Oracle Database Vault is a security enhancement provided by Oracle to ensure unauthorized users to access your sensitive data. What is brilliant about this is that it works on privileged (e.g. DBA, SYS, … ) accounts as well 🙂 Not only you can restrict access to particular objects in the database to a specific set of users (e.g. only HR payroll specialist can access salaries in the database), but also limit activity for a set of users to ensure a database smooth run (e.g. you can limit certain commands to a specific time and day only).
To check if you have the Oracle Database Vault enabled, run the following command:
SELECT value FROM v$option WHERE 1=1 AND parameter = 'Oracle Database Vault'; VALUE ----- TRUE
If you don’t have the Oracle Database Vault installed, you have to make sure you have the correct license before you proceed with the installation.
$ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk dv_on lbac_on ioracle
Once installed, the following roles and objects will be created/have to be assigned.
- DV_OWNER – this role allows managing Oracle Database Vault (DV) policies
- DV_ADMIN – same as DV_OWNER
- DV_ACCTMGR – this role allows managing user accounts
- PROFILE – CREATE, DROP, ALTER
- USER – CREATE, DROP, ALTER
- DVSYS – a schema for Oracle Database Vault’s objects (roles, views, accounts, objects, …)
- DVF – a schema for Oracle Database Vault’s public functions (to retrieve factor values)
Please do not put your eggs in one basket and assigned these roles to at least two active accounts to make sure you won’t lose access to the Database Vault management.
Enabling of Oracle Database Vault
To effectively apply all the security measures and prevent any access leakage/misuse, by enabling Oracle DV several privileges will be revoked from the following roles.
- DBA – become user, select any transaction, create any job, manage scheduler, …
- EXECUTE CATALOG ROLE – execute on: dbms_logmngr, dbms_logmnr_%, dbms_file_transfer
- PUBLIC – execute on utl_file
- SCHEDULER_ADMIN – create any job, execute any program, …
For the specific list of roles being revoked check the official documentation pls.
On the other hand, you can do user management with the DV_ACCTMGR role mentioned above because by default, not even privileged accounts can do it anymore.
Oracle Database Vault terms
- REALM – defines a set of schemas, tables, and/or objects in the database to be protected
- COMMAND RULE – controls the execution of SQL statements
- FACTOR – prevents access based on IP, geolocation, user session, program name, …
- RULE SET – set of rules (one or many) you can associate with REALMs, COMMAND RULEs, and FACTORs
As mentioned above, realms group schemas and objects to form a protected zone. By default, a user has access to his own objects – so no realm authorization is applied. Nevertheless, you can create mandatory realms and restrict (or limit) the access even to the owner of an object.
If there are multiple mandatory realms applied to an object, to access it, the user will have to comply with all rules for all mandatory realms.
Objects which you can protect with realms:
- INDEX PARTITION
You can protect (under one realm) multiple objects from multiple schemas (=different owners). Also, you can assign one object to multiple realms. As long as they are not mandatory and the user complies with at least one of the realm, the query will be executed (based on the allowed rules).
Here is a little diagram to demonstrate how the realm’s decision making works:
* applies to DDL, DML, EXECUTE, GRANT, REVOKE, SELECT
With that, you might wonder if there is any impact on the performance. Don’t worry, Oracle tuned all of these steps and there is practically no impact on your queries 🙂
With command rules, you can restrict SELECT, ALTER SYSTEM, DDL, and DML queries. Command rules (one more many) are tied to rule sets and enforced during the run time. They are independent of realms and therefore applied to everybody. For instance, you easily block programs (such as Excel, … ) as mentioned in another article Block connection from Excel.
There are three categories of command rules:
- system-wise – apply to the whole system
- schema – apply to a specific schema
- object – apply to a specific object
For each restricted command Oracle DV will apply all active command rules. If there is a match, Oracle DV will stop the command from executing.
Important note: Command rules override the object privileges! Having said that, even the owner of objects can be restricted from accessing them.
You can imagine factors as named variables or attributes used to limit/restrict access to a particular database or activity in the database. Oracle DV defines several default factors (to name a few):
You can use those in combination with rules or/and rule sets. To put it simply, they provide contextual information to be used in your rules/rule sets.
A rule set is a collection of rules (one or many). Once created, you can associate them with command rules, factors, or realm authorization.
You can create nested rule sets as well. There are two ways evaluation can be done:
- All rules must return TRUE – once the first rule returns FALSE, the query stops and is canceled
- Any rule must return TRUE – once the first rule returns TRUE, the query is executed
It could take a big thick book to describe everything about Oracle Database Vault. This is to give you a good insight into what it can do and how you can use it to secure your data. For any more details, please check the official documentation page for your specific version.