10 Cleaning Up After the Quick Start Guide

If you've completed the tasks in this Quick Start Guide in your databases then there are a number of changes that should be reverted.

As a user with the DV_OWNER or DV_ADMIN role, perform the following:

  1. Disable Database Vault operations control from the container database:
    connect c##dvowner
    EXEC DBMS_MACADM.DISABLE_APP_PROTECTION;
    connect / as sysdba
    SELECT * FROM CDB_DV_STATUS;
  2. Delete the command rules, realms, and associated rules and rule sets
    connect c##jsmith@pdb_name

    BEGIN
    DBMS_MACADM.DELETE_COMMAND_RULE(  
        command         => 'DROP TABLE' 
        ,object_owner   => 'HR' 
        ,object_name    => '%' 
        ,scope          => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/
    BEGIN
    DBMS_MACAM.DELETE_RULE_SET(
        rule_set_name => 'Trusted Rule Set');
END;
/
    BEGIN
    DBMS_MACAM.DELETE_RULE(
        rule_name => 'Trusted IP Address');
END;
/
    BEGIN
    DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE(realm_name => 'Protect HR tables');
END;
/
    BEGIN
    DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE(realm_name => 'Protect HR indexes');
END;
/
  3. As a user who has the privileges to administer unified audit policies, delete the unified audit policies:
    connect c##cmack@pdb_name

    NOAUDIT POLICY AUD_PROTECT_HR_TABLES;
NOAUDIT POLICY AUD_PROTECT_HR_INDEXES;
NOAUDIT POLICY AUD_PROTECT_RULE_SET_TRS;

DROP AUDIT POLICY AUD_PROTECT_HR_TABLES;
DROP AUDIT POLICY AUD_PROTECT_HR_INDEXES;
DROP AUDIT POLICY AUD_PROTECT_RULE_SET_TRS;
  4. To drop the users in this example, perform the following as a user with the DV_ACCTMGR role:
    connect c##dvacctmgr
    DROP USER C##CMACK CASCADE;

    ALTER SESSION SET CONTAINER=pdb_name;

DROP USER GKRAMER CASCADE;
  5. Before you can drop JSMITH, you must revoke DV_ADMIN. This is a mechanism to prevent the accidental, or intentional, destruction of privileged Database Vault users:
    connect c##dvowner
    REVOKE DV_ADMIN FROM C##JSMITH CONTAINER=ALL;

    connect c##dvacctmgr
    DROP USER C##JSMITH CASCADE;
  6. Disable Oracle Database Vault on the pluggable and container databases. You will perform the disablement in reverse order of the enablement. To enable, you started with the container database and moved to the pluggable databases. To disable, you will start on the pluggable databases then move to the container database.
    1. In the pluggable database, as a user with the DV_OWNER role, perform the following:
      CONNECT c##dvowner@pdb_name

      SELECT * FROM DBA_DV_STATUS;
EXEC DBMS_MACADM.DISABLE_DV;
    2. Restart the pluggable database for the changes to take effect:
      connect / as sysdba
      ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb_name OPEN;
    3. Check the Oracle Database Vault enablement status:
      SELECT CON_ID_TO_CON_NAME(CON_ID) CON_NAME, NAME, STATUS 
    FROM CDB_DV_STATUS
ORDER BY 1;
      The output should be:
      CON_NAME    NAME                   STATUS
___________ ______________________ _________________
CDB$ROOT    DV_CONFIGURE_STATUS    TRUE
CDB$ROOT    DV_ENABLE_STATUS       TRUE
CDB$ROOT    DV_APP_PROTECTION      DISABLED
pdb_name    DV_CONFIGURE_STATUS    TRUE
pdb_name    DV_ENABLE_STATUS       FALSE
pdb_name    DV_APP_PROTECTION      DISABLED
    4. Now disable Database Vault on the container database:
      CONNECT c##dvowner

      EXEC DBMS_MACADM.DISABLE_DV;
    5. Restart the container database for the changes to take effect:
      connect / as sysdba
      SHUTDOWN IMMEDIATE;
STARTUP;
    6. Check the Oracle Database Vault enablement status:
      SELECT CON_ID_TO_CON_NAME(CON_ID) CON_NAME, NAME, STATUS 
    FROM CDB_DV_STATUS
ORDER BY 1;
      The output should be:
      CON_NAME    NAME                   STATUS
___________ ______________________ _________________
CDB$ROOT    DV_CONFIGURE_STATUS    TRUE
CDB$ROOT    DV_ENABLE_STATUS       FALSE
CDB$ROOT    DV_APP_PROTECTION      DISABLED
pdb_name    DV_CONFIGURE_STATUS    TRUE
pdb_name    DV_ENABLE_STATUS       FALSE
pdb_name    DV_APP_PROTECTION      DISABLED