DATABASE SECURITY
CSEC3360
Chapter 3: Foundational Elements for a
Secure Database
Dr. Ruba Awadallah
Textbook: David C. Knox, William Maroulis, and Scott Gaetjen, Oracle Database 12c Security. Thanks to Engineer Saif.
16/04/2025 Dr. Ruba Awadallah
Chapter Objectives
❖ Access Control, Authorization, and Privilege
✓ Access Control & Access Control Lists (ACLs): access control is the process of allowing or preventing a user access to a resource; an ACL is the list of subjects and the actions each of them is allowed on a resource.
✓ Authorization: a binding between a security policy and the actual privileges a user has in a given context.
✓ Privilege: a permission to perform an action in the database; privileges are given and taken away with GRANT and REVOKE.
➢ System Privileges:
1. ANY System Privileges: not limited to a specific schema, but rather to any object of a specific type regardless of schema.
❖ The following query illustrates a few ANY privileges:

SELECT name
FROM system_privilege_map
WHERE name LIKE '%ANY%'
ORDER BY name;

NAME
----------------------------
ADMINISTER ANY SQL TUNING SET
ALTER ANY ASSEMBLY
...
DELETE ANY TABLE
...
EXECUTE ANY PROCEDURE
...
INSERT ANY TABLE
...
SELECT ANY TABLE
...
UPDATE ANY TABLE
...
➢ A quick description of the categorization of commands within the Oracle Database follows:
❑ SELECT: a read-only query against a table or view, for example.
❑ Data Manipulation Language (DML): write actions such as INSERT, UPDATE, or DELETE against a table or view, for example, or EXECUTE actions on PL/SQL code.
❑ Data Definition Language (DDL): CREATE TABLE, ALTER TABLE, DROP TABLE, GRANT, REVOKE, TRUNCATE, etc.
❑ System Control Commands such as ALTER SYSTEM and ALTER DATABASE.
❑ Session Control Commands such as ALTER SESSION and SET ROLE.
❑ Transaction Control Commands such as COMMIT and ROLLBACK.
❑ EXECUTE ANY PROCEDURE system privilege:
✓ Authorizes the user to execute any procedure defined in any non-SYS schema in the database.
✓ Allows the user to view the source code (through ALL_SOURCE) of any non-SYS procedure in the database.
✓ Because a definer's rights procedure runs with its owner's privileges, this single grant reaches the privileges of every non-SYS schema that owns such a procedure; treat it as a DBA-level grant when reviewing who holds it.
2. ADMINISTRATIVE System Privileges:
✓ Administrative privileges affect the state of the database or pluggable database.
✓ Examples: the ability to issue ALTER DATABASE, ALTER SYSTEM and ALTER USER commands, or the ADMINISTER DATABASE TRIGGER privilege.
✓ Even the privilege to connect (CREATE SESSION) to the database is a system privilege.
❑ Viewing System Privileges: use the SYSTEM_PRIVILEGE_MAP view.

SELECT name
FROM system_privilege_map
WHERE name LIKE '%CONTEXT%'
ORDER BY name;

NAME
----------------------------
ALTER ANY EVALUATION CONTEXT
CREATE ANY CONTEXT
...

➢ You can determine which accounts or roles have been granted which system privileges by querying the view DBA_SYS_PRIVS (current container) or CDB_SYS_PRIVS (all containers of the CDB).
➢ Example:

SELECT grantee
FROM dba_sys_privs
WHERE privilege = 'SELECT ANY TABLE'
ORDER BY grantee;

GRANTEE
----------------------------
DATAPUMP_IMP_FULL_DATABASE
DBA
DV_REALM_OWNER
EXP_FULL_DATABASE
IMP_FULL_DATABASE
LBACSYS
MDSYS
OLAP_DBA
SYS
SYSTEM
WMSYS

➢ Note that most of these grantees are roles (DBA, EXP_FULL_DATABASE, IMP_FULL_DATABASE, ...) rather than accounts, so the people who can actually read every table are found by following the role grants in DBA_ROLE_PRIVS.
❖ You can determine who has SELECT ANY TABLE across all pluggable databases by issuing the following query from the root container:

SELECT grantee, pdb_name
FROM cdb_sys_privs csp
JOIN cdb_pdbs cp ON (csp.con_id = cp.con_id)
WHERE privilege = 'SELECT ANY TABLE'
ORDER BY grantee;

❖ You can determine all privileges a connected user has (direct grants plus those coming from the roles currently enabled) by selecting from the view SESSION_PRIVS:

SELECT * FROM session_privs
ORDER BY privilege;
➢ Roles
❑ Roles are collections of privileges and are described later in this chapter.
❑ Granting a database role to a user effectively grants the user all the privileges that were granted to that role.
❖ You can determine all roles a connected user has enabled in the current session by selecting from SESSION_ROLES:

SELECT * FROM session_roles
ORDER BY role;

❖ What remains to be determined is to which objects the non-administrative privileges pertain.
Object Privileges
➢ Object privileges authorize a user to perform actions (INSERT, SELECT, EXECUTE, and so on) on database objects (table, view, PL/SQL function, and so on).
➢ Database users are authorized to perform actions against objects they own.
[Figure: the Sales History (SH) user owns the CUSTOMERS table and can SELECT, INSERT and UPDATE it without any grant.]
➢ However, if the SH user needs to query a different schema's object, then the SELECT privilege for that object must be granted to SH before the action can be performed.
[Figure: SH's SELECT on HR's EMPLOYEES table fails until the HR user or a DBA grants SELECT on it to SH, after which it succeeds.]
➢ As with system privileges, object privileges can be granted in several ways: directly to a user, to a role, and so on.
➢ We call this type of access control discretionary access control (DAC), because the granting of access to an object is left to the discretion of the object owner, of anyone the owner has granted the privilege WITH GRANT OPTION, or of someone holding the GRANT ANY OBJECT PRIVILEGE system privilege.
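The following script is an added example of DAC in practice and is not code from the book or the slides. HR, SH and EMPLOYEES are the names used above; the OE account is assumed for illustration. It shows the owner delegating SELECT with GRANT OPTION, the delegate passing it on, a DBA tracing who holds it and who gave it, and the cascade that happens when the owner revokes.

```sql
-- Added example; HR, SH and EMPLOYEES are from the slides, OE is an assumed third account.

-- [as HR, the owner] hand SELECT to SH and allow SH to pass it on
GRANT SELECT ON hr.employees TO sh WITH GRANT OPTION;

-- [as SH] SH may re-grant exactly what it received, but nothing more (no UPDATE, for instance)
GRANT SELECT ON hr.employees TO oe;

-- [as a DBA] who can read HR.EMPLOYEES, who gave it to them, and can they pass it on?
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'HR'
   AND table_name = 'EMPLOYEES'
 ORDER BY grantee;

-- [as HR] revoking from SH cascades: the grant OE received through SH disappears too
REVOKE SELECT ON hr.employees FROM sh;

-- [as a DBA] re-run the query above: neither SH nor OE is listed any more.
-- Contrast with system privileges: a privilege granted WITH ADMIN OPTION and passed on
-- is NOT cascaded when revoked from the first grantee, so DBA_SYS_PRIVS has to be
-- checked separately for the accounts further down the chain.
```

The GRANTOR column is what makes the chain visible; a grantor other than the owner means the privilege was delegated, and the GRANTABLE flag tells you whether it can spread further.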
❑ Viewing Object Privileges
➢ You can determine how you have received a privilege to an object by running the following query:

SELECT grantee ROLE, privilege,
       table_schema||'.'||table_name OBJECT_NAME, type
FROM all_tab_privs
WHERE grantee IN (SELECT * FROM session_roles)
UNION
SELECT DECODE(grantee, UPPER(USER), 'DIRECT', grantee) ROLE, privilege,
       table_schema||'.'||table_name OBJECT_NAME, type
FROM all_tab_privs
WHERE grantee = UPPER(USER)
ORDER BY role, privilege, object_name;
➢ This query is helpful because you can tailor it to determine which specific privileges have been granted on a specific schema's objects.
➢ It lists only what reached you directly (ROLE reads DIRECT) or through a role enabled in this session; privileges granted to PUBLIC are not shown, because PUBLIC never appears in SESSION_ROLES.
❑ Viewing Object Privileges in a pluggable database
➢ The per-session query above reports only the grants held by the connected user. To see all object privileges that have been granted on the XDB schema's objects in the pluggable database SALES, whoever the grantee is, query CDB_TAB_PRIVS (the container-wide form of DBA_TAB_PRIVS) joined to CDB_PDBS on CON_ID and filter on PDB_NAME = 'SALES' and OWNER = 'XDB'. Note that the DBA_ and CDB_ views name the owning schema OWNER, whereas ALL_TAB_PRIVS calls it TABLE_SCHEMA.
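The query below is an added example, not the book's; it implements the container-wide view just described. It is run from CDB$ROOT as a common user allowed to read the CDB_ views, and the names SALES and XDB are those used on the slide.

```sql
-- Added example; run in CDB$ROOT as a common user that can read the CDB_ views.
-- Every object privilege on XDB-owned objects inside the SALES pluggable database.
SELECT p.grantee,
       p.privilege,
       p.table_name,
       p.grantor,
       p.grantable
  FROM cdb_tab_privs p                      -- OWNER here, not TABLE_SCHEMA as in ALL_TAB_PRIVS
  JOIN cdb_pdbs     c ON c.con_id = p.con_id
 WHERE c.pdb_name = 'SALES'
   AND p.owner    = 'XDB'
 ORDER BY p.grantee, p.table_name, p.privilege;

-- The same join collapsed to one line per grantee is the quicker audit view;
-- a grantee of PUBLIC means every account in that PDB holds the grant.
SELECT p.grantee,
       COUNT(*) AS object_grants
  FROM cdb_tab_privs p
  JOIN cdb_pdbs     c ON c.con_id = p.con_id
 WHERE c.pdb_name = 'SALES'
   AND p.owner    = 'XDB'
 GROUP BY p.grantee
 ORDER BY object_grants DESC;
```

Connected directly to the SALES PDB rather than to the root, the same information comes from DBA_TAB_PRIVS without the join to CDB_PDBS.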
Column Privileges
➢ Oracle Database 12c enables you to grant privileges on individual columns within a table.
➢ The object privileges that can be granted at column level are INSERT, UPDATE and REFERENCES. SELECT cannot be granted on a subset of columns; to give a user or role read access to some columns only, grant SELECT on a view that exposes just those columns (or mask columns with VPD).
➢ If a user or group of users (a role) needs INSERT or UPDATE access to a column or set of columns, you can grant access directly on the table's columns.
❑ UPDATE Column Privileges:
➢ Granting UPDATE on an individual column simplifies the security controls in your system: the grantee can change that column and nothing else in the row.
➢ This feature can be combined with VPD or OLS to restrict which rows, or sets of rows, may be updated.
[Figure: the EMPLOYEES table in the HR schema of the HR PDB, with its SALARY column and the IT, SALES and MTG departments.]
➢ To accomplish the second part of our scenario, we grant the UPDATE privilege on the SALARY column of the EMPLOYEES table to the managers.
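An added example of the SALARY grant, not from the book or the slides: HR.EMPLOYEES and SALARY are the slide's names, while MGR_ROLE, the MGR1 account and employee 101 are assumed for illustration. It shows the column-level grant, what the grantee can and cannot update, and where the grant is recorded.

```sql
-- Added example; MGR_ROLE and MGR1 are assumed names.
-- [as a DBA]
CREATE ROLE mgr_role;

-- Column-level UPDATE: managers may change SALARY and no other column
GRANT UPDATE (salary) ON hr.employees TO mgr_role;

-- SELECT cannot be limited to columns by a grant. It is granted on the table here
-- because an UPDATE ... WHERE needs SELECT on the table when SQL92_SECURITY is TRUE.
-- To limit what managers can read, grant SELECT on a view that exposes only the
-- permitted columns instead of on the table itself.
GRANT SELECT ON hr.employees TO mgr_role;

GRANT mgr_role TO mgr1;

-- [as MGR1, in a new session so that the role is enabled]
UPDATE hr.employees SET salary = salary * 1.05 WHERE employee_id = 101;   -- allowed
UPDATE hr.employees SET commission_pct = 0.2  WHERE employee_id = 101;   -- rejected: no UPDATE on that column
ROLLBACK;

-- [as a DBA] column grants are recorded separately from table grants
SELECT grantee, column_name, privilege, grantable
  FROM dba_col_privs
 WHERE owner = 'HR'
   AND table_name = 'EMPLOYEES';

-- [as MGR1] the grantee's own view of the same grant
SELECT grantee, column_name, privilege
  FROM all_col_privs
 WHERE table_schema = 'HR'
   AND table_name   = 'EMPLOYEES';
```

The rejected UPDATE fails with ORA-01031 (insufficient privileges). When auditing who can modify a table, DBA_TAB_PRIVS alone is therefore not enough: a column grant never shows up there, only in DBA_COL_PRIVS.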
Roles
➢ A database role is a database object used to group privileges.
➢ A database role is an easier way to administer granting many privileges to many users.
❑ Example:
✓ 100 tables
✓ Each has four privileges (INSERT, UPDATE, DELETE, and SELECT)
✓ We want to grant these privileges to 100 users
✓ Every user gets read access (one object privilege, SELECT) to our 100 tables
✓ We have an additional privileged group of 50 users who get to manipulate the data (three object privileges: INSERT, UPDATE, and DELETE) in the 100 tables
➢ Without using database roles:
o It requires 10,000 grants, (100 users) × (1 object privilege) × (100 tables), just for read access.
o It requires 15,000 grants, (50 users) × (3 privileges) × (100 tables), for the INSERT, UPDATE, and DELETE privileges.
o We have to issue 25,000 grants to administer the example.
❖ Direct grants can only work for a small number of users and a small number of objects.
➢ Solution: a more efficient way to manage granting privileges to users is by using a database role.
➢ Database roles can be granted many privileges (system or object) and can be hierarchical in nature.
➢ Let's redo our example using database roles:
1. First, we create a role named PROD_READ and grant the 100 SELECT privileges to the role.
2. Second, we create a role named PROD_WRITE and grant INSERT, UPDATE, and DELETE on the 100 tables (300 privileges) to it.
3. We also grant PROD_READ to PROD_WRITE, because every user that can manipulate data can also read the data.
o Setting up the roles this way takes 401 grants (100 + 300 + 1); each user then receives a single grant of PROD_READ or PROD_WRITE.
➢ Furthermore, if an administrator wants to add or remove privileges, we simply perform the grant or revoke against the role.
➢ Every user who has been granted the role gains or loses those privileges; a user who is newly granted the role itself sees it in their sessions from their next connection (see Role and Privilege Immediacy below).
➢ Roles also provide a way to grant only the privileges needed to perform a person's job.
➢ Consequently, roles are a powerful way to provide a least-privilege environment.
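The script below is an added example, not the book's code, that builds the PROD_READ and PROD_WRITE roles of the example for every table owned by an application schema. The schema name PROD and the accounts READER01 and WRITER01 are assumed; it is run as a DBA.

```sql
-- Added example; PROD, READER01 and WRITER01 are assumed names. Run as a DBA.
CREATE ROLE prod_read;
CREATE ROLE prod_write;

BEGIN
  FOR t IN (SELECT owner, table_name
              FROM dba_tables
             WHERE owner = 'PROD'
             ORDER BY table_name)
  LOOP
    -- The identifiers come from the dictionary, but they are still quoted through
    -- DBMS_ASSERT so that an odd table name cannot bend the dynamic SQL.
    EXECUTE IMMEDIATE 'GRANT SELECT ON '
      || DBMS_ASSERT.ENQUOTE_NAME(t.owner, FALSE) || '.'
      || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE)
      || ' TO prod_read';
    EXECUTE IMMEDIATE 'GRANT INSERT, UPDATE, DELETE ON '
      || DBMS_ASSERT.ENQUOTE_NAME(t.owner, FALSE) || '.'
      || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE)
      || ' TO prod_write';
  END LOOP;
END;
/

-- writers can read: one grant instead of repeating the 100 SELECT grants
GRANT prod_read TO prod_write;

-- one grant per user instead of 100 or 400 object grants each
GRANT prod_read  TO reader01;
GRANT prod_write TO writer01;

-- check the result: for 100 tables, 100 rows for PROD_READ and 300 for PROD_WRITE
SELECT grantee AS role, COUNT(*) AS privs
  FROM dba_tab_privs
 WHERE grantee IN ('PROD_READ', 'PROD_WRITE')
 GROUP BY grantee;

-- and the nesting of PROD_READ inside PROD_WRITE
SELECT grantee AS role, granted_role
  FROM dba_role_privs
 WHERE grantee = 'PROD_WRITE';
```

Adding a table to the application later means one GRANT to each role rather than one per user, which is exactly the administrative saving the example counts.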
Role and Privilege Immediacy
➢ Roles are checked and introduced into a database session only at connection time (or when the session explicitly re-reads its roles with SET ROLE).
➢ The same is not true of privileges: a privilege granted to a user, or to a role the session already has enabled, is usable immediately after the GRANT statement is issued, and a REVOKE takes effect just as immediately.
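The following two-session script is an added example, not from the book, showing the difference. PROD_READ and the PROD schema follow the roles example (assumed names), OE is an assumed user, and PROD.ORDERS and PROD.CUSTOMERS are assumed tables.

```sql
-- Added example with two concurrent sessions; all names assumed.

-- [session 1, DBA]
GRANT prod_read TO oe;

-- [session 2, OE, connected BEFORE the grant above]
SELECT role FROM session_roles;           -- PROD_READ is not listed
SELECT COUNT(*) FROM prod.orders;         -- fails: the role is not in this session

-- [session 2, OE] either reconnect, or re-read the granted roles in this session
-- (SET ROLE replaces the session's role set, so ask for ALL rather than one role)
SET ROLE ALL;
SELECT role FROM session_roles;           -- PROD_READ now listed
SELECT COUNT(*) FROM prod.orders;         -- works

-- [session 1, DBA] change the content of the role while OE stays connected
GRANT SELECT ON prod.customers TO prod_read;

-- [session 2, OE] no reconnect needed: the privilege arrived with the GRANT
SELECT COUNT(*) FROM prod.customers;      -- works at once

-- [session 1, DBA]
REVOKE SELECT ON prod.customers FROM prod_read;

-- [session 2, OE] and it is gone just as immediately
SELECT COUNT(*) FROM prod.customers;      -- fails
```

The failing SELECTs raise ORA-00942 (table or view does not exist): Oracle hides the existence of objects the session has no privilege on. The practical consequence for incident response is that revoking a privilege from a role cuts off every connected session at once, but revoking a role from a user leaves the user's existing sessions intact until they disconnect.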
Public and Default Database Roles
➢ The role PUBLIC is created by Oracle Database 12c by default when a database is created.
➢ Oracle also creates (or, in a PDB, clones) several default roles (DBA, RESOURCE, and so on) and grants those roles the corresponding privileges.
➢ PUBLIC is a general-purpose role: any user can grant privileges on their own objects to it, and whatever is granted to PUBLIC is held by every account in the database, present and future, so review DBA_TAB_PRIVS and DBA_SYS_PRIVS with GRANTEE = 'PUBLIC' when auditing.
➢ However, PUBLIC is not presented in the user's session the way other database roles are: it cannot be disabled, and it does not appear in SESSION_ROLES.
Role Hierarchies
➢ Roles can be granted object and system privileges, and they can be granted other roles.
➢ The ability to nest roles adds flexibility in capturing real-world security policies.
➢ Unfortunately, this flexibility can also lead to complexity and confusion when you are trying to unravel which privileges are granted to what or whom.
❖ Recommendation:
➢ Limiting the number of nested roles will reduce the complexity of your privilege structures and make overall security management easier.
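The query below is an added example, not from the book, serving two passages at once: the earlier question of who really holds a system privilege (the DBA_SYS_PRIVS and CDB_SYS_PRIVS queries, whose grantees were mostly roles) and the point just made about unravelling nested roles. It expands every chain of role grants recursively, so an ANY privilege buried two roles deep is attributed to the account that ends up with it. It assumes a 12c data dictionary (DBA_USERS.ORACLE_MAINTAINED) and is run as a DBA in the container of interest.

```sql
-- Added example; run as a DBA in the container of interest (12c dictionary assumed).
WITH role_closure (username, role_name, path) AS (
  -- roles granted straight to an account (or to another role);
  -- CAST widens PATH beyond the anchor's identifier length so the recursion can extend it
  SELECT grantee, granted_role, CAST(granted_role AS VARCHAR2(4000))
    FROM dba_role_privs
  UNION ALL
  -- follow each of those roles to the roles it was granted, recursively
  -- (Oracle refuses circular role grants, so the recursion always terminates)
  SELECT rc.username, rp.granted_role, rc.path || ' > ' || rp.granted_role
    FROM role_closure rc
    JOIN dba_role_privs rp ON rp.grantee = rc.role_name
),
any_privs AS (
  SELECT grantee, privilege, admin_option
    FROM dba_sys_privs
   WHERE privilege LIKE '%ANY%'
),
holders AS (
  -- held directly
  SELECT grantee AS username, privilege, admin_option, 'DIRECT' AS path
    FROM any_privs
  UNION ALL
  -- held through a chain of roles; PATH shows the chain
  SELECT rc.username, ap.privilege, ap.admin_option, rc.path
    FROM role_closure rc
    JOIN any_privs ap ON ap.grantee = rc.role_name
)
SELECT h.username, h.privilege, h.admin_option, h.path
  FROM holders h
  JOIN dba_users u ON u.username = h.username   -- keeps accounts, drops role-to-role rows
 WHERE u.oracle_maintained = 'N'                 -- skip Oracle's own schemas
 ORDER BY h.username, h.privilege, h.path;
```

Swap the LIKE '%ANY%' filter for a single privilege name (for example 'SELECT ANY TABLE') to answer the slide's question exactly. PUBLIC is not a grantee in DBA_ROLE_PRIVS, so anything granted to PUBLIC has to be checked with a separate WHERE grantee = 'PUBLIC' against DBA_SYS_PRIVS; and an ADMIN_OPTION of YES marks accounts that can hand the privilege on.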
Selective Privilege Enablement
➢ An advantage of using roles rather than direct grants is that roles can be selectively enabled or disabled for the user.
➢ In the following example, privileges on SH's SREGIONS table have been granted to HR:
➢ To implement dynamic privilege enablement, we would then create a program similar to the following:
➢ For the user to enable their privileges selectively, the application simply calls the SET_PRIVS procedure while logged in as the appropriate user.
➢ BAD DESIGN!
✓ Alternative Design: assign roles to a user without enabling them by default.
[Figure: the APP_USER role in the Sales PDB is granted to the user but is enabled only when the Application asks for it.]
➢ The following example illustrates this point:
➢ If the user logs in and tries to query the application's tables, the query will fail, because the privileges to do so are not available until the role is enabled.
➢ Enabling the role:
➢ This solution does not appear to be any more secure than the procedure-based method.
➢ The only difference is that the SET ROLE implementation enables the privileges only for the current OE database session, whereas the SET_PRIVS procedure grants them to the OE account and so enables them for all OE database sessions.
➢ In both of the preceding examples, security rests on whether the user knows that a procedure or role exists that has to be executed or enabled; secrecy of a name provides no security.
➢ This approach is not considered a security best practice.
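The script below is an added example, not the book's code, that puts the two designs from the slides side by side and then shows what closes the gap. SH, SREGIONS, OE, SET_PRIVS and APP_USER are names from the slides; the package SH.APP_SEC, its checks and the address 10.0.0.5 are assumed.

```sql
-- Added example; SH.APP_SEC and its policy are assumed, the other names are from the slides.

-------------------------------------------------------------------
-- 1. BAD DESIGN from the slides: a procedure that GRANTs on demand
-------------------------------------------------------------------
-- [as SH] definer's rights, so it grants with SH's authority as table owner
CREATE OR REPLACE PROCEDURE sh.set_privs (p_user IN VARCHAR2) AS
BEGIN
  -- SCHEMA_NAME rejects anything that is not an existing account
  EXECUTE IMMEDIATE 'GRANT SELECT, INSERT, UPDATE ON sh.sregions TO '
                    || DBMS_ASSERT.SCHEMA_NAME(p_user);
END set_privs;
/
GRANT EXECUTE ON sh.set_privs TO oe;

-- [as OE] the grant is permanent and applies to every OE session, now and later
BEGIN sh.set_privs('OE'); END;
/

-------------------------------------------------------------------
-- 2. Alternative from the slides: a role that is granted but not default
-------------------------------------------------------------------
-- [as a DBA]
CREATE ROLE app_user;
GRANT SELECT, INSERT, UPDATE ON sh.sregions TO app_user;
GRANT app_user TO oe;
ALTER USER oe DEFAULT ROLE ALL EXCEPT app_user;   -- not enabled at login

-- [as OE, new session]
SELECT role FROM session_roles;        -- APP_USER absent
SELECT COUNT(*) FROM sh.sregions;      -- fails: the table is not visible yet
SET ROLE app_user;                     -- anyone who knows the role name can do this
SELECT COUNT(*) FROM sh.sregions;      -- works, in this session only

-------------------------------------------------------------------
-- 3. Closing the gap: a secure application role, enabled only from
--    code the user cannot change (Oracle's IDENTIFIED USING mechanism)
-------------------------------------------------------------------
-- [as a DBA]
ALTER ROLE app_user IDENTIFIED USING sh.app_sec;

-- [as SH] the package must be invoker's rights
CREATE OR REPLACE PACKAGE sh.app_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_app_user;
END app_sec;
/
CREATE OR REPLACE PACKAGE BODY sh.app_sec AS
  PROCEDURE enable_app_user IS
  BEGIN
    -- Assumed policy: only connections from the sales application server qualify.
    -- Whatever the checks are, they run in code the caller cannot alter.
    IF SYS_CONTEXT('USERENV', 'MODULE')     = 'SALESAPP'
       AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '10.0.0.5' THEN
      DBMS_SESSION.SET_ROLE('APP_USER');
    ELSE
      RAISE_APPLICATION_ERROR(-20001, 'APP_USER is only available to the sales application');
    END IF;
  END enable_app_user;
END app_sec;
/
GRANT EXECUTE ON sh.app_sec TO oe;

-- [as OE, new session]
SET ROLE app_user;                         -- now rejected: the role is tied to the package
BEGIN sh.app_sec.enable_app_user; END;     -- succeeds only when the checks pass
/
```

The difference from designs 1 and 2 is that knowing the name of the role or procedure no longer helps: the role can be enabled only from inside SH.APP_SEC, and the conditions live in SH's code rather than in the user's hands. MODULE is set by the client (DBMS_APPLICATION_INFO), so on its own it is a weak check; pair it with something the client cannot forge, such as the connecting address, a proxy-authenticated application account, or a client certificate.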