
Example Schema

I often use the EMP and DEPT tables for test and demonstration purposes. Both tables are owned by the SCOTT user, together with two less frequently used tables: BONUS and SALGRADE. Execute the code snippets below to create and seed the EMP and DEPT tables in your own schema. The BONUS and SALGRADE tables are included as well, but are commented out. The DDL (data definition language) part creates the tables; the DML (data manipulation language) part inserts the data.

DDL

    create table dept(
      deptno number(2,0),
      dname  varchar2(14),
      loc    varchar2(13),
      constraint pk_dept primary key (deptno)
    );

    create table emp(
      empno    number(4,0),
      ename    varchar2(10),
      job      varchar2(9),
      mgr      number(4,0),
      hiredate date,
      sal      number(7,2),
      comm     number(7,2),
      deptno   number(2,0),
      constraint pk_emp primary key (empno),
      constraint fk_deptno foreign key (deptno) references dept (deptno)
    );

    /*
    create table bonus(
      ename varchar2(10),
      job   varchar2(9),
      sal   number,
      comm  number
    );

    create table salgrade(
      grade number,
      losal number,
      hisal number
    );
    */

DML

    insert into dept values(10, 'ACCOUNTING', 'NEW YORK');
    insert into dept values(20, 'RESEARCH', 'DALLAS');
    insert into dept values(30, 'SALES', 'CHICAGO');
    insert into dept values(40, 'OPERATIONS', 'BOSTON');

    insert into emp values(7839, 'KING', 'PRESIDENT', null, to_date('17-11-1981','dd-mm-yyyy'), 5000, null, 10);
    insert into emp values(7698, 'BLAKE', 'MANAGER', 7839, to_date('1-5-1981','dd-mm-yyyy'), 2850, null, 30);
    insert into emp values(7782, 'CLARK', 'MANAGER', 7839, to_date('9-6-1981','dd-mm-yyyy'), 2450, null, 10);
    insert into emp values(7566, 'JONES', 'MANAGER', 7839, to_date('2-4-1981','dd-mm-yyyy'), 2975, null, 20);
    insert into emp values(7788, 'SCOTT', 'ANALYST', 7566, to_date('13-jul-87','dd-mm-rr') - 85, 3000, null, 20);
    insert into emp values(7902, 'FORD', 'ANALYST', 7566, to_date('3-12-1981','dd-mm-yyyy'), 3000, null, 20);
    insert into emp values(7369, 'SMITH', 'CLERK', 7902, to_date('17-12-1980','dd-mm-yyyy'), 800, null, 20);
    insert into emp values(7499, 'ALLEN', 'SALESMAN', 7698, to_date('20-2-1981','dd-mm-yyyy'), 1600, 300, 30);
    insert into emp values(7521, 'WARD', 'SALESMAN', 7698, to_date('22-2-1981','dd-mm-yyyy'), 1250, 500, 30);
    insert into emp values(7654, 'MARTIN', 'SALESMAN', 7698, to_date('28-9-1981','dd-mm-yyyy'), 1250, 1400, 30);
    insert into emp values(7844, 'TURNER', 'SALESMAN', 7698, to_date('8-9-1981','dd-mm-yyyy'), 1500, 0, 30);
    insert into emp values(7876, 'ADAMS', 'CLERK', 7788, to_date('13-jul-87','dd-mm-rr') - 51, 1100, null, 20);
    insert into emp values(7900, 'JAMES', 'CLERK', 7698, to_date('3-12-1981','dd-mm-yyyy'), 950, null, 30);
    insert into emp values(7934, 'MILLER', 'CLERK', 7782, to_date('23-1-1982','dd-mm-yyyy'), 1300, null, 10);

    /*
    insert into salgrade values (1, 700, 1200);
    insert into salgrade values (2, 1201, 1400);
    insert into salgrade values (3, 1401, 2000);
    insert into salgrade values (4, 2001, 3000);
    insert into salgrade values (5, 3001, 9999);
    */

    commit;

Example 1: Definer and Invoker Rights

Definer rights is the default because it is very hard to manage privileges with invoker rights: you would have to analyze what the procedure uses and grant privileges granularly to every user who needs to execute it. The counterpart in the Unix world is the setuid bit, one of the worst enemies of security best practices.

    SQL> connect scott
    SCOTT> create or replace procedure scott.definer_give_raise_to_all(raise_amount number)
           IS
           BEGIN
             update scott.emp set sal = sal + raise_amount;
             commit;
           END;
           /
    SCOTT> grant execute on scott.definer_give_raise_to_all to ron;
    Grant succeeded.

ron does not have the update privilege on scott.emp, yet the definer-rights procedure lets him give everybody a raise:

    SQL> connect ron
    RON> update scott.emp set sal = sal + 10;
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    RON> exec scott.definer_give_raise_to_all(10)
    PL/SQL procedure successfully completed.

The same procedure with invoker rights (AUTHID CURRENT_USER) runs with the privileges of the caller:

    SQL> connect scott
    SCOTT> create or replace procedure scott.invoker_give_raise_to_all(raise_amount number)
           AUTHID CURRENT_USER
           IS
           BEGIN
             update scott.emp set sal = sal + raise_amount;
             commit;
           END;
           /
    SCOTT> grant execute on scott.invoker_give_raise_to_all to ron;
    Grant succeeded.
    SQL> connect ron
    RON> exec scott.invoker_give_raise_to_all(10)
    BEGIN scott.invoker_give_raise_to_all(10); END;
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "SCOTT.INVOKER_GIVE_RAISE_TO_ALL", line 7
    ORA-06512: at line 1

Only after ron has been granted update on the table does the call succeed:

    SQL> connect scott
    SCOTT> grant update on scott.emp to ron;
    Grant succeeded.
    SQL> connect ron
    RON> exec scott.invoker_give_raise_to_all(10)
    PL/SQL procedure successfully completed.
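As an added example (not from the original page), a DBA-side inventory of the setuid-like objects Example 1 warns about: definer-rights PL/SQL objects that have been granted to other users. It assumes an 11g or later dictionary, where DBA_PROCEDURES carries the AUTHID column, and the exclusion of SYS and SYSTEM is my assumption about which schemas matter.

```sql
-- Added example, not part of the original page: list definer-rights
-- procedures, functions and packages that someone other than the owner
-- may execute. Run as a DBA (reads DBA_PROCEDURES and DBA_TAB_PRIVS).
select p.owner,
       p.object_name,
       p.object_type,
       g.grantee,
       g.grantable
from   dba_procedures p
join   dba_tab_privs  g
  on   g.owner      = p.owner
 and   g.table_name = p.object_name
 and   g.privilege  = 'EXECUTE'
where  p.authid = 'DEFINER'
and    p.procedure_name is null           -- one row per object, not per package subprogram
and    p.owner not in ('SYS', 'SYSTEM')   -- assumption: only application schemas are of interest
and    g.grantee <> p.owner
order  by p.owner, p.object_name, g.grantee;
```

With the objects from Example 1 in place this returns SCOTT.DEFINER_GIVE_RAISE_TO_ALL granted to RON but not INVOKER_GIVE_RAISE_TO_ALL, because the latter has AUTHID = 'CURRENT_USER'.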

Example 2: Secure Application Roles

Goal: provide access to scott.emp for users whose name is in ename and who are managers.

Step 1: Define a view and grant privileges

    SQL> connect scott
    SCOTT> create view emp_job as select ename, job from emp;
    View created.
    SCOTT> grant select on emp_job to blake, james;
    Grant succeeded.
    SCOTT> -- revoke access to the base table
    SCOTT> revoke select on emp from blake, james;

Step 2: Create the secure application role and grant it object privileges

    SQL> create role manager_role identified using scott.access_control_policy;
    Role created.
    SQL> grant select on scott.emp to manager_role;
    Grant succeeded.

Only the named procedure can activate the role; a plain SET ROLE fails:

    SQL> set role manager_role;
    *
    ERROR at line 1:
    ORA-28201: Not enough privileges to enable application role 'MANAGER_ROLE'

Step 3: Build the procedure that assigns the role. It looks up the currently logged-on user in the emp_job view; if the user is a manager it sets the role that grants access to the table.

    SCOTT> create or replace procedure access_control_policy
           authid current_user
           AS
             v_user varchar2(50);
             v_job  varchar2(50);
           BEGIN
             -- get the user from the context
             v_user := lower(sys_context('userenv','session_user'));
             -- get the job description
             select job into v_job from scott.emp_job where lower(ename) = v_user;
             -- if we are a manager then set the role
             if v_job = 'MANAGER' then
               dbms_session.set_role('manager_role');
             else
               null;
             end if;
           END access_control_policy;
           /

Step 4: Grant the execute privilege to the appropriate users

    SCOTT> grant execute on access_control_policy to blake, james;

Step 5: Test manually

    SCOTT> select * from emp_job;
    ENAME      JOB
    ---------- ---------
    BLAKE      MANAGER
    JAMES      CLERK

    SQL> connect blake
    BLAKE> exec scott.access_control_policy
    PL/SQL procedure successfully completed.
    BLAKE> select * from session_roles;
    ROLE
    ------------------------------
    MANAGER_ROLE
    BLAKE> select max(sal) from scott.emp;
    MAX(SAL)
    ----------
    5030

    SQL> connect james
    JAMES> exec scott.access_control_policy
    PL/SQL procedure successfully completed.
    JAMES> select * from session_roles;
    ROLE
    ------------------------------
    CONNECT
    JAMES> select max(sal) from scott.emp;
    *
    ERROR at line 1:
    ORA-00942: table or view does not exist

Example 3a: Virtual Private Database with Application Context

Depending on the deptno of the database user, the query on emp should return results or not.

Create an application context (ctx_ex is the namespace, ctx_ex_mgr the namespace manager):

    SQL> create context ctx_ex using sec_mgr.ctx_ex_mgr;

Create a lookup table:

    SQL> create table lookup_dept as select ename username, deptno from emp;

Create the namespace manager:

    SQL> create or replace package ctx_ex_mgr as
           procedure set_deptno;
           procedure clear_deptno;
         end;
         /

    SQL> create or replace package body ctx_ex_mgr as
           procedure set_deptno as
             l_deptno number;
           begin
             select deptno into l_deptno from lookup_dept
              where username = sys_context('userenv','session_user');
             dbms_session.set_context(namespace => 'ctx_ex',
                                      attribute => 'deptno',
                                      value     => l_deptno);  -- the variable, not the literal 'l_deptno'
           end set_deptno;

           procedure clear_deptno as
           begin
             dbms_session.clear_context(namespace => 'ctx_ex',
                                        attribute => 'deptno');
           end clear_deptno;
         end ctx_ex_mgr;
         /

Set the application context automatically during logon:

    SQL> create or replace trigger set_user_deptno
         after logon on database
         begin
           sec_mgr.ctx_ex_mgr.set_deptno;
         exception
           when no_data_found then
             null;   -- user is not in lookup_dept: leave the context unset
         end;
         /

Implement the security policy manually: create a view that restricts the user's query to records within his department.

    SQL> create or replace view my_dept_ctx as
         select * from emp where deptno = sys_context('ctx_ex','deptno');

Example 3b: Virtual Private Database with Row Level Security

Depending on the deptno of the database user, the query on emp should return results or not.

Define a predicate function for the query rewriting:

    SQL> create or replace function rls_dept(obj_owner in varchar2,
                                            obj_name  in varchar2)
         return varchar2
         as
           deptno    number;
           predicate varchar2(200);
         begin
           -- department of the session, maintained in the ctx_ex2 context by set_ctx_ex2 (created below)
           deptno := sys_context('ctx_ex2','dept');
           if deptno is null then
             predicate := '1=2';
           else
             predicate := 'deptno=' || deptno;
           end if;
           return(predicate);
         end rls_dept;
         /

The returned predicate value is attached to the query as a where clause. Now create the VPD policy and attach it to the EMP table:

    SQL> begin
           dbms_rls.add_policy(
             object_schema   => 'scott',
             object_name     => 'emp',
             policy_name     => 'restrict_dept_policy',
             function_schema => 'scott',
             policy_function => 'rls_dept');
         end;
         /

Create another context for maintaining deptno:

    SQL> create context ctx_ex2 using sec_mgr.set_ctx_ex2;
    SQL> create or replace procedure set_ctx_ex2
         (
           deptno in number
         )
         is
         begin
           dbms_session.set_context('ctx_ex2','dept',deptno);
         end;
         /

Test the policy without setting the context:

    SQL> select * from emp;
    no rows selected

This is because of the '1=2' predicate used for the query rewrite. With the context set:

    SQL> exec set_ctx_ex2(20)
    SQL> select * from emp;

All rows with deptno=20 are returned, because the predicate is now deptno=20.
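As an added example (not from the original page), a defensive variant of the rls_dept policy function: it converts the context value to a number before building the predicate, so a non-numeric value can never end up in the rewritten where clause, and it denies all rows when the context is missing or malformed. The name rls_dept_safe, the re-registration of the page's restrict_dept_policy against it, and the closing dba_policies check are mine; the context namespace and attribute (ctx_ex2, dept) are the page's.

```sql
-- Added example, not from the original page: a hardened rls_dept.
create or replace function rls_dept_safe(obj_owner in varchar2,
                                         obj_name  in varchar2)
return varchar2
as
  l_raw    varchar2(4000);
  l_deptno number;
begin
  l_raw := sys_context('ctx_ex2', 'dept');
  if l_raw is null then
    return '1=2';                           -- no context set: deny every row
  end if;
  -- convert before concatenating: anything that is not a plain number
  -- (for example '20 or 1=1') raises and falls through to the deny branch
  l_deptno := to_number(l_raw);
  return 'deptno = ' || to_char(l_deptno);
exception
  when value_error or invalid_number then
    return '1=2';                           -- malformed context: deny every row
end rls_dept_safe;
/

-- Re-register the page's policy against the hardened function and state
-- the statement types explicitly so DML is covered as well as SELECT.
begin
  dbms_rls.drop_policy(object_schema => 'scott',
                       object_name   => 'emp',
                       policy_name   => 'restrict_dept_policy');
  dbms_rls.add_policy(object_schema   => 'scott',
                      object_name     => 'emp',
                      policy_name     => 'restrict_dept_policy',
                      function_schema => 'scott',
                      policy_function => 'rls_dept_safe',
                      statement_types => 'SELECT,INSERT,UPDATE,DELETE');
end;
/

-- Check (as a DBA) that the policy is attached to EMP, which function it
-- calls, and that it is enabled.
select object_owner, object_name, policy_name, function, sel, ins, upd, del, enable
from   dba_policies
where  object_owner = 'SCOTT'
and    object_name  = 'EMP';
```

The context value can only be set through sec_mgr.set_ctx_ex2, which takes a number, so the to_number guard is defence in depth against a future namespace manager that accepts strings rather than a fix for a hole in the page's setup.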