Thomas Teske, Oracle – 2018-06-18 – audience: public – keywords: database, security, autonomous
thomas.teske@oracle.com @ThomasTeskeORCL
Securing your data in Oracle Autonomous Data Warehouse Cloud Service
Say "Hello" to virtual private database in the cloud
by Thomas Teske, Oracle, June 18th 2018
Introduction:
Security matters to everyone. All cloud vendors strive for strong protection of the cloud
infrastructure, the service instances, data transfers and proper role-based access controls. See the
following report for a recent security assessment by KuppingerCole. It is available online at
http://www.oracle.com/us/products/database/kuppingercole-autonomous-database-4368706.pdf
This document shall trigger your thoughts and turn your wants into actionable sprints delivering
actionable code. Just code it...
Is your data secure within your application or analytics?
Within an application or analytics service it is equally important to be context aware.
 Who has the permission for which operation on which subset of data?
 Under which circumstances is it allowed?
 If it is allowed: is it also OK for your auditor in six months? Thus: always enforce access rules,
monitor them and analyse the monitored usage. Otherwise you don't know what is going on.
Any modern security operations center works on such principles.
 On top of that you want to constrain the application users as follows:
users without the corresponding entitlement shall not see the PII-relevant attributes;
in our example: name, address, city and phone number are shown but remain empty.
 Some users might not even be allowed to see the country or regional information;
in our example: nation and region are shown but remain empty.
 Responsibilities of users might restrict them to work only with a subset of the data;
in our example: we only allow some users to work with data for AMERICA and MIDDLE EAST.
All data shown here is synthetic data. The Oracle Autonomous Data Warehouse Cloud Service
(ADWC) comes with a great resource: the SSB schema for testing. It is populated with a simple data
model about customers, business dates, products, suppliers and order lines referring to them.
ADWC is described at https://cloud.oracle.com/en_US/datawarehouse
Example for VPD:
One recipe implementing VPD is shown in our example:
1. DATA Creating a copy of a subset of the sample schema SSB into schema ADMIN.
ADMIN owns the data being shared with the other users.
2. USERS Creating ten database users ALICE, BOB, CHARLIE, … to demonstrate access for different
persons/profiles.
Alternative approach: use database users ONLY for application roles, not for individual persons. That
requires the VPD policies to determine permissions in a slightly different way, i.e. from an
application context or client identifier set by the application rather than from the session user.
3. METADATA Creating user meta-data describing the (application) users.
4. METADATA Creating permission meta-data describing permissions on the data model.
5. METADATA Assigning permissions to the database users.
6. VPD FUNCTIONS & POLICIES Create for each table the necessary functions to determine the
predicates to be applied by VPD. Define the VPD policies on the tables using these functions.
7. ROLE Define a role in the database containing the basic access rights to the tables.
ROLE ASSIGNMENT Assign the database role to the database users.
8. PUBLIC SYNONYMS Creating public synonyms for the tables to simplify access.
Note: VPD implementations can be done differently, e.g. using a different METADATA model.
WHAT we protect
We cover in our simple model data about CUSTOMERs, SUPPLIERs, TIME, PRODUCTS and ORDERs.
No matter how people access the data: it must remain secured, with no exceptions possible.
HOW we protect it
METADATA drives security. We keep record of PEOPLE, ROLES and ENTITLEMENTS, i.e. the ROLES
assigned to PEOPLE.
HOW it works in the database
In Oracle Database we have VPD (Virtual Private Database, configured through the DBMS_RLS package).
It consults the METADATA first: the policy FUNCTIONs are invoked automatically and read the METADATA.
The FUNCTIONs determine which access restrictions (WHERE predicates) are added to the SQL statement
before it is executed. All this happens inside the database, so a client cannot intercept or skip it.
The only exceptions are SYS and users holding the EXEMPT ACCESS POLICY system privilege, which
bypass VPD entirely; grant that privilege sparingly and audit its use.
This is how it works for an individual table.
Since we have more than one table: all the rules apply whenever combinations of tables are used, in
joins, subqueries and views alike. It all happens automatically in the background. Rules can be much
more complex than the ones we use here. A caution: always ensure that rules can be explained in
simple terms. If you can't do that, it is really difficult to check whether they are correct.
1. DATA Creating a copy of a subset of the sample schema SSB
As user ADMIN run the following.
CUSTOMER
-- create a demo table from SSB demo schema
create table customer as
select * from ssb.customer;
SUPPLIER
-- create a demo table from SSB demo schema
create table supplier as
select * from ssb.supplier;
DWDATE
-- create a demo table from SSB demo schema
create table dwdate as
select * from ssb.dwdate;
PART
-- create a demo table from SSB demo schema
create table part as
select * from ssb.part;
LINEORDER
-- create a demo table from SSB demo schema
-- original table is 6 billion records!
-- keep only the order lines of customers 1..1000
-- (the customer key column of LINEORDER is lo_custkey, not c_custkey)
create table lineorder as
select * from ssb.lineorder
where lo_custkey <= 1000;
2. USERS Creating ten database users
As user ADMIN run the following.
-- create users using simple passwords
-- consider enabling password policies later on!
create user alice identified by Welcome1234#;
…
-- allow them to open sessions to the database
grant CREATE SESSION to alice;
…
3. METADATA Creating user metadata
As user ADMIN run the following. Create a METADATA table first.
create table SOC_USER
( U_USER VARCHAR2(30 BYTE) NOT NULL ENABLE,
U_NAME VARCHAR2(30 BYTE) NOT NULL ENABLE,
U_DEPT VARCHAR2(30 BYTE) NOT NULL ENABLE,
CONSTRAINT "SOC_USER_PK" PRIMARY KEY ("U_USER") ENABLE
);
Now add METADATA describing the roles and responsibilities of these application users.
insert into SOC_USER
values ( 'ADMIN', 'Matthew and team', 'application data steward' );
insert into SOC_USER
values ( 'ALICE', 'Alice', 'sales management, worldwide' );
insert into SOC_USER
…
4. METADATA Creating meta-data describing permissions
As user ADMIN run the following. Create a METADATA table first.
create table SOC_PROFILE
( P_PROFILE VARCHAR2(30 BYTE) NOT NULL ENABLE,
P_NAME VARCHAR2(60 BYTE) NOT NULL ENABLE,
P_PREDTYPE VARCHAR2(12 BYTE) NOT NULL ENABLE,
P_PRED_TABLE VARCHAR2(60 BYTE) NOT NULL ENABLE,
P_PRED_COLUMN VARCHAR2(60 BYTE) ,
P_PRED_COLVAL VARCHAR2(60 BYTE) ,
CONSTRAINT "SOC_PROFILE_PK" PRIMARY KEY ("P_PROFILE") ENABLE
);
Insert data describing the permissions in business terms. P_PREDTYPE says whether a profile
governs rows (HIDE_ROWS) or columns (HIDE_COLS). For HIDE_ROWS profiles P_PRED_COLUMN and
P_PRED_COLVAL name the column and the value a user may see; a NULL column means no row
restriction. For HIDE_COLS profiles both are NULL: which columns a profile hides is left to the
policy function.
-- allow access to all columns in CUSTOMER table
insert into SOC_PROFILE
values ( 'CUST_ALL_COLUMNS', 'see all columns in table', 'HIDE_COLS',
'CUSTOMER', NULL, NULL );
-- allow access to all columns excluding the PII columns in CUSTOMER table
insert into SOC_PROFILE
values ( 'CUST_NO_PII_COLUMNS', 'see no PII columns in table',
'HIDE_COLS', 'CUSTOMER', NULL, NULL );
-- allow access to all columns excluding the GEO columns in CUSTOMER table
insert into SOC_PROFILE
values ( 'CUST_NO_GEO_COLUMNS', 'see no GEOGRAPHY columns in table',
'HIDE_COLS', 'CUSTOMER', NULL, NULL );
-- allow access to all rows in CUSTOMER table
insert into SOC_PROFILE
values ( 'CUST_ALL_RECORDS', 'see all records in table', 'HIDE_ROWS',
'CUSTOMER', NULL, NULL );
-- allow access to C_REGION having value EUROPE only in CUSTOMER table
insert into SOC_PROFILE
values ( 'CUST_ONLY_EUROPE_ROWS', 'see only EUROPE rows in table',
'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'EUROPE' );
-- allow access to C_REGION having value AMERICA only in CUSTOMER table
insert into SOC_PROFILE
values ( 'CUST_ONLY_AMERICA_ROWS', 'see only AMERICA rows in table',
'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'AMERICA' );
-- allow access to C_REGION having value ASIA only in CUSTOMER table
insert into SOC_PROFILE
values ( 'CUST_ONLY_ASIA_ROWS', 'see only ASIA rows in table',
'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'ASIA' );
-- allow access to C_REGION having value MIDDLE EAST only in CUSTOMER table
-- this REGION value does not occur in our copy of the CUSTOMER table!
insert into SOC_PROFILE
values ( 'CUST_ONLY_MIEAST_ROWS', 'see only MIDDLE EAST rows in table',
'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'MIDDLE EAST' );
-- allow access to C_REGION having value AFRICA only in CUSTOMER table
insert into SOC_PROFILE
values ( 'CUST_ONLY_AFRICA_ROWS', 'see only AFRICA rows in table',
'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'AFRICA' );
-- allow access to all columns in LINEORDER table
insert into SOC_PROFILE
values ( 'ORDERS_ALL_COLUMNS', 'see all columns in table',
'HIDE_COLS', 'LINEORDER', NULL, NULL );
-- allow access to all columns excluding the COMMERCIAL columns in LINEORDER table
insert into SOC_PROFILE
values ( 'ORDERS_NO_COMM_COLUMNS', 'see no COMMERCIAL columns in table',
'HIDE_COLS', 'LINEORDER', NULL, NULL );
-- allow access to all LO_ORDERDATE values in LINEORDER table
insert into SOC_PROFILE
values ( 'ORDERS_ALL_DAYS', 'see any data in table', 'HIDE_ROWS',
'LINEORDER', NULL, NULL );
-- allow access to the last 30 days of LO_ORDERDATE only in LINEORDER table
insert into SOC_PROFILE
values ( 'ORDERS_30_DAYS_ONLY', 'see only last 30 days in table',
'HIDE_ROWS', 'LINEORDER', 'LO_ORDERDATE', '30' );
-- allow access to the last 60 days of LO_ORDERDATE only in LINEORDER table
insert into SOC_PROFILE
values ( 'ORDERS_60_DAYS_ONLY', 'see only last 60 days in table',
'HIDE_ROWS', 'LINEORDER', 'LO_ORDERDATE', '60' );
-- allow access to the last 365 days of LO_ORDERDATE only in LINEORDER table
insert into SOC_PROFILE
values ( 'ORDERS_365_DAYS_ONLY', 'see only last 365 days in table',
'HIDE_ROWS', 'LINEORDER', 'LO_ORDERDATE', '365' );
-- allow access to the last 3650 days of LO_ORDERDATE only in LINEORDER table
insert into SOC_PROFILE
values ( 'ORDERS_3650_DAYS_ONLY', 'see only last 3650 days in table',
'HIDE_ROWS', 'LINEORDER', 'LO_ORDERDATE', '3650' );
-- allow access to all rows in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_ALL_RECORDS', 'see all records in table', 'HIDE_ROWS',
'SUPPLIER', NULL, NULL );
-- allow access to S_REGION having value EUROPE only in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_ONLY_EUROPE_ROWS', 'see only EUROPE rows in table',
'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'EUROPE' );
-- allow access to S_REGION having value AMERICA only in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_ONLY_AMERICA_ROWS', 'see only AMERICA rows in table',
'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'AMERICA' );
-- allow access to S_REGION having value ASIA only in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_ONLY_ASIA_ROWS', 'see only ASIA rows in table',
'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'ASIA' );
-- allow access to S_REGION having value MIDDLE EAST only in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_ONLY_MIEAST_ROWS', 'see only MIDDLE EAST rows in table',
'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'MIDDLE EAST' );
-- allow access to S_REGION having value AFRICA only in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_ONLY_AFRICA_ROWS', 'see only AFRICA rows in table',
'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'AFRICA' );
-- allow access to all columns in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_ALL_COLUMNS', 'see all columns in table', 'HIDE_COLS',
'SUPPLIER', NULL, NULL );
-- allow access to all columns excluding the PII columns in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_NO_PII_COLUMNS', 'see no PII columns in table',
'HIDE_COLS', 'SUPPLIER', NULL, NULL );
-- allow access to all columns excluding the GEO columns in SUPPLIER table
insert into SOC_PROFILE
values ( 'SUPP_NO_GEO_COLUMNS', 'see no GEOGRAPHY columns in table',
'HIDE_COLS', 'SUPPLIER', NULL, NULL );
Now we have users and permissions defined. Next we need to assign permissions to users.
All the steps to this point are covered by two scripts:
5. METADATA Assigning permissions
As user ADMIN run the following. Create a METADATA table first.
create table SOC_USER_PROFILE
( UP_USER VARCHAR2(30 BYTE) NOT NULL ENABLE,
UP_PROFILE VARCHAR2(30 BYTE) NOT NULL ENABLE,
CONSTRAINT "SOC_USER_PROFILE_PK" PRIMARY KEY
("UP_USER","UP_PROFILE") ENABLE,
CONSTRAINT "UP_FK_USER" FOREIGN KEY ("UP_USER")
REFERENCES "SOC_USER" ("U_USER") ENABLE,
CONSTRAINT "UP_FK_PROFILE" FOREIGN KEY ("UP_PROFILE")
REFERENCES "SOC_PROFILE" ("P_PROFILE") ENABLE
);
Inserting the actual assignments (aka entitlements):
-- user ADMIN - no constraints on customers nor order details
insert into SOC_USER_PROFILE
values ( 'ADMIN', 'CUST_ALL_COLUMNS' );
insert into SOC_USER_PROFILE
values ( 'ADMIN', 'CUST_ALL_RECORDS' );
insert into SOC_USER_PROFILE
values ( 'ADMIN', 'ORDERS_ALL_COLUMNS' );
insert into SOC_USER_PROFILE
values ( 'ADMIN', 'ORDERS_ALL_DAYS' );
insert into SOC_USER_PROFILE
values ( 'ADMIN', 'SUPP_ALL_RECORDS' );
insert into SOC_USER_PROFILE
values ( 'ADMIN', 'SUPP_ALL_COLUMNS' );
-- user ALICE - no constraints on customers nor order details
insert into SOC_USER_PROFILE
values ( 'ALICE', 'CUST_ALL_COLUMNS' );
insert into SOC_USER_PROFILE
values ( 'ALICE', 'CUST_ALL_RECORDS' );
insert into SOC_USER_PROFILE
values ( 'ALICE', 'ORDERS_ALL_COLUMNS' );
insert into SOC_USER_PROFILE
values ( 'ALICE', 'ORDERS_ALL_DAYS' );
insert into SOC_USER_PROFILE
values ( 'ALICE', 'SUPP_ALL_RECORDS' );
insert into SOC_USER_PROFILE
values ( 'ALICE', 'SUPP_NO_PII_COLUMNS' );
and so on. The complete list of assignments is created in script:
We create a simple view to list the inserted METADATA.
create or replace view soc_entitlements as
select u.*, p.*
from soc_user u,
soc_profile p,
soc_user_profile up
where u.u_user = up.up_user
and p.p_profile = up.up_profile;
-- list the entitlements to see the overview
select * from soc_entitlements
order by u_user, p_profile;
6. VPD FUNCTIONS & POLICIES Create for each table
As user ADMIN we define for each table the functions and policies to be applied.
Generated VPD predicates may compare a column with one scalar value or with a list of scalars.
Table in schema ADMIN    Scripts to define function and policy
DWDATE                   none
CUSTOMER
LINEORDER
SUPPLIER
DWDATE
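The scripts referenced in the table above are not reproduced on this page. What follows is an added example, not the author's script, of what such a function-and-policy pair looks like for ADMIN.CUSTOMER with the SOC_* metadata from steps 3 to 5: one function derives the row predicate from the HIDE_ROWS profiles of the session user, a second one drives column masking for the PII attributes, and DBMS_RLS.ADD_POLICY attaches both to the table. The names soc_has_profile, vpd_rows_by_value, vpd_customer_pii, CUSTOMER_ROWS and CUSTOMER_PII_COLS are my own; the column list C_NAME, C_ADDRESS, C_CITY, C_PHONE follows the PII attributes named in the introduction; and ADMIN is assumed to have EXECUTE on DBMS_RLS. The row function goes slightly beyond the single table: because table and column are read from the metadata, the same function also serves SUPPLIER (S_REGION). It assumes that all HIDE_ROWS profiles of one table filter the same column, which holds for the profiles on this page; the LINEORDER "last N days" profiles need a differently shaped predicate and are not covered.

```sql
-- Added example (not the author's script): VPD functions and policies for ADMIN.CUSTOMER,
-- driven by SOC_USER_PROFILE / SOC_PROFILE. Run as ADMIN (owner of data and metadata,
-- assumed to have EXECUTE on DBMS_RLS).

-- Helper (assumed name): does the current session user hold the given profile?
create or replace function soc_has_profile(p_profile in varchar2)
return boolean
as
  l_cnt pls_integer;
begin
  select count(*) into l_cnt
    from soc_user_profile
   where up_user    = sys_context('USERENV', 'SESSION_USER')
     and up_profile = p_profile;
  return l_cnt > 0;
end;
/

-- Row predicate (assumed name). VPD calls it with (schema, object) and ANDs the returned
-- text into the statement. Table and column come from the metadata, so it serves
-- CUSTOMER (C_REGION) and SUPPLIER (S_REGION) alike. Assumes all HIDE_ROWS profiles of a
-- table use the same column; the LINEORDER "last N days" profiles need another shape.
create or replace function vpd_rows_by_value(p_schema in varchar2, p_object in varchar2)
return varchar2
as
  l_unrestricted pls_integer;
  l_column       varchar2(60);
  l_values       varchar2(4000);
begin
  -- an ALL_RECORDS profile (HIDE_ROWS without column) lifts the restriction: empty predicate
  select count(*) into l_unrestricted
    from soc_user_profile up
    join soc_profile p on p.p_profile = up.up_profile
   where up.up_user      = sys_context('USERENV', 'SESSION_USER')
     and p.p_predtype    = 'HIDE_ROWS'
     and p.p_pred_table  = p_object
     and p.p_pred_column is null;
  if l_unrestricted > 0 then
    return null;
  end if;

  -- otherwise collect the allowed values, e.g. C_REGION IN ('AMERICA','MIDDLE EAST').
  -- Metadata ends up inside SQL text, so treat it as untrusted input: quotes in values
  -- are doubled here, the column name is checked with DBMS_ASSERT below.
  select max(p.p_pred_column),
         listagg('''' || replace(p.p_pred_colval, '''', '''''') || '''', ',')
           within group (order by p.p_pred_colval)
    into l_column, l_values
    from soc_user_profile up
    join soc_profile p on p.p_profile = up.up_profile
   where up.up_user      = sys_context('USERENV', 'SESSION_USER')
     and p.p_predtype    = 'HIDE_ROWS'
     and p.p_pred_table  = p_object
     and p.p_pred_column is not null;

  if l_values is null then
    return '1=0';        -- no entitlement on this table at all: fail closed, zero rows
  end if;
  return dbms_assert.simple_sql_name(l_column) || ' IN (' || l_values || ')';
end;
/

-- Column masking (assumed name). Registered with sec_relevant_cols_opt => ALL_ROWS, a
-- predicate of '1=0' keeps every row but returns NULL in the listed columns: the
-- "shown but empty" behaviour the introduction asks for.
create or replace function vpd_customer_pii(p_schema in varchar2, p_object in varchar2)
return varchar2
as
begin
  if soc_has_profile('CUST_ALL_COLUMNS') then
    return null;         -- entitled: PII columns come back unmasked
  end if;
  return '1=0';          -- everyone else sees NULL in C_NAME, C_ADDRESS, C_CITY, C_PHONE
end;
/

begin
  -- row filter; statement_types defaults to SELECT, INSERT, UPDATE and DELETE
  dbms_rls.add_policy(
    object_schema   => 'ADMIN',
    object_name     => 'CUSTOMER',
    policy_name     => 'CUSTOMER_ROWS',
    function_schema => 'ADMIN',
    policy_function => 'VPD_ROWS_BY_VALUE');
  -- column masking is only meaningful for SELECT
  dbms_rls.add_policy(
    object_schema         => 'ADMIN',
    object_name           => 'CUSTOMER',
    policy_name           => 'CUSTOMER_PII_COLS',
    function_schema       => 'ADMIN',
    policy_function       => 'VPD_CUSTOMER_PII',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'C_NAME,C_ADDRESS,C_CITY,C_PHONE',
    sec_relevant_cols_opt => dbms_rls.all_rows);
end;
/

-- check what is attached (as ADMIN, the owner of CUSTOMER)
select policy_name, pf_owner, sel, ins, upd, del
  from user_policies
 where object_name = 'CUSTOMER';
```

To test it, run the same `select c_name, c_city, c_region from customer` as ALICE (CUST_ALL_COLUMNS, CUST_ALL_RECORDS) and as a user holding CUST_NO_PII_COLUMNS together with CUST_ONLY_AMERICA_ROWS and CUST_ONLY_MIEAST_ROWS: ALICE gets every row and column, the other user only AMERICA and MIDDLE EAST rows with C_NAME and C_CITY returned as NULL; a user with no HIDE_ROWS entitlement on CUSTOMER gets no rows. Three things to keep in mind: stay with the default DYNAMIC policy type (or CONTEXT_SENSITIVE), never STATIC or SHARED_STATIC, because the predicate differs per session user and a cached predicate would hand one user's view to another; never put a VPD policy on the SOC_* tables themselves, since a policy function that reads a policy-protected table recurses and the statement fails; and for the alternative approach from step 2 (one database user per application role) replace SESSION_USER with an application context or CLIENT_IDENTIFIER that the application sets after authenticating the person.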
7. ROLE Define a role in the database containing the basic access rights to the tables &
ROLE ASSIGNMENT Assign the database role to the database users.
As user ADMIN we define a role that gives the application users access to the objects owned by
ADMIN. Note that the role grants SELECT on the five data tables only and nothing on the SOC_*
metadata tables, so application users can neither read nor change their own entitlements.
-- create a role to SELECT tables and views owned by ADMIN
create role select_on_admin;
grant select on dwdate to select_on_admin;
grant select on part to select_on_admin;
grant select on customer to select_on_admin;
grant select on supplier to select_on_admin;
grant select on lineorder to select_on_admin;
Then we grant the role to the application users:
-- grant role to users
grant select_on_admin to alice;
grant select_on_admin to bob;
grant select_on_admin to charlie;
grant select_on_admin to doug;
grant select_on_admin to linda;
grant select_on_admin to monica;
grant select_on_admin to robert;
grant select_on_admin to susan;
grant select_on_admin to harry;
grant select_on_admin to frank;
These steps are covered in the following script:
8. PUBLIC SYNONYMS Creating public synonyms for the tables to simplify access.
As user ADMIN run the following:
create public synonym dwdate for admin.dwdate;
create public synonym customer for admin.customer;
-- the table created in step 1 is PART (there is no PROD table)
create public synonym part for admin.part;
create public synonym supplier for admin.supplier;
create public synonym lineorder for admin.lineorder;
A synonym is only a name and grants no privileges: access still depends on the role from step 7
and on the VPD policies from step 6.
Now we have created three METADATA tables that, with the help of VPD functions and policies,
govern the access to the tables owned by ADMIN.
That is all, folks.
Now you can start designing your own. Please note: all code is kept as simple as possible and may
not follow strict coding guidelines. But you see how it is done and can adapt it to your coding
ethics, standards and security requirements.
An additional security layer in adw cloud v2

  • 1. ThomasTeske,Oracle – 2018-06-18 – audience:public–keywords :database,security,autonomous thomas.teske@oracle.com @ThomasTeskeORCL Securingyour data in Oracle AutonomousData Warehouse CloudService Say “Hello”tovirtual private database inthe cloud by ThomasTeske, Oracle, June 18th 2018 Introduction: Securitymatterstoeveryone.All cloudvendorsstriveforthe securityprotectionlevelsforthe cloud infrastructure,the service instances,datatransfersandproperrole basedaccesscontrols.See the followingreportfora recent securitydocument bykuppingercole. Itisonline available at http://www.oracle.com/us/products/database/kuppingercole-autonomous-database-4368706.pdf Thisdocumentshall triggeryourthoughts,turnyourwantsintoactionable sprintsdelivering actionable code.Justcode it… Is your data secure within your applicationor analytics? Withinanapplicationoranalytics-service itisequallyimportanttobe contextaware.  Who has the permissionon whichoperationonwhichsubsetof data?  Under whichcircumstancesisinallowed?  If it is allowed:isitinsix monthsalsoOKforyour auditor?Thus:alwaysenforce accessrules and monitorthemandanalysisthe monitoredusage.Otherwise youdon’tknow,whatis goingon.Any modernsecurityoperationscenterworksonsuchprinciples.  On topof that youwant to constrainall applicationusersasfollows: no one shall see the PIIrelevantattributes – inour example:name,address,city,phone-numberare shownbuttheyremainempty.  Some usersmightnotevenbe allowedtosee the countrynorregional information inour example:nationandregion are shownbuttheyremainempty.  Responsibilitiesof usersmightrestrictthemtoworkonlywithasubsetof the data - inour example:we onlyallowsome usersworkingwithdataforAMERICA and MIDDLE- EAST. All data shownhere issyntheticdata.The Oracle AutonomousDataWarehouse cloudservice (ADWC) comeswitha greatresource:the SSB schemafor testing.Itispopulatedwithasimple data model aboutcustomers,businessdates,products,suppliersandorderlinessreferringto them. 
ADWC isdescribedat https://cloud.oracle.com/en_US/datawarehouse
  • 2. ThomasTeske,Oracle – 2018-06-18 – audience:public–keywords :database,security,autonomous thomas.teske@oracle.com @ThomasTeskeORCL Example for VPD: One recipe implementingVPDisshownin ourexample: 1. DATA Creatingacopy of a subsetof the sample schemaSSBintoschemaADMIN. ADMIN ownsthe data beingsharedwiththe otherusers. 2. USERS Creatingtendatabase usersALICE,BOB, CHARLIE,… to demonstrate accessfor different persons/profiles. Alternativeapproach:use ONLYdatabase usersforapplicationroles.Thatrequiresthe VPD policiestodetermine permissionsinaslightlydifferentway. 3. METADATA Creatingusermeta-datadescribingthe (application) users. 4. METADATA Creatingpermission meta-datadescribingpermissionsonthe data model. 5. METADATA Assigningpermissionstothe database users. 6. VPD FUNCTIONS& POLICIES Create for eachtable the necessaryfunctionstodetermine the predicatestobe appliedbyVPD.Define the VPDpoliciesontablesusingthesefunctions. 7. ROLE Define arole inthe database containingthe basicaccessrightsto tables. ROLE ASSIGNMENTAssignthe database role tothe database users. 8. PUBLIC SYNONYMSCreatingpublicsynonymsforthe tables –simplifyaccess. Note:VPDimplementationscanbe done differentlyi.e.using differentMETA DATA model.
  • 3. ThomasTeske,Oracle – 2018-06-18 – audience:public–keywords :database,security,autonomous thomas.teske@oracle.com @ThomasTeskeORCL WHAT we protect We coverinour simple model dataaboutCUSTOMERs, SUPPLIERs,TIME, PRODUCTS and ORDERs. No matter,howpeople accessthe data:it mustremainsecuredwithnoexceptionspossible.
  • 4. ThomasTeske,Oracle – 2018-06-18 – audience:public–keywords :database,security,autonomous thomas.teske@oracle.com @ThomasTeskeORCL HOW we protect it METADATA drivessecurity.We keeprecordof PEOPLE,ROLESand ENTITLEMENTS i.e.assigned ROLES to PEOPLE.
  • 5. ThomasTeske,Oracle – 2018-06-18 – audience:public–keywords :database,security,autonomous thomas.teske@oracle.com @ThomasTeskeORCL HOW it works in the database In Oracle database we have VPD.It takesthe METADATA first.FUNCTIONsare automaticallyinvoked to access the METADATA.The FUNCTIONsdetermine,how toautomaticallyaddaccessrestrictions to SQL commands.All thishappenswithoutachance of interceptionnorexception. Thisis,how itworksfor an individualtable.
Since we have more than one table: all the rules apply whenever combinations of tables are used. It all happens automatically in the background. Rules can be much more complex than the ones we used here.

A caution: always ensure that rules can be explained in simple terms. If you can't do that, then it is really difficult to check whether they are correct.
1. DATA Creating a copy of a subset of the sample schema SSB

As user ADMIN run the following.

CUSTOMER
    -- create a demo table from SSB demo schema
    create table customer as select * from ssb.customer;

SUPPLIER
    -- create a demo table from SSB demo schema
    create table supplier as select * from ssb.supplier;

DWDATE
    -- create a demo table from SSB demo schema
    create table dwdate as select * from ssb.dwdate;

PART
    -- create a demo table from SSB demo schema
    create table part as select * from ssb.part;

LINEORDER
    -- create a demo table from SSB demo schema
    -- original table is 6 billion records!
    -- the customer key column of LINEORDER is LO_CUSTKEY (C_CUSTKEY lives in CUSTOMER)
    create table lineorder as select * from ssb.lineorder where lo_custkey <= 1000;
2. USERS Creating ten database users

As user ADMIN run the following.

    -- create users using simple passwords
    -- consider enabling password policies later on!
    create user alice identified by Welcome1234#;
    …
    -- allow them having sessions to the database
    grant CREATE SESSION to alice;
    …
3. METADATA Creating user meta-data

As user ADMIN run the following. Create a META-DATA table first.

    create table SOC_USER (
        U_USER VARCHAR2(30 BYTE) NOT NULL ENABLE,
        U_NAME VARCHAR2(30 BYTE) NOT NULL ENABLE,
        U_DEPT VARCHAR2(30 BYTE) NOT NULL ENABLE,
        CONSTRAINT "SOC_USER_PK" PRIMARY KEY ("U_USER") ENABLE
    );

Now add METADATA describing the roles and responsibilities of these application users.

    insert into SOC_USER values ( 'ADMIN', 'Matthew and team', 'application data steward' );
    insert into SOC_USER values ( 'ALICE', 'Alice', 'sales management, worldwide' );
    insert into SOC_USER …
4. METADATA Creating meta-data describing permissions

As user ADMIN run the following. Create a META-DATA table first.

    create table SOC_PROFILE (
        P_PROFILE     VARCHAR2(30 BYTE) NOT NULL ENABLE,
        P_NAME        VARCHAR2(60 BYTE) NOT NULL ENABLE,
        P_PREDTYPE    VARCHAR2(12 BYTE) NOT NULL ENABLE,
        P_PRED_TABLE  VARCHAR2(60 BYTE) NOT NULL ENABLE,
        P_PRED_COLUMN VARCHAR2(60 BYTE),
        P_PRED_COLVAL VARCHAR2(60 BYTE),
        CONSTRAINT "SOC_PROFILE_PK" PRIMARY KEY ("P_PROFILE") ENABLE
    );

Insert data describing the permissions in business terms.

    -- allow access to all columns in CUSTOMER table
    insert into SOC_PROFILE values ( 'CUST_ALL_COLUMNS', 'see all columns in table', 'HIDE_COLS', 'CUSTOMER', NULL, NULL );
    -- allow access to all columns excluding the PII columns in CUSTOMER table
    insert into SOC_PROFILE values ( 'CUST_NO_PII_COLUMNS', 'see no PII columns in table', 'HIDE_COLS', 'CUSTOMER', NULL, NULL );
    -- allow access to all columns excluding the GEO columns in CUSTOMER table
    insert into SOC_PROFILE values ( 'CUST_NO_GEO_COLUMNS', 'see no GEOGRAPHY columns in table', 'HIDE_COLS', 'CUSTOMER', NULL, NULL );
    -- allow access to all rows in CUSTOMER table
    insert into SOC_PROFILE values ( 'CUST_ALL_RECORDS', 'see all records in table', 'HIDE_ROWS', 'CUSTOMER', NULL, NULL );
    -- allow access to C_REGION having value EUROPE only in CUSTOMER table
    insert into SOC_PROFILE values ( 'CUST_ONLY_EUROPE_ROWS', 'see only EUROPE rows in table', 'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'EUROPE' );
    -- allow access to C_REGION having value AMERICA only in CUSTOMER table
    insert into SOC_PROFILE values ( 'CUST_ONLY_AMERICA_ROWS', 'see only AMERICA rows in table', 'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'AMERICA' );
    -- allow access to C_REGION having value ASIA only in CUSTOMER table
    insert into SOC_PROFILE values ( 'CUST_ONLY_ASIA_ROWS', 'see only ASIA rows in table', 'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'ASIA' );
    -- allow access to C_REGION having value MIDDLE EAST only in CUSTOMER table
    -- This REGION is not used at all in our COUNTRY table!
    insert into SOC_PROFILE values ( 'CUST_ONLY_MIEAST_ROWS', 'see only MIDDLE EAST rows in table', 'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'MIDDLE EAST' );
    -- allow access to C_REGION having value AFRICA only in CUSTOMER table
    insert into SOC_PROFILE values ( 'CUST_ONLY_AFRICA_ROWS', 'see only AFRICA rows in table', 'HIDE_ROWS', 'CUSTOMER', 'C_REGION', 'AFRICA' );
    -- allow access to all columns in LINEORDER table
    insert into SOC_PROFILE values ( 'ORDERS_ALL_COLUMNS', 'see all columns in table', 'HIDE_COLS', 'LINEORDER', NULL, NULL );
    -- allow access to all columns excluding the COMMERCIAL columns in LINEORDER table
    insert into SOC_PROFILE values ( 'ORDERS_NO_COMM_COLUMNS', 'see no COMMERCIAL columns in table', 'HIDE_COLS', 'LINEORDER', NULL, NULL );
    -- allow access to all LO_ORDERDATE values in LINEORDER table
    insert into SOC_PROFILE values ( 'ORDERS_ALL_DAYS', 'see any data in table', 'HIDE_ROWS', 'LINEORDER', NULL, NULL );
    -- allow access to LO_ORDERDATE within the last 30 days only in LINEORDER table
    insert into SOC_PROFILE values ( 'ORDERS_30_DAYS_ONLY', 'see only last 30 days in table', 'HIDE_ROWS', 'LINEORDER', 'LO_ORDERDATE', '30' );
    -- allow access to LO_ORDERDATE within the last 60 days only in LINEORDER table
    insert into SOC_PROFILE values ( 'ORDERS_60_DAYS_ONLY', 'see only last 60 days in table', 'HIDE_ROWS', 'LINEORDER', 'LO_ORDERDATE', '60' );
    -- allow access to LO_ORDERDATE within the last 365 days only in LINEORDER table
    insert into SOC_PROFILE values ( 'ORDERS_365_DAYS_ONLY', 'see only last 365 days in table', 'HIDE_ROWS', 'LINEORDER', 'LO_ORDERDATE', '365' );
    -- allow access to LO_ORDERDATE within the last 3650 days only in LINEORDER table
    insert into SOC_PROFILE values ( 'ORDERS_3650_DAYS_ONLY', 'see only last 3650 days in table', 'HIDE_ROWS', 'LINEORDER', 'LO_ORDERDATE', '3650' );
    -- allow access to all rows in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_ALL_RECORDS', 'see all records in table', 'HIDE_ROWS', 'SUPPLIER', NULL, NULL );
    -- allow access to S_REGION having value EUROPE only in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_ONLY_EUROPE_ROWS', 'see only EUROPE rows in table', 'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'EUROPE' );
    -- allow access to S_REGION having value AMERICA only in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_ONLY_AMERICA_ROWS', 'see only AMERICA rows in table', 'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'AMERICA' );
    -- allow access to S_REGION having value ASIA only in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_ONLY_ASIA_ROWS', 'see only ASIA rows in table', 'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'ASIA' );
    -- allow access to S_REGION having value MIDDLE EAST only in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_ONLY_MIEAST_ROWS', 'see only MIDDLE EAST rows in table', 'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'MIDDLE EAST' );
    -- allow access to S_REGION having value AFRICA only in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_ONLY_AFRICA_ROWS', 'see only AFRICA rows in table', 'HIDE_ROWS', 'SUPPLIER', 'S_REGION', 'AFRICA' );
    -- allow access to all columns in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_ALL_COLUMNS', 'see all columns in table', 'HIDE_COLS', 'SUPPLIER', NULL, NULL );
    -- allow access to all columns excluding the PII columns in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_NO_PII_COLUMNS', 'see no PII columns in table', 'HIDE_COLS', 'SUPPLIER', NULL, NULL );
    -- allow access to all columns excluding the GEO columns in SUPPLIER table
    insert into SOC_PROFILE values ( 'SUPP_NO_GEO_COLUMNS', 'see no GEOGRAPHY columns in table', 'HIDE_COLS', 'SUPPLIER', NULL, NULL );

Now we have users and permissions defined. We now need to assign permissions to users.

All the steps to this point are covered by two scripts:
5. METADATA Assigning permissions

As user ADMIN run the following. Create a META-DATA table first.

    create table SOC_USER_PROFILE (
        UP_USER    VARCHAR2(30 BYTE) NOT NULL ENABLE,
        UP_PROFILE VARCHAR2(30 BYTE) NOT NULL ENABLE,
        CONSTRAINT "SOC_USER_PROFILE_PK" PRIMARY KEY ("UP_USER","UP_PROFILE") ENABLE,
        CONSTRAINT "UP_FK_USER" FOREIGN KEY ("UP_USER") REFERENCES "SOC_USER" ("U_USER") ENABLE,
        CONSTRAINT "UP_FK_PROFILE" FOREIGN KEY ("UP_PROFILE") REFERENCES "SOC_PROFILE" ("P_PROFILE") ENABLE
    );

Inserting actual assignments (aka entitlements):

    -- user ADMIN - no constraints on customers nor order details
    insert into SOC_USER_PROFILE values ( 'ADMIN', 'CUST_ALL_COLUMNS' );
    insert into SOC_USER_PROFILE values ( 'ADMIN', 'CUST_ALL_RECORDS' );
    insert into SOC_USER_PROFILE values ( 'ADMIN', 'ORDERS_ALL_COLUMNS' );
    insert into SOC_USER_PROFILE values ( 'ADMIN', 'ORDERS_ALL_DAYS' );
    insert into SOC_USER_PROFILE values ( 'ADMIN', 'SUPP_ALL_RECORDS' );
    insert into SOC_USER_PROFILE values ( 'ADMIN', 'SUPP_ALL_COLUMNS' );
    -- user ALICE - no constraints on customers nor order details
    insert into SOC_USER_PROFILE values ( 'ALICE', 'CUST_ALL_COLUMNS' );
    insert into SOC_USER_PROFILE values ( 'ALICE', 'CUST_ALL_RECORDS' );
    insert into SOC_USER_PROFILE values ( 'ALICE', 'ORDERS_ALL_COLUMNS' );
    insert into SOC_USER_PROFILE values ( 'ALICE', 'ORDERS_ALL_DAYS' );
    insert into SOC_USER_PROFILE values ( 'ALICE', 'SUPP_ALL_RECORDS' );
    insert into SOC_USER_PROFILE values ( 'ALICE', 'SUPP_NO_PII_COLUMNS' );

and so on. The complete list of assignments is created in script:

We create a simple view to detail the inserted METADATA.

    create or replace view soc_entitlements as
    select u.*, p.*
      from soc_user u, soc_profile p, soc_user_profile up
     where u.u_user = up.up_user
       and p.p_profile = up.up_profile;

    -- list the entitlements to see the overview
    select * from soc_entitlements order by u_user, p_profile;
6. VPD FUNCTIONS & POLICIES Create for each table

As user ADMIN we define for each table the functions and policies to be applied. Generated VPD predicates may use one scalar value to compare with, or a list of scalars.

Table in schema | Scripts to define function and policy
DWDATE          | none
CUSTOMER        |
LINEORDER       |
SUPPLIER        |
DWDATE          |
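The author's scripts for this step are not reproduced on the page, so the following is an added example (not the original code) of what one such function-and-policy pair looks like for CUSTOMER, read entirely from the SOC_* metadata above. It assumes the SSB CUSTOMER columns C_NAME, C_ADDRESS, C_CITY and C_PHONE as the PII set, and that each table's HIDE_ROWS profiles name at most one filter column (true for the C_REGION and S_REGION profiles, so the row function also serves SUPPLIER; the LO_ORDERDATE day-window profiles need their own function and are not covered here).

```sql
create or replace function soc_rows_pred (
    schema_name in varchar2, table_name in varchar2 ) return varchar2
as
    l_all  number;           -- profiles that lift every row restriction
    l_col  varchar2(60);     -- filter column named in the metadata
    l_list varchar2(4000);   -- quoted values for the IN-list
begin
    -- one pass over the session user's HIDE_ROWS profiles for this table
    select count(case when p.p_pred_column is null then 1 end),
           max(p.p_pred_column),
           listagg(case when p.p_pred_colval is not null then
                   '''' || replace(p.p_pred_colval, '''', '''''') || '''' end, ',')
             within group (order by p.p_pred_colval)
      into l_all, l_col, l_list
      from soc_user_profile up
      join soc_profile p on p.p_profile = up.up_profile
     where up.up_user = sys_context('USERENV', 'SESSION_USER')
       and p.p_pred_table = table_name and p.p_predtype = 'HIDE_ROWS';
    if l_all > 0 then
        return null;         -- e.g. CUST_ALL_RECORDS: no predicate, all rows
    elsif l_list is null then
        return '1=0';        -- no entitlement at all: the user sees no rows
    end if;
    return l_col || ' IN (' || l_list || ')';   -- e.g. C_REGION IN ('AMERICA','MIDDLE EAST')
end;
/
-- Column masking: PII columns stay in the result but read as NULL for users holding CUST_NO_PII_COLUMNS
create or replace function soc_cust_pii_pred (
    schema_name in varchar2, table_name in varchar2 ) return varchar2
as
    l_n number;
begin
    select count(*) into l_n from soc_user_profile
     where up_user = sys_context('USERENV', 'SESSION_USER')
       and up_profile = 'CUST_NO_PII_COLUMNS';
    return case when l_n > 0 then '1=0' else null end;
end;
/
begin   -- default DYNAMIC policy type: the predicate depends on the session user
  dbms_rls.add_policy(object_schema => 'ADMIN', object_name => 'CUSTOMER',
    policy_name => 'CUST_ROWS', policy_function => 'SOC_ROWS_PRED',
    statement_types => 'SELECT');
  dbms_rls.add_policy(object_schema => 'ADMIN', object_name => 'CUSTOMER',
    policy_name => 'CUST_PII_MASK', policy_function => 'SOC_CUST_PII_PRED',
    statement_types => 'SELECT',
    sec_relevant_cols => 'C_NAME,C_ADDRESS,C_CITY,C_PHONE',
    sec_relevant_cols_opt => dbms_rls.all_rows);   -- mask columns, keep rows
end;
/
```

Because the functions are owned by ADMIN and run with definer's rights, application users never need a grant on the SOC_* tables; a user with no HIDE_ROWS profile for a table gets `1=0` and sees nothing, which is the safe default.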
7. ROLE Define a role in the database containing the basic access rights to tables & ROLE ASSIGNMENT Assign the database role to the database users.

As user ADMIN we define a role that grants the application users access to the objects owned by ADMIN.

    -- create a role to SELECT tables and views owned by ADMIN
    create role select_on_admin;
    grant select on dwdate to select_on_admin;
    grant select on part to select_on_admin;
    grant select on customer to select_on_admin;
    grant select on supplier to select_on_admin;
    grant select on lineorder to select_on_admin;

Then we grant the role to the application users:

    -- grant role to users
    grant select_on_admin to alice;
    grant select_on_admin to bob;
    grant select_on_admin to charlie;
    grant select_on_admin to doug;
    grant select_on_admin to linda;
    grant select_on_admin to monica;
    grant select_on_admin to robert;
    grant select_on_admin to susan;
    grant select_on_admin to harry;
    grant select_on_admin to frank;

These steps are covered in the following script:
8. PUBLIC SYNONYMS Creating public synonyms for the tables – simplify access.

As user ADMIN run the following:

    create public synonym dwdate for admin.dwdate;
    create public synonym customer for admin.customer;
    -- the table was created as PART in step 1; a synonym for admin.prod would point at no object
    create public synonym part for admin.part;
    create public synonym supplier for admin.supplier;
    create public synonym lineorder for admin.lineorder;

Now we have created three METADATA tables that, with the help of VPD functions and policies, govern the access to tables owned by ADMIN.

That is all, folks. Now you can start designing your own. Please note: all code is kept as simple as possible and may not meet strict coding guidelines. But you see how it is done and can adapt as per your coding ethics, standards and security requirements.