Accounts and schemas together protect the security of Oracle Database

First, tying accounts to operating system roles improves account security.

An account is a name defined in the database system; it is the database's basic access control mechanism. As with other databases, a user connecting to an Oracle database must supply a user name and password, and the database grants access according to that user name. Oracle differs from other databases in one respect, however: it has a very special class of accounts, the privileged accounts, which carry unusually powerful permissions. To protect the database, a privileged account must not only hold the corresponding rights inside the database but also hold the corresponding privileges in the operating system. Database and operating system therefore work together to protect the security of the database.

Oracle has two main kinds of privileged user, SYSDBA and SYSOPER. They exist to carry out special operations such as starting up and shutting down the database, creating a database, and backup and recovery. These operations obviously have a direct effect on whether the database keeps running, and backup and recovery are directly tied to the safety of the data. To protect these privileged accounts, Oracle uses an additional mechanism: besides holding the corresponding permissions in the database, the account must also be a member of specific roles in the operating system. For example, when Oracle is deployed on a Microsoft operating system, the installation adds two operating system groups, SYSDBA and OSOPER, and a privileged account must belong to those groups before it can perform database maintenance operations. Similar privileges are required on Linux and other operating system platforms. This strategy adds an extra layer of protection to privileged accounts. If a database administrator wants to manage and maintain the database with the SYSDBA account only and does not need the SYSOPER account, there are two options: disable the account in the database, or remove the account from the group that Oracle created in the operating system.

Although both SYSOPER and SYSDBA are privileged accounts, their authority differs. A SYSDBA account holds all the permissions of a SYSOPER account and in addition may perform incomplete recovery of the database. SYSDBA also automatically holds every privilege of the DBA role, whereas SYSOPER does not. For the security of the database, the authority of these privileged accounts normally cannot be granted to other users. An initialization parameter can be changed to get around this limitation, but for the sake of database security we do not recommend doing so.

As can be seen, binding privileged accounts to operating system permissions so that both must be present is a breakthrough in how Oracle protects the security of the database, and it greatly improves the security of privileged accounts. Ordinary accounts carry no restriction of this kind.
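An added example, not from the original article, of how a DBA would check which accounts hold SYSDBA or SYSOPER and apply the two options the article describes for an unneeded SYSOPER account (the account name OPS_ADMIN is a constructed name for illustration; V$PWFILE_USERS and DBA_USERS are standard Oracle views):

```sql
-- Added example (not from the original article).
-- Assumes an account OPS_ADMIN exists; the name is constructed for illustration.

-- 1. Who is listed in the password file with SYSDBA or SYSOPER?
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 2. Which accounts are authenticated by the operating system?
--    These are the ones for which the OS group membership check applies.
SELECT username, authentication_type, account_status
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL';

-- 3. Option one from the article: keep only the privilege that is needed.
--    The database is managed with SYSDBA, so SYSOPER is revoked.
REVOKE SYSOPER FROM ops_admin;

-- 4. Or disable the account in the database entirely.
ALTER USER ops_admin ACCOUNT LOCK;

-- 5. Re-check that the password file no longer lists the privilege.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 WHERE username = 'OPS_ADMIN';
```

Removing the account from the operating system group (the article's second option) is done with the operating system's own group administration tools, not with SQL.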

Second, the one-to-one correspondence between accounts and schemas protects Oracle security.

Besides integrating accounts with operating system roles, Oracle has another laudable arrangement: linking accounts to schemas, which further improves account security.

In an Oracle database, a schema is the collection of database objects owned by a user. Objects in Oracle are organized by user, so users and schemas correspond one to one and share the same name. When an Oracle installation is complete, the database instance has two users by default, SYSTEM and SCOTT, and they correspond to two schemas, SYSTEM and SCOTT. Oracle uses this binding of account and schema to strengthen the security of database access.

A user can access the objects in its own schema directly, but access to objects in another user's schema requires the relevant permissions. User SCOTT, for instance, can access every database object in the SCOTT schema. If SCOTT wants to access a database object in the SYSTEM schema, however, the user SYSTEM must first grant the authorization; if SYSTEM has not granted SCOTT the access permission, SCOTT cannot access any object in the SYSTEM schema. Schemas therefore act like shields, splitting the database into several logically independent regions. The owner of a region can access any database object within it; any other user who wants to access the region must first be authorized by its owner. Each of these regions (schemas) is the user's private domain, which others may not enter without permission. In this way users can protect the security of their own data objects.

Using schemas requires attention to a few details. Within the same schema, two objects cannot share a name; in different schemas, different users can create objects of the same name. When a user accesses an object in another schema, the schema name must be added as a prefix, that is, the object name is qualified with the name of its owner. These are hard and fast rules that cannot be relaxed.
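An added example, not from the original article, showing the schema-as-shield behaviour and the naming rules above with the default SYSTEM and SCOTT accounts the article names. It assumes SCOTT owns a table EMP and SYSTEM owns a table AUDIT_LOG (AUDIT_LOG is a constructed name for illustration):

```sql
-- Added example (not from the original article).
-- Assumes SCOTT owns EMP and SYSTEM owns AUDIT_LOG (a constructed name).

-- As SCOTT: an object in the caller's own schema needs no prefix and no grant.
SELECT COUNT(*) FROM emp;

-- As SCOTT: an object in another schema must carry the owner prefix, and
-- without a grant the query is rejected (Oracle reports ORA-00942,
-- "table or view does not exist", rather than revealing that it exists).
SELECT COUNT(*) FROM system.audit_log;

-- As SYSTEM (the owner of the region): authorize SCOTT for one object only.
GRANT SELECT ON system.audit_log TO scott;

-- As SCOTT: the owner-qualified query now succeeds. The unqualified name
-- AUDIT_LOG still does not resolve, because lookup is scoped to SCOTT's schema.
SELECT COUNT(*) FROM system.audit_log;

-- Same-named objects are allowed in different schemas: this table in SCOTT's
-- schema does not collide with SYSTEM.AUDIT_LOG (requires quota, see below).
CREATE TABLE audit_log (id NUMBER, note VARCHAR2(100));

-- Defender check, run by a DBA: what has SCOTT been granted outside its
-- own schema?  Each row is a deliberate hole in the shield.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'SCOTT'
   AND owner <> 'SCOTT';

-- Close the hole again when the access is no longer required.
REVOKE SELECT ON system.audit_log FROM scott;
```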

Third, a new user has no database operation permissions at all.

Oracle accounts differ from SQL Server accounts in this respect. When an Oracle database creates a new account, by default that account has no permission to perform any database operation. SQL Server is different: a newly created account inherits certain permissions by default.

In an Oracle database, users are usually created with database authentication. The advantage of this approach is clear: the user account and its authentication are controlled by the database itself, without relying on any external mechanism. In addition, the database system provides a strict password management strategy to strengthen password security, including policies such as account lockout and password expiration.

When accounts are created, three measures in particular improve the security of new accounts.

First, a newly created database account has no rights at all and cannot perform any database operation; even the permission to connect to the database must be configured separately. This adds some maintenance work, but it improves the security of the initial account, and since accounts are not created frequently the cost is worth paying compared with the security of the database.

Second, a password must be set for a new database account; an empty password cannot be used. This is a good security measure, because an account with an empty password is a time bomb for database security. As far as the author knows, the SQL Server database has no similar restriction: a database administrator can create a new account without setting an initial password, which is a very dangerous way to operate.

Third, tablespace quotas limit the user's right to create database objects. If no tablespace quota is specified when the user is created, the user's quota in a given tablespace is 0; in other words, the user has no storage space in that tablespace and naturally cannot create data objects there. Even if the user is later granted sufficient privileges, it can at most query and use existing database objects, but cannot create database objects of its own. This is a measure that improves the security of new users: since users cannot casually create objects in a tablespace, it helps keep the database clean. Note also that if no tablespace is specified for the user when the account is created, the default tablespace is the SYSTEM tablespace. This looks like a very dangerous arrangement, but in fact it is not. As discussed above, a user must hold the corresponding authorization before it can access objects created by other users in their schemas, so although the new user's default tablespace is SYSTEM, that does not mean it can access the database objects in the SYSTEM tablespace; to access them, the user still needs authorization.
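An added example, not from the original article, that creates an account following the three measures above (mandatory password, no privileges, zero tablespace quota) together with the lockout and expiry policies the article mentions, then verifies the result. The user REPORT_RO, the tablespace USERS and the profile SECURE_PROF are constructed names for illustration:

```sql
-- Added example (not from the original article).
-- REPORT_RO, USERS and SECURE_PROF are constructed names for illustration.

-- A profile enforcing the lockout and password-expiry policies the article
-- mentions.  Limits are expressed in attempts and days.
CREATE PROFILE secure_prof LIMIT
  FAILED_LOGIN_ATTEMPTS 5      -- lock after five consecutive failures
  PASSWORD_LOCK_TIME    1      -- stay locked for one day
  PASSWORD_LIFE_TIME    90     -- password expires after 90 days
  PASSWORD_GRACE_TIME   7;     -- warning period before expiry is enforced

-- The IDENTIFIED clause is mandatory: an empty password is not possible.
-- No QUOTA clause is given, so the quota on USERS is 0 and the user can
-- create nothing there even though USERS is its default tablespace.
CREATE USER report_ro IDENTIFIED BY "Chang3Me-Now!"
  DEFAULT TABLESPACE users
  PROFILE secure_prof
  PASSWORD EXPIRE;             -- force a change at first login

-- At this point the account cannot even connect: the connect permission is
-- itself a privilege that must be granted explicitly.
GRANT CREATE SESSION TO report_ro;

-- Grant only what the job needs, object by object, through the owner's
-- authorization (the schema rule from the previous section).
GRANT SELECT ON scott.emp TO report_ro;

-- Verification a DBA runs after creating the account:
-- 1. No tablespace quota at all (expected: no rows).
SELECT tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'REPORT_RO';
-- 2. Only the system privileges deliberately granted (expected: CREATE SESSION).
SELECT privilege FROM dba_sys_privs WHERE grantee = 'REPORT_RO';
-- 3. No roles inherited by default (expected: no rows).
SELECT granted_role FROM dba_role_privs WHERE grantee = 'REPORT_RO';
```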

As can be seen, the one-to-one correspondence between accounts and schemas improves account security to a large degree, and integrating privileged accounts with operating system roles limits what privileged accounts can do. Together these measures strengthen the security of database accounts: accounts, schemas and operating system roles form a multi-pronged system that protects the security of the Oracle database.