
Oracle Database Vault Flexcube POC Add On 1

COPYRIGHT (C) 2008 i-flex solutions ltd.

All rights reserved. No part of this work may be reproduced, stored in a retrieval system, adopted or transmitted in any form or by any means, electronic, mechanical, photographic, graphic, optic recording or otherwise, translated in any language or computer language, without the prior written permission of i-flex.

Due care has been taken to make this document and any accompanying software package as accurate as possible. However, i-flex makes no representation or warranties with respect to the contents hereof and shall not be responsible for any loss or damage caused to the user by the direct or indirect use of this document and any accompanying software package. Furthermore, i-flex reserves the right to alter, modify or otherwise change in any manner the content hereof, without obligation of i-flex to notify any person of such revision or changes.

All company and product names are trademarks of the respective companies with which they are associated.

Document Revision Control

Version  Date         Changes          Author
1.0      12-Feb-2008  Initial Writing  I-flex


CONTENTS

1. INTRODUCTION ORACLE DATABASE VAULT ... 3
2. SUMMARY OF ORACLE DATABASE VAULT ... 3
3. ORACLE DATABASE VAULT INTEGRATED WITH FLEXCUBE ... 4
4. COMPONENTS OF ORACLE DATABASE VAULT ... 5
5. ORACLE DATABASE VAULT ACCESS CONTROL COMPONENTS ... 5
   5.1. REALM ... 5
   5.2. FACTORS ... 6
   5.3. RULE SETS ... 6
   5.4. COMMAND RULES ... 7
6. ORACLE DATABASE VAULT ADMINISTRATOR (DVA) ... 7
7. ORACLE DATABASE VAULT DVSYS AND DVF SCHEMAS ... 8
8. ORACLE DATABASE VAULT PL/SQL INTERFACES AND PACKAGES ... 8
9. ORACLE DATABASE VAULT REPORTS ... 8
10. POC SECTION ... 9
   10.1 REALM ... 9
   10.2 RULE SET ... 14
   10.3 COMMAND RULES ... 19
   10.4 FACTORS ... 25
   10.5 PRODUCING DATABASE VAULT REPORTS ... 29
   10.6 ORACLE APPLICATION PROGRAMMING INTERFACES ... 31
   10.7 COLUMN LEVEL DATA PROTECTION USING OLS AND DBMS_RLS ... 34


1. Introduction Oracle Database Vault

Database Vault is Oracle's add-on to its enterprise database software that gives users more control over how their data is accessed. Called "Database Vault", the software was introduced at Oracle's Collaborate 06 User Group Conference in Nashville, Tennessee, in April 2006.

Primarily, Database Vault can place restrictions on what data is available to users, depending on a variety of factors, such as the Internet Protocol address being used, the machine being accessed, or the time of day at which the request is made.

This software works with Oracle Database release 9i (9.2.0.8) or Oracle Database 10g Release 2 and later versions. It will be priced at either $20,000 per CPU or $400 per user, depending on what the customer prefers.

2. Summary of Oracle Database Vault

1. Oracle Database Vault is a database security option that protects application data from DBA access and enforces protection of database structures from unauthorized change.
2. It enables organizations to efficiently increase security without making changes to the application code.
3. Oracle Database Vault provides real-time preventive controls by restricting access to application data by highly privileged users and enabling control over who, when, where and how databases and application data can be accessed.
4. Oracle Database Vault provides a web-based management console that can be used to configure and manage the offering.
5. Oracle Database Vault is an option for the Oracle Database Enterprise Edition. Oracle Database Vault can be installed into Oracle Database release 9i (9.2.0.8) or 10g Release 2 (10.2.0.3) or higher.
6. Oracle Database Vault helps customers achieve separation of duty by creating different responsibilities to manage the different aspects of the database environment. Oracle Database Vault creates responsibilities for managing security, managing user accounts, and managing database resources. Separation of duty helps customers prevent unauthorized access to business data.
7. Oracle Database Vault manages the security of an individual Oracle Database instance.


3. Oracle Database Vault integrated with FLEXCUBE

Oracle Database Vault features were tested on FCC and the results are as follows:

1. The FLEXCUBE schema fcj80 on the fcc instance is protected from super-privileged users such as SYS and SYSTEM using a Realm.
2. A range of client IPs is blocked from accessing the FLEXCUBE schema fcj80 using Factors, a Rule Set and Command Rules.
3. Maintenance activities are forced to be carried out after business hours using a Rule Set and Command Rules, so the application will not suffer a surprise breakdown caused by data-center team activity.
4. Confidential columns are protected from unauthorized access using Oracle Label Security; this ensures the sensitive columns cannot be accessed by any means other than the FLEXCUBE application.
5. Transparent Data Encryption (TDE) is used in FLEXCUBE to prevent unauthorized data dump creation using Data Pump.


4. Components of Oracle Database Vault

Oracle Database Vault consists of the five components below, each of which addresses its own area of scope. The following sections give the details of each component.

1. Oracle Database Vault Access Control Components
2. Oracle Database Vault Administrator (DVA)
3. Oracle Database Vault DVSYS and DVF Schemas
4. Oracle Database Vault PL/SQL Interfaces and Packages
5. Oracle Database Vault Reports

5. Oracle Database Vault Access Control Components

The access control components are:

- Realms
- Factors
- Command rules
- Rule sets

5.1. Realm:

A realm is a functional grouping of database schemas and roles that must be secured for a given application. It prevents highly privileged users from accessing application data. A realm is a container that serves as a "protection zone". The Database Vault administrator can create a realm and define the content within the realm.

Using realms we can protect a single object or an entire application schema. Oracle Database Vault realms prevent DBAs, application owners, and other privileged users from viewing application data using their powerful privileges.

When you create a realm, Oracle Database Vault creates a realm record and stores it in an Oracle Database Vault security table. After the realm creation, you have to register a set of schema objects or roles (secured objects) for realm protection and authorize a set of users or roles to access the secured objects.

Realm Authorizations:-

The application owner typically corresponds to the schema containing the objects associated with the application. This user can be designated as the realm owner. Application servers typically connect to the application using the application owner account.

The authorization that we set up here does not affect regular users who have normal direct object privileges on the database objects that are protected by realms.

Realm owners cannot add other users to their realms as owners or participants. Only users who have the DV_OWNER or DV_ADMIN role are allowed to add users as owners or participants to a realm.

Only a realm owner can grant or revoke realm-secured database roles to anyone.

A user can be authorized as either a realm owner or a realm participant; the same user cannot hold both types of authorization.

5.2. Factors:-

A factor is a named variable, such as location or database IP address, that Oracle Database Vault can recognize. The factor details are stored in the DVF schema. Once we create a factor, the factor function is created in the DVF schema with a name in the format f$factor_name.

Example:

Filtering logic that restricts client IPs is explained in the POC section.

5.3. Rule sets:-

A rule set is a collection of one or more rules that is associated with a factor assignment or a command rule.

1. Rule sets can be created that restrict access based on time, specific hosts, or subnets.
2. The rule set evaluates to TRUE or FALSE based on the evaluation of each rule.
3. A rule within a rule set is a PL/SQL expression that evaluates to TRUE or FALSE.

Example

Restricting maintenance activities during business hours with a combination of a rule set and a command rule:

Create a rule set with the name table_drop. Assign the rule expression TO_CHAR(SYSDATE,'HH24') >= '17' to the rule set table_drop. This must evaluate to a Boolean (TRUE or FALSE) value. This rule set is then assigned to the command rule DROP TABLE, which means that a table cannot be dropped before 5 o'clock.


5.4. Command rules:-

A command rule controls how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL), and data manipulation language (DML) statements. When such a statement is executed, the realm authorization is checked first. If no realm violation is found and the associated command rules are enabled, then the associated rule sets are evaluated. If all the rule sets evaluate to TRUE, then the statement is authorized for further processing. If any of the rule sets evaluate to FALSE, then the statement is not authorized and a command rule violation is created.

1. Command rules work with rule sets to determine whether or not the statement is allowed.
2. Oracle Database Vault command rules are used to protect application objects from modification.
3. DDL statements such as CREATE TABLE, DROP TABLE, and ALTER TABLE in the fcj80 schema are authorized only after business hours, not during business hours.

Example: see the example in section 5.3.

6. Oracle Database Vault Administrator (DVA)

Oracle Database Vault Administrator is a Java application that is built on top of the Oracle Database Vault PL/SQL application programming interfaces (API). It is created when Database Vault is installed. This application allows security managers who may not be proficient in PL/SQL to configure the access control policy through a user-friendly interface.


7. Oracle Database Vault DVSYS and DVF Schemas

Oracle Database Vault provides the schemas below:

1. The DVSYS schema contains the Oracle Database Vault database objects: database tables, sequences, views, triggers, roles, packages, procedures, functions, contexts, and other objects that store Oracle Database Vault configuration information and support the administration and run-time processing of Oracle Database Vault.
2. The DVF schema is the owner of the Oracle Database Vault DBMS_MACSEC_FUNCTION PL/SQL package, which contains the functions that retrieve factor identities. When you create a new factor, Oracle Database Vault creates a new retrieval function for the factor and saves it in this schema.

8. Oracle Database Vault PL/SQL Interfaces and Packages

Oracle Database Vault provides a set of procedures and functions in the DVSYS schema to enable access control in an Oracle database. The functions within the DVSYS.DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules and secure application roles that are otherwise configured in Oracle Database Vault Administrator.

Note: The DVSYS.DBMS_MACADM package is available only to users who have the DV_ADMIN or DV_OWNER role.

9. Oracle Database Vault Reports

Oracle Database Vault provides a selection of reports that display security-related information from the database. These reports allow you to check configuration issues with realms, command rules, factors, factor identities, rule sets, and secure application roles.


10. POC Section

10.1 Realm

Create a realm with the name fcj80_realm for the fcj80 FLEXCUBE schema. The tables in the fcj80 schema will then be protected from access by other users, including super users.

Steps to create the realm:

1. Open the browser.
2. Go to http://<your_hostname:port>/dva
3. Enter dvowner for the User Name and its password, then click Login.
4. Click the Realms link.
5. To create a new realm, click Create.
6. Enter a Name, make sure Enabled is selected for Status and Audit on Failure is selected for Audit Options, then click OK.
7. Select fcj80_Realm and click Edit.
8. Under Realm Secured Objects, click Create.
9. From the list of Object Owners, select fcj80. Since all the objects in the fcj80 schema should be protected, make sure % is selected for both Object Type and Object Name. Then click OK.
10. Realm authorization: a realm authorization can be an account or role that is authorized to use its system privileges when creating or accessing realm-secured objects and granting or revoking realm-secured roles.
11. Under Realm Authorizations, click Create.


10.2 RULE SET

In the example below we filter client access to the database with respect to a range of IP addresses. Here we create a rule set that compares the client system's IP address with the IP range we defined. If the client IP address falls within the defined range, the rule returns TRUE.

Perform the following steps to create the rule set:

1. Click the Rule Sets link.
2. Click Create.
3. Enter the rule set name and click OK.
4. Click client_ip and then Edit.
5. Under the rules associated with the rule set, click Create.
6. Enter the name and the rule expression and click OK.


10.3 Command rules:

In this example the client_ip rule set is linked to the command rule CONNECT. Once the command rule is in place, only clients in the IP range 10.80.5.% can connect to the schema.

1. Click Command Rules.
2. Select CONNECT and the rule set name.

Example for rule set and command rules.

In this example we are restricting maintenance activities during business hours.

1. Create a rule set.
2. Assign the rule expression to_char(sysdate,'HH24') >= 17.
3. This rule set returns TRUE only when its single rule expression is satisfied; in this example the rule set returns TRUE only at or after 17:00 hours.
4. The rule set is then assigned to the command rule to restrict dropping of tables during business hours.


10.4 Factors

A factor is a named variable, such as user location or database IP address, that Oracle Database Vault can recognize. The factor details are stored in the DVF schema; we can see them by querying, for example, SELECT dvf.f$database_ip FROM dual;. The following creates filtering logic to restrict the client IPs.

1. Click Factors.
2. Click Create.

The client IP factor can be checked from SQL*Plus:

SQL> SELECT dvf.f$client_ip FROM dual;

Example for restricting client IPs using factors.

1. Create a rule set with the name filter_ip.
2. Assign the rule expression dvf.f$client_ip like '10.80.55.%' in the rule set.
3. Assign the rule set to a command rule.

10.5 Producing database vault reports.

Oracle Database Vault provides a selection of reports that display security-related information from the database. These reports allow you to check configuration issues with realms, command rules, factors, rule sets, and secure application roles.

1. Click the Data Vault Reports tab.
2. Under the Data Vault Reporting category, select Command Rule Audit and click Run Report.
3. The report is displayed. Notice that in this case the command that was run is displayed, along with the rule set that was invoked.

10.6 ORACLE APPLICATION PROGRAMMING INTERFACES

The functions within the DVSYS.DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.

Note: The DVSYS.DBMS_MACADM package is available only to users who have the DV_ADMIN or DV_OWNER role.

Realms

1. Create realm
exec DBMS_MACADM.CREATE_REALM('test', 'testing API', 'YES', 0);

2. Add object to realm
exec DBMS_MACADM.ADD_OBJECT_TO_REALM('test', 'SCOTT', '%', '%');

3. Add owner to realm
exec DBMS_MACADM.ADD_AUTH_TO_REALM('test', 'SCOTT', 1);

4. Enable realm
exec DBMS_MACADM.UPDATE_REALM('test', 'testing API', 'YES', 0);

5. Disable realm
exec DBMS_MACADM.UPDATE_REALM('test', 'testing API', 'NO', 0);

6. Delete a realm
exec DBMS_MACADM.DELETE_REALM('test');

Command rules

1. Create command rule
exec DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE('DROP TABLE', 'maint_period', 'SCOTT', '%', 'YES');

2. Update command rule
exec DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE('DROP TABLE', 'maint_period', 'SCOTT', '%', 'NO');

3. Delete command rule
exec DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE('DROP TABLE', 'SCOTT', '%');

Creation of rule sets

1. Create rule
exec DVSYS.DBMS_MACADM.CREATE_RULE('local_access', 'sys_context(''userenv'',''ip_address'') like ''10.80.5.%''');

2. Create rule set
exec DVSYS.DBMS_MACADM.CREATE_RULE_SET('maint_period', 'Maintenance Period', 'YES', 1, 0, 1, null, null, 0, null);

3. Add rule to rule set
exec DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('maint_period', 'local_access', 1, 'Y');

4. Delete rule from rule set
exec DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('maint_period', 'local_access');

5. Delete rule
exec DVSYS.DBMS_MACADM.DELETE_RULE('local_access');

6. Delete rule set
exec DVSYS.DBMS_MACADM.DELETE_RULE_SET('maint_period');
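The script below is an added example, not part of the POC document: it composes the DBMS_MACADM calls listed above into the two FLEXCUBE controls described in sections 5.3/5.4 and 10.1 to 10.4 (a realm over fcj80, the after-hours DROP TABLE rule and the client-subnet CONNECT rule) and then checks the result. The names fcj80_realm, table_drop, after_hours, filter_ip and client_subnet are assumed, and the DVSYS.DBA_DV_* views and DVSYS.AUDIT_TRAIL$ are the standard Database Vault dictionary objects.

```sql
-- Added example (not from the POC document). Run as the Database Vault owner
-- (DV_OWNER) in SQL*Plus. The names fcj80_realm, table_drop, after_hours,
-- filter_ip and client_subnet are assumed; fcj80 is the FLEXCUBE schema.

-- 1. Realm over the whole fcj80 schema (section 10.1 done through the API).
--    fcj80 is made realm owner (auth_options 1) so the application keeps its
--    own objects; SYS/SYSTEM no longer reach them through ANY privileges.
BEGIN
  DBMS_MACADM.CREATE_REALM('fcj80_realm', 'FLEXCUBE fcj80 schema', 'YES', 1); -- 1 = audit on failure
  DBMS_MACADM.ADD_OBJECT_TO_REALM('fcj80_realm', 'FCJ80', '%', '%');
  DBMS_MACADM.ADD_AUTH_TO_REALM('fcj80_realm', 'FCJ80', 1);
END;
/

-- 2. After-hours DDL (sections 5.3 / 5.4): DROP TABLE in fcj80 is allowed only
--    from 17:00. The rule-set arguments follow the 10-argument form used in
--    10.6: enabled, eval_options 1 = all rules must be TRUE, audit_options 1 =
--    audit on failure, fail_options 1 = show the error, no handler.
BEGIN
  DBMS_MACADM.CREATE_RULE('after_hours', 'TO_CHAR(SYSDATE,''HH24'') >= ''17''');
  DBMS_MACADM.CREATE_RULE_SET('table_drop', 'DDL only after business hours',
                              'YES', 1, 1, 1, NULL, NULL, 0, NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('table_drop', 'after_hours', 1, 'Y');
  DBMS_MACADM.CREATE_COMMAND_RULE('DROP TABLE', 'table_drop', 'FCJ80', '%', 'YES');
END;
/
-- Expected: a DROP TABLE on an fcj80 table at 10:00 fails with ORA-47400
-- (command rule violation) and, with audit on failure, is written to
-- DVSYS.AUDIT_TRAIL$.

-- 3. Client-subnet CONNECT rule (sections 10.2 to 10.4) using the built-in
--    factor function DVF.F$CLIENT_IP. Caution: a CONNECT command rule applies
--    to every account, the DV owner included, so create it from a session
--    inside the allowed range and test from there first. Local (bequeath)
--    sessions carry no client IP, so the LIKE is not TRUE for them and they
--    are refused as well.
BEGIN
  DBMS_MACADM.CREATE_RULE('client_subnet', 'DVF.F$CLIENT_IP LIKE ''10.80.5.%''');
  DBMS_MACADM.CREATE_RULE_SET('filter_ip', 'Allowed client subnet',
                              'YES', 1, 1, 1, NULL, NULL, 0, NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('filter_ip', 'client_subnet', 1, 'Y');
  DBMS_MACADM.CREATE_COMMAND_RULE('CONNECT', 'filter_ip', '%', '%', 'YES');
END;
/

-- 4. Check the configuration now in force through the DVSYS dictionary views.
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE rule_set_name IN ('table_drop', 'filter_ip');

SELECT rule_set_name, rule_name, rule_expr, enabled
  FROM DVSYS.DBA_DV_RULE_SET_RULE
 WHERE rule_set_name IN ('table_drop', 'filter_ip');

-- 5. Failed attempts recorded by audit_options 1; this is the same data the
--    Command Rule Audit report of section 10.5 displays.
SELECT *
  FROM DVSYS.AUDIT_TRAIL$
 WHERE rule_set_name IN ('table_drop', 'filter_ip');
```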


10.7 Column level data protection using OLS and DBMS_RLS

Using Oracle Label Security together with fine-grained access control (DBMS_RLS), confidential columns can be protected even from the owner of the schema.

1. An OLS policy can be created either through the Oracle Policy Manager interface or using the SA_SYSDBA package.
2. To use the SA_SYSDBA package to create, alter, and drop policies, a user must have the LBAC_DBA role and the EXECUTE privilege on the SA_SYSDBA package.
3. When you create a policy, a role named policy_DBA is automatically created. You can use this role to control the users who are authorized to run the policy's administrative procedures. The user who creates the policy is automatically granted the policy_DBA role with the ADMIN option, and the user can grant the role to others.
4. Valid characters for all policy specifications include alphanumeric characters and underscores, as well as any valid character from your database character set.
5. In order to protect the confidential columns, an OLS policy needs to be created. Use the CREATE_POLICY procedure to create a new Oracle Label Security policy, define a policy-specific column name, and specify a set of default policy options.

Syntax:

PROCEDURE CREATE_POLICY (
    policy_name     IN VARCHAR2,
    column_name     IN VARCHAR2 DEFAULT NULL,
    default_options IN VARCHAR2 DEFAULT NULL);

Parameters for SA_SYSDBA.CREATE_POLICY

policy_name: Specifies the policy name, which must be unique within the database. It can have a maximum of 30 characters, but only the first 26 characters in the policy_name are significant. Two policies may not have the same first 26 characters in the policy_name.

column_name: Specifies the name of the column to be added to tables protected by the policy. If NULL, the default name "SA_LABEL" is used. Two Oracle Label Security policies cannot share the same column name.

default_options: Specifies the default options to be used when the policy is applied and no table- or schema-specific options are specified. Includes enforcement options and the option to hide the label column.

6. Use the CREATE_LEVEL procedure to create a level and specify its short name and long name. The numeric value assigned to the level_num parameter determines the sensitivity ranking (that is, a lower number indicates less sensitive data).

Syntax:

PROCEDURE CREATE_LEVEL (
    policy_name IN VARCHAR2,
    level_num   IN INTEGER,
    short_name  IN VARCHAR2,
    long_name   IN VARCHAR2);

Parameters for SA_COMPONENTS.CREATE_LEVEL

policy_name: Specifies the policy
level_num: Specifies the level number (0-9999)
short_name: Specifies the short name for the level (up to 30 characters)
long_name: Specifies the long name for the level (up to 80 characters)

7. The SA_LABEL_ADMIN package provides an administrative interface to manage the labels used by a policy. To do this, a user must have the EXECUTE privilege for the SA_LABEL_ADMIN package and have been granted the policy_DBA role. Use the SA_LABEL_ADMIN.CREATE_LABEL procedure to create a valid data label. You must manually specify a label tag value from 1 to 8 digits long.

Syntax:

PROCEDURE CREATE_LABEL (
    policy_name IN VARCHAR2,
    label_tag   IN INTEGER,
    label_value IN VARCHAR2,
    data_label  IN BOOLEAN DEFAULT TRUE);

Parameters for SA_LABEL_ADMIN.CREATE_LABEL

policy_name: Specifies the name of an existing policy
label_tag: Specifies a unique integer value representing the sort order of the label, relative to other policy labels (0-99999999)
label_value: Specifies the character string representation of the label to be created
data_label: TRUE if the label can be used to label row data. Use this to define the label as valid for data.

8. Associate the labels to the user.

   The SET_USER_LABELS procedure sets the user's levels, compartments, and
   groups using a set of labels, instead of the individual components.

Syntax:

   PROCEDURE SET_USER_LABELS (
      policy_name      IN VARCHAR2,
      user_name        IN VARCHAR2,
      max_read_label   IN VARCHAR2,
      max_write_label  IN VARCHAR2 DEFAULT NULL,
      min_write_label  IN VARCHAR2 DEFAULT NULL,
      def_label        IN VARCHAR2 DEFAULT NULL,
      row_label        IN VARCHAR2 DEFAULT NULL);

Parameters for SA_USER_ADMIN.SET_USER_LABELS

   Parameter         Meaning
   policy_name       Specifies the policy
   user_name         Specifies the user name
   max_read_label    Specifies the label string to be used to initialize the
                     user's maximum authorized read label. Composed of the
                     user's maximum level, compartments authorized for read
                     access, and groups authorized for read access.
   max_write_label   Specifies the label string to be used to initialize the
                     user's maximum authorized write label. Composed of the
                     user's maximum level, compartments authorized for write
                     access, and groups authorized for write access. If
                     max_write_label is not specified, then it is set to
                     max_read_label.
   min_write_label   Specifies the label string to be used to initialize the
                     user's minimum authorized write label. Contains only the
                     level, with no compartments or groups. If min_write_label
                     is not specified, then it is set to the lowest defined
                     level for the policy, with no compartments or groups.
   def_label         Specifies the label string to be used to initialize the
                     user's session label, including level, compartments, and
                     groups (a subset of max_read_label). If def_label is not
                     specified, then it is set to max_read_label.
   row_label         Specifies the label string to be used to initialize the
                     user's row label. Includes level, compartments, and
                     groups: subsets of max_write_label and def_label. If
                     row_label is not specified, then it is set to def_label,
                     with only the compartments and groups authorized for
                     write access.
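Steps 6, 7 and 8 create levels, labels and user authorizations that are only visible through the Label Security data dictionary and the session API, so a practitioner will want to confirm what was actually created before building a VPD predicate on it. The following queries are an added example, not part of the original document; they use the policy name PROTECT_PII and the user FCJ80 that the worked procedure later in this section uses, and they assume the OLS dictionary views DBA_SA_LEVELS, DBA_SA_LABELS and DBA_SA_USER_LABELS are readable by the connected user (LBACSYS or a holder of the PROTECT_PII_DBA role).

```sql
-- Added example (not from the original document). PROTECT_PII and FCJ80 are
-- the policy and user used later in this section.

-- 1. Levels of the policy, ordered by sensitivity (higher level_num is more
--    sensitive). Run as LBACSYS or a holder of the PROTECT_PII_DBA role.
SELECT policy_name, level_num, short_name, long_name
  FROM dba_sa_levels
 WHERE policy_name = 'PROTECT_PII'
 ORDER BY level_num;

-- 2. Labels of the policy and whether each one may be applied to data rows
--    (CREATE_LABEL's data_label argument).
SELECT policy_name, label_tag, label, label_type
  FROM dba_sa_labels
 WHERE policy_name = 'PROTECT_PII'
 ORDER BY label_tag;

-- 3. Effective authorizations of the user. max_write_label, min_write_label,
--    def_label and row_label show the defaults SET_USER_LABELS filled in for
--    any argument that was left NULL.
SELECT user_name, max_read_label, max_write_label, min_write_label,
       def_label, row_label
  FROM dba_sa_user_labels
 WHERE policy_name = 'PROTECT_PII'
   AND user_name   = 'FCJ80';

-- 4. From a session of the user itself: the label a VPD policy function such
--    as f_protect_pii sees through SA_SESSION, and its numeric tag. Requires
--    EXECUTE on SA_SESSION and CHAR_TO_LABEL for that user.
SELECT sa_session.label('PROTECT_PII')                               AS session_label,
       char_to_label('PROTECT_PII', sa_session.label('PROTECT_PII')) AS session_tag,
       sa_session.row_label('PROTECT_PII')                           AS row_label
  FROM dual;
```

Query 3 is the one to read carefully: a user given only max_read_label in SET_USER_LABELS ends up with max_write_label equal to it and min_write_label at the lowest level of the policy, exactly as the parameter table above describes, and query 4 shows the session label that results from def_label.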

9. Create the function that generates the VPD 'where' clause.

10. DBMS_RLS.ADD_POLICY

   This procedure adds a fine-grained access control policy to a table or
   view. The procedure causes the current transaction, if any, to commit
   before the operation is carried out. However, this does not cause a commit
   first if it is inside a DDL event trigger.

Syntax:

   DBMS_RLS.ADD_POLICY (
      object_schema    IN VARCHAR2 := NULL,
      object_name      IN VARCHAR2,
      policy_name      IN VARCHAR2,
      function_schema  IN VARCHAR2 := NULL,
      policy_function  IN VARCHAR2,
      statement_types  IN VARCHAR2 := NULL,
      update_check     IN BOOLEAN  := FALSE,
      enable           IN BOOLEAN  := TRUE);

Parameters for DBMS_RLS.ADD_POLICY Procedure

   Parameter         Description
   object_schema     Schema containing the table or view (logon user, if
                     NULL).
   object_name       Name of the table or view to which the policy is added.
   policy_name       Name of the policy to be added. It must be unique for the
                     same table or view.
   function_schema   Schema of the policy function (logon user, if NULL).
   policy_function   Name of a function that generates a predicate for the
                     policy. If the function is defined within a package, then
                     the name of the package must be present.
   statement_types   Statement types to which the policy applies. It can be
                     any combination of SELECT, INSERT, UPDATE, and DELETE.
                     The default is to apply to all of these types.
   update_check      Optional argument for INSERT or UPDATE statement types.
                     The default is FALSE. Setting update_check to TRUE causes
                     the server to also check the policy against the value
                     after insert or update.
   enable            Indicates if the policy is enabled when it is added. The
                     default is TRUE.
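The FLEXCUBE procedure at the end of this section relies on two DBMS_RLS.ADD_POLICY parameters that the syntax listing above omits, sec_relevant_cols and sec_relevant_cols_opt, and on a predicate that is never true for an unrecognised session. The script below is an added example, not from the original document, showing what those two parameters change: without sec_relevant_cols_opt, a SELECT that references a protected column returns no rows at all; with dbms_rls.ALL_ROWS, every row is returned and only the protected columns are blanked to NULL. The scratch table DEMO_CONTRACT and the function vpd_demo_pred are assumptions made for the demo and are not FLEXCUBE objects; run it as a user that owns the scratch table and has EXECUTE on DBMS_RLS.

```sql
-- Added example; DEMO_CONTRACT and vpd_demo_pred are assumed scratch objects,
-- not objects of the FLEXCUBE schema.
CREATE TABLE demo_contract (
   contract_ref VARCHAR2(16),
   cr_amount    NUMBER,
   dr_amount    NUMBER);

-- Constructed sample rows.
INSERT INTO demo_contract VALUES ('FT0001', 1000, 1000);
INSERT INTO demo_contract VALUES ('FT0002', 2500, 2500);
COMMIT;

-- Predicate function that is never satisfied, the same outcome f_protect_pii
-- produces for a session that is not recognised as a FLEXCUBE session.
CREATE OR REPLACE FUNCTION vpd_demo_pred (schema_in IN VARCHAR2, tab_in IN VARCHAR2)
   RETURN VARCHAR2 AS
BEGIN
   RETURN '1=2';
END;
/

-- Variant 1: column-sensitive policy without sec_relevant_cols_opt.
-- A SELECT that references cr_amount or dr_amount returns no rows; a SELECT
-- that touches neither column is not affected by the policy at all.
BEGIN
   DBMS_RLS.ADD_POLICY (
      object_schema     => USER,
      object_name       => 'DEMO_CONTRACT',
      policy_name       => 'demo_hide_rows',
      function_schema   => USER,
      policy_function   => 'vpd_demo_pred',
      statement_types   => 'select',
      sec_relevant_cols => 'CR_AMOUNT,DR_AMOUNT');
END;
/
SELECT contract_ref FROM demo_contract;
SELECT contract_ref, cr_amount FROM demo_contract;

BEGIN
   DBMS_RLS.DROP_POLICY(USER, 'DEMO_CONTRACT', 'demo_hide_rows');
END;
/

-- Variant 2: the same policy with sec_relevant_cols_opt => dbms_rls.ALL_ROWS.
-- All rows are still listed, but cr_amount and dr_amount are returned as NULL
-- for every row that fails the predicate. This is the masking behaviour the
-- FLEXCUBE example below applies to FTTB_CONTRACT_MASTER.
BEGIN
   DBMS_RLS.ADD_POLICY (
      object_schema         => USER,
      object_name           => 'DEMO_CONTRACT',
      policy_name           => 'demo_mask_cols',
      function_schema       => USER,
      policy_function       => 'vpd_demo_pred',
      statement_types       => 'select',
      sec_relevant_cols     => 'CR_AMOUNT,DR_AMOUNT',
      sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
SELECT contract_ref, cr_amount, dr_amount FROM demo_contract;

-- Clean up the scratch objects.
BEGIN
   DBMS_RLS.DROP_POLICY(USER, 'DEMO_CONTRACT', 'demo_mask_cols');
END;
/
DROP TABLE demo_contract;
```

Note that the policy is enforced against the owner of the table as well, which is the property the FLEXCUBE example depends on: only a user with the EXEMPT ACCESS POLICY system privilege bypasses VPD, so that privilege should be granted to nobody in a schema protected this way.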

With respect to FLEXCUBE, there is some confidential information that should
be hidden even from the owner of the schema, i.e. these column values should
not be accessible through any back-end tool such as SQL*Plus, PL/SQL Developer
etc. using SQL queries. At the same time, the details should be accessible
through FLEXCUBE for authorized users. The following example takes the Fund
Transfer module and demonstrates how to hide the confidential columns credit
amount (cr_amount) and debit amount (dr_amount) in FT contract inputs. The
protected columns will not be exported.

Table: FTTB_CONTRACT_MASTER

Columns: cr_amount, dr_amount

1. Connect as the FLEXCUBE schema. Grant select privilege on smtb_user and
   FTTB_CONTRACT_MASTER to lbacsys.

   conn fcj80/fcj80@fcc128
   grant select on smtb_user to lbacsys;
   grant select on FTTB_CONTRACT_MASTER to lbacsys;

2. Create the policy after connecting to lbacsys.

   conn lbacsys/lbacsys@fcc128

   BEGIN
      SA_SYSDBA.CREATE_POLICY (policy_name     => 'PROTECT_PII',
                               column_name     => 'OLS_COLUMN',
                               default_options => 'NO_CONTROL');
   END;
   /

3. Create levels for the policy.

   BEGIN
      SA_COMPONENTS.CREATE_LEVEL (policy_name => 'PROTECT_PII',
                                  level_num   => 1000,
                                  short_name  => 'CONF',
                                  long_name   => 'CONFIDENTIAL');
   END;
   /

   execute SA_COMPONENTS.CREATE_LEVEL ('PROTECT_PII', 2000, 'SENS', 'SENSITIVE');

4. Create labels for the rows as follows.

   execute SA_LABEL_ADMIN.CREATE_LABEL ('PROTECT_PII', 2100, 'SENS', FALSE);

   BEGIN
      SA_LABEL_ADMIN.CREATE_LABEL (policy_name => 'PROTECT_PII',
                                   label_tag   => 1000,
                                   label_value => 'CONF',
                                   data_label  => FALSE);
   END;
   /

5. Set the labels for the user fcj80.

   execute SA_USER_ADMIN.SET_USER_LABELS ('PROTECT_PII', 'FCJ80', 'CONF', 'CONF', 'CONF', 'CONF', 'CONF');

6. Create the function that generates the VPD 'where' clause.

   -- Definer's-rights function owned by LBACSYS. The query against v$session
   -- below needs a direct GRANT SELECT ON SYS.V_$SESSION to LBACSYS, because
   -- roles are not active inside PL/SQL.
   CREATE OR REPLACE FUNCTION f_protect_pii (schema IN VARCHAR2, tab IN VARCHAR2)
      RETURN VARCHAR2 AS
      predicate   VARCHAR2(2000);  -- the VPD 'where' clause
      session_lab VARCHAR2(4000);  -- the current user's session label
      session_tag NUMBER;          -- numerical expression of session label
      sens_tag    NUMBER;          -- numerical expression of SENS label
      module_id   VARCHAR2(50);    -- MODULE reported by the calling session
      l_cnt       NUMBER := 0;     -- number of FLEXCUBE users matching that MODULE
   BEGIN
      predicate := '1=2';  -- is never true, will hide all rows by default

      -- the current user's session label for that policy
      session_lab := sa_session.label('PROTECT_PII');
      -- numerical expression of session label
      session_tag := char_to_label('PROTECT_PII', session_lab);
      -- numerical expression of the SENS label
      sens_tag    := char_to_label('PROTECT_PII', 'SENS');

      BEGIN
         SELECT module
           INTO module_id
           FROM v$session
          WHERE audsid = (SELECT userenv('sessionid') FROM dual);
      EXCEPTION
         WHEN no_data_found THEN
            module_id := 'XXX';
      END;

      -- the session is treated as a FLEXCUBE session only when its MODULE
      -- matches a FLEXCUBE user id
      SELECT COUNT(*)
        INTO l_cnt
        FROM fcj80.smtb_user
       WHERE user_id = NVL(module_id, 'XXX');

      IF l_cnt = 0 THEN
         predicate := '1=2';  -- will hide all rows if checks fail
      ELSIF l_cnt > 0 THEN
         predicate := '1=1';
      END IF;

      RETURN predicate;
   END;
   /

7. Apply the VPD policy to the fcj80.FTTB_CONTRACT_MASTER table.

   BEGIN
      DBMS_RLS.ADD_POLICY (
         object_schema         => 'FCJ80',
         object_name           => 'FTTB_CONTRACT_MASTER',
         policy_name           => 'vpd_protect_pii',
         function_schema       => 'LBACSYS',
         policy_function       => 'f_protect_pii',
         statement_types       => 'select',
         sec_relevant_cols     => 'DR_AMOUNT,CR_AMOUNT',
         sec_relevant_cols_opt => dbms_rls.ALL_ROWS,
         policy_type           => dbms_rls.CONTEXT_SENSITIVE);
   END;
   /
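After step 7 a practitioner will want to confirm that the policy is registered on the right object, statement type and columns, and then see what a back-end session actually gets. The checks below are an added example and not part of the original document; they use only the object names, schema and connect string given in the steps above, and assume the dictionary views DBA_POLICIES and DBA_SEC_RELEVANT_COLS are readable by LBACSYS. The session check uses SYS_CONTEXT('USERENV', 'MODULE') rather than v$session so that it works without any grant on the fixed views.

```sql
-- Added example (not from the original document); object names are those
-- used in steps 1 to 7 above.

-- As LBACSYS: is the policy present and enabled, on which statement types,
-- and with which policy function?
SELECT object_owner, object_name, policy_name, pf_owner,
       sel, ins, upd, del, enable, policy_type
  FROM dba_policies
 WHERE object_owner = 'FCJ80'
   AND object_name  = 'FTTB_CONTRACT_MASTER';

-- Which columns are security relevant, and whether rows are masked (ALL_ROWS)
-- or hidden when those columns are referenced.
SELECT policy_name, sec_rel_column, column_option
  FROM dba_sec_relevant_cols
 WHERE object_owner = 'FCJ80'
   AND object_name  = 'FTTB_CONTRACT_MASTER';

-- As the schema owner through SQL*Plus. The MODULE of this session is what
-- SQL*Plus reports, not a user id from smtb_user, so f_protect_pii returns
-- '1=2' and, because of ALL_ROWS, the rows are listed with the two protected
-- columns returned as NULL.
conn fcj80/fcj80@fcc128

SELECT sys_context('userenv', 'module') AS session_module
  FROM dual;

-- COUNT(*) counts every row; COUNT(column) counts only non-NULL values, so
-- the two column counts show how many rows this session may see amounts for.
SELECT COUNT(*)         AS total_rows,
       COUNT(cr_amount) AS visible_cr_amount,
       COUNT(dr_amount) AS visible_dr_amount
  FROM fttb_contract_master;
```

For a SQL*Plus session that the policy does not recognise, total_rows is the full row count of the table while both visible counts are 0; a session that f_protect_pii accepts sees all three counts equal. Keep in mind what this policy actually keys on: V$SESSION.MODULE is an attribute reported by the connecting application, not an authenticated identity, so these checks confirm the policy is wired up as the document intends but do not make that check any stronger than the page describes.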