Security :: VPD Function For Column Masking With Inner-select?
Sep 12, 2013
I'm writing a VPD function to be used for column masking. The predicate (WHERE-clause) it generates may take many different forms. In particular, it may contain inner-selects; for example,
"exists(select '*' from B where B.VAL = '123' and A.KEY = B.KEY)"
where A is the table that is associated to the VPD function, and B is some other table.
if this is OK for column masking? If not, my VPD function may sometimes work and sometimes fail, in unexpected ways.
The Oracle Database Security Guide (11g Release 1) says
Column-masking conditions generated by the policy function must be simple Boolean expressions, unlike regular Oracle Virtual Private Database predicates".
This seems to indicate that there are cases where a VPD function works for row-level security, but not for column masking.
an example of a 'regular Oracle VPD predicate' that doesn't work for column-masking?
I want to understand the restrictions that apply to VPD functions when used for column masking, compared with their use for Row-Level Security. According to the Oracle Database Security Guide (11g Release 1) Column-masking conditions generated by the policy function must be simple Boolean expressions, unlike regular Oracle Virtual Private Database predicates.
I have long understood the above as implying that column-masking conditions should not contain sub-queries (i.e. inner selects). However, we tested using a condition with a select inside another select (2-level nesting) and yet it worked. We were on 11g Release 2, by the way. So, I wonder about using sub-queries in column-masking conditions? Or, alternatively, what Oracle means with "regular VPD predicates" and "simple Boolean expressions" (of course, in the context of VPD)?
I've created a password verification function (verify_pwd) in a schema which is not in SYS, but an equivalent of SYS. However, the problem arises when I'm trying to create a profie (MAIN_PROFILE) with the following attributes :
I created a user and granted connect, resource to the user. but trying to select columns from the view USER_HISTORY$,it's showing no value, i tried to login the user several times, but it's displaying no value, any particular reason or any minor mistake?
Developers they use Toad and in that they want to use session browser option so that they can see the SQL running and open Cursor,other session specific details...So what grant/ permissions can be given to them so that the Schema they logged on can access those information.
I have 4 tables , Certain users need to (Select ,insert,delete) certain rows only based on nApplication id
All the tables have Application Id , Based on this application id user will (Select ,insert,delete)
I tried row level security DBMS_RLS.add_policy but it hangs every time when i query the data or when i try to drop the policy. Is there is any method to resolve this issue.
If only Row level security will solve this issue , give me some example
I just want to know whether we can mask salary column of number datatype into text ,like we used to_char(to_date(<column_name>,'j'),'jsp') in sql? for example
I have question regarding data masking. Currently we are using Oracle 11g database , we are thinking of implementing data-masking feature in 11g. Is this can be done by adding any package to it.
My boss make a requirement in exist database as some user can view salary column at employment table by SQL and some user can view salary column at employment table by SQL.
The boss do not like to make changes front SQL. Ooracle 11g vault or Oracle Label Security is best for this requirement? my oS is 2008 32 bit window and DB is 11.2.0.1
I am trying to use decode function in sql and inside decode function can I use select statement ?
here is my sql
select we.wf_entity_id, decode(object_type_id, 1, select audit_number from ea_audit_general where sys_audit_id=object_id 2,'test', object_type_id ) from wf_entity we where
[code]....
see this
decode(object_type_id, 1, select audit_number from ea_audit_general where sys_audit_id=object_id 2,'test', object_type_id )
A B ---------------------- 2*3 2*4*5 4*5 column B contain no data.
I want to create a function which can be used in a select query,and the output should come like that :-
A B ---------------------- 2*3 6 2*4*5 40 4*5 20
Means column B contains the resultant value of column A.And the above output should come through a select statement.You can use any function inside the select statement.
I'm running a 10.2.0.4 database with auditing enabled:
SQL> show parameter audit_trail;
NAME TYPE VALUE ------------------------------------ -------- ------------- audit_trail string DB, EXTENDED
I have auditing enabled for create session:
SQL> select audit_option, success, failure from dba_stmt_audit_opts;
AUDIT_OPTION SUCCESS FAILURE ---------------------------------------- ---------- ---------- CREATE SESSION BY ACCESS BY ACCESS
My problem is that when I run a report against DBA_AUDIT_SESSION, the CLIENT_ID column is never populated, it's always blank. I've tried running a trigger to populate the client_identifier variable:
create or replace procedure capture_module as begin dbms_session.set_identifier(sys_context('userenv','module')); end; / [code]....
And if I put an access trigger on a table and create an audit event, the CLIENT_ID column from DBA_AUDIT_TRAIL and DBA_COMMON_AUDIT_TRAIL both show the updated value (module), but no matter what, I never get the CLIENT_ID column in DBA_AUDIT_SESSION to show anything - it's always null.
I want to run a report against DBA_AUDIT_SESSION that will tell me who logged in, when they logged in and out, where they logged in from and the one thing I can't get - what module they were running (SQLplus, Toad, etc). Why can't I get the CLIENT_ ID column to take the value I'm setting with the logon trigger?
I need encrypt column in the table (TDE) with 160 rows (PK) i'd like know what impact if i rn in time production this procedure. And as will be behavior the oracle database if this column is FK.
im trying to select columns from different tables dynamically in a function . The parameter for the function will be table name and column id's, In this number of columns may vary . Is it possible to have dynamic %rowtype to store the cursor value in it.
I am trying to run a dynamic select statement form a function and return the result into a variable, everything goes fine but the return is always null!
CREATE TABLE AFESD.MAJOR_ACCOUNT ( NUMBER0 NUMBER(2) NOT NULL, SHORT_NAME CHAR(35 BYTE) NOT NULL, FULL_NAME CHAR(50 BYTE) )
--Actually any table can do
CREATE OR REPLACE FUNCTION F_GEN_SELECT_INT (S_APP_USER IN VARCHAR2, I_MODULE_ID IN NUMBER, S_TABLE IN VARCHAR2, S_COLUMNS IN VARCHAR2) RETURN NUMBER AS I_RETURN NUMBER; S_SQL VARCHAR2(300); --S_DB_ERROR VARCHAR2(100);
[code]....
B.S. I didnt delete the commented lines to have your review comments.
SELECT rp.id r_paper_id, COUNT(*) created, COUNT( CASE WHEN a.approved_yn = 'Y'
[code]....
But it fails, saying that 'single-row subquery returns more than one row' when I introduce the 'unique_users' clause. The remaining fields of the output are correct.