Oracle Autonomous Database
Version 21c

General Information
Purpose
This page will serve as a landing page for information discovered that can be shared about the Autonomous Database. It has been put together as a collaborative effort with Oracle ACE Ric Van Dyke and we will add to it as new discoveries are made.

Where there is demo code it will be from a 21c autonomous database. Comments on it, unless identified as "confirmed", will contain some amount of speculation and should be read with that in mind. But, equally important to keep in mind ... Oracle Autonomous Database is DBaaS in the purest form of the acronym. It is not your database ... it is Oracle's ... and you are renting it. Will you be able to perform necessary management functionality? Yes. Will you be able to perform it the way you used to when you could just declare yourself SYSDBA, compromise every least-privilege aspect of security and do whatever you wanted? No. And both you and your employer will be far better off because of it, though it may not make you happy, at least at first.
Definitions

These are purely speculative and readers should expect them to be incorrect or incomplete, but it's all we have to go with at the moment.
Keyword      Meaning
-----------  ------------------------------------------------------------
APPLICATION  In version 12c Oracle introduced a new data dictionary view "DBA_APPLICATIONS" which didn't seem justified until now. Look below to see how it is being used in the Autonomous Database.
POD          An Application Root Container.
SEED         The seed container used to create an Application Root Container.
TENANT       The owner of an Application Root Container.
Security
There is little question that the Autonomous Database is more secure than the standard Oracle Database. Not, it is likely, because Oracle invested a huge amount of extra effort in security, but rather because they implemented something they should implement across all future versions of the product: getting rid of the overly permissive SYSDBA as the standard management access point.
 
Autonomous Database Version (new 21c)
In the auto
SELECT * FROM v$version;

BANNER
BANNER_FULL
BANNER_LEGACY
CON_ID
-----------------------------------------------------------------------
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
Version 21.2.0.0.0
Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Production
0
 
Admin User (new 21c)
In the autonomous database the user SYS is not available to DBAs. The top level management schema is ADMIN.

A couple of things are interesting here. The first is that DEFAULT COLLATION is returned, which does not occur in 21.3. The other is that the profile is not DEFAULT.
SELECT dbms_metadata.get_ddl('USER', 'ADMIN') FROM dual;

DBMS_METADATA.GET_DDL('USER','ADMIN')
---------------------------------------------------------------------------------
CREATE USER "ADMIN" IDENTIFIED BY VALUES 'S:0DC7E52B1A4BE9A913F868711E1329D35
BD6A5ED85DA3B0B3B16442159C9;T:DC98E8800E1A73CFCA5547B057778C4D92BBB6B363BD560BDC
970862FCFDA13E3A52D5F1B320E1EA507E5A3407241DEB0B6E21D8679D0197284926EAE9A65DC25F
40D072AECC68AA7E4BEE71506D42EF' DEFAULT COLLATION "USING_NLS_COMP"
DEFAULT TABLESPACE "DATA"
TEMPORARY TABLESPACE "TEMP"
PROFILE "ORA_ADMIN_PROFILE"
 
Admin Profile (new 21c)
In the autonomous database the user SYS is not available to DBAs. The top level management schema is ADMIN.
SELECT resource_name, resource_type, limit
FROM dba_profiles
WHERE profile = 'ORA_ADMIN_PROFILE'
ORDER BY 2,1;

RESOURCE_NAME             RESOURCE    LIMIT
------------------------- ---------   ------
COMPOSITE_LIMIT           KERNEL      DEFAULT
CONNECT_TIME              KERNEL      DEFAULT
CPU_PER_CALL              KERNEL      DEFAULT
CPU_PER_SESSION           KERNEL      DEFAULT
IDLE_TIME                 KERNEL      DEFAULT
LOGICAL_READS_PER_CALL    KERNEL      DEFAULT
LOGICAL_READS_PER_SESSION KERNEL      DEFAULT
PRIVATE_SGA               KERNEL      DEFAULT
SESSIONS_PER_USER         KERNEL      DEFAULT
FAILED_LOGIN_ATTEMPTS     PASSWORD    UNLIMITED
INACTIVE_ACCOUNT_TIME     PASSWORD    DEFAULT
PASSWORD_GRACE_TIME       PASSWORD    30
PASSWORD_LIFE_TIME        PASSWORD    360
PASSWORD_LOCK_TIME        PASSWORD    1
PASSWORD_REUSE_MAX        PASSWORD    4
PASSWORD_REUSE_TIME       PASSWORD    1
PASSWORD_ROLLOVER_TIME    PASSWORD    DEFAULT
PASSWORD_VERIFY_FUNCTION  PASSWORD    FROM ROOT

18 rows selected.
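
Added example, not part of the original page: in DBA_PROFILES a LIMIT of DEFAULT means the value is inherited from the profile named DEFAULT, so the listing above does not show what ADMIN is actually subject to. The query below resolves each limit and marks password resources whose effective value is UNLIMITED (on the listing above that is FAILED_LOGIN_ATTEMPTS); the REVIEW flag is this example's own convention.

```sql
-- Added example: effective limits of ORA_ADMIN_PROFILE.
-- 'DEFAULT' rows are resolved against the profile named DEFAULT.
-- The REVIEW flag is a label chosen for this example, not an Oracle value.
SELECT a.resource_type,
       a.resource_name,
       a.limit AS admin_limit,
       d.limit AS default_profile_limit,
       CASE a.limit WHEN 'DEFAULT' THEN d.limit ELSE a.limit END AS effective_limit,
       CASE
         WHEN a.resource_type = 'PASSWORD'
          AND (CASE a.limit WHEN 'DEFAULT' THEN d.limit ELSE a.limit END) = 'UNLIMITED'
         THEN 'REVIEW'
       END AS flag
FROM dba_profiles a
LEFT JOIN dba_profiles d
  ON d.profile = 'DEFAULT'
 AND d.resource_name = a.resource_name
WHERE a.profile = 'ORA_ADMIN_PROFILE'
ORDER BY a.resource_type, a.resource_name;
```

With FAILED_LOGIN_ATTEMPTS unlimited, PASSWORD_LOCK_TIME never comes into play, because an account is only locked once the failed-attempt count is exceeded.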
 
C##CLOUD$SERVICE User (new 21c)
Objects owned by this user are required to satisfy dependencies in the POD_CDB packages.
SELECT dbms_metadata.get_ddl('USER', 'C##CLOUD$SERVICE') AS USER_DDL FROM dual;

USER_DDL
------------------------------------------------------------
CREATE USER "C##CLOUD$SERVICE"
IDENTIFIED BY VALUES 'S:
<many space>;T:<many_spaces>'
DEFAULT COLLATION "USING_NLS_COMP"
DEFAULT TABLESPACE "SYSAUX"
TEMPORARY TABLESPACE "TEMP"

1 row selected.
 
C##CLOUD$SERVICE User's Roles (new 21c)
Roles granted to the CLOUD$SERVICE common user

Key:
ADW = Autonomous Data Warehouse
DBFS = DataBase File System
DV = Database Vault
OML = Oracle Machine Learning
SELECT granted_role
FROM dba_role_privs
WHERE grantee = 'C##CLOUD$SERVICE'
ORDER BY 1;

GRANTED_ROLE
------------------------------
AUDIT_VIEWER
CAPTURE_ADMIN
CONNECT
C##ADWC_ADMIN
C##ADWC_MONITOR
C##ADWC_OPERATOR
DBA
DBFS_ROLE
DV_ACCTMGR
DV_OWNER
DV_PATCH_ADMIN
OML_DEVELOPER
OML_SYS_ADMIN
RECOVERY_CATALOG_OWNER
SELECT_CATALOG_ROLE
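
Added example, not part of the original page: the listing above shows only roles granted directly to C##CLOUD$SERVICE. The query below walks nested role grants and lists the broad system privileges each role contributes, assuming the connected user (ADMIN here) can read DBA_ROLE_PRIVS and DBA_SYS_PRIVS.

```sql
-- Added example: expand roles granted to C##CLOUD$SERVICE through nested
-- role grants, then show "ANY" privileges and privileges held WITH ADMIN OPTION.
WITH role_tree AS (
  SELECT granted_role,
         LEVEL AS depth,
         SYS_CONNECT_BY_PATH(granted_role, ' > ') AS grant_path
  FROM dba_role_privs
  START WITH grantee = 'C##CLOUD$SERVICE'
  -- NOCYCLE guards against a looping grant chain
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT rt.depth,
       rt.grant_path,
       sp.privilege,
       sp.admin_option
FROM role_tree rt
JOIN dba_sys_privs sp
  ON sp.grantee = rt.granted_role
WHERE sp.privilege LIKE '% ANY %'
   OR sp.admin_option = 'YES'
ORDER BY rt.depth, rt.grant_path, sp.privilege;
```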
 
Tablespaces (new 21c)
Tablespaces created
SELECT tablespace_name, bigfile AS big_file
FROM dba_tablespaces
ORDER BY 1;

TABLESPACE_NAME BIG_FILE
--------------- ---------
DATA            YES
DBFS_DATA       YES
SAMPLESCHEMA    YES
SYSAUX          YES
SYSTEM          YES
TEMP            YES
UNDO_2          YES

7 rows selected.
 
POD_CDB Objects (new 21c)
$ORACLE_HOME/rdbms/admin in 21.3 has a number of scripts with names in the form POD_CDB.

A review of these scripts led to the belief that POD is a keyword that translates to AUTONOMOUS DB.

Much of the syntax in the POD_CDB_ADMIN package was written by someone almost completely clueless about Oracle Database administration, or to be charitable, written by someone trying to frustrate anyone interested in understanding how the database works.
-- from 21.3

[oracle@test21 admin]$ ls -l pod_cdb*
-rw-r----- 1 oracle oinstall 143716 Jul 27 11:56 pod_cdb_admin.plb
-rw-r----- 1 oracle oinstall   1858 Jul 27 11:56 pod_cdb_admin_common.plb
-rw-r----- 1 oracle oinstall   1888 Jul 20  2020 pod_cdb_admin_common_spec.sql
-rw-r----- 1 oracle oinstall   2859 Jul 27 11:56 pod_cdb_admin_http.plb
-rw-r----- 1 oracle oinstall   3416 Jul 20  2020 pod_cdb_admin_http_spec.sql
-rw-r----- 1 oracle oinstall   9133 Jul 27 11:56 pod_cdb_admin_job.plb
-rw-r----- 1 oracle oinstall   3492 Jul 20  2020 pod_cdb_admin_job_spec.sql
-rw-r----- 1 oracle oinstall  47510 Jul 20  2020 pod_cdb_admin_spec.sql
-rw-r----- 1 oracle oinstall  19192 Jul 20  2020 pod_cdb_admin_tables.sql
-rw-r----- 1 oracle oinstall   4213 Jul 27 11:56 pod_cdb_admin_util.plb
-rw-r----- 1 oracle oinstall   5011 Jul 20  2020 pod_cdb_admin_util_spec.sql
-rw-r----- 1 oracle oinstall   8580 Jul 20  2020 pod_cdb_admin_views.sql
 
POD_CDB Objects Owned By Admin (new 21c)
Due to a lack of full access, as ADMIN, only a limited view of which of these POD_CDB objects have been installed is possible, so it is very probable that the listing below is deceiving.

That said, it is obvious that a common user C##CLOUD$SERVICE has been created to host one of the packages.
SELECT owner, object_name, object_type
FROM dba_objects
WHERE object_name LIKE 'POD_CDB%';

OWNER             OBJECT_NAME           OBJECT_TYPE
----------------- --------------------- -----------------------
C##CLOUD$SERVICE  POD_CDB_ADMIN_COMMON  PACKAGE
C##CLOUD$SERVICE  POD_CDB_ADMIN_COMMON  PACKAGE BODY


2 rows selected.
 
Applications (new 21c)
We have insufficient information to decipher this listing but our suspicion that Oracle intended something more for DBA_APPLICATIONS has been confirmed.

Some of the application names appear to fit neatly into a working DBA's framework and our speculations have been appended to each row

IDM may stand for Identity Management

Note: ORDS has an important function in Autonomous Database but we do not currently understand that purpose well enough to speculate upon it.
SELECT app_name, app_status, app_capture_service
FROM dba_applications
ORDER BY 3,1;

APP_NAME                    APP_STATUS APP_CAPTURE_SERVICE             speculation
--------------------------- ---------- ------------------------------- ----------------
APP$CDB$POSTUPGRADE$APX     NORMAL     dwcsseed                        APEX Upgrades
APP$CDB$POSTUPGRADE$DV      NORMAL     dwcsseed                        DB Vault Upgrade
APP$CDB$PDBONLY$OMLMOD      NORMAL     dwcsseed                        Machine Learning
APP$CDB$PDBONLY$POSTUPGRADE NORMAL     dwcsseed                        Upgrades
APP$CDB$POSTUPGRADE$SPL     NORMAL     dwcsseed                        SPL Plug-ins
APP$CDB$POSTUPGRADE$TXT     NORMAL     dwcsseed                        Ora Text Upgrade
APP$CDB$APEXPATCH           NORMAL     SYS$USERS                       Patching
APP$CDB$PDBONLY$GRAPH       NORMAL     SYS$USERS                       Graph DB
APP$CDB$PDBONLY$RMAN        NORMAL     SYS$USERS                       Backup/Recovery
APP$CDB$POSTUPGRADE$ADP     NORMAL     SYS$USERS                       Upgrade
APP$CDB$POSTUPGRADE$OML4PY  NORMAL     SYS$USERS                       Machine Learning
APP$CDB$SYSTEM              NORMAL     SYS$USERS
APP$CDB$ALL$ADWC            NORMAL     vlrdsjseszc3wkl_db202103231419  Autonomous DW
APP$CDB$ALL$OMLIDM          NORMAL     vlrdsjseszc3wkl_db202103231419  Machine Learning
APP$CDB$DATAPATCH           NORMAL     vlrdsjseszc3wkl_db202103231419  Patching
APP$CDB$PDBONLY$ADWC        NORMAL     vlrdsjseszc3wkl_db202103231419  Autonomous DW
APP$CDB$PDBONLY$OLTP        NORMAL     vlrdsjseszc3wkl_db202103231419
APP$CDB$PDBONLY$ORDSPATCH   NORMAL     vlrdsjseszc3wkl_db202103231419  ORDS Patching

18 rows selected.
 

Related Topics
Database Security
Built-in Functions
Built-in Packages
POD_CDB_ADMIN
POD_CDB_ADMIN_COMMON
What's New In 19c
What's New In 20c-21c

This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2019 Daniel A. Morgan All Rights Reserved