1.Oracle Database Vault - Realm
来源:互联网 发布:笔记本电脑评测软件 编辑:程序博客网 时间:2024/06/04 17:42
1. REALM的作用
Oracle Database Vault通过建立REALM可以防止未授权的DBA用户访问REALM内的业务数据。
在Oracle中,如果要看到其他用户下的数据,有两种方法,一个是被直接授权这个对象的查询权限,而另一个是被授权SELECT ANY TABLE系统权限。REALM对于用户直接授权是允许的,而对于SELECT ANY TABLE系统权限是禁止的。
Realms: Concepts
A realm is a collection of roles anddatabase objects that are, as a group, protected from access by users on thebasis of a participant list. Even though certain users may have been grantedthe SELECT ANY TABLE system privilege, they have to be listed as realmparticipants in order to select data from a table that is protected by therealm.
Realm可以使用Rule Set来定义一些访问Realm内业务对象的条件,如只能在工作时间访问、限制IP访问等。Rule Set在本次测试不进行设置。
2. 测试用户
SQL> conndvacct/qawsedrf_1
Connected.
SQL> create user scottidentified by tiger default tablespace users;
User created.
SQL> grant connect toscott;
Grant succeeded.
SQL> alter user scottquota 0 on system;
User altered.
SQL> alter user scottquota unlimited on users;
User altered.
dvacct用户无法赋权限resource,因为resource没有赋给DV_ACCTMGR角色
SQL> conn / as sysdba
Connected.
SQL> grant resource toscott;
Grant succeeded.
3. 创建和删除REALM
# dvowner用户
创建realm
begin
dbms_macadm.CREATE_REALM(realm_name => 'SCOTT_REALM',
description => 'Protect SCOTT data from DBA access',
enabled => DVSYS.DBMS_MACUTL.G_YES,
audit_options =>DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);
commit;
end;
/
删除realm
# 删除relam
execdbms_macadm.delete_realm(realm_name => 'SCOTT_REALM');
4. 向REALM中添加和删除对象
添加对象,添加完对象后,默认这些对象无法被有SELECT ANY TABLE权限的用户所访问,DatabaseVault就是为了防止系统权限
begin
DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
realm_name => 'SCOTT_REALM',
object_owner => 'SCOTT',
object_name => '%',
object_type => 'TABLE');
end;
/
删除对象
begin
DVSYS.DBMS_MACADM.delete_object_from_realm(
realm_name => 'SCOTT_REALM',
object_owner => 'SCOTT',
object_name => '%',
object_type => 'TABLE');
end;
/
# 测试System用户访问scott用户的表
SQL>conn system/system
Connected.
SQL>select * from scott.emp;
select* from scott.emp
*
ERRORat line 1:
ORA-01031:insufficient privileges
5. 向REALM添加和删除AUTH
添加auth
begin
DVSYS.DBMS_MACADM.add_auth_to_realm(
realm_name => 'SCOTT_REALM',
grantee => 'SCOTT',
rule_set_name => null,
auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
end;
/
begin
DVSYS.DBMS_MACADM.add_auth_to_realm(
realm_name => 'SCOTT_REALM',
grantee => 'SYSTEM',
rule_set_name => null,
auth_options =>DVSYS.DBMS_MACUTL.g_realm_auth_participant);
end;
/
这样system用户就可以访问scott的表
删除auth
begin
DVSYS.DBMS_MACADM.delete_auth_from_realm(
realm_name=> 'SCOTT_REALM',
grantee => 'SCOTT');
end;
/
所有者与参与者的区别:
l Participant: Thegrantee is able to access the realm-secured objects.
l Owner: Thegrantee has all the access rights that a participant has, and can also grantprivileges to others on any of the objects in the realm. This is comparable tothe WITH ADMIN option of the GRANT statement.
6. 相关视图
DBA_DV_REALM
DBA_DV_REALM_OBJECT
DBA_DV_REALM_AUTH
7. REALM相关API
DBMS_MACADM包:
• Create realms:
- CREATE_REALM
• Modify realms:
- ADD_AUTH_TO_REALM
- ADD_OBJECT_TO_REALM
- DELETE_AUTH_FROM_REALM
- DELETE_OBJECT_FROM_REALM
- RENAME_REALM
- UPDATE_REALM
- UPDATE_REALM_AUTH
• Delete realms:
- DELETE_REALM
- DELETE_REALM_CASCADE
- 1.Oracle Database Vault - Realm
- Oracle Database Vault - Realm
- 例解 Oracle Database Vault
- oracle database vault
- 2.Oracle Database Vault - Rule_Set
- 3.Oracle Database Vault - Factors
- 如何禁用 Oracle Database Vault
- Oracle Database Vault--信息系统的安全保障
- oracle database vault(数据库保险库)
- ORA-47958与Oracle Database Vault
- Oracle Database Vault关闭方法(二)
- database vault
- oracle之 oracle database vault(数据库保险库)
- Oracle数据安全解决方案系列-----Database Vault安装篇
- Installing Database Vault Into An Existing 11.1.0.7 Oracle Home:
- Install the database vault
- Database Vault注册
- Database Vault的禁用
- iphone 应用程序加载图像的方法
- 一些iphone开发的资料
- EDI的报文标准和代码标准
- Android的SQLite学习及使用方法(1)
- String,StringBuffer,StringBulider的区别
- 1.Oracle Database Vault - Realm
- 机遇lan的数据备份
- Android TextView 使用HTML格式串
- 解决L2TP_VPN_768#连接错误的方法
- iPhone/iPad利用系统MFMailComposeViewController调用系统
- C#中Show()和ShowDialog()的区别
- 线程的一些基本概念
- PHP中的魔术方法,转自:http://4nail.iteye.com/blog/604913
- 总结:Android JNI开发疑点
