Oracle security, from the ground up

There are so many facets to Oracle security that it can seem imposible to keep up with them all. This short article from Don Burleson is a nice refresher on some of the major areas of Oracle database security.

The article pays specific attention to the use of Oracle’s Virtual Private database feature and how it can be used to restrict access based on data values. With the complexity of Oracle it is nice to have these short articles on specific topics and features

One thought on “Oracle security, from the ground up”

  1. Hi Jon,

    Is there an extension to this paper other than the single page. It starts by bullet pointing the security and audit options and says it will overview/review each but none of the audit options are covered. It looks like its complete as there is a conclusion but some of the promised material is not there.

    Also in the VPD section the paper says:

    “Web Apps—A single user accesses the database, hence row-level security can easily differentiate between users”

    This is not quite true, RLS does not differentiate between users, it is used to control access to data (rows), you, the implementor must add the logic to decide who can access which records and hence the programmer decides which users can access what. Maintaining user identity is supported through RLS in that RLS works with other features such as oci connection pooling, proxy accounts, application contexts, namespaces and so on – david Knox’s book is a great resource for details on these technologies and also in maintaining identities of users. If the application supports user identity at the Web App level then RLS/VPD can work with it not the other way round. VPD doesnt provide the functionallity to differentiate users at the web level.

    I have done quite a lot of work with VPD, FGA and application contexts particularly with E-Business Suite over the last few years and find it to be great technology but tricky to get right.

    I wrote a two part paper some time back on VPD – links are available on my Oracle Security white papers page if anyone is interested.



Leave a Reply

Your email address will not be published. Required fields are marked *