(COMP 1476)
University of Greenwich
Laboratory Project 1
User altered.
To access my primary account I used the following command to connect to the yoda database.
SQL> connect st846@yoda
Enter password: ***********
Connected.
I tried to connect to my secondary account with the same command, but it reported that the secondary account lacked the CREATE SESSION privilege.
SQL> connect st846B@yoda
ERROR:
ORA-01045: user ST846B lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
This statement grants the CREATE SESSION privilege to my secondary user st846B.
SQL> GRANT CREATE SESSION TO st846B;
Grant succeeded.
After revoking the INSERT privilege, I tried to insert data into my student table from my secondary account, and the insert was rejected.
SQL> ed
Wrote file afiedt.buf
INSERT INTO st846.student (
    student_id, firstname, lastname, street, city,
    postcode, phone, studentmode, feestate)
VALUES (
    9494, 'Dimitrios', 'Frangiskatos', '30 Park Row', 'Greenwich',
    'SE10 9LS', '02083317973', 'Full Time', 'Paid')
/
INSERT INTO st846.student (
*
ERROR at line 1:
ORA-01031: insufficient privileges
Displaying the currentstudents view after adding the studentmode column to it.
SQL> select * from currentstudents;
STUDENT_ID FIRSTNAME    LASTNAME    STREET            CITY       POSTCODE  PHONE        STUDENTMODE
---------- ------------ ----------- ----------------- ---------- --------- ------------ -----------
      9491 Thevapriyan  Shanmugam   33 Laughton Road  Northot    UB5 5LL   07529793001  Full Time
      9492 Tony         Valsamidis  30 Park Row       Greenwich  SE10 9LS  02083317884  Full Time
      9493 Dave         Chadwick    30 Park Row       Greenwich  SE10 9LS  02083318509  Full Time
I tried to update the student details for 'Thevapriyan' from my secondary account, but it did not work, because the UPDATE privilege I granted to the secondary account did not include the studentmode column, so it raised an error.
SQL> ed
Wrote file afiedt.buf
update st846.currentstudents
set city = 'East Acton', studentmode = 'Part Time', street = '30 The Vale ', postcode = 'W3 7SR'
where firstname = 'Thevapriyan'
SQL> /
update st846.currentstudents
*
ERROR at line 1:
ORA-01031: insufficient privileges
I then checked that the granted privileges work correctly from my secondary account, this time leaving studentmode out of the update.
SQL> ed
Wrote file afiedt.buf
update st846.currentstudents
set city = 'East Acton', street = '30 The Vale ', postcode = 'W3 7SR'
where firstname = 'Thevapriyan'
SQL> /
1 row updated.
Here I am checking password reusability: after two more changes, the same password cannot be used again in Oracle, because there is a reuse limit on the password.
SQL> password
Changing password for ST846B
Password changed
SQL> password
Changing password for ST846B
Password changed
SQL> password
Changing password for ST846B
ERROR:
ORA-28007: the password cannot be reused
Password unchanged
The tables I can access:
SQL> select * from tab;
TABLE_NAME            COMMENTS
--------------------  ---------------------------------------------------------------------
USER_RESOURCE_LIMITS  Display resource limit of the user
USER_PASSWORD_LIMITS  Display password limits of the user
USER_CATALOG          Tables, Views, Synonyms and Sequences owned by the user
ALL_CATALOG           All tables, views, synonyms, sequences accessible to the user
USER_CLUSTERS         Descriptions of user's own clusters
ALL_CLUSTERS          Description of clusters accessible to the user
ALL_XML_SCHEMAS       Description of all XML Schemas that user has privilege to reference
GRANTEE  OWNER    TABLE_NAME       GRANTOR  PRIVILEGE  GRA  HIE
-------  -------  ---------------  -------  ---------  ---  ---
ST846A   ST846    STUDENT          ST846    SELECT     NO   NO
ST846    SEC_MGR  LAB_CTX_MGR      SEC_MGR  EXECUTE    NO   NO
ST846A   ST846    CURRENTSTUDENTS  ST846    SELECT     NO   NO
Checking all_tables from my secondary account. The listing is too wide to reproduce here; the first row returned was:
OWNER  TABLE_NAME
-----  ----------
SYS    USER$
Optional work
GRANTEE  TABLE_NAME       GRANTOR  PRIVILEGE  GRA  HIE
-------  ---------------  -------  ---------  ---  ---
ST846A   STUDENT          ST846    SELECT     NO   NO
ST846A   CURRENTSTUDENTS  ST846    SELECT     NO   NO
ST846A   REQUIRENMENT1    ST846    SELECT     NO   NO

OWNER      TABLE_NAME   GRANTOR    PRIVILEGE  GRA  HIE
---------  -----------  ---------  ---------  ---  ---
ST846_SEC  CUSTOMERS    ST846_SEC  SELECT     NO   NO
SEC_MGR    LAB_CTX_MGR  SEC_MGR    EXECUTE    NO   NO

Column-level privilege:
GRANTEE  OWNER  TABLE_NAME       COLUMN_NAME  GRANTOR  PRIVILEGE  GRA
-------  -----  ---------------  -----------  -------  ---------  ---
ST846A   ST846  CURRENTSTUDENTS  LASTNAME     ST846    UPDATE     NO
SQL> describe all_tab_privs;
Name Null? Type
----------------------------------------- -------- ----------------------------
GRANTOR NOT NULL VARCHAR2(30)
GRANTEE NOT NULL VARCHAR2(30)
TABLE_SCHEMA NOT NULL VARCHAR2(30)
TABLE_NAME NOT NULL VARCHAR2(30)
PRIVILEGE NOT NULL VARCHAR2(40)
GRANTABLE VARCHAR2(3)
HIERARCHY VARCHAR2(3)
From my first lab I got a clear introduction to the Oracle database and the security controls available in it. I am now familiar with my main account, security account and secondary account, and able to handle multiple accounts.
I learned how to create a table and insert data into it, and how to use a table to present the required view depending on user privileges.
I got a clear idea of user privileges and system privileges, and the ability to grant and revoke privileges for my secondary account.
I understand the view concept and the purpose of a view, and the relation between a table and a view.
I learned how to use the data dictionary to find information about users and security settings.
I understand that user accounts and schemas enforce the first layer of Oracle's security controls: only authorised users can access the database to perform the required actions. System and object privileges tailor what each user with access to the system may do. Views are special in Oracle for adding a security layer: a view is a logical, dynamic table, so in an application we can grant direct access to the view instead of to the base table, which makes the database more secure.
Self-assessment checklist
User Accounts Configured -
Profile Limits -
Personal evaluation -
Laboratory Project 2
I then entered sample values into the guides table as follows.
Eg 1:
SQL> ed
Wrote file afiedt.buf
insert into guides values (
'johnnyw', 'John', 'Wells', '15 Longholm St', 'London', 'SE3 2PL', 'B', 'British', 2600,
SQL> /
1 row created.
Eg 2:
SQL> commit;
Commit complete.
I entered sample values into the tours table as follows.
Eg 1:
SQL> ed
Wrote file afiedt.buf
insert into tours values (
200610, 'Bolivia', 'Package', '1-Feb-2008', '14 days', 2875, 50, 10, 'South America', 'pab
SQL> /
1 row created.
Eg 2:
Wrote file afiedt.buf
insert into tours values (
200645, 'Peru', 'Trek', '14-Mar-2008', '14 days', 2500, 16, 5, 'South America', 'pablop',
SQL> /
1 row created.
SQL> commit;
Commit complete.
Eg 2:
Wrote file afiedt.buf
insert into bookings values(
100082, 200600, 'fredas', 'Martha', 'Mason', '21 Torquay Rd, London EC3 4KK', 4, 3200, 100
SQL> /
1 row created.
SQL> commit;
Commit complete.
I have checked the tables for the data.
View created.
8 rows selected.
View created.
Displaying the created view
SQL> select * from requirenment2;
8 rows selected.
View created.
8 rows selected.
Created the view for requirement 4.
SQL> ed
Wrote file afiedt.buf
View created.
Grant succeeded.
8 rows selected.
I tried to access the guides table but could not retrieve the data, because I gave access permission to the view only, not to the table. So this is a good security layer in Oracle.
SQL> select * from st846.guides;
select * from st846.guides
*
ERROR at line 1:
ORA-00942: table or view does not exist
Granting select and insert privileges on the requirement2 view to the secondary account from the main account.
Grant succeeded.
Grant succeeded.
I checked the views to confirm that they work properly from my secondary account.
SQL> select * from st846.requirenment2;
8 rows selected.
I tried to insert data into the requirenment2 view but could not, because one column in the base table is NOT NULL.
SQL> ed
Wrote file afiedt.buf
Altering the area column of the guides table from NOT NULL to NULL from the main account.
SQL> ed
Wrote file afiedt.buf
Table altered.
Thereafter I tried to insert a value into the requirenment2 view, and it was inserted successfully.
SQL> ed
Wrote file afiedt.buf
1 row created.
I tried to delete records from the table but could not, because I gave permission for insert only, not the delete privilege.
SQL> delete * from st846.requirenment2 where nationality ='Srilankan';
delete * from st846.requirenment2 where nationality ='Srilankan'
*
ERROR at line 1:
ORA-00903: invalid table name
Granting the update privilege on the salary column only of requirenment3; this is a more secure, column-level permission.
SQL> grant update(salary) on requirenment3 to st846A;
Grant succeeded.
Now I tried to update salary only; this time it works fine and the data is updated through the view.
SQL> update st846.requirenment3 set salary=2700 where salary=2500;
3 rows updated.
Commit complete.
Grant succeeded.
Grant succeeded.
I checked each privilege on the requirenment4 view to confirm that every implemented privilege works properly.
SELECT
Select privileges work correctly because I gave the select privilege on view requirenment4.
SQL> select * from st846.requirenment4;
UPDATE
The update privilege check works correctly because I have not given update privileges on the requirenment4 view.
SQL> update st846.requirenment4 set lname='Jesan' where grade='A';
update st846.requirenment4 set lname='Jesan' where grade='A'
*
ERROR at line 1:
ORA-01031: insufficient privileges
INSERT
The insert privilege check works correctly because I have not given insert privileges on the requirenment4 view.
SQL> insert into st846.requirenment4 values(
  'Nisha', 'Praba', 'Nishanthni', '30 The vale Action', 'East Action', 'W3 7RS', 'B', 'Srilankan', 3000,
  'Sinhala', 'tamil', 'Asia');
insert into st846.requirenment4 values(
*
ERROR at line 1:
ORA-01031: insufficient privileges
DELETE
Delete privileges work correctly because I gave the delete privilege on view requirenment4, so it removed one row from the view where the username is geetha.
1 row deleted.
View created.
View created.
7 rows selected.
Select
SQL> grant select on requirement6 to st846A;
Grant succeeded.
Delete
SQL> grant delete on requirement6 to st846A;
Grant succeeded.
Update
SQL> grant update on requirement6 to st846A;
Grant succeeded.
7 rows selected.
I tried to update through the view built on an aggregate function, but it did not allow me to manipulate the data.
SQL> update st846.requirement6
2 set maxpeople =45
3 where TOURNO=200615;
update st846.requirement6
*
ERROR at line 1:
ORA-01732: data manipulation operation not legal on this view.
Creating the requirement 7 view, which is GUIDEDETAILS.
View created.
View created.
9 rows selected.
I tried to update the salary through view 8 (GUIDEDETAILS) but it threw an exception.
Trigger created.
9 rows updated.
Commit complete.
9 rows selected.
View created.
Displaying the created view for requirement 9, which shows the European guides' details.
SQL> Select * from requirement9 ;
Creating the view for requirement 10 to display the USA guides with a CHECK OPTION constraint.
SQL> create view requirement10 as
  select * from guides where area ='usa'
  with check option constraint requirement9;
View created.
Displaying the created requirement10 view.
SQL> select * from requirement10 ;
no rows selected
View created.
TOURNO
----------
200610
200645
200695
1 row updated.
0 rows updated.
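The view and privilege behaviour exercised in Laboratory Projects 1 and 2 (grant on the view but not the table, a column-level UPDATE grant, and WITH CHECK OPTION) pulled together into one script, as an added example that is not part of the original report. It assumes a simplified guides_demo table, since the lab's CREATE TABLE for guides is not shown, and uses the page's secondary account ST846A; the expected outcomes are given as comments on the statements the secondary account would run. One point worth noticing: Oracle answers ORA-00942 when the caller has no privilege at all on an object (it will not even confirm the object exists) but ORA-01031 when the caller has some privilege on it and lacks the one needed, which is exactly the pair of errors seen in the report.

```sql
-- Added example, not from the original lab report. guides_demo and its
-- columns are assumed; ST846A is the report's secondary account.
-- Run as the schema owner (st846) unless a comment says otherwise.
create table guides_demo (
    username    varchar2(20) primary key,
    fname       varchar2(20),
    lname       varchar2(20),
    nationality varchar2(20),
    salary      number(8,2),
    area        varchar2(20)
);

insert into guides_demo values ('johnnyw', 'John',  'Wells', 'British',  2600, 'Europe');
insert into guides_demo values ('pablop',  'Pablo', 'Perez', 'Chilean',  2500, 'South America');
insert into guides_demo values ('marys',   'Mary',  'Smith', 'American', 2500, 'USA');
commit;

-- 1. Column restriction: the view omits salary, so a grantee of the view
--    never sees it even though the base table holds it.
create or replace view guide_public as
    select username, fname, lname, nationality, area
    from   guides_demo;

grant select on guide_public to st846A;
-- ST846A: select * from st846.guide_public;   -> 3 rows, no salary column
-- ST846A: select * from st846.guides_demo;    -> ORA-00942: table or view does not exist
--         (no privilege on the base table at all, so its existence is not confirmed)

-- 2. Column-level UPDATE: only salary may be changed through this view.
create or replace view guide_pay as
    select username, salary from guides_demo;

grant select, update (salary) on guide_pay to st846A;
-- ST846A: update st846.guide_pay set salary = 2700 where salary = 2500;   -> 2 rows updated
-- ST846A: update st846.guide_pay set username = 'x' where salary = 2700;  -> ORA-01031: insufficient privileges

-- 3. Row restriction WITH CHECK OPTION: rows outside the predicate are invisible
--    AND cannot be created or moved outside it through the view.
create or replace view guides_usa as
    select * from guides_demo where area = 'USA'
    with check option constraint guides_usa_ck;

grant select, insert, update on guides_usa to st846A;
-- ST846A: insert into st846.guides_usa values ('tomj','Tom','Jones','American',2400,'USA');
--         -> 1 row created
-- ST846A: insert into st846.guides_usa values ('annb','Ann','Brown','British',2400,'Europe');
--         -> ORA-01402: view WITH CHECK OPTION where-clause violation
-- ST846A: update st846.guides_usa set area = 'Europe' where username = 'marys';
--         -> ORA-01402 as well: the update would move the row out of the view

-- 4. Verify what was actually granted (works from st846 or st846A).
select grantee, table_name, privilege, grantable
from   all_tab_privs
where  table_schema = 'ST846' and table_name like 'GUIDE%';

select grantee, table_name, column_name, privilege
from   all_col_privs
where  table_schema = 'ST846' and table_name = 'GUIDE_PAY';
```

Without WITH CHECK OPTION the second insert in step 3 would succeed and silently vanish from the view, so a grantee could write rows they are not allowed to read; the check option closes that gap.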
Personal evaluation
I understand table design and how to relate tables in a complicated system.
I implemented different sets of views to customise visibility for end users.
I used aggregate functions to depersonalise a data set according to the user requirements.
I learned how to use row-level and column-level security to tighten users' views, and gained the ability to restrict a view using masking functions.
I understand granting and revoking access privileges on views so that individual users can manipulate the required data elements.
This lab started with table creation, inserting data into the tables and relating them. To join tables I can use different methods, combined with views to customise data visibility according to end-user privileges. I limited columns using aggregate functions; after the column-level restriction I experimented with row-level security on the same data. Row-level and column-level security are very important for data privacy. I used a trigger to provide update capability to users, which is a very useful concept in the Oracle database.
Self-assessment checklist
Base table creation and population-
Personal evaluation
Laboratory Project 3
Fine-grained Access Control: Virtual Private Database
First I created the EMPLOYEES table according to the given scenario.
SQL> create table EMPLOYEES
(
  EmpNo     varchar2(10) primary key,
  fname     varchar2(20),
  lname     varchar2(20),
  username  varchar2(20),
  street    varchar2(25),
  city      varchar2(15),
  postcode  varchar2(15),
  Grade     varchar2(15),
  position  varchar2(20),
  salary    number(8,2),
  bonuspct  number(2,0),
  deptno    number,
  startdate date,
  finished  date,
  status    varchar2(15)
);
Table created.
Then I created the second table, DEPARTMENTS, according to the given scenario.
SQL> create table DEPARTMENTS
(
  deprno    varchar2(10) primary key,
  deptname  varchar2(30),
  location  varchar2(20),
  manager   number,
  notes     varchar2(100)
);
Table created.
Finally I created the PAYMENTS table according to the given scenario.
SQL> create table PAYMENTS
(
  PaymentRef number primary key,
  DeptNo     number,
  EmpNo      number,
  BonusAmt   number(6,2),
  PayDay     date,
  Note       varchar2(100)
);
Table created.
Then I inserted data into the employees table.
SQL> insert into Employees
  (EmpNo, Fname, Lname, Username, Street, City, Postcode, Grade,
   Position, Salary, BonusPct, DeptNo, StartDate, Finished, Status)
values
  (501, 'Thevapriyan', 'Shanmugam', 'st846', '33 Laughton Road', 'Northolt', 'UB5 5LL', 'G',
   'IT Auditer', 6500, 2.2, 30, cast ('01/Jan/2009 ' as date), cast ('01/Aug/2009 ' as date), 'married');
1 row created.
7 rows selected.
Granting the SELECT privilege to my secondary accounts.
SQL> grant select on employees to st846A;
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Part I
Using application context
1) current_user
SYS_CONTEXT('USERENV','CURRENT_USER')
ST846
2) session_user
SYS_CONTEXT('USERENV','SESSION_USER')
ST846
3) ip_address
SYS_CONTEXT('USERENV','IP_ADDRESS')
172.16.18.153
4) host
SYS_CONTEXT('USERENV','HOST')
CMS_DOMAIN\CMSVDI012
5) sessionid
SYS_CONTEXT('USERENV','SESSIONID')
57452
6) authentication_type
SYS_CONTEXT('USERENV','AUTHENTICATION_TYPE')
DATABASE
7) db_name
SYS_CONTEXT('USERENV','DB_NAME')
Yoda
8) client_identifier
SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER')
(no value returned)
9) current_schema
SYS_CONTEXT('USERENV','CURRENT_SCHEMA')
ST846
10) isdba
SYS_CONTEXT('USERENV','ISDBA')
FALSE
11) current_sql
SYS_CONTEXT('USERENV','CURRENT_SQL')
(no value returned)
12) client_info
SYS_CONTEXT('USERENV','CLIENT_INFO')
(no value returned)
Part II
Creating a view in which users only see their own records, using the application context.
SQL> ed
Wrote file afiedt.buf
View created.
Grant succeeded.
Displaying the view (user_own_view) from my secondary account (ST846A).
(Sean's username is ST846, so the salary and bonuspct columns are shown for the current user.)
Granting the view to my secondary accounts.
SQL> grant select on salary_bonus_onlyuser to st846A,st846B,st846C,st846_sec;
Grant succeeded.
(David can only see his own salary and bonuspct columns because his username is ST846A.)
(Tony can only see his own salary and bonuspct columns because his username is ST846C.)
With the USER function you have to supply the username as well to execute for specific data; the application-context way of implementing the view is easier, because it automatically determines the current user and their relevant fields.
I did not give insert and update privileges on the views to my secondary accounts, so it gave me an error when I tried to update or delete records.
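One way to write the view described in Part II, as an added example rather than the lab's own definition (which is not shown on the page). It assumes the EMPLOYEES table created earlier in this lab and that its USERNAME column holds each employee's Oracle account name, as the report's test with 'st846' implies. The salary and bonuspct columns are exposed only on the row whose USERNAME matches the session user; every other row returns NULL in those two columns, which is the behaviour the report observes for ST846A and ST846C.

```sql
-- Added example, not the lab's own view. Assumes st846.EMPLOYEES with a
-- USERNAME column holding the Oracle account name of each employee.
-- Run as st846.
create or replace view salary_bonus_onlyuser as
    select empno, fname, lname, username, deptno, position,
           -- pay columns only on the caller's own row; NULL everywhere else
           case when upper(username) = sys_context('userenv', 'session_user')
                then salary   end as salary,
           case when upper(username) = sys_context('userenv', 'session_user')
                then bonuspct end as bonuspct
    from   employees;

grant select on salary_bonus_onlyuser to st846A, st846B, st846C, st846_sec;

-- Every account runs the same query and gets a different projection:
--   connect st846A@yoda
--   select username, salary, bonuspct from st846.salary_bonus_onlyuser;
--   -> only the row with username 'st846A' has non-NULL salary and bonuspct.

-- Why SESSION_USER rather than CURRENT_USER: CURRENT_USER names the account
-- whose privileges are active, and a view is evaluated with its owner's
-- privileges, so a CURRENT_USER test could match the owner (ST846) for every
-- caller. SESSION_USER is the logged-in account whatever code is running.
-- Compare the two from st846A:
select sys_context('userenv', 'session_user') as who_logged_in,
       sys_context('userenv', 'current_user') as whose_privileges
from   dual;
```

Because the masking is a CASE expression in the view rather than a WHERE clause, the grantee still sees that the other rows exist; if the row itself must be hidden, use a predicate on SESSION_USER instead (or the VPD policy shown in Part III).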
Part III
Function created.
begin
  DBMS_RLS.add_policy(
    object_schema   => 'st846',
    object_name     => 'EMPLOYEES',
    policy_name     => 'remove_dept',
    function_schema => 'st846_sec',
    policy_function => 'limit_dept');
END;
/
Displaying the view from my secondary account after granting permission to the secondary account.
Trying to insert a value into the employee table from my secondary account and checking that it is inserted into the employee table.
SQL> ed
Wrote file afiedt.buf
Function created.
Viewing the employee table from my main account: it now shows only the employees belonging to department number 50, so the policy is working fine.
SQL> ed
Wrote file afiedt.buf
Function created.
Before applying the policy with the function, my employee table (renamed from employees) had the following details.
SQL> select * from employee;
7 rows selected.
Then I applied the policy with the restrict_own_row function in my main account.
SQL> ed
Wrote file afiedt.buf
begin
  dbms_rls.add_policy(
    object_schema   => 'ST846',
    object_name     => 'employee',
    policy_name     => 'limit_own_row',
    function_schema => 'ST846_sec',
    policy_function => 'restrict_own_row'
  );
end;
SQL> /
After everything was finished I checked with my user accounts to test whether the policy works. From the results I found that the policy works fine.
ST846
6 rows selected.
(I cannot see Sean Tomy's details here.)
ST846C
6 rows selected.
(I cannot see Tony Valsamidis's details here.)
Part IV Using user-defined contexts and VPD techniques
Trigger created.
Then I checked that the context value works correctly for the given department.
SQL> select sys_context ('lab_ctx','deptno') from dual;
SYS_CONTEXT('LAB_CTX','DEPTNO')
--------------------------------------------------------------------------------
40
Function created.
Thereafter I applied the security policy to my main schema.
SQL> ed
Wrote file afiedt.buf
begin
  dbms_rls.add_policy(
    object_schema   => 'ST846',
    object_name     => 'employee',
    policy_name     => 'deptonly',
    function_schema => 'ST846_sec',
    policy_function => 'dept_only'
  );
end;
/
Then I checked whether the policy works correctly: the employee table shows me only the staff who belong to department 40, so the policy is working fine.
SQL> select * from employee;
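The complete chain behind Parts III and IV (a trusted context package, a logon trigger that fills the context, the DBMS_RLS policy function, and the policy registration), as an added example that is not the lab's own code: the page shows the ADD_POLICY calls but not the function bodies, the context package or the trigger. Names that appear on the page (lab_ctx, dept_only, deptonly, st846.employee, st846_sec) are reused; emp_ctx_mgr and set_lab_ctx are assumed names (the lab's own package is sec_mgr.lab_ctx_mgr, whose body is not shown). It also assumes st846_sec holds CREATE ANY CONTEXT, ADMINISTER DATABASE TRIGGER, EXECUTE on DBMS_RLS and a direct SELECT grant on st846.employee.

```sql
-- Added example, not the lab's own code. Assumed: package st846_sec.emp_ctx_mgr,
-- trigger st846_sec.set_lab_ctx, privileges listed in the lead-in.
-- Run as st846_sec.

-- 1. A context can only be written by the package named in its definition;
--    a session calling DBMS_SESSION.SET_CONTEXT directly is refused.
create or replace context lab_ctx using st846_sec.emp_ctx_mgr;

create or replace package st846_sec.emp_ctx_mgr as
    procedure set_deptno;
end;
/
create or replace package body st846_sec.emp_ctx_mgr as
    procedure set_deptno is
        v_dept st846.employee.deptno%type;
    begin
        -- the caller's department comes from the employee table itself
        select deptno into v_dept
        from   st846.employee
        where  upper(username) = sys_context('userenv', 'session_user');
        dbms_session.set_context('lab_ctx', 'deptno', to_char(v_dept));
    exception
        when no_data_found or too_many_rows then
            null;   -- unknown user: attribute stays NULL, policy below hides every row
    end;
end;
/

-- 2. Populate the context at logon so no application can forget to do it.
--    A logon trigger that raises would block every non-DBA logon, hence the
--    exception handler above.
create or replace trigger st846_sec.set_lab_ctx
    after logon on database
begin
    st846_sec.emp_ctx_mgr.set_deptno;
end;
/

-- 3. Policy function: DBMS_RLS requires exactly this signature and appends the
--    returned text to the WHERE clause of every statement the policy covers.
create or replace function st846_sec.dept_only (
    schema_var in varchar2, table_var in varchar2) return varchar2
is
begin
    -- a NULL context gives "deptno = NULL", which matches nothing: fails closed
    return 'deptno = sys_context(''lab_ctx'', ''deptno'')';
end;
/

-- 4. Attach the policy. update_check => TRUE also rejects INSERT/UPDATE rows
--    the caller could not read back, closing the write-only gap.
begin
    dbms_rls.add_policy(
        object_schema   => 'ST846',
        object_name     => 'EMPLOYEE',
        policy_name     => 'deptonly',
        function_schema => 'ST846_SEC',
        policy_function => 'dept_only',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE);
end;
/

-- 5. Checks, from a fresh session of any account (the trigger runs at logon).
--    The table owner ST846 is NOT exempt: only SYS or a user holding EXEMPT
--    ACCESS POLICY bypasses VPD, which is why the main account above also saw
--    a single department.
select sys_context('lab_ctx', 'deptno') as my_dept from dual;
select username, deptno from st846.employee;      -- one department's rows only

select object_owner, object_name, policy_name, pf_owner, function, enable
from   all_policies
where  object_name = 'EMPLOYEE';
```

After changing the policy function or the context package, reconnect before re-testing: the predicate is built when a statement is parsed, and an already-open session may keep using the old one.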
Then I created the customers table in my security account (st846_sec) according to the given details.
SQL> ed
Wrote file afiedt.buf
Table created.
1 row created.
SQL> INSERT INTO customers (id, cust_type, first_name, last_name, region, credit)
2 VALUES ( 2, 'SILVER', 'Vic', 'Reeves', 'REGION 2', 2000.00);
1 row created.
begin
  sa_components.create_level(
    policy_name => 'st846_lp',
    long_name   => 'Level 1',
    short_name  => 'L1',
    level_num   => 1320);
end;
/
begin
  sa_components.create_level(
    policy_name => 'st846_lp',
    long_name   => 'Level 2',
    short_name  => 'L2',
    level_num   => 1330);
end;
/
begin
  sa_components.create_level(
    policy_name => 'st846_lp',
    long_name   => 'Level 3',
    short_name  => 'L3',
    level_num   => 1340);
end;
/
begin
  sa_label_admin.create_label(
    policy_name => 'st846_lp',
    label_tag   => 1320,
    label_value => 'L1');
end;
/
begin
  sa_label_admin.create_label(
    policy_name => 'st846_lp',
    label_tag   => 1330,
    label_value => 'L2');
end;
/
begin
  sa_label_admin.create_label(
    policy_name => 'st846_lp',
    label_tag   => 1340,
    label_value => 'L3');
end;
/
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'st846_lp',
    schema_name   => 'st846_sec',
    table_name    => 'CUSTOMERS',
    table_options => 'NO_CONTROL');
END;
/
After this process I updated the customers table according to the user levels.
update customers
set st846_lbl = char_to_label('st846_lp', 'L1')
where cust_type = 'SILVER';
5 rows updated.
update customers
set st846_lbl = char_to_label('st846_lp', 'L2')
where cust_type = 'GOLD';
5 rows updated.
update customers
set st846_lbl = char_to_label('st846_lp', 'L3')
where cust_type = 'PLATINUM';
5 rows updated.
Then I removed the table policy from the customers table.
begin
  SA_POLICY_ADMIN.REMOVE_TABLE_POLICY('st846_lp', 'st846_sec', 'CUSTOMERS');
end;
/
begin
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'st846_lp',
    schema_name   => 'st846_sec',
    table_name    => 'customers',
    table_options => 'READ_CONTROL');
end;
/
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('ST846_lp', 'ST846',  'L3');
  SA_USER_ADMIN.SET_USER_LABELS('ST846_lp', 'ST846A', 'L2');
  SA_USER_ADMIN.SET_USER_LABELS('ST846_lp', 'ST846B', 'L1');
END;
/
Grant succeeded.
Then I logged on to the different user accounts and selected from the customers table; no records were shown.
SQL> connect st846@yoda
Connected.
SQL> select * from st846_sec.customers;
no rows selected
no rows selected
no rows selected
no rows selected
Only when I remove the policy from the table does it show all the customer details for all the accounts, because the NO_CONTROL statement restricts the select privileges.
Part 3 Compartments
First I created the compartments for the regions.
begin
  SA_COMPONENTS.CREATE_COMPARTMENT(
    policy_name => 'st846_lp',
    comp_num    => 1302,
    short_name  => 'R1',
    long_name   => 'Region 1');
end;
/
begin
  SA_COMPONENTS.CREATE_COMPARTMENT(
    policy_name => 'st846_lp',
    comp_num    => 1303,
    short_name  => 'R2',
    long_name   => 'Region 2');
end;
/
Then I created new labels for these levels with compartment details.
begin
  sa_label_admin.create_label(
    policy_name => 'st846_lp',
    label_tag   => 1315,
    label_value => 'L3:R1,R2');
end;
/
begin
  sa_label_admin.create_label(
    policy_name => 'st846_lp',
    label_tag   => 1314,
    label_value => 'L2:R1');
end;
/
begin
  sa_label_admin.create_label(
    policy_name => 'st846_lp',
    label_tag   => 1313,
    label_value => 'L2:R2');
end;
/
begin
  sa_label_admin.create_label(
    policy_name => 'st846_lp',
    label_tag   => 1312,
    label_value => 'L1:R1');
end;
/
begin
  sa_label_admin.create_label(
    policy_name => 'st846_lp',
    label_tag   => 1311,
    label_value => 'L1:R2');
end;
/
Then I updated the row labels again with compartment details.
update customers
set st846_lbl = char_to_label('st846_lp', 'L1:R1')
where cust_type = 'SILVER' and region = 'REGION 1';
3 rows updated.
update customers
set st846_lbl = char_to_label('st846_lp', 'L1:R2')
where cust_type = 'SILVER' and region = 'REGION 2';
2 rows updated.
update customers
set st846_lbl = char_to_label('st846_lp', 'L1:R1')
where cust_type = 'GOLD' and region = 'REGION 1';
2 rows updated.
update customers
set st846_lbl = char_to_label('st846_lp', 'L1:R2')
where cust_type = 'GOLD' and region = 'REGION 2';
3 rows updated.
update customers
set st846_lbl = char_to_label('st846_lp', 'L1:R1,R2')
where cust_type = 'PLATINUM';
5 rows updated.
SQL> commit;
Commit complete.
begin
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'ST846_LP',
    schema_name   => 'ST846_SEC',
    table_name    => 'customers',
    table_options => 'READ_CONTROL');
end;
/
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('st846_lp', 'ST846',  'L3:R1,R2');
  SA_USER_ADMIN.SET_USER_LABELS('st846_lp', 'ST846A', 'L2:R1');
  SA_USER_ADMIN.SET_USER_LABELS('st846_lp', 'ST846B', 'L2:R2');
  SA_USER_ADMIN.SET_USER_LABELS('st846_lp', 'ST846C', 'L1:R1');
  SA_USER_ADMIN.SET_USER_LABELS('st846_lp', 'DS68',   'L1:R2');
END;
/
Then I checked the customers table from my different accounts.
ST846
ST846A
ST846B
ST846C
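A check script for the compartment labels, as an added example; it is not the report's own output, which is missing for Part 3. It uses only what the page defines (policy st846_lp, label column st846_lbl on st846_sec.customers, the user labels set just above) and assumes each account has SELECT on st846_sec.customers. The row counts in the comments are what READ_CONTROL's dominance rule predicts from the UPDATE counts recorded above, not observed results: a session label dominates a row label when its level is at least the row level and its compartment set contains every compartment of the row, so L2:R1 dominates L1:R1 but not L1:R1,R2, whatever its level.

```sql
-- Added example, not the lab's own output. Uses the page's policy st846_lp,
-- label column st846_lbl and the user labels assigned in Part 3.

-- 1. The label this session carries. With no default label passed to
--    SA_USER_ADMIN.SET_USER_LABELS it is the user's maximum read label, and
--    it is fixed at logon: reconnect after changing user labels.
select sa_session.label('st846_lp') as session_label from dual;

-- 2. How the rows are labelled. The column holds a numeric tag;
--    LABEL_TO_CHAR turns it back into LEVEL:COMPARTMENTS form. Run as ST846
--    (L3:R1,R2), which dominates every row label, to see the full picture.
select label_to_char(st846_lbl) as row_label, cust_type, region, count(*) as n
from   st846_sec.customers
group  by label_to_char(st846_lbl), cust_type, region
order  by 1, 2, 3;
-- expected from the updates above:
--   L1:R1     GOLD      REGION 1  2
--   L1:R1     SILVER    REGION 1  3
--   L1:R1,R2  PLATINUM  (both)    5
--   L1:R2     GOLD      REGION 2  3
--   L1:R2     SILVER    REGION 2  2

-- 3. Under READ_CONTROL each account sees only rows its session label dominates:
--   ST846  L3:R1,R2  dominates L1:R1, L1:R2, L1:R1,R2  -> 15 rows
--   ST846A L2:R1     dominates L1:R1 only              ->  5 rows (3 SILVER + 2 GOLD)
--   ST846B L2:R2     dominates L1:R2 only              ->  5 rows (2 SILVER + 3 GOLD)
--   ST846C L1:R1     dominates L1:R1 only              ->  5 rows
--   The PLATINUM rows need BOTH compartments, so no single-compartment label
--   reaches them, not even at level L3.
select count(*) as rows_i_can_read from st846_sec.customers;

-- 4. The same dominance test, written explicitly, to see why a row is or is
--    not visible: compare the session label with each distinct row label.
select distinct label_to_char(st846_lbl) as row_label,
       sa_session.label('st846_lp')      as my_label
from   st846_sec.customers;
```

A row the session label does not dominate is indistinguishable from a row that does not exist: an UPDATE or DELETE aimed at it reports "0 rows" rather than an error, so negative tests of label security are done by counting rows, not by waiting for an ORA- message.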
Self-assessment checklist
Part 1
Implementation labels with levels
Part 2
Testing
Part 3
Compartments
Personal evaluation
I understand the compartment facility available for data classification in Oracle.
From this lab session I learned about the Oracle Label Security facility and how we can use it for data classification. Understanding the hierarchical structure of information assets and assigning them to the appropriate user levels is one of the DBA's roles, and I have clearly gained knowledge of these steps in a typical organisation. Label security is one of the advanced security features of the Oracle system.
Part 2 Information Control Topics
1. Data classification & Processing Issues
1. Advantages of addressing security during System Development process
A computer security plan can be developed for a system at any point in its life cycle, but the recommended approach is to address security at the beginning of the software development life cycle (SDLC). Like every other aspect of system development, security is best managed when it is planned throughout the SDLC. Adding security features late in the SDLC is commonly estimated to cost more than ten times as much as addressing them at the initial stages. The main reason for building security into the system during development is that it is far more difficult to retrofit later: adding security controls after a breach is more expensive and less effective than security integrated from the start. Considering security early helps to develop a security plan for the development process, and that plan is a form of documentation that ensures security is considered not only in design but throughout development. Involving security early in the SDLC results in happier business customers and no cost overruns due to late security design, and produces system security that is thoughtful, reasonable and appropriate.
Software requirements may change rapidly during development, and the security requirements change with them. The security concerns identified at the initial stage of a system may have changed by the implementation phase, so security work is likely to continue after the system has been built. Identifying security requirements at the initial step of the development process is hard because the requirements are vague; only in the final stages can the security requirements be matched against the customer's expectations. Another issue is that addressing security early sometimes means revisiting the same security issues repeatedly, which consumes both time and cost.
1)
Step 1: Read 0 5 6 3 4 8 7 0 1 1
2)
The ISBN number is 0-471-38490-8 (the book 'E-commerce and the Future of Business' by David Chadwick).
Step 1: Read 0 4 7 1 3 8 4 9 0 8
The remainder is not zero (10 remains after dividing the weighted sum by eleven), therefore the salesperson has entered the number incorrectly.
3)
Step 1: Read 0 4 7 1 3 8 4 9 0 _
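The mod-11 check behind the three items above, worked through as an added example (not part of the original answers). It assumes the standard ISBN-10 rule: with digits $d_1,\dots,d_{10}$ weighted 10 down to 1, the weighted sum must be divisible by 11. Because the weights are distinct and non-zero modulo 11, this check detects every single-digit error and every transposition of two adjacent digits, which is why the data-entry slip in item 2 is caught.

$$
\sum_{i=1}^{10} (11-i)\,d_i \equiv 0 \pmod{11}
$$

Item 1, digits 0 5 6 3 4 8 7 0 1 1:

$$
0\cdot10 + 5\cdot9 + 6\cdot8 + 3\cdot7 + 4\cdot6 + 8\cdot5 + 7\cdot4 + 0\cdot3 + 1\cdot2 + 1\cdot1 = 209 = 11\cdot19
$$

The remainder is 0, so the number is consistent.

Item 2, digits 0 4 7 1 3 8 4 9 0 8:

$$
0\cdot10 + 4\cdot9 + 7\cdot8 + 1\cdot7 + 3\cdot6 + 8\cdot5 + 4\cdot4 + 9\cdot3 + 0\cdot2 + 8\cdot1 = 208 = 11\cdot18 + 10
$$

The remainder is 10, the failure reported in item 2.

Item 3, digits 0 4 7 1 3 8 4 9 0 _: the first nine digits contribute $208 - 8 = 200 = 11\cdot18 + 2$, so the check digit must satisfy $2 + d_{10} \equiv 0 \pmod{11}$, giving $d_{10} = 9$ (a required value of 10 would be written as X). Check: $200 + 9 = 209 = 11\cdot19$.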
Safe Harbour is intended for organisations in the US and EU and provides protection against accidental disclosure or loss of customer data. US companies can opt into the programme as long as they adhere to the principles outlined in the Directive.
The Safe Harbour principles are:
1. Notice – Individuals must be informed that their data is being collected and how it will be used.
2. Choice – Individuals must be able to opt out of the collection and of onward transfer of the data to third parties.
3. Onward Transfer – Transfer of data to third parties may only occur to other organisations that follow adequate data protection principles.
4. Security – Reasonable efforts must be made to prevent loss of collected information.
5. Data Integrity – Data must be relevant and reliable for the purpose for which it was collected.
6. Access – Individuals must be able to access information held about them and correct or delete it if it is inaccurate.
7. Enforcement – There must be effective means of enforcing these rules.
A company that wants to qualify for Safe Harbour needs to evaluate itself against the Safe Harbour requirements and can then join the agreement. Before joining Safe Harbour, the company has to take the following steps:
1. Read the Safe Harbour overview and the benefits of joining.
2. Read the Safe Harbour documents.
3. Review the Safe Harbour workbook.
4. Review self-certification of compliance with Safe Harbour.
After deciding to join Safe Harbour, the company should:
1. Bring its policies and practices into compliance with the Safe Harbour requirements.
2. Verify that it has done so.
3. To secure the benefits, review the information required for certification.
After the company's information has been reviewed for completeness, the company can acquire certification from the US Department of Commerce. This certification has to be reconfirmed annually with the US Department of Commerce.
4. Data Availability
01) If the individual pixel colour is stored in 2 bytes, how many shades of colour can be recorded for any pixel?
1+2+8+16+32+64+126+256+512+1024+2048+
02) If each character is stored in one byte, how many bits long is the message
ThisphotoisthecopyrightofphotographerDavidChadwick?
The message is 50 characters long and 1 byte = 8 bits, so the total number of bits in the message is 50 x 8 = 400 bits.
03) If twenty identical messages as in 02) are to be stored as watermarks evenly distributed throughout the picture, what is the sampling factor?
Each message contains 400 bits, so twenty messages contain 20 x 400 = 8,000 bits.
Sampling factor = 8,000 / 4,000,000 = 0.002.
04)
Gutty Images can sue the unlicensed holders of the image under the UK Copyright, Designs and Patents Act. The law restricts making a copy of the image and issuing it to the public. If Gutty Images can prove the similarity of the watermark (steganography algorithm) in the image, they can possibly win the case. So this is a successful way to prevent pirated copies of images. It is extremely difficult for the pirate to identify the watermark in a picture because the human eye can barely detect the difference.
Conclusion
From the Information Security & Control subject I have learned the importance of protecting data assets. The theory part of this subject explains the information security concepts of CIA (confidentiality, integrity, availability) clearly, as well as information hiding methods and UK law enforcement for data protection. The Oracle practicals were excellent; I learned about the Oracle facilities for protecting information assets, and about Oracle security concepts such as user privileges, fine-grained access control, virtual private database and label security. The forum is very useful for this subject, and I would like to thank Sean for his help during the practical sessions.