Index
A
- access control
-
- encryption, problems not solved by, 8.2.1
- enforcing, 10.8.1
- object privileges, 4.5.1
- password encryption, 3.2.1
- access control list (ACL)
-
- about, 4.11.1
- advantages, 4.11
- effect of upgrade from earlier release, 4.11.2
- creating, 4.11.3
- DBMS_NETWORK_ACL package
-
- using, 4.11.3.1
- DBMS_NETWORK_ACL_ADMIN package
-
- using, 4.11.3
- examples, 4.11.4
- finding information about, 4.11.10
- hosts, assigning, 4.11.3.2
- network hosts, using wildcards to specify, 4.11.5
- ORA-24247 errors, 4.11.2
- order of precedence
-
- hosts, 4.11.6
- port ranges, 4.11.7
- privilege assignments
-
- about, 4.11.8
- database administrators checking, 4.11.8.1
- users checking, 4.11.8.2
- setting precedence
-
- multiple roles, 4.11.9
- multiple users, 4.11.9
- syntax for creating, 4.11.3.1
- account locking
-
- example, 3.2.3.4
- explicit, 3.2.3.4
- password management, 3.2.3.4
- PASSWORD_LOCK_TIME initialization parameter, 3.2.3.4
- ad hoc tools
-
- database access, security problems of, 4.4.7.1
- ADMIN OPTION
-
- about, 4.6.1.1
- revoking privileges, 4.7.1
- revoking roles, 4.7.1
- roles, 4.4.5.1
- system privileges, 4.3.4
- administrative user passwords
-
- default, importance of changing, 10.5
- administrator privileges
-
- access, 10.8.2
- operating system authentication, 3.3.2
- passwords, 3.3.3, 10.5
- SYSDBA and SYSOPER access, centrally controlling, 3.3.1
- write, on listener.ora file, 10.8.2
- adump audit files directory, 9.6.1
- "all permissions", 10.3
- ALTER privilege statement
-
- SQL statements permitted, 5.8.2
- ALTER PROFILE statement
-
- password management, 3.2.3.1
- ALTER RESOURCE COST statement, 2.4.4.2
- ALTER ROLE statement
-
- changing authorization method, 4.4.3
- ALTER SESSION statement
-
- schema, setting current, 5.7.1
- ALTER USER privilege, 2.3
- ALTER USER statement
-
- default roles, 4.10.2
- explicit account unlocking, 3.2.3.4
- GRANT CONNECT THROUGH clause, 3.10.1.3
- passwords, changing, 2.3.1
- passwords, expiring, 3.2.3.6
- profiles, changing, 3.2.3.6
- REVOKE CONNECT THROUGH clause, 3.10.1.3
- user profile, 3.2.3.1
- altering users, 2.3
- ANY system privilege
-
- guidelines for security, 10.6
- application contexts
-
- about, 6.1
- as secure data cache, 6.1
- bind variables, 7.1.3
- client session-based
-
- about, 6.5.1
- CLIENTCONTEXT namespace, clearing value from, 6.5.4
- CLIENTCONTEXT namespace, setting value in, 6.5.2
- retrieving client session ID, 6.5.3
- database session-based
-
- about, 6.3.1
- cleaning up after user exits, 6.3.1
- components, 6.3.1
- creating, 6.3.2
- database links, 6.3.3.5
- dynamic SQL, 6.3.3.3
- externalized, using, 6.3.8
- how to use, 6.3
- initializing externally, 6.3.6
- initializing globally, 6.3.7
- ownership, 6.3.2
- parallel queries, 6.3.3.4
- PL/SQL package creation, 6.3.3
- session information, setting, 6.3.3.6
- SYS_CONTEXT function, 6.3.3.2
- trusted procedure, 6.1
- tutorial, 6.3.5
- DBMS_SESSION.SET_CONTEXT procedure, 6.3.3.6
- driving context, 6.6
- finding information about, 6.6
- global
-
- about, 6.4.1
- authenticating nondatabase users, 6.4.3.5
- authenticating user for multiple applications, 6.4.3.4
- components, 6.4.1
- creating, 6.4.2
- example of authenticating nondatabase users, 6.4.3.5
- example of authenticating user moving to different application, 6.4.3.4
- example of setting values for all users, 6.4.3.3
- ownership, 6.4.2
- PL/SQL package creation, 6.4.3.1
- process, lightweight users, 6.4.6.2
- process, standard, 6.4.6.1
- reasons for using, 6.4.1
- sharing values globally for all users, 6.4.3.3
- tutorial for client session IDs, 6.4.5
- used for One Big Application User scenarios, 7.5.5
- user name retrieval with USER function, 6.4.3.2
- uses for, 7.5.5
- global application context
-
- system global area, 6.4.1
- logon trigger, creating, 6.3.4
- performance, 7.4.2.7
- policy groups, used in, 7.3.5.1
- returning predicate, 7.1.3
- session information, retrieving, 6.3.3.2
- support for database links, 6.3.6
- types, 6.2
- users, nondatabase connections, 6.4.1, 6.4.3.5
- Virtual Private Database, used with, 7.1.3
- application developers
-
- CONNECT role change, 10.10.3.2
- application security
-
- specifying attributes, 6.3.2
- application users who are database users
-
- Oracle Virtual Private Database, how it works with, 7.5.5
- applications
-
- about security policies for, 5.1
- database users, 5.2.1
- enhancing security with, 4.4.1.2
- object privileges, 5.8.1
- object privileges permitting SQL statements, 5.8.2
- One Big Application User model, 5.2.2
-
- about, 5.2.1
- security risks of, 5.2.1
- Oracle Virtual Private Database, how it works with, 7.5.1
- password handling, guidelines, 5.3.1.2
- password protection strategies, 5.3
- privileges, managing, 5.4
- roles
-
- multiple, 4.4.1.3.1
- privileges, associating with database roles, 5.6
- security, 4.4.7, 5.2.2
- security considerations for use, 5.2
- security limitations, 7.5.1
- security policies, 7.3.5.3
- validating with security policies, 7.3.5.5
- AQ_ADMINISTRATOR_ROLE role
-
- about, 4.4.2
- AQ_USER_ROLE role
-
- about, 4.4.2
- attacks
-
- See security attacks
- audit files
-
- activities always written to, 9.2.2
- archiving, 9.5.3.7.1
- directory, 9.6.1
- file names, form of, 9.6.1
- fine-grained audit trail, 9.8.4
- operating system file, contents, 9.5.4.1
- where written to, 9.6.1
- AUDIT statement
-
- about, 9.5.3.5
- schema objects, 9.5.9.3
- statement auditing, 9.5.6.2
- system privileges, 9.5.6.2
- audit trail
-
- about, 9.2.1
- archiving, 9.9
- deleting views, 9.10.3
- finding information about, 9.10.1
- interpreting, 9.10.2
- types of, 9.2.1
- See also SYS.AUD$ table, SYS.FGA_LOG$ table
- See also standard audit trail
- AUDIT_FILE_DEST initialization parameter
-
- about, 9.5.4.3
- setting for OS auditing, 9.5.4.3
- AUDIT_SYS_OPERATIONS initialization parameter
-
- auditing SYS, 9.6.1
- AUDIT_TRAIL initialization parameter
-
- about, 9.5.3.3
- auditing SYS, 9.6.1
- database, starting in read-only mode, 9.5.3.4
- DB (database) setting, 9.5.3.4
- DB, EXTENDED setting, 9.5.3.4
- disabling, 9.5.3.4
- OS (operating system) setting, 9.5.3.4
- OS setting, Windows impact, 9.5.4.3
- setting, 9.5.3.3
- values, 9.5.3.4
- XML setting, 9.5.3.4
- XML, EXTENDED setting, 9.5.3.4
- auditing
-
- administrators
-
- See standard auditing
- audit options, 9.1.2
- audit records, 9.2.1
- audit trails, 9.2.1
- database audit trail, using, 9.5.5
- database user names, 3.5
- default auditing, enabling, 9.4
- distributed databases and, 9.1.3
- finding information about, 9.10.1
- fine-grained
-
- See fine-grained auditing
- guidelines for security, 10.9
- historical information, 10.9.3
- keeping information manageable, 10.9.2
- LOBs, auditing
-
- user-defined columns, 9.8.1
- middle-tier systems, real user actions, 3.10.1.10
- multitier environments
-
- See standard auditing
- network
-
- See standard auditing
- object columns, 9.8.1
- objects
-
- See standard auditing
- One Big Application User, compromised by, 5.2.1
- operating-system user names, 3.5
- privileges
-
- See standard auditing
- range of focus, 9.1.2
- recommended settings, 10.9.5
- Sarbanes-Oxley Act
-
- auditing, meeting compliance through, 9.4
- meeting compliance through auditing, 10.9.1
- schema objects
-
- See standard auditing
- SQL statements
-
- See standard auditing
- standard
-
- See standard audit trail, standard auditing
- statements
-
- See standard auditing
- suspicious activity, 10.9.4
- views
-
- active object options, 9.10.2.3
- active privilege options, 9.10.2.2
- active statement options, 9.10.2.1
- default object options, 9.10.2.4
- when audit options take effect, 9.5.3.1
- See also SYS.AUD$ table, SYS.FGA_LOG$ table, standard auditing, standard audit trail, fine-grained auditing
- AUTHENTICATEDUSER role, 4.4.2
- authentication
-
- about, 3.1
- administrators
-
- operating system, 3.3.2
- passwords, 3.3.3
- SYSDBA and SYSOPER access, centrally controlling, 3.3.1
- by database, 3.4
- by SSL, 3.7.1.1
- certificate, 10.8.1
- client, 10.8.1
- client-to-middle tier process, 3.10.1.5.1
- database administrators, 3.3
- databases, using
-
- about, 3.4.1
- advantages, 3.4.2
- procedure, 3.4.3
- directory service, 3.7.1
- directory-based services, 3.6.2
- external authentication
-
- about, 3.8.1
- advantages, 3.8.2
- operating system authentication, 3.8.4
- user creation, 3.8.3
- global authentication
-
- about, 3.7
- advantages, 3.7.2
- user creation for private schemas, 3.7.1.1
- user creation for shared schemas, 3.7.1.2
- middle-tier authentication
-
- proxies, example, 3.10.1.7
- multitier, 3.9
- network authentication
-
- Secure Sockets Layer, 3.6.1
- third-party services, 3.6.2
- One Big Application User, compromised by, 5.2.1
- operating system authentication
-
- about, 3.5
- advantages, 3.5
- disadvantages, 3.5
- proxy user authentication
-
- about, 3.10.1
- expired passwords, 3.10.1.3
- public key infrastructure, 3.6.2
- RADIUS, 3.6.2
- remote, 10.8.1
- specifying when creating a user, 2.2.3
- strong, 10.5
- user, 10.8.1
- See also passwords, proxy authentication
- authorization
-
- about, 4
- changing for roles, 4.4.3
- global
-
- about, 3.7
- advantages, 3.7.2
- multitier, 3.9
- omitting for roles, 4.4.3
- operating system, 4.4.4.3.1
- roles, about, 4.4.4
- automatic reparse
-
- Oracle Virtual Private Database, how it works with, 7.5.2
- Automatic Storage Management (ASM)
-
- SYSASM privilege, Preface
B
- banners
-
- auditing user actions, configuring, 5.9.5
- unauthorized access, configuring, 5.9.5
- batch jobs, authenticating users in, 3.2.5.1
- BFILEs
-
- guidelines for security, 10.6
- bind variables
-
- application contexts, used with, 7.1.3
- BLOBS
-
- encrypting, 8.3.6
C
- cascading revokes, 4.7.3
- CATNOAUD.SQL script
-
- about, 9.10.3
- audit trail views, deleting with, 9.10.3
- certificate authentication, 10.8.1
- certificate key algorithm
-
- Secure Sockets Layer, 10.8.3
- certificates for user and server authentication, 10.8.1
- change_on_install default password, 10.5
- character sets
-
- role names, multibyte characters in, 4.4.3
- role passwords, multibyte characters in, 4.4.4.1
- cipher suites
-
- Secure Sockets Layer, 10.8.3
- client connections
-
- guidelines for security, 10.8.1
- secure external password store, 3.2.5.3
- securing, 10.8.1
- client identifiers
-
- about, 3.10.2
- consistency between DBMS_SESSION.SET_IDENTIFIER and DBMS_APPLICATION_INFO.SET_CLIENT_INFO, 3.10.2.4
- global application context, independent of, 3.10.2.3
- setting with DBMS_SESSION.SET_IDENTIFIER procedure, 6.4.1
- CLIENT_IDENTIFIER USERENV attribute
-
- JDBC applications, setting for, 3.10.2.3
- setting and clearing with DBMS_SESSION package, 3.10.2.4
- setting for applications that use JDBC, 3.10.2.3
- setting with OCI user session handle attribute, 3.10.2.3
- See also USERENV namespace
- CLIENTID_OVERWRITE event, 3.10.2.4
- column masking behavior, 7.3.4.3
-
- column specification, 7.3.4.3
- restrictions, 7.3.4.3
- columns
-
- granting privileges for selected, 4.6.2.3
- granting privileges on, 4.6.2.3
- INSERT privilege and, 4.6.2.3
- listing users granted to, 4.12.3
- privileges, 4.6.2.3
- pseudo columns
-
- USER, 4.5.5.3
- revoking privileges on, 4.7.2.2
- command line recall attacks, 5.3.1.1, 5.3.1.4
- configuration
-
- guidelines for security, 10.7
- configuration files
-
- listener.ora, 10.8.2
- sample listener.ora file, 10.8.2
- server.key encryption file, 10.8.3
- tnsnames.ora, 10.8.3
- typical directory, 10.8.3
- CONNECT role
-
- about, 10.10
- applications
-
- account provisioning, 10.10.2.2
- effects of, 10.10.2
- database upgrades, 10.10.2.1
- installation of, 10.10.2.3
- script to create, 4.4.2
- users
-
- application developers, impact, 10.10.3.2
- client-server applications, impact, 10.10.3.3
- general users, impact, 10.10.3.1
- how affects, 10.10.3
- why changed, 10.10.1
- connection pooling
-
- about, 3.9
- global application contexts, 6.4.1
- nondatabase users, 6.4.3.5
- proxy authentication, 3.10.1.5
- connections
-
- SYS privilege, 10.3
- CPU time limit, 2.4.2.3
- CREATE ANY TABLE statement
-
- non-administrative users, 10.3
- CREATE CONTEXT statement
-
- about, 6.3.2
- example, 6.3.2
- CREATE EXTERNAL JOB privilege
-
- scheduling job in grantee schema, 4.3.2.2
- CREATE PROFILE statement
-
- account locking period, 3.2.3.4
- failed login attempts, 3.2.3.4
- password aging and expiration, 3.2.3.6
- password management, 3.2.3.1
- passwords, example, 3.2.3.6
- CREATE ROLE statement
-
- IDENTIFIED BY option, 4.4.4.1
- IDENTIFIED EXTERNALLY option, 4.4.4.3
- CREATE SCHEMA statement
-
- securing, 5.7.1
- CREATE SESSION statement
-
- CONNECT role privilege, 10.4
- securing, 5.7.1
- CREATE USER statement
-
- explicit account locking, 3.2.3.4
- IDENTIFIED BY option, 2.2.3
- IDENTIFIED EXTERNALLY option, 2.2.3
- passwords, expiring, 3.2.3.6
- user profile, 3.2.3.1
- CSW_USR_ROLE role, 4.4.2
- CTXAPP role, 4.4.2
- cursors
-
- reparsing, for application contexts, 6.3.4
- shared, used with Virtual Private Database, 7.1.3
- custom installation, 10.7
- CWM_USER role, 4.4.2
D
- data definition language (DDL)
-
- roles and privileges, 4.4.1.6
- standard auditing, 9.5.6.1
- data dictionary
-
- protecting, 10.6
- securing with O7_DICTIONARY_ACCESSIBILITY, 4.3.2.1
- data dictionary views
-
- See views
- data files, 10.6
-
- guidelines for security, 10.6
- data manipulation language (DML)
-
- privileges controlling, 4.5.4.1
- standard auditing, 9.5.6.1
- data security
-
- encryption, problems not solved by, 8.2.3
- database administrators (DBAs)
-
- access, controlling, 8.2.2
- authentication, 3.3
- malicious, encryption not solved by, 8.2.2
- Database Configuration Assistant (DBCA)
-
- default passwords, changing, 10.5
- password settings in default profile, 3.2.3.3
- user accounts, automatically locking and expiring, 10.3
- database links
-
- application context support, 6.3.6
- application contexts, 6.3.3.5
- auditing, 9.5.9.1
- authenticating with Kerberos, 3.6.2
- authenticating with third-party services, 3.6.2
- global user authentication, 3.7.2
- object privileges, 4.5.3
- operating system accounts, care needed, 3.5
- session-based application contexts, accessing, 6.3.3.5
- database upgrades and CONNECT role, 10.10.2.1
- databases
-
- access control
-
- password encryption, 3.2.1
- additional security resources, 1.2
- authentication, 3.4
- database user and application user, 5.2.1
- default security features, summary, 1.1
- granting privileges, 4.6
- granting roles, 4.6
- limitations on usage, 2.4.1
- read-only mode, starting in, 9.5.3.4
- security and schemas, 5.7
- security embedded, advantages of, 5.2.2
- security policies based on, 7.1.2.1
- DATAPUMP_EXP_FULL_DATABASE role, 4.4.2
- DATAPUMP_IMP_FULL_DATABASE role, 4.4.2
- DBA role
-
- about, 4.4.2
- DBA_NETWORK_ACL_PRIVILEGES view, 4.11.8
- DBA_ROLE_PRIVS view
-
- application privileges, finding, 5.4
- DBCA
-
- See Database Configuration Assistant (DBCA)
- DBMS_APPLICATION_INFO.SET_CLIENT_INFO procedure
-
- DBMS_SESSION.SET_IDENTIFIER value, overwriting, 3.10.2.4
- DBMS_CRYPTO package
-
- about, 8.4
- encryption algorithms supported, 8.4
- examples, 8.6.1
- DBMS_FGA package
-
- about, 9.8.5.1
- ADD_POLICY procedure, 9.8.5.2
- DISABLE_POLICY procedure, 9.8.5.4
- DROP_POLICY procedure, 9.8.5.5
- ENABLE_POLICY procedure, 9.8.5.4
- DBMS_OBFUSCATION_TOOLKIT package
-
- backward compatibility, 8.4
- See also DBMS_CRYPTO package
- DBMS_RLS package
-
- about, 7.3.1
- DBMS_RLS.ADD_CONTEXT procedure, 7.3.1
- DBMS_RLS.ADD_GROUPED_POLICY procedure, 7.3.1
- DBMS_RLS.ADD_POLICY
-
- sec_relevant_cols parameter, 7.3.4.1
- sec_relevant_cols_opt parameter, 7.3.4.3
- DBMS_RLS.ADD_POLICY procedure
-
- about, 7.3.1
- DBMS_RLS.CREATE_POLICY_GROUP procedure, 7.3.1
- DBMS_RLS.DELETE_POLICY_GROUPS procedure, 7.3.1
- DBMS_RLS.DISABLE_GROUPED_POLICY procedure, 7.3.1
- DBMS_RLS.DROP_CONTEXT procedure, 7.3.1
- DBMS_RLS.DROP_GROUPED_POLICY procedure, 7.3.1
- DBMS_RLS.DROP_POLICY procedure, 7.3.1
- DBMS_RLS.ENABLE_GROUPED_POLICY procedure, 7.3.1
- DBMS_RLS.ENABLE_POLICY procedure, 7.3.1
- DBMS_RLS.REFRESH_GROUPED_POLICY procedure, 7.3.1
- DBMS_RLS.REFRESH_POLICY procedure, 7.3.1
- DBMS_SESSION package
-
- client identifiers, using, 3.10.2.4
- global application context, used in, 6.4.3
- SET_CONTEXT procedure
-
- about, 6.3.3.6
- application context name-value pair, setting, 6.3.3.1
- DBMS_SESSION.SET_CONTEXT procedure
-
- about, 6.3.3.6
- syntax, 6.3.3.6
- username and client_id settings, 6.4.3.2
- DBMS_SESSION.SET_IDENTIFIER procedure
-
- client session ID, setting, 6.4.1
- DBMS_APPLICATION_INFO.SET_CLIENT_INFO value, overwritten by, 3.10.2.4
- DBMS_SQLHASH encryption package
-
- about, 8.5.1
- GETHASH function, 8.5.2
- Using Default Auditing for Security-Relevant SQL Statements and Privileges, 9.4
- DBSNMP user account
-
- password usage, 10.5
- DDL
-
- See data definition language
- default passwords, 10.5
-
- change_on_install or manager passwords, 10.5
- changing, importance of, 3.2.3.2
- finding, 3.2.3.2
- default permissions, 10.6
- default profiles
-
- about, 3.2.3.3
- default roles
-
- setting for user, 2.2.8
- specifying, 4.10.2
- default user
-
- accounts, 10.3
- default users
-
- accounts, 10.3
- Enterprise Manager accounts, 10.3
- passwords, 10.5
- defaults
-
- tablespace quota, 2.2.5
- user tablespaces, 2.2.4
- definer's rights
-
- about, 4.5.6.2
- procedure privileges, used with, 4.5.6.2
- procedure security, 4.5.6.2
- secure application roles, 5.5.2
- DELETE privilege
-
- SQL statements permitted, 5.8.2
- DELETE_CATALOG_ROLE role
-
- about, 4.4.2
- SYS schema objects, enabling access to, 4.3.2.3
- Denial of Service (DoS) attacks
-
- audit trail, writing to operating system file, 9.5.3.4
- bad packets, preventing, 5.9.1
- networks, securing, 10.8.2
- dictionary protection mechanism, 4.3.2.1
- directory authentication, configuring for SYSDBA or SYSOPER access, 3.3.1.1
- directory-based services authentication, 3.6.2
- disabling unnecessary services
-
- FTP, TFTP, TELNET, 10.8.2
- dispatcher processes (Dnnn)
-
- limiting SGA space for each session, 2.4.2.5
- distributed databases
-
- auditing and, 9.1.3
- DML
-
- See data manipulation language
- driving context, 6.6
- DROP PROFILE statement
-
- example, 2.4.4.2
- DROP ROLE statement
-
- example, 4.4.6
- security domain, affected, 4.4.6
- DROP USER statement
-
- about, 2.5
- schema objects of dropped user, 2.5
- DUAL table
-
- about, 6.3.3.2
- dynamic Oracle Virtual Private Database policy types, 7.3.6.1
- DYNAMIC policy type, 7.3.6.1
E
- eavesdropping
-
- preventing by using SSL, 10.8.1
- See also security attacks
- EJBCLIENT role, 4.4.2
- encryption
-
- access control, 8.2.1
- backup media, reason why to encrypt, 3.2.4
- BLOBS, 8.3.6
- challenges, 8.3
- data security, problems not solved by, 8.2.3
- DBMS_CRYPTO encryption package, 8.4
- DBMS_CRYPTO package, 8.4
- deleted encrypted data, 10.6
- examples, 8.6.1
- finding information about, 8.7
- indexed data, 8.3.1
- key generation, 8.3.2
- key storage, 8.3.4
- key transmission, 8.3.3
- keys, changing, 8.3.5
- malicious database administrators, 8.2.2
- network data encryption, 10.8.2
- network traffic, 10.8.2
- problems not solved by, 8.2
- transparent data encryption, 8.3.4.4
- transparent tablespace encryption, 8.3.4.4
- enterprise directory service, 4.4.4.4
- Enterprise Edition, 10.5
- Enterprise Manager
-
- granting roles, 4.4.5
- statistics monitor, 2.4.3
- enterprise roles, 3.7, 4.4.4.4
- enterprise user management, 5.2.1
- Enterprise User Security
-
- application context, globally initialized, 6.3.7.2
- proxy authentication
-
- Oracle Virtual Private Database, how it works with, 7.5.5
- enterprise users
-
- centralized management, 3.7
- global role, creating, 4.4.4.4
- One Big Application User, compromised by, 5.2.1
- proxy authentication, 3.10.1
- shared schemas, protecting users, 5.7.2
- examples
-
- access control lists, 4.11.4
- account locking, 3.2.3.4
- data encryption
-
- encrypting and decrypting BLOB data, 8.6.3
- encrypting and decrypting procedure with AES 256-Bit, 8.6.2
- encrypting procedure, 8.6.1
- Java code to read passwords, 5.3.4
- locking an account with CREATE PROFILE, 3.2.3.4
- login attempt grace period, 3.2.3.6
- O7_DICTIONARY_ACCESSIBILITY initialization parameter, setting, 4.3.2.1
- passwords
-
- aging and expiration, 3.2.3.6
- changing, 2.3.1
- creating for user, 2.2.3
- privileges
-
- granting ADMIN OPTION, 4.6.1.1
- views, 4.12
- procedure privileges affecting packages, 4.5.6.4
- profiles, assigning to user, 2.2.7
- roles
-
- altering for external authorization, 4.4.3
- creating for application authorization, 4.4.4.2
- creating for external authorization, 4.4.4.3
- creating for password authorization, 4.4.3
- default, setting, 4.10.2
- views, 4.12
- secure external password store, 3.2.5.2
- session ID of user
-
- finding, 2.5
- terminating, 2.5
- standard auditing
-
- BY SESSION, 9.5.10.2.2
- system privilege and role, granting, 4.6.1
- tablespaces
-
- assigning default to user, 2.2.4
- quota, assigning to user, 2.2.5
- temporary, 2.2.6
- type creation, 4.5.7.5
- users
-
- account creation, 2.2.1
- creating with GRANT statement, 4.6.1.2
- dropping, 2.5
- middle-tier server proxying a client, 3.10.1.3
- naming, 2.2.2
- object privileges granted to, 4.6.2
- proxy user, connecting as, 3.10.1.3
- See also tutorials
- exceptions
-
- WHEN NO DATA FOUND, used in application context package, 6.3.5.3
- WHEN OTHERS, used in triggers
-
- development environment (debugging) example, 6.3.4
- production environment example, 6.3.4
- exclusive mode
-
- SHA-1 password hashing algorithm, enabling, 3.2.4
- EXECUTE privilege
-
- SQL statements permitted, 5.8.2
- EXECUTE_CATALOG_ROLE role
-
- about, 4.4.2
- SYS schema objects, enabling access to, 4.3.2.3
- execution time for statements, measuring, 7.3.6.1
- EXEMPT ACCESS POLICY privilege
-
- Oracle Virtual Private Database enforcements, exemption, 7.5.4.2
- EXP_FULL_DATABASE role
-
- about, 4.4.2
- expiring a password
-
- explicitly, 3.2.3.6
- exporting data
-
- direct path export impact on Oracle Virtual Private Database, 7.5.4.2
- policy enforcement, 7.5.4.2
- external authentication
-
- about, 3.8.1
- advantages, 3.8.2
- network, 3.8.5
- operating system, 3.8.4
- user creation, 3.8.3
- external network services, fine-grained access to
-
- See access control list (ACL)
- external tables, 10.6
F
- failed login attempts
-
- account locking, 3.2.3.4
- password management, 3.2.3.4
- resetting, 3.2.3.4
- features, new security
-
- See new features, security
- files
-
- BFILEs
-
- operating system access, restricting, 10.6
- BLOB, 8.3.6
- data
-
- operating system access, restricting, 10.6
- external tables
-
- operating system access, restricting, 10.6
- keys, 8.3.4.2
- listener.ora file
-
- guidelines for security, 10.8.2, 10.8.3
- log
-
- audit file location for Windows, 9.6.1
- audit file locations, 9.5.4.3
- operating system access, restricting, 10.6
- restrict listener access, 10.8.2
- server.key encryption file, 10.8.3
- symbolic links, restricting, 10.6
- tnsnames.ora, 10.8.3
- trace
-
- operating system access, restricting, 10.6
- fine-grained access control
-
- See Oracle Virtual Private Database (VPD)
- fine-grained auditing
-
- about, 9.8
- activities always recorded, 9.8.3
- adding alerts to policy, 9.8.5.3
- advantages, 9.8.1
- archiving audit trail, 9.9
- audit record locations, 9.2.1
- columns, specific, 9.8.5.2
- DBMS_FGA package, 9.8.5.1
- how to use, 9.8.1
- policies
-
- adding, 9.8.5.2
- disabling, 9.8.5.4
- dropping, 9.8.5.5
- enabling, 9.8.5.4
- privileges needed, 9.8.2
- records
-
- archiving, 9.8.4
- purging, 9.8.4
- See also SYS.FGA_LOG$ table
- firewalls
-
- advice about using, 10.8.2
- database server location, 10.8.2
- ports, 10.8.3
- supported types, 10.8.2
- flashback query
-
- auditing, used with, 9.3.1
- Oracle Virtual Private Database, how it works with, 7.5.3
- foreign keys
-
- privilege to use parent key, 4.5.4.2
- FTP service, 10.8.2
- functions
-
- PL/SQL
-
- privileges for, 4.5.6.1
- roles, 4.4.1.5
G
- GATHER_SYSTEM_STATISTICS role, 4.4.2
- global application contexts
-
- See application contexts, global
- global authentication
-
- about, 3.7
- advantages, 3.7.2
- user creation for private schemas, 3.7.1.1
- user creation for shared schemas, 3.7.1.2
- global authorization
-
- about, 3.7
- advantages, 3.7.2
- role creation, 4.4.4.4
- roles, 3.7
- global roles
-
- about, 4.4.4.4
- global users, 3.7
- GLOBAL_AQ_USER_ROLE role, 4.4.2
- grace period for login attempts
-
- example, 3.2.3.6
- grace period for password expiration, 3.2.3.6
- GRANT ALL PRIVILEGES statement
-
- SELECT ANY DICTIONARY privilege, exclusion of, 10.6
- GRANT ANY OBJECT PRIVILEGE system privilege, 4.6.2.2, 4.7.2.1
- GRANT ANY PRIVILEGE system privilege, 4.3.4
- GRANT CONNECT THROUGH clause
-
- for proxy authorization, 3.10.1.3
- GRANT statement, 4.6.1
-
- ADMIN OPTION, 4.6.1.1
- creating a new user, 4.6.1.2
- object privileges, 4.6.2, 5.8.1
- system privileges and roles, 4.6
- when takes effect, 4.10
- WITH GRANT OPTION, 4.6.2.1
- granting privileges and roles
-
- about, 4.3.3
- finding information about, 4.12
- specifying ALL, 4.5.2
- guidelines for security
-
- auditing, 10.9
- custom installation, 10.7
- data files and directories, 10.6
- encrypting sensitive data, 10.6
- installation and configuration, 10.7
- networking security, 10.8
- operating system accounts, limiting privileges, 10.6
- operating system users, limiting number of, 10.6
- Oracle home default permissions, disallowing modification, 10.6
- passwords, 10.5
- Secure Sockets Layer
-
- mode, 10.8.3
- TCPS protocol, 10.8.3
- symbolic links, restricting, 10.6
- user accounts and privileges, 10.3
H
- hackers
-
- See security attacks
- HS_ADMIN_ROLE role
-
- about, 4.4.2
- HTTPS
-
- port, correct running on, 10.8.3
I
- IMP_FULL_DATABASE role
-
- about, 4.4.2
- INDEX privilege
-
- SQL statements permitted, 5.8.2
- indexed data
-
- encryption, 8.3.1
- initialization parameters
-
- application protection, 5.9
- AUDIT_FILE_DEST, 9.2.2, 9.6.1
- AUDIT_SYS_OPERATIONS, 9.2.1, 9.6.1
- AUDIT_SYSLOG_LEVEL, 9.2.1, 9.6.2.3
- AUDIT_TRAIL
-
- about, 9.5.3.3
- using, 9.5.3.4
- current value, checking, 9.5.3.3
- FAILED_LOGIN_ATTEMPTS, 3.2.3.3
- MAX_ENABLED_ROLES, 4.10.3
- O7_DICTIONARY_ACCESSIBILITY, 4.3.2.1
- OS_AUTHENT_PREFIX, 3.8.1
- OS_ROLES, 4.4.4.3.1
- PASSWORD_GRACE_TIME, 3.2.3.3, 3.2.3.6
- PASSWORD_LIFE_TIME, 3.2.3.3, 3.2.3.6
- PASSWORD_LOCK_TIME, 3.2.3.3, 3.2.3.4
- PASSWORD_REUSE_MAX, 3.2.3.3, 3.2.3.5
- PASSWORD_REUSE_TIME, 3.2.3.3, 3.2.3.5
- REMOTE_OS_AUTHENT, 10.8.1
- RESOURCE_LIMIT, 2.4.4
- SEC_CASE_SENSITIVE_LOGIN, 3.2.3.8
- SEC_MAX_FAILED_LOGIN_ATTEMPTS, 5.9.3
- SEC_PROTOCOL_ERROR_FURTHER_ACTION, 5.9.2
- SEC_PROTOCOL_ERROR_TRACE_ACTION, 5.9.1
- SEC_RETURN_SERVER_RELEASE_BANNER, 5.9.4
- SEC_USER_AUDIT_ACTION_BANNER, 5.9.5
- SEC_USER_UNAUTHORIZED_ACCESS_BANNER, 5.9.5
- INSERT privilege
-
- granting, 4.6.2.3
- revoking, 4.7.2.2
- SQL statements permitted, 5.8.2
- installation
-
- guidelines for security, 10.7
- intruders
-
- See security attacks
- invoker's rights
-
- about, 4.5.6.2
- procedure privileges, used with, 4.5.6.2
- procedure security, 4.5.6.2
- secure application roles, 5.5.2
- secure application roles, requirement for enabling, 5.5.2
- IP addresses
-
- falsifying, 10.8.2
- guidelines for security, 10.8.1
J
- JAVA_ADMIN role, 4.4.2
- JAVA_DEPLOY role, 4.4.2
- JAVADEBUGPRIV role, 4.4.2
- JAVAIDPRIV role, 4.4.2
- JAVASYSPRIV role, 4.4.2
- JAVAUSERPRIV role, 4.4.2
- JDBC
-
- proxy authentication
-
- Oracle Virtual Private Database, how it works with, 7.5.5
- JDBC (thick or thin)
-
- proxy authentication with real user, 3.10.1.5
- JDBC (thick)
-
- proxy authentication, 3.10.1
- JMXSERVER role, 4.4.2
K
- Kerberos authentication, 3.6.2
-
- configuring for SYSDBA or SYSOPER access, 3.3.1.2
- password management, 10.5
- key generation
-
- encryption, 8.3.2
- key storage
-
- encryption, 8.3.4
- key transmission
-
- encryption, 8.3.3
L
- LBAC_DBA role, 4.4.2
- least privilege principle, 10.3
-
- about, 10.3
- granting user privileges, 10.3
- middle-tier privileges, 3.10.1.6
- lightweight users
-
- example using a global application context, 6.4.5
- Lightweight Directory Access Protocol (LDAP), 7.4.2.7
- listener
-
- not an Oracle owner, 10.8.2
- preventing online administration, 10.8.2
- restrict privileges, 10.8.2
- secure administration, 10.8.2
- listener.ora file
-
- administering remotely, 10.8.2
- default location, 10.8.3
- online administration, preventing, 10.8.2
- TCPS, securing, 10.8.3
- LOBS
-
- auditing, 9.8.1
- lock and expire
-
- default accounts, 10.3
- predefined user accounts, 10.3
- log files
-
- auditing, default location, 9.5.4.3
- owned by trusted user, 10.6
- Windows Event Viewer, 9.6.1
- logical reads limit, 2.4.2.4
- logon triggers
-
- examples, 6.3.4
- externally initialized application contexts, 6.3.4
- secure application roles, 4.4.8
- LOGSTDBY_ADMINISTRATOR role, 4.4.2
M
- malicious database administrators
-
- See also security attacks
- manager default password, 10.5
- mandatory auditing, 9.2.3
- MAX_ENABLED_ROLES initialization parameter
-
- enabling roles and, 4.10.3
- memory
-
- users, viewing, 2.6.5
- methods
-
- privileges on, 4.5.7
- MGMT_USER role, 4.4.2
- middle-tier systems
-
- auditing real user actions, 3.10.1.10
- client identifiers, 3.10.2.1
- enterprise user connections, 3.10.1.9.2
- password-based proxy authentication, 3.10.1.9.1
- privileges, limiting, 3.10.1.6
- proxies authenticating users, 3.10.1.7
- proxying but not authenticating users, 3.10.1.8
- reauthenticating user to database, 3.10.1.9
- USERENV namespace attributes, accessing, 6.3.6.3
- monitoring user actions
-
- See also auditing, standard auditing, fine-grained auditing
- multiplex multiple-client network sessions, 10.8.2
N
- Net8
-
- See Oracle Net
- network auditing
-
- about, 9.5.11
- disabling, 9.5.11.3
- network authentication
-
- external authentication, 3.8.5
- guidelines for securing, 10.5
- roles, granting using, 4.9
- Secure Sockets Layer, 3.6.1
- smart cards, 10.5
- third-party services, 3.6.2
- token cards, 10.5
- X.509 certificates, 10.5
- network connections
-
- Denial of Service attacks, addressing, 10.8.2
- guidelines for security, 10.8, 10.8.1, 10.8.2
- securing, 10.8.2
- network IP addresses
-
- guidelines for security, 10.8.2
- new features, security, Preface
- NOAUDIT statement
-
- audit options, disabling, 9.5.3.6
- default object audit options, disabling, 9.5.9.4
- network auditing, disabling, 9.5.11.3
- object auditing, disabling, 9.5.9.4
- privilege auditing, disabling, 9.5.7.3
- statement auditing, disabling, 9.5.6.3
O
- O7_DICTIONARY_ACCESSIBILITY initialization parameter
-
- about, 4.3.2.1
- auditing privileges on SYS objects, 9.5.2
- data dictionary protection, 10.6
- default setting, 10.6
- securing data dictionary with, 4.3.2.1
- object auditing
-
- disabling, 9.5.9.4
- enabling, 9.5.9.3
- object columns
-
- auditing, 9.8.1
- object privileges, 10.3
-
- about, 4.5.3
- granting on behalf of the owner, 4.6.2.2
- managing, 5.8
- revoking, 4.7.2
- revoking on behalf of owner, 4.7.2.1
- schema object privileges, 4.5.3
- See also schema object privileges
- objects
-
- applications, managing privileges in, 5.8
- granting privileges, 5.8.2
- privileges
-
- applications, 5.8.1
- managing, 4.5.7
- protecting in shared schemas, 5.7.2
- protecting in unique schemas, 5.7.1
- SYS schema, access to, 4.3.2.3
- OEM_ADVISOR role, 4.4.2
- OEM_MONITOR role, 4.4.2
- OLAP_DBA role, 4.4.2
- OLAP_USER role, 4.4.2
- OLAP_XS_ADMIN role, 4.4.2
- OLAPI_TRACE_USER role, 4.4.2
- One Big Application User
-
- about, 7.5.5
- application context, global, 7.5.5
- global application contexts, 6.4.1
- global application contexts, nondatabase, 6.4.3.5
- Oracle Virtual Private Database, how it works with, 7.5.5
- operating systems
-
- accounts, 4.9.2
- authentication
-
- about, 3.5
- advantages, 3.5
- disadvantages, 3.5
- roles, using, 4.9
- authentication, external, 3.8.4
- default permissions, 10.6
- enabling and disabling roles, 4.9.5
- operating system account privileges, limiting, 10.6
- role identification, 4.9.2
- roles and, 4.4.1.7
- roles, granting using, 4.9
- users, limiting number of, 10.6
- Oracle Advanced Security
-
- network authentication services, 10.5
- network traffic encryption, 10.8.2
- user access to application schemas, 5.7.2
- Oracle Call Interface (OCI)
-
- application contexts, client session-based, 6.5.1
- proxy authentication, 3.10.1
-
- Oracle Virtual Private Database, how it works with, 7.5.5
- proxy authentication with real user, 3.10.1.5
- security-related initialization parameters, 5.9
- Oracle Connection Manager
-
- securing client networks with, 10.8.2
- Oracle Enterprise Security Manager
-
- role management with, 3.6.2
- Oracle home
-
- default permissions, disallowing modification, 10.6
- Oracle Internet Directory (OID)
-
- authenticating with directory-based service, 3.6.2
- SYSDBA and SYSOPER access, controlling, 3.3.1
- Oracle Java Virtual Machine (OJVM)
-
- permissions, restricting, 10.3
- Oracle Label Security (OLS)
-
- Oracle Virtual Private Database, using with, 7.5.4.1
- Oracle Net
-
- firewall support, 10.8.2
- Oracle Technology Network
-
- security alerts, 10.2.1
- Oracle Virtual Private Database (VPD)
-
- about, 7.1.1
- application contexts
-
- tutorial, 7.4.2
- used with, 7.1.3
- applications
-
- how it works with, 7.5.1
- users who are database users, how it works with, 7.5.5
- applications using for security, 5.2.2
- automatic reparsing, how it works with, 7.5.2
- benefits, 7.1.2
- column level, 7.3.4.1
- column masking behavior
-
- enabling, 7.3.4.3
- restrictions, 7.3.4.3
- column-level display, 7.3.4.1
- components, 7.2
- configuring, 7.3
- cursors, shared, 7.1.3
- Enterprise User Security proxy authentication, how it works with, 7.5.5
- exporting data, 7.5.4.2
- finding information about, 7.6
- flashback query, how it works with, 7.5.3
- function
-
- components, 7.2.1
- JDBC proxy authentication, how it works with, 7.5.5
- OCI proxy authentication, how it works with, 7.5.5
- One Big Application User, how it works with, 7.5.5
- Oracle Label Security
-
- exceptions in behavior, 7.5.4.2
- using with, 7.5.4.1
- performance benefit, 7.1.2.2
- policies, Oracle Virtual Private Database
-
- about, 7.3.1
- applications, validating, 7.3.5.5
- attaching to database object, 7.3.2
- column display, 7.3.4.1
- column-level display, default, 7.3.4.2
- dynamic, 7.3.6.1
- multiple, 7.3.5.4
- optimizing performance, 7.3.6
- SQL statements, specifying, 7.3.3
- policy groups
-
- about, 7.3.5.1
- benefits, 7.3.5.1
- creating, 7.3.5.2
- default, 7.3.5.3
- tutorial, implementation, 7.4.3
- policy types
-
- context sensitive, about, 7.3.6.5
- context sensitive, when to use, 7.3.6.7
- DYNAMIC, 7.3.6.1
- shared context sensitive, about, 7.3.6.6
- shared context sensitive, when to use, 7.3.6.7
- shared static, about, 7.3.6.3
- shared static, when to use, 7.3.6.4
- static, about, 7.3.6.2
- static, when to use, 7.3.6.4
- summary of features, 7.3.6.8
- tutorial, simple, 7.4.1
- user models, 7.5.5
- Web-based applications, how it works with, 7.5.5
- Oracle Wallet Manager
-
- X.509 Version 3 certificates, 3.6.2
- Oracle wallets
-
- authentication method, 3.6.2
- Oracle Warehouse Builder
-
- roles, predefined, 4.4.2
- OracleMetaLink
-
- security patches, downloading, 10.2.1
- ORAPWD password utility
-
- case sensitivity in passwords, 3.2.3.8
- password file authentication, 3.3.3
- permissions to run, 3.3.3
- ORDADMIN role, 4.4.2
- OS_ROLES initialization parameter
-
- operating system role grants, 4.9.5
- operating-system authorization and, 4.4.4.3.1
- REMOTE_OS_ROLES and, 4.9.6
- using, 4.9.2
- OWB$CLIENT role, 4.4.2
- OWB_DESIGNCENTER_VIEW role, 4.4.2
- OWB_USER role, 4.4.2
P
- packages
-
- auditing, 9.5.9.1
- examples, 4.5.6.4
- examples of privilege use, 4.5.6.4
- privileges
-
- divided by construct, 4.5.6.4
- executing, 4.5.6.1, 4.5.6.4
- parallel execution servers, 6.3.3.4
- parallel query, and SYS_CONTEXT, 6.3.3.4
- pass phrase
-
- read and parse server.key file, 10.8.3
- password files, 3.3.3
- PASSWORD statement
-
- about, 2.3.1
- PASSWORD_LIFE_TIME initialization parameter, 3.2.3.6
- PASSWORD_LOCK_TIME initialization parameter, 3.2.3.4
- PASSWORD_REUSE_MAX initialization parameter, 3.2.3.5
- PASSWORD_REUSE_TIME initialization parameter, 3.2.3.5
- passwords
-
- about managing, 3.2.3.1
- account locking, 3.2.3.4, 3.2.3.4
- administrator
-
- authenticating with, 3.3.3
- guidelines for securing, 10.5
- aging and expiration, 3.2.3.6
- ALTER PROFILE statement, 3.2.3.1
- altering, 2.3.1
- application design guidelines, 5.3.1.2
- applications, strategies for protecting passwords, 5.3
- brute force attacks, 3.2.1
- case sensitivity setting, SEC_CASE_SENSITIVE_LOGIN, 3.2.3.8
- case sensitivity, configuring, 3.2.3.8
- changing for roles, 4.4.3
- complexity verification
-
- about, 3.2.3.7
- guidelines for security, 10.5
- complexity, guidelines for enforcing, 10.5
- connecting without, 3.5
- CREATE PROFILE statement, 3.2.3.1
- danger in storing as clear text, 10.5
- database user authentication, 3.4.1
- default profile settings
-
- about, 3.2.3.3
- enabling using DBCA, 3.2.3.3
- enabling using SQL statements, 3.2.3.3
- default user account, 10.5
- default, finding, 3.2.3.2
- delays for incorrect passwords, 3.2.1
- duration, 10.5
- encrypting, 3.2.1, 10.5
- examples of creating, 3.2.2
- expiring
-
- explicitly, 3.2.3.6
- procedure for, 3.2.3.6
- proxy account passwords, 3.10.1.3
- with grace period, 3.2.3.6
- failed logins, resetting, 3.2.3.4
- grace period, example, 3.2.3.6
- guidelines for security, 10.5
- history, 3.2.3.5, 3.2.3.5, 10.5
- Java code example to read passwords, 5.3.4
- length, 10.5
- lifetime for, 3.2.3.6
- lock time, 3.2.3.4
- management rules, 10.5
- managing, 3.2.3
- maximum reuse time, 3.2.3.5
- ORAPWD password utility, 3.2.3.8
- password complexity verification, 3.2.3.7
- password file risks, 3.3.3
- PASSWORD_LOCK_TIME initialization parameter, 3.2.3.4
- PASSWORD_REUSE_MAX initialization parameter, 3.2.3.5
- PASSWORD_REUSE_TIME initialization parameter, 3.2.3.5
- policies, 3.2.3
- privileges for changing for roles, 4.4.3
- privileges to alter, 2.3
- protections, built-in, 3.2.1
- proxy authentication, 3.10.1.9.1
- requirements, 3.2.2
- reusing, 3.2.3.5, 10.5
- reusing passwords, 3.2.3.5
- roles, 4.4.4.1
- secure external password store, 3.2.5.1
- security risks, 3.3.3
- SYS and SYSTEM, 10.5, 10.5
- used in roles, 4.4.1.2
- UTLPWDMG.SQL password script
-
- password management, 3.2.3.7
- verified using SHA-1 hashing algorithm, 3.2.4, 3.2.4
- See also authentication
- performance
-
- application contexts, 6.1
- Oracle Virtual Private Database policies, 7.1.2.2
- Oracle Virtual Private Database policy types, 7.3.6
- resource limits and, 2.4.1
- permissions
-
- default, 10.6
- run-time facilities, 10.3
- PKI
-
- See public key infrastructure (PKI)
- PL/SQL
-
- auditing of statements within, 9.5.3.1
- roles in procedures, 4.4.1.5
- PL/SQL procedures
-
- setting application context, 6.3.3.1
- PMON background process
-
- application contexts, cleaning up, 6.3.1
- positional parameters
-
- security risks, 5.3.1.4
- principle of least privilege, 10.3
-
- about, 10.3
- granting user privileges, 10.3
- middle-tier privileges, 3.10.1.6
- privileges
-
- about, 4.1
- access control lists, checking, 4.11.8
- altering
-
- passwords, 2.3.1
- users, 2.3
- altering role authentication method, 4.4.3
- applications, managing, 5.4
- auditing system, 9.5.7.2
- auditing use of, 9.5.7, 9.5.7.2
- auditing, recommended settings for, 10.9.5
- cascading revokes, 4.7.3
- column, 4.6.2.3
- creating users, 2.2.1
- dropping profiles, 2.4.4.2
- finding information about, 4.12
- granting
-
- about, 4.3.3, 4.6
- examples, 4.5.6.4, 4.5.6.4
- object privileges, 4.6.2
- schema object privileges, 4.5.3.1
- system, 4.6.1
- system privileges, 4.6
- grants, listing, 4.12.1
- grouping with roles, 4.4
- managing, 5.8
- middle tier, 3.10.1.6
- object, 4.5.1, 4.5.2, 5.8.2
- on selected columns, 4.7.2.2
- procedures, 4.5.6.1
-
- creating and altering, 4.5.6.3
- executing, 4.5.6.1
- in packages, 4.5.6.4
- reasons to grant, 4.2
- revoking privileges
-
- about, 4.3.3
- object, 4.7.2
- object privileges, cascading effect, 4.7.3.2
- object privileges, requirements for, 4.7.2
- schema object, 4.5.3.1
- revoking system privileges, 4.7.1
- roles
-
- creating, 4.4.3
- dropping, 4.4.6
- restrictions on, 4.4.1.6
- roles, why better to grant, 4.2
- schema object, 4.5.3
-
- DML and DDL operations, 4.5.4
- granting and revoking, 4.5.3.1
- packages, 4.5.6.4
- procedures, 4.5.6.1
- SQL statements permitted, 5.8.2
- system
-
- granting and revoking, 4.3.3
- SELECT ANY DICTIONARY, 10.6
- SYSTEM and OBJECT, 10.3
- system privileges
-
- about, 4.3.1
- trigger privileges, 4.5.6.2
- view privileges
-
- creating a view, 4.5.5.2
- using a view, 4.5.5.3
- views, 4.5.5.1
- See also system privileges.
- procedures
-
- auditing, 9.5.9.1, 9.5.9.2
- definer's rights
-
- about, 4.5.6.2
- roles disabled, 4.4.1.5.1
- examples of, 4.5.6.4
- examples of privilege use, 4.5.6.4
- invoker's rights
-
- about, 4.5.6.2
- roles used, 4.4.1.5.2
- privileges for procedures
-
- create or alter, 4.5.6.3
- executing, 4.5.6.1
- executing in packages, 4.5.6.4
- security enhanced by, 4.5.6.2
- process monitor process (PMON)
-
- cleans up timed-out sessions, 2.4.2.5
- PRODUCT_USER_PROFILE table, 4.4.7.2
-
- SQL commands, disabling with, 4.4.7.2
- products and options
-
- install only as necessary, 10.7
- profiles, 2.4.4
-
- about, 2.4.4
- creating, 2.4.4.1
- dropping, 2.4.4.2, 2.4.4.2
- finding information about, 2.6.1
- managing, 2.4.4
- password management, 3.2.3.1
- privileges for dropping, 2.4.4.2
- specifying for user, 2.2.7
- viewing, 2.6.4
- program global area (PGA)
-
- effect of MAX_ENABLED_ROLES on, 4.10.3
- proxy authentication
-
- about, 3.10.1, 3.10.1.1
- advantages, 3.10.1.2
- auditing actions on behalf of real user, 3.10.1.10
- auditing operations, 3.9.1
- client-to-middle tier sequence, 3.10.1.5.1
- middle-tier
-
- authorizing but not authenticating users, 3.10.1.8
- authorizing to proxy and authenticate users, 3.10.1.7
- limiting privileges, 3.10.1.6
- reauthenticating users, 3.10.1.9
- passwords, expired, 3.10.1.3
- secure external password store, used with, 3.10.1.4
- security benefits, 3.10.1.2
- users, passing real identity of, 3.10.1.5
- PROXY_USER attribute, 6.3.6.3
- PROXY_USERS view, 3.10.1.3
- pseudo columns
-
- USER, 4.5.5.3
- PUBLIC
-
- procedures and, 4.8
- user group, 4.8
- public key infrastructure (PKI)
-
- about, 3.6.2
- PUBLIC privilege
-
- guidelines for security, 10.3
- PUBLIC user group
-
- about, 4.4.1.4
- granting and revoking privileges to, 4.8
- security domain of users, 4.4.1.4
- security guideline, 10.3
- PUBLIC_DEFAULT profile
-
- profiles, dropping, 2.4.4.2
Q
- quotas
-
- revoking from users, 2.2.5.1
- setting to zero, 2.2.5.1
- tablespace, 2.2.5
- temporary segments and, 2.2.5
- unlimited, 2.2.5.2
- viewing, 2.6.3
R
- RADIUS authentication, 3.6.2
- read-only mode, effect on AUDIT_TRAIL parameter, 9.5.3.4
- reads
-
- limits on data blocks, 2.4.2.4
- RECOVERY_CATALOG_OWNER role
-
- about, 4.4.2
- REFERENCES privilege
-
- CASCADE CONSTRAINTS option, 4.7.2.3
- revoking, 4.7.2.2, 4.7.2.3
- SQL statements permitted, 5.8.2
- when granted through a role, 4.4.1.6
- remote authentication, 10.8.1, 10.8.1
- REMOTE_OS_AUTHENT initialization parameter
-
- guideline for securing, 10.8.1
- setting, 3.8.4
- remote_os_authentication, 10.8.1
- REMOTE_OS_ROLES initialization parameter
-
- OS role management risk on network, 4.9.6
- setting, 4.4.4.3.2
- resource limits
-
- about, 2.4.1
- call level, limiting, 2.4.2.2
- connection time for each session, 2.4.2.5
- CPU time, limiting, 2.4.2.3
- determining values for, 2.4.3
- idle time in each session, 2.4.2.5
- logical reads, limiting, 2.4.2.4
- private SGA space for each session, 2.4.2.5
- profiles, 2.4.4, 2.4.4
- session level, limiting, 2.4.2.1
- sessions
-
- concurrent for user, 2.4.2.5
- elapsed connection time, 2.4.2.5
- idle time, 2.4.2.5
- SGA space, 2.4.2.5
- types, 2.4.2
- RESOURCE privilege
-
- CREATE SCHEMA statement, needed for, 5.7.1
- RESOURCE role, 4.5.7.1
-
- about, 4.4.2
- REVOKE CONNECT THROUGH clause
-
- revoking proxy authorization, 3.10.1.3
- REVOKE statement
-
- system privileges and roles, 4.7.1
- when takes effect, 4.10
- revoking privileges and roles
-
- cascading effects, 4.7.3
- on selected columns, 4.7.2.2
- REVOKE statement, 4.7.1
- specifying ALL, 4.5.2
- when using operating-system roles, 4.9.4
- role identification
-
- operating system accounts, 4.9.2
- ROLE_SYS_PRIVS view
-
- application privileges, 5.4
- ROLE_TAB_PRIVS view
-
- application privileges, finding, 5.4
- roles
-
- about, 4.1, 4.4.1
- ADMIN OPTION and, 4.6.1.1
- advantages in application use, 5.4
- application, 4.4.1.3.1, 4.4.7, 5.6, 5.6, 5.8
- application privileges, 5.4
- applications, for user, 5.6
- AQ_ADMINISTRATOR_ROLE role, 4.4.2
- AQ_USER_ROLE role, 4.4.2
- audited when default auditing is enabled, 9.4
- AUTHENTICATEDUSER role, 4.4.2
- authorization, 4.4.4
- authorized by enterprise directory service, 4.4.4.4
- changing authorization for, 4.4.3
- changing passwords, 4.4.3
- CONNECT role
-
- about, 4.4.2
- create your own, 10.4
- CSW_USR_ROLE role, 4.4.2
- CTXAPP role, 4.4.2
- CWM_USER role, 4.4.2
- database authorization, 4.4.4.1
- database role, users, 5.6.1
- DATAPUMP_EXP_FULL_DATABASE role, 4.4.2
- DATAPUMP_IMP_FULL_DATABASE role, 4.4.2
- DBA role, 4.4.2
- DDL statements and, 4.4.1.6
- default, 4.10.2
- default, setting for user, 2.2.8
- definer's rights procedures disable, 4.4.1.5.1
- DELETE_CATALOG_ROLE role, 4.4.2
- dependency management in, 4.4.1.6
- disabling, 4.10.1
- dropping, 4.4.6
- EJBCLIENT role, 4.4.2
- enabled or disabled, 4.4.1.1, 4.4.5
- enabling, 4.10.1, 5.6
- enterprise, 3.7, 4.4.4.4
- EXECUTE_CATALOG_ROLE role, 4.4.2
- EXP_FULL_DATABASE role, 4.4.2
- finding information about, 4.12
- functionality, 4.2
- functionality of, 4.4.1.1
- GATHER_SYSTEM_STATISTICS role, 4.4.2
- global, 3.7
- global authorization, 4.4.4.4
-
- about, 4.4.4.4
- global roles
-
- creating, 4.4.4.4
- GLOBAL_AQ_USER_ROLE role, 4.4.2
- GRANT statement, 4.9.5
- granting roles
-
- about, 4.6
- methods for, 4.4.5
- system, 4.6.1
- system privileges, 4.3.3
- guidelines for security, 10.4
- HS_ADMIN_ROLE role, 4.4.2
- IMP_FULL_DATABASE role, 4.4.2
- in applications, 4.4.1.2
- invoker's rights procedures use, 4.4.1.5.2
- JAVA_ADMIN role, 4.4.2
- JAVA_DEPLOY role, 4.4.2
- JAVADEBUGPRIV role, 4.4.2
- JAVAIDPRIV role, 4.4.2
- JAVASYSPRIV role, 4.4.2
- JAVAUSERPRIV role, 4.4.2
- JMXSERVER role, 4.4.2
- job responsibility privileges only, 10.4
- LBAC_DBA role, 4.4.2
- listing grants, 4.12.2
- listing privileges and roles in, 4.12.6
- listing roles, 4.12.5
- LOGSTDBY_ADMINISTRATOR role, 4.4.2
- management using the operating system, 4.9
- managing roles
-
- about, 4.4
- categorizing users, 5.8
- managing through operating system, 4.4.1.7
- maximum, 4.10.3
- MGMT_USER role, 4.4.2
- multibyte characters in names, 4.4.3
- multibyte characters in passwords, 4.4.4.1
- naming, 4.4.1
- network authorization, 4.4.4.3.2
- network client authorization, 4.4.4.3.2
- OEM_ADVISOR role, 4.4.2
- OEM_MONITOR role, 4.4.2
- OLAP_DBA role, 4.4.2
- OLAP_USER role, 4.4.2
- OLAP_XS_ADMIN role, 4.4.2
- OLAPI_TRACE_USER role, 4.4.2
- One Big Application User, compromised by, 5.2.1
- operating system, 4.9.2
- operating system authorization, 4.4.4.3.1
- operating system granting of, 4.9.5
- operating system identification of, 4.9.2
- operating system management and the shared server, 4.9.6
- operating system-managed, 4.9.3, 4.9.4
- operating-system authorization, 4.4.4.3
- ORDADMIN role, 4.4.2
- OWB$CLIENT role, 4.4.2
- OWB_DESIGNCENTER_VIEW role, 4.4.2
- OWB_USER role, 4.4.2
- passwords for enabling, 4.4.4.1
- predefined, 4.4.2
- privileges for creating, 4.4.3
- privileges for dropping, 4.4.6
- privileges, changing authorization method for, 4.4.3
- privileges, changing passwords, 4.4.3
- RECOVERY_CATALOG_OWNER role, 4.4.2
- RESOURCE role, 4.4.2
- restricting from tool users, 4.4.7
- restrictions on privileges of, 4.4.1.6
- REVOKE statement, 4.9.5
- revoking, 4.4.5, 4.7.1
- revoking ADMIN OPTION, 4.7.1
- SCHEDULER_ADMIN role, 4.4.2
- schemas do not contain, 4.4.1
- security domains of, 4.4.1.4
- SELECT_CATALOG_ROLE role, 4.4.2
- SET ROLE statement, 4.9.5
- setting in PL/SQL blocks, 4.4.1.5.2
- SPATIAL_CSW_ADMIN role, 4.4.2
- SPATIAL_WFS_ADMIN role, 4.4.2
- unique names for, 4.4.3
- use of passwords with, 4.4.1.2
- user, 4.4.1.3.2, 5.8
- users capable of granting, 4.4.5.1
- uses of, 4.4.1.3
- WFS_USR_ROLE role, 4.4.2
- WITH GRANT OPTION and, 4.6.2.1
- without authorization, 4.4.3
- WKUSER role, 4.4.2
- WM_ADMIN_ROLE role, 4.4.2
- XDB_SET_INVOKER roles, 4.4.2
- XDB_WEBSERVICES role, 4.4.2
- XDB_WEBSERVICES_OVER_HTTP role, 4.4.2
- XDB_WEBSERVICES_WITH_PUBLIC role, 4.4.2
- XDBADMIN role, 4.4.2
- See also secure application roles
- root file paths
-
- for files and packages outside the database, 10.3
- row-level security
-
- See fine-grained access control, Oracle Virtual Private Database (VPD)
- RSA private key, 10.8.3
- run-time facilities, 10.3
-
- restriction permissions, 10.3
S
- Sample Schemas
-
- remove or relock for production, 10.7
- test database, 10.7
- sample schemas, 10.7
- Sarbanes-Oxley Act
-
- auditing to meet compliance, 9.4, 10.9.1
- scheduler jobs and CREATE EXTERNAL JOB privilege, 4.3.2.2
- SCHEDULER_ADMIN role
-
- about, 4.4.2
- schema object privileges, 4.5.3
- schema objects
-
- audit options, disabling, 9.5.9.4
- auditing, 9.5.9
- cascading effects on revoking, 4.7.3.2
- default audit options, 9.5.9.3
- default tablespace for, 2.2.4
- disabling audit options, 9.5.7.3
- dropped users, owned by, 2.5
- enabling audit options on, 9.5.9.3
- granting privileges, 4.6.2
- in a revoked tablespace, 2.2.5.1
- privileges
-
- DML and DDL operations, 4.5.4
- granting and revoking, 4.5.3.1
- view privileges, 4.5.5.1
- privileges on, 4.5.3
- privileges to access, 4.5.2
- privileges with, 4.5.2
- revoking privileges, 4.7.2
- schema-independent users, 5.7.2
- schemas
-
- auditing, recommended settings for, 10.9.5
- private, 3.7.1.1
- shared among enterprise users, 3.7.1.2
- shared, protecting objects in, 5.7.2
- unique, 5.7
- unique, protecting objects in, 5.7.1
- SCOTT user account
-
- restricting privileges of, 10.4
- script files
-
- audit trail views, removing, 9.10.3
- CATNOAUD.SQL, 9.10.3
- scripts, authenticating users in, 3.2.5.1
- SEC_CASE_SENSITIVE_LOGIN initialization parameter, 3.2.3.8
- SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, 5.9.3
- SEC_PROTOCOL_ERROR_FURTHER_ACTION initialization parameter, 5.9.2
- SEC_PROTOCOL_ERROR_TRACE_ACTION initialization parameter, 5.9.1
- sec_relevant_cols_opt parameter, 7.3.4.3
- SEC_RETURN_SERVER_RELEASE_BANNER initialization parameter, 5.9.4
- SEC_USER_AUDIT_ACTION_BANNER initialization parameter, 5.9.5
- SEC_USER_UNAUTHORIZED_ACCESS_BANNER initialization parameter, 5.9.5
- secure application roles
-
- about, 5.5
- creating, 5.5.1
- creating PL/SQL package, 5.5.2
- finding with DBA_ROLES view, 4.12
- invoker's rights, 5.5.2
- invoker's rights requirement, 5.5.2
- package for, 5.5.2
- SET ROLE statement, 5.5.2
- user environment information from SYS_CONTEXT SQL function, 5.5.2, 5.5.2
- using to ensure database connection, 4.4.8
- secure external password store
-
- about, 3.2.5.1
- client configuration, 3.2.5.3
- examples, 3.2.5.2
- how it works, 3.2.5.2
- proxy authentication, used with, 3.10.1.4
- Secure Sockets Layer (SSL)
-
- about, 3.6.1
- certificate key algorithm, 10.8.3
- certificates, enabling for user and server, 10.8.1
- cipher suites, 10.8.3
- configuration files, securing, 10.8.3
- configuring for SYSDBA or SYSOPER access, 3.3.1.3
- global users with private schemas, 3.7.1.1
- guidelines for security, 10.8.3, 10.8.3
- listener, administering, 10.8.2
- mode, 10.8.3
- pass phrase, 10.8.3
- RSA private key, 10.8.3
- securing SSL connection, 10.8.3
- server.key file, 10.8.3
- TCPS, 10.8.3
- security
-
- application enforcement of, 4.4.1.2
- default user accounts
-
- locked and expired automatically, 10.3
- locking and expiring, 10.3
- domains, enabled roles and, 4.4.5
- enforcement in application, 5.2.2
- enforcement in database, 5.2.2
- multibyte characters in role names, 4.4.3
- multibyte characters in role passwords, 4.4.4.1
- passwords, 3.4.1
- policies
-
- applications, 5.1
- SQL*Plus users, restricting, 4.4.7
- tables or views, 7.1.2.1
- procedures enhance, 4.5.6.2
- resources, additional, 1.2
- roles, advantages in application use, 5.4
- See also security risks
- security alerts, 10.2.1
- security attacks
-
- access to server after protocol errors, preventing, 5.9.2
- application context values, attempts to change, 6.3.2
- application design to prevent attacks, 5.3
- command line recall attacks, 5.3.1.1, 5.3.1.4
- Denial of Service, 10.8.2
-
- bad packets, addressing, 5.9.1
- Denial of Service attacks through listener, 10.8.2
- disk flooding, preventing, 5.9.1
- eavesdropping, preventing by using SSL, 10.8.1
- encryption, problems not solved by, 8.2.2
- falsified IP addresses, 10.8.1
- falsified or stolen client system identities, 10.8.1
- hacked operating systems or applications, 10.8.1
- intruders, 8.2.2
- password cracking, 3.2.1
- password protections against, 3.2.1
- preventing malicious attacks from clients, 5.9
- preventing password theft with proxy authentication and secure external password store, 3.10.1.4
- session ID, need for encryption, 6.4.4.3
- shoulder surfing, 5.3.1.4
- SQL injection attacks, 5.3.1.2
- unlimited authenticated requests, preventing, 5.9.3
- user session output, hiding from intruders, 6.3.4
- See also security risks
- security domains
-
- enabled roles and, 4.4.1.1
- security patches
-
- about, 10.2.1
- downloading, 10.2.1
- security policies
-
- See Oracle Virtual Private Database, policies
- security risks
-
- ad hoc tools, 4.4.7.1, 4.4.7.1
- application users not being database users, 5.2.1
- applications enforcing rather than database, 5.2.2
- audit records being tampered with, 9.6.2.1
- bad packets to server, 5.9.1
- database version displaying, 5.9.4
- encryption keys, users managing, 8.3.4.3
- password files, 3.3.3
- passwords exposed in large deployments, 3.2.5.1
- passwords, exposing in programs or scripts, 5.3.1.4
- positional parameters in SQL scripts, 5.3.1.4
- privileges carelessly granted, 4.3.5
- PUBLIC privilege, objects created with, 4.3.5
- remote user impersonating another user, 4.4.4.3.2
- server falsifying identities, 10.8.3
- standard audit trail, protecting, 9.5.3.8
- users with multiple roles, 5.6.1
- See also security attacks
- SELECT ANY DICTIONARY privilege
-
- data dictionary, accessing, 10.6
- exclusion from GRANT ALL PRIVILEGES privilege, 10.6
- SELECT privilege
-
- SQL statements permitted, 5.8.2
- SELECT_CATALOG_ROLE role
-
- about, 4.4.2
- SYS schema objects, enabling access to, 4.3.2.3
- sequences
-
- auditing, 9.5.9.1
- server.key file
-
- pass phrase to read and parse, 10.8.3
- service-oriented architecture (SOA)
-
- security enhancements for Oracle XML DB, Preface
- SESSION_ROLES view
-
- queried from PL/SQL block, 4.4.1.5.1
- sessions
-
- about, 9.5.10.2.2
- auditing by, 9.5.3.5, 9.5.10.2.2
- listing privilege domain of, 4.12.4
- memory use, viewing, 2.6.5
- time limits on, 2.4.2.5
- when auditing options take effect, 9.5.3.1
- SET ROLE statement
-
- application code, including in, 5.6.2
- associating privileges with role, 5.6.1
- disabling roles with, 4.10.1
- enabling roles with, 4.10.1
- how password is set, 4.4.4.1
- secure application roles, 5.5.2
- when using operating-system roles, 4.9.5
- SGA
-
- See System Global Area (SGA)
- SHA-1 hashing algorithm
-
- enabling exclusive mode, 3.2.4
- how it increases password safety, 3.2.4
- Shared Global Area (SGA)
-
- See System Global Area (SGA)
- shared server
-
- limiting private SQL areas, 2.4.2.5
- operating system role management restrictions, 4.9.6
- shoulder surfing, 5.3.1.4
- SHOW PARAMETERS statement, 9.5.3.3
- smart cards
-
- guidelines for security, 10.5
- SOA
-
- See service-oriented architecture
- SPATIAL_CSW_ADMIN role, 4.4.2
- SPATIAL_WFS_ADMIN role, 4.4.2
- SQL injection attacks, 5.3.1.2
- SQL statements
-
- audit options, 9.5.6.2
- auditing
-
- about, 9.5.6
- disabling, 9.5.6.3
- enabling, 9.5.6.2
- executions, 9.5.10.1
- when records generated, 9.5.3.1
- dynamic, 6.3.3.3
- object privileges permitting in applications, 5.8.2
- privileges required for, 4.5.3, 5.8.2
- resource limits and, 2.4.2.2
- restricting ad hoc use, 4.4.7.1, 4.4.7.1
- SQL*Net
-
- See Oracle Net
- SQL*Plus
-
- connecting with, 3.5
- restricting ad hoc use, 4.4.7.1, 4.4.7.1
- statistics monitor, 2.4.3
- SSL
-
- See Secure Sockets Layer
- standard audit trail
-
- activities always recorded, 9.5.3.2
- archiving, 9.5.3.7.1
- AUDIT SQL statement, 9.5.3.5
- auditing standard audit trail, 9.5.3.9
- controlling size of, 9.5.3.7
- disabling, 9.5.3.3
- enabling, 9.5.3.3
- maximum size of, 9.5.3.7
- NOAUDIT SQL statement, 9.5.3.6
- operating system, 9.2.3
- protecting, 9.5.3.8
- records, archiving, 9.5.3.7.1
- records, purging, 9.5.3.7.2
- size, reducing, 9.5.3.7.2
- transaction independence, 9.5.3.1
- when created, 9.5.3.1
- standard auditing
-
- about, 9.5.1
- administrative users on all platforms, 9.6.1
- administrators on UNIX systems, 9.6.2
- archiving audit trail, 9.9
- audit option levels, 9.5.3.5
- audit trails
-
- database, 9.3.1
- auditing
-
- default auditing, enabling, 9.4
- by access
-
- about, 9.5.10.2.1
- setting, 9.5.3.5
- by session
-
- about, 9.5.10.2.2
- prohibited with, 9.5.10.2
- setting, 9.5.3.5
- customized, 9.7
- database audit trail records, 9.3.1
- DDL statement auditing, 9.5.6.1
- default options, 9.5.9.3
- default options, disabling, 9.5.9.4
- disabling, 9.5.3.6
- disabling options versus auditing, 9.5.3.6
- DML statements, 9.5.6.1
- enabling options versus auditing, 9.5.3.5
- executions, 9.5.10.1
- information stored in OS file, 9.5.4.1
- managing audit trail, 9.5.3
- mandatory auditing, 9.2.3
- network auditing, 9.1.2
-
- about, 9.5.11
- disabling, 9.5.11.3
- enabling, 9.5.11.1
- error types recorded, 9.5.11.2
- object auditing
-
- See standard auditing, schema object
- operating system audit trail, 9.5.4
-
- file location, 9.5.4.3
- operating system audit trail using, 9.5.5
- privilege auditing
-
- about, 9.5.7
- disabling, 9.5.7.3
- enabling, 9.5.7.2
- multitier environment, 9.5.8
- options, 9.5.7.2
- system privileges, 9.5.7.2
- types, 9.5.7.1
- privileges needed, 9.5.2
- range of focus, 9.5.10
- schema object auditing
-
- about, 9.5.9
- disabling, 9.5.9.4
- enabling, 9.5.9.3
- example, 9.5.9.3
- options, 9.5.9.2
- types, 9.5.9.1
- SQL statement
-
- See standard auditing, statement auditing
- statement auditing
-
- about, 9.5.6
- disabling, 9.5.6.3
- enabling, 9.5.6.2
- multitier environment, 9.5.8
- statement level, 9.5.6.2
- successful, 9.5.3.5
- types you can audit, 9.5.6.1
- unsuccessful, 9.5.3.5
- SYS users, 9.6.1, 9.6.1
- system privileges, 9.5.6.2
- trigger use for customized auditing, 9.7
- user, 9.5.10.3
- See also auditing, standard audit trail, SYS.AUD$ table
- storage
-
- quotas and, 2.2.5
- revoking tablespaces and, 2.2.5.1
- unlimited quotas, 2.2.5.2
- stored procedures
-
- using privileges granted to PUBLIC, 4.8
- strong authentication
-
- centrally controlling SYSDBA and SYSOPER access to multiple databases, 3.3.1
- guideline, 10.5
- symbolic links
-
- restricting, 10.6
- synonyms
-
- inheriting privileges from object, 4.5.3.3
- SYS account
-
- policy enforcement, 7.5.4.2
- SYS and SYSTEM
-
- passwords, 10.5, 10.5
- SYS schema
-
- objects, access to, 4.3.2.3
- SYS_CONTEXT function
-
- about, 6.3.3.2
- database links, 6.3.3.5
- dynamic SQL statements, 6.3.3.3
- example, 6.3.3.6
- parallel query, 6.3.3.4
- STATIC policies, 7.3.6.4
- syntax, 6.3.3.2
- SYS_CONTEXT SQL function, 5.5.2
-
- validating users, 5.5.2
- SYS_DEFAULT Oracle Virtual Private Database policy group, 7.3.5.3
- SYSASM privilege, Preface
- SYS.AUD$ table
-
- about, 9.3.1
- audit records, writing to, 9.5.3.4
- auditing, 9.3.1
- contents, 9.3.1
- data values in audited statement, 9.3.1
- too full or unavailable, 9.3.1
- viewing contents, 9.3.1
- XML, EXTENDED audit trail, 9.5.3.4
- See also standard auditing
- SYS.FGA_LOG$ table
-
- about, 9.3.1
- archiving, 9.8.4
- auditing, 9.3.1
- contents, 9.3.1
- data values in audited statement, 9.3.1
- purging, 9.8.4
- too full or unavailable, 9.3.1
- viewing contents, 9.3.1
- SYS.FGA_LOGS$ table
-
- See also fine-grained auditing
- syslog audit trail
-
- about, 9.6.2.1
- configuring, 9.6.2.3
- format, 9.6.2.2
- SYSMAN user account, 10.5, 10.5
- SYS-privileged connections, 10.3
- System Global Area (SGA)
-
- application contexts, storing in, 6.1
- global application context information location, 6.4.1
- limiting private SQL areas, 2.4.2.5
- system privileges, 10.3
-
- about, 4.3.1
- ADMIN OPTION, 4.3.4
- ANY
-
- guidelines for security, 10.6
- ANY system privileges, 4.3.2
- GRANT ANY OBJECT PRIVILEGE, 4.6.2.2, 4.7.2.1
- GRANT ANY PRIVILEGE, 4.3.4
- granting, 4.6.1
- granting and revoking, 4.3.3
- power of, 4.3.1
- restriction needs, 4.3.2
- revoking, cascading effect of, 4.7.3.1
- SELECT ANY DICTIONARY, 10.6
- SYSASM privilege, Preface
T
- tables
-
- auditing, 9.5.9.1
- privileges on, 4.5.4
- tablespaces
-
- assigning defaults for users, 2.2.4
- default quota, 2.2.5
- quotas for users, 2.2.5
- quotas, viewing, 2.6.3
- revoking from users, 2.2.5.1
- temporary
-
- assigning to users, 2.2.6
- unlimited quotas, 2.2.5.2
- TCPS protocol
-
- Secure Sockets Layer, used with, 10.8.2
- tnsnames.ora file, used in, 10.8.3
- TELNET service, 10.8.2
- TFTP service, 10.8.2
- time measurement for statement execution, 7.3.6.1
- token cards, 10.5
- trace files
-
- access to, importance of restricting, 10.6
- bad packets, 5.9.1
- location of, finding, 6.6
- transparent data encryption, 8.3.4.4
- transparent tablespace encryption, 8.3.4.4
- triggers
-
- auditing, 9.5.9.2
- auditing, used for custom auditing, 9.7
- CREATE TRIGGER ON, 5.8.2
- logon
-
- examples, 6.3.4
- externally initialized application contexts, 6.3.4
- privileges for executing, 4.5.6.2
-
- roles, 4.4.1.5
- WHEN OTHERS exception, 6.3.4
- trusted procedure
-
- database session-based application contexts, 6.1
- tnsnames.ora configuration file, 10.8.3
- tutorials
-
- application context, database session-based, 6.3.5
- global application context with client session ID, 6.4.5
- Oracle Virtual Private Database
-
- policy groups, 7.4.3
- policy implementing, 7.4.2
- simple example, 7.4.1
- standard auditing
-
- SYS.AUD$ auditing table, changes to, 9.3.2
- See also examples
- types
-
- creating, 4.5.7.5
- privileges on, 4.5.7
- user defined
-
- creation requirements, 4.5.7.4
U
- UDP and TCP ports
-
- close for ALL disabled services, 10.8.2
- UGA
-
- See User Global Area (UGA)
- UNIX systems, auditing administrators on, 9.6.2
- UNLIMITED TABLESPACE privilege, 2.2.5.2, 2.2.5.2
- UPDATE privilege
-
- revoking, 4.7.2.2
- user access
-
- auditing by, 9.5.3.5
- user accounts
-
- administrative user passwords, 10.5
- default user account, 10.5
- password guidelines, 10.5
- passwords, encrypted, 10.5
- USER function
-
- global application contexts, 6.4.3.2
- User Global Area (UGA)
-
- application contexts, storing in, 6.1
- user names
-
- schemas, 5.7
- USER pseudo column, 4.5.5.3
- user sessions, multiple within single database connection, 3.10.1.5
- user-defined columns
-
- auditing, 9.8.1
- USERENV function, 6.3.3.2, 8.4
- USERENV namespace
-
- about, 6.3.3.2
- client identifiers, 3.10.2
- See also CLIENT_IDENTIFIER USERENV attribute
- users
-
- administrative option (ADMIN OPTION), 4.6.1.1
- altering, 2.3
- application users not known to database, 3.10.2
- assigning unlimited quotas for, 2.2.5.2
- auditing, 9.5.10.3
- database role, current, 5.6.1
- default roles, changing, 2.2.8
- default tablespaces, 2.2.4
- dropping, 2.5, 2.5
- dropping profiles and, 2.4.4.2
- dropping roles and, 4.4.6
- enabling roles for, 5.6
- enterprise, 3.7, 4.4.4.4
- enterprise, shared schema protection, 5.7.2
- external authentication
-
- about, 3.8.1
- advantages, 3.8.2
- operating system, 3.8.4
- user creation, 3.8.3
- finding information about, 2.6.1
- global, 3.7
- hosts, connecting to multiple
-
- See external network services, fine-grained access to
- information about, viewing, 2.6.2
- listing roles granted to, 4.12.2
- memory use, viewing, 2.6.5
- network authentication, external, 3.8.5
- nondatabase, 6.4.1, 6.4.3.5
- objects after dropping, 2.5
- operating system external authentication, 3.8.4
- password encryption, 3.2.1
- privileges
-
- for changing passwords, 2.3
- for creating, 2.2.1
- granted to, listing, 4.12.1
- of current database role, 5.6.1
- profiles
-
- creating, 2.4.4.1
- specifying, 2.2.7
- proxy authentication, 3.10.1
- proxy users, connecting as, 3.10.1.1
- PUBLIC group, 4.8
- PUBLIC user group, 4.4.1.4
- restricting application roles, 4.4.7
- roles and, 4.4.1.2
-
- for types of users, 4.4.1.3.2
- schema-independent, 5.7.2
- schemas, private, 3.7.1.1
- security domains of, 4.4.1.4
- security, about, 2.1
- tablespace quotas, 2.2.5
- tablespace quotas, viewing, 2.6.3
- user accounts, creating, 2.2.1
- user models and Oracle Virtual Private Database, 7.5.5
- user name, specifying with CREATE USER statement, 2.2.2
- views for finding information about, 2.6
- UTLPWDMG.SQL
-
- about, 3.2.3.7
- guidelines for security, 10.5
V
- valid node checking, 10.8.2
- views
-
- about, 4.5.5.1
- access control list data, 4.11.10
- application contexts, 6.6
- audit trail, 9.10.1, 9.10.1
- auditing, 9.5.9.1, 9.5.9.2
- DBA_COL_PRIVS, 4.12.3
- DBA_NETWORK_ACL_PRIVILEGES, 4.11.8, 4.11.10
- DBA_NETWORK_ACLS, 4.11.10
- DBA_ROLE_PRIVS, 4.12.2
- DBA_ROLES, 4.12.5
- DBA_SYS_PRIVS, 4.12.1
- DBA_TAB_PRIVS, 4.12.3
- DBA_USERS_WITH_DEFPWD, 3.2.3.2
- encrypted data, 8.7
- Oracle Virtual Private Database policies, 7.6
- privileges, 4.5.5.1, 4.12
- profiles, 2.6.1
- ROLE_ROLE_PRIVS, 4.12.6
- ROLE_SYS_PRIVS, 4.12.6
- ROLE_TAB_PRIVS, 4.12.6
- roles, 4.12
- security applications of, 4.5.5.3
- SESSION_PRIVS, 4.12.4
- SESSION_ROLES, 4.12.4
- USER_NETWORK_ACL_PRIVILEGES, 4.11.10
- users, 2.6.1
- Virtual Private Database
-
- See Oracle Virtual Private Database
- VPD
-
- See Oracle Virtual Private Database
- vulnerable run-time call, 10.3
-
- made more secure, 10.3
W
- Wallet Manager
-
- See Oracle Wallet Manager
- wallets
-
- authentication method, 3.6.2
- Web applications
-
- user connections, 6.4.1, 6.4.3.5
- Web services
-
- security enhancements for Oracle XML DB, Preface
- Web-based applications
-
- Oracle Virtual Private Database, how it works with, 7.5.5
- WFS_USR_ROLE role, 4.4.2
- WHEN OTHERS exceptions
-
- logon triggers, used in, 6.3.4
- WHERE clause, dynamic SQL, 7.2.1
- Windows operating system
-
- audit trail setting, OS, 9.5.4.3
- WKUSER role, 4.4.2
- WM_ADMIN_ROLE role, 4.4.2
X
- X.509 certificates
-
- guidelines for security, 10.5
- XDB_SET_INVOKER role, 4.4.2
- XDB_WEBSERVICES role, 4.4.2
- XDB_WEBSERVICES_OVER_HTTP role
-
- about, 4.4.2
- XDB_WEBSERVICES_WITH_PUBLIC role, 4.4.2
- XDBADMIN role, 4.4.2
- XML
-
- AUDIT_TRAIL XML setting, 9.5.3.4
- AUDIT_TRAIL XML, EXTENDED setting, 9.5.3.4
- XML, EXTENDED AUDIT_TRAIL setting
-
- used with DB in AUDIT_TRAIL, 9.5.3.4
- used with XML in AUDIT_TRAIL, 9.5.3.4