1.1 What Is Oracle Deep Data Security
Oracle Deep Data Security (Deep Sec) is a database-enforced data authorization framework. It enables application developers and security architects to define and enforce application-level security requirements directly at the database layer.
As a comprehensive, data-centric authorization platform, Deep Sec addresses the security needs of modern applications, including enterprise software, analytics, and agentic AI systems. It enforces fine-grained access control at the row, column, and cell levels, limiting users strictly to the data they are authorized to access. By securing data at its source, Deep Sec provides a unified security architecture across application and database tiers, protecting all access paths to sensitive data.

1.1.1 The Deep Sec Authorization Model
The Deep Sec authorization model is a robust, centralized, and declarative framework designed to streamline fine-grained data access control in modern applications. It introduces a straightforward SQL syntax for specifying authorization at the row, column, and cell levels. You can define policies using clear, human-readable SQL statements, without the need for complex procedural code or opaque API-based approaches.
Deep Sec's authorization model is built on the following principles:
- Centralized administration: Authorization policies are defined during application development and enforced centrally at runtime. Access decisions are based on the end user's role or attributes through role-based access control (RBAC) or attribute-based access control (ABAC), rather than on database object ownership.
- Declarative independence: Authorization policies are expressed independently of application code. This separation allows developers and security administrators to update or refine policies without altering application logic, thereby simplifying version control, testing, and CI/CD pipelines.
- Versatile policy definition: Fine-grained authorization controls use a simplified SQL syntax that enables developers and administrators to apply precise restrictions within the database and manage policies efficiently at scale. Additionally, this syntax supports complex real-world requirements, such as cell-level authorization, column masking, authorization APIs, and policy lifecycle management through CI/CD.
For more information, see Fine-Grained Data Authorization.

1.1.2 Core Capabilities
Deep Sec provides the following capabilities for securing applications, analytics tools, and agentic AI systems.
- Identity-aware and context-sensitive enforcement: Authorization decisions are based on trusted identities, applications, and claims. An extensible end-user security context evaluates user identities, application settings, and environmental attributes (such as a user's geographic location) to determine data access.
- Granular security: Attribute-based access control (ABAC) is applied at the row, column, and cell levels, providing precise control over which data elements each user can access.
- Dynamic masking: Sensitive data is masked dynamically based on cell-level authorization decisions and runtime context, ensuring that unauthorized values are never exposed.
- Authorization APIs: Specialized APIs enable applications to pre-authorize access, supporting streamlined and secure end-user experiences.
- Controlled privilege elevation: Trusted application code can temporarily elevate user privileges to execute specific authorized operations, without granting those privileges to the user permanently.
- Mandatory access control: Non-discretionary access control is enforced by a central administrator, applying security rules uniformly across all subjects (end users, applications, agents) and database objects (tables and views).
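
The row-, column- and cell-level enforcement and dynamic masking described in the list above can be modeled in a few lines. This is an added Python illustration, not Oracle code and not Deep Sec syntax; the `Context` fields, the `POLICY` rules, the sample table and the use of `None` as the mask value are all assumptions made for the example.

```python
from dataclasses import dataclass

MASK = None  # assumption of this model: a masked cell comes back as None

@dataclass(frozen=True)
class Context:
    """End-user security context: identity, application, environment."""
    user: str
    roles: frozenset
    app: str
    location: str

# Constructed sample rows (not real data).
EMPLOYEES = [
    {"id": 1, "name": "Ana", "manager": "kim", "region": "EU", "salary": 90000, "ssn": "000-00-0001"},
    {"id": 2, "name": "Raj", "manager": "kim", "region": "US", "salary": 85000, "ssn": "000-00-0002"},
    {"id": 3, "name": "Lee", "manager": "omar", "region": "EU", "salary": 70000, "ssn": "000-00-0003"},
]

# Hypothetical policy, declared as data and kept apart from the query code.
POLICY = {
    # Row level: HR sees every row, anyone else only their direct reports.
    "row": lambda ctx, row: "hr" in ctx.roles or row["manager"] == ctx.user,
    # Column level: depends on the context only, so it applies to every row.
    "column": {"ssn": lambda ctx: "hr" in ctx.roles and ctx.app == "hr_portal"},
    # Cell level: depends on context and row, so one column can be visible
    # in some rows and masked in others.
    "cell": {"salary": lambda ctx, row: row["manager"] == ctx.user
             or ("hr" in ctx.roles and ctx.location == row["region"])},
}

def authorized_view(ctx, rows=EMPLOYEES, policy=POLICY):
    """Return the rows and cell values this context is authorized to see."""
    result = []
    for row in rows:
        if not policy["row"](ctx, row):
            continue  # unauthorized rows are absent, not masked
        visible = {}
        for col, value in row.items():
            col_rule = policy["column"].get(col)
            cell_rule = policy["cell"].get(col)
            if col_rule is not None and not col_rule(ctx):
                value = MASK
            elif cell_rule is not None and not cell_rule(ctx, row):
                value = MASK
            visible[col] = value  # columns with no rule pass through
        result.append(visible)
    return result
```

In this model an HR user located in the EU sees all three rows but only the EU salaries, and the same user coming through a different application loses the `ssn` column entirely.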