Oracle Database 12c: Real Application Security for Oracle Application Express
Oracle Database 12c: Real Application Security for Oracle Application Express. Joel R. Kallman Director, Oracle Application Express Tanvir Ahmed Principal Technical Staff, Database Security.
Presentation Transcript
Oracle Database 12c: Real Application Security for Oracle Application Express

Joel R. Kallman

Director, Oracle Application Express

Tanvir Ahmed, Principal Technical Staff, Database Security


The following is intended to outline Oracle’s general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Brief Introduction

Joel R. Kallman

Director of Software Development, Database Server Technologies Division

Responsible for all product management and software development of Oracle Application Express

17 year Oracle employee

Actively developing Oracle Application Express since its creation in 1999

Brief Introduction

Tanvir Ahmed, Ph.D.

Principal Technical Staff, Database Security, Server Technologies

Primary developer for Oracle Real Application Security

8 years at Oracle

Ph.D. in CS from Univ. of Minnesota, Twin Cities

Participant at IEEE/ACM as Track Chair, PC member, and reviewer

20 papers in areas related to system security

Program Agenda
  • Oracle Application Express (APEX) Security
  • Oracle Real Application Security (RAS)
  • RAS Integration with APEX
  • Demo: Human Resource (HR) Application
Oracle Application Express (Oracle APEX)
  • Architectural Overview
  • Simple 2-Tier Architecture
  • Pages dynamically rendered using database metadata
  • No code generation or file based compilation
  • Runs everywhere Oracle Database runs
Oracle Application Express (Oracle APEX)

  • Rapid Browser Based Development: point your browser and start developing
  • Leverage SQL Skills: build reports, forms and charts using SQL
  • Self Service Provisioning: runs within Database; out-of-the-box elastic private cloud service; simple to manage, highly scalable

Oracle Application Express Security

Users, Authorization, Data Security

  • Authentication schemes
    • LDAP, SSO, Database Credentials…
  • Authorization schemes
    • Page item, page, or application
    • User Groups
  • Data security using database features
    • Views or Virtual Private Database (VPD)
    • Uses application context in filtering predicate
Oracle Application Express Security

Access Control

  • Easy wizard to set up Access Control in an APEX application
  • Targeted for UI, not data
Oracle APEX Security

Challenges on Data Access Control

Diagram: APEX applications (e.g., an HR application) with custom authorization, executing as a privileged user.

  • Code executes under privileged user, database unaware of end users
  • No native support for application privileges and application roles
  • Data access policy is hard coded and fragmented in views
  • VPD provides hooks for custom logic, adds ‘WHERE’ clause to SQL

Oracle Real Application Security (RAS)

End-to-end application security

Oracle Database Real Application Security

A database authorization solution for end-to-end application security

  • Define, provision, and enforce application-level security policies at the database layer
  • Simplify administration using declarative security policies
  • Build upon experiences from authorization policies used in Oracle Applications
Typical Application Security with APEX

Diagram (left, typical application security): CRM Application and HR Application, each with its own Business Logic & Security and its own Users and Roles; shared, schema-user DB sessions; direct, uncontrolled access to the data.

Diagram (right, Oracle Real Application Security): Identity & Policy Store holding Users and Roles and the Access Control Policy in the database; light-weight sessions; security enforced on direct connections.

Oracle Real Application Security

Key Features

  • Support Application Users and Sessions
    • Schema-less user, Security and application context in DB
  • Support Application Privileges and Roles
    • E.g., ViewSalary, SubmitPO, ApprovePO privileges
    • E.g., Manager, HR_Rep, Approver roles
  • Efficient database-enforced data access control
    • Support various application-centric data access patterns
    • Enforce security close to data
Application Security Requirements: HR

  • Employees can view public information
  • An employee can view own record, update contact
  • Manager can view salary of his reports

Diagram: Employee table with data realms All records, My report and My own, and column privileges viewSalary and viewSSN.
Real Application Security Concepts

Data Realms

  • A group of rows representing a business object
    • Employees in North America
    • My own employee record
    • All employees under my report
  • Assign privileges to columns
    • viewSSN for SSN column
    • viewSalary for Salary column


Real Application Security
  • Data Security Policy Components

  • Application Role R (e.g., Manager)
  • Data Realm D (e.g., Employees under my report)
  • Access Control List (ACL): grant privilege P to role R
  • Application Privilege P (e.g., ViewSalary)

  • Each Data Realm has an associated ACL with grants
  • Data Security policy is a collection of Data Realms and ACLs
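The policy components above (role, privilege, data realm, ACL), put together for the HR requirement "a manager can view the salary of his reports", as an added example that is not part of the presentation. It uses the Oracle RAS administrative packages (XS_PRINCIPAL, XS_SECURITY_CLASS, XS_ACL, XS_DATA_SECURITY) and the ORA_CHECK_ACL operator against an existing HR.EMPLOYEES table; the names HR_MANAGER, NANCY, VIEW_SALARY, HR_PRIVILEGES, MY_REPORTS_ACL and EMPLOYEES_DS are assumed, as is the realm predicate.

```sql
-- Assumed: run by a user with RAS administration privileges against an existing
-- HR.EMPLOYEES table; every principal, privilege, ACL and policy name is made up.
BEGIN
  -- Application role and schema-less application user, both stored in the database
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'HR_MANAGER', enabled => TRUE);
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'NANCY');
  SYS.XS_PRINCIPAL.GRANT_ROLES(grantee => 'NANCY', role => 'HR_MANAGER');
END;
/
BEGIN
  -- Application privilege VIEW_SALARY, declared in a security class that
  -- inherits the standard DML privileges (SELECT, INSERT, UPDATE, DELETE)
  SYS.XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'HR_PRIVILEGES',
    parent_list => XS$NAME_LIST('SYS.DML'),
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE(name => 'VIEW_SALARY')));
END;
/
BEGIN
  -- ACL: grant SELECT and VIEW_SALARY to the HR_MANAGER role (privilege P to role R)
  SYS.XS_ACL.CREATE_ACL(
    name      => 'MY_REPORTS_ACL',
    ace_list  => XS$ACE_LIST(XS$ACE_TYPE(
                   privilege_list => XS$NAME_LIST('SELECT', 'VIEW_SALARY'),
                   principal_name => 'HR_MANAGER')),
    sec_class => 'HR_PRIVILEGES');
END;
/
BEGIN
  -- Data realm "employees under my report": rows whose MANAGER_ID is the employee id of
  -- the current application user; the SALARY column is additionally guarded by VIEW_SALARY
  SYS.XS_DATA_SECURITY.CREATE_POLICY(
    name => 'EMPLOYEES_DS',
    realm_constraint_list => XS$REALM_CONSTRAINT_LIST(XS$REALM_CONSTRAINT_TYPE(
      realm    => 'MANAGER_ID = (SELECT employee_id FROM hr.employees ' ||
                  'WHERE email = XS_SYS_CONTEXT(''XS$SESSION'', ''USERNAME''))',
      acl_list => XS$NAME_LIST('MY_REPORTS_ACL'))),
    column_constraint_list => XS$COLUMN_CONSTRAINT_LIST(XS$COLUMN_CONSTRAINT_TYPE(
      column_name => 'SALARY', privilege => 'VIEW_SALARY')));
  -- Attach the policy to the table: enforced for every session and every access path
  SYS.XS_DATA_SECURITY.APPLY_OBJECT_POLICY(
    policy => 'EMPLOYEES_DS', schema => 'HR', object => 'EMPLOYEES');
END;
/
-- ACL check operator usable from an APEX authorization scheme: 1 means granted
SELECT e.employee_id, e.last_name
  FROM hr.employees e
 WHERE ORA_CHECK_ACL(ORA_GET_ACLIDS(e), 'VIEW_SALARY') = 1;
```

Rows outside the realm are filtered from the result, and SALARY reads NULL for a session that holds no VIEW_SALARY grant on the row's ACL.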
Demo: Oracle Real Application Security

Human Resource (HR) Application

Oracle Real Application Security

Uniform Authorization on All Access Paths

Diagram: direct SQL*Plus connection as Nancy.

Real Application Security
  • Required Features for Application Security
Integration with Oracle APEX

Runtime Integration

  • Application users continue to be provisioned in the database or identity stores
    • User authentication remains in APEX
  • RAS session contains application user, its roles, and session context
    • Based on APEX user’s security context
  • Application code executes within RAS session
    • Attached to and detached from a database session, which is multiplexed across users

Diagram: Page Request → APEX Session → Attach RAS Session → Application code → Detach RAS Session → Page Display
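The attach/detach bracket around the application code, written out with the DBMS_XS_SESSIONS package as an added example; this is not APEX's own integration code. It assumes an existing RAS application user NANCY and a database session with rights to create and attach light-weight sessions.

```sql
-- Assumed: NANCY exists as an RAS application user; this mimics the runtime
-- flow on the slide and is not the code APEX itself runs.
DECLARE
  l_sid RAW(16);
BEGIN
  -- Create a light-weight application session for the APEX-authenticated user
  SYS.DBMS_XS_SESSIONS.CREATE_SESSION(username => 'NANCY', sessionid => l_sid);
  -- Attach it to this shared database session: roles, ACLs and data realms
  -- now apply to NANCY, not to the schema user that opened the connection
  SYS.DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid => l_sid);
  -- Application code runs here; the end user is visible to the database
  DBMS_OUTPUT.PUT_LINE('Running as ' || XS_SYS_CONTEXT('XS$SESSION', 'USERNAME'));
  -- Detach once the page is rendered so the database session can serve another user
  SYS.DBMS_XS_SESSIONS.DETACH_SESSION;
  -- Destroy the application session when the APEX session ends
  SYS.DBMS_XS_SESSIONS.DESTROY_SESSION(sessionid => l_sid);
END;
/
```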

Integration with Oracle APEX

Data Security and Authorization

  • Data Security policy
    • Application privileges, roles, and grants in ACL
    • Instead of custom authorization using VPD (Virtual Private Database)
  • For authorization schemes, use RAS ACL check operators
Oracle Real Application Security

Benefits for APEX Developers

  • Stronger security
    • Enforced regardless of entry points: direct, APEX, or middleware
    • Audit end-user activity in database audit trail
  • Simpler development
    • Declarative policy, relieves writing authorization code
    • Native support for application roles, application privileges, application users
    • Optimized access control for typical data access patterns
  • Simpler administration
    • End-to-end uniform security across mid-tier and database
    • Centralized management of security policies
Oracle APEX & Oracle RAS
  • Fully supported no-cost feature of Oracle Database
  • APEX
    • Oracle Database EE, Oracle Database SE, Oracle Database SE One, Oracle Database XE
    • 10gR2 (10.2.0.4 +), 11gR1, 11gR2,12c
    • Exadata, ODA, RAC
  • RAS
    • Oracle Database EE 12c
  • RAS Integration with APEX
    • Oracle Database EE 12c PS1
Resources
  • Oracle Application Express and Oracle RAS
  • Oracle Application Express – http://apex.oracle.com
  • APEX at OOW – http://apex.oracle.com/oow
  • Demogrounds - Moscone South, Left SL-036
  • Oracle RAS Developer Guide – http://www.oracle.com/pls/db121
  • Demogrounds - Moscone South, # SL-051
Complimentary eBook Register Now

www.mhprofessional.com/dbsec

Use Code: db12c