46/46

Index

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X 

---

Numerics

12C verifier

about, 3.2.7.1

recommended by Oracle, 3.2.7.1

---

A

access control

encryption, problems not solved by, 12.1.1

enforcing, A.9.1

object privileges, 4.9.1

password encryption, 3.2.1

access control list (ACL)

examples

external network connection for email alert, 22.4.8.1

external network connections, 6.7

wallet access, 6.7

external network services

about, 6.2

advantages, 6.1

affect of upgrade from earlier release, 6.4

DBMS_NETWORK_ACL_ADMIN package, general process, 6.5.1

email alert for audit violation tutorial, 22.4.8.1

finding information about, 6.13

network hosts, using wildcards to specify, 6.8

ORA-06512 error, 6.12

ORA-24247 error, 6.12

ORA-24247 errors, 6.4

order of precedence, hosts, 6.9

port ranges, 6.10

privilege assignments, about, 6.11.1

privilege assignments, database administrators checking, 6.11.2

privilege assignments, users checking, 6.11.3

revoking privileges, 6.5.3

wallet access

about, 6.3

advantages, 6.3

client certificate credentials, using, 6.6.1

finding information about, 6.13

non-shared wallets, 6.6.1

password credentials, 6.6.1

password credentials, using, 6.6.1

revoking, 6.6.5

revoking access, 6.6.5

shared database session, 6.6.1

wallets with sensitive information, 6.6.1

wallets without sensitive information, 6.6.1

account locking

example, 3.2.4.6

explicit, 3.2.4.6

password management, 3.2.4.6

PASSWORD_LOCK_TIME profile parameter, 3.2.4.6

accounting, RADIUS, 19.3.4

activating checksumming and encryption, 13.4.1

ad hoc tools

database access, security problems of, 4.8.7.1

adapters, 15.4

ADM_PARALLEL_EXECUTE_TASK role

about, 4.8.2

ADMIN OPTION

about, 4.14.1.1

revoking privileges, 4.15.1

revoking roles, 4.15.1

roles, 4.8.5.2

system privileges, 4.5.4

administrative privileges

about, 4.4.1

granting to users, 4.4.2

SYSBACKUP privilege, 4.4.4

SYSDBA privilege, 4.4.3

SYSDG privilege, 4.4.5

SYSKM privilege, 4.4.6

SYSOPER privilege, 4.4.3

administrative user passwords

default, importance of changing, A.5

administrative users

auditing, 22.2.6.1

mandatorily audited, 23.1.2

administrator privileges

access, A.9.2

operating system authentication, 3.3.3

passwords, 3.3.4, A.5

SYSDBA and SYSOPER access, centrally controlling, 3.3.2.1, 3.3.2.1

write, on listener.ora file, A.9.2

AES256 algorithm

converting to in Oracle wallets, F.3.2.7

alerts, used in fine-grained audit policy, 22.4.8.1

"all permissions", A.3

ALTER ANY LIBRARY statement

security guidelines, A.3

ALTER privilege statement

SQL statements permitted, 8.9.2

ALTER PROCEDURE statement

used for compiling procedures, 4.12.4

ALTER PROFILE statement

password management, 3.2.4.1

ALTER RESOURCE COST statement, 2.4.4.3, 2.4.4.4

ALTER ROLE statement

changing authorization method, 4.8.3.5

ALTER SESSION statement

schema, setting current, 8.8.1

ALTER USER privilege, 2.3.1

ALTER USER statement

default roles, 4.18.2

explicit account unlocking, 3.2.4.6

GRANT CONNECT THROUGH clause, 3.10.1.6

passwords, changing, 2.3.3.2

passwords, expiring, 3.2.4.11

profiles, changing, 3.2.4.11

REVOKE CONNECT THROUGH clause, 3.10.1.5

user profile, 3.2.4.1

altering users, 2.3.1

anonymous, 18.6.1.3.1

ANSI operations

Oracle Virtual Private Database affect on, 10.5.3

ANY system privilege

guidelines for security, A.6

application contexts

about, 9.1.1

as secure data cache, 9.1.4

benefits of using, 9.1.4

bind variables, 10.1.5

components, 9.1.2

DBMS_SESSION.SET_CONTEXT procedure, 9.3.3.7, 9.3.3.7

driving context, 9.6

editions, affect on, 9.1.5

finding errors by checking trace files, 9.6

finding information about, 9.6

global application contexts

authenticating user for multiple applications, 9.4.4.5

creating, 9.4.3.2

logon trigger, creating, 9.3.4

Oracle Virtual Private Database, used with, 10.1.5

performance, 10.4.2.9

policy groups, used in, 10.3.5.1

returning predicate, 10.1.5

session information, retrieving, 9.3.3.2

support for database links, 9.3.6.1

types, 9.2

users, nondatabase connections, 9.4.1, 9.4.4.6

where values are stored, 9.1.3

See also client session-based application contexts, database session-based application contexts, global application contexts

application developers

CONNECT role change, A.12.3.2

application security

restricting wallet access to current application, 6.6.1

revoking access control privileges from Oracle wallets, 6.6.5

sharing wallet with other applications, 6.6.1

specifying attributes, 9.3.2.3

application users who are database users

Oracle Virtual Private Database, how it works with, 10.5.9

applications

about security policies for, 8.1

database users, 8.2.1

enhancing security with, 4.8.1.3

object privileges, 8.9.1

object privileges permitting SQL statements, 8.9.2

One Big Application User authentication

security considerations, 8.2.2

security risks of, 8.2.1

Oracle Virtual Private Database, how it works with, 10.5.4

password handling, guidelines, 8.3.1.2

password protection strategies, 8.3

privileges, managing, 8.5

roles

multiple, 4.8.1.4.1

privileges, associating with database roles, 8.7

security, 4.8.7, 8.2.2

security considerations for use, 8.2

security limitations, 10.5.4

security policies, 10.3.5.3

validating with security policies, 10.3.5.5

AQ_ADMINISTRATOR_ROLE role

about, 4.8.2

AQ_USER_ROLE role

about, 4.8.2

archiving

operating system audit files, 23.2.1

standard audit trail, 23.2.2

timestamping audit trail, 23.3.3.4

asynchronous authentication mode in RADIUS, 19.2.2

attacks

See security attacks

audit files

operating system audit trail

archiving, setting timestamp, 23.3.3.4

operating system file

archiving, 23.2.1

standard audit trail

archiving, setting timestamp, 23.3.3.4

records, archiving, 23.2.2

audit policies

See also unified audit policies

audit policies, application contexts

about, 22.2.11.1

appearance in audit trail, 22.2.11.6

configuring, 22.2.11.2

disabling, 22.2.11.3

examples, 22.2.11.4

audit trail

archiving, 23.2.2

finding information about audit management, 23.4

finding information about usage, 22.5

unified

archiving, 23.2.2, 23.2.2

AUDIT_ADMIN role, 4.8.2

AUDIT_VIEWER role, 4.8.2

auditing

administrators, Database Vault, 22.2.14.2

audit options, 22.1

audit trail, sensitive data in, A.11

CDBs, 21.9

committed data, A.11.2

cursors, affect on auditing, 23.1.3

database user names, 3.5

Database Vault administrators, 22.2.14.2

databases, when unavailable, 23.1.5

distributed databases and, 21.10

DV_ADMIN role user, 22.2.14.2

DV_OWNER role user, 22.2.14.2

finding information about audit management, 23.4

finding information about usage, 22.5

fine-grained

See fine-grained auditing

functions, 22.2.7.10

functions, Oracle Virtual Private Database, 22.2.7.11

general steps

commonly used security-relevant activities, 22.1.2

specific fine-grained activities, 22.1.3

SQL statements and other general activities, 22.1.1

general steps for, 22.1

guidelines for security, A.11

historical information, A.11.2

INHERIT PRIVILEGE privilege, 5.5.5

keeping information manageable, A.11.1

loading audit records to unified audit trail, 23.1.5

mandatory auditing, 23.1.2

multitier environments

See standard auditing

One Big Application User authentication, compromised by, 8.2.1

operating-system user names, 3.5

Oracle Recovery Manager events, 22.2.13.2

Oracle Virtual Private Database policy functions, 22.2.7.11

packages, 22.2.7.10

performance, 21.3

PL/SQL packages, 22.2.7.10

predefined policies

general steps for using, 22.1.2

privileges required, 21.8

procedures, 22.2.7.10

purging records

example, 23.3.6

general steps for manual purges, 23.3.2.2

general steps for scheduled purges, 23.3.2.1

range of focus, 22.1

READ object privileges in policies, 22.2.8.2

READ privileges

about, 22.2.8.1

how recorded in audit trail, 22.2.8.3

recommended settings, A.11.4

Sarbanes-Oxley Act

auditing, meeting compliance through, 21.1

SELECT privileges

about, 22.2.8.1

how recorded in audit trail, 22.2.8.3

suspicious activity, A.11.3

triggers, 22.2.7.10

unified audit trail

about, 21.4

VPD predicates

fine-grained audit policies, 22.4.4

when audit options take effect, 23.1.1

when records are created, 23.1.1

See also unified audit policies

auditing, purging records

about, 23.3.1

cancelling archive timestamp, 23.3.5.4

creating audit trail

purge job, 23.3.3.1

creating the purge job, 23.3.3.5

DBMS_SCHEDULER package, 23.3.3.1

deleting a purge job, 23.3.5.3

disabling purge jobs, 23.3.5.1

enabling purge jobs, 23.3.5.1

general steps for, 23.3.2

purging audit trail manually, 23.3.4.1

roadmap, 23.3.2

scheduling the purge job, 23.3.3.5

setting archive timestamp, 23.3.3.4

time interval for named purge job, 23.3.5.2

AUTHENTICATEDUSER role, 4.8.2

authentication, 15.4

about, 3.1

administrators

operating system, 3.3.3

passwords, 3.3.4

SYSDBA and SYSOPER access, centrally controlling, 3.3.2.1

by database, 3.4

by SSL, 3.7.2.1

client, A.9.1

client-to-middle tier process, 3.10.1.8

configuring multiple methods, 20.3

database administrators, 3.3.1

databases, using

about, 3.4.1

advantages, 3.4.2

procedure, 3.4.3

directory service, 3.7.2

directory-based services, 3.6.2.4

external authentication

about, 3.8.1

advantages, 3.8.2

operating system authentication, 3.8.4

user creation, 3.8.3

global authentication

about, 3.7.1

advantages, 3.7.3

user creation for private schemas, 3.7.2.1

user creation for shared schemas, 3.7.2.2

methods, 15.3

middle-tier authentication

proxies, example, 3.10.1.10

modes in RADIUS, 19.2

multitier, 3.9

network authentication

Secure Sockets Layer, 3.6.1

third-party services, 3.6.2.1

One Big Application User, compromised by, 8.2.1

operating system authentication

about, 3.5

advantages, 3.5

disadvantages, 3.5

ORA-28040 errors, 3.2.7.3

proxy user authentication

about, 3.10.1.1

expired passwords, 3.10.1.5

public key infrastructure, 3.6.2.5

RADIUS, 3.6.2.3

remote, A.9.1, A.9.1

specifying when creating a user, 2.2.5

strong, A.5

SYSDBA on Windows systems, 3.3.3

Windows native authentication, 3.3.3

See also passwords, proxy authentication

AUTHENTICATION parameter, C.2.1

AUTHID DEFINER clause

used with Oracle Virtual Private Database functions, 10.1.4

authorization

about, 4

changing for roles, 4.8.3.5

global

about, 3.7.1

advantages, 3.7.3

multitier, 3.9

omitting for roles, 4.8.3.1

operating system, 4.8.4.4

roles, about, 4.8.4

automatic reparse

Oracle Virtual Private Database, how it works with, 10.5.5

---

B

banners

auditing user actions, configuring, 8.10.5

unauthorized access, configuring, 8.10.5

batch jobs, authenticating users in, 3.2.8.1

BFILEs

guidelines for security, A.6

bind variables

application contexts, used with, 10.1.5

BLOBS

encrypting, 12.2.6

---

C

CAPTURE_ADMIN role, 4.8.2

cascading revokes, 4.15.3

CDB_DBA role, 4.8.2

CDBs

auditing, how affects, 21.9

CBAC role grants with DELEGATE option, 5.7.5

common privilege grants, 4.6.1

granting privileges, 4.6.4

local privilege grants, 4.6.1

object privileges, 4.6.3

privilege management, 4.6

revoking privileges, 4.6.4

role management, 4.7

roles

altering, 4.8.3.5

creating common, 4.7.6

creating local, 4.7.8

granting common, 4.7.9

how common roles work, 4.7.2

privileges required to manage, 4.7.4

rules for creating common, 4.7.5

system privileges, 4.6.2

transparent sensitive data protection, 11.5

user accounts

creating, 2.2.10

local, 2.2.1.3

user privileges, how affects, 4.3

users

common, 2.2.1.1

viewing information about, 4.6.5.1

Virtual Private Database policies, 10.1.6

Center for Internet Security (CIS), 22.3.5

certificate, 18.2.2.2

certificate authority, 18.2.2.1

certificate key algorithm

Secure Sockets Layer, A.9.3

certificate revocation lists, 18.2.2.3

manipulating with orapki tool, 18.8.5.1

uploading to LDAP directory, 18.8.5.1

where to store them, 18.8.3

certificate revocation status checking

disabling on server, 18.8.4.2, 18.8.4.3

certificate validation error message

CRL could not be found, 18.8.6.1

CRL date verification failed with RSA status, 18.8.6.1

CRL signature verification failed with RSA status, 18.8.6.1

Fetch CRL from CRL DP

No CRLs found, 18.8.6.1

OID hostname or port number not set, 18.8.6.1

certificates

creating signed with orapki, F.2

challenge-response authentication in RADIUS, 19.2.2

change_on_install default password, A.5

character sets

role names, multibyte characters in, 4.8.3.1

role passwords, multibyte characters in, 4.8.4.1

cipher suites

about, 18.6.1.3.1

procedure for specifying for server, 18.6.1.3.3

Secure Sockets Layer, A.9.3

Secure Sockets Layer (SSL), C.2.2.1

supported, 18.6.1.3.2

Cipher Suites

FIPS 140-2 settings, E.2.3.2

client authentication in SSL, 18.6.1.5

client connections

guidelines for security, A.9.1

secure external password store, 3.2.8.3

securing, A.9.1

client identifier

setting for applications that use JDBC, 3.10.2.5

client identifiers

about, 3.10.2.1

auditing users, 22.2.9

consistency between DBMS_SESSION.SET_IDENTIFIER and DBMS_APPLICATION_INFO.SET_CLIENT_INFO, 3.10.2.6

global application context, independent of, 3.10.2.4

setting with DBMS_SESSION.SET_IDENTIFIER procedure, 9.4.1

See also nondatabase users

client session-based application contexts

about, 9.5.1

CLIENTCONTEXT namespace, clearing value from, 9.5.4

CLIENTCONTEXT namespace, setting value in, 9.5.2

retrieving CLIENTCONTEXT namespace, 9.5.3

See also application contexts

CLIENT_IDENTIFIER USERENV attribute

setting and clearing with DBMS_SESSION package, 3.10.2.6

setting with OCI user session handle attribute, 3.10.2.5

See also USERENV namespace

CLIENTID_OVERWRITE event, 3.10.2.6

code based access control (CBAC)

about, 5.7.1

granting and revoking roles to program unit, 5.7.6

how works with definers rights, 5.7.4

how works with invoker’s rights, 5.7.3

privileges, 5.7.2

tutorial, 5.7.7

column masking behavior, 10.3.4.3

column specification, 10.3.4.3

restrictions, 10.3.4.3

columns

granting privileges for selected, 4.14.2.4

granting privileges on, 4.14.2.4

INSERT privilege and, 4.14.2.4

listing users granted to, 4.19.4

privileges, 4.14.2.4

pseudo columns

USER, 4.11.2

revoking privileges on, 4.15.2.4

command line recall attacks, 8.3.1.1, 8.3.1.4

committed data

auditing, A.11.2

common privilege grants

about, 4.6.1

granting, 4.6.4

revoking, 4.6.4

with object privileges, 4.6.3

with system privileges, 4.6.2

common roles

about, 4.7.1

auditing, 22.2.4.1

creating, 4.7.6

granting, 4.7.9

how they work, 4.7.2

privileges required to manage, 4.7.4

rules for creating, 4.7.5

common user accounts

creating, 2.2.10.1

enabling access to other PDBs, 4.6.5

granting privileges to, 4.6

common users

about, 2.2.1.1

accessing data in PDBs, 4.6.5.2

altering, 2.3.2

plug-in operations, 2.2.1.2

configuration

guidelines for security, A.8

configuration files

Kerberos, C.1

listener.ora, A.9.2

sample listener.ora file, A.9.2

server.key encryption file, A.9.3

tsnames.ora, A.9.3

typical directory, A.9.3, A.9.3

configuring

Kerberos authentication service parameters, 17.1.6.1

RADIUS authentication, 19.3.1

SSL, 18.6

on the client, 18.6.2

on the server, 18.6.1

thin JDBC support, 14.1

CONNECT role

about, A.12

applications

account provisioning, A.12.2.2

affects of, A.12.2

database upgrades, A.12.2.1

installation of, A.12.2.3

script to create, 4.8.2

users

application developers, impact, A.12.3.2

client-server applications, impact, A.12.3.3

general users, impact, A.12.3.1

how affects, A.12.3

why changed, A.12.1

connecting

with username and password, 20.1

connection pooling

about, 3.9

global application contexts, 9.4.1

nondatabase users, 9.4.4.6

proxy authentication, 3.10.1.8

connections

SYS privilege, A.3

container data objects

about, 4.6.5.1

container database (CDB)

See CDBs

controlled step-in procedures, 5.3

CPU time limit, 2.4.2.3

CREATE ANY LIBRARY statement

security guidelines, A.3

CREATE ANY PROCEDURE system privilege, 4.12.3

CREATE ANY TABLE statement

non-administrative users, A.3

CREATE CONTEXT statement

about, 9.3.2.2

example, 9.3.2.1

CREATE LIBRARY statement

security guidelines, A.3

CREATE PROCEDURE system privilege, 4.12.3

CREATE PROFILE statement

account locking period, 3.2.4.6

failed login attempts, 3.2.4.6

password aging and expiration, 3.2.4.8

password management, 3.2.4.1

passwords, example, 3.2.4.11

CREATE ROLE statement

IDENTIFIED EXTERNALLY option, 4.8.4.3

CREATE SCHEMA statement

securing, 8.8.1

CREATE SESSION statement

CONNECT role privilege, A.4

securing, 8.8.1

CREATE USER statement

explicit account locking, 3.2.4.6

IDENTIFIED BY option, 2.2.5

IDENTIFIED EXTERNALLY option, 2.2.5

passwords, expiring, 3.2.4.11

user profile, 3.2.4.1

CRL, 18.2.2.3

CRLAdmins directory administrative group, F.6.7

CRLs

disabling on server, 18.8.4.2, 18.8.4.3

where to store them, 18.8.3

cryptographic hardware devices, 18.2.2.5

CSW_USR_ROLE role, 4.8.2

CTXAPP role, 4.8.2

cursors

affect on auditing, 23.1.3

reparsing, for application contexts, 9.3.4

shared, used with Virtual Private Database, 10.1.5

custom installation, A.8, A.8

CWM_USER role, 4.8.2

---

D

data definition language (DDL)

roles and privileges, 4.8.1.7

data dictionary

protecting, A.6

securing with O7_DICTIONARY_ACCESSIBILITY, 4.5.2.2

data dictionary views

See views

data encryption and integrity parameters

about, B.2.1

SQLNET.CRYPTO_CHECKSUM_CLIENT, B.2.5

SQLNET.CRYPTO_CHECKSUM_SERVER, B.2.4

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT, B.2.9

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER, B.2.8

SQLNET.ENCRYPTION_CLIENT, B.2.3

SQLNET.ENCRYPTION_SERVER, B.2.2

SQLNET.ENCRYPTION_TYPES_CLIENT, B.2.7

SQLNET.ENCRYPTION_TYPES_SERVER, B.2.6

Data Encryption Standard (DES), 13.1.3

DES40 encryption algorithm, 13.1.4

Triple-DES encryption algorithm, 13.1.4

data files, A.6

guidelines for security, A.6

data manipulation language (DML)

privileges controlling, 4.10.1

data security

encryption, problems not solved by, 12.1.3

database administrators (DBAs)

access, controlling, 12.1.2

authentication, 3.3.1

malicious, encryption not solved by, 12.1.2

Database Configuration Assistant (DBCA)

default passwords, changing, A.5

user accounts, automatically locking and expiring, A.3

database links

application context support, 9.3.6.1

application contexts, 9.3.3.6

authenticating with Kerberos, 3.6.2.2

authenticating with third-party services, 3.6.2.1

global user authentication, 3.7.3

object privileges, 4.9.1

operating system accounts, care needed, 3.5

RADIUS not supported, 19.1

session-based application contexts, accessing, 9.3.3.6

database session-based application contexts

about, 9.3.1

cleaning up after user exits, 9.3.1

components, 9.3.1

creating, 9.3.2.2

database links, 9.3.3.6

dynamic SQL, 9.3.3.4

externalized, using, 9.3.8

how to use, 9.3

initializing externally, 9.3.6.1

initializing globally, 9.3.7.1

ownership, 9.3.2.1

parallel queries, 9.3.3.5

PL/SQL package creation, 9.3.3

session information, setting, 9.3.3.7

SYS_CONTEXT function, 9.3.3.2

trusted procedure, 9.1.2

tutorial, 9.3.5

See also application contexts

database upgrades and CONNECT role, A.12.2.1

databases

access control

password encryption, 3.2.1

additional security resources, 1.2

authentication, 3.4

database user and application user, 8.2.1

default password security settings, 3.2.4.5

DBCA-created databases, 3.2.4.5

manually-created databases, 3.2.4.5

default security features, summary, 1.1

granting privileges, 4.14

granting roles, 4.14

limitations on usage, 2.4.1

security and schemas, 8.8

security embedded, advantages of, 8.2.2

security policies based on, 10.1.2.1

DATAPUMP_EXP_FULL_DATABASE role, 4.8.2

DATAPUMP_IMP_FULL_DATABASE role, 4.8.2

DBA role

about, 4.8.2

DBA_CONTAINER_DATA data dictionary view, 4.6.5.1

DBA_HOST_ACES view, 6.11.1

DBA_ROLE_PRIVS view

application privileges, finding, 8.5

DBA_ROLES data dictionary view

PUBLIC role, 4.5.5

DBFS_ROLE role, 4.8.2

DBMS_APPLICATION.SET_CLIENT_INFO procedure

DBMS_SESSION.SET_IDENTIFIER value, overwriting, 3.10.2.6

DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure, 8.4.2

DBMS_CRYPTO package

about, 12.3

encryption algorithms supported, 12.3

examples, 12.4.1

DBMS_CRYPTO PL/SQL package

enabling for FIPS 140-2, E.2.2

DBMS_FGA package

about, 22.4.7.1

ADD_POLICY procedure, 22.4.7.4.1

DISABLE_POLICY procedure, 22.4.7.6

DROP_POLICY procedure, 22.4.7.8

editions, 22.4.7.2

ENABLE_POLICY procedure, 22.4.7.7

PDBs, 22.4.7.3

DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE procedure, 6.5.3

DBMS_RLS package

about, 10.3.1

DBMS_RLS.ADD_CONTEXT procedure, 10.3.1

DBMS_RLS.ADD_GROUPED_POLICY procedure, 10.3.1

DBMS_RLS.ADD_POLICY

sec_relevant_cols parameter, 10.3.4.1

sec_relevant_cols_opt parameter, 10.3.4.3

DBMS_RLS.ADD_POLICY procedure

about, 10.3.1

transparent sensitive data protection polices, 11.12.2

DBMS_RLS.ALTER_GROUPED_POLICY procedure, 10.3.1

DBMS_RLS.ALTER_POLICY procedure, 10.3.1

DBMS_RLS.CREATE_POLICY_GROUP procedure, 10.3.1

DBMS_RLS.DELETE_POLICY_GROUPS procedure, 10.3.1

DBMS_RLS.DISABLE_GROUPED_POLICY procedure, 10.3.1

DBMS_RLS.DROP_CONTEXT procedure, 10.3.1

DBMS_RLS.DROP_GROUPED_POLICY procedure, 10.3.1

DBMS_RLS.DROP_POLICY procedure, 10.3.1

DBMS_RLS.ENABLE_GROUPED_POLICY procedure, 10.3.1

DBMS_RLS.ENABLE_POLICY procedure, 10.3.1

DBMS_RLS.REFRESH_GROUPED_POLICY procedure, 10.3.1

DBMS_RLS.REFRESH_POLICY procedure, 10.3.1

DBMS_SESSION package

client identifiers, using, 3.10.2.6

global application context, used in, 9.4.4

SET_CONTEXT procedure

about, 9.3.3.7

application context name-value pair, setting, 9.3.3.1

DBMS_SESSION.SET_CONTEXT procedure

about, 9.3.3.7

syntax, 9.3.3.7

username and client_id settings, 9.4.4.3

DBMS_SESSION.SET_IDENTIFIER procedure

client session ID, setting, 9.4.1

DBMS_APPLICATION.SET_CLIENT_INFO value, overwritten by, 3.10.2.6

DBSNMP user account

password usage, A.5

DDL

See data definition language

debugging

Java stored procedures, 6.12

PL/SQL stored procedures, 6.12

default passwords, A.5, A.5, A.5, A.5

change_on_install or manager passwords, A.5

changing, importance of, 3.2.4.2

finding, 3.2.4.2

default permissions, A.6

default profiles

about, 3.2.4.3

default roles

setting for user, 2.2.11

specifying, 4.18.2

default users

accounts, A.3, A.3

Enterprise Manager accounts, A.3

passwords, A.5

defaults

tablespace quota, 2.2.7.1

user tablespaces, 2.2.6.1

definer’s rights

about, 5.2

code based access control

about, 5.7.1

granting and revoking roles to program unit, 5.7.6

how code based access control works, 5.7.4

compared with invoker’s rights, 5.1

example of when to use, 5.2

procedure privileges, used with, 5.2

procedure security, 5.2

schema privileges for, 5.2

secure application roles, 8.6.2.1

used with Oracle Virtual Private Database functions, 10.1.4

views, 5.6.1

DELETE privilege

SQL statements permitted, 8.9.2

DELETE_CATALOG_ROLE role

about, 4.8.2

SYS schema objects, enabling access to, 4.5.2.3

denial-of-service (DoS) attacks

bad packets, preventing, 8.10.1

networks, securing, A.9.2

denial-of-service attacks

about, Glossary

Department of Defense Database Security Technical Implementation Guide, 3.2.5.5, 3.2.5.6

DES. See Data Encryption Standard (DES)

dictionary protection mechanism, 4.5.2.2

dictionary tables

auditing, 22.2.7.4

Diffie-Hellman, 18.6.1.3.1

Diffie-Hellman key negotiation algorithm, 13.3

direct path load

fine-grained auditing effects on, 22.4.1

directories

auditing, 22.2.7.2

directory authentication, configuring for SYSDBA or SYSOPER access, 3.3.2.2

directory objects

granting EXECUTE privilege on, 4.14.1

directory-based services authentication, 3.6.2.4

disabling unnecessary services

FTP, TFTP, TELNET, A.9.2

dispatcher processes (Dnnn)

limiting SGA space for each session, 2.4.2.5

distributed databases

auditing and, 21.10

DML

See data manipulation language

driving context, 9.6

DROP PROFILE statement

example, 2.4.4.4

DROP ROLE statement

example, 4.8.6

security domain, affected, 4.8.6

DROP USER statement

about, 2.5.3

schema objects of dropped user, 2.5.4

DUAL table

about, 9.3.3.3

DVF schema

ORA_DV_AUDPOL predefined audit policy for, 22.3.7

DVS schema

ORA_DV_AUDPOL predefined audit policy for, 22.3.7

dynamic Oracle Virtual Private Database policy types, 10.3.6.2

DYNAMIC policy type, 10.3.6.2

---

E

editions

application contexts, how affects, 9.1.5

fine-grained auditing packages, results in, 9.4.4.2

global application contexts, how affects, 9.4.4.2

Oracle Virtual Private Database packages, results in, 9.4.4.2

EJBCLIENT role, 4.8.2

EM_EXPRESS_ALL role, 4.8.2

EM_EXPRESS_BASIC role, 4.8.2

email alert example, 22.4.8.1

encryption

access control, 12.1.1

BLOBS, 12.2.6

challenges, 12.2

data security, problems not solved by, 12.1.3

data transfer, A.9.2

DBMS_CRYPTO package, 12.3, 12.3

deleted encrypted data, A.6

examples, 12.4.1

finding information about, 12.5

fine-grained audit policies on encrypted columns, 22.4.7.4.1

indexed data, 12.2.1

key generation, 12.2.2

key storage, 12.2.4.1

key transmission, 12.2.3

keys, changing, 12.2.5

malicious database administrators, 12.1.2

network encryption, 13.4

network traffic, A.9.2

problems not solved by, 12.1

Transparent Data Encryption, 12.2.4.5

transparent tablespace encryption, 12.2.4.5

encryption and checksumming

activating, 13.4.1

negotiating, 13.4.2.1

parameter settings, 13.4.3

ENFORCE_CREDENTIAL configuration parameter

security guideline, A.10

enterprise directory service, 4.8.4.6

enterprise roles, 3.7.1, 4.8.4.6

enterprise user management, 8.2.1

Enterprise User Security

application context, globally initialized, 9.3.7.3

proxy authentication

Oracle Virtual Private Database, how it works with, 10.5.9

enterprise users

centralized management, 3.7.1

global role, creating, 4.8.4.6

One Big Application User authentication, compromised by, 8.2.1

proxy authentication, 3.10.1.1

shared schemas, protecting users, 8.8.2

error messages

ORA-12650, 13.4.1, 13.4.2.2, 13.4.2.3, B.2.6, B.2.7, B.2.8, B.2.9

errors

OPW-00005, 2.3.4.2

ORA-00036, 22.4.7.4.2, 22.4.7.4.2

ORA-01720, 4.11.1

ORA-06512, 6.12, 22.4.8.6

ORA-06598, 5.5.2

ORA-1000, 22.4.7.4.2, 22.4.7.4.2

ORA-1536, 2.2.7.3

ORA-24247, 6.4, 6.12, 22.4.8.6

ORA-28009, 4.5.2.2

ORA-28017, 2.3.4.1

ORA-28040, 3.2.7.3, 3.2.7.3, 3.4.1

ORA-28046, 2.3.4.1

ORA-28133, 22.4.7.4.1

ORA-28144, 22.4.7.4.2

ORA-28575, 8.4.1

ORA-45622, 11.6.6.2

examples

access control lists

external network connections, 6.7

wallet access, 6.7

account locking, 3.2.4.6

audit trail, purging unified trail, 23.3.6

auditing user SYS, 22.2.5.5

data encryption

encrypting and decrypting BLOB data, 12.4.3

encrypting and decrypting procedure with AES 256-Bit, 12.4.2

directory objects, granting EXECUTE privilege on, 4.14.1

encrypting procedure, 12.4.1

Java code to read passwords, 8.3.4

locking an account with CREATE PROFILE, 3.2.4.6

login attempt grace period, 3.2.4.11

nondatabase user authentication, 9.4.4.6

O7_DICTIONARY_ACCESSIBILITY initialization parameter, setting, 4.5.2.2

passwords

aging and expiration, 3.2.4.9

changing, 2.3.3.1

creating for user, 2.2.5

privileges

granting ADMIN OPTION, 4.14.1.1

views, 4.19.1

procedure privileges affecting packages, 4.12.5.2, 4.12.5.3

profiles, assigning to user, 2.2.9

roles

altering for external authorization, 4.8.3.5

creating for application authorization, 4.8.4.2

creating for external authorization, 4.8.4.3

creating for password authorization, 4.8.3.2, 4.8.3.3

default, setting, 4.18.2

global, 4.8.3.4

using SET ROLE for password-authenticated roles, 4.8.4.1

views, 4.19.1

secure external password store, 3.2.8.2

session ID of user

finding, 2.5.2

system privilege and role, granting, 4.14.1

tablespaces

assigning default to user, 2.2.6.2

quota, assigning to user, 2.2.7.2

temporary, 2.2.8.2

type creation, 4.13.5

users

account creation, 2.2.3

creating with GRANT statement, 4.14.1.2

dropping, 2.5.4

middle-tier server proxying a client, 3.10.1.6

object privileges granted to, 4.14.2.1

proxy user, connecting as, 3.10.1.6

See also tutorials

exceptions

WHEN NO DATA FOUND, used in application context package, 9.3.5.3

WHEN OTHERS, used in triggers

development environment (debugging) example, 9.3.4

production environment example, 9.3.4

Exclusive Mode

SHA-2 password hashing algorithm, enabling, 3.2.7.2

EXECUTE ANY LIBRARY statement

security guidelines, A.3

EXECUTE privilege

SQL statements permitted, 8.9.2

EXECUTE_CATALOG_ROLE role

about, 4.8.2

SYS schema objects, enabling access to, 4.5.2.3

execution time for statements, measuring, 10.3.6.2

EXEMPT ACCESS POLICY privilege

Oracle Virtual Private Database enforcements, exemption, 10.5.7.2

EXP_FULL_DATABASE role

about, 4.8.2

expiring a password

explicitly, 3.2.4.11

exporting data

direct path export impact on Oracle Virtual Private Database, 10.5.7.2

policy enforcement, 10.5.7.2

external authentication

about, 3.8.1

advantages, 3.8.2

network, 3.8.5

operating system, 3.8.4, 3.8.4

user creation, 3.8.3

external network services, fine-grained access to

See access control list (ACL)

external procedures

configuring extproc process for, 8.4.2

credentials, 8.4.1

DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure, 8.4.2

legacy applications, 8.4.3

security guideline, A.10

external tables, A.6

extproc process

about, 8.4.1

configuring credential for, 8.4.2

legacy applications, 8.4.3

---

F

failed login attempts

account locking, 3.2.4.6

password management, 3.2.4.6

resetting, 3.2.4.6

Federal Information Processing Standard (FIPS), E.3.1

DBMS_CRYPTO package, E.2.2

FIPS 140-1

postinstallation checks, E.3.3

status information, E.3.4

FIPS 140-2

Cipher Suites, E.2.3.2

postinstallation checks, E.2.4

SSLFIPS_140, E.2.3.1

verifying connections, E.2.5

FIPS 140-2 Level 2 certification, Preface, E, E.1, E.2

physical security, E.3.5

sqlnet.ora FIPS 140-1 parameters, E.3.2.1

Transparent Data Encryption, E.2.2

files

BFILEs

operating system access, restricting, A.6

BLOB, 12.2.6

data

operating system access, restricting, A.6

external tables

operating system access, restricting, A.6

keys, 12.2.4.3

listener.ora file

guidelines for security, A.9.2, A.9.3

log

operating system access, restricting, A.6

restrict listener access, A.9.2

server.key encryption file, A.9.3

symbolic links, restricting, A.6

tnsnames.ora, A.9.3

trace

operating system access, restricting, A.6

fine-grained access control

See Oracle Virtual Private Database (VPD)

fine-grained auditing

about, 22.4.1

alerts, adding to policy, 22.4.8.1

archiving audit trail, 23.2.2

columns, specific, 22.4.7.4.3

DBMS_FGA package, 22.4.7.1

direct loads of data, 22.4.1, 22.4.1

edition-based redefinitions, 22.4.6

editions, results in, 9.4.4.2

encrypted table columns, 22.4.7.4.1

finding errors by checking trace files, 22.5

how audit records are generated, 22.4.2

how to use, 22.4.1

policies

adding, 22.4.7.4.1

disabling, 22.4.7.6

dropping, 22.4.7.8

enabling, 22.4.7.7

modifying, 22.4.7.4.1

privileges required, 22.4.3

records

archiving, 23.2.2

VPD predicates, 22.4.4

FIPS Parameter

Configuring, E.2.3

FIPS. See Federal Information Processing Standard (FIPS)

fips.ora file, E.2.3.1

firewalls

advice about using, A.9.2

database server location, A.9.2

ports, A.9.3

supported types, A.9.2

flashback query

Oracle Virtual Private Database, how it works with, 10.5.6

foreign keys

privilege to use parent key, 4.10.2

FTP service, A.9.2

functions

auditing, 22.2.7.2, 22.2.7.10

granting roles to, 4.8.5.3

Oracle Virtual Private Database

components of, 10.2.1

privileges used to run, 10.1.4

privileges for, 4.12.1

roles, 4.8.1.6

---

G

GATHER_SYSTEM_STATISTICS role, 4.8.2

global application contexts

about, 9.4.1

authenticating nondatabase users, 9.4.4.6

checking values set globally for all users, 9.4.4.4

clearing values set globally for all users, 9.4.4.4

components, 9.4.1

editions, affect on, 9.4.4.2

example of authenticating nondatabase users, 9.4.4.6

example of authenticating user moving to different application, 9.4.4.5

example of setting values for all users, 9.4.4.4

Oracle RAC environment, 9.4.2

Oracle RAC instances, 9.4.1

ownership, 9.4.3.1

PL/SQL package creation, 9.4.4.1

process, lightweight users, 9.4.7.2

process, standard, 9.4.7.1

sharing values globally for all users, 9.4.4.4

system global area, 9.4.1

tutorial for client session IDs, 9.4.6.1

used for One Big Application User scenarios, 10.5.9

user name retrieval with USER function, 9.4.4.3

uses for, 10.5.9

See also application contexts

global authentication

about, 3.7.1

advantages, 3.7.3

user creation for private schemas, 3.7.2.1

user creation for shared schemas, 3.7.2.2

global authorization

about, 3.7.1

advantages, 3.7.3

role creation, 4.8.4.6

roles, 3.7.1

global roles

about, 4.8.4.6

global users, 3.7.1

GLOBAL_AQ_USER_ROLE role, 4.8.2

GLOBAL_EXTPROC_CREDENTIAL configuration parameter

security guideline, 8.4.3

grace period for login attempts

example, 3.2.4.11

grace period for password expiration, 3.2.4.11

GRANT ALL PRIVILEGES statement

SELECT ANY DICTIONARY privilege, exclusion of, A.6

GRANT ANY OBJECT PRIVILEGE system privilege, 4.14.2.3, 4.15.2.3

GRANT ANY PRIVILEGE system privilege, 4.5.4

GRANT CONNECT THROUGH clause

consideration when setting FAILED_LOGIN_ATTEMPTS parameter, 3.2.4.3

for proxy authorization, 3.10.1.6

GRANT statement, 4.14.1

ADMIN OPTION, 4.14.1.1

creating a new user, 4.14.1.2

object privileges, 4.14.2.1, 8.9.1

system privileges and roles, 4.14

when takes effect, 4.18

WITH GRANT OPTION, 4.14.2.2

granting privileges and roles

about, 4.5.3

finding information about, 4.19.1

specifying ALL, 4.9.3.2

guidelines for security

auditing, A.11

custom installation, A.8, A.8

data files and directories, A.6

encrypting sensitive data, A.6

installation and configuration, A.8

networking security, A.9

operating system accounts, limiting privileges, A.6

operating system users, limiting number of, A.6

Oracle home default permissions, disallowing modification, A.6

ORACLE_DATAPUMP access driver, A.7

passwords, A.5

Secure Sockets Layer

mode, A.9.3

TCPS protocol, A.9.3

symbolic links, restricting, A.6

user accounts and privileges, A.3

---

H

hackers

See security attacks

handshake

SSL, 18.1.3

HS_ADMIN_EXECUTE_ROLE role

about, 4.8.2

HS_ADMIN_ROLE role

about, 4.8.2

HS_ADMIN_SELECT_ROLE role

about, 4.8.2

HTTP authentication

See access control lists (ACL), wallet access

HTTPS

port, correct running on, A.9.3

---

I

IMP_FULL_DATABASE role

about, 4.8.2

INDEX privilege

SQL statements permitted, 8.9.2

indexed data

encryption, 12.2.1

indirectly granted roles, 4.8.1.2

INHERIT ANY PRIVILEGE privilege

not audited, 22.2.5.3

INHERIT ANY PRIVILEGES privilege

about, 5.5.2

managing, 5.5.5

revoking from powerful users, 5.5.4

when it should be granted, 5.5.4

INHERIT PRIVILEGE privilege

not audited, 22.2.5.3

INHERIT PRIVILEGES privilege

about, 5.5.2

auditing, 5.5.5

managing, 5.5.5

when it should be granted, 5.5.3, 5.5.3

initialization parameter file

parameters for clients and servers using Kerberos, C.1

parameters for clients and servers using RADIUS, C.3

parameters for clients and servers using SSL, C.2

initialization parameters

application protection, 8.10

MAX_ENABLED_ROLES, 4.18.3, 4.18.3

O7_DICTIONARY_ACCESSIBILITY, 4.5.2.2

OS_AUTHENT_PREFIX, 3.8.1

OS_ROLES, 4.8.4.4

REMOTE_OS_AUTHENT, A.9.1

RESOURCE_LIMIT, 2.4.4.1

SEC_CASE_SENSITIVE_LOGON, 3.2.6.1

SEC_MAX_FAILED_LOGIN_ATTEMPTS, 8.10.3

SEC_PROTOCOL_ERROR_FURTHER_ACTION, 8.10.2

SEC_PROTOCOL_ERROR_TRACE_ACTION, 8.10.1

SEC_RETURN_SERVER_RELEASE_BANNER, 8.10.4

SEC_USER_AUDIT_ACTION_BANNER, 8.10.5

SEC_USER_UNAUTHORIZED_ACCESS_BANNER, 8.10.5

INSERT privilege

granting, 4.14.2.4

revoking, 4.15.2.4

SQL statements permitted, 8.9.2

installation

guidelines for security, A.8

intruders

See security attacks

invoker’s rights

about, 5.3

code based access control

about, 5.7.1

granting and revoking roles to program unit, 5.7.6

how code based access control works, 5.7.3

tutorial, 5.7.7

compared with definer’s rights, 5.1

controlled step-in, 5.3

procedure privileges, used with, 5.2

procedure security, 5.3

secure application roles, 8.6.2.1

secure application roles, requirement for enabling, 8.6.2.1

security risk, 5.5.1

views

about, 5.6.1

finding user who invoked invoker’s right view, 5.6.3

IP addresses

falsifying, A.9.2

---

J

Java Byte Code Obfuscation, 14.5

Java Database connectivity (JDBC)

implementation of Oracle Advanced Security, 14.1

Java Database Connectivity (JDBC)

configuration parameters, 14.6.1

Oracle extensions, 14.2

thin driver features, 14.3

Java Debug Wire Protocol (JDWP)

network access for debugging operations, 6.12

Java schema objects

auditing, 22.2.7.2

Java stored procedures

network access for debugging operations, 6.12

JAVA_ADMIN role, 4.8.2

JAVA_DEPLOY role, 4.8.2

JAVADEBUGPRIV role, 4.8.2

JAVAIDPRIV role, 4.8.2

JAVASYSPRIV role, 4.8.2

JAVAUSERPRIV role, 4.8.2

JDBC connections

JDBC Thin Driver proxy authentication

configuring, 3.10.1.1

with real user, 3.10.1.8

JDBC/OCI proxy authentication, 3.10.1.1

multiple user sessions, 3.10.1.8

Oracle Virtual Private Database, 10.5.9

JDBC. See Java Database Connectivity

JDeveloper

debugging using Java Debug Wire Protocol, 6.12

JMXSERVER role, 4.8.2

---

K

Kerberos, 15.3.1, 15.3.1

authentication adapter utilities, 17.2

configuring authentication, 17.1, 17.1.6.1

configuring for database server, 17.1.2

configuring for Windows 2008 Domain Controller KDC, 17.3

kinstance, 17.1.2

kservice, 17.1.2

realm, 17.1.2

sqlnet.ora file sample, B.1

system requirements, 15.5, 15.5

Kerberos authentication, 3.6.2.2

configuring for SYSDBA or SYSOPER access, 3.3.2.3

password management, A.5

Kerberos Key Distribution Center (KDC), 17.3

key generation

encryption, 12.2.2

key storage

encryption, 12.2.4.1

key transmission

encryption, 12.2.3

kinstance (Kerberos), 17.1.2

kservice (Kerberos), 17.1.2

---

L

LBAC_DBA role, 4.8.2

LBACSYS schema

ORA_DV_AUDPOL predefined audit policy for, 22.3.7

LBACSYS.ORA_GET_AUDITED_LABEL function

about, 22.2.15.8

ldap.ora

which directory SSL port to use for no authentication, 18.8.5.4

least privilege principle, A.3

about, A.3

granting user privileges, A.3

middle-tier privileges, 3.10.1.9

libraries

auditing, 22.2.7.2

security guidelines, A.3

lightweight users

example using a global application context, 9.4.6.1

Lightweight Directory Access Protocol (LDAP), 10.4.2.9

listener

endpoint

SSL configuration, 18.6.1.7

not an Oracle owner, A.9.2

preventing online administration, A.9.2

restrict privileges, A.9.2, A.9.2

secure administration, A.9.2

listener.ora file

administering remotely, A.9.2, A.9.2

default location, A.9.3

FIPS 140-2 Cipher Suite settings, E.2.3.2

online administration, preventing, A.9.2

Oracle wallet setting, C.2.5

TCPS, securing, A.9.3

local privilege grants

about, 4.6.1

granting, 4.6.4

revoking, 4.6.4

local roles

about, 4.7.1

creating, 4.7.8

rules for creating, 4.7.7, 4.7.7

local user accounts

creating, 2.2.10.3

local users

about, 2.2.1.3

lock and expire

default accounts, A.3

predefined user accounts, A.3

log files

owned by trusted user, A.6

logical reads limit, 2.4.2.4

logon triggers

externally initialized application contexts, 9.3.4

for application context packages, 9.3.4

running database session application context package, 9.3.4

secure application roles, 4.8.8

LOGSTDBY_ADMINISTRATOR role, 4.8.2

---

M

malicious database administrators

See also security attacks

manager default password, A.5

managing roles with RADIUS server, 19.3.8

materialized views

auditing, 22.2.7.2

MD5 message digest algorithm, 13.2.1

memory

users, viewing, 2.6.5

MERGE INTO statement, affected by DBMS_RLS.ADD_POLICY statement_types parameter, 10.3.3

methods

privileges on, 4.13

Microsoft Windows

Kerberos

configuring for Windows 2008 Domain Controller KDC, 17.3

middle-tier systems

client identifiers, 3.10.2.2

enterprise user connections, 3.10.1.12.2

password-based proxy authentication, 3.10.1.12.1

privileges, limiting, 3.10.1.9

proxies authenticating users, 3.10.1.10

proxying but not authenticating users, 3.10.1.11

reauthenticating user to database, 3.10.1.12

USERENV namespace attributes, accessing, 9.3.6.4

mining models

auditing, 22.2.7.2

mixed mode auditing capabilities, 21.7.3

monitoring user actions

See also auditing, standard auditing, fine-grained auditing

multiplex multiple-client network sessions, A.9.2

multitenant container database (CDB)

See CDBs

My Oracle Support

security patches, downloading, A.2.1

---

N

nCipher hardware security module

using Oracle Net tracing to troubleshoot, 18.9.5.1

Net8

See Oracle Net

Netscape Communications Corporation, 18.1

network authentication

external authentication, 3.8.5

guidelines for securing, A.5

roles, granting using, 4.17.1

Secure Sockets Layer, 3.6.1

smart cards, A.5

third-party services, 3.6.2.1

token cards, A.5

X.509 certificates, A.5

network connections

denial-of-service (DoS) attacks, addressing, A.9.2

guidelines for security, A.9, A.9.1, A.9.2

securing, A.9.2

network encryption

about, 13.4

configuring, 13.4

network IP addresses

guidelines for security, A.9.2

nondatabase users

about, 9.4.1

auditing, 22.2.24

clearing session data, 9.4.4.7

creating client session-based application contexts, 9.5.1

global application contexts

package example, 9.4.4.6

reason for using, 9.4.1

setting, 9.4.4.6

tutorial, 9.4.6.1

One Big Application User authentication

about, 10.5.9

features compromised by, 8.2.1

security risks, 8.2.1

Oracle Virtual Private Database

how it works with, 10.5.9

tutorial for creating a policy group, 10.4.3.1

See also application contexts, client identifiers

---

O

O7_DICTIONARY_ACCESSIBILITY initialization parameter

about, 4.5.2.2

data dictionary protection, A.6

default setting, A.6

securing data dictionary with, 4.5.2.2

obfuscation, 14.5

object privileges, A.3

about, 4.9.1

granting on behalf of the owner, 4.14.2.3

managing, 8.9

revoking, 4.15.2.1

revoking on behalf of owner, 4.15.2.3

schema object privileges, 4.9.1

See also schema object privileges

synonyms, 4.9.5

with common privilege grants, 4.6.3

object types

auditing, 22.2.7.2

objects

applications, managing privileges in, 8.9

granting privileges, 8.9.2

privileges

applications, 8.9.1

managing, 4.13

protecting in shared schemas, 8.8.2

protecting in unique schemas, 8.8.1

SYS schema, access to, 4.5.2.3

OEM_ADVISOR role, 4.8.2

OEM_MONITOR role, 4.8.2

okdstry

Kerberos adapter utility, 17.2

okinit

Kerberos adapter utility, 17.2

oklist

Kerberos adapter utility, 17.2

OLAP_DBA role, 4.8.2

OLAP_USER role, 4.8.2

OLAP_XS_ADMIN role, 4.8.2

One Big Application User authentication

See nondatabase users

operating systems

accounts, 4.17.2

authentication

about, 3.5

advantages, 3.5

disadvantages, 3.5

external, 3.8.4

roles, using, 4.17.1

default permissions, A.6

enabling and disabling roles, 4.17.5

operating system account privileges, limiting, A.6

role identification, 4.17.2

roles and, 4.8.1.8

roles, granting using, 4.17.1

users, limiting number of, A.6

OPTIMIZER_PROCESSING_RATE role, 4.8.2

OPW-00005 error, 2.3.4.2

ORA_ACCOUNT_MGMT predefined unified audit policy, 22.3.4

ORA_CIS_RECOMMENDATIONS predefined unified audit policy, 22.3.5

ORA_DATABASE_PARAMETER predefined unified audit policy, 22.3.3

ORA_DV_AUDPOL predefined unified audit policy, 22.3.7

ORA_LOGON_FAILURES predefined unified audit policy, 22.3.1

ORA_OLS_SESSION_LABELS application context, 22.2.15.3

ORA_SECURECONFIG predefined unified audit policy, 22.3.2

ORA-01720 error, 4.11.1

ORA-06512 error, 6.12, 22.4.8.6

ORA-06598 error, 5.5.2

ORA-12650 error, B.2.7

ORA-1536 error, 2.2.7.3

ORA-24247 error, 6.4, 6.12, 22.4.8.6

ORA-28009 error, 4.5.2.2

ORA-28017 error, 2.3.4.1

ORA-28040 error, 3.2.7.3, 3.4.1

ORA-28575 error, 8.4.1

ORA-40300 error, 18.9.5.2

ORA-40301 error, 18.9.5.2

ORA-40302 error, 18.9.5.2

ORA-45622 errors, 11.6.6.2

Oracle Advanced Security

checksum sample for sqlnet.ora file, B.1

configuration parameters, 14.6.1

disabling authentication, 20.2

encryption sample for sqlnet.ora file, B.1

Java implementation, 14.1, 14.4

network authentication services, A.5

network traffic encryption, A.9.2

SSL features, 18.1.2

user access to application schemas, 8.8.2

Oracle Call Interface (OCI)

application contexts, client session-based, 9.5.1

proxy authentication, 3.10.1.1

Oracle Virtual Private Database, how it works with, 10.5.9

proxy authentication with real user, 3.10.1.8

security-related initialization parameters, 8.10

Oracle Connection Manager

securing client networks with, A.9.2

Oracle Data Guard

SYSDG administrative privilege, 4.4.5

Oracle Data Pump

exported data from VPD policies, 10.5.8

Oracle Database Enterprise User Security

password security threats, 3.2.7.1

Oracle Database Real Application Clusters

archive timestamp for audit records, 23.3.3.4

global contexts, 9.4.1

Oracle Database Real Application Security

auditing, 22.2.12

Oracle Database Vault

auditing, 22.2.14

Oracle Developer Tools For Visual Studio (ODT)

debugging using Java Debug Wire Protocol, 6.12

Oracle Enterprise Manager

PDBs, 7

statistics monitor, 2.4.3

Oracle Enterprise Security Manager

role management with, 3.6.2.4

Oracle home

default permissions, disallowing modification, A.6

Oracle Internet Directory

Diffie-Hellman SSL port, 18.8.5.4

Oracle Internet Directory (OID)

authenticating with directory-based service, 3.6.2.4

SYSDBA and SYSOPER access, controlling, 3.3.2.1

Oracle Java Virtual Machine (OJVM)

permissions, restricting, A.3

Oracle Label Security

auditing, 22.2.15

Oracle Label Security (OLS)

Oracle Virtual Private Database, using with, 10.5.7.1

Oracle Net

firewall support, A.9.2

Oracle parameters

authentication, 20.4

Oracle Password Protocol, 14.4

Oracle Real Application Clusters

global application contexts, 9.4.2

Oracle Recovery Manager

auditing, 22.2.13

events that are audited, 22.2.13.2

SYSBACKUP administrative privilege, 4.4.4

Oracle Technology Network

security alerts, A.2.1

Oracle Virtual Private Database

exporting data using Data Pump Export, 10.5.8

Oracle Virtual Private Database (VPD)

about, 10.1.1

ANSI operations, 10.5.3

application contexts

tutorial, 10.4.2.1

used with, 10.1.5

applications

how it works with, 10.5.4

users who are database users, how it works with, 10.5.9

applications using for security, 8.2.2

automatic reparsing, how it works with, 10.5.5

benefits, 10.1.2

CDBs, 10.1.6

column level, 10.3.4.1

column masking behavior

enabling, 10.3.4.3

restrictions, 10.3.4.3

column-level display, 10.3.4.1

components, 10.2

configuring, 10.3

cursors, shared, 10.1.5

edition-based redefinitions, 10.5.1

editions, results in, 9.4.4.2

Enterprise User Security proxy authentication, how it works with, 10.5.9

exporting data, 10.5.7.2

finding information about, 10.6

flashback query, how it works with, 10.5.6

function

components, 10.2.1

how it is executed, 10.1.4

JDBC proxy authentication, how it works with, 10.5.9

nondatabase user applications, how works with, 10.5.9

OCI proxy authentication, how it works with, 10.5.9

Oracle Label Security

exceptions in behavior, 10.5.7.2

using with, 10.5.7.1

outer join operations, 10.5.3

performance benefit, 10.1.2.2

policies, Oracle Virtual Private Database

about, 10.3.1

applications, validating, 10.3.5.5

attaching to database object, 10.3.2

column display, 10.3.4.1

column-level display, default, 10.3.4.2

dynamic, 10.3.6.2

multiple, 10.3.5.4

optimizing performance, 10.3.6.1

privileges used to run, 10.1.4

SQL statements, specifying, 10.3.3

policy groups

about, 10.3.5.1

benefits, 10.3.5.1

creating, 10.3.5.2

default, 10.3.5.3

tutorial, implementation, 10.4.3.1

policy types

context sensitive, about, 10.3.6.6

context sensitive, altering existing policy, 10.3.6.6

context sensitive, creating, 10.3.6.6

context sensitive, refreshing, 10.3.6.6

context sensitive, restricting evaluation, 10.3.6.6

context sensitive, when to use, 10.3.6.8

context-sensitive, audited, 22.2.7.11

DYNAMIC, 10.3.6.2

dynamic, audited, 22.2.7.11

shared context sensitive, about, 10.3.6.7

shared context sensitive, when to use, 10.3.6.8

shared static, about, 10.3.6.4

shared static, when to use, 10.3.6.5

static, about, 10.3.6.3

static, audited, 22.2.7.11

static, when to use, 10.3.6.5

summary of features, 10.3.6.9

privileges required to create policies, 10.1.3

SELECT FOR UPDATE statements in policies, 10.5.2

tutorial, simple, 10.4.1.1

user models, 10.5.9

Web-based applications, how it works with, 10.5.9

Oracle Virtual Private Datebase (VPD)

predicates

audited in fine-grained audit policies, 22.4.4

Oracle Wallet Manager

X.509 Version 3 certificates, 3.6.2.5

Oracle wallets

authentication method, 3.6.2.5

setting location, 18.6.1.2

sqlnet.listener.ora setting, C.2.5

sqlnet.ora location setting, C.2.5

ORACLE_DATAPUMP access driver

guidelines for security, A.7

OracleMetaLink

See My Oracle Support

orapki utility

about, F.1

adding a certificate request to a wallet with, F.3.3

adding a root certificate to a wallet with, F.3.3

adding a trusted certificate to a wallet with, F.3.3

adding user certificates to a wallet with, F.3.3

cert create command, F.6.1

cert display command, F.6.2

certificate revocation lists, 18.8.5.1

changing the wallet password with, F.3.2.6

converting wallet to use AES256 algorithm, F.3.2.7

creating a local auto login wallet with, F.3.2.4

creating a wallet with, F.3.2.1

creating an auto login wallet with, F.3.2.2, F.3.2.3

creating signed certificates for testing, F.2

crl delete command, F.6.3

crl display command, F.6.4

crl hash command, F.6.5

crl list command, F.6.6

crl upload command, F.6.7

examples, F.5

exporting a certificate from a wallet with, F.3.4

exporting a certificate request from a wallet with, F.3.4

managing certificate revocation lists, F.4

syntax, F.1.1

viewing a test certificate with, F.2

viewing a wallet with, F.3.2.5

wallet add command, F.6.8

wallet convert command, F.6.9

wallet create command, F.6.10

wallet display command, F.6.11

wallet export command, F.6.12

ORAPWD utility

case sensitivity in passwords, 3.2.6.6

changing SYS password with, 2.3.4.1

password file authentication, 3.3.4

permissions to run, 3.3.4

ORDADMIN role, 4.8.2

OS_AUTHENT_PREFIX parameter, 20.4.2

OS_ROLES initialization parameter

operating system role grants, 4.17.5

operating-system authorization and, 4.8.4.4

REMOTE_OS_ROLES and, 4.17.6

using, 4.17.2

OSS.SOURCE.MY_WALLET parameter, 18.6.1.2, 18.6.2.3

outer join operations

Oracle Virtual Private Database affect on, 10.5.3

---

P

packages

auditing, 22.2.7.2, 22.2.7.10

examples, 4.12.5.3

examples of privilege use, 4.12.5.2

granting roles to, 4.8.5.3

privileges

divided by construct, 4.12.5.1

executing, 4.12.1, 4.12.5.1

parallel execution servers, 9.3.3.5

parallel query, and SYS_CONTEXT, 9.3.3.5

parameters

authentication

Kerberos, C.1

RADIUS, C.3

Secure Sockets Layer (SSL), C.2

configuration for JDBC, 14.6.1

encryption and checksumming, 13.4.3

pass phrase

read and parse server.key file, A.9.3

PASSWORD command

about, 2.3.3.2

password files

case sensitivity, effect on SEC_CASE_SENSITIVE_LOGON parameter, 3.2.6.2

how used to authenticate administrators, 3.3.4

PASSWORD_LIFE_TIME profile parameter, 3.2.4.8

PASSWORD_LOCK_TIME profile parameter, 3.2.4.6

PASSWORD_REUSE_MAX profile parameter, 3.2.4.7

PASSWORD_REUSE_TIME profile parameter, 3.2.4.7

passwords

about managing, 3.2.4.1

account locking, 3.2.4.6, 3.2.4.6

administrator

authenticating with, 3.3.4

guidelines for securing, A.5

aging and expiration, 3.2.4.8

ALTER PROFILE statement, 3.2.4.1

altering, 2.3.3.1

application design guidelines, 8.3.1.2

applications, strategies for protecting passwords, 8.3

brute force attacks, 3.2.1

case sensitivity setting, SEC_CASE_SENSITIVE_LOGIN, 3.2.6.1

case sensitivity, configuring, 3.2.6.1

changing for roles, 4.8.3.5

complexity verification

about, 3.2.5.1

guidelines for security, A.5

complexity, guidelines for enforcing, A.5

connecting without, 3.5

CREATE PROFILE statement, 3.2.4.1

danger in storing as clear text, A.5

database user authentication, 3.4.1

default profile settings

about, 3.2.4.3

default user account, A.5

default, finding, 3.2.4.2

delays for incorrect passwords, 3.2.1

duration, A.5

encrypting, 3.2.1, A.5

examples of creating, 3.2.2

expiring

explicitly, 3.2.4.11

procedure for, 3.2.4.8

proxy account passwords, 3.10.1.5

with grace period, 3.2.4.11

failed logins, resetting, 3.2.4.6

grace period, example, 3.2.4.11

guidelines for security, A.5

history, 3.2.4.7, 3.2.4.7, A.5

Java code example to read passwords, 8.3.4

length, A.5

life time set too low, 3.2.4.12

lifetime for, 3.2.4.8

lock time, 3.2.4.6

management rules, A.5

managing, 3.2.4

maximum reuse time, 3.2.4.7

ORAPWD utility, 3.2.6.6

password complexity verification, 3.2.5.1

how database checks, 3.2.5.2

ora12c_verify_function function, 3.2.5.5

privileges required, 3.2.5.3

verify_function_11G function, 3.2.5.4

password file risks, 3.3.5

PASSWORD_LOCK_TIME profile parameter, 3.2.4.6

PASSWORD_REUSE_MAX profile parameter, 3.2.4.7

PASSWORD_REUSE_TIME profile parameter, 3.2.4.7

policies, 3.2.4

privileges for changing for roles, 4.8.3.5

privileges to alter, 2.3.1

protections, built-in, 3.2.1

proxy authentication, 3.10.1.12.1

requirements

additional, A.5

minimum, 3.2.2

reusing, 3.2.4.7, A.5

reusing passwords, 3.2.4.7

role password case sensitivity, 3.2.6.3

roles authenticated by passwords, 4.8.3.1

roles enabled by SET ROLE statement, 4.8.4.1

secure external password store, 3.2.8.1

security risks, 3.3.5

SYS account, 2.3.4.1

SYS and SYSTEM, A.5, A.5

used in roles, 4.8.1.3

utlpwdmg.sql password script

password management, 3.2.5.1

verified using SHA-512 hash function, 3.2.7.3

See also authentication, and access control list (ACL), wallet access

PDB_DBA role, 4.8.2

PDBs

auditing

types of audit settings allowed, 21.9

unified audit policy syntax, 22.2.3

what can be audited, 21.1

common roles

about, 4.7.1

creating, 4.7.6

granting, 4.7.9

how they work, 4.7.2

privileges required for management, 4.7.4

revoking, 4.7.9

rules for creating, 4.7.5

common users

about, 2.2.1.1

accessing data in PDBs, 4.6.5.2

creating, 2.2.10.1

viewing privilege information, 4.6.5.1

Enterprise Manager

about, 7.1

creating common roles, 7.4.1

creating common users, 7.3.1

creating local roles, 7.4.5

creating local users, 7.3.4

dropping common roles, 7.4.3

dropping common users, 7.3.3

dropping local roles, 7.4.7

dropping local users, 7.3.6

editing common roles, 7.4.2

editing common users, 7.3.2

editing local roles, 7.4.6

editing local users, 7.3.5

logging in, 7.2.1

revoking common privilege grants, 7.4.4

revoking local privilege grants, 7.4.8

switching to different container, 7.2.2

fine-grained audit policies, 22.4.5

local roles

about, 4.7.1

creating, 4.7.8

rules for creating, 4.7.7

local users

about, 2.2.1.3

creating, 2.2.10.3

privileges

common, 4.6.2

granting, 4.6.4

how affected, 4.3

object, 4.6.3

revoking, 4.6.4

viewing information about, 4.6.5.1

PUBLIC role, 4.7.3

sqlnet.ora settings, 3.2.7.3

transparent sensitive data protection, 11.5

viewing information about, 4.6.5.1

Virtual Private Database policies, 10.1.6

performance

application contexts, 9.1.3

auditing, 21.3

Oracle Virtual Private Database policies, 10.1.2.2

Oracle Virtual Private Database policy types, 10.3.6.1

resource limits and, 2.4.1

permissions

default, A.6

run-time facilities, A.3

PKCS #11 devices, 18.2.2.5

PKCS #11 error

ORA-40300, 18.9.5.2

ORA-40301, 18.9.5.2

ORA-40302, 18.9.5.2

PKI

See public key infrastructure (PKI)

PL/SQL

roles in procedures, 4.8.1.6

PL/SQL packages

auditing, 22.2.7.2, 22.2.7.10

PL/SQL procedures

setting application context, 9.3.3.1

PL/SQL stored procedures

network access for debugging operations, 6.12

PMON background process

application contexts, cleaning up, 9.3.1

positional parameters

security risks, 8.3.1.4

principle of least privilege, A.3

about, A.3

granting user privileges, A.3

middle-tier privileges, 3.10.1.9

privileges

about, 4.1

access control lists, checking for external network services, 6.11.1

altering

passwords, 2.3.3.1

users, 2.3.1

altering role authentication method, 4.8.3.5

applications, managing, 8.5

auditing use of, 22.2.5.1

auditing, recommended settings for, A.11.4

cascading revokes, 4.15.3

column, 4.14.2.4

compiling procedures, 4.12.4

creating or replacing procedures, 4.12.3

creating users, 2.2.3

dropping profiles, 2.4.4.4

finding information about, 4.19.1

granting

about, 4.5.3, 4.14

examples, 4.12.5.2, 4.12.5.3

object privileges, 4.9.3.1, 4.14.2.1

system, 4.14.1

system privileges, 4.14

grants, listing, 4.19.2

grouping with roles, 4.8

managing, 8.9

middle tier, 3.10.1.9

object, 4.9.1, 4.9.3.2, 8.9.2

granting and revoking, 4.9.3.1

on selected columns, 4.15.2.4

procedures, 4.12.1

creating and replacing, 4.12.3

executing, 4.12.1

in packages, 4.12.5.1

READ ANY TABLE system privilege

about, 4.9.4.2

restrictions, 4.9.4.3

READ object privilege, 4.9.4.1

reasons to grant, 4.2

revoking privileges

about, 4.5.3

object, 4.15.2.1

object privileges, cascading effect, 4.15.3.2

object privileges, requirements for, 4.15.2.1

schema object, 4.9.3.1

revoking system privileges, 4.15.1

roles

creating, 4.8.3.1

dropping, 4.8.6

restrictions on, 4.8.1.7

roles, why better to grant, 4.2

schema object, 4.9.1

DML and DDL operations, 4.10

packages, 4.12.5.1

procedures, 4.12.1

SELECT system privilege, 4.9.4.1

SQL statements permitted, 8.9.2

synonyms and underlying objects, 4.9.5

system

granting and revoking, 4.5.3

SELECT ANY DICTIONARY, A.6

SYSTEM and OBJECT, A.3

system privileges

about, 4.5.1

trigger privileges, 5.2

used for Oracle Virtual Private Database policy functions, 10.1.4

view privileges

creating a view, 4.11.1

using a view, 4.11.2

views, 4.11

See also access control list (ACL) and system privileges, privilege captures

procedures

auditing, 22.2.7.2, 22.2.7.10

compiling, 4.12.4

definer’s rights

about, 5.2

roles disabled, 4.8.1.6.1

examples of, 4.12.5.3

examples of privilege use, 4.12.5.2

granting roles to, 4.8.5.3

invoker’s rights

about, 5.3

roles used, 4.8.1.6.2

privileges for procedures

create or replace, 4.12.3

executing, 4.12.1

executing in packages, 4.12.5.1

privileges required for, 4.12.3

security enhanced by, 5.2

process monitor process (PMON)

cleans up timed-out sessions, 2.4.2.5

PRODUCT_USER_PROFILE table, 4.8.7.2

SQL commands, disabling with, 4.8.7.2

products and options

install only as necessary, A.8

profile parameters

FAILED_LOGIN_ATTEMPTS, 3.2.4.3

PASSWORD_GRACE_TIME, 3.2.4.3, 3.2.4.11

PASSWORD_LIFE_TIME, 3.2.4.3, 3.2.4.9, 3.2.4.12

PASSWORD_LOCK_TIME, 3.2.4.3, 3.2.4.6

PASSWORD_REUSE_MAX, 3.2.4.3, 3.2.4.7

PASSWORD_REUSE_TIME, 3.2.4.3, 3.2.4.7

profiles, 2.4.4.1

about, 2.4.4.1

assigning to user, 2.4.4.3

creating, 2.4.4.2

dropping, 2.4.4.4, 2.4.4.4

finding information about, 2.6.1

finding settings for default profile, 2.6.4

managing, 2.4.4.1

password management, 3.2.4.1

privileges for dropping, 2.4.4.4

specifying for user, 2.2.9

viewing, 2.6.4

program units

granting roles to, 4.8.5.3

PROVISIONER role, 4.8.2

proxy authentication

about, 3.10.1.1, 3.10.1.1

advantages, 3.10.1.2

auditing operations, 3.9.1

auditing users, 22.2.9

client-to-middle tier sequence, 3.10.1.8

creating proxy user accounts, 3.10.1.3

middle-tier

authorizing but not authenticating users, 3.10.1.11

authorizing to proxy and authenticate users, 3.10.1.10

limiting privileges, 3.10.1.9

reauthenticating users, 3.10.1.12

passwords, expired, 3.10.1.5

privileges required for creating users, 3.10.1.3

secure external password store, used with, 3.10.1.7

security benefits, 3.10.1.2

users, passing real identity of, 3.10.1.8

proxy user accounts

privileges required for creation, 3.10.1.3

PROXY_USER attribute, 9.3.6.4

PROXY_USERS view, 3.10.1.5

pseudo columns

USER, 4.11.2

public key infrastructure (PKI), 15.3.3

about, 3.6.2.5

Public Key Infrastructure (PKI)

certificate, 18.2.2.2

certificate authority, 18.2.2.1

certificate revocation lists, 18.2.2.3

PKCS #11 hardware devices, 18.2.2.5

wallets, 18.2.2.4

PUBLIC role

about, 4.5.5

CDBs

PUBLIC role, 4.7.3

granting and revoking privileges, 4.16

procedures and, 4.16

security domain of users, 4.8.1.5

security risk in privileges granted to, 4.5.5

PUBLIC_DEFAULT profile

profiles, dropping, 2.4.4.4

---

Q

quotas

tablespace, 2.2.7.1

temporary segments and, 2.2.7.1

unlimited, 2.2.7.4

viewing, 2.6.3

---

R

RADIUS, 15.3.2, 15.3.2

accounting, 19.3.4

asynchronous authentication mode, 19.2.2

authentication modes, 19.2

authentication parameters, C.3

challenge-response

authentication, 19.2.2

user interface, D.1, D.2

configuring, 19.3.1

database links not supported, 19.1

initialization parameter file setting, C.3.3

location of secret key, 19.3.1.3.1

minimum parameters to set, C.3.2

smartcards and, 15.3.2, 19.2.2.2, 19.3.1.3.2, D.1

SQLNET.AUTHENTICATION_SERVICES parameter, C.3.1.1

sqlnet.ora file sample, B.1

SQLNET.RADIUS_ALTERNATE parameter, C.3.1.8

SQLNET.RADIUS_ALTERNATE_PORT parameter, C.3.1.9

SQLNET.RADIUS_ALTERNATE_RETRIES parameter, C.3.1.11

SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter, C.3.1.10

SQLNET.RADIUS_AUTHENTICATION parameter, C.3.1.2

SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, C.3.1.14

SQLNET.RADIUS_AUTHENTICATION_PORT parameter, C.3.1.3

SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter, C.3.1.5

SQLNET.RADIUS_CHALLENGE_KEYWORD parameter, C.3.1.13

SQLNET.RADIUS_CHALLENGE_RESPONSE parameter, C.3.1.12

SQLNET.RADIUS_CLASSPATH parameter, C.3.1.15

SQLNET.RADIUS_SECRET parameter, C.3.1.7

SQLNET.RADIUS_SEND_ACCOUNTING parameter, C.3.1.6

synchronous authentication mode, 19.2.1

system requirements, 15.5

RADIUS authentication, 3.6.2.3

RC4 encryption algorithm, 13.1.5

READ ANY TABLE system privilege

about, 4.9.4.2

restrictions, 4.9.4.3

READ object privilege

about, 4.9.4.1

guideline for using, A.3

SQL92_SECURITY initialization parameter, 4.9.4.3

reads

limits on data blocks, 2.4.2.4

realm (Kerberos), 17.1.2

RECOVERY_CATALOG_OWNER role

about, 4.8.2

REDACT_AUDIT transparent sensitive data protection default policy, 11.10.1

redo log files

auditing committed and rolled back transactions, A.11.2

REFERENCES privilege

CASCADE CONSTRAINTS option, 4.15.2.5

revoking, 4.15.2.4, 4.15.2.5

SQL statements permitted, 8.9.2

remote authentication, A.9.1, A.9.1

remote debugging

configuring network access, 6.12

REMOTE_OS_AUTHENT initialization parameter

guideline for securing, A.9.1

setting, 3.8.4

remote_os_authentication, A.9.1

REMOTE_OS_ROLES initialization parameter

OS role management risk on network, 4.17.6

setting, 4.8.4.5

resource limits

about, 2.4.1

call level, limiting, 2.4.2.2

connection time for each session, 2.4.2.5

CPU time, limiting, 2.4.2.3

determining values for, 2.4.3

idle time in each session, 2.4.2.5

logical reads, limiting, 2.4.2.4

private SGA space for each session, 2.4.2.5

profiles, 2.4.4.1, 2.4.4.1

session level, limiting, 2.4.2.1

sessions

concurrent for user, 2.4.2.5

elapsed connection time, 2.4.2.5

idle time, 2.4.2.5

SGA space, 2.4.2.5

types, 2.4.2

RESOURCE privilege

CREATE SCHEMA statement, needed for, 8.8.1

RESOURCE role, 4.13.1

about, 4.8.2

restrictions, 15.6

REVOKE CONNECT THROUGH clause

revoking proxy authorization, 3.10.1.5

REVOKE statement

system privileges and roles, 4.15.1

when takes effect, 4.18

revoking privileges and roles

cascading effects, 4.15.3

on selected columns, 4.15.2.4

REVOKE statement, 4.15.1

specifying ALL, 4.9.3.2

when using operating-system roles, 4.17.4

role identification

operating system accounts, 4.17.2

ROLE_SYS_PRIVS view

application privileges, 8.5

ROLE_TAB_PRIVS view

application privileges, finding, 8.5

roles

about, 4.1, 4.8.1.1

ADM_PARALLEL_EXECUTE_TASK role, 4.8.2

ADMIN OPTION and, 4.14.1.1

advantages in application use, 8.5

application, 4.8.1.4.1, 4.8.7, 8.7, 8.7, 8.9

application privileges, 8.5

applications, for user, 8.7

AQ_ADMINISTRATOR_ROLE role, 4.8.2

AQ_USER_ROLE role, 4.8.2

AUDIT_ADMIN role, 4.8.2

AUDIT_VIEWER role, 4.8.2

AUTHENTICATEDUSER role, 4.8.2

authorization, 4.8.4

authorized by enterprise directory service, 4.8.4.6

CAPTURE_ADMIN role, 4.8.2

CDB_DBA role, 4.8.2

changing authorization for, 4.8.3.5

changing passwords, 4.8.3.5

common, auditing, 22.2.4.1

common, granting, 4.7.9

CONNECT role

about, 4.8.2

create your own, A.4

CSW_USR_ROLE role, 4.8.2

CTXAPP role, 4.8.2

CWM_USER role, 4.8.2

database role, users, 8.7.1

DATAPUMP_EXP_FULL_DATABASE role, 4.8.2

DATAPUMP_IMP_FULL_DATABASE role, 4.8.2

DBA role, 4.8.2

DBFS_ROLE role, 4.8.2

DDL statements and, 4.8.1.7

default, 4.18.2

default, setting for user, 2.2.11

definer’s rights procedures disable, 4.8.1.6.1

DELETE_CATALOG_ROLE role, 4.8.2

dependency management in, 4.8.1.7

disabling, 4.18.1

dropping, 4.8.6

EJBCLIENT role, 4.8.2

EM_EXPRESS_ALL role, 4.8.2

EM_EXPRESS_BASIC role, 4.8.2

enabled or disabled, 4.8.1.2, 4.8.5.1

enabling, 4.18.1, 8.7

enterprise, 3.7.1, 4.8.4.6

EXECUTE_CATALOG_ROLE role, 4.8.2

EXP_FULL_DATABASE role, 4.8.2

finding information about, 4.19.1

functionality, 4.2, 4.8.1.2

functionality of, 4.8.1.2

GATHER_SYSTEM_STATISTICS role, 4.8.2

global authorization, 4.8.4.6

about, 4.8.4.6

global roles

about, 3.7.1

creating, 4.8.4.6

external sources, and, 4.8.4.3

GLOBAL_AQ_USER_ROLE role, 4.8.2

GRANT statement, 4.17.5

granted to other roles, 4.8.1.2

granting and revoking to program units, 5.7.6

granting roles

about, 4.14

methods for, 4.8.5.1

system, 4.14.1

system privileges, 4.5.3

granting to program units, 4.8.5.3

guidelines for security, A.4

HS_ADMIN_EXECUTE_ROLE role, 4.8.2

HS_ADMIN_ROLE role, 4.8.2

HS_ADMIN_SELECT_ROLE role, 4.8.2

IMP_FULL_DATABASE role, 4.8.2

in applications, 4.8.1.3

indirectly granted, 4.8.1.2

invoker’s rights procedures use, 4.8.1.6.2

JAVA_ADMIN role, 4.8.2

JAVA_DEPLOY role, 4.8.2

JAVADEBUGPRIV role, 4.8.2

JAVAIDPRIV role, 4.8.2

JAVASYSPRIV role, 4.8.2

JAVAUSERPRIV role, 4.8.2

JMXSERVER role, 4.8.2

job responsibility privileges only, A.4

LBAC_DBA role, 4.8.2

listing grants, 4.19.3

listing privileges and roles in, 4.19.7

listing roles, 4.19.6

LOGSTDBY_ADMINISTRATOR role, 4.8.2

management using the operating system, 4.17.1

managing roles

about, 4.8

categorizing users, 8.9

managing through operating system, 4.8.1.8

managing with RADIUS server, 19.3.8

maximum number a user can enable, 4.18.3

multibyte characters in names, 4.8.3.1

multibyte characters in passwords, 4.8.4.1

naming, 4.8.1.1

network authorization, 4.8.4.5

network client authorization, 4.8.4.5

OEM_ADVISOR role, 4.8.2

OEM_MONITOR role, 4.8.2

OLAP_DBA role, 4.8.2

OLAP_USER role, 4.8.2

OLAP_XS_ADMIN role, 4.8.2

One Big Application User, compromised by, 8.2.1

operating system, 4.17.2

operating system authorization, 4.8.4.4

operating system granting of, 4.17.5

operating system identification of, 4.17.2

operating system management and the shared server, 4.17.6

operating system-managed, 4.17.3, 4.17.4

operating-system authorization, 4.8.4.3

OPTIMIZER_PROCESSING_RATE role, 4.8.2

ORDADMIN role, 4.8.2

password case sensitivity, 3.2.6.3

PDB_DBA role, 4.8.2

predefined, 4.8.2

privileges for creating, 4.8.3.1

privileges for dropping, 4.8.6

privileges, changing authorization method for, 4.8.3.5

privileges, changing passwords, 4.8.3.5

PROVISIONER role, 4.8.2

RECOVERY_CATALOG_OWNER role, 4.8.2

RESOURCE role, 4.8.2

restricting from tool users, 4.8.7

restrictions on privileges of, 4.8.1.7

REVOKE statement, 4.17.5

revoking, 4.8.5.1, 4.15.1

revoking ADMIN option, 4.15.1

SCHEDULER_ADMIN role, 4.8.2

schemas do not contain, 4.8.1.1

security domains of, 4.8.1.5

SELECT_CATALOG_ROLE role, 4.8.2

SET ROLE statement

about, 4.8.4.1

example, 4.8.4.1

OS_ROLES parameter, 4.17.5

setting in PL/SQL blocks, 4.8.1.6.2

SPATIAL_CSW_ADMIN role, 4.8.2

SPATIAL_WFS_ADMIN role, 4.8.2

unique names for, 4.8.3.1

use of passwords with, 4.8.1.3

user, 4.8.1.4.2, 8.9

users capable of granting, 4.8.5.2

uses of, 4.8.1.2, 4.8.1.4

WFS_USR_ROLE role, 4.8.2

WITH GRANT OPTION and, 4.14.2.2

without authorization, 4.8.3.1

WM_ADMIN_ROLE role, 4.8.2

XDB_SET_INVOKER roles, 4.8.2

XDB_WEBSERVICES role, 4.8.2

XDB_WEBSERVICES_OVER_HTTP role, 4.8.2

XDB_WEBSERVICES_WITH_PUBLIC role, 4.8.2

XDBADMIN role, 4.8.2

XS_CACHE_ADMIN role, 4.8.2

XS_NSATTR_ADMIN role, 4.8.2

XS_RESOURCE role, 4.8.2, 4.8.2

See also secure application roles

root

viewing information about, 4.6.5.1

root file paths

for files and packages outside the database, A.3

row-level security

See fine-grained access control, Oracle Virtual Private Database (VPD)

RSA private key, A.9.3

run-time facilities, A.3

restriction permissions, A.3

---

S

sample schemas, A.8

Sample Schemas

remove or relock for production, A.8

test database, A.8

Sarbanes-Oxley Act

auditing to meet compliance, 21.1

SCHEDULER_ADMIN role

about, 4.8.2

schema object privileges, 4.9.1

schema objects

cascading effects on revoking, 4.15.3.2

default tablespace for, 2.2.6.1

dropped users, owned by, 2.5.1

granting privileges, 4.14.2.1

privileges

DML and DDL operations, 4.10

granting and revoking, 4.9.3.1

view privileges, 4.11

privileges on, 4.9.1

privileges to access, 4.9.3.2

privileges with, 4.9.3.2

revoking privileges, 4.15.2.1

schema-independent users, 8.8.2

schemas

auditing, recommended settings for, A.11.4

private, 3.7.2.1

shared among enterprise users, 3.7.2.2

shared, protecting objects in, 8.8.2

unique, 8.8

unique, protecting objects in, 8.8.1

SCOTT user account

restricting privileges of, A.4

scripts, authenticating users in, 3.2.8.1

SEC_CASE_SENSITIVE_LOGON initialization parameter

about, 3.2.6.1

deprecated, 3.2.6.1

SEC_CASE_SENSITIVE_LOGON parameter

conflict with SQLNET.ALLOWED_LOGON_VERSION_SERVER setting, 3.2.6.1

SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, 8.10.3

SEC_PROTOCOL_ERROR_FURTHER_ACTION initialization parameter, 8.10.2

SEC_PROTOCOL_ERROR_TRACE_ACTION initialization parameter, 8.10.1

sec_relevant_cols_opt parameter, 10.3.4.3

SEC_RETURN_SERVER_RELEASE_BANNER initialization parameter, 8.10.4

SEC_USER_AUDIT_ACTION_BANNER initialization parameter, 8.10.5

SEC_USER_UNAUTHORIZED_ACCESS_BANNER initialization parameter, 8.10.5

secconf.sql script

password settings, 3.2.4.5

secret key

location in RADIUS, 19.3.1.3.1

secure application roles

about, 4.8.8

creating, 8.6.1

creating PL/SQL package, 8.6.2.1

finding with DBA_ROLES view, 4.19.1

invoker’s rights, 8.6.2.1

invoker’s rights requirement, 8.6.2.1

package for, 8.6.2.1

SET ROLE statement, 8.6.2.2

user environment information from SYS_CONTEXT SQL function, 8.6.2.1, 8.6.2.2

using to ensure database connection, 4.8.8

secure external password store

about, 3.2.8.1

client configuration, 3.2.8.3

examples, 3.2.8.2

how it works, 3.2.8.2

proxy authentication, used with, 3.10.1.7

Secure Sockets Layer (SSL), 15.3.3

about, 3.6.1

architecture, 18.3.1

AUTHENTICATION parameter, C.2.1

authentication parameters, C.2

authentication process in an Oracle environment, 18.1.3

certificate key algorithm, A.9.3

cipher suites, A.9.3, C.2.2.1

client and server parameters, C.2.1

client authentication parameter, C.2.4

client configuration, 18.6.2

combining with other authentication methods, 18.3, 18.3

configuration files, securing, A.9.3

configuring, 18.6

configuring for SYSDBA or SYSOPER access, 3.3.2.4

enabling, 18.6

filtering certificates, 18.6.2.7

FIPS mode setting (SSLFIPS_140), E.2.3.1

global users with private schemas, 3.7.2.1

guidelines for security, A.9.3, A.9.3

handshake, 18.1.3

industry standard protocol, 18.1

listener, administering, A.9.2

mode, A.9.3

multiple certificates, filtering, 18.6.2.7

pass phrase, A.9.3

requiring client authentication, 18.6.1.5

RSA private key, A.9.3

securing SSL connection, A.9.3

server configuration, 18.6.1

server.key file, A.9.3

SQLNET.AUTHENTICATION_SERVICES parameter, C.2.1

sqlnet.ora file sample, B.1

SSL_CIPHER_SUITES parameter, C.2.2

SSL_CLIENT_AUTHENTICATION, C.2.4

SSL_SERVER_CERT_DN, C.2.4.1.2

SSL_SERVER_DN_MATCH, C.2.4.1.1

SSL_VERSION parameter, C.2.3

system requirements, 15.5

TCPS, A.9.3

version parameter, C.2.3

wallet location, parameter, C.2.5

ways to configure parameters for, C.2

SecurID, 19.2.1.2

token cards, 19.2.1.2

security

application enforcement of, 4.8.1.3

default user accounts

locked and expired automatically, A.3

locking and expiring, A.3

domains, enabled roles and, 4.8.5.1

enforcement in application, 8.2.2

enforcement in database, 8.2.2

multibyte characters in role names, 4.8.3.1

multibyte characters in role passwords, 4.8.4.1

passwords, 3.4.1

policies

applications, 8.1

SQL*Plus users, restricting, 4.8.7

tables or views, 10.1.2.1

procedures enhance, 5.2

resources, additional, 1.2

roles, advantages in application use, 8.5

See also security risks

security alerts, A.2.1

security attacks

access to server after protocol errors, preventing, 8.10.2

application context values, attempts to change, 9.3.2.2

application design to prevent attacks, 8.3

command line recall attacks, 8.3.1.1, 8.3.1.4

denial of service, A.9.2

denial-of-service

bad packets, addressing, 8.10.1

denial-of-service attacks through listener, A.9.2

disk flooding, preventing, 8.10.1

eavesdropping, A.9.1

encryption, problems not solved by, 12.1.2

falsified IP addresses, A.9.1

falsified or stolen client system identities, A.9.1

hacked operating systems or applications, A.9.1

intruders, 12.1.2

password cracking, 3.2.1

password protections against, 3.2.1

preventing malicious attacks from clients, 8.10

preventing password theft with proxy authentication and secure external password store, 3.10.1.7

session ID, need for encryption, 9.4.5.3

shoulder surfing, 8.3.1.4

SQL injection attacks, 8.3.1.2

unlimited authenticated requests, preventing, 8.10.3

user session output, hiding from intruders, 9.3.4

See also security risks

security domains

enabled roles and, 4.8.1.2

security patches

about, A.2.1

downloading, A.2.1

security policies

See Oracle Virtual Private Database, policies

security risks

ad hoc tools, 4.8.7.1, 4.8.7.1

application users not being database users, 8.2.1

applications enforcing rather than database, 8.2.2

bad packets to server, 8.10.1

database version displaying, 8.10.4

encryption keys, users managing, 12.2.4.4

invoker’s rights procedures, 5.5.1

password files, 3.3.5

passwords exposed in large deployments, 3.2.8.1

passwords, exposing in programs or scripts, 8.3.1.4

positional parameters in SQL scripts, 8.3.1.4

privileges carelessly granted, 4.5.5

privileges granted to PUBLIC role, 4.5.5

remote user impersonating another user, 4.8.4.5

sensitive data in audit trail, A.11

server falsifying identities, A.9.3

users with multiple roles, 8.7.1

See also security attacks

security settings scripts

password settings

secconf.sql, 3.2.4.5

undopwd.sql, 3.2.4.5

Security Sockets Layer (SSL)

use of term includes TLS, 18.1.1

SELECT ANY DICTIONARY privilege

data dictionary, accessing, A.6

exclusion from GRANT ALL PRIVILEGES privilege, A.6

SELECT FOR UPDATE statement in Virtual Private Database policies, 10.5.2

SELECT object privilege

guideline for using, A.3

privileges enabled, 4.9.4.1

SELECT privilege

SQL statements permitted, 8.9.2

SELECT_CATALOG_ROLE role

about, 4.8.2

SYS schema objects, enabling access to, 4.5.2.3

separation of duty concepts, Glossary

sequences

auditing, 22.2.7.2

server.key file

pass phrase to read and parse, A.9.3

SESSION_ROLES data dictionary view

PUBLIC role, 4.5.5

SESSION_ROLES view

queried from PL/SQL block, 4.8.1.6.1

sessions

listing privilege domain of, 4.19.5

memory use, viewing, 2.6.5

time limits on, 2.4.2.5

when auditing options take effect, 23.1.1

SET ROLE statement

application code, including in, 8.7.2

associating privileges with role, 8.7.1

disabling roles with, 4.18.1

enabling roles with, 4.18.1

secure application roles, 8.6.2.2

when using operating-system roles, 4.17.5

SGA

See System Global Area (SGA)

SHA-512 cryptographic hash function

enabling exclusive mode, 3.2.7.3

Shared Global Area (SGA)

See System Global Area (SGA)

shared server

limiting private SQL areas, 2.4.2.5

operating system role management restrictions, 4.17.6

shoulder surfing, 8.3.1.4

smart cards

guidelines for security, A.5

smartcards, 15.3.2

and RADIUS, 15.3.2, 19.2.2.2, 19.3.1.3.2, D.1

SPATIAL_CSW_ADMIN role, 4.8.2

SPATIAL_WFS_ADMIN role, 4.8.2

SQL Developer

debugging using Java Debug Wire Protocol, 6.12

SQL injection attacks, 8.3.1.2

SQL statements

dynamic, 9.3.3.4

object privileges permitting in applications, 8.9.2

privileges required for, 4.9.1, 8.9.2

resource limits and, 2.4.2.2

restricting ad hoc use, 4.8.7.1, 4.8.7.1

SQL*Net

See Oracle Net Services

SQL*Plus

connecting with, 3.5

restricting ad hoc use, 4.8.7.1, 4.8.7.1

statistics monitor, 2.4.3

SQL92_SECURITY initialization parameter

READ object privilege impact, 4.9.4.3

SQLNET.ALLOWED_LOGON_VERSION

See SQLNET.ALLOWED_LOGON_VERSION_CLIENT, SQLNET.ALLOWED_LOGON_VERSION_SERVER,

SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter

conflict with SEC_CASE_SENSITIVE_LOGON FALSE setting, 3.2.6.1

effect on role passwords, 3.2.6.3

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter, 17.1.6.1

SQLNET.AUTHENTICATION_SERVICES parameter, 17.1.6.1, 18.6.1.6, 18.6.1.6, 18.6.2.6, 18.6.2.6, 19.3.1.1, 20.2, 20.3, C.2.1, C.3.1.1

SQLNET.CRYPTO_CHECKSUM_CLIENT parameter, 13.4.3.2, B.2.5

SQLNET.CRYPTO_CHECKSUM_SERVER parameter, 13.4.3.2, B.2.4

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter, 13.4.3.2, B.2.9, B.2.9

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter, 13.4.3.2, B.2.8, B.2.8

SQLNET.ENCRYPTION_CLIENT parameter, 13.4.3.1, B.2.3, B.2.3, E.3.2.3

SQLNET.ENCRYPTION_SERVER parameter, 13.4.3.1, B.2.2, B.2.2

SQLNET.ENCRYPTION_SERVER=REQUIRED parameter, E.3.2.2

SQLNET.ENCRYPTION_TYPES_CLIENT parameter, 13.4.3.1, B.2.7, B.2.7, E.3.2.5

SQLNET.ENCRYPTION_TYPES_SERVER parameter, 13.4.3.1, B.2.6, B.2.6, E.3.2.4

SQLNET.FIPS_140 parameter, E.3.2.6

SQLNET.KERBEROS5_CC_NAME parameter, 17.1.6.3

SQLNET.KERBEROS5_CLOCKSKEW parameter, 17.1.6.3

SQLNET.KERBEROS5_CONF parameter, 17.1.6.3, 17.1.6.3

SQLNET.KERBEROS5_KEYTAB parameter, 17.1.6.3

SQLNET.KERBEROS5_REALMS parameter, 17.1.6.3

sqlnet.ora file

Common sample, B.1

FIPS 140-1

parameters, E.3.2.1

FIPS 140-2

Cipher Suite settings, E.2.3.2

enabling tracing, E.2.5

Kerberos sample, B.1

Oracle Advanced Security checksum sample, B.1

Oracle Advanced Security encryption sample, B.1

Oracle wallet setting, C.2.5

OSS.SOURCE.MY_WALLET parameter, 18.6.1.2, 18.6.2.3

parameters for clients and servers using Kerberos, C.1

parameters for clients and servers using RADIUS, C.3

parameters for clients and servers using SSL, C.2

PDBs, 3.2.7.3

RADIUS sample, B.1

sample, B.1

SENCRYPTION_SERVER=REQUIRED parameter, E.3.2.2

SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter, 17.1.6.1

SQLNET.AUTHENTICATION_SERVICES parameter, 17.1.6.1, 18.6.1.6, 18.6.1.6, 18.6.2.6, 18.6.2.6, 20.2, 20.3

SQLNET.CRYPTO_CHECKSUM_CLIENT parameter, 13.4.3.2

SQLNET.CRYPTO_CHECKSUM_SERVER parameter, 13.4.3.2

SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter, 13.4.3.2, B.2.9

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter, 13.4.3.2, B.2.8

SQLNET.ENCRYPTION_CLIENT parameter, B.2.3, E.3.2.3

SQLNET.ENCRYPTION_SERVER parameter, 13.4.3.1, B.2.2

SQLNET.ENCRYPTION_TYPES_CLIENT parameter, 13.4.3.1, B.2.7, E.3.2.5

SQLNET.ENCRYPTION_TYPES_SERVER parameter, 13.4.3.1, B.2.6, E.3.2.4

SQLNET.FIPS_140 parameter, E.3.2.6

SQLNET.KERBEROS5_CC_NAME parameter, 17.1.6.3

SQLNET.KERBEROS5_CLOCKSKEW parameter, 17.1.6.3

SQLNET.KERBEROS5_CONF parameter, 17.1.6.3, 17.1.6.3

SQLNET.KERBEROS5_KEYTAB parameter, 17.1.6.3

SQLNET.KERBEROS5_REALMS parameter, 17.1.6.3

SQLNET.SSL_EXTENDED_KEY_USAGE, 18.6.2.7

SSL sample, B.1

SSL_CLIENT_AUTHENTICATION parameter, 18.6.1.5

SSL_CLIENT_AUTHETNICATION parameter, 18.6.2.3

SSL_VERSION parameter, 18.6.1.4, 18.6.2.5

Trace File Set Up sample, B.1

SQLNET.RADIUS_ALTERNATE parameter, 19.3.1.3.3, C.3.1.8

SQLNET.RADIUS_ALTERNATE_PORT parameter, 19.3.1.3.3, C.3.1.9

SQLNET.RADIUS_ALTERNATE_RETRIES parameter, 19.3.1.3.3, C.3.1.11

SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter, 19.3.1.3.3, C.3.1.10

SQLNET.RADIUS_AUTHENTICATION parameter, C.3.1.2

SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, C.3.1.14

SQLNET.RADIUS_AUTHENTICATION_PORT parameter, C.3.1.3

SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter, C.3.1.5

SQLNET.RADIUS_CHALLENGE_KEYWORDparameter, C.3.1.13

SQLNET.RADIUS_CHALLENGE_RESPONSE parameter, C.3.1.12

SQLNET.RADIUS_CLASSPATH parameter, C.3.1.15

SQLNET.RADIUS_SECRET parameter, C.3.1.7

SQLNET.RADIUS_SEND_ACCOUNTING parameter, 19.3.4.1, C.3.1.6

SQLNET.SSL_EXTENDED_KEY_USAGE parameter, 18.6.2.7

SSL

See Secure Sockets Layer (SSL)

SSL_CIPHER_SUITES parameter, C.2.2

SSL_CLIENT_AUTHENTICATION parameter, 18.6.1.5, 18.6.2.3, C.2.4

SSL_SERVER_CERT_DN parameter, C.2.4.1.2

SSL_SERVER_DN_MATCH parameter, C.2.4.1.1

SSL_VERSION parameter, 18.6.1.4, 18.6.2.5, C.2.3

standard audit trail

records, purging, 23.2.1

standard auditing

affected by editions, 22.2.7.12

archiving audit trail, 23.2.2

privilege auditing

about, 22.2.5.1

multitier environment, 22.2.9

records

archiving, 23.2.2

statement auditing

multitier environment, 22.2.9

statement_types parameter of DBMS_RLS.ADD_POLICY procedure, 10.3.3

storage

quotas and, 2.2.7.1

unlimited quotas, 2.2.7.4

stored procedures

using privileges granted to PUBLIC role, 4.16

strong authentication

centrally controlling SYSDBA and SYSOPER access to multiple databases, 3.3.2.1

guideline, A.5

symbolic links

restricting, A.6

synchronous authentication mode, RADIUS, 19.2.1

synonyms

object privileges, 4.9.5

privileges, guidelines on, A.3

SYS account

auditing, 22.2.21.1

changing password, 2.3.4.1

policy enforcement, 10.5.7.2

SYS and SYSTEM

passwords, A.5, A.5

SYS and SYSTEM accounts

auditing, 22.2.21.1

SYS objects

auditing, 22.2.7.4

SYS schema

objects, access to, 4.5.2.3

SYS user

auditing example, 22.2.5.5

SYS_CONTEXT function

about, 9.3.3.1

auditing nondatabase users with, 22.2.24.2

database links, 9.3.3.6

dynamic SQL statements, 9.3.3.4

example, 9.3.3.7

parallel query, 9.3.3.5

STATIC policies, 10.3.6.5

syntax, 9.3.3.2, 9.3.3.2

unified audit policies, 22.2.10.1

used in views, 5.6.1

validating users, 8.6.2.1

SYS_DEFAULT Oracle Virtual Private Database policy group, 10.3.5.3

SYS_SESSION_ROLES namespace, 9.3.3.1

SYS.AUD$ table

archiving, 23.2.2

SYSBACKUP privilege

operations supported, 4.4.4

SYSDBA privilege, 4.4.3

SYSDG privilege

operations supported, 4.4.5

SYS.FGA_LOG$ table

archiving, 23.2.2

SYSKM privilege

operations supported, 4.4.6

SYSMAN user account, A.5, A.5

SYSOPER privilege, 4.4.3

SYS-privileged connections, A.3

System Global Area (SGA)

application contexts, storing in, 9.1.3

global application context information location, 9.4.1

limiting private SQL areas, 2.4.2.5

system privileges, A.3

about, 4.5.1

ADMIN OPTION, 4.5.4

ANY

guidelines for security, A.6

ANY system privileges, 4.5.2.1

CDBs, 4.6.2

GRANT ANY OBJECT PRIVILEGE, 4.14.2.3, 4.15.2.3

GRANT ANY PRIVILEGE, 4.5.4

granting, 4.14.1

granting and revoking, 4.5.3

power of, 4.5.1

restriction needs, 4.5.2.1

revoking, cascading effect of, 4.15.3.1

SELECT ANY DICTIONARY, A.6

with common privilege grants, 4.6.2

system requirements

Kerberos, 15.5

RADIUS, 15.5

SSL, 15.5

strong authentication, 15.5

---

T

tables

auditing, 22.2.7.2

privileges on, 4.10

tablespaces

assigning defaults for users, 2.2.6.1

default quota, 2.2.7.1

quotas for users, 2.2.7.1

quotas, viewing, 2.6.3

temporary

assigning to users, 2.2.8.1

unlimited quotas, 2.2.7.4

TCPS protocol

Secure Sockets Layer, used with, A.9.2

tnsnames.ora file, used in, A.9.3

TELNET service, A.9.2

TFTP service, A.9.2

thin JDBC support, 14.1

time measurement for statement execution, 10.3.6.2

TLS See Secure Sockets Layer (SSL)

token cards, 15.3.2, A.5

trace file

set up sample for sqlnet.ora file, B.1

trace files

access to, importance of restricting, A.6

bad packets, 8.10.1

FIPS 140-2, E.2.5

location of, finding, 9.6

TRANSLATE ANY SQL privilege

not audited, 22.2.5.3

TRANSLATE SQL privilege

not audited, 22.2.5.3

Transparent Data Encryption

about, 12.2.4.5

enabling for FIPS 140-2, E.2.2

SYSKM administrative privilege, 4.4.6

transparent sensitive data protection (TSDP)

about, 11.1

altering policies, 11.7

benefits, 11.1

bind variables

about, 11.10.1

expressions of conditions, 11.10.2.1

creating policies, 11.6

disabling policies, 11.8

disabling REDACT_AUDIT policy, 11.10.4

dropping policies, 11.9

enabling REDACT_AUDIT policy, 11.10.4

finding information about, 11.13

general steps, 11.2

PDBs, 11.5

privileges required, 11.4

REDACT_AUDIT policy, 11.10.1

sensitive columns in INSERT or UPDATE operations, 11.10.2.3

sensitive columns in same SELECT query, 11.10.2.2

sensitive columns in views, 11.10.3

use cases, 11.3

Virtual Private Database

DBMS_RLS.ADD_POLICY parameters, 11.12.2

general steps, 11.12.1

tutorial, 11.12.3

transparent tablespace encryption

about, 12.2.4.5

triggers

auditing, 22.2.7.2, 22.2.7.10

CREATE TRIGGER ON, 8.9.2

logon

examples, 9.3.4

externally initialized application contexts, 9.3.4

privileges for executing, 5.2

roles, 4.8.1.6

WHEN OTHERS exception, 9.3.4

troubleshooting, 17.4

finding errors by checking trace files, 9.6

trusted procedure

database session-based application contexts, 9.1.2

tsnames.ora configuration file, A.9.3

tutorials

application context, database session-based, 9.3.5

auditing

creating policy to audit nondatabase users, 22.2.24

creating policy using email alert, 22.4.8.1

external network services, using email alert, 22.4.8.1

global application context with client session ID, 9.4.6.1

invoker’s rights procedure using CBAC, 5.7.7

nondatabase users

creating Oracle Virtual Private Database policy group, 10.4.3.1

global application context, 9.4.6.1

Oracle Virtual Private Database

policy groups, 10.4.3.1

policy implementing, 10.4.2.1

simple example, 10.4.1.1

TSDP with VPD, 11.12.3

See also examples

types

creating, 4.13.5

privileges on, 4.13

user defined

creation requirements, 4.13.4

---

U

UDP and TCP ports

close for ALL disabled services, A.9.2

UGA

See User Global Area (UGA)

undopwd.sql script, 3.2.4.5

unified audit policies

about, 22.2.1, 22.2.1

best practices for creating, 22.2.2

dropping

about, 22.2.23.1

procedure, 22.2.23.2

location of, 22.2.3

predefined

ORA_ACCOUNT_MGMT, 22.3.4

ORA_CIS_RECOMMENDATIONS, 22.3.5

ORA_DATABASE_PARAMETER, 22.3.3

ORA_DV_AUDPOL, 22.3.7

ORA_LOGON_FAILURES, 22.3.1

ORA_SECURECONFIG, 22.3.2

syntax for creating, 22.2.3

users, applying to, 22.2.21.1

users, excluding, 22.2.21.1

users, success or failure, 22.2.21.1

unified audit policies, administrative users

example, 22.2.6.3

users that can be audited, 22.2.6.1

unified audit policies, administriave users

configuring, 22.2.6.2

unified audit policies, altering

about, 22.2.20.1

configuring, 22.2.20.2

examples, 22.2.20.3

unified audit policies, CDBs

about, 22.2.19.1

appearance in audit trail, 22.2.19.5

configuring, 22.2.19.2

examples, 22.2.19.3, 22.2.19.4

unified audit policies, conditions

about, 22.2.10.1

configuring, 22.2.10.2

examples, 22.2.10.4

unified audit policies, disabling

about, 22.2.21.1, 22.2.22.1

configuring, 22.2.22.2

unified audit policies, enabling

about, 22.2.21.1

configuring, 22.2.21.2

for groups of users through roles, 22.2.21.1

unified audit policies, object actions

about, 22.2.7.1

actions that can be audited, 22.2.7.2

appearance in audit trail, 22.2.7.9

configuring, 22.2.7.3

dictionary tables

auditing, 22.2.7.4

examples, 22.2.7.5

SYS objects, 22.2.7.4

unified audit policies, Oracle Data Miner

about, 22.2.16.1

unified audit policies, Oracle Data Mining

configuring, 22.2.16.3

how events appear in audit trail, 22.2.16.6

unified audit policies, Oracle Data Pump

about, 22.2.17.1

appearance in audit trail, 22.2.17.6, 22.2.18.5

configuring, 22.2.17.3

events to audit, 22.2.17.2

examples, 22.2.17.4

how events appear in audit trail, 22.2.17.6

unified audit policies, Oracle Database Real Application Security

about, 22.2.12.1

configuring, 22.2.12.3

events to audit, 22.2.12.2

examples, 22.2.12.4

how events appear in audit trail, 22.2.12.6

predefined

about, 22.3.6

ORA_RAS_POLICY_MGMT, 22.3.6.1

ORA_RAS_SESSION_MGMT, 22.3.6.2

unified audit policies, Oracle Database Vault

about, 22.2.14.1

appearance in audit trail, 22.2.14.7

attributes to audit, 22.2.14.3

configuring, 22.2.14.4

data dictionary views, 22.2.14.2

examples, 22.2.14.5

how events appear in audit trail, 22.2.14.7

unified audit policies, Oracle Label Security

about, 22.2.15.1

appearance in audit trail, 22.2.15.8

configuring, 22.2.15.4

events to audit, 22.2.15.2

examples, 22.2.15.5

how events appear in audit trail, 22.2.15.8

LBACSYS.ORA_GET_AUDITED_LABEL function, 22.2.15.8

user session label events, 22.2.15.3

unified audit policies, Oracle Recovery Manager

about, 22.2.13.1

appearance in audit trail, 22.2.13.3

how events appear in audit trail, 22.2.13.3

unified audit policies, Oracle SQL*Loader

about, 22.2.18.1

configuring, 22.2.18.3

events to audit, 22.2.18.2

example, 22.2.18.4

how events appear in audit trail, 22.2.18.5

unified audit policies, privileges

about, 22.2.5.1

appearance in audit trail, 22.2.5.7

configuring, 22.2.5.4

examples, 22.2.5.5

privileges that can be audited, 22.2.5.2

privileges that cannot be audited, 22.2.5.3

unified audit policies, roles

about, 22.2.4.1

configuring, 22.2.4.2

examples, 22.2.4.3

unified audit session ID, finding, 22.2.10.7

unified audit trail

about, 21.4

archiving, 23.2.2, 23.2.2

loading audit records to, 23.1.5

when records are created, 23.1.1

writing audit trail records to AUDSYS

about, 23.1.4.1

configuring modes, 23.1.4.2

immediate-write mode, 23.1.4.1

manually flushing records to AUDSYS, 23.1.4.3

minimum flush threshold for queues, 23.1.1

queued-write mode, 23.1.4.1

unified audit trail, object actions

READ object actions, 22.2.8.1

SELECT object actions, 22.2.8.2

unified audit trail, Oracle Data Mining

events to audit, 22.2.16.2

examples, 22.2.16.4

unified auditing

benefits, 21.5

compared with mixed mode auditing, 21.7.1

database creation, 21.7.2

disabling, 23.1.6

finding if migrated to, 21.6

mixed mode auditing

about, 21.7.1

capabilities, 21.7.3

purging records

example, 23.3.6

general steps for manual purges, 23.3.2.2

general steps for scheduledl purges, 23.3.2.1

tutorial, 22.2.24

UNLIMITED TABLESPACE privilege, 2.2.7.4, 2.2.7.4

UPDATE privilege

revoking, 4.15.2.4

user accounts

administrative user passwords, A.5

common

creating, 2.2.10.1

common user

about, 2.2.1.1

default user account, A.5

local

creating, 2.2.10.3

local user

about, 2.2.1.3

password guidelines, A.5

passwords, encrypted, A.5

privileges required to create, 2.2.2

proxy users, 3.10.1.3

USER function

global application contexts, 9.4.4.3

User Global Area (UGA)

application contexts, storing in, 9.1.3

user names

schemas, 8.8

user privileges

CDBs, 4.3

USER pseudo column, 4.11.2

user sessions, multiple within single database connection, 3.10.1.8

USERENV function, 9.3.3.2, 12.3

used in views, 5.6.1

USERENV namespace

about, 9.3.3.2

client identifiers, 3.10.2.1

See also CLIENT_IDENTIFIER USERENV attribute

users

administrative option (ADMIN OPTION), 4.14.1.1

altering, 2.3.1

altering common users, 2.3.2

altering local users, 2.3.2

application users not known to database, 3.10.2.1

assigning unlimited quotas for, 2.2.7.4

auditing, 22.2.21.1

database role, current, 8.7.1

default roles, changing, 2.2.11

default tablespaces, 2.2.6.1

dropping, 2.5.1, 2.5.3

dropping profiles and, 2.4.4.4

dropping roles and, 4.8.6

enabling roles for, 8.7

enterprise, 3.7.1, 4.8.4.6

enterprise, shared schema protection, 8.8.2

external authentication

about, 3.8.1

advantages, 3.8.2

assigning profiles, 2.4.4.3

operating system, 3.8.4

user creation, 3.8.3

finding information about, 2.6.1

finding information about authentication, 3.11

global, 3.7.1

assigning profiles, 2.4.4.3

hosts, connecting to multiple

See external network services, fine-grained access to

information about, viewing, 2.6.2

listing roles granted to, 4.19.3

memory use, viewing, 2.6.5

names

case sensitivity, 2.2.4.2

how stored in database, 2.2.4.2

network authentication, external, 3.8.5

nondatabase, 9.4.1, 9.4.4.6

objects after dropping, 2.5.1

operating system external authentication, 3.8.4

password encryption, 3.2.1

privileges

for changing passwords, 2.3.1

for creating, 2.2.3

granted to, listing, 4.19.2

of current database role, 8.7.1

profiles

assigning, 2.4.4.3

creating, 2.4.4.2

specifying, 2.2.9

proxy authentication, 3.10.1.1

proxy users, connecting as, 3.10.1.1

PUBLIC role, 4.8.1.5, 4.16

quota limits for tablespace, 2.2.7.3

restricting application roles, 4.8.7

restrictions on user names, 2.2.4.1

roles and, 4.8.1.3

for types of users, 4.8.1.4.2

schema-independent, 8.8.2

schemas, private, 3.7.2.1

security domains of, 4.8.1.5

security, about, 2.1

tablespace quotas, 2.2.7.1

tablespace quotas, viewing, 2.6.3

user accounts, creating, 2.2.3

user models and Oracle Virtual Private Database, 10.5.9

user name, specifying with CREATE USER statement, 2.2.4.1

views for finding information about, 2.6

utlpwdmg.sql

about, 3.2.5.1

UTLPWDMG.SQL

guidelines for security, A.5

---

V

valid node checking, A.9.2

views

about, 4.11

access control list data

external network services, 6.13

wallet access, 6.13

application contexts, 9.6

audit management settings, 23.4

audit trail usage, 22.5

audited activities, 22.5

auditing, 22.2.7.2

authentication, 3.11

bind variables in TSDP sensitive columns, 11.10.3

DBA_COL_PRIVS, 4.19.4

DBA_HOST_ACES, 6.11.1, 6.13

DBA_HOST_ACLS, 6.13

DBA_ROLE_PRIVS, 4.19.3

DBA_ROLES, 4.19.6

DBA_SYS_PRIVS, 4.19.2

DBA_TAB_PRIVS, 4.19.4

DBA_USERS_WITH_DEFPWD, 3.2.4.2

DBA_WALLET_ACES, 6.13

DBA_WALLET_ACLS, 6.13

definer’s rights, 5.6.1

encrypted data, 12.5

invoker’s rights, 5.6.1

Oracle Virtual Private Database policies, 10.6

privileges, 4.11, 4.19.1

profiles, 2.6.1

ROLE_ROLE_PRIVS, 4.19.7

ROLE_SYS_PRIVS, 4.19.7

ROLE_TAB_PRIVS, 4.19.7

roles, 4.19.1

security applications of, 4.11.2

SESSION_PRIVS, 4.19.5

SESSION_ROLES, 4.19.5

transparent sensitive data protection, 11.13

USER_HOST_ACES, 6.13

USER_WALLET_ACES, 6.13

users, 2.6.1

Virtual Private Database

See Oracle Virtual Private Database

VPD

See Oracle Virtual Private Database

vulnerable run-time call, A.3

made more secure, A.3

---

W

Wallet Manager

See Oracle Wallet Manager

wallets, 18.2.2.4

authentication method, 3.6.2.5

See also access control lists (ACL), wallet access

Web applications

user connections, 9.4.1, 9.4.4.6

Web-based applications

Oracle Virtual Private Database, how it works with, 10.5.9

WFS_USR_ROLE role, 4.8.2

WHEN OTHERS exceptions

logon triggers, used in, 9.3.4

WHERE clause, dynamic SQL, 10.2.1

Windows native authentication, 3.3.3

WITH GRANT OPTION clause

about, 4.14.2.2

user and role grants, 4.9.2

WM_ADMIN_ROLE role, 4.8.2

---

X

X.509 certificates

guidelines for security, A.5

XDB_SET_INVOKER role, 4.8.2

XDB_WEBSERVICES role, 4.8.2

XDB_WEBSERVICES_OVER_HTTP role

about, 4.8.2

XDB_WEBSERVICES_WITH_PUBLIC role, 4.8.2

XDBADMIN role, 4.8.2

XS_CACHE_ADMIN role, 4.8.2

XS_NSATTR_ADMIN role, 4.8.2

XS_RESOURCE role, 4.8.2, 4.8.2