Security Policies Overview

Learn why you should use security policies and what permissions you need to use them.

About Security Policies

The Security Policies feature lets you create security policies, which you use to create, deploy, and manage audit policies across target database groups and individual target databases. Security policies also let you manage your SQL Firewall configuration across target database groups and target databases.

Each security policy should have at least one unified audit policy assigned to it. A security policy can then be deployed to target database groups and individual target databases. After deploying a security policy to a target database group or target database, the associated unified audit policies will be applied to the database(s). After a security policy has been deployed to a target database group, whenever a target is added to or removed from the group, the unified audit policies associated with the security policy will automatically be added to or removed from the target. After an audit trail collection is started, the audit data can be viewed in Activity Auditing.

A number of Oracle predefined security policies are available for use, or you can create custom security policies. A custom security policy can be built from the available Oracle predefined audit policies, from audit policies that you import from an existing target database, or from custom audit policies that you create with the available unified audit policy definitions.

Terms in Security Policies

Learn the terms used in Security Policies.

  • Security policy: A Data Safe resource that stores unified audit policy and SQL Firewall configurations. Security policies allow you to easily apply unified audit policies and SQL Firewall to multiple target database groups and/or target databases at once.
  • Unified audit policy: Consists of a unified audit policy definition and the audit conditions associated with that definition. Audit conditions determine which users the audit policy applies to and which operations (for example, successful, failed, or all) are audited.
  • Unified audit policy definition: Defines what actions in the database will be audited.
    For example, the COMMON_USER_LOGON audit policy definition applies the following statement to your targets. The audit conditions you specify in the unified audit policy determine which users and operations it applies to.
    CREATE AUDIT POLICY common_user_logons ACTIONS LOGON CONTAINER=ALL
  • SQL Firewall configuration: Defines whether SQL Firewall is enabled on your target database(s), whether violation logs are automatically purged by Data Safe every seven days, and whether database jobs are included in SQL Firewall enforcement.

    SQL Firewall is only available for Oracle Database 23ai.

    Note:

    When an Oracle Database 23ai target is registered, an empty security policy is automatically created. This security policy is the only security policy that can affect the SQL Firewall configuration of that target, i.e. creating a new security policy has no effect on the SQL Firewall configuration. Because of this limitation, SQL Firewall configurations can't be managed for target database groups.
  • Security policy deployment: Defines what target database groups and/or target databases a security policy is deployed to. When a security policy is deployed to a database, the audit policies and SQL Firewall configurations that are defined by the security policy become applicable to that database.
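
As an added example that is not part of this documentation, the COMMON_USER_LOGON definition shown above is applied here directly in SQL, together with an audit condition and the views a DBA can query to confirm the definition, its enablement, and what it captured; the user name C##SVC_BATCH is a constructed placeholder.

```sql
-- Added example (not from the Data Safe documentation). Run as a common user
-- connected to CDB$ROOT: CONTAINER = ALL creates a common audit policy.
-- C##SVC_BATCH is a constructed placeholder account.

-- 1. Policy definition: WHAT is audited (logon actions, in every container).
CREATE AUDIT POLICY common_user_logons
  ACTIONS LOGON
  CONTAINER = ALL;

-- 2. Audit condition: WHO the policy applies to and WHEN it records.
--    Here: every user except the batch service account, failed logons only.
AUDIT POLICY common_user_logons
  EXCEPT c##svc_batch
  WHENEVER NOT SUCCESSFUL;

-- 3. Verify the definition and its enablement before starting collection.
SELECT policy_name, audit_option, audit_option_type, common
  FROM audit_unified_policies
 WHERE policy_name = 'COMMON_USER_LOGONS';

SELECT policy_name, enabled_option, entity_name, entity_type, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'COMMON_USER_LOGONS';

-- 4. Inspect what the policy captured: the same records that an audit trail
--    collection pulls into Activity Auditing.
SELECT event_timestamp, dbusername, userhost, client_program_name, return_code
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%COMMON_USER_LOGONS%'
 ORDER BY event_timestamp DESC
 FETCH FIRST 20 ROWS ONLY;

-- 5. Disable the policy before re-enabling it with different conditions
--    (a policy cannot be switched between BY and EXCEPT while enabled).
NOAUDIT POLICY common_user_logons EXCEPT c##svc_batch;
```

When a security policy is deployed from Data Safe, steps 1, 2 and 5 are performed for you on each target; the queries in steps 3 and 4 remain useful for checking the result on the database itself.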

Prerequisites for Security Policies

These are the prerequisites for using Security Policies:

  • Register the target databases that you want to use with Security Policies.
  • Grant the Audit Collection and Audit Setting roles on the target database. A Database Administrator can grant these roles to the Oracle Data Safe Service Account on the target database.

    Tip:

    Non-Autonomous Databases will need to re-run the privilege script even if the Data Safe service account already has the AUDIT_COLLECTION and AUDIT_SETTING roles.
  • Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) to use the Security Policies feature in Oracle Data Safe. An OCI administrator can grant use or manage permission as needed on the following resources:
    • data-safe-unified-audit-policies
    • data-safe-unified-audit-policy-definition
    • data-safe-security-policies
    • data-safe-security-policy-config
    • data-safe-security-policy-deployments
    • data-safe-attribute-sets

As an alternative to selectively granting permissions, you can grant permissions on data-safe-audit-family or data-safe-unified-audit-policy-family in the relevant compartments, which would include permissions on all of the resources above. See data-safe-audit-family Resource or data-safe-unified-audit-policy-family in the Administering Oracle Data Safe guide for more information.

Security Policy Workflow

The general steps for creating and deploying security policies for target databases are as follows:

Predefined Security Policies

If you are using predefined security policies, follow these steps.

  1. Register target databases and create target database groups as needed.

    Target Database Registration

    Create Target Database Group

  2. Deploy the security policy to the desired target database group(s) and target database(s).

    Deploy Security Policies

Custom Security Policies

If you plan to create custom security policies, follow these steps.

  1. Register target databases and create target database groups as needed.

    Target Database Registration

    Create Target Database Group

  2. Create a security policy.

    Create Custom Security Policies

  3. Set the security policy's configuration.

    Edit the Configuration of a Custom Security Policy

  4. Add or import unified audit policies to the security policy.

    Add Unified Audit Policies to Custom Security Policies

    Import Audit Policies Into a Security Policy

  5. Deploy the security policy to the desired target database group(s) and target database(s).

    Deploy Security Policies