Access Denied:
Real-World Use Cases for APEX
and Real Application Security
Jim Czuprynski
@JimTheWhyGuy
Zero Defect Computing, Inc.
Karen Cannell
@thtechnology
TH Technology
Jim Czuprynski: Who Am I, and What Am I Doing Here?
➢E-mail me at jim@jimthewhyguy.com
➢Follow me on Twitter (@JimTheWhyGuy)
➢Connect with me on LinkedIn (Jim Czuprynski)
Traveler & public speaker (Summers: Wisconsin; Winters: Illinois)
Cyclist, XC skier, avid amateur bird watcher, oldest dude in martial arts class
Podcast with Liron Amitzi: https://www.beyondtechskills.com
The podcast that talks about everything tech – except tech.™
Karen Cannell: About Me …
• TH Technology – Oracle Consulting Services, APEX Focus
• Mechanical/SW Engineer – Analyzed, designed, developed, converted, upgraded, enhanced legacy & Oracle database applications for 30+ years
• Web/APEX applications for Govt, Medical, Engineering, Fisheries since HTMLDB
• ODTUG Vice President, Kscope Conference Chair, Editor Emeritus, Technical Journal
• APress Author
• Oracle ACE Director
➢E-mail me at kcannell@thtechnology.com
➢Follow me on Twitter (@thtechnology)
➢Connect with me on LinkedIn (Karen Cannell)
A Tricky Business Problem, Vexing DevOps As Well As DBAs
The Business Problem: A government agency’s complex data warehouse-based application must strictly limit each user to access only the confidential data they are permitted to view
Access Methods:
• Most users access their data via desktop or mobile apps written in APEX …
• … but a small number of privileged users leverage SQL*Plus or other native SQL tools
Environment:
• Data model includes multiple schemas, each containing complex views and MVs
• Multiple APEX applications developed / evolved over 20+ years, dating back to HTMLDB
Security:
• Strict data access and confidentiality rules must be enforced, based on complex overlapping requirements from multiple state and federal government agencies
• DevOps are tired of rewriting / duplicating security rules throughout several applications
• DBAs are tired of responding to requests for out-of-band custom reporting / extracts
You Said VPD. Did You Mean RAS?
“Good news! Our client suggests we implement VPD!”
Virtual Private Database (VPD): Relatively ancient
• Uses query rewrite via WHERE clause predicates to limit data access
• Focused on database, not application, technology
• Inadequate management of newer identity management techniques
Real Application Security (RAS): VPD 2.0
✓Much more secure
✓Extremely flexible security policies
✓Scalable to thousands of different users connecting via SQL tools / APEX / SSO
✓Cost effective – implement it just once
✓Security is enforced within the DB kernel
“Uh-huh, that’s nice! Did you tell them about RAS?”
How RAS Handles Data Access Requests
[Diagram: Web connections (APEX, Java, OCI) and Direct connections (SQL*Plus, SQLcl) → Oracle Database → RAS Security Policies → Data Realm ACLs (each holding one or more ACEs) → ORDERS, LINEITEM, SUPPLIER, CUSTOMER]
1. Users initiate DB connections as RAS users
2. RAS determines security policy based on connecting user
3. Appropriate permissions to allow or deny access to data within tables are applied via Access Control Lists (ACLs)
4. Only appropriate data is returned (if any at all!)
RAS: Components and Concepts
Every application session that needs security implemented is assigned a RAS session during connection to the database. Note that direct connections are assigned a RAS session as well.
Access to database objects and the data stored within is strictly controlled through RAS security policies as well.
SECCLS Security Class controls access to all objects in TPCH schema
RAS Components: ACLs, ACEs, Realms, Policies, & Classes
[Diagram of the TPCH example, summarized:]
App Users → App Roles:
• TPCH_SUPV → TPCH_FULL_ROLE (FULLDML)
• TPCH_DWRO → TPCH_READONLY_ROLE (READONLY)
• APP_DWRO → TPCH_READONLY_ROLE (READONLY)
ACLs, ACEs, and Realms:
• TPCH_SUPV_ACL – ACE: SELECT, INSERT, UPDATE, DELETE – REALM: 1 = 1
• TPCH_DWRO_ACL – ACE: SELECT – REALMs: C_NATIONKEY = {19,21} and C_NATIONKEY = {20,22,23}
Security Policies:
• CUSTOMER_DS on CUSTOMER (the realms above)
• ORDERS_DS on ORDERS – REALM: CHILD OF CUSTOMER
• LINEITEM_DS on LINEITEM – REALM: CHILD OF ORDERS
DW_SC and SAFIS_SC Security Classes control access to all objects in ACCSP schemas
RAS Components: ACLs, ACEs, Realms, Policies, & Classes
[Diagram of the ACCSP example, summarized:]
App Users → App Roles:
• JSIMPSON, KCANNELL, JIMCZUPRYN → DWRO_ROLE (READONLY) or SAFIS_ROLE (FULLDML)
ACLs, ACEs, and Realms:
• SAFIS_ACL – ACE: SELECT, INSERT, UPDATE, DELETE – REALM: 1 = 1
• DW_ACL – ACE: SELECT – REALMs: DATA_SOURCE IN ('0016','0022','0031') and DATA_SOURCE IN ('0001','0002','0003')
Data Security Policies:
• ACCSP_DATA_SOURCE on CONSOLIDATED_REPORTS (the realms above)
• ACCSP_SUBSAMPLE on CONSOLIDATED_LANDINGS – REALM: CHILD OF CONSOLIDATED_REPORTS
RAS Terminology
Principal: Either an application user / role or a database user / role
Application Session: A lightweight connection to the database through which only permitted data may be accessed
Application User: Like a traditional database user account, but only used within an application session to connect to the database, either via the middle tier or by connecting directly to the database. Application users do not own schemas
Application Role: Uses one or more ACLs – not database grants – to map privileges to application users or application roles. (Application roles can be granted database privileges by being granted a database role)
Application Privilege: A right or permission either granted or denied to a principal. Application privileges can also be aggregated so that they imply other rights or permissions
Access Control Entry (ACE): Grants or denies a particular set of privileges to a particular application user or role. Note that an ACE doesn’t specify which data to protect; that only happens when the ACL is associated with specific target data, thus creating a data realm
Access Control List (ACL): A collection of ACEs that permit or deny application privileges to specific users
Security Class: The scope for a set of application privileges, typically associated with an ACL. The ACL then grants application privileges within the security class to specific principals
Data Realm: A specific filter that’s applied to rows within the table – for example, limiting a user’s view of rows in TPCH.CUSTOMERS to only those whose C_NATIONKEY column contains a value of 24 (USA)
Data Security Policy: Protects database rows and columns within tables from unauthorized access. Only rows from the specified data realms, and only the columns permitted to be viewed, will show data
TPC-H: A Perfect Schema for RAS Demonstrations
Entities and Relationships:
• CUSTOMER – Purchasers of PARTS and SUPPLIES
• NATION – Country where Customer resides
• REGION – Global area
• ORDERS – Records what each Customer has purchased over time
• LINEITEM – Items and services purchased for each Order
• PARTSUPP – Combines PART and SUPPLY entities
• PART – Items available for purchase
• SUPPLY – Services provided
Obscuring Rows and Columns For Specific Users
. . .
realms :=
  XS$REALM_CONSTRAINT_LIST(
    XS$REALM_CONSTRAINT_TYPE(
      -- single quotes inside the realm predicate must be doubled within the PL/SQL string literal
      realm    => 'C_NATIONKEY IN (SELECT RSU_NATIONKEY FROM TPCH.RAS_SECURED_USERS
                   WHERE RSU_USERNAME = XS_SYS_CONTEXT(''XS$SESSION'', ''SESSION_XS_USER''))'
     ,acl_list => XS$NAME_LIST('TPCH.SUPR_ACL', 'TPCH.DWRO_ACL')
    )
  );
collims :=
  XS$COLUMN_CONSTRAINT_LIST(
    XS$COLUMN_CONSTRAINT_TYPE(
      column_list => XS$LIST('C_MKTSEGMENT', 'C_NAME')
     ,privilege   => 'VIEW_RESTRICTED_PARTICIPANT_INFO'
    )
  );
SYS.XS_DATA_SECURITY.CREATE_POLICY(
  name                   => 'TPCH.CUSTOMER_DS'
 ,realm_constraint_list  => realms
 ,column_constraint_list => collims
);
. . .
The realm constraint establishes the realm in which values for C_NATIONKEY are used to limit the rows retrieved for each specific user account …
… and the column constraint establishes the list of columns whose data is hidden within that realm as well
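As an added example (not code from the presentation), here is the remaining plumbing that the policy on this slide needs, using the documented RAS PL/SQL packages: an application role for read-only access, a second role that carries the custom column privilege, the TPCH SECCLS security class declaring that privilege, the DWRO_ACL with one ACE per role, and the policy applied to TPCH.CUSTOMER. The role name TPCH_VIEW_PARTINFO_ROLE and the security class name TPCH.SECCLS are assumptions; the realm predicate, column list and privilege name are the ones on this slide.

```sql
-- Added example: end-to-end RAS setup for the CUSTOMER policy shown above.
-- Assumed names (not from the presentation): TPCH_VIEW_PARTINFO_ROLE, TPCH.SECCLS.
-- Run as a database user holding the RAS administration privileges.
BEGIN
  -- 1. Application roles that the ACEs refer to. They are granted to RAS
  --    application users (XS_PRINCIPAL.GRANT_ROLES) or, for RAS External users,
  --    enabled dynamically from APEX as the post_auth procedure in this deck does.
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'TPCH_READONLY_ROLE',      enabled => TRUE);
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'TPCH_VIEW_PARTINFO_ROLE', enabled => TRUE);

  -- 2. Security class: inherits the standard DML privileges (SELECT, INSERT,
  --    UPDATE, DELETE) and adds the custom privilege named in the column constraint.
  SYS.XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'TPCH.SECCLS',
    parent_list => XS$NAME_LIST('SYS.DML'),
    priv_list   => XS$PRIVILEGE_LIST(
                     XS$PRIVILEGE(name => 'VIEW_RESTRICTED_PARTICIPANT_INFO')));

  -- 3. ACL with two ACEs: the read-only role gets SELECT; only the second role
  --    gets the privilege that unmasks the constrained columns.
  SYS.XS_ACL.CREATE_ACL(
    name      => 'TPCH.DWRO_ACL',
    ace_list  => XS$ACE_LIST(
                   XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
                               principal_name => 'TPCH_READONLY_ROLE'),
                   XS$ACE_TYPE(privilege_list => XS$NAME_LIST('VIEW_RESTRICTED_PARTICIPANT_INFO'),
                               principal_name => 'TPCH_VIEW_PARTINFO_ROLE')),
    sec_class => 'TPCH.SECCLS');

  -- 4. Data security policy: the realm and column constraints from this slide.
  --    The realm predicate is evaluated per session against the RAS user name.
  SYS.XS_DATA_SECURITY.CREATE_POLICY(
    name                   => 'TPCH.CUSTOMER_DS',
    realm_constraint_list  => XS$REALM_CONSTRAINT_LIST(
      XS$REALM_CONSTRAINT_TYPE(
        realm    => 'C_NATIONKEY IN (SELECT RSU_NATIONKEY FROM TPCH.RAS_SECURED_USERS'
                 || ' WHERE RSU_USERNAME = XS_SYS_CONTEXT(''XS$SESSION'', ''SESSION_XS_USER''))',
        acl_list => XS$NAME_LIST('TPCH.DWRO_ACL'))),
    column_constraint_list => XS$COLUMN_CONSTRAINT_LIST(
      XS$COLUMN_CONSTRAINT_TYPE(
        column_list => XS$LIST('C_MKTSEGMENT', 'C_NAME'),
        privilege   => 'VIEW_RESTRICTED_PARTICIPANT_INFO')));

  -- 5. Attach the policy to the table. From here on every RAS session, whether it
  --    arrived via APEX or via SQL*Plus, sees only its realm's rows and gets NULL in
  --    the two constrained columns unless an enabled role carries the privilege.
  SYS.XS_DATA_SECURITY.APPLY_OBJECT_POLICY(
    policy => 'TPCH.CUSTOMER_DS',
    schema => 'TPCH',
    object => 'CUSTOMER');
END;
/
```

Because the column constraint is keyed to a privilege that an ACE grants, a session whose roles lack VIEW_RESTRICTED_PARTICIPANT_INFO still receives the rows its realm permits but sees NULL in C_NAME and C_MKTSEGMENT; that is the “columnar policies permit, not restrict” behaviour the deck calls out later.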
Using RAS with SQL Tools, APEX, and Other Application Languages
RAS complements both SQL Tools (e.g. SQL*Plus) as well as other application environments, especially APEX
• RAS direct-connect application user accounts – those that are granted XS$CONNECT privileges – allow direct connections to a database instance, thus enabling (sufficiently-trained!) “super-users” to build their own custom data extracts or reports
• APEX interfaces with RAS almost seamlessly, with some minor tweaks to existing application security settings
• The identical RAS security privileges the user has when connecting via APEX are enforced when connecting directly to an instance via SQL tools (e.g. SQLcl, SQL Developer) using a direct-connect RAS user account … so no special handling is needed
RAS User Accounts: Options and Implications
RAS User Type | Usage | Granted XS$CONNECT Role? | Per-Session Username | Password State Retained & Managed Within | Connect to APEX?
Direct User | Connecting directly to an Oracle database instance through SQL tools (e.g. SQL*Plus) | Yes | User account | Oracle Database | No
Internal User | Connecting to application sessions only | No | User account | Oracle Database | Yes
External User | Connecting to application sessions only | No | XS$GUEST | SSO / Custom Methods | Yes
Note: The domain of Direct and Internal user account names is distinct – they cannot overlap!
Choosing RAS Internal vs. External Users for APEX
“RAS Internal Users seem to make the most sense for our APEX accounts!”
This is actually a great opportunity!
• We can transition from how database accounts are managed right now: intra-database
• We only need a few RAS Direct users for now to handle SQL Tool access
• RAS Internal users will work best for all the rest of our logins – I can transition everyone with a few magic DBA scripts!
“Huh?!? What about all our existing user accounts?”
Yeah. Not so fast, hot shot!
• The decision to go with “schema-d” users was made long ago, for a good reason!
• So now super-users have two logins? Great.
• And don’t even suggest going to SSO – that’s a huge project and means refactoring!
Solution: For our APEX application environment, the External user type actually makes a lot more sense
How RAS and APEX Authentication Schemes Interact
SQL*Plus Session:
[oracle@host19c ~]$ sqlplus tpch_dwro/@devdb
SQL*Plus: Release 19.0.0.0.0 - Production on Sat Sep 3 17:06:45 2022
Version 19.11.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Enter password: *************
APEX Application → APEX Authentication → RAS Security Policies
Direct-connect RAS users initiate database connections as DB user accounts …
... while APEX RAS External users are first authenticated via an APEX authentication scheme. The authentication scheme evaluates the user + password supplied, then simply returns TRUE if that combination is valid.
Once authenticated, the APEX application session is transformed into a RAS session as user XS$GUEST.
Finally, it’s crucial to remember that while RAS enforces row & column security, it does not handle APEX-specific feature, page, or item security!
Enabling RAS External Users in APEX Via Authentication Schemes
[Screenshots of the APEX authentication scheme settings]
RAS Mode determines whether APEX will use INTERNAL users (i.e. resident within the Oracle SYS schema, controlled just like typical user accounts) or EXTERNAL users (typically controlled via SSO / other means)
RAS application roles can be assigned during the initial connection to the application, or even dynamically within a user session
If needed, RAS can also access customized namespaces that store variable values in application-specific or user account-specific domains
APEX Post-Authentication Process
“Why not simplify? Just put all these application item computations into a single place!”
“Umm … you’ve lost your $#@%$^ mind, dude!”
DBA: Centralize and Simplify!
Move all Application Item Computations (AICs) to an APEX post-authentication process – it’s cleaner, simpler, and involves a single round-trip to the server. See?
DevOps: Stay in Your Lane, Bruh!
Application items and computations are an integral part of APEX – developers need to see how these are set. This also means refactoring our applications! And oh, BTW – don’t even try to tell APEX developers what they can and can’t implement within RAS!
Solution: Actually, it turns out that all data essential for RAS policies must be set in the post-authentication process
• Application computations and processing can simply pick up from there
• Be sure to clearly document what gets set where and how – don’t hide the logic!
• Learn the gentle art of compromise ☺
POST_AUTH Procedure: Replacing AICs & Enabling RAS Dynamic Roles
CREATE OR REPLACE PROCEDURE post_auth (p_username IN VARCHAR2)
IS
v_contact_id ACCSPADMIN.MM_CONTACTS.CONTACT_ID%TYPE;
v_Is_Admin CHAR(01);
v_access_ids VARCHAR2(4000);
v_access_ids_char VARCHAR2(4000);
v_safis_access_ids VARCHAR2(4000);
v_safis_access_ids_char VARCHAR2(4000);
v_partner_id ACCSPADMIN.ACCSP_PARTNERS_CONTACT.PARTNER_ID%TYPE;
v_partner_name ACCSPREC.PARTNERS.PARTNER_NAME%TYPE;
v_partner_abbrev ACCSPREC.PARTNERS.PARTNER_ABBREV%TYPE;
BEGIN
-- Determine + assign Contact ID
v_contact_id := ACCSPREC.DW_AUTH.GET_CONTACT_ID(UPPER(p_username));
APEX_UTIL.SET_SESSION_STATE('G_CONTACT_ID', v_contact_id);
. . .
Just as in our APEX application, the supplied username drives both authorization and determination of appropriate privileges within the app itself
. . .
-- Determine + assign ADMIN privileges
v_Is_Admin:= ACCSPREC.DW_AUTH.IS_DW_ADMIN(UPPER(p_username));
APEX_UTIL.SET_SESSION_STATE('G_IS_ADMIN', v_Is_Admin);
-- Determine + assign PartnerID, Partner Name, and Partner Abbreviation
v_partner_id := ACCSPREC.DW_AUTH.GET_PARTNER_ID(v_contact_id);
APEX_UTIL.SET_SESSION_STATE('G_PARTNER_ID', v_partner_id);
v_partner_name := ACCSPREC.DW_AUTH.GET_PARTNER_NAME(v_partner_id);
APEX_UTIL.SET_SESSION_STATE('G_PARTNER_NAME', v_partner_name);
v_partner_abbrev := ACCSPREC.DW_AUTH.GET_PARTNER_ABBREV(v_partner_id);
APEX_UTIL.SET_SESSION_STATE('G_PARTNER_ABBREV', v_partner_abbrev);
. . .
-- Activate RAS dynamic role if Participant confidential information
-- is viewable for the user
IF ACCSPREC.DW_AUTH.DETAIL_PPT(UPPER(p_username)) THEN
APEX_AUTHORIZATION.ENABLE_DYNAMIC_GROUPS (
p_group_names => APEX_T_VARCHAR2('RAS_DW_VIEW_PARTINFO_ROLE')
);
END IF;
END;
These replace all Application Item Computations originally coded within the application
If the user is allowed to view data in secured columns, this enables the appropriate RAS role dynamically
Managing RAS Sessions in APEX: Wait, What Now?
“Everything looks great from my side! Just let me log out …”
Wow, It’s Actually Working!
My application testing looks good; RAS constraints are being applied properly depending on each user’s permitted realms. Nicely done!
“Really? Well, your $#@%^ app is leaving sessions connected to my database!!”
Then Why Are All These RAS Sessions Still Connected?
• RAS sessions were not terminating after a “normal” logout
• After some research and conversations with RAS and APEX developers at Oracle, we found out that a RAS session apparently does not “kill” itself in the same manner as a normal APEX session
Solution: Terminate RAS sessions on logout by invoking a post-logout procedure
INVALID_SESSION: Cleaning Up RAS Sessions After Logout
A simple call to the DELETE_SESSION procedure of the APEX_SESSION package terminates a RAS session cleanly
These Custom authorization scheme settings offer precise control of session invalidation, authentication, and post-logout processing for RAS External Users
RAS: Recommendations for Seamless Implementation
• The ease of implementing RAS security policies is directly proportional to time spent on building consistent data models in the past. Some examples:
  – Key realm discriminator column is not consistently named or applied across every table, MV, and view
    • We implemented separate DSPs for any special cases … which is much smarter than renaming columns for consistency’s sake
  – PII columns that need to be hidden were named inconsistently across several views and MVs
    • We implemented four (4) different DSPs for about a dozen database objects – ideally, we’d have liked to implement just one
• RAS-specific tracing is invaluable when a security policy seems to be failing:
SQL> BEGIN
       DBMS_SESSION.SET_IDENTIFIER('ACCSP_DEBUG');
       DBMS_APPLICATION_INFO.SET_MODULE('ACCSPD', NULL);
     END;
     /
SQL> ALTER SESSION SET EVENTS 'TRACE [XSSECCLASS] disk=high';
SQL> ALTER SESSION SET EVENTS 'TRACE [XSXDS] disk=high';
SQL> ALTER SESSION SET EVENTS 'TRACE [XSVPD] disk=high';
SQL> ALTER SESSION SET EVENTS 'TRACE [XSACL] disk=high';
SQL> ALTER SESSION SET EVENTS 'TRACE [XSSESSION] disk=high';
SQL> ALTER SESSION SET EVENTS 'TRACE [XSPRINCIPAL] disk=high';
These two trace directives look closely at all events related to applying data security policies
RAS and APEX: Key Concepts to Remember
“Work with your DBA, plan ahead … and think!”
“Exactly! And don’t forget to listen to your DevOps teammates!”
Put simply: Application security is now subdivided!
✓RAS controls which data (rows and columns) the user can view & access
✓APEX roles control what app features the user can utilize
RAS Security Policies must cover all combinations and possibilities across all potential users, so this means you’ll need to invest significant time into planning and brainstorming
Your APEX app no longer needs to enforce row and column security!
✓Be sure to document & reference all RAS Security Policies within the application
✓Developers don’t have to implement the policies, but they need to understand them
RAS and APEX: RTFM, and Go Slow To Go Fast
“Sure, RAS appears to be simple and elegant …”
“... but implementing RAS in APEX can be confusing!”
• RTFM!!! Be sure you understand all RAS concepts
• Decide on where you’re keeping your user account information, depending on RAS user type(s) selected
• Start small! Build a simplified APEX app to prove out that key RAS policies are being applied as expected
• Build a simple APEX page to prove policies are working, and be sure to include a real-time display of whatever RAS dynamic application role privileges are in effect for RAS External users
Note: The RAS examples in the documentation are extremely simple. Our actual use cases were much more complex – e.g., multiple schemas, MVs, and a “mature” application base – so we encountered some frustratingly undocumented aspects of RAS
Real-Time Display of RAS Session Info & Applied Restrictions (1)
Here’s a list of the applied discriminator values that restrict row realms and column display, as well as any RAS Roles currently in force …
… and here’s the result of the POST_AUTH procedure’s population of variables that used to be Application Item Computations
And since this user is permitted to view sensitive data, they appear in unrestricted format (blurred here for purposes of privacy)
Real-Time Display of RAS Session Info & Applied Restrictions (2)
Likewise, this user’s discriminator values reveal they can see a different set of row realms, but note there is no dynamic role granted to view sensitive data
Since this user is not permitted to view sensitive data, they appear in restricted format …
… but they can still view unrestricted data based on the row domain they’re permitted to view
RAS and APEX: When RTFM Fails
“Not everything is documented in the #$%^& manual!”
“We had one big advantage: Oracle PMs actually listened to us. Eventually :)”
Here’s what wasn’t intuitively obvious from the documentation!
• How different RAS user account types actually connect to the DB
• Whether to implement RAS External or Internal users
• When to build and use RAS dynamic roles
• Whether RAS namespaces were required for APEX implementation
• Building RAS realm and column constraints for complex scenarios – e.g., restricting the data to be viewed based on more than one discriminator value – is simply not documented anywhere
• Columnar security policies applied via RAS application roles permit access to data, rather than restricting it!
There is a dizzying array of RAS options, so be sure to choose wisely to avoid unnecessary refactoring of your applications!
Useful Resources and Documentation
Oracle Real Application Security & Virtual Private Database Home Page:
https://www.oracle.com/database/technologies/security/virtual-private-db.html
Oracle 19c Real Application Security User Guide:
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbfsg/index.html
Oracle 19c Real Application Security Administration (RASADM) User Guide:
https://docs.oracle.com/en/database/oracle/oracle-database/19/rasad/index.html#RASAD142

 
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
The Story of How an Oracle Classic Stronghold successfully embraced SOA (ODTU...
 
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
(ENT211) Migrating the US Government to the Cloud | AWS re:Invent 2014
 
Databases on AWS: The Right Tool for the Right Job (DAT205-R1) - AWS re:Inven...
Databases on AWS: The Right Tool for the Right Job (DAT205-R1) - AWS re:Inven...Databases on AWS: The Right Tool for the Right Job (DAT205-R1) - AWS re:Inven...
Databases on AWS: The Right Tool for the Right Job (DAT205-R1) - AWS re:Inven...
 

More from Jim Czuprynski

From DBA to DE: Becoming a Data Engineer
From DBA to DE:  Becoming a Data Engineer From DBA to DE:  Becoming a Data Engineer
From DBA to DE: Becoming a Data Engineer Jim Czuprynski
 
Going Native: Leveraging the New JSON Native Datatype in Oracle 21c
Going Native: Leveraging the New JSON Native Datatype in Oracle 21cGoing Native: Leveraging the New JSON Native Datatype in Oracle 21c
Going Native: Leveraging the New JSON Native Datatype in Oracle 21cJim Czuprynski
 
Charge Me Up! Using Oracle ML, Analytics, and APEX For Finding Optimal Charge...
Charge Me Up! Using Oracle ML, Analytics, and APEX For Finding Optimal Charge...Charge Me Up! Using Oracle ML, Analytics, and APEX For Finding Optimal Charge...
Charge Me Up! Using Oracle ML, Analytics, and APEX For Finding Optimal Charge...Jim Czuprynski
 
Graphing Grifters: Identify & Display Patterns of Corruption With Oracle Graph
Graphing Grifters: Identify & Display Patterns of Corruption With Oracle GraphGraphing Grifters: Identify & Display Patterns of Corruption With Oracle Graph
Graphing Grifters: Identify & Display Patterns of Corruption With Oracle GraphJim Czuprynski
 
So an Airline Pilot, a Urologist, and an IT Technologist Walk Into a Bar: Thi...
So an Airline Pilot, a Urologist, and an IT Technologist Walk Into a Bar: Thi...So an Airline Pilot, a Urologist, and an IT Technologist Walk Into a Bar: Thi...
So an Airline Pilot, a Urologist, and an IT Technologist Walk Into a Bar: Thi...Jim Czuprynski
 
Autonomous Transaction Processing (ATP): In Heavy Traffic, Why Drive Stick?
Autonomous Transaction Processing (ATP): In Heavy Traffic, Why Drive Stick?Autonomous Transaction Processing (ATP): In Heavy Traffic, Why Drive Stick?
Autonomous Transaction Processing (ATP): In Heavy Traffic, Why Drive Stick?Jim Czuprynski
 
Conquer Big Data with Oracle 18c, In-Memory External Tables and Analytic Func...
Conquer Big Data with Oracle 18c, In-Memory External Tables and Analytic Func...Conquer Big Data with Oracle 18c, In-Memory External Tables and Analytic Func...
Conquer Big Data with Oracle 18c, In-Memory External Tables and Analytic Func...Jim Czuprynski
 
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...Jim Czuprynski
 
What's Your Super-Power? Mine is Machine Learning with Oracle Autonomous DB.
What's Your Super-Power? Mine is Machine Learning with Oracle Autonomous DB.What's Your Super-Power? Mine is Machine Learning with Oracle Autonomous DB.
What's Your Super-Power? Mine is Machine Learning with Oracle Autonomous DB.Jim Czuprynski
 
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAsAn Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAsJim Czuprynski
 
Politics Ain’t Beanbag: Using APEX, ML, and GeoCoding In a Modern Election Ca...
Politics Ain’t Beanbag: Using APEX, ML, and GeoCoding In a Modern Election Ca...Politics Ain’t Beanbag: Using APEX, ML, and GeoCoding In a Modern Election Ca...
Politics Ain’t Beanbag: Using APEX, ML, and GeoCoding In a Modern Election Ca...Jim Czuprynski
 
One Less Thing For DBAs to Worry About: Automatic Indexing
One Less Thing For DBAs to Worry About: Automatic IndexingOne Less Thing For DBAs to Worry About: Automatic Indexing
One Less Thing For DBAs to Worry About: Automatic IndexingJim Czuprynski
 
Keep Your Code Low, Low, Low, Low, Low: Getting to Digitally Driven With Orac...
Keep Your Code Low, Low, Low, Low, Low: Getting to Digitally Driven With Orac...Keep Your Code Low, Low, Low, Low, Low: Getting to Digitally Driven With Orac...
Keep Your Code Low, Low, Low, Low, Low: Getting to Digitally Driven With Orac...Jim Czuprynski
 
Cluster, Classify, Associate, Regress: Satisfy Your Inner Data Scientist with...
Cluster, Classify, Associate, Regress: Satisfy Your Inner Data Scientist with...Cluster, Classify, Associate, Regress: Satisfy Your Inner Data Scientist with...
Cluster, Classify, Associate, Regress: Satisfy Your Inner Data Scientist with...Jim Czuprynski
 
Where the %$#^ Is Everybody? Geospatial Solutions For Oracle APEX
Where the %$#^ Is Everybody? Geospatial Solutions For Oracle APEXWhere the %$#^ Is Everybody? Geospatial Solutions For Oracle APEX
Where the %$#^ Is Everybody? Geospatial Solutions For Oracle APEXJim Czuprynski
 
JSON, A Splash of SODA, and a SQL Chaser: Real-World Use Cases for Autonomous...
JSON, A Splash of SODA, and a SQL Chaser: Real-World Use Cases for Autonomous...JSON, A Splash of SODA, and a SQL Chaser: Real-World Use Cases for Autonomous...
JSON, A Splash of SODA, and a SQL Chaser: Real-World Use Cases for Autonomous...Jim Czuprynski
 
Fast and Furious: Handling Edge Computing Data With Oracle 19c Fast Ingest an...
Fast and Furious: Handling Edge Computing Data With Oracle 19c Fast Ingest an...Fast and Furious: Handling Edge Computing Data With Oracle 19c Fast Ingest an...
Fast and Furious: Handling Edge Computing Data With Oracle 19c Fast Ingest an...Jim Czuprynski
 

More from Jim Czuprynski (17)

From DBA to DE: Becoming a Data Engineer
From DBA to DE:  Becoming a Data Engineer From DBA to DE:  Becoming a Data Engineer
From DBA to DE: Becoming a Data Engineer
 
Going Native: Leveraging the New JSON Native Datatype in Oracle 21c
Going Native: Leveraging the New JSON Native Datatype in Oracle 21cGoing Native: Leveraging the New JSON Native Datatype in Oracle 21c
Going Native: Leveraging the New JSON Native Datatype in Oracle 21c
 
Charge Me Up! Using Oracle ML, Analytics, and APEX For Finding Optimal Charge...
Charge Me Up! Using Oracle ML, Analytics, and APEX For Finding Optimal Charge...Charge Me Up! Using Oracle ML, Analytics, and APEX For Finding Optimal Charge...
Charge Me Up! Using Oracle ML, Analytics, and APEX For Finding Optimal Charge...
 
Graphing Grifters: Identify & Display Patterns of Corruption With Oracle Graph
Graphing Grifters: Identify & Display Patterns of Corruption With Oracle GraphGraphing Grifters: Identify & Display Patterns of Corruption With Oracle Graph
Graphing Grifters: Identify & Display Patterns of Corruption With Oracle Graph
 
So an Airline Pilot, a Urologist, and an IT Technologist Walk Into a Bar: Thi...
So an Airline Pilot, a Urologist, and an IT Technologist Walk Into a Bar: Thi...So an Airline Pilot, a Urologist, and an IT Technologist Walk Into a Bar: Thi...
So an Airline Pilot, a Urologist, and an IT Technologist Walk Into a Bar: Thi...
 
Autonomous Transaction Processing (ATP): In Heavy Traffic, Why Drive Stick?
Autonomous Transaction Processing (ATP): In Heavy Traffic, Why Drive Stick?Autonomous Transaction Processing (ATP): In Heavy Traffic, Why Drive Stick?
Autonomous Transaction Processing (ATP): In Heavy Traffic, Why Drive Stick?
 
Conquer Big Data with Oracle 18c, In-Memory External Tables and Analytic Func...
Conquer Big Data with Oracle 18c, In-Memory External Tables and Analytic Func...Conquer Big Data with Oracle 18c, In-Memory External Tables and Analytic Func...
Conquer Big Data with Oracle 18c, In-Memory External Tables and Analytic Func...
 
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
 
What's Your Super-Power? Mine is Machine Learning with Oracle Autonomous DB.
What's Your Super-Power? Mine is Machine Learning with Oracle Autonomous DB.What's Your Super-Power? Mine is Machine Learning with Oracle Autonomous DB.
What's Your Super-Power? Mine is Machine Learning with Oracle Autonomous DB.
 
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAsAn Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
An Autonomous Singularity Approaches: Force Multipliers For Overwhelmed DBAs
 
Politics Ain’t Beanbag: Using APEX, ML, and GeoCoding In a Modern Election Ca...
Politics Ain’t Beanbag: Using APEX, ML, and GeoCoding In a Modern Election Ca...Politics Ain’t Beanbag: Using APEX, ML, and GeoCoding In a Modern Election Ca...
Politics Ain’t Beanbag: Using APEX, ML, and GeoCoding In a Modern Election Ca...
 
One Less Thing For DBAs to Worry About: Automatic Indexing
One Less Thing For DBAs to Worry About: Automatic IndexingOne Less Thing For DBAs to Worry About: Automatic Indexing
One Less Thing For DBAs to Worry About: Automatic Indexing
 
Keep Your Code Low, Low, Low, Low, Low: Getting to Digitally Driven With Orac...
Keep Your Code Low, Low, Low, Low, Low: Getting to Digitally Driven With Orac...Keep Your Code Low, Low, Low, Low, Low: Getting to Digitally Driven With Orac...
Keep Your Code Low, Low, Low, Low, Low: Getting to Digitally Driven With Orac...
 
Cluster, Classify, Associate, Regress: Satisfy Your Inner Data Scientist with...
Cluster, Classify, Associate, Regress: Satisfy Your Inner Data Scientist with...Cluster, Classify, Associate, Regress: Satisfy Your Inner Data Scientist with...
Cluster, Classify, Associate, Regress: Satisfy Your Inner Data Scientist with...
 
Where the %$#^ Is Everybody? Geospatial Solutions For Oracle APEX
Where the %$#^ Is Everybody? Geospatial Solutions For Oracle APEXWhere the %$#^ Is Everybody? Geospatial Solutions For Oracle APEX
Where the %$#^ Is Everybody? Geospatial Solutions For Oracle APEX
 
JSON, A Splash of SODA, and a SQL Chaser: Real-World Use Cases for Autonomous...
JSON, A Splash of SODA, and a SQL Chaser: Real-World Use Cases for Autonomous...JSON, A Splash of SODA, and a SQL Chaser: Real-World Use Cases for Autonomous...
JSON, A Splash of SODA, and a SQL Chaser: Real-World Use Cases for Autonomous...
 
Fast and Furious: Handling Edge Computing Data With Oracle 19c Fast Ingest an...
Fast and Furious: Handling Edge Computing Data With Oracle 19c Fast Ingest an...Fast and Furious: Handling Edge Computing Data With Oracle 19c Fast Ingest an...
Fast and Furious: Handling Edge Computing Data With Oracle 19c Fast Ingest an...
 

Recently uploaded

꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Callshivangimorya083
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998YohFuh
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxfirstjob4
 
04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationshipsccctableauusergroup
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxEmmanuel Dauda
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxolyaivanovalion
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfLars Albertsson
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxolyaivanovalion
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfRachmat Ramadhan H
 
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip  Call Girls Hauz Khas 9711199012 Call /WhatsappsBeautiful Sapna Vip  Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsappssapnasaifi408
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz1
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 
Ukraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSUkraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSAishani27
 
Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingNeil Barnes
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxolyaivanovalion
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 

Recently uploaded (20)

꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in  KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in  Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptx
 
04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptx
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptx
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdf
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
 
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip  Call Girls Hauz Khas 9711199012 Call /WhatsappsBeautiful Sapna Vip  Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signals
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
Ukraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICSUkraine War presentation: KNOW THE BASICS
Ukraine War presentation: KNOW THE BASICS
 
Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data Storytelling
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
Carero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptxCarero dropshipping via API with DroFx.pptx
Carero dropshipping via API with DroFx.pptx
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 

Access Denied: Real-World Use Cases for APEX and Real Application Security

  • 5. A Tricky Business Problem, Vexing DevOps As Well As DBAs

The Business Problem: a government agency's complex data warehouse-based application must strictly limit each user to access only the confidential data they are permitted to view.

Access Methods:
• Most users access their data via desktop or mobile apps written in APEX ...
• ... but a small number of privileged users leverage SQL*Plus or other native SQL tools

Environment:
• Data model includes multiple schemas, each containing complex views and MVs
• Multiple APEX applications developed / evolved over 20+ years, dating back to HTMLDB

Security:
• Strict data access and confidentiality rules must be enforced, based on complex overlapping requirements from multiple state and federal government agencies
• DevOps are tired of rewriting / duplicating security rules throughout several applications
• DBAs are tired of responding to requests for out-of-band custom reporting / extracts
  • 6. You Said VPD. Did You Mean RAS?

"Good news! Our client suggests we implement VPD!"
"Uh-huh, that's nice! Did you tell them about RAS?"

Virtual Private Database (VPD): relatively ancient
• Uses query rewrite: a policy function returns a WHERE clause predicate that the kernel appends to every statement against the protected table
• Focused on database, not application, technology: the predicate can only key off database session state (SYS_CONTEXT, application contexts), so each application has to populate that state itself, and every app repeats the same rules
• No native notion of application users, application roles, or externally managed (SSO) identities

Real Application Security (RAS): VPD 2.0
✓ Much more secure: access decisions are tied to the application user and role, not to whichever shared database account the connection pool happens to use
✓ Extremely flexible security policies
✓ Scalable to thousands of different users connecting via SQL tools / APEX / SSO
✓ Cost effective: implement it just once
✓ Security is enforced within the DB kernel
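As an added illustration (not code from the deck), here is what the VPD approach on this slide amounts to for the same CUSTOMER / nation restriction the deck later builds with RAS. The lookup table name comes from slide 13; its column layout, the policy function name and the policy name are assumptions, and DBMS_RLS is Oracle's own VPD API.

```sql
-- Added VPD example, not the deck's code. Assumed: TPCH.RAS_SECURED_USERS
-- (RSU_USERNAME, RSU_NATIONKEY) exists as the slide 13 predicate implies.

-- VPD policy function: returns the WHERE-clause text that the kernel appends
-- to every SELECT against TPCH.CUSTOMER. Identity is whatever the session
-- exposes: the APEX app user for pooled web connections (all of which log in
-- as the same database account), otherwise the database user itself.
CREATE OR REPLACE FUNCTION tpch.customer_nation_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  RETURN 'C_NATIONKEY IN (SELECT RSU_NATIONKEY FROM TPCH.RAS_SECURED_USERS'
      || ' WHERE RSU_USERNAME = NVL(SYS_CONTEXT(''APEX$SESSION'', ''APP_USER''),'
      || ' SYS_CONTEXT(''USERENV'', ''SESSION_USER'')))';
END customer_nation_predicate;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'TPCH',
    object_name     => 'CUSTOMER',
    policy_name     => 'CUSTOMER_NATION_VPD',          -- assumed name
    function_schema => 'TPCH',
    policy_function => 'CUSTOMER_NATION_PREDICATE',
    statement_types => 'SELECT',
    -- CONTEXT_SENSITIVE: re-evaluate the predicate whenever session context
    -- changes (APEX resets APEX$SESSION on every page request)
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/
```

A direct-connect user is now filtered by this one predicate, but an APEX user only gets the right answer if every application, report and ad-hoc tool populates APEX$SESSION (or its own context) the same way. That per-application plumbing is the duplication the previous slide complains about and the reason the deck moves to RAS.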
  • 7. How RAS Handles Data Access Requests

Clients: APEX, Java, OCI (aka web connections) and SQL*Plus, SQLcl (aka direct connections) -> Oracle Database -> RAS security policies -> data realm ACLs (each a list of ACEs) -> ORDERS, LINEITEM, SUPPLIER, CUSTOMER

1. Users initiate DB connections as RAS users
2. RAS determines the security policy based on the connecting user
3. Appropriate permissions to allow or deny access to data within tables are applied via Access Control Lists (ACLs)
4. Only appropriate data is returned (if any at all!)
  • 8. RAS: Components and Concepts

• Every application session that needs security implemented is assigned a RAS session during connection to the database
• Note that direct connections are assigned a RAS session as well
• Access to database objects, and to the data stored within them, is strictly controlled through RAS security policies as well
  • 9. RAS Components: ACLs, ACEs, Realms, Policies, & Classes (TPCH demo schema)

Security class SECCLS controls access to all objects in the TPCH schema.

App users -> app roles -> ACLs:
• TPCH_SUPV -> TPCH_FULL_ROLE (FULLDML) -> TPCH_SUPV_ACL: ACE grants SELECT, INSERT, UPDATE, DELETE; realm 1 = 1 (every row)
• TPCH_DWRO and APP_DWRO -> TPCH_READONLY_ROLE (READONLY) -> TPCH_DWRO_ACL: ACE grants SELECT; each read-only user is bound to a different nation realm, one C_NATIONKEY IN (19, 21), the other C_NATIONKEY IN (20, 22, 23)

Data security policies:
• CUSTOMER_DS protects CUSTOMER with the realms above
• ORDERS_DS protects ORDERS; its realm is a child of the CUSTOMER realm (an order is visible only if its customer is)
• LINEITEM_DS protects LINEITEM; its realm is a child of the ORDERS realm
  • 10. RAS Components: ACLs, ACEs, Realms, Policies, & Classes (ACCSP production schemas)

Security classes DW_SC and SAFIS_SC control access to all objects in the ACCSP schemas.

App users JSIMPSON, KCANNELL, JIMCZUPRYN -> app roles DWRO_ROLE (READONLY), DWRO_ROLE (READONLY), SAFIS_ROLE (FULLDML) -> ACLs:
• SAFIS_ACL: ACE grants SELECT, INSERT, UPDATE, DELETE; realm 1 = 1
• DW_ACL: ACE grants SELECT; realm DATA_SOURCE IN ('0016', '0022', '0031')
• DW_ACL: ACE grants SELECT; realm DATA_SOURCE IN ('0001', '0002', '0003')

Data security policies:
• ACCSP_DATA_SOURCE protects CONSOLIDATED_REPORTS
• ACCSP_SUBSAMPLE protects CONSOLIDATED_LANDINGS; its realm is a child of the CONSOLIDATED_REPORTS realm
  • 11. RAS Terminology

Principal: either an application user / role or a database user / role
Application Session: a lightweight session object inside the database that is attached to (and detached from) a database session, through which only permitted data may be accessed
Application User: like a traditional database user account, but only used within an application session, whether that session is created by the middle tier or by connecting directly to the database. Application users do not own schemas
Application Role: uses one or more ACLs, not database grants, to map privileges to application users or application roles. (Application roles can be granted database privileges by being granted a database role)
Application Privilege: a right or permission either granted or denied to a principal. Application privileges can also be aggregated so that they imply other rights or permissions
Access Control Entry (ACE): grants or denies a particular set of privileges to a particular application user or role. Note that an ACE doesn't specify which data to protect; that only happens when the ACL is associated with specific target data, thus creating a data realm
Access Control List (ACL): a collection of ACEs that permit or deny application privileges to specific users
Security Class: the scope for a set of application privileges, typically associated with an ACL. The ACL then grants application privileges within the security class to specific principals
Data Realm: a specific filter that's applied to rows within the table, for example limiting a user's view of rows in TPCH.CUSTOMER to only those whose C_NATIONKEY column contains a value of 24 (USA)
Data Security Policy: protects database rows and columns within tables from unauthorized access. Only rows from the specified data realms, and only the columns the user is permitted to view, show data
  • 12. TPC-H: A Perfect Schema for RAS Demonstrations

Entities and relationships:
• CUSTOMER: purchasers of parts
• NATION: country where a customer (or supplier) resides
• REGION: global area that groups nations
• ORDERS: records what each customer has purchased over time
• LINEITEM: items purchased for each order
• PARTSUPP: combines the PART and SUPPLIER entities (which supplier offers which part, and at what cost)
• PART: items available for purchase
• SUPPLIER: companies that supply parts
  • 13. Obscuring Rows and Columns For Specific Users

    DECLARE
      realms  XS$REALM_CONSTRAINT_LIST;
      collims XS$COLUMN_CONSTRAINT_LIST;
    BEGIN
      -- Realm: each user sees only the CUSTOMER rows whose C_NATIONKEY is
      -- listed for them in TPCH.RAS_SECURED_USERS. XS_SYS_CONTEXT resolves the
      -- RAS application user, not the database account the connection used.
      realms := XS$REALM_CONSTRAINT_LIST(
        XS$REALM_CONSTRAINT_TYPE(
          realm    => 'C_NATIONKEY IN (SELECT RSU_NATIONKEY FROM TPCH.RAS_SECURED_USERS'
                   || ' WHERE RSU_USERNAME = XS_SYS_CONTEXT(''XS$SESSION'', ''SESSION_XS_USER''))'
         ,acl_list => XS$NAME_LIST('TPCH.SUPR_ACL', 'TPCH.DWRO_ACL')));

      -- Column constraint: within that realm C_MKTSEGMENT and C_NAME are
      -- returned as NULL unless the user's ACL grants the named privilege,
      -- which must be defined in the ACLs' security class.
      collims := XS$COLUMN_CONSTRAINT_LIST(
        XS$COLUMN_CONSTRAINT_TYPE(
          column_list => XS$LIST('C_MKTSEGMENT', 'C_NAME')
         ,privilege   => 'VIEW_RESTRICTED_PARTICIPANT_INFO'));

      SYS.XS_DATA_SECURITY.CREATE_POLICY(
        name                   => 'TPCH.CUSTOMER_DS'
       ,realm_constraint_list  => realms
       ,column_constraint_list => collims);
    END;
    /

The realm constraint limits the rows retrieved to those whose C_NATIONKEY is listed for the connecting RAS user; the column constraint names the columns that are blanked (returned as NULL) within that realm unless the user's ACL grants VIEW_RESTRICTED_PARTICIPANT_INFO. The policy does nothing until it is applied to TPCH.CUSTOMER with XS_DATA_SECURITY.APPLY_OBJECT_POLICY.
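The scaffolding that the CREATE_POLICY call above depends on, assembled from the component names on slides 9 and 11, as an added example; this is not the deck's code. Assumed: the layout of TPCH.RAS_SECURED_USERS (only its two column names appear in the realm predicate), the database role names TPCH_READONLY_DB / TPCH_FULL_DB, and placeholder passwords. Run as SYS (or an account holding the RAS administration privileges) after TPCH.CUSTOMER exists.

```sql
-- Added example (not from the deck): everything TPCH.CUSTOMER_DS needs.
-- Assumed: RAS_SECURED_USERS layout, the *_DB database role names, passwords.

-- 1. Lookup table the realm predicate on slide 13 reads. That predicate lists
--    SUPR_ACL on the same nation realm, so TPCH_SUPV also needs rows here
--    (slide 9's separate "1 = 1" realm for supervisors is the alternative).
CREATE TABLE tpch.ras_secured_users (
  rsu_username  VARCHAR2(128) NOT NULL,
  rsu_nationkey NUMBER(3)     NOT NULL,
  CONSTRAINT ras_secured_users_pk PRIMARY KEY (rsu_username, rsu_nationkey)
);
INSERT INTO tpch.ras_secured_users VALUES ('TPCH_DWRO', 19);   -- ROMANIA
INSERT INTO tpch.ras_secured_users VALUES ('TPCH_DWRO', 21);   -- VIETNAM
COMMIT;

-- 2. Database roles carry the object privileges; application roles are then
--    granted the database role (slide 11), never the table directly.
CREATE ROLE tpch_readonly_db;
CREATE ROLE tpch_full_db;
GRANT SELECT ON tpch.customer TO tpch_readonly_db;
GRANT SELECT, INSERT, UPDATE, DELETE ON tpch.customer TO tpch_full_db;

BEGIN
  -- 3. Security class: inherits SELECT/INSERT/UPDATE/DELETE from SYS.DML and
  --    defines the custom privilege the column constraint names.
  sys.xs_security_class.create_security_class(
    name        => 'TPCH.SECCLS',
    parent_list => XS$NAME_LIST('SYS.DML'),
    priv_list   => XS$PRIVILEGE_LIST(
                     XS$PRIVILEGE(name => 'VIEW_RESTRICTED_PARTICIPANT_INFO')));

  -- 4. Application roles and users (names from slide 9).
  sys.xs_principal.create_role(name => 'TPCH_READONLY_ROLE', enabled => TRUE);
  sys.xs_principal.create_role(name => 'TPCH_FULL_ROLE',     enabled => TRUE);
  sys.xs_principal.grant_roles(grantee => 'TPCH_READONLY_ROLE', role => 'TPCH_READONLY_DB');
  sys.xs_principal.grant_roles(grantee => 'TPCH_FULL_ROLE',     role => 'TPCH_FULL_DB');

  sys.xs_principal.create_user(name => 'TPCH_DWRO');
  sys.xs_principal.create_user(name => 'TPCH_SUPV');
  sys.xs_principal.set_password(name => 'TPCH_DWRO', password => 'placeholder-1');
  sys.xs_principal.set_password(name => 'TPCH_SUPV', password => 'placeholder-2');
  sys.xs_principal.grant_roles(grantee => 'TPCH_DWRO', role => 'TPCH_READONLY_ROLE');
  sys.xs_principal.grant_roles(grantee => 'TPCH_SUPV', role => 'TPCH_FULL_ROLE');
  -- A direct SQL*Plus login additionally needs the direct-connect role named
  -- on slide 15; that grant is omitted here.
END;
/

DECLARE
  ro_aces XS$ACE_LIST := XS$ACE_LIST();
  rw_aces XS$ACE_LIST := XS$ACE_LIST();
BEGIN
  -- 5. ACLs. DWRO_ACL grants SELECT only, so within the realm C_NAME and
  --    C_MKTSEGMENT come back NULL for TPCH_DWRO; SUPR_ACL also grants the
  --    column privilege, so TPCH_SUPV sees them.
  ro_aces.EXTEND;
  ro_aces(1) := XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
                            granted        => TRUE,
                            principal_name => 'TPCH_READONLY_ROLE');
  sys.xs_acl.create_acl(name => 'TPCH.DWRO_ACL', ace_list => ro_aces,
                        sec_class => 'TPCH.SECCLS');

  rw_aces.EXTEND;
  rw_aces(1) := XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT', 'INSERT', 'UPDATE', 'DELETE',
                                                            'VIEW_RESTRICTED_PARTICIPANT_INFO'),
                            granted        => TRUE,
                            principal_name => 'TPCH_FULL_ROLE');
  sys.xs_acl.create_acl(name => 'TPCH.SUPR_ACL', ace_list => rw_aces,
                        sec_class => 'TPCH.SECCLS');
END;
/

-- 6. Run slide 13's CREATE_POLICY block here, then bind the policy to the
--    table. owner_bypass => FALSE: even a session connected as TPCH is filtered.
BEGIN
  sys.xs_data_security.apply_object_policy(
    policy          => 'TPCH.CUSTOMER_DS',
    schema          => 'TPCH',
    object          => 'CUSTOMER',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    owner_bypass    => FALSE);

  -- 7. Consistency check; details of any failure land in XS$VALIDATION_TABLE.
  IF NOT sys.xs_diag.validate_workspace() THEN
    RAISE_APPLICATION_ERROR(-20001, 'RAS objects failed validation, see XS$VALIDATION_TABLE');
  END IF;
END;
/
```

The order matters: the security class must exist before the ACLs that reference it, the ACLs before the policy that lists them, and the policy before it is applied. The validate_workspace call at the end is worth keeping in deployment scripts, since a dangling ACL or privilege name otherwise surfaces only as an unexpected empty result set at runtime.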
  • 14. Using RAS with SQL Tools, APEX, and Other Application Languages

RAS complements both SQL tools (e.g. SQL*Plus) and other application environments, especially APEX:
• RAS direct-connect application user accounts (those granted XS$CONNECT privileges) allow direct connections to a database instance, thus enabling (sufficiently trained!) "super-users" to build their own custom data extracts or reports
• APEX interfaces with RAS almost seamlessly, with some minor tweaks to existing application security settings
• The identical RAS security privileges the user has when connecting via APEX are enforced when connecting directly to an instance via SQL tools (e.g. SQLcl, SQL Developer) using a direct-connect RAS user account, so no special handling is needed
  • 15. RAS User Accounts: Options and Implications

Direct User
• Usage: connecting directly to an Oracle database instance through SQL tools (e.g. SQL*Plus)
• Granted XS$CONNECT role: yes
• Per-session username: the user account
• Password state retained & managed within: Oracle Database
• Connect to APEX: no

Internal User
• Usage: connecting to application sessions only
• Granted XS$CONNECT role: no
• Per-session username: the user account
• Password state retained & managed within: Oracle Database
• Connect to APEX: yes

External User
• Usage: connecting to application sessions only
• Granted XS$CONNECT role: no
• Per-session username: XS$GUEST
• Password state retained & managed within: SSO / custom methods
• Connect to APEX: yes

Note: the domain of Direct and Internal user account names is distinct; they cannot overlap!
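What the "Internal User" row means in practice, as an added example that is not part of the deck: a trusted middle-tier database account creates and attaches an application session for the RAS user without the user's password ever reaching the database, and the CUSTOMER_DS realm from slide 13 filters the query that follows. Assumed: a database account APEX_DISPATCHER exists, TPCH_DWRO and the policy exist as on slides 9 and 13, and the privilege and constant names are those of Oracle's XS_ADMIN_UTIL / DBMS_XS_SESSIONS APIs.

```sql
-- Added example (not from the deck). Assumed: DB account APEX_DISPATCHER,
-- RAS user TPCH_DWRO, policy TPCH.CUSTOMER_DS already in place.

-- One-time, as SYS: let the dispatcher account create, attach and destroy
-- application sessions. This is a RAS system privilege, not a DB grant.
BEGIN
  sys.xs_admin_util.grant_system_privilege(
    priv_name => 'ADMINISTER_SESSION',
    user_name => 'APEX_DISPATCHER',
    user_type => sys.xs_admin_util.ptype_db);
END;
/

-- As APEX_DISPATCHER: create an application session for the internal user,
-- attach it to this database session, read what RAS now thinks the user is,
-- count the CUSTOMER rows that survive the realm, then tear the session down.
-- Note there is no password here: the dispatcher is trusted to have
-- authenticated the user already, which is exactly why that account must be
-- locked down.
DECLARE
  l_sid      RAW(16);
  l_ras_user VARCHAR2(128);
  l_visible  PLS_INTEGER;
BEGIN
  sys.dbms_xs_sessions.create_session(username  => 'TPCH_DWRO',
                                      sessionid => l_sid);
  sys.dbms_xs_sessions.attach_session(sessionid => l_sid);

  l_ras_user := XS_SYS_CONTEXT('XS$SESSION', 'USERNAME');   -- TPCH_DWRO
  SELECT COUNT(*) INTO l_visible FROM tpch.customer;        -- realm applied

  DBMS_OUTPUT.PUT_LINE('RAS user ' || l_ras_user || ' sees ' || l_visible
                       || ' CUSTOMER rows (only C_NATIONKEY 19 and 21)');

  -- Always detach before the pooled connection is handed to the next user;
  -- an attached session left behind is a privilege-bleed bug.
  sys.dbms_xs_sessions.detach_session;
  sys.dbms_xs_sessions.destroy_session(sessionid => l_sid);
END;
/
```

In production the detach/destroy pair belongs in an exception handler as well, so that a failure in the middle of the block cannot leave the connection attached to the wrong application session.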
  • 16. Choosing RAS Internal vs. External Users for APEX

"RAS Internal Users seem to make the most sense for our APEX accounts! This is actually a great opportunity!"
• We can transition from how database accounts are managed right now: intra-database
• We only need a few RAS Direct users for now to handle SQL tool access
• RAS Internal users will work best for all the rest of our logins; I can transition everyone with a few magic DBA scripts!

"Huh?!? What about all our existing user accounts? Yeah. Not so fast, hot shot!"
• The decision to go with "schema-d" users was made long ago, for a good reason!
• So now super-users have two logins? Great.
• And don't even suggest going to SSO; that's a huge project and means refactoring!

Solution: for our APEX application environment, the External user type actually makes a lot more sense.
• 17. How RAS and APEX Authentication Schemes Interact
  SQL*Plus session of a direct-connect RAS user:

    [oracle@host19c ~]$ sqlplus tpch_dwro/@devdb
    SQL*Plus: Release 19.0.0.0.0 - Production on Sat Sep 3 17:06:45 2022
    Version 19.11.0.0.0
    Copyright (c) 1982, 2020, Oracle. All rights reserved.
    Enter password: *************

  Diagram labels: SQL*Plus Session, APEX Application, APEX Authentication, RAS Security Policies
  • Direct-connect RAS users initiate database connections as DB user accounts …
  • … while APEX RAS External users are first authenticated via an APEX authentication scheme
  • The authentication scheme evaluates the user + password supplied, then simply returns TRUE if that combination is valid
  • Once authenticated, the APEX application session is transformed into a RAS session as user XS$GUEST
  • Finally, it’s crucial to remember that while RAS enforces row & column security, it does not handle APEX-specific feature, page, or item security!
• 18. Enabling RAS External Users in APEX Via Authentication Schemes
  • RAS Mode determines whether APEX will use INTERNAL users (i.e. resident within the Oracle SYS schema, controlled just like typical user accounts) or EXTERNAL users (typically controlled via SSO / other means)
  • RAS application roles can be assigned during the initial connection to the application, or even dynamically within a user session
  • If needed, RAS can also access customized namespaces that store variable values in application-specific or user account-specific domains
• 19. APEX Post-Authentication Process
  “Why not simplify? Just put all these application item computations into a single place!”
  “Umm … you’ve lost your $#@%$^ mind, dude!”
  DBA: Centralize and Simplify! Move all Application Item Computations (AICs) to an APEX post-authentication process – it’s cleaner, simpler, and involves a single round-trip to the server. See?
  DevOps: Stay in Your Lane, Bruh! Application items and computations are an integral part of APEX – developers need to see how these are set. This also means refactoring our applications! And oh, BTW – don’t even try to tell APEX developers what they can and can’t implement within RAS!
  Solution: Actually, it turns out that all data essential for RAS policies must be set in the post-authentication process
  • Application computations and processing can simply pick up from there
  • Be sure to clearly document what gets set where and how – don’t hide the logic!
  • Learn the gentle art of compromise ☺
• 20-21. POST_AUTH Procedure: Replacing AICs & Enabling RAS Dynamic Roles
  Just as in our APEX application, the supplied username drives both authorization and determination of appropriate privileges within the app itself. The session-state assignments below replace all Application Item Computations originally coded within the application; if the user is allowed to view data in secured columns, the final IF block enables the appropriate RAS role dynamically.

    CREATE OR REPLACE PROCEDURE post_auth (p_username IN VARCHAR2) IS
      v_contact_id            ACCSPADMIN.MM_CONTACTS.CONTACT_ID%TYPE;
      v_Is_Admin              CHAR(01);
      v_access_ids            VARCHAR2(4000);
      v_access_ids_char       VARCHAR2(4000);
      v_safis_access_ids      VARCHAR2(4000);
      v_safis_access_ids_char VARCHAR2(4000);
      v_partner_id            ACCSPADMIN.ACCSP_PARTNERS_CONTACT.PARTNER_ID%TYPE;
      v_partner_name          ACCSPREC.PARTNERS.PARTNER_NAME%TYPE;
      v_partner_abbrev        ACCSPREC.PARTNERS.PARTNER_ABBREV%TYPE;
    BEGIN
      -- Determine + assign Contact ID
      v_contact_id := ACCSPREC.DW_AUTH.GET_CONTACT_ID(UPPER(p_username));
      APEX_UTIL.SET_SESSION_STATE('G_CONTACT_ID', v_contact_id);
      -- . . .
      -- Determine + assign ADMIN privileges
      v_Is_Admin := ACCSPREC.DW_AUTH.IS_DW_ADMIN(UPPER(p_username));
      APEX_UTIL.SET_SESSION_STATE('G_IS_ADMIN', v_Is_Admin);
      -- Determine + assign Partner ID, Partner Name, and Partner Abbreviation
      v_partner_id := ACCSPREC.DW_AUTH.GET_PARTNER_ID(v_contact_id);
      APEX_UTIL.SET_SESSION_STATE('G_PARTNER_ID', v_partner_id);
      v_partner_name := ACCSPREC.DW_AUTH.GET_PARTNER_NAME(v_partner_id);
      APEX_UTIL.SET_SESSION_STATE('G_PARTNER_NAME', v_partner_name);
      v_partner_abbrev := ACCSPREC.DW_AUTH.GET_PARTNER_ABBREV(v_partner_id);
      APEX_UTIL.SET_SESSION_STATE('G_PARTNER_ABBREV', v_partner_abbrev);
      -- . . .
      -- Activate RAS dynamic role if Participant confidential information
      -- is viewable for the user
      IF ACCSPREC.DW_AUTH.DETAIL_PPT(UPPER(p_username)) THEN
        APEX_AUTHORIZATION.ENABLE_DYNAMIC_GROUPS (
          p_group_names => APEX_T_VARCHAR2('RAS_DW_VIEW_PARTINFO_ROLE')
        );
      END IF;
    END;
• 22. Managing RAS Sessions in APEX: Wait, What Now?
  “Wow, it’s actually working! My application testing looks good; RAS constraints are being applied properly depending on each user’s permitted realms. Nicely done! Everything looks great from my side! Just let me log out …”
  “Really? Well, your $#@%^ app is leaving sessions connected to my database!!”
  Then Why Are All These RAS Sessions Still Connected?
  • RAS sessions were not terminating after a “normal” logout
  • After some research and conversations with RAS and APEX developers at Oracle, we found out that a RAS session apparently does not “kill” itself in the same manner as a normal APEX session
  Solution: Terminate RAS sessions on logout by invoking a post-logout procedure
• 23. INVALID_SESSION: Cleaning Up RAS Sessions After Logout
  • A simple call to the DELETE_SESSION procedure of the APEX_SESSION package terminates a RAS session cleanly
  • These custom authentication scheme settings (Invalid Session and post-logout handling) offer precise control of session invalidation, authentication, and post-logout processing for RAS External Users
• 24. RAS: Recommendations for Seamless Implementation
  • The ease of implementing RAS security policies is directly proportional to the time spent building consistent data models in the past. Some examples:
    • The key realm discriminator column is not consistently named or applied across every table, MV, and view
      • We implemented separate DSPs for any special cases … which is much smarter than renaming columns for consistency’s sake
    • PII columns that need to be hidden were named inconsistently across several views and MVs
      • We implemented four (4) different DSPs for about a dozen database objects – ideally, we’d have liked to implement just one
  • RAS-specific tracing is invaluable when a security policy seems to be failing:

    SQL> BEGIN
           DBMS_SESSION.SET_IDENTIFIER('ACCSP_DEBUG');
           DBMS_APPLICATION_INFO.SET_MODULE('ACCSPD', NULL);
         END;
         /
    ALTER SESSION SET EVENTS 'TRACE [XSSECCLASS] disk=high';
    ALTER SESSION SET EVENTS 'TRACE [XSXDS] disk=high';
    ALTER SESSION SET EVENTS 'TRACE [XSVPD] disk=high';
    ALTER SESSION SET EVENTS 'TRACE [XSACL] disk=high';
    ALTER SESSION SET EVENTS 'TRACE [XSSESSION] disk=high';
    ALTER SESSION SET EVENTS 'TRACE [XSPRINCIPAL] disk=high';

    (Slide callout: two of these trace directives look closely at all events related to applying data security policies)
• 25. RAS and APEX: Key Concepts to Remember
  “Work with your DBA, plan ahead … and think!”
  “Exactly! And don’t forget to listen to your DevOps teammates!”
  Put simply: Application security is now subdivided!
  ✓ RAS controls which data (rows and columns) the user can view & access
  ✓ APEX roles control what app features the user can utilize
  RAS Security Policies must cover all combinations and possibilities across all potential users, so you’ll need to invest significant time in planning and brainstorming
  Your APEX app no longer needs to enforce row and column security!
  ✓ Be sure to document & reference all RAS Security Policies within the application
  ✓ Developers don’t have to implement the policies, but they need to understand them
• 26. RAS and APEX: RTFM, and Go Slow To Go Fast
  “Sure, RAS appears to be simple and elegant …”
  “... but implementing RAS in APEX can be confusing!”
  • RTFM!!! Be sure you understand all RAS concepts
  • Decide where you’re keeping your user account information, depending on the RAS user type(s) selected
  • Start small! Build a simplified APEX app to prove out that key RAS policies are being applied and implemented as expected
  • Build a simple APEX page to prove policies are working, and be sure to include a real-time display of whatever RAS dynamic application role privileges are in effect for RAS External users
  Note: The RAS examples in the documentation are extremely simple. Our actual use cases were much more complex – e.g., multiple schemas, MVs, and a “mature” application base – so we encountered some frustratingly undocumented aspects of RAS
• 27-28. Real-Time Display of RAS Session Info & Applied Restrictions (1)
  • Here’s a list of the applied discriminator values that restrict row realms and column display, as well as any RAS Roles currently in force …
  • … and here’s the result of the POST_AUTH procedure’s population of variables that used to be Application Item Computations
  • And since this user is permitted to view sensitive data, they appear in unrestricted format (blurred here for purposes of privacy)
• 29-30. Real-Time Display of RAS Session Info & Applied Restrictions (2)
  • Likewise, this user’s discriminator values reveal they can see a different set of row realms, but note there is no dynamic role granted to view sensitive data
  • Since this user is not permitted to view sensitive data, they appear in restricted format …
  • … but they can still view unrestricted data based on the row domain they’re permitted to view
• 31. RAS and APEX: When RTFM Fails
  Not everything is documented in the #$%^& manual! We had one big advantage: Oracle PMs actually listened to us. Eventually :)
  Here’s what wasn’t intuitively obvious from the documentation!
  • How different RAS user account types actually connect to the DB
  • Whether to implement RAS External or Internal users
  • When to build and use RAS dynamic roles
  • Whether RAS namespaces were required for APEX implementation
  • Building RAS realm and column constraints for complex scenarios – e.g., restricting the data to be viewed based on more than one discriminator value – is simply not documented anywhere
  • Columnar security policies applied via RAS application roles permit access to data; they do not restrict it!
  There is a dizzying array of RAS options, so be sure to choose wisely to avoid unnecessary refactoring of your applications!
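  As an added example (not code from the slides or from the ACCSP application), here is the shape of a RAS data security policy that exhibits the last bullet above together with the dynamic role enabled in the POST_AUTH procedure (slides 20-21): the column constraint can only ever grant visibility of the PII column, so a session whose principals lack the privilege simply sees NULL. Schema DW_APP, table PARTICIPANTS, column SSN, the role DW_READER_ROLE (assumed to be held by every application user) and the namespace DW_NS with attribute PARTNER_ID are hypothetical; run it as a RAS administrator.

```sql
-- Added example, not from the slides. Hypothetical names: DW_APP.PARTICIPANTS,
-- column SSN, role DW_READER_ROLE, namespace DW_NS (attribute PARTNER_ID).
-- RAS_DW_VIEW_PARTINFO_ROLE is the dynamic role named in the slides' POST_AUTH.
BEGIN
  -- 1. Security class: inherits the DML privileges and adds one for the PII column
  SYS.XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'DW_PRIVS',
    parent_list => XS$NAME_LIST('SYS.DML'),
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE(name => 'VIEW_SSN')));

  -- 2. Dynamic role that POST_AUTH enables via APEX_AUTHORIZATION.ENABLE_DYNAMIC_GROUPS
  SYS.XS_PRINCIPAL.CREATE_DYNAMIC_ROLE(name => 'RAS_DW_VIEW_PARTINFO_ROLE');

  -- 3a. Baseline ACL: readers may SELECT rows in their realm; VIEW_SSN is NOT granted,
  --     so the secured column comes back as NULL for them (no "deny" needed)
  SYS.XS_ACL.CREATE_ACL(
    name      => 'DW_ROWS_ACL',
    ace_list  => XS$ACE_LIST(
                   XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
                               principal_name => 'DW_READER_ROLE')),
    sec_class => 'DW_PRIVS');

  -- 3b. Privileged ACL: the dynamic role is additionally granted VIEW_SSN
  SYS.XS_ACL.CREATE_ACL(
    name      => 'DW_PII_ACL',
    ace_list  => XS$ACE_LIST(
                   XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT', 'VIEW_SSN'),
                               principal_name => 'RAS_DW_VIEW_PARTINFO_ROLE')),
    sec_class => 'DW_PRIVS');

  -- 4. Policy: one realm (rows of the session's partner, read from the namespace)
  --    guarded by both ACLs, plus the column constraint binding SSN to VIEW_SSN
  SYS.XS_DATA_SECURITY.CREATE_POLICY(
    name                   => 'DW_PARTICIPANTS_DSP',
    realm_constraint_list  => XS$REALM_CONSTRAINT_LIST(
      XS$REALM_CONSTRAINT_TYPE(
        realm    => 'PARTNER_ID = XS_SYS_CONTEXT(''DW_NS'', ''PARTNER_ID'')',
        acl_list => XS$NAME_LIST('DW_ROWS_ACL', 'DW_PII_ACL'))),
    column_constraint_list => XS$COLUMN_CONSTRAINT_LIST(
      XS$COLUMN_CONSTRAINT_TYPE(column_list => XS$LIST('SSN'),
                                privilege   => 'VIEW_SSN')));

  -- 5. Enforce on SELECT against the table; views and MVs built on it each need
  --    their own APPLY_OBJECT_POLICY call (the object-count issue from slide 24)
  SYS.XS_DATA_SECURITY.APPLY_OBJECT_POLICY(
    policy => 'DW_PARTICIPANTS_DSP',
    schema => 'DW_APP',
    object => 'PARTICIPANTS');
END;
/
```

  A session holding only DW_READER_ROLE sees its partner's rows with SSN returned as NULL; once POST_AUTH enables RAS_DW_VIEW_PARTINFO_ROLE, the same query returns the value, which is exactly the restricted/unrestricted contrast shown on slides 27-30.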
• 32. Useful Resources and Documentation
  • Oracle Real Application Security & Virtual Private Database Home Page: https://www.oracle.com/database/technologies/security/virtual-private-db.html
  • Oracle 19c Real Application Security User Guide: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbfsg/index.html
  • Oracle 19c Real Application Security Administration (RASADM) User Guide: https://docs.oracle.com/en/database/oracle/oracle-database/19/rasad/index.html#RASAD142