In database security, can you please explain to me why closed security policies provide better protection than open security policies? And can you please evaluate the assumption that an unconstrained upward inheritance of positive permissions in an RBAC role hierarchy is too strong?
To explain why closed security policies are better protection than open ones, let me give you an example. Let's suppose that my company has determined that the Oracle listener will listen on port 1599 (a non-default port) and that all database passwords will contain 8 letters followed by 2 numbers. If I publish this information on the Web, I now let any hacker know exactly which port to point to and exactly how my database passwords are composed. Do you want to give this information to a potential hacker? It's better to safeguard this information within your company.
I'm no expert on Role-Based Access Control outside of the Oracle arena. So I'll give you the information that I know and leave it at that. I'm not convinced that unconstrained upward inheritance is entirely a bad thing. For instance, I might have a role called APPL_USER which is assigned to all of my application users. This role lets the user perform read-only, or SELECT, operations on specific tables. Then I have an APPL_ADMIN role for application administrators. This role lets the admins change the tables, and it also inherits the APPL_USER role so that the admin can read the tables as well. This is an easy way to transfer all of the rights of one role to another. Unfortunately, the APPL_ADMIN role (which has been granted the APPL_USER role) inherits *all* of the APPL_USER role's rights. You can't give APPL_ADMIN just some of the rights granted to APPL_USER. It's an all-or-nothing proposition. This may be too strong for your system. It may be better to code specific rights to APPL_ADMIN and specific rights to APPL_USER. This will separate the two functionalities.
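The two approaches from the answer above, written out as Oracle SQL with a dictionary query that shows what APPL_ADMIN ends up holding through inheritance. This is an added example, not part of the original answer; the schema and table names (APP.ORDERS, APP.CUSTOMERS) are hypothetical, and the audit query assumes the session is allowed to read the DBA_ dictionary views.

```sql
-- Role names come from the answer; APP.ORDERS and APP.CUSTOMERS are hypothetical.
CREATE ROLE APPL_USER;
CREATE ROLE APPL_ADMIN;

-- Approach 1: inheritance. APPL_ADMIN receives every privilege APPL_USER
-- holds now, and every privilege added to APPL_USER later.
GRANT SELECT ON APP.ORDERS    TO APPL_USER;
GRANT SELECT ON APP.CUSTOMERS TO APPL_USER;
GRANT INSERT, UPDATE, DELETE ON APP.ORDERS TO APPL_ADMIN;
GRANT APPL_USER TO APPL_ADMIN;

-- Audit: every table privilege APPL_ADMIN holds, directly or through any
-- chain of granted roles. The VIA_ROLE column shows where each one comes from.
SELECT r.via_role, p.owner, p.table_name, p.privilege
FROM  (SELECT 'APPL_ADMIN' AS via_role FROM dual
       UNION
       SELECT granted_role
       FROM   dba_role_privs
       START WITH grantee = 'APPL_ADMIN'
       CONNECT BY PRIOR granted_role = grantee) r
JOIN   dba_tab_privs p ON p.grantee = r.via_role
ORDER  BY p.owner, p.table_name, p.privilege;
-- With the grants above, SELECT on APP.CUSTOMERS appears via APPL_USER even
-- though the administrators only work with APP.ORDERS.

-- Approach 2: separate, explicit grants. APPL_ADMIN gets only the subset of
-- read access it needs, and later changes to APPL_USER do not reach it.
REVOKE APPL_USER FROM APPL_ADMIN;
GRANT SELECT ON APP.ORDERS TO APPL_ADMIN;
```

Rerunning the audit query after the REVOKE returns only rows whose VIA_ROLE is APPL_ADMIN, which makes it a quick check that no inherited privilege remains.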