4.1.2 Security Best Practices for Oracle Machine Learning for R

To minimize the risk of compromising the security of an Oracle Machine Learning for R Server in Oracle AI Database, Oracle recommends the following security best practices.

Oracle Machine Learning for R Server components in an Oracle AI Database instance include the locked and password-expired RQSYS schema, which contains and manages Oracle Machine Learning for R metadata. Users connect to Oracle Machine Learning for R Server through their database connection credentials. The RQADMIN role grants a user the privilege of creating R functions as scripts in the Oracle Machine Learning for R R script repository; those scripts can be run using Oracle Machine Learning for R embedded R execution.

Oracle recommends the following security best practices.

  • Do not unlock the RQSYS schema or enable its login.

  • Grant the RQADMIN role only to database users who are responsible for creating and managing the R script repository.

  • Create private R scripts and grant access to other users as needed. Global R scripts are visible to and can be run by any Oracle Machine Learning for R user.

  • Use parameters or the Oracle Machine Learning for R datastore to transfer data between embedded R execution scripts and Oracle AI Database. R scripts should not interact with the server file system or the network.

  • Set the Oracle Machine Learning for R embedded R execution memory limit properly based upon the Oracle AI Database server resources and usage patterns. The default value is 2 GB per connection.

  • Use the auto-connect feature (connect=TRUE) instead of providing explicit database credentials when connecting back to the Oracle AI Database server in an R script that uses embedded R execution.

  • Do not allow unauthorized R packages or C libraries to be loaded on the Oracle AI Database server for use in embedded R execution.

  • Load dependent shared libraries from the $ORACLE_HOME/lib directory to prevent the use of unauthorized libraries.
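
The script-level recommendations above (no file system or network access, no explicit credentials, no unauthorized packages or native libraries) can be checked before a script is added to the repository. The following is an added example, not Oracle code: a heuristic Python reviewer for R script text, in which the package allowlist, the rule set and the sample script are assumptions constructed for illustration.

```python
import re

# Assumption: packages approved for the database server (constructed allowlist).
APPROVED_PACKAGES = {"stats", "ORE"}

NAME = r"(?<![\w.])"  # a call name must not be the tail of a longer identifier
RULES = {
    "filesystem": NAME + r"(file|read\.csv|read\.table|write\.csv|write\.table|"
                         r"readRDS|saveRDS|readLines|writeLines|unlink|setwd)\s*\(",
    "network": NAME + r"(download\.file|url|socketConnection)\s*\(",
    "os-command": NAME + r"(system2?|shell)\s*\(",
    "native-library": NAME + r"(dyn\.load|library\.dynam)\s*\(",
    # ore.connect() called with a password instead of relying on auto-connect
    "explicit-credentials": NAME + r"(ore\.connect)\s*\([^)]*\bpassword\s*=",
}
PACKAGE_RE = re.compile(NAME + r"(?:library|require|requireNamespace|loadNamespace)"
                        r"\s*\(\s*[\"']?([\w.]+)")

def review_r_script(source, approved=APPROVED_PACKAGES):
    """Return sorted (line, category, name) findings for one R script body."""
    # Naive comment stripping: a '#' inside a string literal is also cut.
    text = "\n".join(line.split("#", 1)[0] for line in source.splitlines())
    line_of = lambda m: text.count("\n", 0, m.start()) + 1
    findings = [(line_of(m), cat, m.group(1))
                for cat, pat in RULES.items() for m in re.finditer(pat, text)]
    findings += [(line_of(m), "unapproved-package", m.group(1))
                 for m in PACKAGE_RE.finditer(text) if m.group(1) not in approved]
    return sorted(findings)

# Constructed sample script, not taken from Oracle documentation.
SAMPLE = '''function(dat) {
  library(stats)
  library(RCurl)                      # not on the allowlist
  ore.connect(user = "APPUSER", password = "example-only", host = "dbhost", sid = "orcl")
  ref <- read.csv("/tmp/ref.csv")     # reads from the server file system
  download.file("https://example.com/m.rds", "m.rds")
  lm(y ~ x, data = dat)
}
'''

if __name__ == "__main__":
    for line, category, name in review_r_script(SAMPLE):
        print(f"line {line}: {category}: {name}")
```

Pattern matching of this kind misses indirect calls such as `do.call` or `get`, so it supports a manual review of each script rather than replacing it.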