Oracle® Database
Security Guide
10g Release 2 (10.2)
B14266-09
July 2012
Oracle Database Security Guide 10g Release 2 (10.2)
B14266-09
Copyright © 2003, 2012, Oracle and/or its affiliates. All rights reserved.
Primary Author: Sumit Jeloka
Contributing Authors: Don Gosselin, Richard Smith
Contributors: Gopal Mulagund, Nina Lewis, Janaki Narasinghanallur, Srividya Tata, Narendra Manappa
This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it
on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data
delivered to U.S. Government customers are "commercial computer software" or "commercial technical data"
pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As
such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and
license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of
the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software
License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
This software or hardware is developed for general use in a variety of information management
applications. It is not developed or intended for use in any inherently dangerous applications, including
applications that may create a risk of personal injury. If you use this software or hardware in dangerous
applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other
measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages
caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks
are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD,
Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced
Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content, products,
and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle
Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your
access to or use of third-party content, products, or services.
Contents
Preface xxi
Audience xxi
Documentation Accessibility xxi
Organization xxii
Related Documentation xxiv
Conventions xxv
What's New in Oracle Database Security? xxvii
New Features in Virtual Private Database xxvii
New Features in Auditing xxviii
New PL/SQL Encryption Package: DBMS_CRYPTO xxix
Part I Overview of Security Considerations and Requirements
1 Security Requirements, Threats, and Concepts
Identity Management: Security in Complex, High-Volume Environments 1-3
Desired Benefits of Identity Management 1-4
Components of Oracle Identity Management Infrastructure 1-5
2 Security Checklists and Recommendations
Physical Access Control Checklist 2-1
Personnel Checklist 2-2
Secure Installation and Configuration Checklist 2-2
Networking Security Checklists 2-5
SSL Checklist 2-5
Client Checklist 2-6
Listener Checklist 2-7
Network Checklist 2-7
3 Security Policies and Tips
Introduction to Database Security Policies 3-1
Security Threats and Countermeasures 3-1
What Information Security Policies Can Cover 3-2
Recommended Application Design Practices to Reduce Risk 3-3
Tip 1: Enable and Disable Roles Promptly 3-4
Tip 2: Encapsulate Privileges in Stored Procedures 3-5
Tip 3: Use Role Passwords Unknown to the User 3-5
Tip 4: Use Proxy Authentication and a Secure Application Role 3-5
Tip 5: Use Secure Application Roles to Verify IP Address 3-6
Tip 6: Use Application Context and Fine-Grained Access Control 3-7
Part II Security Features, Concepts, and Alternatives
4 Authentication Methods
Authentication by the Operating System 4-1
Authentication by the Network 4-2
Authentication Using SSL 4-2
Authentication Using Third-Party Services 4-2
Kerberos Authentication 4-3
PKI-Based Authentication 4-3
Authentication with RADIUS 4-4
Directory-Based Services 4-5
Authentication by Oracle Database 4-5
Password Encryption While Connecting 4-6
Account Locking 4-6
Password Lifetime and Expiration 4-6
Password History 4-6
Password Complexity Verification 4-7
Multitier Authentication and Authorization 4-7
Clients, Application Servers, and Database Servers 4-8
Security Issues for Middle-Tier Applications 4-9
Identity Issues in a Multitier Environment 4-9
Restricted Privileges in a Multitier Environment 4-9
Client Privileges 4-10
Application Server Privileges 4-10
Authentication of Database Administrators 4-10
5 Authorization: Privileges, Roles, Profiles, and Resource Limitations
Introduction to Privileges 5-1
System Privileges 5-2
Granting and Revoking System Privileges 5-2
Who Can Grant or Revoke System Privileges? 5-3
Schema Object Privileges 5-3
Granting and Revoking Schema Object Privileges 5-3
Who Can Grant Schema Object Privileges? 5-4
Using Privileges with Synonyms 5-4
Table Privileges 5-5
DML Operations 5-5
DDL Operations 5-5
View Privileges 5-6
Privileges Required to Create Views 5-6
Increasing Table Security with Views 5-6
Procedure Privileges 5-7
Procedure Execution and Security Domains 5-7
System Privileges Needed to Create or Alter a Procedure 5-9
Packages and Package Objects 5-9
Type Privileges 5-10
System Privileges for Named Types 5-11
Object Privileges 5-11
Method Execution Model 5-11
Privileges Required to Create Types and Tables Using Types 5-11
Example of Privileges for Creating Types and Tables Using Types 5-12
Privileges on Type Access and Object Access 5-13
Type Dependencies 5-14
Introduction to Roles 5-14
Properties of Roles 5-15
Common Uses of Roles 5-16
Application Roles 5-16
User Roles 5-17
Granting and Revoking Roles 5-17
Who Can Grant or Revoke Roles? 5-17
Security Domains of Roles and Users 5-17
PL/SQL Blocks and Roles 5-18
Named Blocks with Definer's Rights 5-18
Anonymous Blocks with Invoker's Rights 5-18
DDL Statements and Roles 5-18
Predefined Roles 5-19
Operating System and Roles 5-20
Roles in a Distributed Environment 5-20
Secure Application Roles 5-20
Creation of Secure Application Roles 5-20
User Resource Limits 5-21
Types of System Resources and Limits 5-22
Session Level 5-22
Call Level 5-22
CPU Time 5-22
Logical Reads 5-22
Limiting Other Resources 5-23
Profiles 5-24
Determining Values for Resource Limits 5-24
6 Access Control on Tables, Views, Synonyms, or Rows
Introduction to Views 6-2
Fine-Grained Access Control 6-3
Dynamic Predicates 6-4
Application Context 6-5
Dynamic Contexts 6-6
Security Followup: Auditing and Prevention 6-7
7 Security Policies
System Security Policy 7-1
Database User Management 7-1
User Authentication 7-2
Operating System Security 7-2
Data Security Policy 7-2
User Security Policy 7-3
General User Security 7-3
Password Security 7-3
Privilege Management 7-4
End-User Security 7-4
Using Roles for End-User Privilege Management 7-4
Using a Directory Service for End-User Privilege Management 7-5
Administrator Security 7-5
Protection for Connections as SYS and SYSTEM 7-6
Protection for Administrator Connections 7-6
Using Roles for Administrator Privilege Management 7-6
Application Developer Security 7-7
Application Developers and Their Privileges 7-7
Application Developer Environment: Test and Production Databases 7-7
Free Versus Controlled Application Development 7-8
Roles and Privileges for Application Developers 7-8
Space Restrictions Imposed on Application Developers 7-9
Application Administrator Security 7-9
Password Management Policy 7-9
Account Locking 7-10
Password Aging and Expiration 7-10
Setting the PASSWORD_LIFE_TIME Profile Parameter to a Low Value 7-11
Password History 7-12
Password Complexity Verification 7-12
Password Verification Routine Formatting Guidelines 7-13
Sample Password Verification Routine 7-13
Auditing Policy 7-15
A Security Checklist 7-16
8 Database Auditing: Security Considerations
Auditing Types and Records 8-2
Audit Records and Audit Trails 8-3
Database Audit Trail (DBA_AUDIT_TRAIL) 8-3
Operating System Audit Trail 8-4
Syslog Audit Trail 8-5
Operating System and Syslog Audit Records 8-5
Records Always in the Operating System and Syslog Audit Trail 8-6
When Are Audit Records Created? 8-6
Statement Auditing 8-7
Privilege Auditing 8-7
Schema Object Auditing 8-8
Schema Object Audit Options for Views, Procedures, and Other Elements 8-8
Focusing Statement, Privilege, and Schema Object Auditing 8-9
Auditing Statement Executions: Successful, Unsuccessful, or Both 8-9
Number of Audit Records from Multiple Executions of a Statement 8-10
BY SESSION 8-10
BY ACCESS 8-11
Audit by User 8-11
Auditing in a Multitier Environment 8-12
Fine-Grained Auditing 8-12
Part III Security Implementation, Configuration, and Administration
9 Secure External Password Store
How Does the External Password Store Work? 9-1
Configuring Clients to Use the External Password Store 9-2
Managing External Password Store Credentials 9-4
Listing External Password Store Contents 9-4
Adding Credentials to an External Password Store 9-4
Modifying Credentials in an External Password Store 9-5
Deleting Credentials from an External Password Store 9-5
10 Administering Authentication
User Authentication Methods 10-1
Database Authentication 10-1
Creating a User Who Is Authenticated by the Database 10-2
Advantages of Database Authentication 10-2
External Authentication 10-2
Creating a User Who Is Authenticated Externally 10-3
Operating System Authentication 10-3
Network Authentication 10-4
Advantages of External Authentication 10-4
Global Authentication and Authorization 10-4
Creating a User Who Is Authorized by a Directory Service 10-5
Advantages of Global Authentication and Global Authorization 10-5
Proxy Authentication and Authorization 10-6
Authorizing a Middle Tier to Proxy and Authenticate a User 10-7
Authorizing a Middle Tier to Proxy a User Authenticated by Other Means 10-7
11 Administering User Privileges, Roles, and Profiles
Managing Oracle Users 11-1
Creating Users 11-1
Specifying a Name 11-2
Setting Up User Authentication 11-3
Assigning a Default Tablespace 11-3
Assigning Tablespace Quotas 11-3
Assigning a Temporary Tablespace 11-4
Specifying a Profile 11-5
Setting Default Roles 11-5
Altering Users 11-5
Changing User Authentication Mechanism 11-6
Changing User Default Roles 11-6
Dropping Users 11-6
Viewing Information About Database Users and Profiles 11-7
User and Profile Information in Data Dictionary Views 11-7
Listing All Users and Associated Information 11-8
Listing All Tablespace Quotas 11-8
Listing All Profiles and Assigned Limits 11-9
Viewing Memory Use for Each User Session 11-10
Managing Resources with Profiles 11-10
Dropping Profiles 11-11
Understanding User Privileges and Roles 11-11
System Privileges 11-11
Restricting System Privileges 11-12
Accessing Objects in the SYS Schema 11-12
Object Privileges 11-13
User Roles 11-13
Managing User Roles 11-15
Creating a Role 11-15
Specifying the Type of Role Authorization 11-16
Role Authorization by the Database 11-16
Role Authorization by an Application 11-16
Role Authorization by an External Source 11-17
Role Authorization by an Enterprise Directory Service 11-17
Dropping Roles 11-18
Granting User Privileges and Roles 11-18
Granting System Privileges and Roles 11-18
Granting the ADMIN OPTION 11-19
Creating a New User with the GRANT Statement 11-19
Granting Object Privileges 11-19
Specifying the GRANT OPTION 11-20
Granting Object Privileges on Behalf of the Object Owner 11-20
Granting Privileges on Columns 11-21
Row-Level Access Control 11-22
Revoking User Privileges and Roles 11-22
Revoking System Privileges and Roles 11-22
Revoking Object Privileges 11-22
Revoking Object Privileges on Behalf of the Object Owner 11-23
Revoking Column-Selective Object Privileges 11-24
Revoking the REFERENCES Object Privilege 11-24
Cascading Effects of Revoking Privileges 11-24
System Privileges 11-24
Object Privileges 11-25
Granting to and Revoking from the PUBLIC Role 11-25
When Do Grants and Revokes Take Effect? 11-26
The SET ROLE Statement 11-26
Specifying Default Roles 11-26
Restricting the Number of Roles that a User Can Enable 11-27
Granting Roles Using the Operating System or Network 11-27
Using Operating System Role Identification 11-28
Using Operating System Role Management 11-29
Granting and Revoking Roles When OS_ROLES=TRUE 11-29
Enabling and Disabling Roles When OS_ROLES=TRUE 11-29
Using Network Connections with Operating System Role Management 11-29
Viewing Privilege and Role Information 11-29
Listing All System Privilege Grants 11-31
Listing All Role Grants 11-31
Listing Object Privileges Granted to a User 11-31
Listing the Current Privilege Domain of Your Session 11-32
Listing Roles of the Database 11-32
Listing Information About the Privilege Domains of Roles 11-33
12 Configuring and Administering Auditing
Actions Audited by Default 12-1
Guidelines for Auditing 12-2
Keeping Audited Information Manageable 12-2
Auditing Normal Database Activity 12-3
Auditing Suspicious Database Activity 12-3
Auditing Administrative Users 12-3
Using Triggers 12-5
Deciding Whether to Use the Database or Operating System Audit Trail 12-5
What Information Is Contained in the Audit Trail? 12-6
Database Audit Trail Contents 12-7
Audit Information Stored in an Operating System File 12-8
Managing the Standard Audit Trail 12-9
Enabling and Disabling Standard Auditing 12-9
Setting the AUDIT_TRAIL Initialization Parameter 12-10
Specifying a Directory for the Operating System Auditing Trail 12-10
Specifying the Syslog Level 12-11
Standard Auditing in a Multitier Environment 12-11
Enabling Standard Auditing Options 12-12
Enabling Statement Auditing 12-13
Enabling Privilege Auditing 12-13
Enabling Object Auditing 12-14
Enabling Network Auditing 12-14
Disabling Standard Audit Options 12-15
Turning Off Statement and Privilege Auditing 12-15
Turning Off Object Auditing 12-16
Turning Off Network Auditing 12-16
Controlling the Growth and Size of the Standard Audit Trail 12-16
Purging Audit Records from the Audit Trail 12-17
Archiving Audit Trail Information 12-18
Reducing the Size of the Audit Trail 12-18
Protecting the Standard Audit Trail 12-18
Auditing the Standard Audit Trail 12-18
Viewing Database Audit Trail Information 12-19
Audit Trail Views 12-19
Using Audit Trail Views to Investigate Suspicious Activities 12-20
Listing Active Statement Audit Options 12-21
Listing Active Privilege Audit Options 12-21
Listing Active Object Audit Options for Specific Objects 12-21
Listing Default Object Audit Options 12-22
Listing Audit Records 12-22
Listing Audit Records for the AUDIT SESSION Option 12-22
Deleting the Audit Trail Views 12-22
The SYS.AUD$ Auditing Table: Example 12-22
Fine-Grained Auditing 12-24
Policies in Fine-Grained Auditing 12-25
Advantages of Fine-Grained Auditing over Triggers 12-25
Extensible Interface Using Event Handler Functions 12-26
Functions and Relevant Columns in Fine-Grained Auditing 12-26
Audit Records in Fine-Grained Auditing 12-26
NULL Audit Conditions 12-27
Defining FGA Policies 12-27
An Added Benefit to Fine-Grained Auditing 12-27
The DBMS_FGA Package 12-29
ADD_POLICY Procedure 12-29
Syntax 12-29
Parameters 12-30
Usage Notes 12-30
V$XML_AUDIT_TRAIL View 12-33
Examples 12-34
DISABLE_POLICY Procedure 12-34
Syntax 12-34
Parameters 12-34
DROP_POLICY Procedure 12-35
Syntax 12-35
Parameters 12-35
Usage Notes 12-35
ENABLE_POLICY Procedure 12-35
Syntax 12-35
Parameters 12-35
13 Introducing Database Security for Application Developers
About Application Security Policies 13-1
Considerations for Using Application-Based Security 13-2
Are Application Users Also Database Users? 13-2
Is Security Enforced in the Application or in the Database? 13-3
Managing Application Privileges 13-3
Creating Secure Application Roles 13-4
An Example of Creating a Secure Application Role 13-5
Associating Privileges with User Database Roles 13-6
Using the SET ROLE Statement 13-7
Using the SET_ROLE Procedure 13-7
Examples of Assigning Roles with Static and Dynamic SQL 13-8
Protecting Database Objects by Using Schemas 13-9
Unique Schemas 13-9
Shared Schemas 13-9
Managing Object Privileges 13-9
What Application Developers Need to Know About Object Privileges 13-10
SQL Statements Permitted by Object Privileges 13-10
14 Using Virtual Private Database to Implement Application Security Policies
About Virtual Private Database, Fine-Grained Access Control, and Application Context 14-1
Introduction to VPD 14-2
Column-Level VPD 14-3
Column-Level VPD with Column-masking Behavior 14-3
VPD Security Policies and Applications 14-3
Introduction to Fine-Grained Access Control 14-4
Features of Fine-Grained Access Control 14-4
Security Policies Based on Tables, Views, and Synonyms 14-4
Multiple Policies for Each Table, View, or Synonym 14-5
Grouping of Security Policies 14-5
High Performance 14-5
Default Security Policies 14-5
About Creating a VPD Policy with Oracle Policy Manager 14-6
Introduction to Application Context 14-7
Features of Application Context 14-7
Specifying Attributes for Each Application 14-7
Providing Access to Predefined Attributes Through the USERENV Namespace 14-7
Externalized Application Contexts 14-12
Ways to Use Application Context with Fine-Grained Access Control 14-13
Secure Data Caching 14-13
Returning a Specific Predicate (Security Policy) 14-13
Providing Attributes Similar to Bind Variables in a Predicate 14-14
Introduction to Global Application Context 14-14
Enforcing Application Security 14-15
Use of Ad Hoc Tools: A Potential Security Problem 14-15
Restricting SQL*Plus Users from Using Database Roles 14-15
Limiting Roles Through PRODUCT_USER_PROFILE 14-15
Using Stored Procedures to Encapsulate Business Logic 14-16
Using VPD for Highest Security 14-16
VPD and Oracle Label Security Exceptions and Exemptions 14-16
User Models and VPD 14-17
15 Implementing Application Context and Fine-Grained Access Control
About Using Application Context 15-1
Using Secure Session-Based Application Context 15-4
Task 1: Create a PL/SQL Package that Sets the Secure Context for Your Application 15-4
SYS_CONTEXT Syntax 15-4
SYS_CONTEXT Example 15-4
Using Dynamic SQL with SYS_CONTEXT 15-5
Using SYS_CONTEXT in a Parallel Query 15-5
Using SYS_CONTEXT with Database Links 15-6
Task 2: Create a Unique Secure Context and Associate It with the PL/SQL Package 15-6
Task 3: Set the Secure Context Before the User Retrieves Data 15-6
Task 4: Use the Secure Context in a VPD Policy Function 15-6
Examples: Secure Application Context Within a Fine-Grained Access Control Function 15-7
Example 1: Implementing the Policy 15-7
Step 1: Create a PL/SQL Package To Set the Secure Context for the Application 15-7
Step 2: Create a Secure Application Context 15-8
Step 3: Access the Secure Application Context Inside the Package 15-8
Step 4: Create the New Security Policy 15-8
Example 2: Controlling User Access with an Application 15-10
Step 1: Create a PL/SQL Package to Set the Secure Context 15-10
Step 2: Create the Secure Context and Associate It with the Package 15-11
Step 3: Create the Initialization Script for the Application 15-11
Example 3: Event Triggers, Secure Application Context, Fine-Grained Access Control, and Encapsulation of Privileges 15-11
Initializing Secure Application Context Externally 15-15
Obtaining Default Values from Users 15-15
Obtaining Values from Other External Resources 15-15
Initializing Secure Application Context Globally 15-16
Using Secure Application Context with LDAP 15-16
How Globally Initialized Secure Application Context Works 15-17
Example: Initializing Secure Application Context Globally 15-17
Using Client Session-Based Application Context 15-19
Setting a Value in CLIENTCONTEXT 15-19
Clearing a Particular Setting in CLIENTCONTEXT 15-20
Clearing all Settings in CLIENTCONTEXT 15-20
How to Use Global Application Context 15-20
Using the DBMS_SESSION Interface to Manage Application Context in Client Sessions 15-21
Examples: Global Application Context 15-21
Example 1: Global Application Context Process 15-21
Example 2: Global Application Context for Lightweight Users 15-22
How Fine-Grained Access Control Works 15-23
How to Establish Policy Groups 15-24
The Default Policy Group: SYS_DEFAULT 15-25
New Policy Groups 15-25
How to Implement Policy Groups 15-26
Step 1: Set Up a Driving Context 15-26
Step 2: Add a Policy to the Default Policy Group. 15-26
Step 3: Add a Policy to the HR Policy Group 15-27
Step 4: Add a Policy to the FINANCE Policy Group 15-27
Validating the Application Used to Connect to the Database 15-28
How to Add a Policy to a Table, View, or Synonym 15-28
DBMS_RLS.ADD_POLICY Procedure Policy Types 15-29
Optimizing Performance by Enabling Static and Context Sensitive Policies 15-31
About Static Policies 15-31
About Context-Sensitive Policies 15-32
Adding Policies for Column-Level VPD 15-32
Default Behavior 15-33
Column-masking Behavior 15-33
Enforcing VPD Policies on Specific SQL Statement Types 15-35
Enforcing Policies on Index Maintenance 15-35
How to Check for Policies Applied to a SQL Statement 15-35
Users Exempt from VPD Policies 15-36
SYS User Exempted from VPD Policies 15-36
EXEMPT ACCESS POLICY System Privilege 15-36
Automatic Reparse 15-36
VPD Policies and Flashback Query 15-37
16 Preserving User Identity in Multitiered Environments
Security Challenges of Three-Tier Computing 16-1
Who Is the Real User? 16-1
Does the Middle Tier Have Too Many Privileges? 16-1
How to Audit? Whom to Audit? 16-2
What Are the Authentication Requirements for Three-Tier Systems? 16-2
Client to Middle Tier Authentication 16-2
Middle Tier to Database Authentication 16-2
Client Reauthentication Through Middle Tier to Database 16-2
Oracle Database Solutions for Preserving User Identity 16-3
Proxy Authentication 16-3
Passing Through the Identity of the Real User by Using Proxy Authentication 16-4
Limiting the Privilege of the Middle Tier 16-5
Reauthenticating the User Through the Middle Tier to the Database 16-5
Auditing Actions Taken on Behalf of the Real User 16-7
Advantages of Proxy Authentication 16-7
Client Identifiers 16-8
Support for Application User Models by Using Client Identifiers 16-8
Using the CLIENT_IDENTIFIER Attribute to Preserve User Identity 16-8
Using CLIENT_IDENTIFIER Independent of Global Application Context 16-9
17 Developing Applications Using Data Encryption
Securing Sensitive Information 17-1
Principles of Data Encryption 17-2
Principle 1: Encryption Does Not Solve Access Control Problems 17-2
Principle 2: Encryption Does Not Protect Against a Malicious DBA 17-3
Principle 3: Encrypting Everything Does Not Make Data Secure 17-4
Stored Data Encryption Using DBMS_CRYPTO 17-4
DBMS_CRYPTO Hashing and Encryption Capabilities 17-4
Data Encryption Challenges 17-6
Encrypting Indexed Data 17-7
Key Generation 17-7
Key Transmission 17-7
Key Storage 17-7
Storing the Keys in the Database 17-8
Storing the Keys in the Operating System 17-9
Users Managing Their Own Keys 17-9
Using Transparent Database Encryption 17-10
Changing Encryption Keys 17-10
BLOBS 17-10
Example of a Data Encryption Procedure 17-10
Example of AES 256-Bit Data Encryption and Decryption Procedures 17-11
Example of Encryption and Decryption Procedures for BLOB Data 17-12
Part IV Appendixes
A Addressing The CONNECT Role Change
How Applications Are Affected A-2
Database Upgrade A-2
Account Provisioning A-2
Installation of Applications Using New Databases A-2
How Users Are Affected A-2
General Users A-2
Application Developers A-3
Client Server Applications A-3
Approaches to Addressing the CONNECT Role Change A-3
Approach 1 - Create a new database role A-3
Approach 2 - Restore CONNECT privileges A-4
New View Showing CONNECT Grantees A-5
Approach 3 - Conduct least privilege analysis A-5
B Verifying Data Integrity with DBMS_SQLHASH
Overview of the DBMS_SQLHASH Package B-1
The DBMS_SQLHASH.GETHASH Function B-1
Syntax B-1
Parameters B-2
Glossary
Index
List of Tables
1–1 Security Issues by Category 1-2
3–1 Issues and Actions that Security Policies Must Address 3-2
3–2 Reference Terms and Chapters for Oracle Features and Products 3-3
5–1 System Privileges for Named Types 5-11
5–2 Privileges for Object Tables 5-13
5–3 Properties of Roles and Their Description 5-15
6–1 Policy Types and Run-Time Efficiencies 6-7
7–1 Parameters Controlling Reuse of an Old Password 7-12
7–2 Default Accounts and Their Status (Standard Installation) 7-17
8–1 Auditing Types and Descriptions 8-2
8–2 Columns Shown in the Database Audit Trail (DBA_AUDIT_TRAIL) 8-3
8–3 Auditing Actions Newly Enabled by Oracle Database 10g 8-9
11–1 Predefined Roles 11-14
12–1 Audit Trail Record Data 12-7
12–2 Auditable Network Error Conditions 12-15
12–3 ADD_POLICY Procedure Parameters 12-30
12–4 Elements in the V$XML_AUDIT_TRAIL Dynamic View 12-33
12–5 DISABLE_POLICY Procedure Parameters 12-34
12–6 DROP_POLICY Procedure Parameters 12-35
12–7 ENABLE_POLICY Procedure Parameters 12-35
13–1 How Privileges Relate to Schema Objects 13-10
13–2 SQL Statements Permitted by Database Object Privileges 13-10
14–1 Key to Predefined Attributes in USERENV Namespace 14-8
14–2 Deprecated Attributes of Namespace USERENV 14-12
14–3 VPD in Different User Models 14-18
15–1 Types of Application Contexts 15-3
15–2 DBMS_RLS Procedures 15-28
15–3 DBMS_RLS.ADD_POLICY Policy Types At a Glance 15-30
15–4 V$VPD_POLICY 15-35
17–1 DBMS_CRYPTO and DBMS_OBFUSCATION_TOOLKIT Feature Comparison 17-5
A–1 Columns and Contents for DBA_CONNECT_ROLE_GRANTEES A-5
B–1 GETHASH Function Parameters B-2
List of Examples
9–1 Sample SQLNET.ORA File with Wallet Parameters Set 9-3
11–1 Create a User and Grant the Create Session System Privilege 11-2
15–1 Syntax for Enabling Policy Types with DBMS_RLS.ADD_POLICY 15-30
15–2 Creating and Adding a Column-Level VPD Policy 15-33
15–3 Adding a Column-level VPD Policy with Column-masking Behavior 15-34
List of Figures
1–1 Realms Needing Security in an Internet World 1-2
4–1 Oracle Public Key Infrastructure 4-4
4–2 Multitier Authentication 4-9
4–3 Database Administrator Authentication Methods 4-10
5–1 Common Uses for Roles 5-16
6–1 An Example of a View 6-2
7–1 User Roles 7-5
7–2 Chronology of Password Lifetime and Grace Period 7-11
15–1 Location of Application Context in LDAP Directory Information Tree 15-17
Preface
This document provides a comprehensive overview of security for Oracle Database. It
includes conceptual information about security requirements and threats, descriptions
of Oracle Database security features, and procedural information that explains how to
use those features to secure your database.
This preface contains these topics:
■ Audience
■ Documentation Accessibility
■ Organization
■ Related Documentation
■ Conventions
Audience
The Oracle Database Security Guide is intended for database administrators (DBAs),
security administrators, application developers, and others tasked with performing
the following operations securely and efficiently:
■ Designing and implementing security policies to protect the organization's data,
users, and applications from accidental, inappropriate, or unauthorized actions
■ Creating and enforcing policies and practices of auditing and accountability for
any such inappropriate or unauthorized actions
■ Creating, maintaining, and terminating user accounts, passwords, roles, and
privileges
■ Developing applications that provide desired services securely in a variety of
computational models, leveraging database and directory services to maximize
both efficiency and client ease of use
To use this document, you need a basic understanding of how and why a database is
used, as well as at least basic familiarity with SQL queries or programming.
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle
Accessibility Program website.
Access to Oracle Support
Oracle customers have access to electronic support through My Oracle Support. For
information, visit the My Oracle Support website, or the hearing-impaired support
page if you are hearing impaired.
Organization
This document contains:
Part I, "Overview of Security Considerations and Requirements"
Part I presents fundamental concepts of data security, and offers checklists and policies
to aid in securing your site's data, operations, and users.
Chapter 1, "Security Requirements, Threats, and Concepts"
This chapter presents fundamental concepts of data security requirements and threats.
Chapter 2, "Security Checklists and Recommendations"
This chapter presents checklists, with brief explanations, for policies and practices that
reduce your installation's vulnerabilities.
Chapter 3, "Security Policies and Tips"
This chapter presents basic general security policies, with specific chapter references,
that apply to every site. These you must understand and apply to the unique
considerations of your own site. The chapter also introduces general application
design practices regarding roles and privileges.
Part II, "Security Features, Concepts, and Alternatives"
Part II presents methods and features that address the security requirements, threats,
and concepts described in Part I.
Chapter 4, "Authentication Methods"
This chapter deals with verifying the identity of anyone who wants to use data,
resources, or applications. Authentication establishes a trust relationship for further
interactions as well as accountability linking access and actions to a specific identity.
Chapter 5, "Authorization: Privileges, Roles, Profiles, and Resource Limitations"
This chapter describes standard authorization processes that allow an entity to have
certain levels of access and action, but which also limit the access, actions, and
resources permitted to that entity.
Chapter 6, "Access Control on Tables, Views, Synonyms, or Rows"
This chapter discusses protecting objects by using object-level privileges and views, as
well as by designing and using policies to restrict access to specific tables, views,
synonyms, or rows. Such policies invoke functions that you design to specify dynamic
predicates establishing the restrictions.
Chapter 7, "Security Policies"
This chapter discusses security policies in separate sections dealing with system
security, data security, user security, password management, and auditing. It
concludes with a more detailed version of the checklist first presented in Chapter 2.
Chapter 8, "Database Auditing: Security Considerations"
This chapter presents auditing as the monitoring and recording of selected user
database actions. Auditing can be based either on individual actions, such as the type
of SQL statement executed, or on combinations of factors that can include user name,
application, time, and so on. Security policies can trigger auditing when specified
elements in an Oracle database are accessed or altered, including the contents within a
specified object.
Part III, "Security Implementation, Configuration, and Administration"
Part III presents the details of setting up, configuring, and administering Oracle
Database security features.
Chapter 9, "Secure External Password Store"
This chapter discusses the secure external password store, which allows you to store
password credentials in a client-side Oracle Wallet. It covers client configuration for
using the external password store and the management of the credentials it holds.
Chapter 10, "Administering Authentication"
This chapter describes the methods for creating and administering authentication by
defining users and how they are to be identified and verified before access is granted.
The four primary methods discussed are database, external, global, and proxy
authentication.
Chapter 11, "Administering User Privileges, Roles, and Profiles"
This chapter presents the interwoven tasks and considerations involved in granting,
viewing, and revoking database user privileges and roles, and the profiles that contain
them.
Chapter 12, "Configuring and Administering Auditing"
This chapter describes auditing and accountability to protect and preserve privacy for
the information stored in databases, detect suspicious activities, and enable
finely-tuned security responses.
Chapter 13, "Introducing Database Security for Application Developers"
This chapter provides an introduction to the security challenges that face application
developers and includes an overview of Oracle Database features they can use to
develop secure applications.
Chapter 14, "Using Virtual Private Database to Implement Application Security
Policies"
This chapter discusses developing secure applications by using application context,
fine-grained access control, or virtual private database to implement security policies.
Chapter 15, "Implementing Application Context and Fine-Grained Access Control"
This chapter provides several examples of applications developed using application
context, fine-grained access control, and virtual private database. It includes code
examples and their corresponding explanations.
Chapter 16, "Preserving User Identity in Multitiered Environments"
This chapter discusses developing secure multiple tier applications.
Chapter 17, "Developing Applications Using Data Encryption"
This chapter discusses how you can use data encryption to develop secure
applications, and the strengths and weaknesses of using this feature.
Part IV, "Appendixes"
Part IV contains two appendixes. The first appendix discusses new changes to the
CONNECT role. The second appendix discusses the DBMS_SQLHASH package,
which is used to verify data integrity.
Appendix A, "Addressing The CONNECT Role Change"
This appendix discusses the consequences of the fact that all privileges have been
removed from the CONNECT role except the CREATE SESSION privilege.
Appendix B, "Verifying Data Integrity with DBMS_SQLHASH"
This appendix discusses the DBMS_SQLHASH package that can be used to verify data
integrity.
Glossary
Related Documentation
For more information, see these Oracle resources:
■ Oracle Database Concepts
■ Oracle Database Administrator's Guide
■ Oracle Data Warehousing Guide
■ Oracle Streams Advanced Queuing Java API Reference
■ Oracle Streams Advanced Queuing User's Guide and Reference
Many of the examples in this book use the sample schemas of the seed database, which
is installed by default when you install Oracle. Refer to Oracle Database Sample Schemas
for information on how these schemas were created and how you can use them
yourself.
Oracle Store
Printed documentation is available for sale in the Oracle Store at
Oracle Technology Network (OTN)
You can download free release notes, installation documentation, updated versions of
this guide, white papers, or other collateral from the Oracle Technology Network
(OTN). Visit
For security-specific information on OTN, visit
For the latest version of the Oracle documentation, including this guide, visit
Oracle Documentation Search Engine
To access the database documentation search engine directly, visit
My Oracle Support
You can find information about security patches, certifications, and the support
knowledge base by visiting My Oracle Support (formerly OracleMetaLink) at
Conventions
The following text conventions are used in this document:
Convention   Meaning
boldface     Boldface type indicates graphical user interface elements associated
             with an action, or terms defined in text or the glossary.
italic       Italic type indicates book titles, emphasis, or placeholder variables for
             which you supply particular values.
monospace    Monospace type indicates commands within a paragraph, URLs, code
             in examples, text that appears on the screen, or text that you enter.