Oracle Database 10g Release 2 Database Vault - Restricting the DBA From Accessing Business Data

An Oracle White Paper, August 2006

Oracle Database Vault Overview

Oracle Database Vault enables you to:
- Restrict the DBA and other privileged users from accessing application data
- Protect the database and applications from unauthorized changes
- Enforce strong controls over who, when, and where applications can be accessed

These features help you address regulatory compliance, insider threats, and the protection of personally identifiable information.

This paper is the first in a series of white papers that discuss and demonstrate real-world use cases for the security provided by Oracle Database Vault. In this paper we discuss how Oracle Database Vault can be used to restrict DBA access to application data. The business drivers for restricting DBA access to application data include:
- Protection of business-sensitive data and personally identifiable information
- Separation of duty and strong internal controls for regulatory compliance
- IT/DBA outsourcing
- Online hosted applications

Restricting the DBA From Accessing Business Data

Oracle Database Vault uses the concept of a Realm to establish a protection boundary, or firewall, around an application, protecting its data from users with powerful privileges such as the DBA. The following steps outline the process for creating a Realm and protecting an application.

Create a Realm around your application: once Oracle Database Vault is installed, you can protect your business data in a matter of minutes by creating a realm that encompasses all the database objects comprising your business application. Once the application's database objects are protected, you can authorize selected users to access them. You can do this using either the Database Vault Administration web interface (DVA) or the Database Vault Application Programming Interface (API).
In this example, we will restrict DBA access to the Human Resources business data by creating a Realm around the HR schema. Then we will authorize only the HR user to access the HR Realm.
DVA Steps:

1. Point your browser to the DVA URL. The URL has the following form: http://hostname:portnumber/dva. Log in using the Database Vault owner account.

2. Click the Realms link. The Realm we create in the following steps is what restricts DBA access to the HR business data.
3. In the Realms Summary screen click Create and fill out the attributes as follows:
   Name: HR Realm
   Description: This realm restricts DBA access to HR data.
   Status: Enabled
   Audit Options: Audit on Failure
   Then click OK.

4. In the Realms Summary screen select HR Realm and click Edit. Scroll down in the Realm edit screen to the Realm Secured Objects section.
5. Under Realm Secured Objects click Create and specify the following attributes:
   Object Owner: HR
   Object Type: %
   Object Name: %
   Then click OK and scroll down to the Realm Authorizations section. This tells Oracle Database Vault to protect the HR schema with all of its objects.

6. Under the Realm Authorizations section click Create and specify the following attributes:
   Grantee: HR [USER]
   Authorization Type: Owner (Note: the default type is Participant)
   Authorization Rule Set: <not selected>
   Then click OK. This grants the HR user ownership of the HR Realm. As owner of the HR Realm, the HR user has access to the business data and is able to grant access to others.
7. Start SQL Developer and log in as a user with the DBA role, such as SYSTEM. Try to query the employee data in the HR schema:

   SELECT first_name, last_name, salary FROM hr.employees;

   The DBA gets the error ORA-01031: insufficient privileges.
API Steps:

1. Create the HR Realm. The audit_options value 1 corresponds to "Audit on Failure" in the DVA:

   begin
     dvsys.dbms_macadm.create_realm(
       realm_name    => 'HR Realm',
       description   => 'This realm protects HR data from DBA access',
       enabled       => 'Y',
       audit_options => 1);
   end;
   /
   commit;

2. Protect the HR schema with all of its database objects:

   begin
     dvsys.dbms_macadm.add_object_to_realm(
       realm_name   => 'HR Realm',
       object_owner => 'HR',
       object_name  => '%',
       object_type  => '%');
   end;
   /
   commit;

3. Authorize the HR user as the HR Realm owner. As in the DVA, the default authorization type is Participant, so auth_options must be set explicitly to make HR the realm Owner:

   begin
     dvsys.dbms_macadm.add_auth_to_realm(
       realm_name    => 'HR Realm',
       grantee       => 'HR',
       rule_set_name => NULL,
       auth_options  => 1);  -- 1 = Owner (DBMS_MACUTL.G_REALM_AUTH_OWNER), 0 = Participant (default)
   end;
   /
   commit;
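Neither the DVA walkthrough nor the API steps show how to confirm that the realm is actually configured and enforced the way the paper intends. The script below is an added verification example written for this page; it is not part of the original white paper. It assumes the HR Realm was created exactly as above, that steps 1-3 and 6-7 are run by the Database Vault owner (or another account that can read the DVSYS DBA_DV_* views and DBA_TAB_PRIVS), that step 4 is run as SYSTEM, and that step 5 is run as HR. The DVSYS.AUDIT_TRAIL$ column names in step 6 are assumed from the 10g Release 2 documentation and may need adjusting for your release.

```sql
-- Verification script for the HR Realm (added example, not from the original paper).
-- Run in SQL*Plus or SQL Developer; SET SERVEROUTPUT ON is needed for step 4's messages.
SET SERVEROUTPUT ON

-- 1. Realm definition: expect ENABLED = 'Y' and AUDIT_OPTIONS = 1 (audit on failure).
SELECT realm_name, enabled, audit_options
  FROM dvsys.dba_dv_realm
 WHERE realm_name = 'HR Realm';

-- 2. Secured objects: expect a single row HR / % / %, i.e. the whole HR schema.
--    A realm with no rows here protects nothing, however it is named.
SELECT owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'HR Realm';

-- 3. Authorizations: expect GRANTEE = 'HR' with AUTH_OPTIONS = 1 (Owner).
--    AUTH_OPTIONS = 0 means HR was added as a Participant, the default when
--    auth_options is omitted from DBMS_MACADM.ADD_AUTH_TO_REALM.
SELECT grantee, auth_options, auth_rule_set_name
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'HR Realm';

-- 4. Negative test, run as SYSTEM (an account whose access to HR.EMPLOYEES
--    rests on the DBA role's SELECT ANY TABLE system privilege). The realm
--    must raise ORA-01031. A successful read is reported as a failure, and
--    any other error is re-raised so it is not mistaken for enforcement.
DECLARE
  rows_seen NUMBER;
BEGIN
  SELECT COUNT(*) INTO rows_seen FROM hr.employees;
  RAISE_APPLICATION_ERROR(-20001,
    'Realm NOT enforced: DBA read ' || rows_seen || ' rows from HR.EMPLOYEES');
EXCEPTION
  WHEN OTHERS THEN
    IF SQLCODE = -1031 THEN
      DBMS_OUTPUT.PUT_LINE('OK, realm enforced: ' || SQLERRM);  -- ORA-01031: insufficient privileges
    ELSE
      RAISE;
    END IF;
END;
/

-- 5. Positive test, run as HR (the realm Owner): the application user is unaffected.
SELECT COUNT(*) AS employee_rows FROM hr.employees;

-- 6. Audit: because the realm was created with "Audit on Failure", the blocked
--    attempt from step 4 is written to the Database Vault audit trail.
--    Column names assumed from DVSYS.AUDIT_TRAIL$ in 10g Release 2.
SELECT username, action_object_name, returncode, extended_timestamp
  FROM dvsys.audit_trail$
 WHERE username = 'SYSTEM'
 ORDER BY extended_timestamp DESC;

-- 7. A realm blocks the use of system privileges such as SELECT ANY TABLE on
--    its objects; it does not revoke direct object grants. Anyone holding a
--    direct grant on an HR table can still read it, so list those grants and
--    review them alongside the realm authorizations from step 3.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'HR'
 ORDER BY grantee, table_name, privilege;
```

Steps 1-3 catch the two configuration mistakes that leave a realm looking correct in the DVA while doing nothing useful: a realm with no secured objects, and an application account added as Participant when Owner was intended. Step 4 is the same check as DVA step 7, but written so that a script can tell "blocked by the realm" apart from "failed for some other reason". Step 7 is the check most often forgotten: a realm changes how system privileges are evaluated, not who holds object grants, so the direct-grant list is part of the access picture for the protected schema.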
August 2006 Author: Kamal Tbeileh, Paul Needham Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright 2006, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.