Applied Oracle Security: Developing Secure Database and Middleware Environments - P23

Computer security is a field of study that continues to undergo significant changes at an extremely fast pace. As a result of research combined with increases in computing capacity, computer security has reached what many consider to be “early adulthood.” From advances in encryption and encryption devices to identity management and enterprise auditing, the computer security field is as vast and complex as it is sophisticated and powerful.

Part II: Oracle Database Vault

It is easy to see that DBV factor assignment provides additional access control and validation capabilities when used as a wrapper for traditional methods of asserting client information that use the DBMS_SESSION or DBMS_APPLICATION_INFO packages. The feature provides the same benefits when used in lieu of custom Oracle application context objects, and it reduces the number of objects that must be maintained. The feature extends the overall auditing capability for these traditional mechanisms while preserving the existing audit capabilities on which applications may rely.

DBV Secure Application Roles

Oracle SARs are database roles that can be enabled only from within a PL/SQL program. The PL/SQL program will typically perform a series of checks to determine whether the conditions are correct for the role to be enabled. DBV provides an integration capability with Oracle SARs that allows you to define these conditions using a DBV rule set.

To help illustrate how DBV Secure Application Roles work, consider the DBV "Is System Maintenance Allowed" rule set presented earlier in the chapter. This rule set allowed system maintenance routines on Fridays from 5 to 11. We can reuse this rule set to control the ability to set a role that has DELETE privileges on tables protected by the Sales History DBV realm, for the purpose of archiving and deleting records that no longer need to be maintained in the table. Privileges that allow for the update or deletion of data are typically considered security-sensitive operations and are perfect candidates for DBV SARs.

Tip: Use DBV SARs for security-sensitive privilege sets.

The first step in creating this type of capability requires that the DBV security administrator (DBVOWNER) create the DBV SARs using the PL/SQL procedure. To secure the role from being granted or revoked outside the control of the Sales History realm administrator (MARY), we should also protect the role in the Sales .
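The setup this passage starts to describe can be sketched end to end as follows. This is an added example, not code from the book: the role name SALES_ARCHIVE_ROLE, the table SH.SALES and the account ARCHIVE_USER are assumptions, as is MARY holding the privileges needed to issue the grants in step 3.

```sql
-- Added example. SALES_ARCHIVE_ROLE, SH.SALES and ARCHIVE_USER are assumed
-- names; the rule set and realm names are the ones used in the text.

-- 1. As DBVOWNER: create the DBV SAR and bind it to the existing rule set.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_ROLE(
    role_name     => 'SALES_ARCHIVE_ROLE',
    enabled       => 'Y',               -- same value as DBMS_MACUTL.G_YES
    rule_set_name => 'Is System Maintenance Allowed');
END;
/

-- 2. As DBVOWNER: place the role itself under the realm's protection so it
--    cannot be granted or revoked outside the realm administrator's control.
BEGIN
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Sales History',
    object_owner => '%',                -- roles have no owning schema
    object_name  => 'SALES_ARCHIVE_ROLE',
    object_type  => 'ROLE');
END;
/

-- 3. As MARY: attach the sensitive privilege to the role, never directly
--    to the end user, then grant the (not yet enabled) role.
GRANT DELETE ON sh.sales TO sales_archive_role;
GRANT sales_archive_role TO archive_user;

-- 4. As ARCHIVE_USER: request the role. DBV evaluates the rule set first;
--    outside the maintenance window the call raises an error and the role
--    stays disabled, so DELETE on SH.SALES is still refused.
BEGIN
  DVSYS.DBMS_MACSEC_ROLES.SET_ROLE('SALES_ARCHIVE_ROLE');
END;
/
SELECT role FROM session_roles WHERE role = 'SALES_ARCHIVE_ROLE';

-- 5. Review check: list every DBV SAR and the rule set that gates it.
SELECT role, rule_name, enabled FROM dvsys.dba_dv_role;
```

Running step 4 both inside and outside the allowed window, and comparing the result of the SESSION_ROLES query, is a quick way to confirm the rule set is the only path to the DELETE privilege.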