云和恩墨 成就所托 by 王朝阳 18516271611 sonne.k.wang@gmail.com
Implementing Oracle Label Security
1. Implementing Oracle Label Security

2. Objectives
After completing this lesson, you should be able to implement a simple Oracle Label Security policy by:
• Describing Oracle Label Security
• Installing Oracle Label Security
• Creating policies
• Defining labels
• Setting up user authorizations
• Applying policies to tables

3. Access Control: Overview
Oracle provides two complementary access control models:
• Discretionary access control (DAC)
– Allows only grant and revoke
– Controls access on an entire object
– Controls access by privilege
• Row-level security
– Allows sophisticated access rules
– Supplements DAC
– Is provided by the Virtual Private Database and Oracle Label Security
DAC and row-level security together dictate row access.

4. Discretionary Access Control
Diagram: two users, Joe and Fred, and the object privilege statements that decide their access to EMP:
GRANT SELECT ON emp TO JOE;
REVOKE SELECT ON emp FROM FRED;

5. Oracle Label Security
Diagram: a SQL request passes first through discretionary access control (object privileges) and then through the label security policy (row-level security).

6. How Sensitivity Labels Are Used
Diagram: labels describe data sensitivity on the data side and authorizations on the user side (for example, Secret and Top Secret); access mediation compares the two.

7. Installing Oracle Label Security
To install Oracle Label Security, perform the following steps:
1. Use the Custom Install option of Oracle Universal Installer (OUI) to add the Oracle Label Security components.
2. Use the Database Configuration Assistant (DBCA) to configure Oracle Label Security.

8. Oracle Label Security: Features
Oracle Label Security provides:
• Row-level security based on the VPD technology
• A complete infrastructure for managing label security policies, sensitivity labels, and user security clearances
• Oracle Policy Manager, a graphical user interface for managing Oracle Label Security
• Integration with Oracle Identity Management, starting in Oracle Database 10g Release 1

9. Comparing Oracle Label Security and the VPD
The VPD provides:
• An API for implementing row-level security by using application context and PL/SQL
Oracle Label Security provides:
• A system evaluated under Common Criteria EAL 4
• All required packages for access mediation
• A complete data dictionary for managing policies, sensitivity labels, and user clearances
• A complete user interface for managing Oracle Label Security
• Integration with Oracle Identity Management

10. When to Use Oracle Label Security
VPD:
• Uses existing user attributes
• Uses natural data attributes
Oracle Label Security:
• Uses created user labels
• Uses assigned data labels

11. Implementing the Oracle Label Security Policy
The steps to implement an Oracle Label Security solution are:
1. Develop a strategy to understand the security problem.
2. Analyze the data levels in the application.
3. Create policies.
4. Define labels.
5. Assign user authorizations.
6. Apply policies.
7. Review and document your policy decisions.

12. Analyzing the Needs
• Identify the application tables that need Oracle Label Security:
– The majority of tables do not require Oracle Label Security.
– Use existing tools when possible.
– Do not apply Oracle Label Security to everything.
– Identify important application queries where possible.
• Discretionary access control (DAC) is sufficient for most tables:
– Database roles
– Secure application roles
– Stored procedures and functions

13. Creating Policies
Create the policy to contain the label information:
• The policy name is FACILITY.
• The policy label column is FACLAB.
  BEGIN
    SA_SYSDBA.CREATE_POLICY(
      POLICY_NAME     => 'FACILITY',
      COLUMN_NAME     => 'FACLAB',
      DEFAULT_OPTIONS => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');
  END;
  /

14. Defining Labels: Overview
• Labels have three parts:
– Level
– Group
– Compartment
• Each part must be defined.
• A label is defined as a combination of the parts.

15. Defining Levels
Numeric Form   Long Form          Short Form
100            PUBLIC             P
200            CONFIDENTIAL       C
300            SENSITIVE          S
400            HIGHLY_SENSITIVE   HS
• The data level is set to SENSITIVE.
• These levels are part of the label that is assigned to users and data.

16. Creating Levels
  BEGIN
    SA_COMPONENTS.CREATE_LEVEL(
      POLICY_NAME => 'FACILITY',
      LEVEL_NUM   => 100,
      SHORT_NAME  => 'P',
      LONG_NAME   => 'PUBLIC');
  END;
  /

17. Defining Groups
Numeric Form   Long Form          Short Form   Parent
1000           WESTERN_REGION     WR
1100           WR_SALES           WR_SAL       WR
1200           WR_FINANCE         WR_FIN       WR
1210           WR_ACCT_PAYABLE    WR_AP        WR_FIN
• The group is WR_FINANCE.
• The data label shows WR_FIN in the group field of level:compartment:group.

18. Creating Groups
  BEGIN
    -- GROUP_NUM 1100 is the WR_SALES entry of the groups table; the parent group WR (1000) must already exist
    SA_COMPONENTS.CREATE_GROUP(
      POLICY_NAME => 'FACILITY',
      GROUP_NUM   => 1100,
      SHORT_NAME  => 'WR_SAL',
      LONG_NAME   => 'WR_SALES',
      PARENT_NAME => 'WR');
  END;
  /

19. Defining Compartments
Numeric Form   Long Form    Short Form
85             Financial    FIN
65             Chemical     CH
45             Operations   OP
• The compartments are OP, CH, and FIN.
• The second field of the data label shows OP, CH, and FIN.

20. Creating Compartments
  BEGIN
    SA_COMPONENTS.CREATE_COMPARTMENT(
      POLICY_NAME => 'FACILITY',
      COMP_NUM    => 85,
      SHORT_NAME  => 'FIN',
      LONG_NAME   => 'Financial');
  END;
  /

21. Identifying Data Labels
The administrator creates the set of data labels that are actually used, from the components already defined.
LEVEL:COMPARTMENT:GROUP
----------------------------------------------
SENSITIVE:FINANCIAL,CHEMICAL:WESTERN_REGION
CONFIDENTIAL:FINANCIAL:WR_SALES
SENSITIVE::
HIGHLY_SENSITIVE:FINANCIAL:
SENSITIVE::WESTERN_REGION

22. Creating Data Labels
  BEGIN
    SA_LABEL_ADMIN.CREATE_LABEL(
      POLICY_NAME => 'FACILITY',
      LABEL_TAG   => 201000,
      LABEL_VALUE => 'S::WR');
  END;
  /

23. Assigning User Authorization Labels
A user is assigned:
• Maximum and minimum labels
• A default session label
• A row label for inserts
  BEGIN
    SA_USER_ADMIN.SET_USER_LABELS(
      POLICY_NAME    => 'FACILITY',
      USER_NAME      => 'MYCO_MGR',
      MAX_READ_LABEL => 'S::US,EU,ASIA');
  END;
  /

24. Access Mediation
Diagram: for each SQL request, access mediation compares the user's session label with each row's data label; only the rows that pass appear in the SQL results.

25. Adding Labels to Data
• Labels are defined by the administrator.
• Access mediation requires all rows to have labels.
• Labels are set on rows.

26. Policy-Enforcement Options
• Access-control enforcement:
– READ_CONTROL
– WRITE_CONTROL
• Label-management enforcement:
– LABEL_DEFAULT
– LABEL_UPDATE
– CHECK_CONTROL
• Options to override enforcement:
– ALL_CONTROL
– NO_CONTROL

27. Applying the Policy to a Table
• Add the FACILITY policy to the LOCATIONS table.
• TABLE_OPTIONS => NULL means that the policy default options are used.
  BEGIN
    SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
      POLICY_NAME    => 'FACILITY',
      SCHEMA_NAME    => 'HR',
      TABLE_NAME     => 'LOCATIONS',
      TABLE_OPTIONS  => NULL,
      LABEL_FUNCTION => NULL);
  END;
  /
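The policy-building steps of slides 13 through 27, run end to end in one PL/SQL block. This is an added example, not code from the slides; it assumes a session holding the LBAC_DBA role (for example LBACSYS) and an existing HR.LOCATIONS table, and takes the policy, level, compartment, group and MYCO_MGR values from the slides, while the extra label tags and the MAX_READ_LABEL value are constructed here.

```sql
BEGIN
  -- 1. Policy: label column FACLAB, default enforcement options as on slide 13
  SA_SYSDBA.CREATE_POLICY(
    POLICY_NAME     => 'FACILITY',
    COLUMN_NAME     => 'FACLAB',
    DEFAULT_OPTIONS => 'READ_CONTROL,CHECK_CONTROL,LABEL_DEFAULT,HIDE');

  -- 2. Levels (policy, number, short name, long name): a strict hierarchy, higher = more sensitive
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 100, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 200, 'C',  'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 300, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('FACILITY', 400, 'HS', 'HIGHLY_SENSITIVE');

  -- 3. Compartments: unordered; a reader must hold every compartment named in a row's label
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 85, 'FIN', 'Financial');
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 65, 'CH',  'Chemical');
  SA_COMPONENTS.CREATE_COMPARTMENT('FACILITY', 45, 'OP',  'Operations');

  -- 4. Groups: hierarchical; parents are created before children so PARENT_NAME resolves
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1000, 'WR',     'WESTERN_REGION');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1100, 'WR_SAL', 'WR_SALES',        'WR');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1200, 'WR_FIN', 'WR_FINANCE',      'WR');
  SA_COMPONENTS.CREATE_GROUP('FACILITY', 1210, 'WR_AP',  'WR_ACCT_PAYABLE', 'WR_FIN');

  -- 5. Data labels in LEVEL:COMPARTMENT:GROUP short form; tags are numbers chosen by the
  --    administrator (201000 for S::WR is from slide 22, the other tags are constructed here)
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 201000, 'S::WR');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 201100, 'C:FIN:WR_SAL');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 300000, 'S::');
  SA_LABEL_ADMIN.CREATE_LABEL('FACILITY', 400085, 'HS:FIN:');

  -- 6. User authorization (constructed value): MYCO_MGR may read up to SENSITIVE, in
  --    compartments FIN and CH, for group WR and, through the hierarchy, WR's child groups;
  --    write, default and row labels use the remaining parameters, omitted here
  SA_USER_ADMIN.SET_USER_LABELS(
    POLICY_NAME    => 'FACILITY',
    USER_NAME      => 'MYCO_MGR',
    MAX_READ_LABEL => 'S:FIN,CH:WR');

  -- 7. Apply to the table: NULL TABLE_OPTIONS inherit the policy defaults; with no labeling
  --    function, inserts take the session row label (LABEL_DEFAULT)
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    POLICY_NAME    => 'FACILITY',
    SCHEMA_NAME    => 'HR',
    TABLE_NAME     => 'LOCATIONS',
    TABLE_OPTIONS  => NULL,
    LABEL_FUNCTION => NULL);
END;
/
```

With this setup, MYCO_MGR can read rows labelled S::WR, C:FIN:WR_SAL and S::, but not HS:FIN: (level too high) or any row whose label names the CH and OP compartments together (OP is not in the user's maximum).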
28. Oracle Label Security Privileges
Oracle Label Security supports these privileges, which allow authorized users to bypass certain parts of the policy:
• READ
• FULL
• COMPACCESS
• SET_ACCESS_PROFILE

29. Example: READ Privilege
Diagram: a user with no label authorizations but the READ privilege issues a SELECT against labeled data rows; all rows are returned.

30. Example: FULL Privilege
Diagram: a user with any label authorizations and the FULL privilege issues any DML against labeled data rows; all rows are affected.

31. Example: COMPACCESS Privilege
Diagram: a user authorized for compartment OP who holds the COMPACCESS privilege can access labeled data rows whose data label contains compartment OP, whatever their group (Group = Any).

32. Using SET_ACCESS_PROFILE
The SA_SESSION.SET_ACCESS_PROFILE function in Oracle Label Security:
• Allows an application session to assume a different Oracle Label Security authorization
• Is used when application users do not have real database accounts
Note: Users who are assigned Oracle Label Security authorizations do not need to be real database users.
  SQL> connect appuser/mypassword
  SQL> execute SA_SESSION.SET_ACCESS_PROFILE('finance', 'team1');

33. Trusted Stored Package Units
To create a trusted stored package unit, you must:
• Grant the Oracle Label Security privileges to a program unit
• Have the special policy_DBA role
• Use OPM or the SA_USER_ADMIN package to grant privileges
  SQL> EXECUTE SA_USER_ADMIN.SET_PROG_PRIVS( -
  >   POLICY_NAME       => 'HR', -
  >   SCHEMA_NAME       => 'MYSCHEMA', -
  >   PROGRAM_UNIT_NAME => 'SUM_PURCHASES', -
  >   PRIVILEGES        => 'READ');

34. Exporting with Oracle Label Security
• Only rows with labels authorized for read access are exported.
• The label columns can be exported.
• The LBACSYS schema cannot be exported.

35. Importing with Oracle Label Security
• Precreate the Oracle Label Security policies and tables.
• Labels and tag values must be the same.

36. Performance Tips
• Analyze the LBACSYS schema.
• Apply a bitmap index on the policy label column.
• Plan a label tag strategy.
• Partition on the basis of the label.
• Allow time to tune your application after applying Oracle Label Security.

37. Summary
In this lesson, you should have learned how to:
• Describe the main features of Oracle Label Security
• Install and configure Oracle Label Security
• Use Oracle Policy Manager
• Create and implement a simple Oracle Label Security policy

38. Q&A