We all know how critical it is to enable Oracle Database Auditing for our production environment. It is equally important to monitor the audit results and take actions. Though enabling auditing using the AUDIT_TRAIL initialization parameter plus using the AUDIT statements to enable different auditing options is the common approach, with the availability of FGA feature, it is time to take the next step.
FGA allows us to audit more specific business rules. Today, I will walk you through the steps to implement FGA for PeopleSoft.

Ensure that EnableDBMonitoring is set to 1 in psappsrv.cfg. This will enable PeopleSoft to populate CLIENT_INFO column in V$SESSION.

Identify the table and the criteria that we need to set for the policy. In this example, I will use the custom table PS_ABC_COMPANY_TBL. I need to audit any SELECT* statements on PS_ABC_COMPANY_TBL when user selects data related to
abc_company = ‘ABC Confidential’

We need to create a procedure that will populate the CLIENT_INFO so that we can identify the OPRID.

CREATE OR REPLACE PROCEDURE GET_OPRID (OBJECT_SCHEMA VARCHAR2, OBJECT_NAME VARCHAR2, POLICY_NAME VARCHAR2)

AS

V_CLIENT_INFO VARCHAR2(1000);

V_OPRID VARCHAR2(32);

BEGIN

V_CLIENT_INFO := SYS_CONTEXT(‘USERENV’,’CLIENT_INFO’);

IF ( LENGTH(V_CLIENT_INFO) IS NULL ) THEN

V_OPRID := ‘NOOPRID’;

ELSIF ( SUBSTR(V_CLIENT_INFO,1,1) = ‘,’ ) THEN

V_OPRID := ‘NOOPRID’;

ELSE

V_OPRID := SUBSTR(V_CLIENT_INFO, 1, INSTR(V_CLIENT_INFO,’,’,1)-1);

END IF;

DBMS_SESSION.SET_IDENTIFIER (V_OPRID);

END;

Create a policy as shown below

begin

dbms_fga.add_policy (
object_schema=>’SYSADM’,
object_name=>’PS_ABC_COMPANY_TBL’,
policy_name=>’ABC_COMPANY_TBL_ACCESS’,
audit_column => ‘ABC_COMPANY’,
audit_condition => ‘ABC_COMPANY = ”ABC Confidential”’,
handler_module => ‘GET_OPRID’
);
end;

That’s it!!

In my next post I will share the results of enabling this feature.
Posted by Nitin Pai
Comments (0)
February 5th, 2008

Comments (0)