Access Control Facilities in
Oracle Database 11gR2
M. Amin Saghizadeh
JUN 2015
1) Introduction
In this document we introduce some access control facilities in Oracle Database 11gR2 (Oracle from now on) and discuss how a given access control need can be met with its available capabilities.
2) Access Control Facilities
In this section we discuss the available facilities that are useful for access control.
1-1) User Groups and Assigning Roles to the Group
The concept of user groups can be implemented in Oracle in two ways. However, only one of them supports assigning roles to the group.
First, users can be grouped by assigning them to profiles. A profile is a named set of resource limits and password parameters that restrict database usage and instance resources for a user [1]. When you create users, you can give them a profile; if you don't, the DBMS automatically assigns them the DEFAULT profile.
Profiles have two limitations in relation to access control. First, a user can have only one profile at a time, and second, profiles can be assigned only to users, not to roles or other profiles. So they only group users according to the usage limits placed on database instance resources, and they cannot be used to group users hierarchically.
The other way of grouping users in Oracle is by roles. You can create a grouping role, grant the needed privileges to it, and even grant other roles to it. This way fully delivers the desired facility of user groups with roles assigned to them.
1-2) Hierarchical Role-Based Access Control
Hierarchical RBAC is supported by default from Oracle database 9i on. In a role hierarchy, role members
inherit permissions from the parent role [2]. Thus, if Role A is a member of Role B, then all permissions
granted to Role B are also permissions granted to Role A. Of course, Role A may have its own particular
permissions, but, just by being a member of Role B, Role A inherits all the permissions granted to Role B.
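The following SQL is an added example, not part of the original document: it builds the two-level role hierarchy described above and then queries the data dictionary to review which roles and object privileges a user effectively holds through that hierarchy. The role, user and table names (APP_READER, APP_ANALYST, AMIN, HR.EMPLOYEES) are hypothetical.

```sql
-- Added example; role, user and table names are hypothetical.
-- APP_READER is the parent role; APP_ANALYST becomes a member of it.
CREATE ROLE app_reader;
CREATE ROLE app_analyst;

-- Privileges granted to the parent role ...
GRANT SELECT ON hr.employees TO app_reader;
-- ... are inherited by every role that is a member of it.
GRANT app_reader TO app_analyst;
GRANT CREATE VIEW TO app_analyst;

-- Group users by granting the role, not the individual privileges.
GRANT app_analyst TO amin;

-- Review: walk DBA_ROLE_PRIVS from the user downwards to list every role
-- the user holds, directly (depth 1) or through the hierarchy (depth > 1).
SELECT LEVEL AS depth, granted_role
  FROM dba_role_privs
 START WITH grantee = 'AMIN'
CONNECT BY NOCYCLE PRIOR granted_role = grantee;

-- Review: the user's effective object privileges are the union of direct
-- grants and the grants of every role reached by the walk above.
SELECT DISTINCT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'AMIN'
    OR grantee IN (SELECT granted_role
                     FROM dba_role_privs
                    START WITH grantee = 'AMIN'
                  CONNECT BY NOCYCLE PRIOR granted_role = grantee);
```

The two review queries need SELECT on the DBA_* views (for example the SELECT_CATALOG_ROLE role) and are useful as a periodic check that a grouping role has not silently accumulated more privileges than intended.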
1-3) Role-Based Access Control with Separation of Duty
In Oracle Database, separation of duty is delivered by Oracle Database Vault. Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access [3]. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.
Oracle Database Vault is disabled by default, and before enabling and using it you must also enable Oracle Label Security. Oracle Database Vault security controls include realms, command rules, factors, separation of duty, and reporting.
Oracle Database Vault separation of duty enables a systematic approach to security that strengthens controls within the database and helps satisfy requirements found in many regulations. By default it creates three distinct, separate responsibilities within the database: Account Management, Security Administration and Database Administration. However, its extensibility allows separation of duty to be customized to specific business requirements. For example, you can further subdivide the database administration responsibility into backup, performance and patching responsibilities.
As there is no facility to deliver separation of duty within database roles themselves, Oracle Database Vault is the only recommended solution in Oracle Database 11g for implementing separation of duty.
1-4) Access Control with Time-Based and Location-Based Constraints
There is no special, straightforward facility for time-based access control constraints in Oracle Database 11gR2. However, some workarounds, mainly based on triggers and profiles, achieve the same effect.
If you want to allow a user to log in to the database only within certain time ranges, you can declare a database logon trigger for that. Here is an example which blocks the user AMIN if he tries to connect to the database outside the time range from 8 to 22:
Listing 1 – Database Logon Trigger
CREATE OR REPLACE TRIGGER trgLimitLoginTime
  AFTER LOGON ON DATABASE
BEGIN
  IF USER = 'AMIN' THEN
    -- Hour of day in 24-hour form. Hours 8..22 are accepted, so the
    -- condition rejects logons before 08:00 and from 23:00 on (a logon
    -- at 22:30 still passes).
    IF TO_NUMBER(TO_CHAR(SYSDATE, 'hh24')) NOT BETWEEN 8 AND 22 THEN
      RAISE_APPLICATION_ERROR(-20998,
        'Dear Amin! You cannot login before 08:00 and after 22:00');
    END IF;
  END IF;
  -- Raising an error in a logon trigger fails the logon, except for users
  -- holding the ADMINISTER DATABASE TRIGGER system privilege (such as
  -- SYS), who still connect.
END trgLimitLoginTime;
/
With a similar approach you can also block users who hold a specific role, or users who lack one.
You can also limit the total connection time of users. This is easier and more straightforward than the previous scenario and is done with profiles. The CONNECT_TIME resource parameter of a profile specifies the total elapsed time limit for a session, expressed in minutes [4]. With this facility you can, for example, limit each connection of the users of a profile to 5 minutes: each such connection lasts for 5 minutes, after which the DBMS closes it.
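The following is an added example, not code from the original document: it applies the same logon-trigger technique to everyone holding a role instead of a single named user, and then adds the CONNECT_TIME profile limit described above. The role, profile and user names (CONTRACTOR_ROLE, SHORT_SESSION, AMIN) are hypothetical.

```sql
-- Added example; role, profile and user names are hypothetical.
-- 1) Time window enforced for everyone holding CONTRACTOR_ROLE instead of
--    for a single named user. DBMS_SESSION.IS_ROLE_ENABLED reports the roles
--    enabled for the new session, which at logon are the user's default
--    roles together with any roles inherited through the role hierarchy;
--    a role that is granted but not a default role is not seen here.
CREATE OR REPLACE TRIGGER trgLimitContractorHours
  AFTER LOGON ON DATABASE
DECLARE
  v_hour PLS_INTEGER := TO_NUMBER(TO_CHAR(SYSDATE, 'hh24'));
BEGIN
  -- Hours 8..21 are accepted, i.e. from 08:00:00 up to 21:59:59.
  IF DBMS_SESSION.IS_ROLE_ENABLED('CONTRACTOR_ROLE')
     AND v_hour NOT BETWEEN 8 AND 21 THEN
    RAISE_APPLICATION_ERROR(-20997,
      'CONTRACTOR_ROLE sessions are only allowed between 08:00 and 22:00');
  END IF;
END trgLimitContractorHours;
/

-- 2) Cap the elapsed time of every session of the profile's users (minutes).
CREATE PROFILE short_session LIMIT
  CONNECT_TIME 5
  IDLE_TIME    2;
ALTER USER amin PROFILE short_session;

-- Resource limits such as CONNECT_TIME are only enforced while the
-- RESOURCE_LIMIT initialization parameter is TRUE; the password-related
-- profile parameters are enforced regardless of this setting.
ALTER SYSTEM SET resource_limit = TRUE;
```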
Location-based constraints are easier to implement than time-based ones. You can filter connections to the database based on their IP address, and both the closed and the open approach are supported. You can achieve them simply by configuring the SQLNET.ORA file.
The SQLNET.ORA file is the profile configuration file. It resides on the client machines and on the database server. Profiles are stored and implemented using this file. The database server can be configured with access control parameters in the SQLNET.ORA file [5]. These parameters specify whether clients are allowed or denied access based on the protocol.
To enable this facility, open the SQLNET.ORA file and add the following line to it:
tcp.validnode_checking = yes
This turns on hostname/IP checking for your database listeners. After this, you can supply lists of authorized or unauthorized nodes, which implicitly determines whether the approach is closed or open. For example, the closed approach could be implemented as follows:
tcp.invited_nodes = (hostname1, hostname2)
This means that only connections from hostname1 and hostname2 are accepted and connections from any other source are dropped.
Similarly, you can implement the open approach as follows:
tcp.excluded_nodes = (192.168.10.3)
This line means that connections from the 192.168.10.3 address are dropped and all others can connect to the database.
Some considerations and best practices for using this facility can be found in [6].
1-5) Cascading and Non-Cascading Revocation
Oracle Database uses cascading revocation [7]. For example, suppose that USERA grants the role R to USERB, and USERB grants R to USERC. After that, if USERA revokes R from USERB, the revocation cascades and R is implicitly revoked from USERC as well. However, USERA cannot revoke R from USERC directly, and the revocation cannot take place if R has also been granted to USERC by another user. You cannot choose between cascading and non-cascading revocation at will.
1-6) Negative Authorization
Oracle Database uses a negative security model for authorization. That is, if a user is not granted a role, the user does not have the permissions assigned to that role, and every request that needs one of those permissions is rejected.
1-7) Conflict Resolution
You can assign a user to one or more roles. If you assign multiple roles with conflicting privileges, then
the user is granted the more permissive privilege, which is the union of all the privileges granted to the
multiple roles [8]. For example, if you assign to the same user a role that allows creating a snapshot and
a role that restricts it, then the user is allowed to create snapshots.
1-8) Mandatory Access Control
Mandatory Access Control (MAC) is fully supported in Oracle, and Oracle Label Security is Oracle's implementation of MAC. This capability allows the database to inherently know what data is sensitive and allows the sensitive data to be combined in the same table as the larger data set without compromising security [9]. Figure 1 shows the main concept of Oracle Label Security.
Figure 1 – Oracle Label Security Access Control
Labels are assigned to data based on the sensitivity level of the information, and access to data labeled at a certain level (such as Sensitive) is restricted to those users who have been granted that level of access or higher. Oracle Label Security is an add-on security option from Oracle9i Enterprise Edition on [10]. The Oracle Policy Manager provides a graphical user interface for managing the labels. Oracle Label Security is built on the Virtual Private Database toolkit and mediates access to rows in database tables based on a label contained in the row, a label associated with each database session, and Oracle Label Security privileges assigned to the session. Instructions on how to enable OLS and a starter guide can be found in [11].
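As an added example that is not part of the original document, the following PL/SQL shows the three elements named above in working form: a policy with two sensitivity levels, labels stored in the rows, and per-user session labels that decide which rows each user can read. It assumes OLS is already enabled as described in [11] and that the first block runs as LBACSYS; the policy, level, schema, table and user names (HR_POL, PUB, SENS, HR.EMPLOYEES, AMIN, PAT) are hypothetical.

```sql
-- Added example; assumes OLS is enabled (see [11]) and that this block is
-- run as LBACSYS. Policy, level, schema, table and user names are
-- hypothetical.
BEGIN
  -- A policy adds a hidden label column (here HR_LABEL) to protected tables.
  SA_SYSDBA.CREATE_POLICY(
    policy_name => 'HR_POL',
    column_name => 'HR_LABEL');

  -- Sensitivity levels; a higher number dominates a lower one.
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 1000, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('HR_POL', 2000, 'SENS', 'SENSITIVE');

  -- Attach the policy to the table so that row labels are checked on read.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'HR_POL',
    schema_name   => 'HR',
    table_name    => 'EMPLOYEES',
    table_options => 'READ_CONTROL');

  -- Session labels: AMIN may read up to SENS, PAT only PUB.
  SA_USER_ADMIN.SET_USER_LABELS('HR_POL', 'AMIN', 'SENS');
  SA_USER_ADMIN.SET_USER_LABELS('HR_POL', 'PAT',  'PUB');

  -- The schema owner gets the FULL privilege so it can label all rows
  -- without itself being subject to the policy.
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POL', 'HR', 'FULL');
END;
/

-- Run as HR: classify salaries above 100000 as SENSITIVE, the rest PUBLIC.
UPDATE hr.employees
   SET hr_label = CHAR_TO_LABEL('HR_POL', 'SENS')
 WHERE salary > 100000;
UPDATE hr.employees
   SET hr_label = CHAR_TO_LABEL('HR_POL', 'PUB')
 WHERE hr_label IS NULL;
COMMIT;

-- Run as PAT and then as AMIN: the same query returns only PUB rows for
-- PAT, and both PUB and SENS rows for AMIN, with no change to the SQL.
SELECT employee_id, LABEL_TO_CHAR(hr_label) AS row_label
  FROM hr.employees;
```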
1-9) Administering Access Control Policies
Oracle Authorization Policy Manager is a graphical interface tool for managing application authorization policies [12]. Security administrators can use Authorization Policy Manager, which greatly simplifies the creation, configuration, and administration of application policies by offering the following facilities:
• User-friendly names and descriptions of security artifacts [13].
• A way to organize application roles by business, product, or any other parameter specific to an application [13].
• A uniform graphic interface to search, create, browse, and edit security artifacts [14, 15].
• A way to specify a subset of applications that a role can manage [16].
3) Conclusion
In this document we briefly introduced some access control facilities in Oracle Database 11gR2. Oracle Database 11gR2 supports almost all of these access control concepts; they can be achieved directly with DBMS features or by a workaround. With roles and user profiles you get most of the access control concepts mentioned. The remaining needs can be met with Oracle Database Vault and Oracle Label Security, which deliver advanced access control and security features.
4) References
1. Administering User Privileges, Roles, and Profiles. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1012785. [Accessed 19 June 2015].
2. Understanding Users and Roles. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E23943_01/core.1111/e10043/introroles.htm#JISEC2263. [Accessed 20 June 2015].
3. Introducing Oracle Database Vault. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/B28359_01/server.111/b31222/dvintro.htm#DVADM70086. [Accessed 20 June 2015].
4. CREATE PROFILE. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6010.htm. [Accessed 24 June 2015].
5. Parameters for the sqlnet.ora File. 2015. [ONLINE] Available at: https://docs.oracle.com/cd/E11882_01/network.112/e10835/sqlnet.htm#NETRF181. [Accessed 25 June 2015].
6. Blocking Oracle access by IP Addresses. 2015. [ONLINE] Available at: http://www.dba-oracle.com/t_blocking_listener_ip_addresses.htm. [Accessed 25 June 2015].
7. REVOKE. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_9020.htm#i2133838. [Accessed 27 June 2015].
8. Managing Security. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E11882_01/owb.112/e17130/security_mgmt.htm#WBINS16282. [Accessed 27 June 2015].
9. Oracle Label Security with Oracle Database 11g Release 2. 2009. [ONLINE] Available at: http://www.oracle.com/technetwork/database/security/owp-security-label-security-11gr2-133601.pdf. [Accessed 29 June 2015].
10. Oracle Access Control. 2015. [ONLINE] Available at: http://www.itillious.com/insight/articles/OracleAccessControl.html. [Accessed 29 June 2015].
11. Getting Started with Oracle Label Security. 2015. [ONLINE] Available at: https://docs.oracle.com/cd/E11882_01/network.112/e10745/getstrtd.htm#OLSAG3096. [Accessed 29 June 2015].
12. Introduction to Oracle Authorization Policy Manager. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/apmintro.htm#APMAG4493. [Accessed 29 June 2015].
13. The OPSS Authorization Model. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/basics.htm#BEIJGIBJ. [Accessed 29 June 2015].
14. Querying Security Artifacts. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/searching.htm#CEGBJJIF. [Accessed 29 June 2015].
15. Managing Security Artifacts. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/managing.htm#BABFCAEJ. [Accessed 29 June 2015].
16. Delegated Administration. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/delegatedadmin.htm#BAJEBHJG. [Accessed 29 June 2015].

More Related Content

What's hot

Reviewing sql server permissions tech republic
Reviewing sql server permissions   tech republicReviewing sql server permissions   tech republic
Reviewing sql server permissions tech republic
Kaing Menglieng
 
Asp net whitepaper
Asp net whitepaperAsp net whitepaper
Asp net whitepaper
Zayar Shwe
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
webhostingguy
 
Material modulo02 asf6501(6425-b_01)
Material   modulo02 asf6501(6425-b_01)Material   modulo02 asf6501(6425-b_01)
Material modulo02 asf6501(6425-b_01)
JSantanderQ
 
Material modulo01 asf6501(6419-a_01)
Material   modulo01 asf6501(6419-a_01)Material   modulo01 asf6501(6419-a_01)
Material modulo01 asf6501(6419-a_01)
JSantanderQ
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure Environment
InterSystems Corporation
 
Material modulo03 asf6501(6425-b_02)
Material   modulo03 asf6501(6425-b_02)Material   modulo03 asf6501(6425-b_02)
Material modulo03 asf6501(6425-b_02)
JSantanderQ
 

What's hot (20)

Rodc features
Rodc featuresRodc features
Rodc features
 
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
 
RACF - The Basics (v1.2)
RACF - The Basics (v1.2)RACF - The Basics (v1.2)
RACF - The Basics (v1.2)
 
IRJET- A Review On - Controlchain: Access Control using Blockchain
IRJET- A Review On - Controlchain: Access Control using BlockchainIRJET- A Review On - Controlchain: Access Control using Blockchain
IRJET- A Review On - Controlchain: Access Control using Blockchain
 
Oracle Complete Interview Questions
Oracle Complete Interview QuestionsOracle Complete Interview Questions
Oracle Complete Interview Questions
 
Reviewing sql server permissions tech republic
Reviewing sql server permissions   tech republicReviewing sql server permissions   tech republic
Reviewing sql server permissions tech republic
 
Railsplitter: Simplify Your CRUD
Railsplitter: Simplify Your CRUDRailsplitter: Simplify Your CRUD
Railsplitter: Simplify Your CRUD
 
201 Pdfsam
201 Pdfsam201 Pdfsam
201 Pdfsam
 
Asp net whitepaper
Asp net whitepaperAsp net whitepaper
Asp net whitepaper
 
Cisco ise jun os and ios xr - tacacs+ integration
Cisco ise   jun os and ios xr - tacacs+ integrationCisco ise   jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integration
 
70 640 Lesson08 Ppt 041009
70 640 Lesson08 Ppt 04100970 640 Lesson08 Ppt 041009
70 640 Lesson08 Ppt 041009
 
SQL Server Security - Attack
SQL Server Security - Attack SQL Server Security - Attack
SQL Server Security - Attack
 
Oracle dba interview question
Oracle dba interview questionOracle dba interview question
Oracle dba interview question
 
Day4
Day4Day4
Day4
 
70 640 Lesson02 Ppt 041009
70 640 Lesson02 Ppt 04100970 640 Lesson02 Ppt 041009
70 640 Lesson02 Ppt 041009
 
Material modulo02 asf6501(6425-b_01)
Material   modulo02 asf6501(6425-b_01)Material   modulo02 asf6501(6425-b_01)
Material modulo02 asf6501(6425-b_01)
 
Sdd 4
Sdd 4Sdd 4
Sdd 4
 
Material modulo01 asf6501(6419-a_01)
Material   modulo01 asf6501(6419-a_01)Material   modulo01 asf6501(6419-a_01)
Material modulo01 asf6501(6419-a_01)
 
Cache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure EnvironmentCache Security- Configuring a Secure Environment
Cache Security- Configuring a Secure Environment
 
Material modulo03 asf6501(6425-b_02)
Material   modulo03 asf6501(6425-b_02)Material   modulo03 asf6501(6425-b_02)
Material modulo03 asf6501(6425-b_02)
 

Viewers also liked

2014-annual-report
2014-annual-report2014-annual-report
2014-annual-report
Jim Nichols
 
Se vende leche de vaca
Se vende leche de vacaSe vende leche de vaca
Se vende leche de vaca
roblesua
 
Tema 2. Parte 2. Seguridad en el entorno físico
Tema 2. Parte 2. Seguridad en el entorno físicoTema 2. Parte 2. Seguridad en el entorno físico
Tema 2. Parte 2. Seguridad en el entorno físico
alphareticuli
 
IAVE reference letter for Sarah 7 5 15
IAVE reference letter for Sarah 7 5 15IAVE reference letter for Sarah 7 5 15
IAVE reference letter for Sarah 7 5 15
Sarah Hayes
 
Gibson-Energy-Stock-Pitch
Gibson-Energy-Stock-PitchGibson-Energy-Stock-Pitch
Gibson-Energy-Stock-Pitch
Yousuf Aziz
 
Presentacion Intertraining
Presentacion IntertrainingPresentacion Intertraining
Presentacion Intertraining
Felipe Martinez
 

Viewers also liked (19)

10 Criterios para Elegir una Solución ECM
10 Criterios para Elegir una Solución ECM10 Criterios para Elegir una Solución ECM
10 Criterios para Elegir una Solución ECM
 
2014-annual-report
2014-annual-report2014-annual-report
2014-annual-report
 
Bien respirer pour vivre pleinement
Bien respirer pour vivre pleinementBien respirer pour vivre pleinement
Bien respirer pour vivre pleinement
 
Internet Librarian International 2013 murphy
Internet Librarian International 2013 murphy Internet Librarian International 2013 murphy
Internet Librarian International 2013 murphy
 
Se vende leche de vaca
Se vende leche de vacaSe vende leche de vaca
Se vende leche de vaca
 
Informe de gestión 2012 – 2015
Informe de gestión 2012 – 2015Informe de gestión 2012 – 2015
Informe de gestión 2012 – 2015
 
Tema 2. Parte 2. Seguridad en el entorno físico
Tema 2. Parte 2. Seguridad en el entorno físicoTema 2. Parte 2. Seguridad en el entorno físico
Tema 2. Parte 2. Seguridad en el entorno físico
 
IAVE reference letter for Sarah 7 5 15
IAVE reference letter for Sarah 7 5 15IAVE reference letter for Sarah 7 5 15
IAVE reference letter for Sarah 7 5 15
 
DIABETES TIPO II
DIABETES TIPO IIDIABETES TIPO II
DIABETES TIPO II
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
LR Magazine
LR MagazineLR Magazine
LR Magazine
 
Tanner LAB B rough
Tanner LAB B roughTanner LAB B rough
Tanner LAB B rough
 
Agile Testing…or Walking Dead Testing?
Agile Testing…or Walking Dead Testing?Agile Testing…or Walking Dead Testing?
Agile Testing…or Walking Dead Testing?
 
Imbongi zalamuhla
Imbongi zalamuhlaImbongi zalamuhla
Imbongi zalamuhla
 
Gibson-Energy-Stock-Pitch
Gibson-Energy-Stock-PitchGibson-Energy-Stock-Pitch
Gibson-Energy-Stock-Pitch
 
Ukuvezwa kwabalingiswa
Ukuvezwa kwabalingiswaUkuvezwa kwabalingiswa
Ukuvezwa kwabalingiswa
 
Mechanical industrial visit
Mechanical industrial visitMechanical industrial visit
Mechanical industrial visit
 
Presentacion Intertraining
Presentacion IntertrainingPresentacion Intertraining
Presentacion Intertraining
 
Yoga Accessories
Yoga AccessoriesYoga Accessories
Yoga Accessories
 

Similar to Access Control Facilities in Oracle Database 11g r2

how to protect your sensitive data using oracle database vault
how to protect your sensitive data using oracle database vaulthow to protect your sensitive data using oracle database vault
how to protect your sensitive data using oracle database vault
Anar Godjaev
 
1 ISACA JOURNAL VOLUME 1, 2012FeatureThe ability to r.docx
1 ISACA JOURNAL  VOLUME 1, 2012FeatureThe ability to r.docx1 ISACA JOURNAL  VOLUME 1, 2012FeatureThe ability to r.docx
1 ISACA JOURNAL VOLUME 1, 2012FeatureThe ability to r.docx
honey725342
 
Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946
Editor IJARCET
 
Sql grant, revoke, privileges and roles
Sql grant, revoke, privileges and rolesSql grant, revoke, privileges and roles
Sql grant, revoke, privileges and roles
Vivek Singh
 

Similar to Access Control Facilities in Oracle Database 11g r2 (20)

Data base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access methodData base Access Control a look at Fine grain Access method
Data base Access Control a look at Fine grain Access method
 
oracle
oracleoracle
oracle
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
 
how to protect your sensitive data using oracle database vault
how to protect your sensitive data using oracle database vaulthow to protect your sensitive data using oracle database vault
how to protect your sensitive data using oracle database vault
 
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLEDATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
DATABASE PRIVATE SECURITY JURISPRUDENCE: A CASE STUDY USING ORACLE
 
security and privacy in dbms and in sql database
security and privacy in dbms and in sql databasesecurity and privacy in dbms and in sql database
security and privacy in dbms and in sql database
 
1 ISACA JOURNAL VOLUME 1, 2012FeatureThe ability to r.docx
1 ISACA JOURNAL  VOLUME 1, 2012FeatureThe ability to r.docx1 ISACA JOURNAL  VOLUME 1, 2012FeatureThe ability to r.docx
1 ISACA JOURNAL VOLUME 1, 2012FeatureThe ability to r.docx
 
Database_Security.ppt
Database_Security.pptDatabase_Security.ppt
Database_Security.ppt
 
A Framework for Predicate Based Access Control Policies in Infrastructure as ...
A Framework for Predicate Based Access Control Policies in Infrastructure as ...A Framework for Predicate Based Access Control Policies in Infrastructure as ...
A Framework for Predicate Based Access Control Policies in Infrastructure as ...
 
8.1.6 newsecurity features
8.1.6 newsecurity features8.1.6 newsecurity features
8.1.6 newsecurity features
 
03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx
 
How to protect your sensitive data using oracle database vault / Creating and...
How to protect your sensitive data using oracle database vault / Creating and...How to protect your sensitive data using oracle database vault / Creating and...
How to protect your sensitive data using oracle database vault / Creating and...
 
Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946Ijarcet vol-2-issue-3-942-946
Ijarcet vol-2-issue-3-942-946
 
Sql ch 15 - sql security
Sql ch 15 - sql securitySql ch 15 - sql security
Sql ch 15 - sql security
 
Websphere on z/OS and RACF security
Websphere on z/OS and RACF securityWebsphere on z/OS and RACF security
Websphere on z/OS and RACF security
 
Database Management System Security.pptx
Database Management System  Security.pptxDatabase Management System  Security.pptx
Database Management System Security.pptx
 
MS SQL server audit
MS SQL server auditMS SQL server audit
MS SQL server audit
 
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
 
Sql grant, revoke, privileges and roles
Sql grant, revoke, privileges and rolesSql grant, revoke, privileges and roles
Sql grant, revoke, privileges and roles
 
Database security issues
Database security issuesDatabase security issues
Database security issues
 

Recently uploaded

Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...
amitlee9823
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
MarinCaroMartnezBerg
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
amitlee9823
 
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
amitlee9823
 
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
AroojKhan71
 
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...
amitlee9823
 

Recently uploaded (20)

Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
 
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bellandur ☎ 7737669865 🥵 Book Your One night Stand
 
Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...
Vip Mumbai Call Girls Thane West Call On 9920725232 With Body to body massage...
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptx
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand

Access Control Facilities in Oracle Database 11g r2

Access Control Facilities in Oracle Database 11gR2
M. Amin Saghizadeh
JUN 2015
1) Introduction

In this document we introduce some access control facilities in Oracle Database 11gR2 (Oracle from now on) and discuss how a given access control need can be met with the capabilities it provides.

2) Access Control Facilities

In this section we discuss the available facilities useful for access control.

1-1) User Groups and Assigning Roles to the Group

The concept of user groups can be implemented in Oracle in two ways. However, not both of them support assigning roles to the group.

First, grouping users is performed by assigning them to Profiles. A profile is a named set of resource limits and password parameters that restrict database usage and instance resources for a user [1]. When you create users, you can give them a profile; if you don't, the DBMS automatically assigns them the DEFAULT profile.

There are two limitations with profiles in relation to access control. First, a user can have only one profile at a time, and second, profiles can be assigned only to users, not to roles or other profiles. So they only group users based on the usage limitations of database instance resources. They also cannot be used for grouping users in a hierarchical fashion.

Another way of grouping users in Oracle is to group them by roles. You can create a grouping role, grant the needed privileges to it, and even assign other roles to it. So this way fully provides the desired access control facility of user groups with roles assigned to them.

1-2) Hierarchical Role-Based Access Control

Hierarchical RBAC is supported by default from Oracle Database 9i on. In a role hierarchy, role members inherit permissions from the parent role [2]. Thus, if Role A is a member of Role B, then all permissions granted to Role B are also permissions granted to Role A. Of course, Role A may have its own particular permissions, but, just by being a member of Role B, Role A inherits all the permissions granted to Role B.
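The grouping role and role hierarchy described in 1-1 and 1-2, as an added example that is not part of the original document: the roles HR_READER and HR_CLERK, the user AMIN and the table HR.EMPLOYEES are assumed names, and the two queries show how a DBA verifies what a user actually inherits through the hierarchy.

```sql
-- Added example, not from the original document. The role names, the
-- user AMIN and the table HR.EMPLOYEES are assumed. Run as a DBA.

-- A grouping role that carries the privileges, and a second role that is
-- a member of it: HR_CLERK (Role A) inherits everything HR_READER (Role B)
-- holds, plus its own particular permission.
CREATE ROLE hr_reader;
CREATE ROLE hr_clerk;
GRANT SELECT ON hr.employees TO hr_reader;
GRANT hr_reader TO hr_clerk;                 -- role-to-role grant (hierarchy)
GRANT UPDATE ON hr.employees TO hr_clerk;    -- HR_CLERK's own permission
GRANT hr_clerk TO amin;                      -- the user joins the group

-- Verification 1: walk the role hierarchy downwards from the user.
-- DBA_ROLE_PRIVS holds both user-to-role and role-to-role grants, so one
-- hierarchical query lists direct and inherited roles with their depth
-- (HR_CLERK at depth 1, HR_READER at depth 2 for the grants above).
SELECT LPAD(' ', 2 * (LEVEL - 1)) || granted_role AS role_path,
       LEVEL AS depth
  FROM dba_role_privs
 START WITH grantee = 'AMIN'
CONNECT BY NOCYCLE grantee = PRIOR granted_role;

-- Verification 2: the object privileges AMIN effectively obtains through
-- that chain, with the role that carries each one. This is the query to
-- run when reviewing whether a group role grants more than intended.
SELECT p.grantee AS via_role, p.privilege,
       p.owner || '.' || p.table_name AS object_name
  FROM dba_tab_privs p
 WHERE p.grantee IN (SELECT granted_role
                       FROM dba_role_privs
                      START WITH grantee = 'AMIN'
                    CONNECT BY NOCYCLE grantee = PRIOR granted_role)
 ORDER BY p.grantee, p.privilege;
```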
1-3) Role-Based Access Control with Separation of Duty

In Oracle Database, separation of duty is delivered by Oracle Database Vault. Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access [3]. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information. Oracle Database Vault is disabled by default, and before enabling and using it you must also enable Oracle Label Security.

Oracle Database Vault security controls include realms, command rules, factors, separation of duty, and reporting. Oracle Database Vault separation of duty enables a systematic approach to security that strengthens controls within the database and helps satisfy requirements found in many regulations. By default it creates three distinct, separate responsibilities within the database: Account Management, Security Administration and Database Administration. However, its extensibility allows separation of duty to be customized to any specific business requirements. For example, you can further subdivide the database administration responsibility into backup, performance and patching responsibilities.

As there isn't any facility to deliver separation of duty in database roles themselves, Oracle Database Vault is the only recommended solution in Oracle Database 11g to implement separation of duty.

1-4) Access Control with Time-Based and Location-Based Constraints

There isn't any special, straightforward facility for time-based constraints on access control in Oracle Database 11gR2. However, you can use some workarounds, mainly triggers and profiles, to achieve that.

If you want to restrict a user so that they can log in to the database only in certain time ranges, you can declare a database logon trigger for that. Here is an example which rejects the user AMIN if he tries to connect to the database outside the time range from 8 to 22:

Listing 1 – Database Logon Trigger

    CREATE OR REPLACE TRIGGER trgLimitLoginTime
    AFTER LOGON ON DATABASE
    BEGIN
      IF USER = 'AMIN' THEN
        IF to_number(TO_CHAR (SYSDATE, 'hh24')) NOT BETWEEN 8 AND 22
        THEN
          RAISE_APPLICATION_ERROR(-20998,'Dear Amin! You cannot login before 08:00 and after 22:00');
        END IF;
      END IF;
    END trgLimitLoginTime;
    /

You can also reject users with specific roles, or users that don't have a specific role, by a similar approach.

You can also limit the total time of users' connections. Doing this is easier and more straightforward than the previous scenario and can be done with Profiles. You can use the CONNECT_TIME resource parameter of profiles to specify the total elapsed time limit for a session, expressed in minutes [4]. With this facility, you can for example limit the time of each connection of the users of a profile to 5 minutes, i.e. each connection of the users of that profile will last 5 minutes and after that the connection will be closed by the DBMS.
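The role-based variant of Listing 1 mentioned above, together with the CONNECT_TIME profile, as an added example that is not part of the original document; the role OFFICE_HOURS_USER, the profile SHORT_SESSION and the user AMIN are assumed names, and the trigger is meant to be created by a DBA account.

```sql
-- Added example, not from the original document. OFFICE_HOURS_USER,
-- SHORT_SESSION and AMIN are assumed names. Run as a DBA.

-- Variant of Listing 1 keyed on role membership instead of one user name:
-- anyone directly granted OFFICE_HOURS_USER may log on only from 08:00
-- to 22:59. Roles are disabled inside a trigger body, so the trigger
-- owner needs SELECT on DBA_ROLE_PRIVS granted directly, not via a role.
-- DBA_ROLE_PRIVS shows direct grants only; nested roles would need a
-- hierarchical walk of that view or a check of the SESSION_ROLES view.
CREATE OR REPLACE TRIGGER trgLimitLoginTimeByRole
  AFTER LOGON ON DATABASE
DECLARE
  v_has_role NUMBER;
  v_hour     NUMBER := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
  SELECT COUNT(*)
    INTO v_has_role
    FROM dba_role_privs
   WHERE grantee = SYS_CONTEXT('USERENV', 'SESSION_USER')
     AND granted_role = 'OFFICE_HOURS_USER';

  IF v_has_role > 0 AND v_hour NOT BETWEEN 8 AND 22 THEN
    RAISE_APPLICATION_ERROR(-20998,
      'Logons for OFFICE_HOURS_USER are allowed only between 08:00 and 22:59');
  END IF;
END trgLimitLoginTimeByRole;
/
-- Caveat: a user holding ADMINISTER DATABASE TRIGGER (SYS, any DBA) is
-- not blocked when a logon trigger raises; the failure is only logged.
-- Keep that privilege out of the population the trigger is meant to limit.

-- Session-length limit from the text: each connection of users in this
-- profile is ended after 5 minutes of elapsed time. Profile resource
-- limits are enforced only while RESOURCE_LIMIT is TRUE.
CREATE PROFILE short_session LIMIT CONNECT_TIME 5;
ALTER USER amin PROFILE short_session;
ALTER SYSTEM SET resource_limit = TRUE;
```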
Location-based constraints are easier to implement than time-based ones. You can filter connections to the database based on their IP address, and both the closed and open approaches are supported. You can achieve this simply by configuring the SQLNET.ORA file. The SQLNET.ORA file is the profile configuration file. It resides on the client machines and the database server. Profiles are stored and implemented using this file. The database server can be configured with access control parameters in the SQLNET.ORA file [5]. These parameters specify whether clients are allowed or denied access based on the protocol.

To enable this facility, open the SQLNET.ORA file and add the following line to it:

    tcp.validnode_checking = yes

This turns on hostname/IP checking for your database listeners. After this, you can supply lists of authorized/unauthorized nodes, and which list you supply implicitly determines the closed or open approach. For example, the closed approach could be implemented like the following:

    tcp.invited_nodes = (hostname1, hostname2)

It means that only connections from hostname1 and hostname2 are accepted and connections from other sources will be dropped. Similarly, you can implement the open approach like the following:

    tcp.excluded_nodes = (192.168.10.3)

This line means that connections from the 192.168.10.3 address will be dropped and the others can connect to the database. There are also some considerations and best practices about using this facility, which can be found in [6].

1-5) Cascading and Non-Cascading Revocation

Oracle Database uses cascading revocation [7]. For example, suppose that USERA grants the role R to USERB, and USERB grants R to USERC. After that, if USERA revokes R from USERB, the revocation cascades and R is revoked from USERC implicitly. However, USERA cannot revoke R from USERC directly. Revocation also cannot be done if R has been granted to USERC by another user too.
You cannot perform cascading or non-cascading revocation at will.

1-6) Negative Authorization

Oracle Database uses a negative security model for authorization. That is, if a user is not granted a role, they will not have the permissions assigned to that role, and every request of theirs which needs one of those permissions will be rejected.

1-7) Conflict Resolution

You can assign a user to one or more roles. If you assign multiple roles with conflicting privileges, then the user is granted the more permissive privilege, which is the union of all the privileges granted to the multiple roles [8]. For example, if you assign to the same user a role that allows creating a snapshot and a role that restricts it, then the user is allowed to create snapshots.
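Cascading revocation as described in 1-5, worked through with an object privilege (SELECT on a table granted WITH GRANT OPTION) so that the chain of grants and its cascade can be checked in DBA_TAB_PRIVS; an added example, not from the original document. SECADMIN, USERA, USERB, USERC, the table HR_DATA and the passwords are assumed placeholders, and the script is meant for SQL*Plus, where CONNECT switches sessions.

```sql
-- Added example, not from the original document. SECADMIN (a DBA), USERA,
-- USERB, USERC, HR_DATA and all passwords are assumed placeholders.
CONNECT secadmin/Secadmin_pw1
CREATE USER usera IDENTIFIED BY Usera_pw1;
CREATE USER userb IDENTIFIED BY Userb_pw1;
CREATE USER userc IDENTIFIED BY Userc_pw1;
GRANT CREATE SESSION TO usera, userb, userc;
CREATE TABLE hr_data (id NUMBER, salary NUMBER);

-- Grant chain SECADMIN -> USERA -> USERB -> USERC, each link made by the
-- holder of the previous one. USERC also receives the privilege from
-- SECADMIN directly, i.e. it is "granted by another user too".
GRANT SELECT ON hr_data TO usera WITH GRANT OPTION;
GRANT SELECT ON hr_data TO userc;
CONNECT usera/Usera_pw1
GRANT SELECT ON secadmin.hr_data TO userb WITH GRANT OPTION;
CONNECT userb/Userb_pw1
GRANT SELECT ON secadmin.hr_data TO userc;

-- Before the revoke: four rows, one per grant, each recording its grantor.
CONNECT secadmin/Secadmin_pw1
SELECT grantee, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'SECADMIN' AND table_name = 'HR_DATA'
 ORDER BY grantee, grantor;

-- Revoking USERA's privilege cascades down the chain: the grants USERA and
-- USERB made on the strength of it (to USERB and to USERC) go with it.
-- The row USERC holds from SECADMIN survives, because a revoke removes
-- only the grants that descend from the revoked one.
REVOKE SELECT ON hr_data FROM usera;
SELECT grantee, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'SECADMIN' AND table_name = 'HR_DATA'
 ORDER BY grantee, grantor;

-- USERA could not have revoked USERC's privilege directly: an object
-- privilege is revoked by the user who granted it (here USERB), or by a
-- holder of GRANT ANY OBJECT PRIVILEGE acting on the owner's behalf.
```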
1-8) Mandatory Access Control

Mandatory Access Control (MAC) is fully supported, and Oracle Label Security is the implementation of MAC in Oracle. This capability allows the database to inherently know what data is sensitive and allows the sensitive data to be combined in the same table as the larger data set without compromising security [9]. Figure (1) shows the main concept of Oracle Label Security.

Figure 1 – Oracle Label Security Access Control

Labels are assigned to data based on the sensitivity level of the information, and access to data labeled at a certain level (such as Sensitive) is restricted to those users who have been granted that level of access or higher. Oracle Label Security is an add-on security option from Oracle9i Enterprise Edition on [10]. The Oracle Policy Manager provides a graphical user interface for managing the labels. Oracle Label Security is built on the Virtual Private Database toolkit and mediates access to rows in database tables based on a label contained in the row, a label associated with each database session, and Oracle Label Security privileges assigned to the session. Instructions on how to enable OLS and a starter guide can be found in [11].

1-9) Administering Access Control Policies

Oracle Authorization Policy Manager is a graphical interface tool to manage application authorization policies [12]. Security administrators can use Authorization Policy Manager, which greatly simplifies the creation, configuration, and administration of application policies by offering the following facilities:

- User-friendly names and descriptions of security artifacts [13].
- A way to organize application roles by business, product, or any other parameter specific to an application [13].
- A uniform graphic interface to search, create, browse, and edit security artifacts [14, 15].
- A way to specify a subset of applications that a role can manage [16].
3) Conclusion

In this document, we briefly introduced some access control facilities in Oracle Database 11gR2. Oracle Database 11gR2 supports almost all of those access control concepts, and they can be achieved either directly with DBMS features or by a workaround. With roles and user profiles you get most of the mentioned access control concepts. The remaining needs can be met with Oracle Database Vault and Oracle Label Security, which deliver advanced access control and security features.

4) References

1. Administering User Privileges, Roles, and Profiles. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1012785. [Accessed 19 June 2015].
2. Understanding Users and Roles. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E23943_01/core.1111/e10043/introroles.htm#JISEC2263. [Accessed 20 June 2015].
3. Introducing Oracle Database Vault. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/B28359_01/server.111/b31222/dvintro.htm#DVADM70086. [Accessed 20 June 2015].
4. CREATE PROFILE. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6010.htm. [Accessed 24 June 2015].
5. Parameters for the sqlnet.ora File. 2015. [ONLINE] Available at: https://docs.oracle.com/cd/E11882_01/network.112/e10835/sqlnet.htm#NETRF181. [Accessed 25 June 2015].
6. Blocking Oracle access by IP Addresses. 2015. [ONLINE] Available at: http://www.dba-oracle.com/t_blocking_listener_ip_addresses.htm. [Accessed 25 June 2015].
7. REVOKE. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_9020.htm#i2133838. [Accessed 27 June 2015].
8. Managing Security. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E11882_01/owb.112/e17130/security_mgmt.htm#WBINS16282. [Accessed 27 June 2015].
9. Oracle Label Security with Oracle Database 11g Release 2. 2009. [ONLINE] Available at: http://www.oracle.com/technetwork/database/security/owp-security-label-security-11gr2-133601.pdf. [Accessed 29 June 2015].
10. Oracle Access Control. 2015. [ONLINE] Available at: http://www.itillious.com/insight/articles/OracleAccessControl.html. [Accessed 29 June 2015].
11. Getting Started with Oracle Label Security. 2015. [ONLINE] Available at: https://docs.oracle.com/cd/E11882_01/network.112/e10745/getstrtd.htm#OLSAG3096. [Accessed 29 June 2015].
12. Introduction to Oracle Authorization Policy Manager. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/apmintro.htm#APMAG4493. [Accessed 29 June 2015].
13. The OPSS Authorization Model. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/basics.htm#BEIJGIBJ. [Accessed 29 June 2015].
14. Querying Security Artifacts. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/searching.htm#CEGBJJIF. [Accessed 29 June 2015].
15. Managing Security Artifacts. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/managing.htm#BABFCAEJ. [Accessed 29 June 2015].
16. Delegated Administration. 2015. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/delegatedadmin.htm#BAJEBHJG. [Accessed 29 June 2015].