Using FACTORS in Database Vault to restrict access

Problem Statement: A user should be able to connect to the database only from a specific host.

The following query lists the pre-defined factors. Each factor is exposed as a function in the DVF schema, named F$ followed by the factor name:

SQL> SELECT OBJECT_NAME, OBJECT_TYPE FROM DBA_OBJECTS WHERE OWNER='DVF' AND OBJECT_NAME LIKE 'F$%'
/

OBJECT_NAME                   OBJECT_TYPE
----------------------------- -----------
F$AUTHENTICATION_METHOD FUNCTION
F$CLIENT_IP FUNCTION
F$DATABASE_DOMAIN FUNCTION
F$DATABASE_HOSTNAME FUNCTION
F$DATABASE_INSTANCE FUNCTION
F$DATABASE_IP FUNCTION
F$DATABASE_NAME FUNCTION
F$DOMAIN FUNCTION
F$ENTERPRISE_IDENTITY FUNCTION
F$IDENTIFICATION_TYPE FUNCTION
F$LANG FUNCTION
F$LANGUAGE FUNCTION
F$MACHINE FUNCTION
F$NETWORK_PROTOCOL FUNCTION
F$PROXY_ENTERPRISE_IDENTITY FUNCTION
F$PROXY_USER FUNCTION
F$SESSION_USER FUNCTION

17 rows selected.

We can also create a new factor; Database Vault then creates a matching function F$<factor name> in the DVF schema. In this example we'll use the pre-defined MACHINE factor (DVF.F$MACHINE), which returns the name of the client machine the session connects from.

Create a RULE SET

Now, in the Rules section, create a rule whose expression is based on the FACTOR (a comparison of DVF.F$MACHINE with the allowed host name) and add it to the rule set.

We want to enforce this restriction on all users connecting to the database, so in the Command Rules section create a command rule for CONNECT and assign the rule set to it.

Now test the rule by logging in from a host other than the one named in the FACTOR expression:

C:\>sqlplus system@devdb

SQL*Plus: Release 9.2.0.1.0 - Production on Tue Apr 29 15:40:10 2008

Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.

Enter password:
ERROR:
ORA-47400: Command Rule violation for CONNECT on LOGON

To remove the objects, delete the CONNECT command rule first, then the rule set.
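The same rule set, rule and CONNECT command rule the post builds through the Database Vault Administrator pages can be created with the DBMS_MACADM PL/SQL API. The script below is an added example, not part of the original post; the DBMS_MACADM and DBMS_MACUTL calls are Oracle's documented Database Vault API, while the rule and rule set names and the host name APPSRV01 are placeholders chosen here. It is meant to be run as the Database Vault owner account.

```sql
-- Added example (not from the original post): host restriction via the
-- DBMS_MACADM API instead of the DV Administrator pages.
-- 'APPSRV01' is a placeholder for the allowed client machine name.

-- Step 0: check what the MACHINE factor returns when connected from the host
-- that should stay allowed. The rule expression below must match this value
-- exactly, otherwise every CONNECT, including your own, will be rejected.
SELECT DVF.F$MACHINE FROM DUAL;

-- Step 1: the rule. rule_expr is any SQL expression that evaluates to
-- TRUE or FALSE; here it compares the MACHINE factor with the allowed host.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Connect From App Server',
    rule_expr => 'DVF.F$MACHINE = ''APPSRV01''');
END;
/

-- Step 2: the rule set that holds the rule. Failed evaluations are audited
-- and the failure message is shown to the client.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Allowed Hosts',
    description     => 'Connections allowed only from the application server',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,    -- every rule must be true
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,  -- audit failed evaluations
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,   -- show the failure message
    fail_message    => 'Connections are not permitted from this host',
    fail_code       => 20999,                             -- must be in 20000..20999
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF, -- no custom handler
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Allowed Hosts',
    rule_name     => 'Connect From App Server');
END;
/

-- Step 3: the CONNECT command rule. object_owner '%' applies it to all users,
-- which is what the post does.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Allowed Hosts',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Cleanup, in the order the post gives: command rule first, then the rule set,
-- then the rule it contained.
BEGIN
  DBMS_MACADM.DELETE_COMMAND_RULE(
    command => 'CONNECT', object_owner => '%', object_name => '%');
  DBMS_MACADM.DELETE_RULE_SET(rule_set_name => 'Allowed Hosts');
  DBMS_MACADM.DELETE_RULE(rule_name => 'Connect From App Server');
END;
/
```

Because a CONNECT command rule for owner '%' is evaluated for every logon, verify the factor value from the host you intend to allow before enabling the rule set, and keep the cleanup block at hand so a mistyped expression can be backed out from an already open session.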

This entry was posted in Oracle Database Vault, Oracle Security.

7 Responses to Using FACTORS in Database Vault to restrict access

  1. anusha says:

    Hi,

    Great tips on database vault. I am a beginner to database vault. Can you please guide me in using DBV to restrict access to a database. The actual problem is: For example we want the users to be able to use sqlplus and do queries from 8am-11am but not able to access from 12pm-10pm but then can again from 10pm-6am. Please provide examples how to do the latter in the database.

    Thanks a lot!!
    Anusha

  2. ybhandarkar says:

    Hello Anusha,

    Please check the following links. You will get some idea of what you'll have to do.

    Using Identities in Data Vault to Restrict User Activities
    https://oraclehandson.wordpress.com/2008/05/12/using-identities-in-data-vault-to-restrict-user-activities/

    Using RULE SET in Database Vault to restrict specific actions
    https://oraclehandson.wordpress.com/2008/05/09/using-rule-set-in-database-vault-to-restrict-specific-actions/

    -Yogesh

  3. Nikolodeon says:

    Hi,

    I’ve found your blog on google searching for DV. Currently I have an issue with the COMMAND RULE CONNECT:

    I want to enable it only for a specific user; however, configuring the user on the owner field doesn’t limit the rule to that user only.

    Does the COMMAND RULE CONNECT have a different behavior from the rest?

    Thanks in advance

  4. Shakti says:

    I know this is a very old blog, but I am trying to use DB Vault to restrict users from accessing the database for a limited period of time, like the 4 days of month end. Can you please suggest if we can do it, and how?

    • I do not have a DV setup right now. But I guess this is something which you can do without DV as well. Maybe logon triggers?

      • Shakti says:

        Thanks for the response Yogesh. I figured it out. We can create a rule set with a rule with the where clause (SYSDATE BETWEEN (LAST_DAY(SYSDATE)-1) AND (LAST_DAY(SYSDATE)+3)) and assign the rule set to the authorized user.

        Thanks.
