Row Level Security Part 2 – permissions November 20, 2012
Posted by mwidlake in internals, security, SQL.Tags: security, SQL, system development
trackback
<..Part 1, introduction..
..Part 3 summary in pictures..>
In this second post on the topic of “an introduction to Row Level Security” I want to cover a few things about what permissions you need to implement RLS and some of the consequences. In my introduction in part one I just said my main user has “DBA type Privileges”.
{NB This is all on Oracle V11.2 and I believe everything below is applicable to V10 as well. Also, I should point out that I am not an Oracle security expert – but despite repeatedly saying this, it seems like at least once a year I am asked to improve a system’s security on the grounds of “more than we have now is an improvement”}.
Firstly, you need the permission to create and drop RLS policies. This is controlled by having the EXECUTE privilege on SYS.DBMS_RLS. That is it. If you can execute this package you can create and drop RLS Policies, enable and disable them and also create, manage and use Policy Groups.
Obviously EXECUTE on SYS.DBMS_RLS is a privilege you need to restrict to only “empowered” accounts- but you also want to be very careful about your definition of empowered. If an account has this privilege, it can alter (disable!) any RLS policies that ANYONE created on the instance. You may need to think carefully about having several accounts that can alter all the RLS policies across all schemas in your instance.
You might want to create a single user that has the EXECUTE on SYS.DBMS_RLS and use that to implement and control RLS across the instance {and even have the account locked when it is not needed}. Of course, under normal Oracle anyone with SYS access can run the procedure – but you have SYS access under control already, don’t you?… :-).
By default, who has this privilege?
MDW> @obj_privs Enter value for obj_name: dbms_rls Enter value for obj_own: sys GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRA -------------------- ------------ ---------------------- -------- ------------ --- EXECUTE_CATALOG_ROLE SYS DBMS_RLS SYS EXECUTE NO XDB SYS DBMS_RLS SYS EXECUTE NO WMSYS SYS DBMS_RLS SYS EXECUTE NO -- -- and who has that EXECUTE_CATALOG_ROLE? -- select * from dba_role_privs where granted_role='EXECUTE_CATALOG_ROLE' GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- DBA EXECUTE_CATALOG_ROLE YES YES IMP_FULL_DATABASE EXECUTE_CATALOG_ROLE NO YES EXP_FULL_DATABASE EXECUTE_CATALOG_ROLE NO YES SYS EXECUTE_CATALOG_ROLE YES YES
So, our old friend the DBA role has that privilege, via the EXECUTE_CATALOG_ROLE and IMP_/EXP_FULL_DATABASE.
Let’s go back to creating policies. I’m sticking to row-level RLS for now, not column-level. When you create a policy you basically are saying “when object X is accessed, run function Y and apply the resulting string to all access, as a predicate”
Lifted an example from the manual, but adding in a couple of bits the authors were too lazy to put in { 🙂 } :-
DBMS_RLS.ADD_POLICY ( object_schema => 'hr' ,object_name => 'employees' ,policy_name => 'emp_policy' ,function_schema => 'hr_rls' ,policy_function => 'emp_sec' ,statement_types => 'select');
The function HR_RLS.EMP_SEC returns a string P1
When someone issues a statement that access the HR.EMPLOYEES table the function HR_RLS.EMP_SEC is executed as part of the parse and, internally, the following view is created and placed into the orginal statement:
SELECT * FROM hr.employees WHERE P1;
As this takes place as part of the parse part of the statement processing, errors with the function are found before any effort to access the actual data occur. It is also why it is not simple to avoid RLS – it is done as part of the overall SQL processing carried out by Oracle.
If the function is invalid, generates an error or the supplied “WHERE predicate” P1 causes the final statement to be syntactically incorrect, you get an error.
At this point Oracle fails “secure” and simply won’t fire the SQL statement. Even if you own the tables and have full privilege access to them. I think it is worth a quick demonstration
I am logged on as the owner of the table and RLS function, MDW:-
MDW> select * from test1
ID CP_NAME OTHER_NAME MASK_FL
---------- ------------------------------ ------------------------------ ----------
1 ERIC ERIC THE RED 1
2 BROWN BOB THE BROWN 2
3 GREEN GARY THE GREEN 1
4 BLUE BILL THE BLUE 3
5 BLACK DAVE THE BLACK 4
6 PURPLE PETE THE PURPLE 5
7 RED ROGER THE RED 6
--
--All works OK
MDW> @rls_func_damage
--
CREATE OR REPLACE FUNCTION hide_rows (
v_schema IN VARCHAR2
,v_objname IN VARCHAR2)
RETURN VARCHAR2 AS
con VARCHAR2 (200);
BEGIN
-- The line below states loser not user
con := (loser='''||v_schema||''' or MASK_FL > 3)';
RETURN (con);
END hide_rows;
/
Function created.
--
-- Let us check the predicate coming from the function
--
select hide_rows(v_schema=>user,v_objname=>'TEST1') from dual;
HIDE_ROWS(V_SCHEMA=>USER,V_OBJNAME=>'TEST1')
---------------------------------------------------------------------------------------
(loser='MDW' or MASK_FL > 3)
-- "loser" is not a valid piece of syntax or a known variable. So...
--
select * from TEST1
*
ERROR at line 1:
ORA-28113: policy predicate has error
-- I now damage the statement creating the function so that it is syntactically incorrect
CREATE OR REPLACE FUNCTION hide_rows (
...
-- missing quote
con := (loser='''||v_schema||''' or MASK_FL > 3)';
...
Warning: Function created with compilation errors.
select * from TEST1
*
ERROR at line 1:
ORA-28110: policy function or package MDW.HIDE_ROWS has error
--re-create the function as I started with
Function created.
select * from TEST1
ID CP_NAME OTHER_NAME MASK_FL
---------- ------------------------------ ------------------------------ ----------
1 ERIC ERIC THE RED 1
2 BROWN BOB THE BROWN 2
...
7 RED ROGER THE RED 6
--
-- Back to a working system
As you can see, you get ORA-28110 if the function used by the RLS policy is damaged and ORA-28113 if the function returns a non-valid WHERE Predicate. In either case, the data in those tables is now inaccessible. That could be a problem…
It is of course very interesting that RLS is kind of “blind” to the functions it uses until it uses it. You can alter RLS activity if you can alter the functions.
Last post I mentioned that, as you RLS security is based on these functions, you should give thought to who can see them and change them. Hopefully the above highlights that. There is another access aspect to these functions that is key.
In the first example where I use DBMS_RLS.ADD_POLICY, I state function_schema – this is who owns the PL/SQL function. It defaults to the person who creates the Policy. The function is fired in the standard way with DEFINER RIGHTS – i.e. the rights of the function owner. {You could override this when creating the function such that it runs with executioner rights – but that strikes me as a potentially very confusing and a source of much pain and anguish}.
So the function can see what the owner can see, not the executioner. This has two key effects:
- You can restrict the access to any DB objects that the function requires to the owner of the function. The end user does not need to have access and it may be more secure if they do not.
- You have to grant access to objects directly to the function owner, via either object grants or system grants. Stored PL/SQL does not “see” roles if executed with definer rights.
So eg if your function is owned by MDW and references a master table called SEC_MASTER.MASKED_USERS then you need to grant select on SEC_MASTER.MASKED_USERS to MDW. No using roles.
{of course, calling a table MASKED_USERS might give anyone acquiring access to the DB a clue that it is important. I tend to call such “security important” tables things that are “obviously” boring, like ROTA_DATA.}
Finally, that WHERE Predicate P1 is in effect added to your SQL statement. It can be pretty much anything. It can reference other database objects. If it references other database objects THE EXECUTING USER MUST BE ABLE TO SEE THEM. Not the owner of the function; that function has been fired and the WHERE Predicate generated already. On actually running the SQL, the executing user must have access to all objects referenced, including those introduced by the P1 WHERE Predicate. Oh, and remember synonyms!
There is there a way to sidestep RLS and you sometimes need to.
If your logon has the EXEMPT ACCESS POLICY system privilege then RLS functions are utterly ignored by you. No check is made to see if policies apply to your SQL statements, let alone run them. You may need to use this privilege if you need to access functionality that RLS has issues with (see comments by Dom Brooks and Tony Sleight on my first post). You might also need it if you have errors with the policies but you need access to the data to keep the business moving. You probably need a locked-down user somewhere with the EXEMPT ACCESS POLICY privilege if you use RLS.
Of course, great care has to be taken in making use of this privilege as it side-steps all RLS_based security.
If you have master users that have full access to the data, this privilege also removes the overhead of the SQL engine identifying any policies, firing the function and including the extra predicates.
One very final point. I have found myself writing RLS functions that all check if the user was the owner of the table and, if so, allowing them to see all data. By granting EXEMPT ACCESS POLICY to that user I was able to do away with those checks and make the functions much simpler. In this case I did not so much think of EXEMPT ACCESS POLICY turning off security but the lack of it turning it on for restricted users.
That will do for part 2.
Martin Widlake's Yet Another Oracle Blog 
[…] <..Part one intro and examples <….Part two Permissions […]
Thank you so much for these posts about RLS! I can finally see how it all fits together and can work for the specific requirements of my database. Many thanks!
Hi Marian,
I’m happy they have helped 🙂