parallel
Architecture Changes and New Security
Features in Oracle Database 12c
Zoran Pavlović, Security Team Lead, Paralle...
parallel
About the Authors
Zoran Pavlović, Security Team Lead
Zoran Pavlovic works for Parallel as a security team
leader....
parallel
About the Authors
Maja Veselica, Security Consultant
Maja Veselica, MSc in Software Engineering, works
for Parall...
parallel
Container and Pluggable
Databases
parallel
Share-nothing databases
Instance1
NonCDB1
Instance2
SGA SGA
User data
Obj$ Tab$ Source$
NonCDB1
User data
Obj$ Ta...
parallel
User data
Data Dictionary Separation
Obj$ Tab$ Source$ Obj$ Tab$ Source$
System Dictionary User Dictionary
parallel
User data
Data Dictionary Separation
Obj$ Tab$ Source$ Obj$ Tab$ Source$
parallel
User data
CDB
root PDB
Data Dictionary Separation
Obj$ Tab$ Source$ Obj$ Tab$ Source$
parallel
CDB
New Multi-Tenant Architecture
root
PDB1
PDB2
Instance
SGA
seed
System objects User-created objects
Dblink
parallel
Create Database as Container
parallel
Create PDB from Seed
$ sqlplus / as sysdba
SQL*Plus: Release 12.1.0.1.0 Production on Fri May 04 19:45:12 2013
Co...
parallel
Unplug PDB from CDB
SQL> ALTER PLUGGABLE DATABASE pdb1 UNPLUG INTO ’pdb1.xml’;
cdb1
root seed pdb1Unplug
pdb1.xml...
parallel
Plug Unplugged PDB in CDB
cdb2
root seed
pdb1.xml
pdb1 pdb1Plug-In
SQL> DBMS_PDB.CHECK_PLUG_COMPATIBILITY(pdb_des...
parallel
Upgrading 12c Database
Oracle 12.2
root seed
pdb1.xml
pdb1 pdb1Plug-In
Oracle 12.1
root seed pdb1Unplug
pdb1.xml
...
parallel
Cloning PDBs inside CDB
SQL> ALTER PLUGGABLE DATABASE pdb1 CLOSE;
Pluggable database altered.
SQL> ALTER PLUGGABL...
parallel
Plug NonCDB in CDB
SQL> EXEC DBMS_PDB.DESCRIBE ('/stage/noncdb/noncdb.xml’);
cdb1
root seed noncdbPlug-In
noncdb....
parallel
Common and Local Users,
Privileges and Roles
parallel
CDB
root pdb1
Common and Local Users
pdb2
c##zoransys loc_usr1 loc_usr2
c##zoran
sys
c##zoran
sys
Common users ar...
parallel
cdb1
root pdb1
Common and Local Users
c##zoransys
mgrc##zoran
sys
SQL> CONNECT / AS SYSDBA
Connected.
SQL> CREATE...
parallel
CDB
root pdb1
Common and Local Privileges
pdb2
c##zoran loc_usr1c##zoran
Common privileges are
privileges, that w...
parallel
cdb1
Common and Local Privileges
SQL> CONNECT / AS SYSDBA
Connected.
SQL> GRANT SELECT ANY TABLE
TO c##zoran CONT...
parallel
Common and Local Roles
Local roles are roles created in
PDB that exist in only one
container. These roles can be
...
parallel
cdb1
Adding Privs to Common and Local Roles
SQL> CREATE ROLE c##role1
CONTAINER = ALL;
Role created.
SQL> GRANT S...
parallel
cdb1
Granting Common and Local Roles
SQL> GRANT c##role1 to
c##zoran CONTAINER = ALL;
Grant succeeded.
SQL> GRANT...
parallel
SQL> connect / as sysdba
Connected.
SQL> create user c##zoran identified by oracle1 container=all;
User created.
...
parallel
Inherit Privileges
parallel
SQL> connect zoran/oracle1
Connected.
SQL> create user maja identified by oracle1;
User created.
SQL> grant creat...
parallel
SQL> exec maja.evil_proc;
PL/SQL procedure successfully completed.
SQL> connect maja/oracle1
Connected.
SQL> sele...
parallel
SQL> connect c##zoran/oracle1@pdb1
Connected.
SQL> create user maja identified by oracle1 container=current;
User...
parallel
SQL> exec maja.evil_proc;
ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
ORA-06512: at ”MA...
parallel
New PL/SQL Privilege Checking
SQL> create or replace procedure evil_proc
2 authid current_user
3 as
4 pragma auto...
parallel
New PL/SQL Privilege Checking
SQL> create or replace procedure evil_proc
2 authid current_user
3 as
4 pragma auto...
parallel
New PL/SQL Privilege Checking
SQL> create or replace procedure evil_proc
2 authid current_user
3 as
4 pragma auto...
parallel
New PL/SQL Privilege Checking
EXECUTE
ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
ORA-0...
parallel
New PL/SQL Privilege Checking
SQL> GRANT INHERIT PRIVILEGES ON USER c##zoran TO
maja;
maja
c##zoran
SQL> create o...
parallel
New PL/SQL Privilege Checking
EXECUTE
maja
SQL> create or replace procedure evil_proc
2 authid current_user
3 as
...
parallel
Code Based Access
Control
parallel
SQL> connect zoran/oracle1
Connected.
SQL> create user mike identified by oracle1;
User created.
SQL> create role...
parallel
SQL> exec c_table;
BEGIN c_table; END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at ”MIKE....
parallel
SQL> connect c##zoran/oracle1@pdb1
Connected.
SQL> create user mike identified by oracle1 container=current;
User...
parallel
SQL> exec c_table;
BEGIN c_table; END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at ”MIKE....
parallel
SQL> connect c##zoran/oracle1@pdb1
Connected.
SQL> create or replace procedure test
2 authid current_user
3 as
4 ...
parallel
SQL> connect john/oracle1@pdb1
Connected.
SQL> exec c##zoran.test;
PL/SQL procedure successfully completed.
SQL> ...
parallel
Data Reduction
parallel
Data Redaction - Full
DBMS_REDACT.ADD_POLICY
(object_schema => ‘GLDB’,
object_name => ’CUSTOMERS’,
policy_name =>...
parallel
Data Redaction - Partial
DBMS_REDACT.ADD_POLICY
(object_schema => ‘GLDB’,
object_name => ’CUSTOMERS’,
policy_name...
parallel
Data Redaction - Exemptions
DBMS_REDACT.ADD_POLICY
(object_schema => ‘GLDB’,
object_name => ’CUSTOMERS’,
policy_n...
parallel
Data Redaction - Exemptions
DBMS_REDACT.ADD_POLICY
(object_schema => ‘GLDB’,
object_name => ’CUSTOMERS’,
policy_n...
parallel
SQL> connect c##zoran/oracle1@pdb1
Connected.
SQL> BEGIN
2 DBMS_REDACT.ADD_POLICY (object_schema => ‘GLDB’,
3 obj...
parallel
SQL> connect maja/oracle1@pdb1
Connected.
SQL> select * from gldb.customers;
NAME CREDIT_CARD
---------------- --...
parallel
None
• Reduction is
NOT
applied
Full
• Columns
are
redacted to
constant
values
depending
on column
data type
Part...
parallel
New Administrative
Privileges
parallel
New Administrative Privileges
PRIVILEGE USERNAME DUTIES
SYSBACKUP SYSBACKUP
Backup and
recovery
operations in
RMA...
parallel
New SYSBACKUP Privilege
SQL> connect / as SYSBACKUP
Connected.
SQL> show user
USER is "SYSBACKUP"
SQL> select * f...
parallel
New SYSBACKUP Privilege
$ rman target ’”zoran/passwd@orcldb AS SYSBACKUP"’
Recovery Manager: Release 12.1.0.1.0 -...
parallel
New SYSDG Privilege
SQL> connect / as SYSDG
Connected.
SQL> show user
USER is “SYSDG"
SQL> select * from session_...
parallel
New SYSKM Privilege
SQL> connect / as SYSKM
Connected.
SQL> show user
USER is “SYSKM"
SQL> select * from session_...
parallel
Invisible Columns
parallel
Invisible columns
SQL> create table t(a int);
Table created.
SQL> desc t
Name Null? Type
----------------- ------...
parallel
SQL> insert into t(a,b) values(3,5);
1 rows inserted.
SQL> select a,b from t;
A B
------------ -------------
1
3 ...
parallel
SQL> select * from t;
A B
------------ -------------
1
3 5
Invisible columns
parallel
Thank you!
Upcoming SlideShare
Loading in …5
×

Database 12c

2,252 views
2,094 views

Published on

Oracle Database 12c

Published in: Technology
1 Comment
8 Likes
Statistics
Notes
  • can you please activate save link .. its a great documnet
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
2,252
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
1
Likes
8
Embeds 0
No embeds

No notes for slide

Database 12c

  1. 1. parallel Architecture Changes and New Security Features in Oracle Database 12c Zoran Pavlović, Security Team Lead, Parallel Maja Veselica, Security Consultant, Parallel
  2. 2. parallel About the Authors Zoran Pavlović, Security Team Lead Zoran Pavlovic works for Parallel as a security team leader. He has worked as an external instructor for Oracle University across EMEA region. As an active member of the Oracle community and a long-time database security enthusiast, Zoran frequently delivers technical presentations and demonstrations about Oracle technologies in Serbia, Croatia, Bulgaria, and online across the Globe. He is an Oracle Certified Professional, Oracle Certified Expert and Oracle Certified Specialist for Database, Security and Java. When Zoran is not helping customers solve various problems in Oracle Database, he enjoys learning more about how Oracle Database works and (beta) testing Oracle products Twitter: @orclarchitect
  3. 3. parallel About the Authors Maja Veselica, Security Consultant Maja Veselica, MSc in Software Engineering, works for Parallel d.o.o. Belgrade, as Security Consultant and Education Manager. She is an instructor for numerous Oracle courses and a regular speaker at Oracle User Group conferences (SrOUG, HrOUG, BGOUG). She possesses several Oracle certificates, such as: Oracle Certified Professional, Oracle Certified Expert and Oracle Certified Specialist for Database, Security and Java. When Maja is not helping customers solve various challenges using Oracle technologies, she enjoys (beta) testing Oracle products. Twitter: @orapassion
  4. 4. parallel Container and Pluggable Databases
  5. 5. parallel Share-nothing databases Instance1 NonCDB1 Instance2 SGA SGA User data Obj$ Tab$ Source$ NonCDB1 User data Obj$ Tab$ Source$
  6. 6. parallel User data Data Dictionary Separation Obj$ Tab$ Source$ Obj$ Tab$ Source$ System Dictionary User Dictionary
  7. 7. parallel User data Data Dictionary Separation Obj$ Tab$ Source$ Obj$ Tab$ Source$
  8. 8. parallel User data CDB root PDB Data Dictionary Separation Obj$ Tab$ Source$ Obj$ Tab$ Source$
  9. 9. parallel CDB New Multi-Tenant Architecture root PDB1 PDB2 Instance SGA seed System objects User-created objects Dblink
  10. 10. parallel Create Database as Container
  11. 11. parallel Create PDB from Seed $ sqlplus / as sysdba SQL*Plus: Release 12.1.0.1.0 Production on Fri May 04 19:45:12 2013 Copyright (c) 1982, 2012, Oracle. All rights reserved. Connected to: Oracle Database 12c Enterprise Edition Release 12.1.0.1.0 - 64bit Production With the Partitioning, OLAP, Data Mining, Real Application Testing and Unified Auditing options SQL> CREATE PLUGGABLE DATABASE pdb1 ADMIN USER pdb1_admin 2 IDENTIFIED BY oracle_4U ROLES=(CONNECT) 3 FILE_NAME_CONVERT=('/u01/app/oracle/oradata/cdb1/pdbseed' 4 ,'/u01/app/oracle/oradata/cdb1/pdb1'); Pluggable database created. cdb1 root pdb1seed Clone
  12. 12. parallel Unplug PDB from CDB SQL> ALTER PLUGGABLE DATABASE pdb1 UNPLUG INTO ’pdb1.xml’; cdb1 root seed pdb1Unplug pdb1.xml SQL> DROP PLUGGABLE DATABASE pdb1 KEEP DATAFILES; pdb1 SQL> ALTER PLUGGABLE DATABASE pdb1 OPEN READ ONLY;
  13. 13. parallel Plug Unplugged PDB in CDB cdb2 root seed pdb1.xml pdb1 pdb1Plug-In SQL> DBMS_PDB.CHECK_PLUG_COMPATIBILITY(pdb_descr_file => ‘/stage/pdb1.xml’, store_report => TRUE); SQL> CREATE PLUGGABLE DATABASE pdb1 USING '/stage/pdb1.xml' NOCOPY; SQL> ALTER PLUGGABLE DATABASE pdb1 OPEN READ WRITE;
  14. 14. parallel Upgrading 12c Database Oracle 12.2 root seed pdb1.xml pdb1 pdb1Plug-In Oracle 12.1 root seed pdb1Unplug pdb1.xml pdb1
  15. 15. parallel Cloning PDBs inside CDB SQL> ALTER PLUGGABLE DATABASE pdb1 CLOSE; Pluggable database altered. SQL> ALTER PLUGGABLE DATABASE pdb1 OPEN READ ONLY; Pluggable database altered. SQL> ALTER SYSTEM SET db_create_file_dest = '/u01/app/oracle/oradata/cdb1/pdb2'; System altered. SQL> CREATE PLUGGABLE DATABASE pdb2 FROM pdb1; Pluggable database created. SQL> ALTER PLUGGABLE DATABASE pdb2 OPEN; Pluggable database altered. cdb1 root pdb1seed Clone pdb2
  16. 16. parallel Plug NonCDB in CDB SQL> EXEC DBMS_PDB.DESCRIBE ('/stage/noncdb/noncdb.xml’); cdb1 root seed noncdbPlug-In noncdb.xml SQL> CREATE PLUGGABLE DATABASE pdb3 USING '/stage/noncdb.xml' NOCOPY; SQL> @$ORACLE_HOME/rdbms/admin/noncdb_to_pdb.sql pdb3
  17. 17. parallel Common and Local Users, Privileges and Roles
  18. 18. parallel CDB root pdb1 Common and Local Users pdb2 c##zoransys loc_usr1 loc_usr2 c##zoran sys c##zoran sys Common users are users created in root container, that have same identity across all containers. Local users are users that are created and exist in only one PDB. They can’t be created in root.
  19. 19. parallel cdb1 root pdb1 Common and Local Users c##zoransys mgrc##zoran sys SQL> CONNECT / AS SYSDBA Connected. SQL> CREATE USER c##zoran IDENTIFIED BY oracle1 CONTAINER = ALL; User created. SQL> CONNECT c##zoran/oracle1@pdb1 Connected. SQL> CREATE USER mgr IDENTIFIED BY oracle1 CONTAINER = CURRENT; User created. loc_usr1 Common user created by common user: Local user created by common user: SQL> CONNECT mgr/oracle1@pdb1 Connected. SQL> CREATE USER loc_usr1 IDENTIFIED BY password; User created. Local user created by local user:
  20. 20. parallel CDB root pdb1 Common and Local Privileges pdb2 c##zoran loc_usr1c##zoran Common privileges are privileges, that when granted can be exercised across all containers. Local privileges are privileges, that when granted can be exercised in context of a single PDB. loc_usr2c##zoran
  21. 21. parallel cdb1 Common and Local Privileges SQL> CONNECT / AS SYSDBA Connected. SQL> GRANT SELECT ANY TABLE TO c##zoran CONTAINER = ALL; Grant succeeded. SQL> CONNECT sys/oracle1@pdb1 AS SYSDBA Connected. SQL> GRANT UPDATE ANY TABLE TO c##zoran CONTAINER = CURRENT; Grant succeeded. Common privilege granted by common user to common user: Local privilege granted by common user to common user: SQL> CONNECT mgr/oracle1@pdb1 Connected. SQL> GRANT UPDATE ANY TABLE TO loc_usr1; Grant succeeded. Local privilege granted by local user to local user: root pdb1 c##zoran loc_usr1c##zoran
  22. 22. parallel Common and Local Roles Local roles are roles created in PDB that exist in only one container. These roles can be granted only locally to either common or local users or roles. Common roles are roles created in root container, that exist in all containers. These roles can have different set of privileges in different containers, and can be granted to either common or local users or roles. CDB root pdb1 pdb2 c##role1 c##role1 loc_role1 c##role1 loc_role2
  23. 23. parallel cdb1 Adding Privs to Common and Local Roles SQL> CREATE ROLE c##role1 CONTAINER = ALL; Role created. SQL> GRANT SELECT ANY TABLE TO c##role1 CONTAINER = ALL; Grant succeeded. SQL> GRANT CREATE TABLE TO c##role1; SQL> CREATE ROLE loc_role1 CONTAINER = CURRENT; Role created. SQL> GRANT UPDATE ANY TABLE TO loc_role1; Grant succeeded. SQL> GRANT ALTER USER TO c##role1; Grant succeeded. SQL> GRANT loc_role1 TO c##role1 CONTAINER = CURRENT; Grant succeeded. SQL> GRANT c##role1 TO loc_role2 CONTAINER = CURRENT; Grant succeeded. root pdb1 in root container: in pdb1 container:
  24. 24. parallel cdb1 Granting Common and Local Roles SQL> GRANT c##role1 to c##zoran CONTAINER = ALL; Grant succeeded. SQL> GRANT c##role2 to c##zoran CONTAINER = CURRENT; Grant succeeded. SQL> GRANT c##role2 to c##zoran CONTAINER = CURRENT; Grant succeeded. SQL> GRANT loc_role to c##zoran CONTAINER = CURRENT; Grant succeeded. SQL> GRANT c##role2 to loc_usr1 CONTAINER = CURRENT; Grant succeeded. GRANT loc_role to loc_usr1 CONTAINER = CURRENT; Grant succeeded. root pdb1
  25. 25. parallel SQL> connect / as sysdba Connected. SQL> create user c##zoran identified by oracle1 container=all; User created. SQL> grant create session, drop any synonym to c##zoran container=all; Grant succeeded. SQL> connect sys/oracle1@pdb1 as sysdba Connected. SQL> grant drop any table to c##zoran container=current; Grant succeeded. SQL> connect c##zoran/oracle1@pdb1 Connected. SQL> drop synonym customers_syn; Synonym dropped. SQL> drop table gldb.customers; Table dropped. SQL> connect c##zoran/oracle1@pdb2 Connected. SQL> drop synonym test_syn; Synonym dropped. SQL> drop table test.a; drop table test.a * ERROR at line 1: ORA-00942: table or view does not exist
  26. 26. parallel Inherit Privileges
  27. 27. parallel SQL> connect zoran/oracle1 Connected. SQL> create user maja identified by oracle1; User created. SQL> grant create session, create procedure to maja; Grant succeeded. SQL> connect maja/oracle1; Connected. SQL> select * from session_roles; No rows selected. SQL> create or replace procedure evil_proc 3 authid current_user 4 as 5 pragma autonomous_transaction; 6 begin 9 execute immediate 'grant dba to maja’; 10 end; 11 / Procedure created. SQL> grant execute on evil_proc to zoran; Grant succeeded. SQL> connect zoran/oracle1 Connected. SQL> exec maja.evil_proc;
  28. 28. parallel SQL> exec maja.evil_proc; PL/SQL procedure successfully completed. SQL> connect maja/oracle1 Connected. SQL> select * from session_roles; ROLE ------------------------------ DBA SELECT_CATALOG_ROLE EXECUTE_CATALOG_ROLE ... XDB_SET_INVOKER OLAP_DBA OLAP_XS_ADMIN 19 rows selected. Inherit Privileges
  29. 29. parallel SQL> connect c##zoran/oracle1@pdb1 Connected. SQL> create user maja identified by oracle1 container=current; User created. SQL> grant create session, create procedure to maja container=current; Grant succeeded. SQL> connect maja/oracle1@pdb1; Connected. SQL> select * from session_roles; No rows selected. SQL> create or replace procedure evil_proc 3 authid current_user 4 as 5 pragma autonomous_transaction; 6 begin 9 execute immediate 'grant dba to maja’; 10 end; 11 / Procedure created. SQL> grant execute on evil_proc to c##zoran; Grant succeeded. SQL> connect c##zoran/oracle1@pdb1 Connected. SQL> exec maja.evil_proc;
  30. 30. parallel SQL> exec maja.evil_proc; ERROR at line 1: ORA-06598: insufficient INHERIT PRIVILEGES privilege ORA-06512: at ”MAJA.EVIL_PROC", line 1 ORA-06512: at line 1 SQL> grant inherit privileges on user c##zoran to maja; Grant succeeded. SQL> exec maja.evil_proc; PL/SQL procedure successfully completed. SQL> connect maja/oracle1 Connected. SQL> select * from session_roles; ROLE ------------------------------ DBA SELECT_CATALOG_ROLE ... 19 rows selected. Inherit Privileges
  31. 31. parallel New PL/SQL Privilege Checking SQL> create or replace procedure evil_proc 2 authid current_user 3 as 4 pragma autonomous_transaction; 5 begin 6 execute immediate 'grant dba to maja’; 7 end; 8 / maja c##zoran
  32. 32. parallel New PL/SQL Privilege Checking SQL> create or replace procedure evil_proc 2 authid current_user 3 as 4 pragma autonomous_transaction; 5 begin 6 execute immediate 'grant dba to maja’; 7 end; 8 / maja c##zoran SQL> GRANT EXECUTE ON MAJA.EVIL_PROC TO c##zoran;
  33. 33. parallel New PL/SQL Privilege Checking SQL> create or replace procedure evil_proc 2 authid current_user 3 as 4 pragma autonomous_transaction; 5 begin 6 execute immediate 'grant dba to maja’; 7 end; 8 / maja c##zoran EXECUTE
  34. 34. parallel New PL/SQL Privilege Checking EXECUTE ERROR at line 1: ORA-06598: insufficient INHERIT PRIVILEGES privilege ORA-06512: at ”maja.evil_proc", line 1 ORA-06512: at line 1 maja c##zoran SQL> create or replace procedure evil_proc 2 authid current_user 3 as 4 pragma autonomous_transaction; 5 begin 6 execute immediate 'grant dba to maja’; 7 end; 8 /
  35. 35. parallel New PL/SQL Privilege Checking SQL> GRANT INHERIT PRIVILEGES ON USER c##zoran TO maja; maja c##zoran SQL> create or replace procedure evil_proc 2 authid current_user 3 as 4 pragma autonomous_transaction; 5 begin 6 execute immediate 'grant dba to maja’; 7 end; 8 /
  36. 36. parallel New PL/SQL Privilege Checking EXECUTE maja SQL> create or replace procedure evil_proc 2 authid current_user 3 as 4 pragma autonomous_transaction; 5 begin 6 execute immediate 'grant dba to maja’; 7 end; 8 / c##zoran
  37. 37. parallel Code Based Access Control
  38. 38. parallel SQL> connect zoran/oracle1 Connected. SQL> create user mike identified by oracle1; User created. SQL> create role proc_role; Role created. SQL> grant create session, create procedure, create table to proc_role; Grant succeeded. SQL> grant proc_role to mike; Grant succeeded. SQL> connect mike/oracle1 Connected. SQL> create or replace procedure c_table 2 as 3 begin 4 execute immediate ‘create table test(a int)’; 5 end; 6 / Procedure created. SQL> exec c_table; Code Based Access Control
  39. 39. parallel SQL> exec c_table; BEGIN c_table; END; * ERROR at line 1: ORA-01031: insufficient privileges ORA-06512: at ”MIKE.C_TABLE", line 4 ORA-06512: at line 1 Code Based Access Control
  40. 40. parallel SQL> connect c##zoran/oracle1@pdb1 Connected. SQL> create user mike identified by oracle1 container=current; User created. SQL> create role proc_role container=current; Role created. SQL> grant create session, create procedure, create table to proc_role; Grant succeeded. SQL> grant proc_role to mike; Grant succeeded. SQL> connect mike/oracle1@pdb1 Connected. SQL> create or replace procedure c_table 2 as 3 begin 4 execute immediate ‘create table test(a int)’; 5 end; 6 / Procedure created. SQL> exec c_table; Code Based Access Control
  41. 41. parallel SQL> exec c_table; BEGIN c_table; END; * ERROR at line 1: ORA-01031: insufficient privileges ORA-06512: at ”MIKE.C_TABLE", line 4 ORA-06512: at line 1 SQL> grant proc_role to procedure c_table; Grant succeeded. SQL> exec c_table; PL/SQL procedure successfully completed. SQL> desc test Name Null? Type ----------------- -------- ------------ A NUMBER(38) Code Based Access Control
  42. 42. parallel SQL> connect c##zoran/oracle1@pdb1 Connected. SQL> create or replace procedure test 2 authid current_user 3 as 4 begin 5 execute immediate ‘create table tjohn(z int)’; 6 end; 7 / Procedure created. SQL> create user john identified by oracle1 container=current; User created. SQL> grant create session to john; Grant succeeded. SQL> create role test_role container=current; Role created. SQL> grant create table to test_role; Grant succeeded. SQL> grant test_role to procedure test; Grant succeeded. SQL> grant execute on test to john; Grant succeeded. Code Based Access Control
  43. 43. parallel SQL> connect john/oracle1@pdb1 Connected. SQL> exec c##zoran.test; PL/SQL procedure successfully completed. SQL> desc tjohn Name Null? Type ----------------- -------- ------------ Z NUMBER(38) Code Based Access Control
  44. 44. parallel Data Reduction
  45. 45. parallel Data Redaction - Full DBMS_REDACT.ADD_POLICY (object_schema => ‘GLDB’, object_name => ’CUSTOMERS’, policy_name => ’CCN_POLICY', column_name => ’CREDIT_CARD', function_type => DBMS_REDACT.FULL, expression => ‘7=7'); NAME CREDIT_CARD tom 3455647456589132 mike 3734982321225691 john 3472586894975806 CUSTOMERS NAME CREDIT_CARD tom 0 mike 0 john 0 SQL> SELECT * FROM CUSTOMERS;
  46. 46. parallel Data Redaction - Partial DBMS_REDACT.ADD_POLICY (object_schema => ‘GLDB’, object_name => ’CUSTOMERS’, policy_name => ’CCN_POLICY', column_name => ’CREDIT_CARD', function_type => DBMS_REDACT.PARTIAL, function_parameters => 'VVVVVVVVVVVVVVVV, VVVV-VVVV-VVVV-VVVV, #,1,12’ expression => ‘7=7'); NAME CREDIT_CARD tom 3455647456589132 mike 3734982321225691 john 3472586894975806 CUSTOMERS SQL> SELECT * FROM CUSTOMERS; NAME CREDIT_CARD tom ####-####-####-9132 mike ####-####-####-5691 john ####-####-####-5806
  47. 47. parallel Data Redaction - Exemptions DBMS_REDACT.ADD_POLICY (object_schema => ‘GLDB’, object_name => ’CUSTOMERS’, policy_name => ’CCN_POLICY', column_name => ’CREDIT_CARD', function_type => DBMS_REDACT.FULL, expression => ‘7=7'); NAME CREDIT_CARD tom 3455647456589132 mike 3734982321225691 john 3472586894975806 CUSTOMERS RMAN> BACKUP TABLESPACE gltbs; NAME CREDIT_CARD tom 3455647456589132 mike 3734982321225691 john 3472586894975806
  48. 48. parallel Data Redaction - Exemptions DBMS_REDACT.ADD_POLICY (object_schema => ‘GLDB’, object_name => ’CUSTOMERS’, policy_name => ’CCN_POLICY', column_name => ’CREDIT_CARD', function_type => DBMS_REDACT.FULL, expression => ‘7=7'); NAME CREDIT_CARD tom 3455647456589132 mike 3734982321225691 john 3472586894975806 CUSTOMERS NAME CREDIT_CARD tom 3455647456589132 mike 3734982321225691 john 3472586894975806 SQL> SELECT * FROM CUSTOMERS; User with EXEMPT REDUCTION POLICY
  49. 49. parallel SQL> connect c##zoran/oracle1@pdb1 Connected. SQL> BEGIN 2 DBMS_REDACT.ADD_POLICY (object_schema => ‘GLDB’, 3 object_name => ’CUSTOMERS’, 4 policy_name => ’CCN_POLICY', 5 column_name => ’CREDIT_CARD', 6 function_type => DBMS_REDACT.PARTIAL, 7 function_parameters => 'VVVVVVVVVVVVVVVV, VVVV-VVVV-VVVV-VVVV, #,1,12’ 8 expression => ‘7=7'); 9 END; 10 / PL/SQL procedure successfully completed. SQL> select * from gldb.customers; NAME CREDIT_CARD ---------------- -------------------- tom 3455647456589132 mike 3734982321225691 john 3472586894975806 SQL> grant select on gldb.customers to maja; Grant succeeded. Data Redaction - Example
  50. 50. parallel SQL> connect maja/oracle1@pdb1 Connected. SQL> select * from gldb.customers; NAME CREDIT_CARD ---------------- -------------------- tom ####-####-####-9132 mike ####-####-####-5691 john ####-####-####-5806 SQL> select * from gldb.customers where credit_card like ‘3472%’; NAME CREDIT_CARD ---------------- -------------------- john ####-####-####-5806 Data Redaction - Example
  51. 51. parallel None • Reduction is NOT applied Full • Columns are redacted to constant values depending on column data type Partial • User- specified positions are replaced by a user- specified character Regular Expression • Pattern for matching and replacing is defined and used for reduction Random • Preserves data types • Randomizes output Available Reduction Types
  52. 52. parallel New Administrative Privileges
  53. 53. parallel New Administrative Privileges PRIVILEGE USERNAME DUTIES SYSBACKUP SYSBACKUP Backup and recovery operations in RMAN and SQL. SYSDG SYSDG Managing Data Guard with Data Guard Broker. SYSKM SYSKM Managing keys for TDE. Password file format_12c
  54. 54. parallel New SYSBACKUP Privilege SQL> connect / as SYSBACKUP Connected. SQL> show user USER is "SYSBACKUP" SQL> select * from session_privs; PRIVILEGE ---------------------------------------- SYSBACKUP SELECT ANY TRANSACTION SELECT ANY DICTIONARY RESUMABLE CREATE ANY DIRECTORY ALTER DATABASE AUDIT ANY CREATE ANY CLUSTER CREATE ANY TABLE UNLIMITED TABLESPACE DROP TABLESPACE ALTER TABLESPACE ALTER SESSION ALTER SYSTEM 14 rows selected. SQL>
  55. 55. parallel New SYSBACKUP Privilege $ rman target ’”zoran/passwd@orcldb AS SYSBACKUP"’ Recovery Manager: Release 12.1.0.1.0 - Beta on Tue May 07 17:41:37 2013 Copyright (c) 1982, 2012, Oracle and/or its affiliates. All rights reserved. connected to target database: ORCLDB (DBID=1625181741) RMAN> select user from dual; using target database control file instead of recovery catalog USER ------------------------------ SYSBACKUP RMAN> SQL> connect / as SYSBACKUP Connected. SQL> SELECT TABLE_NAME FROM DBA_TABLES 2 WHERE OWNER = ‘GLDB’; TABLE_NAME ---------------------------------------- CUSTOMERS ORDERS SQL> SELECT * FROM GLDB.CUSTOMERS; SELECT * FROM GLDB.CUSTOMERS * ERROR at line 1: ORA-01031: insufficient privileges
  56. 56. parallel New SYSDG Privilege SQL> connect / as SYSDG Connected. SQL> show user USER is “SYSDG" SQL> select * from session_privs; PRIVILEGE --------------------------------------- - SYSDG ALTER SYSTEM ALTER SESSION ALTER DATABASE SELECT ANY DICTIONARY 5 rows selected. SQL>
  57. 57. parallel New SYSKM Privilege SQL> connect / as SYSKM Connected. SQL> show user USER is “SYSKM" SQL> select * from session_privs; PRIVILEGE ---------------------------------------- SYSKM ADMINISTER KEY MANAGEMENT 2 rows selected. SQL>
  58. 58. parallel Invisible Columns
  59. 59. parallel Invisible columns SQL> create table t(a int); Table created. SQL> desc t Name Null? Type ----------------- -------- ------------ A NUMBER(38) SQL> insert into t(a) values(1); 1 rows inserted. SQL> alter table add(b int invisible); Table altered. SQL> desc t Name Null? Type ----------------- -------- ------------ A NUMBER(38) SQL> select * from t; A ------------ 1
  60. 60. parallel SQL> insert into t(a,b) values(3,5); 1 rows inserted. SQL> select a,b from t; A B ------------ ------------- 1 3 5 SQL> alter table t modify(b visible); Table altered. SQL> desc t Name Null? Type ----------------- -------- ------------ A NUMBER(38) B NUMBER(38) Invisible columns
  61. 61. parallel SQL> select * from t; A B ------------ ------------- 1 3 5 Invisible columns
  62. 62. parallel Thank you!

×