Oracle Database Vault

Introduction

Oracle Database Vault is part of the Oracle Database security feature set and provides powerful security controls to protect application data from unauthorized access.

It can restrict access to areas of an Oracle Database for any user, including users who hold administrative access such as DBA or SYSDBA.

With Oracle Database Vault, one can address the most difficult security problems prevailing today: protecting against insider threats, meeting regulatory compliance requirements and enforcing separation of duty.

It enables data owners to apply fine-grained access control to their sensitive data in a variety of ways.
It hardens one's Oracle Database instance and enforces industry-standard best practices by separating duties from traditionally powerful users.

For example, one can restrict administrative access to salaries, employee financial data, employee or customer medical records, or other such sensitive information.

DBAs can configure Oracle Database Vault to manage the security of an individual Oracle Database instance.

Oracle Database Vault can be installed on a standalone database, in multiple Oracle Homes, and in Oracle RAC environments.

Privileges

Oracle Database Vault (ODV) provides a set of database roles that enable Oracle users to perform specific tasks.

The most commonly used roles are "DV_ADMIN" and "DV_OWNER", which enable one to create and manage ODV policies.

"DV_ACCTMGR" enables one to manage Oracle user accounts.

Oracle Database Vault Access Control Components

Oracle Database Vault enables you to create a set of components to manage security for your database instance.

These components are as follows:

Realms
A realm is a protection zone inside the database where database schemas, objects and roles can be secured.
For example, one can secure a set of schemas, objects and roles that are related to accounting, sales or human resources.
After one has secured these into a realm, one can use the realm to control the use of system and object privileges by specific accounts or roles.
This enables one to provide fine-grained access controls for anyone who wants to use these schemas, objects and roles.

Command rules
A command rule is a special security policy that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, Data Definition Language (DDL) and Data Manipulation Language (DML) statements.
Command rules work together with rule sets to determine whether the statement is allowed.

Factors
A factor is a named variable or attribute, such as a user location, database IP address or session user, which Oracle Database Vault can recognize and use.
One can use factors in rules to control activities such as authorizing database accounts to connect to the database or the execution of a specific database command, in order to restrict the visibility and manageability of data.
Each factor can have one or more identities.
An identity is the actual value of a factor. A factor can have several identities depending on the factor retrieval method or its identity mapping logic.

Rule sets
A rule set is a collection of one or more rules that one can associate with a realm authorization, command rule, factor assignment or secure application role.
The rule set evaluates to true or false based on the evaluation of each rule it contains and the evaluation type (All True or Any True).
A rule within a rule set is a PL/SQL expression that evaluates to true or false. One can use the same rule in multiple rule sets.

Secure application roles
A secure application role is a special Oracle Database role that can be enabled based on the evaluation of an Oracle Database Vault rule set.
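The following PL/SQL script is an added example, not part of the original article or of Oracle's own documentation, that ties the five components above together: a realm around a sensitive table, a rule set built from two rules (one using the built-in CLIENT_IP factor, one a plain time-of-day check), a realm authorization and a command rule gated on that rule set, and a secure application role that can only be enabled while the rule set is true. All names are constructed assumptions: the HR schema with its EMPLOYEES table, the APP_PAYROLL account, the 10.0.0.x application-tier address range, the rule set, rule and role names, and the 20001 failure code. It assumes Database Vault is already configured and enabled and that the script is run by a user holding DV_OWNER; the DBMS_MACADM procedures and DBMS_MACUTL constants are the documented Database Vault administration API, but check the exact parameter list for your release.

```sql
-- Added example: build a Database Vault policy from realm, rules, rule set,
-- command rule and secure application role. Run as a DV_OWNER user.
-- Assumed (constructed) names: HR.EMPLOYEES, APP_PAYROLL, 10.0.0.x, PAYROLL_APP_ROLE.
BEGIN
  -- 1. Realm: a protection zone around the table holding salary data.
  --    Once an object is in a realm, system privileges such as SELECT ANY TABLE
  --    no longer reach it; only realm-authorized accounts can use their privileges on it.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Payroll Realm',
    description   => 'Protects employee salary data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit blocked attempts

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Payroll Realm',
    object_owner => 'HR',
    object_name  => 'EMPLOYEES',
    object_type  => 'TABLE');

  -- 2. Rule set: "All True" means every rule it contains must pass.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Payroll Access Rule Set',
    description     => 'Allow access only from the application tier during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,  -- show the message to the caller
    fail_message    => 'Payroll data is only accessible from the application tier',
    fail_code       => 20001,                              -- constructed error code
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  -- Rules are PL/SQL boolean expressions. DVF.F$CLIENT_IP is the function
  -- Database Vault generates for the default Client_IP factor; its return value
  -- is the factor's identity for the current session.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Application Tier',
    rule_expr => q'[DVF.F$CLIENT_IP LIKE '10.0.0.%']');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => q'[TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) BETWEEN 8 AND 18]');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Payroll Access Rule Set', 'From Application Tier');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Payroll Access Rule Set', 'Business Hours');

  -- 3. Realm authorization: APP_PAYROLL may exercise its privileges on realm
  --    objects, but only while the rule set evaluates to true. Accounts with no
  --    authorization (a DBA included) are blocked regardless of their privileges.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Payroll Realm',
    grantee       => 'APP_PAYROLL',
    rule_set_name => 'Payroll Access Rule Set',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 4. Command rule: gate one statement type on the same rule set, so even an
  --    authorized account cannot DELETE from the table outside the allowed conditions.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'Payroll Access Rule Set',
    object_owner  => 'HR',
    object_name   => 'EMPLOYEES',
    enabled       => DBMS_MACUTL.G_YES);

  -- 5. Secure application role: it carries no privilege until enabled, and can
  --    only be enabled while the rule set is true. The application enables it with
  --    DBMS_MACSEC_ROLES.SET_ROLE('PAYROLL_APP_ROLE') instead of SET ROLE.
  DBMS_MACADM.CREATE_ROLE(
    role_name     => 'PAYROLL_APP_ROLE',
    enabled       => DBMS_MACUTL.G_YES,
    rule_set_name => 'Payroll Access Rule Set');
END;
/

-- Object privileges are granted to the role as usual; the grantor must itself be
-- authorized in the realm, otherwise the GRANT is blocked by the realm.
GRANT SELECT ON HR.EMPLOYEES TO PAYROLL_APP_ROLE;

-- Verification (as DV_OWNER or DV_ADMIN): confirm the realm is enabled and the
-- rule set contains both rules before relying on the policy.
SELECT name, enabled FROM DBA_DV_REALM WHERE name = 'HR Payroll Realm';
SELECT rule_set_name, rule_name, rule_expr
  FROM DBA_DV_RULE_SET_RULE
 WHERE rule_set_name = 'Payroll Access Rule Set';
```

A useful check after deployment is to connect as a DBA account that is not authorized in the realm and attempt a SELECT on HR.EMPLOYEES: with the realm enabled the statement fails with a realm violation, and because the realm audits failures the attempt appears in the Database Vault audit trail. The same rule set serving the realm authorization, the command rule and the secure application role illustrates the point above that one rule set can be associated with several components.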
