2.1 Key Terminology

Familiarize yourself with the key terminology used within the Oracle Deep Data Security (Deep Sec) environment.

Identity and users

These terms describe the users and identities that Deep Sec recognizes for authentication and authorization.

  • IAM
    • An identity and access management (IAM) system, such as Microsoft Entra ID or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), that manages user identities and role assignments outside the database.
  • End user
    • A user of an application who does not own database schemas or database objects. An end user can be:
      • A user whose identity is managed in IAM. Typically, they connect to the database through the application. They can also log in directly using token-based authentication.
      • A user created and managed in the database using the CREATE END USER statement. End users managed in the database can log in directly using password authentication. Additionally, they can be mapped by user name to users managed in the application's own user store, so that those users can connect through the application's trust, without requiring direct password authentication on the database server.
  • Application identity
    • A database-resident identity that represents a specific application. During each session, the database enables data roles granted to this identity for all users connecting through that application.

Roles and authorizations

These terms distinguish between roles defined in IAM and their corresponding representations within the database.

  • Application role
    • A role your application defines to control access to protected resources. You usually create and assign these roles to users in IAM, and then create a corresponding data role in the database that maps to each application role.
  • Data role
    • A role in the database used for fine-grained access to data. You can grant data privileges (through data grants) and standard database roles to a data role. A data role can be:
      • Mapped to an application role in IAM using the MAPPED TO clause. The database automatically enables it when the end user’s token includes the corresponding role claim.
      • Managed locally in the database. A data role managed locally in the database can be granted to end users, application identities, or other data roles (that are managed locally).
  • Database role
    • A standard role that exists within the Oracle AI Database environment, separate from the application-specific roles defined above.

Application and context

The following terms describe the component bridging the user interface and the database, and the security context for end-user operations.

  • Application
    • A client application in a two-tier architecture, or a mid-tier application in a three-tier architecture, that accesses the database using language-specific client drivers such as JDBC, Python, or ODP.NET.
  • End-user security context (runtime values within a database session)
    • The session-level object that holds the active end user's identity, their enabled data roles, and all live attribute values. The database creates an end-user security context automatically when an application sends an EndUserSecurityContext payload with the following components:
      • End-user identity: The end user's name as asserted in the IAM access token. For end users managed locally, this is the name of the end user created in the database.
      • Data roles (optional): Additional data roles that the application can enable for the end-user security context, beyond those mapped to application roles in IAM and those enabled by default for the application identity.
      • End-user context attributes (optional): A dictionary of application-defined key-value pairs to include in the security context. Used when data grants or application logic rely on custom end-user context attributes.
      • Database-access token: An on-behalf-of (OBO) token or an OAuth client-credential token that the application obtains from IAM to authorize its access to the database. This token ensures the database accepts requests only from trusted applications. Only an authorized application (with its application secret) can obtain this token from IAM.

  • End-user context (database-side definition)
    • A database schema object you create with the CREATE END USER CONTEXT command that defines a set of attributes, their data types, default values, and optional PL/SQL routines to populate them. At runtime, the database uses it as a template for JSON-style name-value pairs and instantiates it on first use in the current end-user security context — either when the application payload is attached or when an attribute is required for authorization checks.
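The "Data role" and "End-user security context" entries above together describe which data roles end up enabled in a session: those mapped to application-role claims in the end user's token, those enabled by default for the application identity, and any additional roles the application names in its payload. The following Python is an added toy model of that resolution, written for this page; it is not Deep Sec's implementation, and all role names, application identities, payload keys and token claims are constructed. It also assumes, for illustration, that an application may only add locally managed data roles that were granted to its own application identity; the page does not state that constraint.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed catalogue of data roles: name -> application role it is
# MAPPED TO, or None for a data role managed locally in the database.
DATA_ROLES = {
    "hr_reader_dr": "HR.Reader",
    "hr_admin_dr": "HR.Admin",
    "audit_dr": None,
    "support_dr": None,
}

# Constructed application identities: roles enabled by default for every
# session through the application, and locally managed roles granted to it.
APPLICATIONS = {
    "hr_app": {"default_roles": {"audit_dr"}, "granted_roles": {"support_dr"}},
}

# Constructed: data roles granted directly to end users managed in the database.
LOCAL_END_USERS = {"alice": {"support_dr"}}


@dataclass
class SecurityContext:
    """Toy stand-in for the session-level end-user security context."""
    end_user: str
    data_roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    rejected_roles: set = field(default_factory=set)


def build_context(payload: dict, app_identity: str,
                  end_user_token: Optional[dict]) -> SecurityContext:
    """Resolve the active data roles for one session.

    payload carries the four components named on the page, under constructed
    keys: end_user, data_roles (optional), attributes (optional),
    database_access_token. end_user_token is the decoded IAM access token
    (subject and role claims), or None for an end user managed locally.
    """
    app = APPLICATIONS[app_identity]
    # A payload without a database-access token is not from a trusted application.
    if not payload.get("database_access_token"):
        raise PermissionError("payload carries no database-access token")

    ctx = SecurityContext(end_user=payload["end_user"],
                          attributes=dict(payload.get("attributes", {})))

    # 1. Roles enabled by default for the application identity.
    ctx.data_roles |= app["default_roles"]

    if end_user_token is not None:
        # 2a. IAM-managed end user: the identity is what the token asserts,
        #     so the payload may not name a different user.
        if end_user_token["sub"] != ctx.end_user:
            raise PermissionError("payload end user does not match token subject")
        claimed = set(end_user_token.get("roles", []))
        ctx.data_roles |= {dr for dr, app_role in DATA_ROLES.items()
                           if app_role is not None and app_role in claimed}
    else:
        # 2b. Locally managed end user: roles granted directly in the database.
        ctx.data_roles |= LOCAL_END_USERS.get(ctx.end_user, set())

    # 3. Additional roles requested by the application. Assumption of this
    #    model: only locally managed roles granted to the application identity
    #    qualify; anything else is recorded as rejected and not enabled.
    for role in payload.get("data_roles", []):
        if DATA_ROLES.get(role, "missing") is None and role in app["granted_roles"]:
            ctx.data_roles.add(role)
        else:
            ctx.rejected_roles.add(role)
    return ctx


if __name__ == "__main__":
    token = {"sub": "bob", "roles": ["HR.Reader"]}           # constructed claims
    payload = {"end_user": "bob", "data_roles": ["support_dr", "hr_admin_dr"],
               "attributes": {"region": "EMEA"}, "database_access_token": "obo"}
    ctx = build_context(payload, "hr_app", token)
    print(sorted(ctx.data_roles), sorted(ctx.rejected_roles))
```

In the run above, bob gets audit_dr (application default), hr_reader_dr (mapped to the HR.Reader claim) and support_dr (requested and granted to the application), while hr_admin_dr is rejected because it is mapped to a claim bob's token does not carry. The point for a reviewer is that a role an application names in its payload is never sufficient on its own; the token claim or the grant has to exist on the database side.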

Access control mechanisms

These terms define how Deep Sec protects specific data elements.

  • Data grant
    • A fine-grained access control policy that allows access to database records at row, column, and cell levels.
  • Predicate
    • A logical condition expressed as a SQL predicate that identifies a specific set of rows for access control purposes.
  • Data privilege
    • A specific right or permission that you grant through data grants to an end user or a data role.