Database Query Restriction
A user can connect to or access different objects in the database. This entitles that different users having different level of privileges can access different regions in the database. Thus, there is a need for a security policy that establishes methods for protecting your database from accidental or malicious destruction of data or damage to the database infrastructure.
This chapter will consists of the following:
- Before You begin
- Supported Access Types For Database to enable
- Create A server access policy
- Define Privileged Queries
- Edit a policy
- Edit a command from library
- Delete a policy
- Delete a Command from Library
Before you begin
- The User Group you wish to allow/deny access already exists.
Supported Access Types for Database to enable
- SQL Data Browser
- MySQL Data Browser
- Oracle Data Browser
Creating a server access policy
- Login to Sectona and select PAM from the product navigator.
- Navigate to Policies in the top navigation bar.
- Select Server Access Policy from the sidebar.
- Click on the Database section.
- Click on + Add Policy. A form will appear having 4 sections. Fill the essentials step by step.
- Policy Details: You need to enter the details of the policy that you require. Click on Next
- Policy Name: Provide the name of the policy you want to create.
- Description: Enter a short description about the policy.
- Policy Type: Select whether you want to allow or deny permissions.
- Expiry: Set the expiry date of the policy.
- User Groups: In the Enforced to User Group(s), tick the user groups on which the sever access policy will be applied. In the Exception User(s), mention the users that will be exempted from the server access policy. Click on Next
- Parameters: You can select the queries which you want to allow or restrict according to the policy. The Confirm option will allow you to ask the user who has hit the query saying whether he/she wants to execute the command. The Elevate option will allow the user to elevate the query. Click on Next
The Allow permission allows only the selected queries and restricts the rest of the queries. The Deny permission denies all the selected queries and allows the rest of the queries.We can select both the options i.e. confirm and elevate in front of the query to apply. The Confirm and Elevate options will appear only if the Policy Type is set as 'Allow' in the Policy details. You can select either from Confirm and Elevate options, both of them or none of them.
- Summary: This the summary of the configuration made. Click on Finish
Defining privileged queries
The main functionality of the Query repository is to provide the user with the inbuilt restricted or allowed queries to function for them. By default, there consist a list of general queries that are already stored in the query repository. But, if the user wants to add a new query into the repository, he/she needs to follow the steps below
- Login to Sectona and select PAM from the product navigator.
- Navigate to Policies in the navigation bar.
- Select the Server Access Policy from the sidebar.
- Click on the Database section.
- Click on Query Repository.
- Click on +Add Query.
- A page will appear. Fill in the essentials for your new command to be created.
- Risk category: This consists of various risk categories mentioned below. Choose the category according to the nature of the command
- Unusual user activity: If the user is performing some unusual activity in the system.
- User activity: If a certain user activity is bringing about a risk.
- Unusual account activity: If the activities of an account in the system are unusual.
- Data theft and ex-filtration: Accessing unauthorized data and retrieving it from a system or server.
- Privilege account abuse: When the privileged user ignores the policies or may be some malicious activity is taking place by access to unauthorized user.
- Accountability risk: Someone who might be responsible for stealing the data from the system or server.
- Identity theft: Someone who might pretend to be someone else in order to get the access.
- General: Some misbehavior of the activities due to user performing it wrongly.
- Leapfrogging: Adapting to the user and system activities directly in order to have secure access of the data.
- Command: Specify the command
- Command description: Describe the command description
- Asset command type: The command type may vary from the choice you make.
- Administrative
- Backup
- Configuration
- Remote access
- Status: You can toggle the status in order to activate and deactivate the query.
- Risk category: This consists of various risk categories mentioned below. Choose the category according to the nature of the command
- Click on Save.
Editing a policy
- Login to Sectona and select PAM from the product navigator.
- Navigate to Policies in the navigation bar.
- Select Server Access Policy from the sidebar.
- Click on the Database tab.
- As the new page open you will find the list of existing server access policies.
- Click on to the edit button next to the policy name and the form will appear in front of you where you can make necessary changes.
- Click on Finish.
Editing a command from library
- Login to Sectona and select PAM from the product navigator.
- Navigate to Policies option in the navigation bar.
- Select Server Access Policy from the sidebar.
- Click on the Database tab.
- Click on the Query Repository and the list of existing commands created will be displayed.
- Click on the edit button of any of the commands which you want to modify and make the necessary changes.
- Click on Update.
Deleting a policy
- Login to Sectona and select PAM from the product navigator.
- Navigate to Policies in the navigation bar.
- Select Server Access Policy from the sidebar.
- Click on the Database tab.
- As the new page open you will find the list of existing server access policies.
- Click on the edit button and then click on the delete button.
Deleting a command from library
- Login to Sectona and select PAM from the product navigator.
- Navigate to Policies in the navigation bar.
- Select Server Access Policy from the sidebar.
- Click on the Database tab.
- Click on Query Repository and the list of existing commands created will be in front of you.
- Click on the edit button next to the policy you would like to delete.
- Click on Delete .
If there are any changes made in the policy when a session is started, one needs to restart the session again to implement those changes.