This tutorial shows you how Oracle Database Vault prevents a powerful user with the DBA role from accessing private data from the HR department.
Approximately 15 minutes
This tutorial covers the following topics:
- Overview
- Prerequisites
- Creating a Realm Around the HR Schema
- Testing the Realm
- Producing an Audit Report
- Summary
Oracle Database Vault helps customers address the most difficult security problems remaining today - protecting against the insider threat, meeting regulatory compliance requirements and enforcing separation of duty. Oracle Database Vault keeps the DBA from viewing application data, a top concern for customers who must protect sensitive business information or privacy data related to partners, employees and customers. Oracle Database Vault keeps the powerful application DBAs from accessing other applications and from performing tasks outside their authorized responsibilities. Oracle Database Vault can protect existing applications quickly and easily without interfering with the application functionality.
Before you perform this tutorial, you should:
1. Install Oracle Database 11g Release 11.1.0.6. Create a database with the sample schemas (either during the installation process or afterwards).
2. Download and unzip Oracle SQL Developer.
3. Configure the Oracle Database Vault option for your database. Oracle Database Vault is not installed in a default Oracle Database installation, but it is one of the products available on the Oracle Database installation media. You can install it into an existing database by using Oracle Universal Installer. After you install Oracle Database Vault, use the Database Configuration Assistant (dbca) to register Database Vault with your database and then create the required Database Vault accounts (see the Oracle Database 2 Day + Security Guide 11g Release 1 (11.1) online documentation for more information).
You want to create a database connection as SYSTEM to see if you can access some sensitive Employee Information. Perform the following steps:
1. Open Oracle SQL Developer. Right-click Connections and select New Connection.
2. Enter the following information and click Test.
   Connection Name: system@database vault
3. When the status is Success, click Connect.
4. Your connection was made.
In this topic you access Employee Information while logged in as the SYSTEM user. Perform the following steps:
1. Enter the following SELECT statement in the SQL Worksheet area and click the Execute Statement icon:
   SELECT last_name, salary FROM hr.employees WHERE employee_id < 110
2. The SYSTEM user was able to access private Employee information, even though the SYSTEM user should not be able to read this data. Oracle Database Vault resolves this easily with Realms, which are discussed in the next topic.
In this topic you create a realm around the HR schema, which prevents all users from making any modifications to the HR schema. The HR user, however, is excluded from these limitations. Perform the following steps:
1. Open your browser and enter the following URL: https://<your_hostname>:1158/dva
   Log in with the following credentials:
   User Name: <your_database_vault_owner>
2. Click the Realms link.
3. To create a new Realm, click Create.
4. Enter HR Application Protection for the Name and provide a meaningful description. Make sure Enabled is selected for Status and Audit On Failure is selected for Audit Options. Then click OK.
5. Select the new Realm and click Edit.
6. Under Realm Secured Objects, click Create.
7. From the list of Object Owners, select HR. Because all the objects in the HR schema should be protected, make sure % is selected for both Object Type and Object Name. Then click OK.
8. Notice that the HR schema objects now appear in the Realm Secured Objects list. Click OK to finish editing the Realm.
9. Your HR Application Protection Realm has been created.
Now that you have added a Realm around all objects in the HR schema, re-execute the SQL statement you previously ran in Oracle SQL Developer. This time the Employee Information cannot be accessed and you receive a Realm Violation. Perform the following steps:
1. Switch back to Oracle SQL Developer. Click the Execute Statement icon.
2. A Realm violation occurs: this time, when SYSTEM tries to access private Employee information, the statement is rejected.
When the Realm was created, the auditing option was set to Audit On Failure. Perform the following steps to verify the audit:
1. Switch back to Oracle Database Vault. Click the Database Instance: orcl link to return to the main Database Vault page for this database.
2. Click the Database Vault Reports tab.
3. Under the Database Vault Reporting category, select Realm Audit and click Run Report.
4. The report is displayed. Notice that the Realm you created was invoked.
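The realm built in the Database Vault Administrator pages above, and the audit records behind the Realm Audit report, can also be handled from SQL*Plus. The following is an added example, not part of the original tutorial: it uses the DBMS_MACADM package while connected as the Database Vault owner account created by dbca, and the description text and the DVSYS.AUDIT_TRAIL$ column list are my assumptions rather than values from the tutorial.

```sql
-- Run while connected as the Database Vault owner (the DV_OWNER account
-- created when Database Vault was registered with dbca).
BEGIN
  -- Step 4 of the tutorial: name, Enabled status, Audit On Failure.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Protection',
    description   => 'Protects all HR schema objects from privileged users', -- assumed text
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Step 7 of the tutorial: owner HR, Object Type % and Object Name %,
  -- so every current and future object in the HR schema is secured.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Protection',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/

-- Same information the Edit Realm page shows under Realm Secured Objects.
SELECT r.name, r.enabled, r.audit_options,
       o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'HR Application Protection';

-- Re-running the tutorial's query as SYSTEM now fails with a realm violation
-- (ORA-01031: insufficient privileges), because the realm blocks SYSTEM's
-- system privileges on HR objects while HR itself still owns and can use them:
--   SELECT last_name, salary FROM hr.employees WHERE employee_id < 110;

-- Because Audit On Failure was chosen, that violation is written to the
-- Database Vault audit trail, which is what the Realm Audit report reads.
-- Column names are assumed from the DVSYS.AUDIT_TRAIL$ table.
SELECT username, action_name, action_object_name, returncode, comment_text
  FROM dvsys.audit_trail$
 WHERE action_object_name = 'HR Application Protection'
 ORDER BY timestamp DESC;
```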
In this tutorial, you learned how to restrict a privileged user from accessing private data in the HR Schema.