Applied Oracle Security: Developing Secure Database and Middleware Environments - P14

Computer security is a field of study that continues to undergo significant changes at an extremely fast pace. As a result of research combined with increases in computing capacity, computer security has reached what many consider to be “early adulthood.” From advances in encryption and encryption devices to identity management and enterprise auditing, the computer security field is as vast and complex as it is sophisticated and powerful

Page 104, Part II: Oracle Database Vault

against unauthorized grant or revoke operations on the roles. This is where you can see DBV protecting the security infrastructure that is securing the components that enforce the security for the database and data itself.

In practice, realms are flexible and transparent. The applications know nothing of the realms. When implemented correctly, the standard security and application capabilities remain functioning. This transparency is essential to an effective implementation so that well-behaved applications won't be negatively affected once the security capabilities are enabled.

Command Rules

Earlier in the chapter, we discussed the idea of applying conditional security to commands to create some context-based or rules-based mechanism for database commands. The commands can be used for objects on which the user has direct object privileges or for system commands, such as CREATE USER, that do not apply to a specific object or schema. The notion is similar to the conditional security checks that you would perform for SARs, but this time it's applied to basic commands.

DBV's command rules offer another new security layer that allows the authorization of a database command, such as SELECT or CREATE USER, for custom-defined rules. The rules may, and often do, use rules and factors. The result is that you derive the same conditional security capabilities that you might otherwise get from enabling a role with SARs.
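An added example, not taken from the book, of a command rule on CREATE USER built with the DBMS_MACADM API. The rule names, the rule set name, the ACCTS_ADMIN account and the 22:00 maintenance window are hypothetical.

```sql
-- Added example, not from the book. Run as a user holding DV_OWNER or DV_ADMIN.
-- Rule names, rule set name, ACCTS_ADMIN and the time window are hypothetical.
BEGIN
  -- Rule 1: only the designated account-management user passes.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Account Manager',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''ACCTS_ADMIN''');

  -- Rule 2: only inside the assumed window, 22:00 to 23:59 server time.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'In Maintenance Window',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) >= 22');

  -- Rule set: all rules must evaluate to true; failures are audited
  -- and the caller sees the custom error below.
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Can Create Users',
    description     => 'Account manager only, maintenance window only',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'CREATE USER is not permitted in this context',
    fail_code       => 20461,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Can Create Users',
    rule_name     => 'Is Account Manager');
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Can Create Users',
    rule_name     => 'In Maintenance Window');

  -- Command rule: CREATE USER is a system command, so owner and
  -- object are wildcards rather than a specific schema object.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE USER',
    rule_set_name => 'Can Create Users',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/
```

The command rule grants nothing: a session still needs the CREATE USER system privilege, and the rule set only decides whether that privilege may be exercised in the current context.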
The decision to allow a command to execute is based on an existing privilege and a rule that must be passed. An important differentiation exists between SARs and command rules. With SARs, the user does not have the privileges to perform the action. The privileges are granted to the role, and when the role is enabled, the user can perform the action. Conditional security was performed to enable the role, thus giving the user privileges. With command rules, and for DBV in general, the user must already have the base database privileges. DBV acts