Fine-grained Access Control (FGAC) vs. Row Level Security (RLS) vs. Virtual Private Database (VPD) vs. Oracle Label Security (OLS)

Question and Answer

Connor McDonald

Thanks for the question, John.

Asked: November 30, 2016 - 2:31 am UTC

Last updated: December 02, 2016 - 2:53 pm UTC

Version: 11.2


You Asked

Good Evening,

Throughout my career, I heard about Fine-grained Access Control (FGAC), Row Level Security (RLS), Virtual Private/Policy Database (VPD) and Oracle Label Security (OLS). These all sound very similar. I've only heard of OLS since it was used by an old DBA friend of mine. He told me that OLS was complex to set up, it appends a "Where" clause at the end of SQL to control access to rows, it reduced database performance and it required a separate license. After that, I pretty much stayed as far away from it as possible. In the last 10 years, I've heard of other security features like FGAC, RLS and VPD. Maybe it is time to reconsider using one of these features.

Please compare and contrast (concepts, performance, cost) each of those four security items if they are not all the same.

I see that Oracle Label Security has an extra cost within this Oracle licensing document: https://docs.oracle.com/cd/E11882_01/license.112/e47877.pdf , but it doesn't state if there is a cost for FGAC, RLS or VPD.

I found a note that states that FGAC is also called VPD or RLS and RLS is also called OLS. Is this true? If it is true, you can see why I am very confused. If this is the case, is this the place to start to learn the concepts: http://docs.oracle.com/cd/E11882_01/network.112/e36292/vpd.htm#DBSEG007 ?

Thanks,

John

and Connor said...

I've got some bad news ... there's more as well :-) We also now have a thing called Real Application Security

http://www.oracle.com/technetwork/database/security/real-application-security/wp-security-ras12c-2312936.pdf

but we'll skip that for now.

FGAC, RLS and VPD are more or less the same thing. Probably best described as a sentence:

"By applying *fine grained access controls* to the database, you in effect, create a *virtual private database* to individual users. They can only see subsets of the data by using *row level security*"

So these are a *technology* that allows *you* to control access to your database at a granular level. But the key point there: these are technologies that you configure.

Oracle Label Security is not a technology as such but a solution. It uses the same underlying technologies to solve a particular problem - multi-level user access control to data.

You could build OLS yourself using VPD/RLS/etc, but obviously then the task of building/configuring/maintaining/upgrading etc becomes your problem as opposed to an off-the-shelf offering.

More details on OLS here:

http://www.oracle.com/technetwork/database/options/label-security/label-security-wp-12c-1896140.pdf
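To make "a technology that you configure" concrete, here is an added example (not from the original answer or Oracle's documentation) of a minimal VPD/RLS policy: a policy function returns a predicate, and DBMS_RLS.ADD_POLICY makes the database append it to every statement against the table. The table, rows, user names and policy names are constructed for the demo, and it assumes the owning schema has been granted EXECUTE on DBMS_RLS.

```sql
-- Constructed demo table (assumes: GRANT EXECUTE ON DBMS_RLS TO <this schema>;
-- has been run by SYS).
CREATE TABLE orders (
  order_id   NUMBER PRIMARY KEY,
  sales_rep  VARCHAR2(30),   -- matches the SESSION_USER of the owning rep
  amount     NUMBER
);
INSERT INTO orders VALUES (1, 'ALICE', 100);
INSERT INTO orders VALUES (2, 'BOB',   250);
COMMIT;

-- Policy function. The database calls it with the schema and object name
-- and appends the returned predicate to the WHERE clause of each statement.
CREATE OR REPLACE FUNCTION orders_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- Sessions with DBA authentication are left unrestricted (constructed rule);
  -- a NULL predicate means "no extra filter".
  IF SYS_CONTEXT('USERENV', 'ISDBA') = 'TRUE' THEN
    RETURN NULL;
  END IF;
  -- Everyone else sees only rows tagged with their own session user.
  RETURN 'sales_rep = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Register the policy on ORDERS for all four DML types. Because it is enforced
-- inside the database, it applies whether the SQL arrives via the application,
-- SQL*Plus or a reporting tool.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWN_ROWS',
    function_schema => USER,
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also reject INSERT/UPDATE producing rows the user could not see
END;
/

-- Connected as BOB, this returns only order 2; the predicate is added by the
-- database, not by the client.
SELECT order_id, amount FROM orders;
```

Note that SYS and any account holding the EXEMPT ACCESS POLICY privilege bypass VPD policies entirely, so such grants deserve the same review as the policy itself.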


Comments

John Cantu, December 01, 2016 - 1:04 pm UTC

GM Connor,

Thanks for the explanation. I certainly don't blame the messenger for telling us about the additional changes.

Connor, there is a tutorial in the VPD section ( http://docs.oracle.com/cd/E11882_01/network.112/e36292/vpd.htm#CIHIFFDE ). Is this an example of FGAC? Do you know if there is an added cost to it? If yes, then what is to stop us from simply using a trigger or even having the front-end application append the where clause if we only need to protect a few tables?

Connor McDonald
December 02, 2016 - 2:51 am UTC

"If yes, then what is to stop us from simply using a trigger"

Because there is no such thing as a "select" trigger. You could do this with a view, but you might end up needing dozens of views to implement different policies for different users etc. Lots of complexity there.

"or even have the front-end application append the where clause if"

Because in the world I've worked in, anyone that ever says "Oh...the only way anyone ever accesses our data is by this application" is kidding themselves :-)

John Cantu, December 02, 2016 - 1:18 pm UTC

Thanks once again, Connor.

However, your reminding me that there isn't a trigger on selects makes me wonder why that was left out, but that is a totally different topic.

John

Chris Saxon
December 02, 2016 - 2:53 pm UTC

A select statement shouldn't have any side-effects. If you could create triggers they would...

Miracle

A reader, December 02, 2016 - 5:50 pm UTC

Maybe when Assertions come into existence, we'll then get a Select within Trigger clause 😊
