Using Identities in Data Vault to Restrict User Activities

Problem statement: Users should only be allowed to log in from the SECURE INTERNAL network.

Solution: to achieve this, we’ll be using the out-of-the-box DOMAIN factor.

First, create the user that will be used for testing:

$ sqlplus vowner

SQL> create user testuser identified by password;
User created.

$ sqlplus / as sysdba
SQL> grant create session, dba to testuser;

Grant succeeded.

Select Factors -> Domain factor -> Edit

In the Identities section, click to create two identities:

1. Secured internal network
2. Not secured network

So now we have two identities created.

Next step is to map the identities. In this case, we’ll map the identities to the IP addresses of the secured and non-secured networks.

In the Create Identity Map dialog, select CLIENT_IP as the contributing factor. We can specify a starting and ending IP range; for testing purposes, I’ve used a specific IP address.

For the SECURED network, I’ve used the EQUAL map condition. For the NON-SECURED network it is NOT EQUAL.

Now it’s time to test the factor identities. I’ll try to connect from the host where the factor identities are mapped.

Note: I did not use any connect string.

$ sqlplus testuser

SQL> SELECT DVF.F$CLIENT_IP FROM DUAL;

F$CLIENT_IP
--------------------------------------------------------------------------------

SQL> SELECT DVF.F$DOMAIN FROM DUAL;

F$DOMAIN
--------------------------------------------------------------------------------
NOT SECURED NETWORK

Without a connect string, this session is a local BEQ (bequeath) connection to the database, so there is no client IP information for the CLIENT_IP factor to report, and the DOMAIN factor falls through to the NOT EQUAL map (NOT SECURED NETWORK). The server process shows the bequeath protocol:

oracleDEVDB (DESCRIPTION=(LOCAL=YES)(ADDRESS=(PROTOCOL=beq)))

Now I’ll try the same set of commands, but this time the connection will be made using a connect string:

$ sqlplus testuser@devdb

SQL> SELECT DVF.F$CLIENT_IP FROM DUAL;

F$CLIENT_IP
--------------------------------------------------------------------------------
10.26.16.30

SQL> SELECT DVF.F$DOMAIN FROM DUAL;

F$DOMAIN
--------------------------------------------------------------------------------
SECURED INTERNAL NETWORK

So, based on the incoming IP address, the DOMAIN factor now resolves to the correct identity, and we can create the rule set and command rule that restrict access to the protected system.
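As an added example (not from the original post), here is the rule, rule set and CONNECT command rule that enforce the DOMAIN identity built above, using the DBMS_MACADM API. It assumes the Database Vault owner account is VOWNER (the account used earlier) and exempts it so a local BEQ session by the administrator is not locked out; the rule set name, rule name and fail code are constructed values.

```sql
-- Run as the Database Vault owner account (DV_OWNER role), assumed here to be VOWNER.
BEGIN
  -- Rule: the DOMAIN factor must resolve to the secured identity.
  -- The VOWNER exemption is an assumption added so the DV owner can still
  -- connect locally over BEQ, where F$DOMAIN evaluates to NOT SECURED NETWORK.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Secured Internal Network',
    rule_expr => q'[DVF.F$DOMAIN = 'SECURED INTERNAL NETWORK' OR DVF.F$SESSION_USER = 'VOWNER']');

  -- Rule set: every rule must pass, failures are audited and the
  -- failure message is returned to the client.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Secured Network Only',
    description     => 'Allow CONNECT only from the secured internal network',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connections are only permitted from the secured internal network',
    fail_code       => 20461,   -- constructed value; must fall in the 20000-20999 range
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Secured Network Only',
    rule_name     => 'Is Secured Internal Network');

  -- Command rule: evaluate the rule set on every CONNECT, for all users and objects.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Secured Network Only',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verify that the command rule is in place before testing.
SELECT command, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE command = 'CONNECT';
```

With this in place, `sqlplus testuser` (BEQ, DOMAIN = NOT SECURED NETWORK) is rejected with the fail message, while `sqlplus testuser@devdb` from the mapped address 10.26.16.30 succeeds. To back the change out, use DBMS_MACADM.DELETE_COMMAND_RULE('CONNECT', '%', '%') as the DV owner.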
