Databases Reference
In-Depth Information
file authentication, the file is created with the ORAPWD utility. Users are added by SYS
or by those having SYSDBA privileges.
With each release of Oracle, fewer default users and passwords are
automatically created during database installation and creation.
Regardless, it is generally recommended practice to reset all default
passwords that are documented in Oracle.
These special roles are very powerful, granting broad powers to users. Some
organizations have granted these system roles to users who may not need all that
power. Oracle Database 12c includes the ability to analyze privileges to identify
users with broad privileges who do not need them.
Policies
A policy is a way to extend your security framework. You can specify additional
requirements in a policy that are checked whenever a user attempts to activate a role.
Policies are written in PL/SQL and can be used, for example, to limit access to a particular
IP address or to particular hours of the day.
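One way such a check could be written, as an added example that is not from the original text: a role that can only be enabled through a PL/SQL procedure which tests the client IP address and the time of day. The schema sec_admin, the role hr_clerk_role, the user app_user, the 10.0.5.x subnet and the 08:00-17:59 weekday window are all hypothetical.

```sql
-- Added example; every object name and limit below is an assumption.
-- Run from an account allowed to create roles and procedures in SEC_ADMIN.

-- The role is tied to one procedure: a plain SET ROLE cannot enable it.
CREATE ROLE hr_clerk_role IDENTIFIED USING sec_admin.enable_hr_clerk_role;

GRANT SELECT ON hr.employees TO hr_clerk_role;

-- A procedure that enables a role must run with invoker's rights.
CREATE OR REPLACE PROCEDURE sec_admin.enable_hr_clerk_role
  AUTHID CURRENT_USER
AS
  v_ip   VARCHAR2(45) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_hour PLS_INTEGER  := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
  v_day  VARCHAR2(3)  := TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH');
BEGIN
  -- IP_ADDRESS is NULL for local (non-network) connections: fail closed.
  IF v_ip IS NULL OR v_ip NOT LIKE '10.0.5.%' THEN
    RAISE_APPLICATION_ERROR(-20001, 'Role not available from this client');
  END IF;

  -- Allow Monday to Friday, 08:00 through 17:59 database server time.
  IF v_day IN ('SAT', 'SUN') OR v_hour NOT BETWEEN 8 AND 17 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Role not available at this time');
  END IF;

  -- SET_ROLE replaces the session's enabled roles with the ones named here.
  DBMS_SESSION.SET_ROLE('hr_clerk_role');
END enable_hr_clerk_role;
/

-- The user needs both the role grant and the right to run the check.
GRANT hr_clerk_role TO app_user;
GRANT EXECUTE ON sec_admin.enable_hr_clerk_role TO app_user;
```

The application calls sec_admin.enable_hr_clerk_role after connecting; when connections arrive through a middle tier, the address the database sees is that tier's address rather than the end user's.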
Since the release of Oracle Database 10g, Oracle Enterprise Manager has featured a visual
interface to a policy framework in the EM repository that aids management of database
security. Security policies or rules are built and stored in a policy library. Violations of
rules are reported as critical, warning, or informational through the EM interface. Out
of the box, security violations are checked on a daily basis. Policies may be adjusted
according to business demands, and violations can be overridden when they are
reported.
Restricting Data-Specific Access
There are situations in which a user will have access to a table, but not all of the data in
the table should be viewed. For example, you might have competing suppliers looking
at the same tables. You may want them to be able to see the products they supply and
the total of all products from suppliers, but not detailed information about their
competitors. There are a number of ways to do this, as we'll describe in the following sections,
using other examples from Human Resources (HR).
View-based security
You can think of views as virtual tables defined by queries that extract or derive data
from physical base tables. You can use views to present only the rows or columns that
a certain group of users should be able to access.