Database Vault
David Bergmeier
Agenda
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
About me
Overview
Why Oracle Database Vault?
Don't trust the DBA
Regulatory Compliance
Separation of duties
connect / as sysdba
create user david ...
grant dba to david;
select * from scott.emp;
Installation
Prerequisites
Oracle 10.2.0.3
Installation
User to receive DV_OWNER role
Passwords must have alpha, numeric & special characters
User to receive DV_ACCTMGR role
Limitations
connect / as SYSOPER
Securing Data
$ lsnrctl start
$ emctl start dbconsole
$ sqlplus system/manager
SQL> select * from scott.emp;
...
14 rows selected.
SQL>
What is a Realm?
A realm is a functional grouping of schemas and roles that are secured.
One realm has many secured objects and many authorizations.
Application user: the application server connects to the database as a single user, which accesses SCOTT.EMP.
Support users: support staff connect with individual accounts that have read-only access to SCOTT.EMP.
scott_ro_role: SCOTT grants select on EMP to scott_ro_role, and the support account scott_ro is granted the role.
Create User
SQL> connect system/manager
SQL> create user scott_app_user
identified by tiger
*
ERROR at line 2:
ORA-01031: Insufficient Privileges
Create User
SQL> connect dbu/manager
SQL> create user scott_app_user
Create User
SQL> connect dbu/manager
SQL> create user scott_ro
Create Role
SQL> connect system/manager
SQL> create role scott_ro_role;
Role created.
Grants
SQL> connect scott/tiger
SQL> grant select,insert,update,
delete on emp to scott_app_user;
Grant succeeded.
Testing scott_ro
SQL> connect scott_ro/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing scott_app_user
SQL> connect scott_app_user/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
14 rows deleted.
SQL> rollback;
Testing system
SQL> connect system/manager
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
ROLE
------------------------------
DV_PUBLIC
DBA
...
SCOTT_RO_ROLE
14 rows selected.
SQL>
DV_ACCTMGR has
create/drop user
alter user account lock/unlock
DV_ACCTMGR needs
create role
alter any role
Allow SYSDBA
$ cd $ORACLE_HOME/dbs
$ orapwd file=orapwmozart password=mozart entries=20 force=y nosysdba=n
$ sqlplus sys/mozart as sysdba
SQL> startup
Grants to DV_ACCTMGR
SQL> connect sys/mozart as sysdba
SQL> grant create role to DV_ACCTMGR;
SQL> grant alter any role to DV_ACCTMGR;
SQL> grant drop any role to DV_ACCTMGR;
SELECT_CATALOG_ROLE
Fixing DV_ACCTMGR
Securing SCOTT_RO_ROLE
Granting SCOTT_RO_ROLE
SQL> connect dbu/manager
SQL> grant scott_ro_role to scott_ro;
grant scott_ro_role to scott_ro
*
ERROR at line 1:
ORA-47401: Realm violation for grant role privilege on SCOTT_RO_ROLE
Granting SCOTT_RO_ROLE
So who can/should do the grant of SCOTT_RO_ROLE?
Answer: SCOTT
Granting SCOTT_RO_ROLE
SQL> connect scott/tiger
SQL> grant scott_ro_role to scott_ro;
Grant succeeded.
SQL>
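The realm the diagrams describe, and the protection of SCOTT_RO_ROLE that produces the ORA-47401 above, written out as DBMS_MACADM calls. This is an added example, not from the slides; it assumes the realm name 'SCOTT Application Realm', that it is run as the Database Vault owner account (dbv in this deck), and that '%' is the owner value used for a role object. SCOTT, as realm owner, still needs the GRANT ANY ROLE privilege from the separation-of-duties slide to perform the grant.

```sql
-- Added example (not from the deck). Run as the Database Vault owner
-- account (dbv). Realm name and the '%' role owner are assumptions.
BEGIN
  -- 1. The realm itself: enabled, auditing failed access attempts.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT Application Realm',
    description   => 'Protects SCOTT.EMP and the support read-only role',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Secured objects: the EMP table. Direct object grants (the
  --    scott_app_user and scott_ro_role grants) keep working; the realm
  --    blocks access through system privileges such as DBA's.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT Application Realm',
    object_owner => 'SCOTT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  --    ... and the read-only role, so that GRANT SCOTT_RO_ROLE becomes a
  --    realm-protected operation. This is what raises ORA-47401 for the
  --    DV_ACCTMGR account (dbu). '%' as the role owner is an assumption;
  --    confirm the entry in DVSYS.DBA_DV_REALM_OBJECT after adding it.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT Application Realm',
    object_owner => '%',
    object_name  => 'SCOTT_RO_ROLE',
    object_type  => 'ROLE');

  -- 3. Authorization: SCOTT is the realm owner, so SCOTT (and nobody
  --    else, not even SYSDBA) may grant the protected role. No rule set.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT Application Realm',
    grantee       => 'SCOTT',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify what the realm protects and who is authorized.
SELECT * FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'SCOTT Application Realm';
SELECT * FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'SCOTT Application Realm';
```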
Granting SCOTT_RO_ROLE
SQL> connect scott/tiger
SQL> grant DBA to scott;
grant DBA to scott
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-47401: Realm violation for grant role privilege on UNLIMITED TABLESPACE.
Granting SCOTT_RO_ROLE
WHY?
is protected by the Oracle Data Dictionary Realm.
Testing SYSDBA
SQL> connect sys/mozart as sysdba
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing DV_ACCTMGR
SQL> connect dbu/manager
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing DV_ADMIN
SQL> connect dbv/manager
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
Separation of Duties
SYS as SYSDBA:
Grant role privileges to DV_ACCTMGR (one time)
Grant "grant any role" to SCOTT (once per application)
Backups
Backups
Impact of Backups
Export: lots of ORA-01031
Data Pump: not tested
RMAN: requires SYSDBA access
A trigger problem
Trigger Problem
Workaround available:
Login as the dv_owner account and run: alter trigger dvsys.DV_BEFORE_DDL_TRG disable
Login as SCOTT and create the trigger
Login as the dv_owner account and run: alter trigger dvsys.DV_BEFORE_DDL_TRG enable
Conclusion
You probably don't need Database Vault
The End
Thank you for your attendance
dbergmeier@mga-it.com
http://www.mga.com.au