594 Applied Oracle Security
ANY privileges, 97, 125
AOS_COMMON_AUDIT_TRAIL view, 290
Apache 2.0, 451
APEX (Application Express), 5, 434–459,
462–496
architecture, 435–437
Audit Vault reports and, 80
authentication schemes, 462–468
authorization schemes, 468–471
components and configurations, 434
cross-site scripting and, 476–478
database connections and, 436–437
database roles and, 437–438
Database Vault and, 457–459
fine-grained auditing and, 489–496
item-based policy, 484–486
mod_rewrite and, 447–449
mod_security and, 449–451
network topology, 445–447
password protection, 445, 463–468, 482
preventing unauthorized access to, 443–444
Runtime Only installation of, 443–444
schema protection, 456–459
security settings, 439–443
sessions, 438–439
SQL injection attacks and, 472–476
SSL/TLS techniques, 451–456
summaries of, 459, 496
URL tampering and, 478–483
VPD integration with, 484–489
web-based attack prevention, 449–451
XSS attacks and, 476–478
APEX_ADMINISTRATOR_ROLE, 440
APEX_INSTANCE_ADMIN package, 440
APEX_PUBLIC_USER schema, 445, 490–491
application accounts, 229, 243–244
application administrators/developers, 18,
235–239
creating roles for, 245–262
privileges granted to, 235–236
separation of duties for, 236–239
application code
factors used in, 223–224
See also PL/SQL routines; SQL statements
application data analyst, 237, 259–262
application data manager, 236, 256–259, 299
application DBA pattern, 132–135
application design
command rules and, 267–280
factors and, 209–224
importance of security in, 200, 284
notional architecture for, 200–202
object-owner accounts and, 229–231
realms and, 224–228
SARs and, 281–284
secure schemas under DBV, 228–231,
239–267
security profiles and, 202, 205–209
use cases and scenarios, 202–205
user access accounts and, 231–239
Application Express. See APEX
application maintenance administrator, 236, 252–256, 299
application security, 4, 200
application security administrator, 236,
246–252
EUS-based, 303, 305
privileges granted to, 299
applications
DBV applied to existing, 288, 352–353
factors incorporated into, 220–224
notional database example, 200–202
securing public-facing, 532–533
Applied Cryptography: Protocols, Algorithms, and
Source Code in C (Schneier), 24
architecture
APEX, 435–437
Audit Vault, 69–70
notional, 200–202
OES, 380, 381
OID, 407
OIM, 402–403
Oracle BI, 502–504
OVD, 410–413
RAC, 71, 74
SOA, 11–12
ARCHIVELOG mode, 75
ASO (Advanced Security Option), 33, 163, 186, 447
ASO PKI/SSL authentication, 185–187
asymmetric key encryption, 25
attestation, 399–400
attributes
identity, 217–218, 307–308
reconciling, 399
audit data warehouse, 59–63
explanation of, 59–60
objectives of, 60–63
securing data at, 63
audit logs, 62, 87–88
audit patterns
known, 64–66
unknown, 66–67
audit trails
analyzing, 290–291
protecting the integrity of, 278–279
retention requirements, 280
testing, 280–281
Audit Vault, 68–89
alerts, 80–84
architecture, 69–70
audit policy management, 84–86
caveats for installing, 75–79
installation options, 70–79
intent in creating, 59–60
log files, 87–88
maintenance operations, 86–88
plan for installing, 75
report creation, 79–80
summary of, 88–89
users and roles, 76–77
Audit Vault collection agent
architecture, 69, 70
installing, 71–75, 77–79
log files, 87–88
Audit Vault Control (AVCTL) utility, 76
Audit Vault Server
architecture, 69, 70
installing, 70–71
log files, 87
auditing, 58–89
alerts used in, 68, 80–84
analysis of, 290–291
APEX policy for, 489–496
audit warehouse and, 59–63
best practices for, 67–68
capture process in, 289–290
conditional, 99
DBV events, 73, 115
factors, 162, 185
fine-grained, 6, 73, 85, 489–496
GRC perspective on, 58
guiding principles for, 63–64
known patterns, 64–66
maintenance operations for, 86–88
managing policy for, 84–86
nonsecurity reasons for, 59
object-level, 226–227, 293–294
Oracle Audit Vault for, 68–89
Oracle BI and, 563–567
preparations for, 288–289
realms, 126–127
removing data from, 86
reports based on, 79–80
rule sets, 148–149
SAR violations, 196, 197
securing records from, 62–63
suggested targets for, 68
summary of, 88–89
system-level, 280–281
testing effectiveness of, 280–281
unknown patterns, 66–67
usage tracking with, 566–567
audit_options parameter, 162
authentication
APEX, 462–468
ASO PKI/SSL, 185–187
built-in, 510
custom, 515
database, 375, 378, 379, 510, 514–515,
590–591
enterprise SSO, 374, 376
external, 510–515
fallback, 515
federated, 375, 377–378
internal, 589–590
LDAP, 512–514
multifactor, 98
Oracle BI, 510–516
proxy, 7, 302
Publisher, 515–516
RPD used for, 510
single sign-on, 374, 375–376
strong, 33, 375, 377
table-based, 511–512, 590
authentication management, 374–378
authorization
APEX, 468–471
Oracle BI, 516–524
Publisher, 524
realm, 130–136, 296–309
authorization management, 378–381
Auto Login, Oracle Wallet, 36–37
AV_ADMIN role, 76
AV_AGENT role, 77
AV_AUDITOR role, 76
avca.log file, 87
av_client-%g.log.n file, 87
avorcldb.log file, 87
AV_SOURCE role, 77
B
backup files
encryption wallet, 35
protecting data in, 29–30
RMAN for creating, 342–343
batch programs, 201
Bednar, Tammy, 69
best practices for auditing, 67–68
BI server. See Oracle Business Intelligence
binary execution, 116
bind variables, 472, 475–476
binding adapter, 425
built-in authentication, 510
business congruency, 11–12
business intelligence (BI) systems, 60
analysis tools for, 61–62
challenges in securing, 499–501
data warehouse for, 61, 499–500
tasks involved in securing, 501–502
transactional systems vs., 499–500, 501
See also Oracle Business Intelligence
business logic tier, 402–403
business model filters, 516, 545–546
business use cases, 289
business use policies, 66
C
cache, Oracle BI, 531–532, 552–559
capture rules, 85
capturing audits, 289–290
cardholder data protection, 47–48
Cardholder Information Security Program (CISP), 47
catalog content security, 536–540
Center for Internet Security, 281
central issuance authority, 359
centralized database authentication, 378, 379
centralized security, 11
checksums, 481
check_user initialization block, 590, 591, 592
child factors, 165, 166–168
choose function, 547–548
clearanceCode attribute, 424
client identifiers, 540–541
client tier, 402
CLIENT_IDENTIFIER technique, 185
<CName><SName><Sld>.log file, 87
coarse-grained security profile, 205–208, 285
collectors
attributes of, 74
choosing types of, 72–74
functions performed by, 69, 70
non-Oracle database, 73
See also Audit Vault collection agent
column-level security, 547–551
choose function, 547–548
example for testing, 590
IndexCol function, 548–549
summary of, 549–551
columns
encrypting existing, 41–43
encrypting in a new table, 38–40
securing in Oracle BI, 547–551
viewing encrypted, 41
command rules, 104, 136–147
commands supported in, 143–144
components of, 139–143
controls enforced by, 140
DBV CONNECT, 144–147
establishing from conditions, 267–280,
311–318
explanatory overview of, 136–139
realms and, 137–138
rule sets and, 138
system-level auditing and, 280–281
commands
security by, 100
supported in command rules, 143–144
commercial off-the-shelf (COTS) applications,
22, 229
compliance
conditions based on, 207
factors based on, 215–216, 318
compliance and mandates discovery, 365–366
compliance regulations, 352
computer security field, 4
conditional auditing, 99
conditional security, 98–99
conditions
coarse-grained security profile, 207–208
command rules established from, 267–280,
311–318
factors based on business/system, 209–224
fine-grained security profile, 209
SARs established from, 281–284
configuration
APEX, 434
BI Publisher, 584–585
DBV policy, 106–110
OAM, 527–529
object-level auditing, 226–227
OVD server, 413–414
rule, 151–154
TDE, 45–55
conflict of interest
conditions based on, 207
factors based on, 216–217, 318
CONNECT operation, 144
connection pools, 184
APEX and, 436–437
data source type, 504–505
DBV SARs and, 281
function-based, 505–506
multiple, 506
Connection_Type factor, 164, 169–170
consolidated databases, 119–121, 352
constants
compliance regulations and, 215
factor identities as, 163
content security, 536–540
context-based security, 98–99
contexts
application, 184–185
conditions based on, 208
cookies, APEX, 441
coordinated maturity level, 368
CORPORATE_PASSWORD identity,
168–169, 170
CORPORATE_SSL identity, 168
CREATE PROCEDURE system privilege, 211
CREATE TABLE statement, 39
CREATE TABLESPACE command, 140
CREATE TRIGGER commands, 250
CREATE USER system privilege, 67, 104
credential store, 583–584
cross-site scripting (XSS), 449, 476–478
cryptography, 23–24
CSS attacks, 449–450
CSV files, 314
CTXSYS objects, 330, 332
custom authentication, 515
custom event handlers, 150–151,
348–352
custom table of usernames, 463–468
CUSTOMER_POLICY_DBA role, 250
customized alert handling, 84
D
DAD (Database Access Descriptor), 435, 445
dadTool, 445
dashboards, 587–588
data
auditing changes to, 73
backup file, 29
conditions based on, 208
encrypting, 28–32
exporting/importing, 52–53
factors based on, 220, 324–325
inferring information from, 501
mapping roles to, 364–365
viewing, 30–31
data access events, 73
data discovery, 361, 364–366
Data Guard
Audit Vault and, 71
TDE and, 49
data loading, 61
Data Pump, 52–53
data steward, 236, 256–259, 299
data tier, 403
data transformation, 61
data warehouse, 61, 499–500
Database Access Descriptor (DAD), 435, 445
database account administrator, 112
database accounts
object owner accounts, 13–14
user access accounts, 13, 14–16
database administrators (DBAs), 18
functions performed by, 201, 232
operational, 112–114, 237, 239–243
privileges granted to, 299
separation of duties for, 235–239
database applications
DBV applied to existing, 288, 352–353
factors incorporated into, 220–224
notional database example, 200–202
database authentication, 375, 378, 379, 510,
514–515, 590–591
Database Configuration Assistant (DBCA), 105
database connections
APEX and, 436–437
Oracle BI and, 531
database global role, 303, 304
database roles, 437–438
database scripts, 582–583
database security, 4
application design and, 200, 284–285
evolving technologies in, 6–8
existing applications and, 288, 352–353
Database Vault (DBV), 94–116, 118–198
administration roles, 105–106, 237–238,
262–264
APEX and, 457–459
application development and, 200, 284–285
auditing events in, 73, 115
buy-versus-build consideration, 116
code for disabling, 458
collection agent installation, 77
command rules, 104, 136–147, 267–281
components of, 100–104, 118
existing applications and, 288
Expression Filters and, 333–336
factors, 101, 115, 209–224
installing, 105–115
integration with database features, 329–344
login page, 107
monitoring and alerting features, 108, 344–352
Oracle BI and, 561–563
Oracle Recovery Manager and, 342–343
Oracle Spatial and, 332–333
Oracle Streams Advanced Queuing and,
336–341
Oracle Text and, 329–332
policy configuration, 106–110
realms, 102–104, 111, 118–136, 224–228, 296–309
refining policy for, 327
reports, 108
rule sets, 102, 135–136, 147–157, 348–352
secure application roles, 194–197, 281–284
secure schema implementation, 239–267
security issues addressed by, 94–100
separation of duty, 110–114
summary of, 198
TDE and, 341
database view, 410
databases
backup and recovery of, 342–343
consolidation of, 119–121, 352
direct requests of, 571–574
OVD integration with, 419–423
querying features of, 326
security breaches across, 66
datafiles, viewing, 30–31
DB2DB collectors, 73
DBA_COMMON_AUDIT_TRAIL view, 290
DBA_ENCRYPTED_COLUMNS view, 41
DBA_JAVA_POLICY view, 325
DBAs. See database administrators
DBAUD collectors, 72, 74, 75
DBMS_AUDIT_MGMT package, 86
DBMS_CRYPTO package, 22
APEX and, 463–464
encrypting data using, 28, 32
TDE vs., 40–41
DBMS_FGA package, 491
DBMS_LDAP package, 520
DBMS_MACADM PL/SQL package, 108–110
ADD_POLICY_FACTOR procedure, 180
CREATE_FACTOR procedure, 162, 163
CREATE_MAC_POLICY procedure, 179–180
CREATE_POLICY_LABEL procedure, 180–181
DBMS_MACSEC_ROLES.SET_ROLE
procedure, 195
DBMS_OBFUSCATION_TOOLKIT, 22
DBMS_RLS package, 171, 172
DBMS_SCHEDULER job, 79, 280, 326
DBMS_SESSION.SET_IDENTIFIER procedure,
184, 185, 190, 540
DBMS_UTILITY package, 140–142
DBSNMP account, 229–230
DBV. See Database Vault
DBV CONNECT command rule, 144–147
DBVEXT.DBMS_MAC_EXTENSION package,
215, 241, 348
DBVEXT.EXTERNAL_RULE.AUTHORIZED function, 318
DBVOWNER account, 126
DDL commands
auditing, 68, 73
command rules and, 144
realm-protected objects and, 125
DDL triggers, 116
declarative framework, 99, 100, 116
dedicated accounts, 15
default account logon failure, 65–66
default privileges, 567–568
definer’s rights procedures, 7
DELETE privileges, 194, 317
dependency check, 324
deployment
DBV policy, 327–329
OIM component, 402–403
dequeuing messages, 339–341
direct database requests, 571–574
direct object privileges
command rules and, 137
realms and, 131, 137
Directory Integration Platform (DIP), 408–409
directory management, 373–374
directory replication, 408
directory services, 406–430
Oracle Internet Directory, 406–409
Oracle Virtual Directory, 409–430
Directory Services Markup Language (DSML), 411
directory virtualization, 373, 409–410
See also Oracle Virtual Directory
disaster recovery locations, 32
discovery in identity management, 361–366
information requirements, 364–366
people requirements, 361–362
process requirements, 363–364
discretionary account provisioning, 391–394
disk arrays, 31
DML commands
auditing, 73
command rules and, 143
DML triggers, 116
DMZ network, 446, 532
domain restrictions, 442
DROP ANY ROLE privilege, 246
DROP commands, 246–247
DROP INDEX statements, 333
DROP TABLE command, 139–140
DVA web application, 106–108
DV_ACCTMGR role, 76, 105, 106, 112
DV_ADMIN role, 105, 108, 111, 237
DVF.F$ factor function, 162, 189
DV_OWNER role, 76, 105, 108, 111, 237
DV_PUBLIC role, 223
DV_REALM_OWNER role, 105, 236, 245
DV_REALM_RESOURCE role, 105
DV_SECANALYST role, 105, 108, 238
DVSYS account, 147, 161
DVSYS.DBMS_MACADM PL/SQL package, 106,
108–110, 111
DVSYS.DBMS_MACSEC_ROLES.SET_ROLE
procedure, 195
DVSYS.GET_FACTOR function, 162, 189, 223
DVSYS.SET_FACTOR function, 184, 189
dynamic group membership, 518–523
using LDAP directly, 520–521
using LDAP indirectly, 521–523
using tables, 518–520
dynamic server variables, 507
E
Effective Oracle by Design (Kyte), 407
Effective Oracle Database 10g Security By Design
(Knox), 4, 23, 58, 119, 228, 302
e-mail
Audit Vault alerts via, 81
Oracle BI security, 530–531
Embedded PL/SQL Gateway (EPG), 434
emctl status dbconsole command, 106
employeeType attribute, 307
ENCRYPT directive, 39
encryption, 23–32
algorithms and keys, 24
applied example of, 31–32
basics of, 23–24
BI environment, 530–531
choices for, 24
column-level, 38–43
data, 28–32
file system, 32
goal of, 23
network, 33
programmatic, 32
public key, 25–27, 452
session state, 482–483
SSL, 27
strength of, 24
symmetric key, 24, 25, 27–28, 37
tablespace, 44–45
technical requirement for, 29–30
See also TDE
ENCRYPTION keyword, 35
encryption wallet, 34
ENCRYPTION_PASSWORD option, 53
ENCRYPTION_WALLET_LOCATION
parameter, 34
end user access accounts. See user access
accounts
Enterprise Manager (EM)
database control GUI, 45, 46
statistics collection, 229
enterprise maturity, 366–369
enterprise role, 303, 304
Enterprise Security Manager (ESM), 232–233
enterprise single sign-on (eSSO), 374, 376
Enterprise User Security (EUS), 184, 217–218, 303–309, 378
Enterprise Users, 7
entitlement management, 380
era of governance, 58
error messages, 450–451
eval_options parameter
for factors, 162, 220
for rule sets, 145
EVALUATE operator, 334, 336
event functions, 154–155, 348–352
evolving technologies, 6–8
execute application roles, 264–267
EXEMPT ACCESS POLICY privilege, 561
EXPLAIN PLAN feature, 343–344
exporting encrypted data, 52–53
Expression Filters, 333–336
Extensible Access Control Markup Language
(XACML), 371
external authentication methods, 510–515
custom authentication, 515
database user authentication, 514–515
LDAP authentication, 512–514
table-based authentication, 511–512
external systems
conditions based on data in, 208
factors based on data in, 220, 324–325
realm authorizations and, 303–309
extracting data, 61
F
factors, 101, 157–194
access path, 218–219, 322
assigning, 184–185
auditing, 162, 185
categories for identifying, 210–211
centralizing PL/SQL routines for, 211–215
compliance-based, 215–216, 318
condition and candidate, 210
conflict of interest, 216–217, 318
creating, 158–162
DBV usage of, 157
evaluation of, 162
explanation of, 101, 157
external systems and, 220, 324–325
functions of, 162
identities of, 163–174, 184–185
identity management, 217–218, 321–322
integrating with OLS, 174–189
naming, 161
operational context, 218–219, 323
Oracle BI and, 561–562
organizational policy, 217, 318
PL/SQL code and, 223–224, 325–326
retrieval method for, 158–162
rule sets and, 156–157
security-relevant, 115
separation of duty, 216–217, 318
time-based, 219–220, 319–321
transactional sequence-based, 323–324
validation of, 189–194
fallback authentication, 515
federated authentication, 375, 377–378
FGA. See fine-grained auditing
file systems, encrypted, 32
file upload security, 441
filtering output, 450
filters
business model, 516, 545–546
expression, 333–336
fine-grained auditing (FGA), 6, 73, 85
APEX and, 489–496
factors used in, 222
fine-grained security profile, 208–209, 285
firewalls, 446, 532
Flashback feature, 494
folder-based security, 537–538
fraud prevention, 375, 377
functional use cases, 280
G
GATHER_STATS_JOB feature, 343
Generic Technology Connector (GTC), 397–398
geographic information system (GIS), 332
get_expr parameter, 162, 163
GET_FACTOR function, 157
get_groups initialization block, 590, 591, 592
GET_PRODUCT session variable, 543–544
global database, 76
global schema mapping, 303, 304
governance, era of, 58
government regulations, 10
GRANT ANY OBJECT privilege, 236
GRANT ANY ROLE privilege, 236
GRANT EXECUTE privilege, 154, 159
GRANT_OR_REVOKE_TO_SELF function, 241
graphical user interface (GUI), 45
GRC (Governance, Risk Management, and Compliance), 58, 88
group accounts, 229
group membership, 517–523
dynamic, 518–523
internal/external, 517–518
groups
Oracle BI, 516–523, 580
user, 387–388
web catalog, 516–517, 523, 537
H
handler routines, 150–151, 348–352
HANDLER_MODULE parameter, 494
hardware security modules (HSMs), 53–55
hash algorithms, 463
High Assistance Principle (HAP), 100
high-level usage analysis, 225
HIPAA (Health Insurance Portability and
Accountability Act), 9
hire-to-retire process, 386
historical reporting, 401
HTTP protocol, 454–456, 478
HTTP server, 445–446, 479
HTTPS setting, 442, 454–456
hub-and-spoke architecture, 370
I
iBot security, 538–539
identify_by parameter, 163
identities, factor, 163–174
identity attributes, 217–218, 307–308
identity management, 358–383
architecting, 360–372
authentication solutions, 374–378
authorization solutions, 378–381
conditions based on, 207
core challenge of, 361
definition of, 361
directory management solution, 373–374
discovery phase in, 361–366
enterprise maturity and, 366–369
explanation of problems with, 358–360
factors based on, 217–218, 321–322
hub-and-spoke architecture for, 370
information requirements and, 364–366
LDAP directory and, 406
overview of solutions for, 372
people requirements and, 361–362
point-to-point architecture for, 369
process requirements and, 363–364
role mining and management solution,
381–383
SOS pattern for, 370, 371–372
summary of, 383
user provisioning solution, 372–373
See also Oracle Identity Manager
Identity Management Organizational Model
(IMOM), 362
identity maps, 163–170
identity preservation, 7
identity propagation, 360
identity verification, 359
Impersonator user, 527–528
importing encrypted data, 52–53
IndexCol function, 548–549
indexes
Oracle Spatial, 333
Oracle Text, 330, 332
InetAD plug-in, 418
inetorgperson object class, 418, 419
information discovery, 364–366
initialization blocks, 508
INSERT command, 268
installing
Audit Vault, 70–79
Database Vault, 105–115
Oracle Virtual Directory, 413
INSTR_CALL_STACK function, 218
intellectual property, 10
internal authentication, 589–590
intrusion detection system (IDS), 324
invited nodes feature, 322
invoker’s rights procedures, 7
IP address restrictions, 441
IP_ADDRESS environment variable, 491
IS_APEX_SESSION_ONE function, 491
IT resources, 390
item-based policy, 484–486
J
Java Database Connectivity (JDBC), 281
Java Message Service (JMS), 84
Java stored procedures, 325
Java Virtual Machine (JVM), 96
JDBC drivers, 421
join rules, 429
join view, 424–430
adapter creation, 428–430
design considerations, 424–427
explained, 424
joiners, 425–426
K
keys, encryption, 24–28
known audit patterns, 64–66
L
label_function parameter, 221
label_indicator parameter, 165
layers of security, 11
LBACSYS account, 175, 177–178, 318
LDAP (Lightweight Directory Access Protocol), 7,
217, 303, 360, 371, 406
LDAP authentication, 512–514, 591–592
using directly for dynamic group
membership, 520–521
using indirectly for dynamic group
membership, 521–523
LDAP server
Oracle BI setup of, 512–514
OVD integration with, 415–419
LDAPBIND operation, 425
LDAP_DIRECTORY_ACCESS parameter, 321
least privileges, 13
LII algorithm, 180
Local Store Adapter (LSA), 414–415, 416
location-based services (LBS), 332
log files, Audit Vault, 87–88
LOGLEVEL session variable, 558
logon failures, 65–66
M
MAC algorithm, 463, 481
macro auditing, 59
maintenance
application administrator, 236, 252–256
Audit Vault, 86–88
Manage Cache utility, 558
managing security, 11
maps
database to OVD, 422, 423
global schema, 303, 304
identity, 163–170
role-to-data, 364–365
masking, 277
Master Key
HSM-managed, 54–55
TDE-managed, 37–38
maturity model framework, 367–369
MDSYS.SEM_INDEXTYPE index type, 333
MDSYS.SPATIAL_INDEX index type, 333
membership rules, 387–388
message authentication code (MAC),
463, 481
message queuing, 336–341
metadata, BI server, 542
meta-directory, 373, 409
micro auditing, 59
Microsoft Office plug-in, 525
mod_rewrite
APEX and, 447–449
SSL and, 456
mod_security, 449–451
monitoring Database Vault, 108, 344–352
MSSQLDB collectors, 73
multifactor authentication, 98
multifactored security, 163, 171, 183
N
named accounts
creating administrators for, 262
post-configuration provisioning of, 267
realm authorizations and, 132–135
naming
factors, 161
schemas, 18–19
natural keys, 44
Needham, Paul, 69
network encryption, 33
network topology, 445–447
NO SALT directive, 39, 51
NOAUDIT command, 62
NOMAC directive, 51
normal use baseline, 66
NOT NULL value, 280
notional database applications, 200–202
example use case for, 203–205
requirements for, 200–201
NQS_PASSWORD_CLAUSE, 512
NULL value, 280
O
OAM. See Oracle Access Manager
OBI. See Oracle Business Intelligence
object privileges, 68, 131
object-level auditing, 226–227, 293–294
object-owner accounts, 13–14
group COTS, 229
Oracle Data Dictionary and, 332
realms and, 131–132, 292
system, 229–231
objects
identifying realms based on, 224–228
realm-protected, 111, 125–126, 226–228,
292–296
resource, in OIM, 390
Verb Object technique and, 205–206
OEM dbconsole, 106
OES. See Oracle Entitlement Server
OETs (Oracle External Tables), 312–318
Office plug-in, Oracle BI, 525
OHS. See Oracle HTTP Server
OID. See Oracle Internet Directory
OIM. See Oracle Identity Manager
OLS. See Oracle Label Security
on-boarding process, 386
one-to-many joiner, 426
online redefinition, 42
online transaction processing (OLTP), 457
OPEN WALLET command, 55
operational context
conditions based on, 208
factors based on, 218–219, 323
operational database administrator, 112–114
creating role and accounts for, 239–243
privileges granted to, 299
separation of duties and, 237
operational reporting, 401
Oracle Access Manager (OAM), 375–376, 379,
462, 525–529
analyticsSOAP URL association, 529
Impersonator user configuration, 527–528
policy setup for Oracle BI, 526–527
presentation server configuration, 528–529
Oracle Adaptive Access Manager (OAAM), 377
Oracle Answers, 574
Oracle Application Server (OAS), 434
Oracle Audit Vault. See Audit Vault
“Oracle Audit Vault Best Practices” (Bednar,
Needham, and Shah), 69
Oracle Business Intelligence (Oracle BI),
498–533
Act As Proxy feature, 568–571
Advanced tab, 574–575
architecture, 502–504
auditing in, 563–567
authentication, 510–516, 589–592
authorization, 516–524
business model filters, 545–546
cache security, 531–532, 552–559
client identifiers, 540–541
column-level security, 547–551, 590
connection pools, 504–506
data access, 502–509
data security, 541–551
database auditing and, 565–567, 582
Database Vault and, 561–563
default privileges, 567–568
direct database requests, 571–574
direct server access, 575
e-mail security, 530
environment security, 530–531
examples of using, 580–592
factors and, 561–562
features with security implications, 567–576
groups, 516–517, 523, 580
metadata layers, 542
Office plug-in, 525
overview of, 498
password encryption, 530
permissions, 537–538
public-facing applications, 532–533
Publisher, 515–516, 524, 539–540, 584–585
realms and, 563
row-level security, 543–546, 559–561
security tasks, 501–502
single sign-on, 524–529, 592
SSL Everywhere feature, 530
steps for setting up, 583–586
subject area security, 542–543
summaries of, 533, 576–577
testing recommended for, 586–587
usage tracking feature, 564–565, 566–567, 585–586
variables, 506–509
VPD integration, 551–561
web catalog content security, 536–540
Web Services access, 576
See also business intelligence (BI) systems