The Largest Online Resource for Oracle Articles, Oracle Tips, Oracle Scripts & Oracle Tools!!


Enter your Email:
 
Navigate at FreeMegaZone Home      Articles      Tools      Jobs      Games      Support      Submit Content      Advertise

Advertise at FreeMegaZone

Give tremendous boost to your business by advertising at FreeMegaZone. Contact webmaster@freemegazone.com
 
Rating: *****                                             Rate this article:    

Author: Steven Karam

Page: 1 2

Database security is amongst the most critical issues in this era of databases. A secure database is not vulnerable to hacking and keeps away your sensitive data from data theft, corruption, or manipulation. You can develop a secure and truly unbreakable system if you properly follow the security practices and built in security tools.

It is responsibility of database administrator to grant proper privileges to users for accessing database objects. In an average database, there are three levels of users Administrators, Developers and end users.

Least Privilege rule:

Always follow the rule of least privilege. Grant as much access to user as they require to accomplish their task. Even simple roles such as CONNECT and RESOURCE can pose a security threat to your system. Any user has the ability to see the privileges that are granted to them. All it takes is to figure out how to exploit those privileges. A smart user can easily crash your database using just the CONNECT role.

Roles:

Always create your roles according to job roles. If your company has sales clerks and sales managers, create the SALES_CLERK and SALES_MANAGER roles. If you have a junior DBA, create a JUNIOR_DBA role. This makes it easy to maintain security through changing business rules and employees. It also will help you if you are audited.

create role cust_serv_clerk;

grant select on customers to cust_serv_clerk;

grant select, insert, update on issue_track to cust_serv_clerk;

In the above example we create a role called CUST_SERV_CLERK. CUST_SERV_CLERK role is granted the privileges to select from the CUSTOMERS table, and select, insert, and update the ISSUE_TRACK table. The below command gives a user named 'bob' the role. Bob now has all of the privileges granted to the role.

grant cust_serv_clerk to bob;

PUBLIC:

In Oracle, there is a pseudo-user named PUBLIC. A privilege or role granted to PUBLIC will be given to every user. Never grant privileges to PUBLIC that you do not wish every user to have. The PUBLIC user comes with several execute privileges on key Oracle packages. Some of these packages include

UTL_FILE Utilities to read and write to the file system
DBMS_OBFUSCATION_TOOLKIT Oracle's encryption toolkit
DBMS_RANDOM Used to generate random numbers, often used as encryption seeds
UTL_SMTP Used to send mail from PL/SQL
UTL_TCP Network functionality from PL/SQL

Revoking privileges from PUBLIC:

You can very easily revoke privileges from public, and then grant them only to the users that need them.

revoke execute on dbms_obfuscation_toolkit from public;

grant execute on dbms_obfuscation_toolkit to security_user;

Identifying privileges of PUBLIC:

You can identify which privileges are granted to your PUBLIC user by running the below query.

select privilege from dba_sys_privs where grantee = 'PUBLIC';

Never revoke every privilege granted to PUBLIC. Look for key packages and find out the critical ones that should be revoked.

Page: 1 2

 More Oracle Articles, Database Articles and DBA Tips
   Database Security: Step by step guideline
   Top Free Tools to prevent SQL Injections!!
   Oracle DBMS: Fundamental Security Precautions
   SQL - Best Practices to improve Performance
   Inside Oracle DETERMINISTIC Clause!!


 
 
HOME      ABOUT US      SUPPORT      SITE MAP      PRIVACY POLICY      TERMS OF USE      SUBMIT CONTENT      ADVERTISE
Copyright © 2007 - 2012 Oriole Intellect Inc. All rights reserved.

The name Oracle is a trademark of Oracle Corporation. Any other names used on this website may be trademarks of their respective owners