Prligence Empowering Intelligence All About Fine Grained Access Control by Arup Nanda.

Slides:



Advertisements
Similar presentations
Prligence Empowering Intelligence Summary Management By Advanced Queues Paper # 419 Arup Nanda Proligence, Inc
Advertisements

Password Management for Oracle8 Ari Kaplan Independent Consultant.
Virtuális Privát Adatbázis - VPD SELECT * FROM OE.ORDERS; SELECT * FROM OE.ORDERS WHERE SALES_REP_ID = 159;
Prligence Empowering Intelligence A Multi-Source Time-Variant Datawarehouse Case Study Session# by Arup Nanda Proligence, Inc. Norwalk, CT.
Module 12: Auditing SQL Server Environments
Manipulating Data Schedule: Timing Topic 60 minutes Lecture
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
Database Management System
یا ذالامن و الامان. Virtual Private Database Mohammad Amin Sabbaghian.
Triggers The different types of integrity constraints discussed so far provide a declarative mechanism to associate “simple” conditions with a table such.
A Guide to Oracle9i1 Advanced SQL And PL/SQL Topics Chapter 9.
DAT702.  Standard Query Language  Ability to access and manipulate databases ◦ Retrieve data ◦ Insert, delete, update records ◦ Create and set permissions.
ORACLE DATABASE SECURITY
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.
Database Constraints. Database constraints are restrictions on the contents of the database or on database operations Database constraints provide a way.
10 Copyright © 2005, Oracle. All rights reserved. Implementing Oracle Database Security.
Adapted from Afyouni, Database Security and Auditing DB Auditing Examples (Ch. 9) Dr. Mario Guimaraes.
Adapted from Afyouni, Database Security and Auditing Database Application Auditing – Ch. 8.
Security and Integrity
The powerhouse PL/SQL upgrade option: Edition-Based Redefinition (EBR)
Database Application Security Models
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.
CSIS 4310 – Advanced Databases Virtual Private Databases.
Week 6 Lecture 2 System and Object Privileges. Learning Objectives  Identify and manage system and object privileges  Grant and revoke privileges to.
Lecture 4 PL/SQL language. PL/SQL – procedural SQL Allows combining procedural and SQL code PL/SQL code is compiled, including SQL commands PL/SQL code.
The protection of the DB against intentional or unintentional threats using computer-based or non- computer-based controls. Database Security – Part 2.
Other database objects (Sequence). What Is a Sequence? A sequence: Automatically generates sequential numbers Is a sharable object Is typically used to.
Triggers A Quick Reference and Summary BIT 275. Triggers SQL code permits you to access only one table for an INSERT, UPDATE, or DELETE statement. The.
Controlling User Access. Objectives After completing this lesson, you should be able to do the following: Create users Create roles to ease setup and.
Oracle Data Integrator Procedures, Advanced Workflows.
Roles & privileges privilege A user privilege is a right to execute a particular type of SQL statement, or a right to access another user's object. The.
Dale Roberts 1 Department of Computer and Information Science, School of Science, IUPUI Dale Roberts, Lecturer Computer Science, IUPUI
Controlling User Access Fresher Learning Program January, 2012.
Creating DDL and Database Event Triggers. 2 home back first prev next last What Will I Learn? Describe events that cause DDL and database event triggers.
What is a Package? A package is an Oracle object, which holds other objects within it. Objects commonly held within a package are procedures, functions,
Chapter 4 Constraints Oracle 10g: SQL. Oracle 10g: SQL 2 Objectives Explain the purpose of constraints in a table Distinguish among PRIMARY KEY, FOREIGN.
Controlling User Access. 2 home back first prev next last What Will I Learn? Compare the difference between object privileges and system privileges Construct.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
Dynamic SQL. 2 home back first prev next last What Will I Learn? Recall the stages through which all SQL statements pass Describe the reasons for using.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Chapter 5 : Integrity And Security  Domain Constraints  Referential Integrity  Security  Triggers  Authorization  Authorization in SQL  Views 
A Guide to SQL, Eighth Edition Chapter Six Updating Data.
Chapter 6 Virtual Private Databases
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
PRACTICE OVERVIEW PL/SQL Part Your stored procedure, GET_BUDGET, has a logic problem and must be modified. The script that contains the procedure.
Starting with Oracle SQL Plus. Today in the lab… Connect to SQL Plus – your schema. Set up two tables. Find the tables in the catalog. Insert four rows.
Stored Procedures / Session 4/ 1 of 41 Session 4 Module 7: Introducing stored procedures Module 8: More about stored procedures.
Oracle Business Intelligence Foundation – Testing and Deploying OBI Repository.
5 Copyright © 2008, Oracle. All rights reserved. Testing and Validating a Repository.
SQL Triggers, Functions & Stored Procedures Programming Operations.
 CONACT UC:  Magnific training   
18 Copyright © 2004, Oracle. All rights reserved. Implementing Oracle Database Security.
2 Copyright © 2009, Oracle. All rights reserved. Managing Schema Objects.
Controlling User Access
Creating Database Triggers
Database Security.
SQL Stored Triggers Presented by: Dr. Samir Tartir
The powerhouse PL/SQL upgrade option: Edition-Based Redefinition (EBR)
Database Security.
OER- UNIT 3 Authorization
Security Enhancements in SQL Server 2016
PRACTICE OVERVIEW PL/SQL Part - 1.
Prof. Arfaoui. COM390 Chapter 9
Virtual Private Databases
Presentation transcript:

prligence Empowering Intelligence All About Fine Grained Access Control by Arup Nanda

prligence Empowering Intelligence Oracle DBA for more than 10 years Written 50+ Articles –Oracle Magazine, Select Journal, DBAZine.com, SQLUpdate, Oracle Scene, TechJournal Presented at several conferences –Oracle World, IOUG Live, OraTechs, AOTC, VOUG, NYOUG Executive Director of Connecticut Oracle User Group Editor of Select Journal – the IOUG Publication Written the book Oracle Privacy Security Auditing, from Rampant TechPress 1-day Training Course on Oracle Security Security Audits Awarded DBA of the Year by Oracle.

prligence Empowering Intelligence Hospital Database IDNameGroup 1DrAdam1 2DrBarb2 3DrCharlie2 IDDoctorNameDisease 11LarryEgo 21BillControl 32ScottFickleness 43CraigLowVision 53LouGreed DOCTORSPATIENTS

prligence Empowering Intelligence Patient Application IDDoctorNameDisease 11LarryEgo 21BillControl 32ScottFickleness 43CraigLowVision 53LouGreed select * from patients Dr. Adam Doctor ID = 1 where doctor_id =

prligence Empowering Intelligence Options 1.Application Change Add a predicate to each SQL statement No security! 2.Views Automatic predicate Selection on view; no access to base table Too many views Predicate has to be static Difficult to determine accountability

prligence Empowering Intelligence A Third Option Automatic application of predicate User’s statement SELECT * FROM PATIENTS Transformed to SELECT * FROM PATIENTS WHERE DOCTOR_ID = Predicate generated by a user defined policy function.

prligence Empowering Intelligence Hospital Database IDNameGroup 1DrAdam1 2DrBarb2 3DrCharlie2 IDDoctorNameDisease 11LarryEgo 21BillControl 32ScottFickleness 43CraigLowVision 53LouGreed DOCTORSPATIENTS Select * from PATIENTS Where DOCTOR_ID = 1

prligence Empowering Intelligence Policy policy Policy Function where doctor_id = 1 select * from patients; select * from patients where doctor_id = 1 IDDoctorNameDisease 11LarryEgo 21BillControl 32ScottFickleness 43CraigLowVision 53LouGreed Doctor ID = 1

prligence Empowering Intelligence Policy Function Takes only two arguments –Table Owner –Table Name Must return a predicate that is to be applied, without the word WHERE. The predicate must be syntactically correct – Correct : doctor_id = (select doctor_id from doctors where doctor_name = USER) – Incorrect : doctor_id = (select USER from doctors)

prligence Empowering Intelligence Policy Function create or replace function get_doctor_id ( p_schema_name in varchar2, p_table_name in varchar2 ) return varchar2 is l_doctor_id number; begin select doctor_id into l_doctor_id from doctors where doctor_name = USER; return 'doctor_id = '||l_doctor_id; end; returns the currently logged in username

prligence Empowering Intelligence Adding a Policy begin dbms_rls.add_policy( object_schema => 'HOSPITAL', object_name => 'PATIENTS', policy_name => 'PATIENT_VIEW_POLICY', policy_function => 'GET_DOCTOR_ID', function_schema => 'HOSPITAL', statement_types => 'SELECT, INSERT, UPDATE, DELETE', update_check => true, enable => true ); end; the owner and name of the policy function the table on which the policy is defined Policy applied to all types of statements

prligence Empowering Intelligence Query Transformation Original Query SELECT * FROM PATIENTS Modified to SELECT * FROM (SELECT * FROM PATIENTS) WHERE DOCTOR_ID = 1

prligence Empowering Intelligence Insert/Update Check User DRADAM allowed to see only DOCTOR_ID = 1 He tries to insert a record with DOCTOR_ID = 2 ORA-28115: policy with check option violation He issues update PATIENTS set DOCTOR_ID = 2; ORA-28115: policy with check option violation, if update_check = TRUE

prligence Empowering Intelligence Bypassing create or replace function get_doctor_id ( p_schema_name in varchar2, p_table_name in varchar2 ) return varchar2 is l_doctor_id number; begin if (p_schema_name = USER) then return null; end if; select doctor_id into l_doctor_id from doctors where doctor_name = USER; return 'doctor_id = '||l_doctor_id; end; if (p_schema_name = USER) then return null; end if;

prligence Empowering Intelligence Other Bypasses System Privilege –EXEMPT ACCESS POLICY SYS and DBA roles have this by default.

prligence Empowering Intelligence Other Dependent Tables Applied predicate WHERE PATIENT_ID IN (SELECT PATIENT_ID FROM PATIENTS) create or replace function get_patient_id (p_schema_nameinvarchar2, p_table_nameinvarchar2 )return varchar2 is l_patient_idnumber; begin if (p_schema_name = USER) then return null; end if; return 'patient_id in (select patient_id from patients)'; end; /

prligence Empowering Intelligence Multiple Policies Table can have multiple policies of the same type. Each policy applied with AND PATIENTS DOCTOR_ID = 1 PROC_CODE != ‘HIV’ TREATED = TRUE policy1 policy2 policy3 AND select * from patients select * from patients where

prligence Empowering Intelligence Extending the Functionality Table for Authorized User Table: USER_AUTHORITY USERNAME - the name of the user DOCTOR_ID – the DOCTOR_ID this user is allowed to see Policy Function Change select deptno into l_doctor_id from user_authority where username = USER; l_ret := ‘doctor_id = '||l_ doctor_id; Table TREATMENTS (PATIENT_ID, TRATMENT_ID) l_ret := ‘patient_id in (select patient_id from patients)';

prligence Empowering Intelligence VPD and Other Oracle Tools VPD is applied in Conventional Modes only. Export DIRECT=Y EXP-00079: Data in table “PATIENTS" is protected. Conventional path may only be exporting partial table... exporting table PATIENTS 3 rows exported SQL*Loader DIRECT=Y SQL*Loader-951: Error calling once/load initialization ORA-00604: error occurred at recursive SQL level 1 ORA-28113: policy predicate has error Direct Mode Load insert /*+ APPEND */ into EMP; ERROR at line 1: ORA-28115: policy with check option violation

prligence Empowering Intelligence Managing Policies View DBA_POLICIES Oracle Policy Manager –oemapp opm Applied Policies –V$VPD_POLICY

prligence Empowering Intelligence Refreshing a Policy dbms_rls.refresh_policy ( object_schema => 'HOSPITAL' object_name => 'PATIENTS', policy_name => 'PATIENT_VIEW_POLICY' ); Required when the parsed copy of the policy function needs to be changed. Refreshing guarantees that. Recommended every time the policy or function is changed Not required in 9i

prligence Empowering Intelligence Dropping a Policy dbms_rls.drop_policy ( object_schema =>'HOSPITAL' object_name =>'PATIENTS', policy_name =>'PATIENT_VIEW_POLICY' ); When the policy is not required anymore or the table should not be subjected to the restrictions.

prligence Empowering Intelligence Enabling/Disabling a Policy dbms_rls.enable_policy ( object_schema => 'HOSPITAL' object_name => 'PATIENTS', policy_name => 'PATIENT_VIEW_POLICY', enable => FALSE ); When enabling a policy, just change parameter enable to TRUE and execute this function.

prligence Empowering Intelligence Troubleshooting Most errors produce trace files Debugging alter session set events '10730 trace name context forever, level 12'; Will produce the rewritten query in a trace file ORA-28110: Policy function or package has error Recompile the package ORA-28112: failed to execute policy function Some unhandled exception; check the trace file ORA-28116: insufficient privileges to do direct path access Conventional or Exempt User ORA-28113: policy predicate has error Check the trace file – SYNTAX Problem

prligence Empowering Intelligence Application Users User: DrAdam User: DrCharlie Application Server User: APPUSER

prligence Empowering Intelligence Client Identifier Introduced in Oracle 9i dbms_session.set_identifier (' ') CLIENT_ID in V$SESSION CLIENT_ID in Auditing sys_context('USERENV','CLIENT_IDENTIFIER')

prligence Empowering Intelligence Application Context Select USER from dual; Select SYS_CONTEXT (‘USERENV’, ‘CURRENT_USER’) from dual; APP_CTX ATTR1 ATTR2 set_app_ctx dbms_session.set_context (‘APP_CTX’,’ATTR1’,’Val1’);

prligence Empowering Intelligence Oracle 10g Enhancements Relevant Columns SELECT COUNT(*) FROM PATIENTS SELECT PATIENT_ID FROM PATIENTS SELECT SOCIAL_SEC_NO FROM PATIENTS Another parameter dbms_rls.add_policy ( … sec_relevant_cols => 'PATIENT_ID'

prligence Empowering Intelligence Policy Types dynamic context_sensitive shared_context_sensitive static shared_static

prligence Empowering Intelligence Conclusion Different view – on user Predicate applied automatically Predicate user generated 10g enhancements

prligence Empowering Intelligence Thank You! Questions? Download

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.