Virtual Private Database (VPD) with Oracle

最新推荐文章于 2025-10-21 22:09:11 发布
转载 最新推荐文章于 2025-10-21 22:09:11 发布 · 740 阅读 · 0
文章标签:

#database #insert #session #table #schema #user

本文介绍如何使用 Oracle 的 Virtual Private Database (VPD) 功能实现细粒度访问控制。通过具体示例展示了如何限制员工仅能访问其所在部门的秘密信息,并提供了完整的 SQL 脚本及步骤。

 

refer:http://www.adp-gmbh.ch/ora/security/vpd/

 

Virtual Private Database is also known as fine graind access control (FGAC). It allows to define which rows users may have access to.

A simple example

In this example, it is assumed that a company consists of different departments (with each having an entry in the departments table). An employee belongs to exactly on department. A department can have secrets that go into the department_secrets table. 
create table department (
  dep_id int primary key,
  name    varchar2(30)
);

create table employee (
  dep_id references department,
  name    varchar2(30)
);

create table department_secrets (
  dep_id references department,
  secret varchar2(30)
);
Filling in some truly confidential secrets: 
insert into department values (1, 'Research and Development');
insert into department values (2, 'Sales'                   );
insert into department values (3, 'Human Resources'         );

insert into employee values (2, 'Peter');
insert into employee values (3, 'Julia');
insert into employee values (3, 'Sandy');
insert into employee values (1, 'Frank');
insert into employee values (2, 'Eric' );
insert into employee values (1, 'Joel' );

insert into department_secrets values (1, 'R+D Secret #1'  );
insert into department_secrets values (1, 'R+D Secret #2'  );
insert into department_secrets values (2, 'Sales Secret #1');
insert into department_secrets values (2, 'Sales Secret #2');
insert into department_secrets values (3, 'HR Secret #1'   );
insert into department_secrets values (3, 'HR Secret #2'   );
For any employee, it must be possible to see all secrets of his department, but no secret of another department.
In order to make that happen with Oracle, we need to create a package, a trigger, and set a policy.
First, the package is created. 
create or replace package pck_vpd
as
  p_dep_id department.dep_id%type;

  procedure set_dep_id(v_dep_id department.dep_id%type);

  function predicate (obj_schema varchar2, obj_name varchar2) return varchar2;
end pck_vpd;
/

create or replace package body pck_vpd as 
  
  procedure set_dep_id(v_dep_id department.dep_id%type) is
  begin
    p_dep_id := v_dep_id;
  end set_dep_id;


  function predicate (obj_schema varchar2, obj_name varchar2) return varchar2 is
  begin
    return 'dep_id = ' || p_dep_id;
  end predicate;
  
end pck_vpd;
/
Then the trigger is defined. This trigger fires whenever someone log on to the database. It finds the user's departement id ( dep_id) and calls set_dep_id in the package. 
create or replace trigger trg_vpd
  after logon on database
declare
  v_dep_id department.dep_id%type;
begin
  select dep_id into v_dep_id
  from employee where upper(name) = user;

  pck_vpd.set_dep_id(v_dep_id);
end;
/
Finally, the policy is defined. The policy states which procedure is used to add a where clause part to the where clause if someone executes a select statement. 
begin
dbms_rls.add_policy  (
  user,
  'department_secrets',
  'choosable policy name',
  user,
  'pck_vpd.predicate',
  'select,update,delete');
end;
/
To test the setup, some users are created. 
create user frank identified by frank default tablespace users temporary tablespace temp;
create user peter identified by peter default tablespace users temporary tablespace temp;
create user julia identified by julia default tablespace users temporary tablespace temp;
The necessary privileges are granted. 
grant all on department_secrets to frank;
grant all on department_secrets to peter;
grant all on department_secrets to julia;

grant create session to frank;
grant create session to peter;
grant create session to julia;
A public synonym is created. 
create public synonym department_secrets for department_secrets;
Frank (belonging to R+D) executes a query.... 
connect frank/frank;

select * from department_secrets;

    DEP_ID SECRET
---------- ------------------------------
         1 R+D Secret #1
         1 R+D Secret #2
Peter (belonging to Sales) executes a query.... 
connect peter/peter;

select * from department_secrets;

    DEP_ID SECRET
---------- ------------------------------
         2 Sales Secret #1
         2 Sales Secret #2

  
-- -----------------------------------------------------------------------------
-- File Name   : vpd2.sql
-- -----------------------------------------------------------------------------
-- Maintainer  : Pete Finnigan (http://www.petefinnigan.com)
-- Copyright   : Copyright (C) 2009 PeteFinnigan.com Limited. All rights
--               reserved. All registered trademarks are the property of their
--               respective owners and are hereby acknowledged.
-- -----------------------------------------------------------------------------
--  Usage      : The script provided here is available free. You can do anything 
--               you want with it commercial or non commercial as long as the 
--               copyright and this notice are not removed or edited in any way. 
--               The scripts cannot be posted / published / hosted or whatever 
--               anywhere else except at www.petefinnigan.com/vpd2.sql
-- ------------------------------------------------------------------------------

prompt [*] connect as SYS
pause

connect sys/oracle1 as sysdba

prompt [*] Drop the test user
drop user pxf cascade;

prompt [*] Recreate the test user

create user pxf identified by pxf default tablespace users temporary tablespace temp;

grant create session to pxf;

grant create any context to pxf;

grant create table to pxf;

grant unlimited tablespace to pxf;

grant create procedure to pxf;

grant execute on dbms_rls to pxf;

grant execute on dbms_session to pxf;

create table pxf.emp as select * from scott.emp;

prompt [*] Now connect as PXF
pause

connect pxf/pxf

prompt [*] Select from the sample table - should be 15 rows
pause

select * from emp;

Prompt [*] Let everyone see the table and connect as SCOTT and select again
prompt [*] should still be 15 rows

grant select on pxf.emp to public;

connect scott/tiger

select * from pxf.emp;

prompt [*] connect as PXF again and set up a simple VPD
prompt [*] that restricts access to dept 10
pause

connect pxf/pxf

create or replace function predicate (pv_schema in varchar2, pv_object in varchar2)
return varchar2
as
begin
	return 'deptno != ''10''';
end;
/

begin
	dbms_rls.add_policy(
		object_schema => 'PXF',
		object_name => 'EMP',
		policy_name => 'PXFTEST',
		policy_function => 'PREDICATE');
end;
/

prompt [*] Finally connect as SCOTT and see if he is blocked from seeing the data
prompt [*] should now be 12 rows!
pause

connect scott/tiger

select * from pxf.emp;

prompt [*]
pause
sho user

prompt [*] set up trace and dump the predicate
pause
alter session set sql_trace=true;

alter session set events '10730 trace name context forever';

prompt [*] Dump the data from the emp table
select * from pxf.emp;

prompt [*] Turn trace off
alter session set events '10730 trace name context off';
alter session set sql_trace=false;

prompt [*] Lets look at the trace file
pause

prompt [*]
pause

prompt [*] View the predicate
pause

select object_owner,object_name,policy_name,
       pf_owner,pf_owner,function
from all_policies;

set serveroutput on size 1000000

declare
	predic varchar2(1000);
begin
	dbms_output.put_line('The predicate is :'||pxf.predicate('PXF','EMP'));
end;
/

prompt [*] I have seen this type of design:
prompt [*] where the predicate functions are executable by all
pause

connect pxf/pxf
grant execute on predicate to public;
connect scott/tiger

set serveroutput on size 1000000

declare
	predic varchar2(1000);
begin
	dbms_output.put_line('The predicate is :'||pxf.predicate('PXF','EMP'));
end;
/

prompt [*] Access the data directly
pause

-- -------------------------------------------------------
-- change the file number and block number to suit your
-- database not mine.
-- -------------------------------------------------------

select distinct dbms_rowid.rowid_block_number(rowid) blk,
   dbms_rowid.rowid_relative_fno(rowid) fno
from pxf.emp;

select file_name from dba_data_files
where file_id=4;

alter system dump datafile 4 block 444;

prompt [*] Lets try again as monitor
pause

connect monitor/monitor

select distinct dbms_rowid.rowid_block_number(rowid) blk,
   dbms_rowid.rowid_relative_fno(rowid) fno
from pxf.emp;

select file_name from dba_data_files
where file_id=4;

alter system dump datafile 4 block 444;



 
oracle vpd策略,oracle vpd 策略查询
weixin_34771903的博客
04-10 1115
Oracle VPD策略示例 - abce - 博客园2015年12月14日Oracle VPD策略示例 1.未创建前使用oe用户登录查询: + View Code + View Code 2.创建VPD策略 以sys用户用sysdba权限登录pdb2 2.1.创建策略函数 + View...oracle vpd 策略查询_文档之家这与Oracle VPD 的实现相反,Oracle VPD 的实...
VPD--Virtual Private Database / Oracle Policy
cudaon633797的博客
01-12 190
VPD--Virtual Private Database / Oracle Policy[@more@]1. 说明Policy应用于数据行访问权限控制时,其作用简而言之,就是在查询数据表时,自动在查询结果上加上一个Where子...
QUESTION 2 Virtual Private Database (VPD) policies
jisen_huang的专栏
02-01 244
QUESTION 2 Examine the following commands for redefining a table with Virtual Private Database (VPD) policies: BEGIN DBMS_RLS.ADD_POLICY ( object_schema => 'hr', object_name => 'employees', policy_name => 'employees_policy', function_schema =>
mysql实现vpd_VPD(Virtual Private Database) 简单演示
weixin_32127545的博客
01-19 382
VPDVirtual Private Database , 是一种限制对数据库信息细粒度的访问控制技术。实现的关键在于:RLS(Row Level Security) 行级权限控制,通过 ORACLE 的 存储过程:dbms_rls.add_policy 实现.实现原理:查询时在 WHERE 语句后 加上 'AND ...', 该功能由策略函数实现。下面用PL/SQL 简单举例演示。--创建测...
Oracle(101)什么是虚拟专用数据库(VPD)?
qq_43012298的博客
09-03 1412
虚拟专用数据库(Virtual Private Database, VPD)是Oracle数据库中用于实现细粒度访问控制的强大技术。通过创建策略函数和策略,可以基于用户身份、会话属性或其他上下文信息,动态地控制用户对数据库数据的访问。上述步骤和代码示例展示了如何配置和使用虚拟专用数据库,以满足具体的业务需求。
OracleVPD介绍
weixin_33998125的博客
05-29 407
1、什么是VPD?虚拟专用数据库 (VPD) 提供了角色和视图无法提供的行级访问控制。对于互联网访问,虚拟专用数据库可以确保在线银行的客户只能看到他们自己的帐户。Web 托管公司可以在同一Oracle 数据库中维护多个公司的数据,但只允许每个公司查看其自身数据。在企业内部,虚拟数据库可在应用程序部署方面降低拥有成本。可以在数据库服务器一次实现安全性,而不用在访问数据的每个应用...
VPD(Virtual Private Database)
彦祖的小号的博客
07-13 2032
VPD可以直接在表,视图和同义词上实施安全策略,提供行或列级别的安全性 VPD可应用于SELECT, INSERT, UPDATE, INDEX和DELETE命令 VPD是在SQL访问受VPD保护的对象时,SQL被动态地修改加入限制where条件 创建用户并授权 conn sys/oracle as sysdba grant create session to adams identified by john7; grant create session to burlington i..
ORACLE Virtual Private DatabaseVPD
rfb0204421的专栏
08-13 1737
行记录级访问控制(ROW-RULE control)问题的提出和意义?        企业的应用系统都离不开数据库系统,数据库系统的权限控制是很重要的一个环节,大型数据库系统(ORACLE、DB2、SYBASE、MS SQLSERVER)都提供完善的用户管理机制,从而可以严密地控制数据库对象(表、视图、函数、存储过程、程序包等等)的访问。但是,这往往是对象级别的。          随着
mysql实现vpd_Oracle Virtual Private Database(VPD) 初体验
weixin_42298645的博客
02-18 304
注:本文为原创,作为学习交流使用,转载请标明作者及出处,作者保留追究法律责任的权力。Lumen Su前几周初略学习了OracleVPD技,做了几个试验,也在EBS系统上测试了一下。总结如下,有些内容摘自网络。在数据库的数据安全访问的解决上,有很多的方法来解决权限的问题,常用的方法例如建立视图的方法控制,例如查询语句中加where语句来控制。用view的方法在表结构或者权限变更的时候很不容易操作,...
Oracle_VPD:在Oracle VPD中下载
02-14
Oracle VPD,全称为Virtual Private Database(虚拟私有数据库),是Oracle数据库的一种安全特性,它允许数据库管理员在数据库级别实施细粒度的访问控制。VPD技术通过在SQL语句中动态插入额外的条件,实现了数据级别...
Oracle数据库用VPD来确保信息的隐私
03-03
Oracle数据库的虚拟私有数据库(Virtual Private Database, VPD)是一种强大的行级安全特性,它在Oracle8i中被引入,旨在提供更为精细化的访问控制。VPD允许根据用户的身份和角色来限制对数据行的访问,从而实现高度...
基于Oracle VPD技术实现系统可配置数据屏蔽.pdf
10-09
Oracle VPDVirtual Private Database)技术是Oracle数据库提供的一种安全机制,它允许数据库根据用户的上下文信息动态地修改SQL查询,实现数据的行级访问控制。这种技术的主要目的是确保敏感数据的安全,同时简化...
[Oracle] 数据库安全之 - 虚拟私有数据库 (VPD
Zhu_Julian's Notes (朱显杰的技术博客)
06-09 4490
Oracle的安全分为四大部分,分别是用户管理、访问控制、数据保护和监控,具体可参考《[Oracle] 数据库安全概述》http://blog.youkuaiyun.com/u010415792/article/details/9008089 今天着重讲讲访问控制中一种常见的技术VPDVPD的全称是Virtual Private Database 虚拟私有数据库,它在Oracle 8i时就出现了,是Ora
架构设计过去十年与未来十年
weixin_40213018的博客
10-21 607
架构十年 过去的十年,刘海锋与架构一同成长。他认为,架构领域经历了快速演进的十年。架构领域在整个互联网的技术栈是偏底层的,但过去十年架构领域的演进速度,一点都不亚于应用开发,甚至移动端开发的速度。比如容器,新型的数据库,新型的中间件,大规模集群的调度,以及系统跟算法的结合,在很多方面都出现了新的变化,甚至是出现了里程碑式的进步。 在具体的变化方面,刘海锋列举了三点,第一点是容器。把所有的东西都放在容器里,这是以前从没有过的。到今天,我们不光把应用的部署放在容器里,很多有状态的服务,包括缓存,..
CAD print.pdf
12-05
CAD print.pdf
install_dmt.apk
12-05
install_dmt.apk
【环境遥感监测】基于Google Earth Engine的空气质量数据获取系统:多污染物时空序列提取与分析工具设计
12-05
内容概要:本文介绍了一个基于Google Earth Engine(GEE)的空气质量数据获取工具类 `GEEDataFetcher`,旨在从GEE平台高效提取多种污染物(如SO₂、NO₂)的时间序列与空间数据。该工具支持区域筛选、多污染物批量获取、日/月时间分辨率聚合,并采用批处理和并行机制优化性能,避免请求超限。同时提供了认证初始化、数据导出为CSV、空间影像生成等功能,便于后续分析与可视化。; 适合人群:具备Python编程基础,熟悉pandas、ee等库的数据分析师、环境科研人员或地理信息系统(GIS)开发者;有遥感数据处理需求的研究生或技术人员;; 使用场景及目标:①用于获取特定区域(如德里)长时间序列的空气污染数据,支持环境变化趋势分析;②结合统计分析或机器学习模型进行空气质量预测;③生成空间分布图辅助决策与政策制定;④教学演示中展示GEE与Python集成应用; 阅读建议:建议结合实际区域与污染物配置运行示例代码,理解各参数作用;注意处理GEE认证问题,推荐在Jupyter环境中逐步调试;可扩展本工具以接入更多传感器数据源或集成Polars提升大数据处理效率。
各大厂商信息mac地址对应表
12-05
各大厂商信息mac地址对应表
知识星球智驾机器人技术前线内容同步项目是一个专注于自动驾驶与机器人领域前沿技术分享与交流的开源知识库致力于每日更新并系统化整理该领域的最新研究成果优秀论文深度解析工程实践方案.zip
最新发布
12-05
知识星球智驾机器人技术前线内容同步项目是一个专注于自动驾驶与机器人领域前沿技术分享与交流的开源知识库致力于每日更新并系统化整理该领域的最新研究成果优秀论文深度解析工程实践方案.zip
Oracle VPD详解:行级与列级数据隔离
Oracle虚拟专用数据库(Virtual Private DatabaseVPD)是一种强大的安全特性,它允许数据库管理员限制不同用户访问特定数据的范围,从而实现更为精细的数据隔离。VPD通过在数据库级别配置策略,使得用户在操作数据...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值