Data Level Security using Virtual Private Database
In this article we are going to see the implementation part of VPD concept in OBIEE. Before understanding the working of VPD, let us see the meaning of this concept:
Virtual private database graciously use the FGAC (fine grain access feature) which was implemented by Oracle 8i.It helps us with Data Level Security on the database side by applying policies. The advantage is that if there are multiple applications accessing data from the database then it is not necessary to implement data level security in all those applications.
It can be used as in combination of “application context” feature to enforce sophisticated row and/or column level security for privacy and regulatory compliance.
No matter how users connect to the protected table (via an web application) web interface or SQL* plus) the results are the same. No application problem persists since the access polices are attached to the table, and cannot be bypassed.
Working of VPD:
As discussed above in simple words the polices that are created in the database will append a predicate (where clause) to the query at run time.
Eg: there exists a query that would return data according to the user.
If a user would enter a query then he would enter the following:
Select * from table
Internally according to the policies the following query will be generated.
Select * from table
this mechanism is transparent to the users.
Configuration of VPD in OBIEE
To use the VPD feature in the database and in OBIEE along with its caching capabilities it is necessary to configure VPD in OBIEE.
Failing to configure VPD feature when the cache is enabled (in obiee)the request would by pass all the VPD policies by accessing the data from the cache and the data level security will not be handled properly. The user will not see the results as expected.
In order to understand the topic in a much better way I have divided this article I two parts.
First we will see how the cache behaves normally and then in the second part we will see OBIEE cache behaviour with VPD installed
Normal OBEE cache behavior
Pr-requisite:Make sure that your cache is enabled so subsequent requests that are similar to the query or the subset will hit the cache and understanding the concept will be easier..
Login as Administrator and create request(Any request).
Now via the admin tool, in the repository check the cache section.
Since the cache is enabled you will see that an entry is made in the cache with respect to the request created in the presentation services.
Now Login as another user and send the same request
Here I Have logged in as User MARY WEST
Create the same/similar request .In this case I have the same request that I had created when logged in as Administrator so it would be easy to understand.(Refer Step I).
Now again via the admin tool check the cache section/Repeat step II
You will see that the entry that was seen last time still persists. This means that the request that I have created when logged in as Mary West has hit the cache.
Note: You can also check the NQQuery log to cross check if the query has hit the cache or not.
OBIEE Cache behavior with VPD installed
First in the repository you need to right click the database object and in the propreties you check the VPD check box as shown below.
In the repository Tool-Variables I create a system session variable and enable the Security Sensitive option.
Before going to the presentation services I purge the previous cache entries so that it will make things easier to understand.
Now in the presentaiton services I again log in as administrator and create a request.
Now via the admin tool in the repository check the cache section.
An entry will be made in the cache for the user administrator.
tip:You can also check the query log to see if the request is inserted into the cache
Now log in as a different user(I logged in as Mary West) and fire the same or the subset of the request sent earlier when the user Administrator had logged in.
In the repositorysection check the entry made in the cache .
You will notice that even if the cache was enabled and the same/subset of the request created by the user Mary West(in my case) a separate entry is made according to the user Mary West.
The subsequent requests by the user Mary West that is similar to the query will hit its own cache.
This ensures that the user will see only his data.