A realm is a core Oracle Database Vault structure that provides logical protection against users with any
type of object-level privilege. A realm can be defined on any object in any schema. In this recipe, we will use both the PL/SQL interface and Oracle Database Vault Administrator (DVA) for defining realms.
In this chapter, we will create a realm named HR_TABLES_REALM
by using the PL/SQL interface. This realm will include all the tables from the HR
schema. Next, we will create a realm named HR_VIEWS_REALM
by using DVA Console. This realm will include all the views from the HR
schema. The user HR
will be defined as the realm owner and the users vw_america
and vw_europe
will be defined as the realm participants.
Before you start, you must have Oracle Database Vault installed. Details on installation can be found in the documentation page http://docs.oracle.com/cd/E11882_01/server.112/e23090/dvca.htm#CIAIHIDA and on deinstallation can be found at http://docs.oracle.com/cd/E11882_01/server.112/e23090/dvca.htm#CIAJGEBI. Details on enabling/disabling can be found at the Oracle Database Vault documentation link http://docs.oracle.com/cd/E11882_01/server.112/e23090/dvdisabl.htm#BJEDGGGA , http://docs.oracle.com/cd/B28359_01/network.111/b28529/getstrtd.htm#CIHBBJFA. Another detailed description about enabling and disabling Oracle Database Vault can be found in Oracle Support doc: How to Install/Deinstall Oracle Database Vault [ID 171155.1]. During installation you should create the Database Vault Owner user named odva_owner
, and the Database Vault Account Manager odva_manager
. All steps will be performed on the HACKDB
database.
All realms and realm authorization will be created and granted using Oracle Database Vault owner user odva_owner
. This can be done by
using the PL/SQL interface:
SQL> conn odva_owner Enter password: Connected. SQL>
HR_TABLES_REALM
by using the dbms_macadm
package, as follows:SQL> BEGIN DBMS_MACADM.CREATE_REALM(REALM_NAME => 'HR_TABLES_REALM', DESCRIPTION =>'PROTECTS HR SCHEMA TABLES', ENABLED=> DBMS_MACUTL.G_YES, AUDIT_OPTIONS=>DBMS_MACUTL.G_REALM_AUDIT_OFF); END; 2 / Pl/sql procedure successfully completed. SQL>
HR
user to HR_TABLES_REALM
, as follows:SQL> begin dbms_macadm.add_object_to_realm(realm_name=>'HR_TABLES_REALM',object_owner=>'HR',object_name=>'%',object_type =>'%' ); end; 2 / PL/SQL procedure successfully completed. SQL>
system
and issue a SELECT
statement against the employees
table:SQL> conn system Enter password: Connected. SQL> select salary from hr.employees; select salary from hr.employees * ERROR at line 1: ORA-01031: insufficient privileges SQL>
Now all the tables from the HR
schema are protected by the realm.
HR
and issue a SELECT
statement against the employees
table, as follows:SQL> conn HR Enter password: Connected. SQL> select salary from hr.employees where first_name like 'B%'; SALARY ---------- 6000 3900 SQL>
The user HR
being the schema owner has DML rights against all the tables within the schema.
Using Oracle Vault Administration Conso
https://yourhost:yourport/dva
in the browser address bar.odva_owner
.HR_VIEWS_REALM
by specifying Name as HR_VIEWS_REALM
, Description type as Protects HR Schema Views
, and then click on Audit Disabled in the Audit Options section and finally click on the OK button.%
for Object Name to add all the views, as follows:vw_america
. For this choose VW_AMERICA [USER] in the Grantee section. Choose Authorization Type as Participant:vw_europe
, and click on the OK button from the Edit Realm page.HR
, grant select on
the view emp_details_view
to vm_america
and vw_europe
users, as follows:SQL> conn HR Enter password: Connected. SQL> grant select on emp_details_view to vw_america,vw_europe; Grant succeeded. SQL>
vw_europe
issue a SELECT
against emp_details_view
, as follows:SQL> conn vw_america Enter password: Connected. SQL> select first_name,last_name from hr.emp_details_view where employee_id=100; FIRST_NAME LAST_NAME -------------------- ------------------------- Steven King SQL>
The user vw_america
, having select rights and being a realm participant, can select from emp_details_view
.
Objects can be protected in a realm by following logical steps. (An example of how realms work can be found at http://docs.oracle.com/cd/E11882_01/server.112/e23090/cfrealms.htm#CHDBFEHJ.) By defining a realm, all privileges on objects will be revoked from all the users except the schema owner. A realm also has a set of authorizations; they could be realm owner and participants. A realm owner can grant and revoke realm-protected roles and privileges on and from the protected objects. A realm participant can access objects from a realm after it has received privileges on those objects from a realm owner.
It is important to remember that realms generally protect objects in conjunction with rulesets, factors, and command rules.
During the installation of Oracle Vault, a number of default realms are created around sensitive objects, as follows:
DVSYS
and DVF
schemas, which are Oracle Database Vault functional schemas, and the LBACSYS
schema, which is the functional schema for Oracle Label Securityodva_owner
and odva_manager
) who manage and create database accounts and database profilesSYSMAN
and DBSNMP
ANONYMOUS
, DBSNMP
, MDSYS
, SYS
, SYSMAN
, OUTLN
, MDDATA
, BI
, CTXSYS
, and MGMT_VIEW
More information about realms can be found by running the Oracle Vault-related reports and by querying the DBA_DV_REALM
, DBA_DV_REALM_AUTH
, and DBA_DV_REALM_OBJECT
system views. Realm violations can be a sign of an attack directed against protected objects. You can catch realm violations into a trace file by using event 47998
at session or system level (for example, ALTER SYSTEM SET EVENTS '47998 trace name context forever, level 12
') or by setting audit on realm and use audit reports as we will see in the recipe Creating and using Oracle Database Vault reports from this chapter.
3.22.74.3