In addition to the standard database security Oracle provides and enforces for all database objects — tables, views, and the like — Oracle also provides an application security scheme for SQL*Plus. This allows you to control the specific commands a SQL*Plus user is allowed to execute. At the core of the SQL*Plus application security scheme is the product user profile.
The product user profile is an Oracle table, owned by the SYSTEM user, that contains a list of SQL*Plus command restrictions by user. The table may contain role restrictions as well. The name of this table used to be PRODUCT_USER_PROFILE. Now it is just PRODUCT_PROFILE, but a synonym named PRODUCT_USER_PROFILE exists to ensure backwards compatibility.
Primarily, the product user profile enables you to give end users access to SQL*Plus for reporting and ad-hoc query purposes, yet restrict them from using SQL*Plus commands such as INSERT, DELETE, etc., that might damage production data.
Real-world applications typically implement a large number of business rules, edit checks, and even security at the application level rather than within the database. Modifying the data using an ad-hoc tool, such as SQL*Plus, bypasses the rules and puts data integrity at risk. Because of this, it’s usually important to ensure that data is modified through the application, where the rules can be enforced.
If you give people an application ...