CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Application security (behind Oracle roles and profiles) Miguel Anjo 8 th July 2008 Database.

Slides:



Advertisements
Similar presentations
Auditing Oracle Lisa Outlaw CISA, CISSP, ITIL Foundation
Advertisements

Manipulating Data Schedule: Timing Topic 60 minutes Lecture
Understand Database Security Concepts
System Administration Accounts privileges, users and roles
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.
About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Database Security Managing Users and Security Models.
CERN IT Department CH-1211 Genève 23 Switzerland t Streams new features in 11g Zbigniew Baranowski.
Getting Started with Oracle11g Abeer bin humaid. Create database user You should create at least one database user that you will use to create database.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.
9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
CERN IT Department CH-1211 Geneva 23 Switzerland t The Experiment Dashboard ISGC th April 2008 Pablo Saiz, Julia Andreeva, Benjamin.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
Profiles, Password Policies, Privileges, and Roles
To Presentation on SECURITY By Office of the A.G. (A&E) Punjab, Chandigarh.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
7 Copyright © 2004, Oracle. All rights reserved. Administering Users.
CERN IT Department CH-1211 Genève 23 Switzerland t LCG Gridview / LCG SAM use cases Miguel Anjo 8 th July 2008 Database Developers’ Workshop.
Controlling User Access. Objectives After completing this lesson, you should be able to do the following: Create users Create roles to ease setup and.
CERN - IT Department CH-1211 Genève 23 Switzerland t Oracle Metalink for Tier 1 Miguel Anjo Database mini workshop 26.January.2007.
CERN - IT Department CH-1211 Genève 23 Switzerland t DB Development Tools Benthic SQL Developer Application Express WLCG Service Reliability.
Managing users and security Akhtar Ali. Aims Understand and manage profiles Understand and manage users Understand and manage privileges Understand and.
Roles & privileges privilege A user privilege is a right to execute a particular type of SQL statement, or a right to access another user's object. The.
Dale Roberts 1 Department of Computer and Information Science, School of Science, IUPUI Dale Roberts, Lecturer Computer Science, IUPUI
Controlling User Access Fresher Learning Program January, 2012.
© 2009 Punjab University College of Information Technology (PUCIT) September 8, 2009 Slide 1 (SQL) Controlling User Access Asif Sohail University of the.
CERN - IT Department CH-1211 Genève 23 Switzerland t Oracle Real Application Clusters (RAC) Techniques for implementing & running robust.
Controlling User Access. 2 home back first prev next last What Will I Learn? Compare the difference between object privileges and system privileges Construct.
CERN IT Department CH-1211 Genève 23 Switzerland t Security Overview Luca Canali, CERN Distributed Database Operations Workshop April
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
Copyright © 2004, Oracle. All rights reserved. CONTROLLING USER ACCESS Oracle Lecture 8.
Module 6: Data Protection. Overview What does Data Protection include? Protecting data from unauthorized users and authorized users who are trying to.
Increasing security by disabling DML statements to a dba user in Oracle database Hakik PACI Polytechnic University of Tirana.
CERN IT Department CH-1211 Genève 23 Switzerland t DM Database Monitoring Tools Database Developers' Workshop CERN, July 8 th, 2008 Dawid.
CERN IT Department CH-1211 Genève 23 Switzerland t DBA Experience in a multiple RAC environment DM Technical Meeting, Feb 2008 Miguel Anjo.
Authorization in Oracle Part 1 Ji-WonMahesh. Sources Starting source: Starting source: Oracle Database – Security Guide Oracle Database – Security Guide.
CERN IT Department CH-1211 Genève 23 Switzerland t Streams Service Review and Outlook Distributed Database Workshop PIC, 20th April 2009.
Transactions, Roles & Privileges Oracle and ANSI Standard SQL Lecture 11.
IST 318 Database Administration Lecture 9 Database Security.
CERN IT Department CH-1211 Genève 23 Switzerland t Streams Service Review Distributed Database Workshop CERN, 27 th November 2009 Eva Dafonte.
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
Oracle 11g: SQL Chapter 7 User Creation and Management.
13 Copyright © Oracle Corporation, All rights reserved. Controlling User Access.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
Intro To Oracle :part 1 1.Save your Memory Usage & Performance. 2.Oracle Login ways. 3.Adding Database to DB Trees. 4.How to Create your own user(schema).
1 Copyright © 2009, Oracle. All rights reserved. Controlling User Access.
SQL Server Security Basics Starting with a good foundation Kenneth Fisher
6 Copyright © 2007, Oracle. All rights reserved. Managing Security and Metadata.
Database Systems Slide 1 Database Systems Lecture 4 Database Security - Concept Manual : Chapter 20 - Database Security Manual : Chapters 5,10 - SQL Reference.
1 Chapters 19 and 20  Ch. 19: By What Authority? Users Roles Grant and revoke Synonyms  Ch. 20: Changing the Oracle Surroundings Indexes Clusters Sequences.
19 Copyright © 2008, Oracle. All rights reserved. Security.
6 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
Controlling User Access
Recommended Practices & Fundamentals
Oracle structures on database applications development
Controlling User Access
Controlling User Access
Managing Privileges.
Database Security.
Naming convention for Database Services at CERN
SQL Server Security For Everyone
Database Security.
OER- UNIT 3 Authorization
SQL Server Security from the ground up
Create New User in Database. First Connect the System.
SQL Server Security from the ground up
Presentation transcript:

CERN IT Department CH-1211 Genève 23 Switzerland t Application security (behind Oracle roles and profiles) Miguel Anjo 8 th July 2008 Database Developers’ Workshop

CERN IT Department CH-1211 Genève 23 Switzerland t DB Application security - 2 Abloy key

CERN IT Department CH-1211 Genève 23 Switzerland t Floor plan DB Application security - 3

CERN IT Department CH-1211 Genève 23 Switzerland t Floor plan - 2 DB Application security - 4

CERN IT Department CH-1211 Genève 23 Switzerland t 3-Tier Application DB Application security - 5

CERN IT Department CH-1211 Genève 23 Switzerland t Abloy + floor plan + 3-tier app DB Application security - 6

CERN IT Department CH-1211 Genève 23 Switzerland t FTS abloy key FTS application access DB Application security - 7

CERN IT Department CH-1211 Genève 23 Switzerland t Dashboard abloy key 1 Dashboard Writer application access DB Application security - 8

CERN IT Department CH-1211 Genève 23 Switzerland t Dashboard abloy key 2 Dashboard Reader application access DB Application security - 9

CERN IT Department CH-1211 Genève 23 Switzerland t Developer abloy master key Developer DB Application security - 10

CERN IT Department CH-1211 Genève 23 Switzerland t Application deployment “I would like to put FTS Dashboard in production” “Here are 3 abloy keys, one master and two configurable” CREATE TABLE JOB; CREATE TABLE SUMMARY; “Lets configure the other keys” GRANT SELECT ON JOB TO DASHBOARD_W; GRANT INSERT ON SUMMARY TO DASHBOARD_W; GRANT SELECT ON SUMMARY TO DASHBOARD_R; DB Application security - 11

CERN IT Department CH-1211 Genève 23 Switzerland t Application deployment Necessary to tell who is room owner: SELECT FROM JOB; – ORA-00942: table or view does not exist SELECT FROM DASHBOARD.JOB; Possibility to create a mapping: CREATE SYNONYM JOB FOR DASHBOARD.JOB; SELECT FROM JOB; (  SELECT FROM DASHBOARD.JOB) Oracle bugs, might go to different house with same room name… DB Application security - 12

CERN IT Department CH-1211 Genève 23 Switzerland t Application deployment - summary Each application should use different key configuration Each key should have only minimum privileges Necessary to tell owner name ( dashboard.job ) Endings _R/_W are just proposals DB Application security - 13

CERN IT Department CH-1211 Genève 23 Switzerland t Updatable View DB Application security - 14

CERN IT Department CH-1211 Genève 23 Switzerland t Updatable View DB Application security - 15

CERN IT Department CH-1211 Genève 23 Switzerland t Updatable View - example Window is filtered representation of a room Different VOs  different access rights Tables structure all the same Build the window with right filters: CREATE VIEW LHCB_ACL as SELECT … FROM ACL WHERE VO=‘LHCB’ WITH CHECK OPTION; Add privilege to application key (application is LFC for LHCB – username VOMS_LHCB): GRANT SELECT, INSERT on LHCB_ACL to LFC_LHCB; DB Application security - 16

CERN IT Department CH-1211 Genève 23 Switzerland t Updatable View - example INSERT INTO LHCB_ACL(access,vo) VALUES (‘w’,‘CMS’); ORA-01402: view WITH CHECK OPTION where-clause violation INSERT INTO ACL(access,vo) VALUES (‘w’,‘CMS’); COMMIT; SELECT * FROM LHCB_ACL; no rows selected SELECT * FROM LHCB_ACL; ORA-00942: table or view does not exist DB Application security - 17

CERN IT Department CH-1211 Genève 23 Switzerland t Stored Procedures DB Application security - 18

CERN IT Department CH-1211 Genève 23 Switzerland t Stored Procedures Robot does only programmed operation Can perform complex operations Privileges set who can call him Based on PL/SQL procedural language create procedure summarize is begin -- select some jobs -- if something do something else -- insert average on summarize just if something; end; grant execute on summarize to dashboard_w; exec dashboard.summarize; DB Application security - 19

CERN IT Department CH-1211 Genève 23 Switzerland t Role based access DB Application security - 20

CERN IT Department CH-1211 Genève 23 Switzerland t Role based access Hidden doors with ‘open sesame’ Special privileges password protected Allows to group privileges create role writer_role identified by x13y; grant insert on summary to writer_role; grant writer_role to dashboard_w; insert into summary values (…); ORA-00942: table or view does not exist set role writer_role identified by x13y; insert into summary values (…); 1 row created. DB Application security - 21

CERN IT Department CH-1211 Genève 23 Switzerland t Owner vs Application accounts The abloy keys are, in reality, Oracle accounts with different roles and profiles. –Owner – to be used by the developer Master key Can create objects (tables, views, sequences) and PL/SQL (functions, procedures, packages) Responsible to configure application accounts Maximum 10 simultaneous connections Password expires after 1 year –Application accounts No initial privileges (_W/_R are suggestions) Max 400 sessions per DB instance (variable) No password expiration (but recommended to change) Can create synonyms (not recommended) – DB Application security - 22

CERN IT Department CH-1211 Genève 23 Switzerland t Profile - Password DB Application security - 23 Prevention of brute force attacks –1 minute locking after 5 failed attempts Expiration after 1 year  No warning Cannot reuse password Follows CERN security recommendations

CERN IT Department CH-1211 Genève 23 Switzerland t Summary Separate applications = separate privileges Give only minimum set of privileges Enhanced security with: –updatable views with check option –PL/SQL procedures –Password protected roles Avoid use of synonyms  use FQN Use different credentials in test/development Request necessary application accounts to your DBA Check if you gave too many privileges –Use USER_TAB_PRIVS view DB Application security - 24

DB Application security - 25

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.