Re: Real Application Security with centrally-managed users

From: Timur Akhmadeev <timur.akhmadeev_at_gmail.com>
Date: Thu, 15 Feb 2024 21:35:32 +0300
Message-ID: <CACGsLCLkA=bW3vzOpk7MYFxfO14PvADuU4pEzn6_8Sik4Uk+hw_at_mail.gmail.com>

Hi Tim,

I know a little bit of CMU and glanced at RAS documentation. My understanding is that those two have a few similarities.

CMU is a way to provide transparent authentication and (optionally) authorization via role mappings for end users from AD. Depending on your requirements you may configure authorization (mapping of the AD roles to DB roles) with CMU, but it is not a requirement. You can use just the authentication part and manage authorization manually.

Now the RAS, from what I quickly read, provides fine-grained authorization for application users beyond simple roles. Most of the docs mention creating app users in the DB via the package xs_principal, and they also mention the users could be mapped to a directory server.
According to the docs
<https://docs.oracle.com/en/database/oracle/oracle-database/21/dbfsg/XS_PRINCIPAL-package.html#GUID-AB88CD3F-89B0-4C25-A404-D5C8D7FEB1AD>
the password for those external users can't be set via set_password, which makes me think RAS can work as an authentication mechanism in a way similar to CMU. Otherwise, they would have to store passwords in the DB. So I would say if you're looking at RAS then possibly you don't even need CMU, as RAS should be able to support AD users. I haven't touched RAS and obviously may be wrong.

HTH

On Wed, Feb 14, 2024 at 12:32 AM Tim Gorman <tim.evdbt_at_gmail.com> wrote:

> Friends and colleagues,
>
> I'm working on a problem involving two somewhat obscure -- but vitally
> important -- pieces of functionality in Oracle19c...
>
> - Real Application Security (RAS)
> - Centrally-managed users (CMU)
>
> In general, RAS is the successor to virtual private databases (VPDs),
> which was introduced way back in Oracle8i for fine-grained row-level
> security and column-level security. CMU is the management of database
> users by a centralized external authority such as Microsoft Active
> Directory, rather than an Oracle DBA using CREATE USER commands in each
> Oracle database.
>
> There is copious documentation and support for either mechanism, but I am
> hard-pressed to find anything indicates that both can be used together.
>
> We've already started down the road of devising a custom solution for
> integrating the two, but it is hitting difficulties, so I would like to
> find out if anyone on this list has any experience -- or knows of someone
> who has experience -- using both RAS and CMU together?
>
> If anyone from the security or identity-management product groups at
> Oracle could offer any advice, it would be gratefully accepted!
>
> Please let me know what you think?
>
> Thanks!
>
> -Tim
>

-- 
Regards
Timur Akhmadeev

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Feb 15 2024 - 19:35:32 CET
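Added illustration (not from either message in this thread, and not Oracle's own sample code) of the two pieces the reply describes: CMU mapping of a shared database user and a database role to AD groups, and a RAS application user created through XS_PRINCIPAL with an external identity source. All DNs, user, role, schema and table names are placeholders; the AD-side dsi.ora/wallet setup that CMU needs is assumed to be in place and is not shown; the string passed as external_source is an assumption about its format, as is the exact error SET_PASSWORD raises for an external user (the thread only says it is not allowed).

```sql
-- CMU, authentication part: one shared global user mapped to an AD group DN.
-- Any AD account in that group can log in as this database user; no per-person
-- CREATE USER is needed and no password is stored in the database.
-- (DN and names are placeholders.)
CREATE USER app_sales_shared IDENTIFIED GLOBALLY AS
  'CN=sales_staff,OU=Groups,DC=corp,DC=example,DC=com';
GRANT CREATE SESSION TO app_sales_shared;

-- CMU, optional authorization part: a database role mapped to an AD group.
-- Membership in the AD group is what grants the role at login; dropping the
-- account from the group removes the privilege without touching the database.
CREATE ROLE sales_reader IDENTIFIED GLOBALLY AS
  'CN=sales_readers,OU=Groups,DC=corp,DC=example,DC=com';
GRANT SELECT ON sales.orders TO sales_reader;

-- Check: globally authenticated users and the DN each one is mapped to.
SELECT username, external_name
  FROM dba_users
 WHERE authentication_type = 'GLOBAL';

-- RAS side: an application user whose identity comes from an external source,
-- attached to the schema above. external_source is an assumed value; consult the
-- XS_PRINCIPAL docs linked in the thread for the accepted format.
BEGIN
  XS_PRINCIPAL.CREATE_USER(
    name            => 'ad_alice',
    schema          => 'APP_SALES_SHARED',
    external_source => 'ad.corp.example.com');  -- assumption
END;
/

-- Fine-grained authorization lives in RAS roles, not in CMU-mapped DB roles.
BEGIN
  XS_PRINCIPAL.CREATE_ROLE(name => 'sales_viewer', enabled => TRUE);
  XS_PRINCIPAL.GRANT_ROLES(principal => 'ad_alice', role => 'sales_viewer');
END;
/

-- Caveat the reply points at: for an externally sourced RAS user this call is
-- expected to fail, because the password is not held in the database. The exact
-- error is not stated in the thread; treat a failure here as the expected outcome.
BEGIN
  XS_PRINCIPAL.SET_PASSWORD(name => 'ad_alice', password => 'placeholder');
END;
/
```

The split to keep in mind when wiring the two together: CMU decides who gets a database session and which database roles come with it; RAS decides, within that session, which application principal is active and which RAS roles and ACLs apply. Running the SET_PASSWORD block is a cheap way to confirm the RAS user really is external before relying on that assumption in a design.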
