User Impersonation
This section describes how to impersonate a user in the Oracle database protector. The user impersonation feature enables you to perform operations and access resources on behalf of another user. Service users leverage this feature to impersonate individual users. However, to supply user context to execute a query, upper applications provide the CLIENT_IDENTIFIER. Set the impersonation parameter to YES in the config.ini file, to use the CLIENT_IDENTIFIER parameter of the inbuilt USERENV application context SYS_CONTEXT provided by the Oracle database.
To impersonate a user:
Log in to the node where the Oracle database is installed.
Navigate to the
/opt/protegrity/databaseprotector/oracle/data/directory.To open the
config.inifile, run the following command:vi config.iniPress ENTER.
The command opens the
config.inifile.############################################################################### # Protector configuration ############################################################################### [protector] # Cadence determines how often the protector connects with ESA / proxy to fetch the policy updates in background. # Default is 60 seconds. So by default, every 60 seconds protector tries to fetch the policy updates. # If the cadence is set to "0", then the protector will get the policy only once. # # Default 60. cadence = 60 ############################################################################### # Log Provider Config ############################################################################### [log] # In case that connection to fluent-bit is lost, set how audits/logs are handled # # drop : (default) Protector throws logs away if connection to the fluentbit is lost # error : Protector returns error without protecting/unprotecting # data if connection to the fluentbit is lost mode = drop # Host/IP to fluent-bit where audits/logs will be forwarded from the protector # # Default localhost host = localhostTo include the impersonation parameter and set the value to
YES, add the following code:[userimpersonation] impersonation = yes/no or YES/NOThe default value of the impersonation parameter is set to
NOorno.Assign 644 permissions to the
config.inifile. This is required only tf the ownership of theconfig.inifile is not set to theoracleuser and theoinstallgroup.Connect to the database session using the service account. For example,
USER1.To set the
CLIENT_IDENTIFIER, execute the following query:EXEC DBMS_SESSION.SET_IDENTIFIER ('USER2');Press ENTER. The query returns the name of the user for whom you set the
CLIENT_IDENTIFIERparameter.USER2To verify the value that is set for the
CLIENT_IDENTIFIERparameter, execute the following query:SQL> select sys_context('USERENV','CLIENT_IDENTIFIER') from dual; SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER')Press ENTER. The query returns the name of the user for whom you set the
CLIENT_IDENTIFIERparameter.USER2Warning: When you set the value of the
impersonationparameter toyes/YES, then set a value for the theCLIENT_IDENTIFIERparameter. The protect/unprotect UDFs will run only after the value for theCLIENT_IDENTIFIERparameter is set. If you set the value of theimpersonationparameter toyes/YES, and fail to set the value for theCLIENT_IDENTIFIERparameter, then the PTY.WHOAMI() UDF will return the username as <no_user>. This will cause the protect/unprotect operations to fail with theFailed to retrieve usererror message.To verify the user who is logged into the database session, execute the following query:
select pty.whoami() from dual;Press ENTER. The query returns the name of the user that is logged into the current database session.
USER2To clear the value set for the
CLIENT_IDENTIFIERparameter, execute the following query:EXEC DBMS_SESSION.CLEAR_IDENTIFIER;
Feedback
Was this page helpful?