
How Database Vault really works

I was worried when I ran into a problem with Database Vault security. I had configured a new realm in a database running the Oracle E-Business Suite. The main idea was to have a user for OBIEE that should have only limited access.

Together with some colleagues I made sure that the OBIEE user had the correct grants on some tables and views inside the EBS schemas (APPS, AR, GMS, PA). I created the realm and added the OBIEE user as a participant.
Everything seemed to work. Then I disabled the realm and even removed the OBIEE user from the realm, but Oracle Answers was still able to access the APPS schema objects.

It took me a day; finally I reread the manual and understood my error.

The purpose of DBV realms is to lock out users who hold system privileges (SELECT ANY TABLE and the like), such as the SYS or SYSTEM user.
The OBIEE user's account has no system privileges other than CREATE SESSION.
To access any object, the OBIEE user relies on discretionary grants (e.g. the AR user grants SELECT on HZ_CUST_ACCOUNTS).
Because of this, the OBIEE user does not need the realm at all: the object grant alone is what gives the access, and the realm never comes into play for it.

Database Vault is not aimed at users like the OBIEE user, but at all users who hold system privileges.

From the Oracle manual:

... Oracle Database Vault does not replace the discretionary access control model in the existing Oracle database. It functions as a layer on top of this model for both realms and command rules. ...
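The following SQL script is an added example, not code from the original post, and illustrates the point above: a realm protecting an EBS table stops a user who relies on SELECT ANY TABLE, while a user who reaches the same table through a direct object grant is unaffected. The realm name, OBIEE_USER and DBA_LIKE_USER are placeholders; AR.HZ_CUST_ACCOUNTS is the table named in the post. It assumes the DBMS_MACADM/DBMS_MACUTL packages and DBA_DV_* views of Database Vault 11g, and the 11g-style DVSYS.AUDIT_TRAIL$ for the last query; run it as a user holding the DV_OWNER role.

```sql
-- Added example (not from the original post). Placeholders: the realm name,
-- OBIEE_USER (direct object grants only) and DBA_LIKE_USER (SELECT ANY TABLE).

-- 1. Create a realm and put the AR table the post mentions under its protection.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'EBS Reporting Realm',            -- placeholder name
    description   => 'Blocks system-privilege access to EBS reporting tables',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit realm violations
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'EBS Reporting Realm',
    object_owner => 'AR',
    object_name  => 'HZ_CUST_ACCOUNTS',
    object_type  => 'TABLE');
END;
/

-- 2. Confirm the realm configuration actually took effect.
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'EBS Reporting Realm';

-- 3. The check the post's author needed: HOW does each user reach the table?
--    A realm only intercepts the system-privilege path (first branch);
--    the object-grant path (second branch) is plain discretionary access.
SELECT grantee, privilege AS access_path, 'SYSTEM PRIVILEGE (realm applies)' AS note
  FROM dba_sys_privs
 WHERE grantee IN ('OBIEE_USER', 'DBA_LIKE_USER')
   AND privilege LIKE '%ANY%'
UNION ALL
SELECT grantee,
       privilege || ' ON ' || owner || '.' || table_name,
       'OBJECT GRANT (realm does not apply)'
  FROM dba_tab_privs
 WHERE grantee IN ('OBIEE_USER', 'DBA_LIKE_USER')
   AND owner = 'AR'
   AND table_name = 'HZ_CUST_ACCOUNTS';

-- 4. Expected behaviour with the realm enabled:
--    as DBA_LIKE_USER (SELECT ANY TABLE, no realm authorization):
--      SELECT COUNT(*) FROM ar.hz_cust_accounts;   -- realm violation, ORA-01031
--    as OBIEE_USER (GRANT SELECT ON ar.hz_cust_accounts TO obiee_user):
--      SELECT COUNT(*) FROM ar.hz_cust_accounts;   -- succeeds, realm or no realm

-- 5. If a system-privileged user legitimately needs the objects, authorize it
--    in the realm as a participant instead of relying on the ANY privilege alone.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'EBS Reporting Realm',
    grantee       => 'DBA_LIKE_USER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 6. Realm violations recorded by G_REALM_AUDIT_FAIL (11g audit trail, assumed).
SELECT username, owner, obj_name, action_name, "TIMESTAMP"
  FROM dvsys.audit_trail$
 WHERE owner = 'AR'
   AND obj_name = 'HZ_CUST_ACCOUNTS'
 ORDER BY "TIMESTAMP" DESC;
```

Step 3 is the query that would have saved the day described in the post: if a reporting account shows up only in the second branch, no realm setting (enabled, disabled, participant or not) changes what it can read, and the only way to restrict it is to revoke the object grants themselves. As a caveat not on the page: Database Vault 12c added "mandatory" realms (realm_type => 1 in CREATE_REALM) that also block object owners and grantees unless they are authorized in the realm, so the observation in this post holds for regular realms only.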
