Creating and using Oracle Database Vault factors

Factors also play an important role in enforcing security in Oracle Database Vault. A factor is a named variable or attribute, similar to an application context attribute. A factor can represent the session user, the session identifier, the module, the client IP address, and more. You can use factors to condition and restrict user authentication and to build additional restrictions on data access based on their values.

Getting ready

In this recipe, we will replace the rule expressions Evaluate VW_AMERICA user and Evaluate VW_EUROPE user with the default Session_user factor.

How to do it...

Oracle Database Vault provides built-in factors that can be used alone or combined to enforce different types of evaluations:

  1. Connect as the ODVA_OWNER user and select the session user from the dvf.f$session_user factor function:
    SQL> conn odva_owner
    Enter password:
    SQL> select dvf.f$session_user from dual;
    
    F$SESSION_USER
    --------------------------------------------------------------------
    
    ODVA_OWNER
    
    SQL>
    
  2. Connect as odva_owner in DVA and navigate to the Factors page. Here we will see the default factors. Check the Session_user factor and click on the Edit button to study the properties of this factor. For the moment, we are interested in Retrieval Method. We can observe that it is the same expression we are using in our rule expressions Evaluate VW_AMERICA user and Evaluate VW_EUROPE user, defined on the Report from HR views rule set. Click on the Cancel button.
  3. Navigate to Rule Sets, check the Report from HR views ruleset, and replace the rule expression from Evaluate VW_AMERICA user with DVF.F$SESSION_USER='VW_AMERICA' and the rule expression from Evaluate VW_EUROPE user with DVF.F$SESSION_USER='VW_EUROPE', shown as follows:
  4. Connect in sqlplus as the user HR and issue a SELECT from emp_details_view, as follows:
    SQL> conn HR
    
    Connected.
    SQL> select first_name, last_name from emp_details_view where employee_id=100;
    select first_name, last_name from emp_details_view where employee_id=100
                                      *
    ERROR at line 1:
    ORA-47306: 20998: You are not allowed to report from this view
    
    
    SQL>
    

    The ruleset is enforced, but this time by using factors.

  5. Connect as the vw_america user and issue the same SELECT from emp_details_view, as follows:
    SQL> conn vw_america/vw_america
    Connected.
    SQL> select first_name, last_name from hr.emp_details_view where employee_id=100;
    
    FIRST_NAME           LAST_NAME
    -------------------- -------------------------
    Steven               King
    
    SQL>
    

How it works...

The value of a factor is returned by its factor function. Every factor has an associated factor function, created automatically when the factor is created. The function is named F$factorname and is stored in the DVF schema.

SQL> connect system
Enter password:
Connected.
SQL> select object_name from dba_objects where object_type='FUNCTION' and owner='DVF';

OBJECT_NAME
--------------------------------------------------------------------------------

F$DATABASE_IP
F$DATABASE_HOSTNAME
F$DATABASE_INSTANCE
F$CLIENT_IP
F$AUTHENTICATION_METHOD
F$IDENTIFICATION_TYPE
F$DATABASE_DOMAIN
F$DATABASE_NAME
F$LANG
F$LANGUAGE
F$NETWORK_PROTOCOL
F$PROXY_USER
F$PROXY_ENTERPRISE_IDENTITY
F$SESSION_USER
F$DOMAIN
F$MACHINE
F$ENTERPRISE_IDENTITY

17 rows selected.

Factors are evaluated by running the retrieval method defined for the factor, which is usually a SQL or PL/SQL expression. For example, the retrieval method of the Session_user factor is sys_context('USERENV','SESSION_USER'). By default a factor is evaluated once, when the session is created, although it can also be set to be re-evaluated on every access (see the Evaluation option in the following section).

When a factor is defined, we should set some characteristics such as:

  • Factor type: This is the category the factor belongs to (for example, a hostname, an IP address, or an application). The defined types can be listed from the DVSYS.DBA_DV_FACTOR_TYPE view. The factors themselves, including the default ones, can be listed with the following statement:
    SQL> select name from dvsys.dba_dv_factor;
    
    NAME
    ------------------------------
    Domain
    Database_Hostname
    Database_IP
    Database_Instance
    Client_IP
    Database_Domain
    Database_Name
    Network_Protocol
    Proxy_User
    Proxy_Enterprise_Identity
    Machine
    Authentication_Method
    Identification_Type
    Lang
    Language
    Session_User
    Enterprise_Identity
    
    17 rows selected.
    
    SQL> 
    
    
  • Factor identification: This category can be set in three ways:
    • By method: In this case you should use a retrieval method
    • By constant: In this case, you should use a retrieval method that returns a constant
    • By factors: In this case you should use a child factor
  • Factor identity: This is the actual value of the factor. For example, in the case of the session_user factor, this is the username returned by the sys_context('userenv','session_user') retrieval method.
  • Evaluation: This category can be set:
    • By session: When a session is created
    • By access: Each time the factor is accessed
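As an added example that is not part of the recipe, the following creates a custom factor with each of the characteristics above set through DBMS_MACADM.CREATE_FACTOR, then shows why the evaluation option matters. Session_Module and the rule name Report only from payroll module are hypothetical names chosen for the example, 'Application' is assumed to be one of the default factor types (the first query lists them so you can confirm), and the G_* constants are those of the DBMS_MACUTL package:

```sql
-- Added example (not from the recipe): a custom factor whose identity is the
-- client module name, evaluated on every access rather than once per session.
CONNECT odva_owner

-- Factor type must be an existing type; 'Application' is assumed to be one.
SELECT name FROM dvsys.dba_dv_factor_type ORDER BY name;

BEGIN
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Session_Module',                      -- hypothetical name
    factor_type_name => 'Application',                         -- factor type
    description      => 'Module name reported by the client (USERENV MODULE)',
    rule_set_name    => NULL,                                  -- no assignment rule set
    get_expr         => 'SYS_CONTEXT(''USERENV'',''MODULE'')', -- retrieval method
    validate_expr    => NULL,
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,      -- identification: by method
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_ACCESS,          -- evaluation: by access
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_SILENTLY);
END;
/

-- The factor function F$SESSION_MODULE is created automatically in DVF.
-- The identity is whatever the client set as module (SQL*Plus sets its own).
SELECT dvf.f$session_module FROM dual;

-- Change the module inside the same session. Because the factor is evaluated
-- by access, the identity follows the change; had it been created with
-- G_EVAL_ON_SESSION it would keep the value captured at logon.
BEGIN
  DBMS_APPLICATION_INFO.SET_MODULE('PAYROLL_REPORT', NULL);
END;
/
SELECT dvf.f$session_module FROM dual;

-- Factors combine in a rule like any other expression; this one requires
-- both the user and the module to match before it evaluates to true.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Report only from payroll module',
    rule_expr => 'DVF.F$SESSION_USER = ''VW_AMERICA'' AND '
              || 'DVF.F$SESSION_MODULE = ''PAYROLL_REPORT''');
END;
/
```

Note the trade-off the last part illustrates: the module name is set by the client, so a factor derived from it only raises the bar for a well-behaved application and must not be the sole condition for access. Factors that the client cannot influence (Session_User, Authentication_Method, Network_Protocol) belong in the same rule, exactly as the recipe does with Session_User.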

There's more...

As with every Oracle Database Vault component discussed before, there are also default factors available for our use. These factors cover a wide area of database, protocol, session, and authentication variables, which can be used in the definition of rulesets as rule expressions.

To find out more about the default factors, the DVSYS.DBA_DV_FACTOR view can be used. For example:

SQL> select name, description from dvsys.dba_dv_factor where name='Database_IP';

NAME           DESCRIPTION
-------------  -------------------------------------------------------------
Database_IP    This factor defines the IP Address and retrieval method for a
               database server

SQL>

Additional information about factors can be retrieved by using the Oracle Vault-related reports and by querying the DBA_DV_FACTOR, DBA_DV_FACTOR_LINK, DBA_DV_FACTOR_TYPE, DBA_DV_IDENTITY, and DBA_DV_IDENTITY_MAP dictionary views.
