1/25
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
Changes in This Release for Oracle Database Real Application Security Administrator's and Developer's Guide
Changes in Oracle Database 12
c
Release 1 (12.1.0.2)
1
Introducing Oracle Database Real Application Security
What Is Oracle Database Real Application Security?
Disadvantages of Traditional Security for Managing Application Users
Advantages of Real Application Security
Architecture of Real Application Security
Data Security Concepts Used in Real Application Security
About Data Security with Oracle Database Real Application Security
Principals: Users and Roles
Understanding the Difference Between Database Users and Application Users
Understanding the Difference Between Database Roles and Application Roles
Granting Database Privileges to Application Users and Application Roles
Application Privileges
Security Classes in Oracle Database Real Application Security
Access Control Entry (ACE)
Access Control List (ACL)
Data Security Policy
Application Session Concepts Used in Application Security
Flow of Design and Development
Scenario: Security Human Resources (HR) Demonstration of Employee Information
Basic Security HR Demo Scenario: Description and Security Requirements
Basic HR Scenario: Implementation Overview
Auditing in an Oracle Database Real Application Security Environment
2
Configuring Application Users and Application Roles
Configuring Application Users
About Application User Accounts
General Procedures for Creating Application User Accounts
Creating a Simple Application User Account
Creating a Direct Login Application User Account
Creating Direct Login Application User Accounts
Procedure for Creating the Direct Login Application User Account
Setting a Password Verifier for Direct Application User Accounts
Resetting the Application User's Password with the SQL*Plus PASSWORD Command
Configuring an Application User Switch
Validating an Application User
Configuring Application Roles
About Application Roles
Regular and Dynamic Application Roles
Regular Application Roles
Dynamic Application Roles
Configuring an Application Role
Creating a Regular Application Role
Creating a Dynamic Application Role
Validating an Application Role
Predefined Regular Application Roles and Dynamic Application Roles
Effective Dates for Application Users and Application Roles
Granting Application Privileges to Principals
Granting an Application Role to an Application User
Creating a New Application User and Granting This User an Application Role
Granting an Application Role to an Existing Application User
Granting an Application Role to Another Application Role
Granting a Database Role to an Application Role
3
Configuring Application Sessions
About Application Sessions
Application Sessions in Real Application Security
Advantages of Application Sessions
Creating and Maintaining Application Sessions
Creating an Application Session
Creating an Anonymous Application Session
Attaching an Application Session to a Traditional Database Session
Setting a Cookie for an Application Session
Assigning an Application User to an Anonymous Application Session
Switching Current Application User to Another Application User in Current Application Session
Configuring Global Callback Event Handlers for an Application Session
Saving an Application Session
Detaching an Application Session from a Traditional Database Session
Destroying an Application Session
Manipulating the Application Session State
Using Namespace Templates to Create Namespaces
Components of a Namespace Template
Namespace Views
Creating a Namespace Template for an Application Session
Initializing a Namespace in an Application Session
Initializing a Namespace When the Session Is Created
Initializing a Namespace When the Session Is Attached
Initializing a Namespace When a Named Application User Is Assigned to an Anonymous Application Session
Initializing a Namespace When the Application User Is Switched in an Application Session
Initializing a Namespace Explicitly
Setting Session Attributes in an Application Session
Getting Session Attributes in an Application Session
Creating Custom Attributes in an Application Session
Deleting a Namespace in an Application Session
Enabling Application Roles for a Session
Disabling Application Roles for a Session
Administrative APIs for External Users and Roles
4
Configuring Application Privileges and Access Control Lists
Application Privileges
Aggregate Privilege
ALL Privilege
Configuring Security Classes
About Security Classes
Security Class Inheritance
Security Class as Privilege Scope
DML Security Class
Validating Security Classes
Manipulating Security Classes
Configuring Access Control Lists
About ACLs and ACEs
Creating ACLs and ACEs
Deny
Invert
ACE Start-Date and End-Date
Validating Access Control Lists
Updating Access Control Lists
Checking ACLs for a Privilege
Using Multilevel Authentication
Principal Types
Access Resolution Results
ACE Evaluation Order
ACL Inheritance
Extending ACL Inheritance
Constraining ACL Inheritance
ACL Catalog Views
Security Class Catalog Views
Data Security
Data Realms
Parameterized ACL
ACL Binding
5
Configuring Data Security
About Data Security
Validating the Data Security Policy
Understanding the Structure of the Data Security Policy
Designing Data Realms
Understanding the Structure of a Data Realm
Using Static Data Realms
Using Trace Files to Check for Policy Predicate Errors
Applying Additional Application Privileges to a Column
Enabling Data Security Policy for a Database Table or View
Enabling Real Application Security Using the APPLY_OBJECT_POLICY Procedure
Applying Multiple Policies for a Table or View
How the APPLY_OBJECT_POLICY Procedure Alters a Database Table
How ACLs on Table Data Are Evaluated
Creating Real Application Security Policies on Master-Detail Related Tables
About Real Application Security Policies on Master-Detail Related Tables
Understanding the Structure of Master Detail Data Realms
Example of Creating a Real Application Security Policy on Master-Detail Related Tables
Managing Application Privileges for Data Security Policies
Bypassing the Security Checks of a Real Application Security Policy
SQL*Plus SET SECUREDCOL Command
Using BEQUEATH CURRENT_USER Views
Using SQL Functions to Determine the Invoking Application User
Real Application Security: Putting It All Together
Basic HR Scenario: Implementation Tasks
Creating a Database User as the Real Application Security Administrator
Creating Roles and Application Users
Creating the Security Class and ACLS
Creating the Data Security Policy
Validating the Real Application Security Objects
Disabling a Data Security Policy for a Table
Running the Security HR Demo
6
Using Real Application Security in Java Applications
Initializing the Middle Tier
Mid-tier Configuration Mode
Using the getSessionManager Method
Changing the Middle-Tier Cache Setting
Setting the Maximum Cache Idle Time
Setting the Maximum Cache Size
Getting the Maximum Cache Idle Time
Getting the Maximum Cache Size
Removing Entries from the Cache
Clearing the Cache
Managing Real Application Security Sessions
Creating A Real Application Security User Session
Attaching An Application Session
Assigning or Switching an Application User
Enabling Real Application Security Application Roles
Enabling a Real Application Security Application Role
Disabling a Real Application Security Application Role
Checking If a Real Application Security Application Role Is Enabled
Performing Namespace Operations as Session User
Creating Namespaces
Deleting Namespaces
Implicitly Creating Namespaces
Using Namespace Attributes
Performing Namespace Operations as Session Manager
Performing Miscellaneous Session-Related Activities
Getting the Oracle Connection Associated with the Session
Getting the Application User ID for the Session
Getting the Session ID for the Session
Getting a String Representation of the Session
Getting the Session Cookie
Setting Session Inactivity Timeout as Session Manager
Setting the Session Cookie as Session Manager
Detaching an Application Session
Destroying A Real Application Security Application Session
Authenticating Application Users Using Java APIs
Authorizing Application Users Using ACLs
Constructing an ACL Identifier
Using the checkAcl Method
Getting Data Privileges Associated with a Specific ACL
Human Resources Administration Use Case: Implementation in Java
7
Oracle Fusion Middleware Integration with Real Application Security
External Users and External Roles
Session APIs for External Users and Roles
Namespace for External Users
Creating a Session
Attaching a Session
Assigning a User to a Session
Saving a Session and Aborting a Session
8
Application Session Service in Oracle Fusion Middleware
Real Application Security Concepts
Application Session Service in Oracle Fusion Middleware
Application Session Filter
Application Session Filter Operation
Deployment
Application Configuration of the Application Session Filter
Domain Configuration: Setting Up an Application Session Service to Work with OPSS and Oracle Fusion Middleware
Prerequisites
Manual Configuration
Automatic Configuration
Application Session APIs
Application Session APIs
Attaching to an Application Session
Detaching from an Application Session
Destroying an Application Session
Privilege Elevation API
Enabling a Dynamic Role in the Application Session
Namespace APIs
Creating a Namespace
Deleting a Namespace
Setting the Namespace Attribute
Deleting a Namespace Attribute
Getting a Namespace Attribute
Check Privilege API
Check a Privilege on the ACLs
Human Resources Demo Use Case: Implementation in Java
Setting Up the HR Demo Application for External Principals (setup.sql)
Application Session Filter Configuration File (web.xml)
Sample Servlet Application (MyHR.java)
Filter to Set Up the Application Namespace (MyFilter.java)
HR Demo Use Case - User Roles
HR Demo (1) - Logged in as Employee LPOPP
HR Demo (2) - Logged in as HRMGR
HR Demo (3) - Logged in as a Team Manager
9
Oracle Database Real Application Security Data Dictionary Views
DBA_XS_OBJECTS
DBA_XS_PRINCIPALS
DBA_XS_EXTERNAL_PRINCIPALS
DBA_XS_USERS
USER_XS_USERS
USER_XS_PASSWORD_LIMITS
DBA_XS_ROLES
DBA_XS_DYNAMIC_ROLES
DBA_XS_PROXY_ROLES
DBA_XS_ROLE_GRANTS
DBA_XS_PRIVILEGES
USER_XS_PRIVILEGES
DBA_XS_IMPLIED_PRIVILEGES
USER_XS_IMPLIED_PRIVILEGES
DBA_XS_SECURITY_CLASSES
USER_XS_SECURITY_CLASSES
DBA_XS_SECURITY_CLASS_DEP
USER_XS_SECURITY_CLASS_DEP
DBA_XS_ACLS
USER_XS_ACLS
DBA_XS_ACES
USER_XS_ACES
DBA_XS_POLICIES
USER_XS_POLICIES
DBA_XS_REALM_CONSTRAINTS
USER_XS_REALM_CONSTRAINTS
DBA_XS_INHERITED_REALMS
USER_XS_INHERITED_REALMS
DBA_XS_ACL_PARAMETERS
USER_XS_ACL_PARAMETERS
DBA_XS_COLUMN_CONSTRAINTS
USER_XS_COLUMN_CONSTRAINTS
DBA_XS_APPLIED_POLICIES
DBA_XS_MODIFIED_POLICIES
DBA_XS_SESSIONS
DBA_XS_ACTIVE_SESSIONS
DBA_XS_SESSION_ROLES
DBA_XS_SESSION_NS_ATTRIBUTES
DBA_XS_NS_TEMPLATES
DBA_XS_NS_TEMPLATE_ATTRIBUTES
ALL_XDS_ACL_REFRESH
ALL_XDS_ACL_REFSTAT
ALL_XDS_LATEST_ACL_REFSTAT
DBA_XDS_ACL_REFRESH
DBA_XDS_ACL_REFSTAT
DBA_XDS_LATEST_ACL_REFSTAT
USER_XDS_ACL_REFRESH
USER_XDS_ACL_REFSTAT
USER_XDS_LATEST_ACL_REFSTAT
V$XS_SESSION_NS_ATTRIBUTES
V$XS_SESSION_ROLES
10
Oracle Database Real Application Security SQL Functions
COLUMN_AUTH_INDICATOR Function
XS_SYS_CONTEXT Function
ORA_CHECK_ACL Function
ORA_GET_ACLIDS Function
ORA_CHECK_PRIVILEGE Function
TO_ACLID Function
11
Oracle Database Real Application Security PL/SQL Packages
DBMS_XS_SESSIONS Package
Security Model
Constants
Object Types, Constructor Functions, Synonyms, and Grants
Summary of DBMS_XS_SESSIONS Subprograms
CREATE_SESSION Procedure
ATTACH_SESSION Procedure
ASSIGN_USER Procedure
SWITCH_USER Procedure
CREATE_NAMESPACE Procedure
CREATE_ATTRIBUTE Procedure
SET_ATTRIBUTE Procedure
GET_ATTRIBUTE Procedure
RESET_ATTRIBUTE Procedure
DELETE_ATTRIBUTE Procedure
DELETE_NAMESPACE Procedure
ENABLE_ROLE Procedure
DISABLE_ROLE Procedure
SET_SESSION_COOKIE Procedure
REAUTH_SESSION Procedure
SET_INACTIVITY_TIMEOUT Procedure
SAVE_SESSION Procedure
DETACH_SESSION Procedure
DESTROY_SESSION Procedure
ADD_GLOBAL_CALLBACK Procedure
ENABLE_GLOBAL_CALLBACK Procedure
DELETE_GLOBAL_CALLBACK Procedure
XS_ACL Package
Security Model
Object Types, Constructor Functions, Synonyms, and Grants
Constants
Summary of XS_ACL Subprograms
CREATE_ACL Procedure
APPEND_ACES Procedure
REMOVE_ACES Procedure
SET_SECURITY_CLASS Procedure
SET_PARENT_ACL Procedure
ADD_ACL_PARAMETER Procedure
REMOVE_ACL_PARAMETERS Procedure
SET_DESCRIPTION Procedure
DELETE_ACL Procedure
XS_ADMIN_UTIL Package
Security Model
Object Types, Constructor Functions, Synonyms, and Grants
Constants
Summary of XS_ADMIN_UTIL Subprograms
GRANT_SYSTEM_PRIVILEGE Procedure
REVOKE_SYSTEM_PRIVILEGE Procedure
XS_DATA_SECURITY Package
Object Types, Constructor Functions, Synonyms, and Grants
Security Model
Summary of XS_DATA_SECURITY Subprograms
CREATE_POLICY Procedure
APPEND_REALM_CONSTRAINTS Procedure
REMOVE_REALM_CONSTRAINTS Procedure
ADD_COLUMN_CONSTRAINTS Procedure
REMOVE_COLUMN_CONSTRAINTS Procedure
CREATE_ACL_PARAMETER Procedure
DELETE_ACL_PARAMETER Procedure
SET_DESCRIPTION Procedure
DELETE_POLICY Procedure
ENABLE_OBJECT_POLICY Procedure
DISABLE_OBJECT_POLICY Procedure
REMOVE_OBJECT_POLICY Procedure
APPLY_OBJECT_POLICY Procedure
XS_DATA_SECURITY_UTIL Package
Security Model
Constants
Summary of XS_DATA_SECURITY_UTIL Subprograms
SCHEDULE_STATIC_ACL_REFRESH Procedure
ALTER_STATIC_ACL_REFRESH Procedure
XS_DIAG Package
Security Model
Summary of XS_DIAG Subprograms
VALIDATE_PRINCIPAL Function
VALIDATE_SECURITY_CLASS Function
VALIDATE_ACL Function
VALIDATE_DATA_SECURITY Function
VALIDATE_NAMESPACE_TEMPLATE Function
VALIDATE_WORKSPACE Function
XS_NAMESPACE Package
Security Model
Object Types, Constructor Functions, Synonyms, and Grants
Constants
Summary of XS_NAMESPACE Subprograms
CREATE_TEMPLATE Procedure
ADD_ATTRIBUTES Procedure
REMOVE_ATTRIBUTES Procedure
SET_HANDLER Procedure
SET_DESCRIPTION Procedure
DELETE_TEMPLATE Procedure
XS_PRINCIPAL Package
Security Model
Object Types, Constructor Functions, Synonyms, and Grants
Constants
Summary of XS_PRINCIPAL Subprograms
CREATE_USER Procedure
CREATE_ROLE Procedure
CREATE_DYNAMIC_ROLE Procedure
GRANT_ROLES Procedure
REVOKE_ROLES Procedure
ADD_PROXY_USER Procedure
REMOVE_PROXY_USERS Procedure
ADD_PROXY_TO_DBUSER
REMOVE_PROXY_FROM_DBUSER
SET_EFFECTIVE_DATES Procedure
SET_DYNAMIC_ROLE_DURATION Procedure
SET_DYNAMIC_ROLE_SCOPE Procedure
ENABLE_BY_DEFAULT Procedure
ENABLE_ROLES_BY_DEFAULT Procedure
SET_USER_SCHEMA Procedure
SET_GUID Procedure
SET_PROFILE Procedure
SET_USER_STATUS Procedure
SET_PASSWORD Procedure
SET_VERIFIER Procedure
SET_DESCRIPTION Procedure
DELETE_PRINCIPAL Procedure
XS_SECURITY_CLASS Package
Security Model
Summary of XS_SECURITY_CLASS Subprograms
CREATE_SECURITY_CLASS Procedure
ADD_PARENTS Procedure
REMOVE_PARENTS Procedure
ADD_PRIVILEGES Procedure
REMOVE_PRIVILEGES Procedure
ADD_IMPLIED_PRIVILEGES Procedure
REMOVE_IMPLIED_PRIVILEGES Procedure
SET_DESCRIPTION Procedure
DELETE_SECURITY_CLASS Procedure
12
Real Application Security HR Demo
Overview of the Security HR Demo
What Each Script Does
Setting Up the Security HR Demo Components
Create Roles and Application Users
Create the Security Class and ACLs
Create the Data Security Policy
Validate the Real Application Security Objects
Set up the Mid-Tier Related Configuration
Running the Security HR Demo Using Direct Logon
Running the Security HR Demo Attached to a Real Application Security Session
Running the Security HR Demo Cleanup Script
Running the Security HR Demo in the Java Interface
Using RASADM to Run the Security HR Demo
Running the RASADM Application
For More Information
Design Phase
Development Flow
Using RASADM to Create the HR Demo
Creating Application Roles
Creating Application Users
Creating the Data Security Policy
A
Predefined Objects in Real Application Security
Users
Roles
Regular Application Roles
Dynamic Application Roles
Database Roles
Namespaces
Security Classes
ACLs
B
Configuring OCI and JDBC Applications for Column Authorization
Using OCI to Retrieve Column Authorization Indicators
Example of Obtaining the Return Code
Using Return Code and Indicator with Authorization Indicator
Warning for Unknown Authorization Indicator
OCI Describe for Column Security
Using JDBC to Retrieve Column Authorization Indicators
Checking Security Attributes for a Table Column
Check User Authorization for a Table Column
Example of Checking Security Attributes and User Authorization
C
Real Application Security HR Demo Files
How to Run the Security HR Demo
Scripts for the Security HR Demo
hrdemo_setup.sql
hrdemo_run.sql
hrdemo_run_sess.sql
HRDemo.java
hrdemo_clean.sql
Generated Log Files for Each Script
hrdemo_setup.log
hrdemo_run.log
hrdemo_run_sess.log
HRDemo.log
hrdemo_clean.log
D
Troubleshooting Oracle Database Real Application Security
About Real Application Security Diagnostics
Using Validation APIs
How to Check Which ACLs Are Associated with a Row for the Current User
How to Find If a Privilege Is Granted in an ACL to a User
Exception State Dumps
Event-Based Tracing
In-Memory Tracing
Statistics
Event-Based Tracing of Real Application Security Components
Application Sessions (XSSESSION) Event-Based Tracing
Application Principals (XSPRINCIPAL) Event-Based Tracing
Security Classes (XSSECCLASS) Event-Based Tracing
ACL (XSACL) Event-Based Tracing
Data Security (XSXDS and XSVPD) Event-Based Tracing
Exception State Dump Information
Session Statistics
Middle-Tier Tracing
Glossary
Index
Scripting on this page enhances content navigation, but does not change the content in any way.