OracleBIBlog Search

Monday, December 29, 2008

OBIEE and Virtual Private Database (VPD)

What is VPD?

Virtual Private Database is Oracle’s fine grain access control (FGAC) feature that was introduced in Oracle 8i. It helps control data level security on the database side by applying policies, thus data level security in the applications that read from the database is not necessary. The advantage is that if there are multiple applications accessing data from a database, it is not necessary to implement data level security in all those applications.

How does VPD work?

Policies are created in the database that would append a predicate (a WHERE clause) to the query in runtime. Consider a simple example – there exists a policy which would return only the rows attached to a particular user id on the table Orders. If a user “Kumar” were to query data from Orders table, Kumar would enter the following command:

Select * from Orders;

The policy that dictates what information a user can see would append a predicate to the query as follows:

Select * from Orders

where user_name = ‘KUMAR’;

This mechanism of appending the predicate is entirely transparent to the user.

Click here to read more about VPD on Oracle’s OTN.

Configuring VPD in OBIEE

To use the VPD feature in the Database and OBIEE along with its caching capabilities it is important to configure VPD in OBIEE. Failing to configure VPD in OBIEE while caching is enabled (in OBIEE), the request would bypass VPD policies by accessing data from cache and data level security will not be effectively handled by the database’s VPD. Thus, the users will see incorrect results.

To configure VPD in OBIEE, first enable the VPD option in the database’s general tab as shown:

clip_image002[7]

Then enable the “Security Sensitive” option in the security variable:

clip_image004[4]

Normal OBIEE Cache Behavior

To be simple and brief, if caching is enabled, a query that is being run for the first time would create a cache. Subsequent requests that is similar to the query or its subset would hit the cache to retrieve the results. This is true even if the users are different.

Example:

Logged on as Kumar Kambam

clip_image006[6]

Running a request…

clip_image008[6]

… generates the following Query log

clip_image010[6]

The cache is created….

clip_image012[6]

Now any user that issues a similar request or a subset of the request will hit the cache.

Logged on as Power User1

clip_image014[6]

Running a similar request, generates the following log. Notice that OBIEE server found a matching query in the cache that is created by Kumar.Kambam for the query issued by Poweruser1.

clip_image016[6]

clip_image018[6]

OBIEE Cache Behavior with VPD configured

When VPD option is configured in OBIEE, cache is created for each user even though a matching query exists in the cache. This ensures that the data retrieved for a user is not retrieved from the cache created by a different user, thereby ensuring the enforcement of VPD policies. In other words, if Kumar.Kambam were to run a query, the cache is created by the data visibility rules enforced by the VPD for Kumar.Kambam. If Poweruser1 runs a similar request it should bypass the query cache and hit the database to retrieve the data along the policies of the VPD for Poweruser1; if it were to hit the cache created by Kumar.Kambam, the results for Kumar Kambam will be presented to Poweruser1.

After configuring VPD, logged on as Kumar Kambam

clip_image019[4]

Running a query for the first time…

clip_image021[4]

…the following log is generated

clip_image023[4]

The cache is created

clip_image025[6]

Running the same query again, the following log is generated…

clip_image027[6]

OBIEE found a matching query in the cache and uses it.

clip_image029[6]

Now log on as Power User1

clip_image030[4]

By running the same request, the following log is generated…

clip_image032[4]

A new cache entry is created even though a similar request has been issued by a different user and a cache has been created for it

clip_image034[4]

The subsequent requests by Poweruser1 that is similar to the query will hit its own cache. This ensures that a user will only see his/her data.

1 comments:

Anonymous said...

My experience with cacheing (non-vpd) is that it is user specific. Other identical queries but from different users will not get a cache hit. I'm wondering if this has something to do with the connection pool? Can you describe your environment in which you see cache hits on other people's cache?
We are using external authentication. Our connection pools use the Shared Login with a hardcoded username and password.