VPD | DBMS_RLS | Policy Function | FGAC
In the context of Virtual Private Database (VPD), the most critical component is the policy function—a user-defined function that returns a predicate (a WHERE clause condition). However, this function only becomes a policy function when it is explicitly registered through the DBMS_RLS.ADD_POLICY procedure. Until then, it's just a regular function.Once associated via ADD_POLICY, Oracle automatically invokes this function before any user query (e.g., SELECT) on the protected table, and it appends the returned condition as a WHERE clause to that query. This dynamic and transparent mechanism is what enables Fine-Grained Access Control (FGAC) at the row level.
Query set to check VPD | DBMS_RLS | Policy Function
SELECT * FROM DBA_CONTEXT;
SELECT * FROM DBA_POLICIES;
-- Check if the context namespace exists
SELECT * FROM DBA_CONTEXT
WHERE NAMESPACE LIKE '%CTX_FOR_SOFT_PARSING%'; -- actual context name
-- Policy name
SELECT * FROM DBA_POLICIES
WHERE POLICY_NAME = 'CFR_HDR_POLICY';
-- actual Policy name
-- Policy function details - CFR_HDR_SECURITY_FN
SELECT name, type, line, text
FROM all_source
WHERE UPPER(text) LIKE '%CFR_HDR_SECURITY_FN%';
-- DBA_POLICIES details
SELECT OBJECT_OWNER,
OBJECT_NAME,
POLICY_NAME,
PF_OWNER,
PACKAGE,
FUNCTION,
POLICY_TYPE,
ENABLE
FROM DBA_POLICIES
ORDER BY OBJECT_OWNER, OBJECT_NAME;
Top comments (0)