Friday, April 23, 2010

How Database Vault really works

I was worried as I ran into a problem with the Database Vault security. I configured a new realm in a database where the Oracle E-Business Suite is running. The main idea was to have a user for the OBIEE that should have only limited access.

Together with some colleagues we made sure that the OBIEE user had the correct grants on some tables and views inside the EBS schema (APPS, AR, GMS, PA). I created the realm and added the OBIEE user as a participant.
Everything seemed to work. Then I disabled the realm and even removed the OBIEE user from the realm, but still Oracle Answers was capable of accessing the APPS schema objects.

It took me a day, and finally I reread the manual and understood my error.

The purpose of the DBV is to lock out users with system privileges, such as the SYS or SYSTEM user.
Now the account of the OBIEE user does not have any of these system privileges except CREATE SESSION.
In order to access any object, the OBIEE user relies on discretionary grants (e.g. the AR user grants SELECT on HZ_CUST_ACCOUNTS).
Because of this, the OBIEE user does not need the realm at all: the access is granted directly on the object.

The intention of the DBV is not to focus on users such as the OBIEE user, but on all users who have system privileges.

From the Oracle manual:

... Oracle Database Vault does not replace the discretionary access control model in the existing Oracle database. It functions as a layer on top of this model for both realms and command rules. ...
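The following Oracle SQL is an added walkthrough of the behaviour described above; it is not code from the original post. The realm name EBS_FIN_REALM and the read-only account OBIEE_RO are constructed, the realm protects the same AR.HZ_CUST_ACCOUNTS table the post mentions, and the DBMS_MACADM / DBMS_MACUTL calls are the standard Database Vault administration API. It shows that a realm blocks access that depends on a system privilege (SELECT ANY TABLE) while leaving a direct object grant untouched, and ends with the check a DBA would run to see who can still reach a realm-protected table through discretionary grants.

```sql
-- Step 1: as the Database Vault owner (an account holding DV_OWNER),
-- create a realm around the EBS table and enable it with failure auditing.
-- Names EBS_FIN_REALM / OBIEE_RO are constructed for this example.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'EBS_FIN_REALM',
    description   => 'Protects AR customer data from system-privilege access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'EBS_FIN_REALM',
    object_owner => 'AR',
    object_name  => 'HZ_CUST_ACCOUNTS',
    object_type  => 'TABLE');
END;
/

-- Step 2: as the AR schema owner, give the reporting account a discretionary
-- (object-level) grant. This grant is outside the scope of the realm.
GRANT SELECT ON AR.HZ_CUST_ACCOUNTS TO OBIEE_RO;

-- Step 3: as OBIEE_RO (CREATE SESSION only, no SELECT ANY TABLE).
-- Succeeds whether or not OBIEE_RO is a realm participant, because the
-- access path is the direct grant, which Database Vault does not evaluate.
SELECT COUNT(*) FROM AR.HZ_CUST_ACCOUNTS;

-- Step 4: as SYSTEM (access would come from SELECT ANY TABLE).
-- Fails with ORA-01031: insufficient privileges, because the realm now
-- intercepts system-privilege access to its protected objects.
SELECT COUNT(*) FROM AR.HZ_CUST_ACCOUNTS;

-- Step 5: to let a privileged account through, it must be authorised in
-- the realm explicitly; a participant may use system privileges on the
-- realm's objects, an owner may additionally manage them.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'EBS_FIN_REALM',
    grantee       => 'SYSTEM',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Step 6 (the check that would have saved the day in the post): list every
-- account that can reach a realm-protected object WITHOUT going through the
-- realm, i.e. via discretionary grants. Review this list, not just the realm.
SELECT o.realm_name, o.owner, o.object_name,
       p.grantee, p.privilege, p.grantable
FROM   dba_dv_realm_object o
JOIN   dba_tab_privs p
       ON p.owner = o.owner
      AND p.table_name = o.object_name
WHERE  o.realm_name = 'EBS_FIN_REALM'
ORDER  BY p.grantee, p.privilege;
```

The practical consequence for the setup in the post: disabling the realm or removing OBIEE from it changes nothing for that account, because its path to the data was never a system privilege. If the goal is to limit what the OBIEE account can see, the lever is the set of object grants it holds (and any roles or PUBLIC grants that carry them), which is exactly what the final query enumerates.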
