Discussion:
Database vault and execution privilege
l***@bluewin.ch
2018-06-27 12:44:12 UTC
Permalink
Hi,
we have Database vault implemented and protect on schema level.
We want to define a prackage that will be stored in a protected schema.
That way we want to do some maintenance jobs.
We are not sure if that is possible or the schema protection will also prohibit execute access.
I did not find something usefull in the documentation, but I also do not know database vault.
If a direct execute is not possible, is somebody aware of a work around (e.g. by a database job)?
Regards
Lothar
Ricardo Kucharski Arnoud
2018-06-27 14:25:33 UTC
Permalink
Hi Lothar,

Please detail your setup and oracle version you're working on.
Script To List The Database Vault Realms, Command Rules And Rule Sets ( Doc
ID 1352556.1
<https://support.oracle.com/epmos/faces/DocumentDisplay?parent=SrDetailText&sourceId=3-17119640681&id=1352556.1>
)

If you're working with mandatory realms, You could achieve this by listing
an authorized user within realm protection.

I could suggest the following setup (Please consider authorized user with
the role dv_owner to perform the following procedure):

Create a FACTOR:
BEGIN
DVSYS.DBMS_MACADM.CREATE_FACTOR(factor_name => 'USER_NAME', description =>
' Returns the username for the current session ', factor_type_name =>
'User', rule_set_name => NULL, get_expr =>
'DVSYS.DBMS_MACADM.GET_SESSION_INFO(''USERNAME'')', validate_expr => NULL,
identify_by => '1', labeled_by => '0', eval_options => '0', audit_options
=> '16',fail_options => '1');
END;
/

Create a Rule called TRUSTED_USER
begin DVSYS.DBMS_MACADM.CREATE_RULE(rule_name => 'TRUSTED_USER', rule_expr
=> 'DVF.F$USER_NAME= 'USERNAME''); end;

Create a RULE SET:

begin
DECLARE x VARCHAR2(40);
static_option BOOLEAN := FALSE; BEGIN x:='Y';
IF x = 'Y' THEN static_option := TRUE; ELSE static_option := FALSE;
END IF;
DVSYS.DBMS_MACADM.CREATE_RULE_SET(rule_set_name => 'TRUSTED_ACCESS',
description => ' Trusted users and applications',
enabled => 'Y',
eval_options => 2,
audit_options => 1,
fail_options => 1,
fail_message => '',
fail_code => '',
handler_options => 0,
handler => '',
is_static => static_option);
END;
DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'TRUSTED_ACCESS',
rule_name => 'TRUSTED_USER',
rule_order => '1',
enabled => 'Y');
end;
/

Grant this RULE SET on your app realm protection

begin
DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(realm_name => 'APP - REALM',
grantee => DBMS_ASSERT.ENQUOTE_NAME('USERNAME',FALSE),
rule_set_name => 'TRUSTED_ACCESS',
auth_options => '0' );
end;

The user should be able to login and run your procedures.
You can play more options on this setup with the rule set TRUSTED_ACCESS...

Best Regards,
Ricardo Arnoud
Post by l***@bluewin.ch
Hi,
we have Database vault implemented and protect on schema level.
We want to define a prackage that will be stored in a protected schema.
That way we want to do some maintenance jobs.
We are not sure if that is possible or the schema protection will also
prohibit execute access.
I did not find something usefull in the documentation, but I also do not
know database vault.
If a direct execute is not possible, is somebody aware of a work around
(e.g. by a database job)?
Regards
Lothar
--
--
Thanks,
* Ricardo Arnoud*






Porto Alegre - RS
http://www.queroaprenderlinux.com.br
http://www.peritodigitalonline.com.br
Loading...