Professional Documents
Culture Documents
Oracle Database Vault With Iflex 334760
Oracle Database Vault With Iflex 334760
All rights reserved. No part of this work may be reproduced, stored in a retrieval system,
adopted or transmitted in any form or by any means, electronic, mechanical,
photographic, graphic, optic recording or otherwise, translated in any language or
computer language, without the prior written permission of i-flex.
Due care has been taken to make this document and any accompanying software package
as accurate as possible. However, i-flex makes no representation or warranties with
respect to the contents hereof and shall not be responsible for any loss or damage caused
to the user by the direct or indirect use of this document and any accompanying software
package. Furthermore, i-flex reserves the right to alter, modify or otherwise change in
any manner the content hereof, without obligation of i-flex to notify any person of such
revision or changes.
All company and product names are trademarks of the respective companies with which
they are associated.
Primarily Database Vault can place restrictions on what data is available to users,
depending on a variety of factors, such as the Internet Protocol address being used, the
machine being accessed, or what time of day the request is being made.
This software will work with Oracle Database release 9i (9 2 0 8) or Oracle Database 10g
Release 2 and later versions. It will be priced at either $20,000 per CPU or $400 per user,
depending on what the customer prefers.
ORACLE database vault features are tested on FCC and the result are as follows,
1. FLEXCUBE schema fcj80 on fcc instance is protected from the super privileged
users such as sys, system etc using Realm.
2. A range of client IP‟s are blocked from accessing the FLEXCUBE schema fcj80
using Factors, Rule set and command rules.
3. Maintenance activities are forced to carry out after the business hours using Rule
set and command rules so application will not have surprised breakdown
datacenter team.
4. Confidential columns are protected from unauthorized access using Oracle Label
Security, this will ensure by no other means you can access the sensitive columns
other then FLEXCUBE Application.
Realms.
Factors
Command rules
Rule sets
5.1. Realm:
A realm is a functional grouping of database schemas and roles that must be secured
for a given application. Prevent highly privileged users from accessing application
data .Realm is a container that serves as a "protection zone". The Database Vault
administrator can create a Realm and define the content within the realm.
Realm Authorizations:-
The application owner typically corresponds to the schema containing the objects
associated with the application. This user can be designated as the realm owner.
Application servers typically connect to the application using the application owner
account.
5.2. Factors:-
A factor is a named variable like i.e. location, database IP address which Oracle Database
Vault can recognize. The Factor details are stored in DVF schema. Once we create a
factor the factor function will be created in dvf schema and the function name will be
f$factor_name format.
Example:
Creating filtering logic to restrict the client ip‟s explained in POC section .
1. Rule sets can be created that restrict access based on time, specific hosts, subnets.
2. The rule set evaluates to true or false based on the evaluation of each rule.
3. A rule within a rule set is a PL/SQL expression that evaluates to true or false.
Example
Restricting maintenance activities during business hours combination of rule set and
command rule
Create rule set with the name table_drop. Assign a rule expression TO_CHAR
(SYSDATE,'HH24') >= '17' to the rule set drop_table. This must evaluate to a Boolean
(TRUE or FALSE) value. This rule set is then assigned to the command rule drop table
which indicates that we couldn‟t drop a table before 5 „o‟ clock.
1. Command rules will work with rule sets to determine whether or not the statement is
allowed.
2. Oracle Database Vault Command rules will be used to protect application objects
from modification.
3. Allow DDL statements such as CREATE TABLE, DROP TABLE, and ALTER
TABLE in the fcj80 schema to be authorized only after business hours, but not during
business hours.
Oracle Database Vault Administrator is a Java application that is built on top of the
Oracle Database Vault PL/SQL application programming interfaces (API). It gets created
when we install vault. This application allows security managers who may not be
proficient in PL/SQL to configure the access control policy through a user-friendly
interface.
1. The DVSYS schema contains Oracle Database Vault database objects: database
tables, sequences, views, triggers, roles, packages, procedures, functions,
contexts, and other objects to store Oracle Database Vault configuration
information and support the administration and run-time processing of Oracle
Database Vault.
Oracle Database Vault provides a set of procedures and functions in the DVSYS schema
to enable access control in an Oracle database. The functions within the
DVSYS.DBMS_MACADM package allow you to write Applications that configure the
realms, factors, rule sets, command rules, secure Application roles configured in Oracle
Database Vault Administrator.
Note: The DVSYS.DBMS_MACADM package is available only for users who have the
DV_ADMIN or DV_OWNER role.
10.1 Realm
Create a realm with the name of fcj80_realm for fcj80 flexcube schema. In fcj80 schema
the tables will be protected from access by other users including super users.
9. From the list of Object Owners, select fcj80. Since all the objects in the fcj80 schema
should be protected, make sure % is selected for both Object Type and Object Name.
Then click OK.
The below example we are filtering client access to the database with respect to a
range of ip address. Here we create a rule set which compares the client systems ip
address with the ip range we defined. If the client ip address falls in the range defined
then the rule returns TRUE.
In this example the client ip rule set is linked to command rule CONNECT.
Once the command rule set only the client ips range 10.80.5.% can connect to the
schema.
1. click on factors
2. click on create
Oracle Database Vault provides a selection of reports that display security- related
information from the database. These reports allow you to check configuration issues
with realms, command rules, factors ,rule sets, and secure application roles.
Note: The DVSYS.DBMS_MACADM package is available only for users who have
the DV_ADMIN or DV_OWNER role.
1. Create realm
Exec DBMS_MACADM.ADD_OBJECT_TO_REALM('test','SCOTT','%','%');
4. enable realm
5. disable realm
6. delete a realm
Command rules
exec DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE('DROP
TABLE','maint_period','SCOTT','%','YES');
UPDATE_COMMAND_RULE('DROP TABLE','maint_period','SCOTT','%','NO');
1. Create rule
Exec
DVSYS.DBMS_MACADM.CREATE_RULE('local_access','sys_context(''userenv'',''
ip_address'') like ''10.80.5.%''');
Exec
DVSYS.DBMS_MACADM.CREATE_RULE_SET('maint_period','Maintenance
Period','YES',1,0,1,null,null,0,null);
Exec
DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('maint_period','local_acc
ess',1,'Y');
Exec
DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('maint_period','l
ocal_access');
5. Delete rule
Exec DVSYS.DBMS_MACADM.DELETE_RULE('local_access');
Exec DVSYS.DBMS_MACADM.DELETE_RULE_SET('maint_period');
Using oracle label security with fine-grained access control (dbms_rls) confidential
columns can be protected even from the owner of the schema.
1. OLS policy can be created either by Oracle Policy Manager Interface or using
SA_SYSDBA package.
2. To use the SA_SYSDBA package to create, alter, and drop policies, a user must
have: LBAC_DBA role and EXECUTE privilege on the SA_SYSDBA package.
3. When you create a policy, a role named policy_DBA is automatically created.
You can use this role to control the users who are authorized to run the policy's
administrative procedures. The user who creates the policy is automatically
granted the policy_DBA role with the ADMIN option, and the user can grant the
role to others.
4. Valid characters for all policy specifications include alphanumeric characters and
underscores, as well as any valid character from your database character set.
5. In order to protect the confident columns need to create a OLS policy. Use the
CREATE_POLICY procedure to create a new Oracle Label Security policy,
define a policy-specific column name, and specify a set of default policy options.
Syntax:
PROCEDURE CREATE_POLICY (
policy_name IN VARCHAR2,
column_name IN VARCHAR2 DEFAULT
NULL,
default_options IN VARCHAR2 DEFAULT
NULL);
Parameter
Name Parameter Description
policy_name Specifies the policy name, which must be unique within the database. It
can have a maximum of 30 characters, but only the first 26 characters in
the policy_name are significant. Two policies may not have the same
first 26 characters in the policy_name.
column_name Specifies the name of the column to be added to tables protected by the
policy. If NULL, the default name "SA_LABEL" is used. Two Oracle
Label Security policies cannot share the same column name.
default_options Specifies the default options to be used when the policy is applied and
no table- or schema-specific options are specified. Includes enforcement
6. Use the CREATE_LEVEL procedure to create a level and specify its short name
and long name. The numeric values assigned to the level_num parameter
determine the sensitivity ranking (that is, a lower number indicates less sensitive
data).
Syntax:
Syntax:
PROCEDURE CREATE_LABEL (
policy_name IN VARCHAR2,
label_tag IN INTEGER,
label_value IN VARCHAR2,
data_label IN BOOLEAN DEFAULT TRUE);
Syntax:
PROCEDURE SET_USER_LABELS (
policy_name IN VARCHAR2,
user_name IN VARCHAR2,
max_read_label IN VARCHAR2,
max_write_label IN VARCHAR2 DEFAULT NULL,
min_write_label IN VARCHAR2 DEFAULT NULL,
def_label IN VARCHAR2 DEFAULT NULL,
row_label IN VARCHAR2 DEFAULT NULL);
Parameter Meaning
max_read_label Specifies the label string to be used to initialize the user's maximum
authorized read label. Composed of the user's maximum level,
compartments authorized for read access, and groups authorized for
read access.
max_write_label Specifies the label string to be used to initialize the user's maximum
authorized write label. Composed of the user's maximum level,
compartments authorized for write access, and groups authorized for
write access. If max_write_label is not specified, then it is set to
max_read_label.
min_write_label Specifies the label string to be used to initialize the user's minimum
authorized write label. Contains only the level, with no compartments
or groups. If min_write_label is not specified, then it is set to the lowest
defined level for the policy, with no compartments or groups.
def_label Specifies the label string to be used to initialize the user's session label,
9. Create a function which creates the function that generates the VPD 'Where'
clause.
10. DBMS_RLS.ADD_POLICY
The procedure causes the current transaction, if any, to commit before the
operation is carried out. However, this does not cause a commit first if it is inside
a DDL event trigger.
Syntax
DBMS_RLS.ADD_POLICY (
object_schema IN VARCHAR2 :=
NULL,
object_name IN VARCHAR2,
policy_name IN VARCHAR2,
function_schema IN VARCHAR2 :=
NULL,
policy_function IN VARCHAR2,
statement_types IN VARCHAR2 :=
NULL,
update_check IN BOOLEAN :=
FALSE,
enable IN BOOLEAN :=
TRUE);
policy_name Name of policy to be added. It must be unique for the same table or
view.
policy_function Name of a function which generates a predicate for the policy. If the
function is defined within a package, then the name of the package
must be present.
statement_types Statement types that the policy will apply. It can be any combination of
SELECT, INSERT, UPDATE, and DELETE. The default is to apply to
all of these types.
update_check Optional argument for INSERT or UPDATE statement types. The
default is FALSE. Setting update_check to TRUE causes the server to
also check the policy against the value after insert or update.
enable Indicates if the policy is enabled when it is added. The default is TRUE
Conn lbacsys/lbacsys@fcc128
BEGIN
SA_SYSDBA.CREATE_POLICY (policy_name => 'PROTECT_PII',
column_name => 'OLS_COLUMN',
default_options => 'NO_CONTROL');
END;
BEGIN
SA_COMPONENTS.CREATE_LEVEL (policy_name =>
'PROTECT_PII',
level_num => 1000,
short_name => 'CONF',
long_name => 'CONFIDENTIAL');
END;
Execute SA_COMPONENTS.CREATE_LEVEL
('PROTECT_PII',2000,'SENS','SENSITIVE');
execute
SA_LABEL_ADMIN.CREATE_LABEL('PROTECT_PII',2100,'SENS',FALSE);
BEGIN
SA_LABEL_ADMIN.CREATE_LABEL( policy_name => 'PROTECT_PII',
label_tag => 1000,
label_value => 'CONF',
data_label => FALSE);
END;
BEGIN
Predicate := '1=2'; -- is never true, will hide all rows by default
session_lab := sa_session.label('PROTECT_PII'); -- the current user's
session label for that policy
session_tag:= char_to_label('PROTECT_PII',session_lab);-- numerical
expression of session label
sens_tag:= char_to_label ('PROTECT_PII','SENS'); -- numerical
expression of the SENS label
begin
select module
Into module_id
From v$session
where audsid = (select userenv('sessionid') from dual);
exception
when no_data_found then
module_id := 'XXX';
end;
select count(*)
into l_cnt
From fcj80.smtb_user
where user_id = NVL(module_id,'XXX');
IF l_cnt = 0 then
predicate := '1=2'; -- will hide all rows if checks fail
predicate := '1=1';
return predicate;
END;
begin
DBMS_RLS.ADD_POLICY (
object_schema => 'FCJ80',
object_name => 'FTTB_CONTRACT_MASTER',
policy_name => 'vpd_protect_pii',
function_schema => 'LBACSYS',
policy_function => 'f_protect_pii',
statement_types => 'select',
sec_relevant_cols => 'DR_AMOUNT,CR_AMOUNT',
sec_relevant_cols_opt => dbms_rls.ALL_ROWS,
policy_type => dbms_rls.CONTEXT_SENSITIVE);
end;