Database Authentication and Authorization

A fundamental step in securing a database system is validating the identity of the user who is accessing the database (authentication) and controlling what operations they can perform (authorization). A strong authentication and authorization strategy helps protect the users and their data from attackers.

Oracle provides a number of authentication and authorization mechanisms to meet user requirements, from simple locally based password authentication to centralized directory service integration to handle both authentication and authorization. Administrators must keep user information up-to-date and secure for the entire enterprise. This task becomes more difficult as the number of applications, databases, and users increases. Each user might have or need multiple accounts on different databases, making it harder to remember passwords. In addition to user and account management problems, these conditions also produce security problems. Any time a user leaves a company or changes jobs, that user's privileges should be changed immediately in order to guard against their misuse. However, large enterprises often have many user accounts distributed over multiple databases, and an administrator may be unable to make timely changes.

Oracle Database provides different choices of authorization and authentication methods.

Authentication and Authorization

Oracle Database authentication and authorization can be managed either locally within the database or centrally in a directory service. In most production use cases, database users should be managed centrally, as with other IT systems, for better security, stronger control over data access, and compliance reporting.

Local Authentication and Local Authorization

Oracle Database provides simple password authentication out of the box with every database. This lets you quickly create a database and provide access to it, which is useful for environments such as development. Authorization is also managed locally: privileges and roles are granted directly to the user schema in the database. With local password authentication and local authorization, every new database user, every departure, and every change in privileges and roles has to be handled by the local DBA, including password resets.

A typical authentication method is the traditional password. When a user is authenticated by the database, administration of that user account, including authentication, is performed entirely by Oracle Database. Users can also be authenticated externally. In this case the user account is still maintained by Oracle Database, but password administration and user authentication are performed by an external service, which can be the operating system or a network service such as Oracle Net.

Authorization is managed locally at the database through roles and privileges assigned to user accounts.
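The following is an added example, not code from the Oracle page, showing what local authentication and local authorization look like in practice: a password profile enforced by the database, a least-privilege role, an OS-authenticated account, and two checks a DBA can run to see which accounts still depend on locally stored passwords and which hold powerful privileges directly. The profile, role, user and table names (app_profile, app_reader, jsmith, ops$jdoe, hr.employees) are hypothetical; the ORACLE_MAINTAINED column assumes Oracle Database 12c or later.

```sql
-- Added example (not from the Oracle page). Names are hypothetical.

-- 1. Password policy enforced locally by the database. ora12c_verify_function
--    is created by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24   -- lock for one hour (unit is days)
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;

-- 2. A locally authenticated user: the password verifier lives in this database
--    and only a DBA of this database can reset it.
CREATE USER jsmith IDENTIFIED BY "Ch4ngeMe-Now-2024" PROFILE app_profile;

-- 3. Local authorization: privileges go to a role, the role goes to the user.
--    Application users should never receive DBA or "ANY" privileges.
CREATE ROLE app_reader;
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON hr.employees TO app_reader;
GRANT app_reader TO jsmith;

-- 4. An OS-authenticated account: the operating system verifies the identity,
--    the database only keeps the account. With the default OS_AUTHENT_PREFIX
--    (OPS$), OS user "jdoe" maps to database user OPS$JDOE. Trust this only for
--    local connections; keep REMOTE_OS_AUTHENT = FALSE (the default).
CREATE USER ops$jdoe IDENTIFIED EXTERNALLY;
GRANT app_reader TO ops$jdoe;

-- 5. Check: which non-Oracle accounts use which authentication type.
SELECT username, authentication_type, profile, account_status
  FROM dba_users
 WHERE oracle_maintained = 'N'
 ORDER BY authentication_type, username;

-- 6. Check: "ANY" system privileges granted directly to users instead of roles.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN (SELECT role FROM dba_roles)
   AND grantee NOT IN (SELECT username FROM dba_users WHERE oracle_maintained = 'Y');
```

Queries 5 and 6 are the routine checks for this model: an account with AUTHENTICATION_TYPE of PASSWORD is one whose lifecycle (resets, lockouts, removal on departure) is entirely the local DBA's job, and a direct ANY grant to a user is the kind of entitlement that tends to outlive the person.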

Central Authentication and Local Authorization

Oracle Database enables strong centralized authentication through Oracle authentication adapters that support third-party authentication services such as Kerberos, Remote Authentication Dial-In User Service (RADIUS), and SSL/TLS authentication using X.509 certificates. OS authentication can also be considered a form of centralized authentication when the operating system itself is configured to authenticate against a central directory.

  • Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party (the Kerberos authentication server) is secure, and it provides single sign-on, centralized password storage, database link authentication, and enhanced PC security. Oracle supports both the original MIT Kerberos service and the Kerberos service provided with Microsoft Active Directory.
  • RADIUS is a client/server security protocol best known for enabling remote authentication and access. Oracle Database uses this standard in a client/server network environment to enable any authentication method that supports the RADIUS protocol, including token cards and smart cards. Organizations often choose RADIUS when they want multi-factor authentication for database users.
  • SSL/TLS authenticates the client with a digital certificate that complies with the X.509v3 standard and the matching public/private key pair, so the database verifies possession of the private key rather than a password.
  • In OS authentication, the database relies on the OS to authenticate the user and maps the OS identity to the user schema.

While authentication is centralized in these cases, authorization remains, for the most part, locally managed in the database. OS and RADIUS authentication allow for some authorization through their own services, but most users manage roles and privileges locally in the database.
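The following is an added example, not code from the Oracle page, showing the account definitions for the central-authentication, local-authorization model: externally identified users for Kerberos, a TLS client certificate and RADIUS, with a locally defined role doing the authorization, and a query to confirm after login which adapter actually authenticated the session. It assumes the relevant adapter is already enabled in the database's sqlnet.ora (SQLNET.AUTHENTICATION_SERVICES set to KERBEROS5, TCPS or RADIUS, SSL_CLIENT_AUTHENTICATION = TRUE for certificates, and OS_AUTHENT_PREFIX set to the empty string so the Kerberos principal is used verbatim). The realm EXAMPLE.COM, the certificate DN, and the user, role and table names are hypothetical.

```sql
-- Added example (not from the Oracle page). Names, realm and DN are hypothetical.
-- Assumes sqlnet.ora already enables the adapter in use, e.g.
--   SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)   -- or (TCPS) / (RADIUS)
--   SSL_CLIENT_AUTHENTICATION = TRUE               -- for certificate logins
-- and OS_AUTHENT_PREFIX = "" so the Kerberos principal maps to the user as-is.

-- Kerberos: the database user name is the Kerberos principal. The database
-- never sees a password; it validates the service ticket issued by the KDC.
CREATE USER "JSMITH@EXAMPLE.COM" IDENTIFIED EXTERNALLY;

-- TLS client certificate: map the certificate subject DN to an account. The
-- database wallet must trust the CA that issued the client certificate.
CREATE USER tls_jsmith IDENTIFIED EXTERNALLY AS 'CN=jsmith,OU=Eng,O=Example,C=US';

-- RADIUS: the account is also IDENTIFIED EXTERNALLY; the RADIUS server (and
-- any MFA behind it) decides whether the login succeeds.
CREATE USER radius_jsmith IDENTIFIED EXTERNALLY;

-- Authorization stays local: privileges are granted to a role in this
-- database and the role to each account, exactly as in the local model.
CREATE ROLE app_reader;
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON hr.employees TO app_reader;
GRANT app_reader TO "JSMITH@EXAMPLE.COM", tls_jsmith, radius_jsmith;

-- Check from inside a session: which adapter authenticated it (for example
-- KERBEROS, SSL, RADIUS, OS or PASSWORD) and what identity it asserted.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS session_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS authn_identity
  FROM dual;

-- Check from the DBA side: every account whose password is not held here.
SELECT username, authentication_type, external_name
  FROM dba_users
 WHERE authentication_type = 'EXTERNAL'
 ORDER BY username;
```

The point to notice is that removing a person from Active Directory or revoking their certificate stops them logging in, but the account and its role grants in each database survive until a DBA cleans them up; the last query is the list that still needs local housekeeping under this model.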

Central Authentication and Central Authorization

Centralized management of users is a key part of IT security, and the database is no exception. Onboarding new users, assigning them the correct resources with the correct privileges, changing privileges, and removing access when they leave is done more securely from one central place than by managing every change in every production database. DBAs can then focus on application development or database maintenance instead of the drudgery of fulfilling password reset requests. Oracle Database provides two ways to get central authentication and central authorization:

  • Centrally Managed Users (CMU) – Starting in Oracle Database 18c, CMU provides a simpler, direct integration with Microsoft Active Directory (no intermediate directory service) for centralized authentication and authorization of users. It lets organizations use Active Directory to centrally manage users and roles across multiple Oracle databases with the same directory that serves their other IT services. Active Directory users authenticate to the Oracle database with credentials stored in Active Directory. Active Directory also holds authorization information for database users: AD users and groups are mapped to database schemas and to global roles, so all of a user's privileges and roles can be delivered through global roles that are granted when the user authenticates to the database. CMU also applies the central Active Directory account policies, such as password lockout and expiration, to database users. Organizations can use Kerberos, PKI, or password authentication with CMU and Active Directory.
  • Enterprise User Security (EUS) – the legacy database integration with Oracle directory services such as Oracle Internet Directory and Oracle Unified Directory (OID and OUD). This integration centrally stores all the user and authorization mappings in the Oracle directory service. The architecture is still available and will continue to be used by organizations that need the Oracle enterprise domain, current user database links between trusted databases, complex enterprise roles, or a single place for auditing database access privileges and roles. The majority of organizations do not have these complex requirements and can instead use Centrally Managed Users (CMU) with Active Directory.
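The following is an added example, not code from the Oracle page, of the CMU mappings described above, going slightly beyond the text by showing both kinds of schema mapping (a shared schema for an AD group and an exclusive schema for one AD user) alongside global roles, plus the queries used to verify the result. It assumes the database is already configured for CMU (LDAP_DIRECTORY_ACCESS = PASSWORD, a dsi.ora pointing at the domain, and a wallet holding the AD service account); the domain example.com and every group, user, role and table name are hypothetical.

```sql
-- Added example (not from the Oracle page). Domain, DNs and names are hypothetical.
-- Assumes CMU is already set up: LDAP_DIRECTORY_ACCESS = PASSWORD, dsi.ora and
-- a wallet with the AD service account credentials.

-- Shared schema: every member of the AD group logs in to this one schema.
-- CREATE SESSION must be granted to the shared schema (or via a global role).
CREATE USER cmu_app_users IDENTIFIED GLOBALLY AS
  'CN=ORA_APP_USERS,OU=Groups,DC=example,DC=com';
GRANT CREATE SESSION TO cmu_app_users;

-- Exclusive schema: one AD user mapped to one database account.
CREATE USER jsmith IDENTIFIED GLOBALLY AS
  'CN=John Smith,OU=Users,DC=example,DC=com';
GRANT CREATE SESSION TO jsmith;

-- Global roles: privileges are granted locally to the role, but membership is
-- decided by AD group membership at login, so removing a user from the group
-- in AD removes the access in every database that has this mapping.
-- A global role cannot be granted to a user with GRANT; AD decides.
CREATE ROLE app_reader IDENTIFIED GLOBALLY AS
  'CN=ORA_APP_READERS,OU=Groups,DC=example,DC=com';
GRANT SELECT ON hr.employees TO app_reader;

CREATE ROLE app_writer IDENTIFIED GLOBALLY AS
  'CN=ORA_APP_WRITERS,OU=Groups,DC=example,DC=com';
GRANT INSERT, UPDATE ON hr.employees TO app_writer;

-- Check after an AD user connects: SESSION_USER is the schema that was mapped,
-- ENTERPRISE_IDENTITY is the AD user's DN, and SESSION_ROLES lists the global
-- roles obtained through AD group membership.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')          AS session_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY')   AS ad_user_dn,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method
  FROM dual;
SELECT role FROM session_roles;

-- Check from the DBA side: which AD groups or users are wired to which schemas,
-- and which roles are globally (AD) rather than locally controlled.
SELECT username, external_name
  FROM dba_users
 WHERE authentication_type = 'GLOBAL';
SELECT role, authentication_type
  FROM dba_roles
 WHERE authentication_type = 'GLOBAL';
```

With this layout an offboarding is a single change in Active Directory: disabling the account ends authentication, and removing the group memberships ends authorization in every database that maps those groups, with nothing left for each local DBA to revoke.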