Presentation is loading. Please wait.

Presentation is loading. Please wait.

CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Application security (behind Oracle roles and profiles) Miguel Anjo 8 th July 2008 Database.

Published byMadeleine Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Application security (behind Oracle roles and profiles) Miguel Anjo 8 th July 2008 Database."— Presentation transcript:

1 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Application security (behind Oracle roles and profiles) Miguel Anjo 8 th July 2008 Database Developers’ Workshop

2 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t DB Application security - 2 Abloy key

3 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Floor plan DB Application security - 3

4 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Floor plan - 2 DB Application security - 4

5 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t 3-Tier Application DB Application security - 5

6 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Abloy + floor plan + 3-tier app DB Application security - 6

7 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t FTS abloy key FTS application access DB Application security - 7

8 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Dashboard abloy key 1 Dashboard Writer application access DB Application security - 8

9 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Dashboard abloy key 2 Dashboard Reader application access DB Application security - 9

10 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Developer abloy master key Developer DB Application security - 10

11 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Application deployment “I would like to put FTS Dashboard in production” “Here are 3 abloy keys, one master and two configurable” CREATE TABLE JOB; CREATE TABLE SUMMARY; “Lets configure the other keys” GRANT SELECT ON JOB TO DASHBOARD_W; GRANT INSERT ON SUMMARY TO DASHBOARD_W; GRANT SELECT ON SUMMARY TO DASHBOARD_R; DB Application security - 11

12 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Application deployment Necessary to tell who is room owner: SELECT FROM JOB; – ORA-00942: table or view does not exist SELECT FROM DASHBOARD.JOB; Possibility to create a mapping: CREATE SYNONYM JOB FOR DASHBOARD.JOB; SELECT FROM JOB; (  SELECT FROM DASHBOARD.JOB) Oracle bugs, might go to different house with same room name… DB Application security - 12

13 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Application deployment - summary Each application should use different key configuration Each key should have only minimum privileges Necessary to tell owner name ( dashboard.job ) Endings _R/_W are just proposals DB Application security - 13

14 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Updatable View DB Application security - 14

15 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Updatable View DB Application security - 15

16 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Updatable View - example Window is filtered representation of a room Different VOs  different access rights Tables structure all the same Build the window with right filters: CREATE VIEW LHCB_ACL as SELECT … FROM ACL WHERE VO=‘LHCB’ WITH CHECK OPTION; Add privilege to application key (application is LFC for LHCB – username VOMS_LHCB): GRANT SELECT, INSERT on LHCB_ACL to LFC_LHCB; DB Application security - 16

17 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Updatable View - example INSERT INTO LHCB_ACL(access,vo) VALUES (‘w’,‘CMS’); ORA-01402: view WITH CHECK OPTION where-clause violation INSERT INTO ACL(access,vo) VALUES (‘w’,‘CMS’); COMMIT; SELECT * FROM LHCB_ACL; no rows selected SELECT * FROM LHCB_ACL; ORA-00942: table or view does not exist DB Application security - 17

18 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Stored Procedures DB Application security - 18

19 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Stored Procedures Robot does only programmed operation Can perform complex operations Privileges set who can call him Based on PL/SQL procedural language create procedure summarize is begin -- select some jobs -- if something do something else -- insert average on summarize just if something; end; grant execute on summarize to dashboard_w; exec dashboard.summarize; DB Application security - 19

20 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Role based access DB Application security - 20

21 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Role based access Hidden doors with ‘open sesame’ Special privileges password protected Allows to group privileges create role writer_role identified by x13y; grant insert on summary to writer_role; grant writer_role to dashboard_w; insert into summary values (…); ORA-00942: table or view does not exist set role writer_role identified by x13y; insert into summary values (…); 1 row created. DB Application security - 21

22 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Owner vs Application accounts The abloy keys are, in reality, Oracle accounts with different roles and profiles. –Owner – to be used by the developer Master key Can create objects (tables, views, sequences) and PL/SQL (functions, procedures, packages) Responsible to configure application accounts Maximum 10 simultaneous connections Password expires after 1 year –Application accounts No initial privileges (_W/_R are suggestions) Max 400 sessions per DB instance (variable) No password expiration (but recommended to change) Can create synonyms (not recommended) –https://twiki.cern.ch/twiki/bin/view/PSSGroup/UserAccounts DB Application security - 22

23 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Profile - Password DB Application security - 23 Prevention of brute force attacks –1 minute locking after 5 failed attempts Expiration after 1 year  No email warning Cannot reuse password Follows CERN security recommendations

24 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Summary Separate applications = separate privileges Give only minimum set of privileges Enhanced security with: –updatable views with check option –PL/SQL procedures –Password protected roles Avoid use of synonyms  use FQN Use different credentials in test/development Request necessary application accounts to your DBA Check if you gave too many privileges –Use USER_TAB_PRIVS view DB Application security - 24

25 DB Application security - 25

Download ppt "CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Application security (behind Oracle roles and profiles) Miguel Anjo 8 th July 2008 Database."

Similar presentations

Auditing Oracle Lisa Outlaw CISA, CISSP, ITIL Foundation

Auditing Oracle Lisa Outlaw CISA, CISSP, ITIL Foundation
Manipulating Data Schedule: Timing Topic 60 minutes Lecture

Manipulating Data Schedule: Timing Topic 60 minutes Lecture
Understand Database Security Concepts

Understand Database Security Concepts
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.

Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.

Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.
About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.

About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Streams new features in 11g Zbigniew Baranowski.

CERN IT Department CH-1211 Genève 23 Switzerland t Streams new features in 11g Zbigniew Baranowski.
Getting Started with Oracle11g Abeer bin humaid. Create database user You should create at least one database user that you will use to create database.

Getting Started with Oracle11g Abeer bin humaid. Create database user You should create at least one database user that you will use to create database.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.

By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.

CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.
9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.

9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t The Experiment Dashboard ISGC 2008 9-11 th April 2008 Pablo Saiz, Julia Andreeva, Benjamin.

CERN IT Department CH-1211 Geneva 23 Switzerland t The Experiment Dashboard ISGC th April 2008 Pablo Saiz, Julia Andreeva, Benjamin.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.

Security David Frommer Principal Architect Business Intelligence Microsoft Partner of the Year 2005 & 2007.
Profiles, Password Policies, Privileges, and Roles

Profiles, Password Policies, Privileges, and Roles
To Presentation on SECURITY By Office of the A.G. (A&E) Punjab, Chandigarh.

To Presentation on SECURITY By Office of the A.G. (A&E) Punjab, Chandigarh.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

Similar presentations

Ads by Google