Skip to main content

PL/SQL Office Hours: Virtual Private Database in the Wild

Virtual Private Database (VPD), also referred to as row-level security or RLS, is a feature built into the Oracle Database that allows you to set up security policies on tables that restrict which rows a user can see or change based on the policy logic.

One of the nicest things about VPD is that this logic (and the fact that a filter is being applied) is completely invisible to the user. They just see the data relevant to them and none the wiser about all that other data in the data.

Here's a simple example to drive the point home: suppose I am building a health care application and it contains a patients table. The security policy is straightforward:

A patient can only see their own information.
A doctor can see only the information about their own patients.
A clinic administrator can see information only about the patients in their clinic.

In all three cases, the user would sign on to the application and execute the same query:

SELECT * FROM patients

and only their rows would appear.

Of course, there are lots of different and very interesting aspects to setting up your policies.

The documentation for VPD provides many details for a successful implementation, but there's not substitute for real world experience. That's what you'll hear about in our March 3, 2020 10 AM Eastern PL/SQL Office Hours session from AskTOM.

Our Presenter: Praveen Kumar of Wipro

Parveen Kumar is a Java and Oracle Developer with Wipro, based in the UK. He has over eight years experience focused mainly on developing and designing applications using Oracle Database as a primary database. He aims to keep the business logic inside the database and expose data through PL/SQL APIs. He has in various projects taken advantage of native support for XML, JSON and Object datatypes, SOAP/REST APIs for Web Programming and security features like VPD/RLS, Oracle Wallet for Web APIs and other features which provide true fine grained access to different types of users.

In the March Office Hours session, Praveen will show how Virtual Private Database functionality can be applied across an entire application to control what end users can see based on their role/access level. The business driver for this use of VPD is to ensure appropriate access to the sensitive/financial data in the application.

Follow this link to subscribe to my monthly PL/SQL Office Hours program, so that you will receive email reminders. You can also view recordings of the dozens of past sessions, including:


Popular posts from this blog

Get rid of mutating table trigger errors with the compound trigger

When something mutates, it is changing. Something that is changing is hard to analyze and to quantify. A mutating table error (ORA-04091) occurs when a row-level trigger tries to examine or change a table that is already undergoing change (via an INSERT, UPDATE, or DELETE statement). In particular, this error occurs when a row-level trigger attempts to read or write the table from which the trigger was fired. Fortunately, the same restriction does not apply in statement-level triggers.

In this post, I demonstrate the kind of scenario that will result in an ORA-04091 errors. I then show the "traditional" solution, using a collection defined in a package. Then I demonstrate how to use the compound trigger, added in Oracle Database 11g Release1,  to solve the problem much more simply.

All the code shown in this example may be found in this LiveSQL script.
How to Get a Mutating Table ErrorI need to implement this rule on my employees table:
Your new salary cannot be more than 25x th…

How to Pick the Limit for BULK COLLECT

This question rolled into my In Box today:
In the case of using the LIMIT clause of BULK COLLECT, how do we decide what value to use for the limit? First I give the quick answer, then I provide support for that answer

Quick Answer
Start with 100. That's the default (and only) setting for cursor FOR loop optimizations. It offers a sweet spot of improved performance over row-by-row and not-too-much PGA memory consumption.Test to see if that's fast enough (likely will be for many cases).If not, try higher values until you reach the performance level you need - and you are not consuming too much PGA memory. Don't hard-code the limit value: make it a parameter to your subprogram or a constant in a package specification.Don't put anything in the collection you don't need. [from Giulio Dottorini]Remember: each session that runs this code will use that amount of memory.Background

When you use BULK COLLECT, you retrieve more than row with each fetch, reducing context switchi…

Quick Guide to User-Defined Types in Oracle PL/SQL

A Twitter follower recently asked for more information on user-defined types in the PL/SQL language, and I figured the best way to answer is to offer up this blog post.

PL/SQL is a strongly-typed language. Before you can work with a variable or constant, it must be declared with a type (yes, PL/SQL also supports lots of implicit conversions from one type to another, but still, everything must be declared with a type).

PL/SQL offers a wide array of pre-defined data types, both in the language natively (such as VARCHAR2, PLS_INTEGER, BOOLEAN, etc.) and in a variety of supplied packages (e.g., the NUMBER_TABLE collection type in the DBMS_SQL package).

Data types in PL/SQL can be scalars, such as strings and numbers, or composite (consisting of one or more scalars), such as record types, collection types and object types.

You can't really declare your own "user-defined" scalars, though you can define subtypes from those scalars, which can be very helpful from the perspective…