DBMS_RLS를 이용한 FINE GRANED ACCESS CONTROL (FGAC)의 개념 및 사용방법 (8I ~ 10G)

Similar Messages

• FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징

  제품 : ORACLE SERVER
  작성날짜 : 2005-11-24
  FINE GRAINED ACCESS CONTROL(FGAC)를 위한 DBMS_RLS.ADD_POLICY의 VERSION별 특징
  =======================================================================
  PURPOSE
  row leve의 security 및 context관리 방법인 FGAC에 대한 간단한 개념 및 사용방법은
  <bul 23026>에 제시하였다.
  이 문서에는 FGAC를 위한 dbms_rls package의 8i ~ 10g까지의 version별 특징을
  정리하며, STATIC_POLICY와 POLCICY_TYPE parameter에 대해서는 예제를 이용하여
  자세히 살펴보도록 한다.
  Explanation & Examples
  dbms_rls.add_policy를 사용할 때 일반적으로 주는 value값의 예제는 다음과 같다.
  이중 대부분은 default값을 이용하여, 일반적으로는 앞의 5개의 parameter만
  value를 주면 된다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  > object_schema => 'SCOTT', -
  > object_name => 'EMP', -
  > policy_name => 'POL1', -
  > function_schema => 'SYS', -
  > policy_function => 'PREDICATE', -
  > statement_types => 'SELECT', -
  > static_policy => false, -
  > policy_type => DBMS_RLS.DYNAMIC
  > long_predicate => false);
  1. FGAC의 version별 특징
  (1) sec_relevant_cols/sec_relevant_cols_opt : 10G
  위에 기술한 add_policy procedure의 parameter외에 10g에서 추가된
  parameter로 다음 두 parameter가 존재한다.
  이 parameter는 해당되는 column이 조회될때만 policy가 작동하게 하기 위한
  것으로 metalink.oracle.com site에서 <Note 250795.1> 를 살펴보면 사용 방법
  및 예제를 확인 가능하다.
  - sec_relevant_cols
  - sec_relevant_cols_opt
  (2) long_predicate : 10G
  default는 false이며, true로 지정하는 경우 predicate이 4000 bytes이상이
  될 수 있다.
  (3) statement_types : 10G부터 INDEX type추가
  9i까지는 SELECT, INSERT, UPDATE, DELETE에 대해서는 FGAC를 적용할 수
  있었으나, 10g부터는 INDEX type도 지정 가능하다.
  index를 지정하는 경우, function-based index 생성을 제한할 수 있으며,
  자세한 예제는 metalink.oracle.com site에서 <Note 315687.1>를 조회하여
  확인할 수 있다.
  (4) EXEMPT ACCESS POLICY 권한 : 9i
  특정 user가 모든 fine-grained access control policy의 영향을 받지
  않도록 하려면 exempt access policy권한을 grant하면 되며, 이것은 9i부터
  소개되었다.
  SQL> grant exempt access policy to scott;
  와 같은 방식으로 권한을 부여하면 되며, 이에 대한 자세한 예제는
  metalink.oracle.com site에서 <Note 174799.1>를 통해 확인 가능하다.
  (5) synonym에 대한 policy설정 : 9.2
  synonym에 대해서 VPD (Virtudal Private Database)에 대한 policy를 설정하는
  것이 가능해 졌으며 이에 대해서는 metalink.oracle.com에서 <Note 174368.1>를
  조회하여 자세한 방법 및 예제를 살펴볼 수 있다.
  (6) static_policy : 8.1.7.4
  static_policy paramter는 8i에는 없던 것으로 9i에서 도입되면서, 8.1.7.4에도
  반영되었다. default값은 false이며, 8173까지는 항상 false인 형태로 동작한다.
  즉, policy function이 매번 object를 access할때마다 실행된다.
  8.1.7.4부터는 이 parameter를 true로 설정할 수 있는대, 이렇게 되면
  해당 session에서 policy function이 한번 실행되고 그 function이 shared pool에
  cache되어 있으면 재실행없이 그대로 사용된다.
  10g부터는 (7)번에 설명하는 policy_type parameter가 추가되어,
  이 parameter에 true로 지정하는 대신, static_type은 false로 두고,
  policy_type을 dbms_rls.static 으로 지정하면,
  9i와 8174에서 static_policy를 true로 한것과 같은 결과가 나타난다.
  (7) policy_type: 10g
  다음과 같이 5가지 value가 가능하며, 이 중 default는 dynamic이다.
  - STATIC
  policy fuction에 포함된 predicate이 runtime환경에 따라 다른 결과를 내지
  않는 경우 사용하게 된다. 예를 들어 sysdate의해 다른 결과를 return하는
  경우에는 사용하면 사용하면 문제가 될 수 있다.
  static을 사용하는 경우 policy function은 한번 실행되어 SGA에 올라온 다음
  이후 같은 session에서 같은 object를 사용시에는 재실행 없이 해당 predicate의
  결과를 그대로 사용한다.
  - SHARD_STATIC
  STATIC과 같으나, 이 값은 다른 object에 대해서도 같은 predicate function이
  사용되는 경우, 먼저 cache된 predicate을 찾아서 있으면 그 값을 이용한다.
  STATIC의 경우는 다른 object 사이에서는 공유하지 않으며 같은 object에
  대해서만 cache된 값을 사용한다.
  - CONTEXT_SENSITIVE
  한 session에서 context가 변경되면 그때 predicate를 재 실행시킨다.
  WAS(web application server)를 사용하는 경우 connection pooling방법을
  기본적으로 사용하는대, 이 경우 하나의 session을 여러 사용자가 이어서
  교대로 사용하는 방식이 된다. 이 경우 middle tier단에서 context를 설정해
  주면 context가 변경될때마다 predicate를 새로 실행시켜 변경된 sysdate나
  session_user등의 값을 다시 계산하게 되는것이다.
  jdbc에서 context설정에 관한 예제는 metalink.oracle.com에서
  <Note 110604.1>에서 확인가능하다.
  - SHARED_CONTEXT_SENSITIVE
  context_sensitive와 동일하며, 단 shared_static과 마찬가지로 여러 object에
  대해서 같은 predicate을 사용하는 경우 다른 object에 대한 같은 predicate이
  cache되어 있는지를 먼저 살펴본다.
  존재하면 session private application context가 변경되기 전까지 그 predicate의
  결과를 그대로 사용한다.
  - DYNAMIC
  이 값이 default값이다. 즉, predicate function이나 시스템이나 환경에
  영향을 받는다고 판단하여 statement가 실행될때마다 매번 predicate function을
  재 실행하여 환경에 맞는 값을 return하여 준다.
  아래에서 sysdate 값에 따라 다른 결과를 return하게 되어 있는
  predicate을 이용한 예제를 통해 정확한 메카니즘을 확인한다.
  2. static_policy 및 policy_type의 value에 따른 policy function의 작동예제
  (a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
  (1) 기존에 pol1 policy가 존재하는 경우 다음과 같이 drop시킨다.
  SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
  (2) 다음과 같이 predicate function을 scott user로 만들어둔다.
  SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
  2 return varchar2 is d_predicate varchar2(2000);
  3 begin
  4 if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI')<'05' then
  5 d_predicate := 'ename = sys_context (''USERENV'' , ''SESSION'');
  6 else d_predicate := 'sal>=3000';
  7 end if;
  8 return d_predicate;
  9 end predicate;
  10 /
  (3) pol1을 새로 add시킨다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  object_schema => 'SCOTT', -
  object_name => 'EMP', -
  policy_name => 'POL1', -
  function_schema => 'SCOTT', -
  policy_function => 'PREDICATE', -
  statement_types => 'SELECT', -
  static_policy => TRUE, -
  policy_type => NULL);
  (4) adams user에서 scott.emp를 조회해 본다.
  단 다음과 같이 scott.emp에 대한 select권한을 king에게 주어야 한다.
  SQL>grant select on emp to king;
  SQL>!date
  Thu Nov 24 14:01:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  5분이후가 되어 predicate function의 if조건을 만족하지 않아도,
  king user는 같은 값을 emp table에 대해서 return한다.
  SQL>!date
  Thu Nov 24 14:10:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  (b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
  (1) 기존의 policy를 다음과 같이 drop시킨다.
  SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
  (2) pol1을 새로 add시키는대 이대 static_policy와 policy_type을 다음과 같이
  변경한다.
  SQL> exec DBMS_RLS.ADD_POLICY ( -
  object_schema => 'SCOTT', -
  object_name => 'EMP', -
  policy_name => 'POL1', -
  function_schema => 'SCOTT', -
  policy_function => 'PREDICATE', -
  statement_types => 'SELECT', -
  static_policy => flase, -
  policy_type => dbms_rls.dynamic);
  (3) king user에서 조회해본다.
  predicate function은 위의 2-(a)에서 실행한 것을 그대로 사용한다.
  즉 (a)를 실행하지 않은 경우, 조회전에 (a)-(2)번을 실행해야 한다.
  SQL>!date
  Thu Nov 24 15:01:13 EST 2005
  SQL> connect king/king
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  5분 이후가 되어 다시한번 king user에서 실행해본다.
  SQL>!date
  Thu Nov 24 15:10:13 EST 2005
  SQL> select * from scott.emp;
  EMPNO ENAME JOB MGR HIREDATE SAL COMM
  DEPTNO
  7788 SCOTT ANALYST 7566 19-APR-87 3000
  20
  7839 KING PRESIDENT 17-NOV-81 5000
  10
  7902 FORD ANALYST 7566 03-DEC-81 3000
  20
  RELATED DOCUMENTS
  <Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
  in DBMS_RLS.ADD_POLICY Procedure
  <Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
  to 10g

  first you could use default column values, not a trigger, which is more expensive.
  if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

• Got ORA-00439:  feature not enabled: Fine-grained access control

  Trying to implement VPD, I've got ORA-00439 when implementing Fine-grained access control. Will this be available on XE?

  Hi,
  lewisc: Yes. I mean "persistent package variables" and I know this feature is available in any version of Oracle. But, I don't know how It works whith HTMLDB when using "HTMLDB Authentication Scheme".
  i.e.: when I connect to an HTMLDB Application, I can see a new session on
  V$SESSION with username=ANONYMOUS with SID=xxx and SERIAL#=yyyy.
  1.-Will HTMLDB use the same session until User Press "logout" link?
  2.-Will this particular Database session be exclusive or shared for any HTMLDB sessions?
  3.-If I Logout from HTMLDB App, then Login again, Will HTMLDB reuse the same session?
  or will create a new one?
  -About VPD.
  VPD is a Personal Edition feature too. All features of EE is
  available on Personal Edition except RAC and a few others
  specials features.
  After all:
  Maybe with these examples you can see my question.
  CREATE OR REPLACE VIEW myviewname
  AS
  SELECT *
  FROM mytablename
  WHERE somecolumn = V('Fxxx_HTMLDB_ITEM_NAME')
  CREATE OR REPLACE TRIGGER mytriggername
  BEFORE
  INSERT
  ON mytablename
  FOR EACH ROW
  BEGIN
  :new.mycolumn1 := V('Fxxx_HTMLDB_ITEM_NAME');
  END;
  Can these two examples work? If so, maybe there is something wrong in my applications.
  Thanks GaryM for your issues and I already know this can be done that way

• Fine Grain Access Control gives ORA-02014

  Using Fine Grain Access Control on Oracle 8i 8.1.6, when a policy is enabled on a table then queries of the form "select * from table for update nowait" give "ORA-02014 cannot select FOR UPDATE from view with DISTINCT, GROUP BY, etc.".
  Similar queries without the "for update nowait" work OK.
  Does anyone have a fix or workaround?
  null

  I ran into this. If you're using a function to add to/add a where clause to your statement, when the where clause gets appended to the end and generates an error. You should be seeing trace files in the udump area of oracle that show you the actual sql line that is being created in error. I modified my function to add the FOR UPDATE NOWAIT in the correct place.

• Fine Grained Access Control

  I have three tables
  1. Grade table where information for each grade is maintained
  like basic, increments.
  2. graderole - here i have defined roles which can access each
  grade
  3. userrole users for each role.
  eg:
  userrole table has one user as ops$ravi who has access to 'MM'
  role
  graderole table has multiple records for role 'MM' who can
  access some grades.
  zarine_test table where all grades and its basic and increments
  are defined.
  I want ops$ravi to access only grades as per graderole table
  i.e. JM to MM grade
  I have tried this command with three tables.
  Some times it does not even allows me to login as ops$ravi
  saying that
  ERROR: ORA-00604: error occurred at recursive SQL level 1
  ORA-01031: insufficient privileges
  ORA-06512: at "SYS.DBMS_SESSION", line 58
  ORA-06512: at "OPS$PERDBA.CONTEXTPACKAGE", line 8
  ORA-06512: at line 2
  At one other instance, it allows to login as user but we get a
  error like FUNCTION POLICY NOT PROPERLY DEFINED FOR TABLE
  These are the steps I have followed:
  1. Create context perdba_ctxt      
  CREATE OR REPLACE CONTEXT perdba_ctxt USING
  perdba.contextpackage;
  CREATE OR REPLACE PACKAGE contextpackage AS
       PROCEDURE setcontext;
  END;
  2. Create context package
  Get login'ed users role from the initial group set for him eg:
  ops$ravi will fetch 'MM' group
  -- create context package body fg6
  CREATE OR REPLACE PACKAGE BODY contextpackage IS
  PROCEDURE setcontext IS
       l_persons_id     varchar2(30);
       l_logged_person     VARCHAR2(30);
       l_user_role     VARCHAR2(30);
       l_job          VARCHAR2(35);
  BEGIN
       DBMS_SESSION.SET_CONTEXT('PERDBA_CTXT','SETUP','TRUE');
       l_logged_person:= SYS_CONTEXT('USERENV','SESSION_USER');
       SELECT SUBSTR(initial_rsrc_consumer_group,1,4) INTO
  l_user_role FROM dba_users WHERE username = l_logged_person;
       IF l_user_role = 'MM' THEN
  BEGIN
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','ROLE','MM');
            SELECT username INTO l_persons_id
            FROM userrole
            WHERE userNAME = SYS_CONTEXT
  ('USERENV','SESSION_USER');
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','PERSONS_ID','L_PERSONS_ID');
       EXCEPTION
            WHEN NO_DATA_FOUND THEN
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','PERSONS_ID',0);
       END;
       ELSIF l_user_role = 'CGM' THEN
  BEGIN
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','ROLE','CGM');
            SELECT username INTO l_persons_id
            FROM userrole
            WHERE userNAME = SYS_CONTEXT
  ('USERENV','SESSION_USER');
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','PERSONS_ID','L_PERSONS_ID');
       EXCEPTION
            WHEN NO_DATA_FOUND THEN
            DBMS_SESSION.SET_CONTEXT
  ('PERDBA_CTXT','PERSONS_ID',0);
       END;
       END IF;
       DBMS_SESSION.SET_CONTEXT('PERDBA_CTXT','SETUP','FALSE');
       END SETCONTEXT;
       END CONTEXTPACKAGE;
  3. create security package     
  CREATE OR REPLACE PACKAGE securitypackage AS
  FUNCTION gradeselectsecurity(OWNER IN VARCHAR2, OBJECT_NAME IN
  VARCHAR2)
  RETURN VARCHAR2;
  END SECURITYPACKAGE;
  4. create security package body     
  Here this condition will get attached to select when user log's
  in
  CREATE OR REPLACE PACKAGE BODY securitypackage IS
  FUNCTION gradeselectsecurity(OWNER IN VARCHAR2, OBJECT_NAME IN
  VARCHAR2)
  RETURN VARCHAR2 IS
  l_predicate VARCHAR2(200);
  l_get_role VARCHAR2(20);
  BEGIN
  l_predicate:='1=2';
  l_get_role := SYS_CONTEXT('PERDBA_CTXT','ROLE');
  DBMS_OUTPUT.PUT_LINE(L_GET_ROLE);
  IF (RTRIM(LTRIM(l_get_role)) = 'MM') THEN
  l_predicate := 'grd_id IN (SELECT GRD_ID FROM GRADEROLE
                 WHERE USERROLE = (SELECT USERROLE FROM
  userROLE WHERE USERROLE = ''MM'' AND USERNAME
  = ''OPS$PERDBA''))';
  --L_GET_ROLE AND
  --USERNAME = ''OPS$PERDBA''))';
  --SYS_CONTEXT(''PERDBA_CTXT'',''PERSONS_ID'')))';
  -This script does not work., thats why i fixed values as MM and
  ops$perdba
  END IF;
  RETURN l_predicate;
  END gradeselectsecurity;
  END SecurityPackage;
  5. create consumer group
  BEGIN
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA();
  DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA();
  DBMS_RESOURCE_MANAGER.CREATE_CONSUMER_GROUP(CONSUMER_GROUP
  => 'MM', COMMENT => 'GROUP FOR GRADES JM TO MM');
  DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA();
  DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA();
  DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA();
  END;
  6. create users          
  CREATE USER ops$ravi idetified by ravi
       default tablespace pay3_ts
       temporary tablespace temp_pay3_ts;
  grant connect , resource to ops$ravi;
  grant create session to ops$ravi;
  grant select on dba_users to ops$ravi;
  user ops$cgm also created in the same fashion.
  7. Assign initial consumer group
  -- assign initial consumer group
  BEGIN
  DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP
  ('OPS$RAVI','MM',TRUE);
  DBMS_RESOURCE_MANAGER.SET_INITIAL_CONSUMER_GROUP
  ('OPS$RAVI','MM');
  END;
  8. Attach security policy
  --attach security policy fg11
  BEGIN
  DBMS_RLS.ADD_POLICY(     'OPS$PERDBA',
                 'ZARINE_TEST',
                 'GRADE_SELECT_POLICY',
                 'OPS$PERDBA',
                 'SECURITYPACKAGE.GRADESELECTSECURITY',
                 'SELECT',
                 TRUE
  END;
  12. create context trigger
  -- create context trigger fg12
  CREATE OR REPLACE TRIGGER PERDBA.setsecuritycontext
  AFTER LOGON ON DATABASE
  BEGIN
       PERDBA.CONTEXTPACKAGE.SETCONTEXT;
  --null;
  END;

  you have mistyped the username/schemaname, it is ops$perdba, not perdba

• Fine Grained Access ERROR on INSERT when generating unique keys

  I'm using VPD/Fine Grained Access Control (FGAC) to implement security on my 9i backend. I created a security policy function that returns the predicate 'owner = USER'; - each of the tables has an additional column titled OWNER which contains the name of the logged-in user. Every time a user inserts a record, a BEFORE INSERT trigger fires (for every row) and inserts the USER name into the OWNER column. This is fairly straightforward and ensures that users can see only their rows. Using the DBMS_RLS.add_policy procedure, I attached the security policy to several tables and made it effective upon SELECT, UPDATE, INSERT, and DELETE statements.
  However, the frontend Java application (custom-made) generates unique IDs (sequences are not used) by selecting max(ID)+1 from the primary key columns of the tables. The problem is that the predicate is appended to the SELECT max(ID)+1 query to limit the max(ID) to only those rows where 'owner = USER'. Therefore, the max(ID) generated is not the largest ID for the entire table, but only the largest among the USER rows.
  So unless that USER happens to have the the largest ID in the whole table (and it has worked then), a primary-key violation error will be returned and the INSERT operation will be aborted.
  How can I allow every USER to select from AND get the absolute largest ID from the PK column without allowing that user to select records that don't belong to him? If I had developed the application, I would have made use of sequences on the back-end to generate unique primary key IDs. Unfortunately, I don't have this option and must work with the application as is.
  NOTE: the front-end Java application understands only the base table names, NOT Views created by me on the server. If the answer to this problem involves views, how can I make use of them on the backend when the front-end code does not recognize them?
  Any help is greatly appreciated!
  Michael

  first you could use default column values, not a trigger, which is more expensive.
  if your apps already assumes full access to table to get max id ( another RT ), this is bad. Current RLS can not really help if you can not change the apps because of this flaw logic ( you can store the maxid anywhere, why scanning the whole table to find it )

• Query: Best practice SAN switch (network) access control rules?

  Dear SAN experts,
  Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
  I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
  Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
  In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
  For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
  These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
  So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
  regards,
  Will.

  Hi William,
  That's a pretty wide net you're casting there, but i'll do my best to give you some insight in the matter.
  Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
  for zones there are a few best practices:
  * Default Zone: Don't use it. unless you're running Ficon.
  * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
  * Don't mix zoning types:  You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
  * Device alias zoning is definately recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing hba's a heck of a lot less painful in your fabric.
  * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
  * Read-Only exists, but again any modern array should be able to make a lun read-only.
  * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
  VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
  When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
  Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
  They are quite logical to use  and work just the same on an MDS as on a traditional Ethernetswitch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
  I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
  To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
  That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!

• User management and Access Control in HCM Cloud

  Hello,
  Information is scarce about User management and Access Control in Oracle Cloud generally. Today, I have two questions :
  - How can I bridge HCM Cloud user store with my on-premise IDM or security repository in order to allow identty governance to flow to HCM Cloud service ?
  The only information I got was that you can declare manually and by bulk import through files my users. This is not really interresting as I have an automatic IDM with workflows and identity control on provisioning and de-provisioning.
  Is there a SPML or proprietary endpoint to do it automatically ? What are the prerequisites ? Do I have to implement OIM on my side ?
  - Once my users are created, how can I do webSSO from my internal security repositories to the HCM Cloud service ?
  I do not want to distribute new set of login / passwords to my users. Is it possible to do Identity Federation (SAML 2.0 or WS-Fed) with HCM Cloud service ? What are the prerequisites ? Do I have to implement OAM on my side ?
  I accept all pieces of information you can give me on this topic to help me understand the funcitonalites, limits and options offered by Oracle Cloud and more precisely by HCM Cloud service.
  Best regards,

  OIDDAS has limited capability of access control and information hiding. Presently, the permissions and privileges can be set at a realm level, and fine grained access control / information hiding cannot be done.
  At present, the only way to restrict view and access control is by appplying ACLs (which is not the safest bet).

• HRMS Data access control

  Hi,
  Can fine grained access control (VPD) be used to implement access control security policy for HRMS sensitive data. The business requirement is that the HRMS data should not be visible to any querying tool other than Oracle applications core HRMS forms.
  What kind of a security policy be enforced to achive this and are there any compatibility issues/limitations of this.
  Thanks in advance,
  Regards,
  Mahesh
  null

  you are right, access control is very application dependent, and is therefore not a good target to turn into a generic framework.
  In my opinion the king of security frameworks is Spring Security, so you could take a look at that.
  [http://static.springsource.org/spring-security/site/|http://static.springsource.org/spring-security/site/]
  Other than that, I have used a simple setup using Javaserver Faces. I had a user bean with a set of boolean flags indicating the user's capabilities (directly mapped to a database table) and in the components I would have rendered="#{user.userRole}" attributes where necessary, to conditionally switch off elements when the user wasn't allowed to see it, in some cases rendering a readonly view in stead.
  Its a chore to test, but quite easy to maintain and to read IMO.

• Access Control, finer control of standard options.....

  Hi, is good to be able to place time limits on wireless access to those using my wireless access points.
  Am wondering though, is it possible to specify a total daily/weekly time limit, (a cumulative or rolling three hours in total per day for example as opposed to between 19:00 and 22:00)?
  Is there some Terminal trickery that exists?
  Thanks.

  Dear Andg and Himadama,
  The most recent SAP GRC Access Control 5.3 Installation Guide, published September, 2009, references the break-down of JCo connector information in Section 5. Post-Installation Configuration:
  5.1.1 Creating JCo Connections to Backend Systems:
  http://www.service.sap.com/
  http://service.sap.com/swdc
  http://help.sap.com
  http://service.sap.com/bestpractices
  http://www.sap.com/bestpractices
  Perhaps this excerpt may clarify the utilization options for SAP JCo connections in GRC Access Control 5.3 as of SP09.
  Thank you,
  Shiela
  Edited by: Shiela Maria Mangravito on Apr 1, 2010 1:50 PM

• ADF UIX Role Based Access Control Implementation

  Hi,
  Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
  The application users can be dymanically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way.
  Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
  Thanks a lot.
  Sathya

  Brenden,
  I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
  If you modelled your security infrastructure in OID than the database, an administrator would be able to use the Delegated Administration Service (DAS), as web based console in Oracle Application Server. To configure security this way, you would have two options:
  1. Use J2EE declarative security and configure all you .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working dirctly with it because Struts actions have a roles attribute.
  The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
  2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
  The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
  1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
  Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
  Two links that you might be interested in to read are:
  http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
  http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but its a good source of information.
  Frank

• Embedding MS Accessibility controls into pdf document.

  I have a pdf form running fine in a server with Adobe Proffesional 8.0,  We need to update to Adobe Pro 9.0 or Adobe Pro 10.  The app is not performing well in those higer versions of Adobe Pro because we need to capture data from a pop up window to name an output file, but the data can no be scraped from the pop up window.  I heard that the problem can be circumvented by embedding MS Accessibility Controls into the form.  Can sombody please help me understand what is "embedding MS Accessibility Controls into a pdf form"?
  Thanks

  We have the pdf rendered in a JVM in an Intranet.  The pdf is displayed using Adobe Prod 8.0, when all the required data is captured from a phone interview, a button (click) triggers a WebService to execute and send a file to a Lenux Server. 

• NWBC no option "Access Control" - can't start working with GRC 10.0

  I have installed GRC AC 10.0 and have followed the post-installation documentation. All seems to be fine so far.
  But when I run NWBC, I do not get the Icon/Option "Access Control".
  What can go wrong? My user has sap_all and sap_grac_all, so it shouldn't be the access rights...what else can I check?

  I have installed GRC AC 10.0 and have followed the post-installation documentation. All seems to be fine so far.
  But when I run transaction NWBC, the web-browser (Iexplorer) opens the HTML-NWBC, but I do not get the Icon/Option "Access Management". I see this option however on the screenshots of the documentation. And it seems to be the only way to work with the application - or can I work directly within SAP-GUI ?
  I see however the Icons "Office", "Cross-Application Components", "Accounting", "Information Systems", "Tools" and I can well drill down into the submenus and use the fonctionality.
  What can go wrong? My user has sap_all and sap_grac_all assigned, so it shouldn't be the access rights...what else can I check? any ideas are welcome... - thanks in advance...

• Access controll Logs and DNS entries

  Hello there,
  We have upgraded from Border Manager 3.5 to Border Manager 3.8 SP4 on
  new hardware. Everything runs fine except a little niggle. When we
  view the Access Control logs now all we see is IP addresses there are
  no host names. In real time monitoring we can click on DNS Host Name
  and get some of the names but most come back Unknown. Under the logs
  themselves the DNS host Name option is grayed out. Have I messed up
  the configuration in some manner?
  Dan

  Thanks Craig, We are indeed runing the transparent proxy. Is this a
  change between 3.5 and 3.8? When we ran the transparent Proxy under
  3.5 we were able to see the URL's.
  On Tue, 17 Jul 2007 21:36:53 GMT, Craig Johnson
  <[email protected]> wrote:
  >In article <[email protected]>, Dan Larson
  >wrote:
  >> When we
  >> view the Access Control logs now all we see is IP addresses there are
  >> no host names. In real time monitoring we can click on DNS Host Name
  >> and get some of the names but most come back Unknown. Under the logs
  >> themselves the DNS host Name option is grayed out. Have I messed up
  >> the configuration in some manner?
  >>
  >If you have transparent proxy working, you will get IP addresses of
  >hosts instead of URL's.
  >
  >If you are not using proxy authentication, you will get IP addresses of
  >user PC's instead of user names.
  >
  >Craig Johnson
  >Novell Support Connection SysOp
  >*** For a current patch list, tips, handy files and books on
  >BorderManager, go to http://www.craigjconsulting.com ***
  >

• Access control - Restricted access not working

  Hi
  I have an application I have created an Access Control administration page in. I have set the application mode to 'Restricted access. Only users defined in the access control list are allowed'. I have defined two users one with administrator and one with edit privileges. I have a third workspace user who is not listed on the access control page.
  I have added the authorisation scheme to the tabs, pages and page items I require. This appears to work fine if I change the privilege of one of the listed users to 'view' the items disappear and cannot be accessed.
  The issue I have is that the workspace user who is not listed can still log into the application, and has the same access as 'view' privilege. My understanding is that the 'Restricted Access' application mode should prevent this user from accessing this application as they are not explicitly listed?
  Have I missed some set-up, misunderstood the meaning of 'restricted access' or is it some sort of bug? I am assuming I have missed some set-up somewhere.
  PS This is APEX 4.0.2 on 11g
  Edited by: tlane on 15/02/2011 19:43

  I have set the application up on apex.Oracle.com
  http://apex.oracle.com/pls/apex/f?p=48123:101:506666493527664
  four users have been defined :
  control_admin
  control_edit
  control_view
  control_na
  The first 3 are defined on the access control page available on the user_admin tab when you login as control_admin user.
  user control_na is not listed but can still access the application.
  password for all users is : demo1234
  Thanks in advance for all help with this issue.