Restricting Privileged Users from Accessing Private Application Data Using Oracle Database Vault

Purpose

This tutorial shows you how Oracle Database Vault prevents a powerful user with the DBA role from accessing private data from the HR department.

Time to Complete

Approximately 15 minutes

Topics

This tutorial covers the following topics:

 Overview
 Prerequisites
 Creating a SYSTEM Database Connection
 Accessing Private Data as the SYSTEM User
 Creating a Realm Around the HR Schema
 Testing the Realm
 Producing an Audit Report
 Summary


Overview

Oracle Database Vault helps customers address the most difficult security problems remaining today - protecting against the insider threat, meeting regulatory compliance requirements and enforcing separation of duty. Oracle Database Vault keeps the DBA from viewing application data, a top concern for customers who must protect sensitive business information or privacy data related to partners, employees and customers. Oracle Database Vault keeps the powerful application DBAs from accessing other applications and from performing tasks outside their authorized responsibilities. Oracle Database Vault can protect existing applications quickly and easily without interfering with the application functionality.

Back to Topic List

Prerequisites

Before you perform this tutorial, you should:

1. Install Oracle Database 10g Release 10.2.0.2.

2. Download and unzip Oracle SQL Developer.

3. Install the Oracle Database Vault Option (coming soon)

Back to Topic List

Creating a SYSTEM Database Connection

You will create a database connection as SYSTEM to check whether that account can read sensitive Employee Information. Perform the following steps:

1. Open Oracle SQL Developer. Right-click on Connections and select New Database Connection.

2. Enter the following information and click Test.

   Connection Name: system@database vault
   Username: system
   Password: <your_system_password>
   Save Password: checked
   Hostname: <your_hostname>
   Port: <your_database_port>
   SID: <your_database_sid>

3. When the status is successful, click Connect.

4. Your connection is made.


Accessing Private Data as the SYSTEM User

In this topic you access Employee Information logged in as the SYSTEM user. Perform the following steps:

1. Enter the following SELECT statement in the SQL Worksheet area and click the Execute Statement icon or press F9.

   SELECT last_name name, ssn
     FROM hr.employees
    WHERE employee_id < 110;

2. The SYSTEM user was able to read private Employee information. The SYSTEM user should not be able to access this data. Oracle Database Vault resolves this with Realms, which are discussed in the next topic.

 

Back to Topic List

Creating a Realm Around the HR Schema

In this topic you create a realm around the HR schema, which blocks every user from accessing or modifying the HR schema's objects through system privileges. The HR user itself is not subject to these limitations. Perform the following steps:

1. Open your browser and enter the following URL:

   http://<your_hostname:port>/dva

   Enter dvowner for the User Name and <your_password> for the Password. Then click Login.

2. Click the Realms link.

3. To create a new Realm, click Create.

4. Enter a Name, make sure the Enabled Status is selected, and select Audit On Failure for Audit Options. Then click OK.

5. Select the new Realm and click Edit.

6. Under Realm Secured Objects, click Create.

7. From the list of Object Owners, select HR. Since all the objects in the HR schema should be protected, make sure % is selected for both Object Type and Object Name. Then click OK.

8. Click OK to create the Realm.

9. Your Realm has been created.
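The same realm can be defined from SQL instead of the Database Vault Administrator pages. The following block is an added example, not part of the Oracle tutorial: it uses the DBMS_MACADM administration package, run as the Database Vault owner (dvowner in this tutorial), and then reads the definition back from the DVSYS data dictionary views. The realm name "HR Realm" and the description are assumptions; the parameter and column names are those documented for DBMS_MACADM and the DBA_DV_REALM views and should be checked against your release.

```sql
-- Added example (not the tutorial's own code). Run as the Database Vault owner.
-- Realm name and description are assumed values.
BEGIN
  -- Steps 3-4 above: create the realm, enabled, auditing failed accesses only
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects every object owned by HR',
    enabled       => DBMS_MACUTL.G_YES,                -- Enabled Status
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- Audit On Failure

  -- Steps 6-7 above: secure all objects of owner HR (% = any type, any name)
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/

-- Verify what was stored: one row per secured object pattern
SELECT r.name, r.enabled, r.audit_options,
       o.owner, o.object_type, o.object_name
  FROM dvsys.dba_dv_realm r
  JOIN dvsys.dba_dv_realm_object o
    ON o.realm_name = r.name
 WHERE r.name = 'HR Realm';
```

Scripting the realm this way keeps the protection definition under version control and lets you re-apply it after a refresh; the verification query is also a quick check that the realm is still enabled and still covers the whole schema.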

 

Back to Topic List

Testing the Realm

Now that you have added a Realm around all objects in the HR schema, you can re-execute the SQL statement you previously ran in Oracle SQL Developer. This time the Employee Information cannot be accessed and you receive a Realm Violation. Perform the following steps:

1. Switch back to Oracle SQL Developer. Click the Execute Statement icon or press F9 to re-execute the SQL you ran previously.

2. A Realm violation occurs: when SYSTEM tries to access private Employee information this time, the query is rejected.

 

Back to Topic List

Producing an Audit Report

When the Realm was created, the auditing option was set to Audit on Failure. Perform the following steps to verify the audit:

1. Switch back to Oracle Database Vault. Click the Data Vault Reports tab.

2. Under the Data Vault Reporting category, select Realm Audit and click Run Report.

3. The report is displayed. Notice that the Realm you created was invoked.
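The Realm Audit report reads the Database Vault audit trail; the same evidence can be pulled with a query, which is what you would wire into a monitoring job rather than opening the report by hand. This is an added example, not part of the Oracle tutorial. It first shows the statement that fails for SYSTEM, then, as the Database Vault owner, lists the failure records the Audit On Failure option produced. The view and column names follow DVSYS.AUDIT_TRAIL$ as documented for Database Vault 10g/11g and should be checked against your release; the error number is the standard realm violation error, not something the tutorial states.

```sql
-- Added example (not the tutorial's own code).

-- 1. As SYSTEM: the tutorial's query, now blocked by the realm.
--    Expected result: ORA-47401: Realm violation for SELECT on HR.EMPLOYEES
SELECT last_name name, ssn
  FROM hr.employees
 WHERE employee_id < 110;

-- 2. As the Database Vault owner: the audit record written because the realm
--    was created with Audit On Failure. Column names assumed from the
--    DVSYS.AUDIT_TRAIL$ documentation; verify on your release.
SELECT username,          -- who attempted the access (SYSTEM)
       action_name,       -- e.g. the SQL action that was denied
       owner, obj_name,   -- HR / EMPLOYEES
       returncode,        -- Oracle error raised for the violation
       timestamp
  FROM dvsys.audit_trail$
 WHERE owner = 'HR'
   AND returncode <> 0    -- only denied attempts are recorded under Audit On Failure
 ORDER BY timestamp DESC;
```

A realm with Audit On Failure records only denied attempts, so an empty result here after a known violation means the audit setting was not saved, which is worth checking before relying on the report.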

 

Back to Topic List

Summary

In this tutorial, you learned how to restrict a privileged user from accessing private data in the HR schema.

Back to Topic List
