You want to create a role to meet these requirements:
1. The role is to be protected from unauthorized usage.
2. The password of the role is not to be embedded in the application source code or stored in a table.
Which method would you use to restrict enabling of such roles?
A. Create the role with external authentication.
B. Create the role as a secure application role.
C. Create the role as a password-protected role.
D. Create a role and use Fine-Grained Access Control (FGAC) to secure the role.
After database access privileges are grouped into roles, the roles are granted to the application user. Securing these roles can be accomplished in two ways:
1. Embedding passwords inside the applications by creating what are called application roles.
2. Creating application roles and specifying which PL/SQL package is authorized to enable the roles, which are called secure application roles.
Fine-Grained Access Control
Fine-grained access control is based on dynamically modified statements.
Fine-grained access control enables you to build applications that enforce security policies at a low level of granularity. You can use it, for example, to restrict customers accessing an Oracle database server to see only their own accounts. A physician could be limited to seeing only the records of her own patients, or a manager to seeing only the records of employees who work for him.
When you use fine-grained access control, you create security policy functions attached to the table, view, or synonym on which you have based your application. Then, when a user enters a SELECT or DML statement (INSERT, UPDATE, or DELETE) on that object, Oracle Database dynamically modifies the statement, transparently to the user. The modification ensures that the statement implements the correct access control.
About Secure Application Roles
The advantage of using a secure application role is that you can create additional layers of security for application access, on top of the privileges that were granted to the role itself. Secure application roles strengthen security because passwords are not embedded in application source code or stored in a table. This way, the decisions the database makes are based on the implementation of your security policies. Because these definitions are stored in one place, the database, rather than in your applications, you modify this policy once instead of modifying the policy in each application. No matter how many users connect to the database, the result is always the same, because the policy is bound to the role.
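The contrast between a password-protected role and a secure application role, as an added example that is not part of the original page. The schema `sec_admin`, the roles, the user `app_user`, the table `hr.employees` and the subnet are hypothetical names chosen for illustration.

```sql
-- Constructed example: all object names, the password and the subnet
-- below are hypothetical placeholders.

-- Password-protected role: enabling it requires the password, so the
-- application has to carry that password in its source or in a table.
CREATE ROLE hr_pwd_role IDENTIFIED BY "placeholder_password";
-- The application session would then have to issue:
--   SET ROLE hr_pwd_role IDENTIFIED BY "placeholder_password";

-- Secure application role: no password exists. Only the named PL/SQL
-- unit is authorized to enable the role.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.enable_hr_role;
GRANT SELECT ON hr.employees TO hr_app_role;

-- The enabling procedure must run with invoker's rights
-- (AUTHID CURRENT_USER); roles cannot be set from a definer's rights unit.
CREATE OR REPLACE PROCEDURE sec_admin.enable_hr_role
  AUTHID CURRENT_USER
AS
  v_ip   VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
BEGIN
  -- Policy check lives in the database, not in the application.
  -- A NULL IP (local connection) fails the LIKE test, so the
  -- procedure fails closed and the role stays disabled.
  IF v_user = 'APP_USER' AND v_ip LIKE '192.0.2.%' THEN
    DBMS_SESSION.SET_ROLE('hr_app_role');
  END IF;
END enable_hr_role;
/

-- Users only need EXECUTE on the procedure to request the role.
GRANT EXECUTE ON sec_admin.enable_hr_role TO app_user;

-- Granting the role while excluding it from the defaults keeps it
-- disabled at logon until the procedure enables it.
GRANT hr_app_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT hr_app_role;

-- In the application session, after connecting as app_user:
BEGIN
  sec_admin.enable_hr_role;
END;
/

-- Check which roles are active in the current session:
SELECT role FROM session_roles;
```

A direct `SET ROLE hr_app_role` issued by the user outside the procedure is rejected, which is the restriction the question asks for.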