© 2007 by Prentice Hall 12-1 Introduction to Oracle 10g Chapter 12 Maintaining Database Security James Perry and Gerald Post



Chapter Outline

• Creating and Editing User Accounts
• Controlling User Access to Objects
• Enforcing Privileges through Views and Procedures
• Protecting Data with Encryption
• Auditing the Database


12.1 Creating a user with Enterprise Manager

Creating and editing user accounts


User Accounts

12.2 User roles (figure: user StewartM is assigned the Agent role; the Agent role carries the database permissions Add customer, Add listings and Add offers)


Table 12.1 Some common system privileges

• ALTER SESSION
• ALTER SYSTEM
• ALTER USER
• AUDIT ANY
• BACKUP ANY TABLE
• CREATE PROCEDURE
• CREATE ROLE
• CREATE SEQUENCE
• CREATE TABLE
• CREATE TRIGGER
• CREATE TYPE
• CREATE USER
• CREATE VIEW
• DROP USER
• FORCE TRANSACTION


Table 12.2 Common object privileges

Privilege          Table  View  Sequence  Procedure, Function, or Package  User Defined Type
ALTER              X             X
DELETE             X      X
EXECUTE                                   X                                X
DEBUG              X      X               X                                X
FLASHBACK          X      X
INDEX              X
INSERT             X      X
ON COMMIT REFRESH  X
QUERY REWRITE      X
REFERENCES         X      X
SELECT             X      X     X
UNDER                     X                                                X
UPDATE             X      X


12.3 Separation of duties (figure: the purchasing clerk places an order and gets INSERT on the Purchase and Purchase Item tables; the purchasing manager verifies a new supplier and gets INSERT on the Supplier table; the receiving clerk accepts items and gets UPDATE on Quantity Received only; the accounting clerk authorizes payment with SELECT on the purchasing tables and INSERT on Accounts Payable and Cash. No single role can both create and pay an order.)


12.4 Using a DBA system table to list roles granted to a user


Table 12.3 Desired permissions by object and role

Database Object          Agent role       Manager role
Tables
  Agents                 Select           All
  ContactReason          Select           All
  CustAgentList          All              All
  Customers              All              All
  LicenseStatus          Select?          All
  Listings               All              All
  Properties             All              All
  SaleStatus             Select           All
Forms
  AgentContacts          All              All
  AgentListings          All              All
  Agents                 None             All
  ContactReason          None             All
  Customers              All              All
  LicenseStatus          None             All
  ListingActivity        All              All
  Listings               All              All
  Management             None             All
  Properties             All              All
  SaleStatus             None             All
  Search4                All              All
  Startup                All              All
Reports
  AgentSales             Maybe for self   All
  CustomerList           All              All
  ListingsAndOffers      All              All
  SalesByCityAndAgent    Maybe for self   All
  SalesByMonthAndAgent   Maybe for self   All


12.5 Results for MarcouxListings view


12.6 Startup form run by an agent without the Manager role (the Management button is not available)


12.7 Public key encryption (figure: the client browser connects to https://server; the server holds a public/private key pair whose security certificate is issued by a Certificate Authority; the server's public key is sent to the browser, which encrypts its data with it; the server decrypts the data with its private key and stores it in the database)

Securing Internet transmissions


12.8 Encryption test results


Table 12.4 Oracle auditing types

Type of Auditing        Description

Statement Auditing      Tracks activity by the type of statement. For example, AUDIT TABLE tracks several DDL statements regardless of the table involved. Broad-based tracking, but it can be applied to individual users or to everyone.

Privilege Auditing      Monitors the use of system privileges, for example AUDIT CREATE TABLE. Can be assigned to track individual users or everyone.

Schema Object Auditing  Records the usage of specific statements on individual objects. For instance, AUDIT SELECT ON customers records a note every time someone retrieves data from the customers table. Always applies to all users.

Fine-Grained Auditing   The most detailed specification: you can create any Boolean condition based on individual columns or specific rows of data. For example, you might track all orders with a value > 100,000.

Auditing the database
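One statement of each auditing type from Table 12.4, written out as Oracle SQL. This is an added example, not code from the textbook; it assumes the AUDIT_TRAIL initialization parameter is set to DB, a user named stewartm, and a hypothetical SALES.ORDERS table with an ORDER_TOTAL column (CUSTOMERS is the table named in the slide).

```sql
-- Added example: the four Oracle auditing types side by side.
-- Assumes AUDIT_TRAIL=DB, the AUDIT SYSTEM privilege and EXECUTE on DBMS_FGA.

-- 1. Statement auditing: CREATE/DROP/TRUNCATE TABLE by any user, one record per execution.
AUDIT TABLE BY ACCESS;

-- 2. Privilege auditing: use of the CREATE TABLE system privilege, limited to one user.
AUDIT CREATE TABLE BY stewartm BY ACCESS;

-- 3. Schema object auditing: every successful SELECT on CUSTOMERS. Object auditing
--    cannot be limited to individual users, so this applies to everyone.
AUDIT SELECT ON customers BY ACCESS WHENEVER SUCCESSFUL;

-- 4. Fine-grained auditing: only rows whose value exceeds 100,000, and only when the
--    statement actually touches ORDER_TOTAL. SALES.ORDERS is a hypothetical table.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'ORDERS',
    policy_name     => 'BIG_ORDERS_AUDIT',
    audit_condition => 'ORDER_TOTAL > 100000',
    audit_column    => 'ORDER_TOTAL',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,   -- keep the SQL text and bind values
    enable          => TRUE);
END;
/

-- Verify what is switched on, then read the trails.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT privilege, user_name, success, failure FROM dba_priv_audit_opts;
SELECT object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts WHERE object_name = 'CUSTOMERS';
SELECT username, obj_name, action_name, timestamp
  FROM dba_audit_trail WHERE obj_name = 'CUSTOMERS' ORDER BY timestamp DESC;
SELECT db_user, object_name, sql_text, timestamp
  FROM dba_fga_audit_trail WHERE policy_name = 'BIG_ORDERS_AUDIT' ORDER BY timestamp DESC;
```

The FGA policy writes to DBA_FGA_AUDIT_TRAIL rather than DBA_AUDIT_TRAIL, so both views have to be checked when reviewing activity.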


12.9 Audit log results

Auditing the database


12.10 Changes stored from trigger code

Creating triggers for audits