
You're reading from  Oracle 11g Anti-hacker's Cookbook

Product type: Book
Published in: Oct 2012
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781849685269
Edition: 1st Edition
Author: Adrian Neagu

Adrian Neagu has over ten years of experience as a database administrator, mainly with DB2 and Oracle databases. He is an Oracle Certified Master 10g, Oracle Certified Professional 9i, 10g, and 11g, IBM DB2 Certified Administrator version 8.1.2 and 9, IBM DB2 9 Advanced Certified Administrator 9, and Sun Certified System Administrator Solaris 10. He is an expert in many areas of database administration such as performance tuning, high availability, replication, backup, and recovery. In his spare time, he likes to cook, take photos, and to catch big pikes with huge jerkbaits and bulldawgs.

Chapter 7. Beyond Privileges: Oracle Database Vault

In this chapter we will cover:

  • Creating and using Oracle Database Vault realms

  • Creating and using Oracle Vault command rules

  • Creating and using Oracle Database Vault rulesets

  • Creating and using Oracle Database Vault factors

  • Creating and using Oracle Database Vault reports

Introduction


Oracle Database Vault can be described as a security framework developed primarily for the purpose of implementing fine-grained access control to objects. Oracle Database Vault functionality provides additional capabilities to restrict access to sensitive data and can apply controls that are not currently available with the traditional privilege model.

By using Oracle Database Vault, practically every database object can be isolated from unauthorized access by users holding any type of privilege, including super-privileged users such as DBAs and the SYS and SYSTEM accounts. Oracle Database Vault can also filter DML and DDL statements issued against the database, using virtually unlimited combinations of parameters such as the IP address, time, connection protocol, and authentication method, expressed through realms, factors, rulesets, command rules, and secure application roles.

The next series of recipes will cover the main components that make up Oracle Database Vault,...

Creating and using Oracle Database Vault realms


A realm is the core Oracle Database Vault structure: a named boundary around a set of objects that blocks access to them through system privileges such as SELECT ANY TABLE, even for holders of the DBA role. A regular realm does not revoke object privileges granted directly on the protected objects, so those direct grants still need to be reviewed separately. A realm can be defined on any object in any schema. In this recipe, we will use both the PL/SQL interface and Oracle Database Vault Administrator (DVA) for defining realms.

Getting ready

In this recipe, we will create a realm named HR_TABLES_REALM by using the PL/SQL interface. This realm will include all the tables from the HR schema. Next, we will create a realm named HR_VIEWS_REALM by using the DVA Console. This realm will include all the views from the HR schema. The user HR will be defined as the realm owner and the users vw_america and vw_europe will be defined as realm participants.

Note

Before you start, you must have Oracle Database Vault installed. Details on installation can be found in the documentation page http://docs.oracle.com/cd/E11882_01/server.112/e23090/dvca.htm#CIAIHIDA and on deinstallation...
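The following is an added example, not code from the book: it builds both realms of this recipe through the DBMS_MACADM API (the book builds the second one in the DVA console), including the owner and participant authorizations, and then reads the result back from the DBA_DV_* views. It assumes the Database Vault owner account is odva_owner, as elsewhere in this chapter, and that the users VW_AMERICA and VW_EUROPE already exist; the realm descriptions are ours.

```sql
-- Added example (not from the book). Run as the Database Vault owner
-- (odva_owner in this chapter; substitute your own DV_OWNER account).
-- Assumes users VW_AMERICA and VW_EUROPE exist, as in the recipe.

BEGIN
  -- 1. Realm for every table in HR. Auditing stays off here, as in the
  --    recipe; the reports recipe later switches it on.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR_TABLES_REALM',
    description   => 'All tables of the HR schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_OFF);

  -- '%' covers every current and future table in the schema.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR_TABLES_REALM',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => 'TABLE');

  -- 2. Realm for every view in HR (the recipe does this one in the console).
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR_VIEWS_REALM',
    description   => 'All views of the HR schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_OFF);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR_VIEWS_REALM',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => 'VIEW');

  -- 3. Authorizations: HR owns the views realm (it may also grant and revoke
  --    on the protected views); the two reporting users only participate.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR_VIEWS_REALM',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR_VIEWS_REALM',
    grantee       => 'VW_AMERICA',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR_VIEWS_REALM',
    grantee       => 'VW_EUROPE',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verify what Database Vault now enforces (view columns as documented for 11g R2).
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
FROM   dba_dv_realm r
JOIN   dba_dv_realm_object o ON o.realm_name = r.name
WHERE  r.name IN ('HR_TABLES_REALM', 'HR_VIEWS_REALM');

SELECT realm_name, grantee, auth_options
FROM   dba_dv_realm_auth
WHERE  realm_name = 'HR_VIEWS_REALM';
```

Two things to check after running it. First, test from a separate session that holds SELECT ANY TABLE but is not authorized in the realm: Database Vault reports a realm violation with the generic ORA-01031 insufficient privileges error, so a blocked query looks exactly like a missing grant and the DV audit trail is the only place that explains it. Second, a realm authorization does not grant anything: VW_AMERICA still needs SELECT on the views it queries, and because HR_TABLES_REALM has no authorizations at all, nobody, HR included, can run DDL against HR tables until an owner authorization is added.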

Creating and using Oracle Vault command rules


Command rules can be used in Oracle Database Vault to restrict and protect database objects against DDL and DML statements, by attaching a rule to a specific statement on specific objects. Every command rule is bound to a ruleset, a subject covered in the next recipe; at runtime the ruleset is evaluated and the statement is permitted only when the ruleset evaluates to true.

Getting ready

In this recipe, we will create a command rule that controls SELECT statements against HR.EMP_DETAILS_VIEW by using the PL/SQL interface, and a command rule that controls the CREATE VIEW statement by using DVA. We will use these two command rules again in the Creating and using Oracle Database Vault rulesets recipe later in this chapter.

How to do it...

This can be done using the PL/SQL interface, as follows:

  1. Connect as the Oracle Vault Owner user and create the command rule, which controls the SELECT statements against EMP_DETAILS_VIEW:

    SQL> begin  dbms_macadm.create_command_rule (command=>'SELECT',rule_set_name...

Creating and using Oracle Database Vault rulesets


As their name denotes, rulesets are collections of rules. Each rule is a SQL expression that evaluates to true or false, and the ruleset as a whole evaluates to true either when all of its rules are true or when any one of them is, depending on how the ruleset is configured. Because they yield a single true or false answer, rulesets can be attached to command rules, realm authorizations, and factor assignment, as well as to secure application roles.

Getting ready

In this recipe we will create two rulesets:

  • The first ruleset will allow selection from EMP_DETAILS_VIEW by the vw_america and vw_europe users only; no other user will be allowed to select from this view.

  • The second ruleset will restrict the creation of reporting views to the end of the month. In this recipe, we will re-use the two command rules created in the previous recipe.

How to do it...

Rulesets can be defined by using the PL/SQL Oracle Database Vault administrative packages or by using DVA:

  1. Log in with ODVA_OWNER in DVA Console.

  2. In the Database Vault Feature Administration panel, click on Rule Sets.

  3. In...
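The following is an added example, not code from the book, covering this recipe and the previous one together: it creates the two rulesets, the rules inside them, and the two command rules that bind SELECT on HR.EMP_DETAILS_VIEW and CREATE VIEW in HR to those rulesets, all through DBMS_MACADM. The ruleset names, fail messages and fail codes are ours, and "end of month" is taken to mean the last three calendar days of the month, which the book does not spell out. It assumes the Database Vault owner account is odva_owner.

```sql
-- Added example (not from the book). Run as the Database Vault owner
-- (odva_owner in this chapter). Ruleset names, fail messages, fail codes and
-- the three-day "end of month" window are assumptions, not values from the book.

BEGIN
  ------------------------------------------------------------------
  -- Ruleset 1: only VW_AMERICA and VW_EUROPE may read EMP_DETAILS_VIEW.
  -- EVAL_ANY: the set is TRUE when any one rule is TRUE.
  ------------------------------------------------------------------
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Allow reporting users',
    description     => 'TRUE only for the two reporting accounts',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_OFF,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'EMP_DETAILS_VIEW is restricted to reporting users',
    fail_code       => 20101,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  -- Rule names follow the recipe; expressions use the session context for now
  -- (the factors recipe replaces them with the Session_User factor).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Evaluate VW_AMERICA user',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''VW_AMERICA''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Evaluate VW_EUROPE user',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''VW_EUROPE''');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Allow reporting users',
    rule_name     => 'Evaluate VW_AMERICA user',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Allow reporting users',
    rule_name     => 'Evaluate VW_EUROPE user',
    rule_order    => 2,
    enabled       => DBMS_MACUTL.G_YES);

  ------------------------------------------------------------------
  -- Ruleset 2: CREATE VIEW in HR allowed only at month end.
  ------------------------------------------------------------------
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'End of month only',
    description     => 'TRUE during the last three days of the month',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_OFF,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Reporting views may only be created at month end',
    fail_code       => 20102,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  -- Assumed window: last three calendar days of the current month.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is end of month',
    rule_expr => 'TRUNC(SYSDATE) >= TRUNC(LAST_DAY(SYSDATE)) - 2');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'End of month only',
    rule_name     => 'Is end of month',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);

  ------------------------------------------------------------------
  -- Command rules: bind each statement to its ruleset.
  ------------------------------------------------------------------
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'Allow reporting users',
    object_owner  => 'HR',
    object_name   => 'EMP_DETAILS_VIEW',
    enabled       => DBMS_MACUTL.G_YES);

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE VIEW',
    rule_set_name => 'End of month only',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Confirm the bindings.
SELECT command, object_owner, object_name, rule_set_name, enabled
FROM   dba_dv_command_rule
WHERE  object_owner = 'HR';
```

Note the interaction with EVAL_ANY: the ruleset is an OR over its rules, so adding a third, more permissive rule later (for example one that only checks the time of day) would silently widen access for everyone; extra conditions have to be AND-ed inside each user rule instead. A statement that the ruleset rejects fails with ORA-47400 (Command Rule violation), and the command rule applies in addition to any realm covering the view: both must permit the statement.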

Creating and using Oracle Database Vault factors


Factors also play an important role in enforcing security in Oracle Database Vault. A factor is a named variable or attribute, similar to an application context attribute, that Database Vault evaluates for a session. A factor can represent the session user, the session identifier, the module, the client IP address, and more. You can use factors to condition and restrict user authentication, and to build additional restrictions on data access based on their values and attributes.

Getting ready

In this recipe, we will replace the rule expressions of the Evaluate VW_AMERICA user and Evaluate VW_EUROPE user rules with the built-in Session_User factor.

How to do it...

Oracle Database Vault provides built-in factors that can be used alone or combined to enforce different types of evaluations:

  1. Connect as the ODVA_OWNER user and select the session user from the dvf.f$session_user factor function:

    SQL> conn odva_owner
    Enter password:
    SQL> select dvf.f$session_user from dual;
    
    F$SESSION_USER
    ------------------...
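The following is an added example, not code from the book: it performs the swap this recipe describes (the two user rules rewritten on top of the built-in Session_User factor) and goes one step further by defining a custom factor, derived from the built-in Client_IP factor, and AND-ing it into the same rules. The factor name Trusted_Subnet, the subnet 10.1.2.0/24 and the rule names are illustrative assumptions, not values from the book; the rules are assumed to exist under the names the recipe uses. It assumes the Database Vault owner account is odva_owner.

```sql
-- Added example (not from the book). Run as the Database Vault owner
-- (odva_owner in this chapter). Trusted_Subnet, the 10.1.2.0/24 subnet and the
-- rule names are illustrative assumptions.

BEGIN
  -- 1. A custom factor, evaluated once per session, built on the Client_IP
  --    factor. CLIENT_IP is NULL for local (bequeath/IPC) connections, so the
  --    CASE deliberately labels NULL as UNTRUSTED instead of letting it through.
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Trusted_Subnet',
    factor_type_name => 'Network',
    description      => 'TRUSTED when the client connects from the reporting subnet',
    rule_set_name    => NULL,
    get_expr         => 'CASE WHEN DVF.F$CLIENT_IP LIKE ''10.1.2.%'' '
                     || 'THEN ''TRUSTED'' ELSE ''UNTRUSTED'' END',
    validate_expr    => NULL,
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_SILENTLY);

  -- 2. Rewrite the two rules on factors: the built-in Session_User factor
  --    replaces SYS_CONTEXT, and the new factor is AND-ed in. With an EVAL_ANY
  --    ruleset the subnet test must live inside each user rule; a separate
  --    third rule would be OR-ed and would admit anyone on the subnet.
  DBMS_MACADM.UPDATE_RULE(
    rule_name => 'Evaluate VW_AMERICA user',
    rule_expr => 'DVF.F$SESSION_USER = ''VW_AMERICA'' '
              || 'AND DVF.F$TRUSTED_SUBNET = ''TRUSTED''');
  DBMS_MACADM.UPDATE_RULE(
    rule_name => 'Evaluate VW_EUROPE user',
    rule_expr => 'DVF.F$SESSION_USER = ''VW_EUROPE'' '
              || 'AND DVF.F$TRUSTED_SUBNET = ''TRUSTED''');
END;
/

-- Check from a test session: every factor gets a function named DVF.F$<name>.
SELECT DVF.F$SESSION_USER, DVF.F$CLIENT_IP, DVF.F$TRUSTED_SUBNET FROM dual;

-- And the stored definition.
SELECT name, factor_type_name, get_expr, eval_options
FROM   dba_dv_factor
WHERE  name = 'Trusted_Subnet';
```

Because the factor is evaluated on session start, its value is fixed for the life of the session: a connection that was established from the trusted subnet keeps the TRUSTED label even if the rule is later tightened, so existing sessions need to be ended for a change to bite. The value of Client_IP comes from the network peer address seen by the listener, not from anything the client sends in the protocol, which is what makes it usable as a restriction at all; through a connection proxy or load balancer it will be the proxy's address.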

Creating and using Oracle Database Vault reports


Oracle Vault has an integrated reporting system that can be used for generating reports for specific Oracle Database Vault components, and for general database security. In the next series of recipes, we will generate some specific Oracle Database Vault reports as well as some reports related to general database security.

Getting ready

In the previous recipes, we have created all the Oracle Vault objects with the audit options disabled. During this series of recipes, we will enable the Audit Options to Audit On Success or Failure on the realms and command rules created earlier, and we will generate several related audit reports. We will also generate some general database security reports related to privileges, audit, passwords, and so on.

How to do it...

The reporting system provided by Oracle Database Vault is a built-in component of the Oracle Database Vault Administrator Console:

  1. Navigate to the Realm page, check HR_TABLES_REALM , and click on...
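The following is an added example, not code from the book: it switches the realm and the ruleset behind the SELECT command rule to audit on success and failure through the API instead of the console, and then reads the Database Vault audit trail directly, which is what the DVA report pages query underneath. It assumes the Database Vault owner account is odva_owner, that the ruleset bound to the SELECT command rule is named Allow reporting users (substitute the name you used), and that DVSYS.AUDIT_TRAIL$ carries the column names documented for 11g Release 2; confirm them in DBA_TAB_COLUMNS on your release before relying on the query.

```sql
-- Added example (not from the book). Run as the Database Vault owner
-- (odva_owner in this chapter). The ruleset name 'Allow reporting users' and
-- the DVSYS.AUDIT_TRAIL$ column names are assumptions; verify both locally.

BEGIN
  -- Realm: UPDATE_REALM takes every parameter, so the unchanged ones are
  -- restated. Summing FAIL and SUCCESS is the documented way to audit both.
  DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'HR_TABLES_REALM',
    description   => 'All tables of the HR schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL
                   + DBMS_MACUTL.G_REALM_AUDIT_SUCCESS);

  -- Command rules have no audit setting of their own; the audit record comes
  -- from the ruleset they are bound to, so that is where it is switched on.
  DBMS_MACADM.UPDATE_RULE_SET(
    rule_set_name   => 'Allow reporting users',
    description     => 'TRUE only for the two reporting accounts',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL
                     + DBMS_MACUTL.G_RULESET_AUDIT_SUCCESS,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'EMP_DETAILS_VIEW is restricted to reporting users',
    fail_code       => 20101,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
END;
/

-- Read the trail the DVA reports are built on (requires DV_SECANALYST or
-- DV_OWNER). Realm events carry the realm in ACTION_OBJECT_NAME; ruleset
-- events carry the ruleset in RULE_SET_NAME. RETURNCODE 0 is a success record.
SELECT TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS audit_time,
       username,
       userhost,
       action_name,
       action_object_name,
       rule_set_name,
       returncode,
       action_command
FROM   dvsys.audit_trail$
WHERE  (action_object_name = 'HR_TABLES_REALM'
        OR rule_set_name = 'Allow reporting users')
AND    timestamp > SYSDATE - 1
ORDER  BY timestamp DESC;
```

To see records appear, run a denied and an allowed statement from other sessions (a SELECT on an HR table by a user with SELECT ANY TABLE, and a SELECT on HR.EMP_DETAILS_VIEW by VW_AMERICA) and re-run the query. Keep in mind that this trail is separate from SYS.AUD$: a realm or command rule violation does not show up in DBA_AUDIT_TRAIL unless a standard audit policy also covers the statement, so SOC tooling that only collects the standard audit trail will miss Database Vault events until it is pointed at this table as well.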

