[Learn Oracle 18c with Me] Day 28: Multitenant: 18 Managing Security for a Multitenant Environment (new feature: PDB lockdown profiles)

18 Managing Security for a Multitenant Environment

You can use SQL*Plus and Oracle Enterprise Manager to manage the common and local users and roles of a multitenant environment.

18.1 Managing Security for a Multitenant Environment

You can manage common and local users and roles for a multitenant environment by using SQL*Plus or SQL Developer.


18.1.1 Managing Commonly and Locally Granted Privileges


18.1.1.1 How the Oracle Multitenant Option Affects Privileges

In a multitenant environment, all users, including common users, can exercise their privileges only in the current container. However, a user who is connected to the root can perform certain operations that affect other pluggable databases (PDBs). These operations include ALTER PLUGGABLE DATABASE, CREATE USER, CREATE ROLE, and ALTER USER. The common user must have the commonly granted privileges that support these operations. A common user connected to the root can view metadata pertaining to PDBs through the container data objects in the root (for example, multitenant container database (CDB) views and V$ views), provided that the common user has been granted the privileges required to access these views and that the user's CONTAINER_DATA attribute has been set to allow viewing data about the various PDBs. A common user cannot query tables or views in a PDB.

Common users cannot exercise their privileges across other PDBs. They must first switch to the PDB that they want, and then exercise their privileges from there. To switch to a different container, a common user must have the SET CONTAINER privilege. The SET CONTAINER privilege must be granted either commonly or in the container to which the user is attempting to switch. Alternatively, a common user can start a new database session whose initial current container is the container this user wants, which relies on the CREATE SESSION privilege in that PDB.

Be aware that commonly granted privileges may interfere with the security configured for individual PDBs. For example, suppose an application PDB database administrator wants to prevent any user in the PDB from modifying a particular application common object. A privilege (such as UPDATE) granted commonly to PUBLIC, or to a common user or common role on the object, would circumvent the PDB database administrator's intent.


18.1.1.2 About Commonly and Locally Granted Privileges

In a multitenant environment, both common users and local users can grant privileges to one another.

A privilege itself is neither common nor local. How a privilege applies depends on whether it is granted commonly or locally.

For commonly granted privileges:

  • A privilege that is granted commonly can be used in every existing and future container.

  • Only common users can grant privileges commonly, and only if the grantee is common.

  • A common user can grant privileges to another common user or to a common role.

  • The grantor must be connected to the root and must specify CONTAINER=ALL in the GRANT statement.

  • Both system and object privileges can be commonly granted. (Object privileges become actual only with regard to the specified object.)

  • When a common user connects to or switches to a given container, this user's ability to perform various activities (such as creating a table) is controlled by privileges granted commonly as well as privileges granted locally in the given container.

  • Do not grant privileges to PUBLIC commonly.

For locally granted privileges:

  • A privilege granted locally can be used only in the container in which it was granted. When the privilege is granted in the root, it applies only to the root.

  • Both common users and local users can grant privileges locally.

  • A common user and a local user can grant privileges to other common or local roles.

  • The grantor must be connected to the container and must specify CONTAINER=CURRENT in the GRANT statement.

  • Any user can grant a privilege locally to any other user or role (both common and local) or to the PUBLIC role.


18.1.1.3 How Commonly Granted System Privileges Work

Users can exercise system privileges only within the PDB in which they were granted.
For example, if a system privilege is locally granted to common user A in PDB B, then user A can use that privilege only while connected to PDB B.

System privileges can apply in the root and in all existing and future PDBs if the following requirements are met:

  • The system privilege grantor is a common user and the grantee is a common user, a common role, or the PUBLIC role. Do not commonly grant system privileges to the PUBLIC role, because this in effect makes the system privilege available to all users.

  • The system privilege grantor possesses the ADMIN OPTION for the commonly granted privilege

  • The GRANT statement must contain the CONTAINER=ALL clause.

The following example shows how to commonly grant a privilege to the common user c##hr_admin.

CONNECT SYSTEM 
Enter password: password
Connected.

GRANT CREATE ANY TABLE TO c##hr_admin CONTAINER=ALL;


18.1.1.4 How Commonly Granted Object Privileges Work

An object privilege on a common object applies to that object and to all associated links on that common object.
These links include all metadata links, data links (formerly called object links), or extended data links associated with it, in the root and in all PDBs that belong to the container (including future PDBs), if certain requirements are met.
These requirements are as follows:

  • The object privilege grantor is a common user and the grantee is a common user, a common role, or the PUBLIC role.

  • The object privilege grantor possesses the commonly granted GRANT OPTION for the privilege

  • The GRANT statement contains the CONTAINER=ALL clause.

The following example shows how to grant an object privilege to the common user c##hr_admin so that he can select from the DBA_PDBS view in the CDB root or in any of the associated PDBs that he can access.

CONNECT SYSTEM
Enter password: password
Connected.

GRANT SELECT ON DBA_PDBS TO c##hr_admin 
CONTAINER=ALL;


18.1.1.5 Granting or Revoking Privileges to Access a PDB

You can grant and revoke privileges for PDB access in a multitenant environment.
To grant privileges in a multitenant environment:

  • Include the CONTAINER clause in the GRANT or REVOKE statement.

Setting CONTAINER to ALL applies the privilege to all existing and future containers; setting it to CURRENT applies the privilege to the local container only. Omitting the CONTAINER clause applies the privilege to the local container. If you issue the GRANT statement from the root and omit the CONTAINER clause, then the privilege is applied locally.


18.1.1.6 Example: Granting a Privilege in a Multitenant Environment
You can use the GRANT statement to grant privileges in a multitenant environment.
Example 18-1 shows how to commonly grant the CREATE TABLE privilege to the common user c##hr_admin so that this user can use the privilege in all existing and future containers.
Example 18-1 Granting a Privilege in a Multitenant Environment

CONNECT SYSTEM
Enter password: password
Connected.

GRANT CREATE TABLE TO c##hr_admin CONTAINER=ALL;
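The grant scopes described in sections 18.1.1.2 through 18.1.1.6, as an added SQL*Plus script that is not part of the Oracle documentation: it contrasts a common grant with two local grants, reads their scope back from CDB_SYS_PRIVS, and searches for privileges granted commonly to PUBLIC, which the text warns against. It assumes the common user c##hr_admin and a PDB named HRPDB; the CREATE VIEW and CREATE SEQUENCE grants are illustrative choices.

```sql
-- Added example, not from the Oracle documentation. Assumes common user
-- c##hr_admin exists and the PDB HRPDB is open; CREATE VIEW / CREATE SEQUENCE
-- are illustrative grants chosen for this demonstration.
CONNECT SYSTEM
-- Enter password: password

-- 1. Common grant from the CDB root: usable in every existing and future container.
GRANT CREATE TABLE TO c##hr_admin CONTAINER=ALL;

-- 2. Grant in the root with no CONTAINER clause: local to CDB$ROOT only.
GRANT CREATE VIEW TO c##hr_admin;

-- 3. Local grant inside one PDB: effective only while connected to HRPDB.
ALTER SESSION SET CONTAINER = HRPDB;
GRANT CREATE SEQUENCE TO c##hr_admin CONTAINER=CURRENT;
ALTER SESSION SET CONTAINER = CDB$ROOT;

-- 4. Read back the scope of each grant. COMMON = 'YES' marks the common grant,
--    which is visible in every open container; each local grant appears once,
--    with the CON_ID of the container that holds it.
COLUMN GRANTEE FORMAT A15
COLUMN PRIVILEGE FORMAT A20
SELECT GRANTEE, PRIVILEGE, COMMON, CON_ID
FROM   CDB_SYS_PRIVS
WHERE  GRANTEE = 'C##HR_ADMIN'
ORDER BY PRIVILEGE, CON_ID;

-- 5. Check for the pattern the text warns against: privileges granted commonly
--    to PUBLIC. Every row returned is effectively a grant to every user in every PDB.
SELECT 'SYSTEM' AS KIND, PRIVILEGE, CAST(NULL AS VARCHAR2(128)) AS OWNER,
       CAST(NULL AS VARCHAR2(128)) AS OBJECT_NAME
FROM   DBA_SYS_PRIVS
WHERE  GRANTEE = 'PUBLIC' AND COMMON = 'YES'
UNION ALL
SELECT 'OBJECT', PRIVILEGE, OWNER, TABLE_NAME
FROM   DBA_TAB_PRIVS
WHERE  GRANTEE = 'PUBLIC' AND COMMON = 'YES';

-- 6. A common grant is removed with a common revoke from the root; the local
--    grants above must be revoked in the container where each was made.
REVOKE CREATE TABLE FROM c##hr_admin CONTAINER=ALL;
```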


18.1.1.7 Enabling Common Users to View CONTAINER_DATA Object Information

Common users can view information about CONTAINER_DATA objects in the root, or view data in specific PDBs.

  • Viewing Data About the Root, CDB, and PDBs While Connected to the Root
    You can restrict the information that a common user sees from X$ tables and the V$, GV$, and CDB_* views when the common user runs a query.
  • Enabling Common Users to Query Data in Specific PDBs
    You can enable common users to access data pertaining to specific PDBs by adjusting the user's CONTAINER_DATA attribute.


18.1.1.7.1 Viewing Data About the Root, CDB, and PDBs While Connected to the Root

You can restrict the information that a common user sees from X$ tables and the V$, GV$, and CDB_* views when the common user runs a query.
Restricting this information is useful when you do not want to expose sensitive information about other PDBs. To enable this functionality, Oracle Database provides these tables and views as container data objects. You can find whether a specific table or view is a container data object by querying the TABLE_NAME, VIEW_NAME, and CONTAINER_DATA columns of the USER_|DBA_|ALL_VIEWS|TABLES dictionary views.

To find information about the default (user-level) and object-specific CONTAINER_DATA attributes:

  1. In SQL*Plus or SQL Developer, log in to the root.

  2. Query the CDB_CONTAINER_DATA data dictionary view.

    For example:

    COLUMN USERNAME FORMAT A15
    COLUMN DEFAULT_ATTR FORMAT A7
    COLUMN OWNER FORMAT A15
    COLUMN OBJECT_NAME FORMAT A15
    COLUMN ALL_CONTAINERS FORMAT A3
    COLUMN CONTAINER_NAME FORMAT A10
    COLUMN CON_ID FORMAT A6
    
    SELECT USERNAME, DEFAULT_ATTR, OWNER, OBJECT_NAME, 
           ALL_CONTAINERS, CONTAINER_NAME, CON_ID 
    FROM   CDB_CONTAINER_DATA 
    ORDER BY OBJECT_NAME;
    
    USERNAME        DEFAULT OWNER           OBJECT_NAME     ALL CONTAINERS CON_ID
    --------------- ------- --------------- --------------- --- ---------- ------
    C##HR_ADMIN     N       SYS             V$SESSION       N   CDB$ROOT        1
    C##HR_ADMIN     N       SYS             V$SESSION       N   SALESPDB        1
    C##HR_ADMIN     Y                                       N   HRPDB           1
    C##HR_ADMIN     Y                                       N   CDB$ROOT        1
    DBSNMP          Y                                       Y                   1
    SYSTEM          Y                                       Y                   1


18.1.1.7.2 Enabling Common Users to Query Data in Specific PDBs
You can enable common users to access data pertaining to specific PDBs by adjusting the user's CONTAINER_DATA attribute.
To enable common users to query data in specific PDBs:

  • Issue the ALTER USER statement in the root.

Example 18-2 Setting the CONTAINER_DATA Attribute
This example shows how to issue the ALTER USER statement to enable the common user c##hr_admin to view information pertaining to the CDB$ROOT, SALESPDB, and HRPDB containers in the V$SESSION view (assuming this user can query that view).

CONNECT SYSTEM
Enter password: password
Connected.

ALTER USER c##hr_admin
SET CONTAINER_DATA = (CDB$ROOT, SALESPDB, HRPDB) 
FOR V$SESSION CONTAINER=CURRENT;

In this specification:

  • SET CONTAINER_DATA lists containers, data pertaining to which can be accessed by the user.

  • FOR V$SESSION specifies the CONTAINER_DATA dynamic view, which common user c##hr_admin will query.

  • CONTAINER = CURRENT must be specified because when you are connected to the root, CONTAINER=ALL is the default for the ALTER USER statement, but modification of the CONTAINER_DATA attribute must be restricted to the root.

If you want to enable user c##hr_admin to view information pertaining to the CDB$ROOT, SALESPDB, and HRPDB containers in all CONTAINER_DATA objects that this user can access, then omit FOR V$SESSION. For example:

ALTER USER c##hr_admin
SET CONTAINER_DATA = (CDB$ROOT, SALESPDB, HRPDB) 
CONTAINER=CURRENT;


18.1.2 Managing Common Roles and Local Roles
A common role is a role that is created in the root; a local role is created in a PDB.

18.1.2.1 About Common Roles and Local Roles
A local role exists only in one PDB and can be used only within this PDB. It does not have any commonly granted privileges.
Note the following:

  • Common users can both create and grant common roles to other common and local users.

  • You can grant a role (local or common) to a local user or role only locally.

  • If you grant a common role locally, then the privileges of that common role apply only in the container where the role is granted.

  • Local users cannot create common roles, but they can grant them to common and other local users.


18.1.2.2 How Common Roles Work
Common roles are visible in the root and in every PDB of the container in which they are defined in a multitenant environment.
A privilege is granted commonly to a common role if:

  • The grantor is a common user.

  • The grantor possesses the commonly granted ADMIN OPTION for the privilege that is being granted.

  • The GRANT statement contains the CONTAINER=ALL clause.

If the common role contains locally granted privileges, then these privileges apply only within the PDB in which they were granted to the common role. A local role cannot be granted commonly.


18.1.2.3 How the PUBLIC Role Works in a Multitenant Environment
All privileges that Oracle grants to the PUBLIC role are granted locally.
This feature enables you to revoke privileges or roles that have been granted to the PUBLIC role in each PDB individually, as required. If you must grant any privileges to the PUBLIC role, then grant them locally. Never grant privileges to PUBLIC commonly.


18.1.2.4 Privileges Required to Create, Modify, or Drop a Common Role

Common users can also create local roles, but these roles are available only in the PDB in which they were created.


18.1.2.5 Rules for Creating Common Roles

When you create a common role, you must follow special rules.

The rules are as follows:


18.1.2.6 Creating a Common Role

You can use the CREATE ROLE statement to create a common role.

  1. Connect to the root of the CDB or the application container in which you want to create the common role.

    For example:

    CONNECT SYSTEM
    Enter password: password
    Connected.
    
  2. Run the CREATE ROLE statement with the CONTAINER clause set to ALL.

    For example:

    CREATE ROLE c##sec_admin IDENTIFIED BY password CONTAINER=ALL; 


18.1.2.7 Rules for Creating Local Roles
To create a local role, you must follow special rules.
The rules are as follows:

  • You must be connected to the PDB in which you want to create the role, and have the CREATE ROLE privilege.

  • The name that you give the local role must not start with the value of the COMMON_USER_PREFIX parameter (which defaults to C##).

  • You can include CONTAINER=CURRENT in the CREATE ROLE statement to specify the role as a local role. If you are connected to a PDB and omit this clause, then the CONTAINER=CURRENT clause is implied.

  • You cannot have common roles and local roles with the same name. However, you can use the same name for local roles in different PDBs. To find the names of existing roles, query the CDB_ROLES and DBA_ROLES data dictionary views.


18.1.2.8 Creating a Local Role

You can use the CREATE ROLE statement to create a role.

  1. Connect to the PDB in which you want to create the local role.

    For example:

    CONNECT SYSTEM@hrpdb
    Enter password: password
    Connected.
    
  2. Run the CREATE ROLE statement with the CONTAINER clause set to CURRENT.

    For example:

    CREATE ROLE sec_admin CONTAINER=CURRENT;


18.1.2.9 Role Grants and Revokes for Common Users and Local Users
Role grants and revokes apply only to the scope of access of the common user or the local user.
Common users can grant and revoke common roles to and from other common users. A local user can grant a common role to any user in a PDB, including common users, but this grant applies only within the PDB.

The following example shows how to grant the common user c##sec_admin the AUDIT_ADMIN common role for use in all containers.

CONNECT SYSTEM
Enter password: password
Connected.

GRANT AUDIT_ADMIN TO c##sec_admin CONTAINER=ALL;

Similarly, the next example shows how local user aud_admin can grant the common user c##sec_admin the AUDIT_ADMIN common role for use within the hrpdb PDB.

CONNECT aud_admin@hrpdb
Enter password: password
Connected.

GRANT AUDIT_ADMIN TO c##sec_admin CONTAINER=CURRENT;

This example shows how a local user aud_admin can revoke a role from another user in a PDB. If you omit the CONTAINER clause, then CURRENT is implied.

CONNECT aud_admin@hrpdb
Enter password: password
Connected.

REVOKE sec_admin FROM psmith CONTAINER=CURRENT;


18.1.3 Restricting Operations on PDBs Using PDB Lockdown Profiles
You can use PDB lockdown profiles in a multitenant environment to restrict the set of operations available to users in pluggable databases (PDBs).

18.1.3.1 About PDB Lockdown Profiles
A PDB lockdown profile is a named set of features that controls a group of operations.
In some cases, you can enable or disable operations individually. For example, a PDB lockdown profile can contain settings that disable specific clauses that come with the ALTER SYSTEM statement.

A PDB lockdown profile restricts user access to the functionality it covers, similar to the resource limits that are defined for users. As its name implies, you can use a PDB lockdown profile in a CDB, an application container, a PDB, or an application PDB. You can create custom profiles to accommodate the requirements of your site. PDB lockdown profiles enable you to define custom security policies for an application. In addition, you can create a lockdown profile that is based on another profile, called a base profile. You can configure this profile to be dynamically updated when the base profile is modified, or to be static (unchanging) when the base profile is updated. Lockdown profiles are designed for both Oracle Cloud and on-premises environments.

Elevated privileges can exist when identities are shared between PDBs. You can use lockdown profiles to prevent this elevation of privileges. Identities can be shared in the following situations:

  • At the operating system level, when the database interacts with operating system resources such as files or processes
  • At the network level, when the database communicates with other systems, and network identity is important
  • Inside the database, when PDBs access or create common objects, or when they communicate across container boundaries using features such as database links

Features that use shared identities, and that benefit from a PDB lockdown profile, are as follows:

  • Network access features. These are operations that use the network to communicate outside the PDB. For example, the PL/SQL packages UTL_TCP, UTL_HTTP, UTL_MAIL, UTL_SNMP, UTL_INADDR, and DBMS_DEBUG_JDWP perform these kinds of operations. Currently, ACLs are used to control this kind of access to the shared network identity.

  • Common user or object access. In these operations, a local user in a PDB can proxy through common user accounts or access objects in a common schema. These types of operations include adding or replacing objects in a common schema, granting privileges to common objects, accessing common directory objects, granting the INHERIT PRIVILEGES role to a common user, and manipulating user proxies to a common user.

  • Operating system access. For example, you can restrict access to the UTL_FILE or DBMS_FILE_TRANSFER PL/SQL packages.

  • Connections. For example, you can restrict common users from connecting to the PDB, or you can restrict a local user who has the SYSOPER administrative privilege from connecting to a PDB that is open in restricted mode.

The general procedure for creating a PDB lockdown profile is to first create it in the CDB root or application root by using the CREATE LOCKDOWN PROFILE statement, and then to add the restrictions by using the ALTER LOCKDOWN PROFILE statement.

To enable a PDB lockdown profile, use the ALTER SYSTEM statement to set the PDB_LOCKDOWN parameter. You can find information about existing PDB lockdown profiles by connecting to the CDB root or application root and querying the DBA_LOCKDOWN_PROFILES data dictionary view. A local user can find the contents of the PDB_LOCKDOWN parameter by querying the V$LOCKDOWN_RULES dynamic data dictionary view.

18.1.3.2 Default PDB Lockdown Profiles
The default PDB lockdown profiles are PRIVATE_DBAAS, PUBLIC_DBAAS, and SAAS.
By default, these profiles are empty. They are designed as placeholders or templates for you to configure according to your deployment requirements.

The details of these profiles are as follows:

  • PRIVATE_DBAAS incorporates restrictions that are suitable for private Cloud Database-as-a-Service (DBaaS) deployments. These restrictions include:
    • The same database administrator must be used for each PDB
    • Different users are permitted to connect to the database
    • Different applications are permitted
    PRIVATE_DBAAS allows users to connect to PDBs but prevents them from using the Oracle Database administrative features.

  • SAAS incorporates restrictions that are suitable for Software-as-a-Service (SaaS) deployments. These restrictions include:
    • The same database administrator must be used for each PDB
    • Different users are permitted to connect to the database
    • The same application must be used

    The SAAS lockdown profile is more restrictive than the PRIVATE_DBAAS profile. Users can differ, but the application code is the same; users cannot connect directly, only through the application; and users cannot perform any administrative functions.

  • PUBLIC_DBAAS incorporates restrictions that are suitable for public Cloud Database-as-a-Service (DBaaS) deployments. The restrictions are as follows:
    • Different DBAs in each PDB
    • Different users
    • Different applications
    The PUBLIC_DBAAS lockdown profile is the most restrictive lockdown profile.

18.1.3.3 Creating a PDB Lockdown Profile
To create a PDB lockdown profile, you must have the CREATE LOCKDOWN PROFILE system privilege.
After you create the lockdown profile, you can add restrictions to it before enabling it.

  1. Connect to the CDB root or the application root as a user who has the CREATE LOCKDOWN PROFILE system privilege. For example, to connect to the CDB root:
    CONNECT c##sec_admin
    Enter password: password
    
  2. Run the CREATE LOCKDOWN PROFILE statement to create the profile by using the following syntax:
    CREATE LOCKDOWN PROFILE profile_name
    [FROM static_base_profile | INCLUDING dynamic_base_profile];

    In this specification:

    • profile_name is the name to assign to the lockdown profile. You can find existing names by querying the PROFILE_NAME column of the DBA_LOCKDOWN_PROFILES data dictionary view.

    • FROM static_base_profile creates a new lockdown profile by using the values from an existing profile. Any subsequent changes to the base profile do not affect the new profile.

    • INCLUDING dynamic_base_profile also creates a new lockdown profile by using the values from an existing base profile, but this new lockdown profile inherits the DISABLE statement rules that make up the base profile, as well as any subsequent changes to the base profile. If a rule that is explicitly added to the new profile conflicts with a rule in the base profile, then the rule in the base profile takes precedence. For example, an OPTION_VALUE clause in the base profile takes precedence over an OPTION_VALUE clause in the new profile.

    The following two PDB lockdown profile statements demonstrate how the inheritance works:
    CREATE LOCKDOWN PROFILE hr_prof INCLUDING PRIVATE_DBAAS;
    CREATE LOCKDOWN PROFILE hr_prof2 FROM hr_prof;

    In the first statement, hr_prof inherits any changes made to the PRIVATE_DBAAS base profile. If PRIVATE_DBAAS enables a new statement, then hr_prof enables it as well. Conversely, in the second statement, hr_prof2 does not change when hr_prof changes, because it is independent of its base profile.

  3. Run the ALTER LOCKDOWN PROFILE statement to provide restrictions for the profile. For example:
    ALTER LOCKDOWN PROFILE hr_prof DISABLE STATEMENT  = ('ALTER SYSTEM');
    ALTER LOCKDOWN PROFILE hr_prof ENABLE STATEMENT = ('ALTER SYSTEM') clause = ('flush shared_pool');
    ALTER LOCKDOWN PROFILE hr_prof DISABLE FEATURE = ('XDB_PROTOCOLS');

    In the preceding example:

    • DISABLE STATEMENT = ('ALTER SYSTEM') disables the use of all ALTER SYSTEM statements for the PDB.
    • ENABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('flush shared_pool') enables only the FLUSH SHARED_POOL clause of ALTER SYSTEM.
    • DISABLE FEATURE = ('XDB_PROTOCOLS') disables the use of the XDB protocols (FTP, HTTP, HTTPS) by this PDB.

    After you create a PDB lockdown profile, you are ready to enable it by using the ALTER SYSTEM SET PDB_LOCKDOWN SQL statement.


18.1.3.4 Enabling or Disabling a PDB Lockdown Profile

To enable or disable a PDB lockdown profile, use the PDB_LOCKDOWN initialization parameter.
You can use ALTER SYSTEM SET PDB_LOCKDOWN to enable a lockdown profile in any of the following contexts:
  • CDB root (affects all PDBs)
  • Application root (affects all application PDBs in the container)
  • Application PDB
  • PDB

Note:

You do not need to restart the instance to enable the profile. The profile rules take effect immediately when the ALTER SYSTEM SET PDB_LOCKDOWN statement completes.
When you set PDB_LOCKDOWN in the CDB root, every PDB and application root inherits this setting unless PDB_LOCKDOWN is set at the container level. To disable a lockdown profile, set PDB_LOCKDOWN to null. If you set this parameter to null in the CDB root, then lockdown profiles are disabled for all PDBs except those whose profile was explicitly set within the PDB.

A CDB common user who has the commonly granted SYSDBA administrative privilege or the ALTER SYSTEM system privilege can set PDB_LOCKDOWN only to a lockdown profile that was created in the CDB root. An application common user who has the application common SYSDBA administrative privilege or ALTER SYSTEM system privilege can set PDB_LOCKDOWN only to a lockdown profile that was created in the application root.

  1. Log in to the desired container as a user who has the commonly granted ALTER SYSTEM or commonly granted SYSDBA privilege. For example, to enable the profile for all PDBs, log in to the CDB root:
    CONNECT c##sec_admin
    Enter password: password
    
  2. Run the ALTER SYSTEM SET PDB_LOCKDOWN statement. For example, the following statement enables the lockdown profile named hr_prof for all PDBs:
    ALTER SYSTEM SET PDB_LOCKDOWN = hr_prof;
    
    The following statement resets the PDB_LOCKDOWN parameter:
    ALTER SYSTEM RESET PDB_LOCKDOWN;
    
    This variation of the preceding statement includes the SCOPE clause:
    ALTER SYSTEM RESET PDB_LOCKDOWN SCOPE = BOTH;
    
    The following statement disables all lockdown profiles in the CDB except those that are explicitly set at the PDB level:
    ALTER SYSTEM SET PDB_LOCKDOWN = '' SCOPE = BOTH;
    

    To find the names of PDB lockdown profiles, query the PROFILE_NAME column of the DBA_LOCKDOWN_PROFILES data dictionary view.

  3. Optionally, review information about the profiles by querying DBA_LOCKDOWN_PROFILES. For example, run the following query:
    SET LINESIZE 150
    COL PROFILE_NAME FORMAT a20
    COL RULE FORMAT a20
    COL CLAUSE FORMAT a25
    
    SELECT PROFILE_NAME, RULE, CLAUSE, STATUS FROM CDB_LOCKDOWN_PROFILES;

    Sample output appears below:

    PROFILE_NAME         RULE                 CLAUSE                    STATUS
    -------------------- -------------------- ------------------------- -------
    HR_PROF              XDB_PROTOCOLS                                  DISABLE
    HR_PROF              ALTER SYSTEM                                   DISABLE
    HR_PROF              ALTER SYSTEM         FLUSH SHARED_POOL         ENABLE
    HR_PROF2                                                            EMPTY
    PRIVATE_DBAAS                                                       EMPTY
    PUBLIC_DBAAS                                                        EMPTY
    SAAS                                                                EMPTY
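The create-and-enable procedure of 18.1.3.3 and 18.1.3.4 as one added script, not from the Oracle documentation: it derives a profile from the SAAS template, closes the network and operating-system paths listed in 18.1.3.1, keeps a narrow ALTER SYSTEM allowance, enables the profile in one PDB only, and verifies the enforced rules from inside that PDB and from the root. It assumes common user c##sec_admin, a PDB named HRPDB, and the constructed profile name saas_hr_prof; NETWORK_ACCESS and OS_ACCESS are Oracle's feature-bundle names.

```sql
-- Added example, not from the Oracle documentation. Assumes common user
-- c##sec_admin (CREATE LOCKDOWN PROFILE, commonly granted ALTER SYSTEM), a PDB
-- named HRPDB, and the constructed profile name saas_hr_prof.
CONNECT c##sec_admin
-- Enter password: password

-- 1. Create the profile in the CDB root. FROM copies the (empty) SAAS template
--    once; later changes to SAAS do not flow into saas_hr_prof.
CREATE LOCKDOWN PROFILE saas_hr_prof FROM SAAS;

-- 2. Close the shared-identity paths from 18.1.3.1. NETWORK_ACCESS bundles the
--    network packages (UTL_TCP, UTL_HTTP, UTL_INADDR, UTL_SMTP, DBMS_DEBUG_JDWP)
--    and the XDB protocols; OS_ACCESS bundles UTL_FILE, external procedures
--    and file transfer.
ALTER LOCKDOWN PROFILE saas_hr_prof DISABLE FEATURE = ('NETWORK_ACCESS', 'OS_ACCESS');

-- 3. Block ALTER SYSTEM wholesale, then re-open only what tenants legitimately
--    need. Re-enabling SET PDB_LOCKDOWN keeps that one statement usable inside
--    the PDB, so the profile can still be cleared from within the container.
ALTER LOCKDOWN PROFILE saas_hr_prof DISABLE STATEMENT = ('ALTER SYSTEM');
ALTER LOCKDOWN PROFILE saas_hr_prof ENABLE STATEMENT = ('ALTER SYSTEM')
  CLAUSE = ('FLUSH SHARED_POOL');
ALTER LOCKDOWN PROFILE saas_hr_prof ENABLE STATEMENT = ('ALTER SYSTEM')
  CLAUSE = ('SET') OPTION = ('PDB_LOCKDOWN');

-- 4. Enable it in one PDB only. Other PDBs keep whatever the CDB root sets;
--    no restart is needed, the rules apply as soon as the statement completes.
ALTER SESSION SET CONTAINER = HRPDB;
ALTER SYSTEM SET PDB_LOCKDOWN = saas_hr_prof;

-- 5. Verify from inside the PDB which rules are actually enforced here.
COLUMN RULE_TYPE FORMAT A10
COLUMN RULE FORMAT A22
COLUMN CLAUSE FORMAT A20
SELECT RULE_TYPE, RULE, CLAUSE, STATUS
FROM   V$LOCKDOWN_RULES
ORDER BY RULE_TYPE, RULE, CLAUSE;

-- 6. Root-level view of the new profile and its rules.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT PROFILE_NAME, RULE_TYPE, RULE, CLAUSE, STATUS
FROM   DBA_LOCKDOWN_PROFILES
WHERE  PROFILE_NAME = 'SAAS_HR_PROF'
ORDER BY RULE_TYPE, RULE, CLAUSE;
```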


18.1.3.5 Dropping a PDB Lockdown Profile
To drop a PDB lockdown profile, you must have the DROP LOCKDOWN PROFILE system privilege and be logged in to the CDB root or application root.

You can find the names of existing PDB lockdown profiles by querying the DBA_LOCKDOWN_PROFILES data dictionary view.

  1. Connect to the CDB root or the application root as a user who has the DROP LOCKDOWN PROFILE system privilege. For example, to connect to the CDB root:
    CONNECT c##sec_admin
    Enter password: password
    
  2. Run the DROP LOCKDOWN PROFILE statement. For example:
    DROP LOCKDOWN PROFILE hr_prof2;
  3. Optionally, review the current list of profiles by querying DBA_LOCKDOWN_PROFILES. For example, run the following query:
    SET LINESIZE 150
    COL PROFILE_NAME FORMAT a20
    COL RULE FORMAT a20
    COL CLAUSE FORMAT a25
    
    SELECT PROFILE_NAME, RULE, CLAUSE, STATUS FROM CDB_LOCKDOWN_PROFILES;

    Sample output appears below:

    PROFILE_NAME         RULE                 CLAUSE                    STATUS
    -------------------- -------------------- ------------------------- -------
    HR_PROF              XDB_PROTOCOLS                                  DISABLE
    HR_PROF              ALTER SYSTEM                                   DISABLE
    HR_PROF              ALTER SYSTEM         FLUSH SHARED_POOL         ENABLE
    PRIVATE_DBAAS                                                       EMPTY
    PUBLIC_DBAAS                                                        EMPTY
    SAAS                                                                EMPTY
    


18.2 Using Application Contexts in a Multitenant Environment

An application context stores user identification that can enable or prevent a user from accessing data in the database.


18.2.1 What Is an Application Context?

An application context is a set of name-value pairs that Oracle Database stores in memory.
The context has a label called a namespace (for example, empno_ctx for an application context that retrieves employee IDs). This context enables Oracle Database to find information about both database and non-database users during authentication.
Inside the context are the name-value pairs (an associative array): the name points to a location in memory that holds the value. An application can use the application context to access session information about a user, such as the user ID or other user-specific information.

You can then use this information to allow or prevent the user from accessing data through the application. You can use application contexts to authenticate both database and non-database users.


18.2.2 Application Contexts in a Multitenant Environment
Where you create an application in a multitenant environment determines where you must create the application context.
If an application is installed in the application root or CDB root, then it is accessible across the application container or system container and the associated application PDBs. You need to create a common application context in this root.
Note the following when you create a common application context for use with application containers:

  • You can create an application context in a multitenant environment by setting the CONTAINER clause in the CREATE CONTEXT SQL statement. For example, to create a common application context in the application root, you must execute CREATE CONTEXT with CONTAINER set to ALL. To create an application context in a PDB, set CONTAINER to CURRENT.

  • You cannot use the same name for a local application context. You can find the names of existing application contexts by running the following query:

    SELECT OBJECT_NAME FROM DBA_OBJECTS WHERE OBJECT_TYPE ='CONTEXT';

  • The PL/SQL package that you create to manage a common application context must be a common PL/SQL package. That is, it must exist in the application root or CDB root. If you create the application context for a specific PDB, then you must store the associated PL/SQL package in that PDB.

  • Name-value pairs that you set under a common session application context from the application container or system container for a common application context cannot be accessed from other application containers or system containers when the common user accesses a different container.

  • Name-value pairs that are set under a common global application context from an application container or system container are accessible only within the same user session in the same container.

  • An application can retrieve the values of an application context whether it resides in the application root, the CDB root, or a PDB.

  • During a plug-in operation, when a PDB is plugged into a CDB or application container, if the name of a common application context conflicts with a local application context in the PDB, then the PDB must be opened in restricted mode. The database administrator then needs to correct the conflict before opening the PDB in normal mode.

  • During an unplug operation, a common application context retains its common semantics, so that if the PDB is plugged into another CDB that has a common application context with the same name, it continues to behave as a common object. If the PDB is plugged into an application container or system container in which the same common application context does not exist, then it behaves like a local object.

To find whether an application context is a local application context or an application common application context, query the SCOPE column of the DBA_CONTEXT or ALL_CONTEXT data dictionary view.


18.3 Using Oracle Virtual Private Database in a Multitenant Environment

Oracle Virtual Private Database (VPD) enables you to filter users who access data.


18.3.1 What Is Oracle Virtual Private Database?

Oracle Virtual Private Database (VPD) creates security policies to control database access at the row and column level.

Note:

Oracle Database release 12c introduced Real Application Security (RAS) to supersede VPD. Oracle recommends that you use RAS for new projects that require row and column level access controls for their applications.

Essentially, Oracle Virtual Private Database adds a dynamic WHERE clause to a SQL statement that is issued against the table, view, or synonym to which an Oracle Virtual Private Database security policy was applied.

Oracle Virtual Private Database enforces security, to a fine level of granularity, directly on database tables, views, or synonyms. Because you attach security policies directly to these database objects, and the policies are automatically applied whenever a user accesses data, there is no way to bypass security.

When a user directly or indirectly accesses a table, view, or synonym that is protected with an Oracle Virtual Private Database policy, Oracle Database dynamically modifies the SQL statement of the user. This modification creates a WHERE condition (called a predicate) returned by a function implementing the security policy. Oracle Database modifies the statement dynamically, transparently to the user, using any condition that can be expressed in or returned by a function. You can apply Oracle Virtual Private Database policies to SELECT, INSERT, UPDATE, INDEX, and DELETE statements.

For example, suppose a user performs the following query:

SELECT * FROM OE.ORDERS;

The Oracle Virtual Private Database policy dynamically appends the statement with a WHERE clause. For example:

SELECT * FROM OE.ORDERS 
 WHERE SALES_REP_ID = 159;

In this example, the user can only view orders by Sales Representative 159.

If you want to filter the user based on the session information of that user, such as the ID of the user, then you can create the WHERE clause to use an application context. For example:

SELECT * FROM OE.ORDERS 
 WHERE SALES_REP_ID = SYS_CONTEXT('USERENV','SESSION_USER'); 

Note:

Oracle Virtual Private Database does not support filtering for DDLs, such as TRUNCATE or ALTER TABLE statements.


18.3.2 Oracle Virtual Private Database in a Multitenant Environment

The CDB restrictions also apply to shared context-sensitive policies and views that are related to Virtual Private Database policies. You cannot create Virtual Private Database policies for the entire multitenant environment.
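An added worked example, not from the Oracle documentation, that ties 18.2.2 to 18.3: a local application context and a VPD policy on OE.ORDERS, both created inside a single PDB because neither the policy nor its context can span the CDB. It assumes a PDB named HRPDB, a local schema sec_owner holding CREATE ANY CONTEXT, CREATE PROCEDURE, ADMINISTER DATABASE TRIGGER and EXECUTE ON DBMS_RLS, the sample OE.ORDERS table with its SALES_REP_ID column, and a constructed mapping table sec_owner.rep_map(db_user, sales_rep_id).

```sql
-- Added example, not from the Oracle documentation. Assumes PDB HRPDB, local
-- schema sec_owner with the privileges named in the lead-in, the sample table
-- OE.ORDERS, and a constructed table sec_owner.rep_map(db_user, sales_rep_id).
CONNECT sec_owner@hrpdb
-- Enter password: password

-- 1. Local context (CONTAINER=CURRENT). Only the package named in USING may set
--    its attributes, so a session cannot forge the value the policy reads.
CREATE CONTEXT rep_ctx USING sec_owner.rep_ctx_pkg CONTAINER=CURRENT;

CREATE OR REPLACE PACKAGE rep_ctx_pkg AS
  PROCEDURE set_rep;
END;
/
CREATE OR REPLACE PACKAGE BODY rep_ctx_pkg AS
  PROCEDURE set_rep IS
    v_rep rep_map.sales_rep_id%TYPE;
  BEGIN
    -- Resolve the connected database user to a sales representative id.
    SELECT sales_rep_id INTO v_rep
    FROM   rep_map
    WHERE  db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('rep_ctx', 'sales_rep_id', TO_CHAR(v_rep));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: leave the attribute unset so the policy returns no rows.
      NULL;
  END;
END;
/

-- 2. Policy function. It must return a valid predicate string. With the
--    attribute unset the predicate compares against NULL and matches nothing,
--    so an unmapped user sees no orders (fail closed).
CREATE OR REPLACE FUNCTION orders_pred(p_schema IN VARCHAR2, p_obj IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'SALES_REP_ID = SYS_CONTEXT(''rep_ctx'', ''sales_rep_id'')';
END;
/

-- 3. Attach the policy to the table. update_check => TRUE also rejects INSERTs
--    and UPDATEs that would produce rows the user could not see afterwards.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'OE',
    object_name     => 'ORDERS',
    policy_name     => 'orders_by_rep',
    function_schema => 'SEC_OWNER',
    policy_function => 'ORDERS_PRED',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- 4. Populate the context at session start. ON DATABASE inside a PDB means
--    this PDB only; every later query on OE.ORDERS is rewritten with the predicate.
CREATE OR REPLACE TRIGGER set_rep_ctx_trg AFTER LOGON ON DATABASE
BEGIN
  sec_owner.rep_ctx_pkg.set_rep;
END;
/

-- 5. Confirm the policy is in place in this PDB.
SELECT OBJECT_OWNER, OBJECT_NAME, POLICY_NAME, ENABLE
FROM   DBA_POLICIES
WHERE  POLICY_NAME = 'ORDERS_BY_REP';
```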


18.4 Using Transport Layer Security in a Multitenant Environment

Transport Layer Security (TLS) can be used in a multitenant environment for application containers.

If you want to use Transport Layer Security (TLS) in a multitenant environment for an application container, then you must ensure that each PDB is able to use its own wallet with its own certificates for TLS authentication.

  • Because there is no individual sqlnet.ora file for each PDB, place the wallet in a subdirectory of the wallet directory where the name of the subdirectory is the GUID of the PDB that uses the wallet. For example, suppose the WALLET_LOCATION parameter in sqlnet.ora is set as follows:
    (SOURCE=(METHOD=FILE)(METHOD_DATA=
       (DIRECTORY=/home/oracle/wallet)))

    Place each PDB’s wallet in the /home/oracle/wallet directory. You can find the existing PDBs and their GUIDs by querying the DBA_PDBS data dictionary view.

    If the WALLET_LOCATION parameter is not specified, then you must place the PDB wallet in a subdirectory of the default wallet path where the name of the subdirectory is the GUID of the PDB. For example:

    $ORACLE_BASE/admin/db_unique_name/wallet/PDB_GUID

    Or if the ORACLE_BASE environment variable is not set, then you can use the Oracle home:

    $ORACLE_HOME/admin/db_unique_name/wallet/PDB_GUID

    These default locations correspond to the default that is used by Oracle Enterprise User Security to locate wallets for authentication to LDAP.


18.5 Oracle Data Redaction in a Multitenant Environment

In a multitenant environment, Oracle Data Redaction policies apply only to the objects within the current pluggable database (PDB).
You cannot create a Data Redaction policy for a multitenant container database (CDB). This is because the objects for which you create Data Redaction policies typically reside in a PDB. If you have the SYSDBA privilege, then you can list all the PDBs in a CDB by running the SHOW PDBS command.
As with the CDB root, you cannot create Data Redaction policies in an application root.

18.6 Auditing in a Multitenant Environment

Auditing tracks changes that users make in the multitenant container database (CDB).


18.6.1 About Auditing in a Multitenant Environment
You can use unified auditing in a multitenant environment.
Depending on the type of policy, you can apply audit settings to individual PDBs or to the CDB. In a multitenant environment, each PDB, including the root, has its own unified audit trail.
See the following sections for details:

  • Unified audit policies created with the CREATE AUDIT POLICY and AUDIT statements: you can create policies for both the root and individual PDBs.
  • Fine-grained audit policies: you can create policies for individual PDBs only, not for the root.
  • Purging the audit trail: you can perform purge operations for both the root and individual PDBs.


18.6.2 Example: Auditing the DBA Role in a Multitenant Environment
The CREATE AUDIT POLICY statement can audit roles in a multitenant environment.
The following example shows how to audit the predefined common role DBA in a multitenant environment.
Example 18-3 Auditing the DBA Role in a Multitenant Environment

CREATE AUDIT POLICY role_dba_audit_pol 
 ROLES DBA
 CONTAINER = ALL;

AUDIT POLICY role_dba_audit_pol;


18.6.3 Unified Audit Policies or AUDIT Settings in a Multitenant Environment
In a multitenant environment, you can create unified audit policies for individual PDBs and for the root.

18.6.3.1

This applies both to unified audit policies and to policies created with the AUDIT SQL statement.

  • Local audit policy. This type of policy can exist in either the root (CDB or application) or a PDB (CDB or application). A local audit policy that exists in the root can contain object audit options for both local and common objects. Both local and common users who have been granted the AUDIT_ADMIN role can enable local policies: local users from their PDBs, and common users from the root or from the PDB in which they have the privilege. You can enable local audit policies for both local and common users and roles.

    You can create local audit policies for application local objects and application local roles, as well as for system action options and system privilege options. You cannot enforce a local audit policy for a common user across all containers, nor can you enforce a common audit policy for a local user.

  • CDB common audit policy. This type of policy is available to all PDBs in the multitenant environment. Only common users who have been granted the AUDIT_ADMIN role can create and maintain common audit policies. You can enable common audit policies only for common users. You must create common audit policies only in the root. This type of policy can contain object audit options only for common objects and can be enabled only for common users. You can enable common audit policies only for common users and roles.

    You cannot enforce a common audit policy for a local user across all containers.

The following table explains how audit policies apply in different multitenant environments.


18.6.3.2 Traditional Auditing in a Multitenant Environment
In traditional (non-unified) auditing, the AUDIT and NOAUDIT statements can audit statements and privileges in a multitenant environment. For example:

  • AUDIT DROP ANY TABLE BY SYSTEM BY ACCESS CONTAINER = CURRENT;
  • AUDIT DROP ANY TABLE BY SYSTEM BY ACCESS CONTAINER = ALL;


See Also:

Oracle Database SQL Language Reference for more information about the traditional AUDIT and NOAUDIT SQL statements


18.6.3.3 Configuring a Local Unified Audit Policy or Common Unified Audit Policy
The CONTAINER clause is specific to the use of the CREATE AUDIT POLICY statement in a multitenant environment.
To create a local or common unified audit policy in a CDB environment or an application container environment, include the CONTAINER clause in the CREATE AUDIT POLICY statement.

  • Use the following syntax to create a local or common unified audit policy:

    CREATE AUDIT POLICY policy_name
     action1 [,action2 ]
     [CONTAINER = {CURRENT | ALL}];
    

In this specification:

  • CURRENT sets the audit policy to be local to the current PDB.

  • ALL makes the audit policy a common audit policy, that is, available to the entire multitenant environment.

For example, for a common unified audit policy:

CREATE AUDIT POLICY dict_updates 
 ACTIONS UPDATE ON SYS.USER$, 
  DELETE ON SYS.USER$, 
  UPDATE ON SYS.LINK$, 
  DELETE ON SYS.LINK$ 
  CONTAINER = ALL;

Note the following:

  • You can set the CONTAINER clause for the CREATE AUDIT POLICY statement but not for ALTER AUDIT POLICY or DROP AUDIT POLICY. If you want to change the scope of an existing unified audit policy to use this setting, then you must drop and re-create the policy.

  • For AUDIT statements, you can set the CONTAINER clause for audit settings only if you have an Oracle database that has not been migrated to the Release 12.x audit features. You cannot use the CONTAINER clause in an AUDIT statement that is used to enable a unified audit policy.

  • If you are in a PDB, then you can only set the CONTAINER clause to CURRENT, not ALL. If you omit the setting while in the PDB, then the default is CONTAINER = CURRENT.

  • If you are in the root, then you can set the CONTAINER clause to either CURRENT if you want the policy to apply to the root only, or to ALL if you want the policy to apply to the entire CDB. If you omit the CONTAINER clause, then default is CONTAINER = CURRENT.

  • For objects:

    • Common audit policies can have common objects only and local audit policies can have both local objects and common objects.

    • You cannot set CONTAINER to ALL if the objects involved are local. They must be common objects.

  • For privileges:

    • You can set the CONTAINER to CURRENT (or omit the CONTAINER clause) if the user accounts involved are a mixture of local and common accounts. This creates a local audit configuration that applies only to the current PDB.

    • You cannot set CONTAINER to ALL if the users involved are local users. They must be common users.

    • If you set CONTAINER to ALL and do not specify a user list (using the BY clause in the AUDIT statement), then the configuration applies to all common users in each PDB.
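The following script, added here as an illustration and not taken from the Oracle documentation this page reproduces, walks the CONTAINER rules above end to end and then checks what the database recorded. It assumes a CDB with a PDB named hrpdb, a common user c##sec_admin holding the AUDIT_ADMIN role in every container, a common user c##hr_admin, and a local table HR.EMPLOYEES in hrpdb; SYS.USER$ and SYS.LINK$ are common objects in every container.

```sql
-- Added example, not code from the Oracle documentation this page reproduces.
-- Assumed setup: PDB hrpdb, common users c##sec_admin (AUDIT_ADMIN role in
-- every container) and c##hr_admin, local table HR.EMPLOYEES in hrpdb.

-- 1. Root, CONTAINER omitted: the default is CURRENT, so the policy is local
--    to the root and is not seen by any PDB.
CONNECT c##sec_admin
CREATE AUDIT POLICY root_only_pol
  ACTIONS DELETE ON SYS.USER$;

-- 2. Root, CONTAINER = ALL: a common policy, visible in every existing and
--    future PDB. Only common objects may appear in it.
CREATE AUDIT POLICY cdb_wide_pol
  ACTIONS DELETE ON SYS.USER$, DELETE ON SYS.LINK$
  CONTAINER = ALL;

-- 3. Scope is fixed at creation: ALTER AUDIT POLICY has no CONTAINER clause,
--    so widening root_only_pol to the whole CDB means drop and re-create.
DROP AUDIT POLICY root_only_pol;
CREATE AUDIT POLICY root_only_pol
  ACTIONS DELETE ON SYS.USER$
  CONTAINER = ALL;

-- 4. PDB: only CONTAINER = CURRENT (or no clause) is accepted, and a local
--    object can only ever be audited by a local policy. The commented-out
--    statement is rejected on both counts.
CONNECT c##sec_admin@hrpdb
CREATE AUDIT POLICY hr_local_pol
  ACTIONS UPDATE ON HR.EMPLOYEES, DELETE ON HR.EMPLOYEES
  CONTAINER = CURRENT;
-- CREATE AUDIT POLICY hr_bad_pol ACTIONS UPDATE ON HR.EMPLOYEES CONTAINER = ALL;

-- 5. Check the scope the database recorded. AUDIT_UNIFIED_POLICIES.COMMON is
--    YES for common policies and NO for local ones; queried inside hrpdb it
--    lists the two common policies created in the root next to the local one.
--    Policy names are stored in upper case.
SELECT policy_name, common, audit_option, object_schema, object_name
  FROM audit_unified_policies
 WHERE policy_name IN ('ROOT_ONLY_POL', 'CDB_WIDE_POL', 'HR_LOCAL_POL')
 ORDER BY policy_name, audit_option;

-- 6. Enabling is a separate step and takes no CONTAINER clause. A common
--    policy enabled for a common user from the root applies to that user in
--    each container; a local policy can only be enabled in its own container.
CONNECT c##sec_admin
AUDIT POLICY cdb_wide_pol BY c##hr_admin;

CONNECT c##sec_admin@hrpdb
AUDIT POLICY hr_local_pol BY c##hr_admin;

SELECT user_name, policy_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('CDB_WIDE_POL', 'HR_LOCAL_POL');
```

Step 3 is the one practitioners trip over: there is no way to promote a local policy to a common one in place, so a policy that was created in the root without CONTAINER = ALL silently protects the root only until it is dropped and re-created.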


18.6.3.4 Example: Local Unified Audit Policy

The CREATE AUDIT POLICY statement can create a local unified audit policy in either the root or a PDB.

When you create a local unified audit policy in the root, it applies only to the root, not across the multitenant environment.

The following example shows a local unified audit policy that is created by the common user c##sec_admin from a PDB and applied to the common user c##hr_admin.

Example 18-4 Local Unified Audit Policy

CONNECT c##sec_admin@hrpdb
Enter password: password
Connected.

CREATE AUDIT POLICY table_privs
 PRIVILEGES CREATE ANY TABLE, DROP ANY TABLE
 CONTAINER = CURRENT;

AUDIT POLICY table_privs BY c##hr_admin;


18.6.3.5 Example: CDB Common Unified Audit Policy

The CREATE AUDIT POLICY statement can create a CDB common unified audit policy.

Example 18-5 shows a common unified audit policy that has been created by the common user c##sec_admin from the root and applied to common user c##hr_admin.

Example 18-5 Common Unified Audit Policy

CONNECT c##sec_admin
Enter password: password
Connected.

CREATE AUDIT POLICY admin_pol
 ACTIONS CREATE TABLE, ALTER TABLE, DROP TABLE
 ROLES c##hr_mgr, c##hr_sup
 CONTAINER = ALL;

AUDIT POLICY admin_pol BY c##hr_admin;


18.6.3.6 Example: Application Common Unified Audit Policy

For an application container common unified audit policy, you can audit action options and system privilege options, and reference common objects and roles.

You can create an application common audit policy only from the application root, and you can enable it for application common users and for CDB common users.

The following example shows how to create a policy for the application container app_pdb that audits the application common user SYSTEM. The policy audits SELECT actions on the hr_app_cdb.utils_tab table and DROP TABLE actions in any PDB of the container database, including the CDB root. It also audits use of the SELECT ANY TABLE system privilege across all containers.

Example 18-6 Application Common Unified Audit Policy

CONNECT c##sec_admin@app_pdb
Enter password: password
Connected.

CREATE AUDIT POLICY app_pdb_admin_pol
 ACTIONS SELECT ON hr_app_cdb.utils_tab, DROP TABLE
 PRIVILEGES SELECT ANY TABLE
 CONTAINER = ALL;

AUDIT POLICY app_pdb_admin_pol BY SYSTEM, c##hr_admin;

In the preceding example, setting CONTAINER to ALL applies the policy only to the relevant object accesses in the application root and in all application PDBs that belong to that application root. It does not apply the policy outside that scope.


18.6.3.7 How Local or Common Audit Policies or Settings Appear in the Audit Trail

You can query the unified audit trail views from the root or from the PDB in which the action was performed.

You can perform the following types of queries:

  • Audit records from all PDBs. The audit trail reflects audited actions that were performed in the PDBs. For example, if user lbrown in PDB1 performs an action that is audited by either a common audit policy or a local audit policy, then the audit trail captures that action. The DBID column in the UNIFIED_AUDIT_TRAIL data dictionary view indicates the PDB in which the audited action took place and to which the policy applies. To see audit records from all PDBs, query the CDB_UNIFIED_AUDIT_TRAIL data dictionary view from the root.

  • Audit records from common audit policies. These are generated where the audited action actually took place, which can be anywhere in the multitenant environment, the root or a PDB. For example, if the common audit policy fga_pol audits the EXECUTE privilege on the DBMS_FGA PL/SQL package and that action happens in PDB1, then the audit record is generated in PDB1, not in the root, and so it is visible in PDB1.

    You can query the UNIFIED_AUDIT_TRAIL data dictionary view for the records of a given policy from the root or from the PDB, with a WHERE clause on the policy name (for example, WHERE UNIFIED_AUDIT_POLICIES = 'FGA_POL').

The following example shows how to find the results of a common unified audit policy:

CONNECT c##sec_admin
Enter password: password
Connected.

-- User names are stored in upper case unless the account was created with a
-- quoted identifier, so the predicate must use C##HR_ADMIN, not c##hr_admin.
SELECT DBID, ACTION_NAME, OBJECT_SCHEMA, OBJECT_NAME
  FROM CDB_UNIFIED_AUDIT_TRAIL
 WHERE DBUSERNAME = 'C##HR_ADMIN';

DBID        ACTION_NAME  OBJECT_SCHEMA  OBJECT_NAME
----------- -----------  -------------  -----------
653916017   UPDATE       HR             EMPLOYEES
653916018   UPDATE       HR             JOB_HISTORY
653916017   UPDATE       HR             JOBS
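The query above returns a DBID, which is not something an analyst wants to resolve by hand. The following script, added here as an example and not part of the original page, resolves each record to the PDB it was generated in and narrows the result to one policy. It assumes the common policy admin_pol from Example 18-5 is enabled for c##hr_admin and that c##sec_admin holds the AUDIT_VIEWER role in the root; the join to V$PDBS on CON_ID is the container-to-name mapping the example relies on.

```sql
-- Added example, not code from the original page. Assumes the common policy
-- ADMIN_POL from Example 18-5 is enabled for c##hr_admin and that
-- c##sec_admin holds AUDIT_VIEWER in the root.
CONNECT c##sec_admin

-- From the root: every container's records, each resolved to its PDB name.
-- UNIFIED_AUDIT_POLICIES holds a comma-separated list when several policies
-- matched the same action, so match the policy as a whole token rather than
-- by equality. User and policy names are stored in upper case unless created
-- with quoted identifiers.
SELECT p.name                      AS pdb_name,
       a.dbid,
       a.dbusername,
       a.action_name,
       a.object_schema,
       a.object_name,
       a.unified_audit_policies,
       a.return_code,               -- 0 = the audited statement succeeded
       a.event_timestamp
  FROM cdb_unified_audit_trail a
  JOIN v$pdbs p ON p.con_id = a.con_id
 WHERE a.dbusername = 'C##HR_ADMIN'
   AND REGEXP_LIKE(a.unified_audit_policies, '(^|, ?)ADMIN_POL(,|$)')
 ORDER BY a.event_timestamp;

-- From inside one PDB: the local view shows only what happened there, which
-- is exactly the point made in the text above about where records are
-- generated. Nothing done in another PDB, or in the root, appears here.
CONNECT c##sec_admin@hrpdb
SELECT dbusername, action_name, object_schema, object_name,
       return_code, event_timestamp
  FROM unified_audit_trail
 WHERE dbusername = 'C##HR_ADMIN'
   AND REGEXP_LIKE(unified_audit_policies, '(^|, ?)ADMIN_POL(,|$)')
 ORDER BY event_timestamp;
```

Keep RETURN_CODE in any review query: a common policy also records the failed attempts, and a DROP TABLE that was denied in a PDB is often more interesting than the ones that succeeded.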


18.6.4 Fine-Grained Auditing in a Multitenant Environment

Note the following general rules about fine-grained audit policies in a multitenant environment:

  • You cannot create fine-grained audit policies on SYS objects.

  • When you create a fine-grained audit policy in the CDB root, the policy cannot be applied to all PDBs. It only applies to objects within the CDB root. (In other words, there is no such thing as a common fine-grained audit policy for the CDB root.) If you want to create a fine-grained audit policy to audit a common object's access in all the PDBs, then you must explicitly create that policy in each PDB and then enable it on the common objects that are accessible in the PDB.

  • When you create a fine-grained audit policy in a PDB, it applies only to objects within the PDB.
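Because there is no common fine-grained audit policy, covering a common object in every PDB is a per-PDB chore. The following script, added here as an example and not taken from the original page, registers the same DBMS_FGA policy in two PDBs and then confirms coverage from the root. It assumes PDBs hrpdb and salespdb, an application common table hr_app_cdb.utils_tab present in both, and c##sec_admin holding SET CONTAINER, EXECUTE on DBMS_FGA and the AUDIT_ADMIN role in each container.

```sql
-- Added example, not code from the original page. Assumed setup: PDBs hrpdb
-- and salespdb, common table hr_app_cdb.utils_tab in both, c##sec_admin with
-- SET CONTAINER, EXECUTE on DBMS_FGA and AUDIT_ADMIN in each container.
-- SYS objects cannot carry a fine-grained audit policy at all.
CONNECT c##sec_admin

-- Same policy, once per PDB. ALTER SESSION SET CONTAINER avoids reconnecting.
-- The policy audits reads of the table by anyone other than the owning
-- application schema; under unified auditing the records land in the
-- UNIFIED_AUDIT_TRAIL of the PDB where the read happened (FGA_POLICY_NAME
-- column), not in the root.
ALTER SESSION SET CONTAINER = hrpdb;
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR_APP_CDB',
    object_name     => 'UTILS_TAB',
    policy_name     => 'UTILS_TAB_READS',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP_CDB''',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/

ALTER SESSION SET CONTAINER = salespdb;
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR_APP_CDB',
    object_name     => 'UTILS_TAB',
    policy_name     => 'UTILS_TAB_READS',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_APP_CDB''',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/

-- Confirm coverage from the root: one row per container that has the policy.
-- A PDB missing from this list has no fine-grained auditing on the table,
-- whatever was created in the root.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT con_id, object_schema, object_name, policy_name, enabled
  FROM cdb_audit_policies
 WHERE policy_name = 'UTILS_TAB_READS'
 ORDER BY con_id;
```

The closing query is the useful part operationally: run it after every new PDB is plugged in, because a PDB created or cloned later inherits the unified audit policies marked common but none of the fine-grained ones.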


Reprinted from blog.csdn.net/viviliving/article/details/84754825