As their name denotes, rulesets are a collection of rules that in turn consist of logical statements, which might evaluate to true or false. Because of their capacity for evaluation, rulesets can be associated with command rules, realm authorization, and factor assignment, as well as secure application roles.
In this recipe we will create two rulesets:
- The first ruleset will allow the selection of
emp_detail_viewfrom thevw_americaandvw_europeusers only, and no other user will be allowed to select from this view. - The second ruleset will limit the creation of views for reporting, only at the end of the month. In these recipes, we will re-use the two command rules created in the previous recipe.
Rules sets can be defined by using the PL/SQL Oracle Database Vault administrative packages or by using DVA:
- Log in with
ODVA_OWNERin DVA Console. - In the Database Vault Feature Administration panel, click on Rule Sets.
- In the Rule Sets page, click on the Create button.
- In the Create Rule Set page, make the following changes:
- In the General panel for Name, enter
Reporting from HR Views - In the Status panel select Enabled
- For Evaluation Options select Any True
- In the Audit Options panel choose Audit Disabled
- In the Error Handling Options panel, choose Show Error Message for Error Handling, for Fail Code enter 20998, for Fail Message enter
You are not allowed to report from this view, and for Custom Event Handler Option select Handler disabled - Finally click on the OK button
- In the General panel for Name, enter
- In the Rule Sets page, select Report from HR views and click on the Edit button. In the Rules Associated To the Rule Set panel, click on the Create button.
- Next we will create two simple rules for this ruleset, which evaluates the connected user as follows. Type
Evaluate VW_AMERICA useras the name andSYS_CONTEXT('USERENV','SESSION_USER')='VW_AMERICA'as the rule expression, as follows:
- Next create a second rule, type
Evaluate VW_EUROPE useras the name andSYS_CONTEXT('USERENV', 'SESSION_USER')= 'VW_EUROPE'as the rule expression, as follows:
- Click on the OK button. You will get back to the Rule Sets page; click on the OK button again.
- At this step, we will re-use the
SELECTcommand rule defined in the previous recipe. It will be associated with theReport from HR viewsruleset. - Next go to the Command Rules page, choose the SELECT command rule, and click on the Edit button.
- In the Rule Set panel, choose Report from HR views and click OK, as shown in the following screenshot:
- From sqlplus, connect as the
HRuser and issue aSELECTagainstEMP_DETAILS_VIEW, as follows:SQL> conn HR Enter password: Connected. SQL> select first_name,last_name from emp_Details_view where employee_id=100; select first_name,last_name from hr.emp_Details_view where employee_id=100 * ERROR at line 1: ORA-47306: 20998: You are not allowed to report from this view
As we can see, the ruleset is in effect.
- Now connect as
vw_americaand issue the sameSELECTas that used in the previous step, as follows:SQL> conn vw_america Enter password: Connected. SQL> select first_name,last_name from hr.emp_Details_view where employee_id=100; FIRST_NAME LAST_NAME -------------------- ------------------------- Steven King
- Connect as
vw_europeand issue theSELECTagain:SQL> conn vw_europe Enter password: Connected. SQL> select first_name,last_name from hr.emp_Details_view where employee_id=100; FIRST_NAME LAST_NAME -------------------- ------------------------- Steven King SQL>
Next, we will create a ruleset associated with the
CREATE VIEWcommand rule. - Navigate to the Rule Sets page and click on the Create button. Then make the following changes:
- Type
Create views for end of the month reportingas Name - In the Status panel select Enabled
- For Evaluation Options select All True
- In Audit Options choose Audit Disabled
- In Error Handling Options, choose Show Error Message for Error Handling, for Fail code enter 20999, enter
You are not allowed to create reports until the end of the monthin the Fail Message box, and for Custom Event Handler Option choose Handler disabled:
- Type
- Select the Create views for end of the month reporting ruleset and click on the Edit button.
- In the Rules Associated To The Rule Set panel, click on the Create button.
- In the Create Rule page, type
Evaluate HR useras the name andSYS_CONTEXT('USERENV','SESSION_USER')='HR'as the rule expression as follows, and click on the OK button.
- In the Rules Associated to The Rule Set panel, click on the Add Existing Rules button. In the Rules to Add panel from the Available Rules listbox, select Is Last Day of Month and move to the Selected Rules listbox and click on the OK button, as follows:
- Click on the OK button in the Edit Rule Set to finalize the modifications made to the
Create views for end of the month reportingruleset. - Next go to command rules and associate the
CREATE VIEWcommand rule with theCreate views for end of the month reportingruleset, as follows:
- Connect as the user
HRand try to create a view namedsalaries_and_commisions, as follows:SQL> conn HR Enter password: Connected. SQL> create or replace view salaries_and_commissions as select first_name,last_name,salary,commission_pct from employees where commission_pct is not null; create or replace view salaries_and_commissions as select first_name,last_name,salary,commission_pct from employees where commission_pct is not null * ERROR at line 1: ORA-47306: 20999: You are not allowed to create reports until the end of the month SQL>
- Check your current date, and modify your system date to fall on the end of the month:
SQL> select sysdate from dual; SYSDATE --------- 16-APR-12 SQL>
- Modify your system date. We have the option to modify the system time or by using
ALTER SYSTEM SET FIXED_DATE=<desired date>:SQL> select sysdate from dual; SYSDATE --------- 30-APR-12 SQL>
- Now try again to create the
salaries_and_commissionsview:SQL> create or replace view salaries_and_commissions as select first_name,last_name,salary,commission_pct from employees where commission_pct is not null; View created. SQL>
Since we have changed the system date to the last day of the month and are connected as the user HR, the view is created. After testing, you should reset the system date back to the current date.
The rules contained in a ruleset will be evaluated based on Evaluation Options that can be set to All True or Any True. If we use All True, then all the rules will be evaluated, and if one rule is returning FALSE, then the evaluation stops there and the operation will be denied. Otherwise if all the rules return TRUE, then the overall return will also be TRUE and the operation is allowed. If we use Any True, the evaluation stops at the first occurrence of the TRUE condition for any of the rules defined in the ruleset.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.