Access Control Facilities in Oracle Database 11gR2 M. Amin Saghizadeh JUN 2015

Upload: mohammad-amin-saghizadeh

Post on 15-Jan-2017



1) Introduction

In this document we introduce some access control facilities in Oracle Database 11gR2 (Oracle from now on) and discuss how a given access control need can be met with its available capabilities.

2) Access Control Facilities

In this section we discuss the available facilities that are useful for access control.

1-1) User Groups and Assigning Roles to the Group

The concept of user groups can be implemented in Oracle in two ways. However, not both of them support assigning roles to the group.

First, users can be grouped by assigning them to profiles. A profile is a named set of resource limits and password parameters that restrict database usage and instance resources for a user [1]. When you create a user you can give it a profile, and if you don't, the DBMS automatically assigns the DEFAULT profile to it.

Profiles have two limitations with respect to access control. First, a user can have only one profile at a time. Second, profiles can be assigned only to users, not to roles or to other profiles. So they only group users by the usage limits on database instance resources, and they cannot be used to group users hierarchically.

The other way of grouping users in Oracle is to group them by roles. You can create a grouping role, grant the needed privileges to it, and even assign other roles to it. This approach fully provides the desired access control facility: user groups with roles assigned to them.

1-2) Hierarchical Role-Based Access Control

Hierarchical RBAC is supported by default from Oracle Database 9i on. In a role hierarchy, role members inherit permissions from the parent role [2]. Thus, if Role A is a member of Role B, then all permissions granted to Role B are also permissions granted to Role A. Role A may of course have its own particular permissions, but just by being a member of Role B it inherits all the permissions granted to Role B.
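The grouping roles of section 1-1 and the role hierarchy of section 1-2, as an added example that is not part of the original document. The roles HR_READ, HR_STAFF and HR_MANAGER, the table HR.EMPLOYEES and the users USERA and USERB are assumed names; the final queries assume read access to the DBA_* dictionary views.

```sql
-- Added example; every role, user and table name below is assumed.
CREATE ROLE hr_read;                          -- base role holding an object privilege
GRANT SELECT ON hr.employees TO hr_read;

CREATE ROLE hr_staff;                         -- grouping role: the "user group"
GRANT CREATE SESSION TO hr_staff;
GRANT hr_read TO hr_staff;                    -- hr_staff is a member of hr_read and inherits from it

CREATE ROLE hr_manager;                       -- second level of the hierarchy
GRANT hr_staff TO hr_manager;                 -- inherits hr_staff and, through it, hr_read
GRANT UPDATE ON hr.employees TO hr_manager;   -- plus a permission of its own

GRANT hr_staff   TO usera;                    -- put users into the groups
GRANT hr_manager TO userb;

-- Resolve the hierarchy: every role each user holds, directly or by inheritance.
SELECT CONNECT_BY_ROOT grantee AS username,
       granted_role,
       LEVEL                   AS depth      -- 1 = granted directly to the user
FROM   dba_role_privs
START  WITH grantee IN ('USERA', 'USERB')
CONNECT BY PRIOR granted_role = grantee
ORDER  BY username, depth;

-- Effective object privileges that reach each user through those roles.
SELECT r.username, p.privilege, p.owner, p.table_name, r.granted_role AS via_role
FROM  (SELECT CONNECT_BY_ROOT grantee AS username, granted_role
       FROM   dba_role_privs
       START  WITH grantee IN ('USERA', 'USERB')
       CONNECT BY PRIOR granted_role = grantee) r
JOIN   dba_tab_privs p ON p.grantee = r.granted_role
ORDER  BY r.username, p.privilege;
```

With these grants USERA ends up with SELECT on the table through two levels of roles, and USERB with SELECT and UPDATE through three.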

1-3) Role-Based Access Control with Separation of Duty

In Oracle Database, separation of duty is delivered by Oracle Database Vault. Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access [3]. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.

Oracle Database Vault is disabled by default, and before enabling and using it you must also enable Oracle Label Security. Oracle Database Vault security controls include realms, command rules, factors, separation of duty, and reporting.

Oracle Database Vault separation of duty enables a systematic approach to security that strengthens controls within the database and helps satisfy requirements found in many regulations. By default it creates three distinct, separate responsibilities within the database: Account Management, Security Administration and Database Administration. However, its extensibility allows separation of duty to be customized to any specific business requirements. For example, you can further subdivide the database administration responsibility into backup, performance and patching responsibilities.

As database roles themselves offer no facility for separation of duty, Oracle Database Vault is the only recommended solution in Oracle Database 11g for implementing separation of duty.

1-4) Access Control with Time-Based and Location-Based Constraints

There is no dedicated, straightforward facility for time-based access control constraints in Oracle Database 11gR2. However, workarounds exist, mainly through triggers and profiles.

If you want to restrict a user to logging in to the database only in certain time ranges, you can declare a database logon trigger for that. Here is an example which prevents user AMIN from connecting to the database outside the time range from 8 to 22:

Listing 1 – Database Logon Trigger

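    CREATE OR REPLACE TRIGGER trgLimitLoginTime
    AFTER LOGON ON DATABASE
    BEGIN
      -- Applies to user AMIN only. Users holding ADMINISTER DATABASE TRIGGER
      -- (for example DBAs) can still log on when a logon trigger raises an error.
      IF USER = 'AMIN' THEN
        -- Hours 8..21 cover 08:00:00 through 21:59:59, so logins from 22:00 on are rejected.
        IF TO_NUMBER(TO_CHAR(SYSDATE, 'hh24')) NOT BETWEEN 8 AND 21 THEN
          RAISE_APPLICATION_ERROR(-20998,
            'Dear Amin! You cannot login before 08:00 and after 22:00');
        END IF;
      END IF;
    END trgLimitLoginTime;
    /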

You can also block users who hold a specific role, or users who do not hold a specific role, with a similar approach.

You can also limit the total connection time of users. This is easier and more straightforward than the previous scenario and is done with profiles. The CONNECT_TIME resource parameter of a profile specifies the total elapsed time limit for a session, expressed in minutes [4]. With this facility you can, for example, limit each connection of the users of a profile to 5 minutes, i.e. each connection of those users lasts for 5 minutes, after which the DBMS closes it.
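The role-based variant of the logon trigger and the CONNECT_TIME limit described above, as an added example that is not part of the original document. The role NIGHT_RESTRICTED, the profile SHORT_SESSIONS and the trigger name are assumed; the trigger owner is assumed to hold a direct SELECT grant on DBA_ROLE_PRIVS.

```sql
-- Added example; NIGHT_RESTRICTED, SHORT_SESSIONS and the trigger name are assumed.
CREATE ROLE night_restricted;
GRANT night_restricted TO amin;

CREATE OR REPLACE TRIGGER trg_limit_login_by_role
AFTER LOGON ON DATABASE
DECLARE
  v_hits PLS_INTEGER;
BEGIN
  -- Only direct grants are checked here; a role reached through another role
  -- would need a hierarchical query on DBA_ROLE_PRIVS instead.
  SELECT COUNT(*)
  INTO   v_hits
  FROM   dba_role_privs
  WHERE  grantee      = SYS_CONTEXT('USERENV', 'SESSION_USER')
  AND    granted_role = 'NIGHT_RESTRICTED';

  -- Same window as Listing 1: hours 8..21, i.e. 08:00:00 through 21:59:59.
  IF v_hits > 0
     AND TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) NOT BETWEEN 8 AND 21 THEN
    RAISE_APPLICATION_ERROR(-20998,
      'Logins for this role are allowed between 08:00 and 22:00 only');
  END IF;
END trg_limit_login_by_role;
/

-- Kernel resource limits such as CONNECT_TIME are enforced only while the
-- RESOURCE_LIMIT initialization parameter is TRUE (it defaults to FALSE in 11gR2).
ALTER SYSTEM SET resource_limit = TRUE;

-- Sessions of users with this profile are closed after 5 minutes of elapsed time.
CREATE PROFILE short_sessions LIMIT CONNECT_TIME 5;
ALTER USER amin PROFILE short_sessions;

-- Check what is actually in force for the profile.
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'SHORT_SESSIONS'
AND    resource_name = 'CONNECT_TIME';
```

Because a user has only one profile at a time, assigning SHORT_SESSIONS replaces whatever password and resource settings the user had from its previous profile.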


Location-based constraints are easier to implement than time-based ones. You can filter connections to the database based on their IP address, and both the closed and the open approach are supported. You achieve this simply by configuring the SQLNET.ORA file.

The SQLNET.ORA file is the profile configuration file. It resides on the client machines and the database server. Profiles are stored and implemented using this file. The database server can be configured with access control parameters in the SQLNET.ORA file [5]. These parameters specify whether clients are allowed or denied access based on the protocol.

To enable this facility, you should open the SQLNET.ORA file and add the following line to it:

tcp.validnode_checking = yes

This turns on hostname/IP checking for your database listeners. After this, you can supply a list of authorized or unauthorized nodes, and the list you supply implicitly determines whether the closed or the open approach is used. For example, the closed approach could be implemented like the following:

tcp.invited_nodes = (hostname1, hostname2)

It means that only connections from hostname1 and hostname2 are accepted and connections from other sources will be dropped.

Similarly, you can implement an open approach like the following:

tcp.excluded_nodes = (192.168.10.3)

This line means that connections from the 192.168.10.3 address will be dropped and all others can connect to the database.

There are also some considerations and best practices for using this facility, which can be found in [6].

1-5) Cascading and Non-Cascading Revocation

Oracle Database uses cascading revocation [7]. For example, suppose that USERA grants the role R to USERB, and USERB grants R to USERC. After that, if USERA revokes R from USERB, the revocation cascades and R is implicitly revoked from USERC. However, USERA cannot revoke R from USERC directly. Revocation cannot be done if R has also been granted to USERC by another user. You cannot choose between cascading and non-cascading revocation at will.

1-6) Negative Authorization

Oracle Database uses a negative security model for authorization. That is, if a user is not granted a role, it does not have the permissions assigned to that role, and every request of that user which needs one of those permissions will be dropped.

1-7) Conflict Resolution

You can assign a user to one or more roles. If you assign multiple roles with conflicting privileges, then the user is granted the more permissive privilege, which is the union of all the privileges granted to the multiple roles [8]. For example, if you assign to the same user a role that allows creating a snapshot and a role that restricts it, then the user is allowed to create snapshots.


1-8) Mandatory Access Control

Mandatory Access Control (MAC) is fully supported in Oracle, and Oracle Label Security is its implementation of MAC. This capability allows the database to inherently know what data is sensitive and allows the sensitive data to be combined in the same table as the larger data set without compromising security [9]. Figure (1) shows the main concept of Oracle Label Security.

Figure 1 – Oracle Label Security Access Control

Labels are assigned to data based on the sensitivity level of the information, and access to data labeled at a certain level (such as Sensitive) is restricted to those users who have been granted that level of access or higher. Oracle Label Security is an add-on security option from Oracle9i Enterprise Edition on [10]. The Oracle Policy Manager provides a graphical user interface for managing the labels. Oracle Label Security is built on the Virtual Private Database toolkit and mediates access to rows in database tables based on a label contained in the row, a label associated with each database session, and Oracle Label Security privileges assigned to the session. Instructions on enabling OLS and a starter guide can be found in [11].
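A small Oracle Label Security policy showing the row label and the session label described above, as an added example that is not part of the original document. The policy DOC_POLICY, the table APP.DOCUMENTS with a CATEGORY column, and the users CLERK and AUDITOR are assumed names; OLS is assumed to be enabled already and the PL/SQL block to be run as LBACSYS.

```sql
-- Added example; DOC_POLICY, APP.DOCUMENTS, CATEGORY, CLERK and AUDITOR are assumed names.
-- Run this block as LBACSYS after Oracle Label Security has been enabled.
BEGIN
  -- The policy stores each row's label in a column named DOC_LABEL.
  SA_SYSDBA.CREATE_POLICY('DOC_POLICY', 'DOC_LABEL', 'READ_CONTROL,WRITE_CONTROL');

  -- Two sensitivity levels; a higher number means more sensitive.
  SA_COMPONENTS.CREATE_LEVEL('DOC_POLICY', 10, 'P', 'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('DOC_POLICY', 20, 'S', 'SENSITIVE');

  -- Labels usable on rows and sessions: numeric tag, then label string.
  SA_LABEL_ADMIN.CREATE_LABEL('DOC_POLICY', 10, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('DOC_POLICY', 20, 'S');

  -- Attach the policy to the table; this adds the DOC_LABEL column to it.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('DOC_POLICY', 'APP', 'DOCUMENTS',
                                     'READ_CONTROL,WRITE_CONTROL');

  -- Session authorizations: the maximum label each user may read.
  SA_USER_ADMIN.SET_USER_LABELS('DOC_POLICY', 'CLERK',   'P');
  SA_USER_ADMIN.SET_USER_LABELS('DOC_POLICY', 'AUDITOR', 'S');

  -- The table owner labels the existing rows, so it must bypass the policy.
  SA_USER_ADMIN.SET_USER_PRIVS('DOC_POLICY', 'APP', 'FULL');
END;
/

-- As APP (new session): label the rows. Unlabeled rows are hidden from
-- ordinary users once READ_CONTROL is active.
UPDATE app.documents
SET    doc_label = CHAR_TO_LABEL('DOC_POLICY', 'S')
WHERE  category = 'SALARY';

UPDATE app.documents
SET    doc_label = CHAR_TO_LABEL('DOC_POLICY', 'P')
WHERE  doc_label IS NULL;
COMMIT;

-- The same query returns different rows per session:
-- CLERK sees only rows labeled P, AUDITOR sees rows labeled P and S.
SELECT category, LABEL_TO_CHAR(doc_label) AS row_label
FROM   app.documents;
```

CLERK and AUDITOR still need an ordinary SELECT grant on APP.DOCUMENTS; the label check is applied in addition to the discretionary privilege, not instead of it.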

1-9) Administering Access Control Policies

Oracle Authorization Policy Manager is a graphical interface tool for managing application authorization policies [12]. Security administrators can use Authorization Policy Manager, which greatly simplifies the creation, configuration, and administration of application policies by offering the following facilities:

User-friendly names and descriptions of security artifacts [13].

A way to organize application roles by business, product, or any other parameter specific to an application [13].

A uniform graphic interface to search, create, browse, and edit security artifacts [14, 15].

A way to specify a subset of applications that a role can manage [16].


3) Conclusion

In this document, we briefly introduced some access control facilities in Oracle Database 11gR2. Oracle Database 11gR2 supports almost all of these access control concepts; they can be achieved either directly with DBMS features or by a workaround. Roles and user profiles cover most of the mentioned access control concepts. The remaining needs can be met with Oracle Database Vault and Oracle Label Security, which deliver advanced access control and security features.

4) References

1. Administering User Privileges, Roles, and Profiles. 2015. Administering User Privileges, Roles, and Profiles. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1012785. [Accessed 19 June 2015].

2. Understanding Users and Roles. 2015. Understanding Users and Roles. [ONLINE] Available at: http://docs.oracle.com/cd/E23943_01/core.1111/e10043/introroles.htm#JISEC2263. [Accessed 20 June 2015].

3. Introducing Oracle Database Vault. 2015. Introducing Oracle Database Vault. [ONLINE] Available at: http://docs.oracle.com/cd/B28359_01/server.111/b31222/dvintro.htm#DVADM70086. [Accessed 20 June 2015].

4. CREATE PROFILE. 2015. CREATE PROFILE. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6010.htm. [Accessed 24 June 2015].

5. Parameters for the sqlnet.ora File. 2015. Parameters for the sqlnet.ora File. [ONLINE] Available at: https://docs.oracle.com/cd/E11882_01/network.112/e10835/sqlnet.htm#NETRF181. [Accessed 25 June 2015].

6. Blocking Oracle access by IP Addresses. 2015. Blocking Oracle access by IP Addresses. [ONLINE] Available at: http://www.dba-oracle.com/t_blocking_listener_ip_addresses.htm. [Accessed 25 June 2015].

7. REVOKE. 2015. REVOKE. [ONLINE] Available at: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_9020.htm#i2133838. [Accessed 27 June 2015].

8. Managing Security. 2015. Managing Security. [ONLINE] Available at: http://docs.oracle.com/cd/E11882_01/owb.112/e17130/security_mgmt.htm#WBINS16282. [Accessed 27 June 2015].

9. Oracle Label Security with Oracle Database 11g Release 2. 2009. Oracle Label Security with Oracle Database 11g Release 2. [ONLINE] Available at: http://www.oracle.com/technetwork/database/security/owp-security-label-security-11gr2-133601.pdf. [Accessed 29 June 2015].

10. Oracle Access Control. 2015. Oracle Access Control. [ONLINE] Available at: http://www.itillious.com/insight/articles/OracleAccessControl.html. [Accessed 29 June 2015].

11. Getting Started with Oracle Label Security. 2015. Getting Started with Oracle Label Security. [ONLINE] Available at: https://docs.oracle.com/cd/E11882_01/network.112/e10745/getstrtd.htm#OLSAG3096. [Accessed 29 June 2015].

12. Introduction to Oracle Authorization Policy Manager. 2015. Introduction to Oracle Authorization Policy Manager. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/apmintro.htm#APMAG4493. [Accessed 29 June 2015].

13. The OPSS Authorization Model. 2015. The OPSS Authorization Model. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/basics.htm#BEIJGIBJ. [Accessed 29 June 2015].

14. Querying Security Artifacts. 2015. Querying Security Artifacts. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/searching.htm#CEGBJJIF. [Accessed 29 June 2015].

15. Managing Security Artifacts. 2015. Managing Security Artifacts. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/managing.htm#BABFCAEJ. [Accessed 29 June 2015].

16. Delegated Administration. 2015. Delegated Administration. [ONLINE] Available at: http://docs.oracle.com/cd/E21764_01/doc.1111/e14431/delegatedadmin.htm#BAJEBHJG. [Accessed 29 June 2015].