594 Applied Oracle Security

ANY privileges, 97, 125
AOS_COMMON_AUDIT_TRAIL view, 290
Apache 2.0, 451
APEX (Application Express), 5, 434–459, 462–496
  architecture, 435–437
  Audit Vault reports and, 80
  authentication schemes, 462–468
  authorization schemes, 468–471
  components and configurations, 434
  cross-site scripting and, 476–478
  database connections and, 436–437
  database roles and, 437–438
  Database Vault and, 457–459
  fine-grained auditing and, 489–496
  item-based policy, 484–486
  mod_rewrite and, 447–449
  mod_security and, 449–451
  network topology, 445–447
  password protection, 445, 463–468, 482
  preventing unauthorized access to, 443–444
  Runtime Only installation of, 443–444
  schema protection, 456–459
  security settings, 439–443
  sessions, 438–439
  SQL injection attacks and, 472–476
  SSL/TLS techniques, 451–456
  summaries of, 459, 496
  URL tampering and, 478–483
  VPD integration with, 484–489
  web-based attack prevention, 449–451
  XSS attacks and, 476–478
APEX_ADMINISTRATOR_ROLE, 440
APEX_INSTANCE_ADMIN package, 440
APEX_PUBLIC_USER schema, 445, 490–491
application accounts, 229, 243–244
application administrators/developers, 18, 235–239
  creating roles for, 245–262
  privileges granted to, 235–236
  separation of duties for, 236–239
application code
  factors used in, 223–224
  See also PL/SQL routines; SQL statements
application data analyst, 237, 259–262
application data manager, 236, 256–259, 299
application DBA pattern, 132–135
application design
  command rules and, 267–280
  factors and, 209–224
  importance of security in, 200, 284
  notional architecture for, 200–202
  object-owner accounts and, 229–231
  realms and, 224–228
  SARs and, 281–284
  secure schemas under DBV, 228–231, 239–267
  security profiles and, 202, 205–209
  use cases and scenarios, 202–205
  user access accounts and, 231–239
Application Express. See APEX
application maintenance administrator, 236, 252–256, 299
application security, 4, 200
application security administrator, 236, 246–252
  EUS-based, 303, 305
  privileges granted to, 299
applications
  DBV applied to existing, 288, 352–353
  factors incorporated into, 220–224
  notional database example, 200–202
  securing public-facing, 532–533
Applied Cryptography: Protocols, Algorithms, and Source Code in C (Schneier), 24
architecture
  APEX, 435–437
  Audit Vault, 69–70
  notional, 200–202
  OES, 380, 381
  OID, 407
  OIM, 402–403
  Oracle BI, 502–504
  OVD, 410–413
  RAC, 71, 74
  SOA, 11–12
ARCHIVELOG mode, 75
ASO (Advanced Security Option), 33, 163, 186, 447
ASO PKI/SSL authentication, 185–187
asymmetric key encryption, 25
attestation, 399–400
attributes
  identity, 217–218, 307–308
  reconciling, 399
audit data warehouse, 59–63
  explanation of, 59–60
  objectives of, 60–63
  securing data at, 63
audit logs, 62, 87–88
audit patterns
  known, 64–66
  unknown, 66–67
audit trails
  analyzing, 290–291
  protecting the integrity of, 278–279
  retention requirements, 280
  testing, 280–281
Audit Vault, 68–89
  alerts, 80–84
  architecture, 69–70
  audit policy management, 84–86
  caveats for installing, 75–79
  installation options, 70–79
  intent in creating, 59–60
  log files, 87–88
  maintenance operations, 86–88
  plan for installing, 75
  report creation, 79–80
  summary of, 88–89
  users and roles, 76–77
Audit Vault collection agent
  architecture, 69, 70
  installing, 71–75, 77–79
  log files, 87–88
Audit Vault Control (AVCTL) utility, 76
Audit Vault Server
  architecture, 69, 70
  installing, 70–71
  log files, 87
auditing, 58–89
  alerts used in, 68, 80–84
  analysis of, 290–291
  APEX policy for, 489–496
  audit warehouse and, 59–63
  best practices for, 67–68
  capture process in, 289–290
  conditional, 99
  DBV events, 73, 115
  factors, 162, 185
  fine-grained, 6, 73, 85, 489–496
  GRC perspective on, 58
  guiding principles for, 63–64
  known patterns, 64–66
  maintenance operations for, 86–88
  managing policy for, 84–86
  nonsecurity reasons for, 59
  object-level, 226–227, 293–294
  Oracle Audit Vault for, 68–89
  Oracle BI and, 563–567
  preparations for, 288–289
  realms, 126–127
  removing data from, 86
  reports based on, 79–80
  rule sets, 148–149
  SAR violations, 196, 197
  securing records from, 62–63
  suggested targets for, 68
  summary of, 88–89
  system-level, 280–281
  testing effectiveness of, 280–281
  unknown patterns, 66–67
  usage tracking with, 566–567
audit_options parameter, 162
authentication
  APEX, 462–468
  ASO PKI/SSL, 185–187
  built-in, 510
  custom, 515
  database, 375, 378, 379, 510, 514–515, 590–591
  enterprise SSO, 374, 376
  external, 510–515
  fallback, 515
  federated, 375, 377–378
  internal, 589–590
  LDAP, 512–514
  multifactor, 98
  Oracle BI, 510–516
  proxy, 7, 302
  Publisher, 515–516
  RPD used for, 510
  single sign-on, 374, 375–376
  strong, 33, 375, 377
  table-based, 511–512, 590
authentication management, 374–378
authorization
  APEX, 468–471
  Oracle BI, 516–524
  Publisher, 524
  realm, 130–136, 296–309
authorization management, 378–381
Auto Login, Oracle Wallet, 36–37
AV_ADMIN role, 76
AV_AGENT role, 77
AV_AUDITOR role, 76
avca.log file, 87
av_client-%g.log.n file, 87
avorcldb.log file, 87
AV_SOURCE role, 77

B

backup files
  encryption wallet, 35
  protecting data in, 29–30
  RMAN for creating, 342–343
batch programs, 201
Bednar, Tammy, 69
best practices for auditing, 67–68
BI server. See Oracle Business Intelligence
binary execution, 116
bind variables, 472, 475–476
binding adapter, 425
built-in authentication, 510
business congruency, 11–12
business intelligence (BI) systems, 60
  analysis tools for, 61–62
  challenges in securing, 499–501
  data warehouse for, 61, 499–500
  tasks involved in securing, 501–502
  transactional systems vs., 499–500, 501
  See also Oracle Business Intelligence
business logic tier, 402–403
business model filters, 516, 545–546
business use cases, 289
business use policies, 66

C

cache, Oracle BI, 531–532, 552–559
capture rules, 85
capturing audits, 289–290
cardholder data protection, 47–48
Cardholder Information Security Program (CISP), 47
catalog content security, 536–540
Center for Internet Security, 281
central issuance authority, 359
centralized database authentication, 378, 379
centralized security, 11
checksums, 481
check_user initialization block, 590, 591, 592
child factors, 165, 166–168
choose function, 547–548
clearanceCode attribute, 424
client identifiers, 540–541
client tier, 402
CLIENT_IDENTIFIER technique, 185
<CName><SName><Sld>.log file, 87
coarse-grained security profile, 205–208, 285
collectors
  attributes of, 74
  choosing types of, 72–74
  functions performed by, 69, 70
  non-Oracle database, 73
  See also Audit Vault collection agent
column-level security, 547–551
  choose function, 547–548
  example for testing, 590
  IndexCol function, 548–549
  summary of, 549–551
columns
  encrypting existing, 41–43
  encrypting in a new table, 38–40
  securing in Oracle BI, 547–551
  viewing encrypted, 41
command rules, 104, 136–147
  commands supported in, 143–144
  components of, 139–143
  controls enforced by, 140
  DBV CONNECT, 144–147
  establishing from conditions, 267–280, 311–318
  explanatory overview of, 136–139
  realms and, 137–138
  rule sets and, 138
  system-level auditing and, 280–281
commands
  security by, 100
  supported in command rules, 143–144
commercial off-the-shelf (COTS) applications, 22, 229
compliance
  conditions based on, 207
  factors based on, 215–216, 318
compliance and mandates discovery, 365–366
compliance regulations, 352
computer security field, 4
conditional auditing, 99
conditional security, 98–99
conditions
  coarse-grained security profile, 207–208
  command rules established from, 267–280, 311–318
  factors based on business/system, 209–224
  fine-grained security profile, 209
  SARs established from, 281–284
configuration
  APEX, 434
  BI Publisher, 584–585
  DBV policy, 106–110
  OAM, 527–529
  object-level auditing, 226–227
  OVD server, 413–414
  rule, 151–154
  TDE, 45–55
conflict of interest
  conditions based on, 207
  factors based on, 216–217, 318
CONNECT operation, 144
connection pools, 184
  APEX and, 436–437
  data source type, 504–505
  DBV SARs and, 281
  function-based, 505–506
  multiple, 506
Connection_Type factor, 164, 169–170
consolidated databases, 119–121, 352
constants
  compliance regulations and, 215
  factor identities as, 163
content security, 536–540
context-based security, 98–99
contexts
  application, 184–185
  conditions based on, 208
cookies, APEX, 441
coordinated maturity level, 368
CORPORATE_PASSWORD identity, 168–169, 170
CORPORATE_SSL identity, 168
CREATE PROCEDURE system privilege, 211
CREATE TABLE statement, 39
CREATE TABLESPACE command, 140
CREATE TRIGGER commands, 250
CREATE USER system privilege, 67, 104
credential store, 583–584
cross-site scripting (XSS), 449, 476–478
cryptography, 23–24
CSS attacks, 449–450
CSV files, 314
CTXSYS objects, 330, 332
custom authentication, 515
custom event handlers, 150–151, 348–352
custom table of usernames, 463–468
CUSTOMER_POLICY_DBA role, 250
customized alert handling, 84

D

DAD (Database Access Descriptor), 435, 445
dadTool, 445
dashboards, 587–588
data
  auditing changes to, 73
  backup file, 29
  conditions based on, 208
  encrypting, 28–32
  exporting/importing, 52–53
  factors based on, 220, 324–325
  inferring information from, 501
  mapping roles to, 364–365
  viewing, 30–31
data access events, 73
data discovery, 361, 364–366
Data Guard
  Audit Vault and, 71
  TDE and, 49
data loading, 61
Data Pump, 52–53
data steward, 236, 256–259, 299
data tier, 403
data transformation, 61
data warehouse, 61, 499–500
Database Access Descriptor (DAD), 435, 445
database account administrator, 112
database accounts
  object owner accounts, 13–14
  user access accounts, 13, 14–16
database administrators (DBAs), 18
  functions performed by, 201, 232
  operational, 112–114, 237, 239–243
  privileges granted to, 299
  separation of duties for, 235–239
database applications
  DBV applied to existing, 288, 352–353
  factors incorporated into, 220–224
  notional database example, 200–202
database authentication, 375, 378, 379, 510, 514–515, 590–591
Database Configuration Assistant (DBCA), 105
database connections
  APEX and, 436–437
  Oracle BI and, 531
database global role, 303, 304
database roles, 437–438
database scripts, 582–583
database security, 4
  application design and, 200, 284–285
  evolving technologies in, 6–8
  existing applications and, 288, 352–353
Database Vault (DBV), 94–116, 118–198
  administration roles, 105–106, 237–238, 262–264
  APEX and, 457–459
  application development and, 200, 284–285
  auditing events in, 73, 115
  buy-versus-build consideration, 116
  code for disabling, 458
  collection agent installation, 77
  command rules, 104, 136–147, 267–281
  components of, 100–104, 118
  existing applications and, 288
  Expression Filters and, 333–336
  factors, 101, 115, 209–224
  installing, 105–115
  integration with database features, 329–344
  login page, 107
  monitoring and alerting features, 108, 344–352
  Oracle BI and, 561–563
  Oracle Recovery Manager and, 342–343
  Oracle Spatial and, 332–333
  Oracle Streams Advanced Queuing and, 336–341
  Oracle Text and, 329–332
  policy configuration, 106–110
  realms, 102–104, 111, 118–136, 224–228, 296–309
  refining policy for, 327
  reports, 108
  rule sets, 102, 135–136, 147–157, 348–352
  secure application roles, 194–197, 281–284
  secure schema implementation, 239–267
  security issues addressed by, 94–100
  separation of duty, 110–114
  summary of, 198
  TDE and, 341
database view, 410
databases
  backup and recovery of, 342–343
  consolidation of, 119–121, 352
  direct requests of, 571–574
  OVD integration with, 419–423
  querying features of, 326
  security breaches across, 66
datafiles, viewing, 30–31
DB2DB collectors, 73
DBA_COMMON_AUDIT_TRAIL view, 290
DBA_ENCRYPTED_COLUMNS view, 41
DBA_JAVA_POLICY view, 325
DBAs. See database administrators
DBAUD collectors, 72, 74, 75
DBMS_AUDIT_MGMT package, 86
DBMS_CRYPTO package, 22
  APEX and, 463–464
  encrypting data using, 28, 32
  TDE vs., 40–41
DBMS_FGA package, 491
DBMS_LDAP package, 520
DBMS_MACADM PL/SQL package, 108–110
  ADD_POLICY_FACTOR procedure, 180
  CREATE_FACTOR procedure, 162, 163
  CREATE_MAC_POLICY procedure, 179–180
  CREATE_POLICY_LABEL procedure, 180–181
DBMS_MACSEC_ROLES.SET_ROLE procedure, 195
DBMS_OBFUSCATION_TOOLKIT, 22
DBMS_RLS package, 171, 172
DBMS_SCHEDULER job, 79, 280, 326
DBMS_SESSION.SET_IDENTIFIER procedure, 184, 185, 190, 540
DBMS_UTILITY package, 140–142
DBSNMP account, 229–230
DBV. See Database Vault
DBV CONNECT command rule, 144–147
DBVEXT.DBMS_MAC_EXTENSION package, 215, 241, 348
DBVEXT.EXTERNAL_RULE.AUTHORIZED function, 318
DBVOWNER account, 126
DDL commands
  auditing, 68, 73
  command rules and, 144
  realm-protected objects and, 125
DDL triggers, 116
declarative framework, 99, 100, 116
dedicated accounts, 15
default account logon failure, 65–66
default privileges, 567–568
definer’s rights procedures, 7
DELETE privileges, 194, 317
dependency check, 324
deployment
  DBV policy, 327–329
  OIM component, 402–403
dequeuing messages, 339–341
direct database requests, 571–574
direct object privileges
  command rules and, 137
  realms and, 131, 137
Directory Integration Platform (DIP), 408–409
directory management, 373–374
directory replication, 408
directory services, 406–430
  Oracle Internet Directory, 406–409
  Oracle Virtual Directory, 409–430
Directory Services Markup Language (DSML), 411
directory virtualization, 373, 409–410
  See also Oracle Virtual Directory
disaster recovery locations, 32
discovery in identity management, 361–366
  information requirements, 364–366
  people requirements, 361–362
  process requirements, 363–364
discretionary account provisioning, 391–394
disk arrays, 31
DML commands
  auditing, 73
  command rules and, 143
DML triggers, 116
DMZ network, 446, 532
domain restrictions, 442
DROP ANY ROLE privilege, 246
DROP commands, 246–247
DROP INDEX statements, 333
DROP TABLE command, 139–140
DVA web application, 106–108
DV_ACCTMGR role, 76, 105, 106, 112
DV_ADMIN role, 105, 108, 111, 237
DVF.F$ factor function, 162, 189
DV_OWNER role, 76, 105, 108, 111, 237
DV_PUBLIC role, 223
DV_REALM_OWNER role, 105, 236, 245
DV_REALM_RESOURCE role, 105
DV_SECANALYST role, 105, 108, 238
DVSYS account, 147, 161
DVSYS.DBMS_MACADM PL/SQL package, 106, 108–110, 111
DVSYS.DBMS_MACSEC_ROLES.SET_ROLE procedure, 195
DVSYS.GET_FACTOR function, 162, 189, 223
DVSYS.SET_FACTOR function, 184, 189
dynamic group membership, 518–523
  using LDAP directly, 520–521
  using LDAP indirectly, 521–523
  using tables, 518–520
dynamic server variables, 507

E

Effective Oracle by Design (Kyte), 407
Effective Oracle Database 10g Security By Design (Knox), 4, 23, 58, 119, 228, 302
e-mail
  Audit Vault alerts via, 81
  Oracle BI security, 530–531
Embedded PL/SQL Gateway (EPG), 434
emctl status dbconsole command, 106
employeeType attribute, 307
ENCRYPT directive, 39
encryption, 23–32
  algorithms and keys, 24
  applied example of, 31–32
  basics of, 23–24
  BI environment, 530–531
  choices for, 24
  column-level, 38–43
  data, 28–32
  file system, 32
  goal of, 23
  network, 33
  programmatic, 32
  public key, 25–27, 452
  session state, 482–483
  SSL, 27
  strength of, 24
  symmetric key, 24, 25, 27–28, 37
  tablespace, 44–45
  technical requirement for, 29–30
  See also TDE
ENCRYPTION keyword, 35
encryption wallet, 34
ENCRYPTION_PASSWORD option, 53
ENCRYPTION_WALLET_LOCATION parameter, 34
end user access accounts. See user access accounts
Enterprise Manager (EM)
  database control GUI, 45, 46
  statistics collection, 229
enterprise maturity, 366–369
enterprise role, 303, 304
Enterprise Security Manager (ESM), 232–233
enterprise single sign-on (eSSO), 374, 376
Enterprise User Security (EUS), 184, 217–218, 303–309, 378
Enterprise Users, 7
entitlement management, 380
era of governance, 58
error messages, 450–451
eval_options parameter
  for factors, 162, 220
  for rule sets, 145
EVALUATE operator, 334, 336
event functions, 154–155, 348–352
evolving technologies, 6–8
execute application roles, 264–267
EXEMPT ACCESS POLICY privilege, 561
EXPLAIN PLAN feature, 343–344
exporting encrypted data, 52–53
Expression Filters, 333–336
Extensible Access Control Markup Language (XACML), 371
external authentication methods, 510–515
  custom authentication, 515
  database user authentication, 514–515
  LDAP authentication, 512–514
  table-based authentication, 511–512
external systems
  conditions based on data in, 208
  factors based on data in, 220, 324–325
  realm authorizations and, 303–309
extracting data, 61

F

factors, 101, 157–194
  access path, 218–219, 322
  assigning, 184–185
  auditing, 162, 185
  categories for identifying, 210–211
  centralizing PL/SQL routines for, 211–215
  compliance-based, 215–216, 318
  condition and candidate, 210
  conflict of interest, 216–217, 318
  creating, 158–162
  DBV usage of, 157
  evaluation of, 162
  explanation of, 101, 157
  external systems and, 220, 324–325
  functions of, 162
  identities of, 163–174, 184–185
  identity management, 217–218, 321–322
  integrating with OLS, 174–189
  naming, 161
  operational context, 218–219, 323
  Oracle BI and, 561–562
  organizational policy, 217, 318
  PL/SQL code and, 223–224, 325–326
  retrieval method for, 158–162
  rule sets and, 156–157
  security-relevant, 115
  separation of duty, 216–217, 318
  time-based, 219–220, 319–321
  transactional sequence-based, 323–324
  validation of, 189–194
fallback authentication, 515
federated authentication, 375, 377–378
FGA. See fine-grained auditing
file systems, encrypted, 32
file upload security, 441
filtering output, 450
filters
  business model, 516, 545–546
  expression, 333–336
fine-grained auditing (FGA), 6, 73, 85
  APEX and, 489–496
  factors used in, 222
fine-grained security profile, 208–209, 285
firewalls, 446, 532
Flashback feature, 494
folder-based security, 537–538
fraud prevention, 375, 377
functional use cases, 280

G

GATHER_STATS_JOB feature, 343
Generic Technology Connector (GTC), 397–398
geographic information system (GIS), 332
get_expr parameter, 162, 163
GET_FACTOR function, 157
get_groups initialization block, 590, 591, 592
GET_PRODUCT session variable, 543–544
global database, 76
global schema mapping, 303, 304
governance, era of, 58
government regulations, 10
GRANT ANY OBJECT privilege, 236
GRANT ANY ROLE privilege, 236
GRANT EXECUTE privilege, 154, 159
GRANT_OR_REVOKE_TO_SELF function, 241
graphical user interface (GUI), 45
GRC (Governance, Risk Management, and Compliance), 58, 88
group accounts, 229
group membership, 517–523
  dynamic, 518–523
  internal/external, 517–518
groups
  Oracle BI, 516–523, 580
  user, 387–388
  web catalog, 516–517, 523, 537

H

handler routines, 150–151, 348–352
HANDLER_MODULE parameter, 494
hardware security modules (HSMs), 53–55
hash algorithms, 463
High Assistance Principle (HAP), 100
high-level usage analysis, 225
HIPAA (Health Insurance Portability and Accountability Act), 9
hire-to-retire process, 386
historical reporting, 401
HTTP protocol, 454–456, 478
HTTP server, 445–446, 479
HTTPS setting, 442, 454–456
hub-and-spoke architecture, 370

I

iBot security, 538–539
identify_by parameter, 163
identities, factor, 163–174
identity attributes, 217–218, 307–308
identity management, 358–383
  architecting, 360–372
  authentication solutions, 374–378
  authorization solutions, 378–381
  conditions based on, 207
  core challenge of, 361
  definition of, 361
  directory management solution, 373–374
  discovery phase in, 361–366
  enterprise maturity and, 366–369
  explanation of problems with, 358–360
  factors based on, 217–218, 321–322
  hub-and-spoke architecture for, 370
  information requirements and, 364–366
  LDAP directory and, 406
  overview of solutions for, 372
  people requirements and, 361–362
  point-to-point architecture for, 369
  process requirements and, 363–364
  role mining and management solution, 381–383
  SOS pattern for, 370, 371–372
  summary of, 383
  user provisioning solution, 372–373
  See also Oracle Identity Manager
Identity Management Organizational Model (IMOM), 362
identity maps, 163–170
identity preservation, 7
identity propagation, 360
identity verification, 359
Impersonator user, 527–528
importing encrypted data, 52–53
IndexCol function, 548–549
indexes
  Oracle Spatial, 333
  Oracle Text, 330, 332
InetAD plug-in, 418
inetorgperson object class, 418, 419
information discovery, 364–366
initialization blocks, 508
INSERT command, 268
installing
  Audit Vault, 70–79
  Database Vault, 105–115
  Oracle Virtual Directory, 413
INSTR_CALL_STACK function, 218
intellectual property, 10
internal authentication, 589–590
intrusion detection system (IDS), 324
invited nodes feature, 322
invoker’s rights procedures, 7
IP address restrictions, 441
IP_ADDRESS environment variable, 491
IS_APEX_SESSION_ONE function, 491
IT resources, 390
item-based policy, 484–486

J

Java Database Connectivity (JDBC), 281
Java Message Service (JMS), 84
Java stored procedures, 325
Java Virtual Machine (JVM), 96
JDBC drivers, 421
join rules, 429
join view, 424–430
  adapter creation, 428–430
  design considerations, 424–427
  explained, 424
  joiners, 425–426

K

keys, encryption, 24–28
known audit patterns, 64–66

L

label_function parameter, 221
label_indicator parameter, 165
layers of security, 11
LBACSYS account, 175, 177–178, 318
LDAP (Lightweight Directory Access Protocol), 7, 217, 303, 360, 371, 406
LDAP authentication, 512–514, 591–592
  using directly for dynamic group membership, 520–521
  using indirectly for dynamic group membership, 521–523
LDAP server
  Oracle BI setup of, 512–514
  OVD integration with, 415–419
LDAPBIND operation, 425
LDAP_DIRECTORY_ACCESS parameter, 321
least privileges, 13
LII algorithm, 180
Local Store Adapter (LSA), 414–415, 416
location-based services (LBS), 332
log files, Audit Vault, 87–88
LOGLEVEL session variable, 558
logon failures, 65–66

M

MAC algorithm, 463, 481
macro auditing, 59
maintenance
  application administrator, 236, 252–256
  Audit Vault, 86–88
Manage Cache utility, 558
managing security, 11
maps
  database to OVD, 422, 423
  global schema, 303, 304
  identity, 163–170
  role-to-data, 364–365
masking, 277
Master Key
  HSM-managed, 54–55
  TDE-managed, 37–38
maturity model framework, 367–369
MDSYS.SEM_INDEXTYPE index type, 333
MDSYS.SPATIAL_INDEX index type, 333
membership rules, 387–388
message authentication code (MAC), 463, 481
message queuing, 336–341
metadata, BI server, 542
meta-directory, 373, 409
micro auditing, 59
Microsoft Office plug-in, 525
mod_rewrite
  APEX and, 447–449
  SSL and, 456
mod_security, 449–451
monitoring
  Database Vault, 108, 344–352
MSSQLDB collectors, 73
multifactor authentication, 98
multifactored security, 163, 171, 183

N

named accounts
  creating administrators for, 262
  post-configuration provisioning of, 267
  realm authorizations and, 132–135
naming
  factors, 161
  schemas, 18–19
natural keys, 44
Needham, Paul, 69
network encryption, 33
network topology, 445–447
NO SALT directive, 39, 51
NOAUDIT command, 62
NOMAC directive, 51
normal use baseline, 66
NOT NULL value, 280
notional database applications, 200–202
  example use case for, 203–205
  requirements for, 200–201
NQS_PASSWORD_CLAUSE, 512
NULL value, 280

O

OAM. See Oracle Access Manager
OBI. See Oracle Business Intelligence
object privileges, 68, 131
object-level auditing, 226–227, 293–294
object-owner accounts, 13–14
  group COTS, 229
  Oracle Data Dictionary and, 332
  realms and, 131–132, 292
  system, 229–231
objects
  identifying realms based on, 224–228
  realm-protected, 111, 125–126, 226–228, 292–296
  resource, in OIM, 390
  Verb Object technique and, 205–206
OEM dbconsole, 106
OES. See Oracle Entitlement Server
OETs (Oracle External Tables), 312–318
Office plug-in, Oracle BI, 525
OHS. See Oracle HTTP Server
OID. See Oracle Internet Directory
OIM. See Oracle Identity Manager
OLS. See Oracle Label Security
on-boarding process, 386
one-to-many joiner, 426
online redefinition, 42
online transaction processing (OLTP), 457
OPEN WALLET command, 55
operational context
  conditions based on, 208
  factors based on, 218–219, 323
operational database administrator, 112–114
  creating role and accounts for, 239–243
  privileges granted to, 299
  separation of duties and, 237
operational reporting, 401
Oracle Access Manager (OAM), 375–376, 379, 462, 525–529
  analyticsSOAP URL association, 529
  Impersonator user configuration, 527–528
  policy setup for Oracle BI, 526–527
  presentation server configuration, 528–529
Oracle Adaptive Access Manager (OAAM), 377
Oracle Answers, 574
Oracle Application Server (OAS), 434
Oracle Audit Vault. See Audit Vault
“Oracle Audit Vault Best Practices” (Bednar, Needham, and Shah), 69
Oracle Business Intelligence (Oracle BI), 498–533
  Act As Proxy feature, 568–571
  Advanced tab, 574–575
  architecture, 502–504
  auditing in, 563–567
  authentication, 510–516, 589–592
  authorization, 516–524
  business model filters, 545–546
  cache security, 531–532, 552–559
  client identifiers, 540–541
  column-level security, 547–551, 590
  connection pools, 504–506
  data access, 502–509
  data security, 541–551
  database auditing and, 565–567, 582
  Database Vault and, 561–563
  default privileges, 567–568
  direct database requests, 571–574
  direct server access, 575
  e-mail security, 530
  environment security, 530–531
  examples of using, 580–592
  factors and, 561–562
  features with security implications, 567–576
  groups, 516–517, 523, 580
  metadata layers, 542
  Office plug-in, 525
  overview of, 498
  password encryption, 530
  permissions, 537–538
  public-facing applications, 532–533
  Publisher, 515–516, 524, 539–540, 584–585
  realms and, 563
  row-level security, 543–546, 559–561
  security tasks, 501–502
  single sign-on, 524–529, 592
  SSL Everywhere feature, 530
  steps for setting up, 583–586
  subject area security, 542–543
  summaries of, 533, 576–577
  testing recommended for, 586–587
  usage tracking feature, 564–565, 566–567, 585–586
  variables, 506–509
  VPD integration, 551–561
  web catalog content security, 536–540
  Web Services access, 576
  See also business intelligence (BI) systems