Tuesday, February 5, 2013

Database Vault Realms

Dear Readers,

My name is Franz Devantier, creator of this blog.  I am an Oracle Certified Professional (OCP DBA 11g) Security DBA.  I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented, and not so well known tasks. 

Database Vault Realms
Definition of a Realm
A group of database schemas and roles that must be secured for an application is called a realm.  In other words, a realm is a functional zone of protection for your database objects.  A schema is a logical collection of database objects such as tables, views, and packages.  A role is a collection of privileges.

By classifying functional groups (realms) that consist of schemas and roles, you achieve the following advantages:
·         You can control the ability to use system privileges (for example SELECT ANY TABLE or CREATE ANY PROCEDURE) against these functional groups.
·         You can prevent unauthorized data access by the DBA or other powerful users who hold system privileges.

Oracle Database Vault does not replace the discretionary access control model (object grants and system privileges) of the existing Oracle database.  Database Vault functions as an additional layer on top of this model, for both realms and command rules: a statement must first pass the normal privilege check and then the realm check.

The process flow is to create a new realm, then register a set of schema objects for realm protection, and finally authorize the set of users or roles that may access the secured objects.  For example, once Database Vault is installed, you can create a realm to protect all the schemas used by the financial department.  The realm then stops any user who is not authorized in it from reaching the financial data by way of system privileges, no matter how powerful that user is otherwise.  Once a realm is defined and in operation you can run reports on the realms.

Oracle Database Vault comes packaged with a few default realms:
·         “Database Vault Account Management”:  The realm for the administrators who create and manage database accounts and database profiles.
·         “Oracle Data Dictionary”:  The realm for a number of catalog schemas: ANONYMOUS, BI, CTXSYS, DBSNMP, EXFSYS, MDDATA, MDSYS, MGMT_VIEW, OUTLN, SYS, SYSMAN, SYSTEM.  This realm controls the ability to grant system privileges and database administrator roles.
·         “Oracle Database Vault”:  The realm for the Oracle Database Vault schemas, which hold the configuration and role information: DVSYS, DVF, LBACSYS.
·         “Oracle Enterprise Manager”:  The realm for the Oracle Enterprise Manager accounts that access the database information: SYSMAN, DBSNMP.

Steps to create a realm
·         Log into Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.
·         Go to the Administration page.  Under Database Vault Feature Administration, click on “Realms”.
·         When you get to the Realms page, click on “Create”.
·         You will need to fill in a few fields under the “General” heading:
o   Name:  Enter a name for the realm.  This attribute is mandatory, and can contain up to 90 characters in mixed-case.  It is a good idea to use the name of the protected application as the realm name.  For example fin_app for a financial application.
o   Description:  This is an optional attribute, but good to use it as a means of documenting the business objective of the given application protection, and you can also include the other security policies that compliment the realms protection.  Document who is authorized to the realm, and the purpose of the authorization, as well as possible emergency authorizations.  The description can contain up to 1024 characters in mixed-case.
o   Status: By default a Realm is enabled.  Select either “Enabled” or “Disabled”.  This is a mandatory attribute.
·         Then you get to the “Audit Options” heading.  By default this will be set to “Audit on Failure”.  The audit trail is written to the DVSYS.AUDIT_TRAIL$ table.  Note that this audit trail is separate from the Oracle database audit trail (DBA_AUDIT_TRAIL), and realm audit records are written regardless of whether standard auditing is enabled or disabled on the database.
o   Audit Disabled:  If selected, no audit record is created for realm activity.
o   Audit on Failure: This is the default.  If selected then an audit record is created when a realm violation occurs.  For example when a user not authorized to use the realm tries to modify an object that is protected by the realm.
o   Audit on Success or Failure:  Creates an audit record for all the activity that occurs in the realm, both authorized and unauthorized.
·         Click OK:  The Realms summary page appears.  You will see the realm that you have just created listed with the other realms that are already there.  Now you are ready to add schema and database objects to the realm, for realm protection.  You are ready to authorize users and roles to access the realm.  In order to do this you will need to edit the realm.


Steps to edit the realm:
·         Log into Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.
·         Go to the Administration page.  Under Database Vault Feature Administration, click on “Realms”.
·         When you get to the Realms page, select the realm that you want to edit and click on “Edit”.
·         Move down to the “Realm Secured Objects” heading and click on “Create”
·         When you get to the “Realm Secured Object” page, select an “Object Owner” from the drop down list.
·         You can leave the “Object Type” at the default of %, or you can specify a specific object type that you want to protect from the drop down list.  % protects all of the object types in the schema, including objects created later, at the cost of some additional overhead.
·         You can leave the “Object Name” field at the default of %, or you can fill in a specific name of an object to be protected.
·         Finish up this page by clicking on “OK”.
·         Now move down to the “Realm Authorization” heading and click on “Create”
·         On the “Create Realm Authorization” page, Select the “Grantee” from the drop-down list.
·         Under the Authorization Type heading, select Owner or Participant.  A participant can access, manipulate and create realm-protected objects, provided the normal Oracle privileges for that have been granted.  An owner has the same rights as a participant and in addition can grant or revoke realm-secured database roles and privileges on realm-secured objects.
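The same realm can be built without the GUI, using the DVSYS.DBMS_MACADM package that Database Vault Administrator calls behind the scenes.  The block below is an added example, not from the original post; it walks through the create and edit procedures above in one script and then verifies the result.  The schema FIN_APP, the table FIN_APP.GL_ACCOUNTS, the role FIN_APP_ADMIN and the user FIN_CLERK are hypothetical names, and the script assumes it is run as a user holding DV_OWNER or DV_ADMIN (the verification SELECT in step 5 is run as SYSTEM).

```sql
-- Added example (not from the original post). Names FIN_APP, GL_ACCOUNTS,
-- FIN_APP_ADMIN and FIN_CLERK are hypothetical. Run as DV_OWNER / DV_ADMIN.

-- 1. "Create" page: general attributes plus the audit option.
--    G_REALM_AUDIT_FAIL is the GUI default "Audit on Failure".
BEGIN
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'fin_app',
    description   => 'Financial application schema. Owner: FIN_APP_ADMIN. '
                  || 'Participant: FIN_CLERK. Emergency access via change ticket only.',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

-- 2. "Edit" > Realm Secured Objects: owner FIN_APP, object type % and
--    object name %, so every object in the schema (present and future)
--    is covered.
BEGIN
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'fin_app',
    object_owner => 'FIN_APP',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 3. "Edit" > Realm Authorization: one owner (a role) and one participant
--    (a user). No rule set is attached, so the authorization is unconditional.
BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'fin_app',
    grantee       => 'FIN_APP_ADMIN',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'fin_app',
    grantee       => 'FIN_CLERK',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 4. Report on the realm definition from the Database Vault data
--    dictionary views (the realm reports mentioned above).
SELECT name, enabled, audit_options
FROM   DVSYS.DBA_DV_REALM
WHERE  name = 'fin_app';

SELECT owner, object_type, object_name
FROM   DVSYS.DBA_DV_REALM_OBJECT
WHERE  realm_name = 'fin_app';

SELECT grantee, auth_options
FROM   DVSYS.DBA_DV_REALM_AUTH
WHERE  realm_name = 'fin_app';

-- 5. Prove the protection bites. Run this as SYSTEM, which holds
--    SELECT ANY TABLE but is not authorized in the realm: the realm
--    check rejects the statement with ORA-01031: insufficient privileges.
SELECT COUNT(*) FROM FIN_APP.GL_ACCOUNTS;

-- 6. Back as DV_OWNER, read the violation from the Database Vault audit
--    trail. It is NOT in DBA_AUDIT_TRAIL. Filtering on the realm name in
--    ACTION_OBJECT_NAME is an assumption about how 11g records realm
--    violations; widen the WHERE clause if your rows look different.
SELECT username, action_name, action_object_name, returncode, extended_timestamp
FROM   DVSYS.AUDIT_TRAIL$
WHERE  action_object_name = 'fin_app'
ORDER  BY extended_timestamp DESC;
```

Two practical caveats.  First, a realm only blocks access obtained through system privileges such as SELECT ANY TABLE; a direct object grant (GRANT SELECT ON FIN_APP.GL_ACCOUNTS TO someone) still works, so review existing object grants on the protected schema when you enable the realm.  Second, because the violation in step 5 is written to DVSYS.AUDIT_TRAIL$ and not to the standard audit trail, any monitoring that only reads DBA_AUDIT_TRAIL will never see it; point your log collection at the Database Vault trail as well.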

Franz Devantier,
Need a database health check?
devantierf@gmail.com
