Implementing Fine Grained Access Control and Masking
What is FGAC?
Fine Grained Access Control (FGAC) in Oracle 8i gives you the ability to dynamically attach, at runtime, a predicate (the WHERE clause) to all queries issued against a database table or view.
(Expert One-on-One Oracle by Tom Kyte)
Other terms for FGAC are Row Level Security and Virtual Private Database (VPD).
FGAC is an Oracle feature that SCT has implemented within the Banner framework.
Assume FGAC has been implemented for table SPBPERS:
User JSMITH has BAN_DEFAULT_M access to SPAPERS. We want him to see all people who are designated General Student on form GUASYST. To do this, we associate the SB_GENSTUDENT_PII with JSMITH. When JSMITH queries a person in SPAPERS who has an SGBSTDN record, he will see and have access to this record.
If JSMITH tries to query a person who does not have an SGBSTDN record, he will get into the form but will not see anything, as if the record does not exist at all.
This will carry over into SQL queries against SPBPERS.
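A plain Oracle VPD policy that would produce the JSMITH behavior described above, as an added example that is not Banner's delivered FGAC code or part of the original slides. The schema name DEMO_OWNER, the table demo_user_domain, the function demo_spbpers_policy and the join columns spbpers_pidm / sgbstdn_pidm are assumptions made for illustration.

```sql
-- Added example: generic Oracle VPD, not Banner's delivered FGAC objects.
-- Hypothetical user-to-domain mapping (constructed sample data).
CREATE TABLE demo_user_domain (
  username    VARCHAR2(30) NOT NULL,
  domain_code VARCHAR2(30) NOT NULL
);
INSERT INTO demo_user_domain VALUES ('JSMITH', 'SB_GENSTUDENT_PII');
COMMIT;

-- Policy function: Oracle calls it with the schema and object name and
-- appends the returned string as a WHERE predicate to the statement.
CREATE OR REPLACE FUNCTION demo_spbpers_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  v_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO v_count
    FROM demo_user_domain
   WHERE username    = SYS_CONTEXT('USERENV', 'SESSION_USER')
     AND domain_code = 'SB_GENSTUDENT_PII';

  IF v_count > 0 THEN
    -- Only people with a student record are visible (assumed join columns).
    RETURN 'EXISTS (SELECT 1 FROM sgbstdn WHERE sgbstdn_pidm = spbpers_pidm)';
  END IF;

  RETURN '1 = 0';  -- fail closed: users with no domain see no rows
END demo_spbpers_policy;
/

-- Attach the policy; DEMO_OWNER is a placeholder schema name.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'DEMO_OWNER',
    object_name     => 'SPBPERS',
    policy_name     => 'DEMO_SPBPERS_PII',
    function_schema => 'DEMO_OWNER',
    policy_function => 'DEMO_SPBPERS_POLICY',
    statement_types => 'SELECT,UPDATE,DELETE'
  );
END;
/

-- As JSMITH, "SELECT * FROM spbpers" now runs as
-- "SELECT * FROM spbpers WHERE EXISTS (...)": non-student rows look absent.
```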
We are using FGAC on SPBPERS & GOBTPAC.
Step 4: GORFDPI
1. Make sure policies are enabled on form GORFDPI for SPBPERS and GOBTPAC and the Active Indicator is checked for these tables. Make sure the Active Indicator is unchecked for SPRIDEN.
2. Log in as baninst1, position in the links directory, and run gfpiiaddpol.sql
Checking Exempt from PII will bypass FGAC processing for this user in all Banner Forms. FGAC will remain in place at the table level. (Defect or feature?)
Checking Cross Domain PII will allow the user to bypass FGAC by entering through a search form (SOAIDEN, etc).
In order to grant full database access to certain users we created a Business Profile which has all PII Domains associated with it. This is needed for users who will need full SQL row access.
Shows the predicate that is being used on each select statement issued against the applicable FGAC table.
GORFEOB
Job Submission processes are placed here to exempt them from FGAC. FYI, Job Submission jobs which call database procedures will be processed under FGAC.
Table build code
Assume spbpers_ssn has been masked on form SPAPERS for user JSMITH and he has BAN_DEFAULT_M:
When JSMITH enters SPAPERS he will be able to see all columns except SSN, which will be masked. He will be able to update all columns except SSN. Every record he queries in SPAPERS will have the SSN masked; there is no PII processing. Masking is all or nothing.
Masking does not carry over into SQL, and each form a user has access to must be set up to Mask. We are masking SSN (birthdate soon) on SPAPERS, SPAIDEN, APAIDEN & APSABIO.
We are using a combination of FGAC and Masking on Personal Data.