Oracle Database 12c introduces Oracle Real Application Security (RAS), the next generation Oracle Virtual Private Database (VPD). Oracle RAS introduces the industry’s most advanced technology for supporting application security requirements.
Oracle RAS provides a declarative model that enables security policies that encompass not only the business objects being protected but also the principals (users and roles) that have permissions to operate on those business objects. RAS is more secure, scalable, and cost effective than traditional Oracle VPD technology.
Unlike the existing Oracle VPD, RAS provides a declarative interface that allows developers to define the data security policy, application roles, and application users without requiring application developers to create and maintain PL/SQL stored procedures. With Oracle RAS, the data security policies are defined inside the database kernel using the Oracle RAS API. The permissions associated with business objects are stored in Access Control Lists (ACLs) that are defined and maintained through the RAS API. ACLs are a key component of Real Application Security and store the privileges assigned to principals and control the type of operations (select, insert, update and delete) that can be performed on the objects.
The Oracle Real Application Security Administration Application (RASADM) simplifies management of Oracle Database 12c Real Application Security (RAS). Application developers and security administrators can easily create and manage RAS security policies, application users, and roles. RASADM complements the comprehensive RAS PL/SQL API available with Oracle Database 12c.
After downloading the RASADM package, follow the README file (readme.txt) to install the application on your Oracle Database 12c (12.1.0.2 or higher) with Oracle Application Express 5.0. Visit the Oracle Technology Network (OTN) Database Security Discussion Forum to ask questions and provide feedback about this application.
Oracle Database 12c Virtual Private Database (VPD, first introduced in Oracle8i), provides an interface to associate PL/SQL packages with application tables. The PL/SQL package computes a predicate or "where" clause that is automatically appended to incoming SQL statements, restricting access to rows and columns within the table. VPD policies can be simple or complex depending on your security requirements, but almost always use an Oracle defined application context that is initialized by the application at runtime. VPD can be used to enforce row and/or column level security requirements for privacy and regulatory compliance. A simple VPD example might restrict access to data during business hours and a more complex VPD example might read an application context during a login trigger and enforce row level security against an application table.