2 Replies. Latest reply: Jun 19, 2013 7:22 AM by jeff81

Database Vault Prevent Granting Proxy Privileges

jeff81 Newbie

Hi, I have Database Vault running on our 11.2.0.2 database on Windows Server 2008 R2, and we want to prevent the data vault manager from granting proxy privileges on certain users. So I came up with a rule that uses INSTR to parse the SQL text and return false if certain users are found. I then added this rule to the "Can Maintain Own Account" rule set. But to get this to work I had to take the code from the rules "Is Alter DVSYS Allowed" and "Login User Is Object User", add it in, and change the rule set options to ALL TRUE; then everything worked. But I didn't notice until now that this change prevented users from changing their own password.

Oh, and I also created another rule to prevent using the "identified by values" command for certain users.

Does anybody know what is wrong and why it is preventing users from changing their own password?

Here is my code:


--Prevent Proxy Privileges
-- Drop any earlier version of the rule before recreating it.
BEGIN
  DVSYS.DBMS_MACADM.DELETE_RULE(rule_name => 'NO_PROXY_PRIVILEGES');
END;
/
-- True when the statement text names none of the listed accounts with
-- GRANT CONNECT THROUGH, and the login user either alters its own account
-- or is allowed to alter users (the two default rules of the set, ORed).
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(rule_name => 'NO_PROXY_PRIVILEGES',
    rule_expr => '(INSTR(UPPER(DVSYS.DV_SQL_TEXT),''PR_DATA GRANT CONNECT THROUGH'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''JEFFL GRANT CONNECT THROUGH'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''ERICD GRANT CONNECT THROUGH'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''ATHENAG GRANT CONNECT THROUGH'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''ANGELAS GRANT CONNECT THROUGH'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''DENISED GRANT CONNECT THROUGH'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''KRISTAC GRANT CONNECT THROUGH'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''MAGGIEC GRANT CONNECT THROUGH'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''RICHARDK GRANT CONNECT THROUGH'') = 0)
      AND (UPPER(DVSYS.DV_LOGIN_USER) = UPPER(DVSYS.DV_DICT_OBJ_NAME)
        OR DVSYS.DBMS_MACADM.IS_ALTER_USER_ALLOW_VARCHAR(''"''||DVSYS.DV_LOGIN_USER||''"'') = ''Y'')');
  COMMIT;
END;
/
BEGIN
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Can Maintain Own Account',
                                         rule_name     => 'NO_PROXY_PRIVILEGES');
END;
/
--Prevent alter user identified by values statement
BEGIN
  DVSYS.DBMS_MACADM.DELETE_RULE(rule_name => 'NO_IDENTIFIED_BY_VALUES');
END;
/
-- Same shape as NO_PROXY_PRIVILEGES, matching IDENTIFIED BY VALUES instead.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(rule_name => 'NO_IDENTIFIED_BY_VALUES',
    rule_expr => '(INSTR(UPPER(DVSYS.DV_SQL_TEXT),''PR_DATA IDENTIFIED BY VALUES'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''JEFFL IDENTIFIED BY VALUES'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''ERICD IDENTIFIED BY VALUES'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''ATHENAG IDENTIFIED BY VALUES'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''ANGELAS IDENTIFIED BY VALUES'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''DENISED IDENTIFIED BY VALUES'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''KRISTAC IDENTIFIED BY VALUES'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''MAGGIEC IDENTIFIED BY VALUES'') = 0
      AND INSTR(UPPER(DVSYS.DV_SQL_TEXT),''RICHARDK IDENTIFIED BY VALUES'') = 0)
      AND (UPPER(DVSYS.DV_LOGIN_USER) = UPPER(DVSYS.DV_DICT_OBJ_NAME)
        OR DVSYS.DBMS_MACADM.IS_ALTER_USER_ALLOW_VARCHAR(''"''||DVSYS.DV_LOGIN_USER||''"'') = ''Y'')');
  COMMIT;
END;
/
BEGIN
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Can Maintain Own Account',
                                         rule_name     => 'NO_IDENTIFIED_BY_VALUES',
                                         rule_order    => 2);
END;
/
--Change Can Maintain Own Account rule set eval options to ALL TRUE
-- Every rule in the set must now be true for the command to be allowed.
BEGIN
  DVSYS.DBMS_MACADM.UPDATE_RULE_SET(rule_set_name   => 'Can Maintain Own Account',
                                    description     => 'Rule set that controls the roles that can manage user accounts and profiles or your own account.',
                                    enabled         => 'Y',
                                    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
                                    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
                                    fail_options    => 1,
                                    fail_message    => NULL,
                                    fail_code       => NULL,
                                    handler_options => 0,
                                    handler         => NULL);
END;
/
-- Remove the two default rules; their logic now lives inside the new rules.
BEGIN
  DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(rule_set_name => 'Can Maintain Own Account',
                                              rule_name     => 'Is Alter DVSYS Allowed');
END;
/
BEGIN
  DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(rule_set_name => 'Can Maintain Own Account',
                                              rule_name     => 'Login User Is Object User');
END;
/
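As an added example (not part of the original post and not Oracle's code), here is a small Python model of how a Database Vault rule set combines its rules under ANY TRUE versus ALL TRUE, run against constructed ALTER USER statements. The Context fields stand in for DVSYS.DV_SQL_TEXT, DV_LOGIN_USER, DV_DICT_OBJ_NAME and the IS_ALTER_USER_ALLOW_VARCHAR check; the account list is the one from the post, while the scenarios, the login name DVOWNER and the `by_object` rule are assumptions. It shows why an extra restricting rule has no effect in an ANY TRUE set (the reason the post folds the two shipped rules into each new rule and switches to ALL TRUE), and how a rule that matches account names inside the statement text responds to spacing and quoting, whereas one keyed on the parsed object name does not. It does not model the password-change failure the post asks about.

```python
"""Model of Database Vault rule-set evaluation (added example, not Oracle's code).

A rule set evaluates each rule as a boolean and combines the results with
ANY TRUE (DBMS_MACUTL.G_RULESET_EVAL_ANY) or ALL TRUE (G_RULESET_EVAL_ALL).
Assumption: the Context fields hold what the DVSYS functions would return.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Account names taken from the rules in the post.
PROTECTED_USERS = {"PR_DATA", "JEFFL", "ERICD", "ATHENAG", "ANGELAS",
                   "DENISED", "KRISTAC", "MAGGIEC", "RICHARDK"}

EVAL_ANY, EVAL_ALL = 0, 1  # DBMS_MACUTL.G_RULESET_EVAL_ANY / G_RULESET_EVAL_ALL


@dataclass
class Context:
    sql_text: str             # DVSYS.DV_SQL_TEXT
    login_user: str           # DVSYS.DV_LOGIN_USER
    dict_obj_name: str        # DVSYS.DV_DICT_OBJ_NAME, the parsed ALTER USER target
    alter_user_allowed: bool  # IS_ALTER_USER_ALLOW_VARCHAR('"<login>"') = 'Y'


Rule = Callable[[Context], bool]
RuleSet = Tuple[List[Rule], int]


# The two rules Database Vault ships in "Can Maintain Own Account".
def login_user_is_object_user(ctx: Context) -> bool:
    return ctx.login_user.upper() == ctx.dict_obj_name.upper()


def is_alter_dvsys_allowed(ctx: Context) -> bool:
    return ctx.alter_user_allowed


def default_rules_as_one(ctx: Context) -> bool:
    # The OR the post folds into each new rule so the set can run as ALL TRUE.
    return login_user_is_object_user(ctx) or is_alter_dvsys_allowed(ctx)


def _text_names_protected_user(ctx: Context, clause: str) -> bool:
    # INSTR(UPPER(DV_SQL_TEXT), '<USER> <CLAUSE>') <> 0 for any listed account.
    text = ctx.sql_text.upper()
    return any(f"{user} {clause}" in text for user in PROTECTED_USERS)


def no_proxy_privileges_text(ctx: Context) -> bool:
    """The post's NO_PROXY_PRIVILEGES rule: substring match on the raw text."""
    return (not _text_names_protected_user(ctx, "GRANT CONNECT THROUGH")
            and default_rules_as_one(ctx))


def no_identified_by_values_text(ctx: Context) -> bool:
    """The post's NO_IDENTIFIED_BY_VALUES rule, same shape."""
    return (not _text_names_protected_user(ctx, "IDENTIFIED BY VALUES")
            and default_rules_as_one(ctx))


def no_proxy_privileges_by_object(ctx: Context) -> bool:
    """Hypothetical rewrite: match only the clause in the text and take the
    account from the parsed object name, so spacing and quoting do not matter."""
    is_proxy_grant = re.search(r"\bGRANT\s+CONNECT\s+THROUGH\b", ctx.sql_text, re.I)
    return not (is_proxy_grant and ctx.dict_obj_name.upper() in PROTECTED_USERS)


def evaluate_rule_set(rule_set: RuleSet, ctx: Context) -> bool:
    rules, eval_option = rule_set
    results = [rule(ctx) for rule in rules]
    return all(results) if eval_option == EVAL_ALL else any(results)


# Four configurations of "Can Maintain Own Account".
SHIPPED = ([login_user_is_object_user, is_alter_dvsys_allowed], EVAL_ANY)
SHIPPED_PLUS_RULE = ([login_user_is_object_user, is_alter_dvsys_allowed,
                      no_proxy_privileges_by_object], EVAL_ANY)
POSTED = ([no_proxy_privileges_text, no_identified_by_values_text], EVAL_ALL)
OBJECT_KEYED = ([default_rules_as_one, no_proxy_privileges_by_object], EVAL_ALL)


def decide(ctx: Context) -> Dict[str, bool]:
    """Allow (True) or deny (False) decision of each configuration for one statement."""
    return {"shipped": evaluate_rule_set(SHIPPED, ctx),
            "shipped_plus_rule": evaluate_rule_set(SHIPPED_PLUS_RULE, ctx),
            "posted": evaluate_rule_set(POSTED, ctx),
            "object_keyed": evaluate_rule_set(OBJECT_KEYED, ctx)}


# Constructed scenarios, not captured sessions. DVOWNER is a made-up login.
OWN_PASSWORD = Context("ALTER USER jeff81 IDENTIFIED BY newpw1", "JEFF81", "JEFF81", False)
PROXY_ON_PROTECTED = Context("ALTER USER ericd GRANT CONNECT THROUGH appproxy",
                             "DVOWNER", "ERICD", True)
PROXY_QUOTED = Context('ALTER USER "ERICD"  GRANT CONNECT THROUGH appproxy',
                       "DVOWNER", "ERICD", True)
PROXY_ON_OTHER = Context("ALTER USER xjeffl GRANT CONNECT THROUGH appproxy",
                         "DVOWNER", "XJEFFL", True)

if __name__ == "__main__":
    for name, ctx in [("own password change", OWN_PASSWORD),
                      ("proxy grant on protected user", PROXY_ON_PROTECTED),
                      ("same grant, quoted identifier", PROXY_QUOTED),
                      ("proxy grant on xjeffl", PROXY_ON_OTHER)]:
        print(f"{name:30} {decide(ctx)}")
```

Two results are worth reading off: `shipped_plus_rule` allows the proxy grant on a protected account because ANY TRUE is satisfied by the shipped "allowed to alter users" rule alone, which is why a restriction only bites once the set runs as ALL TRUE; and the text-matching rule denies the grant on XJEFFL (the name contains JEFFL) while giving a different answer for the same grant on ERICD depending on how the statement is written, whereas the object-keyed rule decides on DV_DICT_OBJ_NAME alone.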
