The Oracle Database Cloud is a multi-tenant environment, based on schema isolation. To ensure the security of each tenant's data, as well as the overall performance integrity of the entire Oracle Database Cloud environment, some aspects of the Oracle Database, Enterprise Edition, have to be curtailed or completely eliminated.
The limitations required to protect security and performance integrity are detailed in this section. None of the limitations listed in this section were put in place as an attempt to limit the functionality of the Oracle Database Cloud. Virtually all standard SQL and PL/SQL syntax and constructs used with the Oracle Database work in the Oracle Database Cloud.
A Database Cloud Service is an individual Service within the Oracle Database Cloud. Data within an individual Database Cloud Service is completely separated from data in all other Services in the Oracle Database Cloud, as described in more detail below.
Database Cloud Service administrators can define users for the Services that they administer. Database Cloud Service users can be defined with the Cloud Identity Manager or within the Administration area of the development platform for the Database Cloud Service itself. If a user is defined with the Cloud Identity Manager, they must use the same tool to manage their profile; if a user is defined through the Administration area of the development platform, they must manage their profile through that platform. Administrators and developers for a Database Cloud Service must be defined with the Cloud Identity Manager and given the appropriate security role, as described below.
This section outlines the Oracle Database Cloud Service specifications.
The current version of the Oracle Database Cloud Service is based on Oracle Database 11g Release 2, Enterprise Edition with each quarterly security patch set applied. The only option included in the Oracle Database Cloud Service is the Partitioning Option.
The following features and components are not part of the current version of the Oracle Database Cloud Service:
Oracle Database Extensions for .NET
Oracle Database Vault
Oracle Java VM
Oracle Label Security
Oracle Warehouse Builder
The following schemas and data are not accessible in the Oracle Database Cloud:
Local Enterprise Manager repository
Oracle Data Mining RDBMS APIs for file access
The following sections describe various SQL syntax in the Oracle Database Cloud Service.
CREATE statements have a broad range of syntax and options. The appendices for this paper list all allowed statements, but this list includes the most common allowed CREATE statements in an Oracle Database Cloud Service:
The following SQL statements cannot be used in an Oracle Database Cloud Service:
CREATE JOB (Background jobs can be created through the CLOUD_SCHEDULER package)
CREATE MATERIALIZED VIEW
CREATE DATABASE LINK
Some ALTER SESSION options, although most session level changes for NLS or character sets are still allowed
Additionally, parallel operations are not supported on the Oracle Database Cloud, so any SQL DDL clauses that allow for parallel operations are not supported.
Oracle Database 11g Release 2 includes many PL/SQL packages to deliver extended functionality. The following sections list the PL/SQL packages that are part of the Oracle Database Cloud Service and some prominent packages which are not included.
The following PL/SQL packages and types are included in the Oracle Database Cloud Service:
All DBMS_XML% packages and types
All DBMS_XQUERY% packages and types
All ODCI% packages and types
All OWA% packages and types
All UTL_NLA% packages and types
All XQ% packages and types
All packages not listed here are not available in the Oracle Database Cloud Service.
By default, all Application Express applications and RESTful Web Services execute with the privileges of the schema owner. You can create users within the Application Express environment and use authentication schemes to limit access to application objects at all levels in your application through Application Express.
You cannot use a GRANT command to assign access to another user, since other schema owners are not allowed to access your schema objects in the schema-isolation multi-tenant environment of the Oracle Database Cloud.
You can also assign security across multiple dimensions, including origin, application and users, for any RESTful Web Services. Please refer to the white paper on Oracle Database Cloud security for more details on these topics.
The following limitations apply to DDL (Data Definition Language) syntax:
You cannot use any PARALLEL syntax in defining tables.
You cannot use quoted identifiers with special characters.
You cannot define BFILEs or external LOBs.
You cannot use external tables.
You cannot specify any caching for database objects.
By default, you can use all Oracle SQL syntax for SQL statements used against your Oracle Database Cloud Service. The following limitations apply to SQL queries:
No PARALLEL hints allowed
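Before moving a schema script into a Database Cloud Service, it can be screened for the statements and DDL/SQL clauses listed above as unavailable. The following is an added example, not Oracle code: the rule patterns, the definition of a "special character" in a quoted identifier, and the sample script are assumptions made for illustration.

```python
import re

# Lexer: optimizer hints are kept (PARALLEL can hide there); comments and
# string literals are blanked so keywords inside them are not reported.
TOKEN = re.compile(r"""
    (?P<hint>/\*\+.*?\*/)
  | (?P<comment>/\*.*?\*/|--[^\n]*)
  | (?P<string>'(?:[^']|'')*')
  | (?P<qident>"[^"]*")
""", re.S | re.X)

# Constructs the page lists as unavailable. The regexes are this example's
# approximation of each rule, not Oracle's own parser.
RULES = [
    ("CREATE JOB", r"\bCREATE\s+JOB\b"),
    ("CREATE MATERIALIZED VIEW", r"\bCREATE\s+MATERIALIZED\s+VIEW\b"),
    ("CREATE DATABASE LINK", r"\bCREATE\s+(?:PUBLIC\s+)?DATABASE\s+LINK\b"),
    ("PARALLEL clause or hint", r"\bPARALLEL\b"),
    ("BFILE / external LOB", r"\bBFILE\b"),
    ("external table", r"\bORGANIZATION\s+EXTERNAL\b"),
]

def lint(sql):
    """Return sorted (line, rule) findings for a SQL script."""
    findings = []

    def mask(m):
        text = m.group(0)
        if m.lastgroup == "hint":
            return text
        # Assumption: "special" means anything outside letters, digits, _ $ #.
        if m.lastgroup == "qident" and re.search(r"[^A-Za-z0-9_$#]", text[1:-1]):
            line = sql.count("\n", 0, m.start()) + 1
            findings.append((line, "quoted identifier with special characters"))
        return re.sub(r"[^\n]", " ", text)  # blank out, keep line numbers

    masked = TOKEN.sub(mask, sql)
    for label, pattern in RULES:
        for m in re.finditer(pattern, masked, re.I):
            findings.append((masked.count("\n", 0, m.start()) + 1, label))
    return sorted(findings)

# Constructed sample script, not from the page.
SAMPLE = """\
CREATE TABLE orders (id NUMBER, note VARCHAR2(40) DEFAULT 'run in PARALLEL');
-- CREATE DATABASE LINK is only mentioned in this comment
CREATE MATERIALIZED VIEW mv_orders AS SELECT * FROM orders;
SELECT /*+ PARALLEL(o, 4) */ COUNT(*) FROM orders o;
CREATE TABLE "order-items" (doc BFILE);
CREATE DATABASE LINK remote_db USING 'remote_tns';
"""

if __name__ == "__main__":
    for line, rule in lint(SAMPLE):
        print(f"line {line}: {rule}")
```

Keywords that appear only inside ordinary comments or string literals are not reported; a PARALLEL inside an optimizer hint is.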
The core of the Oracle Database Cloud development environment is Application Express, which is also a no-cost option for all versions of the Oracle Database since Oracle Database 10g Release 2. There are three areas of functionality which are limited when used for applications within the Oracle Database Cloud environment:
Background Jobs - An Oracle Database Cloud Service will be able to submit jobs, but is limited to a maximum of 10 defined jobs and 5 jobs running or scheduled at any one time. Jobs will be subject to resource limitations imposed by Database Resource Manager, similar to the way overall resources are limited and described below. These limits and conditions will be implemented through a PL/SQL package called CLOUD_SCHEDULER.
E-mails - An Oracle Database Cloud Service will be limited to 5,000 emails in a 24-hour period.
Outbound Web Service calls - An Oracle Database Cloud Service application can make outbound Web Service calls through the APEX_WEB_SERVICE PL/SQL package. These calls can only use HTTPS or SSL and will use a proxy server from within the Oracle Database Cloud.
Access to standard data dictionary objects in the Oracle Database is limited, since the security requirements of schema isolation prevent any user from seeing or knowing the existence of other schemas.
The following data dictionary views and synonyms are accessible from an Oracle Database Cloud Service:
All USER_% views
You can also view schema objects in both SQL Developer and the SQL section of the Application Express development environment.
The Oracle Database excels at managing shared resources among thousands of database users. The Oracle Database Cloud Service uses this proven ability to distribute machine resources among tenants.
The Oracle Database Cloud uses Database Resource Manager consumer groups to prevent any tenant from impacting the performance of other tenants. All tenant operations are initially placed in a consumer group with maximum access to resources. If a user exceeds the resource limitations of this initial consumer group, their user process is pushed to a lower priority user group, with a much longer limit on resource consumption, but a lower priority. If a user process exceeds this limit, they are pushed to a lower priority group with a much higher resource limit.
If a user process should exceed this last limit, the process may be terminated. Please be aware that this lowest consumer group allows for the consumption of up to 30 seconds of dedicated CPU time, a threshold which is normally only crossed by runaway processes.