Hey,
it seems to me that using columns already masked by a policy (using SEC_RELEVANT_COLS_OPT => dbms_rls.ALL_ROWS) can't be reused as a decision criterion in another policy function. Let's assume I have a table EMP containing columns ID, NAME and SAL. I am trying to achieve the following two cell-level restrictions:
* ID column is restricted to all users and used for internal purposes only (e.g. for security enforcement)
* SAL is only visible for the logged in user (identified in the context with her ID)
But: everyone is allowed to see all the rows (i.e. all the names) of the EMP table.
My approach was to write two policy functions implementing the above-mentioned restrictions. But it seems that VPD enforces the policies also for columns used in the predicate returned by a policy function, so the SAL constraint will never work as no one is allowed to read her ID, not even for the purpose of comparing it to the ID stored in the context. Is there a workaround for my use case?
Kind regards,
Gerhard
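
The setup described in the post, written out so the behaviour can be reproduced. This is an added example, not the poster's code. The function names, policy names and the application context EMP_CTX with attribute EMP_ID are assumptions; only EMP, ID, NAME and SAL come from the post.

```sql
-- Constructed reproduction; only EMP, ID, NAME and SAL come from the post.
CREATE TABLE emp (id NUMBER PRIMARY KEY, name VARCHAR2(50), sal NUMBER);

-- Policy 1: the predicate is never true, so with ALL_ROWS every row is
-- still returned and ID is shown as NULL to everyone.
CREATE OR REPLACE FUNCTION hide_id (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN '1 = 0';
END;
/

-- Policy 2: SAL should be visible only on the row whose ID matches the context.
-- Assumption: EMP_CTX / EMP_ID is set at logon by a trusted package.
CREATE OR REPLACE FUNCTION own_sal (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'id = TO_NUMBER(SYS_CONTEXT(''EMP_CTX'', ''EMP_ID''))';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => USER,
    object_name           => 'EMP',
    policy_name           => 'EMP_HIDE_ID',      -- hypothetical name
    function_schema       => USER,
    policy_function       => 'HIDE_ID',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'ID',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
  DBMS_RLS.ADD_POLICY(
    object_schema         => USER,
    object_name           => 'EMP',
    policy_name           => 'EMP_OWN_SAL',      -- hypothetical name
    function_schema       => USER,
    policy_function       => 'OWN_SAL',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SAL',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Run with EMP_ID set in the context and compare the SAL column per row.
SELECT id, name, sal FROM emp;
```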