The main enhancements to VPD in Oracle Database 10g are column-level privacy, customization, and shared policies. These enhancements are explained in the following three sections.
Column-Level Privacy
VPD provides row-level security (RLS). Oracle Database 10g enforces row-level access control only when a command accesses or references security-relevant columns. You can specify more than one relevant column in a policy. If you do not specify any relevant columns, the database applies VPD rewrites to all commands that access or reference the object. This behavior is consistent with previous releases.
You use row-level access control when you want to limit the rows returned. For example, queries on nonsensitive data (such as LAST_NAME or DEPARTMENT_ID) should not be limited, because there is no harm in returning a list of all departments. Queries that reference sensitive or private columns (such as national identification) should be limited by VPD.
The enforcement of relevant-column VPD occurs whenever a command references the column:
Explicitly: When the column name is included in the query
Implicitly: In a SELECT * command because all columns are returned
The ability to specify relevant columns in VPD policies lends itself to privacy. Privacy-relevant information, or personally identifiable information (PII), is often stored in columns. For example, national identifier, credit card number, address, and account number are all PII. Only queries that access the relevant columns should have VPD’s granular access control applied to them. A VPD policy need not restrict queries that do not reference relevant columns.
Column-level VPD improves performance by limiting the number of queries that the database rewrites. Rewrites occur only when the statement references relevant columns.
Customization
You use customization to base the VPD on the individual requirements of a customer’s deployment. You can customize VPD to always enforce the same predicate with a static policy, or you can have VPD predicates that change dynamically with a nonstatic policy.
Shared Policies
In Oracle Database 10g, you can apply a single VPD policy to multiple objects. This feature reduces administration costs.
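The three enhancements combined in one setup, as an added example that is not from the original post: one policy function is attached to two tables with a shared static policy type, and NATIONAL_ID is declared as the relevant column. The schema HR_DEMO, its tables, the EMP_LOGIN column, and the function and policy names are hypothetical; the script assumes the caller has EXECUTE on DBMS_RLS.

```sql
-- Constructed demo schema (hypothetical names): two tables that both hold PII.
-- EMP_LOGIN is assumed to store the database username in upper case.
CREATE TABLE hr_demo.employees (
  emp_login     VARCHAR2(30),
  last_name     VARCHAR2(50),
  department_id NUMBER,
  national_id   VARCHAR2(20)
);
CREATE TABLE hr_demo.contractors (
  emp_login VARCHAR2(30), last_name VARCHAR2(50), national_id VARCHAR2(20)
);

-- Policy function: VPD appends the returned string as a WHERE predicate.
-- The predicate text never changes, so a static policy type fits;
-- SYS_CONTEXT inside it is still evaluated for each session at run time.
CREATE OR REPLACE FUNCTION hr_demo.pii_own_row (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  RETURN 'emp_login = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

BEGIN
  -- Attach the same function to both tables as a shared static policy.
  FOR t IN (SELECT 'EMPLOYEES' AS tname FROM dual
            UNION ALL SELECT 'CONTRACTORS' FROM dual) LOOP
    DBMS_RLS.ADD_POLICY(
      object_schema     => 'HR_DEMO',
      object_name       => t.tname,
      policy_name       => 'PII_OWN_ROW_POL',
      function_schema   => 'HR_DEMO',
      policy_function   => 'PII_OWN_ROW',
      statement_types   => 'SELECT',
      policy_type       => DBMS_RLS.SHARED_STATIC,
      sec_relevant_cols => 'NATIONAL_ID');  -- rewrite only when referenced
  END LOOP;
END;
/

-- Not rewritten: no relevant column referenced, so all rows are returned.
SELECT last_name, department_id FROM hr_demo.employees;
-- Rewritten: NATIONAL_ID is referenced explicitly, only the caller's row.
SELECT last_name, national_id FROM hr_demo.employees;
-- Rewritten: SELECT * references NATIONAL_ID implicitly.
SELECT * FROM hr_demo.employees;
```

Run the three test queries as an ordinary user: accounts holding the EXEMPT ACCESS POLICY privilege bypass VPD and will see every row regardless of the policy.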