RE: Hiding sensitive EBS column data from certain users
Date: Wed, 10 Oct 2018 17:52:28 +0000
Message-ID: <SN1PR10MB098968797FA3595C637F19C7D5E00_at_SN1PR10MB0989.namprd10.prod.outlook.com>
A few thoughts about redaction for what they are worth…
I’ve been working with redaction for a while now. In its basic form, it’s pretty easy to work with. However anything beyond that, and it gets pretty complex. Also, keep in mind that using redaction requires and Advanced Security license.
One redaction complexity comes about because of the limited number of ways you can define the expression of a redaction policy. The expression basically provides the logic that defines if the policy is applied to a given query or not.
For example, assume I define a redaction policy on a table called people and a column called SSN using dbms_redact.add_policy.
In that definition, there is a parameter called expression which you set that indicates what conditions should be met for the policy to be applied. For example, if I want the policy to be applied all the time then I’d set the expression like this:
expression=>’1=1’
You can add complexity to the expression, so that redaction only applies in certain cases. For example, let’s say that my application is setting MODULE via dbms_application_info. I could say that I only want redaction to be applied if MODULE is set to ‘USER_INTERFACE_MODULE’ module by doing something like this (specific example not tested so possible typos here):
Expression=>’sys_context(‘’USERENV’’, ‘’MODULE’’,’’USER_INTERFACE_MODULE’’)=’’TRUE’’’
In this case, the redaction policy would ONLY be applied in cases where the USER_INTERFACE_MODULE was set when the query was issued, otherwise the data would not be redacted. You can use custom created contexts as well, setting the appropriate values in things like logon triggers, from the application or whatever.
The biggest problem with redaction that I see (and this sounds like your kind of situation) involve cases where an application needs to internally have access to non-redacted data for downstream processing (say some form of PII is queried and is needed for further application related queries) but you want any display of that data to be redacted. COTs and Legacy applications tend to make this really difficult since they generally do not supply sufficient context information to develop an expression that can correctly indicate if the data should, or should not, be redacted.
Now, I have seen some legacy and COTS applications set certain values available in SYS_CONTEXT (such as ACTION, CURRENT_SQL, MODULE or SERVICE_NAME) that might be used to identify specific areas that redaction would be desirable. I these cases, you might be able to craft a redaction policy where data is not redacted by default (allowing the app to have access to unredacted data). If you can identify unique context settings that occur at the times you want the data to be redacted (perhaps there is a MODULE called print_module that gets set whenever the user data needs to be redacted) then you could craft a redaction policy around those specific conditions. (I hope this makes sense).
It would be nice if redaction could take advantage of a user created function, that allowed some PL/SQL logic to determine if the data should be redacted. Then, you might be able to do something like look at the SQL statement being executed and redact based on a set of blacklisted SQL statements/SQLID’s. However, this functionality does not exist. Redaction only supports use of sys_context or xs_sys_context functions to return values set in a specific namespace. Also, you can define redaction expressions based on Oracle Label Security, APEX Expression states and you can use substr and length in the function.
RLS gives you a bit more flexibility in some respects. You can write some logic around RLS in the policy function itself. However, at the column level only allows you to NULL out the column ( I have yet to figure a way around that one), as opposed to masking it. Additionally, RLS comes with potential performance issues since it appends predicates to the where clause of your SQL. So, you can find yourself chasing performance issues all over creation….
Hope that helps….
RF
Robert G. Freeman
Deliverer of Enterprise Data®
Businessolver
Cell: 801-703-3405
“Greater than the death of flesh is the death of hope. The death of dreams. Against this peril we can never surrender. The future is all around us, waiting in moments of transition, to be born in moments of revelation. No one knows the shape of that future, or where it will take us. We know only that it is always born in pain.”
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Syed Jaffar Hussain Sent: Thursday, October 04, 2018 1:10 PM To: Matthew Parker <dimensional.dba_at_comcast.net> Cc: Oracle-L Freelists <oracle-l_at_freelists.org>; tim.evdbt_at_gmail.com Subject: Re: Hiding sensitive EBS column data from certain users
Thank you all for fhe swift response.
Its a production EBS 12.2.6 environment. The requirement is to hide certain columns data in HR and Finance modules to specific users through forms. If we apply VPD it will break forms functionality. Also APPS. These are application defined users. In EBS its not simple VpD. So, any body with EBS functional and development knowledge can respond this.
Regards
On Thu, 4 Oct 2018 at 8:56 PM Matthew Parker <dimensional.dba_at_comcast.net<mailto:dimensional.dba_at_comcast.net>> wrote: Just need to highlight the problem in prod. The rules applied can actually cause problems with the COTS applications like EBS that has their own internal security architecture. Just need to do lots of testing.
Matthew Parker
Chief Technologist
Dimensional DBA
Oracle Gold Partner
425-891-7934 (cell)
D&B 047931344
CAGE 7J5S7
Dimensional.dba_at_comcast.net<mailto:Dimensional.dba_at_comcast.net>
View Matthew Parker's profile on LinkedIn<http://www.linkedin.com/pub/matthew-parker/6/51b/944/>
www.dimensionaldba.com<http://www.dimensionaldba.com/>
From: oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org> <oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org>> On Behalf Of Tim Gorman Sent: Thursday, October 4, 2018 10:52 AM To: dimensional.dba_at_comcast.net<mailto:dimensional.dba_at_comcast.net>; sjaffarhussain_at_gmail.com<mailto:sjaffarhussain_at_gmail.com>; 'Oracle-L Freelists' <oracle-l_at_freelists.org<mailto:oracle-l_at_freelists.org>> Subject: Re: Hiding sensitive EBS column data from certain users
For production environments, technologies which mask data in-flight, including Oracle's data redaction and SQL Server's dynamic data masking are appropriate solutions when a portion of the user community should not have access to certain data.
In development or testing (a.k.a. non-production) environments, there is no reason for anyone to have access to confidential data, including database administrators and systems administrators, partially because of the movement of development and testing environments to out-sourced, off-shore, or cloud environments. Masking data at-rest is the appropriate solution for non-production environments by permanently and irreversibly obfuscating data in datafiles, thus removing any value to intruders.
Following the implementation of GDPR<https://en.wikipedia.org/wiki/General_Data_Protection_Regulation> in Europe this past May, CCPA<https://www.caprivacy.org/> in California has already been signed into law, with more countries and states to follow. The professional honor code to which all of IT has adhered for the past 40-50 years is no longer sufficient to protect confidential data. Essentially, unmasked data in non-production is becoming a liability to the DBAs, developers, and testers who work with it, because at some point, all these laws may hold individuals (as well as organizations) liable for the damages from data breaches. I expect that, like SOX, individual liability will begin at the top of the organization (i.e. CEO, CFO, etc) but with examples like Snowden there is no reason why those lower in the hierarchy cannot be targeted.
On 10/4/18 11:04, Matthew Parker wrote: In Production or in Development? Different ways to do things based on the environment.
What version of the database are you running?
In 12.1 there is RAS Security (VPD 2.0) that also does column level data masking at no extra cost, but you have to create/implement the rules yourself. Normally you control PROD by standard security controls, but you can implement RAS against report users if they are landing on your primary database. Just need to make sure anything you implement it doesn’t affect base EBS apps.
Matthew Parker
Chief Technologist
Dimensional DBA
Oracle Gold Partner
425-891-7934 (cell)
D&B 047931344
CAGE 7J5S7
Dimensional.dba_at_comcast.net<mailto:Dimensional.dba_at_comcast.net>
View Matthew Parker's profile on LinkedIn<http://www.linkedin.com/pub/matthew-parker/6/51b/944/>
www.dimensionaldba.com<http://www.dimensionaldba.com/>
From: oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org> <oracle-l-bounce_at_freelists.org><mailto:oracle-l-bounce_at_freelists.org> On Behalf Of Syed Jaffar Hussain Sent: Thursday, October 4, 2018 9:51 AM To: Oracle-L Freelists <oracle-l_at_freelists.org><mailto:oracle-l_at_freelists.org> Subject: Hiding sensitive EBS column data from certain users
Hello List,
Is there anyway to hide data of sensitive columns in Oracle EBS (v12.2) to certain users? I thought of VPD, but, it seems, it has different approaches in EBS. Something like, personalizing the form to hide the values of the columns, though not sure.
Appreciate if any EBS expert can shed some light on this.
Thanks in advance,
--
Best Regards,
Syed Jaffar Hussain
--
Best Regards,
Syed Jaffar Hussain
Oracle ACE Director <http://apex.oracle.com/pls/otn/f?p=19297:4:4640302666204919::NO:4:P4_ID:186>
Oracle Certified Master (10g)<http://education.oracle.com/education/otn/shussain.html>
Authored Expert Oracle RAC 12c<http://www.apress.com/9781430250449>
Oracle 11gR1/R2 RAC Essentials<http://link.packtpub.com/yNZicz>,
Oracle Exadata Expert's Handbook <http://www.pearsonhighered.com/educator/product/Oracle-Exadata-Experts-Handbook/9780321992604.page>
Oracle Problem Solving and Troubleshooting Handbook<http://www.pearson.com.au/products/A-C-Ault-Czuprynski/Oracle-Problem-Solving-and-Troubleshooting-Handbook/9780134429205?R=9780134429205>
Oracle Magazine DBA of year (2011)
OCP 8i/9i/10g/11g DBA, RAC Certified Expert, ITIL V3 foundation certified Mini MBA
Certified Oracle Exadata Database Machine Implementation Essentials Oracle Certified Expert, Oracle Exadata X3 and X4 Administrator Charity : www.sajcharity.org<http://www.sajcharity.org> I blog at : http://jaffardba.blogspot.com/ LinkedIn : http://www.linkedin.com/in/sjaffarhussain Follow me on twitter : http://twitter.com/#!/sjaffarhussain<http://twitter.com/#%21/sjaffarhussain>
"Winners don't do different things. They do things differently."
--
http://www.freelists.org/webpage/oracle-l Received on Wed Oct 10 2018 - 19:52:28 CEST