Oracle® Database Vault Administrator's Guide
10g Release 2 (10.2)

Part Number B25166-04
6 Configuring Rule Sets

This chapter describes how to create and manage rule sets and the rules within them. It includes the following sections:

6.1 What Are Rule Sets?

A rule set is a collection of one or more rules that you can associate with a realm authorization, factor assignment, command rule, or secure application role. The rule set evaluates to true or false based on the evaluation of each rule it contains and the evaluation type (All True or Any True). A rule within a rule set is a PL/SQL expression that evaluates to true or false. You can create a rule and add the rule to multiple rule sets.

You can use rule sets to accomplish the following activities:

When you create a rule set, Oracle Database Vault makes it available for selection when you configure the authorization for a realm, command rule, factor, or secure application role.

You can run reports on the rule sets that you create in Oracle Database Vault. See "Related Reports" for more information.

This chapter explains how to configure rule sets by using Oracle Database Vault Administrator. To configure rule sets by using the PL/SQL interfaces and packages provided by Oracle Database Vault, refer to the following appendixes:

6.2 Creating a Rule Set

In general, to create a rule set, you first create the rule set itself, and then you edit the rule set, create and immediately associate a new rule with the rule set, add existing rules to the rule set, or delete a rule association from the rule set. You also can create the rule set without any rules to use as a template for future rule sets.

See also the following sections:

To create a rule set:

  1. Log in to Oracle Database Vault Administrator using a database account that has been granted the DV_OWNER role.

    At a minimum, the account must have the DV_ADMIN role. "Starting Oracle Database Vault Administrator" explains how to log in.

  2. In the Administration page, under Database Vault Feature Administration, click Rule Sets.

  3. In the Rule Sets page, click Create.

  4. In the Create Rule Set page, enter the following settings, and then click OK:

General

Enter the following settings:

Audit Options

Select from the following options to determine when an audit record is created for the rule set. This attribute is mandatory. The settings are:

The Oracle Database Vault audit trail contains the fields Rule_Set_Name and Rule_Set_ID. These fields are populated when a rule set is associated with a realm authorization and a command authorization, and the rule set is configured to audit under some circumstances.

See Appendix A, "Auditing Policies" for more information. Table A-2, "Audit Trail Format" lists the information that is audited.

Error Handling Options

Enter the following settings to control the messaging to the database session when the rule set evaluates to false or one of the associated rules contains an invalid PL/SQL expression:

After you create a rule set, you are ready to create rules to attach to the rule set. To do so, you edit the new rule set, and then define its rules.

6.3 Editing a Rule Set

To edit a rule set:

  1. In the Oracle Database Vault Administration page, select Rule Sets.

  2. In the Rule Set page, select the rule set that you want to edit.

  3. Click Edit.

  4. Modify the rule set as necessary, and then click OK.

See Also:

6.4 Creating a Rule to Add to a Rule Set

After you create a new rule set, you can associate it with one or more rules. When you create a new rule, it is automatically added to the current rule set. You also can add existing rules to the rule set. Alternatively, you can omit adding rules to the rule set and use it as a template for rule sets you may want to create in the future.

The rule set evaluation depends on the evaluation of its rules using the Evaluation Options (All True or Any True). If a rule set is disabled, Oracle Database Vault evaluates the rule set to true without evaluating its rules.

6.4.1 Creating a New Rule

To create and add a rule to a rule set:

  1. In the Oracle Database Vault Administration page, select Rule Sets.

  2. In the Rule Sets page, select the rule set to which you want to create and add a rule, and then select Edit.

  3. In the Edit Rule Set page, scroll down to Rules Associated To The Rule Set and select Create.

  4. In the Create Rule page, enter the following settings:

    • Name: Enter a name for the rule. Use up to 90 characters in mixed case.

    • Rule Expression: Enter a PL/SQL expression that fits the following requirements:

      • It is valid in a SQL WHERE clause.

      • It can be a freestanding and valid PL/SQL Boolean expression such as the following:

        TO_CHAR(SYSDATE,'HH24') = '12'
        
        
      • It must evaluate to a Boolean (TRUE or FALSE) value.

      • It must be no more than 255 characters long.

      • It can call existing, compiled PL/SQL functions from the current database instance. Fully qualify each function (schema.function_name). Do not include complete SQL statements. For example:

        SYS.CLIENT_IP_ADDRESS
        
        

        If you want to use application package functions or standalone functions, you must grant the DVSYS account the EXECUTE privilege on the function, because the rule set is evaluated by DVSYS. A rule that calls a function DVSYS cannot execute is an invalid expression and is handled by the rule set's Error Handling Options.

      See the following sections for functions that you can use in the rule set expression:

      See also the rule defined in the rule sets provided with Oracle Database Vault for example expressions. "Default Rule Sets" lists these rule sets.

  5. Click OK.

    The Edit Rule Set page appears. By default, the new rule is added to the rule set.

Editing a Rule

To edit a rule:

  1. In the Edit Rule Set page, scroll to Rules Associated To The Rule Set.

  2. Select the rule you want to edit and click Edit.

  3. In the Edit Rule page, modify the rule as necessary.

  4. Click OK.

Removing a Rule from a Rule Set

Before you remove a rule from a rule set, you can locate the various references to it by querying the rules-related Oracle Database Vault views. See "Oracle Database Vault Public Views" for more information.

To remove a rule from a rule set:

  1. In the Edit Rule Set page, scroll to Rules Associated To The Rule Set.

  2. Select the rule you want to delete and click Remove.

  3. In the Confirmation page, click Yes.

After you remove the rule from the rule set, it still exists and is available to be associated with other rule sets. If you want to delete the rule, use the DVSYS.DBMS_MACADM.DELETE_RULE function, described in "Rule Set Functions Within DVSYS.DBMS_MACADM".

6.4.2 Adding Existing Rules to a Rule Set

To add existing rules to a rule set:

  1. In the Rule Sets page, select the rule set that you want to add rules to, and then select Edit.

  2. Under Rules Associated To The Rule Set, select Add Existing Rules.

  3. In the Add Existing Rules page, select the rules you want, and then click Move (or Move All, if you want all of them) to move them to the Selected Rules list.

    You can select multiple rules by holding down the Ctrl key as you click each rule.

  4. Click OK.

6.5 Deleting a Rule Set

Before you delete a rule set, you can locate the various references to it by querying the rules-related Oracle Database Vault views. See "Oracle Database Vault Public Views" for more information.

To delete a rule set:

  1. If other Database Vault objects, such as command rules, reference the rule set, then remove the reference.

    You can delete a rule set only if no other Database Vault objects are referencing it.

  2. In the Oracle Database Vault Administration page, select Rule Sets.

  3. In the Rule Set page, select the rule set that you want to remove.

  4. Click Remove.

  5. In the Confirmation page, click Yes.

    The rule set is deleted. However, the rules associated with the rule set are not deleted.

6.6 How Rule Sets Work

Oracle Database Vault evaluates the rules within a rule set as an unordered collection of expressions, so a rule must not depend on another rule in the same set having been evaluated first. If you have set Evaluation Options to All True and a rule evaluates to false, then the evaluation stops at that point instead of evaluating the remaining rules in the rule set. Similarly, if Evaluation Options is set to Any True and a rule evaluates to true, the evaluation stops at that point. If a rule set is disabled, Oracle Database Vault evaluates it to true without evaluating its rules; any realm authorization, command rule, factor assignment, or secure application role that depends on the disabled rule set is therefore permitted unconditionally.

6.7 Example of How Rule Sets Work

In the following example, the Can Maintain Tables rule set has been created to control when table objects can be created, altered, or dropped. In Oracle Database Vault Administrator, Can Maintain Tables has the following settings:

The secmanager.raise_security_alert event handler can raise a security alert to a set of pagers, or it can be used to integrate Oracle Database Vault with existing systems that provide security monitoring.

To complete the rule set, you can create one or more rules to associate with the rule set. For example:

You can use rule sets with realms, command rules, factors, and secure application roles. For example, to restrict a DROP TABLE statement on any table in the BIZAPP schema to execute only on the corporate network between 10:00 p.m. and 10:59 p.m., you could create a command rule that uses the Can Maintain Tables rule set. Figure 6-1 shows how to create this command rule.

Figure 6-1 Rule Set Used in Command Rule

Command rule using rule set
Description of "Figure 6-1 Rule Set Used in Command Rule"

With this command rule in place, a database administrator can be prevented from intentionally or accidentally destroying data assets outside the security policy constraints.

Example 6-1 illustrates what happens when a database administrator attempts to destroy data outside the security policy constraints.

Example 6-1 Database Administrator Attempting to Destroy Data

SQL> CONNECT SYSTEM
Enter password: password
Connected.
SQL> DROP TABLE bizapp.accounts_payable;
ERROR at line 1:
ORA-01031: insufficient privileges
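The following PL/SQL block is an added example, not code from the guide. It builds the Can Maintain Tables rule set of this section through the DVSYS.DBMS_MACADM interface instead of through Oracle Database Vault Administrator, adds the two rules the scenario needs (maintenance hour and corporate network), and binds the rule set to a DROP TABLE command rule covering every table in the BIZAPP schema. Assumptions not stated on the page: the corporate network is 192.0.2.0/24, the rule names, the fail code, and the audit, error-handling and event-handler values (the page does not list the settings of Can Maintain Tables, and wiring the secmanager.raise_security_alert handler is left out). The procedure parameter names and DVSYS.DBMS_MACUTL constants are those documented for this release under "Rule Set Functions Within DVSYS.DBMS_MACADM"; check them against that appendix before running.

```sql
-- Added example. Run as an account granted DV_OWNER, for example in SQL*Plus.
-- Assumed (not from the page): 192.0.2.0/24 is the corporate network,
-- fail code 20461 is an arbitrary value in the range Database Vault accepts.
BEGIN
  -- 1. The rule set: All True, audit when it evaluates to false, show the
  --    failure message to the session, no custom event handler.
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Can Maintain Tables',
    description     => 'Table DDL only from the corporate network, 22:00-22:59',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Table maintenance is not permitted at this time or from this network',
    fail_code       => 20461,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  -- 2. Two rules. Each is a Boolean PL/SQL expression that is valid in a
  --    WHERE clause, under 255 characters, with no complete SQL statement.
  --    Quotes inside the expression are doubled because it is a string literal.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Maintenance Hour',
    rule_expr => 'TO_CHAR(SYSDATE,''HH24'') = ''22''');

  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Corporate Network',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') LIKE ''192.0.2.%''');

  -- 3. Associate both rules with the rule set. Rule order is not used in
  --    evaluation (rules are an unordered collection); with All True,
  --    both must hold in the same session.
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Can Maintain Tables',
    rule_name     => 'Is Maintenance Hour',
    rule_order    => 1);
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Can Maintain Tables',
    rule_name     => 'Is Corporate Network',
    rule_order    => 2);

  -- 4. Enforce the rule set through a command rule on DROP TABLE for every
  --    table in BIZAPP ('%' is the object-name wildcard).
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Can Maintain Tables',
    object_owner  => 'BIZAPP',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/

-- Verify what was created through the Database Vault public views
-- (view and column names as documented in "Oracle Database Vault Public Views").
SELECT rule_set_name, rule_name, rule_expr, enabled
  FROM DVSYS.DBA_DV_RULE_SET_RULE
 WHERE rule_set_name = 'Can Maintain Tables';

SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE rule_set_name = 'Can Maintain Tables';
```

With these settings a DROP TABLE on a BIZAPP table proceeds only when the session comes from the assumed network range during the 22:00 hour; any other attempt sees the failure message and, because Audit Options is set to audit on failure, leaves a record in the Database Vault audit trail with Rule_Set_Name populated. The two rules use only SYS_CONTEXT and TO_CHAR, so no EXECUTE grant to DVSYS is needed; a rule that called a custom function would require one.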

6.8 Default Rule Sets

By default, Oracle Database Vault provides the following selections for rule sets:

6.9 Guidelines for Designing Rule Sets

Follow these guidelines for designing rule sets:

6.10 How Rule Sets Affect Performance

In general, the more rules a rule set contains, and the more complex those rules are, the more it slows the operations it governs. For example, if a rule set that governs a SELECT statement contains a very large number of rules rather than a single rule, performance could degrade significantly.

If a rule set requires many conditions, performance improves if you move all of them into logic defined in a single PL/SQL standalone or package function and reference that function from one rule.

Reusing one rule across several rule sets, by contrast, has little effect on performance.
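As an added example of that advice (not code from the guide), the following PL/SQL consolidates the per-condition rules of the Can Maintain Tables rule set from "Example of How Rule Sets Work" into one standalone function, grants DVSYS the EXECUTE privilege that the rule expression requirements call for, and replaces the individual rules with a single rule that calls the function. The SECMGR schema, the function name, the 192.0.2.0/24 network range, the BIZAPP_DBA user and the names of the rules being replaced are assumptions; the rule set itself is assumed to exist already.

```sql
-- Added example. SECMGR is an assumed security-owner schema (not from the page).
-- The function holds every condition that would otherwise be its own rule and
-- returns 1 for TRUE and 0 for FALSE, so the rule expression stays Boolean.
CREATE OR REPLACE FUNCTION secmgr.can_maintain_tables RETURN NUMBER
AS
BEGIN
  IF  TO_CHAR(SYSDATE, 'HH24') = '22'                                  -- maintenance hour
  AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') LIKE '192.0.2.%'           -- assumed corporate range
  AND SYS_CONTEXT('USERENV', 'SESSION_USER') = 'BIZAPP_DBA'           -- assumed maintenance account
  THEN
    RETURN 1;
  END IF;
  RETURN 0;
EXCEPTION
  -- Fail closed: an unexpected error inside the check must deny, never allow.
  WHEN OTHERS THEN
    RETURN 0;
END;
/

-- The rule set is evaluated by DVSYS, so DVSYS must be able to execute the function.
GRANT EXECUTE ON secmgr.can_maintain_tables TO DVSYS;

BEGIN
  -- Remove the per-condition rules from the rule set (assumed names). The rules
  -- themselves still exist afterwards and could be reused by other rule sets.
  DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
    rule_set_name => 'Can Maintain Tables',
    rule_name     => 'Is Maintenance Hour');
  DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
    rule_set_name => 'Can Maintain Tables',
    rule_name     => 'Is Corporate Network');

  -- One rule with a fully qualified function call replaces them. The expression
  -- is valid in a WHERE clause and contains no complete SQL statement.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Can Maintain Tables Check',
    rule_expr => 'SECMGR.CAN_MAINTAIN_TABLES = 1');
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Can Maintain Tables',
    rule_name     => 'Can Maintain Tables Check',
    rule_order    => 1);
END;
/
```

The rule set now has one expression to evaluate per governed statement instead of one per condition, and new conditions are added by editing the function rather than by adding rules. The WHEN OTHERS handler returns 0 so that a runtime error in the check denies the command outright instead of relying on the rule set's Error Handling Options, which is the behaviour a security predicate should have.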

You can check system performance by running tools such as Oracle Enterprise Manager (including Oracle Enterprise Manager Database Control, which is installed by default with Oracle Database), Statspack, and TKPROF. For more information about Oracle Enterprise Manager, see the Oracle Enterprise Manager documentation set. For information about Database Control, refer to its online Help. Oracle Database Performance Tuning Guide describes the Statspack and TKPROF utilities.

6.11 Related Reports

Table 6-1 lists Oracle Database Vault reports that are useful for analyzing rule sets and the rules within them. See Chapter 9, "Generating Oracle Database Vault Reports" for information about how to run these reports.

Table 6-1 Reports Related to Rule Sets

    • "Rule Set Configuration Issues Report": finds rule sets that have no rules defined or enabled.

    • "Secure Application Configuration Issues Report": finds secure application roles that have incomplete or disabled rule sets.

    • "Command Rule Configuration Issues Report": finds command rules whose rule sets are incomplete or disabled.