Factors can also play an important role in enforcing security in Oracle Database Vault. A factor is a variable or an attribute, something similar to application context attributes. A factor can represent a user session, session identifier, module, IP address, and more. You can use factors for conditioning and restricting user authentication, and to build additional restrictions on data access based on their values and attributes.
In this recipe, we will replace the rule expressions Evaluate VW_AMERICA user and Evaluate VW_EUROPE user with the default Session_user factor.
Oracle Database Vault provides built-in factors that can be used alone or combined to enforce different types of evaluations:
Connect as the ODVA_OWNER user and select the session user from the dvf.f$session_user factor function:

SQL> conn odva_owner
Enter password:
SQL> select dvf.f$session_user from dual;

F$SESSION_USER
--------------------------------------------------------------------
ODVA_OWNER

SQL>
Log in as odva_owner in DVA and navigate to the Factors page. Here we will see the default factors. You can check the Session_user factor and click on the Edit button to study the properties of this factor. For the moment, we are interested in Retrieval Method. We can observe that it is the same as we are using in our rule expressions Evaluate VW_AMERICA user and Evaluate VW_EUROPE user, defined on the Report from HR views rule set. Click on the Cancel button.

Open the Report from HR views ruleset, and replace the rule expression from Evaluate VW_AMERICA user with DVF.F$SESSION_USER='VW_AMERICA' and the rule expression from Evaluate VW_EUROPE user with DVF.F$SESSION_USER='VW_EUROPE', shown as follows:

Connect as HR and issue a SELECT from emp_details_view, as follows:
and issue a SELECT
from emp_details_view
SQL> conn HR
Connected.
SQL> select first_name, last_name from emp_details_view where employee_id=100;
select first_name, last_name from emp_details_view where employee_id=100
*
ERROR at line 1:
ORA-47306: 20998: You are not allowed to report from this view

SQL>
The ruleset is enforced, but this time by using factors.
Connect as the vw_america user and issue the same SELECT from emp_details_view, as follows:

SQL> conn vw_america/vw_america
Connected.
SQL> select first_name, last_name from hr.emp_details_view where employee_id=100 ;

FIRST_NAME           LAST_NAME
-------------------- -------------------------
Steven               King

SQL>
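The same change can be made from SQL*Plus instead of the DVA pages. The following script is an added example, not part of the recipe: it updates the two rules through the DBMS_MACADM API, reads them back from the DBA_DV_RULE view, and evaluates each expression for the connected session. It assumes you are connected as the Database Vault owner (odva_owner) and uses the rule names from this recipe; the CASE wrapper is only an approximation of how Database Vault evaluates a rule expression, used here to see which rule would be TRUE.

```sql
-- Added example (not from the recipe). Run as odva_owner.
-- Same change the recipe makes in DVA: each rule expression now reads the
-- Session_user factor through its DVF factor function.
BEGIN
  DBMS_MACADM.UPDATE_RULE(
    rule_name => 'Evaluate VW_AMERICA user',
    rule_expr => 'DVF.F$SESSION_USER=''VW_AMERICA''');
  DBMS_MACADM.UPDATE_RULE(
    rule_name => 'Evaluate VW_EUROPE user',
    rule_expr => 'DVF.F$SESSION_USER=''VW_EUROPE''');
  COMMIT;
END;
/

-- Confirm what the rules now contain.
SELECT name, rule_expr
  FROM dvsys.dba_dv_rule
 WHERE name IN ('Evaluate VW_AMERICA user', 'Evaluate VW_EUROPE user');

-- Sanity check: evaluate each rule expression for the current session.
-- Wrapping the expression in a CASE is an approximation of Database Vault's
-- own evaluation (assumption); it only shows which rule is TRUE for this user.
SET SERVEROUTPUT ON
DECLARE
  v_true PLS_INTEGER;
BEGIN
  FOR r IN (SELECT name, rule_expr
              FROM dvsys.dba_dv_rule
             WHERE name IN ('Evaluate VW_AMERICA user',
                            'Evaluate VW_EUROPE user'))
  LOOP
    EXECUTE IMMEDIATE
      'SELECT CASE WHEN ' || r.rule_expr || ' THEN 1 ELSE 0 END FROM dual'
      INTO v_true;
    DBMS_OUTPUT.PUT_LINE(
      RPAD(r.name, 28) || ' -> ' ||
      CASE v_true WHEN 1 THEN 'TRUE' ELSE 'FALSE' END ||
      ' for session user ' || DVF.F$SESSION_USER);
  END LOOP;
END;
/
```

Connected as odva_owner both rules report FALSE; reconnecting as vw_america makes only the first rule TRUE, which is exactly what the rule set enforces on the HR view.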
The value of a factor is returned by its factor function. Every factor has an associated factor function that is created automatically when the factor is created. The name of this function has the format F$factorname, and it is stored within the DVF schema.
SQL> connect system
Enter password:
Connected.
SQL> select object_name from dba_objects where object_type='FUNCTION' and owner='DVF';

OBJECT_NAME
--------------------------------------------------------------------------------
F$DATABASE_IP
F$DATABASE_HOSTNAME
F$DATABASE_INSTANCE
F$CLIENT_IP
F$AUTHENTICATION_METHOD
F$IDENTIFICATION_TYPE
F$DATABASE_DOMAIN
F$DATABASE_NAME
F$LANG
F$LANGUAGE
F$NETWORK_PROTOCOL
F$PROXY_USER
F$PROXY_ENTERPRISE_IDENTITY
F$SESSION_USER
F$DOMAIN
F$MACHINE
F$ENTERPRISE_IDENTITY

17 rows selected.
All factors are evaluated at the start of every session, depending on the retrieval method defined for the factor. The retrieval method is usually an expression. For example, the session_user factor has sys_context('USERENV','SESSION_USER') as its retrieval method.
When a factor is defined, we should set some characteristics such as:
SQL> select name from dvsys.dba_dv_factor;

NAME
------------------------------
Domain
Database_Hostname
Database_IP
Database_Instance
Client_IP
Database_Domain
Database_Name
Network_Protocol
Proxy_User
Proxy_Enterprise_Identity
Machine
Authentication_Method
Identification_Type
Lang
Language
Session_
Enterprise_Identity

17 rows selected.

SQL>
For the session_user factor, this is the username returned by the sys_context('userenv','session_user') retrieval method.

As with every Oracle Database Vault component discussed before, there are also default factors available for our use. These factors cover a wide range of database, protocol, session, and authentication variables, which can be used in the definition of rulesets as rule expressions.
To find out more about the default factors, the DVSYS.DBA_DV_FACTOR view might be used. For example:
SQL> select name,description from dvsys.dba_dv_factor where name='Database_IP'
  2  ;

NAME                 DESCRIPTION
----------------------------------------------
Database_IP          This factor defines the IP Address and retrieval method for a database server

SQL>
Additional information about factors can be retrieved by using the Oracle Vault-related reports and by querying the DBA_DV_FACTOR, DBA_DV_FACTOR_LINK, DBA_DV_FACTOR_TYPE, DBA_DV_IDENTITY, and DBA_DV_IDENTITY_MAP dictionary views.