Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented, and not so well known tasks.
Security, Policies and Tips - Part 5
Enable and Disable Roles Promptly
Only enable a role when the application starts, and then disable the role again as soon as the application terminates. Here are some pointers to manage this:
· Create distinct application roles for each application.
· Create a role for a specific application that contains all of the privileges necessary to run the application successfully.
· To provide tighter security for different users of the application, you can create roles that only have a subset of the privileges of the main role.
· Protect each database role with a password, to prevent unauthorized use of the role.
Create a role designed for ad hoc query building. This role will only have select privileges on the application objects, and not have update, insert, or delete privileges. You may protect this role with a password as well.
Role granting guidelines:
· Use the SET ROLE statement at application startup to enable one of the database roles associated with that application. If the role is authorized by a password, then the SET ROLE statement within the application must include the password, which should be encrypted by the application. If a role is authorized by the operating system, then the system administrator must set up accounts in advance for application users with appropriate operating system privileges.
· When the application terminates, the database roles that were enabled when the application started up must be disabled.
· Grant application users database roles only when needed.
Database roles that are used in applications can be enabled by users outside of the application as well. Protecting the role with a password will help to control this issue. You can also use a virtual private database to control the effect of roles being granted outside of the application. In a three-tier system, you can prevent users from acquiring the role outside of the application by using secure application roles.
You can use the PRODUCT_USER_PROFILE table to control what the user can do:
· You can specify which roles to enable when a user starts a SQL*Plus session. This works in a similar way to an application, for example an Oracle Call Interface (OCI) application, issuing a SET ROLE statement.
· You can disable the use of the SET ROLE statement for SQL*Plus users. This will restrict SQL*Plus users to those privileges that they already have, and to the roles enabled for them when SQL*Plus started up.
· You can also configure other reporting tools and ad hoc query tools that the user may use, to restrict the roles and commands that each user can use while running the specific product.
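As an added example (not from the original post), the following Oracle SQL walks through the pattern described above: a password-protected application role, a SELECT-only ad hoc role, enabling the role at application startup with SET ROLE and dropping it at shutdown, and PRODUCT_USER_PROFILE rows that stop a SQL*Plus user from enabling the role outside the application. The schema, account, role names and password (hr, app_user, hr_app, hr_app_ro) are constructed placeholders.

```sql
-- Run as a DBA. All names and the password are constructed placeholders.

-- 1. One distinct, password-protected role holding every privilege the
--    application needs to run.
CREATE ROLE hr_app IDENTIFIED BY app_role_pw_placeholder;
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.employees TO hr_app;
GRANT EXECUTE ON hr.payroll_pkg TO hr_app;

-- 2. Ad hoc query role: a subset of the main role, SELECT only, no DML.
CREATE ROLE hr_app_ro IDENTIFIED BY ro_role_pw_placeholder;
GRANT SELECT ON hr.employees TO hr_app_ro;

-- 3. Grant the roles to the application account, but make none of them a
--    default role, so nothing is enabled until the application asks for it.
GRANT hr_app, hr_app_ro TO app_user;
ALTER USER app_user DEFAULT ROLE NONE;

-- 4. At application startup the application (not an interactive user)
--    enables the role; it supplies the password from protected storage.
SET ROLE hr_app IDENTIFIED BY app_role_pw_placeholder;

-- Verify what is enabled in this session: expect only HR_APP.
SELECT role FROM session_roles;

-- 5. At application termination, disable every enabled role again.
SET ROLE NONE;

-- 6. Block the same role outside the application for SQL*Plus users.
--    PRODUCT_USER_PROFILE lives in the SYSTEM schema (created by
--    pupbld.sql); SQL*Plus reads it when the user's session starts.
--    USERID is matched against the uppercase user name.
INSERT INTO system.product_user_profile
       (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'APP_USER', 'SET ROLE', 'DISABLED');

-- Keep HR_APP disabled at SQL*Plus startup for this user: SQL*Plus issues
-- SET ROLE ALL EXCEPT <roles listed here> when the session begins.
INSERT INTO system.product_user_profile
       (product, userid, attribute, char_value)
VALUES ('SQL*Plus', 'APP_USER', 'ROLES', 'HR_APP');
COMMIT;
```

The PRODUCT_USER_PROFILE rows only govern SQL*Plus; other client tools need their own restrictions, which is why the post points to secure application roles or a virtual private database for a general control.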
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com