Index

Symbols Numerics A B C D E F G H I J K L M N O P Q R S T U V W X

Symbols

"all permissions" A.3

Numerics

12C password hash version
- about 3.2.8.1
12C password version
- recommended by Oracle 3.2.8.1

A

about 6.1.1, 9.8.1, B.1.2, B.1.3
about connection 6.2.1
ACCEPT_MD5_CERTS sqlnet.ora parameter B.4.12
ACCEPT_SHA1_CERTS sqlnet.ora parameter B.4.12
access configuration, DBCA 6.2.2.7.3
access configuration, silent mode 6.2.2.7.4
access configuration, system parameters 6.2.2.7.2
access control
- encryption, about manual 18.1
- encryption, problems not solved by 18.2.1
- enforcing A.11.1
- object privileges 4.14.1
- password encryption 3.2.1
access control list (ACL) 10.5.1
- examples
  - external network connection for email alert 31.4.1
  - external network connections 10.7
  - wallet access 10.7
- external network services
  - about 10.2
  - advantages 10.1
  - affect of upgrade from earlier release 10.4
  - email alert for audit violation tutorial 31.4.1
  - finding information about 10.13
  - network hosts, using wildcards to specify 10.8
  - ORA-06512 error 10.12
  - ORA-24247 error 10.12
  - ORA-24247 errors 10.4
  - order of precedence, hosts 10.9
  - port ranges 10.10
  - privilege assignments, about 10.11.1
  - privilege assignments, database administrators checking 10.11.2
  - privilege assignments, users checking 10.11.4
  - revoking privileges 10.5.4
- wallet access
  - about 10.3
  - advantages 10.3
  - client certificate credentials, using 10.6.1
  - finding information about 10.13
  - non-shared wallets 10.6.1
  - password credentials 10.6.1
  - password credentials, using 10.6.1
  - revoking 10.6.5
  - revoking access 10.6.5
  - shared database session 10.6.1
  - wallets without sensitive information 10.6.1
  - wallets with sensitive information 10.6.1
accounting, RADIUS 26.5.4
account locking
- example 3.2.4.8
- explicit 3.2.4.9
- PASSWORD_LOCK_TIME profile parameter 3.2.4.7
- password management 3.2.4.7
activating checksumming and encryption 20.6.1
adapters 22.5
ADG_ACCOUNT_INFO_TRACKING initialization parameter
- guideline for securing A.11.1
ad hoc tools
- database access, security problems of 4.11.7.1
ADM_PARALLEL_EXECUTE_TASK role
- about 4.11.2
ADMINISTER FINE GRAINED AUDIT POLICY system privilege 4.8.1
ADMINISTER REDACTION POLICY system privilege 4.8.1
ADMINISTER ROW LEVEL SECURITY POLICY system privilege 4.8.1
administrative accounts
- about 2.6.2
- predefined, listed 2.6.2
administrative privileges
- about 4.5.1
- granting to users 4.5.2
- SYSBACKUP privilege 4.5.5
- SYSDBA privilege 4.5.3
- SYSDG privilege 4.5.6
- SYSKM privilege 4.5.7
- SYSOPER privilege 4.5.3
- SYSRAC privilege 4.5.8
administrative user passwords
- default, importance of changing A.4
administrative users
- auditing 30.4.3.1
- last successful login time 3.2.10.4
- locked or expired accounts 3.2.10.2
- mandatorily audited 29.3
- password complexity verification functions 3.2.10.8
- password files, managing 3.2.10.5
- password files, multitenant environment 3.2.10.7
- password management 3.2.10.1
- password profile limits 3.2.10.3
administrator privileges
- access A.11.2
- operating system authentication 3.3.3
- passwords 3.3.4, A.4
- SYSDBA and SYSOPER access, centrally controlling 3.3.2.1
- write, on listener.ora file A.11.2
ADMIN OPTION
- about 4.20.1.4
- revoking privileges 4.21.1
- revoking roles 4.21.1
- roles 4.11.5.2
- system privileges 4.6.2
Advanced Encryption Standard (AES)
- about 20.1.2
Advanced Networking Option (ANO) (Oracle native encryption) 20.6.3.3.1
AES256 algorithm
- converting to in Oracle wallets B.3.8
alerts, used in fine-grained audit policy 31.4.1
algorithms
- weaker keys C.6
ALTER ANY LIBRARY statement
- security guidelines A.3
ALTER DATABASE DICTIONARY DELETE CREDENTIALS statement 12.6.2
ALTER DATABASE DICTIONARY ENCRYPT CREDENTIALS statement 12.6.2
ALTER DATABASE DICTIONARY REKEY CREDENTIALS statement 12.6.2
altering users 2.3.1
ALTER PROCEDURE statement
- used for compiling procedures 4.18.4
ALTER PROFILE statement
- altering profile limits with 3.2.4.4
- password management 3.2.4.1
ALTER RESOURCE COST statement 2.4.4.6, 2.4.4.7
ALTER ROLE statement
- changing authorization method 4.11.3.5
ALTER SESSION statement
- schema, setting current 12.11.1
ALTER USER privilege 2.3.1
ALTER USER statement
- changing SYS password with 2.3.4.1
- default roles 4.24.3
- explicit account unlocking 3.2.4.9
- profiles, changing 3.2.4.14
- REVOKE CONNECT THROUGH clause 3.10.1.6
ANO encryption
- configuring with SSL authentication 20.6.3.3.2
ANONYMOUS user account 2.6.2
ANSI operations
- Oracle Virtual Private Database affect on 14.5.3
ANY system privilege
- guidelines for security A.7
application common users
- about 2.2.1.1
application containers
- application contexts 13.1.6
- Virtual Private Database policies 14.1.6
application contexts 13.4.1
- See also: client session-based application contexts, database session-based application contexts, global application contexts
- about 13.1.1
- application containers 13.1.6
- as secure data cache 13.1.4
- benefits of using 13.1.4
- bind variables 14.1.5
- components 13.1.2
- creating session based 13.3.3.2
- DBMS_SESSION.SET_CONTEXT procedure 13.3.4.7
- driving context 13.6
- editions, affect on 13.1.5
- finding errors by checking trace files 13.6
- finding information about 13.6
- global application contexts
  - authenticating user for multiple applications 13.4.6.6
  - creating 13.4.5.2
- logon trigger, creating 13.3.5
- Oracle Virtual Private Database, used with 14.1.5
- performance 14.4.2.9
- policy groups, used in 14.3.7.1
- returning predicate 14.1.5
- session information, retrieving 13.3.4.2
- support for database links 13.3.10.1
- types 13.2
- users, nondatabase connections 13.4.2, 13.4.6.7
- where values are stored 13.1.3
application developers
- CONNECT role change A.14.3.2
- managing privileges for 12.3
applications
- about security policies for 12.1
- database users 12.2.1
- DB_DEVELOPER_ROLE role 12.3
- enhancing security with 4.11.1.3
- object privileges 12.12.1
- object privileges permitting SQL statements 12.12.2
- One Big Application User authentication
  - security considerations 12.2.2
  - security risks of 12.2.1
- Oracle Virtual Private Database, how it works with 14.5.4
- password handling, guidelines 12.4.1.2
- password protection strategies 12.4
- privileges, managing 12.7
- roles
  - multiple 4.11.1.5
  - privileges, associating with database roles 12.10
- security 4.11.7, 12.2.2
- security considerations for use 12.2
- security limitations 14.5.4
- security policies 14.3.7.3
- validating with security policies 14.3.7.5
application security
- finding privilege use by users 5.1.2.1
- restricting wallet access to current application 10.6.1
- revoking access control privileges from Oracle wallets 10.6.5
- sharing wallet with other applications 10.6.1
- specifying attributes 13.3.3.3
application users who are database users
- Oracle Virtual Private Database, how it works with 14.5.10
APPQOSSYS user account 2.6.2
architecture 6.1.3
archiving
- operating system audit files 32.2.1
- standard audit trail 32.2.2
- timestamping audit trail 32.3.3.3
ASMSNMP user account 2.6.2
asymmetric key operations 18.5
asynchronous authentication mode in RADIUS 26.3.2
attacks
- See: security attacks
AUDIT_ADMIN role 4.11.2
AUDIT_VIEWER role 4.11.2
audit files
- operating system audit trail
  - archiving, setting timestamp 32.3.3.3
- operating system file
  - archiving 32.2.1
- standard audit trail
  - archiving, setting timestamp 32.3.3.3
  - records, archiving 32.2.2
auditing 29.5
- See also: unified audit policies
- administrators, Database Vault 30.8.2.2
- audit configurations 29.6, 30.6.2.2
- audit options 29.5
- audit policies 29.6, 30.6.2.2
- audit trail, sensitive data in A.13
- CDBs 28.7
- committed data A.13.2
- common objects 29.6, 30.6.2.2
- cursors, affect on auditing 32.1.9
- databases, when unavailable 32.1.6
- database user names 3.7.1.2
- Database Vault administrators 30.8.2.2
- disk space size for unified audit records 32.1.2
- distributed databases and 28.8
- DV_ADMIN role user 30.8.2.2
- DV_OWNER role user 30.8.2.2
- finding information about audit management 32.4
- finding information about fine-grained auditing 31.5
- finding information about usage 29.7
- finding information about usage in custom audit policies 30.11
- fine-grained
  - See fine-grained auditing 31.1.1
- functions 30.4.4.13
- functions, Oracle Virtual Private Database 30.4.4.15
- general steps
  - commonly used security-relevant activities 29.5.1
  - specific fine-grained activities 29.5.3
  - SQL statements and other general activities 29.5.2
- general steps for 29.5
- guidelines for security A.13
- historical information A.13.2
- INHERIT PRIVILEGE privilege 9.5.8
- keeping information manageable A.13.1
- loading audit records to unified audit trail 32.1.6
- mandatory auditing 29.3
- multitier environments
  - See standard auditing 30.6.1
- One Big Application User authentication, compromised by 12.2.1
- operating-system user names 3.7.1.2
- Oracle Virtual Private Database policy functions 30.4.4.15
- packages 30.4.4.13
- performance 28.3
- PL/SQL packages 30.4.4.13
- predefined policies
  - general steps for using 29.5.1
- privileges required 28.5
- procedures 30.4.4.13
- purging records
  - example 32.3.6
  - general steps for on-demand 32.3.2.2
  - general steps for scheduled purges 32.3.2.1
- range of focus 29.5
- READ object privileges in policies 30.4.5.2
- READ privileges
  - about 30.4.5.1
  - how recorded in audit trail 30.4.5.3
- recommended settings A.13.5
- Sarbanes-Oxley Act
  - auditing, meeting compliance through 28.1
- SELECT privileges
  - about 30.4.5.1
  - how recorded in audit trail 30.4.5.3
- sensitive data A.13.4
- suspicious activity A.13.3
- triggers 30.4.4.13
- unified audit trail
  - about 28.4
- VPD predicates
  - fine-grained audit policies 31.1.4
  - unified audit policies 30.4.4.14
- when audit options take effect 32.1.1
- when records are created 32.1.1
auditing, purging records
- about 32.3.1
- cancelling archive timestamp 32.3.5.4
- creating audit trail
  - purge job 32.3.3.1
- creating the purge job 32.3.3.4
- DBMS_SCHEDULER package 32.3.3.1
- deleting a purge job 32.3.5.3
- disabling purge jobs 32.3.5.1
- enabling purge jobs 32.3.5.1
- general steps for 32.3.2
- purging audit trail manually 32.3.4.1
- roadmap 32.3.2
- scheduling the purge job 32.3.3.4
- setting archive timestamp 32.3.3.3
- time interval for named purge job 32.3.5.2
audit policies 28.1
- See also: unified audit policies
- about 29.2
- about predefined 29.4.1
- what to audit 29.1
audit policies, application contexts
- about 30.7.1
- appearance in audit trail 30.7.6
- configuring 30.7.2
- disabling 30.7.3
- examples 30.7.4
audit records
- when written to OS files 32.1.5
audit trail
- archiving 32.2.2
- capturing syslog records 32.1.4.2
- capturing Windows Event Viewer records 32.1.4.2
- finding information about audit management 32.4
- finding information about fine-grained audit usage 31.5
- finding information about usage 29.7
- finding information about usage in custom audit policies 30.11
- SYSLOG records 32.1.4.1
- unified
  - archiving 32.2.2
AUDSYS user account 2.6.2
AUTHENTICATEDUSER role 4.11.2
authentication 3.2.1, 22.5
- See also: passwords, proxy authentication
- about 3.1
- administrators
  - operating system 3.3.3
  - passwords 3.3.4
  - SYSDBA and SYSOPER access, centrally controlling 3.3.2.1
- by database 3.4
- client A.11.1
- client-to-middle tier process 3.10.1.8
- configuring multiple methods 27.3
- database administrators 3.3.1
- databases, using
  - about 3.4.1
  - advantages 3.4.2
  - procedure 3.4.3
- Enterprise User Security 3.7.2.5
- extenral with local database authorization 3.7.1.1, 3.7.2.1, 3.7.2.2, 3.7.2.3, 3.7.2.4
- methods 22.4
- middle-tier authentication
  - proxies, example 3.10.1.10
- modes in RADIUS 26.3
- multitier 3.8
- One Big Application User, compromised by 12.2.1
- operating system authentication 3.6.1
  - about 3.7.1.2
  - advantages 3.7.1.2
  - disadvantages 3.7.1.2
- operating system user in PDBs 3.6.1
- ORA-28040 errors 3.2.8.3
- PDBs 3.6.1
- proxy user authentication
  - about 3.10.1.1
  - expired passwords 3.10.1.6
- public key infrastructure 3.7.1.4
- RADIUS 3.7.1.5
- remote A.11.1
- schema-only accounts 3.5
  - about 3.5.1
  - altering 3.5.3
  - creating users 3.5.2
- schema-only accounts, users created with 3.5.1
- security guideline A.5
- specifying when creating a user 2.2.5
- strong A.4
- SYSDBA on Windows systems 3.3.3
- Windows native authentication 3.3.3
authentication types 6.1.4
AUTHID DEFINER clause
- used with Oracle Virtual Private Database functions 14.1.4
authorization
- about 4
- changing for roles 4.11.3.5
- local database for external authentication 3.7.1.1, 3.7.2.1, 3.7.2.2, 3.7.2.3, 3.7.2.4
- multitier 3.8
- omitting for roles 4.11.3.1
- operating system 4.11.4.4
- roles, about 4.11.4
automatic reparse
- Oracle Virtual Private Database, how it works with 14.5.5
AVTUNE_PKG_ROLE role 4.11.2

B

banners
- auditing user actions, configuring 12.13.5
- unauthorized access, configuring 12.13.5
BDSQL_ADMIN role 4.11.2
BDSQL_USER role 4.11.2
BFILEs
- guidelines for security A.7
bind variables
- application contexts, used with 14.1.5
- sensitive columns 15.10.2.1
BLOBS
- encrypting 18.3.6

C

CAPTURE_ADMIN role 4.11.2
cascading revokes 4.21.3
catpvf.sql script (password complexity functions) 3.2.6.2
CDB_DBA role 4.11.2
CDB common users
- about 2.2.1.1
- plug-in operations 2.2.1.2
CDBs
- auditing
  - how affects 28.7
- CBAC role grants with DELEGATE option 9.7.5
- common mandatory profiles for CDB root, about 2.4.5.1
- common mandatory profiles for CDB root, creating 2.4.5.2
- common mandatory profiles for CDB root, example 2.4.5.3
- common privilege grants 4.2.6, 4.2.10, 4.10.1
- common roles 4.12.2
- common users 4.2.6, 4.2.10
- granting common roles and privileges 4.2.7
- granting privileges and roles 4.2.4, 4.10.4
- local privilege grants 4.10.1
- local roles 4.2.3, 4.12.9
- object privileges 4.10.3
- PDB lockdown profiles 4.13.1, 4.13.2, 4.13.5
- PDB lockdown profiles, features that benefit from 4.13.4
- principles of grants 4.2.2
- privilege management 4.10
- privilege profiles 5.1.5
- revoking privileges 4.10.4
- roles
  - altering 4.11.3.5
  - creating common 4.12.7
  - creating local 4.12.10
  - granting common 4.2.6, 4.2.10, 4.12.11
  - how common roles work 4.12.3
  - managing 4.12
  - privileges required to manage 4.12.5
  - rules for creating common 4.12.6
- security isolation guideline A.10
- SYSLOG capture of unified audit records 32.1.4.2
- system privileges 4.10.2
- transparent sensitive data protection 15.5
- user accounts
  - creating 2.2.10
  - local 2.2.1.3
- user privileges, how affects 4.4
- users
  - CDB common 2.2.1.1
  - common 2.2.1.1
- viewing information about 4.10.6.1
- Virtual Private Database
  - policies 14.1.6
Center for Internet Security (CIS) 29.4.5
- ORA_CIS_PROFILE user profile 2.4.4.2
- ORA_LOGIN_LOGOUT predefined unified audit policy 29.4.6.3
centrally managed users
- Oracle Autonomous Database 6.6
certificate authority (CA) B.1.3
certificate key algorithm
- Transport Layer Security A.11.3
certificate revocation list (CRL)
- deleting B.6.3
- displaying B.6.4
- displaying list of B.6.6
- hash value generation B.6.5
- uploading B.6.7
certificate revocation lists
- manipulating with orapki tool 21.3.8.5.1
- uploading to LDAP directory 21.3.8.5.1
- where to store them 21.3.8.3
certificate revocation status checking
- disabling on server 21.3.8.4.2, 21.3.8.4.3
certificates 6.2.2.5, B.1.2
- adding to wallet using orapki B.4.13.1
- creating SHA-2 with orapki B.4.4
- creating signed with orapki B.4.3
- general process of management B.1.5
- Oracle Real Application Clusters components that need certificates 21.4.1.3.1
- tools to manage B.1.4
certificate store location
- system wallet B.4.1
certificate validation error message
- CRL could not be found 21.3.8.7
- CRL date verification failed with RSA status 21.3.8.7
- CRL signature verification failed with RSA status 21.3.8.7
- Fetch CRL from CRL DP
  - No CRLs found 21.3.8.7
- OID hostname or port number not set 21.3.8.7
challenge-response authentication in RADIUS 26.3.2
change_on_install default password A.4
character sets
- role names, multibyte characters in 4.11.3.1
- role passwords, multibyte characters in 4.11.4.1
Cipher Block Chaining (CBC) mode, defined 20.1.2
cipher suites
- Transport Layer Security A.11.3
ciphertext data
- defined 20.1.1
CLIENT_IDENTIFIER USERENV attribute 3.10.2.4
- See also: USERENV namespace
- setting and clearing with DBMS_SESSION package 3.10.2.6
- setting with OCI user session handle attribute 3.10.2.5
client connections
- guidelines for security A.11.1
- secure external password store 3.2.9.3
- securing A.11.1
CLIENTID_OVERWRITE event 3.10.2.6
client identifier
- setting for applications that use JDBC 3.10.2.5
client identifiers 13.4.2
- See also: nondatabase users
- about 3.10.2.1
- auditing users 30.6.1
- consistency between DBMS_SESSION.SET_IDENTIFIER and DBMS_APPLICATION_INFO.SET_CLIENT_INFO 3.10.2.6
- global application context, independent of 3.10.2.4
- setting with DBMS_SESSION.SET_IDENTIFIER procedure 13.4.3
client session-based application contexts 13.5.1
- See also: application contexts
- about 13.5.1
- CLIENTCONTEXT namespace, clearing value from 13.5.5
- CLIENTCONTEXT namespace, setting value in 13.5.2
- retrieving CLIENTCONTEXT namespace 13.5.3
CMU_WALLET database property
- about 6.2.2.4.2
- wallet creation 6.2.2.6
code based access control (CBAC)
- about 9.7.1
- granting and revoking roles to program unit 9.7.6
- how works with definers rights 9.7.4
- how works with invoker’s rights 9.7.3
- privileges 9.7.2
- tutorial 9.7.7
column masking behavior 14.3.6.4
- column specification 14.3.6.5
- restrictions 14.3.6.5
columns
- auditing 30.4.4.2, 30.4.4.9
- granting privileges for selected 4.20.2.4
- granting privileges on 4.20.2.4
- INSERT privilege and 4.20.2.4
- listing users granted to 4.26.5
- privileges 4.20.2.4
- pseudo columns
  - USER 4.17.3
- revoking privileges on 4.21.2.4
command line recall attacks 12.4.1.1, 12.4.1.4
committed data
- auditing A.13.2
common privilege grants 4.2.6, 4.2.10
- about 4.10.1
- granting 4.10.4
- revoking 4.10.4
- with object privileges 4.10.3
- with system privileges 4.10.2
common roles 4.12.2
- about 4.12.1
- auditing 30.4.1.1
- creating 4.12.7
- granting 4.2.6, 4.2.10, 4.12.11
- how they work 4.12.3
- privileges required to manage 4.12.5
- rules for creating 4.12.6
common user accounts
- creating 2.2.10.1
- enabling access to other PDBs 4.10.6
- granting privileges to 4.2.6, 4.2.10, 4.10
common users
- accessing data in PDBs 4.10.6.2
- altering 2.3.2
configuration
- guidelines for security A.9
configuration files
- Kerberos 24.1.5
- listener.ora A.11.2
- RADIUS 26.4.1
- sample listener.ora file A.11.2
- server.key encryption file A.11.3
- tsnames.ora A.11.3
- typical directory A.11.3
configuring
- Kerberos authentication service parameters 24.2.6.1
- RADIUS authentication 26.5.1
connecting
- with username and password 27.1
connection pooling
- about 3.8
- finding unnecessarily granted privileges 5.1.2.1
- global application contexts 13.4.2
- nondatabase users 13.4.6.7
- proxy authentication 3.10.1.8
CONNECT role
- about A.14
- applications
  - account provisioning A.14.2.2
  - affects of A.14.2
  - database upgrades A.14.2.1
  - installation of A.14.2.3
- script to create 4.11.2
- users
  - application developers, impact A.14.3.2
  - client-server applications, impact A.14.3.3
  - general users, impact A.14.3.1
  - how affects A.14.3
- why changed A.14.1
CONTAINER_DATA objects
- viewing information about 4.10.6
container database (CDB)
- See: CDBs
container data objects
- about 4.10.6.1
context profiles
- privilege analysis 5.1.4
controlled step-in procedures 9.3
CPU time limit 2.4.2.3
CREATE ANY LIBRARY statement
- security guidelines A.3
CREATE ANY PROCEDURE system privilege 4.18.3
CREATE CONTEXT statement
- example 13.3.3.1
CREATE LOCKDOWN PROFILE statement 4.13.2, 4.13.7
CREATE PROCEDURE system privilege 4.18.3
CREATE PROFILE statement
- password aging and expiration 3.2.4.11
- password management 3.2.4.1
- passwords, example 3.2.4.14
CREATE ROLE statement 4.12.2
- IDENTIFIED EXTERNALLY option 4.11.4.3
CREATE SCHEMA statement
- securing 12.11.1
CREATE SESSION statement
- CONNECT role privilege A.6
- securing 12.11.1
CREATE USER statement
- explicit account locking 3.2.4.9
- IDENTIFIED BY option 2.2.5
- IDENTIFIED EXTERNALLY option 2.2.5
creating Oracle service directory user account 6.2.2.1
credentials
- SQL*Loader object store 3.2.9.7
CRLAdmins directory administrative group B.6.7
CRLs
- disabling on server 21.3.8.4.2, 21.3.8.4.3
- where to store them 21.3.8.3
cryptographic libraries
- FIPS 140-2 C.1
CTXAPP role 4.11.2
CTXSYS user account 2.6.2
cursors
- affect on auditing 32.1.9
- reparsing, for application contexts 13.3.5
- shared, used with Virtual Private Database 14.1.5

D

database administrators (DBAs)
- access, controlling 18.2.2
- authentication 3.3.1
- malicious, encryption not solved by 18.2.2
Database Configuration Assistant (DBCA)
- default passwords, changing A.4
- user accounts, automatically locking and expiring A.3
database links 6.1.7
- application contexts 13.3.4.6
- application context support 13.3.10.1
- authenticating with Kerberos 3.7.1.3
- definer’s rights procedures 9.8.1
- object privileges 4.14.1
- operating system accounts, care needed 3.7.1.2
- Oracle DBaaS-to-IAM connections 7.7
- RADIUS not supported 26.1
- sensitive credential data
  - about 16.1
  - data dictionary views 16.7
  - deleting 16.5
  - encrypting 16.3
  - multitenant environment 16.2
  - rekeying 16.4
  - restoring functioning of after lost keystore 16.6
- session-based application contexts, accessing 13.3.4.6
databases
- access control
  - password encryption 3.2.1
- additional security products 1.2
- authentication 3.4
- database user and application user 12.2.1
- default password security settings 3.2.4.5
  - DBCA-created databases 3.2.4.5
  - manually-created databases 3.2.4.5
- default security features, summary 1.1
- granting privileges 4.20
- granting roles 4.20
- limitations on usage 2.4.1
- schema-only accounts 3.5
- security and schemas 12.11
- security embedded, advantages of 12.2.2
- security policies based on 14.1.2.1
database session-based application contexts 13.3.1
- See also: application contexts
- about 13.3.1
- cleaning up after user exits 13.3.1
- components 13.3.2
- database links 13.3.4.6
- dynamic SQL 13.3.4.4
- externalized, using 13.3.12
- how to use 13.3
- initializing externally 13.3.10.1
- initializing globally 13.3.11.1
- ownership 13.3.3.1
- parallel queries 13.3.4.5
- PL/SQL package creation 13.3.4
- session information, setting 13.3.4.7
- SYS_CONTEXT function 13.3.4.2
- trusted procedure 13.1.2
- tutorial 13.3.9
database upgrades and CONNECT role A.14.2.1
data definition language (DDL)
- roles and privileges 4.11.1.9
data dictionary
- about 16.1
- data dictionary views 16.7
- deleting 16.5
- encrypting sensitive information in 16.1, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7
- multitenant environment 16.2
- procedure 16.3
- protecting A.7
- rekeying 16.4
- restoring lost keystore 16.6
data encryption and integrity parameters
- about 20.3.1
data files A.7
- guidelines for security A.7
data manipulation language (DML)
- privileges controlling 4.16.1
DATAPUMP_EXP_FULL_DATABASE role 4.11.2
DATAPUMP_IMP_FULL_DATABASE role 4.11.2
data security
- encryption, problems not solved by 18.2.3
DB_DEVELOPER_ROLE role
- about 4.11.2, 12.3
DBA_CONTAINER_DATA data dictionary view 4.10.6.1
DBA_ROLE_PRIVS view
- application privileges, finding 12.8
DBA_ROLES data dictionary view
- PUBLIC role 4.6.5
DBA role
- about 4.11.2
DBFS_ROLE role 4.11.2
DBJAVASCRIPT role 4.11.2
DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure 12.5.4
DBMS_CREDENTIAL package 3.6.2, 4.13.3
DBMS_CRYPTO
- FIPS-supported cipher suites C.2.7
DBMS_CRYPTO package
- asymmetric key operations 18.5
- data encryption storage 18.4
- examples 18.6.1
- supported cryptographic algorithms 18.4
DBMS_CRYPTO PL/SQL package
- enabling for FIPS 140-2 C.3.2
DBMS_FGA package
- about 31.2.1
- DISABLE_POLICY procedure 31.3.2
- DROP_POLICY procedure 31.3.3
- editions 31.1.6
- ENABLE_POLICY procedure 31.3.1
DBMS_MDX_INTERNAL role 4.11.2
DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE procedure 10.5.4
DBMS_PRIVILEGE_CAPTURE PL/SQL package 5.2.1
DBMS_RLS.ADD_POLICY
- sec_relevant_cols_opt parameter 14.3.6.5
- sec_relevant_cols parameter 14.3.6.1
DBMS_RLS.ADD_POLICY procedure
- transparent sensitive data protection polices 15.12.2
DBMS_SESSION.SET_CONTEXT procedure
- about 13.3.4.7
- syntax 13.3.4.7
- username and client_id settings 13.4.6.3
DBMS_SESSION.SET_IDENTIFIER procedure
- client session ID, setting 13.4.3
- DBMS_APPLICATION.SET_CLIENT_INFO value, overwritten by 3.10.2.6
DBMS_SESSION package
- client identifiers, using 3.10.2.6
- global application context, used in 13.4.6.1
- SET_CONTEXT procedure
  - about 13.3.4.7
DbNest
- about 17.1
- architecture 17.2.4
- configuration file 17.2.5.2
- enabling 17.3
- file system isolation for nest 17.4
- how Oracle Database manages nest 17.2.6
- initialization parameters 17.2.5.1
- Linux namespaces 17.2.2
- properties of 17.2.3
- purpose of 17.2.1
DBNEST_ENABLE initialization parameter 17.2.5.1
DBNEST_PDB_FS_CONF initialization parameter 17.2.5.1
DBSFWUSER user account 2.6.2
DBSNMP user account
- about 2.6.2
- password usage A.4
DDL
- See: data definition language
debugging
- Java stored procedures 10.12
- PL/SQL stored procedures 10.12
decryption
- number strings using DBMS_CRYPTO 18.6.4
default command rules
- ORA_DV_DEFAULT_PROTECTION predefined audit policy for 29.4.10
default passwords A.4
- change_on_install or manager passwords A.4
- changing, importance of 3.2.4.2
- finding 3.2.4.2
default permissions A.7
default profiles
- about 3.2.4.3
default realms
- ORA_DV_DEFAULT_PROTECTION predefined audit policy for 29.4.10
default roles
- setting for user 2.2.11
- specifying 4.24.3
defaults
- tablespace quota 2.2.7.1
- user tablespaces 2.2.6.1
default users
- accounts A.3
- Enterprise Manager accounts A.3
- passwords A.4
definers’s rights, database links
- about 9.8.1
- ORA-25433 error 9.8.1
definer’s rights
- about 9.2
- code based access control
  - about 9.7.1
  - granting and revoking roles to program unit 9.7.6
  - how code based access control works 9.7.4
- compared with invoker’s rights 9.1
- example of when to use 9.2
- procedure privileges, used with 9.2
- procedure security 9.2
- schema privileges for 9.2
- secure application roles 12.9.2.1
- used with Oracle Virtual Private Database functions 14.1.4
- views 9.6.1
definer’s rights, database links
- grants of INHERIT ANY REMOTE PRIVILEGES 9.8.4
- grants of INHERIT ANY REMOTE PRIVILEGES on connected user to current user, example 9.8.3
- grants of INHERIT REMOTE PRIVILEGES to other users 9.8.2
- revokes of INHERIT [ANY] REMOTE PRIVILEGES 9.8.5
- revoking INHERIT REMOTE PRIVILEGES from PUBLIC, example 9.8.7
- revoking INHERIT REMOTE PRIVILEGES on connecting user from procedure owner, example 9.8.6
- tutorial 9.8.8.1
denial of service (DoS) attacks
- about
denial-of-service (DoS) attacks
- bad packets, preventing 12.13.1
- networks, securing A.11.2
- password concurrent guesses 3.2.1
Department of Defense Database Security Technical Implementation Guide 3.2.6.4, 3.2.6.5
DGPDB_INT user account 2.6.2
DGPDB_ROLE role 4.11.2
diagnostics
- DIAGNOSTICS_CONTROL initialization parameter 4.9
- restricting use to SYSDBA and ENABLE DIAGNOSTICS 4.9
dictionary privileges
- about 4.15.1
dictionary protection
- disabling for Oracle-maintained schema 4.15.3
- enabling for Oracle-maintained schema 4.15.2
dictionary tables
- auditing 30.4.4.5
Diffie-Hellman key negotiation algorithm 20.5
DIP user account 2.6.3
directories
- auditing 30.4.4.2
directory authentication, configuring for SYSDBA or SYSOPER access 3.3.2.2
directory objects
- granting EXECUTE privilege on 4.20.1.3
direct path load
- fine-grained auditing effects on 31.1.1
disabling unnecessary services
- FTP, TFTP, TELNET A.11.2
dispatcher processes (Dnnn)
- limiting SGA space for each session 2.4.2.5
distributed databases
- auditing and 28.8
DML
- See: data manipulation language
driving context 13.6
DROP PROFILE statement
- example 2.4.4.7
DROP ROLE statement
- example 4.11.6
- security domain, affected 4.11.6
DROP USER statement
- about 2.5.3
- schema objects of dropped user 2.5.4
dsi.ora file
- about 6.2.2.4.2
- changing contents of 6.2.2.4.2
- CMU_WALLET database property 6.2.2.4.2
- compared with ldap.ora 6.2.2.4.1
- multitenant environment 6.2.2.4.2
- placement of 6.2.2.4.2
- search order for 6.2.2.4.2
- WALLET_LOCATION parameter and 6.2.2.4.2
- when to use 6.2.2.4.2
DV_ACCTMGR role 4.11.2
DV_ADMIN role 4.11.2
DV_AUDIT_CLEANUP role 4.11.2
DV_DATAPUMP_NETWORK_LINK role 4.11.2
DV_GOLDENGATE_ADMIN role 4.11.2
DV_GOLDENGATE_REDO_ACCESS role 4.11.2
DV_MONITOR role 4.11.2
DV_OWNER role 4.11.2
DV_PATCH_ADMIN role 4.11.2
DV_POLICY_OWNER role 4.11.2
DV_ role 4.11.2
DV_SECANALYST role 4.11.2
DV_STREAMS_ADMIN role 4.11.2
DV_XSTREAMS_ADMIN role 4.11.2
DVF schema
- ORA_DV_SCHEMA_CHANGES predefined audit policy for 29.4.9
DVSYS schema
- ORA_DV_SCHEMA_CHANGES predefined audit policy for 29.4.9
dynamic Oracle Virtual Private Database policy types 14.3.8.2
DYNAMIC policy type 14.3.8.2

E

editions
- application contexts, how affects 13.1.5
- fine-grained auditing packages, results in 13.4.6.2
- global application contexts, how affects 13.4.6.2
- Oracle Virtual Private Database packages, results in 13.4.6.2
EJBCLIENT role 4.11.2
email alert example 31.4.1
enable_fips.py script C.2.5
encrypting information in 16.1
encryption
- access control 18.2.1
- BLOBS 18.3.6
- challenges 18.3
- data security, problems not solved by 18.2.3
- data transfer A.11.2
- deleted encrypted data A.7
- examples 18.6.1
- indexed data 18.3.1
- key generation 18.3.2
- keys, changing 18.3.5
- key storage 18.3.4.1
- key transmission 18.3.3
- malicious database administrators 18.2.2
- network encryption 20.6
- network traffic A.11.2
- number strings using DBMS_CRYPTO 18.6.4
- on-demand encryption 18.1
- problems not solved by 18.2
- Transparent Data Encryption 18.3.4.5
- transparent tablespace encryption 18.3.4.5
encryption and checksumming
- activating 20.6.1
- negotiating 20.6.2.1
- parameter settings 20.6.3
encryption of data dictionary sensitive data 16.1
ENFORCE_CREDENTIAL configuration parameter
- security guideline A.12
enterprise directory service 4.11.4.6
enterprise roles 4.11.4.6
enterprise user management 12.2.1
enterprise users
- global role, creating 4.11.4.6
- One Big Application User authentication, compromised by 12.2.1
- proxy authentication 3.10.1.1
- shared schemas, protecting users 12.11.2
Enterprise User Security
- application context, globally initialized 13.3.11.3
- proxy authentication
  - Oracle Virtual Private Database, how it works with 14.5.10
error messages
- ORA-12650 20.6.1, 20.6.2.2, 20.6.2.3
- ORA-25433 9.8.1
errors
- ORA-00036 31.2.2
- ORA-01720 4.17.1
- ORA-01994 2.3.4.1
- ORA-06512 10.12, 31.4.6
- ORA-06598 9.5.2
- ORA-1000 31.2.2
- ORA-1536 2.2.7.3
- ORA-24247 10.4, 10.12, 31.4.6
- ORA-28017 2.3.4.1
- ORA-28040 3.2.8.3, 3.4.1
- ORA-28046 2.3.4.1
- ORA-28144 31.2.2
- ORA-28575 12.5.3
- ORA-45622 15.6.6.2
example, basic 30.4.6.3
example, comparison 30.4.6.4
examples 14.4
- See also: tutorials
- access control lists
  - external network connections 10.7
  - wallet access 10.7
- account locking 3.2.4.8
- auditing GRANT operations 30.4.4.7
- auditing REVOKE operations 30.4.4.7
- auditing user SYS 30.4.2.5
- audit trail, purging unified trail 32.3.6
- data encryption
  - encrypting and decrypting BLOB data 18.6.3
  - encrypting and decrypting procedure with AES 256-Bit 18.6.2
- decrypting a number using DBMS_CRYPTO 18.6.4
- directory objects, granting EXECUTE privilege on 4.20.1.3
- encrypting a number using DBMS_CRYPTO 18.6.4
- encrypting procedure 18.6.1
- Java code to read passwords 12.4.4
- locking an account with CREATE PROFILE 3.2.4.8
- login attempt grace period 3.2.4.14
- nondatabase user authentication 13.4.6.7
- passwords
  - aging and expiration 3.2.4.12
  - changing 2.3.3.1
  - creating for user 2.2.5
- privileges
  - granting ADMIN OPTION 4.20.1.4
  - views 4.26.1
- procedure privileges affecting packages 4.18.5.2, 4.18.5.3
- profiles, assigning to user 2.2.9
- roles
  - altering for external authorization 4.11.3.5
  - creating for application authorization 4.11.4.2
  - creating for external authorization 4.11.4.3
  - creating for password authorization 4.11.3.2, 4.11.3.3
  - default, setting 4.24.3
  - external 4.11.3.4
  - global 4.11.3.4
  - using SET ROLE for password-authenticated roles 4.11.4.1
  - views 4.26.1
- secure external password store 3.2.9.2
- session ID of user
  - finding 2.5.2
- system privilege and role, granting 4.20.1.2
- tablespaces
  - assigning default to user 2.2.6.2
  - quota, assigning to user 2.2.7.2
  - temporary 2.2.8.2
- type creation 4.19.5
- users
  - account creation 2.2.3
  - creating with GRANT statement 4.20.1.5
  - dropping 2.5.4
  - middle-tier server proxying a client 3.10.1.5
  - object privileges granted to 4.20.2.1
  - proxy user, connecting as 3.10.1.5
exceptions
- WHEN NO DATA FOUND, used in application context package 13.3.9.3
- WHEN OTHERS, used in triggers
  - development environment (debugging) example 13.3.8
  - production environment example 13.3.7
Exclusive Mode
- SHA-2 password hashing algorithm, enabling 3.2.8.2
EXECUTE_CATALOG_ROLE role
- SYS schema objects, enabling access to 4.6.3.2
EXECUTE ANY LIBRARY statement
- security guidelines A.3
EXEMPT ACCESS POLICY privilege
- Oracle Virtual Private Database enforcements, exemption 14.5.7.2
EXP_FULL_DATABASE role
- about 4.11.2
expiring a password
- explicitly 3.2.4.14
exporting data
- direct path export impact on Oracle Virtual Private Database 14.5.7.2
- policy enforcement 14.5.7.2
extended data objects
- views and Virtual Private Database 14.3.2
external network services
- enabling listener for 10.5.2
external network services, fine-grained access to
- See: access control list (ACL)
external network services, syntax for 10.5.1
external procedures
- configuring extproc process for 12.5.4
- credentials 12.5.1
- DBMS_CREDENTIAL.CREATE_CREDENTIAL procedure 12.5.4
- legacy applications 12.5.5
- security guideline A.12
external roles 4.11.3.4
external tables A.7
extproc process
- about 12.5.1
- configuring credential for 12.5.4
- legacy applications 12.5.5

F

failed login attempts
- account locking 3.2.4.7
- password management 3.2.4.7
- resetting 3.2.4.7
fallback authentication, Kerberos 24.6
Federal Information Processing Standard (FIPS)
- DBMS_CRYPTO package C.3.2
- FIPS 140-2
  - postinstallation checks C.4
  - SQLNET.FIPS_140 C.3.4
  - SSLFIPS_140 C.3.3
  - SSLFIPS_LIB C.3.3, C.3.4
  - verifying connections for DBMS_CRYPTO C.5.4
  - verifying connections for network native encryption C.5.3
  - verifying connections for TLS C.5.2
  - verifying connections when using FIPS_140 parameter C.5.1
- Transparent Data Encryption C.3.2
files
- BFILEs
  - operating system access, restricting A.7
- BLOB 18.3.6
- keys 18.3.4.3
- listener.ora file
  - guidelines for security A.11.2, A.11.3
- restrict listener access A.11.2
- server.key encryption file A.11.3
- symbolic links, restricting A.7
- tnsnames.ora A.11.3
fine-grained access control
- See: Oracle Virtual Private Database (VPD)
fine grained auditing
- Data Redaction
  - schema system privileges 4.8.1
- schema system privileges 4.8.1
fine-grained auditing
- about 31.1.1
- alerts, adding to policy 31.4.1
- archiving audit trail 32.2.2
- columns, specific 31.2.4
- direct loads of data 31.1.1
- edition-based redefinitions 31.1.6
- editions, results in 13.4.6.2
- finding errors by checking trace files 29.7, 31.5
- how audit records are generated 31.1.2
- how to use 31.1.1
- policies
  - adding 31.2.1
  - disabling 31.3.2
  - dropping 31.3.3
  - enabling 31.3.1
  - modifying 31.2.1
- policy creation syntax 31.2.2
- privileges required 31.1.3
- records
  - archiving 32.2.2
- transparent sensitive data protection policy settings 15.14.2
- TSDP policies and 15.14.1
- VPD predicates 31.1.4
FIPS
- weaker deprecated algorithm keys C.6
FIPS_140 parameter
- about C.2.1, C.3.1
- DBMS_CRYPTO C.2.1, C.3.1
- Java applications, enabling in C.2.5
- Java applications, enabling using orapki and java.security file C.2.4
- network native encryption C.2.1, C.3.1
- TDE C.2.1, C.3.1
- TLS C.2.1
- Transport Layer Security C.3.1
fips.ora file C.2.2, C.3.4
FIPS 140-2
- approved DBMS_CRYPTO cipher suites C.2.7
- approved network native encryption algorithms C.2.9
- approved TDE algorithms C.2.6
- approved TLS cipher suites C.2.8
FIPS 140-2 cryptographic libraries
- about C.1
firewalls
- advice about using A.11.2
- database server location A.11.2
- ports A.11.3
- supported types A.11.2
flashback query
- Oracle Virtual Private Database, how it works with 14.5.6
forcetcp parameter in krb5.conf 24.2.6.4
foreign keys
- privilege to use parent key 4.16.2
FTP protocol messages, auditing 30.8.8.1
FTP service A.11.2
functions
- auditing 30.4.4.2, 30.4.4.13
- granting roles to 4.11.5.3
- Oracle Virtual Private Database
  - components of 14.2.1
  - privileges used to run 14.1.4
- privileges for 4.18.1
- roles 4.11.1.8

G

GATHER_SYSTEM_STATISTICS role 4.11.2
GDS_CATALOG_SELECT role 4.11.2
GLOBAL_AQ_USER_ROLE role 4.11.2
GLOBAL_EXTPROC_CREDENTIAL configuration parameter
- security guideline 12.5.5
global application contexts 13.4.1
- See also: application contexts
- about 13.4.1
- authenticating nondatabase users 13.4.6.7
- checking values set globally for all users 13.4.6.5
- clearing values set globally for all users 13.4.6.5
- components 13.4.3
- editions, affect on 13.4.6.2
- example of authenticating nondatabase users 13.4.6.8
- example of authenticating user moving to different application 13.4.6.6
- example of setting values for all users 13.4.6.5
- Oracle RAC environment 13.4.4
- Oracle RAC instances 13.4.1
- ownership 13.4.5.1
- PL/SQL package creation 13.4.6.1
- process, lightweight users 13.4.9.2
- process, standard 13.4.9.1
- sharing values globally for all users 13.4.6.4
- system global area 13.4.1
- tutorial for client session IDs 13.4.8.1
- used for One Big Application User scenarios 14.5.10
- uses for 14.5.10
global authorization
- role creation 4.11.4.6
global roles 4.11.3.4
- about 4.11.4.6
grace period for login attempts
- example 3.2.4.14
grace period for password expiration 3.2.4.14
gradual database password rollover
- about 3.2.5.1
- actions permitted during 3.2.5.7
- changing password during rollover period 3.2.5.5
- changing password to begin rollover period 3.2.5.4
- enabling 3.2.5.3
- finding users who use old passwords 3.2.5.12
- manually ending the password before rollover period 3.2.5.6
- Oracle Data Guard 3.2.5.11
- Oracle Data Pump exports 3.2.5.10
- password change life cycle 3.2.5.2
- passwords, compromised 3.2.5.9
- server behavior after rollover ends 3.2.5.8
GRANT ALL PRIVILEGES statement
- SELECT ANY DICTIONARY privilege, exclusion of A.7
GRANT ANY PRIVILEGE system privilege 4.6.2
GRANT CONNECT THROUGH clause
- consideration when setting FAILED_LOGIN_ATTEMPTS parameter 3.2.4.3
- for proxy authorization 3.10.1.5
granting privileges and roles
- about 4.6.4
- specifying ALL 4.14.3.2
GRANT statement 4.20.1.1
- ADMIN OPTION 4.20.1.4
- creating a new user 4.20.1.5
- object privileges 4.20.2.1, 12.12.1
- system privileges and roles 4.20
- when takes effect 4.24.1
- WITH GRANT OPTION 4.20.2.2
GRAPH_ADMINISTR ATOR role 4.11.2
GRAPH_DEVELOPER role 4.11.2
GRAPH_USER role 4.11.2
GSM_OGG_CAPTURE role 4.11.2
GSM_POOLADMIN_ROLE role 4.11.2
GSMADMIN_ROLE role 4.11.2
GSMCATUSER_ROLE role 4.11.2
GSMROOTUSER_ROLE role 4.11.2
GSMROOTUSER user account 2.6.2
GSMUSER_ROLE role 4.11.2
guidelines
- handling compromised passwords 3.2.5.9
guidelines for security
- auditing A.13
- custom installation A.9
- data files and directories A.7
- encrypting sensitive data A.7
- guidelines for security
  - custom installation A.9
- installation and configuration A.9
- networking security A.11
- operating system accounts, limiting privileges A.7
- operating system users, limiting number of A.7
- ORACLE_DATAPUMP access driver A.8
- Oracle home default permissions, disallowing modification A.7
- passwords A.4
- PDBs A.10
- products and options
  - install only as necessary A.9
- sample schemas A.9
- Sample Schemas
  - remove or relock for production A.9
  - test database A.9
- symbolic links, restricting A.7
- Transport Layer Security
  - mode A.11.3
  - TCPS protocol A.11.3
- user accounts and privileges A.3
- Windows installations A.5

H

hackers
- See: security attacks
how it works 6.1.2
HS_ADMIN_EXECUTE_ROLE role
- about 4.11.2
HS_ADMIN_ROLE role
- about 4.11.2
HS_ADMIN_SELECT_ROLE role
- about 4.11.2
HTTP authentication
- See: access control lists (ACL), wallet access
HTTP protocol messages, auditing 30.8.8.1
HTTPS
- port, correct running on A.11.3
HTTP verifier removal A.4

I

IMP_FULL_DATABASE role
- about 4.11.2
INACTIVE_ACCOUNT_TIME profile parameter 3.2.4.6
inactive user accounts, locking automatically 3.2.4.6
indexed data
- encryption 18.3.1
indirectly granted roles 4.11.1.2
INHERIT ANY PRIVILEGES privilege
- about 9.5.2
- managing 9.5.8
- revoking from powerful users 9.5.7
- when it should be granted 9.5.6
INHERIT ANY REMOTE PRIVILEGES 9.8.1
INHERIT PRIVILEGES privilege
- about 9.5.2
- auditing 9.5.8
- managing 9.5.8
- when it should be granted 9.5.3
INHERIT REMOTE PRIVILEGES
- about 9.8.1
initialization parameter file
- parameters for clients and servers using Kerberos 24.1.5
- parameters for clients and servers using RADIUS 26.4.1
initialization parameters
- application protection 12.13
- MAX_ENABLED_ROLES 4.24.4
- OS_ROLES 4.11.4.4
- SEC_MAX_FAILED_LOGIN_ATTEMPTS 12.13.3
- SEC_RETURN_SERVER_RELEASE_BANNER 12.13.4
- SEC_USER_AUDIT_ACTION_BANNER 12.13.5
- SEC_USER_UNAUTHORIZED_ACCESS_BANNER 12.13.5
initial ticket, defined 24.2.9
INSERT privilege
- granting 4.20.2.4
- revoking 4.21.2.4
installation
- guidelines for security A.9
intruders
- See: security attacks
invoker’s rights
- about 9.3
- code based access control
  - about 9.7.1
  - granting and revoking roles to program unit 9.7.6
  - how code based access control works 9.7.3
  - tutorial 9.7.7
- compared with definer’s rights 9.1
- controlled step-in 9.3
- procedure privileges, used with 9.2
- procedure security 9.3
- secure application roles 12.9.2.1
- secure application roles, requirement for enabling 12.9.2.1
- security risk 9.5.1
- views
  - about 9.6.1
  - finding user who invoked invoker’s right view 9.6.3
IP addresses
- falsifying A.11.2

J

JAVA_ADMIN role 4.11.2
JAVA_RESTRICT initialization parameter
- security guideline A.7
java.security file C.2.4
JAVADEBUGPRIV role 4.11.2
Java Debug Wire Protocol (JDWP)
- network access for debugging operations 10.12
JAVAIDPRIV role 4.11.2
Java schema objects
- auditing 30.4.4.2
Java stored procedures
- network access for debugging operations 10.12
JAVASYSPRIV role 4.11.2
JAVAUSERPRIV role 4.11.2
JDBC connections
- JDBC/OCI proxy authentication 3.10.1.1
  - multiple user sessions 3.10.1.8
  - Oracle Virtual Private Database 14.5.10
- JDBC Thin Driver proxy authentication
  - configuring 3.10.1.1
  - with real user 3.10.1.8
JDeveloper
- debugging using Java Debug Wire Protocol 10.12
JMXSERVER role 4.11.2

K

Kerberos 22.4.1
- authentication adapter utilities 24.3
- authentication fallback behavior 24.6
- authentication in Oracle Database 24.1.6
- components 24.1.1
- configuring authentication 24.2, 24.2.6.1
- configuring for database server 24.2.2
- configuring for Windows Server Domain Controller KDC 24.5
- connecting to database 24.4
- how Oracle Database works with 24.1.4
- interoperability with Windows Server Domain Controller KDC 24.5.1
- Kerberos server (KDC) 24.1.3
- kinstance 24.2.2
- kservice 24.2.2
- Oracle Database parameters 24.1.5
- realm 24.2.2
- sqlnet.ora file sample 20.3.2
- system requirements 22.6
- tickets
  - client service ticket 24.1.2.2
  - client ticket granting ticket 24.1.2.1
Kerberos authentication 3.7.1.3
- configuring for SYSDBA or SYSOPER access 3.3.2.3
- password management A.4
Kerberos Key Distribution Center (KDC) 24.5
key generation
- encryption 18.3.2
key storage
- encryption 18.3.4.1
key transmission
- encryption 18.3.3
kinstance (Kerberos) 24.2.2
krb5.conf
- configuring TCP or UDP connection 24.2.6.4
kservice (Kerberos) 24.2.2

L

large objects (LOBs)
- about securing 12.6.1
- encryption management 12.6.2
LBAC_DBA role 4.11.2
LBACSYS.ORA_GET_AUDITED_LABEL function
- about 30.8.5.9
LBACSYS schema
- ORA_DV_SCHEMA_CHANGES predefined audit policy for 29.4.9
LBACSYS user account 2.6.2
ldap.ora
- which directory SSL port to use for no authentication 21.3.8.5.4
ldap.ora file
- about 6.2.2.4.4
- benefit of 6.2.2.4.4
- changing contents of 6.2.2.4.4
- compared with dsi.ora 6.2.2.4.1
- creating for Microsoft Active Directory services 6.2.2.4.3, 6.2.2.4.5
- placement of 6.2.2.4.4
- search order for 6.2.2.4.4
least privilege principle A.3
- about A.3
- granting user privileges A.3
- middle-tier privileges 3.10.1.9
libraries
- auditing 30.4.4.2
lightweight users
- example using a global application context 13.4.8.1
- Lightweight Directory Access Protocol (LDAP) 14.4.2.9
listener
- not an Oracle owner A.11.2
- preventing online administration A.11.2
- restrict privileges A.11.2
- secure administration A.11.2
listener.ora file
- administering remotely A.11.2
- default location A.11.3
- online administration, preventing A.11.2
- TCPS, securing A.11.3
lists data dictionary
- See: views
- data dictionary views
  - See: views
- granting privileges and roles
  - finding information about 4.26.1
- privileges
  - finding information about 4.26.1
- roles
  - finding information about 4.26.1
- views
  - privileges 4.26.1
  - roles 4.26.1
LOB_SIGNATURE_ENABLE initialization parameter 12.6.1
LOBs
- about securing 12.6.1
- encryption management 12.6.2
local privilege grants
- about 4.10.1
- granting 4.10.4
- revoking 4.10.4
local privileges
- granting 4.2.4
local roles 4.2.3, 4.12.9
- about 4.12.1
- creating 4.12.10
- granting 4.2.4
- rules for creating 4.12.8
local user accounts
- creating 2.2.10.3
local users
- about 2.2.1.3
lock and expire
- default accounts A.3
- predefined user accounts A.3
lockdown profiles
- example 4.13.2
lockdown profiles, PDB 4.13.1
locking inactive user accounts automatically 3.2.4.6
log files
- owned by trusted user A.7
logical reads limit 2.4.2.4
logon triggers
- externally initialized application contexts 13.3.5
- for application context packages 13.3.5
- running database session application context package 13.3.5
- secure application roles 4.11.8
LOGSTDBY_ADMINISTRATOR role 4.11.2

M

malicious database administrators 18.2.2
- See also: security attacks
manager default password A.4
managing roles with RADIUS server 26.5.8
materialized views
- auditing 30.4.4.2
MD5 message digest algorithm 20.4
MDDATA user account 2.6.3
MDSYS user account 2.6.2
memory
- users, viewing 2.7.5
MERGE INTO statement, affected by DBMS_RLS.ADD_POLICY statement_types parameter 14.3.4
metadata links
- privilege management 4.14.6.1
methods
- privileges on 4.19
Microsoft Active Directory services 6.1.3, 6.1.4, 6.1.5, 6.2.1, 6.2.2.1, 6.2.2.5, 6.2.2.7.2, 6.2.2.7.3
- about configuring connection 6.2.2.7.1
- about password authentication 6.3.1.1
- access, Kerberos authentication 6.3.3
- access, PKI authentication 6.3.4
- access configuration, Oracle wallet verification 6.2.2.8
- access configuration, testing integration 6.2.2.9
- account policies 6.5
- administrative user configuration, exclusive mapping 6.4.6.2
- administrative user configuration, shared access accounts 6.4.6.1
- dsi.ora file, about 6.2.2.4.2
- dsi.ora file, compared with ldap.ora 6.2.2.4.1
- extending Active Directory schema 6.2.2.2
- ldap.ora file, about 6.2.2.4.4
- ldap.ora file, compared with dsi.ora 6.2.2.4.1
- ldap.ora file, creating 6.2.2.4.3, 6.2.2.4.5
- logon user name with password authentication 6.3.1.3
- multitenant users, how affected 6.1.6
- user authorization, about 6.4.1
- user authorization, mapping Directory user group to global role 6.4.3
- user authorization, verifying 6.4.7
- user management, altering mapping definition 6.4.5
- user management, exclusively mapping Directory user to database global user 6.4.4
- user management, mapping group to shared global user 6.4.2
- user management, migrating mapping definition 6.4.5
Microsoft Active Directory services integration 6.1.1, 6.1.2, 6.1.7
Microsoft Active Directory services proxy authentication 6.3.2.3
- about 6.3.2.1
- configuring 6.3.2.2
Microsoft Directory Access services 6.2.2.7.4
Microsoft Entra ID token
- checking version of 8.7.3
Microsoft Windows
- Kerberos
  - configuring for Windows Server Domain Controller KDC 24.5
middle-tier systems
- client identifiers 3.10.2.2
- enterprise user connections 3.10.1.14
- password-based proxy authentication 3.10.1.13
- privileges, limiting 3.10.1.9
- proxies authenticating users 3.10.1.10
- proxying but not authenticating users 3.10.1.11
- reauthenticating user to database 3.10.1.12
- USERENV namespace attributes, accessing 13.3.10.5
mining models
- auditing 30.4.4.2
mkstore utility
- createALO command B.7.2
- create command B.7.1
- createCredential command B.7.3
- createEntry command B.7.4
- createUserCredential command B.7.5
- delete command B.7.6
- deleteCredential command B.7.7
- deleteEntry command B.7.8
- deleteSSO command B.7.9
- deleteUserCredential command B.7.10
- list command B.7.11
- listCredential command B.7.12
- modifyCredential command B.7.13
- modifyEntry command B.7.14
- modifyUserCredential command B.7.15
- SQL*Loader object store credentials 3.2.9.7
- viewEntry command B.7.16
monitoring user actions 28.1
- See also: auditing, standard auditing, fine-grained auditing
multiplex multiple-client network sessions A.11.2
multitenant container database (CDB)
- See: CDBs
multitenant option
- centrally managed users, how affected 6.1.6
My Oracle Support
- security patches, downloading A.2.1
- user account for logging service requests 2.6.3

N

native network encryption
- checking if enabled in surrent session 20.7.1
- compared with Transport Layer Security 20.1.3
- FIPS library location setting (SSLFIPS_LIB) C.3.4
- FIPS mode setting (FIPS_140) C.3.4
- troubleshooting 20.7
native network encryption and integrity
- how it works 20.1.1
native network enryption
- disabling 27.2
Net8
- See: Oracle Net
network authentication
- guidelines for securing A.4
- roles, granting using 4.23.1
- smart cards A.4
- token cards A.4
- X.509 certificates A.4
network connections
- denial-of-service (DoS) attacks, addressing A.11.2
- guidelines for security A.11, A.11.1, A.11.2
- securing A.11.2
network encryption
- about 20.6
- configuring 20.6
- troubleshooting 20.7
network IP addresses
- guidelines for security A.11.2
network native encryption
- FIPS-supported algorithms C.2.9
network traffic encryption A.11.2
nondatabase users 13.4.2
- See also: application contexts, client identifiers
- about 13.4.2
- auditing 30.10
- clearing session data 13.4.6.9
- creating client session-based application contexts 13.5.1
- global application contexts
  - package example 13.4.6.8
  - reason for using 13.4.2
  - setting 13.4.6.7
  - tutorial 13.4.8.1
- One Big Application User authentication
  - about 14.5.10
  - features compromised by 12.2.1
  - security risks 12.2.1
- Oracle Virtual Private Database
  - how it works with 14.5.10
  - tutorial for creating a policy group 14.4.3.1

O

object privileges 4.14.1, A.3
- See also: schema object privileges
- about 4.14.1
- granting on behalf of the owner 4.20.2.3
- managing 12.12
- revoking 4.21.2.1
- revoking on behalf of owner 4.21.2.3
- schema object privileges 4.14.1
- synonyms 4.14.5
- with common privilege grants 4.10.3
objects
- applications, managing privileges in 12.12
- granting privileges 12.12.2
- privileges
  - applications 12.12.1
  - managing 4.19
- protecting in shared schemas 12.11.2
- protecting in unique schemas 12.11.1
- SYS schema, access to 4.6.3.2
object types
- auditing 30.4.4.2
OEM_ADVISOR role 4.11.2
OEM_MONITOR role 4.11.2
OGG_APPLY_PROCREP role 4.11.2
OGG_APPLY role 4.11.2
OGG_SHARED_CAPTURE role 4.11.2
OJVMSYS user account 2.6.2
okcreate
- Kerberos adapter utility 24.3
okcreate options 24.3.4
okdstry
- Kerberos adapter utility 24.3
okdstry options 24.3.3
okinit
- Kerberos adapter utility 24.3
okinit utility options 24.3.1
oklist
- Kerberos adapter utility 24.3
OLAPSYS user account 2.6.2
One Big Application User authentication
- See: nondatabase users
operating system
- audit files written to 32.1.5
operating systems 3.6.1
- accounts 4.23.2
- authentication
  - about 3.7.1.2
  - advantages 3.7.1.2
  - disadvantages 3.7.1.2
  - operating system user for PDB 3.6.1
  - roles, using 4.23.1
- default permissions A.7
- enabling and disabling roles 4.23.5
- operating system account privileges, limiting A.7
- role identification 4.23.2
- roles, granting using 4.23.1
- roles and 4.11.1.10
- users, limiting number of A.7
operating system users
- configuring for PDBs 3.6.3
- setting default credential 3.6.4
OPTIMIZER_PROCESSING_RATE role 4.11.2
ORA_ACCOUNT_MGMT predefined unified audit policy 29.4.4
ORA_ALL_TOPLEVEL_ACTIONS predefined unified audit policy 29.4.6.2
ORA_CIS_RECOMMENDATIONS predefined unified audit policy 29.4.5
ORA_DATABASE_PARAMETER predefined unified audit policy 29.4.3
ORA_DV_DEFAULT_PROTECTION predefined unified audit policy 29.4.10
ORA_DV_SCHEMA_CHANGES predefined unified audit policy 29.4.9
ORA_LOGIN_LOGOUT predefined unified audit policy 29.4.6.3
ORA_OLS_SCHEMA_CHANGES predefined unified audit policy 29.4.11
ORA_SECURECONFIG predefined unified audit policy 29.4.2
ORA_STIG_PROFILE profile 3.2.6.4
ORA_STIG_RECOMMENDATIONS predefined unified audit policy 29.4.6.1
ORA$DEPENDENCY profile 5.1.6
ORA$DICTIONARY_SENS_COL_ACCESS predefined unified audit policy 29.4.7
ORA-01017 errors in Oracle Cloud Infrastructure-IAM integration 7.8.3
ORA-01017 errors in Oracle DBaaS-IAM integration
- client-side 7.8.1
- IAM administrator actions to remedy 7.8.6
- IAM user configurations 7.8.4
ORA-01720 error 4.17.1
ORA-01741 error 31.2.1
ORA-01994 2.3.4.1
ORA-03114 error 7.8.5, 8.7.2
ORA-06512 error 10.12, 31.4.6
ORA-06598 error 9.5.2
ORA-12008 error 31.2.1
ORA-12599 error 7.8.5, 8.7.2
ORA-1536 error 2.2.7.3
ORA-24247 error 10.4, 10.12, 31.4.6
ORA-28017 error 2.3.4.1
ORA-28040 error 3.2.8.3, 3.4.1
ORA-28046 error 2.3.4.1
ORA-28575 error 12.5.3
ORA-29024 error 10.6.6
ORA-45622 errors 15.6.6.2
ORA-64219: invalid LOB locator encountered 12.6.1
ORACLE_DATAPUMP access driver
- guidelines for security A.8
ORACLE_OCM user account 2.6.3
Oracle Advanced Security
- checksum sample for sqlnet.ora file 20.3.2
- encryption sample for sqlnet.ora file 20.3.2
- network authentication services A.4
- TLS features 25.1
- user access to application schemas 12.11.2
Oracle Audit Vault and Database Firewall
- schema-only accounts 3.5.1
Oracle Autonomous Database
- centrally managed users 6.6
Oracle Call Interface (OCI)
- application contexts, client session-based 13.5.1
- proxy authentication 3.10.1.1
  - Oracle Virtual Private Database, how it works with 14.5.10
- proxy authentication with real user 3.10.1.8
- security-related initialization parameters 12.13
Oracle Connection Manager
- securing client networks with A.11.2
Oracle Database Enterprise User Security
- password security threats 3.2.8.1
Oracle Database Real Application Clusters
- archive timestamp for audit records 32.3.3.3
- global contexts 13.4.1
Oracle Database Real Application Security
- ALL audit events 30.8.3.6
- auditing 30.8.3
- security class and ACL audit events 30.8.3.4
- session audit events 30.8.3.5
- user, privilege, and role audit events 30.8.3.3
Oracle Database-to-Entra ID authorizations
- disabling 8.2.6
- enabling 8.2.5
Oracle Database-to-IAM
- trace files for client side 8.7.1.2
Oracle Database-to-Microsoft Azure Active Directory client connections
- network proxies 8.4.7.1
Oracle Database-to-Microsoft Azure Entra ID
- creating Entra ID app roles 8.2.4.1
Oracle Database-to-Microsoft Entra ID
- about 8.1.1
- architecture 8.1.2
- assigning app role to service principal 8.2.4.3
- assigning users and groups to Entra ID app roles 8.2.4.2
- configuring v2 tokens 8.2.3
- Entra ID token, checking version of 8.7.3
- exclusive mapping between database schema and Azure user 8.3.1
- mapping Oracle roles with Entra ID roles 8.3.3
- on-premises requirements 8.2.1
- operational flow 8.4.2
- Oracle schema-to-Entra ID application role mapping 8.3.2
- registering database instance to Microsoft Azure tenancy 8.2.2
- trace files for client, levels 8.7.1.1
- trace files for client, setting 8.7.1.2
- use cases 8.1.4
- user and group mappings 8.1.3, 8.1.5
Oracle Database-to-Microsoft Entra ID client connections
- about 8.4.1
- confidential client registration 8.4.4.1
- configuring to work with Entra ID token 8.4.5.1
- creating a client app registration 8.4.4.2
- direct token retrievals 8.4.5.2
- enabling client to retrieve token from file location 8.4.5.4
- examples of retrieving OAuth2 tokens 8.4.6.1
- example using Python script for MSAL library 8.4.6.2
- net naming for Azure 8.4.8
- net naming for IAM 7.5.3
- network proxy for default database 8.4.7.3
- network proxy for Oracle Real Application Clusters 8.4.7.4
- network proxy for Windows 8.4.7.5
- public client registration 8.4.4.1
- requesting tokens using Azure CLI 8.4.6.4
- retrieving token using Entra ID CLI 8.4.6.3
- secrets for Azure 8.4.8
- secrets for IAM 7.5.3
- supported drivers 8.4.3
- testing Azure endpoint accessibility 8.4.7.2
Oracle Database Vault
- auditing 30.8.2
- command rules, audit events 30.8.2.6
- Data Pump, audit events 30.8.2.10
- enable and disable, audit events 30.8.2.11
- factors, audit events 30.8.2.7
- OLS, audit events 30.8.2.9
- realms, audit events 30.8.2.4
- rule sets and rules, audit events 30.8.2.5
- secure application roles, audit events 30.8.2.8
Oracle Data Guard
- gradual database password rollover 3.2.5.11
- SYSDG administrative privilege 4.5.6
Oracle Data Pump
- audit events 30.8.6.2
- exported data from VPD policies 14.5.8
- exports during gradual database password rollover 3.2.5.10
- unified audit trail 32.1.8
Oracle DBaaS client connections
- supported drivers 7.5.2
Oracle DBaaS-to-Entra ID proxy authentication
- about 8.5.1
- configuring 8.5.2
- validating 8.5.3
Oracle DBaaS-to-IAM
- about 7.1.1, 7.5.1
- about token requests using passwords or SEPS 7.5.5.1
- architecture 7.1.2
- cross-tenancy, about 7.6.1
- cross-tenancy access examples 7.6.2.3
- database clients for cross-tenancy access 7.6.4
- parameters for setting password or SEPS token requests 7.5.5.2
- requesting cross-tenancy tokens 7.6.5
- trace files for client side 7.8.2
- troubleshooting client side 7.8.2
Oracle DBaaS-to-IAM authorizations
- about 7.2.2.1
- altering 7.2.2.5
- creating IAM database password 7.3.2
- creating policies for authenticating users 7.3.1
- enabling 7.2.1
- IAM group to database global role 7.2.2.3
- IAM user to database global user 7.2.2.4
- instance principals 7.2.2.6
- mapping schemas and roles to users and groups in another tenancy 7.6.3
- migrating 7.2.2.5
- resource principals 7.2.2.6
- shared database global user 7.2.2.2
- source user tenancy 7.6.2.1
- target database resource tenancy 7.6.2.2
- token requested by IAM user name and password 7.5.5.4
- token requested by IAM user name and secure external password store (SEPS) 7.5.5.3
- user authorization, verifying 7.2.2.7
Oracle DBaaS-to-IAM client connections
- IAM token 7.5.9.2
- password verifier 7.5.4
- SQL*Plus using an IAM database password 7.5.9.1
- token 7.5.6
Oracle DBaaS-to-IAM connections
- about 7.1.3
- connection pools using instance or resource principals 7.4
- database links 7.7
- direct token retrievals 7.5.8
- walletless connections 7.5.7
Oracle DBaaS-to-IAM proxy authentication
- about 7.2.3.1
- configuring 7.2.3.2
- validating 7.2.3.3
Oracle DBaaS-to-Power BI SSO
- about 8.6.1
Oracle Developer Tools For Visual Studio (ODT)
- debugging using Java Debug Wire Protocol 10.12
Oracle E-Business Suite
- schema-only accounts 3.5.1
Oracle Enterprise Manager
- PDBs 11
- statistics monitor 2.4.3
Oracle Flashback Data Archive
- Oracle Virtual Private Database 14.5.9
Oracle home
- default permissions, disallowing modification A.7
Oracle Internet Directory
- Diffie-Hellman TLS port 21.3.8.5.4
Oracle Internet Directory (OID)
- SYSDBA and SYSOPER access, controlling 3.3.2.1
- Transport Layer Security authentication 25.2
Oracle Java Virtual Machine
- JAVA_RESTRICT initialization parameter security guideline A.7
Oracle Java Virtual Machine (OJVM)
- permissions, restricting A.3
Oracle Label Security
- audit events 30.8.5.2
- auditing 30.8.5
- auditing internal predicates in policies 30.4.4.14
- user session label audit events 30.8.5.3
Oracle Label Security (OLS)
- Oracle Virtual Private Database, using with 14.5.7.1
Oracle Machine Learning for SQL
- audit events 30.8.9.2
OracleMetaLink
- See: My Oracle Support
Oracle native encryption
- configured with SSL authentication 20.6.3.3.1
Oracle Net
- firewall support A.11.2
Oracle parameters
- authentication 27.4
Oracle RAC
- Transport Layer Security 21.4.1.1
Oracle Real Application Clusters
- components that need certificates 21.4.1.3.1
- global application contexts 13.4.4
- SYSRAC administrative privilege 4.5.8
Oracle Real Application Security
- auditing internal predicates in policies 30.4.4.14
Oracle Recovery Manager
- audit events 30.8.4.2
- auditing 30.8.4
- SYSBACKUP administrative privilege 4.5.5
Oracle Scheduler
- sensitive credential data
  - about 16.1
  - data dictionary views 16.7
  - deleting 16.5
  - encrypting 16.3
  - multitenant environment 16.2
  - rekeying 16.4
  - restoring functioning of lost keystore 16.6
Oracle SQL*Loader
- Direct Load Path audit events 30.8.7.2
Oracle Technology Network
- security alerts A.2.1
Oracle Virtual Private Database
- exporting data using Data Pump Export 14.5.8
- Oracle Flashback Data Archive 14.5.9
Oracle Virtual Private Database (VPD)
- about 14.1.1
- ANSI operations 14.5.3
- application containers 14.1.6
- application contexts
  - tutorial 14.4.2.1
  - used with 14.1.5
- applications
  - how it works with 14.5.4
  - users who are database users, how it works with 14.5.10
- applications using for security 12.2.2
- automatic reparsing, how it works with 14.5.5
- benefits 14.1.2
- CDBs 14.1.6
- column level 14.3.6.1
- column-level display 14.3.6.1
- column masking behavior
  - enabling 14.3.6.4
  - restrictions 14.3.6.5
- components 14.2
- configuring 14.3
- cursors, shared 14.1.5
- edition-based redefinitions 14.5.1
- editions, results in 13.4.6.2
- Enterprise User Security proxy authentication, how it works with 14.5.10
- exporting data 14.5.7.2
- extended data objects in views 14.3.2
- finding information about 14.6
- flashback query, how it works with 14.5.6
- function
  - components 14.2.1
  - how it is run 14.1.4
- JDBC proxy authentication, how it works with 14.5.10
- JSON 14.5.11
- nondatabase user applications, how works with 14.5.10
- OCI proxy authentication, how it works with 14.5.10
- Oracle Label Security
  - exceptions in behavior 14.5.7.2
  - using with 14.5.7.1
- outer join operations 14.5.3
- performance benefit 14.1.2.2
- policies, Oracle Virtual Private Database
  - about 14.3.1
  - applications, validating 14.3.7.5
  - attaching to database object 14.3.2
  - column display 14.3.6.1
  - column-level display, default 14.3.6.3
  - dynamic 14.3.8.2
  - multiple 14.3.7.4
  - optimizing performance 14.3.8.1
  - privileges used to run 14.1.4
  - SQL statements, specifying 14.3.4
- policy groups
  - about 14.3.7.1
  - benefits 14.3.7.1
  - creating 14.3.7.2
  - default 14.3.7.3
  - tutorial, implementation 14.4.3.1
- policy types
  - context sensitive, about 14.3.8.8
  - context sensitive, altering existing policy 14.3.8.11
  - context-sensitive, audited 30.4.4.15
  - context sensitive, creating 14.3.8.9
  - context sensitive, refreshing 14.3.8.10
  - context sensitive, restricting evaluation 14.3.8.8
  - context sensitive, when to use 14.3.8.13
  - DYNAMIC 14.3.8.2
  - dynamic, audited 30.4.4.15
  - shared context sensitive, about 14.3.8.12
  - shared context sensitive, when to use 14.3.8.13
  - shared static, about 14.3.8.6
  - shared static, when to use 14.3.8.7
  - static, about 14.3.8.4
  - static, audited 30.4.4.15
  - static, when to use 14.3.8.7
  - summary of features 14.3.8.14
- privileges required to create policies 14.1.3
- SELECT FOR UPDATE statements in policies 14.5.2
- tutorial, simple 14.4.1.1
- user models 14.5.10
- Web-based applications, how it works with 14.5.10
Oracle Virtual Private Datebase (VPD)
- predicates
  - audited in fine-grained audit policies 31.1.4
  - audited in unified audit policies 30.4.4.14
Oracle wallets
- authentication method 3.7.1.4
- search order for TLS 21.3.3.4
orapki
- running in FIPS mode C.2.3
orapki utility
- adding a certificate request to a wallet with B.4.2
- adding a root certificate to a wallet with B.4.5
- adding a trusted certificate to a wallet with B.4.5
- adding certificate to wallet B.4.13.1
- adding user certificates to a wallet with B.4.8
- adding user-supplied certificate to wallet B.4.13.1
- cert create command B.6.1
- cert display command B.6.2
- certificate revocation lists 21.3.8.5.1
- changing the wallet password with B.3.7
- converting wallet to use AES256 algorithm B.3.8
- creating a local auto-login wallet with B.3.4
- creating an auto-login only wallet with B.3.3
- creating an auto-login wallet with B.3.5
- creating a wallet with B.3.1
- creating SHA-2 certificates for testing B.4.4
- creating signed certificates for testing B.4.3
- crl delete command B.6.3
- crl display command B.6.4
- crl hash command B.6.5
- crl list command B.6.6
- crl upload command B.6.7
- examples B.5
- exporting a certificate from a wallet with B.4.13.2
- exporting a certificate request from a wallet with B.4.13.2
- importing a wallet with B.3.2
- managing certificate revocation lists B.4.14
- secretstore create_credential command B.6.8
- secretstore create_entry command B.6.9
- secretstore create_user_credential command B.6.10
- secretstore delete_credential command B.6.11
- secretstore delete_entry command B.6.12
- secretstore delete_user_credential command B.6.13
- secretstore list_credentials command B.6.14
- secretstore list_entries_unsorted command B.6.16
- secretstore list_entries command B.6.15, B.6.20
- secretstore modify_credential command B.6.17
- secretstore modify_entry command B.6.18
- secretstore modify_user_credential command B.6.19
- syntax B.2.2
- viewing a certificate with B.4.11
- viewing a wallet with B.3.6
- wallet add command B.6.21
- wallet change_pwd command B.6.22
- wallet convert command B.6.23
- wallet create command B.6.24
- wallet delete command B.6.25
- wallet display command B.6.26
- wallet export_private_key command B.6.28
- wallet export command B.6.27
- wallet import_pkcs12 command B.6.29
- wallet import_private_key command B.6.30
- wallet jks_to_pkcs12 command B.6.31
- wallet pkcs12_to_jks command B.6.32
- wallet remove command B.6.33
ORAPWD utility
- case sensitivity in passwords 3.2.7.4
- changing SYS password 2.3.4.2
- changing SYS password with 2.3.4.1
ORDDATA user account 2.6.2
ORDPLUGINS user account 2.6.2
ORDSYS user account 2.6.2
OS_AUTHENT_PREFIX parameter 27.4.2
OS_ROLES initialization parameter
- operating-system authorization and 4.11.4.4
- operating system role grants 4.23.5
- REMOTE_OS_ROLES and 4.23.6
- using 4.23.2
OSAK_ADMIN_ROLE role 4.11.2
outer join operations
- Oracle Virtual Private Database affect on 14.5.3
OUTLN user account 2.6.2

P

packages
- auditing 30.4.4.2, 30.4.4.13
- examples 4.18.5.3
- examples of privilege use 4.18.5.2
- granting roles to 4.11.5.3
- privileges
  - divided by construct 4.18.5.1
  - executing 4.18.1, 4.18.5.1
parallel execution servers 13.3.4.5
parallel query, and SYS_CONTEXT 13.3.4.5
parameters
- authentication
  - Kerberos 24.1.5
  - RADIUS 26.4.1
- encryption and checksumming 20.6.3
pass phrase
- read and parse server.key file A.11.3
PASSWORD_LIFE_TIME profile parameter 3.2.4.11
PASSWORD_LOCK_TIME profile parameter 3.2.4.7
PASSWORD_REUSE_MAX profile parameter 3.2.4.10
PASSWORD_REUSE_TIME profile parameter 3.2.4.10
PASSWORD_ROLLOVER_TIME parameter 3.2.5.3
PASSWORD command
- about 2.3.3.2
- changing SYS password with 2.3.4.1
password complexity functions
- aboutr 3.2.6.1
- administrative users, for 3.2.10.8
- customizing 3.2.6.7
- enabling 3.2.6.8
- how database checks password complexity 3.2.6.2
- ora12c_stig_verify_function 3.2.6.6
- ora12c_strong_verify_function 3.2.6.5
- ora12c_verify_function 3.2.6.4
- privileges required 3.2.6.3
password files
- how used to authenticate administrators 3.3.4
- migration of for administrative users 3.2.10.6
password limits
- administrative logins 3.3.4
password management
- inactive user accounts, locking automatically 3.2.4.6
passwords 3.2.1
- See also: authentication, and access control list (ACL), wallet access
- 10G password version, finding and resetting 3.2.7.3
- about managing 3.2.4.1
- account locking 3.2.4.7
- administrator
  - authenticating with 3.3.4
  - guidelines for securing A.4
- aging and expiration 3.2.4.11
- altering 2.3.3.1
- ALTER PROFILE statement 3.2.4.1
- application design guidelines 12.4.1.2
- applications, strategies for protecting passwords 12.4
- brute force attacks 3.2.1
- changing for roles 4.11.3.5
- changing SYS with ORAPWD utility 2.3.4.2
- complexity, guidelines for enforcing A.4
- complexity verification
  - about 3.2.6.1
- compromised, how to handle 3.2.5.9
- connecting without 3.7.1.2
- CREATE PROFILE statement 3.2.4.1
- danger in storing as clear text A.4
- database user authentication 3.4.1
- default, finding 3.2.4.2
- default profile settings
  - about 3.2.4.3
- default user account A.4
- delays for incorrect passwords 3.2.1
- duration A.4
- encrypting 3.2.1, A.4
- examples of creating 3.2.2
- expiring
  - explicitly 3.2.4.14
  - procedure for 3.2.4.11
  - proxy account passwords 3.10.1.6
  - with grace period 3.2.4.14
- failed logins, resetting 3.2.4.7
- finding users who use old passwords 3.2.5.12
- forcing oracle user to enter when logging in as SYSDBA 4.5.4
- grace period, example 3.2.4.14
- gradual database rollover 3.2.5.1
- guidelines for security A.4
- history 3.2.4.10, A.4
- Java code example to read passwords 12.4.4
- length A.4
- lifetime for 3.2.4.11
- life time set too low 3.2.4.15
- lock time 3.2.4.7
- management rules A.4
- managing 3.2.4
- maximum reuse time 3.2.4.10
- ORAPWD utility 3.2.7.4
- PASSWORD_LOCK_TIME profile parameter 3.2.4.7
- PASSWORD_REUSE_MAX profile parameter 3.2.4.10
- PASSWORD_REUSE_TIME profile parameter 3.2.4.10
- password complexity verification 3.2.6.1
  - how database checks 3.2.6.2
  - ora12c_stig_verify_function 3.2.6.6
  - ora12c_verify_function function 3.2.6.4
  - privileges required 3.2.6.3
- password file risks 3.3.5
- policies 3.2.4
- privileges for changing for roles 4.11.3.5
- privileges to alter 2.3.1
- protections, built-in 3.2.1
- proxy authentication 3.10.1.13
- requirements
  - additional A.4
  - minimum 3.2.2
- reusing 3.2.4.10, A.4
- reusing passwords 3.2.4.10
- role password case sensitivity 3.2.7.1
- roles authenticated by passwords 4.11.3.1
- roles enabled by SET ROLE statement 4.11.4.1
- secure external password store 3.2.9.1
- security risks 3.3.5
- SYS account 2.3.4.1
- SYS and SYSTEM A.4
- used in roles 4.11.1.3
- utlpwdmg.sql password script
  - password management 3.2.6.1
- verified using SHA-512 hash function 3.2.8.3
- versions, management of 3.2.7.2
password versions
- target databases that run earlier releases 3.2.8.4
- using 12C exclusively 3.2.8.3
PDB_DBA role 4.11.2
PDB_OS_CREDENTIAL initialization parameter 3.6.2, 4.13.3
PDB lockdown profiles
- about 4.13.1
- creating 4.13.7
- default 4.13.6
- disabling 4.13.8
- dropping 4.13.9
- enabling 4.13.8
- features that benefit from 4.13.4
- inheritance 4.13.5
PDBs
- application common users
  - about 2.2.1.1
- auditing
  - types of audit settings allowed 28.7
  - unified audit policy syntax 30.3
  - what can be audited 28.1
- CDB common users
  - about 2.2.1.1
- common roles
  - about 4.12.1
  - creating 4.12.7
  - granting 4.12.11
  - how they work 4.12.3
  - privileges required for management 4.12.5
  - revoking 4.12.11
  - rules for creating 4.12.6
- common users
  - accessing data in PDBs 4.10.6.2
  - creating 2.2.10.1
  - viewing privilege information 4.10.6.1
- Enterprise Manager
  - about 11.1
  - creating common roles 11.4.1
  - creating common users 11.3.1
  - creating local roles 11.4.5
  - creating local users 11.3.4
  - dropping common roles 11.4.3
  - dropping common users 11.3.3
  - dropping local roles 11.4.7
  - dropping local users 11.3.6
  - editing common roles 11.4.2
  - editing common users 11.3.2
  - editing local roles 11.4.6
  - editing local users 11.3.5
  - logging in 11.2.1
  - revoking common privilege grants 11.4.4
  - revoking local privilege grants 11.4.8
  - switching to different container 11.2.2
- fine-grained audit policies 31.1.5
- granting privileges and roles 4.2.1
- local roles
  - about 4.12.1
  - creating 4.12.10
  - rules for creating 4.12.8
- local users
  - about 2.2.1.3
  - creating 2.2.10.3
- lockdown profiles 4.13.2
- operating system user configuration 3.6.3
- operating system user for, setting 3.6.1
- privilege analysis 5.1.5
- privileges
  - common 4.10.2
  - granting 4.10.4
  - how affected 4.4
  - object 4.10.3
  - revoking 4.10.4
  - viewing information about 4.10.6.1
- PUBLIC role 4.12.4
- security isolation guideline A.10
- setting default credential 3.6.4
- sqlnet.ora settings 3.2.8.3
- transparent sensitive data protection 15.5
- viewing information about 4.10.6.1
- Virtual Private Database policies 14.1.6
performance
- application contexts 13.1.3
- auditing 28.3
- Oracle Virtual Private Database policies 14.1.2.2
- Oracle Virtual Private Database policy types 14.3.8.1
- resource limits and 2.4.1
permissions
- default A.7
- run-time facilities A.3
PGX_SERVER_GET_INFO role 4.11.2
PGX_SERVER_MANAGE role 4.11.2
PGX_SESSION_ADD_PUBLISHED_GRAPH role 4.11.2
PGX_SESSION_COMPILE_ALGORITHM role 4.11.2
PGX_SESSION_CREATE role 4.11.2
PGX_SESSION_GET_PUBLISHED_GRAPH role 4.11.2
PGX_SESSION_MODIFY_MODEL role 4.11.2
PGX_SESSION_NEW_GRAPH role 4.11.2
PGX_SESSION_READ_MODEL role 4.11.2
PKI
- See: public key infrastructure (PKI)
PL/SQL
- roles in procedures 4.11.1.8
PL/SQL packages
- auditing 30.4.4.2, 30.4.4.13
PL/SQL procedures
- setting application context 13.3.4.1
PL/SQL stored procedures
- network access for debugging operations 10.12
plaintext data
- defined 20.1.1
PMON background process
- application contexts, cleaning up 13.3.1
positional parameters
- security risks 12.4.1.4
predefined schema user accounts 2.6.1
principle of least privilege A.3
- about A.3
- granting user privileges A.3
- middle-tier privileges 3.10.1.9
privilege analysis
- about 5.1.1
- accessing reports in Cloud Control 5.2.7.5
- benefits 5.1.2
- CDBs 5.1.5
- creating 5.2.3
- creating role in Cloud Control 5.3.1
- data dictionary views 5.7
- DBMS_PRIVILEGE_CAPTURE PL/SQL package 5.2.1
- disabling 5.2.6
- dropping 5.2.8
- enabling 5.2.5
- examples of creating and enabling 5.2.4.1
- general steps for managing 5.2.2
- generating regrant scripts 5.3.3.3
- generating reports
  - about 5.2.7.1
  - in Cloud Control 5.2.7.4
  - using DBMS_PRIVILEGE_CAPTURE.GENERATE_REPORT 5.2.7.3
- generating revoke scripts 5.3.3.2
- logon users 5.1.4
- multiple named capture runs 5.2.7.2
- pre-compiled database objects 5.1.6
- privilege uses captured 5.1.4
- requirements for using 5.1.3
- restrictions 5.1.4
- revoking and re-granting in Cloud Control 5.3.2
- revoking and regranting using scripts 5.3.3.1
- tutorial 5.5
- tutorial for ANY privileges 5.4
- tutorial for schema privileges 5.6
- use cases 5.1.2
  - finding application pool privileges 5.1.2.1
  - finding overly privileged users 5.1.2.2
privileges 4.6
- See also: access control list (ACL) and system privileges, privilege captures
- about 4.1
- access control lists, checking for external network services 10.11.1
- altering
  - passwords 2.3.3.1
  - users 2.3.1
- altering role authentication method 4.11.3.5
- applications, managing 12.7
- auditing, recommended settings for A.13.5
- auditing use of 30.4.2.1
- cascading revokes 4.21.3
- column 4.20.2.4
- compiling procedures 4.18.4
- creating or replacing procedures 4.18.3
- creating users 2.2.3
- data links 4.14.6.2
  - privilege management 4.14.6.2
- diagnostics 4.9
- dropping profiles 2.4.4.7
- extended data links 4.14.6.3
  - privilege management 4.14.6.3
- granted locally 4.2.5
- granting
  - about 4.6.4, 4.20
  - examples 4.18.5.2, 4.18.5.3
  - object privileges 4.14.3.1, 4.20.2.1
  - system 4.20.1.1
  - system privileges 4.20
- granting common 4.2.6, 4.2.7, 4.2.10
- granting in a CDB 4.2.1, 4.2.2
- grants, listing 4.26.2
- grouping with roles 4.11
- local 4.2.4
- managing 12.12
- metadata links 4.14.6.1
- middle tier 3.10.1.9
- object 4.14.1, 4.14.3.2, 12.12.2
  - granting and revoking 4.14.3.1
- on selected columns 4.21.2.4
- procedures 4.18.1
  - creating and replacing 4.18.3
  - executing 4.18.1
  - in packages 4.18.5.1
- READ ANY TABLE system privilege
  - about 4.14.4.2
  - restrictions 4.14.4.3
- READ object privilege 4.14.4.1
- read-only configuration 4.25
- reasons to grant 4.3
- revoking privileges
  - about 4.6.4
  - object 4.21.2.1
  - object privileges, cascading effect 4.21.3.2
  - object privileges, requirements for 4.21.2.1
  - schema object 4.14.3.1
- revoking system privileges 4.21.1
- roles
  - creating 4.11.3.1
  - dropping 4.11.6
  - restrictions on 4.11.1.9
- roles, why better to grant 4.3
- schema grants, listing 4.26.3
- schema object 4.14.1
  - DML and DDL operations 4.16
  - packages 4.18.5.1
  - procedures 4.18.1
- SELECT system privilege 4.14.4.1
- SQL statements permitted 12.12.2
- synonyms and underlying objects 4.14.5
- system
  - granting and revoking 4.6.4
  - SELECT ANY DICTIONARY A.7
- SYSTEM and OBJECT A.3
- system privileges
  - about 4.6.1
- trigger privileges 9.2
- used for Oracle Virtual Private Database policy functions 14.1.4
- view privileges
  - creating a view 4.17.1
  - using a view 4.17.3
- views 4.17
procedures
- auditing 30.4.4.2, 30.4.4.13
- compiling 4.18.4
- definer’s rights
  - about 9.2
  - roles disabled 4.11.1.8.1
- examples of 4.18.5.3
- examples of privilege use 4.18.5.2
- granting roles to 4.11.5.3
- invoker’s rights
  - about 9.3
  - roles used 4.11.1.8.2
- privileges for procedures
  - create or replace 4.18.3
  - executing 4.18.1
  - executing in packages 4.18.5.1
- privileges required for 4.18.3
- security enhanced by 9.2
process monitor process (PMON)
- cleans up timed-out sessions 2.4.2.5
PRODUCT_USER_PROFILE table
- SQL commands, disabling with 4.11.7.2
profile limits
- modifying 3.2.4.4
profile parameters
- FAILED_LOGIN_ATTEMPTS 3.2.4.3
- INACTIVE_ACCOUNT_TIME 3.2.4.3, 3.2.4.6
- PASSWORD_GRACE_TIME 3.2.4.3, 3.2.4.14
- PASSWORD_LIFE_TIME 3.2.4.3, 3.2.4.12, 3.2.4.15
- PASSWORD_LOCK_TIME 3.2.4.3, 3.2.4.7
- PASSWORD_REUSE_MAX 3.2.4.3, 3.2.4.10
- PASSWORD_REUSE_TIME 3.2.4.3, 3.2.4.10
- PASSWORD_ROLLOVER_TIME 3.2.5.3
profiles 2.4.4.1
- about 2.4.4.1
- application 2.4.4.5
- assigning to user 2.4.4.6
- CDB 2.4.4.5
- common 2.4.4.5
- common mandatory for CDB root, about 2.4.5.1
- common mandatory for CDB root, creating 2.4.5.2
- common mandatory for CDB root, example 2.4.5.3
- creating 2.4.4.4
- dropping 2.4.4.7
- finding information about 2.7.1
- finding settings for default profile 2.7.4
- managing 2.4.4.1
- ORA_CIS_PROFILE user profile 2.4.4.2
- ORA_STIG_PROFILE user profile 2.4.4.3
- privileges for dropping 2.4.4.7
- specifying for user 2.2.9
- viewing 2.7.4
program units
- granting roles to 4.11.5.3
PROVISIONER role 4.11.2
PROXY_USERS view 3.10.1.6
proxy authentication
- about 3.10.1.1
- advantages 3.10.1.2
- auditing operations 3.9
- auditing users 30.6.1
- client-to-middle tier sequence 3.10.1.8
- creating proxy user accounts 3.10.1.3
- middle-tier
  - authorizing but not authenticating users 3.10.1.11
  - authorizing to proxy and authenticate users 3.10.1.10
  - limiting privileges 3.10.1.9
  - reauthenticating users 3.10.1.12
- passwords, expired 3.10.1.6
- privileges required for creating users 3.10.1.3
- secure external password store, used with 3.10.1.7
- security benefits 3.10.1.2
- users, passing real identity of 3.10.1.8
proxy user accounts
- privileges required for creation 3.10.1.3
pseudo columns
- USER 4.17.3
PUBLIC_DEFAULT profile
- profiles, dropping 2.4.4.7
public and private key pair, defined 22.4.3
public key infrastructure (PKI) 22.4.3
- about 3.7.1.4
PUBLIC role
- about 4.6.5
- granting and revoking privileges 4.22
- grants to in a CDB 4.2.9
- procedures and 4.22
- security domain of users 4.11.1.7
PUBLIC role, CDBs 4.12.4

Q

quotas
- tablespace 2.2.7.1
- temporary segments and 2.2.7.1
- unlimited 2.2.7.4
- viewing 2.7.3

R

RADIUS 22.4.2
- accounting 26.5.4
- asynchronous authentication mode 26.3.2
- authentication modes 26.3
- challenge-response
  - authentication 26.3.2
  - user interface 26.7.1, 26.7.2
- configuring 26.5.1
- database links not supported 26.1
- initialization parameter file setting 26.4.3
- minimum parameters to set 26.4.2
- older clients 26.5.1.3.4
- RADIUS_SECRET parameter 26.5.1.3.1
- smartcards and 22.4.2, 26.5.1.3.2, 26.7.1
- SQLNET.AUTHENTICATION_SERVICES parameter 26.5.1.1, 26.5.1.2.2
- sqlnet.ora file sample 20.3.2
- SQLNET.RADIUS_ALLOW_WEAK_CLIENTS 26.5.1.3.4
- SQLNET.RADIUS_ALLOW_WEAK_PROTOCOL 26.5.1.3.4
- SQLNET.RADIUS_ALTERNATE_PORT parameter 26.5.1.3.3
- SQLNET.RADIUS_ALTERNATE_RETRIES parameter 26.5.1.3.3
- SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter 26.5.1.3.3
- SQLNET.RADIUS_ALTERNATE_TLS_HOST parameter 26.5.1.3.3
- SQLNET.RADIUS_ALTERNATE_TLS_PORT parameter 26.5.1.3.3
- SQLNET.RADIUS_ALTERNATE parameter 26.5.1.3.3
- SQLNET.RADIUS_AUTHENTICATION_PORT parameter 26.5.1.3.1
- SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter 26.5.1.3.1
- SQLNET.RADIUS_AUTHENTICATION_TIMEOUT parameter 26.5.1.3.1
- SQLNET.RADIUS_AUTHENTICATION_TLS_HOST parameter 26.5.1.2.2
- SQLNET.RADIUS_AUTHENTICATION_TLS_PORT parameter 26.5.1.2.2
- SQLNET.RADIUS_SEND_ACCOUNTING parameter 26.5.4.1
- SQLNET.RADIUS_TRANSPORT_PROTOCOL parameter 26.5.1.2.2
- synchronous authentication mode 26.3.1
- system requirements 22.6
RADIUS_SECRET parameter 26.5.1.3.1
RADIUS authentication 3.7.1.5
RADIUS SQLNET.RADIUS_AUTHENTICATION parameter
- SQLNET.RADIUS_AUTHENTICATION parameter 26.5.1.2.2
READ ANY TABLE system privilege
- about 4.14.4.2
- restrictions 4.14.4.3
READ object privilege
- about 4.14.4.1
- guideline for using A.3
- SQL92_SECURITY initialization parameter 4.14.4.3
read-only user configuration 4.25
reads
- limits on data blocks 2.4.2.4
realm (Kerberos) 24.2.2
RECOVERY_CATALOG_OWNER_VPD role 4.11.2
RECOVERY_CATALOG_USER role 4.11.2
REDACT_AUDIT transparent sensitive data protection default policy 15.10.1
redo log files
- auditing committed and rolled back transactions A.13.2
REFERENCES privilege
- CASCADE CONSTRAINTS option 4.21.2.5
- revoking 4.21.2.4, 4.21.2.5
REMOTE_OS_AUTHENT initialization parameter
- guideline for securing A.11.1
REMOTE_OS_ROLES initialization parameter
- OS role management risk on network 4.23.6
- setting 4.11.4.5
REMOTE_SCHEDULER_AGENT user account 2.6.2
remote authentication A.11.1
remote debugging
- configuring network access 10.12
resource limits
- about 2.4.1
- call level, limiting 2.4.2.2
- connection time for each session 2.4.2.5
- CPU time, limiting 2.4.2.3
- determining values for 2.4.3
- idle time in each session 2.4.2.5
- logical reads, limiting 2.4.2.4
- private SGA space for each session 2.4.2.5
- profiles 2.4.4.1
- session level, limiting 2.4.2.1
- sessions
  - concurrent for user 2.4.2.5
  - elapsed connection time 2.4.2.5
  - idle time 2.4.2.5
  - SGA space 2.4.2.5
- types 2.4.2
RESOURCE privilege
- CREATE SCHEMA statement, needed for 12.11.1
RESOURCE role 4.19.1
- about 4.11.2
restrictions 22.7
REVOKE CONNECT THROUGH clause
- revoking proxy authorization 3.10.1.6
REVOKE statement
- system privileges and roles 4.21.1
- when takes effect 4.24.1
revoking privileges and roles
- cascading effects 4.21.3
- on selected columns 4.21.2.4
- REVOKE statement 4.21.1
- specifying ALL 4.14.3.2
- when using operating-system roles 4.23.4
ROLE_SYS_PRIVS view
- application privileges 12.8
ROLE_TAB_PRIVS view
- application privileges, finding 12.8
role identification
- operating system accounts 4.23.2
roles 12.9.2.1
- See also: secure application roles
- about 4.1, 4.11.1.1
- ADM_PARALLEL_EXECUTE_TASK role 4.11.2
- ADMIN OPTION and 4.20.1.4
- advantages in application use 12.8
- application 4.11.1.5, 4.11.7, 12.10, 12.12
- application privileges 12.8
- applications, for user 12.10
- AUDIT_ADMIN role 4.11.2
- AUDIT_VIEWER role 4.11.2
- AUTHENTICATEDUSER role 4.11.2
- authorization 4.11.4
- authorized by enterprise directory service 4.11.4.6
- AVTUNE_PKG_ROLE role 4.11.2
- BDSQL_ADMIN role 4.11.2
- BDSQL_USER role 4.11.2
- CAPTURE_ADMIN role 4.11.2
- CDB_DBA role 4.11.2
- changing authorization for 4.11.3.5
- changing passwords 4.11.3.5
- common 4.2.7
- common, auditing 30.4.1.1
- common, granting 4.12.11
- CONNECT role
  - about 4.11.2
- create your own A.6
- CTXAPP role 4.11.2
- database role, users 12.10.1
- DATAPUMP_EXP_FULL_DATABASE role 4.11.2
- DATAPUMP_IMP_FULL_DATABASE role 4.11.2
- DB_DEVELOPER_ROLE role 4.11.2
- DBA role 4.11.2
- DBFS_ROLE role 4.11.2
- DBJAVASCRIPT role 4.11.2
- DBMS_MDX_INTERNAL role 4.11.2
- DDL statements and 4.11.1.9
- default 4.24.3
- default, setting for user 2.2.11
- definer’s rights procedures disable 4.11.1.8.1
- dependency management in 4.11.1.9
- DGPDB_ROLE role 4.11.2
- disabling 4.24.2
- dropping 4.11.6
- DV_ACCTMGR role 4.11.2
- DV_ADMIN role 4.11.2
- DV_AUDIT_CLEANUP role 4.11.2
- DV_DATAPUMP_NETWORK_LINK role 4.11.2
- DV_GOLDENGATE_ADMIN role 4.11.2
- DV_GOLDENGATE_REDO_ACCESS role 4.11.2
- DV_MONITOR role 4.11.2
- DV_OWNER role 4.11.2
- DV_PATCH_ADMIN role 4.11.2
- DV_POLICY_OWNER role 4.11.2
- DV_SECANALYST role 4.11.2
- DV_STREAMS_ADMIN role 4.11.2
- DV_XSTREAMS_ADMIN role 4.11.2
- EJBCLIENT role 4.11.2
- enabled or disabled 4.11.1.2, 4.11.5.1
- enabling 4.24.2, 12.10
- enterprise 4.11.4.6
- EXP_FULL_DATABASE role 4.11.2
- external 4.11.3.4
- FSQL_FIREWALL_VIEWER role 4.11.2
- functionality 4.3, 4.11.1.2
- functionality of 4.11.1.2
- GATHER_SYSTEM_STATISTICS role 4.11.2
- GDS_CATALOG_SELECT role 4.11.2
- GLOBAL_AQ_USER_ROLE role 4.11.2
- global authorization 4.11.4.6
  - about 4.11.4.6
- global roles
  - creating 4.11.4.6
  - example 4.11.3.4
  - external sources, and 4.11.4.3
- granted locally 4.2.5
- granted to other roles 4.11.1.2
- granting and revoking to program units 9.7.6
- granting in a CDB 4.2.1, 4.2.2
- granting roles
  - about 4.20
  - methods for 4.11.5.1
  - system 4.20.1.1
  - system privileges 4.6.4
- granting to program units 4.11.5.3
- GRANT statement 4.23.5
- GRAPH_ADMINISTR ATOR role 4.11.2
- GRAPH_DEVELOPER role 4.11.2
- GRAPH_USER role 4.11.2
- GSM_POOLADMIN_ROLE role 4.11.2
- GSMADMIN_ROLE role 4.11.2
- GSMCATUSER_ROLE role 4.11.2
- GSMROOTUSER_ROLE role 4.11.2
- GSMUSER_ROLE role 4.11.2
- guidelines for security A.6
- HS_ADMIN_EXECUTE_ROLE role 4.11.2
- HS_ADMIN_ROLE role 4.11.2
- HS_ADMIN_SELECT_ROLE role 4.11.2
- IMP_FULL_DATABASE role 4.11.2
- in applications 4.11.1.3
- indirectly granted 4.11.1.2
- invoker’s rights procedures use 4.11.1.8.2
- JAVA_ADMIN role 4.11.2
- JAVADEBUGPRIV role 4.11.2
- JAVAIDPRIV role 4.11.2
- JAVASYSPRIV role 4.11.2
- JAVAUSERPRIV role 4.11.2
- JMXSERVER role 4.11.2
- job responsibility privileges only A.6
- LBAC_DBA role 4.11.2
- listing grants 4.26.4
- listing privileges and roles in 4.26.8
- listing roles 4.26.7
- local 4.2.3, 4.2.4, 4.12.9
- LOGSTDBY_ADMINISTRATOR role 4.11.2
- management using the operating system 4.23.1
- managing roles
  - about 4.11
  - categorizing users 12.12
- managing through operating system 4.11.1.10
- managing with RADIUS server 26.5.8
- maximum number a user can enable 4.24.4
- multibyte characters in names 4.11.3.1
- multibyte characters in passwords 4.11.4.1
- naming 4.11.1.1
- network authorization 4.11.4.5
- network client authorization 4.11.4.5
- OEM_ADVISOR role 4.11.2
- OEM_MONITOR role 4.11.2
- OGG_APPLY_PROCREP role 4.11.2
- OGG_APPLY role 4.11.2
- OGG_CAPTURE role 4.11.2
- OGG_SHARED_CAPTURE role 4.11.2
- One Big Application User, compromised by 12.2.1
- operating system 4.23.2
- operating system authorization 4.11.4.4
- operating-system authorization 4.11.4.3
- operating system granting of 4.23.5
- operating system identification of 4.23.2
- operating system-managed 4.23.3, 4.23.4
- operating system management and the shared server 4.23.6
- OPTIMIZER_PROCESSING_RATE role 4.11.2
- OSAK_ADMIN_ROLE role 4.11.2
- password case sensitivity 3.2.7.1
- PDB_DBA role 4.11.2
- PGX_SERVER_GET_INFO role 4.11.2
- PGX_SERVER_MANAGE role 4.11.2
- PGX_SESSION_ADD_PUBLISHED_GRAPH role 4.11.2
- PGX_SESSION_COMPILE_ALGORITHM role 4.11.2
- PGX_SESSION_CREATE role 4.11.2
- PGX_SESSION_GET_PUBLISHED_GRAPH role 4.11.2
- PGX_SESSION_MODIFY_MODEL role 4.11.2
- PGX_SESSION_NEW_GRAPH role 4.11.2
- PGX_SESSION_READ_MODEL role 4.11.2
- predefined 4.11.2
- privilege analysis 5.1.4
- privileges, changing authorization method for 4.11.3.5
- privileges, changing passwords 4.11.3.5
- privileges for creating 4.11.3.1
- privileges for dropping 4.11.6
- PROVISIONER role 4.11.2
- RECOVERY_CATALOG_OWNER_VPD role 4.11.2
- RECOVERY_CATALOG_USER role 4.11.2
- RESOURCE role 4.11.2
- restricting from tool users 4.11.7
- restrictions on privileges of 4.11.1.9
- REVOKE statement 4.23.5
- revoking 4.11.5.1, 4.21.1
- SAGA_ADM_ROLE role 4.11.2
- SAGA_CONNECT_ROLE role 4.11.2
- SAGA_PARTICIPANT_ROLE role 4.11.2
- SCHEDULER_ADMIN role 4.11.2
- schemas do not contain 4.11.1.1
- security domains of 4.11.1.7
- SET ROLE statement
  - about 4.11.4.1
  - example 4.11.4.1
  - OS_ROLES parameter 4.23.5
- setting in PL/SQL blocks 4.11.1.8.2
- SHARDED_SCHEMA_OWNER role 4.11.2
- SODA_APP role 4.11.2
- SQL_FIREWALL_ADMIN role 4.11.2
- unique names for 4.11.3.1
- use of passwords with 4.11.1.3
- user 4.11.1.6, 12.12
- users capable of granting 4.11.5.2
- uses of 4.11.1.2, 4.11.1.4
- WITH GRANT OPTION and 4.20.2.2
- without authorization 4.11.3.1
- WM_ADMIN_ROLE role 4.11.2
- XDB_SET_INVOKER roles 4.11.2
- XDB_WEBSERVICES_OVER_HTTP role 4.11.2
- XDB_WEBSERVICES_WITH_PUBLIC role 4.11.2
- XDB_WEBSERVICES role 4.11.2
- XDBADMIN role 4.11.2
- XS_CACHE_ADMIN role 4.11.2
- XS_NAMESPACE_ADMIN role 4.11.2
- XS_NSATTR_ADMIN role 4.11.2
- XS_RESOURCE role 4.11.2
- XSTREAM_APPLY role 4.11.2
- XSTREAM_CAPTURE role 4.11.2
root container
- viewing information about 4.10.6.1
root file paths
- for files and packages outside the database A.3
row level security
- schema system privileges 4.8.1
row-level security
- See: fine-grained access control, Oracle Virtual Private Database (VPD)
RSA private key A.11.3
run-time facilities A.3
- restriction permissions A.3

S

SAGA_ADM_ROLE role 4.11.2
SAGA_CONNECT_ROLE role 4.11.2
SAGA_PARTICIPANT_ROLE role 4.11.2
salt 3.2.8.1
Sarbanes-Oxley Act
- auditing to meet compliance 28.1
SCHEDULER_ADMIN role
- about 4.11.2
schema-independent users 12.11.2
schema object privileges 4.14.1
schema objects
- cascading effects on revoking 4.21.3.2
- default tablespace for 2.2.6.1
- dropped users, owned by 2.5.1
- granting privileges 4.20.2.1
- privileges
  - DML and DDL operations 4.16
  - granting and revoking 4.14.3.1
  - view privileges 4.17
- privileges on 4.14.1
- privileges to access 4.14.3.2
- privileges with 4.14.3.2
- revoking privileges 4.21.2.1
schema-only accounts 3.5
schema privileges
- about 4.7.1
- ADMINISTER FINE GRAINED AUDIT POLICY system privilege 4.8.1
- ADMINISTER REDACTION POLICY system privilege 4.8.1
- ADMINISTER ROW LEVEL SECURITY POLICY system privilege 4.8.1
- administrative privileges excluded from 4.7.2
- granting 4.7.3
- revoking 4.7.4
- system privileges excluded from 4.7.2
- system privileges for security policies, about 4.8.1
- system privileges for security policies, granting 4.8.2
- system privileges for security policies, revoking 4.8.3
- tutorial using privilege analysis 5.6
schemas
- auditing, recommended settings for A.13.5
- shared, protecting objects in 12.11.2
- unique 12.11
- unique, protecting objects in 12.11.1
schema user accounts, predefined 2.6.1
SCOTT user account
- restricting privileges of A.6
SEC_MAX_FAILED_LOGIN_ATTEMPTS initialization parameter 12.13.3
SEC_PROTOCOL_ERROR_FURTHER_ACTION initialization parameter 12.13.2
sec_relevant_cols_opt parameter 14.3.6.5
SEC_RETURN_SERVER_RELEASE_BANNER initialization parameter 12.13.4
SEC_USER_AUDIT_ACTION_BANNER initialization parameter 12.13.5
SEC_USER_UNAUTHORIZED_ACCESS_BANNER initialization parameter 12.13.5
secconf.sql script
- password settings 3.2.4.5
secret key
- location in RADIUS 26.5.1.3.1
secure application roles
- about 4.11.8
- creating 12.9.1
- creating PL/SQL package 12.9.2.1
- finding with DBA_ROLES view 4.26.1
- invoker’s rights 12.9.2.1
- invoker’s rights requirement 12.9.2.1
- package for 12.9.2.1
- user environment information from SYS_CONTEXT SQL function 12.9.2.1
- using to ensure database connection 4.11.8
secure external password store
- about 3.2.9.1
- client configuration 3.2.9.3
- examples 3.2.9.2
- how it works 3.2.9.2
- proxy authentication, used with 3.10.1.7
Secure Sockets Layer on Oracle RAC
- remote client, testing configuration 21.4.1.8
SecurID 26.3.1.2
- token cards 26.3.1.2
security A.3
- See also: security risks
- application enforcement of 4.11.1.3
- default user accounts
  - locked and expired automatically A.3
  - locking and expiring A.3
- domains, enabled roles and 4.11.5.1
- enforcement in application 12.2.2
- enforcement in database 12.2.2
- multibyte characters in role names 4.11.3.1
- multibyte characters in role passwords 4.11.4.1
- passwords 3.4.1
- policies
  - applications 12.1
  - SQL*Plus users, restricting 4.11.7
  - tables or views 14.1.2.1
- procedures enhance 9.2
- products, additional 1.2
- roles, advantages in application use 12.8
security alerts A.2.1
security attacks 3.10.1.7
- See also: security risks
- access to server after protocol errors, preventing 12.13.2
- application context values, attempts to change 13.3.3.2
- application design to prevent attacks 12.4
- command line recall attacks 12.4.1.1, 12.4.1.4
- denial of service A.11.2
- denial-of-service
  - bad packets, addressing 12.13.1
- denial-of-service attacks through listener A.11.2
- disk flooding, preventing 12.13.1
- eavesdropping A.11.1
- encryption, problems not solved by 18.2.2
- falsified IP addresses A.11.1
- falsified or stolen client system identities A.11.1
- hacked operating systems or applications A.11.1
- intruders 18.2.2
- password cracking 3.2.1
- password protections against 3.2.1
- preventing malicious attacks from clients 12.13
- preventing password theft with proxy authentication and secure external password store 3.10.1.7
- session ID, need for encryption 13.4.7.3.2
- shoulder surfing 12.4.1.4
- SQL injection attacks 12.4.1.2
- unlimited authenticated requests, preventing 12.13.3
- user session output, hiding from intruders 13.3.7
security domains
- enabled roles and 4.11.1.2
security isolation
- guidelines for A.10
security patches
- about A.2.1
- downloading A.2.1
security policies
- See: Oracle Virtual Private Database, policies
security risks 3.10.1.7
- See also: security attacks
- ad hoc tools 4.11.7.1
- applications enforcing rather than database 12.2.2
- application users not being database users 12.2.1
- bad packets to server 12.13.1
- database version displaying 12.13.4
- encryption keys, users managing 18.3.4.4
- invoker’s rights procedures 9.5.1
- password files 3.3.5
- passwords, exposing in programs or scripts 12.4.1.4
- passwords exposed in large deployments 3.2.9.1
- positional parameters in SQL scripts 12.4.1.4
- privileges carelessly granted 4.6.5
- remote user impersonating another user 4.11.4.5
- sensitive data in audit trail A.13
- server falsifying identities A.11.3
- users with multiple roles 12.10.1
security settings scripts
- password settings
  - secconf.sql 3.2.4.5
Security Technical Implementation Guide (STIG)
- ORA_ALL_TOPLEVEL_ACTIONS predefined unified audit policy 29.4.6.2
- ORA_LOGIN_LOGOUT predefined unified audit policy 29.4.6.3
- ORA_STIG_PROFILE user profile 2.4.4.3
- ORA_STIG_RECOMMENDATIONS predefined unified audit policy 29.4.6.1
- ora12c_stig_verify_function password complexity function 3.2.6.6
SELECT_CATALOG_ROLE role
- SYS schema objects, enabling access to 4.6.3.2
SELECT ANY DICTIONARY privilege
- data dictionary, accessing A.7
- exclusion from GRANT ALL PRIVILEGES privilege A.7
SELECT FOR UPDATE statement in Virtual Private Database policies 14.5.2
SELECT object privilege
- guideline for using A.3
- privileges enabled 4.14.4.1
sensitive data, auditing of A.13.4
separation of duty concepts
sequences
- auditing 30.4.4.2
server.key file
- pass phrase to read and parse A.11.3
SESSION_ROLES data dictionary view
- PUBLIC role 4.6.5
SESSION_ROLES view
- queried from PL/SQL block 4.11.1.8.1
sessions
- listing privilege domain of 4.26.6
- memory use, viewing 2.7.5
- time limits on 2.4.2.5
- when auditing options take effect 32.1.1
SET ROLE statement
- application code, including in 12.10.2
- associating privileges with role 12.10.1
- disabling roles with 4.24.2
- enabling roles with 4.24.2
- when using operating-system roles 4.23.5
SGA
- See: System Global Area (SGA)
SHA-512 cryptographic hash function
- enabling exclusive mode 3.2.8.3
SHARDED_SCHEMA_OWNER role 4.11.2
Shared Global Area (SGA)
- See: System Global Area (SGA)
shared server
- limiting private SQL areas 2.4.2.5
- operating system role management restrictions 4.23.6
shoulder surfing 12.4.1.4
SI_INFORMTN_SCHEMA user account 2.6.2
single sign-on (SSO)
- defined 22.2
smartcards 22.4.2
- and RADIUS 22.4.2, 26.5.1.3.2, 26.7.1
smart cards
- guidelines for security A.4
SODA_APP role 4.11.2
SQL_FIREWALL_ADMIN role 4.11.2
SQL_FIREWALL_VIEWER role 4.11.2
SQL*Loader
- object store credential creation 3.2.9.7
SQL*Net
- See: Oracle Net Services
SQL*Plus
- connecting with 3.7.1.2
- restricting ad hoc use 4.11.7.1
- statistics monitor 2.4.3
SQL92_SECURITY initialization parameter
- READ object privilege impact 4.14.4.3
SQL Developer
- debugging using Java Debug Wire Protocol 10.12
SQL Firewall
- appearance of events in audit trail 30.8.1.3
- auditing, about 30.8.1.1
SQL injection attacks 12.4.1.2
SQLNET.ALLOWED_LOGON_VERSION_CLIENT
- target databases from earlier releases 3.2.8.4
SQLNET.ALLOWED_LOGON_VERSION_SERVER
- target databases from earlier releases 3.2.8.4
- using only 12C password version 3.2.8.3
SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter
- effect on role passwords 3.2.7.1
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter 24.2.6.1
SQLNET.AUTHENTICATION_SERVICES parameter 24.2.6.1, 26.5.1.1, 26.5.1.2.2, 27.2, 27.3, A.11.3
SQLNET.CRYPTO_CHECKSUM_CLIENT parameter 20.6.3.2
SQLNET.CRYPTO_CHECKSUM_SERVER parameter 20.6.3.2
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter 20.6.3.2
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter 20.6.3.2
SQLNET.ENCRYPTION_CLIENT
- with ANO encryption and TLS authentication 20.6.3.3.1
SQLNET.ENCRYPTION_CLIENT parameter 20.6.3.1, 27.2
SQLNET.ENCRYPTION_SERVER
- with ANO encryption and TLS authentication 20.6.3.3.1
SQLNET.ENCRYPTION_SERVER parameter 20.6.3.1, 27.2
SQLNET.ENCRYPTION_TYPES_CLIENT parameter 20.6.3.1
SQLNET.ENCRYPTION_TYPES_SERVER parameter 20.6.3.1
SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS
- setting 20.6.3.3.2
- with ANO encryption and TLS authentication 20.6.3.3.1
SQLNET.KERBEROS5_CC_NAME parameter 24.2.6.3
SQLNET.KERBEROS5_CLOCKSKEW parameter 24.2.6.3
SQLNET.KERBEROS5_CONF parameter 24.2.6.3
SQLNET.KERBEROS5_REALMS parameter 24.2.6.3
sqlnet.ora file
- Common sample 20.3.2
- Kerberos sample 20.3.2
- Oracle Advanced Security checksum sample 20.3.2
- Oracle Advanced Security encryption sample 20.3.2
- parameters for clients and servers using Kerberos 24.1.5
- parameters for clients and servers using RADIUS 26.4.1
- PDBs 3.2.8.3
- RADIUS sample 20.3.2
- sample 20.3.2
- SQLNET.AUTHENTICATION_KERBEROS5_SERVICE parameter 24.2.6.1
- SQLNET.AUTHENTICATION_SERVICES parameter 24.2.6.1, 27.2, 27.3, A.11.3
- SQLNET.CRYPTO_CHECKSUM_CLIENT parameter 20.6.3.2
- SQLNET.CRYPTO_CHECKSUM_SERVER parameter 20.6.3.2
- SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter 20.6.3.2
- SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter 20.6.3.2
- SQLNET.ENCRYPTION_CLIEN parameter 27.2
- SQLNET.ENCRYPTION_SERVER parameter 20.6.3.1, 27.2
- SQLNET.ENCRYPTION_TYPES_CLIENT parameter 20.6.3.1
- SQLNET.ENCRYPTION_TYPES_SERVER parameter 20.6.3.1
- SQLNET.KERBEROS5_CC_NAME parameter 24.2.6.3
- SQLNET.KERBEROS5_CLOCKSKEW parameter 24.2.6.3
- SQLNET.KERBEROS5_CONF parameter 24.2.6.3
- SQLNET.KERBEROS5_REALMS parameter 24.2.6.3
- SSL sample 20.3.2
- Trace File Set Up sample 20.3.2
SQLNET.RADIUS_ALTERNATE_PORT parameter 26.5.1.3.3
SQLNET.RADIUS_ALTERNATE_RETRIES parameter 26.5.1.3.3
SQLNET.RADIUS_ALTERNATE_TIMEOUT parameter 26.5.1.3.3
SQLNET.RADIUS_ALTERNATE_TLS_HOST parameter 26.5.1.3.3
SQLNET.RADIUS_ALTERNATE_TLS_PORT parameter 26.5.1.3.3
SQLNET.RADIUS_ALTERNATE parameter 26.5.1.3.3
SQLNET.RADIUS_AUTHENTICATION_PORT parameter 26.5.1.3.1
SQLNET.RADIUS_AUTHENTICATION_RETRIES parameter 26.5.1.3.1
SQLNET.RADIUS_AUTHENTICATION_TIMEOUT parameter 26.5.1.3.1
SQLNET.RADIUS_AUTHENTICATION_TLS_HOST parameter 26.5.1.2.2
SQLNET.RADIUS_AUTHENTICATION_TLS_PORT parameter 26.5.1.2.2
SQLNET.RADIUS_SEND_ACCOUNTING parameter 26.5.4.1
SQLNET.RADIUS_TRANSPORT_PROTOCOL parameter 26.5.1.2.2
SQL statements
- dynamic 13.3.4.4
- object privileges permitting in applications 12.12.2
- privileges required for 4.14.1, 12.12.2
- resource limits and 2.4.2.2
- restricting ad hoc use 4.11.7.1
SQL statements, top-level in unified audit policies 30.4.6.1
SSL_VERSION
- See: SSL_VERSION
standard auditing
- affected by editions 30.4.4.16
- archiving audit trail 32.2.2
- privilege auditing
  - about 30.4.2.1
  - multitier environment 30.6.1
- records
  - archiving 32.2.2
- statement auditing
  - multitier environment 30.6.1
standard audit trail
- records, purging 32.2.1
statement_types parameter of DBMS_RLS.ADD_POLICY procedure 14.3.4
storage
- quotas and 2.2.7.1
- unlimited quotas 2.2.7.4
stored procedures
- using privileges granted to PUBLIC role 4.22
strong authentication
- centrally controlling SYSDBA and SYSOPER access to multiple databases 3.3.2.1
- disabling 27.2
- guideline A.4
symbolic links
- restricting A.7
synchronous authentication mode, RADIUS 26.3.1
synonyms
- object privileges 4.14.5
- privileges, guidelines on A.3
SYS_CONTEXT function
- about 13.3.4.1
- auditing nondatabase users with 30.10.2
- Boolean expressions used in privilege analysis 5.2.3
- database links 13.3.4.6
- dynamic SQL statements 13.3.4.4
- example 13.3.4.8
- parallel query 13.3.4.5
- syntax 13.3.4.2
- unified audit policies 30.5.1
- used in views 9.6.1
- validating users 12.9.2.1
SYS_DEFAULT Oracle Virtual Private Database policy group 14.3.7.3
SYS_SESSION_ROLES namespace 13.3.4.1
SYS.AUD$ table
- archiving 32.2.2
SYS.FGA_LOG$ table
- archiving 32.2.2
SYS.LINK$ system table 16.1
SYS.SCHEDULER$_CREDENTIAL system table 16.1
SYS$UMF user account 2.6.2
SYS account
- auditing 30.9.2.1
- changing password 2.3.4.1
- policy enforcement 14.5.7.2
- privilege analysis 5.1.4
SYS and SYSTEM
- passwords A.4
SYS and SYSTEM accounts
- auditing 30.9.2.1
SYSASM privilege
- password file 3.3.4
SYSBACKUP privilege
- operations supported 4.5.5
- password file 3.3.4
SYSBACKUP user account
- about 2.6.2
SYSDBA administrative privilege
- forcing oracle user to enter password 4.5.4
SYSDBA privilege 4.5.3
- directory authentication 3.3.2.2
- Kerberos authentication 3.3.2.3
- password file 3.3.4
- TLS authentication 25.3
SYSDG privilege
- operations supported 4.5.6
- password file 3.3.4
SYSDG user account
- about 2.6.2
SYSKM privilege
- operations supported 4.5.7
- password file 3.3.4
SYSKM user account
- about 2.6.2
SYSLOG
- audit trail records 32.1.4.1
- capturing audit trail records 32.1.4.2
SYSMAN user account A.4
SYS objects
- auditing 30.4.4.5
SYSOPER privilege 4.5.3
- directory authentication 3.3.2.2
- password file 3.3.4
SYSRAC privilege
- operations supported 4.5.8
SYS schema
- objects, access to 4.6.3.2
System Global Area (SGA)
- application contexts, storing in 13.1.3
- global application context information location 13.4.1
- limiting private SQL areas 2.4.2.5
system privileges A.3
- about 4.6.1
- ADMIN OPTION 4.6.2
- ANY
  - guidelines for security A.7
- CDBs 4.10.2
- GRANT ANY PRIVILEGE 4.6.2
- granting 4.20.1.1
- granting and revoking 4.6.4
- granting as a schema privilege 4.7.1
- power of 4.6.1
- preventing from being used on schemas 4.15.1
- restriction needs 4.6.3.1
- revoking, cascading effect of 4.21.3.1
- SELECT ANY DICTIONARY A.7
- with common privilege grants 4.10.2
system requirements
- Kerberos 22.6
- RADIUS 22.6
- strong authentication 22.6
- TLS 22.6
SYSTEM user account
- about 2.6.2
SYS user
- auditing example 30.4.2.5
SYS user account
- about 2.6.2

T

table encryption
- transparent sensitive data protection policy settings 15.15.2
tables
- auditing 30.4.4.2
- privileges on 4.16
tablespaces
- assigning defaults for users 2.2.6.1
- default quota 2.2.7.1
- quotas, viewing 2.7.3
- quotas for users 2.2.7.1
- temporary
  - assigning to users 2.2.8.1
- unlimited quotas 2.2.7.4
TCP connection
- Kerberos krb5.conf configuration 24.2.6.4
TCPS protocol
- tnsnames.ora file, used in A.11.3
- Transport Layer Security, used with A.11.2
TELNET service A.11.2
TFTP service A.11.2
token cards 22.4.2, A.4
trace file
- set up sample for sqlnet.ora file 20.3.2
trace files
- access to, importance of restricting A.7
- bad packets 12.13.1
- location of, finding 13.6
- Oracle DBaaS-to-IAM client side tracing 7.8.2
traditional auditing
- desupport 28.6
Transparent Data Encryption
- about 18.3.4.5
- enabling for FIPS 140-2 C.3.2
- FIPS-supported algorithms C.2.6
- SYSKM administrative privilege 4.5.7
Transparent Data Encryption (TDE) 16.1
- TSDP with TDE column encryption 15.15.1
transparent sensitive data protection (TSDP
- unified auditing
  - general steps 15.13.1
transparent sensitive data protection (TSDP)
- about 15.1
- altering policies 15.7
- benefits 15.1, 15.3
- bind variables
  - about 15.10.1
  - expressions of conditions 15.10.2.2
- creating policies 15.6
- disabling policies 15.8
- disabling REDACT_AUDIT policy 15.10.4
- dropping policies 15.9
- enabling REDACT_AUDIT policy 15.10.5
- finding information about 15.16
- fine-grained auditing
  - general steps 15.14.1
- general steps 15.2
- PDBs 15.5
- privileges required 15.4
- REDACT_AUDIT policy 15.10.1
- sensitive columns in INSERT or UPDATE operations 15.10.2.4
- sensitive columns in same SELECT query 15.10.2.3
- sensitive columns in views 15.10.3
- TDE column encryption
  - general steps 15.15.1
  - settings used 15.15.2
- unified auditing:settings used 15.13.2
- Virtual Private Database
  - DBMS_RLS.ADD_POLICY parameters 15.12.2
  - general steps 15.12.1
  - tutorial 15.12.3
transparent sensitive data protection (TSDP);
- fine-grained auditing
  - settings used 15.14.2
transparent tablespace encryption
- about 18.3.4.5
Transport Layer Security
- compared with native network encryption 20.1.3
- FIPS-supported cipher suites C.2.8
Transport Layer Security, X.509 Certificates
- about 25.4.1
- about configuring MCS on client 25.4.3.3.1
- configuring MCS on client 25.4.3.3.3
- configuring sqlnet.ora on client 25.4.3.1
- configuring sqlnet.ora on server 25.4.2.3
- configuring TNS_NAMES on client 25.4.3.3.2
- configuring tnsnames.ora on client 25.4.3.2
- creating and configuring server wallet 25.4.2.1
- external user 25.4.2.7
- Grid Infrastructure, listener.ora on server 25.4.2.5
- initialization parameters on server 25.4.2.6
- logical volumne management, listener.ora on server 25.4.2.4
- restarting and checking listener on server 25.4.2.8
- shutting down listener on server 25.4.2.2
- testing MCS confgiguration, SQL*Plus 25.4.3.3.5
- testing MCS confgiguration, tnsping 25.4.3.3.4
Transport Layer Security (SSL)
- sqlnet.ora file sample 20.3.2
Transport Layer Security(TLS)
- configuring for SYSDBA or SYSOPER access 25.3
Transport Layer Security (TLS) 22.4.3
- allowing certificates from earlier algorithms 21.3.7.3
- ANO encryption and 20.6.3.3.1
- certificate key algorithm A.11.3
- cipher suites A.11.3
- combining with other authentication methods 21.3.6
- configuration files, securing A.11.3
- configuration troubleshooting 21.5
- configuring ANO encryption with 20.6.3.3.2
- FIPS library location setting (SSLFIPS_LIB) C.3.3
- FIPS mode setting (SSLFIPS_140) C.3.3
- guidelines for security A.11.3
- listener, administering A.11.2
- MD5 certification B.4.12
- mode A.11.3
- Oracle Internet Directory 25.2, 25.5
- pass phrase A.11.3
- RSA private key A.11.3
- securing TLS connection A.11.3
- server.key file A.11.3
- SHA–1 certification B.4.12
- system requirements 22.6
- TCPS A.11.3
- wallet search order 21.3.3.4
Transport Layer Security (TLS) troubleshooting
- checking connection 25.6.1
- checking sqlnet.ora and listener.ora wallet settings 25.6.4
- checking SSL_VERSION parameter 25.6.2
- checking wallet file permissions 25.6.3
- SQL*Net and listener tracing 25.6.5
Transport Layer Security on Oracle RAC
- cluster node, testing configuration 21.4.1.7
- listener.ora 21.4.1.5
- local_listener startup parameter 21.4.1.2
- restarting instances 21.4.1.6
- restarting listeners 21.4.1.6
- sqlnet.ora 21.4.1.5
- TCPS protocol endpoints 21.4.1.1
- wallet and certificate creation 21.4.1.3.2
- wallet creation in nodes 21.4.1.4
triggers
- auditing 30.4.4.2, 30.4.4.13
- CREATE TRIGGER ON 12.12.2
- logon
  - examples 13.3.5
  - externally initialized application contexts 13.3.5
- privileges for executing 9.2
  - roles 4.11.1.8
- WHEN OTHERS exception 13.3.7
troubleshooting 24.7.3
- finding errors by checking trace files 13.6
- Kerberos common configuration problems 24.7.1
- ORA-01017 connection errors in CMU configuration 6.7.1
- ORA-01017 errors in Kerberos configuration 24.7.4
- ORA-12631 errors in Kerberos configuration 24.7.2
- ORA-12650 and ORA-12660 errors in native network encryption configuration 20.7.2
- ORA-28030 connection errors in CMU configuration 6.7.4
- ORA-28274 connection errors in CMU configuration 6.7.2
- ORA-28276 connection errors in CMU configuration 6.7.3
- trace files for in CMU connection errors 6.7.5
trusted procedure
- database session-based application contexts 13.1.2
tsnames.ora configuration file A.11.3
tutorials 13.3.9
- See also: examples
- application context, database session-based 13.3.9
- auditing
  - creating policy to audit nondatabase users 30.10
  - creating policy using email alert 31.4.1
- definer’s rights, database links 9.8.8.1
- external network services, using email alert 31.4.1
- global application context with client session ID 13.4.8.1
- invoker’s rights procedure using CBAC 9.7.7
- nondatabase users
  - creating Oracle Virtual Private Database policy group 14.4.3.1
  - global application context 13.4.8.1
- Oracle Virtual Private Database
  - policy groups 14.4.3.1
  - policy implementing 14.4.2.1
  - simple example 14.4.1.1
- privilege analysis 5.5
- privilege analysis for ANY privileges 5.4
- schema privilege use 5.6
- TSDP with VPD 15.12.3
types
- creating 4.19.5
- privileges on 4.19
- user defined
  - creation requirements 4.19.4

U

UDP and TCP ports
- close for ALL disabled services A.11.2
UDP connection
- Kerberos krb5.conf configuration 24.2.6.4
UGA
- See: User Global Area (UGA)
UNIFIED_AUDIT_COMMON_SYSTEMLOG initialization parameter
- using 32.1.4.2
UNIFIED_AUDIT_SYSTEMLOG initialization parameter
- about 32.1.4.1
- using 32.1.4.2
UNIFIED_AUDIT_TRAIL data dictionary view
- best practices for using A.13.6
unified auditing
- benefits 28.4
- purging records
  - example 32.3.6
  - general steps for on-demand purges 32.3.2.2
  - general steps for scheduledl purges 32.3.2.1
- traditional audit desupport 28.6
- transparent sensitive data protection policy settings 15.13.2
- tutorial 30.10
unified audit policies
- about custom 30.1
- best practices for creating 30.2
- dropping
  - about 30.9.4.1
  - procedure 30.9.4.2
- location of 30.3
- predefined
  - ORA_ACCOUNT_MGMT 29.4.4
  - ORA_ALL_TOPLEVEL_ACTIONS 29.4.6.2
  - ORA_CIS_RECOMMENDATIONS 29.4.5
  - ORA_DATABASE_PARAMETER 29.4.3
  - ORA_DV_DEFAULT_PROTECTION 29.4.10
  - ORA_DV_SCHEMA_CHANGES 29.4.9
  - ORA_LOGIN_LOGOUT 29.4.6.3
  - ORA_OLS_SCHEMA_CHANGES 29.4.11
  - ORA_SECURECONFIG 29.4.2
  - ORA_STIG_RECOMMENDATIONS 29.4.6.1
  - ORA$DICTIONARY_SENS_COL_ACCESS 29.4.7
- syntax for creating 30.3
- top-level statements 30.4.6.2
- users, applying to 30.9.2.1
- users, excluding 30.9.2.1
- users, success or failure 30.9.2.1
unified audit policies, administrative users
- configuring 30.4.3.2
- example 30.4.3.3
- users that can be audited 30.4.3.1
unified audit policies, altering
- about 30.9.1.1
- configuring 30.9.1.2
- examples 30.9.1.3
unified audit policies, application common polices 30.6.2.3
unified audit policies, application containers
- example 30.6.2.7
unified audit policies, CDBs
- about 30.6.2.1
- appearance in audit trail 30.6.2.8
- configuring 30.6.2.4
- examples 30.6.2.5, 30.6.2.6
unified audit policies, column level auditing 30.4.4.3
unified audit policies, conditions
- about 30.5.1
- configuring 30.5.2
- examples 30.5.4
unified audit policies, disabling
- about 30.9.2.1, 30.9.3.1
- configuring 30.9.3.2
unified audit policies, enabling
- about 30.9.2.1
- configuring 30.9.2.2
- for groups of users through roles 30.9.2.1
unified audit policies, object actions
- about 30.4.4.1
- actions that can be audited 30.4.4.2
- appearance in audit trail 30.4.4.12
- columns 30.4.4.9
- configuring 30.4.4.4
- dictionary tables
  - auditing 30.4.4.5
- examples 30.4.4.6
- GRANT operations 30.4.4.7
- SYS objects 30.4.4.5
unified audit policies, objects actions
- REVOKE operations 30.4.4.7
unified audit policies, Oracle Database Real Application Security
- about 30.8.3.1
- configuring 30.8.3.7
- events to audit 30.8.3.2
- examples 30.8.3.8
- how events appear in audit trail 30.8.3.10
- predefined
  - about 29.4.8
  - ORA_RAS_POLICY_MGMT 29.4.8.1
  - ORA_RAS_SESSION_MGMT 29.4.8.2
unified audit policies, Oracle Database Vault
- about 30.8.2.1
- appearance in audit trail 30.8.2.17
- attributes to audit 30.8.2.3
- configuring 30.8.2.12
- data dictionary views 30.8.2.2
- example of auditing factors 30.8.2.16
- example of auditing realm 30.8.2.13
- example of auditing rule set 30.8.2.14
- example of auditing two events 30.8.2.15
- how events appear in audit trail 30.8.2.17
unified audit policies, Oracle Data Miner
- about 30.8.9.1
unified audit policies, Oracle Data Pump
- about 30.8.6.1
- appearance in audit trail 30.8.6.6, 30.8.7.5
- configuring 30.8.6.3
- examples 30.8.6.4
- how events appear in audit trail 30.8.6.6
unified audit policies, Oracle Firewall
- example 30.8.1.2
unified audit policies, Oracle Label Security
- about 30.8.5.1
- appearance in audit trail 30.8.5.9
- configuring 30.8.5.4
- examples 30.8.5.5
- how events appear in audit trail 30.8.5.9
- LBACSYS.ORA_GET_AUDITED_LABEL function 30.8.5.9
unified audit policies, Oracle Machine Learning for SQL
- configuring 30.8.9.3
- how events appear in audit trail 30.8.9.6
unified audit policies, Oracle Recovery Manager
- about 30.8.4.1
- how events appear in audit trail 30.8.4.3
unified audit policies, Oracle SQL*Loader
- about 30.8.7.1
- configuring 30.8.7.3
- example 30.8.7.4
- how events appear in audit trail 30.8.7.5
unified audit policies, Oracle XML DB HTTP and FTP protocols
- about 30.8.8.1
- configuring 30.8.8.2
- example of policy for 401 AUTH HTTP errors 30.8.8.5
- example of policy for all FTP messages 30.8.8.4
- example of policy for failed HTTP messages 30.8.8.3
- how appears in audit trail 30.8.8.6
unified audit policies, privileges
- about 30.4.2.1
- appearance in audit trail 30.4.2.7
- configuring 30.4.2.4
- examples 30.4.2.5
- privileges that can be audited 30.4.2.2
- privileges that cannot be audited 30.4.2.3
unified audit policies, roles
- about 30.4.1.1
- configuring 30.4.1.2
- examples 30.4.1.3
unified audit policies, SQL Firewall
- how events appear in audit trail 30.8.1.3
unified audit policies, top-level statements 30.4.6.1
- appearance in audit trail 30.4.6.5
- how events appear in audit trail 30.4.6.5
unified audit policies, virtual columns 30.4.4.3
unified audit session ID, finding 30.5.7
unified audit trail
- about 28.4
- archiving 32.2.2
- disk space size 32.1.2
- improving performance of 32.1.7
- loading audit records to 32.1.6
- Oracle Data Pump 32.1.8
- partition management 32.1.7
- when records are created 32.1.1
- writing audit trail records to AUDSYS
  - about 32.1.3
  - immediate-write mode 32.1.3
  - minimum flush threshold for queues 32.1.1
  - queued-write mode 32.1.3
unified audit trail, object actions
- READ object actions 30.4.5.1
- SELECT object actions 30.4.5.2
unified audit trail, Oracle Machine Learning for SQL
- examples 30.8.9.4
unified audit trail, top-level statements 30.4.6.3, 30.4.6.4
unified audit trial
- Oracle Database Real Application Security ALL audit events 30.8.3.6
- Oracle Database Real Application Security security class and ACL audit events 30.8.3.4
- Oracle Database Real Application Security session audit events 30.8.3.5
- Oracle Database Real Application Security user, privilege, and role audit events 30.8.3.3
- Oracle Database Vault command rule events 30.8.2.6
- Oracle Database Vault Data Pump events 30.8.2.10
- Oracle Database Vault enable and disable events 30.8.2.11
- Oracle Database Vault factor events 30.8.2.7
- Oracle Database Vault OLS events 30.8.2.9
- Oracle Database Vault realm events 30.8.2.4
- Oracle Database Vault rule set and rule events 30.8.2.5
- Oracle Database Vault secure application role events 30.8.2.8
- Oracle Data Pump audit events 30.8.6.2
- Oracle Label Security audit events 30.8.5.2
- Oracle Label Security user session label events 30.8.5.3
- Oracle Machine Learning for SQL audit events 30.8.9.2
- Oracle Recovery Manager audit events 30.8.4.2
- Oracle SQL*Loader Direct Load Path audit events 30.8.7.2
unified audting
- TSDP policies and 15.13.1
UNLIMITED TABLESPACE privilege 2.2.7.4
UPDATE privilege
- revoking 4.21.2.4
user accounts
- administrative user passwords A.4
- application common user
  - about 2.2.1.1
- CDB common user
  - about 2.2.1.1
- common
  - creating 2.2.10.1
- default user account A.4
- local
  - creating 2.2.10.3
- local user
  - about 2.2.1.3
- password guidelines A.4
- passwords, encrypted A.4
- predefined
  - administrative 2.6.2
  - non-administrative 2.6.3
- predefined sample schemas 2.6.4
- predefined schema 2.6.1
- privileges required to create 2.2.2
- proxy users 3.10.1.3
user accounts, predefined
- ANONYMOUS 2.6.2
- ASMSNMP 2.6.2
- AUDSYS 2.6.2
- CTXSYS 2.6.2
- DBSFWUSER 2.6.2
- DBSNMP 2.6.2
- DGPDB_INT 2.6.2
- DIP 2.6.3
- GSMROOTUSER 2.6.2
- LBACSYS 2.6.2
- MDDATA 2.6.3
- MDSYS 2.6.2
- OJVMSYS 2.6.2
- OLAPSYS 2.6.2
- ORACLE_OCM 2.6.3
- ORDDATA 2.6.2
- ORDPLUGINS 2.6.2
- ORDSYS 2.6.2
- OUTLN 2.6.2
- REMOTE_SCHEDULER_AGENT 2.6.2
- SI_INFORMTN_SCHEMA 2.6.2
- SYS 2.6.2
- SYS$UMF 2.6.2
- SYSBACKUP 2.6.2
- SYSDG 2.6.2
- SYSKM 2.6.2
- SYSTEM 2.6.2
- WMSYS 2.6.2
- XDB 2.6.2
- XS$NULL 2.6.3
USERENV function
- used in views 9.6.1
USERENV namespace 3.10.2.4
- See also: CLIENT_IDENTIFIER USERENV attribute
- about 13.3.4.2
User Global Area (UGA)
- application contexts, storing in 13.1.3
user names
- schemas 12.11
user privileges
- CDBs 4.4
USER pseudo column 4.17.3
users
- administrative option (ADMIN OPTION) 4.20.1.4
- altering 2.3.1
- altering common users 2.3.2
- altering local users 2.3.2
- application users not known to database 3.10.2.1
- assigning unlimited quotas for 2.2.7.4
- auditing 30.9.2.1
- database role, current 12.10.1
- default roles, changing 2.2.11
- default tablespaces 2.2.6.1
- dropping 2.5.1, 2.5.3
- dropping profiles and 2.4.4.7
- dropping roles and 4.11.6
- enabling roles for 12.10
- enterprise 4.11.4.6
- enterprise, shared schema protection 12.11.2
- external authentication
  - assigning profiles 2.4.4.6
- finding information about 2.7.1
- finding information about authentication 3.11
- global
  - assigning profiles 2.4.4.6
- hosts, connecting to multiple
  - See external network services, fine-grained access to 10.1
- information about, viewing 2.7.2
- listing roles granted to 4.26.4
- memory use, viewing 2.7.5
- names
  - case sensitivity 2.2.4.3
  - how stored in database 2.2.4.3
- nondatabase 13.4.2, 13.4.6.7
- objects after dropping 2.5.1
- password encryption 3.2.1
- privileges
  - for changing passwords 2.3.1
  - for creating 2.2.3
  - granted to, listing 4.26.2
  - of current database role 12.10.1
- profiles
  - assigning 2.4.4.6
  - creating 2.4.4.4
  - specifying 2.2.9
- profiles, CDB or application 2.4.4.5
- proxy authentication 3.10.1.1
- proxy users, connecting as 3.10.1.1
- PUBLIC role 4.11.1.7, 4.22
- quota limits for tablespace 2.2.7.3
- read-only configuration 4.25
- restricting application roles 4.11.7
- restrictions on user names 2.2.4.1
- roles and 4.11.1.3
  - for types of users 4.11.1.6
- schema-independent 12.11.2
- security, about 2.1
- security domains of 4.11.1.7
- tablespace quotas 2.2.7.1
- tablespace quotas, viewing 2.7.3
- user accounts, creating 2.2.3
- user models and Oracle Virtual Private Database 14.5.10
- user name, specifying with CREATE USER statement 2.2.4.2
- views for finding information about 2.7
user sessions, multiple within single database connection 3.10.1.8
users supported 6.1.5
utlpwdmg.sql
- about 3.2.6.1

V

validating 6.3.2.3
valid node checking A.11.2
views
- about 4.17
- access control list data
  - external network services 10.13
  - wallet access 10.13
- application contexts 13.6
- audited activities 29.7
- audited activities from custom audit policies 30.11
- auditing 30.4.4.2
- audit management settings 32.4
- audit trail usage 29.7
- audit trail usage for fine grained auditing 31.5
- authentication 3.11
- bind variables in TSDP sensitive columns 15.10.3
- custom audit policy audit trail usage 30.11
- DBA_COL_PRIVS 4.26.5
- DBA_HOST_ACES 10.13
- DBA_HOST_ACLS 10.13
- DBA_ROLE_PRIVS 4.26.4
- DBA_ROLES 4.26.7
- DBA_SCHEMA_PRIVS 4.26.3
- DBA_SYS_PRIVS 4.26.2
- DBA_TAB_PRIVS 4.26.5
- DBA_USERS_WITH_DEFPWD 3.2.4.2
- DBA_WALLET_ACES 10.13
- DBA_WALLET_ACLS 10.13
- definer’s rights 9.6.1
- fine-grained audited activities 31.5
- invoker’s rights 9.6.1
- Oracle Virtual Private Database policies 14.6
- privileges 4.17
- privileges to query views in other schemas 4.17.2
- profiles 2.7.1
- ROLE_SYS_PRIVS 4.26.8
- ROLE_TAB_PRIVS 4.26.8
- security applications of 4.17.3
- SESSION_PRIVS 4.26.6
- SESSION_ROLES 4.26.6
- transparent sensitive data protection 15.16
- USER_HOST_ACES 10.13
- USER_WALLET_ACES 10.13
- users 2.7.1
Virtual Private Database
- See: Oracle Virtual Private Database
VPD
- See: Oracle Virtual Private Database
vulnerable run-time call A.3
- made more secure A.3

W

wallets 10.2
- See also: access control lists (ACL), wallet access
- about B.1.1
- adding certificate to 6.2.2.6
- authentication method 3.7.1.4
- certificates
  - adding to wallet 6.2.2.6
- deleting B.3.9
- general process of management B.1.5
- search paths B.1.6
- system wallet B.4.1
- tools to manage B.1.4
Web applications
- user connections 13.4.2, 13.4.6.7
Web-based applications
- Oracle Virtual Private Database, how it works with 14.5.10
WHEN OTHERS exceptions
- logon triggers, used in 13.3.7
Windows Event Viewer
- capturing audit trail records 32.1.4.2
Windows installations
- security guideline A.5
Windows native authentication 3.3.3
WITH GRANT OPTION clause
- about 4.20.2.2
- user and role grants 4.14.2
WM_ADMIN_ROLE role 4.11.2
WMSYS user account 2.6.2

X

X.509 certificates 25.4.1
- guidelines for security A.4
XDB_SET_INVOKER role 4.11.2
XDB_WEBSERVICES_OVER_HTTP role
- about 4.11.2
XDB_WEBSERVICES_WITH_PUBLIC role 4.11.2
XDB_WEBSERVICES role 4.11.2
XDBADMIN role 4.11.2
XDB user account 2.6.2
XS_CACHE_ADMIN role 4.11.2
XS_NAMESPACE_ADMIN role 4.11.2
XS_NSATTR_ADMIN role 4.11.2
XS_RESOURCE role 4.11.2
XS$NULL user account 2.6.3
XSTREAM_APPLY role 4.11.2
XSTREAM_CAPTURE role 4.11.2