
Overview

The Oracle Virtual Private Database (VPD) allows the creation of security policies to control database access at the row and column level. The VPD adds a dynamic WHERE clause to a SQL statement issued against a table, view, or synonym to which a VPD security policy has been applied.

The VPD enforces fine-grained security policy directly on database tables, views, or synonyms. The security policies are attached directly to the database objects and are applied automatically whenever a user accesses the data, so there is no way to bypass them. By default, queries against objects enabled with fine-grained access control run the policy function to ensure that the most current predicate is used for each policy.

When a user directly or indirectly accesses a table, view, or synonym that is protected with a VPD policy, Oracle Database dynamically modifies the user's SQL statement. The modification appends a predicate (a WHERE condition) returned by a function that implements the security policy. Oracle Database can modify the statement dynamically with any condition that can be expressed in, or returned by, such a function. You can apply VPD policies to SELECT, INSERT, UPDATE, INDEX, and DELETE statements.

This places the security policy on the database objects rather than in the application, while still controlling how the database evaluates the policy functions. Policy evaluation can occur once for each query, only when an application context used within the policy function changes, or each time the statement is run. The VPD policy function runs as if it had been declared with definer's rights.

To implement VPD, you must create a function that generates the dynamic WHERE clause and a policy that attaches this function to the objects you want to protect. You associate the function with the database table to which the VPD action applies by configuring the VPD policy. The policy itself is the mechanism for managing the VPD function: it lets you add fine-grained access control such as restricting which types of SQL statements or which table columns the policy affects. When a user tries to access the data in the protected database object, the policy goes into effect automatically.
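A minimal VPD setup following the steps just described, added here as an illustration and not taken from the course notes. It assumes a hypothetical HR.ORDERS table with a SALES_REP column holding a database user name, a hypothetical SALES_MGR account, and that the HR schema has EXECUTE on DBMS_RLS.

```sql
-- Step 1: the policy function. Oracle calls it with the schema and object
-- name and uses the VARCHAR2 it returns as the dynamic WHERE predicate.
CREATE OR REPLACE FUNCTION hr.orders_rep_policy (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    -- The (hypothetical) sales manager sees every row: returning NULL
    -- (or an empty string) appends no predicate at all.
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SALES_MGR' THEN
        RETURN NULL;
    END IF;
    -- Everyone else is limited to rows where they are the assigned rep.
    -- The predicate references SYS_CONTEXT rather than concatenating the
    -- user name into the string, so nothing session-controlled is spliced
    -- into the SQL text; the database resolves it at execution time.
    RETURN 'sales_rep = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END orders_rep_policy;
/

-- Step 2: the policy, which attaches the function to the table and
-- scopes it to the statement types it should govern.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'ORDERS',
        policy_name     => 'ORDERS_REP_ROWS',
        function_schema => 'HR',
        policy_function => 'ORDERS_REP_POLICY',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        -- Also check the new values of INSERT/UPDATE against the predicate,
        -- so a rep cannot write rows they would not be allowed to read.
        update_check    => TRUE,
        -- Re-evaluate the function only when the session context changes,
        -- rather than on every execution of the statement.
        policy_type     => DBMS_RLS.CONTEXT_SENSITIVE
    );
END;
/

-- Step 3: verify that the rewrite actually happened. After a rep has
-- queried HR.ORDERS, the predicate the database appended is visible here.
SELECT sql_id, policy, predicate
  FROM v$vpd_policy
 WHERE object_owner = 'HR' AND object_name = 'ORDERS';
```

Dropping the policy is a separate DBMS_RLS.DROP_POLICY call; disabling the function alone does not remove the row filter, it just makes the statement fail.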

You can group multiple security policies together and then apply the group to an application. A policy group is a set of security policies that belong to an application. You designate an application context (the driving context) to indicate which policy group is in effect; when a user accesses the table, view, or synonym column, the database looks up the driving context to determine the policy group in effect and enforces all the policies that belong to that group.

The VPD security policy is applied within the database instead of within an application, so users accessing the data through a different application cannot bypass it. One advantage of creating the security policy in the database is that it is maintained in one central place instead of as individual security policies in multiple applications.

You can use VPD in the following types of user models:

● Application users who are also database users
● Proxy authentication using OCI or JDBC/OCI
● Proxy authentication integrated with Enterprise User Security
● Users connecting as One Big Application User
● Web-based applications

We will be working with VPD in our labs.