Information, Security & Control: (COMP 1476)

Information, Security & Control
(COMP 1476)
University of Greenwich
By: - Shanmugam Thevapriyan

CONTENT
Part 1 Oracle/Database Topics
Database security Controls……………………………………….
Find-grained access controls using views…………………………
Virtual private Databases………………………………………….
Oracle Label Security………………………………………………
Part 2 Information Control Topics
Data classification and Processing Issues………………………….
Data Integrity Issues………………………………………………..
Data Confidentiality/Privacy Issues…………………………………..
Data Availability Issues……………………………………………….
Conclusion…………………………………………………………
Reference…………………………………………………………….
Laboratory Project 1
Security Controls, Users Password Control & Privileges
I have used the following query to change my account password.

ALTER USER st846 IDENTIFIED BY thevapriyan;
User altered.
In order to access my primary account I have used the following query for
connecting the yoda database.
SQL> connect st846@yoda
Enter password: ***********
Connected.
I have tried to connect my secondary account through the same query but it
requested the session privilege for my secondary account.
SQL> connect st846B@yoda
ERROR:
ORA-01045: user ST846B lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
This query will grant permission to create session privilege for my Secondary user
st846B.
SQL> GRANT CREATE SESSION TO st846B;
Grant succeeded.
Now I can able to access my secondary users as well.

SQL> connect st846C@yoda
Connected.
I have assigned profile name for my secondary account through the following
commands.
SQL> ALTER USER st846A PROFILE isc_limit1;
User altered.
SQL> ALTER USER st846B PROFILE isc_limit2;

User altered.
SQL> ALTER USER st846C PROFILE isc_limit3;

User altered.
Display the profile from the DBA_profile point of view.

SQL> select * from dba_profiles;
PROFILE RESOURCE_NAME RESOURCE
------------------------------ -------------------------------- --------
LIMIT
----------------------------------------
ISC_LIMIT3 COMPOSITE_LIMIT KERNEL
DEFAULT
DEFAULT
DEFAULT
PROFILE RESOURCE_NAME RESOURCE
------------------------------ -------------------------------- --------
LIMIT
----------------------------------------
STAFF_PROFILE COMPOSITE_LIMIT KERNEL
DEFAULT
STUD_PROFILE COMPOSITE_LIMIT KERNEL
DEFAULT
DEFAULT COMPOSITE_LIMIT KERNEL
UNLIMITED
The following query will create a table in main account schema with define data
types.
SQL> ed
Wrote file afiedt.buf
1 CREATE TABLE student(
2 student_id number(4),
3 firstname varchar2(15),
4 lastname varchar2(20),
5 street varchar2(25),
6 city varchar2(15),
7 postcode varchar2(9),
8 phone varchar2(15),
9 studentmode varchar2(10),
10 feestate varchar2(15)
11* )
12 /
Table created.
Then after I have insert my data’s into created student table from my main
account.
SQL> ed
1 Insert INTO student
2 (
3 student_id,
4 firstname,
5 lastname,
6 street,
7 city,
8 postcode,
9 phone,
10 studentmode,
11 feestate)
12 VALUES
13 (
14 9491,
15 'Thevapriyan',
16 'Shanmugam',
17 '33 Laughton Road',
18 'Northot',
19 'UB5 5LL',
20 '07529793001',
21 'Full Time',
22 'Paid'
23* )
SQL> /
1 row created.
Commit the changes to the student table.
SQL> commit;
Commit complete.
Then after I have inserted another data into student table.

SQL> ed
1 Insert INTO student
2 (
3 student_id,
4 firstname,
5 lastname,
6 street,
7 city,
8 postcode,
9 phone,
10 studentmode,
11 feestate)
12 VALUES
13 (
14 9492,
15 'Tony',
16 'Valsamidis',
17 '30 Park Row',
18 'Greenwich',
19 'SE10 9LS',
20 '02083317884',
21 'Full Time',
22 'Paid'
23* )
24 /
1 row created.
Granting the insert privileges to my secondary account (st846A) from my main

account.
SQL> ed
1* grant insert on student to st846A
2 /
Grant succeeded.
Now I am inserting new data to my main schema (student table) from my secondary
account.
SQL> ed
1 Insert INTO st846.student (
2 student_id,
3 firstname,
4 lastname,
5 street,
6 city,
7 postcode,
8 phone,
9 studentmode,
10 feestate)
11 VALUES
12 (
13 9493,
14 'Dave',
15 'Chadwick',
16 '30 Park Row',
17 'Greenwich',
18 'SE10 9LS',
19 '02083318509',
20 'Full Time',
21 'Paid'
22* )
SQL> /
1 row created.
Commit the changes to student table.

SQL> commit;
Commit complete.
Display the student’s table data from secondary account

SQL> select * from st846.student;
STUDENT_ID FIRSTNAME LASTNAME STREET
---------- --------------- -------------------- --------------------
CITY POSTCODE PHONE STUDENTMOD FEESTATE
--------------- --------- --------------- ---------- ---------------
9491 Thevapriyan Shanmugam 33 Laughton Road
Northot UB5 5LL 07529793001 Full Time Paid
9492 Tony Valsamidis 30 Park Row
Greenwich SE10 9LS 02083317884 Full Time Paid
9493 Dave Chadwick 30 Park Row
Use the Revoke method to remove the insert privileges to my secondary account.
SQL> Revoke insert on student from st846A;
Revoke succeeded.
After removing the insert privileges by using revoke function I have tried to insert
data in to my student table from my secondary account it didn’t inserted.
SQL> ed
1 Insert INTO st846.student (
2 student_id,
3 firstname,
4 lastname,
5 street,
6 city,
7 postcode,
8 phone,
9 studentmode,
10 feestate)
11 VALUES
12 (
13 9494,
14 'Dimitrios',
15 'Frangiskatos',
16 '30 Park Row',
17 'Greenwich',
18 'SE10 9LS',
19 '02083317973',
20 'Full Time',
21 'Paid'
22* )
23 /
Insert INTO st846.student (
*
ERROR at line 1:
ORA-01031: insufficient privileges
Then after I have added student mode to currentstudents view.

SQL> create or replace view currentstudents as
2 SELECT student_id,firstname,lastname,street,city,postcode,phone,studentmode
3 from student ;
View created.
Commit the changes I have made.
SQL> commit;
Commit complete.
Displaying the currentstudents view after I have added the studentmode to the view.
SQL> select * from currentstudents;
---------- --------------- -------------------- -------------------------
CITY POSTCODE PHONE STUDENTMOD
--------------- --------- --------------- ----------
9491 Thevapriyan Shanmugam 33 Laughton Road
Northot UB5 5LL 07529793001 Full Time
Greenwich SE10 9LS 02083317884 Full Time
Grant the update privileges to some column in currentstudent view to my secondary

account.
SQL> Grant update (firstname,lastname,street,city,postcode,phone) on currentstudents to
st846A ;
Grant succeeded.
I have try to update the student details for ‘Thevapriyan’ from my secondary
account but it didn’t work, because in my update privilege to secondary account I
have not given student mode column. So it throws an exception.
1 update st846.currentstudents
2 set city='East Acton', studentmode='Part Time',street= '30 The Vale ', postcode =
'W3 7SR'
3* where firstname='Thevapriyan'
SQL> /
update st846.currentstudents
*
ERROR at line 1:
Then after I have tried to check the given privileges are work properly from my
secondary account but this time I have eliminated the student mode for updating.
SQL> ed
1 update st846.currentstudents
2 set city='East Acton',street= '30 The Vale ', postcode = 'W3 7SR'
3* where firstname='Thevapriyan'
SQL> /
1 row updated.
Then after I commit the changes.

SQL> commit;
Commit complete.
Display the updated currentstudent view from my secondary account.

SQL> select * from st846.currentstudents;
---------- --------------- -------------------- ----------------
CITY POSTCODE PHONE STUDENTMOD
--------------- --------- --------------- ----------
9491 Thevapriyan Shanmugam 30 The Vale
East Acton W3 7SR 07529793001 Part Time
Display the main schema from my secondary account.

SQL> select * from st846.student;
---------- --------------- -------------------- --------------
CITY POSTCODE PHONE STUDENTMOD FEESTATE
--------------- --------- --------------- ---------- ---------
9491 Thevapriyan Shanmugam 30 The Vale
East Acton W3 7SR 07529793001 Part Time Paid
Connecting to my security account st846_sec.
SQL> connect st846_sec@yoda
Connected.
Checking the object privileges from my security account.

SQL> @t:\oracle\obj_privs
Checking object privileges:
The following lists the privileges a user has on an owner's objects
> Enter user's name :st846A
> Enter object owner's name :st846
PRIVILEGE Object Name Privilege Granted To
-------------------- -------------------- ------------------------------
SELECT CURRENTSTUDENTS ST846A
SELECT STUDENT ST846A
Here I am checking the password reusability after the two more time you can not
use the same password in oracle. There is a limit for the password.
password
Changing password for ST846B
Password changed
SQL> password
Password changed
SQL> password
ERROR:
ORA-28007: the password cannot be reused
Password unchanged
The taps I can access
select * from tab;
TNAME TABTYPE CLUSTERID

------------------------------ ------- ----------
STUDENT TABLE
CURRENTSTUDENTS VIEW
Dictionary view from main account.

SQL> SELECT * FROM dictionary;
TABLE_NAME
------------------------------
COMMENTS
--------------------------------------------------------------------------------
USER_RESOURCE_LIMITS
Display resource limit of the user
USER_PASSWORD_LIMITS
Display password limits of the user
USER_CATALOG
Tables, Views, Synonyms and Sequences owned by the user
TABLE_NAME
------------------------------
COMMENTS
--------------------------------------------------------------------------------
ALL_CATALOG
All tables, views, synonyms, sequences accessible to the user
USER_CLUSTERS
Descriptions of user's own clusters
ALL_CLUSTERS
Description of clusters accessible to the user
The use the dictionary view for my account.

SQL> describe dictionary ;
Name Null? Type
----------------------------------------- -------- ----------------------------
TABLE_NAME VARCHAR2(30)
COMMENTS VARCHAR2(4000)
Check the dictionary entries
SQL> select * from dictionary where rownum<2;
TABLE_NAME
------------------------------
COMMENTS
--------------------------------------------------------------------------------
ALL_XML_SCHEMAS
Description of all XML Schemas that user has privilege to reference
Find out the account created.

SQL> select * from user_users;
USERNAME USER_ID ACCOUNT_STATUS

------------------------------ ---------- --------------------------------
LOCK_DATE EXPIRY_DA DEFAULT_TABLESPACE
--------- --------- ------------------------------
TEMPORARY_TABLESPACE CREATED
INITIAL_RSRC_CONSUMER_GROUP
------------------------------ --------- ------------------------------
EXTERNAL_NAME
--------------------------------------------------------------------------------
ST846 667 OPEN
COMP3_1
TEMP 14-OCT-09 DEFAULT_CONSUMER_GROUP
Check the existence of user’s privileges.

SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_

------------------------------ ------------------------------ --- --- ---
ST846 STUDENT NO YES NO
Connecting to security account.

SQL> connect st846_sec@yoda
Connected.
Check the Security account user’s privileges.


------------------------------ ------------------------------ --- --- ---
ST846_SEC LBAC_DBA NO YES NO
ST846_SEC ST846_LP_DBA NO YES NO
ST846_SEC STUDENT NO YES NO
Check the security account date created.
SQL> select * from user_users;
USERNAME USER_ID ACCOUNT_STATUS

------------------------------ ---------- --------------------------------
LOCK_DATE EXPIRY_DA DEFAULT_TABLESPACE
--------- --------- ------------------------------
TEMPORARY_TABLESPACE CREATED
INITIAL_RSRC_CONSUMER_GROUP
------------------------------ --------- ------------------------------
EXTERNAL_NAME
--------------------------------------------------------------------------------
ST846_SEC 671 OPEN
COMP3_1
TEMP 14-OCT-09 DEFAULT_CONSUMER_GROUP
Connecting to main account.
Connected.
Check the user_tab_privs.

SQL> select * from user_tab_privs;
GRANTEE OWNER
------------------------------ ------------------------------
TABLE_NAME GRANTOR
------------------------------ ------------------------------
PRIVILEGE GRA HIE
---------------------------------------- --- ---
ST846A ST846
STUDENT ST846
SELECT NO NO
ST846 SEC_MGR
LAB_CTX_MGR SEC_MGR
EXECUTE NO NO
GRANTEE OWNER
------------------------------ ------------------------------
TABLE_NAME GRANTOR
------------------------------ ------------------------------
PRIVILEGE GRA HIE
---------------------------------------- --- ---
ST846A ST846
CURRENTSTUDENTS ST846
SELECT NO NO
Check all from all_tables for my secondary account .
SQL> select * from all_tables;
OWNER TABLE_NAME
------------------------------ ------------------------------
TABLESPACE_NAME CLUSTER_NAME
------------------------------ ------------------------------
IOT_NAME STATUS PCT_FREE PCT_USED INI_TRANS
------------------------------ -------- ---------- ---------- ----------
MAX_TRANS INITIAL_EXTENT NEXT_EXTENT MIN_EXTENTS
MAX_EXTENTS PCT_INCREASE
---------- -------------- ----------- ----------- ----------- ------------
FREELISTS FREELIST_GROUPS LOG B NUM_ROWS BLOCKS
EMPTY_BLOCKS AVG_SPACE
---------- --------------- --- - ---------- ---------- ------------ ----------
CHAIN_CNT AVG_ROW_LEN AVG_SPACE_FREELIST_BLOCKS
NUM_FREELIST_BLOCKS DEGREE
---------- ----------- ------------------------- ------------------- ----------
INSTANCES CACHE TABLE_LO SAMPLE_SIZE LAST_ANAL PAR IOT_TYPE
T S NES BUFFER_
---------- ----- -------- ----------- --------- --- ------------ - - --- -------
ROW_MOVE GLO USE DURATION SKIP_COR MON CLUSTER_OWNER
-------- --- --- --------------- -------- --- ------------------------------
DEPENDEN COMPRESS DRO
-------- -------- ---
SYS USER$ ----------------------------
Optional work
select * from user_tab_privs_made;
GRANTEE TABLE_NAME
------------------------------ ------------------------------
GRANTOR PRIVILEGE GRA HIE
------------------------------ ---------------------------------------- --- ---
ST846A STUDENT
ST846 SELECT NO NO
ST846A CURRENTSTUDENTS
ST846 SELECT NO NO
ST846A REQUIRENMENT1
ST846 SELECT NO NO
SQL> select * from user_tab_privs_recd;
OWNER TABLE_NAME
------------------------------ ------------------------------
GRANTOR PRIVILEGE GRA HIE
------------------------------ ---------------------------------------- --- ---
ST846_SEC CUSTOMERS
ST846_SEC SELECT NO NO
SEC_MGR LAB_CTX_MGR
SEC_MGR EXECUTE NO NO
SQL> select * from user_col_privs;

GRANTEE OWNER
------------------------------ ------------------------------
TABLE_NAME COLUMN_NAME
------------------------------ ------------------------------
GRANTOR PRIVILEGE GRA
------------------------------ ---------------------------------------- ---
ST846A ST846
CURRENTSTUDENTS FIRSTNAME
ST846 UPDATE NO
ST846A ST846
CURRENTSTUDENTS LASTNAME
ST846 UPDATE NO
SQL> describe all_tab_privs;
Name Null? Type
----------------------------------------- -------- ----------------------------
GRANTOR NOT NULL VARCHAR2(30)
GRANTEE NOT NULL VARCHAR2(30)
TABLE_SCHEMA NOT NULL VARCHAR2(30)
TABLE_NAME NOT NULL VARCHAR2(30)
PRIVILEGE NOT NULL VARCHAR2(40)
GRANTABLE VARCHAR2(3)
HIERARCHY VARCHAR2(3)
SQL> desc user_tab_privs;

Name Null? Type
----------------------------------------- -------- ----------------------------
GRANTEE NOT NULL VARCHAR2(30)
OWNER NOT NULL VARCHAR2(30)
TABLE_NAME NOT NULL VARCHAR2(30)
GRANTOR NOT NULL VARCHAR2(30)
PRIVILEGE NOT NULL VARCHAR2(40)
GRANTABLE VARCHAR2(3)
HIERARCHY VARCHAR2(3)
Personal Evaluation
From my first lab I got clear introduction about oracle database and security
controls available in the oracle database. I am familiar with my main account and
security account and secondary account and got the ability to handle the multiple
accounts.
Learn about user profile and understand the profile limits.
Learn about how to create table and inserting data into the table. Usage of table to
display the required view dependant on user privileges.
Got the clear idea about the user privileges and system privilege and I got the
ability to grant and revoke the privilege to my secondary account.
Understand the view concept and the purpose of the view. Learn about the
relation between table and view..
Learn how to use data dictionary to find information about users and security
information.
I understand user accounts and the schema enforce the first layer of the oracle security
controls .Only authorised users can accesses to perform the required action on the
database .System and object privileges is used to provide personalized action to each
user has access to the system. View is special in oracle database to increase the security
layer of the database. The views are logical table and dynamic therefore it is useful in the
application because we can grant direct access to view instead of our main table, so
which will make database more secure.
Self-assessment checklist
User Accounts Configured -
Password Control Tests -
Password Limits (specify) -
Profile Limits -
Table Access Privilege Experiments -
View Access Privilege Experiments -
Dictionary Information (Privileges) -
Optional work (specify) -
List of queries used is available -
Personal evaluation -
Fine-grained Access Control Using Views
I have created the table guides by following commands.

SQL> CREATE TABLE guides (
2 username varchar2(10) primary key,
3 fname varchar2(15),
4 lname varchar2(20),
8 grade varchar2(1),
9 nationality varchar2(20) not null,
10 salary number(6,2) default 0.00,
11 language varchar2(15),
12 altlanguage varchar2(15),
13 area varchar2(15) not null
14 );
Table created.
I have created the TOURS table through the following commands

SQL> CREATE TABLE TOURS
2 (
3 TourNo number Primary key,
4 Destination varchar2(25),
5 Type varchar2(20),
6 StartDate date,
7 Length varchar2(15),
8 CostPerPerson number(6,2),
9 MaxPeople number(3),
10 MinPeople number(2),
11 Area varchar2(15),
12 Guide varchar2(10),
13 Notes varchar2(100)
14 );
Table created.
Then after I have implemented the table called BOOKINGS through the following
command.
SQL> ed
1 CREATE TABLE BOOKINGS

2 (
3 BookingRef number primary key,
4 TourNo number,
5 Guide varchar2(10),
6 CustomerFname varchar2(15),
7 CustomerLname varchar2(25),
8 Address varchar2(60),
9 NoOfPeople number(2),
10 Cost number(8,2),
11 Deposit number(6,2),
12 FinalPayDate date
13* )
SQL> /
Table created.
Then after I have entered sample values into guides table by following methods
Eg 1 :-
SQL> ed
1 insert into guides values (
2* 'johnnyw', 'John', 'Wells', '15 Longholm St', 'London', 'SE3 2PL', 'B', 'British', 2600,
SQL> /
1 row created.
Eg 2:-

1 insert into guides values (
2* 'irisw', 'Iris', 'Wong', '15 Commercial Rd', 'London', 'E12 8UJ', 'D', 'British', 3000,
SQL> /
1 row created.
SQL> commit;
Commit complete.
I have entered sample value to tours table by following methods.
Eg 1 :-
SQL> ed
1 insert into tours values (
2* 200610, 'Bolivia', 'Package', '1-Feb-2008', '14 days', 2875, 50, 10, 'South America',
'pab
SQL> /
1 row created.
Eg 2 :-
1 insert into tours values (
2* 200645, 'Peru', 'Trek', '14-Mar-2008', '14 days', 2500, 16, 5, 'South America',
'pablop',
SQL> /
1 row created.
SQL> commit;
Commit complete.
I have entered sample value to bookings table by following methods.

Eg :- 1
SQL> ed
1 insert into bookings values(
2* 100080, 200590, 'abdulh', 'Hussein', 'Hussar', '47 Petersham Rd, London SE23 4JJ',
4, 3000
SQL> /
1 row created.
Eg :- 2
1 insert into bookings values(
2* 100082, 200600, 'fredas', 'Martha', 'Mason', '21 Torquay Rd, London EC3 4KK', 4,
3200, 100
SQL> /
1 row created.
SQL> commit;
Commit complete.
I have checked the tables for the data.
Check the guides table.

SQL> select * from guides;
USERNAME FNAME LNAME STREET
---------- --------------- -------------------- -------------------------
CITY POSTCODE G NATIONALITY SALARY
------------------------- --------------- - -------------------- ----------
LANGUAGE ALTLANGUAGE AREA
--------------- --------------- ---------------
pablop Pablo Perera 12 Green Lane
London SE20 4TH A Spanish 2500
Spanish French Europe
bepeg Bepe Giotto 27 Halsted Rd
London SE10 2UJ B Italian 2600
Italian Europe
Check the tours table

SQL> select * from tours;
TOURNO DESTINATION TYPE STARTDATE
---------- ------------------------- -------------------- ---------
LENGTH COSTPERPERSON MAXPEOPLE MINPEOPLE AREA
GUIDE
--------------- ------------- ---------- ---------- --------------- ----------
NOTES
--------------------------------------------------------------------------------
200610 Bolivia Package 01-FEB-08
14 days 2875 50 10 South America pablop
200645 Peru Trek 14-MAR-08
14 days 2500 16 5 South America pablop
Check the tours bookings table

SQL> select * from bookings ;
BOOKINGREF TOURNO GUIDE CUSTOMERFNAME CUSTOMERLNAME
---------- ---------- ---------- --------------- -------------------------
ADDRESS NOOFPEOPLE
------------------------------------------------------------ ----------
COST DEPOSIT FINALPAYD
---------- ---------- ---------
100057 200600 fredas John Hanson
16 Highland Ave, London EC2 1JH 8
6400 1400
100058 200645 pablop Hilary Backhouse
12 Victoria Rd, London WC1 3KJ 4
10000 2000 12-NOV-07
I have created the view for the requirement1
SQL> ed
1 create view requirenment1 as select

2* fname,lname,area,language,username from guides
SQL> /
View created.
Displaying the created view

SQL> select * from requirenment1;
FNAME LNAME AREA LANGUAGE USERNAME

--------------- -------------------- --------------- --------------- ----------
Pablo Perera Europe Spanish pablop
Bepe Giotto Europe Italian bepeg
John Wells USA Spanish johnnyw
Iris Wong Asia Mandarin irisw
Abdul Hussein Asia Arabic abdulh
Freda Smith USA fredas
Georgina Payne Europe georgiep
shanmugam Thevapriyan srilanka Tamil st846A
8 rows selected.
Then after I have created the view for requirement2

SQL> ed
1 create view requirenment2 as

2 select fname, lname, grade,username,nationality
3* from guides
SQL> /
View created.
Displaying the created view
FNAME LNAME G USERNAME NATIONALITY

--------------- -------------------- - ---------- --------------------
Pablo Perera A pablop Spanish
Bepe Giotto B bepeg Italian
John Wells B johnnyw British
Iris Wong D irisw British
Abdul Hussein C abdulh British
Freda Smith A fredas British
Georgina Payne A georgiep British
shanmugam Thevapriyan A st846A Srilankan
8 rows selected.
Created the view for requirement3

SQL> ed
1* create view requirenment3 as select fname, lname, username,salary from guides

SQL> /
View created.
Displaying the created view for the requirenment3

FNAME LNAME USERNAME SALARY

--------------- -------------------- ---------- ----------
Pablo Perera pablop 2500
Bepe Giotto bepeg 2600
John Wells johnnyw 2600
Iris Wong irisw 3000
Abdul Hussein abdulh 2800
Freda Smith fredas 2500
Georgina Payne georgiep 2500
shanmugam Thevapriyan st846A 2000
8 rows selected.
Created the view for requirement4
SQL> ed
1* create view requirenment4 as select * from guides

SQL> /
View created.
Display the created view for requirement4


---------- --------------- -------------------- -------------------------
------------------------- --------------- - -------------------- ----------
--------------- --------------- ---------------

Italian Europe
Granting the view access to the secondary account

SQL> ed
1* grant select on requirenment1 to st846A

2 /
Grant succeeded.
Connecting the secondary account

SQL> connect st846A@yoda
Enter password: ******
Connected.
Check the requirenment1 view from secondary account
SQL> ed
1* select * from st846.requirenment1

SQL> /
FNAME LNAME AREA LANGUAGE USERNAME

--------------- -------------------- --------------- --------------- ----------
Pablo Perera Europe Spanish pablop
Bepe Giotto Europe Italian bepeg
John Wells USA Spanish johnnyw
Iris Wong Asia Mandarin irisw
Abdul Hussein Asia Arabic abdulh
Freda Smith USA fredas
Georgina Payne Europe georgiep
shanmugam Thevapriyan srilanka Tamil st846A
8 rows selected.
I have tried to access the guides table but I could not retrieve the data, because I
have given access permission to view only not to the table. So it is a good security
layer of the Oracle.
SQL> select * from st846.guides;
select * from st846.guides
*
ERROR at line 1:
ORA-00942: table or view does not exist
Granting select and insert privileges to secondary account to the requirement2 view
from main account.
SQL> grant select on requirenment2 to st846A;
Grant succeeded.
SQL> grant insert on requirenment2 to st846A;
Grant succeeded.
I have checked the views to conform are they working properly from my secondary
account.
SQL> select * from st846.requirenment2;
FNAME LNAME G USERNAME NATIONALITY

--------------- -------------------- - ---------- --------------------
Pablo Perera A pablop Spanish
Bepe Giotto B bepeg Italian
John Wells B johnnyw British
Iris Wong D irisw British
Abdul Hussein C abdulh British
Freda Smith A fredas British
Georgina Payne A georgiep British
shanmugam Thevapriyan A st846A Srilankan
8 rows selected.
I have try to insert data into requrenment2 view but couldn’t insert values to the
view because one column in the base table is not null.
SQL> ed
1 insert into st846.requirenment2

2 values(
3* 'Sangeetha','Jeganathan','A','geetha','Srilankan')
SQL> /
insert into st846.requirenment2
*
ERROR at line 1:
ORA-01400: cannot insert NULL into (???)
Editing the guides table column area nut null into null from the main account.
SQL> ed
1* alter table guides modify area null

SQL> /
Table altered.
Thereafter I have tried to insert value into requrenment2 view then it is successfully
inserted.
SQL> ed
1 insert into st846.requirenment2

2 values(
3* 'Sangeetha','Jeganathan','A','geetha','Srilankan')
4 /
1 row created.
Connect the secondary account

Connected.
Insert the value into requirenment2 view from secondary account

SQL> ed
1 insert into st846.requirenment2 values(
2* 'Bala','shan','A','Shanuog','Srilankan')
SQL> /
1 row created.
I have tried to delete records from table but I couldn’t delete the data from the table
because I have given the permission for insert only not for deleting privileges .
SQL> delete * from st846.requirenment2 where nationality ='Srilankan';
delete * from st846.requirenment2 where nationality ='Srilankan'
*
ERROR at line 1:
ORA-00903: invalid table name
Granting only salary column update privileges to requirement3 this is a more secure
column level permission.
SQL> grant update(salary) on requirenment3 to st846A;
Grant succeeded.
Connecting the secondary user account.

Connected.
Try to update fname column but I couldn’t do that because I have given the
permission for salary column only.
SQL> update st846.requirenment3 set fname='priyanuog' where salary=2500;
update st846.requirenment3 set fname='priyanuog' where salary=2500
*
ERROR at line 1:
Now I have tried to update salary only, this time it works fine and dates are updated
in the view.
SQL> update st846.requirenment3 set salary=2700 where salary=2500;
3 rows updated.
Commit the updates.

SQL> commit;
Commit complete.
Granting select privileges to requirenment4 view.

SQL> grant select on requirenment4 to st846A;
Grant succeeded.
Granting delete privileges to requirenment4 view .

SQL> grant delete on requirenment4 to st846A;
Grant succeeded.
I have tried to check each privileges for requirenment4 view whether every
implemented privileges are working properly.
SELECT
Select privileges are working correctly because I have given the select privileges to
view requirenment 4.
SQL> select * from st846.requirenment4;

---------- --------------- -------------------- -------------------------
------------------------- --------------- - -------------------- ----------
--------------- --------------- ---------------

Italian Europe
UPDATE
Update a privilege is working correctly because I haven’t given the update privileges
to requirenment 4 view.
SQL> update st846.requirenment4 set lname='Jesan' where grade='A';
update st846.requirenment4 set lname='Jesan' where grade='A'
*
ERROR at line 1:
INSERT
Insert a privilege is working correctly because I haven’t given the insert privileges
to requirenment 4 view.
SQL> insert into st846.requirenment4 values(
2 'Nisha','Praba','Nishanthni','30 The vale Action', 'East Action','W3
7RS','B','Srilankan',3000,
'Sinhala','tamil', 'Asia');
insert into st846.requirenment4 values(
*
ERROR at line 1:
DELETE
Delete privileges is working correctly because I have given the delete privileges to
view requirenment 4 so it remove one row from the view where username geetha.
SQL> delete st846.requirenment4 where username='geetha';
1 row deleted.
Creating the requirement5 view

SQL> create or replace view requirement5 as
2 select
3 book.guide,
4 book.cost,
5 book.noofpeople noofbooked,
6 tour.destination,
7 tour.startdate,
8 tour.length,
9 tour.maxpeople
10 from tours tour,bookings book
11 where tour.tourno=book.tourno;
View created.
Displaying the created requirement5 view

SQL> select * from requirement5;
GUIDE COST NOOFBOOKED DESTINATION STARTDATE

---------- ---------- ---------- ------------------------- ---------
LENGTH MAXPEOPLE
--------------- ----------
fredas 6400 8 New York 25-MAR-08
4 days 20
pablop 10000 4 Peru 14-MAR-08

14 days 16
pablop 7500 3 Peru 14-MAR-08

14 days 16
Creating requirement6 view
SQL> ed
1 create or replace view requirement6 as

2 select tr.tourno ,tr.startdate, tr.maxpeople,tr.minpeople,sum(bk.noofpeople)
Totalnoofpeople
3 from tours tr , bookings bk
4 where tr.tourno = bk.tourno
5 group by tr.tourno ,tr.maxpeople,tr.minpeople,tr.startdate
6* having tr.minpeople >sum(bk.noofpeople)
SQL> /
View created.
Displaying the created view requirement6 from main account.

SQL> select * from requirement6;
TOURNO STARTDATE MAXPEOPLE MINPEOPLE TOTALNOOFPEOPLE

---------- --------- ---------- ---------- ---------------
200635 31-JAN-08 25 8 7
200695 11-APR-08 50 10 4
200657 12-FEB-08 25 8 2
200670 21-FEB-08 30 15 8
200625 15-FEB-08 25 8 3
200610 01-FEB-08 50 10 2
200615 01-FEB-08 40 10 4
7 rows selected.
Displaying the created view requirement6 from secondary account.

SQL> select * from st846.requirement6;
select * from st846.requirement6
*
ERROR at line 1:
ORA-00942: table or view does not exist
Granting the Select, update, delete permission to secondary user to requirement 6
view.
Select
SQL> grant select on requirement6 to st846A;
Grant succeeded.
Delete
SQL> grant delete on requirement6 to st846A;
Grant succeeded.
Update
SQL> grant update on requirement6 to st846A;
Grant succeeded.
Try check the Select privilege working correctly in secondary accounts

SQL> select * from st846.requirement6;
TOURNO STARTDATE MAXPEOPLE MINPEOPLE TOTALNOOFPEOPLE

---------- --------- ---------- ---------- ---------------
200635 31-JAN-08 25 8 7
200695 11-APR-08 50 10 4
200657 12-FEB-08 25 8 2
200670 21-FEB-08 30 15 8
200625 15-FEB-08 25 8 3
200610 01-FEB-08 50 10 2
200615 01-FEB-08 40 10 4
7 rows selected..
I have tried to update the aggregate function but it didn’t allow me to manipulate
my script.
SQL> update st846.requirement6
2 set maxpeople =45
3 where TOURNO=200615;
update st846.requirement6
*
ERROR at line 1:
ORA-01732: data manipulation operation not legal on this view.
Creating the requirement 7 view wich is GUIDEDETAILS.
create view GUIDEDETAILS as

2 select fname,lname,username,grade,
3 decode (username,'irisw',salary,NULL)
4 salary,area,language
5 from guides;
View created.
Displaying the created view of requirement 7 (GUIDEDETAILS).
SQL> Select * from GUIDEDETAILS ;

FNAME LNAME USERNAME G SALARY AREA
--------------- -------------------- ---------- - ---------- --------------
LANGUAGE
---------------
Pablo Perera pablop A Europe
Spanish
Bepe Giotto bepeg B Europe
Italian
John Wells johnnyw B USA
Spanish

--------------- -------------------- ---------- - ---------- --------------
LANGUAGE
---------------
Iris Wong irisw D 3000 Asia
Mandarin
Abdul Hussein abdulh C Asia
Arabic
Freda Smith fredas A USA
--------------- -------------------- ---------- - ---------- --------------
LANGUAGE
---------------
Georgina Payne georgiep A Europe
shanmugam Thevapriyan st846A A srilanka
Tamil
Sangeetha Jeganathan geetha A
9 rows selected.
I have created the view requirement8
SQL> ed
1 create view requirement8 as

2 select fname,lname,username,area,nvl(language,'English Only') Language,altlanguage
"ALTERNATE L
3* from guides
SQL> /
View created.
Display the created view of rquirement8.
FNAME LNAME USERNAME AREA LANGUAGE

--------------- -------------------- ---------- --------------- ---------------
ALTERNATE LANGU
---------------
Iris Wong irisw Asia Mandarin
Cantonese
Abdul Hussein abdulh Asia Arabic
Freda Smith fredas USA English Only
FNAME LNAME USERNAME AREA LANGUAGE

--------------- -------------------- ---------- --------------- ---------------
ALTERNATE LANGU
---------------
Georgina Payne georgiep Europe English Only
shanmugam Thevapriyan st846A srilanka Tamil

English
Sangeetha Jeganathan geetha English Only
9 rows selected.
I have tried to update the salary of view8 (GUIDEDETAILS) but it through an
exception.
SQL> update st846.guidedetails

2 set salary=salary * 1.1 ;
set salary=salary * 1.1
*
ERROR at line 2:
ORA-01733: virtual column not allowed here
Creating the trigger to give permission .

SQL> start t:\oracle\trigger;
Trigger created.
Update guidedetails view after the trigger created .

SQL> update st846.guidedetails
2 set salary=salary * 1.1;
9 rows updated.
Commit the change.

SQL> commit;
Commit complete.
Display the view of guidedetails

--------------- -------------------- ---------- - ---------- --------------
LANGUAGE
---------------
Iris Wong irisw D 3300 Asia
Mandarin
Abdul Hussein abdulh C Asia

Arabic
Freda Smith fredas A USA

--------------- -------------------- ---------- - ---------- --------------
LANGUAGE
---------------
Georgina Payne georgiep A Europe
shanmugam Thevapriyan st846A A srilanka

Tamil
Sangeetha Jeganathan geetha A
9 rows selected.
Creating the view for requirement 9 to display the Euro guides.

SQL> create view requirement9 as
2 select * from guides
3 where area='Europe';
View created.
Display the created view of requirement 9 which show you the European guide’s
details.
SQL> Select * from requirement9 ;

---------- --------------- -------------------- -------------------------
------------------------- --------------- - -------------------- ----------
--------------- --------------- ---------------

Italian Europe
Creating the view for requirement 10 to display the USA guides with check option.
Constraint.
SQL> create view requirement10 as
2 select * from guides where area ='usa'
3 with check option constraint requirement9;
View created.
Displaying the created requirement10.
SQL> select * from requirement10 ;
no rows selected
Creating the requirement_11 view

SQL> ed
1 create view requirement_11 as

2 select tours.tourno from tours , guides
3* where tours.guide=guides.username and guides.username='pablop'
SQL>
SQL> /
View created.
Displaying the created view requirement_11

SQL> select * from requirement_11;
TOURNO
----------
200610
200645
200695
Try to update the requirement 9 view

SQL> update requirement9
2 set language='Polish' where username='bepeg';
1 row updated.
Try to update the requirement10 view

SQL> update requirement10
2 set language='Spanish' where username='freda';
0 rows updated.
Personal evaluation
Understand the table design and make relationship with table in complicated
system
Implementing the different set of view in order to customize the visibility to the
end users.
Use the aggregate function to depersonalise data set the user requirements.
Learn about how to use row level security and column level security to enhance
the users’ security views and also got the ability to restrict the view using masking
functions.
Understand the grant and revoke access privilege to view for manipulation of
required data elements to individual users.
This lab starts with table creation and inserting data into table and makes relationship
with them. to joint table I can use different method .families with view to customize the
data visibility to the end user privileges. Limited the column level restriction using some
aggregate function .After the column level enforcement use the row level security
experiment with same data. The row and column level security facility are very important
for data privacy issues. Use the trigger function to grant the update privileges for the
users. This is a very useful concept in the oracle database.
Base table creation and population-
Views restricting column access
Experiments on views restricting columns
Aggregate function views
Experiments on aggregate function views
Masking function views
Experiments on masking function views
Optional – View 7a and tests
INSTEAD OF trigger and tests
Row restriction views
Experiments with row restriction views
Personal evaluation
Fine-grained Access Control: Virtual Private Database
First of all I have created the EMPLOYEE table according to given scenario.
SQL> create table EMPLOYEES
2 (
3 EmpNo varchar2(10) primary key,
4 fname varchar2(20) ,
5 lname varchar2(20),
6 username varchar2(20),
10 Grade varchar2(15),
11 position varchar2(20),
12 salary number(8,2),
13 bonuspct number(2,0),
14 deptno number,
15 startdate date,
16 finished date,
17 status varchar2(15)
18 )
19 ;
Table created.
Then after I have created the second table called Department according to given
scenario.
SQL> create table DEPARTMENTS
2 (
3 deprno varchar2(10) primary key,
4 deptname varchar2(30),
5 location varchar2(20),
6 manager number,
7 notes varchar2(100)
8 );
Table created.
Finally I have created the PAYMENT table according to given scenario.
SQL> create table PAYMENTS
2 (
3 PaymentRef number primary key,
4 DeptNo number,
5 EmpNo number,
6 BonusAmt number(6,2),
7 PayDay date,
8 Note varchar2(100)
9 );
Table created.
Then after I inserted the data into employee table.
SQL> insert into Employees
2 (
3 EmpNo ,
4 Fname ,
5 Lname ,
6 Username ,
7 Street ,
8 City ,
9 Postcode ,
10 Grade ,
11 Position,
12 Salary ,
13 BonusPct ,
14 DeptNo ,
15 StartDate ,
16 Finished ,
17 Status
18 )
19 values
20 (
21 501,
22 'Thevapriyan',
23 'Shanmugam',
24 'st846',
25 '33 Laughton Road',
26 'Northolt',
27 'UB5 5LL',
28 'G',
29 'IT Auditer',
30 6500,
31 2.2,
32 30,
33 cast ('01/Jan/2009 ' as date) ,
34 cast ('01/Aug/2009 ' as date) ,
35 'married'
36 )
37 ;
1 row created.
Similarly I have entered several data into employee Table.
Display the created table employee from my main account (st846)

SQL> select * from employee;
7 rows selected.
Grant the Select privileges to my secondary accounts.
SQL> grant select on employees to st846A;
Grant succeeded.
SQL> grant select on employees to st846B;
Grant succeeded.
SQL> grant select on employees to st846c;
Grant succeeded.
Grant the insert privileges to my secondary accounts.

SQL> grant insert on employees to st846A;
Grant succeeded.
SQL> grant insert on employees to st846B;
Grant succeeded.
SQL> grant insert on employees to st846c;
Grant succeeded.
Grant the update privileges to my secondary accounts.

SQL> grant update on employees to st846A;
Grant succeeded.
SQL> grant update on employees to st846B;
Grant succeeded.
SQL> grant update on employees to st846C;
Grant succeeded.
Part -1
Using application context
1) current_user
SQL> ed
1 select SYS_CONTEXT ( 'userenv','current_user')

2* from dual
3 /
SYS_CONTEXT('USERENV','CURRENT_USER')
----------------------------------------------------------------
ST846
2) session_user
SQL> ed
1 select SYS_CONTEXT ( 'userenv','session_user')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','SESSION_USER')
-----------------------------------------------------------
ST846
3)ip_address
SQL> ed
1 select SYS_CONTEXT ( 'userenv','ip_address')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','IP_ADDRESS')
------------------------------------------------------------------
172.16.18.153
4) host
SQL> ed
1 select SYS_CONTEXT ( 'userenv','host')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','HOST')
------------------------------------------------------
CMS_DOMAIN\CMSVDI012
5) sessionid
SQL> ed
1 select SYS_CONTEXT ( 'userenv','sessionid')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','SESSIONID')
----------------------------------------------------------
57452
6) authentication_type
SQL> ed
1 select SYS_CONTEXT ( 'userenv','authentication_type')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','AUTHENTICATION_TYPE')
------------------------------------------------------------------
DATABASE
7) 'db_name'
SQL> ed
1 select SYS_CONTEXT ( 'userenv','db_name')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','DB_NAME')
---------------------------------------------------------
Yoda
8) 'client_identifier
SQL> ed
1 select SYS_CONTEXT ( 'userenv','client_identifier')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER')
9) current_schema
SQL> ed
1 select SYS_CONTEXT ( 'userenv','current_schema')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','CURRENT_SCHEMA')
--------------------------------------------------------------
ST846
10)isdba
SQL> ed
1 select SYS_CONTEXT ( 'userenv','isdba')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','ISDBA')
--------------------------------------------------------------
FALSE
11)current_sql
SQL> ed
1 select SYS_CONTEXT ( 'userenv','current_sql')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','CURRENT_SQL')
--------------------------------------------------------------
12) client_info
SQL> ed
1 select SYS_CONTEXT ( 'userenv','client_info')

2* from dual
SQL> /
SYS_CONTEXT('USERENV','CLIENT_INFO')
-----------------------------------------------------------
PART -2
Using Context with Views
Creating the view presenting where the user only see their own records by
application context.
SQL> ed
1 create view users_own_view as

2 SELECT * FROM employees
3* WHERE username =SYS_CONTEXT('USERENV' , 'current_user')
SQL> /
View created.
Display the created view.

SQL> select * from users_own_view ;
EMPNO FNAME LNAME USERNAME

---------- -------------------- -------------------- --------------------
STREET CITY POSTCODE GRADE
------------------------- --------------- --------------- ---------------
POSITION SALARY BONUSPCT DEPTNO STARTDATE FINISHED
-------------------- ---------- ---------- ---------- --------- ---------
STATUS
---------------
506 sean Tomy ST846
18 Wotson place Greenford G3 8TW F
Tax officer 4000 3 10 20-JAN-09 20-JUN-09
married
Granting( user_own_view) view to select privileges to my secondary

Account(ST846B).
SQL> grant select on user_own_view to st846B;
Grant succeeded.
Display the view (user_own_view) from my secondly account (ST846A)
SQL> select * from st846.user_own_view;

---------- -------------------- -------------------- --------------------
------------------------- --------------- --------------- ---------------
-------------------- ---------- ---------- ---------- --------- ---------
STATUS
---------------
504 David chadwich ST846A
18 Melbone Avenue Laughton L3 8gS U
Office Administrator 3680 1 20 01-JAN-09 01-NOV-09
Single
Display the view (user_own_view) from my secondly account (ST846B)
SQL> select * from st846.user_own_view;

---------- -------------------- -------------------- --------------------
------------------------- --------------- --------------- ---------------
-------------------- ---------- ---------- ---------- --------- ---------
STATUS
---------------
502 Sangeetha Jeganathan ST846B
30 vale Road East action W3 7RS B
sales Assistance 3000 3 50 16-FEB-09 16-MAY-09
married
Creating another view which hide the salary and bonus column for the employee
table data except the currently connected user.
SQL> ed
1 create or replace view salary_bonus_onlyuser as

2 select
3 empno,
4 fname,
5 lname,username,
6 street,
7 city,
8 postcode,
9 grade,
10 position,
11 DECODE (username, SYS_CONTEXT('userenv', 'current_user'), salary, NULL)
SALARY ,
12 DECODE (username, SYS_CONTEXT('userenv', 'current_user'), bonuspct, NULL)
bonuspct ,
13 deptno,
14 startdate,
15 finished,
16 status
17* from employee
SQL> /
View created.
Testing the view from my main account(ST846)

SQL> select * from salary_bonus_onlyuser;
(Sean username is ST846 so the salary, Bonuspct column show for the current user)
Granting the view to my secondary accounts .
SQL> grant select on salary_bonus_onlyuser to st846A,st846B,st846C,st846_sec;
Grant succeeded.
Testing from my secondary account(ST846A)

SQL> select * from st846.salary_bonus_onlyuser;
(David only can see his salary,Bonuspct column because his username ST846A)
Testing from my secondary account(ST846C)

SQL> select * from st846.salary_bonus_onlyuser;
(Tony only can see his salary,Bonuspct column because his username ST846C)
In USER function you have to give username as well for specific data execution
however the application context way of view implementation is easy to execute
because it will automatically determine current users and their relevant fields.
I didn’t give insert and update privileges to my secondary accounts for the views
therefore in gave me an error when I was trying to update or delete the records.
Part 111
Implementing the Virtual Private Database
Creating the policy function for limiting the department

SQL> ed
1 CREATE OR REPLACE FUNCTION limit_dept

2 (p_schema IN VARCHAR2, p_object IN VARCHAR2)
3 RETURN VARCHAR2
4 AS
5 BEGIN
6 RETURN 'DeptNo != 50';
7* END;
SQL> /
Function created.
Then adding the policy function the employee table .

SQL> ed
1 begin
2 DBMS_RLS.add_policy
3 (
4 object_schema => 'st846',
5 object_name => 'EMPLOYEES',
6 policy_name => 'remove_dept',
7 function_schema => 'st846_sec',
8 policy_function => 'limit_dept');
9* END;
10 /
PL/SQL procedure successfully completed.

Display the employee table form main account and I can observe in the details there
are no employee belongs to department no 50 . so the policy working fine.
SQL> select * from employees;

---------- -------------------- -------------------- --------------------
------------------------- --------------- --------------- ---------------
-------------------- ---------- ---------- ---------- --------- ---------
STATUS
---------------
501 Thevapriyan Shanmugam st846
33 Laughton Road Northolt UB5 5LL G
IT Auditer 6500 2 30 01-JAN-09 01-AUG-09
Married
Display the view from my secondary account after grant the permission to
secondary account.
SQL> select * from st846.employees;

---------- -------------------- -------------------- --------------------
------------------------- --------------- --------------- ---------------
-------------------- ---------- ---------- ---------- --------- ---------
STATUS
---------------
501 Thevapriyan Shanmugam st846
33 Laughton Road Northolt UB5 5LL G
IT Auditer 6500 2 30 01-JAN-09 01-AUG-09
married
Try to insert the value to the employee from my secondly account and see that is
inserted into the employee table.
QL> ed
1 insert into st846.Employees

2 (
3 EmpNo ,
4 Fname ,
5 Lname ,
6 Username ,
7 Street ,
8 City ,
9 Postcode ,
10 Grade ,
11 Position,
12 Salary ,
13 BonusPct ,
14 DeptNo ,
15 StartDate ,
16 Finished ,
17 Status
18 )
19 values
20 (
21 510,
22 'Tony',
23 'Valsamidis',
24 'vt658',
25 'Old Royal Naval College ',
26 'Park Row ',
27 'SE10 9LS ',
28 'D',
29 'HR Manager ',
30 3000,
31 1.0,
32 40,
33 cast ('19/Jan/2009 ' as date) ,
34 cast ('16/Sep/2009 ' as date) ,
35 'married'
36* )
SQL> /
1 row created.
Then after Ichange the function into( =50) and re-execute the function(St846_sec)
SQL> ed
1 CREATE OR REPLACE FUNCTION limit_dept
2 (p_schema IN VARCHAR2, p_object IN VARCHAR2)
3 RETURN VARCHAR2
4 AS
5 BEGIN
6 RETURN 'DeptNo = 50';
7* END;
SQL> /
Function created.
View the employee table from my main account and now it has shown the employee
belongs to department number 50 only so the policy working fine.
SQL> select * from employees;

---------- -------------------- -------------------- --------------------
------------------------- --------------- --------------- ---------------
-------------------- ---------- ---------- ---------- --------- ---------
STATUS
---------------
502 Sangeetha Jeganathan sj865
30 vale Road East action W3 7RS B
sales Assistance 3000 3 50 16-FEB-09 16-MAY-09
married
Using the application context to restricts own view
First of all I have created the( restrict_own_row) function in my security account to

block the users own view details from employee table.
SQL> ed
1 create or replace function restrict_own_row

2 (p_schema in varchar2 ,
3 p_object in varchar2 )
4 return varchar2
5 as
6 begin
7 return 'USERNAME ! = sys_context(''USERENV'',''current_user'')';
8* end;
SQL> /
Function created.
Before applying policy with function my employee ( *rename from employees*)
my table has following details.
7 rows selected.
You can see from employee table

User Sean Tomy username is (ST846)
User Tony Valsmidis username is (ST846C).
Then after I have applied the policy with ( restrict_own_row) function in my main
account.
SQL> ed
1 begin
2 dbms_rls.add_policy(
3 object_schema => 'ST846',
4 object_name => 'employee',
5 policy_name => 'limit_own_row',
6 function_schema => 'ST846_sec',
7 policy_function => 'restrict_own_row'
8 );
9* end;
SQL> /

After all I have logon to my secondary account (St846C) and check the current users
function working properly.
After everything finish I have check with my user accounts to test how the policy
work fine or not .Depend on the results I find out the policy work fine.
ST846
SQL> select * from st846.employee;
6 rows selected.
(I can not see the Sean Tomy details here)
ST846C
SQL> select * from st846.employee;
6 rows selected.
(I can not see the Tony Valsmidis details here)
Part IV using user defined contexts and VPD techniques
First of all I have created the trigger in my secondary account st846c.

SQL> ed
1 create or replace trigger set_dept_context

2 after logon
3 on schema
4 begin
5 sec_mgr.lab_ctx_mgr.set_dept_no(40);
6 exception when no_data_found then null;
7 when others then null;
8* end;
9 /
Trigger created.
Then after I have check the context value working correctly of the given
department.
SQL> select sys_context ('lab_ctx','deptno') from dual;
SYS_CONTEXT('LAB_CTX','DEPTNO')
--------------------------------------------------------------------------------
40
Then after I have created the dept_only function in my security account.

SQL> ed
1 create or replace function dept_only (p_schema in varchar2 default null,

2 p_object in varchar2 default null) return varchar2 as
3 begin
4 return 'deptno = sys_context(''lab_ctx'',''deptno'')';
5* end;
6 /
Function created.
Thereafter I have applied the security policy into my main schema .
SQL> ed
1 begin
2 dbms_rls.add_policy(
3 object_schema => 'ST846',
4 object_name => 'employee',
5 policy_name => 'deptonly',
6 function_schema => 'ST846_sec',
7 policy_function => 'dept_only'
8 );
9* end;
10 /
Then after I have check the policy working correctly or not the employee table show
me only the staff who belongs to department no40 so the policy working fine .
EMPNO FNAME LNAME USERNAME STREET

CITY POSTCODE GRADE POSITION SALARY
BONUSPCT
---------- -------------------- -------------------- -------------------- ------------------------- ---------
------ --------------- --------------- -------------------- ---------- ----------
DEPTNO STARTDATE FINISHED STATUS
---------- --------- --------- ---------------
503 Tony Valsamidis ST846C Old Royal Naval College
Park Row SE10 9LS D HR Manager 3000 1
40 19-JAN-09 16-SEP-09 married
508 Barack Obama BO100 High street

washington dc WD 502687 A Head HR 5000 2
40 01-AUG-08 10-DEC-09 married
Lab4
Oracle Label Security (OLS)
First of all I have check my security account (st846_sec) user role privileges from
following commands,

------------------------------ ------------------------------ --- --- ---
ST846_SEC LBAC_DBA NO YES NO
ST846_SEC ST846_LP_DBA NO YES NO
ST846_SEC STUDENT NO YES NO
Then after I have created the customers table in my security account (st846_sec)
according to the given details.
SQL> ed
1 CREATE TABLE customers (

2 id NUMBER(10) NOT NULL,
3 cust_type VARCHAR2(10),
4 first_name VARCHAR2(30),
5 last_name VARCHAR2(30),
6 region VARCHAR2(15),
7 credit NUMBER(10,2),
8* CONSTRAINT customer_pk PRIMARY KEY (id))
9 /
Table created.
Thereafter I have entered the sample values to the customers tables.

SQL> INSERT INTO customers (id, cust_type, first_name, last_name, region, credit)
2 VALUES ( 1, 'SILVER', 'Harry', 'Hill', 'REGION 1', 11000.00);
1 row created.
SQL> INSERT INTO customers (id, cust_type, first_name, last_name, region, credit)
2 VALUES ( 2, 'SILVER', 'Vic', 'Reeves', 'REGION 2', 2000.00);
1 row created.
Commit the changes.

SQL> commit;
Commit complete.
Part 1, implementing Labels with Levels
MY LABEL RANGE IS (1300 – 1350)
First of all I have implemented the levels for the users.

SQL> ed
1 begin sa_components.create_level(
2 policy_name => 'st846_lp',
3 long_name => 'Level 1',
4 short_name => 'L1',
5 level_num =>1320);
6* end;
SQL> /
SQL> ed
1 begin
2 sa_components.create_level(
7* end;
SQL> /
SQL> ed
1 begin
2 sa_components.create_level(
7* end;
SQL> /

Then after have created the levels for the users.
SQL> ed
1 begin
2 sa_label_admin.create_label(
4 label_tag => 1320,
5 label_value => 'L1');
6* end;
SQL> /
PL/SQL procedure successfully completed
SQL> ed
1 begin
6* end;
SQL> /
SQL> ed
1 begin
6* end;
SQL> /

Then after I have applied the table policy to the customer tables.
SQL> ed
1 BEGIN
2 SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
4 schema_name => 'st846_sec',
5 table_name => 'CUSTOMERS',
6 table_options => 'NO_CONTROL');
7* END;
SQL> /
After this processes I have updated the customers table according to the user
levels.
SQL> ed
1 update customers
2 set st846_lbl = char_to_label('st846_lp', 'L1')
3* where cust_type = 'SILVER'
SQL> /
5 rows updated.
SQL> ed
1 update customers
3* where cust_type = 'GOLD'
SQL> /
5 rows updated.
SQL> ed
1 update customers
3* where cust_type = 'PLATINUM'
SQL> /
5 rows updated.
Then after I have removed the table policy from customers tables.
SQL> ed
1 begin SA_POLICY_ADMIN.REMOVE_TABLE_POLICY
2 (
3 'st846_lp',
4 'st846_sec',
5 'CUSTOMERS');
6* end;
SQL> /
Again I have apply the table policy with correct options

SQL> ed
1 begin SA_POLICY_ADMIN.APPLY_TABLE_POLICY (
3 schema_name => 'st846_sec',
4 table_name => 'customers',
5 table_options => 'READ_CONTROL');
6* end;
SQL> /
After all I set the users to given levels.

SQL> ed
1 BEGIN
2 SA_USER_ADMIN.SET_USER_LABELS('ST846_lp','ST846','L3');
3 SA_USER_ADMIN.SET_USER_LABELS('ST846_lp','ST846A','L2');
4 SA_USER_ADMIN.SET_USER_LABELS('ST846_lp','ST846B','L1');
5* END;
6 /

Part -2 Testing
Then after I have granted the select privileges to my main accounts and secondary
accounts.
SQL> ed
1* grant select on customers to st846, st846a, st846b, st846c

SQL> /
Grant succeeded.
Then after I have logon to different user account and select the customers table
there is no record shown in the interface.
Connected.
SQL> select * from st846_sec.customers;
no rows selected
SQL> connect st846a@yoda

Connected.
no rows selected
SQL> connect st846b@yoda

Connected.
no rows selected
SQL> connect st846c@yoda

Connected.
no rows selected
When I remove the policy from the table only it shows me all the customers details
for all the accounts .because the NO-controls statement will restrict the select
privileges.
Part3 Compartments
First of all I have created the compartments for the regions.
SQL> ed
1 begin
2 SA_COMPONENTS.CREATE_COMPARTMENT(
4 comp_num => 1302,
5 short_name => 'R1',
6 long_name => 'Region 1');
7* end;
SQL> /
SQL> ed
1 begin
2 SA_COMPONENTS.CREATE_COMPARTMENT(
4 comp_num => 1303,
5 short_name => 'R2',
6 long_name => 'Region 2');
7* end;
SQL> /
Then after I have created the new labels for these levels with compartment details.
SQL> ed
1 begin
5 label_value => 'L3:R1,R2');
6* end;
SQL> /

SQL> ed
1 begin
5 label_value => 'L2:R1');
6* end;
SQL> /
SQL> ed
1 begin
6* end;
SQL> /
SQL> ed
1 begin
6* end;
SQL> /

SQL> ed
1 begin
6* end;
SQL> /
Then after I have remove the table policy

SQL> ed
1 begin
2 SA_POLICY_ADMIN.REMOVE_TABLE_POLICY(
3 'St846_lp',
4 'ST846_SEC',
5 'CUSTOMERS');
6* end;
SQL> /
Then after I have update the labels again with compartment details.
SQL> ed
1 update customers
2 set st846_lbl = char_to_label('st846_lp', 'L1:R1')
3* where cust_type = 'SILVER' and region = 'REGION 1'
SQL> /
3 rows updated.
SQL> ed
1 update customers
3* where cust_type = 'SILVER' and region = 'REGION 2'
4 /
2 rows updated.
SQL> ed
1 update customers
3* where cust_type = 'GOLD' and region = 'REGION 1'
4 /
2 rows updated.
SQL> ed
1 update customers
3* where cust_type = 'GOLD' and region = 'REGION 2'
4 /
3 rows updated.
SQL> ed
1 update customers
2 set st846_lbl = char_to_label('st846_lp', 'L1:R1,R2')
3* where cust_type = 'PLATINUM'
4 /
5 rows updated.
SQL> commit;
Commit complete.
Then I have applied the table policy to the customers table.

SQL> ed
1 begin
2 SA_POLICY_ADMIN.APPLY_TABLE_POLICY (
3 policy_name => 'ST846_LP',
4 schema_name => 'ST846_SEC',
5 table_name => 'customers',
6 table_options => 'READ_CONTROL');
7* end;
SQL> /

Then after I have set the labels to my accounts (st846,st846a,st846b,st846c).
SQL> ed
1 BEGIN
2 SA_USER_ADMIN.SET_USER_LABELS('st846_lp','ST846','L3:R1,R2');
3 SA_USER_ADMIN.SET_USER_LABELS('st846_lp','ST846A','L2:R1');
4 SA_USER_ADMIN.SET_USER_LABELS('st846_lp','ST846B','L2:R2');
5 SA_USER_ADMIN.SET_USER_LABELS('st846_lp','ST846C','L1:R1');
6 SA_USER_ADMIN.SET_USER_LABELS('st846_lp','DS68','L1:R2');
7* END;
SQL> /
Then after I have checked the customer table from my different accounts.
ST846
ST846A
ST846B
ST846C
.
Part 1
Implementation labels with levels
Part 2
Testing
Part 3
Compartments
Personal evaluation
Learn about the DBA roles about managing the data’s
Learn about how to define levels and labels
Learn about how to assign users to the labs
Under stand the compartment facility available for the data classification in
oracle.
From this lab session I have learn about the oracle label security facility and how we can
use it for data classification .Understand the hierarchical structure of the information
assets and assign to appropriate users level is one of the DBA roles , I have clearly gain
knowledge about this steps in typical organization. Labels security one of the advanced
security feature in oracle system.
Part 2 Information Control Topics
1. Data classification & Processing Issues
1. Advantages of addressing security during System Development process
Computer security plan can be developed for a system at any point in the life cycle, but it
is highly recommended approach is to concern at the beginning of the software
development life cycle (SDLC). Like other aspect of a system development, security also
best managed if it is planned throughout the SDLC. It is estimated adding security feature
at the later stage of the SDLC will cost more than ten times than concern at the initial
stages. The main reason for adding security feature to the system during the Software
development is that it is more difficult to implement it later. Adding security control to
the system after the security breach can be more expensive and less effective than the
security already integrated system. Security concern at the early stage of the software
development help to develop a security plan for the development process, and these plan
are a form of a documentation that help to ensure security consideration not only in the
development but also throughout the development. Involving security early in the SLDC
results happier business customer, no cost overruns due to late security designs, which
will make system security that is thoughtful, reasonable and appropriate.
2. Advantages of addressing security after System has been built
The software requirement may rapidly change during the development process, the
security of the system also similar to the requirement changes. The security concern at
the initial development of a system might change at the implementation of System phase
so security likely to be continuing after the system has been built. In software
development processes identifying the security requirements at the initial step are really
hard because the requirements are vague but in the final stage we can identify the security
requirement with customer’s expectation. Another important issue is some time due to
the security concern at the early stage of the development we have to repeat the unwanted
security issues repetitively which make time consume and cost as well.
3. Consultant’s Reasoned Opinion on Course of Action to Be Taken
Therefore the possible approach is security must be included as early as requirement

analyse phase, this will help to decision makers to retain the security focus throughout the
system development .Possibly security assessment of the proposed system can be
contacted in the initial stages. During the design phase thread modelling provides the
necessary security controls to be built in the system. In the testing phase we can conform
the security requirement with system assurance and system operation. Finally the
implementation phase to check actually the system meets the security requirement
expected by the business customers. So this possible way of integrating the security into
the system development.
2. Data Integrity Issues
1)
ISBN number is 0-563-48701-1 (The book ‘The MindMap by Tony Buzan )
Apply 11 modulus Check Digits to the Number.
Step1 Read 0 5 6 3 4 8 7 0 1 1
Step2 Assign the Weightings 10 9 8 7 6 5 4 3 2 1
Step3 Multiply digit by weight 0 45 48 21 24 40 28 0 2 1
Step4 Add Result 209 = (45 +48+21+24+40+28+2+1)
Step5 Apply modulo 11 209/11 = 19 (No reminder )
The reminder is zero therefore digits correctly entered.

2)
ISBN number is 0-471-38490-8 (The book ‘E-commerce and the Future of Business’ by David
Chadwick)
Apply 11 modulus Check Digits to the Number.
Step1 Read 0 4 7 1 3 8 4 9 0 8
Step3 Multiply digit by weight 0 36 56 7 18 40 16 27 0 8
Step4 Add Result 208 = (36 +56+7+18+40+16+27+8)
Step5 Apply modulo 11 208/11 = 18 (10 reminder )
The reminder is not zero (there are 10 remaining after you have divided the added value
by eleven) therefore the sales personal has entered the value incorrectly.
3)
Check the possibility of the ISBN number
Step1 Read 0 4 7 1 3 8 4 9 0 _
Step3 Multiply digit by weight 0 36 56 7 18 40 16 27 0 ?
Step4 Add Result 200 = (36 +56+7+18+40+16+27)
What is the next above

Step5 multiple of above 200 209
Step5 Calculate the check 0 4 7 1 3 8 4 9 0 9

digit As
(2009-200=9)
Therefore the correct ISBN number for the David Chadwick

‘E-commerce and the Future of Business’ book ‘ISBN number is 0-471-38490-9
3. Data Confidentiality
US- EU Safe Harbor
European Union Detectives on Data Protection (95/46/EU) prohibit the transfer of

personal data to Non- European nation that do not have equivalent privacy protection.
However united state approach to protection of their citizen privacy is far more different
to European Union nations. In order to bridge these privacy protections and provide
streamlined process for US companies to comply with the EU detectives, The US
department of commerce in consultation with the European commission developed the
Safe harbour frame work.
Safe harbour intended for the organization within the US or EU and provide prevent to
accidental information disclosure or loss of customers data. US companies can opt into
the programme as long as they adhere to the principles outline in the Directives.
Safe harbour principles are
1. Notice – Individual must be informed that their data is being collected and about
how it will be used
2. Choice – Individual must have the ability to opt out of the collection and forward
transfer of the data to third parties.
3. Onward Transfer- Transfer of data to third parties may only occur to other
organizations that follow adequate protection principles.
4. Security – Reasonable efforts must be made to prevent loss of collected
information.
5. Data Integrity – Data must be relevant and reliable for the purpose it was
collected for.
6. Access – Individual must be able to access information held about them, and
correct or delete if it is inaccurate.
7. Enforcement – There must be effective means of enforcing these rules.
The company wants to qualify for the safe harbor need to evaluate them self with safe
harbor requirement and can joint the agreement. Before joining the safe harbor, company
has to take following steps
1. Have to read the safe harbor overview and the benefits of joining it.
2. have to read the safe harbor document
3. Review the safe harbor workbook.
4. Review self certifying to comply with safe harbor.
Responsibility after decided to joint the safe harbor, The Company should;
1. Bring the company polices and practices into compliance with a safe harbor
requirements.
2. Verify that the company has done so far.
3. Wish to assure your company benefits, review the information required for
certification.
After the company information has been reviewed for completeness, the company can
acquired the certification from US Department of Commerce. This certification has to be
reconfirming annually by Department of Commerce United State.
4. Data Availability
The digital photo of young women with a flower is made up of 4m pixels.
01) IF the individual pixel colour is stored in 2byte then how many shade of colour
can be recorded for any pixel.
00000000 00000000 -Pure Black
11111111 11111111 -Pure White
1+2+8+16+32+64+126+256+512+1024+2048+
02) If each character is stored in one byte how many bits long is the message
ThisphotoisthecopyrightofphotographerDavidChadwick
Each character is stored in one byte is =50 character
Therefore byte in this message is = 50 bytes.

(Each character is stored in one byte)
However
1 byte = 8 bit
So,
Total bit in this message is =50 x 8
= 400 bits.
03) If twenty identical messages as in are to be stored as watermarks evenly
distributed throughout the picture then the sampling factor.
Number of messages stored in the picture = 20
The total bit each message contain in the picture = 400 bit
So,
Total bit stored as watermarks throughout the picture = 20x 400

=8000 bits.
Sampling factor = Number of pixel available for hiding

Total number of pixel
Therefore = 20 x 400
4,000,000
=0.002
04)
Gutty images can sue the unlicensed holders of the image under the UK Copy Right,
Design, and Patents Act .The law restrict to take a copy of the image and issue the
public. If Gutty image prove the similarity in the watermarking (Steganography
algorithm) of the image they can possibly win in the case. So this is successful way to
prevent pirated copy of images. It is extremely difficult to identify their watermarking
in a picture because the human eyes barely detect the difference.
Conclusion
From Information security & control subject I have learn the imports of protecting the
data assets. The theory part of this subject explain about the information security concept
CIA (confidentially, integrity, Availability) clearly and as well as the information hiding
methods and law enforcement in UK for data protection .The oracle practical are
excellent I have learn the oracle facilities for Information assets protection .I have learn
about oracle security concepts about user privileges, Fine-grained access controls, virtual
private database and label security. The forum is very useful for this subject and I would
like to say thanks to Sean for his help during this practical session.

Information, Security & Control: (COMP 1476)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Information, Security & Control: (COMP 1476)

Uploaded by

Copyright:

Available Formats

Information, Security & Control

By: - Shanmugam Thevapriyan

Part 1 Oracle/Database Topics

Database security Controls……………………………………….

Find-grained access controls using views…………………………

Virtual private Databases………………………………………….

Oracle Label Security………………………………………………

Part 2 Information Control Topics

Data classification and Processing Issues………………………….

Data Integrity Issues………………………………………………..

Data Confidentiality/Privacy Issues…………………………………..

Data Availability Issues……………………………………………….

Security Controls, Users Password Control & Privileges

I have used the following query to change my account password.

Now I can able to access my secondary users as well.

SQL> ALTER USER st846B PROFILE isc_limit2;

SQL> ALTER USER st846C PROFILE isc_limit3;

Display the profile from the DBA_profile point of view.

Then after I have inserted another data into student table.

Granting the insert privileges to my secondary account (st846A) from my main

Commit the changes to student table.

Display the student’s table data from secondary account

Then after I have added student mode to currentstudents view.

Grant the update privileges to some column in currentstudent view to my secondary

Then after I commit the changes.

Display the updated currentstudent view from my secondary account.

Display the main schema from my secondary account.

Checking the object privileges from my security account.

TNAME TABTYPE CLUSTERID

Dictionary view from main account.

The use the dictionary view for my account.

Find out the account created.

USERNAME USER_ID ACCOUNT_STATUS

Check the existence of user’s privileges.

USERNAME GRANTED_ROLE ADM DEF OS_

Connecting to security account.

Check the Security account user’s privileges.

USERNAME GRANTED_ROLE ADM DEF OS_

USERNAME USER_ID ACCOUNT_STATUS

Check the user_tab_privs.

SQL> select * from all_tables;

select * from user_tab_privs_made;

SQL> select * from user_tab_privs_recd;

SQL> select * from user_col_privs;

SQL> desc user_tab_privs;

Learn about user profile and understand the profile limits.

Password Control Tests -

Password Limits (specify) -

Table Access Privilege Experiments -

View Access Privilege Experiments -

Dictionary Information (Privileges) -

Optional work (specify) -

List of queries used is available -

Fine-grained Access Control Using Views

I have created the table guides by following commands.

I have created the TOURS table through the following commands

1 CREATE TABLE BOOKINGS

Wrote file afiedt.buf

I have entered sample value to bookings table by following methods.

Check the guides table.

Check the tours table

Check the tours bookings table

1 create view requirenment1 as select