Lockdown Profile, PDB_OS_CREDENTIALS and other measures to enhance security and isolation of multitenant databases are available since Oracle 12c. Unfortunately only a part of the desired measures can be technically implemented. With the latest release of Oracle 20c a new features called DB Nest has been introduced. DB Nest introduced an other approach to security in PDBs. In this presentation we will discuss the new approach and its possibilities to increase database security of PDBs. The presentation will be completed by corresponding examples and live demos.
2. Stefan Oehrli
Platform Architect, Trainer and Partner at Trivadis
• Since 1997 active in various IT areas and since 2008 with Trivadis AG
• More than 20 years of experience in Oracle databases
• Live with my family (wife and two kids ) in Muri in a small village in CH
Focus: Protecting data and operating databases securely
• Security assessments and reviews
• Database security concepts and their implementation
• Oracle Backup & Recovery concepts and troubleshooting
• Oracle Enterprise User Security, Advanced Security, Database Vault, …
• Oracle Directory Services
@stefanoehrli www.oradba.ch
3.
4.
5. Agenda
• Overview of Database Security
• Container Database Security Challenges
• Risk Mitigation and Measures
• PDB Isolation and Security Measures
• Introduction of Oracle DB Nest
• Challenges
• Summary
SOUG Day - PDB Security, Isolation and DB Nest 20c5 25.11.2020
6. Agenda
• Overview of Database Security
• Container Database Security Challenges
• Risk Mitigation and Measures
• PDB Isolation and Security Measures
• Introduction of Oracle DB Nest
• Summary
SOUG Day - PDB Security, Isolation and DB Nest 20c6 25.11.2020
7. Requirements Knowledge of DB Risk
Top 10 Database Risks and Threats
• Excessive privileges
• Privilege abuse
• Unauthorized privilege elevation
• Platform vulnerabilities
• SQL injection
• Weak audit
• Denial of service
• Database protocol vulnerabilities
• Weak authentication
• Exposure of backup data
SOUG Day - PDB Security, Isolation and DB Nest 20c7 25.11.2020
9. Maximal Data Security Architecture - CDB
SOUG Day - PDB Security, Isolation and DB Nest 20c9 25.11.2020
10. Agenda
• Overview of Database Security
• Container Database Security Challenges
• Risk Mitigation and Measures
• PDB Isolation and Security Measures
• Introduction of Oracle DB Nest
• Summary
SOUG Day - PDB Security, Isolation and DB Nest 20c10 25.11.2020
11. Multitenant Container Database Usage
How are the multitenant container databases used?
• Simple replacement of the classic database (none-CDB)
architecture with just one PDB
• Database consolidation using multiple PDBs
• Private DBAAS
• Public DBAAS
Corporate structure e.g. all one legal entity or subsidiaries?
Infrastructure architecture
• Cloud, Hybrid or on-premises?
• Dedicated hardware
• Virtual environments
• Engineered System
Isolation requirements vary
SOUG Day - PDB Security, Isolation and DB Nest 20c11 25.11.2020
12. Risks in a DBAAS environment
• PDB admin use privilege escalation.
• Excessive use of shared resources.
• Access sensitive data via shared resources e.g.
backup or management LAN.
• Break out of PDB and get OS access as oracle.
• Gain access to the root container (cdb$root)
• Gain access to other PDBs.
• Gain access to the network.
• Use of critical features like
• Administration features
• Oracle JVM
• DBMS_SCHEDULER
• External table pre-processor
SOUG Day - PDB Security, Isolation and DB Nest 20c12 25.11.2020
13. But why isolation at all?
• Only basic database security is not enough...
• PDB admin and user do have comprehensive
privileges (DBAAS).
• Full DBA role
• ALTER SYSTEM, ALTER SESSION,…
• PL/SQL packages and procedures
• Oracle bugs and feature allow to escape the
boundaries of a PDB.
• Scheduler jobs including OS calls
• External table pre-processor scripts
• PL/SQL Library calls
• Java OS calls
• Resource management beyond the scope of PDBs
SOUG Day - PDB Security, Isolation and DB Nest 20c13 25.11.2020
14. Are we alone with this topic?
SOUG Day - PDB Security, Isolation and DB Nest 20c14 25.11.2020
15. Agenda
• Overview of Database Security
• Container Database Security Challenges
• Risk Mitigation and Measures
• PDB Isolation and Security Measures
• Introduction of Oracle DB Nest
• Summary
SOUG Day - PDB Security, Isolation and DB Nest 20c15 25.11.2020
16. Are we cooking or why onions?
• Measures on several levels are essential.
• Layered structure similar to an onion. e.g.
• Secure and correct data
• Secure application design
• PDB hardening
• PDB isolation and security
• General CDB architecture
• CDB hardening
• OS Hardening
• Network security
• The following functions such as lockdown
profiles, path prefix, PDB OS credentials, DB
Nest are only part of a holistic approach.
SOUG Day - PDB Security, Isolation and DB Nest 20c16 25.11.2020
17. Internal and External – both are required
Internal measures
• Database hardening
• Database Security i.e. authentication, authorisation, role concepts
• Database Vault
• PDB Lockdown Profiles
• PDB OS Credential (at least partially)
External measures
• OS Hardening
• Encryption i.e. both at rest and in transport
• Oracle DB Nest
The various measures must be complementary
SOUG Day - PDB Security, Isolation and DB Nest 20c17 25.11.2020
18. Agenda
• Overview of Database Security
• Container Database Security Challenges
• Risk Mitigation and Measures
• PDB Isolation and Security Measures
• Introduction of Oracle DB Nest
• Summary
SOUG Day - PDB Security, Isolation and DB Nest 20c18 25.11.2020
19. Possibilities for risk mitigation
A multitenant container database provides the
following features beyond regular security
measures:
• PATH_PREFIX and CREATE_FILE_DEST clause to
limit data files and directory objects to certain
paths.
• PDB_OS_CREDENTIAL parameter assigning a
dedicated user account for OS interactions
• Lockdown profiles to restrict certain
operations or functionalities in a PDBs
But what can you do with them...?
SOUG Day - PDB Security, Isolation and DB Nest 20c19 25.11.2020
20. Manage File Access
PATH_PREFIX clause to restrict directory object paths
• Set per PDB at creation time. Can not be changed later.
• Restrictions and limitations when PATH_PREFIX is used:
• Existing directory objects might not work as expected.
• PATH_PREFIX string is always added as a prefix to all local directory objects in the PDB.
• It does not apply to Oracle-supplied directory objects.
• Does not affect files created by Oracle Managed Files nor data files or temporary files
• Issues when using / allowing softlinks
CREATE_FILE_DEST clause to restrict directory path for data files or temporary files.
• Implicit set DB_CREATE_FILE_DEST. => can be modified / requires lockdown profile
• Enable Oracle Managed Files for the PDB.
• Specifies the default file system directory or Oracle ASM disk group for PDB files.
SOUG Day - PDB Security, Isolation and DB Nest 20c20 25.11.2020
21. • Alternatively create a PDB based on a template PDB, dbca etc.
• Check current setting of PATH_PREFIX in database_properties
CREATE PLUGGABLE DATABASE pdbsec
ADMIN USER pdbadmin IDENTIFIED BY LAB01schulung ROLES=(dba)
PATH_PREFIX = '/u01/oradata/pdbsec/directories/'
CREATE_FILE_DEST = '/u01/oradata/pdbsec/';
ALTER SESSION SET CONTAINER=pdbsec;
SELECT * FROM database_properties WHERE property_name='PATH_PREFIX';
PROPERTY_NAME PROPERTY_VALUE DESCRIPTION
------------- ------------------------------- ----------------------
PATH_PREFIX /u01/oradata/PDBSEC/directories All paths for objects
such as directories
are relative to this
Configure File Access
• Manually create a PDB based on PDB$SEED
SOUG Day - PDB Security, Isolation and DB Nest 20c21 25.11.2020
22. • Create an Oracle directory object inside PATH_PREFIX
SQL> CREATE DIRECTORY wrong_prefix AS '/tmp/test';
CREATE DIRECTORY wrong_prefix AS '/tmp/test'
*
ERROR at line 1:
ORA-65254: invalid path specified for the directory
SQL> CREATE DIRECTORY no_prefix AS 'no_prefix';
Directory created.
SQL> SELECT directory_name, directory_path FROM dba_directories
2 WHERE origin_con_id=(SELECT con_id FROM v$pdbs);
DIRECTORY_NAME DIRECTORY_PATH
--------------- ------------------------------------------
NO_PREFIX /u01/oradata/PDBSEC/directories/no_prefix
Verify File Access – PATH_PREFIX
• Create an Oracle directory object outside PATH_PREFIX
SOUG Day - PDB Security, Isolation and DB Nest 20c22 25.11.2020
23. Managing OS Access
• Define a dedicated OS user account for system interactions.
• Based on DBMS_CREDENTIAL package and init parameter PDB_OS_CREDENTIAL.
• Introduced with Oracle 12.2.0.1.
• Allows to define dedicated OS credential for:
• External jobs that do not yet have an OS credential specified
• External table pre-processors
• PL/SQL library executions (EXTPROC)
• Can be defined globally or per PDB.
As far as theory goes...
• ... unfortunately there are still bugs (12g-19c)
• … PDB_OS_CREDENTIAL does not work as expected for table pre-processor (DBMS_SCHEDULER
fixed since yesterday for 12.2.0.1 RU April 2019)
SOUG Day - PDB Security, Isolation and DB Nest 20c24 25.11.2020
24. • Set the parameter at CDB level (older version did require a change via pfile)
BEGIN
dbms_credential.create_credential(
credential_name => 'PDBSEC_OS_USER',
username => 'orapdbsec',
password => 'manager');
END;
/
ALTER SYSTEM SET pdb_os_credential=GENERIC_PDB_OS_USER SCOPE=SPFILE;
Define credentials
• Create a credential in the cdb$root for a corresponding OS user
SOUG Day - PDB Security, Isolation and DB Nest 20c25 25.11.2020
• Or individually per PDB
ALTER SESSION SET CONTAINER=pdbsec;
ALTER SYSTEM SET pdb_os_credential=PDBSEC_OS_USER SCOPE=SPFILE;
25. Lockdown Profiles
• Oracle introduced lockdown profiles with 12.1. However, they become interesting only in 12.2 or the
better 18c/19c
• Lockdown profiles allows to restrict user operation in PDBs in a multitenant container database.
• It is possible to assign lockdown profiles to...
• ... individual PDBs, if PDB_LOCKDOWN is set while connected to a particular PDB.
• ... all PDBs in a CDB, if PDB_LOCKDOWN is set while connected to the CDB root.
• … application container, if PDB_LOCKDOWN is set while connected to an application root
• The CREATE LOCKDOWN PROFILE statement must be issued from CDB or application root.
• Usage of lockdown profiles includes 3 steps:
• Create a lockdown profile using CREATE LOCKDOWN PROFILE
• Enable / disable user operations using ALTER LOCKDOWN PROFILE
• Enable the corresponding lockdown profile using ALTER SYSTEM SET pdb_lockdown=
SOUG Day - PDB Security, Isolation and DB Nest 20c26 25.11.2020
26. Capabilities of Lockdown Profiles
• ALTER LOCKDOWN PROFILE statement allows to enable or disable the following functions :
• LOCKDOWN_OPTIONS clause: User operations associated with certain database options.
• LOCKDOWN_FEATURES clause: User operations associated with certain database features.
• LOCKDOWN_STATEMENTS clause: The issuance of certain SQL statements.
• Function can either explicitly be disable or enable.
• Combination of ALL and EXCEPT is possible.
• Oracle 18c introduced a couple of enhancements for lockdown profiles:
• Restrict user operation for ALL, LOCAL or COMMON user.
• Create lockdown profiles based existing profiles as static copy or dynamic link.
SOUG Day - PDB Security, Isolation and DB Nest 20c27 25.11.2020
27. ALTER LOCKDOWN PROFILE sec_default ENABLE OPTION
ALL EXCEPT = ('DATABASE QUEUING');
LOCKDOWN_OPTIONS clause
• The following database options can be restricted:
• DATABASE QUEUING – User operations associated with Oracle Database Advanced Queuing
option
• PARTITIONING – User operations associated with Oracle Partitioning option
• Restriction explicit or with exclusion:
• Use ALL to specify all options.
• Use ALL EXCEPT to specify all options except the specified options.
• Default is ENABLE OPTION ALL.
• Enable all options except DATABASE QUEUING
SOUG Day - PDB Security, Isolation and DB Nest 20c28 25.11.2020
28. • But this covers as well other OPTIONS / FEATURES
• Check the current lockdown profile parameter
CREATE LOCKDOWN PROFILE sc_restricted FROM sc_default;
ALTER LOCKDOWN PROFILE sc_restricted DISABLE OPTION ALL;
SQL> show parameter lockdown
NAME TYPE VALUE
------------- ----- ----------------------
pdb_lockdown string SC_RESTRICTED
LOCKDOWN_OPTIONS clause - insides
• There are more OPTIONS covered than documented
• Simple lockdown profile to restrict the options
SOUG Day - PDB Security, Isolation and DB Nest 20c29 25.11.2020
29. • But you can enable it…
SQL> CREATE TABLESPACE enc256_test06 DATAFILE SIZE 10M ENCRYPTION USING
2> 'AES256' DEFAULT STORAGE(ENCRYPT);
CREATE TABLESPACE enc256_test06 DATAFILE SIZE 10M ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);
*
ERROR at line 1:
ORA-00439: feature not enabled: Transparent Data Encryption
SQL> ALTER LOCKDOWN PROFILE sc_restricted ENABLE
2> OPTION = ('TRANSPARENT DATA ENCRYPTION’);
SQL> CREATE TABLESPACE enc256_test06 DATAFILE SIZE 10M ENCRYPTION USING
2> 'AES256' DEFAULT STORAGE(ENCRYPT);
LOCKDOWN_OPTIONS clause - insides
• Now lets create a encrypted tablespace (wallet etc. has been prepared in advanced)
SOUG Day - PDB Security, Isolation and DB Nest 20c30 25.11.2020
30. oracle@ol7db19:~/ [TDB190C] strings $ORACLE_HOME/lib/libserver19.a |grep -iHn
-A80 -B8 "DATABASE QUEUING"
(standard input)-2679877-vsnf fixed table
(standard input)-2679878-Partitioning
(standard input)-2679879-Objects
...
(standard input):2679885:Database queuing
...
(standard input)-2679927-Transparent Data Encryption
(standard input)-2679939-Advanced Compression
(standard input)-2679940-XStream
(standard input)-2679941-Deferred Segment Creation
(standard input)-2679942-Unified Auditing
...
(standard input)-2679963-In-Memory Aggregation
(standard input)-2679964-Centrally Managed User
(standard input)-2679965-vsnf.c
There are more options…
SOUG Day - PDB Security, Isolation and DB Nest 20c31 25.11.2020
W
arning: highly Undocum
ented
31. ALTER LOCKDOWN PROFILE sec_default DISABLE FEATURE = ('OS_ACCESS');
ALTER LOCKDOWN PROFILE sec_default ENABLE FEATURE = ('TRACE_VIEW_ACCESS');
LOCKDOWN_FEATURES clause
• LOCKDOWN_FEATURES clause disable or enable user operations associated with certain database
features.
• Supports a comprehensive list of database features and feature bundle e.g. AWR_ACCESS,
CONNECTIONS, JAVA, JAVA_RUNTIME, NETWORK_ACCESS, OS_ACCESS, etc.
• See Oracle documentation ALTER LOCKDOWN PROFILE for a complete list.
• Restriction explicit or with exclusion:
• Use ALL to specify all features.
• Use ALL EXCEPT to specify all features except the specified feature.
• Default is ENABLE ALL.
• Disable OS_ACCESS but explicitly enable TRACE_VIEW_ACCESS
SOUG Day - PDB Security, Isolation and DB Nest 20c32 25.11.2020
32. LOCKDOWN_STATEMENTS clause
• LOCKDOWN_ STATEMENTS clause disable or enable issuance of certain SQL statements.
• Use DISABLE to disable the execution of specified SQL statements.
• Use ENABLE to enable the execution of specified SQL statements.
• Restriction explicit or with exclusion:
• Use ALL to specify all statements.
• Use ALL EXCEPT to specify all statements except the specified statements.
• Default is ENABLE STATEMENT ALL.
• The STATEMENT_CLAUSES lets disable or enable specific clauses of the specified SQL statement.
• The OPTION_CLAUSES lets disable or enable setting or modification of specific options.
• E.g. disable all ALTER SYSTEM but allow ALTER SYSTEM SET cursor_sharing
• Challenging to cover all critical statements, clause and options and not open a security flaw.
SOUG Day - PDB Security, Isolation and DB Nest 20c33 25.11.2020
33. • Create a new lockdown profile sec_jvm based on sec_default
• Enable Java and Java runtime
ALTER LOCKDOWN PROFILE sec_default DISABLE STATEMENT = ('ALTER SYSTEM');
ALTER LOCKDOWN PROFILE sec_default ENABLE
STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET') USERS=COMMON;
ALTER LOCKDOWN PROFILE sec_default ENABLE
STATEMENT = ('ALTER SYSTEM') CLAUSE = ('KILL SESSION');
CREATE LOCKDOWN PROFILE sec_jvm FROM sec_default;
ALTER LOCKDOWN PROFILE sec_jvm ENABLE FEATURE = ('JAVA_RUNTIME');
ALTER LOCKDOWN PROFILE sec_jvm ENABLE FEATURE = ('JAVA');
A few more examples
• Disable ALTER SYSTEM but allow it for COMMON user and for clause KILL SESSION.
SOUG Day - PDB Security, Isolation and DB Nest 20c34 25.11.2020
34. Missing parts
• PDB isolation is no a replacement for a
comprehensive security concept.
• Resource management is not covered at all.
• TDE, in particular TDE key management
requires additional measures
• OS specific admin activities are not separated.
e.g. Backup & Recover
• Although user are distinct by
PDB_OS_CREDENTIAL, measures on the OS are
still mandatory. => Layered Security
• Flaw in PDB isolation if poor lockdown profiles
have been defined.
SOUG Day - PDB Security, Isolation and DB Nest 20c35 25.11.2020
35. Agenda
• Overview of Database Security
• Container Database Security Challenges
• Risk Mitigation and Measures
• PDB Isolation and Security Measures
• Introduction of Oracle DB Nest
• Summary
SOUG Day - PDB Security, Isolation and DB Nest 20c36 25.11.2020
36. Oracle DB Nest
Available in Oracle 20c
• Hidden Feature in 19c
Control and isolation of
• OS resources used by a PDB
• File system isolation per PDB
• Secure computing
Concept analog to Container Technologies like Docker
• Use of Linux Namespaces
• Use of CGROUPS
25.11.2020 SOUG Day - PDB Security, Isolation and DB Nest 20c37
37. Architecture of a CDB Nest
25.11.2020 SOUG Day - PDB Security, Isolation and DB Nest 20c38
38. Kernel Namespaces
• Linux kernel function for isolation and
virtualization of system resources
• When a DB Nest is launched, Oracle creates a
set of namespaces for that DB Nest
• Processes within a DB Nest see only its
namespace
OIO Hauskonferenz 2018 - Docker Security39 20.12.2018
39. Control groups (cgroups)
• cgroups is a Linux kernel feature
• mainlined into the Linux kernel since 2007
• Allows to limit that limits, accounts for,
and isolates the resource usage of a
collection of processes
• Possibility of limiting and isolating the
consumption of resources
• Heavely used in Container (runc, Docker
etc.)
• CPU, memory, maximum number of PIDs,
(network, disk I/O)
OIO Hauskonferenz 2018 - Docker Security40 20.12.2018
Source: Wikipedia (https://en.wikipedia.org/wiki/Cgroups)
40. Sneak Preview on DB Nest
• Introduction of new init.ora parameter
• DBNEST_ENABLE – Enables or disables DB Nest
• DBNEST_PDB_FS_CONF – Specifies the location of an optional file system configuration file. Set
this parameter in the CDB root.
• Use of a dedicated broker configured in listener.ora by DEDICATED_THROUGH_BROKER_LISTENER
• Introduction of new commandline tools dbnest and dbnestinit
• Allows to create, initialize and test DB Nests
• Requires additional OS package
• nscd – A Name Service Caching Daemon (nscd)
• sssd – System Security Services Daemon
SOUG Day - PDB Security, Isolation and DB Nest 20c41 25.11.2020
41. • Enable the broker
# DB Nest
DEDICATED_THROUGH_BROKER_LISTENER=ON
ALTER SYSTEM SET use_dedicated_broker=TRUE;
Basic DB Nest Configuration
• Configure a dedicated broker in listener.ora
SOUG Day - PDB Security, Isolation and DB Nest 20c42 25.11.2020
• Enable DB Nest and restart the database
ALTER SYSTEM SET dbnest_enable=cdb_resource_pdb_all SCOPE=SPFILE;
• Check the alert.log for DB Nest
Instance running inside DB Nest (TDB200C_TDB200C)
…
PDBHR(3):DB Nest (PDB00003, 2968463207) open successful
42. oracle@ol7db20:~/ [TDB200C] dbnest list
----------------------------------------------------------------------------
Id : Nest : Parent : : Tag : State
----------------------------------------------------------------------------
1 : TDB200C_TDB200C : : TDB200C_TDB200C : OPEN
Net State :
Namespace State : (pid=0,cnid=4026531836,pnid=4026531836,no namespace,type=0x0)
Resources : (cpu=0)
Property enabled : resources
Seccomp status : (level=none)
FS Isolation : (disabled)
----------------------------------------------------------------------------
2 : PDB00001 : TDB200C_TDB200C : PDB00001 : OPEN
<REMOVED>
---------------------------------------------------------------------------
3 : PDB00002 : TDB200C_TDB200C : PDB$SEED (uid=2427344711) : OPEN
<REMOVED>
----------------------------------------------------------------------------
4 : PDB00003 : TDB200C_TDB200C : PDBHR (uid=2968463207) : OPEN
Net State :
Namespace State : (pid=3827,cnid=4026532191,pnid=4026531836,type=0x7)
Resources : (cpu=0)
Property enabled : namespaces,resources
Seccomp status : (level=strict1)
FS Isolation : (default-config)
-----------------------------------------------------------------------------
Number of active nest namespaces = 4
----------------------------------------------------------------------------
The DB Nest
SOUG Day - PDB Security, Isolation and DB Nest 20c43 25.11.2020
43. • Try the PDB nest
oracle@ol7db20:~/ [TDB200C] dbnest enter PDB00001
Entering nest namespace : PDB00001
oracle@ol7db20:~/ [TDB200C] exit
exit
Exiting nest namespace : PDB00001
oracle@ol7db20:~/ [TDB200C] dbnest enter PDB00003
Entering nest namespace : PDB00003
shell not found : errno = 2
Exiting nest namespace : PDB00003
Entering DB Nests
• Use dbnest to enter the namespace of a nest e.g. opening a shell in this namespace
SOUG Day - PDB Security, Isolation and DB Nest 20c44 25.11.2020
44. Outlook to DB Nest
• Become production in main release
• Enhanced Doc, Conf and Examples
• Available information is limited
• Introduce more configuration features
• Introduce Linux CGROUPS
• Control resources e.g. CPU, Memory
• Control device access
• Become Maturate
SOUG Day - PDB Security, Isolation and DB Nest 20c45 25.11.2020
45. • Reveals a functionality named DB Nest.
And yes it does work J
Parameter Instance Description
----------------------- ----------- --------------------------------
_dbnest_enable NONE dbNest enable
_dbnest_pdb_fs_conf PDB Filesystem configuration
_dbnest_pdb_fs_type DEFAULT PDB FS Type
_dbnest_pdb_scm_conf PDB SCM configuration
_dbnest_pdb_scm_level STRICT1 PDB SCM Level
_dbnest_stage_dir Staging directory configuration
_instance_dbnest_name Instance dbNest Name
25.11.2020 SOUG Day - PDB Security, Isolation and DB Nest 20c46
Side Note – Oracle DB Nest in 19c
• A possible hint in Oracle 19c based on a few hidden parameter
46. Agenda
• Overview of Database Security
• Container Database Security Challenges
• Risk Mitigation and Measures
• PDB Isolation and Security Measures
• Introduction of Oracle DB Nest
• Summary
SOUG Day - PDB Security, Isolation and DB Nest 20c47 25.11.2020
47. Summary
• It is not exclusively a customer challenge. Oracle has to solve similar issues for its cloud products.
• Lockdown profiles, PATH_PREFIX, PDB_OS_CREDENTIAL etc. do provide basic functionality to
implement PDB Isolation. But…
• … there are still a few bugs or limitations.
• … not all use cases are covered e.g. resource management, java etc.
• What used to be true is still true.
• Do not install Oracle JVM in security-critical databases!
• If it is not absolutely necessary
• With DB Nest it may become less critical
• The new functionality DB Nest does look promising
• Exciting to see that it also works in Oracle 19c J
• It is a young feature and requires quite some engineering and maturity
SOUG Day - PDB Security, Isolation and DB Nest 20c48 25.11.2020