O R A C L E C E R T I F I C A T I O N
1Z0-116 Oracle Database Security Administration Practice Exam
Exam Number: 4829 | Last updated April 19, 2026 | 700+ questions across 4 vendor-aligned objectives
The 1Z0-116 Oracle Database Security Administration exam is written for DBAs and security engineers who lock down Oracle Database. Candidates validate the ability to harden the listener and the database, enforce strong authentication, manage privileges with Database Vault, encrypt data at rest with Transparent Data Encryption, and audit sensitive activity with Unified Auditing and Oracle Data Safe.
The heaviest content is Authentication, Privileges, and Roles (roughly 30%), covering user provisioning, password profiles, proxy authentication, secure application roles, and least-privilege role design. Access Control and Database Vault contributes another 25% with realms, command rules, factors, and separation of duties.
Encryption and Data Protection sits near 20% and drills into Transparent Data Encryption for tablespaces and columns, Network Data Encryption, and key management with Oracle Key Vault. Auditing, Masking, and Monitoring rounds out the remaining weight with Unified Auditing, Fine-Grained Auditing, Data Redaction, Data Masking, and Oracle Data Safe.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Oracle documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations. Learn about our methodology →
383
practice exam users
91.9%
satisfied users
89.0%
passed the exam
4.7/5
quality rating
Test your 1Z0 116 DB Security Admin knowledge
10 of 700+ questions
Question #1 - Authentication, Privileges, and Roles
A DBA at a bank needs to build a secure application role that grants a specific set of privileges only when the application connects from a particular program name. No direct user should be able to enable the role outside the application.
Which Oracle feature fits context-aware secure application role enabling?
A) A secure application role enabled by a PL/SQL procedure that verifies the client identity and program context.
B) A password-protected role published in the application config file.
C) A default role granted to every user.
D) The DBA role granted broadly.
Show solution
Correct answers: A – Explanation:
Secure application roles are enabled only by a verifying PL/SQL procedure at runtime, tying role activation to context (program, IP, etc.). Option C over-grants. Option B exposes the password. Option D grants far too much. Source: Check Source
Question #2 - Access Control and Database Vault
A security architect wants to prevent even the DBA from SELECTing from a sensitive HR schema while still allowing the HR application service account to do so.
Which Oracle feature enforces this separation of duties?
A) A password on every query by the DBA.
B) Database Vault realms with authorized grantees limited to the HR application role.
C) Relying on the DBA’s integrity.
D) Dropping the DBA privilege entirely.
Show solution
Correct answers: B – Explanation:
Database Vault realms protect schemas from unauthorized access regardless of normal privileges, enforcing separation of duties — designed for this exact scenario. Option C is not a control. Option A is not how SQL works. Option D makes DB administration impossible. Source: Check Source
Question #3 - Access Control and Database Vault
A compliance auditor wants to block the DROP TABLE command on any object inside the sensitive HR realm unless approved by a separate security officer.
Which Database Vault feature enforces this?
A) A text note to users not to drop tables.
B) Revoking DROP ANY TABLE from everyone including sys.
C) A command rule that restricts DROP TABLE within the HR realm to authorized grantees.
D) A before-statement trigger on every table in the database.
Show solution
Correct answers: C – Explanation:
Database Vault command rules restrict specific SQL commands based on conditions like realm membership and grantee — the designed control. Option B affects everything broadly. Option D has overhead and is fragile. Option A is no control. Source: Check Source
Question #4 - Encryption and Data Protection
A DBA needs to encrypt the entire TBS_HR tablespace so all data at rest is encrypted, and wants to control the key in Oracle Key Vault so keys can be rotated centrally.
Which Oracle configuration fits an employer-paid TDE tablespace encryption scenario with Key Vault-managed keys?
A) Disabling encryption and relying on disk-level encryption only.
B) TDE column encryption on every column of every table.
C) A manual hex dump of each datafile.
D) TDE tablespace encryption with the master key stored in Oracle Key Vault.
Show solution
Correct answers: D – Explanation:
TDE tablespace encryption encrypts all data in the tablespace transparently, and the master key can be managed in Oracle Key Vault for rotation and HSM-backed control. Option B is heavier and piecemeal. Option C is absurd. Option A leaves DB-level requirements unmet. Source: Check Source
Question #5 - Authentication, Privileges, and Roles
A DBA wants to enforce password policy: minimum 12 characters, mixed case, at least one number, password expiration 90 days, and 5 failed logins lock the account.
Which Oracle mechanism enforces these password rules?
A) A profile with PASSWORD_VERIFY_FUNCTION, PASSWORD_LIFE_TIME, and FAILED_LOGIN_ATTEMPTS parameters.
B) A system trigger on LOGON.
C) A desktop policy email to all users.
D) Disabling all password controls and relying on SSO only.
Show solution
Correct answers: A – Explanation:
Oracle profiles carry password complexity, lifetime, and lockout parameters, with PASSWORD_VERIFY_FUNCTION providing programmatic complexity checks — the standard mechanism. Option B runs too late. Option C is not enforcement. Option D ignores the requirement. Source: Check Source
Question #6 - Auditing, Masking, and Monitoring
A security officer wants to audit every SELECT on the PATIENT_RECORDS table by any user, with audit records stored centrally and protected from tampering.
Which Oracle feature fits tamper-evident SELECT auditing on a sensitive table?
A) Storing audit records in a user-accessible table.
B) Unified Auditing with an audit policy on SELECT of PATIENT_RECORDS, storing records in the secure audit trail.
C) A manual review of application logs.
D) Disabling auditing and relying on the DBA to remember.
Show solution
Correct answers: B – Explanation:
Unified Auditing with a policy on SELECT for the target table captures every access, stored in the tamper-evident audit trail — the designed mechanism. Options A, C, and D each fail the integrity requirement. Source: Check Source
Question #7 - Auditing, Masking, and Monitoring
A developer needs a development clone of a production database but the business forbids real customer PII in non-production environments.
Which Oracle capability produces a de-identified clone for dev/test?
A) A screenshot of selected tables emailed to devs.
B) Granting developers direct access to production.
C) Oracle Data Masking and Subsetting (Data Safe) generating a masked clone.
D) A direct RMAN clone without masking.
Show solution
Correct answers: C – Explanation:
Data Masking (via Data Safe) replaces sensitive values in non-production copies, preserving structure and referential integrity while removing PII — the designed pattern. Option D exposes PII. Option A is not realistic data. Option B is a direct violation. Source: Check Source
Question #8 - Access Control and Database Vault
A DBA must let application developers test SQL against a production-like copy without seeing real SSN values; the SSN column should appear as a fixed pattern like XXX-XX-1234 in query results.
Which Oracle feature dynamically masks SSN at query time?
A) A full database clone stored encrypted.
B) A view that drops the SSN column entirely.
C) Transparent Data Encryption on the column.
D) Oracle Data Redaction policies on the SSN column.
Show solution
Correct answers: D – Explanation:
Data Redaction redacts sensitive data at query time according to the defined policy, showing a pattern rather than the original value. Option C encrypts on disk, not at display. Option B removes the column entirely. Option A does not redact at display. Source: Check Source
Question #9 - Encryption and Data Protection
A security engineer wants network-level encryption between the application server and the Oracle Database so SQL traffic is encrypted in flight without TLS/SSL certificate management.
Which Oracle Database feature fits dynamic display masking of SSN at query time?
A) Oracle Native Network Encryption configured in sqlnet.ora for client and server.
B) Disabling network access to the database.
C) Relying on the data center’s physical security.
D) Encrypting only the TDE wallet on disk.
Show solution
Correct answers: A – Explanation:
Native Network Encryption encrypts Oracle Net traffic without requiring TLS certificates, configured via sqlnet.ora — the simplest fit. Option C is not encryption in flight. Option B breaks apps. Option D is at-rest encryption. Source: Check Source
Question #10 - Authentication, Privileges, and Roles
An application connects as a single APP_USER account, but the business wants the Oracle database to know the real end-user identity for auditing and row-level security.
Which Oracle feature surfaces the end-user identity through a shared connection?
A) Sharing the APP_USER password with every end user.
B) Making each end user a DBA.
C) Proxy authentication (CONNECT THROUGH) so the end user’s identity is passed through the APP_USER connection.
D) Logging only the APP_USER identity for all actions.
Show solution
Correct answers: C – Explanation:
Proxy authentication lets sessions be established on behalf of a real user through a proxy account, preserving the end-user identity for audit and VPD. Option A is a security violation. Option B is grossly over-privileged. Option D loses audit clarity. Source: Check Source
Get 700+ more questions with source-linked explanations
Every answer traces to the exact Oracle documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated April 19, 2026
Learn more...
What the 1Z0 116 DB Security Admin exam measures
- Authentication, privileges, and roles (30%) — provision users, tune password profiles, configure proxy authentication, and build secure application roles that enforce least privilege.
- Access control and Database Vault (25%) — design realms, command rules, and factors that enforce separation of duties without blocking legitimate work.
- Encryption and data protection (20%) — deploy Transparent Data Encryption at the tablespace and column level, enable Network Data Encryption, and manage keys with Oracle Key Vault.
- Auditing, masking, and monitoring (25%) — author Unified Auditing and Fine-Grained Auditing policies, apply Data Redaction and Data Masking, and register the database with Oracle Data Safe.
How to prepare for this exam
- Review the official 1Z0-116 exam page and note every objective.
- Complete the Oracle University Oracle Database Security learning path on MyLearn.
- In a lab 19c or 23ai database, enable Database Vault, protect an HR realm, enable TDE on a tablespace, and author a Unified Auditing policy that captures DDL on sensitive schemas.
- Apply the skills on real work: register a dev database with Data Safe, rotate a TDE key on a staging system, or refactor a role hierarchy for least privilege.
- Master one objective at a time, starting with authentication, privileges, and roles since it carries the most weight.
- Run PowerKram learn mode to see feedback after every question with sourced links back to Oracle documentation.
- Finish with PowerKram exam mode across all objectives until you pass three back-to-back full-length attempts.
Career paths and salary outlook
Database security credentials open specialized, well-paid roles:
- Database Security Engineer — $120,000–$165,000 (Glassdoor).
- Information Security Analyst — $95,000–$135,000 (U.S. Bureau of Labor Statistics).
- Senior Oracle DBA (Security) — $125,000–$170,000 (PayScale).
Official resources
Follow the Oracle Database Security Administrator Learning Path on Oracle MyLearn. Supplement with the Oracle Database Security Guide and the Oracle Database Vault Administrator’s Guide.