Table of Contents
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Database Vault Administrator's Guide
- 1 Introduction to Oracle Database Vault
- 1.1 What Is Oracle Database Vault?
- 1.2 What Privileges Do You Need to Use Oracle Database Vault?
- 1.3 Components of Oracle Database Vault
- 1.3.1 Oracle Database Vault Access Control Components
- 1.3.2 Oracle Database Vault DVSYS and DVF Schemas
- 1.3.3 Oracle Database Vault PL/SQL Interfaces and Packages
- 1.3.4 Oracle Database Vault Reporting and Monitoring Tools
- 1.3.5 Oracle Enterprise Manager Cloud Control Database Vault Administrator Pages
- 1.4 How Oracle Database Vault Addresses Compliance Regulations
- 1.5 How Oracle Database Vault Protects Privileged User Accounts
- 1.6 How Oracle Database Vault Allows for Flexible Security Policies
- 1.7 How Oracle Database Vault Addresses Database Consolidation Concerns
- 1.8 How Oracle Database Vault Works in a Multitenant Environment
- 1.8.1 About How Oracle Database Vault Works in a Multitenant Environment
- 1.8.2 Oracle Database Vault Configured and Enabled in One or More PDBs
- 1.8.3 Operations Control Enabled in the CDB without Enabling Oracle Database Vault in a PDB
- 1.8.4 Oracle Database Vault and Oracle Operations Control Enabled Together
- 1.8.5 Oracle Database Vault in Regular or Strict Mode in a Multitenant Environment
- 1.8.6 Oracle Database Vault Common Objects in a Multitenant Environment
- 1.8.7 Oracle Database Vault in an Application Containers Environment
- 2 What to Expect After You Enable Oracle Database Vault
- 2.1 Initialization and Password Parameter Settings That Change
- 2.2 How Oracle Database Vault Restricts User Authorizations
- 2.3 Oracle Database Vault-Specific Database Roles to Enforce Separation of Duties
- 2.4 Privileges That Are Revoked from Existing Users and Roles
- 2.5 Privileges That Are Prevented for Existing Users and Roles
- 3 Getting Started with Oracle Database Vault
- 3.1 About Configuring and Enabling Oracle Database Vault in Oracle Database
- 3.2 Configuring and Enabling Oracle Database Vault
- 3.2.1 About Configuring and Enabling Database Vault
- 3.2.2 Configuring and Enabling Database Vault in the CDB Root
- 3.2.3 Configuring and Enabling Database Vault Common Users to Manage Specific PDBs
- 3.2.4 Configuring and Enabling Database Vault Local Users to Manage Specific PDBs
- 3.2.5 Configuring and Enabling Oracle Database Vault in an Oracle Real Application Clusters Environment
- 3.2.6 Creating a Profile to Protect the DV_OWNER and DV_ACCTMGR Users
- 3.2.7 Manually Installing Oracle Database Vault
- 3.3 Verifying That Database Vault Is Configured and Enabled
- 3.4 Logging in to Oracle Database Vault from Oracle Enterprise Cloud Control
- 3.5 Quick Start Tutorial: Securing a Schema from DBA Access
- 3.5.1 About This Tutorial
- 3.5.2 Step 1: Log On as SYSTEM to Access the HR Schema
- 3.5.3 Step 2: Create a Realm
- 3.5.4 Step 3: Create a Unified Audit Policy for Realm Violations
- 3.5.5 Step 4: Create the SEBASTIAN User Account
- 3.5.6 Step 5: Have User SEBASTIAN Test the Realm
- 3.5.7 Step 6: Create an Authorization for the Realm
- 3.5.8 Step 7: Test the Realm
- 3.5.9 Step 8: View Audit Records from Realm Violations
- 3.5.10 Step 9: Remove the Components for This Tutorial
- 4 Configuring Realms
- 4.1 What Are Realms?
- 4.2 Default Realms
- 4.2.1 Oracle Database Vault Realm
- 4.2.2 Database Vault Account Management Realm
- 4.2.3 Oracle Enterprise Manager Realm
- 4.2.4 Oracle Default Schema Protection Realm
- 4.2.5 Oracle System Privilege and Role Management Realm
- 4.2.6 Oracle Default Component Protection Realm
- 4.2.7 Oracle Label Security Realm
- 4.2.8 Oracle GoldenGate Protection Realm
- 4.2.9 Oracle Audit Realm
- 4.3 Creating a Realm
- 4.4 Modifying a Realm
- 4.5 Deleting a Realm
- 4.6 About Realm-Secured Objects
- 4.7 About Realm Authorization
- 4.8 Realm Authorizations in a Multitenant Environment
- 4.9 How Realms Work
- 4.10 How Authorizations Work in a Realm
- 4.11 Access to Objects That Are Protected by a Realm
- 4.12 Example of How Realms Work
- 4.13 How Realms Affect Other Oracle Database Vault Components
- 4.14 Guidelines for Designing Realms
- 4.15 How Realms Affect Performance
- 4.16 Realm Related Reports and Data Dictionary Views
- 5 Configuring Rule Sets
- 5.1 What Are Rule Sets?
- 5.2 Rule Sets and Rules in a Multitenant Environment
- 5.3 Default Rule Sets
- 5.4 Creating a Rule Set
- 5.5 Creating a Rule to Add to a Rule Set
- 5.6 Modifying a Rule Set
- 5.7 Deleting a Rule Set
- 5.8 How Rule Sets Work
- 5.9 Tutorial: Configuring Two-Person Integrity, or Dual Key Security
- 5.9.1 About This Tutorial
- 5.9.2 Step 1: Create Users for This Tutorial
- 5.9.3 Step 2: Create a Function to Check if User patch_boss Is Logged In
- 5.9.4 Step 3: Create Rules, a Rule Set, and a Command Rule to Control User Access
- 5.9.5 Step 4: Test the Users' Access
- 5.9.6 Step 5: Remove the Components for This Tutorial
- 5.10 Guidelines for Designing Rule Sets
- 5.11 How Rule Sets Affect Performance
- 5.12 Default Rules and Rule Sets from Releases Earlier Than Release 12.2
- 5.13 Rule Set and Rule Related Reports and Data Dictionary Views
- 6 Configuring Command Rules
- 6.1 What Are Command Rules?
- 6.2 Default Command Rules
- 6.3 SQL Statements That Can Be Protected by Command Rules
- 6.4 Creating a Command Rule
- 6.5 Modifying a Command Rule
- 6.6 Deleting a Command Rule
- 6.7 How Command Rules Work
- 6.8 Tutorial: Using a Command Rule to Control Table Creations by a User
- 6.9 Guidelines for Designing Command Rules
- 6.10 How Command Rules Affect Performance
- 6.11 Command Rule Related Reports and Data Dictionary View
- 7 Configuring Factors
- 7.1 What Are Factors?
- 7.2 Default Factors
- 7.3 Creating a Factor
- 7.4 Adding an Identity to a Factor
- 7.4.1 About Factor Identities
- 7.4.2 How Factor Identities Work
- 7.4.3 About Trust Levels
- 7.4.4 About Label Identities
- 7.4.5 Creating and Configuring a Factor Identity
- 7.4.6 Using Identity Mapping to Configure an Identity to Use Other Factors
- 7.4.7 Modifying a Factor Identity
- 7.4.8 Deleting a Factor Identity
- 7.5 Modifying a Factor
- 7.6 Deleting a Factor
- 7.7 How Factors Work
- 7.8 Tutorial: Preventing Ad Hoc Tool Access to the Database
- 7.9 Guidelines for Designing Factors
- 7.10 How Factors Affect Performance
- 7.11 Factor Related Reports and Data Dictionary Views
- 8 Configuring Secure Application Roles for Oracle Database Vault
- 8.1 What Are Secure Application Roles in Oracle Database Vault?
- 8.2 Security for Oracle Database Vault Secure Application Roles
- 8.3 Creating an Oracle Database Vault Secure Application Role
- 8.4 Enabling Oracle Database Secure Application Roles to Work with Oracle Database Vault
- 8.5 Modifying a Secure Application Role
- 8.6 Deleting an Oracle Database Vault Secure Application Role
- 8.7 How Oracle Database Vault Secure Application Roles Work
- 8.8 Tutorial: Granting Access with Database Vault Secure Application Roles
- 8.8.1 About This Tutorial
- 8.8.2 Step 1: Create Users for This Tutorial
- 8.8.3 Step 2: Enable the OE User Account
- 8.8.4 Step 3: Create the Rule Set and Its Rules
- 8.8.5 Step 4: Create the Database Vault Secure Application Role
- 8.8.6 Step 5: Grant the SELECT Privilege to the Secure Application Role
- 8.8.7 Step 6: Test the Database Vault Secure Application Role
- 8.8.8 Step 7: Remove the Components for This Tutorial
- 8.9 How Secure Application Roles Affect Performance
- 8.10 Secure Application Role Related Reports and Data Dictionary View
- 9 Configuring Oracle Database Vault Policies
- 10 Using Simulation Mode for Logging Realm and Command Rule Activities
- 10.1 About Simulation Mode
- 10.2 Simulation Mode Use Cases
- 10.3 Logging Realms in Simulation Mode
- 10.3.1 Considerations When Logging Realms in Simulation Mode
- 10.3.2 Use Case: All New Realms in Simulation Mode
- 10.3.3 Use Case: New Realms Introduced to Existing Realms
- 10.3.4 Use Case: Testing the Addition of New Objects in a Realm
- 10.3.5 Use Case: Testing the Removal of Objects from a Realm
- 10.3.6 Use Case: Testing the Addition of an Authorized User to a Realm
- 10.3.7 Use Case: Testing the Removal of an Authorized User from a Realm
- 10.3.8 Use Case: Testing New Factors with Realms
- 10.3.9 Use Case: Testing Changes to an Existing Command Rule
- 10.4 Tutorial: Tracking Violations to a Realm Using Simulation Mode
- 10.4.1 About This Tutorial
- 10.4.2 Step 1: Create Users for This Tutorial
- 10.4.3 Step 2: Create a Realm and an Oracle Database Vault Policy
- 10.4.4 Step 3: Test the Realm and Policy
- 10.4.5 Step 4: Query the DBA_DV_SIMULATION_LOG View for Violations
- 10.4.6 Step 5: Enable and Re-test the Realm
- 10.4.7 Step 6: Remove the Components for This Tutorial
- 11 Integrating Oracle Database Vault with Other Oracle Products
- 11.1 Integrating Oracle Database Vault with Transparent Data Encryption
- 11.2 Integrating Oracle Database Vault with Oracle Label Security
- 11.2.1 How Oracle Database Vault Is Integrated with Oracle Label Security
- 11.2.2 Requirements for Using Oracle Database Vault with Oracle Label Security
- 11.2.3 Using Oracle Database Vault Factors with Oracle Label Security Policies
- 11.2.4 Tutorial: Integrating Oracle Database Vault with Oracle Label Security
- 11.2.4.1 About This Tutorial
- 11.2.4.2 Step 1: Create Users for This Tutorial
- 11.2.4.3 Step 2: Create the Oracle Label Security Policy
- 11.2.4.4 Step 3: Create Oracle Database Vault Rules to Control the OLS Authorization
- 11.2.4.5 Step 4: Update the ALTER SYSTEM Command Rule to Use the Rule Set
- 11.2.4.6 Step 5: Test the Authorizations
- 11.2.4.7 Step 6: Remove the Components for This Tutorial
- 11.2.5 Related Reports and Data Dictionary Views
- 11.3 Integrating Oracle Database Vault with Oracle Data Guard
- 11.4 Configuring Oracle Internet Directory Using Oracle Database Configuration Assistant
- 11.5 Integrating Oracle Database Vault with Enterprise User Security
- 11.6 Integrating Oracle Database Vault with Oracle APEX
- 11.6.1 About Integrating Oracle Database Vault with Oracle APEX
- 11.6.2 Installing or Upgrading Oracle APEX with Oracle Database Vault Enabled
- 11.6.3 Authorizing the Oracle APEX Schema for Oracle Database Vault Activities
- 11.6.4 Authorizing Oracle APEX to Use Oracle Scheduler
- 11.6.5 Authorizing Oracle APEX to Perform DDL Tasks
- 11.6.6 Authorizing Oracle APEX to Perform Information Lifecycle Maintenance Tasks
- 11.6.7 Authorizing Oracle APEX to Proxy Users for Oracle Rest Data Services
- 11.6.8 Oracle APEX and Application Objects Protected by Oracle Database Vault
- 11.6.9 Troubleshooting the Oracle APEX and Database Vault Integration
- 12 Database Vault Operations Control
- 12.1 Configuring and Enabling Operations Control
- 12.2 Exempt a Container User from Oracle Database Vault Operations Control
- 12.3 Disable Exempt Access for a Container User
- 12.4 Disable Operations Control for a Specific Pluggable Database
- 12.5 Disable Database Vault Operations Control
- 12.6 DBA Operations in an Operations Control Environment
- 12.6.1 Operations on a Pluggable Database
- 12.6.2 Using Database Vault Roles and Database Accounts in Pluggable Databases
- 12.6.3 Performing DDL Operations
- 12.6.4 Using Oracle Database Vault with Oracle Enterprise Manager
- 12.6.5 RMAN Operations with Database Vault Operations Control
- 12.6.6 Data Pump Operations on a Pluggable Database Protected by Operations Control
- 12.6.7 Database Scheduler Jobs on a PDB Protected by Operations Control
- 12.6.8 Oracle Proxy Authentication on a PDB Protected by Operations Control
- 12.6.9 Oracle GoldenGate on a PDB Protected by Operations Control
- 13 DBA Operations in an Oracle Database Vault Environment
- 13.1 Handling Role Grants in Oracle Database Vault
- 13.2 Performing DDL Operations in Oracle Database Vault
- 13.3 Using Oracle SQL Firewall with Oracle Database Vault
- 13.4 Using Oracle Database Vault with Oracle Enterprise Manager
- 13.5 Using Oracle Data Pump with Oracle Database Vault
- 13.5.1 About Using Oracle Data Pump with Oracle Database Vault
- 13.5.2 Authorizing Users or Roles for Data Pump Regular Export and Import Operations
- 13.5.2.1 About Authorizing Users or Roles for Oracle Data Pump Regular Operations
- 13.5.2.2 Levels of Database Vault Authorization for Oracle Data Pump Regular Operations
- 13.5.2.3 Authorizing Users or Roles for Oracle Data Pump Regular Operations in Database Vault
- 13.5.2.4 Revoking Oracle Data Pump Authorization from Users or Roles
- 13.5.3 Authorizing Users or Roles for Data Pump Transportable Export and Import Operations
- 13.5.3.1 About Authorizing Users for Oracle Data Pump Transportable Operations
- 13.5.3.2 Levels of Database Vault Authorization for Data Pump Transportable Operations
- 13.5.3.3 Authorizing Users or Roles for Data Pump Transportable Operations in Database Vault
- 13.5.3.4 Revoking Transportable Tablespace Authorization from Users or Roles
- 13.5.4 Guidelines for Exporting or Importing Data in a Database Vault Environment
- 13.6 Using Oracle Scheduler with Oracle Database Vault
- 13.7 Using Information Lifecycle Management with Oracle Database Vault
- 13.8 Using Oracle Database Replay with Oracle Database Vault
- 13.9 Running Preprocessor Programs with Oracle Database Vault
- 13.10 Using Database Vault Operations Control to Restrict Multitenant Common User Access to Local PDB Data
- 13.10.1 About Using Database Vault Operations Control
- 13.10.2 How the Addition of Common Users and Packages to an Exception List Works
- 13.10.3 Enabling Database Vault Operations Control
- 13.10.4 Adding Common Users and Packages to an Exception List
- 13.10.5 Deleting Common Users and Packages from an Exception List
- 13.10.6 Disabling Database Vault Operations Control
- 13.11 Preventing Multitenant Local Users from Blocking Common Operations
- 13.12 Oracle Recovery Manager and Oracle Database Vault
- 13.13 Privileges for Using XStream with Oracle Database Vault
- 13.14 Privileges for Using Oracle GoldenGate with Oracle Database Vault
- 13.15 Using Data Masking in an Oracle Database Vault Environment
- 13.16 Using Oracle Database Auditing with Oracle Database Vault
- 13.17 Converting a Standalone Oracle Database to a PDB and Plugging It into a CDB
- 13.18 Using the ORADEBUG Utility with Oracle Database Vault
- 13.19 Performing Patch Operations in an Oracle Database Vault Environment
- 14 Oracle Database Vault Schemas, Roles, and Accounts
- 14.1 Oracle Database Vault Schemas
- 14.2 Oracle Database Vault Roles
- 14.2.1 About Oracle Database Vault Roles
- 14.2.2 Privileges of Oracle Database Vault Roles
- 14.2.3 Granting Oracle Database Vault Roles to Users
- 14.2.4 DV_ACCTMGR Database Vault Account Manager Role
- 14.2.5 DV_ADMIN Database Vault Configuration Administrator Role
- 14.2.6 DV_AUDIT_CLEANUP Audit Trail Cleanup Role
- 14.2.7 DV_DATAPUMP_NETWORK_LINK Data Pump Network Link Role
- 14.2.8 DV_GOLDENGATE_ADMIN GoldenGate Administrative Role
- 14.2.9 DV_GOLDENGATE_REDO_ACCESS GoldenGate Redo Log Role
- 14.2.10 DV_MONITOR Database Vault Monitoring Role
- 14.2.11 DV_OWNER Database Vault Owner Role
- 14.2.12 DV_PATCH_ADMIN Database Vault Database Patch Role
- 14.2.13 DV_POLICY_OWNER Database Vault Owner Role
- 14.2.14 DV_SECANALYST Database Vault Security Analyst Role
- 14.2.15 DV_XSTREAM_ADMIN XStream Administrative Role
- 14.3 Oracle Database Vault Accounts Created During Registration
- 14.4 Backup Oracle Database Vault Accounts
- 15 Oracle Database Vault Realm APIs
- 15.1 ADD_AUTH_TO_REALM Procedure
- 15.2 ADD_OBJECT_TO_REALM Procedure
- 15.3 CREATE_REALM Procedure
- 15.4 DELETE_AUTH_FROM_REALM Procedure
- 15.5 DELETE_OBJECT_FROM_REALM Procedure
- 15.6 DELETE_REALM Procedure
- 15.7 DELETE_REALM_CASCADE Procedure
- 15.8 RENAME_REALM Procedure
- 15.9 UPDATE_REALM Procedure
- 15.10 UPDATE_REALM_AUTH Procedure
- 16 Oracle Database Vault Rule Set APIs
- 16.1 DBMS_MACADM Rule Set Procedures
- 16.1.1 ADD_RULE_TO_RULE_SET Procedure
- 16.1.2 CREATE_RULE Procedure
- 16.1.3 CREATE_RULE_SET Procedure
- 16.1.4 DELETE_RULE Procedure
- 16.1.5 DELETE_RULE_FROM_RULE_SET Procedure
- 16.1.6 DELETE_RULE_SET Procedure
- 16.1.7 RENAME_RULE Procedure
- 16.1.8 RENAME_RULE_SET Procedure
- 16.1.9 UPDATE_RULE Procedure
- 16.1.10 UPDATE_RULE_SET Procedure
- 16.2 Oracle Database Vault PL/SQL Rule Set Functions
- 17 Oracle Database Vault Command Rule APIs
- 17.1 CREATE_COMMAND_RULE Procedure
- 17.2 CREATE_CONNECT_COMMAND_RULE Procedure
- 17.3 CREATE_SESSION_EVENT_CMD_RULE Procedure
- 17.4 CREATE_SYSTEM_EVENT_CMD_RULE Procedure
- 17.5 DELETE_COMMAND_RULE Procedure
- 17.6 DELETE_CONNECT_COMMAND_RULE Procedure
- 17.7 DELETE_SESSION_EVENT_CMD_RULE Procedure
- 17.8 DELETE_SYSTEM_EVENT_CMD_RULE Procedure
- 17.9 UPDATE_COMMAND_RULE Procedure
- 17.10 UPDATE_CONNECT_COMMAND_RULE Procedure
- 17.11 UPDATE_SESSION_EVENT_CMD_RULE Procedure
- 17.12 UPDATE_SYSTEM_EVENT_CMD_RULE Procedure
- 18 Oracle Database Vault Factor APIs
- 18.1 DBMS_MACADM Factor Procedures and Functions
- 18.1.1 ADD_FACTOR_LINK Procedure
- 18.1.2 ADD_POLICY_FACTOR Procedure
- 18.1.3 CHANGE_IDENTITY_FACTOR Procedure
- 18.1.4 CHANGE_IDENTITY_VALUE Procedure
- 18.1.5 CREATE_DOMAIN_IDENTITY Procedure
- 18.1.6 CREATE_FACTOR Procedure
- 18.1.7 CREATE_FACTOR_TYPE Procedure
- 18.1.8 CREATE_IDENTITY Procedure
- 18.1.9 CREATE_IDENTITY_MAP Procedure
- 18.1.10 DELETE_FACTOR Procedure
- 18.1.11 DELETE_FACTOR_LINK Procedure
- 18.1.12 DELETE_FACTOR_TYPE Procedure
- 18.1.13 DELETE_IDENTITY Procedure
- 18.1.14 DELETE_IDENTITY_MAP Procedure
- 18.1.15 DROP_DOMAIN_IDENTITY Procedure
- 18.1.16 GET_SESSION_INFO Function
- 18.1.17 GET_INSTANCE_INFO Function
- 18.1.18 RENAME_FACTOR Procedure
- 18.1.19 RENAME_FACTOR_TYPE Procedure
- 18.1.20 UPDATE_FACTOR Procedure
- 18.1.21 UPDATE_FACTOR_TYPE Procedure
- 18.1.22 UPDATE_IDENTITY Procedure
- 18.2 Oracle Database Vault Run-Time PL/SQL Procedures and Functions
- 18.3 Oracle Database Vault DVF PL/SQL Factor Functions
- 18.3.1 About Oracle Database Vault DVF PL/SQL Factor Functions
- 18.3.2 F$AUTHENTICATION_METHOD Function
- 18.3.3 F$CLIENT_IP Function
- 18.3.4 F$DATABASE_DOMAIN Function
- 18.3.5 F$DATABASE_HOSTNAME Function
- 18.3.6 F$DATABASE_INSTANCE Function
- 18.3.7 F$DATABASE_IP Function
- 18.3.8 F$DATABASE_NAME Function
- 18.3.9 F$DOMAIN Function
- 18.3.10 F$DV$_CLIENT_IDENTIFIER Function
- 18.3.11 F$DV$_DBLINK_INFO Function
- 18.3.12 F$DV$_MODULE Function
- 18.3.13 F$ENTERPRISE_IDENTITY Function
- 18.3.14 F$IDENTIFICATION_TYPE Function
- 18.3.15 F$LANG Function
- 18.3.16 F$LANGUAGE Function
- 18.3.17 F$MACHINE Function
- 18.3.18 F$NETWORK_PROTOCOL Function
- 18.3.19 F$PROXY_ENTERPRISE_IDENTITY Function
- 18.3.20 F$PROXY_USER Function
- 18.3.21 F$SESSION_USER Function
- 19 Oracle Database Vault Secure Application Role APIs
- 20 Oracle Database Vault Oracle Label Security APIs
- 21 Oracle Database Vault Utility APIs
- 21.1 DBMS_MACUTL Constants
- 21.2 DBMS_MACUTL Package Procedures and Functions
- 21.2.1 CHECK_DVSYS_DML_ALLOWED Procedure
- 21.2.2 CONTAINS_HOST Function
- 21.2.3 GET_CODE_VALUE Function
- 21.2.4 GET_DV_TRACE_LEVEL Function
- 21.2.5 GET_SECOND Function
- 21.2.6 GET_MINUTE Function
- 21.2.7 GET_HOUR Function
- 21.2.8 GET_DAY Function
- 21.2.9 GET_MONTH Function
- 21.2.10 GET_TRACE_LEVEL Function
- 21.2.11 GET_YEAR Function
- 21.2.12 IS_ALPHA Function
- 21.2.13 IS_CLIENT_IP_CONTAINED Function
- 21.2.14 IS_DIGIT Function
- 21.2.15 IS_DVSYS_OWNER Function
- 21.2.16 IS_OLS_INSTALLED Function
- 21.2.17 IS_OLS_INSTALLED_VARCHAR Function
- 21.2.18 ROLE_GRANTED_ENABLED_VARCHAR Function
- 21.2.19 USER_HAS_OBJECT_PRIVILEGE Function
- 21.2.20 USER_HAS_ROLE Function
- 21.2.21 USER_HAS_ROLE_VARCHAR Function
- 21.2.22 USER_HAS_SYSTEM_PRIVILEGE Function
- 22 Oracle Database Vault General Administrative APIs
- 22.1 DBMS_MACADM General System Maintenance Procedures
- 22.1.1 ADD_APP_EXCEPTION Procedure
- 22.1.2 ADD_NLS_DATA Procedure
- 22.1.3 ALLOW_COMMON_OPERATION Procedure
- 22.1.4 AUTH_DATAPUMP_CREATE_USER Procedure
- 22.1.5 AUTH_DATAPUMP_GRANT Procedure
- 22.1.6 AUTH_DATAPUMP_GRANT_ROLE Procedure
- 22.1.7 AUTH_DATAPUMP_GRANT_SYSPRIV Procedure
- 22.1.8 AUTHORIZE_AUDIT_ADMIN Procedure
- 22.1.9 AUTHORIZE_AUDIT_VIEWER Procedure
- 22.1.10 AUTHORIZE_DATAPUMP_USER Procedure
- 22.1.11 AUTHORIZE_DBCAPTURE Procedure
- 22.1.12 AUTHORIZE_DBREPLAY Procedure
- 22.1.13 AUTHORIZE_DDL Procedure
- 22.1.14 AUTHORIZE_DIAGNOSTIC_ADMIN Procedure
- 22.1.15 AUTHORIZE_MAINTENANCE_USER Procedure
- 22.1.16 AUTHORIZE_PREPROCESSOR Procedure
- 22.1.17 AUTHORIZE_PROXY_USER Procedure
- 22.1.18 AUTHORIZE_SCHEDULER_USER Procedure
- 22.1.19 AUTHORIZE_SQL_FIREWALL Procedure
- 22.1.20 AUTHORIZE_TTS_USER Procedure
- 22.1.21 DELETE_APP_EXCEPTION Procedure
- 22.1.22 DISABLE_APP_PROTECTION Procedure
- 22.1.23 DISABLE_DV Procedure
- 22.1.24 DISABLE_DV_DICTIONARY_ACCTS Procedure
- 22.1.25 DISABLE_DV_PATCH_ADMIN_AUDIT Procedure
- 22.1.26 DISABLE_ORADEBUG Procedure
- 22.1.27 ENABLE_APP_PROTECTION Procedure
- 22.1.28 ENABLE_DV Procedure
- 22.1.29 ENABLE_DV_DICTIONARY_ACCTS Procedure
- 22.1.30 ENABLE_DV_PATCH_ADMIN_AUDIT Procedure
- 22.1.31 ENABLE_ORADEBUG Procedure
- 22.1.32 SET_DV_TRACE_LEVEL Procedure
- 22.1.33 UNAUTH_DATAPUMP_CREATE_USER Procedure
- 22.1.34 UNAUTH_DATAPUMP_GRANT Procedure
- 22.1.35 UNAUTH_DATAPUMP_GRANT_ROLE Procedure
- 22.1.36 UNAUTH_DATAPUMP_GRANT_SYSPRIV Procedure
- 22.1.37 UNAUTHORIZE_ADMIN_USER Procedure
- 22.1.38 UNAUTHORIZE_AUDIT_VIEWER Procedure
- 22.1.39 UNAUTHORIZE_DATAPUMP_USER Procedure
- 22.1.40 UNAUTHORIZE_DBCAPTURE Procedure
- 22.1.41 UNAUTHORIZE_DBREPLAY Procedure
- 22.1.42 UNAUTHORIZE_DDL Procedure
- 22.1.43 UNAUTHORIZE_DIAGNOSTIC_ADMIN Procedure
- 22.1.44 UNAUTHORIZE_MAINTENANCE_USER Procedure
- 22.1.45 UNAUTHORIZE_PREPROCESSOR Procedure
- 22.1.46 UNAUTHORIZE_PROXY_USER Procedure
- 22.1.47 UNAUTHORIZE_SCHEDULER_USER Procedure
- 22.1.48 UNAUTHORIZE_SQL_FIREWALL Procedure
- 22.1.49 UNAUTHORIZE_TTS_USER Procedure
- 22.2 CONFIGURE_DV General System Maintenance Procedure
- 23 Oracle Database Vault Policy APIs
- 23.1 ADD_CMD_RULE_TO_POLICY Procedure
- 23.2 ADD_OWNER_TO_POLICY Procedure
- 23.3 ADD_REALM_TO_POLICY Procedure
- 23.4 CREATE_POLICY Procedure
- 23.5 DELETE_CMD_RULE_FROM_POLICY Procedure
- 23.6 DELETE_OWNER_FROM_POLICY Procedure
- 23.7 DELETE_REALM_FROM_POLICY Procedure
- 23.8 DROP_POLICY Procedure
- 23.9 RENAME_POLICY Procedure
- 23.10 UPDATE_POLICY_DESCRIPTION Procedure
- 23.11 UPDATE_POLICY_STATE Procedure
- 24 Oracle Database Vault API Reference
- 25 Oracle Database Vault Data Dictionary Views
- 25.1 About the Oracle Database Vault Data Dictionary Views
- 25.2 CDB_DV_STATUS View
- 25.3 DBA_DV_APP_EXCEPTION View
- 25.4 DBA_DV_AUDIT_ADMIN_AUTH View
- 25.5 DBA_DV_AUDIT_VIEWER_AUTH View
- 25.6 DBA_DV_CODE View
- 25.7 DBA_DV_COMMAND_RULE View
- 25.8 DBA_DV_DATAPUMP_AUTH View
- 25.9 DBA_DV_DBCAPTURE_AUTH View
- 25.10 DBA_DV_DBREPLAY View
- 25.11 DBA_DV_DDL_AUTH View
- 25.12 DBA_DV_DICTIONARY_ACCTS View
- 25.13 DBA_DV_FACTOR View
- 25.14 DBA_DV_FACTOR_TYPE View
- 25.15 DBA_DV_FACTOR_LINK View
- 25.16 DBA_DV_IDENTITY View
- 25.17 DBA_DV_IDENTITY_MAP View
- 25.18 DBA_DV_JOB_AUTH View
- 25.19 DBA_DV_MAC_POLICY View
- 25.20 DBA_DV_MAC_POLICY_FACTOR View
- 25.21 DBA_DV_MAINTENANCE_AUTH View
- 25.22 DBA_DV_ORADEBUG View
- 25.23 DBA_DV_PATCH_ADMIN_AUDIT View
- 25.24 DBA_DV_POLICY View
- 25.25 DBA_DV_POLICY_LABEL View
- 25.26 DBA_DV_POLICY_OBJECT View
- 25.27 DBA_DV_POLICY_OWNER View
- 25.28 DBA_DV_PREPROCESSOR_AUTH View
- 25.29 DBA_DV_PROXY_AUTH View
- 25.30 DBA_DV_PUB_PRIVS View
- 25.31 DBA_DV_REALM View
- 25.32 DBA_DV_REALM_AUTH View
- 25.33 DBA_DV_REALM_OBJECT View
- 25.34 DBA_DV_ROLE View
- 25.35 DBA_DV_RULE View
- 25.36 DBA_DV_RULE_SET View
- 25.37 DBA_DV_RULE_SET_RULE View
- 25.38 DBA_DV_SIMULATION_LOG View
- 25.39 DBA_DV_STATUS or SYS.DBA_DV_STATUS View
- 25.40 DBA_DV_SQL_FIREWALL_AUTH View
- 25.41 DBA_DV_TTS_AUTH View
- 25.42 DBA_DV_USER_PRIVS View
- 25.43 DBA_DV_USER_PRIVS_ALL View
- 25.44 DVSYS.DV$CONFIGURATION_AUDIT View
- 25.45 DVSYS.DV$ENFORCEMENT_AUDIT View
- 25.46 DVSYS.DV$REALM View
- 25.47 DVSYS.DBA_DV_COMMON_OPERATION_STATUS View
- 25.48 DVSYS.POLICY_OWNER_COMMAND_RULE View
- 25.49 DVSYS.POLICY_OWNER_POLICY View
- 25.50 DVSYS.POLICY_OWNER_REALM View
- 25.51 DVSYS.POLICY_OWNER_REALM_AUTH View
- 25.52 DVSYS.POLICY_OWNER_REALM_OBJECT View
- 25.53 DVSYS.POLICY_OWNER_RULE View
- 25.54 DVSYS.POLICY_OWNER_RULE_SET View
- 25.55 DVSYS.POLICY_OWNER_RULE_SET_RULE View
- 25.56 AUDSYS.DV$CONFIGURATION_AUDIT View
- 25.57 AUDSYS.DV$ENFORCEMENT_AUDIT View
- 26 Monitoring Oracle Database Vault
- 27 Oracle Database Vault Reports
- 27.1 About the Oracle Database Vault Reports
- 27.2 Who Can Run the Oracle Database Vault Reports?
- 27.3 Running the Oracle Database Vault Reports
- 27.4 Oracle Database Vault Configuration Issues Reports
- 27.4.1 Command Rule Configuration Issues Report
- 27.4.2 Rule Set Configuration Issues Report
- 27.4.3 Realm Authorization Configuration Issues Report
- 27.4.4 Factor Configuration Issues Report
- 27.4.5 Factor Without Identities Report
- 27.4.6 Identity Configuration Issues Report
- 27.4.7 Secure Application Configuration Issues Report
- 27.5 Oracle Database Vault Auditing Reports
- 27.6 Oracle Database Vault General Security Reports
- 27.6.1 Object Privilege Reports
- 27.6.2 Database Account System Privileges Reports
- 27.6.2.1 Direct System Privileges By Database Account Report
- 27.6.2.2 Direct and Indirect System Privileges By Database Account Report
- 27.6.2.3 Hierarchical System Privileges by Database Account Report
- 27.6.2.4 ANY System Privileges for Database Accounts Report
- 27.6.2.5 System Privileges By Privilege Report
- 27.6.3 Sensitive Objects Reports
- 27.6.4 Privilege Management - Summary Reports
- 27.6.5 Powerful Database Accounts and Roles Reports
- 27.6.5.1 WITH ADMIN Privilege Grants Report
- 27.6.5.2 Accounts With DBA Roles Report
- 27.6.5.3 Security Policy Exemption Report
- 27.6.5.4 BECOME USER Report
- 27.6.5.5 ALTER SYSTEM or ALTER SESSION Report
- 27.6.5.6 Password History Access Report
- 27.6.5.7 WITH GRANT Privileges Report
- 27.6.5.8 Roles/Accounts That Have a Given Role Report
- 27.6.5.9 Database Accounts With Catalog Roles Report
- 27.6.5.10 AUDIT Privileges Report
- 27.6.5.11 OS Security Vulnerability Privileges Report
- 27.6.6 Initialization Parameters and Profiles Reports
- 27.6.7 Database Account Password Reports
- 27.6.8 Security Audit Report: Core Database Audit Report
- 27.6.9 Other Security Vulnerability Reports
- A Auditing Oracle Database Vault
- B Disabling and Enabling Oracle Database Vault
- C Postinstallation Oracle Database Vault Procedures
- D Oracle Database Vault Security Guidelines
- D.1 Separation of Duty Guidelines
- D.2 Managing Oracle Database Administrative Accounts
- D.3 Accounts and Roles Trusted by Oracle Database Vault
- D.4 Accounts and Roles That Should be Limited to Trusted Individuals
- D.5 Guidelines for Using Oracle Database Vault in a Production Environment
- D.6 Secure Configuration Guidelines
- D.6.1 General Secure Configuration Guidelines
- D.6.2 UTL_FILE and DBMS_FILE_TRANSFER Package Security Considerations
- D.6.2.1 About Security Considerations for the UTL_FILE and DBMS_FILE_TRANSFER Packages
- D.6.2.2 Securing Access to the DBMS_FILE_TRANSFER Package
- D.6.2.3 Example: Creating a Command Rule to Deny Access to CREATE DATABASE LINK
- D.6.2.4 Example: Creating a Command Rule to Enable Access to CREATE DATABASE LINK
- D.6.2.5 Example: Command Rules to Disable and Enable Access to CREATE DIRECTORY
- D.6.3 CREATE ANY JOB Privilege Security Considerations
- D.6.4 CREATE EXTERNAL JOB Privilege Security Considerations
- D.6.5 ALTER SYSTEM and ALTER SESSION Privilege Security Considerations
- E Troubleshooting Oracle Database Vault
- E.1 Using Trace Files to Diagnose Oracle Database Vault Events
- E.1.1 About Using Trace Files to Diagnose Oracle Database Vault Events
- E.1.2 Types of Oracle Database Vault Trace Events That You Can and Cannot Track
- E.1.3 Levels of Oracle Database Vault Trace Events
- E.1.4 Performance Effect of Enabling Oracle Database Vault Trace Files
- E.1.5 Enabling Oracle Database Vault Trace Events
- E.1.5.1 Enabling Trace Events for All Database Sessions Using DBMS_MACADM.SET_DV_TRACE_LEVEL
- E.1.5.2 Enabling Trace Events for All Database Sessions Using ALTER SYSTEM
- E.1.5.3 Enabling Trace Events for the Current Database Session Using ALTER SESSION
- E.1.5.4 Enabling Trace Events in a Multitenant Environment
- E.1.6 Finding the Current Oracle Database Vault Trace Level
- E.1.7 Finding Oracle Database Vault Trace File Data
- E.1.7.1 Finding the Database Vault Trace File Directory Location
- E.1.7.2 Using the Linux grep Command to Search Trace Files for Strings
- E.1.7.3 Using the ADR Command Interpreter (ADRCI) Utility to Query Trace Files
- E.1.7.4 Example: Low Level Oracle Database Vault Realm Violations in a Trace File
- E.1.7.5 Example: High Level Trace Enabled for Oracle Database Vault Authorization
- E.1.7.6 Example: Highest Level Traces on Violations on Realm-Protected Objects
- E.1.8 Disabling Oracle Database Vault Trace Events
- E.2 General Diagnostic Tips
- E.3 Configuration Problems with Oracle Database Vault Components
- E.4 Resetting Oracle Database Vault Account Passwords
- Index