Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
4. About me
• Database Consultant at Pythian
• Working with Oracle tools and Linux environments since 1996
• DBA Oracle (2001) & MySQL (2005)
• Co-founder and President of the Oracle User Group of Uruguay (2009)
• LAOUC Director of events (2013)
• Computer Engineer
• Oracle ACE (2014)
• Oracle Certified Professional DBA 10g/11g (2008)
• Amazon Solutions Architect – Associate since 2016
• Oracle University Instructor (2011)
• Blogger and speaker: Oracle Open World, Collaborate, OTN Tour, regional conferences
4 Ā© 2014 Pythian Confidential
http://www.linkedin.com/in/ncalero @ncalerouy
5. Pythian overview
• 19 years of data infrastructure management consulting
• 250+ top brands
• 11700+ systems under management
• Over 400 DBAs in 35 countries
• Top 5% of DBA work force, 10 Oracle ACEs, 4 ACED,
3 OakTable members, 2 OCM, 6 Microsoft MVPs,
1 Cloudera Champion of Big Data,
AWS Certified Solutions Architect – 2 Professional, 12 Associate
• Oracle, Microsoft, MySQL, Hadoop, Cassandra, MongoDB, and more
• Infrastructure, Cloud, DevOps, and application expertise
6. Today's topics
• What is Fine Grain Access control?
• Functionalities available with Oracle
• Implementing row level security
– With standard edition
– Using OLS
– Using VPD
– Using RAS
• Complex scenarios
7. Fine Grain Access control?
What
– Ability to restrict access to objects at a small granularity
• row level instead of table level
• network services instead of all network access
Why
– Access to data must comply with security regulations
– Industry regulations: health care (HIPAA), defense (security clearances), personal
information protection (several).
• database side implementation => no code on the application side
– Several functionalities available (next slide)
• We will discuss implementation and management from the database point of view
8. Oracle functionalities for FG control
• auditing
• DBMS_FGA package (only in EE)
• external network services and wallets
• DBMS_NETWORK_ACL_ADMIN package
• data – several ways:
• Application context – available in SE
• Virtual Private Database (VPD) – 8i
– Only with EE, no extra cost
• Oracle Label Security (OLS) – 8i
– Only with EE, extra cost option
• Oracle Real Application Security – new in 12c
– Next generation VPD, only with EE, no extra cost
9. Simple example
[Diagram: policy rules sit between the users SMAVRIS and JDANIEL (Manager 103) and the query SELECT * FROM HR.EMPLOYEES]
10. Simple example
What do I need to implement it?
– It depends on your requirements
Functionalities available out of the box for free?
– Limited, need maintenance; we will explore them next
Many functionalities with EE at no extra cost
– Only OLS has an extra cost
11. Simple example - demo
Implementing a simple VPD on SE
– Schema owner of the data not allowed to connect from the app
– Views for each table including a where condition
– Nominated users granted access to views only
– Usage of application context
script: fga-se.sql
12. Application contexts
• session variables to store information
• useful to implement FGAC with Standard Edition
• session (local) or global (shared)
– select sys_context(namespace, attribute) from dual;
– dbms_session.set_context(namespace, attribute, value, client_id)
• built-in application context namespace: USERENV
– select sys_context('USERENV', 'SESSION_USER') from dual;
• Dictionary views
– V$CONTEXT / V$GLOBALCONTEXT
• Memory footprint
– select * from v$sgastat where name like 'Global Context%';
https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG173
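The Standard Edition approach of slides 11 and 12 (views plus an application context) worked through as an added example; it is not the deck's fga-se.sql and assumes the HR sample schema, a hypothetical pool account APP_POOL and a hypothetical trusted package HR.EMP_CTX_PKG.

```sql
-- Added example, not the deck's fga-se.sql: a Standard Edition "poor man's VPD".
-- Assumes the HR sample schema and two hypothetical names: APP_POOL (the
-- application/pool account) and the context-owning package HR.EMP_CTX_PKG.
-- The user running this script needs CREATE ANY CONTEXT.

-- 1. Namespace bound to a trusted package: only HR.EMP_CTX_PKG may set it.
CREATE CONTEXT emp_ctx USING hr.emp_ctx_pkg;

-- 2. The trusted package derives the attribute from the session, never from caller input.
CREATE OR REPLACE PACKAGE hr.emp_ctx_pkg AS
  PROCEDURE set_manager;
END;
/
CREATE OR REPLACE PACKAGE BODY hr.emp_ctx_pkg AS
  PROCEDURE set_manager IS
    v_user VARCHAR2(128);
    v_id   NUMBER;
  BEGIN
    -- Behind a connection pool the end user is in CLIENT_IDENTIFIER (slide 14);
    -- for a direct connection fall back to the database session user.
    v_user := NVL(SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
                  SYS_CONTEXT('USERENV', 'SESSION_USER'));
    -- HR.EMPLOYEES.EMAIL holds the short user name (e.g. SMAVRIS).
    SELECT employee_id INTO v_id FROM hr.employees WHERE email = UPPER(v_user);
    DBMS_SESSION.SET_CONTEXT('EMP_CTX', 'MANAGER_ID', TO_CHAR(v_id));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: an impossible value makes the view return no rows (fail closed).
      DBMS_SESSION.SET_CONTEXT('EMP_CTX', 'MANAGER_ID', '-1');
  END;
END;
/
-- 3. The view carries the row filter; the base table is never granted.
--    If the context was never set, SYS_CONTEXT is NULL and no row matches.
CREATE OR REPLACE VIEW hr.my_team AS
  SELECT employee_id, first_name, last_name, email, job_id
    FROM hr.employees
   WHERE manager_id  = TO_NUMBER(SYS_CONTEXT('EMP_CTX', 'MANAGER_ID'))
      OR employee_id = TO_NUMBER(SYS_CONTEXT('EMP_CTX', 'MANAGER_ID'));

-- 4. Grants: the view and the context setter only, nothing on HR.EMPLOYEES.
GRANT SELECT  ON hr.my_team     TO app_pool;
GRANT EXECUTE ON hr.emp_ctx_pkg TO app_pool;

-- 5. From a pooled APP_POOL session, after the pool tags the end user:
-- EXEC DBMS_SESSION.SET_IDENTIFIER('SMAVRIS');
-- EXEC hr.emp_ctx_pkg.set_manager;
-- SELECT * FROM hr.my_team;   -- only SMAVRIS's own row and her direct reports
```

Because APP_POOL cannot execute DBMS_SESSION.SET_CONTEXT for EMP_CTX directly (the namespace is bound to the package), the only way to change the filter is through the package's own lookup.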
13. Poor man's VPD problems
• Users with different privileges over the same data?
– More views per privilege set / coding logic into functions / intermediate table / ...
– It is up to your coding abilities
• Different policies for insert/update/delete?
– More views per policy / coding logic into functions / ...
• Will modified data still match the condition?
– Triggers to validate after data modifications / manual controls
14. Other implications
• Changes in query performance?
– Review indexes to cover all new conditions
• Connection pools at the middle tier
– Proxy user and client_identifier usage
ALTER USER john GRANT CONNECT THROUGH appsrv;
oracle.jdbc.OracleConnection.setClientIdentifier()  <- from JDBC
exec dbms_session.set_identifier ('ABCD')  <- the same from PL/SQL
15. General implementation principles
Before coding, design your policies:
– Identify tables that require security
– Evaluate their data and define the level of security and the groups
– Categorize users (privileged / typical / etc.)
As part of the coding:
– Lock down access to configuration – least privilege principle
– Audit operations
16. Today's topics
• What is Fine Grain Access control?
• Functionalities available with Oracle
• Implementing row level security
– With standard edition
– Using VPD
– Using OLS
– Using RAS
• Complex scenarios
17. Virtual Private Database (VPD)
"interface to associate PL/SQL packages with application tables
to compute and append a predicate (where clause) that is
automatically appended to incoming SQL statements, restricting
access to rows and columns within the table"
http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html
• Package DBMS_RLS to manage policies
• View DBA_POLICIES to view existing policies
• View V$VPD_POLICY to see predicates generated for SQL_IDs
• Different policies can be used for SELECT/INSERT/UPDATE/DELETE
• Multiple policies allowed per table
18. Virtual Private Database (VPD) - example
script: fga-vpd.sql
Summary:
• Policy function using static and dynamic predicates
• Errors when querying the base table in some cases
• Adding extra code to allow privileged user access
• Testing SELECT/UPDATE
19. Policies evaluation
• Defined by the policy type:
– Dynamic – evaluated every time it is used
– Static – executed only once and cached
– Context_sensitive – evaluated if the context changes (useful with connection pooling)
– Shared_static – cache shared over multiple objects
– Shared_context_sensitive – combines the previous two
• Policy exemptions:
– direct path export
– cannot be applied to objects in schema SYS
– EXEMPT ACCESS POLICY privilege
• MERGE INTO statements supported on tables using VPD since 11gR2
• ORA_ROWSCN usage has problems
20. Policy function
• No validation of the code we create – it fails at runtime if wrong
• Code can use whatever we want to produce the string
– Performance overhead when evaluating, depending on the policy type
– Execution plans may change because of the new condition in use
• String returned may be different for different tables (FK relationships, etc.)
• It can be applied to columns, not only to the entire table
– Column masking vs row masking
• Access to the policy function definition should be protected
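A row-level VPD policy covering slides 17 to 20 (static plus dynamic predicate, privileged-user bypass, separate SELECT and DML policies, context-sensitive evaluation), as an added example that is not the deck's fga-vpd.sql; it assumes the HR schema, a hypothetical HR_ADMIN role and the application context EMP_CTX with attribute MANAGER_ID.

```sql
-- Added example (not from the deck): row-level VPD on HR.EMPLOYEES.
-- Assumed names: role HR_ADMIN and context EMP_CTX / attribute MANAGER_ID.
CREATE OR REPLACE FUNCTION hr.f_team_rows (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  -- Privileged sessions: a NULL predicate means nothing is appended.
  IF SYS_CONTEXT('USERENV', 'ISDBA') = 'TRUE'
     OR DBMS_SESSION.IS_ROLE_ENABLED('HR_ADMIN') THEN
    RETURN NULL;
  END IF;
  -- Fail closed: if the context was never set, hide every row instead of
  -- returning an unrestricted result.
  IF SYS_CONTEXT('EMP_CTX', 'MANAGER_ID') IS NULL THEN
    RETURN '1=0';
  END IF;
  -- Dynamic part: the predicate itself reads the context at execution time.
  RETURN 'manager_id = TO_NUMBER(SYS_CONTEXT(''EMP_CTX'',''MANAGER_ID''))';
END;
/
-- One policy for reads and one for writes; update_check stops a user from
-- moving a row out of the set they are allowed to see. Both are
-- context-sensitive, so the function re-runs only when MANAGER_ID changes
-- (12c namespace/attribute arguments, see slide 48).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_TEAM_SELECT',
    function_schema => 'HR',
    policy_function => 'F_TEAM_ROWS',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE,
    namespace       => 'EMP_CTX',
    attribute       => 'MANAGER_ID');
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_TEAM_DML',
    function_schema => 'HR',
    policy_function => 'F_TEAM_ROWS',
    statement_types => 'INSERT,UPDATE,DELETE',
    update_check    => TRUE,
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE,
    namespace       => 'EMP_CTX',
    attribute       => 'MANAGER_ID');
END;
/
-- Which predicate did the kernel actually append to a cursor? (slide 23)
SELECT sql_id, policy, predicate
  FROM v$vpd_policy
 WHERE object_name = 'EMPLOYEES';
```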
21. VPD - Column masking
-- policy function first, then the policy that references it
create or replace function f_protect_salary (p_owner in varchar2, p_name in varchar2)
return varchar2 as
begin
  if sys_context('userenv', 'session_user') = 'MANAGER'
  then return '1=1'; /* value is displayed */
  else return 'salary <= 10000'; /* displayed only if the row matches the condition */
  end if;
end;
/
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema=>'HR',
    object_name=>'EMPLOYEES',
    policy_name=>'SEC_SALARY',
    function_schema=>'HR',
    policy_function=>'f_protect_salary',
    sec_relevant_cols=>'SALARY',
    sec_relevant_cols_opt=>dbms_rls.ALL_ROWS);
END;
/
policy_function is treated as a Boolean expression to decide if column values are shown
22. VPD – update check
New in 11.2:
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema=>user,
    object_name=>'EMPLOYEES',
    policy_name=>'SEC_SALARY',
    function_schema=>'LBACSYS',
    policy_function=>'f_protect_salary',
    update_check=>true);
END;
/
SQL> Update hr.employees set salary=salary*2;
ERROR at line 1:
ORA-28115: policy with check option violation
policy_function is enforced also after updates
23. Policies troubleshooting
• What condition (policy) is being applied to my query?
– v$vpd_policy
• When errors occur, a trace file is generated in user_dump_dest
• Debugging
– Trace events 10730 / 10060
24. Today's topics
• What is Fine Grain Access control?
• Functionalities available with Oracle
• Implementing row level security
– With standard edition
– Using VPD
– Using OLS
– Using RAS
• Complex scenarios
25. Oracle Label Security (OLS)
• Based on tags for data
• Hierarchical classification: levels / compartments / groups
• Access to data granted based on policies without manual coding
– Using predefined PL/SQL packages, not user created as in VPD
– policy can be applied to a table or a schema
• When labels are used, a (hidden) column is created when the policy is applied to tables
• Administration:
– User LBACSYS to manage policies
– SA_USER_ADMIN package to manage user labels and user privileges
– SA_SESSION package to configure labels & privileges
– several SA_* views
– DBA_OLS_STATUS view shows if OLS is enabled and configured
27. Oracle Label Security (OLS) - example
script: fga-ols.sql
Summary:
– define label hierarchy
– define policies
– test policies from users with different privileges
– validate predicates used
28. Oracle Label Security (OLS)
Not enabled by default
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
VALUE
--------------------------------------------
FALSE
select * from DBA_OLS_STATUS;
NAME STATUS DESCRIPTION
-------------------- ------ -------------------------------------
OLS_CONFIGURE_STATUS FALSE Determines if OLS is configured
OLS_DIRECTORY_STATUS FALSE Determines if OID is enabled with OLS
OLS_ENABLE_STATUS FALSE Determines if OLS is enabled
29. Oracle Label Security (OLS) - install
On 12c:
EXEC LBACSYS.CONFIGURE_OLS;
EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
On 11g:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk lbac_on ioracle
(same as: chopt enable lbac)
shutdown/startup
sqlplus @?/rdbms/admin/catols.sql
30. Oracle Label Security (OLS) - labels
label_to_char (OLS_COLUMN)
Displays the string label instead of the internal code
sa_session.label('policy_name')
Current user's session label for the policy
OLS_LABEL_DOMINATES (session_tag, desired_tag)
Returns 1 when the first label dominates (is allowed to read) the second one
New in 12.1 - LBACSYS schema can be exported using full export/import
source >= 11.2.0.3, target >= 12.1
31. Oracle Label Security (OLS) - DML
Labeling column implications:
• column values set using a labeling function or manually
oracle-base example
• affects initial configuration and inserts
create function f_label(..)
RETURN LBACSYS.LBAC_LABEL
..
RETURN TO_LBAC_DATA_LABEL('label', string);
end;
exec SA_POLICY_ADMIN.APPLY_TABLE_POLICY
(...label_function => 'f_label(..)')
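The OLS steps summarised on slide 27 (label hierarchy, policy, per-user labels, predicate check) together with the labeling function of slide 31, as one added example; it is not the deck's fga-ols.sql and assumes OLS is configured and enabled, that LBACSYS runs the admin calls, and a hypothetical table HR.EMP_DOCS(doc_id, employee_id, title, dept_name).

```sql
-- Added example (not from the deck): a minimal OLS policy. Assumes OLS is
-- enabled, LBACSYS runs the SA_* calls, and HR.EMP_DOCS exists with a
-- DEPT_NAME column. Policy, level, compartment and label names are made up.

-- 1. Policy: hidden label column DOC_LABEL, reads filtered and writes checked.
EXEC SA_SYSDBA.CREATE_POLICY('EMP_DOCS_POL', 'DOC_LABEL', 'READ_CONTROL,WRITE_CONTROL');

-- 2. Hierarchy: a higher level number dominates a lower one; one compartment.
EXEC SA_COMPONENTS.CREATE_LEVEL('EMP_DOCS_POL', 1000, 'PUB',  'Public');
EXEC SA_COMPONENTS.CREATE_LEVEL('EMP_DOCS_POL', 2000, 'CONF', 'Confidential');
EXEC SA_COMPONENTS.CREATE_COMPARTMENT('EMP_DOCS_POL', 10, 'HR', 'HR only');

-- 3. Valid data labels (tag, 'LEVEL:COMPARTMENT' string, usable on rows).
EXEC SA_LABEL_ADMIN.CREATE_LABEL('EMP_DOCS_POL', 100, 'PUB',     TRUE);
EXEC SA_LABEL_ADMIN.CREATE_LABEL('EMP_DOCS_POL', 200, 'CONF',    TRUE);
EXEC SA_LABEL_ADMIN.CREATE_LABEL('EMP_DOCS_POL', 300, 'CONF:HR', TRUE);

-- 4. Labeling function (slide 31): documents about HR staff get CONF:HR,
--    everything else CONF. It runs on every insert, so no row stays unlabeled.
CREATE OR REPLACE FUNCTION hr.f_doc_label (p_dept IN VARCHAR2)
  RETURN LBACSYS.LBAC_LABEL AS
BEGIN
  IF p_dept = 'Human Resources' THEN
    RETURN TO_LBAC_DATA_LABEL('EMP_DOCS_POL', 'CONF:HR');
  END IF;
  RETURN TO_LBAC_DATA_LABEL('EMP_DOCS_POL', 'CONF');
END;
/
-- 5. Apply the policy; :new.<column> is how the function receives row values.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name    => 'EMP_DOCS_POL',
    schema_name    => 'HR',
    table_name     => 'EMP_DOCS',
    table_options  => 'READ_CONTROL,WRITE_CONTROL',
    label_function => 'hr.f_doc_label(:new.dept_name)');
END;
/
-- 6. User authorizations: JDANIEL may read up to CONF:HR, SMAVRIS only PUB.
EXEC SA_USER_ADMIN.SET_USER_LABELS('EMP_DOCS_POL', 'JDANIEL', 'CONF:HR');
EXEC SA_USER_ADMIN.SET_USER_LABELS('EMP_DOCS_POL', 'SMAVRIS', 'PUB');

-- 7. Validate from each user's session: the label the session carries and
--    which rows survive the READ_CONTROL predicate (slide 30 helpers).
SELECT SA_SESSION.LABEL('EMP_DOCS_POL') AS session_label FROM dual;
SELECT doc_id, title, LABEL_TO_CHAR(doc_label) AS row_label FROM hr.emp_docs;
```

With these labels SMAVRIS sees no CONF rows at all and an insert by SMAVRIS fails the WRITE_CONTROL check, because the function labels every new row CONF or higher.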
32. Today's topics
• What is Fine Grain Access control?
• Functionalities available with Oracle
• Implementing row level security
– With standard edition
– Using VPD
– Using OLS
– Using RAS
• Complex scenarios
33. Oracle Real Application Security (RAS)
"A database authorization model:
• Supports declarative security policies
• Enables end-to-end security for multitier applications
• Provides an integrated solution to secure database and application
resources
• Advances the security architecture of Oracle Database to meet
existing and emerging demands of applications developed for the
Internet"
https://docs.oracle.com/database/121/DBFSG/intro.htm#DBFSG10000
34. [Diagram slide] https://docs.oracle.com/database/121/DBFSG/intro.htm#BABHAIFD
35. Oracle Real Application Security (RAS) concepts
Application users – schema-less, used to create an application session
Application role (static/dynamic)
Application privileges
Security class – set of privileges
Access control entry (ACE)
– grant/deny application privileges to principals
Access control list (ACL)
– named list of privilege grants bound to resources
Data realm
– business object defined by a SQL predicate, authorized by an ACL
– Regular / parameterized / inherited
Data security policy
– protects realms by associating ACLs
36. Oracle Real Application Security (RAS)
• Application sessions – not bound to database schemas
• PL/SQL and Java API
• Administration application (RASADM) in APEX, downloadable from OTN
http://www.oracle.com/technetwork/database/security/real-application-security/downloads/index.html
• HR demo from Java
https://docs.oracle.com/database/121/DBFSG/midtierjava.htm#CBBDJDDE
37. Oracle Real Application Security (RAS) - example
scripts: ras-*.sql
Usage from PL/SQL
http://docs.oracle.com/database/121/DBFSG/security_hr_demo_tutorial.htm#DBFSG816
based on hrdemo*.sql scripts
Summary:
row filtering and column masking
realm with errors and troubleshooting
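The row filtering and column masking summarised above, built from the slide 35 concepts (principals, security class, ACE/ACL, data realm, policy) as an added example; it is not the deck's ras-*.sql or Oracle's hrdemo scripts and assumes the HR schema plus the made-up names EMP_ROLE, DAUSTIN, EMP_SEC, DEPT50_ACL and EMPLOYEES_DS.

```sql
-- Added example (not from the deck): RAS policy on HR.EMPLOYEES that returns
-- only department 50 and masks SALARY unless the session holds VIEW_SALARY.
-- Run as a user with the XS administration grants; all object names are assumed.
BEGIN
  -- 1. Schema-less principals: an application role and an application user.
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'EMP_ROLE', enabled => TRUE);
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'DAUSTIN');
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'DAUSTIN', role => 'EMP_ROLE');

  -- 2. Security class: inherits the DML privileges, adds one application privilege.
  SYS.XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'EMP_SEC',
    parent_list => XS$NAME_LIST('SYS.DML'),
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE(name => 'VIEW_SALARY')));

  -- 3. ACL: one ACE granting SELECT to EMP_ROLE. VIEW_SALARY is deliberately
  --    absent, so the column constraint below masks SALARY for this role.
  SYS.XS_ACL.CREATE_ACL(
    name      => 'DEPT50_ACL',
    ace_list  => XS$ACE_LIST(
                   XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
                               granted        => TRUE,
                               principal_name => 'EMP_ROLE')),
    sec_class => 'EMP_SEC');

  -- 4. Data security policy: a regular realm (row filter) plus a column
  --    constraint (masking) tied to the application privilege.
  SYS.XS_DATA_SECURITY.CREATE_POLICY(
    name                   => 'EMPLOYEES_DS',
    realm_constraint_list  => XS$REALM_CONSTRAINT_LIST(
      XS$REALM_CONSTRAINT_TYPE(realm    => 'DEPARTMENT_ID = 50',
                               acl_list => XS$NAME_LIST('DEPT50_ACL'))),
    column_constraint_list => XS$COLUMN_CONSTRAINT_LIST(
      XS$COLUMN_CONSTRAINT_TYPE(column_list => XS$LIST('SALARY'),
                                privilege   => 'VIEW_SALARY')));

  -- 5. Bind the policy to the table (this is what adds the hidden SYS_ACLOID column).
  SYS.XS_DATA_SECURITY.APPLY_OBJECT_POLICY(
    policy => 'EMPLOYEES_DS', schema => 'HR', object => 'EMPLOYEES');
END;
/
-- 6. Check the realm registered for the policy (view named on slide 40).
SELECT * FROM dba_xs_realm_constraints WHERE policy = 'EMPLOYEES_DS';
-- 7. In an application session attached as DAUSTIN, SELECT * FROM hr.employees
--    returns department 50 rows with SALARY shown as NULL; a session without
--    any matching ACL gets no rows at all.
```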
38. Oracle Real Application Security (RAS)
New hidden column to enforce policy: SYS_ACLOID
begin
  xs_data_security.apply_object_policy(
    policy  => 'hr.employees_ds',
    row_acl => true,
    schema  => 'hr',
    object  => 'employees');
end;
/
select column_name from dba_tab_cols
 where table_name = 'EMPLOYEES' and hidden_column = 'YES';
39. Oracle Real Application Security (RAS)
Static policies (data realms):
XS$REALM_CONSTRAINT_TYPE(realm => 'DEPARTMENT_ID=50',
  acl_list => XS$NAME_LIST('HRACL'),
  is_static => TRUE); -- default is FALSE
A materialized view is generated automatically to keep the binding between
rows and ACLs
Change the ACL refresh mode to on-commit or on-demand refresh with
XS_DATA_SECURITY_UTIL.ALTER_STATIC_ACL_REFRESH
40. Oracle Real Application Security (RAS)
ACLs evaluation order:
1) application user-managed ACLs - from grants directly on object instances
2) ACLs from static data realm constraint grants are evaluated next
3) ACLs from dynamic data realm constraint grants are evaluated last
To see realms associated with tables:
DBA_XS_REALM_CONSTRAINTS
DBA_XS_* and DBA_XDS_* views to see all related data to RAS
ras-check.sql script
41. Oracle Real Application Security (RAS)
Parameters in data realm rules – definition
DECLARE
  rows_sec XS$REALM_CONSTRAINT_LIST;
BEGIN
  -- 1) realm predicate with a &REGION placeholder that each ACL binds later
  rows_sec := XS$REALM_CONSTRAINT_LIST(
    XS$REALM_CONSTRAINT_TYPE(
      realm => 'COUNTRY_REGION = &' || 'REGION'));
  -- 2) policy built from that constraint list
  sys.xs_data_security.create_policy(
    name => 'SH.CUSTOMER_DS',
    realm_constraint_list => rows_sec,
    description => 'Policy to protect sh.customers table');
  -- 3) declare the parameter name and type used in the realm
  sys.xs_data_security.create_acl_parameter(
    policy => 'SH.CUSTOMER_DS',
    parameter => 'REGION',
    param_type => XS_ACL.TYPE_VARCHAR);
END;
/
42. Oracle Real Application Security (RAS)
Parameters in data realm rules ā usage when creating ACL
DECLARE
ace_list XS$ACE_LIST;
BEGIN
ace_list := XS$ACE_LIST(
XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
granted => true,
principal_name => 'Americas_sales'),
XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT', 'VIEW_SENSITIVE_INFO'),
granted => true,
principal_name => 'Business_Analyst'));
sys.xs_acl.create_acl(name => 'View_Americas_sales',
ace_list => ace_list,
sec_class => 'SH.CUST_SEC_CLASS',
description => 'Authorize read access for the Americas region');
sys.xs_acl.add_acl_parameter(acl => 'View_Americas_sales',
policy => 'SH.CUSTOMER_DS',
parameter => 'REGION',
value => 'Americas');
END;
/
43. Oracle Real Application Security (RAS) - Trace
• V$VPD_POLICY works
• dump all the data realm constraint rules:
ALTER SESSION SET EVENTS 'TRACE[XSXDS] disk=high';
• dump the VPD views of the XDS-enabled table during the initial
(hard) parse:
ALTER SESSION SET EVENTS 'TRACE[XSVPD] disk=high';
44. Oracle Real Application Security (RAS)
• Default passwords for RAS users are created with SHA-2 hashes.
SQL Developer uses JDBC, which does not support SHA-512 hashes, so
SHA-1 passwords need to be specified for those cases:
exec XS_PRINCIPAL.SET_PASSWORD('john', 'john', xs_principal.XS_SALTED_SHA1);
• SA_SESSION.SET_ACCESS_PROFILE
– To implement proxy accounts with application users
– SA_SESSION.SA_USER_NAME function to see the current username
45. Today's topics
• What is Fine Grain Access control?
• Functionalities available with Oracle
• Implementing row level security
– With standard edition
– Using VPD
– Using OLS
– Using RAS
• Complex scenarios
46. Complex scenarios?
• Combined with other functionalities
– Oracle Internet Directory
– Result cache, materialized views, non-deterministic functions, etc.
• Mixed application usages of the same data – VPD + non-VPD
– Views for applying policies, base table access for non-VPD
– Grants / synonyms to control access to the correct ones
• Multiple policies
– The combined condition should be valid
– Definition challenge when applied to multiple tables
47. Performance considerations
– Traditional tuning, considering the final user + policy conditions for SQLs
• V$VPD_POLICY to start
– The optimizer does not estimate cardinality when using functions in policies
• id = SYS_CONTEXT('USERENV', 'SESSION_USER')  => no cardinality estimate
• id = 10  => it does
48. Changes in different versions
• 9i
– Multiple policies per table. Global contexts.
• 10g
– Column based policies, column masking, policy types
• 11g
– Support for MERGE INTO statement
• 12c
– RAS
– VPD context-sensitive policies – evaluated only if the associated
application context attribute changes
49. Auditing - OLS
12c - unified auditing
• enabling and disabling of OLS policies, etc.
SELECT * FROM AUDITABLE_SYSTEM_ACTIONS WHERE COMPONENT = 'Label Security';
• example:
CREATE AUDIT POLICY audit_ols
ACTIONS SELECT ON OE.ORDERS
ACTIONS COMPONENT=OLS ALL;
• Oracle Label Security session label attributes can be audited
AUDIT CONTEXT NAMESPACE ORA_SESSION_LABELS ATTRIBUTES lsec_pol1, lsec_pol2;
• Auditing Oracle Label Security Events: https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454
• SYS.UNIFIED_AUDIT_TRAIL.xs_user_name for RAS db connections, XS$NULL on sys.aud$
Pre-12c auditing (OLS):
• using SA_AUDIT_ADMIN package
https://docs.oracle.com/database/121/OLSAG/packages.htm#GUID-C4FB5E20-D9B8-48A1-9DDB-1ACA4722846E
51. Conclusions
• Several alternatives available with different functionality
• Some limitations exist; testing is needed to validate it works for your
needs
• Access to packages that modify policies should be protected and
audited
• Don't underestimate the effort needed to design the policies
• Changes in different versions
• RAS is brand new but should be used for all new developments
53. References - documentation
– Oracle license 12c
https://docs.oracle.com/database/121/DBLIC/editions.htm#DBLIC110
– Oracle Label Security
https://docs.oracle.com/database/121/OLSAG/toc.htm
http://www.oracle.com/technetwork/database/options/label-security/label-security-wp-12c-1896140.pdf
– Oracle VPD
https://docs.oracle.com/database/121/TDPSG/GUID-92A1A94D-319C-4FB2-AEC3-B86415D72628.htm#TDPSG94442
– Oracle Real Application Security
http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html
– Auditing Oracle Label Security Events
https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454
– Application context
https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG172