12 Database Vault Operations Control

Oracle Database Vault operations control prevents common users from accessing application data in a pluggable database.

Oracle Database Vault operations control, abbreviated to ops control, was introduced in Oracle Database 19c. Ops control allows you to separate your container users (e.g., SYS, SYSTEM, and C## users) from the customer or application data stored in Oracle Multitenant pluggable databases (PDBs).

Ops control is configured from the container database (CDB$ROOT) and, when enabled, is enforced on all PDBs associated with the CDB. Ops control can be selectively disabled by exempting specific container users or exempting specific PDBs. However, when a user is exempt from ops control, that user can use its privileges to access data in the PDB. When a PDB has been exempted, any common user with the appropriate privileges can use those privileges to access data in the PDB.

12.1 Configuring and Enabling Operations Control

Oracle Database Vault must be configured and enabled on the container database or application container root to enable operations control.

Prerequisites

  • Configure and enable Oracle Database Vault on the container root database.

    Follow the steps from Configuring and Enabling Database Vault in the CDB Root, to configure and enable Database Vault.

  • Ensure you have a PDB database user who can perform administrative actions in your pluggable database. Administrative actions include, but are not limited to, the following:
    • GRANT, REVOKE CREATE SESSION, or CONNECT role
    • GRANT or REVOKE the DBA role
    • CREATE, ALTER USER, or DROP USER system privileges
    • CREATE, ALTER, or DROP TABLESPACE system privileges
    • Using the DATAPUMP_EXP_FULL_DATABASE or DATAPUMP_IMP_FULL_DATABASE roles
    • Using the GATHER_SYSTEM_STATISTICS role
    • Using the SELECT_CATALOG_ROLE role

    Note:

    Once you enable operations control, SYS and SYSTEM are considered common database users and cannot perform CREATE, ALTER USER, or DROP USER operations in a PDB. It is important to have your database users, and their privileges, configured prior to enabling operations control.

Enable Operations Control

From the container root, you run the following procedure as a user with the DV_OWNER role:

exec dbms_macadm.enable_app_protection;

Once the command has been successfully completed, operations control is configured and enabled in the container and pluggable databases.

Alternatively, to enable ops control in an individual pluggable database, run the following procedure as a user with the DV_OWNER role:

exec dbms_macadm.enable_app_protection('<pdb_name>');

There is no database restart required to enable operations control.

12.2 Exempt a Container User from Oracle Database Vault Operations Control

Container users can be exempt from operations control and use their privileges to access data in pluggable databases.

To exempt a specific container user from operations control, run the following command as a user with the DV_OWNER, or DV_ADMIN role in the CDB root:

exec DBMS_MACADM.ADD_APP_EXCEPTION ('C##COMMON_USER','%');

The above command will allow the common user to use its privileges in all pluggable databases associated with the container database.

Note:

Actions taken by exempt users automatically generate audit records for every action that would have been prevented by operations control. This is a mandatory audit and cannot be disabled.

To identify users who have been exempted from operations control, run the following command as a user with the DV_OWNER or DV_ADMIN role:

select * from DBA_DV_APP_EXCEPTION;

12.3 Disable Exempt Access for a Container User

To disable a common user from being exempt from operations control, run the DELETE_APP_EXCEPTION procedure.

As a user with the DV_OWNER or DV_ADMIN role, run the following command in the CDB root to remove a common user from the exempt list:

exec DBMS_MACADM.DELETE_APP_EXCEPTION ('C##COMMON_USER','%');

To identify users who are still exempt from operations control, run the following command as a user with the DV_OWNER or DV_ADMIN role:

select * from DBA_DV_APP_EXCEPTION;

12.4 Disable Operations Control for a Specific Pluggable Database

Operations control can be disabled for a specific PDB.

Disabling operations control for a specific PDB requires you to run the following command as a user with the DV_OWNER role from the container database:

exec dbms_macadm.disable_app_protection('<pdb_name>');

To check the status of operations control, run the following command as SYSDBA from the container database:

select * from cdb_dv_status order by con_id;

12.5 Disable Database Vault Operations Control

To disable operations control for all pluggable databases run the DISABLE_APP_PROTECTION procedure.

As a user with the DV_OWNER role, run the following command from the container:

exec dbms_macadm.disable_app_protection;

As the SYSDBA user, run the following command from the container.

select * from cdb_dv_status order by con_id;

To verify ops control is disabled, the column DV_APP_PROTECTION should show FALSE.
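
The status and exemption checks from sections 12.2 through 12.5 can be combined into one review run from the CDB root. The following is an added example, not part of the Oracle documentation; it assumes CDB_DV_STATUS exposes CON_ID, NAME and STATUS columns, that DV_ENABLE_STATUS is reported alongside DV_APP_PROTECTION, and that DBA_DV_APP_EXCEPTION exposes OWNER and PACKAGE columns.

```sql
-- Added example: operations control review from CDB$ROOT.
-- Assumed column names: CDB_DV_STATUS(CON_ID, NAME, STATUS),
-- DBA_DV_APP_EXCEPTION(OWNER, PACKAGE).

-- 1. Run as SYSDBA. One row per container, with the Database Vault and
--    operations control status side by side. The LEFT JOIN keeps
--    containers that return no status rows (for example a closed PDB),
--    which a plain query on CDB_DV_STATUS leaves out without notice.
SELECT c.con_id,
       c.name      AS container_name,
       c.open_mode,
       MAX(CASE WHEN s.name = 'DV_ENABLE_STATUS'  THEN s.status END) AS dv_enable_status,
       MAX(CASE WHEN s.name = 'DV_APP_PROTECTION' THEN s.status END) AS dv_app_protection
FROM   v$containers c
       LEFT JOIN cdb_dv_status s
              ON s.con_id = c.con_id
GROUP  BY c.con_id, c.name, c.open_mode
ORDER  BY c.con_id;

-- 2. Run as a user with the DV_OWNER or DV_ADMIN role. Lists every
--    exemption, with '%' entries (the form used with ADD_APP_EXCEPTION
--    above) first, so each one can be reviewed individually.
SELECT e.owner,
       e.package
FROM   dba_dv_app_exception e
ORDER  BY CASE WHEN e.package = '%' THEN 0 ELSE 1 END,
          e.owner,
          e.package;
```

A container whose status columns come back NULL has not reported its state; open it and check again rather than treating it as protected.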

12.6 DBA Operations in an Operations Control Environment

Database administrator operations in an operations control environment are minimally affected.

12.6.1 Operations on a Pluggable Database

Actions that affect the pluggable database but not the application data are generally acceptable in an operations control environment.

For example, you can perform the following on a database that has operations control enabled:

  • Open or close a PDB
  • Clone an existing PDB to the same container database
  • Unplug a PDB
  • Plug in an unplugged PDB
  • Gather optimizer statistics on application objects
  • Perform a Data Pump export of metadata associated with application objects

Note:

If you attempt to plug in a PDB protected by operations control into a CDB without Database Vault enabled, you will receive plug-in violations. You must configure and enable Database Vault, and operations control, on the receiving CDB before plugging in a PDB protected by operations control.

12.6.2 Using Database Vault Roles and Database Accounts in Pluggable Databases

Common Database Vault roles and database accounts cannot be used to manage Database Vault in pluggable databases.

You must create local accounts and grant them the appropriate roles and privileges.

For example, you cannot use C##DVACCTMGR to create users in a PDB:

connect c##dvacctmgr@pdb1
create user testuser identified by Oracle123;
*
ERROR at line 1:
ORA-01031: insufficient privileges

If Database Vault is not enabled in the PDB, there is no reason to use DV-related roles or users in the PDB. Instead, use a PDB database user who has been granted the appropriate system or object privileges. For example:

connect dba_debra@pdb1
create user testuser identified by Oracle123;
User created.

12.6.3 Performing DDL Operations

Data Definition Language (DDL) operations by common users in Oracle Database Vault operations control are limited to schemas owned and maintained by Oracle.

DDL on PDB-specific objects (such as HR tables) is limited to PDB database users with the appropriate privileges. For example, running the command below as a C##, SYS, or SYSTEM user causes an ORA-01031 insufficient privileges error:

ALTER TABLE HR.EMPLOYEES ADD NEW_COLUMN VARCHAR2(20);

Instead, perform the action as a PDB database user having the appropriate privilege.

connect dba_debra@pdb1
ALTER TABLE HR.EMPLOYEES ADD NEW_COLUMN VARCHAR2(20);

12.6.4 Using Oracle Database Vault with Oracle Enterprise Manager

Oracle Database Vault operations control allows Oracle Enterprise Manager Cloud Control tasks to be performed as expected. Actions against pluggable databases should be performed using PDB database accounts. Do not use SYS, SYSTEM, or other common (C##) accounts when operations control is enabled on the PDB.

12.6.5 RMAN Operations with Database Vault Operations Control

Oracle Database Vault operations control supports RMAN full restore or duplicate. However, it does not support RMAN operations involving the recovery of individual objects. Oracle Database Vault cannot determine who is changing an object or why the change is occurring, so it protects the object with operations control.

To restore or recover an individual object (e.g., a table in the HR schema), you must perform a manual recovery of this object. You will instantiate a clone of the database to the point in time you wish to recover the object, perform a Data Pump export of the object, using the schema account or a user local to the PDB, and perform a Data Pump import of the object, again using the schema account or a user local to the PDB.

12.6.6 Data Pump Operations on a Pluggable Database Protected by Operations Control

Common users can only perform Oracle Data Pump metadata exports of PDB-specific data.

Oracle recommends using a PDB database user to perform Oracle Data Pump export or import operations of PDB-specific objects.

For example, this command will be successful because it uses a common user (SYSTEM) to export only the metadata from the HR schema:

expdp system@pdb1 content=metadata_only directory=DATA_PUMP_DIR schemas=HR dumpfile=hr_metadata.dmp logfile=hr_metadata.log

However, the following command will not be successful because it uses a common user (SYSTEM) to export both metadata and actual data from the HR schema:

expdp system@pdb1 content=all directory=DATA_PUMP_DIR schemas=HR dumpfile=hr_all.dmp logfile=hr_all.log

12.6.7 Database Scheduler Jobs on a PDB Protected by Operations Control

Oracle Database scheduler jobs can be managed by common users on common user objects but not by common users on local PDB user objects.

You must use a local PDB user with the appropriate privileges to manage Oracle Database scheduler jobs on PDB-specific objects.

12.6.8 Oracle Proxy Authentication on a PDB Protected by Operations Control

Within a PDB, Oracle Database proxy authentication is not affected by operations control. However, as a common user, you cannot proxy to a local account. For example, this is allowed by operations control:

connect dba_debra[hr]@pdb1

However, this is not allowed by operations control:

connect c##common_user[hr]@pdb1

12.6.9 Oracle GoldenGate on a PDB Protected by Operations Control

Oracle GoldenGate can be used when a pluggable database is protected by operations control.

Oracle Database Vault operations control can be used together with Oracle GoldenGate.

From the container database, run the following role grants and authorizations as a user with the DV_OWNER role:

GRANT DV_STREAMS_ADMIN to c##ggadmin container=all;
GRANT DV_XSTREAM_ADMIN to c##ggadmin container=all;
GRANT DV_GOLDENGATE_ADMIN TO c##ggadmin container=all;
GRANT DV_GOLDENGATE_REDO_ACCESS TO c##ggadmin container=all;
EXEC DBMS_MACADM.AUTHORIZE_DDL('SYS', 'SYSTEM');
EXEC DBMS_MACADM.AUTHORIZE_DDL('SYS', '%');

Oracle GoldenGate administrators in a PDB should be a local database user because operations control does not affect local users within the pluggable database.