In effect, the security policy function generates a WHERE condition that is appended to a SQL statement, thereby restricting the users access to rows of data in the table or view. Fine-grained access control is a feature of Oracle that enables you to implement security policies with functions, and to associate those security policies with tables or views. Views are discussed in Chapter 20, "Managing Views, Sequences, and Synonyms".Īnother means of implementing data security is through fine-grained access control and use of an associated application context. They can exclude columns containing sensitive data.
Views can also implement data security because their definition can restrict access to table data. Privileges and roles are discussed in Chapter 25, "Managing User Privileges and Roles". A role is a set of privileges grouped together that can be granted to users. Some means of implementing data security include system and object privileges, and through roles. However, if data is sensitive, a security policy should be developed to maintain tight control over access to objects. If information is not sensitive, then the data security policy can be more lax. Overall data security should be based on the sensitivity of data. Alternatively, it might be necessary for data security to be very controlled when you want to make a database or security administrator the only person with the privileges to create objects and grant access privileges for objects to roles and users. For example, it may be acceptable to have little data security in a database when you want to allow any user to create any schema object, or grant access privileges for their objects to any other user of the system.
Your data security policy is determined primarily by the level of security you want to establish for the data in your database. Your data security policy should also define the actions, if any, that are audited for each schema object. For example, user scott can issue SELECT and INSERT statements but not DELETE statements using the emp table. Your data security policy determines which users have access to a specific schema object, and the specific types of actions allowed for each user on the object. Your operating system specific Oracle documentation contains more information about operating system security issuesĭata security includes the mechanisms that control the access to and use of the database at the object level.
User Authenticationĭatabase users can be authenticated (verified as the correct person) by Oracle using database passwords, the host operating system, network services, or by Secure Sockets Layer (SSL). Regardless, only trusted individuals should have the powerful privileges to administer database users. On the other hand, there may be a number of administrators with privileges to manage database users. Depending on the size of a database system and the amount of work required to manage database users, the security administrator may be the only user with the privileges required to create, alter, or drop database users.
Therefore, tight security should be maintained for the management of database users. Database User Managementĭatabase users are the access paths to the information in an Oracle database. A database's security policy should include several sub-policies, as explained in the following sections. However, if the database system is large, a special person or group of people may have responsibilities limited to those of a security administrator.Īfter deciding who will manage the security of the system, a security policy must be developed for every database. If the database system is small, the database administrator may have the responsibilities of the security administrator. This section describes aspects of system security policy, and contains the following topics:Įach database has one or more administrators who are responsible for maintaining all aspects of the security policy: the security administrators. This chapter provides guidelines for developing security policies for database operation, and contains the following topics:
0 kommentar(er)
