Oracle data access restriction

oracleSecurity

I am working on some data access restriction feature in Oracle 11g and have been struggling since then.

What I want to achieve is, that I want to allow a specific group only to access a particular set of data and the rest should not be able to see them (or have them hashed) …

Let's image two users

USER_JOHN and USER_TIMMY

The role settings for them is following

USER_JOHN
  - it_analyst
  - sales_analyst
  - read_all

USER_TIMMY
  - risk_analyst

The %_ANALYST roles are just for the sake of demonstration only .. the only important role in this case is the READ_ALL role which allows JOHN to access the "privileged" data …

Example of privileged data (columns marked with * are considered "privileged"):

CLIENT_TABLE
-------------------------------------------------------------
ID  |  Name   |   Date of Birth * |    Address *  |   Sex   |
-------------------------------------------------------------
 1  | Franco  |     8/1/1990      | Sesame Street |  Male   |
 2  |  Jane   |     1/18/1976     | Corner Road   | Female  |

When a user (with READ_ALL) role queries this table I want him to get the same data set as you can see above

USER_JOHN:$> SELECT * FROM client_table;

-------------------------------------------------------------
ID  |  Name   |   Date of Birth * |    Address *  |   Sex   |
-------------------------------------------------------------
 1  | Franco  |     8/1/1990      | Sesame Street |  Male   |
 2  |  Jane   |     1/18/1976     | Corner Road   | Female  |

But if a user without this READ_ALL role queries this table, they should get only non-privileged data in a read-able form … see below

USER_TIMMY:$> SELECT * FROM client_table;

-------------------------------------------------------------
ID  |  Name   |   Date of Birth * |    Address *  |   Sex   |
-------------------------------------------------------------
 1  | Franco  |    3978005636     |  4259532014   |  Male   |
 2  |  Jane   |    2282325776     |  1146039631   | Female  |

As you can see, these "privileged" records are hashed … they can even be empty or not select.able at all .. thus the result will look like this

USER_TIMMY:$> SELECT * FROM client_table;

--------------------------
ID  |  Name   |    Sex   |
--------------------------
 1  | Franco  |   Male   |
 2  |  Jane   |  Female  |

Is there some solution to achieve this? The best result for me would be hashed values …. I have read something about Oracle VPD which should do the same I just do not know, how to apply that on roles globally …

What I have done so far is that I have created the same object within different schema …

SCHEMA_RAW.CLIENT_TABLE -> accessible for READ_ALL; not accessible for others
SCHEMA_HASHED.CLIENT_TABLE -> accessible for all

I know it's not the best solution but at least I do have some data protection implemented .. the major drawback of this solution is the script-sharing .. if there is a user that has an access to SCHEMA_RAW only .. they need to change the script provided by users that have an access to SCHEMA_HASHED only …

Note: there is not just this single table … there are many (hundreds of them) that needs to be secured this way …

EDIT: Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 – 64bit

Best Answer

found it ...

ANSWER: Oracle Data Masking and SubSetting

https://www.oracle.com/technetwork/database/options/data-masking-subsetting/overview/index.html

Related Solutions

Is Oracle Configuration Manager HIPAA compliant

Yes, as long as the data being transmitted is monitored in a "reasonable" way.

If the database hosts PHI and oracle is assisting in the management of the database you must have a written contract with the vendor.

Standard: Business associate contracts and other arrangements. A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business associate will appropriately safeguard the information.

Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).

You have to log the vendors access into the database and ensure they cannot access PHI.

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

If they access PHI you will have to log the incident and report it.

Please see http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf page 38 for more information on HIPAA IT policy's.

The thing about HIPPA is that most of the requirements are vague and it asks you to make "reasonable" steps to prevent a PHI information breach (It marks these items as addressable). I've been through a couple of HIPAA audits myself.

What all to start for oracle database server

If you have the entries for your instance added to /etc/oratab (that should be "orcl:/your/oracle/home:Y" ) and you did run the root.sh in the end of that installation and the root.sh placed the environment scripts in /usr/locla/bin (the default), you can issue:

ORACLE_SID=orcl
ORAENV_ASK=NO
. /usr/local/bin/oraenv
unset ORAENV_ASK
$ORACLE_HOME/bin/dbstart

What oraenv does is mainly setting environment variables like ORACLE_HOME, ORACLE_BASE and PATH. PATH is made up of $ORACLE_HOME/bin. You could add the environment setup to your .profile and of course, you can start the database manually using sqlplus.

The dbstart script starts all databases that are registered in the oratab file, that have a 'Y' in the third column.

Manually starting, after the environment has been setup for a specific instance as shown above:

sqlplus / as sysdba
startup

If you want to switch to a different database just issue . oraenv (if /usr/local/bin is in the PATH) and give it the ORACLE_SID of the database that you want to manage.

Most databases will be accessed using a client from an other machine/VM. In that case you also might want to start the listener: lsnrctl start

Best Answer

Related Solutions

Is Oracle Configuration Manager HIPAA compliant

What all to start for oracle database server

Related Question