Create Custom Security Policies

Create Custom Security Policies

1. Under Data Safe - Database Security, select Security policies.
2. Click Create security policy.
3. Enter a name and description for the security policy.
4. Select which compartment the security policy will be available and stored in.
5. Click Create.

An empty security policy will be created. You must then add unified audit policies to this security policy and set the configuration .

Add Unified Audit Policies to Custom Security Policies

Add unified audit policies to security policies to collect audit data on target databases.

1. Under Data Safe - Database Security, select Security policies.
2. Select the Custom security policies tab.
3. Select the security policy you want to add unified audit policies to.
4. Select the Unified audit policies tab.
5. Select Add unified audit policy.
6. Enter the audit policy name, description, and select the compartment the unified audit policy will be stored in.
7. Select a unified audit policy definition.
8. Configure the audit conditions for All users, Only a specific set of users and/or roles, or All users except a specific set of users.
9. If applicable based on the previous step, select the users/roles to be included or excluded and the conditions for their auditing.

   Tip:

   Ensure that any attribute sets are populated in order for the audit policy to work as expected.

   You may select multiple users or roles at once. However, they must come from the same database to be selected at the same time. You may also add additional users or roles by selecting from the lists and selecting Add for each entry. You must select the type, target database (if applicable), and operation status for each.

   When adding users, you use the target database drop-down to filter the list of available users. However, any selected user names are independent of the database. For example, if user JOE appears in database1 and database2, assuming the policy is deployed to both these databases, JOE's activity will be audited in both databases regardless of which database was selected when adding JOE to the list of users to include.

   Note:

   Only one attribute set may be used in a unified audit policy and attributes sets can only be used to define included users/roles.
10. If applicable, determine when to audit based on operation success or failure.
11. Select Add.
12. Deploy Security Policies

Import Audit Policies Into a Security Policy

You can import existing audit policies on a target database to a security policy which can then be deployed to several target databases.

1. Under Data Safe - Database Security, select Security policies.
2. Under Security Policies, select Unified audit policies.
3. Select the Target Summary tab.
4. In the Actions column (...) for the row of the target database you want to import audit policies from, select View policies.
5. Select the unified audit policy(ies) that you want to import into a security policy.
6. Select Import audit policies into Data Safe.
7. Select which existing security policy you want to add the audit policy(ies) to or create a new security policy for the selected audit policy(ies).
8. Select Import.

   Do not navigate out of import panel until the security policy status changes to Active.

The security policy can then be deployed to any number of target databases and will retain the same audit policy configuration.

Edit the Configuration of a Custom Security Policy

Edit if the activity of the Data Safe user is excluded or included in unified audit policies.

1. Under Data Safe - Database Security, select Security policies.
2. Select a custom security policy from the Custom security policies tab.
3. Under Actions, select Edit config.
4. Set the unified audit policy configurations as desired.

   Note:

   Excluding the Oracle Data Safe user for audit policies will fail for the following instances:

   • RDBMS mandatory auditing
   • Compliance policies, such as STIG and CIS
   • Any custom audit policies that are provisioned exclusively on the Oracle Data Safe user
   • Any audit policies that audit a role that is already assigned to the Oracle Data Safe user
   • Audit records generated by a traditional audit trail
5. Select Save.