Database Security for Applications

Real Application Security

Oracle Database 12c introduces Oracle Real Application Security (RAS), the next generation Oracle Virtual Private Database (VPD). Oracle RAS introduces the industry’s most advanced technology for supporting application security requirements.

Oracle RAS provides a declarative model that enables security policies that encompass not only the business objects being protected but also the principals (users and roles) that have permissions to operate on those business objects. RAS is more secure, scalable, and cost effective than traditional Oracle VPD technology.

Oracle RAS Benefits include:

  • End-user session propagation to the database
  • Data security based upon application users, role, privileges, and various relationships
  • Audit of end-user activity
  • Simplified administration with declarative security


Unlike the existing Oracle VPD, RAS provides a declarative interface that allows developers to define the data security policy, application roles, and application users without requiring application developers to create and maintain PL/SQL stored procedures. With Oracle RAS, the data security policies are defined inside the database kernel using the Oracle RAS API. The permissions associated with business objects are stored in Access Control Lists (ACLs) that are defined and maintained through the RAS API. ACLs are a key component of Real Application Security and store the privileges assigned to principals and control the type of operations (select, insert, update and delete) that can be performed on the objects.

Technical Information

Virtual Private Database

Oracle Database 12c Virtual Private Database (VPD, first introduced in Oracle8i), provides an interface to associate PL/SQL packages with application tables. The PL/SQL package computes a predicate or "where" clause that is automatically appended to incoming SQL statements, restricting access to rows and columns within the table. VPD policies can be simple or complex depending on your security requirements, but almost always use an Oracle defined application context that is initialized by the application at runtime. VPD can be used to enforce row and/or column level security requirements for privacy and regulatory compliance. A simple VPD example might restrict access to data during business hours and a more complex VPD example might read an application context during a login trigger and enforce row level security against an application table.