
Redaction

Masking Column
--------------

User : sys
-------------
SQL> create user test identified by Admin12345 default tablespace users temporary tablespace temp;

User created.

SQL> grant connect to test;

Grant succeeded.

SQL> GRANT EXECUTE ON sys.dbms_redact TO test;

Grant succeeded.

SQL> alter user test quota unlimited on users;

User altered.

User : test
--------------
SQL> CREATE TABLE payment_details (
2 ID NUMBER NOT NULL,
3 customer_id NUMBER NOT NULL,
4 card_no NUMBER NOT NULL,
5 card_string VARCHAR2(19) NOT NULL,
6 expiry_date DATE NOT NULL,
7 sec_code NUMBER NOT NULL,
8 valid_date DATE,
9 CONSTRAINT payment_details_pk PRIMARY KEY (ID)
10 );

Table created.

User : test
--------------
SQL> INSERT INTO payment_details VALUES (1, 4000, 1234123412341234, '1234-1234-1234-1234', TRUNC(ADD_MONTHS(SYSDATE,12)), 123, NULL);

1 row created.

SQL> INSERT INTO payment_details VALUES (2, 4001, 2345234523452345, '2345-2345-2345-2345', TRUNC(ADD_MONTHS(SYSDATE,12)), 234, NULL);

1 row created.

SQL> INSERT INTO payment_details VALUES (3, 4002, 3456345634563456, '3456-3456-3456-3456', TRUNC(ADD_MONTHS(SYSDATE,12)), 345, NULL);

1 row created.

SQL> INSERT INTO payment_details VALUES (4, 4003, 4567456745674567, '4567-4567-4567-4567', TRUNC(ADD_MONTHS(SYSDATE,12)), 456, NULL);

1 row created.

SQL> INSERT INTO payment_details VALUES (5, 4005, 5678567856785678, '5678-5678-5678-5678', TRUNC(ADD_MONTHS(SYSDATE,12)), 567, NULL);

1 row created.

SQL> ALTER SESSION SET nls_date_format='DD-MM-YYYY';

Session altered.

SQL> COLUMN card_no FORMAT 9999999999999999

SQL> SELECT *
2 FROM payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DAT
---------- ----------- ----------------- ------------------- ----------
SEC_CODE VALID_DATE
---------- ----------
1 4000 1234123412341234 1234-1234-1234-1234 04-04-2018
123

2 4001 2345234523452345 2345-2345-2345-2345 04-04-2018
234

3 4002 3456345634563456 3456-3456-3456-3456 04-04-2018
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DAT
---------- ----------- ----------------- ------------------- ----------
SEC_CODE VALID_DATE
---------- ----------
4 4003 4567456745674567 4567-4567-4567-4567 04-04-2018
456

5 4005 5678567856785678 5678-5678-5678-5678 04-04-2018
567

SQL> BEGIN
2 DBMS_REDACT.add_policy(
3 object_schema => 'test',
4 object_name => 'payment_details',
5 column_name => 'card_no',
6 policy_name => 'redact_card_info',
7 function_type => DBMS_REDACT.full,
8 expression => '1=1'
9 );
10 END;
11 /

PL/SQL procedure successfully completed.

Setelah di REDACT
-----------------
(Only card_no is covered by the policy at this point; card_string, expiry_date and sec_code are still returned in the clear.)

SQL> SELECT *
2 FROM payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
1 4000 0 1234-1234-1234-1234 04-APR-18
123

2 4001 0 2345-2345-2345-2345 04-APR-18
234

3 4002 0 3456-3456-3456-3456 04-APR-18
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
4 4003 0 4567-4567-4567-4567 04-APR-18
456

5 4005 0 5678-5678-5678-5678 04-APR-18
567

Partial Redaction

SQL> BEGIN
2 DBMS_REDACT.alter_policy(
3 object_schema => 'test',
4 object_name => 'payment_details',
5 column_name => 'card_no',
6 policy_name => 'redact_card_info',
7 action => DBMS_REDACT.modify_column,
8 function_type => DBMS_REDACT.partial,
9 function_parameters => '1,1,12' ==================> 'Value,Awal Char,Jumlah Char'
10 );
11 END;
12 /

PL/SQL procedure successfully completed.

SQL> SELECT *
2 FROM payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
1 4000 1111111111111234 1234-1234-1234-1234 04-APR-18
123

2 4001 1111111111112345 2345-2345-2345-2345 04-APR-18
234

3 4002 1111111111113456 3456-3456-3456-3456 04-APR-18
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
4 4003 1111111111114567 4567-4567-4567-4567 04-APR-18
456

5 4005 1111111111115678 5678-5678-5678-5678 04-APR-18
567

SQL> BEGIN
2 DBMS_REDACT.alter_policy(
3 object_schema => 'test',
4 object_name => 'payment_details',
5 column_name => 'card_string',
6 policy_name => 'redact_card_info',
7 action => DBMS_REDACT.add_column,
8 function_type => DBMS_REDACT.partial,
9 function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,#,1,12'
10 );
11 END;
12 /

PL/SQL procedure successfully completed.

SQL> SELECT *
2 FROM payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
1 4000 1111111111111234 ####-####-####-1234 04-APR-18
123

2 4001 1111111111112345 ####-####-####-2345 04-APR-18
234

3 4002 1111111111113456 ####-####-####-3456 04-APR-18
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
4 4003 1111111111114567 ####-####-####-4567 04-APR-18
456

5 4005 1111111111115678 ####-####-####-5678 04-APR-18
567
SQL> BEGIN
2 DBMS_REDACT.alter_policy(
3 object_schema => 'test',
4 object_name => 'payment_details',
5 column_name => 'expiry_date',
6 policy_name => 'redact_card_info',
7 action => DBMS_REDACT.add_column,
8 function_type => DBMS_REDACT.partial,
9 function_parameters => 'm1d1Y'
10 );
11 END;
12 /

PL/SQL procedure successfully completed.

SQL> ALTER SESSION SET nls_date_format='DD-MON-YYYY';

Session altered.

SQL> COLUMN card_no FORMAT 9999999999999999;

SQL> SELECT *
2 FROM Payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DATE
---------- ----------- ----------------- ------------------- -----------
SEC_CODE VALID_DATE
---------- -----------
1 4000 1111111111111234 ####-####-####-1234 01-JAN-2018
123

2 4001 1111111111112345 ####-####-####-2345 01-JAN-2018
234

3 4002 1111111111113456 ####-####-####-3456 01-JAN-2018
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DATE
---------- ----------- ----------------- ------------------- -----------
SEC_CODE VALID_DATE
---------- -----------
4 4003 1111111111114567 ####-####-####-4567 01-JAN-2018
456

5 4005 1111111111115678 ####-####-####-5678 01-JAN-2018
567

(After the three column policies above, sec_code is still not covered by the redaction policy and is returned in the clear.)

User : sys

SQL> CREATE USER gov IDENTIFIED BY Admin12345;

User created.

SQL> CREATE USER bob IDENTIFIED BY Admin12345;

User created.
SQL> CREATE USER tim IDENTIFIED BY Admin12345;

User created.

SQL> GRANT CREATE SESSION to gov, bob, tim;

Grant succeeded.

SQL> GRANT CREATE TABLE, unlimited tablespace to gov;

Grant succeeded.

SQL> conn gov


Enter password:
Connected.
SQL> create table Flight(
2 Flight# NUMBER,
3 destination VARCHAR2(100),
4 payload VARCHAR2(100));

Table created.

SQL> grant select, insert on flight to bob, tim;

Grant succeeded.

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> conn gov
Enter password:
Connected.
SQL> insert into flight values (505, 'Iraq', 'Weapon');

1 row created.

SQL> insert into flight values (506, 'Canada', 'Charcoal');

1 row created.

SQL> insert into flight values (706, 'Japan', 'Battery');

1 row created.

SQL> insert into flight values (501, 'Syria', 'Weapon');

1 row created.

SQL> insert into flight values (508, 'Israel', 'Jets');

1 row created.

SQL> insert into flight values (509, 'India', 'Aid');

1 row created.

SQL> conn lbacsys


Enter password:
Connected.
SQL> conn sys as sysdba
Enter password:
Connected.
SQL> exec LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
BEGIN LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; END;

*
ERROR at line 1:
ORA-12459: Oracle Label Security not configured
ORA-06512: at "LBACSYS.OLS_ENFORCEMENT", line 3
ORA-06512: at "LBACSYS.OLS_ENFORCEMENT", line 25
ORA-06512: at line 1

SQL> exec LBACSYS.CONFIGURE_OLS;

PL/SQL procedure successfully completed.

SQL> exec LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;

PL/SQL procedure successfully completed.

SQL> conn lbacsys


Enter password:
Connected.
SQL> BEGIN
2 SA_SYSDBA.CREATE_POLICY(
3 policy_name => 'ols_pol1',
4 column_name => 'lb_col',
5 default_options => 'no_control'
6 );
7
8 -- Create label component levels
9 -- TOP_SECRET has the highest level of access
10 SA_COMPONENTS.CREATE_LEVEL(
11 policy_name => 'ols_pol1',
12 level_num => 4,
13 short_name => 'TS',
14 long_name => 'top_secret'
15 );
16
17
18 SA_COMPONENTS.CREATE_LEVEL(
19 policy_name => 'ols_pol1',
20 level_num => 3,
21 short_name => 'S',
22 long_name => 'secret'
23 );
24
25 SA_COMPONENTS.CREATE_LEVEL(
26 policy_name => 'ols_pol1',
27 level_num => 2,
28 short_name => 'C',
29 long_name => 'confidential'
30 );
31
32 SA_COMPONENTS.CREATE_LEVEL(
33 policy_name => 'ols_pol1',
34 level_num => 1,
35 short_name => 'UC',
36 long_name => 'unclassified'
37 );
38
39 -- Create data labels
40 SA_LABEL_ADMIN.CREATE_LABEL(
41 policy_name => 'ols_pol1',
42 label_tag => 40,
43 label_value => 'TS',
44 data_label => TRUE
45 );
46
47 SA_LABEL_ADMIN.CREATE_LABEL(
48 policy_name => 'ols_pol1',
49 label_tag => 30,
50 label_value => 'S',
51 data_label => TRUE
52 );
53
54 SA_LABEL_ADMIN.CREATE_LABEL(
55 policy_name => 'ols_pol1',
56 label_tag => 20,
57 label_value => 'C',
58 data_label => TRUE
59 );
60
61 SA_LABEL_ADMIN.CREATE_LABEL(
62 policy_name => 'ols_pol1',
63 label_tag => 10,
64 label_value => 'UC',
65 data_label => TRUE
66 );
67
68 -- Apply access_pol policy on table gov.flight
69 SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
70 policy_name => 'ols_pol1',
71 schema_name => 'gov',
72 table_name => 'flight',
73 table_options => null,
74 label_function => null,
75 predicate => null
76 );
77
78 -- Add user authorizations (i.e. clearance levels)
79 SA_USER_ADMIN.SET_LEVELS(
80 policy_name => 'ols_pol1',
81 user_name => 'bob',
82 max_level => 'S',
83 min_level => 'UC',
84 def_level => 'S',
85 row_level => 'S'
86 );
87
88 SA_USER_ADMIN.SET_LEVELS(
89 policy_name => 'ols_pol1',
90 user_name => 'tim',
91 max_level => 'UC',
92 min_level => 'UC',
93 def_level => 'UC',
94 row_level => 'UC'
95 );
96 END;
97 /

PL/SQL procedure successfully completed.

SQL> conn system


Enter password:
Connected.
SQL> update gov.flight set lb_col = char_to_label('ols_pol1','TS') where payload
in ('Weapon');

2 rows updated.

SQL> update gov.flight set lb_col = char_to_label('ols_pol1','S') where payload


in ('Jets');

1 row updated.

SQL> update gov.flight set lb_col = char_to_label('ols_pol1','C') where payload


in ('Battery');

1 row updated.

SQL> update gov.flight set lb_col = char_to_label('ols_pol1','UC') where payload


in ('Charcoal', 'Aid');

2 rows updated.

SQL> commit;

Commit complete.

SQL> conn lbacsys


Enter password:
Connected.
SQL> BEGIN
2 -- Now we change the policy to enforce on read by first altering the policy
3 -- and then removing and applying the policy again
4 SA_SYSDBA.ALTER_POLICY(
5 policy_name => 'ols_pol1',
6 default_options => 'read_control, label_default'
7 );
8
9 SA_POLICY_ADMIN.REMOVE_TABLE_POLICY(
10 policy_name => 'ols_pol1',
11 schema_name => 'gov',
12 table_name => 'flight',
13 drop_column => false
14 );
15
16 SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
17 policy_name => 'ols_pol1',
18 schema_name => 'gov',
19 table_name => 'flight'
20 );
21 END;
22 /

PL/SQL procedure successfully completed.

SQL> BEGIN
2 SA_USER_ADMIN.SET_USER_PRIVS(
3 policy_name => 'ols_pol1',
4 user_name => 'scott',
5 privileges => 'READ'
6 );
7 END;
8 /

PL/SQL procedure successfully completed.

SQL> column flight# format 9999;


SQL> column destination format a15;
SQL> column payload format a15
SQL> conn bob
Enter password:
Connected.
SQL> select SA_SESSION.ROW_LABEL('OLS_POL1') from DUAL;

SA_SESSION.ROW_LABEL('OLS_POL1')
--------------------------------------------------------------------------------

SQL> select SA_SESSION.LABEL('OLS_POL1') from DUAL;

SA_SESSION.LABEL('OLS_POL1')
--------------------------------------------------------------------------------

SQL> BEGIN
2 SA_SESSION.SET_ROW_LABEL(
3 policy_name => 'ols_pol1',
4 label => 'UC'
5 );
6 END;
7 /

PL/SQL procedure successfully completed.

SQL> insert into gov.flight (flight#, destination, payload)


2 Values (599, 'Peru', 'Medecine');

1 row created.

SQL> select flight#, destination, payload from gov.flight;

FLIGHT# DESTINATION PAYLOAD


------- --------------- ---------------
506 Canada Charcoal
706 Japan Battery
508 Israel Jets
509 India Aid
599 Peru Medecine

SQL> conn gov


Enter password:
Connected.
SQL> select flight#, destination, payload from gov.flight;

no rows selected

SQL> conn tim


Enter password:
Connected.
SQL> select flight#, destination, payload from gov.flight;

FLIGHT# DESTINATION PAYLOAD


------- --------------- ---------------
506 Canada Charcoal
509 India Aid
599 Peru Medecine

SQL> conn lbacsys


Enter password:
Connected.
SQL> BEGIN
2 SA_SYSDBA.DROP_POLICY(
3 policy_name => 'ols_pol1'
4 );
5 END;
6 /

PL/SQL procedure successfully completed.

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> DROP USER gov cascade;

User dropped.

SQL> DROP USER bob cascade;

User dropped.

SQL> DROP USER tim cascade;

User dropped.

SQL>

===================================================================================
==============
SQL> select username from dba_users;

USERNAME
--------------------------------------------------------------------------------

OE
TEST2
SCOTT
ORACLE_OCM
OJVMSYS
SYSKM
XS$NULL
BI
PM
GSMCATUSER
MDDATA

USERNAME
--------------------------------------------------------------------------------

SYSBACKUP
IX
SH
DIP
SYSDG
APEX_PUBLIC_USER
HR
SPATIAL_CSW_ADMIN_USR
TEST
SPATIAL_WFS_ADMIN_USR
GSMUSER

USERNAME
--------------------------------------------------------------------------------

AUDSYS
FLOWS_FILES
DVF
MDSYS
ORDSYS
DBSNMP
WMSYS
APEX_040200
APPQOSSYS
GSMADMIN_INTERNAL
ORDDATA

USERNAME
--------------------------------------------------------------------------------

CTXSYS
ANONYMOUS
XDB
ORDPLUGINS
DVSYS
SI_INFORMTN_SCHEMA
OLAPSYS
LBACSYS
OUTLN
SYSTEM
SYS

44 rows selected.

SQL>
===================================================================================
==============
Audit
-----

SQL> drop user test cascade;

User dropped.

SQL> create user test identified by Admin12345 quota unlimited on users;

User created.

SQL> drop user test2 cascade;

User dropped.

SQL> grant create session, create table, create sequence to test;

Grant succeeded.

SQL> create user test2 identified by Admin12345 quota unlimited on users;

User created.

SQL> grant create session to test2;

Grant succeeded.

SQL> create user test3 identified by Admin12345 quota unlimited on users;

User created.

SQL> grant create session to test3;

Grant succeeded.

SQL> SELECT name


2 FROM system_privilege_map
3 ORDER BY name;

SQL> CREATE AUDIT POLICY test_audit_policy


2 PRIVILEGES CREATE TABLE, CREATE SEQUENCE
3 WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST'''
4 EVALUATE PER SESSION;

Audit policy created.

SQL> AUDIT POLICY test_audit_policy;

Audit succeeded.

SQL> SET LINESIZE 200


SQL> COLUMN audit_option FORMAT a15
SQL> COLUMN condition_eval_opt FORMAT a10
SQL> COLUMN audit_condition FORMAT a50
SQL> SELECT audit_option,
2 condition_eval_opt,
3 audit_condition
4 FROM audit_unified_policies
5 WHERE policy_name = 'TEST_AUDIT_POLICY';

AUDIT_OPTION CONDITION_ AUDIT_CONDITION


--------------- ---------- --------------------------------------------------
CREATE SEQUENCE SESSION SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST'
CREATE TABLE SESSION SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST'

SQL> conn test


Enter password:
Connected.
SQL> CREATE TABLE tab1 (id NUMBER);

Table created.

SQL> CREATE SEQUENCE tab1_seq;

Sequence created.

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> COLUMN event_timestamp FORMAT a30
SQL> COLUMN dbusername FORMAT a10
SQL> COLUMN action_name FORMAT a20
SQL> COLUMN object_schema FORMAT a10
SQL> COLUMN object_name FORMAT a20
SQL> SELECT event_timestamp,
2 dbusername,
3 action_name,
4 object_schema,
5 object_name
6 FROM unified_audit_trail
7 WHERE dbusername = 'TEST'
8 ORDER BY event_timestamp;

EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCH OBJECT


_NAME
------------------------------ ---------- -------------------- ---------- ------
--------------
04-APR-17 09.55.29.913000 AM TEST LOGON
04-APR-17 09.55.41.660000 AM TEST LOGON
04-APR-17 02.22.41.805000 PM TEST CREATE TABLE TEST TAB1
04-APR-17 02.22.44.516000 PM TEST CREATE SEQUENCE TEST TAB1_S
EQ

SQL> NOAUDIT POLICY test_audit_policy;

Noaudit succeeded.

SQL> drop audit policy test_audit_policy;

Audit Policy dropped.

SQL>
SQL> CREATE TABLE tab1 (
2 id NUMBER,
3 CONSTRAINT tab1_pk PRIMARY KEY (id)
4 );

Table created.

SQL> CREATE SEQUENCE tab1_seq;

Sequence created.

SQL> CREATE TABLE tab2 (


2 id NUMBER,
3 CONSTRAINT tab2_pk PRIMARY KEY (id)
4 );

Table created.

SQL> CREATE SEQUENCE tab2_seq;

Sequence created.

SQL> GRANT SELECT, INSERT, UPDATE, DELETE ON tab1 TO test2;

Grant succeeded.

SQL> GRANT SELECT ON tab1_seq TO test2;

Grant succeeded.

SQL>

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> CREATE AUDIT POLICY test_audit_policy
2 ACTION DELETE ON test.tab1,
3 INSERT ON test.tab1,
4 UPDATE ON test.tab1,
5 SELECT ON test.tab1_seq,
6 ALL ON test.tab2,
7 SELECT ON test.tab2_seq
8 WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST2'''
9 EVALUATE PER SESSION;
CREATE AUDIT POLICY test_audit_policy
*
ERROR at line 1:
ORA-46373: Audit policy 'TEST_AUDIT_POLICY' must have at least one audit option.

SQL> show user


USER is "SYS"
SQL> CREATE AUDIT POLICY test_audit_policy
2 ACTIONS DELETE ON test.tab1,
3 INSERT ON test.tab1,
4 UPDATE ON test.tab1,
5 SELECT ON test.tab1_seq,
6 ALL ON test.tab2,
7 SELECT ON test.tab2_seq
8 WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST2'''
9 EVALUATE PER SESSION;

Audit policy created.

SQL> AUDIT POLICY test_audit_policy;

Audit succeeded.

SQL> SET LINESIZE 200


SQL> COLUMN object_schema FORMAT a15
SQL> COLUMN object_name FORMAT a15
SQL> COLUMN object_type FORMAT a12
SQL> COLUMN audit_option FORMAT a15
SQL> COLUMN condition_eval_opt FORMAT a10
SQL> COLUMN audit_condition FORMAT a50
SQL> SELECT object_schema,
2 object_name,
3 object_type,
4 audit_option,
5 condition_eval_opt,
6 audit_condition
7 FROM audit_unified_policies
8 WHERE policy_name = 'TEST_AUDIT_POLICY';

OBJECT_SCHEMA OBJECT_NAME OBJECT_TYPE AUDIT_OPTION CONDITION_ AUDIT_CO


NDITION
--------------- --------------- ------------ --------------- ---------- --------
------------------------------------------
TEST TAB1 TABLE UPDATE SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1 TABLE INSERT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1 TABLE DELETE SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1_SEQ SEQUENCE SELECT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB2 TABLE ALL SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB2_SEQ SEQUENCE SELECT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'

6 rows selected.

SQL>

SQL> conn test


Enter password:
Connected.
SQL> INSERT INTO tab1 (id) VALUES (tab1_seq.NEXTVAL);

1 row created.

SQL> INSERT INTO tab2 (id) VALUES (tab2_seq.NEXTVAL);

1 row created.
SQL> Commit;

==============================================================================
SQL> conn test2
Enter password:
Connected.
SQL> UPDATE test.tab1 SET id = test.tab1_seq.NEXTVAL;
UPDATE test.tab1 SET id = test.tab1_seq.NEXTVAL
*
ERROR at line 1:
ORA-00942: table or view does not exist

SQL> UPDATE test.tab2 SET id = test.tab2_seq.NEXTVAL;

1 row updated.

SQL> DELETE FROM test.tab1;


DELETE FROM test.tab1
*
ERROR at line 1:
ORA-00942: table or view does not exist

SQL> DELETE FROM test.tab2;

1 row deleted.

SQL> COMMIT;

Commit complete.

SQL>

===================================================================================
================

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> SELECT event_timestamp,
2 dbusername,
3 action_name,
4 object_schema,
5 object_name
6 FROM unified_audit_trail
7 WHERE dbusername LIKE 'TEST%'
8 ORDER BY event_timestamp;

EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCHEMA O


BJECT_NAME
------------------------------ ---------- -------------------- --------------- -
--------------
04-APR-17 09.55.29.913000 AM TEST LOGON
04-APR-17 09.55.41.660000 AM TEST LOGON
04-APR-17 10.58.29.738000 AM TEST2 ALTER USER T
EST2
04-APR-17 02.22.41.805000 PM TEST CREATE TABLE TEST T
AB1
04-APR-17 02.22.44.516000 PM TEST CREATE SEQUENCE TEST T
AB1_SEQ
04-APR-17 02.42.43.801000 PM TEST CREATE AUDIT POLICY SYS T
EST_AUDIT_POLI
C
Y

04-APR-17 02.57.53.454000 PM TEST2 SELECT TEST T


AB1_SEQ
04-APR-17 02.57.53.454000 PM TEST2 UPDATE TEST T
AB1
04-APR-17 02.57.53.481000 PM TEST2 SELECT TEST T
AB2_SEQ

EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCHEMA O


BJECT_NAME
------------------------------ ---------- -------------------- --------------- -
--------------
04-APR-17 02.57.53.482000 PM TEST2 UPDATE TEST T
AB2
04-APR-17 02.57.53.484000 PM TEST2 DELETE TEST T
AB1
04-APR-17 02.57.53.490000 PM TEST2 DELETE TEST T
AB2

12 rows selected.

SQL>

===================================================================================
==
SQL> ALTER AUDIT POLICY test_audit_policy
2 DROP ACTIONS ALL ON test.tab2,
3 SELECT ON test.tab2_seq;

Audit policy altered.

SQL> SET LINESIZE 200


SQL> COLUMN object_schema FORMAT a15
SQL> COLUMN object_name FORMAT a15
SQL> COLUMN object_type FORMAT a12
SQL> COLUMN audit_option FORMAT a15
SQL> COLUMN condition_eval_opt FORMAT a10
SQL> COLUMN audit_condition FORMAT a50
SQL> SELECT object_schema,
2 object_name,
3 object_type,
4 audit_option,
5 condition_eval_opt,
6 audit_condition
7 FROM audit_unified_policies
8 WHERE policy_name = 'TEST_AUDIT_POLICY';

OBJECT_SCHEMA OBJECT_NAME OBJECT_TYPE AUDIT_OPTION CONDITION_ AUDIT_CO


NDITION
--------------- --------------- ------------ --------------- ---------- --------
------------------------------------------
TEST TAB1 TABLE UPDATE SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1 TABLE INSERT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1 TABLE DELETE SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1_SEQ SEQUENCE SELECT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'

SQL>

=============================================================================
ROLE AUDIT

SQL> show user


USER is "SYS"
SQL> CREATE ROLE create_table_role;

Role created.

SQL> GRANT CREATE TABLE TO create_table_role;

Grant succeeded.

SQL> GRANT create_table_role TO test3;

Grant succeeded.

SQL> CREATE AUDIT POLICY create_table_role_policy


2 ROLE create_table_role
3 WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST3'''
4 EVALUATE PER SESSION;

Audit policy created.

SQL> AUDIT POLICY create_table_role_policy;

Audit succeeded.

SQL>

SQL> SET LINESIZE 200


SQL> COLUMN audit_option FORMAT a20
SQL> COLUMN condition_eval_opt FORMAT a10
SQL> COLUMN audit_condition FORMAT a50
SQL> SELECT audit_option,
2 audit_option_type,
3 condition_eval_opt,
4 audit_condition
5 FROM audit_unified_policies
6 WHERE policy_name = 'CREATE_TABLE_ROLE_POLICY';

AUDIT_OPTION AUDIT_OPTION_TYPE CONDITION_ AUDIT_CONDITION


-------------------- ------------------ ---------- -----------------------------
---------------------
CREATE_TABLE_ROLE ROLE PRIVILEGE SESSION SYS_CONTEXT('USERENV', 'SESSI
ON_USER') = 'TEST3'

SQL>
SQL> conn test3
Enter password:
Connected.
SQL> CREATE TABLE tab1 (id NUMBER);

Table created.

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> COLUMN event_timestamp FORMAT a30
SQL> COLUMN dbusername FORMAT a10
SQL> COLUMN action_name FORMAT a20
SQL> COLUMN object_schema FORMAT a10
SQL> COLUMN object_name FORMAT a20
SQL> SELECT event_timestamp,
2 dbusername,
3 action_name,
4 object_schema,
5 object_name
6 FROM unified_audit_trail
7 WHERE dbusername = 'TEST3'
8 ORDER BY event_timestamp;

EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCH OBJECT


_NAME
------------------------------ ---------- -------------------- ---------- ------
--------------
04-APR-17 03.17.13.370000 PM TEST3 CREATE TABLE TEST3 TAB1

SQL>

SQL> NOAUDIT POLICY create_table_role_policy;

Noaudit succeeded.

SQL> DROP AUDIT POLICY create_table_role_policy;

Audit Policy dropped.

SQL>
