Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-09 |
|
|
View PDF |
In this chapter:
Oracle Database Vault provides a set of procedural interfaces to administer various Database Vault security options and manage Database Vault security enforcements. There are also procedures and functions that expose the logic to validate a DDL command for realm violations and command authorizations. Additional procedures and functions are provided to set the value of a factor (assuming their associated rule sets evaluate to true), for example, from a Web application, to retrieve the trust level for a session or specific factor identity, and to get the label for a factor identity. These procedures and functions are provided so that a database administrator does not grant EXECUTE
privileges on all DVSYS
package procedures to the general database account population. The procedures and functions expose only the minimum methods that are required. All of these functions and procedures are publicly available for applications that need them.
Table 14-1 lists the procedures and functions that are used to enable Oracle Database Vault processing with the DVSYS
schema.
Table 14-1 DVSYS Functions
Procedure or Function | Parameter |
---|---|
Sets a factor |
|
Retrieves a factor |
|
Retrieves the trust level assigned to a factor |
|
Retrieves the trust level for a specified factor and identity |
|
Checks whether the specified database role is enabled. |
|
Retrieves the label for the specified factor when the factor has a label assigned to it for the specified Oracle Label Security policy |
This procedure can be exposed to an application that requires the ability to set factor identities dynamically. It wraps the package procedure DBMS_MACSEC.SET_FACTOR
. When a factor has a rule set associated with it for assignment and if the rule set returns true, then the value will be set. Normal rule set handling occurs, and the factor value (identity) validation method will be called. This procedure is available (to execute) to the general database account population.
Syntax
SET_FACTOR( p_factor VARCHAR2, p_value VARCHAR2);
Parameters
Table 14-2 SET_FACTOR Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, query the |
|
Identity value, up to 1024 characters in mixed-case. To find the identities for each factor in the current database instance, query the |
This function is exposed to the DVF
schema to allow the public factor functions to resolve the identity of a factor. This enables the F$
functions in the DVF
schema. This function is available (to execute) to the general database account population.
Syntax
GET_FACTOR( p_factor VARCHAR2) RETURNS VARCHAR2;
Parameter
Table 14-3 GET_FACTOR Parameter
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, query the |
This function returns the trust level of the current session identity for the factor requested. This function is available (to execute) to the general database account population. See "Creating and Configuring a Factor Identity" for a listing of the available trust levels.
Syntax
GET_TRUST_LEVEL( p_factor VARCHAR2) RETURNS VARCHAR2;
Parameter
Table 14-4 GET_TRUST_LEVEL Parameter
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, query the |
This function returns the trust level for the factor and identity requested. This function is available (to execute) to the general database account population. See "Creating and Configuring a Factor Identity" for a listing of the available trust levels.
Syntax
GET_TRUST_LEVEL_FOR_IDENTITY( p_factor VARCHAR2, p_identity VARCHAR2) RETURNS VARCHAR2;
Parameters
Table 14-5 GET_TRUST_LEVEL_FOR_IDENTITY Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, query the |
|
Identity value. To find the identities for each factor in the current database instance, use the |
This function returns a boolean value that specifies whether or not a database role has been enabled. This function is available (to execute) to the general database account population.
Syntax
ROLE_IS_ENABLED( p_role VARCHAR2) RETURNS BOOLEAN;
Parameter
Table 14-6 ROLE_IS_ENABLED Parameter
Parameter | Description |
---|---|
|
Database role name to check. To find existing roles, use the following views:
|
This function returns the label for the specified factor when the factor has a label assigned to it for the specified Oracle Label Security policy. The function returns a label that is merged with the maximum session label for the policy if the policy is configured with Oracle Label Security. The function is available (to execute) to the general database population. See "Label Identity" for more information about factor labels.
Syntax
GET_FACTOR_LABEL( p_factor IN VARCHAR2, p_policy_name IN VARCHAR2) RETURNS VARCHAR2;
Parameters
Table 14-7 GET_FACTOR_LABEL Parameters
Parameter | Description |
---|---|
|
Factor name. To find the available factors in the current database instance, use the See "DBA_DV_FACTOR View" and "DBA_DV_MAC_POLICY_FACTOR View". |
|
Oracle Label Security policy name. Use the following views to find information about policies and factors in the current database instance:
|
In addition to the functions and procedures made available from the DVSYS
schema, the DVF
schema contains a single function for each factor defined in the system. These functions are created and maintained as the Oracle Database Vault configuration API (DVSYS.DBMS_MACADM
) is called for managing the various factors. The functions are then available to the general database account population through PL/SQL functions and standard SQL. This allows factors to be used in Oracle Label Security, Oracle Virtual Private Database (VPD), and so on.
Typically, you can incorporate these functions into rule expressions. For example:
BEGIN DVSYS.DBMS_MACADM.CREATE_RULE( rule_name => 'Not Internal DBA', rule_expr => 'dvf.f$session_user not in (''JSMTIH'', ''TBROWN'')'); END;
To find the value of a factor function, select from the DUAL
system table. For example:
SELECT DVF.F$SESSION_USER FROM DUAL; F$SESSION_USER ------------------------------------------------ DBVOWNER
The name of the factor itself is case-insensitive. For example, the following statements return the same result
SELECT DVF.F$session_user FROM DUAL; SELECT DVF.F$Session_User FROM DUAL;
Table 14-8 describes the functions that are created during installation based on the default factors provided by Oracle Database Vault.
Table 14-8 Installed Oracle Database Vault Factor Functions
Oracle Database Vault provides a set of functions that you can use in rule sets to inspect the SQL statement that you want the rule set to protect. For example, if a rule set protects SELECT ON HR.EMPLOYEES
under a command rule, then you could use these functions to make more informed decisions in the rule expression.
Table 14-9 describes the functions that are created during installation based on the default rule sets provided by Oracle Database Vault.
Table 14-9 Installed Oracle Database Vault PL/SQL Rule Set Functions
Oracle Database Vault provides a collection of PL/SQL package APIs to support the maintenance and run-time behavior of Oracle Database Vault. Table 14-10 lists these packages. Chapter 11, "Using the DVSYS.DBMS_MACADM Package" describes these packages in detail.
Table 14-10 Oracle Database Vault Administrator and Run-Time PL/SQL Packages
Package | Description |
---|---|
|
This package API provides for the administration of all aspects of the secure and access control configuration data. The realm owner of the Oracle Database Vault realm can grant the ability to run this package. See Chapter 11, "Using the DVSYS.DBMS_MACADM Package" for more information. |
|
This package API provides the The API also provides a method to issue the See Chapter 12, "Using the DVSYS.DBMS_MACSEC_ROLES Package" for more information. |
|
This package API defines several constants and utility methods that are commonly used by other Oracle Database Vault packages, such as code/message lookup, error handling, data conversion, and privilege checks. This package can be run by the general database account population. This allows for security developers to leverage the constants in scripted configuration files. Utility methods such as See Chapter 13, "Using the DVSYS.DBMS_MACUTL Package" for more information. |
Note:
There are several procedures in theDVSYS.DBMS_MACADM
package that are not exposed in the Oracle Database Vault Administration Web application. The procedures that are not exposed include:
CREATE_DOMAIN_IDENTITY
CREATE_FACTOR_TYPE
DELETE_FACTOR_TYPE
RENAME_FACTOR_TYPE
UPDATE_FACTOR_TYPE