Monday, February 12, 2007

Restrict DBA's data access

Preventing the DBA and other powerful users from seeing company confidential data has never been an easy task, because their system privileges (SELECT ANY TABLE, for example) reach every schema in the database. With Oracle Database 10g Release 2 this can be accomplished with Database Vault (DV). DV lets you define realms around your application data that block DBAs from using those system privileges against data they are not supposed to see. Realms can be configured through the DV web interface or through the PL/SQL API in the DBMS_MACADM package (run as a user holding the DV_OWNER role). Here are the basic steps to protect a schema with a realm:

1. Create the realm. The third argument enables it ('Y' or 'N'; the original post passed 'YES'), the fourth is the audit option: 0 disables realm auditing, 1 records realm violations, which is what you usually want in production.

Exec dbms_macadm.create_realm('Protected_Scott','Scott schema DV protected','Y',0);

2. Add the schema objects to be protected. With '%' for both object name and object type this covers every object in the SCOTT schema (owner names are matched against the data dictionary, so use the upper-case form):

Exec dbms_macadm.add_object_to_realm('Protected_Scott','SCOTT','%','%');

3. Authorize the users who are allowed to work with the protected data. auth_options 1 makes the grantee a realm owner, 0 makes it a participant:

Exec dbms_macadm.add_auth_to_realm(realm_name => 'Protected_Scott', grantee => 'SCOTT', auth_options => 1);

And that's basically it. The SCOTT schema is now protected and SCOTT is the owner of the realm. From now on users such as SYS and SYSTEM, whose access to other schemas rests on system privileges, will no longer be able to select data from SCOTT's tables; the attempt fails with an insufficient-privileges error and, with auditing enabled, shows up as a realm violation. Two caveats: a realm only intercepts access made through system privileges, so a user holding a direct object grant (GRANT SELECT ON scott.emp TO someone) still sees the data, and a realm does nothing for data that leaves the database through exports or backups unless those are protected too.
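The three steps above as one script, followed by the checks a practitioner would run afterwards. This is an added example and not code from the original post: it assumes Database Vault is installed and enabled, that the script runs as an account holding DV_OWNER, that the SCOTT schema exists, and that the two users ANALYST (holding SELECT ANY TABLE) and APP_RO (holding a direct grant on SCOTT.EMP) already exist; both user names are hypothetical. The numeric arguments are the values of the matching DBMS_MACUTL constants named in the comments.

```sql
-- Added example, not from the original post. Run as a DV_OWNER account.
-- Assumptions: SCOTT exists; hypothetical users ANALYST (SELECT ANY TABLE)
-- and APP_RO (CREATE SESSION only) already exist.

-- 1. Create the realm. audit_options 1 = DBMS_MACUTL.G_REALM_AUDIT_FAIL,
--    i.e. write an audit record for every realm violation.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Protected_Scott',
    description   => 'Scott schema DV protected',
    enabled       => 'Y',   -- DBMS_MACUTL.G_YES
    audit_options => 1);    -- DBMS_MACUTL.G_REALM_AUDIT_FAIL
END;
/

-- 2. Protect every object of every type owned by SCOTT.
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Protected_Scott',
    object_owner => 'SCOTT',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 3. Make SCOTT the realm owner (1 = DBMS_MACUTL.G_REALM_AUTH_OWNER,
--    0 = DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT).
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Protected_Scott',
    grantee      => 'SCOTT',
    auth_options => 1);
END;
/

-- Check the result through the Database Vault data-dictionary views.
SELECT name, enabled, audit_options
  FROM DVSYS.DBA_DV_REALM
 WHERE name = 'Protected_Scott';

SELECT owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'Protected_Scott';

SELECT grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'Protected_Scott';

-- What the realm blocks and what it does not.
-- Connected as SCOTT: a direct object grant is not a system privilege.
GRANT SELECT ON scott.emp TO app_ro;

-- Connected as ANALYST: the query relies on SELECT ANY TABLE, which the
-- realm now intercepts, so this statement fails with a realm violation.
SELECT COUNT(*) FROM scott.emp;

-- Connected as APP_RO: the direct grant bypasses the realm and this works.
SELECT COUNT(*) FROM scott.emp;

-- Back as DV_OWNER: the audited violation by ANALYST is visible here.
SELECT username, action_name, returncode
  FROM DVSYS.AUDIT_TRAIL$
 WHERE username = 'ANALYST';
```

Run the three sections from the accounts named in the comments; the point of the last part is that the realm is a control on system-privilege use, so the direct grants held on the protected schema need to be reviewed (DBA_TAB_PRIVS for owner SCOTT) as part of locking it down.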

Taking the Database Vault configuration a step further brings in features such as multifactor authorization, Oracle Label Security (OLS) integration and command rules. Multifactor authorization combines factors (the default set includes Client_IP, Session_User and Database_Hostname, plus any you define) into rule sets that can be attached to a realm authorization or a command rule, so that an authorization only holds when the rules evaluate to true. With these features one can, for example, build an environment where database access from a certain IP address at a certain time of day restricts data visibility to a certain OLS level.
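A worked example of the rule-set part of that, added here and not taken from the original post: a hypothetical support DBA account APP_DBA (holding SELECT ANY TABLE) is authorized in the Protected_Scott realm only when connected from a hypothetical jump host at 192.0.2.10 during office hours. It assumes the realm from the earlier steps exists, that the script runs as a DV_OWNER account, and that DVF.F$CLIENT_IP is the function Database Vault generates for its default Client_IP factor. The OLS label side is not covered here.

```sql
-- Added example, not from the original post. Run as a DV_OWNER account.
-- Assumptions: realm Protected_Scott exists; user APP_DBA (hypothetical)
-- exists and holds SELECT ANY TABLE; 192.0.2.10 is a hypothetical jump host.

-- Rules are boolean SQL expressions. The first one reads the Client_IP
-- factor through the DVF schema function that DV creates for each factor.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From_Trusted_Host',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'During_Office_Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 17');
END;
/

-- A rule set ANDs its rules when eval_options is 1
-- (DBMS_MACUTL.G_RULESET_EVAL_ALL). audit_options 1 audits failures,
-- fail_options 1 shows fail_message to the caller, handler_options 0 means
-- no custom handler procedure.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted_Host_Office_Hours',
    description     => 'Trusted jump host during office hours',
    enabled         => 'Y',
    eval_options    => 1,
    audit_options   => 1,
    fail_options    => 1,
    fail_message    => 'SCOTT data is only reachable from the jump host during office hours',
    fail_code       => 20001,
    handler_options => 0,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted_Host_Office_Hours',
    rule_name     => 'From_Trusted_Host');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted_Host_Office_Hours',
    rule_name     => 'During_Office_Hours');
END;
/

-- Conditional realm authorization: APP_DBA is a participant (0), but only
-- while the rule set evaluates to true for the current session.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Protected_Scott',
    grantee       => 'APP_DBA',
    rule_set_name => 'Trusted_Host_Office_Hours',
    auth_options  => 0);   -- DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT
END;
/

-- Checks: what the factor returns for this session, and the wiring.
SELECT DVF.F$CLIENT_IP AS client_ip FROM DUAL;

SELECT rule_set_name, rule_name, rule_expr
  FROM DVSYS.DBA_DV_RULE_SET_RULE
 WHERE rule_set_name = 'Trusted_Host_Office_Hours';

SELECT grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'Protected_Scott';
```

Connected as APP_DBA from the jump host during office hours, SELECT on SCOTT's tables goes through; from any other address, or outside those hours, the same statement is a realm violation and is audited. Client_IP comes from the listener's view of the connection, so the rule is only as trustworthy as the network path between the jump host and the database.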

1 comment:

Libby said...

It's a very difficult task to prevent the DBA from accessing a company's important data. But in the newer versions of Oracle a tool is provided to do so. I just knew about the tool and have never implemented it. It's really great to know about this utility from the above post. Thanks for sharing the code.