Manage Security Policies

After you create a security policy, there are a number of actions that can be taken to manage it.

Edit the Configuration of a Custom Security Policy

Choose whether the activity of the Data Safe service user is excluded from or included in the unified audit policies that the security policy deploys. You can also edit the SQL Firewall configuration.

  1. Under Security center, click Security policies.
  2. Click on a custom security policy from the Custom security policies tab.
  3. Click Edit config.
  4. Set the unified audit policy and SQL Firewall configurations as desired.

    Note:

Excluding the Data Safe user from audit policies does not take effect in the following cases:
    • RDBMS mandatory auditing
    • Compliance policies, such as STIG and CIS
    • Any custom audit policies that are provisioned exclusively on the Data Safe user
    • Any audit policies that audit a role that is already assigned to the Data Safe user
    • Audit records generated by a traditional audit trail

    For the SQL Firewall configuration to affect a target database, you must edit the configuration of the security policy that is automatically created when an Oracle Database 23ai target is registered.

  5. Click Save.
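The note above lists the cases in which excluding the Data Safe user from auditing has no effect. The SQL below is an added example, not part of the Data Safe documentation; it runs on the target database and lists the enabled unified audit policies that would still record the Data Safe user's activity after the exclusion: policies enabled for a role the Data Safe user holds (directly or through nested grants), policies enabled specifically on that user, and the Oracle-supplied compliance policies. The service account name DATASAFE_ADMIN is an assumption; substitute the account you created when registering the target. Mandatory auditing does not appear in these views at all, so the last query only confirms whether the database runs in pure unified auditing mode (no traditional audit trail to worry about).

```sql
-- Added example, not part of Data Safe. Run as a user who can read the DBA_ and AUDIT_ views.
-- Assumption: the Data Safe service account on this target is DATASAFE_ADMIN (hypothetical name).

-- Roles held by the Data Safe user, walking nested role grants.
WITH ds_roles (granted_role) AS (
  SELECT granted_role
  FROM   dba_role_privs
  WHERE  grantee = 'DATASAFE_ADMIN'
  UNION ALL
  SELECT r.granted_role
  FROM   dba_role_privs r
  JOIN   ds_roles d ON r.grantee = d.granted_role
)
SELECT p.policy_name,
       p.enabled_option,
       p.entity_name,
       p.entity_type,
       p.success,
       p.failure,
       CASE
         WHEN p.entity_type = 'ROLE'
           THEN 'enabled for a role the Data Safe user holds'
         WHEN p.entity_name = 'DATASAFE_ADMIN'
           THEN 'enabled directly on the Data Safe user'
         WHEN p.policy_name LIKE 'ORA%RECOMMENDATIONS'
           THEN 'Oracle-supplied compliance policy (STIG/CIS)'
       END AS why_exclusion_does_not_apply
FROM   audit_unified_enabled_policies p
WHERE  (p.entity_type = 'ROLE'
        AND p.entity_name IN (SELECT granted_role FROM ds_roles))
   OR  (p.enabled_option = 'BY USER' AND p.entity_name = 'DATASAFE_ADMIN')
   OR  (p.policy_name LIKE 'ORA%RECOMMENDATIONS')
ORDER  BY p.policy_name, p.entity_name;

-- TRUE means pure unified auditing: no traditional audit trail can bypass the exclusion.
-- FALSE means mixed mode, so traditional AUDIT settings (DBA_STMT_AUDIT_OPTS and friends)
-- still generate records regardless of the unified policy configuration.
SELECT value AS pure_unified_auditing
FROM   v$option
WHERE  parameter = 'Unified Auditing';
```

Any row returned by the first query is a policy Data Safe cannot silence for its own account; the fix is on the database side (re-enable the policy for a narrower set of users or roles, or accept the audit volume), not in the security policy configuration.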

Add Unified Audit Policies to Custom Security Policies

Add unified audit policies to security policies to collect audit data on target databases.

  1. Under Security center, click Security policies.
  2. Click the Custom security policies tab.
  3. Click the security policy you want to add unified audit policies to.
  4. Under Resources, click Unified audit policies.
  5. Click Add unified audit policies.
  6. Enter the audit policy name, description, and select the compartment the unified audit policy will be stored in.
  7. Select a unified audit policy definition.
  8. Configure the audit conditions for All users, Only a specific set of users and/or roles, or All users except a specific set of users.
  9. If applicable based on the previous step, select the users/roles to be included or excluded and the conditions for their auditing.

    Tip:

    Ensure that any attribute sets are populated in order for the audit policy to work as expected.

You may select multiple users or roles at once, but they must come from the same target database to be selected together. You can add further users or roles by selecting from the lists and clicking Add for each entry. For each entry you must select the type, the target database (if applicable), and the operation status (success, failure, or both).

When adding users, use the target database drop-down to filter the list of available users. The selected user names are not tied to that database: if user JOE exists in database1 and database2 and the policy is deployed to both, JOE's activity is audited in both databases regardless of which database was selected when JOE was added to the list of included users.

    Note:

Only one attribute set may be used in a unified audit policy, and attribute sets can only be used to define included users/roles.
  10. If applicable, determine when to audit based on operation success or failure.
  11. Click Add.

Enable or Disable Unified Audit Policies in a Custom Security Policy

Individual audit policies can be enabled or disabled once they are added to a security policy.

  1. Under Security center, click Security policies.
  2. Click on a custom security policy in the Custom security policies tab.
  3. Under Resources, click Unified audit policies.
  4. Click on a unified audit policy.
  5. Click Update status.
  6. Select if you want to Enable or Disable.
  7. Click Update status.

View Unified Audit Policies on a Target Database

See what unified audit policies are deployed on a target database and the source of those policies.

  1. Under Security center, click Security policies.
  2. Under Related resources, click Unified audit policies.
  3. Click on any target in the Target summary tab.

    For each applied unified audit policy, you will see the name, the audit conditions, and the security policy that the unified audit policy is a part of. If the security policy column is -, this means that the unified audit policy is applied directly on the target database, i.e., the audit policy can't be managed within Data Safe.
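The audit conditions configured in Add Unified Audit Policies to Custom Security Policies (all users, a specific set of users and/or roles, all users except some users, and the success/failure choice per entry) are expressed on the database as AUDIT POLICY enablements, and the view this section describes is read back from the database's own catalog. The SQL below is an added example, not part of the Data Safe documentation: it creates two policies directly on a target, enables them with each of the three condition forms, and then queries the views that hold what Data Safe displays. The schema HR with table EMPLOYEES, the user JOE, the role APP_ADMIN, and the policy names HR_SALARY_ACCESS and LOGIN_WATCH are all assumptions.

```sql
-- Added example, not part of Data Safe. Assumptions: HR.EMPLOYEES, user JOE and role APP_ADMIN
-- exist on the target; the policy names are hypothetical. Run as a user with AUDIT_ADMIN.

-- Policy definition: what to audit (the "unified audit policy definition" in the console).
CREATE AUDIT POLICY hr_salary_access
  ACTIONS SELECT ON hr.employees, UPDATE ON hr.employees;

-- "Only a specific set of users and/or roles", with the success/failure choice per entry.
-- The enablement names the user, not a database, which is why JOE is audited on every
-- target the policy is deployed to.
AUDIT POLICY hr_salary_access BY joe WHENEVER SUCCESSFUL;
-- Everyone holding APP_ADMIN, both outcomes (no WHENEVER clause).
AUDIT POLICY hr_salary_access BY USERS WITH GRANTED ROLES app_admin;

-- "All users except a specific set of users". One AUDIT POLICY statement uses exactly one of
-- BY <users>, EXCEPT <users> or BY USERS WITH GRANTED ROLES, so this form is shown on a
-- second policy: failed logons by everyone except JOE.
CREATE AUDIT POLICY login_watch ACTIONS LOGON, LOGOFF;
AUDIT POLICY login_watch EXCEPT joe WHENEVER NOT SUCCESSFUL;

-- What Data Safe reads back from the target. ENABLED_OPTION shows BY USER, EXCEPT USER or
-- BY GRANTED ROLE; ENTITY_NAME/ENTITY_TYPE identify the user or role; SUCCESS and FAILURE
-- reflect the WHENEVER choice.
SELECT policy_name, enabled_option, entity_name, entity_type, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name IN ('HR_SALARY_ACCESS', 'LOGIN_WATCH')
ORDER  BY policy_name, entity_name;

-- Policy contents, i.e. the audit conditions listed beside each policy.
SELECT policy_name, audit_option, object_schema, object_name, audit_condition
FROM   audit_unified_policies
WHERE  policy_name IN ('HR_SALARY_ACCESS', 'LOGIN_WATCH')
ORDER  BY policy_name, audit_option;
```

Because these two policies were enabled directly on the target rather than through a security policy, Data Safe lists them with - in the Security policy column. To bring them under Data Safe management, import them as described in Import Audit Policies Into a Security Policy; after the import, the enablements are maintained by the security policy deployment, and later edits made directly with AUDIT POLICY on the target will be overwritten when the deployment is refreshed.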

Update Users and Roles for Audit Policies

Change which users and roles a unified audit policy is enabled for and which operations (successful, failed, or both) are audited.

  1. Under Security center, click Security policies.
  2. Select a custom security policy from the Custom security policies tab.
  3. Under Resources, click Unified audit policies.
  4. Click on a unified audit policy from the list.
  5. Click Edit conditions.
  6. Configure the audit conditions for All users, Only a specific set of users and/or roles, or All users except a specific set of users.
  7. If applicable based on the previous step, select the users/roles to be included or excluded and the conditions for their auditing.

    Tip:

    Ensure that any attribute sets are populated in order for the audit policy to work as expected.

You may select multiple users or roles at once, but they must come from the same target database to be selected together. You can add further users or roles by selecting from the lists and clicking Add for each entry. For each entry you must select the type, the target database (if applicable), and the operation status (success, failure, or both).

When adding users, use the target database drop-down to filter the list of available users. The selected user names are not tied to that database: if user JOE exists in database1 and database2 and the policy is deployed to both, JOE's activity is audited in both databases regardless of which database was selected when JOE was added to the list of included users.

    Note:

Only one attribute set may be used in a unified audit policy, and attribute sets can only be used to define included users/roles.
  8. If applicable, determine when to audit based on operation success or failure.
  9. Click Save.

Import Audit Policies Into a Security Policy

You can import existing audit policies on a target database to a security policy which can then be deployed to several target databases.

  1. Under Security center, click Security policies.
  2. Under Related resources, click Unified audit policies.
  3. Click the Target summary tab.
  4. Click on the target you want to use the audit policies from.
  5. Select the unified audit policy(ies) that you want to import into a security policy.
  6. Click Import audit policies into Data Safe.
  7. Select which existing security policy you want to add the audit policy(ies) to or create a new security policy for the selected audit policy(ies).
  8. Click Import.

    Do not click out of the import panel until the action is complete.

The security policy can then be deployed to any number of target databases and will retain the same audit policy configuration.

View Security Policy Deployments

See what targets and target groups a security policy is deployed on.

See which policies are deployed on a particular target

  1. Under Security center, click Security policies.
  2. Under Related resources, click Security policy deployments.
  3. Click on any target in the Target summary tab or target group in the Target group summary tab.

    You will see an entry for each security policy that is deployed on your target.

  4. See the list of security policies deployed on the target database group or target database under the Security policy section of the Security policy deployment information.

See which targets a policy is deployed on

  1. Under Security center, click Security policies.
  2. Click on any policy in the Oracle predefined security policies tab or in the Custom security policies tab.
  3. See the list of target database groups or target databases that this policy is deployed on in the Target group summary and Target summary tabs.

View Details of Failed Security Policy Deployments

Viewing the deployment details of failed security policy deployments can help resolve deployment conflicts.

  1. Under Security center, click Security policies.
  2. Under Related resources, click Security policy deployments.
  3. Click the target name in the Needs Attention state in the Target summary tab or target group in the Target group summary tab.

    Ensure that you select the target from the row of the security policy that is not deployed properly.

  4. Use the Security policy deployment issues table and specifically the Deployment details column to resolve the deployment issue.
  5. Click Refresh to refresh the deployment once you've resolved the issue.

Redeploy a Security Policy

After changes to a security policy, such as configuration changes or modified unified audit policies, the security policy must be redeployed for the changes to take effect on its targets.

  1. Under Security center, click Security policies.
  2. Under Related resources, click Security policy deployments.
  3. Click on a target database group or target database that is in the Pending Deployment state.
  4. Click Refresh.

    This will redeploy all security policies that were already deployed to the selected target database group or target database.

Undeploy a Security Policy

  1. Under Security center, click Security policies.
  2. Under Related resources, click Security policy deployments.
  3. Click on the target database group or target database name of the security policy you want to undeploy.
  4. Confirm you have selected the deployment of the correct security policy and target database group or target database by viewing the details in the Security policy deployment information tab.
  5. Click Delete.
  6. Click Delete.

    This undeploys the associated security policy from the selected target database group or target database. The security policy itself remains available; this action only removes the deployment on the selected target database group or target database.