Manage Security Policies

After you create a security policy, there are a number of actions that can be taken to manage it.

Edit the Configuration of a Custom Security Policy

Edit whether the activity of the Oracle Data Safe user is excluded from or included in unified audit policies.

  1. Under Data Safe - Database Security, select Security policies.
  2. Select a custom security policy from the Custom security policies tab.
  3. Under Actions, select Edit config.
  4. Set the unified audit policy configurations as desired.

    Note:

    Excluding the Oracle Data Safe user for audit policies will fail in the following instances:
    • RDBMS mandatory auditing
    • Compliance policies, such as STIG and CIS
    • Any custom audit policies that are provisioned exclusively on the Oracle Data Safe user
    • Any audit policies that audit a role that is already assigned to the Oracle Data Safe user
    • Audit records generated by a traditional audit trail
  5. Select Save.

Add Unified Audit Policies to Custom Security Policies

Add unified audit policies to security policies to collect audit data on target databases.

  1. Under Data Safe - Database Security, select Security policies.
  2. Select the Custom security policies tab.
  3. Select the security policy you want to add unified audit policies to.
  4. Select the Unified audit policies tab.
  5. Select Add unified audit policy.
  6. Enter the audit policy name, description, and select the compartment the unified audit policy will be stored in.
  7. Select a unified audit policy definition.
  8. Configure the audit conditions for All users, Only a specific set of users and/or roles, or All users except a specific set of users.
  9. If applicable based on the previous step, select the users/roles to be included or excluded and the conditions for their auditing.

    Tip:

    Ensure that any attribute sets are populated in order for the audit policy to work as expected.

    You may select multiple users or roles at once. However, they must come from the same database to be selected at the same time. You may also add additional users or roles by selecting from the lists and selecting Add for each entry. You must select the type, target database (if applicable), and operation status for each.

    When adding users, you use the target database drop-down to filter the list of available users. However, any selected user names are independent of the database. For example, if user JOE appears in database1 and database2, assuming the policy is deployed to both these databases, JOE's activity will be audited in both databases regardless of which database was selected when adding JOE to the list of users to include.

    Note:

    Only one attribute set may be used in a unified audit policy, and attribute sets can only be used to define included users/roles.
  10. If applicable, determine when to audit based on operation success or failure.
  11. Select Add.
  12. Deploy Security Policies

Enable or Disable Unified Audit Policies in a Custom Security Policy

Individual audit policies can be enabled or disabled once they are added to a security policy.

  1. Under Data Safe - Database Security, select Security policies.
  2. Select a custom security policy in the Custom security policies tab.
  3. Select the Unified audit policies tab.
  4. Select a unified audit policy.
  5. Select Enable policy or Disable policy.

View Unified Audit Policies on a Target Database

See what unified audit policies are deployed on a target database and the source of those policies.

  1. Under Data Safe - Database Security, select Security policies.
  2. Under Security Policies, select Unified audit policies.
  3. Select the Target summary tab.
  4. In the Actions column (...) for the row of the target database you want to view audit policies for, select View policies.

    For each applied unified audit policy, you will see the name, the audit conditions, and the security policy that the unified audit policy is a part of. If the security policy column is -, this means that the unified audit policy is applied directly on the target database, i.e., the audit policy can't be managed within Oracle Data Safe.
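
The same information can be read on the target database itself from the AUDIT_UNIFIED_ENABLED_POLICIES data dictionary view. The queries below are an added example, not part of the Oracle documentation: the first lists each enabled policy with its audit conditions, and the other two look for two of the cases listed earlier in which excluding the Oracle Data Safe user fails. The bind variable :ds_user is a placeholder for the Data Safe service account name on the target, and the column names assume Oracle Database 12.2 or later.

```sql
-- Added example. :ds_user is a placeholder bind variable for the name of the
-- Oracle Data Safe service account on this target (not given on this page).
-- Column names are those of Oracle Database 12.2 and later.

-- 1. Every enabled unified audit policy with its audit conditions:
--    who it applies to (BY USER / EXCEPT USER / BY GRANTED ROLE) and
--    whether successful and/or failed operations are audited.
SELECT policy_name,
       enabled_option,
       entity_name,
       entity_type,
       success,
       failure
FROM   audit_unified_enabled_policies
ORDER  BY policy_name, entity_name;

-- 2. Policies that audit a role directly granted to the Data Safe user.
--    Excluding the Data Safe user fails for these policies.
SELECT p.policy_name,
       p.entity_name AS audited_role
FROM   audit_unified_enabled_policies p
JOIN   dba_role_privs r
       ON r.granted_role = p.entity_name
WHERE  p.enabled_option = 'BY GRANTED ROLE'
AND    r.grantee = UPPER(:ds_user)
ORDER  BY p.policy_name;

-- 3. Policies enabled exclusively for the Data Safe user: every enablement
--    row of the policy is BY USER for that one account.
--    Excluding the Data Safe user fails for these policies as well.
SELECT policy_name
FROM   audit_unified_enabled_policies
GROUP  BY policy_name
HAVING COUNT(*) = SUM(CASE
                        WHEN enabled_option = 'BY USER'
                         AND entity_name = UPPER(:ds_user)
                        THEN 1
                        ELSE 0
                      END)
ORDER  BY policy_name;
```

Run the queries as a user that can read the audit dictionary views and DBA_ROLE_PRIVS. Any rows returned by the second or third query should be reviewed before setting the Data Safe user to excluded in Edit config.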

Update Users and Roles for Audit Policies

Change which users a policy is enabled for and which operations are audited.

  1. Under Data Safe - Database Security, select Security policies.
  2. Under Security policies, select Unified audit policies.
  3. Select a unified audit policy from the list.
  4. Select the Audit conditions tab.
  5. Select Edit conditions.
  6. Configure the audit conditions for All users, Only a specific set of users and/or roles, or All users except a specific set of users.
  7. If applicable based on the previous step, select the users/roles to be included or excluded and the conditions for their auditing.

    Tip:

    Ensure that any attribute sets are populated in order for the audit policy to work as expected.

    You may select multiple users or roles at once. However, they must come from the same database to be selected at the same time. You may also add additional users or roles by selecting from the lists and selecting Add for each entry. You must select the type, target database (if applicable), and operation status for each.

    When adding users, you use the target database drop-down to filter the list of available users. However, any selected user names are independent of the database. For example, if user JOE appears in database1 and database2, assuming the policy is deployed to both these databases, JOE's activity will be audited in both databases regardless of which database was selected when adding JOE to the list of users to include.

    Note:

    Only one attribute set may be used in a unified audit policy, and attribute sets can only be used to define included users/roles.
  8. If applicable, determine when to audit based on operation success or failure.
  9. Select Save.

Import Audit Policies Into a Security Policy

You can import existing audit policies from a target database into a security policy, which can then be deployed to several target databases.

  1. Under Data Safe - Database Security, select Security policies.
  2. Under Security Policies, select Unified audit policies.
  3. Select the Target Summary tab.
  4. In the Actions column (...) for the row of the target database you want to import audit policies from, select View policies.
  5. Select the unified audit policy(ies) that you want to import into a security policy.
  6. Select Import audit policies into Data Safe.
  7. Select which existing security policy you want to add the audit policy(ies) to or create a new security policy for the selected audit policy(ies).
  8. Select Import.

    Do not navigate out of the import panel until the security policy status changes to Active.

The security policy can then be deployed to any number of target databases and will retain the same audit policy configuration.

View Security Policy Deployments

See what targets and target groups a security policy is deployed on.

To view which security policies are deployed on a particular target:

  1. Under Data Safe - Database Security, select Security policies.
  2. Under Security Policies, select Security Policy Deployments.
  3. Select the Target summary tab or the Target group summary tab.

    You will see an entry for each security policy that is deployed on a target.

  4. Select a target database (group) name to view the deployment for the specific security policy.

To view which targets a security policy is deployed on:

  1. Under Data Safe - Database Security, select Security policies.
  2. Select any policy on the Oracle predefined security policies tab or in the Custom security policies tab.
  3. View the list of target database groups or target databases that this policy is deployed on in the Target group summary and Target summary tabs.

View Details of Failed Security Policy Deployments

Viewing the deployment details of failed security policy deployments can help resolve deployment conflicts.

  1. Under Data Safe - Database Security, select Security policies.
  2. Under Security Policies, select Security Policy Deployments.
  3. Select the target name in the Needs Attention state in the Target summary tab or target group in the Target group summary tab.

    Ensure that you select the target from the row of the security policy that is not deployed properly.

  4. Use the Security policy deployment issues tab and specifically the Deployment details column to resolve the deployment issue.
  5. Select Refresh to refresh the deployment once you've resolved the issue.

Redeploy a Security Policy

After changes to a security policy, such as configuration changes or modifications to its unified audit policies, the security policy needs to be redeployed for these changes to take effect on targets.

  1. Under Data Safe - Database Security, select Security policies.
  2. Under Security Policies, select Security Policy Deployments.
  3. In the Target group summary or Target summary tabs, select a target database group or target database that is in the Pending Deployment state.
  4. View the security policy deployment and select the associated security policy.
  5. In the security policy, select Deploy.

    This will redeploy all security policies that were already deployed to the selected target database group or target database.

Undeploy a Security Policy

  1. Under Data Safe - Database Security, select Security policies.
  2. Under Security Policies, select Security Policy Deployments.
  3. In the Target group summary or Target summary tabs, select a target database group or target database of the security policy you want to undeploy.
  4. Confirm you have selected the deployment of the correct security policy and target database group or target database by viewing the Details tab.
  5. Under Actions, select Delete.
  6. Select Delete.

    This will undeploy the associated security policy on the selected target database group or target database. The security policy will still be available; this action only removes the deployment on the selected target database group or target database.