This preface contains:
Changes in Oracle Database 12c Release 2 (184.108.40.206)
The following features are new in this release:
Real Application Security includes support for privilege scoping
Oracle Database 12c Release 2 (12.2) extends the Real Application Security model by allowing per principal session privilege grants, through an ACL set on the principal as a native Real Application Security application user, for granting session management privileges. In addition, Oracle Database 12c Release 2 (12.2) extends the Real Application Security model by allowing per principal session privilege grants, though an ACL set on the principal as a dynamic role, for granting only the
SET_DYNAMIC_ROLESprivilege. Principal-specific ACL grants take precedence over system-level session privilege grants. It allows for a negative grant to be set on the principal specific ACL. Use of an ACL allows a common set of grants to be enforced on a group of native application users and dynamic roles.This feature provides the following new API:
This feature enhances the following APIs with the addition of the
SET_ACL Procedure— Sets an ACL on the specified application user or dynamic role.
aclparameter:This feature enhances the following views by displaying the ACLs that are set on the user and or dynamic role or both:
This feature adds the
SET_DYNAMIC_ROLESprivilege, which is defined in the
SESSION_SCsecurity class to protect enablement and disablement of a dynamic role as part of the attach session and assign user operations.
See About Real Application Security Session Privilege Scoping Through ACL for more information.
Real Application Security supports column-level access control on DML statements. This allows users to insert, update, and delete specific column values based on their granted column-level privileges.Beginning with Oracle Database 12c Release 2 (12.2), users with required privileges can do DMLs with Data Security column security. This means:
To update a row value, an authorized user needs both the row-level
UPDATEprivilege as well as the column privilege on the protected columns to be updated.
To insert a row, an authorized user needs both the row-level
INSERTprivilege as well as the column privilege on each protected column. If the
INSERTstatement does not insert a value for a protected column, the column privilege is not required, and the default value (or
NULLif there is no default value) is inserted.
To delete a row, an authorized user only needs the row-level
DELETEprivilege. The column privilege is not required.
No data is disclosed for DMLs with Data Security row-level and column-level security. DML statements with
RETURNING INTOor with the parameter -
sql92_securityenabled require both the row-level
SELECTprivilege as well as the column privileges if the columns appear in the
Real Application Security includes support for schema-level security policy administrationThis feature enhances the following APIs:
This feature extends the
ADMIN_SEC_POLICYprivilege to schemas for policy management.
This feature adds the
APPLY_SEC_POLICYprivilege for policy enforcement within granted schemas to achieve policy enforcement within an application.
APPLY_SEC_POLICYprivilege will be checked in the following APIs before enforcing policies: APPLY_OBJECT_POLICY Procedure, REMOVE_OBJECT_POLICY Procedure, ENABLE_OBJECT_POLICY Procedure, and DISABLE_OBJECT_POLICY Procedure.This feature adds two audit actions:
— to audit the
— to audit the
This feature adds the following views: ALL_XS_SECURITY_CLASSES, ALL_XS_SECURITY_CLASS_DEP, ALL_XS_PRIVILEGES, ALL_XS_IMPLIED_PRIVILEGES, ALL_XS_ACLS, ALL_XS_ACES, ALL_XS_POLICIES, ALL_XS_REALM_CONSTRAINTS, ALL_XS_INHERITED_REALMS, ALL_XS_ACL_PARAMETERS, ALL_XS_COLUMN_CONSTRAINTS, ALL_XS_APPLIED_POLICIES, and DBA_XS_PRIVILEGE_GRANTS.
See About Schema Level Real Application Security Policy Administration for more information.
Oracle Label Security support for the Oracle Database Real Application Security
user_nameparameter in the
SA_USER_ADMIN.SET_USER_LABELSprocedure and in the
SA_USER_ADMIN.SET_USER_PRIVSprocedure for Oracle Database, the user name can be an Oracle Database Real Application Security user name.
SA_USER_ADMIN.SET_USER_LABELSprocedure in Oracle Label Security Administrator’s Guide and the
SA_USER_ADMIN.SET_USER_PRIVSprocedure in Oracle Label Security Administrator’s Guide for more information.
Labels or Oracle Label Security privileges assigned to the Real Application Security user are enforced in the Real Application Security user session. Oracle Label Security context is established upon the following Real Application Security session operations (
ASSIGN_USER) and in Real Application Security direct logon sessions. Based on labels or privileges or both that the current Real Application Security session has, the Oracle Label Security policy is enforced.
See Attaching an Application Session to a Traditional Database Session, Assigning an Application User to an Anonymous Application Session, Switching a Current Application User to Another Application User in the Current Application Session, and Oracle Label Security Context Is Established in Direct Logon Session for more information.
- Predefined application role
Allows the user granted this role to connect to the database. In other words, a user not granted this predefined role cannot connect to the database.
See Regular Application Roles, GRANT_ROLES Procedure, and About Creating a Direct Login Application User Account for more information.
The following features are deprecated and will not be supported in future releases:
LOCKEDvalues for the parameter
See "CREATE_USER Procedure" for more information.
PASSWORDEXPIREDstatus value is deprecated.
See "SET_USER_STATUS Procedure" for more information.
The password types
See "SET_PASSWORD Procedure" for more information.
The verifier types
See "SET_VERIFIER Procedure" for more information.