The document discusses access control facilities in Oracle Database 11gR2. It describes how user groups can be implemented through profiles or roles. Hierarchical role-based access control and role-based access control with separation of duty using Oracle Database Vault are also covered. The document outlines how time-based and location-based access constraints can be achieved and discusses cascading revocation and conflict resolution. Mandatory access control using Oracle Label Security and tools for administering access policies are also introduced.
1) Introduction
In this document we introduce some access control facilities in Oracle Database 11gR2 (Oracle from
now on) and discuss how a given access control need can be met with the capabilities Oracle makes
available.
2) Access Control Facilities
In this section we discuss the available facilities that are useful for access control.
1-1) User Groups and Assigning Roles to the Group
The concept of user groups can be implemented in Oracle in two ways. However, only one of them
supports assigning roles to the group.
The first way of grouping users is to assign them to profiles. A profile is a named set of resource
limits and password parameters that restrict database usage and instance resources for a user [1]. When
you create a user, you can give it a profile; if you don’t, the DBMS automatically assigns the DEFAULT
profile to it.
There are two limitations of profiles in relation to access control. First, a user can have only one
profile at a time, and second, profiles can be assigned only to users, not to roles or to other profiles. So
they only group users according to the usage limits placed on database instance resources. They also
cannot be used to group users in a hierarchical fashion.
The other way of grouping users in Oracle is to group them by roles. You can create a grouping role,
grant the needed privileges to it, and even grant other roles to it. So this way fully provides the
desired access control facility: user groups with roles assigned to them.
1-2) Hierarchical Role-Based Access Control
Hierarchical RBAC is supported by default from Oracle database 9i on. In a role hierarchy, role members
inherit permissions from the parent role [2]. Thus, if Role A is a member of Role B, then all permissions
granted to Role B are also permissions granted to Role A. Of course, Role A may have its own particular
permissions, but, just by being a member of Role B, Role A inherits all the permissions granted to Role B.
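The following SQL is an added example, not code from the original document; it shows the two grouping mechanisms described above side by side: a profile (resource limits only, one per user) and a role hierarchy in which a grouping role inherits the privileges of the roles granted to it. All profile, role, user and table names (analyst_profile, reporting_reader, reporting_writer, analysts, alice, bob, hr.departments) are constructed for the illustration.

```sql
-- Added example (not from the original document). Names are constructed.

-- 1) A profile groups users only by resource and password limits.
CREATE PROFILE analyst_profile LIMIT
  SESSIONS_PER_USER      3
  IDLE_TIME              30        -- minutes
  FAILED_LOGIN_ATTEMPTS  5
  PASSWORD_LIFE_TIME     90;       -- days

CREATE USER alice IDENTIFIED BY "constructed-Pw-1" PROFILE analyst_profile;
CREATE USER bob   IDENTIFIED BY "constructed-Pw-2";   -- receives the DEFAULT profile
ALTER USER bob PROFILE analyst_profile;               -- a user holds exactly one profile

-- 2) Roles group users AND carry privileges, and a role can contain roles.
CREATE ROLE reporting_reader;
GRANT SELECT ON hr.departments TO reporting_reader;

CREATE ROLE reporting_writer;
GRANT INSERT, UPDATE ON hr.departments TO reporting_writer;
GRANT reporting_reader TO reporting_writer;   -- writer inherits reader (hierarchy)

CREATE ROLE analysts;                         -- the "user group" role
GRANT CREATE SESSION TO analysts;
GRANT reporting_writer TO analysts;           -- analysts get writer and, via it, reader

GRANT analysts TO alice, bob;

-- 3) Checks: roles granted directly to the group role ...
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'ANALYSTS';

-- ... and the whole role hierarchy below it, walked with CONNECT BY.
SELECT LEVEL AS depth, role, granted_role
  FROM role_role_privs
 START WITH role = 'ANALYSTS'
 CONNECT BY PRIOR granted_role = role;
```

The second query is the one to keep around when reviewing group membership: DBA_ROLE_PRIVS shows only direct grants, so an inherited privilege such as SELECT on hr.departments is only visible to a reviewer who walks ROLE_ROLE_PRIVS (or inspects SESSION_PRIVS from a session of the user in question).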
1-3) Role-Based Access Control with Separation of Duty
In Oracle database, separation of duty is delivered by Oracle Database Vault. Oracle Database Vault
restricts access to specific areas in an Oracle database from any user, including users who have
administrative access [3]. For example, you can restrict administrative access to employee salaries,
customer medical records, or other sensitive information.
Oracle Database Vault is disabled by default and before enabling and using it, you must also enable
Oracle Label Security. Oracle Database Vault security controls include realms, command rules, factors,
separation of duty, and reporting.
Oracle Database Vault separation of duty enables a systematic approach to security that strengthens
controls within the database and helps satisfy requirements found in many regulations. It creates three
distinct separate responsibilities within the database by default including Account Management,
Security Administration and Database Administration. However, its extensibility allows separation of
duty to be customized to any specific business requirement. For example, you can further subdivide the
database administration responsibility into backup, performance and patching responsibilities.
As there isn’t any facility for delivering separation of duty in database roles themselves, Oracle Database
Vault is the only recommended solution in Oracle Database 11g for implementing separation of duty.
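As an added example (not code from the original document or from Oracle's documentation), the block below shows the realm control mentioned above in action: a Database Vault realm is placed around one schema so that users holding administrative privileges such as SELECT ANY TABLE or the DBA role can no longer read its objects, while the separately appointed Database Vault owner is the only party able to change that protection. The realm name, the PAYROLL schema and the PAYROLL_APP account are constructed; the DBMS_MACADM and DBMS_MACUTL packages and the DBA_DV_* views are the ones Database Vault provides.

```sql
-- Added example (not from the original document). Realm, schema and user
-- names are constructed. Run as a user holding the DV_OWNER role (the
-- Database Vault security administrator), which by design is not the DBA.

BEGIN
  -- A realm is a protection zone around a set of database objects.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Payroll Realm',
    description   => 'Shields the PAYROLL schema from administrative access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit blocked attempts

  -- Every object of every type owned by PAYROLL belongs to the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Payroll Realm',
    object_owner => 'PAYROLL',
    object_name  => '%',
    object_type  => '%');

  -- Only PAYROLL_APP is authorized to use the objects. Anyone else, including
  -- accounts with SELECT ANY TABLE or the DBA role, is blocked by the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Payroll Realm',
    grantee       => 'PAYROLL_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Review the resulting configuration.
SELECT name, enabled FROM dba_dv_realm WHERE name = 'Payroll Realm';
SELECT realm_name, owner, object_name, object_type FROM dba_dv_realm_object
 WHERE realm_name = 'Payroll Realm';
SELECT realm_name, grantee, auth_options FROM dba_dv_realm_auth
 WHERE realm_name = 'Payroll Realm';
```

With the realm enabled, a DBA session that runs `SELECT * FROM payroll.salaries` is refused with ORA-01031 (insufficient privileges), which is how a realm violation surfaces; PAYROLL_APP continues to work because it is a realm participant. The separation of duty lies in who can run this script: the DV owner defines the realm but has no DBA privileges of its own, and the DBA cannot alter or drop the realm.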
1-4) Access Control with Time-Based and Location-Based Constraints
There isn’t any special, straightforward facility for time-based access control constraints in
Oracle Database 11gR2. However, you can use some workarounds, mainly triggers and profiles, to
achieve that.
If you want to restrict a user so that he can log in to the database only in certain time ranges, you can
declare a database logon trigger for that. Here is an example which prevents the user AMIN from
connecting to the database outside the time range from 8 to 22:
Listing 1 – Database Logon Trigger
CREATE OR REPLACE TRIGGER trgLimitLoginTime
  AFTER LOGON ON DATABASE
BEGIN
  -- Only the user AMIN is subject to the time window
  IF USER = 'AMIN' THEN
    -- Hour of the server clock in 24-hour form; hours 8 through 22 pass,
    -- so logins up to 22:59 are accepted
    IF TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) NOT BETWEEN 8 AND 22 THEN
      RAISE_APPLICATION_ERROR(-20998,
        'Dear Amin! You cannot login before 08:00 and after 22:00');
    END IF;
  END IF;
END trgLimitLoginTime;
/
With a similar approach you can also restrict users who hold a specific role, or users who lack a
specific role.
You can also limit the total duration of user connections. Doing this is easier and more straightforward
than the previous scenario and can be done with profiles. You can use the CONNECT_TIME resource
parameter of a profile to specify the total elapsed time limit for a session, expressed in minutes [4]. With
this facility you can, for example, limit each connection of the users of a profile to 5 minutes, i.e. each
connection of those users will last at most 5 minutes, after which the connection is closed by the
DBMS.
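The following block is an added example, not code from the original document; it carries the two workarounds just described one step further: (a) a profile that caps every session at 5 minutes with CONNECT_TIME, and (b) a variant of Listing 1 that applies the 8-to-22 window to every user holding a given role instead of to one named user. The profile, role and user names (short_session_profile, OFFICE_HOURS_ONLY, batch_user) are constructed for the illustration.

```sql
-- Added example (not from the original document). Names are constructed.

-- (a) Profile resource limits are enforced only while RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

CREATE PROFILE short_session_profile LIMIT
  CONNECT_TIME 5;                 -- minutes; the session then ends with ORA-02399

ALTER USER batch_user PROFILE short_session_profile;

-- (b) Time window applied by role. DBA_ROLE_PRIVS lists the roles granted
-- directly to a user; the trigger owner (e.g. SYSTEM) must be able to read it.
CREATE OR REPLACE TRIGGER trg_limit_login_by_role
  AFTER LOGON ON DATABASE
DECLARE
  v_has_role  PLS_INTEGER;
  v_hour      PLS_INTEGER := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
  SELECT COUNT(*)
    INTO v_has_role
    FROM dba_role_privs
   WHERE grantee = USER
     AND granted_role = 'OFFICE_HOURS_ONLY';

  -- Same window as Listing 1: hours 8 through 22 are allowed.
  IF v_has_role > 0 AND v_hour NOT BETWEEN 8 AND 22 THEN
    RAISE_APPLICATION_ERROR(-20999,
      'Users holding OFFICE_HOURS_ONLY may log in only between 08:00 and 22:59');
  END IF;
END trg_limit_login_by_role;
/
```

Two caveats apply to both triggers. First, a failing logon trigger does not block users who hold the ADMINISTER DATABASE TRIGGER system privilege (SYS, and anyone with the DBA role), so the time window is a control on ordinary accounts, not on administrators. Second, the role check above sees only direct grants; a role received through another role would need the ROLE_ROLE_PRIVS hierarchy to be walked as well.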
Location-based constraints are easier to implement than time-based ones. You can filter connections to
the database by their IP address, and both the closed and the open approach are supported. You can
achieve them simply by configuring the SQLNET.ORA file.
The SQLNET.ORA file is the profile configuration file. It resides on the client machines and the database
server. Profiles are stored and implemented using this file. The database server can be configured with
access control parameters in the SQLNET.ORA file [5]. These parameters specify whether clients are
allowed or denied access based on the protocol.
To enable this facility, you should open the SQLNET.ORA file and add the following line to it:
tcp.validnode_checking = yes
This turns on hostname/IP checking for your database listeners. After this, you can supply lists of
authorized or unauthorized nodes, which implicitly determines the closed or open approach. For example,
a closed approach could be implemented like the following:
tcp.invited_nodes = (hostname1, hostname2)
It means that only connections from hostname1 and hostname2 are accepted; connections from any
other source will be dropped.
Similarly, you can implement an open approach like the following:
tcp.excluded_nodes = (192.168.10.3)
This line means that connections from the 192.168.10.3 address will be dropped and the others can
connect to the database.
There are also some considerations and best practices for using this facility, which can be found in [6].
1-5) Cascading and Non-Cascading Revocation
Oracle Database uses cascading revocation [7]. For example, suppose that USERA grants the role R to
USERB, and USERB grants R to USERC. If USERA then revokes R from USERB, the revocation
cascades and R is implicitly revoked from USERC as well. However, USERA cannot revoke R from USERC
directly. The revocation does not take effect if R was also granted to USERC by another user. You cannot
choose between cascading and non-cascading revocation at will.
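The SQL below is an added example, not from the original document; it traces a cascading revocation through the DBA_TAB_PRIVS view so that each grant path and its grantor can be seen. Oracle's REVOKE documentation [7] specifies the cascade for object privileges that were passed on WITH GRANT OPTION, which is the case used here. The users USERA, USERB, USERC, USERD and the table usera.orders are constructed, and USERD is assumed to already hold SELECT on the table WITH GRANT OPTION.

```sql
-- Added example (not from the original document). Users and table are
-- constructed; each GRANT/REVOKE runs as the user named in the comment.

-- As USERA (owner of the table): grant with the right to pass it on.
GRANT SELECT ON usera.orders TO userb WITH GRANT OPTION;

-- As USERB: pass the privilege on to USERC.
GRANT SELECT ON usera.orders TO userc;

-- As USERD (assumed to hold SELECT ... WITH GRANT OPTION on the same table):
-- an independent grant path to USERC.
GRANT SELECT ON usera.orders TO userc;

-- Each grant path is recorded as its own row, together with its grantor.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'USERA'
   AND table_name = 'ORDERS'
 ORDER BY grantee, grantor;

-- As USERA: revoking from USERB cascades to every grant USERB made.
REVOKE SELECT ON usera.orders FROM userb;

-- Re-run the same query to see what survived the cascade.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'USERA'
   AND table_name = 'ORDERS'
 ORDER BY grantee, grantor;
```

Before the REVOKE the first query lists three rows: USERB granted by USERA, USERC granted by USERB, and USERC granted by USERD. After it, the USERB row and the USERC-by-USERB row are gone, while USERC keeps SELECT through the USERD row, which is exactly the "granted by another user too" case in the text. Checking DBA_TAB_PRIVS by grantor after a revocation is the practical way to confirm that no unintended path to the object remains.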
1-6) Negative Authorization
Oracle Database uses a negative security model for authorization. That is, if a user is not granted a role,
it will not have the permissions assigned to that role, and every request by that user which needs one
of those permissions will be rejected.
1-7) Conflict Resolution
You can assign a user to one or more roles. If you assign multiple roles with conflicting privileges, then
the user is granted the more permissive privilege, which is the union of all the privileges granted to the
multiple roles [8]. For example, if you assign to the same user a role that allows creating a snapshot and
a role that restricts it, then the user is allowed to create snapshots.
1-8) Mandatory Access Control
Mandatory Access Control (MAC) is fully supported, and Oracle Label Security is the implementation of
MAC in Oracle. This capability allows the database to inherently know what data is sensitive and
allows the sensitive data to be combined in the same table as the larger data set without compromising
security [9]. Figure (1) shows the main concept of Oracle Label Security.
Figure 1 – Oracle Label Security Access Control
Labels are assigned to data based on the sensitivity level of the information, and access to data
labeled at a certain level (such as Sensitive) is restricted to those users who have been granted that level
of access or higher. Oracle Label Security is an add-on security option available from Oracle9i Enterprise
Edition on [10]. The Oracle Policy Manager provides a graphical user interface for managing the
labels. Oracle Label Security is built on the Virtual Private Database toolkit and mediates access to rows
in database tables based on a label contained in the row, a label associated with each database session,
and the Oracle Label Security privileges assigned to the session. Instructions on how to enable OLS and a
starter guide can be found in [11].
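As an added example (not code from the original document or from the OLS guide in [11]), the block below builds the smallest Oracle Label Security setup that exhibits the behaviour just described: a policy with two ordered levels, applied to one table, and two users whose clearances differ, so that rows of both sensitivities live in the same table while each session sees only what its label dominates. The policy HR_POL, the table hr.employee_records (assumed to exist with columns emp_id and salary), and the users CLERK and MANAGER are constructed; OLS must already be enabled, and the PL/SQL block runs as LBACSYS or a user holding the HR_POL_DBA role.

```sql
-- Added example (not from the original document). Policy, table and user
-- names are constructed. Assumes OLS is enabled and hr.employee_records exists.

BEGIN
  -- A policy defines the label column that protected tables receive and the
  -- enforcement options applied by default (read and write mediation here).
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POL',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- Levels are ordered by number; a higher number dominates a lower one.
  SA_COMPONENTS.CREATE_LEVEL(policy_name => 'HR_POL', level_num => 1000,
                             short_name  => 'PUB',    long_name => 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL(policy_name => 'HR_POL', level_num => 2000,
                             short_name  => 'SEN',    long_name => 'SENSITIVE');

  -- Attach the policy to the table; the HR_LABEL column is added to it.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'HR_POL',
    schema_name => 'HR',
    table_name  => 'EMPLOYEE_RECORDS');

  -- CLERK is cleared up to PUB only; MANAGER up to SEN. When max_write_label
  -- is omitted it defaults to max_read_label, so MANAGER can also write SEN rows.
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'HR_POL', user_name => 'CLERK',
                                max_read_label => 'PUB');
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'HR_POL', user_name => 'MANAGER',
                                max_read_label => 'SEN');
END;
/

-- As MANAGER (write label SEN dominates both row labels): rows of different
-- sensitivity are stored in the same table, each carrying its own label.
INSERT INTO hr.employee_records (emp_id, salary, hr_label)
  VALUES (1, 50000, CHAR_TO_LABEL('HR_POL', 'PUB'));
INSERT INTO hr.employee_records (emp_id, salary, hr_label)
  VALUES (2, 90000, CHAR_TO_LABEL('HR_POL', 'SEN'));
COMMIT;

-- The session label, not the SQL text, decides what a query returns.
SELECT SA_SESSION.LABEL('HR_POL') AS session_label FROM dual;
SELECT emp_id, salary, LABEL_TO_CHAR(hr_label) AS row_label
  FROM hr.employee_records
 ORDER BY emp_id;
```

Run the final two statements once as CLERK and once as MANAGER: CLERK's result contains only emp_id 1, MANAGER's contains both rows, and neither user has to be told which rows to avoid, because the WHERE-less query is rewritten by OLS according to the session's label. This is the "combined in the same table without compromising security" property from [9] made concrete; also note that MANAGER and CLERK still need ordinary object privileges on the table, since OLS mediates rows on top of discretionary access control rather than replacing it.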
1-9) Administering Access Control Policies
Oracle Authorization Policy Manager is a graphical interface tool for managing application authorization
policies [12]. Security administrators can use Authorization Policy Manager, which greatly simplifies the
creation, configuration, and administration of application policies, by offering the following
facilities:
User-friendly names and descriptions of security artifacts [13].
A way to organize application roles by business, product, or any other parameter specific to
an application [13].
A uniform graphic interface to search, create, browse, and edit security artifacts [14, 15].
A way to specify a subset of applications that a role can manage [16].
3) Conclusion
In this document, we briefly introduced some access control facilities in Oracle Database 11gR2. Oracle
Database 11gR2 supports almost all of the access control concepts discussed; they can be achieved
directly with DBMS features or by a workaround. With roles and user profiles you obtain most of the
access control concepts mentioned. The remaining needs can be met with Oracle Database Vault and
Oracle Label Security, which deliver advanced access control and security features.
4) References
1. Administering User Privileges, Roles, and Profiles. 2015. Administering User Privileges, Roles, and
Profiles. [ONLINE] Available at:
http://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1012785.
[Accessed 19 June 2015].
2. Understanding Users and Roles. 2015. Understanding Users and Roles. [ONLINE] Available at:
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/introroles.htm#JISEC2263. [Accessed
20 June 2015].
3. Introducing Oracle Database Vault. 2015. Introducing Oracle Database Vault. [ONLINE] Available
at: http://docs.oracle.com/cd/B28359_01/server.111/b31222/dvintro.htm#DVADM70086.
[Accessed 20 June 2015].
4. CREATE PROFILE. 2015. CREATE PROFILE. [ONLINE] Available at:
http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6010.htm. [Accessed 24
June 2015].
5. Parameters for the sqlnet.ora File. 2015. Parameters for the sqlnet.ora File. [ONLINE] Available
at: https://docs.oracle.com/cd/E11882_01/network.112/e10835/sqlnet.htm#NETRF181.
[Accessed 25 June 2015].
6. Blocking Oracle access by IP Addresses. 2015. Blocking Oracle access by IP Addresses. [ONLINE]
Available at: http://www.dba-oracle.com/t_blocking_listener_ip_addresses.htm. [Accessed 25
June 2015].
7. REVOKE. 2015. REVOKE. [ONLINE] Available at:
http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_9020.htm#i2133838.
[Accessed 27 June 2015].
8. Managing Security. 2015. Managing Security. [ONLINE] Available at:
http://docs.oracle.com/cd/E11882_01/owb.112/e17130/security_mgmt.htm#WBINS16282.
[Accessed 27 June 2015].
9. Oracle Label Security with Oracle Database 11g Release 2. 2009. Oracle Label Security with
Oracle Database 11g Release 2. [ONLINE] Available at:
http://www.oracle.com/technetwork/database/security/owp-security-label-security-11gr2-
133601.pdf. [Accessed 29 June 2015].
10. Oracle Access Control. 2015. Oracle Access Control. [ONLINE] Available
at: http://www.itillious.com/insight/articles/OracleAccessControl.html. [Accessed 29 June
2015].
11. Getting Started with Oracle Label Security. 2015. Getting Started with Oracle Label Security.
[ONLINE] Available at:
https://docs.oracle.com/cd/E11882_01/network.112/e10745/getstrtd.htm#OLSAG3096.
[Accessed 29 June 2015].
12. Introduction to Oracle Authorization Policy Manager. 2015. Introduction to Oracle Authorization
Policy Manager. [ONLINE] Available at:
http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/apmintro.htm#APMAG4493.
[Accessed 29 June 2015].
13. The OPSS Authorization Model. 2015. The OPSS Authorization Model. [ONLINE] Available at:
http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/basics.htm#BEIJGIBJ. [Accessed 29
June 2015].
14. Querying Security Artifacts. 2015. Querying Security Artifacts. [ONLINE] Available at:
http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/searching.htm#CEGBJJIF. [Accessed 29
June 2015].
15. Managing Security Artifacts. 2015. Managing Security Artifacts. [ONLINE] Available at:
http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/managing.htm#BABFCAEJ. [Accessed
29 June 2015].
16. Delegated Administration. 2015. Delegated Administration. [ONLINE] Available at:
http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/delegatedadmin.htm#BAJEBHJG.
[Accessed 29 June 2015].