Overview:

This blog talks about VPD (Virtual Private Database) in Oracle Apex, a feature that helps address security concerns by restricting access to data at the row level based on certain conditions.

Technologies and Tools Used:

The following technologies have been used to implement this requirement.

  • SQL
  • PL/SQL
  • Oracle Apex

Use Case:

  • Consider a corporation that utilizes Oracle Apex for its web-based apps. The organization has several departments, and employees from each need access to data in the program. However, sensitive information should only be accessible to specified people, depending on their positions or conditions.
  • For example, the Human Resources department should only see employee records relating to their department, whereas the Finance department should only have access to financial data relevant to their role. Without sufficient security measures, all users may have uncontrolled access to all data, potentially breaching confidentiality and allowing unwanted access to critical information.

Architecture:

The following steps are explained in detail:

Step 1: Create a policy function in oracle database using PL/SQL

create or replace function get_emp_criteria

(

object_schema IN VARCHAR2,

object_name VARCHAR2

)

return varchar2 DETERMINISTIC as

l_criteria varchar2(4000);

begin

if sys_context(‘APEX$SESSION’, ‘APP_ID’) in (121) — Only apply VPD to specific APEX applications

then

l_criteria:=q’#(ENAME=sys_context(‘APEX$SESSION’, ‘APP_USER’))#’;

This will have current apex user who logged in.

end if;

return l_criteria;

end get_emp_criteria;

Step 2: Create a database policy that will use the above-created function.

begin

dbms_rls.add_policy

(object_schema=>’HR’  /*provide the schema name*/

,object_name=>’EMP’ /* provide your table name used in your application*/

,policy_name=>’EMP_POLICY’ /* Policy name*/

function_schema=>’HR’  /* schema name where your policy function was created*/

,policy_function=>’get_emp_criteria’ /* function name above created*/

statement_types=>’SELECT’  /* statement we use in our application*/

);

end;

Step 3: Enable the policy created:

BEGIN

DBMS_RLS.enable_POLICY(‘HR’, ‘EMP’, ‘EMP_POLICY’ , TRUE);

END;

Step 4: Create an apex application and a report page with the query as below.

Note that I am not using any filtering conditions; I am just querying my table.

 

 

Scenario:

If you want to restrict users to a particular location, you need to follow the steps below to achieve the same.

Step 1:Create a context in Oracle PL/SQL.

create or replace

context MYLOC using LOC_FN;

Step 2: Create a context function and a policy function to filter employee name and location details.

create or replace function LOC_FN

return NUMBER

is

L_LOC_ID NUMBER;

L_LOC_NAME VARCHAR2(100);

begin

select location_id

into L_LOC_ID

from

emp_demo

where ENAME=sys_context(‘APEX$SESSION’, ‘APP_USER’);

dbms_session.set_context(‘MYLOC’,’ATTR’,L_LOC_ID);/*Need privilege in your schema to execute the same.*/

return L_LOC_ID;

end;

CREATE OR REPLACE FUNCTION vpd_location_policy_function (

schema_var IN VARCHAR2,

table_var IN VARCHAR2

) RETURN VARCHAR2

AS

l_location_id NUMBER;

BEGIN

Retrieve the location ID from the custom context using the LOC_FN function

l_location_id := LOC_FN();

 

Return a predicate to filter records based on location_id

RETURN ‘location_id = ‘ || l_location_id;

 

EXCEPTION

WHEN OTHERS THEN

Handle exceptions, but do not return a value incompatible with the function’s return type

Raise_application_error(‘-20000’, sqlerrm);

RETURN NULL; return null in case of an exception

END vpd_location_policy_function;

Step 3: Create a policy in your table as per below code.

BEGIN

DBMS_RLS.ADD_POLICY(

object_schema   => ‘hr’,/* Schema name*/

object_name     => ’emp_demo’,/* Table name*/

policy_name     => ’emp_demo_vpd_policy’,/* Policy name*/

function_schema => ‘hr’,/* policy function schema name*/

policy_function => ‘vpd_location_policy_function’,/* policy function name*/

statement_types =’select’ /* we can select,insert, update, and delete based on scenarios.

);

END;

Enable policy:

BEGIN

DBMS_RLS.enable_POLICY(‘HR’, ‘EMP_DEMO’, ’emp_demo_vpd_policy’, TRUE);

END;

Step 4:Create an Apex application and create a report page with the below query.

Outcome:

Here, I am logging in as Employee “king” ,I am only getting the details related to “king.”

The required outcome is given below.

Here, I am logged in as Employee “BLAKE” ,I am only getting the details related to “BLAKE.”

 

Here,I am selecting the employees according to location:10

Conclusion :

  • By implementing VPD in Oracle Apex, the company can ensure that sensitive data is appropriately secured and that users have access only to the information that is relevant to their roles and responsibilities.
  • This enhances data confidentiality and minimizes the risk of unauthorized access, contributing to a more secure and compliant application environment.

 

 

 

 

 

 

Recent Posts

Start typing and press Enter to search