You can create command rules or use the default command rules to protect DDL and DML statements.
Topics:
See Also:
A command rule applies Oracle Database Vault protections with an Oracle Database SQL statement, such as ALTER SESSION
.
Topics:
A command rule protects Oracle Database SQL statements that affect one or more database objects.
These statements can include SELECT
, ALTER SYSTEM
, database definition language (DDL), and data manipulation language (DML) statements.
To customize and enforce the command rule, you associate it with a rule set, which is a collection of one or more rules. The command rule is enforced at run time. Command rules affect anyone who tries to use the SQL statements it protects, regardless of the realm in which the object exists. If you want to protect realm-specific objects, see About Realm Authorization.
A command rule has the following attributes, in addition to associating a command rule to a command:
SQL statement the command rule protects
Owner of the object the command rule affects
Database object the command rule affects
Whether the command rule is enabled
An associated rule set
For more information about SQL statements and operations, refer to Oracle Database SQL Language Reference. See also SQL Statements That Can Be Protected by Command Rules.
Command rules can be categorized as follows:
Command rules that have a system-wide scope. With this type, you can only create one command rule for each database instance. Examples are command rules for the ALTER SYSTEM
and CONNECT
statements.
Command rules that are schema specific. An example is creating a command rule for the DROP TABLE
statement.
Command rules that are object specific. An example is creating a command rule for the DROP TABLE
statement with a specific table included in the command rule definition.
When a user executes a statement affected by a command rule, Oracle Database Vault checks the realm authorization first. If it finds no realm violation and if the associated command rules are enabled, then Database Vault evaluates the associated rule sets. If all the rule sets evaluate to TRUE
, then the statement is authorized for further processing. If any of the rule sets evaluate to FALSE
, then the statement is not allowed to be executed and a command rule violation is raised. Configuring Rule Sets describes rule sets in detail.
You can define a command rule that uses factors for the CONNECT
event to permit or deny sessions after the usual steps–user factor initialization, and authentication process, Oracle Label Security integration–are complete.
For example, you can configure a command rule that allows DDL statements such as CREATE TABLE
, DROP TABLE
, and ALTER TABLE
in the BIZAPP
schema to be authorized after business hours, but not during business hours.
You can run reports on the command rules that you create in Oracle Database Vault.
See Also:
Command Rule Related Reports and Data Dictionary View for information about reports that you can run to find more information about command rules
Oracle Database Vault Command Rule APIs for information about using the DBMS_MACADM
PL/SQL package to configure command rules
In a multitenant environment, you can create command rules for the CREATE PLUGGABLE DATABASE
, ALTER PLUGGABLE DATABASE
, and DROP PLUGGABLE DATABASE
statements.
To apply these command rules to the entire multitenant environment, you must create them in the root as a common user who has the DVADM
or DVOWNER
role. You can check a user’s roles by querying the USER_ROLE_PRIVS
data dictionary view.
Oracle Database Vault provides default command rules, based on commonly used SQL statements.
Table 7-1 lists the default Database Vault command rules.
Table 7-1 Default Command Rules
SQL Statement | Object Name | Rule Set Name |
---|---|---|
|
- |
Can Maintain Accounts/Profiles |
|
- |
Can Maintain Own Account |
|
- |
Can Maintain Accounts/Profiles |
|
- |
Can Maintain Accounts/Profiles |
|
- |
Can Maintain Accounts/Profiles |
|
- |
Can Maintain Accounts/Profiles |
|
- |
Allow Fine Grained Control of System Parameters |
|
- |
Can Maintain Own AccountFoot 1 |
Footnote 1
The actual SQL statement that the Can Maintain Own Account rule refers to is PASSWORD
.
The following set of command rules helps you to achieve separation of duty for user management:
ALTER PROFILE
ALTER USER
CREATE PROFILE
CREATE USER
DROP PROFILE
DROP USER
To grant a user the ability to use these commands, you can grant the user the role that the rule set checks. For example, the CREATE USER
command rule ensures that a user who tries to run a CREATE USER
statement has the DV_ACCTMGR
role.
You can protect a large number of SQL statements by using command rules.
The SQL statements that you can protect are as follows:
SQL Statements A-C | SQL Statements C-D | SQL Statements D-U |
---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
See Also:
Command Rules in a Multitenant Environment for information about using the CREATE PLUGGABLE DATABASE
, ALTER PLUGGABLE DATABASE
, and DROP PLUGGABLE DATABASE
in a multitenant container database (CDB)
You can create or edit a command rule in Oracle Database Vault Administrator.
Before you delete a command rule, you can locate the various references to it by querying the command rule-related Oracle Database Vault views.
See Also:
Oracle Database Vault Data Dictionary Views for more information about the command rule-related Oracle Data Vault data dictionary views
Command rules follow a set of steps to check their associated components.
How Realms Work describes what happens when a database account issues a SELECT
, DDL, or DML statement that affects objects within a realm.
The following actions take place when SELECT
, DDL, or DML statement is issued:
Oracle Database Vault queries all the command rules that need to be applied.
For SELECT
, DDL, and DML statements, multiple command rules may apply because the object owner and object name support wildcard notation.
You can associate rule sets with both command rules and realm authorizations. Oracle Database Vault evaluates the realm authorization rule set first, and then it evaluates the rule sets that apply to the command type being evaluated.
For each command rule that applies, Oracle Database Vault evaluates its associated rule set.
If the associated rule set of any of the applicable command rules returns false or errors, Oracle Database Vault prevents the command from executing. Otherwise, the command is authorized for further processing. The configuration of the rule set with respect to auditing and event handlers dictates the auditing or custom processing that occurs.
Command rules override object privileges. That is, even the owner of an object cannot access the object if the object is protected by a command rule. You can disable either a command rule or the rule set of a command. If you disable a command rule, then the command rule does not perform the check it is designed to handle. If you disable a rule set, then the rule set always evaluates to TRUE
. However, if you want to disable a command rule for a particular command, then you should disable the command rule because the rule set may be associated with other command rules or realm authorizations.
In this tutorial, you create a simple local command rule to control whether users can create tables in the SCOTT
schema.
Topics:
First, user SCOTT
must create a table.
At this stage, user SCOTT
can create and drop tables. Do not exit SQL*Plus yet, and remain connected as SCOTT
. You must use it later on when SCOTT
tries to create another table.
After the table has been created in the SCOTT
schema, you can create a command rule.
Command rules take effect immediately. Right away, user SCOTT
is prevented from creating tables, even though he is still in the same user session he was in a moment ago, before you created the CREATE TABLE command rule.
Next, you are ready to test the CREATE TABLE local command rule.
In SQL*Plus, ensure that you are logged on as user SCOTT
.
CONNECT SCOTT --Or, CONNECT SCOTT@hrpdb Enter password: password
Try to create a table.
CREATE TABLE t1 (num NUMBER);
The following output should appear:
ORA-47400: Command Rule violation for create table on SCOTT.T1
As you can see, SCOTT
is no longer allowed to create tables, even in his own schema.
In Oracle Database Vault Administrator, do the following:
In the Command Rules page, select the CREATE TABLE command rule and then click Edit.
In the Edit Command Rule page, select Enabled from the Rule Set list.
Click OK.
In SQL*Plus, as user SCOTT
, try creating the table again.
CREATE TABLE t1 (num NUMBER); Table created.
Now that the CREATE TABLE
command rule is set to Enabled, user SCOTT
is once again permitted to create tables. (Do not exit SQL*Plus.)
You can remove the components that you created for this tutorial if you no longer need them.
In Oracle Database Vault Administrator, remove the CREATE TABLE command rule as follows:
Return to the Command Rules page.
Select the CREATE TABLE local command rule and then click Delete.
In the Confirmation window, click Yes.
Log into the database instance as user SCOTT
and remove the t1
table.
DROP TABLE t1;
If you no longer need the SCOTT
account to be available, then connect as the Database Vault Account Manager and enter the following ALTER USER
statement:
CONNECT bea_dvacctmgr --Or, CONNECT bea_dvacctmgr@hrpdb Enter password: password ALTER USER SCOTT ACCOUNT LOCK PASSWORD EXPIRE;
Oracle provides guidelines for designing command rules.
Create finer-grained command rules, because they are far easier to maintain.
For example, if you want to prevent SELECT
statements from occurring on specific schema objects, then design multiple command rules to stop the SELECT
statements on those specific schema objects, rather than creating a general command rule to prevent SELECT
statements in the schema level.
When designing rules for the CONNECT
event, be careful to include logic that does not inadvertently lock out any required user connections. If any account has been locked out accidentally, ask a user who has been granted the DV_ADMIN
or DV_OWNER
role to log in and correct the rule that is causing the lock-out problem. The CONNECT command rule does not apply to users with the DV_OWNER
and DV_ADMIN
roles. This prevents improperly configured CONNECT command rules from causing a complete lock-out.
If the account has been locked out, you can disable Oracle Database Vault, correct the rule that is causing the lock-out problem, and then reenable Oracle Database Vault. Even when Oracle Database Vault is disabled, you still can use Database Vault Administrator and the Database Vault PL/SQL packages. See Disabling and Enabling Oracle Database Vault, for instructions on disabling and reenabling Database Vault.
Sometimes you must temporarily relax an enabled command rule for an administrative task. Rather than disabling the command rule, have the Security Manager (the account with the DV_ADMIN
or DV_OWNER
role) log in, set the rule set to Enabled, turn on Auditing on Success or Failure for the default rule set named Enabled, and then set the command rule back to its original rule set when the task is complete. (Be aware that in a unified auditing environment, this setting does not work. Instead, you must create a unified audit policy. Oracle Database Security Guide describes how to create unified audit policies for Database Vault.)
When designing command rules, be careful to consider automated processes such as backup where these procedures may be inadvertently disabled. You can account for these tasks by creating rules that allow the command when a series of Oracle Database Vault factors is known to be true (for example, the program being used), and the account being used or the computer or network on which the client program is running.
The performance of a command rule depends on the complexity of the rules in the rule set associated with the command rule.
For example, suppose a rule set invokes a PL/SQL function that takes 5 seconds to run. In this case, a command rule that uses that rule set would take 5 seconds to grant access for the command statement to run.
You can check the system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Cloud Control, which is installed by default with Oracle Database), Automatic Workload Repository (AWR), and TKPROF
.
See Also:
Oracle Database Performance Tuning Guide to learn how to monitor database performance
Oracle Database SQL Tuning Guide to monitor the performance of individual SQL and PL/SQL statements
Oracle Database Vault provides reports and a data dictionary view that are useful for analyzing command rules.
Table 7-2 lists the Oracle Database Vault report. See Oracle Database Vault Reports, for information about how to run these reports.
Table 7-2 Reports Related to Command Rules
Report | Description |
---|---|
Lists audit records generated by command rule processing operations |
|
Tracks rule violations, in addition to other configuration issues the command rule may have |
|
Lists object privileges that the command rule affects |
|
Lists objects that the command rule affects |
|
Lists rules sets that have no rules defined or enabled, which may affect the command rules that use them |
You can use the DVSYS.DBA_DV_COMMAND_RULE
data dictionary view to find the SQL statements that are protected by command rules. See DVSYS.DBA_DV_COMMAND_RULE View for more information.