Oracle Database 12c II

The document details steps taken to create a database user "test" and a table "payment_details" to store payment card information. Redaction policies are then applied to mask the card number, card string, and expiry date using partial and full redaction. Additional users "gov", "bob", and "tim" are created and a table "flight" is made accessible to "bob" and "tim" for data insertion and selection. Oracle Label Security (OLS) is then configured and enabled on the database.

Redaction

Masking Column
---------------
Note: the redaction policy below only covers card_no, card_string and expiry_date; sec_code is left unredacted and is returned in clear by every SELECT that follows.

User : sys
-------------
SQL> create user test identified by Admin12345 default tablespace users temporary tablespace temp;

User created.

SQL> grant connect to test;

Grant succeeded.

SQL> GRANT EXECUTE ON sys.dbms_redact TO test;

Grant succeeded.

SQL> alter user test quota unlimited on users;

User altered.

User : test
--------------
SQL> CREATE TABLE payment_details (
2 ID NUMBER NOT NULL,
3 customer_id NUMBER NOT NULL,
4 card_no NUMBER NOT NULL,
5 card_string VARCHAR2(19) NOT NULL,
6 expiry_date DATE NOT NULL,
7 sec_code NUMBER NOT NULL,
8 valid_date DATE,
9 CONSTRAINT payment_details_pk PRIMARY KEY (ID)
10 );

Table created.

User : test
--------------
SQL> INSERT INTO payment_details VALUES (1, 4000, 1234123412341234, '1234-1234-1234-1234', TRUNC(ADD_MONTHS(SYSDATE,12)), 123, NULL);

1 row created.

SQL> INSERT INTO payment_details VALUES (2, 4001, 2345234523452345, '2345-2345-2345-2345', TRUNC(ADD_MONTHS(SYSDATE,12)), 234, NULL);

1 row created.

SQL> INSERT INTO payment_details VALUES (3, 4002, 3456345634563456, '3456-3456-3456-3456', TRUNC(ADD_MONTHS(SYSDATE,12)), 345, NULL);

1 row created.

SQL> INSERT INTO payment_details VALUES (4, 4003, 4567456745674567, '4567-4567-4567-4567', TRUNC(ADD_MONTHS(SYSDATE,12)), 456, NULL);

1 row created.

SQL> INSERT INTO payment_details VALUES (5, 4005, 5678567856785678, '5678-5678-5678-5678', TRUNC(ADD_MONTHS(SYSDATE,12)), 567, NULL);

1 row created.

SQL> ALTER SESSION SET nls_date_format='DD-MM-YYYY';

Session altered.

SQL> COLUMN card_no FORMAT 9999999999999999

SQL> SELECT *
2 FROM payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DAT
---------- ----------- ----------------- ------------------- ----------
SEC_CODE VALID_DATE
---------- ----------
1 4000 1234123412341234 1234-1234-1234-1234 04-04-2018
123

2 4001 2345234523452345 2345-2345-2345-2345 04-04-2018
234

3 4002 3456345634563456 3456-3456-3456-3456 04-04-2018
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DAT
---------- ----------- ----------------- ------------------- ----------
SEC_CODE VALID_DATE
---------- ----------
4 4003 4567456745674567 4567-4567-4567-4567 04-04-2018
456

5 4005 5678567856785678 5678-5678-5678-5678 04-04-2018
567

SQL> BEGIN
2 DBMS_REDACT.add_policy(
3 object_schema => 'test',
4 object_name => 'payment_details',
5 column_name => 'card_no',
6 policy_name => 'redact_card_info',
7 function_type => DBMS_REDACT.full,
8 expression => '1=1'
9 );
10 END;
11 /

PL/SQL procedure successfully completed.

Setelah di REDACT
-----------------
SQL> SELECT *
2 FROM payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
1 4000 0 1234-1234-1234-1234 04-APR-18
123

2 4001 0 2345-2345-2345-2345 04-APR-18
234

3 4002 0 3456-3456-3456-3456 04-APR-18
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
4 4003 0 4567-4567-4567-4567 04-APR-18
456

5 4005 0 5678-5678-5678-5678 04-APR-18
567

Partial Redaction

SQL> BEGIN
2 DBMS_REDACT.alter_policy(
3 object_schema => 'test',
4 object_name => 'payment_details',
5 column_name => 'card_no',
6 policy_name => 'redact_card_info',
7 action => DBMS_REDACT.modify_column,
8 function_type => DBMS_REDACT.partial,
9 function_parameters => '1,1,12' ==================> 'Value,Awal Char,Jumlah Char'
10 );
11 END;
12 /

PL/SQL procedure successfully completed.

SQL> SELECT *
2 FROM payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
1 4000 1111111111111234 1234-1234-1234-1234 04-APR-18
123

2 4001 1111111111112345 2345-2345-2345-2345 04-APR-18
234

3 4002 1111111111113456 3456-3456-3456-3456 04-APR-18
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
4 4003 1111111111114567 4567-4567-4567-4567 04-APR-18
456

5 4005 1111111111115678 5678-5678-5678-5678 04-APR-18
567

SQL> BEGIN
2 DBMS_REDACT.alter_policy(
3 object_schema => 'test',
4 object_name => 'payment_details',
5 column_name => 'card_string',
6 policy_name => 'redact_card_info',
7 action => DBMS_REDACT.add_column,
8 function_type => DBMS_REDACT.partial,
9 function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,#,1,12'
10 );
11 END;
12 /

PL/SQL procedure successfully completed.

SQL> SELECT *
2 FROM payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
1 4000 1111111111111234 ####-####-####-1234 04-APR-18
123

2 4001 1111111111112345 ####-####-####-2345 04-APR-18
234

3 4002 1111111111113456 ####-####-####-3456 04-APR-18
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DA
---------- ----------- ----------------- ------------------- ---------
SEC_CODE VALID_DAT
---------- ---------
4 4003 1111111111114567 ####-####-####-4567 04-APR-18
456

5 4005 1111111111115678 ####-####-####-5678 04-APR-18
567
SQL> BEGIN
2 DBMS_REDACT.alter_policy(
3 object_schema => 'test',
4 object_name => 'payment_details',
5 column_name => 'expiry_date',
6 policy_name => 'redact_card_info',
7 action => DBMS_REDACT.add_column,
8 function_type => DBMS_REDACT.partial,
9 function_parameters => 'm1d1Y'
10 );
11 END;
12 /

PL/SQL procedure successfully completed.

SQL> ALTER SESSION SET nls_date_format='DD-MON-YYYY';

Session altered.

SQL> COLUMN card_no FORMAT 9999999999999999;

SQL> SELECT *
2 FROM Payment_details
3 ORDER BY id;

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DATE
---------- ----------- ----------------- ------------------- -----------
SEC_CODE VALID_DATE
---------- -----------
1 4000 1111111111111234 ####-####-####-1234 01-JAN-2018
123

2 4001 1111111111112345 ####-####-####-2345 01-JAN-2018
234

3 4002 1111111111113456 ####-####-####-3456 01-JAN-2018
345

ID CUSTOMER_ID CARD_NO CARD_STRING EXPIRY_DATE
---------- ----------- ----------------- ------------------- -----------
SEC_CODE VALID_DATE
---------- -----------
4 4003 1111111111114567 ####-####-####-4567 01-JAN-2018
456

5 4005 1111111111115678 ####-####-####-5678 01-JAN-2018
567

User : sys

SQL> CREATE USER gov IDENTIFIED BY Admin12345;

User created.

SQL> CREATE USER bob IDENTIFIED BY Admin12345;

User created.
SQL> CREATE USER tim IDENTIFIED BY Admin12345;

User created.

SQL> GRANT CREATE SESSION to gov, bob, tim;

Grant succeeded.

SQL> GRANT CREATE TABLE, unlimited tablespace to gov;

Grant succeeded.

SQL> conn gov


Enter password:
Connected.
SQL> create table Flight(
2 Flight# NUMBER,
3 destination VARCHAR2(100),
4 payload VARCHAR2(100));

Table created.

SQL> grant select, insert on flight to bob, tim;

Grant succeeded.

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> conn gov
Enter password:
Connected.
SQL> insert into flight values (505, 'Iraq', 'Weapon');

1 row created.

SQL> insert into flight values (506, 'Canada', 'Charcoal');

1 row created.

SQL> insert into flight values (706, 'Japan', 'Battery');

1 row created.

SQL> insert into flight values (501, 'Syria', 'Weapon');

1 row created.

SQL> insert into flight values (508, 'Israel', 'Jets');

1 row created.

SQL> insert into flight values (509, 'India', 'Aid');

1 row created.

SQL> conn lbacsys


Enter password:
Connected.
SQL> conn sys as sysdba
Enter password:
Connected.
SQL> exec LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
BEGIN LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; END;

*
ERROR at line 1:
ORA-12459: Oracle Label Security not configured
ORA-06512: at "LBACSYS.OLS_ENFORCEMENT", line 3
ORA-06512: at "LBACSYS.OLS_ENFORCEMENT", line 25
ORA-06512: at line 1

SQL> exec LBACSYS.CONFIGURE_OLS;

PL/SQL procedure successfully completed.

SQL> exec LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;

PL/SQL procedure successfully completed.

SQL> conn lbacsys


Enter password:
Connected.
SQL> BEGIN
2 SA_SYSDBA.CREATE_POLICY(
3 policy_name => 'ols_pol1',
4 column_name => 'lb_col',
5 default_options => 'no_control'
6 );
7
8 -- Create label component levels
9 -- TOP_SECRET has the highest level of access
10 SA_COMPONENTS.CREATE_LEVEL(
11 policy_name => 'ols_pol1',
12 level_num => 4,
13 short_name => 'TS',
14 long_name => 'top_secret'
15 );
16
17
18 SA_COMPONENTS.CREATE_LEVEL(
19 policy_name => 'ols_pol1',
20 level_num => 3,
21 short_name => 'S',
22 long_name => 'secret'
23 );
24
25 SA_COMPONENTS.CREATE_LEVEL(
26 policy_name => 'ols_pol1',
27 level_num => 2,
28 short_name => 'C',
29 long_name => 'confidential'
30 );
31
32 SA_COMPONENTS.CREATE_LEVEL(
33 policy_name => 'ols_pol1',
34 level_num => 1,
35 short_name => 'UC',
36 long_name => 'unclassified'
37 );
38
39 -- Create data labels
40 SA_LABEL_ADMIN.CREATE_LABEL(
41 policy_name => 'ols_pol1',
42 label_tag => 40,
43 label_value => 'TS',
44 data_label => TRUE
45 );
46
47 SA_LABEL_ADMIN.CREATE_LABEL(
48 policy_name => 'ols_pol1',
49 label_tag => 30,
50 label_value => 'S',
51 data_label => TRUE
52 );
53
54 SA_LABEL_ADMIN.CREATE_LABEL(
55 policy_name => 'ols_pol1',
56 label_tag => 20,
57 label_value => 'C',
58 data_label => TRUE
59 );
60
61 SA_LABEL_ADMIN.CREATE_LABEL(
62 policy_name => 'ols_pol1',
63 label_tag => 10,
64 label_value => 'UC',
65 data_label => TRUE
66 );
67
68 -- Apply access_pol policy on table gov.flight
69 SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
70 policy_name => 'ols_pol1',
71 schema_name => 'gov',
72 table_name => 'flight',
73 table_options => null,
74 label_function => null,
75 predicate => null
76 );
77
78 -- Add user authorizations (i.e. clearance levels)
79 SA_USER_ADMIN.SET_LEVELS(
80 policy_name => 'ols_pol1',
81 user_name => 'bob',
82 max_level => 'S',
83 min_level => 'UC',
84 def_level => 'S',
85 row_level => 'S'
86 );
87
88 SA_USER_ADMIN.SET_LEVELS(
89 policy_name => 'ols_pol1',
90 user_name => 'tim',
91 max_level => 'UC',
92 min_level => 'UC',
93 def_level => 'UC',
94 row_level => 'UC'
95 );
96 END;
97 /

PL/SQL procedure successfully completed.

SQL> conn system


Enter password:
Connected.
SQL> update gov.flight set lb_col = char_to_label('ols_pol1','TS') where payload
in ('Weapon');

2 rows updated.

SQL> update gov.flight set lb_col = char_to_label('ols_pol1','S') where payload


in ('Jets');

1 row updated.

SQL> update gov.flight set lb_col = char_to_label('ols_pol1','C') where payload


in ('Battery');

1 row updated.

SQL> update gov.flight set lb_col = char_to_label('ols_pol1','UC') where payload


in ('Charcoal', 'Aid');

2 rows updated.

SQL> commit;

Commit complete.

SQL> conn lbacsys


Enter password:
Connected.
SQL> BEGIN
2 -- Now we change the policy to enforce on read by first altering the policy
3 -- and then removing and applying the policy again
4 SA_SYSDBA.ALTER_POLICY(
5 policy_name => 'ols_pol1',
6 default_options => 'read_control, label_default'
7 );
8
9 SA_POLICY_ADMIN.REMOVE_TABLE_POLICY(
10 policy_name => 'ols_pol1',
11 schema_name => 'gov',
12 table_name => 'flight',
13 drop_column => false
14 );
15
16 SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
17 policy_name => 'ols_pol1',
18 schema_name => 'gov',
19 table_name => 'flight'
20 );
21 END;
22 /

PL/SQL procedure successfully completed.

SQL> BEGIN
2 SA_USER_ADMIN.SET_USER_PRIVS(
3 policy_name => 'ols_pol1',
4 user_name => 'scott',
5 privileges => 'READ'
6 );
7 END;
8 /

PL/SQL procedure successfully completed.

SQL> column flight# format 9999;


SQL> column destination format a15;
SQL> column payload format a15
SQL> conn bob
Enter password:
Connected.
SQL> select SA_SESSION.ROW_LABEL('OLS_POL1') from DUAL;

SA_SESSION.ROW_LABEL('OLS_POL1')
--------------------------------------------------------------------------------

SQL> select SA_SESSION.LABEL('OLS_POL1') from DUAL;

SA_SESSION.LABEL('OLS_POL1')
--------------------------------------------------------------------------------

SQL> BEGIN
2 SA_SESSION.SET_ROW_LABEL(
3 policy_name => 'ols_pol1',
4 label => 'UC'
5 );
6 END;
7 /

PL/SQL procedure successfully completed.

SQL> insert into gov.flight (flight#, destination, payload)


2 Values (599, 'Peru', 'Medecine');

1 row created.

SQL> select flight#, destination, payload from gov.flight;

FLIGHT# DESTINATION PAYLOAD


------- --------------- ---------------
506 Canada Charcoal
706 Japan Battery
508 Israel Jets
509 India Aid
599 Peru Medecine

SQL> conn gov


Enter password:
Connected.
SQL> select flight#, destination, payload from gov.flight;

no rows selected

SQL> conn tim


Enter password:
Connected.
SQL> select flight#, destination, payload from gov.flight;

FLIGHT# DESTINATION PAYLOAD


------- --------------- ---------------
506 Canada Charcoal
509 India Aid
599 Peru Medecine

SQL> conn lbacsys


Enter password:
Connected.
SQL> BEGIN
2 SA_SYSDBA.DROP_POLICY(
3 policy_name => 'ols_pol1'
4 );
5 END;
6 /

PL/SQL procedure successfully completed.

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> DROP USER gov cascade;

User dropped.

SQL> DROP USER bob cascade;

User dropped.

SQL> DROP USER tim cascade;

User dropped.

SQL>

===================================================================================
==============
SQL> select username from dba_users;

USERNAME
--------------------------------------------------------------------------------

OE
TEST2
SCOTT
ORACLE_OCM
OJVMSYS
SYSKM
XS$NULL
BI
PM
GSMCATUSER
MDDATA

USERNAME
--------------------------------------------------------------------------------

SYSBACKUP
IX
SH
DIP
SYSDG
APEX_PUBLIC_USER
HR
SPATIAL_CSW_ADMIN_USR
TEST
SPATIAL_WFS_ADMIN_USR
GSMUSER

USERNAME
--------------------------------------------------------------------------------

AUDSYS
FLOWS_FILES
DVF
MDSYS
ORDSYS
DBSNMP
WMSYS
APEX_040200
APPQOSSYS
GSMADMIN_INTERNAL
ORDDATA

USERNAME
--------------------------------------------------------------------------------

CTXSYS
ANONYMOUS
XDB
ORDPLUGINS
DVSYS
SI_INFORMTN_SCHEMA
OLAPSYS
LBACSYS
OUTLN
SYSTEM
SYS

44 rows selected.

SQL>
===================================================================================
==============
Audit
-----

SQL> drop user test cascade;

User dropped.

SQL> create user test identified by Admin12345 quota unlimited on users;

User created.

SQL> drop user test2 cascade;

User dropped.

SQL> grant create session, create table, create sequence to test;

Grant succeeded.

SQL> create user test2 identified by Admin12345 quota unlimited on users;

User created.

SQL> grant create session to test2;

Grant succeeded.

SQL> create user test3 identified by Admin12345 quota unlimited on users;

User created.

SQL> grant create session to test3;

Grant succeeded.

SQL> SELECT name


2 FROM system_privilege_map
3 ORDER BY name;

SQL> CREATE AUDIT POLICY test_audit_policy


2 PRIVILEGES CREATE TABLE, CREATE SEQUENCE
3 WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST'''
4 EVALUATE PER SESSION;

Audit policy created.

SQL> AUDIT POLICY test_audit_policy;

Audit succeeded.

SQL> SET LINESIZE 200


SQL> COLUMN audit_option FORMAT a15
SQL> COLUMN condition_eval_opt FORMAT a10
SQL> COLUMN audit_condition FORMAT a50
SQL> SELECT audit_option,
2 condition_eval_opt,
3 audit_condition
4 FROM audit_unified_policies
5 WHERE policy_name = 'TEST_AUDIT_POLICY';

AUDIT_OPTION CONDITION_ AUDIT_CONDITION


--------------- ---------- --------------------------------------------------
CREATE SEQUENCE SESSION SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST'
CREATE TABLE SESSION SYS_CONTEXT('USERENV', 'SESSION_USER') = 'TEST'

SQL> conn test


Enter password:
Connected.
SQL> CREATE TABLE tab1 (id NUMBER);

Table created.

SQL> CREATE SEQUENCE tab1_seq;

Sequence created.

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> COLUMN event_timestamp FORMAT a30
SQL> COLUMN dbusername FORMAT a10
SQL> COLUMN action_name FORMAT a20
SQL> COLUMN object_schema FORMAT a10
SQL> COLUMN object_name FORMAT a20
SQL> SELECT event_timestamp,
2 dbusername,
3 action_name,
4 object_schema,
5 object_name
6 FROM unified_audit_trail
7 WHERE dbusername = 'TEST'
8 ORDER BY event_timestamp;

EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCH OBJECT


_NAME
------------------------------ ---------- -------------------- ---------- ------
--------------
04-APR-17 09.55.29.913000 AM TEST LOGON
04-APR-17 09.55.41.660000 AM TEST LOGON
04-APR-17 02.22.41.805000 PM TEST CREATE TABLE TEST TAB1
04-APR-17 02.22.44.516000 PM TEST CREATE SEQUENCE TEST TAB1_S
EQ

SQL> NOAUDIT POLICY test_audit_policy;

Noaudit succeeded.

SQL> drop audit policy test_audit_policy;

Audit Policy dropped.

SQL>
SQL> CREATE TABLE tab1 (
2 id NUMBER,
3 CONSTRAINT tab1_pk PRIMARY KEY (id)
4 );

Table created.

SQL> CREATE SEQUENCE tab1_seq;

Sequence created.

SQL> CREATE TABLE tab2 (


2 id NUMBER,
3 CONSTRAINT tab2_pk PRIMARY KEY (id)
4 );

Table created.

SQL> CREATE SEQUENCE tab2_seq;

Sequence created.

SQL> GRANT SELECT, INSERT, UPDATE, DELETE ON tab1 TO test2;

Grant succeeded.

SQL> GRANT SELECT ON tab1_seq TO test2;

Grant succeeded.

SQL>

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> CREATE AUDIT POLICY test_audit_policy
2 ACTION DELETE ON test.tab1,
3 INSERT ON test.tab1,
4 UPDATE ON test.tab1,
5 SELECT ON test.tab1_seq,
6 ALL ON test.tab2,
7 SELECT ON test.tab2_seq
8 WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST2'''
9 EVALUATE PER SESSION;
CREATE AUDIT POLICY test_audit_policy
*
ERROR at line 1:
ORA-46373: Audit policy 'TEST_AUDIT_POLICY' must have at least one audit option.

SQL> show user


USER is "SYS"
SQL> CREATE AUDIT POLICY test_audit_policy
2 ACTIONS DELETE ON test.tab1,
3 INSERT ON test.tab1,
4 UPDATE ON test.tab1,
5 SELECT ON test.tab1_seq,
6 ALL ON test.tab2,
7 SELECT ON test.tab2_seq
8 WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST2'''
9 EVALUATE PER SESSION;

Audit policy created.

SQL> AUDIT POLICY test_audit_policy;

Audit succeeded.

SQL> SET LINESIZE 200


SQL> COLUMN object_schema FORMAT a15
SQL> COLUMN object_name FORMAT a15
SQL> COLUMN object_type FORMAT a12
SQL> COLUMN audit_option FORMAT a15
SQL> COLUMN condition_eval_opt FORMAT a10
SQL> COLUMN audit_condition FORMAT a50
SQL> SELECT object_schema,
2 object_name,
3 object_type,
4 audit_option,
5 condition_eval_opt,
6 audit_condition
7 FROM audit_unified_policies
8 WHERE policy_name = 'TEST_AUDIT_POLICY';

OBJECT_SCHEMA OBJECT_NAME OBJECT_TYPE AUDIT_OPTION CONDITION_ AUDIT_CO


NDITION
--------------- --------------- ------------ --------------- ---------- --------
------------------------------------------
TEST TAB1 TABLE UPDATE SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1 TABLE INSERT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1 TABLE DELETE SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1_SEQ SEQUENCE SELECT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB2 TABLE ALL SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB2_SEQ SEQUENCE SELECT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'

6 rows selected.

SQL>

SQL> conn test


Enter password:
Connected.
SQL> INSERT INTO tab1 (id) VALUES (tab1_seq.NEXTVAL);

1 row created.

SQL> INSERT INTO tab2 (id) VALUES (tab2_seq.NEXTVAL);

1 row created.
SQL> Commit;

==============================================================================
SQL> conn test2
Enter password:
Connected.
SQL> UPDATE test.tab1 SET id = test.tab1_seq.NEXTVAL;
UPDATE test.tab1 SET id = test.tab1_seq.NEXTVAL
*
ERROR at line 1:
ORA-00942: table or view does not exist

SQL> UPDATE test.tab2 SET id = test.tab2_seq.NEXTVAL;

1 row updated.

SQL> DELETE FROM test.tab1;


DELETE FROM test.tab1
*
ERROR at line 1:
ORA-00942: table or view does not exist

SQL> DELETE FROM test.tab2;

1 row deleted.

SQL> COMMIT;

Commit complete.

SQL>

===================================================================================
================

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> SELECT event_timestamp,
2 dbusername,
3 action_name,
4 object_schema,
5 object_name
6 FROM unified_audit_trail
7 WHERE dbusername LIKE 'TEST%'
8 ORDER BY event_timestamp;

EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCHEMA O


BJECT_NAME
------------------------------ ---------- -------------------- --------------- -
--------------
04-APR-17 09.55.29.913000 AM TEST LOGON
04-APR-17 09.55.41.660000 AM TEST LOGON
04-APR-17 10.58.29.738000 AM TEST2 ALTER USER T
EST2
04-APR-17 02.22.41.805000 PM TEST CREATE TABLE TEST T
AB1
04-APR-17 02.22.44.516000 PM TEST CREATE SEQUENCE TEST T
AB1_SEQ
04-APR-17 02.42.43.801000 PM TEST CREATE AUDIT POLICY SYS T
EST_AUDIT_POLI
C
Y

04-APR-17 02.57.53.454000 PM TEST2 SELECT TEST T


AB1_SEQ
04-APR-17 02.57.53.454000 PM TEST2 UPDATE TEST T
AB1
04-APR-17 02.57.53.481000 PM TEST2 SELECT TEST T
AB2_SEQ

EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCHEMA O


BJECT_NAME
------------------------------ ---------- -------------------- --------------- -
--------------
04-APR-17 02.57.53.482000 PM TEST2 UPDATE TEST T
AB2
04-APR-17 02.57.53.484000 PM TEST2 DELETE TEST T
AB1
04-APR-17 02.57.53.490000 PM TEST2 DELETE TEST T
AB2

12 rows selected.

SQL>

===================================================================================
==
SQL> ALTER AUDIT POLICY test_audit_policy
2 DROP ACTIONS ALL ON test.tab2,
3 SELECT ON test.tab2_seq;

Audit policy altered.

SQL> SET LINESIZE 200


SQL> COLUMN object_schema FORMAT a15
SQL> COLUMN object_name FORMAT a15
SQL> COLUMN object_type FORMAT a12
SQL> COLUMN audit_option FORMAT a15
SQL> COLUMN condition_eval_opt FORMAT a10
SQL> COLUMN audit_condition FORMAT a50
SQL> SELECT object_schema,
2 object_name,
3 object_type,
4 audit_option,
5 condition_eval_opt,
6 audit_condition
7 FROM audit_unified_policies
8 WHERE policy_name = 'TEST_AUDIT_POLICY';

OBJECT_SCHEMA OBJECT_NAME OBJECT_TYPE AUDIT_OPTION CONDITION_ AUDIT_CO


NDITION
--------------- --------------- ------------ --------------- ---------- --------
------------------------------------------
TEST TAB1 TABLE UPDATE SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1 TABLE INSERT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1 TABLE DELETE SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'
TEST TAB1_SEQ SEQUENCE SELECT SESSION SYS_CONT
EXT('USERENV', 'SESSION_USER') = 'TEST2'

SQL>

=============================================================================
ROLE AUDIT

SQL> show user


USER is "SYS"
SQL> CREATE ROLE create_table_role;

Role created.

SQL> GRANT CREATE TABLE TO create_table_role;

Grant succeeded.

SQL> GRANT create_table_role TO test3;

Grant succeeded.

SQL> CREATE AUDIT POLICY create_table_role_policy


2 ROLE create_table_role
3 WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TEST3'''
4 EVALUATE PER SESSION;

Audit policy created.

SQL> AUDIT POLICY create_table_role_policy;

Audit succeeded.

SQL>

SQL> SET LINESIZE 200


SQL> COLUMN audit_option FORMAT a20
SQL> COLUMN condition_eval_opt FORMAT a10
SQL> COLUMN audit_condition FORMAT a50
SQL> SELECT audit_option,
2 audit_option_type,
3 condition_eval_opt,
4 audit_condition
5 FROM audit_unified_policies
6 WHERE policy_name = 'CREATE_TABLE_ROLE_POLICY';

AUDIT_OPTION AUDIT_OPTION_TYPE CONDITION_ AUDIT_CONDITION


-------------------- ------------------ ---------- -----------------------------
---------------------
CREATE_TABLE_ROLE ROLE PRIVILEGE SESSION SYS_CONTEXT('USERENV', 'SESSI
ON_USER') = 'TEST3'

SQL>
SQL> conn test3
Enter password:
Connected.
SQL> CREATE TABLE tab1 (id NUMBER);

Table created.

SQL> conn sys as sysdba


Enter password:
Connected.
SQL> COLUMN event_timestamp FORMAT a30
SQL> COLUMN dbusername FORMAT a10
SQL> COLUMN action_name FORMAT a20
SQL> COLUMN object_schema FORMAT a10
SQL> COLUMN object_name FORMAT a20
SQL> SELECT event_timestamp,
2 dbusername,
3 action_name,
4 object_schema,
5 object_name
6 FROM unified_audit_trail
7 WHERE dbusername = 'TEST3'
8 ORDER BY event_timestamp;

EVENT_TIMESTAMP DBUSERNAME ACTION_NAME OBJECT_SCH OBJECT


_NAME
------------------------------ ---------- -------------------- ---------- ------
--------------
04-APR-17 03.17.13.370000 PM TEST3 CREATE TABLE TEST3 TAB1

SQL>

SQL> NOAUDIT POLICY create_table_role_policy;

Noaudit succeeded.

SQL> DROP AUDIT POLICY create_table_role_policy;

Audit Policy dropped.

SQL>
