User rights management reduces security risks by providing privileged users only the capabilities needed to run a select number of commands consistent with their needs rather than granting full super-user access to the system. This increases security by reducing the chances of administrative errors or accidental/malicious use of systems. User rights management, based on Oracle Solaris Role-Based Access Control (RBAC) capabilities, is centrally managed for reduced administration cost and increased flexibility for rapidly changing business requirements. Effective security reduces downtime, raises quality of service, and keeps costs low.
Default installations of the Oracle database can be made more secure by using the user rights management feature of Oracle Solaris 10. In a typical Oracle deployment, all Oracle DBAs log in as the UNIX user oracle. Hence, it is not possible to track the DBA-related activities of an individual user; only the combined activities of all DBAs are tracked by the operating system and the database server.
User rights management enables you to create an oracle role and assign it to users with DBA responsibilities. In this scenario, the users log in to the database server system with their regular UNIX logins and assume the oracle role when they need to perform any Oracle DBA-related tasks.
This approach ensures that multiple Oracle administrators do not share a single login. They log in as individual users and are accountable for their individual actions; yet they have the flexibility to perform all the functions of an Oracle administrator by assuming the oracle role.
Complete accountability for individual users can be enforced by enabling auditing of the oracle role, which in turn provides a detailed record of all Oracle DBA-related activities, attributed to each individual UNIX user. Included in the audit record are the login name of the user who assumed the role, the role name, and the action that the role performed.
Figure 1: Using the oracle role enhances security and accountability
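The accountability described above rests on one property of the Solaris audit trail: the audit-ID recorded in each record's subject token is fixed at login and is preserved when the user assumes a role, while the effective UID shows the role the action ran as. The following is an added example, not code from the white paper or from Oracle. It parses the default comma-separated text that praudit prints (one token per line, a record starting at each "header" token) and attributes each action taken as the oracle role back to the login that assumed it. The role name "oracle", the host name, the program paths and the sample records are all constructed for illustration; the token layout follows praudit's default text format as assumed here.

```python
"""Attribute Oracle DBA actions in a Solaris audit trail to individual logins.

Added example, not code from the white paper. It reads the default
comma-separated text printed by praudit(1M): each record begins with a
"header" token, and the "subject" token carries, in order, audit-ID,
effective UID, effective GID, real UID, real GID, PID, session ID and
terminal. The audit-ID is set at login and kept across role assumption,
which is what makes per-user accountability possible. The role name
"oracle" and the sample trail below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ROLE = "oracle"  # name of the DBA role (assumption, matches the text)

# Constructed sample trail in praudit default text layout (not real audit data).
SAMPLE_TRAIL = """\
header,120,2,execve(2),,dbhost,2010-03-08 13:02:11.120 -08:00
path,/u01/app/oracle/bin/sqlplus
subject,alice,oracle,dba,oracle,dba,4102,3001,0 0 dbhost
return,success,0
header,118,2,execve(2),,dbhost,2010-03-08 13:05:47.004 -08:00
path,/u01/app/oracle/bin/lsnrctl
subject,bob,oracle,dba,oracle,dba,4177,3002,0 0 dbhost
return,success,0
header,97,2,execve(2),,dbhost,2010-03-08 13:09:02.771 -08:00
path,/usr/bin/ls
subject,alice,alice,staff,alice,staff,4190,3001,0 0 dbhost
return,success,0
header,115,2,execve(2),,dbhost,2010-03-08 13:11:30.500 -08:00
path,/u01/app/oracle/bin/rman
subject,oracle,oracle,dba,oracle,dba,4201,3003,0 0 dbhost
return,failure: Permission denied,-1
"""


@dataclass
class AuditRecord:
    event: str
    timestamp: str
    audit_user: str = ""  # audit-ID: the login the session started as
    euid: str = ""        # identity the process ran as (the role name after assumption)
    path: str = ""
    status: str = ""


def parse_praudit(text: str) -> list[AuditRecord]:
    """Group praudit token lines into records, one record per header token."""
    records: list[AuditRecord] = []
    current: Optional[AuditRecord] = None
    for line in text.splitlines():
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,byte-count,version,event,modifier,host,timestamp
            current = AuditRecord(event=fields[3], timestamp=fields[6])
            records.append(current)
        elif current is None:
            continue  # tokens before the first header have no record to attach to
        elif token == "path":
            current.path = fields[1]
        elif token == "subject":
            current.audit_user, current.euid = fields[1], fields[2]
        elif token == "return":
            current.status = fields[1]
    return records


def actions_by_user(records: list[AuditRecord], role: str = ROLE) -> dict[str, list[str]]:
    """Map each individual login to the programs it ran while acting as `role`.

    Records whose audit-ID is the role itself are excluded: they were not
    produced through role assumption (see shared_account_use).
    """
    out: dict[str, list[str]] = {}
    for r in records:
        if r.euid == role and r.audit_user != role:
            out.setdefault(r.audit_user, []).append(r.path)
    return out


def shared_account_use(records: list[AuditRecord], role: str = ROLE) -> list[AuditRecord]:
    """Records whose session started directly as the role account.

    A Solaris role cannot log in directly, so once oracle is a role such
    records should no longer appear; any that do show the account is still
    being used as a shared login and the action cannot be tied to a person.
    """
    return [r for r in records if r.euid == role and r.audit_user == role]


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE_TRAIL)
    for user, paths in actions_by_user(recs).items():
        print(f"{user} (as {ROLE}): {', '.join(paths)}")
    for r in shared_account_use(recs):
        print(f"WARNING {r.timestamp}: {r.path} run from a session logged in as "
              f"{ROLE}; no individual is accountable")
```

Run against a real trail with `praudit /var/audit/<file> | python3 attribute.py` after changing the script to read standard input; the parsing is the same. Records where the effective UID is the user's own login (alice running ls) are ordinary activity and are left out of the role report.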
If additional security is required, the privileges of ordinary UNIX users can be adjusted so that they cannot view Oracle processes. Similarly, the privileges of the oracle role can be adjusted so that it can view only Oracle processes.
Details are available in the white paper document:
Deploying Oracle Database on the Oracle Solaris Platform – An Introduction