Database Security for Applications

Real Application Security

Oracle Database 12c introduces Oracle Real Application Security (RAS), the next generation of Oracle Virtual Private Database (VPD). Oracle RAS introduces the industry’s most advanced technology for supporting application security requirements.

Oracle RAS provides a declarative model for security policies that encompass not only the business objects being protected but also the principals (users and roles) that have permissions to operate on those business objects. RAS is more secure, scalable, and cost-effective than traditional Oracle VPD technology.

Oracle RAS benefits include:

  • End-user session propagation to the database
  • Data security based upon application users, roles, privileges, and various relationships
  • Audit of end-user activity
  • Simplified administration with declarative security


Unlike the existing Oracle VPD, RAS provides a declarative interface that allows developers to define the data security policy, application roles, and application users without requiring application developers to create and maintain PL/SQL stored procedures. With Oracle RAS, the data security policies are defined inside the database kernel using the Oracle RAS API. The permissions associated with business objects are stored in Access Control Lists (ACLs) that are defined and maintained through the RAS API. ACLs are a key component of Real Application Security and store the privileges assigned to principals and control the type of operations (select, insert, update and delete) that can be performed on the objects.

Technical Information

Virtual Private Database

Oracle Database 12c Virtual Private Database (VPD), first introduced in Oracle8i, provides an interface to associate PL/SQL packages with application tables. The PL/SQL package computes a predicate or "where" clause that is automatically appended to incoming SQL statements, restricting access to rows and columns within the table. VPD policies can be simple or complex depending on your security requirements, but almost always use an Oracle-defined application context that is initialized by the application at runtime. VPD can be used to enforce row- and/or column-level security requirements for privacy and regulatory compliance. A simple VPD example might restrict access to data during business hours, and a more complex VPD example might read an application context during a login trigger and enforce row-level security against an application table.
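The more complex case described above (an application context set at logon and a policy function that returns the row-level predicate) can be sketched as follows. This is an added example, not Oracle's own sample code; the schema `APP`, table `ORDERS`, column `SALES_REP`, context `ORDERS_CTX` and the package, trigger and policy names are hypothetical.

```sql
-- Added example. APP, ORDERS, SALES_REP, ORDERS_CTX and all object names are hypothetical.

-- 1. Application context: only the named package is allowed to set its attributes.
CREATE OR REPLACE CONTEXT orders_ctx USING app.orders_ctx_pkg;

CREATE OR REPLACE PACKAGE app.orders_ctx_pkg AS
  PROCEDURE init;
END orders_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app.orders_ctx_pkg AS
  PROCEDURE init IS
  BEGIN
    -- Derive the identity from the database session, never from client-supplied input.
    DBMS_SESSION.SET_CONTEXT('orders_ctx', 'sales_rep',
                             SYS_CONTEXT('USERENV', 'SESSION_USER'));
  END init;
END orders_ctx_pkg;
/
-- 2. Logon trigger: initializes the context for every new session.
CREATE OR REPLACE TRIGGER app.orders_ctx_logon
  AFTER LOGON ON DATABASE
BEGIN
  app.orders_ctx_pkg.init;
END;
/
-- 3. Policy function: returns the predicate that VPD appends to each statement.
CREATE OR REPLACE FUNCTION app.orders_policy (
  p_schema IN VARCHAR2,
  p_table  IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  -- SYS_CONTEXT is referenced inside the predicate rather than concatenated in,
  -- so no session value is spliced into SQL text. If the context was never set,
  -- SYS_CONTEXT returns NULL, the comparison is not true, and no rows are visible.
  RETURN 'sales_rep = SYS_CONTEXT(''orders_ctx'', ''sales_rep'')';
END orders_policy;
/
-- 4. Attach the policy to the table for all DML, checking new row values as well.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_ROW_POLICY',
    function_schema => 'APP',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);  -- reject INSERT/UPDATE that would create rows outside the predicate
END;
/
```

When reviewing a deployment like this, check who holds the `EXEMPT ACCESS POLICY` privilege, since those accounts (and `SYS`) bypass VPD policies entirely.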


Oracle has a very active research organization (Oracle Labs) that is charged to 'Identify, explore, and transfer new technologies that have the potential to substantially improve Oracle's business'. One part of the organization is the External Research Office (ERO). The ERO is charged to ' ... invest in research collaborations that fit Oracle's long-term strategic goals. These collaborations are between university researchers and engineers/researchers throughout Oracle's various organizations'. The ERO webpage lists numerous current and past collaborations. Oracle provides funds and direct interactions with highly experienced developers.

If you are interested in the ERO program please contact Steve Jeffreys at

If you would like to explore opportunities for a research collaboration with the database team please contact Dieter Gawlick at

or Garret Swart at