View
217
Download
2
Tags:
Embed Size (px)
Citation preview
NCAR/UCAR 20 June 2005
3
Agenda
Security/IdM business drivers Oracle Identity Management
– Oblix
Demonstration of IdM Oracle Database 10g Where to go for more information
NCAR/UCAR 20 June 2005
4
Security and Identity Management Business Drivers
State of Security – United States
90% of respondents* detected computer security breaches within the last twelve months.
80% of respondents acknowledged financial losses due to computer breaches.
– $455,848,000 in quantifiable losses– $170,827,000 theft of proprietary information– $115,753,000 in financial fraud
74% cited their Internet connection as a frequent point of attack
33% cited internal systems as a frequent point of attack
* Source: 2002 CSI/FBI Computer Crime and Security Survey
NCAR/UCAR 20 June 2005
6
Bank of America/Wachovia: Employees Stole and
Bank of America/Wachovia: Employees Stole and
Sold Over 100,000 Customers’ Account
Sold Over 100,000 Customers’ Account
Information – May 23, 2005
Information – May 23, 2005
Polo Ralph Lauren:
Polo Ralph Lauren: 180,000 Credit 180,000 Credit
Cards Stolen - April 14, 2005
Cards Stolen - April 14, 2005
Boston College Database Hacked for 120,000 Boston College Database Hacked for 120,000 Alumni Records – March 17, 2005Alumni Records – March 17, 2005
Former AOL Employee Pleads Guilty in Customer Data Theft
Former AOL Employee Pleads Guilty in Customer Data Theft
February 7, 2005
February 7, 2005
Citigroup lost information on 3.9 million customers while in
Citigroup lost information on 3.9 million customers while in
transit to a credit bureau (June 6, 2005)
transit to a credit bureau (June 6, 2005)
MasterCard reports breach of over 19.9 million credit cards
MasterCard reports breach of over 19.9 million credit cards
(June 19, 2005)(June 19, 2005)
NCAR/UCAR 20 June 2005
7
Cost for compliance by taking one-off versus integrated approach to compliance projects
10 x
NCAR/UCAR 20 June 2005
8
Percentage of support calls relating to forgotten passwords
15-30%
NCAR/UCAR 20 June 2005
9
Percentage of active accounts belonging to employees or contractors that no longer work for the organization
20%
NCAR/UCAR 20 June 2005
10
Time per day, on average, signing into systems and being authenticated. This equals 2,666 employee hours in a typical 10,000
employee organization
16 min
NCAR/UCAR 20 June 2005
11
Richard Clarke, 2002Special Advisor to the President Cyberspace Security
“If you spend more on coffee than on IT security, then you will be hacked…what's more, you deserve to be
hacked!”
NCAR/UCAR 20 June 2005
12
Security Drivers
Government Regulations– Compliance Drivers
Shortened Supply-Chain– Everything is Online, Everybody is Online
Business Continuity– 24x7 availability
Risk Mitigation– Assess what is at risk
Ask your analysts to do a security TCO!
Oracle’s Response
Product and Process Security– Secure Installation & Configuration– Independent Evaluations– Secure Product Development Life Cycle
Oracle Platform Security– Oracle Database Security– Oracle Application Server Security
J2EE Security, Best practices for deployment – Oracle Identity Management
LDAP Server, Single Sign On, Provisioning Solutions and Certificate Authority, Federation
NCAR/UCAR 20 June 2005
15
Oracle Identity Management
NCAR/UCAR 20 June 2005
16
LDAP and OID
LDAP Data model, Naming model, functional model, security model LDAP protocol itself (connection oriented protocol) API for developing directory enabled applications LDIF – standard interchange format for directory data HTTP (lock step) vs. LDAP (in flight) LDAP standards define the wire protocol and the data model, but do not
specify implementations considerations – many details are left up to directory vendors.
Oracle Identity Management Includes LDAP v3 Directory Includes other pieces: Provisioning framework, Single-Sign on,
Directory Integration, Certificate Authority, Oblix components
NCAR/UCAR 20 June 2005
17
Where does it all fit?
NCAR/UCAR 20 June 2005
Oracle Application Server 10g
NCAR/UCAR 20 June 2005
Identity Management
NCAR/UCAR 20 June 2005
Identity Management Components
NCAR/UCAR 20 June 2005
21
Oracle Internet Directory Scalability
– Millions of users – 1000’s of simultaneous clients
High availability– Multimaster replication– Hot backup/recovery, RAC, etc.
Manageability– Multi-node monitoring
Security– Comprehensive password policy– Role / policy based access control– Audit
Extensibility (Plug-in framework)– Virtual attributes– External authentication– Custom password policies
OracleDatabase
LDAPClients
DirectoryAdmin
Console
OID Server
NCAR/UCAR 20 June 2005
Directory Integration Service
Connectors
External Directories
Sun1(iPlanet)
Active Directory
Oracle HR
Oracle DB
OpenLDAP
eDirectory
OracleInternet
Directory
DirectoryIntegration
Service
NCAR/UCAR 20 June 2005
Provisioning Integration Service
ERP,CRM,… eMail Portal
Partner Provisioning System
Oracle Provisioning Integration Service
Event Notification
Engine
Pro
visi
on
ing
Co
nn
ecto
rs
Policy &Workflow
Engine
Delegated Admin Service(Pswds, preferences)
Corporate HR(Employee Enrollment)
Helpdesk Admin
eMail Admin
OID
Portal Admin
NCAR/UCAR 20 June 2005
Delegated Administration Services Admin console w/ role-based
customization– User / group management– End-user vs Admin views– Admin delegation
End-user self-service– Self service provisioning– Set preferences, Org-chart– Pswd reset
Embeddable admin components– For integration with Apps
Extensively configurable– Accommodate new applications– Customize UI views
NCAR/UCAR 20 June 2005
OracleAS
Single Sign-on
OracleAS Single Sign-On
PKI, pwd, Win2K Native Auth…
SecureID, Biokey
ERP,CRM,…
Portal
Partner SSO (Netegrity, RSA, Oblix)
Partner SSO Enabled Environment
OracleAS Enabled Environment
OID
ExtranetExtranet
Federation / Liberty
Integrates Oracle and partner-SSO enabled apps
NCAR/UCAR 20 June 2005
OracleAS Certificate Authority
Allows Oracle customers to secure their deployments
Out-of-the-box PKI solution
Easy provisioning of X.509v3 digital certificates for end users
Web Based certificate management and administration
Seamless integration with Oracle Application Server Single Sign-On & OID
User
OracleCertificateAuthority
InfrastructureDatabase
Secure IT Facility
OracleSingle
Sign-On
OracleInternet
Directory
NCAR/UCAR 20 June 2005
27
Oracle and Oblix
COREid Access
Web Single Sign-On
Flexible Authentication Methods
Policy-based Authorization
COREid Provisioning
Template-based workflow
Agent and Agentless account provisioning
Metadirectory synchronization
Password synchronization
Cross-platform connectivity
COREid Reporting
Centralized auditing
Pre-built identity and security reports
Global View user access
Robust logging framework
COREid Integration
Pre-built Connectors – to leading application servers, web servers, portal servers, and directory servers
“Data Anywhere” Configuration
Benefits
Increased Security
Integrated solution
Define and enforce security, administrative, and access control policies consistently across enterprise applications
Increased Compliance
Audit events across entire enterprise
Who has access to which applications
Access control managed per attribute
Meet Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley compliance
Increased Governance
Centralized policy definition with localized enforcement
User, Group, and Organization Management
Delegated Administration
Self Service and Self Registration
Unified Workflow
Identity Web Services Controls
Password Management
COREid Identity
NCAR/UCAR 20 June 2005
28
Demonstration
NCAR/UCAR 20 June 2005
29
Oracle Database 10gR2
NCAR/UCAR 20 June 2005
30
Grid Computing Components
Storage Database Servers Application Servers Provisioning and
Management Tools
NCAR/UCAR 20 June 2005
31
Grid RoadmapR
OI &
TC
O
Adaptable Infrastructure
Reactive Managed Agile
Low ROI
High ROI
All Oracle• Standardize• Choose Grid platform servers
Upgrade to 9i/10g• Leverage TAF/FAN
Consolidate schemas• Customer data hub• Oracle Fusion• Streams
Leverage Clustering• RAC• OC4J clusters• ASM
Leverage Grid•Grid Control•Services
Axes are for illustrative purposes only
Many databases• Many servers• Many database vendors• Many database versions
Many application servers• Many servers• Many app server vendors• Many app server versions
NCAR/UCAR 20 June 2005
32
Oracle 10gReal Application Clusters
Many small servers act as one Capacity on demand
– Add/remove servers online– Auto server allocation on failure
Mission critical QoS on standard, low cost servers
Scalable AND highly available
Start small, grow incrementally
Proven technology– Thousands of customers– Supported by leading ISVs– Runs on all platforms
NCAR/UCAR 20 June 2005
33
Oracle 10gReal Application Clusters
Automatic Storage Management– Database file system providing clustered volume
management– Integrated into the Oracle kernel
Workload Management– Dynamic load balancing to meet service level
policies
Integrated clusterware stack– Easy to install and manage– Lower cost, single vendor support– Common features on all platforms, improved single
system image– Open to 3rd party clusterware– Clusterware API
34
Pre-enabled row level security– Built on Virtual Private Database – Label Based Access Control (LBAC) framework– Based on stringent government and commercial
requirements for row level security– Data access is based on sensitivity labels and
customizable enforcement options
Leverages Identity Management for …– Labels– Identities and roles– Policy information
Oracle Label Security
35
DBMS_Crypto package Upgrade Improvements DBUA Auditing Improvements Multiple EM improvements Database Backup to tape option Flashback Improvements:
– Flashback Recovery Area (space quota) / RMAN– Database, Table and Row level
Online Transportable Tablespace– Enables a DBA to copy or move a tablespace of data
using the transportable tablespaces feature without making the tablespace read-only in the source database.
Other Oracle 10gR2 new features
NCAR/UCAR 20 June 2005
Oracle - Delivering Better Security Technology for > 25 years
1977 2003
Identity Management
On going Security Evaluations
Fine Grained Auditing
Oracle9iAS JAAS
Oracle9iAS Single Sign-On
Common Criteria (EAL4)
Advanced Security FIPS 140
Oracle Label Security (2000)
Virtual Private Database (1998)
Enterprise User Security
Oracle Internet Directory
Database Encryption API Kerberos framework
Support for PKI
Radius Authentication
Network Encryption
Oracle Advanced Security introduced
First Orange Book B1 evaluation (1993)
Trusted Oracle7 Multilevel Secure Database (1992)
Stored procedures and database roles (1992)
Paranoid Customer Commercial
NCAR/UCAR 20 June 2005
37
Need help? More Information?
[email protected] 303.334.6684 http://www.oracle.com/technology/products/id
_mgmt/index.html Oracle by Example Series: Oracle Application
Server 10g (9.0.4): http://www.oracle.com/technology/obe/obe_as_10g/im/index.html
Deploying Oracle Identity Management with Multi-Master Replication (white paper)
NCAR/UCAR 20 June 2005
38
NCAR/UCAR 20 June 2005
Supporting Slides
NCAR/UCAR 20 June 2005
Platform Security Architecture
Access Management
Directory Services
Provisioning Services
External Security Services Oracle
Platform Security
Application Security
E-Business Suite
Responsibilities, Roles ….
Collaboration Suite
S-MIME, Interpersonal Rights …
OracleASPortal /Wireless
Roles, Privilege Groups …
Oracle Internet Directory
OracleASCertificate Authority
DirectoryIntegration &Provisioning
OracleASSingle Sign-on
Delegated AdministrationServices
3rd PartyApplications
Authorization, Privacy, audit, ….
OracleASPortal /Wireless
Roles, Privilege Groups …
Oracle Database
Enterprise users, VPD, Label SecurityEncryption, DB Audit
Oracle Identity Management
Oracle Application Server
JAAS, JACC, WS Security, …
NCAR/UCAR 20 June 2005
Oracle E-Business / IdM Integration
OID & DIP
User Enrollment
OracleASPortal
PartnerWebApp. OracleAS
SSO
User Browser
(Oracle) HR
DelegatedAdmin.
Oracle E-BusinessSuite Release 11i
Instances Account Provisioning Integration
Oracle HR Sync Agent
NCAR/UCAR 20 June 2005
43
Identity Federation
Enabling identities to be shared and propagated between different systems
Allows individuals to “log-in” once to access resources on networks of different enterprises
No need for central storage of personal information
Organization authenticates its respective users and vouches for their access to third party organization’s services
NCAR/UCAR 20 June 2005
44
Federation Standards - Liberty Alliance
Consortium of 150+ organizations developing open standards for federated network identity
– includes technology, business guidelines, and best practices
Oracle is a Sponsor Member of Liberty Alliance Liberty protocol defines two key functions
– Identity Provider(IDP): an entity that receives security-related requests and generates security assertions
– Service Provider(SP): an entity that generates security-related requests and consumes security assertions (that provides useful content to its clients)
NCAR/UCAR 20 June 2005
45
Federation Usage Scenario
Financial services company– Retirement funds management– 1,000+ partner companies– Millions of end-user accounts
Need to be able to keep up with employment status changes in real time with partner companies
Want to provide users with transparent access to financial services through company portal
NCAR/UCAR 20 June 2005
46
Way it is Done Today
1. Logon to Portal2. Click on Partner 401K link
3. Logon to Partner Site
Company HR
Database
PartnerAccount
Database
Batch Mode Data
Transfer
NCAR/UCAR 20 June 2005
47
Implementation Using Federated Identity Standards
1. Logon to Portal2. Click on Partner 401K link
3. Request Data from Partner Site
4. Federation Protocol Between Oracle SSO & Partner Web Site
Partner website• Explicit login
• Provision and manage customer employee account
NCAR/UCAR 20 June 2005
48
Oracle Consulting Services
Identity management specialists– Field sales– Consulting services
Benefits assessments Architectural assessments Implementation services
NCAR/UCAR 20 June 2005
Grid computing model
BLADE FARM BLADE FARM (Local Grid)(Local Grid)
DynamicallyDynamicallyProvisioned & Provisioned &
RegisteredRegistered
TopologyTopologyManagerManager Workload & Workload &
QOSQOSManagerManager
ResourceResourceManagerManager
BLADESBLADES
High Speed High Speed InterconnectInterconnect
PolicyPolicyManagerManager
Cross-Tier Cross-Tier RoutingRouting
Identity Management InfrastructureIdentity Management Infrastructure
NCAR/UCAR 20 June 2005
Oracle Security Platform
Key component of Oracle’s overall security strategy
Provides an integrated identity management infrastructure built upon Oracle’s “unbreakable” technology
Centralizes security management of Oracle applications across the enterprise
Provides a robust, standards-based platform for security services to the entire enterprise
NCAR/UCAR 20 June 2005
51
Oracle DatabaseAdvanced Security Option
Privacy Solutions– Data Protection over the wire
Client to Server Mid tier to Server Dataguard (Primary to Standby)
– JDBC (thick and thin), OCI
Strong Authentication– Strong alternatives to passwords– Industry Standard Solutions
PKI, Kerberos, RADIUS
NCAR/UCAR 20 June 2005
52
How Customers are Leveraging the Oracle Security Platform
NCAR/UCAR 20 June 2005
53
Customer Case Study -Wireless Carrier
Problem– Subscriber directory for 25M cellular phone customers and phone
number entries worldwide Plans to scale to 100M numbers
– Continuous availability required during frequent bulk updates
Solution– Two Oracle Internet Directory instances with multi-master replication
Why they chose Oracle– Reliable, multi-master replication– Continuous service availability during bulk provisioning operations
NCAR/UCAR 20 June 2005
54
Customer Case Study -Government Lab Problem
– Proliferation of web applications without any centralized management of security and identities
– Lots of Oracle Forms and Reports applications– Semi-independent departments without any central IT
organization Local privilege groups not to be visible outside department
Solution– Unified authentication for 5000 users across all web applications– Centralized user enrollment – Autonomous administration for department application security– Local Identity Management instances for fail-over
Why did they choose Oracle?– Support for autonomous fan-out Identity Management instances– Identity Management enablement for existing applications
NCAR/UCAR 20 June 2005
55
Customer Case Study –Large Insurance Company
Problem– Over 80,000 employees, multi-million customers– A mixed environment: MS desktops, BEA, Oracle & in-house– Require single password for desktop as well as other apps– Availability is critical
Solution– Oracle Internet Directory as directory hub– AD integration, Transparent BEA based apps and custom apps
Why did they choose Oracle?– Support for heterogeneous environment– Scalability, high availability solutions– Deployment on Linux
NCAR/UCAR 20 June 2005
56
Oracle Database 10gVirtual Private Database
Column Relevant Policies– Policy enforced only if specific columns are referenced– Increases row level security granularity
Store ID
AX703
B789C
JFS845
SF78SD
Revenue
10200.34
18020.34
12341.34
13243.34
Inventory($M)
100
150
200
88
OK
Select store_id, revenue… (enforce)
NCAR/UCAR 20 June 2005
57
Oracle Database 10g Virtual Private Database
Column Filtering– Optional VPD configuration to return all rows but filter out
column values in rows which don’t meet criteria
OK
OK
OK
OK
Store ID
AX703
B789C
JFS845
SF78SD
Revenue
10200.34
18020.34
12341.34
13243.34
Inventory($M)
100
150
200
88
Select revenue…..(enforce)
NCAR/UCAR 20 June 2005
58
Dynamically allocates Database storage– Load balances database files across disks Rebalanced
when storage configuration changes (with an optional WAIT)
Capacity on demand– Add/remove storage online– Automatic i/o load balancing
Enhanced data provisioning– Support transportable tablespaces– Eliminates storage fragmentation
Fault tolerant, high performance– Automatically mirrors and stripes
Low cost– Less DBA work: no i/o tuning to do– No volume manager or file system– Better disk utilization– Solved a lot of CW and 9i RAC issues
Oracle 10gAutomatic Storage Management
NCAR/UCAR 20 June 2005
59
ASM – How it Works
Automatic StorageManagement
No volumes: just a pool of storage
– Simplifies layout of datafiles, control files, redo log files and flash recovery area
– Single instance and RAC
Partitions total disk space into uniform sized megabyte units
NCAR/UCAR 20 June 2005
60
ASM – How it Works
No volumes: just a pool of storage
Partitions total disk space into uniform sized megabyte units
Efficient, online add/remove of disk with automatic rebalancing
– ASM Wait on Rebalance– Eliminates Storage
Fragmentation
Automatic StorageManagement
NCAR/UCAR 20 June 2005
61
More on ASM
ASM provides (platform independent):– Services of a Filesystem – Services of a Logical Volume Manager (LVM) – Integrated into the Oracle kernel– Provides software RAID in a platform-independent manner
ASM can stripe and mirror your disks with a choice of redundancy
Allows disks to be added or removed while the database is under load
Automatically balances I/O to remove "hot spots“ Supports direct and asynchronous I/O Uses the Oracle Data Manager API (simplified I/O system call
interface) introduced in Oracle9i
NCAR/UCAR 20 June 2005
62
More on ASM ASM can ONLY be used only for:
– Oracle Data Files – Redo Logs– Control Files – Flash Recovery Area
Files in ASM can be created and named automatically by the database or manually by the DBA.
Files in ASM are not accessible to the O/S; Only way to perform backup and recovery on databases that use ASM files is through Recovery Manager (RMAN).
Memory requirements for ASM are light: only 64 MB for most systems. Support for multiple Oracle database versions In RAC environments, an ASM instance must be running on each cluster node. Choice of Redundancy:
– HIGH – when files are mirrored ASM makes 2 copies instead of the usual 1 copy.– NORMAL – ASM provides an additional 1 copy of each file (conventional mirroring)– EXTERNAL – we rely on external storage to provide any redundancy
NCAR/UCAR 20 June 2005
63
Automatic Workload Management
Application workloads can be defined as Services
– Individually managed and controlled– Assigned to instances during normal startup– On instance failure, automatic re-assignment– Service performance individually tracked– Fine grained control with Resource Manager– Rules can be defined dynamically
NCAR/UCAR 20 June 2005
64
Integrated Clusterware (CRS)
Complete Oracle cluster software solution
Single-vendor support Low Cost
– No need to purchase additional software– Easy to install, manage
Single Instance or RAC installs– CRS CD
Common event and management API’s
Support for third-party clusterware
CRS requires two files to be shared among all of the hosts in the cluster:
– Oracle Cluster Registry (100 MB)– CRS Voting Disk (20 MB)
ConnectivityMessaging and Locking
Cluster Control/RecoveryServices Framework
NCAR/UCAR 20 June 2005
65
Oracle Database Backup – Low Cost Tape Backup
Low cost alternative to complex backup products
Best integrated end-to-end backup of Oracle Databases
Scalable to low 100’s of servers, 10’s of millions of files
Easy to manage – EM 10g and RMAN
Bundled with Oracle Database - Single vendor support
Block Change Tracking – incremental backups
ASM, Database
Files, RecoveryAreas and OS FilesO
racleB
ackup
Performant, Low Cost
Tape Backup
NCAR/UCAR 20 June 2005
66
Flashback Database Accessible via RMAN & SQL*Plus
SQL> FLASHBACK DATABASE to ‘2:05 PM’
Flash Recovery Area– Unified storage location for recovery
related files Flashback Database logs Redo Archive logs RMAN backups
Restores just changed blocks
Holds old block contents
DataFiles
New BlockVersion
Disk Write
Flash Recovery“Rewind” button for the Database
Old BlockVersion
NCAR/UCAR 20 June 2005
67
Flashback Time Navigation
Select * from Emp VERSIONS BETWEEN ‘2:00 PM’ and ‘3:00 PM’ where …
Select * from DBA_TRANSACTION_QUERY where xid = ‘000200030000002D’;
Flashback Row Versions - see all versions of a row between two times, and the transactions that changed the row
Flashback Transaction Query – see all changes made by a transaction
Select * from Emp AS OF ‘2:00 P.M.’ where …
Flashback Query – see data at a point in time
Tx 1
Tx 2
Tx 3
NCAR/UCAR 20 June 2005
68
Enterprise Manager Grid Control
Monitor and manage
Grid-wide view
End-to-end
Top-to-bottom
From anywhere
Manage froma Browser EM2Go
… or a PDA
NCAR/UCAR 20 June 2005
69
Manage Groups as One
Single-view management and monitoring across components
Standardize policies– Configuration– Performance– Security
Automate processes
Automated patch management
Applications
Sets of Systems
NCAR/UCAR 20 June 2005
70
View/Search
Compare/Diff
Change Tracking
ReferenceConfigurations
Analyze
Install/Clone
Configure
Patch
Secure
Maintain
Oracle.com
Product Updates
Patches
ProductConfiguration
OracleInventory
SoftwareConfigurations
HardwareConfigurations
Discover
Managing the Software Life Cycle
EnterpriseManager
Grid Control
Provision
Over 20% of downtime attributable to human configuration errors
NCAR/UCAR 20 June 2005
71
Service Level ManagementMonitor End-user Experience Availability Performance
Monitor Database Click-to-SQL Drilldowns
Monitor Application Click-to-EJB J2EE Activity
ExternalNetwork
InternalNetwork
AppContent
AppServer Database
NCAR/UCAR 20 June 2005
72
Self-Managing Database 10g
ASM
Built-in intelligent infrastructure – Self-aware performance analysis– Proactive server alerts– Automatic tasks
Automatic Database Diagnostic Monitor
– Expert engine in the database
Automatic SQL tuning– Optimize packaged and
custom applications
WorkloadRepository
Alerts &Advisories
AutomaticTasks
Packaged& Custom
Applications
Self-Optimizing SQL
Proven Cost-Based Optimizer
CustomizableApplications
Self-Optimizing SQL
Proven Cost-Based Optimizer
Packaged& Custom
Applications
CustomizableApplications
BetterPerformance
High-load SQL
SuggestedIndexes& MVs
Access Advisor
Self-Optimizing SQL
Proven Cost-Based Optimizer
SQL Advice-> Better
SQL
Auto SQLAnalysis
Packaged& Custom
Applications
CustomizableApplications
BetterPerformance
High-load SQL
SuggestedIndexes& MVs
Access Advisor
Self-Optimizing SQL
Proven Cost-Based Optimizer
SQL Profile-> Improved
Plan
SQL Advice-> Better
SQL
Auto SQLAnalysis
Auto SQL Tuning
Packaged& Custom
Applications
CustomizableApplications
BetterPerformance
High-load SQL
SuggestedIndexes& MVs
Access Advisor
NCAR/UCAR 20 June 2005
77
Flashback Error Correction Database Level
– Flashback Database restores the whole database to time
Uses Flashback Logs Table Level
– Flashback Table restores rows in a set of tables to time
UNDO_RETENTION Maintains data integrity and
constraints– Flashback Drop restores a
dropped table or a index Recycle bin for DROPs
Row Level– Flashback Rows restores rows to
time Uses Flashback Query
Order
Database
Customer
Select * from Emp AS OF ‘2:00 P.M.’ where …