Protect Sensitive Data: Implementing Fine-Grained Access Control
Nelson Calero
Pythian
About me
• Database Consultant at Pythian
• Working with Oracle tools and Linux environments since 1996
• DBA Oracle (2001) & MySQL (2005)
• Co-founder and President of the Oracle User Group of Uruguay (2009)
• LAOUC Director of events (2013)
• Computer Engineer
• Oracle ACE (2014)
• Oracle Certified Professional DBA 10g/11g (2008)
• Amazon Solutions Architect – Associate since 2016
• Oracle University Instructor (2011)
• Blogger and speaker: Oracle Open World, Collaborate, OTN Tour, Regional conferences
© 2014 Pythian Confidential
http://www.linkedin.com/in/ncalero @ncalerouy
Pythian overview
• 19 years of data infrastructure management consulting
• 250+ top brands
• 11700+ systems under management
• Over 400 DBAs in 35 countries
• Top 5% of DBA work force: 10 Oracle ACEs, 4 ACED, 3 OakTable members, 2 OCM, 6 Microsoft MVPs, 1 Cloudera Champion of Big Data, AWS Certified Solutions Architect – 2 Professional, 12 Associate
• Oracle, Microsoft, MySQL, Hadoop, Cassandra, MongoDB, and more
• Infrastructure, Cloud, DevOps, and application expertise
Today's topics
• What is Fine Grain Access control?
• Functionalities available with Oracle
• Implementing row level security
– With standard edition
– Using OLS
– Using VPD
– Using RAS
• Complex scenarios
Fine Grain Access control?
What
– Ability to restrict access to objects at a finer granularity
• row level instead of table level
• specific network services instead of all network access
Why
– Access to data must comply with security regulations
– Industry regulations: health care (HIPAA), Defense (security clearances), personal information protection (several).
• database side implementation => no code needed on the application side
– Several functionalities available (next slide)
• We will discuss implementation and management from the database point of view
Oracle functionalities for FG control
• auditing
• DBMS_FGA package (only in EE)
• external network services and wallets
• DBMS_NETWORK_ACL_ADMIN package
• data – several ways:
• Application context – available in SE
• Virtual Private Database (VPD) – 8i
– Only with EE, no extra cost
• Oracle Label Security (OLS) – 8i
– Only with EE, extra cost option
• Oracle Real Application Security (RAS) – new in 12c
– Next generation VPD, only with EE, no extra cost
Simple example
[Diagram: users SMAVRIS and JDANIEL (Manager 103) issue Select * From HR.EMPLOYEES; the policy rules are applied to the query]
Simple example
What do I need to implement it?
– It depends on your requirements
Functionalities available out of the box for free?
– Limited and they need maintenance; we will explore them next
Many functionalities come with EE at no extra cost
– Only OLS has an extra cost
Simple example - demo
Implementing a simple VPD on SE
– Schema owner of the data not allowed to connect from the app
– Views for each table including a where condition
– Nominated users granted access to the views only
– Usage of application context
script: fga-se.sql
Application contexts
• session variables to store information
• useful to implement FGAC with Standard Edition
• session (local) or global (shared)
– select sys_context(namespace, attribute) from dual;
– dbms_session.set_context(namespace, attribute, value, username, client_id)
• built-in application context namespace: USERENV
– select sys_context('USERENV', 'SESSION_USER') from dual;
• Dictionary views
– V$CONTEXT / V$GLOBALCONTEXT
• Memory footprint
– select * from v$sgastat where name like 'Global Context%';
https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG173
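The Standard Edition approach from the demo slide (locked schema owner, views with a where condition, application context), as an added example that is not the deck's fga-se.sql. Assumed names: HR_DATA owns an EMPLOYEES table laid out like the HR sample schema, HR_APP owns the views and the context package, SMAVRIS and JDANIEL are the application users; run as a DBA (needs CREATE ANY CONTEXT and ADMINISTER DATABASE TRIGGER).

```sql
-- 1. The schema owner keeps its objects but nobody can log in as it from the application.
ALTER USER hr_data ACCOUNT LOCK;
-- HR_APP needs the base privileges WITH GRANT OPTION to expose its views to other users.
GRANT SELECT, UPDATE ON hr_data.employees TO hr_app WITH GRANT OPTION;

-- 2. The context can only be written through the package named in USING: a session
--    cannot forge HR_CTX attributes with a direct DBMS_SESSION.SET_CONTEXT call.
CREATE CONTEXT hr_ctx USING hr_app.pkg_sec_ctx;

CREATE OR REPLACE PACKAGE hr_app.pkg_sec_ctx AS
  -- Derives the attributes from the authenticated identity, never from a parameter.
  PROCEDURE set_ctx;
END pkg_sec_ctx;
/
CREATE OR REPLACE PACKAGE BODY hr_app.pkg_sec_ctx AS
  PROCEDURE set_ctx IS
    -- Pooled connections identify the end user with CLIENT_IDENTIFIER
    -- (dbms_session.set_identifier / setClientIdentifier), dedicated ones with SESSION_USER.
    v_user VARCHAR2(128) := NVL(SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
                                SYS_CONTEXT('USERENV', 'SESSION_USER'));
    v_emp  hr_data.employees.employee_id%TYPE;
  BEGIN
    SELECT employee_id INTO v_emp
      FROM hr_data.employees
     WHERE email = UPPER(v_user);          -- HR sample schema: email equals the short user name
    DBMS_SESSION.SET_CONTEXT('HR_CTX', 'EMPLOYEE_ID', TO_CHAR(v_emp));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown identity: fail closed, the view predicate below matches no row.
      DBMS_SESSION.SET_CONTEXT('HR_CTX', 'EMPLOYEE_ID', '-1');
  END set_ctx;
END pkg_sec_ctx;
/
-- 3. Populate the context at logon. Keep this body minimal: an invalid logon trigger
--    blocks every non-SYSDBA login. Pooled sessions call set_ctx again after
--    set_identifier, so the application users need EXECUTE on the package.
CREATE OR REPLACE TRIGGER hr_app.trg_set_ctx AFTER LOGON ON DATABASE
BEGIN
  hr_app.pkg_sec_ctx.set_ctx;
END;
/
GRANT EXECUTE ON hr_app.pkg_sec_ctx TO smavris, jdaniel;

-- 4. The "policy" is the view predicate: own row plus direct reports.
--    WITH CHECK OPTION refuses DML through the view that would produce a row the
--    user could not see afterwards (the poor man's update_check).
CREATE OR REPLACE VIEW hr_app.employees_v AS
  SELECT employee_id, first_name, last_name, email, salary, manager_id, department_id
    FROM hr_data.employees
   WHERE employee_id = TO_NUMBER(SYS_CONTEXT('HR_CTX', 'EMPLOYEE_ID'))
      OR manager_id  = TO_NUMBER(SYS_CONTEXT('HR_CTX', 'EMPLOYEE_ID'))
  WITH CHECK OPTION CONSTRAINT employees_v_chk;

-- 5. Nominated users get the view only; nobody is granted the base table.
GRANT SELECT, UPDATE ON hr_app.employees_v TO smavris, jdaniel;

-- 6. Checks from an application session: which identity the context resolved to,
--    and how many rows the predicate leaves visible.
SELECT SYS_CONTEXT('HR_CTX', 'EMPLOYEE_ID') AS employee_id FROM dual;
SELECT COUNT(*) FROM hr_app.employees_v;
-- manager_id is now a filter column in every query through the view: check it is indexed.
```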
Poor man's VPD: problems
• Users with different privileges over the same data?
– More views per privilege set / coding the logic into a function / intermediate table / ...
– It is up to your coding abilities
• Different policies for insert/update/delete?
– More views per policy / coding the logic into functions / ...
• Will modified data still match the condition?
– Triggers to validate after data modifications / manual controls
Other implications
• Changes in query performance?
– Review indexes to cover all new conditions
• Connection pools at the middle tier
– Proxy user and client_identifier usage
ALTER USER john GRANT CONNECT THROUGH appsrv;
oracle.jdbc.OracleConnection.setClientIdentifier()   <- from JDBC
exec dbms_session.set_identifier('ABCD')             <- same from PL/SQL
General implementation principles
Before coding, design your policies:
– Identify the tables that require security
– Evaluate their data and define the level of security and the groups
– Categorize users (privileged / typical / etc.)
As part of the coding:
– Lock down access to the configuration – least privilege principle
– Audit operations
Virtual Private Database (VPD)
"interface to associate PL/SQL packages with application tables to compute and append a predicate (where clause) that is automatically appended to incoming SQL statements, restricting access to rows and columns within the table"
http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html
• Package DBMS_RLS to manage policies
• View DBA_POLICIES to list existing policies
• View V$VPD_POLICY to see the predicates generated for each SQL_ID
• Different policies can be used for SELECT/INSERT/UPDATE/DELETE
• Multiple policies allowed per table
Virtual Private Database (VPD) - example
script: fga-vpd.sql
Summary:
• Policy function using static and dynamic predicates
• Errors when querying the base table in some cases
• Adding extra code to allow privileged user access
• Testing SELECT/UPDATE
Policies evaluation
• Defined by the policy type:
– Dynamic – evaluated every time the policy is used
– Static – executed only once and cached
– Context_sensitive – re-evaluated only if the context changes (useful with connection pooling)
– Shared_static – cache shared over multiple objects
– Shared_context_sensitive – combines the previous two
• policy exemptions:
– direct path export
– cannot be applied to objects in schema SYS
– EXEMPT ACCESS POLICY privilege
• MERGE INTO statements supported on tables using VPD since 11gR2
• ORA_ROWSCN usage has problems
Policy function
• No validation of the code we create – it fails at runtime if wrong
• The code can use whatever we want to produce the predicate string
– Performance overhead when evaluating, depending on the policy type
– Execution plans may change because of the new condition in use
• The string returned may differ between tables (FK relationships, etc.)
• It can be applied to specific columns instead of the entire table
– Column masking vs row masking
• Access to the policy function definition should be protected
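A row-level VPD on HR.EMPLOYEES covering the points of the example slide and the policy function slide (static and dynamic parts of the predicate, privileged user exemption, separate SELECT and DML policies, predicate verification), as an added example that is not the deck's fga-vpd.sql. Assumes the HR sample schema, an APP_ADMIN account that must see every row, and an application context HR_CTX whose EMPLOYEE_ID attribute is already populated per session (as in the Standard Edition example); run as a DBA with EXECUTE on DBMS_RLS.

```sql
-- 1. Policy function. Its body is not validated when the policy is added: a mistake in
--    the returned string only shows up as an ORA-28113 when a user touches the table.
CREATE OR REPLACE FUNCTION hr.f_emp_rows (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2
AS
  v_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
BEGIN
  -- Static part: privileged accounts and the owner are exempted inside the policy, so
  -- the exemption is visible next to the policy instead of hidden behind the
  -- EXEMPT ACCESS POLICY system privilege.
  IF v_user IN ('APP_ADMIN', UPPER(p_schema)) THEN
    RETURN NULL;                       -- NULL (or '1=1') means no restriction
  END IF;
  -- Dynamic part: the predicate references the context, so its value is resolved per
  -- session while the returned string itself stays constant and cacheable.
  RETURN 'employee_id = TO_NUMBER(SYS_CONTEXT(''HR_CTX'', ''EMPLOYEE_ID''))'
      || ' OR manager_id = TO_NUMBER(SYS_CONTEXT(''HR_CTX'', ''EMPLOYEE_ID''))';
END f_emp_rows;
/
-- 2. Read policy: re-evaluated only when the HR_CTX attribute changes. The
--    namespace/attribute pair is the 12c refinement; in 11g omit them and the function
--    runs again on any context change.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_READ',
    function_schema => 'HR',
    policy_function => 'F_EMP_ROWS',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE,
    namespace       => 'HR_CTX',
    attribute       => 'EMPLOYEE_ID');
END;
/
-- 3. Write policy with update_check: an INSERT/UPDATE that would leave the row outside
--    the predicate fails with ORA-28115 instead of silently moving data out of the
--    user's reach.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_WRITE',
    function_schema => 'HR',
    policy_function => 'F_EMP_ROWS',
    statement_types => 'INSERT,UPDATE,DELETE',
    update_check    => TRUE,
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE,
    namespace       => 'HR_CTX',
    attribute       => 'EMPLOYEE_ID');
END;
/
-- 4. Verify: both policies are registered with the expected statement types ...
SELECT policy_name, pf_owner, function, sel, ins, upd, del, chk_option, enable
  FROM dba_policies
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';

-- ... and, after a user has queried the table, the predicate actually attached to
-- the parsed statement (empty predicate for the exempted accounts).
SELECT sql_id, policy, predicate
  FROM v$vpd_policy
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';
```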
VPD - Column masking
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema=>'HR',
                      object_name=>'EMPLOYEES',
                      policy_name=>'SEC_SALARY',
                      function_schema=>'HR',
                      policy_function=>'f_protect_salary',
                      sec_relevant_cols=>'SALARY',
                      sec_relevant_cols_opt=>dbms_rls.ALL_ROWS);
END;
/
create or replace function f_protect_salary (p_owner in varchar2, p_name in varchar2)
return varchar2 as
begin
  if sys_context('userenv', 'session_user') = 'MANAGER'
  then return '1=1';               /* value is displayed */
  else return 'salary <= 10000';   /* displayed only if the row matches the condition */
  end if;
end;
/
policy_function is treated as a Boolean expression to decide if column values are shown
VPD – update check
New in 11.2:
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema=>user,
                      object_name=>'EMPLOYEES',
                      policy_name=>'SEC_SALARY',
                      function_schema=>'LBACSYS',
                      policy_function=>'f_protect_salary',
                      update_check=>true);
END;
/
SQL> Update hr.employees set salary=salary*2;
ERROR at line 1:
ORA-28115: policy with check option violation
policy_function is also enforced after updates
Policies troubleshooting
• What condition (policy) is being applied to my query?
– v$vpd_policy
• On errors, a trace file is generated in user_dump_dest
• Debugging
– Trace events 10730 / 10060
Oracle Label Security (OLS)
• Based on tags (labels) for data
• Hierarchical classification: levels / compartments / groups
• Access to data granted based on policies without manual coding
– Using predefined PL/SQL packages, not user created as in VPD
– A policy can be applied to a table or a schema
• When labels are used, a (hidden) column is created when the policy is applied to a table
• Administration:
– User LBACSYS to manage policies
– SA_USER_ADMIN package to manage user labels and user privileges
– SA_SESSION package to configure labels & privileges
– several SA_* views
– DBA_OLS_STATUS view shows if OLS is enabled and configured
Oracle Label Security (OLS) – labels example (diagram)
Oracle Label Security (OLS) - example
script: fga-ols.sql
Summary:
• define label hierarchy
• define policies
• test policies from users with different privileges
• validate predicates used
Oracle Label Security (OLS)
Not enabled by default
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
VALUE
--------------------------------------------
FALSE
select * from DBA_OLS_STATUS;
NAME STATUS DESCRIPTION
-------------------- ------ -------------------------------------
OLS_CONFIGURE_STATUS FALSE Determines if OLS is configured
OLS_DIRECTORY_STATUS FALSE Determines if OID is enabled with OLS
OLS_ENABLE_STATUS FALSE Determines if OLS is enabled
Oracle Label Security (OLS) - install
On 12c:
EXEC LBACSYS.CONFIGURE_OLS;
EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
On 11g:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk lbac_on ioracle
(same as: chopt enable lbac)
shutdown/startup
sqlplus @?/rdbms/admin/catols.sql
Oracle Label Security (OLS) - labels
label_to_char(OLS_COLUMN)
– displays the string label instead of the internal code
sa_session.label('policy_name')
– current user's session label for the policy
OLS_LABEL_DOMINATES(session_tag, desired_tag)
– returns 1 when the first label dominates (is allowed to access) the second one
New in 12.1 - LBACSYS schema can be exported using full export/import
– source >= 11.2.0.3, target >= 12.1
Oracle Label Security (OLS) - DML
Labeling column implications:
• column values set using a labeling function or manually
(oracle-base example)
• affects initial configuration and inserts
create function f_label(..)
RETURN LBACSYS.LBAC_LABEL
..
RETURN TO_LBAC_DATA_LABEL('label', string);
end;
exec SA_POLICY_ADMIN.APPLY_TABLE_POLICY(...label_function => 'f_label(..)')
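The OLS example slide's steps (label hierarchy, policy, test from users with different privileges, validate the predicate) together with the label functions and manual labeling of the two slides above, as an added example that is not the deck's fga-ols.sql. Assumed names: policy EMP_POL with label column EMP_LABEL on HR.EMPLOYEES, users SMAVRIS and JDANIEL; run as LBACSYS once DBA_OLS_STATUS shows OLS configured and enabled.

```sql
-- 1. Policy with its hidden label column. HIDE keeps EMP_LABEL out of SELECT * and DESCRIBE;
--    the options become the default for every table the policy is applied to.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'EMP_POL',
    column_name     => 'EMP_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,CHECK_CONTROL,HIDE');
END;
/
-- 2. Label components: levels are ordered, compartments are an unordered set, groups form a tree.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('EMP_POL', 10, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('EMP_POL', 20, 'CONF', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('EMP_POL', 30, 'HS',   'HIGHLY SENSITIVE');
  SA_COMPONENTS.CREATE_COMPARTMENT('EMP_POL', 100, 'PAY', 'PAYROLL');
  SA_COMPONENTS.CREATE_GROUP('EMP_POL', 1000, 'LATAM', 'LATIN AMERICA');
  SA_COMPONENTS.CREATE_GROUP('EMP_POL', 1100, 'UY',    'URUGUAY', 'LATAM');  -- child of LATAM
END;
/
-- 3. Data labels rows may carry. Syntax is LEVEL:COMPARTMENTS:GROUPS; the tag is the
--    numeric value stored in the column and used for sorting.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POL', 1000, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POL', 2000, 'CONF::UY');
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POL', 3000, 'HS:PAY:LATAM');
END;
/
-- 4. Protect the table: OLS adds EMP_LABEL and enforces its predicate through VPD.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'EMP_POL',
    schema_name => 'HR',
    table_name  => 'EMPLOYEES');
END;
/
-- 5. Authorizations. SMAVRIS reads up to CONF within group UY and may only write CONF rows
--    there; JDANIEL reads payroll data across LATAM. FULL bypasses the policy entirely:
--    reserve it for the account that labels the data, and audit it.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('EMP_POL', 'SMAVRIS',
    max_read_label  => 'CONF::UY', max_write_label => 'CONF::UY',
    min_write_label => 'CONF',     def_label       => 'CONF::UY', row_label => 'CONF::UY');
  SA_USER_ADMIN.SET_USER_LABELS('EMP_POL', 'JDANIEL', max_read_label => 'HS:PAY:LATAM');
  SA_USER_ADMIN.SET_USER_PRIVS('EMP_POL', 'HR', 'FULL');
END;
/
-- 6. Label the existing rows (run as HR, which holds FULL). Unlabelled rows are invisible to
--    every session without FULL or READ, so this step decides the initial exposure.
UPDATE hr.employees SET emp_label = CHAR_TO_LABEL('EMP_POL', 'HS:PAY:LATAM') WHERE department_id = 100;
UPDATE hr.employees SET emp_label = CHAR_TO_LABEL('EMP_POL', 'CONF::UY')     WHERE department_id = 40;
UPDATE hr.employees SET emp_label = CHAR_TO_LABEL('EMP_POL', 'PUB')          WHERE emp_label IS NULL;
COMMIT;

-- 7. Checks from an application session (connected as SMAVRIS): session label, the
--    distribution of rows still visible, and whether the session dominates a given label.
SELECT SA_SESSION.LABEL('EMP_POL') AS session_label FROM dual;
SELECT LABEL_TO_CHAR(emp_label) AS row_label, COUNT(*)
  FROM hr.employees
 GROUP BY LABEL_TO_CHAR(emp_label);
-- 1 means the session label dominates the data label, i.e. the row would be readable.
SELECT OLS_LABEL_DOMINATES(CHAR_TO_LABEL('EMP_POL', SA_SESSION.LABEL('EMP_POL')),
                           CHAR_TO_LABEL('EMP_POL', 'HS:PAY:LATAM')) AS dominates_hs
  FROM dual;
-- 8. From a DBA session: the predicate OLS injected, since it enforces through VPD.
SELECT policy, predicate FROM v$vpd_policy
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';
```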
Oracle Real Application Security (RAS)
"A database authorization model:
• Supports declarative security policies
• Enables end-to-end security for multitier applications
• Provides an integrated solution to secure database and application resources
• Advances the security architecture of Oracle Database to meet existing and emerging demands of applications developed for the Internet"
https://docs.oracle.com/database/121/DBFSG/intro.htm#DBFSG10000
(Diagram) https://docs.oracle.com/database/121/DBFSG/intro.htm#BABHAIFD
Oracle Real Application Security (RAS) concepts
Application users – schema-less, used to create an application session
Application roles (static/dynamic)
Application privileges
Security class – set of privileges
Access control entry (ACE)
– grants/denies application privileges to principals
Access control list (ACL)
– named list of privilege grants bound to resources
Data realm
– business object defined by a SQL predicate, authorized by an ACL
– Regular / parameterized / inherited
Data security policy
– protects realms by associating ACLs with them
Oracle Real Application Security (RAS)
• Application sessions – not bound to database schemas
• PL/SQL and Java API
• Administration Application (RASADM) in APEX, available for download from OTN
http://www.oracle.com/technetwork/database/security/real-application-security/downloads/index.html
• HR Demo from Java
https://docs.oracle.com/database/121/DBFSG/midtierjava.htm#CBBDJDDE
Oracle Real Application Security (RAS) - example
scripts: ras-*.sql
Usage from PL/SQL
http://docs.oracle.com/database/121/DBFSG/security_hr_demo_tutorial.htm#DBFSG816
based on hrdemo*.sql scripts
Summary:
• row filtering and column masking
• realm with errors and troubleshooting
Oracle Real Application Security (RAS)
New hidden column to enforce the policy: SYS_ACLOID
begin
  xs_data_security.apply_object_policy(
    policy  => 'hr.employees_ds',
    row_acl => true,
    schema  => 'hr',
    object  => 'employees');
end;
/
select column_name from dba_tab_cols
 where table_name='EMPLOYEES' and hidden_column='YES';
Oracle Real Application Security (RAS)
Static policies (data realms):
XS$REALM_CONSTRAINT_TYPE(realm     => 'DEPARTMENT_ID=50',
                         acl_list  => XS$NAME_LIST('HRACL'),
                         is_static => TRUE);   -- default is FALSE
A materialized view is generated automatically to keep the binding between rows and ACLs.
Change the ACL refresh mode to on-commit or on-demand refresh with XS_DATA_SECURITY_UTIL.ALTER_STATIC_ACL_REFRESH
Oracle Real Application Security (RAS)
ACL evaluation order:
1) application user-managed ACLs – from grants directly on object instances
2) ACLs from static data realm constraint grants are evaluated next
3) ACLs from dynamic data realm constraint grants are evaluated last
To see the realms associated with tables:
DBA_XS_REALM_CONSTRAINTS
DBA_XS_* and DBA_XDS_* views show all data related to RAS
ras-check.sql script
Oracle Real Application Security (RAS)
Parameters in data realm rules – definition
1) rows_sec := XS$REALM_CONSTRAINT_LIST(
       XS$REALM_CONSTRAINT_TYPE(
         realm => 'COUNTRY_REGION = &' || 'REGION'));
2) sys.xs_data_security.create_policy(
     name                  => 'SH.CUSTOMER_DS',
     realm_constraint_list => rows_sec,
     description           => 'Policy to protect sh.customers table');
3) sys.xs_data_security.create_acl_parameter(
     policy     => 'SH.CUSTOMER_DS',
     parameter  => 'REGION',
     param_type => XS_ACL.TYPE_VARCHAR);
Oracle Real Application Security (RAS)
Parameters in data realm rules – usage when creating the ACL
DECLARE
  ace_list XS$ACE_LIST;
BEGIN
  ace_list := XS$ACE_LIST(
    XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
                granted        => true,
                principal_name => 'Americas_sales'),
    XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT', 'VIEW_SENSITIVE_INFO'),
                granted        => true,
                principal_name => 'Business_Analyst'));
  sys.xs_acl.create_acl(name        => 'View_Americas_sales',
                        ace_list    => ace_list,
                        sec_class   => 'SH.CUST_SEC_CLASS',
                        description => 'Authorize read access for the Americas region');
  sys.xs_acl.add_acl_parameter(acl       => 'View_Americas_sales',
                               policy    => 'SH.CUSTOMER_DS',
                               parameter => 'REGION',
                               value     => 'Americas');
END;
/
Oracle Real Application Security (RAS) - Trace
• V$VPD_POLICY works
• dump all the data realm constraint rules:
ALTER SESSION SET EVENTS 'TRACE[XSXDS] disk=high';
• dump the VPD views of the XDS-enabled table during the initial (hard) parse:
ALTER SESSION SET EVENTS 'TRACE[XSVPD] disk=high';
Oracle Real Application Security (RAS)
• Default passwords for RAS users are created with SHA2 hashes. SQL Developer uses JDBC, which does not support SHA512 hashes, so SHA1 passwords need to be specified for those cases:
exec XS_PRINCIPAL.SET_PASSWORD('john', 'john', xs_principal.XS_SALTED_SHA1);
• SA_SESSION.SET_ACCESS_PROFILE
– To implement proxy accounts with application users
– SA_SESSION.SA_USER_NAME function to see the current username
Complex scenarios?
• Combined with other functionalities
– Oracle Internet Directory
– Result cache, materialized views, non-deterministic functions, etc.
• Mixed application usage of the same data – VPD + non-VPD
– Views for applying policies, base table access for non-VPD
– Grants / synonyms to control access to the correct ones
• Multiple policies
– The combined condition must be valid
– Definition challenge when applied to multiple tables
Performance considerations
– Traditional tuning, considering the final user + policy conditions for the SQLs
• V$VPD_POLICY to start
– The optimizer does not estimate cardinality when functions are used in policy predicates
• id = SYS_CONTEXT('USERENV', 'SESSION_USER')  => it does not
• id = 10  => it does
Changes in different versions
• 9i
– Multiple policies per table. Global contexts.
• 10g
– Column based policies, column masking, policy types
• 11g
– Support for MERGE INTO statement
• 12c
– RAS
– VPD context-sensitive policies – evaluated only if the associated application context attribute changes
Auditing - OLS
12c - unified auditing
• enabling and disabling of OLS policies, etc.
SELECT * FROM AUDITABLE_SYSTEM_ACTIONS WHERE COMPONENT = 'Label Security';
• example:
CREATE AUDIT POLICY audit_ols
  ACTIONS SELECT ON OE.ORDERS
  ACTIONS COMPONENT=OLS ALL;
• Oracle Label Security session label attributes can be audited
AUDIT CONTEXT NAMESPACE ORA_SESSION_LABELS ATTRIBUTES lsec_pol1, lsec_pol2;
• Auditing Oracle Label Security Events: https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454
• SYS.UNIFIED_AUDIT_TRAIL.xs_user_name for RAS db connections, XS$NULL in sys.aud$
Pre-12c auditing (OLS):
• using the SA_AUDIT_ADMIN package
https://docs.oracle.com/database/121/OLSAG/packages.htm#GUID-C4FB5E20-D9B8-48A1-9DDB-1ACA4722846E
FGA options compared (diagram)
Conclusions
• Several alternatives available with different functionality
• Some limitations exist; testing is needed to validate that it works for your needs
• Access to the packages that modify policies should be protected and audited
• Don't underestimate the effort needed to design the policies
• Changes in different versions
• RAS is brand new but should be used for all new developments
Questions?
calero@pythian.com
@ncalerouy
http://www.linkedin.com/in/ncalero
References - documentation
– Oracle license 12c
https://docs.oracle.com/database/121/DBLIC/editions.htm#DBLIC110
– Oracle Label Security
https://docs.oracle.com/database/121/OLSAG/toc.htm
http://www.oracle.com/technetwork/database/options/label-security/label-security-wp-12c-1896140.pdf
– Oracle VPD
https://docs.oracle.com/database/121/TDPSG/GUID-92A1A94D-319C-4FB2-AEC3-B86415D72628.htm#TDPSG94442
– Oracle Real Application Security
http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html
– Auditing Oracle Label Security Events
https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454
– Application context
https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG172
Redefining tables online without surprises
Ā 
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
Oracle Exadata Maintenance tasks 101 - OTN Tour 2015
Ā 
My Experience Using Oracle SQL Plan Baselines 11g/12c
My Experience Using Oracle SQL Plan Baselines 11g/12cMy Experience Using Oracle SQL Plan Baselines 11g/12c
My Experience Using Oracle SQL Plan Baselines 11g/12c
Ā 
Oracle RAC sin sorpresas - v2014
Oracle RAC sin sorpresas - v2014Oracle RAC sin sorpresas - v2014
Oracle RAC sin sorpresas - v2014
Ā 
Alta disponibilidad con Pacemaker
Alta disponibilidad con PacemakerAlta disponibilidad con Pacemaker
Alta disponibilidad con Pacemaker
Ā 
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQLAROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
AROUG BIDAY 2013 - Automatizar procesos de ETL con PL/SQL
Ā 
MariaDB y FOSS en infraestructura de salud y estƔndares
MariaDB y FOSS en infraestructura de salud y estƔndaresMariaDB y FOSS en infraestructura de salud y estƔndares
MariaDB y FOSS en infraestructura de salud y estƔndares
Ā 
UYOUG 2012 - Oracle RAC 11gR2 - New features
UYOUG 2012 - Oracle RAC 11gR2 - New featuresUYOUG 2012 - Oracle RAC 11gR2 - New features
UYOUG 2012 - Oracle RAC 11gR2 - New features
Ā 
Collaborate 2012 - Administering MySQL for Oracle DBAs
Collaborate 2012 - Administering MySQL for Oracle DBAsCollaborate 2012 - Administering MySQL for Oracle DBAs
Collaborate 2012 - Administering MySQL for Oracle DBAs
Ā 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(ā˜Žļø+971_581248768%)**%*]'#abortion pills for sale in dubai@
Ā 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
Ā 

Recently uploaded (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Ā 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Ā 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Ā 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Ā 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Ā 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Ā 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Ā 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
Ā 
Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024
Ā 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Ā 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Ā 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
Ā 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Ā 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Ā 
šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬  The future of MySQL is Postgres   šŸ˜šŸ¬  The future of MySQL is Postgres   šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜
Ā 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Ā 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Ā 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Ā 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Ā 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Ā 

Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle

  • 1.
  • 2. Protect Sensitive Data: Implementing Fine-Grained Access Control. Nelson Calero, Pythian
  • 3.
  • 4. About me
    • Database Consultant at Pythian
    • Working with Oracle tools and Linux environments since 1996
    • DBA Oracle (2001) & MySQL (2005)
    • Co-founder and President of the Oracle User Group of Uruguay (2009)
    • LAOUC Director of events (2013)
    • Computer Engineer
    • Oracle ACE (2014)
    • Oracle Certified Professional DBA 10g/11g (2008)
    • Amazon Solutions Architect – Associate (since 2016)
    • Oracle University Instructor (2011)
    • Blogger and speaker: Oracle Open World, Collaborate, OTN Tour, regional conferences
    http://www.linkedin.com/in/ncalero @ncalerouy
    © 2014 Pythian Confidential
  • 5. Pythian overview
    • 19 years of data infrastructure management consulting
    • 250+ top brands
    • 11700+ systems under management
    • Over 400 DBAs in 35 countries
    • Top 5% of the DBA workforce: 10 Oracle ACEs, 4 ACEDs, 3 OakTable members, 2 OCMs, 6 Microsoft MVPs, 1 Cloudera Champion of Big Data, AWS Certified Solutions Architect – 2 Professional, 12 Associate
    • Oracle, Microsoft, MySQL, Hadoop, Cassandra, MongoDB, and more
    • Infrastructure, Cloud, DevOps, and application expertise
  • 6. Today’s topics
    • What is Fine Grain Access control?
    • Functionalities available with Oracle
    • Implementing row level security
      – With standard edition
      – Using OLS
      – Using VPD
      – Using RAS
    • Complex scenarios
  • 7. Fine Grain Access control?
    What
      – Ability to restrict access to objects at a small granularity
        • row level instead of table level
        • network services instead of all network access
    Why
      – Access to data must comply with security regulations
      – Industry regulations: health care (HIPAA), defense (security clearances), personal information protection (several)
      • Database-side implementation => no code on the application side
      – Several functionalities available (next slide)
      • We will discuss implementation and management from the database point of view
  • 8. Oracle functionalities for FG control
    • Auditing
      • DBMS_FGA package (only in EE)
    • External network services and wallets
      • DBMS_NETWORK_ACL_ADMIN package
    • Data – several ways:
      • Application context – available in SE
      • Virtual Private Database (VPD) – 8i
        – Only with EE, no extra cost
      • Oracle Label Security (OLS) – 8i
        – Only with EE, extra cost option
      • Oracle Real Application Security (RAS) – new in 12c
        – Next generation VPD, only with EE, no extra cost
  • 9. Simple example (diagram; labels: Policy rules, SMAVRIS user, JDANIEL Manager 103, Select * From HR.EMPLOYEES)
  • 10. Simple example
    What do I need to implement it?
      – It depends on your requirements
    Functionalities available out of the box for free?
      – Limited, and they need maintenance; we will explore them next
    Many functionalities come with EE at no extra cost
      – Only OLS has an extra cost
  • 11. Simple example - demo
    Implementing a simple VPD on SE
      – Schema owner of the data is not allowed to connect from the application
      – Views for each table including a WHERE condition
      – Nominated users granted access to the views only
      – Usage of application context
    script: fga-se.sql
  • 12. Application contexts
    • Session variables to store information
    • Useful to implement FGAC with Standard Edition
    • Session (local) or global (shared)
      – select sys_context(namespace, attribute) from dual;
      – dbms_session.set_context(namespace, attribute, value, username, client_id)
    • Built-in application context namespace: USERENV
      – select sys_context('USERENV', 'SESSION_USER') from dual;
    • Dictionary views
      – V$CONTEXT / V$GLOBALCONTEXT
    • Memory footprint
      – select * from v$sgastat where name like 'Global Context%';
    https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG173
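The Standard Edition approach of slides 11 and 12 (a secure application context plus a filtering view) as an added example; this is not the fga-se.sql script from the talk. Schema HRSEC, the mapping table HRSEC.USER_DEPARTMENTS, the context EMP_CTX and the account APP_USER are assumed names.

```sql
-- Added example (not from the slides): "poor man's VPD" on Standard Edition.
-- Hypothetical objects: schema HRSEC owning EMPLOYEES and USER_DEPARTMENTS
-- (username -> department_id), context EMP_CTX, application account APP_USER.

-- 1. Secure application context: its attributes can only be set from the
--    package named in USING, so the application cannot forge the department.
CREATE OR REPLACE CONTEXT emp_ctx USING hrsec.emp_ctx_pkg;

-- 2. Trusted package: derives the department from a table owned by HRSEC
--    instead of accepting a value passed in by the client.
CREATE OR REPLACE PACKAGE hrsec.emp_ctx_pkg AS
  PROCEDURE set_department;
END emp_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hrsec.emp_ctx_pkg AS
  PROCEDURE set_department IS
    l_dept NUMBER;
  BEGIN
    SELECT department_id
      INTO l_dept
      FROM hrsec.user_departments
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('EMP_CTX', 'DEPARTMENT_ID', TO_CHAR(l_dept));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: make sure the attribute is unset so the view fails closed
      DBMS_SESSION.CLEAR_CONTEXT('EMP_CTX', NULL, 'DEPARTMENT_ID');
  END set_department;
END emp_ctx_pkg;
/
-- 3. Populate the context once per session (needs ADMINISTER DATABASE TRIGGER).
--    With a shared connection pool use a global context keyed by
--    client_identifier instead, as slide 14 describes.
CREATE OR REPLACE TRIGGER hrsec.set_emp_ctx_trg
  AFTER LOGON ON DATABASE
BEGIN
  hrsec.emp_ctx_pkg.set_department;
END;
/
-- 4. The filtering view plays the role of the VPD predicate. When the
--    attribute is unset SYS_CONTEXT returns NULL, "= NULL" matches nothing,
--    and the view returns no rows rather than all rows.
CREATE OR REPLACE VIEW hrsec.employees_v AS
  SELECT employee_id, first_name, last_name, department_id, salary
    FROM hrsec.employees
   WHERE department_id = TO_NUMBER(SYS_CONTEXT('EMP_CTX', 'DEPARTMENT_ID'));

-- 5. Application accounts get the view only; the base table is never granted
GRANT SELECT ON hrsec.employees_v TO app_user;

-- 6. Check from an application session what the view will filter on
SELECT SYS_CONTEXT('EMP_CTX', 'DEPARTMENT_ID') AS dept FROM dual;
```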
  • 13. Poor man VPD problems
    • Users with different privileges over the same data?
      – More views per privilege set / coding logic into functions / intermediate table / ...
      – It is up to your coding abilities
    • Different policies for insert/update/delete?
      – More views per policy / coding logic into functions / ...
    • Will modified data still match the condition?
      – Triggers to validate after data modifications / manual controls
  • 14. Other implications
    • Changes in query performance?
      – Review indexes to cover all new conditions
    • Connection pools at middle tier
      – Proxy user and client_identifier usage
        ALTER USER john GRANT CONNECT THROUGH appsrv;
        oracle.jdbc.OracleConnection.setClientIdentifier()   ← from JDBC
        exec dbms_session.set_identifier('ABCD')              ← same from PL/SQL
  • 15. General implementation principles
    Before coding, design your policies:
      – Identify tables that require security
      – Evaluate their data and define the level of security and groups
      – Categorize users (privileged / typical / etc.)
    As part of the coding:
      – Lock down access to configuration – least privilege principle
      – Audit operations
  • 16. Today’s topics
    • What is Fine Grain Access control?
    • Functionalities available with Oracle
    • Implementing row level security
      – With standard edition
      – Using VPD
      – Using OLS
      – Using RAS
    • Complex scenarios
  • 17. Virtual Private Database (VPD)
    “interface to associate PL/SQL packages with application tables to compute and append a predicate (where clause) that is automatically appended to incoming SQL statements, restricting access to rows and columns within the table”
    http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html
    • Package DBMS_RLS to manage policies
    • View DBA_POLICIES to view existing policies
    • View V$VPD_POLICY to see predicates generated for SQL_IDs
    • Different policies can be used for SELECT/INSERT/UPDATE/DELETE
    • Multiple policies allowed per table
  • 18. Virtual Private Database (VPD) - example
    script: fga-vpd.sql
    Summary:
    • Policy function using static and dynamic predicates
    • Errors when querying the base table in some cases
    • Adding extra code to allow privileged user access
    • Testing SELECT/UPDATE
  • 19. Policies evaluation
    • Defined by the policy type:
      – Dynamic – evaluated every time it is used
      – Static – executed only once and cached
      – Context_sensitive – re-evaluated if the context changes (useful with connection pooling)
      – Shared_static – cache shared over multiple objects
      – Shared_context_sensitive – combines the previous two
    • Policy exemptions:
      – direct path export
      – cannot be applied to objects in schema SYS
      – EXEMPT ACCESS POLICY privilege
    • MERGE INTO statements supported on tables using VPD since 11gR2
    • ORA_ROWSCN usage has problems
  • 20. Policy function
    • No validation of the code we create – it fails at runtime if wrong
    • The code can use whatever we want to produce the predicate string
      – Performance overhead depends on the policy type used when evaluating
      – Execution plans may change because of the new condition in use
    • The string returned may be different for different tables (FK relationships, etc.)
    • It can be applied to columns, not only to the entire table
      – Column masking vs row masking
    • Access to the policy function definition should be protected
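A row-level VPD policy that puts slides 18 to 20 together (privileged-user branch, policy type, separate statement types), added here as an example rather than taken from the fga-vpd.sql script. The schema HRSEC, role HR_ADMIN and context EMP_CTX are assumed names; the namespace/attribute parameters of ADD_POLICY are the 12c form mentioned on slide 48.

```sql
-- Added example (not from the slides): row-level VPD on HR.EMPLOYEES driven by
-- an application context. HRSEC, HR_ADMIN and EMP_CTX are hypothetical names.

-- Policy function: DBMS_RLS calls it with (schema, object) and appends the
-- returned string as the WHERE predicate. Keep it free of side effects and
-- make sure the predicate fails closed when the context is missing.
CREATE OR REPLACE FUNCTION hrsec.f_emp_rows (p_schema IN VARCHAR2,
                                             p_object IN VARCHAR2)
  RETURN VARCHAR2
AS
BEGIN
  -- Privileged path: a role check rather than a hard-coded user name
  IF DBMS_SESSION.IS_ROLE_ENABLED('HR_ADMIN') THEN
    RETURN '1=1';
  END IF;
  -- Default path: filter on the department stored in the secure context.
  -- If the attribute is unset the predicate becomes "department_id = NULL",
  -- which matches no rows. Slide 47's caveat applies: the optimizer cannot
  -- estimate cardinality for this function-based predicate.
  RETURN 'department_id = TO_NUMBER(SYS_CONTEXT(''EMP_CTX'', ''DEPARTMENT_ID''))';
END f_emp_rows;
/

BEGIN
  -- Read policy: CONTEXT_SENSITIVE, re-evaluated only when EMP_CTX.DEPARTMENT_ID
  -- changes (typical with a pool that re-sets the context per request)
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ROWS_SELECT',
    function_schema => 'HRSEC',
    policy_function => 'F_EMP_ROWS',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE,
    namespace       => 'EMP_CTX',
    attribute       => 'DEPARTMENT_ID');

  -- DML policy: same predicate plus update_check, so a row cannot be inserted
  -- or moved into a department the session is not allowed to see (ORA-28115)
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ROWS_DML',
    function_schema => 'HRSEC',
    policy_function => 'F_EMP_ROWS',
    statement_types => 'INSERT,UPDATE,DELETE',
    update_check    => TRUE,
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE,
    namespace       => 'EMP_CTX',
    attribute       => 'DEPARTMENT_ID');
END;
/

-- Which policies are attached, and what predicate a given cursor received
SELECT policy_name, sel, ins, upd, del, chk_option, policy_type
  FROM dba_policies
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';

SELECT sql_id, object_name, policy, predicate
  FROM v$vpd_policy
 WHERE object_name = 'EMPLOYEES';
```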
  • 21. VPD - Column masking
    create or replace function f_protect_salary (p_owner in varchar2, p_name in varchar2)
    return varchar2 as
    begin
      if sys_context('userenv', 'session_user') = 'MANAGER' then
        return '1=1';              /* value is displayed */
      else
        return 'salary <= 10000';  /* displayed only if the row matches the condition */
      end if;
    end;
    /
    BEGIN
      DBMS_RLS.ADD_POLICY(object_schema         => 'HR',
                          object_name           => 'EMPLOYEES',
                          policy_name           => 'SEC_SALARY',
                          function_schema       => 'HR',
                          policy_function       => 'f_protect_salary',
                          sec_relevant_cols     => 'SALARY',
                          sec_relevant_cols_opt => dbms_rls.ALL_ROWS);
    END;
    /
    policy_function is treated as a Boolean expression to decide if column values are shown
  • 22. VPD – update check
    New in 11.2:
    BEGIN
      DBMS_RLS.ADD_POLICY(object_schema   => user,
                          object_name     => 'EMPLOYEES',
                          policy_name     => 'SEC_SALARY',
                          function_schema => 'LBACSYS',
                          policy_function => 'f_protect_salary',
                          update_check    => true);
    END;
    /
    SQL> update hr.employees set salary=salary*2;
    ERROR at line 1:
    ORA-28115: policy with check option violation
    policy_function is also enforced after updates
  • 23. Policies troubleshooting
    • What condition (policy) is being applied to my query?
      – v$vpd_policy
    • On errors, a trace file is generated in user_dump_dest
    • Debugging
      – Trace events 10730 / 10060
  • 24. Today’s topics
    • What is Fine Grain Access control?
    • Functionalities available with Oracle
    • Implementing row level security
      – With standard edition
      – Using VPD
      – Using OLS
      – Using RAS
    • Complex scenarios
  • 25. Oracle Label Security (OLS)
    • Based on tags (labels) for data
    • Hierarchical classification: levels / compartments / groups
    • Access to data granted based on policies without manual coding
      – Using predefined PL/SQL packages, not user-created ones as in VPD
      – A policy can be applied to a table or a schema
    • When labels are used, a (hidden) column is created when the policy is applied to tables
    • Administration:
      – User LBACSYS to manage policies
      – SA_USER_ADMIN package – to manage user labels and user privileges
      – SA_SESSION package to configure labels & privileges
      – Several SA_* views
      – DBA_OLS_STATUS view shows if OLS is enabled and configured
  • 26. Oracle Label Security (OLS) – labels example (diagram)
  • 27. Oracle Label Security (OLS) - example
    script: fga-ols.sql
    Summary:
    • define label hierarchy
    • define policies
    • test policies from users with different privileges
    • validate predicates used
  • 28. Oracle Label Security (OLS)
    Not enabled by default:
    SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
    VALUE
    --------------------------------------------
    FALSE

    select * from DBA_OLS_STATUS;
    NAME                 STATUS DESCRIPTION
    -------------------- ------ -------------------------------------
    OLS_CONFIGURE_STATUS FALSE  Determines if OLS is configured
    OLS_DIRECTORY_STATUS FALSE  Determines if OID is enabled with OLS
    OLS_ENABLE_STATUS    FALSE  Determines if OLS is enabled
  • 29. Oracle Label Security (OLS) - install
    On 12c:
    EXEC LBACSYS.CONFIGURE_OLS;
    EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
    On 11g:
    cd $ORACLE_HOME/rdbms/lib
    make -f ins_rdbms.mk lbac_on ioracle   (same as: chopt enable lbac)
    shutdown/startup
    sqlplus @?/rdbms/admin/catols.sql
  • 30. Oracle Label Security (OLS) - labels
    label_to_char(OLS_COLUMN) – displays the string label instead of the internal code
    sa_session.label('policy_name') – current user’s session label for the policy
    OLS_LABEL_DOMINATES(session_tag, desired_tag) – returns 1 when the first label dominates the second one, i.e. the session label is allowed to access that data label
    New in 12.1 – the LBACSYS schema can be exported using full export/import (source >= 11.2.0.3, target >= 12.1)
  • 31. Oracle Label Security (OLS) - DML
    Labeling column implications:
    • column values are set using a labeling function or manually (see the oracle-base example)
    • affects initial configuration and inserts
    create function f_label(..) RETURN LBACSYS.LBAC_LABEL
    ..
      RETURN TO_LBAC_DATA_LABEL('label', string);
    end;
    exec SA_POLICY_ADMIN.APPLY_TABLE_POLICY(... label_function => 'f_label(..)')
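The OLS steps of slides 25 to 31 (label hierarchy, policy, labeling function, user clearances) carried through on HR.EMPLOYEES, as an added example that is not the fga-ols.sql script. Policy EMP_POL, its levels and compartment, users ALICE and BOB and the labeling rule are assumed; it runs as LBACSYS (or a user holding LBAC_DBA) with OLS already enabled as on slide 29.

```sql
-- Added example (not from the slides): a minimal OLS policy with two levels and
-- one compartment, applied with a labeling function. EMP_POL, ALICE, BOB and
-- the "salary > 10000" rule are hypothetical.

-- 1. Policy and the name of its (hidden) label column
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'EMP_POL',
                          column_name     => 'EMP_LABEL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/
-- 2. Components: levels are ordered (higher number dominates), compartments
--    are not; a session must hold the compartment to see rows carrying it
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('EMP_POL', 1000, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('EMP_POL', 2000, 'CONF', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_COMPARTMENT('EMP_POL', 100, 'PAY', 'PAYROLL');
END;
/
-- 3. Data labels that rows and users will carry (tag, label string)
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POL', 10, 'PUB',      TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POL', 20, 'CONF',     TRUE);
  SA_LABEL_ADMIN.CREATE_LABEL('EMP_POL', 30, 'CONF:PAY', TRUE);
END;
/
-- 4. Labeling function (the f_label(..) pattern of slide 31): rows with a
--    salary above 10000 are CONF:PAY, everything else is PUB
CREATE OR REPLACE FUNCTION f_emp_label (p_salary IN NUMBER)
  RETURN LBACSYS.LBAC_LABEL
AS
BEGIN
  IF p_salary > 10000 THEN
    RETURN TO_LBAC_DATA_LABEL('EMP_POL', 'CONF:PAY');
  END IF;
  RETURN TO_LBAC_DATA_LABEL('EMP_POL', 'PUB');
END f_emp_label;
/
-- 5. Apply the policy; the function arguments refer to table columns and the
--    function labels rows as they are inserted
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name    => 'EMP_POL',
    schema_name    => 'HR',
    table_name     => 'EMPLOYEES',
    table_options  => 'READ_CONTROL,WRITE_CONTROL',
    label_function => 'LBACSYS.F_EMP_LABEL(:new.salary)');
END;
/
-- 6. Clearances: ALICE reads up to CONF:PAY, BOB only PUB. The schema owner
--    gets FULL so it can label existing rows (and bypasses enforcement:
--    this is exactly why slide 11 keeps the owner away from the application).
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('EMP_POL', 'ALICE',
    max_read_label  => 'CONF:PAY', max_write_label => 'CONF:PAY',
    min_write_label => 'PUB',      def_label       => 'CONF:PAY',
    row_label       => 'CONF:PAY');
  SA_USER_ADMIN.SET_USER_LABELS('EMP_POL', 'BOB', max_read_label => 'PUB');
  SA_USER_ADMIN.SET_USER_PRIVS('EMP_POL', 'HR', 'FULL');
END;
/
-- 7. Existing rows still have a NULL label and are invisible to everyone
--    without FULL/READ privilege; label them once (run as HR)
UPDATE hr.employees
   SET emp_label = CHAR_TO_LABEL('EMP_POL',
                     CASE WHEN salary > 10000 THEN 'CONF:PAY' ELSE 'PUB' END);
COMMIT;
-- 8. Verify: BOB sees only PUB rows, ALICE sees all rows; the hidden column
--    can still be selected by name, as on slide 30
SELECT employee_id, salary, LABEL_TO_CHAR(emp_label) AS lbl
  FROM hr.employees;
```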
  • 32. Today’s topics
    • What is Fine Grain Access control?
    • Functionalities available with Oracle
    • Implementing row level security
      – With standard edition
      – Using VPD
      – Using OLS
      – Using RAS
    • Complex scenarios
  • 33. Oracle Real Application Security (RAS)
    “A database authorization model:
    • Supports declarative security policies
    • Enables end-to-end security for multitier applications
    • Provides an integrated solution to secure database and application resources
    • Advances the security architecture of Oracle Database to meet existing and emerging demands of applications developed for the Internet”
    https://docs.oracle.com/database/121/DBFSG/intro.htm#DBFSG10000
  • 34. (architecture diagram) https://docs.oracle.com/database/121/DBFSG/intro.htm#BABHAIFD
  • 35. Oracle Real Application Security (RAS) concepts
    Application users – schema-less; used to create an application session
    Application role (static/dynamic)
    Application privileges
    Security class – set of privileges
    Access control entry (ACE) – grants/denies application privileges to principals
    Access control list (ACL) – named list of privilege grants bound to resources
    Data realm – business object defined by a SQL predicate, authorized by an ACL
      – Regular / parameterized / inherited
    Data security policy – protects realms by associating ACLs with them
  • 36. Oracle Real Application Security (RAS)
    • Application sessions – not bound to database schemas
    • PL/SQL and Java API
    • Administration Application (RASADM) in APEX, to download from OTN
      http://www.oracle.com/technetwork/database/security/real-application-security/downloads/index.html
    • HR Demo from Java
      https://docs.oracle.com/database/121/DBFSG/midtierjava.htm#CBBDJDDE
  • 37. Oracle Real Application Security (RAS) - example
    scripts: ras-*.sql
    Usage from PL/SQL, based on the hrdemo*.sql scripts:
    http://docs.oracle.com/database/121/DBFSG/security_hr_demo_tutorial.htm#DBFSG816
    Summary:
    • row filtering and column masking
    • realm with errors and troubleshooting
  • 38. Oracle Real Application Security (RAS)
    New hidden column to enforce the policy: SYS_ACLOID
    begin
      xs_data_security.apply_object_policy(
        policy  => 'hr.employees_ds',
        row_acl => true,
        schema  => 'hr',
        object  => 'employees');
    end;
    /
    select column_name from dba_tab_cols
     where table_name = 'EMPLOYEES' and hidden_column = 'YES';
  • 39. Oracle Real Application Security (RAS)
    Static policies (data realms):
    XS$REALM_CONSTRAINT_TYPE(realm     => 'DEPARTMENT_ID=50',
                             acl_list  => XS$NAME_LIST('HRACL'),
                             is_static => TRUE);   -- default is FALSE
    A materialized view is generated automatically to keep the binding between rows and ACLs.
    Change the ACL refresh mode to on-commit or on-demand refresh with XS_DATA_SECURITY_UTIL.ALTER_STATIC_ACL_REFRESH
  • 40. Oracle Real Application Security (RAS)
    ACL evaluation order:
    1) application user-managed ACLs – from grants directly on object instances
    2) ACLs from static data realm constraint grants are evaluated next
    3) ACLs from dynamic data realm constraint grants are evaluated last
    To see realms associated with tables: DBA_XS_REALM_CONSTRAINTS
    DBA_XS_* and DBA_XDS_* views show all RAS related data
    ras-check.sql script
  • 41. Oracle Real Application Security (RAS)
    Parameters in data realm rules – definition
    1) rows_sec := XS$REALM_CONSTRAINT_LIST(
         XS$REALM_CONSTRAINT_TYPE(
           realm => 'COUNTRY_REGION = &' || 'REGION'));
    2) sys.xs_data_security.create_policy(
         name                  => 'SH.CUSTOMER_DS',
         realm_constraint_list => rows_sec,
         description           => 'Policy to protect sh.customers table');
    3) sys.xs_data_security.create_acl_parameter(
         policy     => 'SH.CUSTOMER_DS',
         parameter  => 'REGION',
         param_type => XS_ACL.TYPE_VARCHAR);
  • 42. Oracle Real Application Security (RAS)
    Parameters in data realm rules – usage when creating an ACL
    DECLARE
      ace_list XS$ACE_LIST;
    BEGIN
      ace_list := XS$ACE_LIST(
        XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
                    granted        => true,
                    principal_name => 'Americas_sales'),
        XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT', 'VIEW_SENSITIVE_INFO'),
                    granted        => true,
                    principal_name => 'Business_Analyst'));
      sys.xs_acl.create_acl(name        => 'View_Americas_sales',
                            ace_list    => ace_list,
                            sec_class   => 'SH.CUST_SEC_CLASS',
                            description => 'Authorize read access for the Americas region');
      sys.xs_acl.add_acl_parameter(acl       => 'View_Americas_sales',
                                   policy    => 'SH.CUSTOMER_DS',
                                   parameter => 'REGION',
                                   value     => 'Americas');
    END;
    /
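The RAS objects of slides 35 to 42 (principals, security class, ACL, data security policy with a realm and a column constraint, applied to a table) assembled end to end, as an added example that is not one of the ras-*.sql or hrdemo*.sql scripts. Application user LWALKER, role EMP_VIEWER, privilege VIEW_SALARY and the HR.EMP_* names are assumed, as is the XS_SESSION_ADMIN role for the test session.

```sql
-- Added example (not from the slides): RAS on HR.EMPLOYEES from principals to
-- an applied policy. LWALKER, EMP_VIEWER, VIEW_SALARY, HR.EMP_SEC_CLASS,
-- HR.EMP_ACL and HR.EMP_DS are hypothetical. Steps 1 to 5 run as SYS.

-- 1. Principals: a static application role and a schema-less application user
BEGIN
  sys.xs_principal.create_role(name => 'EMP_VIEWER', enabled => TRUE);
  sys.xs_principal.create_user(name => 'LWALKER');
  sys.xs_principal.set_password('LWALKER', 'Welcome_1');   -- constructed sample
  sys.xs_principal.grant_roles('LWALKER', 'EMP_VIEWER');
END;
/
-- 2. Security class: inherits the SQL DML privileges and adds one custom
--    application privilege, later used for column masking
BEGIN
  sys.xs_security_class.create_security_class(
    name        => 'HR.EMP_SEC_CLASS',
    parent_list => XS$NAME_LIST('SYS.DML'),
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE(name => 'VIEW_SALARY')));
END;
/
-- 3. ACL: EMP_VIEWER may SELECT; VIEW_SALARY is deliberately not granted
DECLARE
  aces XS$ACE_LIST;
BEGIN
  aces := XS$ACE_LIST(
    XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
                granted        => TRUE,
                principal_name => 'EMP_VIEWER'));
  sys.xs_acl.create_acl(name      => 'HR.EMP_ACL',
                        ace_list  => aces,
                        sec_class => 'HR.EMP_SEC_CLASS');
END;
/
-- 4. Data security policy: one dynamic realm (rows of department 60) guarded
--    by EMP_ACL, plus a column constraint: SALARY is returned as NULL to a
--    session that lacks VIEW_SALARY on the row's ACL (column masking)
DECLARE
  realms XS$REALM_CONSTRAINT_LIST;
  cols   XS$COLUMN_CONSTRAINT_LIST;
BEGIN
  realms := XS$REALM_CONSTRAINT_LIST(
    XS$REALM_CONSTRAINT_TYPE(realm    => 'DEPARTMENT_ID = 60',
                             acl_list => XS$NAME_LIST('HR.EMP_ACL')));
  cols := XS$COLUMN_CONSTRAINT_LIST(
    XS$COLUMN_CONSTRAINT_TYPE(column_list => XS$LIST('SALARY'),
                              privilege   => 'VIEW_SALARY'));
  sys.xs_data_security.create_policy(
    name                   => 'HR.EMP_DS',
    realm_constraint_list  => realms,
    column_constraint_list => cols);
  -- Bind the policy to the table; rows covered by no realm are not visible
  sys.xs_data_security.apply_object_policy(
    policy => 'HR.EMP_DS', schema => 'HR', object => 'EMPLOYEES');
END;
/
-- 5. Verify the realm definition (view named on slide 40)
SELECT * FROM dba_xs_realm_constraints WHERE policy = 'HR.EMP_DS';

-- 6. Test: create and attach an application session for LWALKER from a
--    database user holding XS_SESSION_ADMIN (assumed requirement), then query.
--    Expected: only department 60 rows, each with SALARY shown as NULL.
DECLARE
  sid RAW(16);
BEGIN
  sys.xs_session.create_session('LWALKER', sid);
  sys.xs_session.attach_session(sid);
END;
/
SELECT employee_id, department_id, salary FROM hr.employees;
BEGIN
  sys.xs_session.detach_session;
END;
/
```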
  • 43. Oracle Real Application Security (RAS) - Trace
    • V$VPD_POLICY works
    • dump all the data realm constraint rules:
      ALTER SESSION SET EVENTS 'TRACE[XSXDS] disk=high';
    • dump the VPD views of the XDS-enabled table during the initial (hard) parse:
      ALTER SESSION SET EVENTS 'TRACE[XSVPD] disk=high';
  • 44. Oracle Real Application Security (RAS)
    • Default passwords for RAS users are created with SHA-2 hashes. SQL Developer uses JDBC, which does not support SHA-512 hashes, so SHA-1 passwords need to be specified for those cases:
      exec XS_PRINCIPAL.SET_PASSWORD('john', 'john', xs_principal.XS_SALTED_SHA1);
    • SA_SESSION.SET_ACCESS_PROFILE
      – To implement proxy accounts with application users
      – SA_SESSION.SA_USER_NAME function to see the current username
  • 45. Today’s topics
    • What is Fine Grain Access control?
    • Functionalities available with Oracle
    • Implementing row level security
      – With standard edition
      – Using VPD
      – Using OLS
      – Using RAS
    • Complex scenarios
  • 46. Complex scenarios?
    • Combined with other functionalities
      – Oracle Internet Directory
      – Result cache, materialized views, non-deterministic functions, etc.
    • Mixed application usages of the same data – VPD + non-VPD
      – Views for applying policies, base table access for non-VPD
      – Grants / synonyms to control access to the correct ones
    • Multiple policies
      – The combined condition should be valid
      – Definition challenge when applied to multiple tables
  • 47. Performance considerations
    – Traditional tuning, considering the final user + policy conditions for SQLs
      • V$VPD_POLICY to start
    – The optimizer does not estimate cardinality when functions are used in policy predicates
      • id = SYS_CONTEXT('USERENV', 'SESSION_USER')  => it does not
      • id = 10  => it does
  • 48. Changes in different versions
    • 9i – Multiple policies per table. Global contexts.
    • 10g – Column-based policies, column masking, policy types
    • 11g – Support for the MERGE INTO statement
    • 12c – RAS
      – VPD context-sensitive policies – evaluated only if the associated application context attribute changes
  • 49. Auditing - OLS
    12c - unified auditing
    • enabling and disabling of OLS policies, etc.:
      SELECT * FROM AUDITABLE_SYSTEM_ACTIONS WHERE COMPONENT = 'Label Security';
    • example:
      CREATE AUDIT POLICY audit_ols
        ACTIONS SELECT ON OE.ORDERS
        ACTIONS COMPONENT=OLS ALL;
    • Oracle Label Security session label attributes can be audited:
      AUDIT CONTEXT NAMESPACE ORA_SESSION_LABELS ATTRIBUTES lsec_pol1, lsec_pol2;
    • Auditing Oracle Label Security Events:
      https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454
    • SYS.UNIFIED_AUDIT_TRAIL.xs_user_name for RAS db connections; XS$NULL on sys.aud$
    Pre-12c auditing (OLS):
    • using the SA_AUDIT_ADMIN package
      https://docs.oracle.com/database/121/OLSAG/packages.htm#GUID-C4FB5E20-D9B8-48A1-9DDB-1ACA4722846E
  • 50. FGA options compared (comparison table)
  • 51. Conclusions
    • Several alternatives are available, with different functionality
    • Some limitations exist; testing is needed to validate that it works for your needs
    • Access to packages that modify policies should be protected and audited
    • Don’t underestimate the effort needed to design the policies
    • Changes in different versions
    • RAS is brand new but should be used for all new developments
  • 53. References - documentation
    – Oracle license 12c
      https://docs.oracle.com/database/121/DBLIC/editions.htm#DBLIC110
    – Oracle Label Security
      https://docs.oracle.com/database/121/OLSAG/toc.htm
      http://www.oracle.com/technetwork/database/options/label-security/label-security-wp-12c-1896140.pdf
    – Oracle VPD
      https://docs.oracle.com/database/121/TDPSG/GUID-92A1A94D-319C-4FB2-AEC3-B86415D72628.htm#TDPSG94442
    – Oracle Real Application Security
      http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html
    – Auditing Oracle Label Security Events
      https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454
    – Application context
      https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG172