This chapter contains:
The procedures and functions within the DBMS_MACADM
package allow you to write applications that configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.
The DBMS_MACADM
package is available only for users who have been granted the DV_ADMIN
or DV_OWNER
role.
Many of the parameters used in the procedures and functions in the DBMS_MACADM
package can use the constants available in the DBMS_MACUTL
package. See "DBMS_MACUTL Constants" for more information.
Oracle Database Vault also provides a set of PL/SQL interfaces that you can use with the DBMS_MACADM
package. See Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," for more information.
Table 12-1 lists procedures within the DBMS_MACADM
package that you can use to configure realms. For constants that you can use with these procedures, see Table 14-1 for more information.
Chapter 4, "Configuring Realms," describes realms in detail. See also Chapter 14, "Using the DBMS_MACUTL Package," for a set of general purpose utility procedures that you can use with the realm procedures.
Table 12-1 DBMS_MACADM Realm Configuration Procedures
The ADD_AUTH_TO_REALM
procedure authorizes a user or role to access a realm as an owner or a participant. For detailed information about realm authorization, see "Defining Realm Authorization".
Optionally, you can specify a rule set that must be checked before allowing the authorization to proceed.
DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name IN VARCHAR2, grantee IN VARCHAR2, rule_set_name IN VARCHAR2, auth_options IN NUMBER);
Table 12-2 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
User or role name to authorize as an owner or a participant. To find the existing users and roles in the current database instance, query the To find the authorization of a particular user or role, query the To find existing secure application roles used in privilege management, query the |
|
Optional. Rule set to check before authorizing. If the rule set evaluates to To find the available rule sets, query the |
|
Optional. Specify one of the following options to authorize the realm:
See "Defining Realm Authorization" for more information on participants and owners. |
The following example authorizes user SYSADM
as a participant in the Performance Statistics Realm. Because the default is to authorize the user as a participant, the auth_options
parameter can be omitted.
BEGIN DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Performance Statistics Realm', grantee => 'SYSADM'); END; /
This example sets user SYSADM
as the owner of the Performance Statistics Realm.
BEGIN DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Performance Statistics Realm', grantee => 'SYSADM', auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER); END; /
The next example triggers the Check Conf Access rule set before allowing user SYSADM
to be made the owner of the Performance Statistics Realm.
BEGIN DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Performance Statistics Realm', grantee => 'SYSADM', rule_set_name => 'Check Conf Access', auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER); END; /
The ADD_OBJECT_TO_REALM
procedure registers a set of objects for realm protection.
DBMS_MACADM.ADD_OBJECT_TO_REALM( realm_name IN VARCHAR2, object_owner IN VARCHAR2, object_name IN VARCHAR2, object_type IN VARCHAR2);
Table 12-3 ADD_OBJECT_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
The owner of the object that is being added to the realm. If you add a role to a realm, the object owner of the role is shown as To find the available users, query the To find the authorization of a particular user or role, query the |
|
Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the To find the available objects, query the To find objects that are secured by existing realms, query the |
|
Object type, such as You can also use the |
BEGIN DBMS_MACADM.ADD_OBJECT_TO_REALM( realm_name => 'Performance Statistics Realm', object_owner => '%', object_name => 'GATHER_SYSTEM_STATISTICS', object_type => 'ROLE'); END; /
The CREATE_REALM
procedure creates a realm. After you create the realm, use the following procedures to complete the realm definition:
ADD_OBJECT_TO_REALM
procedure registers one or more objects for the realm.
ADD_AUTH_TO_REALM
procedures authorize users or roles for the realm.
DBMS_MACADM.CREATE_REALM( realm_name IN VARCHAR2, description IN VARCHAR2, enabled IN VARCHAR2, audit_options IN NUMBER);
Table 12-4 CREATE_REALM Parameters
Parameter | Description |
---|---|
|
Realm name, up to 90 characters in mixed-case. To find the existing realms in the current database instance, query the |
|
Description of the purpose of the realm, up to 1024 characters in mixed-case. |
|
|
|
Specify one of the following options to audit the realm:
|
BEGIN DBMS_MACADM.CREATE_REALM( realm_name => 'Performance Statistics Realm', description => 'Realm to measure performance', enabled => DBMS_MACUTL.G_YES, audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + DBMS_MACUTL.G_REALM_AUDIT_SUCCESS); END; /
The DELETE_AUTH_FROM_REALM
procedure removes the authorization of a user or role to access a realm.
DBMS_MACADM.DELETE_AUTH_FROM_REALM( realm_name IN VARCHAR2, grantee IN VARCHAR2);
Table 12-5 DELETE_AUTH_FROM_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
User or role name. To find the authorization of a particular user or role, query the |
BEGIN DBMS_MACADM.DELETE_AUTH_FROM_REALM( realm_name => 'Performance Statistics Realm', grantee => 'SYS'); END; /
The DELETE_OBJECT_FROM_REALM
procedure removes a set of objects from realm protection.
DBMS_MACADM.DELETE_OBJECT_FROM_REALM( realm_name IN VARCHAR2, object_owner IN VARCHAR2, object_name IN VARCHAR2, object_type IN VARCHAR2);
Table 12-6 DELETE_OBJECT_FROM_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
The owner of the object that was added to the realm. To find the available users, query the |
|
Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the To find objects that are secured by existing realms, query the |
|
Object type, such as You can also use the |
BEGIN DBMS_MACADM.DELETE_OBJECT_FROM_REALM( realm_name => 'Performance Statistics Realm', object_owner => 'SYS', object_name => 'GATHER_SYSTEM_STATISTICS', object_type => 'ROLE'); END; /
The DELETE_REALM
procedure deletes a realm but does not remove its associated objects and authorizations. Before you delete a realm, you can locate its associated objects by querying the DVSYS.DBA_DV_REALM_OBJECT
view. To find a listing of the realm-related objects, query the DVSYS.DBA_DV_REALM
view. To find its authorizations, query DVSYS.DBA_DV_REALM_AUTH
. These views are described in Chapter 16, "Oracle Database Vault Data Dictionary Views."
If you want to remove the associated objects and authorizations and the realm, see "DELETE_REALM_CASCADE Procedure".
DBMS_MACADM.DELETE_REALM( realm_name IN VARCHAR2);
Table 12-7 DELETE_REALM Parameter
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
EXEC DBMS_MACADM.DELETE_REALM('Performance Statistics Realm');
The DELETE_REALM_CASCADE
procedure deletes a realm, including its related Database Vault configuration information that specifies who is authorized (DVSYS.DBA_DV_REALM_AUTH
view) and what objects are protected (DVSYS.DBA_DV_REALM_OBJECT
view). It does not delete the actual database objects or users. To find a listing of the realm-related objects, query the DVSYS.DBA_DV_REALM
view. To find its authorizations, query DVSYS.DBA_DV_REALM_AUTH
. Both are described under Chapter 16, "Oracle Database Vault Data Dictionary Views."
DBMS_MACADM.DELETE_REALM_CASCADE( realm_name IN VARCHAR2);
Table 12-8 DELETE_REALM_CASCADE Parameter
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
EXEC DBMS_MACADM.DELETE_REALM_CASCADE('Performance Statistics Realm');
The RENAME_REALM
procedure renames a realm. The name change takes effect everywhere the realm is used.
DBMS_MACADM.RENAME_REALM( realm_name IN VARCHAR2, new_name IN VARCHAR2);
Table 12-9 RENAME_REALM Parameters
Parameter | Description |
---|---|
|
Current realm name. To find the existing realms in the current database instance, query the |
|
New realm name, up to 90 characters in mixed-case. |
BEGIN DBMS_MACADM.RENAME_REALM( realm_name => 'Performance Statistics Realm', new_name => 'Sector 2 Performance Statistics Realm'); END; /
The UPDATE_REALM
procedure updates a realm.
DBMS_MACADM.UPDATE_REALM( realm_name IN VARCHAR2, description IN VARCHAR2, enabled IN VARCHAR2, audit_options IN NUMBER DEFAULT NULL);
Table 12-10 UPDATE_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
Description of the purpose of the realm, up to 1024 characters in mixed-case. |
|
The default for |
|
Specify one of the following options to audit the realm:
The default for |
BEGIN DBMS_MACADM.UPDATE_REALM( realm_name => 'Sector 2 Performance Statistics Realm', description => 'Realm to measure performance for Sector 2 applications', enabled => DBMS_MACUTL.G_YES, audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + G_REALM_AUDIT_SUCCESS); END; /
The UPDATE_REALM_AUTH
procedure updates the authorization of a user or role to access a realm.
DBMS_MACADM.UPDATE_REALM_AUTH( realm_name IN VARCHAR2, grantee IN VARCHAR2, rule_set_name IN VARCHAR2, auth_options IN NUMBER);
Table 12-11 UPDATE_REALM_AUTH Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
User or role name. To find the available users and roles, query the To find the authorization of a particular user or role, query the To find existing secure application roles used in privilege management, query the |
|
Optional Rule set to check before authorizing. If the rule set evaluates to To find the available rule sets, query the |
|
Optional. Specify one of the following options to authorize the realm:
The default for |
BEGIN DBMS_MACADM.UPDATE_REALM_AUTH( realm_name => 'Sector 2 Performance Statistics Realm', grantee => 'SYSADM', rule_set_name => 'Check Conf Access', auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER); END; /
Table 12-12 lists procedures within the DBMS_MACADM
package that you can use to configure rule sets.
See Also:
Chapter 5, "Configuring Rule Sets," for detailed information about rule sets
Chapter 14, "Using the DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the rule set procedures
Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," for PL/SQL interfaces that you can use with rules
Table 12-12 DBMS_MACADM Rule Set Configuration Procedures
Procedure | Description |
---|---|
Adds a rule to a rule set |
|
Creates a rule |
|
Creates a rule set |
|
Deletes a rule |
|
Deletes a rule from a rule set |
|
Deletes a rule set |
|
Renames a rule. The name change takes effect everywhere the rule is used. |
|
Renames a rule set. The name change takes effect everywhere the rule set is used. |
|
Synchronizes the rules |
|
Updates a rule |
|
Updates a rule set |
The ADD_RULE_TO_RULE_SET
procedure adds rule to a rule set, and lets you specify whether to have the rule be checked when the rule set is evaluated.
DBMS_MACADM.ADD_RULE_TO_RULE_SET( rule_set_name IN VARCHAR2, rule_name IN VARCHAR2, rule_order IN NUMBER, enabled IN VARCHAR2);
Table 12-13 ADD_RULE_TO_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, query the |
|
Rule to add to the rule set. To find existing rules, query the To find rules that have been associated with rule sets, use |
|
Does not apply to this release, but you must include a value for the |
|
Optional. Determines whether the rule should be checked when the rule set is evaluated. Possible values are:
You can also enter the following
See Table 14-1 for more information. |
The following example adds a rule to a rule set, and by omitting the enabled
parameter, automatically enables the rule to be checked when the rule set is evaluated.
BEGIN DBMS_MACADM.ADD_RULE_TO_RULE_SET( rule_set_name => 'Limit_DBA_Access', rule_name => 'Restrict DROP TABLE operations', rule_order => 1); END; /
This example adds the rule to the rule set but disables rule checking.
BEGIN DBMS_MACADM.ADD_RULE_TO_RULE_SET( rule_set_name => 'Limit_DBA_Access', rule_name => 'Check UPDATE operations', rule_order => 1, enabled => DBMS_MACUTL.G_NO); END; /
The CREATE_RULE
procedure creates a rule. After you create a rule, you can add it to a rule set.
DBMS_MACADM.CREATE_RULE( rule_name IN VARCHAR2, rule_expr IN VARCHAR2);
Table 12-14 CREATE_RULE Parameters
Parameter | Description |
---|---|
|
Rule name, up to 90 characters in mixed-case. Spaces are allowed. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
|
PL/SQL If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example: 'TO_CHAR(SYSDATE,''HH24'') = ''12''' See "Creating a New Rule" for more information on rule expressions. |
BEGIN DBMS_MACADM.CREATE_RULE( rule_name => 'Check UPDATE operations', rule_expr =>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SYSADM'''); END; /
The CREATE_RULE_SET
procedure creates a rule set. After you create a rule set, you can use the CREATE_RULE
and ADD_RULE_TO_RULE_SET
procedures to create and add rules to the rule set.
DBMS_MACADM.CREATE_RULE_SET( rule_set_name IN VARCHAR2, description IN VARCHAR2, enabled IN VARCHAR2, eval_options IN NUMBER, audit_options IN NUMBER, fail_options IN NUMBER, fail_message IN VARCHAR2, fail_code IN NUMBER, handler_options IN NUMBER, handler IN VARCHAR2, is_static IN BOOLEAN DEFAULT FALSE);
Table 12-15 CREATE_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name, up to 90 characters in mixed-case. Spaces are allowed. To find existing rule sets in the current database instance, query the |
|
Description of the purpose of the rule set, up to 1024 characters in mixed-case. |
|
|
|
If you plan to assign multiple rules to the rule set, enter one of the following settings:
|
|
Select one of the following settings:
See "Audit Options" for more information. |
|
Options for reporting factor errors:
See "Error Handling Options" for more information. |
|
Enter an error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for |
|
Enter a number in the range of -20000 to -20999 or 20000 to 20999 to associate with the |
|
Select one of the following settings:
See "Error Handling Options" for more information. |
|
Name of the PL/SQL function or procedure that defines the custom event handler logic. See "Error Handling Options" for more information. |
|
Optional. Determines how often a rule set is evaluated when it is accessed. The default is
|
BEGIN DBMS_MACADM.CREATE_RULE_SET( rule_set_name => 'Limit_DBA_Access', description => 'DBA access through predefined processes', enabled => DBMS_MACUTL.G_YES, eval_options => 2, audit_options => DBMS_MACUTL.G_RULESET_AUDIT_FAIL + DBMS_MACUTL.G_RULESET_AUDIT_SUCCESS, fail_options => DBMS_MACUTL.G_RULESET_FAIL_SILENT, fail_message => '', fail_code => 20461, handler_options => DBMS_MACUTL.G_RULESET_HANDLER_FAIL, handler => 'dbavowner.email_alert', is_static => TRUE); END; /
The DELETE_RULE
procedure deletes a rule.
DBMS_MACADM.DELETE_RULE( rule_name IN VARCHAR2);
Table 12-16 DELETE_RULE Parameter
Parameter | Description |
---|---|
|
Rule name. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
EXEC DBMS_MACADM.DELETE_RULE('Check UPDATE operations');
The DELETE_RULE_FROM_RULE_SET
procedure deletes a rule from a rule set.
DBMS_MACADM.DELETE_RULE_FROM_RULE_SET( rule_set_name IN VARCHAR2, rule_name IN VARCHAR2);
Table 12-17 DELETE_RULE_FROM_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, query the |
|
Rule to remove from the rule set. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
BEGIN DBMS_MACADM.DELETE_RULE_FROM_RULE_SET( rule_set_name => 'Limit_DBA_Access', rule_name => 'Check UPDATE operations'); END; /
The DELETE_RULE_SET
procedure deletes a rule set.
DBMS_MACADM.DELETE_RULE_SET( rule_set_name IN VARCHAR2);
Table 12-18 DELETE_RULE_SET Parameter
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, query the |
EXEC DBMS_MACADM.DELETE_RULE_SET('Limit_DBA_Access');
The RENAME_RULE
procedure renames a rule. The name change takes effect everywhere the rule is used.
DBMS_MACADM.RENAME_RULE( rule_name IN VARCHAR2, new_name IN VARCHAR2);
Table 12-19 RENAME_RULE Parameters
Parameter | Description |
---|---|
|
Current rule name. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
|
New rule name, up to 90 characters in mixed-case. |
BEGIN DBMS_MACADM.RENAME_RULE( rule_name => 'Check UPDATE operations', new_name => 'Check Sector 2 Processes'); END; /
The RENAME_RULE_SET
procedure renames a rule set. The name change takes effect everywhere the rule set is used.
DBMS_MACADM.RENAME_RULE_SET( rule_set_name IN VARCHAR2, new_name IN VARCHAR2);
Table 12-20 RENAME_RULE_SET Parameters
Parameter | Description |
---|---|
|
Current rule set name. To find existing rule sets in the current database instance, query the |
|
New rule set name, up to 90 characters in mixed-case. Spaces are allowed. |
BEGIN DBMS_MACADM.RENAME_RULE_SET( rule_set_name => 'Limit_DBA_Access', new_name => 'Limit Sector 2 Access'); END; /
The SYNC_RULES
procedure synchronizes the rules in Oracle Database Vault and Advanced Queuing Rules engine. You must perform this operation immediately after you roll back an ADD_RULE_TO_RULESET
, a DELETE_RULE
, or an UPDATE_RULE
operation.
DBMS_MACADM.SYNC_RULES();
None.
EXEC DBMS_MACADM.SYNC_RULES();
The UPDATE_RULE
procedure updates a rule.
DBMS_MACADM.UPDATE_RULE( rule_name IN VARCHAR2, rule_expr IN VARCHAR2);
Table 12-21 UPDATE_RULE Parameters
Parameter | Description |
---|---|
|
Rule name. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
|
PL/SQL If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example: 'TO_CHAR(SYSDATE,''HH24'') = ''12''' See "Creating a New Rule" for more information on rule expressions. To find existing rule expressions, query the |
BEGIN DBMS_MACADM.UPDATE_RULE( rule_name => 'Check UPDATE operations', rule_expr =>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SYSADM'' AND ( UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''APPSRVR%'' OR UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''DBAPP%'' )' ); END; /
The UPDATE_RULE_SET
procedure updates a rule set.
DBMS_MACADM.UPDATE_RULE_SET( rule_set_name IN VARCHAR2, description IN VARCHAR2, enabled IN VARCHAR2, eval_options IN NUMBER, audit_options IN NUMBER, fail_options IN NUMBER, fail_message IN VARCHAR2, fail_code IN NUMBER, handler_options IN NUMBER, handler IN VARCHAR2, is_static IN BOOLEAN DEFAULT FALSE);
Table 12-22 UPDATE_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, query the |
|
Description of the purpose of the rule set, up to 1024 characters in mixed-case. |
|
The default for the |
|
If you plan to assign multiple rules to the rule set, enter one of the following settings:
The default for |
|
Select one of the following settings:
The default for See "Audit Options" for more information. |
|
Options for reporting factor errors:
The default for See "Error Handling Options" for more information. |
|
Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for |
|
Enter a number in the range of -20000 to -20999 or 20000 to 20999 to associate with the |
|
Select one of the following settings:
The default for See "Error Handling Options" for more information. |
|
Name of the PL/SQL function or procedure that defines the custom event handler logic. See "Error Handling Options" for more information. |
|
Optional. Determines how often a rule set is evaluated when it is accessed by a SQL statement.
|
BEGIN DBMS_MACADM.UPDATE_RULE_SET( rule_set_name => 'Limit_DBA_Access', description => 'DBA access through predefined processes', enabled => DBMS_MACUTL.G_YES, eval_options => DBMS_MACUTL.G_RULESET_AUDIT_FAIL, audit_options => DBMS_MACUTL.G_RULESET_AUDIT_FAIL, fail_options => DBMS_MACUTL.G_RULESET_FAIL_SHOW, fail_message => 'Access denied!', fail_code => 20900, handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF, handler => '', is_static = TRUE); END; /
Table 12-23 lists procedures within the DBMS_MACADM
package that you can use to configure command rules.
Chapter 6, "Configuring Command Rules," describes command rules in detail. See also Chapter 14, "Using the DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the command rule procedures.
Table 12-23 DBMS_MACADM Command Rule Configuration Procedures
Procedure | Description |
---|---|
Creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set |
|
Drops a command rule declaration |
|
Updates a command rule declaration |
The CREATE_COMMAND_RULE
procedure creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set.
DBMS_MACADM.CREATE_COMMAND_RULE( command IN VARCHAR2, rule_set_name IN VARCHAR2, object_owner IN VARCHAR2, object_name IN VARCHAR2, enabled IN VARCHAR2);
Table 12-24 CREATE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
|
SQL statement to protect. See also the following:
|
|
Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, query the |
|
Database schema to which this command rule will apply. The wildcard To find the available users, query the See also "Object Owner" in "Creating and Editing a Command Rule" for more information. |
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the |
|
|
BEGIN DBMS_MACADM.CREATE_COMMAND_RULE( command => 'SELECT', rule_set_name => 'Limit Sector 2 Access', object_owner => 'SYSADM', object_name => 'EMP_DATA', enabled => DBMS_MACUTL.G_YES); END; /
The DELETE_COMMAND_RULE
procedure drops a command rule declaration.
DBMS_MACADM.DELETE_COMMAND_RULE( command IN VARCHAR2, object_owner IN VARCHAR2, object_name IN VARCHAR2);
Table 12-25 DELETE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
|
SQL statement the command rule protects. To find available command rules, query the |
|
Database schema to which this command rule applies. To find the available users in the current database instance, query the See also "Object Owner" in "Creating and Editing a Command Rule" for more information. |
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the |
BEGIN DBMS_MACADM.DELETE_COMMAND_RULE( command => 'SELECT', object_owner => 'SYSADM', object_name => 'EMP_DATA'); END; /
The UPDATE_COMMAND_RULE
procedure updates a command rule declaration.
DBMS_MACADM.UPDATE_COMMAND_RULE( command IN VARCHAR2, rule_set_name IN VARCHAR2, object_owner IN VARCHAR2, object_name IN VARCHAR2, enabled IN VARCHAR2);
Table 12-26 UPDATE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
|
SQL statement to protect. See also the following:
|
|
Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, query the |
|
Database schema to which this command rule applies. To find the available users, query the |
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the |
|
The default for |
BEGIN DBMS_MACADM.UPDATE_COMMAND_RULE( command => 'SELECT', rule_set_name => 'Limit Sector 2 Access', object_owner => 'SYSADM', object_name => '%', enabled => DBMS_MACUTL.G_NO); END; /
Table 12-27 lists procedures and functions within the DBMS_MACADM
package that you can use to configure factors.
See Also:
Chapter 7, "Configuring Factors," for detailed information about factors
Chapter 14, "Using the DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the factor procedures
Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," for a set of PL/SQL interfaces that you can use with factors
Table 12-27 DBMS_MACADM Factor Configuration Procedures
The ADD_FACTOR_LINK
procedure specifies a parent-child relationship for two factors.
DBMS_MACADM.ADD_FACTOR_LINK( parent_factor_name IN VARCHAR2, child_factor_name IN VARCHAR2, label_indicator IN VARCHAR2);
Table 12-28 ADD_FACTOR_LINK Parameters
Parameter | Description |
---|---|
|
Parent factor name. To find existing parent and child factors in the current database instance, query the |
|
Child factor name. |
|
Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either To find the Oracle Label Security policies and labels associated with factors, query the following views, described in Chapter 16, "Oracle Database Vault Data Dictionary Views":
|
BEGIN DBMS_MACADM.ADD_FACTOR_LINK( parent_factor_name => 'HQ_ClientID', child_factor_name => 'Div1_ClientID', label_indicator => DBMS_MACUTL.G_YES); END; /
The ADD_POLICY_FACTOR
procedure specifies that the label for a factor contributes to the Oracle Label Security label for a policy.
DBMS_MACADM.ADD_POLICY_FACTOR( policy_name IN VARCHAR2, factor_name IN VARCHAR2);
Table 12-29 ADD_POLICY_FACTOR Parameters
Parameter | Description |
---|---|
|
Oracle Label Security policy name. To find the policies defined in the current database instance, query the To find factors that are associated with Oracle Label Security policies, query |
|
Factor name. To find existing factors, query the |
BEGIN DBMS_MACADM.ADD_POLICY_FACTOR( policy_name => 'AccessData', factor_name => 'Sector2_ClientID'); END; /
The CHANGE_IDENTITY_FACTOR
procedure associates an identity with a different factor.
DBMS_MACADM.CHANGE_IDENTITY_FACTOR( factor_name IN VARCHAR2, value IN VARCHAR2, new_factor_name IN VARCHAR2);
Table 12-30 CHANGE_IDENTITY_FACTOR Parameters
Parameter | Description |
---|---|
|
Current factor name. To find existing factors, query the |
|
Value of the identity to update. To find existing identities for each factor in the current database instance, query the To find current identity mappings, query the |
|
Name of the factor to associate with the identity, which you can find by querying the |
BEGIN DBMS_MACADM.CHANGE_IDENTITY_FACTOR( factor_name => 'Sector2_ClientID', value => 'intranet', new_factor_name => 'Sector4_ClientID'); END; /
The CHANGE_IDENTITY_FACTOR
procedure updates the value of an identity.
DBMS_MACADM.CHANGE_IDENTITY_VALUE( factor_name IN VARCHAR2, value IN VARCHAR2, new_value IN VARCHAR2);
Table 12-31 CHANGE_IDENTITY_VALUE Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors, query the |
|
Current value associated with the identity. To find existing identities for each factor in the current database instance, query the To find current identity mappings, query the |
|
New identity value, up to 1024 characters in mixed-case. |
BEGIN DBMS_MACADM.CHANGE_IDENTITY_VALUE( factor_name => 'Sector2_ClientID', value => 'remote', new_value => 'intranet'); END; /
The CREATE_DOMAIN_IDENTITY
procedure adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.
DBMS_MACADM.CREATE_DOMAIN_IDENTITY( domain_name IN VARCHAR2, domain_host IN VARCHAR2, policy_name IN VARCHAR2 DEFAULT NULL, domain_label IN VARCHAR2 DEFAULT NULL);
Table 12-32 CREATE_DOMAIN_IDENTITY Parameters
Parameter | Description |
---|---|
|
Name of the domain to which to add the host. To find the logical location of the database within the network structure within a distributed database system, run the |
|
Oracle Real Application Clusters host name being added to the domain. To find host name of a database, run the |
|
Oracle Label Security policy name. If you omit the policy name, then the domain is not associated with any policy. To find the available policies, query the |
|
Name of the domain to which to add the Oracle Label Security policy. |
BEGIN DBMS_MACADM.CREATE_DOMAIN_IDENTITY( domain_name => 'example', domain_host => 'mydom_host', policy_name => 'AccessData', domain_label => 'sensitive'); END; /
The CREATE_FACTOR
procedure creates a factor. After you create a factor, you can give it an identity by using the CREATE_IDENTITY
procedure, described in "CREATE_IDENTITY Procedure".
DBMS_MACADM.CREATE_FACTOR( factor_name IN VARCHAR2, factor_type_name IN VARCHAR2, description IN VARCHAR2, rule_set_name IN VARCHAR2, get_expr IN VARCHAR2, validate_expr IN VARCHAR2, identify_by IN NUMBER, labeled_by IN NUMBER, eval_options IN NUMBER, audit_options IN NUMBER, fail_options IN NUMBER);
Table 12-33 CREATE_FACTOR Parameters
Parameter | Description |
---|---|
|
Factor name, up to 28 characters in mixed-case, without spaces. To find existing factors in the current database instance, query the |
|
Type of the factor, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the |
|
Description of the purpose of the factor, up to 1024 characters in mixed-case. |
|
Rule set name if you want to use a rule set to control when and how a factor identity is set. To find existing rule sets, query the |
|
Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the |
|
Name of the procedure to validate the factor. This is a valid PL/SQL expression that returns a Boolean value ( |
|
Options for determining the identity of a factor, based on the expression set for the
See "Factor Identification" for more information. |
|
Options for labeling the factor:
See "Factor Labeling" for more information. |
|
Options for evaluating the factor when the user logs on:
See "Evaluation" for more information. |
|
Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.
See "Audit Options" for more information. |
|
Options for reporting factor errors:
See "Error Options" for more information. |
BEGIN DBMS_MACADM.CREATE_FACTOR( factor_name => 'Sector2_DB', factor_type_name => 'Instance', description => ' ', rule_set_name => 'Limit_DBA_Access', get_expr => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', validate_expr => 'dbavowner.check_db_access', identify_by => DBMS_MACUTL.G_IDENTIFY_BY_METHOD, labeled_by => DBMS_MACUTL.G_LABELED_BY_SELF, eval_options => DBMS_MACUTL.G_EVAL_ON_SESSION, audit_options => DBMS_MACUTL.G_AUDIT_OFF, fail_options => DBMS_MACUTL.G_FAIL_SILENTLY); END; /
The CREATE_FACTOR_TYPE
procedure creates a user-defined factor type.
DBMS_MACADM.CREATE_FACTOR_TYPE( name IN VARCHAR2, description IN VARCHAR2);
Table 12-34 CREATE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
|
Factor type name, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the |
|
Description of the purpose of the factor type, up to 1024 characters in mixed-case. |
BEGIN DBMS_MACADM.CREATE_FACTOR_TYPE( name => 'Sector2Instance', description => 'Checks DB instances used in Sector 2'); END; /
The CREATE_IDENTITY
procedure assigns an identity and an associated trust level for a given factor. After you create a factor, you must assign it an identity.
DBMS_MACADM.CREATE_IDENTITY( factor_name IN VARCHAR2, value IN VARCHAR2, trust_level IN NUMBER);
Table 12-35 CREATE_IDENTITY Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors, query the |
|
The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12. |
|
Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security. |
BEGIN DBMS_MACADM.CREATE_IDENTITY( factor_name => 'Sector2_ClientID', value => 'intranet', trust_level => 5); END; /
The CREATE_IDENTITY_MAP
procedure defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors).
DBMS_MACADM.CREATE_IDENTITY_MAP( identity_factor_name IN VARCHAR2, identity_factor_value IN VARCHAR2, parent_factor_name IN VARCHAR2, child_factor_name IN VARCHAR2, operation IN VARCHAR2, operand1 IN VARCHAR2, operand2 IN VARCHAR2);
Table 12-36 CREATE_IDENTITY_MAP Parameters
Parameter | Description |
---|---|
|
Factor the identity map is for. To find existing factors in the current database instance, query the |
|
Value the factor assumes if the identity map evaluates to To find existing factor identities, query the To find current factor identity mappings, use |
|
The parent factor link to which the map is related. To find existing parent-child factor mappings, query the |
|
The child factor link to which the map is related. |
|
Relational operator for the identity map (for example, <, >, =, and so on). |
|
Left operand for the relational operator; refers to the low value you enter. |
|
Right operand for the relational operator; refers to the high value you enter. |
BEGIN DBMS_MACADM.CREATE_IDENTITY_MAP( identity_factor_name => 'Sector2_ClientID', identity_factor_value => 'intranet', parent_factor_name => 'HQ_ClientID', child_factor_name => 'Div1_ClientID', operation => '<', operand1 => '192.0.2.50', operand2 => '192.0.2.100'); END; /
The DELETE_FACTOR
procedure deletes a factor.
DBMS_MACADM.DELETE_FACTOR( factor_name IN VARCHAR2);
Table 12-37 DELETE_FACTOR Parameter
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, query the |
EXEC DBMS_MACADM.DELETE_FACTOR('Sector2_ClientID');
The DELETE_FACTOR_LINK
procedure removes a parent-child relationship for two factors.
DBMS_MACADM.DELETE_FACTOR_LINK( parent_factor_name IN VARCHAR2, child_factor_name IN VARCHAR2);
Table 12-38 DELETE_FACTOR_LINK Parameters
Parameter | Description |
---|---|
|
Factor name. To find factors that are used in parent-child mappings in the current database instance, query the |
|
Factor name. |
BEGIN DBMS_MACADM.DELETE_FACTOR_LINK( parent_factor_name => 'HQ_ClientID', child_factor_name => 'Div1_ClientID'); END; /
The DELETE_FACTOR_TYPE
procedure deletes a factor type.
DBMS_MACADM.DELETE_FACTOR_TYPE( name IN VARCHAR2);
Table 12-39 DELETE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
|
Factor type name. To find existing factor types, query the |
EXEC DBMS_MACADM.DELETE_FACTOR_TYPE('Sector2Instance');
The DELETE_IDENTITY
procedure removes an identity from an existing factor.
DBMS_MACADM.DELETE_IDENTITY( factor_name IN VARCHAR2, value IN VARCHAR2);
Table 12-40 DELETE_IDENTITY Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, query the |
|
Identity value associated with the factor. To find the identities for each factor in the current database instance, query the |
BEGIN DBMS_MACADM.DELETE_IDENTITY( factor_name => 'Sector2_ClientID', value => 'intranet'); END; /
The DELETE_IDENTITY_MAP
procedure removes an identity map for a factor.
DBMS_MACADM.DELETE_IDENTITY_MAP( identity_factor_name IN VARCHAR2, identity_factor_value IN VARCHAR2, parent_factor_name IN VARCHAR2, child_factor_name IN VARCHAR2, operation IN VARCHAR2, operand1 IN VARCHAR2, operand2 IN VARCHAR2);
Table 12-41 DELETE_IDENTITY_MAP Parameters
Parameter | Description |
---|---|
|
Factor the identity map is for. To find existing factors in the current database instance, query the |
|
Value the factor assumes if the identity map evaluates to To find existing factor identities, query the To find current factor identity mappings, query |
|
The parent factor link to which the map is related. To find existing parent-child factors, query the |
|
The child factor to which the map is related. |
|
Relational operator for the identity map (for example, <, >, =, and so on). |
|
Left (low value) operand for the relational operator. |
|
Right (high value) operand for the relational operator. |
BEGIN DBMS_MACADM.DELETE_IDENTITY_MAP( identity_factor_name => 'Sector2_ClientID', identity_factor_value => 'intranet', parent_factor_name => 'HQ_ClientID', child_factor_name => 'Div1_ClientID', operation => '<', operand1 => '192.0.2.10', operand2 => '192.0.2.15'); END; /
The DROP_DOMAIN_IDENTITY
procedure removes an Oracle Real Application Clusters database node from a domain.
DBMS_MACADM.DROP_DOMAIN_IDENTITY( domain_name IN VARCHAR2, domain_host IN VARCHAR2);
Table 12-42 DROP_DOMAIN_IDENTITY Parameters
Parameter | Description |
---|---|
|
Name of the domain to which the host was added. To find the domain of a database as specified by the |
|
Oracle Real Application Clusters host name being that was added to the domain. To find the host name for a specified database, run the |
BEGIN DBMS_MACADM.DROP_DOMAIN_IDENTITY( domain_name => 'example', domain_host => 'mydom_host'); END; /
The GET_INSTANCE_INFO
function returns information from the SYS.V_$INSTANCE
system table about the current database instance. The V$INSTANCE
data dictionary view also contains database instance information from this table. See Oracle Database Reference for more information.
DBMS_MACADM.GET_INSTANCE_INFO( p_parameter IN VARCHAR2) RETURN VARCHAR2;
Table 12-43 GET_INSTANCE_INFO Parameter
Parameter | Description |
---|---|
|
Column name in the |
DECLARE instance_var varchar2 := null; BEGIN instance_var = DBMS_MACADM.GET_INSTANCE_INFO('INSTANCE_NAME'); END; /
The GET_SESSION_INFO
function returns information from the SYS.V_$SESSION
system table for the current session. The V$SESSION
data dictionary view also contains session information from this table. See Oracle Database Reference for more information.
DBMS_MACADM.GET_SESSION_INFO( p_parameter IN VARCHAR2) RETURN VARCHAR2;
Table 12-44 GET_SESSION_INFO Parameter
Parameter | Description |
---|---|
|
Column name in the |
DECLARE session_var varchar2 := null; BEGIN session_var = DBMS_MACADM.GET_SESSION_INFO('PROCESS'); END; /
The RENAME_FACTOR
procedure renames a factor. The name change takes effect everywhere the factor is used.
DBMS_MACADM.RENAME_FACTOR( factor_name IN VARCHAR2, new_factor_name IN VARCHAR2);
Table 12-45 RENAME_FACTOR Parameters
Parameter | Description |
---|---|
|
Current factor name. To find existing factors in the current database instance, query the |
|
New factor name, up to 28 characters in mixed-case, without spaces. |
BEGIN DBMS_MACADM.RENAME_FACTOR( factor_name => 'Sector2_ClientID', new_factor_name => 'Sector2_Clients'); END; /
The RENAME_FACTOR
procedure renames a factor type. The name change takes effect everywhere the factor type is used.
DBMS_MACADM.RENAME_FACTOR_TYPE( old_name IN VARCHAR2, new_name IN VARCHAR2);
Table 12-46 RENAME_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
|
Current factor type name. To find existing factor types in the current database instance, query the |
|
New factor type name, up to 30 characters in mixed-case, without spaces. |
BEGIN DBMS_MACADM.RENAME_FACTOR_TYPE( old_name => 'Sector2Instance', new_name => 'Sector2DBInstance'); END; /
The UPDATE_FACTOR
procedure updates the description of a factor type.
DBMS_MACADM.UPDATE_FACTOR( factor_name IN VARCHAR2, factor_type_name IN VARCHAR2, description IN VARCHAR2, rule_set_name IN VARCHAR2, get_expr IN VARCHAR2, validate_expr IN VARCHAR2, identify_by IN NUMBER, labeled_by IN NUMBER, eval_options IN NUMBER, audit_options IN NUMBER, fail_options IN NUMBER);
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, query the |
|
Factor type name. To find existing factor types, query the |
|
Description of the purpose of the factor, up to 1024 characters in mixed-case. |
|
Name of the rule set used to control when and how a factor identity is set. To find existing rule sets, query the See also "Assignment Rule Set" for more information about assigning rule sets to factors. |
|
Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the |
|
Name of the procedure to validate factor. This is a valid PL/SQL expression that returns a Boolean value ( |
|
Options for determining the identity of a factor, based on the expression set for the
See "Factor Identification" for more information. |
|
Options for labeling the factor:
The default for See "Factor Labeling" for more information. |
|
Options for evaluating the factor when the user logs on:
The default for See "Evaluation" for more information. |
|
Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.
The default for See "Audit Options" for more information. |
|
Options for reporting factor errors:
The default for See "Error Options" for more information. |
BEGIN DBMS_MACADM.UPDATE_FACTOR( factor_name => 'Sector2_DB', factor_type_name => 'Instance', description => ' ', rule_set_name => 'Limit_DBA_Access', get_expr => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', validate_expr => 'dbavowner.check_db_access', identify_by => DBMS_MACUTL.G_IDENTIFY_BY_METHOD, labeled_by => DBMS_MACUTL.G_LABELED_BY_SELF, eval_options => DBMS_MACUTL.G_EVAL_ON_ACCESS, audit_options => DBMS_MACUTL.G_AUDIT_ALWAYS, fail_options => DBMS_MACUTL.G_FAIL_WITH_MESSAGE); END; /
The UPDATE_FACTOR_TYPE
procedure updates a factor type.
DBMS_MACADM.UPDATE_FACTOR_TYPE( name IN VARCHAR2, description IN VARCHAR2);
Table 12-48 UPDATE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
|
Factor type name. To find existing factor types in the current database instance, query the |
|
Description of the purpose of the factor type, up to 1024 characters in mixed case. |
BEGIN DBMS_MACADM.UPDATE_FACTOR_TYPE( name => 'Sector2DBInstance', description => 'Checks DB instances used in Sector 2'); END; /
The UPDATE_IDENTITY
procedure updates the trust level of a factor identity.
DBMS_MACADM.UPDATE_IDENTITY( factor_name IN VARCHAR2, value IN VARCHAR2, trust_level IN NUMBER);
Table 12-49 UPDATE_IDENTITY Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, query the To find factors that have identities, query |
|
New factor identity, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12. |
|
Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security. |
BEGIN DBMS_MACADM.UPDATE_IDENTITY( factor_name => 'Sector2_ClientID', value => 'intranet', trust_level => 10); END; /
Table 12-50 lists procedures within the DBMS_MACADM
package that you can use to configure Oracle Database Vault secure application roles.
Chapter 8, "Configuring Secure Application Roles for Oracle Database Vault," describes secure application roles in detail. See also Chapter 14, "Using the DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the secure application role procedures.
Table 12-50 DBMS_MACADM Secure Application Role Configuration Procedures
Procedure | Description |
---|---|
Creates an Oracle Database Vault secure application role |
|
Deletes an Oracle Database Vault secure application role |
|
Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used. |
|
Updates a Oracle Database Vault secure application role |
The CREATE_ROLE
procedure creates an Oracle Database Vault secure application role.
DBMS_MACADM.CREATE_ROLE( role_name IN VARCHAR2, enabled IN VARCHAR2, rule_set_name IN VARCHAR2);
Table 12-51 CREATE_ROLE Parameters
Parameter | Description |
---|---|
|
Role name, up to 30 characters, with no spaces. Preferably, enter the role name in upper case letters, though you are not required to do so. To find existing secure application roles in the current database instance, query the |
|
You can also use the following
|
|
Name of rule set to determine whether a user can set this secure application role. To find existing rule sets in the current database instance, query the |
BEGIN DBMS_MACADM.CREATE_ROLE( role_name => 'Sector2_APP_MGR', enabled => DBMS_MACUTL.G_YES, rule_set_name => 'Check App2 Access'); END; /
The DELETE_ROLE
procedure deletes an Oracle Database Vault secure application role.
DBMS_MACADM.DELETE_ROLE( role_name IN VARCHAR2);
Table 12-52 DELETE_ROLE Parameter
Parameter | Description |
---|---|
|
Role name. To find existing secure application roles in the current database instance, query the |
EXEC DBMS_MACADM.DELETE_ROLE('SECT2_APP_MGR');
The RENAME_ROLE
procedure renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.
DBMS_MACADM.RENAME_ROLE( role_name IN VARCHAR2, new_role_name IN VARCHAR2);
Table 12-53 RENAME_ROLE Parameters
Parameter | Description |
---|---|
|
Current role name. Preferably, enter the role name in upper case letters, though you are not required to do so. To find existing secure application roles in the current database instance, query the |
|
Role name, up to 30 characters, in uppercase, with no spaces. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Language Reference. |
BEGIN DBMS_MACADM.RENAME_ROLE( role_name => 'SECT2_APP_MGR', new_role_name => 'SECT2_SYSADMIN'); END; /
The UPDATE_ROLE
procedure updates a Oracle Database Vault secure application role.
DBMS_MACADM.UPDATE_ROLE( role_name IN VARCHAR2, enabled IN VARCHAR2, rule_set_name IN VARCHAR2);
Table 12-54 UPDATE_ROLE Parameters
Parameter | Description |
---|---|
|
Role name. To find existing secure application roles in the current database instance, query the |
|
The default for |
|
Name of rule set to determine whether a user can set this secure application role. To find existing rule sets in the current database instance, query the |
BEGIN DBMS_MACADM.UPDATE_ROLE( role_name => 'SECT2_SYSADMIN', enabled => DBMS_MACUTL.G_YES, rule_set_name => 'System Access Controls'); END; /
Table 12-55 lists procedures within the DBMS_MACADM
package that you can use to configure Oracle Label Security policies for Oracle Database Vault.
Chapter 9, "Integrating Oracle Database Vault with Other Oracle Products," describes Oracle Label Security policies in detail. See also Chapter 14, "Using the DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the Oracle Label Security policy procedures.
Table 12-55 DBMS_MACADM Oracle Label Security Configuration Procedures
Procedure | Description |
---|---|
Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label |
|
Labels an identity within an Oracle Label Security policy |
|
Deletes all Oracle Database Vault objects related to an Oracle Label Security policy. |
|
Removes the factor from contributing to the Oracle Label Security label |
|
Removes the label from an identity within an Oracle Label Security policy |
|
Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label |
The CREATE_MAC_POLICY
procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
DBMS_MACADM.CREATE_MAC_POLICY( policy_name IN VARCHAR2, algorithm IN VARCHAR2);
Table 12-56 CREATE_MAC_POLICY Parameters
Parameter | Description |
---|---|
|
Name of an existing policy. To find existing policies in the current database instance, query the |
|
Merge algorithm for cases when Oracle Label Security has merged two labels. Enter the code listed in Table 12-57 that corresponds to the merge algorithm you want. For example, enter For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
Table 12-57 Oracle Label Security Merge Algorithm Codes
Code | Value |
---|---|
|
Maximum Level/Union/Union |
|
Maximum Level/Intersection/Union |
|
Maximum Level/Minus/Union |
|
Maximum Level/Null/Union |
|
Maximum Level/Union/Intersection |
|
Maximum Level/Intersection/Intersection |
|
Maximum Level/Minus/Intersection |
|
Maximum Level/Null/Intersection |
|
Maximum Level/Union/Minus |
|
Maximum Level/Intersection/Minus |
|
Maximum Level/Minus/Minus |
|
Maximum Level/Null/Minus |
|
Maximum Level/Union/Null |
|
Maximum Level/Intersection/Null |
|
Maximum Level/Minus/Null |
|
Maximum Level/Null/Null |
|
Minimum Level/Union/Union |
|
Minimum Level/Intersection/Union |
|
Minimum Level/Minus/Union |
|
Minimum Level/Null/Union |
|
Minimum Level/Union/Intersection |
|
Minimum Level/Intersection/Intersection |
|
Minimum Level/Minus/Intersection |
|
Minimum Level/Null/Intersection |
|
Minimum Level/Union/Minus |
|
Minimum Level/Intersection/Minus |
|
Minimum Level/Minus/Minus |
|
Minimum Level/Null/Minus |
|
Minimum Level/Union/Null |
|
Minimum Level/Intersection/Null |
|
Minimum Level/Minus/Null |
|
Minimum Level/Null/Null |
BEGIN DBMS_MACADM.CREATE_MAC_POLICY( policy_name => 'Access Locations', algorithm => 'HUU'); END; /
The CREATE_POLICY_LABEL
procedure labels an identity within an Oracle Label Security policy.
DBMS_MACADM.CREATE_POLICY_LABEL( identity_factor_name IN VARCHAR2, identity_factor_value IN VARCHAR2, policy_name IN VARCHAR2, label IN VARCHAR2);
Table 12-58 CREATE_POLICY_LABEL Parameters
Parameter | Description |
---|---|
|
Name of the factor being labeled. To find existing factors in the current database instance, query the To find factors that are associated with Oracle Label Security policies, use See also "Label Security Policy Factors" for more information. |
|
Value of identity for the factor being labeled. To find the identities of existing factors in the current database instance, query the |
|
Name of an existing policy. To find existing policies in the current database instance, query the |
|
Oracle Label Security label name. To find existing policy labels for factor identifiers, query the |
BEGIN DBMS_MACADM.CREATE_POLICY_LABEL( identity_factor_name => 'App_Host_Name', identity_factor_value => 'Sect2_Fin_Apps', policy_name => 'Access Locations', label => 'Sensitive'); END; /
The DELETE_MAC_POLICY_CASCADE
procedure deletes all Oracle Database Vault objects related to an Oracle Label Security policy.
DBMS_MACADM.DELETE_MAC_POLICY_CASCADE( policy_name IN VARCHAR2);
Table 12-59 DELETE_MAC_POLICY_CASCADE Parameter
Parameter | Description |
---|---|
|
Name of an existing policy. To find existing policies in the current database instance, query the |
EXEC DBMS_MACADM.DELETE_MAC_POLICY_CASCADE('Access Locations');
The DELETE_POLICY_FACTOR
procedure removes the factor from contributing to the Oracle Label Security label.
DBMS_MACADM.DELETE_POLICY_FACTOR( policy_name IN VARCHAR2, factor_name IN VARCHAR2);
Table 12-60 DELETE_POLICY_FACTOR Parameters
Parameter | Description |
---|---|
|
Name of an existing policy. To find existing policies in the current database instance, query the |
|
Name of factor associated with the Oracle Label Security label. To find factors that are associated with Oracle Label Security policies, query |
BEGIN DBMS_MACADM.DELETE_POLICY_FACTOR( policy_name => 'Access Locations', factor_name => 'App_Host_Name'); END; /
The DELETE_POLICY_LABEL
procedure removes the label from an identity within an Oracle Label Security policy.
DBMS_MACADM.DELETE_POLICY_LABEL( identity_factor_name IN VARCHAR2, identity_factor_value IN VARCHAR2, policy_name IN VARCHAR2, label IN VARCHAR2);
Table 12-61 DELETE_POLICY_LABEL Parameters
Parameter | Description |
---|---|
|
Name of the factor that was labeled. To find existing factors in the current database instance that are associated with Oracle Label Security policies, query See also "Label Security Policy Factors" for more information. |
|
Value of identity for the factor that was labeled. To find the identities of existing factors in the current database instance, query the |
|
Name of an existing policy. To find existing policies in the current database instance, query the |
|
Oracle Label Security label name. To find existing policy labels for factor identifiers, query the |
BEGIN DBMS_MACADM.DELETE_POLICY_LABEL( identity_factor_name => 'App_Host_Name', identity_factor_value => 'Sect2_Fin_Apps', policy_name => 'Access Locations', label => 'Sensitive'); END; /
The UPDATE_MAC_POLICY
procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
DBMS_MACADM.UPDATE_MAC_POLICY( policy_name IN VARCHAR2, algorithm IN VARCHAR2);
Parameter | Description |
---|---|
|
Name of an existing policy. To find existing policies in the current database instance, query the |
|
Merge algorithm for cases when Oracle Label Security has merged two labels. See Table 12-57 for listing of the available algorithms. For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
BEGIN DBMS_MACADM.UPDATE_MAC_POLICY( policy_name => 'Access Locations', algorithm => 'LUI'); END; /
Table 12-63 lists the procedures within the DBMS_MACADM
PL/SQL package that you can use to perform general maintenance activities that require the protection of the DV_OWNER
or DV_ADMIN
role.
Table 12-63 DBMS_MACADM Disable/Enable Procedures
Procedure | Description |
---|---|
Adds a new language to Oracle Database Vault |
|
Authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled |
|
Authorizes a user to schedule database jobs when Oracle Database Vault is enabled |
|
Revokes the authorization that was granted by the |
|
Revokes authorization that was granted by the |
The ADD_NLS_DATA
procedure adds a new language to Oracle Database Vault.
DBMS_MACADM.ADD_NLS_DATA( language IN VARCHAR );
Parameter | Description |
---|---|
|
Enter one of the following settings. (This parameter is case insensitive.)
|
EXEC DBMS_MACADM.ADD_NLS_DATA('french');
The AUTHORIZE_DATAPUMP_USER
procedure authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled. It applies to both the expdp
and impdp
utilities. See "Granting a Database Administrator Authorization to Use Oracle Data Pump" for full usage information, including the levels of additional authorization the user must have to use Oracle Data Pump in an Oracle Database Vault environment.
DBMS_MACADM.AUTHORIZE_DATAPUMP_USER( user_name IN VARCHAR2, schema_name IN VARCHAR2 DEFAULT NULL, table_name IN VARCHAR2 DEFAULT NULL);
Table 12-65 AUTHORIZE_DATAPUMP_USER
Parameter | Description |
---|---|
|
Name of the Oracle Data Pump user to whom you want to grant authorization. To find a list of users who have privileges to use Oracle Data Pump (that is, the SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE LIKE '%FULL%' |
|
Name of the database schema that the Oracle Data Pump user must export or import. If you omit this parameter, then the user is granted global authorization to export and import any schema in the database. In this case, ensure the user has been granted the |
|
Name of the table within the schema specified by the |
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR'); EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR'); EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES');
The AUTHORIZE_SCHEDULER_USER
procedure grants a user authorization to schedule database jobs when Oracle Database Vault is enabled. This authorization applies to anyone who has privileges to schedule database jobs. These privileges include any of the following: CREATE JOB
, CREATE ANY JOB
, CREATE EXTERNAL JOB
, EXECUTE ANY PROGRAM
, EXECUTE ANY CLASS
, MANAGE SCHEDULER
. See "Scheduling Database Jobs in an Oracle Database Vault Environment" full usage information, including the levels of authorization the user must have to schedule database jobs in an Oracle Database Vault environment.
DBMS_MACADM.AUTHORIZE_SCHEDULER_USER( user_name IN VARCHAR2, schema_name IN VARCHAR2 DEFAULT NULL);
Table 12-66 AUTHORIZE_SCHEDULER_USER
Parameter | Description |
---|---|
|
Name of the user to whom you want to grant authorization. To find a list of users who have privileges to schedule jobs, query the |
|
Name of the database schema for which a job will be scheduled. If you omit this parameter, then the user is granted global authorization to schedule a job for any schema in the database. |
The following example authorizes the user JOB_MGR
to run a job under any schema.
EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');
This example authorizes user JOB_MGR
to run a job under the HR
schema only.
EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');
The UNAUTHORIZE_DATAPUMP_USER
procedure revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER
procedure. When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_DATAPUMP_USER
procedure.
For example, the following two procedures will work because the parameters are consistent:
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR'); EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR');
However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_DATAPUMP_USER
procedure will not work:
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('JSMITH'); EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');
DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER( user_name IN VARCHAR2, schema_name IN VARCHAR2 DEFAULT NULL, table_name IN VARCHAR2 DEFAULT NULL);
Table 12-67 UNAUTHORIZE_DATAPUMP_USER
Parameter | Description |
---|---|
|
Name of the Oracle Data Pump user from whom you want to revoke authorization. To find a list of users and authorizations from the SELECT RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET WHERE RULE_SET_NAME = 'Allow Oracle Data Pump Operation'; |
|
Name of the database schema that the Oracle Data Pump user is authorized to export or import. |
|
Name of the table within the schema specified by the |
EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH'); EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR'); EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR', 'SALARY');
The UNAUTHORIZE_SCHEDULER_USER
procedure revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER
procedure. When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_SCHEDULER_USER
procedure.
For example, the following two procedures will work because the parameters are consistent:
EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR'); EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');
However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_SCHEDULER_USER
procedure will not work:
EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR'); EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');
DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER user_name IN VARCHAR2, schema_name IN VARCHAR2 DEFAULT NULL);
Table 12-68 UNAUTHORIZE_SCHEDULER_USER
Parameter | Description |
---|---|
|
Name of the job scheduling user from whom you want to revoke authorization. To find a list of users and authorizations from the SELECT RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET WHERE RULE_SET_NAME = 'Allow Scheduler Job'; |
|
Name of the database schema for which the user is authorized to schedule jobs. |
EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR'); EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');