Thanks for the question, Charles.
Asked: May 05, 2017 - 7:17 pm UTC
Last updated: February 28, 2018 - 2:07 am UTC
Version: 12.1
Viewed 1000+ times
You Asked
I have a couple of VPD issues that I'm trying to ensure I fully understand based on reading Chapter 7 of Oracle Database 12c Security. I've seen both examples for well respected Oracle authors. Regarding bind variable reference of the SYS_CONTEXT function, I currently have the first of these cases in the policy function returned for the WHERE clause:
1. lvar_where_clause := 'activity_sa_id = ' || SYS_CONTEXT ('APP_USER_CTX', 'ACTIVITY');
produces:
WHERE (activity_sa_id = 8)
2. lvar_where_clause := 'activity_sa_id = SYS_CONTEXT (''APP_USER_CTX'', ''ACTIVITY'')';
produces:
WHERE (activity_sa_id = SYS_CONTEXT ('APP_USER_CTX', 'ACTIVITY'))
I see multiple cursors on the majority of application queries. I have 7 different activities in the system and this single policy is on 80% of the 1,500 tables. This has over 10 million hits per day and will probably hit 5-10 times that when the entire client base transition is complete. From the referenced chapter, #2 will allow binding and I should see more plan reuse.
This leads to the best choice for the VPD policy type. We're currently using DYNAMIC. I'm wondering why I can't/shouldn't be using SHARED_CONTEXT_SENSITIVE. A user can belong to multiple activities, but all applications force activity selection at startup for users with multiple assignments. They can also switch activities in a few of the stateless web apps, but it completely moves them into the selected activity and all SYS_CONTEXT parameters are reset. I have multiple technologies from COBOL, Forms, .Net, Cold Fusion, plus other client-server oddballs restricted by the VPD so any remote chance of bleed over cannot be tolerated. Is SHARED_CONTEXT_SENSITIVE with #2 WHERE clause the right path for such a session static parameter?
and Connor said...
Some of that is going to come down to your 'activity' values. You say the number of distinct values for 'activity' is small (ie, less than 10), and you say you have ~1500 tables. Depending on the kinds of queries that being written, that might be a quite small set of distinct queries, or it could be immense (eg a 5 way join with 10 activities could by either just a few distinct queries, or it could be thousands of permutations).
Assuming its (potentially) the latter (ie, lots of activities), than just switching from (1) to (2) will yield a significant benefit.
The policy *type* is a slightly different affair, being more about the cost/frequency of running the policy *function* - that will dictate your choice of policy type. From what you've said in the question, certainly context_sensitive or shared_context_sensitive seem applicable to your use case.
Rating
(1 rating)
Is this answer out of date? If it is, please let us know via a Comment