![Page 1: A First look at Database Vault David Bergmeier. Overview Installation Limitations Securing Data Backups A trigger problem Agenda](https://reader035.vdocuments.site/reader035/viewer/2022062712/56649cab5503460f9496be3b/html5/thumbnails/1.jpg)
A First look at Database Vault
David Bergmeier
Agenda
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
About me
Senior Oracle DBA
Worked for MGA nearly 2 years
Background as an Analyst/Programmer
12 years in financial services industry
Started using Oracle in 1996
Overview
Why Oracle Database Vault?
• Don’t trust the DBA
• Regulatory compliance (e.g. Sarbanes-Oxley)
• Separation of duties
Separation of duties
connect / as sysdba
create user david ...
grant dba to david;
select * from scott.emp;
Anyone who can connect as SYSDBA can create an account, grant it DBA and read any application table. Without Database Vault there is nothing that separates the person who runs the database from the person who can see its data.
Agenda (next: Installation)
Prerequisites
• Oracle 10.2.0.3
• 1024 MB of physical RAM
• Swap space (1.5 times RAM)
• 400 MB in /tmp
• 270 MB for Database Vault binaries
• 10 MB additional for database files
Prerequisites
Installation assumes one instance per Oracle home, but can support more.
Installation
User to receive DV_OWNER role
Installation
Passwords must contain alphabetic, numeric and special characters.
Installation
User to receive DV_ACCTMGR role
Agenda (next: Limitations)
The First Problem
Let’s start the database
The First Problem
I cannot login as SYSDBA. So how do I start/stop Oracle?
(The Database Vault install disables SYSDBA connections; the orapwd nosysdba setting under Allow SYSDBA below is what later turns them back on.)
The First Problem
connect / as SYSOPER
SYSOPER can STARTUP and SHUTDOWN the instance but, unlike SYSDBA, carries no right to read application data.
Agenda (next: Securing Data)
Securing Some Data
$ lsnrctl start
$ emctl start dbconsole
(Database Control also hosts the Database Vault Administrator web console used in the screens that follow.)
Securing Some Data
$ sqlplus system/manager
SQL> select * from scott.emp;
...
14 rows selected.
SQL>
What is a Realm?
A realm is a functional grouping of schemas and roles that are secured.
What is a Realm?
(Diagram: one Realm has many Secured Objects and many Authorizations.)
Securing Some Data
SQL> select * from scott.emp;
select * from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL>
SYSTEM reached SCOTT.EMP only through the SELECT ANY TABLE system privilege that comes with the DBA role; once EMP is inside a realm that privilege no longer applies to it.
Securing Some Data
SQL> select * from scott.dept;
    DEPTNO DNAME          LOC
---------- -------------- --------
        10 ACCOUNTING     NEW YORK
        20 RESEARCH       DALLAS
        30 SALES          CHICAGO
        40 OPERATIONS     BOSTON
SQL>
(DEPT is outside the realm, so it is still readable.)
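The realm the deck builds through the Database Vault Administrator screens, expressed with the DBMS_MACADM package so it can be scripted and reviewed. This is an added example, not code from the deck: it assumes the account that received DV_OWNER at install is called dvo (the deck never names it), the realm name and description are mine, and SCOTT is registered as a realm owner so it can keep granting object privileges on EMP as the later Grants slide does.

```sql
-- Added example: the realm the deck builds in the Database Vault Administrator screens,
-- written as DBMS_MACADM calls. "dvo" (the DV_OWNER account) and the realm name are my
-- assumptions; the deck never names either.
connect dvo/&dvo_password

BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SCOTT Employee Data',
    description   => 'Blocks system-privilege access to SCOTT.EMP',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record every blocked attempt

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SCOTT Employee Data',
    object_owner => 'SCOTT',
    object_name  => 'EMP',
    object_type  => 'TABLE');

  -- SCOTT is an OWNER of the realm (not a participant) so it can keep granting
  -- object privileges on EMP, as the later "Grants" slide does.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SCOTT Employee Data',
    grantee       => 'SCOTT',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify what the realm covers and who is authorized before relying on it.
SELECT owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 WHERE realm_name = 'SCOTT Employee Data';

SELECT grantee, auth_options, rule_set_name
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'SCOTT Employee Data';

-- Same test as the slides: SYSTEM reaches EMP only through SELECT ANY TABLE
-- (from the DBA role), which the realm blocks; DEPT is outside the realm.
connect system/manager
SELECT COUNT(*) FROM scott.emp;      -- ORA-01031: insufficient privileges
SELECT COUNT(*) FROM scott.dept;     -- 4
```

The two SELECTs against the DBA_DV_REALM_* views are the part worth keeping in a change checklist: a realm with the wrong object list, or an authorization nobody remembers adding, protects nothing while looking as if it does.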
Securing Some Data
That’s the end of the tutorial. So now let’s consider a real world application.
Real world Example
(Diagram: the application server connects to the database as a single application user, which accesses SCOTT.EMP.)
Real world Example
(Diagram: support users connect with individual accounts that have read-only access to SCOTT.EMP.)
Real world Example
(Diagram: SCOTT grants select, insert, update, delete on EMP to scott_app_user and select on EMP to scott_ro_role; scott_ro_role is granted to scott_ro.)
Create User
SQL> connect system/manager
SQL> create user scott_app_user
2> identified by tiger
3> default tablespace USERS;
identified by tiger
*
ERROR at line 2:
ORA-01031: Insufficient Privileges
Account management now belongs to the DV_ACCTMGR role, so SYSTEM can no longer create users.
Create User (as dbu, the account that received DV_ACCTMGR at install)
SQL> connect dbu/manager
SQL> create user scott_app_user
2> identified by tiger
3> default tablespace USERS;
User created.
SQL> grant connect to scott_app_user;
Create User
SQL> connect dbu/manager
SQL> create user scott_ro
2> identified by tiger
3> default tablespace USERS;
User created.
SQL> grant connect to scott_ro;
Create Role
SQL> connect system/manager
SQL> create role scott_ro_role;
Role created.
SQL> grant scott_ro_role to scott_ro;
Grant succeeded.
SQL>
Grants
SQL> connect scott/tiger
SQL> grant select,insert,update,delete on emp to scott_app_user;
Grant succeeded.
SQL> grant select on emp to scott_ro_role;
Grant succeeded.
SQL>
Real world Example
Now to test it...
Testing scott_ro
SQL> connect scott_ro/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing scott_app_user
SQL> connect scott_app_user/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
14 rows deleted.
SQL> rollback;
Testing system
SQL> connect system/manager
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
What went wrong?
SQL> connect system/manager
SQL> select * from session_roles;
ROLE
---------------------------
DV_PUBLIC
DBA
...
SCOTT_RO_ROLE
14 rows selected.
SQL>
What went wrong?
How did SYSTEM get SCOTT_RO_ROLE?
What went wrong?
SQL> connect system/manager
SQL> create role foo;
Role created.
SQL> set role all;
Role set.
SQL> select * from session_roles;
ROLE
---------------------------
DV_PUBLIC
...
FOO
Oracle grants a newly created role to its creator WITH ADMIN OPTION. SYSTEM created SCOTT_RO_ROLE, so SYSTEM holds it, and a realm does not block access that arrives through an object privilege granted to a role; it only blocks system privileges.
What went wrong?
So now we have a problem! If we only revoke the role, SYSTEM can grant it again. How do we prevent this?
Remove the Role
SQL> connect system/manager
SQL> drop role scott_ro_role;
Role dropped.
SQL> select * from session_roles;
ROLE
---------------------------
DV_PUBLIC
...
MGMT_USER
13 rows selected.
SQL>
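A check that would have found this before the delete test: which roles do privileged accounts hold (and, with ADMIN OPTION, can re-grant), and which application tables do those roles reach? This is an added example, not part of the deck. It uses only the standard DBA_* views, runs as any account able to read them, and the list of excluded schemas is my own choice.

```sql
-- Added check: roles that privileged accounts hold (and, with ADMIN OPTION, can
-- re-grant), joined to the application-table privileges those roles carry.
-- Run as any account that can read the DBA_* views; the excluded schemas are my choice.
-- On the deck's database the row to expect is
--   SYSTEM / SCOTT_RO_ROLE / YES / SCOTT.EMP / SELECT
-- because Oracle grants a new role to its creator WITH ADMIN OPTION, and a realm does
-- not block access that arrives through an object privilege.
SELECT rp.grantee,
       rp.granted_role,
       rp.admin_option,                          -- YES: grantee can grant the role on
       tp.owner || '.' || tp.table_name AS object_name,
       tp.privilege
  FROM dba_role_privs rp
  JOIN dba_tab_privs  tp
    ON tp.grantee = rp.granted_role
 WHERE tp.owner NOT IN ('SYS', 'SYSTEM', 'DVSYS', 'DVF')   -- application schemas only
   AND (   rp.grantee = 'SYSTEM'
        OR rp.grantee IN (SELECT grantee FROM dba_role_privs
                           WHERE granted_role = 'DBA')
        OR rp.grantee IN (SELECT grantee FROM dba_sys_privs
                           WHERE privilege = 'GRANT ANY ROLE'))
 ORDER BY rp.grantee, rp.granted_role, object_name;
```

Any row in this result is a path from a DBA account to application data that no realm will close, which is why the deck drops the role rather than revoking it and recreates it under DV_ACCTMGR.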
Problem with DV_ACCTMGR
DV_ACCTMGR has:
• create/drop user
• alter user account lock/unlock
• alter user password expire
• grant/revoke CONNECT role
Problem with DV_ACCTMGR
DV_ACCTMGR needs:
• create role
• alter any role
• drop any role
• SELECT_CATALOG_ROLE
To get these, we need to login as SYSDBA.
Allow SYSDBA
$ cd $ORACLE_HOME/dbs
$ orapwd file=orapwmozart password=mozart entries=20 force=y nosysdba=n
$ sqlplus sys/mozart as sysdba
SQL> startup
SQL> alter user sys identified by mozart;
nosysdba=n reverses what the install did (The First Problem above). While SYSDBA is enabled the separation of duties Database Vault was installed for does not hold, because SYSDBA can grant any privilege, which is exactly what the next slides rely on.
Grants to DV_ACCTMGR
SQL> connect sys/mozart as sysdba
SQL> grant create role to DV_ACCTMGR;
SQL> grant alter any role to DV_ACCTMGR;
SQL> grant drop any role to DV_ACCTMGR;
SELECT_CATALOG_ROLE
Fixing DV_ACCTMGRFixing DV_ACCTMGR
![Page 77: A First look at Database Vault David Bergmeier. Overview Installation Limitations Securing Data Backups A trigger problem Agenda](https://reader035.vdocuments.site/reader035/viewer/2022062712/56649cab5503460f9496be3b/html5/thumbnails/77.jpg)
Fixing DV_ACCTMGRFixing DV_ACCTMGR
![Page 78: A First look at Database Vault David Bergmeier. Overview Installation Limitations Securing Data Backups A trigger problem Agenda](https://reader035.vdocuments.site/reader035/viewer/2022062712/56649cab5503460f9496be3b/html5/thumbnails/78.jpg)
Fixing DV_ACCTMGRFixing DV_ACCTMGR
![Page 79: A First look at Database Vault David Bergmeier. Overview Installation Limitations Securing Data Backups A trigger problem Agenda](https://reader035.vdocuments.site/reader035/viewer/2022062712/56649cab5503460f9496be3b/html5/thumbnails/79.jpg)
Create Role as DV_ACCTMGR
SQL> connect dbu/manager
SQL> create role scott_ro_role;
Role created.
SQL>
At this stage we delay granting scott_ro_role.
Securing SCOTT_RO_ROLE
The role is added to a realm as a secured object; Database Vault then lets only that realm’s owners grant or revoke it.
Granting SCOTT_RO_ROLE
SQL> connect dbu/manager
SQL> grant scott_ro_role to scott_ro;
grant scott_ro_role to scott_ro
*
ERROR at line 1:
ORA-47401: Realm violation for grant role privilege on SCOTT_RO_ROLE
dbu holds the role WITH ADMIN OPTION as its creator, but is not an owner of the realm that now protects it.
Granting SCOTT_RO_ROLE
So who can/should do the grant of SCOTT_RO_ROLE?
Answer: SCOTT, provided SCOTT can only grant SCOTT_RO_ROLE and not other roles like DBA.
Granting SCOTT_RO_ROLE
One more grant as SYSDBA:
SQL> connect sys/mozart as sysdba
SQL> grant grant any role to scott;
Grant succeeded.
SQL>
Granting SCOTT_RO_ROLE
SQL> connect scott/tiger
SQL> grant scott_ro_role to scott_ro;
Grant succeeded.
SQL> revoke scott_ro_role from dbu;
Revoke succeeded.
SQL>
(The revoke removes the grant dbu received automatically as the role’s creator.)
Granting SCOTT_RO_ROLE
SQL> connect scott/tiger
SQL> grant DBA to scott;
grant DBA to scott
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-47401: Realm violation for grant role privilege on UNLIMITED TABLESPACE.
![Page 89: A First look at Database Vault David Bergmeier. Overview Installation Limitations Securing Data Backups A trigger problem Agenda](https://reader035.vdocuments.site/reader035/viewer/2022062712/56649cab5503460f9496be3b/html5/thumbnails/89.jpg)
WHY?
Granting SCOTT_RO_ROLEGranting SCOTT_RO_ROLE
![Page 90: A First look at Database Vault David Bergmeier. Overview Installation Limitations Securing Data Backups A trigger problem Agenda](https://reader035.vdocuments.site/reader035/viewer/2022062712/56649cab5503460f9496be3b/html5/thumbnails/90.jpg)
The DBA role is protected by the “Oracle Data Dictionary” Realm.
Granting SCOTT_RO_ROLE
Now to test it... Again
Granting SCOTT_RO_ROLE
SQL> connect scott_ro/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
delete from scott.emp
*
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing scott_ro again
SQL> connect scott_app_user/tiger
SQL> select * from scott.emp;
14 rows selected.
SQL> delete from scott.emp;
14 rows deleted.
SQL> rollback;
Testing scott_app_user
SQL> connect system/manager
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL> delete from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing system again
SQL> connect sys/mozart as sysdba
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL> delete from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing SYSDBA
SQL> connect dbu/manager
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL> delete from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing DV_ACCTMGR
SQL> connect dbv/manager
SQL> select * from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
SQL> delete from scott.emp;
ERROR at line 1:
ORA-01031: Insufficient Privileges
Testing DV_ADMIN
Let’s review the actions performed by each of the different users/roles
Separation of Duties
SYS as SYSDBA
• Grant role privileges to DV_ACCTMGR (one time)
• Grant “grant any role” to SCOTT (once per application)
Separation of Duties
DV_ADMIN (user = dbv)
• Realm authorizations (once per application)
• Command Rules (one time)
Separation of Duties
DV_ACCTMGR (user = dbu)
• Create user (ongoing)
• Grant connect (ongoing)
• Create role (once per app)
Separation of Duties
Schema owner (SCOTT)
• Grant object privileges (once per application)
• Grant SCOTT_RO_ROLE (ongoing)
Separation of Duties
DBA (user = system)
• Nothing
Separation of Duties
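Two things are worth verifying once this division of duties is in place, and the queries below do that as an added example that is not part of the presentation: first, that the DBA role really is an object of the “Oracle Data Dictionary” realm, which is why SCOTT's "grant DBA to scott" failed with ORA-47401 even though SCOTT holds GRANT ANY ROLE; second, that the privilege picture in the catalog matches the duties listed above (nobody but the intended grantees holds DBA, GRANT ANY ROLE or SCOTT_RO_ROLE, and SCOTT_RO_ROLE carries only object privileges on SCOTT's tables). The users and roles (SCOTT, SCOTT_RO_ROLE, DBU, DBV, SYSTEM) come from the slides; the Database Vault views DBA_DV_REALM_OBJECT and DBA_DV_REALM_AUTH are the standard ones, and it is assumed the queries are run as an account allowed to read them, such as the DV_ADMIN user.

```sql
-- Added verification queries (not from the presentation).  Assumes the
-- slides' users/roles and read access to the DVSYS DBA_DV_* views
-- (e.g. run as the DV_ADMIN account "dbv").

-- 1. Which roles does the "Oracle Data Dictionary" realm protect?
--    The slides state that DBA is one of them, which is what turned
--    SCOTT's "grant DBA" into an ORA-47401 realm violation.
SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'Oracle Data Dictionary'
   AND object_type = 'ROLE'
 ORDER BY object_name;

-- 2. Who is authorised (owner/participant) in any realm that covers
--    SCOTT's objects?  Only the accounts the review above names should
--    appear here; a DBA account showing up would defeat the exercise.
SELECT a.realm_name, a.grantee, a.auth_options, a.auth_rule_set_name
  FROM dba_dv_realm_auth a
 WHERE a.realm_name IN (SELECT o.realm_name
                          FROM dba_dv_realm_object o
                         WHERE o.owner = 'SCOTT')
 ORDER BY a.realm_name, a.grantee;

-- 3. Privilege picture from the ordinary data dictionary.
--    Holders of DBA and of SCOTT_RO_ROLE (SCOTT_RO, and nobody else, for the latter):
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SCOTT_RO_ROLE')
 ORDER BY granted_role, grantee;

--    Holders of GRANT ANY ROLE: the slides grant it to SCOTT once per
--    application, so the list should be short and every entry explainable.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'GRANT ANY ROLE'
 ORDER BY grantee;

--    What SCOTT_RO_ROLE actually conveys: object privileges on SCOTT's
--    tables only, granted by SCOTT (the grantor column proves who did it).
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantee = 'SCOTT_RO_ROLE'
 ORDER BY owner, table_name, privilege;
```

The point of query 1 is the caveat behind the ORA-47401 slide: GRANT ANY ROLE is a broad system privilege, and it is the realm, not the privilege, that stops SCOTT from handing out DBA. Keeping the realm's role list under review therefore matters as much as reviewing who holds GRANT ANY ROLE, which is what queries 2 and 3 make routine.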
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
Agenda
Impact of Backups
• Export
• Data Pump
• RMAN
Backups
Export
• Lots of ORA-01031
• Will be unable to Import
• Not viable
Backups
Data Pump
• Not tested
Backups
RMAN
• Requires SYSDBA access
• May need to hardcode SYS password or use wallet
• Works successfully
Backups
Overview
Installation
Limitations
Securing Data
Backups
A trigger problem
Agenda
Error creating trigger
• Minor changes to whitespace in trigger source caused compile success/failure
• Known Bug: 5630439
• ORA-47999: internal Database Vault error: create trigger
Trigger Problem
Workaround available
• Login as dv_owner account
• alter trigger dvsys.DV_BEFORE_DDL_TRG disable
• Login as SCOTT and create trigger
• Login as dv_owner account
• alter trigger dvsys.DV_BEFORE_DDL_TRG enable
Trigger Problem
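The same workaround written out as a script, as an added example rather than the presenter's own, with a state check before and after so that the period in which Database Vault's DDL trigger is switched off is short and verifiably closed. DVSYS.DV_BEFORE_DDL_TRG and the dv_owner account are the ones named on the slide; the trigger SCOTT.EMP_AUDIT_TRG and its body are hypothetical stand-ins for whatever trigger hit ORA-47999, and the status query assumes the dv_owner account can read DBA_TRIGGERS.

```sql
-- Added example (not from the presentation): the bug 5630439 workaround
-- with bookkeeping around it.  Assumes the slides' dv_owner account and
-- a hypothetical trigger SCOTT.EMP_AUDIT_TRG on SCOTT.EMP.

-- Step 1, as the dv_owner account: record the current state, then disable
-- the Database Vault DDL trigger.  Assumes SELECT access to DBA_TRIGGERS.
SELECT owner, trigger_name, status
  FROM dba_triggers
 WHERE owner = 'DVSYS'
   AND trigger_name = 'DV_BEFORE_DDL_TRG';

ALTER TRIGGER dvsys.dv_before_ddl_trg DISABLE;

-- Step 2, as SCOTT: create the trigger that previously failed with
-- ORA-47999.  The body below is hypothetical (rejects salary decreases).
CREATE OR REPLACE TRIGGER scott.emp_audit_trg
  BEFORE UPDATE OF sal ON scott.emp
  FOR EACH ROW
BEGIN
  IF :NEW.sal < :OLD.sal THEN
    RAISE_APPLICATION_ERROR(-20001, 'Salary decrease not permitted');
  END IF;
END;
/

-- Step 3, as the dv_owner account again: re-enable immediately and
-- confirm the trigger is back in force before ending the maintenance window.
ALTER TRIGGER dvsys.dv_before_ddl_trg ENABLE;

SELECT owner, trigger_name, status
  FROM dba_triggers
 WHERE owner = 'DVSYS'
   AND trigger_name = 'DV_BEFORE_DDL_TRG';
```

While DV_BEFORE_DDL_TRG is disabled, the DDL checks it performs are off for every session, not only SCOTT's, so the three steps belong in one short window, and the final query should report STATUS = 'ENABLED' before that window is declared closed. Logging the two status snapshots alongside the change record gives an auditor evidence of how long Database Vault enforcement was relaxed.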
You probably don’t need Database Vault
It’s a trade-off between more security and more bureaucracy
It seems to work okay but there are some bugs
Typical workarounds involve deactivating Database Vault
Conclusion