A fundamental step in securing a database system is validating the identity of the user who is accessing the database (authentication) and controlling what operations they can perform (authorization). A strong authentication and authorization strategy helps protect the users and their data from attackers.
Oracle provides a number of authentication and authorization mechanisms to meet user requirements, from simple locally based password authentication to centralized directory service integration to handle both authentication and authorization. Administrators must keep user information up-to-date and secure for the entire enterprise. This task becomes more difficult as the number of applications, databases, and users increases. Each user might have or need multiple accounts on different databases, making it harder to remember passwords. In addition to user and account management problems, these conditions also produce security problems. Any time a user leaves a company or changes jobs, that user's privileges should be changed immediately in order to guard against their misuse. However, large enterprises often have many user accounts distributed over multiple databases, and an administrator may be unable to make timely changes.
Oracle Database provides different choices of authorization and authentication methods.
Oracle Database authentication and authorization can be managed either locally within the database or centrally in a directory service. In most production use cases, database users should be managed centrally similar to other IT systems for better security, stronger controls over data access and compliance reporting.
Oracle Database provides simple password authentication out of the box with every database. This allows you to quickly create a database and provide access to it, which is useful for some environments such as development. Authorization is also managed locally, with privileges and roles granted directly to the user schema in the database. With local password authentication and local authorization, every new database user, every departing user, and every change in privileges and roles has to be handled by the local DBA, including password resets. A typical method of authentication is the traditional password. When database authentication is used for a user, the administration of that user account, including authentication, is performed entirely by Oracle Database. Users can also be authenticated externally by the operating system. In this case, the user account is still maintained by Oracle Database, but password administration and user authentication are performed by an external service. This external service can be the operating system or a network service, such as Oracle Net.
Authorization is managed locally at the database through roles and privileges assigned to user accounts.

Oracle Database enables strong centralized authentication with Oracle authentication adapters that support various third-party authentication services such as Kerberos, Remote Authentication Dial-In User Service (RADIUS), and SSL authorization using certificates. OS authentication can also be considered a form of centralized authentication if the OS is configured in that manner.
While authentication is centralized in these cases, authorization remains for the most part locally managed in the database. Although OS and RADIUS authentication allow for some authorization through their own services, most users manage roles and privileges locally in the database.
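The local model described above, as an added example that is not part of the Oracle documentation text: one password-authenticated account, one OS-authenticated account, a role that carries the privileges, and the data-dictionary queries a reviewer would run to see how each account authenticates and what it holds. The user, role and table names (app_reader, OPS$ALICE, reporting_role, hr.employees) are constructed placeholders.

```sql
-- Added example, not from the original page. Names are constructed placeholders.

-- 1. Locally authenticated user: Oracle Database stores and verifies the password.
CREATE USER app_reader IDENTIFIED BY "Str0ngPassw0rdChangeMe1";
GRANT CREATE SESSION TO app_reader;

-- 2. Externally (OS) authenticated user: the operating system verifies identity,
--    the database only keeps the account. The database user name must be
--    OS_AUTHENT_PREFIX followed by the OS user name; the prefix defaults to OPS$,
--    so confirm the actual value before creating the account.
SELECT value FROM v$parameter WHERE name = 'os_authent_prefix';
CREATE USER "OPS$ALICE" IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO "OPS$ALICE";

-- 3. Authorization stays local in both cases: group privileges in a role and
--    grant the role, so that a later change is one GRANT or REVOKE per user
--    instead of many direct object grants.
CREATE ROLE reporting_role;
GRANT SELECT ON hr.employees TO reporting_role;   -- hr.employees: placeholder table
GRANT reporting_role TO app_reader;
GRANT reporting_role TO "OPS$ALICE";

-- 4. Review check: how is each account authenticated, and is it open?
--    AUTHENTICATION_TYPE is PASSWORD for app_reader and EXTERNAL for OPS$ALICE.
SELECT username, authentication_type, account_status
FROM   dba_users
WHERE  username IN ('APP_READER', 'OPS$ALICE');

-- 5. Review check: which roles, system privileges and object privileges does
--    each account hold, whether through the role or granted directly?
SELECT grantee, granted_role            FROM dba_role_privs
WHERE  grantee IN ('APP_READER', 'OPS$ALICE');
SELECT grantee, privilege               FROM dba_sys_privs
WHERE  grantee IN ('APP_READER', 'OPS$ALICE', 'REPORTING_ROLE');
SELECT grantee, owner, table_name, privilege FROM dba_tab_privs
WHERE  grantee IN ('APP_READER', 'OPS$ALICE', 'REPORTING_ROLE');

-- 6. Offboarding is still a local DBA task under this model: revoke the role,
--    then drop the account.
REVOKE reporting_role FROM "OPS$ALICE";
DROP USER "OPS$ALICE";
```

The queries in steps 4 and 5 are the ones to repeat periodically: they show whether an account that should have been removed still exists and what it can still reach.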
Centralized management of users is a key part of IT security, and the database is no exception. Onboarding new users, assigning them to the correct resources with the correct privileges, changing privileges, and removing access when they leave is done more securely from a central place than by managing every change within every production database. DBAs can then focus on application development or database maintenance instead of the drudgery of fulfilling password reset requests. Oracle Database provides two ways to get central authentication and central authorization: