Oracle Database Vault - Realm

简介: http://blog.csdn.net/teapot82/article/details/66188941.  REALM的作用Oracle Database Vault通过建立REALM可以防止未授权的DBA用户访问REALM内的业务数据。

http://blog.csdn.net/teapot82/article/details/6618894

1.  REALM的作用

Oracle Database Vault通过建立REALM可以防止未授权的DBA用户访问REALM内的业务数据。

在Oracle中,如果要看到其他用户下的数据,有两种方法,一个是被直接授权这个对象的查询权限,而另一个是被授权SELECT ANY TABLE系统权限。REALM对于用户直接授权是允许的,而对于SELECT ANY TABLE系统权限是禁止的。

 

Realms: Concepts

A realm is a collection of roles anddatabase objects that are, as a group, protected from access by users on thebasis of a participant list. Even though certain users may have been grantedthe SELECT ANY TABLE system privilege, they have to be listed as realmparticipants in order to select data from a table that is protected by therealm.

 

Realm可以使用Rule Set来定义一些访问Realm内业务对象的条件,如只能在工作时间访问、限制IP访问等。Rule Set在本次测试不进行设置。


2.  测试用户

SQL> conndvacct/qawsedrf_1

Connected.

SQL> create user scottidentified by tiger default tablespace users;

User created.

SQL> grant connect toscott;

Grant succeeded.

SQL> alter user scottquota 0 on system;

User altered.

SQL> alter user scottquota unlimited on users;

User altered.

dvacct用户无法赋权限resource,因为resource没有赋给DV_ACCTMGR角色

SQL> conn / as sysdba

Connected.

SQL> grant resource toscott;

Grant succeeded.

3.  创建和删除REALM

# dvowner用户

创建realm

begin

  dbms_macadm.CREATE_REALM(realm_name    => 'SCOTT_REALM',

              description   => 'Protect SCOTT data from DBA access',

              enabled       => DVSYS.DBMS_MACUTL.G_YES,

              audit_options =>DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  commit;

end;

/

 

删除realm

# 删除relam

execdbms_macadm.delete_realm(realm_name => 'SCOTT_REALM');

4.  向REALM中添加和删除对象

添加对象,添加完对象后,默认这些对象无法被有SELECT ANY TABLE权限的用户所访问,DatabaseVault就是为了防止系统权限

begin

  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(

realm_name   => 'SCOTT_REALM',

                                       object_owner => 'SCOTT',

                                       object_name  => '%',

                                       object_type  => 'TABLE');

end;

/

 

删除对象

begin

  DVSYS.DBMS_MACADM.delete_object_from_realm(

realm_name   => 'SCOTT_REALM',

                                      object_owner => 'SCOTT',

                                      object_name  => '%',

                                      object_type  => 'TABLE');

end;

/

 

# 测试System用户访问scott用户的表

SQL>conn system/system

Connected.

SQL>select * from scott.emp;

select* from scott.emp

                    *

ERRORat line 1:

ORA-01031:insufficient privileges

 

5.  向REALM添加和删除AUTH

添加auth

begin

  DVSYS.DBMS_MACADM.add_auth_to_realm(

realm_name    => 'SCOTT_REALM',

              grantee       => 'SCOTT',

              rule_set_name => null,

              auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);

end;

/

 

begin

  DVSYS.DBMS_MACADM.add_auth_to_realm(

realm_name    => 'SCOTT_REALM',

      grantee       => 'SYSTEM',

      rule_set_name => null,

      auth_options  =>DVSYS.DBMS_MACUTL.g_realm_auth_participant);

end;

/

 

这样system用户就可以访问scott的表

 

删除auth

begin

  DVSYS.DBMS_MACADM.delete_auth_from_realm(

realm_name=> 'SCOTT_REALM',

                           grantee    => 'SCOTT');

end;

/

所有者与参与者的区别:

l  Participant: Thegrantee is able to access the realm-secured objects.
l  Owner: Thegrantee has all the access rights that a participant has, and can also grantprivileges to others on any of the objects in the realm. This is comparable tothe WITH ADMIN option of the GRANT statement.

 

6.  相关视图

DBA_DV_REALM
DBA_DV_REALM_OBJECT
DBA_DV_REALM_AUTH

7.  REALM相关API

DBMS_MACADM包:

•         Create realms:
-         CREATE_REALM

•         Modify realms:
-         ADD_AUTH_TO_REALM
-         ADD_OBJECT_TO_REALM
-         DELETE_AUTH_FROM_REALM
-         DELETE_OBJECT_FROM_REALM
-         RENAME_REALM
-         UPDATE_REALM
-         UPDATE_REALM_AUTH

•         Delete realms:
-         DELETE_REALM
-         DELETE_REALM_CASCADE

 


目录
打赏
0
0
0
0
680
分享
相关文章
WARNING: Too Many Parse Errors With error=911 When Running a JDBC Application Connected to an Oracle 19c database
WARNING: Too Many Parse Errors With error=911 When Running a JDBC Application Connected to an Oracle 19c database (
118 2
Connect to Autonomous Database Using Oracle Database Tools
Connect to Autonomous Database Using Oracle Database Tools
83 1
Requirements for Installing Oracle Database/Client 19c on OL8 or RHEL8 64-bit (x86-64) (Doc ID 2668780.1)
Requirements for Installing Oracle Database/Client 19c on OL8 or RHEL8 64-bit (x86-64) (Doc ID 2668780.1)
73 0
Oracle Database Vault Access Control Components
Oracle Database Vault Access Control Components
67 0
What Is Oracle Database Vault?
The Oracle Database Vault security controls protect application data from unauthorized access, and helps you to comply with privacy and regulatory requirements. You can deploy controls to block privileged account access to application data and control sensitive operations inside the database using
56 0

推荐镜像

更多
AI助理

你好,我是AI助理

可以解答问题、推荐解决方案等