
Oracle Label Security (OLS)

NOTA: Ejecutar el laboratorio con sqlplus (consola). Activar el spool como sustento del laboratorio: SPOOL ON; SPOOL C:\apellido_Nombre_OLS.TXT;

Conectarse con el usuario SYS y ejecutar: 1. Creación de usuario


-- Step 1 (run as SYS): create the lab user that will own the OLS policy and the demo table.
-- Replace xxx with the initials of your name and surnames. The password 'oracle' is a
-- lab default; use a real one outside the lab.
CREATE USER ols_xxx
    IDENTIFIED BY oracle
    DEFAULT TABLESPACE users
    TEMPORARY TABLESPACE temp;

XXX: deberá ser la primera letra de su nombre y apellidos. 2. Otorgar permisos


-- Step 2: CONNECT/RESOURCE let ols_xxx log in and create schema objects;
-- SELECT_CATALOG_ROLE adds read access to the data dictionary views.
GRANT
    CONNECT,
    RESOURCE,
    SELECT_CATALOG_ROLE
TO ols_xxx;

3. Cambiar el password y desbloquear usuario lbacsys


-- Step 3: LBACSYS is the OLS administrative schema and is locked by default; unlock it
-- with the lab password so step 4 can be run from it. Re-lock it when the lab is done.
ALTER USER lbacsys
    IDENTIFIED BY oracle
    ACCOUNT UNLOCK;

Conectarse con el usuario lbacsys y ejecutar: 4. Otorgar permisos de ejecución sobre los objetos OLS
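-- Step 4 (run as LBACSYS): let ols_xxx call the OLS administration packages.
-- WITH GRANT OPTION lets ols_xxx pass these execute rights on to other users; drop it
-- if ols_xxx should not be able to delegate OLS administration.
-- The original listed the sa_user_admin grant twice; the duplicate was removed.
GRANT EXECUTE ON sa_components   TO ols_xxx WITH GRANT OPTION;
GRANT EXECUTE ON sa_user_admin   TO ols_xxx WITH GRANT OPTION;
GRANT EXECUTE ON sa_label_admin  TO ols_xxx WITH GRANT OPTION;
GRANT EXECUTE ON sa_policy_admin TO ols_xxx WITH GRANT OPTION;
GRANT EXECUTE ON sa_audit_admin  TO ols_xxx WITH GRANT OPTION;
-- LBAC_DBA is the OLS administrator role; together with sa_sysdba it is what step 5
-- needs to create a policy.
GRANT LBAC_DBA TO ols_xxx;
GRANT EXECUTE ON sa_sysdba TO ols_xxx;
-- Used by the labelling function in step 9.
GRANT EXECUTE ON to_lbac_data_label TO ols_xxx;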

Conectarse con el usuario ols_xxx y ejecutar: 5. Crear la política de seguridad region_policy

-- Step 5 (run as ols_xxx): create the OLS policy. region_label_xxx is the name of the
-- label column the policy adds to every table it is applied to (see steps 10-11).
BEGIN
    SA_SYSDBA.CREATE_POLICY(
        policy_name => 'region_policy_xxx',
        column_name => 'region_label_xxx'
    );
END;

XXX: deberá ser la primera letra de su nombre y apellidos. En caso exista la política, deberá ejecutar:

-- Only when the policy already exists: drop it together with its label column so that
-- step 5 can be run again from a clean state.
BEGIN
    SA_SYSDBA.DROP_POLICY(
        policy_name => 'region_policy_xxx',
        drop_column => TRUE
    );
END;

6. Dar permisos al rol asociado a la política creada


-- Step 6: the policy-specific administration role created with the policy in step 5.
-- Holding it lets ols_xxx define the policy's levels, compartments, groups and user labels.
GRANT region_policy_xxx_dba TO ols_xxx;

Conectarse con el usuario ols_xxx y ejecutar: 7. Crear los Niveles, Compartimentos y Grupos para hacer funcionar las políticas de Oracle Label Security. a. Crear Niveles
-- Step 7a: sensitivity levels. level_num orders them: L1 (20) is the lowest, L3 (60)
-- the highest; a user's level must dominate a row's level to read it.
EXECUTE SA_COMPONENTS.CREATE_LEVEL(policy_name => 'region_policy_xxx', level_num => 20, short_name => 'L1', long_name => 'Level 1');
EXECUTE SA_COMPONENTS.CREATE_LEVEL(policy_name => 'region_policy_xxx', level_num => 40, short_name => 'L2', long_name => 'Level 2');
EXECUTE SA_COMPONENTS.CREATE_LEVEL(policy_name => 'region_policy_xxx', level_num => 60, short_name => 'L3', long_name => 'Level 3');

b. Crear Compartimentos
-- Step 7b: compartments (unordered categories). M = MANAGEMENT, E = EMPLOYEE; the
-- labelling function in step 9 assigns M to PLATINUM customers and E to the rest.
EXECUTE SA_COMPONENTS.CREATE_COMPARTMENT(policy_name => 'region_policy_xxx', comp_num => 100, short_name => 'M', long_name => 'MANAGEMENT');
EXECUTE SA_COMPONENTS.CREATE_COMPARTMENT(policy_name => 'region_policy_xxx', comp_num => 120, short_name => 'E', long_name => 'EMPLOYEE');

c. Crear Grupos

-- Step 7c: one group per sales region. The short names R20..R80 are what the labelling
-- function (step 9) and the user labels (step 15) refer to.
EXECUTE SA_COMPONENTS.CREATE_GROUP(policy_name => 'region_policy_xxx', group_num => 20, short_name => 'R20', long_name => 'REGION NORTH');
EXECUTE SA_COMPONENTS.CREATE_GROUP(policy_name => 'region_policy_xxx', group_num => 40, short_name => 'R40', long_name => 'REGION SOUTH');
EXECUTE SA_COMPONENTS.CREATE_GROUP(policy_name => 'region_policy_xxx', group_num => 60, short_name => 'R60', long_name => 'REGION EAST');
EXECUTE SA_COMPONENTS.CREATE_GROUP(policy_name => 'region_policy_xxx', group_num => 80, short_name => 'R80', long_name => 'REGION WEST');

d. Dar permisos
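-- Step 7d: policy privileges for the policy owner. Per the OLS documentation FULL bypasses
-- label enforcement on reads and writes and PROFILE_ACCESS allows switching session label
-- profiles, so this pair should stay restricted to the policy administrator (ols_xxx).
-- The original privilege string carried a trailing space ('PROFILE_ACCESS '), most likely
-- a PDF artefact, which may be rejected as an unknown privilege; it was removed.
EXECUTE SA_USER_ADMIN.SET_USER_PRIVS(policy_name => 'region_policy_xxx', user_name => 'ols_xxx', privileges => 'FULL,PROFILE_ACCESS');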

En caso se tenga que borrar, ejecutar:


-- Clean-up for step 7: removes the components in the reverse order of creation
-- (groups, then compartments, then levels), each identified by its number.
EXECUTE SA_COMPONENTS.DROP_GROUP(policy_name => 'region_policy_xxx', group_num => 20);
EXECUTE SA_COMPONENTS.DROP_GROUP(policy_name => 'region_policy_xxx', group_num => 40);
EXECUTE SA_COMPONENTS.DROP_GROUP(policy_name => 'region_policy_xxx', group_num => 60);
EXECUTE SA_COMPONENTS.DROP_GROUP(policy_name => 'region_policy_xxx', group_num => 80);
EXECUTE SA_COMPONENTS.DROP_COMPARTMENT(policy_name => 'region_policy_xxx', comp_num => 100);
EXECUTE SA_COMPONENTS.DROP_COMPARTMENT(policy_name => 'region_policy_xxx', comp_num => 120);
EXECUTE SA_COMPONENTS.DROP_LEVEL(policy_name => 'region_policy_xxx', level_num => 20);
EXECUTE SA_COMPONENTS.DROP_LEVEL(policy_name => 'region_policy_xxx', level_num => 40);
EXECUTE SA_COMPONENTS.DROP_LEVEL(policy_name => 'region_policy_xxx', level_num => 60);

Conectarse con el usuario ols_xxx y ejecutar: 8. Crear tabla y cargarla. a. Creación de tabla
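-- Step 8a: demo table protected by the policy from step 10 on. The PDF extraction had
-- scattered the column types away from their names; they are re-paired here in the
-- original order (six names, six types, NOT NULL belonging to id).
-- credit is an exact decimal (NUMBER(10,2)); region holds NORTH/SOUTH/EAST/WEST (5 chars).
CREATE TABLE customers (
    id         NUMBER(10)    NOT NULL,
    cust_type  VARCHAR2(10),
    first_name VARCHAR2(30),
    last_name  VARCHAR2(30),
    region     VARCHAR2(5),
    credit     NUMBER(10,2),
    CONSTRAINT customer_pk PRIMARY KEY (id)
);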

b. Dar permisos
-- Step 8b: every database user may read and modify customers; which rows they actually
-- see or change is then narrowed by the OLS labels enforced from step 12 on. Outside the
-- lab a dedicated role instead of PUBLIC would be the least-privilege choice.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON customers
    TO PUBLIC;

c. Cargar valores de la tabla


-- Step 8c: 15 sample customers, five per cust_type, spread over the four regions so that
-- every level/compartment/group combination produced by step 9 appears at least once.
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 1, 'SILVER',   'Harry',   'Hill',       'NORTH', 11000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 2, 'SILVER',   'Vic',     'Reeves',     'NORTH',  2000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 3, 'SILVER',   'Bob',     'Mortimer',   'WEST',    500.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 4, 'SILVER',   'Paul',    'Whitehouse', 'SOUTH',  1000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 5, 'SILVER',   'Harry',   'Enfield',    'EAST',  20000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 6, 'GOLD',     'Jenifer', 'Lopez',      'WEST',    500.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 7, 'GOLD',     'Kylie',   'Minogue',    'NORTH',  1000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 8, 'GOLD',     'Maria',   'Carey',      'WEST',   1000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES ( 9, 'GOLD',     'Dani',    'Minogue',    'SOUTH', 20000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES (10, 'GOLD',     'Whitney', 'Houston',    'EAST',    500.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES (11, 'PLATINUM', 'Robbie',  'Williams',   'SOUTH',   500.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES (12, 'PLATINUM', 'Thom',    'Yorke',      'NORTH',  2000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES (13, 'PLATINUM', 'Gareth',  'Gates',      'WEST',  10000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES (14, 'PLATINUM', 'Darius',  'Dinesh',     'EAST',   2000.00);
INSERT INTO customers (id, cust_type, first_name, last_name, region, credit) VALUES (15, 'PLATINUM', 'Will',    'Young',      'EAST',    100.00);

9. Creando la función de OLS


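-- Step 9: labelling function that OLS calls for every INSERT/UPDATE on customers once it
-- is registered as label_function in step 12. It builds a label string of the form
-- LEVEL:COMPARTMENT:GROUP from the row's credit, customer type and region and converts
-- it to a data label of policy region_policy_xxx.
-- The PDF extraction had scrambled the parameter list (the IN/type tokens were detached
-- from their names), so the original text does not compile; the three parameters are
-- restored in the order the caller in step 12 passes them: cust_type, region, credit.
CREATE OR REPLACE FUNCTION get_customer_label (
    p_cust_type IN VARCHAR2,
    p_region    IN VARCHAR2,
    p_credit    IN NUMBER
) RETURN LBACSYS.LBAC_LABEL AS
    v_label VARCHAR2(80);
BEGIN
    -- Level: the larger the credit, the more sensitive the row. A NULL credit fails both
    -- comparisons and therefore gets the lowest level L1.
    IF p_credit > 2000 THEN
        v_label := 'L3:';
    ELSIF p_credit > 500 THEN
        v_label := 'L2:';
    ELSE
        v_label := 'L1:';
    END IF;

    -- Compartment: PLATINUM customers are MANAGEMENT-only, everything else EMPLOYEE.
    IF p_cust_type = 'PLATINUM' THEN
        v_label := v_label || 'M:';
    ELSE
        v_label := v_label || 'E:';
    END IF;

    -- Group: one per region. A region outside these four leaves the label with no group
    -- (original behaviour, kept as is); NOTE(review): confirm how the policy treats such
    -- rows before relying on it.
    IF p_region = 'NORTH' THEN
        v_label := v_label || 'R20';
    ELSIF p_region = 'SOUTH' THEN
        v_label := v_label || 'R40';
    ELSIF p_region = 'EAST' THEN
        v_label := v_label || 'R60';
    ELSIF p_region = 'WEST' THEN
        v_label := v_label || 'R80';
    END IF;

    RETURN TO_LBAC_DATA_LABEL('region_policy_xxx', v_label);
END get_customer_label;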

10. Aplicando la política a la tabla


-- Step 10: attach the policy to customers with NO_CONTROL: the region_label_xxx column
-- is added but nothing is enforced yet, so the rows that already exist can be given a
-- label first (steps 11-13) before the controls are switched on in step 12.
BEGIN
    SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
        policy_name   => 'REGION_POLICY_xxx',
        schema_name   => 'OLS_xxx',
        table_name    => 'CUSTOMERS',
        table_options => 'NO_CONTROL'
    );
END;

11. Inicializando la columna Label


-- Step 11: deliberately touches every row (no WHERE): seed the new label column with the
-- lowest level, L1, so no row is left unlabelled when enforcement starts in step 12.
UPDATE customers
   SET region_label_xxx = CHAR_TO_LABEL('REGION_POLICY_XXX', 'L1');
COMMIT;

12. Aplicando nuevamente la política


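-- Step 12: detach the NO_CONTROL policy from step 10 and re-apply it with enforcement:
-- READ_CONTROL filters the rows a session may see, WRITE_CONTROL restricts the rows it
-- may change, CHECK_CONTROL validates the label produced on write. label_function is
-- the step 9 function, evaluated on each INSERT/UPDATE with the new row's values.
-- The original had the table name split as 'CUS TOMERS' (a PDF line break), which would
-- make REMOVE_TABLE_POLICY fail on a table that does not exist; fixed to 'CUSTOMERS'.
BEGIN
    SA_POLICY_ADMIN.REMOVE_TABLE_POLICY('REGION_POLICY_xxx', 'OLS_xxx', 'CUSTOMERS');
    SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
        policy_name    => 'REGION_POLICY_xxx',
        schema_name    => 'OLS_xxx',
        table_name     => 'CUSTOMERS',
        table_options  => 'READ_CONTROL,WRITE_CONTROL,CHECK_CONTROL',
        label_function => 'ols_xxx.get_customer_label(:new.cust_type,:new.region,:new.credit)',
        predicate      => NULL
    );
END;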

13. Volviendo a etiquetar la columna


-- Step 13: a no-op assignment over every row (no WHERE on purpose) so that the label
-- function registered in step 12 fires and recomputes region_label_xxx for the data
-- loaded in step 8, replacing the placeholder L1 labels from step 11.
UPDATE customers
   SET first_name = first_name;
COMMIT;

Conectarse con el usuario SYS y ejecutar: 14. Creando usuarios


-- Step 14 (run as SYS): one account per sales role. 'password' is a placeholder; give
-- each user its own strong password before use. CONNECT is the only system privilege
-- they get; their access to customers comes from the PUBLIC grant of step 8b, narrowed
-- by the labels assigned in step 15. Unquoted names are case-insensitive, so the mixed
-- case of the original is normalised here without changing the accounts created.
CREATE USER sales_manager_xxx IDENTIFIED BY password;
CREATE USER sales_north_xxx   IDENTIFIED BY password;
CREATE USER sales_south_xxx   IDENTIFIED BY password;
CREATE USER sales_east_xxx    IDENTIFIED BY password;
CREATE USER sales_west_xxx    IDENTIFIED BY password;
GRANT CONNECT TO
    sales_manager_xxx,
    sales_north_xxx,
    sales_south_xxx,
    sales_east_xxx,
    sales_west_xxx;

Conectarse con el usuario ols_xxx y ejecutar: 15. Asociando los usuarios creados con la política implantada
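-- Step 15 (run as ols_xxx): maximum read label per user, written as
-- LEVEL:COMPARTMENTS:GROUPS. Only the manager holds compartment M, so only the manager
-- can see PLATINUM rows; each regional user is limited to the groups listed.
-- The original strings contained stray spaces ('R20 ,R40' and 'R40, R60') introduced by
-- PDF line breaks, which can make the label unparsable; they were removed.
-- NOTE(review): sales_north gets R20 and R40, and sales_south all four groups — this
-- looks intentional for the lab exercises, but confirm it against the expected results.
BEGIN
    SA_USER_ADMIN.SET_USER_LABELS('region_policy_xxx', 'sales_manager_xxx', 'L3:M,E:R20,R40,R60,R80');
    SA_USER_ADMIN.SET_USER_LABELS('region_policy_xxx', 'sales_north_xxx',   'L3:E:R20,R40');
    SA_USER_ADMIN.SET_USER_LABELS('region_policy_xxx', 'sales_south_xxx',   'L3:E:R20,R40,R60,R80');
    SA_USER_ADMIN.SET_USER_LABELS('region_policy_xxx', 'sales_east_xxx',    'L3:E:R60');
    SA_USER_ADMIN.SET_USER_LABELS('region_policy_xxx', 'sales_west_xxx',    'L3:E:R80');
END;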

Ejercicio
Crear un nuevo usuario que tenga acceso a lo siguiente: solo el listado de las tarjetas PLATINUM, con crédito mayor de 2000 y que sean de la región Este.
