What administration privileges does Oracle Database 12c provide for security?

The administration privileges: this is unavoidable, and it is a pretty important technical advance. You're going to use this come what may; you have no choice. The other features are a different matter.

Privilege use analysis: a wonderful facility, absolutely brilliant, and I've made pretty good use of it already. Unfortunately, you have to buy Data Vault before you're allowed to use it, which is really annoying. The first time we used privilege use analysis on a production site we didn't realize that it was part of the Data Vault license. We just used it, and we got away with this, but that sort of thing is terrible. I'm not any sort of expert on licensing; if I understood licensing I'd be a salesman and rich, instead of being a technician with no money at all. I don't really want to learn about licensing, but there are times when you can't avoid it. Privilege use analysis is very valuable.

Unfortunately, it's part of Data Vault. As I say, we didn't realize at first, and we got away with it. That's not a nice situation to be in, especially when you're working as a consultant, because if you're working at a customer site and you use something they aren't licensed for, potentially you've committed your customer to spending a heap of money. That's an appalling thing to have done. We got away with it, fine, but I've been very careful ever since. A really nice capability, but it's part of Data Vault.

I should say what privilege use analysis is about: identifying what privileges people have, how they can do certain things, what they can do and what they can't do.

Data redaction is a really nice technique. It's a declarative technique for masking data, a wonderful technique, but unfortunately it's part of the Advanced Security Option.

So again you've got to pay for it. My own opinion is that it's worth it. I think the first time you find a use case for data redaction, it's going to more than justify investing in Advanced Security, because by buying Advanced Security with data redaction we as DBAs can do in half an hour what would otherwise take your programmers weeks to achieve. So yes, you've got to pay for it, but it's probably worth it.

Transparent Sensitive Data Protection you don't pay for as such, but it's a front end to things you do pay for, such as data redaction, so again you're into licensed territory with that.

Then at the end of the chapter we look at PL/SQL. There are no licensing issues here, but there are some big changes to the PL/SQL security model in release 12. However, my experience so far is that all sites ignore them and prefer to carry on with the way PL/SQL works in release 11 and earlier.

So these are important changes moving forward. If I were working on a greenfield site, a brand-new implementation of Oracle, writing a brand-new application in PL/SQL from the beginning, I would definitely consider using the new model. If it's an existing site, with the database already there and the application already there, to retrofit these changes to an existing application will be a nightmare.

And then Real Application Security: that's really only to do with APEX. Well, not only APEX, but it's all to do with three-tier applications.

So there are some important facilities here, but apart from the first one they may not be relevant to you. So let's begin with the one that matters: administration privileges.

Now I'm going to start by getting up VNC, and I just want to make sure I connect to the... oh gosh, which one was mine? I've connected to two or three. It doesn't actually matter which one I go to, I'm not actually going to do anything, but I will make sure I do go to the correct one. Okay, now: lower-case oracle.

So, when you install the Oracle home, when you run the installer, you wait for Java to start up. Don't let anyone tell you Java is slow. There we go. Now, deselect that, and Next; Yes; install database software, Next; single instance, Next; language, Next; Enterprise Edition, Next. By the way, this is release 12.1.0.2. Standard Edition is now out for 12.1.0.2; it wasn't when we configured this machine, which is why that's all greyed out. Next; software location, give it another location, Next.

Right, here's your first change, and this is really the only significant change in installing: you get extra prompts here. What you will be used to is being prompted to choose the OSDBA group and choose the OSOPER group. When you install 12c you get three more selections: database backup and recovery, OSBACKUPDBA; Data Guard administration, OSDGDBA; encryption key management, OSKMDBA.

Oracle has introduced in 12c three new administration privileges. As well as SYSDBA and SYSOPER, we've now got three more: for backup, for Data Guard and for encryption. These are three new privileges, so there's no change to SYSDBA, SYSOPER, or SYSASM if you're using ASM. These are the three new ones: SYSBACKUP lets you do anything you might need to do with RMAN or SQL*Plus, anything to do with backup operations; SYSDG lets you manage the Data Guard broker; SYSKM is for Transparent Data Encryption.

So how do you get these three new privileges? You get them through the password file or through group membership, and here you see, under Linux, you choose your groups. So under Linux you pre-create the groups. I'm logged on to this machine as a chap called oracle.

My primary group is oinstall and my secondary groups are dba, oper, backupdba, dgdba and kmdba. Those are the default group names that the installer is going to look for, and you can see it has put them straight in. Obviously you can map these to any group you want, any group you happen to be a member of, but the defaults that it wants are these, so you will make life easier for yourself if you pre-create those groups.

So if we look at /etc/group, we pre-created them: oinstall, dba, oper, backupdba, dgdba, kmdba. You can call them anything you want; you can even assign all five to the same group. But you'll make life easier for yourself if you follow Oracle standards and create groups called that.

Then, just for completeness, what you're actually doing when you choose this is you're populating.
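Because these privileges come from OS group membership, the group and passwd files show which accounts can connect with each one. The following is an added example, not part of the original talk, that audits this. It assumes the installer's default group names map to the privileges as described above; the sample files and the accounts rman_op and dg_op are constructed.

```python
# Added example: who holds which 12c administration privilege via OS groups.

# Assumption: the installer's default group names are in use.
GROUP_PRIVILEGE = {"dba": "SYSDBA", "oper": "SYSOPER", "backupdba": "SYSBACKUP",
                   "dgdba": "SYSDG", "kmdba": "SYSKM"}

def privileges_by_user(passwd_text, group_text, mapping=GROUP_PRIVILEGE):
    """Return {user: sorted privileges} from passwd(5) and group(5) text."""
    gid_to_priv, holders = {}, {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or line.startswith("#"):
            continue
        name, _, gid, members = fields
        if name not in mapping:
            continue
        gid_to_priv[gid] = mapping[name]
        for user in filter(None, members.split(",")):
            holders.setdefault(user, set()).add(mapping[name])
    # A user's primary group is recorded only in passwd, not in group.
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[3] in gid_to_priv:
            holders.setdefault(fields[0], set()).add(gid_to_priv[fields[3]])
    return {u: sorted(p) for u, p in holders.items()}

def over_privileged(holders, limit=1):
    """Users holding more than `limit` administration privileges."""
    return sorted(u for u, p in holders.items() if len(p) > limit)

# Constructed sample files (not taken from the machine in the demo).
SAMPLE_PASSWD = """oracle:x:54321:54321::/home/oracle:/bin/bash
rman_op:x:54330:54323::/home/rman_op:/bin/bash
dg_op:x:54331:100::/home/dg_op:/bin/bash
"""
SAMPLE_GROUP = """oinstall:x:54321:
dba:x:54322:oracle
oper:x:54323:oracle
backupdba:x:54324:oracle,rman_op
dgdba:x:54325:oracle,dg_op
kmdba:x:54326:oracle
"""

if __name__ == "__main__":
    holders = privileges_by_user(SAMPLE_PASSWD, SAMPLE_GROUP)
    for user in sorted(holders):
        print(f"{user:10} {', '.join(holders[user])}")
    print("more than one privilege:", over_privileged(holders))
```

In the sample, rman_op picks up SYSOPER only through its primary group, which a check of /etc/group alone would miss.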

