Restricting Privileged Users from Accessing Private Application Data Using Oracle Database Vault

Purpose

This tutorial shows you how Oracle Database Vault prevents a powerful user with the DBA role from accessing private data from the HR department.

Time to Complete

Approximately 15 minutes

Topics

This tutorial covers the following topics:

 Overview
 Prerequisites
 Creating a SYSTEM Database Connection
 Accessing Private Data as the SYSTEM User
 Creating a Realm Around the HR Schema
 Testing the Realm
 Producing an Audit Report
 Summary


Overview

Oracle Database Vault helps customers address the most difficult security problems remaining today: protecting against the insider threat, meeting regulatory compliance requirements, and enforcing separation of duty. Oracle Database Vault keeps the DBA from viewing application data, a top concern for customers who must protect sensitive business information or privacy data related to partners, employees, and customers. It keeps powerful application DBAs from accessing other applications and from performing tasks outside their authorized responsibilities, and it can protect existing applications quickly and easily without interfering with application functionality.


Prerequisites

Before you perform this tutorial, you should:

1. Install Oracle Database 11g Release 11.1.0.6. Create a database with the sample schemas (either during the install process or afterwards).

2. Download and unzip Oracle SQL Developer.

3. Configure the Oracle Database Vault option for your database. Oracle Database Vault is not installed in a default Oracle Database installation, but it is part of the products available on the Oracle Database installation media. You can install it into an existing database by using Oracle Universal Installer. After you install Oracle Database Vault, use the Database Configuration Assistant (dbca) to register Database Vault with your database and then create the required Database Vault accounts (see the Oracle Database 2 Day + Security Guide 11g Release 1 (11.1) online documentation for more information).


Creating a SYSTEM Database Connection

You want to create a database connection as SYSTEM to see if you can access some sensitive Employee Information. Perform the following steps:

1. Open Oracle SQL Developer. Right-click Connections and select New Connection.

2. Enter the following information and click Test.

   Connection Name: system@database vault
   Username: system
   Password: <your_system_password>
   Save Password: checked
   Hostname: <your_hostname or ip>
   Port: <your_database_port>
   SID: <your_database_sid>

3. When the status is successful, click Connect.

4. Your connection has been made.


Accessing Private Data as the SYSTEM User

In this topic you access Employee Information logged in as the SYSTEM user. Perform the following steps:

1. Enter the following SELECT statement in the SQL Worksheet area and click the Execute Statement icon or press F9.

   SELECT last_name, salary
     FROM hr.employees
    WHERE employee_id < 110;

2. The SYSTEM user was able to access private Employee information. The SYSTEM user should not be able to access this data. Oracle Database Vault resolves this issue easily using Realms, which are discussed in the next topic.

 


Creating a Realm Around the HR Schema

In this topic you create a realm around the HR schema, which prevents other users from making any modifications to the HR schema. The HR user itself, however, is exempt from these limitations. Perform the following steps:

1. Open your browser and enter the following URL:

   https://<your_hostname>:1158/dva

   Enter the following information and click Login.

   User Name: <your_database_vault_owner>
   Password: <your_database_vault_owner_password>
   Host: <your_hostname>
   Port: <your_database_port>
   SID / Service: <select SID and enter your_database_sid>

2. Click the Realms link.

3. To create a new Realm, click Create.

4. Enter HR Application Protection for the Name and provide a meaningful description. Make sure Status is set to Enabled and Audit On Failure is selected for Audit Options. Then click OK.

5. Select the new Realm and click Edit.

6. Under Realm Secured Objects, click Create.

7. From the list of Object Owners, select HR. Since all the objects in the HR schema should be protected, make sure % is selected for both Object Type and Object Name. Then click OK.

8. Notice that the HR schema objects now appear in the Realm Secured Objects list. Click OK to finish editing the Realm.

9. Your HR Application Protection Realm has been created.
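The same realm can be created from SQL*Plus with the DBMS_MACADM PL/SQL API instead of the Database Vault Administrator pages. This is an added example, not part of the original tutorial: the realm name, the description text and the HR/%/% object pattern follow the steps above, and it assumes you run it as the Database Vault owner account.

```sql
-- Added example: build the HR Application Protection realm with DBMS_MACADM.
-- Run as the Database Vault owner (DV_OWNER role); the realm name and the
-- HR.% secured-object pattern mirror steps 4 to 7 of the tutorial.
BEGIN
  -- Step 4: create the realm, enabled, auditing failed access attempts only
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Protection',
    description   => 'Protects all objects in the HR schema from users relying on system privileges',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Steps 6 and 7: secure every object type (%) and object name (%) owned by HR
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Protection',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/

-- Steps 8 and 9: confirm the realm is enabled with Audit on Failure (audit_options = 1)
SELECT name, enabled, audit_options
  FROM DVSYS.DBA_DV_REALM
 WHERE name = 'HR Application Protection';

-- ... and that the HR/%/% secured-object entry is attached to it
SELECT owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'HR Application Protection';
```

Realms only stop access that relies on system privileges, which is why HR itself can still query its own tables afterwards; if HR needs to create or alter objects in its schema, that DDL uses system privileges and HR must be authorized in the realm with DBMS_MACADM.ADD_AUTH_TO_REALM.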

 


Testing the Realm

Now that you have added a Realm around all objects in the HR schema, re-execute the SQL statement you previously ran in Oracle SQL Developer. This time the Employee Information cannot be accessed and you receive a Realm Violation. Perform the following steps:

1. Switch back to Oracle SQL Developer. Click the Execute Statement icon or press F9 to re-execute the SQL you ran previously.

2. This time, when SYSTEM tries to access the private Employee information, a Realm violation occurs and the query fails.

 


Producing an Audit Report

When the Realm was created, the auditing option was set to Audit on Failure. Perform the following steps to verify the audit:

1. Switch back to Oracle Database Vault. Click the Database Instance: orcl link to return to the main Database Vault page for this database.

2. Click the Data Vault Reports tab.

3. Under the Data Vault Reporting category, select Realm Audit and click Run Report.

4. The report is displayed. Notice that the Realm you created was invoked.
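The Realm Audit report reads the Database Vault audit trail, which you can also query directly when you need the record outside the browser (for instance to feed a SIEM). This is an added example, not part of the original tutorial; it assumes the 11g audit trail is the DVSYS.AUDIT_TRAIL$ table with the column names shown, and that a realm violation is stored with the ORA-47401 error number in RETURNCODE.

```sql
-- Added example: pull the realm violation recorded by the Testing the Realm step
-- straight from the Database Vault audit trail. Run as the Database Vault owner.
-- Assumptions: table DVSYS.AUDIT_TRAIL$ and the column names below; realm
-- violations surface as ORA-47401, so RETURNCODE = 47401 selects them.
SELECT extended_timestamp,
       username,            -- the session user that hit the realm (SYSTEM)
       action_name,         -- the Database Vault audit action, e.g. a realm violation
       action_object_name,  -- the realm that was invoked
       owner,               -- owner of the protected object (HR)
       obj_name,            -- protected object (EMPLOYEES)
       returncode,          -- 47401 = realm violation
       action_command       -- the statement that was blocked
  FROM DVSYS.AUDIT_TRAIL$
 WHERE action_object_name = 'HR Application Protection'
   AND returncode = 47401
 ORDER BY extended_timestamp DESC;
```

Because the realm was created with Audit on Failure, only blocked attempts appear here; successful access by HR is not written to the trail.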

 


Summary

In this tutorial, you learned how to restrict a privileged user from accessing private data in the HR schema.
