Oracle® Database Security Guide
10g Release 2 (10.2)

Part Number B14266-01

Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

Audience
Documentation Accessibility
Organization
Related Documentation
Conventions

What's New in Oracle Database Security?

New Features in Virtual Private Database
New Features in Auditing
New PL/SQL Encryption Package: DBMS_CRYPTO

Part I Overview of Security Considerations and Requirements

1 Security Requirements, Threats, and Concepts

1.1 Identity Management: Security in Complex, High-Volume Environments
1.1.1 Desired Benefits of Identity Management
1.1.2 Components of Oracle Identity Management Infrastructure

2 Security Checklists and Recommendations

2.1 Physical Access Control Checklist
2.2 Personnel Checklist
2.3 Secure Installation and Configuration Checklist
2.4 Networking Security Checklists
2.4.1 SSL Checklist
2.4.2 Client Checklist
2.4.3 Listener Checklist
2.4.4 Network Checklist

3 Security Policies and Tips

3.1 Introduction to Database Security Policies
3.1.1 Security Threats and Countermeasures
3.1.2 What Information Security Policies Can Cover
3.2 Recommended Application Design Practices to Reduce Risk
3.2.1 Tip 1: Enable and Disable Roles Promptly
3.2.2 Tip 2: Encapsulate Privileges in Stored Procedures
3.2.3 Tip 3: Use Role Passwords Unknown to the User
3.2.4 Tip 4: Use Proxy Authentication and a Secure Application Role
3.2.5 Tip 5: Use Secure Application Roles to Verify IP Address
3.2.6 Tip 6: Use Application Context and Fine-Grained Access Control

Part II Security Features, Concepts, and Alternatives

4 Authentication Methods

4.1 Authentication by the Operating System
4.2 Authentication by the Network
4.2.1 Authentication Using SSL
4.2.2 Authentication Using Third-Party Services
4.2.2.1 Kerberos Authentication
4.2.2.2 PKI-Based Authentication
4.2.2.3 Authentication with RADIUS
4.2.2.4 Directory-Based Services
4.3 Authentication by Oracle Database
4.3.1 Password Encryption While Connecting
4.3.2 Account Locking
4.3.3 Password Lifetime and Expiration
4.3.4 Password History
4.3.5 Password Complexity Verification
4.4 Multitier Authentication and Authorization
4.4.1 Clients, Application Servers, and Database Servers
4.4.2 Security Issues for Middle-Tier Applications
4.4.3 Identity Issues in a Multitier Environment
4.4.4 Restricted Privileges in a Multitier Environment
4.4.4.1 Client Privileges
4.4.4.2 Application Server Privileges
4.5 Authentication of Database Administrators

5 Authorization: Privileges, Roles, Profiles, and Resource Limitations

5.1 Introduction to Privileges
5.1.1 System Privileges
5.1.1.1 Granting and Revoking System Privileges
5.1.1.2 Who Can Grant or Revoke System Privileges?
5.1.2 Schema Object Privileges
5.1.2.1 Granting and Revoking Schema Object Privileges
5.1.2.2 Who Can Grant Schema Object Privileges?
5.1.2.3 Using Privileges with Synonyms
5.1.3 Table Privileges
5.1.3.1 DML Operations
5.1.3.2 DDL Operations
5.1.4 View Privileges
5.1.4.1 Privileges Required to Create Views
5.1.4.2 Increasing Table Security with Views
5.1.5 Procedure Privileges
5.1.5.1 Procedure Execution and Security Domains
5.1.5.2 System Privileges Needed to Create or Alter a Procedure
5.1.5.3 Packages and Package Objects
5.1.6 Type Privileges
5.1.6.1 System Privileges for Named Types
5.1.6.2 Object Privileges
5.1.6.3 Method Execution Model
5.1.6.4 Privileges Required to Create Types and Tables Using Types
5.1.6.5 Example of Privileges for Creating Types and Tables Using Types
5.1.6.6 Privileges on Type Access and Object Access
5.1.6.7 Type Dependencies
5.2 Introduction to Roles
5.2.1 Properties of Roles
5.2.2 Common Uses of Roles
5.2.2.1 Application Roles
5.2.2.2 User Roles
5.2.3 Granting and Revoking Roles
5.2.3.1 Who Can Grant or Revoke Roles?
5.2.4 Security Domains of Roles and Users
5.2.5 PL/SQL Blocks and Roles
5.2.5.1 Named Blocks with Definer's Rights
5.2.5.2 Anonymous Blocks with Invoker's Rights
5.2.6 DDL Statements and Roles
5.2.7 Predefined Roles
5.2.8 Operating System and Roles
5.2.9 Roles in a Distributed Environment
5.2.10 Secure Application Roles
5.2.10.1 Creation of Secure Application Roles
5.3 User Resource Limits
5.3.1 Types of System Resources and Limits
5.3.1.1 Session Level
5.3.1.2 Call Level
5.3.1.3 CPU Time
5.3.1.4 Logical Reads
5.3.1.5 Limiting Other Resources
5.4 Profiles
5.4.1 Determining Values for Resource Limits

6 Access Control on Tables, Views, Synonyms, or Rows

6.1 Introduction to Views
6.2 Fine-Grained Access Control
6.2.1 Dynamic Predicates
6.2.2 Application Context
6.2.3 Dynamic Contexts
6.3 Security Followup: Auditing and Prevention

7 Security Policies

7.1 System Security Policy
7.1.1 Database User Management
7.1.2 User Authentication
7.1.3 Operating System Security
7.2 Data Security Policy
7.3 User Security Policy
7.3.1 General User Security
7.3.1.1 Password Security
7.3.1.2 Privilege Management
7.3.2 End-User Security
7.3.2.1 Using Roles for End-User Privilege Management
7.3.2.2 Using a Directory Service for End-User Privilege Management
7.3.3 Administrator Security
7.3.3.1 Protection for Connections as SYS and SYSTEM
7.3.3.2 Protection for Administrator Connections
7.3.3.3 Using Roles for Administrator Privilege Management
7.3.4 Application Developer Security
7.3.4.1 Application Developers and Their Privileges
7.3.4.2 Application Developer Environment: Test and Production Databases
7.3.4.3 Free Versus Controlled Application Development
7.3.4.4 Roles and Privileges for Application Developers
7.3.4.5 Space Restrictions Imposed on Application Developers
7.3.5 Application Administrator Security
7.4 Password Management Policy
7.4.1 Account Locking
7.4.2 Password Aging and Expiration
7.4.3 Password History
7.4.4 Password Complexity Verification
7.4.4.1 Password Verification Routine Formatting Guidelines
7.4.4.2 Sample Password Verification Routine
7.5 Auditing Policy
7.6 A Security Checklist

8 Database Auditing: Security Considerations

8.1 Auditing Types and Records
8.1.1 Audit Records and Audit Trails
8.1.1.1 Database Audit Trail (DBA_AUDIT_TRAIL)
8.1.1.2 Operating System Audit Trail
8.1.1.3 Syslog Audit Trail
8.1.1.4 Operating System and Syslog Audit Records
8.1.1.5 Records Always in the Operating System and Syslog Audit Trail
8.1.2 When Are Audit Records Created?
8.2 Statement Auditing
8.3 Privilege Auditing
8.4 Schema Object Auditing
8.4.1 Schema Object Audit Options for Views, Procedures, and Other Elements
8.5 Focusing Statement, Privilege, and Schema Object Auditing
8.5.1 Auditing Statement Executions: Successful, Unsuccessful, or Both
8.5.2 Number of Audit Records from Multiple Executions of a Statement
8.5.2.1 BY SESSION
8.5.2.2 BY ACCESS
8.5.3 Audit by User
8.6 Auditing in a Multitier Environment
8.7 Fine-Grained Auditing

Part III Security Implementation, Configuration, and Administration

9 Secure External Password Store

9.1 How Does the External Password Store Work?
9.2 Configuring Clients to Use the External Password Store
9.3 Managing External Password Store Credentials
9.3.1 Listing External Password Store Contents
9.3.2 Adding Credentials to an External Password Store
9.3.3 Modifying Credentials in an External Password Store
9.3.4 Deleting Credentials from an External Password Store

10 Administering Authentication

10.1 User Authentication Methods
10.1.1 Database Authentication
10.1.1.1 Creating a User Who Is Authenticated by the Database
10.1.1.2 Advantages of Database Authentication
10.1.2 External Authentication
10.1.2.1 Creating a User Who Is Authenticated Externally
10.1.2.2 Operating System Authentication
10.1.2.3 Network Authentication
10.1.2.4 Advantages of External Authentication
10.1.3 Global Authentication and Authorization
10.1.3.1 Creating a User Who Is Authorized by a Directory Service
10.1.3.2 Advantages of Global Authentication and Global Authorization
10.1.4 Proxy Authentication and Authorization
10.1.4.1 Authorizing a Middle Tier to Proxy and Authenticate a User
10.1.4.2 Authorizing a Middle Tier to Proxy a User Authenticated by Other Means

11 Administering User Privileges, Roles, and Profiles

11.1 Managing Oracle Users
11.1.1 Creating Users
11.1.1.1 Specifying a Name
11.1.1.2 Setting Up User Authentication
11.1.1.3 Assigning a Default Tablespace
11.1.1.4 Assigning Tablespace Quotas
11.1.1.5 Assigning a Temporary Tablespace
11.1.1.6 Specifying a Profile
11.1.1.7 Setting Default Roles
11.1.2 Altering Users
11.1.2.1 Changing User Authentication Mechanism
11.1.2.2 Changing User Default Roles
11.1.3 Dropping Users
11.2 Viewing Information About Database Users and Profiles
11.2.1 User and Profile Information in Data Dictionary Views
11.2.2 Listing All Users and Associated Information
11.2.3 Listing All Tablespace Quotas
11.2.4 Listing All Profiles and Assigned Limits
11.2.5 Viewing Memory Use for Each User Session
11.3 Managing Resources with Profiles
11.3.1 Dropping Profiles
11.4 Understanding User Privileges and Roles
11.4.1 System Privileges
11.4.1.1 Restricting System Privileges
11.4.1.2 Accessing Objects in the SYS Schema
11.4.2 Object Privileges
11.4.3 User Roles
11.5 Managing User Roles
11.5.1 Creating a Role
11.5.2 Specifying the Type of Role Authorization
11.5.2.1 Role Authorization by the Database
11.5.2.2 Role Authorization by an Application
11.5.2.3 Role Authorization by an External Source
11.5.2.4 Role Authorization by an Enterprise Directory Service
11.5.3 Dropping Roles
11.6 Granting User Privileges and Roles
11.6.1 Granting System Privileges and Roles
11.6.1.1 Granting the ADMIN OPTION
11.6.1.2 Creating a New User with the GRANT Statement
11.6.2 Granting Object Privileges
11.6.2.1 Specifying the GRANT OPTION
11.6.2.2 Granting Object Privileges on Behalf of the Object Owner
11.6.2.3 Granting Privileges on Columns
11.6.2.4 Row-Level Access Control
11.7 Revoking User Privileges and Roles
11.7.1 Revoking System Privileges and Roles
11.7.2 Revoking Object Privileges
11.7.2.1 Revoking Object Privileges on Behalf of the Object Owner
11.7.2.2 Revoking Column-Selective Object Privileges
11.7.2.3 Revoking the REFERENCES Object Privilege
11.7.3 Cascading Effects of Revoking Privileges
11.7.3.1 System Privileges
11.7.3.2 Object Privileges
11.8 Granting to and Revoking from the PUBLIC User Group
11.9 When Do Grants and Revokes Take Effect?
11.9.1 The SET ROLE Statement
11.9.2 Specifying Default Roles
11.9.3 Restricting the Number of Roles that a User Can Enable
11.10 Granting Roles Using the Operating System or Network
11.10.1 Using Operating System Role Identification
11.10.2 Using Operating System Role Management
11.10.3 Granting and Revoking Roles When OS_ROLES=TRUE
11.10.4 Enabling and Disabling Roles When OS_ROLES=TRUE
11.10.5 Using Network Connections with Operating System Role Management
11.11 Viewing Privilege and Role Information
11.11.1 Listing All System Privilege Grants
11.11.2 Listing All Role Grants
11.11.3 Listing Object Privileges Granted to a User
11.11.4 Listing the Current Privilege Domain of Your Session
11.11.5 Listing Roles of the Database
11.11.6 Listing Information About the Privilege Domains of Roles

12 Configuring and Administering Auditing

12.1 Actions Audited by Default
12.2 Guidelines for Auditing
12.2.1 Keeping Audited Information Manageable
12.2.2 Auditing Normal Database Activity
12.2.3 Auditing Suspicious Database Activity
12.2.4 Auditing Administrative Users
12.2.5 Using Triggers
12.2.6 Deciding Whether to Use the Database or Operating System Audit Trail
12.3 What Information Is Contained in the Audit Trail?
12.3.1 Database Audit Trail Contents
12.3.2 Audit Information Stored in an Operating System File
12.4 Managing the Standard Audit Trail
12.4.1 Enabling and Disabling Standard Auditing
12.4.1.1 Setting the AUDIT_TRAIL Initialization Parameter
12.4.1.2 Specifying a Directory for the Operating System Auditing Trail
12.4.1.3 Specifying the Syslog Level
12.4.2 Standard Auditing in a Multitier Environment
12.4.3 Enabling Standard Auditing Options
12.4.3.1 Enabling Statement Auditing
12.4.3.2 Enabling Privilege Auditing
12.4.3.3 Enabling Object Auditing
12.4.3.4 Enabling Network Auditing
12.4.4 Disabling Standard Audit Options
12.4.4.1 Turning Off Statement and Privilege Auditing
12.4.4.2 Turning Off Object Auditing
12.4.4.3 Turning Off Network Auditing
12.4.5 Controlling the Growth and Size of the Standard Audit Trail
12.4.5.1 Purging Audit Records from the Audit Trail
12.4.5.2 Archiving Audit Trail Information
12.4.5.3 Reducing the Size of the Audit Trail
12.4.6 Protecting the Standard Audit Trail
12.4.7 Auditing the Standard Audit Trail
12.5 Viewing Database Audit Trail Information
12.5.1 Audit Trail Views
12.5.2 Using Audit Trail Views to Investigate Suspicious Activities
12.5.2.1 Listing Active Statement Audit Options
12.5.2.2 Listing Active Privilege Audit Options
12.5.2.3 Listing Active Object Audit Options for Specific Objects
12.5.2.4 Listing Default Object Audit Options
12.5.2.5 Listing Audit Records
12.5.2.6 Listing Audit Records for the AUDIT SESSION Option
12.5.3 Deleting the Audit Trail Views
12.5.4 The SYS.AUD$ Auditing Table: Example
12.6 Fine-Grained Auditing
12.6.1 Policies in Fine-Grained Auditing
12.6.1.1 Advantages of Fine-Grained Auditing over Triggers
12.6.1.2 Extensible Interface Using Event Handler Functions
12.6.1.3 Functions and Relevant Columns in Fine-Grained Auditing
12.6.1.4 Audit Records in Fine-Grained Auditing
12.6.1.5 NULL Audit Conditions
12.6.1.6 Defining FGA Policies
12.6.2 An Added Benefit to Fine-Grained Auditing
12.7 The DBMS_FGA Package
12.7.1 ADD_POLICY Procedure
12.7.1.1 Syntax
12.7.1.2 Parameters
12.7.1.3 Usage Notes
12.7.1.4 V$XML_AUDIT_TRAIL View
12.7.1.5 Examples
12.7.2 DISABLE_POLICY Procedure
12.7.2.1 Syntax
12.7.2.2 Parameters
12.7.3 DROP_POLICY Procedure
12.7.3.1 Syntax
12.7.3.2 Parameters
12.7.3.3 Usage Notes
12.7.4 ENABLE_POLICY Procedure
12.7.4.1 Syntax
12.7.4.2 Parameters

13 Introducing Database Security for Application Developers

13.1 About Application Security Policies
13.2 Considerations for Using Application-Based Security
13.2.1 Are Application Users Also Database Users?
13.2.2 Is Security Enforced in the Application or in the Database?
13.3 Managing Application Privileges
13.4 Creating Secure Application Roles
13.4.1 An Example of Creating a Secure Application Role
13.5 Associating Privileges with User Database Roles
13.5.1 Using the SET ROLE Statement
13.5.2 Using the SET_ROLE Procedure
13.5.3 Examples of Assigning Roles with Static and Dynamic SQL
13.6 Protecting Database Objects by Using Schemas
13.6.1 Unique Schemas
13.6.2 Shared Schemas
13.7 Managing Object Privileges
13.7.1 What Application Developers Need to Know About Object Privileges
13.7.2 SQL Statements Permitted by Object Privileges

14 Using Virtual Private Database to Implement Application Security Policies

14.1 About Virtual Private Database, Fine-Grained Access Control, and Application Context
14.1.1 Introduction to VPD
14.1.1.1 Column-Level VPD
14.1.1.2 Column-Level VPD with Column-masking Behavior
14.1.1.3 VPD Security Policies and Applications
14.2 Introduction to Fine-Grained Access Control
14.2.1 Features of Fine-Grained Access Control
14.2.1.1 Security Policies Based on Tables, Views, and Synonyms
14.2.1.2 Multiple Policies for Each Table, View, or Synonym
14.2.1.3 Grouping of Security Policies
14.2.1.4 High Performance
14.2.1.5 Default Security Policies
14.2.2 About Creating a VPD Policy with Oracle Policy Manager
14.3 Introduction to Application Context
14.3.1 Features of Application Context
14.3.1.1 Specifying Attributes for Each Application
14.3.1.2 Providing Access to Predefined Attributes Through the USERENV Namespace
14.3.1.3 Externalized Application Contexts
14.3.2 Ways to Use Application Context with Fine-Grained Access Control
14.3.2.1 Secure Data Caching
14.3.2.2 Returning a Specific Predicate (Security Policy)
14.3.2.3 Providing Attributes Similar to Bind Variables in a Predicate
14.4 Introduction to Global Application Context
14.5 Enforcing Application Security
14.5.1 Use of Ad Hoc Tools: A Potential Security Problem
14.5.2 Restricting SQL*Plus Users from Using Database Roles
14.5.2.1 Limiting Roles Through PRODUCT_USER_PROFILE
14.5.2.2 Using Stored Procedures to Encapsulate Business Logic
14.5.2.3 Using VPD for Highest Security
14.5.3 VPD and Oracle Label Security Exceptions and Exemptions
14.6 User Models and VPD

15 Implementing Application Context and Fine-Grained Access Control

15.1 About Using Application Context
15.2 Using Secure Session-Based Application Context
15.2.1 Task 1: Create a PL/SQL Package that Sets the Secure Context for Your Application
15.2.1.1 SYS_CONTEXT Syntax
15.2.1.2 SYS_CONTEXT Example
15.2.1.3 Using Dynamic SQL with SYS_CONTEXT
15.2.1.4 Using SYS_CONTEXT in a Parallel Query
15.2.1.5 Using SYS_CONTEXT with Database Links
15.2.2 Task 2: Create a Unique Secure Context and Associate It with the PL/SQL Package
15.2.3 Task 3: Set the Secure Context Before the User Retrieves Data
15.2.4 Task 4: Use the Secure Context in a VPD Policy Function
15.3 Examples: Secure Application Context Within a Fine-Grained Access Control Function
15.3.1 Example 1: Implementing the Policy
15.3.1.1 Step 1: Create a PL/SQL Package To Set the Secure Context for the Application
15.3.1.2 Step 2: Create a Secure Application Context
15.3.1.3 Step 3: Access the Secure Application Context Inside the Package
15.3.1.4 Step 4: Create the New Security Policy
15.3.2 Example 2: Controlling User Access with an Application
15.3.2.1 Step 1: Create a PL/SQL Package to Set the Secure Context
15.3.2.2 Step 2: Create the Secure Context and Associate It with the Package
15.3.2.3 Step 3: Create the Initialization Script for the Application
15.3.3 Example 3: Event Triggers, Secure Application Context, Fine-Grained Access Control, and Encapsulation of Privileges
15.4 Initializing Secure Application Context Externally
15.4.1 Obtaining Default Values from Users
15.4.2 Obtaining Values from Other External Resources
15.5 Initializing Secure Application Context Globally
15.5.1 Using Secure Application Context with LDAP
15.5.2 How Globally Initialized Secure Application Context Works
15.5.3 Example: Initializing Secure Application Context Globally
15.6 Using Client Session-Based Application Context
15.6.1 Setting a Value in CLIENTCONTEXT
15.6.2 Clearing a Particular Setting in CLIENTCONTEXT
15.6.3 Clearing all Settings in CLIENTCONTEXT
15.7 How to Use Global Application Context
15.7.1 Using the DBMS_SESSION Interface to Manage Application Context in Client Sessions
15.7.2 Examples: Global Application Context
15.7.2.1 Example 1: Global Application Context Process
15.7.2.2 Example 2: Global Application Context for Lightweight Users
15.8 How Fine-Grained Access Control Works
15.9 How to Establish Policy Groups
15.9.1 The Default Policy Group: SYS_DEFAULT
15.9.2 New Policy Groups
15.9.3 How to Implement Policy Groups
15.9.3.1 Step 1: Set Up a Driving Context
15.9.3.2 Step 2: Add a Policy to the Default Policy Group.
15.9.3.3 Step 3: Add a Policy to the HR Policy Group
15.9.3.4 Step 4: Add a Policy to the FINANCE Policy Group
15.9.4 Validating the Application Used to Connect to the Database
15.10 How to Add a Policy to a Table, View, or Synonym
15.10.1 DBMS_RLS.ADD_POLICY Procedure Policy Types
15.10.2 Optimizing Performance by Enabling Static and Context Sensitive Policies
15.10.2.1 About Static Policies
15.10.2.2 About Context-Sensitive Policies
15.10.3 Adding Policies for Column-Level VPD
15.10.3.1 Default Behavior
15.10.3.2 Column-masking Behavior
15.10.4 Enforcing VPD Policies on Specific SQL Statement Types
15.10.4.1 Enforcing Policies on Index Maintenance
15.11 How to Check for Policies Applied to a SQL Statement
15.12 Users Exempt from VPD Policies
15.12.1 SYS User Exempted from VPD Policies
15.12.2 EXEMPT ACCESS POLICY System Privilege
15.13 Automatic Reparse
15.14 VPD Policies and Flashback Query

16 Preserving User Identity in Multitiered Environments

16.1 Security Challenges of Three-Tier Computing
16.1.1 Who Is the Real User?
16.1.2 Does the Middle Tier Have Too Many Privileges?
16.1.3 How to Audit? Whom to Audit?
16.1.4 What Are the Authentication Requirements for Three-Tier Systems?
16.1.4.1 Client to Middle Tier Authentication
16.1.4.2 Middle Tier to Database Authentication
16.1.4.3 Client Reauthentication Through Middle Tier to Database
16.2 Oracle Database Solutions for Preserving User Identity
16.2.1 Proxy Authentication
16.2.1.1 Passing Through the Identity of the Real User by Using Proxy Authentication
16.2.1.2 Limiting the Privilege of the Middle Tier
16.2.1.3 Reauthenticating the User Through the Middle Tier to the Database
16.2.1.4 Auditing Actions Taken on Behalf of the Real User
16.2.1.5 Advantages of Proxy Authentication
16.2.2 Client Identifiers
16.2.2.1 Support for Application User Models by Using Client Identifiers
16.2.2.2 Using the CLIENT_IDENTIFIER Attribute to Preserve User Identity
16.2.2.3 Using CLIENT_IDENTIFIER Independent of Global Application Context

17 Developing Applications Using Data Encryption

17.1 Securing Sensitive Information
17.2 Principles of Data Encryption
17.2.1 Principle 1: Encryption Does Not Solve Access Control Problems
17.2.2 Principle 2: Encryption Does Not Protect Against a Malicious DBA
17.2.3 Principle 3: Encrypting Everything Does Not Make Data Secure
17.3 Stored Data Encryption Using DBMS_CRYPTO
17.3.1 DBMS_CRYPTO Hashing and Encryption Capabilities
17.4 Data Encryption Challenges
17.4.1 Encrypting Indexed Data
17.4.2 Key Generation
17.4.3 Key Transmission
17.4.4 Key Storage
17.4.4.1 Storing the Keys in the Database
17.4.4.2 Storing the Keys in the Operating System
17.4.4.3 Users Managing Their Own Keys
17.4.4.4 Using Transparent Database Encryption
17.4.5 Changing Encryption Keys
17.4.6 BLOBS
17.5 Example of a Data Encryption Procedure
17.6 Example of AES 256-Bit Data Encryption and Decryption Procedures
17.7 Example of Encryption and Decryption Procedures for BLOB Data

Part IV Appendixes

A Addressing The CONNECT Role Change

A.1 How Applications Are Affected
A.1.1 Database Upgrade
A.1.2 Account Provisioning
A.1.3 Installation of Applications Using New Databases
A.2 How Users Are Affected
A.2.1 General Users
A.2.2 Application Developers
A.2.3 Client Server Applications
A.3 Approaches to Addressing the CONNECT Role Change
A.3.1 Approach 1 - Create a new database role
A.3.2 Approach 2 - Restore CONNECT privileges
A.3.2.1 New View Showing CONNECT Grantees
A.3.3 Approach 3 - Conduct least privilege analysis

B Verifying Data Integrity with DBMS_SQLHASH

B.1 Overview of the DBMS_SQLHASH Package
B.2 The DBMS_SQLHASH.GETHASH Function
B.2.1 Syntax
B.2.2 Parameters

Glossary

Index