Security management is typically performed at three different levels:
• Database level
• Operating system level
• Network level
At the operating system level, DBAs should have the ability to create and delete files
related to the database, whereas typical database users do not need these privileges.
Oracle includes operating system-specific security information as part of its standard
documentation set. In many large organizations, DBAs or database security administrators
work closely with computer system administrators to coordinate security specifications
and practices.
Database security specifications control user database access and place limits on user
capabilities through the use of username/password pairs. Such specifications may limit
the allocation of resources (disk and CPU) to users and mandate the auditing of users.
Database security at the database level also provides control of the access to and use of
specific schema objects in the database. We believe that implementing data security in
the database is a best practice, rather than using security controls in applications or
other layers of the technology stack. However, as you will see, there are features in the
Oracle Database that can work with concepts like application users.
Usernames, Privileges, Groups, and Roles
The DBA or database security administrator creates usernames that can be used to connect
to the database. Two user accounts are automatically created as part of the installation
process and are assigned the DBA role: SYS and SYSTEM. (The DBA role is
described in a later section.)
Each database username has a password associated with it that prevents unauthorized
access. A new or changed password should:
• Contain at least eight characters
• Contain at least one number and one letter
• Not be the username reversed
• Differ from the username, and from the username with any number from 1 through 100 appended
• Not match any word on an internal list of simple words
• Differ from the previous password (if there is one) by at least three characters
• Since 11g, passwords can require mixed-case characters
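The password rules listed above, written as an offline checker (an added example, not Oracle's own verification code and not from the original text). The simple-word list, the case-insensitive comparisons and the character-difference metric are assumptions, since the page does not specify them.

```python
import re

# Constructed stand-in: the page does not enumerate the internal simple-word list.
SIMPLE_WORDS = {"welcome1", "password1", "database1", "abcdefg1"}

def difference(old, new):
    """Assumed metric: positions that differ plus the difference in length."""
    changed = sum(1 for a, b in zip(old, new) if a != b)
    return changed + abs(len(old) - len(new))

def password_violations(username, new, old=None, require_mixed_case=False):
    """Return the rules that `new` breaks; an empty list means it passes."""
    user, pw = username.lower(), new.lower()  # assumption: case-insensitive match
    problems = []
    if len(new) < 8:
        problems.append("fewer than eight characters")
    if not (re.search(r"[0-9]", new) and re.search(r"[A-Za-z]", new)):
        problems.append("needs at least one number and one letter")
    if pw == user[::-1]:
        problems.append("is the username reversed")
    if pw == user or any(pw == f"{user}{n}" for n in range(1, 101)):
        problems.append("is the username, alone or with 1 through 100 appended")
    if pw in SIMPLE_WORDS:
        problems.append("is on the simple-word list")
    if old is not None and difference(old, new) < 3:
        problems.append("differs from the previous password by fewer than three characters")
    if require_mixed_case and not (re.search(r"[a-z]", new) and re.search(r"[A-Z]", new)):
        problems.append("needs both upper- and lower-case letters")
    return problems

if __name__ == "__main__":
    # Constructed candidates for a hypothetical account named "scott".
    for candidate in ("scott42", "ttocs", "welcome1", "Harbor7Lantern"):
        print(candidate, "->", password_violations("scott", candidate) or "ok")
```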