Oracle Database Security Administration Practice Exam 2025: Latest Questions

A security administrator wants to ensure that application users can run only a specific set of SQL statements via an application schema, without granting them direct object privileges on the underlying tables. Which approach best fits this requirement?

A database uses Transparent Data Encryption (TDE). After a restart, applications fail with errors indicating encrypted data cannot be accessed until a key is available. What is the most likely cause?

You need to capture audit records in a tamper-resistant way and ensure they are available even if the database instance is compromised. Which option best meets this goal?

Which is the best practice for separating duties between database administration and security administration in Oracle Database?

A compliance team requires auditing of any SELECT against the SALARY column in the HR.EMPLOYEES table, but only for users outside the HR application schema. Which solution is most appropriate?

A security policy requires encryption of sensitive data at rest, but the application cannot be changed. You need to protect an entire tablespace that contains multiple tables. Which Oracle feature best fits?

A privileged user is suspected of reading sensitive data using powerful system privileges that bypass normal grants. You want to prevent ad-hoc access to a protected schema while still allowing the application to function. Which feature is best suited?

Users report that masked values are still visible in a reporting tool for some sessions, but are masked for others. The database uses Oracle Data Redaction policies. Which is the most likely cause?

A company must rotate TDE master encryption keys periodically to meet policy, while ensuring existing encrypted tablespaces remain accessible and without re-encrypting all data immediately. What is the correct approach?

You are designing an auditing strategy to meet a strict requirement: audit policies must be enabled in a way that cannot be bypassed by disabling traditional auditing parameters, and the audit records must include changes to audit policies themselves. Which approach best meets the requirement?

A security administrator needs to quickly verify whether the database is operating in a mode that supports centralized privilege analysis and unified auditing-based compliance reporting. Which view provides the current auditing configuration status most directly?

A developer reports that a report user can see personally identifiable information (PII) in a table even though the security team applied a masking policy. The user is connecting locally via a middle-tier service account using proxy authentication. What is the MOST likely reason the masking is not taking effect?

You must encrypt all datafiles for a sensitive tablespace using Transparent Data Encryption (TDE), and you want the encryption to be automatic and transparent to applications. Which approach is recommended?

A company wants to prevent direct access to a sensitive table while still allowing users to run approved queries. They also need to ensure the base table name is not exposed and privilege grants remain minimal. Which design BEST meets this requirement?

Your organization requires that all administrative actions (such as creating users, granting privileges, and changing audit settings) be captured in a tamper-resistant audit trail that can be consolidated. Which solution best addresses this requirement?

A multitenant database hosts several PDBs. Each PDB has a different business owner and must manage its own encryption keys without affecting other PDBs. Which key management model best fits this requirement?

A user can successfully connect to the database but receives ORA-01031: insufficient privileges when attempting to create a new table in their own schema. They were granted the CREATE TABLE privilege through a role. Why does the operation fail in a definer's rights stored procedure that attempts to create the table on their behalf?

A security team enables a unified audit policy intended to capture SELECT statements on a sensitive schema, but no audit records appear even though users are querying the tables. The policy condition uses an object-specific audit clause, and the team confirms the policy is enabled. What is the MOST likely cause?

A company needs to protect backups containing TDE-encrypted tablespaces. They use RMAN and must ensure backup pieces cannot be decrypted if stolen, even if the database host is compromised later. Which approach BEST addresses this?

A regulated environment requires separation of duties: DBAs must not be able to read application data, but they still need to perform backup/recovery and manage performance. The application uses TDE for data at rest. Which architecture most effectively enforces this requirement?

A security administrator must ensure that Transparent Data Encryption (TDE) can be used in a newly provisioned database, but the master encryption key is not yet available and must not be created by application teams. What is the BEST next step to enable TDE operations while enforcing centralized key control?

An auditor requests proof that all changes to database audit policies are being captured, even if a DBA attempts to disable auditing. Which approach BEST meets this requirement with minimal reliance on database administrators?

A developer reports that an application user can no longer query a table after a security change. The user still has SELECT on the table via a role. The security administrator recently enabled definer's-rights PL/SQL and replaced direct grants with role grants. What is the MOST likely cause?

A security team wants to prevent DBAs from reading sensitive customer data while still allowing them to perform routine administrative tasks (backup, performance tuning, user management). The application uses the same database account for data access. Which solution BEST enforces separation of duties at the database layer?

A security policy requires that end users must never see full payment card numbers, but the same application must be able to perform equality searches and joins on the card number for fraud detection. The database should provide the control without changing application SQL. Which feature BEST fits this requirement?