
Column-Level Security: Implementing Oracle VPD to Hide Sensitive Data from Database Users and Developers

Customer October 31, 2025 at 4:53 pm

Our developers and custom report writers require basic SELECT privileges on many tables, such as HR.PER_ALL_PEOPLE_F, for building complex Blitz Reports. However, due to compliance, they absolutely must not see sensitive columns like DATE_OF_BIRTH or NATIONAL_IDENTIFIER. We need to implement a solution that allows them to query the table but masks these specific columns. Is Column Level VPD the appropriate solution, and how does this affect Blitz Reports run by the privileged APPS user?

    • Support October 31, 2025 at 8:02 pm

      Yes, implementing Column Level VPD is ideal for this scenario, as it allows users to access the table while returning NULL values only for specified, sensitive columns. This is far more efficient than modifying countless view definitions.

    • Customer November 1, 2025 at 1:37 am

      How do we define the VPD Policy for column restriction? Specifically, how is the list of sensitive columns provided?

    • Support November 1, 2025 at 4:40 am

      You create a VPD policy using `DBMS_RLS.ADD_POLICY`. Within this policy definition, you utilize the parameter `sec_relevant_cols` and specify the column names that should be restricted, such as 'DATE_OF_BIRTH,NATIONAL_IDENTIFIER'. This security cannot be bypassed by SQL statements.

    • Customer November 1, 2025 at 7:45 am

      Since Blitz Report runs as APPS, how do we prevent the security policy from inadvertently blocking APPS or standard Oracle functionality?

    • Support November 1, 2025 at 12:41 pm

      If you want to secure data only from general database users (like your developers' direct accounts) but allow the core APPS user (who executes Blitz Reports) to see data, the Policy Function is designed to check the current database user. If the user is NOT APPS, it applies a predicate like '1=2' or enforces column masking.

    • Support November 1, 2025 at 5:03 pm

      If the goal is to protect against any external access, including Blitz Reports, the VPD policy must use application context (`sys_context`) to restrict data based on the source module name, ensuring data is hidden when accessed via Blitz Reports.
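The three Support replies above describe one procedure: write a policy function, register it with `DBMS_RLS.ADD_POLICY` and `sec_relevant_cols`, and have the function decide by database user (the 12:41 pm reply) or by `sys_context` module (the 5:03 pm reply). The script below puts those steps together so they can be tried end to end. It is an added example written for this page, not code from the thread or from Blitz Report. It assumes a scratch table `PEOPLE_DEMO` with constructed rows standing in for `HR.PER_ALL_PEOPLE_F`, a session that owns that table and has EXECUTE on `DBMS_RLS`, and the module string `'Blitz Report'` as a placeholder for whatever the tool actually sets (check `V$SESSION.MODULE` while a report runs). The `sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS` setting is the part the reply does not spell out: it is what turns row filtering into column masking.

```sql
-- Scratch table standing in for HR.PER_ALL_PEOPLE_F (constructed rows), so the
-- policy can be exercised in a test schema before touching the real table.
CREATE TABLE people_demo (
  person_id           NUMBER PRIMARY KEY,
  full_name           VARCHAR2(60),
  date_of_birth       DATE,
  national_identifier VARCHAR2(20)
);

INSERT INTO people_demo VALUES (1, 'Ada Lovelace', DATE '1815-12-10', 'AA-000-001');
INSERT INTO people_demo VALUES (2, 'Alan Turing',  DATE '1912-06-23', 'AT-000-002');
COMMIT;

-- Policy function. VPD calls it with (schema, object) and applies the returned
-- predicate: rows where it is TRUE show real values; rows where it is FALSE
-- get NULL in the sensitive columns (column masking) or are dropped (row
-- filtering). So '1=2' means "mask", '1=1' means "show".
CREATE OR REPLACE FUNCTION people_mask_fn (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
  v_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_module VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'MODULE');
BEGIN
  -- Case 1 (12:41 pm reply): mask every account except APPS, so reports
  -- running as APPS still see the data.
  IF v_user <> 'APPS' THEN
    RETURN '1=2';
  END IF;

  -- Case 2 (5:03 pm reply): also mask APPS sessions whose module identifies
  -- the report tool. 'Blitz Report' is an ASSUMED placeholder string.
  IF v_module = 'Blitz Report' THEN
    RETURN '1=2';
  END IF;

  RETURN '1=1';
END;
/

-- Register on the base table; the policy then applies through any view or
-- synonym over it too. Column masking is SELECT-only, and ALL_ROWS is what
-- makes it masking: without it the same policy would filter rows instead.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => USER,
    object_name           => 'PEOPLE_DEMO',
    policy_name           => 'PEOPLE_DEMO_MASK',
    function_schema       => USER,
    policy_function       => 'PEOPLE_MASK_FN',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'DATE_OF_BIRTH,NATIONAL_IDENTIFIER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS
  );
END;
/

-- From a non-APPS account: both rows come back, the two sensitive columns
-- are NULL, and a query that never references them is not restricted at all.
SELECT person_id, full_name, date_of_birth, national_identifier FROM people_demo;
SELECT person_id, full_name FROM people_demo;

-- Simulate the report tool. MODULE is set by the client session, so this
-- branch only hides data from tools that identify themselves as such.
BEGIN
  DBMS_APPLICATION_INFO.SET_MODULE('Blitz Report', 'demo');
END;
/
SELECT person_id, full_name, date_of_birth FROM people_demo;  -- masked, even for APPS
BEGIN
  DBMS_APPLICATION_INFO.SET_MODULE(NULL, NULL);
END;
/

-- Checks a reviewer will ask for: the policy is enabled with the expected
-- columns, and nobody besides SYS (which VPD never restricts) holds the
-- privilege that bypasses every policy.
SELECT policy_name, sel, enable
  FROM dba_policies WHERE object_name = 'PEOPLE_DEMO';
SELECT policy_name, sec_rel_column, column_option
  FROM dba_sec_relevant_cols WHERE object_name = 'PEOPLE_DEMO';
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT ACCESS POLICY';
```

Two design points worth keeping in mind when moving this to `HR.PER_ALL_PEOPLE_F`: the user check is enforced by the database and cannot be influenced by the client, but the module check relies on a value the client sets through `DBMS_APPLICATION_INFO`, so anyone who can connect as APPS can clear or change it; treat that branch as a convenience for well-behaved tools rather than a boundary. And because VPD policies also bind the table owner and APPS itself, test the function's "show" path from an APPS session before enabling the policy in an environment where standard HR code depends on those columns.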
