4 Oracle Database Vault Realms
Oracle Database Vault Realms restrict what actions users can take on the database.
In addition to Oracle Database Vault's goal to protect your sensitive data, reduce human error, and limit insider threats, Oracle Database Vault protects components of the Oracle Database dictionary and its own dictionary objects.
There are times when, to access certain objects, perform certain administrative tasks, or grant certain Oracle database roles, you must be authorized by Database Vault to do so.
Oracle Database Vault provides two types of realms: traditional and mandatory. Both realm types can protect either an entire schema, individual database roles or crucial objects within a schema selectively, such as tables and indexes.
Traditional realms will respect database users using their direct-object grants.
Mandatory realms require the grant, either direct or granted through a role, and the Database Vault realm authorization.
In this example, you will authorize C##JSMITH
to
forward-grant the resource role they have been granted. To do so, you must add
C##JSMITH
to a Database Vault default realm.
4.1 Traditional Realms
With a traditional realm, an object owner or users who has been granted object privileges can perform queries or DML operations without realm authorization but must have realm authorization to perform DDL operations.
4.1.1 Demonstrating Realm Violations
Because Oracle Database Vault Realms restrict actions that a user can take
on the database, some actions will fail without proper authorization. This example shows how
the C##JSMITH
user is unable to grant the RESOURCE
role
because they are not in the Oracle System Privilege and Role Management Realm.
- Attempt to create the
C##CMACK
user and grant them theRESOURCE
role:- Connect as
C##JSMITH
:connect c##jsmith
- Create
C##CMACK
role and grant them theRESOURCE
role:CREATE USER C##CMACK IDENTIFIED BY <password> CONTAINER=ALL; GRANT RESOURCE TO C##CMACK WITH ADMIN OPTION CONTAINER=ALL;
You will receive the following error asC##JSMITH
:ORA-47410: Insufficient realm privileges to GRANT on RESOURCE
- Connect as
- Identify which realm is protecting the
RESOURCE
role:- Connect as
C##JSMITH
:connect c##jsmith
- Run the following:
SELECT REALM_NAME, OBJECT_NAME FROM DBA_DV_REALM_OBJECT WHERE OBJECT_TYPE = 'ROLE' AND OBJECT_NAME = 'RESOURCE' ORDER BY 1,2;
You should see the following output:REALM_NAME OBJECT_NAME ____________________________________________________ ______________ Oracle System Privilege and Role Management Realm RESOURCE
- Connect as
- Identify which database users are authorized to access the realm protected objects
and, more specifically, which users have the
OWNER
realm authorization which will allow them to forward-grant privileges on objects they holdWITH ADMIN OPTION
privileges:SELECT GRANTEE, AUTH_OPTIONS FROM DBA_DV_REALM_AUTH WHERE REALM_NAME = 'Oracle System Privilege and Role Management Realm' ORDER BY 1;
You should see the following output:GRANTEE AUTH_OPTIONS _____________ _______________ SYS Owner
You should not use SYS
unless it is necessary. Instead, you should
authorize C##JSMITH
to the Oracle System Privilege and Role Management
Realm as an owner, thus allowing C##JSMITH
to grant the resource role
to other database users.
You have completed the steps to authorize C##JSMITH
to the
Oracle System Privilege and Role Management Realm as an owner, thus allowing
C##JSMITH
to grant the resource role to other database users.
4.1.2 Granting Realm Authorization
Authorize a named user to the Oracle System Privilege and Role Management Realm as an owner, allowing the user to grant the resource role to other database users. If you are granting privileges to a database user in all database containers, authorize a named user on each of the pluggable databases (PDB) where Oracle Database Vault is enabled.
For example, add C##JSMITH
to the Database Vault realm:
- Connect as
C##JSMITH
:connect c##jsmith
- Add
C##JSMITH
to the realm:BEGIN DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM ( realm_name => 'Oracle System Privilege and Role Management Realm' ,grantee => 'C##JSMITH' ,rule_set_name => null ,auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER); END; /
- Confirm that
C##JSMITH
has been added to the realm:SELECT GRANTEE, AUTH_OPTIONS FROM DBA_DV_REALM_AUTH WHERE REALM_NAME = 'Oracle System Privilege and Role Management Realm' ORDER BY 1;
You should see the following output:GRANTEE AUTH_OPTIONS _____________ _______________ C##JSMITH Owner SYS Owner
- Connect as
C##JSMITH
on the PDB:connect c##jsmith@pdb_name
- Add
C##JSMITH
to the realm:BEGIN DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM ( realm_name => 'Oracle System Privilege and Role Management Realm' ,grantee => 'C##JSMITH' ,rule_set_name => null ,auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER ,auth_scope => DBMS_MACUTL.G_SCOPE_LOCAL); END; /
- Confirm that
C##JSMITH
has been added to the realm:SELECT GRANTEE, AUTH_OPTIONS FROM DBA_DV_REALM_AUTH WHERE REALM_NAME = 'Oracle System Privilege and Role Management Realm' ORDER BY 1;
You should see the following output:GRANTEE AUTH_OPTIONS _____________ _______________ C##JSMITH Owner SYS Owner
Tip:
An advanced configuration would be to create a common role and add that role to the realm authorized owners list instead of individual database usernames.For example, create C##ACME_DBA
role and add it to Oracle System
Privilege and Role Management Realm as an authorized owner. You can then create a
Database Vault realm to protect who can grant the C##ACME_DBA
role.
4.1.3 Granting RESOURCE
Role to
Other Users
After a named user has the privileges and realm authorization, they can
grant the RESOURCE
to other users.
For example, as C##JSMITH
, grant the
RESOURCE
role to C##CMACK
:
- Connect as
C##JSMITH
:connect c##jsmith
- Create
C##CMACK
role and grant them theRESOURCE
role:CREATE USER C##CMACK IDENTIFIED BY <password> CONTAINER=ALL; GRANT RESOURCE TO C##CMACK WITH ADMIN OPTION CONTAINER=ALL;
- As
C##JSMITH
, create theGRKAMER
account in the pluggable database:ALTER SESSION SET CONTAINER=pdb_name; CREATE USER GKRAMER IDENTIFIED BY <password>; GRANT CREATE SESSION TO GKRAMER;
- Use the
C##JSMITH
database user to grant several system privileges toGRKAMER
:GRANT SELECT ANY TABLE, UPDATE ANY TABLE, CREATE ANY TABLE, DROP ANY TABLE TO GKRAMER; GRANT CREATE ANY INDEX, DROP ANY INDEX TO GKRAMER; GRANT RESOURCE TO GKRAMER;
For additional information on default realms and command rules, refer to the Oracle Database Vault Administrator’s Guide.
4.2 Mandatory Realms
A mandatory realm provides stronger protection than traditional realms for objects within a realm. Mandatory realms block both object privilege and system privilege access and will not allow users with object privileges to perform queries, DML, or DDL operations without realm authorization. In other words, if the objects are protected by mandatory realms, even the object owner cannot access their own objects without proper realm authorization.
4.2.1 Querying Application Data Before Applying Realms and Command Rules
Prior to applying realms and command rules, you can query the
HR.EMPLOYEES
table to see what actions users are able to perform. After
applying realms and command rules the results will be different.
Query the HR.EMPLOYEES
table as each of the following user and
compare the results to the table below:
SYS
SYSTEM
C##DVOWNER
C##DVACCTMGR
C##JSMITH
C##CMACK
GKRAMER
HR
- Connect as
<user>
:connect <user>
- Attempt the following
commands:
SELECT COUNT(*) FROM HR.EMPLOYEES; CREATE TABLE HR.EMP2 AS SELECT * FROM HR.EMPLOYEES; CREATE INDEX HR.TEST_IDX ON HR.EMP2(HIRE_DATE,LAST_NAME); DROP INDEX HR.TEST_IDX; DROP TABLE HR.EMP2;
Command | SYS |
SYSTEM |
C##DVOWNER |
C##DVACCTMGR |
C##JSMITH |
C##CMACK |
GKRAMER |
HR |
---|---|---|---|---|---|---|---|---|
SELECT COUNT(*) FROM HR.EMPLOYEES; |
Success |
Success |
ORA-00942: table or view does not exist |
ORA-00942: table or view does not exist |
Success |
ORA-00942: table or view does not exist |
Success |
Success |
CREATE TABLE HR.EMP2 AS SELECT * FROM
HR.EMPLOYEES; |
Success |
Success |
ORA-00942: table or view does not exist |
ORA-00942: table or view does not exist |
Success |
ORA-00942: table or view does not exist |
Success |
Success |
CREATE INDEX HR.TEST_IDX ON
HR.EMP2(HIRE_DATE,LAST_NAME); |
Success |
Success |
ORA-00942: table or view does not exist |
ORA-00942: table or view does not exist |
Success |
ORA-00942: table or view does not exist |
Success |
Success |
DROP INDEX HR.TEST_IDX; |
Success |
Success |
ORA-01418: specified index does not exist |
ORA-01418: specified index does not exist |
Success |
ORA-01418: specified index does not exist |
Success |
Success |
DROP TABLE HR.EMP2; |
Success |
Success |
ORA-00942: table or view does not exist |
ORA-00942: table or view does not exist |
Success |
ORA-00942: table or view does not exist |
Success |
Success |
If your results be different from the table, verify you have configured and enabled Oracle Database Vault in the container database and created the users and granted the appropriate privileges.
Notice the Database Vault related accounts C##DVOWNER
and
C##DVACCTMGR
do not have the system or object privileges required
to access the HR.EMPLOYEES table. These accounts are not intended to access data, only
perform Database Vault administrative activities
4.2.2 Creating a Mandatory Realm to Protect Tables and Views
Mandatory realms require the grant, either direct or granted through a role, and the Database Vault realm authorization. By creating a mandatory realm, only users who have the appropriate system or object privileges and realm authorization can access the specified tables and views.
Prerequisites
Have an account that has been granted the DV_ACCTMGR
or
DV_OWNER
role, such as the C##JSMITH
user that
you created during Creating Named Database Accounts.
- Connect as
C##JSMITH
on the pluggable database:connect c##jsmith@pdb_name
- Create the mandatory
realm:
BEGIN DVSYS.DBMS_MACADM.CREATE_REALM( realm_name => 'Protect HR tables' ,description => 'Mandatory realm to protect HR tables' ,enabled => dbms_macutl.g_yes ,audit_options => null ,realm_type => dbms_macadm.mandatory_realm); END; /
Note:
If you are using Oracle Database 19c or earlier, and traditional auditing, you can specify a value foraudit_options
instead of null. For more information, see the Oracle Database Vault Administrator’s Guide for Oracle Database 19c. - Add the objects you wish to protect with the new realm. You could
specify a wildcard (%) for the
OBJECT_TYPE
parameter and protect all existing and new objects in a schema.In this example, you will separate
TABLES
andVIEWS
into a single realm, andINDEXES
into a separate realm in the following example.BEGIN DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM( realm_name => 'Protect HR tables' ,object_owner => 'HR' ,object_name => '%' ,object_type => 'TABLE'); END; / BEGIN DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM( realm_name => 'Protect HR tables' ,object_owner => 'HR' ,object_name => '%' ,object_type => 'VIEW'); END; /
- Authorize the users to access the realm-protected tables and views. In
a mandatory realm you will also authorize the object owner.
In this example, you will authorize
HR
to access its own objects.BEGIN DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Protect HR tables' ,grantee => 'HR' ,rule_set_name => '' ,auth_options => dbms_macutl.g_realm_auth_owner); END; /
- Determine if you will be enforcing the realm or not:
- Simulation (non-enforcement) mode: Oracle Database Vault
simulation mode allows you to identify which users are accessing data you
want to protect with an Oracle Database Vault realm. Only violations of the
Database Vault realm authorization list will be recorded.
Set the
ENABLED
parameter toDBMS_MACUTL.G_SIMULATION
BEGIN DVSYS.DBMS_MACADM.UPDATE_REALM( realm_name => 'Protect HR tables' ,description => 'Mandatory realm to protect HR tables' ,enabled => dbms_macutl.g_simulation ,audit_options => null ,realm_type => dbms_macadm.mandatory_realm); END; /
- Enforcement mode: Oracle Database Vault enforcement mode means
the mandatory realm will enforce the controls on the objects it is
protecting and allow database users access if they maintain the appropriate
system or object privileges and authorization to the realm.
Set the
ENABLED
parameter toDBMS_MACUTL.G_YES
BEGIN DVSYS.DBMS_MACADM.UPDATE_REALM( realm_name => 'Protect HR tables' ,description => 'Mandatory realm to protect HR tables' ,enabled => dbms_macutl.g_yes ,audit_options => null ,realm_type => dbms_macadm.mandatory_realm); END; /
- Simulation (non-enforcement) mode: Oracle Database Vault
simulation mode allows you to identify which users are accessing data you
want to protect with an Oracle Database Vault realm. Only violations of the
Database Vault realm authorization list will be recorded.
For more information on Oracle Database Vault simulation mode, see the Troubleshooting and Tracing Errors section in the Oracle Database Vault Administrator’s Guide.
4.2.3 Creating a Mandatory Realm to Protect Indexes
By separating the tables and indexes into separate realms, you can allow index maintenance without access to table data. There is still a risk because data could be accessed indirectly, but if index maintenance is a task of the DBA and this is a risk you are comfortable assuming, then this separation is a common methodology.
For example:
- Connect as
C##JSMITH
:connect c##jsmith
- Create the mandatory
realm:
BEGIN DVSYS.DBMS_MACADM.CREATE_REALM( realm_name => 'Protect HR indexes' ,description => 'Mandatory realm to protect HR indexes' ,enabled => dbms_macutl.g_yes ,audit_options => null ,realm_type => dbms_macadm.mandatory_realm); END; /
Note:
If you are using Oracle Database 19c or earlier, and traditional auditing, you can specify a value foraudit_options
instead of null. For more information, see the Oracle Database Vault Administrator’s Guide. - Add the index to the
realm:
BEGIN DBMS_MACADM.ADD_OBJECT_TO_REALM( realm_name => 'Protect HR indexes' ,object_owner => 'HR' ,object_name => '%' ,object_type => 'INDEX'); END; /
- Add authorization to the
realm:
BEGIN DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Protect HR indexes' ,grantee => 'HR' ,rule_set_name => null ,auth_options => dbms_macutl.g_realm_auth_owner); END; /
- Add the DBA, in this case
GKRAMER
, as a realm-authorized owner so that they can perform index creation, deletion, and updates:BEGIN DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Protect HR indexes' ,grantee => 'GKRAMER' ,rule_set_name => null ,auth_options => dbms_macutl.g_realm_auth_owner); END; /