Oracle VPD as a safeguard for DML

Franck Pachot
Dec 17, 2018 · 1 min read

A new blog post on the Databases at CERN blog about using VPD Row-Level Security (DBMS_RLS) as a safeguard for the privileged users who need to bypass the application and run SQL directly: https://db-blog.web.cern.ch/blog/franck-pachot/2018-12-oracle-vpd-safeguard-dml

Of course, your data should be guarded behind a hard shell (see Bryn Llewellyn's presentation: https://community.oracle.com/docs/DOC-1018915), but there may be exceptional reasons to modify data directly with SQL: some information was not originally supposed to be changed, so the application has no GUI or API for it. If all security was implemented in the application, everything becomes possible once you are connected directly, and a mistake (like a WHERE clause predicate lost in a copy-paste) can be critical. Flashback features are awesome for reacting to this kind of error, but VPD rules can be used as a proactive safeguard by allowing, by default, only a subset of data to be touched.
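A sketch of such a safeguard, added here as an example and not taken from the CERN post: the `APP.ACCOUNTS` table, its columns, the policy name and the use of the session's client identifier to declare the scope are all assumptions chosen for illustration.

```sql
-- Assumed objects: table APP.ACCOUNTS(customer_id NUMBER, status VARCHAR2(10)).
-- The policy function returns the predicate that Oracle appends to the statement.
CREATE OR REPLACE FUNCTION app.dml_safeguard (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- Scope comes from the session's client identifier. When it is not set,
  -- the comparison is against NULL, so no row qualifies (fail closed).
  RETURN q'[customer_id = TO_NUMBER(SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'))]';
END;
/

-- Attach the policy to UPDATE and DELETE only; SELECT still sees every row.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ACCOUNTS',
    policy_name     => 'DML_SAFEGUARD',
    function_schema => 'APP',
    policy_function => 'DML_SAFEGUARD',
    statement_types => 'UPDATE,DELETE',
    update_check    => TRUE  -- an UPDATE cannot move a row outside the scope
  );
END;
/

-- A statement whose WHERE clause was lost in a copy-paste: with no scope
-- declared, the policy predicate filters out every row.
UPDATE app.accounts SET status = 'CLOSED';

-- Declare the intended scope, run the change, then clear the scope.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('42');
END;
/
UPDATE app.accounts SET status = 'CLOSED';  -- limited to customer_id = 42
COMMIT;
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/
```

Because any session can set its own client identifier, this guards against mistakes rather than against a hostile user. SYS and accounts holding the EXEMPT ACCESS POLICY privilege are not subject to the policy at all.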

https://twitter.com/FranckPachot DBA at CERN, Oracle OCM 12c, Oracle ACE Director, Oak Table member. My 499 posts at dbi-services: http://blog.dbi.pachot.net
