Re: Database vault and execution privilege

From: Ricardo Kucharski Arnoud <ricardoskn_at_gmail.com>
Date: Wed, 27 Jun 2018 11:25:33 -0300
Message-ID: <CAC540oj96-gnQHnPm2rNEbxYzKkLR=oKGDj_bLWurgpMN1oEog_at_mail.gmail.com>



Hi Lothar,

Please detail your setup and the Oracle version you're working on. Script To List The Database Vault Realms, Command Rules And Rule Sets (Doc ID 1352556.1
<https://support.oracle.com/epmos/faces/DocumentDisplay?parent=SrDetailText&sourceId=3-17119640681&id=1352556.1>)

If you're working with mandatory realms, you could achieve this by listing an authorized user within realm protection.

I could suggest the following setup (please consider an authorized user with the role dv_owner to perform the following procedure):

Create a FACTOR:

BEGIN
  DVSYS.DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'USER_NAME',
    description      => ' Returns the username for the current session ',
    factor_type_name => 'User',
    rule_set_name    => NULL,
    get_expr         => 'DVSYS.DBMS_MACADM.GET_SESSION_INFO(''USERNAME'')',
    validate_expr    => NULL,
    identify_by      => '1',
    labeled_by       => '0',
    eval_options     => '0',
    audit_options    => '16',
    fail_options     => '1');
END;
/

Create a Rule called TRUSTED_USER:

BEGIN
  -- Quotes inside the rule expression are doubled so the literal survives parsing.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'TRUSTED_USER',
    rule_expr => 'DVF.F$USER_NAME = ''USERNAME''');
END;
/

Create a RULE SET:

DECLARE
  x             VARCHAR2(40);
  static_option BOOLEAN := FALSE;
BEGIN
  x := 'Y';
  IF x = 'Y' THEN
    static_option := TRUE;
  ELSE
    static_option := FALSE;
  END IF;

  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'TRUSTED_ACCESS',
    description     => ' Trusted users and applications',
    enabled         => 'Y',
    eval_options    => 2,
    audit_options   => 1,
    fail_options    => 1,
    fail_message    => '',
    fail_code       => '',
    handler_options => 0,
    handler         => '',
    is_static       => static_option);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'TRUSTED_ACCESS',
    rule_name     => 'TRUSTED_USER',
    rule_order    => '1',
    enabled       => 'Y');
END;
/

Grant this RULE SET on your app realm protection:

BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'APP - REALM',
    grantee       => DBMS_ASSERT.ENQUOTE_NAME('USERNAME', FALSE),
    rule_set_name => 'TRUSTED_ACCESS',
    auth_options  => '0');
END;
/

The user should be able to log in and run your procedures. You can play with more options on this setup with the rule set TRUSTED_ACCESS...

Best Regards,
Ricardo Arnoud

On Wed, Jun 27, 2018 at 9:44 AM, l.flatz_at_bluewin.ch <l.flatz_at_bluewin.ch> wrote:

> Hi,
>
> we have Database vault implemented and protect on schema level.
> We want to define a package that will be stored in a protected schema.
> That way we want to do some maintenance jobs.
> We are not sure if that is possible or the schema protection will also
> prohibit execute access.
> I did not find something useful in the documentation, but I also do not
> know database vault.
> If a direct execute is not possible, is somebody aware of a workaround
> (e.g. by a database job)?
>
> Regards
>
> Lothar
>

--
Thanks,
Ricardo Arnoud
Porto Alegre - RS
http://www.queroaprenderlinux.com.br
http://www.peritodigitalonline.com.br

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jun 27 2018 - 16:25:33 CEST
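
A check for the setup described in the message above, added here as an example and not part of the original post: it lists who is authorized in the realm and under which rule set and rule expressions, so an unconditional or mistyped authorization stands out. It assumes the object names from the message ('USER_NAME', 'TRUSTED_ACCESS', 'APP - REALM') and the standard DVSYS dictionary views, queried by an account with DV_OWNER or DV_SECANALYST.

```sql
-- Added example (not from the original message).
-- Object names below are the ones used in the message; substitute your own.

-- 1. The factor exists and has the expected retrieval expression.
SELECT name, get_expr
  FROM dvsys.dba_dv_factor
 WHERE name = 'USER_NAME';

-- 2. The value the rule will compare against for the current session
--    (assumes this account is allowed to execute the DVF factor function).
SELECT dvf.f$user_name AS factor_value
  FROM dual;

-- 3. Every authorization on the realm, with the rules that condition it.
--    A row showing '(none: unconditional)' is a grantee whose realm access
--    is not restricted by any rule set.
SELECT a.realm_name,
       a.grantee,
       a.auth_options,
       NVL(a.auth_rule_set_name, '(none: unconditional)') AS rule_set,
       r.rule_order,
       r.rule_name,
       r.rule_expr,
       r.enabled
  FROM dvsys.dba_dv_realm_auth a
  LEFT JOIN dvsys.dba_dv_rule_set_rule r
         ON r.rule_set_name = a.auth_rule_set_name
 WHERE a.realm_name = 'APP - REALM'
 ORDER BY a.grantee, r.rule_order;
```

Compare the rule_expr literal in step 3 with the factor_value from step 2; they must match exactly, including case, for the rule to evaluate to true.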
