Oracle RAS

Oracle Real Application Security

This is a built-in Enterprise Edition feature (no additional license required), introduced in Oracle 12c.

Overview

RAS implements virtual users who connect as XS$NULL with individual passwords and see a manipulated view of the target schema objects. This includes data redaction (without the need for an Advanced Security license) and pruning of rows, similar to VPD. The session context of such a user looks like this:

SELECT SYS_CONTEXT('userenv','current_user') FROM dual;


XS$NULL

SELECT SYS_CONTEXT('userenv','current_schema') FROM dual;


SCHEMA_USER

SELECT SYS_CONTEXT('userenv','authenticated_identity') FROM dual;


VIRTUAL_USER

Setup

Create RAS Administrator

GRANT dba, xs_session_admin TO &RAS_ADMIN;

Create DB Role with permissions on Target Schema

CREATE ROLE &target_role;

GRANT ALL ON &target_object TO &target_role;

Create RAS Users and Roles

exec xs_principal.create_role(name => '&low_priv', enabled => true);

exec xs_principal.create_role(name => '&mid_priv', enabled => true);

exec xs_principal.create_role(name => '&top_priv', enabled => true);

GRANT &target_role TO &low_priv,&mid_priv,&top_priv;

exec xs_principal.create_user(name => '&low_user', schema => '&target_schema');

Create RAS Access Control Entities

Create masking and filtering realm policies

Associate Policies with Tables
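
The three steps above, sketched as an added example (not from the original page) using the XS_SECURITY_CLASS, XS_ACL and XS_DATA_SECURITY packages. It assumes a hypothetical table &target_table with EMAIL and SALARY columns, where EMAIL holds the RAS user name; app_privs, view_salary, low_acl, top_acl and target_ds are names invented for illustration.

```sql
-- Added example. Hypothetical: &target_table, its EMAIL and SALARY columns,
-- and the names app_privs, view_salary, low_acl, top_acl, target_ds.
DECLARE
  aces   xs$ace_list               := xs$ace_list();
  realms xs$realm_constraint_list  := xs$realm_constraint_list();
  cols   xs$column_constraint_list := xs$column_constraint_list();
BEGIN
  -- Security class: standard DML privileges plus one custom column privilege.
  sys.xs_security_class.create_security_class(
    name        => 'app_privs',
    parent_list => xs$name_list('sys.dml'),
    priv_list   => xs$privilege_list(xs$privilege('view_salary')));

  -- ACL for the low-privilege role: SELECT only, no VIEW_SALARY.
  aces.extend(1);
  aces(1) := xs$ace_type(privilege_list => xs$name_list('select'),
                         principal_name => '&low_priv');
  sys.xs_acl.create_acl(name => 'low_acl', ace_list => aces,
                        sec_class => 'app_privs');

  -- ACL for the top role: SELECT plus VIEW_SALARY.
  aces(1) := xs$ace_type(privilege_list => xs$name_list('select', 'view_salary'),
                         principal_name => '&top_priv');
  sys.xs_acl.create_acl(name => 'top_acl', ace_list => aces,
                        sec_class => 'app_privs');

  -- Filtering: each realm is a row predicate guarded by an ACL.
  realms.extend(2);
  realms(1) := xs$realm_constraint_type(
    realm    => 'email = xs_sys_context(''xs$session'',''username'')',
    acl_list => xs$name_list('low_acl'));   -- own row only
  realms(2) := xs$realm_constraint_type(
    realm => '1 = 1', acl_list => xs$name_list('top_acl'));  -- all rows

  -- Masking: SALARY is returned as NULL unless the ACL grants VIEW_SALARY.
  cols.extend(1);
  cols(1) := xs$column_constraint_type(
    column_list => xs$list('salary'),
    privilege   => 'view_salary');

  sys.xs_data_security.create_policy(
    name => 'target_ds', realm_constraint_list => realms,
    column_constraint_list => cols);
  -- Associate the policy with the table.
  sys.xs_data_security.apply_object_policy(
    policy => 'target_ds', schema => '&target_schema', object => '&target_table');
END;
/
```

With this policy applied, a user holding only the low-privilege role sees their own row with SALARY as NULL, while a user holding the top role sees every row with the column unmasked.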