Access control refers to the policies, procedures, and tools that govern access to and use of resources. Examples of resources include a physical server, a file, a directory, a service running on an operating system, a table in a database, or a network protocol.
The Oracle Logical Access Control Policy is applicable to access control decisions for all Oracle employees and any information-processing facility for which Oracle has administrative authority. This policy does not apply to publicly accessible, internet-facing Oracle systems or end users.
Oracle user access is provisioned through an account-provisioning system that is integrated with Oracle's Human Resources database. Access privileges are granted based on job roles and require management approval.
Authorization is dependent on successful authentication, since controlling access to specific resources depends upon establishing an entity or individual's identity. All Oracle authorization decisions for granting, approval, and review of access are based on the following principles:
Oracle enforces strong password policies for the Oracle network, operating system, and database accounts to reduce the chances of intruders gaining access to systems or environments through exploitation of user accounts and associated passwords. When Oracle compliance organizations determine that a password is not in compliance with strong password standards, they work with the applicable employee and line of business to bring the password into compliance with the standards.
Oracle regularly reviews network and operating system accounts with regard to the appropriate employee access levels. In the event of employee terminations, deaths, or resignations, Oracle takes appropriate actions to promptly terminate network, telephony, and physical access.
The use of passwords is addressed in the Oracle Password Policy. Oracle employees are obligated to follow rules for password length and complexity, and to keep their passwords confidential and secured at all times. Passwords may not be disclosed to unauthorized persons. Under certain circumstances, authorized Oracle employees may share passwords for the purpose of providing support services.
Oracle has implemented and maintained strong network controls to address the protection and control of customer data during its transmission from one end system to another. The Oracle Use of Network Services Policy states that computers, servers, and other data devices connected to the Oracle network must comply with well-established standards for security, configuration, and access method.