DBMS_RLS v12
The DBMS_RLS
package enables the implementation of Virtual Private Database on certain Advanced Server database objects.
Function/Procedure | Function or Procedure | Return Type | Description |
---|---|---|---|
ADD_POLICY(object_schema, object_name, policy_name, function_schema, policy_function [, statement_types [, update_check [, enable [, static_policy [, policy_type [, long_predicate [, sec_relevant_cols [, sec_relevant_cols_opt ]]]]]]]]) | Procedure | n/a | Add a security policy to a database object. |
DROP_POLICY(object_schema, object_name, policy_name) | Procedure | n/a | Remove a security policy from a database object. |
ENABLE_POLICY(object_schema, object_name, policy_name, enable) | Procedure | n/a | Enable or disable a security policy. |
Advanced Server's implementation of DBMS_RLS
is a partial implementation when compared to Oracle's version. Only those functions and procedures listed in the table above are supported.
Virtual Private Database is a type of fine-grained access control using security policies. Fine-grained access control in Virtual Private Database means that access to data can be controlled down to specific rows as defined by the security policy.
The rules that encode a security policy are defined in a policy function, which is an SPL function with certain input parameters and return value. The security policy is the named association of the policy function to a particular database object, typically a table.
Note
In Advanced Server, the policy function can be written in any language supported by Advanced Server such as SQL, PL/pgSQL and SPL.
Note
The database objects currently supported by Advanced Server Virtual Private Database are tables. Policies cannot be applied to views or synonyms.
The advantages of using Virtual Private Database are the following:
- Provides a fine-grained level of security. Database object level privileges given by the
GRANT
command determine access privileges to the entire instance of a database object, while Virtual Private Database provides access control for the individual rows of a database object instance. - A different security policy can be applied depending upon the type of SQL command (
INSERT, UPDATE, DELETE
, orSELECT
). - The security policy can vary dynamically for each applicable SQL command affecting the database object depending upon factors such as the session user of the application accessing the database object.
- Invocation of the security policy is transparent to all applications that access the database object and thus, individual applications do not have to be modified to apply the security policy.
- Once a security policy is enabled, it is not possible for any application (including new applications) to circumvent the security policy except by the system privilege noted by the following.
- Even superusers cannot circumvent the security policy except by the system privilege noted by the following.
Note
The only way security policies can be circumvented is if the EXEMPT ACCESS POLICY
system privilege has been granted to a user. The EXEMPT ACCESS POLICY
privilege should be granted with extreme care as a user with this privilege is exempted from all policies in the database.
The DBMS_RLS
package provides procedures to create policies, remove policies, enable policies, and disable policies.
The process for implementing Virtual Private Database is as follows:
- Create a policy function. The function must have two input parameters of type
VARCHAR2
. The first input parameter is for the schema containing the database object to which the policy is to apply and the second input parameter is for the name of that database object. The function must have aVARCHAR2
return type. The function must return a string in the form of aWHERE
clause predicate. This predicate is dynamically appended as anAND
condition to the SQL command that acts upon the database object. Thus, rows that do not satisfy the policy function predicate are filtered out from the SQL command result set. - Use the
ADD_POLICY
procedure to define a new policy, which is the association of a policy function with a database object. With theADD_POLICY
procedure, you can also specify the types of SQL commands (INSERT, UPDATE, DELETE
, orSELECT
) to which the policy is to apply, whether or not to enable the policy at the time of its creation, and if the policy should apply to newly inserted rows or the modified image of updated rows. - Use the
ENABLE_POLICY
procedure to disable or enable an existing policy. - Use the
DROP_POLICY
procedure to remove an existing policy. TheDROP_POLICY
procedure does not drop the policy function or the associated database object.
Once policies are created, they can be viewed in the catalog views, compatible with Oracle databases: ALL_POLICIES, DBA_POLICIES
, or USER_POLICIES
. The supported compatible views are listed in the Database Compatibility for Oracle Developers Catalog Views Guide, available at the EDB website at:
https://www.enterprisedb.com/docs/
The SYS_CONTEXT
function is often used with DBMS_RLS
. The signature is:
Where:
namespace
is a VARCHAR2
; the only accepted value is USERENV
. Any other value will return NULL
.
attribute
is a VARCHAR2
. attribute
may be:
attribute Value | Equivalent Value |
---|---|
SESSION_USER | pg_catalog.session_user |
CURRENT_USER | pg_catalog.current_user |
CURRENT_SCHEMA | pg_catalog.current_schema |
HOST | pg_catalog.inet_host |
IP_ADDRESS | pg_catalog.inet_client_addr |
SERVER_HOST | pg_catalog.inet_server_addr |
Note
The examples used to illustrate the DBMS_RLS
package are based on a modified copy of the sample emp
table provided with Advanced Server along with a role named salesmgr
that is granted all privileges on the table. You can create the modified copy of the emp
table named vpemp
and the salesmgr
role as shown by the following:
ADD_POLICY
The ADD_POLICY
procedure creates a new policy by associating a policy function with a database object.
You must be a superuser to execute this procedure.
Parameters
object_schema
Name of the schema containing the database object to which the policy is to be applied.
object_name
Name of the database object to which the policy is to be applied. A given database object may have more than one policy applied to it.
policy_name
Name assigned to the policy. The combination of database object (identified by object_schema
and object_name
) and policy name must be unique within the database.
function_schema
Name of the schema containing the policy function.
Note: The policy function may belong to a package in which case function_schema
must contain the name of the schema in which the package is defined.
policy_function
Name of the SPL function that defines the rules of the security policy. The same function may be specified in more than one policy.
Note: The policy function may belong to a package in which case policy_function
must also contain the package name in dot notation (that is, package_name.function_name
).
statement_types
Comma-separated list of SQL commands to which the policy applies. Valid SQL commands are INSERT, UPDATE, DELETE
, and SELECT
. The default is INSERT,UPDATE,DELETE,SELECT
.
Note: Advanced Server accepts INDEX
as a statement type, but it is ignored. Policies are not applied to index operations in Advanced Server.
update_check
Applies to INSERT
and UPDATE
SQL commands only.
When set to
TRUE
, the policy is applied to newly inserted rows and to the modified image of updated rows. If any of the new or modified rows do not qualify according to the policy function predicate, then theINSERT
orUPDATE
command throws an exception and no rows are inserted or modified by theINSERT
orUPDATE
command.When set to
FALSE
, the policy is not applied to newly inserted rows or the modified image of updated rows. Thus, a newly inserted row may not appear in the result set of a subsequent SQL command that invokes the same policy. Similarly, rows which qualified according to the policy prior to anUPDATE
command may not appear in the result set of a subsequent SQL command that invokes the same policy.The default is
FALSE
.
enable
When set to TRUE
, the policy is enabled and applied to the SQL commands given by the statement_types
parameter. When set to FALSE
the policy is disabled and not applied to any SQL commands. The policy can be enabled using the ENABLE_POLICY
procedure. The default is TRUE
.
static_policy
In Oracle, when set to TRUE
, the policy is static, which means the policy function is evaluated once per database object the first time it is invoked by a policy on that database object. The resulting policy function predicate string is saved in memory and reused for all invocations of that policy on that database object while the database server instance is running.
When set to
FALSE
, the policy is dynamic, which means the policy function is re-evaluated and the policy function predicate string regenerated for all invocations of the policy.The default is
FALSE
.Note
In Oracle 10g, the
policy_type
parameter was introduced, which is intended to replace thestatic_policy
parameter. In Oracle, if thepolicy_type
parameter is not set to its default value ofNULL
, thepolicy_type
parameter setting overrides thestatic_policy
setting.Note
The setting of
static_policy
is ignored by Advanced Server. Advanced Server implements only the dynamic policy, regardless of the setting of thestatic_policy
parameter.
policy_type
In Oracle, determines when the policy function is re-evaluated, and hence, if and when the predicate string returned by the policy function changes. The default is NULL
.
Note: The setting of this parameter is ignored by Advanced Server. Advanced Server always assumes a dynamic policy.
long_predicate
In Oracle, allows predicates up to 32K bytes if set to TRUE
, otherwise predicates are limited to 4000 bytes. The default is FALSE
.
Note: The setting of this parameter is ignored by Advanced Server. An Advanced Server policy function can return a predicate of unlimited length for all practical purposes.
sec_relevant_cols
Comma-separated list of columns of object_name
. Provides column-level Virtual Private Database for the listed columns. The policy is enforced if any of the listed columns are referenced in a SQL command of a type listed in statement_types
. The policy is not enforced if no such columns are referenced.
The default is NULL
, which has the same effect as if all of the database object’s columns were included in sec_relevant_cols
.
sec_relevant_cols_opt
In Oracle, if sec_relevant_cols_opt
is set to DBMS_RLS.ALL_ROWS (INTEGER
constant of value 1), then the columns listed in sec_relevant_cols
return NULL
on all rows where the applied policy predicate is false. (If sec_relevant_cols_opt
is not set to DBMS_RLS.ALL_ROWS
, these rows would not be returned at all in the result set.) The default is NULL
.
Note: Advanced Server does not support the DBMS_RLS.ALL_ROWS
functionality. Advanced Server throws an error if sec_relevant_cols_opt
is set to DBMS_RLS.ALL_ROWS (INTEGER
value of 1).
Examples
This example uses the following policy function:
This function generates the predicate authid = SYS_CONTEXT('USERENV', 'SESSION_USER')
, which is added to the WHERE
clause of any SQL command of the type specified in the ADD_POLICY
procedure.
This limits the effect of the SQL command to those rows where the content of the authid
column is the same as the session user.
Note
This example uses the SYS_CONTEXT
function to return the login user name. In Oracle the SYS_CONTEXT
function is used to return attributes of an application context. The first parameter of the SYS_CONTEXT
function is the name of an application context while the second parameter is the name of an attribute set within the application context. USERENV
is a special built-in namespace that describes the current session. Advanced Server does not support application contexts, but only this specific usage of the SYS_CONTEXT
function.
The following anonymous block calls the ADD_POLICY
procedure to create a policy named secure_update
to be applied to the vpemp
table using function verify_session_user
whenever an INSERT, UPDATE
, or DELETE
SQL command is given referencing the vpemp
table.
After successful creation of the policy, a terminal session is started by user salesmgr
. The following query shows the content of the vpemp
table:
An unqualified UPDATE
command (no WHERE
clause) is issued by the salesmgr
user:
Instead of updating all rows in the table, the policy restricts the effect of the update to only those rows where the authid
column contains the value salesmgr
as specified by the policy function predicate authid = SYS_CONTEXT('USERENV', 'SESSION_USER')
.
The following query shows that the comm
column has been changed only for those rows where authid
contains salesmgr
. All other rows are unchanged.
Furthermore, since the update_check
parameter was set to TRUE
in the ADD_POLICY
procedure, the following INSERT
command throws an exception since the value given for the authid
column, researchmgr
, does not match the session user, which is salesmgr
, and hence, fails the policy.
If update_check
was set to FALSE
, the preceding INSERT
command would have succeeded.
The following example illustrates the use of the sec_relevant_cols
parameter to apply a policy only when certain columns are referenced in the SQL command. The following policy function is used for this example, which selects rows where the employee salary is less than 2000
.
The policy is created so that it is enforced only if a SELECT
command includes columns sal
or comm
:
If a query does not reference columns sal
or comm
, then the policy is not applied. The following query returns all 14 rows of table vpemp
:
If the query references the sal
or comm
columns, then the policy is applied to the query eliminating any rows where sal
is greater than or equal to 2000
as shown by the following:
DROP_POLICY
The DROP_POLICY
procedure deletes an existing policy. The policy function and database object associated with the policy are not deleted by the DROP_POLICY
procedure.
You must be a superuser to execute this procedure.
Parameters
object_schema
Name of the schema containing the database object to which the policy applies.
object_name
Name of the database object to which the policy applies.
policy_name
Name of the policy to be deleted.
Examples
The following example deletes policy secure_update
on table public.vpemp
:
ENABLE_POLICY
The ENABLE_POLICY
procedure enables or disables an existing policy on the specified database object.
You must be a superuser to execute this procedure.
Parameters
object_schema
Name of the schema containing the database object to which the policy applies.
object_name
Name of the database object to which the policy applies.
policy_name
Name of the policy to be enabled or disabled.
enable
When set to TRUE
, the policy is enabled. When set to FALSE
, the policy is disabled.
Examples
The following example disables policy secure_update
on table public.vpemp
:
- On this page
- ADD_POLICY
- DROP_POLICY
- ENABLE_POLICY