Skip to Main Content
  • Questions

  • FGA Auditing - How to avoid false positives when FGA is on a table column and that column is in a view and other view columns are selected?

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Bob.

Asked: October 26, 2017 - 4:16 pm UTC

Last updated: October 27, 2017 - 2:35 pm UTC

Version: 11.2.0.4

Viewed 1000+ times

You Asked

I'm new to FGA auditing and have created an FGA policy for SELECT on table T column SSN. This works well. Any user that specifically selects column T.SSN, generates a row in my audit table. (I'm using DB 11.2.0.4)

select T.SSN from T; -- generates an audit row
select * from T; -- generates and audit row

Then I have created a view V with 2 table columns. One of the table columns is T.SSN, the other is T.DOB.
So my view only has two columns, V.SSN and V.DOB

So now if I query view V:
select V.SSN from V; -- generates an audit row as expected
select * from V; -- generates an audit row as expected

now the false positive!!
select V.DOB from V; -- generates an audit row. Very Unexpected. The user actually never selected the SSN column but because the user was querying through a view which happens to contain the SSN, FGA audits the select.

Is there a way to prevent this false positive while still keeping the SSN column in the view?

Has anyone ever run into this before?


Thanks in advance for any advice you could offer.
Bob


and Connor said...

This is documented in MOS note 2233726.1. A view is merely stored text, so conceptually your query:

select dob from V

could be internally represented as:

select dob from
( select ssn, dob from T );

and hence you are "referencing" the ssn.


The workaround is to put FGA policies on the views, not the tables. Thus

Current
=======
Table T with audit policy
View V as select 2 cols from T

Proposed
========
Table T (rename to HIDDEN_T)
View T as select * from HIDDEN_T, FGA policy on this
View V as select 2 cols from HIDDEN_T, FGA policy on this

Rating

  (1 rating)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Great Response. Thank you very much!

Bob Vignes, October 27, 2017 - 2:19 pm UTC

Hi Connor,
Thank you very much. You answered my question quickly and exactly. I googled for quite some time before posting here on "Ask TOM". Huge help!


Thanks.
Bob
Connor McDonald
October 27, 2017 - 2:35 pm UTC

glad we could help
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Security

All of the vital components for a secure database are covered in the Security guide.