
COPYRIGHT (C) 2008 i-flex solutions ltd.

All rights reserved. No part of this work may be reproduced, stored in a retrieval system,
adopted or transmitted in any form or by any means, electronic, mechanical,
photographic, graphic, optic recording or otherwise, translated in any language or
computer language, without the prior written permission of i-flex.

Due care has been taken to make this document and any accompanying software package
as accurate as possible. However, i-flex makes no representation or warranties with
respect to the contents hereof and shall not be responsible for any loss or damage caused
to the user by the direct or indirect use of this document and any accompanying software
package. Furthermore, i-flex reserves the right to alter, modify or otherwise change in
any manner the content hereof, without obligation of i-flex to notify any person of such
revision or changes.

All company and product names are trademarks of the respective companies with which
they are associated.

Document Revision Control

Version  Date         Changes          Author
1.0      12-Feb-2008  Initial Writing  I-flex

Oracle Database Vault Flexcube POC Add On 1


CONTENTS

1. Introduction to Oracle Database Vault ... 3
2. Summary of Oracle Database Vault ... 3
3. Oracle Database Vault Integrated with FLEXCUBE ... 4
4. Components of Oracle Database Vault ... 5
5. Oracle Database Vault Access Control Components ... 5
   5.1 Realm ... 5
   5.2 Factors ... 6
   5.3 Rule Sets ... 6
   5.4 Command Rules ... 7
6. Oracle Database Vault Administrator (DVA) ... 7
7. Oracle Database Vault DVSYS and DVF Schemas ... 8
8. Oracle Database Vault PL/SQL Interfaces and Packages ... 8
9. Oracle Database Vault Reports ... 8
10. POC Section ... 9
   10.1 Realm ... 9
   10.2 Rule Set ... 14
   10.3 Command Rules ... 19
   10.4 Factors ... 25
   10.5 Producing Database Vault Reports ... 29
   10.6 Oracle Application Programming Interfaces ... 31
   10.7 Column Level Data Protection Using OLS and DBMS_RLS ... 34



1. Introduction to Oracle Database Vault

Database Vault is Oracle's add-on to its enterprise database software that gives users more control over how their data is accessed. The software was introduced at Oracle's Collaborate 06 User Group Conference in Nashville, Tennessee, in April 2006.

Database Vault can place restrictions on what data is available to users, depending on a variety of factors, such as the Internet Protocol address being used, the machine being accessed, or the time of day at which the request is made.

The software works with Oracle Database release 9i (9.2.0.8) or Oracle Database 10g Release 2 and later versions. It is priced at either $20,000 per CPU or $400 per user, depending on what the customer prefers.

2. Summary of Oracle Database Vault

1. Oracle Database Vault is a database security option that protects application data from DBA access and enforces protection of database structures from unauthorized change.
2. It enables organizations to increase security efficiently without making changes to the application code.
3. Oracle Database Vault provides real-time preventive controls by restricting access to application data by highly privileged users and by enabling control over who, when, where and how databases and application data can be accessed.
4. Oracle Database Vault provides a web-based management console that is used to configure and manage the offering.
5. Oracle Database Vault is an option for Oracle Database Enterprise Edition. It can be installed into Oracle Database release 9i (9.2.0.8) or 10g Release 2 (10.2.0.3) or higher.
6. Oracle Database Vault helps customers achieve separation of duty by creating different responsibilities for managing the different aspects of the database environment: managing security, managing user accounts, and managing database resources. Separation of duty helps customers prevent unauthorized access to business data.
7. Oracle Database Vault manages the security of an individual Oracle Database instance.



3. Oracle Database Vault integrated with FLEXCUBE

The Oracle Database Vault features were tested on FCC with the following results:

1. The FLEXCUBE schema fcj80 on the fcc instance is protected from super-privileged users such as sys and system using a Realm.

2. A range of client IPs is blocked from accessing the FLEXCUBE schema fcj80 using Factors, a Rule set and Command rules.

3. Maintenance activities are forced to take place after business hours using a Rule set and Command rules, so the application will not suffer an unplanned breakdown caused by the datacenter team.

4. Confidential columns are protected from unauthorized access using Oracle Label Security; this ensures that the sensitive columns cannot be accessed by any means other than the FLEXCUBE application.

5. Transparent Data Encryption (TDE) is used in FLEXCUBE to prevent unauthorized data dump creation using Data Pump.



4. Components of Oracle Database Vault

Oracle Database Vault consists of the five components below, each addressing its own area. The following sections give the details of each component.

1. Oracle Database Vault Access Control Components
2. Oracle Database Vault Administrator (DVA)
3. Oracle Database Vault DVSYS and DVF Schemas
4. Oracle Database Vault PL/SQL Interfaces and Packages
5. Oracle Database Vault Reports

5. Oracle Database Vault Access Control Components

The access control components are:

- Realms
- Factors
- Command rules
- Rule sets

5.1. Realm:

A realm is a functional grouping of database schemas and roles that must be secured for a given application. It prevents highly privileged users from accessing application data. A realm is a container that serves as a "protection zone". The Database Vault administrator can create a realm and define the content within it.

- Using realms we can protect a single object or an entire application schema.
- Oracle Database Vault realms prevent DBAs, application owners, and other privileged users from viewing application data using their powerful privileges.
- When you create a realm, Oracle Database Vault creates a realm record and stores it in an Oracle Database Vault security table.
- After creating the realm, you register a set of schema objects or roles (secured objects) for realm protection and authorize a set of users or roles to access the secured objects.

Realm Authorizations:-

The application owner typically corresponds to the schema containing the objects associated with the application. This user can be designated as the realm owner. Application servers typically connect to the application using the application owner account.

- The authorization set up here does not affect regular users who have normal direct object privileges on the database objects protected by realms.
- Realm owners cannot add other users to their realms as owners or participants. Only users who have the DV_OWNER or DV_ADMIN role are allowed to add users as owners or participants to a realm.
- Only a realm owner can grant or revoke realm-secured database roles to anyone.
- A user can be granted as either a realm owner or a realm participant; the same user cannot hold both types of authorization.

5.2. Factors:-

A factor is a named variable, such as location or database IP address, that Oracle Database Vault can recognize. The factor details are stored in the DVF schema. When a factor is created, a factor function is created in the DVF schema with a name of the form f$factor_name.

Example:

Filtering logic that restricts client IPs is explained in the POC section.

5.3. Rule sets:-

A rule set is a collection of one or more rules that is associated with a factor assignment or a command rule.

1. Rule sets can be created that restrict access based on time, specific hosts or subnets.
2. The rule set evaluates to TRUE or FALSE based on the evaluation of each rule.
3. A rule within a rule set is a PL/SQL expression that evaluates to TRUE or FALSE.

Example

Restricting maintenance activities during business hours with a combination of a rule set and a command rule:

Create a rule set with the name table_drop. Assign the rule expression TO_CHAR(SYSDATE,'HH24') >= '17' to the rule set drop_table. The expression must evaluate to a Boolean (TRUE or FALSE) value. This rule set is then assigned to the command rule DROP TABLE, which means that a table cannot be dropped before 5 o'clock (17:00).



5.4. Command rules:-

Command rules control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL) and data manipulation language (DML) statements. When such a statement is executed, the realm authorization is checked first. If no realm violation is found and the associated command rules are enabled, the associated rule sets are evaluated. If all the rule sets evaluate to TRUE, the statement is authorized for further processing. If any rule set evaluates to FALSE, the statement is not authorized and a command rule violation is created.

1. Command rules work with rule sets to determine whether or not the statement is allowed.
2. Oracle Database Vault command rules are used to protect application objects from modification.
3. DDL statements such as CREATE TABLE, DROP TABLE and ALTER TABLE in the fcj80 schema are authorized only after business hours, not during business hours.

Example: see the example in section 5.3.

6. Oracle Database Vault Administrator (DVA)

Oracle Database Vault Administrator is a Java application built on top of the Oracle Database Vault PL/SQL application programming interfaces (API). It is created when Database Vault is installed. This application allows security managers who may not be proficient in PL/SQL to configure the access control policy through a user-friendly interface.



7. Oracle Database Vault DVSYS and DVF Schemas

Oracle Database Vault provides the following schemas:

1. The DVSYS schema contains the Oracle Database Vault database objects: tables, sequences, views, triggers, roles, packages, procedures, functions, contexts and other objects that store Oracle Database Vault configuration information and support the administration and run-time processing of Oracle Database Vault.

2. The DVF schema is the owner of the Oracle Database Vault DBMS_MACSEC_FUNCTION PL/SQL package, which contains the functions that retrieve factor identities. When you create a new factor, Oracle Database Vault creates a new retrieval function for the factor and saves it in this schema.

8. Oracle Database Vault PL/SQL Interfaces and Packages

Oracle Database Vault provides a set of procedures and functions in the DVSYS schema to enable access control in an Oracle database. The functions within the DVSYS.DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules and secure application roles otherwise configured in Oracle Database Vault Administrator.

Note: The DVSYS.DBMS_MACADM package is available only for users who have the
DV_ADMIN or DV_OWNER role.

9. Oracle Database Vault Reports

Oracle Database Vault provides a selection of reports that display security-related information from the database. These reports allow you to check configuration issues with realms, command rules, factors, factor identities, rule sets, and secure application roles.



10. POC Section

10.1 Realm

Create a realm with the name fcj80_realm for the fcj80 FLEXCUBE schema. The tables in the fcj80 schema will then be protected from access by other users, including super users.

Steps to create the realm:

1. Open the browser.
2. Go to http://<your_hostname:port>/dva
3. Enter dvowner for the User Name, enter the password, and then click Login.
4. Click the Realms link.
5. To create a new realm, click Create.
6. Enter a Name, make sure Enabled is selected for Status and Audit on Failure is selected for Audit Options, then click OK.
7. Select fcj80_Realm and click Edit.
8. Under Realm Secured Objects, click Create.
9. From the list of Object Owners, select fcj80. Since all the objects in the fcj80 schema should be protected, make sure % is selected for both Object Type and Object Name. Then click OK.
10. Realm authorization: a realm authorization can be an account or role that is authorized to use its system privileges when creating or accessing realm-secured objects and granting or revoking realm-secured roles.
11. Under Realm Authorizations, click Create.



10.2 RULE SET

In the example below we filter client access to the database by a range of IP addresses. We create a rule set that compares the client system's IP address with the IP range we define. If the client IP address falls in the defined range, the rule returns TRUE.

Perform the following steps to create the rule set:

1. Click the Rule Sets link.
2. Click Create.
3. Enter the rule set name and click OK.
4. Click client_ip and then Edit.
5. Under the rules associated with the rule set, click Create.
6. Enter the name and the rule expression and click OK.



10.3 Command rules:

In this example the client_ip rule set is linked to the command rule CONNECT. Once the command rule is set, only clients in the IP range 10.80.5.% can connect to the schema.

1. Click Command Rules.
2. Select CONNECT and the rule set name.

Example for rule set and command rules.

In this example we restrict maintenance activities during business hours.

1. Create a rule set.
2. Assign the rule expression to_char(sysdate,'HH24') >= '17'.
3. The rule set returns TRUE only when its rule expression is satisfied; in this example it returns TRUE only from 17:00 onwards.
4. The rule set is assigned to the command rules to restrict the dropping of tables during business hours.



10.4 Factors

A factor is a named variable, such as user location or database IP address, that Oracle Database Vault can recognize. The factor details are stored in the DVF schema; we can see them by querying, for example, SELECT dvf.f$database_ip FROM dual;. Below we create filtering logic to restrict client IPs.

1. Click Factors.
2. Click Create.

The value of the client IP factor for the current session can be checked with:

SQL> Select dvf.f$client_ip from dual;

Example for restricting client IPs using factors.

1. Create a rule set with the name filter_ip.
2. Assign the rule expression (dvf.f$client_ip like '10.80.55.%') in the rule set.
3. Assign the rule set to a command rule.

10.5 Producing database vault reports.

Oracle Database Vault provides a selection of reports that display security-related information from the database. These reports allow you to check configuration issues with realms, command rules, factors, rule sets, and secure application roles.

1. Click the Data Vault Reports tab.
2. Under the Data Vault Reporting category, select Command Rule Audit and click Run Report.
3. The report is displayed. Notice that in this case the command that was run is displayed along with the rule set that was invoked.

10.6 ORACLE APPLICATION PROGRAMMING INTERFACES

The functions within the DVSYS.DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.

Note: The DVSYS.DBMS_MACADM package is available only to users who have the DV_ADMIN or DV_OWNER role.

1. Create a realm

Exec DBMS_MACADM.CREATE_REALM('test', 'testing API','YES',0);

2. Add an object to the realm

Exec DBMS_MACADM.ADD_OBJECT_TO_REALM('test','SCOTT','%','%');

3. Add an owner to the realm

Exec DBMS_MACADM.ADD_AUTH_TO_REALM('test','SCOTT',1);

4. Enable the realm

Exec DBMS_MACADM.UPDATE_REALM('test','testing API','YES',0);

5. Disable the realm

Exec DBMS_MACADM.UPDATE_REALM('test','testing API','NO',0);

6. Delete the realm

Exec DBMS_MACADM.DELETE_REALM('test');

Command rules

1. Create a command rule

Exec DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE('DROP TABLE','maint_period','SCOTT','%','YES');

2. Update the command rule

Exec DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE('DROP TABLE','maint_period','SCOTT','%','NO');

3. Delete the command rule

Exec DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE('DROP TABLE','SCOTT','%');

Creation of rule sets

1. Create a rule

Exec DVSYS.DBMS_MACADM.CREATE_RULE('local_access','sys_context(''userenv'',''ip_address'') like ''10.80.5.%''');

2. Create a rule set

Exec DVSYS.DBMS_MACADM.CREATE_RULE_SET('maint_period','Maintenance Period','YES',1,0,1,null,null,0,null);

3. Add the rule to the rule set

Exec DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('maint_period','local_access',1,'Y');

4. Delete the rule from the rule set

Exec DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('maint_period','local_access');

5. Delete the rule

Exec DVSYS.DBMS_MACADM.DELETE_RULE('local_access');

6. Delete the rule set

Exec DVSYS.DBMS_MACADM.DELETE_RULE_SET('maint_period');
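The rule sets and command rules that sections 10.2 to 10.4 build in the DVA console, created here through the DVSYS.DBMS_MACADM API of this section, as an added example that is not part of the original POC document. It assumes a session holding DV_OWNER or DV_ADMIN, the FCJ80 schema and the 10.80.5.% client range from the POC, and uses the DBMS_MACUTL constants for the option values.

```sql
-- Added example (not from the original POC document): the client IP filter
-- and the maintenance-window control as DBMS_MACADM calls.
-- Assumptions: run as DV_OWNER or DV_ADMIN; protected schema FCJ80; permitted
-- client range 10.80.5.% (the value used for the CONNECT rule in section 10.3).
BEGIN
  -- Rule that is TRUE only for the permitted client range. The default
  -- Client_IP factor is exposed as the function DVF.F$CLIENT_IP.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'client_ip_allowed',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.80.5.%''');

  -- Rule set: every rule must be TRUE, failures are audited and reported.
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'filter_ip',
    description     => 'Connections permitted only from 10.80.5.%',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'filter_ip',
    rule_name     => 'client_ip_allowed',
    rule_order    => 1,
    enabled       => DVSYS.DBMS_MACUTL.G_YES);

  -- A CONNECT command rule applies database-wide, so owner and object are '%'.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'filter_ip',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);

  -- Maintenance window: the rule is TRUE from 17:00 onwards, as in section 5.3.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'after_business_hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') >= ''17''');

  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'maint_period',
    description     => 'Maintenance Period',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => NULL,
    fail_code       => NULL,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'maint_period',
    rule_name     => 'after_business_hours',
    rule_order    => 1,
    enabled       => DVSYS.DBMS_MACUTL.G_YES);

  -- DDL against the FLEXCUBE schema is allowed only while maint_period is TRUE.
  FOR cmd IN (SELECT column_value AS ddl
                FROM TABLE(SYS.ODCIVARCHAR2LIST('CREATE TABLE',
                                                 'ALTER TABLE',
                                                 'DROP TABLE')))
  LOOP
    DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
      command       => cmd.ddl,
      rule_set_name => 'maint_period',
      object_owner  => 'FCJ80',
      object_name   => '%',
      enabled       => DVSYS.DBMS_MACUTL.G_YES);
  END LOOP;
END;
/

-- Confirm what was configured (the DBA_DV_* views are owned by DVSYS).
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE rule_set_name IN ('filter_ip', 'maint_period')
 ORDER BY command;
```

Failed evaluations are written to the Database Vault audit trail, so the Command Rule Audit report of section 10.5 shows which connection or DDL attempts were blocked and by which rule set.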



10.7 Column level data protection using OLS and DBMS_RLS

Using Oracle Label Security together with fine-grained access control (DBMS_RLS), confidential columns can be protected even from the owner of the schema.

1. An OLS policy can be created either through the Oracle Policy Manager interface or using the SA_SYSDBA package.
2. To use the SA_SYSDBA package to create, alter and drop policies, a user must have the LBAC_DBA role and the EXECUTE privilege on the SA_SYSDBA package.
3. When you create a policy, a role named policy_DBA is automatically created. You can use this role to control the users who are authorized to run the policy's administrative procedures. The user who creates the policy is automatically granted the policy_DBA role with the ADMIN option, and can grant the role to others.
4. Valid characters for all policy specifications include alphanumeric characters and underscores, as well as any valid character from your database character set.
5. To protect the confidential columns, an OLS policy must be created. Use the CREATE_POLICY procedure to create a new Oracle Label Security policy, define a policy-specific column name, and specify a set of default policy options.

Syntax:

PROCEDURE CREATE_POLICY (
    policy_name     IN VARCHAR2,
    column_name     IN VARCHAR2 DEFAULT NULL,
    default_options IN VARCHAR2 DEFAULT NULL);

Parameters for SA_SYSDBA.CREATE_POLICY

Parameter Name    Parameter Description
policy_name       Specifies the policy name, which must be unique within the database. It can have a maximum of 30 characters, but only the first 26 characters in the policy_name are significant. Two policies may not have the same first 26 characters in the policy_name.
column_name       Specifies the name of the column to be added to tables protected by the policy. If NULL, the default name "SA_LABEL" is used. Two Oracle Label Security policies cannot share the same column name.
default_options   Specifies the default options to be used when the policy is applied and no table- or schema-specific options are specified. Includes enforcement options and the option to hide the label column.

6. Use the CREATE_LEVEL procedure to create a level and specify its short name
and long name. The numeric values assigned to the level_num parameter
determine the sensitivity ranking (that is, a lower number indicates less sensitive
data).

Syntax:

PROCEDURE CREATE_LEVEL (
    policy_name IN VARCHAR2,
    level_num   IN INTEGER,
    short_name  IN VARCHAR2,
    long_name   IN VARCHAR2);

Parameters for SA_COMPONENTS.CREATE_LEVEL

Parameter Name   Parameter Description
policy_name      Specifies the policy
level_num        Specifies the level number (0-9999)
short_name       Specifies the short name for the level (up to 30 characters)
long_name        Specifies the long name for the level (up to 80 characters)

7. The SA_LABEL_ADMIN package provides an administrative interface to manage the labels used by a policy. To use it, a user must have the EXECUTE privilege on the SA_LABEL_ADMIN package and have been granted the policy_DBA role. Use the SA_LABEL_ADMIN.CREATE_LABEL procedure to create a valid data label. You must manually specify a label tag value from 1 to 8 digits long.

Syntax:

PROCEDURE CREATE_LABEL (
    policy_name IN VARCHAR2,
    label_tag   IN INTEGER,
    label_value IN VARCHAR2,
    data_label  IN BOOLEAN DEFAULT TRUE);

Parameters for SA_LABEL_ADMIN.CREATE_LABEL

Parameter Name   Parameter Description
policy_name      Specifies the name of an existing policy
label_tag        Specifies a unique integer value representing the sort order of the label, relative to other policy labels (0-99999999)
label_value      Specifies the character string representation of the label to be created
data_label       TRUE if the label can be used to label row data. Use this to define the label as valid for data.

8. Associate the labels with the user.

The SET_USER_LABELS procedure sets the user's levels, compartments, and groups using a set of labels, instead of the individual components.

Syntax:

PROCEDURE SET_USER_LABELS (
    policy_name     IN VARCHAR2,
    user_name       IN VARCHAR2,
    max_read_label  IN VARCHAR2,
    max_write_label IN VARCHAR2 DEFAULT NULL,
    min_write_label IN VARCHAR2 DEFAULT NULL,
    def_label       IN VARCHAR2 DEFAULT NULL,
    row_label       IN VARCHAR2 DEFAULT NULL);

Parameters for SA_USER_ADMIN.SET_USER_LABELS

Parameter        Meaning
policy_name      Specifies the policy
user_name        Specifies the user name
max_read_label   Specifies the label string to be used to initialize the user's maximum authorized read label. Composed of the user's maximum level, compartments authorized for read access, and groups authorized for read access.
max_write_label  Specifies the label string to be used to initialize the user's maximum authorized write label. Composed of the user's maximum level, compartments authorized for write access, and groups authorized for write access. If max_write_label is not specified, then it is set to max_read_label.
min_write_label  Specifies the label string to be used to initialize the user's minimum authorized write label. Contains only the level, with no compartments or groups. If min_write_label is not specified, then it is set to the lowest defined level for the policy, with no compartments or groups.
def_label        Specifies the label string to be used to initialize the user's session label, including level, compartments, and groups (a subset of max_read_label). If default_label is not specified, then it is set to max_read_label.
row_label        Specifies the label string to be used to initialize the program's row label. Includes level, components, and groups: subsets of max_write_label and def_label. If row_label is not specified, then it is set to def_label, with only the compartments and groups authorized for write access.

9. Create the function that generates the VPD 'where' clause.
10. DBMS_RLS.ADD_POLICY

This procedure adds a fine-grained access control policy to a table or view.

The procedure causes the current transaction, if any, to commit before the operation is carried out. However, it does not cause a commit first if it is inside a DDL event trigger.

Syntax

DBMS_RLS.ADD_POLICY (
    object_schema   IN VARCHAR2 := NULL,
    object_name     IN VARCHAR2,
    policy_name     IN VARCHAR2,
    function_schema IN VARCHAR2 := NULL,
    policy_function IN VARCHAR2,
    statement_types IN VARCHAR2 := NULL,
    update_check    IN BOOLEAN  := FALSE,
    enable          IN BOOLEAN  := TRUE);

The call in step 7 below also uses the policy_type, sec_relevant_cols and sec_relevant_cols_opt parameters, which are not shown in this abbreviated syntax.

Parameters for DBMS_RLS.ADD_POLICY Procedure

Parameter         Description
object_schema     Schema containing the table or view (logon user, if NULL).
object_name       Name of the table or view to which the policy is added.
policy_name       Name of the policy to be added. It must be unique for the same table or view.
function_schema   Schema of the policy function (logon user, if NULL).
policy_function   Name of the function that generates a predicate for the policy. If the function is defined within a package, the name of the package must be included.
statement_types   Statement types to which the policy applies. It can be any combination of SELECT, INSERT, UPDATE, and DELETE. The default is to apply to all of these types.
update_check      Optional argument for INSERT or UPDATE statement types. The default is FALSE. Setting update_check to TRUE causes the server to also check the policy against the value after insert or update.
enable            Indicates whether the policy is enabled when it is added. The default is TRUE.
With respect to FLEXCUBE, there is some confidential information that should be hidden even from the owner of the schema, i.e. these column values should not be accessible through any back-end tool such as SQL*Plus or PL/SQL Developer using SQL queries. At the same time the details should be accessible through FLEXCUBE to authorized users. The following example takes the Fund Transfer module and demonstrates how to hide the confidential columns credit amount (cr_amount) and debit amount (dr_amount) of FT contract inputs. The protected columns will not be exported.

Table: FTTB_CONTRACT_MASTER
Columns: cr_amount, dr_amount

1. Connect as the FLEXCUBE schema and grant the SELECT privilege on smtb_user and FTTB_CONTRACT_MASTER to lbacsys.

Conn fcj80/fcj80@fcc128

Grant select on smtb_user to lbacsys;

Grant select on FTTB_CONTRACT_MASTER to lbacsys;

2. Connect as lbacsys and create the policy:

Conn lbacsys/lbacsys@fcc128

BEGIN
  SA_SYSDBA.CREATE_POLICY (policy_name     => 'PROTECT_PII',
                           column_name     => 'OLS_COLUMN',
                           default_options => 'NO_CONTROL');
END;
/

3. Create levels for the policy:

BEGIN
  SA_COMPONENTS.CREATE_LEVEL (policy_name => 'PROTECT_PII',
                              level_num   => 1000,
                              short_name  => 'CONF',
                              long_name   => 'CONFIDENTIAL');
END;
/

Execute SA_COMPONENTS.CREATE_LEVEL ('PROTECT_PII',2000,'SENS','SENSITIVE');

4. Create labels for the rows as follows:

execute SA_LABEL_ADMIN.CREATE_LABEL('PROTECT_PII',2100,'SENS',FALSE);

BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL( policy_name => 'PROTECT_PII',
                               label_tag   => 1000,
                               label_value => 'CONF',
                               data_label  => FALSE);
END;
/

5. Set the labels for the user fcj80:

execute SA_USER_ADMIN.SET_USER_LABELS ('PROTECT_PII','FCJ80','CONF','CONF','CONF','CONF','CONF');



6. Create the function that generates the VPD 'where' clause:

CREATE OR REPLACE FUNCTION f_protect_pii (schema IN VARCHAR2, tab IN VARCHAR2)
RETURN VARCHAR2 AS
  predicate   VARCHAR2(2000);  -- the VPD 'where' clause
  session_lab VARCHAR2(4000);  -- the current user's session label
  session_tag NUMBER;          -- numerical expression of the session label
  sens_tag    NUMBER;          -- numerical expression of the SENS label
  module_id   VARCHAR2(50);    -- module name reported by the calling session
  l_cnt       NUMBER := 0;
BEGIN
  predicate := '1=2';  -- never true: hides all rows by default

  session_lab := sa_session.label('PROTECT_PII');            -- session label for this policy
  session_tag := char_to_label('PROTECT_PII', session_lab);  -- numeric form of the session label
  sens_tag    := char_to_label('PROTECT_PII', 'SENS');       -- numeric form of the SENS label

  -- Module name of the calling session (LBACSYS needs SELECT on v$session)
  BEGIN
    SELECT module
      INTO module_id
      FROM v$session
     WHERE audsid = (SELECT USERENV('SESSIONID') FROM dual);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      module_id := 'XXX';
  END;

  -- The columns are unlocked only when the module name matches a FLEXCUBE user id
  SELECT COUNT(*)
    INTO l_cnt
    FROM fcj80.smtb_user
   WHERE user_id = NVL(module_id, 'XXX');

  IF l_cnt = 0 THEN
    predicate := '1=2';  -- hide all rows if the check fails
  ELSIF l_cnt > 0 THEN
    predicate := '1=1';
  END IF;

  RETURN predicate;
END;
/

7. Apply the VPD policy to the fcj80.FTTB_CONTRACT_MASTER table

begin
  DBMS_RLS.ADD_POLICY (
    object_schema        => 'FCJ80',
    object_name          => 'FTTB_CONTRACT_MASTER',
    policy_name          => 'vpd_protect_pii',
    function_schema      => 'LBACSYS',
    policy_function      => 'f_protect_pii',
    statement_types      => 'select',
    sec_relevant_cols    => 'DR_AMOUNT,CR_AMOUNT',
    sec_relevant_cols_opt => dbms_rls.ALL_ROWS,
    policy_type          => dbms_rls.CONTEXT_SENSITIVE);
end;
/
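A check of the result, added here and not part of the original document: it confirms that the policy from step 7 is registered against the two columns and then shows the column-masking behaviour from an ad hoc tool. With sec_relevant_cols_opt => dbms_rls.ALL_ROWS every row is still returned, but DR_AMOUNT and CR_AMOUNT read as NULL whenever f_protect_pii returns '1=2', so their non-null counts drop to zero outside FLEXCUBE. It assumes the objects created in steps 1 to 7 and the fcc128 connect string used above.

```sql
-- Added verification script (not from the original POC). Run after step 7.

-- 1. As a DBA: is the policy registered and enabled for SELECT, and which
--    columns does it mask? (DBA_POLICIES and DBA_SEC_RELEVANT_COLS are
--    standard data-dictionary views.)
SELECT p.object_owner, p.object_name, p.policy_name, p.sel, p.enable,
       p.policy_type, c.sec_rel_column, c.column_option
  FROM dba_policies p
  JOIN dba_sec_relevant_cols c
    ON c.object_owner = p.object_owner
   AND c.object_name  = p.object_name
   AND c.policy_name  = p.policy_name
 WHERE p.object_owner = 'FCJ80'
   AND p.object_name  = 'FTTB_CONTRACT_MASTER'
   AND UPPER(p.policy_name) = 'VPD_PROTECT_PII';

-- 2. As the schema owner from SQL*Plus: rows are not filtered, only masked.
--    COUNT(*) counts every row; COUNT(col) counts only non-NULL values, so
--    comparing the three columns shows whether the masking is in effect.
CONN fcj80/fcj80@fcc128

SELECT COUNT(*)         AS total_rows,
       COUNT(dr_amount) AS dr_amount_visible,
       COUNT(cr_amount) AS cr_amount_visible
  FROM fttb_contract_master;
```

Because f_protect_pii keys on the session's MODULE value, which is reported by the client rather than verified by the server, this control reduces exposure through ad hoc tools rather than providing a strong identity check.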

