ANY privileges, 97, 125
AOS_COMMON_AUDIT_TRAIL view, 290
Apache 2.0, 451
APEX (Application Express), 5, 434–459, 462–496
architecture, 435–437
Audit Vault reports and, 80
authentication schemes, 462–468
authorization schemes, 468–471
components and configurations, 434
cross-site scripting and, 476–478
database connections and, 436–437
database roles and, 437–438
Database Vault and, 457–459
fine-grained auditing and, 489–496
item-based policy, 484–486
mod_rewrite and, 447–449
mod_security and, 449–451
network topology, 445–447
password protection, 445, 463–468, 482
preventing unauthorized access to, 443–444
Runtime Only installation of, 443–444
schema protection, 456–459
security settings, 439–443
sessions, 438–439
SQL injection attacks and, 472–476
SSL/TLS techniques, 451–456
summaries of, 459, 496
URL tampering and, 478–483
VPD integration with, 484–489
web-based attack prevention, 449–451
XSS attacks and, 476–478
APEX_ADMINISTRATOR_ROLE, 440
APEX_INSTANCE_ADMIN package, 440
APEX_PUBLIC_USER schema, 445, 490–491
application accounts, 229, 243–244
application administrators/developers, 18, 235–239
creating roles for, 245–262
privileges granted to, 235–236
separation of duties for, 236–239
application code
factors used in, 223–224
See also PL/SQL routines; SQL statements
application data analyst, 237, 259–262
application data manager, 236, 256–259, 299
application DBA pattern, 132–135
application design
command rules and, 267–280
factors and, 209–224
importance of security in, 200, 284
notional architecture for, 200–202
object-owner accounts and, 229–231
realms and, 224–228
SARs and, 281–284
secure schemas under DBV, 228–231, 239–267
security profiles and, 202, 205–209
use cases and scenarios, 202–205
user access accounts and, 231–239
Application Express See APEX
application maintenance administrator, 236, 252–256, 299
application security, 4, 200
application security administrator, 236, 246–252
EUS-based, 303, 305
privileges granted to, 299
applications
DBV applied to existing, 288, 352–353
factors incorporated into, 220–224
notional database example, 200–202
securing public-facing, 532–533
Applied Cryptography: Protocols, Algorithms, and Source Code in C (Schneier), 24
architecture
APEX, 435–437
Audit Vault, 69–70
notional, 200–202
OES, 380, 381
OID, 407
OIM, 402–403
Oracle BI, 502–504
OVD, 410–413
RAC, 71, 74
SOA, 11–12
ARCHIVELOG mode, 75
ASO (Advanced Security Option), 33, 163, 186, 447
ASO PKI/SSL authentication, 185–187
asymmetric key encryption, 25
attestation, 399–400
attributes
identity, 217–218, 307–308
reconciling, 399
audit data warehouse, 59–63
explanation of, 59–60
objectives of, 60–63
securing data at, 63
audit logs, 62, 87–88
audit patterns
known, 64–66
unknown, 66–67
audit trails
analyzing, 290–291
protecting the integrity of, 278–279
retention requirements, 280
testing, 280–281
Audit Vault, 68–89
alerts, 80–84
architecture, 69–70
audit policy management, 84–86
caveats for installing, 75–79
installation options, 70–79
intent in creating, 59–60
log files, 87–88
maintenance operations, 86–88
plan for installing, 75
report creation, 79–80
summary of, 88–89
users and roles, 76–77
Audit Vault collection agent
architecture, 69, 70
installing, 71–75, 77–79
log files, 87–88
Audit Vault Control (AVCTL) utility, 76
Audit Vault Server
architecture, 69, 70
installing, 70–71
log files, 87
auditing, 58–89
alerts used in, 68, 80–84
analysis of, 290–291
APEX policy for, 489–496
audit warehouse and, 59–63
best practices for, 67–68
capture process in, 289–290
conditional, 99
DBV events, 73, 115
factors, 162, 185
fine-grained, 6, 73, 85, 489–496
GRC perspective on, 58
guiding principles for, 63–64
known patterns, 64–66
maintenance operations for, 86–88
managing policy for, 84–86
nonsecurity reasons for, 59
object-level, 226–227, 293–294
Oracle Audit Vault for, 68–89
Oracle BI and, 563–567
preparations for, 288–289
realms, 126–127
removing data from, 86
reports based on, 79–80
rule sets, 148–149
SAR violations, 196, 197
securing records from, 62–63
suggested targets for, 68
summary of, 88–89
system-level, 280–281
testing effectiveness of, 280–281
unknown patterns, 66–67
usage tracking with, 566–567
audit_options parameter, 162
authentication
APEX, 462–468
ASO PKI/SSL, 185–187
built-in, 510
custom, 515
database, 375, 378, 379, 510, 514–515, 590–591
enterprise SSO, 374, 376
external, 510–515
fallback, 515
federated, 375, 377–378
internal, 589–590
LDAP, 512–514
multifactor, 98
Oracle BI, 510–516
proxy, 7, 302
Publisher, 515–516
RPD used for, 510
single sign-on, 374, 375–376
strong, 33, 375, 377
table-based, 511–512, 590
authentication management, 374–378
authorization
APEX, 468–471
Oracle BI, 516–524
Publisher, 524
realm, 130–136, 296–309
authorization management, 378–381
Auto Login, Oracle Wallet, 36–37
AV_ADMIN role, 76
AV_AGENT role, 77
AV_AUDITOR role, 76
avca.log file, 87
av_client-%g.log.n file, 87
avorcldb.log file, 87
AV_SOURCE role, 77
backup files
encryption wallet, 35
protecting data in, 29–30
RMAN for creating, 342–343
batch programs, 201
Bednar, Tammy, 69
best practices for auditing, 67–68
BI server See Oracle Business Intelligence
binary execution, 116
bind variables, 472, 475–476
binding adapter, 425
built-in authentication, 510
business congruency, 11–12
business intelligence (BI) systems, 60
analysis tools for, 61–62
challenges in securing, 499–501
data warehouse for, 61, 499–500
tasks involved in securing, 501–502
transactional systems vs., 499–500, 501
See also Oracle Business Intelligence
business logic tier, 402–403
business model filters, 516, 545–546
business use cases, 289
business use policies, 66
C
cache, Oracle BI, 531–532, 552–559
capture rules, 85
capturing audits, 289–290
cardholder data protection, 47–48
Cardholder Information Security Program (CISP), 47
catalog content security, 536–540
Center for Internet Security, 281
central issuance authority, 359
centralized database authentication, 378, 379
centralized security, 11
checksums, 481
check_user initialization block, 590, 591, 592
child factors, 165, 166–168
choose function, 547–548
clearanceCode attribute, 424
client identifiers, 540–541
client tier, 402
CLIENT_IDENTIFIER technique, 185
<CName><SName><Sld>.log file, 87
coarse-grained security profile, 205–208, 285
collectors
attributes of, 74
choosing types of, 72–74
functions performed by, 69, 70
non-Oracle database, 73
See also Audit Vault collection agent
column-level security, 547–551
choose function, 547–548
example for testing, 590
IndexCol function, 548–549
summary of, 549–551
columns
encrypting existing, 41–43
encrypting in a new table, 38–40
securing in Oracle BI, 547–551
viewing encrypted, 41
command rules, 104, 136–147
commands supported in, 143–144
components of, 139–143
controls enforced by, 140
DBV CONNECT, 144–147
establishing from conditions, 267–280, 311–318
explanatory overview of, 136–139
realms and, 137–138
rule sets and, 138
system-level auditing and, 280–281
commands
security by, 100
supported in command rules, 143–144
commercial off-the-shelf (COTS) applications, 22, 229
compliance
conditions based on, 207
factors based on, 215–216, 318
compliance and mandates discovery, 365–366
compliance regulations, 352
computer security field, 4
conditional auditing, 99
conditional security, 98–99
conditions
coarse-grained security profile, 207–208
command rules established from, 267–280, 311–318
factors based on business/system, 209–224
fine-grained security profile, 209
SARs established from, 281–284
configuration
APEX, 434
BI Publisher, 584–585
DBV policy, 106–110
OAM, 527–529
object-level auditing, 226–227
OVD server, 413–414
rule, 151–154
TDE, 45–55
conflict of interest
conditions based on, 207
factors based on, 216–217, 318
CONNECT operation, 144
connection pools, 184
APEX and, 436–437
data source type, 504–505
DBV SARs and, 281
function-based, 505–506
multiple, 506
Connection_Type factor, 164, 169–170
consolidated databases, 119–121, 352
constants
compliance regulations and, 215
factor identities as, 163
content security, 536–540
context-based security, 98–99
contexts
application, 184–185
conditions based on, 208
cookies, APEX, 441
coordinated maturity level, 368
CORPORATE_PASSWORD identity, 168–169, 170
CORPORATE_SSL identity, 168
CREATE PROCEDURE system privilege, 211
CREATE TABLE statement, 39
CREATE TABLESPACE command, 140
CREATE TRIGGER commands, 250
CREATE USER system privilege, 67, 104
credential store, 583–584
cross-site scripting (XSS), 449, 476–478
cryptography, 23–24
CSS attacks, 449–450
CSV files, 314
CTXSYS objects, 330, 332
custom authentication, 515
custom event handlers, 150–151, 348–352
custom table of usernames, 463–468
CUSTOMER_POLICY_DBA role, 250
customized alert handling, 84
D
DAD (Database Access Descriptor), 435, 445
dadTool, 445
dashboards, 587–588
data
auditing changes to, 73
backup file, 29
conditions based on, 208
encrypting, 28–32
exporting/importing, 52–53
factors based on, 220, 324–325
inferring information from, 501
mapping roles to, 364–365
viewing, 30–31
data access events, 73
data discovery, 361, 364–366
Data Guard
Audit Vault and, 71
TDE and, 49
data loading, 61
Data Pump, 52–53
data steward, 236, 256–259, 299
data tier, 403
data transformation, 61
data warehouse, 61, 499–500
Database Access Descriptor (DAD), 435, 445
database account administrator, 112
database accounts
object owner accounts, 13–14
user access accounts, 13, 14–16
database administrators (DBAs), 18
functions performed by, 201, 232
operational, 112–114, 237, 239–243
privileges granted to, 299
separation of duties for, 235–239
database applications
DBV applied to existing, 288, 352–353
factors incorporated into, 220–224
notional database example, 200–202
database authentication, 375, 378, 379, 510, 514–515, 590–591
Database Configuration Assistant (DBCA), 105
database connections
APEX and, 436–437
Oracle BI and, 531
database global role, 303, 304
database roles, 437–438
database scripts, 582–583
database security, 4
application design and, 200, 284–285
evolving technologies in, 6–8
existing applications and, 288, 352–353
Database Vault (DBV), 94–116, 118–198
administration roles, 105–106, 237–238, 262–264
APEX and, 457–459
application development and, 200, 284–285
auditing events in, 73, 115
buy-versus-build consideration, 116
code for disabling, 458
collection agent installation, 77
command rules, 104, 136–147, 267–281
components of, 100–104, 118
existing applications and, 288
Expression Filters and, 333–336
factors, 101, 115, 209–224
installing, 105–115
integration with database features, 329–344
login page, 107
monitoring and alerting features, 108, 344–352
Oracle BI and, 561–563
Oracle Recovery Manager and, 342–343
Oracle Spatial and, 332–333
Oracle Streams Advanced Queuing and, 336–341
Oracle Text and, 329–332
policy configuration, 106–110
realms, 102–104, 111, 118–136, 224–228, 296–309
refining policy for, 327
reports, 108
rule sets, 102, 135–136, 147–157, 348–352
secure application roles, 194–197, 281–284
secure schema implementation, 239–267
security issues addressed by, 94–100
separation of duty, 110–114
summary of, 198
TDE and, 341
database view, 410
databases
backup and recovery of, 342–343
consolidation of, 119–121, 352
direct requests of, 571–574
OVD integration with, 419–423
querying features of, 326
security breaches across, 66
datafiles, viewing, 30–31
DB2DB collectors, 73
DBA_COMMON_AUDIT_TRAIL view, 290
DBA_ENCRYPTED_COLUMNS view, 41
DBA_JAVA_POLICY view, 325
DBAs See database administrators
DBAUD collectors, 72, 74, 75
DBMS_AUDIT_MGMT package, 86
DBMS_CRYPTO package, 22
APEX and, 463–464
encrypting data using, 28, 32
TDE vs., 40–41
DBMS_FGA package, 491
DBMS_LDAP package, 520
DBMS_MACADM PL/SQL package, 108–110
ADD_POLICY_FACTOR procedure, 180
CREATE_FACTOR procedure, 162, 163
CREATE_MAC_POLICY procedure, 179–180
CREATE_POLICY_LABEL procedure, 180–181
DBMS_MACSEC_ROLES.SET_ROLE procedure, 195
DBMS_OBFUSCATION_TOOLKIT, 22
DBMS_RLS package, 171, 172
DBMS_SCHEDULER job, 79, 280, 326
DBMS_SESSION.SET_IDENTIFIER procedure, 184, 185, 190, 540
DBMS_UTILITY package, 140–142
DBSNMP account, 229–230
DBV See Database Vault
DBV CONNECT command rule, 144–147
DBVEXT.DBMS_MAC_EXTENSION package, 215, 241, 348
DBVEXT.EXTERNAL_RULE.AUTHORIZED function, 318
DBVOWNER account, 126
DDL commands
auditing, 68, 73
command rules and, 144
realm-protected objects and, 125
DDL triggers, 116
declarative framework, 99, 100, 116
dedicated accounts, 15
default account logon failure, 65–66
default privileges, 567–568
definer’s rights procedures, 7
DELETE privileges, 194, 317
dependency check, 324
deployment
DBV policy, 327–329
OIM component, 402–403
dequeuing messages, 339–341
direct database requests, 571–574
direct object privileges
command rules and, 137
realms and, 131, 137
Directory Integration Platform (DIP), 408–409
directory management, 373–374
directory replication, 408
directory services, 406–430
Oracle Internet Directory, 406–409
Oracle Virtual Directory, 409–430
Directory Services Markup Language (DSML), 411
directory virtualization, 373, 409–410
See also Oracle Virtual Directory
disaster recovery locations, 32
discovery in identity management, 361–366
information requirements, 364–366
people requirements, 361–362
process requirements, 363–364
discretionary account provisioning, 391–394
disk arrays, 31
DML commands
auditing, 73
command rules and, 143
DML triggers, 116
DMZ network, 446, 532
domain restrictions, 442
DROP ANY ROLE privilege, 246
DROP commands, 246–247
DROP INDEX statements, 333
DROP TABLE command, 139–140
DVA web application, 106–108
DV_ACCTMGR role, 76, 105, 106, 112
DV_ADMIN role, 105, 108, 111, 237
DVF.F$ factor function, 162, 189
DV_OWNER role, 76, 105, 108, 111, 237
DV_PUBLIC role, 223
DV_REALM_OWNER role, 105, 236, 245
DV_REALM_RESOURCE role, 105
DV_SECANALYST role, 105, 108, 238
DVSYS account, 147, 161
DVSYS.DBMS_MACADM PL/SQL package, 106, 108–110, 111
DVSYS.DBMS_MACSEC_ROLES.SET_ROLE procedure, 195
DVSYS.GET_FACTOR function, 162, 189, 223
DVSYS.SET_FACTOR function, 184, 189
dynamic group membership, 518–523
using LDAP directly, 520–521
using LDAP indirectly, 521–523
using tables, 518–520
dynamic server variables, 507
E
Effective Oracle by Design (Kyte), 407
Effective Oracle Database 10g Security By Design (Knox), 4, 23, 58, 119, 228, 302
e-mail
Audit Vault alerts via, 81
Oracle BI security, 530–531
Embedded PL/SQL Gateway (EPG), 434
emctl status dbconsole command, 106
employeeType attribute, 307
ENCRYPT directive, 39
encryption, 23–32
algorithms and keys, 24
applied example of, 31–32
basics of, 23–24
BI environment, 530–531
choices for, 24
column-level, 38–43
data, 28–32
file system, 32
goal of, 23
network, 33
programmatic, 32
public key, 25–27, 452
session state, 482–483
SSL, 27
strength of, 24
symmetric key, 24, 25, 27–28, 37
tablespace, 44–45
technical requirement for, 29–30
See also TDE
ENCRYPTION keyword, 35
encryption wallet, 34
ENCRYPTION_PASSWORD option, 53
ENCRYPTION_WALLET_LOCATION parameter, 34
end user access accounts See user access accounts
Enterprise Manager (EM)
database control GUI, 45, 46
statistics collection, 229
enterprise maturity, 366–369
enterprise role, 303, 304
Enterprise Security Manager (ESM), 232–233
enterprise single sign-on (eSSO), 374, 376
Enterprise User Security (EUS), 184, 217–218, 303–309, 378
Enterprise Users, 7
entitlement management, 380
era of governance, 58
error messages, 450–451
eval_options parameter
for factors, 162, 220
for rule sets, 145
EVALUATE operator, 334, 336
event functions, 154–155, 348–352
evolving technologies, 6–8
execute application roles, 264–267
EXEMPT ACCESS POLICY privilege, 561
EXPLAIN PLAN feature, 343–344
exporting encrypted data, 52–53
Expression Filters, 333–336
Extensible Access Control Markup Language (XACML), 371
external authentication methods, 510–515
custom authentication, 515
database user authentication, 514–515
LDAP authentication, 512–514
table-based authentication, 511–512
external systems
conditions based on data in, 208
factors based on data in, 220, 324–325
realm authorizations and, 303–309
extracting data, 61
F
factors, 101, 157–194
access path, 218–219, 322
assigning, 184–185
auditing, 162, 185
categories for identifying, 210–211
centralizing PL/SQL routines for, 211–215
compliance-based, 215–216, 318
condition and candidate, 210
conflict of interest, 216–217, 318
creating, 158–162
DBV usage of, 157
evaluation of, 162
explanation of, 101, 157
external systems and, 220, 324–325
functions of, 162
identities of, 163–174, 184–185
identity management, 217–218, 321–322
integrating with OLS, 174–189
naming, 161
operational context, 218–219, 323
Oracle BI and, 561–562
organizational policy, 217, 318
PL/SQL code and, 223–224, 325–326
retrieval method for, 158–162
rule sets and, 156–157
security-relevant, 115
separation of duty, 216–217, 318
time-based, 219–220, 319–321
transactional sequence-based, 323–324
validation of, 189–194
fallback authentication, 515
federated authentication, 375, 377–378
FGA See fine-grained auditing
file systems, encrypted, 32
file upload security, 441
filtering output, 450
filters
business model, 516, 545–546
expression, 333–336
fine-grained auditing (FGA), 6, 73, 85
APEX and, 489–496
factors used in, 222
fine-grained security profile, 208–209, 285
firewalls, 446, 532
Flashback feature, 494
folder-based security, 537–538
fraud prevention, 375, 377
functional use cases, 280
G
GATHER_STATS_JOB feature, 343
Generic Technology Connector (GTC), 397–398
geographic information system (GIS), 332
get_expr parameter, 162, 163
GET_FACTOR function, 157
get_groups initialization block, 590, 591, 592
GET_PRODUCT session variable, 543–544
global database, 76
global schema mapping, 303, 304
governance, era of, 58
government regulations, 10
GRANT ANY OBJECT privilege, 236
GRANT ANY ROLE privilege, 236
GRANT EXECUTE privilege, 154, 159
GRANT_OR_REVOKE_TO_SELF function, 241
graphical user interface (GUI), 45
GRC (Governance, Risk Management, and Compliance), 58, 88
group accounts, 229
group membership, 517–523
dynamic, 518–523
internal/external, 517–518
groups
Oracle BI, 516–523, 580
user, 387–388
web catalog, 516–517, 523, 537
H
handler routines, 150–151, 348–352
HANDLER_MODULE parameter, 494
hardware security modules (HSMs), 53–55
hash algorithms, 463
High Assistance Principle (HAP), 100
high-level usage analysis, 225
HIPAA (Health Insurance Portability and Accountability Act), 9
hire-to-retire process, 386
historical reporting, 401
HTTP protocol, 454–456, 478
HTTP server, 445–446, 479
HTTPS setting, 442, 454–456
hub-and-spoke architecture, 370
I
iBot security, 538–539
identify_by parameter, 163
identities, factor, 163–174
identity attributes, 217–218, 307–308
identity management, 358–383
architecting, 360–372
authentication solutions, 374–378
authorization solutions, 378–381
conditions based on, 207
core challenge of, 361
definition of, 361
directory management solution, 373–374
discovery phase in, 361–366
enterprise maturity and, 366–369
explanation of problems with, 358–360
factors based on, 217–218, 321–322
hub-and-spoke architecture for, 370
information requirements and, 364–366
LDAP directory and, 406
overview of solutions for, 372
people requirements and, 361–362
point-to-point architecture for, 369
process requirements and, 363–364
role mining and management solution, 381–383
SOS pattern for, 370, 371–372
summary of, 383
user provisioning solution, 372–373
See also Oracle Identity Manager
Identity Management Organizational Model (IMOM), 362
identity maps, 163–170
identity preservation, 7
identity propagation, 360
identity verification, 359
Impersonator user, 527–528
importing encrypted data, 52–53
IndexCol function, 548–549
indexes
Oracle Spatial, 333
Oracle Text, 330, 332
InetAD plug-in, 418
inetorgperson object class, 418, 419
information discovery, 364–366
initialization blocks, 508
INSERT command, 268
installing
Audit Vault, 70–79
Database Vault, 105–115
Oracle Virtual Directory, 413
INSTR_CALL_STACK function, 218
intellectual property, 10
internal authentication, 589–590
intrusion detection system (IDS), 324
invited nodes feature, 322
invoker’s rights procedures, 7
IP address restrictions, 441
IP_ADDRESS environment variable, 491
IS_APEX_SESSION_ONE function, 491
IT resources, 390
item-based policy, 484–486
J
Java Database Connectivity (JDBC), 281
Java Message Service (JMS), 84
Java stored procedures, 325
Java Virtual Machine (JVM), 96
JDBC drivers, 421
join rules, 429
join view, 424–430
adapter creation, 428–430
design considerations, 424–427
explained, 424
joiners, 425–426
K
keys, encryption, 24–28
known audit patterns, 64–66
L
label_function parameter, 221
label_indicator parameter, 165
layers of security, 11
LBACSYS account, 175, 177–178, 318
LDAP (Lightweight Directory Access Protocol), 7, 217, 303, 360, 371, 406
LDAP authentication, 512–514, 591–592
using directly for dynamic group membership, 520–521
using indirectly for dynamic group membership, 521–523
LDAP server
Oracle BI setup of, 512–514
OVD integration with, 415–419
LDAPBIND operation, 425
LDAP_DIRECTORY_ACCESS parameter, 321
least privileges, 13
LII algorithm, 180
Local Store Adapter (LSA), 414–415, 416
location-based services (LBS), 332
log files, Audit Vault, 87–88
LOGLEVEL session variable, 558
logon failures, 65–66
M
MAC algorithm, 463, 481
macro auditing, 59
maintenance
application administrator, 236, 252–256
Audit Vault, 86–88
Manage Cache utility, 558
managing security, 11
maps
database to OVD, 422, 423
global schema, 303, 304
identity, 163–170
role-to-data, 364–365
masking, 277
Master Key
HSM-managed, 54–55
TDE-managed, 37–38
maturity model framework, 367–369
MDSYS.SEM_INDEXTYPE index type, 333
MDSYS.SPATIAL_INDEX index type, 333
membership rules, 387–388
message authentication code (MAC), 463, 481
message queuing, 336–341
metadata, BI server, 542
meta-directory, 373, 409
micro auditing, 59
Microsoft Office plug-in, 525
mod_rewrite
APEX and, 447–449
SSL and, 456
mod_security, 449–451
monitoring
Database Vault, 108, 344–352
MSSQLDB collectors, 73
multifactor authentication, 98
multifactored security, 163, 171, 183
N
named accounts
creating administrators for, 262
post-configuration provisioning of, 267
realm authorizations and, 132–135
naming
factors, 161
schemas, 18–19
natural keys, 44
Needham, Paul, 69
network encryption, 33
network topology, 445–447
NO SALT directive, 39, 51
NOAUDIT command, 62
NOMAC directive, 51
normal use baseline, 66
NOT NULL value, 280
notional database applications, 200–202
example use case for, 203–205
requirements for, 200–201
NQS_PASSWORD_CLAUSE, 512
NULL value, 280
OAM See Oracle Access Manager
OBI See Oracle Business Intelligence
object privileges, 68, 131
object-level auditing, 226–227, 293–294
object-owner accounts, 13–14
group COTS, 229
Oracle Data Dictionary and, 332
realms and, 131–132, 292
system, 229–231
objects
identifying realms based on, 224–228
realm-protected, 111, 125–126, 226–228, 292–296
resource, in OIM, 390
Verb Object technique and, 205–206
OEM dbconsole, 106
OES See Oracle Entitlement Server
OETs (Oracle External Tables), 312–318
Office plug-in, Oracle BI, 525
OHS See Oracle HTTP Server
OID See Oracle Internet Directory
OIM See Oracle Identity Manager
OLS See Oracle Label Security
on-boarding process, 386
one-to-many joiner, 426
online redefinition, 42
online transaction processing (OLTP), 457
OPEN WALLET command, 55
operational context
conditions based on, 208
factors based on, 218–219, 323
operational database administrator, 112–114
creating role and accounts for, 239–243
privileges granted to, 299
separation of duties and, 237
operational reporting, 401
Oracle Access Manager (OAM), 375–376, 379, 462, 525–529
analyticsSOAP URL association, 529
Impersonator user configuration, 527–528
policy setup for Oracle BI, 526–527
presentation server configuration, 528–529
Oracle Adaptive Access Manager (OAAM), 377
Oracle Answers, 574
Oracle Application Server (OAS), 434
Oracle Audit Vault See Audit Vault
“Oracle Audit Vault Best Practices” (Bednar, Needham, and Shah), 69
Oracle Business Intelligence (Oracle BI), 498–533
Act As Proxy feature, 568–571
Advanced tab, 574–575
architecture, 502–504
auditing in, 563–567
authentication, 510–516, 589–592
authorization, 516–524
business model filters, 545–546
cache security, 531–532, 552–559
client identifiers, 540–541
column-level security, 547–551, 590
connection pools, 504–506
data access, 502–509
data security, 541–551
database auditing and, 565–567, 582
Database Vault and, 561–563
default privileges, 567–568
direct database requests, 571–574
direct server access, 575
e-mail security, 530
environment security, 530–531
examples of using, 580–592
factors and, 561–562
features with security implications, 567–576
groups, 516–517, 523, 580
metadata layers, 542
Office plug-in, 525
overview of, 498
password encryption, 530
permissions, 537–538
public-facing applications, 532–533
Publisher, 515–516, 524, 539–540, 584–585
realms and, 563
row-level security, 543–546, 559–561
security tasks, 501–502
single sign-on, 524–529, 592
SSL Everywhere feature, 530
steps for setting up, 583–586
subject area security, 542–543
summaries of, 533, 576–577
testing recommended for, 586–587
usage tracking feature, 564–565, 566–567, 585–586
variables, 506–509
VPD integration, 551–561
web catalog content security, 536–540
Web Services access, 576
See also business intelligence (BI) systems