Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
Changes in This Release for Oracle Database Vault Administrator's Guide
Changes in Oracle Database Vault 12c Release 2 (12.2.0.1)
New Features
Ability to Create Oracle Database Vault Policies
Ability to Configure Simulation Mode Protection
Privilege Analysis Enhancements
Ability to Create Common Realms and Common Command Rules for Oracle Multitenant
ALTER SESSION, ALTER SYSTEM, and CONNECT Command Rule Enhancements
Enhancements for the Authentication_Method Default Factor
Changed Default Value for SQL92_SECURITY Parameter
Oracle Database Vault Support for Flashback Technology and ILM
Support for Rolling Upgrades for Data Guard Logical Standby Databases
Deprecated Features
Deprecated Rules and Rule Sets
Deprecated UTL_FILE_DIR Parameter
1 Introduction to Oracle Database Vault
What Is Oracle Database Vault?
About Oracle Database Vault
Controls for Privileged Accounts
Controls for Database Configuration
Enterprise Applications Protection Policies
Run-time Privilege Analysis for Users and Applications
What Privileges Do You Need to Use Oracle Database Vault?
Components of Oracle Database Vault
Oracle Database Vault Access Control Components
Oracle Enterprise Manager Cloud Control Database Vault Administrator Pages
Oracle Database Vault DVSYS and DVF Schemas
Oracle Database Vault PL/SQL Interfaces and Packages
Oracle Database Vault Reporting and Monitoring Tools
How Oracle Database Vault Addresses Compliance Regulations
How Oracle Database Vault Protects Privileged User Accounts
How Oracle Database Vault Allows for Flexible Security Policies
How Oracle Database Vault Addresses Database Consolidation Concerns
How Oracle Database Vault Works in a Multitenant Environment
2 What to Expect After You Enable Oracle Database Vault
Initialization and Password Parameter Settings That Change
How Oracle Database Vault Restricts User Authorizations
New Database Roles to Enforce Separation of Duties
Privileges That Are Revoked from Existing Users and Roles
Privileges That Are Prevented for Existing Users and Roles
Modified AUDIT Statement Settings for a Non-Unified Audit Environment
3 Getting Started with Oracle Database Vault
Manually Installing Oracle Database Vault in a Multitenant Environment
Registering Oracle Database Vault with an Oracle Database
About Registering Oracle Database Vault with an Oracle Database
Registering Database Vault in a Non-Multitenant Environment
Registering Database Vault with Common Users to Manage the CDB Root
Registering Database Vault Common Users to Manage Specific PDBs
Plugging in a Database That Has Database Vault Enabled
Verifying That Database Vault Is Configured and Enabled
Logging into Oracle Database Vault
Quick Start Tutorial: Securing a Schema from DBA Access
About This Tutorial
Step 1: Log On as SYSTEM to Access the HR Schema
Step 2: Create a Realm
Step 3: Create the SEBASTIAN User Account
Step 4: Have User SEBASTIAN Test the Realm
Step 5: Create an Authorization for the Realm
Step 6: Test the Realm
Step 7: If Unified Auditing Is Not Enabled, Then Run a Report
Step 8: Remove the Components for This Tutorial
4 Performing Privilege Analysis to Find Privilege Use
What Is Privilege Analysis?
About Privilege Analysis
How Privilege Analysis Works with Pre-Compiled Database Objects
Who Can Perform Privilege Analysis?
Types of Privilege Analysis
Benefits and Use Cases of Privilege Analysis
Unnecessarily Granted Privileges of Applications
Development of Secure Applications
How Does a Multitenant Environment Affect Privilege Analysis?
Creating and Managing Privilege Analysis Policies
About Creating and Managing Privilege Analysis Policies
General Steps for Managing Privilege Analysis
Creating a Privilege Analysis Policy
About Creating a Privilege Analysis Policy
Creating a Privilege Analysis Policy in Enterprise Manager Cloud Control
Creating a Privilege Analysis Policy Using DBMS_PRIVILEGE_CAPTURE
Examples of Privilege Analysis Policies
Example: Privilege Analysis of Database-Wide Privileges
Example: Privilege Analysis of Privilege Usage of Two Roles
Example: Privilege Analysis of Privileges During SQL*Plus Use
Example: Privilege Analysis of PSMITH Privileges During SQL*Plus Access
Enabling a Privilege Analysis Policy
About Enabling a Privilege Analysis Policy
Enabling a Privilege Analysis Policy Using Cloud Control
Enabling a Privilege Analysis Policy Using DBMS_PRIVILEGE_CAPTURE
Disabling a Privilege Analysis Policy
About Disabling a Privilege Analysis Policy
Disabling a Privilege Analysis Policy Using Cloud Control
Disabling a Privilege Analysis Policy Using DBMS_PRIVILEGE_CAPTURE
Generating a Privilege Analysis Report
About Generating a Privilege Analysis Report
Generating a Privilege Analysis Report Using Cloud Control
Accessing Privilege Analysis Reports Using Cloud Control
Generating a Privilege Analysis Report Using DBMS_PRIVILEGE_CAPTURE
Dropping a Privilege Analysis Policy
About Dropping a Privilege Analysis Policy
Dropping a Privilege Analysis Policy Using Cloud Control
Dropping a Privilege Analysis Policy Using the DBMS_PRIVILEGE_CAPTURE Package
Creating Roles and Managing Privileges Using Cloud Control
Creating a Role from a Privilege Analysis Report in Cloud Control
Revoking and Regranting Roles and Privileges Using Cloud Control
Generating a Revoke or Regrant Script Using Cloud Control
About Generating Revoke and Regrant Scripts
Generating a Revoke Script
Generating a Regrant Script
Tutorial: Using Capture Runs to Analyze ANY Privilege Use
Step 1: Create User Accounts
Step 2: Create and Enable a Privilege Analysis Policy
Step 3: Use the READ ANY TABLE System Privilege
Step 4: Disable the Privilege Analysis Policy
Step 5: Generate and View a Privilege Analysis Report
Step 6: Create a Second Capture Run
Step 7: Remove the Components for This Tutorial
Tutorial: Analyzing Privilege Use by a User Who Has the DBA Role
Step 1: Create User Accounts
Step 2: Create and Enable a Privilege Analysis Policy
Step 3: Perform the Database Tuning Operations
Step 4: Disable the Privilege Analysis Policy
Step 5: Generate and View Privilege Analysis Reports
Step 6: Remove the Components for This Tutorial
Privilege Analysis Policy and Report Data Dictionary Views
5 Configuring Realms
What Are Realms?
About Realms
Mandatory Realms to Restrict User Access to Objects within a Realm
Realms in a Multitenant Environment
Object Types That Realms Can Protect
Default Realms
Oracle Database Vault Realm
Database Vault Account Management Realm
Oracle Enterprise Manager Realm
Oracle Default Schema Protection Realm
Oracle System Privilege and Role Management Realm
Oracle Default Component Protection Realm
Creating a Realm
About Realm-Secured Objects
About Realm Authorization
Realm Authorizations in a Multitenant Environment
Modifying the Enablement Status of a Realm
Deleting a Realm
How Realms Work
How Authorizations Work in a Realm
About Authorizations in a Realm
Examples of Realm Authorizations
Example: Unauthorized User Trying to Create a Table
Example: Unauthorized User Trying to Use the DELETE ANY TABLE Privilege
Example: Authorized User Performing DELETE Operation
Access to Objects That Are Protected by a Realm
Example of How Realms Work
How Realms Affect Other Oracle Database Vault Components
Guidelines for Designing Realms
How Realms Affect Performance
Realm Related Reports and Data Dictionary Views
6 Configuring Rule Sets
What Are Rule Sets?
Rule Sets and Rules in a Multitenant Environment
Default Rule Sets
Creating a Rule Set
Creating a Rule to Add to a Rule Set
About Creating Rules
Default Rules
Creating a New Rule
Adding Existing Rules to a Rule Set
Removing a Rule from a Rule Set
Removing Rule Set References to Oracle Database Vault Components
Deleting a Rule Set
How Rule Sets Work
How Oracle Database Vault Evaluates Rules
Nested Rules within a Rule Set
Creating Rules to Apply to Everyone Except One User
Tutorial: Creating an Email Alert for Security Violations
About This Tutorial
Step 1: Install and Configure the UTL_MAIL PL/SQL Package
Step 2: Create an Email Security Alert PL/SQL Procedure
Step 3: Configure an Access Control List File for Network Services
Step 4: Create a Rule Set and a Command Rule to Use the Email Security Alert
Step 5: Test the Email Security Alert
Step 6: Remove the Components for This Tutorial
Tutorial: Configuring Two-Person Integrity, or Dual Key Security
About This Tutorial
Step 1: Create Users for This Tutorial
Step 2: Create a Function to Check if User patch_boss Is Logged In
Step 3: Create Rules, a Rule Set, and a Command Rule to Control User Access
Step 4: Test the Users' Access
Step 5: Remove the Components for This Tutorial
Guidelines for Designing Rule Sets
How Rule Sets Affect Performance
Rule Set and Rule Related Reports and Data Dictionary Views
7 Configuring Command Rules
What Are Command Rules?
About Command Rules
Command Rules in a Multitenant Environment
Types of Command Rules
CONNECT Command Rule
ALTER SESSION and ALTER SYSTEM Command Rules
Default Command Rules
SQL Statements That Can Be Protected by Command Rules
Creating a Command Rule
Modifying the Enablement Status of a Command Rule
Deleting a Command Rule
How Command Rules Work
Tutorial: Using a Command Rule to Control Table Creations by a User
Step 1: Create a Table
Step 2: Create a Command Rule
Step 3: Test the Command Rule
Step 4: Remove the Components for this Tutorial
Guidelines for Designing Command Rules
How Command Rules Affect Performance
Command Rule Related Reports and Data Dictionary View
8 Configuring Factors
What Are Factors?
Default Factors
Creating a Factor
Accessing the Create Factors Page
Completing the General Page for Factor Creation
Configurations Page for Factor Creation
Setting the Factor Identification Information
How Factor Identities Work
Setting the Evaluation Information for a Factor
Setting the Oracle Label Security Labeling Information for a Factor
Setting the Retrieval Method for a Factor
How Retrieval Methods Work
Setting the Validation Method for a Factor
Options Page of Factor Creation
Assigning a Rule Set to a Factor
Setting Error Options for a Factor
Setting Audit Options for a Factor
How Factor Auditing Works
Adding an Identity to a Factor
About Factor Identities
About Trust Levels
About Label Identities
Creating and Configuring a Factor Identity
Deleting a Factor Identity
Using Identity Mapping to Configure an Identity to Use Other Factors
About Identity Mapping
Mapping an Identity to a Factor
Deleting a Factor
How Factors Work
How Factors Are Processed When a Session Is Established
How Factors Are Retrieved
How Factors Are Set
Tutorial: Preventing Ad Hoc Tool Access to the Database
About This Tutorial
Step 1: Enable the HR and OE User Accounts
Step 2: Create the Factor
Step 3: Create the Rule Set and Rules
Step 4: Create the CONNECT Command Rule
Step 5: Test the Ad Hoc Tool Access Restriction
Step 6: Remove the Components for This Tutorial
Tutorial: Restricting User Activities Based on Session Data
About This Tutorial
Step 1: Create an Administrative User
Step 2: Add Identities to the Domain Factor
Step 3: Map the Domain Factor Identities to the Client_IP Factor
Step 4: Create a Rule Set to Set the Hours and Select the Factor Identity
Step 5: Create a Command Rule That Uses the Rule Set
Step 6: Test the Factor Identity Settings
Step 7: Remove the Components for This Tutorial
Guidelines for Designing Factors
How Factors Affect Performance
Factor Related Reports and Data Dictionary Views
9 Configuring Secure Application Roles for Oracle Database Vault
What Are Secure Application Roles in Oracle Database Vault?
Creating an Oracle Database Vault Secure Application Role
Modifications to a Secure Application Role
Security for Oracle Database Vault Secure Application Roles
Deleting an Oracle Database Vault Secure Application Role
How Oracle Database Vault Secure Application Roles Work
Tutorial: Granting Access with Database Vault Secure Application Roles
About This Tutorial
Step 1: Create Users for This Tutorial
Step 2: Enable the OE User Account
Step 3: Create the Rule Set and Its Rules
Step 4: Create the Database Vault Secure Application Role
Step 5: Grant the SELECT Privilege to the Secure Application Role
Step 6: Test the Database Vault Secure Application Role
Step 7: Remove the Components for This Tutorial
How Secure Application Roles Affect Performance
Secure Application Role Related Reports and Data Dictionary View
10 Configuring Oracle Database Vault Policies
What Are Database Vault Policies?
About Oracle Database Vault Policies
Oracle Database Vault Policies in a Multitenant Environment
Default Oracle Database Vault Policies
Creating an Oracle Database Policy
Modifying an Oracle Database Vault Policy
Deleting an Oracle Database Vault Policy
Related Data Dictionary Views
11 Using Simulation Mode for Logging Realm and Command Rule Activities
About Simulation Mode
Simulation Mode Use Cases
Tutorial: Tracking Violations to a Realm Using Simulation Mode
About This Tutorial
Step 1: Create Users for This Tutorial
Step 2: Create a Realm and an Oracle Database Vault Policy
Step 3: Test the Realm and Policy
Step 4: Query the DBA_DV_SIMULATION_LOG View for Violations
Step 5: Enable and Re-test the Realm
Step 6: Remove the Components for This Tutorial
12 Integrating Oracle Database Vault with Other Oracle Products
Integrating Oracle Database Vault with Enterprise User Security
About Integrating Oracle Database Vault with Enterprise User Security
Configuring an Enterprise User Authorization
Configuring Oracle Database Vault Accounts as Enterprise User Accounts
Integration of Oracle Database Vault with Transparent Data Encryption
Attaching Factors to an Oracle Virtual Private Database
Integrating Oracle Database Vault with Oracle Label Security
How Oracle Database Vault Is Integrated with Oracle Label Security
Requirements for Using Oracle Database Vault with Oracle Label Security
Using Oracle Database Vault Factors with Oracle Label Security Policies
About Using Oracle Database Vault Factors with Oracle Label Security Policies
Configuring Factors to Work with an Oracle Label Security Policy
Tutorial: Integrating Oracle Database Vault with Oracle Label Security
About This Tutorial
Step 1: Create Users for This Tutorial
Step 2: Create the Oracle Label Security Policy
Step 3: Create Oracle Database Vault Rules to Control the OLS Authorization
Step 4: Update the ALTER SYSTEM Command Rule to Use the Rule Set
Step 5: Test the Authorizations
Step 6: Remove the Components for This Tutorial
Related Reports and Data Dictionary Views
Integrating Oracle Database Vault with Oracle Data Guard
Step 1: Configure the Primary Database
Step 2: Configure the Standby Database
Registering Oracle Internet Directory Using Oracle Database Configuration Assistant
13 DBA Operations in an Oracle Database Vault Environment
Using Oracle Database Vault with Oracle Enterprise Manager
Propagating Oracle Database Vault Configurations to Other Databases
Enterprise Manager Cloud Control Alerts for Oracle Database Vault Policies
Oracle Database Vault-Specific Reports in Enterprise Manager Cloud Control
Changing the DBSNMP Account Password in a Database Vault Environment
Using Oracle Data Pump with Oracle Database Vault
About Using Oracle Data Pump with Oracle Database Vault
Authorizing Users for Data Pump Regular Export and Import Operations
About Authorizing Users for Oracle Data Pump Regular Operations
Levels of Database Vault Authorization for Oracle Data Pump Regular Operations
Authorizing Users for Oracle Data Pump Regular Operations in Database Vault
Revoking Oracle Data Pump Authorization from Users
Authorizing Users for Data Pump Transportable Export and Import Operations
About Authorizing Users for Oracle Data Pump Transportable Operations
Levels of Database Vault Authorization for Data Pump Transportable Operations
Authorizing Users for Data Pump Transportable Operations in Database Vault
Revoking Transportable Tablespace Authorization from Users
Guidelines for Exporting or Importing Data in a Database Vault Environment
Using Oracle Scheduler with Oracle Database Vault
About Using Oracle Scheduler with Oracle Database Vault
Granting a Job Scheduling Administrator Authorization for Database Vault
Revoking Authorization from Job Scheduling Administrators
Using Information Lifecycle Management with Oracle Database Vault
About Using Information Lifecycle Management with Oracle Database Vault
Authorizing Users for ILM Operations in Database Vault
Revoking Information Lifecycle Management Authorization from Users
Oracle Recovery Manager and Oracle Database Vault
Privileges for Using Oracle Streams with Oracle Database Vault
Privileges for Using XStream with Oracle Database Vault
Privileges for Using Oracle GoldenGate with Oracle Database Vault
Using Data Masking in an Oracle Database Vault Environment
About Data Masking in an Oracle Database Vault Enabled Database
Adding Data Masking Users to the Data Dictionary Realm Authorizations
Giving Users Access to Tables or Schemas That They Want to Mask
Creating a Command Rule to Control Data Masking Privileges
Plugging a Database Vault-Enabled PDB to a CDB
Using the ORADEBUG Utility with Oracle Database Vault
14 Oracle Database Vault Schemas, Roles, and Accounts
Oracle Database Vault Schemas
DVSYS Schema
DVF Schema
Oracle Database Vault Roles
About Oracle Database Vault Roles
Privileges of Oracle Database Vault Roles
Granting Oracle Database Vault Roles to Users
DV_OWNER Database Vault Owner Role
DV_ADMIN Database Vault Configuration Administrator Role
DV_MONITOR Database Vault Monitoring Role
DV_SECANALYST Database Vault Security Analyst Role
DV_AUDIT_CLEANUP Audit Trail Cleanup Role
DV_DATAPUMP_NETWORK_LINK Data Pump Network Link Role
DV_STREAMS_ADMIN Oracle Streams Configuration Role
DV_XSTREAM_ADMIN XStream Administrative Role
DV_GOLDENGATE_ADMIN GoldenGate Administrative Role
DV_GOLDENGATE_REDO_ACCESS GoldenGate Redo Log Role
DV_PATCH_ADMIN Database Vault Database Patch Role
DV_ACCTMGR Database Vault Account Manager Role
DV_REALM_OWNER Database Vault Realm DBA Role
DV_REALM_RESOURCE Database Vault Application Resource Owner Role
DV_POLICY_OWNER Database Vault Owner Role
DV_PUBLIC Database Vault PUBLIC Role
Oracle Database Vault Accounts Created During Registration
Backup Oracle Database Vault Accounts
15 Oracle Database Vault Realm APIs
ADD_AUTH_TO_REALM Procedure
ADD_OBJECT_TO_REALM Procedure
CREATE_REALM Procedure
DELETE_AUTH_FROM_REALM Procedure
DELETE_OBJECT_FROM_REALM Procedure
DELETE_REALM Procedure
DELETE_REALM_CASCADE Procedure
RENAME_REALM Procedure
UPDATE_REALM Procedure
UPDATE_REALM_AUTH Procedure
16 Oracle Database Vault Rule Set APIs
DBMS_MACADM Rule Set Procedures
ADD_RULE_TO_RULE_SET Procedure
CREATE_RULE Procedure
CREATE_RULE_SET Procedure
DELETE_RULE Procedure
DELETE_RULE_FROM_RULE_SET Procedure
DELETE_RULE_SET Procedure
RENAME_RULE Procedure
RENAME_RULE_SET Procedure
UPDATE_RULE Procedure
UPDATE_RULE_SET Procedure
Oracle Database Vault PL/SQL Rule Set Functions
DV_SYSEVENT Function
DV_LOGIN_USER Function
DV_INSTANCE_NUM Function
DV_DATABASE_NAME Function
DV_DICT_OBJ_TYPE Function
DV_DICT_OBJ_OWNER Function
DV_DICT_OBJ_NAME Function
DV_SQL_TEXT Function
17 Oracle Database Vault Command Rule APIs
CREATE_COMMAND_RULE Procedure
CREATE_CONNECT_COMMAND_RULE Procedure
CREATE_SESSION_EVENT_CMD_RULE Procedure
CREATE_SYSTEM_EVENT_CMD_RULE Procedure
DELETE_COMMAND_RULE Procedure
DELETE_CONNECT_COMMAND_RULE Procedure
DELETE_SESSION_EVENT_CMD_RULE Procedure
DELETE_SYSTEM_EVENT_CMD_RULE Procedure
UPDATE_COMMAND_RULE Procedure
UPDATE_CONNECT_COMMAND_RULE Procedure
UPDATE_SESSION_EVENT_CMD_RULE Procedure
UPDATE_SYSTEM_EVENT_CMD_RULE Procedure
18 Oracle Database Vault Factor APIs
DBMS_MACADM Factor Procedures and Functions
ADD_FACTOR_LINK Procedure
ADD_POLICY_FACTOR Procedure
CHANGE_IDENTITY_FACTOR Procedure
CHANGE_IDENTITY_VALUE Procedure
CREATE_DOMAIN_IDENTITY Procedure
CREATE_FACTOR Procedure
CREATE_FACTOR_TYPE Procedure
CREATE_IDENTITY_MAP Procedure
CREATE_IDENTITY Procedure
DELETE_FACTOR Procedure
DELETE_FACTOR_LINK Procedure
DELETE_IDENTITY Procedure
DELETE_FACTOR_TYPE Procedure
DELETE_IDENTITY_MAP Procedure
DROP_DOMAIN_IDENTITY Procedure
GET_SESSION_INFO Function
GET_INSTANCE_INFO Function
RENAME_FACTOR Procedure
RENAME_FACTOR_TYPE Procedure
UPDATE_FACTOR Procedure
UPDATE_FACTOR_TYPE Procedure
UPDATE_IDENTITY Procedure
Oracle Database Vault Run-Time PL/SQL Procedures and Functions
About Oracle Database Vault Run-Time PL/SQL Procedures and Functions
SET_FACTOR Procedure
GET_FACTOR Function
GET_FACTOR_LABEL Function
GET_TRUST_LEVEL Function
GET_TRUST_LEVEL_FOR_IDENTITY Function
ROLE_IS_ENABLED Function
Oracle Database Vault DVF PL/SQL Factor Functions
About Oracle Database Vault DVF PL/SQL Factor Functions
F$AUTHENTICATION_METHOD Function
F$CLIENT_IP Function
F$DATABASE_DOMAIN Function
F$DATABASE_HOSTNAME Function
F$DATABASE_INSTANCE Function
F$DATABASE_IP Function
F$DATABASE_NAME Function
F$DOMAIN Function
F$ENTERPRISE_IDENTITY Function
F$IDENTIFICATION_TYPE Function
F$LANG Function
F$LANGUAGE Function
F$MACHINE Function
F$NETWORK_PROTOCOL Function
F$PROXY_ENTERPRISE_IDENTITY Function
F$SESSION_USER Function
19 Oracle Database Vault Secure Application Role APIs
DBMS_MACADM Secure Application Role Procedures
ASSIGN_ROLE Procedure
CREATE_ROLE Procedure
DELETE_ROLE Procedure
RENAME_ROLE Procedure
UPDATE_ROLE Procedure
UNASSIGN_ROLE Procedure
DBMS_MACSEC_ROLES Secure Application Role Procedure and Function
CAN_SET_ROLE Function
SET_ROLE Procedure
20 Oracle Database Vault Oracle Label Security APIs
CREATE_MAC_POLICY Procedure
CREATE_POLICY_LABEL Procedure
DELETE_MAC_POLICY_CASCADE Procedure
DELETE_POLICY_FACTOR Procedure
DELETE_POLICY_LABEL Procedure
UPDATE_MAC_POLICY Procedure
21 Oracle Database Vault Utility APIs
DBMS_MACUTL Constants
DBMS_MACUTL Listing of Constants
Example: Creating a Realm Using DBMS_MACUTL Constants
Example: Creating a Rule Set Using DBMS_MACUTL Constants
Example: Creating a Factor Using DBMS_MACUTL Constants
DBMS_MACUTL Package Procedures and Functions
CHECK_DVSYS_DML_ALLOWED Procedure
GET_CODE_VALUE Function
GET_SECOND Function
GET_MINUTE Function
GET_HOUR Function
GET_DAY Function
GET_MONTH Function
GET_YEAR Function
IS_ALPHA Function
IS_DIGIT Function
IS_DVSYS_OWNER Function
IS_OLS_INSTALLED Function
IS_OLS_INSTALLED_VARCHAR Function
USER_HAS_OBJECT_PRIVILEGE Function
USER_HAS_ROLE Function
USER_HAS_ROLE_VARCHAR Function
USER_HAS_SYSTEM_PRIVILEGE Function
22 Oracle Database Vault General Administrative APIs
DBMS_MACADM General System Maintenance Procedures
ADD_NLS_DATA Procedure
AUTHORIZE_DATAPUMP_USER Procedure
AUTHORIZE_DDL Procedure
AUTHORIZE_MAINTENANCE_USER Procedure
AUTHORIZE_PROXY_USER Procedure
AUTHORIZE_SCHEDULER_USER Procedure
AUTHORIZE_TTS_USER Procedure
UNAUTHORIZE_DATAPUMP_USER Procedure
UNAUTHORIZE_DDL Procedure
UNAUTHORIZE_MAINTENANCE_USER Procedure
UNAUTHORIZE_PROXY_USER Procedure
UNAUTHORIZE_SCHEDULER_USER Procedure
UNAUTHORIZE_TTS_USER Procedure
DISABLE_DV Procedure
DISABLE_DV_DICTIONARY_ACCTS Procedure
DISABLE_DV_PATCH_ADMIN_AUDIT Procedure
DISABLE_ORADEBUG Procedure
ENABLE_DV Procedure
ENABLE_DV_PATCH_ADMIN_AUDIT Procedure
ENABLE_DV_DICTIONARY_ACCTS Procedure
ENABLE_ORADEBUG Procedure
CONFIGURE_DV General System Maintenance Procedure
23 Oracle Database Vault Policy APIs
ADD_CMD_RULE_TO_POLICY Procedure
ADD_OWNER_TO_POLICY Procedure
ADD_REALM_TO_POLICY Procedure
CREATE_POLICY Procedure
DELETE_CMD_RULE_FROM_POLICY Procedure
DELETE_OWNER_FROM_POLICY Procedure
DELETE_REALM_FROM_POLICY Procedure
DROP_POLICY Procedure
RENAME_POLICY Procedure
UPDATE_POLICY_DESCRIPTION Procedure
UPDATE_POLICY_STATE Procedure
24 Oracle Database Vault API Reference
DBMS_MACADM PL/SQL Package Contents
DBMS_MACSEC_ROLES PL/SQL Package Contents
DBMS_MACUTL PL/SQL Package Contents
CONFIGURE_DV PL/SQL Procedure
DVF PL/SQL Interface Contents
25 Oracle Database Vault Data Dictionary Views
About the Oracle Database Vault Data Dictionary Views
CDB_DV_STATUS View
DBA_DV_CODE View
DBA_DV_COMMAND_RULE View
DBA_DV_DATAPUMP_AUTH View
DBA_DV_DDL_AUTH View
DBA_DV_DICTIONARY_ACCTS View
DBA_DV_FACTOR View
DBA_DV_FACTOR_TYPE View
DBA_DV_FACTOR_LINK View
DBA_DV_IDENTITY View
DBA_DV_IDENTITY_MAP View
DBA_DV_JOB_AUTH View
DBA_DV_MAC_POLICY View
DBA_DV_MAC_POLICY_FACTOR View
DBA_DV_MAINTENANCE_AUTH View
DBA_DV_ORADEBUG View
DBA_DV_PATCH_ADMIN_AUDIT View
DBA_DV_POLICY View
DBA_DV_POLICY_LABEL View
DBA_DV_POLICY_OBJECT View
DBA_DV_POLICY_OWNER View
DBA_DV_PROXY_AUTH View
DBA_DV_PUB_PRIVS View
DBA_DV_REALM View
DBA_DV_REALM_AUTH View
DBA_DV_REALM_OBJECT View
DBA_DV_ROLE View
DBA_DV_RULE View
DBA_DV_RULE_SET View
DBA_DV_RULE_SET_RULE View
DBA_DV_STATUS View
DBA_DV_SIMULATION_LOG View
DBA_DV_TTS_AUTH View
DBA_DV_USER_PRIVS View
DBA_DV_USER_PRIVS_ALL View
DVSYS.DV$CONFIGURATION_AUDIT View
DVSYS.DV$ENFORCEMENT_AUDIT View
DVSYS.DV$REALM View
DVSYS.POLICY_OWNER_COMMAND_RULE View
DVSYS.POLICY_OWNER_POLICY View
DVSYS.POLICY_OWNER_REALM View
DVSYS.POLICY_OWNER_REALM_AUTH View
DVSYS.POLICY_OWNER_REALM_OBJECT View
DVSYS.POLICY_OWNER_RULE View
DVSYS.POLICY_OWNER_RULE_SET View
DVSYS.POLICY_OWNER_RULE_SET_RULE View
SYS.DV$CONFIGURATION_AUDIT View
SYS.DV$ENFORCEMENT_AUDIT View
26 Monitoring Oracle Database Vault
About Monitoring Oracle Database Vault
Monitoring Security Violations and Configuration Changes
27 Oracle Database Vault Reports
About the Oracle Database Vault Reports
Who Can Run the Oracle Database Vault Reports?
Running the Oracle Database Vault Reports
Oracle Database Vault Configuration Issues Reports
Command Rule Configuration Issues Report
Rule Set Configuration Issues Report
Realm Authorization Configuration Issues Report
Factor Configuration Issues Report
Factor Without Identities Report
Identity Configuration Issues Report
Secure Application Configuration Issues Report
Oracle Database Vault Auditing Reports
Realm Audit Report
Command Rule Audit Report
Factor Audit Report
Label Security Integration Audit Report
Core Database Vault Audit Trail Report
Secure Application Role Audit Report
Oracle Database Vault General Security Reports
Object Privilege Reports
Object Access By PUBLIC Report
Object Access Not By PUBLIC Report
Direct Object Privileges Report
Object Dependencies Report
Database Account System Privileges Reports
Direct System Privileges By Database Account Report
Direct and Indirect System Privileges By Database Account Report
Hierarchical System Privileges by Database Account Report
ANY System Privileges for Database Accounts Report
System Privileges By Privilege Report
Sensitive Objects Reports
Execute Privileges to Strong SYS Packages Report
Access to Sensitive Objects Report
Public Execute Privilege To SYS PL/SQL Procedures Report
Accounts with SYSDBA/SYSOPER Privilege Report
Privilege Management - Summary Reports
Privileges Distribution By Grantee Report
Privileges Distribution By Grantee, Owner Report
Privileges Distribution By Grantee, Owner, Privilege Report
Powerful Database Accounts and Roles Reports
WITH ADMIN Privilege Grants Report
Accounts With DBA Roles Report
Security Policy Exemption Report
BECOME USER Report
ALTER SYSTEM or ALTER SESSION Report
Password History Access Report
WITH GRANT Privileges Report
Roles/Accounts That Have a Given Role Report
Database Accounts With Catalog Roles Report
AUDIT Privileges Report
OS Security Vulnerability Privileges Report
Initialization Parameters and Profiles Reports
Security Related Database Parameters Report
Resource Profiles Report
System Resource Limits Report
Database Account Password Reports
Database Account Default Password Report
Database Account Status Report
Security Audit Report: Core Database Audit Report
Other Security Vulnerability Reports
Java Policy Grants Report
OS Directory Objects Report
Objects Dependent on Dynamic SQL Report
Unwrapped PL/SQL Package Bodies Report
Username/Password Tables Report
Tablespace Quotas Report
Non-Owner Object Trigger Report
A Auditing Oracle Database Vault
About Auditing in Oracle Database Vault
Protection of the Unified Audit Trail in an Oracle Database Vault Environment
Oracle Database Vault Specific Audit Events
Oracle Database Vault Policy Audit Events
Oracle Database Vault Audit Trail Record Format
Archiving and Purging the Oracle Database Vault Audit Trail
About Archiving and Purging the Oracle Database Vault Audit Trail
Archiving the Oracle Database Vault Audit Trail
Purging the Oracle Database Vault Audit Trail
Oracle Database Audit Settings Created for Oracle Database Vault
B Disabling and Enabling Oracle Database Vault
When You Must Disable Oracle Database Vault
Step 1: Disable Oracle Database Vault
Step 2: Perform the Required Tasks
Step 3: Enable Oracle Database Vault
C Postinstallation Oracle Database Vault Procedures
Configuring Oracle Database Vault on Oracle RAC Nodes
Adding Languages to Oracle Database Vault
Deinstalling Oracle Database Vault
Reinstalling Oracle Database Vault
D Oracle Database Vault Security Guidelines
Separation of Duty Guidelines
How Oracle Database Vault Handles Separation of Duty
Separation of Tasks in an Oracle Database Vault Environment
Separation of Duty Matrix for Oracle Database Vault
Identification and Documentation of the Tasks of Database Users
Managing Oracle Database Administrative Accounts
SYSTEM User Account for General Administrative Uses
SYSTEM Schema for Application Tables
Limitation of the SYSDBA Administrative Privilege
Root and Operating System Access to Oracle Database Vault
Accounts and Roles Trusted by Oracle Database Vault
Accounts and Roles That Should be Limited to Trusted Individuals
Management of Users with Root Access to the Operating System
Management of the Oracle Software Owner
Management of SYSDBA Access
Management of SYSOPER Access
Guidelines for Using Oracle Database Vault in a Production Environment
Secure Configuration Guidelines
General Secure Configuration Guidelines
UTL_FILE and DBMS_FILE_TRANSFER Package Security Considerations
About Security Considerations for the UTL_FILE and DBMS_FILE_TRANSFER Packages
Securing Access to the DBMS_FILE_TRANSFER Package
Example: Creating a Command Rule to Deny Access to CREATE DATABASE LINK
Example: Creating a Command Rule to Enable Access to CREATE DATABASE LINK
Example: Command Rules to Disable and Enable Access to CREATE DIRECTORY
CREATE ANY JOB Privilege Security Considerations
CREATE EXTERNAL JOB Privilege Security Considerations
LogMiner Package Security Considerations
ALTER SYSTEM and ALTER SESSION Privilege Security Considerations
About ALTER SYSTEM and ALTER SESSION Privilege Security Considerations
Example: Adding Rules to the Existing ALTER SYSTEM Command Rule
E Troubleshooting Oracle Database Vault
Using Trace Files to Diagnose Oracle Database Vault Events
About Using Trace Files to Diagnose Oracle Database Vault Events
Types of Oracle Database Vault Trace Events That You Can and Cannot Track
Levels of Oracle Database Vault Trace Events
Performance Effect of Enabling Oracle Database Vault Trace Files
Enabling Oracle Database Vault Trace Events
Enabling Trace Events for the Current Database Session
Enabling Trace Events for All Database Sessions
Management of Trace Events in a Multitenant Environment
Finding Oracle Database Vault Trace File Data
Finding the Database Vault Trace File Directory Location
Using the Linux grep Command to Search Trace Files for Strings
Using the ADR Command Interpreter (ADRCI) Utility to Query Trace Files
Example: Low Level Oracle Database Vault Realm Violations in a Trace File
Example: High Level Trace Enabled for Oracle Database Vault Authorization
Example: Highest Level Traces on Violations on Realm-Protected Objects
Disabling Oracle Database Vault Trace Events
Disabling Trace Events for the Current Database Session
Disabling Trace Events for All Database Sessions
Disabling Trace Events in a Multitenant Environment
General Diagnostic Tips
Configuration Problems with Oracle Database Vault Components
Resetting Oracle Database Vault Account Passwords
Resetting the DV_OWNER User Password
Resetting the DV_ACCTMGR User Password
Index