returned by the function that implements the security policy. The statement is modified dynamically and transparently to the user.

In the example diagram above, a customer can only see his orders in the 'orders' table when he is listed in the 'customers' table.
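
The orders/customers case above could be expressed as the following policy. This is an added example, not code from the original post or from Oracle's E-Business Suite. The SALES schema, the column names (cust_id, db_username) and the policy and function names are assumptions made for illustration.

```sql
-- Added illustration; SALES, ORDERS, CUSTOMERS and their columns are assumed names.
-- Policy function: the server calls it with the schema and object name and
-- adds the returned string to the user's statement as a WHERE condition.
CREATE OR REPLACE FUNCTION sales.orders_by_customer (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- The owning schema keeps unrestricted access (NULL means "no predicate"),
  -- so owner-run maintenance jobs are not locked out by the policy.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SALES' THEN
    RETURN NULL;
  END IF;

  -- Everyone else sees only orders belonging to the customer row that
  -- matches the session's database user. No matching customer means no rows.
  RETURN 'cust_id IN (SELECT c.cust_id FROM sales.customers c '
      || 'WHERE c.db_username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END orders_by_customer;
/

-- Attach the function to the table for the statement types it should govern.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_CUSTOMER_POLICY',
    function_schema => 'SALES',
    policy_function => 'ORDERS_BY_CUSTOMER',
    statement_types => 'SELECT, UPDATE, DELETE'
  );
END;
/

-- A customer session issues:
--   SELECT order_id, total FROM sales.orders;
-- and the server executes it as if it had been written:
--   SELECT order_id, total FROM sales.orders
--   WHERE cust_id IN (SELECT c.cust_id FROM sales.customers c
--                     WHERE c.db_username = SYS_CONTEXT('USERENV', 'SESSION_USER'));
```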

Not a Walk in the Park


Apps makes some use of VPD internally in Release 11i, but enabling your own VPD policies across the E-Business Suite isn't as simple as flipping a switch, unfortunately.

For example, let's say you decide to apply VPD policies to a particular Workflow or concurrent processing table.  If your custom VPD policies lock out a set of users, there may be unknown side-effects in other dependent Apps products that need generic administrative access to these tables.

Although it's technically possible to use VPD to implement your own data security extensions, there's a decidedly non-trivial amount of custom work involved.  This requires deep understanding of the E-Business Suite data model and is not for the faint-hearted.  Supporting these kinds of customizations is outside of our scope here in Apps Development, but there are Oracle Consultants who may have the right expertise for this.

Is It Supported for E-Business Suite Environments?

If you create custom VPD policies for your E-Business Suite environment, Oracle Support will regard these like any other customization or third-party products in your environment, namely:
  • If you report issues that can be reproduced in standard, uncustomized environments, those issues will be resolved via workarounds or patches. 
  • If the issues can't be reproduced in standard environments and are isolated to your custom VPD policies, the outcome will be a recommendation to remove or fix your VPD policies.

Future Plans for Documentation and Release 12

The Applications Technology Group doesn't currently document how VPD extensions should be performed in the E-Business Suite.  There are plans for future documentation that will describe what session context is available for use in VPD policies, but no firm schedules.

In Release 12, VPD will be used as part of the new implementation of Multi-Organization Access Control (MOAC).

The above is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.  It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Comments:

Steven,

At the time I hear VPN or FGAC or RLS, the first thing that I am thinking about is PERFORMANCE!
In most of the cases those things (if not planned CAREFULLY, and in most of the cases they are not) are just killers of database performance.
If we add the complexity of the OEBS data model - I would say it would be a nightmare if you (Oracle) tried to support it.
THANK YOU VERY MUCH that you are not doing it ;)

Just my 0.02£,
Yury

Posted by Yury Velikanov on June 20, 2006 at 10:47 AM PDT #

Srini,

Certainly -- check this article out:

Statement of Direction: Transparent Data Encryption & E-Business Suite Release 11i

Regards,
Steven

Posted by Steven Chan on June 22, 2006 at 12:12 AM PDT #

Steven,
Thanks for this info! On a related matter, can you comment on if and when EBS will support database column encryption? By this I mean that data would only be visible thru the EBS application and would not be visible (i.e. encrypted) thru any SQL manipulation tools. Columns that would be ideal candidates would be National Identifier (SSN in US), salary info, etc. This was promised to us back in 11.5.5 but we have yet to see this implemented (we are on 11.5.10.2). I had put in an enhancement request thru the old ERS system a few years ago, but am unable to track it anymore :-)
Thanks in advance
Srini Chavali
Cummins Inc

Posted by Srini Chavali on June 22, 2006 at 12:45 AM PDT #

Steve, does Oracle Support still consider use of VPD in E-Business Suite environments as customization? We are thinking of using VPD in our 11i environment. But I do not see any document that confirms that Oracle supports VPD in E-Business Suite environments like other features and does not consider it a customization. Just want to see whether anything has changed in the past 4 years.

Thanks.

Posted by John on March 24, 2010 at 11:20 PM PDT #

Hi, John,

VPD allows you to create custom security policies that can fundamentally affect the way the E-Business Suite works. For example, it's possible to create custom VPD policies that lock out whole portions of the E-Business Suite database in certain conditions.

You are always free to use VPD to create custom security policies with the E-Business Suite.

However, Oracle can only issue patches for issues that can be reproduced in plain-vanilla environments without custom VPD policies. If EBS issues are isolated to custom VPD policies that you've created, it will be your responsibility to modify them in such a way that they don't interfere with the E-Business Suite's regular operation.

Regards,
Steven

Posted by Steven Chan on March 25, 2010 at 02:50 AM PDT #

Hi Steve,
In your original post you have mentioned "There are plans for future documentation that will describe what session context is available for use in VPD policies, but no firm schedules". Can you please advise if this documentation is available now? I will appreciate it if you can point me to it.
Thanks,
krishna

Posted by krishnamoorthy on April 19, 2013 at 11:18 AM PDT #

Hello, Krishna,

As you've probably gathered, our priorities have shifted since this article was first published in 2006. We do not have any immediate plans for additional VPD-related documentation at this point.

Regards,
Steven

Posted by Steven Chan on April 19, 2013 at 12:04 PM PDT #
