This section provides a brief overview of Oracle Database Cloud Service (Database Cloud Service), key Database Cloud Service concepts, and an overview of developing applications for an Oracle Database Cloud Service. To learn more about the Oracle Cloud, see Getting Started with Oracle Cloud.
The Database Cloud Service is built on Oracle Database technology, running on the Oracle Exadata Database Machine.
The Database Cloud Service has four main components:
Oracle Database 11gR2 Enterprise Edition. The best performing database in the world.
Oracle Application Express. Used to create and deploy all varieties of applications in a browser-based environment. See "Managing Oracle Application Express Database Applications".
RESTful Web Services. Allows access to the data in your Database Cloud Service through simple URIs. See "Implementing RESTful Web Services".
Packaged Applications and Sample Code. A set of business productivity applications that are installed with just a few clicks. See "Managing Oracle Application Express Packaged Applications or Sample Code".
The Oracle Database Cloud Service delivers the following advantages:
You can access your Database Cloud Service from any supported browser on any platform.
The Database Cloud Service comes in several sizes, based on a simple storage and transfer metrics.
The Database Cloud Service has a simple monthly subscription cost, which includes all standard maintenance operations and Oracle Support.
You can provision a complete Database Cloud Service environment in a few minutes and immediately start to be productive. The Database Cloud Service includes simple administrative tools that allow you to monitor usage, and add and drop user access. The Oracle Store allows you to modify your subscription package with a simple interface.
The Database Cloud Service includes a wide variety of tools and utilities, including development wizards and flexible interactive reporting. Most importantly, the Database Cloud Service offers rapid application development and instant deployment, which allows developers and users to work together in real time to create optimal solutions for business needs.
The Oracle Database Cloud Service is composed of several components which provide functionality and benefits.
The Oracle Database has been the standard for enterprise databases for more than two decades. With the Oracle Database Cloud Service, you get the full power of this legendary platform. You can use the same SQL for data interaction that is used for hundreds of thousands of enterprise applications. You can use PL/SQL, the procedural extensions for the Oracle Database. All the optimizations and data structures which make the Oracle Database so robust are available in your Database Cloud Service.
The Database Cloud Service is used by the Java Cloud Service for all data operations. This support allows you to deploy Java applications with the Java Cloud Service with the enterprise-strength of the Oracle Database.
The Oracle Database Cloud Service uses schema isolation to implement multi-tenancy, which allows full transparency while still providing efficient use of database resources. The Oracle Database is, at its core, a multi-user system for sharing data, so the Oracle Database Cloud Service simply uses the capabilities built up for the Oracle Database to share resources among multiple Database Cloud Service customers.
The Oracle Database Cloud Service runs on Oracle Exadata hardware - the most advanced database platform in the world today. Oracle Exadata uses a variety of techniques and technology to dramatically improve the operation of the most time-consuming database operations. You get all the benefits of Oracle Exadata with your Oracle Database Cloud Service.
Oracle Application Express is a robust rapid application development system that is included with the Oracle Database. Oracle Application Express gives developers the ability to create applications in minutes. Once development is complete, the applications are instantly available, allowing for a process of interactive development where developers work with users to quickly create and refine applications to achieve business goals.
The process of application creation with Oracle Application Express can take advantage of a wealth of wizards, which simplify and accelerate development. You can also extend Oracle Application Express applications to meet your specific business needs with PL/SQL, so the range of functionality you can implement is virtually unlimited.
These features mean that Oracle Application Express provides both extremely high levels of productivity for creating standard applications and the ability to create sophisticated mission critical applications.
Oracle Application Express includes a range of user productivity features, such as interactive reports, which let business users shape the analysis and presentation of their data without having to involve development or IT staff. End users can also created Websheets, which act like data-driven wikis, giving them full control of their business applications.
Oracle Application Express also includes capabilities for managing your data structures, as well as functionality to help teams of developers manage their projects and communications.
Applications delivered through the Oracle Cloud can be accessed from a wide variety of client platforms, including Windows, Apple or mobile devices.
Oracle Application Express and your Oracle Application Express applications are built on technology that resides within an Oracle Database, so all your applications can be easily run on any Oracle platform - from the Oracle Database Cloud Service to your in-house data center to Oracle Database XE on your laptop.
RESTful Web services are services which adhere to an architecture which implements interactions with data sources through the use of URIs. RESTful Web services are one of the standard methods for accessing data in the Cloud.
The Oracle Database Cloud Service includes the ability to use RESTful Web services to access data in your Oracle Database. The Database Cloud Service includes a RESTful Web service wizard, which makes it easy for you to create services which implement any SQL statement or PL/SQL procedure to supply data to applications.
The RESTful Web service wizard lets you simply define a few attributes for a service and then use the full power of SQL and PL/SQL to perform database operations. By default, the wizard returns data in JSON format, although you can use PL/SQL to format data in any way. In addition, the wizard gives you the option of some more complex formats, such as the ability to return data from a result set with embedded links to a more detailed view of the data in the complete row, without any additional coding.
The support of RESTful Web services in the Oracle Database Cloud Service make it easy to use the data in your Oracle Database in virtually any development tool, including dynamic languages.
The Oracle Database Cloud Service includes a set of business productivity applications and sample code which can be installed with just a few clicks. Sample code is reference implementations of simple applications that can be installed and extended by a developer. Packaged applications and sample code are full production versions designed to provide real functionality, such as project management, shared calendars and shared checklist management.
All of these applications share the same privilege levels of administrator, contributor and reader, which grant differential access to functionality and features. All of these applications and samples can be installed or removed through the same simple administrative interface.
The Oracle Database Cloud Service includes a variety of tools and utilities which make it easy for you to use the environment. The Database Cloud Service includes browser-based tools for monitoring and modifying all your services from a central management page. You can create users across all your services with a simplified interface to Oracle's Identity Management solution. You can even upgrade your service from this environment for more storage and data transfer with a few clicks.
Each individual service also has a browser-based management console to provide a more detailed look at resource utilization and to install or remove business applications with a few simple clicks. The Oracle Application Express environment contains a set of administration applications which let administrators shape and monitor the environment. You can assign administrative responsibility for one or more services to an individual, giving you complete delegation capabilities to match your organization.
The Database Cloud Service includes Application Express SQL Workshop to manage the underlying Oracle Database and its structures. SQL Workshop is a browser-based component of the Oracle Application Express environment which gives you the ability to browse and manage all of your Oracle objects, run SQL or PL/SQL code, run scripts and even build queries through a graphical interface.
One of the key concerns for organizations as they move to a shared resource model on the Cloud is insuring the security of their data. The Oracle Database Cloud Service, like the Oracle Database that is the foundation of the Database Cloud, has been created from the beginning with the utmost concern for security.
This section reviews several aspects of security and the Oracle Database Cloud:
The basic architecture of the security domains that are used for the Database Cloud
Security measures that apply to the overall service
Security measures that apply to individual Database Cloud Services
Application security options
Security options for RESTful Web Services that access a Database Cloud Service
The Oracle Database Cloud uses a security architecture that includes different security domains and administrative and use privileges within a particular Database Cloud Service.
There are several different security domains which are used with the overall implementation of the Database Cloud.
Database Cloud Service
Each and every Database Cloud Service is owned by an account. An account is the top level in the security hierarchy. The individual who initially sets up an Account is known as the Buyer. A Buyer is automatically an Account Administrator as an Account Administrator can assign themselves privileges at the Identity Domain and Service level.
When you initially sign up for a Database Cloud Service account, you must have an Oracle.com user account. After you initially sign up for an account, you can grant the Account Administrator privilege to any other Oracle.com users. Any Account Administrator can remove the Account Administrator privilege from any other Account Administrator.
Account Administrators can see all services, PaaS or SaaS services, associated with an account.
An Identity Domain is a pool of users. An account can have one or more Identity Domains, but each Domain is separate and distinct. You must define an Identity Domain when you initially request an account, and the requestor is given a username within the Identity Domain.
Identity Domain membership and privileges are defined with the Cloud Identity Manager, which is described in more detail below.
Members of an Identity Domain can have security roles for one or more of the Cloud Services associated with the Identity Domain. These roles are described in more detail below.
Identity Domain Administrators can see all Database Cloud Services associated with the Identity Domain, and can assign and remove all security roles associated with these Cloud Services, including the Administrator role for any of the Services.
Database Cloud Service
A Database Cloud Service is an individual Service within the Oracle Database Cloud. Data within an individual Database Cloud Service is completely separated from data in all other Services in the Oracle Database Cloud, as described in more detail below.
Database Cloud Service administrators can define users for the Services that they administer. Database Cloud Service users can be defined with the Cloud Identity Manager or within the Administration area of the development platform for the Database Cloud Service itself. If a user is defined with the Cloud Identity Manager, they must use the same tool to manage their profile; if a user is defined through the Administration area of the development platform, they must manage their profile through that platform. Administrators and developers for a Database Cloud Service must be defined with the Cloud Identity Manager and given the appropriate security role, as described below.
There is an Administrator role at the Account, Identity Domain and Service levels. Administrators can grant this role at their level to other defined users.
There are three roles for each Database Cloud Service:
Service Administrator, who can create, modify and delete Database Cloud Service users and their privileges, both in the Cloud Identity Manager and the Administration area of the Database Cloud Service development platform.
Developers, who can use the development platform within a Database Cloud Service to create applications, but who cannot create, modify or delete users for that Database Cloud Service.
End users, who can run applications within the Database Cloud Service.
When a Database Cloud Service is added to an Identity Domain, three individual roles which map to these levels are created within the Identity Domain. The Account Administrator and Identity Domain Administrator are automatically given the Service Administrator role for the initial Database Cloud Service, but all other roles have to be explicitly assigned through the Cloud Identity Manager.
This tool is used to administer all users and roles defined as part of the Cloud Identity Domain. A Identity Domain or Service administrator can add, delete and modify users with this tool, or to create, delete, assign or delete roles.
Identity Domain Administrators can use the Cloud Identity Manager to access all users defined within their Identity Domain and their roles. Service Administrators only get access to the users defined for their Service, and users of a service can only use the Cloud Identity Manager to modify their own user profile and reset their account password.
For more details on the use of the Cloud Identity Manager, please refer to "Managing Users and Roles with Oracle Identity Console" in Getting Started with Oracle Cloud.
All security is based on well-thought out and implemented practices and procedures. The Oracle Database Cloud is implemented with rigorous security practices and procedures based on decades of experience.
The security processes used for the overall Oracle Cloud include secure access to data centers, annual security audits by third parties to insure regulatory security compliance and full auditing of the entire Cloud stack on a quarterly basis.
All data stored in the Oracle Database Cloud benefits from the use of Transparent Data Encryption. Transparent Data Encryption encrypts data stored on disk and in backups, protecting against unauthorized direct file access. The encryption and decryption of your data is handled automatically by the Oracle Database, so you do not have to add programmatic steps to use this powerful security feature.
The Database Cloud has to be protected against the introduction of malicious code which could harm all users. To enforce this level of protection while still allowing users to load data into their Database Cloud Service, data loads are sent to a Secure FTP server, where they are scanned for viruses before the data in the files is loaded into the Database Cloud Service using your database account information. With this approach, malicious data can never be loaded in such a way that it affects other accounts or breaches the security isolation. This two step process also automatically compresses the actual data to be loaded, reducing the time needed to upload data to the Oracle Database Cloud.
The Database Cloud Service is built on a multi-tenant architecture, with database schemas providing the boundaries of tenant isolation. Schemas have been used in the Oracle Database as a method of separating data for decades. To enforce and protect the absolute security of tenants of the Database Cloud Service, some standard Oracle features have been locked down.
For instance, access to any data dictionary view which allows a tenant to see the existence of other schemas has been prohibited. In addition, some SQL syntax is not allowed, such as GRANT or REVOKE, since these options are used to access objects between one schema to another schema owner.
For a detailed list of syntax, objects and operations disallowed in the Database Cloud Service, please see "Database Cloud Service Features and Implementation Considerations".
Your Database Cloud Service includes Application Express, which you can use to develop and deploy HTML-based applications through a declarative process. Application Express has been in production since 2004, with hundreds of thousands of enterprise applications deployed throughout the world. There are a number of features of Application Express that help you to develop secure applications in your Database Cloud Service.
Application Express supports several authentication schemes, which are used to insure that a particular user is properly identified. Application Express gives developers the ability to use authorization schemes, which are ways of allowing access to specific pages, regions within pages or items within regions, based on user identity. As a developer, you have access to the identity of a user at all times, so you can implement procedural limitations based on user identity.
Although Application Express includes robust monitoring tools, you can add in procedural logic to log application and session specific information for further security analysis.
Application Express includes protection against cross-site scripting attacks by providing a way to reference values that automatically escapes special characters, which will not allow any type of script to be included in pages returned to users through the Database Cloud Service applications.
In addition, Application Express gives you the option to automatically protect navigational URLs from being malicious modified. This option, referred to as Session State Protection, generates checksums which are included with any parameters passed as part of a URL to retrieve a page in an application. In addition, you can prevent a page from ever being accessed by a URL, only allowing access as the destination of a navigation link or branch from another page within the application.
Application Express also includes reports which allow you to rapidly see the security options in force for a particular application, as well as to monitor usage of applications and individual pages in applications.
Application Express also includes reports which allow you to rapidly see the security options in force for a particular application, as well as to monitor usage of applications and individual pages in applications.
You can also specify security on a RESTful Web Service in a number of ways. These ways are different from the traditional method of using schema users to implement security. An Oracle Database Cloud Service is based on a single schema, and all RESTful Web Services which access data in this schema are executed by the user who owns the schema. Without any specific security implementations on a RESTful Web Service, the services will return all data that satisfies an SQL statement or is collected by a PL/SQL block.
There are four ways you can add security to your RESTful Web Services:
Based on the origin of the RESTful Web Service
Based on the application using the RESTful Web Service
Based on the identity of the user calling the RESTful Web Service
Based on logic implemented in the RESTful Web Service call itself
You can specify that a RESTful Web Service module and its templates and handlers can only be accessed for a specified list of origin domains.
RESTful Web Services use the OAUTH2 model of authentication, as shown in the diagram below.
OAUTH2 authentication is one of the standard authentication flows used on the Internet. To understand how to implement application-based or user-based authentication, you need to understand how the OAUTH authentication process flow works.
OAUTH authentication requires two different tokens - a request token, which allows a client to request authorization, and an access token, which grants access to a specific user.
You can use this process flow to implement access to a specific application or to a specific user, as described below.
To allow a specific application to access RESTful Web Services, you use the OAUTH Request token. To implement this, you would generate a specific token and hard code that token into a specific application client. You would then use OAUTH to check for the request token.
This type of authentication allows you to use a single token to grant access to all of the RESTful Web Services defined in a module to one or more application clients.
You can allow access to a RESTful Web Service based on the identity of the authenticated user. If you want access based only on user identity, you would not require an OAUTH Request token and use privileges defined in your Database Cloud Service to limit access to the Web Service. The process of defining and using these privileges is defined in the next section.
The three methods of implementing security described above grant access to one or more specific RESTful Web Services calls, similar to allowing a connection to a database. In traditional database security, access is granted based on the identity of the database user making the request. Since all RESTful Web Services in a specific Database Cloud Service are executed by the same database user, this option is not available for these Services. In recognition of this architecture, the SQL command GRANT is not supported in a Database Cloud Service.
However, this does not mean that you cannot limit access to data based on user identity. The identity of a user is established through the Database Cloud Service authentication process, and this identity is available to developers as the OAM_REMOTE_USER parameter, kept securely in the header of all RESTful Web Service requests.
You can use this value as part of a standard WHERE clause, which, for instance, could be used to limit the rows returned from a query to those for the same department as the current user. You could also use this value in more complex logic in either SQL or PL/SQL.
In addition to the roles and privileges described in "Managing Users and Roles with Oracle Identity Console" in Getting Started with Oracle Cloud, there are the following Database Cloud Service roles used to access, develop and administer Application Express applications:
End Users. End users of an Oracle Application Express application using Oracle Cloud Identity Management or Application Express authentication. Users that have been granted permission to access an Oracle Application Express application.
Developers. Developers of Oracle Application Express applications. Developers have access to the Application Builder and the SQL Workshop.
Workspace Administrators. Administrators given access to all Oracle Application Express application components. Additionally, they can manage application user accounts, groups and development services that use Oracle Application Express authorization.
Developing applications for an Oracle Database Cloud Service is done through Oracle Application Express. Using Oracle Application Express you can perform the following:
Create custom applications. See "Managing Oracle Application Express Database Applications".
Install packaged applications. See "Managing Oracle Application Express Packaged Applications or Sample Code".
Create RESTful Services. See "Implementing RESTful Web Services".
Manage application users. See "Managing Application Express Application End Users".
To learn more, see "Developing Applications for Oracle Database Cloud Service".