Book Image

Oracle Database 12c Security Cookbook

By : Zoran Pavlovic, Maja Veselica
Book Image

Oracle Database 12c Security Cookbook

By: Zoran Pavlovic, Maja Veselica

Overview of this book

Businesses around the world are paying much greater attention toward database security than they ever have before. Not only does the current regulatory environment require tight security, particularly when dealing with sensitive and personal data, data is also arguably a company’s most valuable asset - why wouldn’t you want to protect it in a secure and reliable database? Oracle Database lets you do exactly that. It’s why it is one of the world’s leading databases – with a rich portfolio of features to protect data from contemporary vulnerabilities, it’s the go-to database for many organizations. Oracle Database 12c Security Cookbook helps DBAs, developers, and architects to better understand database security challenges. Let it guide you through the process of implementing appropriate security mechanisms, helping you to ensure you are taking proactive steps to keep your data safe. Featuring solutions for common security problems in the new Oracle Database 12c, with this book you can be confident about securing your database from a range of different threats and problems.

Related Content you might be interested in

Current Title:

Small book image
Oracle Database 12c Security Cookbook
Zoran Pavlovic | Maja Veselica
Jun, 2016 | 388 pages
No titles found
Table of Contents (18 chapters)
Oracle Database 12c Security Cookbook
Oracle Database 12c Security Cookbook
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Basic Database Security
Basic Database Security
Introduction
Creating a password profile
Creating password-authenticated users
Changing a user's password
Creating a user with the same credentials on another database
Locking a user account
Expiring a user's password
Creating and using OS-authenticated users
Creating and using proxy users
Creating and using database roles
The sysbackup privilege – how, when, and why should you use it?
The syskm privilege – how, when, and why should you use it?
The sysdg privilege – how, when, and why should you use it?
2
Security Considerations in Multitenant Environment
Security Considerations in Multitenant Environment
Introduction
Creating a common user
Creating a local user
Creating a common role
Creating a local role
Granting privileges and roles commonly
Granting privileges and roles locally
Effects of plugging/unplugging operations on users, roles, and privileges
3
PL/SQL Security
PL/SQL Security
Introduction
Creating and using definer's rights procedures
Creating and using invoker's right procedures
Using code-based access control
Restricting access to program units by using accessible by
4
Virtual Private Database
Virtual Private Database
Introduction
Creating different policy functions
Creating Oracle Virtual Private Database row-level policies
Creating column-level policies
Creating a driving context
Creating policy groups
Setting context as a driving context
Adding policy to a group
Exempting users from VPD policies
5
Data Redaction
Data Redaction
Introduction
Creating a redaction policy when using full redaction
Creating a redaction policy when using partial redaction
Creating a redaction policy when using random redaction
Creating a redaction policy when using regular expression redaction
Using Oracle Enterprise Manager Cloud Control 12c to manage redaction policies
Changing the function parameters for a specified column
Add a column to the redaction policy
Enabling, disabling, and dropping redaction policy
Exempting users from data redaction policies
6
Transparent Sensitive Data Protection
Transparent Sensitive Data Protection
Introduction
Creating a sensitive type
Determining sensitive columns
Creating transparent sensitive data protection policy
Associating transparent sensitive data protection policy with sensitive type
Enabling, disabling, and dropping policy
Altering transparent sensitive data protection policy
7
Privilege Analysis
Privilege Analysis
Introduction
Creating database analysis policy
Creating role analysis policy
Creating context analysis policy
Creating combined analysis policy
Starting and stopping privilege analysis
Reporting on used system privileges
Reporting on used object privileges
Reporting on unused system privileges
Reporting on unused object privileges
How to revoke unused privileges
Dropping the analysis
8
Transparent Data Encryption
Transparent Data Encryption
Introduction
Configuring keystore location in sqlnet.ora
Creating and opening the keystore
Setting master encryption key in software keystore
Column encryption - adding new encrypted column to table
Column encryption - creating new table that has encrypted column(s)
Using salt and MAC
Column encryption - encrypting existing column
Auto-login keystore
Encrypting tablespace
Rekeying
Backup and Recovery
9
Database Vault
Database Vault
Introduction
Registering Database Vault
Preventing users from exercising system privileges on schema objects
Securing roles
Preventing users from executing specific command on specific object
Creating a rule set
Creating a secure application role
Using Database Vault to implement that administrators cannot view data
Running Oracle Database Vault reports
Disabling Database Vault
Re-enabling Database Vault
10
Unified Auditing
Unified Auditing
Introduction
Enabling Unified Auditing mode
Configuring whether loss of audit data is acceptable
Which roles do you need to have to be able to create audit policies and to view audit data?
Auditing RMAN operations
Auditing Data Pump operations
Auditing Database Vault operations
Creating audit policies to audit privileges, actions and roles under specified conditions
Enabling audit policy
Finding information about audit policies and audited data
Auditing application contexts
Purging audit trail
Disabling and dropping audit policies
11
Additional Topics
Additional Topics
Introduction
Exporting data using Oracle Data Pump in Oracle Database Vault environment
Creating factors in Oracle Database Vault
Using TDE in a multitenant environment
12
Appendix – Application Contexts
Appendix – Application Contexts
Introduction
Exploring and using built-in contexts
Creating an application context
Setting application context attributes
Using an application context

Creating and using database roles

In this recipe, you'll learn the basics about database roles. Roles group together related system and/or object privileges and they can be granted to users and other roles. They simplify privilege management (for example, rather than granting the same set of privileges to many users, you can grant those privileges to a role and then grant that role to users that need those privileges).

Getting ready

For this recipe, you will need an existing (for example, OS-authenticated) user that has a dba role and another three existing users (for example, mike, tom, and jessica). It is assumed that sample schemas are installed.

How to do it...

  1. Connect to the database as a user who has a dba role:

    $ sqlplus /

  2. Create the role usr_role:

    SQL> create role usr_role;

  3. Grant system privilege to usr_role:

    SQL> grant create session to usr_role;

  4. Grant object privileges to usr_role:

    SQL> grant select, insert on hr.employees to usr_role;

  5. Create another role as follows:

    SQL> create role mgr_role;

  6. Grant usr_role to mgr_role:

    SQL> grant usr_role to mgr_role;

  7. Grant system privileges to mgr_role:

    SQL> grant create table to mgr_role;

  8. Grant object privileges to mgr_role:

    SQL> grant update, delete on hr.employees to mgr_role;

  9. Grant usr_role to user (mike):

    SQL> grant usr_role to mike;

  10. Grant mgr_role to user (tom):

    SQL> grant mgr_role to tom;

How it works...

In the first step, you used OS authentication to connect to the database. In steps 2 and 3, you granted system privileges and object privileges, respectively, to the role usr_role. In the next steps, you practiced using database roles; you granted the following:

  • A role to another role

  • System and object privileges to role

  • Roles to users

You revoke privileges and roles by using a revoke statement. For example:

SQL> revoke usr_role from mike;

Note

Circular granting of roles is not allowed.

SQL> grant role1 to role2;
Grant succeeded.

SQL> grant role2 to role1;
grant role2 to role1
*
ERROR at line 1: ORA-01934: circular role grant detected

There's more...

Tip

You should be careful about granting privileges to the PUBLIC role because then every database user can use these privileges.

Suppose that user mike grants object privilege to user jessica with a grant option and user jessica grants that privilege to user tom. If user mike revokes that privilege from jessica, it will be automatically revoked from tom.

Note

Revoking a system privilege will not cascade.

SQL> grant select on hr.employees to jessica with grant option;
Grant succeeded.

SQL> connect jessica
Enter password:
Connected.

SQL> grant select on hr.employees to tom;
Grant succeeded.

SQL> connect tom/oracle_123
Connected.

SQL> select count(*) from hr.employees;
COUNT(*)
----------
 107

SQL> connect mike/welcome1
Connected.

SQL> revoke select on hr.employees from jessica;
Revoke succeeded.

SQL> connect tom/oracle_123
Connected.

SQL> select count(*) from hr.employees;
select count(*) from hr.employees
*
ERROR at line 1:
ORA-00942: table or view does not exist

Note

You cannot revoke object privileges you didn't grant.

See also

  • If you want to learn more about roles, see the official Oracle documentation—Oracle Database Security Guide 12c Release 1 (refer Chapter 4, Configuring Privilege and Role Authorization, of this documentation).

Previous Section
End of Section 11
Next Section