Vault Note: Rule Sets

1 What Are Rule Sets?

1.1 A rule set is a collection of one or more rules that you can associate with a realm authorization, factor assignment, command rule, or secure application role.

1.2 The rule set evaluates to true or false based on the evaluation of each rule it contains and the evaluation type (All True or Any True).

2 How Rule Sets Work

2.1 Oracle Database Vault evaluates the rules within a rule set as a collection of expressions.

2.2 If you have set Evaluation Options to All True and if a rule fails the evaluation, then the evaluation stops at that point, instead of attempting to evaluate the rest of the rules in the rule set.

2.3 Similarly, if Evaluation Options is set to Any True and if a rule evaluates to true, the evaluation stops at that point.

2.4 If a rule set is disabled, Oracle Database Vault evaluates it to true without evaluating its rules.

3 Tutorial: Configuring Two-Person Integrity, or Dual Key Security

Step 1: Create Users for This Tutorial

You must create the following two users for this tutorial:

■ patch_boss

Acts in a supervisory role: if patch_boss is not logged in, then the patch_user user cannot log in.

■ patch_user

Is the user assigned to perform the patch upgrade. For this tutorial, however, patch_user does not actually perform a patch upgrade; he only attempts to log in.

To create the users:

1. Connect to SQL*Plus as a user who has been granted the DV_ACCTMGR role.

CONNECT dvam/oracle_4U

2. Create the following users.

CREATE USER patch_boss IDENTIFIED BY oracle;

CREATE USER patch_user IDENTIFIED BY oracle;

3. Connect as user SYS with the SYSDBA privilege and grant privileges to the patch_boss and patch_user users.

CONNECT SYS/oracle_4U AS SYSDBA

GRANT CREATE SESSION TO patch_boss, patch_user;

4. Grant the following privileges to the DV_OWNER or DV_ADMIN user.

GRANT CREATE PROCEDURE TO dva;

GRANT SELECT ON V_$SESSION TO dva;

Step 2: Create a Function to Check if User patch_boss Is Logged In

The function that you must create, check_boss_logged_in, does just that: When user patch_user tries to log in to SQL*Plus, it checks if user patch_boss is already logged in by querying the V$SESSION data dictionary view.

To create the check_boss_logged_in function:

1. As the DV_OWNER or DV_ADMIN user, create the check_boss_logged_in function as follows:

CONNECT dva/oracle_4U

CREATE OR REPLACE FUNCTION check_boss_logged_in
RETURN VARCHAR2
AUTHID DEFINER AS
  v_session_number NUMBER := 0;
  v_allow VARCHAR2(10) := 'TRUE';
  v_deny  VARCHAR2(10) := 'FALSE';
BEGIN
  -- Count the sessions that belong to PATCH_BOSS; any session counts.
  SELECT COUNT(*) INTO v_session_number
    FROM SYS.V_$SESSION
   WHERE USERNAME = 'PATCH_BOSS'; -- Enter the user name in capital letters.
  IF v_session_number > 0 THEN
    RETURN v_allow;
  ELSE
    RETURN v_deny;
  END IF;
END check_boss_logged_in;
/

2. Grant the EXECUTE privilege on the check_boss_logged_in function to the DVSYS schema.

GRANT EXECUTE ON check_boss_logged_in to DVSYS;

Step 3: Create Rules, a Rule Set, and a Command Rule to Control the Users’ Access

Next, you must create two rules, a rule set to which you will add them, and a command rule. The rule set triggers the check_boss_logged_in function when user patch_user tries to log in to the database.

To create the rules and rule set:

1. Connect as a user who has been granted the DV_OWNER or DV_ADMIN role.

CONNECT dva/oracle_4U

2. Create the Check if Boss Is Logged In rule, which checks that the patch_user user is logged in to the database. In the definition, replace dva with the name of the DV_OWNER or DV_ADMIN user who created the check_boss_logged_in function.

If the check_boss_logged_in function returns TRUE (that is, patch_boss is logged in to another session), then patch_user can log in.

BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check if Boss Is Logged In',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''PATCH_USER'' and dva.check_boss_logged_in = ''TRUE'' ');
END;
/

Enter the user name, PATCH_USER, in upper-case letters, which is how the SESSION_USER parameter stores it.

3. Create the Allow Connect for Other Database Users rule, which ensures that the user logged in (patch_user) is not user patch_boss. It also enables all other valid users to log in.

BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Allow Connect for Other Database Users',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''PATCH_USER''');
END;
/

COMMIT;

4. Create the Dual Connect for Boss and Patch rule set, and then add the two rules to it.

BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Dual Connect for Boss and Patch',
    description     => 'Checks if both boss and patch users are logged in.',
    enabled         => 'Y',
    eval_options    => 2, -- Any True: either rule passing is enough
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SILENT,
    fail_message    => '',
    fail_code       => NULL,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => ''
  );
END;
/

BEGIN
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Dual Connect for Boss and Patch',
    rule_name     => 'Check if Boss Is Logged In'
  );
END;
/

BEGIN
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Dual Connect for Boss and Patch',
    rule_name     => 'Allow Connect for Other Database Users'
  );
END;
/

5. Create the following CONNECT command rule, which permits user patch_user to connect to the database only if patch_boss is already logged in.

BEGIN
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Dual Connect for Boss and Patch',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'Y');
END;
/

COMMIT;
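As an added example (not part of the original post or of Oracle's own code), the Python model below plays through the rule-set evaluation described in section 2 and the Dual Connect rule set built in Step 3; the V$SESSION snapshot it uses is constructed, and the eval_options values 1 (All True) and 2 (Any True) are the ones the post passes to CREATE_RULE_SET.

```python
# Added example (not from the original post): a small Python model of how
# Oracle Database Vault evaluates a rule set, used to play through the
# "Dual Connect for Boss and Patch" rule set from the tutorial offline.
# The session list and the rule expressions are constructed here; the real
# product evaluates PL/SQL expressions, this only mirrors the semantics.

ALL_TRUE, ANY_TRUE = 1, 2  # eval_options values passed to CREATE_RULE_SET


def check_boss_logged_in(sessions):
    """Mirror of the tutorial's PL/SQL function: TRUE if any session
    belongs to PATCH_BOSS (idle sessions count too, as COUNT(*) does)."""
    return "TRUE" if "PATCH_BOSS" in sessions else "FALSE"


def evaluate_rule_set(rules, eval_options, enabled, ctx):
    """Return (result, rules_evaluated). A disabled rule set is TRUE without
    evaluating any rule; otherwise evaluation short-circuits as the post
    describes: first failure stops All True, first pass stops Any True."""
    if not enabled:
        return True, 0
    evaluated = 0
    for _name, expr in rules:
        evaluated += 1
        outcome = expr(ctx)
        if eval_options == ALL_TRUE and not outcome:
            return False, evaluated
        if eval_options == ANY_TRUE and outcome:
            return True, evaluated
    return eval_options == ALL_TRUE, evaluated


# The two rules from Step 3, as predicates over a session context.
DUAL_CONNECT_RULES = [
    ("Check if Boss Is Logged In",
     lambda c: c["SESSION_USER"] == "PATCH_USER"
     and check_boss_logged_in(c["sessions"]) == "TRUE"),
    ("Allow Connect for Other Database Users",
     lambda c: c["SESSION_USER"] != "PATCH_USER"),
]


def connect_allowed(session_user, sessions, enabled=True):
    """Outcome of the CONNECT command rule for a login attempt by session_user,
    given the USERNAME column of the sessions already present in V$SESSION."""
    ctx = {"SESSION_USER": session_user, "sessions": sessions}
    allowed, _ = evaluate_rule_set(DUAL_CONNECT_RULES, ANY_TRUE, enabled, ctx)
    return allowed
```

Calling connect_allowed("PATCH_USER", ["SYS"]) models the ORA-47400 case in Step 4, and the same call with "PATCH_BOSS" in the session list models the successful second attempt; with Any True the second rule is never evaluated for patch_user once the first rule passes.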


Step 4: Test the Users’ Access

1. Exit SQL*Plus.

EXIT

2. Create a second shell, for example:

xterm &

3. In the first shell, try to log in as user patch_user.

sqlplus patch_user/oracle

ERROR:

ORA-47400: Command Rule violation for CONNECT on LOGON

Enter user-name:

User patch_user cannot log in until user patch_boss is already logged in. (Do not try the Enter user-name prompt yet.)

4. In the second shell, log in as user patch_boss.

sqlplus patch_boss/oracle

Connected.

User patch_boss can log in.

5. Go back to the first shell, and then try logging in as user patch_user again.

Enter user_name: patch_user

Enter password: password

This time, user patch_user is deemed a valid user, so now he can log in.
