Re: Fine-Grained Auditing OCP Question

From: Howard J. Rogers <howardjr2000_at_yahoo.com.au>
Date: Thu, 13 Mar 2003 09:41:43 +1100
Message-Id: <pan.2003.03.12.22.41.42.882031@yahoo.com.au>


On Tue, 11 Mar 2003 01:44:21 +0000, Buck Turgidson wrote:

> I am wrestling with the following question (which I got wrong), and
> would like some opinions. I chose a and d, but apparently the correct
> answer is d and e. How could you differentiate access between internal
> and external users?
>
> In which 2 situations would Fine-Grained Auditing be beneficial:
>
> You need to track all accesses of the EMPLOYEE table.
> You need to identify all users who updated the CUSTOMER table on a
> specific date.
> You want to be able to compare the before and after values of each
> update of the PRICE column of the PRODUCT table.
> You want to alert the Human Resources Administrator any time someone
> accesses an executive's salary in the EMPLOYEE table.
> You want to allow unaudited access to the CONTACT_ADDRESS column of the
> CUSTOMER table from within your organization, but track any access to
> the CONTACT_ADDRESS column that occurs via the Internet.

The letters would have helped!!

But (a) is clearly the wrong answer, because Fine-Grained Auditing *only* audits select statements. So if you wanted "all" accesses to the EMPLOYEES table, you'd be fine on the selects, but missing rather a lot on the DML.

(b) is out because it refers to updates. No DML in FGA!!

(c) is out because FGA only captures SQL statements, not before and after images. Plus the mention of before and after images implies DML. And, er, no DML in FGA!!!

(d) is clearly in, because it's column-specific (a feature of FGA) and one is clearly supposed to re-invent the English language so as to correctly interpret the word "access" to mean "select". Despite the same word meaning "selects and DML" in (a). So welcome to OCP. Didn't they teach you how to re-parse the English language in DBA Fundamentals I????? Should have.

(e) is clearly in because it's column specific, and there's that word "access" again (which we assume is some new Americanism for 'select', unless preceded by the word "all" in which case, it implies DML as well).

As to how to distinguish between external and internal users: the FGA policy can make reference to the SYS.CONTEXT function, which appears a lot under any discussion of FGAC (fine-grained access control, which has sod-all to do with FGA, just in case the bewildering variety of acronyms was getting to you). SYS.CONTEXT can interrogate (as a for example) the IP address of the user, or whether they've come in via a proxy server. So (e) is very definitely in, because the distinguishing between internal and external users can only be done by using a function which is a hall-mark of FGA (and FGAC!!).

Regards
HJR

Received on Wed Mar 12 2003 - 16:41:43 CST
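
An added example, not part of the original post: one way scenario (e) could be expressed as an FGA policy, using Oracle's SYS_CONTEXT function to test the client IP address. The schema name SALES, the policy name and the 10.x internal address range are assumptions made for illustration.

```sql
-- Added illustration. SALES, CONTACT_ADDR_EXTERNAL and the 10.x "internal"
-- range are assumed values; CUSTOMER and CONTACT_ADDRESS come from the question.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'CUSTOMER',
    policy_name     => 'CONTACT_ADDR_EXTERNAL',
    -- Audit only when the session's client address is outside the internal
    -- range. IP_ADDRESS is NULL for local (non-network) connections, so the
    -- predicate evaluates to NULL there and those sessions are not audited.
    audit_condition => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') NOT LIKE ''10.%''',
    -- Column-specific: a SELECT that never touches CONTACT_ADDRESS is ignored.
    audit_column    => 'CONTACT_ADDRESS',
    enable          => TRUE);
END;
/

-- Review what the policy captured: the SQL text and who issued it.
SELECT timestamp, db_user, os_user, userhost, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'CONTACT_ADDR_EXTERNAL'
ORDER  BY timestamp;
```

If connections from the Internet arrive through a middle tier on an internal address, the database sees the middle tier's IP, so the condition needs whatever attribute actually separates the two populations in that deployment.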