Virtual Private Databases

download Virtual Private Databases

of 20

  • date post

    01-Jan-2016
  • Category

    Documents

  • view

    30
  • download

    0

Embed Size (px)

description

Virtual Private Databases. Objectives. Define the term “virtual private database” and explain its importance Implement a virtual private database by using the VIEW database object Introduce the Oracle virtual private database feature. Overview of Virtual Private Databases. - PowerPoint PPT Presentation

Transcript of Virtual Private Databases

  • Virtual Private Databases

    *

    Database Security & Auditing: Protecting Data Integrity & Accessibility

  • *ObjectivesDefine the term virtual private database and explain its importanceImplement a virtual private database by using the VIEW database objectIntroduce the Oracle virtual private database feature

  • *Overview of Virtual Private DatabasesA VPD deals with data accessVPD controls data access at the row or column levelOracle10g:Specific functionTwo other names: Row-level security (RLS), fine-grained access (FGA)

  • *Overview of Virtual Private Databases (continued)A shared database schema containing data that belongs to many different users, and each user can view or update only the data he or she owns.

  • *Overview of Virtual Private Databases (continued)Shared database schema:Containing data that belongs to different usersUser view or update only data he or she ownsPurposes/benefits:Security requirements necessitate data access be restricted at row or column level (FGA)One database schema serves multiple unrelated groups or entities

  • *Implementing a VPD Using ViewsView object limits what users can see and do with existing data: hides columns or rows from usersCREATE VIEW statement: creates data viewsViews can become hard to administerbusiness rules require that each department can see only its own employeesneed to create a view for each departmentSolution is VPD

  • CREATE VIEW EMP_FOR_DEP_20 ASSELECT EMPLOYEE_ID, FIRST_NAME, LAST_NAME, EMAIL, PHONE_NUMBER, JOB_IDFROM EMPLOYEESWHERE DEPARTMENT_ID = 20*

  • *Implementing a VPD Using Views (continued)Example implementation steps: (in class code)Logon as user1Create the table sharedCreate a VIEW object shared_view to display rows that belong only to the logged on userGrant SELECT and INSERT on this view to another user user2Insert a row using shared_view

  • *Implementing a VPD Using Views (continued)Example implementation steps (continued)Logon as the other user user2Select the shared_view VIEW object; you see only rows that belongs to the other user user2

  • *Hiding Rows Based on the Current UserSystem function USER:Returns database userUsed to implement row-based securityImplementing row-based security with views:Need a column in your tables for the rows ownerUse a trigger to make sure the rows owner is inserted every time a new row is inserted into shared

  • *Implementing a VPD Using Application Context in OracleTriggersa stored PL/SQL procedure that fires (is called) automatically when a specific event occurs, such as the BEFORE INSERT eventApplication context:Functionality specific to OracleAllows to set database application variables that can be retrieved by database sessionsVariables can be used for security context-based or user-defined environmental attributesDynamic performance view V$SESSIONApplication context function SYS_CONTEXTUSERENV: predefined user-environment attributes

  • *Implementing a VPD Using Application Context in Oracle (continued)

  • *Implementing a VPD Using Application Context in Oracle (continued)Set your own application context: use Oracle PL/SQL package DBMS_SESSIONDBMS_SESSION contains several functions and procedures, for example: SET_CONTEXT

  • *Implementing Oracle Virtual Private DatabasesVPDs are a more direct solutionUser functions:DBSEC users: application schema ownerCUSTOMERS: used to demonstrate VPDsVPD_CLERK1, VPD_CLERK2, and VPD_CLERK3 users: database users that are used to test VPDs

  • *Implementing Oracle Virtual Private Databases (continued)

  • *Implementing Oracle Virtual Private Databases (continued)Create table for customer users:Create the CUSTOMERS tableInsert rows into the CUSTOMERS tableCreate three users for testing, VPD_CLERK1, VPD_CLERK2, and VPD_CLERK3Grant the necessary privileges on the CUSTOMERS table to use each testROW_OWNER security: row-level security based on user that owns row

  • *Implementing Oracle Virtual Private Databases (continued)Steps:Create a policy function to add a predicate to the WHERE clauseUsing DBMS_RLS add the VPD policy: Oracle-supplied packageLog in as VPD_CLERK1; display number of records that this user can seeDisable this policy

  • *Implementing Oracle Virtual Private Databases (continued)

  • create or replace functiondbsec_row_owner_where (p_schema_name in varchar2,p_object_name in varchar2) return varchar2 isv_where varchar2(4000);beginv_where := 'CTL_UPD_USER = ' || user ;return v_where;end;/*

  • EXEC DBMS_RLS.ADD_POLICY(OBJECT_SCHEMA=>'DBSEC',-OBJECT_NAME=>'CUSTOMERS',-POLICY_NAME=>'DBSEC_ROW_OWNER_POLICY',-FUNCTION_SCHEMA=>'DBSEC',-POLICY_FUNCTION=>'DBSEC_ROW_OWNER_WHERE',-STATEMENT_TYPES=>'SELECT,UPDATE,INSERT,DELETE',-ENABLE=>TRUE)/*