data in other schemas unless that access is specifically granted to them or to a special user named
PUBLIC. Anything granted to PUBLIC is granted to all users. See Table 2-2 for a list of the Oracle roles we will
discuss.
Table 2-2. Oracle Roles We Will Use or Create

Role Name            Description
DBA                  This predefined role comes with Oracle upon installation and provides system administrative privileges for the database; we will not grant this role to any user.
CONNECT              This predefined role allows users to connect to Oracle; we are encouraged not to use predefined roles, so we won't.
create_session_role  Our role to allow users to connect to Oracle.
secadm_role          Our security administrator role; we will grant the privileges required to perform security administration to this role, and we will grant this role to the SECADM user.
hrview_role          Our secure application role for granting access to data in the human resources (HR) sample schema.
appsec_role          A non-default role used by APPSEC when configuring application security.
appver_role          Secure application role for running application verification, which I cover in Chapter 10.
The DBA Role
The DBA role is named for the job it enables: database administrator. It is similar to the SYSDBA super
system privilege. Traditionally, the DBA role was granted to those users who needed to manage the
database. The DBA role is almost as powerful as the SYSDBA privilege, but it can be modified to have some
of its privileges removed.
In recent releases of Oracle, database administrators have been discouraged from using the DBA
role. Rather, they are encouraged to create their own roles and to grant just those administrative
privileges that are required. Therefore, we will not grant the DBA role to any user.
We will be creating a security administrator role, secadm_role . We will use this role for most of our
administrative actions. It will have a variety of privileges, but only those required for the scope of this
book. This approach adheres to the concept of “least privilege,” which means providing only the
privileges required for the task at hand.
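The following SQL is an added illustration of the role layout just described; it is not the book's own script, and the particular privileges granted to secadm_role, the SECADM password, and the DEFAULT ROLE choice are assumptions made for the example. It creates a connect role carrying only CREATE SESSION in place of the predefined CONNECT role, a scoped security administrator role in place of DBA, grants both to the SECADM user, and then queries the data dictionary to confirm what each role carries, that DBA has not been handed to any ordinary user, and what PUBLIC has been granted.

```sql
-- Added example (not from the book). Run as a user able to create roles and
-- users, e.g. SYS AS SYSDBA. The privilege list for secadm_role, the password
-- and the DEFAULT ROLE setting below are assumptions for illustration only.

-- 1. Connect role: CREATE SESSION and nothing else, instead of CONNECT.
CREATE ROLE create_session_role;
GRANT CREATE SESSION TO create_session_role;

-- 2. Security administrator role: only the administrative privileges the
--    security admin needs (assumed set), instead of the DBA role.
CREATE ROLE secadm_role;
GRANT CREATE USER, ALTER USER, DROP USER TO secadm_role;
GRANT CREATE ROLE, DROP ANY ROLE, GRANT ANY ROLE TO secadm_role;

-- 3. The SECADM user (placeholder password) receives both roles.
CREATE USER secadm IDENTIFIED BY ChangeMe_Placeholder1;
GRANT create_session_role TO secadm;
GRANT secadm_role TO secadm;

-- Optional (assumption): make secadm_role non-default so SECADM must
-- SET ROLE secadm_role explicitly before doing administrative work.
ALTER USER secadm DEFAULT ROLE ALL EXCEPT secadm_role;

-- 4a. Check: which system privileges does each of our roles actually carry?
SELECT grantee AS role_name, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee IN ('CREATE_SESSION_ROLE', 'SECADM_ROLE')
 ORDER BY grantee, privilege;

-- 4b. Check: which roles does SECADM hold, and which are default?
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'SECADM';

-- 4c. Check: confirm the DBA role was not granted to any ordinary user.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- 4d. Check: what is granted to PUBLIC (and therefore to every user)?
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name;
```

Queries 4a through 4d are the verification step: a least-privilege design is only as good as what the dictionary says was actually granted, so re-run them after any change. A non-empty result from 4c, or an unexpected object privilege for PUBLIC in 4d, is the kind of finding that undoes the separation the roles were meant to provide.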
Oracle Database Vault is a product that allows you to use DBA and other privileged roles while
restricting their access. This is geared toward Department of Defense and national security users, where
a database administrator does not necessarily have access to the data.