petefinnigan
10th November 2003, 15:08
Hi everyone,

I have recently written a paper on row level security in Oracle for
publication by SecurityFocus. This paper is a two-part paper and the
first part is published; the second part will be published later this
week.

Part one introduces row level security, talks about the various names it
has and also why you might want to use it with listed advantages. I go
on to talk about how it works and how to implement a simple example
working through the various steps with example code. I then go on to
test the example with differing scenarios to check it performs against
the business rules defined. I talk about a couple of issues and tips.

Part two goes on to look into how to explore the database looking at
what row level security settings are in use or indeed if it is in use,
by querying v$ views. I also discuss how to use the dictionary views to
understand the setup and then go on to explore how to derive the SQL
including predicate from the database and also how to see if row level
security is in use by inference. I also discuss some of the issues with
its use. As usual, I also make suggestions throughout about protecting
what configuration can be read from the database.

A link to part one can be found here:

http://www.petefinnigan.com/orasec.htm

Kind regards,

Pete

--
Pete Finnigan
email:pete@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.