
EBS-VPD column update issue

  • 1.  EBS-VPD column update issue

    Posted 05-01-2020 15:40

    Hello All,

    Use-case: Restrict/Hide sensitive data from backend DB & EBS frontend user.

    Potential solution: Identified VPD (implementing a column-level policy) as a potential solution to stop backend (DB) and frontend (EBS 11i/R12) users from viewing/accessing sensitive data.

    We have implemented a VPD policy on one of the sensitive columns. It is working fine as expected for backend DB users, but when a user logs on to EBS, queries the concurrent form and updates any non-VPD column of the VPD-enabled table, it updates the VPD column to null on the same table.

    For example: there is a table called CUSTOMER in the AR module of EBS.

              CUSTOMER Table
                       CREDIT_CARD - VPD policy


    Let's say an EBS user logs into the EBS frontend and queries the form (CUSTOMER). The user sees the null value in the CREDIT_CARD column, which is expected behavior due to the VPD policy; however, if the user updates the ADDRESS column, it updates the CREDIT_CARD value to null permanently.

    I have the following questions:

    1) Is there any solution or workaround to avoid the VPD column being updated when the user updates the non-VPD columns in the EBS concurrent form?
    2) Is there an alternative tool or solution within Oracle or EBS to accomplish the customer requirement? I think EBS doesn't support data redaction.
    3) Is there any other tool or solution that can enable us to accomplish a solution for our use case?
    4) Any suggestion or method that you know or have implemented to accomplish the same?

    Thanks in advance


    Raja Kaparthi
    Data Security Manager
    Emerson Electric Co.
    Saint Louis MO
    (314) 553-117

  • 2.  RE: EBS-VPD column update issue

    OATUG Star Partner
    Posted 05-08-2020 07:46
    Edited by Andy Haack 05-08-2020 07:58
    Hi Raja,

    Adding VPD policies to the EBS database like this should not be done as it can lead to even more severe unexpected side-effects and data corruption than just clearing out credit card numbers, in case Oracle standard processes don't find the data as expected.

    In case of your problematic forms update, the record is queried into the UI with a null credit card value due to the VPD, and this null value is then incorrectly updated back to the table when saving the record.
    To answer your question 1: Yes, in Oracle Forms there is a block property 'Update Changed Properties Only', which controls if the form includes all columns or just the modified ones when it updates the record to the database. This property is set to the default 'No' for most Oracle standard forms and in theory, you could customize the standard form and set this block property to 'Yes' instead, which should bring the desired behavior.
    This approach, however, would not at all be recommended, as you would replace the Oracle standard form with a non-supported custom version, and there are probably more processes that could go wrong.

    I would suggest the following solution instead:
    - Create a forms personalization on all Oracle EBS standard forms where you need to hide sensitive data by setting the DISPLAYED item property to FALSE
    - Create DB policies to restrict access for your custom database users only, but not for the APPS database account.
    - If you need to secure data visibility in reports you can use Blitz Report, which has policy creation scripts built in (affecting Blitz Reports only)

    Please give me a call or send me a message if you would like to discuss more.

    Andy Haack
    Managing Director
    Küsnacht, Switzerland
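
Added example, not part of the reply above and not an Oracle-supplied script: one way to express the second suggestion (DB policies that restrict custom database users but not the APPS account) as a column-masking VPD policy. The SEC_ADMIN schema and the function and policy names are hypothetical; AR.CUSTOMER and CREDIT_CARD are the illustrative names from the question.

```sql
-- Assumptions: SEC_ADMIN is a hypothetical schema that owns the policy function
-- and has EXECUTE on DBMS_RLS. AR.CUSTOMER.CREDIT_CARD is the illustrative
-- table/column from the question, not a confirmed EBS object.

CREATE OR REPLACE FUNCTION sec_admin.mask_credit_card (
    p_schema IN VARCHAR2,   -- passed by the VPD engine: owner of the protected object
    p_object IN VARCHAR2    -- passed by the VPD engine: name of the protected object
) RETURN VARCHAR2
AS
BEGIN
    -- EBS forms and concurrent programs connect as APPS. Exempting APPS means
    -- a form reads the real value and writes the same value back on save,
    -- so the column is no longer overwritten with NULL.
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APPS' THEN
        RETURN '1=1';
    END IF;
    -- Every other database account: the predicate is false for all rows, so
    -- with column masking the rows are returned but CREDIT_CARD shows as NULL.
    RETURN '1=0';
END mask_credit_card;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema         => 'AR',
        object_name           => 'CUSTOMER',
        policy_name           => 'CUSTOMER_CC_MASK',
        function_schema       => 'SEC_ADMIN',
        policy_function       => 'MASK_CREDIT_CARD',
        statement_types       => 'SELECT',          -- column masking applies to SELECT only
        sec_relevant_cols     => 'CREDIT_CARD',
        sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS  -- mask the column instead of hiding rows
        -- policy_type left at its default (dynamic) so the function is
        -- re-evaluated per statement and never cached across sessions
    );
END;
/

-- Check: the policy is registered against the intended column with masking.
-- Accounts holding EXEMPT ACCESS POLICY bypass it, so review that grant too.
SELECT object_owner, object_name, policy_name, sec_rel_column, column_option
  FROM dba_sec_relevant_cols
 WHERE object_owner = 'AR' AND object_name = 'CUSTOMER';
```

Because APPS still reads the real value under this policy, hiding the field from EBS frontend users remains the job of the forms personalization in the first suggestion.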