首页 > Linux操作系统 > Linux操作系统 > Using Oracle Database Vault 10gR2 With Apps 11i

Using Oracle Database Vault 10gR2 With Apps 11i

原创 Linux操作系统 作者:chen_7733 时间:2008-03-27 18:04:29 0 删除 编辑

I'm very pleased to announce that Oracle Database Vault 10gR2 is certified with the E-Business Suite Release 11i.  I've been working on this certification for the last year. In this article I will give you some insight into how Oracle E-Business Suite Release 11i can be configured to use Oracle Database Vault features to protect sensitive transactional data from powerful users like Apps DBAs.

What is Oracle Database Vault?

A key challenge for security administrators is protecting enterprise data from insider attacks.  Oracle Database Vault is an optional database feature that can help you defend against that class of threats, as well as build internal controls to help meet regulatory requirements for privacy and segregation of duties.

Oracle Database Vault can prevent highly privileged users, including powerful application DBAs and others, from accessing sensitive applications and data in Oracle databases outside their authorized responsibilities. You can use customizable Realms and rules to ensure that users, even administrators, have access only to what they need to do their job.

Database Vault example: Diagram showing how Database Vault prevents a privileged DBA user from accessing application data, while allowing the authorized Realm owner to access the same data

The figure above illustrates how Oracle Database Vault addresses the following database security concerns:
  • Administrative privileged account access to application data: In this case, Oracle Database Vault prevents the DBA from accessing the schemas that are protected by the FIN Realm. Although the DBA is the most powerful and trusted user, the DBA does not need access to application data residing within the database.
  • Separation of duties for application data access: In this case, the FIN Realm Owner, created in Oracle Database Vault, has access to the FIN Realm schemas.
Protecting Database Objects With Realms and Rules

Oracle Database Vault uses Realms to set up boundaries around set of objects in specific schemas; specific conditions must be met to access data protected by those boundaries. Realms specify a set of conditions that must be met before a given command can be executed on a set of database objects.

This provides very granular control over what can be done to certain objects, and by whom. You can define rules to restrict access based on business-specific factors such as data access connections from particular database, from a particular machine, and from specific IP addresses.  You can also specify the time of day or authentication modes for data access.

For details about various Oracle Database Vault Realms and customizable rules, see:
Minimum Requirements
Additional interoperability patches are also required. For complete details, see:
Preseeded Realms for the E-Business Suite

Oracle delivers a set of preseeded Database Vault Realms for your E-Business Suite Release 11i environment via the following patch:
This patch contains the master fnddvebs.sql script. The fnddbvebs.sql script. creates Realms around Oracle E-Business Suite 11i product schemas and gives authorization only to those users required to allow the Oracle E-Business Suite to function normally.

The fnddvebs.sql script. creates six Realms. Each realm protects different product schemas and has its own set of user authorizations.
  • EBS Realm
  • EBS Realm - Applsys Schema
  • EBS Realm - Applsyspub Schema
  • EBS Realm - Apps Schema
  • EBS Realm - MSC Schema
  • CTXSYS Data Dictionary
Oracle Supplied Ebiz 11i Realms: Screenshot of Database Vault 10g Realms definition screen, with pre-seeded Realms for the E-Business Suite Release 11i displayed

Extending Oracle-Supplied Realms

Oracle strongly recommends against modifying the preseeded Oracle-supplied Realms for the E-Business Suite. If you're familiar with the E-Business Suite data model, you can create your own realms and secure additional objects as needed. Improperly defined Realms can prevent the E-Business Suite from functioning normally, so careful testing of your custom Realms is advisable.

Metalink Note 428503.1 has a detailed example of extending Oracle E-Business suite 11i realms.

Key Considerations About Realms

The preseeded Realms are not intended to provide:
  1. Protection from user logged into the SYSTEM schema
  2. Protection during Application mid tier patching
Related Articles

来自 “ ITPUB博客 ” ,链接:,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录


  • 博文量
  • 访问量