Merge pull request #1448 from oracle-devrel/oag-dbat-integration

oheimburger · web-flow · commit 894e3ac7ce1b · 2025-02-25T14:11:57.000+01:00
OAG DBAT integration asset
diff --git a/security/identity-and-access-management/oracle-access-governance/README.md b/security/identity-and-access-management/oracle-access-governance/README.md
@@ -2,7 +2,7 @@
 
 Access Governance is a cloud native identity governance and administration (IGA) service that provides enterprisewide visibility to govern access to cloud and on-premises environments. With an intuitive user experience, dynamic access control, and a prescriptive analytics-driven access review process, it helps customers automate access provisioning, get insights into access permission and cloud infrastructure policy reviews, identify anomalies, and remediate security risks.
 
-Reviewed: 28.10.2024
+Reviewed: 10.02.2025
 
 # Useful Links
 
@@ -23,11 +23,17 @@ Reviewed: 28.10.2024
 ## OAG Training & Live Labs
 
 - [Cloud Coaching - Oracle Access Governance - Identity Governance and Access Reviews (Video)](https://www.youtube.com/watch?v=9reHN697x6g)
-- [Demo & Labs](https://luna.oracle.com/lab/6345863c-42c4-4f17-96fc-130278ac4b1f/steps) 
+- [Demo & Labs](https://luna.oracle.com/lab/6345863c-42c4-4f17-96fc-130278ac4b1f/steps)
+
+# Reusable Assets Overview
+
+**Note:** The below assets are provided for reference purposes only and for use in demos/PoC activities where required.
+
+- [DBAT OS Account Sample integration for OAG](dbat-os-accounts-sample/README.md)
 
 # License
 
-Copyright (c) 2024 Oracle and/or its affiliates.
+Copyright (c) 2025 Oracle and/or its affiliates.
 
 Licensed under the Universal Permissive License (UPL), Version 1.0.
 
diff --git a/security/identity-and-access-management/oracle-access-governance/dbat-os-accounts-sample/LICENSE b/security/identity-and-access-management/oracle-access-governance/dbat-os-accounts-sample/LICENSE
@@ -0,0 +1,35 @@
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/security/identity-and-access-management/oracle-access-governance/dbat-os-accounts-sample/README.md b/security/identity-and-access-management/oracle-access-governance/dbat-os-accounts-sample/README.md
@@ -0,0 +1,108 @@
+# DBAT OS Accounts Sample
+
+This asset contains the code and deployment steps required to integrate an Oracle Access Governance system with an Oracle Database for the purposes of trusted/target recon which simulates the granting of OS level access to POSIX hosts.
+
+At the time of writing, this capability is not offered natively in OAG.
+
+The described integration and data can be used for all supported user/account lifecycle operations in OAG, including use in access certification. Note that this simulates a connected system, therefore changes to OS level user access will be reflected in the targeted database tables.
+
+Review Date: 10.02.2025
+
+# When to use this asset?
+
+Whenever a system that needs to be integrated with OAG does not have a natively supported connector, but can be easily modeled as data stored inside of database tables.
+
+# How to use this asset?
+
+## Pre-requisites and dependencies
+
+The following components are required and assumed to already be available in this guide:
+- A Premium license Oracle Access Governance instance.
+- An Oracle Database installation or Oracle Autonomous Database instance (for supported database types and versions, please consult [the OAG integration documentation](https://docs.oracle.com/en/cloud/paas/access-governance/tatoi/index.html#GUID-8C827C87-8D8F-4FCB-9895-F370F25FEB00)).
+- A podman/docker installation for the OAG DBAT agent deployment. This installation can be performed on the same host as the Oracle Database, if preferred. Note that otherwise this system must have network access to the above Oracle Database deployment, for a direct DB connection.
+
+## Deployment steps
+
+Please ensure the requirements listed above have been satisfied.
+
+**Once a database installation/instance is available** follow the below steps to deploy the provided sample SQL schema:
+
+1. Connect to the database as dba (with sysdba role) and create a schema user for the purposes of the integration, by running:
+
+```
+CREATE USER OAG IDENTIFIED BY <your_secure_password>
+DEFAULT TABLESPACE oagts
+TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON oagts;
+
+GRANT SELECT on dba_role_privs TO OAG;
+GRANT SELECT on dba_sys_privs TO OAG;
+GRANT SELECT on dba_ts_quotas TO OAG;
+GRANT SELECT on dba_tablespaces TO OAG;
+GRANT SELECT on dba_users TO OAG;
+GRANT CREATE USER TO OAG;
+GRANT ALTER ANY TABLE TO OAG;
+GRANT GRANT ANY PRIVILEGE TO OAG;
+GRANT GRANT ANY ROLE TO OAG;
+GRANT DROP USER TO OAG;
+GRANT SELECT on dba_roles TO OAG;
+GRANT SELECT ON dba_profiles TO OAG;
+GRANT ALTER USER TO OAG;
+GRANT CREATE ANY TABLE TO OAG;
+GRANT DROP ANY TABLE TO OAG;
+GRANT CREATE ANY PROCEDURE TO OAG;
+GRANT DROP ANY PROCEDURE TO OAG;
+```
+
+2. Connect to the database as the newly create OAG user (using the password you've set with the above command), and execute the `OS_Account.sql` file. This will create all the quired table schema and populate it with sample data.
+
+**In order to achieve the DBAT integration in Oracle Access Governance**, follow the below steps to create a new orchestrated system:
+
+**Note:** The Connect URL format provided below is meant for pluggable databases using DB service names. Please adjust it as needed. All types of jdbc URL formats are supported, including basic SID-based URLs such as: `jdbc:oracle:thin:@hostname:port:SID`.
+
+1. Go to **Service Administration -> Manage orchestrated systems**.
+2. Click on **+ Add an Orchestrated system**.
+3. In the **Select System** step, pick `Database Application Table (Oracle DB)`, and click on Next.
+4. In the **Enter Details** step, enter the details provided below. Optionally untick `This is the authoritative source for my identities.` should you want to create the identities through other means, otherwise, for the purposes of this example, the identities will be imported using data from the **OS_ACCOUNT** table. Click on Next.
+
+```
+What do you want to call this system?: OS Account
+How do you want to describe this system: OS level user account
+```
+
+5. Click on Confirm if you are using both authoritative and manager permission integration modes.
+6. In the **Add Owners** step, use the default values and click on Next.
+7. In the **Account Settings** step, use the default values and click on Next.
+8. In the **Integration** step, enter the following details, adjusted to your particular deployment settings. Leave the rest of the fields on their default values, and click on Add.
+
+```
+Easy Connect URL for Oracle Database: jdbc:oracle:thin:@//hostname:port/dbservicename
+User Name: OAG
+Password: <your_secure_password>
+Confirm password: <your_secure_password>
+User account table name: OS_ACCOUNT
+Permissions tables: OS_HOST
+Account permission tables: OS_ACCOUNT_HOST
+Lookup tables: OS_COUNTRY
+Key column mappings: OS_ACCOUNT:USERID,OS_HOST:HOSTID,OS_COUNTRY:COUNTRYCODE
+Name column mappings: OS_ACCOUNT:USERNAME,OS_HOST:HOSTNAME,OS_COUNTRY:COUNTRYNAME
+User account table password column mapping: OS_ACCOUNT:PASSWORD
+User account table status column mapping: OS_ACCOUNT:STATUS
+```
+
+9. On the **Finish up** step, first click on the `Download` link and save the agent package, then select `Activate and prepare the data load with the provided defaults` and click on I'm done.
+10. Use the downloaded `OS_Account.zip` archive to deploy the OAG agent as per the steps covered in [this guide](https://docs.oracle.com/en/cloud/paas/access-governance/lllho/index.html#GUID-67A8B48F-9358-4B95-A36C-5871E3726FAB). Once the agent is deployed and started, it will automatically validate the configurations and import the data into OAG, and you can start using the integration.
+
+Please also see the useful link below for more detailed deployment steps.
+
+# Useful Links
+
+[Identity Orchestration: Unifying Diverse Systems for Seamless Identity Governance and Management](https://docs.oracle.com/en/cloud/paas/access-governance/seihs/#articletitle)
+[Integrate with Database Application Tables (Oracle)](https://docs.oracle.com/en/cloud/paas/access-governance/bdato/#articletitle)
+
+# License
+
+Copyright (c) 2025 Oracle and/or its affiliates.
+
+Licensed under the Universal Permissive License (UPL), Version 1.0.
+
+See [LICENSE](https://github.com/oracle-devrel/technology-engineering/blob/main/LICENSE) for more details.
diff --git a/security/identity-and-access-management/oracle-access-governance/dbat-os-accounts-sample/files/OS_Account.sql b/security/identity-and-access-management/oracle-access-governance/dbat-os-accounts-sample/files/OS_Account.sql
@@ -0,0 +1,122 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Oracle and/or its affiliates. All rights reserved. DO NOT
+ * ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * The Universal Permissive License (UPL), Version 1.0
+ *
+ * Subject to the condition set forth below, permission is hereby granted to any
+ * person obtaining a copy of this software, associated documentation and/or
+ * data (collectively the "Software"), free of charge and under any and all
+ * copyright rights in the Software, and any and all patent rights owned or
+ * freely licensable by each licensor hereunder covering either (i) the
+ * unmodified Software as contributed to or provided by such licensor, or (ii)
+ * the Larger Works (as defined below), to deal in both
+ *
+ * (a) the Software, and
+ *
+ * (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+ * one is included with the Software each a "Larger Work" to which the Software
+ * is contributed by such licensors),
+ *
+ * without restriction, including without limitation the rights to copy, create
+ * derivative works of, display, perform, and distribute the Software and make,
+ * use, sell, offer for sale, import, export, have made, and have sold the
+ * Software and the Larger Work(s), and to sublicense the foregoing rights on
+ * either these or other terms.
+ *
+ * This license is subject to the following condition:
+ *
+ * The above copyright notice and either this complete permission notice or at a
+ * minimum a reference to the UPL must be included in all copies or substantial
+ * portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ *******************************************************************************/
+
+CREATE TABLE OS_COUNTRY
+  (COUNTRYCODE VARCHAR2(32 BYTE) NOT NULL ENABLE,
+   COUNTRYNAME VARCHAR2(255 BYTE) NOT NULL ENABLE,
+   CONSTRAINT OSCOUNTRY_PK PRIMARY KEY (COUNTRYCODE));
+
+CREATE TABLE OS_ACCOUNT
+  (USERID VARCHAR2(255 BYTE) NOT NULL ENABLE,
+   USERNAME VARCHAR2(255 BYTE) NOT NULL ENABLE,
+   FIRSTNAME VARCHAR2(255 BYTE),
+   LASTNAME VARCHAR2(255 BYTE),
+   PASSWORD VARCHAR2(255 BYTE),
+   EMAIL VARCHAR2(255 BYTE) NOT NULL ENABLE,
+   PROVISIONDATE DATE,
+   STATUS VARCHAR2(32 BYTE),
+   COUNTRYCODE VARCHAR2(32 BYTE),
+   CONSTRAINT OSACCOUNT_PK PRIMARY KEY (USERID),
+   CONSTRAINT OSCOUNTRY_FK FOREIGN KEY(COUNTRYCODE) REFERENCES OS_COUNTRY(COUNTRYCODE) ON DELETE CASCADE);
+
+CREATE TABLE OS_HOST
+  (HOSTID VARCHAR2(255 BYTE) NOT NULL ENABLE,
+   HOSTNAME VARCHAR2(255 BYTE) NOT NULL ENABLE,
+   CONSTRAINT OSHOSTS_PK PRIMARY KEY (HOSTID));
+
+CREATE TABLE OS_ACCOUNT_HOST
+  (USERID VARCHAR2(255 BYTE) NOT NULL ENABLE,
+   HOSTID VARCHAR2(255 BYTE) NOT NULL ENABLE,
+   CONSTRAINT OSACCOUNTHOST_PK PRIMARY KEY (USERID, HOSTID),
+   CONSTRAINT OSACCOUNT_FK FOREIGN KEY(USERID) REFERENCES OS_ACCOUNT(USERID) ON DELETE CASCADE,
+   CONSTRAINT OSHOST_FK FOREIGN KEY(HOSTID) REFERENCES OS_HOST(HOSTID) ON DELETE CASCADE);
+
+/* NOTE: Below entries are provided as sample/reference only.
+         Included names and dates are randomly generated and used fictitiously.
+         Any resemblance to locales or persons, living or dead, is entirely coincidental. */
+
+INSERT INTO OS_COUNTRY (COUNTRYCODE,COUNTRYNAME) values ('DE', 'Germany');
+INSERT INTO OS_COUNTRY (COUNTRYCODE,COUNTRYNAME) values ('AT', 'Austria');
+INSERT INTO OS_COUNTRY (COUNTRYCODE,COUNTRYNAME) values ('CH', 'Switzerland');
+
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('BFRANK','BFRANK','Bernd','Frank',,'bernd.frank@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','DE');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('DSTAUSS','DSTAUSS','Dirk','Stauss',,'dirk.stauss@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','AT');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('DJONES','DJONES','Dora','Jones',,'dora.jones@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','DE');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('EBRANDT','EBRANDT','Ewald','Brandt',,'ewald.brandt@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','CH');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('GKLEIN','GKLEIN','Gerrit','Klein',,'gerrit.klein@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','DE');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('GVOGT','GVOGT','Gitta','Vogt',,'gitta.vogt@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','CH');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('HSCHUMACHER','HSCHUMACHER','Helene','Schumacher',,'helene.schumacher@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','DE');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('LSCHULTE','LSCHULTE','Lothur','Schulte',,'lothur.schulte@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','AT');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('LDERICHS','LDERICHS','Lutz','Derichs',,'lutz.derichs@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','AT');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('RPROTZ','RPROTZ','Rosemarie','Protz',,'rosemarie.protz@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','DE');
+INSERT INTO OS_ACCOUNT (USERID,USERNAME,FIRSTNAME,LASTNAME,PASSWORD,EMAIL,PROVISIONDATE,STATUS,COUNTRYCODE) values ('WSCHUBERT','WSCHUBERT','Wolf','Schubert',,'wolf.schubert@oracledemo.com',to_date('24-OCT-24','DD-MON-RR'),'ACTIVE','DE');
+
+INSERT INTO OS_HOST (HOSTID,HOSTNAME) values ('host001','unixhost1');
+INSERT INTO OS_HOST (HOSTID,HOSTNAME) values ('host002','unixhost2');
+INSERT INTO OS_HOST (HOSTID,HOSTNAME) values ('host003','linuxhost1');
+INSERT INTO OS_HOST (HOSTID,HOSTNAME) values ('host004','linuxhost2');
+
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('BFRANK','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('BFRANK','host002');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('BFRANK','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('DJONES','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('DJONES','host002');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('DJONES','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('DSTAUSS','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('DSTAUSS','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('EBRANDT','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('EBRANDT','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('GKLEIN','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('GKLEIN','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('GKLEIN','host004');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('GVOGT','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('GVOGT','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('HSCHUMACHER','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('HSCHUMACHER','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('LDERICHS','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('LDERICHS','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('LSCHULTE','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('LSCHULTE','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('RPROTZ','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('RPROTZ','host003');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('RPROTZ','host004');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('WSCHUBERT','host001');
+INSERT INTO OS_ACCOUNT_HOST (USERID,HOSTID) values ('WSCHUBERT','host003');
