This discussion is archived
2 Replies Latest reply: Sep 23, 2013 7:22 AM by user13298813 RSS

What restrictions apply to VPD functions for column masking?

user13298813 Newbie
Currently Being Moderated

I want to understand the restrictions that apply to VPD functions when used for column masking, compared with their use for Row-Level Security.


According to the Oracle Database Security Guide (11g Release 1)


Column-masking conditions generated by the policy function must be simple Boolean expressions, unlike regular Oracle Virtual Private Database predicates.


I have long understood the above as implying that column-masking conditions should not contain sub-queries (i.e. inner selects).


However, we tested using a condition with a select inside another select (2-level nesting) and yet it worked. We were on 11g Release 2, by the way.


So, I wonder, does anyone have experience with using sub-queries in column-masking conditions? Or, alternatively, does anyone have more information on what Oracle means with "regular VPD predicates" and "simple Boolean expressions" (of course, in the context of VPD)?






  • Correct Answers - 10 points
  • Helpful Answers - 5 points