PK )Aoa,mimetypeapplication/epub+zipPK)AiTunesMetadata.plistQ artistName Oracle Corporation book-info cover-image-hash 426091184 cover-image-path OEBPS/dcommon/oracle-logo.jpg package-file-hash 803722437 publisher-unique-id E23090-05 unique-id 401639658 genre Oracle Documentation itemName Oracle® Database Vault Administrator's Guide, 11g Release 2 (11.2) releaseDate 2012-03-03T07:02:50Z year 2012 PKUFVQPK)AMETA-INF/container.xml PKYuPK)AOEBPS/cfrulset.htm Configuring Rule Sets

5 Configuring Rule Sets

This chapter contains:

What Are Rule Sets?

A rule set is a collection of one or more rules that you can associate with a realm authorization, factor assignment, command rule, or secure application role. The rule set evaluates to true or false based on the evaluation of each rule it contains and the evaluation type (All True or Any True). A rule within a rule set is a PL/SQL expression that evaluates to true or false. You can create a rule and add the rule to multiple rule sets.

You can use rule sets to accomplish the following activities:

When you create a rule set, Oracle Database Vault makes it available for selection when you configure the authorization for a realm, command rule, factor, or secure application role.

You can run reports on the rule sets that you create in Oracle Database Vault. See "Related Reports and Data Dictionary Views" for more information.

This chapter explains how to configure rule sets by using Oracle Database Vault Administrator. To configure rule sets by using the PL/SQL interfaces and packages provided by Oracle Database Vault, refer to the following chapters:

Default Rule Sets

Oracle Database Vault provides a set of default rules sets that you can customize for your needs. The default rule sets are as follows:

Creating a Rule Set

In general, to create a rule set, you first create the rule set itself, and then you edit the rule set to associate it with one or more rules. You can associate a new rule with the rule set, add existing rules to the rule set, or delete a rule association from the rule set.

See also the following sections:

To create a rule set:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, under Database Vault Feature Administration, click Rule Sets.

  3. In the Rule Sets page, click Create.

  4. In the Create Rule Set page, enter the following settings, and then click OK:

General

Enter the following settings:

Audit Options

Select from the following options to generate an audit record for the rule set. Oracle Database Vault writes the audit trail to the DVSYS.AUDIT_TRAIL$ system file, described in Appendix A, "Auditing Oracle Database Vault."

This attribute is mandatory. The settings are:

For additional audit options, see "CREATE_RULE_SET Procedure".

The Oracle Database Vault audit trail, written to the DVSYS.AUDIT_TRAIL$ system table, contains the fields RULE_SET_NAME and RULE_SET_ID. These fields are populated when a rule set is associated with a realm authorization and a command authorization, and the rule set is configured to audit under some circumstances. See Appendix A, "Auditing Oracle Database Vault," for more information.

Error Handling Options

Enter the following settings to control the messaging to the database session when the rule set evaluates to false or one of the associated rules contains an invalid PL/SQL expression:

After you create a rule set, you are ready to create rules to attach to the rule set. To do so, you edit the new rule set, and then define its rules.


See Also:


Configuring or Editing a Rule Set

To configure or edit a rule set:

  1. In the Oracle Database Vault Administration page, select Rule Sets.

  2. In the Rule Set page, select the rule set that you want to edit.

  3. Click Edit.

  4. Modify the rule set as necessary, and then click OK.


See Also:


Creating a Rule to Add to a Rule Set

After you create a new rule set, you can associate it with one or more rules. When you create a new rule, it is automatically added to the current rule set. You also can add existing rules to the rule set. Alternatively, you can omit adding rules to the rule set and use it as a template for rule sets you may want to create in the future.

The rule set evaluation depends on the evaluation of its rules using the Evaluation Options (All True or Any True). If a rule set is disabled, Oracle Database Vault evaluates the rule set to true without evaluating its rules.

See "How Rule Sets Work" for information on how rules are evaluated, how to nest rules, and how to create rules that exclude a particular user, such as a privileged user.

Creating a New Rule

To create and add a rule to a rule set:

  1. In the Oracle Database Vault Administration page, select Rule Sets.

  2. In the Rule Sets page, select the rule set to which you want to create and add a rule, and then select Edit.

  3. In the Edit Rule Set Page, scroll down to Rules Associated To The Rule Set and select Create.

  4. In the Create Rule page, enter the following settings:

    • Name: Enter a name for the rule. Use up to 90 characters in mixed-case.

      Oracle suggests that you start the name with a verb and complete the name with the purpose of the rule. For example:

      Prevent non-admin access to SQL*Plus

      Because rules do not have a Description field, make the name explicit but be sure to not exceed over 90 characters.

    • Rule Expression: Enter a PL/SQL expression that fits the following requirements:

      • It is valid in a SQL WHERE clause.

      • It can be a freestanding and valid PL/SQL Boolean expression such as the following:

        TO_CHAR(SYSDATE,'HH24') = '12'

      • It must evaluate to a Boolean (TRUE or FALSE) value.

      • It must be no more than 255 characters long.

      • It can contain existing and compiled PL/SQL functions from the current database instance. Ensure that these are fully qualified functions (such as schema. function_name). Do not include complete SQL statements.

        If you want to use application package functions or standalone functions, you must grant the DVSYS account the EXECUTE privilege on the function. Doing so reduces the chances of errors when you add new rules.

      • Ensure that the rule works. You can test the syntax by running the following statement in SQL*Plus:

        SELECT rule_expression FROM DUAL;

        For example, suppose you have created the following the rule expression:

        SYS_CONTEXT('USERENV','SESSION_USER') != 'TSMITH'

        You could test this expression as follows:

        SELECT SYS_CONTEXT('USERENV','SESSION_USER') FROM DUAL;

      See the following sections for functions that you can use in the rule set expression:

      For additional examples of expressions, see the rule defined in the rule sets provided with Oracle Database Vault. "Default Rule Sets" lists these rule sets.

  5. Click OK.

    The Edit Rule Set page appears. By default, the new rule is added to the rule set.

Editing a Rule

The changes you make to a rule apply to all rule sets that include the rule.

To edit a rule:

  1. In the Edit Rule Set page, scroll to Rules Associated To The Rule Set.

  2. Select the rule you want to edit and click Edit.

  3. In the Edit Rule page, modify the rule as necessary.

  4. Click OK.

Removing a Rule from a Rule Set

Before you remove a rule from a rule set, you can locate the various references to it by querying the rules-related Oracle Database Vault views. See "Oracle Database Vault Data Dictionary Views" for more information.

To remove a rule from a rule set:

  1. In the Edit Rule Set page, scroll to Rules Associated To The Rule Set.

  2. Select the rule you want to delete and click Remove.

  3. In the Confirmation page, click Yes.

After you remove the rule from the rule set, it still exists. If you want, you can associate it with other rule sets. If you want to delete the rule, use the DVSYS.DBMS_MACADM.DELETE_RULE function, described in "Rule Set Procedures Within DVSYS.DBMS_MACADM". For example, to delete the rule Night Shift, log in to SQL*Plus as the Database Vault Owner and enter the following statement:

EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Night Shift');

Adding Existing Rules to a Rule Set

To add existing rules to a rule set:

  1. In the Rule Sets page, select the rule set that you want to add rules to, and then select Edit.

  2. Under Rules Associated To The Rule Set, select Add Existing Rules.

  3. In the Add Existing Rules page, select the rules you want, and then click Move (or Move All, if you want all of them) to move them to the Selected Rules list.

    You can select multiple rules by holding down the Ctrl key as you click each rule.

  4. Click OK.

Deleting a Rule Set

Before you delete a rule set, you can locate the various references to it by querying the rules-related Oracle Database Vault views. See "Oracle Database Vault Data Dictionary Views" for more information.

To delete a rule set:

  1. If other Database Vault objects, such as command rules, reference the rule set, then remove the reference.

    You can delete a rule set only if no other Database Vault objects are referencing it.

  2. In the Oracle Database Vault Administration page, select Rule Sets.

  3. In the Rule Set page, select the rule set that you want to remove.

  4. Click Remove.

  5. In the Confirmation page, click Yes.

    The rule set is deleted. However, the rules associated with the rule set are not deleted.

How Rule Sets Work

This section describes how rule sets work in the following ways:

How Oracle Database Vault Evaluates Rules

Oracle Database Vault evaluates the rules within a rule set as a collection of expressions. If you have set Evaluation Options to All True and if a rule fails the evaluation, then the evaluation stops at that point, instead of attempting to evaluate the rest of the rules in the rule set. Similarly, if Evaluation Options is set to Any True and if a rule evaluates to true, the evaluation stops at that point. If a rule set is disabled, Oracle Database Vault evaluates it to true without evaluating its rules.

Nesting Rules Within a Rule Set

You can nest one or more rules within the rule set. For example, suppose you want to create a nested rule, Is Corporate Network During Maintenance, that performs the following two tasks:

  • It limits table modifications only when the database session originates within the corporate network.

  • It restricts table modifications during the system maintenance window scheduled between 10:00 p.m. and 10:59 p.m.

The rule definition would be as follows:

DVF.F$NETWORK = 'Corporate' AND TO_CHAR(SYSDATE,'HH24') between '22' AND '23'

You can create it using a factor function. See "Oracle Database Vault PL/SQL Factor Functions" for more information. Chapter 7 explains how to create factors.

Creating Rules to Apply to Everyone Except One User

You can also create rules to apply to everyone except one user (for example, a privileged user). The rule definition for this type of rule can be as follows:

SYS_CONTEXT('USERENV','SESSION_USER') = 'SUPERADMIN_USER' OR additional_rule

If the current user is a privileged user, then the system evaluates the rule to true without evaluating additional_rule. If the current user is not a privileged user, then the evaluation of the rule depends on the evaluation of additional_rule.

Tutorial: Creating an Email Alert for Security Violations

This section contains:

About This Tutorial

In the following tutorial, you create an email alert that is sent when a user attempts to alter a table outside a maintenance period. To do this, you must create a rule to set the maintenance period hours, attach this rule to a rule set, and then create a command rule to allow the user to alter the table. You then associate the rule set with this command rule, which then sends the email alert when the user attempts to use the ALTER TABLE SQL statement outside the maintenance period.

Step 1: Install and Configure the UTL_MAIL PL/SQL Package

  1. Log in to SQL*Plus as SYS using the SYSDBA privilege, and then install the UTL_MAIL package.

    sqlplus sys as sysdba
Enter password: password

@$ORACLE_HOME/rdbms/admin/utlmail.sql
@$ORACLE_HOME/rdbms/admin/prvtmail.plb

    The UTL_MAIL package enables you to manage email. See Oracle Database PL/SQL Packages and Types Reference for more information about UTL_MAIL. However, be aware that currently, the UTL_MAIL PL/SQL package do not support SSL servers.

  2. Check the current value of the SMTP_OUT_SERVER parameter, and make a note of this value so that you can restore it when you complete this tutorial.

    For example:

    SHOW PARAMETER SMTP_OUT_SERVER

    Output similar to the following appears:

    NAME                    TYPE              VALUE
----------------------- ----------------- ----------------------------------
SMTP_OUT_SERVER         string            some_value.example.com

  3. Issue the following ALTER SYSTEM statement:

    ALTER SYSTEM SET SMTP_OUT_SERVER="imap_mail_server.example.com";

    Replace imap_mail_server.example.com with the name of your SMTP server, which you can find in the account settings in your email tool. Enclose these settings in quotation marks. For example:

    ALTER SYSTEM SET SMTP_OUT_SERVER="my_imap_mail_server.example.com"

  4. Connect as SYS using the SYSOPER privilege and then restart the database.

    CONNECT SYS/AS SYSOPER
Enter password: password

SHUTDOWN IMMEDIATE
STARTUP

  5. Ensure that the SMTP_OUT_SERVER parameter setting is correct.

    CONNECT SYS AS SYSDBA
Enter password: password

SHOW PARAMETER SMTP_OUT_SERVER

    Output similar to the following appears:

    NAME                    TYPE              VALUE
----------------------- ----------------- ----------------------------------
SMTP_OUT_SERVER         string            my_imap_mail_server.example.com

Step 2: Create an Email Security Alert PL/SQL Procedure

  1. Ensure that you are connected as SYS using the SYSDBA privilege, and then grant the following privileges to a user who has been granted the DV_OWNER role.

    (Alternatively, you can select a user who has been granted the DV_ADMIN role, but for this tutorial, you will select a user who has the DV_OWNER role.)

    For example:

    CONNECT SYS AS SYSDBA
Enter password: password

GRANT CREATE PROCEDURE, DROP ANY PROCEDURE TO lbrown_dvowner;
GRANT EXECUTE ON UTL_TCP TO lbrown_dvowner;
GRANT EXECUTE ON UTL_SMTP TO lbrown_dvowner;
GRANT EXECUTE ON UTL_MAIL TO lbrown_dvowner;
GRANT EXECUTE ON DBMS_NETWORK_ACL_ADMIN TO lbrown_dvowner;

    The UTL_TCP, UTL_SMTP, UTL_MAIL, and DBMS_NETWORK_ACL_ADMIN PL/SQL packages will be used by the email security alert that you create.

  2. Connect to SQL*Plus as the DV_OWNER user.

    For example:

    CONNECT lbrown_dvowner
Enter password: password

  3. Create the following procedure:

    CREATE OR REPLACE PROCEDURE email_alert AS
msg varchar2(20000) := 'Realm violation occurred for the ALTER TABLE Command Security Policy rule set. The time is: '; 
BEGIN
  msg := msg||to_char(SYSDATE, 'Day DD MON, YYYY HH24:MI:SS'); 
UTL_MAIL.SEND (
    sender      => 'youremail@example.com',
    recipients  => 'recipientemail@example.com',
    subject     => 'Table modification attempted outside maintenance!',
    message     => msg); 
END email_alert;
/

    Replace youremail@example.com with your email address, and recipientemail@example.com with the email address of the person you want to receive the notification.

  4. Grant the EXECUTE permission on this procedure to DVSYS.

    GRANT EXECUTE ON email_alert TO DVSYS;

Step 3: Configure an Access Control List File for Network Services

Before you can use PL/SQL network utility packages such as UTL_MAIL, you must configure an access control list (ACL) file that enables fine-grained access to external network services. For detailed information about this topic, see Oracle Database Security Guide.

To configure an access control list for the email alert:

  1. As the DV_OWNER user, in SQL*Plus, create the following access control list and its privilege definitions.

    BEGIN
 DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
  acl          => 'mail_server_permissions.xml', 
  description  => 'Enables network permissions for the mail server',
  principal    => 'LBROWN_DVOWNER',
  is_grant     => TRUE, 
  privilege    => 'connect');
END;
/

    Ensure that you enter your exact user name for the principal setting, in upper-case letters. For this tutorial, enter the name of the Database Vault Owner account (for example, LBROWN_DVOWNER).

  2. Assign the access control list to the outgoing SMTP network host for your email server.

    BEGIN
 DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
  acl         => 'mail_server_permissions.xml',
  host        => 'SMTP_OUT_SERVER_setting', 
  lower_port  => port); 
END;
/

    In this example:

    • SMTP_OUT_SERVER_setting: Enter the SMTP_OUT_SERVER setting that you set for the SMTP_OUT_SERVER parameter in "Step 1: Install and Configure the UTL_MAIL PL/SQL Package". This setting should match exactly the setting that your email tool specifies for its outgoing server.

    • port: Enter the port number that your email tool specifies for its outgoing server. Typically, this setting is 25. Enter this value for both the lower_port and upper_port settings. (Currently, the UTL_MAIL package does not support SSL. If your mail server is an SSL server, then enter 25 for the port number, even if the mail server uses a different port number.)

  3. Commit your changes to the database.

    COMMIT;

  4. Test the settings that you have created so far.

    EXEC EMAIL_ALERT;
COMMIT;

    SQL*Plus should display a PL/SQL procedure successfully completed message, and in a moment, depending on the speed of your email server, you should receive the email alert.

    If you receive an ORA-24247: network access denied by access control list (ACL) error followed by ORA-06512: at stringline string errors, then check the settings in the access control list file.

Step 4: Create a Rule Set and a Command Rule to Use the Email Security Alert

  1. As the DV_OWNER user, create the following rule set:

    BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE_SET(
  rule_set_name    => 'ALTER TABLE Command Security Policy', 
  description      => 'This rule set allows ALTER TABLE only during the 
                       maintenance period.', 
  enabled          => 'Y',
  eval_options     => 1,
  audit_options    => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,,
  fail_options     => DBMS_MACUTL.G_RULESET_FAIL_SILENT,
  fail_message     => '',
  fail_code        => NULL,
  handler_options  => DBMS_MACUTL.G_RULESET_HANDLER_FAIL,
  handler          => 'dbavowner.email_alert');
END;
/

  2. Create a rule similar to the following.

    For now, set the rule expression to be during the time you test it. For example, if you want to test it between 2 p.m. and 3 p.m., create the rule as follows:

    BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name  => 'Restrict Access to Maintenance Period', 
  rule_expr  => 'TO_CHAR(SYSDATE,''HH24'') BETWEEN ''14'' AND ''15''');
END;
/

    Ensure that you use two single quotation marks instead of double quotation marks for HH24, 14, and 15.

    You can check the system time on your computer by issuing the following SQL statement:

    SELECT TO_CHAR(SYSDATE,'HH24') FROM DUAL;

    Output similar to the following appears:

    TO
--
14

    Later on, when you are satisfied that the rule works, you can update it to a time when your site typically performs maintenance work (for example, between 7 p.m. and 10 p.m), as follows:

    BEGIN
 DVSYS.DBMS_MACADM.UPDATE_RULE(
  rule_name  => 'Restrict Access to Maintenance Period', 
  rule_expr  => 'TO_CHAR(SYSDATE,''HH24'') BETWEEN ''19'' AND ''22''');
END;
/

  3. Add the Restrict Access to Maintenance Period rule to the ALTER TABLE Command Security Policy rule set.

    BEGIN
 DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name => 'ALTER TABLE Command Security Policy', 
  rule_name     => 'Restrict Access to Maintenance Period'); 
END;
/

  4. Create the following command rule:

    BEGIN
 DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
  command         => 'ALTER TABLE', 
  rule_set_name   => 'ALTER TABLE Command Security Policy', 
  object_owner    => 'SCOTT', 
  object_name     => '%', 
  enabled         => 'Y');
END; 
/

  5. Commit these updates to the database.

    COMMIT;

Step 5: Test the Email Security Alert

  1. Connect to SQL*Plus as user SCOTT.

    For example:

    CONNECT SCOTT
Enter password: password

    If the SCOTT account is locked and expired, then a user with the DV_ACCTMGR role can unlock this account and create a new password as follows:

    ALTER USER SCOTT ACCOUNT UNLOCK IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

  2. As the user SCOTT, create a test table.

    CREATE TABLE mytest (col1 number);

  3. Change the system time on your computer to a time when the ALTER TABLE Command Security Policy rule set takes place (for example, between 2 p.m. and 3 p.m).

    UNIX: Log in as root and use the date command to set the time. For example, assuming the date today is December 14, 2011, you would enter the following:

    su root
Password: password

date --set="14 DEC 2011 14:00:00"

    Windows: Double-click the clock icon, which is typically at the lower right corner of the screen. In the Date and Time Properties window, set the time to 2 p.m., and then click OK.

  4. Try altering the my_test table.

    ALTER TABLE mytest ADD (col2 number);

Table altered.

    SCOTT should be able to alter the mytest table during this time.

  5. Reset the system time to a time outside the Restrict Access to Maintenance Period time.

  6. Log in as SCOTT and try altering the my_test table again.

    CONNECT SCOTT
Enter password: password

ALTER TABLE mytest ADD (col3 number);

    The following output should appear:

    ORA-47400: Command Rule violation for ALTER TABLE on SCOTT.MYTEST

    SCOTT cannot alter the mytest table. In a moment, you should receive an email with the subject header Table modification attempted outside maintenance! and with a message similar to the following:

    Realm violation occurred for the ALTER TABLE Command Security Policy rule set. The time is: Wednesday 06 MAY, 2009 14:24:25

  7. Reset the system time to the correct time.

Step 6: Remove the Components for This Tutorial

  1. Connect to SQL*Plus as the DV_OWNER user, and then in the order shown, drop the Oracle Database Vault rule components.

    EXEC DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('ALTER TABLE Command Security Policy', 'Restrict Access to Maintenance Period');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Restrict Access to Maintenance Period');
EXEC DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE('ALTER TABLE', 'SCOTT', '%');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_SET('ALTER TABLE Command Security Policy');

  2. Drop the email_alert PL/SQL procedure.

    DROP PROCEDURE email_alert;

  3. Remove the access control list.

    EXEC DBMS_NETWORK_ACL_ADMIN.DROP_ACL ('email_alert_permissions.xml');

  4. Connect as user SCOTT and remove the mytest table.

    CONNECT SCOTT
Enter password: password

DROP TABLE mytest;

  5. Connect as SYS using the SYSDBA privilege and then revoke the EXECUTE privilege on the UTL_TCP, UTL_SMTP, and UTL_MAIL PL/SQL packages from the DV_OWNER user.

    For example:

    REVOKE EXECUTE ON UTL_TCP FROM lbrown_dvowner;
REVOKE EXECUTE ON UTL_SMTP FROM lbrown_dvowner;
REVOKE EXECUTE ON UTL_MAIL FROM lbrown_dvowner;
REVOKE EXECUTE ON DBMS_NETWORK_ACL_ADMIN from lbrown_dvowner;

  6. Set the SMTP_OUT_SERVER parameter to its original value.

    For example:

    ALTER SYSTEM SET SMTP_OUT_SERVER="some_value.example.com";

  7. Connect as SYS using the SYSOPER privilege and then restart the database.

    CONNECT SYS/AS SYSOPER
Enter password: password

SHUTDOWN IMMEDIATE
STARTUP

Tutorial: Configuring Two-Person Integrity, or Dual Key Security

This section contains:

About This Tutorial

In this tutorial, you configure a rule set that defines two-person integrity (TPI), also called dual key security, dual key connection, and two-man rule security. In this type of security, two users are required to authorize an action instead of one user. The idea is that one user provides a safety check for the other user before that user can proceed with a task. Two-person integrity provides an additional layer of security for actions that potentially can be dangerous. This type of scenario is often used for tasks such as database patch updates, which is what this tutorial will demonstrate. One user, patch_user must log in to perform a database patch upgrade, but the only way that he can do this is if his manager, patch_boss is already logged in. You will create a function, rules, a rule set, and a command rule to control patch_user's ability to log in.

Step 1: Create Users for This Tutorial

You must create the following two users for this tutorial:

  • patch_boss acts in a supervisory role: If patch_boss is not logged in, then the patch_user user cannot log in.

  • patch_user is the user who is assigned to perform the patch upgrade. However, for this tutorial, user patch_user does not actually perform a patch upgrade. He only attempts to log in.

To create the users:

  1. Connect to SQL*Plus as a user who has been granted the DV_ACCTMGR role.

    For example:

    CONNECT amalcolm_dvacctmgr
Enter password: password

  2. Create the following users.

    CREATE USER patch_boss IDENTIFIED BY password;
CREATE USER patch_user IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

  3. Connect as user SYS with the SYSDBA privilege and grant privileges to the patch_boss and patch_user users.

    CONNECT SYS AS SYSDBA
Enter password: password

GRANT CREATE SESSION TO patch_boss, patch_user;

  4. Grant the following privileges to the DV_OWNER or DV_ADMIN user.

    For example:

    GRANT CREATE PROCEDURE TO lbrown_dvowner;
GRANT SELECT ON V_$SESSION TO lbrown_dvowner;

    The V_$SESSION table is the underlying table for the V$SESSION dynamic view.

In a real-world scenario, you also would log in as the DV_OWNER user and grant the DV_PATCH_ADMIN role to user patch_user (but not to patch_boss). But because you are not really going to perform a database patch upgrade in this tutorial, you do not need to grant this role to user patch_user.

Step 2: Create a Function to Check if User patch_boss Is Logged In

The function that you must create, check_boss_logged_in, does just that: When user patch_user tries to log in to SQL*Plus, it checks if user patch_boss is already logged in by querying the V$SESSION data dictionary view.

To create the check_boss_logged_in function:

  1. As the DV_OWNER or DV_ADMIN user, create the check_boss_logged_in function as follows:

    CREATE OR REPLACE FUNCTION check_boss_logged_in
return varchar2
authid definer as 
 
v_session_number number := 0;
v_allow varchar2(10)    := 'TRUE';
v_deny varchar2(10)     := 'FALSE';
 
BEGIN
  SELECT COUNT(*) INTO v_session_number
  FROM SYS.V_$SESSION
  WHERE USERNAME = 'PATCH_BOSS'; -- Enter the user name in capital letters.
 
 IF v_session_number > 0
  THEN RETURN v_allow;
 ELSE
  RETURN v_deny;
 END IF;
END check_boss_logged_in;
/

  2. Grant the EXECUTE privilege on the check_boss_logged_in function to the DVSYS schema.

    GRANT EXECUTE ON check_boss_logged_in to DVSYS;

Step 3: Create Rules, a Rule Set, and a Command Rule to Control the Users' Access

Next, you must create two rules, a rule set to which you will add them, and a command rule. The rule set triggers the check_boss_logged_in function when user patch_user tries to logs in to the database.

To create the rules and rule set:

  1. Connect as a user who has been granted the DV_OWNER or DV_ADMIN role.

    For example:

    CONNECT lbrown_dvowner
Enter password: password

  2. Create the Check if Boss Is Logged In rule, which checks that the patch_user user is logged in to the database. In the definition, replace lbrown_dvowner with the name of the DVOWNER or DV_ADMIN user who created the check_boss_logged_in function.

    If the check_boss_logged_in function returns TRUE (that is, patch_boss is logged in to another session), then patch_user can log in.

    BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check if Boss Is Logged In',
  rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''PATCH_USER'' and lbrown_dvowner.check_boss_logged_in =  ''TRUE'' ');
END;
/

    Enter the user name, PATCH_USER, in upper-case letters, which is how the SESSION_USER parameter stores it.

  3. Create the Allow Connect for Other Database Users rule, which ensures that the user logged in (patch_user) is not user patch_boss. It also enables all other valid users to log in.

    BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Allow Connect for Other Database Users',
  rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''PATCH_USER''');
END;
/
COMMIT;

  4. Create the Dual Connect for Boss and Patch rule set, and then add the two rules to it.

    BEGIN
     DVSYS.DBMS_MACADM.CREATE_RULE_SET(
     rule_set_name => 'Dual Connect for Boss and Patch',
     description => 'Checks if both boss and patch users are logged in.',
     enabled           => 'Y',
     eval_options      => 2,
     audit_options     => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
     fail_options      => DBMS_MACUTL.G_RULESET_FAIL_SILENT,
     fail_message      =>'',
     fail_code         => NULL,
     handler_options   => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
     handler           => ''
     );
END;
/

BEGIN
     DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
     rule_set_name     => 'Dual Connect for Boss and Patch',
     rule_name         => 'Check if Boss Is Logged In'
   );
END;
/

BEGIN
     DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
     rule_set_name     => 'Dual Connect for Boss and Patch',
     rule_name         => 'Allow Connect for Other Database Users'
   );
END;
/

  5. Create the following CONNECT command rule, which permits user patch_user to connect to the database only if patch_boss is already logged in.

    BEGIN
   DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
   command             => 'CONNECT',
    rule_set_name      => 'Dual Connect for Boss and Patch',
    object_owner       => '%',
    object_name        => '%',
    enabled            => 'Y');
END;
/
COMMIT;

Step 4: Test the Users' Access

  1. Exit SQL*Plus.

    EXIT

  2. Create a second shell, for example:

    xterm &

  3. In the first shell, try to log in as user patch_user.

    sqlplus patch_user
Enter password: password

ERROR:
ORA-47400: Command Rule violation for CONNECT on LOGON

Enter user-name:

    User patch_user cannot log in until user patch_boss is already logged in. (Do not try the Enter user-name prompt yet.)

  4. In the second shell, log in as user patch_boss.

    sqlplus patch_boss
Enter password: password
Connected.

    User patch_boss can log in.

  5. Go back to the first shell, and then try logging in as user patch_user again.

    Enter user_name: patch_user
Enter password: password

    This time, user patch_user is deemed a valid user, so now he can log in.

Step 5: Remove the Components for This Tutorial

  1. In the session for the user patch_boss, exit SQL*Plus and then close the shell.

    EXIT

  2. In the first shell, connect the DV_ACCTMGR user and remove the users you created.

    CONNECT amalcolm_dvacctmgr
Enter password: password

DROP USER patch_boss;
DROP USER patch_user;

  3. Connect as user SYS with the SYSDBA privilege and revoke the privileges that you had granted to the DV_OWNER or DV_ADMIN user.

    CONNECT SYS AS SYSDBA
Enter password: password

REVOKE CREATE PROCEDURE FROM lbrown_dvowner;
REVOKE SELECT ON V_$SESSION FROM lbrown_dvowner;

  4. Connect as the DV_OWNER or DV_ADMIN user and drop the rules, rule set, and command rule, in the order shown.

    CONNECT lbrown_dvowner
Enter password: password

DROP FUNCTION check_boss_logged_in;
EXEC DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE('CONNECT', '%', '%');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('Dual Connect for Boss and Patch', 'Check if Boss Is Logged In');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('Dual Connect for Boss and Patch', 'Allow Connect for Other Database Users');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Check if Boss Is Logged In');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Allow Connect for Other Database Users');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_SET('Dual Connect for Boss and Patch');
COMMIT;

Guidelines for Designing Rule Sets

Follow these guidelines for designing rule sets:

How Rule Sets Affect Performance

In general, the more rules and more complex the rules, the more performance overhead the performance for execution of certain operations governed by these rule sets. For example, if you have a very large number of rules in a rule set governing a SELECT statement, performance could degrade significantly.

If you have rule sets that require many rules, performance improves if you move all the rules to logic defined in a single PL/SQL standalone or package function. However, if a rule is used by other rule sets, there is little performance effect on your system.

If possible, consider setting the rule set to use static evaluation, assuming this is compatible with the associated command rule's usage. See "Guidelines for Designing Rule Sets" for more information.

You can check system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Database Control, which is installed by default with Oracle Database), Statspack, and TKPROF. For more information about Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation set. For information about Database Control, refer to its online Help. Oracle Database Performance Tuning Guide describes the Statspack and TKPROF utilities.

Related Reports and Data Dictionary Views

Table 5-1 lists Oracle Database Vault reports that are useful for analyzing rule sets and the rules within them. See Chapter 17, "Oracle Database Vault Reports," for information about how to run these reports.

Table 5-1 Reports Related to Rule Sets

ReportDescription

"Rule Set Configuration Issues Report"

Lists rule sets that have no rules defined or enabled

"Secure Application Configuration Issues Report"

Lists secure application roles that have incomplete or disabled rule sets

"Command Rule Configuration Issues Report"

Lists rule sets that are incomplete or disabled


Table 5-2 lists data dictionary views that provide information about existing rules and rule sets.

Table 5-2 Data Dictionary Views Used for Rules and Rule Sets

Data Dictionary ViewDescription

"DBA_DV_RULE View"

Lists the rules that have been defined

"DBA_DV_RULE_SET View"

Lists the rules sets that have been created

"DBA_DV_RULE_SET_RULE View"

Lists rules that are associated with existing rule sets


PK3gCf?#0#PK)AOEBPS/dv_impact.htmX What to Expect After You Install Oracle Database Vault

2 What to Expect After You Install Oracle Database Vault

This chapter contains:


See Also:

Appendix D, "Oracle Database Vault Security Guidelines," for guidelines on managing security in the Oracle Database configuration

Initialization and Password Parameter Settings That Change

When you install Oracle Database Vault, the installation process modifies several database initialization parameter settings to better secure your database configuration. If these changes adversely affect your organizational processes or database maintenance procedures, then contact Oracle Support for help in resolving the issue.

Table 2-1 describes the initialization parameter settings that Oracle Database Vault modifies. Initialization parameters are stored in the init.ora initialization parameter file, located in $ORACLE_HOME/srvm/admin. For more information about this file, see Oracle Database Administrator's Guide.

Table 2-1 Modified Database Initialization Parameter Settings

ParameterDefault Value in DatabaseNew Value Set by Database VaultImpact of the Change

AUDIT_SYS_OPERATIONS

FALSE

TRUE

Enables the auditing of top-level operations directly issued by user SYS, and users connecting with SYSDBA or SYSOPER privilege.

For more information about AUDIT_SYS_OPERATIONS, see Oracle Database Reference.

OS_ROLES

Not configured.

FALSE

Disables the operating system to completely manage the granting and revoking of roles to users. Any previous grants of roles to users using GRANT statements do not change, because they are still listed in the data dictionary. Only the role grants made at the operating system-level to users apply. Users can still grant privileges to roles and users.

For more information about OS_ROLES, see Oracle Database SQL Language Reference.

RECYCLEBIN

ON

OFF

Controls whether the Flashback Drop feature is turned on or off. If RECYCLEBIN is set to OFF, then dropped tables do not go into the recycle bin. If it is set to ON, then dropped tables go into the recycle bin, which means that they can be recovered.

See Also:

REMOTE_LOGIN_PASSWORDFILE

EXCLUSIVE

EXCLUSIVE

Specifies whether Oracle Database checks for a password file. The EXCLUSIVE setting enforces the use of the password file, if you installed Oracle Database Vault into a database where REMOTE_LOGIN_PASSWORDFILE is not set to EXCLUSIVE.

For more information about REMOTE_LOGIN_PASSWORDFILE, see Oracle Database Reference.

SQL92_SECURITY

FALSE

TRUE

Ensures that users have been granted the SELECT object privilege to execute such UPDATE or DELETE statements.

For more information about SQL92_SECURITY, see Oracle Database SQL Language Reference.


How Oracle Database Vault Restricts User Authorizations

During installation of Oracle Database Vault, the installer prompts for several additional database account names. In addition, several database roles are created. These accounts are part of the separation of duties provided by Oracle Database Vault. One common audit problem that has affected several large organizations is the unauthorized creation of new database accounts by a database administrator within a production instance. Upon installation, Oracle Database Vault prevents anyone other than the Oracle Database Vault account manager or a user granted the Oracle Database Vault account manager role from creating users in the database.

For guidelines on managing separation of duty, see "Separation of Duty Guidelines".

Using New Database Roles to Enforce Separation of Duties

To meet regulatory, privacy and other compliance requirements, Oracle Database Vault implements the concept of separation of duty. Oracle Database Vault makes clear separation between the account management responsibility, data security responsibility, and database resource management responsibility inside the database. This means that the concept of a superprivileged user (for example, DBA) is divided among several new database roles to ensure no one user has full control over both the data and configuration of the system. Oracle Database Vault prevents the SYS user and other accounts with the DBA role and other system privileges from designated protected areas of the database called realms. It also introduces new database roles called the Oracle Database Vault Owner (DV_OWNER) and the Oracle Database Vault Account Manager (DV_ACCTMGR). These new database roles separate the data security and the account management from the traditional DBA role. You should map these roles to distinct security professionals within your organization.


See Also:


Privileges That Are Revoked or Prevented from Existing Users and Roles

When you install Oracle Database Vault, it revokes a set of privileges from several Oracle Database-supplied roles, as part of the separation of duty enhancement.

Table 2-2 lists privileges that Oracle Database Vault revokes from existing users and roles. Be aware that if you disable Oracle Database Vault, these privileges remain revoked. If your applications depend on these privileges, then grant them to application owner directly.

Table 2-2 Privileges Oracle Database Vault Revokes

User or RolePrivilege That Is Revoked

DBA role

  • BECOME USER

  • SELECT ANY TRANSACTION

  • CREATE ANY JOB

  • CREATE EXTERNAL JOB

  • EXECUTE ANY PROGRAM

  • EXECUTE ANY CLASS

  • MANAGE SCHEDULER

  • DEQUEUE ANY QUEUE

  • ENQUEUE ANY QUEUE

  • MANAGE ANY QUEUE

IMP_FULL_DATABASE roleFoot 1 

  • BECOME USER

  • MANAGE ANY QUEUE

EXECUTE_CATALOG_ROLE role

  • EXECUTE ON DBMS_LOGMNR

  • EXECUTE ON DBMS_LOGMNR_D

  • EXECUTE ON DBMS_LOGMNR_LOGREP_DICT

  • EXECUTE ON DBMS_LOGMNR_SESSION

  • EXECUTE ON DBMS_FILE_TRANSFER

PUBLIC user

  • EXECUTE ON UTL_FILE

SCHEDULER_ADMIN roleFoot 2 

  • CREATE ANY JOB

  • CREATE EXTERNAL JOB

  • EXECUTE ANY PROGRAM

  • EXECUTE ANY CLASS

  • MANAGE SCHEDULER


Footnote 1 To authorize users to export and import data using Oracle Data Pump, see "Using Oracle Data Pump in an Oracle Database Vault Environment".

Footnote 2 To authorize users to schedule database jobs, see "Scheduling Database Jobs in an Oracle Database Vault Environment".

Table 2-3 lists privileges that Oracle Database Vault prevents. When Oracle Database Vault is enabled, users who have the Database Vault Account Manager role (DV_ACCTMGR) have the privileges listed in this table. If you disable Oracle Database Vault, users SYS and SYSTEM have these privileges.

Table 2-3 Privileges Oracle Database Vault Prevents

User or RolePrivilege That Is Prevented

SYS userFoot 1 

  • ALTER PROFILE

  • ALTER USER

  • CREATE PROFILE

  • CREATE USER

  • DROP PROFILE

  • DROP USER

SYSTEM user

  • ALTER PROFILE

  • ALTER USER

  • CREATE PROFILE

  • CREATE USER

  • DROP PROFILE

  • DROP USER


Footnote 1 For better security and to maintain separation-of-duty standards, do not enable SYS or SYSTEM users the ability to create or manage user accounts.


Note:

Both the SYS and SYSTEM users retain the SELECT privilege for the DBA_USERS_WITH_DEFPWD data dictionary view, which lists user accounts that use default passwords. If you want other users to have access to this view, grant them the SELECT privilege on it.


See Also:


How Oracle Database Vault Affects Oracle Database Auditing

This section contains:

AUD$ Table Moved from SYS to the SYSTEM Schema

In an Oracle Database Vault environment, when Oracle Label Security is enabled, the AUD$ table is moved from the SYS schema to the SYSTEM schema. The synonym SYS.AUD$ is created to refer to the SYSTEM.AUD$ table.


Tip:

For greater security, create a realm around the SYSTEM.AUD$ and SYS.FGA_LOG$ tables. See Chapter 4, "Configuring Realms," for more information about realms.

Modified AUDIT Statement Settings

When you install Oracle Database Vault, it configures several AUDIT statement settings in the database. See "Oracle Database Audit Settings Created for Oracle Database Vault" for more information.

PK΄/ XXPK)AOEBPS/cover.htmO Cover

Oracle Corporation

PK[pTOPK)AOEBPS/whatsnew.htmAK What's New in Oracle Database Vault?

What's New in Oracle Database Vault?

This section describes new features in Oracle Database Vault for this release of Oracle Database.

This section contains:

New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.3)

This section contains:

New Role to Support the XStream in an Oracle Database Vault Environment

Users who want to use XStream in an Oracle Database Vault environment must now be granted the DV_XSTREAM_ADMIN role.

See "DV_XSTREAM_ADMIN XStream Administrative Role" for more information.

New Roles to Support Oracle GoldenGate in an Oracle Database Vault Environment

Users who want to use Oracle GoldenGate in an Oracle Database Vault environment must be granted one of the following roles, depending on how they plan to use Oracle GoldenGate:

See the following sections for more information:

Deprecation of Database Vault Configuration Assistant

Database Vault Configuration Assistant (DVCA) has been deprecated starting with this release. The functionality for DVCA to add languages to Database Vault has been replaced with the DVSYS.DBMS_MACADM.ADD_NLS_DATA procedure.

See "Adding Languages to Oracle Database Vault" for more information.

Changed Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.2)

This section contains:

Desupport for the Oracle Data Pump EXP and IMP Utilities

Starting with this release, the Oracle Data Pump EXP and IMP utilities cannot be used in an Oracle Database Vault environment.

See "Using Oracle Data Pump in an Oracle Database Vault Environment" for more information about using Oracle Data Pump with Oracle Database Vault.

New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.2)

This section contains:

DBMS_MACADM Procedures Now Use Previous Values for Defaults

Default settings for some of the values for the following DVSYS.DBMS_MACADM PL/SQL package procedures are now based on their previous settings:

For example, suppose you created or updated a realm to have realm checking enabled. When you use the DVSYS.DBMS_MACADM.UPDATE_REALM procedure to modify the realm, the enabled parameter default is set to enable realm checking.

For more information, see Chapter 12, "Using the DVSYS.DBMS_MACADM Package."

New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.1)

This section contains:

Integration with Oracle Enterprise Manager

You now can perform a set of Oracle Database Vault functions from both Oracle Database Enterprise Manager Database Control Release 11.2 and Grid Control Release 10.2.0.5. This integration also applies to Releases 9.2.0.8, 10.2.0.4, and 11.1.0.7 of Oracle Database Vault.

From Database Control, you now can perform the following tasks:

From Grid Control, you can perform these tasks:

See the following sections for more information:

Oracle Data Pump Support

Oracle Data Pump users now can export and import data in an Oracle Database Vault environment.

See "Using Oracle Data Pump in an Oracle Database Vault Environment" for more information.

Oracle Database Job Scheduler Support

Users who are responsible for scheduling database jobs now can do so in an Oracle Database Vault environment.

See "Scheduling Database Jobs in an Oracle Database Vault Environment" for more information.

Additional Oracle Database Vault Roles

Oracle Database Vault includes the following new roles:

See the following sections for more information:

Additional Default Rule Sets

Oracle Database Vault now provides the following additional rule sets:

See "Default Rule Sets" for more information.

Expanded Range for Fail Codes Used for Rule Set Creation

You are no longer restricted to negative numbers when you specify a fail code for the creation of a rule set. You can enter a number the ranges of -20999 to -20000 or 20000 to 20999.

See "Error Handling Options" for more information.

Changes to Oracle Database Vault PL/SQL Packages

The DBMS_MACADM and DBMS_MACSEC_ROLES PL/SQL packages have changed as follows:

Changes to Database Vault Configuration Assistant

Database Vault Configuration Assistant (DVCA) has the following changes:

Support for Oracle Recovery Manager

You now can use Oracle Recovery Manager (RMAN) in an Oracle Database Vault environment.

See "Using Oracle Database Vault with Oracle Recovery Manager".

SYS Control of EXECUTE Privilege for the DBMS_RLS PL/SQL Package

In previous releases of Oracle Database Vault, the SYS user was prevented from granting or revoking the EXECUTE privilege on the DBMS_RLS PL/SQL package to other users. Starting with this release, user SYS can resume granting and revoking EXECUTE on DBMS_RLS to other users.

Stronger Protection for the DVSYS Schema

To keep DVSYS as a protected schema, you can no longer drop its objects, even if the recycle bin is disabled. For better security for other realms, you should disable the recycle bin.

See "Security Considerations for the Recycle Bin".

OS_AUTHENT_PREFIX Parameter No Longer Modified

Oracle Database Vault no longer modifies the OS_AUTHENT_PREFIX initialization parameter during installation. The default value for the OS_AUTHENT_PREFIX parameter is OPS$.

See Oracle Database Reference for more information about this parameter.

NOSYSDBA Parameter of ORAPWD Deprecated

The NOSYSDBA parameter of the ORAPWD utility has been deprecated in this release. It is no longer necessary in Oracle Database Vault. As part of this deprecation, the lockout parameter of the DVCA utility has been deprecated as well.

PKy$AAAPK)AOEBPS/title.htm^ Oracle Database Vault Administrator's Guide 11g Release 2 (11.2)

Oracle® Database Vault

Administrator's Guide

11g Release 2 (11.2)

E23090-05

March 2012

Oracle Database Vault Administrator's Guide 11g Release 2 (11.2)

E23090-05

Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.

Primary Author:  Patricia Huey

Contributors:  Priya Badnar, Tammy Bednar, Tom Best, Ji-won Byun, Ben Chang, Martin Cheng, Chi Ching Chui, Scott Gaetjen, Viksit Gaur, Lijie Heng, Sumit Jeloka, Dominique Jeunot, Terri Keller, Peter Knaggs, Chon Lee, Frank Lee, Paul Needham, Deborah Owens, Yi Ouyang, Hozefa Palitanawala, Robert Pang, Rupa Parameswaran, Gayathri Sairamkrishnan, Vipin Samar, Javed Samuel, James Spiller, Ashwini Supur, Srividya Tata, Kamal Tbeileh, Sudheesh Varma, Peter Wahl, Rodney Ward, Daniel Wong, Aravind Yalamanchi

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

PK;iPK)A OEBPS/loe.htmK List of Examples

List of Examples

PKFܻP K PK)AOEBPS/getting_started.htm Getting Started with Oracle Database Vault

3 Getting Started with Oracle Database Vault

This chapter contains:

Starting Oracle Database Vault

This section describes how to start Oracle Database Vault Administrator. This section contains:

Accessing the Oracle Database Vault Pages from Oracle Enterprise Manager

This section contains:

Accessing Oracle Database Vault Pages from Database Control

From Database Control, you can use the Oracle Database Vault pages to monitor a Database Vault-enabled database and view Database Vault reports.

However, you cannot create policies or perform other Database Vault Administrator-related actions from Database Control. If you want to perform these tasks, use Database Vault Administrator, described under "Starting Oracle Database Vault Administrator". If you want to propagate Database Vault policies to other Database Vault-enabled databases, see "Accessing Oracle Database Vault Pages from Grid Control".

To access the Oracle Database Vault pages from Database Control:

  1. If necessary, register Oracle Database Vault.

    If you have just installed Oracle Database Vault, you must register it with the database. See "Registering (Enabling) Oracle Database Vault" for more information.

  2. Start Database Control.

    For example:

    https://myserver.example.com:1158/em

    See Oracle Database 2 Day DBA for more information on logging in to Oracle Enterprise Manager.

  3. Log in to Database Control with the following information:

    • Username: Enter the name of a user who has been granted the appropriate Oracle Database Vault role:

      • Creating and propagating Database Vault policies: DV_OWNER or DV_ADMIN

      • Viewing Database Vault alerts and reports: DV_OWNER, DV_ADMIN, or DV_SECANALYST

      • Creating and managing user accounts and roles: DV_ACCTMGR

      The Oracle Database Vault roles do not need any additional privileges (such as SELECT ANY DICTIONARY) to use Database Control.

      See "About Oracle Database Vault Roles" for more information about these roles.

    • Password: Enter your password.

    • Connect As: Select Normal from the list.

    • Save as Preferred Credential check box: Select this check box if you want these credentials to be automatically filled in for you the next time that this page appears

  4. In the Home page, click Server to display the Server subpage.

  5. Under Security, select Database Vault.

    The Oracle Database Vault home page appears.

Accessing Oracle Database Vault Pages from Grid Control

From Grid Control, you can use the Oracle Database Vault pages to propagate Database Vault policies to other Database Vault-protected databases, administer and monitor Database Vault-protected databases from a centralized console, automate alerts, and view Database Vault reports.

However, you cannot create policies or perform other Database Vault Administrator-related actions from Grid Control. If you want to perform these tasks, use Database Vault Administrator, described under "Starting Oracle Database Vault Administrator".

To access the Oracle Database Vault pages from Grid Control:

  1. Ensure that you have configured the Grid Control target databases that you plan to use with Database Vault.

    See the Oracle Enterprise Manager online help and Oracle Enterprise Manager Advanced Configuration for more information about configuring target databases.

  2. If necessary, register Oracle Database Vault.

    If you have just installed Oracle Database Vault, you must register it with the database. See "Registering (Enabling) Oracle Database Vault" for more information.

  3. Start Grid Control.

    For example:

    https://myserver.example.com:1158/em

    See Oracle Database 2 Day DBA for more information on logging in to Oracle Enterprise Manager.

  4. Log in to Oracle Enterprise Manager as user SYSMAN and connect as Normal.

  5. In the Oracle Enterprise Manager Database Home page (Database Home page), select the Targets subpage.

  6. Select the Databases subpage.

  7. In the Databases page, select the link for the Oracle Database Vault-protected database to which you want to connect.

    The home page for the database instance appears.

  8. In the Home page, click Server to display the Server subpage.

  9. Under Security, select Database Vault.

    The Database Login page appears.

  10. Enter the following information:

    • Username: Enter the name of a user who has been granted the appropriate Oracle Database Vault role:

      • Creating and propagating Database Vault policies: DV_OWNER or DV_ADMIN

      • Viewing Database Vault alerts and reports: DV_OWNER, DV_ADMIN, or DV_SECANALYST

      • Creating and managing user accounts and roles: DV_ACCTMGR

      The Oracle Database Vault roles do not need any additional privileges (such as SELECT ANY DICTIONARY) to use Grid Control.

      See "About Oracle Database Vault Roles" for more information.

    • Password: Enter your password.

    • Connect As: Select Normal from the list.

    • Save as Preferred Credential check box: Select this check box if you want these credentials to be automatically filled in for you the next time that this page appears

  11. Click the Login button.

    The Database Vault home page appears.


See Also:

"Using Oracle Database Vault with Oracle Enterprise Manager"

Starting Oracle Database Vault Administrator

If you are not using Oracle Enterprise Manager Database Control or Grid Control, or if you want to connect to Oracle Database Vault from a different computer, follow these steps to start Oracle Database Vault Administrator.

  1. If necessary, register Oracle Database Vault.

    If you have just installed Oracle Database Vault, you must register it with the database. See "Registering (Enabling) Oracle Database Vault" for more information.

  2. From a browser, enter the following URL:

    https://host_name:port/dva

    In this specification:

    • host_name: The server where you installed Oracle Database Vault

    • port: The Oracle Enterprise Manager Console HTTPS port number

    For example:

    https://myserver:1158/dva

    If you are unsure of the port number, open the $ORACLE_HOME/host_sid/sysman/config/emd.properties file and search for REPOSITORY_URL. In most cases, the host name and port number are the same as Oracle Enterprise Database Control.

    If you cannot start Oracle Database Vault Administrator, check that the Oracle database console process is running.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:

      ./emctl status dbconsole

      If you must start the dbconsole process, then run the following command:

      ./emctl start dbconsole

    • Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. If necessary, select Start from the menu to start the database console.

    Log files for the database are in the following directory:

    $ORACLE_HOME/sysman/log

  3. Log in by using the Oracle Database Vault Owner account that you created during installation.

    To log in, you must enter the full connect string. This enables you to manage multiple Oracle Database instances with Oracle Database Vault.

    By default, you cannot log in to Oracle Database Vault Administrator by using the SYS, SYSTEM, or other administrative accounts. You can log in if you have the DV_ADMIN or DV_OWNER roles.

    Enter the following values:

    • User Name: Enter the name of a user who has been granted the appropriate Oracle Database Vault role:

      • Creating and managing Database Vault policies: DV_OWNER or DV_ADMIN

      • Viewing Database Vault reports: DV_OWNER, DV_ADMIN, or DV_SECANALYST

      • Creating and managing user accounts and roles: DV_ACCTMGR

      See "About Oracle Database Vault Roles" for more information.

    • Password: Enter your password.

    • Host: Enter the host name of the computer of the Oracle Database Vault installation you want. Use the following format:

      server.domain

      For example:

      myserver-pc.us.example.com

    • Port: Enter the port number for Oracle Database. The default port number is 1521. If you are unsure of the port number, check the tnsnames.ora file.

      For example:

      1521

    • SID/Service: Select either SID or Service. You can find these values in the tnsnames.ora file. By default, this file is located in $ORACLE_HOME/network/admin.

      • SID: Enter the name of the Oracle Database instance. For example:

        orcl

      • Service: Enter the service name of the database instance, in the following format:

        service_name.domain

        For example:

        orcl.us.example.com

Figure 3-1 shows the Oracle Database Vault Administrator home page, which appears after you log in.

Figure 3-1 Oracle Database Vault Administrator Home Page

Database Vault Home page
Description of "Figure 3-1 Oracle Database Vault Administrator Home Page"

Quick Start Tutorial: Securing a Schema from DBA Access

This section contains:

About This Tutorial

In this tutorial, you create a simple security configuration for the HR sample database schema. In the HR schema, the EMPLOYEES table has information such as salaries that should be hidden from most employees in the company, including those with administrative access. To accomplish this, you add the HR schema to the secured objects of the protection zone, which in Oracle Database Vault is called a realm, inside the database. Then you grant limited authorizations to this realm. Afterward, you test the realm to make sure it has been properly secured. And finally, to see how Oracle Database Vault provides an audit trail on suspicious activities like the one you will try when you test the realm, you will run a report.

Before you can use this tutorial, ensure that the HR sample schema is installed. See Oracle Database Sample Schemas for information on installing the sample schemas.

Step 1: Adding the SYSTEM User to the Data Dictionary Realm

In this tutorial, the SYSTEM user grants the ANY privilege to a new user account, SEBASTIAN. To do this, you must include SYSTEM in the Oracle Data Dictionary realm.

To include SYSTEM in the Oracle Data Dictionary realm:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, under Database Vault Feature Administration, click Realms.

  3. In the Realms page, select Oracle Data Dictionary from the list and then click Edit.

  4. In the Edit Realm: Oracle Data Dictionary page, under Realm Authorizations, click Create.

  5. In the Create Realm Authorization Page, from the Grantee list, select SYSTEM [USER].

  6. For Authorization Type, select Owner.

  7. Leave Authorization Rule Set at <Non Selected>.

  8. Click OK.

    In the Edit Realm: Oracle Data Dictionary page, SYSTEM should be listed as an owner under the Realm Authorizations.

  9. Click OK to return to the Realms page.

  10. To return to the Administration page, click the Database Instance instance_name link over Realms.

Step 2: Log On as SYSTEM to Access the HR Schema

Log in to SQL*Plus as user SYSTEM and access the HR schema.

sqlplus system
Enter password: password

SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10;

Output similar to the following appears:

FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Donald               OConnell                        2600
Douglas              Grant                           2600
Jennifer             Whalen                          4400
Michael              Hartstein                      13000
Pat                  Fay                             6000
Susan                Mavris                          6500
Hermann              Baer                           10000
Shelley              Higgins                        12000
William              Gietz                           8300
 
9 rows selected.

If the HR schema is locked and expired, log in to SQL*Plus as the DV_ACCTMGR user and unlock and unexpire the account. For example:

sqlplus amalcolm_dvacctmgr
Enter password: password

ALTER USER HR ACCOUNT UNLOCK IDENTIFIED BY password

Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

As you can see, SYSTEM has access to the salary information in the EMPLOYEES table of the HR schema. This is because SYSTEM is automatically granted the DBA role, which includes the SELECT ANY TABLE system privilege.

Step 3: Create a Realm

Realms can protect one or more schemas, individual schema objects, and database roles. Once you create a realm, you can create security restrictions that apply to the schemas and their schema objects within the realm. Your first step is to create a realm for the HR schema.

  1. In the Realms page of Oracle Database Vault Administrator, click Create.

  2. In the Create Realm page, under General, enter HR Realm after Name.

  3. After Status, ensure that Enabled is selected so that the realm can be used.

  4. Under Audit Options, ensure that Audit On Failure is selected so that you can create an audit trial later on.

  5. Click OK.

    The Realms Summary page appears, with HR Realm in the list of realms.

Step 4: Secure the EMPLOYEES Table in the HR Schema

At this stage, you are ready to add the EMPLOYEES table in the HR schema to the secured objects of the HR realm.

  1. In the Realms page, select HR Realm from the list and then click Edit.

  2. In the Edit Realm: HR Realm page, scroll to Realm Secured Objects and then click Create.

  3. In the Create Realm Secured Object page, enter the following settings:

    • Object Owner: Select HR from the list.

    • Object Type: Select TABLE from the list

    • Object Name: Enter EMPLOYEES.

  4. Click OK.

  5. In the Edit Realm: HR Realm page, click OK.

Step 5: Create an Authorization for the Realm

At this stage, there are no database accounts or roles authorized to access or otherwise manipulate the database objects the realm will protect. So, the next step is to authorize database accounts or database roles so that they can have access to the schemas within the realm. You will create the SEBASTIAN user account. After you authorize him for the realm, SEBASTIAN can view and modify the EMPLOYEES table.

  1. In SQL*Plus, connect as the Database Vault Account Manager, who has the DV_ACCTMGR role, and create user SEBASTIAN.

    For example:

    CONNECT amalcolm_dvacctmgr
Enter password: password

CREATE USER SEBASTIAN IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

  2. Connect as SYSTEM privilege, and then grant SEBASTIAN the following additional privileges.

    CONNECT SYSTEM
Enter password: password

GRANT CREATE SESSION, SELECT ANY TABLE TO SEBASTIAN;

Do not exit SQL*Plus; you will need it for Step 6: Test the Realm, when you test the realm.

At this stage, even though SEBASTIAN has the SELECT ANY TABLE privilege, he cannot select from the HR.EMPLOYEES table because it is protected by a realm.

Next, authorize user SEBASTIAN to have access to the HR Realm as follows:

  1. In the Realms page of Database Vault Administrator, select the HR Realm in the list of realms, and then click Edit.

  2. In the Edit Realm: HR Realm page, scroll down to Realm Authorizations and then click Create.

  3. In the Create Realm Authorization page, under Grantee, select SEBASTIAN[USER] from the list.

    If SEBASTIAN does not appear in the list, select the Refresh button in your browser.

    SEBASTIAN is the only user who has access to the EMPLOYEES table in the HR schema.

  4. Under Authorization Type, select Participant.

    The Participant authorization allows the user SEBASTIAN in the HR realm to manage access, manipulate, and create objects protected by the HR realm. In this case, the HR user and SEBASTIAN are the only users allowed to view the EMPLOYEES table.

  5. Under Authorization Rule Set, select <Not Assigned>, because rule sets are not needed to govern this realm.

  6. Click OK.

Step 6: Test the Realm

To test the realm, try accessing the EMPLOYEES table as a user other than HR. The SYSTEM account normally has access to all objects in the HR schema, but now that you have safeguarded the EMPLOYEES table with Oracle Database Vault, this is no longer the case.

In SQL*Plus, connect as SYSTEM, and then try accessing the salary information in the EMPLOYEES table again:

sqlplus system
Enter password: password

SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;

The following output should appear:

Error at line 1:
ORA-01031: insufficient privileges

SYSTEM no longer has access to the salary information in the EMPLOYEES table. However, user SEBASTIAN does have access to this information. Try the following:

CONNECT SEBASTIAN
Enter password: password

SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;

Output similar to the following appears:

FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Donald               OConnell                        2600
Douglas              Grant                           2600
Jennifer             Whalen                          4400
Michael              Hartstein                      13000
Pat                  Fay                             6000
Susan                Mavris                          6500
Hermann              Baer                           10000
Shelley              Higgins                        12000
William              Gietz                           8300
 
9 rows selected.

Step 7: Run a Report

Because you enabled auditing on failure for the HR Realm, you can generate a report to find any security violations such as the one you attempted in Step 6: Test the Realm.

  1. In the Oracle Database Vault Administrator home page, click Database Vault Reports.

    Before you can run the report, you must log in using an account that has the DV_OWNER, DV_ADMIN, or DV_SECANALYST role. Note that user SEBASTIAN cannot run the report, even if it affects his own realm. "Oracle Database Vault Roles" describes these roles in detail. Currently, you should be logged in as the Database Vault Owner (DV_OWNER) account.

  2. In the Database Vault Reports page, scroll down to Database Vault Auditing Reports and select Realm Audit.

  3. Click Run Report.

Oracle Database Vault generates a report listing the type of violation (in this case, the SELECT statement entered in the previous section), when and where it occurred, the login account who tried the violation, and what the violation was.

Step 8: Remove the Components for This Tutorial

  1. Remove the SYSTEM account from the Data Dictionary Realm.

    1. Ensure that you are logged on to Oracle Database Vault Administrator using a database account that has been granted the DV_OWNER role.

    2. From the Administration page, select Realms.

    3. From the list of realms, select Oracle Data Dictionary, and then click Edit.

    4. Under Realm Authorizations, select SYSTEM.

    5. Click Remove, and in the Confirmation window, click Yes.

  2. Delete the HR Realm.

    1. In the Realms page, select HR Realm from the list of realms.

    2. Click Remove, and in the Confirmation window, click Yes.

  3. Drop user SEBASTIAN.

    In SQL*Plus, log on as the Oracle Database Vault account manager (for example, amalcolm_dvacctmgr) you created when you installed Oracle Database Vault, and then drop SEBASTIAN as follows:

    sqlplus amalcolm_dvacctmgr
Enter password: password

DROP USER SEBASTIAN;

  4. If necessary, lock and expire the HR account.

    ALTER USER HR ACCOUNT LOCK PASSWORD EXPIRE;
PKٔNhPK)AOEBPS/plsql_interfaces.htm Using the Oracle Database Vault PL/SQL Interfaces

15 Using the Oracle Database Vault PL/SQL Interfaces

This chapter contains:

Oracle Database Vault Run-Time PL/SQL Procedures and Functions

Oracle Database Vault provides a set of procedural interfaces to administer various Database Vault security options and manage Database Vault security enforcements. There are also procedures and functions that expose the logic to validate a DDL command for realm violations and command authorizations. Additional procedures and functions are provided to set the value of a factor (assuming their associated rule sets evaluate to true) (for example, from a Web application), to retrieve the trust level for a session or specific factor identity, and to get the label for a factor identity. These procedures and functions are provided so that a database administrator does not grant the EXECUTE privilege on all DVSYS package procedures to the general database account population. The procedures and functions expose only the minimum methods that are required. All of these functions and procedures are publicly available for applications that need them.

Table 15-1 lists the default run-time PL/SQL procedures and functions.

Table 15-1 DVSYS Functions

Procedure or FunctionParameter

SET_FACTOR Procedure

Sets a factor

GET_FACTOR Function

Retrieves a factor

GET_TRUST_LEVEL Function

Retrieves the trust level assigned to a factor

GET_TRUST_LEVEL_FOR_IDENTITY Function

Retrieves the trust level for a specified factor and an identity

ROLE_IS_ENABLED Function

Checks whether the specified database role is enabled

GET_FACTOR_LABEL Function

Retrieves the label for the specified factor when the factor has a label assigned to it for the specified Oracle Label Security policy


SET_FACTOR Procedure

The SET_FACTOR procedure can be exposed to an application that requires the ability to set factor identities dynamically. It wraps the package procedure DVSYS.DBMS_MACADM.SET_FACTOR. When a factor has a rule set associated with it for assignment and if the rule set returns true, then the value is set. Normal rule set handling occurs, and the factor value (identity) validation method is called. This procedure is available (to execute) to the general database account population.

Syntax

DVSYS.SET_FACTOR(
  p_factor IN VARCHAR2, 
  p_value  IN VARCHAR2);

Parameters

Table 15-2 SET_FACTOR Parameters

ParameterDescription

p_factor

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR data dictionary view, described in "DBA_DV_FACTOR View".

p_value

Identity value, up to 1024 characters in mixed case.

To find the identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY data dictionary view, described in "DBA_DV_IDENTITY View".


Example

EXECUTE DVSYS.SET_FACTOR(''Sector2_ClientID'', ''identity'');

GET_FACTOR Function

The GET_FACTOR function is exposed to the DVF schema to allow the public factor functions to resolve the identity of a factor. This enables the F$ functions in the DVF schema. This function is available (to execute) to the general database account population.

Syntax

DVSYS.GET_FACTOR(
  p_factor IN VARCHAR2)
RETURN VARCHAR2;

Parameter

Table 15-3 GET_FACTOR Parameter

ParameterDescription

p_factor

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR data dictionary view, described in "DBA_DV_FACTOR View".


Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get Client ID Factor Identity',
  rule_expr => 'DVSYS.GET_FACTOR(''Sector2_ClientID'')');
END;
/

GET_TRUST_LEVEL Function

The GET_TRUST_LEVEL function returns the trust level of the current session identity for the factor requested. This function is available (to execute) to the general database account population. See "Creating and Configuring a Factor Identity" for a listing of the available trust levels.

Syntax

DVSYS.GET_TRUST_LEVEL(
  p_factor IN VARCHAR2)
RETURN VARCHAR2;

Parameter

Table 15-4 GET_TRUST_LEVEL Parameter

ParameterDescription

p_factor

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR data dictionary view, described in "DBA_DV_FACTOR View".


Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get Client ID Trust Level',
  rule_expr => 'DVSYS.GET_TRUST_LEVEL(''Sector2_ClientID'')');
END;
/

GET_TRUST_LEVEL_FOR_IDENTITY Function

The GET_TRUST_LEVEL_FOR_IDENTITY function returns the trust level for the factor and identity requested. This function is available (to execute) to the general database account population. See "Creating and Configuring a Factor Identity" for a listing of the available trust levels.

Syntax

DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY(
  p_factor   IN VARCHAR2, 
  p_identity IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 15-5 GET_TRUST_LEVEL_FOR_IDENTITY Parameters

ParameterDescription

p_factor

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

p_identity

Identity value.

To find the identities for each factor in the current database instance, use the DVSYS.DBA_DV_IDENTITY data dictionary view, described in "DBA_DV_IDENTITY View".


Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get Client ID Identity Trust Level',
  rule_expr => 'DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY(''Sector2_ClientID'', ''identity'')');
END;
/

ROLE_IS_ENABLED Function

The ROLE_IS_ENABLED function returns a boolean value that specifies whether a database role has been enabled. This function is available (to execute) to the general database account population.

Syntax

DVSYS.ROLE_IS_ENABLED(
  p_role IN VARCHAR2)
RETURN BOOLEAN;

Parameter

Table 15-6 ROLE_IS_ENABLED Parameter

ParameterDescription

p_role

Database role name to check.

To find existing roles, use the following data dictionary views:


Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check if SYSADM Role Is Enabled',
  rule_expr => 'DVSYS.ROLE_IS_ENABLED(''SYSADM'')');
END;
/

GET_FACTOR_LABEL Function

The GET_FACTOR_LABEL function returns the label for the specified factor when the factor has a label assigned to it for the specified Oracle Label Security policy. The function returns a label that is merged with the maximum session label for the policy if the policy is configured with Oracle Label Security. The function is available (to execute) to the general database population. See "Label Identity" for more information about factor labels.

Syntax

DVSYS.GET_FACTOR_LABEL(
  p_factor      IN VARCHAR2, 
  p_policy_name IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 15-7 GET_FACTOR_LABEL Parameters

ParameterDescription

p_factor

Factor name.

To find the available factors in the current database instance, query the DVSYS.DBA_DV_FACTOR data dictionary view. To find factors that are associated with Oracle Label Security policies, use DVSYS.DBA_DV_MAC_POLICY_FACTOR.

See "DBA_DV_FACTOR View" and "DBA_DV_MAC_POLICY_FACTOR View".

p_policy_name

Oracle Label Security policy name.

Use the following data dictionary views to find information about policies and factors in the current database instance:

  • DVSYS.DBA_DV_MAC_POLICY: Lists Oracle Label Security policies defined in the current database instance. See "DBA_DV_MAC_POLICY View".

  • DVSYS.DBA_DV_MAC_POLICY_FACTOR: Lists the factors that are associated with Oracle Label Security policies for the current database instance. See "DBA_DV_MAC_POLICY_FACTOR View".

  • DVSYS.DBA_DV_POLICY_LABEL: Lists the Oracle Label Security label for each factor identifier in the DVSYS.DBA_DV_IDENTITY view for each policy. See "DBA_DV_POLICY_LABEL View".


Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get the ClientID Factor Label',
  rule_expr => 'DVSYS.GET_FACTOR_LABEL(''Sector2_ClientID'', ''Access Locations'')');
END;
/

Oracle Database Vault PL/SQL Factor Functions

In addition to the functions and procedures made available from the DVSYS schema, the DVF schema contains a single function for each factor defined in the system. Oracle Database Vault maintains these functions when you use the DVSYS.DBMS_MACADM PL/SQL package to manage the various factors. The functions are then available to the general database account population through PL/SQL functions and standard SQL. This enables factors to be used in Oracle Label Security, Oracle Virtual Private Database (VPD), and so on.

Typically, you can incorporate these functions into rule expressions. For example:

BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE(
 rule_name => 'Not Internal DBA',
 rule_expr => 'DVF.F$SESSION_USER NOT IN (''JSMTIH'', ''TBROWN'')');
END;
/

To find the value of a factor function, select from the DUAL system table. For example:

SELECT DVF.F$SESSION_USER FROM DUAL;

F$SESSION_USER
------------------------------------------------
LBROWN_DVOWNER

The name of the factor itself is case-insensitive. For example, the following statements return the same result

select dvf.f$session_user from dual;

SELECT DVF.F$SESSION_USER FROM DUAL;

Table 15-8 lists the default factor functions.

Table 15-8 Installed Oracle Database Vault Factor Functions

DVF Factor FunctionDescription

F$AUTHENTICATION_METHOD Function

Returns the method of authentication in VARCHAR2 data type. In the list that follows, the type of user is followed by the method returned

F$CLIENT_IP Function

Returns the IP address of the computer from which the client is connected

F$DATABASE_DOMAIN Function

Returns the domain of the database as specified in the DB_DOMAIN initialization parameter

F$DATABASE_HOSTNAME Function

Returns the host name of the computer on which the database instance is running

F$DATABASE_INSTANCE Function

Returns the database instance identification number of the current database instance

F$DATABASE_IP Function

Returns the IP address of the computer on which the database instance is running

F$DATABASE_NAME Function

Returns the name of the database as specified in the DB_NAME initialization parameter

F$DOMAIN Function

Returns a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level

F$ENTERPRISE_IDENTITY Function

Returns the enterprise-wide identity for a user

F$IDENTIFICATION_TYPE Function

Returns the way the schema of a user was created in the database. Specifically, it reflects the IDENTIFIED clause in the CREATE USER or ALTER USER syntax.

F$LANG Function

Returns the ISO abbreviation for the language name, a shorter form than the existing LANGUAGE parameter

F$LANGUAGE Function

Returns the language and territory currently used by your session, in VARCHAR2 data type, along with the database character set

F$MACHINE Function

Returns the computer (host) name for the database client that established the database session.

F$NETWORK_PROTOCOL Function

Returns the network protocol being used for communication, as specified in the PROTOCOL=protocol portion of the connect string

F$PROXY_ENTERPRISE_IDENTITY Function

Returns the Oracle Internet Directory distinguished name (DN) when the proxy user is an enterprise user

F$SESSION_USER Function

Returns the database user name by which the current user is authenticated


F$AUTHENTICATION_METHOD Function

The F$AUTHENTICATION_METHOD function returns the method of authentication in VARCHAR2 data type. In the list that follows, the type of user is followed by the method returned:

  • Password-authenticated enterprise user, local database user, or SYSDBA/SYSOPER using Password File; proxy with user name using password: PASSWORD

  • Kerberos-authenticated enterprise or external user: KERBEROS

  • SSL-authenticated enterprise or external user: SSL

  • Radius-authenticated external user: RADIUS

  • Operating system-authenticated external user or SYSDBA/SYSOPER: OS

  • DCE-authenticated external user: DCE

  • Proxy with certificate, distinguished name (DN), or user name without using password: NONE

You can use IDENTIFICATION_TYPE to distinguish between external and enterprise users when the authentication method is Password, Kerberos, or SSL.

Syntax

DVF.F$AUTHENTICATION_METHOD () 
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check SSL Authentication Method',
  rule_expr => 'DVF.F$AUTHENTICATION_METHOD = ''SSL''');
END;
/

F$CLIENT_IP Function

The F$CLIENT_IP function returns the IP address of the computer from which the client is connected, in VARCHAR2 data type.

Syntax

DVF.F$CLIENT_IP ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Client IP Address',
  rule_expr => 'DVF.F$CLIENT_IP BETWEEN ''192.0.2.10'' AND ''192.0.2.20''');
END;
/

F$DATABASE_DOMAIN Function

The F$DATABASE_DOMAIN function returns the domain of the database as specified in the DB_DOMAIN initialization parameter, in sVARCHAR2 data type.

Syntax

DVF.F$DATABASE_DOMAIN ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Client Database Domain',
  rule_expr => 'DVF.F$DATABASE_DOMAIN NOT IN (''EXAMPLE'', ''YOURDOMAIN'')');
END;
/

F$DATABASE_HOSTNAME Function

The F$DATABASE_HOSTNAME function returns the host name of the computer on which the instance is running, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_HOSTNAME ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Host Name',
  rule_expr => 'DVF.F$DATABASE_HOSTNAME IN (''SHOBEEN'', ''MAU'')');
END;
/

F$DATABASE_INSTANCE Function

The F$DATABASE_INSTANCE function returns the instance identification number of the current database instance, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_INSTANCE ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database Instance ID',
  rule_expr => 'DVF.F$DATABASE_INSTANCE = ''SALES_DB''');
END;
/

F$DATABASE_IP Function

The F$DATABASE_IP function returns the IP address of the computer on which the database instance is running, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_IP ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database IP address',
  rule_expr => 'DVF.F$DATABASE_IP = ''192.0.2.5''');
END;
/

F$DATABASE_NAME Function

The F$DATABASE_NAME function returns the name of the database as specified in the DB_NAME initialization parameter, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_NAME ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database DB_NAME Name',
  rule_expr => 'DVF.F$DATABASE_NAME = ''ORCL''');
END;
/

F$DOMAIN Function

The F$DOMAIN function returns a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level. The return type is VARCHAR2.

You can identify a domain using factors such as host name, IP address, and database instance names of the Oracle Database Vault nodes in a secure access path to the database. Each domain can be uniquely determined using a combination of the factor identifiers that identify the domain. You can use these identifying factors and possibly additional factors to define the Maximum Security Label within the domain. This restricts data access and commands, depending on the physical factors about the Oracle Database Vault session. Example domains of interest may be Corporate Sensitive, Internal Public, Partners, and Customers.

Syntax

DVF.F$DOMAIN ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Domain',
  rule_expr => 'DVF.F$DOMAIN = ''EXAMPLE.COM''');
END;
/

F$ENTERPRISE_IDENTITY Function

The F$ENTERPRISE_IDENTITY function returns the enterprise-wide identity for a user, in VARCHAR2 data type:

  • For enterprise users: the Oracle Internet Directory DN.

  • For external users: the external identity (Kerberos principal name, Radius and DCE schema names, operating system user name, certificate DN).

  • For local users and SYSDBA/SYSOPER logins: NULL.

The value of the attribute differs by proxy method:

  • For a proxy with DN: the Oracle Internet Directory DN of the client.

  • For a proxy with certificate: the certificate DN of the client for external users; the Oracle Internet Directory DN for global users.

  • For a proxy with user name: the Oracle Internet Directory DN if the client is an enterprise user; NULL if the client is a local database user.

Syntax

DVF.F$ENTERPRISE_IDENTITY ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check User Enterprise Identity',
  rule_expr => 'DVF.F$ENTERPRISE_IDENTITY NOT IN (''JSMITH'', ''TSMITH'')');
END;
/

F$IDENTIFICATION_TYPE Function

The F$IDENTIFICATION_TYPE function returns the way the schema of a user was created in the database. Specifically, it reflects the IDENTIFIED clause in the CREATE/ALTER USER syntax. The return type is VARCHAR2. In the list that follows, the syntax used during schema creation is followed by the identification type returned:

  • IDENTIFIED BY password: LOCAL

  • IDENTIFIED EXTERNALLY: EXTERNAL

  • IDENTIFIED GLOBALLY: GLOBAL SHARED

  • IDENTIFIED GLOBALLY AS DN: GLOBAL PRIVATE

Syntax

DVF.F$IDENTIFICATION_TYPE ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check User Schema Creation Type',
  rule_expr => 'DVF.F$IDENTIFICATION_TYPE = ''GLOBAL SHARED''');
END;
/

F$LANG Function

The F$LANG function returns the ISO abbreviation for the language name, a shorter form than the existing LANGUAGE parameter, for the session of the user. The return type is VARCHAR2.

See Oracle Database Globalization Support Guide for a listing of supported languages for Oracle Database.

Syntax

DVF.F$LANG ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check ISO Abbreviated Language Name',
  rule_expr => 'DVF.F$LANG IN (''EN'', ''DE'', ''FR'')');
END;
/

F$LANGUAGE Function

The F$LANGUAGE function returns the language and territory currently used by a user session, in VARCHAR2 data type, along with the database character set, in the following form:

language_territory.characterset

See Oracle Database Globalization Support Guide for a listing of supported languages and territories for Oracle Database.

Syntax

DVF.F$LANGUAGE ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Session Language and Territory',
  rule_expr => 'DVF.F$LANGUAGE = ''AMERICAN_AMERICA.WE8ISO8859P1''');
END;
/

F$MACHINE Function

The F$MACHINE function returns the computer (host) name for the database client that established the database session. The return type is VARCHAR2.

Syntax

DVF.F$MACHINE ()
RETURN VARCHAR2;

Parameter

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Client Computer Host Name',
  rule_expr => 'DVF.F$MACHINE NOT IN (''SHOBEEN'', ''SEBASTIAN'')');
END;
/

F$NETWORK_PROTOCOL Function

The F$NETWORK_PROTOCOL function returns the network protocol being used for communication, as specified in the PROTOCOL=protocol portion of the connect string. The return type is VARCHAR2.

Syntax

DVF.F$NETWORK_PROTOCOL ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Network Protocol',
  rule_expr => 'DVF.F$NETWORK_PROTOCOL = ''TCP''');
END;
/

F$PROXY_ENTERPRISE_IDENTITY Function

The F$PROXY_ENTERPRISE_IDENTITY function returns the Oracle Internet Directory distinguished name (DN) when the proxy user is an enterprise user. The return type is VARCHAR2.

Syntax

DVF.F$PROXY_ENTERPRISE_IDENTITY ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get OID DN of Enterprise User',
  rule_expr => 'DVF.F$PROXY_ENTERPRISE_IDENTITY = ''cn=Provisioning Admins''');
END;
/

F$SESSION_USER Function

The F$SESSION_USER function returns the database user name by which the current user is authenticated. This value remains the same throughout the session. The return type is VARCHAR2.

Syntax

DVF.F$SESSION_USER ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database User Name',
  rule_expr => 'DVF.F$SESSION_USER IN (''JSMITH'', ''TSMITH'')');
END;
/

Oracle Database Vault PL/SQL Rule Functions

Oracle Database Vault provides a set of functions that you can use in rule sets to inspect the SQL statement that you want the rule set to protect. For example, if a rule set protects SELECT ON HR.EMPLOYEES under a command rule, then you could use these functions to make more informed decisions in the rule expression.

Table 15-9 lists the default rule functions.

Table 15-9 Installed Oracle Database Vault PL/SQL Rule Set Functions

Rule Set FunctionDescription

DV_SYSEVENT Function

Returns the system event firing the rule set

DV_LOGIN_USER Function

Returns the login user name

DV_INSTANCE_NUM Function

Returns the database instance number

DV_DATABASE_NAME Function

Returns the database name

DV_DICT_OBJ_TYPE Function

Returns the type of the dictionary object on which the database operation occurred (for example, table, procedure, view)

DV_DICT_OBJ_OWNER Function

Returns the owner of the dictionary object on which the database operation occurred

DV_DICT_OBJ_NAME Function

Returns the name of the dictionary object on which the database operation occurred

DV_SQL_TEXT Function

Returns the first 4000 characters of SQL text of the database statement used in the operation


DV_SYSEVENT Function

The DV_SYSEVENT function returns the system event firing the rule set, in VARCHAR2 data type. The event name is the same as that in the syntax of the SQL statement (for example, INSERT, CREATE.)

Syntax

DVSYS.DV_SYSEVENT ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get System Event Firing the Maintenance Rule Set',
  rule_expr => 'DVSYS.DV_SYSEVENT = ''CREATE''');
END;
/

DV_LOGIN_USER Function

The DV_LOGIN_USER function returns the login user name, in VARCHAR2 data type.

Syntax

DVSYS.DV_LOGIN_USER ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check System Login User Name',
  rule_expr => 'DVSYS.DV_LOGIN_USER = ''SEBASTIAN''');
END;
/

DV_INSTANCE_NUM Function

The DV_INSTANCE_NUM function returns the database instance number, in NUMBER data type.

Syntax

DVSYS.DV_INSTANCE_NUM ()
RETURN NUMBER;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database Instance Number',
  rule_expr => 'DVSYS.DV_INSTANCE_NUM BETWEEN 6 AND 9');
END;
/

DV_DATABASE_NAME Function

The DV_DATABASE_NAME function returns the database name, in VARCHAR2 data type.

Syntax

DVSYS.DV_DATABASE_NAME ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database Name',
  rule_expr => 'DVSYS.DV_DATABASE_NAME = ''ORCL''');
END;
/

DV_DICT_OBJ_TYPE Function

The DV_DICT_OBJ_TYPE function returns the type of the dictionary object on which the database operation occurred (for example, table, procedure, or view). The return type is VARCHAR2.

Syntax

DVSYS.DV_DICT_OBJ_TYPE ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Dictionary Object Type',
  rule_expr => 'DVSYS.DV_DICT_OBJ_TYPE IN (''TABLE'', ''VIEW'')');
END;
/

DV_DICT_OBJ_OWNER Function

The DV_DICT_OBJ_OWNER function returns the name of the owner of the dictionary object on which the database operation occurred. The return type is VARCHAR2.

Syntax

DVSYS.DV_DICT_OBJ_OWNER ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Dictionary Object Owner',
  rule_expr => 'DVSYS.DV_DICT_OBJ_OWNER = ''JSMITH''');
END;
/

DV_DICT_OBJ_NAME Function

The DV_DICT_OBJ_NAME function returns the name of the dictionary object on which the database operation occurred. The return type is VARCHAR2.

Syntax

DVSYS.DV_DICT_OBJ_NAME ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Dictionary Object Name',
  rule_expr => 'DVSYS.DV_DICT_OBJ_NAME = ''SALES''');
END;
/

DV_SQL_TEXT Function

The DV_SQL_TEXT function returns the first 4000 characters of SQL text of the database statement used in the operation The return type is VARCHAR2.

Syntax

DVSYS.DV_SQL_TEXT ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check SQL Text',
  rule_expr => 'DVSYS.DV_SQL_TEXT = ''SELECT SALARY FROM HR.EMPLOYEES''');
END;
/

Oracle Database Vault PL/SQL Packages

Oracle Database Vault provides a collection of PL/SQL package APIs to support the maintenance and run-time behavior of Oracle Database Vault. Table 15-10 lists these packages. Chapter 12, "Using the DVSYS.DBMS_MACADM Package," describes these packages in detail.

Table 15-10 Oracle Database Vault Administrator and Run-Time PL/SQL Packages

PackageDescription

DVSYS.DBMS_MACADM

Provides for the administration of all aspects of the secure and access control configuration data. The realm owner of the Oracle Database Vault realm can grant the ability to run this package.

See Chapter 12, "Using the DVSYS.DBMS_MACADM Package," for more information.

DVSYS.DBMS_MACSEC_ROLES

Provides the CAN_SET_ROLE method to check whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. The authorization is determined by checking the rule set associated with the role.

The API also provides a method to issue the SET ROLE statement for a Oracle Database Vault Secure Application Role. Before SET ROLE is issued, the CAN_SET_ROLE method is called to check the rule set associated with the role. Run-time rule set behavior such as auditing, failure processing, and event handling occur during this process. The package is available to the general database account population.

See Chapter 13, "Using the DVSYS.DBMS_MACSEC_ROLES Package," for more information.

DVSYS.DBMS_MACUTL

Defines several constants and utility methods that are commonly used by other Oracle Database Vault packages, such as code/message lookup, error handling, data conversion, and privilege checks. This package can be run by the general database account population. This allows for security developers to leverage the constants in scripted configuration files. Utility methods such as USER_HAS_ROLE can also be used in Oracle Database Vault rules.

See Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for more information.



Note:

There are several procedures in the DVSYS.DBMS_MACADM package that are not exposed in the Oracle Database Vault Administration Web application. The procedures that are not exposed include:

  • CREATE_DOMAIN_IDENTITY

  • CREATE_FACTOR_TYPE

  • DELETE_FACTOR_TYPE

  • RENAME_FACTOR_TYPE

  • UPDATE_FACTOR_TYPE


PK"PK)AOEBPS/preface.htm| Preface

Preface

Oracle Database Vault Administrator's Guide explains how to configure access control-based security in an Oracle Database environment by using Oracle Database Vault.

This preface contains the following topics:

Audience

This document is intended for security managers, audit managers, label administrators, and Oracle database administrators (DBAs) who are involved in the configuration of Oracle Database Vault.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents

For more information refer to the following documents:

Oracle Documentation Search Engine

To access the database documentation search engine directly, visit:

http://tahiti.oracle.com/

Oracle Technology Network (OTN)

You can download free release notes, installation documentation, updated versions of this guide, white papers, or other collateral from the Oracle Technology Network (OTN). Visit

http://www.oracle.com/technetwork/index.html

For security-specific information on OTN, visit

http://www.oracle.com/technetwork/topics/security/whatsnew/index.html

For the latest version of the Oracle documentation, including this guide, visit

http://www.oracle.com/technetwork/documentation/index.html

Oracle Database Vault-Specific Sites

For OTN information specific to Oracle Database Vault, visit

http://www.oracle.com/technetwork/database/options/database-vault/index-085211.html

For frequently asked questions about Oracle Database Vault, visit

http://www.oracle.com/technetwork/database/security/dbv-faq-083210.html

Oracle Store

Printed documentation is available for sale in the Oracle Store at:

https://shop.oracle.com

My Oracle Support (formerly OracleMetaLink)

You can find information about security patches, certifications, and the support knowledge base by visiting My Oracle Support at:

https://support.oracle.com

Conventions

The following text conventions are used in this document:

ConventionMeaning
boldfaceBoldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italicItalic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospaceMonospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

PK8 Postinstallation Oracle Database Vault Procedures

C Postinstallation Oracle Database Vault Procedures

This appendix contains:

Registering (Enabling) Oracle Database Vault

After you install Oracle Database, you must register (that is, enable) Oracle Database Vault. Oracle Database includes Database Vault by default, but you must register it before you can use it. As part of the registration process, you create the Database Vault administrative accounts. The registration process also creates the Database Vault DVSYS and DVF schemas. This procedure applies to both single-instance and Oracle RAC installations. To check if Database Vault has already been enabled, see "Checking if Oracle Database Vault Is Enabled or Disabled".

  1. Ensure that the computer on which you want to register Oracle Database Vault has the Oracle Enterprise Manager Database Console available.

    You can check the status of the Database Console by running the emctl status dbconsole command. For example:

    ./emctl status dbconsole

  2. Stop the database, Database Control console process, and listener.

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Console process and listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> EXIT

$ emctl stop dbconsole
$ lsnrctl stop [listener_name]

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name

    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  3. Enable Oracle Database Vault as follows:

    • UNIX: Run the following commands. The make command enables both Oracle Database Vault (dv_on) and Oracle Label Security (lbac_on). You must enable Oracle Label Security before you can use Database Vault.

      $ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle

    • Windows: In the ORACLE_BASE\ORACLE_HOME\bin directory, rename the oradvll.dll.dbl file to oradvll.dll. Ensure that the name of the Oracle Label Security executable is oralbacll.dll (and not oralbacll.dll.dbl or some other backup name). You must enable Oracle Label Security before you can use Database Vault.

  4. Restart the database and listener. (Do not restart the Database Control console process yet.)

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> STARTUP
SQL> EXIT

$ lsnrctl start [listener_name]

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name

    • Windows: Restart the database and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  5. Start Database Configuration Assistant.

    • UNIX: Enter the following command at a terminal window:

      dbca

      By default, dbca is in the $ORACLE_HOME/bin directory.

    • Windows: From the Start menu, click All Programs. Then, click Oracle - ORACLE_HOME, Configuration and Migration Tools, and then Database Configuration Assistant.

      Alternatively, you can start Database Configuration Assistant at a command prompt:

      dbca

      As with UNIX, typically, dbca is in the ORACLE_BASE\ORACLE_HOME\bin directory.

  6. In the Welcome page, click Next.

    The Operations page appears.

  7. Select Configure Database Options, and then click Next.

    The Database page appears.

  8. From the list, select the database where you installed Oracle Database and then click Next.

    The Database Content page appears.

  9. Perform one of the following actions:

    • If Oracle Label Security is already enabled: Select the Oracle Database Vault option, and then click Next.

    • If Oracle Label Security is not enabled: Select the Oracle Label Security option so that the Oracle Database Vault option becomes available for selection. Select the Oracle Database Vault option as well, and then click Next.

    The Oracle Database Vault Credentials page appears.

  10. Specify the name and password for the Database Vault Owner account (for example, DBVOWNER) and the Database Vault Account Manager (for example, DBVACCTMGR).

    Enter any password that is secure, according to the password guidelines described in Oracle Database Security Guide. Oracle Database Vault has additional password requirements, which are displayed if you try to create an incorrect password.

  11. Click Next.

    The Connection Mode page appears.

  12. Select either Dedicated Server Mode or Shared Server Mode (depending on the selection you made when you created this database), click Finish, and then click OK in the confirmation prompts.

    Database Configuration Assistant registers Oracle Database Vault, and then restarts the database instance.

  13. Exit Database Configuration Assistant.

  14. Restart the Database Control console process.

    • UNIX: Run the following command:

      $ emctl start dbconsole

    • Windows: Restart the Database Control console process (for example, OracleDBConsoleorcl if the name of the database is orcl) from the Services tool in the Control Panel.

After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Starting Oracle Database Vault" for more information.

Checking the Locale and NLS Settings

Ensure that the value of the NLS_LANGUAGE initialization parameter matches the locale and NLS settings (either the NLS_LANG or LANG environment variables) used by the operating system of the computer on which Oracle Database is installed. If these values are inconsistent, then Database Vault Administrator does not display the default realms, command rules, rule sets, or factors.

For example, if the operating system locale (the variable $LANG) setting is en_US.UTF-8, then you must set the corresponding NLS_LANG environment variable to AMERICAN_AMERICA.AL32UTF8 and the database NLS_LANGUAGE initialization parameter value to be AMERICAN. The database NLS_LANGUAGE parameter is derived from the operating system NLS_LANG environment variable.

For more information about checking and configuring locale and NLS settings, see the appendix that covers globalization support in the Oracle Database Installation Guide for your platform.

Manually Deploying Oracle Database Vault Administrator

If you have created an Oracle database manually, and have configured Oracle Enterprise Manager Database Control by using Enterprise Manager Configuration Assistant, you must manually deploy Oracle Database Vault Administrator. This procedure deploys Database Vault Administrator in the same OC4J container as the current Enterprise Manager, rather than creating a new application.

This section contains:

Deploying Database Vault Administrator to a Standalone OC4J Container

You can manually deploy Database Vault Administrator to the Oracle Application Server Containers for J2EE (OC4J) home, which by default is in the $ORACLE_HOME/oc4j/j2ee/home directory.

To manually deploy Database Vault Administrator:

  1. Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/server.xml. Enter the following line just before the last line that reads, </application-server>:

    <application name="dva" path="Oracle_home_dir/dv/jlib/dva_webapp.ear" auto-start="true" />

    Replace Oracle_home_dir with the relative or direct path to the Oracle home directory. (You cannot enter the $ORACLE_HOME environment variable.)

    For example:

    <application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />

  2. Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml. Enter the following line just above the last line that reads, </web-site>:

    <web-app application="dva" name="dva_webapp" root="/dva" />

  3. Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>. Uncomment the following lines after this:

    <init-param>
   <param-name>main_mode</param-name>
   <param-value>justrun</param-value>
</init-param>

  4. Create the following directory:

    mkdir -p $ORACLE_HOME/dv/jlib/sysman/config

  5. Create the database connection configuration file, emoms.properties, in the configuration directory that you just created. Add the following lines to the file:

    oracle.sysman.emSDK.svlt.ConsoleMode=standalone
oracle.sysman.eml.mntr.emdRepRAC=FALSE
oracle.sysman.eml.mntr.emdRepDBName=oracle_sid
oracle.system.eml.mntr.emdRepConnectDescriptor=TNS_connection_string

    Follow these instructions:

    • For an Oracle RAC environment, set oracle.sysman.eml.mntr.emdRepRAC to TRUE.

    • For oracle.sysman.eml.mntr.emdRepConnectDescriptor, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora. Alternatively, you can use the following syntax:

      oracle.sysman.eml.mntr.emdRepConnectDescriptor=
  (DESCRIPTION\=
    (ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP) (HOST\=HOSTNAME)(PORT\=PORT))) 
    (CONNECT_DATA\=
       (SERVICE_NAME\=ORACLE_SID))

  6. Ensure that the correct environment variables are set.

    For example:

    ORACLE_SID=orcl
export ORACLE_SID
ORACLE_HOME=/u00/app/oracle/product/11.2/dv
export ORACLE_HOME
LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib
export LD_LIBRARY_PATH
PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH
export PATH

    Set the LD_LIBRARY_PATH variable to use the OCI-based JDBC libraries.

  7. Start OC4J using the following syntax:

    $ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml

After you complete these steps, you can start Database Vault Administrator. The HTTP port defaults to 8888 for this environment. Use the following syntax for the URL:

http://hostname:8888/dva

Deploying Database Vault Administrator to the Database Console OC4J Container

To manually deploy Database Vault Administrator to the Database Console OC4J container:

  1. Stop Oracle Database Console.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:

      ./emctl stop dbconsole

    • Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu.

  2. Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_service_name/config/server.xml file.

  3. Add the following line before the </application-server> element:

    <application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" parent="default" start="true" />

    On Windows systems, replace $ORACLE_HOME with the absolute path to your Oracle Database home.

  4. Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_service_name/config/http-web-site.xml file.

  5. Add the following line before the </web-site> element:

    <web-app application="dva" name="dva_webapp" load-on-startup="true" root="/dva" shared="true"/>

  6. Restart Oracle Database Console.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:

      ./emctl start dbconsole

    • Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Start from the menu.

After you complete these steps, you can start Oracle Database Vault Administrator by using the following URL:

https://hostname:port/dva

For example:

https://myserver:1158/dva

If you are unsure of the port number, open the ORACLE_HOME/host_sid/sysman/config/emd.properties file and search for REPOSITORY_URL. In most cases, the host name and port number are the same as Oracle Enterprise Manager Database Control.

Setting the Time-Out Value for Oracle Database Vault Administrator

By default, an Oracle Database Vault session lasts 35 minutes. If you want the session to last for a different time, follow the steps in this section.

To set the session time for Oracle Database Vault Administrator:

  1. Back up the web.xml file, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF directory.

  2. In a text editor, open the web.xml file.

  3. Search for the following setting:

    <session-config>
 <session-timeout>35</session-timeout>
</session-config>

  4. Change the <session-timeout> setting to the amount of time in minutes that you prefer.

  5. Save and close the web.xml file.

  6. Stop and restart the Database Vault Administrator.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:

      ./emctl stop dbconsole
./emctl start dbconsole

    • Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu. After the console stops, select Start.

Enabling Oracle Database Vault Administrator Accessibility

You can configure Database Vault Administrator to make data accessible and usable to the disabled community. The following sections explain how to enable Database Vault Administrator for full accessibility.

Enabling Oracle Database Vault Administrator Accessibility Mode

Oracle Database Vault Administrator takes advantage of user interface development technologies that improve the responsiveness of some user operations. For example, when you navigate to a new record set in a table, Oracle Database Vault Administrator does not redisplay the entire HTML page. However, this performance-improving technology is generally not supported by screen readers. To disable this feature, and as a result, make the Database Vault Administrator HTML pages more accessible for disabled users, use the following procedure.

To enable the display of an entire HTML page:

  1. Locate the uix-config.xml configuration file.

    By default, the uix-config.xml file is in the following directory:

    $ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications/em/em/WEB-INF

  2. Open the uix-config.xml file using a text editor and locate the following entry:

    <!-- An alternate configuration that disables accessibility features  -->
<default-configuration>
  <accessibility-mode>inaccessible</accessibility-mode>
...
</default-configuration>

  3. Change the value of the accessibility-mode property from inaccessible to accessible.

  4. Save and close the uix-config.xml file.

  5. Restart Database Vault Administrator.

    See "Starting Oracle Database Vault".

Providing Textual Descriptions of Database Vault Administrator Charts

The Monitor page of Database Vault Administrator displays security policy data in a chart. However, charts do not convey information in a manner that can be read by a screen reader. To remedy this problem, you can configure Database Vault Administrator to provide a complete textual representation of each chart. By default, support for the textual representation of charts is disabled. When textual description for charts is enabled, Database Vault Administrator displays a textual representation of the chart data.

To enable the textual representation of charts:

  1. Locate the web.xml configuration file.

    To locate the web.xml file in a Oracle Database 10g installation, change directory to the following location in the Oracle home:

    $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/

  2. Open the web.xml file with your favorite text editor and locate the following six lines of the file:

    <!-- Uncomment this to enable textual chart descriptions
<context-param>
<param-name>enableChartDescription</param-name>
<param-value>true</param-value>
</context-param>
-->

  3. Remove comments from this section by deleting the first line and the last line of this section so that the section consists of only these four lines:

    <context-param>
<param-name>enableChartDescription</param-name>
<param-value>true</param-value>
</context-param>

  4. Save and exit the web.xml file.

  5. Restart Database Vault Administrator.

    See "Starting Oracle Database Vault".

Configuring Oracle Database Vault on Oracle RAC Nodes

After you install Oracle Database Vault for an Oracle Real Application Clusters (Oracle RAC) instance, complete the following procedure for each Oracle RAC node. This procedure assumes that you have a separate Oracle home for each node.

  1. Log in to SQL*Plus as user SYS with the SYSDBA privilege.

    sqlplus sys as sysdba
Enter password: password

  2. Run the following ALTER SYSTEM statements:

    ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE;
ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE; 
ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; 
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE;
ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE;

  3. Restart Oracle Database.

    CONNECT SYS/AS SYSOPER
Enter password: password

SHUTDOWN IMMEDIATE
STARTUP

Adding Languages to Oracle Database Vault

By default, Oracle Database Vault loads only the English language tables. You can add more languages by running the DVSYS.DBMS_MACADM.ADD_NLS_DATA procedure for each new language that you want to add. You can add more than one language to Database Vault.

To add a new language to Oracle Database Vault:

  1. Log into SQL*Plus as a user who has been granted the DV_OWNER or DV_ADMIN role.

  2. Run the following procedure:

    EXEC DVSYS.DBMS_MACADM.ADD_NLS_DATA('language');

    You can specify the language setting using any case. For example:

    EXEC DVSYS.DBMS_MACADM.ADD_NLS_DATA('french');

EXEC DVSYS.DBMS_MACADM.ADD_NLS_DATA('JAPANESE');

    Replace language with one of the following supported languages:

    • ENGLISH

    • GERMAN

    • SPANISH

    • FRENCH

    • ITALIAN

    • JAPANESE

    • KOREAN

    • BRAZILIAN PORTUGUESE

    • SIMPLIFIED CHINESE

    • TRADITIONAL CHINESE

Deinstalling Oracle Database Vault

The following procedure removes Oracle Database Vault from an Oracle Database installation. It applies to both single-instance and Oracle RAC installations. The deinstallation process does not affect the initialization parameter settings, even those settings that were modified during the installation process.

To deinstall Oracle Database Vault:

  1. Stop the database, Database Control console process, and listener.

    For example:

    sqlplus sys as sysoper
Enter password: password
Connected.

SQL> SHUTDOWN IMMEDIATE
SQL> EXIT

$ emctl stop dbconsole
$ lsnrctl stop [listener_name]

    For Oracle RAC installations, shut down each database instance as follows:

    $ srvctl stop database -d db_name

    On Windows, you can stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  2. Run the following commands to turn off Oracle Database Vault and Oracle Label Security:

    $ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_off lbac_off ioracle

  3. Log in to SQL*Plus and then restart the database, Database Control console process, and listener.

    For example:

    SQL> STARTUP
SQL> EXIT

$ emctl stop dbconsole
$ lsnrctl start [listener_name]

    For each instance in an Oracle RAC installation:

    $ srvctl start database -d db_name

    On Windows, you can restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  4. In SQL*Plus, log in as user SYS with the SYSDBA privilege.

  5. Disable the recycle bin.

    To check if the recycle bin is enabled, enter the following command:

    SQL> SHOW PARAMETER RECYCLEBIN

    If the recycle bin is enabled, then disable it as follows:

    SQL> ALTER SYSTEM SET RECYCLEBIN = OFF SCOPE=SPFILE;
SQL> SHUTDOWN IMMEDIATE
SQL> STARTUP

    Disabling the recycle bin does not purge or otherwise affect objects that are already in the recycle bin. For better security, keep the recycle bin disabled. See "Security Considerations for the Recycle Bin".

  6. Run the following SQL script:

    SQL> @$ORACLE_HOME/rdbms/admin/dvremov.sql

  7. Manually drop the DV_OWNER and DV_ACCTMGR user accounts and the DV_REALM_RESOURCE and DV_REALM_OWNER roles.

    SQL> DROP DBV_OWNER CASCADE;
SQL> DROP DBV_ACCTMGR CASCADE;
SQL> DROP DV_REALM_RESOURCE;
SQL> DROP DV_REALM_OWNER;

  8. Enable Oracle Label Security.

    $ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk lbac_on ioracle

Afterward, you can double-check that Oracle Dadtabase Vault is truly deinstalled by logging in to SQL*Plus and entering the following statement:

SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is deinstalled, the following output appears:

PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         FALSE

Reinstalling Oracle Database Vault

To reinstall Oracle Database Vault, follow the procedure under "Registering (Enabling) Oracle Database Vault".

PKmPK)AOEBPS/index.htm Index

Index

A  B  C  D  E  F  G  H  I  J  L  M  N  O  P  Q  R  S  T  U  V  W  X 

Symbols

% wildcard, 17.3

A

access control policy
configuring with tools and components
Oracle Label Security PL/SQL APIs, 1.2.5
Oracle Policy Manager, 1.2.5
reports
Core Database Vault Audit Report, 17.4.2.5
access control run-time PL/SQL procedures and functions, 15.1
Access to Sensitive Objects Report, 17.5.3.2
accessibility features, C.5
accounts
See database accounts
Accounts With DBA Roles Report, 17.5.5.2
Accounts with SYSDBA/SYSOPER Privilege Report, 17.5.3.4
ad hoc tools
preventing use of, 7.8.1
administrators
DBA operations in Oracle Database Vault, 10
restricting different types, 7.9.1
alerts
email alert in rule set, 5.8.1
Enterprise Manager Grid Control, 10.1.3
ALTER DATABASE statement
monitoring, 16.2
ALTER ROLE statement
monitoring, 16.3.1
ALTER SESSION privilege
enabling trace files, E.1
reports, ALTER SYSTEM or ALTER SESSION Report, 17.5.5.5
ALTER SESSION statement
guidelines on managing privileges, D.6.6
ALTER SYSTEM or ALTER SESSION Report, 17.5.5.5
ALTER SYSTEM privilege
reports, ALTER SYSTEM or ALTER SESSION Report, 17.5.5.5
ALTER SYSTEM statement
controlling with command rules, 6.1
guidelines on managing privileges, D.6.6
ALTER TABLE statement
monitoring, 16.2
ALTER USER statement
monitoring, 16.3.1
ANY privileges, 11.2.11
ANY System Privileges for Database Accounts Report, 17.5.2.4
APIs
See DVSYS.DBMS_MACADM package, DVSYS.DBMS_MACSEC_ROLES package, DVSYS.DBMS_MACUTL package
assistive technology, C.5
AUD$ table
See SYS.AUD$ table
audit policy change
monitoring, 16.3.1
AUDIT privilege, 17.5.5.10
AUDIT Privileges Report, 17.5.5.10
AUDIT_SYS_OPERATIONS initialization parameter, 2.1
AUDIT_TRAIL initialization parameter
effect on Core Database Audit Report, 17.5.8
AUDIT_TRAIL$ system table
affected by AUDIT_TRAIL initialization parameter, A.1.2
archiving, A.2
format, A.1.2
purging, A.2
auditing
archiving Database Vault audit trail, A.2
Core Database Audit Report, 17.5.8
DVSYS.DBMS_MACUTL fields, 14.2.1
factors
options, 7.3
intruders
using factors, 7.3
using rule sets, 5.3
Oracle Database audit settings, A.3
purging Database Vault audit trail, A.2
realms
DVSYS.DBMS_MACUTL fields, 14.2.1
options, 4.3
reports, 17.4.2
rule sets
DVSYS.DBMS_MACUTL fields, 14.2.1
options, 5.3
secure application roles
audit records, 8.8
troubleshooting, E.1
views used to audit events, 11.4.1
auditing policies
about, A
audit events
about, A.1.1
custom events
audit trail, A.1.2
events that are tracked, A.1.1
monitoring changes to, 16.3.1
authentication
Authentication_Method default factor, 7.2
command rules, 6.1
method, finding with DVF.F$AUTHENTICATION_METHOD, 15.2.1
realm procedures, 12.2
authorizations
Oracle Data Pump activities, 10.2.1
realms, 4.6
scheduling database jobs, 10.3.1

B

BECOME USER Report, 17.5.5.4
BECOME USER system privilege
about, 17.5.5.4

C

catalog-based roles, 17.5.5.9
child factors
See factors
clients
finding IP address with DVF.F$CLIENT_IP, 15.2.2
code groups
retrieving value with DVSYS.DBMS_MACUTL functions, 14.3
Command Rule Audit Report, 17.4.2.2
Command Rule Configuration Issues Report, 17.4.1.1
command rules
about, 6.1
creating, 6.4
data dictionary view, 6.10
data masking, 10.8.4
default command rules, 6.2
default command rules not showing in Database Vault Administrator, C.2
deleting, 6.5
diagnosing behavior, E.1
editing, 6.4
functions
DVSYS.DBMS_MACUTL (utility), 14.1
guidelines, 6.8
how command rules work, 6.6
objects
name, 6.4
owner, 6.4
performance effect, 6.9
procedures
DVSYS.DBMS_MACADM (configuration), 12.4
process flow, 6.6
propagating policies to other databases, 10.1.2
reports, 6.10
rule sets
selecting, 6.4
used with, 6.1
troubleshooting
general diagnostic advice, E.1
with auditing report, 17.4.2.2
tutorial, 6.7.1
views, 6.10, 11.4.2
See also rule sets
compliance
Oracle Database Vault addressing, 1.3
computer name
finding with DVF.F$MACHINE, 15.2.13
Machine default factor, 7.2
configuration
monitoring changes, 16.3.1
See also DVSYS.DBMS_MACADM package
CONNECT events, controlling with command rules, 6.1
core database
troubleshooting with Core Database Vault Audit Report, 17.4.2.5
Core Database Audit Report, 17.5.8
Core Database Vault Audit Trail Report, 17.4.2.5
CPU_PER_SESSION resource profile, 17.5.6.2
CREATE ANY JOB privilege, D.6.3
CREATE ANY JOB statement
guidelines on managing privileges, D.6.3
CREATE EXTERNAL JOB privilege, D.6.4
CREATE JOB privilege, D.6.3
CREATE JOB statement
guidelines on managing privileges, D.6.3
CREATE ROLE statement
monitoring, 16.3.1
CREATE TABLE statement
monitoring, 16.2
CREATE USER statement
monitoring, 16.3.1

D

data definition language (DDL)
statement
controlling with command rules, 6.1
data dictionary
adding DV_ACCTMGR role to realm, 3.2.2
Data Dictionary realm
data masking, 10.8.2
data manipulation language (DML)
statement
checking with DVSYS.DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED function, 14.3
controlling with command rules, 6.1
data masking
about, 10.8.1
adding users to realms for, 10.8.3
creating command rule for, 10.8.4
errors that can appear, 10.8.1
data Oracle Database Vault recognizes
See factors
Data Pump
See Oracle Data Pump
Database Account Default Password Report, 17.5.7.1
Database Account Status Report, 17.5.7.2
database accounts
counting privileges of, 17.5.4.1
DBSNMP
changing password, 10.1.5
granted DV_MONITOR role, 11.2.4
realm for, 4.2
DVSYS, 11.3
LBACSYS, 11.3
monitoring, 16.3.1
reports
Accounts With DBA Roles Report, 17.5.5.2
ALTER SYSTEM or ALTER SESSION Report, 17.5.5.5
ANY System Privileges for Database Accounts Report, 17.5.2.4
AUDIT Privileges Report, 17.5.5.10
BECOME USER Report, 17.5.5.4
Database Account Default Password Report, 17.5.7.1
Database Account Status Report, 17.5.7.2
Database Accounts With Catalog Roles Report, 17.5.5.9
Direct and Indirect System Privileges By Database Account Report, 17.5.2.2
Direct Object Privileges Report, 17.5.1.3
Direct System Privileges By Database Account Report, 17.5.2.1
Hierarchical System Privileges by Database Account Report, 17.5.2.3
Object Access By PUBLIC Report, 17.5.1.1
Object Access Not By PUBLIC Report, 17.5.1.2
OS Security Vulnerability Privileges, 17.5.5.11
Password History Access Report, 17.5.5.6
Privileges Distribution By Grantee Report, 17.5.4.1, 17.5.4.1, 17.5.4.1
Privileges Distribution By Grantee, Owner Report, 17.5.4.2, 17.5.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 17.5.4.3, 17.5.4.3
Roles/Accounts That Have a Given Role Report, 17.5.5.8
Security Policy Exemption Report, 17.5.5.3
WITH ADMIN Privilege Grants Report, 17.5.5.1
WITH GRANT Privileges Report, 17.5.5.7
solution for lockouts, B.1
suggested, 11.3
SYSMAN
realm for, 4.2
Database Accounts With Catalog Roles Report, 17.5.5.9
database administrative operations, 10
database configuration
monitoring changes, 16.2
database definition language (DDL)
statements
controlling with command rules, 6.1
database domains, Database_Domain default factor, 7.2
database objects
Oracle Database Vault, 11
reports
Object Dependencies Report, 17.5.1.4
See also objects
database options, installing, B.1
database roles
about, 11.2.1
counting privileges of, 17.5.4.1
default Oracle Database Vault, 11.2.1
DV_ACCTMGR
about, 11.2.11
adding to Data Dictionary realm, 3.2.2
DV_ADMIN, 11.2.3
DV_GOLDENGATE_ADMIN, 11.2.8
DV_GOLDENGATE_REDO_ACCESS, 11.2.9
DV_MONITOR, 11.2.4
DV_OWNER, 11.2.2
DV_PATCH_ADMIN, 11.2.10
DV_PUBLIC, 11.2.14
DV_REALM_OWNER, 11.2.12
DV_REALM_RESOURCE, 11.2.13
DV_SECANALYST, 11.2.5
DV_STREAMS_ADMIN, 11.2.6
DV_XSTREAM_ADMIN, 11.2.7
enabled, determining with DVSYS.ROLE_IS_ENABLED, 15.1.5
monitoring, 16.3.1
Oracle Database Vault, default, 11.2.1
reports
Accounts With DBA Roles Report, 17.5.5.2
ALTER SYSTEM or ALTER SESSION Report, 17.5.5.5
AUDIT Privileges Report, 17.5.5.10
BECOME USER Report, 17.5.5.4
Database Accounts With Catalog Roles Report, 17.5.5.9
OS Security Vulnerability Privileges, 17.5.5.11
Privileges Distribution By Grantee Report, 17.5.4.1
Roles/Accounts That Have a Given Role Report, 17.5.5.8
Security Policy Exemption Report, 17.5.5.3
WITH ADMIN Privilege Grants Report, 17.5.5.1
separation of duty enforcement, 2.3
database sessions, 7.3
controlling with Allow Sessions default rule set, 5.2
factor evaluation, 7.7.1
session user name, Proxy_User default factor, 7.2
Database Vault
See Oracle Database Vault
Database Vault Account Management realm
SYS access to, 4.2
Database Vault Administrator
setting URL in Oracle Enterprise Manager, 10.1.1
databases
dbconsole
checking process, 3.1.2
starting process, 3.1.2
defined with factors, 7.1
domain, Domain default factor, 7.2
event monitoring, E.1
grouped schemas
See realms
host names, Database_Hostname default factor, 7.2
instance, retrieving information with functions, 12.5
instances
Database_Instance default factor, 7.2
managing multiple instances, 3.1.2
names, finding with DVF.F$DATABASE_INSTANCE, 15.2.5
number, finding with DVSYS.DV_INSTANCE_NUM, 15.3.3
IP addresses
Database_IP default factor, 7.2
retrieving with DVF.F$DATABASE_IP, 15.2.6
log file location, 3.1.2
monitoring events, E.1
names
Database_Name default factor, 7.2
retrieving with DVF.F$DATABASE_NAME, 15.2.7
retrieving with DVSYS.DV_DATABASE_NAME, 15.3.4
parameters
Security Related Database Parameters Report, 17.5.6.1
roles that do not exist, 17.4.1.7
schema creation, finding with DVF.F$IDENTIFICATION_TYPE, 15.2.10
schema creation, Identification_Type default factor, 7.2
structural changes, monitoring, 16.2
user name, Session_User default factor, 7.2
DBA role
impact of Oracle Database Vault installation, 2.4
DBA_DV_CODE view, 11.4.1
DBA_DV_COMMAND_RULE view, 6.10, 11.4.2
DBA_DV_FACTOR view, 11.4.3
DBA_DV_FACTOR_LINK view, 11.4.4
DBA_DV_FACTOR_TYPE view, 11.4.5
DBA_DV_IDENTITY view, 11.4.6
DBA_DV_IDENTITY_MAP view, 11.4.7
DBA_DV_MAC_POLICY view, 11.4.8
DBA_DV_MAC_POLICY_FACTOR view, 11.4.9
DBA_DV_POLICY_LABEL view, 11.4.10
DBA_DV_PUB_PRIVS view, 11.4.11
DBA_DV_REALM view, 11.4.12
DBA_DV_REALM_AUTH view, 11.4.13
DBA_DV_REALM_OBJECT view, 11.4.14
DBA_DV_ROLE view, 11.4.15
DBA_DV_RULE view, 11.4.16
DBA_DV_RULE_SET view, 11.4.17
DBA_DV_RULE_SET_RULE view, 11.4.18
DBA_DV_USER_PRIVS view, 11.4.19
DBA_DV_USER_PRIVS_ALL view, 11.4.20
DBA_USERS_WITH_DEFPWD data dictionary view
access to in Oracle Database Vault, 2.4
dbconsole process
checking status, 3.1.2
starting, 3.1.2
DBMS_FILE_TRANSFER package, guidelines on managing, D.6.1
DBMS_RLS PL/SQL package
SYS granting or revoking EXECUTE on, Preface
DBSNMP user account
changing password, 10.1.5
granted DV_MONITOR role, 11.2.4
realm for, 4.2
deinstalling Oracle Database Vault, C.8
DELETE_CATALOG_ROLE role, 17.5.5.9
Denial of Service (DoS) attacks
reports
System Resource Limits Report, 17.5.6.3
Tablespace Quotas Report, 17.5.9.6
Direct and Indirect System Privileges By Database Account Report, 17.5.2.2
Direct Object Privileges Report, 17.5.1.3
direct system privileges, 17.5.2.3
Direct System Privileges By Database Account Report, 17.5.2.1
disabling system features with Disabled default rule set, 5.2
domains
defined with factors, 7.1
finding database domain with DVF.F$DATABASE_DOMAIN, 15.2.3
finding with DVF.F$DOMAIN, 15.2.8
DROP ROLE statement
monitoring, 16.3.1
DROP TABLE statement
monitoring, 16.2
DROP USER statement
monitoring, 16.3.1
dual key connection, dual key security
See two-person integrity (TPI)
DV_ACCTMGR role
about, 11.2.11
adding to Data Dictionary realm, 3.2.2
DV_ADMIN role
about, 11.2.3
changing password for user granted DV_ADMIN, 11.2.3
DV_GOLDENGATE_ADMIN role, 11.2.8
DV_GOLDENGATE_REDO_ACCESS role, 11.2.9
DV_MONITOR role, 11.2.4
DV_OWNER role
about, 11.2.2
changing password for user granted DV_OWNER, 11.2.2
DV_PATCH_ADMIN role, 11.2.10
DV_PUBLIC role, 11.2.14
DV_REALM_OWNER role, 11.2.12
DV_REALM_RESOURCE role, 11.2.13
DV_SECANALYST role
about, 11.2.5
changing password for user granted DV_SECANALYST, 11.2.5
DV_STREAMS_ADMIN role, 11.2.6
DV_XSTREAM_ADMIN role, 11.2.7
DVA
See Oracle Database Vault Administrator
DVF account
auditing policy, A.3
database accounts, 11.3
DVF schema, 15.2
about, 11.1.2
auditing policy, A.3
DVSYS account, 11.3
auditing policy, A.3
DVSYS schema
about, 11.1.1
auditing policy, A.3
command rules, 6.4
DV_OWNER role, 11.2.2
factor validation methods, 7.3
DVSYS.DBMS_MACADM package
about, 12.1
command rule procedures, listed, 12.4
factor procedures, listed, 12.5
Oracle Label Security policy procedures, listed, 12.7
realm procedures, listed, 12.2
rule set procedures, listed, 12.3
secure application role procedures, listed, 12.6
DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM procedure, 12.2.1
DVSYS.DBMS_MACADM.ADD_FACTOR_LINK procedure, 12.5.1
DVSYS.DBMS_MACADM.ADD_NLS_DATA
procedure, C.7
DVSYS.DBMS_MACADM.ADD_NLS_DATA procedure, 12.8.1
DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM procedure, 12.2.2
DVSYS.DBMS_MACADM.ADD_POLICY_FACTOR procedure, 12.5.2
DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET procedure, 12.3.1
DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure, 12.8.2, 12.8.4
DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER procedure, 12.8.3
DVSYS.DBMS_MACADM.CHANGE_IDENTITY_FACTOR procedure, 12.5.3
DVSYS.DBMS_MACADM.CHANGE_IDENTITY_VALUE procedure, 12.5.4
DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE procedure, 12.4.1
DVSYS.DBMS_MACADM.CREATE_DOMAIN_IDENTITY procedure, 12.5.5
DVSYS.DBMS_MACADM.CREATE_FACTOR procedure, 12.5.6
DVSYS.DBMS_MACADM.CREATE_FACTOR_TYPE procedure, 12.5.7
DVSYS.DBMS_MACADM.CREATE_IDENTITY procedure, 12.5.8
DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP procedure, 12.5.9
DVSYS.DBMS_MACADM.CREATE_MAC_POLICY procedure, 12.7.1
DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL procedure, 12.7.2
DVSYS.DBMS_MACADM.CREATE_REALM procedure, 12.2.3
DVSYS.DBMS_MACADM.CREATE_ROLE procedure, 12.6.1
DVSYS.DBMS_MACADM.CREATE_RULE procedure, 12.3.2
DVSYS.DBMS_MACADM.CREATE_RULE_SET procedure, 12.3.3
DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM procedure, 12.2.4
DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE procedure, 12.4.2
DVSYS.DBMS_MACADM.DELETE_FACTOR procedure, 12.5.10
DVSYS.DBMS_MACADM.DELETE_FACTOR_LINK procedure, 12.5.11
DVSYS.DBMS_MACADM.DELETE_FACTOR_TYPE procedure, 12.5.12
DVSYS.DBMS_MACADM.DELETE_IDENTITY procedure, 12.5.13
DVSYS.DBMS_MACADM.DELETE_IDENTITY_MAP procedure, 12.5.14
DVSYS.DBMS_MACADM.DELETE_MAC_POLICY_CASCADE procedure, 12.7.3
DVSYS.DBMS_MACADM.DELETE_OBJECT_FROM_REALM procedure, 12.2.5
DVSYS.DBMS_MACADM.DELETE_POLICY_FACTOR procedure, 12.7.4
DVSYS.DBMS_MACADM.DELETE_POLICY_LABEL procedure, 12.7.5
DVSYS.DBMS_MACADM.DELETE_REALM procedure, 12.2.6
DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE procedure, 12.2.7
DVSYS.DBMS_MACADM.DELETE_ROLE procedure, 12.6.2
DVSYS.DBMS_MACADM.DELETE_RULE procedure, 12.3.4
DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET procedure, 12.3.5
DVSYS.DBMS_MACADM.DELETE_RULE_SET procedure, 12.3.6
DVSYS.DBMS_MACADM.DROP_DOMAIN_IDENTITY procedure, 12.5.15
DVSYS.DBMS_MACADM.GET_INSTANCE_INFO function, 12.5.16
DVSYS.DBMS_MACADM.GET_SESSION_INFO function, 12.5.17
DVSYS.DBMS_MACADM.RENAME_FACTOR procedure, 12.5.18
DVSYS.DBMS_MACADM.RENAME_FACTOR_TYPE procedure, 12.5.19
DVSYS.DBMS_MACADM.RENAME_REALM procedure, 12.2.8
DVSYS.DBMS_MACADM.RENAME_ROLE procedure, 12.6.3
DVSYS.DBMS_MACADM.RENAME_RULE procedure, 12.3.7
DVSYS.DBMS_MACADM.RENAME_RULE_SET procedure, 12.3.8
DVSYS.DBMS_MACADM.SYNC_RULES procedure, 12.3.9
DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER procedure, 12.8.5
DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE procedure, 12.4.3
DVSYS.DBMS_MACADM.UPDATE_FACTOR procedure, 12.5.20
DVSYS.DBMS_MACADM.UPDATE_FACTOR_TYPE procedure, 12.5.21
DVSYS.DBMS_MACADM.UPDATE_IDENTITY procedure, 12.5.22
DVSYS.DBMS_MACADM.UPDATE_MAC_POLICY procedure, 12.7.6
DVSYS.DBMS_MACADM.UPDATE_REALM procedure, 12.2.9
DVSYS.DBMS_MACADM.UPDATE_REALM_AUTH procedure, 12.2.10
DVSYS.DBMS_MACADM.UPDATE_ROLE procedure, 12.6.4
DVSYS.DBMS_MACADM.UPDATE_RULE procedure, 12.3.10
DVSYS.DBMS_MACADM.UPDATE_RULE_SET procedure, 12.3.11
DVSYS.DBMS_MACSEC_ROLES package
about, 13.1
functions, listed, 13.1
DVSYS.DBMS_MACSEC_ROLES.CAN_SET_ROLE function, 13.2
DVSYS.DBMS_MACSEC_ROLES.SET_ROLE procedure, 13.3
DVSYS.DBMS_MACUTL package
about, 14.1
constants (fields)
examples, 14.2.2
listed, 14.2.1
procedures and functions, listed, 14.3
DVSYS.DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED procedure, 14.3.1
DVSYS.DBMS_MACUTL.GET_CODE_VALUE function, 14.3.2
DVSYS.DBMS_MACUTL.GET_DAY function, 14.3.6
DVSYS.DBMS_MACUTL.GET_HOUR function, 14.3.5
DVSYS.DBMS_MACUTL.GET_MINUTE function, 14.3.4
DVSYS.DBMS_MACUTL.GET_MONTH function, 14.3.7
DVSYS.DBMS_MACUTL.GET_SECOND function, 14.3.3
DVSYS.DBMS_MACUTL.GET_YEAR function, 14.3.8
DVSYS.DBMS_MACUTL.IS_ALPHA function, 14.3.9
DVSYS.DBMS_MACUTL.IS_DIGIT function, 14.3.10
DVSYS.DBMS_MACUTL.IS_DVSYS_OWNER function, 14.3.11
DVSYS.DBMS_MACUTL.IS_OLS_INSTALLED function, 14.3.12
DVSYS.DBMS_MACUTL.IS_OLS_INSTALLED_VARCHAR function, 14.3.13
DVSYS.DBMS_MACUTL.USER_HAS_ROLE function, 14.3.14
DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 14.3.15
DVSYS.DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 14.3.16

E

email alert in rule set, 5.8.1
enabling system features with Enabled default rule set, 5.2
encrypted information, 17.5.9.5
enterprise identities, Enterprise_Identity default factor, 7.2
Enterprise Manager
See Oracle Enterprise Manager
errors
factor error options, 7.3
rule set error options, 5.3
event handler
rule sets, 5.3
examples
DVSYS.DBMS_MACUTL constants, 14.2.2
realms, 4.12
separation of duty matrix, D.1.3
See also tutorials
Execute Privileges to Strong SYS Packages Report, 17.5.3.1
EXECUTE_CATALOG_ROLE role, 17.5.5.9
impact of Oracle Database Vault installation, 2.4
EXEMPT ACCESS POLICY system privilege, 17.5.5.3
exporting data
See Oracle Data Pump
external network services, fine-grained access to
example using email alert, 5.8.1

F

Factor Audit Report, 17.4.2.3
Factor Configuration Issues Report, 17.4.1.2
Factor Without Identities Report, 17.4.1.3
factors
about, 7.1
assignment, 7.3
disabled rule set, 17.4.1.2
incomplete rule set, 17.4.1.2
validate, 7.3
assignment operation, 17.4.2.3
audit events, custom, A.1.1
audit options, 7.3
child factors
about, 7.3
Factor Configuration Issues Report, 17.4.1.2
mapping, 7.5.3, 7.5.3
creating, 7.3
creating names, 7.3
data dictionary views, 7.12
default factors, 7.2, 7.2
default factors not showing in Database Vault Administrator, C.2
deleting, 7.6
domain, finding with DVF.F$DOMAIN, 15.2.8
DVSYS.DBMS_MACUTL constants, example of, 14.2.2
editing, 7.4
error options, 7.3
evaluate, 7.3
evaluation operation, 17.4.2.3
factor type
about, 7.3
selecting, 7.3
factor-identity pair mapping, 7.5.3
functionality, 7.7
functions
DVSYS.DBMS_MACUTL (utility), 14.1
DVSYS.DBMS_MACUTL constants (fields), 14.2.1
guidelines, 7.10
identifying using child factors, 7.5.3
identities
about, 7.3, 7.5.1
adding to factor, 7.5
assigning, 7.3
configuring, 7.5.2
creating, 7.5.2
data dictionary views, 7.12
database session, 7.3
deleting, 7.5.2
determining with DVSYS.GET_FACTOR, 7.3
editing, 7.5.2
enterprise-wide users, 15.2.8
how factor identities work, 7.3
labels, 7.3, 7.5.2
mapping, about, 7.5.3
mapping, identified, 7.3
mapping, procedure, 7.5.3
mapping, tutorial, 7.9.1
Oracle Label Security labels, 7.3
reports, 7.12
resolving, 7.3
retrieval methods, 7.3
setting dynamically, 15.1.1
trust levels, 7.3, 7.5.2
with Oracle Label Security, 7.3
initialization, command rules, 6.1
invalid audit options, 17.4.1.2
label, 17.4.1.2
naming conventions, 7.3
Oracle Virtual Private Database, attaching factors to, 9.3
parent factors, 7.3
performance effect, 7.11
procedures
DVSYS.DBMS_MACADM (configuration), 12.5
process flow, 7.7
propagating policies to other databases, 10.1.2
reports, 7.12
retrieving, 7.7.2
retrieving with DVSYS.GET_FACTOR, 15.1.2
rule sets
selecting, 7.3
used with, 7.1
setting, 7.7.3
setting with DVSYS.SET_FACTOR, 15.1.1
troubleshooting
auditing report, 17.4.2.3
configuration problems, E.3
tips, E.2
type (category of factor), 7.3
validating, 7.3
values (identities), 7.1
views
DBA_DV_CODE, 11.4.1
DBA_DV_FACTOR_LINK, 11.4.4
DBA_DV_FACTOR_TYPE, 11.4.5
DBA_DV_IDENTITY, 11.4.6
DBA_DV_IDENTITY_MAP, 11.4.7
DBA_DV_MAC_POLICY_FACTOR, 11.4.9
ways to assign, 7.3
See also rule sets
features, new
See new features
functions
command rules
DVSYS.DBMS_MACUTL (utility), 14.1
DVSYS schema enabling, 15.1
factors
DVSYS.DBMS_MACUTL (utility), 14.1
Oracle Label Security policy
DVSYS.DBMS_MACADM (configuration), 12.7
realms
DVSYS.DBMS_MACUTL (utility), 14.1
rule sets
DVSYS.DBMS_MACADM (configuration), 12.3
DVSYS.DBMS_MACUTL (utility), 14.1
PL/SQL functions for inspecting SQL, 15.3
secure application roles
DVSYS.DBMS_MACADM (configuration), 12.6
DVSYS.DBMS_MACSEC_ROLES (configuration), 13.1
DVSYS.DBMS_MACUTL (utility), 14.1

G

general security reports, 17.5
GRANT statement
monitoring, 16.3.1
guidelines
ALTER SESSION privilege, D.6.6
ALTER SYSTEM privilege, D.6.6
command rules, 6.8
CREATE ANY JOB privilege, D.6.3
CREATE EXTERNAL JOB privilege, D.6.4
CREATE JOB privilege, D.6.3
DBMS_FILE_TRANSFER package, D.6.1
factors, 7.10
general security, D
LogMiner packages, D.6.5
managing DV_OWNER and DV_ACCTMGR accounts, 11.3
operating system access, D.2.4
Oracle software owner, D.4.2
performance effect, 7.11
realms, 4.14
recycle bin, D.6.2
root access, D.2.4
root user access, D.4.1
rule sets, 5.10
secure application roles, 8.3
SYSDBA access, D.4.3
SYSDBA privilege, limiting, D.2.3
SYSOPER access, D.4.4
SYSTEM schema and application tables, D.2.2
SYSTEM user account, D.2.1
trusted accounts and roles, D.3
using Database Vault in a production environment, D.5
UTL_FILE package, D.6.1

H

hackers
See security attacks
Hierarchical System Privileges by Database Account Report, 17.5.2.3
host names
finding with DVF.F$DATABASE_HOSTNAME, 15.2.4

I

identities
See factors, identities
Identity Configuration Issues Report, 17.4.1.4
IDLE_TIME resource profile, 17.5.6.2
IMP_FULL_DATABASE role
impact of Oracle Database Vault installation, 2.4
importing data
See Oracle Data Pump
incomplete rule set, 17.4.1.2
role enablement, 17.4.1.7
initialization parameters
Allow System Parameters default rule set, 5.2
modified after installation, 2.1
modified by Oracle Database Vault, 2.1
reports, 17.5.6
insider threats
See intruders
installations
security considerations, D.6
intruders
See security attacks
IP addresses
Client_IP default factor, 7.2
defined with factors, 7.1

J

Java Policy Grants Report, 17.5.9.1
jobs, scheduling
See scheduling database jobs

L

Label Security Integration Audit Report, 17.4.2.4
labels
about, 7.5.2
See also Oracle Label Security
languages
adding to Oracle Database Vault, C.7
consistency between Oracle Database and operating system, C.2
finding with DVF.F$LANG, 15.2.11
finding with DVF.F$LANGUAGE, 15.2.12
name
Lang default factor, 7.2
Language default factor, 7.2
LBACSYS account
about, 11.3
auditing policy, A.3
factor integration with OLS policy requirement, 9.4.3
See also Oracle Label Security
LBACSYS schema
auditing policy, A.3
locked out accounts, solution for, B.1
log files
Database Vault log files, A.1.2
location for Oracle Database logs, 3.1.2
logging on
Oracle Database Vault
Oracle Database Vault Owner account, 3.1.2
reports, Core Database Audit Report, 17.5.8
LogMiner packages
guidelines, D.6.5

M

maintenance on Oracle Database Vault, B.1
managing user accounts and profiles
Can Maintain Accounts/Profiles default rule set, 5.2
managing user accounts and profiles on own account, Can Maintain Own Accounts default rule set, 5.2
mapping identities, 7.5.3
monitoring
accessibility features, enabling, C.5.2
activities, 16
textual representation in charts, enabling, C.5.2
My Oracle Support, 7.8.3
about, Preface

N

naming conventions
factors, 7.3
realms, 4.3
rule sets, 5.3
rules, 5.5.1
network protocol
finding with DVF.F$NETWORK_PROTOCOL, 15.2.14
network protocol, Network_Protocol default factor, 7.2
new features, Preface
NOAUDIT statement
monitoring, 16.3.1
Non-Owner Object Trigger Report, 17.5.9.7
nonsystem database accounts, 17.5.1.3

O

Object Access By PUBLIC Report, 17.5.1.1
Object Access Not By PUBLIC Report, 17.5.1.2
Object Dependencies Report, 17.5.1.4
object owners
nonexistent, 17.4.1.1
reports
Command Rule Configuration Issues Report, 17.4.1.1
object privilege reports, 17.5.1
objects
command rule objects
name, 6.4
owner, 6.4
processing, 6.6
dynamic SQL use, 17.5.9.3
monitoring, 16.3.1
object names
finding with DVSYS.DV_DICT_OBJ_NAME, 15.3.7
object owners
finding with DVSYS.DV_DICT_OBJ_OWNER, 15.3.6
realms
object name, 4.5
object owner, 4.5
object type, 4.5
procedures for registering, 12.2
reports
Access to Sensitive Objects Report, 17.5.3.2
Accounts with SYSDBA/SYSOPER Privilege Report, 17.5.3.4
Direct Object Privileges Report, 17.5.1.3
Execute Privileges to Strong SYS Packages Report, 17.5.3.1
Non-Owner Object Trigger Report, 17.5.9.7
Object Access By PUBLIC Report, 17.5.1.1
Object Access Not By PUBLIC Report, 17.5.1.2
Object Dependencies Report, 17.5.1.4
Objects Dependent on Dynamic SQL Report, 17.5.9.3
OS Directory Objects Report, 17.5.9.2
privilege, 17.5.1
Public Execute Privilege To SYS PL/SQL Procedures Report, 17.5.3.3
sensitive, 17.5.3
System Privileges By Privilege Report, 17.5.2.5
types
finding with DVSYS.DV_DICT_OBJ_TYPE, 15.3.5
views, DBA_DV_REALM_OBJECT, 11.4.14
See also database objects
Objects Dependent on Dynamic SQL Report, 17.5.9.3
OEM
See Oracle Enterprise Manager (OEM)
OLS
See Oracle Label Security
operating system access
guideline for using with Database Vault, D.2.4
operating systems
reports
OS Directory Objects Report, 17.5.9.2
OS Security Vulnerability Privileges Report, 17.5.5.11
vulnerabilities, 17.5.5.11
ORA-00942 error, 8.6.7
ORA-01031 error, 5.3
ORA-01301 error, 10.8.1
ORA-06512 error, 5.8.4, 14.3.1
ORA-24247 error, 5.8.4
ORA-47305 error, 8.6.7
ORA-47400 error, 5.8.6, 10.8.1
ORA-47401 error, 4.10, 10.8.1
ORA-47408 error, 10.8.1
ORA-47409 error, 10.8.1
ORA-47920 error, 14.3.1
Oracle Data Guard
using with Oracle Database Vault, 9
Oracle Data Pump
Allow Oracle Data Pump Operation rule set, 5.2
archiving the Oracle Database Vault audit trail with, A.2
DVSYS.MACADM procedures for authorization, 12.8.2
granting authorization to use with Database Vault, 10.2.2
guidelines before performing an export or import, 10.2.3
revoking authorization from using with Database Vault, 10.2.4
using with Oracle Database Vault, 10.2.1
Oracle database
See databases
Oracle Database Vault
about, 1.1
components, 1.2, 1.2.1
deinstalling, C.8
disabling
checking if disabled, B.2
procedures for, B
reasons for, B.1
enabling
checking if enabled, B.2
procedures for, B
frequently asked questions, 1.1
integrating with other Oracle products, 9
maintenance, B.1
Oracle Database installation, affect on, 2
post-installation procedures, C
registering, C.1
reinstalling, C.9
Oracle Database Vault Administrator
starting, 3.1
starting without Oracle Enterprise Manager, 3.1.2
Oracle Database Vault Administrator (DVA)
accessibility features, enabling, C.5
accessibility mode, C.5.1
deploying manually
to Database Console OC4J container, C.3.2
to standalone OC4J container, C.3.1
logging on, 3.1
logging on from Oracle Enterprise Manager Database Control, 3.1.1.1
logging on from Oracle Enterprise Manager Grid Control, 3.1.1.2
logging on without Oracle Enterprise Manager, 3.1.2
textual representation in charts, C.5.2
time-out value, C.4
Oracle Database Vault Owner account
example of logging on with, 3.1.2
Oracle Enterprise Manager
DBSNMP account
changing password, 10.1.5
granted DV_MONITOR role, 11.2.4
realm for, 4.2
default realm used for, 4.2
performance tools, 4.15
setting URL for Database Vault Administrator, 10.1.1
SYSMAN account
realm for, 4.2
using Oracle Database Vault with, 10.1
Oracle Enterprise Manager Database Control
starting Oracle Database Vault from, 3.1.1.1
Oracle Enterprise Manager Grid Control
monitoring Database Vault for attempted violations, 11.2.4
propagating Database Vault policies to other databases, 10.1.2
starting Oracle Database Vault from, 3.1.1.2
Oracle Enterprise User Security, integrating with Oracle Database Vault, 9.1
Oracle GoldenGate
Database Vault role used for
DV_GOLDENGATE_ADMIN, 11.2.8
DV_GOLDENGATE_REDO_ACCESS, 11.2.9
in an Oracle Database Vault environment, 10.7
Oracle Internet Directory Distinguished Name, Proxy_Enterprise_Identity default factor, 7.2
Oracle Label Security (OLS)
audit events, custom, A.1.1
checking if installed using DVSYS.DBMS_MACUTL functions, 14.3
data dictionary views, 9.4.5
database option, 1.2.5
functions
DVSYS.DBMS_MACUTL (utility), 14.2.1
how Database Vault integrates with, 9.4.1
initialization, command rules, 6.1
integration with Oracle Database Vault
example, 9.4.4.1
Label Security Integration Audit Report, 17.4.2.4, 17.4.2.4
procedure, 9.4.3
requirements, 9.4.2
labels
about, 7.5.2
determining with GET_FACTOR_LABEL, 15.1.6
invalid label identities, 17.4.1.4
policies
accounts that bypass, 17.5.5.3
monitoring policy changes, 16.3.1
nonexistent, 17.4.1.2
Oracle Policy Manager, 1.2.5
procedures
DVSYS.DBMS_MACADM (configuration), 12.7
reports, 9.4.5
views
DBA_DV_MAC_POLICY, 11.4.8
DBA_DV_MAC_POLICY_FACTOR, 11.4.9
DBA_DV_POLICY_LABEL, 11.4.10
See also LBACSYS account
Oracle MetaLink
See My Oracle Support
Oracle Policy Manager
used with Oracle Label Security, 1.2.5
Oracle Real Application Clusters
compatibility with Oracle Database Vault, 1.1
configuring Database Vault on RAC nodes, C.6
deinstalling Oracle Database Vault from, C.8
multiple factor identities, 7.3
Oracle Recovery Manager (RMAN)
in an Oracle Database Vault environment, 10.4
Oracle software owner, guidelines on managing, D.4.2
Oracle Streams
Database Vault role used for, 11.2.6
in an Oracle Database Vault environment, 10.5
Oracle Virtual Private Database (VPD)
accounts that bypass, 17.5.5.3
factors, attaching to, 9.3
GRANT EXECUTE privileges with Grant VPD Administration default rule set, 5.2
using Database Vault factors with Oracle Label Security, 9.4.4.1
OS Directory Objects Report, 17.5.9.2
OS Security Vulnerability Privileges Report, 17.5.5.11
OS_ROLES initialization parameter, 2.1

P

parameters
modified after installation, 2.1
reports
Security Related Database Parameters Report, 17.5.6.1
parent factors
See factors
Password History Access Report, 17.5.5.6
passwords
forgotten, solution for, B.1
reports, 17.5.7
Database Account Default Password Report, 17.5.7.1
Password History Access Report, 17.5.5.6
Username/Password Tables Report, 17.5.9.5
patches
DV_PATCH_ADMIN requirement for, 11.2.10
security consideration, D.6
two-person integrity used for, 5.9.1
performance effect
command rules, 6.9
realms, 4.15
reports
Resource Profiles Report, 17.5.6.2
System Resource Limits Report, 17.5.6.3
rule sets, 5.11
secure application roles, 8.7
static evaluation for rule sets, 5.11
performance tools
Database Control, realms, 4.15
Oracle Enterprise Manager
command rules, 6.9
factors, 7.11
realms, 4.15
rule sets, 5.11
secure application roles, 8.7
Oracle Enterprise Manager Database Control
command rules, 6.9
factors, 7.11
rule sets, 5.11
secure application roles, 8.7
STATSPACK utility
command rules, 6.9
factors, 7.11
realms, 4.15
rule sets, 5.11
secure application roles, 8.7
TKPROF utility
command rules, 6.9
factors, 7.11
realms, 4.15
rule sets, 5.11
secure application roles, 8.7
PL/SQL
packages
summarized, 15.4
unwrapped bodies, 17.5.9.4
Unwrapped PL/SQL Package Bodies Report, 17.5.9.4
PL/SQL factor functions, 15.2
policy changes, monitoring, 16.3.1, 16.4
port number
finding, 3.1.2
Oracle Database Vault, 3.1.2
post-installation procedures, C
privileges
ANY privileges, 11.2.11
existing users and roles, Database Vault affect on, 2.4
least privilege principle
violations to, 17.5.9.1
monitoring
GRANT statement, 16.3.1
REVOKE statement, 16.3.1
Oracle Database Vault restricting, 2.2
reports
Accounts With DBA Roles Report, 17.5.5.2
ALTER SYSTEM or ALTER SESSION Report, 17.5.5.5
ANY System Privileges for Database Accounts Report, 17.5.2.4
AUDIT Privileges Report, 17.5.5.10
Database Accounts With Catalog Roles Report, 17.5.5.9
Direct and Indirect System Privileges By Database Account Report, 17.5.2.2
Direct System Privileges By Database Account Report, 17.5.2.1
Hierarchical System Privileges By Database Account Report, 17.5.2.3
listed, 17.5.4
OS Directory Objects Report, 17.5.9.2
Privileges Distribution By Grantee Report, 17.5.4.1
Privileges Distribution By Grantee, Owner Report, 17.5.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 17.5.4.3
WITH ADMIN Privilege Grants Report, 17.5.5.1
WITH GRANT Privileges Report, 17.5.5.7
roles
checking with DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 14.3
system
checking with DVSYS.DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 14.3
views
DBA_DV_PUB_PRIVS, 11.4.11
DBA_DV_USER_PRIVS, 11.4.19
DBA_DV_USER_PRIVS_ALL, 11.4.20
Privileges Distribution By Grantee Report, 17.5.4.1
Privileges Distribution By Grantee, Owner Report, 17.5.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 17.5.4.3
privileges using external password, 17.5.3.4
problems, diagnosing, E.1
procedures
command rules
DVSYS.DBMS_MACADM (configuration), 12.4
factors
DVSYS.DBMS_MACADM (configuration), 12.5
realms
DVSYS.DBMS_MACADM (configuration), 12.2
production environments
guidelines for securing, D.5
profiles, 17.5.6
PUBLIC access to realms, 4.9
Public Execute Privilege To SYS PL/SQL Procedures Report, 17.5.3.3
PUBLIC user account
impact of Oracle Database Vault installation, 2.4

Q

quotas
tablespace, 17.5.9.6

R

RAC
See Oracle Real Application Clusters
Realm Audit Report, 17.4.2.1
Realm Authorization Configuration Issues Report, 17.4.1.5
realms
about, 4.1
adding roles to as grantees, 4.14
audit events, custom, A.1.1
authentication-related procedures, 12.2
authorization
enabling access to realm-protected objects, 4.11
how realm authorizations work, 4.10
process flow, 4.10
troubleshooting, E.2
updating with DVSYS.DBMS_MACADM.UPDATE_REALM_AUTH, 12.2
authorizations
grantee, 4.6
rule set, 4.6
creating, 4.3
creating names, 4.3
data dictionary views, 4.16
data masking, 10.8.3
default realms
listed, 4.2
default realms not showing in Database Vault Administrator, C.2
deleting, 4.8
disabling, 4.7
DV_REALM_OWNER role, 11.2.12
DV_REALM_RESOURCE role, 11.2.13
DVSYS.DBMS_MACUTL constants, example of, 14.2.2
editing, 4.4
effect on other Oracle Database Vault components, 4.13
enabling, 4.7
enabling access to realm-protected objects, 4.11
example, 4.12
functions
DVSYS.DBMS_MACUTL (utility), 14.1
DVSYS.DBMS_MACUTL constants (fields), 14.2.1
guidelines, 4.14
how realms work, 4.9
naming conventions, 4.3
object-related procedures, 12.2
performance effect, 4.15
procedures
DVSYS.DBMS_MACADM (configuration), 12.2, 12.2
process flow, 4.9
propagating policies to other databases, 10.1.2
PUBLIC access, 4.9
realm authorizations
about, 4.6
realm secured objects
deleting, 4.5
editing, 4.5
object name, 4.5
object owner, 4.5
object type, 4.5
realm system authorizations
creating, 4.6
deleting, 4.6
editing, 4.6
realm-secured objects, 4.5
reports, 4.16
roles
DV_REALM_OWNER, 11.2.12
DV_REALM_RESOURCE, 11.2.13
secured object, 17.4.1.5
territory a realm protects, 4.5
troubleshooting, E.2, E.3
tutorial, 3.2.1
updating with DVSYS.DBMS_MACADM.UPDATE_REALM, 12.2
views
DBA_DV_CODE, 11.4.1
DBA_DV_REALM, 11.4.12
DBA_DV_REALM_AUTH, 11.4.13
DBA_DV_REALM_OBJECT, 11.4.14, 11.4.14
See also rule sets
RECOVERY_CATALOG_OWNER role, 17.5.5.9
recycle bin, guidelines on managing, D.6.2
RECYCLEBIN initialization parameter
default setting in Oracle Database Vault, 2.1
security considerations, D.6.2
registering Oracle Database Vault, C.1
reinstalling Oracle Database Vault, C.9
REMOTE_LOGIN_PASSWORDFILE initialization parameter, 2.1
reporting menu
report results page, 17.3
parameter, 17.3
reports
about, 17.1
Access to Sensitive Objects Report, 17.5.3.2
Accounts With DBA Roles Report, 17.5.5.2
Accounts with SYSDBA/SYSOPER Privilege Report, 17.5.3.4
ALTER SYSTEM or ALTER SESSION Report, 17.5.5.5
ANY System Privileges for Database Accounts Report, 17.5.2.4
AUDIT Privileges Report, 17.5.5.10
auditing, 17.4.2
BECOME USER Report, 17.5.5.4
categories of, 17.1
Command Rule Audit Report, 17.4.2.2
Command Rule Configuration Issues Report, 17.4.1.1
Core Database Audit Report, 17.5.8
Core Database Vault Audit Trail Report, 17.4.2.5
Database Account Default Password Report, 17.5.7.1
Database Account Status Report, 17.5.7.2
Database Accounts With Catalog Roles Report, 17.5.5.9
Direct and Indirect System Privileges By Database Account Report, 17.5.2.2
Direct Object Privileges Report, 17.5.1.3
Direct System Privileges By Database Account Report, 17.5.2.1
Enterprise Manager Grid Control, 10.1.4
Execute Privileges to Strong SYS Packages Report, 17.5.3.1
Factor Audit Report, 17.4.2.3
Factor Configuration Issues Report, 17.4.1.2
Factor Without Identities, 17.4.1.3
general security, 17.5
Hierarchical System Privileges by Database Account Report, 17.5.2.3
Identity Configuration Issues Report, 17.4.1.4
Java Policy Grants Report, 17.5.9.1
Label Security Integration Audit Report, 17.4.2.4
Non-Owner Object Trigger Report, 17.5.9.7
Object Access By PUBLIC Report, 17.5.1.1
Object Access Not By PUBLIC Report, 17.5.1.2
Object Dependencies Report, 17.5.1.4
Objects Dependent on Dynamic SQL Report, 17.5.9.3
OS Directory Objects Report, 17.5.9.2
OS Security Vulnerability Privileges, 17.5.5.11
Password History Access Report, 17.5.5.6
permissions for running, 17.2
privilege management, 17.5.4
Privileges Distribution By Grantee Report, 17.5.4.1
Privileges Distribution By Grantee, Owner Report, 17.5.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 17.5.4.3
Public Execute Privilege To SYS PL/SQL Procedures Report, 17.5.3.3
Realm Audit Report, 17.4.2.1
Realm Authorization Configuration Issues Report, 17.4.1.5
Resource Profiles Report, 17.5.6.2
Roles/Accounts That Have a Given Role Report, 17.5.5.8
Rule Set Configuration Issues Report, 17.4.1.6
running, 17.3
Secure Application Configuration Issues Report, 17.4.1.7
Secure Application Role Audit Report, 17.4.2.6
Security Policy Exemption Report, 17.5.5.3
Security Related Database Parameters, 17.5.6.1
security vulnerability, 17.5.9
System Privileges By Privilege Report, 17.5.2.5
System Resource Limits Report, 17.5.6.3
Tablespace Quotas Report, 17.5.9.6
Unwrapped PL/SQL Package Bodies Report, 17.5.9.4
Username /Password Tables Report, 17.5.9.5
WITH ADMIN Privileges Grants Report, 17.5.5.1
WITH GRANT Privileges Report, 17.5.5.7
required parameters page
% wildcard, 17.3
Resource Profiles Report, 17.5.6.2
resources
reports
Resource Profiles Report, 17.5.6.2
System Resource Limits Report, 17.5.6.3
REVOKE statement
monitoring, 16.3.1
roles
adding to realms as grantees, 4.14
catalog-based, 17.5.5.9
Database Vault default roles, 11.2.1
privileges, checking with DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 14.3
role enablement in incomplete rule set, 17.4.1.7
role-based system privileges, 17.5.2.3
See also secure application roles
Roles/Accounts That Have a Given Role Report, 17.5.5.8
root access
guideline for using with Database Vault, D.2.4
root access, guidelines on managing, D.4.1
Rule Set Configuration Issues Report, 17.4.1.6
rule sets
about, 5.1
adding existing rules, 5.5.2
audit options, 5.3
command rules
disabled, 17.4.1.1
selecting for, 6.4
used with, 6.1
CONNECT role configured incorrectly, solution for, B.1
creating, 5.3
rules in, 5.5.1
creating names, 5.3
data dictionary views, 5.12
default rule sets, 5.2
default rule sets not showing in Database Vault Administrator, C.2
deleting
rule set, 5.6
rules from, 5.5.1, 5.5.1
disabled for
factor assignment, 17.4.1.2
realm authorization, 17.4.1.5
DVSYS.DBMS_MACUTL constants, example of, 14.2.2
editing
rule sets, 5.4
rules in, 5.5.1
error options, 5.3
evaluation of rules, 5.5
evaluation options, 5.3
event handlers, 5.3
events firing, finding with DVSYS.DV_SYSEVENT, 15.3.1
factors, selecting for, 7.3
factors, used with, 7.1
fail code, 5.3
fail message, 5.3
functions
DVSYS.DBMS_MACADM (configuration), 12.3
DVSYS.DBMS_MACUTL (utility), 14.1
DVSYS.DBMS_MACUTL constants (fields), 14.2.1
PL/SQL functions for rule sets, 15.3
guidelines, 5.10
how rule sets work, 5.7.1
incomplete, 17.4.1.1
naming conventions, 5.3
nested rules, 5.7.2
performance effect, 5.11
procedures
DVSYS.DBMS_MACADM (configuration), 12.3
process flow, 5.7.1
propagating policies to other databases, 10.1.2
reports, 5.12
rules that exclude one user, 5.7.3
static evaluation, 5.10
troubleshooting, E.2, E.3
views
DBA_DV_RULE, 11.4.16
DBA_DV_RULE_SET, 11.4.17
DBA_DV_RULE_SET_RULE, 11.4.18
See also command rules, factors, realms, rules, secure application roles
rules
about, 5.5
creating, 5.5.1
creating names, 5.5.1
data dictionary views, 5.12
deleting from rule set, 5.5.1
editing, 5.5.1
existing rules, adding to rule set, 5.5.2
naming conventions, 5.5.1
nested within a rule set, 5.7.2
removing from rule set, 5.5.1
reports, 5.12
troubleshooting, E.2
views
DBA_DV_RULE, 11.4.16
DBA_DV_RULE_SET_RULE, 11.4.18
See also rule sets
rules sets
audit event, custom, A.1.1

S

SCHEDULER_ADMIN role
impact of Oracle Database Vault installation, 2.4
scheduling database jobs
about, 10.3.1
Allow Scheduler Job rule set, 5.2
CREATE EXTERNAL JOB privilege security consideration, D.6.4
granting Oracle Database Vault authorization, 10.3.2
revoking Oracle Database Vault authorization, 10.3.3
schemas
DVF, 11.1.2
DVSYS, 11.1.1
Secure Application Configuration Issues Report, 17.4.1.7
secure application role, 8.1
Secure Application Role Audit Report, 17.4.2.6
secure application roles
audit event, custom, A.1.1
creating, 8.2
data dictionary view, 8.8
deleting, 8.4
DVSYS.DBMS_MACSEC_ROLES.SET_ROLE function, 8.2
functionality, 8.5
functions
DVSYS.DBMS_MACADM (configuration), 12.6
DVSYS.DBMS_MACSEC_ROLES (configuration), 13.1
DVSYS.DBMS_MACSEC_ROLES package, 13.1
DVSYS.DBMS_MACUTL (utility), 14.1
DVSYS.DBMS_MACUTL constants (fields), 14.2.1
guidelines on managing, 8.3
performance effect, 8.7
procedure
DVSYS.DBMS_MACADM (configuration), 12.6
procedures and functions
DVSYS.DBMS_MACUTL (utility), 14.3
propagating policies to other databases, 10.1.2
reports, 8.8
Rule Set Configuration Issues Report, 17.4.1.6
troubleshooting, E.3
troubleshooting with auditing report, 17.4.2.6
tutorial, 8.6.1
views
DBA_DV_ROLE, 11.4.15
See also roles, rule sets
security attacks
Denial of Service (DoS) attacks
finding system resource limits, 17.5.6.3
Denial of Service attacks
finding tablespace quotas, 17.5.9.6
eliminating audit trail, 17.5.5.10
monitoring security violations, 16.1
Oracle Database Vault addressing insider threats, 1.4
reports
AUDIT Privileges Report, 17.5.5.10
Objects Dependent on Dynamic SQL Report, 17.5.9.3
Privileges Distribution By Grantee, Owner Report, 17.5.4.2
Unwrapped PL/SQL Package Bodies Report, 17.5.9.4
SQL injection attacks, 17.5.9.3
tracking
with factor auditing, 7.3
with rule set auditing, 5.3
security policies
monitoring changes, 16.4
security policies, Oracle Database Vault addressing, 1.5
Security Policy Exemption Report, 17.5.5.3
Security Related Database Parameters Report, 17.5.6.1
security violations
monitoring attempts, 16.1
security vulnerabilities
how Database Vault addresses, 1.6
operating systems, 17.5.5.11
reports, 17.5.9
Security Related Database Parameters Report, 17.5.6.1
root operating system directory, 17.5.9.2
SELECT statement
controlling with command rules, 6.1
SELECT_CATALOG_ROLE role, 17.5.5.9
sensitive objects reports, 17.5.3
separation of duty concept
about, D.1.1
command rules, 6.2
database accounts, 11.3
database accounts, suggested, 11.3
database roles, 2.3
Database Vault Account Manager role, 11.3
documenting tasks, D.1.4
example matrix, D.1.3
how Oracle Database Vault addresses, 2.3
Oracle Database Vault enforcing, 1.1
realms, 1.6
restricting privileges, 2.2
roles, 11.2.1
tasks in Oracle Database Vault environment, D.1.2
session time, setting for Oracle Database Vault Administrator, C.4
sessions
audit events, custom, A.1.1
DVSYS.DBMS_MACUTL fields, 14.2.1
finding session user with DVF.F$SESSION_USER, 15.2.16
restricting data based on, 7.9.1
retrieving information with functions, 12.5
SQL injection attacks, detecting with Object Dependent on Dynamic SQL Report, 17.5.9.3
SQL statements
default command rules that protect, 6.2
SQL text, finding with DVSYS.DV_SQL_TEXT, 15.3.8
SQL92_SECURITY initialization parameter, 2.1
subfactors
See child factors under factors topic
SYS schema
command rules, 6.4
SYS user account
access to Database Vault Account Management realm, 4.2
adding to realm authorization, 4.14
granting or revoking EXECUTE on DBMS_RLS package, Preface
SYS.AUD$ table
location for Oracle Database Vault, 2.5.1
object owner for realm protection, 4.5
protecting with realm, 2.5.1
SYSDBA access
guidelines on managing, D.4.3
SYSDBA privilege
limiting, importance of, D.2.3
SYS.FGA_LOG$ table
protecting with realm, 2.5.1
SYSMAN user account
realm for, 4.2
SYSOPER access
guidelines on managing, D.4.4
system features
disabling with Disabled rule set, 5.2
enabling with Enabled rule set, 5.2
system privileges
checking with DVSYS.DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 14.3
reports
System Privileges By Privileges Report, 17.5.2.5
System Privileges By Privilege Report, 17.5.2.5
System Resource Limits Report, 17.5.6.3
system root access, guideline on managing, D.4.1
SYSTEM schema
application tables in, D.2.2
SYSTEM user account
guidelines for using with Database Vault, D.2.1
SYSTEM.AUD$ table
location for Oracle Database Vault, 2.5.1

T

tablespace quotas, 17.5.9.6
Tablespace Quotas Report, 17.5.9.6
third party products, affected by Oracle Database Vault, B.1
time data
DVSYS.DBMS_MACUTL functions, 14.3
time-out value, setting for Oracle Database Vault Administrator, C.4
trace files
about, E.1
enabling, E.1
Transparent Data Encryption, used with Oracle Database Vault, 9.2
triggers
different from object owner account, 17.5.9.7
reports, Non-Owner Object Trigger Report, 17.5.9.7
troubleshooting
access security sessions, 17.4.2.5
auditing reports, using, 17.4.2
command rules, E.1
Database Vault Administrator not showing default realms, command rules, rule sets, or factors, C.2
events, E.1
factors, E.2
general diagnostic tips, E.2
locked out accounts, B.1
passwords, forgotten, B.1
realms, E.2
rule sets, E.2
rules, E.2
secure application roles, 17.4.2.6
trust levels
about, 7.5.2
determining for identities with DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY, 15.1.4
determining with DVSYS.GET_TRUST_LEVEL, 15.1.3
factor identity, 7.5.2
factors, 7.5.2
for factor and identity requested, 15.1.4
identities, 7.3
of current session identity, 15.1.3
trusted users
accounts and roles that should be limited, D.4
default for Oracle Database Vault, D.3
tutorials
access, granting with secure application roles, 8.6.1
ad hoc tool access, preventing, 7.8.1
configuring two-person integrity (TPI), 5.9.1
Database Vault factors with Virtual Private Database and Oracle Label Security, 9.4.4.1
email alert in rule set, 5.8.1
factors, mapping identities, 7.9.1
Oracle Label Security integration with Oracle Database Vault, 9.4.4.1
restricting access based on session data, 7.9.1
restricting user activities with command rules, 6.7.1
schema, protecting with a realm, 3.2.1
See also examples
two-man rule security
See two-person integrity (TPI)
two-person integrity (TPI)
about, 5.9.1
configuring with a rule set, 5.9.1

U

Unwrapped PL/SQL Package Bodies Report, 17.5.9.4
user names
reports, Username/Password Tables Report, 17.5.9.5
USER_HISTORY$ table, 17.5.5.6
Username/Password Tables Report, 17.5.9.5
users
enterprise identities, finding with DVF.F$PROXY_ENTERPRISE_IDENTITY, 15.2.15
enterprise-wide identities, finding with DVF.F$ENTERPRISE_IDENTITY, 15.2.9
finding session user with DVF.F$SESSION_USER, 15.2.16
login user name, finding with DVSYS.DV_LOGIN_USER, 15.3.2
restricting access by factor identity, 7.9.1
utility functions
See DVSYS.DBMS_MACUTL package
UTL_FILE object, 17.5.1.4
UTL_FILE package, guidelines on managing, D.6.1

V

views
Oracle Database Vault-specific views, 11.4
See also names beginning with DBA_DV
VPD
See Oracle Virtual Private Database (VPD)

W

wildcard, %, 17.3
WITH ADMIN Privileges Grants Report, 17.5.5.1
WITH ADMIN status, 17.5.2.1, 17.5.2.2
WITH GRANT clause, 17.5.5.7
WITH GRANT Privileges Report, 17.5.5.7

X

XStream
Database Vault role used for, 11.2.7
in an Oracle Database Vault environment, 10.6
PK ,,PK)AOEBPS/apis_dbms_macadm.htm Using the DVSYS.DBMS_MACADM Package

12 Using the DVSYS.DBMS_MACADM Package

This chapter contains:

About the DVSYS.DBMS_MACADM Package

The procedures and functions within the DVSYS.DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.

The DVSYS.DBMS_MACADM package is available only for users who have been granted the DV_ADMIN or DV_OWNER role.

Many of the parameters used in the procedures and functions in the DVSYS.DBMS_MACADM package can use the constants available in the DVSYS.DBMS_MACUTL package. See "DVSYS.DBMS_MACUTL Constants" for more information.

Oracle Database Vault also provides a set of PL/SQL interfaces that you can use with the DVSYS.DBMS_MACADM package. See Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," for more information.

Realm Procedures Within DVSYS.DBMS_MACADM

Table 12-1 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure realms. For constants that you can use with these procedures, see Table 14-1 for more information.

Chapter 4, "Configuring Realms," describes realms in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general purpose utility procedures that you can use with the realm procedures.

Table 12-1 DVSYS.DBMS_MACADM Realm Configuration Procedures

ProcedureDescription

ADD_AUTH_TO_REALM Procedure

Authorizes a user or role to access a realm as an owner or a participant

ADD_OBJECT_TO_REALM Procedure

Registers a set of objects for realm protection

CREATE_REALM Procedure

Creates a realm

DELETE_AUTH_FROM_REALM Procedure

Removes the authorization of a user or role to access a realm

DELETE_OBJECT_FROM_REALM Procedure

Removes a set of objects from realm protection

DELETE_REALM Procedure

Deletes a realm and its related Database Vault configuration information

DELETE_REALM_CASCADE Procedure

Deletes a realm its related Database Vault configuration information

RENAME_REALM Procedure

Renames a realm. The name change takes effect everywhere the realm is used.

UPDATE_REALM Procedure

Updates a realm.

UPDATE_REALM_AUTH Procedure

Updates the authorization of a user or role to access a realm


ADD_AUTH_TO_REALM Procedure

The ADD_AUTH_TO_REALM procedure authorizes a user or role to access a realm as an owner or a participant. For detailed information about realm authorization, see "Defining Realm Authorization".

Optionally, you can specify a rule set that must be checked before allowing the authorization to proceed.

Syntax

DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name    IN VARCHAR2, 
  grantee       IN VARCHAR2, 
  rule_set_name IN VARCHAR2, 
  auth_options  IN NUMBER);

Parameters

Table 12-2 ADD_AUTH_TO_REALM Parameters

ParameterDescription

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View".

grantee

User or role name to authorize as an owner or a participant.

To find the existing users and roles in the current database instance, query the DBA_USERS and DBA_ROLES views, described in Oracle Database Reference.

To find the authorization of a particular user or role, query the DVA_DV_REALM_AUTH view, described in "DBA_DV_REALM_AUTH View".

To find existing secure application roles used in privilege management, query the DVSYS.DBA_DV_ROLE view. Both are described in "Oracle Database Vault Data Dictionary Views".

rule_set_name

Optional. Rule set to check before authorizing. If the rule set evaluates to TRUE, then the authorization is allowed.

To find the available rule sets, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

auth_options

Optional. Specify one of the following options to authorize the realm:

  • 0: Participant. This account or role provides system or direct privileges to access, manipulate, and create objects protected by the realm, provided these rights have been granted using the standard Oracle Database privilege grant process.

  • 1: Owner. This account or role has the same privileges as the realm participant, plus the authorization to grant or revoke realm-secured database roles. A realm can have multiple owners.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_REALM_AUTH_PARTICIPANT

  • G_REALM_AUTH_OWNER

See "Defining Realm Authorization" for more information on participants and owners.


Examples

The following example authorizes user SYSADM as a participant in the Performance Statistics Realm.

BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name  => 'Performance Statistics Realm', 
  grantee     => 'SYSADM'); 
END;
/

This example sets user SYSADM as the owner of the Performance Statistics Realm.

BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name   => 'Performance Statistics Realm', 
  grantee      => 'SYSADM', 
  auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

The next example triggers the Check Conf Access rule set before allowing user SYSADM to be made the owner of the Performance Statistics Realm.

BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name    => 'Performance Statistics Realm', 
  grantee       => 'SYSADM', 
  rule_set_name => 'Check Conf Access',
  auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

ADD_OBJECT_TO_REALM Procedure

The ADD_OBJECT_TO_REALM procedure registers a set of objects for realm protection.

Syntax

DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
  realm_name   IN VARCHAR2, 
  object_owner IN VARCHAR2, 
  object_name  IN VARCHAR2, 
  object_type  IN VARCHAR2);

Parameters

Table 12-3 ADD_OBJECT_TO_REALM Parameters

ParameterDescription

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

object_owner

The owner of the object that is being added to the realm. If you add a role to a realm, the object owner of the role is shown as % (for all), because roles do not have owners.

To find the available users, query the DBA_USERS view, described in Oracle Database Reference.

To find the authorization of a particular user or role, query the DVA_DV_REALM_AUTH view, described in "DBA_DV_REALM_AUTH View".

object_name

Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the DVSYS.DBMS_MACUTL G_ALL_OBJECT constant.

To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference.

To find objects that are secured by existing realms, query the DVSYS.DBA_DV_REALM_OBJECT view, described in "DBA_DV_REALM_OBJECT View".

object_type

Object type, such as TABLE, INDEX, or ROLE. (The wildcard % is allowed. See "Object Types" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.)

You can also use the DVSYS.DBMS_MACUTL G_ALL_OBJECT constant.


Example

BEGIN
 DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
  realm_name   => 'Performance Statistics Realm', 
  object_owner => '%', 
  object_name  => 'GATHER_SYSTEM_STATISTICS', 
  object_type  => 'ROLE'); 
END;
/

CREATE_REALM Procedure

The CREATE_REALM procedure creates a realm. After you create the realm, use the following procedures to complete the realm definition:

  • ADD_OBJECT_TO_REALM procedure registers one or more objects for the realm.

  • ADD_AUTH_TO_REALM procedures authorize users or roles for the realm.

Syntax

DVSYS.DBMS_MACADM.CREATE_REALM(
  realm_name    IN VARCHAR2, 
  description   IN VARCHAR2, 
  enabled       IN VARCHAR2, 
  audit_options IN NUMBER);

Parameters

Table 12-4 CREATE_REALM Parameters

ParameterDescription

realm_name

Realm name, up to 90 characters in mixed-case.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View".

description

Description of the purpose of the realm, up to 1024 characters in mixed-case.

enabled

Y (yes) enables realm checking; N (no) disables it. The default is Y.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO

audit_options

Specify one of the following options to audit the realm:

  • 0: Disables auditing for the realm (default)

  • 1: Creates an audit record when a realm violation occurs (for example, when an unauthorized user tries to modify an object that is protected by the realm)

  • 2: Creates an audit record for authorized activities on objects protected by the realm

  • 3: Creates an audit record for both authorized and unauthorized activities on objects protected by the realm

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_REALM_AUDIT_OFF (default)

  • G_REALM_AUDIT_SUCCESS

  • G_REALM_AUDIT_FAIL

  • G_REALM_AUDIT_FAIL + G_REALM_AUDIT_SUCCESS


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_REALM(
  realm_name    => 'Performance Statistics Realm', 
  description   => 'Realm to measure performance', 
  enabled       => DBMS_MACUTL.G_YES, 
  audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + DBMS_MACUTL.G_REALM_AUDIT_SUCCESS);
END; 
/

See Also:

Example 14-1, "Creating a Realm Using DVSYS.DBMS_MACUTL Constants"

DELETE_AUTH_FROM_REALM Procedure

The DELETE_AUTH_FROM_REALM procedure removes the authorization of a user or role to access a realm.

Syntax

DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM(
  realm_name IN VARCHAR2,
  grantee    IN VARCHAR2);

Parameters

Table 12-5 DELETE_AUTH_FROM_REALM Parameters

ParameterDescription

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

grantee

User or role name.

To find the authorization of a particular user or role, query the DVA_DV_REALM_AUTH view, described in "DBA_DV_REALM_AUTH View".


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM(
  realm_name => 'Performance Statistics Realm',
  grantee    => 'SYS');
END;
/

DELETE_OBJECT_FROM_REALM Procedure

The DELETE_OBJECT_FROM_REALM procedure removes a set of objects from realm protection.

Syntax

DVSYS.DBMS_MACADM.DELETE_OBJECT_FROM_REALM(
  realm_name   IN VARCHAR2, 
  object_owner IN VARCHAR2, 
  object_name  IN VARCHAR2, 
  object_type  IN VARCHAR2);

Parameters

Table 12-6 DELETE_OBJECT_FROM_REALM Parameters

ParameterDescription

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

object_owner

The owner of the object that was added to the realm.

To find the available users, query the DBA_USERS view, described in Oracle Database Reference.

object_name

Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the DVSYS.DBMS_MACUTL G_ALL_OBJECT constant.

To find objects that are secured by existing realms, query the DVSYS.DBA_DV_REALM_OBJECT view, described in "DBA_DV_REALM_OBJECT View".

object_type

Object type, such as TABLE, INDEX, or ROLE. (The wildcard % is allowed. See "Object Types" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.)

You can also use the DVSYS.DBMS_MACUTL G_ALL_OBJECT constant.


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_OBJECT_FROM_REALM(
  realm_name   => 'Performance Statistics Realm', 
  object_owner => 'SYS', 
  object_name  => 'GATHER_SYSTEM_STATISTICS', 
  object_type  => 'ROLE'); 
END;
/

DELETE_REALM Procedure

The DELETE_REALM procedure deletes a realm, including its related Database Vault configuration information that specifies who is authorized (DVSYS.DBA_DV_REALM_AUTH view) and what objects are protected (DVSYS.DBA_DV_REALM_OBJECT view). It does not delete the actual database objects or users. To find a listing of the realm-related objects, query the DVSYS.DBA_DV_REALM view. To find its authorizations, query DVSYS.DBA_DV_REALM_AUTH. Both are described under "Oracle Database Vault Data Dictionary Views".

If you want to remove the associated objects and authorizations and the realm, see "DELETE_REALM_CASCADE Procedure".

Syntax

DVSYS.DBMS_MACADM.DELETE_REALM(
  realm_name IN VARCHAR2);

Parameters

Table 12-7 DELETE_REALM Parameter

ParameterDescription

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"


Example

EXEC DVSYS.DBMS_MACADM.DELETE_REALM('Performance Statistics Realm');

DELETE_REALM_CASCADE Procedure

The DELETE_REALM_CASCADE procedure deletes a realm, including its related Database Vault configuration information that specifies who is authorized (DVSYS.DBA_DV_REALM_AUTH view) and what objects are protected (DVSYS.DBA_DV_REALM_OBJECT view). It does not delete the actual database objects or users. To find a listing of the realm-related objects, query the DVSYS.DBA_DV_REALM view. To find its authorizations, query DVSYS.DBA_DV_REALM_AUTH. Both are described under "Oracle Database Vault Data Dictionary Views".

Syntax

DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE(
  realm_name IN VARCHAR2);

Parameters

Table 12-8 DELETE_REALM_CASCADE Parameter

ParameterDescription

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"


Example

EXEC DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE('Performance Statistics Realm');

RENAME_REALM Procedure

The RENAME_REALM procedure renames a realm. The name change takes effect everywhere the realm is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_REALM(
  realm_name IN VARCHAR2, 
  new_name   IN VARCHAR2);

Parameters

Table 12-9 RENAME_REALM Parameters

ParameterDescription

realm_name

Current realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

new_name

New realm name, up to 90 characters in mixed-case.


Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_REALM(
  realm_name => 'Performance Statistics Realm', 
  new_name   => 'Sector 2 Performance Statistics Realm');
END; 
/

UPDATE_REALM Procedure

The UPDATE_REALM procedure updates a realm.

Syntax

DVSYS.DBMS_MACADM.UPDATE_REALM(
  realm_name    IN VARCHAR2, 
  description   IN VARCHAR2, 
  enabled       IN VARCHAR2, 
  audit_options IN NUMBER DEFAULT NULL);

Parameters

Table 12-10 UPDATE_REALM Parameters

ParameterDescription

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

description

Description of the purpose of the realm, up to 1024 characters in mixed-case.

enabled

Y (yes) enables realm checking; N (no) disables it.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO

The default for enabled is the previously set value, which you can find by querying the DVSYS.DBA_DV_REALM data dictionary view. (This feature is available with Oracle Database 11g Release 2 (11.2.0.2).)

audit_options

Specify one of the following options to audit the realm:

  • 0: Disables auditing for the realm

  • 1: Creates an audit record when a realm violation occurs (for example, when an unauthorized user tries to modify an object that is protected by the realm

  • 2: Creates an audit record for authorized activities on objects protected by the realm.

  • 3: Creates an audit record for both authorized and unauthorized activities on objects protected by the realm

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_REALM_AUDIT_OFF

  • G_REALM_AUDIT_SUCCESS

  • G_REALM_AUDIT_FAIL

  • G_REALM_AUDIT_FAIL + G_REALM_AUDIT_SUCCESS

The default for audit_options is the previously set value, which you can find by querying the DVSYS.DBA_DV_REALM data dictionary view.


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_REALM(
  realm_name    => 'Sector 2 Performance Statistics Realm', 
  description   => 'Realm to measure performance for Sector 2 applications', 
  enabled       => 'Y', 
  audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + G_REALM_AUDIT_SUCCESS); 
END;
/

UPDATE_REALM_AUTH Procedure

The UPDATE_REALM_AUTH procedure updates the authorization of a user or role to access a realm.

Syntax

DVSYS.DBMS_MACADM.UPDATE_REALM_AUTH(
  realm_name    IN VARCHAR2, 
  grantee       IN VARCHAR2, 
  rule_set_name IN VARCHAR2, 
  auth_options  IN NUMBER);

Parameters

Table 12-11 UPDATE_REALM_AUTH Parameters

ParameterDescription

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View".

grantee

User or role name.

To find the available users and roles, query the DBA_USERS and DBA_ROLES views, described in Oracle Database Reference.

To find the authorization of a particular user or role, query the DVA_DV_REALM_AUTH view, described in DBA_DV_REALM_AUTH View.

To find existing secure application roles used in privilege management, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

rule_set_name

Optional Rule set to check before authorizing. If the rule set evaluates to TRUE, then the authorization is allowed.

To find the available rule sets, query the DVSYS.DBA_DV_RULE_SET view. To find rules that are associated with the rule sets, query the DBA_DB_RULE_SET_RULE view. Both are described in "Oracle Database Vault Data Dictionary Views".

auth_options

Optional. Specify one of the following options to authorize the realm:

  • 0: Participant. This account or role provides system or direct privileges to access, manipulate, and create objects protected by the realm, provided these rights have been granted using the standard Oracle Database privilege grant process.

  • 1: Owner. This account or role has the same privileges as the realm participant, plus the authorization to grant or revoke realm-secured database roles. A realm can have multiple owners.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_REALM_AUTH_PARTICIPANT

  • G_REALM_AUTH_OWNER

The default for auth_options value is the previously set value, which you can find by querying the DVSYS.DBA_DV_REALM_AUTH data dictionary view.


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_REALM_AUTH(
  realm_name    => 'Sector 2 Performance Statistics Realm', 
  grantee       => 'SYSADM', 
  rule_set_name => 'Check Conf Access', 
  auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END; 
/

Rule Set Procedures Within DVSYS.DBMS_MACADM

Table 12-12 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure rule sets.


See Also:


Table 12-12 DVSYS.DBMS_MACADM Rule Set Configuration Procedures

ProcedureDescription

ADD_RULE_TO_RULE_SET Procedure

Adds a rule to a rule set

CREATE_RULE Procedure

Creates a rule

CREATE_RULE_SET Procedure

Creates a rule set

DELETE_RULE Procedure

Deletes a rule

DELETE_RULE_FROM_RULE_SET Procedure

Deletes a rule from a rule set

DELETE_RULE_SET Procedure

Deletes a rule set

RENAME_RULE Procedure

Renames a rule. The name change takes effect everywhere the rule is used.

RENAME_RULE_SET Procedure

Renames a rule set. The name change takes effect everywhere the rule set is used.

SYNC_RULES Procedure

Synchronizes the rules

UPDATE_RULE Procedure

Updates a rule

UPDATE_RULE_SET Procedure

Updates a rule set


ADD_RULE_TO_RULE_SET Procedure

The ADD_RULE_TO_RULE_SET procedure adds rule to a rule set, and lets you specify whether to have the rule be checked when the rule set is evaluated.

Syntax

DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name  IN VARCHAR2, 
  rule_name      IN VARCHAR2, 
  rule_order     IN NUMBER, 
  enabled        IN VARCHAR2);

Parameters

Table 12-13 ADD_RULE_TO_RULE_SET Parameters

ParameterDescription

rule_set_name

Rule set name.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

rule_name

Rule to add to the rule set.

To find existing rules, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, use DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE View".

rule_order

Does not apply to this release, but you must include a value for the ADD_RULE_TO_RULE_SET procedure to work. Enter 1.

enabled

Optional. Determines whether the rule should be checked when the rule set is evaluated. Possible values are:

  • Y (yes; default). Enables the rule to be checked during the rule set evaluation.

  • N (no). Prevents the rule from being checked during the rule set evaluation.

You can also enter the following DVSYS.DBMS_MACUTL constants:

  • G_YES (default)

  • G_NO

See Table 14-1 for more information.


Examples

The following example adds a rule to a rule set, and by omitting the enabled parameter, automatically enables the rule to be checked when the rule set is evaluated.

BEGIN
 DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name => 'Limit_DBA_Access', 
  rule_name     => 'Restrict DROP TABLE operations',
  rule_order    => 1);
END;
/

This example adds the rule to the rule set but disables rule checking.

BEGIN
 DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name => 'Limit_DBA_Access',
  rule_name     => 'Check UPDATE operations',
  rule_order    => 1,
  enabled       => DBMS_MACUTL.G_NO);
END;
/

CREATE_RULE Procedure

The CREATE_RULE procedure creates a rule. After you create a rule, you can add it to a rule set.

Syntax

DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name  IN VARCHAR2, 
  rule_expr  IN VARCHAR2);

Parameters

Table 12-14 CREATE_RULE Parameters

ParameterDescription

rule_name

Rule name, up to 90 characters in mixed-case. Spaces are allowed.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".

rule_expr

PL/SQL BOOLEAN expression.

If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example:

'TO_CHAR(SYSDATE,''HH24'') = ''12'''

See "Creating a New Rule" for more information on rule expressions.


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name  => 'Check UPDATE operations', 
  rule_expr  =>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SYSADM''');
END;
/

CREATE_RULE_SET Procedure

The CREATE_RULE_SET procedure creates a rule set. After you create a rule set, you can use the CREATE_RULE and ADD_RULE_TO_RULE_SET procedures to create and add rules to the rule set.

Syntax

DVSYS.DBMS_MACADM.CREATE_RULE_SET(
  rule_set_name    IN VARCHAR2, 
  description      IN VARCHAR2, 
  enabled          IN VARCHAR2, 
  eval_options     IN NUMBER, 
  audit_options    IN NUMBER, 
  fail_options     IN NUMBER, 
  fail_message     IN VARCHAR2, 
  fail_code        IN NUMBER, 
  handler_options  IN NUMBER, 
  handler          IN VARCHAR2,
  is_static        IN BOOLEAN DEFAULT FALSE);

Parameters

Table 12-15 CREATE_RULE_SET Parameters

ParameterDescription

rule_set_name

Rule set name, up to 90 characters in mixed-case. Spaces are allowed.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

description

Description of the purpose of the rule set, up to 1024 characters in mixed-case.

enabled

Y (yes) enables the rule set; N (no) disables it. The default is Y.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO

eval_options

If you plan to assign multiple rules to the rule set, enter one of the following settings:

  • 1: All rules in the rule set must evaluate to true for the rule set itself to evaluate to true (default).

  • 2: At least one rule in the rule set must evaluate to true for the rule set itself to evaluate to true.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_RULESET_EVAL_ALL (default)

  • G_RULESET_EVAL_ANY

audit_options

Select one of the following settings:

  • 0: Disables auditing for the rule set (default)

  • 1: Creates an audit record when a rule set violation occurs

  • 2: Creates an audit record for a successful rule set evaluation

  • 3: Creates an audit record for both successful and failed rule set evaluations

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_RULESET_AUDIT_OFF (default)

  • G_RULESET_AUDIT_SUCCESS

  • G_RULESET_AUDIT_FAIL

  • G_RULESET_AUDIT_FAIL + G_RULESET_AUDIT_SUCCESS

See "Audit Options" for more information.

fail_options

Options for reporting factor errors:

  • 1: Shows an error message (default)

  • 2: Does not show an error message

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_RULESET_FAIL_SHOW (default)

  • G_RULESET_FAIL_SILENT

See "Error Handling Options" for more information.

fail_message

Enter an error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for fail_code.

fail_code

Enter a number in the range of -20000 to -20999 or 20000 to 20999 to associate with the fail_message parameter.

handler_options

Select one of the following settings:

  • 0: Disables error handling (default)

  • POWER(2,0): Calls handler on rule set failure

  • POWER(2,1): Calls handler on rule set success

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_RULESET_HANDLER_OFF (default)

  • G_RULESET_HANDLER_FAIL

  • G_RULESET_HANDLER_SUCCESS

See "Error Handling Options" for more information.

handler

Name of the PL/SQL function or procedure that defines the custom event handler logic.

See "Error Handling Options" for more information.

is_static

Optional. Determines how often a rule set is evaluated when it is accessed. The default is FALSE.

  • TRUE: The rule set is evaluated once during the user session. After that, the value is re-used.

  • FALSE: The rule set evaluated every time.


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE_SET(
  rule_set_name    => 'Limit_DBA_Access', 
  description      => 'DBA access through predefined processes', 
  enabled          => 'Y',
  eval_options     => 2,
  audit_options    => DBMS_MACUTL.G_RULESET_AUDIT_FAIL + DBMS_MACUTL.G_RULESET_AUDIT_SUCCESS,
  fail_options     => 2,
  fail_message     => '',
  fail_code        => 20461,
  handler_options  => DBMS_MACUTL.G_RULESET_HANDLER_FAIL, 
  handler          => 'dbavowner.email_alert',
  is_static        => TRUE);
END;
/

See Also:

Example 14-2, "Creating a Rule Set Using DVSYS.DBMS_MACUTL Constants"

DELETE_RULE Procedure

The DELETE_RULE procedure deletes a rule.

Syntax

DVSYS.DBMS_MACADM.DELETE_RULE(
  rule_name IN VARCHAR2);

Parameter

Table 12-16 DELETE_RULE Parameter

ParameterDescription

rule_name

Rule name.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".


Example

EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Check UPDATE operations');

DELETE_RULE_FROM_RULE_SET Procedure

The DELETE_RULE_FROM_RULE_SET procedure deletes a rule from a rule set.

Syntax

DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
  rule_set_name IN VARCHAR2, 
  rule_name     IN VARCHAR2);

Parameters

Table 12-17 DELETE_RULE_FROM_RULE_SET Parameters

ParameterDescription

rule_set_name

Rule set name.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

rule_name

Rule to remove from the rule set.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
  rule_set_name => 'Limit_DBA_Access', 
  rule_name     => 'Check UPDATE operations');
END;
/

DELETE_RULE_SET Procedure

The DELETE_RULE_SET procedure deletes a rule set.

Syntax

DVSYS.DBMS_MACADM.DELETE_RULE_SET(
  rule_set_name IN VARCHAR2);

Parameters

Table 12-18 DELETE_RULE_SET Parameter

ParameterDescription

rule_set_name

Rule set name.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".


Example

EXEC DVSYS.DBMS_MACADM.DELETE_RULE_SET('Limit_DBA_Access');

RENAME_RULE Procedure

The RENAME_RULE procedure renames a rule. The name change takes effect everywhere the rule is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_RULE(
  rule_name  IN VARCHAR2, 
  new_name   IN VARCHAR2);

Parameters

Table 12-19 RENAME_RULE Parameters

ParameterDescription

rule_name

Current rule name.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".

new_name

New rule name, up to 90 characters in mixed-case.


Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_RULE(
  rule_name  => 'Check UPDATE operations', 
  new_name   => 'Check Sector 2 Processes');
END; 
/

RENAME_RULE_SET Procedure

The RENAME_RULE_SET procedure renames a rule set. The name change takes effect everywhere the rule set is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_RULE_SET(
  rule_set_name IN VARCHAR2, 
  new_name      IN VARCHAR2);

Parameters

Table 12-20 RENAME_RULE_SET Parameters

ParameterDescription

rule_set_name

Current rule set name.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

new_name

New rule set name, up to 90 characters in mixed-case. Spaces are allowed.


Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_RULE_SET(
  rule_set_name => 'Limit_DBA_Access', 
  new_name      => 'Limit Sector 2 Access'); 
END;
/

SYNC_RULES Procedure

The SYNC_RULES procedure synchronizes the rules in Oracle Database Vault and Advanced Queuing Rules engine. You must perform this operation immediately after you roll back an ADD_RULE_TO_RULESET, a DELETE_RULE, or an UPDATE_RULE operation.

Syntax

DVSYS.DBMS_MACADM.SYNC_RULES();

Parameters

None.

Example

EXEC DVSYS.DBMS_MACADM.SYNC_RULES();

UPDATE_RULE Procedure

The UPDATE_RULE procedure updates a rule.

Syntax

DVSYS.DBMS_MACADM.UPDATE_RULE(
  rule_name  IN VARCHAR2, 
  rule_expr  IN VARCHAR2);

Parameters

Table 12-21 UPDATE_RULE Parameters

ParameterDescription

rule_name

Rule name.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".

rule_expr

PL/SQL BOOLEAN expression.

If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example:

'TO_CHAR(SYSDATE,''HH24'') = ''12'''

See "Creating a New Rule" for more information on rule expressions.

To find existing rule expressions, query the DVSYS.DBA_DV_RULE view.


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_RULE(
  rule_name  => 'Check UPDATE operations', 
  rule_expr  =>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SYSADM'' AND
               (
                 UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''APPSRVR%'' OR
                 UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''DBAPP%'' )'
               );
END;
/

UPDATE_RULE_SET Procedure

The UPDATE_RULE_SET procedure updates a rule set.

Syntax

DVSYS.DBMS_MACADM.UPDATE_RULE_SET(
  rule_set_name    IN VARCHAR2,
  description      IN VARCHAR2, 
  enabled          IN VARCHAR2, 
  eval_options     IN NUMBER, 
  audit_options    IN NUMBER, 
  fail_options     IN NUMBER, 
  fail_message     IN VARCHAR2, 
  fail_code        IN NUMBER, 
  handler_options  IN NUMBER, 
  handler          IN VARCHAR2,
  is_static        IN BOOLEAN DEFAULT FALSE);

Parameters

Table 12-22 UPDATE_RULE_SET Parameters

ParameterDescription

rule_set_name

Rule set name.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

description

Description of the purpose of the rule set, up to 1024 characters in mixed-case.

enabled

Y (yes) enables rule set checking; N (no) disables it.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO

The default for the enabled setting is the previously set value, which you can find by querying the DVSYS.DBA_DV_RULE_SET data dictionary view.

eval_options

If you plan to assign multiple rules to the rule set, enter one of the following settings:

  • 1: All rules in the rule set must evaluate to true for the rule set itself to evaluate to true.

  • 2: At least one rule in the rule set must evaluate to true for the rule set itself to evaluate to true.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_RULESET_EVAL_ALL

  • G_RULESET_EVAL_ANY

The default for eval_options is the previously set value, which you can find by querying the DVSYS.DBA_DV_RULE_SET data dictionary view.

audit_options

Select one of the following settings:

  • 0: Disables auditing for the rule set

  • 1: Creates an audit record when a rule set violation occurs

  • 2: Creates an audit record for a successful rule set evaluation

  • 3: Creates an audit record for both successful and failed rule set evaluations

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_RULESET_AUDIT_OFF

  • G_RULESET_AUDIT_FAIL

  • G_RULESET_AUDIT_SUCCESS

  • G_RULESET_AUDIT_FAIL + G_RULESET_AUDIT_SUCCESS

The default for audit_options is the previously set value, which you can find by querying the DVSYS.DBA_DV_RULE_SET data dictionary view.

See "Audit Options" for more information.

fail_options

Options for reporting factor errors:

  • 1: Shows an error message.

  • 2: Does not show an error message.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_RULESET_FAIL_SHOW

  • G_RULESET_FAIL_SILENT

The default for fail_options is the previously set value, which you can find by querying the DVSYS.DBA_DV_RULE_SET data dictionary view.

See "Error Handling Options" for more information.

fail_message

Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for fail_code.

fail_code

Enter a number in the range of -20000 to -20999 or 20000 to 20999 to associate with the fail_message parameter.

handler_options

Select one of the following settings:

  • 0: Disables error handling.

  • POWER(2,0): Call handler on rule set failure.

  • POWER(2,1): Call handler on rule set success.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_RULESET_HANDLER_OFF

  • G_RULESET_HANDLER_FAIL

  • G_RULESET_HANDLER_SUCCESS

The default for handler_options is the previously set value, which you can find by querying the DVSYS.DBA_DV_RULE_SET data dictionary view.

See "Error Handling Options" for more information.

handler

Name of the PL/SQL function or procedure that defines the custom event handler logic.

See "Error Handling Options" for more information.

is_static

Optional. Determines how often a rule set is evaluated when it is accessed by a SQL statement.

  • TRUE: The rule set is evaluated once during the user session. After that, the value is re-used.

  • FALSE: The rule set evaluated each time a SQL statement accesses it (default).


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_RULE_SET(
  rule_set_name    => 'Limit_DBA_Access', 
  description      => 'DBA access through predefined processes', 
  enabled          => 'Y',
  eval_options     => 2,
  audit_options    => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
  fail_options     => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
  fail_message     => 'Access denied!',
  fail_code        => 20900,
  handler_options  => DBMS_MACUTL.G_RULESET_HANDLER_OFF, 
  handler          => '',
  is_static        =  TRUE);
END;
/

Command Rule Procedures Within DVSYS.DBMS_MACADM

Table 12-23 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure command rules.

Chapter 6, "Configuring Command Rules," describes command rules in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the command rule procedures.

Table 12-23 DVSYS.DBMS_MACADM Command Rule Configuration Procedures

ProcedureDescription

CREATE_COMMAND_RULE Procedure

Creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set

DELETE_COMMAND_RULE Procedure

Drops a command rule declaration

UPDATE_COMMAND_RULE Procedure

Updates a command rule declaration


CREATE_COMMAND_RULE Procedure

The CREATE_COMMAND_RULE procedure creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set.

Syntax

DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
  command         IN VARCHAR2, 
  rule_set_name   IN VARCHAR2, 
  object_owner    IN VARCHAR2, 
  object_name     IN VARCHAR2, 
  enabled         IN VARCHAR2);

Parameters

Table 12-24 CREATE_COMMAND_RULE Parameters

ParameterDescription

command

SQL statement to protect.

See also the following:

rule_set_name

Name of rule set to associate with this command rule.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

object_owner

Database schema to which this command rule will apply. The wildcard % is allowed, except for the SELECT, INSERT, UPDATE, DELETE, and EXECUTE statements.

To find the available users, query the DBA_USERS view, described in Oracle Database Reference.

See also "Object Owner" in "Creating and Editing a Command Rule" for more information.

object_name

Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.)

To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference.

enabled

Y (yes) enables the command rule; N (no) disables it. The default is Y.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
  command         => 'SELECT', 
  rule_set_name   => 'Limit Sector 2 Access', 
  object_owner    => 'SYSADM', 
  object_name     => 'EMP_DATA', 
  enabled         => DBMS_MACUTL.G_YES);
END; 
/

DELETE_COMMAND_RULE Procedure

The DELETE_COMMAND_RULE procedure drops a command rule declaration.

Syntax

DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE(
  command      IN VARCHAR2, 
  object_owner IN VARCHAR2, 
  object_name  IN VARCHAR2);

Parameters

Table 12-25 DELETE_COMMAND_RULE Parameters

ParameterDescription

command

SQL statement the command rule protects.

To find available command rules, query the DVSYS.DBA_DV_COMMAND_RULE view, described in "DBA_DV_COMMAND_RULE View"

object_owner

Database schema to which this command rule applies.

To find the available users in the current database instance, query the DBA_USERS view, described in Oracle Database Reference.

See also "Object Owner" in "Creating and Editing a Command Rule" for more information.

object_name

Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.)

To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference.


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE(
  command      => 'SELECT', 
  object_owner => 'SYSADM', 
  object_name  => 'EMP_DATA'); 
END;
/

UPDATE_COMMAND_RULE Procedure

The UPDATE_COMMAND_RULE procedure updates a command rule declaration.

Syntax

DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
  command        IN VARCHAR2, 
  rule_set_name  IN VARCHAR2, 
  object_owner   IN VARCHAR2, 
  object_name    IN VARCHAR2, 
  enabled        IN VARCHAR2);

Parameters

Table 12-26 UPDATE_COMMAND_RULE Parameters

ParameterDescription

command

SQL statement to protect.

See also the following:

rule_set_name

Name of rule set to associate with this command rule.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "Oracle Database Vault Data Dictionary Views".

object_owner

Database schema to which this command rule applies.

To find the available users, query the DBA_USERS view, described in Oracle Database Reference. See also "Object Owner" in "Creating and Editing a Command Rule" for more information.

object_name

Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.)

To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference.

enabled

Y (yes) enables the command rule; N (no) disables it.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO

The default for enabled is the previously set value, which you can find by querying the DVSYS.DBA_DV_COMMAND_RULE data dictionary view.


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
  command         => 'SELECT', 
  rule_set_name   => 'Limit Sector 2 Access', 
  object_owner    => 'SYSADM', 
  object_name     => '%', 
  enabled         => DBMS_MACUTL.G_NO);
END;
/

Factor Procedures and Functions Within DVSYS.DBMS_MACADM

Table 12-27 lists procedures and functions within the DVSYS.DBMS_MACADM package that you can use to configure factors.


See Also:


Table 12-27 DVSYS.DBMS_MACADM Factor Configuration Procedures

ProcedureDescription

ADD_FACTOR_LINK Procedure

Specifies a parent-child relationship for two factors

ADD_POLICY_FACTOR Procedure

Specifies that the label for a factor contributes to the Oracle Label Security label for a policy.

CHANGE_IDENTITY_FACTOR Procedure

Associates an identity with a different factor

CHANGE_IDENTITY_VALUE Procedure

Updates the value of an identity

CREATE_DOMAIN_IDENTITY Procedure

Adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.

CREATE_FACTOR Procedure

Creates a factor

CREATE_FACTOR_TYPE Procedure

Creates a factor type

CREATE_IDENTITY Procedure

Creates an identity

CREATE_IDENTITY_MAP Procedure

Defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors)

DELETE_FACTOR Procedure

Deletes a factor

DELETE_FACTOR_LINK Procedure

Removes a parent-child relationship for two factors

DELETE_FACTOR_TYPE Procedure

Deletes a factor type

DELETE_IDENTITY Procedure

Removes an identity

DELETE_IDENTITY_MAP Procedure

Removes an identity map from a factor

DROP_DOMAIN_IDENTITY Procedure

Removes an Oracle RAC database node from a domain

GET_INSTANCE_INFO Function

Returns information from the SYS.V_$INSTANCE system table about the current database instance; returns a VARCHAR2 value

GET_SESSION_INFO Function

Returns information from the SYS.V_$SESSION system table for the current session; returns a VARCHAR2 value

RENAME_FACTOR Procedure

Renames a factor. The name change takes effect everywhere the factor is used.

RENAME_FACTOR_TYPE Procedure

Renames a factor type. The name change takes effect everywhere the factor type is used.

UPDATE_FACTOR Procedure

Updates a factor

UPDATE_FACTOR_TYPE Procedure

Updates the description of a factor type

UPDATE_IDENTITY Procedure

Updates the trust level of a factor identity


ADD_FACTOR_LINK Procedure

The ADD_FACTOR_LINK procedure specifies a parent-child relationship for two factors.

Syntax

DVSYS.DBMS_MACADM.ADD_FACTOR_LINK(
  parent_factor_name IN VARCHAR2, 
  child_factor_name  IN VARCHAR2, 
  label_indicator    IN VARCHAR2);

Parameters

Table 12-28 ADD_FACTOR_LINK Parameters

ParameterDescription

parent_factor_name

Parent factor name.

To find existing parent and child factors in the current database instance, query the DVSYS.DBA_DV_FACTOR_LINK view, described in "DBA_DV_FACTOR_LINK View".

child_factor_name

Child factor name.

label_indicator

Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either Y (for Yes) or N (for No).

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO

To find the Oracle Label Security policies and labels associated with factors, query the following views, described in "Oracle Database Vault Data Dictionary Views":

  • DVSYS.DBA_DV_MAC_POLICY: Lists Oracle Label Security policies defined in the current database instance.

  • DVSYS.DBA_DV_MAC_POLICY_FACTOR: Lists the factors that are associated with Oracle Label Security policies for the current database instance.

  • DVSYS.DBA_DV_POLICY_LABEL: Lists the Oracle Label Security label for each factor identifier in the DVSYS.DBA_DV_IDENTITY view for each policy.


Example

BEGIN
 DVSYS.DBMS_MACADM.ADD_FACTOR_LINK(
  parent_factor_name => 'HQ_ClientID', 
  child_factor_name  => 'Div1_ClientID', 
  label_indicator    => 'Y');
END;
/

ADD_POLICY_FACTOR Procedure

The ADD_POLICY_FACTOR procedure specifies that the label for a factor contributes to the Oracle Label Security label for a policy.

Syntax

DVSYS.DBMS_MACADM.ADD_POLICY_FACTOR(
  policy_name  IN VARCHAR2, 
  factor_name  IN VARCHAR2);

Parameters

Table 12-29 ADD_POLICY_FACTOR Parameters

ParameterDescription

policy_name

Oracle Label Security policy name.

To find the policies defined in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

To find factors that are associated with Oracle Label Security policies, query DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DBA_DV_MAC_POLICY_FACTOR View".

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".


Example

BEGIN
 DVSYS.DBMS_MACADM.ADD_POLICY_FACTOR(
  policy_name  => 'AccessData', 
  factor_name  => 'Sector2_ClientID'); 
END;
/

CHANGE_IDENTITY_FACTOR Procedure

The CHANGE_IDENTITY_FACTOR procedure associates an identity with a different factor.

Syntax

DVSYS.DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
  factor_name     IN VARCHAR2, 
  value           IN VARCHAR2, 
  new_factor_name IN VARCHAR2);

Parameters

Table 12-30 CHANGE_IDENTITY_FACTOR Parameters

ParameterDescription

factor_name

Current factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

value

Value of the identity to update.

To find existing identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

To find current identity mappings, query the DVSYS.DBA_DV_IDENTITY_MAP view, described in "DBA_DV_IDENTITY_MAP View".

new_factor_name

Name of the factor to associate with the identity, which you can find by querying the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".


Example

BEGIN
 DVSYS.DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
  factor_name     => 'Sector2_ClientID', 
  value           => 'intranet', 
  new_factor_name => 'Sector4_ClientID'); 
END;
/

CHANGE_IDENTITY_VALUE Procedure

The CHANGE_IDENTITY_FACTOR procedure updates the value of an identity.

Syntax

DVSYS.DBMS_MACADM.CHANGE_IDENTITY_VALUE(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  new_value    IN VARCHAR2);

Parameters

Table 12-31 CHANGE_IDENTITY_VALUE Parameters

ParameterDescription

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View"

value

Current value associated with the identity.

To find existing identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

To find current identity mappings, query the DVSYS.DBA_DV_IDENTITY_MAP view, described in "DBA_DV_IDENTITY_MAP View".

new_value

New identity value, up to 1024 characters in mixed-case.


Example

BEGIN
 DVSYS.DBMS_MACADM.CHANGE_IDENTITY_VALUE(
  factor_name  => 'Sector2_ClientID', 
  value        => 'remote', 
  new_value    => 'intranet');
END; 
/

CREATE_DOMAIN_IDENTITY Procedure

The CREATE_DOMAIN_IDENTITY procedure adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.

Syntax

DVSYS.DBMS_MACADM.CREATE_DOMAIN_IDENTITY(
  domain_name  IN VARCHAR2, 
  domain_host  IN VARCHAR2, 
  policy_name  IN VARCHAR2 DEFAULT NULL, 
  domain_label IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-32 CREATE_DOMAIN_IDENTITY Parameters

ParameterDescription

domain_name

Name of the domain to which to add the host.

To find the logical location of the database within the network structure within a distributed database system, run the DVF.F$DATABASE_DOMAIN function, described in "Oracle Database Vault PL/SQL Factor Functions".

domain_host

Oracle Real Application Clusters host name being added to the domain.

To find host name of a database, run the DVF.F$DATABASE_HOSTNAME function, described in "Oracle Database Vault PL/SQL Factor Functions".

policy_name

Oracle Label Security policy name. If you omit the policy name, then the domain is not associated with any policy.

To find the available policies, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

domain_label

Name of the domain to which to add the Oracle Label Security policy.


Examples

BEGIN
 DVSYS.DBMS_MACADM.CREATE_DOMAIN_IDENTITY(
  domain_name  => 'example', 
  domain_host  => 'mydom_host', 
  policy_name  => 'AccessData', 
  domain_label => 'sensitive'); 
END;
/

CREATE_FACTOR Procedure

The CREATE_FACTOR procedure creates a factor. After you create a factor, you can give it an identity by using the CREATE_IDENTITY procedure, described in "CREATE_IDENTITY Procedure".

Syntax

DVSYS.DBMS_MACADM.CREATE_FACTOR(
  factor_name       IN VARCHAR2, 
  factor_type_name  IN VARCHAR2, 
  description       IN VARCHAR2, 
  rule_set_name     IN VARCHAR2, 
  get_expr          IN VARCHAR2, 
  validate_expr     IN VARCHAR2, 
  identify_by       IN NUMBER, 
  labeled_by        IN NUMBER, 
  eval_options      IN NUMBER, 
  audit_options     IN NUMBER, 
  fail_options      IN NUMBER);

Parameters

Table 12-33 CREATE_FACTOR Parameters

ParameterDescription

factor_name

Factor name, up to 28 characters in mixed-case, without spaces.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

factor_type_name

Type of the factor, up to 30 characters in mixed-case, without spaces.

To find existing factor types, query the DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

description

Description of the purpose of the factor, up to 1024 characters in mixed-case.

rule_set_name

Rule set name if you want to use a rule set to control when and how a factor identity is set.

To find existing rule sets, query the DVSYS.DBA_DV_RULE_SET view, described in "Oracle Database Vault Data Dictionary Views". See also "Assignment Rule Set" for more information about assigning rule sets to factors.

get_expr

Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the audit_options parameter.

validate_expr

Name of the procedure to validate the factor. This is a valid PL/SQL expression that returns a Boolean value (TRUE or FALSE) to validate the identity of the factor. See "Validation Method" for more information.

identify_by

Options for determining the identity of a factor, based on the expression set for the get_expr parameter:

  • 0: By constant

  • 1: By method

  • 2: By factor

  • 3: By context

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_IDENTIFY_BY_CONSTANT

  • G_IDENTIFY_BY_METHOD

  • G_IDENTIFY_BY_FACTOR

  • G_IDENTIFY_BY_CONTEXT

See "Factor Identification" for more information.

labeled_by

Options for labeling the factor:

  • 0: Labels the identities for the factor directly from the labels associated with an Oracle Label Security policy (default)

  • 1: Derives the factor identity label from the labels of its child factor identities.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_LABELED_BY_SELF (default)

  • G_LABELED_BY_FACTORS

See "Factor Labeling" for more information.

eval_options

Options for evaluating the factor when the user logs on:

  • 0: When the database session is created (default)

  • 1: Each time the factor is accessed

  • 2: On start-up

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_EVAL_ON_SESSION

  • G_EVAL_ON_ACCESS

  • G_EVAL_ON_STARTUP

See "Evaluation" for more information.

audit_options

Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.

  • 0: Disables auditing.

  • POWER(2,0): Always audits.

  • POWER(2,1): Audits if get_expr returns an error.

  • POWER(2,2): Audits if get_expr is null.

  • POWER(2,3): Audits if the validation procedure returns an error.

  • POWER(2,4): Audits if the validation procedure is false.

  • POWER(2,5): Audits if there is no trust level set.

  • POWER(2,6): Audits if the trust level is negative.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_AUDIT_OFF

  • G_AUDIT_ALWAYS

  • G_AUDIT_ON_GET_ERROR

  • G_AUDIT_ON_GET_NULL

  • G_AUDIT_ON_VALIDATE_ERROR

  • G_AUDIT_ON_VALIDATE_FALSE

  • G_AUDIT_ON_TRUST_LEVEL_NULL

  • G_AUDIT_ON_TRUST_LEVEL_NEG

See "Audit Options" for more information.

fail_options

Options for reporting factor errors:

  • POWER(2,0): Shows an error message (default)

  • POWER(2,1): Does not show an error message

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_FAIL_WITH_MESSAGE (default)

  • G_FAIL_SILENTLY

See "Error Options" for more information.


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_FACTOR(
  factor_name       => 'Sector2_DB', 
  factor_type_name  => 'Instance', 
  description       => ' ', 
  rule_set_name     => 'Limit_DBA_Access', 
  get_expr          => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', 
  validate_expr     => 'dbavowner.check_db_access', 
  identify_by       => 2, 
  labeled_by        => 0, 
  eval_options      => DBMS_MACUTL.G_EVAL_ON_SESSION, 
  audit_options     => DBMS_MACUTL.G_AUDIT_OFF, 
  fail_options      => DBMS_MACUTL.G_FAIL_SILENTLY); 
END;
/

CREATE_FACTOR_TYPE Procedure

The CREATE_FACTOR_TYPE procedure creates a user-defined factor type.

Syntax

DVSYS.DBMS_MACADM.CREATE_FACTOR_TYPE(
  name        IN VARCHAR2, 
  description IN VARCHAR2);

Parameters

Table 12-34 CREATE_FACTOR_TYPE Parameters

ParameterDescription

name

Factor type name, up to 30 characters in mixed-case, without spaces.

To find existing factor types, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

description

Description of the purpose of the factor type, up to 1024 characters in mixed-case.


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_FACTOR_TYPE(
  name        => 'Sector2Instance', 
  description => 'Checks DB instances used in Sector 2');
END;
/

CREATE_IDENTITY Procedure

The CREATE_IDENTITY procedure assigns an identity and an associated trust level for a given factor. After you create a factor, you must assign it an identity.

Syntax

DVSYS.DBMS_MACADM.CREATE_IDENTITY(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  trust_level  IN NUMBER);

Parameters

Table 12-35 CREATE_IDENTITY Parameters

ParameterDescription

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

value

The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.

trust_level

Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted.

See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_IDENTITY(
  factor_name  => 'Sector2_ClientID', 
  value        => 'intranet', 
  trust_level  => 5); 
END;
/

CREATE_IDENTITY_MAP Procedure

The CREATE_IDENTITY_MAP procedure defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors).

Syntax

DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP(
  identity_factor_name  IN VARCHAR2,
  identity_factor_value IN VARCHAR2, 
  parent_factor_name    IN VARCHAR2, 
  child_factor_name     IN VARCHAR2, 
  operation             IN VARCHAR2, 
  operand1              IN VARCHAR2, 
  operand2              IN VARCHAR2);

Parameters

Table 12-36 CREATE_IDENTITY_MAP Parameters

ParameterDescription

identity_factor_name

Factor the identity map is for.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "Oracle Database Vault Data Dictionary Views".

identity_factor_value

Value the factor assumes if the identity map evaluates to TRUE.

To find existing factor identities, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

To find current factor identity mappings, use DVSYS.DBA_DV_IDENTITY_MAP, described in "DBA_DV_IDENTITY_MAP View".

parent_factor_name

The parent factor link to which the map is related.

To find existing parent-child factor mappings, query the DVSYS.DBA_DV_IDENTITY_MAP view, described in "DBA_DV_IDENTITY_MAP View".

child_factor_name

The child factor link to which the map is related.

operation

Relational operator for the identity map (for example, <, >, =, and so on).

operand1

Left operand for the relational operator; refers to the low value you enter.

operand2

Right operand for the relational operator; refers to the high value you enter.


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP(
  identity_factor_name  => 'Sector2_ClientID',
  identity_factor_value => 'intranet', 
  parent_factor_name    => 'HQ_ClientID', 
  child_factor_name     => 'Div1_ClientID', 
  operation             => '<', 
  operand1              => '192.0.2.50', 
  operand2              => '192.0.2.100');
END;
/

DELETE_FACTOR Procedure

The DELETE_FACTOR procedure deletes a factor.

Syntax

DVSYS.DBMS_MACADM.DELETE_FACTOR(
  factor_name IN VARCHAR2);

Parameters

Table 12-37 DELETE_FACTOR Parameter

ParameterDescription

factor_name

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".


Example

EXEC DVSYS.DBMS_MACADM.DELETE_FACTOR('Sector2_ClientID');

DELETE_FACTOR_LINK Procedure

The DELETE_FACTOR_LINK procedure removes a parent-child relationship for two factors.

Syntax

DVSYS.DBMS_MACADM.DELETE_FACTOR_LINK(
  parent_factor_name IN VARCHAR2, 
  child_factor_name  IN VARCHAR2);

Parameters

Table 12-38 DELETE_FACTOR_LINK Parameters

ParameterDescription

parent_factor_name

Factor name.

To find factors that are used in parent-child mappings in the current database instance, query the DVSYS.DBA_DV_FACTOR_LINK view, described in "DBA_DV_FACTOR_LINK View".

child_factor_name

Factor name.


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_FACTOR_LINK(
  parent_factor_name => 'HQ_ClientID', 
  child_factor_name  => 'Div1_ClientID'); 
END;
/

DELETE_FACTOR_TYPE Procedure

The DELETE_FACTOR_TYPE procedure deletes a factor type.

Syntax

DVSYS.DBMS_MACADM.DELETE_FACTOR_TYPE(
  name IN VARCHAR2);

Parameters

Table 12-39 DELETE_FACTOR_TYPE Parameters

ParameterDescription

name

Factor type name.

To find existing factor types, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".


Example

EXEC DVSYS.DBMS_MACADM.DELETE_FACTOR_TYPE('Sector2Instance');

DELETE_IDENTITY Procedure

The DELETE_IDENTITY procedure removes an identity from an existing factor.

Syntax

DVSYS.DBMS_MACADM.DELETE_IDENTITY(
  factor_name IN VARCHAR2, 
  value       IN VARCHAR2);

Parameters

Table 12-40 DELETE_IDENTITY Parameters

ParameterDescription

factor_name

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

value

Identity value associated with the factor.

To find the identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_IDENTITY(
  factor_name => 'Sector2_ClientID', 
  value       => 'intranet'); 
END;
/

DELETE_IDENTITY_MAP Procedure

The DELETE_IDENTITY_MAP procedure removes an identity map for a factor.

Syntax

DVSYS.DBMS_MACADM.DELETE_IDENTITY_MAP(
  identity_factor_name  IN VARCHAR2, 
  identity_factor_value IN VARCHAR2,
  parent_factor_name    IN VARCHAR2, 
  child_factor_name     IN VARCHAR2, 
  operation             IN VARCHAR2, 
  operand1              IN VARCHAR2, 
  operand2              IN VARCHAR2);

Parameters

Table 12-41 DELETE_IDENTITY_MAP Parameters

ParameterDescription

identity_factor_name

Factor the identity map is for.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

identity_factor_value

Value the factor assumes if the identity map evaluates to TRUE.

To find existing factor identities, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

To find current factor identity mappings, query DVSYS.DBA_DV_IDENTITY_MAP, described in "DBA_DV_IDENTITY_MAP View".

parent_factor_name

The parent factor link to which the map is related.

To find existing parent-child factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR_LINK View".

child_factor_name

The child factor to which the map is related.

operation

Relational operator for the identity map (for example, <, >, =, and so on).

operand1

Left (low value) operand for the relational operator.

operand2

Right (high value) operand for the relational operator.


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_IDENTITY_MAP(
  identity_factor_name  => 'Sector2_ClientID',
  identity_factor_value => 'intranet', 
  parent_factor_name    => 'HQ_ClientID', 
  child_factor_name     => 'Div1_ClientID', 
  operation             => '<', 
  operand1              => '192.0.2.10', 
  operand2              => '192.0.2.15');
END;
/

DROP_DOMAIN_IDENTITY Procedure

The DROP_DOMAIN_IDENTITY procedure removes an Oracle Real Application Clusters database node from a domain.

Syntax

DVSYS.DBMS_MACADM.DROP_DOMAIN_IDENTITY(
  domain_name  IN VARCHAR2, 
  domain_host  IN VARCHAR2);

Parameters

Table 12-42 DROP_DOMAIN_IDENTITY Parameters

ParameterDescription

domain_name

Name of the domain to which the host was added.

To find the domain of a database as specified by the DB_DOMAIN initialization parameter, run the DVF.F$DATABASE_DOMAIN function, described in "Oracle Database Vault PL/SQL Factor Functions".

domain_host

Oracle Real Application Clusters host name being that was added to the domain.

To find the host name for a specified database, run the DVF.F$DATABASE_HOSTNAME function, described in "Oracle Database Vault PL/SQL Factor Functions".


Example

BEGIN
 DVSYS.DBMS_MACADM.DROP_DOMAIN_IDENTITY(
  domain_name  => 'example', 
  domain_host  => 'mydom_host'); 
END;
/

GET_INSTANCE_INFO Function

The GET_INSTANCE_INFO function returns information from the SYS.V_$INSTANCE system table about the current database instance. The V$INSTANCE data dictionary view also contains database instance information from this table. See Oracle Database Reference for more information.

Syntax

DVSYS.DBMS_MACADM.GET_INSTANCE_INFO(
  p_parameter IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 12-43 GET_INSTANCE_INFO Parameter

ParameterDescription

p_parameter

Column name in the SYS.V_$INSTANCE system table


Example

DECLARE
 instance_var varchar2 := null;
BEGIN 
 instance_var = DVSYS.DBMS_MACADM.GET_INSTANCE_INFO('INSTANCE_NAME'); 
END;
/

GET_SESSION_INFO Function

The GET_SESSION_INFO function returns information from the SYS.V_$SESSION system table for the current session. The V$SESSION data dictionary view also contains session information from this table. See Oracle Database Reference for more information.

Syntax

DVSYS.DBMS_MACADM.GET_SESSION_INFO(
  p_parameter IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 12-44 GET_SESSION_INFO Parameter

ParameterDescription

p_parameter

Column name in the SYS.V_$SESSION system table.


Example

DECLARE
 session_var varchar2 := null;
BEGIN 
 session_var = DVSYS.DBMS_MACADM.GET_SESSION_INFO('PROCESS'); 
END;
/

RENAME_FACTOR Procedure

The RENAME_FACTOR procedure renames a factor. The name change takes effect everywhere the factor is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_FACTOR(
  factor_name     IN VARCHAR2, 
  new_factor_name IN VARCHAR2);

Parameters

Table 12-45 RENAME_FACTOR Parameters

ParameterDescription

factor_name

Current factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

new_factor_name

New factor name, up to 28 characters in mixed-case, without spaces.


Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_FACTOR(
  factor_name     => 'Sector2_ClientID', 
  new_factor_name => 'Sector2_Clients');
END;
/

RENAME_FACTOR_TYPE Procedure

The RENAME_FACTOR procedure renames a factor type. The name change takes effect everywhere the factor type is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_FACTOR_TYPE(
  old_name  IN VARCHAR2, 
  new_name  IN VARCHAR2);

Parameters

Table 12-46 RENAME_FACTOR_TYPE Parameters

ParameterDescription

old_name

Current factor type name.

To find existing factor types in the current database instance, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

new_name

New factor type name, up to 30 characters in mixed-case, without spaces.


Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_FACTOR_TYPE(
  old_name  => 'Sector2Instance', 
  new_name  => 'Sector2DBInstance'); 
END;
/

UPDATE_FACTOR Procedure

The UPDATE_FACTOR procedure updates the description of a factor type.

Syntax

DVSYS.DBMS_MACADM.UPDATE_FACTOR(
  factor_name       IN VARCHAR2, 
  factor_type_name  IN VARCHAR2, 
  description       IN VARCHAR2, 
  rule_set_name     IN VARCHAR2, 
  get_expr          IN VARCHAR2, 
  validate_expr     IN VARCHAR2, 
  identify_by       IN NUMBER, 
  labeled_by        IN NUMBER, 
  eval_options      IN NUMBER, 
  audit_options     IN NUMBER, 
  fail_options      IN NUMBER);

Parameters

Table 12-47 UPDATE_FACTOR

ParameterDescription

factor_name

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

factor_type_name

Factor type name.

To find existing factor types, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

description

Description of the purpose of the factor, up to 1024 characters in mixed-case.

rule_set_name

Name of the rule set used to control when and how a factor identity is set.

To find existing rule sets, query the DVSYS.DBA_DV_RULE_SET view, described in "Oracle Database Vault Data Dictionary Views".

See also "Assignment Rule Set" for more information about assigning rule sets to factors.

get_expr

Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the audit_options parameter.

validate_expr

Name of the procedure to validate factor. This is a valid PL/SQL expression that returns a Boolean value (TRUE or FALSE) to validate the identity of the factor. See "Validation Method" for more information.

identify_by

Options for determining the identity of a factor, based on the expression set for the get_expr parameter:

  • 0: By constant

  • 1: By method

  • 2: By factor

  • 3: By context

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_IDENTIFY_BY_CONSTANT

  • G_IDENTIFY_BY_METHOD

  • G_IDENTIFY_BY_FACTOR

  • G_IDENTIFY_BY_CONTEXT

See "Factor Identification" for more information.

labeled_by

Options for labeling the factor:

  • 0: Labels the identities for the factor directly from the labels associated with an Oracle Label Security policy

  • 1: Derives the factor identity label from the labels of its child factor identities.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_LABELED_BY_SELF

  • G_LABELED_BY_FACTORS

The default for labeled_by is the previously set value, which you can find by querying the DVSYS.DBA_DV_FACTOR data dictionary view.

See "Factor Labeling" for more information.

eval_options

Options for evaluating the factor when the user logs on:

  • 0: When the database session is created

  • 1: Each time the factor is accessed

  • 2: On start-up

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_EVAL_ON_SESSION

  • G_EVAL_ON_ACCESS

  • G_EVAL_ON_ACCESS

The default for eval_options is the previously set value, which you can find by querying the DVSYS.DBA_DV_FACTOR data dictionary view.

See "Evaluation" for more information.

audit_options

Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.

  • 0: Disables auditing.

  • POWER(2,0): Always audits.

  • POWER(2,1): Audits if get_expr returns an error.

  • POWER(2,2): Audits if get_expr is null.

  • POWER(2,3): Audits if the validation procedure returns an error.

  • POWER(2,4): Audits if the validation procedure is false.

  • POWER(2,5): Audits if there is no trust level set.

  • POWER(2,6): Audits if the trust level is negative.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_AUDIT_OFF

  • G_AUDIT_ALWAYS

  • G_AUDIT_ON_GET_ERROR

  • G_AUDIT_ON_GET_NULL

  • G_AUDIT_ON_VALIDATE_ERROR

  • G_AUDIT_ON_VALIDATE_FALSE

  • G_AUDIT_ON_TRUST_LEVEL_NULL

  • G_AUDIT_ON_TRUST_LEVEL_NEG

The default for audit_options is the previously set value, which you can find by querying the DVSYS.DBA_DV_FACTOR data dictionary view.

See "Audit Options" for more information.

fail_options

Options for reporting factor errors:

  • POWER(2,0): Shows an error message.

  • POWER(2,1): Does not show an error message.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_FAIL_WITH_MESSAGE

  • G_FAIL_SILENTLY

The default for fail_options is the previously set value, which you can find by querying the DVSYS.DBA_DV_FACTOR data dictionary view.

See "Error Options" for more information.


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_FACTOR(
  factor_name       => 'Sector2_DB', 
  factor_type_name  => 'Instance', 
  description       => ' ', 
  rule_set_name     => 'Limit_DBA_Access', 
  get_expr          => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', 
  validate_expr     => 'dbavowner.check_db_access', 
  identify_by       => 2, 
  labeled_by        => 0, 
  eval_options      => DBMS_MACUTL.G_EVAL_ON_ACCESS, 
  audit_options     => DBMS_MACUTL.G_AUDIT_ALWAYS, 
  fail_options      => DBMS_MACUTL.G_FAIL_WITH_MESSAGE); 
END;
/

UPDATE_FACTOR_TYPE Procedure

The UPDATE_FACTOR_TYPE procedure updates a factor type.

Syntax

DVSYS.DBMS_MACADM.UPDATE_FACTOR_TYPE(
  name         IN VARCHAR2, 
  description  IN VARCHAR2);

Parameters

Table 12-48 UPDATE_FACTOR_TYPE Parameters

ParameterDescription

name

Factor type name.

To find existing factor types in the current database instance, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

description

Description of the purpose of the factor type, up to 1024 characters in mixed case.


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_FACTOR_TYPE(
  name        => 'Sector2DBInstance', 
  description => 'Checks DB instances used in Sector 2');
END;
/

UPDATE_IDENTITY Procedure

The UPDATE_IDENTITY procedure updates the trust level of a factor identity.

Syntax

DVSYS.DBMS_MACADM.UPDATE_IDENTITY(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  trust_level  IN NUMBER);

Parameters

Table 12-49 UPDATE_IDENTITY Parameters

ParameterDescription

factor_name

Factor name.

To find existing factors in the current database instance, query the DBSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

To find factors that have identities, query DVSYS.DBA_DV_IDENTITY, described in "DBA_DV_IDENTITY View".

value

New factor identity, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.

trust_level

Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted.

See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_IDENTITY(
  factor_name  => 'Sector2_ClientID', 
  value        => 'intranet', 
  trust_level  => 10); 
END;
/

Secure Application Role Procedures Within DVSYS.DBMS_MACADM

Table 12-50 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure Oracle Database Vault secure application roles.

Chapter 8, "Configuring Secure Application Roles for Oracle Database Vault," describes secure application roles in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the secure application role procedures.

Table 12-50 DVSYS.DBMS_MACADM Secure Application Role Configuration Procedures

ProcedureDescription

CREATE_ROLE Procedure

Creates an Oracle Database Vault secure application role

DELETE_ROLE Procedure

Deletes an Oracle Database Vault secure application role

RENAME_ROLE Procedure

Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.

UPDATE_ROLE Procedure

Updates a Oracle Database Vault secure application role


CREATE_ROLE Procedure

The CREATE_ROLE procedure creates an Oracle Database Vault secure application role.

Syntax

DVSYS.DBMS_MACADM.CREATE_ROLE(
  role_name      IN VARCHAR2, 
  enabled        IN VARCHAR2,
  rule_set_name  IN VARCHAR2);

Parameters

Table 12-51 CREATE_ROLE Parameters

ParameterDescription

role_name

Role name, up to 30 characters, with no spaces. Preferably, enter the role name in upper case letters, though you are not required to do so.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

enabled

Y (yes) makes the role available for enabling; N (no) prevents the role from being enabled. The default is Y.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO

rule_set_name

Name of rule set to determine whether a user can set this secure application role.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_ROLE(
  role_name      => 'Sector2_APP_MGR', 
  enabled        => 'Y',
  rule_set_name  => 'Check App2 Access');
END;
/

DELETE_ROLE Procedure

The DELETE_ROLE procedure deletes an Oracle Database Vault secure application role.

Syntax

DVSYS.DBMS_MACADM.DELETE_ROLE(
  role_name IN VARCHAR2);

Parameters

Table 12-52 DELETE_ROLE Parameter

ParameterDescription

role_name

Role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".


Example

EXEC DVSYS.DBMS_MACADM.DELETE_ROLE('SECT2_APP_MGR');

RENAME_ROLE Procedure

The RENAME_ROLE procedure renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_ROLE(
  role_name      IN VARCHAR2, 
  new_role_name  IN VARCHAR2);

Parameters

Table 12-53 RENAME_ROLE Parameters

ParameterDescription

role_name

Current role name. Preferably, enter the role name in upper case letters, though you are not required to do so.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

new_role_name

Role name, up to 30 characters, in uppercase, with no spaces. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Language Reference.


Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_ROLE(
  role_name      => 'SECT2_APP_MGR', 
  new_role_name  => 'SECT2_SYSADMIN');
END;
/

UPDATE_ROLE Procedure

The UPDATE_ROLE procedure updates a Oracle Database Vault secure application role.

Syntax

DVSYS.DBMS_MACADM.UPDATE_ROLE(
  role_name      IN VARCHAR2, 
  enabled        IN VARCHAR2, 
  rule_set_name  IN VARCHAR2);

Parameters

Table 12-54 UPDATE_ROLE Parameters

ParameterDescription

role_name

Role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

enabled

Y (yes) makes the role available for enabling; N (no) prevents the role from being enabled.

You can also use the following DVSYS.DBMS_MACUTL constants:

  • G_YES

  • G_NO

The default for enabled is the previously set value, which you can find by querying the DVSYS.DBA_DV_ROLE data dictionary view.

rule_set_name

Name of rule set to determine whether a user can set this secure application role.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_ROLE(
  role_name      => 'SECT2_SYSADMIN', 
  enabled        => 'Y', 
  rule_set_name  => 'System Access Controls');
END;
/

Oracle Label Security Policy Procedures Within DVSYS.DBMS_MACADM

Table 12-55 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure Oracle Label Security policies for Oracle Database Vault.

Chapter 9, "Integrating Oracle Database Vault with Other Oracle Products," describes Oracle Label Security policies in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the Oracle Label Security policy procedures.

Table 12-55 DVSYS.DBMS_MACADM Oracle Label Security Configuration Procedures

ProcedureDescription

CREATE_MAC_POLICY Procedure

Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label

CREATE_POLICY_LABEL Procedure

Labels an identity within an Oracle Label Security policy

DELETE_MAC_POLICY_CASCADE Procedure

Deletes all Oracle Database Vault objects related to an Oracle Label Security policy.

DELETE_POLICY_FACTOR Procedure

Removes the factor from contributing to the Oracle Label Security label

DELETE_POLICY_LABEL Procedure

Removes the label from an identity within an Oracle Label Security policy

UPDATE_MAC_POLICY Procedure

Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label


CREATE_MAC_POLICY Procedure

The CREATE_MAC_POLICY procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.

Syntax

DVSYS.DBMS_MACADM.CREATE_MAC_POLICY(
  policy_name  IN VARCHAR2,
  algorithm    IN VARCHAR2);

Parameters

Table 12-56 CREATE_MAC_POLICY Parameters

ParameterDescription

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

algorithm

Merge algorithm for cases when Oracle Label Security has merged two labels. Enter the code listed in Table 12-57 that corresponds to the merge algorithm you want. For example, enter HUU to if you want to select the Maximum Level/Union/Union merge algorithm.

For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide.


Table 12-57 Oracle Label Security Merge Algorithm Codes

CodeValue

HUU

Maximum Level/Union/Union

HIU

Maximum Level/Intersection/Union

HMU

Maximum Level/Minus/Union

HNU

Maximum Level/Null/Union

HUI

Maximum Level/Union/Intersection

HII

Maximum Level/Intersection/Intersection

HMI

Maximum Level/Minus/Intersection

HNI

Maximum Level/Null/Intersection

HUM

Maximum Level/Union/Minus

HIM

Maximum Level/Intersection/Minus

HMM

Maximum Level/Minus/Minus

HNM

Maximum Level/Null/Minus

HUN

Maximum Level/Union/Null

HIN

Maximum Level/Intersection/Null

HMN

Maximum Level/Minus/Null

HNN

Maximum Level/Null/Null

LUU

Minimum Level/Union/Union

LIU

Minimum Level/Intersection/Union

LMU

Minimum Level/Minus/Union

LNU

Minimum Level/Null/Union

LUI

Minimum Level/Union/Intersection

LII

Minimum Level/Intersection/Intersection

LMI

Minimum Level/Minus/Intersection

LNI

Minimum Level/Null/Intersection

LUM

Minimum Level/Union/Minus

LIM

Minimum Level/Intersection/Minus

LMM

Minimum Level/Minus/Minus

LNM

Minimum Level/Null/Minus

LUN

Minimum Level/Union/Null

LIN

Minimum Level/Intersection/Null

LMN

Minimum Level/Minus/Null

LNN

Minimum Level/Null/Null


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_MAC_POLICY(
  policy_name  => 'Access Locations',
  algorithm    => 'HUU');
END;
/

CREATE_POLICY_LABEL Procedure

The CREATE_POLICY_LABEL procedure labels an identity within an Oracle Label Security policy.

Syntax

DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL(
  identity_factor_name   IN VARCHAR2, 
  identity_factor_value  IN VARCHAR2, 
  policy_name            IN VARCHAR2, 
  label                  IN VARCHAR2);

Parameters

Table 12-58 CREATE_POLICY_LABEL Parameters

ParameterDescription

identity_factor_name

Name of the factor being labeled.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

To find factors that are associated with Oracle Label Security policies, use DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DBA_DV_MAC_POLICY_FACTOR View".

See also "Label Security Policy Factors" for more information.

identity_factor_value

Value of identity for the factor being labeled.

To find the identities of existing factors in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

label

Oracle Label Security label name.

To find existing policy labels for factor identifiers, query the DVSYS.DBA_DV_POLICY_LABEL view, described in "DBA_DV_POLICY_LABEL View".


Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL(
  identity_factor_name   => 'App_Host_Name', 
  identity_factor_value  => 'Sect2_Fin_Apps', 
  policy_name            => 'Access Locations', 
  label                  => 'Sensitive'); 
END;
/

DELETE_MAC_POLICY_CASCADE Procedure

The DELETE_MAC_POLICY_CASCADE procedure deletes all Oracle Database Vault objects related to an Oracle Label Security policy.

Syntax

DVSYS.DBMS_MACADM.DELETE_MAC_POLICY_CASCADE(
  policy_name  IN VARCHAR2);

Parameters

Table 12-59 DELETE_MAC_POLICY_CASCADE Parameter

ParameterDescription

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".


Example

EXEC DVSYS.DBMS_MACADM.DELETE_MAC_POLICY_CASCADE('Access Locations');

DELETE_POLICY_FACTOR Procedure

The DELETE_POLICY_FACTOR procedure removes the factor from contributing to the Oracle Label Security label.

Syntax

DVSYS.DBMS_MACADM.DELETE_POLICY_FACTOR(
  policy_name  IN VARCHAR2, 
  factor_name  IN VARCHAR2);

Parameters

Table 12-60 DELETE_POLICY_FACTOR Parameters

ParameterDescription

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

factor_name

Name of factor associated with the Oracle Label Security label.

To find factors that are associated with Oracle Label Security policies, query DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DBA_DV_MAC_POLICY_FACTOR View".


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_POLICY_FACTOR(
  policy_name  => 'Access Locations', 
  factor_name  => 'App_Host_Name'); 
END;
/

DELETE_POLICY_LABEL Procedure

The DELETE_POLICY_LABEL procedure removes the label from an identity within an Oracle Label Security policy.

Syntax

DVSYS.DBMS_MACADM.DELETE_POLICY_LABEL(
  identity_factor_name   IN VARCHAR2, 
  identity_factor_value  IN VARCHAR2, 
  policy_name            IN VARCHAR2, 
  label                  IN VARCHAR2);

Parameters

Table 12-61 DELETE_POLICY_LABEL Parameters

ParameterDescription

identity_factor_name

Name of the factor that was labeled.

To find existing factors in the current database instance that are associated with Oracle Label Security policies, query DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DBA_DV_MAC_POLICY_FACTOR View".

See also "Label Security Policy Factors" for more information.

identity_factor_value

Value of identity for the factor that was labeled.

To find the identities of existing factors in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

label

Oracle Label Security label name.

To find existing policy labels for factor identifiers, query the DVSYS.DBA_DV_POLICY_LABEL view, described in "DBA_DV_POLICY_LABEL View".


Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_POLICY_LABEL(
  identity_factor_name   => 'App_Host_Name', 
  identity_factor_value  => 'Sect2_Fin_Apps', 
  policy_name            => 'Access Locations', 
  label                  => 'Sensitive'); 
END;
/

UPDATE_MAC_POLICY Procedure

The UPDATE_MAC_POLICY procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.

Syntax

DVSYS.DBMS_MACADM.UPDATE_MAC_POLICY(
  policy_name  IN VARCHAR2, 
  algorithm    IN VARCHAR2);

Parameters

Table 12-62 UPDATE_MAC_POLICY

ParameterDescription

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

algorithm

Merge algorithm for cases when Oracle Label Security has merged two labels. See Table 12-57 for listing of the available algorithms.

For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide.


Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_MAC_POLICY(
  policy_name  => 'Access Locations',
  algorithm    => 'LUI');
END;
/

General System Maintenance Procedures Within DVSYS.DBMS_MACADM

Table 12-63 lists the procedures within the DVSYS.DBMS_MACADM PL/SQL package that you can use to perform general maintenance activities that require the protection of the DV_OWNER or DV_ADMIN role.

Table 12-63 DVSYS.DBMS_MACADM Disable/Enable Procedures

ProcedureDescription

ADD_NLS_DATA Procedure

Adds a new language to Oracle Database Vault

AUTHORIZE_DATAPUMP_USER Procedure

Authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled

AUTHORIZE_SCHEDULER_USER Procedure

Authorizes a user to schedule database jobs when Oracle Database Vault is enabled

UNAUTHORIZE_DATAPUMP_USER Procedure

Revokes the authorization that was granted by the DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure

UNAUTHORIZE_SCHEDULER_USER Procedure

Revokes authorization that was granted by the DBMS_MACADM.AUTHORIZE_SCHEDULER_USER procedure


ADD_NLS_DATA Procedure

The ADD_NLS_DATA procedure adds a new language to Oracle Database Vault.

Syntax

DVSYS.DBMS_MACADM.ADD_NLS_DATA(
  language      IN VARCHAR );

Parameters

Table 12-64 ADD_NLS_DATA

ParameterDescription

language

Enter one of the following settings. (This parameter is case insensitive.)

  • ENGLISH

  • GERMAN

  • SPANISH

  • FRENCH

  • ITALIAN

  • JAPANESE

  • KOREAN

  • BRAZILIAN PORTUGUESE

  • SIMPLIFIED CHINESE

  • TRADITIONAL CHINESE


Examples

EXEC DVSYS.DBMS_MACADM.ADD_NLS_DATA('french');

AUTHORIZE_DATAPUMP_USER Procedure

The AUTHORIZE_DATAPUMP_USER procedure authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled. It applies to both the expdp and impdp utilities. See "Granting a Database Administrator Authorization to Use Oracle Data Pump" for full usage information, including the levels of additional authorization the user must have to use Oracle Data Pump in an Oracle Database Vault environment.

Syntax

DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL,
  table_name     IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-65 AUTHORIZE_DATAPUMP_USER

ParameterDescription

user_name

Name of the Oracle Data Pump user to whom you want to grant authorization.

To find a list of users who have privileges to use Oracle Data Pump (that is, the EXP_FULL_DATABASE and IMP_FULL_DATABASE roles), query the DBA_ROLE_PRIVS data dictionary view as follows:

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE LIKE '%FULL%'

schema_name

Name of the database schema that the Oracle Data Pump user must export or import. If you omit this parameter, then the user is granted global authorization to export and import any schema in the database. In this case, ensure the user has been granted the DV_OWNER or DV_ADMIN role.

table_name

Name of the table within the schema specified by the schema_name parameter. If you omit this parameter, then the user you specified can export and import all tables within the schema specified by the schema_name parameter.


Examples

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR');

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR');

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES');

AUTHORIZE_SCHEDULER_USER Procedure

The AUTHORIZE_SCHEDULER_USER procedure grants a user authorization to schedule database jobs when Oracle Database Vault is enabled. This authorization applies to anyone who has privileges to schedule database jobs. These privileges include any of the following: CREATE JOB, CREATE ANY JOB, CREATE EXTERNAL JOB, EXECUTE ANY PROGRAM, EXECUTE ANY CLASS, MANAGE SCHEDULER. See "Scheduling Database Jobs in an Oracle Database Vault Environment" full usage information, including the levels of authorization the user must have to schedule database jobs in an Oracle Database Vault environment.

Syntax

DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-66 AUTHORIZE_SCHEDULER_USER

ParameterDescription

user_name

Name of the user to whom you want to grant authorization.

To find a list of users who have privileges to schedule jobs, query the DBA_SYS_PRIVS data dictionary view for users who have privileges to schedule database jobs. See Step 2 in "Granting a Database Administrator Authorization to Use Oracle Data Pump".

schema_name

Name of the database schema for which a job will be scheduled. If you omit this parameter, then the user is granted global authorization to schedule a job for any schema in the database.


Examples

The following example authorizes the user JOB_MGR to run a job under any schema.

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

This example authorizes user JOB_MGR to run a job under the HR schema only.

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

UNAUTHORIZE_DATAPUMP_USER Procedure

The UNAUTHORIZE_DATAPUMP_USER procedure revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER procedure. When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_DATAPUMP_USER procedure.

For example, the following two procedures will work because the parameters are consistent:

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR');

However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_DATAPUMP_USER procedure will not work:

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('JSMITH');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');

Syntax

DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL,
  table_name     IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-67 UNAUTHORIZE_DATAPUMP_USER

ParameterDescription

user_name

Name of the Oracle Data Pump user from whom you want to revoke authorization.

To find a list of users and authorizations from the AUTHORIZE_DATAPUMP_USER procedure, query the DVSYS.DBA_DV_RULE_SET data dictionary view as follows:

SELECT RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET WHERE RULE_SET_NAME = 'Allow Oracle Data Pump Operation';

schema_name

Name of the database schema that the Oracle Data Pump user is authorized to export or import.

table_name

Name of the table within the schema specified by the schema name parameter.


Examples

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR', 'SALARY');

UNAUTHORIZE_SCHEDULER_USER Procedure

The UNAUTHORIZE_SCHEDULER_USER procedure revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER procedure. When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_SCHEDULER_USER procedure.

For example, the following two procedures will work because the parameters are consistent:

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');

However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_SCHEDULER_USER procedure will not work:

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

Syntax

DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-68 UNAUTHORIZE_SCHEDULER_USER

ParameterDescription

user_name

Name of the job scheduling user from whom you want to revoke authorization.

To find a list of users and authorizations from the AUTHORIZE_SCHEDULER_USER procedure, query the DVSYS.DBA_DV_RULE_SET data dictionary view as follows:

SELECT RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET WHERE RULE_SET_NAME = 'Allow Scheduler Job';

schema_name

Name of the database schema for which the user is authorized to schedule jobs.


Examples

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');
PKmRtPK)AOEBPS/img/security_concerns.gifGIF89aA635c[2ŅvvxYUgikSTVc5;ثFEGKLҡcW<ܐ޻¶䣥ȔeWTʗ-.3:ËSJGsge=||~̑dYƹkmo`adZ[]CFNNPprtC@AᨠIK"ޜXNO`QOڰw`M*'(?:<8EDWS!,AH*\ȰÇ#JHŋ3jȱǏ CIɓ>a˗0cʜI͛8sɳϟ@ JѣH*]ʴӧP`?Xjʵׯ`ÊKٳhӪ]˶۷pʝKݻx7f LÈ+^̸ǐL˘3k̹gLӨS^͚oѭc˞M۸پͻ ׻{ȓ+_8УKN}سkO>ӫ_˟=mXhE` 6蠃 >(ᄼDpBv (fn| `"iBpCJ8@taD C&l0P: Ѐ@S ( :hP&hiHছ%)g -Y'x |B0A:O`@ PdVZ>ЀC RЁ* Π . °æ`Ǫ XЂ Jp 7vV#pE@AtpB꫰k֫믽/"` `@Q޶fqXS@ #no[⫯*l_s?%r$ a' 6a@ #!B -ſz.v5wΠ&8M4H:+$l)}\ ɽ~K^,x70Nv* n84LN'HkA l|G?/gC4~=/Ϩg7{tЄI bȞ x'z! H+LbX/`KW@ 1SF8"Gt xNp^`{LD?FwS$!Cf1sW0P5 F?@ &ogR^'xTV Mءll._KjcjԀ%@c'L!8U '!s dvARv'*yIc"/H) x8LS nvvӕ8!fT'Q0~cHy'ޓ)%VI ‰L> Jhl0ԧ9?V(R5Hs|'0E&Ӫ(}VvMh@pJC 4;e*JSu%jzˤnh@JFygbK(jqA|CYW6}B DuhWReQN-TCJ:Z=)VKMBMM7p.h:ڟv-jYvѣjbS;vĭV0@zlMgJH6`=;֛֕, ySy^cT 6m^׽ m8*o"pG @ W7tUvW] 3/p/zdVϼ%mn= _)KrhmPBCfOx pgcm[Z2ͳ,d- Dp$Le3A,LLB֊A3 Jjִ9]O;O`˫jXm[0 `ZrF]xAp_Ötqgl ,8zF6]X^ @EcI awtmfc{ fmiK ~z7^s d Ň^8`?i1rn"\v.mdmGۮ9cMpЄ7(}k<uzEWCi+UCp7jΧ@>3]|e4˟hnwvSyP=Gws8 PCG%:Qf^Z7Kgԏss{ _Tj8{C }ӟgcfi}ʖoXorG~w{{gmwsO~s~@e,|g"vqyzxlTz{+xuvx^sۖi _O͑|#؄ta]ntxfg}4u\uƃwAhsrJh0nU"ww۷c2iWc(~eh{DpGdj'rh;IxwqR}V՗}z^hu ؈ o8'vy@8y8Xs`L(̈&xtw/xrrmVXx{khv&7IThnvNJuX}*'xsgx~um:'@ŗ`X&Η }؏WG:6Tٍ5{⸃ip~m8@0F, P7hh-&ׅy` kI zI菂x}$'G68^ِXve9hiٖ]i\:є}(.(x {%.7d蘸 g)jɖJYRAIV*ʹ%ٜ0zܨoɕɐYjh<ɛiIO )S!LɗRY]i (V8l : OK:SJP,-I٩2Ǣ5~D؎?ɠ k/s#1l @١ T}ٚlٕP:)Y4ڠJ9 t]0LYY',lx+zJi~j57S |:BjyG:1؟ I^Gڢw)Xڛ MЬ]Tڪ0ڨCi*xw5ZɈ:i3j٬M]1J>70Jʜhz7*کJ?z%q:8+zω᪫LzN:ZY>A%4iq+k/1iYW6 OvZ<{>@Z:$ )F *hnڰpJ:xۮ{SG۶n{kOk{[]X~6)'KkBڸq; ;ZvS`^jS j { m=򪠥ʬ۸b0sݚ0[XMʵ8+: kɧZڬYq`eK)۲v۹x+|{~۾ڵ+M %D#lKګ lʺ}ʱ֫؛(]q%\n翿;w 0&ZdxȘ{ <|>=k{durдE.ܦ,}ZЫ^LL&m$BrpƘ *̹s"jSYkxu \,JlȲ :ZRhlĎe,{)\r P x z<|_99z**ƈzƳ,P<ǫqlɼ,ŕ컵6<8\ |dh ל cgl̝缩u;;̻cʉ Pr%dϛK߼)䊼YxZ*͸(r"˰Ƶσ* ]KwҞl{̃|l>]DXC-O m҉)5ؘŧLl6mщ;}ϔތd]zœ(^ۋ=ۺKt}v(x\<זu%ڌ˃ϻl$-J2l4l13?\Ҭyӈמ1O$ُl`3V5]?Œ <(fW+ze6^phC8'RXmXV}כ-2"K}>^~ -1s#0<-9pڝLa:srFh'y''L.O0nUhY۽]љ x=@$q .+"/`'NPR>T^V~XZ\^`b>d^f~%Sp(rt.~xz^2UN=_~mg苮ގ~W:ɖ;ѷ<~Ҭ(IcNíiꪾ>^~븞뺾!n.wlXh}c5Z7Zild]5(@#b+9oQ;XJ&'v'}B^`۲Ppm1Ϩ#IQaF"7lέwPN> i%d.qo2o_FMss2)$m!^1#@, ,UW?} Pn2VD"$&?aFg>U%~'1(0%ja^:D|A/AJ}M؎=%fVWY>N&Df&Liq^$Rn!8Ov1p@ {?CEҾL_N_ZPno8&W.aUi@i[!@yO9So}/_8o>ZoɏaBc/dBV4 т %,ZlтF0<A?%MDҤ*]1*7XSN=}TPEETR5 TU\zO7]BFX5̞EF ܾG4u';޽kXD, >Xq?Vd)RF\Ɯf3f*|ҥM ؐzÀ \71lB`*dx!D/b# !4`Ϙ3}l]vݽ^vH>k֭^%+jٰ\v嫯6Cl1c0&C&a:-NPZ{-6j-z;hj!&踌8^(ტ:zn;>s?8J?k  , Alб)B,PC8 ~&ީ*MyJcW%rS9cms F@mC:FLv"[,eυ/! @^"{ cO,ó 1MխQDM9TWVH*-ʵ[t3d=U|m)LEB@$(4 *ͷvֳ{JLyh8W! OTD Z bؖX 47]f?\NhZڡ֨EjFXNz\:%6:]eb=[+ 1piuoo~qII.#:;[֖a)Eӷ/'|*H€^?K 'A2WvŒT;rԜ~nT#:eVn'L> J*a)[Q}2o2垄%#ISєcbkO{V u _d2' h>Axvr]⨥8sVGG}YMɫr};6xfrIJă}7kI㞇-2lUw_]ŌoI޾}S\v,`y?ާ+ :*˶۶S Sc(Ksį(>ӲüKs?2/@s;ԃ;9EJA>S>";@)rP9U<0@@S:sa;*=蓺ԣ"> @ -.C)8p(2D;õӵ456|vKCBA:Ak(d, ;cAt xdd?|DSBdIA [GJsȯLǎ#HMTBc|>'5 K9$?d|1kl$ȼ =L4J,BvD8=MCKHL>T2˜$̕t4NIξ LHIKF\>bGddtB?||TJs<7tNʜȤH8ڼNGR< V2 P89φJslRGK|vL̲ϳleMǒDKȓȔ9!%"xJ EO@?L Katb]?=ʑ˥MʺJ+# 789 =%erRR]^RKa$K4KHTKѿѤS{TkPL- HpS:%9fSzP>E(. T¼KO9I JmTYMY"aCbDNdZdmzؠC_H]4fu__F_Geeb;N[THP+XWXNYFG]!b^&ڷ^7^[-YaeevEg.9Hɦᮽ攦Fq\d5i6?7i8Sd5V~-j{&>hmK 8PЁ~Bj^i1a\\g]bbGaek[EkMOݎ0hE(@^żvlkFYG]Ijdۡ}"NVȦQ >]eM=.*&9p酁'H7U;͉8iy^3`H2l؜4ݮ[[lZ> z^k֎S$Ӭp(@WF蘶`M^j>b^ކߞ6%5?@nP@~@\ 8 8r/֦傾)Mh] ?ormAߢ|oOo|HׅS/VX'Y 65X(5,+("_( Or@pؚCD[\u+O-)>> i, 4/Ֆ:$ЀPҦ8'Ё\]ib"a::jNbIW:'^f S4 Q'U8hxnM `V`V '7GWgwx0wtdlBxby>!>?QyCvvMHIJ?S.Lo6i 8 sS. PZ`֘xR '7GWgwW{rViqvNy-Kzv֔49Ep@SGܫzRz'7}RU/Zklh'nO9Ͳŗw 7xkzgwԷ{.wMvؿMfc¿0j l~x/{7=?,( 2l!Ĉ'Rh"ƌ7rtʔ*W%̗fҬisΜ:sРB]-jhJҥ'bP@Rk Yi&Ο3&UVE>Xa^ ` $(\E 9hq %Ӡ 7P3?f0 WGӧIm۶մ1;&7n>.Mʗ3o9ҧSnE֧{}/_z5׫9{6llЧ}8Of1 SQMUUWeV_I8BX%AKDSZ=Vo%]v^|`Vb1dQffr\jہƀmS!Pmn%<QJeUV9%<%]rya9&ey(hv߹Axq9yn{g~`o:*B0'Xji$( bWzUXKh "ƕ]uݕ^W`cb5dXecq>V\fj$JB[Z{-2&z-&ֽ sgޝy'|~z(.ƣF^zB.Ƞ:XʪQJJ\&X,bL,9m/DmI0p39Q@ <@p4I+T #DT J=5U[m]ٮ'/z/$o0 )Tv0.LWUq[oƴؗ.b[rk,3rLaU-S]8Op5>{Y5]'@'-vKog2]p[i wŷ(᪂j8Ʋ+aF>UckȮLڲ5k&~- 9SrC2uw]?ـxųҶyzԩ-B^7C `UYcF‘9h~+S nc?n:7F | (F1F:uAYJ猺0 2 㡀yGR{<e2Ŧj/qt6[!dDzN'rP2q)XOVi@B)cG n`Cr6UV? .W@Rʳc )0Sz2'̇9$J"9Ì1҇H>ʍ3e*Q:t>+O";@gkTf@L UHeġ `R 73L*t.ra`/˳ӄkT[W¸Jhk =.$AF4\jؚ)n`lm0;v3 %Hj(H :v%$` JKp8H <@l\ 9ʕsl5+ضPU[LQͼ C╚#ګ6VdE48-idtO4ϧ@OC~Lj@T <$ȝO{< .@& pa@ V 'И ݌0p?SH@Z ;? h3]=8g`yƜsnޱQnkRc:Rw',CѤPp/t2]L)yry R.W_nߍĜR2#bC܅8N o~JC3gUڳLn 9@,5 x@u0k&q@ f(4@0?h .@(@ 0 A6?Z( `Tz360@` J D @AP'сd@(@M>\uAa-s ]m2 erܒG2ٻoFQp_SlL0TEwy` BAL:@ Rp.L XA_+B\ D Na@L! = {x. BWQTϲDA }@$ p~`<AtS D tAhO 4A^Vl-]s^ހYZ1TdLD^(]y ] yyHa}u $MpggXX ]aZ@X(U|@0 @잎4@@X5A08h$4q@A@ $hv@ @/ @(`n,a ?᠎U B ⡕  J25! =EiH!Mxq__T^{'pД 4 D<T| @O  @@<G4X֤/ԡƇIh āAD`) 1 LAA(A4eSf])Z DM l,t@< d^/FQ& OTqPFj$GR#As]}6E8N8V9nAd)ʓ#FIFQaec8{||ᙅKeAfٙ@Cof @$nAo p'JLFM%t@@$$3I$$rA p]MAUtA3D{[T>X]m>3B$5rfKAaY&@d#eƣeffFYyYS>z7hLa[MMHdfSEYhXȁDIp:@DIAL*r4vj @@ubvF'w}K-yA4|QtA2*c @%t tg\b~ڥpBEr*j#zc~,[B5: @ȹcDm(EeF=v۷hyv$$hkҞEI0/ |@m`@p&]@<ȹҤUN@ܡ"ri~iTF- k bA$, XڤLu)A D#L5a#W fr&7^jb:A}橪#iSfhj!jlXA!LRV@ l l@<@)%-b9@L}K@yb*A@`@D@ ]L~@mA|؂cH+^.M(j DDMq@@@O D@ ]HFn*(**-tU9n<ĺ *haƆ`j9aܜxMo.|lTfxfxM"uhًήljf Я ,%D6VfZh}Х$\ p ( @W^iL)AxR@թ]D@Bӹ< Lgh~>/O nk..a.b>(9F@ xM,! A@v(~超hvT_mYz idb*/NXfb @$gAdi@ iTf"dSOq(?UU q$)A[h U6K D@G@AXRh 2_Vc nٮ ;L1 8vUjOK,Waco&jRbYF=B/4!1k(1q7Zl6(NJ iğ U3D4(O>v/YNӁF(C?5TOCD{61^,d8@@ۨAHV@ |`4lI AMޣg諲ڱI͌jQ[Ni^ G5fg6Lu&CrADWafEJ{ uōP@HO(@AKø ;v< vNzqa{٬*,?SMdR5 rQfySgFU]h[sVW4ik샊vIhTLnxxHAowWBA4l@شfjgRG>sPς <Dv]q&āFΛ!8t{6v5ɂbVn ^7[ 8Owl Tyo[Xt LHx{nkAY`xnh㇋&αbO7c(A L(3li]mXqX68Wzq8gwJ{SY|o3 @gmXJ8Px\l os&:ʀ__ۣ_asyv!/v1M\ ("j`hMmoDG7A8{ /TThA:4P[yH7`?Wl@Atغ+܀8o<4==4>t8 5 $~ @k@rFUΧkEIkᅺn_ `Ap96+xA:D<>/f8n8wxvY>Y~`.>kBƵZ㶕@ P4<'kv@T8`A&Dl0c  dTQE @>X1DIPP BK $)E 79g ?Ҡ &UTBO T6X STXz@IK0k[ ĕ;W.nջo_/P  T4Ft*ҩ&uROX`@}QTH-F7PU3V?s4Xep]r6XB2Zߞ;6Kcqm(҉h@K0`kv[nVp/Ϗ̽toЙ QetGuKX뭹 F,ԃeLSqIXȊ<27r568b myK j N+z0sF5u>=:#A:?UZwi 7睺-Hkiq7LlN8/kXյ{l;HֹoXA/Bd9 q2 \+r\S>stn]=Ձ:Gjm;. ]C x7J&-yq 4$q,z)9X v@93(WlsqGhNWi PvtE-^ *Ȱuxj:XeLW N4C 2-@0ϗC0sߚH.+jbTE}%p'Aٖ. f3Uș2pSh7p KǬ9|/dNt3,8̖/!s # *K_,(re]9&CNqs L))xJ :l?r[j\y1Qv%㓼$PŜ1B ~?l"G"lbԴ{AȊGA5s3 ԖAV"5ʃem6T8crp1  HcO} m! D ٮ]4Z&9 ΐn]HRRSL)"n04k;{{%`ʁ#BP#7 eˈTW'fW[,K٬bzX"Ȝ4BJ9RfdK$^<,6%*acXq!seSGM:-N %+bR@09<#Hw  )P L_}QfV2ԝg֍++n[ 8 *XdL\RFdJ@^+WЄ ] b xR.(aS_wdE~_Vx0 Lh |OaGC0`%P /b*iuu)+bN`f 2)` 3r.%)  /x^ZRf{+'Sc * {' 7arg1יT):]&V!bI$Xb+E]0vR8նv\Aȭ}X-۵xӲ!>LvT0Q[Ycxcu}M6W9:S[) 0 :"AG%ݞkYVqcpIxqXܥMhSg @ =anU85DӼ\w_T=b:lJI8L ]B84 BEf|1a88##S)'jI*PsA+) %02d  N֓==cdRF@8c88?s2 4:q0A}GԳL3P-Us-t<147C'DET7o@KcTEEFYNN 2*6*3tNtwwN$BURTH@t=S n3P:`E>((9o@ wt:NMU4T)"&4. PQXЍJuQ@ d :hRREJ??SSS)sTT0TU-S5)VZu52I]nP4Dob @K+5?_t?cX]Su @5s*335`ZZ.[O/4VPmuD\U`'uR]^t. TUHG6e `cHM伓Osij[_3 Pqb\7 5RT%O94YePM/M*_Uje wf%<5gJ%g hh h SeXYcpGYCꞕGkeǪHck55luh5\ggU 1v8]5^[ůS5**ޔj+oUOTOYUf)qVIquJ3r'V(Wr76s;6iiLm^C3G)J*uWwzENHpW fpg6%cV\!g%wvg(Vi6dG5AzpEpvmVlalͷwRLc?dTd-)d !tEشZWTpwk3 |o5wǵ}+X nsnnUt=@jGca[eUakuw]%m7SLsgpyv9F8SUU%788c})}øsn7:A5Gu8vwv {kq6Bև59}QooeY$PؒUvwg?|8}k}KY7L Yd ?:xY$1 uWv5pV=9Yx'x+xFu)@Ѹ_*9wa򴒝5v؊#rs㶐{X~?oKV9uy'es9wyׅx͡w#:Y:T9z;I%MXq ٜϷqe:%Zy-:1*򙧹z`@6D\wL.29zIqlbሆ{}ٰm<B=4L7uO'?H'k]F(H@ڞ)%_N >NSL-V zw dy9r䨼s섹`t^Md;{;{;;j[k-/P;" P;{@x @Q[({^" W,|Tu <#(+0<3 9A `ILO~;Ɉj@;G T;.<\\-5;I|Q|ś B/X(!".O'@ 0۟!FJc5w Qsǵ1}|˻Ԍ?%@%(0s^}> e襦WP>/>۫A>=OF~7(]qa^re^iA>ا)&ؓ?#K5>9ۯ~D^_S(NÞ݁CcS,]S;~?%ӇBEz=5 dcFpy8a›kֈئ ,NRJ8yC ,[V3憙47  3fpH.M (P@ҥ)6}ꊩSMXz!\ZUX%Jh!4hA $с׀^7NbJ+iO*WƀÔ)r: 8]9:լUlٴk۾;ݼ{ <ċ?~:?8 z>n 2tQ"E5rR$I(Gt2̚3ogСE&]SOEUU]eV[uXa%AYgV[o5W]w嵗_FXa%cE6]f6h!wkFc:c>dB"s=tY@qB4PMFEG}H%Iў{+|WNPBeR( `Z1ؠFhZj\re^:ŗ_ FaP b9dfY3h#Cj kVdsI7uedwRRZ%zaGf{lf~rW Ч   *&!>ڡ V:b%r⧖:کȥ:kLp \둷*kwU^9ޖ]fHbҲ5˦Mn'~tw jg*.R腋j(Njjb) c N? uROZ!9k[1v|j -qܟwLݾ`Kf(z`>Xj#iK4Ֆ_ygpX3$E<%xV%y\#[.;PH r:A}:TwͯlS?vo;+Rs p)e Kz#:pi709!>lD6MilR T觬KoLby䕸 zqrEuQ'Hߘa[[H6Mq!H;1'ۣQnEXd6!.1#\)Ȃ+%/iǃ5IPf)|AXhT/pt(>Td&%'KbRr6 шJJS}0|DZܐ%\,7ݒw"=@᳐<$DFԑɌdA'igf1 ݤDԤh %n_+Jf&줥U OqO/%=8S$x l" EBOq jIT.J|_w8Fr"Mc L\6m"Ӹ[&P1Pj{k_ ?V7hT ;հol ;Y`lKX@.U+gyiiwPg5 MmUQܲqѩ 7,.K]vW>2k55x O7*PѪvkJKkVʴZkOcV>5+ 2x, ߦ]z;jޞ nɖ8[Dryx)\ l] 1C 49|B Ө^ꖜ!cdQ2.M\+{+rySȜ$o|,5׌LG͵ysa&gUJc5_UO:ZۋVʕbv˜բY.v8MODAd< \=)qR@2Yǘy=6߽*dFٷev[fuN6l:NY n˺-Amnٻ \ފY[sns2_o F5{h{[=9S.|ۼՁe~r^y#` [EqnIwS7O:Ww/Ǻs.xEO1s~4}rc+dlC[=CЋ-'=sM_ka^2tO:!/yPވbk wYO4]CȁkHsGssLjGvfg#\yu~|k_xgZgn؇x6Hscq8Gvyw1GgS&z'Ee %(d0{ft0H|v]R~UV`؃x`WWEHE:{GtVȇ¸7gƌh }X[ט$MEVyf~t&x|娅XeH(n zavn'qjXv׏pF~ wo~h_Y uAhxɊ"芎Ȇ; QO!)#HwƇ5Sؒh(2z7'E9{<ɕ={ v v*ٔ|3Vgؕ}iM>)@ /H%x9qnR3<.qs GyɈ~I(4AI.8WiIhI0O@S+ %ᶙ@hXq&Xd_y5i)v kM9C1#؅8ѧ3'cIIl朞gd[ܨgɋyG@i:I0 w ف6)[YjFal99 80@,.?8eXwц*s|( (u':!sCHhx5w4ifCjt哟-XWڀU1C P J 2d(Vi'x jdI׉N yVJ9h<ץ ۷nd: Sl:nZpjMA j:﨣Cx>: ǖ&9Zz*ʑ0} z)c5 ce +j#޸i~Ow;`.*OW*YJWj<]@j6eTYQ߸0@.WPiڰ ]b{hjr%Zmh ĩ AYq+J+J F9# 'OZuL +uɞ;؝?z{K$\M^+by4(;̇NS9zʷ#;xᘝCU p8ضHy87빽۷J=ۍ[ytjm=J`SGq3ʲZ麌1;U+cfiie:`I˅M[+ͨLbj૷kRMuGZٚ$ik];Z{˪Ϊ¸˟IJ4yhoK2˽aG+ L&ʤ"%rx+ uk&̗HLƑ*Aۯ3U]k+bQ;7eLJ B (w$`g!| iFlȣj#H}5cal`XTJo%ffy0&iH HnK(%|(/f0K]B\EhZp2 ,Ll ,L!#!@ύyR^%-Ȭ|2X|\Heg1!\!@!jAlQ3n#!t, OL?e&*GsQȪ/ .9;=? A-CMEmGIKMOOԃ _ a=MmiMO .#$({אhWW3Zp&54u $4]6m({ Y>AO+lj$%%:o%|d1#Q&LGN;RUV7[\h.pA P-|:ٟ}>+ʽwڤڬ ,mߨ#X". oa=&62 \# =}4@ݍ5=|ٜ +1ڤ Uv߱:F۷0C=hSܼఙܶȌKtY̅D _]>L}ݯ">Z[)$.^ڦ 1>5;,"B>fRG q2LRNnVP|Cc刄嶡^!._a~cNajl>4n6N絜^r;|nC.s|x hύY>f֒[^8ޤ⣮樝nN߮s߯.?x>eNƝͲt̾(T`]}nd>S=:.ou:w.>mč2Q>Qn/ x^gqTdЈOo!?SN$oȞ/bʟ+.9?;nA/>m".^ƞXOZo+- Ԛ8n~lrp._H{ "_}&[]ac/햏hj=/pr{^~>*I{.>3#o(O4/i:M#3.dPCla̘£!UTV4 dPӂ %tlтO0 Bѣ4hxAQNP`թf0 %[Yiծe[qΥ[[ aXȑ%lr̙#9 EOxS"TµeǎQvms@!7A#"lXD+^ĘcǏ!E4"ʕ+ZƜI&N;wthQI6}zjZ\ӆ[}߿z 0~0h t;" +<2pC+:C;BqD-J4D` [ܢ"7bFkQ#5znGGR=4ҺPrI` ( 갲J(BˢJO)B= -sN:NbbuVZkV\suW^{W`vXboK}<M,7kUlv[nm-&pbr5\tUw]vu]xw^z7c-LMSؤ6Tk5`Vozu\?"xb+b3xc;cCyf7M5Z8]xfkzx{gzMVvLfSecyjڙhk6zߤi. Qem۬:l{o^6Ӕ^YZn{nWѺo#|FpzqCzrSW]ldO.[h9Gv,ݬWw32fE5ܛwyz૷~Qe݆~|'k~}ucosb|'}o}3旼O FP"``0lm =9+` M Ks Bưj" Ox0p+`4HuPC$hPΆՏ,+b#^%KbX@Ѕbͨ,Ne]dcxAEm@' D{#+3TixHhS! BvC%-yILf md'u'=Wb$%c s'.Re-xRX%D3RK:)yǯ̑u,,myZ! ~C0~iNr<81w3L'=߉Hc:2cAHMvfCM3 ,)$Eϕw2Al \ &P()*"A;iO}S5BL. B,~VZ4[Lk?NA ڂQۨ0/ 7*WaA`T.c$90q\j˺U{zHլl>ʯvC@ ں\d];E_Y͂DWZf>ՙIbծeTb.T=kn/ct"܊M:v}is+5STWo}{_`S-tqT~BT=/sӋW*?n gXp;|@Q.nF.UMe+(! %6WpYCN C&vGy]:rWyZfH4%c6J7*=sf4Yk䫔-V~N9OPO@@MҸ+꘽X &lB& W==7?T3AB0?S?ⴿˊ*80+Al 7)%  ;˦7)8DH[DKB2<=Br$̳< 5hN( ,O4d ձKMkN0,kDļJGI鬏$%9XL5 P  P8\'8 DMdtJ¨D̋PD Ůij6,EXY@ͤ@ Ĉ¨8(R)(e= $՟-Dl|HOOLNeL?3LZ D( pEu'p%HDD7 KK+>O`(Uʐ.5/)ӫHQY5uQ7}LLH< 2<>ݴL %%ȥ$/ór0XT͟U&9@  T2}3MM6U\1O:5N;ժըhLaQt>cNd8$ȾXpjd%΄ @DXXXXXXX YY$El x7?$: ž\Wv}48ՉAVʎY?88e]X낇} 0XZZZZ}( 4Y[5%Ly{SA~UId6.p-[m\}\ȍܭ%04[܄ d[6s[9ыYM5cEZAZZI{5ܩZO] ^^-^=^M^]^m^}^]Y8ȥ5u՝t\4w3K)SU |S}Ӵ;!}ѳ #1e{)R%= -!CC*:WU63_j#Ft![zM]Y+Z@=ڏ7@X²83= `چZn((x Yϵ`4?@iȂ ^E]{e_u#F4e[5VcEYb.PxO;[ܤ`'~\H,8hM_]|}LbWW<*ྫ`a޵cn%9pR$L[]A(1L FU>H>?U@]ap/҄Me>5P$ZUWXYv׳,`u]bQRR9eb8`F\ V*8hVe$beuZ`k.dS-.^l܏ td)(uaNfxhijvk>8nۃʄʅ XUYd9:h]Y&eYwln_~HFa_Va=ڀNng;F,)ih&Xbǣ/ܺudon-IJjj~gSQbH7@T}c`zTS@P`Fjgl):!3e-e&^_m#;`N hS.l'8BH &Hl&T <#? hY9hI :l9'@0m.k&eΡ_6&ccpp .Pon $`ڨP(`%m%/?P M0M7&\r#.mo~qzbqvC;qv lPP XBp(۫ex'hO(,f$ s )@40؀?DC.vi;7 xhP>HA/q?H ȥ$q~[7Ҩ0=S>oZ V g-Yܱfqf84Gmggm+N%A(;4P=9צ( ??Х͟&l!I?J42MÂfLydc?n0()H?% >H %>颣 m66 ƒ.aȂ*3DS9ЅğhG˲fϢMv-ۂ(4@h{' ͫw/߾~{˜svЩ0`1ƎC!ŔeLqΞ?aBRTJr{Q+dӣ7u,{iY<^Mq ⹺z l'2,/ r2E.@J8WQ]ǍgALG St|l : h%( e90$@p7 t?cT2A F0$` jKo ()90'Pq80Hx:O@ӁFbqd7YE`f<0!j\#7,Ǧ22x&M qX0`) H)ēS!Y1`x^ɖ:4((>Fy+B6ǐ ^`} (ifGqrYAvHXt!_t554d/ S rpA Lږ  &h V $ T#TZU*RC\ ?!1(J hXRVP!3 P8Ujh$iZUMmS(CfFЪ3B PSZ9x-oزQ+!ۀ "!@@X]IQ҆Hơ8*t N!.wݦ6:} ݆` B8{7BGdTk;۪%m4"'ȎL"0 `I["{ c8nx3^i0g0On8*^1UOXOl%(EmF) %jHf.(@X{@$)(qR2̤1^9bs{ ' i^f69p~4cEԏmnCU ܠ".`G;rr3c:Ӛt3J/wo^5[WGmt[:׺5{_˨g:agC;5[h=, 6o;۾6_ش͞gEzҞ7motU*7efQ _8|t8;]6"o<"g5b튣<好3N#9kᒫ*9CuL㸵Zp#=J? >Z;{>7BJ8]\>G go psAAN-|#?ڷ`1B⏾ x߇M~(o?NU7?ƧOi!Z@ fOAXP_t$ 1I|(A؟] VֽZ("A҄DhaUH`K "y|D*9I $Y 2aYr Ja l]@x_ѱ<ppMD4Yq ERGtxGp@v<J4a j (U :""ʼŠ5[ܓYp6YlzH@$@A@A@`e\.Irt 0@JL\D |.1 "H b8D \^&92" ^r^E%RvPA8hK`G"DجAd`vt Md@AA&!HAxDmdA22^EPNcL 9MTMᡅ\p1QBA\# H?VDмHA8( CR@ Pw 0X D KE@G| FV@$!u ؀O@GʤL NZ# P E"RFR(AѰ?.$eL^M@"CcK%\NyLAaAa@@ B%,Cl@QbYSVvMdgA( ڤqAzgz{g_z {cfZ PP#QvTeU@fA@fTf@{DD `vfo lSbOE8ā$!D hwFXxhA&iꅒő)|^":Rp;zYf=6XEhT(feF&Ag\'zheGI\b6hd$L@>h=E tgg܀xF&*"qAPjAvzJfG*YXgbZcYdG?SA xXʼn @>E%:ӣi$J@$QHrO٣-5H0`p6j ,j@뫺Kv}öú}ꞕ#^ůDA:h? `@8^" xgA HH &ǥڣFVfŵ*E+jǪnm_$!&tY6l۶.)ܞ*A>_f~^e[Y IdǍ4_]vDA7IfG$WDD L1nElJjGX[zSЄ@A@$ (,JՆ#9f-z*׮gĪp t,_-rll&ʪ-A@v :q쪖r,Z`F Pg7iZ@ ȯ V/ H|@CpAo |';piKpn6eޫ+Ұ/0/-.lA$m/b^ tAvcֈof.orA A A$& &"r-" H~ FS8"ĵ*trj*.٪1^p! L m$1,2("tWr0c [/.Ɓ)mr( rE!۲2#$o/sKxg03Y:y272'r3vªY80?r9ZmGmPFǟ cs2/r^73N/K,K2C?"cD_!E^tf40sQ#`䬅4mrז*B4jG_{&!F1UC/4٪4^\æ*OG @r$Cb!\.5u'w-xj^E'_1@-F 6(`up3l`GvO$ n$5]142_&v6^`iǵvoumwkhCct2F;s p wq[7wno Bwx'u1uN 3Z,7Q77xwùA|^vzqf/oiYt}#8Y@pui[3wā'xS}{mgwm7Q|[8ַZUvﱝw_xxK[k7x˸en3I|E;ӷ+9i3u8mF'3jk9qR8GO9o#xpy$d8빕yY8F6IsQ;+z[D[KSz[czk_:彀:=K ' `[zz:啶 ;h)3{;C{KG;95lA{;{{{{㻽g{#A ||WA+3|'@|K<ďA[|ADs#8?O~ob`~ 0 4| &.Tq$H(cHrq2DHfL3_J(@3IsC5ziRK6ujTSVS@7L?t5AXaqs,jضUsn\lڰopMwB`.ŋEq2)Oqsf Pt"eDhѣ;6cBjիU p 7 w 0X B!H"ƍ=,!I*_pH&ҝ=|xɗ7}x5|.رeѦ]떭\貱kC 3S̱6"220:C4Nc bnm|;(Rp衈&2ڨ#`P)nnHk([&|(D+Ģ> /0@[cA{0B )B@P? c+Ѷt㍠߂s⎣rt[5#jPERM pˮ$ˬ.O1L4d07\YӲ;/=4]MP={Srt.9*%G,`"(%O}x块ޗ>hV[}5.̷jVspW6|832bO0X\64?}Vh]Pke!FQ"H1ܐx$RS#yB(wݙ} BCV]}_s`5@] 4p Nb)d1fÍ9c EтHœ5Tܗ`*]np!Р7i7fz`2K5Ϋ!έc9nlVے픽qwun}St2:>cwVze 눵se} ȖljE}mEeYqAUqW(v]GI N1nyJ fLrTÜòǹyk[F7>U+m+Nڶֵ/RjGL%wXCqʾT:KKk z&,XgFl"w8oq,!qL)< 1r2x+ü$E=U{WSEm+!8F1nj/; Fq]$(AGXJW,iYK[.yK_0YbZ I.uLё4kWI%6M| YNsT:w7@ ZPB $< D^MF7`7 "JYR1LiZS9NySAPt*ipHq2k'mIҙДnrS<'9xӞ?*P"}(E+QzO^1׾NS`y҅' X>gM0U$2.PCb{+ioBPi m$S5Ԩ>j{ߤx4mҀ$@<зt]5WS tR>ѝ eK Ә42sMf=fȴ\<RMB8{XJI'% ҹ[Uhp:܋գ{k_5ɹҕ)4׭,Y+0F@b6W,1İxby ٠6d!$z:Zawsn]2ko[-v6H 9Pʜsw-2K\^Zbqkrx>nҷ$5{xоC]W/Zzo S[ Ljgz1ɘm:ܮnW޵{ _=/WB"qv)F. ҳdVķtzb]x:sx\K&}| I_}Va=~=M܇z6޹o%a؍lͣ  ol]*bclŒ/Ŗ5VJDŽƬJmnĮ0ޜ/ @DPw< J'"?&OێLˆ0̍ꀏ\ OXp\p`P8oF%yP *h D&0nJm6 x/POp o< q0ؐ;*2m&dĔp˯c0o oO0ǴֺO.m qzn /m ;0l8Nc-/ -ʮ 0q)^ >^SQ|vժgQ 6 @oQ$G% H?-ĎP BPo q"1/TҐ$G YD W1&[ 9R  !Cy1p(!1 %q  2$.Q``B%a%q+1 7F(qW-3O#9 "T.?S` 81.i uOrR3"ג'(aN 0 ]<4`F4A- &ό0e,!ݯ1K s"%"13O 28>EO=K9 :MQ:S30WO ;mq; <O"O?E? 55, "Ess2-(1KPLu&t״t0KTNON3@AϒJu2{3BӓeGU`?2:[0T+I4N&Q@kIk3ARFyF}3=`.U_UZ)MkC%5CRwU&oW4I62Tr/ٔ[@4;5EUt]IP+SPmIU^/4_o*HYs`3uI 6XtEy2J]tAa]KuYO5.#b1g%L;V?qHU1`/WW7u2;TAq3-"!4K@v^skGkNMqR5d V@T6a,ՕA_aM5K8{fkVoklCdI15\5u\oNٖ,6]6n<(4_|&oVsopDs[WGpKVqV'VOr]Vrgr *Q7w+@nVcllI`Ww!1_q3rtr-q7p2wp q_I` h_hw@uzVzeziz {fW{ wlxuV\3is,TOfk.G{}Fc9t5v 8ySwyחug}XJO˓~ p4kww3؆k@cQQWM[рS3OUe6]jg.X^ >x}tͷ\QvXvtj J bNJ؎OE0PxU[m}Qqw[Yo:|G xXlU WdGxUׄ}YoXcԍUg+Y ` *|?y&7m9U6=5qSYn-xbyIJ ` >H7Oɘ`uOOXxYyI@\?X3 WmIؘِQ-Xj.T 8YOYtezTw- ȝZC@ x=l9x?5˙u @ (W `3Tֈ=6}gt 4@ۙ$\z 3}\CYiK[Vu@_:{**FI ȖצIǹԝ@@"نC{S V.:y9@7ڟ;Zeڲ2 @[w)"GT٪yyZZUHyۺbn*3Y?ڹCp xΔ{ V@l.a{@!V`GʙB_GR@`!fN  `I/cwkysv{/_uds?Irq;_ǟ_ן__ H;PKͱ ݬPK)AOEBPS/img/tde.gif[SGIF89a 0//UVWefhWͥ䄆otwyHGHۧŹŘѧw{ltyݭMUW\eiᇋWZ\ikm=>dcdMLL޾!DCDrrt8?@moqA@@tqrʎ]_a``bNOP #$QQS!, TyIkĹH}yH H}*\ȰÇkŋ3j48qǏ C #ɓ(S\Y$˗0cʜ%Mtɳϟ~0 Q?͈]SͧPٌ*OChʵ׭Y'!Yv?~f8A.׶A;m*_n~Pq%OÈ+^$13Ƙ1?Q&/gx3Hw56?ab4r۸sm$T 1 8#:pv0Ek 04[/{@31DGȚ!3(`$( 0t~8I\ўGNGjAu(RkQĈ HHA AY0 zfa@)D!lq?)F,Ѐ*HDhL `x2n0b HLnDxX M >՚_h!d84tA8!#8\hGRXsF(@`Ajꩨ*VL!jU,X1lǭ*_i34XC dQ @a_`!F4GˠnaF:D"L202X<,sLjXu,#r0 <xi9A\A C@iiH#ZC4Np&mB؅$@vٍ DFB堹TAc~vP8 uC\> A*¢(xp_B:hR3$L SC4?>Xi C`jJz JN>;¢:)պEŬZFN_7M o(a@CC6>1U@ko&\TUxR&l~`8XW0IxOI(W z4P1vrx`{p" h'S< 02R'i ZP7'28 , M\<_'Z @Hbԁ)'ThPKa\`bno8!@p;!H%P>%p{Іp$Pt @H0{PP!9P4煦`u5U`Yii`h%@; "{p+{p!>|XH:";PtȉP׎hYxH A.r9} 3x@`Z`R7a@P+@vP%S@`7X+uPiɍ~F!+`7$#R?pXR1{0Eg'|vf7QT%C`^' TӅ0#VC<61  _@nppG {8hmٖ;$Ph$ "Pq@cAKV!F)H/Ԑ[9R0B APRY1R@5]tUE 03G  G``\ y F`A@"o0 p8d)>1/ ɀ܉bP9)Xm: >-P%e PnPGW !`1vY wKz G`{R3ZOuOEi8TS c0*23Сf#b|Dؒr"Yn }A|0R5|h-6• 0_`z`p@@ȤN^0V0j 2j`{0eWp%AJ;ڨPFxe4>MVp`4pj6%P @C #p )XVE`ydbL x )uDpt]@Aݓ+=(JCV5woPn{˓6 @##Fk @|@!Z (CH ,08bseޖu@iXpA`c+826pZQ] @z`%Uvy`gZipph5tlP`YI]2R[R H)y`[_PuPe S`iA >\PP;>9,pP[nfp Hw)pQ08Ad{T0"GiGppD T F PZCsЛZ0[S`pz6VHx@0rBk@PeU@G)pSR`L 8Ԩ[ɞ ̶yp8@_ZAP0D>+K4 Pˀr=w bB8jrYMxP(4%u(Ze``tu5YUEF ƣe0Za@PֽXbQ" W9Pe(rfnEP\Y oݛewPPX/Q 9,geuqP.di R'#%,uЇYshkϧ6۸Aϓ鉖mHL U@bHz#0HKC44QM7HbpwMp0&9n1iE`[@-Ap*Y!p⚴Qm6;IB\p u͇w-nHPt8䙍+ 0hٗ.,=0V6khR2?@V}4 *&Cb+з{Hv/:,P&':PQ<7Gl?\9H`uހyR*Odk@4Pο+F2͟h %@A@t!lZG,HqVt! w뮴 T%,Pe@ x^6쳺yHx qEo>Fo@`F_9Dd( %I$AžpA ;0`i g0@;uPLqZ\IW@DuԐ4FVZ tdBJK[<Q\@HPfFdn_ pG nj6oAm-w+Z m/ 8`5`r09eH9P! ~( X6z^U@\0h!|C* Z( 9 ʀƔxX,P# ^"f ʗ A E(p1R"A Ѐ:葏}X  1pHёF`%P%X Y. B fX,j@ ].]`"@R$AoB  8(= k06!p\y@ `>3 \,܁t=7 ^/԰Uzp(Xoett M'Vvќr(C䀃l2u60kP"u{J^X/ CX'KY(1Ŵv{'-f|@9 r ?)AZA -?+z,U1KcƥfY@r ,P `X`48U6`Pe֣^n1-r\^RDW!AA!hp ڋUĠ}G<w>>`\Yù{䭇; a@61baA &3{*8XƲ:Yn2@^qL!W8 xƳLW)π,8Us%|%J͔30464G-<$! ZX@@Vih@@ixu F:tµjjYf;@" 'ζu 8 iliK:Ĕ?YjBMzRmlxf!x;\@^o9j^inCa{| pG>rk%Ax8.K@4Z 0'y>q8Ap'NthUڪ 7 8Amghȁ`S|Ҁ3 Qp%p`Dpѽ]56DSA0^D*D[.W3so3w]CK@ғʑRAR U7 Ձd0"Oa:"We4Nd.`/&v} @` [p`=2 ۳ Zm~9Y)t6tW:| l?Ղ-8@V4Xy#ZSZ" d` `R!pjF@Ck!cPTH:.`n"cf`8(J*h wOj vpXuE !9`b9i`p%@E,x!j4@x6Vq{`*k h cJe=p+6Њ+`pqHuSLy`TCH9`7,PfZ0) CUTR{@h7!>8PtBDxG3z677n HVm@kkeP[8mp 'Pq#Xס[+gy$( B6NQZ18UH3t@@JZ`8$rP^ GS8lu4/荦Y,q-Nyrd@TYVYP:0% nXPZ`ZAeIR@Xd0%xFe*!W%P WЍfDiVw_Jivm)y9 #M`u{iPM) ` PZix{QP"&%Pٛ!9VB  HB jS<0954:ٝ۩7/cu itpH0ӹc5~`9mPtp˩i;9)N}u`9#>bc 4(AB.j Z; : `p8I@~GF 0;4.r$9C@@Ǣ#X* 1J;3 Z xb*i@'@p Kgqjb*OcfYj[4] m3jhOʨz} kPb vm\hY:KSx0q 5X1m6:m~mi@JQՅYj4/QZjG lpZC@ppᚮ7jUHEª^zq6) mM*꧶, ZoH` nrڬ,w .+ -6+`ppM7R'),L+}e2ڭp2M[(``\KI@BvD[x^RP4vX< O <)^Ȏ<l@ {Kgwyy|<)Qʦ,_@ʧʅ ʦ, ˧P@\\ᰟLtl|,f\ Ь&;L LH׌!,q\ǼL`Qe`Ͷ ͽl`1lчnlBn;B^'ߔ~c M_0spP¦: ]cU+teޫ~1 }ЍCP2s@`%+4#sK^~ `@^c=0I0d̻nsNn 4=@.@0R@' `.TlW0 ] s@r@e#-_ X@P _F2 2@~3BfHﵣLL;/.E?q* ?^;%"A@mŅY/ r &(?f='@hk!!TnąyoG`A6 dOKı .~nO\ΒY=<O44Is<7_u># &I*pj/@k/`jE ^e ~0B~~Icpj8*'K44i/ Z 4K*86. cICC3jhļ~e ~ͮu8F?~| I=6 Z/'*26p=I],F+\ *lXǒ |HQ4i32֭c70jxbl HD($O ,YC yrBQ_*pˆʜ*(*,=z!WG1.WSD,>I cJ sȪߤ~6 DŨ"U+7 &HfA7ҤKZj`9ǏԐ. $^0mo2G;&dh6`1j`&3PigϻL=`6̭~(\ǏWӠ $CIfMdGB V=u)C|a5m{"_ ,7Bc/hqu;d`9-qj7W@`̤/>2QIʈVnMVߨ~ '@A%lP Pi( Ovϑi,%RK塈&db$裐g3X pң{*$a `@v%@]ĩ8 vRf18ɫ,NAk&~^,+BP)B~8#9ygO6)f+l3~4l'|pO(@ya,D^DdӃ *;PA`kZ!B=tl4G93z4b^ʿA@nlPG-T?-TDA\w͵kHTq4F"WH!yJi|BE6@8&+>`$ \(eQhQG\]6hhWTIeX ~DPD@D' &\ $ѪX!|E`w2܅sJG 4 @}恶 xF Vl<º`Ad?0 s (Uh@B˺`-  CT0, 6P0A>ܡ Pp-@ Fќ7 )!TWOz-J &0.T9PYDž6U'RA#AT d! +X D@M9&|Ow#:$HD <(g)V1!!cFuB̡ I8cyj?r]`C +z(`P@7 dCO\@'A $ LH(E)YMB Uʅ:M(TъZKCeJP!d`za(? 02?t@?8 Ipf`>0@@t!'=WQB& 8P1 }tbaShB >!'6Ёs%5KX:U%be :CD fBJ ZRъs/4%vH3 V̓P>s|l@ @VGE 50a؏~E`Z˸}LqX6` /| W[0Ea!+ !@KVTE"jC) d psW@ͥ08EC4X2Ѐ `,EN>hPvP1_! , /+$a`ȳg=/ wMhB(0A}vV!=h Ccb;/Ӡ.Đ$x~[ '0ȡ !8Ԑ d Yj $x@B VX(40BN@+; l;@Ne$+@A;Op@)`'Nq` 8x)ށ _8 p{aA xfN]Dp!peP]ZR v& 8ng|$ {@H/Bk1 [o{a$@*&k\$V ;_p[e(P?D *`zWfH=ĠûPR)ƙ]@@u +2-V@ X:{ B8Q e_ω"SX|W A zWzghy{rFa{% _w`(\P[~Kw|0?0B`2(8pŧY00@ZS!P$;/ $6I0 s/xp+m,_m7xp z wI RpwC+`'zzwp26sԇ@hy({Pixŗ*Y~0 `. 2*0w sWW#7Ehp!c06p~S/UzWZjIh8508STWf7gz}Hd fЌ@uh/]wi xwX" Sڤȍɘ_`Dxw0a`~F'k,(6 . A`f8l/S!0f,` s6e?(v`cxg645Nxb` @CW SW{c_Q4L `8T@"*i*Y!yP TV LP#ZhEZy,8{qƏkЁ#TX:5(HK:@6K5`L,K;9;0$/ +J@Tk MV"px뗒0>jR`^Qy03 W2WP[!UHw01p+w( S0UۙX:pF D`s@P2LjϰяP25 p ,pķJk~0@eP*nC$y@Ti T/Tw x`@' ^MYpHJob:0/6y@ 80IǤJIʤ,PPg@0q` bU[ؗI<iP-gUG$0b+ p:rw0 qNɿ[SL0"z% ~d.Q)Xe:5#5 &(K+h90ZH J4x@\0OݣL ZOV}ۖH\HUkl퇒 ~PpLF<: CP @qqt,GY 5<Ɨz95p'L *@+FRF`k4 '`;z0,` 0VCV2r(yP= ]ץFMpH4ZWk9u j+ pJ3%@S@L7g<5C ܧ EU|·0jMk5@}ɞ0O M XfB@YB n `VP y0.SkIipx`dK0:l1 _ C1`!P -ITHʛVZ0ϓ[{Mmi`3j@&RnLk =2BJK zr+|!bRmO %Mtps KjPk-k\(0֍޴ FWR~=.'# s@Q͖r @3` k}-;L01#E| ڷO wpDp=h`JN.a . !p~ k-b`xF[ iT.@aTz1 BTkc[PsM |Grx@ 0SDP  $,ŇcYp2?c4+V@ f0raPSP _P$`> t M4PΛ$HE; 80b nmm&HZywDPxjV0Y2~ O >v&fN\ \@g S #!q?_0L`2uggާ=/?irNt. 0e@y1.@FZ` ys 0g[ԛ0m@&,]_@Q^V7#`.u+{$ _ ~u8F{k~dEESt:Z6.6.jY~:tbssICsCClOTdY5HfU_`AbxHj(3*hC(R@-Z)& 1Z`HbDa*[d!6qT*ֆ$6JjhҤ$JEՊXfպkױ`.UA~hqdF n82AMphjlއ<QgňO,ƎL`I$ y̛7M9Ϡ[M<̅<.B"DWr > m?p BqUAp?ۂ}= x0w؅,Fdm%BM0r`! 䁠1 /5KYBtрA"/ 1UKWfDmI 6ۂlopplA\I'qStRM'4PQ)^S~Zyԍa$N$VtE7}m~,tfq]¸yZU]XpMe.&{,b[a A3841xpQil[ xEL(p,p F܁i/}CA4H/x\bGe@L HDq ۢxKjJd{ Gl0q\IG)# 8 7TQhDGgNp_LIG_}J_01 lrcl H6[->_aZ1n EVlx<`hXT(qx EnAE` h a n  t3'b@ 8@FpnHA34A4y@@dqŬi MGZPaqPOE"^ *p(p5%ǀ6Eph@) H>!!mYV D@0_Xoyar8 P!LiAfltX 6,lfha h : \Ȅ8`xȁ9 XC -C$P).60H4@ l#' 4pP? П13pa yC4jjCs*BTH-Qӣ4()$ F,8CPTRf  S(.z/l 0K ~p$%& " p<&hbj0(4ؘ%$$' > zl 9D <@($+-P PlzaHxA% #  p>0a@ý0 UR A/Z榠x.!'nX@l` ;T2oagIP2 Q(1vn0P9l0@ZuU  0*31<=0)8Atx!s"0м 1 288C@;Ox,kY;[x  @;yj Af`'s]jW`|0"rp0@`'3TІ j`s@`z01PVH/EhDz-&HeE9eRG0[Ǘ~p}tuYճ:'^vYsktPP0#_5y*+gk` +@ 0\<0[{蛾껾{% { ~80zvO0IpO8dfC=iBI@-{qUKo9 @&jZmr7Fʀ8P;9P"Ps4@.6i8@[A $0Qg0YvN^5dXǺM[dLP`VP*+@ %8v|xz|v|qmwC`wODllP7 j@{Lz;zp\@P0.y,$G&;<)Z{<+y˾偺`NVeÞpk>\+.BzE|lLeRPs P!| I`Q6ȋGc@@K,z@6˕x }[C Zjq!@5i/<-s7Z{ fIa! -Ng kj2푘baX[pRP|b/L l.+`fQPT`C^𷕓;'yɖ;19,`tqɡA11R{tYA7P 7,(-X,^1<t6*Om{A aY@V}c3PS@z`jg`zp/s4Y5RAYe:wY 689  \PŲMsI]I0k[ `py?<` hpUmߡ]@:"I N~m) fPNn,0EG~4T@b]GB6 rm%|VTpzݢuZ5%``pZ{-ʴ>( -7Ps-9e @P׆tdNPx}8|~Zg˩pPZ6g s!AMO~r=1md۩. f pz4T@ .{Y`>}j >Ru^7~,ePi/v`0 5lR:XNM{5#M;Ti_~S0Qig9p$01t}0SCQ|+*OCx&8$fN*0s`Z*9\I wJjQ6DPxW=_Cx`s \КDUa{uAu  fl.1Y@ ]㬟Wa_eoA @ @i.YepVkcj`*FTIb{)u5a8OE@x_>_C+`j@ 85<0,P\D C 4+$f ~G OsCj^~SV+MV_I@y8d86@cCc `Z%>ݿ+eyTCCfy8@pIsI_6,%fʄv 0W!k0e͙ɓPk ֭#TB Ȩ9yɲZhR/oؓA"\i@.b d)Χ jA`S_VH%wyJ2tGH4 Q"0c1Kfe ժ͊0J_͞;G,YEk3k̮̻V+v$aπ{+_)2*Nߕr3N' x;ܦmϿhF_|~c,04$-Hm.6$h(,h"PF .b,P-KȠB6Lc d+.NA2KksƮq&1vˣVk38AGȁԎkVbd+2oᄚl 7G,ALgwǩp $< f,0,4l8<@-D m>AE ;PK)[[PK)AOEBPS/img/realm.gifGIF89asebijmүZ[]tvxQRTCBDJJL;;@ghj+()# ~\RP!,&66&6< <  H*\ȰÇ-ŋ3jȱǏ Mɓ(S\ɲ徑.cʜI͛8ɳϟ@ ͷsѣH*]j(ӧPJJUӪXjʵծ`ÊKײhӪ]ٶpʝ-ݻxeiw߿/+Èu L؛#KL˘3k̹.C#,6T^ͺװc˞MmL(͛z <({C~#+ˣ]l دA d@0Ø)#_sצf yA!XAIsl! ͗{cŧtK<9`*7xaeI@F>n/~xby$r!#YN,x ܰF pF_< .ZF1CZ F 7=X 7! X@ | 0lsBOdXNV[Db `%[zCݠ  a08X0+hl~8\ XD l,!!dK`eii~Ŋ!-rɍG@GLlnLi G2[t3qD 6 Qr|;|K.u4T" rC3lAF1j` 8Dv#5 `u yl!NAΥrh~B@$y%ͥv$DeDiMgB*!1Qp7}ٍpM@/-)a qøv%ڌݍJhChl߈vv  XpуTD jq9bkE@`s5:鈵 AG(p7xDȀE ,aAЁa CZ  (n .P.HAX@64!{[ 6!`AVd*w$ (8j`@ڊ n , 0X$q 4Mz@)5h=@`m$ [  mZz'X?dA`h!4 9{0XBІ2;6m5|P2 0|(K=FE֙ =`@w͓iL遝C,)a9@ zJrҗLل a@B01ؓ'6prdY?b:`Fp\@D&Z"'Tx F.kja؀Ӷa IO! IAҪtr1· ^lT5% !2TKfXPA"agPA?EZTp1#DaC|ZY'@ J9px:ceBu*o+[aT3ke!STsb"`Z0B ,hsv B8~@ %P~p f!A Pj.pJ%U g؀@v4=m80m 36(Ё?TЄ3 A /6T`j28* *H  Tp= hwݨ7h`m_r^@ <0gg!Fpl.# [Y0i&2-`@MBЈNF;ѐ'bC8žESӂ" 6A"PAf@ 2w6om8a *@uLF675ʍR$DMrNv~ŁiMw 򕺣D@`AJ@"k,g@hr͍lh8D ȀOAI 2\%p HpG,8p%=! 7zR<%Dj[H j @9rcU)̀X(Pm <@Rp`Cl hv‚ ! @YP(B&[ cE0]01 ZR8 5>pFYD2 A}Ja}U}}}PBs@m8 x !1guexc8&(HJL,؄RH1SQtZx\x^(`hGb8.XTqFQ+Ԇ@pHr8tv>x z2чBOAAbMAepHb`  s Zp؊(=iALP@8i #qVڐrc!d2zȄcEP؍QLihA@aKXF0%P``^5P'DH)^5\@fӸ} MtXfpJ0%9r"qF n( 6 1;P=`'-Qs' VR`rXuUc 3;bXS< P`@0yc2c6 "8p&! Zjr `B&p!Ѓ p JlP8|4Ŕ rGPGQpِ@pL@:`􁖻 h2c1ޠQ66. !PUH5.pgykH21""С@I*pp4ӁQDHP0k]=1`D j)mi):)}rm 0S QW'P7FP!OFm0 |5~b ’g&FSl [2^LL^`BeJ , eRf0qёk=HR.ܰU58WRy5B'0`0ȶc@B  h XLNbyW@ S@e `xjZlʖy=t @iF`@`pmKJ`eR @?[e!9AFQ1M`J+ K;k ;뼿;{+ӻ ͻ i$j5BAx $,p (ж I@?>0nЋYg;```aPJGߋ ׫oR !p't!l `0Up"v^cp“ik0 ԭp`pXڀXCB ʆ\Ž+0iBR hoY @d%[0%Ev@C`3_APJ@yXW,{(.5`b\Rdf h K`&. xx p6"e "\9 Bp\ kf2{UPge8@*m5`^+k#pkDž`nGMiS gXR &`9 ;" 7pg4,e!`*'Ai"L!E|F5Zϼ)KPydKJv =&*p0^# pȗ YyV $g&`'@\dn?q7pp=J\ D٠ڢ=ڤ]ڦ}ڨڪڬڮ] :P6vf^ !@=7`pp0)p`:(2jI`%R07(55Mkp~ b  <&"p`4?w`p >^+;K=KV *`̿zs'@J" "0Uߪ 0 ik @>dj= Bà bLVNmx:Q>˵Ie0 ' 3p!k `@'@@?S;;@FPJ`# oI=6p>a>PG M@spPw 0EPz'6 ZU(|`? B'^F ۠$,^tJPY 08`{ f0Vn!KP*R=5i|ͬ p0 P!!b ZP@s̡55pI Q7O=.j"WYY[~}]^,dNN~\q2]/1\Q2q=8 tbڵOF <+ `Q~g)K,1>p@;![A1a<AB@p\'&CdR zߵ)7|C pw9opP; ss _[0 05 /ߦ?ocO @ kp&@ %OPvL8g_mgnQOLGLe=d1u+%M 66 M% 'ɬШ":9إ ZMMQ3hXC _* ^*H܈ s`'WoPcC%ԾZ,YlB 5;*# J1ɂS|+&͟ o4 MFlѣ!]qӧGqf RHB HǬ_8ՠ7Bydž I QFJ-d\B8*GV k 2d. 2l04lB)jNz@t3ۦ M)~L*nG7\ΦlaA|H@F)Cˣ ND@@ۇa7r2f}滢|`CHCapFWDž `ˍ4A@ @ 8C #4"xc"%w. J0}X) BoPЦ7"J<, Y!a :@7̠&`ThçMePeá)tX B@@(`jQ8Q'R,p Yq6,|'B  jCi;0QfH U,!IaHS Є| h0vb(?la XA(8)%pQ»Tp x *f`ṿ&DAQs.J&)B bEJzC"jjȑ#z@ *0 864f$p8b PdKQx(V!ѭ U5EEEqo s7hf)*x/U ]+,@c EYs De]! in;![Z\AXWïE`s,`CBI?,eX@Bq,@Qa p" 6D400T3Y[ /k_h!, n; Y({\`IH`(lAtFɆ̡l Y L;şw/p(8αw@Ldà 10nP x&f FMЂ3N nlR.\ G=`@4Bllt2 PD @EC>%"HW6N{ӠGMRԛ.l^̀ FgMZӺπ SAJl;kx aQ("CZ3lM @dpC Lp6 j@*Ds5oC|;&jI(@ h5@&9Pp6v o>v =;ʫɛ  &Q#a(xM;X6ھy.$GF6Z0\Y(5@@ XG v  tHB P@zv¥/," :q( \k!`&3Ȅ* q2 dAz̜a7P!`=H"IՉ`W?“J`&CE [= k2+ktS1|+܀K-xX@ѰP١`w1D`$\`<pk 1G` pQ:!oxG$xjc"b:2 a?@-1af0\`s db`[&aֵX gHp`H @f |D]Q16{ K>W}p}B}l6#3 j3`(0:f `0vKPt*ZB Sr`irQ`KYQu0k02L `z6І8kw#,!!`6/ =!`$dB@}nXA % NpIcp{12kF & '`ŀ)qHfdlqXnp>K7L  ;>b@g((!0Mx p Dr` [`~G0P&Ѝ`kGpw`6Q$W F q& @g X𜿹sv"ȗG `[PUg=1=

qGٖz 4O^२b0 2- I@j49=%30OuOɉz 5`[U*K l05W `gmgb"wr*  hxjꆁj%P0pj>m`ЩZ-q plw0_(,Ie?@aRʺ/e6WF!sruox lN)~ M"!t&@ C0oȹNK P# AIpPr{l!P"n FK 9+먱JƱF{Z ~p5P72 p` J]ie20\  R*õ2!C${ $ 0 "ER*e0[EPi@5Y2&BG`SNʻۼ;[{[:@oe+- n(E?W\Dp۾+#Z{[}_jŵ* kt[_lia', ,t[dLa" s[,c!|GA\1o'p%P=,j`x: ,1` >>rJ|n*޳DS;p>(sYZ+l[-_/ C!ÐJ& xq{!%,O@xD^#a|9"X<Ѫ!' QpǏDik,Xm_o ! me J0[ ($h)X@U?k@6$˓rX!p0:F`7!]9f&%, % 5)hNW\_ؠ˕t#G*~h^7= 1Rp(QsM5g9𓤐]0`t$p %}0  ۧYм5DF}HJLNPR=TM}& m@7 ٩6)\}uq܄$Tև8T"pa q7 <OJ8 WB[Sٞ٠ڢ=ڤ]ڦ}ڨڪVY͚s 9b8IDkP.`~ڴXПE? TԐvtMfpg dnson["b"E". R G< 5PY+T+&@˵6l{o0ؾʐ%<5q؇ _pZ.ggo, e 0 !L jU\B;Kpt_gf _h?s礡k`ЙWse5%dEplXdZ$fm& 6`p_ Gр( Y ^ _U;op_`[JP.r2HsMzg ;>! hX(X & @Fj> 8O*wN%M 66 M%ŗ 'fLҽپXX^A"vS4>J-JC*BL3ؠd0R4 !:L.AÙ`P'E6WdѲK/p8sꌆ-H4I[H*⦴an]v PԂl)C,*PƒᅁDaL7hqD)5:0PMZ(jbA &QQGH3d%\v9MZOci,RG_6tmVs:IZi  Rv BhO FFɏ4kTΆ&0Fm>~ă" K%ftg6C "> ! `4<< >; n|qI>`e4pqb+HCIlÄ+iР 6Zl^ Kmb6G x,*U4@5pB <P2R"0p$eЗD!`0"*l 7@=p " >LC*`h7!xцd4KIA<dO! .&*`l}XF"|Ep@!>F%\K!ȰΞ`ܰn: I2ig21.+q^4e\8/oxMW"okTg@dЀ]! fedA^F_6}8=&yepfTRd@Ё p|PѢ4;'#ra=Rg.&n01,1ӂ4D0&2ar"AH@6BBYk(GXB5'S8ABMI[ tU2h4cU*z_-X0@34!W^B*-Dh&$kQ 39C蟪mIg`a*:?4@4+P6.V*xn) A\ *BKHzкK %~A1' (pf۬"Ν!qFjqp`64m_*~4"I{E}c` cXd`  i:P\ a%0M5aR61 BjK`8BwX-͚T+g%鵍 _B8y>5m.^tcZ}Q<"PDA `׹$`T^G$s#m$=TЖIx2 Ha@ `Azy!|Ή\Іe6~PF7tяjOf^'m ? gdh0;ЏO[Ͼ?~&& D { C@zo SX8XxV1{~`~W=GM0>~ 'QGHq4*,؂.0284X6x7XyWltE!"Tr@H ! [rrk GIaI8[OW ]b"H!`ۃ` K ; grxp55 Qw|zQw S "(0%R#Sb\p3jr![e?n!\P ik`o/F.(`!ra I"p=hstXo$]i_H 5`^R@1dd/P'/v@)^@160k(jJ,l' l <@,g/(p$bdapo8¸@ksX2q F `8۸>H{& ]po-  JR !P"/ Y9H0`p y2@977 ]-}`nG/bCpJ`؅np,e? CN*Gsp0b:yI )& uEl ( 1dP 7ᚯ92 dPMV Ɓbp 3Hmu?mOR3ϰ4V ; !@`wpYLis"=oa8 0IB  :&Zer? cZ;`QPRSHJ0r"C5 Y- ҳ RRvuWl2 dA5 !hp8Vߴ(LwzZ-y / `wm78ťB U]@P0 M7P+]p07RpQx:#8`$q p"?`+F1'd&`KM@7O*i\i! :!@8ii(u(dDvL_pq pA-`J ``@H0VGBCt _q 'p IãPl`8QFA`&^nprJa@0Pa`p 2&@-'bL+&" |۷~;[{"0K =pWXD z 1`'sKƳ`P `e`I2:G0(@tRHw#Y%`IX@Pv=>0[{蛾껾 u b!0O8TX``lv;jPLPS Лp0hf6tXg^ A J0a`O@R 0 {jмJAY(Ir y{81K [);=$_ '.4ca,;o vCtH@x|U@ QĊE 6FjLpcGÙF 3^0gKнwĜZkEɄLh6\lp C@0PlҠĠ[[Q`ʍ 0F:<y] j&̅.LU`m!л4T nВe  0Ͼ Ўyn5m`ͫR0z jmep J-] /=Cp<:X`w R\ 1#!Pl)ꬱp/ D P; XX BF{֓Զ @O@ <ެt Lh`PMЖڰ.;~ ^ <}lג ]P`@ @o!}!1 h]Lٮg@8fh M~HPpבn@XаU9Ru-"ܪpٰER= "Cp"T} (π \3P+" >:ЯpE%ݵbwo YRl#`?1a3py<ma je@D5-ʰ=WB'LM "C KKr OFXR `g,``FT^(e3ڂd8F+Tt`8q$@-K(ػG0&N̽҆L.^T 2tYO&?Ȥ,w    /2$8qV0뵾 fpaڍ L:H`n%.uNӕ=9*봐 ǖD 6P4F4'q@Md Y Q# K*l- oP/ nMİ YF:[Q0<>m@ g 3p@l Cpi qLX 6oJ 01nP@`]C`@V* o!` 9@jl`WfD%LFJc?1n@Q6V?`X_[ (*L*nBX,X@ 66 M% '1@^eRb*3"^&(B7"7Egf'p( &"p3BKZH.G5;2m-, <Ԧ R<2sF& JC-Q(])JZɲ˗0Cb V̛8_ɓ"a"fL ?[l8&F(1۟dQaAhO$?a l]e@*C.d3$#>> Rᡔ4bHQF,@ 0G%dɺ׼f ۙvޝǐ3T>"z(3GY&xM`i8B |9C%(0Ǚ'`L3H*d2,цx!}%_fP#uB(eLQ ,$[M-ƈn2x"F  C %!<FGG$ITF Zj_ 襍W$apb@ ($fHh 9%@ aFLX!(DP t`(dL,̞< o0ǜ*-3)7cJi4E2;7'!?2ӷL'=T RkЪ1l#Sݚrg5L䄫z~g>7@0ypD\0}HܔϘKX79(eASzJFс^ !L7 A4l! '7G/Wo;yR! ` gp8/.G@ ,:'H Z`!Ps8@I5! ,$vPp\R8f!\H&:PH*ZX\P`&"{.  0Dh` ̰~\8r1$7cK@w ? xl` C&p|AȖĔ!S](% `.d 0 8\a AQ%l2ye:\B (!X8pdAL .F . JDH3ɚfIJ/$-rF a9HB?a0@y.'F7h͢ )-4*Rzm -JKAҕlKKg 5є0LoSH)v T*&m 8'@PP9$RrՋJ}D@a)` 8rh0@~*^ VG(&zw% `pD [&TDk $)p` A DkI8, plЀp%4! #Buā  ' Ád \s $`'-l4H@rkZAV;X`eN 2x% J{% *Xp8H }% dC. $! mb!@?$ @QM7/_H `g ! ! @j@l`8h4ۙ6 $͒9m\?,A O ]DCͶ g{"@b sY k+A~_";K !P2ULP0@Ag8^vcRpA.@Gү浕\?x!>BU6UYXedMk[ZPBU7ka+3k7aF (F L66@3 }4ħg`㑦px\"s s @Yb 3Tri)c6凘230PA~cp[oC@=k?xD[[ PqDPU\%nf>0ڝ'a+TaKpoi5ot@w*G9Ǵ h+ &x>Ue@@5"3`\HB z<p)jPG85Xe@j5@x.K pBA0=>ЄJeuZp"Hp}*EN,d  bmGQp gp8TB gPG0Cl g@^'p`wPL ! o!P=tIsrJ܂8)xaQGKsG,J` ubz&P'sf6*uz G#r.pap]1GvG8 6 ;Č]vT hl96w =pp xlrZF`nPk ``.W. @m`Apď"M MIRp@ kD5@(P(pEm' mPN%_`M LP0*,xvP4 A(h '[x(^obu@8F%a9'tl0@G0K ld bp8gĜΙ-:Rjyb!<#G1pXUIZY@ &|К`kpde Ri$`rv;`x <%33&3@ jN=XpН`FC/:z=V>`6\a(q`Czo -'"(6 ,M^ђ2 nzQ0 0L7MG-`.dP1פ d@^B'KHЕAI1pX@Xf ` ^Z@Qe a,Aդ<@ ; &qm@go0\ڥGJ0om@d$pZ4)1B EM5>^0 1(j'ErQa0\Wg7K0K"P$EP[^  B$5@a`]-YǬ Y)pgp"P,. M"R Y@G #% ൛| 䘧sc 6R_0 <@`a+< !maFpLH긇Sa gpUGH2 LMPk ''` P&dzb3⓬E?X` P wLOpLpusdm cK2?'A )3$ @B`%I%80[S`0"N!Ka } G  ?y|0 sT2]vadp&мv|0|.P~K - P8@@%+%|0'sTo(! T 7uÆ; ? PprG KPl0^X \Lp K`   @je `'@Т]yYpbV Y@4,`pT"00@ĚPEaw.ze7lQp!&. jW!T1iO hCGr[K' FXL[p~=u ^Pg@K  aJk0&Y৳ hLQz 5pJG!pd*K= gaSdpmcY/le&l}9fe`a} ,EDҡ`ҏ8ÝppfG;Y= 1QgQ2eS.eKe8rfdb0`pTc O`Q@-G;S*M^p 7)L[+s|M5%'W|`lȴ(6C0'^ dKdMmn@H`\(gqu<_d Y@gprXl a@[30&@Myq @`m,%J`vՄ~8 MZl=RC86sN@i@\$T+u "n pBP.y8J`tp޿f'yM >UmLPXż8;`)Lވ@&p; _q0hl߆50!1X`[\H;pU^1Fsɀ熰"n_`ak& `&p@nv6pmAp+GX00f i3Wp@=71]K""gFp[^_|LV;f(>` H`Iqp i`KO~ M 8sT.p;7 Y^^0Y}(`[˵xWc xkP. L /anpnM;doE?meo1~@Y  9`mڵq/&ipH`ig`HPc*;LG=/<~r0rl @, `PqX= `E0[5Po@ 66 3l[ş͟Z҃3C@ދȰ 0šqL `Y1\ H*\b! jCy(":\ɲ˗0cʜI͛8s,m\I3A8` Zo&1hgիXjʵׯ`ÊK?CN Jh.Nv X-ٛΓ8hJ pѦQxA I=0"μ}H D;J}(/5 ر(9CD><| x1? /'.߀g Di`!!FOH K <EJhb,  |*V01Dv P}aF BD6 TiXf\v`)de(&"!.JaQ(:*?.DvL<78y LyAZ4裐F*餔Vj饘f馜viLHȚ&*pv&'˝9RI"xhdv&""[JǪb @P#2`G3$沁 *&'Zb:Ҁ ^ F\p6\Ub7+M&ì*ebo kZ)h*p6A(0 ĐE#vL, A$Ϗ5?N4h C.0 I60TbKA .G`+'y7 Zd%6n@ `tHg B{" ( 8?`ApU  ]XJ`37YBgpP0p}R0c`!p(R@@ j;ЎY@Pk&xl\ yЅ_X ach< ws`*ёTXm% HDesd"K[V|p:Hf0Ui(P6'^ h>cePQPa?@X;`w9ncD7J(7P$0upJyXjYQwl'%w0rW0Gpr!P(=oA9lx =6W uكO0B3CG@4Am 0CP0TEK 7q;mn`M dhyhmN`QrPpCPP`ER0١)Z+30FeK0`~0U;_|@vhPh.0gJ2po8bwi5Fj)@po@@ @p^&_Sgep &Ig lp2 1PT` CgНPaGFfp:Y^PnF 0P3h_wpd >u^Hph(\3\4ePg@0Cun^` Ut]C\7URP,^T^ @脜RaY!|Gl`(S zZsd}4Xu`EBPTz:VO䅢%POQL%5HQB*Y`!5Q%|%^pg=@3$p JgR.^uUUۀX ! #-z҆7r7'5E=(@amF`aapga0505p5_ !G@`^y+ {}rqP"!`(X0We *3 {1OaZ Pqvm0;&Ok ț=㾪p@{K;0m@*9p=Z о; > [ v[k˿{OPJFPl   |/ 1?.@3 P!*Eе3| 1gfd@RÜ`B:8y p8PQlo2`ŷY\ [T< y3>x,`AƖ`^ ik,;m| tzŋ@nǍzdDb[\U\U p t2Z;T aɓÈÈ`Idg@Yt 1 L L z ˒ǕXhƥ˧>>d;@v%f J,1;ta ;0@̈́a͋ R`# ΐεlNuRUwu]w$!e/Cr1^PmpM)g*>]o " @~a(11 X]|~׀؂=؄]؆}؈؊)DU (xVh-I+G M-Q*љDphr7$.ܐ֊7!}! M3ۧx}؝ڽ=~:(3@ֈvJ>;.hipA@ p2'@dC k&A  ?TR00p܇= %ZP D@tgәٵ ДkB}8 ;4M O e%C"0l<N<#%N'N %O,^ ҝ0.=΀֥䇰;DppbNj[ B:{0P0%ٞA"nEkŀQ0Pw>Ƹ̛ڭgnE^|GfP(鈔fL`ibU1 G A`in IqA . 1S P?s>[p00`%p߀4nA?p^krSQ=E\@ FۙAH`@,i1!$ Ӑ `j|@ @6 JOyLPm8OO`ӑMTb^ cb;8„Npt D FInDbG@d+X@lހN'w 'dp aM`0/: } k J3x:w!(LRpO HW=I ^L 5t`^B_wݏ!EA`瀠80/YΘl0 k3Ft^!7&3$K5X8'' lefgZ 2&>9:" 66 M%Ŧ '-ObҰپ߽bL I)@XGGggn6H&Y`n@c?`H: `Q\;y3˟0g\S媗,Zpڵ͛ C3@U J'HmqcTfTɅN; !@(,!A8 SȠ &s&FD nlpL-qFn -hft@[zɪ֭\4iԂ ѥF6f`ZצLf5_:!F N|W`RHU5׺Cr!0l8z&{ aAa`!c?Q Ԡ*EdTf C |Hx$hl1x`L,2F$BT1!ωhJ XSJz^,>)bt!@4pR%.e/rܜ G睽'e14pX@d\TvPН@A0!\ >$``8(RX&+BdpZMX(4 8BVAu`@ pHD S r# #~Y"牶 L0ŘqXTsITxQ`Dy5T@4Zp: 0I"D?<iA . &Ѓ8H " CE!0;LQ,h5,Bp X(X a(Nqޠ+lj\(Lapq-% <mR̮v0hR$ K/5p%gM^X[>5PU+``**3 pQWYXSr H a, G`NVVT^P put~%0vJ=J^mzgfY~}Rܘ9$- p-V,xV̅N}4Ui[@N!?+X`Jܷ"&]0D s00dBBT19@T9Bz[_p `/榨M07ȁ_e(P$IAϤQ徱YTb@` j#*Q 0:P ިDH`fy#"(BJ1+*2@?x,E"%ya;8 (I'dh"~Ɋ!y82]gʧrM ϠP BU|٨`~S;`Mgj%t gK0=DCGCHG"{FUPR`'/R#R   GlPApX 2vtp,ɲ,xOp>lCX00` "?_FiBW:r r0Jp0IQ#02\fV 8 g-7 ׋?Al`2p0h& >a0y5A vr5Y5HQ gHJ K0I5p#f+xnbp`~Lj1BRC!t dpF 4"'U rp7p+9 J C(GgAW&'@3o"MuV ?>8Aprof܆$ ly $p`HPa x{i 4qqf ǐt %f ]2a8P5 򧠾@t5 WWzw i FeMk$m6ghpt0R`&3_8Yp q8\iK`EMwG@әr I { `g @vg 7xLѴ6jJהMT',2l (P/@GapʇX.pa"@p ^Z?@tDOvv]z_~aِ* ;@tE$@TFqu77KP ""6WbZ WZa =`5 :JpM i +晠 [z~ʠ Yv8|q >tixzɗh J gHpwe Ѐ<7 Jv:{y@B;D[F{HJL۴Nc"LjڡpOp`` xH>.Pq Sl`8G0D}z;{Xr  w+"ܢ鐒-Ss 79v; {q{0+۹;[{;{vhʡð6]Ggv& hV-e ͦmVF=B`8@Qnb2@)*kU^=i7wc;[K{#8' < V/ yEJ 0o0fǾK qɡV/X ?HH6!-𼨐 L8'0gE1CH- A.LIï{D@YNPRc0?u.+"X4yC uh /K @ (Bc!h < -ȸ,\*B8XZF{dHp c ;pKe UzVL ?`#p^v%iHБB@ plMur ^3m #0P}ȝʽ=ҽl~ҿ8ب;I3c;JP0 & d] 3 7pޭ Zbڦ!P&} -kѳ'0W{9@) ">$^&~(&N:0=U2 `t#OpWjZtJ8eޫcp_] ~D9)yJ C n j*Gܧ Gg- vL$M'+Jb# !0N$D-Z"brY]"p奰OM}%c.+p0^M!v=xMr>P{CUTGu/r` ާ`襠D݂M0g%"Q6v!'4 ndP4pin ydEDz륙/뼞 .@| npt">Z^6`Wuծ  @].j^ө1 3\npq=npprkH<^>*I&5  f 2R-w>04Kj0APpи`nq Q b{ CЀcR%M\n H'7 ( ۅYP_z"`PZp܌?%8 0@dtHz5;38@jݦ(_YkN{8b mD8k^ ,kdP&E`lPѧvOGdGGe9:" 66 M%[ae ``ʷ 'ބ)7lAJ5 \j>-KEJ2(aaX&#->2ÈST&s:} 5)M0I(SN˦KA^ʜ):vnG!LT  p`MDl&]?RȍhX!!h+bB#4n☉)Th $X"^\-&lnZ ($PPB@hA 6D0?@Bt3ZF8,d!!*qBH3T$e\W_J~?f bR=LqS8X"<l4qZ e| allg4f1wq2pA@Ѓ Akq[$tw|D^c-)} g$C'g MH%( 3!G a=Q""8Сh2, d@Qx,qM q7@`%J_ i  |L.0cjԂ .(bYlG 4$:idAIēO5QrL =Ц 3, ()EIa\ p|;-8*FE2F)HMc,QE>dH0!A_4v PxuK!H ^,G2t2PAہ`Ap  ( _rGB%@*>!$J &[P R& /0 Cl`Pf`Q4@AȠqF;`4hC00QNqK !x.%!XN \t&8UsTIpCW7o2% h`;;0Za[@Nq.(Jp+m/pHAm ,;`rZ1H}B  ($0 NZInWBX9㪈]&Lxx pdC(A xa% d e HBz8J")W$98pXqF71U}7+o ŭa[ p/6d M&wc?`h@Avl_Ao`*" <f0LA86 px6X-WA-_L8LF  R@yk"@##? ${sULGW Eoz !&YabSM.Z`&«Cfҽu/L35v2[Ԁ#(@/m( @)([>Jˁ,e)϶!g;!A ( $/VAߛPO;'NWa ѭ?k^ aP&`BCh"rĪU+3`7M@ЇNG\ַTǛ;ם&NWVW B82:1u}WX;d4{\3>g=p_ ~nu0{:!~x7>g5n$Kq-j=򩞼+y`/UUz1~W}JN)w^m{ۓ}9oy1|]/Ϻ~+h۱[}}oh O6D3+~4K68Px ؀8X /ug8Q>xs`jF.0284X6x8:<؃>X'Pׁ,G'.:w)h\+V8 |zb *r &j7UWp6gnXzmh'EzhlX |o~VXj8gXd8wwVGx]u8kU8WjxUXjxPϧHjOXG(WpϨzȌ(fɈOXwŘ^ԍx(eXGxX֎rwaFj؏ vX|Ҩv Vאc7tى} vّ6S)a>bXh6y8:K04m*PFyHJLٔNPOO`09?\ٕ^`5sfuhjlٖnpr9dqXyx|ٗQ~9yk٘٘9{y ٙyI9yȘ)|ٚcYoyyUY ٜ9Yyؙڹٝ9Yy虞깞ٞ<6p&P yٟ:Zz ڠ:Zz`;PK4PK)A OEBPS/img/sec_policy_changes.gif*[GIF87ar24f4f̜|~|4ddfd4Μdf442\^4||ljDTd䤦TV,46´trDDFʼ|zL\Z,<> LJlnLtvDܼtdƬlLbdln .+R%zn j> &ڛo~꯻+o 0jY gι1ɶr'$loλp*|f 37n/Ƞ $"k6JoG=*?7-uR/FBZd\2dmi)_*=jՍv* q#J'Yt:-ev#nL)N =5vu^c,O+z糌}騧e+<8Tro)д)Kxǎ;hsOqy,sl=_=uRX0;<އ+?z[5Ĺ>»yͯ'y+#ն5m c`\a:Y%#;eJr+ڭa% `rԦfR^^UE =@TRdz0 a15s J*Z1z1ϋ4߄=kN|E6Ii{c=:l3nBG>V| IBtU"F:l"IJZ4NzYL'GIʉqLmVr1أ+gI˰L,^R20eyXeL>f:Ќ4{P̦6nCR 8Ir6)L:Nq)b} (=)Ђ0j56 [v1Q="ZFnEcAЃJQ(G+$!Z/GGzɂt8^CP҉iG3AXHMOTj ʔ)< 4XO-*ՈZ{.6*hS4R\*VY]%ƘJ>*WUn5P<U͚:$Nؐxq՞d:Wam+= ԐZ ijW.+Z=cFQ>C-Ug9fYwm"ibM[vX-IzW$/]np?WΎ%o]+Ϣ6 ,ZB񯼅mx;"v1wL`l{*x0Wֿ w&^U+[!lbߢFpfY kpNK_fؿ`VVH~;[3حƥk2a+'xwk!FN׼j-Ltv$ps>ǣ~6MBr>h ѐI[7N{ӠGMR:Ԩ4WjwD %[MZ#%,P3 Ѷѡk! J h%Њb RCd`  k3$ _B %[ < FPmY! ^L8`1"a( !h]ЀK7,Ѕx ,>)!(&Fa3j`aV΂C\`2a)=EWяN uN3wn @! 2Gmn@Txf`+xhgc"'cp+vZHѰ:։u$]y01`y*iy'gqCE]НYw2y|5ob &wvtO!=v;%yYzO-{"Ԡ-hͿ ^1H dy#|n}rP'׀| $wW~D~Go I`x8 ssGwwM|GR 8y(qw+x.oէ9ry& $FhlH8wx!xQh x%XNkuׂ=_1׃_h|`Ȇ 5pH+h86S( H}8G[h88*H>}ah}i8q8tvys@~Ph!xmWx0 Hy'/pXWa(|4HzƷyhz4pt607zk>O؍17qwCX *ϸl66(9`x: XInhH *\Ws/@h23xVq! #0$ m&%0z&q()t9am qIByi6F`:8RIVVyX6 P^`>n9h߰ 0ncqjyxig|ٗ:~v9y9 Y2i0ٙə Y|IiٚBɚ YH(ٛǛCYGƙÆٜƜYF֙ٝ~ƝsYHF晞ƙ Hr$P yZߐP`V6]iѐeU05eg>֟Y4% _cM_A%ZRjZ;SA1a'ZeZf,ZTTW ZcecN֞cf]*E%\!z#SEfav^)X$jeX5;\f\FNW^jfW\P:?j_*GeD T6_MZ=ڥnaQģ`zUէ~W}Z{ b?ZD%AsW Ec<@d<&:;d1C|LcteuiǚMeZ*T>Ye6T0zQeՅcj jʦʰڢUVCf2:\sݪۣkjaڬBEeQeú_:EڢzAj bZʥ*MڥYfƥNvh _*ǞTUQKjcbKB*eŊ99kj_A۱ʲ٦ﰲɠQ{ L۴  h Q Y۲N^۵R d k;m{vz۷ge ;[{۸;[{۹;[{{ɷ~ۺ''[b[K[|JW:y8xzQr'@Ghw>tɋ{;ˀ˼<؉+itͻꛋex潗)zۅEg uۉ۾GRz9VH+S' { l[x%g v \.Klϛ|m 1l}!>3+lӷ&<` ЗGw?8B Wx t[2C# l\׉l5 Ən?(|N܆UwAgKx;jh(naWY=]}_Pֺ9Rf=heU^t.e^cTZveֵ Prm5Sz|m^DF2 3^,E\Jcׇ횉`%`d ؕdT&eٛͮ`QER8;$JZڧ ڸۿڣڊڗc-Ut yMRa…Wדӽٕ]kaɕ"qiDj__S@&ZRMMN}VfPq|ح >^~ >"^$~&(*,.0>2^4~6^P%kM .T, EG^ IKMN C#g O Y [ ] _ ace gnRnzKn@`Š6`Op @`迠 dO>瘎噎 5q^鹀긠Ii- >.  n ~OnJ.q.~꛾i3A>L 0!܎qa~v>~>N> O ^^O?/#%OO'-/.//O3O_4(>_`N* ,oEO]o~]}/^.qb`T-F p/CO̐b/rz_CX\w4zgmq% \o;?OwoQ_dݧʍǽڵښ-l O8UW}/f=ۃگ_ת ]lu/OO-EaVn W>p`ڿ` 8HHp8x08II8 ɸ)Y 9xz +;K[k{zˋ+xpZp|<,[,܌ m+=M[m}.^[>Ι ).n\_ 엯`3É&R"F7 (lҍ& F'[܅H+1(Μk95 "o6z^O^eֳ?w௚zJGaW~(\w{ 8hN&X{ŧM܅Ƞa%rKhX,G)ʵc/a@&d3~H^j)9!:8d.(dEgFAɟ-SfNy~鍇)gv*gzHT)iguni& JFzҤ j*!t裔Z-YX2)Ciꅟz㝡i\:WY"䓿ͬz(tkA6ѮZlryov*,-'<+nj !n"}BZ8묯zB)7&\ d ljX?@.̰f˯jML*"$:1$L띺,\Ü⼏Α@΍?938lą.._:7z0eۦru4`fKł-oH]'su7|yǤI~J}4g6kGs*h⢬q%4Su'otD wkx(jmX1EMqsc4:bCeKdb#%-2qbj wD MyM:2Lc}"$-Q"U>'[$ߘ&:7E$%.Uѷmrf{!YLżKN:ӓ 4psnEth2vшzȉOqsv:WKiD&(|泟c(f))$yЉNGt(<6w/7,}F9ZNV";ԗǩt ԣ3=%D4Pl^T?=#zOGEKӔ3>USVOԩ 1@}XʳukI-J$H6dV9YM+ *KsǔZJd' &6S-IZEU,8X͍}Zgv)?V{:}qG4kYxK`ݙիn˰hbۊ|qSm<ț+e}`jkWPvpwdRZ ]H7];NW ȭ{160vӋ^Ee0;=8ѐUhLշmr݊Z-tc 6@]0 X1>0]ߋ' Y]RUԮ Mqz&+okăo(xC/yYx]NܕnF}&GPEld4jkqb5r7r'CcsXt67ds`gEΨ9ڭW _X:'g}\z׺D檨74J_ͷɴ`\ g#כ5cJ^4ȖFO<C[Q|mu\]j; 跓 8o-j~l}klۤvM06X%=FPŚtK76M7N8f~&{g?6!εjb#]q_<3)tyҩ}ps^2O:ρ}sGfv,3춡nw/q%^9A2~|.K^ qu|ĴQzyAG@O2n_wl^7WT:7yx/y o{'9=Wvc/Om6dh~G!D wGiǃ ⒯8r(iШ}59 8yQ ד?JIQxwΑZٖ?O9y@9ymmh)~rhtȔc9tIbxט՗,qH)~!I)lɒ<^ٌiYsy[)}$閱yyd{كΈkIp)49Ƒ9ٜɗ) کٝ y$yi IHؕ9lw 者ɠ4Xy +{ "$I!5ڒ/颧0$&1! ҘY2ҢʡM 7*%ڟi )JyYD:XHIRjy-aZXS312hf853ui\  :9:'{xfcM1Q&cJ_ jx1 thgi.i)u#lfWUFcRҢd :4j/aHfh_ەeh|lHz 皗y= z*|Zq|eF]UaHfjx 1:JJNJ: ; 09 )W.^hԅzS;( 9kۑ;Tʪɪ {lzZpڣz7[ЩH+KKVK _N i;+![qjqCYQ@yQ+Kk˸븏 +Kk˹*{K};$ k!TB뺯;L˺ $뻿;kL k'D6t9 Ѽ[=ܫef+ {z SJ !d} Ѿ6þk%[h4뫿6{l¨+ k8?Q !|ӖCtBФЂ\1 }ն@ٕ8#fXЧ"]DTM= =<ѺպSGX`V[\BlMn{p ;,!6Wqb"tv~Ll/БۘQa8Duwͷ -VmMKĭ'ܳM]ͻ֭ -= 'ޭm#MSӍ--M߿ڝ N~m g > Ns])!"N%^vn)&-x/.3f1N7;d=2ANEF2I^JMNQ~*KUnWY[]_a.cNeng;PK **PK)AOEBPS/img/dv_oem.gifZGIF87a"޵1cksJ99ccBJR)νcތs{{Zֽ9BΌkBJ!s{ZsƭksR{{{Zޥքkֵέƭ1cccc1R!!ޜJs1c޽ΥƜƜΥ֭֭BsBscޜc{sJ{1kZR{k֥ΜkkJs9k޽sƔƌƵ޽1c9k1Zέ)Z{)ZBsέƌ{!RֽΥ{εJ{1kJ{kΜRRBBccJJZZ99ss{{!!))kk11,"H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\2Ꮧ0cʜI&$B8sɳN Jѣ(]ʴӧPš:Uj5ր`Ê ٳhӪ],Y7ʕݻx߿ LÈ+^̸ǐ#KL˘3k̹ϠӨS^ͺװc˞M۫Gͻᅬ Nȓ+OΤysH!]%`سkνv݁SyOSʓpC]*>@PӫgocU`lxw 6F(_h+t!)H_¡p ~2 %e ''~H$pIa2 )(I(_!iYk&aUiX#EtU(di&l50]&*bg)"$#)wrJW(z `ɝLʈPBX*$jbJהH`Jz*ۥ&f9k_lf( ֣(;y`_r+t+0*x[-(fRʤ*:+;eKj*x$eisсYG,ė ʼn1ƝKrz" +2J*i`m_RIW%xBط  );:H{t 5`tRKɵW_-XT/h{ki oӝ7r w_=-7[HZ&b%xҲ)w&pr_"m_"*'( ЃuBJ(2gO5_]Nj <Ӹ>Xe^:Wo}tߍ7kOq38-םۏ=ݳ/aT~y*+2_J,=ˑ+ :`X&&HO'0^Wu0xWƵ̓!5(<]0 m37qo~ mp~ۛ KFvP،Gx&ZPTB6+:!I⋦(>UgRAw&WՎg6!nh<4¢w0Ldl؇D#0K"<=q}X$c7#.1}q&DQ &3P)F9E+q,,bgxF8O0ahG>6Mw$<wwG7BUy\3jZVz!7(Iy4Fnq&5Id➙%H}D^22`H%LTTNg&ȥ'JDTpIaQfbfK& xk]wy|%Dͯ~_.A *@ cTN|;x` %(a K`B7{  W;ưWL~el1NqWMC!! @`*[ $XM (w3s,ex9iVC3yьgK#>E@,;U$8q6CE|4= ;tRjLZi5QaX0Tuk\S׺ugz=b_ETpPЎ6$#\zv~j_涷CmM/&7ݗte`Klb}w}>CE8}y'*>v} Bc;h32mx9ƿgY'?M7_Gr37}]1GL 793UA)8<,!}C|osF{P8_}{>gfv4]͂ϯ߅}{`W^¶73w0/]#0ÂC:!AVPC` Z,?RL|<| x87zԇyO=N??Owp>QKw?ǟ_{xG~%gxrzaW?CGy7ykoWjO7}z'}pu{J :/dc{tWnu.+}}Uh+b4HPq駅W}]a_s[؂TXd\8}0aiH/qbws׆{y腷#$yJyh(1 pv1V8_2wAW J$WAjX`|UppjfRpx~!83Vxua(dž؋xsa(ȇ8v.SxX"؈xox숎)(wXȉGbXg,׌X! w( -ɀ0ٍX5ɇho؎؁(XgRg$ٌ%hPe!5(\.xuRkN*V}(Ixc`ijL9(m)wH HC#y?xBIDi)&CabzQ aLH/b`E/e{"g*P[s)؅fY)钤0_ai&hxc/ija)7i%9x瘋yDly$ya耄1U`e!dW0X` Z\]Y]"`@X}XtT9ܹ}|Vzgyrih&j~03*cbis,Z_4Yx?_ Z`RSФ9 n qڐڶFdXi^zgaUiIIkCxFڦiM uLHBiegc*]z/5c~Z_nZK*zک~zjjjf*jzѩ%0ZzB੾`A:ZzȚʺڬ:ꪰz*ފ*:Zz蚮::Zzگh1{ ۰;Z{۱ k"[&{(*,.ۤ$ۯ>:jR +\;ǻle˺^ VsBD̿ER|bZ [BNlXۿ/۸S\\o+)L{v?AL[8ƾ/{6'S\;#ۿV Vl~’AP PK;l`td.ʼnL5´L\Ǧ<t.zl<(;\U¨,ɄM,dz\Hl`KTL ͪ\Ȭ̻(|bܹX K'}|7ĜM}ȑ<,Tѐ;·ʋƞ^-Ͻ|ᬟ{ ӋuLL",L; |KЋZC+K|=q=~=ٔ==Ͱ؈=]ڐZԕڬmٰ&k׳ۺ۾=̽=}ȝ-0]}=&ԝݷ=]}ހ= }Ej>ݵcHe n ^N+YNǗ.XS*NJo|dM!38*>TIC-1!㜄I"?CMB^~< ~|"Gמ0N3DIZ+SND!8GT~+.sXj<{Bܻ>L}P~CO{\ RsNܴ7N/>唄~THuN>='>!筞|xnì.5M|xO.QfHDdc~7>^.IbI$>,~IJi>Lmp-H7\ӹ6|#nMĮC[NSCCCs~1TDNAMQ~Kt>znGk|~} ^~^98sIOI4I AuS완Nt.LWt=J>]oHd\>POFqN OZ>:SXlw^YOcc1Q!(.^D \.N8?I_#82~.CJŸl h_w]h/G >ڿ-?_oO!曌_,! @@ DPB >QD-^ĘQF=~RH%EJ-]SL5męSN=cTSPEETRM>TU^ŚUV]sJVXe͞EV-AkݾW\uѶW^}&8bƍ?p•;0s:CYe˘ >mQ]WG[쩓 flZ7ίn]po;q͝?3%2guЩWoQOGG^W'Hڸ|>n/8/?X#@B+. 7;#;F$Ds= )L@fTS6S0O?N,CC:U4!E1!H'5F#\NB!M48[kSTSO*0/TEVBX K 5GKa O[q3:i=tP:i}PT6ګTYWQ 4LM]m`mVT<3/wWZyw)jyv[WoO]s%'u4w]7~ct_^/{T6_M}ܑd%m;nLS]&C8^3gON3Bwe? 4믺29Y:3.fY.VQyan1F;mTUTV;n:(%,ܻoFĚpwHUgqx)}xG>gy^y駧k~J{ߡ Z_{ 5 T #ʗl~A^@0!eA0(v{2@ĂAO1!MDa e8CІ7aD^CЇ?!Dvv["XA D,B#U(,v1d|N)ĉQ\bMZюwcG>x8HBҐuc xH>&r%GT# 'I8qA U"rh&Cy6d%ASpA#e5I-aN2{.KOb2,&2 _|-9KL0)?j^؜f8eKPҘJsZ$:w3e rj$a8)En%QPCI(C%:<: -jHrTe9ѹEf/*#XГ4#E)H⳥Όd(Sgs-)#Nզ5-)OyԒOgHq*UNReiJJR~Ԫ7WݩLb=VNJQR՝;}MSR[ֵvE*MUAA 2:X;2 ,a{H"Vm,GɩOuUݧQ3ƢmM(aײhlNaʚդjEY"u)niKZݚԩ-lgߞnj}̖v-k&em]&ujF[d!c^ʷ#}7%pkɞѨm;?@R3+5{Y}Eដ nks^V氂5jssI`\w!+) ˝Za߈7ٻgשP,*`Mz,E3a,yd6_:p&pJiR5(^"Y\+oW6@z13/MY6ZYtQ2:ЙV-gYf iZvZ}rmgZ$A=6~ۜG`!N3=by׶|lg+^6}|fKVϸryEѝMn--"2-tZo8^R*o\[6kjెc|>#;n7kw{ު4Ê?R r϶\[oxk v-m[{r󜫗6׼t<}A:te?]yb|9j\=e;ў[~XasrXmg6c⶧="%^s=f?|Y\Z*v:)vB7᷊s9pЏo%#^%oB6A:׾.{*I_ϓmq}Ít>nҊ}/5'^>T_Of;B]!ݧ=m|ǣy|ߎֳG߿࿦s\:?9 ?m 9\#:h)@;S:A(A) [̶: X6A@A#Bss&t? dC B$Di60;B.Bb34'9 0( X;ÌT?LAdB:TE?\pDH(2#IGT,MLDhE(XA JU4T|담P@K8hYE[$,\EEG*0;Ɛps-..0h>,6 *{5`F#n˴el"E`vtwxylH|}GwG||Gcl WdEe|F[l qtH-fHlHkFrt+HQ8TɕdɖtɗIɚɛɖIɜI#JƐEk1c:&mۻ-{tڻ{;QZ'[ӫJ,<+$ʦʥh*<؛'kʋ4û:TrʥlJPϔS%Wds׊j]TR]^o*͌U"6}֟<@dyA6CBFEfQFHJdxKMދLOP&RQ6TViUvWVVY@Z\[^exa&fa~`4v_vf fdc昉e斱ykΒgf}dxPAtvLiY Y_ fwhdq. gs'iY`g=ɔΔ e@y^o.Hfnx&r&ޔƙiiF㎎ wi^ꕡ騮fje. inFCk>Q6jrfޚA.VTiVeT6h&[Vd^Ȧ&\~d&6FV^8h^^d٦dݶc6b`&^}\pX$bc<Ȱ g+l mnTEDO6S.UR2Ś[codUn,P>o.G\oe. ɪH>6o}1\p^%$opoGHppV!qnO[>L'J }K*$ZL`nd򫄽$JE</nYuBZq/M4M&'2w*1|61r8'Z->R#r߻rVˠEمb d$TmV)HP`Uq!MNNWN_z rbsXA7Se=U":^=5eVW[߸-R߬5ဣ^SohqLStMU[G #MnpMuJbTGI_ZUCt1]^aPUQ;a&l^m>ToQ4HvFOMkuvh ee_|ҟ}aUԟwW/ym~ݧVUgR6؉= <*`U{ﱳN};$א-,}? 8 x * ]Hx!j(zuu!%xk#q!ҥ"18#qX#8׍9#($(אvے5Y$D&%}ilOΦg\VeS9\W%f^fflh9Yi%gF5g|Z斟V^Ynkآt:JmX:[eiWr(^zzn'`:)EګաrZjuj̊jjb6k_"+_J ,w;.vJzjnrk+}ښ/~ڮKop"3*ͦ+ 0-[1®EloLkܯ˨ r1n<3:+13/2 ;=֯OW)ZZ2"z5l24sygm4\ 2Ew]Fk-R]VIYC. 7ˆu8L4-9Δb8i+=z*tkK,Cl~w;fk7ʞ]g 7R;O~ݰ[U(;Y$]pw]z'{s/^GL3>擯=ʈ{sW–ʫqt չM|f́gdl (9Zbab-E= B,WF<";%N|";ժ(RJ-R~=DQ1:6sF3tc2±vLs$G8># )AE2UA&ґ$&3Ur$(+d(SUAl%,cQҨ\9,s]%0D{)@`2L2)igmf{M$<':mS;)OMZ3F\;?g;9ρ'9 ~'|(FNp^=;ٙPnj=)J9IQrn4KGДAEDҊ4ތi@ꞏrB(FWК29BSR5Au*VsSbE-MQ}:եSG*HӬթiU VumeVOS?HϏZU_MzŞHէIך֥2֩y5^(UUYGJ״E)a;Ueu/!. _kL#LK ΐ+ s8Ɛt &>1K.~1c,Ӹ61s1,!F&1?,e(V2-s+2,18JnU&3,9_3II6o=3EΌ~4g?'M^1  Ҟ4PC4c#xAdPC"Nomb]׾-aթ.ΪeM׼n6-mF{d˙f'k-@dĹqɍn ~7y\xo-ܻ-g;&xp'/᏾7sS۳>tpuw8A>xm&.;{'& srz/9΅=<'GlTdGg:>9<=w:M#㖹ue?x10zJ;͛Y|{հs+^=C]L;|?cF/߯|??c_2@@]_5`*!qB =^N`T q [՝܅偠  :  ݸ}ݺ%am`6! _}[&ܹ)].VE\ ޕ!!^ᬽ˅!a2!1" [X̉aʠ#~EbQX!Y"!b ѡ'"bA")$X(/*.b\b#2a2F 1)Z *.4406#[#c57vcap^93=D#8.7ɩ#phcecƣ>5#Y#]`>7pȸcY\A"Dj?*dX6Edb!V$QHFކFzYfaĀr!=ZI\MICVCf`dPMvIedtddY  Z ޜ+Ҝ ڜuLn 'a ֠RYSSTO !!"\u] z!Y1aZN^`>ZFJRťPyb,2&*bVڡ6`^fR[aa2%Ɲc&b_Bf"_nf]dgK~[ōQ%'B!c"ށlncr"m֦A|戡*pe^[&m'`. 5sNH[vOnt˜+]d'ݹvg}+gv"'yd֙y:'tXRg(hm!:h8''Ԭ'^^(/JަY^=rh#:h*(Q (zMhɍ"ٍ ŵY1)hg茵hbb fY&#:閮eʘMi%+'u )2))S1[Q⩍i *kdIiiNih{ҧ͝NYj]]jz ~c'8*2I:*Qˑe^"f'Xj%"'ʠe}j7j*F*fʝo*`+w>B"답ܒju|V_]+"bifjjz++@ݲic*˽+f!Zqkjjdkj,",5+'BlfFź+̚*&Qfe֝RjXv!|v4k+=j^"_ёzFfjRNU]me-ת^ي~ږ؞m#Хmk--:ܖݚR#n-:j(Ҫ&A. _6n.nunZ.> ꮮR^h#.@܀ Z .F oF"~RN./%Y @بoF:k&Z`vbƯp7bbej2 x/@ 1Y&p0#zXzgbpF./ + /p ;!X grfbcnC/0>11 Z1;h7c킰130 p ?qn~,@ހgߣ w2rq&:ecnE& r(r 2rfgɪ&#[I$$; pE,o, 'ogoեdҬ3N2s3gJ:8r;;c=c[?s>K"9ht@ﳖ"t:)4]hVE_HD4?CyFj.rtC4tI[3LJ#*"M4Lt9O O4)&>ݴ*u$2u:u%3bJTSg8Z0~ou565qӯ{R/M+YgP5/3W3rau4r/qc^d_Xvt40h+14Kbo/*6{e*+Uapp .p6Rq,NvYlqt%ZoY/tSs'5)^,f71qW6Qf/7sGZ70(0.Ozue"6%zw3Q+wy6sr{71n'q!;oVqwJ}E++3,7wrzr *rjq7xdGysv-[_| m7V#xF5JWtRxw2=/sMvCU'KO9;SwyWP4F9y}Wdy昳J4Uy^92yd9CyGrߟ O V4:KdFv&}{uOoo6]kO0O:9U"!z+:'_Jhf+Qrz:2g+ɾi:K#{r*;5z1Ұ:k;ojXCv#&W; zpW; N{^8r7+ }:L;lyh˹?E^@,X$>g7S$[cE盅k~oV_A>61K>a>K߾?Gu<> +7_? s?{_gK?`~??>??W?@8@& A 6tH` 1fԸcGA9dI'QTeK/aƔ9fM7qԩ2%.hѢCGR4ZTRM'& ڐ(ՋBBZaV^;lYgѦUm[o3Ԥ>{ѪSwFT^J)4ncǏ!GO:7EAbT;}rt$I#P(MC#PHt=IER@4ԲST8QUZN;*UZ'U#WI7uu:gXKQ6bc)iNjseY锥8ʦ&cYHGԂtQR>*5,-`jC߬jӥ0hVGRn%YPeG8"eAVQ]hE XS`=ע:I}lZhXEʲx6ؿ李 [YIc 2ٶeXK׍֓ -ԌZSv$nwfSQkRBW}Dy򴕻cԮ3nԜZMn -iI5׷/YX^r̸no tM|EG, +i=!F҈M#-vbϘ5qvd|c=^k;񑑜d-2Ű<"+Un1xqf`Yk&,uRz~ہ,6,s׬3wY1,&3l}՚^ux+”2ր ^H.ҕҟhڐpchR2.jiU@fnG36l6u`e;[iZn[Z\%wˁtrϜ5/ms%8ρ\E7ω~t/IgӡpGUgԭu[} S<\T(gj=2{@GkJ;ػ2eװ?黿ZN;GwxP"0J/3'R~F!i+y{lxįVv<9?+^WU.sk- +?٬3xvpY6m]}SSu*+\9o694lK v_>oWH?WWk(I~xjLʭ8i-oMǂ x< HJ$)oJ̦tP |0i]v `jtJPNPҒpH *ePZ"IjIh~&ܭ+FPp|`Pׄlݔ  / IJ1 P(ѡİȐp[m *   ȣР\Qͣ:x 1҈mRq'ﰍ _dqpЫq^J mح㧬pp  ˨j8PܦP2 ?*p<]˹O K !hr-RK !LK* LK"/ 2s6q|# G# /  }D(,|JrG-j($)qҤ)))C1++=L*2,r,,?l+r-I-2.-.;NEr///30s0 0 031[N1!32%s2)2-21335s393=3A34Es4I4M4Q35Us5Y5]5a36es6i6m65S&7}738s88839s99S7B-M7::3;s;;;S9`$3<3=s=ٳ==3>s3?s???Y>_1T5]8D3EAEa4FetFi9E&H2U\sX`3w49}FHH4I/Fi"G+R54JsJ4KtKKIل@G@'.,M'SM%2 3tM;8KN4O8T&t24M)M#SJ3P#PmQ4R%uR)Rt7kL#BP 5RMAQSF39Q!ST}bUCUM[uUcQT)T-5WuuWyHsT$42?ӡz{K8:ϼ%^>} \w=}͝e>Uޚݞ>~ױ]^ۺz7_ϋ}K7OxރB]?[e$x}Cb}{0k:O3s/D0??? T? 7QkC?$7@Ab <0… 0ĉ+Z1ƍ;&1ȑ$K?_}d_7 kE5a=(ay'Lek߈&"b$X1֟'xY<@´, )HP'"*&ܓ/b9`PV\Ri 1ifufedKI*fCNʸ!V |6g{F)$H ~ON]^*[8y ":ߍv[(*y^:ުBrh뎱^j7*첋&}ĺj k-ֺkEz n[k"ѱYZ Y^+ ;o /*CZ6pgT ۩65R-,ļRqo<ԸJ+*qkP&lG+<\5|820'A,F;vtHASW> uROMuV_(uZou^ vbMvfvjvn wrMwZ;PKVBZZZPK)A'OEBPS/img/sec_policy_changes_detail.gifhGIF87a1Μd24f̜d|Lbdf2d2dd̜4,1@pH,Ȥrl:ШtJZجvzxL.zn|N~Bpǭѽvn11.mjzvks H761`w 6 w!8Edw1ŎnXɓYhE9M"M pEI`*׸`Y PaɓbFU5U[w XKK5Y_ˮJ-yZ=ʷ[I,&6iKRZ֕8&ٻnNƪC?ެĝK]ͺuj\hb\;HvA/Ȟm/L5sǻ*/{PسkG;@ awu{s^^yc>g5Om=(`yN %VtQQ\{5u XaƠ} b6tF8{h≲`R ބTIv!Fa3Ω!\ g :H$L6]^pAX@wQ8{0buiFxϑp /b`7"YΗ r6oZihYr`.q!ZaVQ&mZB$&ڞW2 fhE^(q=“ْk6C\׈V&[ @{ pVkm̺_J4dk֒dR+k,l' 7G,Wl1꺫q ,27l(Sr,2-+,4qj,Dt>1tEsB/t=3S)E7 X1uJ]5-0nG]s#-6xG:m7s-uwބ}罸ރmvl/۶rЍ :JOߕ/xq9ڏDNtZ|}{ˢ܌SMo'n: +W~lv{+.;`>=Gn ?9oosAM*t AЋV0, YQֻaC ӠGpXF >iov"WIp@?F0BmD#b30Y5('<sH0юk"طupt$!3Xwuϓ0ܧ@g`,4e H"ͨ,ڌ#)<@Rhh@EP i`Qfx iIOz X@X)d:µHELٰT8y(j!j:%ШKe7EҒz?X*T6 g DZ` P @\ԺCm+S z%"Y _b:֠m5+jֵkkfwfCS rs{#G?PlʁƖu gdߐ[Jl}uȿ>Om֋s?%ןa?1CNh|W{B { {7\}!0'{/!h0#8 /&H0%(}ӂ z/48/2.8/=06~B8wFX(C TOx}IH!xDXEb/HQf/C#"Ȇ*0]/fh{_h7SQ~||X/X/Njn #'ȅHn؈0XX0y/Ȉ}xX(0{0t腱؉엋 >H1((&S؁@ȌcHX/ȄX荛Ȅ}؂H](/h8Xghx)hȏiȏ⸆ɑ9#I!8 )َ9Rr" 9):Y6ؒ؃ Q@I8ⷐ؊:m8=?.P@9(IْgI1dXm)P)I]ɕYmoO) A)/4/6y/ɖ(|iBi㨖`Kـ8ٕi4؎$) YuYieh) YٚhϨ؛iWw`ɚiIiH}ֹ ٙI,)ti왚Y)OɁ9Ȗ+8홝IXCh9:"kyD /8ȟZS꛱) 1jfiy+ 5:9zv4C:~Y9z8Sщg+).ZzDL9iSڕZ=zɗ=x zK{Mɦm $jXʍ:"Z_9Jf/ɐ!yɌ@ڍelȪ*jyꕼ Zwʑ)Mh1:*ZZZ}ʘHʝϪ*1}窭ؚڙ/8Yz8ׯsȯ[{mu ˰Jװ;;{g {خ*,;j/}3۲;w:<۳>@B;D[F{HwzL۴NPR;T[V{XZz*`b;d[f{hjl۶cnr;tp[xz|w۷붃[g{0ֵ;۷[۹z{;kh ;[˻|k;Kɻtۼr Kk++5@۶D;ke;c۾˾bK+_ KC;˿E`[[ , ˾GP+髿\ '|+[+[|{ 9\ 6),k7LD|CGl!R@M? <: $\[|,HG m[-9Gm\EҶ=>-Z޸-ݸ$]ukn>p.q^ˣk^C͸y^ +n> 膎ń{}̷, ݉~z^k(m޶>.~]k>^~1hp @`ؠ @` ~ '  ~~ n". ~ N1P9JTn?vUU%AAD]3J_l;dfF]CN GcB+B)J㽟U# oھk~FZa)]Cqڥ@~l8@@~JcbE+6tȠdI_Hp7Z`C3ZTkoEX`:u@LjH;4FlEwzB? KWfGOEDz0@UEOi%?kN?K TDx4C6C7&UO%L Ϗ/AuO4@_KtI#H$a-DKdɯ@âhMNnIbUMiL[<㓛g{?om.ʰ+,kMjQi0P ͒Βt,mp3Q,t6434*PX2ױiV.IsYғNոX-.S\\1,6>x>}<XquLn Rݝk1#2{^3^Yc)|E,Y*RXc3aP%4:$2 4_SSnLj&E+(VJbZR9jS8O=jhSl.HG N"UrΕ4o)/VTVu_uG/q='k6T\ v0wJ[(_k59k_^.k-t:oϓ;:Ӣ9a_EnˎoA @,2UAc-#@ 5, òZ1DHܪ J\>a[DepF-b[rKQ6QCiAW]q<A .nG8nS J8*}:Q]cHۡ$TT צ@ ~!Pp3 9Ql>ht';W ޳fƲ614ԡEώv_gPp V!)ĎЅw0JvӠ&Qz EMo8I ѐ ȣYJH7: Z`1E ^uvT ۪?c*-$dL31(Rh$Ne2p]d jJd(խT$v@s^s>E6ubF^$8EnyR  5{GqYˆ~ǔK:~ϟLd?;iAjʯ٫mkad{__]OONki]úۭL\h:FP+4;pmd|HR[׀{yurph//.uslٽigZ˲Ƌ$)-ʹywrtrjfdVwtnw}zxgeXeimwupŨƩ}ľϷиεԾѺͳ϶̲ȬտɭӼӽۄѹɮǫз˱˰oomζǪԿҼδԽйʰ̳̱ƪ[kyOduktgr{39=tx}rȭ狯%,ܑ1>I@GMmZdlݼqofsȫϸϵӾи::2EIDATx Wye`ЅeSiwnI< кmK*4maP16^G/QӢ!IǦ!iҖTsfKwwgc;5o}Hk\{^ڨ輌~o-ҟsoX/-\^zc_Ӻ^97-\ <]u!LEU~U?"G})O 8Owd7Xj) 1G@iӣ\7^%}Nч2-Uy1'bqjy_:E_@/ޅp]yݰt)$nK,@*9%R9|R#>`G4D;K_RLA*?W/EA(r?Ù Gʹީ^)Gz'駟H7?뷹x׿~׸^W3:S_ jGF)VD$Y5"ADNӈH"_;*$";M","_KDv"+DMDO;s<9< %\"(J䋆 Ks"љ$DN |"rVJyZG"k:gSoK^)]?.qOJ\z]Ε`]_?Ttj^3;^/џ(Jvڟ|OU ՛ȗ;6}!i: DN!_N=jyI""HRg"O#"I"$"I"4"DD=ܼ8<߅c{7w9)5+?ڼ?}{o@"  C[˭iu_K61B_&7kX0^yմ+ ,/`rg" G݁-pqu#,2a݉lы͙!D:|f-4~Z|m-m~ub;VTH,X`<)oȚD2,.Y-~jHQJ.!l,Dбch6Ϣk,=fs~e7l^X9tl56o޹^j/mA*n7nE׳lv٦  ])9Z!"cSw&hzt)/:cb()M~S#rGD.VٳXòa?fOl>[;/Xg1I?]N3S,(qiRGt hAǨ"ɒě4=V9+:-|bq"' yRD,xk$"GG$s>6H9}yL~Y:'Hn?tЪ,|P磃n]74ӽhDRDv!oYF|cUƇo"IR?VICʿ纓fZPM"}ú *Cޅ+G&rysnM!GG}6^vJd9UC7}@|&rC=05¦^]"}-}ɣ+C6SDC ZXuI>4^DkFߗΪL;D&> V:+5ͰkVvrhXK.U gvrQA g[4i۴Id9P+KΪLR>Dʃ6뭬4 Cѽ}#)3HI6fSMAPDy*, A6ƵH"$"H"$"!D$Y="nSH"$"<"|>*䉫o>.W!b kg{ @iM>}#s̽y,I{I܈ȡ}8Y2#y*p4 `l>NƧ&LL;~";b:U>"wzfuy^G~ږ'&2߇?f=[Q*GCjyG^>2 gW)Όa|uH[iz O"}Yhڶ/3Ǯ VdzfP "|%L-:FBDִد| .EnD>bɌ䱫tB-M9>ϔ79{0:W}-+'R:Mu܈ȡ}CxFU:!eXK 2LJޙWg&gmZWOuk-H99X~3Ǯ `AM>[&Ld<鎩7㳗^L'~v$nF^縳&xD,zZec$ʓc̦;q"Wu>U$$|ȋHGDn;il$kWFqIDV3T(H" D&PJ"D䄉TDdD$ID}y҅:=ք}iHxnH6qL 1Ar|yQ #%ߨ*Jt(%=ȗe3Nd'w#-|.n⃼N\+#ȮeDk#r>|30=gTH1{ Dн8˘w$R2M䶙 y:|u5 |ϮCܕ@/-U'uXI}Ŧig >R$5=C֣S֌߻S9DҮ8 Ljnߵű9Nr&J)у1sQZN"kfl!uỒ>1jolYfkBƄ($kikҗ%%H4f?`gvrfZdȚ`c ?Pc!wMuHNrTVl D3z?l!9V#aW&&b$G{14lDjA8&݇7 qH{z7![Nj8y.XHB`ˀ hN%9d;XI=]Io9)yJ\($l_%uX&6J&$OV"\猳ѧ;6w:%{[۝}{m$B*s_IH$kW{\ۉH"$"3N=T"*D$Y "c,H"rD~$"MWU(gȎKh9y nbRr~P'yBc Dd)D&X ! ]V̺Ty'yBc DdyDr}f49."+1&zv<9'2$"!gk͖{WeLy[^2p3D> }kh "abY&Rʓ=^yvKD3Wx 9Dmdړܴy̥5fxr!䎓6ZD<щ;3F3~ V76z{c&3#ryrxB,ntȔ'9f<˿CD>}6)9!| y2HIDHID Dn'"I EDEd z"4y"HIDHT$D$CD$$"ID$iNDH"֩$D$$D$5Pg"oO?J?#?WR\؟mWCXn@߯%'2ZX~eBGz[nRrvmou7@5QXꪫjЅ\gz4׃>Xwߧ>)bUsϻc}Kw^Wq?6zG>GAB/IЇbVJ'wDS >u"u?-eQUMgRD>ڮ ݔ׺(& WDޞ! dM% !dA"?ܕWMdDvD2!2d?DHf dɛzy^m k|"/,Fdw#%^D~+YH><~#y]#90dd7 J乕"}9j>큍dyHdY"!J2|(ou#r 驶'a$ 9a(U."|p 騶;m2w2e!Y.P.DV!y ^mH L&P~}\DސB}advHfEGfdF^mOH!TzD^clHqjwf Fw].d/&RY{չӥyhz=Hd JˈșiHzj͈н/wBrh&ۨ`} DؐD]PIFMH1lO" 6$oDCrȌ6C#Yg).U"%?X߾:w%/Tݟ#qNvbO<}dKzQZ@թ]b:_ݔ2&26/_wt{Z}3ֲ SHFvV D$$""'"I!<"DDD$It#z"4v"; 2W =[JDl끁 dnxjEݚVgu-0BW.m8|D'ICT/"2P!R"10`ljIn!s--a6i04! 0q3:O"sSXgѹѹoeJcells+7b7Gp6v2"<؀[WnH@*t7%# SDPغ4B4QCrDޮy^;lV0Y6D`HA L!($hFCg[1i)DbU[k6rލHӚ+~ù {@ {YI䲵{.!RlΎZ[A w)H1l-3ob/y!0#"z˴MHgHP7o MB]ߺTK|G ؙQ!jLjEhG.뭆Bny'D.HBtOn qͦ}E+DL';Y"O2]%Ƭ[@rBen$"!Apughc-3P,цĿdH4p ?i^[75Qjm7$=gtDfHy^ȶPg-vK- v6fb˼0fcuiX]`c:E,M[(/dOg8$M7AdcV1 ~MGw7t"JyC)oY"xWq}2‰ȓȭ+[Yj,Acbc~O4|t|cik2fW+Wp؏^+8 ~@ťr\yDd1"WŶlqU[ ]f 9.cxq\s Z Lܭ؊2..&"D.]8fWxpGף}1E-H~P^^5ɸ̛$";y^H_XFph'kz⁈A9ytFmd\\MD}9n:wt%q4mي<:7A-J[Gy'%.`Ęy%>G)U"rҿYMDDAH08gq &wkٞ҂H W#KҖw|ĸ8d"rfz_:2^A{:7ESSOHod:;ۨ$zvm\W΍u;2 [nR vmoOt7@5I-)tUW9ՠ LڔޟR>{w}Ћ3Dzԫ"㠷EGPQ(H=\e[tq>SQpgA"SHܖ"ܘ!H 2d/"s|0}|H2V$Le)0;9rF7Gj yCW$02Y\,d*Dv ۧH@#E#LeG.2D6ۦHUo۔e&3*6U07vnF_oOad'&˂2Do3#yUFrzwH>2YP*POegȲnMHNޞÛTo3FzhSzHg&arh(ۈo3]aH:7%:#GrLB򎡈oS #of4m0A\7΋4qmP ?`Wj%9Eea|M̍ | 6,= =f#2" 5qI5"ؑVmsϭs9YNܵȑ]ssru6|yغuKk6[KluSD"aZ=+&LOzD UHG7e| 4еB״ZH >bT,"/.Dek-#k,kղ` 1ز8e(6[ٜڧ$YL_ebk#2loz"YS5dWSwB'4,H['FACjm}:naĞKϯY֏חվ}l(\Cx Ӯ|!3`957`WZRjiP)ޡFb"]15_j>nkH !S!J'DڵveblI O#"W@^ac'A d"w-2"G$Z3t] Y35" Z^Ld3LaaB9\F ӚI`ȇkmxy=i{abk}#*Ok6!ڦ4 殘H,*U9 O$̖ #"=)&6[*|tE-=!#'nD||$#,[n&ynrL܂$UB!&ri`Dަ53ЄjQ>5 iZ̻nc"\"@ yjCߠ!ߎ@.ϥĪ [9H(U9H"-4)"aG9 !=юdibVif꘏7 ֊VԎt$[N*krlW=iosʽ5rצڶ0;m̘i&q"]>GJpIC#e ׌H~ġ מz"#WMY%D6yyMvm:2w|Ñ#sGVa"4:"wb$U"w1mz-/aMkpϳ现H舼V1i"l.dq2t!"Ic!4]]|(z8ؑ9"4B"$DΉQ9|k? 4 7xVSy\֭tڴl5ihkmAGda{:N|:TluOV|7 mD|?s,A+l">>U9k7w䎑}/}2)eP~ұ2O4p'l!!r1̦V HF^Eq='ë ܡƍ /;~vq!).mXD۳fR6xt eF7UdH`+kuDŽ/\7  XNEԝLC3)R:VD0;!4BGx;2F;*Ϲ9-A"i`|D. GsKb|-tlڇbWWk9]O&l?rШ\& .%|úǫl_ĸ(&X'Ɓhe6ΩqoKΞ"jm1ƳMǀC5ሐUCx8Mʴ8Haj[ǣ@^lZk[*L?ؔK 4]db9$mG3#"eJ|Knt&"O q50DtClG&pY |vb`B,7ʌE*cx`+O\66;M S ۟% ~gHTfˈ0m&D۱)t֋y9邌&>c'D*?+̊Lǀu|UV#NHjmDs uhk4C)&=[x\D~C SO'jmc[j'UcY+ty-#MDDʔyDbED<}liFSJ!&xcd!khRجEDGDs kPz(e޳J!.چIJ1|@ 'qa䦉1N&6Ds [x_+e ?Q=""}9*4<ذ 1DMQ`a۞2}ZJQ4 ~ٸ^q!?ڐ6h10ĖmC{awӔ'3++:ZCeQ-}N%vF ;?#Z}: D\Z')R>w)H$"<,'T$"I 2I& D$$"6"c$H\KD&Edz z-i^WV>R"!dV$r Y!mum#58l J] "$Y!CS!0یmy !hyqFի;vƈ~{ 'apkWÓ5I&fH߻!" Qyrk MrD?# H&%ZC["N(j\&Z=mf)^Z!؜D]\d1et ,Xǣt*$bݒ\"DFDdmMrRY!rSB)^9< QGQ m*qK"e Y6"|R :>\D*9^3W" 1+_+qʏs`bU័T uO%w=Bч;:鋑ޛWu);YkH>4$C]@H^]L"A,Pvr`, yy# <$5ő<"Hc&_ʡTN,SdSE~ e(RQ9z{MɷoJdd̪{(C9qYBBFr"Y,Ee\,s3xOSrLH^5V$4}1YP7EdM1gLvMf;ۣhJs[0o.ɢfrL2,eg6{9z-)FrO39(JʮTe NH?{@"9LcrtfO&BY|ս"K){l9@ً,@2oM }܃W=>6"+[odQ39 eP,e!29zdCr,PYˮh?D=k9Xo3uѝiO}S.o 7F#<ۉ|ϟ>m1{JkF䟾_N!fTID&OD$$"I$U+HD-M"TQ" "ISAO>O?jOaZS~r lyFEZah7qKpwӃw\Яkl>L"-oL;$2V=Dtu ͬCjh?5y$M}( @o "#t=EO?<=֟=OjO>sgig=}'_Y O<][[NU6QYc\J$ t7G؆%BC齦#<2wK1D$y÷nAݩkki鄦c.޲-L/iN 2M@ByqsFDCd$IgLִܻ)h>~]nJ 9(䅛K*əHr\}w[fTh>s%dq~.Sr(S wی8pO fȳgH'. ]3O{^r<1Pb7ys_3;tjt56STIȂ2o} !pOȇڈg3@$g.rDJll[99^|hi/v4&Wr_ZD$$"ID$D'-"DD$"DD$"DD$"$"HIDzA)"T-"HID"?""IU>I""HI""HI""HpzӺ$D$$D$$D$$"H"DD'MDDE$$D$$D$$D$$"H"DDD$I""H"$UI]D$$"I}]~} RYɱ'*~̞D@7J]}Y]Hk u5B]ҽ RVyi]k[+Qu;eu*)&Ot[:*֛ .,3PDVɍ f,-SdPf,`KdHNEec2190QY~#f?$o.5(h,!,DvlJN7C[: Y#(mXeW:K rHѿ#B2LN\(0yXee9=H.ɡ,"ErmEPJe.WO "qHNɑC\Of9DvpWɢB5wQ39ps\&r(*;qY͒đݡ ]gYD:.Uw_Lk(;B9ţ7zy whwsg߃F ~7r d&azWn\q]؜,b.&ehH`g~#-hclꝧ#B9&VXz "Ÿ≴%ף+v { rHrޕxk2g`橧e矀gjC袌ꃟF*餔Vj饘f馜v駠*ꨤjꩨꪬ꫰*무j뭸X$ [& F;Vkm^fm-S/n9Ү,B};a;;:/;H 0+ Óh!++ TlGL6`q22L.!`pLn41g3|34wL5%=sl0s,ƻt7!Z4@Xg,60l|,U7,3̷?}s7΅-46E8Ņ߈/Hg>yކ{nҍsn9,np珇\ײyإoyڠ>wBÞ^;s^+<,{SG{+<3.;ݯ./}Ͼ#ξ \3f4y%cފ7ǵxw@90v \(hAqww" 890,a aȶrw+| 61 2,,a Xr UPr4 :%w["X NkZw:|W`"N/khd<,tIlc(Fꐏz#@ְFI:4i/Rd&B < ')HT1Y$@Rf(aYX_\$&?AT3C&U3YBOҕD|$w鵶d *jOBv?CLlRS_/HC.MnӃ|zL6m'IͲ/7nh٩Q{ }L1|fiɐf3CH)GBT+LQ gĔWNfyLiʓ$,Sjj.U(V6ͦc-(UmLyd㼴 ˛i ̱rULg49Ll[jWzՙ^E,ОV\Wn_$#'TCVo+)Ƴ qulڿfe{:l-݈H"1br f[hYa[i>׺ msvjwV6y-[]~]n|] -q}WTN 9&/aY2ρ=Y}6|5B'ІNE;si4'MH:_o=J{PdsV>ƭ_5ԴVMoOWFȽ)`bzu[juHܺQ`O{kĞu FL?(x_ ~AF?3/X#O'/ў%G?kqq7+Bջn6HŏVjϳCXPӼnX>jTg7 ^Ds{e̗FΛ/6Dv}ŷ=jX?׺%<6{_d u{a-g>v?ԅTe;tGf?¶bk?'Ppult% 8SĆ`H: (Ntru h<H96P=W&\EXP4nmVuQ]ٶL:AfsTLCmI|pJX%MeZ݆:EXC!reg |EPEdndtMi|nC4^GpP~DWz[%SuU~MI[ Gq%]^F~j08V^-S=tXbݕdSU^WLtSpuarF5Vq Ut05 ҆oYauX]g[8DsoX}Mx(XUpeu Dvqu|X7lYQ8ar:A7k؇a6fȕ_he_X^H^&_Ց5kbq \)Z8}Hi|*=íB\F D|Ji&jLřR*T\XűrZ^<*: u.:=5F})@])-/=HL-]ԁ|L-'B2}.j}իk;2]o-Xrћvl4~p}f=؄-<=s LԌSUM}hg==z) -ԝևˣ[ Фaٯӗȏڥ-^M6׶U-˱KM)m֕=ۘۿ]}|ܭз}V,9ܺO->Mܬܧݩmۆ--mڹMϻ|eMז~M NlwkmœM}] ͝muܺ]=̍,n#)J/n1nս(NB ^_-䛭㬲C.# = W9^ZӉ}ڸLޑܰ@q}t]~vHڀ>u>{.`nm} ٞFDnnM㙝ߍ>iܛ䕝b!܈>藾խNm~]^HNnAxl=?"@Ϟخa$., p^휞NS ^0/D2/..Qn^35P /G=;M(]8_ҽ^<޶4-)޳苭츞ƍw>~Mز,Hg\MR-N.P n5i.^|mȞ*$_ L?}Ynֿk7=뉗KǞyu?p{LO7_7sx`1uw1(`ͧ߆8an7jRb Jx h!bx+XՇc I]!v3b7@'zi~nY%(jg}fYHgVhJXMj ]JeI症QyjWcs,!XK%Ѷ n֊n[ԭg8rkK13Kjm;ʻoCo l0zm}';I _M r"Lr&2%or. s2Ls6ߌs:s> tBMt5ltJ/tN? uROMuV_ʹXou^ vbMvfojvn wrMstߍwzw~0Nxx7ۭx?yO4_yoιwz袏NzQnzꪯzzN{흣n{{X{O|1o|/ϼ7}O_}n~bw/~柏>~Oo=,:"p l x6b7 jpEE6Ac0# O r+Z QrB( BMxpa&x Ї?`B$n"y6qB1P"C.CܢǸ NQgHE,q"XF*Ћa#X4 hcD:*rSax@p$H>V24c PΎ,)ICz$! KVQeHyFSR4+eIKid*zH _hILNr`f5Gb2׬f%ipSrM3ts]9JsL=K\= P-e-AЄ*t m-H̀JtW'E/,F4h-ѐx IOt,mJ[ Ә2S4i^jӜq8ݩOڷ`D-*QԤMhj(0 D0@լxjTZ\ulqVJSzUT0VO,0AhSּTk+ u k( 8$u'*T!׿&@ aiR֦|csE}4΂"-kg=¦>ek)ԨdPYUbnWk -n^MPZ[*` ȭ}Hۊv-nvk\myi)v hu}YZ-mkQ[_;%uI{QT5K5,|˪/~S]kXB k`٫v}34kw&-wK ؄B5 5IhN=u1l_xQl]&KyA,e4\ 9d~ˌ漞K?u7wB3ss]N;7=^kNwG߹;o~jy>p[|iߧ]ϵȾl?;{ /7NnWw6.[t_|}Y7{?g7<9m|qf~e}lWWr̗8gwLj&jy72hFTp3lS+8R*Ȃ/Q.38Q2H7xO6;N:ȃ?L>C(JBHGa·KJȄOXN PdPh%PMUPVUeW(VU}U`bAAf9Y^c%3[hVQ_Kddu/%"nX#TW^Yce3A2HSXYm%]Hd`ȵY_b%_UdZ5Z6aaIbiy(ؑ^Pg`%bp cP*6 ;yؐY ^bhEi^fc# bVY,f.<݈Y vr}9US=Ucoo _:ydx9ɗ}(Śd`=vXNFGufEWy9GiDhYiɩY[a.HNʙ)չ=iYG)@k6@Sk'Hkj3 6jNy8~3ٞ艟Y2AeG3YXhg Cy!42 kjk ءCyJgNӧmHHfoPF{6{lmlcwnx9J&W~<פmQpwlŝhrt?s. stzg MEW{mz{U7qhyww)rxl|wxg^ʦ7|G|WkDjǢ~zx2xGJjyBʧB1ڦ{' ZGwAڧzyx7tTӠrGmW'Iz>Gz|\ cʫwuggI: 8zǬ|JNYh󉪹oZsǔWl晭 uZ}z7j@Zzgqzn C;:BKG9FK:˴O;J S9NKWX#[|_KU]U6e˶SxkE|`))Vms_VpuЙ3vYhz+3iIHްkFS~X|7XU[ub;{+47^Ř3ɋ뚽xc)鈊_y_{ (؊Uc[ѫI󸽨8k6҅[{ɵC|8x x ̐DY|;fz` # LHVeK$_\]K^?<=)9sq8[)cYa8La6ı[;\id -5KI,BX5iu?YyIYM쒹d<L^I{:ėiW4|dIV`ܔ+2vkžLXL] &޵1 \7L,dij Eb<̜a9gixi%gèyșį,¬I\vL^м i5ycL)bnlElkL؛dxȰH+϶  , i;Ж]Mфk_m ϧ3b;T/Y) J|2̓4-";420صAMO3EJsI=Ӕ'L +V$jֲR԰%|6{~ :*k1˧UM pm:V6{hMjw}o=_g3j}k iZhjiVc}Cz} ȥlGnGJp HL:v} NGm G֮mTj{86Vn/ lE*ˇͪ]`sZ''o}ėw-$giCǫMh J~= ^x*x wmʨ-*|jºؚߐӺ놀xJkw $'ک&~ݧ?.zzr:ભ̊g *nO~X^ :-}Z[>g.v[nGsmO}:ݽN.*o D8K}ʨ ~@ly~|MoOjkIWo}ΰ ;-7=բ@t~Bf :.B#H5NhŎF}JN޹N׮3Î.aN.Nɮ^NmI^A-/o 뢶hr P*OOmϷvN!iA WM*_ރ='ϱ) '/TnM;k+*Ft+nDSCLC-ӄfLMZTWO0H4Z6m>JH/ra_L0q&opHJ-JE2/s? ^+oW;P/OQ;'¢O@kϳ>3 ? 2?o o/ԑHǯ3 ͟ ү / Oȿ??O?W΂՘ئӡӯۇޙѻԕrZh͠Dݼcuj]~3jȱǏ COWq ^c%9A7Iɳϟ@  d }9''/cye^%ʵׯ`Ê(.=#M\MBVZ Lafbʌǐ#KL9rb[3k̹ϠCM:oӨS^eԎmM۸sz {ȓ+_8УKNسk]ËOӫ_^˟=nZhvE` 6"Vhfv ($h(,0(4h8;޲ @)HH&$!F.P (ȔTViXf\v`)dihlp)tixc;PKL/G/PK)AOEBPS/img/home_page.gif"/GIF89aD1c1k9kBsJ{!R)Z)Z1Z1c1c1k9k9k9sBsBsJsJ{J{J{JR{RRRZZZc1cccckkkksss{{{{焥Ƅ焵ƌc1cΜֵΜ֭!!))1199BBJJRRZZcckkss{{!,DH*\ȰÇ#JHŋ3jȱǏ CR,Cɓ(S\ɲ˗0cʜI͛8sɳϟ@ :S ѣH*]ʴӧPJ(իXjʵׯZKٳhӪ)v۷pʝK*x˷ж~SÈN<8q#KL˘3k̹rϟ22X/cc2^¬[%/sƥ۹llr<|Mꫳk߮/PAB$Vrd|y$?I&0qo2L@U a{F0R,^IEh]KPKURg RD$X∠&i]Y#J3T#O7]I]0QRTAŐT:pGqIXU@RcXuI1%$Q$'i%KYDtx-؄R2 XPOp)9 y:h,0S_ )h)8at¥RF{߭l'oDHM~m\n&qo 8@1K;ՈNmڏտϝt|e9UπBBІ:D'*&KAюޤ HGJҒT ` PeIgJӚ@(aӞ6 Pm4&RZP iQ5PZAxU`*WjUŪZ:lΡ@ n֐#+YI [vR.mza60z`u(NqL.`Ҡphq̀1h\R^\8 D0S"XP2K|@1vNjpcrǚ[EJѺ ~IdKx& >Y'γBvC;fIRM>A4 xӠGMRԨNWVհgMZָε? LɣݎbNf;64N#| ζn{t@@Nvvθ]η~[nO‡z 'N񊃻$7-{ *ˠq(O#>08Ϲŭzg;ЇN~*;PԧN[XϺַ{`NhO{u@n'}Q];NxϻOO;񐟻v U7{GOқOWֻgOO/ty{}G[OFҡOSF~O?.|'!}V ƀϡhxxg~R&#'&`s' ,UG4H]fmN7w55lx<W@'FVvJVINTMRSQ8VQUxZPY^N]bCa8f2exH?aCA!;THtr+jl{!RA88~y}J('xX(9;L5HM;(*{"膈H?3D{"XdC(5ḦϨ,0(ш5H6,؋:h8;h!(ƍ0hhXHH؎x'؏䘐p8'IgH:踎sؑËtAt,)1ӈb7ٓh>cBY\AFWJٔPNKRYDAV?Zٕ:(!U:Y;TQ?21y1hg"uhiL!uln5cISvɉA;y{.d9999٘ILL^L'ɗ}>THHv2虈يs1) C74pQH8dɛęC8t) s!`:X628C*d٘ѹ)Ή96)MiI6ȝ0to8GH) * j!e#c1й雜iI$ڞy0X'y9*<*D ٝ3ږ5 iH:۩/ RڛU18qC* iBH)'١h8*pæfZPSZbMJy1)*ىyyY٧~%ZjJZ3Hd+Yfk+ zC:JJaje :Yʖ]!O:ZzȚʺڬv& hzڭڭB:7Yʒ蚮ʍZjxjbدZ8k{R ۰Jk;AXޑ۱ ";$[&{(*,.02;4[6{8: DB;D[F{HJL۴NPR;T[V{XZ\+>O@۵b;d[f{hjl_Oa۶r;t[v{xiD U]KEkLF{+VKJ;۶G˹zC˷ɞi[~;빮[봆{k+kS+ [˗[;Q1[ +k;+›[˻[DI;>Z(A;K\L;| , | lHlK;K ,#|l ,4<۾>1:BHs+;# ')̿*,PWPK˹Z\l"Uhd\l,QS7jg 9;09T,̩!IߋLklR,x ǙM;rYǑɭkɘKʚɖ|ݻū˚k5T`f{<ɏž%LƓ|vek\w|,ɕ$(͠,ʌL{p\Cl(?|lȎ 8v ڤ]T8ғ͝ys$[۶}۸ۺۼ۾=]}|-ܥ=} @Ik+ҝz]ϝ;ѽ=ݸ=}=M7[A{ͳ>^~ 0 0΂^'x.~ ArEq*N/Q+5.i7^:'v1@>+9PCU(.G..JOO)i+M|:WLNmHEM@OY\K-03_[n5>n^>iE;w{AQUG~N@F~/~baNnpy>c^o|>?>mn~^?NꎎNFꞮ>8.믎|>^>~쑎>쀡ƞپ^.:~~Ǝn>~^b^_gM\O> Ӿ oO _.N.?>#O<3*Do@EIP/y94;^TNQN[O6oBm~$jo,nZ/ROkNy?~|o~Ŏ_/>_*Y>'/鵯G?]uvOOO)5=/Xhv:_"iNw<H_cO*hoQ  h *|`ARdX1#F BD%$)1"œ&7PcÖkFeC8Ut9QС)}$x(N*o7{c 8Ґ$ HF$sIJ;Y@&5p1 (K"ɐғ$&3sJhl )"KLR攴.T򕱄ejpYa:Fe1W&F (9gbv)MTb $7KCKpғg'өP>y'5יMe*}re?)Pkv1~:TeBϹЃ:4ҤEЉU+9эF iEc״4i~cήt&A)cƎ5k\XArc1d6sf5At=hBvp؜hFpэt iJpҕt/iN[8u%N~& !jSZld@bݘYADX- &5ek_Յuee7v6=m|:nKl:7[^_vnv&Vv o]I=oh[.qMz̦!>qXx5SMEN>yWr߳)rj8&3em~387J|~kF8ulKܻFxÏ{.dw^خg׷./}W_{oýۼ;uye}j8#>9w{;^^n9v|.s^xcNćk8{~qOI:~|߷Ǎa1>ŭg/6u~gǖ>5ի~3^'O=?W;{ӹ4=[o=@ : @<$K?3:ʛ,5SÓA0<[AA3ATA{ t{̓<#AX>STt',8B *A%B0l1dBz3ԳB5&9KC9\$v DB|8?DDjSE?G俜B3\5ˠDCJ2dOTMNt JYAS ?g{Ebk?BE;d t%:^E`\C)Tel?C@8,;;db\9EEKF4œ?F+De @lL 0EgTFs8)-$BQDG@B.Fs6F{lGy} ~DFesƈ,g Hr5P+}ePFrEPC  P? $ с5Q$e6rM} !%"5#E$U%e&u'(-R`!%+,-./01%253E4U5e6u78S3ʁ9<=>?@T8AEDUEeFuGB5Cҋ[SSLT2.8H>,T8U1F=+]/mUH-W¦w&* JQ}UVuL_T"hS%V3M`eeUEVaE^54^ubmY]2Z&rR-URVOeV9VNVm}W7VxWK)ӭ`ڼm`]bun\n[}]a>,e6᧕Z(m--b&ۚۚ]51?FZATZY=u_E$'ޢYGdڽG56V 3/:n/\T~]RVT5eUmS[]SS0' / 2`n做2ZdfvfsgihfFeBu$lT]orSΠn6ufvvlFg Rwz{fm6T|~e}T&6V.)ev臆舖艦芶xQLю/ޢ6,B键f(r~1[њ~@"46 jFi*j>Jj^j1kxj3jj.j/jFjDkꊳN"98븖빦뺶k<=n3"~FlIK"vlȶƦl*lM>m%ΠNli"  ĐmCm֦f NflFm n҈23nz q n.vmno2;hoP0)VonoNoongpooo0n^X ~pWp_p O) hmpq '"ܮNGq&_*r/B#p.7-r(q4qrWmBIri6m5ogoo7>w>pJqE,ItJ'LMGJHW9G>6"RW!OGu.Qh׉F?͈^N Cu8Axy ]G!L-Y)G 0%Ogv6vewvIׁHsk'Y;nU=j_dqoq}Oveov.9vq__ |n}' wkv+|V)IvvxQw wXOrqqu _~gy?)(Qy_z'J`v_wWבix?vrgzxv1:7u7x xyw[Gxixyy/ϝWO{xçj[| >U7|OGϯ=ƨmPOsBXtCgnv3wr2p_l8o'؟}_+_}όԏl܇p?t7wo7~7tBrws~wGq@o~Bj8_}~+?~6e$8`A 2pC%N| ƌ7r#Ȑ"G,i$ʔ*Wl$=ФY&D/֜X'ƄBmJʓ(RAw"řaMN. ŗZr+ذbNJ9!UuiѴr>]7Usfȗ*.lpX% 5hҵJN>1AY̎>]/^я)Gά1زgӮRܺw7epKj8ʗ3o9ҧS.: ;Ǔؽ<׳oӯ 8 X *}21 JH؁Zx!rTz!8"%')v("1梌5xW+1#=#A 9$Ey$I*$M:$QJ9%UZy%L;PKî'/"/PK)A)OEBPS/img/security_violation_attempts.gif3LGIF87aGΜ䜚dd24f|Lbdf2d2dd̜4,G@pH,Ȥrl:ШtJZجvzxL.4:n|N~B~n11.ol{srmp čM ,)DbXG~0G5&8ɓ(S(&!r-ƩkȊIn7TIѣXpra ݁Ԩ^șjjNz@ZثUWبdie6k]x;Ji1`(s&EFuV;=+7ִr 2̠7[1ӨS>ׅ (6ޭجV%OֽxҶ&m8ܒo'KwsCWKN]MaXq!CyY8#ߛg2z`Ab'WDb1UrM(zvU~va@1vX`o=(Ih" b"eAm)އ<3u^fGNy|>gJF1wr?v嗼 (lhhaWMedži[Zal~֦g\f)'iC)蠄 @iMUZIUߛy\gZzgJ&mjꩨ&d)+kj"+5+iF+-Nkf HAt+k覫+k,&"GWlQw,԰dA'2nsݴ|@uLhy'ŋ#6!z}w9s.~ߞqClp{?/~恏^57z;^?^|ᛯ[;m| b7yʓ?; Ӭw@AS"aPw?pXM6opc!g> Z~M }fC5D'LR}_ v42 㘇.F ?7D0mF 80xgՂB N cHHzT1j<҈?3K$'j` %U2i$$ߘJKčl,OuBC.wIZrP0I`/fblΌ@jZ̦6nz g5dLis K:wsuDJSԤ+Hwr)PC{9 &IBͨ: S Xu5uްAt W0sJz Nʧ'Z-ڨiƚIM0.๩N/ ⪧SYayx٠ᚮUj7箭h:vj*H {>*. G)F [Ks2+ ʠڱI5$n ^}(,/2>f49.8>?nADnEJ6npQD UW>Wn5YEa=S^^Hϭ`~brpc~KP>;~.p{>t.i.^btx.neo^f-]Nݞ>MnON^~.dnr~붾>뼎>˞.~.ʎਮ>ؾ.s~>^Нێnώ魮^N~>/~n O^ ߾nOo$"-N=7^0n/"_k>Iz.\lnL^h/'W?m~vRU8_* oM/D//l'>~b?U / n?v_qLo/6y7yO@0šQH<&M4JgQpn]dvY+i.U wVxFO{|.P-,P 1̱̭pmΫ(sShptJtt2pUw+6 ̘ytN6*ڹ957u6;7mX/.I8Z]1ҟ+pҢ3 V'9B)0*U xڰrdH4r[Hx(hRILZzyAO3"lqGM6E]~FfRII9mQL:`$w$Ys[ Џ7.VbnNjtk^{B^oÀqj3'Z5ldD9/:ט6 pqh͕5ljM{ךgp{ lkzrz;{\Y Sv)׳Ng~:ET ۼn3hAA,n-4F "4GFd P^H,8QFl+FVDQ2,pKHLȳ =:dƳȊ'$KV <1T3|S=*8aH;tM͔ꊰe6d0VPjL>m/eknu]7(ޝV∇~z)' ۓ(%j 0ia^ߌ':kg1zmH.[Ww]c2[i緟]l~e6um 8m;p}4jJ=%t=_\h쳔iy?o]m,xp y3n:{G|j{'y$3zuO^}Oɳ/{yz->|ǿV]@C`bg@/gd8" D[(x-.@ RU zS_I<Na vY*,`fHC{1$Ti [ "8@D_ȍ*v0X˜A9`Ů0(cYFH b8^u#qCc@J `{tF6$$dHvUk$Fzě$-KTKI@Mc#a3y 6Rp)e+`it19L?e/KZJsF4&XNR8YNsT:NwO@ ZPP>D0Q^F9Q~!)iFZҋVEiJY*ҕT/LiZS4 NOSnAP*SH*OӦ.Q*D?8UZդOVPv*P*XzԱi-iUҳo\JW.UvkRWꕭ8ÙC*UGV;z [?z،}=;YJe/W}M)2ِv="KYX-C]ں-gC+VAkZZVp?&Cum+Zֱw;Nt.Ry5*ݛv/y{Wuoyի7mny}0MSȢ-+ ߔ8uo]3р%`)pm 5$*i%X@& b3ab#:i`.:2d/kv-YX[vSlVqa3 B6nX*SE`%7FmV.{e ?:%q#!@Zcvs!\6yٜ`F;5dfvMq|]1;-^PzUMkESԆn9̔5L[kZԳ5 a76ynʶ0]b뵷v&*vѵ6jFװwVpY8|n8̻)eL˫n}gƍm}S*xmms'{ա}ikYirrnZ?7~) i힩|vy˾xթ~ 5(f\x9qs?mc=9nydhglf䣞wo9m5kyt*;N2} [PGOaп,sXLK{LK֢j=)uj u0ݜ , s 9 ǐip Y pP P;Џ2f/< _pMP50LLlOq 85Q 4vO*.q2q0=1_CMmh\1K:P QQp'/N0p +Q-N0 P}dopQrN̑xmQvD.! ,8N" 'r :2 0$) 5QV2!w2)6@'L ϫ:?r(P$+Q;)j/_J R+o+P�-ժ-Y,U R .*.#&=. R0/S)10r01*1r.[q1'!&%R3) /3333K4ې) /U3O) 6CP-E1_67 +z,p5%e5G9S:yS9a1:}183;16;9Ƅ7WPP723=70S3?#cr>s33m>@< A31wsT?BN@@71TCEDk-%tB3DSS SF*zA_FgD)HTXGQHh4/3Iү?B.FKIc=KJKJK<ϴ:є>(TNNNOTOOOP)ꈛ)镊)Q QۈzɎ)Ri?`JRQ-tS1u;aQiT'Lp@5U5SN(<`vaaƣMƣt>"!e5thjUj?rUW&GAD8NtZXQG8JxVLWC>•`%&EnՄch^qqabq`%ң1qZr4aQDZGQ_9) g=Wh2^6F%&b5gܵ]_big%Fc\beX(f t6G\8DF'ITh5Vb{&eDFnf`YVkc]vFJ`6(^k#dX0f"6h6uXV5F&*vr:Zv]del;_Vo;cf˖^5V= a]6e.ufhyjbk7[1"l6bc5a[yto]AVp`4uuV->bU]- chAlkdZ&vH%-b yeըo׆&k_I&xhg7iiu6xI\sQjEtǦoq3b%}Mw\fe1^@V C~!c%w3(z xIznsTA`C'$)Vu'zVFnwcOx(z51cVzUjNvwr Br׀Wf7"Bw,m#JqMOE# >Lc AKG&YrJQ^*cN*QH"zOm*7ML+-< p𲸯h~8 ;K,Q&RǮ'1&T/'#jާ c1*2_m0mj M>L/q;L>#c_?w1jDO_m!GrJ6Ou?ʑNHow? \_!'7?$٦qJO/:? $waP$ʤ9L:ҧ p^Wjs,F⮖i *-6fh.M}e AQ)e J&V5EBR]}L>Yry &BʵZV1yF">f.;[&FOwwa'gC1UMe;IGcލ}?}paxO] g7bHaMI&[=: lbztAIͥu>mR"Kg<ҏg"ǒKpӓfVjŋUh9Z nyi͌ݤ&R;oXOM-a~, /ӟbf<:7GLVU.-?\ZKsM/u؞B{#}[<'v*ỉJ{5Wv vګK-w9ڜy>M3a~ղq[ɳvˀDyx `E> 楠L4'=e2w=awXԩ^q^E[Ehye_!XQf*5`Q,է4 #^t"da%J3]K9`؂2Nz9MPj~dh"b&dˁygv3iN:EwV|R^肊2(i:XM]Z(LPz:j ezR_('j gj=4dZ, hʖڬf$CNt-,ނl;.)vkfҶʂ[ *.K\ ;)ö>*Qd҂d]".&19pv >˰ ] Yi/(~ r.|.KGiqzUbxPsȍɧM4CI(E0ZϺ٘ƌ3MCId|6ބb_ ǡt2a]xFNb?r,d?sgmuҚT*BO|=2~|.9ň#n[(^ϐ!¡޲=-xݱ._:'lHa+_f=V3<ÿ]|;` ]?cn"#](nY_"ӯ^BhJž.RC~Ӑhy}i H} D!zHqY,W ]B6lsV÷萆BTRD0Q0C.~FlbH1 _E-͊Od`1'*(B kcXl# +,zѺ/D2.gdǐ)2k IM [L2da!QM"XKuT'KIȀ,-_ZoW\ZJB%)xgfMT+ټ 0<3PMipD98艓@ռ5۹/1 wCra'F}lÁ c:ȉ_Dh-1>zOa mHS֓t) O-c_QB*Qjԣ"5J]*SԧB5R*Ujիb5Z*Wկ5b+Yjֳ5Uַ5r+]j׻u+_׿u,a k"6vbW:v,e;,g;UdIkZj]-k-l7K[޶-oj1a7.qk"7].sB7ҝ.ukb7.w 7Mn;PKg33PK)A#OEBPS/img/config_struct_changes.gifGIF87atΜ䜚dd24f|Lbdf2d2dd̜4,t@pH,Ȥrl:ШtJZجvzxL.46n|N~B‹noq11.m D p#?EBM8F{ CL.  X0eF8laCHgfҙ%"xdtѣH eD/zgOVdjj[e&]˖RMx1Ċg;FJ/X~ |b`z+K'cx#cE(DŽzJPreƎMoZ KΙOV۪2EM OC6;B.v~sOC^}y7,]w/Oߕn20"IgJYiF椔b&\iވ# .;j=ZbBʝn 릉"xe}V*찈nN9+l R[N{nFbV8؂j~ iJ[_w+:zxzs2̜fu{6œ.sw[ c:ay:J0 xNv埘qYr?C $ͳ- To)RHpV]J^-6"Hۍ-JjvG}6(rmp߭|w߀.`'7G.Wngw砇.褗n騧ꬷx.{{={o2s\ l@=cso޷!އMÎa_>߳~{m(3G 5j+`A0dJp A0"Fa 0dD=hrl)ozl@6<_ Pt aaj^< F.~1}`"PD4N"(F#эQ'?'HMG9ӡ+XB⑑MaGBvȠx>p G7E~G\c&:}#&eH!)%aYUrd"0eֲ%) )v2!-K,4Ebz2e0UYB-$4\$3ED*GT&8F}3u!˹Ci4<#I|g I ‘ hE%9ir,фrm&=qz<$gϦ )h|&4"~C:ԛ2jRVHeƫZ X- ŬcMkDֶUvl}\jsU^׾ `Kuvūbժg4V]dfTf!zY[`,4e H-ey1`v \@ h-ba+ˆ%,\K `o/p HEr{EA+w=sHo*%@Up[tu8<T74xsuThB`xXn\K6'p0&Ӄ wFm%J)̌A怇;_&Sl&pPG\L[>=|cr7lH[|^1mXGWɚN-"9"&J3`P9WN49Kc.;a2,0[fH^^mó zV{^2 Uhʹm=fbCzؕæi:opMMj]WW])Yn=nZҙ6lJ)f~ԣ?: =r"LcCPo;ƴ0p{מ@mj-勠Ϲ4*k[?:MM4!5Knr +'8]49uuy[~nyG`C)Nzk `@˼N5f+vry };&wH}.7q~N X5W?5b hg2?wga8ct`4_c[دp`{OOOϿ88~[P 8Xx؁ "8$X&x(*,؂.0xms8x96<@h9>D:CXsH:L؄4OV8:UxZ؅Å^b8dX:gX[XjH:R`om8#tx8vxz8l{j#~8XxXSP؈e؆8SV:؇h.!^h89K؇:C(㊖ChshHǨ8x9x(V8k،::] x8ϸX_89(9؋B8͈x؋Hӎc>Hȏ؏8Ǩ3IӌoD5㐗CɎyh899ÑӐ,'1Y##" h%Ɋ 9=EX<ٓp8YVHI8 8Xhf\ɔKy#ZpؒUɕX)]vy){(ioy} Rɐw̸٘n9ٍuIt|yk9 p 9ɖI隐虸xJQ|H(Ib薒Iٗ:Y))yx%)iFՉٞZٞɞi왈8)IXY)9ɞI  9yL!zYY뉡'ݙ&j# 3Ƀ7yJS=jڛ6IHAZNʜ! <*bPyRʘ49Cc%L c XZkI"jyqڄ7iSʋڦpzH:(4IC`:JjQ꧞O*WU^9ZChsʖ nڪ}:9|z:zjȦE?SZBIy٨Ѻsɚʋjx]:몠ψ\|v:S^ڢʆsz9~:[/iIʉb: ۬+|ȢyɊz`WJ J~  +5 +2Jo ~متku*5JG* s HY*Sʩj kꣲh죉1+/*Ckɘ9E; 9*|؆I{[:ڸŠ9z]{gl({;`;˺к;6H++{K˫HěԛXڻ۽;[{蛾2ؾ;[{(<\|  <\ ,"< $|l(*.-2b38':,<@B\8LFLTS\|X9\ #Lblf|\nir\ Lvx|{\yL}sp `D<lLEPɛȈ‚ƞɡlʪ,Gȝʖ|ə,ɲ<˱ ɜ<L~|ʶLɁƾlm`ȫș|ό˵<Ͱ,<ɩ|,Ɔ\<+ ЬL<θ<<Bl ]<,Ll =Ҍͳ LpϞ| KL0YLo0Δ2 @ל@E-ѣ<:?ѮV]VԶ|S&QF-ga#-lE<n ϥ,Ϻ1}#/}j}ք-r]-\O]ˎt|Ցbfػlɚտ׽\~4NE-{m h}2n,.^GCMN,:^B^[~cu>mUٝɨmJֽYnՒ})\էѡ}9nm &5s.ՔI~/^܋M@NⱎO᧪nw\.4l]lܼ^MPȮю՞tNܾ~,VD~N)v >5~ N  l0HN _8?T#"PR| 1@N`?#UjP>L eJeJe GPeJO_CD5NS~ >Z]_ _? 4ӿA&eN>MG=R@TkIoPiv=t'_(DhKA ceUhc?kC9P$ۆptvxLz_t\TR|5 JdK<o~oF:vFF oSmaοS0?Qo$J{_ ݯ o N$@y#lr&F"4OP4RdHT@EP.ȤuN>JiV VZs}` i*ʍ*2ѪRlpHqԨQQj53tկN3,2IRӑVԳ5X X8YOO 03vtQV 26w:Բ+tykZaٽ`5kC3mw`z !#Br3\ߕrȕ3LnY3K$dpfQɔ. V1Ř wZƍr+֏:ŃfZ!Tjn_sr鏗*s<ҕe"\Evh ցivPPS(ce;ġlv Y#̧6kU6's=s0bk'w}q9PRWPz3ӏswwf ꗳwv/g_5o9nA3ϹkA -$B(iC5:TkL<U\]|emuܑ} "<$\&Uq*,ܒ.0@2[韃~:xzͮ9S^˝hg&zc$mjyi쳧F{FZ)fʹnM:-/Nj\l;kE_]}^yKAT}pGyӟ(h;Qųbs77pv#D@re$#=ez+1DjLӣ/y7 K'-EΪe@ɑnW]!XBeG/qqa%_FHNb\,B҄aa9;^* IGЉe)$xi~^yx*y4hʦ/S>89PD(RY*p#ih DBA Operations in an Oracle Database Vault Environment

10 DBA Operations in an Oracle Database Vault Environment

This chapter contains:

Using Oracle Database Vault with Oracle Enterprise Manager

This section contains:

Setting the Database Vault Administrator URL in Oracle Enterprise Manager

You can configure Database Control or Grid Control to use a specific Database Vault Administrator URL.

  1. Access Oracle Database Vault Home page from Oracle Enterprise Manager.

    See "Accessing the Oracle Database Vault Pages from Oracle Enterprise Manager".

    If you want to save the Database Vault URL:

    • For Database Control: Ensure that in addition to being granted the DV_OWNER or DV_ADMIN role, that you are also an Enterprise Manager administrator.

    • For Grid Control: Ensure that you have been granted the OPERATOR privilege on the target database.

  2. Access the Database Vault Administrator URL page.

    From the Database Vault Home page, click the Administration tab, and then under Policy Administration, click the Launch Database Vault Administrator link.

    The Database Vault Administrator URL page appears.

  3. In the Database Vault Administrator URL field, enter the Database Vault Administrator URL that you want to use.

    For example:

    https://myserver.us.example.com:1148/dva

  4. To test the URL, click the Launch to test URL button.

  5. Click the Save button.

Propagating Oracle Database Vault Policies to Other Databases

If you have Oracle Database Vault installed in an Oracle Enterprise Manager Grid Control Release 10.2.0.5 environment, then you can propagate Database Vault policies to other Database Vault-protected databases. Note that you cannot use Grid Control to create Database Vault policies or perform the actions normally provided for in Database Vault Administrator. If you want to perform these functions, then use Database Vault Administrator.

To propagate Database Vault policies to other databases:

  1. Access Oracle Database Vault Administrator from Oracle Enterprise Manager, and log in to Database Vault as a user who has been granted the DV_OWNER or DV_ADMIN role.

    Ensure that you select the database that contains the policies that you want to propagate.

    See "Accessing the Oracle Database Vault Pages from Oracle Enterprise Manager".

  2. From the Database Vault home page, select the Administration subpage.

  3. In the Administration page, under Policy Propagation, select the Database Vault Policy Propagation link.

    The Available Policies area in the Policy Propagation subpage lists a summary of the Oracle Database Vault policies that were created for the database that you selected in Step 1. From here, you can propagate these policies to another database.

  4. Under Available Policies, select each policy that you want to propagate to another database.

    By default, all policies are selected.

    Description of dv_oem.gif follows
    Description of the illustration dv_oem.gif

  5. Under Destination Databases, click the Add button.

    Description of dv_oem2.gif follows
    Description of the illustration dv_oem2.gif

  6. Under Search and Select: Database Vault Enabled Destination Databases, search for the destination databases, and then select each database to which you want to propagate the policies. Then click the Select button.

  7. Under Destination Databases, do the following:

    1. Under Apply credentials across destination database(s), enter the user name and password of the administrator of the Database Vault database that contains the policies you want to propagate.

      This feature applies the Database Vault administrator's user name and password to all of the selected destination databases.

    2. Select each database to which you want to propagate the policies.

    3. Enter the Database Vault administrator user name and password for each database.

    4. Click the Apply button.

  8. In the Propagate Options page, select from the following options.

    Any changes made to the seeded realms, command rules, rule sets, and so on will not be propagated to the destination databases. Only custom-created data are propagated.

    • Restore on failure: If the policy propagation encounters errors, then the propagation is rolled back. That is, the original policies on the destination database are restored. If you do not select this option, then the policy propagation on the destination database continues and ignores any errors.

    • Skip propagation if user defined policies exist: If the destination databases already have the user-defined policies, then the policy propagation is not attempted. If you do not select this option, then regardless of whether user-defined policies exist on the destination database, all the existing policies are cleared, and the policies from the source database are applied to the destination database.

    • Propagate Enterprise Manager metric thresholds for database vault metrics: If the source database has Oracle Database Vault metric thresholds set, then these thresholds are also propagated to the destination databases. If you do not select this option, then only policies are propagated and not the Oracle Database Vault thresholds.

  9. Click the OK button.

  10. In the Confirmation window, click OK.

    A message indicating success or failure appears. If the propagation succeeds, then the policies are active right away in their destination databases.

Using Enterprise Manager Grid Control Alerts for Oracle Database Vault Policies

Grid Control generates Oracle Database Vault-specific alerts. To view these alerts, you must be granted the DV_OWNER, DV_ADMIN, or DV_SECANALYST role. The alerts are as follows:

  • Database Vault Attempted Realm Violations. This alert helps the Oracle Database Vault security analyst (DV_SECANALYST role) to monitor violation attempts on the Database Vault database. This user can select the realms to be affected by the alert and filter these realms based on the different types of attempts by using error codes. You can enable this metric from the Metrics and Policy Settings page. By default, the attempted realm violations are collected every 24 hours.

  • Database Vault Attempted Command Rule Violations. The functionality for this alert is the same as for Database Vault Attempted Realm Violations, except that it focuses on violations on command rules.

  • Database Vault Realm Configuration Issues. This metric tracks and raises an alert if users misconfigure realms. This metric is enabled when you install Oracle Database vault, and by default it collects data every one hour.

  • Database Vault Command Rule Configuration Issues. This functionality for this alert is that same as Database Vault Realm Configuration Issues, except that it focuses on configuration changes to command rules.

  • Database Vault Policy Changes. This metric raises an alert on any change to any Database Vault policy, such as policies for realms and command rules. It provides a detailed policy changes report.

Using Oracle Database Vault-Specific Reports in Enterprise Manager Grid Control

From the Database Vault home page, you can find information about the following types of violations:

  • Top five attempted violations on realm and command rule

  • Top five attempted violations by database users and client host

  • Time series-based graphical reports on attempted violations for more detailed analysis

To have full access to the Database Vault reports, you must log in to Database Vault Administrator as a user who has been granted the DV_OWNER, DV_ADMIN, or DV_SECANALYST role.

Changing the DBSNMP Account Password in an Oracle Database Vault Environment

Before you can change the password for the DBSNMP user account, you must revoke the DV_MONITOR role from this account. In an Oracle Database Vault environment, the DBSNMP user account is granted the DV_MONITOR role. (The DBSNMP user can change his or her own password directly, without having to have the DV_MONITOR role revoked first.)

To change the DBSNMP user password:

  1. Log in to SQL*Plus using an account that has been granted the DV_OWNER role.

  2. Revoke the DV_MONITOR role from the DBSNMP user account.

  3. Connect as a user who has been granted the DV_ACCTMGR role and then change the DBSNMP user account password.

  4. Connect as the DV_OWNER user and then grant the DV_MONITOR role back to the DBSNMP user account.

Alternatively, you can temporarily disable Oracle Database Vault, log on as a user who has been granted the ALTER USER privilege, and then modify the DBSNMP password. Afterward, re-enable Database Vault. See Appendix B, "Disabling and Enabling Oracle Database Vault," for more information.

Using Oracle Data Pump in an Oracle Database Vault Environment

This section contains:

About Using Oracle Data Pump in an Oracle Database Vault Environment

Database administrators who want to use Oracle Data Pump must have Oracle Database Vault-specific authorization, in addition to the standard Oracle Data Pump privileges, if they want to export and import data in an Oracle Database Vault environment. (Note that you cannot use the legacy EXP and IMP utilities if Oracle Database Vault is enabled.)

The level of authorization that you must grant depends on the following scenarios:

  • A database administrator wants to export or import data in a schema that has no realm protection. In this case, this user only needs the standard Oracle Data Pump privileges, not the Oracle Database Vault authorization.

  • A database administrator wants to export or import data in a protected schema. You must grant this user Database Vault-specific authorization by using the DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure. This authorization applies to both the EXPDP and IMPDP utilities. Later on, you can revoke this authorization by using the DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER procedure.

  • A database administrator wants to export or import the contents of an entire database. In addition to the authorization granted by the DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure, you must grant this user the DV_OWNER role.

Granting a Database Administrator Authorization to Use Oracle Data Pump

To authorize a database administrator to use Data Pump in an Oracle Database Vault environment:

  1. Log in to SQL*Plus as a user who has been granted the DV_OWNER or DV_ADMIN role.

  2. Ensure that the user to whom you want to grant authorization has been granted the EXP_FULL_DATABASE and IMP_FULL_DATABASE roles, which are required for using Oracle Data Pump.

    SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS 
 WHERE GRANTED_ROLE LIKE '%FULL%';

  3. Grant this user Oracle Database Vault authorization.

    For example, to authorize the Data Pump user dp_mgr to export and import objects for an entire database:

    EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('dp_mgr');

    Optionally, you can restrict dp_mgr's activities to a specific schema or even a table, as shown in the following examples:

    EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR');

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES');

    See "AUTHORIZE_DATAPUMP_USER Procedure" for detailed information about this procedure.

    After you run the DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure, the authorization is stored as a rule in the Allow Oracle Data Pump Operation rule set, described in "Default Rule Sets". You can refer to this rule set by querying the DVSYS.DBA_DV_RULE_SET view if you want to check the user's authorizations.

  4. If the objects that this user wants to import are associated with other objects that are protected by a realm, then authorize the user to have access to that realm.

    For example, suppose user dp_mgr wants to export the SCOTT schema. However, the SCOTT schema is associated with the SYSMAN.AQ$_MGMT_NOTIFY_QTABLE_S table, and the SYSMAN schema is protected by a realm. So, before user dp_mgr can export the SCOTT schema, he must be authorized as follows:

    First, ensure that this user is a realm participant. For example:

    BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name   => 'SYSMAN Realm', 
  grantee      => 'DP_MGR', 
  auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

    Next, run the following procedure to authorize the user for Oracle Data Pump operations:

    EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR','SYSMAN');

  5. If the user must export the entire database, then grant the user the DV_OWNER role.

    GRANT DV_OWNER TO dp_mgr;

  6. Ensure that the Allow Oracle Data Pump Operation rule set has been enabled by querying the DVSYS.DBA_DV_RULE_SET data dictionary view as follows:

    SELECT ENABLED FROM DVSYS.DBA_DV_RULE_SET 
 WHERE RULE_SET_NAME = 'Allow Oracle Data Pump Operation';

Guidelines for Exporting or Importing Data in an Oracle Database Vault Environment

After you have granted the database administrator who is using Data Pump the necessary authorization, this user is ready to perform any export or import operations that are necessary. Before this user begins work, he or she should follow these guidelines:

  • Create a full backup of the database datafiles. This way, if you or other users do not like the newly-imported data, you easily can revert the database to its previous state. This guideline is especially useful if an intruder had managed to modify Data Pump exported data to use his or her own policies.

  • Decide how to handle exporting and importing multiple schemas or tables. You cannot specify multiple schemas or tables in the DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure, but you can use either of the following methods to accomplish this task:

    • Run individual DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedures for each schema or table, and then specify the list of these objects in the SCHEMAS or TABLES parameter of the expdp and impdp utilities.

    • Perform a full database export or import operation. If so, see the next guideline.

  • When performing an export or import operation for an entire database, set the expdp or impdp FULL option to Y. Remember that this setting will capture the DVSYS schema, so ensure that the user has been granted the DV_OWNER role. For detailed information about Oracle Data Pump, see Oracle Database Utilities.

Revoking Authorization from Databases Administrators Who Are Using Data Pump

To revoke authorization from the database administrator who is using Data Pump:

  1. If you granted the user the DV_OWNER role, optionally revoke this role.

    REVOKE DV_OWNER FROM dp_mgr;

  2. Query the DVSYS.DBA_DV_RULE_SET data dictionary view and then make a note of the user's authorizations that have been defined in the Allow Oracle Data Pump Operation rule set.

    SELECT RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET_RULE
 WHERE RULE_SET_NAME = 'Allow Oracle Data Pump Operation';

    For example, if you had authorized user dp_mgr to perform export and import operations on the entire database, a rule defining this authorization appears in the list of rule expressions in the Allow Oracle Data Pump Operation rule set.

  3. Use the information you gathered from Step 2 to build the DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER command.

    For example:

    EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR');

    Ensure that this unauthorization complements the original authorization action. In other words, if you originally gave dp_mgr authorization over the entire database, then the following commands will not work:

    EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES');

    See "UNAUTHORIZE_DATAPUMP_USER Procedure" for more information.

  4. If you needed to make the user a realm participant (for example, to access the SYSMAN.AQ$_MGMT_NOTIFY_QTABLE_S table objects, as described in Step 4 under "Granting a Database Administrator Authorization to Use Oracle Data Pump"), then remove the realm authorization for this user.

    For example:

    BEGIN
 DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM(
  realm_name => 'SYSMAN Realm',
  grantee    => 'DP_MGR');
END;
/

Scheduling Database Jobs in an Oracle Database Vault Environment

This section contains:

About Scheduling Database Jobs in an Oracle Database Vault Environment

Users who are responsible for scheduling database jobs must have Oracle Database Vault-specific administration, in addition to the standard system privileges required for scheduling database jobs.

The level of authorization that you must grant depends on the following scenarios:

  • An administrator wants to schedule a job in his or her own schema. An administrator who has been granted privileges to schedule database jobs can continue to do so without any Oracle Database Vault-specific authorizations, unless this schema is protected by a realm. In that case, ensure that this user is authorized to access the realm. See "Defining Realm Authorization" for instructions on granting a user realm authorization.

  • An administrator wants to run a job in another schema, but this job does not access any Oracle Database Vault realm or command rule protected object. In this case, this user only needs job related system privileges, not the Oracle Database Vault privileges.

  • An administrator wants to run a job under the schema of another user, including any schema in the database or a remote database. If this job accesses an Oracle Database Vault realm or command rule protected object, then you must grant this user Database Vault-specific authorization by using the DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER procedure. This authorization applies to both background and foreground jobs. For background jobs, the authorization applies to the last user who created or modified the job. In addition, ensure that the schema owner (the protected schema in which the job is created) authorized to the realm.

    Later on, you can revoke this authorization by using the DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER procedure. If the schema is not protected by a realm, then you do not need to run the DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER procedure for the user.

Granting a Job Scheduling Administrator Authorization for Oracle Database Vault

To authorize a user to schedule database jobs:

  1. Log in to SQL*Plus as a user who has been granted the DV_OWNER or DV_ADMIN role.

    Only a user who has been granted either of these roles can grant the necessary authorization.

  2. Ensure that the user to whom you want to grant authorization has been granted system privileges to schedule database jobs.

    These privileges include any of the following: CREATE JOB, CREATE ANY JOB, CREATE EXTERNAL JOB, EXECUTE ANY PROGRAM, EXECUTE ANY CLASS, MANAGE SCHEDULER. The DBA and SCHEDULER_ADMIN roles provide these privileges; however, when Oracle Database Vault is enabled, the privileges are revoked from these roles.

    For example:

    SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS 
 WHERE PRIVILEGE IN ('CREATE JOB', 'CREATE ANY JOB');

  3. Grant this user Oracle Database Vault authorization.

    For example, to authorize the user job_mgr to schedule jobs for any schema in the database:

    EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

    Optionally, you can restrict job_mgr's activities to a specific schema, as follows:

    EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

    See "AUTHORIZE_SCHEDULER_USER Procedure" for detailed information about this procedure.

    After you run the DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER procedure, the authorization is stored as a rule in the Allow Scheduler Job rule set, described in "Default Rule Sets". You can refer to this rule set by querying the DVSYS.DBA_DV_RULE_SET view if you want to check the user's authorizations.

  4. Ensure that the user has been authorized by querying the DVSYS.DBA_DV_JOB_AUTH data dictionary view as follows:

    SELECT GRANTEE,OBJECT_OWNER FROM DVSYS.DBA_DV_JOB_AUTH 
WHERE GRANTEE = 'user_name';

Revoking Authorization from Job Scheduling Administrators

To revoke authorization from a user for scheduling database jobs.

  1. Query the DVSYS.DBA_DV_JOB_AUTH data dictionary view and then make a note of the user's authorizations that have been defined in the Allow Scheduler Job rule set.

    SELECT GRANTEE FROM DVSYS.DBA_DV_JOB_AUTH;

    For example, if you had authorized user job_mgr to perform schedule database jobs for the entire database, a rule defining this authorization appears in the list of rule expressions in the Allow Scheduler Job rule set.

  2. Use the information you gathered from Step 1 to build the DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER command.

    For example:

    EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');

    Ensure that this unauthorization complements the original authorization action. In other words, if you originally gave job_mgr authorization over the entire database, then the following command will not work:

    EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

    See "UNAUTHORIZE_SCHEDULER_USER Procedure" for more information.

Using Oracle Database Vault with Oracle Recovery Manager

You can +ouse Recovery Manager (RMAN) in an Oracle Database Vault environment. The functionality of RMAN with Oracle Database Vault is the same as its functionality in a standard Oracle Database environment.

For more information about RMAN, see the following documentation:

Using Oracle Streams in an Oracle Database Vault Environment

If you want to use Oracle Streams in an Oracle Database Vault environment, then you must have the following privileges:

  • You must be granted the DV_STREAMS_ADMIN role in order to configure the Oracle Streams capture process. See "DV_STREAMS_ADMIN Oracle Streams Configuration Role" for more information.

  • Before you can apply changes to any tables that are protected by a realm, you must be authorized to have access to that realm. For example:

    EXEC DBMS_MACADM.ADD_AUTH_TO_REALM('realm_name','username');

    See "ADD_AUTH_TO_REALM Procedure" for more information about the DBMS_MACADM.ADD_AUTH_TO_REALM procedure.

Using XStream in an Oracle Database Vault Environment

If you want to use XStream in an Oracle Database Vault environment, then you must have the following privileges:

  • You must be granted the DV_XSTREAM_ADMIN role in order to configure the XStream. See "DV_XSTREAM_ADMIN XStream Administrative Role" for more information.

  • Before you can apply changes to any tables that are protected by a realm, you must be authorized to have access to that realm. For example:

    EXEC DBMS_MACADM.ADD_AUTH_TO_REALM('realm_name','username');

    See "ADD_AUTH_TO_REALM Procedure" for more information about the DBMS_MACADM.ADD_AUTH_TO_REALM procedure.

Using Oracle GoldenGate in an Oracle Database Vault Environment

If you want to use Oracle GoldenGate in an Oracle Database Vault environment, then you must have the following privileges:

Using Data Masking in an Oracle Database Vault Environment

This section contains:

About Data Masking in an Oracle Database Vault Enabled Database

In an Oracle Database Vault-enabled database, only users who have Database Vault authorizations can mask data in Database Vault-protected database objects. In a non-Database Vault environment, users who have been granted the SELECT_CATALOG_ROLE and DBA roles can perform data masking. However, with Database Vault, users must have additional privileges. This section describes three ways that you can use to enable users to mask data in Database Vault-protected objects.

If users do not have the correct privileges, then the following errors can occur while creating the masking definition or when the job is executing:

ORA-47400: Command Rule violation for string on string 

ORA-47401: Realm violation for string on string. 

ORA-47408: Realm violation for the EXECUTE command 

ORA-47409: Command Rule violation for the EXECUTE command 

ORA-01301: insufficient privileges

Adding Data Masking Users to the Data Dictionary Realm Authorizations

The Oracle Data Dictionary controls access to the Oracle Database catalog schemas, such as SYS and SYSTEM. (See "Default Realms" for a full list of these schemas.) It also controls the ability to grant system privileges and database administrator roles. If you add users to the Data Dictionary realm, and assuming these users already have the privileges associated with the Oracle Data Dictionary, then these users will have these same privileges in a Database Vault environment. Therefore, if you do add a user to this realm, ensure that this user is a trusted user.

For example:

BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name   => 'Data Dictionary Realm', 
  grantee      => 'DBA_JSMITH', 
  auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

Giving Users Access to Tables or Schemas That They Want to Mask

If the table or schema of a table that is to be data masked is in a realm, then you must add the user responsible for data masking to the realm authorization as a participant or owner. If the table or schema has dependent objects that are in other realm-protected tables, then you must grant the user participant or owner authorization for those realms as well.

The following example shows how to grant user DBA_JSMITH authorization for the HR.EMPLOYEES table, which is protected by a realm called Business Apps Realm:

BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name   => 'Business Apps Realm', 
  grantee      => 'DBA_JSMITH', 
  auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT;
END;
/

Creating a Command Rule to Enable Data Masking Privileges

For data masking, users must have the CREATE TABLE, SELECT TABLE, ALTER TABLE, and DROP TABLE privileges for the masking objects and if there are any dependent objects to be created, the user must have the appropriate privileges such as CREATE PACKAGE, CREATE TRIGGER, and so on.

You can create command rules to control data masking privileges at a granular level. To do so, create a command rule that can either prevent or allow the user access to objects that must have to be data masked. For example, you can create a command rule called Allow Data Masking that checks if the user is in a list of users who are responsible for data masking. If the user logging in is one of these users, then the command rule evaluates to true and the user is permitted to create the data mask for the protected object.

To create this type of command rule:

  1. Create the rule set rule.

    For example:

    BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name  => 'Is HDRISCOLL or DBA_JSMITH User', 
  rule_expr  =>'USER IN(''HDRISCOLL'',''DBA_JSMITH'')';
END;
/

  2. Create a rule set and then add the rule to it:

    BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE_SET(
  rule_set_name    => 'Allow Data Masking', 
  description      => 'Allows users HDRISCOLL and DBA_JSMITH access', 
  enabled          => 'Y',
  eval_options     => 1,
  audit_options    => 1,
  fail_options     => 1,
  fail_message     => 'You do not have access to this object.',
  fail_code        => 20461,
  handler_options  => 0, 
  is_static        => TRUE);
END;
/
BEGIN
 DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name => 'Allow Data Masking', 
  rule_name     => 'Is HDRISCOLL or DBA_JSMITH User'),
  rule_order    => 1);
END;
/

  3. Create a command rule and then add this rule to it:

    BEGIN
 DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
  command         => 'CREATE TABLE', 
  rule_set_name   => 'Allow Data Masking', 
  object_owner    => 'HR', 
  object_name     => 'EMPLOYEES', 
  enabled         => DBMS_MACUTL.G_YES);
END; 
/

PKNR{PK)A,OEBPS/img_text/sec_policy_changes_detail.htmg Description of the illustration sec_policy_changes_detail.gif

This screen shows the Security Policy Changes Detail area with sample data. Categories are as follows: Timestamp, User Name, User Host, Action Name, Return Code, Action Object Name, Rule Set Name, Action Command.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKAxPK)AOEBPS/img_text/dv_oem2.htm Description of the illustration dv_oem2.gif

This screenshot focuses on the Destination Databases area of the Database Vault Policy Management page. Under "Destination Databases" is this legend:

"Select the databases to which these policies need to be applied. Database Vault administrator credentials are required for each of the destination databases to successfully propagate the policies.

"The table below shows the list of database targets to which these database policies will be applied."

Following the legend are Add and Remove buttons, which are followed by the table columns Select, Database Name, Database Type, Database Vault Administrator User Name, Database Vault Administrator Password. There are no databases listed yet in this screenshot.

Following the table is the Propagate Options area, which is described in the following steps of this procedure.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK@kIO PK)A%OEBPS/img_text/sec_policy_changes.htm@ Description of the illustration sec_policy_changes.gif

This figure shows the Security Policy Changes By Category. X axis displays the time period; the Y axis shows the number of changes.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK>E@PK)AOEBPS/img_text/dv_oem.htmp Description of the illustration dv_oem.gif

This screen shows the Database Vault Policy Management page, and focuses on the Available Policies area. Under "Database Vault Policy Management" is the following text :

"The Database Vault Policy Management feature enables the propagation of database vault policies like Realms, Command Rules, Secure Application roles, Factors and Rulesets from a source database to multiple destination databases.This allows to propagate database security policies across an enterprise."

Following this text is the Available Policies area, which has the legend "The following is the list of all the available database vault policies. Select the policies that need to be propagated to the destination databases." From left to right under it are the links Select All, Select None, Expand All, Collapse All.

In the table that follows are these columns: Select, Name, and Status. Under Name is a Policies list, which contains the different categories of Database Vault components: Realms, Command Rules, Secure Application Roles, and Rule Sets. This screenshot shows the Secure Application Roles link expanded, with two roles displayed.

Following Available Policies is the Destination Databases area, which isdescribed in the next step.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKp PK)AOEBPS/img_text/tde.htmJ Description of the illustration tde.gif

This figure shows a set of realms with data automatically being encrypted and decrypted through SQL. It also shows sensitive data encrypted on backup files.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKUhOJPK)A(OEBPS/img_text/config_struct_changes.htmx Description of the illustration config_struct_changes.gif

This figure shows the Database Configuration and Structural Changes table. Columns are: Timestamp, User Name, User Host, Action Name, Return Code, Owner, Object Name, and Comment Text.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKW}xPK)A$OEBPS/img_text/security_concerns.htm Description of the illustration security_concerns.gif

Surrounding text describes this figure.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK_9PK)A.OEBPS/img_text/security_violation_attempts.htmh Description of the illustration security_violation_attempts.gif

This screen shows the Security Violation Attempts area with sample data. Categories are as follows: Timestamp, User Name, User Host, Action Name, Return Code, Action Object Name, Rule Set Name, Action Command.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKo:PK)AOEBPS/img_text/realm.htmm Description of the illustration realm.gif

This figure illustrates how realm authorization works for two realm owners, the Order Entry realm owner and the Human Resources realm owner. The Order Entry realm owner has the OE_ADMIN role, and the Human Resources realm own has HR_ADMIN role. Both of these realm owners have the following database privileges:

  • CREATE ANY TABLE

  • DROP ANY TABLE

  • SELECT ANY TABLE

  • GRANT/REVOKE

When these realm owners perform an action in their respective schemas—OE schema for the Order Entry realm owner and the HR schema for the Human Resources realm owner—the Oracle Database Vault realm authorizations allow them to perform any of the database privileges to which they are assigned.

However, they are not permitted to perform these actions in each other's realm. For example, the Order Entry realm owner cannot create tables in the HR schema, nor can the Human Resource realm owner drop tables from the OE schema.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK{U*PK)AOEBPS/img_text/dvadm_vm_001.htmE Description of the illustration dvadm_vm_001.png

This figure illustrates how Oracle Database Vault roles are categorized. The roles fall into four categories, which are as follows, from top to bottom:

  • Security administrative roles: DV_OWNER, DV_ADMIN, DV_MONITOR, DV_SECANALYST, DV_PATCH_ADMIN, DV_STREAMS_ADMIN, DV_XSTREAMS_ADMIN, DV_GOLDENGATE_ADMIN, DV_GOLDENGATE_REDO_ACCESS

  • Account management responsibility role: DV_ACCTMGR

  • Resource management roles: DV_REALM_OWNER (for application management and granted to realm owners); DV_REALM_RESOURCE (for application access and granted to realm participants)

  • All responsibilities: DV_PUBLIC (granted by default to all database users to give access to the Oracle Database Vault public functions)

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PKPK)AOEBPS/img_text/home_page.htma Description of the illustration home_page.gif

This figure shows the Database Vault home page, right after you log in. The Administration tab displays by default, which lists links to the following components so that you can start to configure them:

  • Realms

  • Command Rules

  • Factors

  • Rule Sets

  • Secure Application Roles

  • Label Security Integration

Other tabs are Database Vault Reports, General Security Reports, and Monitor.

Oracle
Copyright © 2006, 2012, Oracle and/or its affiliates. All rights reserved.
Legal Notices
PK3PK)AOEBPS/guidelines.htm Oracle Database Vault Security Guidelines

D Oracle Database Vault Security Guidelines

This appendix contains:

Separation of Duty Guidelines

This section contains:

How Oracle Database Vault Handles Separation of Duty

Separation of duty means that you restrict each user's privileges only to the tasks he or she is responsible for, and no more. You should assign specific categories of privileges to specific users, rather than granting many privileges to one user. Simply put, separation of duty creates accountability for each task that your organization requires.

Separation of duty has taken on increased importance over the past 10 years. For many organizations, separation of duty is a new concept that continues to evolve. Database consolidation, regulatory compliance, and outsourcing are just a few of the drivers for increased separation of duty. Oracle Database Vault separation of duty strengthens security by separating security-related administration from day-to-day DBA operations. You can tailor your Database Vault separation of duty implementation to easily adapt to current and future business requirements. Small organizations, in particular, need flexibility as they attempt to increase their security profile with limited resources.

Defining Separate Tasks in an Oracle Database Vault Environment

Oracle Database Vault defines the following main responsibilities:

  • Account management. Account management entails creating, modifying, and dropping user accounts. The DV_ACCTMGR role provides these privileges.

  • Security administration. Security administration covers basic security tasks such as creating realms and command rules, setting security policies for database users' access, and authorizing database users for jobs they are allowed to perform. Security administrators also run security audit reports. The DV_OWNER and DV_ADMIN roles provide these privileges. (For an in-depth look at how the Oracle Database Vault roles provide for separation of duty, see "Oracle Database Vault Roles".)

    Optionally, you can consolidate the account management and security administrative responsibilities.

  • Resource management. Resource management refers to managing the database system but not accessing business data. It includes the following operations:

    • Backup operations require a predefined time to perform the backup using predefined tools.

    • Tuning and monitoring operations require ongoing performance monitoring and analysis.

    • Patching operations require temporary access only during the time the patching takes place

    For resource management, you should create a named account and a backup account for each of these tasks. Add these accounts as owners of the Data Dictionary realm. Use these accounts as the primary resource managers in the database.

You should have separate accounts for database account management, database security administration, and additional named accounts for backup operations. Auditors check for separate database accounts for different responsibilities and being able to track the actions of each account. Less important is the number of users assigned to specific tasks. Remember that Oracle Database Vault audit events are protected and that the Database Vault reports show all attempted violations.

Creating a Separation of Duty Matrix

Before separation of duty can be successful, you must understand who performs basic administration tasks in your environment and what these administration tasks are. Even if a single database administrator is responsible for managing both new database account provisioning and application patching, it is important to document and plan for each of these tasks.Using separate administration accounts for these types of tasks provides increased accountability and reduces associated risks. In midsize to large organizations, database administrators typically must perform common administration tasks but they do not need access to business data managed by the application. Creating a matrix for your separation of duty can help you plan your Database Vault deployment. As needed, you can include additional tasks and associated users to this list. This information should become part of the overall enterprise security documentation for your organization.

Table D-1 shows an example of a separation of duty matrix.

Table D-1 Example Separation of Duty Matrix

User, Process or ApplicationAccount CreationDatabase AdministrationSecurity Administrator
SYSDBABackupTuningPatchingMonitoring

...













JSMITH

X






SHARDY

X

PKESTNER

X





RTYLER

X



SANDERSON

X

X


SYSTEM

EBS patching



RMAN

X

X






In some cases, system management tasks may require temporary access to data through specific tools and programs. When this happens, build provisions for this temporary or emergency access into the Oracle Database Vault rules and rule sets.

Identifying and Documenting the Tasks of Users Who Access the Database System

You should document the following areas of the tasks your organization needs:

  • The responsibilities of each administrative user

  • The kind of access users need. For example, application owners should have data access and developers need access to development instances only.

  • Who must manage the system without accessing business data (for example, users who perform backup, patching, tuning, and monitoring operations)

  • The duties of each category of tasks (for example, the files that must be backed up, the applications that require patching, what exactly is monitored). Include the alternate user accounts for each of these tasks.

  • The databases and applications that must be protected. This includes Oracle applications, partner applications, and custom applications.

  • Who must be authorized to access business data, including the following:

    • Application owners through middle tier processes

    • Business users through an application interface

  • Emergency "what if" scenarios, such as how to handle a security breach

  • Reporting in a production environment, which should include the following:

    • Who runs the reports

    • Which reports must be run

    • The frequency with which each report is run

    • The users who must receive a copy of each report

  • In addition to a separation of duty matrix, the creation of the following matrices:

    • An Oracle Database Vault-specific matrix, which can cover the names and tasks of users who have been granted Database Vault roles

    • An application protection matrix, which can cover the applications to be protected and the types of protections you have put in place.

    Table D-2 shows an example of protections Oracle created for PeopleSoft Applications. You can download the scripts to create these security policies from the following URL:

    http://www.oracle.com/technetwork/database/options/database-vault/index-085211.html

    Table D-2 Example Application Protection Maxtrix

    Protection TypeAuthorized with Rule Set
    SYSADMPSFTDBASYSTEMDBA

    PeopleSoft Realm

    Owner

    Owner

    No Access

    No Access

    SELECT Command Rule

    Not Restricted

    Limit PSFTDB Rule Set

    No Access

    No Access

    CONNECT Command Rule

    PeopleSoftAccess Rule Set

    Not Restricted

    Not Restricted

    Not Restricted

    DROP TABLESPACE Command Rule

    Disabled Rule Set

    Disabled Rule Set

    Disabled Rule Set

    Disabled Rule Set


Managing Oracle Database Administrative Accounts

This section contains:

Using the SYSTEM User Account for General Administrative Uses

If you use the SYSTEM account for general database administrative purposes, create named database administrative accounts for your database administrators. Doing so increases accountability for administrative actions in the database.

Using the SYSTEM Schema for Application Tables

If your site holds application tables in the SYSTEM schema, then you should add the SYSTEM account to your realm authorizations for these tables so that these applications can continue to work normally. You can place restrictions on the SYSTEM account to increase or fine-tune security for these applications. For example, you can create a Database Vault rule set to restrict the SYSTEM user's access to specific IP addresses.

Limiting the SYSDBA Privilege

Limit the SYSDBA privilege only to users who must connect using this privilege when absolutely necessary and for applications that still require SYSDBA access, such as Oracle Recovery Manager (RMAN) and mandatory patching processes. For all other cases, create named database accounts to perform daily database administration.

Managing Root and Operating System Access

Oracle Database Vault prevents highly privileged database users from accessing sensitive data. In addition, if you are using Oracle Database itself, you can use transparent data encryption to prevent the most highly privileged operating system users from accessing sensitive data. Transparent data encryption enables you to hide individual table columns. (See Oracle Database Advanced Security Administrator's Guide for more information about transparent data encryption.) As a best practice, always carefully review and restrict direct access to the operating system.

You should have personalized accounts access the operating system. These personalized accounts should, in the Linux or UNIX environments, login using sudo to the oracle software owner when needed. With sudo, you can control which specific command each personalized user can execute. Be sure to prevent the use of the make, relink, gdb, or other commands that could potentially harm the database, for these users. However, if an administrative user must install a patch or perform some other emergency operation, you can enable the make and relink commands for a limited time, and audit their actions during this period.

Accounts and Roles Trusted by Oracle Database Vault

Oracle Database Vault restricts access to application data from many privileged users and roles in the database. However, in some cases, Oracle Database Vaults trusts certain roles and privileges.

Table D-3 lists the trusted roles and privileges that are created when you install Oracle Database Vault.

Table D-3 Trusted Oracle Database Vault Roles and Privileges

Role or Privilege       Status        Description

DV_ACCTMGR role

Open

Role created during installation and used for creating new database accounts

DV_OWNER role

Open

Role created during installation and used for managing realms, factors and command rules. This user cannot add himself or herself to realm authorizations, nor can users who have the DV_ACCTMGR role alter this user.

SYSDBA privilege

Enabled

Privilege created during Oracle Database installation. Required by some Oracle features. See "Managing SYSDBA Access" for guidelines on managing SYSDBA.

SYSOPER privilege

Enabled

Privilege created during Oracle Database installation. Database startup and shutdown. Granted to SYS only by default. See "Managing SYSOPER Access" for guidelines on managing SYSOPER.


Accounts and Roles That Should be Limited to Trusted Individuals

Several accounts and roles have very powerful privileges in a default Oracle Database installation. You should limit these accounts and roles only to trusted individuals.

Managing Users with Root Access to the Operating System

Users who have root user access have full control over the system, including the following activities:

  • Reading unencrypted files

  • Moving and deleting any files

  • Starting or stopping any program on the system

  • Logging in as any user, including the user who owns the Oracle Database installation

Oracle Database Vault does not provide protection against the operating system root access. Ensure that you grant root user privileges only to the appropriate people with the appropriate responsibility.

Managing the Oracle Software Owner

Users who have access to a system as the Oracle software owner have control over the Oracle software, including the following activities:

  • Disabling Oracle Database Vault in the given system

  • Reading unencrypted database files

  • Moving and deleting database files

  • Starting or stopping Oracle programs in the system

Oracle Database Vault does not provide protection against the operating system access of the Oracle software owner. Ensure that you grant Oracle software owner access only to the appropriate people with the appropriate responsibility.

Managing SYSDBA Access

The SYSDBA privilege is a trusted privilege in Oracle Database Vault. Grant this privilege to trusted users only.

Managing SYSOPER Access

By default, Oracle Database limits SYSOPER access to operating system users in the SYSOPER group and the user SYS. It prevents SYSOPER from modifying the Oracle data dictionary directly. The SYSOPER privilege has limited privileges within the database, but individuals with this role can start and shut down the Oracle database. Only grant the SYSOPER privilege to trusted individuals.

<9A/a>

Guidelines for Using Oracle Database Vault in a Production Environment

Follow these guidelines when running Oracle Database Vault in a production environment:

  • Run a full test of your applications to ensure that the Database Vault policies you have created are working as expected

  • Monitor the performance of your applications, and if necessary, tune your rule expressions

  • Assign responsibilities to the appropriate production support and security groups, as follows:

    • Assign security responsibilities to the database security administrator.

    • Assign account management to the database account manager.

    • Assign resource management tasks to database administrators.

  • Back up your Database Vault API scripts to a secure server.

Secure Configuration Guidelines

Follow these configuration and security guidelines:


Note:

  • Installing patches and new applications might re-grant some of the privileges that Oracle recommends that you revoke in this section. Check these privileges after you install patches and new applications to verify that they are still revoked.

  • When you revoke EXECUTE privileges on packages, ensure that you grant EXECUTE on the packages to the owner, check the package dependencies, and recompile any invalid packages after the revoke.

    To find users who have access to the package, log in to SQL*Plus as SYSTEM and issue the following query.

    SELECT * FROM DBA_TAB_PRIVS WHERE TABLE_NAME = package_name;

    package_name is the name of the package you are looking for.

    To find the users, packages, procedures, and functions that are dependent on the package, issue this query:

    SELECT OWNER, NAME, TYPE  FROM ALL_DEPENDENCIES 
WHERE REFERENCED_NAME = package_name;

    Note that these two queries do not identify references to packages made through dynamic SQL.


Security Considerations for the UTL_FILE and DBMS_FILE_TRANSFER Packages

The UTL_FILE package is owned by SYS and granted to PUBLIC. However, a user must have access to the directory object to manipulate the files in that operating system directory. You can configure the UTL_FILE package securely; see Oracle Database PL/SQL Packages and Types Reference for more information.

The DBMS_FILE_TRANSFER package is owned by SYS and granted to the EXECUTE_CATALOG_ROLE. Users with EXECUTE access on this package can move files from one location to another on the same file system. They also can move files between database instances, including databases on remote systems.

To secure the DBMS_FILE_TRANSFER package, do the following:

  • Revoke the EXECUTE privilege from the DBMS_FILE_TRANSFER package and grant the EXECUTE privilege only to trusted users who need it.

  • Create command rules to control the CREATE DATABASE LINK and CREATE DIRECTORY SQL statements. See "Creating and Editing a Command Rule" for information on creating command rules by using Oracle Database Vault Administrator.

Alternatively, Example D-1 and Example D-2 show how you can use the Oracle Database Vault DVSYS.DBMS_MACADM package to create command rules that limit and enable access to the CREATE DATABASE LINK statement, which is used to establish connections to remote databases. To use this method, log in to SQL*Plus using the Oracle Database Vault Owner account.

Example D-1 Creating a Command Rule to Deny Access to CREATE DATABASE LINK

BEGIN 
 DBMS_MACADM.CREATE_COMMAND_RULE (
  command       => 'CREATE DATABASE LINK', 
  rule_set_name => 'Disabled', 
  object_owner  => '%', 
  object_name   => '%', 
  enabled       => DBMS_MACUTL.G_YES); 
  END; 
  / 
COMMIT;

When a valid user must use the CREATE DATABASE LINK statement, the Oracle Database Vault owner can reenable it from Oracle Database Vault Administrator or issue the following commands in SQL*Plus.

Example D-2 Creating a Command Rule to Enable Access to CREATE DATABASE LINK

BEGIN 
 DBMS_MACADM.UPDATE_COMMAND_RULE (
  command       => 'CREATE DATABASE LINK', 
  rule_set_name => 'Enabled', 
  object_owner  => '%', 
  object_name   => '%', 
  enabled       => DBMS_MACUTL.G_YES); 
 END; 
 /  
COMMIT;

Similarly, Example D-3 shows command rules that disable and enable access to CREATE DIRECTORY.

Example D-3 Command Rules to Disable and Enable Access to CREATE DIRECTORY

-- Disable access to CREATE DIRECTORY
BEGIN
 DBMS_MACADM.CREATE_COMMAND_RULE (
  command       => 'CREATE DIRECTORY', 
  rule_set_name => 'Disabled', 
  object_owner  => '%', 
  object_name   => '%', 
  enabled       => dbms_macutl.g_yes); 
 END; 
  / 
COMMIT;

-- Enable access to CREATE DIRECTORY
BEGIN 
 dbms_macadm.update_command_rule (
  command       => 'CREATE DIRECTORY', 
  rule_set_name => 'Enabled', 
  object_owner  => '%', 
  object_name   => '%', 
  enabled       => dbms_macutl.g_yes); 
 END; 
 /
COMMIT;

Security Considerations for the Recycle Bin

In Oracle Database Vault, the ALTER SYSTEM command rule prevents the recycle bin feature from being enabled, but if the recycle bin is already enabled, it cannot prevent you from disabling it. When the recycle bin feature is enabled, realm-protected objects that are dropped go into the recycle bin. Once there, the objects are no longer protected by the realm. The exception is objects in the DVSYS schema: To keep DVSYS as a protected schema, you cannot drop its objects, even if the recycle bin is disabled. For better security for other realms, you should disable the recycle bin.

In SQL*Plus, you can check the contents of the recycle bin as follows:

SELECT * FROM RECYCLEBIN;
SELECT * FROM USER_RECYCLEBIN;

To purge the contents of the recycle bin, use the PURGE SQL statement:

PURGE RECYCLEBIN;
PURGE USER_RECYCLEBIN;

To disable the recycle bin:

  1. Log in to SQL*Plus as SYS using the SYSDBA privilege.

    sqlplus sys as sysdba
Enter password: password

  2. Ensure that the recycle bin is disabled.

    SHOW PARAMETER RECYCLEBIN

  3. If the recycle bin is on, then disable it.

    ALTER SYSTEM SET RECYCLEBIN=OFF SCOPE=SPFILE;

  4. Restart Oracle Database.

    SHUTDOWN IMMEDIATE
STARTUP

Security Considerations for the CREATE ANY JOB Privilege

The CREATE ANY JOB privilege has been revoked from the DBA and the SCHEDULER_ADMIN roles. Ensure that this change does not affect your applications.

See "Scheduling Database Jobs in an Oracle Database Vault Environment" for more information.

Security Considerations for the CREATE EXTERNAL JOB Privilege

The CREATE EXTERNAL JOB privilege was introduced in Oracle Database 10g Release 2 (10.2). It is required for database users who want to execute jobs that run on the operating system outside the database. By default, this privilege is granted to all users who have been granted the CREATE JOB privilege. For greater security, revoke this privilege from users who do not need it and then grant it only to those users who do need it.

Security Considerations for the LogMiner Packages

In this release of Oracle Database Vault, the role EXECUTE_CATALOG_ROLE no longer has the EXECUTE privilege granted by default on the following LogMiner packages:

  • DBMS_LOGMNR

  • DBMS_LOGMNR_D

  • DBMS_LOGMNR_LOGREP_DICT

  • DBMS_LOGMNR_SESSION

Ensure that this change does not affect your applications.

Security Considerations for the ALTER SYSTEM and ALTER SESSION Privileges

Be aware that trace and debug commands have the potential to show Oracle database memory information. Oracle Database Vault does not protect against these commands. To help secure the Oracle database memory information, Oracle recommends that you strictly control access to the ALTER SYSTEM and ALTER SESSION privileges. These privileges can be granted by the user SYS when connected as SYSDBA and by any user granted the DBA role.

Oracle also recommends that you add rules to the existing command rule for ALTER SYSTEM statement. You can use Oracle Database Vault Administrator to create a rule and add it to a rule set. You should grant the ALTER SESSION privilege only to trusted users. (For example, the ALTER SESSION statement can enable tracing.)

Example D-4 shows how you can create this type of rule. This rule prevent users with ALTER SYSTEM privilege from issuing the command ALTER SYSTEM DUMP. Log in to SQL*Plus as the Oracle Database Vault Owner when you create this command rule.

Example D-4 Adding Rules to the Existing ALTER SYSTEM Command Rule

CONNECT amalcolm_dvacctmgr
Enter password: password

BEGIN
 DBMS_MACADM.CREATE_RULE('NO_SYSTEM_DUMP',
 '(INSTR(UPPER(DVSYS.DV_SQL_TEXT),''DUMP'') = 0)');
 END;
/
EXEC DBMS_MACADM.ADD_RULE_TO_RULE_SET
  ('Allow Fine Grained Control of System Parameters','NO_SYSTEM_DUMP');

COMMIT;

Alternatively, you can use Oracle Database Vault Administrator to create and add this rule to the rule set. See "Creating a Rule to Add to a Rule Set" for more information.

PKQڛȹPK)AOEBPS/cfcmdaut.htm Configuring Command Rules

6 Configuring Command Rules

This chapter contains:

What Are Command Rules?

A command rule is a rule that you create to protect SELECT, ALTER SYSTEM, database definition language (DDL), and data manipulation language (DML) statements that affect one or more database objects. To customize and enforce the command rule, you associate it with a rule set, which is a collection of one or more rules. The command rule is enforced at run time. Command rules affect anyone who tries to use the SQL statements it protects, regardless of the realm in which the object exists. If you want to protect realm-specific objects, see "Defining Realm Authorization".

A command rule has the following attributes, in addition to associating a command rule to a command:

  • SQL statement the command rule protects

  • Owner of the object the command rule affects

  • Database object the command rule affects

  • Whether the command rule is enabled

  • An associated rule set

For more information about SQL statements and operations, refer to Oracle Database SQL Language Reference. See also "SQL Statements That Can Be Protected by Command Rules".

Command rules can be categorized as follows:

  • Command rules that have a system-wide scope. With this type, you can only create one command rule for each database instance. Examples are command rules for the ALTER SYSTEM and CONNECT statements.

  • Command rules that are schema specific. An example is creating a command rule for the DROP TABLE statement.

  • Command rules that are object specific. An example is creating a command rule for the DROP TABLE statement with a specific table included in the command rule definition.

When a user executes a statement affected by a command rule, Oracle Database Vault checks the realm authorization first. If it finds no realm violation and if the associated command rules are enabled, then Database Vault evaluates the associated rule sets. If all the rule sets evaluate to TRUE, then the statement is authorized for further processing. If any of the rule sets evaluate to FALSE, then the statement is not authorized and a command rule violation is created. Chapter 5, "Configuring Rule Sets," describes rule sets in detail.

You can define a command rule that uses factors for the CONNECT event to permit or deny sessions after the usual steps–user authentication process, factor initialization, and Oracle Label Security integration–are complete.

For example, you can configure a command rule that allows DDL statements such as CREATE TABLE, DROP TABLE, and ALTER TABLE in the BIZAPP schema to be authorized after business hours, but not during business hours.

You can run reports on the command rules that you create in Oracle Database Vault. See "Related Reports and Data Dictionary View" for more information.

This chapter explains how to configure command rules by using Oracle Database Vault Administrator. To configure command rules by using the PL/SQL interfaces and packages provided by Oracle Database Vault, refer to the following chapters:

Default Command Rules

Table 6-1 lists default command rules that Oracle Database Vault provides.

Table 6-1 Default Command Rules

SQL StatementObject NameRule Set Name

ALTER PROFILE

-

Can Maintain Accounts/Profiles

ALTER SYSTEM

-

Allow Fine Grained Control of System Parameters

ALTER USER

-

Can Maintain Own Account

CREATE PROFILE

-

Can Maintain Accounts/Profiles

CREATE USER

-

Can Maintain Accounts/Profiles

DROP PROFILE

-

Can Maintain Accounts/Profiles

DROP USER

-

Can Maintain Accounts/Profiles


The following set of command rules helps you to achieve separation of duty for user management:

  • ALTER PROFILE

  • ALTER USER

  • CREATE PROFILE

  • CREATE USER

  • DROP PROFILE

  • DROP USER

To grant a user the ability to use these commands, you can grant the user the role that the rule set checks. For example, the CREATE USER command rule ensures that a user who tries to run a CREATE USER statement has the DV_ACCTMGR role.

SQL Statements That Can Be Protected by Command Rules

You can protect the following SQL statements by using command rules:

ALTER CLUSTERCREATE CONTEXTDROP DIRECTORY
ALTER DIMENSIONCREATE DATABASE LINKDROP FUNCTION
ALTER FUNCTIONCREATE DIMENSIONDROP INDEX
ALTER INDEXCREATE DIRECTORYDROP INDEXTYPE
ALTER INDEXTYPECREATE FUNCTIONDROP JAVA
ALTER JAVACREATE INDEXDROP LIBRARY
ALTER OPERATORCREATE INDEXTYPEDROP OPERATOR
ALTER OUTLINECREATE JAVADROP OUTLINE
ALTER PACKAGECREATE LIBRARYDROP PACKAGE
ALTER PACKAGE BODYCREATE OPERATORDROP PACKAGE BODY
ALTER PROCEDURECREATE OUTLINEDROP PROCEDURE
ALTER PROFILECREATE PACKAGEDROP PROFILE
ALTER RESOURCE COSTCREATE PACKAGE BODYDROP ROLE
ALTER ROLECREATE PROCEDUREDROP ROLLBACK SEGMENT
ALTER ROLLBACK SEGMENTCREATE PROFILEDROP SEQUENCE
ALTER SEQUENCECREATE ROLEDROP SNAPSHOT
ALTER SNAPSHOTCREATE ROLLBACK SEGMENTDROP SNAPSHOT LOG
ALTER SNAPSHOT LOGCREATE SCHEMADROP TABLE
ALTER SYNONYMCREATE SEQUENCEDROP TABLESPACE
ALTER SYSTEMCREATE SNAPSHOTDROP TRIGGER
ALTER TABLECREATE SNAPSHOT LOGDROP TYPE
ALTER TABLESPACECREATE SYNONYMDROP TYPE BODY
ALTER TRIGGERCREATE TABLEDROP USER
ALTER TYPECREATE TABLESPACEDROP VIEW
ALTER TYPE BODYCREATE TRIGGEREXECUTE
ALTER USERCREATE TYPEGRANT
ALTER VIEWCREATE TYPE BODYINSERT
ANALYZE CLUSTERCREATE USERNOAUDIT
ANALYZE INDEXCREATE VIEWRENAME
ANALYZE TABLEDELETEREVOKE
ASSOCIATE STATISTICSDISASSOCIATE STATISTICSSELECT
AUDITDROP CLUSTERTRUNCATE CLUSTER
COMMENTDROP CONTEXTTRUNCATE TABLE
CONNECTDROP DATABASE LINKUPDATE
CREATE CLUSTERDROP DIMENSION

Creating and Editing a Command Rule

Follow these steps:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, under Database Vault Feature Administration, click Command Rules.

  3. In the Command Rules page:

    • To create a new command rule, click Create.

    • To edit an existing command rule, select it from the list and then click Edit.

  4. In the Create (or Edit) Command Rule page, enter the following settings, and then click OK.

General

Enter the following settings:

  • Command: Select the SQL statement or operation for which you want to create a command rule. This attribute is mandatory.

  • Status: Select either Enabled or Disabled to enable or disable the command rule during run time. The default is Enabled. This attribute is mandatory.

Applicability

Enter the following settings:

  • Object Owner: From the list, select the owner of the object the command rule affects. You can use wildcard character % to select all owners. (However, you cannot use wildcard characters with text, such as EM% to select all owners whose names begin in EM.) This attribute is mandatory for all SQL statements that operate on objects within a specific schema. See "SQL Statements That Can Be Protected by Command Rules" for a list of supported SQL statements.

    Note that the SELECT, INSERT, UPDATE, DELETE, and EXECUTE statements are not allowed for a selection of all (%) or the SYS and DVSYS schemas.

  • Object Name: Enter the name of the database object that the command rule affects, or specify % to select all database objects. However, you cannot use wildcard characters with text (for example, EMP_% to specify all tables beginning with the characters EMP_). This attribute is mandatory, if you selected an object owner from the Object Owner list.

    You can run Oracle Database Vault reports on objects that the command rule affects. See the "Related Reports and Data Dictionary View" for more information.

Rule Set

From the list, select the rule set that you want to associate with the command rule. This attribute is mandatory.

If the rule set evaluates to true, then the SQL statement succeeds. If it evaluates to false, the statement fails, and then Oracle Database Vault raises a command rule violation. (You can track rule violations by using the Command Rule Configuration Issues Report, discussed in Chapter 17.) Any auditing and custom event handling associated with the rule set occurs as a part of the command rule processing.

See Chapter 5, "Configuring Rule Sets," for more information about rule sets.

Deleting a Command Rule

Before you delete a command rule, you can locate the various references to it by querying the command rule-related Oracle Database Vault views. See "Oracle Database Vault Data Dictionary Views" for more information.

To delete a command rule:

  1. In the Oracle Database Vault Administration page, select Command Rules.

  2. In the Command Rules page, select the command rule that you want to remove.

  3. Click Remove.

  4. In the Confirmation page, click Yes.

How Command Rules Work

"How Realms Work" describes what happens when a database account issues a SELECT, DDL, or DML statement that affects objects within a realm.

The following actions take place when SELECT, DDL, or DML statement is issued:

  1. Oracle Database Vault queries all the command rules that need to be applied.

    For SELECT, DDL, and DML statements, multiple command rules may apply because the object owner and object name support wildcard notation.

    You can associate rule sets with both command rules and realm authorizations. Oracle Database Vault evaluates the realm authorization rule set first, and then it evaluates the rule sets that apply to the command type being evaluated.

  2. For each command rule that applies, Oracle Database Vault evaluates its associated rule set.

  3. If the associated rule set of any of the applicable command rules returns false or errors, Oracle Database Vault prevents the command from executing. Otherwise, the command is authorized for further processing. The configuration of the rule set with respect to auditing and event handlers dictates the auditing or custom processing that occurs.

    Command rules override object privileges. You can disable (or set the Disabled setting for) either a command or a rule set of a command. If a command rule is disabled, then the command rule is not allowed to run regardless of its associated rule set. That is, the command rule itself is disabled. However, if you disable a rule set of a command rule, then the rule set is not checked. In that case, the command rule is allowed to run without any condition. If the command rule has been set to the Disabled setting, then you are prevented from querying the table even though you have the SELECT privilege on the table. (Only the rule set has been disabled, not the command rule itself.)

Tutorial: Using a Command Rule to Control Table Creations by a User

This section contains:


See Also:

"Tutorial: Creating an Email Alert for Security Violations" for another example of how a command rule can work with a rule set to send an email alert when a violation occurs

About This Tutorial

In this tutorial, you create a simple command rule that disables and then enables the ability of user SCOTT to create tables.

Step 1: Connect as User SCOTT and Create a Table

  1. Log in to SQL*Plus as user SCOTT.

    sqlplus scott
Enter password: password

    If the SCOTT account is locked and expired, then log in as the Database Vault Account Manager and unlock SCOTT and create a new password. For example:

    sqlplus amalcolm_dvacctmgr
Enter password: password

ALTER USER SCOTT ACCOUNT UNLOCK IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

    CONNECT SCOTT
Enter password: password

  2. As user SCOTT, create a table.

    CREATE TABLE t1 (num NUMBER);

  3. Now drop the table.

    DROP TABLE t1;

At this stage, user SCOTT can create and drop tables. Do not exit SQL*Plus yet, and remain connected as SCOTT. You must use it later on when SCOTT tries to create another table.

Step 2: Connect Using the DVOWNER or DV_ADMIN Role and Create a Command Rule

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Oracle Database Vault Administrator Administration page, click Command Rules.

    The Command Rules page appears.

  3. Click Create.

    The Create Command Rule page appears.

  4. Enter the following settings:

    • Command list: Select CREATE TABLE

    • Status: Set to Enabled so that the command rule is active.

    • Object Owner: Select SCOTT.

    • Object Name: Set to % so that it applies to all objects in the SCOTT schema.

    • Rule Set: Select Disabled so that user SCOTT is prevented from creating tables.

  5. Click OK.

    Do not exit Database Vault Administrator

Command rules take effect immediately. Right away, user SCOTT is prevented from creating tables, even though he is still in the same user session he wasp% in a moment ago, before you created the CREATE TABLE command rule.

Step 3: Test the Command Rule

  1. In SQL*Plus, ensure that you are logged on as user SCOTT.

    CONNECT SCOTT
Enter password: password

  2. Try to create a table.

    CREATE TABLE t1 (num NUMBER);

    The following output should appear:

    ORA-47400: Command Rule violation for create table on SCOTT.T1

    As you can see, SCOTT is no longer allowed to create tables, even in his own schema.

  3. In Oracle Database Vault Administrator, do the following:

    1. In the Command Rules page, select the CREATE TABLE command rule and then click Edit.

    2. In the Edit Command Rule page, select Enabled from the Rule Set list.

    3. Click OK.

  4. In SQL*Plus, as user SCOTT, try creating the table again.

    CREATE TABLE t1 (num NUMBER);

Table created.

Now that the CREATE TABLE command rule is set to Enabled, user SCOTT is once again permitted to create tables. (Do not exit SQL*Plus.)

Step 4: Remove the Components for this Tutorial

  1. In Oracle Database Vault Administrator, remove the CREATE TABLE command rule as follows:

    • Return to the Command Rules page.

    • Select the CREATE TABLE command rule and then click Remove.

    • In the Confirmation page, click Yes.

  2. Log in to SQL*Plus as user SCOTT and remove the t1 table.

    DROP TABLE t1;

  3. If you no longer need the SCOTT account to be available, then connect as the Database Vault Account Manager and enter the following ALTER USER statement:

    CONNECT amalcolm_dvacctmgr
Enter password: password

ALTER USER SCOTT ACCOUNT LOCK PASSWORD EXPIRE;

Guidelines for Designing Command Rules

Follow these guidelines to design command rules:

  • Create finer-grained command rules, because they are far easier to maintain.

    For example, if you want to prevent SELECT statements from occurring on specific schema objects, then design multiple command rules to stop the SELECT statements on those specific schema objects, rather than creating a general command rule to prevent SELECT statements in the schema level.

  • When designing rules for the CONNECT event, be careful to include logic that does not inadvertently lock out the Oracle Database Vault Owner or Administrator.

    If the account has been locked out, you can disable Oracle Database Vault, correct the rule that is causing the lock-out problem, and then reenable Oracle Database Vault. Even when Oracle Database Vault is disabled, you still can use Database Vault Administrator and the Database Vault PL/SQL packages. See Appendix B, "Disabling and Enabling Oracle Database Vault," for instructions on disabling and reenabling Database Vault.

  • Sometimes you must temporarily relax an enabled command rule for an administrative task. Rather than disabling the command rule, have the Security Manager (the account with the DV_ADMIN or DV_OWNER role) log in, set the rule set to Enabled, turn on Auditing on Success or Failure for the default rule set named Enabled, and then set the command rule back to its original rule set when the task is complete.

  • When designing command rules, be careful to consider automated processes such as backup where these procedures may be inadvertently disabled. You can account for these tasks by creating rules that allow the command when a series of Oracle Database Vault factors is known to be true (for example, the program being used), and the account being used or the computer or network on which the client program is running.

How Command Rules Affect Performance

The performance of a command rule depends on the complexity of the rules in the rule set associated with the command rule. For example, suppose a rule set invokes a PL/SQL function that takes 5 seconds to run. In this case, a command rule that uses that rule set would take 5 seconds to grant access for the command statement to run.

You can check the system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Database Control, which is installed by default with Oracle Database), Statspack, and TKPROF. For more information about Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation set. For information about Database Control, refer to its online Help. Oracle Database Performance Tuning Guide describes the Statspack and TKPROF utilities.

Related Reports and Data Dictionary View

Table 6-2 lists Oracle Database Vault reports that are useful for analyzing command rules. See Chapter 17, "Oracle Database Vault Reports," for information about how to run these reports.

Table 6-2 Reports Related to Command Rules

ReportDescription

"Command Rule Audit Report"

Lists audit records generated by command rule processing operations

"Command Rule Configuration Issues Report"

Tracks rule violations, in addition to other configuration issues the command rule may have

"Object Privilege Reports"

Lists object privileges that the command rule affects

"Sensitive Objects Reports"

Lists objects that the command rule affects

"Rule Set Configuration Issues Report"

Lists rules sets that have no rules defined or enabled, which may affect the command rules that use them


You can use the DBA_DV_COMMAND_RULE data dictionary view to find the SQL statements that are protected by command rules. See "DBA_DV_COMMAND_RULE View" for more information.

PK{zpPK)AOEBPS/apis_dbms_macutl.htm Using the DVSYS.DBMS_MACUTL Package

14 Using the DVSYS.DBMS_MACUTL Package

This chapter contains:

About the DVSYS.DBMS_MACUTL Package

The DVSYS.DBMS_MACUTL package provides a set of general purpose utility procedures and functions that you can use throughout the application code you write for Oracle Database Vault. This package is available to all users.

DVSYS.DBMS_MACUTL Constants

This section contains:

DVSYS.DBMS_MACUTL Listing of Constants

Table 14-1 summarizes constant (that is, fields) descriptions for the DVSYS.DBMS_MACUTL package. You can use these constants with any of the Oracle Database Vault PL/SQL packages. Many of these constants have equivalents in the Oracle Database Vault package. For example, the enabled parameter, which is available in several procedures, can accept either Y (for Yes) or the constant G_YES. Choosing one over the other is a matter of personal preference. They both have the same result.

Table 14-1 DVSYS.DBMS_MACUTL Listing of Constants

Constant NameData Type          Description

G_ALL_OBJECT

VARCHAR2(1)

Used with the realm API object_name and object_type parameters as a wildcard to indicate all object names or all object types.

G_AUDIT_ALWAYS

NUMBER

Used with the factor API audit_options parameter to enable an audit.

G_AUDIT_OFF

NUMBER

Used with the factor API audit_options parameter to disable auditing.

G_AUDIT_ON_GET_ERROR

NUMBER

Used with the factor API audit_options parameter to audit if the expression specified in the get_expr parameter returns an error.

G_AUDIT_ON_GET_NULL

NUMBER

Used with the factor API audit_options parameter to audit if the expression in the get_expr field is null.

G_AUDIT_ON_TRUST_LEVEL_NEG

NUMBER

Used with the factor API audit_options parameter to audit if the trust level is negative.

G_AUDIT_ON_TRUST_LEVEL_NULL

NUMBER

Used with the factor API audit_options parameter to audit if no trust level exists.

G_AUDIT_ON_VALIDATE_ERROR

NUMBER

Used with the factor API audit_options parameter to audit if the validation function returns an error.

G_AUDIT_ON_VALIDATE_FALSE

NUMBER

Used with the factor API audit_options parameter to audit if validation function is false.

G_EVAL_ON_ACCESS

NUMBER

Used with the factor API eval_options parameter to reevaluate the factor each time it is accessed.

G_EVAL_ON_SESSION

NUMBER

Used with the factor API eval_options parameter to evaluate the factor only once, when the user logs in to the session.

G_FAIL_SILENTLY

NUMBER

Used with the fail_options parameter to fail and show no error message.

G_FAIL_WITH_MESSAGE

NUMBER

Used with the fail_options parameter to fail and show an error message.

G_IDENTIFY_BY_CONSTANT

NUMBER

Used with the factor API identify_by parameter: Fixed value in PL/SQL expression defined in the get_expr parameter.

G_IDENTIFY_BY_CONTEXT

NUMBER

Used with the factor API identify_by parameter to indicate context.

G_IDENTIFY_BY_FACTOR

NUMBER

Used with the factor API identify_by parameter for subfactors through the factor_link$ table.

G_IDENTIFY_BY_METHOD

NUMBER

Used with the factor API identify_by parameter: Expression in get_expr field

G_IDENTIFY_BY_RULESET

NUMBER

Used with the factor API identify_by parameter: Expression and Rule Set with the factor_expr$ table

G_LABELED_BY_FACTORS

NUMBER

Used with the factor API labeled_by parameter to derive the label from subfactor and merge algorithm.

G_LABELED_BY_SELF

NUMBER

Used with the factor API labeled_by parameter to label the factor identities.

G_MAX_SESSION_LABEL

VARCHAR2(30)

This is the highest label a user could set based on the factors. It does not consider the label for a user.

G_MIN_POLICY_LABEL

VARCHAR2(30)

The label to which a factor with a null label defaults.

G_NO

VARCHAR2(1)

Used with the following APIs:

  • The factor API label_indicator parameter to indicate that a child factor linked to a parent factor does not contribute to the label of the parent factor in an Oracle Label Security integration.

  • Any API that uses the enabled parameter.

G_OLS_SESSION_LABEL

VARCHAR2(30)

The Oracle Label Security session label for a user at the time init_session is run.

G_REALM_AUDIT_FAIL

NUMBER

Used with the realm API audit_options parameter to audit when the realm is violated.

G_REALM_AUDIT_OFF

NUMBER

Used with the realm API audit_options parameter to disable auditing.

G_REALM_AUDIT_SUCCESS

NUMBER

Used with the realm API audit_options parameter: Audit on successful realm access

G_REALM_AUTH_OWNER

NUMBER

Used with the realm API auth_options parameter to set the realm authorization to Owner.

G_REALM_AUTH_PARTICIPANT

NUMBER

Used with the realm API auth_options parameter to set the realm authorization to Participant.

G_RULESET_AUDIT_FAIL

NUMBER

Used with the rule set API audit_options parameter to audit on rule set failure.

G_RULESET_AUDIT_OFF

NUMBER

Used with the rule set API audit_options parameter to disable auditing.

G_RULESET_AUDIT_SUCCESS

NUMBER

Used with the rule set API audit_options parameter to audit on rule set success.

G_RULESET_EVAL_ALL

NUMBER

Used with the rule set API eval_options parameter to enable the rule set to succeed if all rules evaluate to true.

G_RULESET_EVAL_ANY

NUMBER

Used with the rule set API eval_options parameter to succeed if any of the rules evaluate to true.

G_RULESET_FAIL_SHOW

NUMBER

Used with the rule set API fail_options parameter to show an error message if the rule set fails.

G_RULESET_FAIL_SILENT

NUMBER

Used with the rule set API fail_options parameter to not show an error message if the rule set fails.

G_RULESET_HANDLER_FAIL

NUMBER

Used with the rule set API handler_options parameter to call a handler (specified by the handler parameter) if the rule set fails.

G_RULESET_HANDLER_OFF

NUMBER

Used with the rule set API handler_options parameter to disable calls to a handler or if no handler is used.

G_RULESET_HANDLER_SUCCESS

NUMBER

Used with the rule set API handler_options parameter to call a handler if the rule set succeeds.

G_USER_POLICY_LABEL

VARCHAR2(30)

This is what Oracle Label Security has decided the user's label should be set to after factoring in the preceding values.

G_YES

VARCHAR2(1)

Used with the following APIs:

  • The factor API label_indicator parameter to indicate that a child factor linked to a parent factor contributes to the label of the parent factor in an Oracle Label Security integration.

  • Any API that uses the enabled parameter.


Examples of Using the DVSYS.DBMS_MACUTL Constants

Example 14-1 shows how to use the G_YES and G_REALM_AUDIT_FAIL DBMS_MACUTL constants when creating a realm.

Example 14-1 Creating a Realm Using DVSYS.DBMS_MACUTL Constants

BEGIN
 DVSYS.DBMS_MACADM.CREATE_REALM(
  realm_name    => 'Performance Statistics Realm',
  description   => 'Realm to measure performance',
  enabled       =>  DVSYS.DBMS_MACUTL.G_YES,
  audit_options =>  DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

Example 14-2 shows how to use several DVSYS.DBMS_MACUTL constants when creating a rule set.

Example 14-2 Creating a Rule Set Using DVSYS.DBMS_MACUTL Constants

BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE_SET(
  rule_set_name    => 'Limit_DBA_Access', 
  description      => 'DBA access through predefined processes', 
  enabled          => 'Y',
  eval_options     => DBMS_MACUTL.G_RULESET_EVAL_ALL,
  audit_options    => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
  fail_options     => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
  fail_message     => 'Rule Set Limit_DBA_Access has failed.',
  fail_code        => 20000,
  handler_options  => DBMS_MACUTL.G_RULESET_HANDLER_FAIL, 
  handler          => 'dbavowner.email_alert');
END;
/

Example 14-3 shows how to use constants when creating a factor.

Example 14-3 Creating a Factor Using DVSYS.DBMS_MACUTL Constants

BEGIN
 DVSYS.DBMS_MACADM.CREATE_FACTOR(
  factor_name       => 'Sector2_DB', 
  factor_type_name  => 'Instance', 
  description       => ' ', 
  rule_set_name     => 'DB_access', 
  get_expr          => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', 
  validate_expr     => 'dbavowner.check_db_access', 
  identify_by       => DBMS_MACUTL.G_IDENTIFY_BY_FACTOR, 
  labeled_by        => DVSYS.DBMS_MACUTL.G_LABELED_BY_SELF, 
  eval_options      => DVSYS.DBMS_MACUTL.G_EVAL_ON_SESSION, 
  audit_options     => DBMS_MACUTL.G_AUDIT_ALWAYS, 
  fail_options      => DVSYS.DBMS_MACUTL.G_FAIL_SILENTLY); 
END;
/

Procedures and Functions Within the DVSYS.DBMS_MACUTL Package

Table 14-2 lists the procedures and functions in the DVSYS.DBMS_MACUTL package. You can use these procedures or functions as standalone code, or within rule expressions. The examples in this section show a mixture of using both.

Table 14-2 DVSYS.DBMS_MACUTL Utility Functions

Procedure or FunctionDescriptions

CHECK_DVSYS_DML_ALLOWED Procedure

Verifies that public-packages are not being bypassed by users updating the Oracle Database Vault configuration

GET_CODE_VALUE Function

Looks up the value for a code within a code group.

GET_SECOND Function

Returns the seconds in Oracle SS format (00-59). Useful for rule expressions based on time data

GET_MINUTE Function

Returns the minute in Oracle MI format (00–59). Useful for rule expressions based on time data

GET_HOUR Function

Returns the month in Oracle HH24 format (00–23). Useful for rule expressions based on time data

GET_DAY Function

Returns the day in Oracle DD format (01–31). Useful for rule expressions based on time data

GET_MONTH Function

Returns the month in Oracle MM format (01–12). Useful for rule expressions based on time data

GET_YEAR Function

Returns the year in Oracle YYYY format (0001–9999). Useful for rule expressions based on time data

IS_ALPHA Function

Checks whether the character is alphabetic

IS_DIGIT Function

Checks whether the character is numeric

IS_DVSYS_OWNER Function

Determines whether a user is authorized to manage the Oracle Database Vault configuration

IS_OLS_INSTALLED Function

Returns an indicator regarding whether Oracle Label Security is installed

IS_OLS_INSTALLED_VARCHAR Function

Returns an indicator regarding whether Oracle Label Security is installed

USER_HAS_ROLE Function

Checks whether a user has a role privilege, directly or indirectly (through another role)

USER_HAS_ROLE_VARCHAR Function

Checks whether a user has a role privilege, directly or indirectly (through another role)

USER_HAS_SYSTEM_PRIVILEGE Function

Checks whether a user has a system privilege, directly or indirectly (through a role)


CHECK_DVSYS_DML_ALLOWED Procedure

The CHECK_DVSYS_DML_ALLOWED procedure verifies that public packages are not being bypassed by users updating the Oracle Database Vault configuration.

Syntax

DVSYS.DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED(
  p_user IN VARCHAR2 DEFAULT USER);

Parameter

Table 14-3 CHECK_DVSYS_DML_ALLOWED Parameter

ParameterDescription

p_user

User performing the operation.

To find existing users in the current database instance, query the following views:


Example

User SYSTEM fails the check:

EXEC DVSYS.DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED('system'); 

ERROR at line 1:
ORA-47920: Authorization failed for user system to perform this operation
ORA-06512: at "DVSYS.DBMS_MACUTL", line 23
ORA-06512: at "DVSYS.DBMS_MACUTL", line 372
ORA-06512: at "DVSYS.DBMS_MACUTL", line 508
ORA-06512: at "DVSYS.DBMS_MACUTL", line 572
ORA-06512: at line 1

User lbrown_dvowner, who has the DV_OWNER role, passes the check:

EXEC DVSYS.DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED('lbrown_dvowner');

PL/SQL procedure successfully completed.

GET_CODE_VALUE Function

The GET_CODE_VALUE function finds the value for a code within a code group, and then returns a VARCHAR2 value.

Syntax

DVSYS.DBMS_MACUTL.GET_CODE_VALUE(
  p_code_group IN VARCHAR2, 
  p_code       IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 14-4 GET_CODE_VALUE Parameters

ParameterDescription

p_code_group

Code group (for example, AUDIT_EVENTS or BOOLEAN).

To find available code groups in the current database instance, query the DVSYS.DBA_DV_CODE view, described in "DBA_DV_CODE View".

p_code

ID of the code.

This ID is listed when you run the DVSYS.DBA_DV_CODE view.


Example

BEGIN 
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get Label Algorithm for Maximum Level/Union/Null',
  rule_expr => 'DVSYS.DBMS_MACUTL.GET_CODE_VALUE(''LABEL_ALG'', ''HUN'') = ''Union''');
END;
/

GET_SECOND Function

The GET_SECOND function returns the seconds in Oracle SS (seconds) format (00–59), and then returns a NUMBER value. It is useful for rule expressions based on time data.

Syntax

DVSYS.DBMS_MACUTL.GET_SECOND(
  p_date IN DATE DEFAULT SYSDATE)
RETURN NUMBER;

Parameter

Table 14-5 GET_SECOND Parameter

ParameterDescription

p_date

Date in SS format (for example, 59).

If you do not specify a date, then Oracle Database Vault uses the Oracle Database SYSDATE function to retrieve the current date and time set for the operating system on which the database resides.


Example

SET SERVEROUTPUT ON
DECLARE 
  seconds number; 
BEGIN 
  seconds := DVSYS.DBMS_MACUTL.GET_SECOND(TO_DATE('03-APR-2009 6:56 PM', 
  'dd-mon-yyyy hh:mi PM')); 
  DBMS_OUTPUT.PUT_LINE('Seconds: '||seconds); 
END; 
/

This example, which uses a fixed date and time, returns the following:

Seconds: 56

GET_MINUTE Function

The GET_MINUTE function returns the minute in Oracle MI (minute) format (00–59), in a NUMBER value. It is useful for rule expressions based on time data.

Syntax

DVSYS.DBMS_MACUTL.GET_MINUTE(
  p_date IN DATE DEFAULT SYSDATE)
RETURN NUMBER;

Parameter

Table 14-6 GET_MINUTE Parameter

ParameterDescription

p_date

Date in MI format (for example, 30, as in 2:30).

If you do not specify a date, then Oracle Database Vault uses the Oracle Database SYSDATE function to retrieve the current date and time set for the operating system on which the database resides.


Example

SET SERVEROUTPUT ON
DECLARE 
  minute number; 
BEGIN 
  minute := DVSYS.DBMS_MACUTL.GET_MINUTE(SYSDATE); 
  DBMS_OUTPUT.PUT_LINE('Minute: '||minute); 
END; 
/

Output similar to the following appears:

Minute: 17

GET_HOUR Function

The GET_HOUR function returns the hour in Oracle HH24 (hour) format (00–23), in a NUMBER value. It is useful for rule expressions based on time data.

Syntax

DVSYS.DBMS_MACUTL.GET_HOUR(
  p_date IN DATE DEFAULT SYSDATE)
RETURN NUMBER;

Parameter

Table 14-7 GET_HOUR Parameter

ParameterDescription

p_date

Date in HH24 format (for example, 14 for 2:00 p.m.)

If you do not specify a date, then Oracle Database Vault uses the Oracle Database SYSDATE function to retrieve the current date and time set for the operating system on which the database resides.


Example

SET SERVEROUTPUT ON
DECLARE 
  hours number; 
BEGIN 
  hours := DVSYS.DBMS_MACUTL.GET_HOUR(SYSDATE); 
  DBMS_OUTPUT.PUT_LINE('Hour: '||hours); 
END; 
/

Output similar to the following appears:

Hour: 12

GET_DAY Function

The GET_DAY function returns the day in Oracle DD (day) format (01–31), in a NUMBER value. It is useful for rule expressions based on time data.

Syntax

DVSYS.DBMS_MACUTL.GET_DAY(
  p_date IN DATE DEFAULT SYSDATE)
RETURN NUMBER;

Parameter

Table 14-8 GET_DAY Parameter

ParameterDescription

p_date

Date in DD format (for example, 01 for the first day of the month).

If you do not specify a date, then Oracle Database Vault uses the Oracle Database SYSDATE function to retrieve the current date and time set for the operating system on which the database resides.


Example

SET SERVEROUTPUT ON
DECLARE 
  day number; 
BEGIN 
  day := DVSYS.DBMS_MACUTL.GET_DAY(SYSDATE); 
  DBMS_OUTPUT.PUT_LINE('Day: '||day); 
END; 
/

Output similar to the following appears:

Day: 3

GET_MONTH Function

The GET_MONTH function returns the month in Oracle MM (month) format (01–12), in a NUMBER value. It is useful for rule expressions based on time data.

Syntax

DVSYS.DBMS_MACUTL.GET_MONTH(
  p_date IN DATE DEFAULT SYSDATE)
RETURN NUMBER;

Parameter

Table 14-9 GET_MONTH Parameter

ParameterDescription

p_date

Date in MM format (for example, 08 for the month of August).

If you do not specify a date, then Oracle Database Vault uses the Oracle Database SYSDATE function to retrieve the current date and time set for the operating system on which the database resides.


Example

SET SERVEROUTPUT ON
DECLARE 
  month number; 
BEGIN 
  month := DVSYS.DBMS_MACUTL.GET_MONTH(SYSDATE); 
  DBMS_OUTPUT.PUT_LINE('Month: '||month); 
END; 
/

Output similar to the following appears:

Month: 4

GET_YEAR Function

The GET_YEAR function returns the year in Oracle YYYY (year) format (0001–9999), in a NUMBER value. It is useful for rule expressions based on time data.

Syntax

DVSYS.DBMS_MACUTL.GET_YEAR(
  p_date IN DATE DEFAULT SYSDATE)
RETURN NUMBER;

Parameter

Table 14-10 GET_YEAR Parameter

ParameterDescription

p_date

Date in YYYY format (for example, 1984).

If you do not specify a date, then Oracle Database Vault uses the SYSDATE function to retrieve the current date and time set for the operating system on which the database resides.


Example

SET SERVEROUTPUT ON
DECLARE 
  year number; 
BEGIN 
  year := DVSYS.DBMS_MACUTL.GET_YEAR(SYSDATE); 
  DBMS_OUTPUT.PUT_LINE('Year: '||year); 
END; 
/

IS_ALPHA Function

The IS_ALPHA function checks whether the character is alphabetic, and then returns a BOOLEAN value. IS_ALPHA returns TRUE if the character is alphabetic.

Syntax

DVSYS.DBMS_MACUTL.IS_ALPHA(
  c IN VARCHAR2)
RETURN BOOLEAN;

Parameter

Table 14-11 IS_ALPHA Parameter

ParameterDescription

c

String with one character


Example

SET SERVEROUTPUT ON
BEGIN 
 IF DVSYS.DBMS_MACUTL.IS_ALPHA('z')  
  THEN DBMS_OUTPUT.PUT_LINE('The alphabetic character was found');
 ELSE 
  DBMS_OUTPUT.PUT_LINE('No alphabetic characters today.'); 
 END IF; 
END;
/

IS_DIGIT Function

The IS_DIGIT function checks whether the character is numeric, and then returns a BOOLEAN value. IS_DIGIT returns TRUE if the character is a digit.

Syntax

DVSYS.DBMS_MACUTL.IS_DIGIT(
  c IN VARCHAR2)
RETURN BOOLEAN;

Parameter

Table 14-12 IS_DIGIT Parameter

ParameterDescription

c

String with one character


Example

SET SERVEROUTPUT ON
BEGIN 
 IF DVSYS.DBMS_MACUTL.IS_DIGIT('7')  
  THEN DBMS_OUTPUT.PUT_LINE('The numeric character was found');
 ELSE 
  DBMS_OUTPUT.PUT_LINE('No numeric characters today.'); 
 END IF; 
END;
/

IS_DVSYS_OWNER Function

The IS_DVSYS_OWNER function determines whether a user is authorized to manage the Oracle Database Vault configuration, and then returns a BOOLEAN value. IS_DVSYS_OWNER returns TRUE if the user is authorized.

Syntax

DVSYS.DBMS_MACUTL.IS_DVSYS_OWNER(
  p_user IN VARCHAR2 DEFAULT USER)
RETURN BOOLEAN;

Parameter

Table 14-13 IS_DVSYS_OWNER Parameter

ParameterDescription

p_user

User to check.

To find existing users, query the following views:


Example

SET SERVEROUTPUT ON
BEGIN 
 IF DVSYS.DBMS_MACUTL.IS_DVSYS_OWNER('PSMITH')
  THEN DBMS_OUTPUT.PUT_LINE('PSMITH is authorized to manage Database Vault.');
 ELSE 
  DBMS_OUTPUT.PUT_LINE('PSMITH is not authorized to manage Database Vault.'); 
 END IF; 
END;
/

IS_OLS_INSTALLED Function

The IS_OLS_INSTALLED function returns an indicator regarding whether Oracle Label Security is installed, and then returns a TRUE or FALSE BOOLEAN value. If Oracle Label Security is installed, IS_OLS_INSTALLED returns TRUE.

Syntax

DVSYS.DBMS_MACUTL.IS_OLS_INSTALLED()
RETURN BOOLEAN;

Parameters

None.

Example

SET SERVEROUTPUT ON
BEGIN 
 IF DVSYS.DBMS_MACUTL.IS_OLS_INSTALLED()  
  THEN DBMS_OUTPUT.PUT_LINE('OLS is installed');
 ELSE 
  DBMS_OUTPUT.PUT_LINE('OLS is not installed'); 
 END IF; 
END;
/

IS_OLS_INSTALLED_VARCHAR Function

The IS_OLS_INSTALLED_VARCHAR function returns an indicator regarding whether Oracle Label Security is installed, and then returns a Y or N VARCHAR2 value. If Oracle Label Security is installed, then IS_OLS_INSTALLED_VARCHAR returns Y.

Syntax

DVSYS.DBMS_MACUTL.IS_OLS_INSTALLED_VARCHAR()
RETURN VARCHAR2;

Parameters

None.

Example

See "IS_OLS_INSTALLED Function" for an example.

USER_HAS_ROLE Function

The USER_HAS_ROLE function checks whether a user has a role privilege, directly or indirectly (through another role), and then returns a BOOLEAN value. If the user has a role privilege, then USER_HAS_ROLE returns TRUE.

Syntax

DVSYS.DBMS_MACUTL.USER_HAS_ROLE(
  p_role IN VARCHAR2, 
  p_user IN VARCHAR2 DEFAULT USER)
RETURN BOOLEAN;

Parameters

Table 14-14 USER_HAS_ROLE Parameters

ParameterDescription

p_role

Role privilege to check.

To find existing roles, query the following views:

p_user

User to check.

To find existing users, query the following views:


Example

SET SERVEROUTPUT ON
BEGIN
 IF DVSYS.DBMS_MACUTL.USER_HAS_ROLE('SECTOR2_APP_MGR', 'PSMITH')
  THEN DBMS_OUTPUT.PUT_LINE('User PSMITH has the SECTOR2_APP_MGR role');
   ELSE 
  DBMS_OUTPUT.PUT_LINE('User PSMITH does not have the SECTOR2_APP_MGR role.'); 
 END IF;
END;
/

USER_HAS_ROLE_VARCHAR Function

The USER_HAS_ROLE_VARCHAR function checks whether a user has a role privilege, directly or indirectly (through another role), and then returns a VARCHAR2 value. If the user has the role privilege specified, then USER_HAS_ROLE_VARCHAR returns Y.

Syntax

DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR(
  p_role IN VARCHAR2, 
  p_user IN VARCHAR2 DEFAULT USER)
RETURN VARCHAR2;

Parameters

Table 14-15 USER_HAS_ROLE_VARCHAR Parameters

ParameterDescription

p_role

Role to check.

To find existing roles, query the following views:

p_user

User to check.

To find existing users, query the following views:


USER_HAS_SYSTEM_PRIVILEGE Function

The USER_HAS_SYSTEM_PRIVILEGE function checks whether a user has a system privilege, directly or indirectly (through a role), and then returns a BOOLEAN value. If the user has the system privilege specified, then USER_HAS_SYSTEM_PRIVILEGE returns TRUE.

Syntax

DVSYS.DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE(
  p_privilege  IN VARCHAR2, 
  p_user       IN VARCHAR2 DEFAULT USER)
RETURN BOOLEAN;

Parameters

Table 14-16 USER_HAS_SYSTEM_PRIVILEGE Parameters

ParameterDescription

p_privilege

System privilege to check for.

To find privileges for a database account excluding PUBLIC privileges, query the DVSYS.DBA_DV_USER_PRIVS view, described in "DBA_DV_USER_PRIVS View".

To find all privileges for a database account, use DVSYS.DBA_DV_USER_PRIVS_ALL, described in "DBA_DV_USER_PRIVS_ALL View".

p_user

User to check.

To find existing users, query the following views:


Example

SET SERVEROUTPUT ON
BEGIN
 IF DVSYS.DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE('EXECUTE', 'PSMITH')
  THEN DBMS_OUTPUT.PUT_LINE('User PSMITH has the EXECUTE ANY PRIVILEGE privilege.');
   ELSE 
  DBMS_OUTPUT.PUT_LINE('User PSMITH does not have the EXECUTE ANY PRIVILEGE privilege.'); 
 END IF;
END;
/
PKpPK)AOEBPS/cfrealms.htm Configuring Realms

4 Configuring Realms

This chapter contains:

What Are Realms?

A realm is a functional grouping of database schemas and roles that must be secured for a given application. Think of a realm as zone of protection for your database objects. A schema is a logical collection of database objects such as tables, views, and packages, and a role is a collection of privileges. By classifying schemas and roles into functional groups, you can control the ability of users to use system privileges against these groups and prevent unauthorized data access by the database administrator or other powerful users with system privileges. Oracle Database Vault does not replace the discretionary access control model in the existing Oracle database. It functions as a layer on top of this model for both realms and command rules.

After you create a realm, you can register a set of schema objects or roles (secured objects) for realm protection and authorize a set of users or roles to access the secured objects.

For example, after you install Oracle Database Vault, you can create a realm to protect all existing database schemas that are used in an accounting department. The realm prohibits any user who is not authorized to the realm to use system privileges to access the secured accounting data.

You can run reports on realms that you create in Oracle Database Vault. See "Related Reports and Data Dictionary Views" for more information.

This chapter explains how to configure realms by using Oracle Database Vault Administrator. To configure realms by using the PL/SQL interfaces and packages provided by Oracle Database Vault, refer to the following chapters:

Default Realms

Oracle Database Vault provides the following default realms:

  • Database Vault Account Management: Defines the realm for the administrators who manage and create database accounts and database profiles.

  • Oracle Data Dictionary: Defines the realm for the following Oracle Catalog schemas.


    		ANONYMOUSDBSNMPMDSYSSYS

    		BIEXFSYSMGMT_VIEWSYSMAN

    		CTXSYSMDDATAOUTLNSYSTEM

    This realm also controls the ability to grant system privileges and database administrator roles.

  • Oracle Database Vault: Defines the realm for the Oracle Database Vault schemas (DVSYS, DVF, and LBACSYS), such as configuration and roles information.

  • Oracle Enterprise Manager: Defines the realm for Oracle Enterprise Manager accounts (SYSMAN and DBSNMP) to access database information

Creating a Realm

In general, to enable realm protection, you first create the realm itself, and then you edit the realm to include realm-secured objects, roles, and authorizations. "Guidelines for Designing Realms" provides advice on creating realms.

To create a realm:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, under Database Vault Feature Administration, click Realms.

  3. In the Realms page, click Create.

  4. In the Create Realm page, enter the following settings:

    • Under General:

      • Name: Enter a name for the realm. It can contain up to 90 characters in mixed-case. This attribute is mandatory.

        Oracle suggests that you use the name of the protected application as the realm name (for example, hr_app for an human resources application).

      • Description: Enter a brief description of the realm. The description can contain up to 1024 characters in mixed-case. This attribute is optional.

        You may want to include a description the business objective of the given application protection and document all other security policies that compliment the realm's protection. Also document who is authorized to the realm, for what purpose, and any possible emergency authorizations.

      • Status: Select either Enabled or Disabled to enable or disable the realm. A realm is enabled by default. This attribute is mandatory.

    • Under Audit Options, select one of the following:

      • Audit Disabled: Does not create an audit record.

      • Audit On Failure: Default. Creates an audit record when a realm violation occurs (for example, when an unauthorized user tries to modify an object that is protected by the realm).

      • Audit On Success or Failure: Creates an audit record for any activity that occurs in the realm, including both authorized and unauthorized activities.

      For additional audit options, see "CREATE_REALM Procedure".

      Oracle Database Vault writes the audit trail to the DVSYS.AUDIT_TRAIL$ system file, described in Appendix A, "Auditing Oracle Database Vault."

  5. Click OK.

    The Realms Summary page appears, listing the new realm that you created.

After you create a new realm, you are ready to add schema and database objects to the realm for realm protection, and to authorize users and roles to access the realm. To do so, you edit the new realm and then add its objects and its authorized users.

Editing a Realm

To edit a realm:

  1. In the Oracle Database Vault Administration page, select Realms.

  2. In the Realm page, select the realm that you want to edit.

  3. Click Edit.

  4. Modify the realm as necessary, and then click OK.


See Also:


Creating Realm-Secured Objects

Realm-secured objects define the territory that a realm protects. The realm territory is a set of schema and database objects and roles. You can create the following types of protections:

  • Objects from multiple database accounts or schemas can be under the same realm.

  • One object can belong to multiple realms.

    If an object belongs to multiple realms, then Oracle Database Vault checks the realms for permissions. For SELECT, DDL, and DML statements, as long as a user is a participant in one of the realms, and if the command rules permit it, the commands the user enters are allowed. For GRANT and REVOKE operations of a database role in multiple realms, the person performing the GRANT or REVOKE operation must be the realm owner.

You can manage the objects secured by a realm from the Edit Realm page, which lets you create, edit, and delete realm secured objects.

To create a realm secured object:

  1. In the Oracle Database Vault Administration page, select Realms.

  2. In the Realms page, select the realm you want, and then select Edit.

  3. In the Edit Realm page, under Realm Secured Objects, do one of the following:

    • To create a new realm-secured object, select Create.

    • To modify an existing object, select it from the list and then select Edit.

  4. In the Create Realm Secured Object page, enter the following settings:

    • Object Owner: From the list, select the name of the database schema owner. This attribute is mandatory.

      If you are creating a realm around the AUD$ system table, then specify SYSTEM as the object owner. In an Oracle Database Vault environment, the AUD$ table is moved to the SYSTEM schema.

    • Object Type: From the list, select the object type of the database object, such as TABLE, INDEX, or ROLE. This attribute is mandatory.

      By default, the Object Type box contains the % wildcard character to include all object types for the specified Object Owner. However, it does not include roles, which do not have specific schema owners in the database and must be specified explicitly.

    • Object Name: Enter the name of the object in the database that the realm must protect, or enter % to specify all objects (except roles) for the object owner that you have specified. However, you cannot use wildcard characters with text such to specify multiple object names (for example, EMP_% to specify all tables beginning with the characters EMP_). Nor can you use the wildcard character to select multiple roles; you must enter role names individually. This attribute is mandatory.

      By default, the Object Name field contains the % wildcard character to encompass the entire schema specified for Object Type and Object Owner. Note that the % wildcard character applies to objects that do not yet exist and currently existing objects. Note also that the % wildcard character does not apply to roles. If you want to include multiple roles, you must specify each role separately.

  5. Click OK.

For example, to secure the EMPLOYEES table in the HR schema, you would enter the following settings in the Create Realm Secured Object page:

  • Object Owner: HR

  • Object Type: TABLE

  • Object Name: EMPLOYEES

Editing a Realm-Secured Object

To edit a realm-secured object:

  1. Select the object under Realm Secured Objects in the Edit Realm page.

  2. Click Edit.

  3. In the Edit Realm Secured Object page, edit the attributes as required.

  4. Click OK.

Deleting a Realm-Secured Object

To delete a realm-secured object:

  1. Select the object under Realm Secured Objects in the Edit Realm page.

  2. Click Remove.

    A confirmation page is displayed.

  3. Click Yes.

    This dissociates the object from the realm and unsecures it. (The regular database protections still apply.) However, it does not remove the object from the database.

Defining Realm Authorization

Realm authorizations establish the set of database accounts and roles that manage or access objects protected in realms. A realm authorization can be an account or role that is authorized to use its system privileges in the following situations:

  • When the user must create or access realm-secured objects

  • When a user must grant or revoke realm-secured roles

A user who has been granted realm authorization as either a realm owner or a realm participant can use its system privileges to access secured objects in the realm.

Note the following:

  • The authorization that you set up here does not affect regular users who have normal direct object privileges to the database objects that are protected by realms.

  • Realm owners cannot add other users to their realms as owners or participants. Only users who have the DV_OWNER or DV_ADMIN role are allowed to add users as owners or participants to a realm.

  • A realm owner, but not a realm participant, can grant or revoke realm secured database roles to anyone.

  • A user can be granted either as a realm owner or a realm participant, but not both. However, you can update the authorization options of a realm authorization.

Use the Edit Realm page to manage realm authorizations. You can create, edit, and remove realm authorizations. To track configuration information for the authorization of a realm, see "Realm Authorization Configuration Issues Report".

To create a realm authorization:

  1. In the Oracle Database Vault Administration page, select Realms.

  2. In the Realms page, select the realm you want, and then select Edit.

  3. In the Edit Realm page, under Realm Authorizations, do one of the following:

    • To create a new realm authorization, select Create.

    • To modify an existing realm authorization, select it from the list and then select Edit.

  4. Click Create under Realm Authorizations in the Edit Realm page.

  5. In the Create Realm Authorization page, enter the following settings:

    • Grantee: From the list, select the Oracle database account or role to whom you want to grant the realm authorization. This attribute is mandatory.

      This list shows all accounts and roles in the system, not just accounts with system privileges.

      You cannot select yourself (that is, the user logged in) or any account that has been granted the DV_ADMIN, DV_OWNER, or DV_SECANALYST roles from this list.

    • Authorization Type: Select either of the following. This attribute is mandatory.

      • Participant: Default. This account or role provides system or direct privileges to access, manipulate, and create objects protected by the realm, provided these rights have been granted using the standard Oracle Database privilege grant process. A realm can have multiple participants.

      • Owner: This account or role has the same privileges as the realm participant, plus the authorization to grant or revoke realm-secured database roles. The realm owner can grant privileges on realm-protected objects to other users. A realm can have multiple owners.

    • Authorization Rule Set: Select from the available rule sets that have been created for your site. You can select only one rule set, but the rule set can have multiple rules.

      See "Creating a Rule to Add to a Rule Set" for more information about defining rules to govern the realm authorization.

      Any auditing and custom event handling associated with the rule set occurs as part of the realm authorization processing.

  6. Click OK.

Editing a Realm Authorization

To edit a realm authorization:

  1. Select the realm authorization under Realm Authorizations in the Edit Realm page.

  2. Click Edit.

    The Edit Realm Authorization page is displayed.

  3. Edit the attributes as required.

  4. Click OK.

Deleting a Realm Authorization

To delete a realm authorization:

  1. Select the realm authorization under Realm Authorizations in the Edit Realm page.

  2. Click Remove.

    A confirmation page is displayed.

  3. Click Yes.

Disabling and Enabling a Realm

By default, when you create a realm, it is enabled. You can disable a realm (for example, for system maintenance such as patch updates), and then enable it again afterward.

To disable or enable a realm:

  1. In the Oracle Database Vault Administration page, select Realms.

  2. In the Realms page, select the realm you want to disable or enable, and then select Edit.

  3. In the Edit Realm page, under Status in the General section, select either Disabled or Enabled.

  4. Click OK.

Deleting a Realm

Before you delete a realm, you can locate the various references to it by querying the realm-related Oracle Database Vault views. See "Oracle Database Vault Data Dictionary Views" for more information.

To delete a realm:

  1. In the Oracle Database Vault Administration page, select Realms.

  2. In the Realms page, select the realm you want to delete, and then select Remove.

  3. In the Confirmation page, click Yes.

    Oracle Database Vault deletes the configuration for a realm (header, secure objects, and authorizations). It does not delete the rule sets within the realm.

How Realms Work

When a database account that has the appropriate privileges issues a SQL statement (that is, DDL, DML, EXECUTE, GRANT, REVOKE, or SELECT) that affects an object within a customer-defined realm, the following actions occur:

  1. Is the database account using a system privilege to execute the SQL statement?

    If yes, then go to Step 2. If no, then go to Step 6. If the session has object privileges on the object in question for SELECT, EXECUTE, and DML only, then the realm protection is not enforced. Realms protect against the use of any system privilege on objects or roles protected by the realm.

    Remember that if the O7_DICTIONARY_ACCESSIBILITY initialization parameter has been set to TRUE, then non-SYS users have access to SYS schema objects. For better security, ensure that O7_DICTIONARY_ACCESSIBILITY is set to FALSE.

  2. Does the SQL statement affect objects secured by a realm?

    If yes, then go to Step 3. If no, then realms do not affect the SQL statement; go to Step 6. If the object affected by the command is not secured in any realms, then realms do not affect the SQL statement being attempted.

  3. Is the database account a realm owner or realm participant?

    If yes, and if the command is a GRANT or REVOKE of a role that is protected by the realm, or the GRANT or REVOKE of an object privilege on an object protected by the realm, the session must be authorized as the realm owner directly or indirectly through roles. Remember that a role protected by realm is not the same as an authorized role in the realm. Then go to Step 4. Otherwise, realm violation occurs and the statement is not allowed to succeed. Note that SYS is the only realm owner in the default Oracle Data Dictionary Realm, and only SYS can grant system privileges to a database account or role.

  4. Is the realm authorization for the database account conditionally based on a rule set?

    If yes, then go to Step 5. If no, then go to Step 6.

  5. Does the rule set evaluate to true?

    If yes, then go to Step 6. If no, then there is a realm violation, so the SQL statement is not allowed to succeed.

  6. Does a command rule prevent the command from executing?

    If yes, then there is a command rule violation and the SQL statement fails. If no, there is no realm or command rule violation, so the command succeeds.

    For example, the HR account may have the DROP ANY TABLE privilege and may be the owner of the HR realm, but a command rule can prevent HR from dropping any tables in the HR schema unless it is during its monthly maintenance window. Command rules apply to the use of the ANY system privileges and direct object privileges and are evaluated after the realm checks.

In addition, because a session is authorized in a realm, it does not mean the account has full control on objects protected by the realm. Realm authorization does not implicitly grant extra privileges to the account. The account still must have system privileges or object privileges to access the objects. For example, an account or role may have the SELECT ANY table privilege and be a participant in the HR realm. This means the account or the account granted the role could query the HR.EMPLOYEES table. Being a participant in the realm does not mean the account or role can DROP the HR.EMPLOYEES table. Oracle Database Vault does not replace the discretionary access control model in the existing Oracle database. It functions as a layer on top of this model for both realms and command rules.

Note the following:

  • Protecting a table in a realm does not protect the view by default. Any view that must be protected should be added to the realm regardless of whether the view was created before or after the table was added to the realm.

  • For invoker's right procedures that access realm protected objects, the invoker of the procedure must be authorized to the realm.

  • The execution of PL/SQL procedures that are owned by SYS are subject to the Oracle Data Dictionary realm enforcement. (The Oracle Data Dictionary realm is one of the default realms provided by Oracle Database Vault. See "Default Realms" for more information.) However, the session must have EXECUTE privilege on the procedure as normally required in the Oracle database.

  • Be aware that realm protection does not protect a table if access to the table has been granted to PUBLIC. For example, if SELECT ON table_name is granted to PUBLIC, then every user has access to table_name, even if this table is protected by a realm. As a best practice, revoke unnecessary privileges from PUBLIC.

How Authorizations Work in a Realm

Realms protect data from access through system privileges; realms do not give additional privileges to its owner or participants. The realm authorization provides a run-time mechanism to check logically if a user's command is allowed to access objects specified in the command and to proceed with its execution.

System privileges are sweeping database privileges such as CREATE ANY TABLE and DELETE ANY TABLE. These privileges typically apply across schemas and bypass the need for direct privileges. Data dictionary views such as DBA_SYS_PRIVS, USER_SYS_PRIVS, and ROLE_SYS_PRIVS list the system privileges for database accounts and roles. Database authorizations work normally for objects not protected by a realm. However, a user must be authorized as a realm owner or participant to successfully use his or her system privileges on objects secured by the realm. A realm vDiolation prevents the use of system privileges and can be audited.

Example 4-1 shows what happens when an unauthorized user who has the CREATE ANY TABLE system privilege tries to create a table in a realm where the HR schema is protected by a realm.

Example 4-1 Unauthorized User Trying to Create a Table

CREATE TABLE HR.demo2 (col1 NUMBER(1));

The following output should appear

ORA-47401: Realm violation for CREATE TABLE on HR.DEMO2

As you can see, the attempt by the unauthorized user fails. Unauthorized use of system privileges such as SELECT ANY TABLE, CREATE ANY TABLE, DELETE ANY TABLE, UPDATE ANY TABLE, INSERT ANY TABLE, CREATE ANY INDEX, and others results in failure.

Example 4-2 shows what happens when an unauthorized database account tries to use his DELETE ANY TABLE system privilege to delete an existing record, the database session returns the following error.

Example 4-2 Unauthorized User Trying to Use the DELETE ANY TABLE Privilege

DELETE FROM HR.employees WHERE empno = 8002;

The following output should appear:

ERROR at line 1:
ORA-01031: insufficient privileges

Realms do not affect direct privileges on objects. For example, a user granted delete privileges to the HR.EMPLOYEES table can successfully delete records without requiring realm authorizations. Therefore, realms should minimally affect normal business application usage for database accounts.

Example 4-3 shows how an authorized user can perform standard tasks allowed within the realm.

Example 4-3 Authorized User Performing DELETE Operation

DELETE FROM HR.employees WHERE empno = 8002;

1 row deleted.

Enabling Access to Objects That Are Protected by a Realm

There are situations in which you may want to protect an object by a realm, but still enable access to objects that are part of this realm-protected object. For example, suppose you create a realm around a specific table. However, you want users to be able to create an index on this table. You can accomplish this as follows, depending on the following scenarios.

  • The user does not have the CREATE ANY INDEX privilege. As the realm owner of the table, grant the CREATE INDEX ON table privilege to the user who must create the realm.

  • The user has the CREATE ANY INDEX privilege. In this case, create another realm and make all index types as the secured objects and grant that user participant authorization to the realm. (Remember that having the CREATE ANY INDEX privilege alone is not sufficient for a non-realm participant to create an index in a realm-protected table.)

  • You want all of your database administrators to be able to create an index and they have the CREATE ANY INDEX privilege. In your data protection realm, specify all object types to be protected except the index types. This permits all of your administrators to create indexes for the protected table.

Example of How Realms Work

Figure 4-1 illustrates how data within a realm is protected. In this scenario, two users, each in charge of a different realm, have the same system privileges. The owner of a realm can be either a database account or a database role. As such, each of the two roles, OE_ADMIN and HR_ADMIN, can be protected by a realm as a secured object and be configured as the owner of a realm.

Further, only a realm owner, such as OE_ADMIN, can grant or revoke database roles that are protected by the realm. The realm owner cannot manage roles protected by other realms such as the DBA role created by SYS in the Oracle Data Dictionary realm. Any unauthorized attempt to use a system privilege to access realm-protected objects raises a realm violation, which can be audited. The powers of each realm owner are limited within the realm itself. For example, OE_ADMIN has no access to the Human Resources realm, and HR_ADMIN has no access to the Order Entry realm.

Figure 4-1 How Authorizations Work for Realms and Realm Owners

Description of Figure 4-1 follows
Description of "Figure 4-1 How Authorizations Work for Realms and Realm Owners"


See Also:

"Quick Start Tutorial: Securing a Schema from DBA Access" for a tutorial on how to create and use a realm

How Realms Affect Other Oracle Database Vault Components

Realms have no effect on factors, identities, or rule sets. They have an effect on command rules, in a sense, in that Oracle Database Vault evaluates the realm authorization first when processing SQL statements.

"How Realms Work" explains the steps that Oracle Database Vault takes to process SQL statements that affect objects in a realm. "How Command Rules Work" describes how command rules are processed.

Guidelines for Designing Realms

Follow these guidelines when designing realms:

  • Create realms based on the schemas and roles that form a database application.

    Define database roles with the minimum and specific roles and system privileges required to maintain the application objects and grant the role to named accounts. You then can add the role as an authorized member of the realm. For object-level privileges on objects protected by the realm and required by an application, create a role and grant these minimum and specific object-level privileges to the role, and then grant named accounts this role. In most cases, these types of roles do not need to be authorized in the realm unless ANY-style system privileges are already in use. A model using the principle of least privilege is ideal for any database application.

  • A database object can belong to multiple realms and an account or role can be authorized in multiple realms.

    To provide limited access to a subset of a database schema (for example, just the EMPLOYEES table in the HR schema), or roles protected by a realm, create a new realm with just the minimum required objects and authorizations.

  • If you want to add a role to a realm as a grantee, create a realm to protect the role. Doing so prevents users who have been granted the GRANT ANY ROLE system privilege, such as the SYSTEM user account, from granting the role to themselves.

  • If you want to add the SYS user account to a realm authorization, you must add user SYS explicitly and not through a role (such as the DBA role).

  • Be mindful of the privileges currently allowed to a role that you plan to add as a realm authorization.

    Realm authorization of a role can be accidentally granted and not readily apparent if an account such as SYS or SYSTEM creates a role for the first time and the Oracle Database Vault administrator adds this role as a realm authorization. This is because the account that creates a role is implicitly granted the role when it is created.

  • Sometimes you must temporarily relax realm protections for an administrative task. Rather than disabling the realm, have the Security Manager (DV_ADMIN or DV_OWNER) log in, add the named account to the authorized accounts for the realm, and set the authorization rule set to Enabled. Then in the enabled rule set, turn on all auditing for the rule set. You can remove the realm authorization when the administrative task is complete.

  • If you want to grant ANY privileges to new users, Oracle recommends that you add a database administrative user to the data dictionary realm so that this user can grant other users ANY privileges, if they need them. For example, using a named account to perform the GRANT of the ANY operations enables you to audit these operations, which creates an audit trail for accountability.

How Realms Affect Performance

DDL and DML operations on realm-protected objects do not have a measurable effect on Oracle Database. Oracle recommends that you create the realm around the entire schema, and then authorize specific users to perform only specific operations related to their assigned tasks. For finer-grained control, you can define realms around individual tables and authorize users to perform certain operations on them, and also have a realm around the entire schema to protect the entire application. Be aware, however, that this type of configuration may slow performance, but it does enable you to grant realm authorization to some of the objects in a schema.

Auditing affects performance. To achieve the best performance, Oracle recommends that you use fine-grained auditing rather than auditing all operations.

You can check the system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Database Control, which is installed by default with Oracle Database), Statspack, and TKPROF. For more information about Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation set. For information about Database Control, refer to its online Help. Oracle Database Performance Tuning Guide describes the Statspack and TKPROF utilities.

Related Reports and Data Dictionary Views

Table 4-1 lists Oracle Database Vault reports that are useful for analyzing realms. See Chapter 17, "Oracle Database Vault Reports," for information about how to run these reports.

Table 4-1 Reports Related to Realms

ReportPurpose

"Realm Audit Report"

Audits records generated by the realm protection and realm authorization operations

"Realm Authorization Configuration Issues Report"

Lists authorization configuration information, such as incomplete or disabled rule sets, or nonexistent grantees or owners that may affect the realm

"Rule Set Configuration Issues Report"

Lists rule sets that do not have rules defined or enabled, which may affect the realms that use them

"Object Privilege Reports"

Lists object privileges that the realm affects

"Privilege Management - Summary Reports"

Provides information about grantees and owners for a realm

"Sensitive Objects Reports"

Lists objects that the command rule affects


Table 4-2 lists data dictionary views that provide information about existing realms.

Table 4-2 Data Dictionary Views Used for Realms

Data Dictionary ViewDescription

"DBA_DV_REALM View"

Lists the realms created in the current database instance.

"DBA_DV_REALM_AUTH View"

lists the authorization of a named database user account or database role (GRANTEE) to access realm objects in a particular realm

"DBA_DV_REALM_OBJECT View"

Lists the database schemas, or subsets of schemas with specific database objects contained therein, that are secured by the realms


PK^_PK)AOEBPS/audplcy.htm Auditing Oracle Database Vault

A Auditing Oracle Database Vault

This appendix contains:

Oracle Database Vault Specific Audit Events

This section contains:

Oracle Database Vault Audit Events

Oracle Database Vault uses audit events to track the following activities:

  • Realm Audit. You can audit both successful and failed actions, based on the auditing option that you set when you created the realm. The exception to this is actions performed by the schema owner.

  • Rule Set Audit. Audits the rule set processing results. You can audit both successful and failed processing. Realm authorizations can be managed using rule sets. You can audit the rule set processing results. Factor assignments and secure application roles audits can be managed using a rule set.

  • Factor Audit. You can audit both successful and failed factor processing. For failed factor processing, you can audit on all or any of the following events: Retrieval Error, Retrieval Null, Validation Error, Validation False, Trust Level Null, or Trust Level Less Than Zero.

  • Oracle Label Security Session Initialization Failed. Audits instances where the Oracle Label Security session fails to initialize.

  • Oracle Label Security Attempt to Upgrade Session Label Failed. Audits instances where the Oracle Label Security component prevents a session from setting a label that exceeds the maximum session label.


See Also:


Format of the Oracle Database Vault Audit Trail

The Oracle Database Vault audit event records are stored in the AUDIT_TRAIL$ table, which is part of the DVSYS schema. These audit records are not part of the Oracle Database audit trail, and how auditing is enabled in the database has no effect how Oracle Database Vault collects its audit data in the AUDIT_TRAIL$ table. In fact, even if auditing has been disabled in Oracle Database, then the Oracle Database Vault audit functionality continues to write to the AUDIT_TRAIL$ table. Users who have been granted the DV_OWNER, DV_ADMIN, or DV_SECANALYST role can directly query the DVYS.AUDIT_TRAIL$ table.

Users who have been granted the DV_OWNER, DV_ADMIN, DV_SECANALYST or DV_MONITOR role can directly query the DVYS.AUDIT_TRAIL$ table.


Note:

Oracle Audit Vault can collect the audit data for Oracle Database Vault. See Oracle Audit Vault Administrator's Guide for more information.

Table A-1 describes the format of the audit trail, which you must understand if you plan to create custom reports that use the AUDIT_TRAIL$ table.

Table A-1 Oracle Database Vault Audit Trail Format

ColumnDatatype               NullDescription

ID#

NUMBER

NOT NULL

Numeric identifier for the audit record

OS_USERNAME

VARCHAR2(255)

Operating system login user name of the user whose actions were audited

USERNAME

VARCHAR2(30)

Name of the database user whose actions were audited

USERHOST

VARCHAR2(128)

Client computer name

TERMINAL

VARCHAR2(255)

Identifier for the user's terminal

TIMESTAMP

DATE

Date and time of creation of the audit trail entry (in the local database session time zone)

OWNER

VARCHAR2(30)

Creator of the object affected by the action, always DVSYS (because DVSYS is where objects are created)

OBJ_NAME

VARCHAR2(128)

Name of the object affected by the action. Expected values are:

  • ROLE$

  • REALM$

  • CODE$

  • FACTOR$

ACTION

NUMBER

NOT NULL

Numeric action type code. The corresponding name of the action type is in the ACTION_NAME column. Expected ACTION and ACTION_NAME values are:

  • 10000: Factor Evaluation Audit

  • 10001: Factor Assignment Audit

  • 10002: Factor Expression Audit

  • 10003: Realm Violation Audit

  • 10004: Realm Authorization Audit

  • 10005: Command Authorization Audit

  • 10006: Secure Role Audit

  • 10007: Access Control Session Initialization Audit

  • 10008: Access Control Command Authorization Audit

  • 10009: Oracle Label Security Session Initialization Audit

  • 10010: Oracle Label Security Attempt to Upgrade Label Audit

ACTION_NAME

VARCHAR2(128)

Name of the action type corresponding to the numeric code in the ACTION column

ACTION_OBJECT_ID

NUMBER

The unique identifier of the record in the table specified under OBJ_NAME

ACTION_OBJECT_NAME

VARCHAR2(128)

The unique name or natural key of the record in the table specified under OBJ_NAME

ACTION_COMMAND

VARCHAR2(4000)

The SQL text of the command procedure that was executed that resulted in the audit event being triggered

AUDIT_OPTION

VARCHAR2(4000)

The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get NULL would indicate these two options.

RULE_SET_ID

NUMBER

The unique identifier of the rule set that was executing and caused the audit event to trigger

RULE_SET_NAME

VARCHAR2(30)

The unique name of the rule set that was executing and caused the audit event to trigger

RULE_ID

NUMBER

Not used

RULE_NAME

VARCHAR2(30)

Not used

FACTOR_CONTEXT

VARCHAR2(4000)

An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered

COMMENT_TEXT

VARCHAR2(4000)

Text comment on the audit trail entry, providing more information about the statement audited

SESSIONID

NUMBER

NOT NULL

Numeric identifier for each Oracle session

ENTRYID

NUMBER

NOT NULL

Same as the value in the ID# column

STATEMENTID

NUMBER

NOT NULL

Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.

RETURNCODE

NUMBER

NOT NULL

Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events.

EXTENDED_TIMESTAMP

TIMESTAMP(6) WITH TIME ZONE

Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone

PROXY_SESSIONID

NUMBER

Proxy session serial number, if an enterprise user has logged in through the proxy mechanism

GLOBAL_UID

VARCHAR2(32)

Global user identifier for the user, if the user has logged in as an enterprise user

INSTANCE_NUMBER

NUMBER

Instance number as specified by the INSTANCE_NUMBER initialization parameter

OS_PROCESS

VARCHAR2(16)

Operating system process identifier of the Oracle process

CREATED_BY

VARCHAR2(30)

Database login user name of the user whose actions were audited

CREATE_DATE

DATE

Date on which the action occurred, based on the SYSDATE date

UPDATED_BY

VARCHAR2(30)

Same as CREATED_BY column value

UPDATE_DATE

DATE

Same as UPDATED_BY column value


Archiving and Purging the Oracle Database Vault Audit Trail

You can create an archive of the Oracle Database Vault audit trail by exporting the AUDIT_TRAIL$ system table, which is owned by DVSYS, to a dump file. You should periodically archive and then purge the audit trail to prevent it from growing too large.

To archive and purge the Oracle Database Vault audit trail:

  1. Ensure that you or the user performing the export operation has been granted the appropriate authorization.

    See "Using Oracle Data Pump in an Oracle Database Vault Environment" for more information.

  2. Disable Oracle Database Vault.

    See "Step 1: Disable Oracle Database Vault".

  3. At the operating system command prompt, create a directory for the Oracle Database Vault audit trail (for example, in $ORACLE_BASE/admin/$DB_UNIQUE_NAME/dvaudit).

    You may want to keep this directory in the same location as the operating system audit trail directories for Oracle Database, which by default is in the $ORACLE_BASE/admin/$DB_UNIQUE_NAME/adump directory. In SQL*Plus, you can check the location of the audit trail directory as follows:

    SHOW PARAMETER AUDIT_FILE_DEST

    Output similar to the following appears:

    NAME                 TYPE     VALUE
-------------------  -------  ---------------------------------------
audit_file_dest      string   /opt/oracle/app/oracle/admin/orcl/adump

  4. In SQL*Plus, create a directory object in which to generate the Oracle Database Vault audit trail. To do so, connect as SYS or as any user who has the CREATE ANY DIRECTORY privilege.

    For example:

    CREATE DIRECTORY dv_audit_dir AS '/opt/oracle/app/oracle/admin/orcl/dvaudit';

    Enclose the directory path in single quotation marks, not double quotation marks.

  5. In SQL*Plus, grant read and write privileges on the directory object to user DVSYS.

    For example:

    GRANT READ, WRITE ON DIRECTORY dvaudit TO dvsys;

  6. At the operating system command prompt, enter a command similar to the following to export the DVSYS.AUDIT_TRAIL$ audit table into a new dump file.

    EXPDP DVSYS
Enter password: password
DIRECTORY=dvaudit \
TABLES=DVSYS.AUDIT_TRAIL$ \
QUERY=DVSYS.AUDIT_TRAIL$:"WHERE timestamp < 2009-08-03:19:34:59" 
DUMPFILE=dv_audit_031607.dmp

    In this specification:

    • DIRECTORY: Enter the directory object that you created in Step 5. Ensure that that the user who is running EXPDP (DVSYS in this example) has read and write permissions on this directory object. If you created the directory object, then you automatically have read and write permissions on it.

    • TABLES: Enter DVSYS.AUDIT_TRAIL$, the name of the audit trail table.

    • QUERY: Optional. This setting writes a subset of the audit table contents to the dump file, in this case, audit records that are less than the timestamp column value of 2009-08-03:19:34:59.

    • DUMPFILE: Enter the name of the dump file that you want to create. The default extension is .dmp, but you can use any extension. Ensure that the file name you specify is unique.

  7. In SQL*Plus, purge the Oracle Database Vault audit trail table, now that you have archived it.

    For example, if you archived all audit trail records that are less than the timestamp column value of 2009-08-03:19:34:59, enter the following statement:

    DELETE FROM DVSYS.AUDIT_TRAIL$ WHERE TIMESTAMP < 2009-08-03:19:34:59;

    To completely purge the audit trail and remove the extents allocated to the audit trail table, enter the following statement:

    TRUNCATE TABLE DVSYS.AUDIT_TRAIL$;

  8. Exit SQL*Plus.

  9. Re-enable Oracle Database Vault.

    See "Step 3: Enable Oracle Database Vault".

Oracle Database Audit Settings Created for Oracle Database Vault

When you install Oracle Database Vault, it creates several AUDIT settings in the database. However, in order for these audit settings to take place, auditing must be enabled in this database. You can check if auditing is enabled by using the SHOW PARAMETER command to find the value of the AUDIT_TRAIL initialization parameter. By default, auditing is disabled in Oracle Database.

If the AUDIT_TRAIL parameter is set to NONE, then auditing is not enabled, so you must set AUDIT_TRAIL. For detailed information about the AUDIT_TRAIL parameter settings, see Oracle Database Security Guide and Oracle Database Reference.

Table A-2 lists the AUDIT settings that Oracle Database Vault adds to the database.

Table A-2 Audit Policy Settings Oracle Database Vault Adds to Oracle Database

Audit Setting TypeAudited Statements (BY ACCESS and on Success or Failure Unless Otherwise Noted)

System Audit Settings/System Privilege Usage

ALTER ANY

CREATE ANY

DELETE ANY

DROP ANY

EXECUTE ANY (WHENEVER NOT SUCCESSFUL)

FORCE ANY

GRANT ANY

INSERT ANY

UPDATE ANY

System Audit Settings/Object Management

ALTER DATABASE, PROFILE, ROLLBACK SEGMENT, SESSION, SYSTEM, TABLE, TABLESPACE, USER

CREATE CLUSTER, DATABASE LINK, INDEXTYPE, LIBRARY, OPERATOR, PUBLIC SYNONYM, PROCEDURE, PROFILE, ROLE, ROLLBACK ~SEGMENT, SEQUENCE, SESSION, SNAPSHOT, SYNONYM, TABLE, TABLESPACE, TRIGGER, TYPE, USER, VIEW

TRUNCATE

System Audit Settings/Intrusive Commands

ALTER SESSION

BECOME USER

CREATE SESSION

DEBUG CONNECT SESSION

RESTRICTED SESSION

System Audit Settings/Administration Commands

ADMINISTER DATABASE TRIGGER

BACKUP ANY TABLE

EXEMPT ACCESS POLICY

MANAGE TABLESPACE

System Audit Settings/Audit Commands

AUDIT ANY

AUDIT SYSTEM

System Audit Settings/Access Control

GRANT ANY PRIVILEGE/ANY OBJECT PRIVILEGE/ROLE

GRANT DIRECTORY

GRANT SEQUENCE

GRANT TABLE

GRANT TYPE

User Audit Settings for DVSYS/DVF

User Audit Settings for LBACSYS

See Table 11-2, "Database Accounts Used by Oracle Database Vault" for more information about these accounts.

See also these sections for detailed information on the DVSYS and DVF schemas:

ADMINISTER DATABASE TRIGGER

ALTER object

AUDIT SYSTEM

BECOME USER

CLUSTER

COMMENT

CONTEXT

CREATE object

DATABASE LINK

DEBUG

DIRECTORY

DROP object

EXECUTE LIBRARY (WHENEVER NOT SUCCESSFUL)

EXECUTE PROCEDURE (WHENEVER NOT SUCCESSFUL)

EXEMPT ACCESS POLICY

EXPORT FULL DATABASE

GRANT object

IMPORT FULL DATABASE

INDEX

MANAGE SCHEDULER

MANAGE TABLESPACE

MATERIALIZED VIEW (audits both accessing and creating materialized views)

SELECT SEQUENCE (WHENEVER NOT SUCCESSFUL)

SELECT TABLE (WHENEVER NOT SUCCESSFUL)

Object Audit Settings for DVF

AUDIT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE

COMMENT TABLE/VIEW

DELETE TABLE/VIEW

EXECUTE PACKAGE/PROCEDURE/FUNCTION (WHENEVER NOT SUCCESSFUL)

GRANT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE

RENAME PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/VIEW/TABLE

SELECT SEQUENCE/TABLE/VIEW (WHENEVER NOT SUCCESSFUL)

Object Audit Settings for DVSYS

Object Audit Settings for LBACSYS

AUDIT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE

COMMENT TABLE/VIEW

DELETE TABLE/VIEW

EXECUTE PACKAGE/PROCEDURE/FUNCTION (WHENEVER NOT SUCCESSFUL)

GRANT PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/TABLE

INSERT TABLE/VIEW

RENAME PACKAGE/PROCEDURE/FUNCTION/SEQUENCE/VIEW/TABLE

SELECT SEQUENCE/TABLE/VIEW (WHENEVER NOT SUCCESSFUL)

UPDATE TABLE/VIEW


PKGp~PK)A OEBPS/toc.ncx1 Oracle® Database Vault Administrator's Guide, 11g Release 2 (11.2) Cover Table of Contents List of Examples List of Figures List of Tables Oracle Database Vault Administrator's Guide 11g Release 2 (11.2) Preface What's New in Oracle Database Vault? Introducing Oracle Database Vault What to Expect After You Install Oracle Database Vault Getting Started with Oracle Database Vault Configuring Realms Configuring Rule Sets Configuring Command Rules Configuring Factors Configuring Secure Application Roles for Oracle Database Vault Integrating Oracle Database Vault with Other Oracle Products DBA Operations in an Oracle Database Vault Environment Oracle Database Vault Objects Using the DVSYS.DBMS_MACADM Package Using the DVSYS.DBMS_MACSEC_ROLES Package Using the DVSYS.DBMS_MACUTL Package Using the Oracle Database Vault PL/SQL Interfaces Monitoring Oracle Database Vault Oracle Database Vault Reports Auditing Oracle Database Vault Disabling and Enabling Oracle Database Vault Postinstallation Oracle Database Vault Procedures Oracle Database Vault Security Guidelines Troubleshooting Oracle Database Vault Index Copyright PKPK)AOEBPS/troubleshooting.htm/ Troubleshooting Oracle Database Vault

E Troubleshooting Oracle Database Vault

This appendix contains:

Using Trace Files to Diagnose Events in the Database

You can monitor your Oracle Database Vault database instance for server and background process events by checking the database instance trace files. Trace files reveal events such as the logic that the Oracle Database Vault security enforcement engine executes, and internal errors, block corruption errors, deadlock errors, administrative actions that may have occurred, values of parameters that had nondefault settings when the database instance started, and other information.

Be careful about enabling trace files, however. Doing so can increase the overhead of the database instance operation, which could decrease performance. Contact Oracle Support before you decide to enable tracing.

The USER_DUMP_DEST initialization parameter specifies the current location of the trace files. You can find the value of this parameter by issuing SHOW PARAMETER USER_DUMP_DEST in SQL*Plus.

To enable tracing, log in to SQL*Plus as a user who has the ALTER SESSION privilege and then issue the following statement:

ALTER SESSION SET EVENTS '47998 trace name context forever, level 12'

For example, suppose you have an account that is trying to use a statement that is protected by a command rule, but the statement is not working as expected. You can diagnose the enforcement logic for this account by granting it the ALTER SESSION privilege, issuing the ALTER SESSION statement, and then retrying the statement. Afterward, check the trace files to determine what is going on.

You can disable tracing by issuing the following statement:

ALTER SESSION SET EVENTS '47998 trace name context off'

For more information about how to manage trace files, see Oracle Database Administrator's Guide.

General Diagnostic Tips

Follow these general tips for diagnosing problems in realms, factors, and rule sets:

  • For realm protections, verify that a user has the underlying system or object privileges (granted directly or through a role) that might affect the command.

  • If a realm authorization is not working, verify that the account roles are set correctly.

  • For PL/SQL expressions used in factors and rule sets, grant the EXECUTE privilege on the PL/SQL package functions used in these expressions directly to the account and determine if the results appear to be correct.

  • Use the auditing reports to diagnose problems in general. See "Oracle Database Vault Auditing Reports" for more information.

Configuration Problems with Oracle Database Vault Components

If you suspect problems with the configuration of realms, command rules, factors, rule sets, or secure application roles, you can run the appropriate configuration report. See the following sections for more information:

To run these reports, see "How to Run Oracle Database Vault Reports".

PK{\PK)AOEBPS/monitoring.htmE3 Monitoring Oracle Database Vault

16 Monitoring Oracle Database Vault

This chapter contains:


See Also:

"Providing Textual Descriptions of Database Vault Administrator Charts" for information about configuring the charts in the Monitor page to provide textual descriptions for screen readers

Security Violation Attempts

You can check for security violations, such as realm or command rule violations. This feature displays data such as the user name of the person committing the violation, the action they committed, and a time stamp of the activity.

Before you can view these events, you must ensure that the AUDIT_TRAIL initialization parameter is set to DB or DB, EXTENDED. For detailed information about the AUDIT_TRAIL parameter settings, see Oracle Database Security Guide.

To check for security violations:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER, DV_ADMIN, DV_MONITOR, or DV_SECANALYST role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, click Monitor.

  3. At the top of the Monitor page, set a period for the monitoring action by selecting from the Show Records For list and clicking Go.

    This section of the Monitor page also indicates the last time the data on the page was refreshed.

  4. In the Monitor page, click Security Violation Attempts.

    A table appears, listing security policy changes.

    Description of security_violation_attempts.gif follows
    Description of the illustration security_violation_attempts.gif

Database Configuration and Structural Changes

You can view structural changes to the database or database schema objects. This feature also audits statements such as CREATE TABLE, ALTER TABLE, DROP TABLE, and ALTER DATABASE. It audits all commands, not just commands that are used in command rules. For example, if someone has unexpectedly altered a table on a production system, you can use this feature to determine what is happening.

Before you can view these events, you must ensure that the AUDIT_TRAIL initialization parameter is set to DB or DB, EXTENDED. For detailed information about the AUDIT_TRAIL parameter settings, see Oracle Database Security Guide.

Follow these steps:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER, DV_ADMIN, DV_MONITOR, or DV_SECANALYST role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, click Monitor.

  3. At the top of the Monitor page, set a period for the monitoring action by selecting from the Show Records For list and clicking Go.

    This section of the Monitor page also indicates the last time the data on the page was refreshed.

  4. In the Monitor page, click Database Configuration and Structural Changes.

    A table similar to the following appears:

    Database Configuration and Structural Changes table
    Description of the illustration config_struct_changes.gif

Security Policy Changes by Category

This section contains:

About Monitoring Security Policy Changes by Category

You can check the number of policy changes for the categories in the following list. These categories reflect changes to the database security policy (that is, its configuration) in any given environment. If something changes that is security related, you can use the chart and tables to drill down to find unexpected changes that should be investigated.

Before you can view these events, you must ensure that the AUDIT_TRAIL initialization parameter is set to DB or DB, EXTENDED. For detailed information about the AUDIT_TRAIL parameter settings, see Oracle Database Security Guide.

  • Database Vault policy: Shows changes made through the Oracle Database Vault administrative packages or user interface, indicating Oracle Database Vault configuration or policy changes.

  • Label Security policy: Shows changes made through the Oracle Database Vault administrative packages or user interface, indicating Oracle Label Security policy or privilege changes.

  • Audit Policy: Shows changes to the database audit policy coming from AUDIT or NOAUDIT statements.

  • Privilege Grants: Shows changes to system or object privilege GRANT statements.

  • Privilege Revokes: Shows changes to system or object privilege REVOKE statements.

  • Database Account: Shows changes to CREATE USER, ALTER USER, or DROP USER statements.

  • Database Role: Shows changes to CREATE ROLE, ALTER ROLE, or DROP ROLE statements.

Procedure for Monitoring Security Policy Changes by Category

To monitor security policy changes by category:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER, DV_ADMIN, DV_MONITOR, or DV_SECANALYST role.

    "Starting Oracle Database Vault" explains how to log on.

  2. In the Administration page, click Monitor.

  3. At the top of the Monitor page, set a period for the monitoring action by selecting from the Show Records For list and clicking Go.

    This section of the Monitor page also indicates the last time the data on the page was refreshed.

  4. In the Monitor page, check the graph under Security Policy Changes by Category.

    A graph similar to the following appears, which shows the number of security policy changes based on the following categories: Oracle Database Vault policy, Oracle Label Security policy, audit policy, privilege grants and revokes, database accounts, and database roles.

    Graph showing Security Policy Changes.
    Description of the illustration sec_policy_changes.gif

Security Policy Changes Detail

You can check the details of security policy changes, such the user who made the change, the action that occurred, the time stamp of the change, and so on.

Before you can view these events, you must ensure that the AUDIT_TRAIL initialization parameter is set to DB or DB, EXTENDED. For detailed information about the AUDIT_TRAIL parameter settings, see Oracle Database Security Guide.

To monitor security policy changes by detail:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER, DV_ADMIN, DV_MONITOR, or DV_SECANALYST role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, click Monitor.

  3. At the top of the Monitor page, set a period for the monitoring action by selecting from the Show Records For list and clicking Go.

    This section of the page also indicates the last time the data on the page was refreshed.

  4. In the Monitor page, click Security Policy Changes by Detail.

    A table appears, listing the details for security policy changes.

    Description of sec_policy_changes_detail.gif follows
    Description of the illustration sec_policy_changes_detail.gif

PKuJ3E3PK)AOEBPS/content.opf- Oracle® Database Vault Administrator's Guide, 11g Release 2 (11.2) en-US E23090-05 Oracle Corporation Oracle Corporation Oracle® Database Vault Administrator's Guide, 11g Release 2 (11.2) 2012-03-03T07:02:50Z Explains how to configure an Oracle database to use Oracle Database Vault, which enables users to restrict and monitor administrative user access. PK]<--PK)A OEBPS/lof.htmm List of Figures

List of Figures

PK8pPK)AOEBPS/dcommon/prodbig.gif GIF87a!!!)))111BBBZZZsss{{ZRRcZZ!!1!91)JB9B9)kkcJJB991ssc絽Zcc!!{祽BZc!9B!c{!)c{9{Z{{cZB1)sJk{{Z{kBsZJ91)Z{!{BcsRsBc{9ZZk甽kBkR!BZ9c)JJc{!))BZks{BcR{JsBk9k)Zck!!BZ1k!ZcRBZcZJkBk1Z9c!R!c9kZRZRBZ9{99!R1{99R{1!1)c1J)1B!BJRkk{ƽ絵ތkk絵RRs{{{{JJsssBBkkk!!9ss{{ZZssccJJZZRRccRRZZ))cBBJJ99JJ!!c11991199Z11!c!!))Z!!!1BRck{)!cJBkZRZ,HP)XRÇEZ֬4jJ0 @ "8pYҴESY3CƊ@*U:lY0_0#  5tX1E: C_xޘeKTV%ȣOΏ9??:a"\fSrğjAsKJ:nOzO=}E1-I)3(QEQEQEQEQEQEQE֝Hza<["2"pO#f8M[RL(,?g93QSZ uy"lx4h`O!LŏʨXZvq& c՚]+: ǵ@+J]tQ]~[[eϸ (]6A&>ܫ~+כzmZ^(<57KsHf妬Ϧmnẁ&F!:-`b\/(tF*Bֳ ~V{WxxfCnMvF=;5_,6%S>}cQQjsOO5=)Ot [W9 /{^tyNg#ЄGsֿ1-4ooTZ?K Gc+oyڙoNuh^iSo5{\ܹ3Yos}$.nQ-~n,-zr~-|K4R"8a{]^;I<ȤL5"EԤP7_j>OoK;*U.at*K[fym3ii^#wcC'IIkIp$󿉵|CtĈpW¹l{9>⪦׺*ͯj.LfGߍԁw] |WW18>w.ӯ! VӃ :#1~ +މ=;5c__b@W@ +^]ևՃ7 n&g2I8Lw7uҭ$"&"b eZ":8)D'%{}5{; w]iu;_dLʳ4R-,2H6>½HLKܹR ~foZKZ࿷1[oZ7׫Z7R¢?«'y?A}C_iG5s_~^ J5?œ tp]X/c'r%eܺA|4ծ-Ե+ْe1M38Ǯ `|Kյ OVڅu;"d56, X5kYR<̭CiطXԮ];Oy)OcWj֩}=܅s۸QZ*<~%뺃ȶp f~Bðzb\ݳzW*y{=[ C/Ak oXCkt_s}{'y?AmCjޓ{ WRV7r. g~Q"7&͹+c<=,dJ1V߁=T)TR՜*N4 ^Bڥ%B+=@fE5ka}ędܤFH^i1k\Sgdk> ֤aOM\_\T)8靠㡮3ģR: jj,pk/K!t,=ϯZ6(((((((49 xn_kLk&f9sK`zx{{y8H 8b4>ÇНE|7v(z/]k7IxM}8!ycZRQ pKVr(RPEr?^}'ðh{x+ՀLW154cK@Ng C)rr9+c:׹b Жf*s^ fKS7^} *{zq_@8# pF~ [VPe(nw0MW=3#kȵz晨cy PpG#W:%drMh]3HH<\]ԁ|_W HHҡb}P>k {ZErxMX@8C&qskLۙOnO^sCk7ql2XCw5VG.S~H8=(s1~cV5z %v|U2QF=NoW]ո?<`~׮}=ӬfԵ,=;"~Iy7K#g{ñJ?5$y` zz@-~m7mG宝Gٱ>G&K#]؃y1$$t>wqjstX.b̐{Wej)Dxfc:8)=$y|L`xV8ߙ~E)HkwW$J0uʟk>6Sgp~;4֌W+חc"=|ř9bc5> *rg {~cj1rnI#G|8v4wĿhFb><^ pJLm[Dl1;Vx5IZ:1*p)إ1ZbAK(1ׅ|S&5{^ KG^5r>;X׻K^? s fk^8O/"J)3K]N)iL?5!ƾq:G_=X- i,vi2N3 |03Qas ! 7}kZU781M,->e;@Qz T(GK(ah(((((((Y[×j2F}o־oYYq $+]%$ v^rϭ`nax,ZEuWSܽ,g%~"MrsrY~Ҿ"Fت;8{ѰxYEfP^;WPwqbB:c?zp<7;SBfZ)dϛ; 7s^>}⍱x?Bix^#hf,*P9S{w[]GF?1Z_nG~]kk)9Sc5Ո<<6J-ϛ}xUi>ux#ţc'{ᛲq?Oo?x&mѱ'#^t)ϲbb0 F«kIVmVsv@}kҡ!ˍUTtxO̧]ORb|2yԵk܊{sPIc_?ħ:Ig)=Z~' "\M2VSSMyLsl⺿U~"C7\hz_ Rs$~? TAi<lO*>U}+'f>7_K N s8g1^CeКÿE ;{+Y\ O5|Y{/o+ LVcO;7Zx-Ek&dpzbӱ+TaB0gNy׭ 3^c T\$⫫?F33?t._Q~Nln:U/Ceb1-im WʸQM+VpafR3d׫é|Aү-q*I P7:y&]hX^Fbtpܩ?|Wu󭏤ʫxJ3ߴm"(uqA}j.+?S wV ~ [B&<^U?rϜ_OH\'.;|.%pw/ZZG'1j(#0UT` Wzw}>_*9m>󑓀F?EL3"zpubzΕ$+0܉&3zڶ+jyr1QE ( ( ( ( ( ( ( (UIdC0EZm+]Y6^![ ԯsmܶ捆?+me+ZE29)B[;я*wGxsK7;5w)}gH~.Ɣx?X\ߚ}A@tQ(:ͧ|Iq(CT?v[sKG+*רqҍck <#Ljα5݈`8cXP6T5i.K!xX*p&ќZǓϘ7 *oƽ:wlຈ:Q5yIEA/2*2jAҐe}k%K$N9R2?7ýKMV!{W9\PA+c4w` Wx=Ze\X{}yXI Ү!aOÎ{]Qx)#D@9E:*NJ}b|Z>_k7:d$z >&Vv󃏽WlR:RqJfGإd9Tm(ҝEtO}1O[xxEYt8,3v bFF )ǙrPNE8=O#V*Cc𹾾&l&cmCh<.P{ʦ&ۣY+Gxs~k5$> ӥPquŽўZt~Tl>Q.g> %k#ú:Kn'&{[yWQGqF}AЅ׮/}<;VYZa$wQg!$;_ $NKS}“_{MY|w7G!"\JtRy+贾d|o/;5jz_6fHwk<ѰJ#]kAȎ J =YNu%dxRwwbEQEQEQEQEQEQEQEQEQE'fLQZ(1F)hQ@X1KEQE-Q@ 1KE3h=iPb(((1GjZ(-ʹRPbR@ 1KE7`bڒyS0(-&)P+ ڎԴP11F)h&:LRmQ@Q@Š(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((?l:ϊw "{{-3j3%{sj~2= 7 ~MڅKrHb|P3 r=Ҁ +Ş/$iu7=q2dԂxn⸷9$l]H #WI񯄴;\[ݚD8C3p&0U9^AnK vI+!I8>5(zqj03Y.X ,@85ߛ8>pq8=} \xmm常8` $Q@$v7zwp]ɝA GX;y_]覮O&4 SPtY.X),@84U=7Vuv K4,$g{@<+uqtiGw3; I@ORմn5MBp%8'ƫ%u6uBJrHRN2@ϸ J(9i[[mG=g<1?3wcÚ/E\dMy0"f&] gvyŒmO^ &uZzW:K"0Y2Fd˧xt$M>S/qp#fX[rSz]Yk}/[oT.$ d$$ {ݷ.uRO-$v{M& (E1%;L'f? '6{>/,̤F)I`z`\/n-jMn%Y-xUQ^71 ISz_7g7RFV$r aӸJ> jIĞտ4_.XYH|x|۸>1}ޟ?x"7VQ,7I4vT10NMzEq|.,},r=ݲA30HPŔw Q χuI# 2;;c,@YJ v&~!xj͢$4>YK2y`r~sy^==4Ye9Rc =KikRi:Lw -ܫ2$PU{#r*3+*Ohȗw(/.ĈY%JvP\ljn<$m=\)@27'p<ēIYcŐFG^AO#sj:^5pcz੒ݷʁ$x *ڏ'B;o \ p$u .xAb0Ms:{{HุXUr`:jx{Nş A@*E5y|͟?i]N]Y|q[\1DJ~U ON ]ω6eeX7[CO3@v-` _Ht/x҉+jEE]/$:D?O5 cFw[>!V"OIDc6۩o߅oXhvdS3'e'ʼ Vßοsǧ鈖~9xdeH{iͻ\iz KYU pJ3=\(((((((((((((((((((?|;ol.'Gv7}\)//@)N[X]bR$(8gU(n%;yfE(ڷ"? fH&ՠ-D#R#]z_t l&vܧ  co߅|#_d# ?%(H$a؎?*(oľ t G mFr@9N:o6=ޗZN| + o  k34G>ϲ}vlۻ;}럸YK@m2 >dDvONQ@C L-$ew-nqf5]*\4N;;,OчG FPc:}wPr3VrJ1n35Q@7VEJ$E `+뛉gG.;A'<* =v:nn^ic9vK` aW( I¾.c4G_DŽ0V?uPT]*\4N;;,OчG FPc:}wPr3:DWqh'ڢhdwI#+#vbɕviϰŠ4M;Ú<No{7yqog۹Xy$j-xGNC%<ד.@=~UEs$?]sHHlr3ބ6ߘNq hӤk$fO5ː9rOElQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@|k^4u U=vCiq 4GB|Eí^9|"5Y$C!A/zu߅~*_ [G۽̫+ȡn ~26@PyA<7V\[J6 dGjJ?ڇo4[)&U\My@2c3,֩·rZZΓP.O@%Yӻ+CaQn*3垙}@&kߚ#]7c/H|w!?ϻ|ӏJ +cGu/:fO֑} o -̧Ϧj>YWמ 𮽪zlOsijUUeb@Q^xgVMcJ6%$DH_u+h>&nKn;sc<H-zg< _|1h>Wm6pzWa^?J o]$:DtWS4𖓩_]Z?Y@kЫr,G5cj 09 RyOpv)ۀۃF0/%~!ƭ_;^F?獶p]x( *mn|j>Ci"k5%ep nz%zWŸ${v_]zyϲ,Ws\k,B|뺕sp 1Rۆ:98Q@o^<֩Ai ^2P;r翥w'o<+ujz3z궲"P;r翥z}6En4V*D3(( |i-'S񆿪`RW XOk_/=hx}ZeG8p\D`q?.H%O`@|:[ |KZ Y LaX \su-Y$m*SP GRxvp1O^(Wt-#E 0g]_,A8td'm*{wGz-3W/ F:׵3yҢwNy]ܕBʼe.v񜞆; +1QOڬ\VЕEݵߵH $ཋT/<{/47??NB9s |Q^GdOs}Ͻuַ4mc!uMj;E +F!6U VԦ|O˨]L$mgϭzc[FE߉`٫!sPvoy^oچ>k] yKFn6ʾfh?L)=O͟>0My9("9Mvceqw%%̙3*\䓒FzM\#WQx_]ftáHVlA\\?=? U?O3>QW<#&9@dHgUlr#=3+sVt_#װjzcie#w":}Ŋ'x%xj>i,Ү绶Ү>isj VR2y;#:[iՌwvbTYH*z8$t&$4;C[=1"Ҥgvr1 漏V⯈Ȱ^q`Ա|iyKƹ(G#^vGYL*$,PG ڣy9 ='CGנxIuVcGOvu qo,l1sݯRzcVatk.X/m䷑ 0WR3h%$B(PTz xn>$K[]vg9 ՏjOi(t-R{n>lv܍ʒFch%Oow:'k:{=shX]BnFI#1u5s>w.;'fq uQڀ+I熿k?t>T zãh:]HY[oHAbA8gV=i0{X[xW_( ۜ~ ( *mzfe&si_f(žP }NOi(t-R{n>lv܍ʒFckC_-j;B1*UB=FA:@o֯>ٶƽčXs ;[On}J=NBH,/HH b0WO:6keKfw,GqTѺ2p:rI&#@m-t;K@),YRĖ=I<:@_7 xSYc3Z(’:J]'$:DuO?!f}QRIv#1fsXI ]F7Ux>yOKx-Ĉ%R%H3ǯJO<5`_׾(xoZhLxDK381gM'MFѬtv6QBpE֖:RXOH# A89Om_W|xU[ 9cH_qyVOhhj)y*j[0VU  E]1ʐNA^ |Ms ptQ @xW_Ļv1;e2s*8bRe=k^k :<˦eH$!UX w xXmZZI:[IpP>P:溏 xn>$K[]vg9 Տjmnx(6 v2J8߯/IVY~6]TvsU2FAEn:GON+ "@TP0%x_uO|CnX]钾!Tn+ ٶJt/ً]sL5H'k2h0x H'+yc P yoc\ #DVt2jP>*[W ;pHgmk𧀴:g_YVY!b8\UFT^ l|y)Ρn-卝|F2nsOSyiŸ|'MLH4U{e6s^[c$qϪ_k^ɭ_ }PiR39ssQ%JU#GBkgZ^G<귱s +qׂ:zq@(u|@-E+@w8$g!y 9ԮwpuR,PH39 !I}ž7IeYdr5UTo#<V@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@v:42?L5p$WLD[[,2࣯sǧzMo^pkaJ yj<{PQEp~5D:omդ.- I*?շ<|Q>,O}>qp(mҫTJjJ(((>)^+m-tA wo$8W5/|Tkn|Gڏ-\ƻC1a*[_ZDBH܌S#X+Ɠk_[$3Ŧ\rFYDG hr_j tk4_Ai,/HJ`rkts.im$-z#sRWW(|koைZ} Yj0(p a\*BGPE~*յ/|YҼvvzr}Yfx""AV *p8PQTi/ѯ}A-kX8W)اl+ѡdW nu1ж9%B~}Ӡ+the~ijVH*XeӝG^@=\|`<-~ y.-`)QAo-Xj(?7+`Ou\y:!Cd ` (I;>nvgٻ<}km Ų>itZ;!pQbOFT +-^M'z=ߑ\*j6+pV+ېx z%[_ZDBH܌S#X((((((((((((('u^^?: *O=(A%wG\xmm常8` $Q@$ב ;£FWxSnaguuC nsld2H@?Gߋm; j9d]87d Gb$/m/ği]ljo%Wբg`>nq8fl]m`=/Fc{9.T}OulWºfnc{պ$Rn`z(6!D>U&ϻ)7/_Z^.CTxdHH_yFI-R|3д}oğm*Otfe83UϊC,ҵmjj%sNM<5ͣxWH6y2JD HQJ.s))*|i#8ڹ< Fua'4Z&Kԑ1 Ppy5 jXK yJ$A[rnJT9\||Uuo-Mfh%BG"JF ς&>ZMZ=wYVE@@ ~9@|CI\x⏈ockO:rLN *~fG/$:D j5o;n:UsaLIU[IPWg7ë 176w )PM AAcZNj OwXm/TG;2.UK;fݏWwRĺ|CԞ%&bHȅ8%c$8⽒ ('׎Mg\>u26 3Ý?(oǿ?i^V̨fpEr.= XX6L5ۮs' =$W%+U/O>{WxV|m卤anpG=yV?-{x$O*Z (<?t>T {x|'`? (xmm常8` $Q@$(((((((((((((kK46Z_n)ekP۝BvyHuI~$OB"kw2¿>fֽ cŸom/Xmݜntu~5&f/[Mmjkf;dk4Zi;ϝنrxlQ@G&|Kkޏy5ıcRU2wFyǏi޷}Ns(b\26z~C:g=ô-Fbz8< uߍ.$PQ3 ;(8OVW|#gsYtx!(T)$r(eu#x 1RQ@7%uy/p٤{un[q :y,qq㟄_5kv-/w :R8!@Ey+ F-f}#]iKaH*ι2HPQ@GmJ&Oj|l2z}"oi>9tn`#P 6r9(i|mWMyZEq⒨fqt|-M'^u)I-M;wu  ( /ƺvimwi&6K! u?)S99>Z!k:0`wm /#Fz lʋ v@{Z< cŸom/XmݜntuŠ↓O/>ѭgȔn߻6<=ohɻ[7suۍ=<^48>'jd0C$h$($YkfSO[!\ *_t  Exr%*_}!#U #4 & ֩3|b]L ]t b+Da&R_2lEٱZ`aC)/яmvUkS r(-iPE Vv_{z GLt\2s!F A#葡JY r|AA,hB}q|B`du }00(䡆<pb,G+oB C0p/x$…– ]7 @2HFc ) @AD \0 LHG',(A` `@SC)_" PH`}Y+_|1.K8pAKMA @?3҄$[JPA)+NH I ,@8G0/@R T,`pF8Ѓ)$^$ DDTDlA@ s;PKPK)AOEBPS/dcommon/darbbook.cssPKPK)A!OEBPS/dcommon/O_signature_clr.JPG"(JFIF``C    $.' ",#(7),01444'9=82<.342C  2!!22222222222222222222222222222222222222222222222222" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (?O '~MQ$Vz;OlJi8L%\]UFjޙ%ԯS;rA]5ފ<׈]j7Ouyq$z'TQuw7Ŀ KX߁M2=S'TQt?.5w'97;~pq=" ~k?`'9q6 E|yayM^Om'fkC&<5x' ?A?Zx'jß={=SßM gVC.5+Hd֪xc^)Җufz{Cީ|D Vkznq|+Xa+{50rx{|OG.OϞ~f/ xxX[2H )c+#jpUOZYX\=SG ߨC|K@;_߆'e?LT?]:?>w ڔ`D^So~xo[Ӡ3i7B:Q8 Vc-ďoi:FM292~y_*_闱YN\Fr=xZ3鳎OwW_QEzW~c]REeaSM}}Hӏ4&.E]u=gMѠ+mF`rNn$w9gMa꺢nTuhf2Xv>އ a(Û6߭?<=>z'TQuw7Ŀ KX߁M2=S'TQt?.5Kko\.8S$TOX߀Gw?Zx汴X)C7~.i6(Щ=+4{mGӭ¸-]&'t_kV*I<1)4thtIsqpQJ+> \m^[aJ5)ny:4o&QEnyAEPEEss 72,PDۢ׃K W{Wjr+wگ iM/;pd?~&?@;7E4gv8 $l'z'TQuw7Ŀ Gֱ=ɿ&G?. iR(5W*$|?w᫼gkmIbHe/_t>tg%y.l}N5[]+Mk0ĠeHdPrsst'UiC,y8`V%9ZIia|ܪvi מYG,o}+kk{YbyIeb*sAtի82zWoEK5z*o-eo;n(P u-I)4Š(HQEQEQEQEhz(X/Đ?}Bk˩ ݏrk0]4>8XzV? }6$}d^F>nU K ?Bտk_9׾x~w'ߞ  uDŽtL ؈5c-E/"|_Oo.IH쐍=i*Iw5(ںw?t5s.)+tQ2dUt5Vĺ.jZ"@IRrZƅY4ߡ_;}ų(KyQf1Aǵt?sZg+?F5_oQR&Dg߿]6FuRD u>ڿxl7?IT8'shj^=.=J1rj1Wl$얲cPx;E,p$֟ˏkw qg"45(ǛkV/=+ũ)bYl~K#˝J_כ5&\F'I#8/|wʾ_Xj Q:os^T1.M_|TO.;?_  jF?g N 8nA2F%i =qW,G=5OU u8]Rq?wr'˻S+۾.ܼ 87Q^elo/T*?L|ۚ<%<,/v_OKs B5f/29n0=zqQq(ª=VX@*J(э(f5qJN_EVǞQEOuoѕOuoa5}gO?:߂8Wא|cڽ~]N&O( (<]>͠@VQ=^~U ̴m&\խ5i:}|}r~9՝f}_>'vVֲ$~^f30^in{\_.O F8to}?${φ|#x^#^n~w=~k~?'KRtO.㌡h![3Zu*ٷճ(ԟ]z_/W1(ԟ]v~g|Yq<ז0 ; b8֮s,w9\?uEyStKaª@\,)) (!EPEPEPEPEPzѧts{v>C/"N6`d*J2gGӧWqBq_1ZuΓ\X]r?=Ey88Mp&pKtO-"wR2 K^-Z< \c>V0^@O7x2WFjs<׻kZ(<Т(OFw/6$1[:ޯԯ#q~4|,LVPem=@=YLUxӃV}AUbcUB.Ds5*kٸAeG>PJxt͝ b88?*$~@ׯD VkraiJs}Q.20x&mXξ,Z]“A-J#`+-E/"<]\a'tZGy.(|lދ~gMK OZdxDŽU9T6ϯ^<Ϡt5CZ]].t۫S=s`ڳ%8iVK:nqe+#<.T6U>zWoy3^I {F?J~=G}k)K$$;$de8*G Uӟ4Ocºw}|]4=ݣ\x$ʠms?q^ipw\"ȿPs^Z Q_0GڼU.t}ROM[G#]8wٞ ӫ87}Cgw vHȩBM55vof =A_٭`Ygx[6 P,5}>蚊(0(+?>+?> k|TuXq6_ +szk :u_ Z߶Ak_U}Jc2u/1[_»ݸG41-bሬ۴}}Eȹפ_c?5gi @cL\L<68hF_Ih>X4K7UТ sMj =J7CKo>Օ5s:߀t ~ηaٿ?|gdL8+gG%o?x`دOqȱwc¨&TW_V_aI=dpG!wu۞սZ1yL50$(l3(:~'ַo A}a3N*[0ǭ HKQV}G@֜$ 9of$ArNqUOgË05#m?D)^_h//5_/<?4}Jį+GkpG4"$ r| >S4Ђ"S 1%R:ȝ 8;PKPz PK)AOEBPS/dcommon/feedback.gif7GIF89a'%(hp|fdx?AN5:dfeDGHɾTdQc`g*6DC\?ؘ||{;=E6JUՄfeA= >@,4`H.|`a (Q 9:&[|ځ,4p Y&BDb,!2@, $wPA'ܠǃ@CO~/d.`I @8ArHx9H75j L 3B/` P#qD*s 3A:3,H70P,R@ p!(F oԥ D;"0 ,6QBRɄHhI@@VDLCk8@NBBL2&pClA?DAk%$`I2 #Q+l7 "=&dL&PRSLIP)PɼirqМ'N8[_}w;PK-PK)AOEBPS/dcommon/booklist.gifGIF89a1޵֥΄kZ{Jk1Rs!BZ)B),@I9Z͓Ca % Dz8Ȁ0FZЌ0P !x8!eL8aWȠFD(~@p+rMS|ӛR$ v "Z:]ZJJEc{*=AP  BiA ']j4$*   & 9q sMiO?jQ = , YFg4.778c&$c%9;PKː5PK)AOEBPS/dcommon/cpyr.htm1 Oracle Legal Notices

Oracle Legal Notices

Copyright Notice

Copyright © 1994-2012, Oracle and/or its affiliates. All rights reserved.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

License Restrictions Warranty/Consequential Damages Disclaimer

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Warranty Disclaimer

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

Hazardous Applications Notice

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Third-Party Content, Products, and Services Disclaimer

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Alpha and Beta Draft Documentation Notice

If this document is in prerelease status:

This documentation is in prerelease status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.

Oracle Logo

PKN61PK)AOEBPS/dcommon/masterix.gif.GIF89a1ޜΌscJk1Rs!Bc1J),@IS@0"1 Ѿb$b08PbL,acr B@(fDn Jx11+\%1 p { display: none; } /* Class Selectors */ .ProductTitle { font-family: sans-serif; } .BookTitle { font-family: sans-serif; } .VersionNumber { font-family: sans-serif; } .PrintDate { font-family: sans-serif; font-size: small; } .PartNumber { font-family: sans-serif; font-size: small; } PKeӺ1,PK)AOEBPS/dcommon/larrow.gif#GIF87a絵ƌֵƽ{{ss֜ƔZZ{{{{ZZssZZccJJJJRRBBJJJJ991111))!!{,@pH,Ȥrl:ШtpHc`  өb[.64ꑈ53=Z]'yuLG*)g^!8C?-6(29K"Ĩ0Яl;U+K9^u2,@@ (\Ȱ Ë $P`lj 8x I$4H *(@͉0dа8tA  DсSP v"TUH PhP"Y1bxDǕ̧_=$I /& .)+ 60D)bB~=0#'& *D+l1MG CL1&+D`.1qVG ( "D2QL,p.;u. |r$p+5qBNl<TzB"\9e0u )@D,¹ 2@C~KU 'L6a9 /;<`P!D#Tal6XTYhn[p]݅ 7}B a&AƮe{EɲƮiEp#G}D#xTIzGFǂEc^q}) Y# (tۮNeGL*@/%UB:&k0{ &SdDnBQ^("@q #` @1B4i@ aNȅ@[\B >e007V[N(vpyFe Gb/&|aHZj@""~ӎ)t ? $ EQ.սJ$C,l]A `8A o B C?8cyA @Nz|`:`~7-G|yQ AqA6OzPbZ`>~#8=./edGA2nrBYR@ W h'j4p'!k 00 MT RNF6̙ m` (7%ꑀ;PKl-OJPK)AOEBPS/dcommon/index.gifGIF89a1޵ΥΥ{sc{BZs,@IM" AD B0 3.R~[D"0, ]ШpRNC  /& H&[%7TM/`vS+-+ q D go@" 4o'Uxcxcc&k/ qp zUm(UHDDJBGMԃ;PK(PK)AOEBPS/dcommon/bookbig.gif +GIF89a$!!!)))111999BBBJJJRRRZZZccckkksss{{{skkB991)))!!B11))1!JB9B9!!cZ9ƭƽssk{ZZRccZRRJJJBBB9c!!ν)1)k{s絽ƌkssֽZccJRRBJJ{9BB)11)99!!))11!!k!JZ!)RcJccBcs)1c)JZ!BR!)BZ)99J!Rk9!c11B)Z{)9Bkc1kB9BZ!Z{9Rs)Jkksk9kB1s1Jk9Rƥc{k9s)Z{1k91)s1Rk)Jc1J!))BZ!1k{csc{)19B!)Bcsc{ksc{kZs!RkJkJkքc{9Zks{ck9R)Bks9R9R1J!)Z1B!)c)9)99BR19kksBBJcc{ccBBZ))9kk!!199c11ZBB{9!!R!!Z!!c))!!kR!!s!!BcksRZ1c9B)R91c1)Z!R9B9k1)RcZ{)!1B9JB9B)!)J9B!& Imported from GIF image: bookbig.gif,$!!!)))111999BBBJJJRRRZZZccckkksss{{{skkB991)))!!B11))1!JB9B9!!cZ9ƭƽssk{ZZRccZRRJJJBBB9c!!ν)1)k{s絽ƌkssֽZccJRRBJJ{9BB)11)99!!))11!!k!JZ!)RcJccBcs)1c)JZ!BR!)BZ)99J!Rk9!c11B)Z{)9Bkc1kB9BZ!Z{9Rs)Jkksk9kB1s1Jk9Rƥc{k9s)Z{1k91)s1Rk)Jc1J!))BZ!1k{csc{)19B!)Bcsc{ksc{kZs!RkJkJkքc{9Zks{ck9R)Bks9R9R1J!)Z1B!)c)9)99BR19kksBBJcc{ccBBZ))9kk!!199c11ZBB{9!!R!!Z!!c))!!kR!!s!!BcksRZ1c9B)R91c1)Z!R9B9k1)RcZ{)!1B9JB9B)!)J9BH`\Ȑ:pظа"A6DBH,V@Dڹ'G"v Æ ܥ;n;!;>xAܽ[G.\rQC wr}BŊQ A9ᾑ#5Y0VȒj0l-GqF>ZpM rb ;=.ސW-WѻWo ha!}~ْ ; t 53 :\ 4PcD,0 4*_l0K3-`l.j!c Aa|2L4/1C`@@md;(H*80L0L(h*҇҆o#N84pC (xO@ A)J6rVlF r  fry†$r_pl5xhA+@A=F rGU a 1х4s&H Bdzt x#H%Rr (Ѐ7P`#Rщ'x" #0`@~i `HA'Tk?3!$`-A@1l"P LhʖRG&8A`0DcBH sq@AXB4@&yQhPAppxCQ(rBW00@DP1E?@lP1%T` 0 WB~nQ@;PKGC PK)AOEBPS/dcommon/rarrow.gif/GIF87a絵ƌֵƽ{{ss֜ƔZZ{{{{ZZssZZccJJJJRRBBJJJJ991111))!!{,@pH,Ȥrl:ШLlԸ NCqWEd)#34vwwpN|0yhX!'+-[F 'n5 H $/14w3% C .90" qF 7&E "D mnB|,c96) I @0BW{ᢦdN p!5"D`0 T 0-]ʜ$;PKJV^PK)AOEBPS/dcommon/mix.gifkGIF89aZZZBBBJJJkkk999sss!!!111cccֽ{{{RRR)))猌ƭ{s{sks!,@@pH,B$ 8 t:<8 *'ntPP DQ@rIBJLNPTVEMOQUWfj^!  hhG H  kCúk_a Ǥ^ h`B BeH mm  #F` I lpǎ,p B J\Y!T\(dǏ!Gdˆ R53ټ R;iʲ)G=@-xn.4Y BuU(*BL0PX v`[D! | >!/;xP` (Jj"M6 ;PK枰pkPK)AOEBPS/dcommon/doccd_epub.jsM /* Copyright 2006, 2012, Oracle and/or its affiliates. All rights reserved. Author: Robert Crews Version: 2012.3.17 */ function addLoadEvent(func) { var oldOnload = window.onload; if (typeof(window.onload) != "function") window.onload = func; else window.onload = function() { oldOnload(); func(); } } function compactLists() { var lists = []; var ul = document.getElementsByTagName("ul"); for (var i = 0; i < ul.length; i++) lists.push(ul[i]); var ol = document.getElementsByTagName("ol"); for (var i = 0; i < ol.length; i++) lists.push(ol[i]); for (var i = 0; i < lists.length; i++) { var collapsible = true, c = []; var li = lists[i].getElementsByTagName("li"); for (var j = 0; j < li.length; j++) { var p = li[j].getElementsByTagName("p"); if (p.length > 1) collapsible = false; for (var k = 0; k < p.length; k++) { if ( getTextContent(p[k]).split(" ").length > 12 ) collapsible = false; c.push(p[k]); } } if (collapsible) { for (var j = 0; j < c.length; j++) { c[j].style.margin = "0"; } } } function getTextContent(e) { if (e.textContent) return e.textContent; if (e.innerText) return e.innerText; } } addLoadEvent(compactLists); function processIndex() { try { if (!/\/index.htm(?:|#.*)$/.test(window.location.href)) return false; } catch(e) {} var shortcut = []; lastPrefix = ""; var dd = document.getElementsByTagName("dd"); for (var i = 0; i < dd.length; i++) { if (dd[i].className != 'l1ix') continue; var prefix = getTextContent(dd[i]).substring(0, 2).toUpperCase(); if (!prefix.match(/^([A-Z0-9]{2})/)) continue; if (prefix == lastPrefix) continue; dd[i].id = prefix; var s = document.createElement("a"); s.href = "#" + prefix; s.appendChild(document.createTextNode(prefix)); shortcut.push(s); lastPrefix = prefix; } var h2 = document.getElementsByTagName("h2"); for (var i = 0; i < h2.length; i++) { var nav = document.createElement("div"); nav.style.position = "relative"; nav.style.top = "-1.5ex"; nav.style.left = "1.5em"; nav.style.width = "90%"; while (shortcut[0] && shortcut[0].toString().charAt(shortcut[0].toString().length - 2) == getTextContent(h2[i])) { nav.appendChild(shortcut.shift()); nav.appendChild(document.createTextNode("\u00A0 ")); } h2[i].parentNode.insertBefore(nav, h2[i].nextSibling); } function getTextContent(e) { if (e.textContent) return e.textContent; if (e.innerText) return e.innerText; } } addLoadEvent(processIndex); PKo"nR M PK)AOEBPS/dcommon/toc.gifGIF89a1ΥΥ{c{Z{JkJk1Rk,@IK% 0| eJB,K-1i']Bt9dz0&pZ1o'q(؟dQ=3S SZC8db f&3v2@VPsuk2Gsiw`"IzE%< C !.hC IQ 3o?39T ҍ;PKv I PK)AOEBPS/dcommon/topnav.gifGIF89a1ֽ筽ޭƔkZZk{Bc{,@ ) l)-'KR$&84 SI) XF P8te NRtHPp;Q%Q@'#rR4P fSQ o0MX[) v + `i9gda/&L9i*1$#"%+ ( E' n7Ȇ(,҅(L@(Q$\x 8=6 'נ9tJ&"[Epljt p#ѣHb :f F`A =l|;&9lDP2ncH R `qtp!dȐYH›+?$4mBA9 i@@ ]@ꃤFxAD*^Ŵ#,(ε  $H}F.xf,BD Z;PK1FAPK)AOEBPS/dcommon/bp_layout.css# @charset "utf-8"; /* bp_layout.css Copyright 2007, Oracle and/or its affiliates. All rights reserved. */ body { margin: 0ex; padding: 0ex; } h1 { display: none; } #FOOTER { border-top: #0d4988 solid 10px; background-color: inherit; color: #e4edf3; clear: both; } #FOOTER p { font-size: 80%; margin-top: 0em; margin-left: 1em; } #FOOTER a { background-color: inherit; color: gray; } #LEFTCOLUMN { float: left; width: 50%; } #RIGHTCOLUMN { float: right; width: 50%; clear: right; /* IE hack */ } #LEFTCOLUMN div.portlet { margin-left: 2ex; margin-right: 1ex; } #RIGHTCOLUMN div.portlet { margin-left: 1ex; margin-right: 2ex; } div.portlet { margin: 2ex 1ex; padding-left: 0.5em; padding-right: 0.5em; border: 1px #bcc solid; background-color: #f6f6ff; color: black; } div.portlet h2 { margin-top: 0.5ex; margin-bottom: 0ex; font-size: 110%; } div.portlet p { margin-top: 0ex; } div.portlet ul { list-style-type: none; padding-left: 0em; margin-left: 0em; /* IE Hack */ } div.portlet li { text-align: right; } div.portlet li cite { font-style: normal; float: left; } div.portlet li a { margin: 0px 0.2ex; padding: 0px 0.2ex; font-size: 95%; } #NAME { margin: 0em; padding: 0em; position: relative; top: 0.6ex; left: 10px; width: 80%; } #PRODUCT { font-size: 180%; } #LIBRARY { color: #0b3d73; background: inherit; font-size: 180%; font-family: serif; } #RELEASE { position: absolute; top: 28px; font-size: 80%; font-weight: bold; } #TOOLS { list-style-type: none; position: absolute; top: 1ex; right: 2em; margin: 0em; padding: 0em; background: inherit; color: black; } #TOOLS a { background: inherit; color: black; } #NAV { float: left; width: 96%; margin: 3ex 0em 0ex 0em; padding: 2ex 0em 0ex 4%; /* Avoiding horizontal scroll bars. */ list-style-type: none; background: transparent url(../gifs/nav_bg.gif) repeat-x bottom; } #NAV li { float: left; margin: 0ex 0.1em 0ex 0em; padding: 0ex 0em 0ex 0em; } #NAV li a { display: block; margin: 0em; padding: 3px 0.7em; border-top: 1px solid gray; border-right: 1px solid gray; border-bottom: none; border-left: 1px solid gray; background-color: #a6b3c8; color: #333; } #SUBNAV { float: right; width: 96%; margin: 0ex 0em 0ex 0em; padding: 0.1ex 4% 0.2ex 0em; /* Avoiding horizontal scroll bars. */ list-style-type: none; background-color: #0d4988; color: #e4edf3; } #SUBNAV li { float: right; } #SUBNAV li a { display: block; margin: 0em; padding: 0ex 0.5em; background-color: inherit; color: #e4edf3; } #SIMPLESEARCH { position: absolute; top: 5ex; right: 1em; } #CONTENT { clear: both; } #NAV a:hover, #PORTAL_1 #OVERVIEW a, #PORTAL_2 #OVERVIEW a, #PORTAL_3 #OVERVIEW a, #PORTAL_4 #ADMINISTRATION a, #PORTAL_5 #DEVELOPMENT a, #PORTAL_6 #DEVELOPMENT a, #PORTAL_7 #DEVELOPMENT a, #PORTAL_11 #INSTALLATION a, #PORTAL_15 #ADMINISTRATION a, #PORTAL_16 #ADMINISTRATION a { background-color: #0d4988; color: #e4edf3; padding-bottom: 4px; border-color: gray; } #SUBNAV a:hover, #PORTAL_2 #SEARCH a, #PORTAL_3 #BOOKS a, #PORTAL_6 #WAREHOUSING a, #PORTAL_7 #UNSTRUCTURED a, #PORTAL_15 #INTEGRATION a, #PORTAL_16 #GRID a { position: relative; top: 2px; background-color: white; color: #0a4e89; } PK3( # PK)AOEBPS/dcommon/bookicon.gif:GIF87a!!!)))111999BBBJJJRRRZZZccckkksss{{{ޭ{{ZRRcZZRJJJBB)!!skRB9{sν{skskcZRJ1)!֭ƽ{ZZRccZJJBBB999111)JJ9BB1ZZB!!ﭵBJJ9BB!!))Jk{)1!)BRZJ{BsR!RRJsJ!J{s!JsBkks{RsB{J{c1RBs1ZB{9BJ9JZ!1BJRRs!9R!!9Z9!1)J19JJRk19R1Z)!1B9R1RB!)J!J1R)J119!9J91!9BkksBBJ119BBR!))9!!!JB1JJ!)19BJRZckތ1)1J9B,H*\hp >"p`ƒFF "a"E|ժOC&xCRz OBtX>XE*O>tdqAJ +,WxP!CYpQ HQzDHP)T njJM2ꔀJ2T0d#+I:<жk 'ꤱF AB @@nh Wz' H|-7f\A#yNR5 /PM09u UjćT|q~Yq@&0YZAPa`EzI /$AD Al!AAal 2H@$ PVAB&c*ؠ p @% p-`@b`uBa l&`3Ap8槖X~ vX$Eh`.JhAepA\"Bl, :Hk;PKx[?:PK)AOEBPS/dcommon/conticon.gif^GIF87a!!!)))111999BBBJJJRRRZZZccckkksss{{{ZRR޽{{ssskkkcccZ991ccRZZBBJJZck)19ZcsBJZ19J!k{k)Z1RZs1!B)!J91{k{)J!B!B911)k{cs!1s!9)s!9!B!k)k1c!)Z!R{9BJcckZZcBBJ99B119{{!!)BBRBBZ!))999R99Z!!999c1!9!)19B1)!B9R,  oua\h2SYPa aowwxYi 9SwyyxxyYSd $'^qYȵYvh ч,/?g{н.J5fe{ڶyY#%/}‚e,Z|pAܠ `KYx,ĉ&@iX9|`p ]lR1khٜ'E 6ÅB0J;t X b RP(*MÄ!2cLhPC <0Ⴁ  $4!B 6lHC%<1e H 4p" L`P!/,m*1F`#D0D^!AO@..(``_؅QWK>_*OY0J@pw'tVh;PKp*c^PK)AOEBPS/dcommon/blafdoc.cssL@charset "utf-8"; /* Copyright 2002, 2011, Oracle and/or its affiliates. All rights reserved. Author: Robert Crews Version: 2011.10.7 */ body { font-family: Tahoma, sans-serif; /* line-height: 125%; */ color: black; background-color: white; font-size: small; } * html body { /* http://www.info.com.ph/~etan/w3pantheon/style/modifiedsbmh.html */ font-size: x-small; /* for IE5.x/win */ f\ont-size: small; /* for other IE versions */ } h1 { font-size: 165%; font-weight: bold; border-bottom: 1px solid #ddd; width: 100%; } h2 { font-size: 152%; font-weight: bold; } h3 { font-size: 139%; font-weight: bold; } h4 { font-size: 126%; font-weight: bold; } h5 { font-size: 113%; font-weight: bold; display: inline; } h6 { font-size: 100%; font-weight: bold; font-style: italic; display: inline; } a:link { color: #039; background: inherit; } a:visited { color: #72007C; background: inherit; } a:hover { text-decoration: underline; } a img, img[usemap] { border-style: none; } code, pre, samp, tt { font-family: monospace; font-size: 110%; } caption { text-align: center; font-weight: bold; width: auto; } dt { font-weight: bold; } table { font-size: small; /* for ICEBrowser */ } td { vertical-align: top; } th { font-weight: bold; text-align: left; vertical-align: bottom; } ol ol { list-style-type: lower-alpha; } ol ol ol { list-style-type: lower-roman; } td p:first-child, td pre:first-child { margin-top: 0px; margin-bottom: 0px; } table.table-border { border-collapse: collapse; border-top: 1px solid #ccc; border-left: 1px solid #ccc; } table.table-border th { padding: 0.5ex 0.25em; color: black; background-color: #f7f7ea; border-right: 1px solid #ccc; border-bottom: 1px solid #ccc; } table.table-border td { padding: 0.5ex 0.25em; border-right: 1px solid #ccc; border-bottom: 1px solid #ccc; } span.gui-object, span.gui-object-action { font-weight: bold; } span.gui-object-title { } p.horizontal-rule { width: 100%; border: solid #cc9; border-width: 0px 0px 1px 0px; margin-bottom: 4ex; } div.zz-skip-header { display: none; } td.zz-nav-header-cell { text-align: left; font-size: 95%; width: 99%; color: black; background: inherit; font-weight: normal; vertical-align: top; margin-top: 0ex; padding-top: 0ex; } a.zz-nav-header-link { font-size: 95%; } td.zz-nav-button-cell { white-space: nowrap; text-align: center; width: 1%; vertical-align: top; padding-left: 4px; padding-right: 4px; margin-top: 0ex; padding-top: 0ex; } a.zz-nav-button-link { font-size: 90%; } div.zz-nav-footer-menu { width: 100%; text-align: center; margin-top: 2ex; margin-bottom: 4ex; } p.zz-legal-notice, a.zz-legal-notice-link { font-size: 85%; /* display: none; */ /* Uncomment to hide legal notice */ } /*************************************/ /* Begin DARB Formats */ /*************************************/ .bold, .codeinlinebold, .syntaxinlinebold, .term, .glossterm, .seghead, .glossaryterm, .keyword, .msg, .msgexplankw, .msgactionkw, .notep1, .xreftitlebold { font-weight: bold; } .italic, .codeinlineitalic, .syntaxinlineitalic, .variable, .xreftitleitalic { font-style: italic; } .bolditalic, .codeinlineboldital, .syntaxinlineboldital, .titleinfigure, .titleinexample, .titleintable, .titleinequation, .xreftitleboldital { font-weight: bold; font-style: italic; } .itemizedlisttitle, .orderedlisttitle, .segmentedlisttitle, .variablelisttitle { font-weight: bold; } .bridgehead, .titleinrefsubsect3 { font-weight: bold; } .titleinrefsubsect { font-size: 126%; font-weight: bold; } .titleinrefsubsect2 { font-size: 113%; font-weight: bold; } .subhead1 { display: block; font-size: 139%; font-weight: bold; } .subhead2 { display: block; font-weight: bold; } .subhead3 { font-weight: bold; } .underline { text-decoration: underline; } .superscript { vertical-align: super; } .subscript { vertical-align: sub; } .listofeft { border: none; } .betadraft, .alphabetanotice, .revenuerecognitionnotice { color: #e00; background: inherit; } .betadraftsubtitle { text-align: center; font-weight: bold; color: #e00; background: inherit; } .comment { color: #080; background: inherit; font-weight: bold; } .copyrightlogo { text-align: center; font-size: 85%; } .tocsubheader { list-style-type: none; } table.icons td { padding-left: 6px; padding-right: 6px; } .l1ix dd, dd dl.l2ix, dd dl.l3ix { margin-top: 0ex; margin-bottom: 0ex; } div.infoboxnote, div.infoboxnotewarn, div.infoboxnotealso { margin-top: 4ex; margin-right: 10%; margin-left: 10%; margin-bottom: 4ex; padding: 0.25em; border-top: 1pt solid gray; border-bottom: 1pt solid gray; } p.notep1 { margin-top: 0px; margin-bottom: 0px; } .tahiti-highlight-example { background: #ff9; text-decoration: inherit; } .tahiti-highlight-search { background: #9cf; text-decoration: inherit; } .tahiti-sidebar-heading { font-size: 110%; margin-bottom: 0px; padding-bottom: 0px; } /*************************************/ /* End DARB Formats */ /*************************************/ @media all { /* * * { line-height: 120%; } */ dd { margin-bottom: 2ex; } dl:first-child { margin-top: 2ex; } } @media print { body { font-size: 11pt; padding: 0px !important; } a:link, a:visited { color: black; background: inherit; } code, pre, samp, tt { font-size: 10pt; } #nav, #search_this_book, #comment_form, #comment_announcement, #flipNav, .noprint { display: none !important; } body#left-nav-present { overflow: visible !important; } } PKʍPK)AOEBPS/dcommon/rightnav.gif&GIF89a1ֽ筽ޭƔkZZk{Bc{,@ ) l)- $CҠҀ ! D1 #:aS( c4B0 AC8 ְ9!%MLj Z * ctypJBa H t>#Sb(clhUԂ̗4DztSԙ9ZQҀEPEPEPEPEPEPEPM=iԍP Gii c*yF 1׆@\&o!QY00_rlgV;)DGhCq7~..p&1c:u֫{fI>fJL$}BBP?JRWc<^j+χ5b[hֿ- 5_j?POkeQ^hֿ1L^ H ?Qi?z?+_xɔŪ\썽O]χ>)xxV/s)e6MI7*ߊޛv֗2J,;~E4yi3[nI`Ѱe9@zXF*W +]7QJ$$=&`a۾?]N T䏟'X)Ɣkf:j |>NBWzYx0t!* _KkoTZ?K Gc+UyڹgNuh^iSo5{\ܹ3Yos}.>if FqR5\/TӮ#]HS0DKu{($"2xִ{SBJ8=}Y=.|Tsц2UЫ%.InaegKo z ݎ3ֹxxwM&2S%';+I',kW&-"_¿_ Vq^ܫ6pfT2RV A^6RKetto^[{w\jPZ@ޢN4/XN#\42j\(z'j =~-I#:q[Eh|X:sp* bifp$TspZ-}NM*B-bb&*xUr#*$M|QWY ~p~- fTED6O.#$m+t$˙H"Gk=t9r娮Y? CzE[/*-{c*[w~o_?%ƔxZ:/5𨴟q}/]22p qD\H"K]ZMKR&\C3zĽ[PJm]AS)Ia^km M@dК)fT[ijW*hnu Ͳiw/bkExG£@f?Zu.s0(<`0ֹoxOaDx\zT-^ѧʧ_1+CP/p[w 9~U^[U<[tĽwPv[yzD1W='u$Oeak[^ |Gk2xv#2?¹TkSݕ| rݞ[Vi _Kz*{\c(Ck_܏|?u jVڔ6f t?3nmZ6f%QAjJf9Rq _j7Z-y.pG$Xb]0')[_k;$̭?&"0FOew7 z-cIX岛;$u=\an$ zmrILu uٞ% _1xcUW%dtÀx885Y^gn;}ӭ)場QEQ@Q@Q@Q@Q@Q@!4xPm3w*]b`F_931˜[ן+(> E ly;<;MF-qst+}DH @YKlLmؤciN<|]IU)Lw(8t9FS(=>og<\Z~u_+X1ylsj'eՃ*U3`C!N9Q_WܱhKc93^ua>H ƕGk=8~e#_?{ǀe-[2ٔ7;=&K挑5zsLdx(e8#{1wS+ΝVkXq9>&yஏh$zq^0~/j@:/«Vnce$$uoPp}MC{$-akH@ɫ1O !8R9s5ԦYmϧ'OUṡ5T,!Ԛ+s#1Veo=[)g>#< s)ƽُA^䠮ωFUj(ǩ|N3Jڷ睁ϱuږZYGOTsI<&drav?A^_f׻B$,O__ԿC`it{6>G׈C~&$y؎v1q9Sc1fH[ѽ>,gG'0'@Vw,BO [#>ﱺg5ΒFVD%Yr:O5 Tu+O멃]ی38Ze}R&ѝ_xzc1DXgس;<,_,{ƽY'AS#oF.M#~cBuEx7G+Y)(5q+GCV;qF+CLQ)qEC&6z𿊘z}?&w=+)??&\g{;V??׻xGœdٿ׼-Nc')3K]N)iLTӿCdb7Q^a N sd>Fz[0S^s'Zi 77D}kWus ab~~H(>.fif9,~|Jk;YN3H8Y(t6Q݉k͇_÷Z+2߄&[ +Tr^藺97~c܎=[f1RrBǓ^kEMhxYVm<[џ6| kqbѱ| YA{G8p?\UM7Z66 g1U1igU69 u5Pƪ:VVZC=[@ҹ¨$kSmɳО\vFz~i3^a Osŧυ9Q}_3 όO{/wgoet39 vO2ea;Ύ7$U#?k+Ek&dpzbӱ+TaB0gN{[N7Gי}U7&@?>Fz~E!a@s ?'67XxO*!?qi]֏TQN@tI+\^s8l0)2k!!iW8F$(yOּT.k,/#1:}8uT˾+5=O/`IW G֯b.-<= HOm;~so~hW5+kS8s.zwE| ?4ӿw/K N 9?j(#0UT` Wzw}:_*9m>󑓀F?ELzv=8q:=WgJ`nDr Zе<ֹ](Q@Q@Q@Q@Q@Q@Q@Q@ 'IdC0EYJVcMty_~u+Sw-aO n<[YJgL#6i g5ЖDZ14cʝ!!\/M}/_AYR__>oC? _?7_G#RERW쏞KB}JxGSkǕA pƱơP m]hwB7U$Zq M95"3q1ioATߚ{g.t uu2k=;h#YB= fgS :TdLԃ!44mFK{Hrd^7oz|BVr<{)6AXգV»|>*/hS܏z͆OM=Εq (s|s׊LKQI :9NJ)P+!ʣoAF>+=@I}"x/}۠1aנc¹4emC:>p_xWKX` >R3_S½èųp3޺u3N e یbmͺ<_ mnݮ1Op?Gm)Qb%N585'%Ahs\6yw!"&Ɨ._wk)}GP;Z!#\"< *oƾ\)}N>"լ/~]Lg}pBG X?<zZ#x69S=6) jzx=y9O&>+e!!? ?s~k5Gʏ)?*ce7Ox~k5􇔾Q/e7/Ԑ#3OgNC0] ;_FiRl>Q.g>!%k#ú:Kn'&}?U@\pџPtp)v<{_i}Oվֲ3XIYIx~b<D?(=_JXH=bbi=Oh?_ C_O)}oW쏜? %Ƶ;-RYFi`wۭ{ϖZMtQ$"c_+ԃx1*0b;ԕ݋ESQEQEQEQEQEQEQEQEQEQZ(1F)h1K@XLRE&9P (bf{RӨ&)PEPEPbԴPGKZ(iإbn(:A%S0(-&)P+ ڎԴP11F)h&:LRmQ@Q@Š(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((PKje88PK)AOEBPS/dcommon/help.gif!GIF89a1εֵ֜֜{kZsBc{,@ )sƠTQ$8(4ʔ%ŌCK$A HP`$h8ŒSd+ɡ\ H@%' 6M HO3SJM /:Zi[7 \( R9r ERI%  N=aq   qƦs *q-n/Sqj D XZ;PKއ{&!PK)AOEBPS/apis_macsec_roles.htm! Using the DVSYS.DBMS_MACSEC_ROLES Package

13 Using the DVSYS.DBMS_MACSEC_ROLES Package

This chapter contains:

About the DVSYS.DBMS_MACSEC_ROLES Package

You can modify your applications to use the procedures within the DVSYS.DBMS_MACSEC_ROLES package to check the authorization for a user or to set an Oracle Database Vault secure application role. The DVSYS.DBMS_MACSEC_ROLES package is available to all users.

Chapter 8, "Configuring Secure Application Roles for Oracle Database Vault," describes secure application roles in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the secure application role procedures.

Table 13-1 lists the DVSYS.DBMS_MACSEC_ROLES package function and procedure.

Table 13-1 DVSYS.DBMS_MACSEC_ROLES Oracle Label Security Configuration Procedures

Function or ProcedureDescription

CAN_SET_ROLE Function

Checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. Returns a BOOLEAN value.

SET_ROLE Procedure

Issues the SET ROLE statement for an Oracle Database Vault secure application role.


CAN_SET_ROLE Function

The CAN_SET_ROLE function checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role.

Syntax

DVSYS.DBMS_MACSEC_ROLES.CAN_SET_ROLE(
  p_role IN VARCHAR2)
RETURN BOOLEAN;

Parameters

Table 13-2 CAN_SET_ROLE Parameter

ParameterDescription

p_role

Role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".


Example

SET SERVEROUTPUT ON
BEGIN
 IF DVSYS.DBMS_MACSEC_ROLES.CAN_SET_ROLE('SECTOR2_APP_MGR')
  THEN DBMS_OUTPUT.PUT_LINE('''SECTOR2_APP_MGR'' can be enabled.');
 END IF;
END;
/

SET_ROLE Procedure

The SET_ROLE procedure issues the SET ROLE PL/SQL statement for specified roles, including both Oracle Database Vault secure application roles and regular Oracle Database roles. This procedure sets an Oracle Database Vault secure application role only if the rule set that is associated with the role evaluates to true.

Syntax

DVSYS.DBMS_MACSEC_ROLES.SET_ROLE(
  p_role IN VARCHAR2);

Parameters

Table 13-3 SET_ROLE Parameter

ParameterDescription

p_role

Role names. You can enter multiple roles, including secure application roles and regular roles.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

To find all of the existing roles in the database, query the DBA_ROLES data dictionary view, described in Oracle Database Reference.


Example

EXEC DVSYS.DBMS_MACSEC_ROLES.SET_ROLE('SECTOR2_APP_MGR, APPS_MGR');

You can enter the name of the role in any case (for example, Sector2_APP_MGR).

PK7 !!PK)AOEBPS/cfgfact.htm Configuring Factors

7 Configuring Factors

This chapter contains:

What Are Factors?

A factor is a named variable or attribute, such as a user location, database IP address, or session user, that Oracle Database Vault can recognize. You can use factors for activities such as authorizing database accounts to connect to the database or creating filtering logic to restrict the visibility and manageability of data.

Oracle Database Vault provides a selection of factors that lets you set controls on such components as the domain for your site, IP addresses, databases, and so on. "Default Factors" describes the default factors in detail. You also can create custom factors, using your own PL/SQL retrieval methods.

You can use factors in combination with rules in rule sets. The DVF factor functions described in "Oracle Database Vault PL/SQL Factor Functions" are factor-specific functions that you can use in rule expressions.

Factors have values (identities) and are further categorized by their factor types. "Factor Identification" explains more about factor identities. See "Factor Type" under "General" for information about factor types.

You also can integrate factors with Oracle Label Security labels. "Integrating Oracle Database Vault with Oracle Label Security" explains how. See "Tutorial: Integrating Oracle Database Vault with Oracle Label Security" for more information.

You can run reports on the factors that you create in Oracle Database Vault. See "Related Reports and Data Dictionary Views" for more information.

This chapter explains how to configure factors by using Oracle Database Vault Administrator. To configure factors by using the PL/SQL packages and interfaces provided by Oracle Database Vault, refer to the following chapters:

Default Factors

Oracle Database Vault provides a set of default factors. For each of these factors, there is an associated function that retrieves the value of the factor. See "Oracle Database Vault PL/SQL Factor Functions" for a listing of these functions.

You can create custom factors by using your own PL/SQL retrieval methods. A useful PL/SQL function you can use (which is used for many of the default factors) is the SYS_CONTEXT SQL function, which retrieves data about the user session. After you create the custom factor, you can query its values similar to the functions used to query the default factors. "Tutorial: Preventing Ad Hoc Tool Access to the Database" shows an example of how to create and query a custom factor.

See Oracle Database SQL Language Reference for more information about the SYS_CONTEXT function.

You can use the default factors in your own security configurations. If you do not need them, you can remove them. (That is, they are not needed for internal use by Oracle Database Vault.)

The default factors are as follows:

  • Authentication_Method: Is the method of authentication. In the list that follows, the type of user is followed by the method returned:

    • Password-authenticated enterprise user, local database user, or SYSDBA/SYSOPER using Password File; proxy with user name using password: PASSWORD

    • Kerberos-authenticated enterprise or external user: KERBEROS

    • SSL-authenticated enterprise or external user: SSL

    • Radius-authenticated external user: RADIUS

    • Operating system-authenticated external user or SYSDBA/SYSOPER: OS

    • DCE-authenticated external user: DCE

    • Proxy with certificate, distinguished name (DN), or user name without using password: NONE

    You can use IDENTIFICATION_TYPE to distinguish between external and enterprise users when the authentication method is Password, Kerberos, or SSL.

  • Client_IP: Is the IP address of the machine from which the client is connected.

  • Database_Domain: Is the domain of the database as specified in the DB_DOMAIN initialization parameter.

  • Database_Hostname: Is the host name of the computer on which the instance is running.

  • Database_Instance: Is the instance identification number of the current instance.

  • Database_IP: Is the IP address of the computer on which the instance is running.

  • Database_Name: Is the name of the database as specified in the DB_NAME initialization parameter.

  • Domain: Is a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level. You can identify a domain using factors such as host name, IP address, and database instance names of the Database Vault nodes in a secure access path to the database. Each domain can be uniquely determined using a combination of the factor identifiers that identify the domain. You can use these identifying factors and possibly additional factors to define the Maximum Security Label within the domain. This restricts data access and commands, depending on the physical factors about the Database Vault session. Example domains of interest may be Corporate Sensitive, Internal Public, Partners, and Customers.

  • Enterprise_Identity: Is the enterprise-wide identity for the user:

    • For enterprise users: the Oracle Internet Directory-distinquished name (DN).

    • For external users: the external identity (Kerberos principal name, Radius and DCE schema names, operating system user name, certificate DN).

    • For local users and SYSDBA and SYSOPER logins: NULL.

    The value of the attribute differs by proxy method:

    • For a proxy with DN: the Oracle Internet Directory DN of the client.

    • For a proxy with certificate: the certificate DN of the client for external users; the Oracle Internet Directory DN for global users.

    • For a proxy with user names: the Oracle Internet Directory DN if the client is an enterprise user; NULL if the client is a local database user.

  • Identification_Type: Is the way the user schema was created in the database. Specifically, it reflects the IDENTIFIED clause in the CREATE/ALTER USER syntax. In the list that follows, the syntax used during schema creation is followed by the identification type returned:

    • IDENTIFIED BY password: LOCAL

    • IDENTIFIED EXTERNALLY: EXTERNAL

    • IDENTIFIED GLOBALLY: GLOBAL SHARED

    • IDENTIFIED GLOBALLY AS DN: GLOBAL PRIVATE

  • Lang: Is the ISO abbreviation for the language name, a shorter form than the existing LANGUAGE parameter.

  • Language: Is the language and territory your session currently uses, along with the database character set, in the following form:

    language_territory.characterset

    For example:

    AMERICAN_AMERICA.WE8MSWIN1252

    Refer to Oracle Database Globalization Support Guide for more information about languages, territories, and character sets.

  • Machine: Is the host name for the database client that established the current session. If you must find out whether the computer was used for a client or server session, then you can compare this setting with the Database_Hostname factor to make the determination.

  • Network_Protocol: Is the network protocol being used for communication, as specified in the PROTOCOL=protocol portion of the connect string.

  • Proxy_Enterprise_Identity: Is the Oracle Internet Directory DN when the proxy user is an enterprise user.

  • Proxy_User: Is the name of the database user who opened the current session on behalf of SESSION_USER.

  • Session_User: Is the database user name by which the current user is authenticated. This value remains the same throughout the session.

Creating a Factor

In general, to create a factor, you first create the factor itself, and then you edit the factor to include its identity. "Guidelines for Designing Factors" provides advice on designing factors.

To create a factor:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, under Database Vault Feature Administration, click Factors.

  3. In the Factors page, click Create.

  4. In the Create Factor page, enter the following settings, and then click OK:

General

In the General area, enter the following information:

  • Name: Enter a name up to 28 characters in mixed-case, without spaces. Oracle Database Vault creates a valid Oracle identifier for the factor function to be created in the DVF schema based on the name of the factor chosen. For example, if you create a factor named GetNetworkIP, Oracle Database Vault creates the DVF.F$GETNETWORKIP function. This attribute is mandatory.

    Oracle suggests that you start the name with a noun and complete the name with a brief description of the derived value.

    "Oracle Database Vault PL/SQL Factor Functions" describes the DVF factor functions.

  • Description: Enter a text description of the factor. It can have up to 1024 characters in mixed-case. This attribute is optional.

  • Factor Type: From the list, select the type or category of the factor. This attribute is mandatory.

    Factor types have a name and description and are used only to help classify factors. A factor type is the category name used to classify the factor. The default physical factor types include authentication method, host name, host IP address, instance identifiers, database account information, and others. You can create user-defined factor types, such as application name, certificate information, and so on in addition to the installed factor types, such as time and authentication method.

    You can find the factors that are associated with a particular factor type by querying the DBA_DV_FACTOR data dictionary view. For example:

    SELECT NAME 
FROM DVSYS.DBA_DV_FACTOR 
WHERE FACTOR_TYPE_NAME='Authentication Method';

    The output is:

    NAME
------------------------------
Network_Protocol
Authentication_Method
Identification_Type

    Note:

    To create user-defined factor types by using the Oracle Database Vault DVSYS.DBMS_MACADM package, use the CREATE_FACTOR_TYPE procedure, described in "CREATE_FACTOR_TYPE Procedure".

Factor Identification

Under Factor Identification, select how to resolve the identity of a factor. This attribute is mandatory. The values are as follows:

  • By Method: Default. Sets the factor identity by executing the PL/SQL expression specified in the Retrieval Method field.

    For example, suppose the expression retrieves the system date:

    to_char(sysdate,'yyyy-mm-dd')

    On December 6, 2009, the By Method option would return the following value:

    2009-12-06

  • By Constant: Resolves the factor identity by retrieving the constant value found in the Retrieval Method field.

  • By Factors: Determines the factor identity by mapping the identities of the child factor to its parent factor. A parent factor is a factor whose values are resolved based on a second factor, called a child factor. To establish their relationship, you map their identities. (You do not need to specify a Retrieval Method expression for this option.)

    See "Using Identity Mapping to Configure an Identity to Use Other Factors" for more information about mapping identities.

A factor identity is the actual value of a factor (for example, the IP address for a factor that uses the IP_Address type). A factor can have several identities depending on its retrieval method or its identity mapping logic. For example, a factor such as Database_Hostname could have multiple identities in an Oracle Real Application Clusters environment; a factor such as Client_IP can have multiple identities in any RDBMS environment. The retrieval method for these types of factors may return different values because the retrieval method is based on the database session.

Several reports allow you to track the factor identity configuration. See "Related Reports and Data Dictionary Views" for more information.

You can configure the assignment of a factor in the following ways:

  • Assign the factor at the time a database session is established.

  • Configure individual requests to retrieve the identity of the factor.

With the Oracle Label Security integration, you can label identities with an Oracle Label Security label. You can also assign an identity trust levels, which are numbers that indicate the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. Negative trust levels are not trusted.


See Also:

"Adding an Identity to a Factor" for more information about factor identities

Within a database session, a factor assigned identity is available to Oracle Database Vault and any application with a publicly accessible PL/SQL function that exists in the DVF schema (which contains functions that retrieve factor values) as follows:

dvf.f$factor_name

This allows the identifier for a factor to be accessed globally from within the Oracle database (using PL/SQL, SQL, Oracle Virtual Private Database, triggers, and so on). For example, in SQL*Plus:

CONNECT lbrown_dvowner
Enter password: password    

SELECT DVF.F$DATABASE_IP FROM DUAL;

Output similar to the following appears:

SELECT DVF.F$DATABASE_IP FROM DUAL;

F$DATABASE_IP
-------------------------------------------------------------
192.0.2.1

You can also use the DVSYS.GET_FACTOR function to find the identity of a factor that is made available for public access. For example:

SELECT GET_FACTOR('DATABASE_IP') FROM DUAL;

The following output appears:

GET_FACTOR('DATABASE_IP')
-------------------------------------------------------------
192.0.2.1

Evaluation

Under Evaluation, select how you want the factor to be evaluated and assigned an identity. See "How Factors Affect Performance" for the performance effect of session factors. This attribute is mandatory.

The values are as follows:

  • By Session: Default. Evaluates the factor when a database session is created.

  • By Access: Evaluates the factor each time it is accessed (for example, referenced by an application) and when the database session is first created.

Factor Labeling

Under Factor Labeling, select how you want the factor identity to retrieve an Oracle Label Security (OLS) label. This setting applies if you plan to use the Oracle Label Security integration. This attribute is mandatory if you want to use an OLS label. (See also "Integrating Oracle Database Vault with Oracle Label Security" for information on integrating OLS labels with a factors.

The values are as follows:

  • By Self: Default. Labels the identities for the factor directly from the labels associated with an Oracle Label Security policy.

  • By Factors: If there are multiple child factor labels, then Oracle Database Vault merges the labels by using the Oracle Label Security algorithm that is associated with the applicable Oracle Label Security policy. For each applicable Oracle Label Security policy, a factor identity can have an assigned label.

Retrieval Method

Under Retrieval Method, enter a PL/SQL expression that retrieves the identity of a factor or a constant. It can use up to 255 characters in mixed-case. The Retrieval Method identifies factors where the factor identification is by method or constant. If the factor identification is by factors, Oracle Database Vault identifies it by its identity mappings.

You can create your own PL/SQL retrieval methods, or use the functions supplied with Oracle Database Vault. See the following sections for factor-specific and general utility functions that you can use to build the retrieval method:

The following retrieval method sets a value of the DB_NAME factor by retrieving the database name (DB_NAME) from the USERENV namespace in a user's session.

UPPER(SYS_CONTEXT('USERENV','DB_NAME'))

See also the default factors provided with Oracle Database Vault for examples of retrieval methods. "Default Factors" describes these factors.

The Retrieval Method field is mandatory if you have selected the following settings under Factor Identification:

  • By Method: Enter a method in the Retrieval Method field.

  • By Constant: Enter a constant in the Retrieval Method field.

The value returned as the factor identity must be a VARCHAR2 string or otherwise convertible to one.

You can include any package function or standalone function in the expression. Ensure that the expression is a fully qualified function, such as schema.function_name. Do not include complete SQL statements. If you are using application packages or functions, you must provide DVSYS with the GRANT EXECUTE privilege on the object.

Write the function signature using the following format:

FUNCTION GET_FACTOR RETURN VARCHAR2

Validation Method

Under Validation Method, enter a PL/SQL expression that returns a Boolean value (TRUE or FALSE) to validate the identity of a factor being retrieved (with the DVSYS.GET_FACTOR function) or the value to be assigned to a factor (with the DVSYS.SET_FACTOR function). If the method is evaluated to false for the value being retrieved or to be assigned, then the factor identity is set to null. This optional feature provides an additional level of assurance that the factor is properly retrieved and set. This field can have up to 255 characters in mixed-case.

You can include any package function or standalone function in the expression. Ensure that the expression is a fully qualified function, such as schema.function_name. Do not include complete SQL statements. If you are using application packages or functions, you must provide DVSYS with the GRANT EXECUTE privilege on the object.

Write the function using one of the following formats:

  • FUNCTION IS_VALID RETURN BOOLEAN

    In this form, you can use the DVF.F$factor_name function inside the function logic. This is more appropriate for factors that are evaluated by session.

  • FUNCTION IS_VALID(p_factor_value VARCHAR2) RETURN BOOLEAN

    In this form, the factor value is passed to the validation function directly. This is more appropriate for factors that are evaluated by access. It is also valid for factors evaluated by session.

See the following sections for factor-specific and general utility functions that you can use to build the validation method:

Assignment Rule Set

Under Assignment Rule Set, select a rule set from the list if you want to use a rule set to control when and how a factor identity is set. For example, you can use a rule set to determine when a database session originates from a known application server or program. Chapter 5, "Configuring Rule Sets," explains how to create rule sets.

This attribute is particularly useful for situations where database applications, such as a Web application using a JDBC connection pool, must dynamically set a factor identity for the current database session. For example, a Web application may want to assign the geographic location for a database account logging in to the Web application. To do so, the Web application can use the JDBC Callable Statement, or Oracle Data Provider for .NET (ODP.NET) to execute the PL/SQL function DVSYS.SET_FACTOR, for example:

BEGIN 
 DVSYS.SET_FACTOR('GEO_STATE','VIRGINIA');
END;

Then you can create an assignment rule for the GEO_STATE factor to allow or disallow the setting of the GEO_STATE factor based on other factors or rule expressions. See "How Factors Are Set" for more information.

Audit Options

Under Audit Options, select from the settings to generate an audit trail. Oracle Database Vault writes the audit trail to the DVSYS.AUDIT_TRAIL$ system file, described in Appendix A, "Auditing Oracle Database Vault."

You can use the Factor Audit Report to display the generated audit records. (See "Related Reports and Data Dictionary Views" for more information.) In addition, you can select multiple audit options at a time. Each option is converted to a bit mask and added to determine the aggregate behavior. Note that there is little performance impact in auditing, unless the factor has errors. This attribute is mandatory. The values are as follows:

  • Never: Does not audit.

  • Always: Always creates an audit record when a factor is evaluated. You can select from the conditions, described next.

  • Sometimes: Creates an audit record based on one or more conditions. When you select Sometimes, by default the Retrieval Error and Retrieval NULL options are selected.

    You can select from the following conditions listed next.

Conditions that you can select for the Always and Sometimes options are as follows:

  • Retrieval Error: Creates an audit record when the identity of a factor cannot be resolved and assigned, due to an error (such as No data found or Too many rows).

  • Retrieval NULL: Creates an audit record when the identity of a factor is resolved to NULL.

  • Validation Error: Creates an audit record when the validation method (if provided) returns an error.

  • Validation False: Creates an audit record when the validation method (if provided) returns FALSE.

  • Trust Level NULL: Creates an audit record when the resolved identity of a factor has an assigned trust level of NULL.

    See "Creating and Configuring a Factor Identity" for more information about trust levels.

  • Trust Level Less Than Zero: Creates an audit record when the resolved identity of a factor has an assigned trust level less than zero.

Error Options

Under Error Options, select from the following to specify the processing that occurs when a factory identity cannot be resolved. This attribute is mandatory.

The values are as follows:

  • Show Error Message: Default. Displays an error message to the database session.

  • Do Not Show Error Message: Does not display the error message.

    An advantage of selecting Do Not Show Error Message and then enabling auditing is that you can track the activities of a potential intruder. The audit report reveals the activities of the intruder, yet the intruder is unaware that you are doing this because he or she does not see any error messages.

After you have created a new factor, you are ready to configure its identity. To do so, edit the factor and then add its identity.

Editing a Factor

To edit a factor:

  1. In the Oracle Database Vault Administration page, select Factors.

  2. In the Factors page, select the factor that you want to edit.

  3. Click Edit.

  4. Modify the factor as necessary, and then click OK.


See Also:


Adding an Identity to a Factor

After you create a new factor, you optionally can add an identity to it. An identity is the actual value of the factor. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.4.

This section contains:

About Factor Identities

A factor identity for a given database session is assigned at run time using the Factor Identification and Retrieval Method fields described in "Creating a Factor". You can further configure the identity for the following reasons:

  • To define the known identities for a factor

  • To add a trust level to a factor identity

  • To add an Oracle Label Security label to a factor identity

  • To resolve a factor identity through its child factors, by using Identity Mapping


See Also:


Creating and Configuring a Factor Identity

To create and configure an identity:

  1. In the Oracle Database Vault Administration page, select Factors.

  2. In the Factors page, select the factor to which you want to add the identity.

  3. Click Edit.

  4. In the Edit Factor page, scroll down to Identities and click Create.

  5. In the Create Identity page, enter the following settings and then click OK:

General

Enter the following values:

  • Value: Enter the value of the identity, up to 1024 characters in mixed-case. This attribute is mandatory.

  • Trust Level: Select one of the following trust levels:

    • Very Trusted: Assigns a trust level value of 10

    • Trusted: Assigns a trust level value of 5

    • Somewhat Trusted: Assigns a trust level value of 1

    • Untrusted: Assigns a trust level value of -1

    • Trust Level Not Defined: Assigns a trust level value of NULL (default)

Trust levels enable you to assign a numeric value to indicate the measure of trust allowed. A trust value of 1 signifies some trust. A higher value indicates a higher level of trust. A negative value or zero indicates distrust. When the factor identity returned from a factor retrieval method is not defined in the identity, Oracle Database Vault automatically assigns the identity a negative trust level.

To determine the trust level of a factor identity at run time, you can use the GET_TRUST_LEVEL and GET_TRUST_LEVEL_FOR_IDENTITY functions in the DVSYS schema.

For example, suppose you have created a factor named Network. You can create the following identities for the Network factor:

  • Intranet, with a trust level of 10

  • VPN (virtual private network), with a trust level of 5

  • Public, with a trust level of 1

You then can create rule expressions (or custom application code) that base policy decisions on the trust level. For example, you can use DVSYS.GET_TRUST_LEVEL to find trust levels greater than 5:

DVSYS.GET_TRUST_LEVEL('Network') > 5

Or, you can use a SELECT statement on the DVSYS.DBA_DV_IDENTITY data dictionary view to find trust levels for the Network factor greater than or equal to 5:

SELECT VALUE, TRUST_LEVEL FROM DVSYS.DBA_DV_IDENTITY 
   WHERE TRUST_LEVEL >= 5 
   AND FACTOR_NAME='Network'

Output similar to the following appears:

F$NETWORK GET_TRUST_LEVEL('NETWORK')
------------------------------------
VPN                                5
INTRANET                          10

In the preceding example, Network factor identity for VPN is trusted (value equals 5), and the identity for the INTRANET domain is 10, which implies a greater trust.

See Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," for more information about the Oracle Database Vault functions.

Label Identity

You can assign Oracle Label Security (OLS) labels to factor identities. (In brief, a label acts as an identifier for a database table row to assign privileges to the row. For more information about labels, see Oracle Label Security Administrator's Guide.) The Factor Labeling attribute for a factor determines whether a factor is labeled By Self or By Factors. If you set the Factor Labeling attribute to By Self, then you can associate OLS labels with the factor identities. If you set the Factor Labeling attribute to By Factors, then Oracle Database Vault derives the factor identity labels from the labeling of child factor identities. When there are multiple child factor identities with labels, Oracle Database Vault merges the labels using the OLS algorithm associated with the applicable factor Oracle Label Security policy.

To label an identity:

  1. In the Create Identity page, under Label Identity, select the OLS label from the Available OLS Labels list.

    The list shows data labels from the Oracle Label Security installation for your site. For more information, refer to Oracle Label Security Administrator's Guide.


    Note:

    You can select multiple labels by holding down the Ctrl key as you click each label that is to be selected.

  2. Click Move to move the OLS label to the Selected OLS Labels list.

  3. Repeat Step 1 and Step 2 to select more OLS labels.

    You can select only one label for each OLS policy.

  4. Click OK to finish labeling the identity.

Editing a Factor Identity

To edit a factor identity:

  1. In the Edit Factor page, scroll down to Identities and select the identity you want to edit.

  2. Click Edit.

  3. In the Edit Identity page, modify the identity as necessary.

  4. Click OK.

Deleting a Factor Identity

Before you delete a factor identity, you can locate the various references to it by querying the factor-related Oracle Database Vault views. See "Oracle Database Vault Data Dictionary Views" for more information.

To delete a factor identity:

  1. In the Edit Factor page, scroll down to Identities and select the identity you want to remove.

  2. Click Remove.

  3. In the Confirmation page, click Yes.

Using Identity Mapping to Configure an Identity to Use Other Factors

After you create, edit, and save the factor identity, you can map it. Identity mapping is the process of identifying a factor by using other (child) factors. This is a way to transform combinations of factors into logical identities for a factor or to transform continuous identity values (for example, temperature) or large discrete identity values (for example, IP address ranges) into logical sets. To check configuration issues in the mapping for an identity, see "Identity Configuration Issues Report". See also "Tutorial: Restricting User Activities Based on Session Data" for an example of how to use identity mapping.

To map an identity to a factor:

  1. Create a parent factor and set the attribute Factor Identification to By Factors.

    "Creating a Factor" describes how to create factors.

  2. For the parent factor, create a new factor identity.

    "Creating and Configuring a Factor Identity" describes how to create an identity.

  3. Map the factor-identity pair of the parent to the factor-identity pairs of its children. Use the following process:

    1. In the Factors page, select the parent factor from the Factors page and then click Edit.

    2. In the Edit Factor page, under Identities, select the parent factor identity and then click Edit.

    3. In the Edit Identity page, click Create under Map Identity.

    4. In the Create Identity Map page, select a factor name from the Contributing Factor list.

      This is the child factor to which you want to map the parent factor.

    5. Select a Map Condition.

      This setting lets you select an operator to compare the contributing (child) factor values.

    6. Enter a value for the Low Value and High Value (optional) fields.

      For example, consider a scenario where the Contributing Factor to the Factor Network is set to Client_IP, the Map Condition is set to Between, the Low Value is set to 192.0.2.1 and the High Value is set to 192.0.2.24. This means that whenever the client IP address lies in the specified address range of 192.0.2.1 to 192.0.2.24, the parent factor evaluates to a predefined identity (for example, INTRANET).

    7. Click OK to map the parent factor-identity to the child factor-identity.

      You can map different identities of a parent factor to different identities of the contributing factor. For example, the INTRANET identity maps to an IP address range of 192.0.2.1 to 192.0.2.24. The REMOTE identity can map to an IP address range that excludes the address range 192.0.2.1 to 192.0.2.24.

      Based on identity mapping, you can create a security policy. For example, you can define a reduced set of privileges for an employee connecting over VPN (with REMOTE), as opposed to an employee connecting from within the corporate network (with INTRANET).

    8. Repeat Step c to Step g to add more contributing factors for a parent factor identity.

      For example, you can configure the Network factor to resolve to a value ACCOUNTING-SENSITIVE, when the Program factor resolves to "Oracle General Ledger" and the Client_IP is in between 192.0.2.1 and 192.0.2.24. So, if an authorized accounting financial application program, running on a client with IP address 192.0.2.12 accesses the database, then the Network factor is resolved to ACCOUNTING-SENSITIVE. A database session with the ACCOUNTING-SENSITIVE Network value would have more access privileges than one with the INTRANET Network value.

Deleting a Factor

Before you delete a factor, you can locate the various references to the factor and its identities by querying the factor-related Oracle Database Vault views. See "Oracle Database Vault Data Dictionary Views" for more information.

To delete a factor:

  1. Delete any references to the factor, such as factor identities, and Oracle Label Security policy associations.

    You cannot delete a factor that has references.

  2. In the Oracle Database Vault Administration page, select Factors.

  3. In the Factors page, select the factor that you want to remove.

  4. Click Remove.

  5. In the Confirmation page, click Yes.

How Factors Work

The following topics in this section explain how Oracle Database Vault processes factors:

How Factors Are Processed When a Session Is Established

When a database session is established, the following actions occur:

  1. At the start of each database session, Oracle Database Vault begins to evaluate all default and user-created factors in the database instance.

    This evaluation occurs after the normal database authentication of the session and the initialization of the Oracle Label Security session information, if applicable.

  2. In the factor evaluation stage, the factor initialization process executes the retrieval method for all factors that are identified by methods or constants, to resolve the factor identity for the session.

    The factor error options setting has no effect on the factor initialization process.

  3. If a factor has a validation method defined, Oracle Database Vault validates the identity (value) of the factor by executing this validation method. If the validation method fails or returns false, the identity of the factor is undefined (NULL).

  4. If a factor has any identities defined for it, Oracle Database Vault resolves the trust level of the factor based on the identities defined. If an identity of the factor is defined in this list of defined identities, then Oracle Database Vault assigns the trust level as configured; otherwise it sets it to -1. If there are no identities defined for the factor, the trust level is undefined (NULL).

  5. Depending on the outcome of this factor evaluation, factor validation, and trust level resolution, Database Vault audits the details of the evaluation as dictated by the factor audit configuration.

  6. When the evaluation of all factors that are identified by method or constant completes, Oracle Database Vault resolves the factors that are identified by other factors by using the identity maps that are defined for the factor configured identities.

    The evaluation order of the factor-configured identities is by ASCII sort on the identity values: Oracle Database Vault uses the first alphabetically sorted identity mapping that it evaluates. For example, suppose factor TEST has identities X and Y. Furthermore, identities X and Y have identity maps that are dependent on identities for factors A, B, and C. The following mapping occurs:

    • X is mapped when A=1 and B=1

    • Y is mapped when A=1, B=1, and C=2

    In this case, the first one evaluated is X. Y is not evaluated, but what if its C mapping meets the criteria that is needed for the TEST factor's success? You would need to reverse the mapping, that is, map Y before X so that A, B, and C can be evaluated first. To reverse the mapping, rename Y to V (or some alphabetic value that sorts before X) so that it can be correctly resolved.

    This algorithm works if the ASCII sort ordering is correct and the identities map the same number factors at some level.

  7. When the factor initialization completes, the Oracle Database Vault integration with Oracle Label Security occurs.

After this process completes, Oracle Database Vault checks to see if a command rule is associated with the CONNECT event. If a rule set associated with the CONNECT event, then Oracle Database Vault evaluates the rule set. If the rule set evaluates to false or results in an error, then the session is terminated. Oracle Database Vault executes any auditing or call handlers associated with the rule set before the session is terminated.


Note:

Be careful about associating command rules with the CONNECT event, because you can inadvertently lock out other users from of the database. In general, if you create a command rule for CONNECT, set its evaluation option of the associated rule set to Any True.

If you do inadvertently lock out users, then you should temporarily disable Oracle Database Vault, disable the CONNECT command rule, reenable Oracle Database Vault, and then fix the factor code that is causing the problem. "If the Test Fails" provides an example of how to accomplish this.


How Factors Are Retrieved

You can retrieve a factor in a database session at any time by using the DVF factor function or the DVSYS.GET_FACTOR function. To find a listing of available factors, query the DVS.DBA_DV_FACTOR data dictionary view, described in"DBA_DV_FACTOR View".

Example 7-1 shows an example of using the DVSYS.GET_FACTOR function.

Example 7-1 Using DVSYS.GET_FACTOR to Retrieve a Factor

SELECT GET_FACTOR('client_ip') FROM DUAL;

You can use the factor values retrieved from the DVF factor function or the DVSYS.GET_FACTOR in the following ways:

  • Oracle Database Vault rule expressions

  • Custom application code that is available to all database sessions in an Oracle Database Vault environment

"Oracle Database Vault PL/SQL Factor Functions" describes DVF factor functions in detail.

If you had set the factor evaluation to By Session, then Oracle Database Vault retrieves the value from the session context established, as described under "How Factors Are Processed When a Session Is Established".

If you had set the factor evaluation to By Access, then Oracle Database Vault performs Step 2 through Step 5 (or Step 6), as described under "How Factors Are Processed When a Session Is Established", whenever the factor is retrieved.

If you had defined error options for the factor and if an error occurs, then Oracle Database Vault displays the error message.

How Factors Are Set

You can have a factor identity assigned at any time during a database session, but only if you have defined a factor assignment rule set and that rule set evaluates to true. You can do this in the application code by using the DVSYS.SET_FACTOR function. In Java code, you can use the JDBC class java.sql.CallableStatement to set this value. For example:

java.sql.Connection connection ; 
...
java.sql.CallableStatement statement = 
   connection.prepareCall("{call DVSYS.SET_FACTOR('FACTOR_X', ?)}");
statement.setString(1, "MyValue");
boolean result = statement.execute();
...

Applications that can execute Oracle PL/SQL functions can use this procedure (for example, applications written using Oracle Data Provider for .NET (ODP.NET)).

This concept is similar to the standard Oracle DBMS_SESSION.SET_IDENTIFIER procedure with an added feature that a rule set controls when a factor value can be set. If the rule set evaluates to true, Steps 2 through 5 under "How Factors Are Processed When a Session Is Established" occur.

If you have not associated a assignment rule set for the factor or if the rule set returns false (or returns errors), then Oracle Database Vault sends an error message if you attempt to set the factor using the DVSYS.SET_FACTOR function.

Tutorial: Preventing Ad Hoc Tool Access to the Database

In this section:


See Also:


About This Tutorial

Many database applications contain features to explicitly control the actions of a user. However, an ad hoc query tool, such as SQL*Plus, may not have these controls. As a result, a user could use an ad hoc tool to perform actions in the database that he or she would normally be prevented from performing in a regular database application. You can use a combination of Oracle Database Vault factors, rule sets, and command rules to prevent unauthorized access to the database by ad hoc query tools.

In the following tutorial, you limit the use of SQL*Plus to only four users: the Database Vault Owner, the Database Vault Account Manager, SYSTEM, and SYS. To accomplish this, you must create a factor to find the applications on your system and a rule and rule set to limit SQL*Plus to these four users. Then you create a command rule for the CONNECT SQL statement, which is associated with the rule set. When you successfully complete this tutorial, then only the administrative users you specify should be able to connect to the database using SQL*Plus.

Step 1: Enable the SCOTT User Account

You must use the SCOTT account later on when you test the Oracle Database Vault components for this tutorial, so ensure that this account is active.

  1. Log in to SQL*Plus as a user who has been granted the DV_ACCTMGR role.

    For example:

    sqlplus amalcolm_dvacctmgr
Enter password: password

  2. Check the status of the SCOTT account.

    SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS WHERE USERNAME = 'SCOTT';

  3. If the SCOTT account is expired and locked, then enter the following statement to make it active:

    ALTER USER SCOTT ACCOUNT UNLOCK IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

Step 2: Create the Module Factor

The Module factor uses the SYS_CONTEXT SQL function to find the names of the applications that are used to access the current instance of Oracle Database. As described previously, the SYS_CONTEXT SQL function provides many useful methods for finding the state of a user session. SYS_CONTEXT is a valuable tool for creating custom factors. See Oracle Database SQL Language Reference for more information about the SYS_CONTEXT function.


Note:

This type of factor is highly dependent on the security of the client session to ensure that it cannot be faked. See My Oracle Support (formerly OracleMetaLink) Note 281229.1 for more information. You can access My Oracle Support from the following Web site:

https://support.oracle.com


  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, select Factors.

    The Factors page appears.

  3. Click Create to display the Create Factor page.

  4. Enter the following information:

    • Name: Enter Module.

    • Description: Enter Factor to find applications that can access Oracle Database.

    • Factor Type: From the list, select Application.

    • Factor Identification: Select By Method.

    • Evaluation: Select By Access.

    • Factor Labeling: Select By Self.

    • Retrieval Method: Enter the following retrieval method:

      UPPER(SYS_CONTEXT('USERENV', 'MODULE'))

    • Validation Method: Leave blank.

    • Assignment Rule Set: From the list, select <Non Selected>.

    • Audit Options: Select Never.

    • Error Options: Select Show Error Message.

  5. Click OK.

    Oracle Database Vault creates the factor. You now can query for the factor using the same syntax you would use to query the default factors, described "Oracle Database Vault PL/SQL Factor Functions".

  6. In SQL*Plus, perform a quick test of the Module factor.

    For example:

    sqlplus lbrown_dvowner
Enter password: password

SELECT DVF.F$MODULE FROM DUAL;

    The following output should appear:

    F$MODULE
-----------------------------
SQLPLUS.EXE

    Do not exit SQL*Plus. You must use it later on when you test the factor components.

Step 3: Create the Limit SQL*Plus Access Rule and Rule Set

  1. In Oracle Database Vault Administrator, return to the Administration page.

  2. Under Administration, select Rule Sets.

    The Rule Sets page appears.

  3. Click Create to display the Create Rule Set page.

  4. Enter the following settings:

    • Name: Enter Limit SQL*Plus Access.

    • Description: Enter Rule set to limit access to SQL*Plus.

    • Status: Select Enabled.

    • Evaluation Options: Select All True.

    • Audit Options: Select Audit Disabled.

    • Error Handling Options: Select Show Error Message.

    • Fail Code, Fail Message: Leave blank.

    • Custom Event Handler Option: Select Handler Disabled.

    • Custom Event Handler Logic: Leave blank.

  5. Click OK.

    The Rule Sets page appears.

  6. Select the Limit SQL*Plus rule set and then click Edit.

    The Edit Rule Set page appears.

  7. Under Rules Associated To The Rule Set, click Create.

    The Create Rule page appears.

  8. Enter the following settings:

    • Name: Enter Prevent non-admin access to SQL*Plus.

    • Rule Expression: Enter the following rule expression:

      DVF.F$MODULE != 'SQL*PLUS' AND DVF.F$SESSION_USER IN ('LBROWN_DVOWNER', 'AMALCOLM_DVACCTMGR', 'SYS', 'SYSTEM')

      Replace LBROWN_DVOWNER and AMALCOLM_DVACCTMGR with the user account names that you use for the Database Vault Owner and Database Vault Account Manager accounts. You must enter the user account names in upper case letters, because that is how the database stores user account names.

      This expression tells Oracle Database Vault only to allow these four users to use SQL*Plus. Another way to write the expression is to tell Database Vault to simply exclude certain users from using SQL*Plus. That way, everyone else has access to SQL*Plus. For example, to exclude users JSMITH and TSMITH from using SQL*Plus, you would create this expression:

      DVF.F$MODULE != 'SQL*PLUS' AND DVF.F$SESSION_USER NOT IN ('JSMITH', 'TSMITH')

      However, for this tutorial, use the first expression, in which only the four administrative users are allowed to use SQL*Plus.

  9. Ensure that you have entered this rule expression exactly as shown in Step 8. If you enter it incorrectly, you cannot log in to SQL*Plus.

  10. Click OK.

Step 4: Create the CONNECT Command Rule

The CONNECT command rule controls the CONNECT SQL statement. It also applies to logging into SQL*Plus from the command line or other tools your site may use to access SQL*Plus.

  1. In Oracle Database Vault, return to the Administration page.

  2. Select Command Rules.

    The Command Rules page appears.

  3. Click Create to display the Create Command Rule page.

  4. Enter the following settings:

    • Command: Select CONNECT from the list.

    • Status: Select Enabled.

    • Object Owner, Object Name: Set to % so that the command rule applies to anyone who logs in.

    • Rule Set: Select Limit SQL*Plus Access from the list.

  5. Click OK.

Step 5: Test the Ad Hoc Tool Access Restriction

You have been logged in to SQL*Plus all along, but note that you do not need to restart your SQL*Plus session in order for the Oracle Database Vault changes to take effect. They take effect right away.

  1. In SQL*Plus, try to connect as user SCOTT:

    CONNECT SCOTT
Enter password: password

    The following output should appear:

    ERROR:
ORA-47400: Command Rule violation for CONNECT on LOGON

Warning: You are no longer connected to ORACLE.

    User SCOTT should be prevented from using SQL*Plus.

  2. Now try to connect as user SYSTEM:

    CONNECT SYSTEM
Enter password: password
Connected.

    User SYSTEM should be able to log in to SQL*Plus. So should SYS, the Database Vault Owner account, and the Database Vault Account Manager account.

If the Test Fails

If you cannot log in to SQL*Plus as SYSTEM (or as any of the other administrative users listed in your rule expression), then you are prevented from using both SQL*Plus and Oracle Database Vault Administrator. But do not fear, you can remedy the problem as follows:

  1. Temporarily disable Oracle Database Vault.

    See Appendix B, "Disabling and Enabling Oracle Database Vault," for instructions on disabling Oracle Database Vault. After you disable Oracle Database Vault, you can log in to SQL*Plus.

  2. Log in to SQL*Plus as a user who has been granted the DV_OWNER or DV_ADMIN role.

    For example:

    CONNECT lbrown_dvowner
Enter password: password

  3. Enter the following statement to drop the CONNECT command rule.

    EXEC DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE ('CONNECT', '%', '%');

    Even though you have disabled Oracle Database Vault, you still can use its PL/SQL Packages and Database Vault Administrator.

  4. Exit SQL*Plus.

  5. Reenable Oracle Database Vault.

    See Appendix B, "Disabling and Enabling Oracle Database Vault," for instructions on enabling Oracle Database Vault.

  6. In Oracle Database Vault Administrator, check the rule expression for any errors and then correct them. Recreate the CONNECT command rule, and then test it.

Step 6: Remove the Components for This Tutorial

  1. In Database Vault Administrator, return to the Administrator page.

  2. Select Command Rules.

  3. In the Command Rules page, select the CONNECT command rule, and then click Remove. Select Yes in the Confirmation page.

  4. In the Administrator page, select Rule Sets.

  5. In the Rule Sets page, select the Limit SQL*Plus Access rule set and click Remove. Select Yes in the Confirmation page.

  6. In the Administration page, select Factors.

  7. In the Factors page, select the Module factor, and then click Remove. Select Yes in the Confirmation page.

  8. As the Database Vault Owner, log in to SQL*Plus and then remove the Prevent Non-admin access to SQL*Plus rule.

    For example:

    CONNECT lbrown_dvowner
Enter password: password

EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Prevent non-admin access to SQL*Plus');

  9. If necessary, connect as the Oracle Database Vault Account Manager and then lock and expire the SCOTT account.

    For example:

    CONNECT amalcolm_dvacctmgr
Enter password: password

ALTER USER SCOTT ACCOUNT LOCK PASSWORD EXPIRE;

Tutorial: Restricting User Activities Based on Session Data

This section contains:

About This Tutorial

You can use factor identity mapping to set session-based user restrictions for database activities. For example, suppose you wanted to restrict administrative access to a database using the following criteria:

  • Ensure that the administrator is accessing the database from the correct IP address.

  • Limit the database access to the standard business hours of the administrator.

This type of configuration is useful for restricting different types of administrators: not only local, internal administrators, but offshore and contract administrators as well.

In this tutorial, you modify the Domain factor to include identities for a secure and non-secure network access, which are based on the IP address of the computer the administrator is using. If the administrator tries to perform an action outside the standard working hours or from a different IP address, then Oracle Database Vault prevents him from doing so.

Step 1: Create an Administrative User

  1. In SQL*Plus, log in as a user who has been granted the DV_ACCTMGR role, and then create the user account mwaldron.

    For example:

    sqlplus amalcolm_dvacctmgr
Enter password: password

CREATE USER mwaldron IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

  2. Connect as SYS using the SYSDBA privilege, and then grant user mwaldron DBA privileges.

    CONNECT SYS AS SYSDBA
Enter password: password

GRANT CREATE SESSION, DBA TO mwaldron;

Step 2: Add Identities to the Domain Factor

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, select Factors.

    The Factors page appears.

  3. Select the Domain factor and then select Edit.

    The Domain factor is the parent factor.

  4. Under Identities, select Create.

  5. In the Create Identity page, enter the following information:

    • Value: Enter HIGHLY SECURE INTERNAL NETWORK

    • Trust Level: Select Very Trusted

  6. Click OK.

  7. In the Edit Factor:Domain page, create a second identity called NOT SECURE, and then set its trust level to Untrusted.

Step 3: Map the Domain Factor Identities to the Client_IP Factor

  1. In Oracle Database Vault Administrator, in the Edit Factor: Domain page, select the HIGHLY SECURE INTERNAL NETWORK identity and then select Edit.

  2. Under Map Identity, select Create.

  3. In the Create Identity Map page, enter the following information:

    • Contributing Factor: Select Client_IP to be the child factor.

    • Map Condition: Select Equal, and then in the Low Value box, enter the IP address for the Virtual Machine (for example, 192.0.2.12). (This is the computer that user maldron uses. For this tutorial, you can enter the IP address of your own computer. If you are using Microsoft Windows, use the IP address assigned to the Loopback Adapter.)

  4. Click OK, and then click OK again to return to the Edit Factor: Domain page.

  5. Create the following two identity maps for the NOT SECURE identity:


    		Child Factor NameOperation ValueOperand 1Operand 2

    		Client_IPLess192.0.2.5(Leave blank)

    		Client_IPGreater192.0.2.20(Leave blank)

    The identity maps in the NOT SECURE identity are in a range of IP addresses outside the IP address that user mwaldron uses (192.0.2.12). The IP addresses here must be in any range outside mwaldron's IP address.

    This identity mapping creates the following condition: If the user logs in from the correct IP address, then Oracle Database Vault decides that the connection is secure, through the HIGHLY SECURE INTERNAL NETWORK identity. However, if the user logs in from an IP address that is less than 192.0.2.5 or greater than 192.0.2.20, then the connection is deemed not secure, through the NO SECURE identity.

  6. Click OK to return to the Edit Factor: Domain page, then click OK again to return to the Factors page.

  7. Test the factor identities.

    First, in SQL*Plus, connect as user mwaldron but do not specify a database instance.

    CONNECT mwaldron
Enter password: password

SELECT DVF.F$CLIENT_IP FROM DUAL;

    The following output should appear:

    F$CLIENT_IP
-------------------------------------

    Next:

    SELECT DVF.F$DOMAIN FROM DUAL;

    The following output should appear:

    F$DOMAIN
-------------------------------------
NOT SECURE

    Because user mwaldron is not connecting directly to the database instance, Oracle Database Vault does not recognize the IP address from which he is connecting. In this case, Oracle Database uses the IPC protocol to perform the connection, which sets the IP value to null. Therefore, the identity for this connection is set to NOT SECURE.

    Now connect to SQL*Plus by specifying the database instance (for example, orcl), and then check the factor identities again:

    CONNECT mwaldron@orcl
Enter password: password

SELECT DVF.F$CLIENT_IP FROM DUAL;

    The following output should appear:

    F$CLIENT_IP
-------------------------------------
192.0.2.12

    Next:

    SELECT DVF.F$DOMAIN FROM DUAL;

    The following output should appear:

    F$DOMAIN
-------------------------------------
HIGHLY SECURE INTERNAL NETWORK

    Now that user mwaldron is connecting to the orcl database instance, his IP address is recognized. This is because the database uses the TCP protocol, so now the host IP value can be populated appropriately. Because the IP address is within the correct range, the factor identity is set to HIGHLY SECURE INTERNAL NETWORK.

Step 4: Create a Rule Set to Set the Hours and Select the Factor Identity

  1. In Oracle Database Vault, return to the Administration page.

  2. Select Rule Sets.

  3. In the Rule Sets page, select Create.

  4. In the Create Rule Set page, enter the following settings:

    • Name: Enter Internal DBA Standard Working Hours.

    • Status: Select Enabled.

    • Evaluation Options: Select All True.

    Leave the remaining settings at their defaults.

  5. Click OK.

  6. In the Rule Sets page, select the Internal DBA Standard Working Hours rule set, and then select Edit.

  7. In the Edit Rule Set: Internal DBA Standard Working Hours page, under Rules Associated To The Rule Set, select Create.

  8. In the Create Rule page, create the following rules:

    • Name: Internal DBA

      Rule Expression: DVF.F$SESSION_USER='MWALDRON'

      (When you create an expression with a user name, enter the user name in upper case letters, because that is how the database stores user names.)

    • Name: Internal Network Only

      Rule Expression: DVF.F$DOMAIN='HIGHLY SECURE INTERNAL NETWORK'

    • Name: Week Day

      Rule Expression: TO_CHAR(SYSDATE, 'D') BETWEEN '2' AND '6'

    • Name: Week Working Day Hours

      Rule Expression: TO_CHAR(SYSDATE, 'HH24') BETWEEN '08' AND '19'

  9. Click OK to return to the Rule Sets page.

Step 5: Create a Command Rule That Uses the Rule Set

  1. In Oracle Database Vault Administrator, return to the Administration page.

  2. Select Command Rules, and in the Command Rules page, select Create.

  3. In the Create Command Rule page, enter the following settings:

    • Command: Select CREATE TABLE from the list.

    • Rule Set: Select Internal DBA Standard Working Hours from the list.

    Leave the remaining settings at their defaults.

  4. Click OK.

Step 6: Test the Factor Identity Settings

Test the settings by resetting the system clock, logging in as the mwaldron administrative user, and then trying to create a table.

  1. Set the system time to 9 p.m.

    UNIX: Log in as root and use the date command to set the time. For example, assuming the date today is December 14 2011, you would enter the following:

    su root
Password: password

date --set="14 DEC 2011 21:00:00"

    Windows: Double-click the clock icon, which is typically at the lower right corner of the screen. In the Date and Time Properties window, set the time to 9 p.m., and then click OK.

  2. In SQL*Plus, connect as user mwaldron and try to create a table. In the following, replace orcl with the name of your database instance.

    CONNECT mwaldron@orcl
Enter password: password

CREATE TABLE TEST (num number);

    The following output should appear:

    ORA-47400: Command Rule violation for create table on MWALDRON.TEST

    Because user mwaldron is create a table outside working hours, Database Vault prevents him.

  3. Reset the system time back to the local time.

  4. In SQL*Plus, as user mwaldron, try to create the table again.

    CREATE TABLE TEST (num number);

Table created.

DROP TABLE TEST;
Table dropped.

    Now that user maldron is working during his local hours and from the IP address associated with the HIGHLY SECURE INTERNAL NETWORK identity, he can create tables.

  5. Reconnect as user mwaldron but without adding the database instance name to the connection command, and then try to select from the OE.ORDERS table again.

    CONNECT mwaldron
Enter password: password

CREATE TABLE TEST (num number);

    The following output should appear:

    ORA-47400: Command Rule violation for create table on MWALDRON.TEST

    Even though user mwaldron is trying to create a table during the correct time, he cannot because is not directly logged in to the orcl database instance. Oracle Database Vault deems him to be using the NOT SECURE identity, and then denies him access.

Step 7: Remove the Components for This Tutorial

  1. Log in to SQL*Plus as the DV_ACCTMGR user and drop user mwaldron.

    sqlplus amalcolm_dvacctmgr
Enter password: password

DROP USER mwaldron CASCADE;

  2. Remove the CREATE TABLE command rule.

    Return the Administration page and select Command Rules. Select the CREATE TABLE command rule and then select Remove. In the Confirmation page, select Yes.

  3. Remove the Internal DBA Standard Working Hours rule set.

    In Oracle Database Vault Administrator, select Rule Sets in the Administration page. In the Rule Sets page, select the Internal DBA Standard Working Hours rule set, and then select Remove. In the Confirmation page, select Yes.

  4. In SQL*Plus, delete the rules associated with the Internal DBA Standard Working Hours rule set.

    CONNECT lbrown_dvowner
Enter password: password

EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Internal DBA');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Internal Network Only');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Week Day');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Week Day Working Hours'); 
COMMIT;

  5. Remove the HIGHLY SECURE INTERNAL NETWORK and NOT SECURE factor identities from the Domain factor.

    Return to the Administration page and select Factors. Select the Domain factor, select Edit, and under Identities, remove the HIGHLY SECURE INTERNAL NETWORK and NOT SECURE factor identities. In the Confirmation page, select Yes.

Guidelines for Designing Factors

Follow these guidelines for designing factors:

  • You can use the Oracle utility packages such as UTL_TCP, UTL_HTTP, DBMS_LDAP, and DBMS_PIPE to integrate security or other contextual information about the session from external systems.

  • Do not specify a retrieval method if the factor identification is set to Identified By Factors. Retrieval methods are only needed if you set the factor to By Method or By Constant.

  • Consider using a validation method if a factor has an assignment rule set. Doing so helps to verify that invalid identities are not submitted.

  • Use the client-supplied factors such as Program, OS User, and others with caution, because the values that are supplied can only be trusted when the client software is trusted and the communications channel from the client software is known to be secure.

  • Only specify an evaluation option of By Access if the value returned by the retrieval method could change from one invocation to the next in the same session (for example, v'time-based factors).

  • Optimize the internal logic of a function used for the factor retrieval method using traditional SQL and PL/SQL optimization techniques. For more information about performance and optimization, see Oracle Database Performance Tuning Guide.

  • If the discrete values returned by the retrieval method are known, be sure to define identities for each value so that you can assign trust levels for them. Trust levels add value to factors as you also can use the trust level in application logic based on factors.

  • A security policy based on more factors is generally considered stronger than one based on fewer factors. You can create a new factor that is identified by other factors to store combinations of factors into logical grouping using identity maps. This also makes it easier to label the parent factor when you integrate the factors with the Oracle Label Security labels. (See "Integrating Oracle Database Vault with Oracle Label Security" for more information.)

  • It is generally easier to configure and debug a factor that is labeled By Self than one labeled By Factors when integrating the Oracle Label Security.

  • You can design a database client application to pass one or more security, end-user, or environmental attributes so that they are available to an associated database session. To do this, create a single factor for each attribute and then use an assignment rule set to control when these attributes can be assigned (for example only when using a specific Web application on specified named application server computers). Oracle Database Vault factors used in this fashion are very much like the Oracle procedure DBMS_SESSION.SET_IDENTIFIER but also include a capability to control when they can be set. For more information about the DBMS_SESSION package, see Oracle Database PL/SQL Packages and Types Reference.

How Factors Affect Performance

Each factor has elements that are processed, such as its validation method, trust level, and so on. For factors that are evaluated by the session, such as Database_Hostname and Proxy_User, Oracle Database Vault performs this processing during session initialization, and then caches the results for subsequent requests for that value.

The 17 default factors listed in "Default Factors" are cached because they are likely candidates for a typical security policy. However, if you only use five factors (for example, in rule sets or other components), then the other factors consume resources that could otherwise be used elsewhere. In this case, you should remove the unnecessary factors by deleting them. (Oracle Database Vault does not use any of these factors internally, so you can remove them if you do not need them.)

If you have a large number of users or if your application server frequently must create and destroy connections, the resources used can affect system performance. You can delete the unnecessary factors.

You can check system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Database Control, which is installed by default with Oracle Database), Statspack, and TKPROF. For more information about Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation set. For information about Database Control, refer to its online Help. Oracle Database Performance Tuning Guide describes the Statspack and TKPROF utilities.

Related Reports and Data Dictionary Views

Table 7-1 lists Oracle Database Vault reports that are useful for analyzing factors and their identities. See Chapter 17, "Oracle Database Vault Reports," for information about how to run these reports.

Table 7-1 Reports Related to Factors and Their Identities

ReportDescription

"Factor Audit Report"

Audits factors (for example, to find factors that failed to be evaluated)

"Factor Configuration Issues Report"

Lists configuration issues, such as disabled or incomplete rule sets, or to audit issues that may affect the factor

"Factor Without Identities Report"

Lists factors that have had no identities assigned yet

"Identity Configuration Issues Report"

Lists factors that have invalid label identities or no map for the identity

"Rule Set Configuration Issues Report"

Lists rule sets that have no rules defined or enabled, which may affect the factors that use them


Table 7-2 lists data dictionary views that provide information about existing factors and factor identities.

Table 7-2 Data Dictionary Views Used for Factors and Factor Identities

Data Dictionary ViewDescription

"DBA_DV_FACTOR View"

Lists the existing factors in the current database instance

"DBA_DV_FACTOR_LINK View"

Shows the relationships of each factor whose identity is determined by the association of child factors

"DBA_DV_FACTOR_TYPE View"

Lists the names and descriptions of factor types used in the system

"DBA_DV_IDENTITY View"

Lists the identities for each factor

"DBA_DV_IDENTITY_MAP View"

Lists the mappings for each factor identity


PKӊvPK)A OEBPS/toc.htm Table of Contents

Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

What's New in Oracle Database Vault?

1 Introducing Oracle Database Vault

2 What to Expect After You Install Oracle Database Vault

3 Getting Started with Oracle Database Vault

4 Configuring Realms

5 Configuring Rule Sets

6 Configuring Command Rules

7 Configuring Factors

8 Configuring Secure Application Roles for Oracle Database Vault

9 Integrating Oracle Database Vault with Other Oracle Products

10 DBA Operations in an Oracle Database Vault Environment

11 Oracle Database Vault Objects

12 Using the DVSYS.DBMS_MACADM Package

13 Using the DVSYS.DBMS_MACSEC_ROLES Package

14 Using the DVSYS.DBMS_MACUTL Package

15 Using the Oracle Database Vault PL/SQL Interfaces

16 Monitoring Oracle Database Vault

17 Oracle Database Vault Reports

A Auditing Oracle Database Vault

B Disabling and Enabling Oracle Database Vault

C Postinstallation Oracle Database Vault Procedures

D Oracle Database Vault Security Guidelines

E Troubleshooting Oracle Database Vault

Index

PK_qPK)AOEBPS/reports.htm Oracle Database Vault Reports

17 Oracle Database Vault Reports

This chapter contains:

Categories of Oracle Database Vault Reports

Oracle Database Vault provides a selection of reports that display security-related information from the database. These reports also show custom Oracle Database Vault audit event information. The reports are in two categories:

  • Database Vault Reports. These reports allow you to check configuration issues with realms, command rules, factors, factor identities, rule sets, and secure application roles. These reports also reveal realm violations, auditing results, and so on.

  • General Security Reports. These reports allow you to check the status of object privileges, database account system privileges, sensitive objects, privilege management, powerful database accounts and roles, initialization parameters, profiles, account passwords, security audits, and other security vulnerability reports.

Who Can Run the Oracle Database Vault Reports?

You must log on using an account that has the DV_OWNER, DV_ADMIN, or DV_SECANALYST role before you can run the Oracle Database Vault reports. For more information about these roles, see the following sections:

How to Run Oracle Database Vault Reports

To run Oracle Database Vault reports:

  1. Log in to Database Vault Administrator as a user who has been granted the DV_OWNER, DV_ADMIN, or DV_SECANALYST role.

    "Starting Oracle Database Vault" explains how to log in.

  2. Select either Database Vault Reports or General Security Reports.

    These report categories are described in the following sections:

  3. Select a report and click Run Report to run the report.

    You can run many of the reports without any input parameters. For example, if you select the Audit Privileges Report, and click Run Report, then you can immediately see the report results. However, some of the available reports require at least one input parameter before the results can be displayed.

    The Report Results page displays the report content in a tabular fashion with the column headings shown at the top of the report. The page displays the report title and the date and time when the report was run. Click Return to Reports Menu to return to the Reports page, so that you can select and run a different report if you want.

    Some of the reports require at least one input parameter to be provided before they can be run. For example, when you select Object Dependencies Report and click Run Report, the Report Parameters page is displayed. The Owner box enables you to select the database account that owns the object. The Object Name field specifies the name of the object. You can use wildcard characters like the percentage sign (%), which defaults to all object names. The Result Set Size parameter determines the maximum number of result rows that are displayed. If you want all records to be displayed, then select All.The parameters that you enter on this page are passed directly to the SQL query that generates the report results. Click Run Report to display the report results based on the specified parameters.

Generating Oracle Database Vault Reports

To generate Oracle Database Vault reports, click the Database Vault Reports tab, and then select from the following categories of reports:

Oracle Database Vault Configuration Issues Reports

The configuration issues reports are:

Command Rule Configuration Issues Report

The Command Rule Configuration Issues Report displays command rules for which the following configuration issues exist:

  • Rule set for the command rule is disabled.

  • Rule set for the command rule is incomplete.

  • Object owner for the command rule does not exist. This can happen when the user account for the object has been dropped.

Factor Configuration Issues Report

The Factor Configuration Issues Report displays Oracle Database Vault factors for which the following configuration issues exist:

  • Rule set for factor assignment is disabled.

  • Rule set for factor assignment is incomplete.

  • Audit options for the factor are invalid.

  • No factor retrieval method or constant exists.

  • No subfactors (that is, child factors) are linked to a factor identity.

  • No subfactors (child factors) are linked to a label factor.

  • Oracle Label Security policy does not exist for the factor.

Factor Without Identities Report

The Factor Without Identities Report displays Oracle Database Vault factors that have no identities defined in the access control configuration. For some factors such as Background_Job_Id, this may not be a real problem, but the report can help you determine whether your access control configuration is complete and whether you have accounted for all factor configuration.

Identity Configuration Issues Report

The Identity Configuration Issues Report displays Oracle Database Vault factor identities where the following configuration issues exist:

  • Label identity for the Oracle Label Security label for this identity has been removed and no longer exists.

  • No map exists for the identity.

Realm Authorization Configuration Issues Report

The Realm Authorization Configuration Issues Report displays Oracle Database Vault realm information where the following configuration issues exist.

  • Rule set for a realm authorization is disabled.

  • Grantee does not exist for a realm authorization.

  • Owner does not exist for a realm-secured object. This can happen when the user account has been dropped.

In most cases, however, these types of issues are caught when you configure the realm and during validation.

Rule Set Configuration Issues Report

The Rule Set Configuration Issues Report displays Oracle Database Vault rule set information when no rules are defined or enabled for a rule set.

Secure Application Configuration Issues Report

The Secure Application Configuration Issues Report displays Database Vault secure application role information where the following configuration issues exist:

  • The database role does not exist. This can happen when the database role has been dropped.

  • The rule set for role is disabled.

  • The rule set for role is incomplete.

Oracle Database Vault Auditing Reports

The auditing reports are:

Realm Audit Report

The Realm Audit Report shows audit records generated by the realm protection and realm authorization operations. You can manage realm authorizations by using rule sets, and then audit the rule set processing results. A realm violation occurs when the database account, performing an action on a realm-protected object, is not authorized to perform that action. Oracle Database Vault audits the violation even if you do not specify any rule sets attached to the realm. When you configure a realm, you can set it to audit instances of realm violations. You can use this information to investigate attempts to break security.

Command Rule Audit Report

The Command Rule Audit Report shows audit records generated by command rule processing operations. When you configure a command rule, you can set it to audit the rule set processing results.

Factor Audit Report

The Factor Audit Report shows factors that failed to evaluate or were set to create audit records under various conditions. It also shows failed attempts to set factors.

You can audit instances where a factor identity cannot be resolved and assigned (such as No data found or Too many rows). A factor can have an associated rule set that assigns an identity to the factor at run time. When you configure a factor, you can set it to audit the rule set processing results.

Label Security Integration Audit Report

The Label Security Integration Audit Report shows audit records generated by the session initialization operation and the session label assignment operation of label security. You can audit instances where the label security session fails to initialize, and where the label security component prevents a session from setting a label that exceeds the maximum session label.

Core Database Vault Audit Trail Report

The Core Database Vault Audit Trail Report shows audit records generated by the core access security session initialization operation. You can audit instances where the access security session fails to initialize. It displays the following data:

Violation AttemptInstance Number
TimestampObject Name
Return CodeRule Set
AccountCommand
User Host

Secure Application Role Audit Report

The Secure Application Role Audit Report shows the audit records generated by the secure application role-enabling operation for Oracle Database Vault.

Generating General Security Reports

To generate general security reports, click the General Security Reports tab, and then select from the following reports:

Object Privilege Reports

The object privilege reports are:

Object Access By PUBLIC Report

The Object Access By PUBLIC Report lists all objects whose access has been granted to PUBLIC. It details all the object access the database accounts that you specify on the Report Parameters page, through object grants to PUBLIC. On the Reports Parameters page, you can filter the results based on the privilege, the object owner, or the object name.


Note:

This report can be quite large if you choose the defaults.

Object Access Not By PUBLIC Report

The Object Access Not By PUBLIC Report describes all the object access the database accounts that you specify on the Report Parameters page, through grants to the account directly or through a role, but excluding the grants to PUBLIC. On the Reports Parameters page, you can filter the results based on the privilege, the object owner or the object name.


Note:

This report can be quite large if you choose the defaults.

Direct Object Privileges Report

The Direct Object Privileges Report shows the direct object privileges granted to nonsystem database accounts. The following database accounts are excluded from the report:

CTXSYSLBACSYSSYSWMSYS
DMSYSMDSYSSYSMAN
DVSYSORDSYSSYSTEM
EXFSYSPUBLICWKSYS

Object Dependencies Report

The Object Dependencies Report describes all dependencies in the database between procedures, packages, functions, package bodies, and triggers, including dependencies on views created without any database links. It can help you develop a security policy using the principle of least privilege for existing applications. If a database object, such as a UTL_FILE package, has privileges granted to PUBLIC or some other global role, then you can use the Object Dependencies Report to determine an account that may depend on the object and to determine how the account uses the object. To run the report, enter the database account you are inspecting for dependency and the object it may be dependent on, in the Report Parameters page.

The Report Results page shows the dependent object and object type and the source object name and type. This report shows where the potentially sensitive object is being used. By looking at several accounts, you might be able to see patterns that can help you develop restricted roles. These restricted roles can replace PUBLIC grants on widely used sensitive objects.

Database Account System Privileges Reports

The database account system privileges reports are:

Direct System Privileges By Database Account Report

The Direct System Privileges By Database Account Report displays all system privileges that have been directly granted to the database account selected on the Report Parameters page. It also shows whether a privilege has been granted the WITH ADMIN option.

Direct and Indirect System Privileges By Database Account Report

The Direct and Indirect System Privileges By Database Account Report displays all the system privileges for the database account selected on the Report Parameters page. The system privileges may have been granted directly or granted through a database role that has the WITH ADMIN status.

Hierarchical System Privileges by Database Account Report

The Hierarchical System Privileges by Database Account Report displays a hierarchical breakdown of role-based system privileges and direct system privileges granted to the database account specified on the Report Parameters page.

ANY System Privileges for Database Accounts Report

The ANY System Privileges for Database Accounts Report shows all ANY system privileges granted to the specified database account or role. ANY system privileges are very powerful and should be judiciously assigned to accounts and roles.

System Privileges By Privilege Report

The System Privileges By Privilege Report displays the database accounts and roles that have the system privilege selected on the Report Parameters page.

Sensitive Objects Reports

The sensitive objects reports are:

Execute Privileges to Strong SYS Packages Report

The Execute Privileges to Strong SYS Packages Report shows the database accounts and roles that have the EXECUTE privilege on system packages that can be used to access operating system resources or other powerful system packages. The following system PL/SQL packages are included:

DBMS_ALERTDBMS_RANDOM
DBMS_BACKUP_RESTOREDBMS_REPAIR
DBMS_CAPTURE_ADMDBMS_REPCAT
DBMS_DDLDBMS_REPCAT_ADMIN
DBMS_DISTRIBUTED_TRUST_ADMINDBMS_RESOURCE_MANAGER
DBMS_FGADBMS_RESOURCE_MANAGER_PRIVS
DBMS_JOBDBMS_RLS
DBMS_LDAPDBMS_SESSION
DBMS_LOBDEBUG_EXTPROC
DBMS_LOGMNRUTL_FILE
DBMS_LOGMNR_DUTL_HTTP
DBMS_OBFUSCATION_TOOLKITUTL_SMTP
DBMS_ORACLE_TRACE_AGENTUTL_TCP
DBMS_PIPE

Access to Sensitive Objects Report

The Access to Sensitive Objects Report shows the database accounts and roles that have object privileges on system tables or views that contain sensitive information. It includes the following system tables and views:

ALL_SOURCEPROFILE$
ALL_USERSPROXY_ROLE_DATA$
APPROLE$PROXY_ROLE_INFO$
AUD$ROLE_ROLE_PRIVS
AUDIT_TRAIL$SOURCE$
DBA_ROLE_PRIVSSTATS$SQLTEXT
DBA_ROLESSTATS$SQL_SUMMARY
DBA_TAB_PRIVSSTREAMS$_PRIVILEGED_USER
DBMS_BACKUP_RESTORESYSTEM_PRIVILEGE_MAP
DEFROLE$TABLE_PRIVILEGE_MAP
FGA_LOG$TRIGGER$
LINK$USER$
OBJ$USER_HISTORY$
OBJAUTH$USER_TAB_PRIVS
OBJPRIV$SYSTEM_PRIVILEGE_MAP

Public Execute Privilege To SYS PL/SQL Procedures Report

The Public Execute Privilege to SYS PL/SQL Procedures Report shows all database accounts and roles that have execute privileges on packages owned by SYS. This can be used to determine which privileges can be revoked from PUBLIC, or from other accounts and roles. This reduces vulnerabilities as part of an overall security policy implementation using the principle of least privilege.

Accounts with SYSDBA/SYSOPER Privilege Report

The Accounts with SYSDBA/SYSOPER Privilege Report displays database accounts that have SYS-privileged connection privileges. It also shows whether the accounts use an external password. However, note that this report does not include operating system users who can become SYSDBA.

Privilege Management - Summary Reports

The privilege management summary reports are:


See Also:

"DBA_DV_PUB_PRIVS View" to find the values on which the counts listed in these reports are based

Privileges Distribution By Grantee Report

The Privileges Distribution By Grantee Report displays the count of privileges granted to a database account or role. This provides insight into accounts and roles that may have powerful privileges.

Privileges Distribution By Grantee, Owner Report

The Privileges Distribution By Grantee, Owner Report displays a count of privileges based on the grantee and the owner of the object. This provides insight into accounts or roles that may have powerful privileges. You can use this report if you suspect potential intruders or insider threats are looking for accounts that have powerful privileges as accounts to attack or compromise. If intruders can compromise the account (for example, by guessing the password), they can get more privileges than they already have.

Privileges Distribution By Grantee, Owner, Privilege Report

The Privileges Distribution By Grantee, Owner, Privilege Report displays a count of privileges based on the privilege, the grantee, and the owner of the object. This provides insight into the accounts or roles that may have powerful privileges.

Powerful Database Accounts and Roles Reports

The powerful database accounts and roles reports are:

WITH ADMIN Privilege Grants Report

The WITH ADMIN Privileges Grants Report shows all database accounts and roles that have been granted privileges with the WITH ADMIN clause. This privilege can be misused to give another account more system privileges than required.

Accounts With DBA Roles Report

The Accounts With DBA Roles Report shows all database accounts that have the DBA role granted to them. The DBA role is a privileged role that can be misused. It is often granted to a database account to save time and to avoid having to determine the least number of privileges an account really needs. This report can help you to start applying a policy using the principle of least privilege to an existing database.

For guidelines on deciding who should have privileged roles, see Appendix D, "Oracle Database Vault Security Guidelines."

Security Policy Exemption Report

The Security Policy Exemption Report shows database (but not Oracle Database Vault) accounts and roles that have the EXEMPT ACCESS POLICY system privilege granted to them. Accounts that have this privilege can bypass all Virtual Private Database (VPD) policy filters and any Oracle Label Security policies that use Oracle Virtual Private Database indirectly. This is a powerful system privilege that should be granted only if absolutely necessary, as it presents a target to gain access to sensitive information in tables that are protected by Oracle Virtual Private Database or Oracle Label Security. You can use the auditing policies described in Appendix A, "Auditing Oracle Database Vault," to audit the use of this privilege.

BECOME USER Report

The BECOME USER Report shows all database accounts roles that have the BECOME USER system privilege. This is a very powerful system privilege: it enables the IMP_FULL_DATABASE and EXP_FULL_DATABASE roles for use with Oracle Data Pump. Accounts that possess this privilege can be misused to get sensitive information or to compromise an application.

ALTER SYSTEM or ALTER SESSION Report

The ALTER SYSTEM or ALTER SESSION Report shows all database accounts and roles that have the ALTER SYSTEM or ALTER SESSION privilege. Oracle recommends that you restrict these privileges only to those accounts and roles that truly need them (for example, the SYS account and the DV_ADMIN role). The ALTER SYSTEM statement can be used to change the security-related database initialization parameters that are set to recommended values as part of the Oracle Database Vault security strengthening service. Both the ALTER SYSTEM and ALTER SESSION statements can be used to dump database trace files, potentially containing sensitive configuration information, to the operating system.

For guidelines on using the ALTER SYSTEM and ALTER SESSION privileges, see "Security Considerations for the ALTER SYSTEM and ALTER SESSION Privileges".

Password History Access Report

The Password History Access Report shows database accounts that have access to the USER_HISTORY$ table that stores hashed passwords that were previously used by each account. Access to this table can make guessing the existing password for an account easier for someone hacking the database.

WITH GRANT Privileges Report

The WITH GRANT Privileges Report shows all database accounts that have been granted privileges with the WITH GRANT clause. Remember that WITH GRANT is used for object-level privileges: An account that has been granted privileges using the WITH GRANT option can be misused to grant object privileges to another account.

Roles/Accounts That Have a Given Role Report

This report displays the database accounts and roles to which a role has been granted. This report is provided for dependency analysis.

Database Accounts With Catalog Roles Report

The Database Accounts With Catalog Roles Report displays all database accounts and roles that have the following roles granted to them:

  • DELETE_CATALOG_ROLE

  • EXECUTE_CATALOG_ROLE

  • RECOVERY_CATALOG_OWNER

  • SELECT_CATALOG_ROLE

These catalog-based roles have a very large number of powerful privileges. They should be granted with caution, much like the DBA role, which uses them.

AUDIT Privileges Report

The AUDIT Privileges Report displays all database accounts and roles that have the AUDIT ANY or AUDIT SYSTEM privilege. This privilege can be used to disable auditing, which could be used to eliminate the audit trail record of a intruder who has compromised the system. The accounts that have this privilege could be targets for intruders.

OS Security Vulnerability Privileges Report

The OS Security Vulnerability Privileges Report shows the database accounts and roles that have the required system privileges to export sensitive or otherwise protected information to the operating system.  

Initialization Parameters and Profiles Reports

The initialization parameters and profiles reports are:

Security Related Database Parameters Report

The Security Related Database Parameters Report displays database parameters that can cause security vulnerabilities, if not set correctly. This report can be used to compare the recommended settings with the current state of the database parameter values.

Resource Profiles Report

The Resource Profiles Report provides a view of resource profiles, such as CPU_PER_SESSION and IDLE_TIME, that may be allowing unlimited resource consumption. You should review the profiles that might need a cap on the potential resource usage.

System Resource Limits Report

The System Resource Limits Report provides insight into the current system resource usage by the database. This helps determine whether any of these resources are approaching their limits under the existing application load. Resources that show large increases over a short period may point to a denial-of-service (DoS) attack. You might want to reduce the upper limit for the resource to prevent the condition in the future.

Database Account Password Reports

The database account password reports are:

Database Account Default Password Report

The Database Account Default Password Report lists the database accounts that have default passwords. Default passwords are provided during the Oracle Database installation.

You should change the passwords for accounts included in this report to nondefault, complex passwords to help secure the database.

Database Account Status Report

The Database Account Status Report provides a quick view of existing database accounts. The report shows the account status for each account, which helps you identify accounts that must be locked. Lock and expiry dates provide information that helps determine whether the account was locked as a result of password aging. If a special password and resource secure profile is used, then you can identify accounts that are not using them. Accounts not using organizationally defined default tablespaces also can be identified, and the temporary tablespace for accounts can be determined. This report also identifies accounts that use external passwords.

Security Audit Report: Core Database Audit Report

The Core Database Audit Report returns audit records for the audit policy defined in Appendix A, "Auditing Oracle Database Vault," and any auditing records that are generated for audit statements you have defined.

This report only displays audit records that are captured if the database initialization parameter AUDIT_TRAIL has been set to DB. For more information about the AUDIT_TRAIL parameter, see Oracle Database SQL Language Reference.

Other Security Vulnerability Reports

The other security vulnerability reports are:

Java Policy Grants Report

The Java Policy Grants Report shows the Java policy permissions stored in the database. It helps reveal violations to the principle of least privilege. Look for GRANT, READ, or WRITE privileges to PUBLIC or other accounts and roles that do not necessarily need the privilege. It is advisable to disable Java loading privileges from PUBLIC, if Java is not required in the database.


Note:

Oracle JVM, the Java virtual machine option provided with Oracle Database Vault, must be installed before you can run the Java Policy Grants Report.

OS Directory Objects Report

The OS Directory Objects Report shows all directory objects that exist in the database, whether they are available to PUBLIC, and what their privileges are. Directory objects should exist only for secured operating system (OS) directories, and access to them within the database should be protected. You should never use the root operating system directory on any storage device (for example, /), because it allows remote database sessions to look at all files on the device.

Objects Dependent on Dynamic SQL Report

The Objects Dependent on Dynamic SQL Report shows objects that leverage dynamic SQL. Potential intruders have a greater chance of using this channel if parameter checking or bind variables are not used. The report helps by narrowing the scope of where to look for problems by pointing out who is using dynamic SQL. Such objects can be a target for a SQL injection attack and must be secured to avoid this type of attack. After determining the objects that use dynamic SQL, do the following:

  • Check the privileges that client applications (for example, a Web application) have over the object.

  • Check the access granted for the object to PUBLIC or a wider account base.

  • Validate parameters.

  • Use bind variables where possible.

Unwrapped PL/SQL Package Bodies Report

The Unwrapped PL/SQL Package Bodies Report displays PL/SQL package procedures that are not wrapped. Oracle provides a wrap utility that obfuscates code to the point where it cannot be read in the data dictionary or from the data dictionary views. This helps reduce the ability of an intruder to circumvent data protection by eliminating the ability to read source code that manipulates data.

Username/Password Tables Report

The Username/Password Tables Report helps to identify application tables in the database that store user names and password strings. You should examine these tables to determine if the information is encrypted. (Search for column names such as %USER%NAME% or %PASSWORD%.) If it is not, modify the code and applications using these tables to protect them from being visible to database sessions.

Tablespace Quotas Report

The Tablespace Quotas Report shows all database accounts that have quotas on one or more tablespaces. These tablespaces can become potential targets for denial-of-service (DoS) attacks.

Non-Owner Object Trigger Report

The Non-Owner Object Trigger Report lists triggers that are owned by a database account that is different from the account that owns the database object on which the trigger acts. If the trigger is not part of a trusted database application, then it can steal sensitive data, possibly from tables protected through Oracle Label Security or Virtual Private Database (VPD), and place it into an unprotected table for subsequent viewing or export.

PKkPK)AOEBPS/dv_ols.htm Integrating Oracle Database Vault with Other Oracle Products

9 Integrating Oracle Database Vault with Other Oracle Products

This chapter contains:


Note:

If you plan to use Oracle Data Guard with Oracle Database Vault, see My Oracle Support Note 754065.1. You can access My Oracle Support from the following Web site:

https://support.oracle.com


Integrating Oracle Database Vault with Enterprise User Security

You can integrate Oracle Database Vault with Oracle Enterprise User Security. Enterprise User Security enables you to centrally manage database users and authorizations in one place. It is combined with Oracle Identity Management and is available in Oracle Database Enterprise Edition.

In general, to integrate Oracle Database Vault with Oracle Enterprise User Security, you configure the appropriate realms to protect the data that you want to protect in the database.

After you define the Oracle Database Vault roles as needed, you can create a rule set for the Enterprise users to allow or disallow their access.

To configure an Enterprise User authorization:

  1. Create a rule to allow or disallow user access.

    Follow the instructions in "Creating a Rule to Add to a Rule Set" to create a new rule. In the Create Rule page, enter the following PL/SQL in the Rule Expression field:

    SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY') = 'user_domain_name'

    Replace user_domain_name with the domain, for example:

    SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY') = 'myserver.us.example.com'

  2. Add this rule to a new rule set.

    "Creating a Rule Set" explains how to create a new rule set, including how to add an existing rule to it.

  3. Add this rule set to the realm authorization for the database that you want to protect.

    "Defining Realm Authorization" explains how to create realm authorizations. In the Authorization Rule Set list, select the rule set that you created in Step 2. Afterward, the realm authorization applies to all users.

For more information about Enterprise User Security, see Oracle Database Enterprise User Security Administrator's Guide.

Integrating Oracle Database Vault with Transparent Data Encryption

Transparent Data Encryption complements Oracle Database Vault in that it provides data protection when the data leaves the secure perimeter of the database. With Transparent Data Encryption, a database administrator or database security administrator can simply encrypt columns with sensitive content in application tables, or encrypt entire application tablespaces, without any modification to the application. For detailed information about Transparent Data Encryption, see Oracle Database Advanced Security Administrator's Guide.

If a user passes the authentication and authorization checks, Transparent Data Encryption automatically encrypts and decrypts information for the user. This way, you can implement encryption without having to change your applications.

Before you can use Oracle Database Vault with Transparent Data Encryption, you must enable the SYSTEM user (or other user with privileges to manage Transparent Data Encryption) as at minimum a participant of the Database Dictionary Realm. See "ADD_AUTH_TO_REALM Procedure" for more information about adding a user to a realm.

Once you have granted the Transparent Data Encryption user the appropriate privileges, then Transparent Data Encryption can be managed as usual and be used complimentary to Database Vault.

Figure 9-1 shows how Oracle Database Vault realms handle encrypted data.

Figure 9-1 Encrypted Data and Oracle Database Vault

Encrypted Data and Oracle Database Vault
Description of "Figure 9-1 Encrypted Data and Oracle Database Vault"

Attaching Factors to an Oracle Virtual Private Database

You can attach factors to an Oracle Virtual Private Database. To do so, define a policy predicate that is a PL/SQL function or expression. Then, for each function or expression, you can use the DVF.F$ PL/SQL function that is created for each factor.

For more information about Oracle Virtual Private Database, see Oracle Database Security Guide.

Integrating Oracle Database Vault with Oracle Label Security

This section includes the following topics:

How Oracle Database Vault Is Integrated with Oracle Label Security

When you integrate Oracle Database Vault with Oracle Label Security, it means that you can assign an Oracle Label Security label to an Oracle Database Vault factor identity.

In Oracle Label Security, you can restrict access to records in database tables or PL/SQL programs. For example, Mary may be able to see data protected by the HIGHLY SENSITIVE label, an Oracle Label Security label on the EMPLOYEE table that includes records that should have access limited to certain managers. Another label can be PUBLIC, which allows more open access to this data.

In Oracle Database Vault, you can create a factor called Network, for the network on which the database session originates, with the following identities:

  • Intranet: Used for when an employee is working on site within the intranet for your company.

  • Remote: Used for when the employee is working at home from a VPN connection.

You then assign a maximum session label to both. For example:

  • Assign the Intranet identity to the HIGHLY SENSITIVE Oracle Label Security label.

  • Assign the Remote identity to the PUBLIC label.

This means that when Mary is working at home using her VPN connection, she has access only to the limited table data protected under the PUBLIC identity. But when she is in the office, she has access to the HIGHLY SENSITIVE data, because she is using the Intranet identity. "Tutorial: Integrating Oracle Database Vault with Oracle Label Security" provides an example of how to accomplish this type of integration.

You can audit the integration with Oracle Label Security by using the Label Security Integration Audit Report. See "Label Security Integration Audit Report" for more information. Oracle Database Vault writes the audit trail to the DVSYS.AUDIT_TRAIL$ system file, described in Appendix A, "Auditing Oracle Database Vault."

You can use the Oracle Database Vault APIs to integrate Oracle Database Vault with Oracle Label Security. See Chapter 12, "Using the DVSYS.DBMS_MACADM Package," for more information.

For more information about Oracle Label Security labels, levels, and policies, see Oracle Label Security Administrator's Guide.

You can run reports on the Oracle Database Vault and Oracle Label Security integration. See "Related Reports and Data Dictionary Views" for more information.

Requirements for Using Oracle Database Vault with Oracle Label Security

You must have the following requirements in place before you use Oracle Database Vault with Oracle Label Security:

  • Oracle Label Security is licensed separately. Ensure that you have purchased a license to use it.

  • Before you install Oracle Database Vault, you must have already installed Oracle Label Security.

  • The installation process for Oracle Label Security creates the LBACSYS user account. As a user who has been granted the DV_ACCTMGR role, unlock this account and grant it a new password. For example:

    sqlplus amalcolm_dvacctmgr
Enter password: password

ALTER USER LBACSYS ACCOUNT UNLOCK IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

  • If you plan to use the LBACSYS user account in Oracle Enterprise Manager, then log in to Enterprise Manager as user SYS with the SYSDBA privilege, and grant this user the SELECT ANY DICTIONARY and SELECT_CATALOG_ROLE system privileges.

  • Ensure that you have the appropriate Oracle Label Security policies defined. For more information, see Oracle Label Security Administrator's Guide.

Using Oracle Database Vault Factors with Oracle Label Security Policies

Oracle Database Vault controls the maximum security clearance for a database session by merging the maximum allowable data for each label in a database session by merging the labels of Oracle Database Vault factors that are associated to an Oracle Label Security policy. In brief, a label acts as an identifier for the access privileges of a database table row. A policy is a name associated with the labels, rules, and authorizations that govern access to table rows. See Oracle Label Security Administrator's Guide for more information about row labels and policies.

Use the following steps to define factors that contribute to the maximum allowable data label of an Oracle Label Security policy:

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. Make the user LBACSYS account an owner of the realm that contains the schema to which a label security policy has been applied.

    This enables the LBACSYS account to have access to all the protected data in the realm, so that it can properly classify the data.

    The LBACSYS account is created in Oracle Label Security using the Oracle Universal Installer custom installation option. Before you can create an Oracle Label Security policy for use with Oracle Database Vault, you must make LBACSYS an owner for the realm you plan to use. See "Defining Realm Authorization" for more information.

  3. Authorize the schema owner (on which the label security policy has been applied) as either a realm participant or a realm owner.

  4. In the Administration page, under Database Vault Feature Administration, click Label Security Integration.

  5. In the Label Security Policies page:

    • To register a new label security policy, click Create.

    • To edit an existing label security policy, select it from the list and then click Edit.

  6. Enter the following settings and then click OK:

General

Under General, enter the following settings:

  • Label Security Policy: From the list, select the Oracle Label Security policy that you want to use.

  • Algorithm: Optionally change the label-merging algorithm for cases when Oracle Label Security has merged two labels. In most cases, you may want to select LII - Minimum Level/Intersection/Intersection. This setting is the most commonly used method that Oracle Label Security administrators use when they want to merge two labels. This setting provides optimum flexibility when your applications must determine the resulting label that is required when combining two data sets that have different labels. It is also necessary for situations in which you must perform queries using joins on rows with different data labels.

    For more information on these label-merging algorithms, see Oracle Label Security Administrator's Guide. If you want to use the DVSYS.DBMS_MACADM package to specify a merge algorithm, see Table 12-57, "Oracle Label Security Merge Algorithm Codes" for a full listing of possible merge algorithms.

  • Label for Initialization Errors: Optionally enter a label for initialization errors. The label specified for initialization errors is set when a configuration error or run-time error occurs during session initialization. You can use this setting to assign the session a data label that prevents access or updates to any data the policy protects until the issue is resolved.

Label Security Policy Factors

To select a factor to associate with an Oracle Label Security policy:

  1. In the Available Factors list under Label Security Policy Factors, select the factor that you want to associate with the Oracle Label Security policy.

  2. Click Move to move the factor to the Selected Factors list.


    Note:

    You can select multiple factors by holding down the Ctrl key as you click each factor that you want to select.

After you associate a factor with an Oracle Label Security policy, you can label the factor identities using the labels for the policy. "Adding an Identity to a Factor" provides detailed information.


Note:

If you do not associate an Oracle Label Security policy with factors, then Oracle Database Vault maintains the default Oracle Label Security behavior for the policy.

Tutorial: Integrating Oracle Database Vault with Oracle Label Security

This section contains:

About This Tutorial

You can use Oracle Database Vault factors with Oracle Label Security and Oracle Virtual Private Database (VPD) technology to restrict access to sensitive data. You can restrict this data so that it is only exposed to a database session when the correct combination of factors exists, defined by the security administrator, for any given database session.

This tutorial shows how you can integrate Oracle Database Vault with Oracle Label Security to grant two administrative users who normally have the same privileges different levels of access.

Step 1: Create Users for This Tutorial

  1. Log in to SQL*Plus as a user who has been granted the DV_ACCTMGR role.

    For example:

    sqlplus amalcolm_dvacctmgr
Enter password: password

  2. Create the following users:

    CREATE USER mdale IDENTIFIED BY password;
CREATE USER jsmith IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

  3. Connect as user SYS with the SYSDBA privilege and then grant administrative privileges to users mdale and jsmith.

    CONNECT SYS AS SYSDBA
Enter password: password

GRANT CREATE SESSION, DBA TO mdale, jsmith;

    At this stage, users mdale and jsmith have identical administrative privileges.

Step 2: Create the Oracle Label Security Policy

  1. In SQL*Plus, connect as the Oracle Label Security administrator, LBACSYS.

    CONNECT LBACSYS
Enter password: password

    If user LBACSYS is locked and expired, connect as the Database Vault Account Manager, unlock and unexpire the LBACSYS account, and then log back in as LBACSYS.

    For example:

    CONNECT amalcolm_dvacctmgr
Enter password: password

ALTER USER LBACSYS ACCOUNT UNLOCK IDENTIFIED BY password;

CONNECT LBACSYS
Enter password: password

  2. Create a new Oracle Label Security policy:

    EXEC SA_SYSDBA.CREATE_POLICY('PRIVACY','PRIVACY_COLUMN','NO_CONTROL');

  3. Create the following levels for the PRIVACY policy:

    EXEC SA_COMPONENTS.CREATE_LEVEL('PRIVACY',2000,'S','SENSITIVE');
EXEC SA_COMPONENTS.CREATE_LEVEL('PRIVACY',1000,'C','CONFIDENTIAL');

  4. Create the PII compartment.

    EXEC SA_COMPONENTS.CREATE_COMPARTMENT('PRIVACY',100,'PII','PERS_INFO');

  5. Grant users mdale and jsmith the following labels:

    EXEC SA_USER_ADMIN.SET_USER_LABELS('PRIVACY','mdale','S:PII');
EXEC SA_USER_ADMIN.SET_USER_LABELS('PRIVACY','jsmith','C');

    User mdale is granted the more sensitive label, Sensitive, which includes the PII compartment. User jsmith gets the Confidential label, which is less sensitive.

Step 3: Create Oracle Database Vault Rules to Control the OLS Authorization

  1. Connect to SQL*Plus as the Database Vault Owner.

    For example:

    CONNECT lbrown_dvowner
Enter password: password

  2. Create the following rule set:

    EXEC DVSYS.DBMS_MACADM.CREATE_RULE_SET('PII Rule Set',
 'Protect PII data from privileged users','Y',1,0,2,NULL,NULL,0,NULL);

  3. Create a rule for the PII Rule Set.

    EXEC DVSYS.DBMS_MACADM.CREATE_RULE('Check OLS Factor', 
 'dominates(sa_utl.numeric_label(''PRIVACY''), 
  char_to_label(''PRIVACY'',''S:PII'')) = ''1''');

    Ensure that you use single quotes, as shown in this example, and not double quotes.

  4. Add the Check OLS Factor rule to the PII Rule Set.

    EXEC DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('PII Rule Set', 
 'Check OLS Factor');

  5. Synchronize the Check OLS factor rule.

    EXEC DVSYS.DBMS_MACADM.SYNC_RULES;
COMMIT;

Step 4: Update the ALTER SYSTEM Command Rule to Use the Rule Set

  1. As the Database Vault Owner, check the current value of the ALTER SYSTEM command rule, which is one of the default command rules when you install Oracle Database Vault.

    SELECT * FROM DVSYS.DBA_DV_COMMAND_RULE WHERE COMMAND = 'ALTER SYSTEM';

  2. Make a note of these settings so that you can revert them to their original values later on.

    In a default installation, the ALTER SYSTEM command rule uses the Allow System Parameters rule set, has no object owner or name, and is enabled.

  3. Update the ALTER SYSTEM command rule to include the PII Rule Set.

    EXEC DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE('ALTER SYSTEM', 'PII Rule Set', '%', '%', 'Y');

    This command adds the PII Rule Set to the ALTER SYSTEM command rule, applies it to all object owners and object names, and enables the command rule.

Step 5: Test the Authorizations

  1. In SQL*Plus, log on as user mdale.

    CONNECT mdale
Enter password: password

  2. Check the current setting for the AUDIT_TRAIL initialization parameter.

    SHOW PARAMETER AUDIT_TRAIL

NAME                                 TYPE        VALUE
------------------------------------ ----------- ----------------------
audit_trail                          string      DB

    Make a note of this setting, so that you can revert it to its original setting later on.

  3. As user mdale, use the ALTER SYSTEM statement to modify the AUDIT_TRAIL parameter.

    ALTER SYSTEM SET AUDIT_TRAIL=OS, EXTENDED SCOPE=SPFILE;
System altered.

    Because user mdale was assigned the Sensitive label with the PII compartment, he can use the ALTER SYSTEM statement to modify the AUDIT_TRAIL system parameter.

  4. Set the AUDIT_TRAIL parameter back to its original value, for example:

    ALTER SYSTEM SET AUDIT_TRAIL=DB, EXTENDED SCOPE=SPFILE;

  5. Log in as user jsmith and then issue the same ALTER SYSTEM statement:

    CONNECT jsmith
Enter password: password

ALTER SYSTEM SET AUDIT_TRAIL=OS, EXTENDED SCOPE=SPFILE;

    The following output should appear:

    ERROR at line 1:
ORA-01031: insufficient privileges

    Because user jsmith was assigned only the Confidential label, he cannot perform the ALTER SYSTEM statement.

  6. Now log in as user SYSTEM, who normally has the ALTER SYSTEM privilege, and issue the same ALTER SYSTEM statement:

    CONNECT SYSTEM
Enter password: password

    The following output should appear:

    ERROR at line 1:
ORA-01031: insufficient privileges

    SYSTEM no longer has sufficient privileges needed to perform an ALTER SYSTEM statement. Only users who have been assigned the Sensitive label, as with user mdale, can use the ALTER SYSTEM statement.

Step 6: Remove the Components for This Tutorial

  1. Connect as the Oracle Label Security administrator and remove the label policy and its components.

    CONNECT LBACSYS
Enter password: password

EXEC SA_SYSDBA.DROP_POLICY('PRIVACY', TRUE);

  2. Connect as the Oracle Database Vault Owner and issue the following commands in the order shown, to set the ALTER SYSTEM command rule back to its previous setting and remove the rule set.

    For example:

    CONNECT lbrown_dvowner
Enter password: password

EXEC DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE('ALTER SYSTEM', 'Allow System Parameters','%', '%', 'Y');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('PII Rule Set', 'Check OLS Factor');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Check OLS Factor');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_SET('PII Rule Set');
COMMIT;

  3. Connect as the Database Vault Account Manager and remove users mdale and jsmith.

    CONNECT amalcolm_dvacctmgr
Enter password: password

DROP USER mdale;
DROP USER jsmith;

Related Reports and Data Dictionary Views

Table 9-1 lists Oracle Database Vault reports that are useful for analyzing the integration of Oracle Database Vault and Oracle Label Security. See Chapter 17, "Oracle Database Vault Reports," for information about how to run these reports.

Table 9-1 Reports Related to Database Vault and Oracle Label Security Integration

"Factor Configuration Issues Report"


ReportDescription

Lists factors in which the Oracle Label Security policy does not exist.

"Identity Configuration Issues Report"

Lists invalid label identities (the Oracle Label Security label for this identity has been removed and no longer exists).

"Security Policy Exemption Report"

Lists accounts and roles that have the EXEMPT ACCESS POLICY system privilege granted to them. Accounts that have this privilege can bypass all Virtual Private Database policy filters and any Oracle Label Security policies that use Oracle Virtual Private Database indirectly.


Table 9-2 lists data dictionary views that provide information about existing Oracle Label Security policies used with Oracle Database Vault.

Table 9-2 Data Dictionary Views Used for Oracle Label Security

Data Dictionary ViewDescription

"DBA_DV_MAC_POLICY View"

Lists the Oracle Label Security policies defined

"DBA_DV_MAC_POLICY_FACTOR View"

Lists the factors that are associated with Oracle Label Security policies

"DBA_DV_POLICY_LABEL View"

Lists the Oracle Label Security label for each factor identifier in the DBA_DV_IDENTITY view for each policy


PK^ޕPK)AOEBPS/dvintro.htmaE Introducing Oracle Database Vault

1 Introducing Oracle Database Vault

This chapter contains:

What Is Oracle Database Vault?

Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.

This enables you to apply fine-grained access control to your sensitive data in a variety of ways. It hardens your Oracle Database instance and enforces industry standard best practices in terms of separating duties from traditionally powerful users. Most importantly, it protects your data from super-privileged users but still allows them to maintain your Oracle databases. Oracle Database Vault is an integral component of your enterprise.

With Oracle Database Vault, you address the most difficult security problems remaining today: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty.

You configure Oracle Database Vault to manage the security of an individual Oracle Database instance. You can install Oracle Database Vault on standalone Oracle Database installations, in multiple Oracle homes, and in Oracle Real Application Clusters (Oracle RAC) environments.

For frequently asked questions about Oracle Database Vault, visit

http://www.oracle.com/technetwork/database/focus-areas/security/dbv-faq-083210.html

For Oracle Technology Network (OTN) information specific to Oracle Database Vault, visit

http://www.oracle.com/technetwork/database/options/database-vault/index-085211.html

Components of Oracle Database Vault

Oracle Database Vault has the following components:

Oracle Database Vault Access Control Components

Oracle Database Vault enables you to create the following components to manage security for your database instance:

  • Realms. A realm is a functional grouping of database schemas, objects, and roles that must be secured. For example, you can group a set of schemas, objects, and roles that are related to accounting, sales, or human resources. After you have grouped these into a realm, you can use the realm to control the use of system privileges to specific accounts or roles. This enables you to provide fine-grained access controls for anyone who wants to use these schemas, objects, and roles. Chapter 4, "Configuring Realms," discusses realms in detail.

  • Command rules. A command rule is a special rule that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, database definition language (DDL), and data manipulation language (DML) statements. Command rules must work with rule sets to determine whether the statement is allowed. Chapter 6, "Configuring Command Rules," discusses command rules in detail.

  • Factors. A factor is a named variable or attribute, such as a user location, database IP address, or session user, which Oracle Database Vault can recognize and secure. You can use factors for activities such as authorizing database accounts to connect to the database or creating filtering logic to restrict the visibility and manageability of data. Each factor can have one or more identities. An identity is the actual value of a factor. A factor can have several identities depending on the factor retrieval method or its identity mapping logic. Chapter 7, "Configuring Factors," discusses factors in detail.

  • Rule sets. A rule set is a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment, or secure application role. The rule set evaluates to true or false based on the evaluation of each rule it contains and the evaluation type (All True or Any True). The rule within a rule set is a PL/SQL expression that evaluates to true or false. You can have the same rule in multiple rule sets. Chapter 5, "Configuring Rule Sets," discusses rule sets in detail.

  • Secure application roles. A secure application role is a special Oracle Database role that can be enabled based on the evaluation of an Oracle Database Vault rule set. Chapter 8, "Configuring Secure Application Roles for Oracle Database Vault," discusses secure application roles in detail.

To augment these components, Oracle Database Vault provides a set of PL/SQL interfaces and packages. "Oracle Database Vault PL/SQL Interfaces and Packages" provides an overview.

In general, the first step you take is to create a realm composed of the database schemas or database objects that you want to secure. You can further secure the realm by creating rules, command rules, factors, identities, rule sets, and secure application roles. In addition, you can run reports on the activities these components monitor and protect. Chapter 3, "Getting Started with Oracle Database Vault," provides a simple tutorial that will familiarize you with basic Oracle Database Vault functionality. Chapter 17, "Oracle Database Vault Reports," provides more information about how you can run reports to check the configuration and other activities that Oracle Database Vault performs.

Oracle Database Vault Administrator

Oracle Database Vault Administrator (DVA) is a Java application that is built on top of the Oracle Database Vault PL/SQL application programming interfaces (API). This application allows security managers who may not be proficient in PL/SQL to configure the access control policy through a user-friendly interface. Oracle Database Vault Administrator provides an extensive collection of security-related reports that assist in understanding the baseline security configuration. These reports also help point out deviations from this baseline.

Chapter 4 through Chapter 9 explain how to use Oracle Database Vault Administrator to configure access control policy defined in realms, command rules, factors, rule sets, secure application roles, and how to integrate Oracle Database Vault with other Oracle products. Chapter 17, "Oracle Database Vault Reports," explains Oracle Database Vault reporting.

Oracle Database Vault DVSYS and DVF Schemas

Oracle Database Vault provides a schema, DVSYS, which stores the database objects needed to process Oracle data for Oracle Database Vault. This schema contains the roles, views, accounts, functions, and other database objects that Oracle Database Vault uses. The DVF schema contains public functions to retrieve (at run time) the factor values set in the Oracle Database Vault access control configuration.

Chapter 11, "Oracle Database Vault Objects," describes these schemas in detail.

Oracle Database Vault PL/SQL Interfaces and Packages

Oracle Database Vault provides a collection of PL/SQL interfaces and packages that allow security managers or application developers to configure the access control policy as required. The PL/SQL procedures and functions allow the general database account to operate within the boundaries of access control policy in the context of a given database session.

See Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," and Chapter 12, "Using the DVSYS.DBMS_MACADM Package," for more information.

Oracle Database Vault and Oracle Label Security PL/SQL APIs

Oracle Database Vault provides access control capabilities that can be integrated with Oracle Label Security. The Oracle Label Security database option is integrated with Oracle Enterprise Manager Database Control, which enables the security manager to define label security policy and apply it to database objects. Oracle Label Security also provides a collection of PL/SQL packages that can be used by a database application developer to provide label security policy and protections.

See "Integrating Oracle Database Vault with Oracle Label Security" for more information on how Oracle Database Vault works with Oracle Label Security. See also Oracle Label Security Administrator's Guide for more information about Oracle Policy Manager.

Oracle Database Vault Reporting and Monitoring Tools

You can generate reports on the various activities that Oracle Database Vault monitors. In addition, you can monitor policy changes, security violation attempts, and database configuration and structural changes.

See Chapter 17, "Oracle Database Vault Reports," for more information about the reports that you can generate. Chapter 16, "Monitoring Oracle Database Vault," explains how to monitor Oracle Database Vault.

How Oracle Database Vault Addresses Compliance Regulations

One of the biggest side benefits resulting from regulatory compliance has been security awareness. Historically, the focus of the information technology (IT) department has been on high availability and performance. The focus on regulatory compliance has required everyone to take a step back and look at their IT infrastructure, databases, and applications from a security angle. Common questions include:

  • Who has access to this information?

  • Where is the sensitive information stored?

Regulations such as the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA), International Convergence of Capital Measurement and Capital Standards: a Revised Framework (Basel II), Japan Privacy Law, Payment Card Industry Data Security Standard (PCI DSS), and the European Union Directive on Privacy and Electronic Communications have common themes that include internal controls, separation of duty, and access control.

While most changes required by regulations such as Sarbanes-Oxley and HIPAA are procedural, the remainder may require technology investments. A common security requirement found in regulations is stringent internal controls. The degree to which Oracle Database Vault helps an organization achieve compliance varies with the regulation. In general, Oracle Database Vault realms, separation of duty features, command rules, and factors help reduce the overall security risks that regulation provisions worldwide address.

Table 1-1 lists regulations that address potential security threats.

Table 1-1 Regulations That Address Potential Security Threats

RegulationPotential Security Threat

Sarbanes-Oxley Section 302

Unauthorized changes to data

Sarbanes-Oxley Section 404

Modification to data, unauthorized access

Sarbanes-Oxley Section 409

Denial of service, unauthorized access

Gramm-Leach-Bliley

Unauthorized access, modification, or disclosure

Health Insurance Portability and Accountability Act (HIPAA) 164.306

Unauthorized access to data

HIPAA 164.312

Unauthorized access to data

Basel II – Internal Risk Management

Unauthorized access to data

CFR Part 11

Unauthorized access to data

Japan Privacy Law

Unauthorized access to data

EU Directive on Privacy and Electronic Communications

Unauthorized access to data

Payment Card Industry Data Security Standard (PCI DSS)

Unauthorized changes to data


How Oracle Database Vault Addresses Insider Threats

For many years, worms, viruses, and the external intruder (hacker) have been perceived as the biggest threats to computer systems. Unfortunately, what is often overlooked is the potential for trusted users or privileged users to steal or modify data.

Oracle Database Vault protects against insider threats by using realms, factors, and command rules. Combined, these provide powerful security tools to help secure access to databases, applications, and sensitive information. You can combine rules and factors to control the conditions under which commands in the database are allowed to execute, and to control access to data protected by a realm. For example, you can create rules and factors to control access to data based on IP addresses, the time of day, and specific programs. These can limit access to only those connections pass these conditions. This can prevent unauthorized access to the application data and access to the database by unauthorized applications.

Oracle Database Vault provides built-in factors that you can use in combination with rules to control access to the database, realm-protected applications, and commands within the database.

You can associate rules and factors with dozens of commands within the database to provide stronger internal controls within the database. You can customize these to meet the operational policies for your site. For example, you could define a rule to limit execution of the ALTER SYSTEM statement to a specific IP address and host name.

How Oracle Database Vault Allows for Flexible Security Policies

Oracle Database Vault helps you design flexible security policies for your database. For example, any database user, such as SYSTEM, who has the DBA role, can make modifications to basic parameters in a database. Suppose an inexperienced administrator who has system privileges decides to start a new redo log file but does not realize that doing so at a particular time may cause problems for the database. With Oracle Database Vault, you can create a command rule to prevent this user from making such modifications by limiting his or her usage of the ALTER SYSTEM SWITCH LOGFILE statement. Furthermore, you can attach rules to the command rule to restrict activity further, such as limiting the statement's execution in the following ways:

  • By time (for example, only during 4 p.m. and 5 p.m. on Friday afternoons)

  • By local access only, that is, not remotely

  • By IP address (for example, allowing the action to only a specified range of IP addresses)

In this way, you can carefully control and protect your system. You can disable and reenable command rules when you need to, and easily maintain them from one central location using Oracle Database Vault Administrator.

How Oracle Database Vault Addresses Database Consolidation Concerns

Oracle customers today still have hundreds and even thousands of databases distributed throughout the enterprise and around the world. However, database consolidation will continue as a cost-saving strategy in the coming years. The physical security provided by the distributed database architecture must be available in the consolidated environment. Oracle Database Vault addresses the primary security concerns of database consolidation.

Figure 1-1 illustrates how Oracle Database Vault addresses the following database security concerns:

  • Administrative privileged account access to application data: In this case, Oracle Database Vault prevents the DBA from accessing the schemas that are protected by the FIN Realm. Although the DBA is the most powerful and trusted user, the DBA does not need access to application data residing within the database.

  • Separation of duties for application data access: In this case, the FIN Realm Owner, created in Oracle Database Vault, has access to the FIN Realm schemas.

Figure 1-1 Oracle Database Vault Security

Description of Figure 1-1 follows
Description of "Figure 1-1 Oracle Database Vault Security"

Database consolidation can result in multiple powerful user accounts residing in a single database. This means that in addition to the overall database DBA, individual application schema owners also may have powerful privileges. Revoking some privileges may adversely affect existing applications. Using Oracle Database Vault realms, you can enforce access to applications through a trusted path, preventing database users who have not been specifically authorized access from using powerful privileges to look at application data. For example, a DBA who has the SELECT ANY TABLE privilege can be prevented from using that privilege to view application data.

PK ;aaPK)A OEBPS/lot.htm." List of Tables

List of Tables

PKM..PK)AOEBPS/cfseappr.htmvm Configuring Secure Application Roles for Oracle Database Vault

8 Configuring Secure Application Roles for Oracle Database Vault

This chapter contains:

What Are Secure Application Roles in Oracle Database Vault?

In Oracle Database Vault, you can create a secure application role that you enable with an Oracle Database Vault rule set. Regular Oracle Database secure application roles are enabled by custom PL/SQL procedures. You use secure application roles to prevent users from accessing data from outside an application. This forces users to work within the framework of the application privileges that have been granted to the role.

The advantage of basing database access for a role on a rule set is that you can store database security policies in one central place, as opposed to storing them in all your applications. Basing the role on a rule set provides a consistent and flexible method to enforce the security policies that the role provides. In this way, if you must update the security policy for the application role, you do it in one place, the rule set. Furthermore, no matter how the user connects to the database, the result is the same, because the rule set is bound to the role. All you need to do is to create the role and then associate it with a rule set. The associated rule set validates the user who is trying to enable the role.

You can run reports on secure application roles that you create in Oracle Database Vault. See "Related Reports and Data Dictionary View" for more information.

This chapter explains how to configure secure application roles by using Oracle Database Vault Administrator. To configure secure application roles by using the PL/SQL interfaces and packages provided by Oracle Database Vault, refer to the following chapters:

Creating and Editing Secure Application Roles

Follow these steps:

  1. Create a rule set that contains at least one rule to set the conditions for allowing or disallowing the user to enable the role.

    When you create the underlying rule for the rule set, remember that the rule should validate the user who is trying to enable the role. The rule should validate the user who is trying to log in. See Chapter 5, "Configuring Rule Sets," for more information about rule sets.

  2. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  3. In the Administration page, under Database Vault Feature Administration, click Secure Application Roles.

  4. In the Secure Application Roles page:

    • To create a new secure application role, click Create.

    • To edit an existing secure application role, select it from the list and then click Edit.

      Remember that you can modify an existing secure application role only if it has been created in Oracle Database Vault. You cannot modify secure application roles or database roles that have been created outside of Oracle Database Vault. If you want to modify an existing Oracle Database role so that it can work with Oracle Database Vault, create a new secure application role in Oracle Database Vault and then grant the existing role to the secure application role. For example, in SQL*Plus:

      GRANT myExistingDBrole TO myDVrole;

      After you create a new secure application role, you must modify your code to use this new role. You can use DVSYS.DBMS_MACSEC_ROLES.SET_ROLE in your application code to accomplish this. See "SET_ROLE Procedure" for more information about the SET_ROLE function.

  5. In the Create (or Edit) Role page, enter the following settings and then click OK.

General

Enter the following settings:

  • Role: Enter the name using no more than 30 characters, with no spaces. Preferably, enter the role name in upper case letters, though you are not required to do so. Ensure that this name follows the standard Oracle naming conventions for role creation using the CREATE ROLE statement, described in Oracle Database SQL Language Reference. This attribute is mandatory.

  • Status: Select either Enabled or Disabled to enable or disable the secure application role during run time. The default is Enabled. This attribute is mandatory.

    • Enabled: Enables the role to be available for use. That is, users are allowed to call the DVSYS.DBMS_MACSEC_ROLES.SET_ROLE function to try to enable the role. Note that whether or not the role will be enabled depends on the evaluation result of the associated rule set.

      See "SET_ROLE Procedure" for more information about this function.

    • Disabled: Disables the role from being available for use. The DVSYS.DBMS_MACSEC_ROLES.SET_ROLE function will not be able to enable the role.

    See "Oracle Database Vault PL/SQL Packages" for more information about the DVSYS.DBMS_MACSEC_ROLES.SET_ROLE function.

Rule Set

From the list, select the rule set that you want to associate with the secure application role. This attribute is mandatory.

When calling DVSYS.DBMS_MACSEC_ROLES.SET_ROLE, if the rule set evaluates to true, then Oracle Database Vault sets the role for the database session. If the rule set evaluates to false, then the role is not set.

See Chapter 5, "Configuring Rule Sets," for more information about rule sets.

Securing a Secure Application Role

Users who have database administrative privileges may try to use the DROP ROLE SQL statement to delete secure application roles that were created using Oracle Database Vault.

Whenever an Oracle Database Vault secure application role has been created, Database Vault adds the secure application role to the Database Vault realm. This prevents the database administrator from deleting the secure application role.

Deleting a Secure Application Role

Before you delete a secure application role, you can locate the various references to it by querying the role-related Oracle Database Vault views. See "Oracle Database Vault Data Dictionary Views" for more information.

To delete a secure application role:

  1. Check and modify any applications that may be using the secure application role that you want to delete.

  2. In the Oracle Database Vault Administration page, select Secure Application Roles.

  3. In the Secure Application Roles page, select the role that you want to remove.

  4. Click Remove.

  5. In the Confirmation page, click Yes.

How Secure Application Roles Work

The process flow for a secure application role that is managed by Oracle Database Vault is as follows:

  1. Create or update the role either in Oracle Database Vault Administrator or by using the secure application role-specific functions in the DVSYS.DBMS_MACADM package.

    See "Secure Application Role Procedures Within DVSYS.DBMS_MACADM" for more information.

  2. Modify your application to call the role, by using the DVSYS.DBMS_MACSEC_ROLES.SET_ROLE function.

    See "SET_ROLE Procedure" for more information.

  3. Oracle Database Vault then evaluates the rule set associated with the secure application role.

    If the rule set evaluates to true, then Oracle Database Vault enables the role for the current session. If the rule set evaluates to false, the role is not enabled. In either case, Oracle Database Vault processes the associated auditing and custom event handlers for the rule set associated with the secure application role.

Tutorial: Granting Access with Database Vault Secure Application Roles

This section contains:

About This Tutorial

In this tutorial, you restrict the SELECT SQL statement on the ORDERS table in the OE schema to a specific set of users. Furthermore, these users can only perform these statements on the OE.ORDERS table from within the office, not from a remote connection. To accomplish this, you create an Oracle Database Vault secure application role that is enabled for the user only if the user passes the checks enforced by the rule set that you associate with the secure application role.

Step 1: Create Users for This Tutorial

  1. Log in to SQL*Plus as a user who has been granted the DV_ACCTMGR role.

    For example:

    sqlplus amalcolm_dvacctmgr
Enter password: password

  2. Create the following user accounts:

    CREATE USER eabel IDENTIFIED BY password;
CREATE USER ahutton IDENTIFIED BY password;
CREATE USER ldoran IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

  3. Connect as SYS using the SYSDBA privilege, and then grant these users the CREATE SESSION privilege.

    CONNECT SYS AS SYSDBA
Enter password: password

GRANT CREATE SESSION TO eabel, ahutton, ldoran;

Step 2: Enable the OE User Account

  1. In SQL*Plus, connect as the DV_ACCTMGR user.

    For example:

    CONNECT amalcolm_dvacctmgr
Enter password: password

  2. Check the account status of the OE account.

    SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS WHERE USERNAME = 'OE';

  3. If the OE account is locked and expired, unlock it and assign it a new password.

    ALTER USER OE ACCOUNT UNLOCK IDENTIFIED BY password;

Step 3: Create the Rule Set and Its Rules

  1. Log in to Oracle Database Vault Administrator as a user who has been granted the DV_OWNER or DV_ADMIN role.

    "Starting Oracle Database Vault" explains how to log in.

  2. In the Administration page, select Rule Sets.

    The Rule Sets page appears.

  3. Click Create.

    The Create Rule Set page appears.

  4. Enter the following information:

    • Name: Can Modify Orders

    • Description: Rule set to control who can modify orders in the OE.ORDERS table

  5. Leave the remaining settings and their defaults, and then click OK.

  6. In the Rule Sets page, select the Can Modify Orders rule set, and then click Edit.

    The Edit Rule Set: Can Modify Orders page appears.

  7. Scroll to the bottom of the page and under Rules Associated To The Rule Set, click Create.

  8. Create the following two rules:


    		Rule NameRule Expression

    		Check IP AddressDVF.F$CLIENT_IP = '192.0.2.12'

    		Check Session UserDVF.F$SESSION_USER IN ('EABEL', 'AHUTTON')

    For the Check IP Address rule, replace 123.45.67.89 with the IP address for your own computer. In a real-world scenario, you would create an expression that includes all the IP addresses for the users who should be allowed access.

    Both of these rules use the default factors Client_IP and Session_User. See "Default Factors" for more information about these factors. If these factors have been removed or modified, you can use the following rule expressions instead:

    • Check IP Address: UPPER(SYS_CONTEXT('USERENV','IP_ADDRESS')) = '192.0.2.12'

    • Check Session User: UPPER(SYS_CONTEXT('USERENV','SESSION_USER')) IN ('EABEL', 'AHUTTON')

  9. Ensure that the Status setting for the Can Modify Orders table is set to Enabled and Evaluation Options is set to All True.

  10. Click OK.

Step 4: Create the Database Vault Secure Application Role

  1. In Oracle Database Vault, return to the Administration page.

  2. Under Administration, select Secure Application Roles.

    The Secure Application Roles page appears.

  3. Click Create.

    The Create Role page appears.

  4. In the Role box, enter ORDERS_MGMT to name the role.

  5. Under Rule Set, select Can Modify Orders.

  6. Click OK.

At this stage, the Database Vault secure application role and its associated rule set are created, though the role does not yet have any privileges.

Step 5: Grant the SELECT Privilege to the Secure Application Role

  1. In SQL*Plus, connect as user OE.

    CONNECT OE
Enter password: password

  2. Grant the SELECT privilege to the ORDERS_MGMT Database Vault Secure application role.

    GRANT SELECT ON ORDERS TO ORDERS_MGMT;

Step 6: Test the Database Vault Secure Application Role

  1. In SQL*Plus, connect directly to the database as user eabel.

    CONNECT eabel@orcl
Enter password: password

    Replace orcl with the name of your database instance.

  2. Set the ORDERS_MGMT role.

    EXEC DVSYS.DBMS_MACSEC_ROLES.SET_ROLE('ORDERS_MGMT');

    Typically, you would embed this call in the application that the user logs in to.

  3. Select from the OE.ORDERS table.

    SELECT COUNT(*) FROM OE.ORDERS;

    The following output should appear:

      COUNT(*)
----------
       105

    Because user eabel is logging directly into the database from the correct IP address and is listed as a valid session user, she can select from the OE.ORDERS table. If user ahutton logs in to SQL*Plus in the same manner, she also can select from the OE.ORDERS table.

  4. Reconnect as user eabel without specifying the database instance, and then try to select from the OE.ORDERS table again.

    CONNECT eabel
Enter password: password

EXEC DVSYS.DBMS_MACSEC_ROLES.SET_ROLE('ORDERS_MGMT');

    The following output should appear:

    Error at line 1: 
ORA-47305: Rule Set Violation on SET ROLE (Can Modfiy Orders)
...

    Next:

    SELECT COUNT(*) FROM OE.ORDERS;

    The following output should appear:

    ERROR at line 1:
ORA-00942: table or view does not exist

    Even though user eabel is a valid user, she has violated the Check IP Address rule in the rule set, so she is not granted the ORDERS_MGMT role. The only way for the IP address to be recognized is to connect by specifying the database instance, as user eabel did in Step 1. (For an explanation about how this works, see Step 7 in "Step 3: Map the Domain Factor Identities to the Client_IP Factor", in Chapter 7.)

  5. Connect as user ldoran and then enter the following statements:

    EXEC DVSYS.DBMS_MACSEC_ROLES.SET_ROLE('ORDERS_MGMT');
SELECT COUNT(*) FROM OE.ORDERS;

    Because user ldoran is not a valid user, she is not granted the ORDERS_MGMT role. Therefore, she cannot select from the OE.ORDERS table.

Step 7: Remove the Components for This Tutorial

  1. Log into SQL*Plus as the DV_OWNER or DV_ADMIN user.

    For example:

    CONNECT lbrown_dvowner
Enter password: password

  2. Delete the ORDERS_MGMT secure application role.

    EXEC DVSYS.DBMS_MACADM.DELETE_ROLE('ORDERS_MGMT');

  3. Enter the following commands in the order shown to remove the Can Modify Orders rule set.

    EXEC DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('Can Modify Orders', 'Check IP Address');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('Can Modify Orders', 'Check Session User');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Check IP Address');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Check Session User');
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_SET('Can Modify Orders');
COMMIT;

  4. Connect as the Database Vault Account Manager and drop the users.

    For example:

    CONNECT amalcolm_dvacctmgr
Enter password: password

DROP USER eabel;
DROP USER ahutton;
DROP USER ldoran;

  5. If uneccessary, lock and expire the OE user account.

    ALTER USER OE ACCOUNT LOCK PASSWORD EXPIRE;

How Secure Application Roles Affect Performance

You can check system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Database Control, which is installed by default with Oracle Database), Statspack, and TKPROF. For more information about Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation set. For information about Database Control, refer to its online Help. Oracle Database Performance Tuning Guide describes the Statspack and TKPROF utilities.

Related Reports and Data Dictionary View

Table 8-1 lists Oracle Database Vault reports that are useful for analyzing Oracle Database Vault secure application roles. See Chapter 17, "Oracle Database Vault Reports," for information about how to run these reports.

Table 8-1 Reports Related to Secure Application Roles

ReportDescription

"Secure Application Role Audit Report"

Lists audit records generated by the Oracle Database Vault secure application role-enabling operation.

To generate this type of audit record, enable auditing for the rule set associated with the role.

"Secure Application Configuration Issues Report"

Lists secure application roles that have nonexistent database roles, or incomplete or disabled rule sets

"Rule Set Configuration Issues Report"

Lists rule sets that have no rules defined or enabled, which may affect the secure application roles that use them

"Powerful Database Accounts and Roles Reports"

Provides information about powerful database accounts and roles


You can use the DBA_DV_ROLE data dictionary view to find the Oracle Database Vault secure application roles used in privilege management. See "DBA_DV_ROLE View" for more information.

PKŅvvvPK)AOEBPS/db_objects.htm Oracle Database Vault Objects

11 Oracle Database Vault Objects

This chapter contains:

Oracle Database Vault Schemas

The Oracle Database Vault objects include two schemas with database tables, sequences, views, triggers, roles, packages, procedures, functions, and contexts that support the administration and run-time processing of Oracle Database Vault.

Oracle Database Vault has the following schemas:

  • DVSYS Schema: Owns the Oracle Database Vault schema and related objects

  • DVF Schema: Owns the Oracle Database Vault functions that are created to retrieve factor identities

DVSYS Schema

The DVSYS schema contains Oracle Database Vault database objects, which store Oracle Database Vault configuration information and support the administration and run-time processing of Oracle Database Vault. In a default installation, the DVSYS schema is locked. The DVSYS schema also owns the AUDIT_TRAIL$ table.

Oracle Database Vault secures the DVSYS schema by using a protected schema design. A protected schema design guards the schema against improper use of system privileges (for example, SELECT ANY TABLE, CREATE ANY VIEW, or DROP ANY).

Oracle Database Vault protects and secures the DVSYS schema in the following ways:

  • The DVSYS protected schema and its administrative roles cannot be dropped. By default, the DVSYS account is locked.

  • Statements such as CREATE USER, ALTER USER, DROP USER, CREATE PROFILE, ALTER PROFILE, and DROP PROFILE can only be issued by a user with the DV_ACCTMGR role. SYSDBA can issue these statements only if it is allowed to do so by modifying the Can Maintain Accounts/Profiles rule set.

  • The powerful ANY system privileges for database definition language (DDL) and data manipulation language (DML) commands are blocked in the protected schema. This means that the objects in the DVSYS schema must be created by the schema account itself. Also, access to the schema objects must be authorized through object privilege grants.

  • Object privileges in the DVSYS schema can only be granted to administrative roles in the schema. This means that users can access the protected schema only through predefined administrative roles.

  • Only the protected schema account DVSYS can issue ALTER ROLE statements on predefined administrative roles of the schema. "Oracle Database Vault Roles" describes Oracle Database Vault administrative roles in detail.

  • Only the protected schema account DVSYS can grant predefined roles to users along with the ADMIN OPTION. This means that a grantee with the ADMIN OPTION can grant the role to another user without the ADMIN OPTION.

  • The SYS.DBMS_SYS_SQL.PARSE_AS_USER procedure cannot be used to run SQL statements on behalf of the protected schema DVSYS.


Note:

Database users can grant additional object privileges and roles to the Oracle Database Vault Administrative roles (DV_ADMIN and DV_OWNER, for example) provided they have sufficient privileges to do so.

DVF Schema

The DVF schema is the owner of the Oracle Database Vault DBMS_MACSEC_FUNCTION PL/SQL package, which contains the functions that retrieve factor identities. After you install Oracle Database Vault, the installation process locks the DVF account to better secure it. When you create a new factor, Oracle Database Vault creates a new retrieval function for the factor and saves it in this schema.

Oracle Database Vault Roles

This section describes the default roles Oracle Database Vault provides. It includes the following topics:

About Oracle Database Vault Roles

Oracle Database Vault provides a set of roles that are required for managing Oracle Database Vault.

Figure 11-1 illustrates how these roles are designed to implement the first level of separation of duties within the database. How you use these roles depends on the requirements that your company has in place.


See Also:

Oracle Database Security Guide for general guidelines on managing roles

Figure 11-1 How Oracle Database Vault Roles Are Categorized

Description of Figure 11-1 follows
Description of "Figure 11-1 How Oracle Database Vault Roles Are Categorized"


Note:

You can grant additional object privileges and roles to the Oracle Database Vault roles to extend their scope of privileges. For example, SYSDBA can grant object privileges to an Oracle Database Vault role as long as the object is not in the DVSYS schema or realm.

Table 11-1 summarizes the privileges available with Oracle Database Vault roles. (The DV_PATCH_ADMIN, DV_STREAMS_ADMIN, DV_XSTREAM, DV_GOLDENGATE_ADMIN, and DV_GOLDENGATE_REDO_ACCESS roles are not included because they have no system privileges.)

Table 11-1 Privileges of Oracle Database Vault Roles

PrivilegeDV_OWNERDV_ADMINDV_MONITORDV_SECANALYSTDV_ACCTMGRDV_REALM_OWNER DV_REALM_RESOURCEDV_PUBLIC

DVSYS schema, EXEC

YesFoot 1 

YesFoot 2 

No

No

No

No

No

No

DVSYS packages, EXECUTE

Yes

Yes

No

No

No

No

No

No

DVSYS schema, SELECT

Yes

Yes

Yes

Yes, on some Database Vault viewsFoot 3 

No

No

No

NoFoot 4 

DVSYS schema, grant privileges on objects

No

No

No

No

No

No

No

No

DVF schema, EXECUTE

Yes

No

No

No

No

No

No

No

DVF schema, SELECT

No

No

No

Yes

No

No

No

No

Monitor Database Vault

Yes

Yes

Yes

Yes

No

No

No

No

Run Database Vault reports

Yes

Yes

No

Yes

No

No

No

No

SYS schema, SELECT

Yes

No

Yes

Yes, on the same system views as DV_OWNER and DV_ADMIN

No

No

No

No

SYSMAN schema, SELECT

No

No

No

Yes, portions of

No

No

No

No

CREATE, ALTER, DROP user accounts and profilesFoot 5 

No

No

No

No

Yes

No

No

No

Manage objects in schemas that define a realmFoot 6 

No

No

No

No

No

YesFoot 7 

No

No

RESOURCE role privilegesFoot 8 

No

No

No

No

No

No

Yes

No


Footnote 1 Includes the EXECUTE privilege on all Oracle Database Vault PL/SQL packages.

Footnote 2 Includes the EXECUTE privilege on all Oracle Database Vault PL/SQL packages.

Footnote 3 DV_SECANALYST can query DVSYS schema objects through Oracle Database Vault-supplied views only.

Footnote 4 DV_PUBLIC can query DVSYS schema objects through Oracle Database Vault-supplied views only.

Footnote 5 This privilege does not include the ability to drop or alter the DVSYS account, nor change the DVSYS password.

Footnote 6 This privilege includes ANY privileges, such as CREATE ANY, ALTER ANY, and DROP ANY.

Footnote 7 The user with this role also must be the realm participant or owner to exercise his or her system privileges

Footnote 8 The RESOURCE role provides the following system privileges: CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE.

DV_OWNER Database Vault Owner Role

Use the DV_OWNER role to manage the Oracle Database Vault roles and its configuration. In this guide, the example account that uses this role is lbrown_dvowner.

Privileges Associated with the DV_OWNER Role

The DV_OWNER role has the administrative capabilities that the DV_ADMIN role provides, and the reporting capabilities the DV_SECANALYST role provides. It also provides privileges for monitoring Oracle Database Vault. It is created when you install Oracle Database Vault, and has the most privileges on the DVSYS schema. In addition to DV_ADMIN role, the DV_OWNER role has the GRANT ANY ROLE, ADMINISTER DATABASE TRIGGER, and ALTER ANY TRIGGER privileges.


Tip:

Consider creating a separate, named account for the DV_OWNER user. This way, if the user is no longer available (for example, he or she left the company), then you can easily recreate this user account and then grant this user the DV_OWNER role.

To find the full list of system and object privileges associated with the DV_OWNER role, log in to SQL*Plus with administrative privileges and then enter the following queries:

SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_OWNER';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_OWNER';

When you install and register Oracle Database Vault, the DV_OWNER account is created. The user who is granted this role is also granted the ADMIN option and can run any Oracle Database Vault roles (except DV_ACCTMGR) without the ADMIN OPTION to any account. Users granted this role also can run Oracle Database Vault reports and monitor Oracle Database Vault.

How Are GRANT and REVOKE Operations Affected by the DV_OWNER Role?

Anyone with the DV_OWNER role can grant the DV_OWNER and DV_ADMIN roles to another user. The account granted this role can revoke any granted protected schema role from another account. Accounts such as SYS or SYSTEM, with the GRANT ANY ROLE system privilege alone (directly granted or indirectly granted using a role) do not have the right to grant or revoke the DV_OWNER role to or from any other database account. Note also that a user with the DV_OWNER role cannot grant or revoke the DV_ACCTMGR role.

Managing Password Changes for Users Who Have the DV_OWNER Role

Before you can change the password for another user who has been granted the DV_OWNER role, you must revoke the DV_OWNER role from that user account. However, be cautious about revoking the DV_OWNER role. At least one user on your site must have this role granted. If another DV_OWNER user has been granted this role and needs to have his or her password changed, then you can temporarily revoke DV_OWNER from that user. Note also that if you have been granted the DV_OWNER role, then you can change your own password without having to revoke the role from yourself.

To change the DV_OWNER user password:

  1. Log in to SQL*Plus using an account that has been granted the DV_OWNER role.

  2. Revoke the DV_OWNER role from the user account whose password needs to change.

  3. Connect as a user who has been granted the DV_ACCTMGR role and then change the password for this user.

  4. Connect as the DV_OWNER user and then grant the DV_OWNER role back to the user whose password you changed.

Alternatively, you can temporarily disable Oracle Database Vault, log on as a user who has been granted the ALTER USER privilege, and then modify the DV_OWNER user password. Afterward, re-enable Database Vault. See Appendix B, "Disabling and Enabling Oracle Database Vault," for more information.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

DV_ADMIN Database Vault Configuration Administrator Role

The DV_ADMIN role controls the Oracle Database Vault PL/SQL packages.

Privileges Associated with the DV_ADMIN Role

The DV_ADMIN role has the EXECUTE privilege on the DVSYS packages (DBMS_MACADM, DBMS_MACSECROLES, and DBMS_MACUTL). DV_ADMIN also has the capabilities provided by the DV_SECANALYST role, which allow the user to run Oracle Database Vault reports and monitor Oracle Database Vault. During installation, the DV_ADMIN role is granted to the DV_OWNER role with the ADMIN OPTION during installation.

To find the full list of system and object privileges associated with the DV_ADMIN role, log in to SQL*Plus with administrative privileges and then enter the following queries:

SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ADMIN';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ADMIN';

How Are GRANT and REVOKE Operations Affected by the DV_ADMIN Role?

Accounts such as SYS or SYSTEM, with the GRANT ANY ROLE system privilege alone do not have the rights to grant or revoke DV_ADMIN from any other database account. The user with the DV_OWNER or DV_ADMIN role can grant or revoke this role to and from any database account.

Managing Password Changes for Users Who Have the DV_ADMIN Role

Before you can change the password for a user who has been granted the DV_ADMIN role, you must revoke the DV_ADMIN role from this account. If you have been granted the DV_ADMIN role, then you can change your own password without having to revoke the role from yourself.

To change the DV_ADMIN user password:

  1. Log in to SQL*Plus using an account that has been granted the DV_OWNER role.

  2. Revoke the DV_ADMIN role from the user account whose password needs to change.

  3. Connect as a user who has been granted the DV_ACCTMGR role and then change the password for this user.

  4. Connect as the DV_OWNER user and then grant the DV_ADMIN role back to the user whose password you changed.

Alternatively, you can temporarily disable Oracle Database Vault, log on as a user who has been granted the ALTER USER privilege, and then modify the DV_ADMIN user password. Afterward, re-enable Database Vault. See Appendix B, "Disabling and Enabling Oracle Database Vault," for more information.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

DV_MONITOR Database Vault Monitoring Role

The DV_MONITOR role enables the Oracle Enterprise Manager Grid Control agent to monitor Oracle Database Vault for attempted violations and configuration issues with realm or command rule definitions. This enables Grid Control to read and propagate realm definitions and command rule definitions between databases.

Privileges Associated with the DV_MONITOR Role

There are no system privileges associated with the DV_MONITOR role, but it does have some the SELECT privilege on some SYS and DVSYS objects. To find the full list of DV_MONITOR object privileges, log in to SQL*Plus with administrative privileges and then enter the following query:

SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_MONITOR';

How Are GRANT and REVOKE Operations Affected by the DV_MONITOR Role?

By default, this role is granted to the DV_OWNER role, the DV_ADMIN role, the DV_SECANALYST role, and the DBSNMP user. Only a user who has been granted the DV_OWNER privilege can grant or revoke the DV_MONITOR role to another user. You cannot grant this role with the ADMIN option.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

DV_SECANALYST Database Vault Security Analyst Role

Use the DV_SECANALYST role to run Oracle Database Vault reports and monitor Oracle Database Vault. This role is also used for database-related reports. In addition, this role enables you to check the DVSYS configuration by querying the DVSYS views described in "Oracle Database Vault Data Dictionary Views".

Privileges Associated with the DV_SECANALYST Role

There are no system privileges associated with the DV_SECANALYST role, but it does have the SELECT privilege for the DVSYS object schema and portions of the SYS and SYSMAN schema objects for reporting on DVSYS- and DVF-related entities. To find the full list of DV_SECANALYST object privileges, log in to SQL*Plus with administrative privileges and then enter the following query:

SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_SECANALYST';

How Are GRANT and REVOKE Operations Affected by the DV_SECANALYST Role?

Any account, such as SYS or SYSTEM, with the GRANT ANY ROLE system privilege alone does not have the rights to grant this role to or revoke this role from any other database account. Only the user with the DV_OWNER role can grant or revoke this role to and from another user.

Managing Password Changes for Users Who Have the DV_SECANALYST Role

Before you can change the password for a user who has been granted the DV_SECANALYST role, you must revoke the DV_SECANALYST role from this account. If you have been granted the DV_SECANALYST role, then you can change your own password without having to revoke the role from yourself.

To change the DV_SECANALYST user password:

  1. Log in to SQL*Plus using an account that has been granted the DV_OWNER role.

  2. Revoke the DV_SECANALYST role from the user account whose password needs to change.

  3. Connect as a user who has been granted the DV_ACCTMGR role and then change the password for this user.

  4. Connect as the DV_OWNER user and then grant the DV_SECANALYST role back to the user whose password you changed.

Alternatively, you can temporarily disable Oracle Database Vault, log on as a user who has been granted the ALTER USER privilege, and then modify the DV_SECANALYST user password. Afterward, re-enable Database Vault. See Appendix B, "Disabling and Enabling Oracle Database Vault," for more information.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

DV_STREAMS_ADMIN Oracle Streams Configuration Role

Grant the DV_STREAMS_ADMIN role to any user who is responsible for configuring Oracle Streams in an Oracle Database Vault environment. This enables the management of Oracle Streams processes to be tightly controlled by Database Vault, but does not change or restrict the way an administrator would normally configure Oracle Streams.

Privileges Associated with the DV_STREAMS_ADMIN Role

There are no system privileges associated with the DV_STREAMS_ADMIN role, but it does have the SELECT privilege on DVSYS objects. To find the full list of DV_STREAMS_ADMIN object privileges, log in to SQL*Plus with administrative privileges and then enter the following query:

SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_STREAMS_ADMIN';

Be aware that the DV_STREAMS_ADMIN role does not provide a sufficient set of database privileges for configuring Oracle Streams. Rather, the DV_STREAMS_ADMIN role is an additional requirement (that is, in addition to the privileges that Oracle Streams currently requires) for database administrators to configure Oracle Streams in an Oracle Database Vault environment.

How Are GRANT and REVOKE Operations Affected by the DV_STREAMS_ADMIN Role?

You cannot grant the DV_STREAMS_ADMIN role with ADMIN OPTION. Only users who have been granted the DV_OWNER role can grant or revoke the DV_STREAMS_ADMIN role to or from other users.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

DV_XSTREAM_ADMIN XStream Administrative Role

Grant the DV_XSTREAM_ADMIN role to any user who is responsible for configuring XStream in an Oracle Database Vault environment. This enables the management of XStream processes to be tightly controlled by Database Vault, but does not change or restrict the way an administrator would normally configure XStream.

Privileges Associated with the DV_XSTREAM_ADMIN Role

There are no privileges associated with the DV_XSTREAM_ADMIN role.

Be aware that the DV_XSTREAM_ADMIN role does not provide a sufficient set of database privileges for configuring XStream. Rather, the DV_XSTREAM_ADMIN role is an additional requirement (that is, in addition to the privileges that XStream currently requires) for database administrators to configure XStream in an Oracle Database Vault environment.

How Are GRANT and REVOKE Operations Affected by the DV_XSTREAM_ADMIN Role?

You cannot grant the DV_XSTREAM_ADMIN role with ADMIN OPTION. Only users who have been granted the DV_OWNER role can grant or revoke the DV_XSTREAM_ADMIN role to or from other users.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

DV_GOLDENGATE_ADMIN Oracle GoldenGate Administrative Role

Grant the DV_GOLDENGATE_ADMIN role to any user who is responsible for configuring Oracle GoldenGate in an Oracle Database Vault environment. This enables the management of Oracle GoldenGate processes to be tightly controlled by Database Vault, but does not change or restrict the way an administrator would normally configure Oracle GoldenGate.

Privileges Associated with the DV_GOLDENGATE_ADMIN Role

There are no privileges associated with the DV_GOLDENGATE_ADMIN role.

Be aware that the DV_GOLDENGATE_ADMIN role does not provide a sufficient set of database privileges for configuring Oracle GoldenGate. Rather, the DV_GOLDENGATE_ADMIN role is an additional requirement (that is, in addition to the privileges that Oracle GoldenGate currently requires) for database administrators to configure XStream in an Oracle Database Vault environment.

How Are GRANT and REVOKE Operations Affected by the DV_GOLDENGATE_ADMIN Role?

You cannot grant the DV_GOLDENGATE_ADMIN role with ADMIN OPTION. Only users who have been granted the DV_OWNER role can grant or revoke the DV_GOLDENGATE_ADMIN role to or from other users.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

DV_GOLDENGATE_REDO_ACCESS Oracle GoldenGate Redo Log Access Role

Grant the DV_GOLDENGATE_REDO_ACCESS role to any user who is responsible for using the Oracle GoldenGate TRANLOGOPTIONS DBLOGREADER method to access redo logs in an Oracle Database Vault environment. This enables the management of Oracle GoldenGate processes to be tightly controlled by Database Vault, but does not change or restrict the way an administrator would normally configure Oracle GoldenGate.

Privileges Associated with the DV_GOLDENGATE_REDO_ACCESS Role

There are no privileges associated with the DV_GOLDENGATE_REDO_ACCESS role.

Be aware that the DV_GOLDENGATE_REDO_ACCESS role does not provide a sufficient set of database privileges for configuring Oracle GoldenGate. Rather, the DV_GOLDENGATE_REDO_ACCESS role is an additional requirement (that is, in addition to the privileges that Oracle GoldenGate currently requires) for database administrators to configure Oracle Streams in an Oracle Database Vault environment.

How Are GRANT and REVOKE Operations Affected by the DV_GOLDENGATE_REDO_ACCESS Role?

You cannot grant the DV_GOLDENGATE_REDO_ACCESS role with ADMIN OPTION. Only users who have been granted the DV_OWNER role can grant or revoke the DV_GOLDENGATE_REDO_ACCESS role to or from other users.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.


See Also:


DV_PATCH_ADMIN Database Vault Database Patch Role

Temporarily grant the DV_PATCH_ADMIN role to any database administrator who is responsible for performing database patching or adding languages to Database Vault. After the patch operation or language addition is complete, you should immediately revoke this role.

Privileges Associated with the DV_PATCH_ADMIN Role

This role does not provide access to any secured data.

How Are GRANT and REVOKE Operations Affected by the DV_OWNER Role?

Only a user who has the DV_OWNER role can grant or revoke the DV_PATCH_ADMIN role to and from another user. You cannot grant the DV_PATCH_ADMIN role with the ADMIN option.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

DV_ACCTMGR Database Vault Account Manager Role

Use the DV_ACCTMGR role to create and maintain database accounts and database profiles. In this manual, the example DV_ACCTMGR role is assigned to a user named amalcolm_dvacctmgr.

Privileges Associated with the DV_ACCTMGR Role

A user who has been granted this role can use the CREATE, ALTER, and DROP statements for users or profiles. However, a person who has been granted the DV_ACCTMGR role cannot perform the following operations:

  • ALTER or DROP statements on the DVSYS account

  • ALTER or DROP statements on users who have been granted the DV_ADMIN, DV_OWNER, DV_SECANALYST, and DV_MONITOR roles

  • Change passwords for users who have been granted the DV_ADMIN, DV_OWNER, DV_SECANALYST, and DV_MONITOR roles

To find the full list of system and object privileges associated with the DV_ACCTMGR role, log in to SQL*Plus with administrative privileges and then enter the following queries:

SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';

Tips:

  • Oracle recommends that you add the user who has the DV_ACCTMGR role to the data dictionary realm. See "Step 1: Adding the SYSTEM User to the Data Dictionary Realm" for an example.

  • If you want the DV_ACCTMGR user to be able to grant other users ANY privileges, then log in as user SYS with the SYSDBA privilege and grant this user the GRANT ANY PRIVILEGE privilege.

  • Consider creating a separate, named account for the DV_ACCTMGR user. This way, if this user forgets his or her password, you can log in as the original DV_ACCTMGR account when you recreate the user's password. Otherwise, you must disable Oracle Database Vault, log in as SYS or SYSTEM to recreate the password, and then re-enable Database Vault.


How Are GRANT and REVOKE Operations Affected by the DV_ACCTMGR Role?

Any account, such as SYS or SYSTEM, with the GRANT ANY ROLE system privilege alone does not have the rights to grant this role to or revoke this role from any other database account. The account with the DV_ACCTMGR role and the ADMIN OPTION can grant this role without the ADMIN OPTION to any given database account and revoke this role from another account.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

DV_REALM_OWNER Database Vault Realm DBA Role

Use the DV_REALM_OWNER role to manage database objects in multiple schemas that define a realm. Grant this role to the database account owner who is responsible for managing one or more schema database accounts within a realm and the roles associated with the realm.

Privileges Associated with the DV_REALM_OWNER Role

A user who has been granted this role can use powerful system privileges like CREATE ANY, ALTER ANY, and DROP ANY within the realm. However, before this user can exercise these privileges, you must make this user either a participant or an owner for the realm. See "Defining Realm Authorization" for instructions.

There are no object privileges granted to the DV_REALM_OWNER role, but it does have some system privileges. To find the full list of DV_REALM_OWNER system privileges, log in to SQL*Plus with administrative privileges and enter the following query:

SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_REALM_OWNER';

How Are GRANT and REVOKE Operations Affected by the DV_REALM_OWNER Role?

The realm owner of the Oracle Data Dictionary realm, such as SYS, can grant this role to any given database account or role. Note that though this role has system privilege grants that SYS controls, it does not have the DV_OWNER or DV_ADMIN roles.

If you want to attach this role to a specific realm, then you must assign it to an account or business-related role, then authorize that account or role in the realm.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

DV_REALM_RESOURCE Database Vault Application Resource Owner Role

Use the DV_REALM_RESOURCE role for operations such as creating tables, views, triggers, synonyms, and other objects that a realm would typically use.

Privileges Associated with the DV_REALM_RESOURCE Role

The DV_REALM_RESOURCE role provides the same system privileges as the Oracle RESOURCE role. In addition, both CREATE SYNONYM and CREATE VIEW are granted to this role.

There are no object privileges granted to the DV_REALM_RESOURCE role, but it does have some system privileges. To find the full list of DV_REALM_RESOURCE system privileges, log in to SQL*Plus with administrative privileges and enter the following query:

SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_REALM_RESOURCE';

Though this role has system privilege grants that SYS controls, it does not have the DV_OWNER or DV_ADMIN role.

How Are GRANT and REVOKE Operations Affected by the DV_REALM_RESOURCE Role?

You can grant the DV_REALM_RESOURCE role to a database account that owns database tables, objects, triggers, views, procedures, and so on that are used to support any database application. This is a role designed for a schema type database account. The realm owner of the Oracle Data Dictionary realm, such as SYS, can grant this role to any database account or role.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

DV_PUBLIC Database Vault PUBLIC Role

Use the DV_PUBLIC role to grant privileges on specific objects in the DVSYS schema. (Remember that in a default installation, the DVSYS schema is locked.)

Privileges Associated with the DV_PUBLIC Role

The following Oracle Database Vault objects are accessible through DV_PUBLIC:

There are no system privileges granted to the DV_PUBLIC role, but it does have some object privileges. To find the full list of DV_PUBLIC object privileges, log in to SQL*Plus with administrative privileges and enter the following query:

SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_PUBLIC';

How Are GRANT and REVOKE Operations Affected by the DV_PUBLIC Role?

Oracle Database Vault does not enable you to directly grant object privileges in the DVSYS schema to PUBLIC. You must grant the object privilege on the DVSYS schema object the DV_PUBLIC role, and then grant DV_PUBLIC to PUBLIC. However, if you do this, it is important that you do not add more object privileges to the PUBLIC role. Doing so may undermine Oracle Database Vault security.

What Happens When Oracle Database Vault Security Is Disabled?

The granting and revoking of all protected schema roles, including DV_OWNER, is enforced only if Oracle Database Vault is enabled. If Oracle Database Vault is disabled, then any account with the GRANT ANY ROLE system privilege can perform GRANT and REVOKE operations on protected schema roles.

Appendix B, "Disabling and Enabling Oracle Database Vault," explains how disable and enable Oracle Database Vault.

Oracle Database Vault Accounts

Oracle Database Vault prompts for two accounts during installation: Oracle Database Vault Owner and Oracle Database Vault Account Manager. You must supply an account name and password for the Oracle Database Vault Owner account during installation. Creating an Oracle Database Vault Account Manager is optional.

The Oracle Database Vault Owner account is granted the DV_OWNER role. This account can manage Oracle Database Vault roles and configuration. (See "DV_OWNER Database Vault Owner Role" for detailed information about this role.)

The Oracle Database Vault Account Manager account is granted the DV_ACCTMGR role. This account is used to manage database user accounts to facilitate separation of duties. (See "DV_ACCTMGR Database Vault Account Manager Role" for detailed information about this role.)

If you choose not to create the Oracle Database Vault Account Manager account during installation, then both the DV_OWNER and DV_ACCTMGR roles are granted to the Oracle Database Vault Owner user account.


Tip:

Oracle recommends that you grant the DV_OWNER and DV_ACCTMGR roles to existing user accounts. However, continue to maintain the original DV_OWNER and DV_ACCTMGR user accounts that you created during installation. This way, for example, if a user who has been granted one of these roles forgets his or her password, then you can log in as the original Database Vault Account Manager user and then recreate the password without having to disable Oracle Database Vault.

Table 11-2 lists the Oracle Database Vault database accounts that are needed in addition to the accounts that you create during installation.

Table 11-2 Database Accounts Used by Oracle Database Vault

Database AccountRoles and PrivilegesDescription

DVSYS

Several system and object privileges are provided to support Oracle Database Vault. The ability to create a session with this account is revoked at the end of the installation, and the account is locked.

Owner of Oracle Database Vault schema and related objects

DVF

A limited set of system privileges are provided to support Oracle Database Vault. The ability to create a session with this account is revoked at the end of the installation, and the account is locked.

Owner of the Oracle Database Vault functions that are created to retrieve factor identities

LBACSYS

This account is created when you install Oracle Label Security by using the Oracle Universal Installer custom installation option. (It is not created when you install Oracle Database Vault.) Do not drop or re-create this account.

If you plan to integrate a factor with an Oracle Label Security policy, you must assign this user as the owner of the realm that uses this factor. See "Using Oracle Database Vault Factors with Oracle Label Security Policies" for more information.

Owner of the Oracle Label Security schema


You can create different database accounts to implement the separation of duties requirements for Oracle Database Vault. Table 11-3 lists some model database accounts that can act as a guide. (The accounts listed in Table 11-3 serve as a guide to implementing Oracle Database Vault roles. These are not actual accounts that are created during installation.)

Table 11-3 Model Oracle Database Vault Database Accounts

Database AccountRoles and PrivilegesDescription

EBROWN

DV_OWNER (with DV_ADMIN and DV_SECANALYST)

Account that is the realm owner for the DVSYS realm. This account can:

  • Run DVSYS packages

  • Have EXECUTE privileges in the DVSYS schema

  • Grant privileges on the DVSYS schema objects

  • Select objects in the schema

  • Monitor Oracle Database Vault activity

  • Run reports on the Oracle Database Vault configuration

JGODFREY

DV_ACCTMGR

Account for administration of database accounts and profiles. This account can:

  • Create, alter, or drop users

  • Create, alter, or drop profiles

  • Grant the DV_ACCTMGR role

  • Grant the CONNECT role

Note: This account cannot create roles, or grant the RESOURCE or DBA roles.

RLAYTON

DV_ADMIN (with DV_SECANALYST)

Account to serve as the access control administrator. This account can:

  • Execute DVSYS packages

  • Have EXECUTE privileges in the DVSYS schema

  • Monitor Oracle Database Vault activity

  • Run reports on the Oracle Database Vault configuration

Note: This account cannot directly update the DVSYS tables.

PSMYTHE

DV_SECANALYST

Account for running Oracle Database Vault reports in the Oracle Database Vault Administration application.


Oracle Database Vault Data Dictionary Views

Oracle Database Vault provides a set of DBA-style data dictionary views that can be accessed through the DV_SECANALYST role or the DV_ADMIN role. (Alternatively, you can run reports on Oracle Database Vault. See Chapter 17, "Oracle Database Vault Reports," for more information.) These views provide access to the various underlying Oracle Database Vault tables in the DVSYS and LBACSYS schemas without exposing the primary and foreign key columns that may be present. These views are intended for the database administrative user to report on the state of the Oracle Database Vault configuration without having to perform the joins required to get the labels for codes that are stored in the core tables or from the related tables.

This section contains:

DBA_DV_CODE View

The DBA_DV_CODE data dictionary view lists generic lookup codes for the user interface, error messages, constraint checking, and so on. These codes are used for the user interface, views, and for validating input in a translatable fashion.

For example:

SELECT CODE, VALUE FROM DVSYS.DBA_DV_CODE WHERE CODE_GROUP = 'BOOLEAN';

Output similar to the following appears:

CODE    VALUE
------- --------
Y       True
N       False
ColumnDatatype           NullDescription
CODE_GROUPVARCHAR(30)NOT NULLDisplays one of the following code groups:

  • AUDIT_EVENTS: Contains the action numbers and action names that are used for the custom event audit trail records

  • BOOLEAN: A simple Yes or No or True or False lookup

  • DB_OBJECT_TYPE: The database object types that can be used for realm objects and command authorizations

  • SQL_CMDS: The DDL commands that can be protected through command rules

  • FACTOR_AUDIT: The auditing options for factor retrieval processing

  • FACTOR_EVALUATE: The evaluation options (by session or by access) for factor retrieval

  • FACTOR_FAIL: The options for propagating errors when a factor retrieval method fails

  • FACTOR_IDENTIFY: The options for determining how a factor identifier is resolved (for example, by method or by factors)

  • FACTOR_LABEL: The options for determining how a factor identifier is labeled in the session establishment phase

  • LABEL_ALG: The algorithms that can be used to determine the maximum session label for a database session for each policy. See Table 12-57, "Oracle Label Security Merge Algorithm Codes" for a listing of the Oracle Label Security merge algorithm codes.

  • OPERATORS: The Boolean operators that can be used for identity maps

  • REALM_AUDIT: The options for auditing realm access or realm violations

  • REALM_OPTION: The options for ownership of a realm

  • RULESET_AUDIT: The options for auditing rule set execution or rule set errors

  • RULESET_EVALUATE: The options for determining the success or failure of a rule set based on all associated rules being true or any associated rule being true

  • RULESET_EVENT: The options to invoke a custom event handler when a rule set evaluates to Succeeds or Fails

  • RULESET_FAIL: The options to determine the run-time visibility of a rule set failing

CODEVARCHAR(30)NOT NULLBoolean code used; either Y (yes) or N (no).
VALUEVARCHAR(4000)Boolean value used; either True if the Boolean code is Y or False if the Boolean code is N.
LANGUAGEVARCHAR(3)NOT NULLLanguage for this installation of Oracle Database Vault.

See Adding Languages to Oracle Database Vault for a list of supported languages.

DESCRIPTIONVARCHAR(1024)Brief description of the code group.

DBA_DV_COMMAND_RULE View

The DBA_DV_COMMAND_RULE data dictionary view lists the SQL statements that are protected by command rules. See Chapter 6, "Configuring Command Rules," for more information about command rules.

For example:

SELECT COMMAND, RULE_SET_NAME FROM DVSYS.DBA_DV_COMMAND_RULE;

Output similar to the following appears:

COMMAND         RULE_SET_NAME
--------------- -----------------------------
GRANT           Can Grant VPD Administration
REVOKE          Can Grant VPD Administration
ALTER SYSTEM    Allow System Parameters
ALTER USER      Can Maintain Own Account
CREATE USER     Can Maintain Account/Profiles
DROP USER       Can Maintain Account/Profiles
CREATE PROFILE  Can Maintain Account/Profiles
DROP PROFILE    Can Maintain Account/Profiles
ALTER PROFILE   Can Maintain Account/Profiles
ColumnDatatype              NullDescription
COMMANDVARCHAR(30)NOT NULLName of the command rule. For a list of default command rules, see Default Command Rules.
RULE_SET_NAMEVARCHAR(90)NOT NULLName of the rule set associated with this command rule.
OBJECT_OWNERVARCHAR(30)NOT NULLThe owner of the object that the command rule affects.
OBJECT_NAMEVARCHAR(128)NOT NULLThe name of the database object the command rule affects (for example, a database table).
ENABLEDVARCHAR(1)NOT NULLY indicates the command rule is enabled; N indicates it is disabled.

DBA_DV_FACTOR View

The DBA_DV_FACTOR data dictionary view lists the existing factors in the current database instance.

For example:

SELECT NAME, GET_EXPR FROM DVSYS.DBA_DV_FACTOR WHERE NAME = 'Session_User';

Output similar to the following appears:

NAME          GET_EXPR
------------- ---------------------------------------------
Session_User  UPPER(SYS_CONTEXT('USERENV', 'SESSION_USER'))

Related Views

ColumnDatatype                 NullDescription
NAMEVARCHAR2(30)NOT NULLName of the factor. See "Default Factors" for a list of default factors.
DESCRIPTIONVARCHAR2(4000)
Description of the factor.
FACTOR_TYPE_NAMEVARCHAR2(90)NOT NULLCategory of the factor, which is used to classify the purpose of the factor.
ASSIGN_RULE_SET_NAMEVARCHAR2(90)
Rule set used to control the identify of the factor.
GET_EXPRVARCHAR2(1024)
PL/SQL expression that retrieves the identity of a factor.
VALIDATE_EXPRVARCHAR2(1024)
PL/SQL expression used to validate the identify of the factor. It returns a Boolean value.
IDENTIFIED_BYNUMBERNOT NULLDetermines the identity of a factor, based on the expression listed in the GET_EXPR column. Possible values are:

  • 0: By constant

  • 1: By method

  • 2: By factors

IDENTIFIED_BY_MEANINGVARCHAR2(4000)
Provides a text description for the corresponding value in the IDENTIFIED_BY column. Possible values are:

  • By Constant: If IDENTIFIED_COLUMN is 0

  • By Method: If IDENTIFIED_COLUMN is 1

  • By Factors: If IDENTIFIED_COLUMN is 2

LABELED_BYNUMBERNOT NULLDetermines the labeling the factor:

  • 0: Labels the identities for the factor directly from the labels associated with an Oracle Label Security policy

  • 1: Derives the factor identity label from the labels of its child factor identities.

LABELED_BY_MEANINGVARCHAR2(4000)
Provides a text description for the corresponding value in the LABELED_BY column. Possible values are:

  • By Self: If LABELED_BY column is 0

  • By Factors: If LABELED_BY column is 1

EVAL_OPTIONSNUMBERNOT NULLDetermines how the factor is evaluated when the user logs on:

  • 0: When the database session is created

  • 1: Each time the factor is accessed

  • 2: On start-up

EVAL_OPTIONS_MEANINGVARCHAR2(4000)
Provides a text description for the corresponding value in the EVAL_OPTIONS column. Possible values are:

  • For Session: If EVAL_OPTIONS is 0

  • By Access: If EVAL_OPTIONS is 1

  • On Startup: If EVAL_OPTIONS is 2

AUDIT_OPTIONSNUMBERNOT NULLOption for auditing the factor if you want to generate a custom Oracle Database Vault audit record. Possible values are:

  • 0: No auditing set

  • 1: Always audits

  • 2: Audits if get_expr returns an error

  • 4: Audits if get_expr is null

  • 8: Audits if the validation procedure returns an error

  • 16: Audits if the validation procedure is false

  • 32: Audits if there is no trust level set

  • 64: Audits if the trust level is negative.

FAIL_OPTIONSNUMBERNOT NULLOptions for reporting factor errors:

  • 1: Shows an error message.

  • 2: Does not show an error message.

FAIL_OPTIONS_MEANINGVARCHAR2(4000)
Provides a text description for the corresponding value in the FAIL_OPTIONS column. Possible values are:

  • Show Error Message

  • Do Not Show Error Message:


DBA_DV_FACTOR_LINK View

The DBA_DV_FACTOR_LINK data dictionary view shows the relationships of each factor whose identity is determined by the association of child factors. The view contains one entry for each parent factor and child factor. You can use this view to resolve the relationships from the factor links to identity maps.

For example:

SELECT PARENT_FACTOR_NAME, CHILD_FACTOR_NAME FROM DVSYS.DBA_DV_FACTOR_LINK;

Output similar to the following appears:

PARENT_FACTOR_NAME             CHILD_FACTOR_NAME
------------------------------ ------------------------------
Domain                         Database_Instance
Domain                         Database_IP
Domain                         Database_Hostname

Related Views

ColumnDatatype          NullDescription
PARENT_FACTOR_NAMEVARCHAR(30)NOT NULLName of the parent factor.
CHILD_FACTOR_NAMEVARCHAR(30)NOT NULLName of the child factor of the parent factor.
LABEL_INDVARCHAR(1)NOT NULLIndicates whether the child factor that is linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Possible values are:

  • Y (for Yes)

  • N (for No)


DBA_DV_FACTOR_TYPE View

The DBA_DV_FACTOR_TYPE data dictionary view lists the names and descriptions of factor types used in the system.

For example:

SELECT * FROM DVSYS.DBA_DV_FACTOR_TYPE WHERE NAME = 'Hostname';

Output similar to the following appears:

NAME      DESCRIPTION
--------- ----------------------------------------------------------------------
Time      Time-based factor

Related Views

ColumnDatatype             NullDescription
NAMEVARCHAR(90)NOT NULLName of the factor type.
DESCRIPTIONVARCHAR(1024)
Description of the factor type.

DBA_DV_IDENTITY View

The DBA_DV_IDENTITY data dictionary view lists the identities for each factor.

For example:

SELECT * FROM DVSYS.DBA_DV_IDENTITY WHERE VALUE = 'GLOBAL SHARED';

Output similar to the following appears, assuming you have created only one factor identity:

FACTOR_NAME          VALUE          TRUST_LEVEL
----------------     -------------- ------------
Identification_Type  GLOBAL SHARED  1

Related Views

ColumnDatatype             NullDescription
FACTOR_NAMEVARCHAR(30)NOT NULLName of the factor.
VALUEVARCHAR(1024)NOT NULLValue of the factor.
TRUST_LEVELNUMBERNOT NULLNumber that indicates the magnitude of trust relative to other identities for the same factor.

DBA_DV_IDENTITY_MAP View

The DBA_DV_IDENTITY_MAP data dictionary view lists the mappings for each factor identity. The view includes mapping factors that are identified by other factors to combinations of parent-child factor links. For each factor, the maps are joined by the OR operation, and for different factors, the maps are joined by the AND operation.

You can use this view to resolve the identity for factors that are identified by other factors (for example, a domain) or for factors that have continuous domains (for example, Age or Temperature).

For example:

SELECT FACTOR_NAME, IDENTITY_VALUE FROM DVSYS.DBA_DV_IDENTITY_MAP;

Output similar to the following appears:

FACTOR_NAME      IDENTITY_VALUE
---------------- --------------------
Sector2_Program  Accounting-Sensitive

Related Views

ColumnDatatype                NullDescription
FACTOR_NAMEVARCHAR(30)NOT NULLFactor the identity map is for.
IDENTITY_VALUEVARCHAR(1024)NOT NULLValue the factor assumes if the identity map evaluates to TRUE.
OPERATION_VALUEVARCHAR(4000)
Relational operator for the identity map (for example, <, >, =, and so on)
OPERAND1VARCHAR(1024)
Left operand for the relational operator; refers to the low value you enter.
OPERAND2VARCHAR(1024)
Right operand for the relational operator; refers to the high value you enter.
PARENT_FACTOR_NAMEVARCHAR(30)
The parent factor link to which the map is related.
CHILD_FACTOR_NAMEVARCHAR(30)
The child factor link to which the map is related.
LABEL_INDVARCHAR(1)
Indicates whether the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Possible values are:

  • Y (for Yes)

  • N (for No)


DBA_DV_MAC_POLICY View

The DBA_DV_MAC_POLICY data dictionary view lists the Oracle Label Security policies defined for use with Oracle Database Vault.

For example:

SELECT POLICY_NAME, ALGORITHM_CODE, ALGORITHM_MEANING 
 FROM DVSYS.DBA_DV_MAC_POLICY;

Output similar to the following appears:

POLICY_NAME     ALGORITHM_CODE    ALGORITHM_MEANING
--------------- ----------------- -----------------------
ACCESS_DATA     LUI               Minimum Level/Union/Intersection

Related Views

ColumnDatatype             NullDescription
POLICY_NAMEVARCHAR(30)NOT NULLName of the policy.
ALGORITHM_CODEVARCHAR(30)NOT NULLMerge algorithm code used for the policy. See Table 12-57 for a listing of algorithm codes.
ALGORITHM_MEANINGVARCHAR(4000)
Provides a text description for the corresponding value in the ALGORITHM_CODE column. See Table 12-57 for a listing of algorithm code descriptions.
ERROR_LABELVARCHAR(4000)
Label specified for initialization errors, to be set when a configuration error or run-time error occurs during session initialization.

DBA_DV_MAC_POLICY_FACTOR View

The DBA_DV_MAC_POLICY data dictionary view lists the factors that are associated with Oracle Label Security policies.

You can use this view to determine what factors contribute to the maximum session label for each policy using the DBA_DV_MAC_POLICY view.

For example:

SELECT * FROM DVSYS.DBA_DV_MAC_POLICY_FACTOR;

Output similar to the following appears:

FACTOR_NAME    MAC_POLICY_NAME
-------------- ------------------
App_Host_Name  Access Locations

Related Views

ColumnDatatype            NullDescription
FACTOR_NAMEVARCHAR(30)NOT NULLName of the factor.
MAC_POLICY_NAMEVARCHAR(30)NOT NULLName of the Oracle Label Security policy associated with this factor.

DBA_DV_POLICY_LABEL View

The DBA_DV_POLICY_LABEL data dictionary view lists the Oracle Label Security label for each factor identifier in the DBA_DV_IDENTITY view for each policy.

For example:

SELECT * FROM DVSYS.DBA_DV_POLICY_LABEL;

Output similar to the following appears:

IDENTITY_VALUE   FACTOR_NAME     POLICY_NAME       LABEL
---------------- --------------  ----------------  ---------
App_Host_Name    Sect2_Fin_Apps  Access Locations  Sensitive

Related Views

ColumnDatatype               NullDescription
IDENTITY_VALUEVARCHAR(1024)NOT NULLName of the factor identifier.
FACTOR_NAMEVARCHAR(30)NOT NULLName of the factor associated with the factor identifier.
POLICY_NAMEVARCHAR(30)NOT NULLName of the Oracle Label Security policy associated with this factor.
LABELVARCHAR(4000)NOT NULLName of the Oracle Label Security label associated with the policy.

DBA_DV_PUB_PRIVS View

The DBA_DV_PUB_PRIVS data dictionary view lists data reflected in the Oracle Database Vault privilege management reports used in the Oracle Database Vault Administrator (DV_ADMIN). See also "Privilege Management - Summary Reports".

For example:

SELECT USERNAME, ACCESS_TYPE FROM DVSYS.DBA_DV_PUB_PRIVS WHERE USERNAME = 'OE';

Output similar to the following appears:

USERNAME    ACCESS_TYPE
----------- -----------------
OE          PUBLIC

Related Views

ColumnDatatype            NullDescription
USERNAMEVARCHAR(30)NOT NULLDatabase schema in the current database instance.acces
ACCESS_TYPEVARCHAR(30)
Access type granted to the user listed in the USERNAME column (for example, PUBLIC).
PRIVILEGEVARCHAR(40)NOT NULLPrivilege granted to the user listed in the USERNAME column.
OWNERVARCHAR(30)NOT NULLOwner of the database schema to which the USERNAME user has been granted privileges.
OBJECT_NAMEVARCHAR(30)NOT NULLName of the object within the schema listed in the OWNER column.

DBA_DV_REALM View

The DBA_DV_REALM data dictionary view lists the realms created in the current database instance.

For example:

SELECT NAME, AUDIT_OPTIONS, ENABLED FROM DVSYS.DBA_DV_REALM 
  WHERE AUDIT_OPTIONS = 'N';

Output similar to the following appears:

NAME                          AUDIT_OPTIONS    ENABLED
----------------------------- ---------------- --------
Performance Statistics Realm  N                1

Related Views

ColumnDatatype              NullDescription
NAMEVARCHAR(90)NOT NULLNames of the realms created. See"Default Realms" for a listing of default realms.
DESCRIPTIONVARCHAR(1024)NOT NULLDescription of the realm created.
AUDIT_OPTIONSNUMBERNOT NULLSpecifies whether auditing is enabled. Possible values are:

  • 0: No auditing for the realm.

  • 1: Creates an audit record when a realm violation occurs (for example, when an unauthorized user tries to modify an object that is protected by the realm).

  • 2: Creates an audit record for authorized activities on objects protected by the realm.

  • 3: Creates an audit record for both authorized and unauthorized activities on objects protected by the realm.

ENABLEDVARCHAR(1)NOT NULLSpecifies whether realm checking is enabled. Y (yes) indicates it is enabled; N (no) indicates it is not.

DBA_DV_REALM_AUTH View

The DBA_DV_REALM_AUTH data dictionary view lists the authorization of a named database user account or database role (GRANTEE) to access realm objects in a particular realm. See Defining Realm Authorization for more information.

For example:

SELECT REALM_NAME, GRANTEE, AUTH_RULE_SET_NAME FROM DVSYS.DBA_DV_REALM_AUTH;

Output similar to the following appears:

REALM_NAME                    GRANTEE  AUTH_RULE_SET_NAME
---------------------------- --------- ---------------------
Performance Statistics Realm  SYSADM   Check Conf Access

Related Views

ColumnDatatype                NullDescription
REALM_NAMEVARCHAR(90)NOT NULLName of the realm.
GRANTEEVARCHAR(30)NOT NULLUser or role name to authorize as owner or participant.
AUTH_RULE_SET_NAMEVARCHAR(90)
Rule set to check before authorizing. If the rule set evaluates to TRUE, then the authorization is allowed.
AUTH_OPTIONSVARCHAR(4000)
Type of realm authorization: either Participant or Owner.

DBA_DV_REALM_OBJECT View

The DBA_DV_REALM_OBJECT data dictionary view lists the database schemas, or subsets of schemas with specific database objects contained therein, that are secured by the realms. See "Creating Realm-Secured Objects" for more information.

For example:

SELECT REALM_NAME, OWNER, OBJECT_NAME FROM DVSYS.DBA_DV_REALM_OBJECT;

Output similar to the following appears:

REALM_NAME                   OWNER    OBJECT_NAME
---------------------------- -------- -----------
Performance Statistics Realm OE       ORDERS

Related Views

ColumnDatatype           NullDescription
REALM_NAMEVARCHAR(90)NOT NULLName of the realm.
OWNERVARCHAR(90)NOT NULLDatabase schema owner who owns the realm.
OBJECT_NAMEVARCHAR(90)NOT NULLName of the object the realm protects.
OBJECT_TYPEVARCHAR(90)NOT NULLType of object the realm protects, such as a database table, view, index, or role.

DBA_DV_ROLE View

The DBA_DV_ROLE data dictionary view lists the Oracle Database Vault secure application roles used in privilege management.

For example:

SELECT ROLE, RULE_NAME FROM DVSYS.DBA_DV_ROLE;

Output similar to the following appears:

ROLE               RULE_NAME
------------------ --------------------
Sector2_APP_MGR    Check App2 Access
Sector2_APP_DBA    Check App2 Access

Related Views

ColumnDatatype              NullDescription
ROLEVARCHAR(30)NOT NULLName of the secure application role.
RULE_NAMEVARCHAR(90)NOT NULLName of the rule set associated with the secure application role.
ENABLEDVARCHAR(1)NOT NULLIndicates whether the secure application role is enabled. Y (yes) enables the role; N (no) disables it.

DBA_DV_RULE View

The DBA_DV_RULE data dictionary view lists the rules that have been defined.

For example:

SELECT * FROM DVSYS.DBA_DV_RULE WHERE NAME = 'Maintenance Window';

Output similar to the following appears:

NAME                RULE_EXP
------------------- ----------------------------------------------
Maintenance Window  TO_CHAR(SYSDATE,'HH24') BETWEEN '10' AND '12'

To find the rule sets that use specific rules, query the DBA_DV_RULE_SET_RULE view.

Related Views

ColumnDatatype             NullDescription
NAMEVARCHAR(90)NOT NULLName of the rule.
RULE_EXPRVARCHAR(1024)NOT NULLPL/SQL expression for the rule.

DBA_DV_RULE_SET View

The DBA_DV_RULE_SET data dictionary view lists the rules sets that have been created.

For example:

SELECT RULE_SET_NAME, HANDLER_OPTIONS, HANDLER FROM DVSYS.DBA_DV_RULE_SET
 WHERE RULE_SET_NAME = 'Maintenance Period';

Output similar to the following appears:

RULE_SET_NAME       HANDLER_OPTIONS  HANDLER
------------------- ---------------- ----------------------
Maintenance Period                   1 dbavowner.email_alert

Related Views

ColumnDatatype               NullDescription
RULE_SET_NAMEVARCHAR(90)NOT NULLName of the rule set.
DESCRIPTIONVARCHAR(1024)
Description of the rule set.
ENABLEDVARCHAR(1)NOT NULLIndicates whether the rule set has been enabled. Y (yes) enables the rule set; N (no) disables it.
EVAL_OPTIONS_MEANINGVARCHAR(4000)
For rules sets that contain multiple rules, determines how many rules are evaluated. Possible values are:

  • All True: All rules in the rule set must evaluate to true for the rule set itself to evaluate to TRUE.

  • Any True: At least one rule in the rule set must evaluate to true for the rule set itself to evaluate to TRUE.

AUDIT_OPTIONSNUMBERNOT NULLIndicates when auditing is used. Possible values are:

  • 0: No auditing

  • 1: Audit on failure

  • 2: Audit on success

  • 3: Audit on both failure and success

FAIL_OPTIONS_MEANINGVARCHAR(4000)
Determines when an audit record is created for the rule set. Possible values are:

  • Do Not Show Error Message.

  • Show Error Message

FAIL_MESSAGEVARCHAR(80)
Error message for failure that is associated with the fail code listed in the FAIL_CODE column.
FAIL_CODEVARCHAR(10)
The error message number associated with the message listed in the FAIL_MESSAGE column. Possible values are in the ranges of -20000 to -20999 or 20000 to 20999.
HANDLER_OPTIONSNUMBERNOT NULLDetermines how error handling is used. Possible values are:

  • 0: Disables error handling.

  • 1: Call handler on rule set failure.

  • 2: Call handler on rule set success.

HANDLERVARCHAR(1024)
Name of the PL/SQL function or procedure that defines the custom event handler logic.
IS_STATICVARCHAR2(5)
Indicates how often the rule set is evaluated during a user session. Possible values are:

  • TRUE: The rule set is evaluated once, and result of the rule set is reused throughout the user session.

  • FALSE (default): The rule set is evaluated each time it is accessed during the user session.


DBA_DV_RULE_SET_RULE View

The DBA_DV_RULE_SET_RULE data dictionary view lists rules that are associated with existing rule sets.

For example:

SELECT RULE_SET_NAME, RULE_NAME, RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET_RULE
 WHERE RULE_NAME = 'Is Security Officer';

Output similar to the following appears:

RULE_SET_NAME                RULE_NAME          RULE_EXP
---------------------------- ------------------ ---------------------------------
Can Grant VPD Administration Is Security Owner  DVSYS.DBMS_MACUTL.USER_HAS_ROLE_
                                                VARCHAR('DV_OWNER',dvsys.dv_
                                                login_user) = 'Y'

Related Views

ColumnDatatype             NullDescription
RULE_SET_NAMEVARCHAR(90)NOT NULLName of the rule set that contains the rule.
RULE_NAMEVARCHAR(90)NOT NULLName of the rule.
RULE_EXPRVARCHAR(1024)NOT NULLPL/SQL expression that defines the rule listed in the RULE_NAME column.
ENABLEDVARCHAR(1)
Indicates whether the rule is enabled or disabled. Y (yes) enables the rule set; N (no) disables it.
RULE_ORDERNUMBERNOT NULLThe order in which rules are used within the rule set. Does not apply to this release.

DBA_DV_USER_PRIVS View

The DBA_DV_USER_PRIVS data dictionary view lists the privileges for a database user account excluding privileges granted through the PUBLIC role.

For example:

SELECT USERNAME, ACCESS_TYPE, PRIVILEGE FROM DVSYS.DBA_DV_USER_PRIVS;

Output similar to the following appears:

USERNAME  ACCESS_TYPE          PRIVILEGE
--------- -------------------- ------------
DVSYS     DV_PUBLIC            EXECUTE
DVOWNER   DV_ADMIN             SELECT
SYS       SELECT_CATALOG_ROLE  SELECT
...

Related Views

ColumnDatatype            NullDescription
USERNAMEVARCHAR(30)NOT NULLName of the database schema account in which privileges have been defined.</td>
ACCESS_TYPEVARCHAR(30)
Role the database user account listed in the USERNAME column uses to access the database. Oracle Database Vault accounts have direct access.
PRIVILEGEVARCHAR(40)NOT NULLPrivilege granted to the user listed in the USERNAME column.
OWNERVARCHAR(30)NOT NULLName of the database user account.
OBJECT_NAMEVARCHAR(30)NOT NULLName of the PL/SQL function or procedure used to define privileges.

DBA_DV_USER_PRIVS_ALL View

The DBA_DV_USER_PRIVS_ALL data dictionary view lists the privileges for a database account including privileges granted through PUBLIC.     

For example:

SELECT USERNAME, ACCESS_TYPE, PRIVILEGE FROM DVSYS.DBA_DV_USER_PRIVS;

Output similar to the following appears:

USERNAME            ACCESS_TYPE  PRIVILEGE
------------------- ------------ -----------------
AMALCOLM_DVACCTMGR  CONNECT      CREATE_SESSION
LBROWN_DVOWNER      DIRECT       CREATE PROCEDURE
...

Related Views

ColumnDatatype             NullDescription
USERNAMEVARCHAR(30)
Name of the database schema account in which privileges have been defined.
ACCESS_TYPEVARCHAR(30)
Role the database user account listed in the USERNAME column uses to access the database. Oracle Database Vault accounts have direct access.
PRIVILEGEVARCHAR(40)
Privilege granted to the user listed in the USERNAME column.
OWNERVARCHAR(30)
Name of the database user account.
OBJECT_NAMEVARCHAR(30)
Name of the PL/SQL function or procedure used to define privileges.

PK*U,PK)AOEBPS/dvdisabl.htm2 Disabling and Enabling Oracle Database Vault

B Disabling and Enabling Oracle Database Vault

This appendix contains:

When You Must Disable Oracle Database Vault

You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can reenable Oracle Database Vault after you complete the corrective tasks.


Note:

Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during installation remain in effect. See "Privileges That Are Revoked or Prevented from Existing Users and Roles" for a listing of the revoked privileges.

The following situations require you to disable Oracle Database Vault:

  • The Oracle Database Vault user accounts have been inadvertently locked or their passwords forgotten. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)

  • A rule set associated with the CONNECT role has been configured incorrectly. This is resulting in failed database logins for all accounts, including those with the DV_OWNER or DV_ADMIN role, who could correct this problem.

  • You must perform maintenance tasks on Oracle Database Vault.

  • You must install any of the Oracle Database optional products or features, such as Oracle Spatial, or Oracle Multimedia, by using Database Configuration Assistant (DBCA).

  • You are about to install a third-party product, install an Oracle product, or perform an Oracle patch update whose installation may be prevented if Oracle Database Vault is running.

  • You must archive the Oracle Database Vault audit trail.

Checking if Oracle Database Vault Is Enabled or Disabled

You can check if Oracle Database Vault is enabled or disabled by querying the V$OPTION data dictionary view. Any user can query this view. If Oracle Database Vault is enabled, the query returns TRUE. Otherwise, it returns FALSE.

Remember that the PARAMETER column value is case sensitive. For example:

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is enabled, the following output appears:

PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE

Step 1: Disable Oracle Database Vault

To disable Oracle Database Vault:

  1. Stop the database, Database Control console process, and listener.

    • UNIX: Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> EXIT

$ emctl stop dbconsole
$ lsnrctl stop [listener_name]

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name

    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  2. Disable Oracle Database Vault as follows:

    • UNIX: Run the following commands:

      $ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_off ioracle

    • Windows: In the ORACLE_HOME\bin directory, rename the oradvll.dll file to another name, such as oradvll.dll.dbl.

  3. Restart the database, Database Control console process, and listener.

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the Database Control process and listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> STARTUP
SQL> EXIT

$ emctl start dbconsole
$ lsnrctl start [listener_name]

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name

    • Windows: Restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  4. For Oracle RAC installations, repeat these steps for each node on which the database is installed.

Step 2: Perform the Required Tasks

At this stage, Oracle Database Vault is disabled. You can perform the following types of activities:

  • Use the Oracle Database Vault PL/SQL packages and functions. For example, to correct a login or CONNECT rule set error, use the DBMS_MACADM PL/SQL package or the Oracle Database Vault Administrator interface.

  • Use the SYSTEM or SYS accounts to perform tasks such as creating or changing passwords, or locking and unlocking accounts. In addition to modifying regular database and administrative user accounts, you can modify passwords and the lock status of any of the Oracle Database Vault-specific accounts, such as users who have been granted the DV_ADMIN or DV_ACCTMGR roles. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)

  • Perform the installation, upgrade, or other tasks that require security protections to be disabled.

Step 3: Enable Oracle Database Vault

To enable Oracle Database Vault:

  1. Stop the database, Database Control console process, and listener.

    • UNIX: Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> SHUTDOWN IMMEDIATE
SQL> EXIT

$ emctl stop dbconsole
$ lsnrctl stop [listener_name]

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name

    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  2. Enable Oracle Database Vault as follows:

    • UNIX: Run the following commands. The make command enables both Oracle Database Vault (dv_on) and Oracle Label Security (lbac_on). You must enable Oracle Label Security before you can use Database Vault.

      $ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle

    • Windows: In the ORACLE_HOME\bin directory, rename the backed up copy of the oradvll.dll file (for example, oradv11.dll.dbl) to oradvll.dll. Ensure that the name of the Oracle Label Security executable is oralbacll.dll (and not oralbacll.dll.dbl or some other backup name). You must enable Oracle Label Security before you can use Database Vault.

  3. Restart the database, Database Control console process, and listener.

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
Enter password: password

SQL> STARTUP
SQL> EXIT

$ emctl start dbconsole
$ lsnrctl start [listener_name]

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name

    • Windows: Restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  4. For Oracle RAC installations, repeat these steps for each node on which the database is installed.

PKA@ְ22PK )Aoa,mimetypePK)AUFVQ:iTunesMetadata.plistPK)AYuMETA-INF/container.xmlPK)A3gCf?#0#OEBPS/cfrulset.htmPK)A΄/ XX|)OEBPS/dv_impact.htmPK)A[pTOǁOEBPS/cover.htmPK)Ay$AAAXOEBPS/whatsnew.htmPK)A;iQOEBPS/title.htmPK)AFܻP K 4OEBPS/loe.htmPK)AٔNhOEBPS/getting_started.htmPK)A"hOEBPS/plsql_interfaces.htmPK)A8E@% OEBPS/img_text/sec_policy_changes.htmPK)Ap s OEBPS/img_text/dv_oem.htmPK)AUhOJNOEBPS/img_text/tde.htmPK)AW}x(OEBPS/img_text/config_struct_changes.htmPK)A_9$ OEBPS/img_text/security_concerns.htmPK)Ao:.OEBPS/img_text/security_violation_attempts.htmPK)A{U*OEBPS/img_text/realm.htmPK)AOEBPS/img_text/dvadm_vm_001.htmPK)A3 OEBPS/img_text/home_page.htmPK)AQڛȹ%OEBPS/guidelines.htmPK)A{zpOEBPS/cfcmdaut.htmPK)ApOEBPS/apis_dbms_macutl.htmPK)A^_lOEBPS/cfrealms.htmPK)AGp~YOEBPS/audplcy.htmPK)A bOEBPS/toc.ncxPK)A{\pOEBPS/troubleshooting.htmPK)AuJ3E3 OEBPS/monitoring.htmPK)A]<--TOEBPS/content.opfPK)A8p IOEBPS/lof.htmPK)A_ OEBPS/dcommon/prodbig.gifPK)AY@ pOEBPS/dcommon/doclib.gifPK)AĚikkŐOEBPS/dcommon/oracle-logo.jpgPK)AOEBPS/dcommon/contbig.gifPK)AOEBPS/dcommon/darbbook.cssPK)AMά""!OEBPS/dcommon/O_signature_clr.JPGPK)APz &OEBPS/dcommon/feedbck2.gifPK)A-q'OEBPS/dcommon/feedback.gifPK)Aː5.OEBPS/dcommon/booklist.gifPK)AN61/OEBPS/dcommon/cpyr.htmPK)A!:3.cBOEBPS/dcommon/masterix.gifPK)AeӺ1,COEBPS/dcommon/doccd.cssPK)A7 TFOEBPS/dcommon/larrow.gifPK)A#{HOEBPS/dcommon/indxicon.gifPK)AS'"JOEBPS/dcommon/leftnav.gifPK)Ahu,TLOEBPS/dcommon/uarrow.gifPK)Al-OJoOOEBPS/dcommon/oracle.gifPK)A(XOEBPS/dcommon/index.gifPK)AGC JYOEBPS/dcommon/bookbig.gifPK)AJV^jcOEBPS/dcommon/rarrow.gifPK)A枰pkeOEBPS/dcommon/mix.gifPK)Ao"nR M 8hOEBPS/dcommon/doccd_epub.jsPK)Av I rOEBPS/dcommon/toc.gifPK)A r~$ tOEBPS/dcommon/topnav.gifPK)A1FAuOEBPS/dcommon/prodicon.gifPK)A3( # yOEBPS/dcommon/bp_layout.cssPK)Ax[?:OEBPS/dcommon/bookicon.gifPK)Ap*c^OEBPS/dcommon/conticon.gifPK)AʍOEBPS/dcommon/blafdoc.cssPK)A+&OEBPS/dcommon/rightnav.gifPK)Aje88-OEBPS/dcommon/oracle-small.JPGPK)Aއ{&!nOEBPS/dcommon/help.gifPK)A7 !!OEBPS/apis_macsec_roles.htmPK)AӊvOEBPS/cfgfact.htmPK)A_q OEBPS/toc.htmPK)AkmOEBPS/reports.htmPK)A^ޕjOEBPS/dv_ols.htmPK)A ;aaOEBPS/dvintro.htmPK)AM.. ZOEBPS/lot.htmPK)AŅvvvOEBPS/cfseappr.htmPK)A*U,OEBPS/db_objects.htmPK)AA@ְ22*OEBPS/dvdisabl.htmPKZZqU