Virtual Private Databases (VPD)

Virtual Private Databases (VPD) is an Oracle-specific feature available as a standard part of Enterprise Edition. VPD provides fine-grained access control that is data-driven, context-dependent and row-based.
A security administrator defines database contexts for individual users or groups of users. These contexts are used to limit the data that a user can see when they execute SQL statements.
Contexts are usually set (enabled) using a login trigger so that a user has no control over the context they use. Once enabled, the context name is used by Oracle to find predefined rules that are used to dynamically modify SQL statements executed by the user.
The security administrator defines contexts and their associated rules. For example, user U1 logs on and a login trigger fires to set a context C1. When the user executes the following SQL:
    SELECT * FROM EMP
Oracle adds
    WHERE DEPT = 10
to the query so that user U1 can only see rows from his/her own department. Another user U2 using context C2 might have the predicate
    WHERE DEPT = 20
added to their otherwise identical SQL. In this way, each user only sees data that is relevant to them.
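
The following sketch shows how the login trigger, context and predicate rule described above fit together in Oracle. It is an added example, not taken from the IIR documentation; the SECADM schema, the HR.EMP table, the SECADM.USER_DEPT mapping table and the EMP_CTX context name are all hypothetical.

```sql
-- Added example. SECADM, HR.EMP, SECADM.USER_DEPT and EMP_CTX are hypothetical names.

-- 1. Context namespace that only the trusted package is allowed to write.
CREATE OR REPLACE CONTEXT emp_ctx USING secadm.emp_ctx_pkg;

-- 2. Package that sets the context and supplies the policy predicate.
CREATE OR REPLACE PACKAGE secadm.emp_ctx_pkg AS
  PROCEDURE set_dept;
  FUNCTION dept_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END emp_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY secadm.emp_ctx_pkg AS
  PROCEDURE set_dept IS
    v_dept NUMBER;
  BEGIN
    -- Look up the department of the session user in the mapping table.
    SELECT dept INTO v_dept
      FROM secadm.user_dept
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('EMP_CTX', 'DEPT', TO_CHAR(v_dept));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- unmapped user: context stays unset
  END set_dept;

  FUNCTION dept_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    -- With no context set, SYS_CONTEXT returns NULL and DEPT = NULL
    -- matches no rows, so the policy fails closed.
    RETURN 'DEPT = TO_NUMBER(SYS_CONTEXT(''EMP_CTX'', ''DEPT''))';
  END dept_predicate;
END emp_ctx_pkg;
/

-- 3. Login trigger: the user cannot choose or skip the context.
CREATE OR REPLACE TRIGGER secadm.set_emp_ctx AFTER LOGON ON DATABASE
BEGIN
  secadm.emp_ctx_pkg.set_dept;
END;
/

-- 4. Attach the rule: Oracle appends the predicate to SELECTs on HR.EMP.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'SECADM',
    policy_function => 'EMP_CTX_PKG.DEPT_PREDICATE',
    statement_types => 'SELECT');
END;
/
```

Accounts holding the EXEMPT ACCESS POLICY privilege bypass the policy entirely, so that grant should be limited to accounts that genuinely need to read every row.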

IIR Implementation

The SSA userid is used to extract source data from the UST and create an IDT and IDXs. In order to see all rows in the UST, the SSA userid must be exempted from VPD-based restrictions. This is done with the following SQL:
    GRANT EXEMPT ACCESS POLICY TO SSA;
Once all the data is loaded into the IDT and IDXs, ordinary database access controls secure this data, since it is private to the SSA user. A dictionary-alias is normally used to hide the SSA userid and password from search clients.
IIR provides access to the IDT/IDX data through the Search Server. To guard against unauthorized access, the System administrator defines the System-Definition option VPD-Secure and/or defines the environment variable SSASECUREENV.
When either is defined, IIR insists that each user provide a context using the ids_set_vpd_user API prior to starting a search. In response to a search request, the Search Server will build a result set and, for each record in that set, issue SQL queries using the user's context to screen out any record that the user is not permitted to see.

Environment Variables

A VPD System requires an additional environment variable to be defined. SSASECURECONNECT specifies a database connection string for a "proxy user" that will be used to screen records from the result set.
The connection string is a normal IIR connection string such as
    odb:99:ssaproxy/ssaproxy@oracle920
or may be the special keyword SSAUSER, in which case IIR uses the current Rulebase connection string to create a proxy user connection to the UST database.

Proxy User Context

IIR establishes a context for the proxy user by calling a PL/SQL package provided by the security administrator.
Each search user must call the API function ids_set_vpd_user to nominate the name of the package and the parameter to be passed to it.

Restrictions

IDTs may not be created by merging (merged_from clause).
IDTs may not be flattened.
LOGTEST tracing is disabled in a VPD environment.
The only IIR Search Client that supports VPD is relate. Use the -V switch to specify the name of the context setting package and its parameter.
