Oracle RAC Environment Access Control Policy

advertisement
Oracle RAC Environment Access Control Policy
Version
1.0
TRIM file number
Short description
A policy on access to the Oracle RAC database
environment
Relevant to
All CSU employees
Authority
This Policy has been approved by Office of
Executive Director, Division of Information
Technology
Responsible officer
Senior Technical Specialist - Databases
Responsible office
Office of Executive Director, Division of Information
Technology
Date introduced
30 May 2013
Date(s) modified
Next scheduled review date
May 2015
Related University documents
Related legislation
Privacy Act 1988
Key words
Oracle, security, authorised, access.
Oracle RAC Access Control Policy
1.0 – 30 May 2013
Page 1
1.
PURPOSE
1.1
Charles Sturt University’s information resources are a valuable asset.
Increasingly, these information resources are stored in the CSU/DIT Oracle
RAC database environment. This policy defines what, who and how access to
this database environment is to be controlled, provisioned, managed and
logged.
1.2
The objectives of this policy are to:
(a) Define the controls used to protect CSU’s stored information assets from
unauthorised disclosure, use, loss or damage.
(b) Preserve the integrity and availability of those information assets.
(c)
2.
Ensure compliance with the Privacy Act 1988 (changes coming in 2014!)
SCOPE
2.1. This policy applies to:
(a) CSU and 3rd party application and database administrators, developers or
technical staff.
(b) Consuming applications and systems
2.2. This policy does not apply to:
(a) Information assets stored outside the CSU Oracle RAC database
environment.
3.
REFERENCES
This policy should be read in conjunction with:
(a) The Charles Sturt University “Policy for the Use of University Computing
Communication Facilities”
(b) The Charles Sturt University Information Security Policy
(c) Unix Administrator Access Control Policy
(d) The Charles Sturt University Information Security Management System Policy
(e) CSU Data standards
(f) TRIM Access and Security Policy
(g) Other policies as published at:
http://www.csu.edu.au/division/dit/about/policy.htm
Oracle RAC Access Control Policy
1.0 – 30 May 2013
Page 2
4.
DEFINITIONS
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.12
4.13
4.14
5.
DIT – Division of Information Technology
Oracle RAC environment – High availability database solution.
Consuming application/system – Any application or system that accesses,
reads, writes, processes or interacts with any data in the Oracle RAC
environment
Production data – Any data outside the Devel and QA environments.
Devel environment – application and systems development only
QA environment - application and systems quality assurance only
Admin VPN – Special full access Virtual private network service
Host – A server that comprises part of the Oracle RAC environment.
DBA – DIT Database administrator
UNIX admin – DIT UNIX system administrator
SD – Service Delivery
TI – Technology Integration.
DDL – Data Definition Language
DML – Data Manipulation Language
RESPONSIBILITIES
SD-systems – provisioning accounts on hosts
SD-networks – network layer access control management
SD and TI database administrators – Overall management of the RAC environment.
Provision individual access to data in the RAC environment as approved.
TI-systems – Defining host access via host based ACLs
TI-networks – defining DIT staff subnets.
Team leader SD systems – approval for DIT production data access. Approval for
non-DIT Devel and QA access.
6.
ACCESS CONTROLS
6.1
With the exception of individuals approved as per sections 6.3 and 6.4, no
individual will have direct access to production data hosted within the Oracle
RAC environment. This includes read, write, change or any other access.
6.2
All access to data in the Oracle RAC production environment shall be via the
provisioning or consuming system or application only.
6.3
Individual access to the database with the schema owner shall only be where a
structure change (ddl) is required.
6.4
Individual access to production data will be provisioned and de-provisioned as
required and approved – (see appendices)
6.5
Direct Devel, Prod and QA database SQL access is restricted to DIT staff as
defined by DIT network subnets.
6.6
Direct Devel, Prod and QA database SQL access for non-DIT staff is normally
via the admin VPN and will be provisioned on a case by case basis by request.
If necessary, Devel and QA data will be refreshed from Prod.
Oracle RAC Access Control Policy
1.0 – 30 May 2013
Page 3
6.7
Only identified and approved DBA’s and UNIX administrators shall have SSH
access enabled on their accounts for Oracle RAC hosts.
6.8
All user, administrator, individual and application access request to data in the
Oracle RAC environment will be logged.
6.9
Password management will align with the Unix systems Administrator access
control policy – section 6.4
APPENDICES
1. Process - Provisioning Individual DIT Staff Access to Production data
1.1 A DIT Maintenance account is available upon request to view data.
1.2 If changes are to be made to production data, the standard RFC process will be
followed.
1.3 Individuals requiring access to production data will apply for access via an email
request to the Team Leader Service Delivery or delegate. The email request needs
to specify a relevant incident or RFC number.
1.4 Requests for access will be reviewed and approved by the Team Leader Service
Delivery or delegate.
1.5 Approved requests will be forwarded to the appropriate CSU DBA for actioning.
1.6 If a data change (dml) is required, appropriate grants will be added to the
maintenance account to allow this to happen once approval is provided and will be
revoked once the change has been made.
2. Process - Provisioning Individual DIT Staff Access to Devel and QA data
2.1 The relevant maintenance account should be the preferred access option and will be
left unlocked for the purposes of standard devel and qa data access.
Table of amendments
Version
number
1.0
1.0
1.0
Date
7 May 2013
8 May 2013
30 May 2013
Oracle RAC Access Control Policy
1.0 – 30 May 2013
Short description of amendment
Initial policy
Review by LW and HC.
CAB approval
Page 4
Download