Some time ago, I discussed security in Oracle databases with a customer and explained the role structure in the Oracle database. I explained to him that ultimately it’s the DBA who assigns roles and privileges to the users of an application and it’s the DBA who is the almighty, most powerful user with almost unlimited access to data and abilities to modify a database. With all this security in place, who’s going to prevent to DBA from using his powers in a malevolent way, was my customers question? To be honest, until that moment I’d never given that possibility a thought. I’d always seen DBA’s as hardworking, loyal and honest people who watch over their applications as a mother over her child. But obviously my customer was right about who’s going the check the DBA. This can’t be done be introducing another super-super user, because who’s going to check him?
The answer lies in the separation of duties. The DBA isn’t the all powerful user anymore but it’s privileges are spread over multiple users.
Oracle Database Vault is the product from Oracle which aim is to administrate and execute a database security approach with separation of duties. It lays an additional layer of security over your application (meta)data. The standard access control layer with roles and maybe a Virtual Private Database is still in place and fully operational. Only if a user complies with the rules of the two security systems, a user can access data or modify database components.
Oracle Database vault comes with 3 new terms:
- Realms: A realm is a (part of) an database schema. Only users with access to a realm can access the data. A DBA without access to a realm can’t see the data belonging to that realm.
- Command rules and factors. Command rules are roughly the equivalent of database privileges. Factors determine when and from where you can perform a command rule, e.g it’s possible to make a command rule which only allows to drop a table from 10:00PM to 02:00 AM from a certain list of IP addresses.
By default Oracle Database Vault comes with 3 separate (Oracle Vault) roles:
- A account management role for the administration of users
- A Security administrator, which can set up realms, command rules and factors but is prevented form giving access to business data to himself.
- A resource administration role, which allows users to perform the normal database maintenance tasks.
But this is only a start. The purpose of Oracle Database vault is to set up your own security policy with your own roles.
A nice introduction of Oracle Database Vault can be found on OTN