
How does Oracle manage database security? Discuss


Introduction to Database Security

Database security entails allowing or disallowing user actions on the database and the objects within it. Oracle uses schemas and security domains to control access to data and to restrict the use of various database resources.
Oracle provides comprehensive discretionary access control. Discretionary access control regulates all user access to named objects through privileges. A privilege is permission to access a named object in a prescribed manner; for example, permission to query a table. Privileges are granted to users at the discretion of other users.

Database Users and Schemas

Each Oracle database has a list of user names. To access a database, a user must use a database application and attempt a connection with a valid user name of the database. Each user name has an associated password to prevent unauthorized use.

Security Domain

Each user has a security domain—a set of properties that determine such things as:
  • The actions (privileges and roles) available to the user
  • The tablespace quotas (available disk space) for the user
  • The system resource limits (for example, CPU processing time) for the user
Each property that contributes to a user's security domain is discussed in the following sections.

Privileges

A privilege is a right to run a particular type of SQL statement. Some examples of privileges include the right to:
  • Connect to the database (create a session)
  • Create a table in your schema
  • Select rows from someone else's table
  • Run someone else's stored procedure

Roles

Oracle provides for easy and controlled privilege management through roles. Roles are named groups of related privileges that you grant to users or other roles.

Profiles and Resource Limits

Each user is assigned a profile that specifies limitations on several system resources available to the user, including the following:
  • Number of concurrent sessions the user can establish
  • CPU processing time available for the user's session and a single call to Oracle made by a SQL statement
  • Amount of logical I/O available for the user's session and a single call to Oracle made by a SQL statement
  • Amount of idle time available for the user's session
  • Amount of connect time available for the user's session
  • Password restrictions:
    • Account locking after multiple unsuccessful login attempts
    • Password expiration and grace period
    • Password reuse and complexity restrictions

Authentication by the Oracle Database

Oracle can authenticate users attempting to connect to a database by using information stored in that database.

Password Encryption

To protect password confidentiality, Oracle always encrypts passwords before sending them over the network. Oracle encrypts the passwords using a modified AES (Advanced Encryption Standard) algorithm.

Account Locking

Oracle can lock a user's account after a specified number of consecutive failed log-in attempts. You can configure the account to unlock automatically after a specified time interval or to require database administrator intervention to be unlocked. The database administrator can also lock accounts manually, so that they must be unlocked explicitly by the database administrator.
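
The security domain described in the sections above (a role carrying privileges, a tablespace quota, a profile with resource and password limits, and account locking) can be put together as follows. This is an added example, not code from the original post; the names app_user_profile, report_reader, app_reporter, the hr.employees table, the users tablespace and the password are assumed placeholders.

```sql
-- Added example; every object name below is an assumed placeholder.
-- Profile resource limits are enforced only when RESOURCE_LIMIT is TRUE;
-- password limits are enforced regardless of that setting.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

CREATE PROFILE app_user_profile LIMIT
  SESSIONS_PER_USER          2         -- concurrent sessions
  CPU_PER_SESSION            60000     -- hundredths of a second
  CPU_PER_CALL               3000      -- hundredths of a second
  LOGICAL_READS_PER_SESSION  1000000   -- data blocks
  LOGICAL_READS_PER_CALL     100000    -- data blocks
  IDLE_TIME                  15        -- minutes
  CONNECT_TIME               480       -- minutes
  FAILED_LOGIN_ATTEMPTS      5         -- consecutive failures before locking
  PASSWORD_LOCK_TIME         1/24      -- days: unlock automatically after 1 hour
                                       -- (UNLIMITED would require a DBA unlock)
  PASSWORD_LIFE_TIME         90        -- days until the password expires
  PASSWORD_GRACE_TIME        7         -- days of grace after expiration
  PASSWORD_REUSE_TIME        365       -- days before an old password is reusable
  PASSWORD_REUSE_MAX         10;       -- and password changes needed before reuse
-- Complexity rules are attached with PASSWORD_VERIFY_FUNCTION, which must name
-- a verification function installed in the database (not set here).

-- Role: a named group of privileges, granted as a unit.
CREATE ROLE report_reader;
GRANT CREATE SESSION TO report_reader;          -- connect to the database
GRANT SELECT ON hr.employees TO report_reader;  -- query someone else's table

-- User: password, tablespace quota and profile define the security domain.
CREATE USER app_reporter IDENTIFIED BY "Placeholder_Chang3_Me"
  DEFAULT TABLESPACE users
  QUOTA 50M ON users
  PROFILE app_user_profile
  PASSWORD EXPIRE;                              -- force a change at first login
GRANT report_reader TO app_reporter;

-- Manual lock and explicit unlock by the database administrator.
ALTER USER app_reporter ACCOUNT LOCK;
ALTER USER app_reporter ACCOUNT UNLOCK;

-- Verify what is actually in force.
SELECT username, account_status, lock_date, profile
  FROM dba_users WHERE username = 'APP_REPORTER';
SELECT resource_name, resource_type, limit
  FROM dba_profiles WHERE profile = 'APP_USER_PROFILE';
```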

Authentication by the Secure Socket Layer Protocol

The Secure Socket Layer (SSL) protocol is an application layer protocol. Users identified either externally or globally (external or global users) can authenticate to a database through SSL.

Authentication of Database Administrators

Database administrators perform special operations (such as shutting down or starting up a database) that should not be performed by normal database users. Oracle provides a more secure authentication scheme for database administrator user names.
