All About Security: User, Privilege, Role, SYSDBA, O/S Authentication, Audit, Encryption, OLS, Database Vault, Audit Vault

Doc ID: 207959.1

In this Document
Purpose
All About Security: User, Privilege, Role, SYSDBA, O/S Authentication, Audit, Encryption, OLS, Database Vault, Audit Vault
1) Alerts
2) System Privileges
3) Object Privileges
4) Users and Roles
5) User and Tablespace Quotas
6) Profiles and Resource Limits
7) Password Management
8) Connect Internal and Password Files
9) O/S Authentication
10) Auditing
11) Event Triggers
12) Fine Grained Access Control
13) Oracle Label Security
14) Database Vault
15) Audit Vault
16) Data Encryption
17) Security Server

Applies to:

Oracle Server - Enterprise Edition - Version: 8.1.7.0 to 11.1.0.7
Information in this document applies to any platform.

Purpose

This index consists of a list of

- Bulletins explaining the method used to perform specific tasks and related Documentation (Oracle Guides)
- Problem / Solutions
- Parameters & Events, Bugs
- Supplied Scripts

All About Security: User, Privilege, Role, SYSDBA, O/S Authentication, Audit, Encryption, OLS, Database Vault, Audit Vault

1) Alerts

These articles provide a solution to correct or avoid an issue, and highlight a specific condition, situation or event that
requires awareness by an Oracle customer or partner.

Note 50508.1 ALERT: "CONNECT INTERNAL" Syntax to be DeSupported
Note 76397.1 ALERT: Resource Limit CPU_PER_SESSION not working correctly in certain versions
Note 148384.1 ALERT: Oracle Server Patchset 8.1.7.1 and Oracle Label Security
Note 163726.1 ALERT: Oracle Label Security Mandatory Security Patch
Note 124742.1 ALERT: Vulnerability in the Oracle Listener Program
Note 153289.1 ALERT: Oracle Redirect Denial of Service Vulnerability
Note 163727.1 ALERT: Oracle File Overwrite Security Vulnerability
Note 175429.1 ALERT: Oracle PL/SQL extproc in Oracle 9i, Oracle 8i and Oracle8 Database
Note 185074.1 ALERT: User Privileges Vulnerability in Oracle9i Database Server
Note 210317.1 ALERT: ALTER SESSION privilege can dump trace files with possibly sensitive data
Note 281188.1 SECURITY ALERT #68 - Oracle Security Update
Note 282108.1 FAQ for Oracle Security Alert 68

2) System Privileges

These articles and documentation explain what system privileges are useful for, how they should be used and handled,
and how they are related to some init.ora parameters in various Oracle versions.

2.1 How to and Documentation
----------------------------
Note 131752.1 Security Check List: Steps to Make Your Database Secure From Attacks
Note 109891.1 A User connected AS SYSOPER can only Perform STARTUP and SHUTDOWN
Note 180019.1 Which System Privileges are required for a User to Perform Backup Operator Tasks
Note 153510.1 Use SELECT ANY DICTIONARY or SELECT_CATALOG_ROLE or O7_DICTIONARY_ACCESSIBILITY?
Note 204699.1 How to revoke ALTER SESSION Privilege
Note 247093.1 Be Cautious when Revoking Privileges Granted to PUBLIC
Note 266536.1 What are the SELECT ANY TRANSACTION / FLASHBACK ANY TABLE Privileges ?
Note 312066.1 Which Dictionary View Store The Privileges Of Object Directory
Note 365418.1 Prevent Truncate of a Table in Your Own Schema
Note 1025296.6 HOW TO CREATE A USER THROUGH A STORED PL/SQL PROCEDURE?

Oracle 8, 8i, 9i, 10g and 11g Security Guide - Chapter
- Privileges, Roles, and Security Policies

Oracle 8, 8i, 9i, 10g and 11g Administrator's Guide - Chapters
- The Oracle Database Administrator
- Managing Tables - External Tables
- Establishing Security Policies
- Managing User Privileges and Roles
- Using the Database Resource Manager
- Managing a Distributed Database

Oracle 8, 8i, 9i, 10g and 11g Performance Tuning Guide and Reference -
Chapter - Understanding Indexes and Clusters -
Using Function-based Indexes

Oracle 8, 8i, 9i, 10g and 11g Reference
Oracle 8, 8i, 9i, 10g and 11g SQL Reference

2.2 Problems / solutions
------------------------
Note 205297.1 ORA-1031 on TRUNCATE TABLE even if granted DELETE ANY TABLE
Note 232513.1 ORA-01031 During CREATE DATABASE Statement
Note 100714.1 ORA-01031 When Creating Unique Index Using a Function
Note 265130.1 ORA-01031: ALTER TABLE AnotherSchema.Table MODIFY column
Note 342489.1 ORA-01031 SELECT ANY DICTIONARY System Privilege Granted Through Role Does Not Allow View Creation
Note 1005208.6 Cannot Create or Replace a Stored Object in Another Schema
Note 1049536.6 ORA-28009 upon sqlplus connect sys/<password>
Note 1074762.6 Revoking "CREATE DATABASE LINK" Privilege from User
Note 112211.1 Privileges Required to Run SQL_TRACE
Note 222860.1 ORA-00942 When Commit DML Transaction on a Base Table Belonging to a MV
Note 240769.1 Grant CREATE SECURITY PROFILE Fails with IMP-00017, ORA-00990 during FULL Import
Note 259816.1 ORA-990 Trying To Revoke RULE, QUEUE Or EVALUATION System Privileges
Note 304139.1 You Have Insufficient Privileges To Run The Advisor
Note 309809.1 ORA-1031 : CREATE DATABASE LINK Fails after ALTER SESSION SET CURRENT_SCHEMA
Note 333089.1 Which Privileges Needed To Populate A Global Temporary Table ?

2.3 Parameters, Events and Errors
---------------------------------
Note 206795.1 What is O7_DICTIONARY_ACCESSIBILITY and how Should it be set?
Note 47316.1 PARAMETER: O7_DICTIONARY_ACCESSIBILITY
Note 68625.1 PARAMETER: QUERY_REWRITE_INTEGRITY
Note 68624.1 PARAMETER: QUERY_REWRITE_ENABLED

Note 50010.1 OERR: ORA-28009 connection to sys should be as sysdba or sysoper

2.4 Bugs
--------
Bug 1875604 ABLE TO SELECT FROM SYS.OBJ$, BUT DESCRIBE THROWS ORA-4043
Bug 3123973 ORA-1031 WHEN CREATE VIEW IN SESSION SET AS ANOTHER CURRENT_SCHEMA

2.5 Scripts
-----------
Note 18074.1 Script To Capture System Privilege Grants
Note 1020286.6 Script to Create View to Show All User Privs
Note 241997.1 Script to Create a Procedure to Show All User Privs and Roles

3) Object Privileges

3.1 How to and Documentation
----------------------------
Note 107843.1 Grant Object Privileges on Another Schema Object to Other Users as SYSTEM or SYS
Note 162489.1 Invokers rights procedure executed by definers rights procedures
Note 130425.1 How to Know if a Stored Procedure is Defined as AUTHID CURRENT_USER ?
Note 104355.1 How to GRANT privileges on another user's objects as DBA without GRANT option
Note 156303.1 How to exclude a user from PUBLIC scope
Note 174753.1 Grant Any Object Privilege On Any Object using the Same Connection
Note 197611.1 How to avoid a user from dropping his own objects
Note 333089.1 Which Privileges Needed To Populate A Global Temporary Table ?
Note 271288.1 Granting a SELECT privilege on a view not owned by you results in revoking the SELECT privilege.
Note 414423.1 Which Privilege to Grant To DESCRIBE Table Schema Definition?

Oracle 8, 8i, 9i, 10g and 11g SQL Reference Manual
Oracle 8, 8i, 9i, 10g and 11g Application Developer's Guide
Oracle 8, 8i, 9i, 10g and 11g Database Administrator's Guide
Oracle 8, 8i, 9i, 10g and 11g Concepts

3.2 Problems / solutions
------------------------
Note 168168.1 Getting ORA-942 or ORA-1031 and PLS-201 in PL/SQL, works in SQL*Plus
Note 170973.1 Unable to Revoke Rights from Object Owner
Note 121384.1 ORA-1927 While Revoking Object Privileges as the Object Owner
Note 1004923.6 ORA-01031, ORA-02063 on insert via database link
Note 1005146.6 ORA-942 Even Though User Has Been Granted Privileges on Object
Note 1039161.6 Cannot grant execute privilege on dbms_pipe
Note 1062335.6 ORA-942 when select from any v$view within stored PL/SQL procedure
Note 94092.1 ORA-1031 Trying to Create PK/FK on Another User's Table
Note 116540.1 Replacing an Existing View loses Granted Permissions on the View
Note 161011.1 Grant Execute on SYS.SYS_GROUP Fails with ORA-4042
Note 120687.1 ORA-990 when trying to Grant Privileges to User
Note 235325.1 ANALYZE 'SYS' Tables by Other Users is not Permitted in Oracle 9i
Note 100076.1 ORA-942 or ORA-1031 Creating Views Based on Data Dictionary Objects
Note 159051.1 Describe of Remote Table over Public Database Link and Private Synonym Fails with ORA-4043
Note 159674.1 Unable to select/update v$session in a Trigger
Note 208234.1 ORA-1031 While Executing DBMS_SESSION Through Procedure
Note 215331.1 How to Know if an User Has Grants to Execute a Function or a Procedure
Note 228831.1 ORA-01720 When Granting Object Privileges on Own Table Using Object Types
Note 159968.1 DBMS_SYSTEM.SET_SQL_TRACE_IN_SESSION Results in ORA-06550 and PLS-00201
Note 160870.1 Intermedia Text Index not Being Rebuilt using Dbms_job (and Drjobdml.sql)
Note 238567.1 ORA-006564 When Creating View On External Table
Note 390225.1 Execute Privileges Are Reset For Public After Applying Patchset
Note 271587.1 ORA-1031 CANNOT CREATE A VIEW ON A TABLE GRANTED VIA A ROLE

3.3 Parameters, Events and Errors
---------------------------------

3.4 Bugs
--------
Bug 155762 GRANTS ASSIGNED TO ROLES ARE NOT BEING UTILIZED BY STORED PROCEDURES.
Bug 668998 RECEIVE INCORRECT ERROR WHEN CREATING A VIEW WHEN GRANT SELECT BY A ROLE
Bug 179841 REMOTE INSERT REQUIRES INSERT AND SELECT PRIVILEGES
Bug 371507 GRANT ALL ON TABLE ALLOWS OTHER USER TO DROP PK, BUT NOT TO CREATE A NEW ONE
Bug 522453 NEEDS OBJECT PRIVILEGE TO ADD PRIMARY KEY TO ANOTHER USERS TABLE
Bug 371124 DROP PRIMARY KEY DOES NOT REQUIRE DROP ANY INDEX PRIVILEGE, BUT CREATE DOES
Bug 372734 MUST HAVE CREATE ANY INDEX PRIVILEGE TO ALTER TABLE ADD CONSTRAINT TO TABLE
Bug 702389 PRIVS GRANTED ON COLS THROUGH A VIEW DOES NOT STAY WITH THOSE COLS WHEN VIEW CHANGES
Bug 1364403 ORA-942 WITH THE COMBINATION OF AUTHID AND EXECUTE IMMEDIATE
Bug 1190886 ORA-4042 CAN'T GRANT EXECUTE ON SYS.SYS_GROUP TO OTHER USER BY SYS
Bug 2948123 CREATE VIEW ON EXTERNAL TABLE ORA-6564

3.5 Scripts
-----------
Note 1020176.6 SCRIPT: Script to Generate object privilege GRANTS
Note 1050267.6 SCRIPT: Script to show table privileges for users and roles
Note 138232.1 SCRIPT: How to grant select on dictionary tables only

4) Users and Roles

4.1 How to and Documentation
----------------------------
Note 13615.1 Roles and Privileges Administration and Restrictions
Note 11740.1 Role Restrictions
Note 317258.1 Predefined Roles Evolution from 8i to 10g R2: CONNECT role Change in 10gR2
Note 234551.1 PUBLIC : Is it a User, a Role, a User Group, a Privilege ?
Note 39333.1 Identifying PC Clients in V$SESSION
Note 174138.1 How to Transfer all Roles and Grants to Another Database
Note 77666.1 WIN: Granting Database Roles
Note 1011899.6 Roles and Creating Stored Objects / Views
Note 1022776.6 How to Make Trace Files Created by Oracle Readable by All Users ?
Note 1068753.6 How To Isolate a Table To Run Update Without Losing Granted Roles
Note 1071358.6 What is the OUTLN User?
Note 235690.1 How To Create A User With '.' (dot) In Name
Note 1079975.6 Enabling, Disabling, and Granting Default Roles
Note 112523.1 How to see which Roles are Active within a Session
Note 106698.1 WINNT: Assigning External Operating System Roles to NT Global Groups
Note 114673.1 RESOURCE Role in DBA_SYS_PRIVS does not Include UNLIMITED TABLESPACE Privilege
Note 69483.1 Changing Role within Stored Procedures using dbms_session.set_role
Note 160861.1 Oracle Created Database Users: Password, Usage and Files References
Note 180028.1 Set up a Secure Access to Application Data within a Database: DBAs, Schemas and Users
Note 203318.1 How to create a user and grant privileges in a single GRANT statement
Note 207560.1 Can the 9i Sample Schemas Be Safely Removed?
Note 124121.1 How to Disable a SQL*Plus Connection for a User
Note 159757.1 How to Verify the Enabled Roles for a Session Within a Trigger or PL/SQL Routine
Note 1060417.6 ORACLE_8 ROLES, SELECT_CATALOG ROLE, EXECUTE_CATALOG_ROLE, DELETE_CATALOG_ROLE
Note 260111.1 How to Interpret the ACCOUNT_STATUS Column in DBA_USERS

Oracle 8, 8i, 9i, 10g and 11g Database Administrator's Guide
Oracle 8, 8i, 9i, 10g and 11g SQL Reference Manual
Oracle 8, 8i, 9i, 10g and 11g Database Concepts
Oracle8i Migration Release 3 (8.1.7) (7-4)
Oracle9i Sample Schemas, Release 1 (9.0.1) or Release 2 (9.2)

4.2 Problems / solutions
------------------------
Note 151788.1 A Security Problem Exists with Password Protected Roles
Note 1005485.6 ORA-1950 When Creating an Object and Resource Role is Granted to the User
Note 1066067.6 Roles could not be executed even after they were recreated
Note 1075927.6 View ROLE_TAB_PRIVS returns zero rows
Note 1084014.6 Revoking DBA or RESOURCE Privilege Revokes UNLIMITED TABLESPACE from the User
Note 97583.1 JServerPermission Memory.GC Java exception when calling enableNewspace()
Note 101078.1 VMS: Using DBLINKS When OPS$ Accounts and Password Files Accounts are Set Up
Note 106140.1 AFTER LOGON Triggers Don't Allow DBMS_SESSION.SET_ROLE to Keep Roles Enabled
Note 111288.1 Create a New User, no Grants but the User can Connect
Note 117872.1 Why ORA-01925 Occurs and How to Resolve It
Note 121633.1 ORA-24347 with Select * from dba_role_privs OR Select * from user_role_privs
Note 150418.1 ORA-28201 Not Enough Privileges to Enable Application Role
Note 119752.1 ORA-942 V$Session V$Parameter C Starting SQL*Plus From Windows NT Client
Note 169289.1 ORA-01031: insufficient privileges when altering user to identify externally
Note 167421.1 ORA-18008 Creating Procedure, Trigger, Package or Function
Note 197931.1 External role details not in ROLE_SYS_PRIVS
Note 370013.1 Ora-1013 When Creating User, Granting Connect, Resource From A Procedure

The following notes list the articles whose topic is the kind of errors you may encounter because privileges granted through a role are not in effect in stored procedures.

PLS-00201

Note 1018687.6 PLS-341 - WHEN RUNNING PLSQL PROCEDURE IN SQLPLUS
Note 168168.1 Getting ORA-942 or ORA-1031 and PLS-201 in PL/SQL, works in SQL*Plus
Note 210377.1 Executing a Stored Procedure Fails with PLS-00201
Note 113186.1 PLS-201 GRANTING PRIVILEGES THRU A ROLE
Note 1062535.6 Possible Reasons for Generating a PLS-201 Error
Note 200415.1 PLS-00201: Identifier '%s' Must be Declared When Compiling a Procedure
Note 27287.1 OERR: PLS-201 identifier '%s' must be declared

ORA-01031
Note 1048327.6 ORA-1031 WHILE EXECUTING A STORED PROCEDURE
Note 1011393.6 ORA-01031 IN STORED PROCEDURE WHEN USING DBMS_SQL TO CREATE A VIEW
Note 11740.1 Role Restrictions
Note 13615.1 Roles and Privileges Administration and Restrictions
Note 1079983.6 ORA-01031 DDL on Materialized View With Enable Query Rewrite Option
Note 1011211.6 ORA-01031 WHEN EXECUTING 'GRANT CREATE SESSION' STATEMENT
Note 18622.1 OERR: ORA 1031 "insufficient privileges"
Note 1083534.6 ORA-01031 When Connecting to Target via Rman

PLS-00904

Note 1014765.6 PLS-00904 WHEN COMPILING PL/SQL STORED PROCEDURE, FUNCTION, OR DATABASE TRIGGER
Note 27442.1 OERR: PLS-904 insufficient privilege to access object %s

ORA-00942

Note 1062335.6 ORA-942 when select from any v$view within stored PL/SQL procedure
Note 100076.1 ORA-942 or ORA-1031 Creating Views Based on Data Dictionary Objects
Note 1011899.6 Roles and Creating Stored Objects / Views

4.3 Parameters, Events and Errors
---------------------------------
Note 30797.1 PARAMETER: INIT.ORA: REMOTE_OS_AUTHENT
Note 30785.1 PARAMETER: INIT.ORA: OS_AUTHENT_PREFIX
Note 30796.1 PARAMETER: INIT.ORA: REMOTE_LOGIN_PASSWORDFILE

4.4 Bugs
--------
Bug 145295 NEED TO CHANGE OS ROLE SUFFIX CHARACTER
Bug 168358 ENHANCEMENT: ALLOW CREATE VIEW (DDL STATEMENTS) WITH PRIVILEGES THRU A ROLE
Bug 172360 GRANTING RESOURCE ROLE TO ANOTHER ROLE PREVENTS USER FROM CREATING TABLES
Bug 176997 ENH: ABILITY TO GRANT QUOTA ON TABLESPACES TO A ROLE
Bug 186769 SELECTING FROM SESSION_ROLES WITHIN A STORED PROCEDURE DOESN'T GIVE ANYTHING
Bug 222316 GRANTED ROLE DOESNT SHOW UP AS DEFAULT ROLE
Bug 943648 ORA-3113 EXECUTING COMPLEX SQL STATEMENT
Bug 178587 USER CAN CREATE MORE ROLES THAN MAX_ENABLED_ROLES FROM WITH IN ONE SESSION
Bug 641775 ENHANCEMENT REQUEST TO INCREASE THE MAX_ENABLED_ROLES FROM 148 TO 200 OR MORE
Bug 1384922 WHEN USING SQLPLUS SELECT * FROM USER_ROLE_PRIVS GIVES ORA-2434
Bug 1149002 ORA-24347 AND " NO ROWS SELECTED " IN SELECT JOIN AGGREGATE GROUP BY PARALLEL
Bug 1618315 DOCUMENTATION SHOULD STATE THAT OUTLN USER SHOULD NOT BE DROPPED

4.5 Scripts
-----------
Note 18079.1 Script to Capture Role Grants
Note 18080.1 Script to Create Roles
Note 1019486.6 Script: Report Roles Granted to Users
Note 1019508.6 Script to Show System and Object Privs for a User
Note 1020086.6 SCRIPT: To Report Privileges Granted To a User
Note 107182.1 SCRIPT: Generate ROLE Creation Script for 8.X.X
Note 241997.1 SCRIPT: Create procedure to Show All User Privs and roles
Note 98572.1 Script to create user OUTLN in 8i
Note 240478.1 Script to create user OUTLN in 9i

5) User and Tablespace Quotas


5.1 How to and Documentation
----------------------------
Note 180028.1 Set up a Secure Access to Application Data within a Database: DBAs, Schemas and Users
Note 1012307.6 Moving Tables Between Tablespaces Using EXPORT/IMPORT
Note 158162.1 How To Move All Tables From One User To Another Tablespace
Note 1037317.6 Moving the Replication Queue Tables (DEF$) Out of the System Tablespace

Oracle9i Database Concepts Release 2
Chapter - Controlling Database Access -
User Tablespace Settings and Quotas

Oracle9i Database Administrator's Guide
Chapter - Managing Tablespaces -
Assign Tablespace Quotas to Users

Oracle9i SQL Reference - ALTER USER

5.2 Problems / solutions
------------------------
Note 1012569.6 ORA-1536 On DML Or Running Tools, Applications
Note 1026320.6 ORA-1536: When Inserting Into a Table
Note 1039291.6 ORA-02187 Trying to Grant Quota Over 2Gig
Note 1054952.6 ORA-01652: Trying to Set Quotas for Users on Temp Tablespace
Note 95554.1 ORA-01950 Even After Assigning 'Unlimited Quota' On Tablespace To User
Note 98056.1 ORA-1950 when trying to Move an Index to Another Tablespace
Note 108871.1 ORA-02187 when Granting a User Quota on a Tablespace

Note 1005485.6 ORA-1950 When Creating an Object and Resource Role is Granted to the User
Note 91969.1 IMPORT FROMUSER/TOUSER Fails to Generate Tables With LOBs into TOUSER Tablespace
Note 91799.1 EXP: IMP-3, ORA-1950, IMP-17: During Import of Recreated Tablespace

Note 205722.1 Create New Ultra Search Instance Fails WKG-5000 ORA-1950
Note 137037.1 RECEIVING WWV-08301/ORA-1950 WHEN CREATING TABLE IN WEBDB
Note 1062153.6 GL PROGRAM OPTIMIZER FAILED: APP-6077, APP-6083, ORA-1950 NO PRIVILEGES ON TABLESPACE RGX
Note 1058205.6 ORA-01950 AND ORA-06512 TRYING TO OPEN PERIOD

5.3 Parameters, Events and Errors
---------------------------------
Note 18936.1 OERR: ORA 1536 space quota exceeded for tablespace "<name>"
Note 19238.1 OERR: ORA 1950 no privileges on tablespace "<name>"
Note 19425.1 OERR: ORA 2187 invalid quota specification

5.4 Bugs
--------
Bug 1270191 ORA-1950 ON ALLOCATE EXTENT - POSSIBLE DICTIONARY CORRUPTION

5.5 Scripts
-----------
Note 1019712.6 SCRIPT: Show Tablespace Quota Used by User

6) Profiles and Resource Limits


6.1 How to and Documentation
----------------------------
Note 1016552.102 How to use PROFILES to limit user resources
Note 157702.1 How to get the Values Assigned by Default to a Profile ?
Note 160528.1 Profile Limits (Resource Parameter(s)) Are Not Enforced / Do Not Work
Note 95582.1 Tracing Oracle Applications Intermittent crashing or hanging forms sessions.
Note 197694.1 How To Avoid Forms To Open A New Session When It Reached The Session Limit?
Note 209702.1 How To Limit The Access To The Database So That Only One User Per Schema Are Connected (One Concurrent User Per Schema)

Oracle9i Database Administrator's Guide
Chapter - Managing Users and Resources -
Managing Resources with Profiles
Viewing Information About Database Users and Profiles

Oracle9i Database Concepts Release 2
Chapter - Controlling Database Access -
User Resource Limits and Profiles

6.2 Problems / solutions
------------------------
Note 119295.1 What Happens to a Transaction When CONNECT_TIME is Exceeded?
Note 1005119.6 Any of the user profile limits are being ignored by Oracle7 Server
Note 1061189.6 Profile on user IDLE_TIME set to 15 minutes
Note 1070071.6 Profile limits are not being recognized
Note 215417.1 More Time Than Specified Is Needed Before A User Becomes Disconnected
Note 120135.1 Connections to database being killed unexpectedly
Note 156116.1 User Can Open More Sessions than Limited
Note 1070501.6 Parallel Query processes die intermittently
Note 1020176.102 ORA-02392 when using CPU_PER_SESSION limit in profile
Note 1042778.6 ORA-02394 USING REPLICATION IN ORACLE8
Note 265095.1 Resource Limits for Passwords Work Even with RESOURCE_LIMIT = false
Note 241621.1 ORA-02376 When ALTER PROFILE to Set the PASSWORD_VERIFY_FUNCTION

6.3 Parameters, Events and Errors
---------------------------------
Note 30800.1 Init.ora Parameter "RESOURCE_LIMIT" Reference Note
Note 19563.1 OERR: ORA 2390 exceeded COMPOSITE_LIMIT, logoff in progress
Note 19564.1 OERR: ORA 2391 exceeded simultaneous SESSIONS_PER_USER limit
Note 19565.1 OERR: ORA 2392 exceeded session limit on CPU usage, logging off
Note 19566.1 OERR: ORA 2393 exceeded call limit on CPU usage
Note 19567.1 OERR: ORA 2394 exceeded session limit on I/O usage, logging off
Note 19568.1 OERR: ORA 2395 exceeded call limit on I/O usage
Note 19569.1 OERR: ORA 2396 exceeded max Idle Time, please connect again
Note 19570.1 OERR: ORA 2397 exceeded PRIVATE_SGA Limit, logging off
Note 19571.1 OERR: ORA 2398 exceeded procedure space usage
Note 19572.1 OERR: ORA 2399 exceeded maximum connect time, logging off

6.4 Bugs
--------
Bug 2653232 SPATIAL QUERIES DON'T PROGRESSIVELY RECORD RESOURCE (CPU) USAGE
Bug 2085332 SET OVER 5 HOURS TO CPU_PER_CALL, YOU GET ORA-2394, DON'T GET ORA-2393
Bug 2231683 UGA MEMORY LEAK WHEN USING OBJECT INHERITANCE IN PL/SQL
Bug 1182131 ORA-2399 RUNNING JOB OR PROCEDURE WITH CURSOR & CONNECT_TIME<UNLIMITED
Bug 2695242 ORA-22 AND ORA-600 [18260] WORKING WITH MTS (MICROSOFT TX SERVER) AND XA
Bug 2134498 ORA-2391 ON BOTH NODES OF A OPS-CLUSTER ALTHOUGH RESOURCE_LIMIT=FALSE
Bug 2319471 ORA-2391 AND ORA-7445S IN PQ SLAVES, THEN ORA-7445 PMON CRASH
Bug 2117349 LOTS OF ORA-2391 ERRORS FILLING UP ALERT.LOG
Bug 777970 TEST VALIDITY OF AM4CICS THREAD CONNECTIONS BEFORE ASSIGNING THEM TO CICS TASKS
Bug 1898254 JDBC THIN APPLICATION KEEPS CONNECTION WHEN IDLE_TIME PROFILE IS SET.

6.5 Scripts
-----------
Note 1019933.6 Script to list profile resources and limits

7) Password Management

7.1 How to and Documentation
----------------------------
Note 114930.1 Oracle Password Management Policy
Note 228991.1 Behavior of PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME in 9i / 8i
Note 1051982.6 How to Change SYS and SYSTEM Passwords
Note 271825.1 Is the password encrypted when I logon and related questions.
Note 225529.1 How to LOCK the SYS PASSWORD using Password Management with Profiles
Note 1016364.102 VMS: How to Change Oracle SYS and SYSTEM Passwords
Note 199582.1 How To Transfer Passwords Between Databases
Note 101458.1 How to change Oracle user password with PL/SQL procedure
Note 242668.1 Use ALTER USER Command to Change Your Own Password Without the Privilege and Go Through the Password Verify Function
Note 160443.1 How to Enable Password Expire Time ?
Note 1047958.6 Password uniformity over multiple instances
Note 1051962.101 Restoring a user's original password
Note 98481.1 How to Keep the Same Password when Expiry Time is Reached and Change is Required
Note 124113.1 Implementing Punctuation in Passwords.
Note 118382.1 Can I Avoid Passwords from Appearing in the Process Table on a UNIX Platform?
Note 291195.1 Why Account Status Is Open When Expiry Date is Old Date in DBA_USERS
Note 275232.1 DBA_USERS Shows ACCOUNT_STATUS is LOCKED Even After the PASSWORD_LOCK_TIME has Expired
Note 279355.1 ORA-01017: Connect as a User Created with IDENTIFIED BY VALUES Password
Note 335864.1 Can Oracle Passwords Be Case Sensitive ?

Oracle9i Database Administrator's Guide
Chapter - Establishing Security Policies -
Password Management Policy

Oracle9i Database Concepts Release 2
Chapter - Controlling Database Access -
Authentication by the Oracle Database

7.2 Customer Updates
--------------------
Note 340009.1 Customer Update Regarding Published Sketch For So-Called Oracle Voyager Worm
Note 340240.1 Customer Update Regarding "An Assessment of the Oracle Password Hashing Algorithm" by Joshua Wright and Carlos Cid

7.3 Problems / solutions
------------------------
Note 139676.1 ORA-28007 the password cannot be reused
Note 104235.1 EXP-00058 Error When Profiles Have PASSWORD_VERIFY_FUNCTION
Note 1062905.6 EXP-00014, EXP-00008, ORA-02396, EXP-00008, ORA-01012, EXP-00000 EXPORTING TO TAPE
Note 124648.1 ORA-28003, ORA-20001, ORA-20002, ORA-20003, ORA-20004 after running utlpwdmg.sql
Note 301057.1 Changing SYS Password HANGS with ALTER USER Command
Note 289898.1 User SYS Does Not Get ORA-28002 Nor ORA-28001 Even When PASSWORD_LIFE_TIME or PASSWORD_GRACE_TIME are Set
Note 164834.1 Changing Password Using PASSWORD_VERIFY_FUNCTION Fails With ORA-28003
Note 1038601.6 ORA-988 when Creating a User with a Password that Starts with a Number
Note 1012425.7 ORA-28001: Password expired, but not prompted for new password
Note 152647.1 After Changing Password: ORA-00988
Note 162818.1 ORA-28002 On User Connection Immediately After PASSWORD_LIFE_TIME Changed
Note 132096.1 ORA-28003 Error When Use 'Password Complexity Verification'
Note 1079860.6 ORA-28011 Password Expiry Date is Reached But Reset to NULL
Note 1084150.6 ORA-7443: Function not Found When Using PASSWORD_VERIFY_FUNCTION in Profile
Note 139676.1 ORA-28007: the password cannot be reused
Note 113446.1 ORA-988 Error Using 'ALTER USER <username> PASSWORD EXPIRE' in SQL*Plus 8.1.6
Note 119260.1 ORA-3113 or ORA-1041 when trying to change user password in database
Note 130639.1 ORA-1841 Error Connecting to Upgraded Database After Set PASSWORD_LIFE_TIME
Note 1050807.6 ORA-01017: MANUGISTICS CREATED USERS OTHER THAN SYS CANNOT LOG INTO DATABASE
Note 1063068.6 Getting ORA-1005 when logging in to SQL*Plus
Note 242416.1 8.0.6 SQLPLUS CLIENT Echo's PASSWORD in LINUX
Note 265095.1 Resource limits for passwords work even with resource_limit = false

7.4 Parameters, Events and Errors
---------------------------------
Note 30800.1 Init.ora Parameter "RESOURCE_LIMIT" Reference Note

Note 18579.1 OERR: ORA-988 missing or invalid password(s)
Note 50001.1 OERR: ORA-28000 the account is locked
Note 50002.1 OERR: ORA-28001 the password has expired
Note 50003.1 OERR: ORA-28002 the password will expire within %s days
Note 50004.1 OERR: ORA-28003 password verification for the specified password failed
Note 50005.1 OERR: ORA-28004 invalid argument for function specified in PASSWORD_VERIFY_FUNCTION
Note 50007.1 OERR: ORA-28006 conflicting values for parameters %s and %s
Note 50008.1 OERR: ORA-28007 the password cannot be reused
Note 50009.1 OERR: ORA-28008 invalid old password
Note 50011.1 OERR: ORA-28010 cannot expire external or global accounts
Note 173502.1 OERR: ORA-28011 the account will expire soon; change your password now
Note 267401.1 Oracle Performance Monitor 10.1 causing NMUPM.EXE to Lock System Account

7.5 Bugs
--------
Bug 1231172 ORA-28003 WHEN CHANGING PASSWORD FOR A USER
Bug 1620381 ORA-24315 RESULTS ON CONNECT REQUEST AFTER PASSWORD VERIFICATION FAILURE
Bug 2161716 PASSWORD GRACE PERIOD MESSAGE NOT WORKING IN 8.1.7.2
Bug 1654141 USER ACCOUNTS IN GRACE PERIOD CANNOT PERFORM EXPORT, GET EXP-56 ORA-28002 ERRORS
Bug 1494651 OCILOGON DOES NOT CREATE A SESSION WHEN A PASSWORD IS IN GRACE TIME
Bug 1668134 PROTOCOL VIOLATION WHEN THIN DRIVER CONNECTING TO USER WITH EXPIRED PASSWORD.
Bug 2269177 IAS: MOD_PLSQL AUTHENTICATION DENIED WHEN USER ACCOUNT IS IN GRACE PERIOD
Bug 2664495 OLEDB DOESNT PROPAGATE ORA-28002 PASSWORD WARNING
Bug 2158625 FORMS 4.5 DOES NOT TRAP ORA-28002 WARNING WHEN A PASSWORD IS DUE TO EXPIRE

7.6 Scripts
-----------
Note 227010.1 Script to Check for Default Passwords Being Used for Common Usernames
Note 135878.1 Script to prevent a user from changing his password
Note 161671.1 Script to Identify Accounts with a Password Equal to their Username

8) Connect Internal and Password Files

These articles and documentation explain how to administer the administrative privileges,
still loosely referred to as 'connect internal', and how to manage access with a password file.

8.1 How to and Documentation
----------------------------
Note 233223.1 Checklist for Resolving CONNECT AS SYSDBA (INTERNAL) Issues
Note 242258.1 Why Can I Login AS SYSDBA With any Username and Password?
Note 18089.1 UNIX: Connect INTERNAL / AS SYSDBA Privilege on Oracle 7/8
Note 50507.1 SYSDBA and SYSOPER Privileges in Oracle
Note 1029539.6 UNIX: How to Set up the Oracle Password File
Note 1058658.6 UNIX: Multiple databases sharing a password file
Note 1016540.6 How to enable remote password with ORAPWD and Parallel Server
Note 103964.1 How to Audit Connect Internal Using Oracle Server
Note 212049.1 How To Add a New User to the Password File ?
Note 43793.1 VIEW "V$PWFILE_USERS" Reference Note
Note 225097.1 ORACLE_SID, TNS Alias, Password File and others Case Sensitiveness
Note 98651.1 UNIX: How to make Connect Internal Protected by Password even for DBA Group

Oracle9i Database Administrator's Guide
Chapters - The Oracle Database Administrator -
- Database Administrator Authentication -
- Password File Administration -

8.2 Problems / solutions
------------------------
Note 69642.1 UNIX: Checklist for Resolving Connect AS SYSDBA Issues
Note 185703.1 How to Avoid Common Flaws and Errors Using Passwordfile
Note 114384.1 WIN: Checklist for Resolving CONNECT AS SYSDBA (INTERNAL) Issues
Note 68238.1 SCO: ORAPWD Utility Generates An Unusable Password File In Oracle v7.3.4
Note 118367.1 UNIX: ORA-1990 at Startup DB After Creating Password File with Wrong Case
Note 147724.1 Granting SYSDBA Privileges Fails with ORA-01990; Quick Edit of Database from EM Console Fails with Database Currently in Unknown State
Note 223002.1 UNIX:CONNECT INTERNAL Asks for Password in a Multiple Oracle Versions Environment
Note 301072.1 Dbstart Fails With Ora-01031 When Called From User Root
Note 308151.1 Connect / AS SYSDBA Results In Ora-01031
Note 77740.1 USERNAME Is Listed From V$PWFILE_USERS But Not From DBA_USERS
Note 312093.1 Timestamp on ORAPWD File Updated When Users' Password Changed

8.3 Parameters, Events and Errors
---------------------------------
Note 30796.1 Init.ora Parameter "REMOTE_LOGIN_PASSWORDFILE" Reference Note
Note 30797.1 INIT.ORA: REMOTE_OS_AUTHENT
Note 30785.1 INIT.ORA: OS_AUTHENT_PREFIX

Note 19276.1 OERR: ORA 1990 error opening password file <name>
Note 19277.1 OERR: ORA 1991 invalid password file <name>
Note 19278.1 OERR: ORA 1992 error closing password file <name>
Note 19279.1 OERR: ORA 1993 error writing password file <name>
Note 19280.1 OERR: ORA 1994 GRANT failed: cannot add users to public password file
Note 19281.1 OERR: ORA 1995 error reading password file <name>
Note 19282.1 OERR: ORA 1996 GRANT failed: password file <name> is full

8.4 Bugs
--------
Bug 2688911 SQLPLUS DOES NOT CORRECTLY SUPPORT THE 'AS SYSDBA' FUNCTIONALITY IN 8.1.7
Bug 425862 ORA-600 [1113] SELECTING FROM V$PWFILE_USERS IF MORE THAN 14 SYSDBA USERS

8.5 Scripts
-----------
Note 67984.1 UNIX: Diagnostic C program for ORA-1031 from CONNECT INTERNAL / AS SYSDBA

9) O/S Authentication

This section has references to documentation and notes about O/S authentication, a.k.a.
external authentication. The authentication is delegated to the operating system, which
therefore needs to be trustworthy. Please note the distinction between authenticating via
the O/S with administrative privileges (see 8.) and as a normal (application) user.

9.1 How to and Documentation
----------------------------
Note 233223.1 Checklist for Resolving CONNECT AS SYSDBA (INTERNAL) Issues
Note 242258.1 Why Can I Login AS SYSDBA With any Username and Password ?
Note 18088.1 UNIX OS Authentication on Oracle Server
Note 60634.1 WIN: Setup O/S Authentication
Note 77665.1 WIN: OS Authentication - Connecting to Oracle Without a Password
Note 122515.1 WIN: Setup O/S Authentication Using Oracle Administration Assistant
Note 272395.1 OS Authentication in 9i is Not Working as in 8i
Note 91944.1 Native Authentication through Windows 2000
Note 111252.1 How to use OPS$ user as FROMUSER/TOUSER Import or OWNER Export parameter
Note 101078.1 VMS Using DBLINKS When OPS$ Accounts and Password Files Accounts are Set Up
Note 371110.1 How to Configure the SQL*Net Layer for OS Authentication and Native Authentication on a Windows Platform in a Two-Tier Environment
Note 363448.1 Error Message Running Application From MS Terminal Server Ora-01019

Oracle9i Database Administrator's Guide - Chapters

- The Oracle Database Administrator;
- Establishing Security Policies; System Security Policy; User Authentication,
- Managing Users and Resources; User Authentication Methods; External Authentication

9.2 Problems / solutions
------------------------
Note 120329.1 ORA-3113 CONNECTING USING OS AUTHENTICATION
Note 99550.1 OCILogon Using OS Authentication Fails With ORA-01017
Note 243083.1 ORA-01005: Connect Username AS SYSDBA Behaves Differently in 7.3.4, 8.1 and 9.2
Note 309059.1 Oradim Command Fails to Shutdown Database(s) with ORA-01031 under 9.2.0.6
Note 373999.1 ORA-27140 Unable To Connect To Database With OS Authentication
Note 302775.1 Ora-27140 When Connecting As A Non Dba Group User

9.3 Parameters, Events and Errors
---------------------------------
Note 30785.1 Init.ora Parameter "OS_AUTHENT_PREFIX" Reference Note
Note 30797.1 Init.ora Parameter "REMOTE_OS_AUTHENT" Reference Note

Note 19283.1 OERR: ORA 1997 GRANT failed: user <name> is identified externally

9.4 Bugs
--------
Bug 4312390 ORADIM COMMAND CAN'T SHUTDOWN DATABASE : ORA-1031
Bug 530697 CONNECT INTERNAL DOES NOT WORK FOR DOMAIN USERS IN LOCAL ORA_DBA GROUP
Bug 370253 OS AUTHENTICATION FAILS WITH ORA-1017 FOR ROOT USER
Bug 1632293 ORA-28150 SELECTING ACROSS DATABASE LINK WITH OS AUTHENTICATED USER

10) Auditing

10.1 How to and Documentation
-----------------------------
Note 1020945.6 How to Setup Auditing
Note 175292.1 Overview Auditing: Possibilities of Auditing, using Triggers and FGA
Note 174556.1 9i/9.2: Fine Grained Auditing
Note 266896.1 10g: Fine Grained Auditing
Note 278184.1 9i and 10g: Installing Oracle Label Security Automatically Moves AUD$ Table out from SYS into SYSTEM schema
Note 175259.1 Using autonomous triggers to audit detailed information.
Note 209801.1 How to Disable Audit Action 103 to Avoid Unnecessary Rows in Table SYS.AUD$
Note 158348.1 How to Find Results Back in Data Dictionary When Using AUDIT SYSTEM GRANT
Note 166301.1 How to Reorganize SYS.AUD$ Table
Note 230845.1 How to Import SYS.AUD$ Table from 8i to 9i Database When SYS User is not Exported
Note 222807.1 How To Audit GRANT ANY PRIVILEGE Or GRANT ANY ROLE
Note 239621.1 How to audit 'analyze index'
Note 199419.1 How to Avoid Common Flaws and Errors Using Fine Grained Auditing
Note 99786.1 How to Audit User Connection, Disconnection Date and Time
Note 73408.1 How to Truncate, Delete, or Purge Rows from the Audit Trail Table SYS.AUD$
Note 1025832.6 How to audit data changes in tables using triggers
Note 103964.1 How to Audit Connect Internal Using Oracle Server
Note 208855.1 What is Audit Action 103 ?
Note 282091.1 How to find Whether an OBJECT-level Audited by ACCESS Statement Succeeded or Failed
Note 174340.1 Audit SYS user Operations
Note 308066.1 AUDIT_SYS_OPERATIONS Set To FALSE Yet Audit Files Are Generated
Note 1025314.6 Descriptions of action code and privileges used in fields in SYS.AUD$ table
Note 167293.1 Some examples about auditing and output of auditing
Note 45114.1 Auditing/Debugging DML with Database Trigger
Note 41800.1 Quick Reference to Auditing Information
Note 293973.1 Find List Of All Possible Keywords In Audit Log Files
Note 99137.1 Setting up, Interpreting Auditing Using Windows NT Event Viewer
Note 1049048.6 Auditing with Oracle Parallel Server
Note 72291.1 VMS The AUDIT_TRAIL=OS Initialization Parameter on OpenVMS
Note 221944.1 How to Audit a User Who is Trying to Break DB Username/Password
Note 123128.1 How To Identify an RDBMS session using AUDSID
Note 274697.1 LOGOFF and LOGOFF BY CLEANUP Do Not Have Any LOGON Records in DBA_AUDIT_TRAIL and Vice-Versa
Note 277219.1 How to Retrieve the Whole Audited SQL Statement From DBA_FGA_AUDIT_TRAIL View ?
Note 310873.1 Audit Record written When We Select From View even if The Audited Column Is Not Selected
Note 309798.1 How to Trace Specific Database Users to Collect Full DML Statements Executed
Note 271615.1 Timestamp And Logoff_time Columns In Audit views Are In Different Time Zones
Note 402528.1 How to cleanup the log table FGA_LOG$ ?
Note 414666.1 Audit Action #283
Note 427296.1 Why is column TIMESTAMP# having NULL values in AUD$ and FGA_LOG$ tables?:
Note 469007.1 SCRIPT: How To Apply the Same Fine Grained Audit Policy To All Tables In A Schema

10.2 Problems / solutions
-------------------------
Note 334486.1 SYS.AUD$ Table Not Found Though Exists in SYS.OBJ$
Note 1063941.6 LRM-00101: Unknown parameter name 'AUDIT_FILE_DEST' when config auditing on NT
Note 74725.1 How often tables are accessed (AUDIT)
Note 166674.1 Auditing Does Not Supply A Full Name Of Triggers
Note 72460.1 Moving AUD$ to another tablespace and adding triggers to AUD$
Note 1068714.6 How does the NOAUDIT option work
Note 1019326.102 SES_ACTIONS in DBA_AUDIT_OBJECT
Note 130146.1 Auditing DML (Insert, Update and Delete)
Note 363590.1 How to Retrieve DML Statements Text and Values from Bind Variables
Note 107842.1 Application Log is Full with Event ID 34 : Audit Trail:Connect Internal
Note 106823.1 Unknown Users Comparing sys.aud$ and user_audit_session
Note 125378.1 ORA-2096 setting TRANSACTION_AUDITING dynamically
Note 197598.1 Audit users with "DROP ANY TABLE" privilege: example client event trigger
Note 267389.1 AUDIT CREATE PROCEDURE Does not Audit "Create OR Replace Procedure" Statements
Note 198468.1 SYS.AUD$ Filling up Fast When Auditing Failed Logon Attempts Because of DBSNMP.
Note 240766.1 ORA-00904 When Using RAWTOLAB Function on SYS.AUD$ Columns OBJ$LABEL and SES$LABEL
Note 246665.1 ORA-22921 When Fine Grained Auditing with Multibyte Character Set in 9.2.0.3
Note 316915.1 Unexpected Audit Records Are Generated Within APPS When CREATE SESSION is Audited Action
Note 310876.1 CREATE USER System Privilege Not Being Audited
Note 343413.1 Default Actions Audited in OS Audit Files Contain Messages for Completed Archive Operations

10.3 Parameters, Events and Errors
----------------------------------
Note 30690.1 Init.ora Parameter "AUDIT_TRAIL" Reference Note
Note 39796.1 Init.ora Parameter "AUDIT_FILE_DEST" Reference Note

Note 72203.1 OERR ORA-16006 audit_trail destination incompatible with database open mode
Note 19287.1 OERR ORA 2002 error while writing to audit trail
Note 21073.1 OERR ORA-9925 "Unable to create audit trail
Note 20985.1 OERR ORA-9822 Translation of audit file name failed.
Note 249438.1 10G: New Value DB_EXTENDED for the AUDIT_TRAIL init.ora Parameter

10.4 Bugs
---------
Bug 2916125 AUDITED_CURSORID ONLY AVAILABLE FOR REGULAR AUDITING
Bug 2998476 SQL_TEXT COLUMN IN DBA_FGA_AUDIT_TRAIL VIEW IS GARBLED AFTER APPLYNG BUG#2973008
Bug 2973008 FINE-GRAINED AUDITING FAILS WITH ORA-22921 USING MULTI-BYTE CHARACTER SET
Bug 3684796 ORA-904 WHEN EXPLAINING GROUPING SETS QUERY WITH FINE GRAINED AUDITING
Bug 3836829 Columns That Are Not Selected In View Still Audited Using Fga

10.5 Scripts
------------
Note 287436.1 SCRIPT: Generate AUDIT and NOAUDIT Statements for Current Audit Settings
Note 1019377.6 Script to move SYS.AUD$ table out of SYSTEM tablespace
Note 1019552.6 Script to Show Audit Options/Audit Trail
Note 279169.1 Script: How To Store the Checksum of PL/SQL Code

11) Event Triggers

11.1 How to and Documentation
-----------------------------
Note 175292.1 Overview Auditing: Possibilities of Auditing, using Triggers and FGA
Note 45114.1 Auditing/Debugging DML with Database Trigger
Note 74173.1 Oracle8i - Database Trigger Enhancements
Note 281229.1 How to Restrict Access to the Database With Specific Tools(e.g. TOAD) or Applications
Note 197598.1 Audit Users with "DROP ANY TABLE" Privilege: Example Client Event Trigger
Note 301062.1 Audit User By Session From Unauthorized IP Address
Note 175259.1 Using autonomous triggers to audit detailed information.
Note 150212.1 Database Triggers do not Seem to Execute
Note 163593.1 System Triggers Are Not Executed
Note 149948.1 IMPORTANT Set "_SYSTEM_TRIG_ENABLED=FALSE" When Upgrading / Downgrading / Applying Patch Sets
Note 220491.1 How to Prevent Users From Log Into a Database Within Defined Periods
Note 265012.1 ADMINISTER DATABASE TRIGGER Privilege Causes Logon Trigger to Skip Errors

Note 70679.1 How to Audit Logon/Logoff Events with Triggers


Note 105758.1 How to Automate Controlfile Backup at Database Startup
Note 101627.1 How to Automate Pinning Objects in Shared Pool at Database Startup
Note 210693.1 How to Automate Grant Operations When New Objects Are Created in a SCHEMA/DATABASE
Note 234098.1 How to Forbid the Usage of ALTER TABLE Command on Tables Owned or Created by Users Trigger
Note 339558.1 How to Track CREATE USER / DROP USER Statements Using Trigger
Note 159183.1
Note 271077.1 How to Prevent a User Granted the ALTER USER Privilege From Changing SYS/SYSTEM password
Note 361728.1 How to Restrict User from Connecting to Database Through Specific Ip Address

Oracle9i Database Concepts


Chapter - Triggers -
Triggers on System Events and User Events

Oracle9i Application Developer's Guide - Fundamentals


Chapter - Working With System Events -

11.2 Problems / solutions
-------------------------
Note 106140.1 AFTER LOGON Triggers Don't Allow DBMS_SESSION.SET_ROLE to Keep Roles Enabled
Note 120712.1 Database or Logon Event Trigger becomes Invalid Who can Connect?

11.3 Parameters, Events and Errors
----------------------------------
Note 68636.1 Init.ora Parameter "_SYSTEM_TRIG_ENABLED"

11.4 Bugs
---------
Bug 2469532 ORA-29539, CANNOT INSTALL THE JVM AFTER REMOVING IT

11.5 Scripts
------------

12) Fine Grained Access Control

These articles and documentation relate to FGAC, a new 8i feature that allows
a more granular level of security: row level.

12.1 How to and Documentation
-----------------------------
Note 67977.1 Oracle8i Fine Grained Access Control - Worked Examples
Note 281829.1 Evolution of Fine Grain Access Control FGAC Feature From 8i To 10g
Note 250795.1 10g: Policy Enforced Only When the Relevant Column is Queried in Any Way
Note 281970.1 10g: Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors in DBMS_RLS.ADD_POLICY Procedure
Note 315687.1 10g: What Is INDEX statement_type Used For In By DBMS_RLS Policies ?
Note 119335.1 How To Solve the Problem of Circular Row Level Policies
Note 174799.1 How to Bypass Fine-Grained Security Enforcement
Note 69573.1 How to Determine Active Context (DBMS_SESSION.LIST_CONTEXT)
Note 162914.1 How to Skip Tables when Exporting a User or an Entire Database
Note 99250.1 Understanding Fine-Grained Access Control (DBMS_RLS) on INSERT
Note 174368.1 Policies on Synonyms

Note 170177.1 Use of Fine grained access control from forms

Note 155477.1 Parameter DIRECT: Conventional Path Export Versus Direct Path Export

Note 187239.1 Execution plan may change when you use Fine Grained Access Control (FGAC)

Oracle9i Database Administrator's Guide - Chapter


- Establishing Security Policies

Oracle9i Application Developer's Guide - Fundamentals - Chapter


- Implementing Application Security Policies
- Introduction to Application Context
- Introduction to Fine-Grained Access Control

Oracle9i Supplied PL/SQL Packages and Types Reference - Chapter


- DBMS_RLS

12.2 Problems / solutions
-------------------------
Note 69401.1 How to resolve ORA-28110 or ORA-28112 on SELECT or DML
Note 100130.1 ORA-1031 when setting Attribute via DBMS_SESSION.SET_CONTEXT
Note 331862.1 ORA-28113 when a Policy Predicate is Fetched from a Context
Note 113970.1 SELECT Statement Hangs when using Fine Grained Access Control
Note 168056.1 Select on Table With Policy Defined on it Fails With ORA-28110
Note 175658.1 RLS Policy Function Appears to Run in a New Session
Note 277606.1 How to Prevent EXP-00079 or EXP-00080 Warning (Data in Table xxx is Protected) During Export
Note 130652.1 A policy does not work as defined, though UPDATE_CHECK is set to TRUE
Note 117058.1 ORA-439 When Trying to Use DBMS_RLS
Note 179379.1 Querying Against a Partitioned Table With FGAC Fails With ORA-01762
Note 158187.1 Create Materialized View Fails With ORA-30372
Note 172423.1 ORA-12015 when Creating Materialized View with Defined Fine Grain Access Control
Note 153978.1 Oracle9i Export of Table with Row Level Security Aborts with ORA-1406 and EXP-0
Note 219911.1 Fine Grained Access Control Feature Is Not Available In the Oracle Server Standard Edition
Note 250094.1 How to Know the Exact Cause of an ORA-28113 Error After Setting a FGAC Policy
Note 278577.1 FGAC Policy Causes Ora-00903 When Using A Function With UNION Operator And PK On Function Tables
Note 293301.1 ORA-14136 When Exchanging Partition With a Table That Has a RLS Policy Enabled
Note 312030.1 DBMS_OUTPUT.PUT_LINE Fires Multiple Times From FGAC Policy Function
Note 361345.1 Ora-3001: "Unimplemented Feature" On Query Using "WITH" and FGAC
Note 422480.1 ORA-39181:Only Partial Table Data Exported Due To Fine Grain Access Control

12.3 Parameters, Events and Errors
----------------------------------
Note 71836.1 OERR:ORA-30372 fine grain access policy conflicts with materialized view
Note 71410.1 OERR:ORA-28116 insufficient privileges to do direct path access

12.4 Bugs
---------
Bug 1517613 ORA-1762 USING PARTITIONS AND FINE GRAINED ACCESS CONTROL
Bug 2539145 EXEMPT ACCESS POLICY PRIVILEGE NOT PROPERLY RECOGNIZED BY THE EXPORT UTILITY
Bug 1802004 EXP-0: EXPORT TERMINATED UNSUCCESSFULLY
Bug 3771415 ORA-903 WHEN SELECT A TABLE WITH RLS POLICY AND FUNCTION WITH UNION OPERATOR
Bug 3988219 Dbms_Output.Put_Line Fires Multiple Times From Policy Function In Fgac

13) Oracle Label Security

Oracle Label Security enables application developers to add label-based access control to their applications. It mediates
access to rows in database tables based on a label contained in the row, and the label and privileges associated with
each user session. For queries, Oracle Label Security uses the Oracle Virtual Private Database technology. For DML,
it uses a set of triggers.

13.1 How to and Documentation
-----------------------------
Note 230980.1 Oracle Label Security - Concepts (Policies and Labels) and Examples
Note 171155.1 Install/Deinstall Oracle Label Security Data Dictionary in Oracle9i
Note 213684.1 Oracle Label Security Frequently Asked Questions
Note 213716.1 Oracle Label Security in a Replication Environment
Note 314077.1 Oracle Label Security : How to Separate Duties of Policies Administration
Note 317319.1 10g R2 New Feature TDE (Transparent Data Encryption) Usage with OLS

Oracle Label Security Administrator's Guide

13.2 Problems / solutions
-------------------------
Note 215886.1 Oracle Trusted Stored Procedure Label Not Used
Note 144160.1 Unable to Find Oracle Policy Manager (Oracle Label Security Related Application)
Note 303751.1 Unable to Install OLS on 10.1.0.3
Note 233110.1 ORA-07445 [zllcini] or ORA-04045 in a Database with OLS Set to FALSE
Note 250411.1 ORA-439 Oracle Label Security Option Not Enabled though Already Installed
Note 303511.1 After Installing OLS, Create Policy Issues ORA-12447 and ORA-600 [KGHALO2]

Note 231777.1 ORA-12445 When Applying a Label Function on a Table Protected by an OLS Policy
Note 238599.1 ORA-12447 When Creating an Already Existing OLS Policy
Note 278301.1 ORA-12414: Internal Lbac Error: Zllcfpo:Ocitypebyname and ORA-22303 at Database STARTUP
Note 285429.1 sa_session.set_label generates ORA-12470
Note 303791.1 Oracle Label Security And Foreign Key DEFERRABLE INITIALLY DEFERRED Issues Ora-28117
Note 304137.1 ORA-12406 When Updating a Table With an OLS Policy Though Granted EXEMPT ACCESS POLICY Privilege
Note 735375.1 "LbacException User does not exist" Encountered While Adding An User To a Profile Using OLSADMINTOOL
Note 735801.1 ORA-0109 ORA-12432 LBAC ERROR ZLLEGNP While Starting Up The Database
Note 577569.1 Queries Against Tables Protected by OLS Are Erroring Out

13.3 Bugs
---------
Bug 3870317 UNABLE TO INSTALL ADDITIONAL OPTIONS AFTER 10.1.0.3.0 PATCHSET IS APPLIED
Bug 2499257 ORA-28115 TO_DATA_LABEL WILL WORK ON ADMINISTRATOR CREATED DATA LABELS
Bug 2367197 ORACLE SPATIAL INDEX CREATION AND QUERIES FAIL WHEN OLS IS APPLIED

14) Database Vault

Oracle Database Vault Administrator's Guide 10g Release 2 (10.2)

Oracle Database Vault Administrator's Guide 11g Release 1 (11.1)

14.1 How to and Documentation
-----------------------------
Note 397085.1 Database Vault Errors Due to Internet Explorer Language Option
Note 403376.1 Installation Of Database Vault Fails
Note 405042.1 Clarity On Database Patchset 10.2.0.3.0 Apply, Where The README Has References To Oracle Database Vault Option
Note 604773.1 Cannot Install Database Vault in a Single Instance Database in a RAC home
Note 550265.1 How To Restrict The Access To An Object For The Object's Owner
Note 550863.1 What Privileges Are Revoked During Database Vault Installation?

Note 754065.1 Installing Database Vault in a Data Guard Environment

14.2 Problems / solutions
-------------------------

Note 400667.1 Ora-01918: User 'Dvsys' Does Not Exist when installing Database Vault
Note 417869.1 Unable To Access Dva Until Dbconsole is Restarted
Note 433887.1 Datapump Export Fails When Database Vault is Enabled ORA-47401
Note 465685.1 ORA-7445 Error Encountered When Running An ALTER USER Statement On a Database Vault Protected DB
Note 467476.1 Import Into A Non SecuredTable After Installing Database Vault Fails With ORA-1031
Note 436617.1 Database Vault Default Realms Can't Be Seen Within The Browser
Note 470838.1 SYSDBA OS Authentication Works In A Database Vault Environment After Applying a Patch or Patchset
Note 557381.1 DBMS_MACVPD Might Be Invalid After Upgrade To 10.2.0.4

14.3 Parameters, Events and Errors
---------------------------------

14.4 Bugs
---------

15) Audit Vault

15.1 How to and Documentation
---------------------------------

Oracle Audit Vault 10.2.2, 10.2.3, 10.2.3.1 Documentation

Note 564306.1 How To Check Connectivity And Wallet Credentials In A 10.2.2 Audit Vault Environment
Note 437062.1 Mandatory Patches to be applied on Oracle Audit Vault 10.2.2.0.0
Note 729280.1 Can OSAUD Collect SQL Text or Bind Variables?
Note 753577.1 How To Change The Port of The Listener Configured for the AV Database ?
Note 437049.1 AUDIT VAULT How to Add an Oracle Database Source running Database Vault

15.2 Problems / solutions
-------------------------
Note 740657.1 ORA-1017 While Adding an Agent Using AVCA
Note 566630.1 Error While Starting DBAUD Collector: Internal Collector MYDB.COM:DBAUD_Collector Error ( CSDK layer error )
Note 734309.1 DBAUD Collector For Oracle 9.2.0.8 Crashes As Soon As It Is Started
Note 731081.1 Oracle Audit Vault 10.2.3.0.0 Installation fails intermittently in some environments
Note 731593.1 Error ORA-01729 Encountered While Adding A REDO Collector
Note 728888.1 The DBAUD Collector Cannot Be Started
Note 734865.1 AVCA fails with "Unable to add Agent. Agent specified already exists" after dropping the same Agent, or previously adding the same Agent without success
Note 746503.1 While Provisioning The Audit Settings on The Source Database Huge Trace Files Get Created
Note 747843.1 Audit Settings Provisioning fails with "Errors:<nnn> settings has been failed in this provision."
Note 748202.1 "Java.sql.SQLException: Exceeded maximum VARRAY limit" While Retrieving the Audit Settings From Source

Note 751085.1 Errors While Installing Audit Vault Or While Applying An Audit Vault Patchset

15.3 Parameters, Events and Errors
---------------------------------

15.4 Bugs
---------

16) Data Encryption

These are the references to the database encryption features provided with the DBMS_OBFUSCATION_TOOLKIT and
DBMS_CRYPTO supplied packages. For references relating to network encryption see the Networking Security and
Authentication Knowledge Browser Page (Note 267607.1).

16.1 How to and Documentation
-----------------------------

Oracle9i Application Developer's Guide - Data Encryption Using DBMS_OBFUSCATION_TOOLKIT


10g PL/SQL Packages and Types Reference - DBMS_CRYPTO package

Note 445147.1 How To Generate A New Master Encryption Key for the TDE
Note 317311.1 10g R2 New Feature TDE : Transparent Data Encryption
Note 232000.1 Selective Data Encryption in Oracle RDBMS, Overview and References
Note 225214.1 New IV Parameter to DES3Encrypt en DES3Decrypt Enhances Interoperability
Note 338325.1 How DBMS_OBFUSCATION_TOOLKIT Interoperates With DBMS_CRYPTO
Note 165465.1 Oracle Advanced Security Frequently Asked Questions
Note 104410.1 How to Enable Encryption & Checksumming using JDBC Drivers
Note 39612.1 Secure Network Services V1.0 Configuration Overview on OpenVMS
Note 126079.1 Net8 overview and explanation (3)
Note 228636.1 Meaning of "WHICH" Parameter in DES3Decrypt And DES3Encrypt Procedures
Note 263616.1 Given two Different DES Encryption Keys, Encrypted Strings can Appear Identical
Note 270919.1 Transferring Encrypted Data from one Database to Another
Note 280801.1 How to Find the Oracle Java Cryptographic Extension (JCE) Provider
Note 460293.1 How to Open the Encryption Wallet Automatically When the Database Starts.
Note 416526.1 How to Avoid Performance Overhead Associated With Certificate Based TDE Encryption
Note 389958.1 Using Transparent Data Encryption In An Oracle Dataguard Config
Note 454980.1 Best Practices for having indexes on encrypted columns using TDE in 10gR2

16.2 Problems / Solutions
-------------------------
Note 415247.1 DBA_ENCRYPTED_COLUMNS Show Columns That Do Not Exist In The Table
Note 391086.1 TDE - Trying To Open Wallet In Default Location Fails With Ora-28353
Note 459801.1 Getting Ora-28336 When Doing a DATAPUMP Export as User SYS with TDE Encrypted Tables
Note 197040.1 dbms_obfuscation_toolkit.DESDecrypt Compatibility Problem
Note 197892.1 ORA-28232 using DBMS_OBFUSCATION to Encrypt/Decrypt
Note 133772.1 ORA-04068 Executing DBMS_OBFUSCATION_TOOLKIT
Note 337980.1 ORA-00904 When Using DBMS_SQLHASH.GETHASH
Note 394539.1 ORA-28353 - Cannot set the encryption key password for TDE

16.3 Parameters, Events and Errors
----------------------------------
Note 173530.1 OERR: ORA-28232 invalid input length for obfuscation toolkit

16.4 Bugs
---------

16.5 Scripts
------------
Note 102902.1 Encrypting Data using the DBMS_OBFUSCATION_TOOLKIT package
Note 166884.1 How to use DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and DES3Decrypt procedures.
Note 197400.1 Example code encrypting credit card numbers
Note 118686.1 Example: Enable Encryption in a JDBC Program
Note 123091.1 Wrapper for DBMS_OBFUSCATION_TOOLKIT, cope with 8-byte input limitation
Note 244133.1 SCRIPT: Encrypting Binary Large Objects (BLOBS) with dbms_obfuscation_toolkit.

17) Security Server

17.1 How to and Documentation
-----------------------------
Note 1064547.6 Steps to make the Oracle Security Server Work on Windows NT
Note 1031071.6 OVERVIEW OF ORACLE SECURITY SERVER
Note 191137.1 Troubleshooting Enterprise User Security
Note 166492.1 SSL Troubleshooting Guide
Note 112490.1 Configuring NET8 TCP/IP via SSL
Note 189260.1 How to Configure the Database with SSL Using a DN Certificate

17.2 Problems / solutions
-------------------------
Note 185157.1 OIDLDAPD Fails With Error 28759 When SSL is Defined
Note 1070507.6 ORA-28759: GENERATING WALLET USING OSSLOGIN

17.3 Parameters, Events and Errors
---------------------------------
Note 50079.1 OERR ORA-28759 Failed to open file