I have read some documentation, but i think VPD and OLS (Oracle Label Security) are very similar.
Oracle Label Security provides multi-level security, row-level access control out of the box, and provides factor to be used inside Database Vault.
So what are the differences between them and why should we use OLS, in which cases? why VPD is not sufficient?
OLS is based on VPD. In VPD you need to code pl/sql predicate function to achieve row level security, and you must create and/or use application contexts directly. OLS on the other hand is used for data classification (like confidential, secret, top secret), and everything can be done graphically in EM - you don't need to code anything. To achieve this, data in the table need to be classified first.
Moreover, in VPD, Fine-grained access control policies cannot be applied to objects in the SYS schema.
Consequently, the SYS user and users making a privileged connection to the database (for
example, CONNECT / AS SYSDBA) do not have fine-grained access control policies applied to
their actions. They are always exempted from fine-grained access control enforcement. However,
the SYSDBA actions can be audited.
And with DB VAULT, SYSDBA can be audited. It's a major difference.
OLS is not based on VPD, although internally there may be some areas of shared code, OLS is mainly 'kernelized', meaning that
underlying processing takes place in compiled C code and the LBACSYS pl/sql packages only provide an interface to that (so called stubs).
While VPD and OLS are both adding a means of row level security, Label Security has historically been best adapted to
environments that conceptually have different hierarchical levels of security classification, like 'Top Secret', 'Secret', etc.
(in other words the military and intelligence communities). It has a strict hierarchy and requires data to be properly labelled,
a classification system that probably already existed before the data entered an electronic system such as an RDBMS and
to which OLS has been modelled.
VPD using dbms_rls is probably better suited to commercial businesses, like multi tennancy environments, where you can separate
data between businesses (organization id) that have data in the same database but otherwise has no hierarchical classification.
Harm ten Napel
Edited by: hnapel on Dec 11, 2012 8:43 AM
OLS is in fact based on VPD ("Oracle Label Security is an out-of-the-box solution for row level security, built on VPD technology." - link: http://www.oracle.com/technetwork/database/security/ols-faq-088171.html#A05)
OLS uses VPD policies implicitly to create infrastructure for label based access control.
I have some other internal stuff that I cannot disclose here where it states that OLS is based on VPD.
OLS is supposed to implement row level security based on classifications (Mandatory Access Control). VPD is supposted to implement the same using predicates. Both solutions are good at what they do (VPD is included in EE, OLS is additional cost option).
I agree that VPD is better suited for commercial business (however some banks and large firms have internal classification, so for them OLS represents a better solution).
Edited by: Zoran Pavlovic on Dec 11, 2012 11:54 PM
yes, EXEMPT ACCESS POLICY privilege will bypass both VPD and OLS policies, as I already stated
there are shared code areas internally but altogether OLS is significantly different from VPD,
EXEMPT ACCESS POLICY is in repsonse to user7643286 post :)
It is not about shared code (OLS is just a layer on top of VPD, and it is not coded in kernel). VPD is executing at data level (Oracle kernel adds where clause in SQL VM). OLS implicitly uses VPD to create a special type of VPD in which access is controlled through user authorizations and data labels (you can create label security by yourself using VPD, but that is more difficult solution than OLS because OLS has better user interface and you don't need to write a single line of code). OLS is nothing more than a special case of VPD.
Edited by: Zoran Pavlovic on Dec 12, 2012 4:30 PM