Part IV User and Role Administration

Learn how to administer application users, application identities, and data roles in Oracle Deep Data Security (Deep Sec). Each chapter covers a functional area and documents the SQL grammar, parameters, usage guidelines, and examples.

Deep Sec separates application users and data roles from traditional database users and roles. A traditional database account owns a schema, and when a single account is shared by many application users it typically carries far more privilege than any one of those users needs. Deep Sec instead uses a decoupled framework: end users and data roles are defined apart from schema-owning accounts, so you can enforce fine-grained data authorization without granting end users direct ownership of database objects.

You can manage application users and roles in two ways:
  • Externally: Use an identity and access management (IAM) system to map data roles in the database to application roles in IAM.
  • Locally: Manage users and roles directly within the database. This method is ideal for simple applications, demonstrations, or development and testing environments.

The primary entities used in Deep Sec user and role administration are as follows:

  • End user
    • A user of an application who does not own database schemas or database objects. An end user can be:
      • A user whose identity is managed in IAM. Such users typically connect to the database through the application. They can also log in directly using token-based authentication.
      • A user created and managed in the database using the CREATE END USER statement. End users managed in the database can log in directly using password authentication. They can also be mapped by user name to users managed in the application's own user store. A mapped user connects through the application's trust: the application authenticates the user, and the database relies on that authentication rather than requiring a direct password authentication on the database server.
  • Application identity
    • A registered identity for an application. It enables data roles and common privileges for all users connecting through that application.
  • Data role
    • A role in the database used for fine-grained access to data. You can grant data privileges (through data grants) and standard database roles to a data role. A data role can be:
      • Mapped to an application role in IAM using the MAPPED TO clause. The database enables the data role automatically when the end user's token includes the corresponding role claim.
      • Managed locally in the database. A locally managed data role can be granted to end users, application identities, or other locally managed data roles.

See Also:

User and Role Management in the Database in Part I: Oracle Deep Data Security Fundamentals.