Oracle® Database Security Guide
12c Release 1 (12.1)

E48135-09

Index


Numerics

12C verifier
about, 3.2.7.1
recommended by Oracle, 3.2.7.1

A

access control
encryption, problems not solved by, 12.1.1
enforcing, A.9.1
object privileges, 4.9.1
password encryption, 3.2.1
access control list (ACL)
examples
external network connection for email alert, 22.4.7.1
external network connections, 6.7
wallet access, 6.7
external network services
about, 6.2
advantages, 6.1
effect of upgrade from earlier release, 6.4
DBMS_NETWORK_ACL_ADMIN package, general process, 6.5.1
email alert for audit violation tutorial, 22.4.7.1
finding information about, 6.13
network hosts, using wildcards to specify, 6.8
ORA-06512 error, 6.12
ORA-24247 error, 6.12
ORA-24247 errors, 6.4
order of precedence, hosts, 6.9
port ranges, 6.10
privilege assignments, about, 6.11.1
privilege assignments, database administrators checking, 6.11.2
privilege assignments, users checking, 6.11.3
revoking privileges, 6.5.3
wallet access
about, 6.3
advantages, 6.3
client certificate credentials, using, 6.6.1
finding information about, 6.13
non-shared wallets, 6.6.1
password credentials, 6.6.1
password credentials, using, 6.6.1
revoking, 6.6.5
revoking access, 6.6.5
shared database session, 6.6.1
wallets with sensitive information, 6.6.1
wallets without sensitive information, 6.6.1
account locking
example, 3.2.4.5
explicit, 3.2.4.5
password management, 3.2.4.5
PASSWORD_LOCK_TIME profile parameter, 3.2.4.5
accounting, RADIUS, 19.3.4
activating checksumming and encryption, 13.4.2
ad hoc tools
database access, security problems of, 4.8.7.1
adapters, 15.4
ADM_PARALLEL_EXECUTE_TASK role
about, 4.8.2
ADMIN OPTION
about, 4.14.1.1
revoking privileges, 4.15.1
revoking roles, 4.15.1
roles, 4.8.5.2
system privileges, 4.5.4
administrative privileges
about, 4.4.1
granting to users, 4.4.2
SYSBACKUP privilege, 4.4.4
SYSDBA privilege, 4.4.3
SYSDG privilege, 4.4.5
SYSKM privilege, 4.4.6
SYSOPER privilege, 4.4.3
administrative user passwords
default, importance of changing, A.5
administrative users
auditing, 22.2.6
mandatorily audited, 23.1.2
administrator privileges
access, A.9.2
operating system authentication, 3.3.3
passwords, 3.3.4, A.5
SYSDBA and SYSOPER access, centrally controlling, 3.3.2.1
write, on listener.ora file, A.9.2
alerts, used in fine-grained audit policy, 22.4.7.1
"all permissions", A.3
ALTER ANY LIBRARY statement
security guidelines, A.3
ALTER privilege statement
SQL statements permitted, 8.9.2
ALTER PROCEDURE statement
used for compiling procedures, 4.12.4
ALTER PROFILE statement
password management, 3.2.4.1
ALTER RESOURCE COST statement, 2.4.4.3
ALTER ROLE statement
changing authorization method, 4.8.3.4
ALTER SESSION statement
schema, setting current, 8.8.1
ALTER USER privilege, 2.3.1
ALTER USER statement
default roles, 4.18.2
explicit account unlocking, 3.2.4.5
GRANT CONNECT THROUGH clause, 3.10.1.4
passwords, changing, 2.3.3
passwords, expiring, 3.2.4.8
profiles, changing, 3.2.4.8
REVOKE CONNECT THROUGH clause, 3.10.1.4
user profile, 3.2.4.1
altering users, 2.3.1
anonymous, 18.6.1.3
ANSI operations
Oracle Virtual Private Database effect on, 10.5.3
ANY system privilege
guidelines for security, A.6
application contexts
about, 9.1.1
as secure data cache, 9.1.4
benefits of using, 9.1.4
bind variables, 10.1.5
components, 9.1.2
DBMS_SESSION.SET_CONTEXT procedure, 9.3.3.6
driving context, 9.6
editions, effect on, 9.1.5
finding errors by checking trace files, 9.6
finding information about, 9.6
global application contexts
authenticating user for multiple applications, 9.4.4.5
creating, 9.4.3
logon trigger, creating, 9.3.4
Oracle Virtual Private Database, used with, 10.1.5
performance, 10.4.2.8
policy groups, used in, 10.3.5.1
returning predicate, 10.1.5
session information, retrieving, 9.3.3.2
support for database links, 9.3.6
types, 9.2
users, nondatabase connections, 9.4.1, 9.4.4.6
where values are stored, 9.1.3
See also client session-based application contexts, database session-based application contexts, global application contexts
application developers
CONNECT role change, A.12.3.2
application security
restricting wallet access to current application, 6.6.1
revoking access control privileges from Oracle wallets, 6.6.5
sharing wallet with other applications, 6.6.1
specifying attributes, 9.3.2
application users who are database users
Oracle Virtual Private Database, how it works with, 10.5.9
applications
about security policies for, 8.1
database users, 8.2.1
enhancing security with, 4.8.1.3
object privileges, 8.9.1
object privileges permitting SQL statements, 8.9.2
One Big Application User authentication
security considerations, 8.2.2
security risks of, 8.2.1
Oracle Virtual Private Database, how it works with, 10.5.4
password handling, guidelines, 8.3.1.2
password protection strategies, 8.3
privileges, managing, 8.5
roles
multiple, 4.8.1.4.1
privileges, associating with database roles, 8.7
security, 4.8.7, 8.2.2
security considerations for use, 8.2
security limitations, 10.5.4
security policies, 10.3.5.3
validating with security policies, 10.3.5.5
AQ_ADMINISTRATOR_ROLE role
about, 4.8.2
AQ_USER_ROLE role
about, 4.8.2
archiving
operating system audit files, 23.2.1
standard audit trail, 23.2.2
timestamping audit trail, 23.3.3.4
asynchronous authentication mode in RADIUS, 19.2.2
attacks
See security attacks
audit files
operating system audit trail
archiving, setting timestamp, 23.3.3.4
operating system file
archiving, 23.2.1
standard audit trail
archiving, setting timestamp, 23.3.3.4
records, archiving, 23.2.2
audit policies
See also unified audit policies
audit policies, application contexts
about, 22.2.11.1
appearance in audit trail, 22.2.11.5
configuring, 22.2.11.2
disabling, 22.2.11.3
examples, 22.2.11.4
audit trail
finding information about audit management, 23.4
finding information about usage, 22.5
unified
archiving, 23.2.2
AUDIT_ADMIN role, 4.8.2
AUDIT_VIEWER role, 4.8.2
auditing
administrators, Database Vault, 22.2.14.2
audit options, 22.1
audit trail, sensitive data in, A.11.1
CDBs, 21.9
committed data, A.11.3
cursors, effect on auditing, 23.1.3
database user names, 3.5
Database Vault administrators, 22.2.14.2
databases, when unavailable, 23.1.5
distributed databases and, 21.10
DV_ADMIN role user, 22.2.14.2
DV_OWNER role user, 22.2.14.2
finding information about audit management, 23.4
finding information about usage, 22.5
fine-grained
See fine-grained auditing
functions, 22.2.7.6
functions, Oracle Virtual Private Database, 22.2.7.7
general steps for, 22.1
guidelines for security, A.11
historical information, A.11.3
INHERIT PRIVILEGE privilege, 5.5.5
keeping information manageable, A.11.2
loading audit records to unified audit trail, 23.1.5
mandatory auditing, 23.1.2
multitier environments
See standard auditing
One Big Application User authentication, compromised by, 8.2.1
operating-system user names, 3.5
Oracle Recovery Manager events, 22.2.13.2
Oracle Virtual Private Database policy functions, 22.2.7.7
packages, 22.2.7.6
performance, 21.3
PL/SQL packages, 22.2.7.6
privileges required, 21.8
procedures, 22.2.7.6
purging records example, 23.3.6
range of focus, 22.1
READ object privileges in policies, 22.2.8.2
READ privileges
about, 22.2.8.1
how recorded in audit trail, 22.2.8.3
recommended settings, A.11.5
Sarbanes-Oxley Act
auditing, meeting compliance through, 21.1
SELECT privileges
about, 22.2.8.1
how recorded in audit trail, 22.2.8.3
suspicious activity, A.11.4
triggers, 22.2.7.6
unified audit trail
about, 21.4
when audit options take effect, 23.1.1
when records are created, 23.1.1
See also unified audit policies
auditing, purging records
about, 23.3.1
cancelling archive timestamp, 23.3.5.4
creating audit trail
purge job, 23.3.3.1
creating the purge job, 23.3.3.5
DBMS_SCHEDULER package, 23.3.3.1
deleting a purge job, 23.3.5.3
disabling purge jobs, 23.3.5.1
enabling purge jobs, 23.3.5.1
general steps for, 23.3.2
purging audit trail manually, 23.3.4.1
road map, 23.3.2
scheduling the purge job, 23.3.3.5
setting archive timestamp, 23.3.3.4
time interval for named purge job, 23.3.5.2
AUTHENTICATEDUSER role, 4.8.2
authentication, 15.4
about, 3.1
administrators
operating system, 3.3.3
passwords, 3.3.4
SYSDBA and SYSOPER access, centrally controlling, 3.3.2.1
by database, 3.4
by SSL, 3.7.2.1
client, A.9.1
client-to-middle tier process, 3.10.1.6
configuring multiple methods, 20.4
database administrators, 3.3.1
databases, using
about, 3.4.1
advantages, 3.4.2
procedure, 3.4.3
directory service, 3.7.2
directory-based services, 3.6.2
external authentication
about, 3.8.1
advantages, 3.8.2
operating system authentication, 3.8.4
user creation, 3.8.3
global authentication
about, 3.7.1
advantages, 3.7.3
user creation for private schemas, 3.7.2.1
user creation for shared schemas, 3.7.2.2
methods, 15.3
middle-tier authentication
proxies, example, 3.10.1.8
modes in RADIUS, 19.2
multitier, 3.9
network authentication
Secure Sockets Layer, 3.6.1
third-party services, 3.6.2
One Big Application User, compromised by, 8.2.1
operating system authentication
about, 3.5
advantages, 3.5
disadvantages, 3.5
ORA-28040 errors, 3.2.7.3
proxy user authentication
about, 3.10.1.1
expired passwords, 3.10.1.4
public key infrastructure, 3.6.2
RADIUS, 3.6.2
remote, A.9.1
specifying when creating a user, 2.2.5
strong, A.5
SYSDBA on Windows systems, 3.3.3
Windows native authentication, 3.3.3
See also passwords, proxy authentication
AUTHENTICATION parameter, C.3.1
AUTHID DEFINER clause
used with Oracle Virtual Private Database functions, 10.1.4
authorization
about, 4
changing for roles, 4.8.3.4
global
about, 3.7.1
advantages, 3.7.3
multitier, 3.9
omitting for roles, 4.8.3.1
operating system, 4.8.4.4
roles, about, 4.8.4
automatic reparse
Oracle Virtual Private Database, how it works with, 10.5.5

B

banners
auditing user actions, configuring, 8.10.5
unauthorized access, configuring, 8.10.5
batch jobs, authenticating users in, 3.2.8.1
BFILEs
guidelines for security, A.6
bind variables
application contexts, used with, 10.1.5
BLOBS
encrypting, 12.2.6

C

CAPTURE_ADMIN role, 4.8.2
cascading revokes, 4.15.3
CDB_DBA role, 4.8.2
CDBs
auditing, how affects, 21.9
CBAC role grants with DELEGATE option, 5.7.5
common privilege grants, 4.6.1
granting privileges, 4.6.4
local privilege grants, 4.6.1
object privileges, 4.6.3
privilege management, 4.6
revoking privileges, 4.6.4
role management, 4.7
roles
altering, 4.8.3.4
creating common, 4.7.5
creating local, 4.7.6
granting common, 4.7.7
how common roles work, 4.7.2
privileges required to manage, 4.7.4
system privileges, 4.6.2
transparent sensitive data protection, 11.10.3
user accounts
creating, 2.2.10
local, 2.2.1.3
user privileges, how affects, 4.3
users
common, 2.2.1.1
viewing information about, 4.6.5.1
Virtual Private Database policies, 10.1.6
certificate, 18.2.3.2
certificate authority, 18.2.3.1
certificate key algorithm
Secure Sockets Layer, A.9.3
certificate revocation lists, 18.2.3.3
manipulating with orapki tool, 18.8.5.1
uploading to LDAP directory, 18.8.5.1
where to store them, 18.8.3
certificate revocation status checking
disabling on server, 18.8.4.2, 18.8.4.3
certificate validation error message
CRL could not be found, 18.8.6.1
CRL date verification failed with RSA status, 18.8.6.1
CRL signature verification failed with RSA status, 18.8.6.1
Fetch CRL from CRL DP
No CRLs found, 18.8.6.1
OID hostname or port number not set, 18.8.6.1
certificates
creating signed with orapki, F.2
challenge-response authentication in RADIUS, 19.2.2
change_on_install default password, A.5
character sets
role names, multibyte characters in, 4.8.3.1
role passwords, multibyte characters in, 4.8.4.1
cipher suites
about, 18.6.1.3
procedure for specifying for server, 18.6.1.3
Secure Sockets Layer, A.9.3
Secure Sockets Layer (SSL), C.3.2.1
supported, 18.6.1.3
Cipher Suites
FIPS 140-2 settings, E.2.3.2
client authentication in SSL, 18.6.1.5
client connections
guidelines for security, A.9.1
secure external password store, 3.2.8.3
securing, A.9.1
client identifier
setting for applications that use JDBC, 3.10.2.4
client identifiers
about, 3.10.2.1
auditing users, 22.2.9
consistency between DBMS_SESSION.SET_IDENTIFIER and DBMS_APPLICATION_INFO.SET_CLIENT_INFO, 3.10.2.5
global application context, independent of, 3.10.2.4
setting with DBMS_SESSION.SET_IDENTIFIER procedure, 9.4.1
See also nondatabase users
client session-based application contexts
about, 9.5.1
CLIENTCONTEXT namespace, clearing value from, 9.5.4
CLIENTCONTEXT namespace, setting value in, 9.5.2
retrieving CLIENTCONTEXT namespace, 9.5.3
See also application contexts
CLIENT_IDENTIFIER USERENV attribute
setting and clearing with DBMS_SESSION package, 3.10.2.5
setting with OCI user session handle attribute, 3.10.2.4
See also USERENV namespace
CLIENTID_OVERWRITE event, 3.10.2.5
code based access control (CBAC)
about, 5.7.1
granting and revoking roles to program unit, 5.7.6
how works with definer's rights, 5.7.4
how works with invoker’s rights, 5.7.3
privileges, 5.7.2
tutorial, 5.7.7
column masking behavior, 10.3.4.3
column specification, 10.3.4.3
restrictions, 10.3.4.3
columns
granting privileges for selected, 4.14.2.4
granting privileges on, 4.14.2.4
INSERT privilege and, 4.14.2.4
listing users granted to, 4.19.3
privileges, 4.14.2.4
pseudo columns
USER, 4.11.3
revoking privileges on, 4.15.2.2
command line recall attacks, 8.3.1.1, 8.3.1.4
committed data
auditing, A.11.3
common privilege grants
about, 4.6.1
granting, 4.6.4
revoking, 4.6.4
with object privileges, 4.6.3
with system privileges, 4.6.2
common roles
about, 4.7.1
creating, 4.7.5
granting, 4.7.7
how they work, 4.7.2
privileges required to manage, 4.7.4
common user accounts
creating, 2.2.10.1
enabling access to other PDBs, 4.6.5
granting privileges to, 4.6
common users
about, 2.2.1.1
accessing data in PDBs, 4.6.5.2
altering, 2.3.2
plug-in operations, 2.2.1.2
configuration
guidelines for security, A.8
configuration files
Kerberos, C.2
listener.ora, A.9.2
sample listener.ora file, A.9.2
server.key encryption file, A.9.3
tnsnames.ora, A.9.3
typical directory, A.9.3
configuring
Kerberos authentication service parameters, 17.1.6.1
RADIUS authentication, 19.3.1
SSL, 18.6
on the client, 18.6.2
on the server, 18.6.1
thin JDBC support, 14.1
CONNECT role
about, A.12
applications
account provisioning, A.12.2.2
effects of, A.12.2
database upgrades, A.12.2.1
installation of, A.12.2.3
script to create, 4.8.2
users
application developers, impact, A.12.3.2
client-server applications, impact, A.12.3.3
general users, impact, A.12.3.1
how affects, A.12.3
why changed, A.12.1
connecting
with username and password, 20.2
connection pooling
about, 3.9
global application contexts, 9.4.1
nondatabase users, 9.4.4.6
proxy authentication, 3.10.1.6
connections
SYS privilege, A.3
container data objects
about, 4.6.5.1
container database (CDB)
See CDBs
controlled step-in procedures, 5.3
CPU time limit, 2.4.2.3
CREATE ANY LIBRARY statement
security guidelines, A.3
CREATE ANY PROCEDURE system privilege, 4.12.3
CREATE ANY TABLE statement
non-administrative users, A.3
CREATE CONTEXT statement
about, 9.3.2
example, 9.3.2
CREATE LIBRARY statement
security guidelines, A.3
CREATE PROCEDURE system privilege, 4.12.3
CREATE PROFILE statement
account locking period, 3.2.4.5
failed login attempts, 3.2.4.5
password aging and expiration, 3.2.4.7
password management, 3.2.4.1
passwords, example, 3.2.4.8
CREATE ROLE statement
IDENTIFIED EXTERNALLY option, 4.8.4.3
CREATE SCHEMA statement
securing, 8.8.1
CREATE SESSION statement
CONNECT role privilege, A.4
securing, 8.8.1
CREATE USER statement
explicit account locking, 3.2.4.5
IDENTIFIED BY option, 2.2.5
IDENTIFIED EXTERNALLY option, 2.2.5
passwords, expiring, 3.2.4.8
user profile, 3.2.4.1
CRL, 18.2.3.3
CRLAdmins directory administrative group, F.6.7
CRLs
disabling on server, 18.8.4.2, 18.8.4.3
where to store them, 18.8.3
cryptographic hardware devices, 18.2.3.5
CSW_USR_ROLE role, 4.8.2
CTXAPP role, 4.8.2
cursors
effect on auditing, 23.1.3
reparsing, for application contexts, 9.3.4
shared, used with Virtual Private Database, 10.1.5
custom installation, A.8
CWM_USER role, 4.8.2

D

data definition language (DDL)
roles and privileges, 4.8.1.7
data dictionary
protecting, A.6
securing with O7_DICTIONARY_ACCESSIBILITY, 4.5.2.2
data dictionary views
See views
data encryption and integrity parameters
about, B.3.1
SQLNET.CRYPTO_CHECKSUM_CLIENT, B.3.5
SQLNET.CRYPTO_CHECKSUM_SERVER, B.3.4
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT, B.3.9
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER, B.3.8
SQLNET.ENCRYPTION_CLIENT, B.3.3
SQLNET.ENCRYPTION_SERVER, B.3.2
SQLNET.ENCRYPTION_TYPES_CLIENT, B.3.7
SQLNET.ENCRYPTION_TYPES_SERVER, B.3.6
Data Encryption Standard (DES), 13.1.3
DES40 encryption algorithm, 13.1.4.1
Triple-DES encryption algorithm, 13.1.4
data files, A.6
guidelines for security, A.6
data manipulation language (DML)
privileges controlling, 4.10.2
data security
encryption, problems not solved by, 12.1.3
database administrators (DBAs)
access, controlling, 12.1.2
authentication, 3.3.1
malicious, encryption not solved by, 12.1.2
Database Configuration Assistant (DBCA)
default passwords, changing, A.5
user accounts, automatically locking and expiring, A.3
database links
application context support, 9.3.6
application contexts, 9.3.3.5
authenticating with Kerberos, 3.6.2
authenticating with third-party services, 3.6.2
global user authentication, 3.7.3
object privileges, 4.9.1
operating system accounts, care needed, 3.5
RADIUS not supported, 19.1
session-based application contexts, accessing, 9.3.3.5
database session-based application contexts
about, 9.3.1
cleaning up after user exits, 9.3.1
components, 9.3.1
creating, 9.3.2
database links, 9.3.3.5
dynamic SQL, 9.3.3.3
externalized, using, 9.3.8
how to use, 9.3
initializing externally, 9.3.6
initializing globally, 9.3.7.1
ownership, 9.3.2
parallel queries, 9.3.3.4
PL/SQL package creation, 9.3.3
session information, setting, 9.3.3.6
SYS_CONTEXT function, 9.3.3.2
trusted procedure, 9.1.2
tutorial, 9.3.5.1
See also application contexts
database upgrades and CONNECT role, A.12.2.1
databases
access control
password encryption, 3.2.1
additional security resources, 1.2
authentication, 3.4
database user and application user, 8.2.1
default password security settings, 3.2.4.4
DBCA-created databases, 3.2.4.4
manually-created databases, 3.2.4.4
default security features, summary, 1.1
granting privileges, 4.14
granting roles, 4.14
limitations on usage, 2.4.1
security and schemas, 8.8
security embedded, advantages of, 8.2.2
security policies based on, 10.1.2.1
DATAPUMP_EXP_FULL_DATABASE role, 4.8.2
DATAPUMP_IMP_FULL_DATABASE role, 4.8.2
DBA role
about, 4.8.2
DBA_CONTAINER_DATA data dictionary view, 4.6.5.1
DBA_HOST_ACES view, 6.11.1
DBA_ROLE_PRIVS view
application privileges, finding, 8.5
DBA_ROLES data dictionary view
PUBLIC role, 4.5.5
DBFS_ROLE role, 4.8.2
DBMS_APPLICATION_INFO.SET_CLIENT_INFO procedure
DBMS_SESSION.SET_IDENTIFIER value, overwriting, 3.10.2.5
DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure, 8.4.2
DBMS_CRYPTO package
about, 12.3
encryption algorithms supported, 12.3
examples, 12.4.1
DBMS_CRYPTO PL/SQL package
enabling for FIPS 140-2, E.2.2
DBMS_FGA package
about, 22.4.6.1
ADD_POLICY procedure, 22.4.6.4
DISABLE_POLICY procedure, 22.4.6.5
DROP_POLICY procedure, 22.4.6.6
editions, 22.4.6.2
ENABLE_POLICY procedure, 22.4.6.5
PDBs, 22.4.6.3
DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE procedure, 6.5.3
DBMS_RLS package
about, 10.3.1
DBMS_RLS.ADD_CONTEXT procedure, 10.3.1
DBMS_RLS.ADD_GROUPED_POLICY procedure, 10.3.1
DBMS_RLS.ADD_POLICY
sec_relevant_cols parameter, 10.3.4.1
sec_relevant_cols_opt parameter, 10.3.4.3
DBMS_RLS.ADD_POLICY procedure
about, 10.3.1
transparent sensitive data protection polices, 11.10.2.2
DBMS_RLS.ALTER_GROUPED_POLICY procedure, 10.3.1
DBMS_RLS.ALTER_POLICY procedure, 10.3.1
DBMS_RLS.CREATE_POLICY_GROUP procedure, 10.3.1
DBMS_RLS.DELETE_POLICY_GROUPS procedure, 10.3.1
DBMS_RLS.DISABLE_GROUPED_POLICY procedure, 10.3.1
DBMS_RLS.DROP_CONTEXT procedure, 10.3.1
DBMS_RLS.DROP_GROUPED_POLICY procedure, 10.3.1
DBMS_RLS.DROP_POLICY procedure, 10.3.1
DBMS_RLS.ENABLE_GROUPED_POLICY procedure, 10.3.1
DBMS_RLS.ENABLE_POLICY procedure, 10.3.1
DBMS_RLS.REFRESH_GROUPED_POLICY procedure, 10.3.1
DBMS_RLS.REFRESH_POLICY procedure, 10.3.1
DBMS_SESSION package
client identifiers, using, 3.10.2.5
global application context, used in, 9.4.4
SET_CONTEXT procedure
about, 9.3.3.6
application context name-value pair, setting, 9.3.3.1
DBMS_SESSION.SET_CONTEXT procedure
about, 9.3.3.6
syntax, 9.3.3.6
username and client_id settings, 9.4.4.3
DBMS_SESSION.SET_IDENTIFIER procedure
client session ID, setting, 9.4.1
DBMS_APPLICATION_INFO.SET_CLIENT_INFO value, overwritten by, 3.10.2.5
DBSNMP user account
password usage, A.5
DDL
See data definition language
debugging
Java stored procedures, 6.12
PL/SQL stored procedures, 6.12
default passwords, A.5
change_on_install or manager passwords, A.5
changing, importance of, 3.2.4.2
finding, 3.2.4.2
default permissions, A.6
default profiles
about, 3.2.4.3
default roles
setting for user, 2.2.11
specifying, 4.18.2
default users
accounts, A.3
Enterprise Manager accounts, A.3
passwords, A.5
defaults
tablespace quota, 2.2.7
user tablespaces, 2.2.6
definer’s rights
about, 5.2
code based access control
about, 5.7.1
granting and revoking roles to program unit, 5.7.6
how code based access control works, 5.7.4
compared with invoker’s rights, 5.1
example of when to use, 5.2
procedure privileges, used with, 5.2
procedure security, 5.2
schema privileges for, 5.2
secure application roles, 8.6.2
used with Oracle Virtual Private Database functions, 10.1.4
views, 5.6.1
DELETE privilege
SQL statements permitted, 8.9.2
DELETE_CATALOG_ROLE role
about, 4.8.2
SYS schema objects, enabling access to, 4.5.2.3
denial-of-service (DoS) attacks
bad packets, preventing, 8.10.1
networks, securing, A.9.2
denial-of-service attacks
about, Glossary
Department of Defense Database Security Technical Implementation Guide, 3.2.5.2
DES. See Data Encryption Standard (DES)
dictionary protection mechanism, 4.5.2.2
dictionary tables
auditing, 22.2.7.4
Diffie-Hellman, 18.6.1.3
Diffie-Hellman key negotiation algorithm, 13.3
direct path load
fine-grained auditing effects on, 22.4.1
directories
auditing, 22.2.7.2
directory authentication, configuring for SYSDBA or SYSOPER access, 3.3.2.2
directory objects
granting EXECUTE privilege on, 4.14.1
directory-based services authentication, 3.6.2
disabling unnecessary services
FTP, TFTP, TELNET, A.9.2
dispatcher processes (Dnnn)
limiting SGA space for each session, 2.4.2.5
distributed databases
auditing and, 21.10
DML
See data manipulation language
driving context, 9.6
DROP PROFILE statement
example, 2.4.4.3
DROP ROLE statement
example, 4.8.6
security domain, affected, 4.8.6
DROP USER statement
about, 2.5
schema objects of dropped user, 2.5
DUAL table
about, 9.3.3.2
dynamic Oracle Virtual Private Database policy types, 10.3.6.2
DYNAMIC policy type, 10.3.6.2

E

editions
application contexts, how affects, 9.1.5
fine-grained auditing packages, results in, 9.4.4.2
global application contexts, how affects, 9.4.4.2
Oracle Virtual Private Database packages, results in, 9.4.4.2
EJBCLIENT role, 4.8.2
EM_EXPRESS_ALL role, 4.8.2
EM_EXPRESS_BASIC role, 4.8.2
email alert example, 22.4.7.1
encryption
access control, 12.1.1
BLOBS, 12.2.6
challenges, 12.2
data security, problems not solved by, 12.1.3
data transfer, A.9.2
DBMS_CRYPTO package, 12.3
deleted encrypted data, A.6
examples, 12.4.1
finding information about, 12.5
fine-grained audit policies on encrypted columns, 22.4.6.4
indexed data, 12.2.1
key generation, 12.2.2
key storage, 12.2.4
key transmission, 12.2.3
keys, changing, 12.2.5
malicious database administrators, 12.1.2
network encryption, 13.4
network traffic, A.9.2
problems not solved by, 12.1
Transparent Data Encryption, 12.2.4.4
transparent tablespace encryption, 12.2.4.4
encryption and checksumming
activating, 13.4.2
negotiating, 13.4.3.1
parameter settings, 13.4.4
ENFORCE_CREDENTIAL configuration parameter
security guideline, A.10
enterprise directory service, 4.8.4.6
enterprise roles, 3.7.1, 4.8.4.6
enterprise user management, 8.2.1
Enterprise User Security
application context, globally initialized, 9.3.7.3
proxy authentication
Oracle Virtual Private Database, how it works with, 10.5.9
enterprise users
centralized management, 3.7.1
global role, creating, 4.8.4.6
One Big Application User authentication, compromised by, 8.2.1
proxy authentication, 3.10.1.1
shared schemas, protecting users, 8.8.2
error messages
ORA-12650, 13.4.2, 13.4.3.2, 13.4.3.3, B.3.6, B.3.7, B.3.8, B.3.9
errors
OPW-00005, 2.3.4
ORA-00036, 22.4.6.4
ORA-01720, 4.11.2
ORA-06512, 6.12, 22.4.7.6
ORA-06598, 5.5.2
ORA-1000, 22.4.6.4
ORA-1536, 2.2.7.1
ORA-24247, 6.4, 6.12, 22.4.7.6
ORA-28009, 4.5.2.2
ORA-28017, 2.3.4
ORA-28040, 3.2.7.3, 3.4.1
ORA-28046, 2.3.4
ORA-28133, 22.4.6.4
ORA-28144, 22.4.6.4
ORA-28575, 8.4.1
ORA-45622, 11.5.6
examples
access control lists
external network connections, 6.7
wallet access, 6.7
account locking, 3.2.4.5
audit trail, purging unified trail, 23.3.6
auditing user SYS, 22.2.5.5
data encryption
encrypting and decrypting BLOB data, 12.4.3
encrypting and decrypting procedure with AES 256-Bit, 12.4.2
directory objects, granting EXECUTE privilege on, 4.14.1
encrypting procedure, 12.4.1
Java code to read passwords, 8.3.4
locking an account with CREATE PROFILE, 3.2.4.5
login attempt grace period, 3.2.4.8
nondatabase user authentication, 9.4.4.6
O7_DICTIONARY_ACCESSIBILITY initialization parameter, setting, 4.5.2.2
passwords
aging and expiration, 3.2.4.7
changing, 2.3.3
creating for user, 2.2.5
privileges
granting ADMIN OPTION, 4.14.1.1
views, 4.19
procedure privileges affecting packages, 4.12.5.2, 4.12.5.3
profiles, assigning to user, 2.2.9
roles
altering for external authorization, 4.8.3.4
common, 4.7.5
creating for application authorization, 4.8.4.2
creating for external authorization, 4.8.4.3
creating for password authorization, 4.8.3.2
default, setting, 4.18.2
global, 4.8.3.3
using SET ROLE for password-authenticated roles, 4.8.4.1
views, 4.19
secure external password store, 3.2.8.2
session ID of user
finding, 2.5
terminating, 2.5
system privilege and role, granting, 4.14.1
tablespaces
assigning default to user, 2.2.6
quota, assigning to user, 2.2.7
temporary, 2.2.8
type creation, 4.13.5
users
account creation, 2.2.3
creating with GRANT statement, 4.14.1.2
dropping, 2.5
middle-tier server proxying a client, 3.10.1.4
naming, 2.2.4
object privileges granted to, 4.14.2.1
proxy user, connecting as, 3.10.1.4
See also tutorials
exceptions
WHEN NO DATA FOUND, used in application context package, 9.3.5.4
WHEN OTHERS, used in triggers
development environment (debugging) example, 9.3.4
production environment example, 9.3.4
Exclusive Mode
SHA-2 password hashing algorithm, enabling, 3.2.7.2
EXECUTE ANY LIBRARY statement
security guidelines, A.3
EXECUTE privilege
SQL statements permitted, 8.9.2
EXECUTE_CATALOG_ROLE role
about, 4.8.2
SYS schema objects, enabling access to, 4.5.2.3
execution time for statements, measuring, 10.3.6.2
EXEMPT ACCESS POLICY privilege
Oracle Virtual Private Database enforcements, exemption, 10.5.7.2
EXP_FULL_DATABASE role
about, 4.8.2
expiring a password
explicitly, 3.2.4.8
exporting data
direct path export impact on Oracle Virtual Private Database, 10.5.7.2
policy enforcement, 10.5.7.2
external authentication
about, 3.8.1
advantages, 3.8.2
network, 3.8.5
operating system, 3.8.4
user creation, 3.8.3
external network services, fine-grained access to
See access control list (ACL)
external procedures
configuring extproc process for, 8.4.2
credentials, 8.4.1
DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure, 8.4.2
legacy applications, 8.4.3
security guideline, A.10
external tables, A.6
extproc process
about, 8.4.1
configuring credential for, 8.4.2
legacy applications, 8.4.3

F

failed login attempts
account locking, 3.2.4.5
password management, 3.2.4.5
resetting, 3.2.4.5
Federal Information Processing Standard (FIPS), E.3.1
DBMS_CRYPTO package, E.2.2
FIPS 140-1
postinstallation checks, E.3.3
status information, E.3.4
FIPS 140-2
Cipher Suites, E.2.3.2
FIPS_140, E.2.4
postinstallation checks, E.2.5
SSLFIPS_140, E.2.3.1
verifying connections, E.2.6
FIPS 140-2 Level 2 certification, Preface, E.1, E.2.1
physical security, E.3.5
sqlnet.ora FIPS 140-1 parameters, E.3.2.1
Transparent Data Encryption, E.2.2
files
BFILEs
operating system access, restricting, A.6
BLOB, 12.2.6
data
operating system access, restricting, A.6
external tables
operating system access, restricting, A.6
keys, 12.2.4.2
listener.ora file
guidelines for security, A.9.2, A.9.3
log
operating system access, restricting, A.6
restrict listener access, A.9.2
server.key encryption file, A.9.3
symbolic links, restricting, A.6
tnsnames.ora, A.9.3
trace
operating system access, restricting, A.6
fine-grained access control
See Oracle Virtual Private Database (VPD)
fine-grained auditing
about, 22.4.1
alerts, adding to policy, 22.4.7.1
columns, specific, 22.4.6.4
DBMS_FGA package, 22.4.6.1
direct loads of data, 22.4.1
edition-based redefinitions, 22.4.5
editions, results in, 9.4.4.2
encrypted table columns, 22.4.6.4
finding errors by checking trace files, 22.5
how audit records are generated, 22.4.2
how to use, 22.4.1
policies
adding, 22.4.6.4
disabling, 22.4.6.5
dropping, 22.4.6.6
enabling, 22.4.6.5
modifying, 22.4.6.4
privileges required, 22.4.3
records
archiving, 23.2.2
FIPS Parameter
Configuring, E.2.3
FIPS. See Federal Information Processing Standard (FIPS)
fips.ora file, E.2.3.1, E.2.4
firewalls
advice about using, A.9.2
database server location, A.9.2
ports, A.9.3
supported types, A.9.2
flashback query
Oracle Virtual Private Database, how it works with, 10.5.6
foreign keys
privilege to use parent key, 4.10.3
FTP service, A.9.2
functions
auditing, 22.2.7.2, 22.2.7.6
granting roles to, 4.8.5.3
Oracle Virtual Private Database
components of, 10.2.1
privileges used to run, 10.1.4
privileges for, 4.12.1
roles, 4.8.1.6

G

GATHER_SYSTEM_STATISTICS role, 4.8.2
global application contexts
about, 9.4.1
authenticating nondatabase users, 9.4.4.6
components, 9.4.1
editions, effect on, 9.4.4.2
example of authenticating nondatabase users, 9.4.4.6
example of authenticating user moving to different application, 9.4.4.5
example of setting values for all users, 9.4.4.4
Oracle RAC environment, 9.4.2
Oracle RAC instances, 9.4.1
ownership, 9.4.3
PL/SQL package creation, 9.4.4.1
process, lightweight users, 9.4.7.2
process, standard, 9.4.7.1
sharing values globally for all users, 9.4.4.4
system global area, 9.4.1
tutorial for client session IDs, 9.4.6.1
used for One Big Application User scenarios, 10.5.9
user name retrieval with USER function, 9.4.4.3
uses for, 10.5.9
See also application contexts
global authentication
about, 3.7.1
advantages, 3.7.3
user creation for private schemas, 3.7.2.1
user creation for shared schemas, 3.7.2.2
global authorization
about, 3.7.1
advantages, 3.7.3
role creation, 4.8.4.6
roles, 3.7.1
global roles
about, 4.8.4.6
global users, 3.7.1
GLOBAL_AQ_USER_ROLE role, 4.8.2
GLOBAL_EXTPROC_CREDENTIAL configuration parameter
security guideline, 8.4.3
grace period for login attempts
example, 3.2.4.8
grace period for password expiration, 3.2.4.8
GRANT ALL PRIVILEGES statement
SELECT ANY DICTIONARY privilege, exclusion of, A.6
GRANT ANY OBJECT PRIVILEGE system privilege, 4.14.2.3, 4.15.2.1
GRANT ANY PRIVILEGE system privilege, 4.5.4
GRANT CONNECT THROUGH clause
consideration when setting FAILED_LOGIN_ATTEMPTS parameter, 3.2.4.3
for proxy authorization, 3.10.1.4
GRANT statement, 4.14.1
ADMIN OPTION, 4.14.1.1
creating a new user, 4.14.1.2
object privileges, 4.14.2.1, 8.9.1
system privileges and roles, 4.14
when takes effect, 4.18
WITH GRANT OPTION, 4.14.2.2
granting privileges and roles
about, 4.5.3
finding information about, 4.19
specifying ALL, 4.9.3.2
guidelines for security
auditing, A.11
custom installation, A.8
data files and directories, A.6
encrypting sensitive data, A.6
installation and configuration, A.8
networking security, A.9
operating system accounts, limiting privileges, A.6
operating system users, limiting number of, A.6
Oracle home default permissions, disallowing modification, A.6
ORACLE_DATAPUMP access driver, A.7
passwords, A.5
Secure Sockets Layer
mode, A.9.3
TCPS protocol, A.9.3
symbolic links, restricting, A.6
user accounts and privileges, A.3

H

hackers
See security attacks
handshake
SSL, 18.1.4
HS_ADMIN_EXECUTE_ROLE role
about, 4.8.2
HS_ADMIN_ROLE role
about, 4.8.2
HS_ADMIN_SELECT_ROLE role
about, 4.8.2
HTTP authentication
See access control list (ACL), wallet access
HTTPS
port, correct running on, A.9.3

I

IMP_FULL_DATABASE role
about, 4.8.2
INDEX privilege
SQL statements permitted, 8.9.2
indexed data
encryption, 12.2.1
indirectly granted roles, 4.8.1.2
INHERIT ANY PRIVILEGES privilege
about, 5.5.2
managing, 5.5.5
not audited, 22.2.5.3
revoking from powerful users, 5.5.4
when it should be granted, 5.5.4
INHERIT PRIVILEGES privilege
about, 5.5.2
auditing, 5.5.5
managing, 5.5.5
not audited, 22.2.5.3
when it should be granted, 5.5.3
initialization parameter file
parameters for clients and servers using Kerberos, C.2
parameters for clients and servers using RADIUS, C.4
parameters for clients and servers using SSL, C.3
initialization parameters
application protection, 8.10
MAX_ENABLED_ROLES, 4.18.3
O7_DICTIONARY_ACCESSIBILITY, 4.5.2.2
OS_AUTHENT_PREFIX, 3.8.1
OS_ROLES, 4.8.4.4
REMOTE_OS_AUTHENT, A.9.1
RESOURCE_LIMIT, 2.4.4.1
SEC_CASE_SENSITIVE_LOGON, 3.2.6.1
SEC_MAX_FAILED_LOGIN_ATTEMPTS, 8.10.3
SEC_PROTOCOL_ERROR_FURTHER_ACTION, 8.10.2
SEC_PROTOCOL_ERROR_TRACE_ACTION, 8.10.1
SEC_RETURN_SERVER_RELEASE_BANNER, 8.10.4
SEC_USER_AUDIT_ACTION_BANNER, 8.10.5
SEC_USER_UNAUTHORIZED_ACCESS_BANNER, 8.10.5
INSERT privilege
granting, 4.14.2.4
revoking, 4.15.2.2
SQL statements permitted, 8.9.2
installation
guidelines for security, A.8
intruders
See security attacks
invoker’s rights
about, 5.3
code based access control
about, 5.7.1
granting and revoking roles to program unit, 5.7.6
how code based access control works, 5.7.3
tutorial, 5.7.7
compared with definer’s rights, 5.1
controlled step-in, 5.3
procedure privileges, used with, 5.2
procedure security, 5.3
secure application roles, 8.6.2
secure application roles, requirement for enabling, 8.6.2
security risk, 5.5.1
views
about, 5.6.1
finding user who invoked invoker’s right view, 5.6.3
IP addresses
falsifying, A.9.2

J

Java Byte Code Obfuscation, 14.5
Java Database Connectivity (JDBC)
configuration parameters, 14.6.1
implementation of Oracle Advanced Security, 14.1
Oracle extensions, 14.2
thin driver features, 14.3
Java Debug Wire Protocol (JDWP)
network access for debugging operations, 6.12
Java schema objects
auditing, 22.2.7.2
Java stored procedures
network access for debugging operations, 6.12
JAVA_ADMIN role, 4.8.2
JAVA_DEPLOY role, 4.8.2
JAVADEBUGPRIV role, 4.8.2
JAVAIDPRIV role, 4.8.2
JAVASYSPRIV role, 4.8.2
JAVAUSERPRIV role, 4.8.2
JDBC connections
JDBC Thin Driver proxy authentication
configuring, 3.10.1.1
with real user, 3.10.1.6
JDBC/OCI proxy authentication, 3.10.1.1
multiple user sessions, 3.10.1.6
Oracle Virtual Private Database, 10.5.9
JDBC
See Java Database Connectivity (JDBC)
JDeveloper
debugging using Java Debug Wire Protocol, 6.12
JMXSERVER role, 4.8.2

K

Kerberos, 15.3.1
authentication adapter utilities, 17.2
configuring authentication, 17.1, 17.1.6.1
configuring for database server, 17.1.2
configuring for Windows 2008 Domain Controller KDC, 17.3
kinstance, 17.1.2
kservice, 17.1.2
realm, 17.1.2
sqlnet.ora file sample, B.2
system requirements, 15.5
Kerberos authentication, 3.6.2
configuring for SYSDBA or SYSOPER access, 3.3.2.3
password management, A.5
Kerberos Key Distribution Center (KDC), 17.3
key generation
encryption, 12.2.2
key storage
encryption, 12.2.4
key transmission
encryption, 12.2.3
kinstance (Kerberos), 17.1.2
kservice (Kerberos), 17.1.2

L

LBAC_DBA role, 4.8.2
LBACSYS.ORA_GET_AUDITED_LABEL function
about, 22.2.15.6
ldap.ora
which directory SSL port to use for no authentication, 18.8.5.4
least privilege principle, A.3
about, A.3
granting user privileges, A.3
middle-tier privileges, 3.10.1.7
libraries
auditing, 22.2.7.2
security guidelines, A.3
Lightweight Directory Access Protocol (LDAP), 10.4.2.8
lightweight users
example using a global application context, 9.4.6.1
listener
endpoint
SSL configuration, 18.6.1.7
not an Oracle owner, A.9.2
preventing online administration, A.9.2
restrict privileges, A.9.2
secure administration, A.9.2
listener.ora file
administering remotely, A.9.2
default location, A.9.3
FIPS 140-2 Cipher Suite settings, E.2.3.2
online administration, preventing, A.9.2
Oracle wallet setting, C.3.5
TCPS, securing, A.9.3
local privilege grants
about, 4.6.1
granting, 4.6.4
revoking, 4.6.4
local roles
about, 4.7.1
creating, 4.7.6
local user accounts
creating, 2.2.10.2
local users
about, 2.2.1.3
lock and expire
default accounts, A.3
predefined user accounts, A.3
log files
owned by trusted user, A.6
logical reads limit, 2.4.2.4
logon triggers
externally initialized application contexts, 9.3.4
for application context packages, 9.3.4
running database session application context package, 9.3.4
secure application roles, 4.8.8
LOGSTDBY_ADMINISTRATOR role, 4.8.2

M

malicious database administrators
See also security attacks
manager default password, A.5
managing roles with RADIUS server, 19.3.8
materialized views
auditing, 22.2.7.2
MD5 message digest algorithm, 13.2.1
memory
users, viewing, 2.6.5
MERGE INTO statement, affected by DBMS_RLS.ADD_POLICY statement_types parameter, 10.3.3
methods
privileges on, 4.13
Microsoft Windows
Kerberos
configuring for Windows 2008 Domain Controller KDC, 17.3
middle-tier systems
client identifiers, 3.10.2.2
enterprise user connections, 3.10.1.10.2
password-based proxy authentication, 3.10.1.10.1
privileges, limiting, 3.10.1.7
proxies authenticating users, 3.10.1.8
proxying but not authenticating users, 3.10.1.9
reauthenticating user to database, 3.10.1.10
USERENV namespace attributes, accessing, 9.3.6.3
mining models
auditing, 22.2.7.2
mixed mode auditing capabilities, 21.7.3
monitoring user actions
See also auditing, standard auditing, fine-grained auditing
multiplex multiple-client network sessions, A.9.2
multitenant container database (CDB)
See CDBs
My Oracle Support
security patches, downloading, A.2.1

N

nCipher hardware security module
using Oracle Net tracing to troubleshoot, 18.9.5.1
Net8
See Oracle Net
Netscape Communications Corporation, 18.1.1
network authentication
external authentication, 3.8.5
guidelines for securing, A.5
roles, granting using, 4.17
Secure Sockets Layer, 3.6.1
smart cards, A.5
third-party services, 3.6.2
token cards, A.5
X.509 certificates, A.5
network connections
denial-of-service (DoS) attacks, addressing, A.9.2
guidelines for security, A.9, A.9.1, A.9.2
securing, A.9.2
network encryption
about, 13.4.1
configuring, 13.4
FIPS mode setting (FIPS_140), E.2.4
network IP addresses
guidelines for security, A.9.2
nondatabase users
about, 9.4.1
auditing, 22.2.24.1
clearing session data, 9.4.4.7
creating client session-based application contexts, 9.5.1
global application contexts
package example, 9.4.4.6
reason for using, 9.4.1
setting, 9.4.4.6
tutorial, 9.4.6.1
One Big Application User authentication
about, 10.5.9
features compromised by, 8.2.1
security risks, 8.2.1
Oracle Virtual Private Database
how it works with, 10.5.9
tutorial for creating a policy group, 10.4.3.1
See also application contexts, client identifiers

O

O7_DICTIONARY_ACCESSIBILITY initialization parameter
about, 4.5.2.2
data dictionary protection, A.6
default setting, A.6
securing data dictionary with, 4.5.2.2
obfuscation, 14.5
object privileges, A.3
about, 4.9.1
granting on behalf of the owner, 4.14.2.3
managing, 8.9
revoking, 4.15.2
revoking on behalf of owner, 4.15.2.1
schema object privileges, 4.9.1
See also schema object privileges
synonyms, 4.9.5
with common privilege grants, 4.6.3
object types
auditing, 22.2.7.2
objects
applications, managing privileges in, 8.9
granting privileges, 8.9.2
privileges
applications, 8.9.1
managing, 4.13
protecting in shared schemas, 8.8.2
protecting in unique schemas, 8.8.1
SYS schema, access to, 4.5.2.3
OEM_ADVISOR role, 4.8.2
OEM_MONITOR role, 4.8.2
okdstry
Kerberos adapter utility, 17.2
okinit
Kerberos adapter utility, 17.2
oklist
Kerberos adapter utility, 17.2
OLAP_DBA role, 4.8.2
OLAP_USER role, 4.8.2
OLAP_XS_ADMIN role, 4.8.2
One Big Application User authentication
See nondatabase users
operating systems
accounts, 4.17.2
authentication
about, 3.5
advantages, 3.5
disadvantages, 3.5
external, 3.8.4
roles, using, 4.17
default permissions, A.6
enabling and disabling roles, 4.17.5
operating system account privileges, limiting, A.6
role identification, 4.17.2
roles and, 4.8.1.8
roles, granting using, 4.17
users, limiting number of, A.6
OPTIMIZER_PROCESSING_RATE role, 4.8.2
OPW-00005 error, 2.3.4
ORA_ACCOUNT_MGMT predefined unified audit policy, 22.3.4
ORA_DATABASE_PARAMETER predefined unified audit policy, 22.3.3
ORA_OLS_SESSION_LABELS application context, 22.2.15.3
ORA_SECURECONFIG predefined unified audit policy, 22.3.2
ORA-01536 error, 2.2.7.1
ORA-01720 error, 4.11.2
ORA-06512 error, 6.12, 22.4.7.6
ORA-06598 error, 5.5.2
ORA-12650 error, B.3.7
ORA-24247 error, 6.4, 6.12, 22.4.7.6
ORA-28009 error, 4.5.2.2
ORA-28017 error, 2.3.4
ORA-28040 error, 3.2.7.3, 3.4.1
ORA-28575 error, 8.4.1
ORA-40300 error, 18.9.5.2
ORA-40301 error, 18.9.5.2
ORA-40302 error, 18.9.5.2
ORA-45622 error, 11.5.6
Oracle Advanced Security
checksum sample for sqlnet.ora file, B.2
configuration parameters, 14.6.1
disabling authentication, 20.3
encryption sample for sqlnet.ora file, B.2
Java implementation, 14.1, 14.4
network authentication services, A.5
network traffic encryption, A.9.2
SSL features, 18.1.3
user access to application schemas, 8.8.2
Oracle Call Interface (OCI)
application contexts, client session-based, 9.5.1
proxy authentication, 3.10.1.1
Oracle Virtual Private Database, how it works with, 10.5.9
proxy authentication with real user, 3.10.1.6
security-related initialization parameters, 8.10
Oracle Connection Manager
securing client networks with, A.9.2
Oracle Data Guard
SYSDG administrative privilege, 4.4.5
Oracle Data Pump
exported data from VPD policies, 10.5.8
Oracle Database Enterprise User Security
password security threats, 3.2.7.1
Oracle Database Real Application Clusters
archive timestamp for audit records, 23.3.3.4
global contexts, 9.4.1
Oracle Database Real Application Security
auditing, 22.2.12
Oracle Database Vault
auditing, 22.2.14
Oracle Developer Tools For Visual Studio (ODT)
debugging using Java Debug Wire Protocol, 6.12
Oracle Enterprise Manager
PDBs, 7
statistics monitor, 2.4.3
Oracle Enterprise Security Manager
role management with, 3.6.2
Oracle home
default permissions, disallowing modification, A.6
Oracle Internet Directory (OID)
authenticating with directory-based service, 3.6.2
Diffie-Hellman SSL port, 18.8.5.4
SYSDBA and SYSOPER access, controlling, 3.3.2.1
Oracle Java Virtual Machine (OJVM)
permissions, restricting, A.3
Oracle Label Security (OLS)
auditing, 22.2.15
Oracle Virtual Private Database, using with, 10.5.7.1
Oracle Net
firewall support, A.9.2
Oracle parameters
authentication, 20.5
Oracle Password Protocol, 14.4
Oracle Real Application Clusters
global application contexts, 9.4.2
Oracle Recovery Manager
auditing, 22.2.13
events that are audited, 22.2.13.2
SYSBACKUP administrative privilege, 4.4.4
Oracle Technology Network
security alerts, A.2.1
Oracle Virtual Private Database (VPD)
about, 10.1.1
ANSI operations, 10.5.3
application contexts
tutorial, 10.4.2.1
used with, 10.1.5
applications
how it works with, 10.5.4
users who are database users, how it works with, 10.5.9
applications using for security, 8.2.2
automatic reparsing, how it works with, 10.5.5
benefits, 10.1.2
CDBs, 10.1.6
column level, 10.3.4.1
column masking behavior
enabling, 10.3.4.3
restrictions, 10.3.4.3
column-level display, 10.3.4.1
components, 10.2
configuring, 10.3
cursors, shared, 10.1.5
edition-based redefinitions, 10.5.1
editions, results in, 9.4.4.2
Enterprise User Security proxy authentication, how it works with, 10.5.9
exporting data, 10.5.7.2
exporting data using Data Pump Export, 10.5.8
finding information about, 10.6
flashback query, how it works with, 10.5.6
function
components, 10.2.1
how it is executed, 10.1.4
JDBC proxy authentication, how it works with, 10.5.9
nondatabase user applications, how works with, 10.5.9
OCI proxy authentication, how it works with, 10.5.9
Oracle Label Security
exceptions in behavior, 10.5.7.2
using with, 10.5.7.1
outer join operations, 10.5.3
performance benefit, 10.1.2.2
policies, Oracle Virtual Private Database
about, 10.3.1
applications, validating, 10.3.5.5
attaching to database object, 10.3.2
column display, 10.3.4.1
column-level display, default, 10.3.4.2
dynamic, 10.3.6.2
multiple, 10.3.5.4
optimizing performance, 10.3.6.1
privileges used to run, 10.1.4
SQL statements, specifying, 10.3.3
policy groups
about, 10.3.5.1
benefits, 10.3.5.1
creating, 10.3.5.2
default, 10.3.5.3
tutorial, implementation, 10.4.3.1
policy types
context sensitive, about, 10.3.6.6
context sensitive, altering existing policy, 10.3.6.6
context sensitive, creating, 10.3.6.6
context sensitive, refreshing, 10.3.6.6
context sensitive, restricting evaluation, 10.3.6.6
context sensitive, when to use, 10.3.6.8
context-sensitive, audited, 22.2.7.7
DYNAMIC, 10.3.6.2
dynamic, audited, 22.2.7.7
shared context sensitive, about, 10.3.6.7
shared context sensitive, when to use, 10.3.6.8
shared static, about, 10.3.6.4
shared static, when to use, 10.3.6.5
static, about, 10.3.6.3
static, audited, 22.2.7.7
static, when to use, 10.3.6.5
summary of features, 10.3.6.9
privileges required to create policies, 10.1.3
SELECT FOR UPDATE statements in policies, 10.5.2
tutorial, simple, 10.4.1.1
user models, 10.5.9
Web-based applications, how it works with, 10.5.9
Oracle Wallet Manager
X.509 Version 3 certificates, 3.6.2
Oracle wallets
authentication method, 3.6.2
setting location, 18.6.1.2
listener.ora setting, C.3.5
sqlnet.ora location setting, C.3.5
ORACLE_DATAPUMP access driver
guidelines for security, A.7
OracleMetaLink
See My Oracle Support
orapki utility
about, F.1
adding a certificate request to a wallet with, F.3.3
adding a root certificate to a wallet with, F.3.3
adding a trusted certificate to a wallet with, F.3.3
adding user certificates to a wallet with, F.3.3
cert create command, F.6.1
cert display command, F.6.2
certificate revocation lists, 18.8.5.1
changing the wallet password with, F.3.2.4
creating a local auto login wallet with, F.3.2.2
creating a wallet with, F.3.2.1
creating an auto login wallet with, F.3.2.2
creating signed certificates for testing, F.2
crl delete command, F.6.3
crl display command, F.6.4
crl hash command, F.6.5
crl list command, F.6.6
crl upload command, F.6.7
examples, F.5
exporting a certificate from a wallet with, F.3.4
exporting a certificate request from a wallet with, F.3.4
managing certificate revocation lists, F.4
syntax, F.1.1
viewing a test certificate with, F.2
viewing a wallet with, F.3.2.3
wallet add command, F.6.8
wallet create command, F.6.9
wallet display command, F.6.10
wallet export command, F.6.11
ORAPWD utility
case sensitivity in passwords, 3.2.6.5
changing SYS password with, 2.3.4
password file authentication, 3.3.4
permissions to run, 3.3.4
ORDADMIN role, 4.8.2
OS_AUTHENT_PREFIX parameter, 20.5.2
OS_ROLES initialization parameter
operating system role grants, 4.17.5
operating-system authorization and, 4.8.4.4
REMOTE_OS_ROLES and, 4.17.6
using, 4.17.2
OSS.SOURCE.MY_WALLET parameter, 18.6.1.2, 18.6.2.3
outer join operations
Oracle Virtual Private Database, effect on, 10.5.3

P

packages
auditing, 22.2.7.2, 22.2.7.6
examples, 4.12.5.3
examples of privilege use, 4.12.5.2
granting roles to, 4.8.5.3
privileges
divided by construct, 4.12.5.1
executing, 4.12.1, 4.12.5.1
parallel execution servers, 9.3.3.4
parallel query, and SYS_CONTEXT, 9.3.3.4
parameters
authentication
Kerberos, C.2
RADIUS, C.4
Secure Sockets Layer (SSL), C.3
configuration for JDBC, 14.6.1
encryption and checksumming, 13.4.4
pass phrase
read and parse server.key file, A.9.3
password files
case sensitivity, effect on SEC_CASE_SENSITIVE_LOGON parameter, 3.2.6.2
how used to authenticate administrators, 3.3.4
PASSWORD statement
about, 2.3.3
PASSWORD_LIFE_TIME profile parameter, 3.2.4.7
PASSWORD_LOCK_TIME profile parameter, 3.2.4.5
PASSWORD_REUSE_MAX profile parameter, 3.2.4.6
PASSWORD_REUSE_TIME profile parameter, 3.2.4.6
passwords
about managing, 3.2.4.1
account locking, 3.2.4.5
administrator
authenticating with, 3.3.4
guidelines for securing, A.5
aging and expiration, 3.2.4.7
ALTER PROFILE statement, 3.2.4.1
altering, 2.3.3
application design guidelines, 8.3.1.2
applications, strategies for protecting passwords, 8.3
brute force attacks, 3.2.1
case sensitivity setting, SEC_CASE_SENSITIVE_LOGON, 3.2.6.1
case sensitivity, configuring, 3.2.6.1
changing for roles, 4.8.3.4
complexity verification
about, 3.2.5.1
guidelines for security, A.5
complexity, guidelines for enforcing, A.5
connecting without, 3.5
CREATE PROFILE statement, 3.2.4.1
danger in storing as clear text, A.5
database user authentication, 3.4.1
default profile settings
about, 3.2.4.3
default user account, A.5
default, finding, 3.2.4.2
delays for incorrect passwords, 3.2.1
duration, A.5
encrypting, 3.2.1, A.5
examples of creating, 3.2.2
expiring
explicitly, 3.2.4.8
procedure for, 3.2.4.7
proxy account passwords, 3.10.1.4
with grace period, 3.2.4.8
failed logins, resetting, 3.2.4.5
grace period, example, 3.2.4.8
guidelines for security, A.5
history, 3.2.4.6, A.5
Java code example to read passwords, 8.3.4
length, A.5
life time set too low, 3.2.4.9
lifetime for, 3.2.4.7
lock time, 3.2.4.5
management rules, A.5
managing, 3.2.4
maximum reuse time, 3.2.4.6
ORAPWD utility, 3.2.6.5
password complexity verification, 3.2.5.1
password file risks, 3.3.5
PASSWORD_LOCK_TIME profile parameter, 3.2.4.5
PASSWORD_REUSE_MAX profile parameter, 3.2.4.6
PASSWORD_REUSE_TIME profile parameter, 3.2.4.6
policies, 3.2.4
privileges for changing for roles, 4.8.3.4
privileges to alter, 2.3.1
protections, built-in, 3.2.1
proxy authentication, 3.10.1.10.1
requirements
additional, A.5
minimum, 3.2.2
reusing, 3.2.4.6, A.5
reusing passwords, 3.2.4.6
role password case sensitivity, 3.2.6.3
roles authenticated by passwords, 4.8.3.1
roles enabled by SET ROLE statement, 4.8.4.1
secure external password store, 3.2.8.1
security risks, 3.3.5
SYS account, 2.3.4
SYS and SYSTEM, A.5
used in roles, 4.8.1.3
utlpwdmg.sql password script
password management, 3.2.5.1
verified using SHA-512 hash function, 3.2.7.3
See also authentication, and access control list (ACL), wallet access
PDB_DBA role, 4.8.2
PDBs
auditing
types of audit settings allowed, 21.9
unified audit policy syntax, 22.2.3
what can be audited, 21.1
common roles
about, 4.7.1
creating, 4.7.5
granting, 4.7.7
how they work, 4.7.2
privileges required for management, 4.7.4
revoking, 4.7.7
common users
about, 2.2.1.1
accessing data in PDBs, 4.6.5.2
creating, 2.2.10.1
viewing privilege information, 4.6.5.1
Enterprise Manager
about, 7.1
creating common roles, 7.4.1
creating common users, 7.3.1
creating local roles, 7.4.5
creating local users, 7.3.4
dropping common roles, 7.4.3
dropping common users, 7.3.3
dropping local roles, 7.4.7
dropping local users, 7.3.6
editing common roles, 7.4.2
editing common users, 7.3.2
editing local roles, 7.4.6
editing local users, 7.3.5
logging in, 7.2.1
revoking common privilege grants, 7.4.4
revoking local privilege grants, 7.4.8
switching to different container, 7.2.2
fine-grained audit policies, 22.4.4
local roles
about, 4.7.1
creating, 4.7.6
local users
about, 2.2.1.3
creating, 2.2.10.2
privileges
common, 4.6.2
granting, 4.6.4
how affected, 4.3
object, 4.6.3
revoking, 4.6.4
viewing information about, 4.6.5.1
PUBLIC role, 4.7.3
sqlnet.ora settings, 3.2.7.3
transparent sensitive data protection, 11.10.3
viewing information about, 4.6.5.1
Virtual Private Database policies, 10.1.6
performance
application contexts, 9.1.3
auditing, 21.3
Oracle Virtual Private Database policies, 10.1.2.2
Oracle Virtual Private Database policy types, 10.3.6.1
resource limits and, 2.4.1
permissions
default, A.6
run-time facilities, A.3
PKCS #11 devices, 18.2.3.5
PKCS #11 error
ORA-40300, 18.9.5.2
ORA-40301, 18.9.5.2
ORA-40302, 18.9.5.2
PKI
See public key infrastructure (PKI)
PL/SQL
roles in procedures, 4.8.1.6
PL/SQL packages
auditing, 22.2.7.2, 22.2.7.6
PL/SQL procedures
setting application context, 9.3.3.1
PL/SQL stored procedures
network access for debugging operations, 6.12
PMON background process
application contexts, cleaning up, 9.3.1
positional parameters
security risks, 8.3.1.4
principle of least privilege, A.3
about, A.3
granting user privileges, A.3
middle-tier privileges, 3.10.1.7
privileges
about, 4.1
access control lists, checking for external network services, 6.11.1
altering
passwords, 2.3.3
users, 2.3.1
altering role authentication method, 4.8.3.4
applications, managing, 8.5
auditing use of, 22.2.5.1
auditing, recommended settings for, A.11.5
cascading revokes, 4.15.3
column, 4.14.2.4
compiling procedures, 4.12.4
creating or replacing procedures, 4.12.3
creating users, 2.2.3
dropping profiles, 2.4.4.3
finding information about, 4.19
granting
about, 4.5.3, 4.14
examples, 4.12.5.2, 4.12.5.3
object privileges, 4.9.3.1, 4.14.2.1
system, 4.14.1
system privileges, 4.14
grants, listing, 4.19.1
grouping with roles, 4.8
managing, 8.9
middle tier, 3.10.1.7
object, 4.9.1, 4.9.3.2, 8.9.2
granting and revoking, 4.9.3.1
on selected columns, 4.15.2.2
procedures, 4.12.1
creating and replacing, 4.12.3
executing, 4.12.1
in packages, 4.12.5.1
READ ANY TABLE system privilege
about, 4.9.4.2
restrictions, 4.9.4.3
READ object privilege, 4.9.4.1
reasons to grant, 4.2
revoking privileges
about, 4.5.3
object, 4.15.2
object privileges, cascading effect, 4.15.3.2
object privileges, requirements for, 4.15.2
schema object, 4.9.3.1
revoking system privileges, 4.15.1
roles
creating, 4.8.3.1
dropping, 4.8.6
restrictions on, 4.8.1.7
roles, why better to grant, 4.2
schema object, 4.9.1
DML and DDL operations, 4.10.1
packages, 4.12.5.1
procedures, 4.12.1
SELECT system privilege, 4.9.4.1
SQL statements permitted, 8.9.2
synonyms and underlying objects, 4.9.5
system
granting and revoking, 4.5.3
SELECT ANY DICTIONARY, A.6
SYSTEM and OBJECT, A.3
system privileges
about, 4.5.1
trigger privileges, 5.2
used for Oracle Virtual Private Database policy functions, 10.1.4
view privileges
creating a view, 4.11.2
using a view, 4.11.3
views, 4.11.1
See also access control list (ACL) and system privileges, privilege captures
procedures
auditing, 22.2.7.2, 22.2.7.6
compiling, 4.12.4
definer’s rights
about, 5.2
roles disabled, 4.8.1.6.1
examples of, 4.12.5.3
examples of privilege use, 4.12.5.2
granting roles to, 4.8.5.3
invoker’s rights
about, 5.3
roles used, 4.8.1.6.2
privileges for procedures
create or replace, 4.12.3
executing, 4.12.1
executing in packages, 4.12.5.1
privileges required for, 4.12.3
security enhanced by, 5.2
process monitor process (PMON)
cleans up timed-out sessions, 2.4.2.5
PRODUCT_USER_PROFILE table, 4.8.7.2
SQL commands, disabling with, 4.8.7.2
products and options
install only as necessary, A.8
profile parameters
FAILED_LOGIN_ATTEMPTS, 3.2.4.3
PASSWORD_GRACE_TIME, 3.2.4.3, 3.2.4.8
PASSWORD_LIFE_TIME, 3.2.4.3, 3.2.4.7, 3.2.4.9
PASSWORD_LOCK_TIME, 3.2.4.3, 3.2.4.5
PASSWORD_REUSE_MAX, 3.2.4.3, 3.2.4.6
PASSWORD_REUSE_TIME, 3.2.4.3, 3.2.4.6
profiles, 2.4.4.1
about, 2.4.4.1
creating, 2.4.4.2
dropping, 2.4.4.3
finding information about, 2.6.1
finding settings for default profile, 2.6.4
managing, 2.4.4.1
password management, 3.2.4.1
privileges for dropping, 2.4.4.3
specifying for user, 2.2.9
viewing, 2.6.4
program units
granting roles to, 4.8.5.3
PROVISIONER role, 4.8.2
proxy authentication
about, 3.10.1.1
advantages, 3.10.1.2
auditing operations, 3.9.1
auditing users, 22.2.9
client-to-middle tier sequence, 3.10.1.6
creating proxy user accounts, 3.10.1.3
middle-tier
authorizing but not authenticating users, 3.10.1.9
authorizing to proxy and authenticate users, 3.10.1.8
limiting privileges, 3.10.1.7
reauthenticating users, 3.10.1.10
passwords, expired, 3.10.1.4
privileges required for creating users, 3.10.1.3
secure external password store, used with, 3.10.1.5
security benefits, 3.10.1.2
users, passing real identity of, 3.10.1.6
proxy user accounts
privileges required for creation, 3.10.1.3
PROXY_USER attribute, 9.3.6.3
PROXY_USERS view, 3.10.1.4
pseudo columns
USER, 4.11.3
public key infrastructure (PKI), 15.3.3
about, 3.6.2
certificate, 18.2.3.2
certificate authority, 18.2.3.1
certificate revocation lists, 18.2.3.3
PKCS #11 hardware devices, 18.2.3.5
wallets, 18.2.3.4
PUBLIC role
about, 4.5.5
CDBs
PUBLIC role, 4.7.3
granting and revoking privileges, 4.16
procedures and, 4.16
security domain of users, 4.8.1.5
security risk in privileges granted to, 4.5.5
PUBLIC_DEFAULT profile
profiles, dropping, 2.4.4.3

Q

quotas
tablespace, 2.2.7
temporary segments and, 2.2.7
unlimited, 2.2.7.2
viewing, 2.6.3

R

RADIUS, 15.3.2
accounting, 19.3.4
asynchronous authentication mode, 19.2.2
authentication modes, 19.2
authentication parameters, C.4
challenge-response
authentication, 19.2.2
user interface, D.1, D.2
configuring, 19.3.1
database links not supported, 19.1
initialization parameter file setting, C.4.3
location of secret key, 19.3.1.3
minimum parameters to set, C.4.2
smartcards and, 15.3.2, 19.2.2, 19.3.1.3, D.1
SQLNET.AUTHENTICATION_SERVICES parameter, C.4.1.1
sqlnet.ora file sample, B.2
SQLNET.RADIUS_ALTERNATE parameter, C.4.1.8
SQLNET.RADIUS_ALTERNATE_PORT parameter, C.4.1.9
SQLNET.RADIUS_ALTERNATE_RETRIES parameter, C.4.1.11
SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter, C.4.1.10
SQLNET.RADIUS_AUTHENTICATION parameter, C.4.1.2
SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, C.4.1.14
SQLNET.RADIUS_AUTHENTICATION_PORT parameter, C.4.1.3
SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter, C.4.1.5
SQLNET.RADIUS_CHALLENGE_KEYWORD parameter, C.4.1.13
SQLNET.RADIUS_CHALLENGE_RESPONSE parameter, C.4.1.12
SQLNET.RADIUS_CLASSPATH parameter, C.4.1.15
SQLNET.RADIUS_SECRET parameter, C.4.1.7
SQLNET.RADIUS_SEND_ACCOUNTING parameter, C.4.1.6
synchronous authentication mode, 19.2.1
system requirements, 15.5
RADIUS authentication, 3.6.2
RC4 encryption algorithm, 13.1.5
READ ANY TABLE system privilege
about, 4.9.4.2
restrictions, 4.9.4.3
READ object privilege
about, 4.9.4.1
guideline for using, A.3
SQL92_SECURITY initialization parameter, 4.9.4.3
reads
limits on data blocks, 2.4.2.4
realm (Kerberos), 17.1.2
RECOVERY_CATALOG_OWNER role
about, 4.8.2
REDACT_AUDIT transparent sensitive data protection default policy, 11.9.1
redo log files
auditing committed and rolled back transactions, A.11.3
REFERENCES privilege
CASCADE CONSTRAINTS option, 4.15.2.3
revoking, 4.15.2.2, 4.15.2.3
SQL statements permitted, 8.9.2
remote authentication, A.9.1
remote debugging
configuring network access, 6.12
REMOTE_OS_AUTHENT initialization parameter
guideline for securing, A.9.1
setting, 3.8.4
remote_os_authentication, A.9.1
REMOTE_OS_ROLES initialization parameter
OS role management risk on network, 4.17.6
setting, 4.8.4.5
resource limits
about, 2.4.1
call level, limiting, 2.4.2.2
connection time for each session, 2.4.2.5
CPU time, limiting, 2.4.2.3
determining values for, 2.4.3
idle time in each session, 2.4.2.5
logical reads, limiting, 2.4.2.4
private SGA space for each session, 2.4.2.5
profiles, 2.4.4.1
session level, limiting, 2.4.2.1
sessions
concurrent for user, 2.4.2.5
elapsed connection time, 2.4.2.5
idle time, 2.4.2.5
SGA space, 2.4.2.5
types, 2.4.2
RESOURCE privilege
CREATE SCHEMA statement, needed for, 8.8.1
RESOURCE role, 4.13.1
about, 4.8.2
restrictions, 15.6
REVOKE CONNECT THROUGH clause
revoking proxy authorization, 3.10.1.4
REVOKE statement
system privileges and roles, 4.15.1
when takes effect, 4.18
revoking privileges and roles
cascading effects, 4.15.3
on selected columns, 4.15.2.2
REVOKE statement, 4.15.1
specifying ALL, 4.9.3.2
when using operating-system roles, 4.17.4
role identification
operating system accounts, 4.17.2
ROLE_SYS_PRIVS view
application privileges, 8.5
ROLE_TAB_PRIVS view
application privileges, finding, 8.5
roles
about, 4.1, 4.8.1.1
ADM_PARALLEL_EXECUTE_TASK role, 4.8.2
ADMIN OPTION and, 4.14.1.1
advantages in application use, 8.5
application, 4.8.1.4.1, 4.8.7, 8.7, 8.9
application privileges, 8.5
applications, for user, 8.7
AQ_ADMINISTRATOR_ROLE role, 4.8.2
AQ_USER_ROLE role, 4.8.2
AUDIT_ADMIN role, 4.8.2
AUDIT_VIEWER role, 4.8.2
AUTHENTICATEDUSER role, 4.8.2
authorization, 4.8.4
authorized by enterprise directory service, 4.8.4.6
CAPTURE_ADMIN role, 4.8.2
CDB_DBA role, 4.8.2
changing authorization for, 4.8.3.4
changing passwords, 4.8.3.4
common, granting, 4.7.7
CONNECT role
about, 4.8.2
create your own, A.4
CSW_USR_ROLE role, 4.8.2
CTXAPP role, 4.8.2
CWM_USER role, 4.8.2
database role, users, 8.7.1
DATAPUMP_EXP_FULL_DATABASE role, 4.8.2
DATAPUMP_IMP_FULL_DATABASE role, 4.8.2
DBA role, 4.8.2
DBFS_ROLE role, 4.8.2
DDL statements and, 4.8.1.7
default, 4.18.2
default, setting for user, 2.2.11
definer’s rights procedures disable, 4.8.1.6.1
DELETE_CATALOG_ROLE role, 4.8.2
dependency management in, 4.8.1.7
disabling, 4.18.1
dropping, 4.8.6
EJBCLIENT role, 4.8.2
EM_EXPRESS_ALL role, 4.8.2
EM_EXPRESS_BASIC role, 4.8.2
enabled or disabled, 4.8.1.2, 4.8.5.1
enabling, 4.18.1, 8.7
enterprise, 3.7.1, 4.8.4.6
EXECUTE_CATALOG_ROLE role, 4.8.2
EXP_FULL_DATABASE role, 4.8.2
finding information about, 4.19
functionality, 4.2, 4.8.1.2
functionality of, 4.8.1.2
GATHER_SYSTEM_STATISTICS role, 4.8.2
global authorization, 4.8.4.6
about, 4.8.4.6
global roles
about, 3.7.1
creating, 4.8.4.6
external sources, and, 4.8.4.3
GLOBAL_AQ_USER_ROLE role, 4.8.2
GRANT statement, 4.17.5
granted to other roles, 4.8.1.2
granting and revoking to program units, 5.7.6
granting roles
about, 4.14
methods for, 4.8.5.1
system, 4.14.1
system privileges, 4.5.3
granting to program units, 4.8.5.3
guidelines for security, A.4
HS_ADMIN_EXECUTE_ROLE role, 4.8.2
HS_ADMIN_ROLE role, 4.8.2
HS_ADMIN_SELECT_ROLE role, 4.8.2
IMP_FULL_DATABASE role, 4.8.2
in applications, 4.8.1.3
indirectly granted, 4.8.1.2
invoker’s rights procedures use, 4.8.1.6.2
JAVA_ADMIN role, 4.8.2
JAVA_DEPLOY role, 4.8.2
JAVADEBUGPRIV role, 4.8.2
JAVAIDPRIV role, 4.8.2
JAVASYSPRIV role, 4.8.2
JAVAUSERPRIV role, 4.8.2
JMXSERVER role, 4.8.2
job responsibility privileges only, A.4
LBAC_DBA role, 4.8.2
listing grants, 4.19.2
listing privileges and roles in, 4.19.6
listing roles, 4.19.5
LOGSTDBY_ADMINISTRATOR role, 4.8.2
management using the operating system, 4.17
managing roles
about, 4.8
categorizing users, 8.9
managing through operating system, 4.8.1.8
managing with RADIUS server, 19.3.8
maximum number a user can enable, 4.18.3
multibyte characters in names, 4.8.3.1
multibyte characters in passwords, 4.8.4.1
naming, 4.8.1.1
network authorization, 4.8.4.5
network client authorization, 4.8.4.5
OEM_ADVISOR role, 4.8.2
OEM_MONITOR role, 4.8.2
OLAP_DBA role, 4.8.2
OLAP_USER role, 4.8.2
OLAP_XS_ADMIN role, 4.8.2
One Big Application User, compromised by, 8.2.1
operating system, 4.17.2
operating system authorization, 4.8.4.4
operating system granting of, 4.17.5
operating system identification of, 4.17.2
operating system management and the shared server, 4.17.6
operating system-managed, 4.17.3, 4.17.4
operating-system authorization, 4.8.4.3
OPTIMIZER_PROCESSING_RATE role, 4.8.2
ORDADMIN role, 4.8.2
password case sensitivity, 3.2.6.3
PDB_DBA role, 4.8.2
predefined, 4.8.2
privileges for creating, 4.8.3.1
privileges for dropping, 4.8.6
privileges, changing authorization method for, 4.8.3.4
privileges, changing passwords, 4.8.3.4
PROVISIONER role, 4.8.2
RECOVERY_CATALOG_OWNER role, 4.8.2
RESOURCE role, 4.8.2
restricting from tool users, 4.8.7
restrictions on privileges of, 4.8.1.7
REVOKE statement, 4.17.5
revoking, 4.8.5.1, 4.15.1
revoking ADMIN option, 4.15.1
SCHEDULER_ADMIN role, 4.8.2
schemas do not contain, 4.8.1.1
security domains of, 4.8.1.5
SELECT_CATALOG_ROLE role, 4.8.2
SET ROLE statement
about, 4.8.4.1
example, 4.8.4.1
OS_ROLES parameter, 4.17.5
setting in PL/SQL blocks, 4.8.1.6.2
SPATIAL_CSW_ADMIN role, 4.8.2
SPATIAL_WFS_ADMIN role, 4.8.2
unique names for, 4.8.3.1
use of passwords with, 4.8.1.3
user, 4.8.1.4.2, 8.9
users capable of granting, 4.8.5.2
uses of, 4.8.1.2, 4.8.1.4
WFS_USR_ROLE role, 4.8.2
WITH GRANT OPTION and, 4.14.2.2
without authorization, 4.8.3.1
WM_ADMIN_ROLE role, 4.8.2
XDB_SET_INVOKER role, 4.8.2
XDB_WEBSERVICES role, 4.8.2
XDB_WEBSERVICES_OVER_HTTP role, 4.8.2
XDB_WEBSERVICES_WITH_PUBLIC role, 4.8.2
XDBADMIN role, 4.8.2
XS_CACHE_ADMIN role, 4.8.2
XS_NSATTR_ADMIN role, 4.8.2
XS_RESOURCE role, 4.8.2
See also secure application roles
root
viewing information about, 4.6.5.1
root file paths
for files and packages outside the database, A.3
row-level security
See fine-grained access control, Oracle Virtual Private Database (VPD)
RSA private key, A.9.3
run-time facilities, A.3
restriction permissions, A.3

S

sample schemas, A.8
Sample Schemas
remove or relock for production, A.8
test database, A.8
Sarbanes-Oxley Act
auditing to meet compliance, 21.1
SCHEDULER_ADMIN role
about, 4.8.2
schema object privileges, 4.9.1
schema objects
cascading effects on revoking, 4.15.3.2
default tablespace for, 2.2.6
dropped users, owned by, 2.5
granting privileges, 4.14.2.1
privileges
DML and DDL operations, 4.10.1
granting and revoking, 4.9.3.1
view privileges, 4.11.1
privileges on, 4.9.1
privileges to access, 4.9.3.2
privileges with, 4.9.3.2
revoking privileges, 4.15.2
schema-independent users, 8.8.2
schemas
auditing, recommended settings for, A.11.5
private, 3.7.2.1
shared among enterprise users, 3.7.2.2
shared, protecting objects in, 8.8.2
unique, 8.8
unique, protecting objects in, 8.8.1
SCOTT user account
restricting privileges of, A.4
scripts, authenticating users in, 3.2.8.1
SEC_CASE_SENSITIVE_LOGON initialization parameter
about, 3.2.6.1
deprecated, 3.2.6.1
SEC_CASE_SENSITIVE_LOGON parameter
conflict with SQLNET.ALLOWED_LOGON_VERSION_SERVER setting, 3.2.6.1
SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter, 8.10.3
SEC_PROTOCOL_ERROR_FURTHER_ACTION initialization parameter, 8.10.2
SEC_PROTOCOL_ERROR_TRACE_ACTION initialization parameter, 8.10.1
sec_relevant_cols_opt parameter, 10.3.4.3
SEC_RETURN_SERVER_RELEASE_BANNER initialization parameter, 8.10.4
SEC_USER_AUDIT_ACTION_BANNER initialization parameter, 8.10.5
SEC_USER_UNAUTHORIZED_ACCESS_BANNER initialization parameter, 8.10.5
secconf.sql script
password settings, 3.2.4.4
secret key
location in RADIUS, 19.3.1.3
secure application roles
about, 4.8.8
creating, 8.6.1
creating PL/SQL package, 8.6.2
finding with DBA_ROLES view, 4.19
invoker’s rights, 8.6.2
invoker’s rights requirement, 8.6.2
package for, 8.6.2
SET ROLE statement, 8.6.2
user environment information from SYS_CONTEXT SQL function, 8.6.2
using to ensure database connection, 4.8.8
secure external password store
about, 3.2.8.1
client configuration, 3.2.8.3
examples, 3.2.8.2
how it works, 3.2.8.2
proxy authentication, used with, 3.10.1.5
Secure Sockets Layer (SSL), 15.3.3
about, 3.6.1
architecture, 18.3.1
AUTHENTICATION parameter, C.3.1
authentication parameters, C.3
authentication process in an Oracle environment, 18.1.4
certificate key algorithm, A.9.3
cipher suites, A.9.3, C.3.2.1
client and server parameters, C.3.1
client authentication parameter, C.3.4
client configuration, 18.6.2
combining with other authentication methods, 18.3
configuration files, securing, A.9.3
configuring, 18.6
configuring for SYSDBA or SYSOPER access, 3.3.2.4
enabling, 18.6
filtering certificates, 18.6.2.7
FIPS mode setting (SSLFIPS_140), E.2.3.1
global users with private schemas, 3.7.2.1
guidelines for security, A.9.3
handshake, 18.1.4
industry standard protocol, 18.1.1
listener, administering, A.9.2
mode, A.9.3
multiple certificates, filtering, 18.6.2.7
pass phrase, A.9.3
requiring client authentication, 18.6.1.5
RSA private key, A.9.3
securing SSL connection, A.9.3
server configuration, 18.6.1
server.key file, A.9.3
SQLNET.AUTHENTICATION_SERVICES parameter, C.3.1
sqlnet.ora file sample, B.2
SSL_CIPHER_SUITES parameter, C.3.2
SSL_CLIENT_AUTHENTICATION, C.3.4
SSL_SERVER_CERT_DN, C.3.4.1.2
SSL_SERVER_DN_MATCH, C.3.4.1.1
SSL_VERSION parameter, C.3.3
system requirements, 15.5
TCPS, A.9.3
version parameter, C.3.3
wallet location, parameter, C.3.5
ways to configure parameters for, C.3
SecurID, 19.2.1
token cards, 19.2.1
security
application enforcement of, 4.8.1.3
default user accounts
locked and expired automatically, A.3
locking and expiring, A.3
domains, enabled roles and, 4.8.5.1
enforcement in application, 8.2.2
enforcement in database, 8.2.2
multibyte characters in role names, 4.8.3.1
multibyte characters in role passwords, 4.8.4.1
passwords, 3.4.1
policies
applications, 8.1
SQL*Plus users, restricting, 4.8.7
tables or views, 10.1.2.1
procedures enhance, 5.2
resources, additional, 1.2
roles, advantages in application use, 8.5
See also security risks
security alerts, A.2.1
security attacks
access to server after protocol errors, preventing, 8.10.2
application context values, attempts to change, 9.3.2
application design to prevent attacks, 8.3
command line recall attacks, 8.3.1.1, 8.3.1.4
denial of service, A.9.2
denial-of-service
bad packets, addressing, 8.10.1
denial-of-service attacks through listener, A.9.2
disk flooding, preventing, 8.10.1
eavesdropping, A.9.1
encryption, problems not solved by, 12.1.2
falsified IP addresses, A.9.1
falsified or stolen client system identities, A.9.1
hacked operating systems or applications, A.9.1
intruders, 12.1.2
password cracking, 3.2.1
password protections against, 3.2.1
preventing malicious attacks from clients, 8.10
preventing password theft with proxy authentication and secure external password store, 3.10.1.5
session ID, need for encryption, 9.4.5.3
shoulder surfing, 8.3.1.4
SQL injection attacks, 8.3.1.2
unlimited authenticated requests, preventing, 8.10.3
user session output, hiding from intruders, 9.3.4
See also security risks
security domains
enabled roles and, 4.8.1.2
security patches
about, A.2.1
downloading, A.2.1
security policies
See Oracle Virtual Private Database, policies
security risks
ad hoc tools, 4.8.7.1
application users not being database users, 8.2.1
applications enforcing rather than database, 8.2.2
bad packets to server, 8.10.1
database version displaying, 8.10.4
encryption keys, users managing, 12.2.4.3
invoker’s rights procedures, 5.5.1
password files, 3.3.5
passwords exposed in large deployments, 3.2.8.1
passwords, exposing in programs or scripts, 8.3.1.4
positional parameters in SQL scripts, 8.3.1.4
privileges carelessly granted, 4.5.5
privileges granted to PUBLIC role, 4.5.5
remote user impersonating another user, 4.8.4.5
sensitive data in audit trail, A.11.1
server falsifying identities, A.9.3
users with multiple roles, 8.7.1
See also security attacks
security settings scripts
password settings
secconf.sql, 3.2.4.4
undopwd.sql, 3.2.4.4
Security Sockets Layer (SSL)
use of term includes TLS, 18.1.2
SELECT ANY DICTIONARY privilege
data dictionary, accessing, A.6
exclusion from GRANT ALL PRIVILEGES privilege, A.6
SELECT FOR UPDATE statement in Virtual Private Database policies, 10.5.2
SELECT object privilege
guideline for using, A.3
privileges enabled, 4.9.4.1
SELECT privilege
SQL statements permitted, 8.9.2
SELECT_CATALOG_ROLE role
about, 4.8.2
SYS schema objects, enabling access to, 4.5.2.3
separation of duty concepts, Glossary
sequences
auditing, 22.2.7.2
server.key file
pass phrase to read and parse, A.9.3
SESSION_ROLES data dictionary view
PUBLIC role, 4.5.5
SESSION_ROLES view
queried from PL/SQL block, 4.8.1.6.1
sessions
listing privilege domain of, 4.19.4
memory use, viewing, 2.6.5
time limits on, 2.4.2.5
when auditing options take effect, 23.1.1
SET ROLE statement
application code, including in, 8.7.2
associating privileges with role, 8.7.1
disabling roles with, 4.18.1
enabling roles with, 4.18.1
secure application roles, 8.6.2
when using operating-system roles, 4.17.5
SGA
See System Global Area (SGA)
SHA-512 cryptographic hash function
enabling exclusive mode, 3.2.7.3
Shared Global Area (SGA)
See System Global Area (SGA)
shared server
limiting private SQL areas, 2.4.2.5
operating system role management restrictions, 4.17.6
shoulder surfing, 8.3.1.4
smart cards
guidelines for security, A.5
smartcards, 15.3.2
and RADIUS, 15.3.2, 19.2.2, 19.3.1.3, D.1
SPATIAL_CSW_ADMIN role, 4.8.2
SPATIAL_WFS_ADMIN role, 4.8.2
SQL Developer
debugging using Java Debug Wire Protocol, 6.12
SQL injection attacks, 8.3.1.2
SQL statements
dynamic, 9.3.3.3
object privileges permitting in applications, 8.9.2
privileges required for, 4.9.1, 8.9.2
resource limits and, 2.4.2.2
restricting ad hoc use, 4.8.7.1
SQL*Net
See Oracle Net Services
SQL*Plus
connecting with, 3.5
restricting ad hoc use, 4.8.7.1
statistics monitor, 2.4.3
SQL92_SECURITY initialization parameter
READ object privilege impact, 4.9.4.3
SQLNET.ALLOWED_LOGON_VERSION
See SQLNET.ALLOWED_LOGON_VERSION_CLIENT, SQLNET.ALLOWED_LOGON_VERSION_SERVER
SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter
conflict with SEC_CASE_SENSITIVE_LOGON FALSE setting, 3.2.6.1
effect on role passwords, 3.2.6.3
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter, 17.1.6.1
SQLNET.AUTHENTICATION_SERVICES parameter, 17.1.6.1, 18.6.1.6, 18.6.2.6, 19.3.1.1, 20.3, 20.4, C.3.1, C.4.1.1
SQLNET.CRYPTO_CHECKSUM_CLIENT parameter, 13.4.4.2, B.3.5
SQLNET.CRYPTO_CHECKSUM_SERVER parameter, 13.4.4.2, B.3.4
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter, 13.4.4.2, B.3.9
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter, 13.4.4.2, B.3.8
SQLNET.ENCRYPTION_CLIENT parameter, 13.4.4.1, B.3.3, E.3.2.3
SQLNET.ENCRYPTION_SERVER parameter, 13.4.4.1, B.3.2
SQLNET.ENCRYPTION_SERVER=REQUIRED parameter, E.3.2.2
SQLNET.ENCRYPTION_TYPES_CLIENT parameter, 13.4.4.1, B.3.7, E.3.2.5
SQLNET.ENCRYPTION_TYPES_SERVER parameter, 13.4.4.1, B.3.6, E.3.2.4
SQLNET.FIPS_140 parameter, E.3.2.6
SQLNET.KERBEROS5_CC_NAME parameter, 17.1.6.3
SQLNET.KERBEROS5_CLOCKSKEW parameter, 17.1.6.3
SQLNET.KERBEROS5_CONF parameter, 17.1.6.3
SQLNET.KERBEROS5_KEYTAB parameter, 17.1.6.3
SQLNET.KERBEROS5_REALMS parameter, 17.1.6.3
sqlnet.ora file
Common sample, B.2
FIPS 140-1
parameters, E.3.2.1
FIPS 140-2
Cipher Suite settings, E.2.3.2
enabling tracing, E.2.6
Kerberos sample, B.2
Oracle Advanced Security checksum sample, B.2
Oracle Advanced Security encryption sample, B.2
Oracle wallet setting, C.3.5
OSS.SOURCE.MY_WALLET parameter, 18.6.1.2, 18.6.2.3
parameters for clients and servers using Kerberos, C.2
parameters for clients and servers using RADIUS, C.4
parameters for clients and servers using SSL, C.3
PDBs, 3.2.7.3
RADIUS sample, B.2
sample, B.2
SQLNET.ENCRYPTION_SERVER=REQUIRED parameter, E.3.2.2
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter, 17.1.6.1
SQLNET.AUTHENTICATION_SERVICES parameter, 17.1.6.1, 18.6.1.6, 18.6.2.6, 20.3, 20.4
SQLNET.CRYPTO_CHECKSUM_CLIENT parameter, 13.4.4.2
SQLNET.CRYPTO_CHECKSUM_SERVER parameter, 13.4.4.2
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter, 13.4.4.2, B.3.9
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter, 13.4.4.2, B.3.8
SQLNET.ENCRYPTION_CLIENT parameter, B.3.3, E.3.2.3
SQLNET.ENCRYPTION_SERVER parameter, 13.4.4.1, B.3.2
SQLNET.ENCRYPTION_TYPES_CLIENT parameter, 13.4.4.1, B.3.7, E.3.2.5
SQLNET.ENCRYPTION_TYPES_SERVER parameter, 13.4.4.1, B.3.6, E.3.2.4
SQLNET.FIPS_140 parameter, E.3.2.6
SQLNET.KERBEROS5_CC_NAME parameter, 17.1.6.3
SQLNET.KERBEROS5_CLOCKSKEW parameter, 17.1.6.3
SQLNET.KERBEROS5_CONF parameter, 17.1.6.3
SQLNET.KERBEROS5_KEYTAB parameter, 17.1.6.3
SQLNET.KERBEROS5_REALMS parameter, 17.1.6.3
SQLNET.SSL_EXTENDED_KEY_USAGE, 18.6.2.7
SSL sample, B.2
SSL_CLIENT_AUTHENTICATION parameter, 18.6.1.5, 18.6.2.3
SSL_VERSION parameter, 18.6.1.4, 18.6.2.5
Trace File Set Up sample, B.2
SQLNET.RADIUS_ALTERNATE parameter, 19.3.1.3, C.4.1.8
SQLNET.RADIUS_ALTERNATE_PORT parameter, 19.3.1.3, C.4.1.9
SQLNET.RADIUS_ALTERNATE_RETRIES parameter, 19.3.1.3, C.4.1.11
SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter, 19.3.1.3, C.4.1.10
SQLNET.RADIUS_AUTHENTICATION parameter, C.4.1.2
SQLNET.RADIUS_AUTHENTICATION_INTERFACE parameter, C.4.1.14
SQLNET.RADIUS_AUTHENTICATION_PORT parameter, C.4.1.3
SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter, C.4.1.5
SQLNET.RADIUS_CHALLENGE_KEYWORD parameter, C.4.1.13
SQLNET.RADIUS_CHALLENGE_RESPONSE parameter, C.4.1.12
SQLNET.RADIUS_CLASSPATH parameter, C.4.1.15
SQLNET.RADIUS_SECRET parameter, C.4.1.7
SQLNET.RADIUS_SEND_ACCOUNTING parameter, 19.3.4.1, C.4.1.6
SQLNET.SSL_EXTENDED_KEY_USAGE parameter, 18.6.2.7
SSL
See Secure Sockets Layer (SSL)
SSL_CIPHER_SUITES parameter, C.3.2
SSL_CLIENT_AUTHENTICATION parameter, 18.6.1.5, 18.6.2.3, C.3.4
SSL_SERVER_CERT_DN parameter, C.3.4.1.2
SSL_SERVER_DN_MATCH parameter, C.3.4.1.1
SSL_VERSION parameter, 18.6.1.4, 18.6.2.5, C.3.3
standard audit trail
records, purging, 23.2.1
standard auditing
affected by editions, 22.2.7.8
privilege auditing
about, 22.2.5.1
multitier environment, 22.2.9
records
archiving, 23.2.2
statement auditing
multitier environment, 22.2.9
statement_types parameter of DBMS_RLS.ADD_POLICY procedure, 10.3.3
storage
quotas and, 2.2.7
unlimited quotas, 2.2.7.2
stored procedures
using privileges granted to PUBLIC role, 4.16
strong authentication
centrally controlling SYSDBA and SYSOPER access to multiple databases, 3.3.2.1
guideline, A.5
symbolic links
restricting, A.6
synchronous authentication mode, RADIUS, 19.2.1
synonyms
object privileges, 4.9.5
privileges, guidelines on, A.3
SYS account
auditing, 22.2.21.1
changing password, 2.3.4
policy enforcement, 10.5.7.2
SYS and SYSTEM
passwords, A.5
SYS and SYSTEM accounts
auditing, 22.2.21.1
SYS objects
auditing, 22.2.7.4
SYS schema
objects, access to, 4.5.2.3
SYS user
auditing example, 22.2.5.5
SYS_CONTEXT function
about, 9.3.3.1
auditing nondatabase users with, 22.2.24.3
database links, 9.3.3.5
dynamic SQL statements, 9.3.3.3
example, 9.3.3.6
parallel query, 9.3.3.4
STATIC policies, 10.3.6.5
syntax, 9.3.3.2
unified audit policies, 22.2.10.1
used in views, 5.6.1
validating users, 8.6.2
SYS_DEFAULT Oracle Virtual Private Database policy group, 10.3.5.3
SYS_SESSION_ROLES namespace, 9.3.3.1
SYS.AUD$ table
archiving, 23.2.2
SYSBACKUP privilege
operations supported, 4.4.4
SYSDBA privilege, 4.4.3
SYSDG privilege
operations supported, 4.4.5
SYS.FGA_LOG$ table
archiving, 23.2.2
SYSKM privilege
operations supported, 4.4.6
SYSMAN user account, A.5
SYSOPER privilege, 4.4.3
SYS-privileged connections, A.3
System Global Area (SGA)
application contexts, storing in, 9.1.3
global application context information location, 9.4.1
limiting private SQL areas, 2.4.2.5
system privileges, A.3
about, 4.5.1
ADMIN OPTION, 4.5.4
ANY
guidelines for security, A.6
ANY system privileges, 4.5.2.1
CDBs, 4.6.2
GRANT ANY OBJECT PRIVILEGE, 4.14.2.3, 4.15.2.1
GRANT ANY PRIVILEGE, 4.5.4
granting, 4.14.1
granting and revoking, 4.5.3
power of, 4.5.1
restriction needs, 4.5.2.1
revoking, cascading effect of, 4.15.3.1
SELECT ANY DICTIONARY, A.6
with common privilege grants, 4.6.2
system requirements
Kerberos, 15.5
RADIUS, 15.5
SSL, 15.5
strong authentication, 15.5

T

tables
auditing, 22.2.7.2
privileges on, 4.10.1
tablespaces
assigning defaults for users, 2.2.6
default quota, 2.2.7
quotas for users, 2.2.7
quotas, viewing, 2.6.3
temporary
assigning to users, 2.2.8
unlimited quotas, 2.2.7.2
TCPS protocol
Secure Sockets Layer, used with, A.9.2
tnsnames.ora file, used in, A.9.3
TELNET service, A.9.2
TFTP service, A.9.2
thin JDBC support, 14.1
time measurement for statement execution, 10.3.6.2
TLS
See Secure Sockets Layer (SSL)
token cards, 15.3.2, A.5
trace file
set up sample for sqlnet.ora file, B.2
trace files
access to, importance of restricting, A.6
bad packets, 8.10.1
FIPS 140-2, E.2.6
location of, finding, 9.6
TRANSLATE ANY SQL privilege
not audited, 22.2.5.3
TRANSLATE SQL privilege
not audited, 22.2.5.3
Transparent Data Encryption
about, 12.2.4.4
enabling for FIPS 140-2, E.2.2
SYSKM administrative privilege, 4.4.6
transparent sensitive data protection (TSDP)
about, 11.1
altering policies, 11.6
benefits, 11.1
bind variables
about, 11.9.1
expressions of conditions, 11.9.2.1
creating policies, 11.5
disabling policies, 11.7
disabling REDACT_AUDIT policy, 11.9.4
dropping policies, 11.8
enabling REDACT_AUDIT policy, 11.9.4
finding information about, 11.11
general steps, 11.2
PDBs, 11.10.3
privileges required, 11.4
REDACT_AUDIT policy, 11.9.1
sensitive columns in INSERT or UPDATE operations, 11.9.2.3
sensitive columns in same SELECT query, 11.9.2.2
sensitive columns in views, 11.9.3
use cases, 11.3
Virtual Private Database
DBMS_RLS.ADD_POLICY parameters, 11.10.2.2
general steps, 11.10.2.1
tutorial, 11.10.2.3
transparent tablespace encryption
about, 12.2.4.4
triggers
auditing, 22.2.7.2, 22.2.7.6
CREATE TRIGGER ON, 8.9.2
logon
examples, 9.3.4
externally initialized application contexts, 9.3.4
privileges for executing, 5.2
roles, 4.8.1.6
WHEN OTHERS exception, 9.3.4
troubleshooting, 17.4
finding errors by checking trace files, 9.6
trusted procedure
database session-based application contexts, 9.1.2
tnsnames.ora configuration file, A.9.3
tutorials
application context, database session-based, 9.3.5.1
auditing
creating policy to audit nondatabase users, 22.2.24.1
creating policy using email alert, 22.4.7.1
external network services, using email alert, 22.4.7.1
global application context with client session ID, 9.4.6.1
invoker’s rights procedure using CBAC, 5.7.7
nondatabase users
creating Oracle Virtual Private Database policy group, 10.4.3.1
global application context, 9.4.6.1
Oracle Virtual Private Database
policy groups, 10.4.3.1
policy implementing, 10.4.2.1
simple example, 10.4.1.1
TSDP with VPD, 11.10.2.3
See also examples
types
creating, 4.13.5
privileges on, 4.13
user defined
creation requirements, 4.13.4

U

UDP and TCP ports
close for ALL disabled services, A.9.2
UGA
See User Global Area (UGA)
undopwd.sql script, 3.2.4.4
unified audit policies
about, 22.2.1
best practices for creating, 22.2.2
dropping
about, 22.2.23.1
procedure, 22.2.23.2
location of, 22.2.3
predefined
ORA_ACCOUNT_MGMT, 22.3.4
ORA_DATABASE_PARAMETER, 22.3.3
ORA_SECURECONFIG, 22.3.2
syntax for creating, 22.2.3
users, applying to, 22.2.21.1
users, excluding, 22.2.21.1
users, success or failure, 22.2.21.1
unified audit policies, altering
about, 22.2.20.1
configuring, 22.2.20.2
examples, 22.2.20.3
unified audit policies, CDBs
about, 22.2.19.1
appearance in audit trail, 22.2.19.4
configuring, 22.2.19.2
examples, 22.2.19.3
unified audit policies, conditions
about, 22.2.10.1
configuring, 22.2.10.2
examples, 22.2.10.3
unified audit policies, disabling
about, 22.2.21.1, 22.2.22.1
configuring, 22.2.22.2
unified audit policies, enabling
about, 22.2.21.1
configuring, 22.2.21.2
unified audit policies, object actions
about, 22.2.7.1
actions that can be audited, 22.2.7.2
appearance in audit trail, 22.2.7.5
configuring, 22.2.7.3
dictionary tables
auditing, 22.2.7.4
examples, 22.2.7.4
SYS objects, 22.2.7.4
unified audit policies, Oracle Data Miner
about, 22.2.16.1
unified audit policies, Oracle Data Mining
configuring, 22.2.16.3
how events appear in audit trail, 22.2.16.5
unified audit policies, Oracle Data Pump
about, 22.2.17.1
appearance in audit trail, 22.2.17.5, 22.2.18.5
configuring, 22.2.17.3
events to audit, 22.2.17.2
examples, 22.2.17.4
how events appear in audit trail, 22.2.17.5
unified audit policies, Oracle Database Real Application Security
about, 22.2.12.1
configuring, 22.2.12.4
events to audit, 22.2.12.2
examples, 22.2.12.5
how events appear in audit trail, 22.2.12.6
predefined
about, 22.2.12.3
ORA_RAS_POLICY_MGMT, 22.2.12.3
ORA_RAS_SESSION_MGMT, 22.2.12.3
unified audit policies, Oracle Database Vault
about, 22.2.14.1
appearance in audit trail, 22.2.14.6
attributes to audit, 22.2.14.3
configuring, 22.2.14.4
data dictionary views, 22.2.14.2
examples, 22.2.14.5
how events appear in audit trail, 22.2.14.6
unified audit policies, Oracle Label Security
about, 22.2.15.1
appearance in audit trail, 22.2.15.6
configuring, 22.2.15.4
events to audit, 22.2.15.2
examples, 22.2.15.5
how events appear in audit trail, 22.2.15.6
LBACSYS.ORA_GET_AUDITED_LABEL function, 22.2.15.6
user session label events, 22.2.15.3
unified audit policies, Oracle Recovery Manager
about, 22.2.13.1
appearance in audit trail, 22.2.13.3
how events appear in audit trail, 22.2.13.3
unified audit policies, Oracle SQL*Loader
about, 22.2.18.1
configuring, 22.2.18.3
events to audit, 22.2.18.2
example, 22.2.18.4
how events appear in audit trail, 22.2.18.5
unified audit policies, privileges
about, 22.2.5.1
appearance in audit trail, 22.2.5.6
configuring, 22.2.5.4
examples, 22.2.5.5
privileges that can be audited, 22.2.5.2
privileges that cannot be audited, 22.2.5.3
unified audit policies, roles
about, 22.2.4.1
configuring, 22.2.4.2
examples, 22.2.4.3
unified audit session ID, finding, 22.2.10.3
unified audit trail
about, 21.4
archiving, 23.2.2
loading audit records to, 23.1.5
when records are created, 23.1.1
writing audit trail records to AUDSYS
about, 23.1.4.1
configuring modes, 23.1.4.2
immediate-write mode, 23.1.4.1
manually flushing records to AUDSYS, 23.1.4.3
minimum flush threshold for queues, 23.1.1
queued-write mode, 23.1.4.1
unified audit trail, object actions
READ object actions, 22.2.8.1
SELECT object actions, 22.2.8.2
unified audit trail, Oracle Data Mining
events to audit, 22.2.16.2
examples, 22.2.16.4
unified auditing
benefits, 21.5
compared with mixed mode auditing, 21.7.1
database creation, 21.7.2
disabling, 23.1.6
finding if migrated to, 21.6
mixed mode auditing
about, 21.7.1
capabilities, 21.7.3
purging records
example, 23.3.6
tutorial, 22.2.24.1
UNLIMITED TABLESPACE privilege, 2.2.7.2
UPDATE privilege
revoking, 4.15.2.2
user accounts
administrative user passwords, A.5
common
creating, 2.2.10.1
common user
about, 2.2.1.1
default user account, A.5
local
creating, 2.2.10.2
local user
about, 2.2.1.3
password guidelines, A.5
passwords, encrypted, A.5
privileges required to create, 2.2.2
proxy users, 3.10.1.3
USER function
global application contexts, 9.4.4.3
User Global Area (UGA)
application contexts, storing in, 9.1.3
user names
schemas, 8.8
user privileges
CDBs, 4.3
USER pseudo column, 4.11.3
user sessions, multiple within single database connection, 3.10.1.6
USERENV function, 9.3.3.2, 12.3
used in views, 5.6.1
USERENV namespace
about, 9.3.3.2
client identifiers, 3.10.2.1
See also CLIENT_IDENTIFIER USERENV attribute
users
administrative option (ADMIN OPTION), 4.14.1.1
altering, 2.3.1
altering common users, 2.3.2
altering local users, 2.3.2
application users not known to database, 3.10.2.1
assigning unlimited quotas for, 2.2.7.2
auditing, 22.2.21.1
database role, current, 8.7.1
default roles, changing, 2.2.11
default tablespaces, 2.2.6
dropping, 2.5
dropping profiles and, 2.4.4.3
dropping roles and, 4.8.6
enabling roles for, 8.7
enterprise, 3.7.1, 4.8.4.6
enterprise, shared schema protection, 8.8.2
external authentication
about, 3.8.1
advantages, 3.8.2
operating system, 3.8.4
user creation, 3.8.3
finding information about, 2.6.1
finding information about authentication, 3.11
global, 3.7.1
hosts, connecting to multiple
See external network services, fine-grained access to
information about, viewing, 2.6.2
listing roles granted to, 4.19.2
memory use, viewing, 2.6.5
network authentication, external, 3.8.5
nondatabase, 9.4.1, 9.4.4.6
objects after dropping, 2.5
operating system external authentication, 3.8.4
password encryption, 3.2.1
privileges
for changing passwords, 2.3.1
for creating, 2.2.3
granted to, listing, 4.19.1
of current database role, 8.7.1
profiles
creating, 2.4.4.2
specifying, 2.2.9
proxy authentication, 3.10.1.1
proxy users, connecting as, 3.10.1.1
PUBLIC role, 4.8.1.5, 4.16
quota limits for tablespace, 2.2.7.1
restricting application roles, 4.8.7
roles and, 4.8.1.3
for types of users, 4.8.1.4.2
schema-independent, 8.8.2
schemas, private, 3.7.2.1
security domains of, 4.8.1.5
security, about, 2.1
tablespace quotas, 2.2.7
tablespace quotas, viewing, 2.6.3
user accounts, creating, 2.2.3
user models and Oracle Virtual Private Database, 10.5.9
user name, specifying with CREATE USER statement, 2.2.4
views for finding information about, 2.6
utlpwdmg.sql
about, 3.2.5.1
UTLPWDMG.SQL
guidelines for security, A.5

V

valid node checking, A.9.2
views
about, 4.11.1
access control list data
external network services, 6.13
wallet access, 6.13
application contexts, 9.6
audit management settings, 23.4
audit trail usage, 22.5
audited activities, 22.5
auditing, 22.2.7.2
authentication, 3.11
bind variables in TSDP sensitive columns, 11.9.3
DBA_COL_PRIVS, 4.19.3
DBA_HOST_ACES, 6.11.1, 6.13
DBA_HOST_ACLS, 6.13
DBA_ROLE_PRIVS, 4.19.2
DBA_ROLES, 4.19.5
DBA_SYS_PRIVS, 4.19.1
DBA_TAB_PRIVS, 4.19.3
DBA_USERS_WITH_DEFPWD, 3.2.4.2
DBA_WALLET_ACES, 6.13
DBA_WALLET_ACLS, 6.13
definer’s rights, 5.6.1
encrypted data, 12.5
invoker’s rights, 5.6.1
Oracle Virtual Private Database policies, 10.6
privileges, 4.11.1, 4.19
profiles, 2.6.1
ROLE_ROLE_PRIVS, 4.19.6
ROLE_SYS_PRIVS, 4.19.6
ROLE_TAB_PRIVS, 4.19.6
roles, 4.19
security applications of, 4.11.3
SESSION_PRIVS, 4.19.4
SESSION_ROLES, 4.19.4
transparent sensitive data protection, 11.11
USER_HOST_ACES, 6.13
USER_WALLET_ACES, 6.13
users, 2.6.1
Virtual Private Database
See Oracle Virtual Private Database
VPD
See Oracle Virtual Private Database
vulnerable run-time call, A.3
made more secure, A.3

W

Wallet Manager
See Oracle Wallet Manager
wallets, 18.2.3.4
authentication method, 3.6.2
See also access control lists (ACL), wallet access
Web applications
user connections, 9.4.1, 9.4.4.6
Web-based applications
Oracle Virtual Private Database, how it works with, 10.5.9
WFS_USR_ROLE role, 4.8.2
WHEN OTHERS exceptions
logon triggers, used in, 9.3.4
WHERE clause, dynamic SQL, 10.2.1
Windows native authentication, 3.3.3
WITH GRANT OPTION clause
about, 4.14.2.2
user and role grants, 4.9.2
WM_ADMIN_ROLE role, 4.8.2

X

X.509 certificates
guidelines for security, A.5
XDB_SET_INVOKER role, 4.8.2
XDB_WEBSERVICES role, 4.8.2
XDB_WEBSERVICES_OVER_HTTP role
about, 4.8.2
XDB_WEBSERVICES_WITH_PUBLIC role, 4.8.2
XDBADMIN role, 4.8.2
XS_CACHE_ADMIN role, 4.8.2
XS_NSATTR_ADMIN role, 4.8.2
XS_RESOURCE role, 4.8.2