Skip Headers

Oracle® Database Security Guide
10g Release 1 (10.1)
Part Number B10773-01
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Master Index
Master Index		 Go to Feedback page
Feedback
Go to previous page
Previous
 View PDF

Index

A  B  C  D  E  F  G  H  I  K  L  M  N  O  P  Q  R  S  T  U  V  W  X 

Symbols

"all permissions", 2-5, 7-27
"change_on_install" default password, 2-3, 7-24
"manager" default password, 2-3, 7-24

Numerics

07_DICTIONARY_ACCESSIBILITY, 7-8

A

access control, 5-2
enforce, 7-27
fine-grained access control, 6-3
password encryption, 4-8, 7-5
privileges, 5-2
account locking
explicit, 7-13
password management, 7-12
example, 7-13
PASSWORD_LOCK_TIME, 7-13
ADD_CONTEXT procedure, 14-36
ADD_GROUPED_POLICY procedure, 14-36
ADD_POLICY procedure, 14-35
ADMIN OPTION
about, 10-25
revoking roles/privileges, 10-30
roles, 5-23
system privileges, 5-4
administration
difficulties in complex environments, 1-4
administrative
delays, 1-4
passwords, 2-4, 7-24
privileges, 7-7
roles, 7-7
administrator
application security, 7-11
administrator connections, 7-7
administrator privileges
statement execution audited, 8-8
write, on listener.ora, 7-30
administrator security, 7-7
AES, i-xxxviii
algorithms
encryption, i-xxxviii
hash, i-xxxviii
ALTER privilege, 12-15
ALTER PROFILE
password management, 7-12
ALTER RESOURCE COST statement, 10-14
ALTER ROLE statement
changing authorization method, 10-21
ALTER SESSION SET SCHEMA statement, 13-12
ALTER SESSION statement
SET SCHEMA, 12-13
ALTER TABLE statement
auditing, 8-10
ALTER USER, 7-7, 7-12, 7-14
explicit account unlocking, 7-13
password
expire, 7-14
ALTER USER privilege, 10-7
ALTER USER statement
default roles, 10-36
GRANT CONNECT THROUGH clause, 9-8
REVOKE CONNECT THROUGH clause, 9-8
altering users, 10-7
ANONYMOUS, 7-22
anonymous PL/SQL blocks, 12-9
ANY system privilege, 7-24
application administrator security, 7-11
application administrators, 7-11
application context, 7-3
as secure data cache, 13-16, 14-1, 14-2
bind variables, 13-17
creating, 14-6
examples, 14-7
fine-grained access control, 3-9, 13-16
how to use session-based, 14-3
local versus global, 14-2
non-session-based (global), 14-2
parallel query, i-xxxvii, 14-5
performance, 14-11
returning predicate, 13-16
security features, 13-10
session-based, 14-2
setting, 14-7
support for database links, 14-18
USERENV namespace, 13-11
using in policy, 14-7
application developer environment
test and production databases, 7-10
application developer security, 7-9
application developers
privileges, 7-9
privileges for, 7-9
roles for, 7-10
application development
CREATE privileges, 7-11
free versus controlled, 7-10
object privileges, 7-11
roles and privileges, 7-10
security domain, 7-11
security for, 7-10
application roles, 12-5
application security
considerations for use, 12-2
limitations, 13-5
specifying attributes, 13-10
applications
about security policies for, 12-2
context, 6-6
database users, 12-2
enhancing security with, 5-21
One Big Application User model, 12-3, 12-4
roles, 12-8
roles and, 5-22
security, 12-4, 13-19
application context, 6-6
applications development
space restrictions, 7-11
tablespaces
developer restrictions, 7-11
AQ_ADMINISTRATOR_ROLE role, 10-20
AQ_USER_ROLE role, 10-19
AS SYSDBA, 2-4, 2-5
create, drop, delete, etc., 7-8
for administrator access, 2-4, 7-7, 7-8, 7-17, 7-25
AS SYSOPER, 2-4, 7-8
startup, shutdown, recovery, etc., 7-7
attacks
denial of service, 2-11, 7-32
attributes, USERENV, 13-12
audit files, 11-1, 11-5, 11-7, 11-9, 11-11, 11-14, 11-20
AUDIT statement
BY proxy clause, 11-13
schema objects, 11-16
statement auditing, 11-15
system privileges, 11-15
audit trail, 11-18
archiving, 11-20
controlling size of, 11-18
creating and deleting, 11-22
deleting views, 11-26
dropping, 11-22
interpreting, 11-23
maximum size of, 11-19
protecting integrity of, 11-21
purging records from, 11-19
reducing size of, 11-20
table that holds, 11-7
views on, 11-22
audit trail, uniform, i-xxxvii
AUDIT_FILE_DEST initialization parameter, 11-11, 11-12
setting for OS auditing, 11-12
AUDIT_SYS_OPERATIONS initialization parameter, 11-11
auditing SYS, 11-4
AUDIT_TRAIL initialization parameter, 11-11
auditing SYS, 11-5
setting, 11-11
AUDIT_TRAIL=DB, 11-11
AUDITED_CURSORID attribute, 13-12
auditing, 11-7
audit option levels, 11-13
audit options, 8-2
audit records, 8-3
audit trail records, 11-8
audit trails, 8-3
database, 8-4, 11-8
operating system, 8-5, 8-7
by access, 8-14
mandated for, 8-13
by session, 8-13
prohibited with, 8-13
compromised by One Big Application User, 12-3
database and operating-system usernames, 4-2
DDL statements, 8-9
default options, 11-16
described, 8-1
disabling default options, 11-18
disabling options, 11-10, 11-17, 11-18
disabling options versus auditing, 11-17
DML statements, 8-9
enabling options, 11-10
privileges for, 11-10
enabling options versus auditing, 11-14
fine-grained, 11-29
guidelines, 11-2
historical information, 11-3
information stored in OS file, 11-9
keeping information manageable, 11-3
managing the audit trail, 11-22
mandatory, 8-7
multi-tier environments, 11-13
new features, i-xxxvii
n-tier systems, 15-10
operating-system audit trails, 11-7
policies for, 7-20
privilege audit options, 11-15
privilege use, 8-3, 8-9
privileges required for object, 11-16
privileges required for system, 11-16
range of focus, 8-2, 8-12
schema object, 8-3, 8-10
schema objects, 11-16
security and, 8-6
session level, 11-15
statement, 8-3, 8-9, 11-15
statement level, 11-15
successful executions, 8-12
suspicious activity, 11-4
SYS, 11-4
system privileges, 11-15
to OS file, 11-12
transaction independence, 8-8
unsuccessful executions, 8-12
user, 8-15
using the database, 11-7
viewing
active object options, 11-25
active privilege options, 11-25
active statement options, 11-25
default object options, 11-26
views, 11-22
when options take effect, 8-8
auditing extensions, i-xxxviii
auditing policy, 7-20
authentication
by database, 9-1
by SSL, 9-1, 9-6
certificate, 7-31
client, 7-27, 7-31
compromised by One Big Application User, 12-3
database administrators, 4-14
described, 4-1
directory service, 9-6
external, 9-3
global, 9-5
multitier, 4-10
network, 4-3
n-tier systems, 15-5
operating system, 4-2
Oracle, 4-8
password policy, 7-4
proxy, 9-8
public key infrastructure, 4-4
remote, 4-6, 7-27, 7-28
specifying when creating a user, 10-3
strong, 7-24
user, 7-31
users, 7-2
ways to authenticate users, 9-1
AUTHENTICATION_DATA attribute, 13-12
AUTHENTICATION_TYPE attribute, 13-12
authorization
changing for roles, 10-21
global, 9-5
omitting for roles, 10-21
operating-system role management and, 10-23
roles, about, 10-21
Axent, 7-29

B

backups, 7-1
bfiles, 7-28
BG_JOB_ID attribute, 13-12
bind variables, 13-17
Block cipher, i-xxxviii

C

cascading revokes, 10-32
CATAUDIT.SQL script
running, 11-22
categories of security issues, 1-3
CATNOAUD.SQL, 11-26
CATNOAUD.SQL script
running, 11-26
central repository, 1-5
centralized management with distributable tools, 1-6
certificate authentication, 7-31
certificate key algorithm
Secure Sockets Layer
certificate key algorithm, 2-8
certificates for user and server authentication, 2-9
chaining mode, i-xxxviii
modifiers (CBC, CFB, ECB, OFB, i-xxxviii
character sets
multibyte characters in role names, 10-20
multibyte characters in role passwords, 10-22
checklists and recommendations
custom installation, 2-3, 7-20, 7-21
disallow modifying default permissions for Oracle Database home (installation) directory or its contents, 2-6
disallow modifying Oracle home default permissions, 7-28
limit the number of operating system users, 2-6, 7-28
limit the privileges of the operating system accounts, 2-6, 7-28
networking security, 2-7, 7-28
personnel, 2-2
physical access control, 2-2
restrict symbolic links, 2-6, 7-28
secure installation and configuration, 2-3, 7-20
CheckPoint, 7-29
cipher suites
Secure Sockets Layer, 2-8
Cisco, 7-29
client checklist, 2-8
CLIENT_IDENTIFIER
setting and clearing with DBMS_SESSION package, 15-13
setting for applications that use JDBC, 15-14
setting with OCI user session handle attribute, 15-13
CLIENT_IDENTIFIER attribute, 13-12
CLIENT_INFO attribute, USERENV, 13-12
column masking behavior, 13-4, 14-41
column masking behavior restrictions, 14-43
column masking behavior, VPD, i-xxxvi, 14-41
column-level VPD, 13-4, 14-40
adding policies for, 14-40
column masking behavior, 14-41
default behavior, 14-41
does not apply to synonyms, 14-40
new features, i-xxxvi
column-level VPD column masking restrictions, 14-43
columns
granting privileges for selected, 10-29
granting privileges on, 10-29
INSERT privilege and, 10-29
listing users granted to, 10-43
privileges, 10-29
pseudocolumns
USER, 5-9
revoking privileges on, 10-32
common platform for examples, 7-21
complex environments
administration difficulties, 1-4
concurrency
limits on
for each user, 5-30
configuration files, 2-8, 2-9, 2-11, 4-8, 4-10, 7-25, 7-30, 7-31, 7-32, 8-5, 9-4, 10-23, 10-40, 11-8, 11-11, 11-17, 14-46, 14-47
listener, 7-29
sample listener.ora, 7-30
SSL, 2-7
typical directory, 2-8
CONNECT, 7-25, 7-27
CONNECT /, 7-8
CONNECT role, 5-26, 10-18
connection pooling, 4-10
connections
auditing, 11-15
SYS-privileged, 2-5, 7-25
connections as SYS and SYSTEM, 7-7
context-sensitive policy type, i-xxxvi, 14-37, 14-39
controlled development, 7-10
CPU time limit, 5-30
CREATE
AS SYSDBA, 7-8
CREATE ANY TABLE, 2-5, 7-25
CREATE CONTEXT statement, 14-6
CREATE DBLINK, 7-27
CREATE PROCEDURE, 7-10
developers, 7-9
CREATE PROFILE, 7-12, 7-14
failed login attempts, 7-12
how long account is locked, 7-12
password aging and expiration, 7-13
password management, 7-12
CREATE ROLE statement
IDENTIFIED BY option, 10-21
IDENTIFIED EXTERNALLY option, 10-22
CREATE SCHEMA statement, 12-12
CREATE SESSION, 7-27
CREATE SESSION statement, 12-12
CREATE TABLE, 7-10
developers, 7-9
CREATE TABLE statement
auditing, 8-9, 8-12
CREATE USER, 7-12
explicit account locking, 7-13
password
expire, 7-14
CREATE USER statement
IDENTIFIED BY option, 10-3
IDENTIFIED EXTERNALLY option, 10-3
CREATE VIEW, 7-10
CREATE_POLICY_GROUP procedure, 14-36
creating an audit trail, 11-22
CTXSYS, 7-22
CURRENT_BIND attribute, 13-12
CURRENT_SCHEMA attribute, USERENV, 13-12
CURRENT_SCHEMAID attribute, 13-12
CURRENT_SQL attribute, 13-12
CURRENT_SQL_LENGTH attribute, 13-13
CURRENT_SQL1 to CURRENT_SQL7 attributes, 13-13
CURRENT_USER attribute, USERENV, 13-13
CURRENT_USERID attribute, 13-13
cursors
shared, 13-17
custom installation, 2-3, 7-20, 7-21

D

data
access to
fine-grained access control, 6-3
security level desired, 7-3
data definition language
auditing, 8-9
roles and privileges, 5-24
data dictionary protection, 2-5, 7-24
data dictionary tables, 7-7
data encryption, 3-3
data files, 7-28
data manipulation language
auditing, 8-9
privileges controlling, 5-6
data security level
based on data sensitivity, 7-3
data security policy, 7-3
database
granting privileges, 10-24
granting roles, 10-24
security and schemas, 12-12
user and application user, 12-2
database administrators
application administrator versus, 7-11
roles
for security, 7-8, 7-9
security for, 7-7
security officer versus, 7-1
database administrators (DBAs)
authentication, 4-14
DBA role, 5-26
password files, 4-15
database authentication, 9-1
Database Configuration Assistant, 2-3, 2-4, 7-21, 7-24
database descriptors, 7-29
database links, 14-18
database links, and SYS_CONTEXT, 14-6
database user management, 7-2
databases
access control
password encryption, 4-8, 7-5
limitations on usage, 5-28
production, 7-10, 7-11
test, 7-10
DB_DOMAIN attribute, USERENV, 13-13
DB_NAME attribute, 13-13
DBA role, 5-26, 10-18
DBA_COMMON_AUDIT_TRAIL view, i-xxxvii
DBA_ROLE_PRIVS view, 12-5
DBMS_CRYPTO, i-xxxviii, 16-6
DBMS_FGA package, 11-35
DBMS_OBFUSCATION_TOOLKIT, i-xxxviii, 16-6
DBMS_RLS package, 14-35
security policies, 6-5
uses definer's rights, 5-11
DBMS_RLS.ADD_POLICY
sec_relevant_cols parameter, 13-4, 14-41, 14-42
sec_relevant_cols_opt parameter, 14-41
DBMS_SESSION package
SET_CONTEXT procedure, 14-6
SET_ROLE procedure, 12-9, 12-10
DBMS_SQL package
SET_ROLE procedure, 12-12
DBSNMP, 2-4, 7-22, 7-23, 7-24
default
audit options, 11-16
disabling, 11-18
default accounts
ANONYMOUS, 7-22
CTXSYS, 7-22
DBSNMP, 7-22
DIP, 7-22
DMSYS, 7-22
EXFSYS, 7-22
HR, 7-22
MDDATA, 7-22
MDSYS, 7-22
MGMT_VIEW, 7-22
ODM, 7-22
ODM_MTR, 7-22
OE, 7-22
OLAPSYS, 7-22
ORDPLUGINS, 7-22
ORDSYS, 7-22
OUTLN, 7-22
PM, 7-22
QS, 7-22
QS_ADM, 7-22
QS_CB, 7-22
QS_CBADM, 7-22
QS_CS, 7-22
QS_ES, 7-22
QS_OS, 7-22
QS_WS, 7-22
RMAN, 7-22
SCOTT, 7-22
SH, 7-22
SI_INFORMTN_SCHEMA, 7-22
SYS, 7-22
SYSMAN, 7-22
SYSTEM, 7-22
WK_TEST, 7-22
WKPROXY, 7-22
WKSYS, 7-22
WMSYS, 7-22
XDB, 7-22
default passwords, 2-3, 2-4, 7-7, 7-17, 7-23, 7-24, 16-4
default permissions, 2-6, 7-28
default roles, 10-35
default user
accounts, 2-3, 2-4, 7-21
passwords, 2-4, 7-23, 7-24
default users
enterprise manager accounts, 7-23
defaults
"change_on_install" or "manager" passwords, 2-3, 7-24
role, 10-8
tablespace quota, 10-4
user tablespaces, 10-3
definer's rights
procedure security, 5-10
delays
administrative, 1-4
DELETE
AS SYSDBA, 7-8
DELETE privilege, 12-15
DELETE_CATALOG_ROLE role, 10-17, 10-19
DELETE_POLICY_GROUPS procedure, 14-36
denial of service attacks, 2-11, 7-32
DES, i-xxxviii, 7-5
developers, application, 7-9
development environment
free versus controlled, 7-10
dictionary protection mechanism, 10-15
DIP, 7-22
directory service
See also enterprise directory service.
disable unnecessary services
FTP, TFTP, TELNET, 7-32
DISABLE_GROUPED_POLICY procedure, 14-36
disabling
roles, 3-5
disabling audit options, 11-17, 11-18
disabling auditing, 11-10
disabling resource limits, 10-14
disallow modifying default permissions for database home directory or its contents, 2-6
disallow modifying Oracle home default permissions, 7-28
disconnections
auditing, 11-15
dispatcher processes (Dnnn)
limiting SGA space for each session, 5-31
distinguished names, i-xxxviii
DML support in fine-grained auditing, i-xxxvii
DMSYS, 7-22
DNs, i-xxxviii
DROP
AS SYSDBA, 7-8
DROP ANY TABLE, 7-25
DROP PROFILE statement, 10-14
DROP ROLE statement, 10-24
DROP TABLE statement
auditing, 8-9, 8-10
DROP USER privilege, 10-8
DROP USER statement, 10-9
DROP_CONTEXT procedure, 14-36
DROP_GROUPED_POLICY procedure, 14-36
DROP_POLICY procedure, 14-36
dropping an audit trail, 11-22
dropping profiles, 10-14
dropping users, 10-8
dynamic predicates
in security policies, 6-5
dynamic SQL, 13-3, 14-29
dynamic VPD policy types, 14-37
testing, 14-37

E

eavesdropping, 2-9
ENABLE_GROUPED_POLICY procedure, 14-36
ENABLE_POLICY procedure, 14-36
enabling
roles, 3-5
enabling resource limits, 10-14
encryption, 2-10, 3-3, 16-6
algorithms, i-xxxviii
database passwords, 9-2
network traffic, 7-32
stored data, 7-26
end-user security, 7-5
enforcement options
exemptions, 13-21
enterprise directory service, 7-7, 10-23
Enterprise Edition, 2-5, 7-24, 7-32
Enterprise Manager
granting roles, 5-23
statistics monitor, 5-32
enterprise roles, 7-7, 9-6, 10-23

enterprise user management, 12-3
Enterprise User Security, 14-22
enterprise users, 7-7, 9-6, 10-23, 12-13
Enterprise users are global users, i-xxxviii
ENTRYID attribute, 13-13
event triggers, 14-13
EXECUTE privilege, 2-5, 7-26, 12-15
EXECUTE_CATALOG_ROLE role, 10-16, 10-19
EXEMPT ACCESS POLICY privilege, 13-21
EXFSYS, 7-22
EXP_FULL_DATABASE role, 5-26, 10-19
expired & locked, 7-22
explicitly expiring a password, 7-14
Export utility
policy enforcement, 13-21
extensions to auditing, i-xxxviii
external authentication
by network, 9-5
by operating system, 9-4
external tables, 7-28
EXTERNAL_NAME attribute, USERENV, 13-13

F

failed login attempts
account locking, 7-12
password management, 7-12
resetting, 7-13
falsified IP addresses, 2-8
falsified or stolen client system identities, 2-8
features, new
See new features
Virtual Private Database, i-xxxvi
FG_JOB_ID attribute, 13-12, 13-13
files
audit, 11-1, 11-5, 11-7, 11-9, 11-11, 11-14, 11-20
bfiles, 2-6, 7-28
BLOB, 16-13
configuration, 2-8, 2-9, 2-11, 4-8, 4-10, 7-25, 7-30, 7-31, 8-5, 9-4, 10-23, 10-40, 11-8, 11-11, 11-17, 14-46, 14-47
data, 2-6, 7-28
external tables, 2-6, 7-28
init<sid>.ora, 7-25
init.ora, 8-5, 9-4, 10-23, 10-40, 11-8, 11-11, 11-17, 14-46, 14-47
keys, 16-12
listener.ora, 2-8, 2-9, 7-30, 7-31
log, 2-6, 7-28, 11-5, 11-12
password, 4-15
protocol.ora, 2-11, 7-31
restrict listener access, 2-9
restrict symbolic links, 2-6, 7-28
server.key, 2-8
sqlnet.ora, 4-8, 7-32
SSL, 2-7
trace, 2-6, 7-28
tsnames.ora, 2-8
UTLPWDMG.SQL, 4-10
fine-grained access control, 6-3, 7-3
application context, 3-9, 13-16
features, 13-6
performance, 13-8
fine-grained auditing, 11-29
DML support, i-xxxvii
extensions, i-xxxviii
introduction, 3-4
multiple objects, columns, statements, including INDEX, 7-20
policies, 7-20
Firewall-1, 7-29
firewalls, 2-10, 7-28
breach
vulnerable data, 2-10, 7-29
ill-configured, 7-29
no holes, 7-29
ports, 2-8
supported
packet-filtered, 7-28
proxy-enabled, 7-28
flashback query, 11-9, 14-47
foreign keys
privilege to use parent key, 5-7
formatting of password complexity verification routine, 7-16
free development, 7-10
FTP, 7-32
functions
PL/SQL
privileges for, 5-9
roles, 5-24

G

Gauntlet, 7-29
general user security, 7-4
global authentication and authorization, 9-5
global roles, 9-5, 10-23
global users, 9-5
identifiers, i-xxxviii
GLOBAL_CONTEXT_MEMORY attribute, 13-13
GLOBAL_UID attribute, 13-13
grace period
example, 7-14
password expiration, 7-13, 7-14
GRANT ALL PRIVILEGES
SELECT ANY DICTIONARY, 7-25
GRANT ANY OBJECT PRIVILEGE system privilege, 10-27, 10-31
GRANT ANY PRIVILEGE system privilege, 5-4
GRANT CONNECT THROUGH clause
for proxy authorization, 9-8
GRANT statement, 10-24
ADMIN OPTION, 10-25
creating a new user, 10-26
object privileges, 10-26, 12-13
system privileges and roles, 10-24
when takes effect, 10-35
WITH GRANT OPTION, 10-27
granting
privileges and roles, 5-3
granting privileges and roles
listing grants, 10-40
GT GlossaryTitle, Glossary-1
GUIDs, i-xxxviii

H

hacked operating systems or applications, 2-8
harden
operating system, 7-32
hash
keyed, i-xxxviii
hash algorithms, i-xxxviii
HOST attribute, 13-13
HR, 7-22
HS_ADMIN_ROLE role, 10-19
HTTP
potentially malicious data transmissions, 7-26
request and retrieve arbitrary data, 7-26
HTTPS port, 2-7

I

identity management
centralized management with distributable tools, 1-6
components, 1-6
desired benefits, 1-5
infrastructure, 1-6
Oracle's infrastructure components, 1-6
seamless timely distribution, 1-6
security, 1-4
single sign-on, 1-6
sngle point of integration, 1-6
solution, 1-5
IMP_FULL_DATABASE role, 5-26, 10-19
INDEX privilege, 12-15
init<sid>.ora file, 7-25
init.ora, 11-8, 11-11, 11-17, 14-46, 14-47
init.ora file, 8-5, 9-4, 10-23, 10-40
INSERT privilege, 12-15
granting, 10-29
revoking, 10-32
INSTANCE attribute, 13-13
INSTANCE_NAME attribute, 13-13
invoker's rights
procedure security, 5-11
supplied packages, 5-11
invoker's rights stored procedures, 12-9
IP address
fakeable, 2-10
IP addresses, 7-31
IP_ADDRESS attribute, 13-14
ISDBA attribute, USERENV, 13-14
iTAR, 7-33

K

Kerberos, 2-5, 7-24
keyed hash, i-xxxviii

L

LANG attribute, 13-14
LANGUAGE attribute, 13-14
least privilege principle, 2-5, 7-25
Lightweight Directory Access Protocol (LDAP), 14-11
limit operating system account privileges, 2-6, 7-28
limit sensitive data dictionary access, 7-8
limit the number of operating system users, 2-6, 7-28
listener, 7-29
checklist, 2-9
establish password, 2-10, 7-29, 7-30
not Oracle owner, 7-29
prevent on-line administration, 7-30
restrict privileges, 2-9, 7-29
sample configuration, 7-29
secure administration, 2-9, 2-10, 7-30
listener.ora, 2-8
add line, 7-30
control external procedures, 7-31
sample, 7-30
typical directory, 2-8
listener.ora file, 2-9, 7-30
lock and expire, 2-3, 2-4, 7-21, 7-24
unlock via ALTER USER, 7-7
log files, 7-28, 7-29, 11-5, 11-12
logical reads limit, 5-30
login triggers, 14-7
logon triggers, 14-3, 14-8

M

MAC, i-xxxviii
mail messages
arbitrary, 7-26
unauthorized, 7-26
managing roles, 10-20
mandatory auditing, 8-7
MAX_ENABLED_ROLES initialization parameter
enabling roles and, 10-36
MD4, i-xxxviii
MD5, i-xxxviii
MDDATA, 7-22
MDSYS, 7-22, 7-24
memory
viewing per user, 10-12
message authentication code, i-xxxviii
Metalink, 7-32
methods
privileges on, 5-14
MGMT_VIEW, 7-22
middle tier systems, 13-11
mode, SSL, 2-8
monitoring, 8-1
monitoring user actions, 8-1
multiple administrators
roles example, 7-8, 7-9
multiplex multiple client network sessions, 2-10
multi-tier environments
auditing clients, 11-13

N

Net8, 7-28
network
authentication, 9-5
Network Associates, 7-29
network authentication, 9-5
network authentication services, 2-5, 7-24
smart cards, 7-24
token cards, 7-24
X.509 certificates, 7-24
network connections
arbitrary transmissions, 7-26
outgoing, 7-26
network IP addresses, 2-11, 7-31
NETWORK_PROTOCOL attribute, 13-14
networking security checklists, 2-7, 7-28
client checklist, 2-8
listener checklist, 2-9
network checklist, 2-9
SSL, 2-7
configuration files, 2-7
mode, 2-8
tcps, 2-8
networks
network authentication service, 4-3
new features, i-xxxv
auditing, i-xxxvii
column-level VPD, i-xxxvi
policy types, i-xxxvi
Virtual Private Database, i-xxxvi
NLS_CALENDAR attribute, 13-14
NLS_CURRENCY attribute, 13-14
NLS_DATE_FORMAT attribute, 13-14
NLS_DATE_LANGUAGE attribute, 13-14
NLS_SORT attribute, 13-14
NLS_TERRITORY attribute, 13-14
NOAUDIT statement
disabling audit options, 11-17
disabling default object audit options, 11-18
disabling object auditing, 11-18
disabling statement and privilege auditing, 11-17

O

O7_DICTIONARY_ACCESSIBILITY, 2-5, 7-25, 10-15, 10-16
initialization parameter, 10-16
object privileges, 2-5, 5-4, 6-3, 7-25
developers, 7-11
granting on behalf of the owner, 10-27
revoking, 10-30
revoking on behalf of owner, 10-31
See also schema object privileges
objects
granting privileges, 12-15
privileges, 12-13
privileges on, 5-14
OCI
enabling roles, 3-6
ODM, 7-22
ODM_MTR, 7-22
OE, 7-22
OLAPSYS, 7-22
operating system
harden, 7-32
operating system authentication, 7-8
operating system security, 7-2
operating system username, 2-4
operating systems
accounts, 10-38
authentication, 9-4, 10-36
authentication by, 4-2
default permissions, 2-6, 7-28
enabling and disabling roles, 10-39
role identification, 10-37
roles and, 5-26, 10-36
security in, 7-2
optimization
query rewrite
in security policies, 6-5
Oracle Advanced Security, 2-5, 7-24, 7-32, 12-13
Oracle Connection Manager, 2-10
Oracle Delegated Administration Service, 1-7
Oracle Directory Integration and Provisioning, 1-6
Oracle Enterprise Security Manager, 4-7
Oracle Internet Directory, 1-6, 4-7, 15-4
Oracle Java Virtual Machine (OJVM), 2-5, 7-27
Oracle Net, 7-28
Oracle Net Manager, 7-32
Oracle Technology Network, 7-32
Oracle Universal Installer, 2-3
Oracle Wallet Manager, 4-5
Oracle wallets, 4-5
Oracle Worldwide Support Services, 7-33
OracleAS Certificate Authority, 1-7, 4-5
OracleAS Single Sign-On, 1-7
ORDPLUGINS, 7-22
ORDSYS, 7-22
OS username, 7-8
OS_ROLES parameter
operating-system authorization and, 10-23
REMOTE_OS_ROLES and, 10-40
using, 10-37
OS_USER attribute, USERENV, 13-14
OUTLN, 7-22

P

packages
auditing, 8-10
examples of, 5-12, 5-13
privileges
divided by construct, 5-12
executing, 5-9, 5-12
supplied packages
invoker's or definer's rights, 5-11
Padding forms, i-xxxviii
paragraph tags
GT GlossaryTitle, Glossary-1
parallel execution servers, 14-6
parallel query
and SYS_CONTEXT, i-xxxvii
application context, i-xxxvii
parallel query, and SYS_CONTEXT, 14-5
parameters
protocol.ora, 7-31
pass-phrase
to read and parse server.key file, 2-8
password
establish for listener, 2-10, 7-29, 7-30
password aging and expiration, 7-13
grace period, 7-13, 7-14
example, 7-14
password complexity verification, 4-10, 7-16
formatting of routine, 7-16
sample routine, 7-17
password files, 4-15, 7-8
password management
account locking, 7-12
explicit, 7-13
ALTER PROFILE, 7-12
CREATE PROFILE, 7-12
expiration grace period, 7-13, 7-14
explicitly expire, 7-14
failed login attempts, 7-12
failed logins resetting, 7-13
grace period
example, 7-14
history, 7-15
lifetime for password, 7-13
password complexity verification, 7-16
PASSWORD_LOCK_TIME, 7-13
PASSWORD_REUSE_MAX, 7-15
PASSWORD_REUSE_TIME, 7-15
sample password complexity verification routine, 7-17
UTLPWDMG.SQL
password management, 7-16
password management policy, 7-12
password security, 7-4
PASSWORD_LIFE_TIME, 7-13
PASSWORD_LOCK_TIME, 7-13
PASSWORD_REUSE_MAX, 7-15
PASSWORD_REUSE_TIME, 7-15
passwords
account locking, 4-9
administrative, 2-4, 7-24
change via ALTER USER, 7-7
changing for roles, 10-21
complexity verification, 4-10
connecting without, 4-2
database user authentication, 4-8
default, 7-7
duration, 2-4, 7-24
encryption, 4-8, 7-5, 9-2
history, 7-15
PASSWORD_REUSE_MAX, 7-15
PASSWORD_REUSE_TIME, 7-15
length, history, and complexity, 7-24
length, history, and complexity,, 2-4
management, 7-12
management rules, 2-4, 7-24
password files, 4-15
password reuse, 4-9
privileges for changing for roles, 10-21
privileges to alter, 10-7
reuse, 2-4, 7-24
role, 3-7
roles, 10-21
security policy for users, 7-4
SYS and SYSTEM, 2-3, 7-23, 7-24
used in roles, 5-21
user authentication, 9-1
performance
resource limits and, 5-28
permissions
server.key file, 2-8
personnel checklist, 2-2
personnel security, 1-3
physical access control checklist, 2-2
physical security, 1-3
PIX Firewall, 7-29
PKCS #5, i-xxxviii
PKI, 4-4
PL/SQL
anonymous blocks, 12-9
auditing of statements within, 8-8
dynamically modifying SQL statements, 13-3
roles in procedures, 5-24
setting context, 14-3
PM, 7-22
policies
auditing, 7-20
password management, 7-12
policy function, 7-4
policy types
context-sensitive, i-xxxvi, 14-37, 14-39
new features, i-xxxvi
shared, i-xxxvi, 14-37
static, i-xxxvi, 14-37, 14-39
POLICY_INVOKER attribute, 13-14
practical security concerns, 2-1
predicates
dynamic
in security policies, 6-5
principle of least privilege, 2-5, 7-25
privacy, 2-3, 7-20
privilege management, 7-5
granting privileges and roles
specifying ALL, 10-17
revoking privileges and roles
specifying ALL, 10-17
privileges, 10-15
See also system privileges.
administrator
statement execution audited, 8-8
altering
passwords, 10-8
users, 10-7
altering role authentication method, 10-21
application developers, 7-9
application developers and, 7-9
audit object, 11-16
auditing system, 11-16
auditing use of, 8-9, 11-15
cascading revokes, 10-32
column, 10-29
CREATE DBLINK, 7-27
creating roles, 10-20
creating users, 10-2
dropping profiles, 10-14
dropping roles, 10-24
encapsulating in stored procedures, 3-6
granting, 5-3, 5-5, 10-24
examples of, 5-12, 5-13
granting object privileges, 10-26
granting system privileges, 10-24
granting, about, 10-24
grouping with roles, 10-20
individual privilege names, 10-15
listing grants, 10-42
managing, 12-4, 12-13
middle tier, 15-7
object, 7-11, 10-17, 12-15
on selected columns, 10-32
overview of, 5-2
policies for managing, 7-5
procedures, 5-9
creating and altering, 5-12
executing, 5-9
in packages, 5-12
revoking, 5-3, 5-5, 10-30
revoking object, 10-30
revoking object privileges, 10-30, 10-33
revoking system privileges, 10-30
roles, 5-19
restrictions on, 5-25
schema object, 5-4, 6-3
DML and DDL operations, 5-6
granting and revoking, 5-5
packages, 5-12
procedures, 5-9
SQL statements permitted, 12-15
system, 5-3, 10-15
ANY, 7-24
CREATE, 7-11
DROP ANY TABLE, 7-25
granting and revoking, 5-3
SELECT ANY DICTIONARY, 7-25
SYSTEM and OBJECT, 2-5, 7-25
trigger privileges, 5-11
views, 5-8
creating, 5-8
using, 5-8
procedural security, 1-3
procedures
auditing, 8-10
definer's rights, 5-10
roles disabled, 5-24
examples of, 5-12, 5-13
invoker's rights, 5-11
roles used, 5-24
supplied packages, 5-11
privileges
create or alter, 5-12
executing, 5-9
executing in packages, 5-12
security enhanced by, 5-10
supplied packages
invoker's or definer's rights, 5-11
process monitor process (PMON)
cleans up timed-out sessions, 5-31
PRODUCT_USER_PROFILE table, 3-6, 13-19, 13-20
production environment, 7-24
products and options
install only as necessary, 7-21
profiles, 10-13
disabling resource limits, 10-14
dropping, 10-14
enabling resource limits, 10-14
listing, 10-9
managing, 10-13
password management, 4-9, 7-12
privileges for dropping, 10-14
viewing, 10-11
program global area (PGA)
effect of MAX_ENABLED_ROLES on, 10-36
protocol.ora file, 2-11, 7-31
parameters, 7-31
proxies, 4-11
auditing clients of, 11-13
proxy authentication and authorization, 9-8
proxy authentication, 9-8
proxy authorization, 9-8
proxy servers
auditing clients, 11-13
PROXY_USER attribute, 13-11, 13-14
PROXY_USERID attribute, 13-14
PROXY_USERS view, 9-8
pseudocolumns
USER, 5-9
PUBLIC, 2-5, 7-26
granting and revoking privileges to, 10-34
procedures and, 10-34
revoke all unnecessary privileges and roles, 7-26
user group, 5-24, 10-34
public key infrastructure, 4-4
PUBLIC_DEFAULT profile
dropping profiles and, 10-14

Q

QS, 7-22
QS_ADM, 7-22
QS_CB, 7-22
QS_CBADM, 7-22
QS_CS, 7-22
QS_ES, 7-22
QS_OS, 7-22
QS_WS, 7-22
query rewrite
dynamic predicates in security policies, 6-5
quotas
listing, 10-9
revoking from users, 10-5
setting to zero, 10-5
tablespace, 10-4
temporary segments and, 10-4
unlimited, 10-5
viewing, 10-11

R

RADIUS, 4-6
Raptor, 7-29
RC4, i-xxxviii
reads
data block
limits on, 5-30
reauthenticating clients, 15-4
RECOVERY_CATALOG_OWNER role, 10-19
REFERENCES privilege, 12-15
CASCADE CONSTRAINTS option, 10-32
revoking, 10-32
when granted through a role, 5-25
REFRESH_GROUPED_POLICY procedure, 14-36, 14-45
REFRESH_POLICY procedure, 14-36, 14-45
remote authentication, 2-6, 7-27, 7-28
REMOTE_OS_AUTHENT, 7-28
REMOTE_OS_AUTHENT initialization parameter
setting, 9-4
remote_os_authentication, 2-6, 7-28
REMOTE_OS_ROLES initialization parameter
setting, 10-23, 10-40
reparsing, 14-7
resetting failed login attempts, 7-13
resource limits
call level, 5-30
connect time for each session, 5-31
CPU time limit, 5-30
determining values for, 5-32
disabling, 10-14
enabling, 10-14
idle time in each session, 5-31
logical reads limit, 5-30
number of sessions for each user, 5-30
private SGA space for each session, 5-31
profiles, 10-13
RESOURCE privilege, 12-12
RESOURCE role, 5-26, 10-18
resources
profiles, 10-13
restrict symbolic links, 2-6, 7-28
restrictions
space
developers, 7-11
tablespaces, 7-11
REVOKE CONNECT THROUGH clause
revoking proxy authorization, 9-8
REVOKE statement, 10-30
when takes effect, 10-35
revoking privileges and roles
on selected columns, 10-32
REVOKE statement, 10-30
when using operating-system roles, 10-39
rewrite
predicates in security policies, 6-5
RMAN, 7-22
role, 7-3
typical developer, 7-10
role identification
operating system accounts, 10-38
ROLE_SYS_PRIVS view, 12-5
ROLE_TAB_PRIVS view, 12-5
roles, 5-19, 7-5, 7-26
ADMIN OPTION and, 10-25
administrative, 7-7
advantages, 12-5
application, 5-22, 12-8, 12-13, 13-19
application developers and, 7-10
AQ_ADMINISTRATOR_ROLE, 10-20
AQ_USER_ROLE, 10-19
authorization, 10-21
authorized by enterprise directory service, 10-23
changing authorization for, 10-21
changing passwords, 10-21
CONNECT, 7-27
CONNECT role, 5-26, 10-18
create your own, 7-27
database authorization, 10-21
DBA role, 5-26, 10-18
DDL statements and, 5-24
default, 10-8, 10-35
definer's rights procedures disable, 5-24
definition, 10-18
DELETE_CATALOG_ROLE, 10-19
dependency management in, 5-25
disabling, 10-35
dropping, 10-24
enabled or disabled, 5-22
enabling, 10-35, 12-8
enabling and disabling, 3-5
enterprise, 9-6, 10-23
example, 7-5, 7-6
explanation, 7-6
EXECUTE_CATALOG_ROLE, 10-19
EXP_FULL_DATABASE, 10-19
EXP_FULL_DATABASE role, 5-26
for multiple administrators
example, 7-8, 7-9
functionality, 5-2
global, 9-5, 10-23
global authorization, 10-23
GRANT statement, 10-39
granting, 5-3, 5-23, 10-24
granting, about, 10-24
HS_ADMIN_ROLE, 10-19
IMP_FULL_DATABASE, 10-19
IMP_FULL_DATABASE role, 5-26
in applications, 5-21
invoker's rights procedures use, 5-24
job responsibility privileges only, 7-27
listing, 10-44
listing grants, 10-42
listing privileges and roles in, 10-44
management using the operating system, 10-36
managing, 10-20, 12-13
managing through operating system, 5-26
maximum, 10-36
multibyte characters in names, 10-20
multibyte characters in passwords, 10-22
naming, 5-19
network authorization, 10-23
operating system, 10-38
operating system granting of, 10-37, 10-39
operating-system authorization, 10-22
OS management and the shared server, 10-40
passwords, 3-7
passwords for enabling, 10-21
predefined, 5-26, 10-18
privileges for creating, 10-20
privileges for dropping, 10-24
privileges, changing authorization method for, 10-21
privileges, changing passwords, 10-21
RECOVERY_CATALOG_OWNER, 10-19
RESOURCE role, 5-26, 10-18
restricting from tool users, 13-19
restrictions on privileges of, 5-25
REVOKE statement, 10-39
revoking, 5-23, 10-30
revoking ADMIN OPTION, 10-30
schemas do not contain, 5-19
secure application, 3-4
security and, 7-5
security domains of, 5-23
SELECT_CATALOG_ROLE, 10-19
SET ROLE statement, 10-39
setting in PL/SQL blocks, 5-24
unique names for, 10-20
use of passwords with, 5-21
usefulness compromised, 12-3
user, 5-22, 12-8, 12-13
users capable of granting, 5-23
uses of, 5-21
WITH GRANT OPTION and, 10-27
without authorization, 10-21
root file paths
for files and packages outside the database, 2-5, 7-27
row-level security
see fine-grained access control, virtual private database (VPD), and Oracle Label Security
rows
row-level security, 6-3
RSA private key, 2-8
run-time facilities, 2-5, 7-27

S

sample configuration
listener, 7-29
sample password complexity verification routine, 7-17
Sample Schemas, 7-21
remove or re-lock for production, 7-21
test database, 7-21
schema object privileges, 5-4, 6-3
DML and DDL operations, 5-6
granting and revoking, 5-5
views, 5-8
schema objects
auditing, 8-10
cascading effects on revoking, 10-33
default audit options, 11-16
default tablespace for, 10-3
disabling audit options, 11-18
enabling audit options on, 11-16
granting privileges, 10-26
in a revoked tablespace, 10-5
owned by dropped users, 10-8
privileges on, 5-4, 6-3
privileges to access, 10-17
privileges with, 10-17
revoking privileges, 10-30
schema-independent users, 9-6, 12-13
schemas
default, 13-12
unique, 12-12
SCOTT, 2-4, 7-23, 7-24, 7-27
script files, 11-26
CATNOAUD.SQL, 11-26
scripts, 4-10
seamless timely distribution, 1-6
sec_relevant_cols parameter, 13-4, 14-41, 14-42
sec_relevant_cols_opt parameter, 13-4, 14-41
secure application, 12-5
secure application role
using to ensure database connection, 12-8
secure installation and configuration checklist, 2-3, 7-20
Secure Sockets Layer, 2-7, 7-2, 7-31, 9-1, 9-6
certificate key algorithm, 2-8
checklist, 2-7
cipher suites, 2-8
configuration files, 2-7
mode, 2-8
pass-phrase, 2-8
RSA private key, 2-8
server.key file, 2-8
tcps, 2-8
Secure Sockets Layer (SSL) protocol, 15-4
security
accessing a database, 7-2
administrator of, 7-2
application administration, 7-11
application developers and, 7-9
application enforcement of, 5-21
auditing, 8-1, 8-6
auditing policies, 7-20
authentication of users, 7-2
breach effects, 1-4
data, 7-3
database security, 7-2
database users and, 7-2
default user accounts, 2-3, 7-21
dynamic predicates, 6-5
enforcement in application, 12-4
enforcement in database, 12-4
fine-grained access control, 6-3
general users, 7-4
identity management, 1-4
interaction complexity, 1-4
issues by category, 1-3
multibyte characters in role names, 10-20
multibyte characters in role passwords, 10-22
operating-system security and the database, 7-2
passwords, 4-8
personnel dimension, 1-3
physical dimension, 1-3
policies
administering, 14-35
applied within database, 13-4
centrally managed, 13-20
example, 14-29
implementing, 6-6, 13-16
multiple policies per table, 13-7
on tables or views, 13-6
technical issues, 3-2
policies for database administrators, 7-7
policy for applications, 12-2, 13-19
practical concerns, 2-1
privilege management policies, 7-5
privileges, 7-2
procedural dimension, 1-3
procedures enhance, 5-10
protecting the audit trail, 11-21
REMOTE_OS_ROLES parameter, 10-40
roles to force security, 7-5
roles, advantages, 12-5
security policies, 6-3
technical dimension, 1-3
test databases, 7-10
threats and countermeasures, 3-1
views enhance, 5-8
security alerts, 7-32
security domain
application development, 7-11
security domains
enabled roles and, 5-22
security patches and workarounds, 2-6, 7-32
security policy function, 7-4
security-relevant columns VPD, 13-4
SELECT ANY DICTIONARY, 7-25
SELECT privilege, 12-15
SELECT_CATALOG_ROLE role, 10-16, 10-19
sequences
auditing, 8-10
SERVER_HOST attribute, 13-14
server.key file, 2-8
pass-phrase to read and parse, 2-8
permissions on, 2-8
service names, 7-29
session primitives, 13-11
SESSION_ROLES view
queried from PL/SQL block, 5-24
SESSION_USER attribute, USERENV, 13-14
SESSION_USERID attribute, 13-14
SESSIONID attribute, 13-14
sessions
auditing by, 8-13
auditing connections and disconnections, 11-15
defined, 8-13
limits for each user, 5-30
listing privilege domain of, 10-43
time limits on, 5-31
viewing memory use, 10-12
when auditing options take effect, 8-8
SET ROLE statement
associating privileges with role, 12-9
at startup, 3-5
disabling, 3-6
equivalent to SET_ROLE, 12-9
how password is set, 10-21
role passwords, 3-7
used to enable/disable roles, 10-35
when using operating-system roles, 10-39
SET_CONTEXT procedure, 14-6
SET_ROLE procedure, 12-9
SH, 7-23
SHA-1, i-xxxviii
shared policy type, i-xxxvi, 14-37
shared server
limiting private SQL areas, 5-31
OS role management restrictions, 10-40
SI_INFORMTN_SCHEMA, 7-23
SID attribute, 13-14
single sign-on, 1-6
single source of truth, 1-5
smart cards, 7-24
sngle point of integration, 1-6
space restrictions
developers, 7-11
tablespaces, 7-11
SQL statements, i-xxxviii
auditing, 8-9, 8-12
when records generated, 8-7
disabling audit options, 11-17
dynamic, 14-5
enabling audit options on, 11-15
privileges required for, 5-4, 6-3, 12-15
resource limits and, 5-30
restricting ad hoc use, 13-18
SQL text, i-xxxviii
SQL*Net, 7-28
SQL*Plus
connecting with, 4-2
restricting ad hoc use, 13-18
statistics monitor, 5-32
sqlnet.ora, 7-32
sqlnet.ora file, 4-8
SSL, 1-7, 2-7, 7-2, 7-30, 7-31
SSL. See Secure Sockets Layer.
STATEMENTID attribute, 13-15
static, i-xxxvi, 14-37, 14-39
storage
quotas and, 10-4
revoking tablespaces and, 10-5
unlimited quotas, 10-5
stored procedures
encapsulating privileges, 3-6
invoker's rights, 12-9
using privileges granted to PUBLIC, 10-34
strong authentication, 7-24
supplied packages
invoker's or definer's rights, 5-11
symbolic links, 2-6, 7-28
synonyms
inherit privileges from object, 5-6
SYS, 7-23
SYS account
policies for protecting, 7-7
policy enforcement, 13-21
SYS and SYSTEM, 7-23
passwords, 2-3, 7-23, 7-24
SYS and SYSTEM connections, 7-7
SYS schema, 14-6
AS SYSDBA, 7-8
SYS username
statement execution audited, 8-8
SYS_CONTEXT
and parallel query, i-xxxvii
SYS_CONTEXT function
access control, 14-13
database links, 14-6
dynamic SQL statements, 14-5
parallel query, 14-5
syntax, 14-4
USERENV namespace, 13-12
SYS.AUD$, 11-11
SYS.AUD$ table
audit trail, 11-7
creating and deleting, 11-22
SYSMAN, 2-4, 7-23, 7-24
SYS-privileged connections, 2-5, 7-25
SYSTEM, 7-23
SYSTEM account
policies for protecting, 7-7
system global area (SGA)
limiting private SQL areas, 5-31
system privileges, 2-5, 5-3, 7-25, 10-15
ADMIN OPTION, 5-4
ANY, 7-24
CREATE, 7-11
described, 5-3, 10-15
DROP ANY TABLE, 7-25
GRANT ANY OBJECT PRIVILEGE, 10-27, 10-31
GRANT ANY PRIVILEGE, 5-4
granting, 10-24
granting and revoking, 5-3
SELECT ANY DICTIONARY, 7-25
system security policy, 7-1
database user management, 7-2
operating system security, 7-2
user authentication, 7-2

T

tables
auditing, 8-10
privileges on, 5-6
tablespaces
assigning defaults for users, 10-3
default quota, 10-4
quotas for users, 10-4
revoking from users, 10-5
temporary
assigning to users, 10-5
unlimited quotas, 10-5
viewing quotas, 10-11
tcps, 2-8, 7-30
technical security, 1-3
TELNET, 7-32
TERMINAL attribute, USERENV, 13-15
test and production databases
application developer environment, 7-10
testing VPD policies, 14-37
text level access
host operating system, 7-26
unauthorized, 7-26
TFTP, 7-32
TIGER, 7-24
time stamp, i-xxxviii
token cards, 7-24
trace files, 7-26, 7-28, 7-29, 8-7
triggers
auditing, 8-10
CREATE TRIGGER ON, 12-15
event, 14-13
login, 14-7
logon, 14-3, 14-8
privileges for executing, 5-11
roles, 5-24
Triple DES, i-xxxviii
tsnames.ora, 2-8
typical directory, 2-8
types
privileges on, 5-14
typical role, 7-10

U

UDP and TCP ports
close for ALL disabled services, 7-32
uniform audit trail, i-xxxvii
UNLIMITED, 7-15
UNLIMITED TABLESPACE privilege, 10-5
unlock locked accounts, 7-7
UPDATE privilege
revoking, 10-32
user authentication
methods, 7-2
user groups, 7-5
USER pseudocolumn, 5-9
user security policy, 7-4
USERENV function, 13-11, 15-9, 16-8
USERENV namespace, 13-11, 13-12
usernames
OS, 7-8
schemas, 12-12
users
altering, 10-7
assigning unlimited quotas for, 10-5
auditing, 8-15
authentication
about, 7-2, 9-1
authentication of, 4-1
changing default roles, 10-8
database authentication, 9-1
default tablespaces, 10-3
dropping, 10-8
dropping profiles and, 10-14
dropping roles and, 10-24
enabling roles for, 12-8
end-user security policies, 7-5
enterprise, 9-6, 10-23, 12-13
external authentication, 9-3
global, 9-5
listing, 10-9
listing privileges granted to, 10-42
listing roles granted to, 10-42
managing, 10-1
network authentication, 9-5
objects after dropping, 10-8
operating system authentication, 9-4
password encryption, 4-8, 7-5
password security, 7-4
policies for managing privileges, 7-5
privileges for changing passwords, 10-7
privileges for creating, 10-2
privileges for dropping, 10-8
proxy authentication and authorization, 9-8
PUBLIC group, 10-34
PUBLIC user group, 5-24
restricting application roles, 13-19
roles and, 5-20
for types of users, 5-22
schema-independent, 9-6, 12-13
security and, 7-2
security domains of, 5-23
security for general users, 7-4
specifying user names, 10-3
tablespace quotas, 10-4
viewing information on, 10-11
viewing memory use, 10-12
viewing tablespace quotas, 10-11
UTC, i-xxxviii
UTL_FILE, 7-26
UTL_HTTP, 7-26
UTL_SMTP, 7-26
UTL_TCP, 7-26
UTLPWDMG.SQL, 4-10, 7-16
formatting of password complexity verification routine, 7-16

V

valid node checking, 2-11, 7-31
view, 5-7
views, 7-3
auditing, 8-10
privileges for, 5-8
security applications of, 5-8
Virtual Private Database
new features, i-xxxvi
virtual private database (VPD), 3-6, 12-4, 13-2, 13-5, 13-20
column-level VPD, 14-40
defined, 13-2
policies, 13-6
VPD
column masking behavior, 13-4
column masking restrictions, 14-43
objects it applies to, 13-4
sec_relevant_cols parameter, 13-4
see virtual private database
sel_relevant_cols_opt parameter, 13-4
with flashback query, 14-47
VPD default behavior, 14-41
VPD policies
dynamic, 14-37
testing with dynamic policy type, 14-37
vulnerable data behind firewalls, 2-10, 7-29
vulnerable run-time call, 7-27
made more secure, 7-27

W

Wallet Manager, 4-5
wallets, 4-5
WHERE, 7-4
WHERE clause, dynamic SQL, 13-3
Windows operating system
OS audit trail, 11-7, 11-12
WK_TEST, 7-23
WKPROXY, 7-23
WKSYS, 7-23
WMSYS, 7-23

X

X.509 certificates, 7-24
X.509 Version 3 certificates, 4-5
XDB, 7-23
Go to previous page
Previous
 Oracle
Copyright © 2003 Oracle Corporation
All Rights Reserved.
Go to Documentation Home
Home		 Go to Book List
Book List		 Go to Table of Contents
Contents		 Go to Master Index
Master Index		 Go to Feedback page
Feedback