Section 22.1.  Security Overview

22.1. Security Overview Oracle security topics fall into three general categories: Those that are exclusively in the DBA, system administrator, and network administrator domains. Topics in this categoryfor example, user and privilege managementare beyond the scope of this book. Those that are important to developers and application architects and that are not necessarily under the purview of the DBA. One example is the issue of selecting invoker rights versus definer rights while creating stored code; this choice is typically made during the application design phase itself by the developer, not by the DBA. Topics in this category are covered elsewhere in this book; for example, the topic of rights is covered in Chapter 23. Those that are generally considered DBA topics but that developers and application architects need to know about and from which they can derive a good deal of unconventional value. These include encryption , row-level security (RLS), application contexts , and fine-grained auditing (FGA). These topics are the subject of this chapter. How can the features and tools described in this chapter help PL/SQL developers and application architects? Let's answer that question by looking at each topic in turn: Encryption The answer here is obvious: encryption is vitally important to data protection and is actively applied in many application design situations. You need a working knowledge of the Oracle features and tools available to perform encryption, including Transparent Data Encryption (TDE), which was introduced in Oracle Database 10g Release 2. Row-level security (RLS) When you design an application, you must be aware of the architecture being used for access and authorization of data. RLS allows you to restrict the rows a user can see. A clear understanding of RLS helps you write better code, even if you don't implement RLS yourself. In many cases, RLS actually makes applications simpler to understand and easier to implement. In some special cases, it even allows a canned application to be compliant with the established security practices followed in your organization. Application contexts Related to row-level security, application contexts are sets of name-value pairs that can be defined in a session through the execution of a specially defined stored procedure. Application contexts are most commonly used to control access to database resources according to rules that vary depending on the current user. They can be very useful application development resources Fine-grained auditing (FGA) FGA provides a mechanism to record the fact that certain users have issued certain statements against a table and that certain conditions are met. FGA provides a number of features of value to developers. For example, FGA lets you implement what is in essence a SELECT trigger, a user-written procedure executed automatically every time a piece of data is selected from the table. Oracle security is an enormous topic; this chapter can only touch on those aspects of most value to PL/SQL developers. For more information on these and related Oracle security operations, see Oracle PL/SQL for DBAs by Steven Feuerstein and Arup Nanda (O'Reilly). There are also many excellent security books on the market that you should also consult if you need to understand the intricacies of the security topics introduced in this chapter.