6.11. Answers to Review Questions

  1. B. Authentication by the operating system is called external authentication, and the Oracle account name must match the operating system account name prefixed with the OS_AUTHENT_PREFIX string.

  2. D. Any operation that requires a large sort or other creation of temporary segments will create, alter, and drop those temporary segments in the TEMPORARY tablespace.

  3. A. Altering a table in another user's schema requires either the object privilege ALTER on that object or the system privilege ALTER ANY TABLE. Option A has the correct syntax for granting the ALTER object privilege on gl.accounts to user desmond. Although option C would allow user desmond to alter his own tables, he would need the ALTER ANY TABLE privilege to alter another user's table.

  4. D. Either the ALTER ANY TABLE system privilege or the ALTER object privilege is required. To confer the ability to further grant the privilege requires the keywords WITH ADMIN OPTION for system or role privileges or the keywords WITH GRANT OPTION for object privileges. Only option D has both the correct syntax and the correct keywords.

  5. D. The ALL option for a sequence includes the SELECT and ALTER privileges. The SELECT privilege lets Regina select the next value from the sequence. The ALTER privilege lets Regina change the cache but not the next value.

  6. A. When object privileges are granted through an intermediary, they are implicitly dropped when the intermediary is dropped. There are no CASCADE REVOKE or NOCASCADE REVOKE options.

  7. B. When system privileges are granted through an intermediary, they are not affected when the intermediary is dropped. There are no CASCADE REVOKE or NOCASCADE REVOKE options.

  8. D. The CREATE ANY JOB and CREATE ANY PROCEDURE system privileges allow the grantee to create and run programs with the privileges of another user. The ALTER USER privilege allows the grantee to change a user's password, connect as that user, and then change the password back. These are all powerful system privileges and should be restricted to as few administrative users as practical.

  9. D. The SET ROLE statement enables or disables roles in the current session.

  10. B. To enable a password-protected role, you need to either execute a SET ROLE statement specifying the password or alter the user to make the role a default role. Default roles do not require a SET ROLE statement or a password to become enabled.

  11. A. By default, user accounts have no quota in any tablespace. Before a user can create a table or an index, you need to either give the user a quota in one or more specific tablespaces, or grant the UNLIMITED TABLESPACE system privilege to give unlimited quota (including autoextends) in all tablespaces.

  12. C. Profiles limit the amount of idle time, CPU time, logical reads, or other resource-oriented session limits. Option C uses the correct syntax to limit idle time for a session to 30 minutes.

  13. B. Although option D could also work, it involves storing the passwords in a table in the database, which could be a security concern. It also takes a lot more effort to configure and maintain. The better technique is to use the standard database profile features PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX. Setting one of these profile parameters to UNLIMITED and the other to a specific value prevents passwords from being reused. If both of these profile parameters are set to UNLIMITED, these parameters are essentially disabled. There is no initialization parameter called NO_PASSWORD_REUSE.

  14. C. There are no standard password complexity settings in either the initialization parameters or profiles. A password verify function can validate new passwords against any rules that you can code in PL/SQL, including regular expression comparisons.

  15. D. The object privileges on a table include SELECT, INSERT, UPDATE, DELETE, ALTER, INDEX, REFERENCES, and DEBUG, but not READ. READ is a valid object privilege, but only on a directory, a database object that is outside the scope of the OCA exam.

  16. D. This question is tricky. All the options look correct and in fact are mostly true. But option D is the most correct option. Password-protected roles that are included in a user's default role list are enabled by default and do not need a password. Your session_roles view contains both roles granted directly to you and those you inherit through another role. You cannot disable roles that you inherit by way of another role without disabling the role granted directly to you. For example, you cannot disable SCHEDULER_ADMIN without disabling DBA. Limiting a profile to 10 minutes of idle time will cause future sessions to time out after 10 idle minutes, but only if the initialization parameter RESOURCE_LIMIT is set to TRUE (the default is FALSE). Because each schema owner can be assigned tablespace quotas, you can effectively limit all of a user's segments to a maximum size, thus setting an upper limit on the size of any single table.

  17. A. You limit the number of failed logon attempts with a profile.

  18. D. The destination of audit trail records is controlled by the initialization parameter audit_trail. Setting this parameter to DB or DB_EXTENDED causes the audit trail to be written to a database table. Setting the parameter to OS causes the audit trail to be written to an operating system file.

  19. D. Audit unsuccessful deletions from the audit table with the following SQL:

    AUDIT DELETE ON sys.aud$ WHENEVER NOT SUCCESSFUL;

    Audit unsuccessful selects from all tables with the following:

    AUDIT NOT EXISTS;

    Audit all grant and revoke statements on procedures executed by user SYSTEM with the following:

    AUDIT grant procedure BY system;

  20. B. Fine-grained auditing is managed using the DBMS_FGA package. The AUDIT and NOAUDIT statements are used to manage statement, privilege, or object auditing. The GRANT and REVOKE statements are used to manage system, object, and role privileges. The CREATE, ALTER, and DROP statements are used to manage several types of database objects and settings.
