Using Oracle Database Vault 10gR2 With Apps 11i

[Editor Update May 21, 2008:  Nilesh has moved on to another team within Oracle and, sadly, is no longer an active contributor to this blog.  Feel free to direct any questions about his posted articles directly to Steven Chan, instead.]


I'm very pleased to announce that Oracle Database Vault 10gR2 10.2.0.3 is certified with the E-Business Suite Release 11i.  I've been working on this certification for the last year. In this article I will give you some insight into how Oracle E-Business Suite Release 11i can be configured to use Oracle Database Vault features to protect sensitive transactional data from powerful users like Apps DBAs.

What is Oracle Database Vault?

A key challenge for security administrators is protecting enterprise data from insider attacks.  Oracle Database Vault is an optional database feature that can help you defend against that class of threats, as well as build internal controls to help meet regulatory requirements for privacy and segregation of duties.

Oracle Database Vault can prevent highly privileged users, including powerful application DBAs and others, from accessing sensitive applications and data in Oracle databases outside their authorized responsibilities. You can use customizable Realms and rules to ensure that users, even administrators, have access only to what they need to do their job.

Database Vault example: Diagram showing how Database Vault prevents a privileged DBA user from accessing application data, while allowing the authorized Realm owner to access the same data

The figure above illustrates how Oracle Database Vault addresses the following database security concerns:
  • Administrative privileged account access to application data: In this case, Oracle Database Vault prevents the DBA from accessing the schemas that are protected by the FIN Realm. Although the DBA is the most powerful and trusted user, the DBA does not need access to application data residing within the database.
  • Separation of duties for application data access: In this case, the FIN Realm Owner, created in Oracle Database Vault, has access to the FIN Realm schemas.
Protecting Database Objects With Realms and Rules

Oracle Database Vault uses Realms to set up boundaries around a set of objects in specific schemas; specific conditions must be met to access data protected by those boundaries. Realms specify a set of conditions that must be met before a given command can be executed on a set of database objects.

This provides very granular control over what can be done to certain objects, and by whom. You can define rules to restrict access based on business-specific factors such as data access connections from a particular database, from a particular machine, and from specific IP addresses.  You can also specify the time of day or authentication modes for data access.

For details about various Oracle Database Vault Realms and customizable rules, see:

Minimum Requirements

Additional interoperability patches are also required. For complete details, see:

Preseeded Realms for the E-Business Suite

Oracle delivers a set of preseeded Database Vault Realms for your E-Business Suite Release 11i environment via the following patch:

This patch contains the master fnddvebs.sql script. The fnddvebs.sql script creates Realms around Oracle E-Business Suite 11i product schemas and gives authorization only to those users required to allow the Oracle E-Business Suite to function normally.

The fnddvebs.sql script creates six Realms. Each Realm protects different product schemas and has its own set of user authorizations.
  • EBS Realm
  • EBS Realm - Applsys Schema
  • EBS Realm - Applsyspub Schema
  • EBS Realm - Apps Schema
  • EBS Realm - MSC Schema
  • CTXSYS Data Dictionary
Oracle Supplied Ebiz 11i Realms: Screenshot of Database Vault 10g 10.2.0.3 Realms definition screen, with pre-seeded Realms for the E-Business Suite Release 11i displayed

Extending Oracle-Supplied Realms

Oracle strongly recommends against modifying the preseeded Oracle-supplied Realms for the E-Business Suite. If you're familiar with the E-Business Suite data model, you can create your own realms and secure additional objects as needed. Improperly defined Realms can prevent the E-Business Suite from functioning normally, so careful testing of your custom Realms is advisable.

Metalink Note 428503.1 has a detailed example of extending Oracle E-Business suite 11i realms.
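As an added example of the Realm-and-rule model described above (the "Protecting Database Objects With Realms and Rules" section) and of extending the Oracle-supplied Realms with one of your own, the following PL/SQL block builds a custom Realm around a hypothetical custom schema. This is illustration code, not the fnddvebs.sql script and not part of Metalink Note 428503.1: the schema name XXCUST, the rule, rule set and Realm names, the 10.0.1.% subnet and the business-hours window are all assumptions, and the verification queries assume the DVSYS.DBA_DV_REALM* view columns as documented for this release. The DBMS_MACADM and DBMS_MACUTL packages are the standard Database Vault administration API and must be run as the Database Vault Owner account (DV_OWNER role), not as SYS or as an Apps DBA.

```sql
-- Added example: a custom Database Vault Realm around a hypothetical XXCUST schema.
-- Run as the Database Vault Owner (DV_OWNER). Everything named XXCUST below,
-- the subnet and the business-hours window are constructed for illustration.

BEGIN
  -- 1. Rules built on Database Vault factors. Client_IP is a factor shipped
  --    with Database Vault; the IP range is a constructed placeholder.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'XXCUST Trusted Subnet',
    rule_expr => 'DVSYS.GET_FACTOR(''Client_IP'') LIKE ''10.0.1.%''');

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'XXCUST Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 18');

  -- 2. Rule set: every rule must be true (EVAL_ALL); a failed evaluation is
  --    audited and the fail message is shown to the session.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'XXCUST Access Conditions',
    description     => 'Trusted subnet during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'XXCUST data is reachable only from the trusted subnet in business hours',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => '');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('XXCUST Access Conditions', 'XXCUST Trusted Subnet');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('XXCUST Access Conditions', 'XXCUST Business Hours');

  -- 3. The Realm itself: a boundary around the schema, with violations audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'XXCUST Realm',
    description   => 'Custom extension objects holding sensitive HR data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- '%' for object name and type places every object in the schema inside the Realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'XXCUST Realm',
    object_owner => 'XXCUST',
    object_name  => '%',
    object_type  => '%');

  -- 4. Authorize the application account as a Realm participant, and only while
  --    the rule set evaluates true. No other account (a DBA included) qualifies.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'XXCUST Realm',
    grantee       => 'APPS',
    rule_set_name => 'XXCUST Access Conditions',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  COMMIT;
END;
/

-- Verification: the Realm, its protected objects and its authorizations
-- are visible through the DVSYS data dictionary views.
SELECT name, enabled
  FROM DVSYS.DBA_DV_REALM
 WHERE name = 'XXCUST Realm';

SELECT owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'XXCUST Realm';

SELECT grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'XXCUST Realm';
```

Two points worth checking before relying on a Realm like this. First, a Realm stops access obtained through system privileges such as SELECT ANY TABLE; an account that holds a direct object grant on an XXCUST table is not blocked by the Realm alone, so review DBA_TAB_PRIVS for the schema as well. Second, because the authorization is tied to a rule set, the APPS account is also locked out whenever the rule set fails (for example a concurrent manager node outside the 10.0.1.% range), which is exactly the kind of self-inflicted outage the article warns about; test custom Realms in a non-production instance first.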

Key Considerations About Realms

The preseeded Realms are not intended to provide:
  1. Protection from a user logged into the SYSTEM schema
  2. Protection during Application mid-tier patching
Documentation
Related Articles

Comments:

Steven,

This is GREAT news!! Tell the team that they've done a great job in getting this out.

We've been waiting a long time...sounds familiar...:-)

thx,
John

Posted by John Stouffer on February 07, 2008 at 05:22 AM PST #

Nilesh,

Any idea when HP-UX will be certified? We're going to patch current just to be ready but the document doesn't mention even if HP is pending.

thx,
John

Posted by John Stouffer on February 11, 2008 at 01:31 AM PST #

John,

The Note has a platform advisory at the top which reads, in part, "This note will be updated with support for additional platforms as they become available."  HP-UX falls into the category of "additional platforms" -- it's something that we're working on now.  As usual, we don't have any specific dates for its release that we can share.

Regards,
Steven

Posted by Steven Chan on February 11, 2008 at 02:39 AM PST #

Wait... "Oracle Database Vault can prevent highly privileged users, including powerful application DBAs and others, from accessing sensitive applications and data in Oracle databases outside their authorized responsibilities" Yet you go on to say that if the user can access the system schema they won't be stopped, and during patching they won't be stopped.

Forgive me, but exactly what is the point then? I have yet to be an Apps DBA at a client where I didn't have sys/system (umm, you're not a DBA at that point...) and if I was nefarious, even without having read this document I would have planned on doing acts I didn't want traced DURING A PATCH, as there's lots of DML to "hide my tracks"

What am I missing? This seems completely pointless.

Posted by Jay Weinshenker on February 12, 2008 at 06:26 AM PST #

Marc,

We're in the process of juggling our Release 12.x activities to fit the DB Vault certification into the overall plans.  I'm afraid that I can't provide a specific timeframe due to reasons I've previously explained in this article.  That said, you're welcome to monitor or subscribe to my E-Business Suite Technology Stack blog (http://blogs.oracle.com/schan) for updates, which I'll post as soon as they're available.

Regards,
Steven

Posted by Steven Chan on February 14, 2008 at 01:54 AM PST #

Nilesh/Steven,

When can we expect this functionality to be certified for Release 12? Even a vague ballpark would be appreciated.

Thanks and regards,

Marc

Posted by Marc Caruso on February 14, 2008 at 03:00 AM PST #

Hello, is what Jay said correct ? If so, what is the point of this feature ?

Posted by David Browne on July 20, 2008 at 05:20 PM PDT #

Oracle Database Vault 10.2.0.3 Certified with Apps 12

See http://blogs.oracle.com/stevenChan/2008/05/oracle_database_vault_10203_ce.html

Posted by Mike Shaw on July 20, 2008 at 09:28 PM PDT #

Hello Jay and David,

This article is just a taster of Database Vault with eBiz, so you should read Note 428503.1 and the Oracle Database 10g Release 2 Vault Administrator's Guide to get a good view of what it can do (and the limitations).

If a customer is interested in segregation of duties, then Database Vault will likely be part of an integration solution.

regards,
Mike

Posted by Mike Shaw on July 20, 2008 at 10:02 PM PDT #

Hi,

Are Database Vault and VPD (Row Level Security) the same feature or different?
If they differ, what is the difference?

Thanks
Aniruddha.

Posted by Aniruddha on August 14, 2008 at 06:56 PM PDT #

Hi, Aniruddha,

I've asked one of our Database Vault product managers to provide a positioning and features comparison between DB Vault and VPD. He'll be posting an update here soon.

Regards,
Steven

Posted by Steven Chan on August 18, 2008 at 04:35 AM PDT #

Hi, Aniruddha,

Here's a response from our Database Security team:

VPD provides real-time query modification for select, insert, update and delete statements, enforcing row-level security and limiting the data rows returned to a user or program. Oracle Database Vault, on the other hand, is focused on operational security and internal controls at the database, schema and table level.

Database Vault command rules work against any SQL, including DDL operations such as the "alter" command. Database Vault command rules can verify that specific operational conditions are met, controlling who, when, where and how the database and operations within the database are accessed. Privileged user access to application data can be prevented with a few simple steps; no PL/SQL programming or stored procedure maintenance is required. Database Vault enforces separation of duty in the Oracle database, preventing existing privileged users from performing sensitive administrative operations and enabling customers to easily raise the security bar on applications that may not have followed a least-privilege model of security design. Another big difference between Database Vault and VPD is that the Database Vault architecture prevents a DBA from changing the security policies enforced by Database Vault.

Feel free to let us know if you have any additional questions about either of these technologies.

Regards,
Steven

Posted by Steven Chan on August 19, 2008 at 06:20 AM PDT #
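The comparison in Steven's reply above is easier to see with the two mechanisms side by side. The following is an added illustration, not code from the article or from Oracle's Database Vault or VPD documentation: the schema XXHR, the table XXHR.EMP_IDS and its BUSINESS_GROUP_ID column, the XXHR_CTX application context and the policy name are all assumptions. DBMS_RLS.ADD_POLICY is the standard VPD API; DBMS_MACADM.CREATE_COMMAND_RULE is the standard Database Vault API, and "Disabled" is one of the rule sets that Database Vault ships with (it always evaluates false).

```sql
-- Added example: VPD (row filtering of DML) versus a Database Vault command rule
-- (a control on DDL). XXHR, EMP_IDS, BUSINESS_GROUP_ID and XXHR_CTX are constructed
-- names for illustration.

-- (a) VPD: a policy function that returns a predicate. The database appends it to
--     every SELECT/INSERT/UPDATE/DELETE on XXHR.EMP_IDS, so each session sees only
--     the rows of its own business group (the group id is read from a session context
--     assumed to be set at login).
CREATE OR REPLACE FUNCTION xxhr.emp_ids_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  RETURN 'business_group_id = SYS_CONTEXT(''XXHR_CTX'', ''BUSINESS_GROUP_ID'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'XXHR',
    object_name     => 'EMP_IDS',
    policy_name     => 'EMP_IDS_BY_GROUP',
    function_schema => 'XXHR',
    policy_function => 'EMP_IDS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- INSERT/UPDATE must also satisfy the predicate
END;
/
-- Limits of (a): the EXEMPT ACCESS POLICY privilege (held by SYS) bypasses VPD
-- entirely, a DBA can DROP or rewrite the policy function, and VPD never sees
-- DDL such as ALTER TABLE or TRUNCATE.

-- (b) Database Vault: a command rule that refuses ALTER TABLE on any XXHR object,
--     whoever issues it. Attaching the shipped "Disabled" rule set makes the rule
--     unconditional; a custom rule set could instead allow it only from a given
--     host or during a change window. Run as the Database Vault Owner (DV_OWNER);
--     a DBA without the DV_OWNER role cannot drop or alter this rule.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'XXHR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
  COMMIT;
END;
/

-- Verification of (b): the command rule is listed in the DVSYS dictionary view.
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE object_owner = 'XXHR';
```

Read together, (a) decides which rows an otherwise-permitted statement returns, while (b) decides whether a statement class is permitted at all; the two are complementary, and the DDL and policy-tampering gaps noted under (a) are precisely what (b) closes. Neither mechanism on its own addresses the SYSTEM-schema and mid-tier-patching exclusions listed in the article's "Key Considerations About Realms".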

Steven,

Is Audit Vault certified with Release 11i and Release 12?

Looks like a great product and we'd like to get it in-house.

thx,
John

Posted by John Stouffer on August 19, 2008 at 11:10 PM PDT #

This is our requirement.

We are using Oracle Applications R12.1.2 and the database is 11.1.0.7, on the Oracle Enterprise Linux 5.1 platform, with the Financials and HRMS modules.

Our requirement is to protect only HRMS data, such as the national identifier, from DBAs and powerful users. How do we fulfil this requirement by using Oracle Vault 11.1.0.7?

Posted by varatharajan on July 06, 2011 at 10:19 PM PDT #
