Skip to Main Content

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Charles.

Asked: May 05, 2017 - 7:17 pm UTC

Last updated: February 28, 2018 - 2:07 am UTC

Version: 12.1

Viewed 1000+ times

You Asked

I have a couple of VPD issues that I'm trying to ensure I fully understand based on reading Chapter 7 of Oracle Database 12c Security. I've seen both examples for well respected Oracle authors. Regarding bind variable reference of the SYS_CONTEXT function, I currently have the first of these cases in the policy function returned for the WHERE clause:

1. lvar_where_clause := 'activity_sa_id = ' || SYS_CONTEXT ('APP_USER_CTX', 'ACTIVITY');
produces:
WHERE (activity_sa_id = 8)

2. lvar_where_clause := 'activity_sa_id = SYS_CONTEXT (''APP_USER_CTX'', ''ACTIVITY'')';
produces:
WHERE (activity_sa_id = SYS_CONTEXT ('APP_USER_CTX', 'ACTIVITY'))

I see multiple cursors on the majority of application queries. I have 7 different activities in the system and this single policy is on 80% of the 1,500 tables. This has over 10 million hits per day and will probably hit 5-10 times that when the entire client base transition is complete. From the referenced chapter, #2 will allow binding and I should see more plan reuse.

This leads to the best choice for the VPD policy type. We're currently using DYNAMIC. I'm wondering why I can't/shouldn't be using SHARED_CONTEXT_SENSITIVE. A user can belong to multiple activities, but all applications force activity selection at startup for users with multiple assignments. They can also switch activities in a few of the stateless web apps, but it completely moves them into the selected activity and all SYS_CONTEXT parameters are reset. I have multiple technologies from COBOL, Forms, .Net, Cold Fusion, plus other client-server oddballs restricted by the VPD so any remote chance of bleed over cannot be tolerated. Is SHARED_CONTEXT_SENSITIVE with #2 WHERE clause the right path for such a session static parameter?

and Connor said...

Some of that is going to come down to your 'activity' values. You say the number of distinct values for 'activity' is small (ie, less than 10), and you say you have ~1500 tables. Depending on the kinds of queries that being written, that might be a quite small set of distinct queries, or it could be immense (eg a 5 way join with 10 activities could by either just a few distinct queries, or it could be thousands of permutations).

Assuming its (potentially) the latter (ie, lots of activities), than just switching from (1) to (2) will yield a significant benefit.

The policy *type* is a slightly different affair, being more about the cost/frequency of running the policy *function* - that will dictate your choice of policy type. From what you've said in the question, certainly context_sensitive or shared_context_sensitive seem applicable to your use case.

Rating

  (1 rating)

Is this answer out of date? If it is, please let us know via a Comment

Comments

The gotcha

Chuck, February 27, 2018 - 1:52 pm UTC

Now that option 2 is implemented with shared_context_sensitive we see radical decrease in function calls and all seems to be trending better. Then I hit bug 5208794 which prevents MERGE/INSERTs INTO remote_table@dblink SELECT FROM SYS_CONTEXT...anything and gives the ORA-2070 because the entire query execution is really done on the remote site and it does not know the SYS_CONTEXT values. The prior || sys_context did work. Since I really don't control the remote site I opted to insert the data into new global temp tables and insert from them into the remote tables. I was a little surprised that my supposed "push" of data is really converted to a remote pull with access to local objects not explicitly granted as opposed to pushing a dataset that my local VPD protected and SYS_CONTEXT aware user passed.
Connor McDonald
February 28, 2018 - 2:07 am UTC

The DRIVING_SITE hint can be used to yield some control over cross-database queries, but its not something I would typically recommend, because having a query that might run successfully or fail based on *where* the execution is done is a recipe for disaster (imho)
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Security

All of the vital components for a secure database are covered in the Security guide.