Oracle Security

Dale Roberts, Lecturer
Computer Science, IUPUI
Department of Computer and Information Science, School of Science, IUPUI
E-mail: [email protected]

Where Is Security Enforced? Application

Applications often need to be security-aware.

Some commercial applications use the One Big Application user model, in which the SQL that users submit is restricted by the application.

Are application users also database users? (Does the application have its own user table?) What user is used to connect to Oracle?

Applications whose users are not database users have no choice but to manage security themselves.

Security best practice is to authenticate each user with the database rather than using a shared application id (applid). Sharing an applid compromises security because the identity of the user is unknown to the database.

Ad-hoc tools like SQL*Plus, Access, Excel or Toad do not restrict the SQL and so bypass application security.

Universal implementation of security requires that every application module correctly implement security, which is difficult and expensive.

Where Is Security Enforced? Database

Applications whose users are also database users can choose to implement application or database security.

Database security cannot be bypassed, even with ad hoc tools.

Oracle audit features can record who does what inside the database.

Database roles can be set up for different classes of users, allowing and restricting access as appropriate.

Database roles can be derived from enterprise roles maintained outside of Oracle (LDAP with Oracle Identity Management), reducing administrative burden.

Basic Oracle Security

By what authority?

Users

Roles

Grant and revoke

Synonyms

CREATE USER

CREATE USER username IDENTIFIED BY password;
CREATE USER username IDENTIFIED EXTERNALLY;

Changing passwords:

ALTER USER username IDENTIFIED BY password;

Password management is determined by DBA-created profiles: password lifetime, grace period, account lock rules and password reuse rules.

Moving to another user with the SQL*Plus CONNECT command:

CONNECT
CONNECT username
CONNECT username/password

Password Management

CREATE PROFILE prof LIMIT
  FAILED_LOGIN_ATTEMPTS 4
  PASSWORD_LOCK_TIME 30
  PASSWORD_LIFE_TIME 90
  PASSWORD_GRACE_TIME 3;

ALTER USER johndoe PROFILE prof;

ALTER USER johndoe ACCOUNT UNLOCK;

CREATE USER jbrown IDENTIFIED BY zX83yT ... PASSWORD EXPIRE;
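The profile and account steps above, carried through as one added example that is not the lecture's code: the limits are the slide's, while the profile name, the user names, the password, the tablespace and the verification query are assumptions added here.

```sql
-- Added example (not from the slides): the profile limits are the ones shown above;
-- the profile name, user name, tablespace and password are constructed.
CREATE PROFILE appl_user_prof LIMIT
  FAILED_LOGIN_ATTEMPTS 4     -- lock the account after 4 consecutive failed logins
  PASSWORD_LOCK_TIME    30    -- keep it locked for 30 days (fractions work: 1/24 = one hour)
  PASSWORD_LIFE_TIME    90    -- force a change every 90 days
  PASSWORD_GRACE_TIME   3     -- warn for 3 days before the expired password is enforced
  PASSWORD_REUSE_MAX    5     -- a password may return only after 5 different ones ...
  PASSWORD_REUSE_TIME   365;  -- ... and only after a year (with one UNLIMITED, never)

-- A new account: no storage quota (data lives in the application schema), the
-- hardened profile, and an expired password so the first logon forces a change.
CREATE USER jbrown IDENTIFIED BY "zX83yT-PLACEHOLDER"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users
  PROFILE appl_user_prof
  PASSWORD EXPIRE;
GRANT CREATE SESSION TO jbrown;   -- the one system privilege needed to connect

-- Reset a lockout caused by failed logins without touching the password.
ALTER USER jbrown ACCOUNT UNLOCK;

-- Check: open accounts whose profile never locks after failed logins. A LIMIT of
-- 'DEFAULT' inherits the DEFAULT profile's value, so it is flagged for review too.
SELECT u.username, u.profile, u.account_status, p.limit AS failed_logins
  FROM dba_users u
  JOIN dba_profiles p
    ON p.profile = u.profile
   AND p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
 WHERE u.account_status = 'OPEN'
   AND p.limit IN ('UNLIMITED', 'DEFAULT')
 ORDER BY u.username;
```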

CREATE ROLE

Roles manage sets of privileges.

CREATE ROLE rolename;

Standard Oracle roles:

CONNECT: connect to the database and perform very limited functions.

RESOURCE: for basic users.

DBA: all system privileges.

The maximum number of roles allowed is set at startup by the max_enabled_roles parameter (30 on phoenix).

Roles can have passwords, but do not by default.

Role-based Security Model

Roles are a named set of privileges.

Roles resolve delete anomalies, such as dropping a user and losing all the security rules.

Users are never directly assigned privileges.

More than one role can be active.

GRANT and REVOKE

Grant for object privileges:

GRANT {privilege, ... | ALL} [(column, ...)]
  ON object TO {user | role}
  [WITH GRANT OPTION]
  [WITH HIERARCHY OPTION];

Grant for system privileges:

GRANT {system privilege | role | ALL}
  TO {user | role} [, {user | role}, ...]
  [IDENTIFIED BY password]
  [WITH ADMIN OPTION];

REVOKE takes privileges from roles or users:

REVOKE {system privilege | role | ALL} [, {system privilege | role | ALL} ...]
  FROM {user | role} [, {user | role}, ...];

Synonyms, Examples, Other

What you can grant to other users:

Tables: ALTER, REFERENCES, INDEX, ON COMMIT REFRESH, QUERY REWRITE, ALL
PL/SQL procedures and functions: EXECUTE
Sequences: SELECT, ALTER

Synonyms provide another name for an object (location independence):

CREATE [PUBLIC] SYNONYM synonym FOR schema.object[@link];

Examples:

CREATE ROLE MYTEAM;
GRANT MYTEAM TO JOE, TOM, SUE;
GRANT SELECT ON MYTABLE TO MYTEAM;
GRANT UPDATE (COL1) ON MYTABLE TO MYTEAM;
CREATE PUBLIC SYNONYM TAB1 FOR MYSCHEMA.MYTABLE;

Advanced options for security by user:

Virtual Private Database (VPD) adds a WHERE clause to all commands issued by the user, restricting data to only his view of the database.

Oracle Label Security uses security labels on all rows; users only have access to those in their hierarchy.

Enterprise-level Considerations

Application access is strictly enforced using roles.

Roles are defined based on function, not operation. For example, a role APPL_USER_WRITE_ROLE means that the user can modify application data. The role may include SELECT and EXECUTE grants as well as INSERT, UPDATE and DELETE.

Role APPL_USER_READONLY_ROLE may also include some INSERT/UPDATE privileges on activity logs, etc., but the user cannot modify application data.

Public synonyms cannot be used when there is more than one instance of an application in a database instance. This often happens for test environments: string, integration, user acceptance, capacity, etc.

Batch jobs also require roles, such as APPL_BATCH_WRITE_ROLE.

Under no circumstances should any user or job ever log in as the schema owner.
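The role layout described on this slide, written out as an added example that is not the lecture's own code: the three role names are the slide's, while the APPL schema, its tables, package and sequence, the APPL_BATCH account and the final audit query are assumptions made here.

```sql
-- Added example (not the lecture's code) of the role layout described above.
-- The APPL schema and its objects (ORDERS, CUSTOMERS, ACTIVITY_LOG, ORDER_API,
-- ORDER_SEQ) and the APPL_BATCH account are constructed for illustration.
CREATE ROLE appl_user_readonly_role;
CREATE ROLE appl_user_write_role;
CREATE ROLE appl_batch_write_role;

-- Read-only users: read application data, append to the activity log, nothing else.
GRANT SELECT ON appl.orders       TO appl_user_readonly_role;
GRANT SELECT ON appl.customers    TO appl_user_readonly_role;
GRANT INSERT ON appl.activity_log TO appl_user_readonly_role;

-- Writers: everything readers have, plus modification rights and the API package.
-- A column-level UPDATE grant limits which customer attributes they may change.
GRANT appl_user_readonly_role                 TO appl_user_write_role;
GRANT INSERT, UPDATE, DELETE ON appl.orders   TO appl_user_write_role;
GRANT UPDATE (credit_limit) ON appl.customers TO appl_user_write_role;
GRANT EXECUTE ON appl.order_api               TO appl_user_write_role;

-- Batch jobs: their own account and role, never the schema owner's login.
GRANT appl_user_write_role     TO appl_batch_write_role;
GRANT SELECT ON appl.order_seq TO appl_batch_write_role;
CREATE USER appl_batch IDENTIFIED BY "PLACEHOLDER_PASSWORD";
GRANT CREATE SESSION, appl_batch_write_role TO appl_batch;

-- Several instances of the application share this database, so PUBLIC synonyms
-- would collide; give each account private synonyms in its own schema instead.
CREATE SYNONYM appl_batch.orders    FOR appl.orders;
CREATE SYNONYM appl_batch.order_api FOR appl.order_api;

-- Check: object privileges on APPL granted directly to users rather than to roles
-- violate "users are never directly assigned privileges"; this should return no rows.
SELECT grantee, privilege, table_name, grantable
  FROM dba_tab_privs
 WHERE owner = 'APPL'
   AND grantee NOT IN (SELECT role FROM dba_roles)
   AND grantee <> 'PUBLIC'
 ORDER BY grantee, table_name;
```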

Advanced Security: Virtual Private Databases (VPDs)

VPDs are an advanced security topic that requires fluency in several different areas, including contexts, packages, triggers and SQL.

The grants discussed previously control access at the object level; you can grant SELECT on a VIEW, for example.

VPD implements what is called fine-grained access control, meaning that security is implemented at the row level. For example, the query

SELECT * FROM emp;

can be changed by a VPD security policy to add a predicate:

SELECT * FROM emp WHERE division = 'RETAIL';

VPD can also be set up to add predicates based on which columns are mentioned.
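The predicate rewrite shown above, built end to end with the context, package, trigger and policy the slide mentions, as an added example that is not the lecture's code. The EMP table and its DIVISION column are the slide's; the HR schema, the EMP_DIVISION lookup table (DB_USER, DIVISION) that maps database users to divisions, and every package, trigger and policy name are assumptions made here.

```sql
-- Added example (not from the lecture): the EMP table with a DIVISION column is the
-- slide's; the HR schema, the EMP_DIVISION lookup table mapping database users to
-- divisions, and all package/trigger/policy names are constructed.

-- 1. An application context holds the session's division. Only the named package
--    may set it, so a user cannot pick a different division for himself.
CREATE OR REPLACE CONTEXT emp_ctx USING hr.emp_ctx_pkg;

CREATE OR REPLACE PACKAGE hr.emp_ctx_pkg AS
  PROCEDURE set_division;
END emp_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr.emp_ctx_pkg AS
  PROCEDURE set_division IS
    v_div hr.emp_division.division%TYPE;
  BEGIN
    SELECT division INTO v_div FROM hr.emp_division
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'division', v_div);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN   -- unmapped user: fail closed, the predicate matches nothing
      DBMS_SESSION.SET_CONTEXT('emp_ctx', 'division', 'NO_DIVISION');
  END set_division;
END emp_ctx_pkg;
/
-- 2. A logon trigger fills the context once per session (needs ADMINISTER DATABASE TRIGGER).
CREATE OR REPLACE TRIGGER hr.emp_ctx_logon AFTER LOGON ON DATABASE
BEGIN
  hr.emp_ctx_pkg.set_division;
END;
/
-- 3. The policy function returns the predicate text Oracle appends as a WHERE clause.
--    It references the context at run time instead of concatenating the value in.
CREATE OR REPLACE FUNCTION hr.emp_division_policy
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN q'[division = SYS_CONTEXT('emp_ctx', 'division')]';
END emp_division_policy;
/
-- 4. Attach it to HR.EMP for all four statement types; UPDATE_CHECK also stops a
--    user from inserting or updating a row into a division he cannot see.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema => 'HR', object_name => 'EMP', policy_name => 'EMP_DIVISION_POLICY',
    function_schema => 'HR', policy_function => 'EMP_DIVISION_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE', update_check => TRUE);
END;
/
```

After the policy is in place, a user mapped to RETAIL who runs SELECT * FROM emp; sees only rows where division = 'RETAIL', whatever tool issued the query.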

Acknowledgements

Loney, Oracle Database 10g: The Complete Reference