Every database has a pseudo-role named PUBLIC of which every user is a member, so a privilege granted to PUBLIC is effectively granted to everyone, present and future. Before granting anything to PUBLIC, check what it already holds (DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_ROLE_PRIVS with GRANTEE = 'PUBLIC').
Base tables and data dictionary views are stored in the SYS schema. SYSTEM schema tables are used for administrative information and by various Oracle tools and options.
After connecting AS SYSDBA you can run: startup, shutdown, alter database mount, alter database open, alter database backup controlfile, alter database archivelog, alter database recover, create database, drop database, create spfile, restricted session. SYSDBA also carries every system privilege WITH ADMIN OPTION, and the session runs as SYS.
SYSOPER cannot: create or drop a database. SYSOPER is the operations subset of SYSDBA (start, stop, mount, open, back up, recover) and gives no access to user data in other schemas.
The CONNECT INTERNAL syntax supported in earlier releases of Oracle is no longer available. When operating system authentication is used, administrative users must be members of the OSDBA or OSOPER operating system groups; such a member connects with "/ AS SYSDBA" without a database password, so membership in those groups is equivalent to holding SYSDBA. For password file authentication, the file is created with the ORAPWD utility; users are added to it by SYS or by a user holding SYSDBA, via GRANT SYSDBA or GRANT SYSOPER, and the current membership is visible in V$PWFILE_USERS.
A policy is a way to extend your security framework. You can specify additional requirements in a policy that are checked whenever a user attempts to activate a role; this is the mechanism behind secure application roles, which can be enabled only through a designated PL/SQL package. Policies are written in PL/SQL and can be used, for example, to limit access to a particular IP address or to particular hours of the day.
FGAC - fine-grained access control. Security policies implemented as PL/SQL functions can be associated with tables or views, enabling creation of a virtual private database (VPD): the function returns a predicate that Oracle appends to the WHERE clause of every qualifying statement, so the restriction holds regardless of which tool or application issues the SQL. You associate a security policy with a particular view or table by using the built-in PL/SQL package DBMS_RLS, which also lets you refresh, enable, or disable a security policy.
Oracle Database 10g and newer releases feature a VPD that is even more fine-grained: a column-sensitive policy is enforced only when a query references a specific column, and can either hide the affected rows or return them with the sensitive column masked to NULL.
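The following is an added example, not code from the original notes or from Oracle: a row-level VPD policy on HR.EMPLOYEES that keeps UPDATE and DELETE inside the caller's department, and a column-sensitive policy (10g+) that masks SALARY for other departments while still returning the rows. The schema APP_SEC, the context EMP_CTX, the policy names and the HR_ADMIN account are assumptions; APP_SEC needs SELECT on HR.EMPLOYEES and ADMINISTER DATABASE TRIGGER for the logon trigger.

```sql
-- Added example (not from the original notes). Assumed names: APP_SEC,
-- EMP_CTX, EMP_DEPT_ROWS, EMP_SALARY_COL, HR_ADMIN. Table: HR.EMPLOYEES.

-- 1. An application context that only the trusted package may write to.
CREATE OR REPLACE CONTEXT emp_ctx USING app_sec.emp_ctx_pkg;

CREATE OR REPLACE PACKAGE app_sec.emp_ctx_pkg AS
    PROCEDURE set_dept;
END;
/
CREATE OR REPLACE PACKAGE BODY app_sec.emp_ctx_pkg AS
    PROCEDURE set_dept IS
        v_dept hr.employees.department_id%TYPE;
    BEGIN
        -- Resolve the caller's department once at logon. The predicate later
        -- reads it from the context instead of querying the protected table
        -- (a predicate that selected from HR.EMPLOYEES would itself be
        -- subject to the policy).
        SELECT department_id INTO v_dept
          FROM hr.employees
         WHERE UPPER(email) = SYS_CONTEXT('USERENV', 'SESSION_USER');
        DBMS_SESSION.SET_CONTEXT('EMP_CTX', 'DEPT_ID', TO_CHAR(v_dept));
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            -- Fail closed: an unknown user matches no department.
            DBMS_SESSION.SET_CONTEXT('EMP_CTX', 'DEPT_ID', '-1');
    END;
END;
/
CREATE OR REPLACE TRIGGER app_sec.set_emp_ctx_on_logon
AFTER LOGON ON DATABASE
BEGIN
    app_sec.emp_ctx_pkg.set_dept;
END;
/

-- 2. The policy function. Oracle calls it with (schema, object) and appends
--    the returned string to the statement's WHERE clause.
CREATE OR REPLACE FUNCTION app_sec.emp_dept_predicate (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_ADMIN' THEN
        RETURN NULL;        -- no predicate: the administrator sees all rows
    END IF;
    -- Reference the context from inside the predicate; never concatenate
    -- session-supplied text into the returned string.
    RETURN 'department_id = TO_NUMBER(SYS_CONTEXT(''EMP_CTX'', ''DEPT_ID''))';
END;
/

-- 3. Row-level policy: writes stay inside the caller's department, and an
--    UPDATE may not move a row out of scope (update_check).
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMPLOYEES',
        policy_name     => 'EMP_DEPT_ROWS',
        function_schema => 'APP_SEC',
        policy_function => 'EMP_DEPT_PREDICATE',
        statement_types => 'UPDATE,DELETE',
        update_check    => TRUE);
END;
/

-- 4. Column-sensitive policy (10g+): applied only when SALARY is referenced.
--    With ALL_ROWS the other departments' rows are still returned, but
--    SALARY comes back as NULL for them.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema         => 'HR',
        object_name           => 'EMPLOYEES',
        policy_name           => 'EMP_SALARY_COL',
        function_schema       => 'APP_SEC',
        policy_function       => 'EMP_DEPT_PREDICATE',
        statement_types       => 'SELECT',
        sec_relevant_cols     => 'SALARY',
        sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Maintenance through the same package.
EXEC DBMS_RLS.ENABLE_POLICY('HR', 'EMPLOYEES', 'EMP_DEPT_ROWS', FALSE);
EXEC DBMS_RLS.DROP_POLICY('HR', 'EMPLOYEES', 'EMP_SALARY_COL');
```

Two things to verify after installing a policy: that users holding EXEMPT ACCESS POLICY (and SYS) bypass it, which is by design but must be on the DBA's list, and that `SELECT first_name, last_name FROM hr.employees` returns every row while `SELECT first_name, salary FROM hr.employees` returns NULL salaries outside the caller's department; if the predicate does not fire, check DBA_POLICIES for the ENABLE flag and the exact column spelling.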
The Oracle Label Security Option eliminates the need to write VPD PL/SQL programs to enforce row-level label security.
Policies are created and applied, sensitivity labels are defined, and user labels are set and authorized through a policy manager tool accessible through Enterprise Manager (EM).
Application developers can place a SET ROLE command at the beginning of an application to enable the appropriate role and disable others only while the application is running. Similarly, you can invoke a DBMS_SESSION.SET_ROLE procedure from PL/SQL.
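An added example, not from the original notes: the role-activation policy described above implemented as a secure application role, enabled from the application through DBMS_SESSION.SET_ROLE. The role APP_USER_ROLE, the package APP_SEC.APP_ROLE_PKG, the user ALICE and the 10.0.0.* office subnet are assumptions.

```sql
-- Added example (not from the original notes). Assumed names: APP_USER_ROLE,
-- APP_SEC.APP_ROLE_PKG, ALICE; assumed office subnet 10.0.0.*.

-- The role can only be enabled from inside this package; SET ROLE from a
-- SQL prompt is refused (ORA-28201).
CREATE ROLE app_user_role IDENTIFIED USING app_sec.app_role_pkg;
GRANT SELECT ON hr.employees TO app_user_role;

GRANT app_user_role TO alice;
-- Granted but not enabled at logon, so the package check cannot be skipped.
ALTER USER alice DEFAULT ROLE ALL EXCEPT app_user_role;

-- A package that enables a secure application role must run with
-- invoker's rights.
CREATE OR REPLACE PACKAGE app_sec.app_role_pkg AUTHID CURRENT_USER AS
    PROCEDURE enable_role;
END;
/
CREATE OR REPLACE PACKAGE BODY app_sec.app_role_pkg AS
    PROCEDURE enable_role IS
        v_ip   VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
        v_hour PLS_INTEGER  := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
    BEGIN
        -- IP_ADDRESS is NULL for local (bequeath) connections; treat that as
        -- "not from the office network" rather than letting it through.
        IF v_ip IS NULL OR v_ip NOT LIKE '10.0.0.%' THEN
            RAISE_APPLICATION_ERROR(-20001,
                'application role not available from ' || NVL(v_ip, 'local connection'));
        END IF;
        IF v_hour < 8 OR v_hour >= 18 THEN
            RAISE_APPLICATION_ERROR(-20002,
                'application role available 08:00-18:00 only');
        END IF;
        -- Checks passed: switch the role on for the rest of the session.
        DBMS_SESSION.SET_ROLE('app_user_role');
    END;
END;
/
GRANT EXECUTE ON app_sec.app_role_pkg TO alice;

-- At application start-up, as ALICE:
BEGIN
    app_sec.app_role_pkg.enable_role;
END;
/
-- Afterwards the role is active for this session only:
SELECT role FROM session_roles;
```

Only attributes that Oracle derives from the connection itself (IP_ADDRESS, SESSION_USER, AUTHENTICATION_TYPE) are worth checking here; MODULE, CLIENT_INFO and CLIENT_IDENTIFIER are set by the client and can be asserted by any program, so a policy built on them merely identifies the well-behaved application, not the attacker's.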
Another way application security is sometimes accomplished is by encapsulating privileges in stored procedures. Instead of granting direct access to the various tables for an application, you can create stored procedures that provide access to the tables and grant EXECUTE on the stored procedures instead of privileges on the tables. For example, instead of granting INSERT on the EMPLOYEE table, you might create and grant access to a stored procedure called HIRE_EMPLOYEE that accepts as parameters all the data for a new employee; the procedure then becomes the only write path and can validate the data in ways a table grant cannot.
When you run a stored procedure normally (definer's rights, the default), the procedure has the access rights that were granted to the owner of the procedure; that owner is the schema in which the procedure resides. If a particular schema has access to a particular database object, all stored procedures that reside in that schema have the same rights as the schema. When any user calls one of those stored procedures, that user has, for the duration of the call, the same access rights to the underlying data objects that the procedure's owner does, so dynamic SQL built from caller input inside a definer's-rights procedure is a privilege-escalation path.
If you attach the clause AUTHID CURRENT_USER to a stored procedure when it is compiled (invoker's rights), security restrictions are enforced based on the privileges of the user invoking the procedure, rather than those of the schema that owns it; note that roles are enabled in an invoker's-rights call but disabled inside a definer's-rights one.
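An added example, not from the original notes: the HIRE_EMPLOYEE pattern as a definer's-rights procedure next to an invoker's-rights routine, showing what each mode lets the caller do. The application account APP_CLERK, the salary limit and the ROW_COUNT_OF helper are assumptions; the table and sequence are those of Oracle's HR sample schema.

```sql
-- Added example (not from the original notes). Assumed: account APP_CLERK
-- with no privileges on HR tables; HR owns EMPLOYEES and EMPLOYEES_SEQ.

-- Definer's rights (the default, written out here): runs with HR's
-- privileges, so APP_CLERK can insert through it and only through it.
CREATE OR REPLACE PROCEDURE hr.hire_employee (
    p_first_name IN hr.employees.first_name%TYPE,
    p_last_name  IN hr.employees.last_name%TYPE,
    p_email      IN hr.employees.email%TYPE,
    p_job_id     IN hr.employees.job_id%TYPE,
    p_dept_id    IN hr.employees.department_id%TYPE,
    p_salary     IN hr.employees.salary%TYPE)
AUTHID DEFINER
AS
BEGIN
    -- Business rule a table grant cannot express; cannot be bypassed
    -- because the caller has no INSERT on the table itself.
    IF p_salary IS NULL OR p_salary <= 0 OR p_salary > 500000 THEN
        RAISE_APPLICATION_ERROR(-20010, 'salary outside policy range');
    END IF;
    INSERT INTO hr.employees
        (employee_id, first_name, last_name, email,
         hire_date, job_id, salary, department_id)
    VALUES
        (hr.employees_seq.NEXTVAL, p_first_name, p_last_name, UPPER(p_email),
         TRUNC(SYSDATE), p_job_id, p_salary, p_dept_id);
END;
/
GRANT EXECUTE ON hr.hire_employee TO app_clerk;

-- As APP_CLERK this works:
--   EXEC hr.hire_employee('Ada', 'Lovelace', 'alovelace', 'IT_PROG', 60, 9000);
-- while a direct INSERT INTO hr.employees fails for lack of privilege.

-- Invoker's rights: a generic helper that must see only what the caller
-- may see. Dynamic SQL here is safe because the privileges are the
-- caller's own, and the identifier is validated before use.
CREATE OR REPLACE FUNCTION hr.row_count_of (p_table IN VARCHAR2)
RETURN NUMBER
AUTHID CURRENT_USER
AS
    v_n NUMBER;
BEGIN
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM '
        || DBMS_ASSERT.QUALIFIED_SQL_NAME(p_table)
        INTO v_n;
    RETURN v_n;
END;
/
GRANT EXECUTE ON hr.row_count_of TO app_clerk;

-- As APP_CLERK: hr.row_count_of('HR.EMPLOYEES') raises ORA-00942 because
-- APP_CLERK has no SELECT on the table. Compiled AUTHID DEFINER instead, the
-- same call would succeed with HR's privileges and, worse, would count any
-- table HR can read, whatever name the caller passed in.
```

The check to run when reviewing such code: list every definer's-rights procedure that contains EXECUTE IMMEDIATE or DBMS_SQL (DBA_SOURCE joined to DBA_PROCEDURES where AUTHID = 'DEFINER') and confirm that each either takes no caller-controlled identifiers or validates them with DBMS_ASSERT.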
Global authentication allows you to maintain a single authentication list for multiple distributed databases.
In typical three-tier implementations, the Oracle Application Server runs some of the application logic, serves as an interface between the clients and database servers, and provides much of the Oracle Identity Management (OIM) infrastructure.
The Oracle Advanced Security Option (ASO) is used in distributed environments linked via Oracle Net in which there are concerns regarding secure access and transmission of data. This option provides data encryption and integrity checking during transmission, together with strong authentication methods (Kerberos, RADIUS, PKI); it does not, by itself, encrypt data stored on disk.
Transparent Data Encryption - the database does the work of encrypting and decrypting data automatically. Data sent to the database is encrypted by Oracle before it is written to the datafiles, and data requested from the database is decrypted on the way out. No additional code is required in an application. Oracle Database 10g Release 2 introduced column-level TDE; Oracle Database 11g allows you to encrypt entire tablespaces. Because the decryption is transparent, anyone with SELECT on the table still sees plaintext: TDE protects against loss of datafiles, backups and disks, not against misuse of database privileges.
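An added example, not from the original notes: the two TDE granularities side by side, with the 11g master-key commands. The wallet password, the table HR.EMPLOYEE_PII, the tablespace SECURE_TS and the datafile path are assumptions; the ALTER SYSTEM SET ENCRYPTION syntax is the 10gR2/11g form (12c and later use ADMINISTER KEY MANAGEMENT).

```sql
-- Added example (not from the original notes). Assumed: wallet password,
-- HR.EMPLOYEE_PII, SECURE_TS, datafile path. sqlnet.ora must already point
-- ENCRYPTION_WALLET_LOCATION at a directory the instance can write.

-- One-time: create the master key (also creates the wallet) and open it.
-- The wallet has to be opened after every instance restart, or encrypted
-- data becomes unreadable (ORA-28365: wallet is not open).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-pw-assumed";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-pw-assumed";

-- Column-level TDE (10gR2+): only the SSN column is encrypted at rest.
-- NO SALT makes the column usable in an index but lets equal plaintexts
-- map to equal ciphertexts; keep the default (salted) unless you need
-- the index.
CREATE TABLE hr.employee_pii (
    employee_id NUMBER PRIMARY KEY REFERENCES hr.employees (employee_id),
    ssn         VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT
);

-- Tablespace-level TDE (11g+): everything created in it is encrypted,
-- including temp segments spilled into it, with no per-column decisions.
CREATE TABLESPACE secure_ts
    DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 500M
    ENCRYPTION USING 'AES256'
    DEFAULT STORAGE (ENCRYPT);

CREATE TABLE hr.payroll (
    employee_id NUMBER REFERENCES hr.employees (employee_id),
    net_pay     NUMBER(10,2),
    paid_on     DATE
) TABLESPACE secure_ts;

-- What TDE does and does not change for a privileged user: the SELECT
-- returns plaintext to anyone with the privilege, exactly as before.
SELECT e.last_name, p.ssn
  FROM hr.employees e JOIN hr.employee_pii p ON p.employee_id = e.employee_id;

-- Verification queries for an audit.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
SELECT wrl_parameter, status FROM v$encryption_wallet;
```

Two operational caveats belong with this: strings `grep`-able in a datafile before TDE (a cleartext SSN in a block dump) disappear after the rebuild, but the same values remain in undo, redo, archived logs and old backups written before encryption was enabled; and the wallet is the single point of failure for every encrypted byte, so it is backed up separately from the datafiles and never stored alongside them.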
Compliance
The Oracle Database Vault Option - restricts DBAs and other highly privileged users from accessing application data to which they should not have access: system privileges such as SELECT ANY TABLE stop reaching into protected schemas. Key parameters defined in the Oracle Database Vault Option are called factors. Factors include things such as specific application programs, client locations, or times of day.
Factors are combined into rules and rule sets, and rule sets are used to govern database realms, which fence off a subset of schemas, roles, and objects so that only explicitly authorized accounts (and only when the attached rule set evaluates true) can use their privileges on them. (173)
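An added example, not from the original notes or from Oracle: a realm around the HR schema whose only authorized participant is the application account, and only from the office network. The names (realm "HR Data", rule set "HR App Access", account HR_APP, subnet 10.0.0.*) are assumptions; the DBMS_MACADM parameter names follow the Oracle Database Vault 11g reference as the editor understands it (12c and later add parameters such as realm_type), and the block must be run by the Database Vault owner (DV_OWNER), not by SYS.

```sql
-- Added example (not from the original notes). Assumed names: "HR Data",
-- "HR App Access", HR_APP, office subnet 10.0.0.*. 11g DBMS_MACADM API.
BEGIN
    -- A rule over two factors shipped with Database Vault, Session_User and
    -- Client_IP, read through the DVF.F$ functions.
    DBMS_MACADM.CREATE_RULE(
        rule_name => 'HR app from office network',
        rule_expr => q'[DVF.F$SESSION_USER = 'HR_APP' AND DVF.F$CLIENT_IP LIKE '10.0.0.%']');

    DBMS_MACADM.CREATE_RULE_SET(
        rule_set_name   => 'HR App Access',
        description     => 'Allow HR_APP from the office subnet only',
        enabled         => DBMS_MACUTL.G_YES,
        eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
        audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
        fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
        fail_message    => 'HR data is not accessible from this session',
        fail_code       => 20500,
        handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
        handler         => NULL);
    DBMS_MACADM.ADD_RULE_TO_RULE_SET(
        rule_set_name => 'HR App Access',
        rule_name     => 'HR app from office network');

    -- The realm: once it exists, a DBA's SELECT ANY TABLE no longer reaches
    -- the tables inside it, and failed attempts are audited.
    DBMS_MACADM.CREATE_REALM(
        realm_name    => 'HR Data',
        description   => 'Employee and payroll tables',
        enabled       => DBMS_MACUTL.G_YES,
        audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
    DBMS_MACADM.ADD_OBJECT_TO_REALM(
        realm_name   => 'HR Data',
        object_owner => 'HR',
        object_name  => '%',         -- every object...
        object_type  => 'TABLE');    -- ...of this type in the schema

    -- HR_APP may use its object privileges only while the rule set holds;
    -- HR itself is realm owner so it can still administer its own schema.
    DBMS_MACADM.ADD_AUTH_TO_REALM(
        realm_name    => 'HR Data',
        grantee       => 'HR_APP',
        rule_set_name => 'HR App Access',
        auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
    DBMS_MACADM.ADD_AUTH_TO_REALM(
        realm_name    => 'HR Data',
        grantee       => 'HR',
        rule_set_name => NULL,
        auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verification: a DBA holding SELECT ANY TABLE now gets ORA-01031 on
-- SELECT * FROM hr.employees, and the attempt is visible to DV_OWNER in
-- the Database Vault audit trail.
SELECT realm_name, grantee, rule_set_name FROM dba_dv_realm_auth
 WHERE realm_name = 'HR Data';
```

The realm protects objects, not the grants on them: an account that legitimately holds SELECT on HR.EMPLOYEES through a direct object grant still needs to be a realm participant or owner, so listing DBA_TAB_PRIVS for the HR schema before enabling the realm avoids breaking the application on the first connection after the change.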