Access Control Within Autonomous Database on Dedicated Exadata Infrastructure
When configuring Autonomous Database on Dedicated Exadata Infrastructure, you need to ensure that your cloud users have access to use and create only the appropriate kinds of cloud resources to perform their job duties. Additionally, you need to ensure that only authorized personnel and applications have access to the autonomous databases created on dedicated infrastructure. Otherwise, you run the risk of "runaway" consumption of your dedicated infrastructure resources or inappropriate access to mission-critical data.
- Oracle cloud user access control
- Client access control
- Database user access control
- Oracle Cloud User Access Control
You control what access the Oracle Cloud users in your tenancy have to the cloud resources that make up your deployment of Autonomous Database on Dedicated Exadata Infrastructure. - Client Access Control
Client access control is implemented in Autonomous Database by controlling network access control and client connections. - Database User Access Control
Oracle Autonomous Database on Dedicated Exadata Infrastructure configures the databases you create to use the standard user management feature of Oracle Database. It creates one administrative user account, ADMIN, that you use to create additional user accounts and to provide access controls for accounts. - Privileged Access Management (PAM)
Parent topic: Security
Oracle Cloud User Access Control
You control what access the Oracle Cloud users in your tenancy have to the cloud resources that make up your deployment of Autonomous Database on Dedicated Exadata Infrastructure.
You use the Identity and Access Management (IAM) service to ensure that your cloud users have access to create and use only the appropriate kinds of Autonomous Database resources to perform their job duties. To institute access controls for cloud users, you define policies that grant specific groups of users specific access rights to specific kinds of resources in specific compartments.
The IAM service provides several kinds of components to help you define and implement a secure cloud user access strategy:
-
Compartment: A collection of related resources. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating your cloud resources.
-
Group: A collection of users who all need the same type of access to a particular set of resources or compartment.
-
Dynamic Group: A special type of group that contains resources that match rules that you define. Thus, the membership can change dynamically as matching resources are created or deleted.
-
Policy: A group of statements that specify who can access which resources, and how. Access is granted at the group and compartment level, which means you write a policy statement that gives a specific group a specific type of access to a specific type of resource within a specific compartment.
Policy and Policy Statements
The primary tool you use to define access control for cloud users is the policy, an IAM (Identity and Access Management) resource containing policy statements that specify access in terms of "Who", "How", "What" and "Where".
Allow
group <group-name>
to <control-verb>
<resource-type>
in compartment <compartment-name>
-
group <group-name>
specifies the "Who" by providing the name of an existing IAM group, an IAM resource to which individual cloud users can be assigned. -
to <control-verb>
specifies the "How" using one of these predefined control verbs:inspect
: the ability to list resources of the given type, without access to any confidential information or user-specified metadata that may be part of that resource.read
:inspect
plus the ability to get user-specified metadata and the actual resource itself.use
:read
plus the ability to work with existing resources, but not to create or delete them. Additionally, "work with" means different operations for different resource types.manage
: all permissions for the resource type, including creation and deletion.
In the context of the dedicated infrastructure feature, a fleet administrator can
manage
autonomous container databases, while a database administrator can onlyuse
them to create autonomous databases. -
<resource-type>
specifies the "What" using a predefined resource-type. The resource-type values for the dedicated infrastructure resources are:exadata-infrastructures
autonomous-container-databases
autonomous-databases
autonomous-backups
Because dedicated infrastructure resources use networking resources, some of the policy statements you create will refer to the
virtual-network-family
resource-type value. Also, you may create policy statements that refer to thetag-namespaces
resource-type value if tagging is used in your tenancy. -
in compartment <compartment-name>
specifies the "Where" by providing the name of an existing IAM compartment, an IAM resource in which resources are created. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating cloud resources.
For the policy details for Autonomous Database, refer to IAM Policies for Autonomous Database on Dedicated Exadata Infrastructure.
For information about how the IAM service and its components work and how to use them, see Overview of Oracle Cloud Infrastructure Identity and Access Management. For quick answers to common questions about IAM, see the Identity and Access Management FAQ.
Best Practices When Planning and Instituting Access Controls
When planning and instituting your access controls for the dedicated infrastructure feature, you should consider these best practices.
-
Create a separate VCN that contains only private subnets. In almost every case, the Autonomous Databases created on dedicated infrastructure house data that is company-sensitive and is normally accessible only from within the company's private network. Even the data shared with partners, suppliers, consumers and customers is made available to them through regulated, secure channels.
Therefore, the network access you provide to such databases should be private to your company. You can ensure this by creating a VCN that uses private subnets and an IPSec VPN or FastConnect to connect to your company's private network. For information about setting up such a configuration, see Scenario B: Private Subnets with a VPN in Oracle Cloud Infrastructure Documentation.
For additional information about securing network connectivity to your databases, see Ways to Secure Your Network in Oracle Cloud Infrastructure Documentation.
-
Create at least two subnets. You should create at least two subnets: one for Autonomous Exadata VM Cluster and Autonomous Container Database resources and one for resources associated with clients and applications of Autonomous Database.
-
Create at least two compartments. You should create at least two compartments: one for Exadata Infrastructure, Autonomous Exadata VM Cluster and Autonomous Container Database resources and one for Autonomous Database resources.
-
Create at least two groups. You should create at least two groups: one for fleet administrators and one for database administrators.
Client Access Control
Client access control is implemented in Autonomous Database by controlling network access control and client connections.
Network Access Control
-
On Oracle Public Cloud, you define network access control using components of the Networking service. You create a Virtual Cloud Network (VCN) containing private Subnets in which your autonomous databases are network-accessible. Additionally, you create Security Rules to allow a particular type of traffic in or out the IP addresses in a subnet.
For detailed information about creating these resources, run Lab 1: Prepare Private Network for OCI Implementation in Oracle Autonomous Database Dedicated for Fleet Administrators.
-
On Exadata Cloud@Customer, you define network access controls by specifying a client network within your data center and recording it in a VM Cluster Network resource within the Exadata Infrastructure resource.
APPLIES TO: Oracle Public Cloud only
Oracle Cloud Infrastructure Zero Trust Packet Routing (ZPR) protects sensitive data from unauthorized access through intent-based security policies you write for resources, such as an Autonomous Exadata VM Cluster (AVMC) to which you assign security attributes.
Security attributes are labels that ZPR uses to identify and organize resources. ZPR enforces policy at the network level each time access is requested, regardless of potential network architecture changes or misconfigurations. ZPR is built on the existing network security group (NSG) and security control list (SCL) rules. For a packet to reach a target, it must pass all NSG and SCL rules and ZPR policy. The request is dropped if any NSG, SCL, or ZPR rule or policy doesn't allow traffic.
You can secure networks with ZPR in three steps:
-
Create ZPR artifacts, namely, security attribute namespaces and security attributes.
-
Write ZPR policies to connect resources using security attributes. ZPR uses a ZPR Policy Language (ZPL) and enforces restrictions on access to defined resources. As an Autonomous Database on Dedicated Exadata Infrastructure customer, you can write ZPL-based policies in your tenancy to ensure that data from AVMCs are accessed only by authorized users and resources.
- Assign security attributes to resources to enable the ZPR policies.
Avoid entering confidential information when assigning descriptions, tags, security attributes, or friendly names to cloud resources through the Oracle Cloud Infrastructure console, API, or CLI.
See Getting Started with Zero Trust Packet Routing for more information.
You have the following options to apply ZPR security attributes to an AVMC:
-
Apply security attributes when you provision an AVMC. See Create an Autonomous Exadata VM Cluster for more information.
- Apply security attributes to an existing AVMC resource. See Configure Zero Trust Packet Routing (ZPR) for an AVMC for more information.
As a prerequisite, the following IAM policies must be defined to add ZPR security attributes to an AVMC successfully:
allow group <group_name>
to { ZPR_TAG_NAMESPACE_USE, SECURITY_ATTRIBUTE_NAMESPACE_USE }
in tenancy
allow group <group_name>
to manage autonomous-database-family
in tenancy
allow group <group_name>
to read security-attribute-namespaces
in tenancy
For added security, you can enable Access Control Lists (ACLs) in both Oracle Public Cloud and Exadata Cloud@Customer dedicated deployments. An ACL provides additional protection to your database by allowing only the client with specific IP addresses to connect to the database. You can add IP addresses individually, or in CIDR blocks. This allows you to formulate a fine grained access control policy by limiting your Autonomous Database’s network access to specific applications or clients.
You can optionally create an ACL during the database provisioning, or at any time thereafter. You can also edit an ACL at any time. Enabling an ACL with an empty list of IP addresses makes the database inaccessible. See Set Access Control List for a Dedicated Autonomous Database for details.
- The Autonomous Database Service Console is not subject to ACL rules.
- Oracle Application Express (APEX), RESTful services, SQL Developer Web, and Performance Hub are not subject to ACLs.
- While creating an Autonomous Database, if setting an ACL fails, then provisioning the database also fails.
- Updating an ACL is allowed only if the database is in the Available state.
- Restoring a database does not overwrite the existing ACLs.
- Cloning a database, full and metadata, will have the same access control settings as the source database. You can make changes as necessary.
- Backup is not subject to ACL rules.
- During an ACL update, all the Autonomous Container Database (CDB) operations are allowed, but Autonomous Database operations are not allowed.
For advanced network controls beyond Access Control Lists, Oracle Autonomous Database on Dedicated Exadata Infrastructure supports using Web Application Firewall (WAF). WAF protects applications from malicious and unwanted internet traffic. WAF can protect any internet facing endpoint, providing consistent rule enforcement across a customer's applications. WAF provides you with the ability to create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL Injection, and other OWASP-defined vulnerabilities. Access rules can limit based on geography or the signature of the request. See Getting Started with Web Application Firewall Policies for steps on how to configure WAF.
Client Connection Control
Oracle Autonomous Database on Dedicated Exadata Infrastructure implements client connection control with standard TLS 1.2 certificate-based authentication to authenticate a client connection.
By default, Autonomous Database uses self-signed certificates. However, you can install your CA-signed server-side certificate from the Oracle Cloud Infrastructure (OCI) console. To bring your own certificate, you must first create the certificate using the Oracle Cloud Infrastructure (OCI) Certificate Service as demonstrated in Creating a Certificate. These certificates must be signed and must be in the PEM format, that is, their file extension must be .pem, .cer, or .crt only. For more details, refer to Certificate Management in Dedicated Autonomous Database.
Database User Access Control
Oracle Autonomous Database on Dedicated Exadata Infrastructure configures the databases you create to use the standard user management feature of Oracle Database. It creates one administrative user account, ADMIN, that you use to create additional user accounts and to provide access controls for accounts.
Standard user management provides a robust set of features and controls, such as system and object privileges, roles, user profiles and password policies, that enable you to define and implement a secure database user access strategy in most cases. See Create and Manage Database Users for detailed instructions.
For basic information about standard user management, see User Accounts in Oracle Database Concepts. For detailed information and guidance, see Managing Security for Oracle Database Users in Oracle Database Security Guide.
Tool | Description |
---|---|
Database Vault |
Oracle Database Vault comes preconfigured and ready to use in Autonomous Databases. You can use its powerful security controls to restrict access to application data by privileged database users, reducing the risk of insider and outside threats and addressing common compliance requirements. Refer to Data Protection in Security Features of Autonomous Database for more details. |
Oracle Cloud Infrastructure Identity and Access Management (IAM) |
You can configure Autonomous Database to use Oracle Cloud Infrastructure Identity and Access Management (IAM) authentication and authorization to allow IAM users to access an Autonomous Database with IAM credentials. Refer to Use Identity and Access Management (IAM) Authentication with Autonomous Database for using this option with your database. |
Azure OAuth2 Access Tokens |
You can centrally manage Oracle Autonomous Database on Dedicated Exadata Infrastructure users in a Microsoft Azure Active Directory (Azure AD) service with the help of Azure For more information about integrating Microsoft Azure Active Directory with your databases, see Authenticate and Authorize Microsoft Azure Active Directory Users for Autonomous Database. |
Microsoft Active Directory (CMU-AD) |
If you use Microsoft Active Directory as a user repository, you can configure your Autonomous Databases to authenticate and authorize Microsoft Active Directory users. This integration can enable you to consolidate your user repository while still implementing a rigorous database user access strategy, regardless of whether you use standard user management, Database Vault, Real Application Security or Virtual Private Database. For more information about integrating Microsoft Active Directory with your databases, see Microsoft Active Directory with Autonomous Database. |
Kerberos |
Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server. Autonomous Database support for Kerberos provides the benefits of single sign-on and centralized authentication of Oracle users. For more information, see Authenticate Autonomous Database Users with Kerberos. |
Kerberos with CMU-AD |
Kerberos authentication can be configured on top of CMU-AD to provide CMU-AD Kerberos authentication for Microsoft Active Directory users. To provide CMU-AD Kerberos authentication for Microsoft Active Directory users, you can enable Kerberos authentication on top of CMU-AD by setting |
Real Application Security and Virtual Private Database |
Oracle Real Application Security (RAS) provides a declarative model that enables security policies that encompass not only the business objects being protected but also the principals (users and roles) that have permissions to operate on those business objects. RAS is more secure, scalable, and cost effective than its predecessor, Oracle Virtual Private Database. With Oracle RAS, application users are authenticated in the application-tier as well as in the database. Irrespective of the data access path, the data security policies are enforced in the database kernel based on the end-user native session in the database. The privileges assigned to the user control the type of operations (select, insert, update and delete) that can be performed on rows and columns of the database objects. For more information about Oracle RAS, see Introducing Oracle Database Real Application Security in Oracle Database Real Application Security Administrator's and Developer's Guide. Oracle Autonomous Database on Dedicated Exadata Infrastructure also supports Oracle Virtual Private Database (VPD), the predecessor of Oracle RAS. If you are already familiar with and use Oracle VPD, you can configure and use it with you autonomous databases. For more information about Virtual Private Database, see Using Oracle Virtual Private Database to Control Data Access in Oracle Database Security Guide. |
Privileged Access Management (PAM)
Oracle's security posture around user access and privilege management across its products and services is documented in Oracle Access Control.
Autonomous Database on Dedicated Exadata Infrastructure is designed to isolate and protect customer services and database data from unauthorized access. Autonomous Database separates duties between the customer and Oracle. The customer controls access to database schema(s). Oracle controls access to Oracle-managed infrastructure and software components.
Autonomous Database on Dedicated Exadata Infrastructure is designed to help secure data for customer-authorized use and to help protect data from unauthorized access, which includes preventing access to customer data by Oracle Cloud Ops staff members. Security measures designed to protect against unauthorized access to the Exadata Infrastructure, Autonomous VMs, and Oracle database data include the following:
- Oracle Database data is protected by Oracle Transparent Data Encryption (TDE) keys.
- The customer controls access to TDE encryption keys and may choose to store such keys in an external Oracle Key Vault key management system.
- Oracle Database Vault is pre-configured to prevent privileged users from accessing customer data in Autonomous Databases.
- Customers may choose to approve Operator access via Operator Access Control service enrollment.
- All operator access is based on FIPS 140-2 level 3 hardware multi-factor authentication, implemented with a hardware YubiKey implemented with Oracle-approved devices.
- All operator actions are logged at the command level and can be sent to the OCI logging service or a customer SIEM on a near real-time basis.
-
Oracle Operations Access Control ensures that the user accounts that Oracle Cloud operations and support staff use to monitor and analyze the performance cannot access data in Autonomous Databases. Oracle Cloud operations and support staff do not have access to the data in your Autonomous Databases. When you create an Autonomous Container Database, Autonomous Database on Dedicated Exadata Infrastructure enables and configures the Operations Control feature of Oracle Database Vault to block common users from accessing data in Autonomous Databases created in the container database.
You can confirm that Operations Control is active by entering this SQL statement in an Autonomous Database:
The status ofSELECT * FROM DBA_DV_STATUS;
APPLICATION CONTROL
indicates that Operations Control is active.Note
Operations Control was earlier known as Application Control.
PAM is also implemented with Database Vault for data protection, as discussed in Security Features of Autonomous Database.