
I am looking for a solution to a problem that I have - I have some applications that connect to Oracle databases and we need to filter the query results that are returned based on the user role and the row content of the Oracle database. RBAC and Oracle VPD (LBAC) are not an option as this is considered too unwieldy and difficult to maintain, even though LBAC is already implemented.

I am looking at application- and database-agnostic solutions such as IBM DataPower and WebSphere WTX that are more used in the SOA space as enterprise application brokers. I am aware of the challenge in using these or other solutions at the network layer, which involves deconstructing Oracle TNS packets and not being able to package them back. I am wondering if there is a solution to this problem that I have using DataPower or anything similar?

Or are there any alternate solutions to solve this problem?

  • Your question is a bit hard to understand. I guess that RBAC is an acronym for role-based access control. I have no idea what LBAC is intended to stand for. I am hard-pressed to imagine how a middle tier application could possibly filter packets from the Oracle database in order to implement anything approaching a VPD solution outside of the database. Or how that level of deep packet inspection could possibly be database agnostic. Or how that could possibly be more difficult to maintain than a VPD policy. – Justin Cave Apr 08 '15 at 23:18
  • Right, RBAC does stand for that and from my understanding, VPD does enable you to implement RBAC as well. Also, LBAC and VPD are conceptually similar in that they both allow or facilitate RBAC implementation. That said, the middle tier products such as DataPower or other ESBs are able to perform routing and selective filtering, so I was wondering if there are any capabilities that I could extend to solve the issue. – rajeshvenkat Apr 09 '15 at 00:16
  • I still don't have any idea what LBAC is supposed to stand for. A middle tier that routes and filters particular types of messages based on standard protocols is radically different than trying to inspect a proprietary data stream to try to remove rows being returned in a data set. I still can't fathom how this would be easier to maintain than a VPD policy even if you could cobble something together. – Justin Cave Apr 09 '15 at 03:05

0 Answers