Home » RDBMS Server » Security » security policy - vpd vs ols
security policy - vpd vs ols [message #600633] Sun, 10 November 2013 02:22 Go to next message
VIP2013
Messages: 91
Registered: June 2013
Member
Hi i am using release 11.2.0.3.0 version of oracle.
Trying to evaluate suitable security policy for our database.
after reading the details, i undetstand that we can achieve both row level and column access restriction using vpd.
and OLS will provide rowlevel access restriction only. so i am wondering if all the things ols do is achievef by vpd , then
why ols comes into picture? is it because of the ease of its gui administration whereas vpd needs plsql code?
please help me to understand, the exact limitation of vpd which can only be achieved using ols.
Re: security policy - vpd vs ols [message #600634 is a reply to message #600633] Sun, 10 November 2013 02:36 Go to previous messageGo to next message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
OLS configures a set of VDP policies. Probably more sophisticated than anything you could develop yourself. Of course you pay for it as an option (whereas VPD is included in Enterprise Edition) but it may be worth paying for. You need to compare the licence cost plus the (comparatively) short implementation time with the consultancy costs of a a pure VPD solution. VPD is simple in concept but can be very time consuming to get right on a large scale.
Either solution may have significant performance issues that are complex to get round. And often, determining what you want to achieve may be the hardest part.

Security is very complex, but you have no choice: you must do what is required, no less (and do not do more). It changes a lot in release 12c, I cover both release in this course
http://skillbuilders.com/instructor-led-training/Course_outlines/new/course-description.cfm?c=new/oracle-security-administration-trai ning&id=576
if you are interested.
Re: security policy - vpd vs ols [message #600635 is a reply to message #600634] Sun, 10 November 2013 03:10 Go to previous messageGo to next message
VIP2013
Messages: 91
Registered: June 2013
Member
Thanks John for prompt response. Appreciate your help. I have two questions here.

1. As our database having single DB user talking to all the web users through connection pooling. As i got the concept of VPD , i need to have
set application context in application code and get the values(for respective user) in the database and apply respective policy, so it will be a application/java code change. Similarly in case of OLS for catering to web users, do i have to apply application context or something and if it will be a java code change?

2. Again if current requirement of my application is to hide some of the PI columns from the specific users so that they cant view it, but should able to se other columns. So basically if i will go for OLS then hopefully, my requirement cant be achieved as it will dissappear whole row from the user?
And if i would have requirement to restict the webusers capability from viewing records(rows) as per their dept/organisation, then OLS would be useful for me, correct me if wrong?
Re: security policy - vpd vs ols [message #600636 is a reply to message #600635] Sun, 10 November 2013 03:14 Go to previous message
John Watson
Messages: 8922
Registered: January 2010
Location: Global Village
Senior Member
Sounds like a case for Data Redaction to me,
http://docs.oracle.com/cd/E11882_01/server.112/e41360/chapter1_11204.htm#NEWFT379

http://skillbuilders.com/webinars/webinar.cfm?id=93&title=Oracle%2012c%20Security%20Transparent%20Sensitive%20Data%20Protection%2 0New%20Features%20Tutorial
Previous Topic: User of DBA role
Next Topic: Accessing Oracle DB from UNIX OS
Goto Forum:
  


Current Time: Thu Mar 28 05:49:30 CDT 2024