Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence...
Transcript of Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence...
![Page 1: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/1.jpg)
pr ligence Empowering Intelligence
OracleFine Grained Access
Controlby
Arup Nanda
![Page 2: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/2.jpg)
pr ligence Empowering Intelligence
• Oracle DBA for more than 10 years• Written 50+ Articles
– Oracle Magazine, Select Journal, DBAZine.com,SQLUpdate, Oracle Scene, TechJournal
• Presented at several conferences– Oracle World, IOUG Live, OraTechs, AOTC,
VOUG, NYOUG• Executive Director of Connecticut Oracle
User Group• Editor of Select Journal – the IOUG
Publication• Written the book Oracle Privacy Security
Auditing, from Rampant TechPress• Awarded DBA of the Year by Oracle.
![Page 3: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/3.jpg)
pr ligence Empowering Intelligence
Hospital Database
2DrCharlie3
2DrBarb2
1DrAdam1GroupNameID
GreedLou35
LowVisionCraig34
FicklenessScott23
ControlBill12EgoLarry11
DiseaseNameDoctorIDDOCTORS PATIENTS
![Page 4: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/4.jpg)
pr ligence Empowering Intelligence
Patient Application
GreedLou35
LowVisionCraig34
FicklenessScott23ControlBill12EgoLarry11DiseaseNameDoctorID
select * from patients
Dr. AdamDoctor ID = 1
where doctor_id =<id of the doctor logged in>
![Page 5: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/5.jpg)
pr ligence Empowering Intelligence
Hospital Database
2DrCharlie3
2DrBarb2
1DrAdam1GroupNameID
GreedLou35
LowVisionCraig34
FicklenessScott23
ControlBill12EgoLarry11
DiseaseNameDoctorIDDOCTORS PATIENTS
Select * from PATIENTS
Select * from PATIENTSWhere DOCTOR_ID = 1
![Page 6: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/6.jpg)
pr ligence Empowering Intelligence
Options
• Application Change• Add a predicate to each SQL statement• No security!
• Views• Automatic predicate• Selection on view; no access to base table• Too many views• Predicate has to be static• Difficult to determine accountability
![Page 7: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/7.jpg)
pr ligence Empowering Intelligence
A Third Option
• Automatic application of predicate• User’s statement
SELECT * FROM PATIENTS
• Transformed toSELECT * FROM PATIENTS
WHERE DOCTOR_ID = <ID>• Predicate generated by a user defined policy
function.
![Page 8: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/8.jpg)
pr ligence Empowering Intelligence
Policy
policyPolicy Function
where doctor_id = 1
select * from patients; select * from patientswhere doctor_id = 1
GreedLou35
LowVisionCraig34
FicklenessScott23
ControlBill12
EgoLarry11
DiseaseNameDoctorID Doctor ID = 1
![Page 9: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/9.jpg)
pr ligence Empowering Intelligence
Policy Function
• Takes only two arguments– Table Owner– Table Name
• Must return a predicate that is to be applied, without theword WHERE.
• The predicate must be syntactically correct– Correct: doctor_id = (select doctor_id from doctors where
doctor_name = USER)
– Incorrect: doctor_id = (select USER from doctors)
![Page 10: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/10.jpg)
pr ligence Empowering Intelligence
Policy Functioncreate or replace function get_doctor_id( p_schema_name in varchar2, p_table_name in varchar2)return varchar2is l_doctor_id number;begin select doctor_id into l_doctor_id from doctors where doctor_name = USER; return 'doctor_id = '||l_doctor_id;end;
returns the currentlylogged in username
![Page 11: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/11.jpg)
pr ligence Empowering Intelligence
Adding a Policybegin dbms_rls.add_policy( object_schema => 'HOSPITAL', object_name => 'PATIENTS', policy_name => 'PATIENT_VIEW_POLICY', policy_function => 'GET_DOCTOR_ID', function_schema => 'HOSPITAL', statement_types => 'SELECT, INSERT, UPDATE, DELETE', update_check => true, enable => true );end;
the owner and nameof the policy function
the table on whichthe policy is defined
Policy applied to alltypes of statements
![Page 12: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/12.jpg)
pr ligence Empowering Intelligence
Query Transform ation
Original QuerySELECT * FROM PATIENTS
Modified toSELECT * FROM
(SELECT * FROM PATIENTS)
WHERE DOCTOR_ID = 1
![Page 13: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/13.jpg)
pr ligence Empowering Intelligence
Insert/Update Check
User DRADAM allowed to see only DOCTOR_ID = 1He tries to insert a record with DOCTOR_ID = 2ORA-28115: policy with check option violation
He issuesupdate PATIENTS set DOCTOR_ID = 2;
ORA-28115: policy with check option violation, ifupdate_check = TRUE
![Page 14: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/14.jpg)
pr ligence Empowering Intelligence
Bypassingcreate or replace function get_doctor_id( p_schema_name in varchar2, p_table_name in varchar2)return varchar2is l_doctor_id number;begin if (p_schema_name = USER) then return null; end if; select doctor_id into l_doctor_id from doctors where doctor_name = USER; return 'doctor_id = '||l_doctor_id;end;
if (p_schema_name = USER) then return null;end if;
![Page 15: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/15.jpg)
pr ligence Empowering Intelligence
Other Bypasses
• System Privilege• EXEMPT ACCESS POLICY• SYS and DBA roles have this by default.
![Page 16: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/16.jpg)
pr ligence Empowering Intelligence
Other Dependent Tables
Applied predicateWHERE PATIENT_ID IN (SELECT PATIENT_ID
FROM PATIENTS)
![Page 17: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/17.jpg)
pr ligence Empowering Intelligence
M ultiple Policies
• Table can have multiple policies of the sametype.
• Each policy applied with AND
PATIENTS
DOCTOR_ID = 1
PROC_CODE != ‘HIV’
TREATED = TRUE
policy1
policy2
policy3
AND
AND
select *from patients
select *from patientswhere
![Page 18: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/18.jpg)
pr ligence Empowering Intelligence
Extending the FunctionalityTable for Authorized UserTable: USER_AUTHORITY
USERNAME - the name of the userDOCTOR_ID – the DOCTOR_ID this user is allowed to see
Policy Function Changeselect deptno into l_doctor_idfrom user_authority where username = USER;l_ret := ‘doctor_id = '||l_ doctor_id;
Table TREATMENTS (PATIENT_ID, TRATMENT_ID)l_ret := ‘patient_id in (select patient_id from patients)';
![Page 19: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/19.jpg)
pr ligence Empowering Intelligence
VPD and Other Oracle ToolsVPD is applied in Conventional Modes only.Export DIRECT=Y
EXP-00079: Data in table “PATIENTS" is protected.Conventional path may only be exporting partialtable.
. . exporting table PATIENTS 3rows exported
SQL*Loader DIRECT=YSQL*Loader-951: Error calling once/load
initializationORA-00604: error occurred at recursive SQL level
1ORA-28113: policy predicate has error
Direct Mode Loadinsert /*+ APPEND */ into EMP;ERROR at line 1:ORA-28115: policy with check option violation
![Page 20: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/20.jpg)
pr ligence Empowering Intelligence
M anaging Policies
• View DBA_POLICIES• Oracle Policy Manager
– oemapp opm• Applied Policies
– V$VPD_POLICY
![Page 21: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/21.jpg)
pr ligence Empowering Intelligence
Refreshing a Policydbms_rls.refresh_policy ( object_schema => 'HOSPITAL' object_name => 'PATIENTS', policy_name => 'PATIENT_VIEW_POLICY');
Required when the parsed copy of the policy functionneeds to be changed.
Refreshing guarantees that. Recommended every time thepolicy or function is changed
Not required in 9i
![Page 22: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/22.jpg)
pr ligence Empowering Intelligence
Dropping a Policydbms_rls.drop_policy ( object_schema =>'HOSPITAL' object_name =>'PATIENTS', policy_name =>'PATIENT_VIEW_POLICY');
When the policy is not required anymore or thetable should not be subjected to the restrictions.
![Page 23: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/23.jpg)
pr ligence Empowering Intelligence
Enabling/Disabling a Policydbms_rls.enable_policy ( object_schema => 'HOSPITAL' object_name => 'PATIENTS', policy_name => 'PATIENT_VIEW_POLICY', enable => TRUE);
When enabling a policy, just change parameterenable to TRUE and execute this function.
![Page 24: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/24.jpg)
pr ligence Empowering Intelligence
Troubleshooting• Most errors produce trace files• Debugging
alter session set events'10730 trace name context forever, level 12‘;Will produce the rewritten query in a trace file
• ORA-28110: Policy function or package has errorRecompile the package
• ORA-28112: failed to execute policy functionSome unhandled exception; check the trace file
• ORA-28116: insufficient privileges to do direct path accessConventional or Exempt User
• ORA-28113: policy predicate has errorCheck the trace file – SYNTAX Problem
![Page 25: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/25.jpg)
pr ligence Empowering Intelligence
Application Users
User: DrAdam
User: DrCharlie
ApplicationServer
User:APPUSER
![Page 26: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/26.jpg)
pr ligence Empowering Intelligence
Client Identifier
• Introduced in Oracle 9i• dbms_session.set_identifier('<identifier>')• CLIENT_ID in V$SESSION• CLIENT_ID in Auditing• sys_context('USERENV','CLIENT_IDENTIFIER')
![Page 27: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/27.jpg)
pr ligence Empowering Intelligence
Application Context
Select USER from dual;Select SYS_CONTEXT (‘USERENV’,
‘CURRENT_USER’) from dual;
APP_CTX
ATTR1
ATTR2
set_app_ctxset_app_ctx
![Page 28: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/28.jpg)
pr ligence Empowering Intelligence
Oracle 10g Enhancem ents
Relevant ColumnsSELECT COUNT(*) FROM PATIENTSSELECT PATIENT_ID FROM PATIENTSSELECT SOCIAL_SEC_NO FROM PATIENTS
Another parameterdbms_rls.add_policy (…sec_relevant_cols => 'PATIENT_ID'
![Page 29: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/29.jpg)
pr ligence Empowering Intelligence
Policy Types
• dynamic• context_sensitive• shared_context_sensitive• static• shared_static
![Page 30: Nanda Fine Grained Access Control - NYOUG · Fine Grained Access Control by Arup Nanda. pr ligence Empowering Intelligence • Oracle DBA for more than 10 years ... Auditing, from](https://reader033.fdocuments.in/reader033/viewer/2022060911/60a567d879e02156cc53bcb1/html5/thumbnails/30.jpg)
pr ligence Empowering Intelligence
Conclusion
• Different view – on user• Predicate applied automatically• Predicate user generated• 10g enhancements