Cloud Documentation
Advanced Search

Using Oracle Database Cloud Service (Database Schema)
Close Window

Table of Contents

Show All | Collapse

1 Getting Started with Oracle Database Cloud Service (Database Schema)


This section provides a brief overview of Oracle Database Cloud Service (Database Schema), its key concepts, and an overview of developing applications for the service. To learn more about the Oracle Cloud, see Getting Started with Oracle Cloud.

See Oracle Cloud Terminology in Getting Started with Oracle Cloud for definitions of terms found in this and other documents in the Oracle Cloud library.

About Oracle Database Cloud Service (Database Schema)

Oracle Database Cloud Service (Database Schema) is a schema service that provides a multi-tenant cloud environment for using the Oracle Database. It is not to be confused with the Oracle Database 12c Multitenant option which supports Pluggable Databases.

Database Schema Service is built on Oracle Database technology, running on the Oracle Exadata Database Machine.

Database Schema Service has four main components:

Database Schema Service delivers the following advantages:

  • You can access your Database Schema Service from any supported browser on any platform.

  • Your Database Schema Service comes in several sizes, based on a simple storage and transfer metrics.

  • Your Database Schema Service has a simple monthly subscription cost, which includes all standard maintenance operations and Oracle Support. The service also provides a pre-paid subscription and a pay as you go subscription.

  • You can provision a complete Database Schema Service environment in a few minutes and immediately start to be productive. A Database Schema Service includes simple administrative tools that allow you to monitor usage, and add and drop user access. The Oracle Store enables you to modify your subscription package with a simple interface.

  • Your Database Schema Service includes a wide variety of tools and utilities, including development wizards and flexible interactive reporting. Most importantly, a Database Schema Service offers rapid application development and instant deployment, which allows developers and users to work together in real time to create optimal solutions for business needs.

Understanding Key Components


Oracle Database Cloud Service (Database Schema) is composed of several components which provide functionality and benefits.

About Oracle Database

The Oracle Database has been the standard for enterprise databases for more than two decades. With Oracle Database Cloud Service (Database Schema), you get the full power of this legendary platform. You can use the same SQL for data interaction that is used for hundreds of thousands of enterprise applications. You can use PL/SQL, the procedural extensions for the Oracle Database. All the optimizations and data structures which make the Oracle Database so robust are available in your Database Cloud Service.

The Oracle Java Cloud Service - SaaS Extension uses Database Schema Service for all data operations. This support enables you to deploy Java applications with the Java Cloud Service with the enterprise-strength of the Oracle Database.

Database Schema Service uses schema isolation to implement multi-tenancy, which allows full transparency while still providing efficient use of database resources. The Oracle Database is, at its core, a multiuser system for sharing data, so Database Schema Service simply uses the capabilities built up for the Oracle Database to share resources among multiple Database Schema Service customers.

About Oracle Exadata

Oracle Database Cloud Service (Database Schema) runs on Oracle Exadata hardware - the most advanced database platform in the world today. Oracle Exadata uses a variety of techniques and technology to dramatically improve the operation of the most time-consuming database operations. You get all the benefits of Oracle Exadata with your Database Schema Service.

About Oracle Application Express

Oracle Application Express is a robust rapid application development system that is included with the Oracle Database. Oracle Application Express gives developers the ability to create applications in minutes. Once development is complete, the applications are instantly available, allowing for a process of interactive development where developers work with users to quickly create and refine applications to achieve business goals.

The process of application creation with Oracle Application Express can take advantage of a wealth of wizards, which simplify and accelerate development. You can also extend Oracle Application Express applications to meet your specific business needs with PL/SQL, so the range of functionality you can implement is virtually unlimited.

These features mean that Oracle Application Express provides both extremely high levels of productivity for creating standard applications and the ability to create sophisticated mission critical applications.

Oracle Application Express includes a range of user productivity features, such as interactive reports, which let business users shape the analysis and presentation of their data without having to involve development or IT staff. End users can also created Websheets, which act like data-driven wikis, giving them full control of their business applications.

Oracle Application Express also includes capabilities for managing your data structures, and also functionality to help teams of developers manage their projects and communications.

Applications delivered through the Oracle Cloud can be accessed from a wide variety of client platforms, including Windows, Apple or mobile devices.

Oracle Application Express and your Oracle Application Express applications are built on technology that resides within an Oracle Database, so all your applications can be easily run on any Oracle platform - from Database Schema Service to your in-house data center to Oracle Database XE on your laptop.

About RESTful Web Services

RESTful Web services are services which adhere to an architecture which implements interactions with data sources with the use of URIs. RESTful Web services are one of the standard methods for accessing data in the Cloud.

Oracle Database Cloud Service (Database Schema) includes the ability to use RESTful Web services to access data in your Oracle Database. Database Schema Service includes a RESTful Web service wizard, which makes it easy for you to create services which implement any SQL statement or PL/SQL procedure to supply data to applications.

The RESTful Web service wizard lets you define a few attributes for a service and then use the full power of SQL and PL/SQL to perform database operations. By default, the wizard returns data in JSON format, although you can use PL/SQL to format data in any way. In addition, the wizard gives you the option of some more complex formats, such as the ability to return data from a result set with embedded links to a more detailed view of the data in the complete row, without any additional coding.

The support of RESTful Web services in Database Schema Service makes it easy to use the data in your Oracle Database in virtually any development tool, including dynamic languages.

About Packaged and Sample Applications

Oracle Database Cloud Service (Database Schema) includes a set of business productivity applications and sample code which can be installed with just a few clicks. Sample code is reference implementations of simple applications that can be installed and extended by a developer. Packaged applications and sample code are full production versions designed to provide real functionality, such as project management, shared calendars and shared checklist management.

All of these applications share the same privilege levels of administrator, contributor and reader, which grant differential access to functionality and features. All of these applications and samples can be installed or removed through the same administrative interface.

About Tools and Utilities

Oracle Database Cloud Service (Database Schema) includes a variety of tools and utilities which make it easy for you to use the environment. It includes browser-based tools for monitoring and modifying all your services from a central management page. You can create users across all your services with a simplified interface to Oracle's Identity Management solution. You can even upgrade your service from this environment for more storage and data transfer with a few clicks.

Each individual service also has a browser-based management console to provide a more detailed look at resource utilization and to install or remove business applications with a few simple clicks. The Oracle Application Express environment contains a set of administration applications which let administrators shape and monitor the environment. You can assign administrative responsibility for one or more services to an individual, giving you complete delegation capabilities to match your organization.

Database Schema Service includes Application Express SQL Workshop to manage the underlying Oracle Database and its structures. SQL Workshop is a browser-based component of the Oracle Application Express environment which gives you the ability to browse and manage all of your Oracle objects, run SQL or PL/SQL code, run scripts and even build queries through a graphical interface.

Security and Oracle Database Cloud Service (Database Schema)


One of the key concerns for organizations as they move to a shared resource model on the Cloud is insuring the security of their data. Oracle Database Cloud Service (Database Schema), like the Oracle Database that is the foundation of the Database Cloud, has been created from the beginning with the utmost concern for security.

This section reviews several aspects of security and the Oracle Cloud:

  • The basic architecture of the security domains used with Oracle Cloud

  • Security measures that apply to the overall service

  • Security measures that apply to an individual Database Schema Service

  • Application security options

  • Security options for RESTful Web Services that access Database Schema Service

Security Architecture


The Oracle Cloud uses a security architecture that includes different security domains and administrative and use privileges within a particular Database Schema Service.

Security Domains

There are several different security domains used with the overall implementation of the Database Schema Service.

  • Accounts

  • Identity Domain

  • Oracle Database Cloud Service (Database Schema)


Each and every Database Schema Service is owned by an account. An account is the top level in the security hierarchy. The individual who initially sets up an Account is known as the Buyer. A Buyer is automatically an Account Administrator as an Account Administrator can assign themselves privileges at the Identity Domain and Service level.

When you initially sign up for an Database Schema Service, you must have an user account. After you initially sign up for a service, you can grant the Account Administrator privilege to any other users. Any Account Administrator can remove the Account Administrator privilege from any other Account Administrator.

Account Administrators can see all services, PaaS or SaaS services, associated with an account.

Identity Domain

An Identity Domain is a pool of users. An account can have one or more Identity Domains, but each Domain is separate and distinct. You must define an Identity Domain when you initially request an account, and the requester is given a username within the Identity Domain.

Identity Domain membership and privileges are defined on the Security page in My Services.

Members of an Identity Domain can have security roles for one or more of the Cloud Services associated with the Identity Domain. These roles described in more detail below.

Identity Domain Administrators can see all Database Schema Service associated with the Identity Domain, and can assign and remove all security roles associated with these Database Schema Services, including the Administrator role for any of the Services.

Oracle Database Cloud Service (Database Schema)

An Database Schema Service is an individual service within the Oracle Cloud. Data within an individual Database Schema Service is completely separated from data in all other services in the Oracle Cloud, as described in more detail below.

Database Schema Service administrators can define users for the services that they administer. Database Schema Service users can be defined on the Security page in My Services or within the Administration area of the development platform for the service itself. If a user is defined on the Security page in My Services, they must use this page to manage their profile; if a user is defined through the Administration area of the development platform, they must manage their profile through that platform. Administrators and developers for an Database Schema Service must be defined on the Security page in My Services and given the appropriate security role.

Security Roles

There is an Administrator role at the Account, Identity Domain and Service levels. Administrators can grant this role at their level to other defined users.

There are three roles for each Oracle Database Cloud Service (Database Schema):

  • Service Administrator, who can create, modify and delete Database Schema Service users and their privileges, both on the Security page in My Services and the Administration area of the Database Schema Service development platform.

  • Developers, who can use the development platform within an Database Schema Service to create applications, but who cannot create, modify or delete users for that service.

  • End users, who can run applications within a Database Schema Service.

When an Database Schema Service is added to an Identity Domain, three individual roles which map to these levels are created within the Identity Domain. The Account Administrator and Identity Domain Administrator are automatically given the Service Administrator role for the initial Database Schema Service, but all other roles have to be explicitly assigned on the Security page in My Services.

Managing Users and Roles

All users and roles defined as part of the Cloud Identity Domain are administered on the Security page in My Services. On this page, an Identity Domain or Service administrator is allowed to add, delete and modify users, or to create, delete, assign or delete roles.

Identity Domain Administrators are allowed to access all users defined within their Identity Domain and their roles. Service Administrators only have access to the users defined for their Service, and users of a service can only modify their own user profile and reset their account password.

For more details, refer to Managing Users and Roles in Getting Started with Oracle Cloud.

Oracle Cloud Security Measures

All security is based on well-thought out and implemented practices and procedures. The Oracle Cloud is implemented with rigorous security practices and procedures based on decades of experience.

The security processes used for the overall Oracle Cloud include secure access to data centers, annual security audits by third parties to insure regulatory security compliance and full auditing of the entire Cloud stack on a quarterly basis.

All data stored in the Oracle Cloud benefits from the use of Transparent Data Encryption. Transparent Data Encryption encrypts data stored on disk and in backups, protecting against unauthorized direct file access. The encryption and decryption of your data is handled automatically by the Oracle Database, so you do not have to add programmatic steps to use this powerful security feature.

The Oracle Cloud has to be protected against the introduction of malicious code which could harm all users. To enforce this level of protection while still allowing users to load data into their Oracle Database Cloud Service (Database Schema), data loads are sent to a Secure FTP server, where they are scanned for viruses before the data in the files is loaded into the Database Schema Service using your database account information. With this approach, malicious data can never be loaded in such a way that it affects other accounts or breaches the security isolation. This two step process also automatically compresses the actual data to be loaded, reducing the time needed to upload data to the Oracle Cloud.

Oracle Database Cloud Service (Database Schema) Security Measures

Oracle Database Cloud Service (Database Schema) is built on a multi-tenant architecture, with database schemas providing the boundaries of tenant isolation. Schemas have been used in the Oracle Database as a method of separating data for decades. To enforce and protect the absolute security of tenants of a Database Schema Service, some standard Oracle features have been locked down.

For instance, access to any data dictionary view which allows a tenant to see the existence of other schemas has been prohibited. In addition, some SQL syntax is not allowed, such as GRANT or REVOKE, since accessing objects between one schema to another schema owner uses these options.

For a detailed list of syntax, objects and operations disallowed in Database Schema Service, see Oracle Database Cloud Service (Database Schema)Features and Implementation Considerations.

Application Security Options

Your Oracle Database Cloud Service (Database Schema) includes Application Express, which you can use to develop and deploy HTML-based applications through a declarative process. Application Express has been in production since 2004, with hundreds of thousands of enterprise applications deployed throughout the world. There are many features of Application Express that help you to develop secure applications in your Database Schema Service.

Application Express supports several authentication schemes used to insure that a particular user is properly identified. Application Express gives developers the ability to use authorization schemes, which are ways of allowing access to specific pages, regions within pages or items within regions, based on user identity. As a developer, you always have access to the identity of a user, so you can implement procedural limitations based on user identity.

Although Application Express includes robust monitoring tools, you can add in procedural logic to log application and session specific information for further security analysis.

Application Express includes protection against cross-site scripting attacks by providing a way to reference values that automatically escapes special characters, which will not allow any type of script to be included in pages returned to users through Database Schema Service applications.

In addition, Application Express gives you the option to automatically protect navigational URLs from being maliciously modified. This option, referred to as Session State Protection, generates checksums which are included with any parameters passed as part of a URL to retrieve a page in an application. In addition, you can prevent a page from ever being accessed by a URL, only allowing access as the destination of a navigation link or branch from another page within the application.

Application Express also includes reports which allow you to rapidly see the security options in force for a particular application, and also to monitor usage of applications and individual pages in applications.

RESTful Web Service Security Options


Application Express also includes reports which allow you to rapidly see the security options in force for a particular application, and also to monitor usage of applications and individual pages in applications.

You can also specify security on a RESTful Web Service in several ways. These ways are different from the traditional method of using schema users to implement security. An Oracle Database Cloud Service (Database Schema) is based on a single schema, and all RESTful Web Services which access data in this schema are executed by the user who owns the schema. Without any specific security implementations on a RESTful Web Service, the services will return all data that satisfies an SQL statement or is collected by a PL/SQL block.

There are three ways you can add security to your RESTful Web Services:

  • Based on the application using the RESTful Web Service

  • Based on the identity of the user calling the RESTful Web Service

  • Based on logic implemented in the RESTful Web Service call itself


RESTful Services support two types of authentication.

First party authentication is accomplished by the first-party authority, in this case the Application Express security system.

Third party authentication is accomplished by a third party authority, so the application requesting the authentication does not actually know the identity of the user.

Once a user is authenticated through either of these methods, you can limit authorization based on the identity of the user.

OAUTH2 Authentication

RESTful Web Services use the OAUTH2 model of authentication, as shown in the diagram below.

Description of restful.gif follows
Description of the illustration restful.gif

OAUTH2 authentication is one of the standard authentication flows used on the Internet. To understand how to implement application-based or user-based authentication, you need to understand how the OAUTH authentication process flow works.

OAUTH authentication requires two different tokens - a request token, which allows a client to request authorization, and an access token, which grants access to a specific user.

To limit access based on the application, you can grant access to the RESTful Web Services once authentication is complete. You can also use the username for specific authentication.

Logic-based Access

The method of implementing security described above grants access to one or more specific RESTful Web Services calls, similar to allowing a connection to a database. In traditional database security, access is granted based on the identity of the database user making the request. Since all RESTful Web Services in a specific Database Schema Service are executed by the same database user, this option is not available for these Services. In recognition of this architecture, the SQL command GRANT is not supported in a Database Schema Service.

However, this does not mean that you cannot limit access to data based on user identity. The identity of a user is established through the Database Schema Service authentication process, and this identity is available to developers as the :current_user bind variable, kept securely in the header of all RESTful Web Service requests.

You can use this value as part of a standard WHERE clause, which, for instance, could be used to limit the rows returned from a query to those for the same department as the current user. You could also use this value in more complex logic in either SQL or PL/SQL.

Oracle Database Cloud Service (Database Schema) Users

In addition to the roles and privileges described in Managing Users and Roles in Getting Started with Oracle Cloud, there are the following Database Schema Service roles used to access, develop and administer Application Express applications:

  • End Users. End users of an Oracle Application Express application managed by the Security page in My Services or Application Express authentication. Users that have been granted permission to access an Oracle Application Express application.

  • Developers. Developers of Oracle Application Express applications. Developers have access to the Application Builder and the SQL Workshop.

  • Workspace Administrators. Administrators given access to all Oracle Application Express application components. Additionally, they can manage application user accounts, groups and development services that use Oracle Application Express authorization.

About Developing Applications

Developing applications for a Oracle Database Cloud Service (Database Schema) is done with Oracle Application Express. Using Oracle Application Express you can perform the following:

To learn more, see Developing Applications for Oracle Database Cloud Service (Database Schema).

Accessing an Oracle Database Cloud Service (Database Schema)

To access a Database Schema Service, you need to go to the service URL for that service. The service URL is provided on the Service Detail page of the Cloud and in the Welcome email received during the service activation process.

Accessing the Service URL from the Service Detail Page

To find a service URL on the Detail Service page and access the service:

  1. From the Oracle Cloud home page, click Sign In.

    The Sign In page appears.

  2. Under My Services, select the data center and click Sign In to My Services.

  3. If not already signed in, the Sign in dialog displays. Enter your Database Schema Service credentials and click Sign In.

    The My Services page appears.

  4. Click the name of the Database Schema Service.

    The Service Detail page displays.

  5. Click the Open Service Console button or the Service Instance URL link.

    The Oracle Application Express home page displays.

    Description of apex_home.gif follows
    Description of the illustration apex_home.gif

Accessing the Service URL from the Welcome Email

To find a service URL in the Welcome email and access the service:

  1. Locate the Welcome to Oracle Cloud email received during service activation.

  2. Click the My Services URL.

    The My Services page displays.

  3. Click the name of the Database Schema Service.

    The Service Detail page displays.

  4. Click the Open Service Console button or the Service Instance URL link.

    The Oracle Application Express home page displays.

    Description of apex_home.gif follows
    Description of the illustration apex_home.gif