A
OpenVMS Security and Oracle Rdb

This appendix discusses the use of OpenVMS security features by Oracle Rdb.

A.1 OpenVMS Privileges Used to Install Oracle Rdb

Oracle Rdb must be installed from a privileged account. Usually, the SYSTEM account is used. The VMSINSTAL procedure is located in SYS$UPDATE, which is a restricted directory. The OpenVMS SETPRV privilege is required to run VMSINSTAL. The VMSINSTAL procedure then grants all privileges other than BYPASS. (The VMSINSTAL procedure also turns off BYPASS at the start of the installation.)

A.2 OpenVMS Privileges Required for RMU Commands

An Oracle Rdb database is protected by a combination of Oracle Rdb, Oracle RMU, and OpenVMS privileges. OpenVMS privileges are not necessary to use data manipulation or data definition statements. Oracle RMU privileges are used to control access to most database maintenance operations (for more information on RMU privileges, see the Oracle Rdb Release Notes and the Oracle Rdb7 Oracle RMU Reference Manual). However, some database maintenance operations still require OpenVMS privileges. Table A-1 lists the maintenance operations and indicates the required OpenVMS privilege.

Table A-1 Security Controls Required to Use Oracle RMU Functions

Oracle RMU Function	OpenVMS Privilege
Start database monitor^{Foot 1}	SETPRV
Reopen database monitor log	WORLD
Stop database monitor	WORLD
Show locks on databases	WORLD
Show databases in use	WORLD

¹ Start the monitor from the SYSTEM account that has the SETPRV privilege. The process starting the monitor attempts to give the monitor all privileges; the privileges required are as follows: ALTPRI, CMKRNL, DETACH, PSWAPM, SETPRV, SYSGBL, SYSNAM, and WORLD.

Oracle RMU functions require OpenVMS privileges when the function:

Operates across multiple databases (such as the monitor-related commands)
Does not operate on any database (such as the RMU Show command with the System qualifier)

A.3 OpenVMS Privileges That Override Oracle Rdb Protection

Certain OpenVMS privileges can override Oracle Rdb protection. Therefore, you must be very careful assigning OpenVMS privileges. The distinction between Oracle Rdb and OpenVMS privileges is that OpenVMS privileges are systemwide, while Oracle Rdb privileges are associated with a particular database or database object. Table A-2 indicates which Oracle Rdb privileges can be bypassed by users possessing certain OpenVMS privileges.

Table A-2 OpenVMS Privileges That Override Oracle Rdb Privileges

OpenVMS Privilege	Overridden Oracle Rdb Privileges
BYPASS	All privileges except DBADM, SECURITY, and DBCTRL
READALL	SELECT database or table privilege
SYSPRV	All privileges except SECURITY
OPER	SELECT database privilege
SECURITY	SELECT database privilege, SECURITY database privilege, and DBCTRL

The Oracle Rdb7 Guide to Database Design and Definition includes a table indicating which actions can be performed with which OpenVMS and Oracle Rdb privileges.

Note:

Certain sites might want to restrict the ability of users to create their own databases. These sites would have to define the RDBVMS$CREATE_DB logical name. When you use this logical name, other installed Oracle and third-party products will not be able to use Oracle Rdb to create Oracle Rdb databases. Therefore, you must deassign this logical name whenever users of such products need to create an Oracle Rdb database. More information on the use of this logical name can be found in the Oracle Rdb7 Guide to Database Design and Definition.

A.4 OpenVMS Protection of Oracle Rdb Files

Oracle Rdb sets the following OpenVMS default protection for all database files:

SYSTEM:READ,WRITE,EXECUTE,DELETE; OWNER:READ; GROUP: , WORLD:

This affects the following files:

Database root (.RDB) and its associated ACL
Recovery-unit journal (.RUJ)
After-image journal (.AIJ)
Snapshot (.SNP)
Storage area (.RDA)

These restrictions protect the database from applications or processes not using Oracle Rdb. Oracle Rdb uses the OpenVMS SYSPRV privilege to open database files, then checks that user's user identification code (UIC) against the Oracle Rdb access privilege set to determine access to database objects. Section A.5 discusses protection specific to Oracle Rdb.

A.5 Oracle Rdb Internal Protection

Internal Oracle Rdb protection depends on the use of access privilege sets (APSs) that connect database subjects (users) and objects with certain privileges. Oracle Rdb uses the standard OpenVMS identifiers to identify database subjects.

The UIC of the process owner is used by Oracle Rdb to identify the individual who is accessing the database. No separate user identifiers are supported by Oracle Rdb, and no separate authentication of users is performed.

Database administrators can choose between ACL-style and ANSI/ISO-style protection when using the SQL interface to Oracle Rdb.

In ACL-style protection, three types of OpenVMS identifiers can be used:

User identification codes (UICs)

The following are all valid UICs:
```
[SYSTEMS,JONES]
K_JONES
[354,567]
[250,*]
```
General identifiers that specify a user or set of users

For example:
```
DATAENTRY
PROGRAMMERS
MANAGERS
SECRETARIES
```

System-defined identifiers

For example:

BATCH
NETWORK
INTERACTIVE
LOCAL
DIALUP
REMOTE

Each identifier is associated with a set of access privileges to specify which operations that user or user group can perform on the database or database table, view, or column.

In ANSI/ISO-style protection, only a specific UIC can be used. Wildcards are permitted only to specify public access, as in [*,*].

Database objects (database, table, view, or column) are associated with an APS that indicates which operations certain users can perform on that object. The owner or creator of a database owns the database files and has the ability to grant or revoke privileges for that database's subjects and objects.

For more information on other aspects of Oracle Rdb security, see the Oracle Rdb7 Guide to Database Design and Definition.

A.6 Auditing

Oracle Rdb employs a security auditing system that closely models that of the OpenVMS system.

A database is maintained that describes the Oracle Rdb audit events that are enabled. Such events are enabled on a per database basis so that each database can be audited differently. Oracle RMU includes RMU Set Audit and RMU Show Audit commands to modify and display the event auditing characteristics. As with the OpenVMS system, Oracle Rdb has its own audit analysis command (RMU Load command with the Audit qualifier) to assist in reviewing the audit trail.

To accomplish security auditing, Oracle Rdb communicates with the OpenVMS AUDIT_SERVER process, which stores security audit records in the security audit journal and relays security alarm messages to the appropriate display process. Thus, Oracle Rdb audit information can coexist with OpenVMS audit information so that all system audit records can be retrieved from one location by the OpenVMS security administrator using a single OpenVMS audit analysis tool.

For more information on Oracle Rdb auditing capabilities, see the Oracle Rdb7 Guide to Database Maintenance. For more information on OpenVMS auditing capabilities, see the OpenVMS documentation set.

A OpenVMS Security and Oracle Rdb