Pete Finnigan's Oracle Security Weblog

I came across a very interesting post on the oracle-l list the other day entitled "how to check fine-grained access control is on?". The poster asked how to check if Row Level Security is enabled in the enterprise edition of Oracle. He knew about setting an event in the standard edition to enable this feature so assumed it’s the same in enterprise edition.

Of course you only get Row Level Security (or Virtual Private Database (VPD)) in the enterprise edition not in the standard edition. The poster suggested that Row Level Security can be enabled by setting event 28131 in the init.ora as follows:

event="28131 trace name context forever"

I love internals information like this and hard to find knowledge so I was immediately drawn to this post. So a feature that is only available in the enterprise edition can be turned on in the standard edition. This is interesting. This maybe means that all features can be enabled in the standard edition or conversely features can or could be disabled in the enterprise edition - I have not tested this latter thought - maybe I will if i get chance - This could be a very useful security tool to disable features that are a security risk because of known bugs that cannot be patched.

I should also point out that you should not enable features in the standard edition that are not part of the license agreement.

It would be a good exercise to find out what other features can be enabled or disabled in this way. If you are not familiar with the way Row Level Security works or would like some extra information particularly on extracting the predicates from the database either via SQL or using various events and trace then take a look at the two part paper I wrote some time back on Row Level Security.

So to recap the poster suggested that Row Level Security can be enabled in the standard edition by adding the following lines to your init.ora file.

For 8i and lower add

event="28119 trace name context forever"

For 9i and higher add

event="28131 trace name context forever"

Why does this work? - There is a paper that I found entitled "Migration of Oracle 9i Application server portal (release 1) across databases" that mentions these two events 28131 and 28119 but does not explain why they are used.

I searched on google and found a post on de.comp.datenbanken.misc that explains that these two events can be used to get around ORA-00439 errors. Basically these events can be used to enable Row Level Security in the standard edition when the call to DBMS_RLS.ADD_POLICY fails. This is when Portal is used with the standard edition with which it has been certified. It can be necessary to recreate the VPD policies on tables for Portal in a standard edition database and setting the events 28131 or 28119 depending on version will allow this. The events should be removed after use though. Quite interestingly in this post on de.comp.datenbanken.misc also shows the generic for of the ORA-00439 error as well as the specific error in this case:

ORA-00439: feature not enabled: %s
ORA-00439: feature not enabled: Fine-grained access control

This would also lead us to believe that other features can be enabled or disabled.

I also found two documents on Metalink Doc ID 219911.1 and Doc ID 173512.1 that explain again about the use of 28131 to enable Row Level Security in the Standard Edition.

From an audit angle it is worth adding a check for these events being set in a standard edition database, as they should not be set. This can be done with the DBMS_SYSTEM.READ_EV database procedure.