Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Database Vault?
New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.4)
New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.3)
Changed Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.2)
New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.2)
New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.1)
1 Introducing Oracle Database Vault
What Is Oracle Database Vault?
Components of Oracle Database Vault
Oracle Database Vault Access Control Components
Oracle Database Vault Administrator
Oracle Database Vault DVSYS and DVF Schemas
Oracle Database Vault PL/SQL Interfaces and Packages
Oracle Database Vault and Oracle Label Security PL/SQL APIs
Oracle Database Vault Reporting and Monitoring Tools
How Oracle Database Vault Addresses Compliance Regulations
How Oracle Database Vault Addresses Insider Threats
How Oracle Database Vault Allows for Flexible Security Policies
How Oracle Database Vault Addresses Database Consolidation Concerns
2 What to Expect After You Install Oracle Database Vault
Initialization and Password Parameter Settings That Change
How Oracle Database Vault Restricts User Authorizations
New Database Roles to Enforce Separation of Duties
Privileges That Are Revoked from Existing Users and Roles
Privileges That Are Prevented for Existing Users and Roles
How Oracle Database Vault Affects Oracle Database Auditing
AUD$ Table Moved from SYS to the SYSTEM Schema
Modified AUDIT Statement Settings
3 Getting Started with Oracle Database Vault
Registering (Enabling) Oracle Database Vault
Starting Oracle Database Vault
Accessing the Oracle Database Vault Pages and DVA from Oracle Enterprise Manager
Accessing Oracle Database Vault Pages from Database Control
Accessing Oracle Database Vault Pages from Grid Control
Accessing Database Vault Administrator from Database Control
Starting Oracle Database Vault Administrator
Quick Start Tutorial: Securing a Schema from DBA Access
About This Tutorial
Step 1: Adding the SYSTEM User to the Data Dictionary Realm
Step 2: Log On as SYSTEM to Access the HR Schema
Step 3: Create a Realm
Step 4: Secure the EMPLOYEES Table in the HR Schema
Step 5: Create an Authorization for the Realm
Step 6: Test the Realm
Step 7: Run a Report
Step 8: Remove the Components for This Tutorial
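The realm steps of this tutorial (Steps 3 through 6 and Step 8), as an added example written for this page rather than taken from the Oracle manual: it drives the DBMS_MACADM package documented in chapter 12 instead of Database Vault Administrator, assumes an 11.2 database with Database Vault enabled and the HR sample schema installed, and is run by a user holding DV_OWNER or DV_ADMIN. The realm name 'HR Apps' and the named-parameter signatures are assumptions to verify against chapter 12 before use.

```sql
-- Added example (not from the Oracle manual): the Quick Start realm steps
-- done through DBMS_MACADM rather than the DVA GUI.
-- Assumptions: Oracle Database 11.2 with Database Vault enabled, the HR
-- sample schema present, and a session owned by a DV_OWNER or DV_ADMIN user.
-- Parameter names are taken from the 11.2 DBMS_MACADM signatures; confirm
-- them against chapter 12.

-- Step 3: create the realm. G_REALM_AUDIT_FAIL records only blocked attempts,
-- which is what the Realm Audit Report in Step 7 is meant to surface.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Apps',
    description   => 'Protects HR.EMPLOYEES from direct DBA access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

-- Step 4: place the table inside the realm. From this point a user whose
-- only path to the table is a system privilege such as SELECT ANY TABLE
-- (SYSTEM included) gets ORA-01031 until an authorization exists.
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Apps',
    object_owner => 'HR',
    object_name  => 'EMPLOYEES',
    object_type  => 'TABLE');
END;
/

-- Step 5: authorize the schema owner as a realm participant. A participant
-- may exercise its own privileges on realm objects; G_REALM_AUTH_OWNER would
-- additionally allow granting and revoking realm-secured roles and privileges,
-- which HR does not need here (least privilege).
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Apps',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Step 6: check the configuration through the DVSYS data dictionary views
-- (chapter 16) instead of trusting what the GUI displays.
SELECT r.realm_name, o.owner, o.object_name, o.object_type
  FROM DVSYS.DBA_DV_REALM r
  JOIN DVSYS.DBA_DV_REALM_OBJECT o ON o.realm_name = r.realm_name
 WHERE r.realm_name = 'HR Apps';

SELECT grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'HR Apps';

-- Functional test, from two separate sessions:
--   as SYSTEM:  SELECT COUNT(*) FROM HR.EMPLOYEES;   -- expect ORA-01031
--   as HR:      SELECT COUNT(*) FROM HR.EMPLOYEES;   -- succeeds

-- Step 8: remove the realm together with its objects and authorizations.
BEGIN
  DBMS_MACADM.DELETE_REALM_CASCADE(realm_name => 'HR Apps');
END;
/
```

The two SELECTs against the DVSYS views are the check a practitioner should keep: a realm that exists but has no realm-secured object, or an authorization granted as owner when participant was intended, is exactly what the Realm Authorization Configuration Issues Report in chapter 18 is designed to catch.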
4 Configuring Realms
What Are Realms?
Default Realms
Creating a Realm
Editing a Realm
Creating Realm-Secured Objects
Defining Realm Authorization
Disabling and Enabling a Realm
Deleting a Realm
How Realms Work
How Authorizations Work in a Realm
Enabling Access to Objects That Are Protected by a Realm
Example of How Realms Work
How Realms Affect Other Oracle Database Vault Components
Guidelines for Designing Realms
How Realms Affect Performance
Related Reports and Data Dictionary Views
5 Configuring Rule Sets
What Are Rule Sets?
Default Rule Sets
Creating a Rule Set
Configuring or Editing a Rule Set
Creating a Rule to Add to a Rule Set
Creating a New Rule
Adding Existing Rules to a Rule Set
Deleting a Rule Set
How Rule Sets Work
How Oracle Database Vault Evaluates Rules
Nesting Rules Within a Rule Set
Creating Rules to Apply to Everyone Except One User
Tutorial: Creating an Email Alert for Security Violations
About This Tutorial
Step 1: Install and Configure the UTL_MAIL PL/SQL Package
Step 2: Create an Email Security Alert PL/SQL Procedure
Step 3: Configure an Access Control List File for Network Services
Step 4: Create a Rule Set and a Command Rule to Use the Email Security Alert
Step 5: Test the Email Security Alert
Step 6: Remove the Components for This Tutorial
Tutorial: Configuring Two-Person Integrity, or Dual Key Security
About This Tutorial
Step 1: Create Users for This Tutorial
Step 2: Create a Function to Check if User patch_boss Is Logged In
Step 3: Create Rules, a Rule Set, and a Command Rule to Control the Users' Access
Step 4: Test the Users' Access
Step 5: Remove the Components for This Tutorial
Guidelines for Designing Rule Sets
How Rule Sets Affect Performance
Related Reports and Data Dictionary Views
6 Configuring Command Rules
What Are Command Rules?
Default Command Rules
SQL Statements That Can Be Protected by Command Rules
Creating and Editing a Command Rule
Deleting a Command Rule
How Command Rules Work
Tutorial: Using a Command Rule to Control Table Creations by a User
About This Tutorial
Step 1: Connect as User SCOTT and Create a Table
Step 2: Connect Using the DV_OWNER or DV_ADMIN Role and Create a Command Rule
Step 3: Test the Command Rule
Step 4: Remove the Components for this Tutorial
Guidelines for Designing Command Rules
How Command Rules Affect Performance
Related Reports and Data Dictionary View
7 Configuring Factors
What Are Factors?
Default Factors
Creating a Factor
Editing a Factor
Adding an Identity to a Factor
About Factor Identities
Creating and Configuring a Factor Identity
Using Identity Mapping to Configure an Identity to Use Other Factors
Deleting a Factor
How Factors Work
How Factors Are Processed When a Session Is Established
How Factors Are Retrieved
How Factors Are Set
Tutorial: Preventing Ad Hoc Tool Access to the Database
About This Tutorial
Step 1: Enable the SCOTT User Account
Step 2: Create the Module Factor
Step 3: Create the Limit SQL*Plus Access Rule and Rule Set
Step 4: Create the CONNECT Command Rule
Step 5: Test the Ad Hoc Tool Access Restriction
Step 6: Remove the Components for This Tutorial
Tutorial: Restricting User Activities Based on Session Data
About This Tutorial
Step 1: Create an Administrative User
Step 2: Add Identities to the Domain Factor
Step 3: Map the Domain Factor Identities to the Client_IP Factor
Step 4: Create a Rule Set to Set the Hours and Select the Factor Identity
Step 5: Create a Command Rule That Uses the Rule Set
Step 6: Test the Factor Identity Settings
Step 7: Remove the Components for This Tutorial
Guidelines for Designing Factors
How Factors Affect Performance
Related Reports and Data Dictionary Views
8 Configuring Secure Application Roles for Oracle Database Vault
What Are Secure Application Roles in Oracle Database Vault?
Creating and Editing Secure Application Roles
Securing a Secure Application Role
Deleting a Secure Application Role
How Secure Application Roles Work
Tutorial: Granting Access with Database Vault Secure Application Roles
About This Tutorial
Step 1: Create Users for This Tutorial
Step 2: Enable the OE User Account
Step 3: Create the Rule Set and Its Rules
Step 4: Create the Database Vault Secure Application Role
Step 5: Grant the SELECT Privilege to the Secure Application Role
Step 6: Test the Database Vault Secure Application Role
Step 7: Remove the Components for This Tutorial
How Secure Application Roles Affect Performance
Related Reports and Data Dictionary View
9 Integrating Oracle Database Vault with Other Oracle Products
Integrating Oracle Database Vault with Enterprise User Security
Integrating Oracle Database Vault with Transparent Data Encryption
Attaching Factors to an Oracle Virtual Private Database
Integrating Oracle Database Vault with Oracle Label Security
How Oracle Database Vault Is Integrated with Oracle Label Security
Requirements for Using Oracle Database Vault with Oracle Label Security
Using Oracle Database Vault Factors with Oracle Label Security Policies
Tutorial: Integrating Oracle Database Vault with Oracle Label Security
About This Tutorial
Step 1: Create Users for This Tutorial
Step 2: Create the Oracle Label Security Policy
Step 3: Create Oracle Database Vault Rules to Control the OLS Authorization
Step 4: Update the ALTER SYSTEM Command Rule to Use the Rule Set
Step 5: Test the Authorizations
Step 6: Remove the Components for This Tutorial
Related Reports and Data Dictionary Views
10 DBA Operations in an Oracle Database Vault Environment
Using Oracle Database Vault with Oracle Enterprise Manager
Setting the Database Vault Administrator URL in Oracle Enterprise Manager
Propagating Oracle Database Vault Policies to Other Databases
Using Enterprise Manager Grid Control Alerts for Oracle Database Vault Policies
Using Oracle Database Vault-Specific Reports in Enterprise Manager Grid Control
Changing the DBSNMP Account Password in an Oracle Database Vault Environment
Using Oracle Data Pump in an Oracle Database Vault Environment
About Using Oracle Data Pump in an Oracle Database Vault Environment
Granting a Database Administrator Authorization to Use Oracle Data Pump
Guidelines for Exporting or Importing Data in an Oracle Database Vault Environment
Revoking Authorization from Database Administrators Who Are Using Data Pump
Scheduling Database Jobs in an Oracle Database Vault Environment
About Scheduling Database Jobs in an Oracle Database Vault Environment
Granting a Job Scheduling Administrator Authorization for Oracle Database Vault
Revoking Authorization from Job Scheduling Administrators
Using Oracle Database Vault with Oracle Recovery Manager
Using Oracle Streams in an Oracle Database Vault Environment
Using XStream in an Oracle Database Vault Environment
Using Oracle GoldenGate in an Oracle Database Vault Environment
Using Data Masking in an Oracle Database Vault Environment
About Data Masking in an Oracle Database Vault Enabled Database
Adding Data Masking Users to the Data Dictionary Realm Authorizations
Giving Users Access to Tables or Schemas That They Want to Mask
Creating a Command Rule to Enable Data Masking Privileges
11 Oracle Database Vault Objects
Oracle Database Vault Schemas
DVSYS Schema
DVF Schema
Oracle Database Vault Roles
About Oracle Database Vault Roles
DV_OWNER Database Vault Owner Role
DV_ADMIN Database Vault Configuration Administrator Role
DV_MONITOR Database Vault Monitoring Role
DV_SECANALYST Database Vault Security Analyst Role
DV_AUDIT_CLEANUP Audit Trail Cleanup Role
DV_STREAMS_ADMIN Oracle Streams Configuration Role
DV_XSTREAM_ADMIN XStream Administrative Role
DV_GOLDENGATE_ADMIN Oracle GoldenGate Administrative Role
DV_GOLDENGATE_REDO_ACCESS Oracle GoldenGate Redo Log Access Role
DV_PATCH_ADMIN Database Vault Database Patch Role
DV_ACCTMGR Database Vault Account Manager Role
DV_REALM_OWNER Database Vault Realm DBA Role
DV_REALM_RESOURCE Database Vault Application Resource Owner Role
DV_PUBLIC Database Vault PUBLIC Role
Oracle Database Vault Accounts
12 Using the DBMS_MACADM Package
About the DBMS_MACADM Package
Realm Procedures Within DBMS_MACADM
ADD_AUTH_TO_REALM Procedure
ADD_OBJECT_TO_REALM Procedure
CREATE_REALM Procedure
DELETE_AUTH_FROM_REALM Procedure
DELETE_OBJECT_FROM_REALM Procedure
DELETE_REALM Procedure
DELETE_REALM_CASCADE Procedure
RENAME_REALM Procedure
UPDATE_REALM Procedure
UPDATE_REALM_AUTH Procedure
Rule Set Procedures Within DBMS_MACADM
ADD_RULE_TO_RULE_SET Procedure
CREATE_RULE Procedure
CREATE_RULE_SET Procedure
DELETE_RULE Procedure
DELETE_RULE_FROM_RULE_SET Procedure
DELETE_RULE_SET Procedure
RENAME_RULE Procedure
RENAME_RULE_SET Procedure
SYNC_RULES Procedure
UPDATE_RULE Procedure
UPDATE_RULE_SET Procedure
Command Rule Procedures Within DBMS_MACADM
CREATE_COMMAND_RULE Procedure
DELETE_COMMAND_RULE Procedure
UPDATE_COMMAND_RULE Procedure
Factor Procedures and Functions Within DBMS_MACADM
ADD_FACTOR_LINK Procedure
ADD_POLICY_FACTOR Procedure
CHANGE_IDENTITY_FACTOR Procedure
CHANGE_IDENTITY_VALUE Procedure
CREATE_DOMAIN_IDENTITY Procedure
CREATE_FACTOR Procedure
CREATE_FACTOR_TYPE Procedure
CREATE_IDENTITY Procedure
CREATE_IDENTITY_MAP Procedure
DELETE_FACTOR Procedure
DELETE_FACTOR_LINK Procedure
DELETE_FACTOR_TYPE Procedure
DELETE_IDENTITY Procedure
DELETE_IDENTITY_MAP Procedure
DROP_DOMAIN_IDENTITY Procedure
GET_INSTANCE_INFO Function
GET_SESSION_INFO Function
RENAME_FACTOR Procedure
RENAME_FACTOR_TYPE Procedure
UPDATE_FACTOR Procedure
UPDATE_FACTOR_TYPE Procedure
UPDATE_IDENTITY Procedure
Secure Application Role Procedures Within DBMS_MACADM
CREATE_ROLE Procedure
DELETE_ROLE Procedure
RENAME_ROLE Procedure
UPDATE_ROLE Procedure
Oracle Label Security Policy Procedures Within DBMS_MACADM
CREATE_MAC_POLICY Procedure
CREATE_POLICY_LABEL Procedure
DELETE_MAC_POLICY_CASCADE Procedure
DELETE_POLICY_FACTOR Procedure
DELETE_POLICY_LABEL Procedure
UPDATE_MAC_POLICY Procedure
General System Maintenance Procedures Within DBMS_MACADM
ADD_NLS_DATA Procedure
AUTHORIZE_DATAPUMP_USER Procedure
AUTHORIZE_SCHEDULER_USER Procedure
UNAUTHORIZE_DATAPUMP_USER Procedure
UNAUTHORIZE_SCHEDULER_USER Procedure
13 Using the DBMS_MACSEC_ROLES Package
About the DBMS_MACSEC_ROLES Package
CAN_SET_ROLE Function
SET_ROLE Procedure
14 Using the DBMS_MACUTL Package
About the DBMS_MACUTL Package
DBMS_MACUTL Constants
DBMS_MACUTL Listing of Constants
Examples of Using the DBMS_MACUTL Constants
Procedures and Functions Within the DBMS_MACUTL Package
CHECK_DVSYS_DML_ALLOWED Procedure
GET_CODE_VALUE Function
GET_SECOND Function
GET_MINUTE Function
GET_HOUR Function
GET_DAY Function
GET_MONTH Function
GET_YEAR Function
IS_ALPHA Function
IS_DIGIT Function
IS_DVSYS_OWNER Function
IS_OLS_INSTALLED Function
IS_OLS_INSTALLED_VARCHAR Function
USER_HAS_ROLE Function
USER_HAS_ROLE_VARCHAR Function
USER_HAS_SYSTEM_PRIVILEGE Function
15 Using the Oracle Database Vault PL/SQL Interfaces
Oracle Database Vault Run-Time PL/SQL Procedures and Functions
SET_FACTOR Procedure
GET_FACTOR Function
GET_TRUST_LEVEL Function
GET_TRUST_LEVEL_FOR_IDENTITY Function
ROLE_IS_ENABLED Function
GET_FACTOR_LABEL Function
Oracle Database Vault PL/SQL Factor Functions
F$AUTHENTICATION_METHOD Function
F$CLIENT_IP Function
F$DATABASE_DOMAIN Function
F$DATABASE_HOSTNAME Function
F$DATABASE_INSTANCE Function
F$DATABASE_IP Function
F$DATABASE_NAME Function
F$DOMAIN Function
F$ENTERPRISE_IDENTITY Function
F$IDENTIFICATION_TYPE Function
F$LANG Function
F$LANGUAGE Function
F$MACHINE Function
F$NETWORK_PROTOCOL Function
F$PROXY_ENTERPRISE_IDENTITY Function
F$SESSION_USER Function
Oracle Database Vault PL/SQL Rule Functions
DV_SYSEVENT Function
DV_LOGIN_USER Function
DV_INSTANCE_NUM Function
DV_DATABASE_NAME Function
DV_DICT_OBJ_TYPE Function
DV_DICT_OBJ_OWNER Function
DV_DICT_OBJ_NAME Function
DV_SQL_TEXT Function
Oracle Database Vault PL/SQL Packages
16 Oracle Database Vault Data Dictionary Views
About the Oracle Database Vault Data Dictionary Views
DVSYS.DBA_DV_CODE View
DVSYS.DBA_DV_COMMAND_RULE View
DVSYS.DBA_DV_DATAPUMP_AUTH View
DVSYS.DBA_DV_FACTOR View
DVSYS.DBA_DV_FACTOR_LINK View
DVSYS.DBA_DV_FACTOR_TYPE View
DVSYS.DBA_DV_IDENTITY View
DVSYS.DBA_DV_IDENTITY_MAP View
DVSYS.DBA_DV_MAC_POLICY View
DVSYS.DBA_DV_MAC_POLICY_FACTOR View
DVSYS.DBA_DV_POLICY_LABEL View
DVSYS.DBA_DV_PUB_PRIVS View
DVSYS.DBA_DV_REALM View
DVSYS.DBA_DV_REALM_AUTH View
DVSYS.DBA_DV_REALM_OBJECT View
DVSYS.DBA_DV_ROLE View
DVSYS.DBA_DV_RULE View
DVSYS.DBA_DV_RULE_SET View
DVSYS.DBA_DV_RULE_SET_RULE View
DVSYS.DBA_DV_USER_PRIVS View
DVSYS.DBA_DV_USER_PRIVS_ALL View
17 Monitoring Oracle Database Vault
Security Violation Attempts
Database Configuration and Structural Changes
Security Policy Changes by Category
About Monitoring Security Policy Changes by Category
Procedure for Monitoring Security Policy Changes by Category
Security Policy Changes Detail
18 Oracle Database Vault Reports
Categories of Oracle Database Vault Reports
Who Can Run the Oracle Database Vault Reports?
How to Run Oracle Database Vault Reports
Generating Oracle Database Vault Reports
Oracle Database Vault Configuration Issues Reports
Command Rule Configuration Issues Report
Factor Configuration Issues Report
Factor Without Identities Report
Identity Configuration Issues Report
Realm Authorization Configuration Issues Report
Rule Set Configuration Issues Report
Secure Application Configuration Issues Report
Oracle Database Vault Auditing Reports
Realm Audit Report
Command Rule Audit Report
Factor Audit Report
Label Security Integration Audit Report
Core Database Vault Audit Trail Report
Secure Application Role Audit Report
Generating General Security Reports
Object Privilege Reports
Object Access By PUBLIC Report
Object Access Not By PUBLIC Report
Direct Object Privileges Report
Object Dependencies Report
Database Account System Privileges Reports
Direct System Privileges By Database Account Report
Direct and Indirect System Privileges By Database Account Report
Hierarchical System Privileges by Database Account Report
ANY System Privileges for Database Accounts Report
System Privileges By Privilege Report
Sensitive Objects Reports
Execute Privileges to Strong SYS Packages Report
Access to Sensitive Objects Report
Public Execute Privilege To SYS PL/SQL Procedures Report
Accounts with SYSDBA/SYSOPER Privilege Report
Privilege Management - Summary Reports
Privileges Distribution By Grantee Report
Privileges Distribution By Grantee, Owner Report
Privileges Distribution By Grantee, Owner, Privilege Report
Powerful Database Accounts and Roles Reports
WITH ADMIN Privilege Grants Report
Accounts With DBA Roles Report
Security Policy Exemption Report
BECOME USER Report
ALTER SYSTEM or ALTER SESSION Report
Password History Access Report
WITH GRANT Privileges Report
Roles/Accounts That Have a Given Role Report
Database Accounts With Catalog Roles Report
AUDIT Privileges Report
OS Security Vulnerability Privileges Report
Initialization Parameters and Profiles Reports
Security Related Database Parameters Report
Resource Profiles Report
System Resource Limits Report
Database Account Password Reports
Database Account Default Password Report
Database Account Status Report
Security Audit Report: Core Database Audit Report
Other Security Vulnerability Reports
Java Policy Grants Report
OS Directory Objects Report
Objects Dependent on Dynamic SQL Report
Unwrapped PL/SQL Package Bodies Report
Username/Password Tables Report
Tablespace Quotas Report
Non-Owner Object Trigger Report
A Auditing Oracle Database Vault
Oracle Database Vault Specific Audit Events
Oracle Database Vault Audit Events
Format of the Oracle Database Vault Audit Trail
Archiving and Purging the Oracle Database Vault Audit Trail
Oracle Database Audit Settings Created for Oracle Database Vault
B Disabling and Enabling Oracle Database Vault
When You Must Disable Oracle Database Vault
Checking if Oracle Database Vault Is Enabled or Disabled
Step 1: Disable Oracle Database Vault
Step 2: Perform the Required Tasks
Step 3: Enable Oracle Database Vault
C Postinstallation Oracle Database Vault Procedures
Checking the Locale and NLS Settings
Manually Deploying Oracle Database Vault Administrator
Deploying Database Vault Administrator to a Standalone OC4J Container
Deploying Database Vault Administrator to the Database Console OC4J Container
Setting the Time-Out Value for Oracle Database Vault Administrator
Enabling Oracle Database Vault Administrator Accessibility
Enabling Oracle Database Vault Administrator Accessibility Mode
Providing Textual Descriptions of Database Vault Administrator Charts
Configuring Oracle Database Vault on Oracle RAC Nodes
Adding Languages to Oracle Database Vault
Deinstalling Oracle Database Vault
Reinstalling Oracle Database Vault
D Oracle Database Vault Security Guidelines
Separation of Duty Guidelines
How Oracle Database Vault Handles Separation of Duty
Defining Separate Tasks in an Oracle Database Vault Environment
Creating a Separation of Duty Matrix
Identifying and Documenting the Tasks of Users Who Access the Database System
Managing Oracle Database Administrative Accounts
Using the SYSTEM User Account for General Administrative Uses
Using the SYSTEM Schema for Application Tables
Limiting the SYSDBA Administrative Privilege
Managing Root and Operating System Access
Accounts and Roles Trusted by Oracle Database Vault
Accounts and Roles That Should be Limited to Trusted Individuals
Managing Users with Root Access to the Operating System
Managing the Oracle Software Owner
Managing SYSDBA Access
Managing SYSOPER Access
Guidelines for Using Oracle Database Vault in a Production Environment
Secure Configuration Guidelines
Security Considerations for the UTL_FILE and DBMS_FILE_TRANSFER Packages
Security Considerations for the Recycle Bin
Security Considerations for the CREATE ANY JOB Privilege
Security Considerations for the CREATE EXTERNAL JOB Privilege
Security Considerations for the LogMiner Packages
Security Considerations for the ALTER SYSTEM and ALTER SESSION Privileges
E Troubleshooting Oracle Database Vault
Using Trace Files to Diagnose Events in the Database
About Using Trace Files to Diagnose Oracle Database Vault Events
Types of Oracle Database Vault Trace Events That You Can and Cannot Track
Levels of Oracle Database Vault Trace Events
Performance Effect of Enabling Oracle Database Vault Trace Files
Enabling Oracle Database Vault Trace Events
Enabling Trace Events for the Current Database Session
Enabling Trace Events for All Database Sessions
Finding Oracle Database Vault Trace File Data
Finding the Database Vault Trace File Directory Location
Using the Linux grep Command to Search Trace Files for Strings
Using the ADR Command Interpreter (ADRCI) Utility to Query Trace Files
Examples of Oracle Database Vault Trace Files
Disabling Oracle Database Vault Trace Events
Disabling Trace Events for the Current Database Session
Disabling Trace Events for All Database Sessions
General Diagnostic Tips
Configuration Problems with Oracle Database Vault Components
Index