This discussion is archived
2 Replies Latest reply: Sep 23, 2013 7:22 AM by user13298813 RSS

What restrictions apply to VPD functions for column masking?

user13298813 Newbie
Currently Being Moderated

I want to understand the restrictions that apply to VPD functions when used for column masking, compared with their use for Row-Level Security.

 

According to the Oracle Database Security Guide (11g Release 1)

 

Column-masking conditions generated by the policy function must be simple Boolean expressions, unlike regular Oracle Virtual Private Database predicates.

 

I have long understood the above as implying that column-masking conditions should not contain sub-queries (i.e. inner selects).

 

However, we tested using a condition with a select inside another select (2-level nesting) and yet it worked. We were on 11g Release 2, by the way.

 

So, I wonder, does anyone have experience with using sub-queries in column-masking conditions? Or, alternatively, does anyone have more information on what Oracle means with "regular VPD predicates" and "simple Boolean expressions" (of course, in the context of VPD)?

 

Thanks,

 

Pablo

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points