Real Application Security (RAS) and Oracle Application Express (APEX)
5 likes3,798 views
The document discusses Real Application Security (RAS) implemented in Oracle Application Express (APEX) by Dimitri Gielis, founder and CEO of apex R&D. It outlines security features including user authentication, authorization schemes, and fine-grained data access control while addressing challenges in data access control and providing examples. Additionally, it emphasizes RAS benefits such as stronger security, simpler development, and centralized management for application security.
Real Application Security (RAS) and Oracle Application Express (APEX)
- 1. Dimitri Gielis Real Application Security (RAS) in APEX www.apexRnD.be dgielis.blogspot.com @dgielis [email protected]
- 2. Dimitri Gielis ❖ Founder & CEO of APEX R&D ❖ 18+ years of Oracle Experience (OCP & APEX Certified) ❖ Oracle ACE Director ❖ “APEX Developer of the year 2009” by Oracle Magazine ❖ “Oracle Developer Choice award (ORDS)” in 2015 ❖ Author Expert Oracle Application Express ❖ Presenter at Oracle Conferences (OOW, ODTUG, OGh, UKOUG, …)
- 5. Agenda ❖ Security in an APEX app ❖ Introduction to Real Application Security (RAS) ❖ Using RAS in Oracle Application Express (APEX) ❖ Live demo implementing RAS in APEX app
- 7. Oracle APEX Security ❖ Authentication schemes ❖ Can I go in? - Users ❖ SSO, Custom table, APEX, DB… ❖ Authorization schemes ❖ What can I do? - Roles ❖ Defined on APEX components (page, item, navigation, …)
- 8. Access Control ❖ Easy wizard ❖ Creation of Authorization schemes & Admin screen ❖ Assign roles to users ❖ Targeted for UI, not for Data
- 10. Access Control admin screen
- 11. Challenges on Data Access Control What about data?
- 12. Challenges on Data Access Control ❖ Code executed under privileged user ❖ Database unaware of end users ❖ Data access policy (data security) is hard coded in ❖ Where-clause - application level ❖ Views - database level ❖ Virtual Private Database (VPD) - database level
- 13. Real Application Security (RAS)
- 14. Real Application Security (RAS) A database authorisation solution for end-to-end application security
- 15. RAS Key features ❖ Support Application Users and Sessions ❖ Schema-less user, security and application context in DB ❖ Support Application Privileges and Roles ❖ Support fine-grained data access control on rows and columns ❖ Based on user operation execution context ❖ Enforce security close to data
- 16. Example Application Security ❖ All employees can view public information ❖ An employee can view own record, update contact information ❖ Manager can view salary of his/her reports Name Manager SSN Salary Phone Number Adam Steven 515.123.4567 Neena Steven 515.123.4568 Nancy Neena 515.124.4569 Luis Nancy 515.124.4567 John Nancy 515.124.4269 Daniel Nancy 515.124.4469 Nancy Neena 108-51-4569 12030 650.111.3300 6900 8200 9000
- 17. RAS Concepts: Data Realms ❖ A group of rows representing a business object ❖ All employees ❖ My own employee record ❖ All employees under my report ❖ Assign privileges to columns ❖ viewSSN for SSN column ❖ viewSalary for Salary column Employee table My own My reports viewSSN viewSalary All records
- 18. RAS Concepts: Policy components ❖ Data Security policy is a collection of Data Realms and ACLs ❖ Each Data Realm has an associated ACL with grants Access Control List (ACL) -Grant select to Manager -Grant viewSalary to Manager Application Privilege -select,viewSalary Application Privilege -select,viewSalary Application Role - Manager Application Role - Manager Data Realm - Employees under my report Data Realm - Employees under my report Access Control List (ACL) -Grant select to Manager -Grant viewSalary to Manager Data Realm - Employees under my report Application Role - Manager Application Privilege -select,viewSalary
- 19. RAS: setup with PL/SQL API xs_principal.create_role(name => 'emp_role', enabled => true); xs_security_class.create_security_class( name => 'hr.hrprivs', parent_list => xs$name_list('sys.dml'), priv_list => xs$privilege_list(xs$privilege('view_salary')));
- 20. RAS Administration Tool 1. All records 2. My record 3. My reports Employees Table Restricted Salary & SSN Columns Privilege Grants Note: the RASADM (RAS Administration Tool) is written in APEX :)
- 21. RAS Administration Tool: ACLs Grants on my record Grants on all records Grants on my reports
- 22. RAS Administration Tool: Application Roles HR Representatives can view SSN Employees can view and update their own records Managers can view salaries of their reports
- 23. Real Application Security Features • VP delegating calendar management function to an AssistantControlled Delegation • Contractor getting access for a specific duration Effective-date support • Access to certain reports allowed only on intranetNegative grants • Batch programs with elevated privileges to summarize dataCode-based security • Conditional rendering of User InterfaceFunction Security • Application users, privileges, roles are known to databaseAuditing
- 24. Real Application Security Architecture Data Security Policy DB Sessions RAS Sessions SQL*PlusAPEX apps…
- 25. RAS in APEX
- 26. RAS Integration with APEX ❖ Application users continue to be provisioned in the database or identity stores ❖ User authentication remains in APEX ❖ RAS session contains application user, its roles, and session context ❖ Based on APEX user’s security context ❖ Application code executes within RAS session ❖ Attached and detached to a db session Page Request APEX Session Page Display Application code Detach RAS Session Attach RAS Session
- 27. RAS Integration with APEX 5 ❖ APEX can use RAS users, roles, and data security policy ❖ Instead of custom authorization using VPD ❖ RAS Session is transparently created based on APEX session ❖ For APEX authorization schemes, use RAS ACL check operators
- 28. Demo RAS in APEX
- 29. RAS Benefits ❖ Stronger security ❖ Enforced regardless of entry points: direct, APEX, or middleware ❖ Audit end-user activity in database audit trail ❖ Simpler development ❖ Declarative policy, relieves writing authorization code ❖ Native support for application roles, application privileges, application users ❖ High Performance Access Control ❖ Optimized for typical data access patterns within core database ❖ Simpler administration ❖ Centralized management, end-to-end uniform security across mid-tier and database
- 30. RAS - to know… ❖ One RAS repository for the whole database ❖ Takes a bit of time to get used to the implementation and naming ❖ RASADM can help, but … ❖ RASADM doesn’t expose all features ❖ RASADM app didn’t always behave as expected (had to patch it to get some things working ) ❖ Once you enable RAS make sure to test your app (!) APEX Advisor can’t check for the correct grants (yet).
- 31. References ❖ Oracle RAS Developer Guide docs.oracle.com/database/121 ❖ Oracle RAS Papers www.oracle.com/technetwork/database/security/real-application-security ❖ Presentation by Vikram Pesati ❖ Presentation by Joel Kallman & Tanvir Ahmed www.slideserve.com/odele/oracle-database-12c-real-application-security-for-oracle-application- express
- 33. ❖ Looking for consulting, training and development in Oracle Application Express (APEX)? ❖ Contact : www.apexRnD.be ❖ Mail : [email protected] Consulting, Development, Training