| ORA-00904: invalid identifier on table audited with dbms_fga policy [message #286983] |
Mon, 10 December 2007 15:11  |
ladyhawkeye
Messages: 6
Registered: December 2007
|
Junior Member |
|
|
All -
I was hoping that someone may be able to help here. I have gone through all of the normal reference points and have been completely unsuccessful in resolving my issue.
We have implemented Fine-Grained Auditing on 2 tables that contain customer credit card and billing address information.
The problem that I have encountered is that I am receiving an ORA-00904: invalid identifier error everytime something tries to access the credit card table once the auditing policies are enabled.
We have set our audit_trail initialization parameter to AUDIT_TRAIL=DB and we have restarted the database instance. This error only occurs in production and did not occur in staging whilst I was testing my implementation.
We have created a user for managing all auditing activities called FGA_OWN, here are it's privileges:
create user FGA_OWN identified by FGA_OWN
default tablespace FGADATA
temporary tablespace TEMP
PROFILE ADMINISTRATOR;
grant resource to FGA_OWN;
grant create session to FGA_OWN;
grant select any dictionary to FGA_OWN;
alter user FGA_OWN quota unlimited on FGADATA;
grant execute on sys.dbms_fga to FGA_OWN;
create directory audit_dir as '/var/tmp/';
grant write on directory audit_dir to FGA_OWN;
grant select, delete on sys.aud$ to FGA_OWN;
grant delete on sys.fga_log$ to FGA_OWN;
grant select on dba_common_audit_trail to FGA_OWN;
grant select on dba_fga_audit_trail to FGA_OWN;
grant select on dba_audit_trail to FGA_OWN;
grant audit any to FGA_OWN;
grant audit system to FGA_OWN;
grant select on audit_actions to FGA_OWN;
The FGA policies look like the following:
begin
dbms_fga.add_policy(
object_schema=>'SCHEMA_NAME',
object_name=>'CREDIT_CARD_TABLE',
policy_name=>'ACCESS_CREDIT_CARD',
audit_condition=>'FGA_OWN.CANSEEIT > 0',-- func. defined below
audit_column=> NULL, -- audit all columns in table
handler_schema=> NULL,
handler_module=> NULL,
statement_types=>'SELECT,INSERT,UPDATE,DELETE',
enable=>TRUE);
begin
dbms_fga.add_policy(
object_schema=>'SCHEMA_NAME',
object_name=>'BILL_ADDR_TABLE',
policy_name=>'ACCESS_BILL_ADDR',
audit_condition=>'FGA_OWN.CANSEEIT > 0',-- func. defined below
audit_column=> NULL, -- audit all columns in table
handler_schema=> NULL,
handler_module=> NULL,
statement_types=>'SELECT,INSERT,UPDATE,DELETE',
enable=>TRUE);
And the FGA_OWN.CANSEEIT function is as follows:
create or replace function FGA_OWN.CANSEEIT return number
as
v_count integer:=0;
v_hostname VARCHAR2(100);
begin
select count(*) into v_count from
(select sys_context ('USERENV','SESSION_USER')
from dual
minus
select username from fgalogstby.allowed_to_use);
v_hostname := LOWER(sys_context('USERENV','HOST'));
if instr (v_hostname, '.') > 0 then
v_hostname := substr(v_hostname,1, instr(v_hostname, '.')-1);
end if;
if instr (v_hostname, '\') > 0 then
v_hostname := replace(v_hostname,chr(0));
end if;
if v_count = 0 then
select count(*) into v_count
from (select v_hostname
from dual
minus
select lower(machine) from fgalogstby.allowed_host
where lower(machine) = v_hostname);
end if;
return v_count;
end;
/
When I disable the policies using DBMS_FGA.DISABLE_POLICY - the error goes away and our system returns to normal (although we are not auditing access on the tables that we need, only the standard auditing is in place).
I have spent alot of time trying to research this issue on Technet and Metalink and cannot come up with anything. Do any of you have any insight? Have any of you ever seen this issue before?
Let me know if you need any more information.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
