Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.

Slides:



Advertisements
Similar presentations
Module 12: Auditing SQL Server Environments
Advertisements

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 8 Application Data Auditing.
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
Chapter 9 Auditing Database Activities
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 5 Database Application Security Models.
یا ذالامن و الامان. Virtual Private Database Mohammad Amin Sabbaghian.
System Administration Accounts privileges, users and roles
A Guide to Oracle9i1 Advanced SQL And PL/SQL Topics Chapter 9.
Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Chapter 7 Database Auditing Models
Chapter 5 Database Application Security Models
ORACLE DATABASE SECURITY
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases.
Database Security Managing Users and Security Models.
10 Copyright © 2005, Oracle. All rights reserved. Implementing Oracle Database Security.
Adapted from Afyouni, Database Security and Auditing Database Application Auditing – Ch. 8.
Overview What is SQL Server? Creating databases Administration Security Backup.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
DAVID M. KROENKE’S DATABASE PROCESSING, 10th Edition © 2006 Pearson Prentice Hall 7-1 David M. Kroenke’s Chapter Seven: SQL for Database Construction and.
IAM Online - Grouper Permissions Chris Hyzer University of Pennsylvania / Internet2 September 14, /14/20151.
Chapter Oracle Server An Oracle Server consists of an Oracle database (stored data, control and log files.) The Server will support SQL to define.
© 2007 by Prentice Hall12-1 Introduction to Oracle 10g Chapter 12 Maintaining Database Security James Perry and Gerald Post.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
ORACLE LABEL SECURITY Evgeniya Kotzeva VEREO Technologies.
Virtual Private Databases Dr. Gabriel. 2 Overview of Virtual Private Databases A VPD deals with data access VPD controls data access at the row or column.
CSIS 4310 – Advanced Databases Virtual Private Databases.
10 Copyright © 2005, Oracle. All rights reserved. Implementing Oracle Database Security.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
PL/SQLPL/SQL Oracle10g Developer: PL/SQL Programming Chapter 7 PL/SQL Packages.
Using Procedures & Functions Oracle Database PL/SQL 10g Programming Chapter 9.
Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,
Database Management System (DBMS) an Introduction DeSiaMore 1.
Roles & privileges privilege A user privilege is a right to execute a particular type of SQL statement, or a right to access another user's object. The.
Dale Roberts 1 Department of Computer and Information Science, School of Science, IUPUI Dale Roberts, Lecturer Computer Science, IUPUI
PL/SQLPL/SQL Oracle10g Developer: PL/SQL Programming Chapter 3 Handling Data in PL/SQL Blocks.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 9 Auditing Database Activities.
CHAPTER 9 Views, Synonyms, and Sequences. Views are used extensively in reporting applications and also to present subsets of data to applications. Synonyms.
What is a Package? A package is an Oracle object, which holds other objects within it. Objects commonly held within a package are procedures, functions,
Chapter 13 Views Oracle 10g: SQL. Oracle 10g: SQL2 Objectives Create a view, using CREATE VIEW command or the CREATE OR REPLACE VIEW command Employ the.
55 Creating Data Dictionary Views and Standard Packages.
Oracle11g: PL/SQL Programming Chapter 3 Handling Data in PL/SQL Blocks.
Chapter 5 : Integrity And Security  Domain Constraints  Referential Integrity  Security  Triggers  Authorization  Authorization in SQL  Views 
SQL.. AN OVERVIEW lecture3 1. Overview of SQL 2  Query: allow questions to be asked of the data and display only the information required. It can include.
Oracle 11g: SQL Chapter 7 User Creation and Management.
Chapter 6 Virtual Private Databases
11 Copyright © 2007, Oracle. All rights reserved. Implementing Oracle Database Security.
SQL Introduction to database and SQL. Chapter 1: Databases and Database Users 6 Introduction to Databases Databases touch all aspects of our lives. Examples:
SQL Triggers, Functions & Stored Procedures Programming Operations.
 CONACT UC:  Magnific training   
18 Copyright © 2004, Oracle. All rights reserved. Implementing Oracle Database Security.
SQL Server 2016 Security Features Marek Chmel Microsoft MVP: Data Platform Microsoft MCT: Regional Lead MCSE: Data Platform Certified Ethical Hacker.
7.5 Using Stored-Procedure and Triggers NAME MATRIC NUM GROUP Muhammad Azwan Bin Khairul Anwar CS2305A Muhammad Faiz Bin Badrol Shah CS2305B.
Oracle9i Developer: PL/SQL Programming Chapter 6 PL/SQL Packages.
ORACLE's Approach ORALCE uses a proprietary mechanism for security. They user OLS.... ORACLE Labeling Security. They do data confidentiality They do adjudication.
19 Copyright © 2008, Oracle. All rights reserved. Security.
Understanding Core Database Concepts Lesson 1. Objectives.
SQL Introduction SQL stands for “Structured Query Language” and can be pronounced as “SQL” or “sequel – (Structured English.
Controlling User Access
Introduction To Database Systems
OER- UNIT 3 Authorization
Oracle9i Developer: PL/SQL Programming Chapter 8 Database Triggers.
Managing Privileges.
Chapter 7 Using SQL in Applications
Prof. Arfaoui. COM390 Chapter 9
Handling Data in PL/SQL Blocks
Prof. Arfaoui. COM390 Chapter 7
Understanding Core Database Concepts
Presentation transcript:

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 6 Virtual Private Databases

Database Security & Auditing: Protecting Data Integrity & Accessibility2 Objectives Define the term “virtual private database” and explain its importance Implement a virtual private database by using the VIEW database object Implement a virtual private database by using Oracle’s application context Implement the Oracle virtual private database feature

Database Security & Auditing: Protecting Data Integrity & Accessibility3 Objectives (continued) Use a data dictionary to view an Oracle virtual private database Use Policy Manager to view an Oracle virtual private database Implement row-level and column-level security

Database Security & Auditing: Protecting Data Integrity & Accessibility4 Overview of Virtual Private Databases A VPD deals with data access VPD controls data access at the row or column level SQL Server 2000: use VIEW data object Oracle10g: –Specific functions –Row-level security, fine-grained access (FGA)

Database Security & Auditing: Protecting Data Integrity & Accessibility5 Overview of Virtual Private Databases (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility6 Overview of Virtual Private Databases (continued) Shared database schema: –Containing data that belongs to different users –User view or update only data he or she owns Purposes/benefits: –Security requirements necessitate data access be restricted at row or column level (FGA) –One database schema serves multiple unrelated groups or entities

Database Security & Auditing: Protecting Data Integrity & Accessibility7 Implementing a VPD Using Views View object limits what users can see and do with existing data: hides columns or rows from users CREATE VIEW statement: creates data views Views can become hard to administer; solution is VPD Implementation is limited and requires careful design and development

Database Security & Auditing: Protecting Data Integrity & Accessibility8 Implementing a VPD Using Views (continued) Example implementation steps: –Logon as DBSEC schema –Display the EMPLOYEES table –Create the table EMPLOYESS_VER1 –Create a VIEW object to display rows that belong only to the logged on user –Grant SELECT and INSERT on this view to another user –Insert a row using EMPLOYEES_VIEW1

Database Security & Auditing: Protecting Data Integrity & Accessibility9 Implementing a VPD Using Views (continued) Example implementation steps (continued) –Logon as the other user –Select the EMPLOYEES_VIEW1 VIEW object; you see only rows that belongs to the other user

Database Security & Auditing: Protecting Data Integrity & Accessibility10 Hiding Rows Based on the Current User System function USER: –Returns database user –Used to implement row-based security Implementing row-based security with views: –Need a column in your tables for the row’s owner –Preface it with “CTL”

Database Security & Auditing: Protecting Data Integrity & Accessibility11 Hiding Rows Based on the Current User (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility12 Hiding Rows Based on the Current User (continued) Steps: –Alter table to contain column CTL_UPD_USER –Create database users in the database –Create the view users will use to access table –Test the code: Login as one user and do some actions Then login as a different user

Database Security & Auditing: Protecting Data Integrity & Accessibility13 Hiding Rows Based on the Current User (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility14 Hiding Rows Based on the Current User (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility15 Implementing a VPD Using Application Context in Oracle Triggers Application context: –Functionality specific to Oracle –Allows to set database application variables that can be retrieved by database sessions –Variables can be used for security context- based or user-defined environmental attributes Dynamic performance view V$SESSION Application context function SYS_CONTEXT

Database Security & Auditing: Protecting Data Integrity & Accessibility16 Implementing a VPD Using Application Context in Oracle (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility17 Implementing a VPD Using Application Context in Oracle (continued) Set your own application context: use Oracle PL/SQL package DBMS_SESSION (SET_CONTEXT procedure) Example steps: –Using DBSEC that has privileges to create tables and other database objects: Application context table APP_CONTEXT_USERS ORDERS table

Database Security & Auditing: Protecting Data Integrity & Accessibility18 Implementing a VPD Using Application Context in Oracle (continued) Example steps (continued): –As DBSEC insert rows into: ORDERS table APP_CONTEXT_USERS table –As DBSEC create a VIEW object to display rows based on application context SECURITY_LEVEL –As DBSEC create context for ORDERS_APP –Create a package; can be owned by SYS, SYSTEM or DBSEC

Database Security & Auditing: Protecting Data Integrity & Accessibility19 Implementing a VPD Using Application Context in Oracle (continued) Example steps (continued): –Grant the user CREATE ANY CONTEXT privilege and the execute privilege to DBSEC –Create a logon database trigger –Connect as HR and select from the view Complex implementation: use VPD instead

Database Security & Auditing: Protecting Data Integrity & Accessibility20 Implementing Oracle Virtual Private Databases VPDs are a more direct solution User functions: –DBSEC users: application schema owner –CUSTOMERS: used to demonstrate VPDs –VPD_CLERK1, VPD_CLERK2, and VPD_CLERK3 users: database users that are used to test VPDs

Database Security & Auditing: Protecting Data Integrity & Accessibility21 Implementing Oracle Virtual Private Databases (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility22 Implementing Oracle Virtual Private Databases (continued) Create table for customer users: –Create the CUSTOMERS table –Insert rows into the CUSTOMERS table –Create three users for testing, VPD_CLERK1, VPD_CLERK2, and VPD_CLERK3 –Grant the necessary privileges on the CUSTOMERS table to use each test ROW_OWNER security: row-level security based on user that owns row

Database Security & Auditing: Protecting Data Integrity & Accessibility23 Implementing Oracle Virtual Private Databases (continued) Steps: –Create a policy function to add a predicate to the WHERE clause –Using DBMS_RLS add the VPD policy: Oracle- supplied package –Log in as VPD_CLERK1; display number of records that this user can see –Disable this policy

Database Security & Auditing: Protecting Data Integrity & Accessibility24 Implementing Oracle Virtual Private Databases (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility25 Implementing Oracle Virtual Private Databases (continued) APPLICATION-CONTEXT security: allows specific users to see only rows for a specific sales representative Steps: –Create the DBSEC_CUSTOMERS_APP_CONTEXT table –Insert rows into this table –Create a trusted package that allows DBSEC to execute DBMS_SESSION

Database Security & Auditing: Protecting Data Integrity & Accessibility26 Implementing Oracle Virtual Private Databases (continued) Steps (continued): –Create an application context for this policy –Create a new VPD function policy to add a WHERE clause predicate –Add a VPD policy for the CUSTOMERS table –Create an after-logon trigger –Now log on as VPD_CLERK2

Database Security & Auditing: Protecting Data Integrity & Accessibility27 Implementing Oracle Virtual Private Databases (continued) ROLE SECURITY LEVEL: –Detects the role of the user –A predicate is used to filter the rows that can be seen by each user Steps: –Disable any policies on the CUSTOMERS table –Disable the AFTER LOGON database trigger –Create three new roles

Database Security & Auditing: Protecting Data Integrity & Accessibility28 Implementing Oracle Virtual Private Databases (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility29 Implementing Oracle Virtual Private Databases (continued) Steps (continued): –Create application context for the security level –Create application context package to set the application context –Create a policy function to implement row-level security (VPD) –Create a policy to enforce a WHERE clause predicate

Database Security & Auditing: Protecting Data Integrity & Accessibility30 Implementing Oracle Virtual Private Databases (continued) Steps (continued): –Application logs on as VPD_CLERK3; run PKG_DBSEC_ROLE_SECURITY_LEVEL package –Repeat last step, this time use VPD_CLERK1 VPD policies can be grouped for organizational purposes Oracle enforces row-level security using all the DML statements

Database Security & Auditing: Protecting Data Integrity & Accessibility31 Viewing VPD Policies and Applications Context Using the Data Dictionary

Database Security & Auditing: Protecting Data Integrity & Accessibility32 Viewing VPD Policies and Applications Context Using Policy Manager Graphical tool called Policy Manage Use SYSTEM credentials to log in FGA control policies are divided into two parts: –Policy groups –Application context

Database Security & Auditing: Protecting Data Integrity & Accessibility33 Viewing VPD Policies and Applications Context Using Policy Manager (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility34 Viewing VPD Policies and Applications Context Using Policy Manager (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility35 Viewing VPD Policies and Applications Context Using Policy Manager (continued)

Database Security & Auditing: Protecting Data Integrity & Accessibility36 Implementing Row- and Column-level Security with SQL Server SQL Server 2000 does not support VPDs; you can mimic their functionality Use views and expand security models

Database Security & Auditing: Protecting Data Integrity & Accessibility37 Row-based Security Using Access Levels Variation of both: –Application table-based security model –Application function-based security model Access levels: –0 = No access –1 = select –2 = select, insert –3 = select, insert, update

Database Security & Auditing: Protecting Data Integrity & Accessibility38 Row-based Security Using Access Levels (continued) Access levels (continued): –4 = select, insert, update, delete –5 = administrator access Steps: –Create the APPLICATION USERS table –Alter the CUSTOMER table to include the ACCESS CONTROL column –With the security structure in place use a view to retrieve data

Database Security & Auditing: Protecting Data Integrity & Accessibility39 Row-based Security Using Application Functions Steps (continued): apply privileges Drawbacks: it allows insertion, update, and deletion of records Alternatives: –Use stored procedures –Use application functions: access table list a function instead of a level

Database Security & Auditing: Protecting Data Integrity & Accessibility40 Column-based Security VPD and Column Access Using Oracle steps: –Log in as VPD_CLERK2 and view rows and columns in the CUSTOMERS table –Log in as the DBSEC user and recreate the policy on customers –Log in as VPD_CLERK2 and query the CUSTOMERS table

Database Security & Auditing: Protecting Data Integrity & Accessibility41 Column-based Security Column privileges in Oracle steps: –Log in as DBSEC and create a table called TEST –Grant SELECT on the TEST table to SCOTT –Grant UPDATE only on the column TEXT in the TEST table to SCOTT –Insert a row into the TEST table and save it –Log in as SCOTT and query the TEST table owned by DBSEC

Database Security & Auditing: Protecting Data Integrity & Accessibility42 Column-based Security (continued) Column privileges in Oracle steps (continued): –Update the TEXT column in the TEST table –Try to update the NUM column in the TEST table

Database Security & Auditing: Protecting Data Integrity & Accessibility43 Column-based Security (continued) Access-level control with SQL Server steps: –Create the APP_TABLES table –Create the APP_COLUMNS columns –All access to the tables must be performed with stored procedures

Database Security & Auditing: Protecting Data Integrity & Accessibility44 Column-based Security (continued) Column Privileges with SQL Server steps: set update permissions for sam on the column phone in the Customer table Customized column-access control facilitates management

Database Security & Auditing: Protecting Data Integrity & Accessibility45 Summary A virtual private database allows or prevents data access at the row or column level; implemented using VIEW database object VPDs are also referred to as row-level security (RLS) or fine-grained access (FGA) SQL Server does not support VPDs Microsoft SQL Server 2000 system function of USER

Database Security & Auditing: Protecting Data Integrity & Accessibility46 Summary (continued) Oracle Application context: –Allows setting of database application be retrieved by database sessions –SYS_CONTEXT function –PL/SQL package DBMS_SESSION –SET_CONTEXT procedure Use Oracle-supplied package DBMS_RLS to add the VPD policy Oracle data dictionary views

Database Security & Auditing: Protecting Data Integrity & Accessibility47 Summary (continued) Oracle Policy Manager: graphical tool used to administer VPD policies Oracle has the capability to restrict updates or inserts on columns, using GRANT UPDATE(column) and INSERT(column)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.