About Pre-Authenticated Request (PAR) URLs on Autonomous Database
Depending on how you generate a Pre-Authenticated Request (PAR) URL, a PAR URL provides access to data in tables or views or by running a SQL query.
When you generate a PAR URL you specify an expiration, either as an expiration time, for example set the PAR URL to expire after 120 minutes, or as an expiration count, for example the PAR URL expires after the PAR URL is used 10 times.
PAR URLs provide the following:
-
Public Access: Using a PAR URL a data recipient on the public internet can access data when the data resides on an Autonomous Database instance in a private subnet.
-
Expiration: A data provider specifies expiration for a PAR URL, meaning the PAR URL has a limited time before it expires (up to a maximum of 90 Days).
-
Expiration Use Count Limits: A data provider can specify a limit on how many times a recipient can use a PAR URL to access data.
-
Endpoint Transparency: A data provider is able to hide the Autonomous Database name so that it is not visible in a PAR URL.
-
Column Level Options for Tabular Format Features and Grouping: When you generate a PAR URL you can specify the following options by column: sorting, filtering, allow cell colors, or the group by option where you can select to view data grouped by the values in a specified column.
There is a limit of 128 active PAR URLs on an Autonomous Database instance.
PAR URL Use Cases
Generating and providing PAR URLs supports the following use cases:
| Use Case | Description |
|---|---|
|
Within Organization Collaboration |
You can use PAR URLs for emergency data access. In situations where a rapid response is needed, such as during a critical incident investigation, you provide a PAR URL to allow immediate and temporary access to specific data without the need to create new database accounts or modify existing permissions. |
|
BB (Business to Business) Applications |
A business partner can easily access data. Using a PAR URL, a business can provide a business partner with a simple way to access data or reports. This can eliminate the need for manual report generation and email distribution. |
|
Third-party Audits and Reviews |
When an external auditor or reviewer requires access to specific data for a limited time, a PAR URL can give them the access they need without compromising the overall security of the database. |
|
Data as a Product (Digital Commerce) |
Vendors can grant limited or single-use access to purchased content or data using a PAR URL. Once accessed, the URL expires, protecting the product’s exclusivity and ensuring efficient, secure delivery. |
Security Best Practices for PAR URLs
Following are some best practices for generating and using PAR URLs:
-
Set a Short Expiration Time: A PAR URL should only be valid for the minimum time required. The shorter the validity period, the lower the risk if the PAR URL is compromised.
-
PAR Invalidation: Invalidate a PAR URL immediately when it is no longer required.
-
Use Appropriate Permissions: A PAR URL runs using the privileges granted to the database user who generates the PAR URL. The user that generates a PAR URL should have the minimum privileges required for providing access to the data.
-
Content Security: To mitigate risk of sharing unintended dynamic data:
-
Create a view on top of the data that you want to share in a PAR URL, and monitor that the view definition is up to date.
-
As needed, create a VPD policy when you generate a PAR URL. You can use VPD policies to restrict the rows visible to the PAR URL users.
-
-
Load Monitoring: Monitor the PAR URL query load using PerfHub and SQL monitoring.
Enable Compute auto scaling and make sure that the CPU count is appropriately sized for the data set size and PAR URL query load.