Database Security for Applications

Real Application Security

Oracle Database 18c includes Oracle Real Application Security (RAS), the next-generation successor to Oracle Virtual Private Database (VPD). Oracle RAS is the industry's most advanced technology for supporting application security requirements. The out-of-the-box integration of Oracle RAS with Oracle Fusion Middleware and Oracle APEX eliminates custom development for securing application data, thus providing end-to-end application security.

Oracle RAS provides a declarative model for security policies that encompass not only the business objects being protected but also the principals (users and roles) that have permissions to operate on those business objects. RAS is more secure, scalable, and cost-effective than traditional Oracle VPD technology.

Oracle RAS Benefits include:

  • End-user session propagation to the database
  • Data security based upon application users, roles, privileges, and various relationships
  • Audit of end-user activity
  • Simplified administration with declarative security

RAS allows developers to:

  • Define the data security policy in the database based on business objects
  • Associate custom application privileges to authorize application-level operations on these business objects
  • Provision authorization to application users and roles, which can be managed in LDAP-compliant identity stores as well as in the database

With Oracle RAS, application users are authenticated in the application tier as well as in the database. Irrespective of the data access path, the data security policies are enforced in the database kernel based on the end user's native session in the database. The privileges assigned to the user control the type of operations (select, insert, update, and delete) that can be performed on rows and columns of the database objects.

Technical Information

Virtual Private Database

Oracle Database 18c Virtual Private Database (VPD), first introduced in Oracle8i, provides an interface to associate PL/SQL packages with application tables. The PL/SQL package computes a predicate, or "where" clause, that is automatically appended to incoming SQL statements, restricting access to rows and columns within the table. VPD policies can be simple or complex depending on your security requirements, but almost always use an Oracle-defined application context that is initialized by the application at runtime. VPD can be used to enforce row- and/or column-level security requirements for privacy and regulatory compliance. A simple VPD example might restrict access to data to business hours, and a more complex VPD example might read an application context set during a login trigger and enforce row-level security against an application table.
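The mechanism described above, written out as an added example (not code from Oracle's documentation or from this page): a policy function that reads an application context populated after login and returns a predicate combining the business-hours rule with a row-level department rule. The HR.EMPLOYEES table, the HR_CTX namespace, the HR_CTX_PKG package and the EMP_DEPT_POLICY name are assumed for illustration.

```sql
-- Added example, not Oracle's own code. Assumes a hypothetical HR.EMPLOYEES
-- table with a DEPARTMENT_ID column; a logon trigger or the application
-- calls HR_CTX_PKG.SET_DEPARTMENT after authenticating the end user.

-- 1. Application context: only the trusted package named here may write the
--    HR_CTX namespace, so a session cannot forge its own department.
CREATE OR REPLACE CONTEXT hr_ctx USING hr.hr_ctx_pkg;
CREATE OR REPLACE PACKAGE hr.hr_ctx_pkg AS
  PROCEDURE set_department(p_dept_id IN NUMBER);
END hr_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr.hr_ctx_pkg AS
  PROCEDURE set_department(p_dept_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('hr_ctx', 'department_id', TO_CHAR(p_dept_id));
  END set_department;
END hr_ctx_pkg;
/

-- 2. Policy function: returns the WHERE-clause text the kernel appends to
--    every statement on the table. Both rules live inside the predicate so
--    they are evaluated at execution time, not once when the policy is cached.
CREATE OR REPLACE FUNCTION hr.emp_row_policy (
  schema_name IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  -- Fail closed: a session that never set a department sees no rows.
  IF SYS_CONTEXT('hr_ctx', 'department_id') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  RETURN 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 17'
      || ' AND department_id = SYS_CONTEXT(''hr_ctx'', ''department_id'')';
END emp_row_policy;
/

-- 3. Attach the policy to the table for all four DML types.
--    update_check => TRUE also rejects INSERT/UPDATE values that would place
--    a row outside the caller's own department.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'HR',
    policy_function => 'EMP_ROW_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE,
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/
```

After the policy is enabled, a session that has not called SET_DEPARTMENT, or that queries outside 08:00-17:59 server time, gets an empty result rather than an error, which is the fail-closed behaviour a practitioner should verify with a test session before relying on the policy.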
