Presentation on SECURITY
By Office of the A.G. (A&E) Punjab, Chandigarh
Security features in Oracle and its implementation in the existing application
Security features in ORACLE
Different levels of security in Oracle
• Account security for validation of users
• Access security for database objects
• System-level security for managing global privileges
Users & Security
Security Domain
• Default Tablespace & Temporary Tablespace
• Tablespace Quota
• Resource Limit
• Direct Privileges
• Role Privileges
• Account Locking
Creating New Users
• Authentication with user name
• Decide quotas for each Tablespace
• Default Tablespace and Temporary Tablespace
• Grant privileges and roles to the user
• Use a Profile to place limits on the database resources available to users
• Use a standard password initially
• Use the EXPIRE keyword to force users to reset their password
• Restrict quotas to few users – use QUOTA UNLIMITED with caution
• Educate users
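The checklist above, carried out as a single CREATE USER statement plus the minimum grants. This is an added example, not a script from the presentation or from the VLC package; the user name APP_USER1, the tablespaces USERS and TEMP, the role APP_READER, the table HR.EMPLOYEE and the profile APP_PROFILE (assumed to exist already) are assumptions for illustration.

```sql
-- Added example: create a user following the slide's checklist.
-- APP_USER1, USERS, TEMP, APP_PROFILE, APP_READER and HR.EMPLOYEE are assumed names.
CREATE USER app_user1 IDENTIFIED BY "Initial#Pass2024"   -- standard initial password
  DEFAULT TABLESPACE users                                -- never leave this as SYSTEM
  TEMPORARY TABLESPACE temp
  QUOTA 50M ON users                                      -- bounded quota, not UNLIMITED
  PROFILE app_profile                                     -- resource/password limits via profile
  PASSWORD EXPIRE;                                        -- user must change password at first login

-- CREATE SESSION is the only privilege needed to connect; add more only as required
GRANT CREATE SESSION TO app_user1;

-- Object access goes through a role, so it can be reviewed and revoked in one place
CREATE ROLE app_reader;
GRANT SELECT ON hr.employee TO app_reader;
GRANT app_reader TO app_user1;

-- Check the account as the DBA views will show it
SELECT username, account_status, default_tablespace, temporary_tablespace, profile
  FROM dba_users
 WHERE username = 'APP_USER1';

SELECT tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'APP_USER1';
```

After the first login the ACCOUNT_STATUS column changes from EXPIRED to OPEN once the user has set a new password; the quota shows up in DBA_TS_QUOTAS as MAX_BYTES = 52428800 rather than -1 (which would mean unlimited).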
Tools for DBA to monitor users
DBA_USERS
• USERNAME
• USER_ID
• CREATED
• ACCOUNT_STATUS
• LOCK_DATE
• EXPIRY_DATE
• DEFAULT_TABLESPACE
• TEMPORARY_TABLESPACE
DBA_TS_QUOTAS
• USERNAME
• TABLESPACE_NAME
• BYTES
• MAX_BYTES
• BLOCKS
• MAX_BLOCKS
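The two views above are most useful as a set of standing review queries. The queries below are an added example, not part of the presentation; they use only the columns listed on the slide and assume nothing about the local schema.

```sql
-- Added example: routine checks a DBA can run against DBA_USERS and DBA_TS_QUOTAS.

-- 1. Accounts that are not simply OPEN (locked, expired, or expired(grace))
SELECT username, user_id, created, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE account_status <> 'OPEN'
 ORDER BY account_status, username;

-- 2. Passwords that expire within the next 7 days (send reminders before lockout)
SELECT username, expiry_date
  FROM dba_users
 WHERE expiry_date BETWEEN SYSDATE AND SYSDATE + 7
 ORDER BY expiry_date;

-- 3. Users whose default tablespace is SYSTEM (objects would land in the data dictionary tablespace)
SELECT username, default_tablespace
  FROM dba_users
 WHERE default_tablespace = 'SYSTEM'
   AND username NOT IN ('SYS', 'SYSTEM');

-- 4. Unlimited quotas: MAX_BYTES = -1 means QUOTA UNLIMITED on that tablespace
SELECT username, tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE max_bytes = -1
 ORDER BY username;

-- 5. Users who have used more than 80% of a bounded quota
SELECT username, tablespace_name,
       ROUND(bytes / max_bytes * 100, 1) AS pct_used
  FROM dba_ts_quotas
 WHERE max_bytes > 0
   AND bytes > 0.8 * max_bytes
 ORDER BY pct_used DESC;
```

Query 4 only reports quotas set on individual tablespaces; a user holding the UNLIMITED TABLESPACE system privilege does not appear in DBA_TS_QUOTAS at all and has to be found through DBA_SYS_PRIVS.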
Privileges for Oracle Users
Two types of privileges:
System: enable users to perform a particular action in the database
Object: enable users to access and manipulate a specific object
System Privileges
There are about 126 System Privileges.
The ANY keyword in a privilege signifies that the user has the privilege in every schema, for example:
CREATE ANY TABLE
DROP ANY TABLE
UPDATE ANY TABLE
CREATE ANY INDEX
The GRANT command adds a privilege to a user or a group of users:
grant CREATE SESSION, CREATE TABLE to SCOTT;
grant CREATE SESSION to JANE WITH ADMIN option;
The REVOKE command deletes privileges from a user or a group of users:
revoke CREATE TABLE from SCOTT;
revoke CREATE SESSION from JANE;
Tools to monitor System Privileges
Database: DBA_SYS_PRIVS
- GRANTEE
- PRIVILEGE
- ADMIN_OPTION
Session: SESSION_PRIVS
- PRIVILEGE
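The grant, revoke and monitoring slides above fit together as one review cycle: find the risky system privileges, then take them back with REVOKE. The block below is an added example, not from the presentation; the users SCOTT and JANE are the slide's own sample names, everything else is an assumption.

```sql
-- Added example: reviewing system privileges with DBA_SYS_PRIVS / SESSION_PRIVS
-- and correcting them with REVOKE. SCOTT and JANE are the slide's sample users.

-- 1. ANY privileges reach into every schema; list who holds them outside the DBA accounts
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- 2. ADMIN OPTION lets the grantee pass the privilege on to others
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA');

-- 3. Anything granted to PUBLIC is effectively granted to every user
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC';

-- 4. What the current session actually has (direct grants plus enabled roles)
SELECT privilege
  FROM session_privs
 ORDER BY privilege;

-- 5. Remediation: revoke what is not needed
REVOKE CREATE ANY TABLE FROM scott;

-- There is no syntax to drop only the ADMIN OPTION: revoke, then re-grant without it
REVOKE CREATE SESSION FROM jane;
GRANT CREATE SESSION TO jane;
```

GRANTEE in DBA_SYS_PRIVS may be a role rather than a user, so a complete picture of what a person can do also needs DBA_ROLE_PRIVS to map roles to users. Revoking a system privilege from a user does not cascade to the users that person granted it to while holding ADMIN OPTION; those grants have to be found with query 2 and revoked separately.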
Object Privileges
Object Privileges can be granted/revoked on different objects like Tables, Views, Sequences, Procedures etc. and are:
• ALTER
• DELETE
• EXECUTE
• INDEX
• INSERT
• REFERENCES
• SELECT
• UPDATE
The GRANT command adds a privilege to a user or a group of users:
grant EXECUTE on EMPLOYEE to SCOTT;
grant UPDATE (first_name, salary) on EMPLOYEE to SCOTT with grant option;
The REVOKE command deletes privileges from a user or a group of users:
revoke delete on EMPLOYEE from SCOTT;
revoke all on EMPLOYEE from JANE;
Tools to monitor Object Privileges
DBA_TAB_PRIVS
• GRANTEE
• OWNER
• TABLE_NAME
• GRANTOR
• PRIVILEGE
• GRANTABLE
DBA_COL_PRIVS
• GRANTEE
• OWNER
• TABLE_NAME
• COLUMN_NAME
• GRANTOR
• PRIVILEGE
• GRANTABLE
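The object-privilege grant, revoke and monitoring slides above can be exercised together on the slide's EMPLOYEE table. This is an added example, not from the presentation; the owning schema HR and the user SCOTT are assumed (SCOTT is the slide's sample user), and the column-level UPDATE grant mirrors the slide's own GRANT statement.

```sql
-- Added example: auditing object privileges with DBA_TAB_PRIVS / DBA_COL_PRIVS.
-- HR.EMPLOYEE and SCOTT are assumed names taken from the slides.

-- 1. Every privilege on one table, and whether the grantee can pass it on
SELECT grantee, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'HR'
   AND table_name = 'EMPLOYEE'
 ORDER BY grantee, privilege;

-- 2. Column-level grants on the same table (e.g. UPDATE on SALARY only)
SELECT grantee, column_name, privilege, grantor, grantable
  FROM dba_col_privs
 WHERE owner = 'HR'
   AND table_name = 'EMPLOYEE'
 ORDER BY grantee, column_name;

-- 3. Object privileges handed to PUBLIC outside the Oracle-supplied schemas
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name;

-- 4. Grants made WITH GRANT OPTION: the grantee can re-grant to anyone
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantable = 'YES'
UNION ALL
SELECT grantee, owner, table_name, privilege || ' (' || column_name || ')'
  FROM dba_col_privs
 WHERE grantable = 'YES';

-- 5. Remediation: take back the grant option by revoking and re-granting without it
REVOKE UPDATE ON hr.employee FROM scott;
GRANT UPDATE (first_name, salary) ON hr.employee TO scott;
```

Unlike system privileges, revoking an object privilege that was given WITH GRANT OPTION cascades: every grant SCOTT made of that privilege to other users is removed as well, so query 4 is worth running before and after the revoke to see what changed.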
AGVLC: THE EXISTING APPLICATION
Features of Security Module of VLC Package developed by NIIT
Security module has 10 different options which are as follows:
• Set AGVLC Password
• Change AGVLC Role password
• Application User
• Role Status
• AG dealing Section
• Map User/Section
• Map Module/Function
• Map Role/Module
• Map Role/User
• Map Function
VLC APPLICATION: ADDITIONAL SECURITY
User Profiles
• SESSIONS_PER_USER
• IDLE_TIME
• FAILED_LOGIN_ATTEMPTS
• PASSWORD_LIFE_TIME
• PASSWORD_LOCK_TIME
• PASSWORD_GRACE_TIME
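The six profile limits listed above, applied to an application account as one profile. This is an added example, not a script from the presentation or the NIIT package; the profile name VLC_USER_PROFILE, the user APP_USER1 and the specific limit values are assumptions chosen for illustration.

```sql
-- Added example: a profile carrying the six limits from the slide.
-- VLC_USER_PROFILE, APP_USER1 and the limit values are assumed.

-- Password limits in a profile are always enforced, but the resource limits
-- (SESSIONS_PER_USER, IDLE_TIME) are enforced only while RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET resource_limit = TRUE;

CREATE PROFILE vlc_user_profile LIMIT
  SESSIONS_PER_USER      2        -- at most two concurrent sessions per account
  IDLE_TIME              30       -- minutes of inactivity before the session is terminated
  FAILED_LOGIN_ATTEMPTS  5        -- lock the account after five consecutive wrong passwords
  PASSWORD_LOCK_TIME     1/24     -- days the account stays locked (fraction allowed: 1 hour)
  PASSWORD_LIFE_TIME     90       -- days a password may be used before it expires
  PASSWORD_GRACE_TIME    7;       -- days of warning after expiry before logins are refused

-- Attach the profile to an existing user (new users take it via CREATE USER ... PROFILE)
ALTER USER app_user1 PROFILE vlc_user_profile;

-- Confirm what is in effect; UNLIMITED or DEFAULT shows a limit that was not set
SELECT resource_name, resource_type, limit
  FROM dba_profiles
 WHERE profile = 'VLC_USER_PROFILE'
 ORDER BY resource_type, resource_name;

-- An account locked by FAILED_LOGIN_ATTEMPTS reopens by itself after PASSWORD_LOCK_TIME,
-- or the DBA can reopen it immediately:
ALTER USER app_user1 ACCOUNT UNLOCK;
```

Any limit not named in CREATE PROFILE is inherited from the DEFAULT profile, so the DBA_PROFILES query is the way to confirm that, for example, FAILED_LOGIN_ATTEMPTS is really 5 and not whatever DEFAULT currently carries.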