Command rules and rule sets are components of Database Vault.
Rule sets are simply sets of rules. For instance, if you want to create a rule set "working hours" - to check whether someone is accessing data during work hours, you will create two rules. One will check whether it is a working day (Monday to Friday) and the second one will check the time (for instance from 9AM to 5PM). Rule sets don't do anything if they are not used in some other Database Vault component (like a realm or command rule). As a factor you can use current time.
A command rule defines rules (usually using a rule set) that must be true so the user can execute a specific command on a specific object. For instance, if you want to restrict that an employee's salary can be changed only during work hours, you will create a command rule that will protect the update command on the employees table, and as a rule you will put our previously created rule set "working hours". Now an update on the employees table can be done only during work hours - that is a command rule.
A realm protects database objects from privileged users. If you create a realm on a schema or table, then only realm-authorized users can use their strong privileges to access protected data (for instance, users with select any table cannot select from realm-protected objects if they are not added as participants or owners in the realm).
You can use these components on the same or different objects to create a more secure system.
Edited by: Zoran Pavlovic on Nov 28, 2012 10:45 PM
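The "working hours" rule set and the command rule on the employees table described in the answer above, written out with the DBMS_MACADM package. This is an added example, not code from the original post; the HR schema, the rule names, the failure message and the error code are assumptions chosen for illustration.

```sql
-- Added example: run as a Database Vault owner account.
-- HR.EMPLOYEES and all rule / rule set names are assumptions for illustration.
BEGIN
  -- Rule 1: Monday to Friday. The date language is pinned so 'SAT'/'SUN'
  -- match regardless of the session's NLS settings.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Working Day',
    rule_expr => q'[TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') NOT IN ('SAT', 'SUN')]');

  -- Rule 2: 09:00:00 through 16:59:59, i.e. 9AM up to 5PM.
  -- SYSDATE is database server time, not the client's local time.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Working Time',
    rule_expr => q'[TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) BETWEEN 9 AND 16]');

  -- Rule set: every rule must be true; failures are audited and shown to the caller.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Working Hours',
    description     => 'True only Monday-Friday, 9AM-5PM server time',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'EMPLOYEES can be updated only during working hours',
    fail_code       => -20100,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Working Hours',
                                   rule_name     => 'Is Working Day');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Working Hours',
                                   rule_name     => 'Is Working Time');

  -- Command rule: UPDATE on HR.EMPLOYEES succeeds only while the rule set is true.
  -- The rule set has no effect until it is attached like this.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'UPDATE',
    rule_set_name => 'Working Hours',
    object_owner  => 'HR',
    object_name   => 'EMPLOYEES',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Review what is now enforced on the table.
SELECT command, object_owner, object_name, rule_set_name, enabled
FROM   dvsys.dba_dv_command_rule
WHERE  object_name = 'EMPLOYEES';
```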
Thanks a lot...
One more thing I want to ask: you said that we can prevent others from accessing data or performing DDL or DML commands, like alter, select, drop, create etc.
So my question is: CAN WE PREVENT THE 'SHUT IMMEDIATE' COMMAND THROUGH ALL THIS, SO NO ONE FROM ANYWHERE, EVEN REMOTELY, CAN FIRE THIS COMMAND EXCEPT DBV_OWNER OR DBV_ACCTMGR?
No, you cannot create a command rule that will secure the shutdown command. Shutdown is supposed to be done as part of DBA activities by users with sysdba and sysoper privileges. These two roles (DBV_OWNER or DBV_ACCTMGR) are for managing database security and not for database administration.
I have seen that you have some questions but you haven't given any points (helpful or correct) to anyone who has responded to your questions?