Database Security
Lab 2 – Virtual Private Databases
2019
Part I: Implementing VPD by Views
This lab shows an example of implementing access control through views and triggers.
Notice: in this lab and the following ones, only the SYS user is the SYSDBA; the DBSEC user is a normal user.
What to submit: Your answers to the questions in steps 5(a), 6,
and 7.
1. Create the DBSEC account (using the Database Control Tool).
(a) For the sake of simplicity, set its password as dbsec.
(b) Assign the following system privileges to DBSEC:
CREATE ANY CONTEXT
CREATE PROCEDURE
CREATE SESSION
CREATE SEQUENCE
CREATE TABLE
CREATE TRIGGER
CREATE USER
CREATE VIEW
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE
GRANT ANY ROLE
for USERS.
2. Create a user SCOTT. For the sake of simplicity, set its
password as dbsec. Assign the
following system privileges to SCOTT:
CREATE SESSION
3. Logon as DBSEC and execute the following commands:
drop table employee;
create table employee (
empID number(3) primary key,
Fname varchar2(25),
Lname varchar2(25),
Email varchar2(50),
Tel char(11),
Hdate Date,
JobID varchar2(10),
Salary number(6),
ManagerID number(3),
DeptID number(3),
ctl_upd_user varchar2(25));
drop view employee_view1;
create view employee_view1 as
select empID, Fname, Lname, Email, Tel, Hdate, JobID, Salary,
managerID,
deptID, ctl_upd_user user_name
from employee
where ctl_upd_user = user;
grant select, insert, delete, update on employee_view1 to scott;
insert into employee_view1 values (100,'Sam','Doe', 'sdoe',
'501-1112222',
sysdate, 'job1','60000', 199, 1, user);
commit;
4. Logon as SYS, and execute the following commands:
create or replace trigger TRG_EMPLOYEE_VIEW1_BF_INS
instead of insert on dbsec.EMPLOYEE_VIEW1
for each row
begin
insert into dbsec.EMPLOYEE values
(:new.empID, :new.Fname, :new.Lname, :new.Email, :new.Tel, :new.Hdate,
:new.JobID, :new.Salary, :new.ManagerID, :new.deptID, user);
end;
5. Logon as SCOTT and execute the following commands:
insert into dbsec.employee_view1 values (101,'Julia','Rice', 'sdoe',
'501-1013333', sysdate, 'job_julia','50000', 299, 1, user);
commit;
select *
from dbsec.employee_view1;
(a) Did the above query output only the rows that Scott is allowed to see?
6. Read the code of create or replace trigger TRG_EMPLOYEE_VIEW1_BF_INS (in step 4).
(a) It differs from the create trigger syntax that we discussed in the PL/SQL review. Search the internet for the keywords “instead of” and “trigger”, and explain what an INSTEAD OF trigger is mainly used for.
(b) Explain what Oracle does when Scott performs
insert into dbsec.employee_view1 values (101,'Julia','Rice', 'sdoe',
'501-1013333', sysdate, 'job_julia','50000', 299, 1, user);
commit;
(c) Create a trigger for update on Employee_view1 and a trigger for delete on Employee_view1, respectively, so that a user cannot update or delete rows created (owned) by other users.
7. Create another user Mary. Logon as Mary and insert a row
into employee_view1, and
demonstrate (by a query result) Mary can only see the row(s)
that she has inserted.
8. Roll back the changes made by this project
(a) Log on as SYS, and perform the following commands:
drop trigger TRG_EMPLOYEE_VIEW1_BF_INS;
COMMIT;
(b) Log on as DBSEC and perform the following commands:
drop table employee;
drop view employee_view1;
COMMIT;
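As an added example (not part of the lab, and not Oracle code), the following Python script models the Part I mechanism with sqlite3: the EMPLOYEE table, the owner-filtered EMPLOYEE_VIEW1, and the INSTEAD OF INSERT trigger. The SESSION dict and the app_user() function stand in for the login session and Oracle's USER; the column names and the two sample employees are the lab's, the hire dates are constructed. It goes one step beyond step 5: SCOTT names DBSEC as the owner in his VALUES list, and the trigger still stamps SCOTT, which is the property that makes the view a usable access-control boundary.

```python
import sqlite3

# Added model of the Part I mechanism (not the lab's Oracle code): a base
# table with an owner column, a view that filters on the session user, and an
# INSTEAD OF INSERT trigger that stamps the owner from the session instead of
# trusting the caller's VALUES list. sqlite3 stands in for Oracle; app_user()
# stands in for Oracle's USER function.

SESSION = {"user": None}  # the "logged-on" user of the current session


def open_db():
    conn = sqlite3.connect(":memory:")
    # Not declared deterministic, so it is re-evaluated on every call
    # instead of being folded into a constant when the view is compiled.
    conn.create_function("app_user", 0, lambda: SESSION["user"])
    conn.executescript("""
        CREATE TABLE employee (
            empid INTEGER PRIMARY KEY, fname TEXT, lname TEXT, email TEXT,
            tel TEXT, hdate TEXT, jobid TEXT, salary INTEGER,
            managerid INTEGER, deptid INTEGER, ctl_upd_user TEXT NOT NULL);

        -- EMPLOYEE_VIEW1: only rows whose owner column equals the caller
        CREATE VIEW employee_view1 AS
            SELECT empid, fname, lname, email, tel, hdate, jobid, salary,
                   managerid, deptid, ctl_upd_user AS user_name
            FROM employee
            WHERE ctl_upd_user = app_user();

        -- TRG_EMPLOYEE_VIEW1_BF_INS: the row goes to the base table and the
        -- owner is taken from the session; NEW.user_name is deliberately ignored
        CREATE TRIGGER trg_employee_view1_bf_ins
        INSTEAD OF INSERT ON employee_view1
        BEGIN
            INSERT INTO employee VALUES (
                NEW.empid, NEW.fname, NEW.lname, NEW.email, NEW.tel, NEW.hdate,
                NEW.jobid, NEW.salary, NEW.managerid, NEW.deptid, app_user());
        END;
    """)
    return conn


def logon(user):
    SESSION["user"] = user


def insert_via_view(conn, row):
    conn.execute("INSERT INTO employee_view1 VALUES (?,?,?,?,?,?,?,?,?,?,?)", row)
    conn.commit()


def visible_empids(conn):
    return [r[0] for r in conn.execute(
        "SELECT empid FROM employee_view1 ORDER BY empid")]


def owner_of(conn, empid):
    return conn.execute("SELECT ctl_upd_user FROM employee WHERE empid = ?",
                        (empid,)).fetchone()[0]


def demo():
    conn = open_db()
    logon("DBSEC")  # step 3: DBSEC inserts Sam through the view
    insert_via_view(conn, (100, "Sam", "Doe", "sdoe", "501-1112222",
                           "2019-01-01", "job1", 60000, 199, 1, "DBSEC"))
    logon("SCOTT")  # step 5: SCOTT inserts Julia but names DBSEC as owner
    insert_via_view(conn, (101, "Julia", "Rice", "sdoe", "501-1013333",
                           "2019-01-02", "job_julia", 50000, 299, 1, "DBSEC"))
    scott_sees = visible_empids(conn)
    logon("DBSEC")
    dbsec_sees = visible_empids(conn)
    return {"scott": scott_sees, "dbsec": dbsec_sees,
            "owner_of_101": owner_of(conn, 101)}


if __name__ == "__main__":
    print(demo())
```

Run it directly to print which empIDs each user sees. The point to carry over to the Oracle version: the owner column is written by the trigger from USER and never copied from :new; if it were, a user could file rows under someone else's name and, with an UPDATE trigger that copied :new.ctl_upd_user, re-own rows.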
Part II: VPD by Application Context
The objective of this lab is to learn how to implement access
control using application context.
What to submit: Your answers to the questions in steps 2(b),
3(b), and 4.
1. Create a user HR. For the sake of simplicity, set its password
as dbsec. Assign the following
system privileges to HR:
CREATE SESSION
2. Logon as SYS and execute the following commands:
DROP TABLE APP_CONTEXT_USERS;
CREATE TABLE APP_CONTEXT_USERS
(
APP_CONTEXT_ATTR VARCHAR2(80),
APP_CONTEXT_VALUE VARCHAR2(255),
USER_NAME VARCHAR2(30)
);
INSERT INTO APP_CONTEXT_USERS
VALUES('SECURITY_LEVEL','1','SCOTT');
INSERT INTO APP_CONTEXT_USERS
VALUES('SECURITY_LEVEL','2','HR');
INSERT INTO APP_CONTEXT_USERS
VALUES('SECURITY_LEVEL','3','DBSEC');
DROP TABLE ORDERS;
CREATE TABLE ORDERS
(
ORDER_ID NUMBER,
ORDER_DATE DATE,
CUSTOMER_ID NUMBER,
ORDER_AMOUNT NUMBER,
CTL_REC_STAT NUMBER
);
INSERT INTO ORDERS VALUES(1, SYSDATE,
200,1203.22,1);
INSERT INTO ORDERS VALUES(2, SYSDATE,
210,5431.23,1);
INSERT INTO ORDERS VALUES(3, SYSDATE,
212,100023.29,2);
INSERT INTO ORDERS VALUES(4, SYSDATE,
210,999210.55,3);
DROP VIEW ORDER_VIEW;
CREATE VIEW ORDER_VIEW AS
SELECT ORDER_ID,ORDER_DATE,CUSTOMER_ID,ORDER_AMOUNT
FROM ORDERS
WHERE CTL_REC_STAT <= TO_NUMBER(SYS_CONTEXT('ORDERS_APP','SECURITY_LEVEL'));
CREATE CONTEXT ORDERS_APP USING
SYS.CONTEXT_PKG;
CREATE OR REPLACE PACKAGE CONTEXT_PKG AS
PROCEDURE SET_APP_CONTEXT(P_LEVEL VARCHAR2);
END;
CREATE OR REPLACE PACKAGE BODY CONTEXT_PKG AS
PROCEDURE SET_APP_CONTEXT(P_LEVEL VARCHAR2) IS
BEGIN
DBMS_SESSION.SET_CONTEXT('ORDERS_APP','SECURITY_LEVEL',P_LEVEL);
END;
END;
GRANT EXECUTE ON CONTEXT_PKG TO DBSEC;
CREATE OR REPLACE TRIGGER TRG_DB_LOGON
AFTER LOGON ON DATABASE
DECLARE
V_LEVEL VARCHAR2(255);
BEGIN
SELECT APP_CONTEXT_VALUE
INTO V_LEVEL
FROM APP_CONTEXT_USERS
WHERE USER_NAME=USER;
CONTEXT_PKG.SET_APP_CONTEXT(V_LEVEL);
END;
commit;
(a) Perform the following command:
SELECT
SYS_CONTEXT('ORDERS_APP','SECURITY_LEVEL')
FROM DUAL;
(b) What is the output of the above command, and why is it so?
3. Logon as HR and select from the view:
SELECT
SYS_CONTEXT('ORDERS_APP','SECURITY_LEVEL')
FROM DUAL;
SELECT * FROM SYS.ORDER_VIEW;
(a) You will get an error from the above SELECT statement as
below:
ERROR at line 1:
ORA-00942: table or view does not exist
(b) What would you do to enable the users DBSEC and HR to view the contents of ORDER_VIEW?
4. Logon as HR and execute the following SQL statement to demonstrate that your solution to 3(b) works properly.
SELECT * FROM SYS.ORDER_VIEW;
5. Roll back the changes made by this project
(a) Log on as SYS, and perform the following commands:
DROP TRIGGER TRG_DB_LOGON;
DROP TABLE ORDERS;
DROP VIEW ORDER_VIEW;
DROP CONTEXT ORDERS_APP;
DROP PACKAGE CONTEXT_PKG;
DROP TABLE APP_CONTEXT_USERS;
COMMIT;
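Added example, not the lab's code: a Python/sqlite3 model of Part II. A dict plays the application context (the DBMS_SESSION.SET_CONTEXT / SYS_CONTEXT pair), logon() plays TRG_DB_LOGON together with CONTEXT_PKG.SET_APP_CONTEXT, and order_view keeps the lab's predicate. The tables and rows are the lab's; the extra user NOBODY is constructed to show what the view does when the logon lookup finds no mapping row.

```python
import sqlite3

# Added model of Part II (not the lab's Oracle code): a per-session
# application context filled at logon from a mapping table, and a view whose
# predicate reads that context. sqlite3 plus a Python dict stand in for
# Oracle's DBMS_SESSION.SET_CONTEXT / SYS_CONTEXT.

CONTEXT = {}  # {(namespace, attribute): value}; cleared at every logon


def sys_context(namespace, attribute):
    return CONTEXT.get((namespace, attribute))  # None plays Oracle's NULL


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("sys_context", 2, sys_context)
    conn.executescript("""
        CREATE TABLE app_context_users (
            app_context_attr TEXT, app_context_value TEXT, user_name TEXT);
        INSERT INTO app_context_users VALUES ('SECURITY_LEVEL','1','SCOTT');
        INSERT INTO app_context_users VALUES ('SECURITY_LEVEL','2','HR');
        INSERT INTO app_context_users VALUES ('SECURITY_LEVEL','3','DBSEC');

        CREATE TABLE orders (order_id INTEGER, order_date TEXT,
                             customer_id INTEGER, order_amount REAL,
                             ctl_rec_stat INTEGER);
        INSERT INTO orders VALUES (1, date('now'), 200, 1203.22, 1);
        INSERT INTO orders VALUES (2, date('now'), 210, 5431.23, 1);
        INSERT INTO orders VALUES (3, date('now'), 212, 100023.29, 2);
        INSERT INTO orders VALUES (4, date('now'), 210, 999210.55, 3);

        -- ORDER_VIEW: a row is visible when its record status does not
        -- exceed the caller's security level from the context
        CREATE VIEW order_view AS
            SELECT order_id, order_date, customer_id, order_amount
            FROM orders
            WHERE ctl_rec_stat <=
                  CAST(sys_context('ORDERS_APP', 'SECURITY_LEVEL') AS INTEGER);
    """)
    return conn


def logon(conn, user):
    """Model of TRG_DB_LOGON + CONTEXT_PKG.SET_APP_CONTEXT for one session."""
    CONTEXT.clear()  # a new session starts with an empty context
    row = conn.execute(
        "SELECT app_context_value FROM app_context_users "
        "WHERE app_context_attr = 'SECURITY_LEVEL' AND user_name = ?",
        (user,)).fetchone()
    if row is None:
        # the NO_DATA_FOUND case of the lab's trigger: nothing gets set,
        # so SYS_CONTEXT stays NULL for this session
        return None
    CONTEXT[("ORDERS_APP", "SECURITY_LEVEL")] = row[0]
    return row[0]


def visible_orders(conn):
    return [r[0] for r in conn.execute(
        "SELECT order_id FROM order_view ORDER BY order_id")]


def demo():
    conn = open_db()
    result = {}
    for user in ("SCOTT", "HR", "DBSEC", "NOBODY"):
        level = logon(conn, user)
        result[user] = (level, visible_orders(conn))
    return result


if __name__ == "__main__":
    for user, (level, ids) in demo().items():
        print(f"{user:6} SECURITY_LEVEL={level} sees orders {ids}")
```

NOBODY sees no rows: an unset attribute reads as NULL, the comparison evaluates to NULL, and the view fails closed. That is the behaviour to preserve if you change how the level is looked up; a lookup that defaults to a high level on a miss would silently widen access for every user missing from APP_CONTEXT_USERS.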
Part III: VPD -- Row Owner Security
The objective of this lab is to learn, by example, how to implement access control based on row owner security.
The access control policy of this lab requires that a user can only access records he/she owns, which means that only records whose CTL_UPD_USER matches the user’s login name can be viewed by that user.
What to submit: Your answers to the questions in steps 4(b), 5(b), and 7 (for graduate students only).
1. Assign the following system privileges to DBSEC.
CREATE ANY CONTEXT
CREATE ANY TRIGGER
CREATE PROCEDURE
CREATE SEQUENCE
CREATE SESSION
CREATE TABLE
CREATE USER
CREATE VIEW
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE
2. Log on as DBSEC and perform the following statements:
(a) Create a customer table:
DROP TABLE CUSTOMERS;
CREATE TABLE CUSTOMERS (
SALES_REP_ID NUMBER(4),
CUSTOMER_ID NUMBER(8),
CTL_UPD_DTTM DATE,
CTL_UPD_USER VARCHAR2(30),
CTL_REC_STAT CHAR(1),
primary key (sales_rep_id, customer_id)
);
(b) Populate the customer table:
insert into customers values (1000, 90000,NULL,
'VPD_CLERK1','1');
insert into customers values (1000, 90001,NULL,
'VPD_CLERK1','2');
insert into customers values (1000, 90002,NULL,
'VPD_CLERK2','3');
insert into customers values (1000, 90003,NULL,
'VPD_CLERK2','4');
insert into customers values (1000, 90004,NULL,
'VPD_CLERK3','5');
insert into customers values (1001, 90000,NULL,
'VPD_CLERK3','1');
insert into customers values (1001, 90001,NULL,
'VPD_CLERK2','2');
insert into customers values (1001, 90002,NULL,
'VPD_CLERK2','3');
insert into customers values (1001, 90003,NULL,
'VPD_CLERK1','4');
insert into customers values (1001, 90004,NULL,
'VPD_CLERK1','5');
insert into customers values (1002, 90005,NULL,
'VPD_CLERK2','1');
insert into customers values (1003, 90006,NULL,
'VPD_CLERK2','2');
insert into customers values (1004, 90007,NULL,
'VPD_CLERK3','3');
insert into customers values (1005, 90008,NULL,
'VPD_CLERK3','4');
insert into customers values (1006, 90009,NULL,
'VPD_CLERK1','5');
insert into customers values (1007, 90005,NULL,
'VPD_CLERK2','1');
insert into customers values (1008, 90006,NULL,
'VPD_CLERK3','2');
insert into customers values (1009, 90007,NULL,
'VPD_CLERK1','3');
insert into customers values (1010, 90008,NULL,
'VPD_CLERK3','4');
insert into customers values (1011, 90009,NULL,
'VPD_CLERK2','5');
commit;
3. Log in as SYS user
(a) Create users VPD_CLERK1, VPD_CLERK2, and
VPD_CLERK3
CREATE USER VPD_CLERK1 IDENTIFIED BY
VPD_CLERK1;
GRANT CREATE SESSION TO VPD_CLERK1;
CREATE USER VPD_CLERK2 IDENTIFIED BY
VPD_CLERK2;
GRANT CREATE SESSION TO VPD_CLERK2;
CREATE USER VPD_CLERK3 IDENTIFIED BY
VPD_CLERK3;
GRANT CREATE SESSION TO VPD_CLERK3;
(b) Grant access rights on customer table to VPD_CLERK1,
VPD_CLERK2, and
VPD_CLERK3
GRANT SELECT, INSERT, DELETE, UPDATE ON
DBSEC.CUSTOMERS TO VPD_CLERK1;
GRANT SELECT, INSERT, DELETE, UPDATE ON
DBSEC.CUSTOMERS TO VPD_CLERK2;
GRANT SELECT, INSERT, DELETE, UPDATE ON
DBSEC.CUSTOMERS TO VPD_CLERK3;
(c) Create a security policy function, which the DBMS will use to perform access control.
CREATE OR REPLACE FUNCTION
DBSEC_ROW_OWNER_WHERE(
P_SCHEMA_NAME IN VARCHAR2,
P_OBJECT_NAME IN VARCHAR2)
RETURN VARCHAR2 AS
con VARCHAR2 (200);
BEGIN
con := 'CTL_UPD_USER=USER';
RETURN (con);
END;
(d) Execute the following command (all should be in one line when executing it):
exec dbms_rls.add_policy(object_schema =>'DBSEC',object_name => 'CUSTOMERS',policy_name => 'dbsec_row_onwer_policy', function_schema => 'SYS', policy_function =>'DBSEC_ROW_OWNER_WHERE', enable => true);
COMMIT;
4. Test the implementation
(a) Logon as VPD_CLERK1. What is the output of the following SQL statement?
SELECT *
FROM DBSEC.CUSTOMERS;
(b) Repeat the above steps as VPD_CLERK2, VPD_CLERK3
respectively and show the result
of the SQL statement.
5. Log on as SYS, and perform the following commands: (all should be in one line when executing it)
exec dbms_rls.drop_policy(object_schema =>'DBSEC',object_name => 'CUSTOMERS',policy_name => 'dbsec_row_onwer_policy');
COMMIT;
(a) Logon as VPD_CLERK1 and execute the SQL statement:
SELECT *
FROM DBSEC.CUSTOMERS;
(b) Is the result of the above SQL statement different from that
in Step 4? If yes, why?
6. Roll back the changes made by this project
(a) Log on as SYS and perform the following statements:
REVOKE SELECT, INSERT, DELETE ON CUSTOMERS
FROM VPD_CLERK1, VPD_CLERK2,
VPD_CLERK3;
DROP TABLE CUSTOMERS;
DROP FUNCTION DBSEC_ROW_OWNER_WHERE;
COMMIT;
7. (For graduate students) Revise the code of this lab so that the
user HR is able to see the rows
owned by VPD_CLERK1 and VPD_CLERK3. (Hint: revise
DBSEC_ROW_OWNER_WHERE
function)
(a) Demonstrate that your implementation works properly with the SQL command
SELECT *
FROM DBSEC.CUSTOMERS;
(b) Roll back the changes appropriately.
(c) Submit the code of your implementation.
Part IV: VPD -- Role Security Level
The objective of this lab is to learn, by example, how to
implement access control based on row
security level.
The access control policy of the scenario in this lab is as
follows:
sales_rep_id=1000.
sales_rep_id=1001.
sales_rep_id=1002.
What to submit: Your answers to the questions in steps 2(a),
3(a), 4, 5(c), and 5(d).
1. Log on as DBSEC and execute the following statements:
DROP TABLE CUSTOMERS;
CREATE TABLE CUSTOMERS (
SALES_REP_ID NUMBER(4),
CUSTOMER_ID NUMBER(8),
CTL_UPD_DTTM DATE,
CTL_UPD_USER VARCHAR2(30),
CTL_REC_STAT CHAR(1),
primary key (sales_rep_id, customer_id)
);
insert into customers values (1000, 90000,NULL,
'VPD_CLERK1','1');
insert into customers values (1000, 90001,NULL,
'VPD_CLERK1','2');
insert into customers values (1000, 90002,NULL,
'VPD_CLERK2','3');
insert into customers values (1000, 90003,NULL,
'VPD_CLERK2','4');
insert into customers values (1000, 90004,NULL,
'VPD_CLERK3','5');
insert into customers values (1001, 90000,NULL,
'VPD_CLERK3','1');
insert into customers values (1001, 90001,NULL,
'VPD_CLERK2','2');
insert into customers values (1001, 90002,NULL,
'VPD_CLERK2','3');
insert into customers values (1001, 90003,NULL,
'VPD_CLERK1','4');
insert into customers values (1001, 90004,NULL,
'VPD_CLERK1','5');
insert into customers values (1002, 90005,NULL,
'VPD_CLERK2','1');
insert into customers values (1003, 90006,NULL,
'VPD_CLERK2','2');
insert into customers values (1004, 90007,NULL,
'VPD_CLERK3','3');
insert into customers values (1005, 90008,NULL,
'VPD_CLERK3','4');
insert into customers values (1006, 90009,NULL,
'VPD_CLERK1','5');
insert into customers values (1007, 90005,NULL,
'VPD_CLERK2','1');
insert into customers values (1008, 90006,NULL,
'VPD_CLERK3','2');
insert into customers values (1009, 90007,NULL,
'VPD_CLERK1','3');
insert into customers values (1010, 90008,NULL,
'VPD_CLERK3','4');
insert into customers values (1011, 90009,NULL,
'VPD_CLERK2','5');
GRANT SELECT, INSERT, DELETE ON CUSTOMERS TO
VPD_CLERK1, VPD_CLERK2,
VPD_CLERK3;
DROP TABLE DBSEC_CUSTOMERS_APP_CONTEXT;
CREATE TABLE DBSEC_CUSTOMERS_APP_CONTEXT (
SALES_REP_ID NUMBER PRIMARY KEY,
USER_NAME VARCHAR2(30));
GRANT SELECT ON DBSEC_CUSTOMERS_APP_CONTEXT
TO VPD_CLERK1, VPD_CLERK2, VPD_CLERK3;
INSERT INTO DBSEC_CUSTOMERS_APP_CONTEXT
VALUES (1000, 'VPD_CLERK1');
INSERT INTO DBSEC_CUSTOMERS_APP_CONTEXT
VALUES (1001, 'VPD_CLERK2');
INSERT INTO DBSEC_CUSTOMERS_APP_CONTEXT
VALUES (1002, 'VPD_CLERK3');
COMMIT;
2. Log on as SYS and execute the following statements:
CREATE OR REPLACE PACKAGE
PKG_DBSEC_CUST_SALES_REP AS
PROCEDURE SET_CONTEXT;
END;
CREATE OR REPLACE PACKAGE BODY PKG_DBSEC_CUST_SALES_REP AS
PROCEDURE SET_CONTEXT IS
V_SALES_REP_ID NUMBER;
BEGIN
SELECT SALES_REP_ID
INTO V_SALES_REP_ID
FROM DBSEC.DBSEC_CUSTOMERS_APP_CONTEXT
WHERE UPPER(USER_NAME)=USER;
DBMS_SESSION.SET_CONTEXT('DBSEC_CUSTOMERS_SALESREP','SALES_REPID',V_SALES_REP_ID);
EXCEPTION
WHEN NO_DATA_FOUND THEN
DBMS_SESSION.SET_CONTEXT('DBSEC_CUSTOMERS_SALESREP','SALES_REPID', 0);
END;
END;
CREATE OR REPLACE CONTEXT
DBSEC_CUSTOMERS_SALESREP
USING PKG_DBSEC_CUST_SALES_REP;
CREATE OR REPLACE FUNCTION DBSEC_CUST_SALESREP_WHERE(
P_SCHEMA_NAME IN VARCHAR2,
P_OBJECT_NAME IN VARCHAR2)
RETURN VARCHAR2 IS
V_WHERE VARCHAR2(4000);
BEGIN
if to_number(SYS_CONTEXT('DBSEC_CUSTOMERS_SALESREP','SALES_REPID')) = 0 then
V_WHERE := '1=1';
else
V_WHERE := 'SALES_REP_ID = ' || to_number(SYS_CONTEXT('DBSEC_CUSTOMERS_SALESREP','SALES_REPID'));
end if;
RETURN V_WHERE;
END;
CREATE OR REPLACE TRIGGER TRG_AFTER_LOGON
AFTER LOGON
ON DATABASE
BEGIN
PKG_DBSEC_CUST_SALES_REP.SET_CONTEXT;
END;
/* rem the following command should be executed in one line */
exec dbms_rls.add_policy(object_schema => 'dbsec',object_name => 'customers', policy_name =>'dbsec_cust_salesrep_policy',function_schema => 'dbsec',policy_function =>'dbsec_cust_salesrep_where', enable => true);
COMMIT;
(a) The last command does not work. How would you correct it so that it works?
3. Logon as VPD_CLERK1 and execute the following
commands:
select sys_context('USERENV', 'CURRENT_USER')
from dual;
select * from dbsec.customers;
(a) Is the result of the last SQL statement correct?
4. Repeat Step 3 as VPD_CLERK2 and VPD_CLERK3
respectively.
5. Log on as DBSEC and perform the following steps:
(a) Execute the statements
SELECT * FROM CUSTOMERS;
GRANT SELECT, INSERT, DELETE ON CUSTOMERS TO
VPD_CLERK1, VPD_CLERK2,
VPD_CLERK3;
GRANT SELECT, INSERT, DELETE ON CUSTOMERS TO
HR;
(b) Open a SQL Developer connection, log on as HR (created in Lab 2 Part II with the password dbsec) and execute the statement:
SELECT * FROM DBSEC.CUSTOMERS;
(c) We found out from 5(b) that the user HR can see all the tuples in CUSTOMERS. This might not be appropriate in practice. Assume the security policy states that only dbsec can view all the tuples of the CUSTOMERS table and that no other user can do so, even if dbsec grants the SELECT, UPDATE, DELETE on CUSTOMERS privileges to them. How would you revise the code of this lab to implement this policy? (Hint: you need to revise DBSEC_CUST_SALESREP_WHERE of step 2.)
(d) Run the SQL statement in 5(b) as HR and demonstrate that
your revised code works
properly (that is, HR cannot see any tuples at all).
6. Roll back the changes made by this project
(a) Log on as SYS, and perform the following commands: (the
first command should be
executed in one line.)
exec dbms_rls.drop_policy(object_schema => 'dbsec', object_name => 'customers', policy_name =>'dbsec_cust_salesrep_policy');
DROP PACKAGE PKG_DBSEC_CUST_SALES_REP;
DROP CONTEXT DBSEC_CUSTOMERS_SALESREP;
DROP FUNCTION DBSEC_CUST_SALESREP_WHERE;
DROP TRIGGER TRG_AFTER_LOGON;
COMMIT;
(b) Log on as DBSEC, and perform the following commands:
REVOKE SELECT, INSERT, DELETE ON CUSTOMERS
FROM VPD_CLERK1, VPD_CLERK2,
VPD_CLERK3, HR;
DROP TABLE CUSTOMERS;
DROP TABLE DBSEC_CUSTOMERS_APP_CONTEXT;
COMMIT;
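Added example covering Parts III and IV, not the lab's code: a Python/sqlite3 model of DBMS_RLS row-level security. add_policy()/drop_policy() keep a registry of one policy function per table, and select_customers() does explicitly what Oracle does transparently: it calls the policy function and appends the predicate it returns to the query. row_owner_where mirrors DBSEC_ROW_OWNER_WHERE, salesrep_where_fail_open mirrors DBSEC_CUST_SALESREP_WHERE as written (an unmapped user gets '1=1'), and salesrep_where_fail_closed is a constructed variant that returns '1=0' instead. The CUSTOMERS rows are a subset of the lab's; SALES_REP_MAP holds the lab's DBSEC_CUSTOMERS_APP_CONTEXT rows; app_user() and sys_context() stand in for USER and SYS_CONTEXT.

```python
import sqlite3

# Added model of Parts III and IV (not the lab's Oracle code): a policy
# function returns a WHERE predicate, and the database appends that predicate
# to every query on the protected table. sqlite3 stands in for Oracle; the
# query rewrite that Oracle VPD performs transparently is done by hand here.

SESSION = {"user": None, "context": {}}


def app_user():
    return SESSION["user"]


def sys_context(namespace, attribute):
    return SESSION["context"].get((namespace, attribute))


# Constructed subset of the lab's CUSTOMERS rows:
# (sales_rep_id, customer_id, ctl_upd_user, ctl_rec_stat)
CUSTOMERS = [
    (1000, 90000, "VPD_CLERK1", "1"), (1000, 90001, "VPD_CLERK1", "2"),
    (1000, 90002, "VPD_CLERK2", "3"), (1001, 90000, "VPD_CLERK3", "1"),
    (1001, 90003, "VPD_CLERK1", "4"), (1002, 90005, "VPD_CLERK2", "1"),
    (1004, 90007, "VPD_CLERK3", "3"),
]
# The lab's DBSEC_CUSTOMERS_APP_CONTEXT mapping (user -> sales rep)
SALES_REP_MAP = {"VPD_CLERK1": 1000, "VPD_CLERK2": 1001, "VPD_CLERK3": 1002}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("app_user", 0, app_user)
    conn.create_function("sys_context", 2, sys_context)
    conn.execute("CREATE TABLE customers (sales_rep_id INTEGER, customer_id INTEGER, "
                 "ctl_upd_user TEXT, ctl_rec_stat TEXT, "
                 "PRIMARY KEY (sales_rep_id, customer_id))")
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?)", CUSTOMERS)
    conn.commit()
    return conn


# Policy functions share the lab's (schema, object) -> predicate signature.
def row_owner_where(schema, obj):
    """Part III: only the rows the caller owns."""
    return "ctl_upd_user = app_user()"


def salesrep_where_fail_open(schema, obj):
    """Part IV as written: sales rep 0 (unmapped user) gets '1=1', i.e. every row."""
    rep = int(sys_context("DBSEC_CUSTOMERS_SALESREP", "SALES_REPID"))
    return "1=1" if rep == 0 else f"sales_rep_id = {rep}"  # rep is a trusted int


def salesrep_where_fail_closed(schema, obj):
    """Constructed hardened variant: an unmapped user gets '1=0', i.e. no rows."""
    rep = int(sys_context("DBSEC_CUSTOMERS_SALESREP", "SALES_REPID"))
    return "1=0" if rep == 0 else f"sales_rep_id = {rep}"


POLICIES = {}  # (schema, object) -> policy function; plays dbms_rls.add_policy's registry


def add_policy(schema, obj, fn):
    POLICIES[(schema.upper(), obj.upper())] = fn


def drop_policy(schema, obj):
    POLICIES.pop((schema.upper(), obj.upper()), None)


def logon(user):
    """Model of TRG_AFTER_LOGON + PKG_DBSEC_CUST_SALES_REP.SET_CONTEXT:
    an unmapped user gets sales rep 0, the lab's NO_DATA_FOUND branch."""
    SESSION["user"] = user
    SESSION["context"] = {
        ("DBSEC_CUSTOMERS_SALESREP", "SALES_REPID"): SALES_REP_MAP.get(user, 0)}


def select_customers(conn, schema="DBSEC"):
    """SELECT from <schema>.CUSTOMERS with the registered predicate appended."""
    fn = POLICIES.get((schema.upper(), "CUSTOMERS"))
    where = fn(schema, "CUSTOMERS") if fn else "1=1"  # no policy: no restriction
    sql = ("SELECT sales_rep_id, customer_id, ctl_upd_user FROM customers "
           f"WHERE ({where}) ORDER BY sales_rep_id, customer_id")
    return conn.execute(sql).fetchall()


def demo():
    conn = open_db()
    out = {}
    add_policy("DBSEC", "CUSTOMERS", row_owner_where)          # Part III step 3(d)
    logon("VPD_CLERK1")
    out["owner/clerk1"] = select_customers(conn)
    drop_policy("DBSEC", "CUSTOMERS")                           # Part III step 5
    out["nopolicy/clerk1"] = select_customers(conn)
    add_policy("DBSEC", "CUSTOMERS", salesrep_where_fail_open)  # Part IV step 2
    logon("VPD_CLERK2")
    out["salesrep/clerk2"] = select_customers(conn)
    logon("HR")                                                 # HR has no mapping
    out["salesrep/hr"] = select_customers(conn)
    add_policy("DBSEC", "CUSTOMERS", salesrep_where_fail_closed)
    out["closed/hr"] = select_customers(conn)                   # still logged on as HR
    return out


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16} {len(rows)} rows: {rows}")
```

The fail-open branch is the situation Part IV step 5(c) points at: any user who is granted SELECT on CUSTOMERS but has no sales-rep mapping gets sales rep 0 and therefore every row. Two things carry over to the Oracle version: a policy function decides what an unmapped session gets, so that default should be the empty predicate unless the policy says otherwise; and the predicate is SQL text, so the values it interpolates must come from a trusted context attribute (an integer here), never from caller-supplied input.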
Case Study: Portable Phones Inc.
Portable Phones Inc. manufactures and sells wireless telephones
for residential and commercial use. Portable Phones’ plant is
organized by product line, with five phone assembly
departments in total. Each of these five phone assembly
departments is responsible for the complete production of a
particular phone line, including manufacturing some parts,
purchasing other parts, and assembling the unit.
Each of the five phone assembly department managers reports to
a product-line manager who has profit responsibility for his/her
product. These five product-line managers have authority over
pricing, marketing, distribution, and production of their
product. Each of the five phone assembly departments is a cost
center within its respective product-line profit center.
A key component of each phone is the circuit board(s)
containing the integrated circuit chips. Each phone assembly
department purchases from outside vendors the basic boards and
chips to be attached to its board(s). The board department of the
plant receives the boards and chips in kits from each phone
assembly department and assembles them into completed boards
ready for assembly into the phones. The board department (with
a cost structure that is 80 percent fixed and 20 percent variable)
uses a single highly automated assembly line of robotic
insertion machines to precisely position each chip on the board
and soldering machines to solder the chips onto the board. The
board department is a common resource for the plant; all five of
the phone assembly departments use the board department to
assemble some or all of their boards. Since the board
department has a single assembly line, it can only assemble
boards for one type of phone at a time. The assembly
departments have authority to seek the most competitive
supplier for all their parts and services, including circuit board
assembly.
The board department’s assembly schedule is determined at the
beginning of each month. The five assembly departments
request a time during the month when they plan delivery of
particular kits to the board department and specify the number
of boards to be assembled. The manager of the board
department then takes these requests and tries to satisfy the
assembly departments’ requests.
However, the board department manager finds that she has a
peak load problem; the assembly departments tend to want their
boards assembled at the same time. The only way to satisfy
these requests is to work overtime shifts during these peak
periods even though the board department has excess capacity at
other times of the month.
The total monthly costs of the board department (equipment
depreciation, maintenance, direct labor, supervision, and
engineering support) are assigned to the phone assembly
departments based on an hourly rate. The board department’s
total monthly costs are divided by the number of hours of
capacity in the month (e.g., if a particular month has 22
working days, this is equivalent to 352 hours or 22 days × 2
shifts × 8 hours per shift) to arrive at a charge per hour. To
give the phone assembly departments incentives to have their
kits (boards and chips) delivered to the board department in a
timely manner, the phone assembly department is charged for
the time from when the last job (a batch of boards assembled for
a phone assembly department) was finished by the board
department until the time when the next job is finished. For
example, suppose phone assembly department A’s phones were
finished at 9:00 a.m. and that department B delivered its kits at
1:00 p.m. and they were completed at 7:00 p.m. the same day.
Department B would be charged for 10 hours of the board
department’s costs even though the board department was idle
for 4 of the 10 hours.
When first installed, the board department was expected to be
operating at full capacity, two shifts per day, six days per week.
But due to increased competition and outsourcing of some
models, the board department is now operating at about 70
percent of the initial planned capacity.
Required:
a. If you manage a phone assembly department, when during the month would you tend to request that your phone circuit boards be assembled by the board department (everything else being held constant)? Explain why.
b. Identify various dysfunctional behaviors likely to occur among the phone assembly departments and the board department.
c. What management changes would you suggest? In particular, what changes would you make in the accounting system? Explain why each change should be made.
Case Study: Joon
Joon manufactures and sells to retailers a variety of home care
and personal care products. Joon has a single plant that
produces all four of its product lines: Stick Goods (brooms and
mops), Floor Care (strippers, soaps, and waxes), Brushes (hair
brushes and shoe brushes), and Aerosols (room deodorizers, bug
spray, furniture wax). The following statement summarizes
Joon’s financial performance for the most recent fiscal year.
Direct labor costs $21 per hour. Fixed manufacturing overhead
of $4.433 million is allocated to products based on direct labor
hours. Last year, the fixed manufacturing overhead rate was $31
per direct labor hour ($4.433 million/143,000 direct labor
hours). Variable manufacturing overhead is $3.50 per direct
labor hour. Selling, general, and administrative (SG&A)
expenses consist of fixed costs ($1.35 million) and variable
costs ($2,951 million). The variable SG&A is 20 percent of
revenues.
The Joon plant has considerable excess capacity. Senior
management has identified a potential acquisition target,
Snuffy, that sells a line of automotive products (car waxes,
soaps, brushes, and so forth) that are complementary to Joon’s
existing products and that can be manufactured in Joon’s plant.
Snuffy does not have any manufacturing facilities, but rather
outsources the production of its products to contract
manufacturers. Snuffy can be purchased for $38 million. The
following table summarizes Snuffy’s current operating data:
Senior management argues that the reason Joon is currently
losing money is that volumes have fallen in the plant and that
the remaining products are having to carry an increasingly
larger share of the overhead. This has caused some Joon product
managers to raise prices. Senior managers realize that they must
drive more volume into the plant if Joon is to return to
profitability. Since organic growth (i.e., growth from existing
products) is difficult due to a very competitive marketplace,
management proposes to the board of directors the purchase of
Snuffy as a way to drive additional volume into the plant. With
volume of 60,000 cases and 1.9 direct labor hours per case,
Snuffy’s car care product line will add 114,000 direct labor
hours to the plant and increase volume about 80 percent
(114,000/143,000). This additional volume will significantly
reduce the overhead the existing products must absorb and
allow the product managers to lower prices. To incorporate
Snuffy’s manufacturing and distribution into Joon’s current
operations, Joon will have to incur additional fixed
manufacturing overhead of $450,000 per year for new
equipment and $400,000 per year for additional SG&A
expenses.
Required:
a. Prepare a pro forma financial statement that shows Joon’s financial performance (net income) for the most recent fiscal year assuming that Joon has already acquired Snuffy’s car care products and has incorporated them into Joon’s manufacturing and SG&A processes. In preparing your analysis, make the following assumptions:
i. Snuffy’s products have the same fixed and variable cost structure as Joon’s existing lines (i.e., variable overhead is $3.50 per direct labor hour, and variable SG&A is 20 percent of revenues).
ii. The addition of Snuffy products does not change the demand for Joon’s existing products.
iii. There are no positive or negative externalities in manufacturing from having the additional Snuffy volume in the plant.
iv. There is sufficient excess capacity in the plant and the local labor markets to absorb the additional Snuffy volume without causing labor rates or raw material prices to rise.
b. Based on your financial analysis in part (a), should Joon acquire Snuffy?
c. Evaluate management’s arguments in favor of acquiring Snuffy.
d. What other advice would you offer Joon’s management?

More Related Content

PPT
Vpd Virtual Private Database By Saurabh
DOCX
(Lab Project) (2)Table of ContentsIntroduction.docx
PDF
OER Unit 4 Virtual Private Database
PPTX
OpenWorld Sep14 12c for_developers
PPTX
PLSQL.pptxokokokoo9oooodjdjfjfjfjrjejrjrrjrj
PPTX
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
PPTX
Row Level Security in databases advanced edition
DOCX
1. Create a View that allows students to view their own informatio.docx
Vpd Virtual Private Database By Saurabh
(Lab Project) (2)Table of ContentsIntroduction.docx
OER Unit 4 Virtual Private Database
OpenWorld Sep14 12c for_developers
PLSQL.pptxokokokoo9oooodjdjfjfjfjrjejrjrrjrj
Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle
Row Level Security in databases advanced edition
1. Create a View that allows students to view their own informatio.docx

Similar to 1 Database Security Lab 2 – Virtual Private Database.docx (20)

PPTX
DOODB_LAB.pptx
PDF
Overview of Oracle database12c for developers
PPTX
Row level security in enterprise applications
PPTX
Odtug2011 adf developers make the database work for you
PPTX
Web Developer make the most out of your Database !
PDF
12c for Developers - Feb 2014
PDF
Rdbms class test ii sep 2019
DOCX
Database Security
PPTX
DBA Commands and Concepts That Every Developer Should Know
PDF
Using PostgreSQL for Data Privacy
PPT
Less09 Data
PPTX
A New View of Database Views
PPT
Chap 7
PPTX
Database models and DBMS languages
PPTX
Introducing ms sql_server_updated
PDF
Oracle
PDF
Programming in Oracle with PL/SQL
DOODB_LAB.pptx
Overview of Oracle database12c for developers
Row level security in enterprise applications
Odtug2011 adf developers make the database work for you
Web Developer make the most out of your Database !
12c for Developers - Feb 2014
Rdbms class test ii sep 2019
Database Security
DBA Commands and Concepts That Every Developer Should Know
Using PostgreSQL for Data Privacy
Less09 Data
A New View of Database Views
Chap 7
Database models and DBMS languages
Introducing ms sql_server_updated
Oracle
Programming in Oracle with PL/SQL
Ad

More from jeremylockett77 (20)

DOCX
M3 ch12 discussionConnecting Eligible Immigrant Families to Heal.docx
DOCX
Loudres eats powdered doughnuts for breakfast  and chocolate that sh.docx
DOCX
Lostinnocenceyoucouldexploreachildsoldierwhohasbeen.docx
DOCX
Lori Goler is the head of People at Facebook. Janelle Gal.docx
DOCX
Looking for someone to take these two documents- annotated bibliogra.docx
DOCX
Lorryn Tardy – critique to my persuasive essayFor this assignm.docx
DOCX
M450 Mission Command SystemGeneral forum instructions Answ.docx
DOCX
Lymphedema following breast cancer The importance of surgic.docx
DOCX
Love Beyond Wallshttpswww.lovebeyondwalls.orgProvid.docx
DOCX
Longevity PresentationThe purpose of this assignment is to exami.docx
DOCX
Look again at the CDCs Web page about ADHD.In 150-200 w.docx
DOCX
M8-22 ANALYTICS o TEAMS • ORGANIZATIONS • SKILLS .fÿy.docx
DOCX
Lombosoro theory.In week 4, you learned about the importance.docx
DOCX
Looking over the initial material on the definitions of philosophy i.docx
DOCX
Lucky Iron FishBy Ashley SnookPro.docx
DOCX
Lucky Iron FishBy Ashley SnookMGMT 350Spring 2018ht.docx
DOCX
look for a article that talks about some type of police activity a.docx
DOCX
Look at the Code of Ethics for at least two professional agencies,  .docx
DOCX
Locate an example for 5 of the 12 following types of communica.docx
DOCX
Locate and read the other teams’ group project reports (located .docx
M3 ch12 discussionConnecting Eligible Immigrant Families to Heal.docx
Loudres eats powdered doughnuts for breakfast  and chocolate that sh.docx
Lostinnocenceyoucouldexploreachildsoldierwhohasbeen.docx
Lori Goler is the head of People at Facebook. Janelle Gal.docx
Looking for someone to take these two documents- annotated bibliogra.docx
Lorryn Tardy – critique to my persuasive essayFor this assignm.docx
M450 Mission Command SystemGeneral forum instructions Answ.docx
Lymphedema following breast cancer The importance of surgic.docx
Love Beyond Wallshttpswww.lovebeyondwalls.orgProvid.docx
Longevity PresentationThe purpose of this assignment is to exami.docx
Look again at the CDCs Web page about ADHD.In 150-200 w.docx
M8-22 ANALYTICS o TEAMS • ORGANIZATIONS • SKILLS .fÿy.docx
Lombosoro theory.In week 4, you learned about the importance.docx
Looking over the initial material on the definitions of philosophy i.docx
Lucky Iron FishBy Ashley SnookPro.docx
Lucky Iron FishBy Ashley SnookMGMT 350Spring 2018ht.docx
look for a article that talks about some type of police activity a.docx
Look at the Code of Ethics for at least two professional agencies,  .docx
Locate an example for 5 of the 12 following types of communica.docx
1 Database Security Lab 2 – Virtual Private Database.docx

Database Security
Lab 2 – Virtual Private Databases
2019

Part I: Implementing VPD by Views

This lab shows an example of implementing access control through views and triggers.
Notice: In this lab and the following ones, only the SYS user is the SYSDBA; the DBSEC user is a normal user.
What to submit: Your answers to the questions in steps 5(a), 6, and 7.

1. Create the DBSEC account (using the Database Control Tool).
(a) For the sake of simplicity, set its password as dbsec.
(b) Assign the following system privileges to DBSEC:
CREATE ANY CONTEXT
CREATE PROCEDURE
CREATE SESSION
CREATE SEQUENCE
CREATE TABLE
CREATE TRIGGER
CREATE USER
CREATE VIEW
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE
GRANT ANY ROLE
for USERS.

2. Create a user SCOTT. For the sake of simplicity, set its password as dbsec. Assign the following system privilege to SCOTT:
CREATE SESSION

3. Logon as DBSEC and execute the following commands:
drop table employee;
create table employee (
  empID number(3) primary key,
  Fname varchar2(25),
  Lname varchar2(25),
  Email varchar2(50),
  Tel char(11),
  Hdate Date,
  JobID varchar2(10),
  Salary number(6),
  ManagerID number(3),
  DeptID number(3),
  ctl_upd_user varchar2(25));

drop view employee_view1;
create view employee_view1 as
  select empID, Fname, Lname, Email, Tel, Hdate, JobID, Salary, managerID, deptID, ctl_upd_user user_name
  from employee
  where ctl_upd_user = user;
grant select, insert, delete, update on employee_view1 to scott;
insert into employee_view1 values (100,'Sam','Doe', 'sdoe', '501-1112222', sysdate, 'job1','60000', 199, 1, user);
commit;

4. Logon as SYS, and execute the following commands:
create or replace trigger TRG_EMPLOYEE_VIEW1_BF_INS
instead of insert on dbsec.EMPLOYEE_VIEW1
for each row
begin
  insert into dbsec.EMPLOYEE values
    (:new.empID, :new.Fname, :new.Lname, :new.Email, :new.Tel, :new.Hdate, :new.JobID, :new.Salary, :new.ManagerID, :new.deptID, user);
end;
/

5. Logon as SCOTT and execute the following commands:
insert into dbsec.employee_view1 values (101,'Julia','Rice', 'sdoe', '501-1013333', sysdate, 'job_julia','50000', 299, 1, user);
commit;
select * from dbsec.employee_view1;
(a) Did the above query output only the rows that Scott is allowed to see?

6. Read the code of create or replace trigger TRG_EMPLOYEE_VIEW1_BF_INS (in step 4).
(a) It differs from the create trigger syntax that we discussed in the PL/SQL review. Search the internet for the key words “instead of” and “trigger”, and explain what an INSTEAD OF trigger is mainly used for.
(b) Explain what Oracle does when Scott performs
insert into dbsec.employee_view1 values (101,'Julia','Rice', 'sdoe', '501-1013333', sysdate, 'job_julia','50000', 299, 1, user);
commit;
(c) Create a trigger for update on Employee_view1 and one for delete on Employee_view1, respectively, so that a user cannot update or delete rows created (owned) by other users.

7. Create another user Mary. Logon as Mary, insert a row into employee_view1, and demonstrate (by a query result) that Mary can only see the row(s) that she has inserted.

8. Roll back the changes made by this project.
(a) Log on as SYS, and perform the following commands:
drop trigger TRG_EMPLOYEE_VIEW1_BF_INS;
COMMIT;
(b) Log on as DBSEC and perform the following commands:
drop table employee;
drop view employee_view1;
COMMIT;
Part II: VPD by Application Context

The objective of this lab is to learn how to implement access control using application context.
What to submit: Your answers to the questions in steps 2(b), 3(b), and 4.

1. Create a user HR. For the sake of simplicity, set its password as dbsec. Assign the following system privilege to HR:
CREATE SESSION

2. Logon as SYS and execute the following commands:
DROP TABLE APP_CONTEXT_USERS;
CREATE TABLE APP_CONTEXT_USERS (
  APP_CONTEXT_ATTR VARCHAR2(80),
  APP_CONTEXT_VALUE VARCHAR2(255),
  USER_NAME VARCHAR2(30)
);
INSERT INTO APP_CONTEXT_USERS VALUES('SECURITY_LEVEL','1','SCOTT');
INSERT INTO APP_CONTEXT_USERS VALUES('SECURITY_LEVEL','2','HR');
INSERT INTO APP_CONTEXT_USERS VALUES('SECURITY_LEVEL','3','DBSEC');
DROP TABLE ORDERS;
CREATE TABLE ORDERS (
  ORDER_ID NUMBER,
  ORDER_DATE DATE,
  CUSTOMER_ID NUMBER,
  ORDER_AMOUNT NUMBER,
  CTL_REC_STAT NUMBER
);
INSERT INTO ORDERS VALUES(1, SYSDATE, 200,1203.22,1);
INSERT INTO ORDERS VALUES(2, SYSDATE, 210,5431.23,1);
INSERT INTO ORDERS VALUES(3, SYSDATE, 212,100023.29,2);
INSERT INTO ORDERS VALUES(4, SYSDATE, 210,999210.55,3);
DROP VIEW ORDER_VIEW;
CREATE VIEW ORDER_VIEW AS
  SELECT ORDER_ID, ORDER_DATE, CUSTOMER_ID, ORDER_AMOUNT
  FROM ORDERS
  WHERE CTL_REC_STAT <= TO_NUMBER(SYS_CONTEXT('ORDERS_APP','SECURITY_LEVEL'));
CREATE CONTEXT ORDERS_APP USING SYS.CONTEXT_PKG;
CREATE OR REPLACE PACKAGE CONTEXT_PKG AS
  PROCEDURE SET_APP_CONTEXT(P_LEVEL VARCHAR2);
END;
/
CREATE OR REPLACE PACKAGE BODY CONTEXT_PKG AS
  PROCEDURE SET_APP_CONTEXT(P_LEVEL VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('ORDERS_APP','SECURITY_LEVEL',P_LEVEL);
  END;
END;
/
GRANT EXECUTE ON CONTEXT_PKG TO DBSEC;
CREATE OR REPLACE TRIGGER TRG_DB_LOGON
AFTER LOGON ON DATABASE
DECLARE
  V_LEVEL VARCHAR2(255);
BEGIN
  SELECT APP_CONTEXT_VALUE INTO V_LEVEL
  FROM APP_CONTEXT_USERS
  WHERE USER_NAME=USER;
  CONTEXT_PKG.SET_APP_CONTEXT(V_LEVEL);
END;
/
commit;
(a) Perform the following command:
SELECT SYS_CONTEXT('ORDERS_APP','SECURITY_LEVEL') FROM DUAL;
(b) What is the output of the above command, and why is it so?

3. Logon as HR and select from the view:
SELECT SYS_CONTEXT('ORDERS_APP','SECURITY_LEVEL') FROM DUAL;
SELECT * FROM SYS.ORDER_VIEW;
(a) You will get an error from the above SELECT statement as below:
ERROR at line 1:
ORA-00942: table or view does not exist
(b) What would you do to enable the users DBSEC and HR to view the contents of ORDER_VIEW?

4. Logon as HR and execute the following SQL statement to demonstrate that your solution to 3(b) is working properly.
SELECT * FROM SYS.ORDER_VIEW;

5. Roll back the changes made by this project.
(a) Log on as SYS, and perform the following commands:
DROP TRIGGER TRG_DB_LOGON;
DROP TABLE ORDERS;
DROP VIEW ORDER_VIEW;
DROP CONTEXT ORDERS_APP;
DROP PACKAGE CONTEXT_PKG;
DROP TABLE APP_CONTEXT_USERS;
COMMIT;

Part III: VPD -- Row Owner Security

The objective of this lab is to learn, by example, how to implement access control based on row owner security. The access control policy of this lab requires that a user can only access records he/she owns, which means only records whose CTL_UPD_USER matches the user’s login name can be viewed by the user.
What to submit: Your answers to the questions in steps 4(b), 5(b), and 7 (for graduate students only).

1. Assign the following system privileges to DBSEC:
CREATE ANY CONTEXT
CREATE ANY TRIGGER
CREATE PROCEDURE
CREATE SEQUENCE
CREATE SESSION
CREATE TABLE
CREATE USER
CREATE VIEW
GRANT ANY OBJECT PRIVILEGE
GRANT ANY PRIVILEGE

2. Log on as DBSEC and perform the following statements:
(a) Create a customer table:
DROP TABLE CUSTOMERS;
CREATE TABLE CUSTOMERS (
  SALES_REP_ID NUMBER(4),
  CUSTOMER_ID NUMBER(8),
  CTL_UPD_DTTM DATE,
  CTL_UPD_USER VARCHAR2(30),
  CTL_REC_STAT CHAR(1),
  primary key (sales_rep_id, customer_id)
);
(b) Populate the customer table:
insert into customers values (1000, 90000,NULL, 'VPD_CLERK1','1');
insert into customers values (1000, 90001,NULL, 'VPD_CLERK1','2');
insert into customers values (1000, 90002,NULL, 'VPD_CLERK2','3');
insert into customers values (1000, 90003,NULL, 'VPD_CLERK2','4');
insert into customers values (1000, 90004,NULL, 'VPD_CLERK3','5');
insert into customers values (1001, 90000,NULL, 'VPD_CLERK3','1');
insert into customers values (1001, 90001,NULL, 'VPD_CLERK2','2');
insert into customers values (1001, 90002,NULL, 'VPD_CLERK2','3');
insert into customers values (1001, 90003,NULL, 'VPD_CLERK1','4');
insert into customers values (1001, 90004,NULL, 'VPD_CLERK1','5');
insert into customers values (1002, 90005,NULL, 'VPD_CLERK2','1');
insert into customers values (1003, 90006,NULL, 'VPD_CLERK2','2');
insert into customers values (1004, 90007,NULL, 'VPD_CLERK3','3');
insert into customers values (1005, 90008,NULL, 'VPD_CLERK3','4');
insert into customers values (1006, 90009,NULL, 'VPD_CLERK1','5');
insert into customers values (1007, 90005,NULL, 'VPD_CLERK2','1');
insert into customers values (1008, 90006,NULL, 'VPD_CLERK3','2');
insert into customers values (1009, 90007,NULL, 'VPD_CLERK1','3');
insert into customers values (1010, 90008,NULL, 'VPD_CLERK3','4');
insert into customers values (1011, 90009,NULL, 'VPD_CLERK2','5');
commit;

3. Log in as the SYS user.
(a) Create users VPD_CLERK1, VPD_CLERK2, and VPD_CLERK3:
CREATE USER VPD_CLERK1 IDENTIFIED BY VPD_CLERK1;
GRANT CREATE SESSION TO VPD_CLERK1;
CREATE USER VPD_CLERK2 IDENTIFIED BY VPD_CLERK2;
GRANT CREATE SESSION TO VPD_CLERK2;
CREATE USER VPD_CLERK3 IDENTIFIED BY VPD_CLERK3;
GRANT CREATE SESSION TO VPD_CLERK3;
(b) Grant access rights on the customer table to VPD_CLERK1, VPD_CLERK2, and VPD_CLERK3:
GRANT SELECT, INSERT, DELETE, UPDATE ON DBSEC.CUSTOMERS TO VPD_CLERK1;
GRANT SELECT, INSERT, DELETE, UPDATE ON DBSEC.CUSTOMERS TO VPD_CLERK2;
GRANT SELECT, INSERT, DELETE, UPDATE ON DBSEC.CUSTOMERS TO VPD_CLERK3;
(c) Create a security policy function, which will be used by the DBMS to perform access control:
CREATE OR REPLACE FUNCTION DBSEC_ROW_OWNER_WHERE(
  P_SCHEMA_NAME IN VARCHAR2,
  P_OBJECT_NAME IN VARCHAR2)
RETURN VARCHAR2 AS
  con VARCHAR2 (200);
BEGIN
  con := 'CTL_UPD_USER=USER';
  RETURN (con);
END;
/
(d) Execute the following command (all should be in one line when executing it):
exec dbms_rls.add_policy(object_schema =>'DBSEC',object_name => 'CUSTOMERS',policy_name => 'dbsec_row_onwer_policy', function_schema => 'SYS', policy_function =>'DBSEC_ROW_OWNER_WHERE', enable => true);
COMMIT;

4. Test the implementation.
(a) Logon as VPD_CLERK1. What is the output of the following SQL statement?
SELECT * FROM DBSEC.CUSTOMERS;
(b) Repeat the above steps as VPD_CLERK2 and VPD_CLERK3 respectively and show the result of the SQL statement.

5. Log on as SYS, and perform the following commands (all should be in one line when executing it):
exec dbms_rls.drop_policy(object_schema =>'DBSEC',object_name => 'CUSTOMERS',policy_name => 'dbsec_row_onwer_policy');
COMMIT;
(a) Logon as VPD_CLERK1 and execute the SQL statement:
SELECT * FROM DBSEC.CUSTOMERS;
(b) Is the result of the above SQL statement different from that in Step 4? If yes, why?

6. Roll back the changes made by this project.
(a) Log on as SYS and perform the following statements:
REVOKE SELECT, INSERT, DELETE ON DBSEC.CUSTOMERS FROM VPD_CLERK1, VPD_CLERK2, VPD_CLERK3;
DROP TABLE DBSEC.CUSTOMERS;
DROP FUNCTION DBSEC_ROW_OWNER_WHERE;
COMMIT;

7. (For graduate students) Revise the code of this lab so that the user HR is able to see the rows owned by VPD_CLERK1 and VPD_CLERK3. (Hint: revise the DBSEC_ROW_OWNER_WHERE function.)
(a) Demonstrate that your implementation works properly by the SQL command
SELECT * FROM DBSEC.CUSTOMERS;
(b) Roll back the changes appropriately.
(c) Submit the code of your implementation.

Part IV: VPD -- Row Security Level
The objective of this lab is to learn, by example, how to implement access control based on row security level. The access control policy of the scenario in this lab is as follows (the mapping is the one loaded into DBSEC_CUSTOMERS_APP_CONTEXT in step 1):
VPD_CLERK1 can only access the rows with sales_rep_id=1000.
VPD_CLERK2 can only access the rows with sales_rep_id=1001.
VPD_CLERK3 can only access the rows with sales_rep_id=1002.
What to submit: Your answers to the questions in steps 2(a), 3(a), 4, 5(c), and 5(d).

1. Log on as DBSEC and execute the following statements:
DROP TABLE CUSTOMERS;
CREATE TABLE CUSTOMERS (
  SALES_REP_ID NUMBER(4),
  CUSTOMER_ID NUMBER(8),
  CTL_UPD_DTTM DATE,
  CTL_UPD_USER VARCHAR2(30),
  CTL_REC_STAT CHAR(1),
  primary key (sales_rep_id, customer_id)
);
insert into customers values (1000, 90000,NULL, 'VPD_CLERK1','1');
insert into customers values (1000, 90001,NULL, 'VPD_CLERK1','2');
insert into customers values (1000, 90002,NULL, 'VPD_CLERK2','3');
insert into customers values (1000, 90003,NULL, 'VPD_CLERK2','4');
insert into customers values (1000, 90004,NULL, 'VPD_CLERK3','5');
insert into customers values (1001, 90000,NULL, 'VPD_CLERK3','1');
insert into customers values (1001, 90001,NULL, 'VPD_CLERK2','2');
insert into customers values (1001, 90002,NULL, 'VPD_CLERK2','3');
insert into customers values (1001, 90003,NULL, 'VPD_CLERK1','4');
insert into customers values (1001, 90004,NULL, 'VPD_CLERK1','5');
insert into customers values (1002, 90005,NULL, 'VPD_CLERK2','1');
insert into customers values (1003, 90006,NULL, 'VPD_CLERK2','2');
insert into customers values (1004, 90007,NULL, 'VPD_CLERK3','3');
insert into customers values (1005, 90008,NULL, 'VPD_CLERK3','4');
insert into customers values (1006, 90009,NULL, 'VPD_CLERK1','5');
insert into customers values (1007, 90005,NULL, 'VPD_CLERK2','1');
insert into customers values (1008, 90006,NULL, 'VPD_CLERK3','2');
insert into customers values (1009, 90007,NULL, 'VPD_CLERK1','3');
insert into customers values (1010, 90008,NULL, 'VPD_CLERK3','4');
insert into customers values (1011, 90009,NULL, 'VPD_CLERK2','5');
GRANT SELECT, INSERT, DELETE ON CUSTOMERS TO VPD_CLERK1, VPD_CLERK2, VPD_CLERK3;
DROP TABLE DBSEC_CUSTOMERS_APP_CONTEXT;
CREATE TABLE DBSEC_CUSTOMERS_APP_CONTEXT (
  SALES_REP_ID NUMBER PRIMARY KEY,
  USER_NAME VARCHAR2(30));
GRANT SELECT ON DBSEC_CUSTOMERS_APP_CONTEXT TO VPD_CLERK1, VPD_CLERK2, VPD_CLERK3;
INSERT INTO DBSEC_CUSTOMERS_APP_CONTEXT VALUES (1000, 'VPD_CLERK1');
INSERT INTO DBSEC_CUSTOMERS_APP_CONTEXT VALUES (1001, 'VPD_CLERK2');
INSERT INTO DBSEC_CUSTOMERS_APP_CONTEXT VALUES (1002, 'VPD_CLERK3');
COMMIT;

2. Log on as SYS and execute the following statements:
CREATE OR REPLACE PACKAGE PKG_DBSEC_CUST_SALES_REP AS
  PROCEDURE SET_CONTEXT;
END;
/
CREATE OR REPLACE PACKAGE BODY PKG_DBSEC_CUST_SALES_REP AS
  PROCEDURE SET_CONTEXT IS
    V_SALES_REP_ID NUMBER;
  BEGIN
    SELECT SALES_REP_ID INTO V_SALES_REP_ID
    FROM DBSEC.DBSEC_CUSTOMERS_APP_CONTEXT
    WHERE UPPER(USER_NAME)=USER;
    DBMS_SESSION.SET_CONTEXT('DBSEC_CUSTOMERS_SALESREP','SALES_REPID',V_SALES_REP_ID);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      DBMS_SESSION.SET_CONTEXT('DBSEC_CUSTOMERS_SALESREP','SALES_REPID', 0);
  END;
END;
/
CREATE OR REPLACE CONTEXT DBSEC_CUSTOMERS_SALESREP USING PKG_DBSEC_CUST_SALES_REP;
CREATE OR REPLACE FUNCTION DBSEC_CUST_SALESREP_WHERE(
  P_SCHEMA_NAME IN VARCHAR2,
  P_OBJECT_NAME IN VARCHAR2)
RETURN VARCHAR2 IS
  V_WHERE VARCHAR2(4000);
BEGIN
  if to_number(SYS_CONTEXT('DBSEC_CUSTOMERS_SALESREP','SALES_REPID')) = 0 then
    V_WHERE := '1=1';
  else
    V_WHERE := 'SALES_REP_ID = ' || to_number(SYS_CONTEXT('DBSEC_CUSTOMERS_SALESREP','SALES_REPID'));
  end if;
  RETURN V_WHERE;
END;
/
CREATE OR REPLACE TRIGGER TRG_AFTER_LOGON
AFTER LOGON ON DATABASE
BEGIN
  PKG_DBSEC_CUST_SALES_REP.SET_CONTEXT;
END;
/
/* rem the following command should be executed in one line */
exec dbms_rls.add_policy(object_schema => 'dbsec',object_name => 'customers', policy_name =>'dbsec_cust_salesrep_policy',function_schema => 'dbsec',policy_function =>'dbsec_cust_salesrep_where', enable => true);
COMMIT;
(a) The last command is not working. How would you correct it so that it works?

3. Logon as VPD_CLERK1 and execute the following commands:
select sys_context('USERENV', 'CURRENT_USER') from dual;
select * from dbsec.customers;
(a) Is the result of the last SQL statement correct?

4. Repeat Step 3 as VPD_CLERK2 and VPD_CLERK3 respectively.

5. Log on as DBSEC and perform the following steps:
(a) Execute the statements:
SELECT * FROM CUSTOMERS;
GRANT SELECT, INSERT, DELETE ON CUSTOMERS TO VPD_CLERK1, VPD_CLERK2, VPD_CLERK3;
GRANT SELECT, INSERT, DELETE ON CUSTOMERS TO HR;
(b) Open a SQL Developer connection, logon as HR (created in Lab 2 -- Part II with the password dbsec) and execute the statement:
SELECT * FROM DBSEC.CUSTOMERS;
(c) We found out from 5(b) that the user HR can see all the tuples in CUSTOMERS. This might not be appropriate in practice. Assume the security policy states that only DBSEC can view all the tuples of the CUSTOMERS table; no other user can do so even if DBSEC grants the SELECT, UPDATE, DELETE on CUSTOMERS privileges to them. How would you revise the code of this lab to implement this policy accordingly? (Hint: you need to revise DBSEC_CUST_SALESREP_WHERE of step 2.)
(d) Run the SQL statement in 5(b) as HR and demonstrate that your revised code works properly (that is, HR cannot see any tuples at all).

6. Roll back the changes made by this project.
(a) Log on as SYS, and perform the following commands (the first command should be executed in one line):
exec dbms_rls.drop_policy(object_schema => 'dbsec', object_name => 'customers', policy_name =>'dbsec_cust_salesrep_policy');
DROP PACKAGE PKG_DBSEC_CUST_SALES_REP;
DROP CONTEXT DBSEC_CUSTOMERS_SALESREP;
DROP FUNCTION DBSEC_CUST_SALESREP_WHERE;
DROP TRIGGER TRG_AFTER_LOGON;
COMMIT;
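The context, logon-trigger and policy-function pattern used in Parts II to IV, written out as an added example that is not part of the lab handout: it reuses the lab's DBSEC.CUSTOMERS and DBSEC.DBSEC_CUSTOMERS_APP_CONTEXT tables from Part IV step 1, and every object it creates carries a hypothetical name suffixed _DEMO. Compared with the lab's code it catches errors inside the logon trigger, fails closed for users without a mapping, and turns on update_check so the predicate also governs the rows a clerk inserts or updates.

```sql
-- Added example, not part of the lab handout. Objects suffixed _DEMO are
-- hypothetical names; run as SYS after Part IV step 1 has created
-- DBSEC.CUSTOMERS and DBSEC.DBSEC_CUSTOMERS_APP_CONTEXT.

-- 1. Trusted package that owns the context. Because the context is bound
--    to this package, a session cannot call DBMS_SESSION.SET_CONTEXT
--    directly to give itself a different SALES_REPID.
CREATE OR REPLACE PACKAGE PKG_SALESREP_DEMO AS
  PROCEDURE SET_CONTEXT;
END;
/
CREATE OR REPLACE PACKAGE BODY PKG_SALESREP_DEMO AS
  PROCEDURE SET_CONTEXT IS
    V_SALES_REP_ID NUMBER;
  BEGIN
    SELECT SALES_REP_ID INTO V_SALES_REP_ID
      FROM DBSEC.DBSEC_CUSTOMERS_APP_CONTEXT
     WHERE UPPER(USER_NAME) = USER;
    DBMS_SESSION.SET_CONTEXT('SALESREP_DEMO', 'SALES_REPID', V_SALES_REP_ID);
  EXCEPTION
    -- Users with no mapping get -1, which the policy below turns into
    -- "no rows". Part IV stores 0 here and maps it to '1=1' (all rows).
    WHEN NO_DATA_FOUND THEN
      DBMS_SESSION.SET_CONTEXT('SALESREP_DEMO', 'SALES_REPID', -1);
  END;
END;
/
CREATE OR REPLACE CONTEXT SALESREP_DEMO USING PKG_SALESREP_DEMO;

-- 2. Logon trigger. An unhandled error in an AFTER LOGON trigger stops
--    non-DBA users from logging in at all, so any other failure is caught;
--    the context then stays NULL and the policy denies access (fail closed).
CREATE OR REPLACE TRIGGER TRG_LOGON_DEMO
AFTER LOGON ON DATABASE
BEGIN
  PKG_SALESREP_DEMO.SET_CONTEXT;
EXCEPTION
  WHEN OTHERS THEN NULL;
END;
/

-- 3. Policy function. The predicate is assembled from a NUMBER read from
--    the context, never from user-supplied text, so nothing can be injected
--    into the WHERE clause Oracle appends to each statement.
CREATE OR REPLACE FUNCTION SALESREP_WHERE_DEMO(
    P_SCHEMA_NAME IN VARCHAR2, P_OBJECT_NAME IN VARCHAR2)
RETURN VARCHAR2 IS
  V_REP NUMBER := TO_NUMBER(SYS_CONTEXT('SALESREP_DEMO', 'SALES_REPID'));
BEGIN
  IF V_REP IS NULL OR V_REP < 0 THEN
    RETURN '1=0';                        -- unmapped or unset: see nothing
  END IF;
  RETURN 'SALES_REP_ID = ' || TO_CHAR(V_REP);
END;
/

-- 4. Attach the policy. function_schema must be the schema that actually
--    owns the function (SYS here). update_check => TRUE makes Oracle test
--    the rows produced by INSERT and UPDATE against the same predicate, so
--    a clerk cannot insert a row carrying another rep's SALES_REP_ID; the
--    lab's add_policy calls leave it at the default FALSE.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'DBSEC',
    object_name     => 'CUSTOMERS',
    policy_name     => 'SALESREP_DEMO_POLICY',
    function_schema => 'SYS',
    policy_function => 'SALESREP_WHERE_DEMO',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE,
    enable          => TRUE);
END;
/

-- 5. Verify what is installed: PF_OWNER/FUNCTION name the policy function,
--    SEL/INS/UPD/DEL show the covered statements, CHK_OPTION = YES confirms
--    update_check. Connected as VPD_CLERK1 (mapped to 1000),
--    SELECT * FROM DBSEC.CUSTOMERS then returns only SALES_REP_ID = 1000 rows.
SELECT POLICY_NAME, PF_OWNER, FUNCTION, SEL, INS, UPD, DEL, CHK_OPTION
  FROM DBA_POLICIES
 WHERE OBJECT_OWNER = 'DBSEC' AND OBJECT_NAME = 'CUSTOMERS';
```

To undo it, drop the policy first with DBMS_RLS.DROP_POLICY('DBSEC', 'CUSTOMERS', 'SALESREP_DEMO_POLICY') and then drop the trigger, context, function and package, in the same order the lab's own step 6 uses.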
(b) Log on as DBSEC, and perform the following commands:
REVOKE SELECT, INSERT, DELETE ON CUSTOMERS FROM VPD_CLERK1, VPD_CLERK2, VPD_CLERK3, HR;
DROP TABLE CUSTOMERS;
DROP TABLE DBSEC_CUSTOMERS_APP_CONTEXT;
COMMIT;

Case Study: Portable Phones Inc.

Portable Phones Inc. manufactures and sells wireless telephones for residential and commercial use. Portable Phones’ plant is organized by product line, with five phone assembly departments in total. Each of these five phone assembly departments is responsible for the complete production of a particular phone line, including manufacturing some parts, purchasing other parts, and assembling the unit. Each of the five phone assembly department managers reports to a product-line manager who has profit responsibility for his/her product. These five product-line managers have authority over pricing, marketing, distribution, and production of their product. Each of the five phone assembly departments is a cost center within its respective product-line profit center.

A key component of each phone is the circuit board(s) containing the integrated circuit chips. Each phone assembly department purchases from outside vendors the basic boards and chips to be attached to its board(s). The board department of the plant receives the boards and chips in kits from each phone assembly department and assembles them into completed boards ready for assembly into the phones. The board department (with a cost structure that is 80 percent fixed and 20 percent variable) uses a single highly automated assembly line of robotic insertion machines to precisely position each chip on the board and soldering machines to solder the chips onto the board. The board department is a common resource for the plant; all five of the phone assembly departments use the board department to assemble some or all of their boards. Since the board department has a single assembly line, it can only assemble boards for one type of phone at a time. The assembly departments have authority to seek the most competitive supplier for all their parts and services, including circuit board assembly.

The board department’s assembly schedule is determined at the beginning of each month. The five assembly departments request a time during the month when they plan delivery of particular kits to the board department and specify the number of boards to be assembled. The manager of the board department then takes these requests and tries to satisfy the assembly departments’ requests. However, the board department manager finds that she has a peak load problem; the assembly departments tend to want their boards assembled at the same time. The only way to satisfy these requests is to work overtime shifts during these peak periods even though the board department has excess capacity at other times of the month.

The total monthly costs of the board department (equipment depreciation, maintenance, direct labor, supervision, and engineering support) are assigned to the phone assembly departments based on an hourly rate. The board department’s total monthly costs are divided by the number of hours of capacity in the month (e.g., if a particular month has 22 working days, this is equivalent to 352 hours or 22 days × 2 shifts × 8 hours per shift) to arrive at a charge per hour. To give the phone assembly departments incentives to have their kits (boards and chips) delivered to the board department in a timely manner, the phone assembly department is charged for the time from when the last job (a batch of boards assembled for a phone assembly department) was finished by the board department until the time when the next job is finished. For example, suppose phone assembly department A’s phones were finished at 9:00 a.m. and that department B delivered its kits at 1:00 p.m. and they were completed at 7:00 p.m. the same day. Department B would be charged for 10 hours of the board department’s costs even though the board department was idle for 4 of the 10 hours.

When first installed, the board department was expected to be operating at full capacity, two shifts per day, six days per week. But due to increased competition and outsourcing of some models, the board department is now operating at about 70 percent of the initial planned capacity.

Required:
a. If you manage a phone assembly department, when during the month would you tend to request that your phone circuit boards be assembled by the board department (everything else being held constant)? Explain why.
b. Identify various dysfunctional behaviors likely to occur among the phone assembly departments and the board department.
c. What management changes would you suggest? In particular, what changes would you make in the accounting system? Explain why each change should be made.

Case Study: Joon

Joon manufactures and sells to retailers a variety of home care and personal care products. Joon has a single plant that produces all four of its product lines: Stick Goods (brooms and mops), Floor Care (strippers, soaps, and waxes), Brushes (hair brushes and shoe brushes), and Aerosols (room deodorizers, bug spray, furniture wax). The following statement summarizes Joon’s financial performance for the most recent fiscal year.

Direct labor costs $21 per hour. Fixed manufacturing overhead of $4.433 million is allocated to products based on direct labor hours. Last year, the fixed manufacturing overhead rate was $31 per direct labor hour ($4.433 million/143,000 direct labor hours). Variable manufacturing overhead is $3.50 per direct labor hour. Selling, general, and administrative (SG&A) expenses consist of fixed costs ($1.35 million) and variable costs ($2,951 million). The variable SG&A is 20 percent of revenues. The Joon plant has considerable excess capacity.

Senior management has identified a potential acquisition target, Snuffy, that sells a line of automotive products (car waxes, soaps, brushes, and so forth) that are complementary to Joon’s existing products and that can be manufactured in Joon’s plant. Snuffy does not have any manufacturing facilities, but rather outsources the production of its products to contract manufacturers. Snuffy can be purchased for $38 million. The following table summarizes Snuffy’s current operating data:

Senior management argues that the reason Joon is currently losing money is that volumes have fallen in the plant and that the remaining products are having to carry an increasingly larger share of the overhead. This has caused some Joon product managers to raise prices. Senior managers realize that they must drive more volume into the plant if Joon is to return to profitability. Since organic growth (i.e., growth from existing products) is difficult due to a very competitive marketplace, management proposes to the board of directors the purchase of Snuffy as a way to drive additional volume into the plant. With volume of 60,000 cases and 1.9 direct labor hours per case, Snuffy’s car care product line will add 114,000 direct labor hours to the plant and increase volume about 80 percent (114,000/143,000). This additional volume will significantly reduce the overhead the existing products must absorb and allow the product managers to lower prices. To incorporate Snuffy’s manufacturing and distribution into Joon’s current operations, Joon will have to incur additional fixed manufacturing overhead of $450,000 per year for new equipment and $400,000 per year for additional SG&A expenses.

Required:
a. Prepare a pro forma financial statement that shows Joon’s financial performance (net income) for the most recent fiscal year assuming that Joon has already acquired Snuffy’s car care products and has incorporated them into Joon’s manufacturing and SG&A processes. In preparing your analysis, make the following assumptions:
i. Snuffy’s products have the same fixed and variable cost structure as Joon’s existing lines (i.e., variable overhead is $3.50 per direct labor hour, and variable SG&A is 20 percent of revenues).
ii. The addition of Snuffy products does not change the demand for Joon’s existing products.
iii. There are no positive or negative externalities in manufacturing from having the additional Snuffy volume in the plant.
iv. There is sufficient excess capacity in the plant and the local labor markets to absorb the additional Snuffy volume without causing labor rates or raw material prices to rise.
b. Based on your financial analysis in part (a), should Joon acquire Snuffy?
c. Evaluate management’s arguments in favor of acquiring Snuffy.
d. What other advice would you offer Joon’s management?