Skip Headers
Oracle® Database Security Guide
11g Release 1 (11.1)
Part Number B28531-04
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Master Index
Master Index		 Go to Feedback page
Contact Us
Go to previous page
Previous
View PDF

Index

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X 

A

access control
encryption, problems not solved by, 8.2.1
enforcing, 10.8.1
object privileges, 4.5.1
password encryption, 3.2.1
access control list (ACL)
about, 4.11.1
advantages, 4.11
affect of upgrade from earlier release, 4.11.2
creating, 4.11.3
DBMS_NETWORK_ACL package
using, 4.11.3.1
DBMS_NETWORK_ACL_ADMIN package
using, 4.11.3
examples, 4.11.4
finding information about, 4.11.10
hosts, assigning, 4.11.3.2
network hosts, using wildcards to specify, 4.11.5
ORA-24247 errors, 4.11.2
order of precedence
hosts, 4.11.6
port ranges, 4.11.7
privilege assignments
about, 4.11.8
database administrators checking, 4.11.8.1
users checking, 4.11.8.2
setting precedence
multiple roles, 4.11.9
multiple users, 4.11.9
syntax for creating, 4.11.3.1
account locking
example, 3.2.3.4
explicit, 3.2.3.4
password management, 3.2.3.4
PASSWORD_LOCK_TIME initialization parameter, 3.2.3.4
ad hoc tools
database access, security problems of, 4.4.7.1
ADMIN OPTION
about, 4.6.1.1
revoking privileges, 4.7.1
revoking roles, 4.7.1
roles, 4.4.5.1
system privileges, 4.3.4
administrative user passwords
default, importance of changing, 10.5
administrator privileges
access, 10.8.2
operating system authentication, 3.3.2
passwords, 3.3.3, 10.5
SYSDBA and SYSOPER access, centrally controlling, 3.3.1, 3.3.1
write, on listener.ora file, 10.8.2
adump audit files directory, 9.6.1
"all permissions", 10.3
ALTER privilege statement
SQL statements permitted, 5.8.2
ALTER PROFILE statement
password management, 3.2.3.1
ALTER RESOURCE COST statement, 2.4.4.2
ALTER ROLE statement
changing authorization method, 4.4.3
ALTER SESSION statement
schema, setting current, 5.7.1
ALTER USER privilege, 2.3
ALTER USER statement
default roles, 4.10.2
explicit account unlocking, 3.2.3.4
GRANT CONNECT THROUGH clause, 3.10.1.3
passwords, changing, 2.3.1
passwords, expiring, 3.2.3.6
profiles, changing, 3.2.3.6
REVOKE CONNECT THROUGH clause, 3.10.1.3
user profile, 3.2.3.1
altering users, 2.3
ANY system privilege
guidelines for security, 10.6
application contexts
about, 6.1
as secure data cache, 6.1
bind variables, 7.1.3
client session-based
about, 6.5.1
CLIENTCONTEXT namespace, clearing value from, 6.5.4
CLIENTCONTEXT namespace, setting value in, 6.5.2
retrieving client session ID, 6.5.3
database session-based
about, 6.3.1
cleaning up after user exits, 6.3.1
components, 6.3.1
creating, 6.3.2
database links, 6.3.3.5
dynamic SQL, 6.3.3.3
externalized, using, 6.3.8
how to use, 6.3
initializing externally, 6.3.6
initializing globally, 6.3.7
ownership, 6.3.2
parallel queries, 6.3.3.4
PL/SQL package creation, 6.3.3
session information, setting, 6.3.3.6
SYS_CONTEXT function, 6.3.3.2
trusted procedure, 6.1
tutorial, 6.3.5
DBMS_SESSION.SET_CONTEXT procedure, 6.3.3.6, 6.3.3.6
driving context, 6.6
finding information about, 6.6
global
about, 6.4.1
authenticating nondatabase users, 6.4.3.5
authenticating user for multiple applications, 6.4.3.4
components, 6.4.1
creating, 6.4.2
example of authenticating nondatabase users, 6.4.3.5
example of authenticating user moving to different application, 6.4.3.4
example of setting values for all users, 6.4.3.3
ownership, 6.4.2
PL/SQL package creation, 6.4.3.1
process, lightweight users, 6.4.6.2
process, standard, 6.4.6.1
reasons for using, 6.4.1
sharing values globally for all users, 6.4.3.3
tutorial for client session IDs, 6.4.5
used for One Big Application User scenarios, 7.5.5
user name retrieval with USER function, 6.4.3.2
uses for, 7.5.5
global application context
system global area, 6.4.1
logon trigger, creating, 6.3.4
performance, 7.4.2.7
policy groups, used in, 7.3.5.1
returning predicate, 7.1.3
session information, retrieving, 6.3.3.2
support for database links, 6.3.6
types, 6.2
users, nondatabase connections, 6.4.1, 6.4.3.5
Virtual Private Database, used with, 7.1.3
application developers
CONNECT role change, 10.10.3.2
application security
specifying attributes, 6.3.2
application users who are database users
Oracle Virtual Private Database, how it works with, 7.5.5
applications
about security policies for, 5.1
database users, 5.2.1
enhancing security with, 4.4.1.2
object privileges, 5.8.1
object privileges permitting SQL statements, 5.8.2
One Big Application User model, 5.2.2
about, 5.2.1
security risks of, 5.2.1
Oracle Virtual Private Database, how it works with, 7.5.1
password handling, guidelines, 5.3.1.2
password protection strategies, 5.3
privileges, managing, 5.4
roles
multiple, 4.4.1.3.1
privileges, associating with database roles, 5.6
security, 4.4.7, 5.2.2
security considerations for use, 5.2
security limitations, 7.5.1
security policies, 7.3.5.3
validating with security policies, 7.3.5.5
AQ_ADMINISTRATOR_ROLE role
about, 4.4.2
AQ_USER_ROLE role
about, 4.4.2
attacks
See security attacks
audit files
activities always written to, 9.2.2
archiving, 9.5.3.7.1
directory, 9.6.1
file names, form of, 9.6.1
fine-grained audit trail, 9.8.4
operating system file, contents, 9.5.4.1
where written to, 9.6.1
AUDIT statement
about, 9.5.3.5
schema objects, 9.5.9.3
statement auditing, 9.5.6.2
system privileges, 9.5.6.2
audit trail
about, 9.2.1
archiving, 9.9
deleting views, 9.10.3
finding information about, 9.10.1
interpreting, 9.10.2
types of, 9.2.1
See also SYS.AUD$ table, SYS.FGA_LOG$ table
See also standard audit trail
AUDIT_FILE_DEST initialization parameter
about, 9.5.4.3
setting for OS auditing, 9.5.4.3
AUDIT_SYS_OPERATIONS initialization parameter
auditing SYS, 9.6.1
AUDIT_TRAIL initialization parameter
about, 9.5.3.3
auditing SYS, 9.6.1
database, starting in read-only mode, 9.5.3.4
DB (database) setting, 9.5.3.4
DB, EXTENDED setting, 9.5.3.4
disabling, 9.5.3.4
OS (operating system) setting, 9.5.3.4
OS setting, Windows impact, 9.5.4.3
setting, 9.5.3.3
values, 9.5.3.4
XML setting, 9.5.3.4
XML, EXTENDED setting, 9.5.3.4
auditing
administrators
See standard auditing
audit options, 9.1.2
audit records, 9.2.1
audit trails, 9.2.1
database audit trail, using, 9.5.5
database user names, 3.5
default auditing, enabling, 9.4
distributed databases and, 9.1.3
finding information about, 9.10.1
fine-grained
See fine-grained auditing
guidelines for security, 10.9
historical information, 10.9.3
keeping information manageable, 10.9.2
LOBs, auditing
user-defined columns, 9.8.1
middle-tier systems, real user actions, 3.10.1.10
multitier environments
See standard auditing
network
See standard auditing
object columns, 9.8.1
objects
See standard auditing
One Big Application User, compromised by, 5.2.1
operating-system user names, 3.5
privileges
See standard auditing
range of focus, 9.1.2
recommened settings, 10.9.5
Sarbanes-Oxley Act
auditing, meeting compliance through, 9.4
meeting compliance through auditing, 10.9.1
schema objects
See standard auditing
SQL statements
See standard auditing
standard
See standard audit trail, standard auditing
statements
See standard auditing
suspicious activity, 10.9.4
views
active object options, 9.10.2.3
active privilege options, 9.10.2.2
active statement options, 9.10.2.1
default object options, 9.10.2.4
when audit options take effect, 9.5.3.1
See also SYS.AUD$ table, SYS.FGA_LOG$ table, standard auditing, standard audit trail, fine-grained auditing
AUTHENTICATEDUSER role, 4.4.2
authentication
about, 3.1
administrators
operating system, 3.3.2
passwords, 3.3.3
SYSDBA and SYSOPER access, centrally controlling, 3.3.1
by database, 3.4
by SSL, 3.7.1.1
certificate, 10.8.1
client, 10.8.1, 10.8.1
client-to-middle tier process, 3.10.1.5.1
database administrators, 3.3
databases, using
about, 3.4.1
advantages, 3.4.2
procedure, 3.4.3
directory service, 3.7.1
directory-based services, 3.6.2
external authentication
about, 3.8.1
advantages, 3.8.2
operating system authentication, 3.8.4
user creation, 3.8.3
global authentication
about, 3.7
advantages, 3.7.2
user creation for private schemas, 3.7.1.1
user creation for shared schemas, 3.7.1.2
middle-tier authentication
proxies, example, 3.10.1.7
multitier, 3.9
network authentication
Secure Sockets Layer, 3.6.1
third-party services, 3.6.2
One Big Application User, compromised by, 5.2.1
operating system authentication
about, 3.5
advantages, 3.5
disadvantages, 3.5
proxy user authentication
about, 3.10.1
expired passwords, 3.10.1.3
public key infrastructure, 3.6.2
RADIUS, 3.6.2
remote, 10.8.1, 10.8.1
specifying when creating a user, 2.2.3
strong, 10.5
user, 10.8.1
See also passwords, proxy authentication
authorization
about, 4
changing for roles, 4.4.3
global
about, 3.7
advantages, 3.7.2
multitier, 3.9
omitting for roles, 4.4.3
operating system, 4.4.4.3.1
roles, about, 4.4.4
automatic reparse
Oracle Virtual Private Database, how it works with, 7.5.2
Automatic Storage Management (ASM)
SYSASM privilege, Preface

B

banners
auditing user actions, configuring, 5.9.5
unauthorized access, configuring, 5.9.5
batch jobs, authenticating users in, 3.2.5.1
BFILEs
guidelines for security, 10.6
bind variables
application contexts, used with, 7.1.3
BLOBS
encrypting, 8.3.6

C

cascading revokes, 4.7.3
CATNOAUD.SQL script
about, 9.10.3
audit trail views, deleting with, 9.10.3
certificate authentication, 10.8.1
certificate key algorithm
Secure Sockets Layer, 10.8.3
certificates for user and server authentication, 10.8.1
change_on_install default password, 10.5
character sets
role names, multibyte characters in, 4.4.3
role passwords, multibyte characters in, 4.4.4.1
cipher suites
Secure Sockets Layer, 10.8.3
client connections
guidelines for security, 10.8.1
secure external password store, 3.2.5.3
securing, 10.8.1
client identifiers
about, 3.10.2
consistency between DBMS_SESSION.SET_IDENTIFIER and DBMS_APPLICATION_INFO.SET_CLIENT_INFO, 3.10.2.4
global application context, independent of, 3.10.2.3
setting with DBMS_SESSION.SET_IDENTIFIER procedure, 6.4.1
CLIENT_IDENTIFIER USERENV attribute
JDBC applications, setting for, 3.10.2.3
setting and clearing with DBMS_SESSION package, 3.10.2.4
setting for applications that use JDBC, 3.10.2.3
setting with OCI user session handle attribute, 3.10.2.3
See also USERENV namespace
CLIENTID_OVERWRITE event, 3.10.2.4
column masking behavior, 7.3.4.3
column specification, 7.3.4.3
restrictions, 7.3.4.3
columns
granting privileges for selected, 4.6.2.3
granting privileges on, 4.6.2.3
INSERT privilege and, 4.6.2.3
listing users granted to, 4.12.3
privileges, 4.6.2.3
pseudo columns
USER, 4.5.5.3
revoking privileges on, 4.7.2.2
command line recall attacks, 5.3.1.1, 5.3.1.4
configuration
guidelines for security, 10.7
configuration files
listener.ora, 10.8.2
sample listener.ora file, 10.8.2
server.key encryption file, 10.8.3
tsnames.ora, 10.8.3
typical directory, 10.8.3, 10.8.3
CONNECT role
about, 10.10
applications
account provisioning, 10.10.2.2
affects of, 10.10.2
database upgrades, 10.10.2.1
installation of, 10.10.2.3
script to create, 4.4.2
users
application developers, impact, 10.10.3.2
client-server applications, impact, 10.10.3.3
general users, impact, 10.10.3.1
how affects, 10.10.3
why changed, 10.10.1
connection pooling
about, 3.9
global application contexts, 6.4.1
nondatabase users, 6.4.3.5
proxy authentication, 3.10.1.5
connections
SYS privilege, 10.3
CPU time limit, 2.4.2.3
CREATE ANY TABLE statement
non-administrative users, 10.3
CREATE CONTEXT statement
about, 6.3.2
example, 6.3.2
CREATE EXTERNAL JOB privilege
scheduling job in grantee schema, 4.3.2.2
CREATE PROFILE statement
account locking period, 3.2.3.4
failed login attempts, 3.2.3.4
password aging and expiration, 3.2.3.6
password management, 3.2.3.1
passwords, example, 3.2.3.6
CREATE ROLE statement
IDENTIFIED BY option, 4.4.4.1
IDENTIFIED EXTERNALLY option, 4.4.4.3
CREATE SCHEMA statement
securing, 5.7.1
CREATE SESSION statement
CONNECT role privilege, 10.4
securing, 5.7.1
CREATE USER statement
explicit account locking, 3.2.3.4
IDENTIFIED BY option, 2.2.3
IDENTIFIED EXTERNALLY option, 2.2.3
passwords, expiring, 3.2.3.6
user profile, 3.2.3.1
CSW_USR_ROLE role, 4.4.2
CTXAPP role, 4.4.2
cursors
reparsing, for application contexts, 6.3.4
shared, used with Virtual Private Database, 7.1.3
custom installation, 10.7, 10.7
CWM_USER role, 4.4.2

D

data definition language (DDL)
roles and privileges, 4.4.1.6
standard auditing, 9.5.6.1
data dictionary
protecting, 10.6
securing with O7_DICTIONARY_ACCESSIBILITY, 4.3.2.1
data dictionary views
See views
data files, 10.6
guidelines for security, 10.6
data manipulation language (DML)
privileges controlling, 4.5.4.1
standard auditing, 9.5.6.1
data security
encryption, problems not solved by, 8.2.3
database administrators (DBAs)
access, controlling, 8.2.2
authentication, 3.3
malicious, encryption not solved by, 8.2.2
Database Configuration Assistant (DBCA)
default passwords, changing, 10.5
password settings in default profile, 3.2.3.3
user accounts, automatically locking and expiring, 10.3
database links
application context support, 6.3.6
application contexts, 6.3.3.5
auditing, 9.5.9.1
authenticating with Kerberos, 3.6.2
authenticating with third-party services, 3.6.2
global user authentication, 3.7.2
object privileges, 4.5.3
operating system accounts, care needed, 3.5
session-based application contexts, accessing, 6.3.3.5
database upgrades and CONNECT role, 10.10.2.1
databases
access control
password encryption, 3.2.1
additional security resources, 1.2
authentication, 3.4
database user and application user, 5.2.1
default security features, summary, 1.1
granting privileges, 4.6
granting roles, 4.6
limitations on usage, 2.4.1
read-only mode, starting in, 9.5.3.4
security and schemas, 5.7
security embedded, advantages of, 5.2.2
security policies based on, 7.1.2.1
DATAPUMP_EXP_FULL_DATABASE role, 4.4.2
DATAPUMP_IMP_FULL_DATABASE role, 4.4.2
DBA role
about, 4.4.2
DBA_NETWORK_ACL_PRIVILEGES view, 4.11.8
DBA_ROLE_PRIVS view
application privileges, finding, 5.4
DBCA
See Database Configuration Assistant (DBCA)
DBMS_APPLICATION.SET_CLIENT_INFO procedure
DBMS_SESSION.SET_IDENTIFIER value, overwriting, 3.10.2.4
DBMS_CRYPTO package
about, 8.4
encryption algorithms supported, 8.4
examples, 8.6.1
DBMS_FGA package
about, 9.8.5.1
ADD_POLICY procedure, 9.8.5.2
DISABLE_POLICY procedure, 9.8.5.4
DROP_POLICY procedure, 9.8.5.5
ENABLE_POLICY procedure, 9.8.5.4
DBMS_OBFUSCATION_TOOLKIT package
backward compatibility, 8.4
See also DBMS_CRYPTO package
DBMS_RLS package
about, 7.3.1
DBMS_RLS.ADD_CONTEXT procedure, 7.3.1
DBMS_RLS.ADD_GROUPED_POLICY procedure, 7.3.1
DBMS_RLS.ADD_POLICY
sec_relevant_cols parameter, 7.3.4.1
sec_relevant_cols_opt parameter, 7.3.4.3
DBMS_RLS.ADD_POLICY procedure
about, 7.3.1
DBMS_RLS.CREATE_POLICY_GROUP procedure, 7.3.1
DBMS_RLS.DELETE_POLICY_GROUPS procedure, 7.3.1
DBMS_RLS.DISABLE_GROUPED_POLICY procedure, 7.3.1
DBMS_RLS.DROP_CONTEXT procedure, 7.3.1
DBMS_RLS.DROP_GROUPED_POLICY procedure, 7.3.1
DBMS_RLS.DROP_POLICY procedure, 7.3.1
DBMS_RLS.ENABLE_GROUPED_POLICY procedure, 7.3.1
DBMS_RLS.ENABLE_POLICY procedure, 7.3.1
DBMS_RLS.REFRESH_GROUPED_POLICY procedure, 7.3.1
DBMS_RLS.REFRESH_POLICY procedure, 7.3.1
DBMS_SESSION package
client identifiers, using, 3.10.2.4
global application context, used in, 6.4.3
SET_CONTEXT procedure
about, 6.3.3.6
application context name-value pair, setting, 6.3.3.1
DBMS_SESSION.SET_CONTEXT procedure
about, 6.3.3.6
syntax, 6.3.3.6
username and client_id settings, 6.4.3.2
DBMS_SESSION.SET_IDENTIFIER procedure
client session ID, setting, 6.4.1
DBMS_APPLICATION.SET_CLIENT_INFO value, overwritten by, 3.10.2.4
DBMS_SQLHASH encryption package
about, 8.5.1
GETHASH function, 8.5.2
DBSEG60064|Using Default Auditing for Security-Relevant SQL Statements and Privileges, 9.4
DBSNMP user account
password usage, 10.5
DDL
See data definition language
default passwords, 10.5, 10.5, 10.5, 10.5
change_on_install or manager passwords, 10.5
changing, importance of, 3.2.3.2
finding, 3.2.3.2
default permissions, 10.6
default profiles
about, 3.2.3.3
default roles
setting for user, 2.2.8
specifying, 4.10.2
default user
accounts, 10.3
default users
accounts, 10.3
Enterprise Manager accounts, 10.3
passwords, 10.5
defaults
tablespace quota, 2.2.5
user tablespaces, 2.2.4
definer's rights
about, 4.5.6.2
procedure privileges, used with, 4.5.6.2
procedure security, 4.5.6.2
secure application roles, 5.5.2
DELETE privilege
SQL statements permitted, 5.8.2
DELETE_CATALOG_ROLE role
about, 4.4.2
SYS schema objects, enabling access to, 4.3.2.3
Denial of Service (DoS) attacks
audit trail, writing to operating system file, 9.5.3.4
bad packets, preventing, 5.9.1
networks, securing, 10.8.2
dictionary protection mechanism, 4.3.2.1
directory authentication, configuring for SYSDBA or SYSOPER access, 3.3.1.1
directory-based services authentication, 3.6.2
disabling unnecessary services
FTP, TFTP, TELNET, 10.8.2
dispatcher processes (Dnnn)
limiting SGA space for each session, 2.4.2.5
distributed databases
auditing and, 9.1.3
DML
See data manipulation language
driving context, 6.6
DROP PROFILE statement
example, 2.4.4.2
DROP ROLE statement
example, 4.4.6
security domain, affected, 4.4.6
DROP USER statement
about, 2.5
schema objects of dropped user, 2.5
DUAL table
about, 6.3.3.2
dynamic Oracle Virtual Private Database policy types, 7.3.6.1
DYNAMIC policy type, 7.3.6.1

E

eavesdropping
preventing by using SSL, 10.8.1
See also security attacks
EJBCLIENT role, 4.4.2
encryption
access control, 8.2.1
backup media, reason why to encrypt, 3.2.4
BLOBS, 8.3.6
challenges, 8.3
data security, problems not solved by, 8.2.3
DBMS_CRYPTO encryrption package, 8.4
DBMS_CRYPTO package, 8.4
deleted encrypted data, 10.6
examples, 8.6.1
finding information about, 8.7
indexed data, 8.3.1
key generation, 8.3.2
key storage, 8.3.4
key transmission, 8.3.3
keys, changing, 8.3.5
malicious database administrators, 8.2.2
network data encryption, 10.8.2
network traffic, 10.8.2
problems not solved by, 8.2
transparent data encryption, 8.3.4.4
transparent tablespace encryption, 8.3.4.4
enterprise directory service, 4.4.4.4
Enterprise Edition, 10.5
Enterprise Manager
granting roles, 4.4.5
statistics monitor, 2.4.3
enterprise roles, 3.7, 4.4.4.4
enterprise user management, 5.2.1
Enterprise User Security
application context, globally initialized, 6.3.7.2
proxy authentication
Oracle Virtual Private Database, how it works with, 7.5.5
enterprise users
centralized management, 3.7
global role, creating, 4.4.4.4
One Big Application User, compromised by, 5.2.1
proxy authentication, 3.10.1
shared schemas, protecting users, 5.7.2
examples
access control lists, 4.11.4
account locking, 3.2.3.4
data encryption
encrypting and decrypting BLOB data, 8.6.3
encrypting and decrypting procedure with AES 256-Bit, 8.6.2
encrypting procedure, 8.6.1
Java code to read passwords, 5.3.4
locking an account with CREATE PROFILE, 3.2.3.4
login attempt grace period, 3.2.3.6
O7_DICTIONARY_ACCESSIBILITY initialization parameter, setting, 4.3.2.1
passwords
aging and expiration, 3.2.3.6
changing, 2.3.1
creating for user, 2.2.3
privileges
granting ADMIN OPTION, 4.6.1.1
views, 4.12
procedure privileges affecting packages, 4.5.6.4, 4.5.6.4
profiles, assigning to user, 2.2.7
roles
altering for external authorization, 4.4.3
creating for application authorization, 4.4.4.2
creating for external authorization, 4.4.4.3
creating for password authorization, 4.4.3
default, setting, 4.10.2
views, 4.12
secure external password store, 3.2.5.2
session ID of user
finding, 2.5
terminating, 2.5
standard auditing
BY SESSION, 9.5.10.2.2
system privilege and role, granting, 4.6.1
tablespaces
assigning default to user, 2.2.4
quota, assigning to user, 2.2.5
temporary, 2.2.6
type creation, 4.5.7.5
users
account creation, 2.2.1
creating with GRANT statement, 4.6.1.2
dropping, 2.5
middle-tier server proxying a client, 3.10.1.3
naming, 2.2.2
object privileges granted to, 4.6.2
proxy user, connecting as, 3.10.1.3
See also tutorials
exceptions
WHEN NO DATA FOUND, used in application context package, 6.3.5.3
WHEN OTHERS, used in triggers
development environment (debugging) example, 6.3.4
production environment example, 6.3.4
exclusive mode
SHA-1 password hashing algorithm, enabling, 3.2.4
EXECUTE privilege
SQL statements permitted, 5.8.2
EXECUTE_CATALOG_ROLE role
about, 4.4.2
SYS schema objects, enabling access to, 4.3.2.3
execution time for statements, measuring, 7.3.6.1
EXEMPT ACCESS POLICY privilege
Oracle Virtual Private Database enforcements, exemption, 7.5.4.2
EXP_FULL_DATABASE role
about, 4.4.2
expiring a password
explicitly, 3.2.3.6
exporting data
direct path export impact on Oracle Virtual Private Database, 7.5.4.2
policy enforcement, 7.5.4.2
external authentication
about, 3.8.1
advantages, 3.8.2
network, 3.8.5
operating system, 3.8.4, 3.8.4
user creation, 3.8.3
external network services, fine-grained access to
See access control list (ACL)
external tables, 10.6

F

failed login attempts
account locking, 3.2.3.4
password management, 3.2.3.4
resetting, 3.2.3.4
features, new security
See new features, security
files
BFILEs
operating system access, restricting, 10.6
BLOB, 8.3.6
data
operating system access, restricting, 10.6
external tables
operating system access, restricting, 10.6
keys, 8.3.4.2
listener.ora file
guidelines for security, 10.8.2, 10.8.3
log
audit file location for Windows, 9.6.1
audit file locations, 9.5.4.3
operating system access, restricting, 10.6
restrict listener access, 10.8.2
server.key encryption file, 10.8.3
symbolic links, restricting, 10.6
tnsnames.ora, 10.8.3
trace
operating system access, restricting, 10.6
fine-grained access control
See Oracle Virtual Private Database (VPD)
fine-grained auditing
about, 9.8
activities always recorded, 9.8.3
adding alerts to policy, 9.8.5.3
advantages, 9.8.1, 9.8.1
archiving audit trail, 9.9
audit record locations, 9.2.1
columns, specific, 9.8.5.2
DBMS_FGA package, 9.8.5.1
how to use, 9.8.1
policies
adding, 9.8.5.2
disabling, 9.8.5.4
dropping, 9.8.5.5
enabling, 9.8.5.4
privileges needed, 9.8.2
records
archiving, 9.8.4
purging, 9.8.4
See also SYS.FGA_LOG$ table
firewalls
advice about using, 10.8.2
database server location, 10.8.2
ports, 10.8.3
supported types, 10.8.2
flashback query
auditing, used with, 9.3.1
Oracle Virtual Private Database, how it works with, 7.5.3
foreign keys
privilege to use parent key, 4.5.4.2
FTP service, 10.8.2
functions
PL/SQL
privileges for, 4.5.6.1
roles, 4.4.1.5

G

GATHER_SYSTEM_STATISTICS role, 4.4.2
global application contexts
See application contexts, global
global authentication
about, 3.7
advantages, 3.7.2
user creation for private schemas, 3.7.1.1
user creation for shared schemas, 3.7.1.2
global authorization
about, 3.7
advantages, 3.7.2
role creation, 4.4.4.4
roles, 3.7
global roles
about, 4.4.4.4
global users, 3.7
GLOBAL_AQ_USER_ROLE role, 4.4.2
grace period for login attempts
example, 3.2.3.6
grace period for password expiration, 3.2.3.6
GRANT ALL PRIVILEGES statement
SELECT ANY DICTIONARY privilege, exclusion of, 10.6
GRANT ANY OBJECT PRIVILEGE system privilege, 4.6.2.2, 4.7.2.1
GRANT ANY PRIVILEGE system privilege, 4.3.4
GRANT CONNECT THROUGH clause
for proxy authorization, 3.10.1.3
GRANT statement, 4.6.1
ADMIN OPTION, 4.6.1.1
creating a new user, 4.6.1.2
object privileges, 4.6.2, 5.8.1
system privileges and roles, 4.6
when takes effect, 4.10
WITH GRANT OPTION, 4.6.2.1
granting privileges and roles
about, 4.3.3
finding information about, 4.12
specifying ALL, 4.5.2
guidelines for security
auditing, 10.9
custom installation, 10.7, 10.7
data files and directories, 10.6
encrypting sensitive data, 10.6
installation and configuration, 10.7
networking security, 10.8
operating system accounts, limiting privileges, 10.6
operating system users, limiting number of, 10.6
Oracle home default permissions, disallowing modification, 10.6
passwords, 10.5
Secure Sockets Layer
mode, 10.8.3
TCPS protocol, 10.8.3
symbolic links, restricting, 10.6
user accounts and privileges, 10.3

H

hackers
See security attacks
HS_ADMIN_ROLE role
about, 4.4.2
HTTPS
port, correct running on, 10.8.3

I

IMP_FULL_DATABASE role
about, 4.4.2
INDEX privilege
SQL statements permitted, 5.8.2
indexed data
encryption, 8.3.1
initialization parameters
application protection, 5.9
AUDIT_FILE_DEST, 9.2.2, 9.6.1
AUDIT_SYS_OPERATIONS, 9.2.1, 9.6.1
AUDIT_SYSLOG_LEVEL, 9.2.1, 9.6.2.3
AUDIT_TRAIL
about, 9.5.3.3
using, 9.5.3.4
current value, checking, 9.5.3.3
FAILED_LOGIN_ATTEMPTS, 3.2.3.3
MAX_ENABLED_ROLES, 4.10.3
O7_DICTIONARY_ACCESSIBILITY, 4.3.2.1
OS_AUTHENT_PREFIX, 3.8.1
OS_ROLES, 4.4.4.3.1
PASSWORD_GRACE_TIME, 3.2.3.3, 3.2.3.6
PASSWORD_LIFE_TIME, 3.2.3.3, 3.2.3.6
PASSWORD_LOCK_TIME, 3.2.3.3, 3.2.3.4
PASSWORD_REUSE_MAX, 3.2.3.3, 3.2.3.5
PASSWORD_REUSE_TIME, 3.2.3.3, 3.2.3.5
REMOTE_OS_AUTHENT, 10.8.1
RESOURCE_LIMIT, 2.4.4
SEC_CASE_SENSITIVE_LOGIN, 3.2.3.8
SEC_MAX_FAILED_LOGIN_ATTEMPTS, 5.9.3
SEC_PROTOCOL_ERROR_FURTHER_ACTION, 5.9.2
SEC_PROTOCOL_ERROR_TRACE_ACTION, 5.9.1
SEC_RETURN_SERVER_RELEASE_BANNER, 5.9.4
SEC_USER_AUDIT_ACTION_BANNER, 5.9.5
SEC_USER_UNAUTHORIZED_ACCESS_BANNER, 5.9.5
INSERT privilege
granting, 4.6.2.3
revoking, 4.7.2.2
SQL statements permitted, 5.8.2
installation
guidelines for security, 10.7
intruders
See security attacks
invoker's rights
about, 4.5.6.2
procedure privileges, used with, 4.5.6.2
procedure security, 4.5.6.2
secure application roles, 5.5.2
secure application roles, requirement for enabling, 5.5.2
IP addresses
falsifying, 10.8.2
guidelines for security, 10.8.1

J

JAVA_ADMIN role, 4.4.2
JAVA_DEPLOY role, 4.4.2
JAVADEBUGPRIV role, 4.4.2
JAVAIDPRIV role, 4.4.2
JAVASYSPRIV role, 4.4.2
JAVAUSERPRIV role, 4.4.2
JDBC
proxy authentication
Oracle Virtual Private Database, how it works with, 7.5.5
JDBC (thick or thin)
proxy authentication with real user, 3.10.1.5
JDBC (thick)
proxy authentication, 3.10.1
JMXSERVER role, 4.4.2

K

Kerberos authentication, 3.6.2
configuring for SYSDBA or SYSOPER access, 3.3.1.2
password management, 10.5
key generation
encryption, 8.3.2
key storage
encryption, 8.3.4
key transmission
encryption, 8.3.3

L

LBAC_DBA role, 4.4.2
least privilege principle, 10.3
about, 10.3
granting user privileges, 10.3
middle-tier privileges, 3.10.1.6
lightweight users
example using a global application context, 6.4.5
Lightweight Directory Access Protocol (LDAP), 7.4.2.7
listener
not an Oracle owner, 10.8.2
preventing online administration, 10.8.2
restrict privileges, 10.8.2, 10.8.2
secure administration, 10.8.2
listener.ora file
administering remotely, 10.8.2, 10.8.2
default location, 10.8.3
online administration, preventing, 10.8.2
TCPS, securing, 10.8.3
LOBS
auditing, 9.8.1
lock and expire
default accounts, 10.3
predefined user accounts, 10.3
log files
auditing, default location, 9.5.4.3
owned by trusted user, 10.6
Windows Event Viewer, 9.6.1
logical reads limit, 2.4.2.4
logon triggers
examples, 6.3.4
externally initialized application contexts, 6.3.4
secure application roles, 4.4.8
LOGSTDBY_ADMINISTRATOR role, 4.4.2

M

malicious database administrators
See also security attacks
manager default password, 10.5
mandatory auditing, 9.2.3
MAX_ENABLED_ROLES initialization parameter
enabling roles and, 4.10.3
memory
users, viewing, 2.6.5
methods
privileges on, 4.5.7
MGMT_USER role, 4.4.2
middle-tier systems
auditing real user actions, 3.10.1.10
client identifiers, 3.10.2.1
enterprise user connections, 3.10.1.9.2
password-based proxy authentication, 3.10.1.9.1
privileges, limiting, 3.10.1.6
proxies authenticating users, 3.10.1.7
proxying but not authenticating users, 3.10.1.8
reauthenticating user to database, 3.10.1.9
USERENV namespace attributes, accessing, 6.3.6.3
monitoring user actions
See also auditing, standard auditing, fine-grained auditing
multiplex multiple-client network sessions, 10.8.2

N

Net8
See Oracle Net
network auditing
about, 9.5.11
disabling, 9.5.11.3
network authentication
external authentication, 3.8.5
guidelines for securing, 10.5
roles, granting using, 4.9
Secure Sockets Layer, 3.6.1
smart cards, 10.5
third-party services, 3.6.2
token cards, 10.5
X.509 certificates, 10.5
network connections
Denial of Service attacks, addressing, 10.8.2
guidelines for security, 10.8, 10.8.1, 10.8.2
securing, 10.8.2
network IP addresses
guidelines for security, 10.8.2
new features, security, Preface
NOAUDIT statement
audit options, disabling, 9.5.3.6
default object audit options, disabling, 9.5.9.4
network auditing, disabling, 9.5.11.3
object auditing, disabling, 9.5.9.4
privilege auditing, disabling, 9.5.7.3
statement auditing, disabling, 9.5.6.3, 9.5.6.3

O

O7_DICTIONARY_ACCESSIBILITY initialization parameter
about, 4.3.2.1
auditing privileges on SYS objects, 9.5.2
data dictionary protection, 10.6
default setting, 10.6
securing data dictionary with, 4.3.2.1
object auditing
disabling, 9.5.9.4
enabling, 9.5.9.3
object columns
auditing, 9.8.1
object privileges, 10.3
about, 4.5.3
granting on behalf of the owner, 4.6.2.2
managing, 5.8
revoking, 4.7.2
revoking on behalf of owner, 4.7.2.1
schema object privileges, 4.5.3
See also schema object privileges
objects
applications, managing privileges in, 5.8
granting privileges, 5.8.2
privileges
applications, 5.8.1
managing, 4.5.7
protecting in shared schemas, 5.7.2
protecting in unique schemas, 5.7.1
SYS schema, access to, 4.3.2.3
OEM_ADVISOR role, 4.4.2
OEM_MONITOR role, 4.4.2
OLAP_DBA role, 4.4.2
OLAP_USER role, 4.4.2
OLAP_XS_ADMIN role, 4.4.2
OLAPI_TRACE_USER role, 4.4.2
One Big Application User
about, 7.5.5
application context, global, 7.5.5
global application contexts, 6.4.1
global application contexts, nondatabase, 6.4.3.5
Oracle Virtual Private Database, how works with, 7.5.5
operating systems
accounts, 4.9.2
authentication
about, 3.5
advantages, 3.5
disadvantages, 3.5
roles, using, 4.9
authentication, external, 3.8.4
default permissions, 10.6
enabling and disabling roles, 4.9.5
operating system account privileges, limiting, 10.6
role identification, 4.9.2
roles and, 4.4.1.7
roles, granting using, 4.9
users, limiting number of, 10.6
Oracle Advanced Security
network authentication services, 10.5
network traffic encryption, 10.8.2
user access to application schemas, 5.7.2
Oracle Call Interface (OCI)
application contexts, client session-based, 6.5.1
proxy authentication, 3.10.1
Oracle Virtual Private Database, how it works with, 7.5.5
proxy authentication with real user, 3.10.1.5
security-related initialization parameters, 5.9
Oracle Connection Manager
securing client networks with, 10.8.2
Oracle Enterprise Security Manager
role management with, 3.6.2
Oracle home
default permissions, disallowing modification, 10.6
Oracle Internet Directory (OID)
authenticating with directory-based service, 3.6.2
SYSDBA and SYSOPER access, controlling, 3.3.1
Oracle Java Virtual Machine (OJVM)
permissions, restricting, 10.3
Oracle Label Security (OLS)
Oracle Virtual Private Database, using with, 7.5.4.1
Oracle Net
firewall support, 10.8.2
Oracle Technology Network
security alerts, 10.2.1
Oracle Virtual Private Database (VPD)
about, 7.1.1
application contexts
tutorial, 7.4.2
used with, 7.1.3
applications
how it works with, 7.5.1
users who are database users, how it works with, 7.5.5
applications using for security, 5.2.2
automatic reparsing, how it works with, 7.5.2
benefits, 7.1.2
column level, 7.3.4.1
column masking behavior
enabling, 7.3.4.3
restrictions, 7.3.4.3
column-level display, 7.3.4.1
components, 7.2
configuring, 7.3
cursors, shared, 7.1.3
Enterprise User Security proxy authentication, how it works with, 7.5.5
exporting data, 7.5.4.2
finding information about, 7.6
flashback query, how it works with, 7.5.3
function
components, 7.2.1
JDBC proxy authentication, how it works with, 7.5.5
OCI proxy authentication, how it works with, 7.5.5
One Big Application User, how works with, 7.5.5
Oracle Label Security
exceptions in behavior, 7.5.4.2
using with, 7.5.4.1
performance benefit, 7.1.2.2
policies, Oracle Virtual Private Database
about, 7.3.1
applications, validating, 7.3.5.5
attaching to database object, 7.3.2
column display, 7.3.4.1
column-level display, default, 7.3.4.2
dynamic, 7.3.6.1
multiple, 7.3.5.4
optimizing performance, 7.3.6
SQL statements, specifying, 7.3.3
policy groups
about, 7.3.5.1
benefits, 7.3.5.1
creating, 7.3.5.2
default, 7.3.5.3
tutorial, implementation, 7.4.3
policy types
context sensitive, about, 7.3.6.5
context sensitive, when to use, 7.3.6.7
DYNAMIC, 7.3.6.1
shared context sensitive, about, 7.3.6.6
shared context sensitive, when to use, 7.3.6.7
shared static, about, 7.3.6.3
shared static, when to use, 7.3.6.4
static, about, 7.3.6.2
static, when to use, 7.3.6.4
summary of features, 7.3.6.8
tutorial, simple, 7.4.1
user models, 7.5.5
Web-based applications, how it works with, 7.5.5
Oracle Wallet Manager
X.509 Version 3 certificates, 3.6.2
Oracle wallets
authentication method, 3.6.2
Oracle Warehouse Builder
roles, predefined, 4.4.2
OracleMetaLink
security patches, downloading, 10.2.1
ORAPWD password utility
case sensitivity in passwords, 3.2.3.8
password file authentication, 3.3.3
permissions to run, 3.3.3
ORDADMIN role, 4.4.2
OS_ROLES initialization parameter
operating system role grants, 4.9.5
operating-system authorization and, 4.4.4.3.1
REMOTE_OS_ROLES and, 4.9.6
using, 4.9.2
OWB$CLIENT role, 4.4.2
OWB_DESIGNCENTER_VIEW role, 4.4.2
OWB_USER role, 4.4.2

P

packages
auditing, 9.5.9.1
examples, 4.5.6.4
examples of privilege use, 4.5.6.4
privileges
divided by construct, 4.5.6.4
executing, 4.5.6.1, 4.5.6.4
parallel execution servers, 6.3.3.4
parallel query, and SYS_CONTEXT, 6.3.3.4
pass phrase
read and parse server.key file, 10.8.3
password files, 3.3.3
PASSWORD statement
about, 2.3.1
PASSWORD_LIFE_TIME initialization parameter, 3.2.3.6
PASSWORD_LOCK_TIME initialization parameter, 3.2.3.4
PASSWORD_REUSE_MAX initialization parameter, 3.2.3.5
PASSWORD_REUSE_TIME initialization parameter, 3.2.3.5
passwords
about managing, 3.2.3.1
account locking, 3.2.3.4, 3.2.3.4
administrator
authenticating with, 3.3.3
guidelines for securing, 10.5
aging and expiration, 3.2.3.6
ALTER PROFILE statement, 3.2.3.1
altering, 2.3.1
application design guidelines, 5.3.1.2
applications, strategies for protecting passwords, 5.3
brute force attacks, 3.2.1
case sensitivity setting, SEC_CASE_SENSITIVE_LOGIN, 3.2.3.8
case sensitivity, configuring, 3.2.3.8
changing for roles, 4.4.3
complexity verification
about, 3.2.3.7
guidelines for security, 10.5
complexity, guidelines for enforcing, 10.5
connecting without, 3.5
CREATE PROFILE statement, 3.2.3.1
danger in storing as clear text, 10.5
database user authentication, 3.4.1
default profile settings
about, 3.2.3.3
enabling using DBCA, 3.2.3.3
enabling using SQL statements, 3.2.3.3
default user account, 10.5
default, finding, 3.2.3.2
delays for incorrect passwords, 3.2.1
duration, 10.5
encrypting, 3.2.1, 10.5
examples of creating, 3.2.2
expiring
explicitly, 3.2.3.6
procedure for, 3.2.3.6
proxy account passwords, 3.10.1.3
with grace period, 3.2.3.6
failed logins, resetting, 3.2.3.4
grace period, example, 3.2.3.6
guidelines for security, 10.5
history, 3.2.3.5, 3.2.3.5, 10.5
Java code example to read passwords, 5.3.4
length, 10.5
lifetime for, 3.2.3.6
lock time, 3.2.3.4
management rules, 10.5
managing, 3.2.3
maximum reuse time, 3.2.3.5
ORAPWD password utility, 3.2.3.8
password complexity verification, 3.2.3.7
password file risks, 3.3.3
PASSWORD_LOCK_TIME initialization parameter, 3.2.3.4
PASSWORD_REUSE_MAX initialization parameter, 3.2.3.5
PASSWORD_REUSE_TIME initialization parameter, 3.2.3.5
policies, 3.2.3
privileges for changing for roles, 4.4.3
privileges to alter, 2.3
protections, built-in, 3.2.1
proxy authentication, 3.10.1.9.1
requirements, 3.2.2
reusing, 3.2.3.5, 10.5
reusing passwords, 3.2.3.5
roles, 4.4.4.1
secure external password store, 3.2.5.1
security risks, 3.3.3
SYS and SYSTEM, 10.5, 10.5
used in roles, 4.4.1.2
UTLPWDMG.SQL password script
password management, 3.2.3.7
verified using SHA-1 hashing algorithm, 3.2.4, 3.2.4
See also authentication
performance
application contexts, 6.1
Oracle Virtual Private Database policies, 7.1.2.2
Oracle Virtual Private Database policy types, 7.3.6
resource limits and, 2.4.1
permissions
default, 10.6
run-time facilities, 10.3
PKI
See public key infrastructure (PKI)
PL/SQL
auditing of statements within, 9.5.3.1
roles in procedures, 4.4.1.5
PL/SQL procedures
setting application context, 6.3.3.1
PMON background process
application contexts, cleaning up, 6.3.1
positional parameters
security risks, 5.3.1.4
principle of least privilege, 10.3
about, 10.3
granting user privileges, 10.3
middle-tier privileges, 3.10.1.6
privileges
about, 4.1
access control lists, checking, 4.11.8
altering
passwords, 2.3.1
users, 2.3
altering role authentication method, 4.4.3
applications, managing, 5.4
auditing system, 9.5.7.2
auditing use of, 9.5.7, 9.5.7.2
auditing, recommened settings for, 10.9.5
cascading revokes, 4.7.3
column, 4.6.2.3
creating users, 2.2.1
dropping profiles, 2.4.4.2
finding information about, 4.12
granting
about, 4.3.3, 4.6
examples, 4.5.6.4, 4.5.6.4
object privileges, 4.6.2
schema object privileges, 4.5.3.1
system, 4.6.1
system privileges, 4.6
grants, listing, 4.12.1
grouping with roles, 4.4
managing, 5.8
middle tier, 3.10.1.6
object, 4.5.1, 4.5.2, 5.8.2
on selected columns, 4.7.2.2
procedures, 4.5.6.1
creating and altering, 4.5.6.3
executing, 4.5.6.1
in packages, 4.5.6.4
reasons to grant, 4.2
revoking privileges
about, 4.3.3
object, 4.7.2
object privileges, cascading effect, 4.7.3.2
object privileges, requirements for, 4.7.2
schema object, 4.5.3.1
revoking system privileges, 4.7.1
roles
creating, 4.4.3
dropping, 4.4.6
restrictions on, 4.4.1.6
roles, why better to grant, 4.2
schema object, 4.5.3
DML and DDL operations, 4.5.4
granting and revoking, 4.5.3.1
packages, 4.5.6.4
procedures, 4.5.6.1
SQL statements permitted, 5.8.2
system
granting and revoking, 4.3.3
SELECT ANY DICTIONARY, 10.6
SYSTEM and OBJECT, 10.3
system privileges
about, 4.3.1
trigger privileges, 4.5.6.2
view privileges
creating a view, 4.5.5.2
using a view, 4.5.5.3
views, 4.5.5.1
See also system privileges.
procedures
auditing, 9.5.9.1, 9.5.9.2
definer's rights
about, 4.5.6.2
roles disabled, 4.4.1.5.1
examples of, 4.5.6.4
examples of privilege use, 4.5.6.4
invoker's rights
about, 4.5.6.2
roles used, 4.4.1.5.2
privileges for procedures
create or alter, 4.5.6.3
executing, 4.5.6.1
executing in packages, 4.5.6.4
security enhanced by, 4.5.6.2
process monitor process (PMON)
cleans up timed-out sessions, 2.4.2.5
PRODUCT_USER_PROFILE table, 4.4.7.2
SQL commands, disabling with, 4.4.7.2
products and options
install only as necessary, 10.7
profiles, 2.4.4
about, 2.4.4
creating, 2.4.4.1
dropping, 2.4.4.2, 2.4.4.2
finding information about, 2.6.1
managing, 2.4.4
password management, 3.2.3.1
privileges for dropping, 2.4.4.2
specifying for user, 2.2.7
viewing, 2.6.4
program global area (PGA)
effect of MAX_ENABLED_ROLES on, 4.10.3
proxy authentication
about, 3.10.1, 3.10.1.1
advantages, 3.10.1.2
auditing actions on behalf of real user, 3.10.1.10
auditing operatings, 3.9.1
client-to-middle tier sequence, 3.10.1.5.1
middle-tier
authorizing but not authenticating users, 3.10.1.8
authorizing to proxy and authenticate users, 3.10.1.7
limiting privileges, 3.10.1.6
reauthenticating users, 3.10.1.9
passwords, expired, 3.10.1.3
secure external password store, used with, 3.10.1.4
security benefits, 3.10.1.2
users, passing real identity of, 3.10.1.5
PROXY_USER attribute, 6.3.6.3
PROXY_USERS view, 3.10.1.3
pseudo columns
USER, 4.5.5.3
PUBLIC
procedures and, 4.8
user group, 4.8
public key infrastructure (PKI)
about, 3.6.2
PUBLIC privilege
guidelines for security, 10.3
PUBLIC user group
about, 4.4.1.4
granting and revoking privileges to, 4.8
security domain of users, 4.4.1.4
security guideline, 10.3
PUBLIC_DEFAULT profile
profiles, dropping, 2.4.4.2

Q

quotas
revoking from users, 2.2.5.1
setting to zero, 2.2.5.1
tablespace, 2.2.5
temporary segments and, 2.2.5
unlimited, 2.2.5.2
viewing, 2.6.3

R

RADIUS authentication, 3.6.2
read-only mode, affect on AUDIT_TRAIL parameter, 9.5.3.4
reads
limitis on data blocks, 2.4.2.4
RECOVERY_CATALOG_OWNER role
about, 4.4.2
REFERENCES privilege
CASCADE CONSTRAINTS option, 4.7.2.3
revoking, 4.7.2.2, 4.7.2.3
SQL statements permitted, 5.8.2
when granted through a role, 4.4.1.6
remote authentication, 10.8.1, 10.8.1
REMOTE_OS_AUTHENT initialization parameter
guideline for securing, 10.8.1
setting, 3.8.4
remote_os_authentication, 10.8.1
REMOTE_OS_ROLES initialization parameter
OS role management risk on network, 4.9.6
setting, 4.4.4.3.2
resource limits
about, 2.4.1
call level, limiting, 2.4.2.2
connection time for each session, 2.4.2.5
CPU time, limiting, 2.4.2.3
determining values for, 2.4.3
idle time in each session, 2.4.2.5
logical reads, limiting, 2.4.2.4
private SGA space for each session, 2.4.2.5
profiles, 2.4.4, 2.4.4
session level, limiting, 2.4.2.1
sessions
concurrent for user, 2.4.2.5
elapsed connection time, 2.4.2.5
idle time, 2.4.2.5
SGA space, 2.4.2.5
types, 2.4.2
RESOURCE privilege
CREATE SCHEMA statement, needed for, 5.7.1
RESOURCE role, 4.5.7.1
about, 4.4.2
REVOKE CONNECT THROUGH clause
revoking proxy authorization, 3.10.1.3
REVOKE statement
system privileges and roles, 4.7.1
when takes effect, 4.10
revoking privileges and roles
cascading effects, 4.7.3
on selected columns, 4.7.2.2
REVOKE statement, 4.7.1
specifying ALL, 4.5.2
when using operating-system roles, 4.9.4
role identification
operating system accounts, 4.9.2
ROLE_SYS_PRIVS view
application privileges, 5.4
ROLE_TAB_PRIVS view
application privileges, finding, 5.4
roles
about, 4.1, 4.4.1
ADMIN OPTION and, 4.6.1.1
advantages in application use, 5.4
application, 4.4.1.3.1, 4.4.7, 5.6, 5.6, 5.8
application privileges, 5.4
applications, for user, 5.6
AQ_ADMINISTRATOR_ROLE role, 4.4.2
AQ_USER_ROLE role, 4.4.2
audited when default auditing is enabled, 9.4
AUTHENTICATEDUSER role, 4.4.2
authorization, 4.4.4
authorized by enterprise directory service, 4.4.4.4
changing authorization for, 4.4.3
changing passwords, 4.4.3
CONNECT role
about, 4.4.2
create your own, 10.4
CSW_USR_ROLE role, 4.4.2
CTXAPP role, 4.4.2
CWM_USER role, 4.4.2
database authorization, 4.4.4.1
database role, users, 5.6.1
DATAPUMP_EXP_FULL_DATABASE role, 4.4.2
DATAPUMP_IMP_FULL_DATABASE role, 4.4.2
DBA role, 4.4.2
DDL statements and, 4.4.1.6
default, 4.10.2
default, setting for user, 2.2.8
definer's rights procedures disable, 4.4.1.5.1
DELETE_CATALOG_ROLE role, 4.4.2
dependency management in, 4.4.1.6
disabling, 4.10.1
dropping, 4.4.6
EJBCLIENT role, 4.4.2
enabled or disabled, 4.4.1.1, 4.4.5
enabling, 4.10.1, 5.6
enterprise, 3.7, 4.4.4.4
EXECUTE_CATALOG_ROLE role, 4.4.2
EXP_FULL_DATABASE role, 4.4.2
finding information about, 4.12
functionality, 4.2
functionality of, 4.4.1.1
GATHER_SYSTEM_STATISTICS role, 4.4.2
global, 3.7
global authorization, 4.4.4.4
about, 4.4.4.4
global roles
creating, 4.4.4.4
GLOBAL_AQ_USER_ROLE role, 4.4.2
GRANT statement, 4.9.5
granting roles
about, 4.6
methods for, 4.4.5
system, 4.6.1
system privileges, 4.3.3
guidelines for security, 10.4
HS_ADMIN_ROLE role, 4.4.2
IMP_FULL_DATABASE role, 4.4.2
in applications, 4.4.1.2
invoker's rights procedures use, 4.4.1.5.2
JAVA_ADMIN role, 4.4.2
JAVA_DEPLOY role, 4.4.2
JAVADEBUGPRIV role, 4.4.2
JAVAIDPRIV role, 4.4.2
JAVASYSPRIV role, 4.4.2
JAVAUSERPRIV role, 4.4.2
JMXSERVER role, 4.4.2
job responsibility privileges only, 10.4
LBAC_DBA role, 4.4.2
listing grants, 4.12.2
listing privileges and roles in, 4.12.6
listing roles, 4.12.5
LOGSTDBY_ADMINISTRATOR role, 4.4.2
management using the operating system, 4.9
managing roles
about, 4.4
categorizing users, 5.8
managing through operating system, 4.4.1.7
maximum, 4.10.3
MGMT_USER role, 4.4.2
multibyte characters in names, 4.4.3
multibyte characters in passwords, 4.4.4.1
naming, 4.4.1
network authorization, 4.4.4.3.2
network client authorization, 4.4.4.3.2
OEM_ADVISOR role, 4.4.2
OEM_MONITOR role, 4.4.2
OLAP_DBA role, 4.4.2
OLAP_USER role, 4.4.2
OLAP_XS_ADMIN role, 4.4.2
OLAPI_TRACE_USER role, 4.4.2
One Big Application User, compromised by, 5.2.1
operating system, 4.9.2
operating system authorization, 4.4.4.3.1
operating system granting of, 4.9.5
operating system identification of, 4.9.2
operating system management and the shared server, 4.9.6
operating system-managed, 4.9.3, 4.9.4
operating-system authorization, 4.4.4.3
ORDADMIN role, 4.4.2
OWB$CLIENT role, 4.4.2
OWB_DESIGNCENTER_VIEW role, 4.4.2
OWB_USER role, 4.4.2
passwords for enabling, 4.4.4.1
predefined, 4.4.2
privileges for creating, 4.4.3
privileges for dropping, 4.4.6
privileges, changing authorization method for, 4.4.3
privileges, changing passwords, 4.4.3
RECOVERY_CATALOG_OWNER role, 4.4.2
RESOURCE role, 4.4.2
restricting from tool users, 4.4.7
restrictions on privileges of, 4.4.1.6
REVOKE statement, 4.9.5
revoking, 4.4.5, 4.7.1
revoking ADMIN OPTION, 4.7.1
SCHEDULER_ADMIN role, 4.4.2
schemas do not contain, 4.4.1
security domains of, 4.4.1.4
SELECT_CATALOG_ROLE role, 4.4.2
SET ROLE statement, 4.9.5
setting in PL/SQL blocks, 4.4.1.5.2
SPATIAL_CSW_ADMIN role, 4.4.2
SPATIAL_WFS_ADMIN role, 4.4.2
unique names for, 4.4.3
use of passwords with, 4.4.1.2
user, 4.4.1.3.2, 5.8
users capable of granting, 4.4.5.1
uses of, 4.4.1.3
WFS_USR_ROLE role, 4.4.2
WITH GRANT OPTION and, 4.6.2.1
without authorization, 4.4.3
WKUSER role, 4.4.2
WM_ADMIN_ROLE role, 4.4.2
XDB_SET_INVOKER roles, 4.4.2
XDB_WEBSERVICES role, 4.4.2
XDB_WEBSERVICES_OVER_HTTP role, 4.4.2
XDB_WEBSERVICES_WITH_PUBLIC role, 4.4.2
XDBADMIN role, 4.4.2
See also secure application roles
root file paths
for files and packages outside the database, 10.3
row-level security
See fine-grained access control, Oracle Virtual Private Database (VPD)
RSA private key, 10.8.3
run-time facilities, 10.3
restriction permissions, 10.3

S

Sample Schemas
remove or relock for production, 10.7
test database, 10.7
sample schemas, 10.7
Sarbanes-Oxley Act
auditing to meet compliance, 9.4, 10.9.1
scheduler jobs and CREATE EXTERNAL JOB privilege, 4.3.2.2
SCHEDULER_ADMIN role
about, 4.4.2
schema object privileges, 4.5.3
schema objects
audit options, disabling, 9.5.9.4
auditing, 9.5.9
cascading effects on revoking, 4.7.3.2
default audit options, 9.5.9.3
default tablespace for, 2.2.4
disabling audit options, 9.5.7.3
dropped users, owned by, 2.5
enabling audit options on, 9.5.9.3
granting privileges, 4.6.2
in a revoked tablespace, 2.2.5.1
privileges
DML and DDL operations, 4.5.4
granting and revoking, 4.5.3.1
view privileges, 4.5.5.1
privileges on, 4.5.3
privileges to access, 4.5.2
privileges with, 4.5.2
revoking privileges, 4.7.2
schema-independent users, 5.7.2
schemas
auditing, recommended settings for, 10.9.5
private, 3.7.1.1
shared among enterprise users, 3.7.1.2
shared, protecting objects in, 5.7.2
unique, 5.7
unique, protecting objects in, 5.7.1
SCOTT user account
restricting privileges of, 10.4
script files
audit trail views, removing, 9.10.3
CATNOAUD.SQL, 9.10.3
scripts, authenticating users in, 3.2.5.1
SEC_CASE_SENSITIVE_LOGIN initialization parameter, 3.2.3.8
SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, 5.9.3
SEC_PROTOCOL_ERROR_FURTHER_ACTION initialization parameter, 5.9.2
SEC_PROTOCOL_ERROR_TRACE_ACTION initialization parameter, 5.9.1
sec_relevant_cols_opt parameter, 7.3.4.3
SEC_RETURN_SERVER_RELEASE_BANNER initialization parameter, 5.9.4
SEC_USER_AUDIT_ACTION_BANNER initialization parameter, 5.9.5
SEC_USER_UNAUTHORIZED_ACCESS_BANNER initialization parameter, 5.9.5
secure application roles
about, 5.5
creating, 5.5.1
creating PL/SQL package, 5.5.2
finding with DBA_ROLES view, 4.12
invoker's rights, 5.5.2
invoker's rights requirement, 5.5.2
package for, 5.5.2
SET ROLE statement, 5.5.2
user environment information from SYS_CONTEXT SQL function, 5.5.2, 5.5.2
using to ensure database connection, 4.4.8
secure external password store
about, 3.2.5.1
client configuration, 3.2.5.3
examples, 3.2.5.2
how it works, 3.2.5.2
proxy authentication, used with, 3.10.1.4
Secure Sockets Layer (SSL)
about, 3.6.1
certificate key algorithm, 10.8.3
certificates, enabling for user and server, 10.8.1
cipher suites, 10.8.3
configuration files, securing, 10.8.3
configuring for SYSDBA or SYSOPER access, 3.3.1.3
global users with private schemas, 3.7.1.1
guidelines for security, 10.8.3, 10.8.3
listener, administering, 10.8.2
mode, 10.8.3
pass phrase, 10.8.3
RSA private key, 10.8.3
securing SSL connection, 10.8.3
server.key file, 10.8.3
TCPS, 10.8.3
security
application enforcement of, 4.4.1.2
default user accounts
locked and expired automatically, 10.3
locking and expiring, 10.3
domains, enabled roles and, 4.4.5
enforcement in application, 5.2.2
enforcement in database, 5.2.2
multibyte characters in role names, 4.4.3
multibyte characters in role passwords, 4.4.4.1
passwords, 3.4.1
policies
applications, 5.1
SQL*Plus users, restricting, 4.4.7
tables or views, 7.1.2.1
procedures enhance, 4.5.6.2
resources, additional, 1.2
roles, advantages in application use, 5.4
See also security risks
security alerts, 10.2.1
security attacks
access to server after protocol errors, preventing, 5.9.2
application context values, attempts to change, 6.3.2
application design to prevent attacks, 5.3
command line recall attacks, 5.3.1.1, 5.3.1.4
Denial of Service, 10.8.2
bad packets, addressing, 5.9.1
Denial of Service attacks through listener, 10.8.2
disk flooding, preventing, 5.9.1
eavesdropping, preventing by using SSL, 10.8.1
encryption, problems not solved by, 8.2.2
falsified IP addresses, 10.8.1
falsified or stolen client system identities, 10.8.1
hacked operating systems or applications, 10.8.1
intruders, 8.2.2
password cracking, 3.2.1
password protections against, 3.2.1
preventing malicious attacks from clients, 5.9
preventing password theft with proxy authentication and secure external password store, 3.10.1.4
session ID, need for encryption, 6.4.4.3
shoulder surfing, 5.3.1.4
SQL injection attacks, 5.3.1.2
unlimited authenticated requests, preventing, 5.9.3
user session output, hiding from intruders, 6.3.4
See also security risks
security domains
enabled roles and, 4.4.1.1
security patches
about, 10.2.1
downloading, 10.2.1
security policies
See Oracle Virtual Private Database, policies
security risks
ad hoc tools, 4.4.7.1, 4.4.7.1
application users not being database users, 5.2.1
applications enforcing rather than database, 5.2.2
audit records being tampered with, 9.6.2.1
bad packets to server, 5.9.1
database version displaying, 5.9.4
encryption keys, users managing, 8.3.4.3
password files, 3.3.3
passwords exposed in large deployments, 3.2.5.1
passwords, exposing in programs or scripts, 5.3.1.4
positional parameters in SQL scripts, 5.3.1.4
privileges carelessly granted, 4.3.5
PUBLIC privilege, objects created with, 4.3.5
remote user impersonating another user, 4.4.4.3.2
server falsifying identities, 10.8.3
standard audit trail, protecting, 9.5.3.8
users with multiple roles, 5.6.1
See also security attacks
SELECT ANY DICTIONARY privilege
data dictionary, accessing, 10.6
exclusion from GRANT ALL PRIVILEGES privilege, 10.6
SELECT privilege
SQL statements permitted, 5.8.2
SELECT_CATALOG_ROLE role
about, 4.4.2
SYS schema objects, enabling access to, 4.3.2.3
sequences
auditing, 9.5.9.1
server.key file
pass phrase to read and parse, 10.8.3
service-oriented architecture (SOA)
security enhancements for Oracle XML DB, Preface
SESSION_ROLES view
queried from PL/SQL block, 4.4.1.5.1
sessions
about, 9.5.10.2.2
auditing by, 9.5.3.5, 9.5.10.2.2
listing privilege domain of, 4.12.4
memory use, viewing, 2.6.5
time limits on, 2.4.2.5
when auditing options take effect, 9.5.3.1
SET ROLE statement
application code, including in, 5.6.2
associating privileges with role, 5.6.1
disabling roles with, 4.10.1
enabling roles with, 4.10.1
how password is set, 4.4.4.1
secure application roles, 5.5.2
when using operating-system roles, 4.9.5
SGA
See System Global Area (SGA)
SHA-1 hashing algorithm
enabling exclusive mode, 3.2.4
how it increases password safety, 3.2.4
Shared Global Area (SGA)
See System Global Area (SGA)
shared server
limiting private SQL areas, 2.4.2.5
operating system role management restrictions, 4.9.6
shoulder surfing, 5.3.1.4
SHOW PARAMETERS statement, 9.5.3.3
smart cards
guidelines for security, 10.5
SOA
See service-oriented architecture
SPATIAL_CSW_ADMIN role, 4.4.2
SPATIAL_WFS_ADMIN role, 4.4.2
SQL injection attacks, 5.3.1.2
SQL statements
audit options, 9.5.6.2
auditing
about, 9.5.6
disabling, 9.5.6.3
enabling, 9.5.6.2
executions, 9.5.10.1
when records generated, 9.5.3.1
dynamic, 6.3.3.3
object privileges permitting in applications, 5.8.2
privileges required for, 4.5.3, 5.8.2
resource limits and, 2.4.2.2
restricting ad hoc use, 4.4.7.1, 4.4.7.1
SQL*Net
See Oracle Net
SQL*Plus
connecting with, 3.5
restricting ad hoc use, 4.4.7.1, 4.4.7.1
statistics monitor, 2.4.3
SSL
See Secure Sockets Layer
standard audit trail
activities always recorded, 9.5.3.2
archiving, 9.5.3.7.1
AUDIT SQL statement, 9.5.3.5
auditing standard audit trail, 9.5.3.9
controlling size of, 9.5.3.7
disabling, 9.5.3.3
enabling, 9.5.3.3
maximum size of, 9.5.3.7
NOAUDIT SQL statement, 9.5.3.6
operating system, 9.2.3
protecting, 9.5.3.8
records, archiving, 9.5.3.7.1
records, purging, 9.5.3.7.2
size, reducing, 9.5.3.7.2
transaction independence, 9.5.3.1
when created, 9.5.3.1
standard auditing
about, 9.5.1
administrative users on all platforms, 9.6.1
administrators on UNIX systems, 9.6.2
archiving audit trail, 9.9
audit option levels, 9.5.3.5
audit trails
database, 9.3.1
auditing
default auditing, enabling, 9.4
by access
about, 9.5.10.2.1
setting, 9.5.3.5
by session
about, 9.5.10.2.2
prohibited with, 9.5.10.2
setting, 9.5.3.5
customized, 9.7
database audit trail records, 9.3.1
DDL statement auditing, 9.5.6.1
default options, 9.5.9.3
default options, disabling, 9.5.9.4
disabling, 9.5.3.6
disabling options versus auditing, 9.5.3.6
DML statements, 9.5.6.1
enabling options versus auditing, 9.5.3.5
executions, 9.5.10.1
information stored in OS file, 9.5.4.1
managing audit trail, 9.5.3
mandatory auditing, 9.2.3
network auditing, 9.1.2
about, 9.5.11
disabling, 9.5.11.3
enabling, 9.5.11.1
error types recorded, 9.5.11.2
object auditing
See standard auditing, schema object
operating system audit trail, 9.5.4
file location, 9.5.4.3
operating system audit trail using, 9.5.5
privilege auditing
about, 9.5.7
disabling, 9.5.7.3
enabling, 9.5.7.2
multitier environment, 9.5.8
options, 9.5.7.2
system privileges, 9.5.7.2
types, 9.5.7.1
privileges needed, 9.5.2
range of focus, 9.5.10
schema object auditing
about, 9.5.9
disabling, 9.5.9.4
enabling, 9.5.9.3
example, 9.5.9.3
options, 9.5.9.2
types, 9.5.9.1
SQL statement
See standard auditing, statement auditing
statement auditing
about, 9.5.6
disabling, 9.5.6.3
enabling, 9.5.6.2
multitier environment, 9.5.8
statement level, 9.5.6.2
successful, 9.5.3.5
types you can audit, 9.5.6.1
unsuccessful, 9.5.3.5
SYS users, 9.6.1, 9.6.1
system privileges, 9.5.6.2
trigger use for customized auditing, 9.7
user, 9.5.10.3
See also auditing, standard audit trail, SYS.AUD$ table
storage
quotas and, 2.2.5
revoking tablespaces and, 2.2.5.1
unlimited quotas, 2.2.5.2
stored procedures
using privileges granted to PUBLIC, 4.8
strong authentication
centrally controlling SYSDBA and SYSOPER access to multiple databases, 3.3.1
guideline, 10.5
symbolic links
restricting, 10.6
synonyms
inheriting privileges from object, 4.5.3.3
SYS account
policy enforcement, 7.5.4.2
SYS and SYSTEM
passwords, 10.5, 10.5
SYS schema
objects, access to, 4.3.2.3
SYS_CONTEXT function
about, 6.3.3.2
database links, 6.3.3.5
dynamic SQL statements, 6.3.3.3
example, 6.3.3.6
parallel query, 6.3.3.4
STATIC policies, 7.3.6.4
syntax, 6.3.3.2
SYS_CONTEXT SQL function, 5.5.2
validating users, 5.5.2
SYS_DEFAULT Oracle Virtual Private Database policy group, 7.3.5.3
SYSASM privilege, Preface
SYS.AUD$ table
about, 9.3.1
audit records, writing to, 9.5.3.4
auditing, 9.3.1
contents, 9.3.1
data values in audited statement, 9.3.1
too full or unavailable, 9.3.1
viewing contents, 9.3.1
XML, EXTENDED audit trail, 9.5.3.4
See also standard auditing
SYS.FGA_LOG$ table
about, 9.3.1
archiving, 9.8.4
auditing, 9.3.1
contents, 9.3.1
data values in audited statement, 9.3.1
purging, 9.8.4
too full or unvailable, 9.3.1
viewing contents, 9.3.1
SYS.FGA_LOGS$ table
See also fine-grained auditing
syslog audit trail
about, 9.6.2.1
configuring, 9.6.2.3
format, 9.6.2.2
SYSMAN user account, 10.5, 10.5
SYS-privileged connections, 10.3
System Global Area (SGA)
application contexts, storing in, 6.1
global application context information location, 6.4.1
limiting private SQL areas, 2.4.2.5
system privileges, 10.3
about, 4.3.1
ADMIN OPTION, 4.3.4
ANY
guidelines for security, 10.6
ANY system privileges, 4.3.2
GRANT ANY OBJECT PRIVILEGE, 4.6.2.2, 4.7.2.1
GRANT ANY PRIVILEGE, 4.3.4
granting, 4.6.1
granting and revoking, 4.3.3
power of, 4.3.1
restriction needs, 4.3.2
revoking, cascading effect of, 4.7.3.1
SELECT ANY DICTIONARY, 10.6
SYSASM privilege, Preface

T

tables
auditing, 9.5.9.1
privileges on, 4.5.4
tablespaces
assigning defaults for users, 2.2.4
default quota, 2.2.5
quotas for users, 2.2.5
quotas, viewing, 2.6.3
revoking from users, 2.2.5.1
temporary
assigning to users, 2.2.6
unlimited quotas, 2.2.5.2
TCPS protocol
Secure Sockets Layer, used with, 10.8.2
tnsnames.ora file, used in, 10.8.3
TELNET service, 10.8.2
TFTP service, 10.8.2
time measurement for statement execution, 7.3.6.1
token cards, 10.5
trace files
access to, importance of restricting, 10.6
bad packets, 5.9.1
location of, finding, 6.6
transparent data encryption, 8.3.4.4
transparent tablespace encryption, 8.3.4.4
triggers
auditing, 9.5.9.2
auditing, used for custom auditing, 9.7
CREATE TRIGGER ON, 5.8.2
logon
examples, 6.3.4
externally initialized application contexts, 6.3.4
privileges for executing, 4.5.6.2
roles, 4.4.1.5
WHEN OTHERS exception, 6.3.4
trusted procedure
database session-based application contexts, 6.1
tsnames.ora configuration file, 10.8.3
tutorials
application context, database session-based, 6.3.5
global application context with client session ID, 6.4.5
Oracle Virtual Private Database
policy groups, 7.4.3
policy implementing, 7.4.2
simple example, 7.4.1
standard auditing
SYS.AUD$ auditing table, changes to, 9.3.2
See also examples
types
creating, 4.5.7.5
privileges on, 4.5.7
user defined
creation requirements, 4.5.7.4

U

UDP and TCP ports
close for ALL disabled services, 10.8.2
UGA
See User Global Area (UGA)
UNIX systems, auditing administrators on, 9.6.2
UNLIMITED TABLESPACE privilege, 2.2.5.2, 2.2.5.2
UPDATE privilege
revoking, 4.7.2.2
user access
auditing by, 9.5.3.5
user accounts
administrative user passwords, 10.5
default user account, 10.5
password guidelines, 10.5
passwords, encrypted, 10.5
USER function
global application contexts, 6.4.3.2
User Global Area (UGA)
application contexts, storing in, 6.1
user names
schemas, 5.7
USER pseudo column, 4.5.5.3
user sessions, multiple within single database connection, 3.10.1.5
user-defined columns
auditing, 9.8.1
USERENV function, 6.3.3.2, 8.4
USERENV namespace
about, 6.3.3.2
client identifiers, 3.10.2
See also CLIENT_IDENTIFIER USERENV attribute
users
administrative option (ADMIN OPTION), 4.6.1.1
altering, 2.3
application users not known to database, 3.10.2
assigning unlimited quotas for, 2.2.5.2
auditing, 9.5.10.3
database role, current, 5.6.1
default roles, changing, 2.2.8
default tablespaces, 2.2.4
dropping, 2.5, 2.5
dropping profiles and, 2.4.4.2
dropping roles and, 4.4.6
enabling roles for, 5.6
enterprise, 3.7, 4.4.4.4
enterprise, shared schema protection, 5.7.2
external authentication
about, 3.8.1
advantages, 3.8.2
operating sytsem, 3.8.4
user creation, 3.8.3
finding information about, 2.6.1
global, 3.7
hosts, connecting to multiple
See external network services, fine-grained access to
information about, viewing, 2.6.2
listing roles granted to, 4.12.2
memory use, viewing, 2.6.5
network authentication, external, 3.8.5
nondatabase, 6.4.1, 6.4.3.5
objects after dropping, 2.5
operating system external authentication, 3.8.4
password encryption, 3.2.1
privileges
for changing passwords, 2.3
for creating, 2.2.1
granted to, listing, 4.12.1
of current database role, 5.6.1
profiles
creating, 2.4.4.1
specifying, 2.2.7
proxy authentication, 3.10.1
proxy users, connecting as, 3.10.1.1
PUBLIC group, 4.8
PUBLIC user group, 4.4.1.4
restricting application roles, 4.4.7
roles and, 4.4.1.2
for types of users, 4.4.1.3.2
schema-independent, 5.7.2
schemas, private, 3.7.1.1
security domains of, 4.4.1.4
security, about, 2.1
tablespace quotas, 2.2.5
tablespace quotas, viewing, 2.6.3
user accounts, creating, 2.2.1
user models and Oracle Virtual Private Database, 7.5.5
user name, specifying with CREATE USER statement, 2.2.2
views for finding information about, 2.6
UTLPWDMG.SQL
about, 3.2.3.7
guidelines for security, 10.5

V

valid node checking, 10.8.2
views
about, 4.5.5.1
access control list data, 4.11.10
application contexts, 6.6
audit trail, 9.10.1, 9.10.1
auditing, 9.5.9.1, 9.5.9.2
DBA_COL_PRIVS, 4.12.3
DBA_NETWORK_ACL_PRIVILEGES, 4.11.8, 4.11.10
DBA_NETWORK_ACLS, 4.11.10
DBA_ROLE_PRIVS, 4.12.2
DBA_ROLES, 4.12.5
DBA_SYS_PRIVS, 4.12.1
DBA_TAB_PRIVS, 4.12.3
DBA_USERS_WITH_DEFPWD, 3.2.3.2
encrypted data, 8.7
Oracle Virtual Private Database policies, 7.6
privileges, 4.5.5.1, 4.12
profiles, 2.6.1
ROLE_ROLE_PRIVS, 4.12.6
ROLE_SYS_PRIVS, 4.12.6
ROLE_TAB_PRIVS, 4.12.6
roles, 4.12
security applications of, 4.5.5.3
SESSION_PRIVS, 4.12.4
SESSION_ROLES, 4.12.4
USER_NETWORK_ACL_PRIVILEGES, 4.11.10
users, 2.6.1
Virtual Private Database
See Oracle Virtual Private Database
VPD
See Oracle Virtual Private Database
vulnerable run-time call, 10.3
made more secure, 10.3

W

Wallet Manager
See Oracle Wallet Manager
wallets
authentication method, 3.6.2
Web applications
user connections, 6.4.1, 6.4.3.5
Web services
security enhancements for Oracle XML DB, Preface
Web-based applications
Oracle Virtual Private Database, how it works with, 7.5.5
WFS_USR_ROLE role, 4.4.2
WHEN OTHERS exceptions
logon triggers, used in, 6.3.4
WHERE clause, dynamic SQL, 7.2.1
Windows operating system
audit trail setting, OS, 9.5.4.3
WKUSER role, 4.4.2
WM_ADMIN_ROLE role, 4.4.2

X

X.509 certificates
guidelines for security, 10.5
XDB_SET_INVOKER role, 4.4.2
XDB_WEBSERVICES role, 4.4.2
XDB_WEBSERVICES_OVER_HTTP role
about, 4.4.2
XDB_WEBSERVICES_WITH_PUBLIC role, 4.4.2
XDBADMIN role, 4.4.2
XML
AUDIT_TRAIL XML setting, 9.5.3.4
AUDIT_TRAIL XML, EXTENDED setting, 9.5.3.4
XML, EXTENDED AUDIT_TRAIL setting
used with DB in AUDIT_TRAIL, 9.5.3.4
used with XML in AUDIT_TRAIL, 9.5.3.4
Go to previous page
Previous
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Master Index
Master Index		 Go to Feedback page
Contact Us