Oracle® Database Vault Administrator's Guide
11g Release 1 (11.1)

Part Number B31222-01

9 Integrating Oracle Database Vault with Other Oracle Products

This chapter explains how you can integrate Oracle Database Vault with the following Oracle products:

9.1 Integrating Oracle Database Vault with Enterprise User Security

You can integrate Oracle Database Vault with Oracle Enterprise User Security. Enterprise User Security enables you to centrally manage database users and authorizations in one place. It is combined with Oracle Identity Management and is available in Oracle Database Enterprise Edition.

In general, to integrate Oracle Database Vault with Oracle Enterprise User Security, you configure the appropriate realms to protect the data that you want to protect in the database.

After you define the Oracle Database Vault roles as needed, you can create a rule set for the Enterprise users to allow or disallow their access.

To configure an Enterprise User authorization:

  1. Create a rule to allow or disallow user access.

    Follow the instructions in "Creating a Rule to Add to a Rule Set" to create a new rule. In the Create Rule page, enter the following PL/SQL in the Rule Expression field:

    SYS_CONTEXT('USERENV','EXTERNAL_NAME') = 'user_domain_name'
    

    Replace user_domain_name with the domain, for example:

    SYS_CONTEXT('USERENV','EXTERNAL_NAME') = 'myserver.us.mycompany.com'
    
  2. Add this rule to a new rule set.

    "Creating a Rule Set" explains how to create a new rule set, including how to add an existing rule to it.

  3. Add this rule set to the realm authorization for the database that you want to protect.

    "Defining Realm Authorization" explains how to create realm authorizations. In the Authorization Rule Set list, select the rule set that you created in Step 2. Afterward, the realm authorization applies to all users.
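The same three steps carried out with the DVSYS.DBMS_MACADM API instead of the Administrator pages, as an added example that is not part of this guide. The rule expression is the one shown above; the rule name, rule set name, realm name (HR Realm) and grantee (HR_APP) are constructed, and the procedure parameters are assumed to match Appendix E, "Oracle Database Vault DVSYS.DBMS_MACADM Package".

```sql
BEGIN
  -- Step 1: the rule compares the session's enterprise (external) name
  -- with the domain; the expression is the one from the text above
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Corporate Enterprise User',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''EXTERNAL_NAME'') = ''myserver.us.mycompany.com''');

  -- Step 2: a rule set that carries the rule. A failed check is audited
  -- and reported to the user with a custom message (fail closed, visibly).
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Corporate Enterprise Users Only',
    description     => 'Realm access limited to enterprise users from the corporate domain',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Access limited to corporate enterprise users',
    fail_code       => -20001,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Corporate Enterprise Users Only',
    rule_name     => 'Corporate Enterprise User',
    rule_order    => 1,
    enabled       => DVSYS.DBMS_MACUTL.G_YES);

  -- Step 3: attach the rule set to a realm authorization (realm and grantee
  -- are constructed names). The grantee is authorized in the realm only
  -- while the rule set evaluates to true for the session.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP',
    rule_set_name => 'Corporate Enterprise Users Only',
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check, from an enterprise user session, the value the rule compares against
SELECT SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') FROM DUAL;
```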

For more information about Enterprise User Security, see Oracle Database Enterprise User Security Administrator's Guide.

9.2 Integrating Oracle Database Vault with Transparent Data Encryption

Oracle Database Vault works with Transparent Data Encryption (TDE). With Transparent Data Encryption, an application administrator can use a single one-line command to alter a table and encrypt a column. Subsequent inserts into that column are written to disk encrypted, transparently to the SQL that performs them. This means that no SQL modification, database triggers, or views are required.

If a user passes the authentication and authorization checks, Transparent Data Encryption automatically encrypts and decrypts information for the user. This way, you can implement encryption without having to change your applications.

So, if you have TDE enabled, Oracle Database Vault will work with it seamlessly and without any additional configuration. TDE also can be enabled in an Oracle Database Vault environment without any additional configuration.

Figure 9-1 shows how Oracle Database Vault realms handle encrypted data.

Figure 9-1 Encrypted Data and Oracle Database Vault


9.3 Attaching Factors to an Oracle Virtual Private Database

You can attach factors to an Oracle Virtual Private Database. To do so, define a policy predicate that is a PL/SQL function or expression. Then, for each function or expression, you can use the DVF.F$ PL/SQL function that is created for each factor.
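An added example (not from this guide) of a VPD policy whose predicate is built from the DVF.F$NETWORK function of the Network factor described in "Example of Integrating Oracle Database Vault with Oracle Label Security". The function name, the policy name, the HR.EMPLOYEES department filter and the owning schema are constructed, and the function owner is assumed to be able to execute DVF.F$NETWORK.

```sql
-- Policy function (constructed): the predicate depends on the session's
-- Network factor identity, read through the DVF.F$NETWORK function
CREATE OR REPLACE FUNCTION hr.emp_network_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2
AS
  v_network VARCHAR2(4000);
BEGIN
  v_network := DVF.F$NETWORK;
  IF v_network = 'Intranet' THEN
    RETURN NULL;                    -- on site: no row restriction
  ELSIF v_network = 'Remote' THEN
    RETURN 'department_id <> 90';   -- VPN: hide one department (constructed filter)
  ELSE
    RETURN '1 = 0';                 -- identity not resolved: fail closed, no rows
  END IF;
END;
/

-- Attach the function to HR.EMPLOYEES as a Virtual Private Database policy
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_NETWORK_POLICY',
    function_schema => 'HR',
    policy_function => 'EMP_NETWORK_PREDICATE',
    statement_types => 'SELECT, UPDATE, DELETE');
END;
/
```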

9.4 Integrating Oracle Database Vault with Oracle Label Security

This section includes the following topics:

9.4.1 How Oracle Database Vault Is Integrated with Oracle Label Security

When you integrate Oracle Database Vault with Oracle Label Security, it means that you can assign an Oracle Label Security label to an Oracle Database Vault factor identity.

In Oracle Label Security, you can restrict access to records in database tables or PL/SQL programs. For example, Mary may be able to see data protected by the HIGHLY SENSITIVE label, an Oracle Label Security label on the EMPLOYEE table that includes records that should have access limited to certain managers. Another label can be PUBLIC, which allows more open access to this data.

In Oracle Database Vault, you can create a factor called Network, for the network on which the database session originates, with the following identities:

  • Intranet: Used when an employee is working on site, within your company's intranet.

  • Remote: Used when the employee is working at home over a VPN connection.

You then assign a maximum session label to both. For example:

  • Assign the Intranet identity to the HIGHLY SENSITIVE Oracle Label Security label.

  • Assign the Remote identity to the PUBLIC label.

This means that when Mary is working at home using her VPN connection, she has access only to the limited table data protected under the PUBLIC label. But when she is in the office, she has access to the HIGHLY SENSITIVE data, because she is using the Intranet identity. "Example of Integrating Oracle Database Vault with Oracle Label Security" provides an example of how to accomplish this type of integration.

You can audit the integration with Oracle Label Security by using the Label Security Integration Audit Report. See "Label Security Integration Audit Report" for more information.

You can use the Oracle Database Vault APIs to integrate Oracle Database Vault with Oracle Label Security. See Appendix E, "Oracle Database Vault DVSYS.DBMS_MACADM Package" for more information.

For more information about Oracle Label Security labels, levels, and policies, see Oracle Label Security Administrator's Guide.

You can run reports on the Oracle Database Vault and Oracle Label Security integration. See "Related Reports" for more information.

9.4.2 Requirements for Using Oracle Database Vault with Oracle Label Security

You must have the following requirements in place before you use Oracle Database Vault with Oracle Label Security:

  • Oracle Label Security is licensed separately. Make sure you have purchased a license to use it.

  • Before you install Oracle Database Vault, you must have already installed Oracle Label Security.

  • Ensure that you have the appropriate Oracle Label Security policies defined. For more information, see Oracle Label Security Administrator's Guide.

9.4.3 Using an Oracle Database Vault Factor with an Oracle Label Security Policy

Oracle Database Vault controls the maximum security clearance for a database session by merging the labels of the Oracle Database Vault factors that are associated with an Oracle Label Security policy; the result is the maximum allowable data label for that session. In brief, a label acts as an identifier for the access privileges of a database table row. A policy is a name associated with the labels, rules, and authorizations that govern access to table rows. See Oracle Label Security Administrator's Guide for more information about row labels and policies.

Use the following steps to define factors that contribute to the maximum allowable data label of an Oracle Label Security policy:

  1. Log in to Oracle Database Vault Administrator using a database account that has been granted the DV_OWNER role.

    At a minimum, you must have the DV_ADMIN role. "Starting Oracle Database Vault Administrator" explains how to log in.

  2. Make the user LBACSYS account an owner of the realm that contains the schema to which a label security policy has been applied.

    This enables the LBACSYS account to have access to all the protected data in the realm, so that it can properly classify the data.

    The LBACSYS account is created in Oracle Label Security using the Oracle Universal Installer custom installation option. Before you can create an Oracle Label Security policy for use with Oracle Database Vault, you must make LBACSYS an owner for the realm you plan to use. See "Defining Realm Authorization" for more information.

  3. In the Administration page, under Database Vault Feature Administration, click Label Security Integration.

  4. In the Label Security Policies page:

    • To register a new label security policy, click Create.

    • To edit an existing label security policy, select it from the list and then click Edit.

  5. Enter the following settings and then click OK:

General

Under General, enter the following settings:

  • Label Security Policy: From the list, select the Oracle Label Security policy that you want to use.

  • Algorithm: Optionally change the label-merging algorithm for cases when Oracle Label Security has merged two labels. In most cases, you may want to select LII - Minimum Level/Intersection/Intersection. This setting is the most commonly used method that Oracle Label Security administrators use when they want to merge two labels. This setting provides optimum flexibility when your applications need to determine the resulting label that is required when combining two data sets that have different labels. It is also necessary for situations in which you need to perform queries using joins on rows with different data labels.

    For more information on these label-merging algorithms, see Oracle Label Security Administrator's Guide. If you want to use the DVSYS.DBMS_MACADM package to specify a merge algorithm, see Table E-62, "Merge Algorithm Codes" for a full listing of possible merge algorithms.

  • Label for Initialization Errors: Optionally enter a label for initialization errors. The label specified for initialization errors is set when a configuration error or run-time error occurs during session initialization. You can use this setting to assign the session a data label that prevents access or updates to any data the policy protects until the issue is resolved.

Label Security Policy Factors

To select a factor to associate with an Oracle Label Security policy:

  1. In the Available Factors list under Label Security Policy Factors, select the factor that you want to associate with the Oracle Label Security policy.

  2. Click Move to move the factor to the Selected Factors list.

    Note:

    You can select multiple factors by holding down the Ctrl key as you click each factor that you want to select.

After you associate a factor with an Oracle Label Security policy, you can label the factor identities using the labels for the policy. "Adding an Identity to a Factor" provides detailed information.

Note:

If you do not associate an Oracle Label Security policy with factors, then Oracle Database Vault maintains the default Oracle Label Security behavior for the policy.

9.4.4 Example of Integrating Oracle Database Vault with Oracle Label Security

You can use Oracle Database Vault factors in conjunction with Oracle Label Security and Oracle Virtual Private Database (VPD) technology to restrict access to sensitive data. You can restrict this data so that it is exposed to a database session only when the combination of factors defined by the security administrator exists for that session.

To demonstrate how you can integrate Oracle Database Vault with Oracle Label Security, assume that you must create the following access controls for your company:

  • Allow access to sensitive accounting data to database sessions that originate from the corporate Intranet

  • Prevent access to this data to database sessions that originate over the corporate VPN network

To do so, you can create a factor named Network, whose identity values are Intranet and Remote. These values are resolved based on the values of a second factor, Client_IP, which stores the IP address of the computer making the connection. Because of the interdependency of the two factors, the Network factor is considered a parent factor and the Client_IP factor is its child factor. You establish this interdependency by creating an identity map. Finally, you associate an Oracle Label Security label with the Intranet and Remote identities in Network.

To accomplish this, follow these steps:

9.4.4.1 Step 1: Create the Network Factor

First, create the Network factor:

  1. In the Oracle Database Vault Administrator home page, select Factors.

  2. In the Factors page, select Create.

  3. In the Create Factors page, enter the following settings:

    • Name: Network

    • Description: Example factor for application access through network.

    • Factor Type: Physical

    • Factor Identification: By Factors

    • Evaluation: For Session.

    • Factor Labeling: By Self

    • Retrieval Method: Leave this field blank.

    • Validation Method: Leave this field blank.

  4. Click OK.

    The Network factor appears in the Factors page listing. Now you are ready to create its identities, Intranet and Remote.

  5. In the Factors page, select Network and then click Edit.

  6. In the Edit Factor page, go to the Identities section and click Create.

  7. In the Create Identity page, enter the following settings:

    • Value: Intranet

    • Trust Level: Select Very Trusted.

    • Label Identity: EMPLOYEE_POLICY - HIGHLY_SENSITIVE

  8. Click OK.

  9. Repeat Step 6 and Step 7 to create the Remote identity, using the following settings:

    • Value: Remote

    • Trust Level: Select Trusted.

    • Label Identity: EMPLOYEE_POLICY - SENSITIVE

  10. Click OK.

You do not need to create the Client_IP factor; it is supplied with Oracle Database Vault.

9.4.4.2 Step 2: Create Identity Maps for the Network Intranet and Remote Identities

Next, you are ready to create an identity map for each of the Network factor's Intranet and Remote identities. This map links the Network and Client_IP factors by identifying Network as the parent factor and Client_IP as its child factor.

First, create the identity map for the Intranet identity:

  1. In the Factors page in Oracle Database Vault Administrator, select Network and then click Edit.

  2. In the Edit Factor page, under Identities, select Intranet and then click Edit.

  3. In the Edit Identity page, under Map Identity, click Create.

  4. In the Create Identity Map page, enter the following settings:

    • Contributing Factor: Client_IP

    • Map Condition: Select Like. Then enter the following values:

      • Low Value: 192.168.10%

      • High Value: Leave this field blank.

  5. Click OK.

  6. Create a second mapping by repeating Step 3 and Step 4, using the following settings:

    • Contributing Factor: Client_IP

    • Map Condition: Select Is Null. Then enter the following values:

      • Low Value: NULL

      • High Value: Leave this field blank.

    The second mapping handles situations in which a user logs in from the database host computer, where the Client_IP factor is null.

The settings should appear as follows:

Table 9-1 Identity Map Settings

Child Factor Name    Operation    Value Operand 1    Operand 2
Client_IP            Equal        Is Null            Blank
Client_IP            Like         192.168.10%        Blank


Next, create an identity map for the Remote identity by using the following settings:

  • Contributing Factor: Client_IP

  • Map Condition: Select Like. Then enter the following values:

    • Low Value: 192.168.67%

    • High Value: Leave this field blank.

Once you have completed this mapping, you can check the value of the Network factor by executing the following statement in SQL*Plus from both a corporate Intranet session and a remote/VPN session:

SQL> SELECT dvf.f$network FROM dual;

F$NETWORK
-----------------------------------------------
Remote

9.4.4.3 Step 3: Associate the Network Factor with an Oracle Label Security Policy

Finally, you are ready to associate the Network factor with an Oracle Label Security policy.

Follow these steps:

  1. In the Administration page, under Database Vault Feature Administration, click Label Security Integration.

  2. In the Label Security Policies page, click Create.

  3. In the Create Label Security Policy page, enter the following settings:

    • Label Security Policy: Select EMPLOYEE_POLICY.

    • Algorithm: Select LII - Minimum Level/Intersection/Intersection.

    • Label for Initialization Errors: Leave this setting blank.

    • Label Security Policy Factors: Select Network and click Move to move it to the Selected Factors list.

  4. Click OK.
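Steps 1 through 3, together with the LBACSYS realm ownership from "Using an Oracle Database Vault Factor with an Oracle Label Security Policy", carried out with the DVSYS.DBMS_MACADM API instead of the Administrator pages. This is an added example that is not part of this guide: the realm name (HR Realm) is constructed, the EMPLOYEE_POLICY policy and its HIGHLY_SENSITIVE and SENSITIVE labels are assumed to already exist in Oracle Label Security, and the procedure parameters and the identity-map operator strings are assumed to match Appendix E.

```sql
BEGIN
  -- Prerequisite: LBACSYS owns the realm that protects the labeled schema
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM('HR Realm', 'LBACSYS', NULL,
      DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Step 1: the Network factor, identified by other factors (its identity
  -- maps), labeled by self, evaluated once per session, no retrieval or
  -- validation method
  DVSYS.DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Network',
    factor_type_name => 'Physical',
    description      => 'Example factor for application access through network.',
    rule_set_name    => NULL,
    get_expr         => NULL,
    validate_expr    => NULL,
    identify_by      => DVSYS.DBMS_MACUTL.G_IDENTIFY_BY_FACTOR,
    labeled_by       => DVSYS.DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DVSYS.DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DVSYS.DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DVSYS.DBMS_MACUTL.G_FAIL_SILENTLY);

  -- The two identities with their trust levels
  DVSYS.DBMS_MACADM.CREATE_IDENTITY('Network', 'Intranet',
      DVSYS.DBMS_MACUTL.G_TRUST_LEVEL_VERY_TRUSTED);
  DVSYS.DBMS_MACADM.CREATE_IDENTITY('Network', 'Remote',
      DVSYS.DBMS_MACUTL.G_TRUST_LEVEL_TRUSTED);

  -- Step 2: identity maps with Client_IP as the child factor. Intranet
  -- resolves for 192.168.10.x and for local logins where Client_IP is null;
  -- Remote resolves for the 192.168.67.x VPN range.
  DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP('Network', 'Intranet', 'Network',
      'Client_IP', 'LIKE', '192.168.10%', NULL);
  DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP('Network', 'Intranet', 'Network',
      'Client_IP', 'IS NULL', NULL, NULL);   -- operator spelling assumed
  DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP('Network', 'Remote', 'Network',
      'Client_IP', 'LIKE', '192.168.67%', NULL);

  -- Step 3: register EMPLOYEE_POLICY with the LII merge algorithm and no
  -- initialization-error label, attach the Network factor, then give each
  -- identity its label (the Label Identity fields in the Create Identity page)
  DVSYS.DBMS_MACADM.CREATE_MAC_POLICY('EMPLOYEE_POLICY', 'LII', NULL);
  DVSYS.DBMS_MACADM.ADD_FACTOR_TO_POLICY('EMPLOYEE_POLICY', 'Network');
  DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL('Network', 'Intranet',
      'EMPLOYEE_POLICY', 'HIGHLY_SENSITIVE');
  DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL('Network', 'Remote',
      'EMPLOYEE_POLICY', 'SENSITIVE');
END;
/

-- Check from a new session: the resolved identity, the session label
-- Oracle Label Security derived from it, and the rows it exposes
SELECT DVF.F$NETWORK FROM DUAL;
SELECT SA_SESSION.LABEL('EMPLOYEE_POLICY') FROM DUAL;
SELECT COUNT(*) FROM HR.EMPLOYEES;
```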

9.4.4.4 Step 4: Test the Configuration

To test this configuration, try logging on from both the local Intranet connection and a remote connection.

First, connect from the local Intranet. You have access to all the records in HR.EMPLOYEES:

SQL> SELECT COUNT(*) FROM HR.EMPLOYEES;

COUNT(*)
----------------------------------------------------------------------------
350
 
SQL> SELECT DVF.F$NETWORK FROM DUAL;
 
F$NETWORK
----------------------------------------------------------------------------
Intranet

Now try it from a remote connection. In this case, you have access only to a limited subset (200 rows) of the HR.EMPLOYEES table records:

SQL> SELECT COUNT(*) FROM HR.EMPLOYEES;
 
COUNT(*)
----------------------------------------------------------------------------
200
 
SQL> SELECT DVF.F$NETWORK FROM DUAL;

F$NETWORK
----------------------------------------------------------------------------
Remote

9.4.5 Related Reports

Table 9-2 lists Oracle Database Vault reports that are useful for analyzing the Oracle Database Vault and Oracle Label Security integration. See Chapter 11, "Oracle Database Vault Reports" for information about how to run these reports.

Table 9-2 Reports Related to Database Vault and Oracle Label Security Integration

Report                                    Purpose
"Factor Configuration Issues Report"      To find factors in which the Oracle Label Security policy does not exist.
"Identity Configuration Issues Report"    To find any invalid label identities (the Oracle Label Security label for this identity has been removed and no longer exists).
"Security Policy Exemption Report"        To find accounts and roles that have the EXEMPT ACCESS POLICY system privilege granted to them. Accounts that have this privilege can bypass all Virtual Private Database policy filters and any Oracle Label Security policies that use Oracle Virtual Private Database indirectly.