Oracle to SQL Server Migration Guide

1
Oracle to SQL Server Migration
Approach
Table of Contents
About this Document......................................................................................................................3
Feature Details and Migration Approach..............................................................................................4
Database Logging............................................................................................................................4
Database Backup............................................................................................................................7
Database Restore..........................................................................................................................12
Log Shipping.................................................................................................................................14
Oracle Database Vault...................................................................................................................17
Database Audit.............................................................................................................................19
Authentication..............................................................................................................................22
Privileges......................................................................................................................................25
Roles............................................................................................................................................29
Data Encryption............................................................................................................................34
Logins/User Accounts....................................................................................................................38
Row-Level Security........................................................................................................................41
Data Masking................................................................................................................................43
Case Sensitive Password................................................................................................................45
Total Database Size.......................................................................................................................47
Oracle Database Version ...............................................................................................................49
Set Schema Statement..................................................................................................................51
Admin Accounts............................................................................................................................53
Data Dictionary.............................................................................................................................55
Diagnostics andPerformance views...............................................................................................59
Cluster.........................................................................................................................................61
Packages......................................................................................................................................65
Sequences....................................................................................................................................67
Snapshot......................................................................................................................................71

2
Built-In Functions..........................................................................................................................74
Data Concurrency and Locking Concepts........................................................................................80
Change Data Capture....................................................................................................................87

3
About this Document
The purpose of this document is to provide detailed explanation of features/functionalities
enabled in the Oracle database, recommended migration approach, and any required
workaround. This document can help migration planners and designers to understand the
features used in source databases, effort involved in the migration.
This document was prepared based on the information available at the time, for example, the
capabilities of Oracle Database, SQL DB Server, and migration tools such as SSMA.

4
Feature Details and Migration Approach
Database Logging
Feature Database Logging
Description Redologsare transactionjournals.Eachtransactionisrecordedin
the redologs. Thoughredogenerationisexpensive operation,
Oracle usesonline redologsforcrashrecoveryto bringthe database
to lastknownconsistent state tomaintainthe ACIDpropertiesof the
database.The online redologfilescontainthe informationnecessary
to replaya transaction,committedornot.Evenuncommitted
transactionscan be writtentothe online redologfiles.Before a
commitiscomplete,the transactioninformationiswrittentothe
online redologfiles.
Andchangesto your rollbackorundo segmentsare alsowrittento
the online redologfiles.Inthatsense,theyalsocontainthe
informationtoundoa transaction.
Category HA/DR
To Find Feature
Enablement
Oracle gave usersthe abilitytolimitredogenerationontablesand
indexes forbetterperformance bysettingtheminNOLOGGING
mode. Be careful nevertouse NOLOGGINGoptionunderData guard
setup.DB replicationreliesonredologs.
On the otherhand,FORCE LOGGING can be usedontablespace or
database level toforce loggingof changestothe redo.Thismay be
requiredforsitesthatare mininglogdata,usingOracle Streamsor
usingData Guard (standbydatabases).
SELECT force_logging FROM v$database;
SELECT tablespace_name, force_logging FROM
dba_tablespaces;
SELECT * FROM v$logfile;
To create a table inNOLOGGINGmode:
CREATE TABLE t1 (c1 NUMBER) NOLOGGING;
To enable NOLOGGINGfora table/database:
ALTER TABLE t1 NOLOGGING;
ALTER DATABASE force logging;
Recommendation Feature Description:
SQL Serverrequiresatransactionloginorderto function. That said
there are two modesof operationforthe transactionlog: Simple
and Full.InFull recovery model,the transactionlogkeepsgrowing

5
until youback upthe database.InSimple mode:space inthe
transactionlogis truncatedeveryCheckpoint.
SQL Serverensuresdatadurabilityandrecoverycapabilitiesusing
Write-AheadLogging,hardeningalogrecord before atransaction
begins.SQLServercan write logrecordsdescribingaDB modification
before itwritesthe actual change to the data or object.If SQL Server
can’t write logrecords,itwon’tcommit. For thisreason,its
recommendedleavinglogauto-growthenabled.
Log file:C:Program FilesMicrosoft SQL
ServerMSSWLDataMyDB.Idf
Feature Comparison:
Like Oracle redologging, SQLServerrecordsdatabase transactionsin
transactionlogs.Each transactionrecordcontainsthe undoand redo
image of the transaction.Database logginginSQL Serveristypically
sentthrougha single log.ldf file. Onthe surface,thisappearstobe
much differentfromoracle where logsare brokenupintogroupsof
logscalledRedoLog Groups,butboth architecturesare verysimilar
whenlookat the structure of the .LDF. Each physical .LDFfile isa
groupof Virtual LogFiles,(VLFs),thatbehave muchlikeaRedoLog
Group doesinOracle.
VLFscan be viewedbyrunningDBCCLOGINFO;
ArchivingiscontrolledviaaperiodicBACKUPLOGjobin SQL Server.
VLFsare compressedandsetto .TRN files.
Afterbackup,VLFis clearedandcan be reused.
ThisdiffersfromOracle where theyARCinternal process
automaticallymovesfull logfilestoanarchive directoryastheyfill
up,not on a reoccurringschedule. These filestypicallyhave a.ARC
extensioninOracle are justcopied/renamedrightfromthe RedoLog
Group.
Migration Approach MigratingTransactionLogs
In Oracle,informationontransactionsandthe changestheymake is
recordedin REDO logs.The redo logsare common tothe entire
instance.
In SQL Server,transactional changesare loggedinthe transactionlog
for the database whose objectsare involvedinthe transaction.A
database iscreatedwitha single defaulttransactionlog.The default
transactionloghas to be sizedor new onesaddedbasedonthe
update activityagainstthe database.
To add a transactionlogto a database usingT-SQL,use the following
syntax:
ALTER DATABASE database
{ ADD LOG FILE < filespec > [ ,...n ]

6
where <filespec> ::=
( NAME = logical_file_name
[ , FILENAME = 'os_file_name' ]
[ , SIZE = size ]
[ , MAXSIZE = { max_size | UNLIMITED } ]
[ , FILEGROWTH = growth_increment ] )
Database Loggingis enabledbydefaultinSQLServer.
Loggingisbasedon three recoverymodels:simple,full,andbulk-
logged. The recoverymodel fornew databases istakenfromthe
Model database.Afterthe creationof the new database,youcan
change the recoverymodel usingSSMSor followingT-SQL:
To setthe RecoveryModel:
USE master ;
ALTER DATABASE model SET RECOVERY FULL ;
References http://searchoracle.techtarget.com/answer/What-information-do-
redo-log-files-contain
http://www.databases-la.com/?q=node/33
http://www.dba-
oracle.com/concepts/archivelog_archived_redo_logs.htm
http://users.wfu.edu/rollins/oracle/archive.html
https://msdn.microsoft.com/en-us/library/ms190925.aspx
http://www.sqlshack.com/beginners-guide-sql-server-transaction-
logs/

7
Database Backup
Feature Database Backup
Description The followingmethodsare validforbacking-upanOracle database:
Export/Import Exportsare "logical"database backupsinthatthey extract
logical definitionsanddatafromthe database to a file. Using
exportsforyourbackupscapturesa snapshotintime of your
database.use the CONSISTENT=Yto ensure the exportdump
inthissnapshotisconsistentacrossthe board. usingexport
for yourbackupsdoeslimityourrecoveryoptions.You
cannot performpoint-in-timerecovery.Youcannotroll
forwardany transactionsperformedafterthe exportdump
was created.
Coldor Off-line
Backups
A cold(or off-line)backupisa backupperformed while the
database isoff-lineandunavailable toitsusers. shutthe
database downand backupup ALL data,log,and control
files.
Hot or On-line
Backups
A hot(or on-line) backupisabackupperformedwhile the
database isopenand available foruse (readandwrite
activity). one canonlydoon-line backupswhenthe database
isARCHIVELOGmode. Each tablespace thatneedstobe
backed-upmustbe switchedintobackupmode before
copyingthe filesouttosecondarystorage (tapes). Whenin
backupmode, Oracle will write complete changedblocksto
the redolog files.Normallyonlydeltas are loggedtothe redo
logs. Alsobackupthe control filesandarchivedredologfiles.
The backup thiswayis an inconsistentbackupbecause redo
isrequiredduringrecoverytobringthe database toa
consistentstate.
RMAN Backups while the database isoff-lineoron-line,use the "rman"
oracle providedutilitytobackup the database. RMAN has
manyother featuresthatthe traditional hotandcoldbackup
scriptscannot perform.Those featuresinclude,butare not
limitedto:
 Abilitytoperformincremental backups.
 Abilitytorecoverone blockof a datafile.
 Abilitytoperformthe backupandrestore with
parallelization.
 Abilitytoautomaticallydelete archivedredologs
aftertheyare backedup.
 Abilitytoautomaticallybackupthe control file and
the SPFILE.

8
 Abilitytorestarta failedbackupwithouthavingto
start fromthe beginning.
 Abilitytoverifythe integrity of the backup,and to
testthe restore processwithouthavingtoactually
performthe restore.
RecoveryManager(RMAN) isan Oracle Database clientthat’srecommended
wayto perform backupand recoverytaskson yourdatabasesandautomates
administration of yourbackupstrategies. RMAN shipswiththe database server
and doesn'trequire aseparate installation.The RMAN executableislocatedin
your ORACLE_HOME/bindirectory. Itgreatlysimplifiesbackingup,restoring,and
recoveringdatabase files.
UsingRMAN, youcan take a hot backupfor yourdatabase,whichwill take a
consistentbackupevenwhenyourDBisup and running.
RMAN can be manual or automated byscriptingwithcrontabscheduler or
configured viaEnterprise ManagerDatabase Control Tool.RMAN optimizes
performance bycompression.
The RMAN BACKUP commandsupportsbackingupthe followingtypesof files:
 Datafilesandcontrol files
 Serverparameterfile
 Archivedredologs
 RMAN backups
 The current serverparameterfile
Otherfiles asnetworkconfigurationfiles,passwordfiles,andthe contentsof the
Oracle home,cannot be backedup withRMAN.Likewise,some featuresof
Oracle,suchas external tables,maydependuponfilesotherthanthe datafiles,
control files,andredolog.RMAN cannot back upthese files.Use some non-
RMAN backupsolutionforanyfilesnotinthe precedinglist.
Incremental backupscanonlybe createdwithRMAN.
RMAN supportsbackupencryptionforbackupsets.Youcan use wallet-based
transparentencryption,password-basedencryption,orboth.
Category HA/DR
To Find Feature
Enablement
Issuingbelowscriptwill:
 reporton all RMAN backupslike full,incremental &archivelogbackups.
 Andwill give youRMAN backup status alongwithstartand stop timing.
select SESSION_KEY, INPUT_TYPE, STATUS,
to_char(START_TIME,'mm/dd/yy hh24:mi') start_time,
to_char(END_TIME,'mm/dd/yy hh24:mi') end_time,
elapsed_seconds/3600 hrs

9
from V$RMAN_BACKUP_JOB_DETAILS
order by session_key;
Followingscriptwill give youSID,Total Work,Sofar& % of completion:
SELECT SID, SERIAL#, CONTEXT, SOFAR, TOTALWORK,
ROUND (SOFAR/TOTALWORK*100, 2) "% COMPLETE"
FROM V$SESSION_LONGOPS
WHERE OPNAME LIKE 'RMAN%' AND OPNAME NOT LIKE '%aggregate%'
AND TOTALWORK! = 0 AND SOFAR <> TOTALWORK;
SELECT start_time, end_time, input_type, input_type, status
FROM v$rman_backup_job_details
ORDER BY 1;
SELECT vbd.file#, vrbjd.start_time, vrbjd.end_time,
vbd.incremental_level, vrbjd.input_type, vrbjd.status
FROM v$rman_backup_job_details vrbjd, v$backup_datafile vbd
WHERE vbd.completion_time BETWEEN vrbjd.start_time AND
vrbjd.end_time
AND vrbjd.input_type <> 'ARCHIVELOG'
ORDER BY 2,1;
While executingbackup,RMAN will generate backuplogs,youcanverifyits
backuplogsto verifystatusof RMAN backups.
Additionally,Youcan querytoV$RMAN_STATUS dictionaryview forcompleted
jobinformation:
select OUTPUT from V$RMAN_OUTPUT;
To determine if RMAN isrunningafull backupor incremental backup,use
INPUT_TYPE columnfromdictionaryview V$RMAN_BACKUP_JOB_DETAILS
Recommendatio
n
Feature Description:
In SQL Server, differenttypesof backupscan be create basedonrecoverymodel:
Full a complete database backup includingthe dataandlogfile to
bringthe database to a consistentstate
Differential a backup of all of the changeddata pagessince the lastfull
backup.Usuallysmallerthana full backup,assumingthatnot
all pageshave changed
Log transactionlogbackupcontainingall transactionssince the last
transactionor full backup.Alsotruncatesthe logof all inactive
logrecords
File a way to backupindividualdatabase files
Filegroup a way to backupa group of filescontainedinside of afilegroup

10
Copy-Only a backup whichcan be takenwithoutdisruptingthe logchain.
Great for takinga copyof a productiondatabase for
developmentpurposes
Mirror allowsyoutobackup to more than once device simultaneously
Partial similartofilegroupbutwill backupthe primary,all read/write
filegroupsandoptionally,readonlyfilegroups
In SQL Server,use Maintenance Plansforschedulingbackups. Use the Back Up
Database Task inSQL ServerManagementStudio(SSMS) toadd a backuptask to
the maintenance plan.
There are fine grainedoptionstocreate backupsfor all systemdatabases
(master,msdb,model),all userdatabases,specificdatabases,portionof
database- Files&Filegroups; backuptype,setbackupextensiontype,verify
backupintegrityandwhether Backupthe database toa file orto tape.
Feature Comparison:

11
There are varietyof hot& coldbackupsavailable inbothOracle andSQL Server
to suitany businessenvironment.
Backup encryptionissupportedstartingSQLServer2008 withTDE. Oracle
StandardEdition,onthe otherhand,doesnot have backupencryption.
Migration
Approach
Backup mechanism cannottomigratedthroughSSMA tool.
In SQL Server,use Maintenance Plansforschedulingbackups. Use the Back Up
Database Task inSQL ServerManagementStudio(SSMS) toadd a backuptask to
the maintenance plan.
There are fine grainedoptionstocreate backupsfor all systemdatabases
(master,msdb,model),all userdatabases,specificdatabases,portionof
database- Files&Filegroups; backuptype,setbackupextensiontype,verify
backupintegrityandwhether Backupthe database toa file orto tape.
SQL Server’sbuilt-inbackupoptionssupportdisk,tape andthe cloudasbackup
devices. SQL ServerManagedBackup to Azure allowsanautomaticdatabase
backupto Azure,basedonchangesdone inthe database.Thisfeature schedules,
performsandmaintainsthe backups–all aDBA needsto dois specifyaretention
period. SQLServerBackup toURL allowsyouto easilybackupdirectlyto
MicrosoftAzure BlobStorage,removingthe needtomanage hardware for
backups
To create a maintenance planusingthe Maintenance PlanWizard inSSMS
 In ObjectExplorer,click the plussigntoexpandthe serverwhere you
wantto create a maintenance plan.
 Clickthe plussignto expandthe Managementfolder.
 Right-clickthe Maintenance PlansfolderandselectMaintenance Plan
Wizard.
 Followthe stepsof the wizardtocreate a maintenance plan.
 Use the Back Up Database Task dialogtoadd a backup taskto the
maintenance plan.Backingupthe database isimportantincase of
systemor hardware failure (orusererrors) thatcause the database to be
damagedinsome way,thusrequiringabacked-upcopyto be restored.
Thistask allowsyoutoperformfull,differential,filesandfilegroups,and
transactionlogbackups.
References http://www.orafaq.com/wiki/Oracle_database_Backup_and_Recovery_
FAQ
http://searchdatabackup.techtarget.com/feature/Choosing-the-best-
Oracle-backup-strategy-for-your-environment
https://www.mssqltips.com/sqlservertutorial/6/types-of-sql-server-
backups/
(back up maintenance task)

12
Database Restore
Feature Database Restore
Description It iseasiertorestore fromoff-line backupsasnorecovery(fromarchived
logs) wouldbe requiredtomake the database consistent.Nevertheless,
on-line backupsare less disruptiveanddon'trequire database downtime.
Point-in-time recovery(regardlessif youdoon-line oroff-linebackups) is
onlyavailable whenthe database isinARCHIVELOGmode.
To restore a physical backupof a datafile orcontrol file istoreconstruct
it andmake it available tothe Oracle database server.Torecovera
restoreddatafile istoupdate itbyapplyingarchivedredologsandonline
redologs,that is,recordsof changesmade to the database afterthe
backupwas taken.If youuse RMAN,thenyoucan alsorecoverdatafiles
withincremental backups,whichare backupsof a datafile thatcontain
onlyblocksthatchangedaftera previousincrementalbackup.
You have a choice betweentwobasicmethodsforrecoveringphysical
files.Youcan:
 Use the RMAN utilitytorestore andrecoverthe database
 Restore backupsbymeansof operatingsystemutilities,andthen
recoverbyrunningthe SQL*PlusRECOVERcommand
Category HA/DR
To Find Feature
Enablement
You can restore database by usingSQL ServerManagementStudio(SSMS)
or Transact-SQL. SQL ServerManagementStudiomakesthe restore
processsimple. Selectthe restore pointyouwantto use,since a SQL
backupfile canholdmultiple backupsyoumaysee more thanone
restore pointlisted,andalso youcanoverwrite the existingdatabase or
rename a database. Youcouldalso restore backupscreatedon another
SQL Serverusingthe SQL ManagementStudiotool.
To restore an encrypteddatabase,youneedaccesstothe certificate or
asymmetrickeyusedtoencryptthat database.Withoutthe certificate or
asymmetrickey,youcannotrestore thatdatabase.You mustretainthe
certificate usedtoencryptthe database encryptionkeyforaslongas you
needtosave the backup.
You couldeven restore anolderversiondatabase toSQLServer2016,
that database will automaticallyupgrade toSQLServer2016. Typically,
the database becomesavailableimmediately.
Feature Comparison:
SimilartoOracle,SQL Serverprovides utilitiesaswell asSQLcommands
to restore backedupdatabase.
Migration Approach Restore mechanismcannotbe migratedthroughSSMA tool.

13
SQL Serverrestorationcanbe configuredmanuallyviautilitiesorSQL
commands. Choosingappropriate BackupandRestore Strategyis
governed byyourapplication’sDRSLA requirements- typicallymeasured
by RecoveryTime Objective (RTO) andRecoveryPointObjective(RPO).
Restore database usingT-SQL
RESTORE commandrestoresbackups takenusingthe BACKUP command:
--To Restore an Entire Database from a Full database backup
(a Complete Restore):
RESTORE DATABASE { database_name | @database_name_var }
[ FROM <backup_device> [ ,...n ] ]
[ WITH
{
[ RECOVERY | NORECOVERY | STANDBY =
{standby_file_name | @standby_file_name_var }
]
| , <general_WITH_options> [ ,...n ]
| , <replication_WITH_option>
| , <change_data_capture_WITH_option>
| , <FILESTREAM_WITH_option>
| , <service_broker_WITH options>
| , <point_in_time_WITH_options—RESTORE_DATABASE>
} [ ,...n ]
]
[;]
Restore database usingSQL ServerManagementStudio
References https://docs.oracle.com/cd/B19306_01/server.102/b14220/backrec.htm

14
Log Shipping
( Restore a Database BackupUsing SSMS)
Feature Log Shipping
Description  Oracle doesn’tofferlogshippingasa part of the core product,but it’s
possible tosetuplogshippinginOracle.
 Oracle’slogshippingworksbycopyingarchivedredologfiles.There are
no extrabackupjobsto add. Instead,the logshippingjobscopyarchived
redolog filesfromthe flashrecoveryarea.Rotatingoutactive redolog
fileswillmove themintothe archive redologfilearea.DBAscan take
advantage of theirexistingbackupstrategy.Itisstill possibleforan
Oracle DBA to breaklogshippingbyusingNOARCHIVELOGmode or
addingtablespacesorfileswithoutaddingthemonthe secondary. Of
course,a DBA can alsouse the FORCELOGGING optiontopreventusers
fromswitchingtoNOARCHIVELOGmode andbreakingthe logshipping.
 Whenyou’re movingbackupsacrossthe network,compressioncanhelp
meetyourrecoverypointobjective. Oracle’scompressionisonlyfound
ineitherOracle Enterprise EditionorcustomersusingOracle’sbackupto
the cloudfeature – Oracle Database Backup Service.However,it’strivial
to leverage in-flightcompressionwhenmovingfilesbetweenOracle
instances.Youcan alsouse rsync to move filesbetweenprimaryand
standbyand enable the -zflagtoensure yougetcompression.
Category HA/DR
To Find Feature
Enablement
to checkif the ARCHIVELOGmode isenabled:
SQL> archive log list;
In SQL Servercan doLog ShippingusingSSMSorT-SQL scripts.
Log shippingallowsyoutoautomaticallysendtransactionlogbackupsfrom
a primarydatabase on a primaryserverinstance toone or more secondary
databasesonseparate secondaryserverinstances.The transactionlog
backupsare appliedtoeachof the secondarydatabasesindividually.An
optional thirdserverinstance,knownasthe monitorserver,recordsthe
historyandstatus of backup andrestore operationsand,optionally,raises
alertsif these operationsfailtooccur as scheduled. youcan evenmake
your logshippingsecondaryreadable anduse itforreportingusingSTANDBY
mode.
A logshippingconfigurationdoesnotautomaticallyfailoverfromthe
primaryserverto the secondaryserver.If the primarydatabase becomes
unavailable,anyof the secondarydatabasescanbe broughtonline
manually.

15
Additionally, Logshippingcanbe usedwithfollowingotherfeatures of SQL
Server:
 Database Mirroringand Log Shipping(SQLServer)
 Log Shippingcanbe usedinconjunctionwith Replication(SQL
Server)
SQL Servercan compressbackupsinthe StandardEditionof the product.
Thiscan eitherbe enabledas a defaultSQLServerlevel settingorinthe log
shippingjobs.
Feature Comparison:
Like Oracle, SQL Serverhassupportfor logshippingoptionsavailable, and
can compressbackups for betterperformance.
Migration Approach SSMA doesn’tsupport migratingLogShipping.
In SQL Server,youcan setup Log Shippingmanually usingSSMSorT-SQL
scripts.
A Typical Log ShippingConfiguration
The followingfigure showsalogshippingconfigurationwiththe primary
serverinstance,three secondaryserverinstances,andamonitorserver
instance.The figure illustratesthe stepsperformedbybackup,copy,and
restore jobs,asfollows:
1. The primaryserverinstance runsthe backupjob to back upthe
transactionlogon the primarydatabase.Thisserverinstance then
placesthe logbackup intoa primarylog-backupfile,whichitsends
to the backup folder.Inthisfigure,the backupfolderisona shared
directory—the backupshare.
2. Each of the three secondaryserverinstancesrunsitsowncopyjob
to copy the primarylog-backupfile toitsownlocal destination
folder.
3. Each secondaryserverinstance runsitsownrestore jobto restore
the log backupfromthe local destinationfolderontothe local
secondarydatabase.
The primaryand secondaryserverinstances sendtheirownhistoryand
statusto the monitorserverinstance.

16
To configure log shippingusingTransact-SQL
1. Initializethe secondarydatabase byrestoringafull backupof the
primarydatabase on the secondaryserver.
2. On the primaryserver,execute
sp_add_log_shipping_primary_database to add a primary
database.The storedprocedure returnsthe backupjobID and primary
ID.
3. On the primaryserver,execute sp_add_jobschedule to add a
schedule forthe backupjob.
4. On the monitorserver,executesp_add_log_shipping_alert_job to
add the alertjob.
5. On the primaryserver,enable the backupjob.
6. On the secondaryserver,execute
sp_add_log_shipping_secondary_primary supplyingthe detailsof
the primaryserverand database.Thisstoredprocedure returnsthe
secondaryID andthe copyand restore jobIDs.
7. On the secondaryserver, execute sp_add_jobschedule to setthe
schedule forthe copyand restore jobs.
8. On the secondaryserver,execute
sp_add_log_shipping_secondary_database to add a secondary
database.
9. On the primaryserver,execute
sp_add_log_shipping_primary_secondary to addthe required
informationaboutthe new secondarydatabase tothe primaryserver.
10. On the secondaryserver,enablethe copyandrestore jobs.
References http://docs.oracle.com/database/121/SBYDB/concepts.htm#SBYDB00010
https://www.brentozar.com/archive/2015/02/comparing-sql-server-oracle-
log-shipping/

17
Oracle Database Vault
http://users.wfu.edu/rollins/oracle/archive.html
Feature Oracle Database Vault
Description A standardproblemwithdatabase securitystemsfromthe needfordatabase
administratorstohave full accesstothe data theymanage- a potential security
hole.
Oracle Database VaultwithOracle Database 12c providesgreateraccess
controlson data.It can be usedto protectapplicationdatafromthe DBA and
otherprivileged usersaswell asimplementingrobustcontrolsonaccessto the
database and application.
The Database VaultOptionallowsyoutorestrictaccessgrantedwithsystem-
wide privileges,restrictadministrativeaccesstoa definedrealmof data,
allowingforfinergrainedseparationof administrativeduties.
A securityadministratorcansetfactors to define accesstothe database
includingOracle commandsavailabletothe differentclassesof usersand
administratorsandaudit-specificdimensionsof security.
Realmscan be definedforlimitingaccesstospecificdatabase schemasandroles
at a more granularlevel.
Category Security
To Find Feature
Enablement
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
Recommendatio
n
In SQL Server,there isnodirectequivalentfeaturetoDatabase Vault.
However,SQLServerdoesprovide capabilitytorestrictuserdataaccessfrom
DBAs.
AlwaysEncryptedenablescustomerstoconfidentlystore sensitive dataoutside
of theirdirectcontrol.Thisallowsorganizationstoencryptdataat restand in
use for storage inAzure,or to reduce securityclearance requirementsfortheir
ownDBA staff.
WithAlwaysEncrypted,youcan configure encryptionforselectedcolumnsto
protectsensitive data.These encryptedcolumnscanthenbe managedby
AccessControl by keepingDBA restricted withprivilege todecryptoraccess
sensitivedata.
Migration
Approach
SSMA can’t migrate Database Vaultfeaturesautomatically.
In SQL Server,configure AlwaysOnencryption.

18
To access encryptedcolumns(evenif notdecryptingthem) VIEW ANY COLUMN
permissionsneedtobe explicitlygranted.
T-SQL example to enable encryption
The followingTransact-SQLcreatescolumnmasterkeymetadata,column
encryptionkeymetadata,andatable withencryptedcolumns.
CREATE COLUMN MASTER KEY MyCMK
WITH (
KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
KEY_PATH = 'Current
User/Personal/f2260f28d909d21c642a3d8e0b45a830e79a1420'
);
---------------------------------------------
CREATE COLUMN ENCRYPTION KEY MyCEK
WITH VALUES
(
COLUMN_MASTER_KEY = MyCMK,
ALGORITHM = 'RSA_OAEP',
ENCRYPTED_VALUE = 0x04E234173C....154F86
);
---------------------------------------------
CREATE TABLE [dbo].[Students] (
[StudentID] INT IDENTITY (1, 1) NOT NULL,
[SSN] CHAR (11) COLLATE Latin1_General_BIN2 ENCRYPTED WITH
(COLUMN_ENCRYPTION_KEY = [ColumnEncryptionKey1], ENCRYPTION_TYPE
= Deterministic, ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT
NULL,
[FirstName] NVARCHAR (50) NULL,
[LastName] NVARCHAR (50) NOT NULL,
[StreetAddress] NVARCHAR (50) NOT NULL,
[City] NVARCHAR (50) NOT NULL,
[ZipCode] CHAR (5) NOT NULL,
[BirthDate] DATE ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY =
[ColumnEncryptionKey1], ENCRYPTION_TYPE = Deterministic,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
CONSTRAINT [PK_dbo.Students] PRIMARY KEY CLUSTERED ([StudentID]
ASC)
);
References http://www.oracle.com/technetwork/database/options/oracle-database-vault-
external-faq-2032888.pdf
https://www.oracle.com/database/database-vault/index.html
https://docs.oracle.com/database/121/DVADM/getting_started.htm#DVADM00
2
https://msdn.microsoft.com/en-us/library/mt163865.aspx

19
Database Audit
Feature Database Audit
Description  Auditingfacilitatesdatabase activitymonitoring. It’sthe recordingof
selecteduserdatabase actions.Monitoringstatements,privileges,orobjects
 SecuritypoliciescantriggerauditingwhenspecifiedelementsinanOracle
database are accessedoraltered.
 AUDIT_SYS_OPERATIONSinitializationparameter-Enablesordisablesthe
auditingof top-level operationsdirectlyissuedbyuserSYS,andusers
connectingwithSYSDBA or SYSOPERprivilege.Thisparametershouldbe
enabledonALLproductiondatabases.
 Oracle Database writesthe auditrecordsto the audittrail of the operating
system. The database audittrail consistsof a single table namedSYS.AUD$.
Audittrail recordscontaindifferenttypesof info,dependingonthe events
auditedandthe auditingoptionsset.
 Oracle Database allowsaudittrail recordsto be directedtoan operating
systemaudittrail if the operatingsystemmakessuchanaudittrail available
to Oracle DB. If not,thenauditrecordsare writtentoa file outside the
database.the database will write atrace file of the sessionactions(forsysor
sysdba) tothe dumpdirectorylocationspecifiedbyAUDIT_FILE_DEST.
 If you setthe AUDIT_TRAIL initializationparametertoXML or XML,
EXTENDED, itwritesthe auditrecordsin XML format.AUDIT_TRAIL enables
or disablesdatabase auditing.
 To enable
-- altersystemsetaudit_sys_operations=TRUEscope=spfile;
-- thenrestart
Category Security
To Find Feature
Enablement
show parameter audit_sys_operations;
show parameter audit_trail;
select * from dba_stmt_audit_opts union select * from
dba_priv_audit_opts;
-- if a non-containerdatabase
conn / as sysdba
-- connectto each PDB inturn and run the followingqueries
show parameter audit
SELECT MAX(logoff$time)
FROM sys.aud$;
SELECT MAX(timestamp#), MAX(ntimestamp#)
FROM sys.fga_log$;
SELECT table_name, tablespace_name, num_rows
FROM dba_tables
WHERE table_name IN ('AUD$', 'FGA_LOG$')
ORDER BY 1;

20
The audit trail isstoredinthe SYS.AUD$ table.It'scontentscan be viewed
directlyorviathe followingviews.
 DBA_AUDIT_EXISTS
 DBA_AUDIT_OBJECT
 DBA_AUDIT_SESSION
 DBA_AUDIT_STATEMENT
 DBA_AUDIT_TRAIL
 DBA_OBJ_AUDIT_OPTS
 DBA_PRIV_AUDIT_OPTS
 DBA_STMT_AUDIT_OPTS
Recommendatio
n
DDL triggersandnotifications canaidinauditing
SQL Serverserver-level auditingisresilient,availableinall editions,andprovides
T-SQL call stack frame info
SQL Serversupportsuser-definedauditgroupsandauditfiltering
Can use T-SQL to enable auditbycreatingthe auditspecificationforspecific
database and specificaccessgroup.
The Auditactionitemscan be individual actionssuchasSELECT operationsona T
able,or a groupof actionssuch as SERVER_PERMISSION_CHANGE_GROUP.
SQL AuditEventstrack the followingthree categoriesof Events:
 ServerLevel:These actionsinclude serveroperations,suchasmanageme
nt changes,andlogonand logoff operations.
 Database Level:These actionsincludedatamanipulationlanguages(DML
) and Data DefinitionLanguage (DDL).
 AuditLevel:These actionsinclude actionsinthe auditingprocess.
You couldimplementanaudittrail quicklyinSQLServerby creatingshadowtabl
e foreach table indatabase andtriggersto logeverytime whenarecord isinsert
ed,updatedor deletedinthe table.see lastlinkinthe list forAuditTrail Generat
or Script.
The SQL ServerAuditfeature isbuiltontopof ExtendedEventstoleverage the p
erformance benefitsandprovide bothasynchronousandsynchronouswritecapa
bilities(bydefault,SQLServerAuditusesthe asynchronouseventmodel). Youco
ulduse SQL Profilertosee WorkloadPerformance impactof Auditingandturnon
auditon specificobjectsandspecificlogins.
All editionsof SQLServersupportserverlevel audits.Database levelauditingisli
mitedtoEnterprise,Developer,andEvaluationeditions.
Feature Comparison:
SimilartoOracle AuditVaultforDDL andDML statements
All actions(DDL andDML) are auditable inSQLServer

21
Migration
Approach
SSMA doesnotsupportmigrating Auditingconfigurations.
In SQL server,use T-SQLto enable auditbycreatingthe auditspecificationfor
specificdatabase andspecificaccess group.
T-SQL to create a serveraudit
USE master ;
GO
-- Create the server audit.
CREATE SERVER AUDIT Payrole_Security_Audit
TO FILE ( FILEPATH =
'C:Program FilesMicrosoft SQL
ServerMSSQL13.MSSQLSERVERMSSQLDATA' ) ;
GO
-- Enable the server audit.
ALTER SERVER AUDIT Payrole_Security_Audit
WITH (STATE = ON) ;
T-SQL to create a database-level auditspecification
(Followingexamplecreatesadatabase auditspecificationcalled
Audit_Pay_Tables that auditsSELECT and INSERTstatementsbythe dbo user,
for the HumanResources.EmployeePayHistory table basedonthe serveraudit
definedabove.)
USE AdventureWorks2012 ;
GO
-- Create the database audit specification.
CREATE DATABASE AUDIT SPECIFICATION Audit_Pay_Tables
FOR SERVER AUDIT Payrole_Security_Audit
ADD (SELECT , INSERT
ON HumanResources.EmployeePayHistory BY dbo )
WITH (STATE = ON) ;
GO
References http://docs.oracle.com/cd/B19306_01/network.102/b14266/auditing.htm#DBSE
G525
https://oracle-base.com/articles/8i/auditing#AuditOptions
http://solutioncenter.apexsql.com/how-to-setup-and-use-sql-server-
audit-feature/
https://msdn.microsoft.com/en-us/library/cc280663.aspx
(Sql Server Audit Actions)
https://msdn.microsoft.com/en-us/library/cc280386.aspx
(SQL Server Audit)
http://solutioncenter.apexsql.com/sql-server-database-auditing-
techniques/
http://techbrij.com/audit-trail-microsoft-sql-server-quickly

22
Authentication
Feature Authentication
Description Authenticationthe processof verifyingthatthe loginIDor username suppliedbya
userto connectto the database belongstoan authorizeduser.Oracle allows
authentication of useraccount throughthe OS or throughthe database (server).
Oracle allowsasingle database instance touse anyor all methods.Oracle requires
special authenticationproceduresfor database administrators,because they
performspecial database operations.Oracle alsoencryptspasswordsduring
transmissiontoensure the securityof networkauthentication.
Once authenticatedbythe operatingsystem,userscanconnectto Oracle more
conveniently,withoutspecifyingausername or password.
Oracle Database can authenticate usersattemptingtoconnectto a database by
usinginformationstoredinthatdatabase itself.Toconfigure Oracle Database to
use database authentication,youmustcreate eachuserwithan associated
password.
Category Security
Find Feature
Enablement
an operating-system-authenticatedusercaninvoke SQL*Plusandskipthe user
name and passwordpromptsbyenteringthe following: SQLPLUS /
Recommendati
on
SQL Serverhastwo methodsof authentication:
 Windowsauthentication
 SQL Serverauthentication
WindowsAuthentication:
Whenyouare accessingSQL Serverfromthe same computeritis installedon,you
won’tbe promptedtotype in username andpassword if you're usingWindows
Authentication. Authenticatingwith Windows domainlogins,the SQLServer
service alreadyknowsthatsomeone isloggedinintothe operatingsystemwith
the correct credentials,anditusesthese credentialstoallow the userintoits
databases. Thisworksas longas the clientresidesonthe same computerasthe
SQL Server,oras longas the connectingclientmatchesthe Windowscredentials
of the server.Ideally,Windowsauthenticationmustbe usedwhenworkinginan
Intranettype of an environment. Inenterprise environments,thesecredentials
are normallyActive Directorydomaincredentials. WindowsAuthenticationis also
a more convenientwaytolog-inintoaSQL Serverinstance withouttypinga
username anda password,howeverwhenmore usersare involved,orremote
connectionsare beingestablishedwiththe SQLServer,SQLauthenticationshould
be used.

23
Mixedauthenticationmodeallowsthe use of Windowscredentialsbut
supplementsthemwithlocal SQLServeruseraccountsthatthe administratormay
create and maintainwithinSQLServer.
SQL ServerAuthentication:
SQL Authenticationisthe typical authenticationusedforvariousdatabase
systems,composedof ausername anda password.Aninstance of SQL Servercan
have multiple suchuseraccounts(usingSQLauthentication) withdifferent
usernamesandpasswords.Insharedserverswhere differentusersshouldhave
access to differentdatabases,SQLauthenticationshouldbe used.Also,whena
client(remote computer) connectstoaninstance of SQL Serveronother
computerthanthe one onwhichthe clientisrunning,SQLServerauthenticationis
needed.Evenif youdon'tdefine anySQLServeruseraccounts,at the time of
installationarootaccount - sa - is addedwiththe passwordyouprovided.Justlike
any SQL Serveraccount,thiscan be usedto log-inlocallyorremotely,howeverif
an applicationisthe one thatdoesthe log in,andit shouldhave accessto only
one database,it'sstronglyrecommendedthatyoudon'tuse the sa account,but
create a newone withlimitedaccess.
Microsoft’sbestpractice recommendationistouse Windowsauthentication
mode wheneverpossible. Itallowsyoutocentralize accountadministrationfor
your entire enterpriseinasingle place:Active Directory.
Feature Comparison:
Like Oracle,SQL Serverhastwomajor methodsof authentication:
 OS authentication
 Database authentication
PasswordPoliciescanbe enforcedwithauthenticationsinbothdatabases.These
policiescontrol passwordmanagementincluding accountlocking,passwordaging
and expiration,passwordhistory,andpasswordcomplexityverification.
Migration
Approach
In Oracle,mostusedAuthenticationmethods are authenticationbythe database
and authenticationbythe operatingsystem.
In SQL Server, the database modesinuse are SQL ServerAuthenticationMode and
the WindowsAuthenticationMode.The database authenticationmodesinOracle
and SQL Serverare closelycompatibleanduse auser name andpasswordpair.
The operatingsystemauthenticationisquite differentbetweenOracle and
SQL Server.Oracle'soperatingsystemmode canonlyauthenticate userswithlocal
accounts onUNIX servers.WindowsauthenticationforSQL Serverisactually
performedbythe domainandnotthe local account onthe Windowsserver.
The Oracle RDBMS alsoprovidespasswordmanagementfunctions,suchas
account locking,passwordlifetimeandexpiration,passwordhistory,and
passwordcomplexityverification.
MigrationoptionsforOracle loginsbasedonauthenticationmodeandthe
requirementsonpasswordmanagementfunctionality:

24
Oracle Authentication
Mode
Oracle Password
Management
SQL Server
Authentication Mode
Database None Database
Database Required Database
Operating system N/A Windows
To add a newWindowsauthenticatedlogintoaSQL Serverinstance usingT-SQL,
use the followingsyntax:
sp_grantlogin [ @loginame = ] 'login_name'
where
login_name
isof the form
domain_namedomain_login_name
To add a newdatabase authenticatedlogintoa SQL Serverinstance use following
T-SQL:
Use CREATE/ALTERLOGIN syntax
https://docs.microsoft.com/en-us/sql/t-sql/statements/create-login-transact-sql
A useraccount shouldbe createdseparatelyforthe logininthe defaultdatabase.
sp_grantdbaccess [ @loginame = ] 'login_name'[, [ @name_in_db = ]
'user_name'
To create a useraccount to a SQL Serverdatabase usingT-SQL,use the following
syntax:
sp_grantdbaccess [ @loginame = ] 'login_name'[, [ @name_in_db = ]
'user_name'
The name chosenforthe useraccount can be differentfromthatforthe login
account.
References https://docs.oracle.com/cd/B19306_01/network.102/b14266/authmeth.htm#BAB
CGGEB (Oracle AuthenticationMethods)
http://docs.oracle.com/cd/E25054_01/network.1111/e16543/authentication.htm
#i1006458
https://msdn.microsoft.com/en-us/library/ms144284.aspx (Authenticationmodes
inSQL Server)

25
Privileges
Feature Privileges
Description A privilegeisarightto execute anSQL statement orto accessanotheruser's
object.
In Oracle,there are twotypesof privileges: systemprivilegesandobject
privileges.A privilege canbe assignedtoauser or a role.
The set of privilegesisfixed,thatis,there isnoSQL statementlike create privilege
xyz...
Systemprivileges
In Oracle 9.2, there are 157 systemprivileges,and10ghas even173. These are
privilegeslikecreate job,dropuser,alterdatabase,andcanbe displayedwith:
select name from system_privilege_map;
Systemprivilegescanbe audited.
sysdba and sysoper the mostimportantsystemprivileges.
There are five operationsonOracle thatrequire the usertohave SYSDBA
privilegesinordertoperformthem:
 startupa database,
 shutdownadatabase,
 backupa database,
 recovera database
 and create a database
v$pwfile_users listsall userswhohave beengrantedsysdbaorsysoper
privileges.
Objectprivileges
While Oracle hasseveral objectprivileges, the onescommonlygrantedtousers
are SELECT, INSERT,DELETE, and UPDATE on tablesandEXECUTE onstored
programs.
ObjectPrivilegescanbe assigned onfollowingDBobjects:
 Tables- select,insert,update,delete,alter,debug,flashback,oncommit
refresh,queryrewrite,references,all
 Views- select,insert,update,delete,under,references,flashback,debug
 Sequence- alter,select
 Packages,Procedures,Functions(Javaclasses,sources...)- execute,debug
 MaterializedViews- delete,flashback,insert,select,update
 Directories- read,write
 Libraries- execute
 User definedtypes- execute,debug,under
 Operators- execute
 Indextypes- execute

26
For a userto access an objectinanotheruser'sschema, theyneedprivilegetothe
object. Objectprivilegescanbe displayedusing all_tab_privs_made or
user_tab_privs_made.
The ROLE_ROLE_PRIVS, ROLE_SYS_PRIVS, and ROLE_TAB_PRIVS data dictionary
viewscontaininformationonthe privilegedomainsof roles.
The GRANT ANY OBJECT PRIVILEGE systemprivilegeallowsuserstograntand
revoke anyobjectprivilege onbehalf of the objectowner.
INSERT,UPDATE, or REFERENCES privileges canbe granted onindividual columns
ina table.
Assigningprivilegestousersand roles
GRANT- assignsa privilegetoa user
REVOKE- allowstotake away suchprivilegesfromusersandroles.
Oracle storesthe grantedprivilegesinitsdatadictionary.
Category Security
To Find
Feature
Enablement
Followingqueryreturnsall systemprivilege grantsmade to rolesandusers:
SELECT count(*) FROM DBA_SYS_PRIVS;
Recommendati
on
Like Oracle.SQL Serversupportssystemandobjectlevel privileges.
Systemandobjectprivilegescanbe grantedto Usersdirectlyorvia Rolesusing
the GRANT statementandremovedusingthe REVOKEstatement.
SQL Serveralsohas the additional DENYstatement,whichpreventsusersfrom
exercisingaprivilegeevenwhenithasbeengrantedtothe user.
In SQL Server,the REVOKEstatementisused toremove (orcancel out) a
previouslygrantedordeniedprivilege.Conflictinpermissionsgranteddirectlyand
throughrolesisalwaysresolvedinfavorof the higher-levelpermission.The only
exceptiontothisisif usershave beendeniedpermissions(DENY) toanobject
eitherexplicitlyorthroughtheirmembershipinarole.If thatis the case,theywill
not be grantedthe requestedaccesstothe object.
PermissionHierarchy
 Permissionshave aparent/childhierarchy.
 If you grant SELECT permission onadatabase,that permissionincludes
SELECT permissiononall (child) schemasinthe database.
 If you grant SELECT permissiononaschema,it includesSELECTpermissionon
all the (child) tablesandviewsinthe schema.

27
 The permissionsare transitive;thatis,if yougrant SELECT permissionona
database,itincludesSELECTpermissiononall (child) schemas,andall
(grandchild) tablesandviews.
 Permissionsalsohave coveringpermissions.The CONTROLpermissiononan
object,normallygivesyouall otherpermissionsonthe object.
Feature Comparison:
The followingterminologiesrelatingtoprivilegesinOracle andSQLServerare
equivalent:
Oracle Terminology SQL ServerTerminology
Privilege Permission
Systemprivilege Statementpermission
Objectprivilege Objectpermission
Predefinedrole
permission(forexample:
DBA)
Impliedpermissions(for
example:sysadmin)
Grantee Securityaccount

28
Like Oracle, SQL Serverhasthe same database objectprivileges.
Oracle and SQL Serverdifferalotinthe systemprivilegesthatare available.
Oracle has verygranular(more than100) systemprivileges.SQLServersystem
privileges,calledstatementpermissions,are restrictedtothe followinglist:
 BACKUPDATABASE
 BACKUPLOG
 CREATE DATABASE
 CREATE DEFAULT
 CREATE FUNCTION
 CREATE PROCEDURE
 CREATE RULE
 CREATE TABLE
 CREATE VIEW
The rest of the Oracle systemprivilegesare bundledintoseverallarge fixedroles.
For example,the fixeddatabase role db_datareader isequivalenttothe SELECT
ANYTABLE systemprivilegeinOracle.
Migration
Approach
SSMA tool doesn’tsupportautomaticmigrationof privileges.
In SQL Server,these privilegeswouldneedtobe manuallycreatedusingT-
SQL/SSMS andassignedtoprincipalslike user,orroles.
Use T-SQL queries withGRANT,DENY,andREVOKEto manipulate permissions.
sys.server_permissions andsys.database_permissions catalogviews
provide informationonpermissions.
You can GRANT and REVOKEprivilegesondatabase objectsinSQLServer.
You can grant usersvariousprivilegestotables- permissionscanbe any
combinationof SELECT,INSERT,UPDATE, DELETE, REFERENCES,ALTER, or ALL.
REFERENCES- Abilitytocreate a constraintthat referstothe table.
ALTER- AbilitytoperformALTERTABLE statementstochange the table definition.
Use <database name>;
Grant <permission name> on <object name> to <usernameprinciple>;
GRANT SELECT, INSERT, UPDATE, DELETE ON employees TO smithj;
ALL doesnot grant all permissionsforthe table.Rather,itgrantsthe ANSI-92
permissionswhichare SELECT,INSERT,UPDATE, DELETE, and REFERENCES
GRANT ALL ON employees TO smithj;
Grant EXECUTE permission onstoredprocedures toa user
GRANT EXECUTE ON dbo.procname TO username;
SELECT permissiononthe table (Region) ,ina schema(Customers),inadatabase
(SalesDB) canbe achievedthroughanyof below statements:
GRANT SELECT ON OBJECT::Region TO Ted
GRANT CONTROL ON OBJECT::Region TO Ted
GRANT SELECT ON SCHEMA::Customers TO Ted

29
Roles
GRANT SELECT ON DATABASE::SalesDB TO Ted
References http://www.adp-gmbh.ch/ora/misc/users_roles_privs.html
https://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#DBS
EG10000 ( AdministeringUserPrivileges,Roles,andProfiles)
https://docs.oracle.com/cd/E21901_01/timesten.1122/e21642/privileges.htm#TT
SQL339
https://blogs.msdn.microsoft.com/sqlsecurity/2011/08/25/database-engine-
permission-basics/
Feature Roles
Description Role-basedsecurity,allowsyouto assignsetof permissionstoa role,insteadof
grantingthemto individual users. Thisrole canthenbe assignedto groupof
users.
Fixedserverandfixeddatabaseroleshave afixedsetof permissionsassignedto
them.
In Oracle,Single DBA role hasdatabase instance wide privilegesspanningall
schemas. Userswithexplicitobjectprivilegesorthose whoconnectwith
administrativeprivileges(SYSDBA) canaccessobjectsinthe SYS schema.
PredefinedRoles
Alongwiththe installation,andcreationof anoracle database,Oracle creates
many predefinedroles:
 CONNECTincludesthe privilegesneededtoconnecttothe database.
 RESOURCE includesmanyof the rolesa developermightuse tocreate
and manage an application,suchascreatingandalteringmanytypesof
objectsincludingtables,view,andsequences.
 EXP_FULL_DATABASE/IMP_FULL_DATABASEallowsthe grantee todo
logical backupsof the database.
 RECOVERY_CATALOG_OWNERallowsgrantee toadministerOracle
RecoveryManagercatalog.
 SCHEDULER_ADMIN allowsthe grantee tomanage the Oracle job
scheduler.
 DBA givesauser mostof the majorprivilegesrequiredtoadministera
database.These privilegescanmanage users,security,space,system
parameters,andbackups. Accessingdatadictionaryviews(v$viewsand
staticdictionaryviews). exp_full_database,imp_full_databaseisneeded
to exportobjectsfoundinanotheruser'sschema.
 connect,resource,dba- these mightnotbe createdanymore infuture
versionsof Oracle.

30
The DBA_ROLES data dictionaryview canbe usedtolistall rolesof a database and
the authenticationusedforeachrole.
Category Security
To Find Feature
Enablement
Below queryreturnsall the rolesgrantedtousersandother roles:
SELECT count(*) FROM DBA_ROLE_PRIVS;
USER_ROLE_PRIVS describesthe rolesgrantedtothe currentuser.
Recommendatio
n
All versionsof SQLServeruse role-basedsecurity,whichallowsyoutoassign
permissionstoarole,or groupof users,insteadof to individual users.Fixed
serverandfixeddatabase roleshave afixedsetof permissionsassignedtothem.
SQL Serverprovidesnine fixedserverroles.
These rolesare securityprincipalsthatgroupotherprincipals. Rolesare like
groupsin the Windows operatingsystem.
ServerRoles:
StartingSQL 2012, we aresupportingaddingnew server roles in sql server
https://docs.microsoft.com/en-us/sql/t-sql/statements/create-server-role-
transact-sql
Serverroles canbe veryeffective forsharingadmin responsibilitiesamong
several logins.You don’tshare the SA account passwordtoall logins;rather,you
grant the necessarylevel of admin permissions byaddingspecificlogintoaserver
role. eachmemberof a built-inserverrole canaddotherloginstothe same role.
Fixedserverroleshave afixedsetof permissionsandserver-wide scope.Theyare
intendedforuse inadministeringSQLServerandthe permissionsassignedto
themcannot be changed.
Be selective whenyouadduserstofixedserverroles.Forexample, users with
bulkadmin role can run the BULK INSERT statement,whichcouldjeopardize data
integrity.
FixedSQL ServerRoles(8 intotal)
Role name Function
BULKADMIN BULK INSERTadministrators.Canloaddataintotablesusing
BULK INSERTstatement.
DBCREATOR Alteranydatabase (create,andalter/restore theirown).
Database creators.Can create and alter,dropand restore
databases.
DISKADMIN Alterresources(manage diskfiles)
PROCESSADMIN Processadministrators.CanexecuteKILLstatementto
disconnectoffendingsessions.

31
SECURITYADMIN Securityadministrators.Canaddandremove logins,addand
remove linkedservers,Alteranylogin(grant,deny,revoke
server/database permissions,resetpasswords).
SERVERADMIN Serveradministrators.Canmanage server-wide
configurationsettingsandshutdownSQLServerservice.
Membersof thisrole are alsoallowedtoexecute
sp_tableoption systemprocedure anddropextended
procedures.
SETUPADMIN Setupadministrators.Canmanage extendedstored
procedures,linkedserversandcanmark storedprocedures
to execute wheneverSQLServerstarts.
SYSADMIN Systemadministrators.Canperformany andeveryactivity
on server.Membersare automaticallyaddedtodatabase
ownerrole at creationof everydatabase.
FixedDatabase Roles:
Databases too have pre-definedrolesthatallow role memberstoperforma
certainsetof activitieswithinthe database.Built-indatabase rolesexistinevery
database and can’tbe dropped.Atthe database level, securityismanagedby
membersof the db_owner anddb_securityadmin roles: onlymembersof
db_ownercan addother userstothe db_ownerrole;db_securityadmincanadd
usersto all otherrolesexceptdb_owner.
FewBuilt-in/FixedSQLServer database roles
Role name Function
db_owner Database owner. Usersin of db_owner role can create,
alteror drop the database and performanyotheraction
(read/ write /modifyobjects) withinthe database.Just
as membersof SYSADMIN can performanyoperation
withinthe servermembersof db_ownercanperform
any operationwithinthe database.
Public Built-inrole thatall loginsbelongtoautomaticallywhen
theyare grantedpermissiontoconnectto the database.
Note that youcannot remove auserfrom publicrole.
The public role iscontainedineverydatabase including
systemdbs.Itcan’t be dropped,butyoucannotadd or
remove usersfromit.Permissionsgrantedtothe public
role are inheritedbyall otherusersandroles.Grant
public onlythe permissionsyouwantall userstohave.
db_securityadmin Securityadmins withinthe database.Membersof this
role can execute GRANT,REVOKE,DENYstatements,add

32
and remove userstoroles;addnew rolesanddrop
existingroles;change objectownership.
db_accessadmin Database access administratorscanaddand remove
users fromthe database,grantand revoke database
access fromexistingusers.
db_backupoperator Membersof thisrole can performdatabase backups,
transactionlogbackupsand can execute CHECKPOINT
statement.However,they're notallowedtorestore
database.
db_datareader Membersof thisrole can read data fromany table inthe
database
db_datawriter Data writerscan INSERT,UPDATE and DELETE data from
any table inthe database.
db_ddladmin DDL administratorscancreate,alterordrop database
objects. Membersof thisrole can settable options,
change objectownership,truncate table data,examine
index statisticsandfragmentation;implementfull-text
searchand reclaimspace froma table thatwas
truncated.
db_denydatareader Membersof thisrole cannot readdata from anytable in
the database.
db_denydatawriter Membersof thisrole cannot INSERT/ UPDATE / DELETE
recordsin anytable inthe database.
You can viewrolesinSQLServerviaSSMS:
ServerRoles

33
Database Roles
User-defined orApplicationRoles:
Users withthe CREATE ROLE permissioncancreate new user-defineddatabase
rolesto representgroupsof userswithcommonpermissions.
User definedrolescanbe createdviaT-SQL or SSMS.
Feature Comparison:
Oracle and SQL Serverbothprovide systemroleswithpredefinedprivilegesand
user-definedroles.
Migration
Approach
SSMA tool doesn’tsupportautomaticmigrationof roles.InSQLServer,Rolescan
be createdmanuallyusingT-SQLor SSMA.
In Oracle,rolesare available atthe instance orserverlevel andcanbe granted
privilegesonmore thanone schema.SQL Serveruser-definedrolesare local toa
database and ownedbya user.Hence,whenmigratingarole fromOracle to
SQL Server,a role hasto be createdineachof the databasesinwhichprivileges
have to be granted.
Two important storedproceduresfor granting roles inSQL Server
sp_addsrvrolemember can be usedfor grantingfixedsystemrolesand
sp_addrolemember can be usedfor grantingfixeddatabase roles.
To add a login to a server role
EXEC sp_addsrvrolemember 'JohnDoe', 'dbcreator';
To remove a loginfrom a fixedserverrole

34
Data Encryption
EXEC sp_dropsrvrolemember 'JohnDoe', 'dbcreator';
To get serverroles list,use sp_helpsrvrole.
To get permissions listeachserverrole has, use sp_srvrolepermission.
T-SQL to create user-definedrole(s) inSQLServer
sp_addrole [ @rolename = ] 'role_name'
[ , [ @ownername = ] 'owner' ]
To give userread permissionson all tables
N'db_datareader role:
EXEC sp_addrolemember N'db_datareader', N'your-user-name'
To give userall WRITE permissions(INSERT,UPDATE, DELETE) on all tables (use
db_datawriter role)
EXEC sp_addrolemember N'db_datawriter', N'your-user-name'
The scope of db_owner isa database;the scope of sysadmin is the whole server.
To add usersto a database role
exec sp_addrolemember 'db_owner', 'UserName'
Users can be assigned todatabase roles,inheritinganypermissionsets
associatedwiththose roles. sp_addrolemember addsa database user,database
role,Windowslogin,orWindowsgrouptoa database role inthe current
database.
To get fixeddb roleslist
sp_helpdbfixedrole
To get permissionslisteach database role has
sp_dbfixedrolepermission.
References https://docs.oracle.com/cd/B10501_01/server.920/a96521/privs.htm
https://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i10
06858
https://msdn.microsoft.com/en-us/library/ms188659.aspx ( Server-levelroles)
https://www.toadworld.com/platforms/sql-server/w/wiki/9764.built-in-server-
roles-database-roles
http://searchsqlserver.techtarget.com/feature/Create-a-user-defined-server-
role-in-SQL-Server-2012-with-T-SQL-SSMS

35
Feature Data Encryption
Description Authentication,authorization,andauditingmechanismssecure datainthe
database,butnot inthe operatingsystemdatafileswhere dataisstored.
Oracle introducedTransparentDataEncryption (TDE).TDE provides
mechanismtoencryptthe data storedinthe OS data files.Toprevent,
unauthorizeddecryption,TDEstoresthe encryptionkeysinasecurity
module outside of the database calledWallet(Keystore inOracle Database
12c).
You can configure Oracle KeyVaultaspart of the TDE implementation.This
enablesyoutocentrallymanage TDEkeystores(calledTDEwalletsin
Oracle KeyVault) inyourenterprise.Forexample,youcanuploada
software keystore toOracle KeyVaultandthenmake the contentsof this
keystore available tootherTDE-enableddatabases.
Category Security
Find Feature
Enablement
SELECT count(*) FROM dba_encrypted_columns;
Encryptionisthe processof obfuscatingdatabythe use of a keyor
password.Thiscan make the data uselesswithoutthe corresponding
decryptionkeyorpassword.Encryptiondoesnotsolve accesscontrol
problems.However,itenhancessecuritybylimitingdatalossevenif access
controlsare bypassed.Forexample,if the database hostcomputeris
misconfiguredandahacker obtainssensitive data,thatstoleninformation
mightbe uselessif itisencrypted.Youcanuse encryptioninSQLServerfor
connections,data,andstoredprocedures.
Althoughencryptionisavaluable tool tohelpensuresecurity,itshouldnot
be consideredforall dataor connections. Considerhow userswill access
data- If usersaccessdata over a publicnetwork,dataencryptionmightbe
requiredtoincrease security.However,if all accessinvolvesasecure
intranetconfiguration,encryptionmightnot be required.Anyuse of
encryptionshouldalsoinclude amaintenance strategyforpasswords,keys,
and certificates.
Transparent Data Encryption (TDE) encryptsSQLServer,Azure SQL
Database,and Azure SQLData Warehouse datafiles,knownasencrypting
data at rest.TDE performsreal-timeI/Oencryptionanddecryptionof the
data and logfiles.The encryptionusesadatabase encryptionkey(DEK),
whichisstoredinthe database bootrecordfor availabilityduringrecovery.
The DEK isa symmetrickeysecuredbyusinga certificate storedinthe
masterdatabase of the serveroran asymmetrickeyprotectedbyanEKM
module.TDEprotectsdata "at rest",meaningthe data andlog files.It
providesthe abilitytocomplywithmanylaws,regulations,andguidelines
establishedinvariousindustries.Thisenablessoftware developersto
encryptdata by usingAESand 3DES encryptionalgorithmswithout
changingexistingapplications. Encryptionof the database file isperformed
at the page level.The pagesinanencrypteddatabase are encryptedbefore
theyare writtentodiskanddecryptedwhenreadintomemory. TDEdoes
not increase the size of the encrypteddatabase. TransparentData
Encryption”can helpachieve compliancywithPaymentCardIndustryData

36
SecurityStandard. TDE providesstrongencryption,butwithsome
shortcomings.First,youmustencryptanentire database.Nogranularityis
offeredata lowerlevel,suchasencryptingspecifictablesorcertaindata
withinatable.Second,TDE encryptsonlydataat rest,in files.Datain
memoryor in-flightbetweenthe applicationandserverare unencrypted.
SQL Server2016 addsa new securityfeature that helpsprotectdataatrest
and inmotion,on-premises&cloud:AlwaysEncrypted
AlwaysEncryptedallowsvery granularencryption,all the waydownto
individualcolumns.AlwaysEncryptedalsofullyencryptsdataatrest,in
memory,andin-flight.
AlwaysEncryptedallowsclientstoencryptsensitive datainside client
applicationsandneverrevealthe encryption keystothe Database Engine
(SQL Database or SQL Server).Asaresult,AlwaysEncryptedprovidesa
separationbetweenthose whoownthe data(andcan view it) andthose
whomanage the data (butshouldhave noaccess).
AlwaysEncryptedenablescustomers toconfidentlystore sensitive data
outside of theirdirectcontrol.Thisallowsorganizationstoencryptdataat
restand in use forstorage in Azure,toenable delegationof on-premises
database administrationtothirdparties,ortoreduce securityclearance
requirementsfortheirownDBA staff.
AlwaysEncryptedmakesencryptiontransparenttoapplications.AnAlways
Encrypted-enableddriverinstalledonthe clientcomputerachievesthisby
automaticallyencryptinganddecryptingsensitivedatainthe client
application.The driverencryptsthe datainsensitive columnsbefore
passingthe data to the Database Engine,andautomaticallyrewrites
queriessothatthe semanticstothe applicationare preserved.Similarly,
the drivertransparentlydecryptsdata,storedinencrypteddatabase
columns,containedinqueryresults.
SQL Serverencryptsdatawitha hierarchical encryptionandkey
managementinfrastructure.Eachlayerencryptsthe layerbelow itbyusing
a combinationof certificates,asymmetrickeys, andsymmetrickeys.
Asymmetrickeysandsymmetrickeyscanbe storedoutside of SQL Server
inan Extensible KeyManagement(EKM) moduleorexternal trustedkey
stores,suchas Azure KeyVault,WindowsCertificateStore ona client
machine,ora hardware securitymodule.
Feature Comparison:
Like Oracle,EncryptionatRest forData filesissupportedinSQLServer.Like
Oracle,Encryption keyscanbe storedoutside of database inKeyVaults.
Migration Approach SSMA doesnotsupportmigrating encryption configurations.

37
First,we needtodecryptall the Oracle data;migrate and thensetup
encryptioninSQLServer.
TDE can be set upin SQL ServerbyusingT-SQLto firstcreate masterkey,
certificate,anddatabase encryptionkeyandthenenable encryption using
T-SQL ALTER DATABASE command.
ConfiguringAlwaysEncrypted
The initial setupof AlwaysEncryptedinSQLServer involvesgenerating
AlwaysEncryptedkeys,creatingkeymetadata,configuringencryption
propertiesof selecteddatabase columns,and/orencryptingdatathatmay
alreadyexistincolumnsthatneedtobe encrypted.
Please note thatsome of these tasksare not supportedinTransact-SQLand
require the use of client-side tools.AsAlwaysEncryptedkeysandprotected
sensitivedataare neverrevealedinplaintexttothe server,the Database
Engine cannotbe involvedinkeyprovisioningandperformdataencryption
or decryptionoperations.
You can use SQL ServerManagementStudioorPowerShell toaccomplish
such tasks.
Task SSMS PowerShell T-SQL
Provisioning column master keys,
column encryption keys and encrypted
column encryption keys with their
corresponding column master keys.
Yes Yes No
Creating key metadata in the database. Yes Yes Yes
Creating new tables with encrypted
columns
Yes Yes Yes
Encrypting existing data in selected
database columns
Yes Yes No
T-SQL example to enable encryption
CREATE TABLE [dbo].[Students] (
[StudentID] INT IDENTITY (1, 1) NOT NULL,
[SSN] CHAR (11) COLLATE Latin1_General_BIN2 ENCRYPTED WITH
(COLUMN_ENCRYPTION_KEY = [ColumnEncryptionKey1],
ENCRYPTION_TYPE = Deterministic, ALGORITHM =
'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
[FirstName] NVARCHAR (50) NULL,
[LastName] NVARCHAR (50) NOT NULL,
[StreetAddress] NVARCHAR (50) NOT NULL,
[City] NVARCHAR (50) NOT NULL,
[ZipCode] CHAR (5) NOT NULL,
[BirthDate] DATE ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY =
[ColumnEncryptionKey1], ENCRYPTION_TYPE = Deterministic,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,

38
CONSTRAINT [PK_dbo.Students] PRIMARY KEY CLUSTERED
([StudentID] ASC)
);
s
To access encryptedcolumns(evenif notdecryptingthem) VIEW ANY
COLUMN permissionsneedtobe explicitlygranted.
References https://docs.oracle.com/database/121/ASOAG/asotrans.htm#ASOAG10136
(Oracle TransparentData Encryption)
http://www.oracle.com/technetwork/database/security/tde-faq-
093689.html
https://msdn.microsoft.com/en-us/library/bb510663.aspx (SQLServer
Encryption)
http://dba.stackexchange.com/questions/137531/in-sql-server-2016-what-
is-the-difference-between-always-encrypted-and-transpar
http://www.dbta.com/Columns/SQL-Server-Drill-Down/Stronger-Security-
Via-Always-Encrypted-in-SQL-Server-2016-106815.aspx
Logins/User Accounts
Feature Login/UserAccounts
Description Oracle providesloginsforauthorizeduserstoconnecttothe database.
whichare referredtoasthe useror username,and anyoperationthe
usercan performiscontrolledbyprivilegesgrantedtothe login. A user
name is database systemwide inOracle,thoughOracle 12cpluggable
databasescan have theirownusers.
o In Oracle,usersandschemasare essentiallysame.
o Considerauseras the account youuse to connectto a database,
and A schemaisa logical containerforthe database objects(suchas
tables,views,triggers,andsoon) that the usercreates.
o Whenyoucreate a user,youare alsoimplicitlycreatingaschema
for that user.
o Schemaisownedbya user.A user maybe givenaccesstoschema
objectsownedbydifferentUsers.
Category Server
Find Feature
Enablement
User accountscan be accessedthrougha systemview calledALL_USERS
SELECT * FROM ALL_USERS;
In SQL Server,the privilegesatthe instance are assignedtothe login,
and privilegesinsideadatabase are giventothe relateddatabase user.
A database userismappedback to an instance login.

39
o In SQL Server,schemaand userare separate things.The usersare
onlyusedto loginand define permissions.One schemaisthe dbo
(or database owner) schema.
o In the three-partname 'mydb.dbo.mytable',mydbisadatabase
(physical grouping),while dboisaschema(logical grouping).
o Althoughthe termsloginanduserare oftenusedinterchangeably,
theyare verydifferent.
o A "Login"grants the principal entryintothe SERVER.
o A "User"grants a loginentryintoasingle DATABASE.
o One "Login"can be associatedwithmanyusers(one per
database).
o In SQL Server,DBA add loginstothe SQL Serverinstance,andthese
loginsare mappedtousersin individual databasesonthe SQL
Serverinstance.
o Database userswhowill create tablesandfeature classesmusthave
privilegesnecessarytocreate these objectsinthe database,and
theymusthave a schemainwhichtheycan create them.
Feature Comparison:
A username isdatabase systemwide inOracle,butSQL Serveruses
loginIDsto access the instance anduseraccounts forindividual
databases.
Therefore,comparedtoOracle;InSQL Server, additionally,auser
account mustbe createdineverydatabase thata loginneedsaccessto
and can be nameddifferentlyfromthe loginname.
Migration Approach SSMA doesn’tsupportautomaticmigration of UserAccounts.InSQL
Server,use T-SQLto create logins& usersandassignpermissions.
Beloware helpful hints/guidance tomigrate UsersfromOracle to SQL
Server:
Users of Oracle and SQL Serverdatabasesare broadlyclassifiedas
administrativeusers,applicationusers,andschemaowners.
 Administrative usersare userswithspecial roles,suchasdatabase
administratorandsecurityadministrator.
 Applicationusersare userswhomanipulate datainthe owning
user'stables.
 Schemaownersare userswho create andmaintainobjectsrelated
to an application.
The basics forthe creationof all the three typesof usersare the same.
The followingquerycanbe runin the source Oracle database to create a
listof usersthat have privilegesonanyobjectin a specificschema.The
queryisconstrainedtoonlya specificschemaanditsusers.Thisaidsin
situationswhere onlyasubsetof the schemasandthe relatedusersare
beingmigrated:
SELECT grantee FROM dba_tab_privs WHERE owner = username

40
UNION
SELECT grantee FROM dba_col_privs WHERE owner = username;
Or we can implement dynamic SQL and have the output
automatically generated for the user like the below:
Select 'grant '||privilege||' on
'||owner||'.'||table_name||' to '||grantee||';' from
dba_tab_privs where owner='&NAME';
The ‘&’ place holder will prompt/ask the user for the of
the owner during execution and replace that place holder
with the name.
The grantee couldbe a useror a role. Obtainthe characteristicsof user
accounts inOracle to be migrated:
SELECT du.username,
DECODE(du.password,'EXTERNAL','EXTERNAL','DB')
"AUTHENTICATION MODE",
du.default_tablespace, du.temporary_tablespace,
dp.resource_name, dp.limit
FROM dba_users du, dba_profiles dp
WHERE du.profile = dp.profile
AND dp.resource_type = 'PASSWORD'
AND du.username = OE;
where OEis the name of the userthat isbeingmigrated.
Create SQL Serverloginaccountsthatprovide accessto the SQL Server
instance,and Create a useraccount ineach of the databasesinwhich
the schema'sobjectshave beenmigrated.
The systemstoredprocedure sp_grantlogin isusedto create a SQL
Serverloginfora domain-authenticatedaccount. sp_addlogin isused
to create a SQL Serverauthenticatedaccount.The procedure
sp_grantdbaccess isusedto create useraccounts inthe individual
databasesforthese logins.Useraccountsshouldbe createdina
database onlyif there are objectsinthe database the userneedsto
access.
T-SQL DDL commands:
To create login
CREATE LOGIN AbolrousHazem WITH PASSWORD =
'340$Uuxwp7Mcxo7Khy';
Followingcreatesadatabase userforthe logincreatedabove: CREATE
USER AbolrousHazem FOR LOGIN AbolrousHazem;
To retrieve all LoginsinSQLServer,youcan execute the followingSQL
statement:
SELECT * FROM master.sys.sql_logins;

41
For a listof SQL Users:
SELECT * FROM sys.database_principals
Afterusermigrationisdone,make sure toreproduce the privilegesthey
possessinthe Oracle database.
References https://msdn.microsoft.com/en-us/library/aa337545.aspx
https://www.techonthenet.com/sql_server/users/create_login.php
Row-Level Security
Feature Row-Level Security
Description Protectdata privacyby ensuringthe rightaccessacross rows
Fine-grainedaccesscontrol overspecificrowsina database table
Helppreventunauthorizedaccesswhenmultiple users share the
same tables,orto implementconnectionfilteringinmultitenant
applications.
Oracle Label Security (OLS) enablesyoutoenforce row-levelsecurity
for yourtables.Hidesrowsanddata dependingonuseraccess
grants.You can accomplishthisby assigningone ormore security
labelsthatdefine the levelof securityyouwantforthe data rowsof
the table.
You thencreate a securityauthorizationforusersbasedonthe OLS
labels.
For example,rowsthatcontainhighlysensitivedatacan be assigned
a label entitledHIGHLYSENSITIVE;rowsthat are lesssensitive canbe
labeledasSENSITIVE,andsoon.Rows thatall userscan have access
to can be labeledPUBLIC.Youcan create as manylabelsasyou need,
to fityour site'ssecurityrequirements.Inamultitenant
environment,the labelsapplytothe local pluggable database(PDB)
and the sessionlabelsapplytolocal users.
Afteryoucreate and assignthe labels,youcanuse Oracle Label
Securitytoassignspecificusersauthorizationforspecific rows,based
on these labels.Afterward,Oracle Label Securityautomatically
comparesthe label of the data row withthe securityclearance of the
userto determine whetherthe userisallowedaccesstothe data in
the row.
You can create Oracle Label SecuritylabelsandpoliciesinEnterprise
Manager, or youcan create themusingthe SA_SYSDBA,
SA_COMPONENTS,andSA_LABEL_ADMIN PL/SQL packages.

42
Category Security
To Find Feature
Enablement
Checkif Oracle Label Securityisenabled:
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle
Label Security';
In SQL Server, ImplementRLSbyusingthe CREATE SECURITY POLICY
Transact-SQLstatement,andpredicatescreatedasinline table
valuedfunctions.
It ishighly recommendedtocreate a separate schemaforthe RLS
objects(predicate functionandsecuritypolicy).
RLS supportstwotypesof securitypredicates.
FILTER silentlyfiltersthe rowsavailabletoreadoperations(SELECT,
UPDATE, and DELETE).
BLOCK explicitlyblockswrite operations(AFTERINSERT,AFTER
UPDATE, BEFORE UPDATE, BEFORE DELETE) that violate the
predicate.
Accessto row-level dataina table isrestrictedbya security
predicate definedasaninline table-valuedfunction.The functionis
theninvokedandenforcedbyasecuritypolicy.Forfilterpredicates,
there isno indicationtothe applicationthatrowshave beenfiltered
fromthe resultset;if all rowsare filtered,thenanull setwill be
returned.Forblockpredicates,anyoperationsthat violatethe
predicate will failwithanerror.
AdministerviaSQLServerManagementStudioorSQL ServerData
Tools
Enforcementlogicinside the database andschemaboundtothe
table.
Feature Comparison:
RLS feature issupportedbySQL Serveraswell.
The access restrictionlogicislocatedinthe database tierratherthan
away fromthe data in anotherapplicationtier.The database system
appliesthe accessrestrictionseverytime thatdataaccessis
attemptedfromanytier.
Migration Approach SSMA can’t migrate Row Level Securitydirectly.
In SQL Server,Row-Level Securitycanbe implementedmanually by
usingthe CREATE SECURITY POLICYTransact-SQLstatement,and
predicates definingfilteringcriteriacreatedasinlinetable valued
functions.
Step1: Create a new inline tablevaluedfunction.The function
returns1 whena row in the SalesRepcolumnisthe same asthe user
executingthe query(@SalesRep=USER_NAME()) or if the user
executingthe queryisthe Manageruser(USER_NAME() =
'Manager').

43
Data Masking
CREATE TABLE Sales
(
OrderID int,
SalesRep sysname,
Product varchar(10),
Qty int
);
Note: Schema needs to be created first to successfully
create the below function:
CREATE SCHEMA Security;
CREATE FUNCTION Security.fn_securitypredicate(@SalesRep
AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_securitypredicate_result
WHERE @SalesRep = USER_NAME() OR USER_NAME() =
'Manager';
Note: Supports SQL Server 2014
Step2: Create a securitypolicyaddingthe functionasafilter
predicate.The state mustbe setto ON to enable the policy.
CREATE SECURITY POLICY SalesFilter
ADD FILTER PREDICATE
Security.fn_securitypredicate(SalesRep)
ON dbo.Sales
WITH (STATE = ON);
References https://docs.oracle.com/database/121/TDPSG/GUID-72D524FF-
5A86-495A-9D12-14CB13819D42.htm#TDPSG94446 (EnforcingRow-
Level SecuritywithOracle Label Security)
https://msdn.microsoft.com/en-us/library/dn765131.aspx (Row-
Level Security)
https://www.datavail.com/blog/row-level-security-never-got-this-
easy-with-sql-server-2016/
http://searchsqlserver.techtarget.com/feature/Put-row-level-
security-to-work-in-Azure-SQL-databases
Feature Data Masking

44
Description Data masking(alsoknownasdata scramblingand data
anonymization) isthe processof replacingsensitive information
copiedfromproductiondatabasestotestnon-productiondatabases
withrealistic,butscrubbed,databasedonmaskingrules.
To mask data,the Data MaskingPack providestwomainfeatures:
Maskingformat library- The formatlibrarycontainsacollectionof
ready-to-use maskingformats.
Maskingdefinitions-A maskingdefinitiondefinesadatamasking
operationtobe implementedonone ormore tablesina database.
Maskingdefinitionsassociatetable columnswithformatstouse for
maskingthe data.
Category Security
To Find Feature
Enablement
Dynamicdata maskinglimits(DDM) sensitivedataexposure by
maskingitto non-privilegedusers.Itcan be usedto greatlysimplify
the designandcodingof securityinyourapplication.
DDM can be configuredonthe database tohide sensitive datainthe
resultsetsof queriesoverdesignateddatabasefields,while the data
inthe database isnot changed.Dynamicdatamaskingiseasyto use
withexistingapplications,since maskingrulesare appliedinthe
queryresults.Manyapplicationscanmasksensitivedatawithout
modifyingexistingqueries.
DDM featuresfull maskingandpartial maskingfunctions,aswell asa
randommask fornumericdata.
DynamicData Masking isappliedwhenrunningSQLServerImport
and Export.A database containingmaskedcolumnswillresultina
backupfile withmaskeddata(assumingitisexportedbyauser
withoutUNMASKprivileges),andthe importeddatabase will contain
staticallymaskeddata.
Dynamicdata maskingisavailable inSQLServer2016 and Azure SQL
Database,and isconfiguredbyusingTransact-SQLcommands.
Feature Comparison:
Like Oracle,bothfull andpartial Data Maskingis supportedinSQL
Server.
Migration Approach SSMA doesnotsupportmigratingData Maskingdirectly.
Basedon Maskingrequirements,SQLServerDynamicDataMasking
can be configured manuallybyusingCREATEor ALTER Transact-SQL
commands:
CREATE TABLE Membership
(MemberID int IDENTITY PRIMARY KEY,
FirstName varchar(100) MASKED WITH (FUNCTION =
'partial(1,"XXXXXXX",0)') NULL,
LastName varchar(100) NOT NULL,

45
Case Sensitive Password
Feature Case Sensitive Password
Description Case sensitive userpasswordsinOracle: Oracle by defaultforce case
sensitivityof userpasswords.The usersmustprovidepasswordsin
the same case (upper,lowerormixed) theycreatedthe password
with.Thisbehavioriscontrolledwithaninitializationparameter
SEC_CASE_SENSITIVE_LOGON.Bydefault,ithasa value TRUE. Oracle
releasesbefore 11gdidn'thave case sensitivityonpassword
Phone# varchar(12) MASKED WITH (FUNCTION =
'default()') NULL,
Email varchar(100) MASKED WITH (FUNCTION = 'email()')
NULL);
Email varchar(100) MASKED WITH (FUNCTION = 'email()')
NULL
ALTER TABLE Membership ALTER COLUMN Email ADD MASKED
WITH (FUNCTION = 'email()')
ALTER COLUMN Email ADD MASKED WITH (FUNCTION =
'email()')
Use the sys.masked_columnsview toqueryfortable-columnsthat
have a maskingfunctionappliedtothem:
SELECT c.name, tbl.name as table_name, c.is_masked,
c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS tbl
ON c.[object_id] = tbl.[object_id]
WHERE is_masked = 1;
Droppinga DynamicData Mask:
ALTER TABLE Membership
ALTER COLUMN LastName DROP MASKED;
GRANT UNMASK TO TestUser;
-- Removing the UNMASK permission
REVOKE UNMASK TO TestUser;
References https://docs.oracle.com/database/121/DMKSB/GUID-
E3C164DC-0004-4857-A038-54EC7B1A5118.htm (Oracle Data
Masking)
http://www.oracle.com/technetwork/database/options/data-
masking-subsetting/overview/ds-security-dms-2245926.pdf
https://msdn.microsoft.com/en-us/library/mt130841.aspx
(DynamicData Masking)

46
Case sensitive passwordinPasswordFileinOracle
ignorecase=nisthe defaultwiththe orapwdcommandinoracle 11g
i.e.youmentionitornot it will force the passwordtobe case
sensitivewhenusersloginasSYSDBA remotely.
To turn off passwordcase sensitivityinpasswordfile we needto
explicitlymentionignorecase=ywhile creatingthe passwordfile.
Category Security
Find Feature Enablement show parameter sec_case_sensitive_logon;
Alternatively, we can use V$parameter if you are
querying Oracle with a GUI:
select name, value from V$parameter where
name='sec_case_sensitive_logon';
If you selectedacase-sensitive collationwhenyouinstalledSQL
Server,yourSQL Serverloginisalsocase sensitive.
Since SQL server is not case sensitive. By default, SELECT *
FROM SomeTable is the same as Select * frOM soMetaBLe.
Feature Comparison:
case-sensitivepasswordisnot configurable optioninSQLServerbut
can be implementedbyapplyingcase-sensitive collation.
Migration Approach SSMA doesn’tsupportautomatedmigrationforcase-sensitive
migration.
To enable passwordcase-sensitivity,Selectacase-sensitive collation
whenyouinstall SQLServer,yourSQL Serverlogin willthenbecome
case sensitive.
For case sensitive passwords you need to use a case-sensitive
collation:
SELECT * FROM dbo.TableName WHERE Password = @ password
COLLATE SQL_Latin1_General_CP1_CS_AS;
ALTER DATABASE { database_name | CURRENT } COLLATE
Latin1_General_100_CI_AS;
The Oracle RDBMS alsoprovidespasswordmanagementfunctions,
such as account locking,passwordlifetimeandexpiration,password
history,andpasswordcomplexity verification.The SQLServer
RDBMS doesnotprovide these services,andWindowssecurityis
usedto provide these features.

47
References http://www.oracleflash.com/37/Oracle-11g-Case-Sensitive-
Passwords.html
https://www.mindstick.com/blog/360/check-case-sensitive-
password-in-sql-server-using-collate-clause
http://stackoverflow.com/questions/1411161/sql-server-
check-case-sensitivity
https://www.webucator.com/how-to/how-check-case-
sensitivity-sql-server.cfm
Total Database Size
Feature Total Database size
Description  DB size = the size of (datafiles+tempfiles+ online/offlineredologfiles+
control files)- Overall DBsize includesusedspace andfree space.
 MaximumDB Size inOracle: There are limits,whichvarydependingon
operatingsystem.Example: if youhave 8kbigfile tablespacesand65,533
filesthe upperlimitissomewhere around2,047 petabytes!
Category Performance
Find Feature
Enablement
select
( select sum(bytes)/1024/1024/1024 data_size from
sys.dba_data_files ) +
( select nvl(sum(bytes),0)/1024/1024/1024 temp_size from
sys.dba_temp_files ) +
( select sum(bytes)/1024/1024/1024 redo_size from sys.v_$log ) +
( select sum(BLOCK_SIZE*FILE_SIZE_BLKS)/1024/1024/1024
controlfile_size from v$controlfile) "Size in GB"
from
dual
Recommendati
on
SQL Serversupportsa maximumsingledatabase size of nearly525petabytes.SQL
Serverdatabase can be furtherexpandedbyeitherincreasingthe size of an
existingdataorlogfile orby addinga new file tothe database.
Please followreferredlinksbelow foractionsrecommendedforexpandingsize of
database.
Feature Comparison:
Like Oracle,SQL Serversize canbe expanded.
Migration
Approach
SQL Serversupportsa maximum singleDBsize of nearly525 petabytes. If
requiredtomigrate biggerdatasize,itcan easilybe expandedbyadding
additional datafiles.Size iseffectivelylimitedonlybydisk size orwindows
limitations.

48
The database is expandedbyeitherincreasingthe size of anexistingdataor log
file orby addinga new file tothe database.
To increase the size of a database usingT-SQL:
USE master;
GO
ALTER DATABASE AdventureWorks2012
MODIFY FILE
(NAME = test1dat3,
SIZE = 20MB);
GO
To add data or logfilestoa database usingT-SQL:
USE master
GO
ADD FILEGROUP Test1FG1;
GO
ADD FILE
(
NAME = test1dat3,
FILENAME = 'C:Program FilesMicrosoft SQL
ServerMSSQL10_50.MSSQLSERVERMSSQLDATAt1dat3.ndf',
SIZE = 5MB,
MAXSIZE = 100MB,
FILEGROWTH = 5MB
),
(
NAME = test1dat4,
FILENAME = 'C:Program FilesMicrosoft SQL
ServerMSSQL10_50.MSSQLSERVERMSSQLDATAt1dat4.ndf',
SIZE = 5MB,
MAXSIZE = 100MB,
FILEGROWTH = 5MB
)
TO FILEGROUP Test1FG1;
GO
To increase the size of a database usingSQL ServerManagementStudio:
1. In ObjectExplorer,connecttoaninstance of the SQL Server Database
Engine,andthenexpandthatinstance.
2. ExpandDatabases,right-clickthe database toincrease,andthenclick
Properties.
3. In Database Properties,selectthe Filespage.
4. To increase the size of an existingfile,increasethe value inthe Initial Size
(MB) columnforthe file.Youmustincrease the size of the database byat
least1 megabyte.
5. To increase the size of the database byaddinga new file,clickAddand
thenenterthe valuesforthe new file.Formore information,see Add
Data or Log Files toa Database.
6. ClickOK.

49
Oracle Database Version
Feature Oracle Database Version
Description The versioninformationisretrievedinatable calledv$version.Itreturns
detailedversionnumberof the database components.
Category General
Find Feature
Enablement
SELECT * FROM SYS.PRODUCT_COMPONENT_VERSION;
SELECT * from V$VERSION;
The most up-to-date versionof Microsoft'sRDBMSis SQL Server2016,
releasedinJune 2016.
Microsoftoffersfourdifferenteditionsof SQLServer2016, plusa web
editionforwebhostingproviders.
ExpressEditionis a lightweightSQLServerdatabase thatcansupportup to
10 GB of data, while DeveloperEditionislicensedexclusivelyfor
developmentandtestenvironments.
The other SQL Serverversions include Enterprise,StandardandWeb.
Enterprise Editioncomeswiththe fullsuite of featuressuitable for
mission-critical databasesandadvancedanalyticsworkloads,while
StandardEditioncomeswitha more limitedsetof featuressuitedtoa
smaller-scale setup.
WebEditionisfor use withpublicwebsitesandis availableexclusivelyto
third-partyhostingserviceproviders,whosetthe price.
Migration Approach You can findversionof SQLServerrunningbyT-SQL query:
SELECT @@VERSION
SQL Server 2016
Microsoft SQL Server 2016 (RTM) - 13.0.1601.5 (X64)
References https://msdn.microsoft.com/en-us/library/ms175890.aspx (Increase the
Size of a Database)
http://docs.oracle.com/cd/B19306_01/server.102/b14237/limits002.htm#
i287915 (physical DB limits)
http://docs.oracle.com/cd/B19306_01/server.102/b14237/limits003.htm#
i288032 (logical DB limits)
http://awads.net/wp/2010/02/15/oracle-database-limits-you-may-not-
know-about/ (data type limits)

50
Apr 29 2016 23:23:58
Copyright (c) Microsoft Corporation
Developer Edition (64-bit) on Windows 10 Pro 6.3 <x64>
(Build 14393: )
In SQL ServerManagementStudio,rightclickonthe instance name and
selectingproperties.The "Productversion"or"Version"givesyoua
numberof the versionthatis installed:
The firstdigitsrefertothe versionof SQLServersuchas:
8.0 for SQL Server2000
10.5 for SQL Server2008 R2
RTM (no SP) SP1 SP2 SP3
SQL Server
2016
13.0.1601.5 13.0.4001.0
or 13.1.4001.0
SQL Server
2014
12.0.2000.8 12.0.4100.1
or 12.1.4100.1
12.0.5000.0
or 12.2.5000.0
SQL Server
2012
codename
Denali
11.0.2100.60 11.0.3000.0
or 11.1.3000.0
11.0.5058.0
or 11.2.5058.0
11.0.6020.0
or 11.3.6020.0
References https://www.techonthenet.com/oracle/questions/version.php
https://www.mssqltips.com/sqlservertip/1140/how-to-tell-what-
sql-server-version-you-are-running/

51
https://support.microsoft.com/en-us/help/321185/how-to-
determine-the-version,-edition-and-update-level-of-sql-server-and-
its-components
http://sqlserverbuilds.blogspot.com/
Set Schema Statement
Feature Set Schema
Description  A "database"inOracle typicallyreferstothe complete instance.
 You can considerthata useristhe account you use to connectto a database,
and A schemaisa logical containerforthe database objects(suchastables,
views, triggers,andsoon) that the usercreates.The CREATE USER command
automatically createsaschemaforsame name.A USER ownsitsSCHEMA. A
usermay be givenaccessto schemaobjectsownedbydifferentUsers aswell.
 The SET SCHEMA statementsetsthe defaultschemaforaconnection'ssession
to the designatedschema.The defaultschemaisusedasthe targetschemafor
all statementsissuedfromthe connectionthatdonotexplicitlyspecifya
schemaname.
Category General
Find Feature
Enablement
 Query database names
o select * from v$database;
o select ora_database_name from dual;
 use selectinstance_name fromv$instance;tofindoutwhichinstance are you
currentlyconnectedto
 TNSNAMES.oraalsoincludesthe detail aboutwhichdatabase instancesyoucan
potentiallyconnectto
Recommenda
tion
 Whena login connectsto SQL Server
o the loginisautomaticallyconnectedtoitsdefaultdatabase and
acquiresthe securitycontextof adatabase user.
o If no database userhas beencreatedforthe SQL Serverlogin,the login
connectsas guest.
o If no defaultdatabase hasbeenassignedtothe login,itsdefault
database will be settomaster.
 USE isexecutedatbothcompile andexecutiontime andtakeseffect
immediately.Therefore,statementsthatappearina batch afterthe USE
statementare executedinthe specifieddatabase. If the database userdoesnot
have CONNECTpermissiononthe database,the USEstatementwill fail.
Feature Comparison:
 As there istypicallyonlyasingle instance/installationthere isnosense in
"switchingadatabase"inOracle. The closestthingtoswitchthe current
schemainOracle is to "USE mydatabase"inSQL Server.
Show databases;
Use databaseName;

52
Migration
Approach
You needtochoose how to map the Oracle schemasto the target.In SQL Server,
schemasare notnecessarilylinkedtoa specificuserora login,andone server
containsmultiple databases.
UsingSSMA tool for migration,youcan follow one of twotypical approachesto
schemamapping:
 By default,inSSMA,everyOracle schemabecomesaseparate SQLServer
database.The targetSQL Serverschemaineachof these databasesissetto
dbo—the predefinedname forthe database owner.Use thismethodif
there are few referencesbetweenOracle schemas.
 Anotherapproachisto map all Oracle schemasto one SQL Serverdatabase.
In thiscase,an Oracle schemabecomesa SQL Serverschemawiththe same
name.To use thismethod,youchange the SSMA defaultsettings.Use this
methodif differentsource schemasare deeplylinkedwitheachother(for
instance if there are cross-referencesbetweenOracle tablesindifferent
schemas,whentriggerisonthe table and the tablesitself are indifferent
schemas…).
SSMA appliesthe selectedschema-mappingmethodconsistentlywhenit
convertsbothdatabase objectsandthe referencestothem.
A schemaisseparate entitywithinthe database.Itiscreatedbyusingthe CREATE
SCHEMA statement.A schemacan be ownedbya user,a role,ora group(formore
informationaboutpossible schemaowners,seethe “Principals”sectioninthis
document).A userexecutingCREATESCHEMA can be the ownerof the schemaor it
can allocate anotheruseras the schemaowner(withappropriate IMPERSONATE
permissions).A schemaonlyhasone owner,buta usercan ownmany schemas.
DefaultSchema
Users can be definedwithadefaultschema.The defaultschemaisthe firstschema
that issearchedwhenitresolvesthe namesof objectsitreferences.
The defaultschemafora user can be definedbyusingthe DEFAULT_SCHEMA
optionof CREATE USER or ALTER USER. If no defaultschemaisdefinedforauser
account,SQL Serverwill assume dboisthe defaultschema.Itisimportantnote that
if the user isauthenticatedbySQLServeras a memberof a groupin the Windows
operatingsystem,nodefaultschemawill be associatedwiththe user.If the user
createsan object,a new schemawill be createdandnamedthe same as the user,
and the objectwill be associatedwiththatuserschema.
References http://docs.oracle.com/javadb/10.8.3.0/ref/rrefsqlj32268.html
http://www.baezaconsulting.com/index.php?option=com_content&view=a
rticle&id=46:use-database-command-in-oracle&catid=7:oracle-
answers&Itemid=12

53
Admin Accounts
Feature AdminAccounts
Description The SYS user isautomaticallygrantedthe SYSDBA privilege uponinstallation.When
youlog inas userSYS, youmust connectto the database as SYSDBA or SYSOPER.
Connectingasa SYSDBA userinvokesthe SYSDBA privilege;connectingasSYSOPER
invokesthe SYSOPERprivilege.EMExpressallowsyoutologin as userSYS and
connectas SYSDBA or SYSOPER. SYS or SYSTEM, are Oracle’sinternal data
dictionaryaccounts.Youset the SYS account passworduponinstallation(Windows)
or configuration(Linux).
CONNECT SYSTEM/<password>
You setthe SYS and SYSTEM account passworduponinstallation(Windows) or
configuration(Linux).
CONNECT SYS/<password> AS SYSDBA
To connectas SYSDBA youmust supply the SYSusername and password.
CONNECT / AS SYSDBA
The slash(/) indicatesthatthe database should authenticate youwithoperating
system(OS) authentication.whenyouconnectwithOSauthentication,youare
effectivelyloggingintothe database as userSYS. Anadministratorwhois
authenticatedthroughOSauthenticationdoesnotneedtoknow the SYSor
SYSTEM account password.
SYSTEM userisalso automaticallycreatedwhenOracle database isinstalled&is
automaticallygrantedthe DBA role
It’susedto create additional tablesandviewsthatdisplayadministrative
information.Thisaccountcanperformall administrative functionsexceptBackup
and recovery,andDatabase upgrade.
While thisaccountcan be usedtoperformday-to-dayadministrative tasks,Oracle
stronglyrecommendscreatingnamedusersaccountforadministeringthe Oracle
database to enable monitoringof database activity.
Whenyouconnect withthe SYSDBA or SYSOPER privilege,youconnectwitha
defaultschema,notwiththe schemathatis generallyassociatedwithyouruser
name.For SYSDBA thisschemais SYS; forSYSOPER the schemaisPUBLIC. The
SYSDBA role is like "root"on Unix or "Administrator"onWindows.
SYSDBA and SYSOPER are administrative privilegestoperformhigh-level admin
operationssuchascreating,startingup,shuttingdown,backingup,or recovering
the database.
The SYSDBA systemprivilege isforfullyempowereddatabase administratorsand
the SYSOPER systemprivilegeallowsauserto performbasicoperational tasks,but
withoutthe abilitytolookatuserdata. The SYSDBA and SYSOPERsystemprivileges

54
allowaccessto a database instance evenwhenthe database isnotopen,andallow
to connectto the database instance tostart the database.
Category Admin
Find Feature
Enablement
Recommendat
ion
SA isa SQL loginadministratoraccountthatcan be usedif mixedauthenticationis
enabledonSQLServer.
Like sa, dboisthe mostpowerful userinadatabase and no permissionscanbe
deniedtohim.dboisa memberof the db_ownerdatabase role.mappingof dbois
not done at usercreation – dbo alwaysexistssince the database wascreated;
instead,the logintowhichdbomapsis determinedbywhatlogin isthe ownerof
the database – dbowill alwaysmaptothe loginthatismarkedas the database
owner.
Feature Comparison:
Like Oracle,rootaccount for SQL servergetscreatedat time of installation,andis
assignedall adminprivileges.
Migration
Approach
AdminAccountsforSQL Serverare set upindependently.There isnomigrationof
Adminaccountsfrom Oracle database.
The SA account getsautomaticallycreatedoneverynew SQLServerinstallation.
But thisaccount isdisabledbydefaultif youselectWindowsAuthenticationduring
setup. sais the primaryadminloginname,whichis,bydefault,mapped tothe dbo
userin all the databases.The sa loginishardcodedtobe a member of the sysadmin
serverrole.sa/sysadminpairrepresentownershipof the serversystem. "sa"isa
SQL Serverlogin,and"BUILTINAdministrators"isanIntegratedWindowsGroup
login.
sa adminiswell-known,sotargetforhackers.Ourrecommendationwouldbe to
disable sa admincreatedaspart of installation;insteadcreate aseparate user&
assignadminprivileges.
References https://docs.oracle.com/database/121/ADMQS/GUID-2033E766-8FE6-4FBA-97E0-
2607B083FA2C.htm#ADMQS12004
https://docs.oracle.com/cd/B25329_01/doc/admin.102/b25107/users_secure.htm
#CHDJIEBA
https://docs.oracle.com/cd/B28359_01/server.111/b28337/tdpsg_user_accounts.
htm#TDPSG20303
https://blogs.msdn.microsoft.com/lcris/2007/09/12/basic-sql-server-security-
concepts-permissions-and-special-principals-sa-dbo-guest/
https://www.mssqltips.com/sqlservertip/3695/best-practices-to-secure-
the-sql-server-sa-account/

55
Data Dictionary
Feature Data Dictionary
Description The data dictionaryisstructuredintablesandviews &store informationabout
the database.
 In Oracle,the data dictionaryisstoredinthe SYSTEM tablespace.The Oracle
userSYS ownsall base tablesanduser-accessible viewsof the data
dictionary. Whenyouconnectas userSYS, althoughyouhave unlimited
privilegesondatadictionarytables;butyoudon’tmodify anydata
dictionarytables.
 A data dictionarycontains:
o The definitionsof all schemaobjectsinthe database (tables,views,
indexes,clusters,synonyms,sequences,procedures,functions,
packages,triggers,andsoon)
o How muchspace hasbeenallocatedfor,andiscurrentlyusedby,
the schemaobjects
o Defaultvaluesforcolumns
o Integrityconstraintinformation
o The namesof Oracle users
o Privilegesandroleseachuserhasbeengranted
o Auditinginformation,suchaswhohas accessedor updatedvarious
schemaobjects
 Oracle createspublicsynonymsformanydatadictionaryviewssouserscan
access themconveniently.
 In Oracle the instance andthe database are closelyrelated,there are not
systemdatabaseslike inSQLServer.
Category Admin
To Find Feature
Enablement
Data DictionaryView
Prefix
Scope
USER User's view (whatisinthe user'sschema)
ALL Expandeduser'sview (whatthe usercanaccess)
DBA Database administrator'sview (whatisinall users'
schemas)

56
o ViewDatadictionary: SELECT * from DICT;
o thisqueryreturnsall the objectscontainedinyourschema:
SELECT object_name, object_type FROM USER_OBJECTS;
o thisqueryreturnsall the objectstowhichyou have access:
SELECT owner, object_name, object_type FROM ALL_OBJECTS;
o to querythe DBA views, administratorsmustprefix the view name withits
owner,SYS,as inthe following:
SELECT owner, object_name, object_type FROM SYS.DBA_OBJECTS;
o Oracle recommendsthatyouprotectthe data dictionarytopreventusers
that have the ANY systemprivilegefromusingthose privilegesonthe data
dictionary.Toenable datadictionaryprotection,followinginitialization
parametersetto FALSE(whichisdefault) inthe initsid.oracontrol file:
O7_DICTIONARY_ACCESSIBILITY=FALSE. Thisrestrictsaccessto objectsin
the SYS schema(dictionaryobjects) touserswiththe SYSschema.These
usersare SYS andthose whoconnectas SYSDBA.
SELECT owner, object_name, object_type FROM SYS.DBA_OBJECTS;
Recommendatio
n
o SQL ServerSystemCatalogcontaininformationaboutall the objects,data
types,constraints,configurationoptions,andresourcesavailable toSQL
Server.Each database hasa systemcatalogandthe structure of the
database isdefinedbythiscatalog.
o Systemcatalogisstoredin the systemtables.All SQLServersystemtables
are undersysschemaso have namesprefixedwith"sys".
o Systemcatalogconsistsof the following:
o CatalogView:Thisisthe bestwayto access systemmetadata.

57
o Backward CompatibilityViews:This containsall systemtablesfrom
previousreleases
o DynamicManagementViews:Theseenableinsightintothe current
state of the SQL Serversystemandprovide real-time snapshotsof
internal memorystructuresindicatingthe serverstate.
o INFORMATION_SCHEMA Views:ForSQL-99 standardscompliance;
allowtoview systemmetadata.
o In SQL Server,eachinstance hasthe systemdatabaseswhich
includes:
 the masterdatabase which storesthe systeminformation,
 the model database whichcontainsaconfiguration
template fornew databasescreated,
 the tempdbdatabase usedfortemporarystorage or
temporaryresults,
 the msdbdatabase whichcontainsthe SQL ServerAgent
configurationand
 the resource database whichcontainssystemobjects
includedinSQLServer.
Feature Comparison:
Similar to Oracle, SQL Server provides system views and table for
metadata on database objects.
Migration
Approach
SSMA forOracle V6.0 can convertOracle systemviews,whichare frequently
used.Itdoesnot convertcolumnsthatare too closelylinkedwithOracle
physical structuresorhave no equivalentinSQLServer2014.
Please referSSMA Guide- EmulatingOracle SystemObjectspage 21
SQL Server’s resource database containsthe metadataforsystemstored
procedures
SELECT * FROM sys.columns WHERE object_id =
object_id(‘myTable’);
SELECT * FROM mydb.INFORMATION_SCHEMA.TABLES;
The followingtable mapsthe systemtablestotheircorrespondingsystemviews
or functionsinSQL Server2016.

58
System table System views or functions Type of
view or
function
sysaltfiles sys.master_files Catalog view
syscacheobjects sys.dm_exec_cached_plans
sys.dm_exec_plan_attributes (Transact-SQL)
sys.dm_exec_sql_text
sys.dm_exec_cached_plan_dependent_objects
Dynamic
management
view
syscharsets sys.syscharsets Compatibility
view
sysconfigures sys.configurations Catalog view
syscurconfigs sys.configurations Catalog view
sysdatabases sys.databases Catalog view
sysdevices sys.backup_devices Catalog view
syslanguages sys.syslanguages Compatibility
view
syslockinfo sys.dm_tran_locks Dynamic
management
view
syslocks sys.dm_tran_locks Dynamic
management
view
syslogins sys.server_principals
sys.sql_logins
Catalog view
sysmessages sys.messages Catalog view
sysoledbusers sys.linked_logins Catalog view
sysopentapes sys.dm_io_backup_tapes Dynamic
management
view
sysperfinfo sys.dm_os_performance_counters Dynamic
management
view
sysprocesses sys.dm_exec_connections
sys.dm_exec_sessions
sys.dm_exec_requests
Dynamic
management
view
sysremotelogins sys.remote_logins Catalog view

Oracle to SQL Server Migration Guide

Oracle to SQL Server Migration Guide

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Oracle to SQL Server Migration Guide

Similar to Oracle to SQL Server Migration Guide (20)

Recently uploaded

Recently uploaded (20)

Oracle to SQL Server Migration Guide