SlideShare a Scribd company logo
Winter 2014

And more:
18 authors, 17 articles,
4 ACE's, 6 ACE
Directors, ...

Future is now, ODI 12c

Maturity of Service
Oriented Architectures

Enforcing Principle of
Least Privilege

ASM Metrics

Content-Enabling Your
Insurance Business
Using Oracle BPM and
WebCenter Content
Oracle Database 12c brings the Privilege Analysis feature to
clearly identify the privileges required by an application for
its functioning and tells the DBA which privileges can be
revoked, to enforce the principle of least privilege and make
the database and application more secure. Privilege analysis
feature is available only in Enterprise Edition and it requires
Database Vault license, which is an extra cost option. The
good thing is that Database Vault need not be enabled to use
Privilege Analysis - one less thing to worry.

One of the top features of Oracle Database 12c that
attracted me is the ability to enforce principle of least
privilege with ease. Ever since database vendors started
taking security seriously, the principle of least privilege
theory is in play. To identify the privileges required by an
application or user in Oracle database versions prior 12c was
a tedious trial and error process. Many applications I have
come across run with DBA or DBA like privileges, this is
because no privilege analysis done at application design and
development time. For application design and development
team the focus is always on getting the development work
completed and delivering the project. Security, especially
least privilege, is not a focus item where team wants to
spend time. It is easy to grant system privileges (especially
DBA or ANY privileges like INSERT ANY TABLE) to get the
application working.

Biju Thomas - OneNeck IT Solutions

Enforcing Principle of Least Privilege

Figure 1: Privilege Analysis

I will explain the steps using SQL command line as well as
using Enterprise Manager Cloud Control 12c. To do the
privilege analysis you need the CAPTURE_ADMIN role, this
role is granted to DBA role, so if you have DBA privileges on
the 12c database, you can perform the analysis.

In a nutshell, privilege analysis works as below:
- Define a capture - to identify what need to be analyzed
- Enable the capture, to start capturing
- Run the application or utility whose privilege need to be
analyzed
- Disable the capture
- Generate results from capture for review
- Implement the results, from the findings

Oracle Database Security
SELECT ANY TABLE
INSERT ANY TABLE
UPDATE ANY TABLE
DELETE ANY TABLE
ALTER ANY TRIGGER
CREATE PROCEDURE
CREATE TABLE
CREATE SYNONYM
CREATE ANY INDEX
ALL privs on ORDERS and ORDER_ITEMS tables
CONNECT and DBA Roles

OBJECT_TYPE
COUNT(*)
----------------------- ---------SEQUENCE
1
LOB
15
TYPE BODY
3
TRIGGER
4
TABLE
14
INDEX
48
SYNONYM
6
VIEW
13

SQL> select object_type, count(*) from dba_objects
where owner = 'OE' group by object_type;

-

Demo Environment
For demonstration purposes I am going to use the OE
schema that comes with Oracle Database 12c examples - it
has 14 tables and several other objects. We want to analyze
the privileges of OE_ADM user who currently has the
following privileges.

1
37

- Database (G_DATABASE - 1): If no condition is defined,
analyzes used privilege on all objects within the whole
database. No condition or roles parameter specified for this
type of capture.
- Role (G_ROLE - 2): Analyses privileges exercised through a
role. Specify the roles to analyze using the ROLES parameter.
- Context (G_CONTEXT - 3): Use this to analyze privileges that
are used through an application module or specific context.
Specify a CONDITION to analyze
- Role and Context (G_ROLE_AND_CONTEXT - 4): Combination
of role and context.

Define and Start Capture
The very first step in privilege analysis is to create a capture,
to define what actions need to be monitored. Four types of
analysis can be defined in the capture:

New package DBMS_PRIVILEGE_CAPTURE has the
subprograms to manage the privilege analysis. The
CAPTURE_ADMIN role has execute privilege on this
package.

OE_ADM user connects using SQL*Developer to run the
scripts and reports. Our objective is to remove the ANY
privileges from OE_ADM user and grant appropriate
privileges based on the tasks performed during the analysis
period.

FUNCTION
TYPE

Oracle Database Security
Figure 2 shows the OEM screen to create a capture policy.
With few clicks you can easily create the policy. Based on the
context additional input is captured.

Figure 2: OEM Screen to Create a Privilege Analysis Policy

The CREATE_CAPTURE subprogram is used to define the
capture. For our demo, we want to use the Role and Context,
because we want to know what privilege from the DBA role is
being used as well as what other privileges granted to
OE_ADM are used when the application used is “SQL
Developer”.

BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'Analyze_OE_ADM' ,
description => 'Review Privileges used by
OE_ADM through SQL Developer' ,
type =>
DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT ,
roles => ROLE_NAME_LIST('DBA','CONNECT') ,
condition => 'SYS_CONTEXT(''USERENV'',
''MODULE'') = ''SQL Developer'' AND
SYS_CONTEXT(''USERENV'', ''SESSION_USER'') =
''OE_ADM''');
END;
/

The SQL to define the policy as shown in Figure 2 is:

Oracle Database Security
EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE
(name => 'Analyze_OE_ADM');

Stop Capture and Generate Reports
Ok, now that OE_ADM user has performed their tasks using
SQL Developer, let us stop the capture and review the
privileges used.

Now run the application and for a period of time, so that
Oracle can capture all the privileges used.

EXECUTE
DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name =>
'Analyze_OE_ADM');

You can click on the start button to start capture, or
use the below SQL to start the capture.

Figure 3: Privilege Analysis screen of OEM

Once the policy is defined, it shows up in the OEM Privilege
Analysis main screen, from where you can enable, disable,
generate report and drop the policy. See figure 3.

Once you run the Generate Results procedure, all the
DBA_USED_ views as well as DBA_UNUSED_ views are
populated. You may query these views to generate revoke
scripts or to prepare reports. The DBA_USED_ views show the
privileges used by the user for the policy. The DBA_UNUSED_
views show the privileges that are assigned to the user, but
are not used. The _PATH views show the privilege path (how
the privileged was given to the user, through which role).

Figure 4: unused privileges

OEM shows the number of unused privileges in the summary
screen as shown in figure 4.

EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT
(name => 'Analyze_OE_ADM');

Using OEM you can click on the Stop Capture button as
shown in Figure 3. Now click the Generate Report button.
Using SQL you can accomplish this by :

Oracle Database Security
Figure 5: OEM Options under Actions

OEM makes it easier on you to see the reports and even
generate a revoke script. Figure 5 shows the drop down
menu under Actions.

DBA_USED_OBJPRIVS
DBA_USED_OBJPRIVS_PATH
DBA_USED_PRIVS
DBA_USED_PUBPRIVS
DBA_USED_SYSPRIVS
DBA_USED_SYSPRIVS_PATH
DBA_USED_USERPRIVS
DBA_USED_USERPRIVS_PATH
DBA_UNUSED_COL_TABS
DBA_UNUSED_OBJPRIVS
DBA_UNUSED_OBJPRIVS_PATH
DBA_UNUSED_PRIVS
DBA_UNUSED_SYSPRIVS
DBA_UNUSED_SYSPRIVS_PATH
DBA_UNUSED_USERPRIVS
DBA_UNUSED_USERPRIVS_PATH

Capture Privilege - DBA Views Populated with Generate
Results Procedure

Figure 6: OEM Setup for Revoke Scripts Generation

The Reports menu shows a summary, as well as used and
unused privilege listing that you can export to an excel file.
To be able to use the Revoke Scripts option, OEM needs to
complete a setup as shown in figure 6.

Oracle Database Security
This creates a new role for you with only the used privileges how sweet is that!

Figure 7: Create Role screen of OEM

The revoke script revokes all unused roles and privileges
from the role granted to the user, in this case this is not
desired, because we do not want to mess with the DBA role.
Here the Create Role menu comes for help. Figure 7 shows
the OEM screen to create the role; you have option to
customize the role creation as well.

OneNeck IT Solutions

Biju Thomas

Oracle Database Security

More Related Content

What's hot

DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security Enhancements
Laura Hood
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
Alex Zaballa
 
Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015 Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015
Alex Zaballa
 
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu   (obscure) tools of the trade for tuning oracle sq lsTony Jambu   (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
InSync Conference
 
Database Foundation Training
Database Foundation TrainingDatabase Foundation Training
Database Foundation Training
Franky Lao
 
Obiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guideObiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guide
Amit Sharma
 
Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14
Alex Zaballa
 
Database security
Database securityDatabase security
Database security
Javed Khan
 
Cua setup procedure SAP security
Cua setup procedure SAP securityCua setup procedure SAP security
Cua setup procedure SAP security
Siva Pradeep Bolisetti
 
security-checklist-database
security-checklist-databasesecurity-checklist-database
security-checklist-database
Mohsen B
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
sumitmsn2
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.info
sapdocs. info
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security concepts
Siva Pradeep Bolisetti
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL Potpourri
Lucas Jellema
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questions
Siva Pradeep Bolisetti
 

What's hot (15)

DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security Enhancements
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 
Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015 Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015
 
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu   (obscure) tools of the trade for tuning oracle sq lsTony Jambu   (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
 
Database Foundation Training
Database Foundation TrainingDatabase Foundation Training
Database Foundation Training
 
Obiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guideObiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guide
 
Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14
 
Database security
Database securityDatabase security
Database security
 
Cua setup procedure SAP security
Cua setup procedure SAP securityCua setup procedure SAP security
Cua setup procedure SAP security
 
security-checklist-database
security-checklist-databasesecurity-checklist-database
security-checklist-database
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.info
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security concepts
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL Potpourri
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questions
 

Similar to OTech magazine article - Principle of Least Privilege

Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle Database
Markus Flechtner
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and Monitoring
Mark Leith
 
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptxFive_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Maria Colgan
 
What is sap security
What is sap securityWhat is sap security
What is sap security
grconlinetraining
 
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
Leighton Nelson
 
Oracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or lessOracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or less
Leon Rzhemovskiy
 
oracle
oracleoracle
oracle
tarunamoria
 
Sherlock holmes for dba’s
Sherlock holmes for dba’sSherlock holmes for dba’s
Sherlock holmes for dba’s
Kellyn Pot'Vin-Gorman
 
Aspects of 10 Tuning
Aspects of 10 TuningAspects of 10 Tuning
Aspects of 10 Tuning
Sage Computing Services
 
MySQL Performance Schema : fossasia
MySQL Performance Schema : fossasiaMySQL Performance Schema : fossasia
MySQL Performance Schema : fossasia
Mayank Prasad
 
Performance schema and_ps_helper
Performance schema and_ps_helperPerformance schema and_ps_helper
Performance schema and_ps_helper
Mark Leith
 
patchVantage Cloud Starter Pack
patchVantage Cloud Starter Pack patchVantage Cloud Starter Pack
patchVantage Cloud Starter Pack
David McNish
 
DB2UDB_the_Basics Day 3
DB2UDB_the_Basics Day 3DB2UDB_the_Basics Day 3
DB2UDB_the_Basics Day 3
Pranav Prakash
 
Less11 Security
Less11 SecurityLess11 Security
Less11 Security
vivaankumar
 
Sap basis and_security_administration
Sap basis and_security_administrationSap basis and_security_administration
Sap basis and_security_administration
Anil Kumar Reddy Cheppalli
 
How to analyze_table_through_informatica
How to analyze_table_through_informaticaHow to analyze_table_through_informatica
How to analyze_table_through_informatica
sushantbit04
 
Oracle SQL Tuning
Oracle SQL TuningOracle SQL Tuning
Oracle SQL Tuning
Alex Zaballa
 
Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11
Thuan Nguyen
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
fangjiafu
 
D73549GC10_06.pptx
D73549GC10_06.pptxD73549GC10_06.pptx
D73549GC10_06.pptx
VLQuyNhn
 

Similar to OTech magazine article - Principle of Least Privilege (20)

Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle Database
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and Monitoring
 
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptxFive_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
 
What is sap security
What is sap securityWhat is sap security
What is sap security
 
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
 
Oracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or lessOracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or less
 
oracle
oracleoracle
oracle
 
Sherlock holmes for dba’s
Sherlock holmes for dba’sSherlock holmes for dba’s
Sherlock holmes for dba’s
 
Aspects of 10 Tuning
Aspects of 10 TuningAspects of 10 Tuning
Aspects of 10 Tuning
 
MySQL Performance Schema : fossasia
MySQL Performance Schema : fossasiaMySQL Performance Schema : fossasia
MySQL Performance Schema : fossasia
 
Performance schema and_ps_helper
Performance schema and_ps_helperPerformance schema and_ps_helper
Performance schema and_ps_helper
 
patchVantage Cloud Starter Pack
patchVantage Cloud Starter Pack patchVantage Cloud Starter Pack
patchVantage Cloud Starter Pack
 
DB2UDB_the_Basics Day 3
DB2UDB_the_Basics Day 3DB2UDB_the_Basics Day 3
DB2UDB_the_Basics Day 3
 
Less11 Security
Less11 SecurityLess11 Security
Less11 Security
 
Sap basis and_security_administration
Sap basis and_security_administrationSap basis and_security_administration
Sap basis and_security_administration
 
How to analyze_table_through_informatica
How to analyze_table_through_informaticaHow to analyze_table_through_informatica
How to analyze_table_through_informatica
 
Oracle SQL Tuning
Oracle SQL TuningOracle SQL Tuning
Oracle SQL Tuning
 
Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
 
D73549GC10_06.pptx
D73549GC10_06.pptxD73549GC10_06.pptx
D73549GC10_06.pptx
 

More from Biju Thomas

Notes from #OOW19
Notes from #OOW19Notes from #OOW19
Notes from #OOW19
Biju Thomas
 
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Biju Thomas
 
Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2
Biju Thomas
 
GLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesGLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New Features
Biju Thomas
 
GLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
GLOC 2014 NEOOUG - R12 Upgrade Downtime ReductionGLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
GLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
Biju Thomas
 
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Biju Thomas
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windows
Biju Thomas
 
Install oracle database 12c software on windows
Install oracle database 12c software on windowsInstall oracle database 12c software on windows
Install oracle database 12c software on windows
Biju Thomas
 
2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation
Biju Thomas
 
2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation
Biju Thomas
 
2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation
Biju Thomas
 
2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation
Biju Thomas
 

More from Biju Thomas (12)

Notes from #OOW19
Notes from #OOW19Notes from #OOW19
Notes from #OOW19
 
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12
 
Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2
 
GLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesGLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New Features
 
GLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
GLOC 2014 NEOOUG - R12 Upgrade Downtime ReductionGLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
GLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
 
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windows
 
Install oracle database 12c software on windows
Install oracle database 12c software on windowsInstall oracle database 12c software on windows
Install oracle database 12c software on windows
 
2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation
 
2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation
 
2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation
 
2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation
 

Recently uploaded

High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
moinahousna
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
Shiv Technolabs
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
Management Institute of Skills Development
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
digitalxplive
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
Axel Rennoch
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
Anant Gupta
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
Tatiana Al-Chueyr
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 

Recently uploaded (20)

High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
CiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.pptCiscoIconsLibrary cours de réseau VLAN.ppt
CiscoIconsLibrary cours de réseau VLAN.ppt
 
The Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF GuideThe Role of IoT in Australian Mobile App Development - PDF Guide
The Role of IoT in Australian Mobile App Development - PDF Guide
 
Figma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdfFigma AI Design Generator_ In-Depth Review.pdf
Figma AI Design Generator_ In-Depth Review.pdf
 
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
The Rise of AI in Cybersecurity How Machine Learning Will Shape Threat Detect...
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
The importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT StandardizationThe importance of Quality Assurance for ICT Standardization
The importance of Quality Assurance for ICT Standardization
 
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes..."Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
Best Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdfBest Practices for Effectively Running dbt in Airflow.pdf
Best Practices for Effectively Running dbt in Airflow.pdf
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 

OTech magazine article - Principle of Least Privilege

  • 1. Winter 2014 And more: 18 authors, 17 articles, 4 ACE's, 6 ACE Directors, ... Future is now, ODI 12c Maturity of Service Oriented Architectures Enforcing Principle of Least Privilege ASM Metrics Content-Enabling Your Insurance Business Using Oracle BPM and WebCenter Content
  • 2. Oracle Database 12c brings the Privilege Analysis feature to clearly identify the privileges required by an application for its functioning and tells the DBA which privileges can be revoked, to enforce the principle of least privilege and make the database and application more secure. Privilege analysis feature is available only in Enterprise Edition and it requires Database Vault license, which is an extra cost option. The good thing is that Database Vault need not be enabled to use Privilege Analysis - one less thing to worry. One of the top features of Oracle Database 12c that attracted me is the ability to enforce principle of least privilege with ease. Ever since database vendors started taking security seriously, the principle of least privilege theory is in play. To identify the privileges required by an application or user in Oracle database versions prior 12c was a tedious trial and error process. Many applications I have come across run with DBA or DBA like privileges, this is because no privilege analysis done at application design and development time. For application design and development team the focus is always on getting the development work completed and delivering the project. Security, especially least privilege, is not a focus item where team wants to spend time. It is easy to grant system privileges (especially DBA or ANY privileges like INSERT ANY TABLE) to get the application working. Biju Thomas - OneNeck IT Solutions Enforcing Principle of Least Privilege Figure 1: Privilege Analysis I will explain the steps using SQL command line as well as using Enterprise Manager Cloud Control 12c. To do the privilege analysis you need the CAPTURE_ADMIN role, this role is granted to DBA role, so if you have DBA privileges on the 12c database, you can perform the analysis. In a nutshell, privilege analysis works as below: - Define a capture - to identify what need to be analyzed - Enable the capture, to start capturing - Run the application or utility whose privilege need to be analyzed - Disable the capture - Generate results from capture for review - Implement the results, from the findings Oracle Database Security
  • 3. SELECT ANY TABLE INSERT ANY TABLE UPDATE ANY TABLE DELETE ANY TABLE ALTER ANY TRIGGER CREATE PROCEDURE CREATE TABLE CREATE SYNONYM CREATE ANY INDEX ALL privs on ORDERS and ORDER_ITEMS tables CONNECT and DBA Roles OBJECT_TYPE COUNT(*) ----------------------- ---------SEQUENCE 1 LOB 15 TYPE BODY 3 TRIGGER 4 TABLE 14 INDEX 48 SYNONYM 6 VIEW 13 SQL> select object_type, count(*) from dba_objects where owner = 'OE' group by object_type; - Demo Environment For demonstration purposes I am going to use the OE schema that comes with Oracle Database 12c examples - it has 14 tables and several other objects. We want to analyze the privileges of OE_ADM user who currently has the following privileges. 1 37 - Database (G_DATABASE - 1): If no condition is defined, analyzes used privilege on all objects within the whole database. No condition or roles parameter specified for this type of capture. - Role (G_ROLE - 2): Analyses privileges exercised through a role. Specify the roles to analyze using the ROLES parameter. - Context (G_CONTEXT - 3): Use this to analyze privileges that are used through an application module or specific context. Specify a CONDITION to analyze - Role and Context (G_ROLE_AND_CONTEXT - 4): Combination of role and context. Define and Start Capture The very first step in privilege analysis is to create a capture, to define what actions need to be monitored. Four types of analysis can be defined in the capture: New package DBMS_PRIVILEGE_CAPTURE has the subprograms to manage the privilege analysis. The CAPTURE_ADMIN role has execute privilege on this package. OE_ADM user connects using SQL*Developer to run the scripts and reports. Our objective is to remove the ANY privileges from OE_ADM user and grant appropriate privileges based on the tasks performed during the analysis period. FUNCTION TYPE Oracle Database Security
  • 4. Figure 2 shows the OEM screen to create a capture policy. With few clicks you can easily create the policy. Based on the context additional input is captured. Figure 2: OEM Screen to Create a Privilege Analysis Policy The CREATE_CAPTURE subprogram is used to define the capture. For our demo, we want to use the Role and Context, because we want to know what privilege from the DBA role is being used as well as what other privileges granted to OE_ADM are used when the application used is “SQL Developer”. BEGIN DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( name => 'Analyze_OE_ADM' , description => 'Review Privileges used by OE_ADM through SQL Developer' , type => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT , roles => ROLE_NAME_LIST('DBA','CONNECT') , condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''SQL Developer'' AND SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''OE_ADM'''); END; / The SQL to define the policy as shown in Figure 2 is: Oracle Database Security
  • 5. EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE (name => 'Analyze_OE_ADM'); Stop Capture and Generate Reports Ok, now that OE_ADM user has performed their tasks using SQL Developer, let us stop the capture and review the privileges used. Now run the application and for a period of time, so that Oracle can capture all the privileges used. EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name => 'Analyze_OE_ADM'); You can click on the start button to start capture, or use the below SQL to start the capture. Figure 3: Privilege Analysis screen of OEM Once the policy is defined, it shows up in the OEM Privilege Analysis main screen, from where you can enable, disable, generate report and drop the policy. See figure 3. Once you run the Generate Results procedure, all the DBA_USED_ views as well as DBA_UNUSED_ views are populated. You may query these views to generate revoke scripts or to prepare reports. The DBA_USED_ views show the privileges used by the user for the policy. The DBA_UNUSED_ views show the privileges that are assigned to the user, but are not used. The _PATH views show the privilege path (how the privileged was given to the user, through which role). Figure 4: unused privileges OEM shows the number of unused privileges in the summary screen as shown in figure 4. EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT (name => 'Analyze_OE_ADM'); Using OEM you can click on the Stop Capture button as shown in Figure 3. Now click the Generate Report button. Using SQL you can accomplish this by : Oracle Database Security
  • 6. Figure 5: OEM Options under Actions OEM makes it easier on you to see the reports and even generate a revoke script. Figure 5 shows the drop down menu under Actions. DBA_USED_OBJPRIVS DBA_USED_OBJPRIVS_PATH DBA_USED_PRIVS DBA_USED_PUBPRIVS DBA_USED_SYSPRIVS DBA_USED_SYSPRIVS_PATH DBA_USED_USERPRIVS DBA_USED_USERPRIVS_PATH DBA_UNUSED_COL_TABS DBA_UNUSED_OBJPRIVS DBA_UNUSED_OBJPRIVS_PATH DBA_UNUSED_PRIVS DBA_UNUSED_SYSPRIVS DBA_UNUSED_SYSPRIVS_PATH DBA_UNUSED_USERPRIVS DBA_UNUSED_USERPRIVS_PATH Capture Privilege - DBA Views Populated with Generate Results Procedure Figure 6: OEM Setup for Revoke Scripts Generation The Reports menu shows a summary, as well as used and unused privilege listing that you can export to an excel file. To be able to use the Revoke Scripts option, OEM needs to complete a setup as shown in figure 6. Oracle Database Security
  • 7. This creates a new role for you with only the used privileges how sweet is that! Figure 7: Create Role screen of OEM The revoke script revokes all unused roles and privileges from the role granted to the user, in this case this is not desired, because we do not want to mess with the DBA role. Here the Create Role menu comes for help. Figure 7 shows the OEM screen to create the role; you have option to customize the role creation as well. OneNeck IT Solutions Biju Thomas Oracle Database Security