Broken Access Control

In some applications, the UI controls function-level access by exposing only the functionality where access has been granted and hiding functionality where the user has not been granted access. Without database-level access control, an attacker who has partial access to the application might be able to gain access to an unauthorized function.

For API access, the Oracle DMW security privileges determine which actions a user is authorized to perform on Oracle DMW objects and security is verified in the Oracle DMW application database code before the action is performed. Oracle recommends that you set up user roles based on the principle of least privilege. Users should have only the minimum privileges necessary to perform their function.

Your code that uses the Oracle DMW views and APIs should properly enforce access privileges for application functions at the level of the business logic in your program. The default behavior in an application should be to deny access to application functions unless the access is granted explicitly.

Use of the Oracle DMW API is often to view data in a graphical or analysis application. Oracle recommends that you create your Oracle DMW application user with privileges to view data (view-only), so the corresponding database user will be restricted to view-only privileges for the data. See "Use or create object security roles" in the Oracle Life Sciences Data Management Workbench Administration Guide.