Using Application Contexts During Cross-Shard Operations
The ability to use several Oracle security features such as Virtual Private Database (VPD), Unified Auditing, and Oracle Label Security (OLS) typically depends upon the use of session-level application contexts.
Before Oracle 21c, any cross-shard operations such as cross-shard queries or DMLs initiated by the shard catalog would not send session-level application context values to the affected shards. Therefore, features that depended on the context values being passed from the shard catalog session to the shards were not supported in a sharded environment.
Starting with Oracle 21c, any database session-based application context values set before a cross-shard query or DML are sent securely to all shards involved in the operation. This is how features such as VPD, auditing, and OLS are supported in a sharding environment.
For example, if a user connects to the shard catalog or a query coordinator from SQL*Plus and calls the DBMS_SESSION.SET_CONTEXT procedure to set a context value, then that value is sent to any shards involved in subsequent cross-shard operations initiated from the SQL*Plus session on the shard catalog. Calling the SYS_CONTEXT function on the shard will return the value originally set on the shard catalog as you would expect.
Note the following limitations when you attempt to use application contexts for cross-shard operations:
- The maximum length of a context value is 1968 bytes, as opposed to 4000 bytes in non-sharded environments.
- The maximum length of a context attribute name is 32 bytes, as opposed to 128 bytes in non-sharded environments.
- Only database session-based contexts initialized locally are currently supported.
- All of the shards in the configuration must be Oracle Database 21c or later releases for the context value to be passed during cross-shard operations.
For more information, see Using Application Contexts to Retrieve User Information.
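The following added example (not from the Oracle documentation) shows a trusted context package that enforces the sharded length limits in bytes before calling DBMS_SESSION.SET_CONTEXT, together with a VPD policy function that reads the value through SYS_CONTEXT. The names APP, APP_CTX, APP_CTX_PKG, TENANT_ID, ORDERS and ORDERS_TENANT are hypothetical, and the example assumes the context, package and policy exist on the shard catalog and on every shard.

```sql
-- Added example: APP, APP_CTX, APP_CTX_PKG, TENANT_ID and ORDERS are hypothetical names.
-- Assumes these objects exist on the shard catalog and on every shard.
CREATE OR REPLACE CONTEXT app_ctx USING app_ctx_pkg;

CREATE OR REPLACE PACKAGE app_ctx_pkg AS
  PROCEDURE set_attr(p_name IN VARCHAR2, p_value IN VARCHAR2);
  FUNCTION tenant_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END app_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY app_ctx_pkg AS
  c_max_name_bytes  CONSTANT PLS_INTEGER := 32;    -- sharded limit (128 non-sharded)
  c_max_value_bytes CONSTANT PLS_INTEGER := 1968;  -- sharded limit (4000 non-sharded)

  PROCEDURE set_attr(p_name IN VARCHAR2, p_value IN VARCHAR2) IS
  BEGIN
    -- LENGTHB counts bytes, so multibyte characters are measured against the limit.
    IF p_name IS NULL OR LENGTHB(p_name) > c_max_name_bytes THEN
      RAISE_APPLICATION_ERROR(-20001, 'attribute name missing or longer than 32 bytes');
    END IF;
    IF LENGTHB(p_value) > c_max_value_bytes THEN
      RAISE_APPLICATION_ERROR(-20002, 'context value longer than 1968 bytes');
    END IF;
    DBMS_SESSION.SET_CONTEXT('APP_CTX', p_name, p_value);
  END set_attr;

  FUNCTION tenant_predicate(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    -- If the attribute is unset, the comparison is against NULL and no rows match.
    RETURN 'tenant_id = SYS_CONTEXT(''APP_CTX'', ''TENANT_ID'')';
  END tenant_predicate;
END app_ctx_pkg;
/

-- Attach the predicate to the (hypothetical) ORDERS table for SELECT statements.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP', object_name => 'ORDERS', policy_name => 'ORDERS_TENANT',
    function_schema => 'APP', policy_function => 'APP_CTX_PKG.TENANT_PREDICATE',
    statement_types => 'SELECT');
END;
/

-- In the SQL*Plus session on the shard catalog, before the cross-shard query:
EXEC app_ctx_pkg.set_attr('TENANT_ID', 'ACME');
SELECT COUNT(*) FROM orders;  -- each shard evaluates the predicate with 'ACME'
```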