Applied Oracle Security
Recommend Testing
  Oracle BI Tests
  BI Publisher Tests
  Oracle Delivers Tests
Sample Web Catalog Description
  SH Dashboard
  Utilities Dashboard
  Other Dashboards
Sample RPD Descriptions
  Common to All RPDs
  Internal Authentication
  Internal Authentication with Act as Proxy Enabled
  Column-based Security
  Table-based Authentication
  Database Authentication
  LDAP Authentication
  SSO Integration
Summary
Index
Foreword
Oracle’s business is information: managing it, making it useful, and securing 
it. As Oracle’s Chief Architect, I have always had to ensure that our 
technologies not only provide business value but also do so in a robust 
manner. Security is a topic that comes up in practically every Customer 
Executive Visit and it’s no wonder why. Today, security, privacy, and 
governance are top issues for everyone. These are no longer “nice to have” issues but 
rather “must have” requirements. As such, people are looking for ways to ensure they 
have done what they need to do to meet these strenuous requirements.
This book provides the architectural and design scenarios as well as code to help Oracle 
customers to create and lock down their information security systems. What’s most impressive 
about the book is that it is written by the hands-on experts in Oracle. The authors are the 
top engineers working with customers every day to bring together security solutions. Many 
of Oracle’s products and technologies have been born directly from the customer 
experiences of these very authors.
You will undoubtedly find useful and insightful information in this book. I encourage 
you to read it cover-to-cover, bookmark items of interest, and most importantly, implement 
the suggestions presented herein.
—Edward Screven, Chief Corporate Architect
Oracle Corporation
Acknowledgments
I would like to thank the collective team of authors who produced this book. 
The knowledge they possess in their areas of specialty cannot be surpassed. 
While I could have written an update on Oracle security, I believe this book 
is truly the culmination of best practices, topics, ideas, and suggestions from 
the world’s best on the topic of security as it relates to Oracle technologies. 
I recognize that saying “I am writing a book” and actually writing a book are two vastly 
different things, and I appreciate the team hanging in until the end and getting the content 
not only written, but also written very well. Thank you Richard, Pat, Scott, Hamza, Tyler, 
and Bryan for your hard, hard work and perseverance.
I would also like to thank my peers and management within Oracle. As writing books is 
not why I was hired, I appreciate their support and encouragement to allow me to capture 
the knowledge so it can be used by the entire Oracle community. Mark Tatum and Glen 
Dodson have been especially supportive, and without Edward Screven’s support, the book 
could not have been produced. I would also like to thank my teammates—Ed Montes, Fred 
Justice, Joe Mazzafro, and Mark Lunny—for tolerating me during the production time for 
this book. I would also like to acknowledge Vipin Samar and Paul Needham’s team for 
their constant support over the years. Tammy Bednar in particular played a key role in 
the production of this book.
Lastly, I would like to thank my wife, Sandy, and the Knox boys. Sandy, you once again 
gave me the time and space to do something I said I would never do again (write a book!). 
I recognize your sacrifice and know that I could not have done it without your support. For 
the Knox boys, it gave me great pains to tell you that I could not play with you while writing 
this book. I hope you understand that sometimes daddy has to work but that you are truly 
the most important thing to me. I love you very much. Now, let’s go play! You hide and I’ll 
count. 1-2-3… Ready or not!
—David Knox
Patrick Sack would like to thank Glen Dodson and Ray Prescott for providing an innovative 
environment, where ideas can materialize, as well as a culture that drives these ideas into 
solutions that create business value. Thanks Glen and Ray.
Scott Gaetjen would like to recognize that Patrick Sack’s strategic vision of what database 
security should be and his keen awareness of customer security requirements are the primary 
reasons Database Vault exists today. I want to thank Pat for extending the invitation to work with 
him on Database Vault and for challenging me every day to reach a higher level of assurance in 
all that I do.
Patrick Sack would like to offer a special thanks to Scott Gaetjen and William (Bill) Maroulis 
for their diligence, positive attitude, and professionalism. Scott and William have developed some 
key solutions around Database Vault concepts that inspired many examples and concepts presented 
in this book. Special thanks to Scott and Bill.
We would also like to acknowledge the following people for inspiring the idea, clearing the 
way, or getting the job done to make Database Vault a product: Glen Dodson, Raymond Prescott, 
Jay Gladney, Jon Bakke, Wendy Delmolino, David Knox, Rusty Austin, Gail Wright, Jack Brinson, 
Chi Ching Chui (and his team!), Chon Lei, Ben Chang, Vipin Samar, Paul Needham, Daniel Wong, 
Kamal Tbeileh, Aravind Yalamanchi, Timothy Chorma, Frank Lee, Nina Lewis, Maria Chen, Cindy 
Li, Matthew Mckerley, Xiaofang Wang, Martin Widjaja, Sumit Jeloka, Patricia Huey, Ernest Chen, 
James Spiller, Tom Best, Duncan Harris, Howard Smith, Andy Webber, and Jeff Schaumuller.
We would like to recognize the sales and consulting teams of the Oracle National Security 
Group (NSG) and the Oracle Database Security development teams. These Oracle groups work 
together to deliver the industry’s best security products and solutions to some of the most 
demanding customers in the information technology field.
—Patrick Sack and Scott Gaetjen
I want to acknowledge all my peer writers for all their hard work and dedication in making 
this book happen. I would especially like to thank David Knox for his mentorship and friendship 
at Oracle. I would also like to thank Richard Wark, Pat Davies, Al Kiessel, Matt Piermarini, and 
Colin Nurse for their help and valuable support in many forms, including long, tasty lunches. 
Finally, I would like to thank my two older siblings, Javed and Tabassum, for being a constant 
force in my life to reach for bigger and better things. I am very grateful for their love, guidance, 
and friendship.
—Hamza Jahangir
I would like to thank David Knox and Scott Spadafore for their leadership in the Oracle Security 
community. Their work has directly influenced the security awareness of Oracle professionals, both 
inside and outside of Oracle, and consequently countless applications and products. I would like 
to express appreciation to Tim Ryan, Ken Currie, and Peter Doolan for fostering an environment 
of creativity and innovation. I would also like to thank members of the Application Express 
development team including Mike Hichwa and Joel Kallman, whose pragmatic philosophy, 
emphasis on performance, and strong work ethic provided an ideal environment for me to hone 
my skills. I would especially like to thank Tom Kyte for his years of mentoring, encouragement, 
and lessons in critical thinking. These individuals are some of the best and brightest in the industry 
and were a major influence in my professional development.
—Tyler Muth
I would like to thank Peter Wahl, product manager for Advanced Security, for his time, 
friendship, and contributions to the transparent data encryption chapter. For their help, I would 
like to acknowledge David Knox, Tammy Bednar, Al Kiessel, Hamza Jahangir, Matt Piermarini, 
Pat Davies, Tom Kyte, and others who have corrected, educated, and debated the finer points of 
electronic security along the way.
I would like to thank my Mum, family, friends, and co-workers for their support, encouragement, 
love, and friendship—I am indebted to you all. Special thanks to Melanie Valdez for her editing 
assistance and to Bridget, Jeff, Brice, Guy, and Joel for helping me blow off steam along the way.
—Richard Wark
Most importantly, I would like to thank Jennifer, my wife, for all of her wonderful support and 
for the long nights and weekends where she ended up managing the family solo while I typed 
away. Jennifer was also a tremendous help in developing my illustrations. I would like to thank 
Alysia, Samantha, and Matthew for putting up with “Dad being in the workshop.”
The technical editors, Ben Ault, Robert Lindsley, and Derrick Cameron, have been incredibly 
helpful, and I owe them a great deal of gratitude. They provided excellent feedback on the material 
and examples. In addition to his technical feedback, Derrick also did some of the earliest work in 
integrating Oracle BI with Oracle Database security. This whole process would have been much 
harder without his work. The rest of my team here at Oracle have also been very helpful. They 
provided an excellent sounding board and helped me better understand the material presented. 
In particular, Jerry Conrad provided a great deal of feedback on the initial development of the 
concepts I presented.
I would also like to thank Michael Yeganeh, Ken Currie, and Peter Doolan for the opportunities 
they have provided at Oracle over the years. Their encouragement to innovate and integrate as part 
of my daily job has helped shape both me as a person and the content of this book. I deeply 
appreciate their support on this project.
Finally, I would like to thank David Knox for inviting me to work on this project and work 
with this amazing group of people. I also want to thank him for all that he added to the material 
I contributed to this book. I often learned more from the feedback he provided than I did from 
researching or writing the subject.
—Bryan Wise
PART I
Oracle Database Security New Features
CHAPTER 1
Security Blueprints and New Thinking