Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.misc -> Re: Oracle Security Questions

Re: Oracle Security Questions

From: HansF <News.Hans_at_telus.net>
Date: Fri, 09 Sep 2005 17:26:57 GMT
Message-Id: <pan.2005.09.09.17.31.21.892545@telus.net>


On Fri, 09 Sep 2005 08:32:46 -0700, miloann2002 interested us by writing:

> I have the following questions in the Oracle 8 and 9 platforms:
>
> 1. Does the roles need to set password? If no password, any negative
> impact?

No, the roles do not need to have a password. Whether a role gets a password depends on your business requirement. You can even mix-and-match the use of role passwords.

For example, a role for 'batch input clerk' might be freely available to anyone, and using a password will simply slow down the interaction.

On the other hand, the role 'human resources manager who has final authority to approve raises' could be legitimately protected with passwords.

> 2. Can user data / objects be put in the system tablespace? Can this
> cause denial of services?

Yes, users can put their data into the SYSTEM tablespace unless the DBA has properly configured the environment and resource rules. In fact, until recently it was the default to do so, even though filling up the system tablespace is one of the easiest ways to cause a denial of service.

Competent DBAs have therefore stopped using the 'RESOURCE' role and use tablespace-oriented disk quotas instead. In the newest versions of Oracle apparently the RESOURCE and CONNECT roles are no longer available - which is a relief to those of us who are security-aware.

> 3. Is it critical to set password life, password reuse, and other
> password settings? If we have robust operating system and application
> security, do we still need to configure the password settings in Oracle?
>

It's up to you. If you are satisfied with the rest of your security measures and they are good enough for the laws of your country and for your business, adding a layer on top of that for Oracle security is certainly overkill.

However, if you do use the minimum of Oracle security, you are likely to forget about reading the documentation and learning about valuable new features such as Fine-Grained Security (also known as Row Level Security) or column-level encryption. The usual result of missing those kinds of features is to spend development money doing the same thing.

By the way - are you covered for potential backdoor use such as ODBC linking from spreadsheets?

> Thanks.

I encourage reading the Oracle Press 'Effective Oracle Database 10g Security by Design', even if you are not on 10g (yet).

-- 
Hans Forbrich                           
Canada-wide Oracle training and consulting
mailto: Fuzzy.GreyBeard_at_gmail.com   
*** I no longer assist with top-posted newsgroup queries ***
Received on Fri Sep 09 2005 - 12:26:57 CDT
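
An added example, not part of the original post: one way a DBA could check the SYSTEM tablespace exposure described in the answer to question 2 and move an account onto a tablespace quota. `APP_USER`, the `USERS` tablespace, the 50M figure, the replacement privileges and the schema exclusion list are assumptions to adjust for the site.

```sql
-- Added example. Run from a DBA account. APP_USER, USERS and 50M are placeholders.

-- 1. Schemas other than the Oracle-owned ones that already hold segments in SYSTEM.
--    The exclusion list is an assumption; extend it for the options installed.
SELECT owner, segment_type, COUNT(*) AS segments,
       ROUND(SUM(bytes) / 1024 / 1024) AS mb
FROM   dba_segments
WHERE  tablespace_name = 'SYSTEM'
AND    owner NOT IN ('SYS', 'SYSTEM', 'OUTLN')
GROUP  BY owner, segment_type
ORDER  BY mb DESC;

-- 2. Accounts that create objects in SYSTEM by default, or sort there.
SELECT username, default_tablespace, temporary_tablespace
FROM   dba_users
WHERE  username NOT IN ('SYS', 'SYSTEM')
AND    (default_tablespace = 'SYSTEM' OR temporary_tablespace = 'SYSTEM');

-- 3. Accounts that are allowed to consume space in SYSTEM:
--    either no quota applies to them at all, or they hold a quota on SYSTEM
--    (MAX_BYTES = -1 means an unlimited quota).
SELECT grantee AS account, 'UNLIMITED TABLESPACE' AS reason
FROM   dba_sys_privs
WHERE  privilege = 'UNLIMITED TABLESPACE'
UNION ALL
SELECT username, 'QUOTA ON SYSTEM'
FROM   dba_ts_quotas
WHERE  tablespace_name = 'SYSTEM'
AND    max_bytes <> 0;

-- 4. Accounts and roles that still hold the RESOURCE role.
SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'RESOURCE';

-- 5. Fix for one account: drop the role, grant only what it needs,
--    and give it a bounded quota outside SYSTEM.
REVOKE RESOURCE FROM app_user;
GRANT CREATE SESSION, CREATE TABLE TO app_user;   -- assumed minimum for this account
ALTER USER app_user
  DEFAULT TABLESPACE users
  QUOTA 50M ON users
  QUOTA 0 ON system;

-- Re-run query 3 afterwards. If APP_USER is still listed with
-- UNLIMITED TABLESPACE, the privilege was granted directly:
-- REVOKE UNLIMITED TABLESPACE FROM app_user;
```

Objects the account already created in SYSTEM stay there after the quota change; query 1 lists them so they can be moved.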
