1 Reply. Latest reply: Apr 2, 2012 6:59 PM by damorgan

    Create VPD policy

    Saurabh Gupta-OC
      Dear friends,

      I have a requirement to set up a VPD security policy on one of our databases. We have a single schema - multiple access scenario where a single schema is being accessed by multiple users with the same userid/password, hence we must set some security to track if any changes are being made by any user on any object.

      I have found that VPD can help me in setting up the security policy for this, but I have not worked on VPD earlier, so I thought this forum might help me in setting up the policy and getting more information on VPD.

      We are on Oracle 11.2.01 Database with Linux 5.3 environment.

      Below is our scenario and requirement:

      SCENARIO:
      One Database
      3 Schemas
      10 Users
      10 Users accessing 3 schemas with the same password and full access on all 3 schemas.

      REQUIREMENT:
      1. Auditing on DML queries on object level.
      2. Auditing on DDL (Except Select) queries on object level.
      3. Auditing on session login

      Thanks in advance.
        • 1. Re: Create VPD policy
          damorgan
          I do not know what country you are in but in many countries what you have stated: "multiple users with same userid/password" is a prima facie violation of the law.

          My first instinct is to fix the above so that everyone MUST log in with their own userid and password. To simplify and further secure the system they could proxy to a single account that owns the access privileges.

          You can find working demos here:
          http://www.morganslibrary.org/reference/demos/fgac_demo.html
          and syntax here:
          http://www.morganslibrary.org/reference/pkgs/dbms_rls.html

          Note in the demo how an AFTER LOGON trigger is used to create a CONTEXT. This trigger can personalize the CONTEXT by taking into account information that can be obtained with the SYS_CONTEXT function
          http://www.morganslibrary.org/reference/sys_context.html
          such as OS_USER and IP_ADDRESS.
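
The approach described in the reply (personal logins proxying to the shared account, plus an AFTER LOGON trigger that fills a CONTEXT from SYS_CONTEXT), as an added example that is not part of the original thread or the linked demos. All object names are hypothetical, and it assumes a `sec_admin` account that holds CREATE ANY CONTEXT and ADMINISTER DATABASE TRIGGER.

```sql
-- Constructed example; all names (sec_admin, app_owner, alice, session_ctx,
-- session_ctx_pkg, logon_log, trg_capture_logon) are hypothetical.

-- 1. Each person logs in with a personal account and proxies to the shared schema:
--    CONNECT alice[app_owner]/<alice's own password>
ALTER USER app_owner GRANT CONNECT THROUGH alice;

-- 2. Application context; only the named package is allowed to set its attributes.
CREATE OR REPLACE CONTEXT session_ctx USING sec_admin.session_ctx_pkg;

-- 3. One row per login, recording who is really behind the shared account.
CREATE TABLE sec_admin.logon_log (
  logon_time  TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(30),   -- account that owns the privileges
  real_user   VARCHAR2(30),   -- personal account that proxied in
  os_user     VARCHAR2(255),
  ip_address  VARCHAR2(45)
);

CREATE OR REPLACE PACKAGE sec_admin.session_ctx_pkg AS
  PROCEDURE capture;
END session_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.session_ctx_pkg AS
  PROCEDURE capture IS
    -- With proxy authentication PROXY_USER is the person, SESSION_USER the shared schema.
    v_real VARCHAR2(30)  := NVL(SYS_CONTEXT('USERENV', 'PROXY_USER'),
                                SYS_CONTEXT('USERENV', 'SESSION_USER'));
    v_os   VARCHAR2(255) := SYS_CONTEXT('USERENV', 'OS_USER');
    v_ip   VARCHAR2(45)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS'); -- NULL for local connections
  BEGIN
    DBMS_SESSION.SET_CONTEXT('SESSION_CTX', 'REAL_USER',  v_real);
    DBMS_SESSION.SET_CONTEXT('SESSION_CTX', 'OS_USER',    v_os);
    DBMS_SESSION.SET_CONTEXT('SESSION_CTX', 'IP_ADDRESS', v_ip);
    INSERT INTO sec_admin.logon_log (db_user, real_user, os_user, ip_address)
    VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), v_real, v_os, v_ip);
  END capture;
END session_ctx_pkg;
/

-- 4. An unhandled error in a logon trigger blocks logins for accounts without
--    ADMINISTER DATABASE TRIGGER, so test on a non-production instance first.
CREATE OR REPLACE TRIGGER sec_admin.trg_capture_logon
AFTER LOGON ON DATABASE
BEGIN
  sec_admin.session_ctx_pkg.capture;
END;
/
```

After login, `SYS_CONTEXT('SESSION_CTX', 'REAL_USER')` is available to a DBMS_RLS policy function or an auditing trigger to attribute each change to a person. OS_USER is reported by the client, so treat it as a hint rather than proof of identity.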