Access control refers to the policies, procedures, and tools that govern access to and use of resources. Examples of resources include a cloud service, physical server, file, application, data in a database, and network device.
The Oracle Logical Access Control Policy is applicable to access control decisions for all Oracle employees and any information-processing facility for which Oracle has administrative authority. This policy does not apply to customer end user accounts for Oracle cloud services. Logical access controls for applications and systems must provide identification, authentication, authorization, accountability and auditing functionality.
Oracle user access is provisioned through an account-provisioning system that is integrated with Oracle's Human Resources database. Access privileges are granted based on job roles and require management approval.
Authorization is dependent on successful authentication, since controlling access to specific resources depends upon establishing an entity or individual's identity. All Oracle authorization decisions for granting, approval, and review of access are based on the following principles:
The use of passwords is addressed in the Oracle Password Policy. Oracle enforces strong password policies (including length and complexity requirements) for the Oracle network, operating system, email, database and other accounts to reduce the chances of intruders gaining access to systems or environments through exploitation of user accounts and associated passwords. System-generated and assigned passwords are required to be changed immediately on receipt.
Oracle personnel are obligated to follow rules for password length, complexity, as well as other password requirements. Employees must keep their passwords confidential and secured at all times, and are prohibited from sharing their individual account passwords with anyone, whether verbally, in writing, or by any other means. Employees are not permitted to use any Oracle system or applications passwords for non-Oracle applications or systems.
Oracle regularly reviews network and operating system accounts with regard to the appropriate employee access levels. In the event of employee terminations, deaths, or resignations, Oracle takes appropriate actions to promptly terminate network, telephony, and physical access.
Oracle has implemented and maintains strong network controls for the protection and control of both Oracle and customer data during its transmission. Oracle’s Network Security Policy establishes requirements for network management, network access and network device management, including authentication and authorization requirements for both physical devices and software-based systems. Unused network ports must be deactivated.