This section describes new features in Oracle Database Vault for this release of Oracle Database.
This section contains:
New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.4)
New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.3)
Changed Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.2)
New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.2)
New Oracle Database Vault Features in Oracle Database 11g Release 2 (11.2.0.1)
Available in Oracle Database 11g Release 2 (11.2.0.3) but not documented is the expanded ability to use trace files to diagnose Oracle Database Vault events. The trace files help you to perform the following activities:
Track the success and failures of Database Vault events
Diagnose bugs and other issues that may arise
See "Using Trace Files to Diagnose Events in the Database" for more information.
For better separation of duty, this release introduces the DV_AUDIT_CLEANUP role, which can be granted to any user who is responsible for cleaning the Database Vault audit trail. This role does not apply to unified auditing environments.
See "DV_AUDIT_CLEANUP Audit Trail Cleanup Role" for more information.
This section contains:
New Role to Support the XStream in an Oracle Database Vault Environment
New Roles to Support Oracle GoldenGate in an Oracle Database Vault Environment
Users who want to use XStream in an Oracle Database Vault environment must now be granted the DV_XSTREAM_ADMIN role.
See "DV_XSTREAM_ADMIN XStream Administrative Role" for more information.
Users who want to use Oracle GoldenGate in an Oracle Database Vault environment must be granted one of the following roles, depending on how they plan to use Oracle GoldenGate:
DV_GOLDENGATE_ADMIN role if they want to configure Oracle GoldenGate
DV_GOLDENGATE_REDO_ACCESS role if they want to use the GoldenGate TRANLOGOPTIONS DBLOGREADER method to access redo logs
See the following sections for more information:
Database Vault Configuration Assistant (DVCA) has been deprecated starting with this release. The functionality for DVCA to add languages to Database Vault has been replaced with the DBMS_MACADM.ADD_NLS_DATA procedure.
See "Adding Languages to Oracle Database Vault" for more information.
Starting with this release, the Oracle Data Pump EXP and IMP utilities cannot be used in an Oracle Database Vault environment.
See "Using Oracle Data Pump in an Oracle Database Vault Environment" for more information about using Oracle Data Pump with Oracle Database Vault.
Default settings for some of the values for the following DBMS_MACADM PL/SQL package procedures are now based on their previous settings:
DBMS_MACADM.UPDATE_REALM
DBMS_MACADM.UPDATE_REALM_AUTH
DBMS_MACADM.UPDATE_RULE_SET
DBMS_MACADM.UPDATE_COMMAND_RULE
DBMS_MACADM.UPDATE_FACTOR
DBMS_MACADM.UPDATE_ROLE
For example, suppose you created or updated a realm to have realm checking enabled. When you use the DBMS_MACADM.UPDATE_REALM procedure to modify the realm, the enabled parameter default is set to enable realm checking.
For more information, see Chapter 12, "Using the DBMS_MACADM Package."
You now can perform a set of Oracle Database Vault functions from both Oracle Database Enterprise Manager Database Control Release 11.2 and Grid Control Release 10.2.0.5. This integration also applies to Releases 9.2.0.8, 10.2.0.4, and 11.1.0.7 of Oracle Database Vault.
From Database Control, you now can perform the following tasks:
Monitor the Database Vault-enabled database
Access Oracle Database Vault reports
From Grid Control, you can perform these tasks:
Propagate Oracle Database Vault security policies across multiple database servers to help ensure consistent policies across the enterprise
Administer and monitor all Oracle Database Vault-protected servers from a single centralized management console
Automate alerts when unauthorized attempts are made to access Oracle Database Vault-protected databases
Access Oracle Database Vault reports
See the following sections for more information:
Oracle Data Pump users now can export and import data in an Oracle Database Vault environment.
See "Using Oracle Data Pump in an Oracle Database Vault Environment" for more information.
Users who are responsible for scheduling database jobs now can do so in an Oracle Database Vault environment.
See "Scheduling Database Jobs in an Oracle Database Vault Environment" for more information.
Oracle Database Vault includes the following new roles:
DV_MONITOR
DV_STREAMS_ADMIN
DV_PATCH_ADMIN
See the following sections for more information:
Oracle Database Vault now provides the following additional rule sets:
Allow Fine Grained Control of System Parameters
Allow Oracle Data Pump Operation
Allow Scheduler Job
See "Default Rule Sets" for more information.
You are no longer restricted to negative numbers when you specify a fail code for the creation of a rule set. You can enter a number in the range of -20999 to -20000 or 20000 to 20999.
See "Error Handling Options" for more information.
The DBMS_MACADM and DBMS_MACSEC_ROLES PL/SQL packages have changed as follows:
The DBMS_MACADM.CREATE_RULE_SET and UPDATE_RULE_SET procedures have a new parameter, is_static. The is_static parameter determines how often a rule set is evaluated when a SQL statement accesses it. See "CREATE_RULE_SET Procedure" and "UPDATE_RULE_SET Procedure" for more information.
The DBMS_MACADM package has the following new procedures:
AUTHORIZE_DATAPUMP_USER authorizes an Oracle Data Pump user to perform Oracle Data Pump operations when Oracle Database Vault is enabled. See "AUTHORIZE_DATAPUMP_USER Procedure" for more information.
UNAUTHORIZE_DATAPUMP_USER revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER procedure. See "UNAUTHORIZE_DATAPUMP_USER Procedure" for more information.
AUTHORIZE_SCHEDULER_USER grants a user authorization to schedule database jobs when Oracle Database Vault is enabled. See "AUTHORIZE_SCHEDULER_USER Procedure" for more information.
UNAUTHORIZE_SCHEDULER_USER revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER procedure. See "UNAUTHORIZE_SCHEDULER_USER Procedure" for more information.
The DBMS_MACSEC_ROLES.SET_ROLE procedure has been enhanced. You now can specify multiple roles with the p_role parameter. See "SET_ROLE Procedure" for more information.
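The following added example (not part of the original Oracle text) shows the four new authorization procedures used with least-privilege scoping, followed by a review query and the matching revocation. The names DP_MGR, JOB_MGR, HR and EMPLOYEES are hypothetical; the positional argument order (user, schema, table) and the assumption that each authorization is recorded as a rule in the default rule sets named on this page should be checked against the procedure reference for your release.

```sql
-- Added example. DP_MGR, JOB_MGR, HR and EMPLOYEES are hypothetical names.
-- Assumption: run as a user who holds the DV_OWNER or DV_ADMIN role.

-- Scope the Data Pump authorization to a single table instead of
-- authorizing the user for the whole database.
BEGIN
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES');
END;
/

-- Allow JOB_MGR to schedule database jobs only in the HR schema.
BEGIN
  DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');
END;
/

-- Review what has been authorized. Assumption: each authorization shows up
-- as a rule in the corresponding default rule set.
SELECT rule_set_name, rule_name, rule_expr
  FROM dvsys.dba_dv_rule_set_rule
 WHERE rule_set_name IN ('Allow Oracle Data Pump Operation',
                         'Allow Scheduler Job')
 ORDER BY rule_set_name, rule_name;

-- Revoke with the same arguments that were used for the grant, so that
-- no narrower or broader authorization is left behind.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES');
  DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');
END;
/
```

Running the review query again after the revocation confirms that no rule for either user remains in the two rule sets.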
Database Vault Configuration Assistant (DVCA) has the following changes:
Addition of the dbuniquename parameter. The dbuniquename parameter enables you to specify a globally unique name for an Oracle database. See "Adding Languages to Oracle Database Vault" for more information.
Removal of the optionrac parameter. The optionrac parameter was used for configuring Oracle Database Vault on Oracle Real Application Clusters (Oracle RAC) nodes. The new procedure for configuring Oracle Database Vault on Oracle RAC nodes is simpler. See "Configuring Oracle Database Vault on Oracle RAC Nodes" for more information.
You now can use Oracle Recovery Manager (RMAN) in an Oracle Database Vault environment.
See "Using Oracle Database Vault with Oracle Recovery Manager".
In previous releases of Oracle Database Vault, the SYS user was prevented from granting or revoking the EXECUTE privilege on the DBMS_RLS PL/SQL package to other users. Starting with this release, user SYS can resume granting and revoking EXECUTE on DBMS_RLS to other users.
To keep DVSYS as a protected schema, you can no longer drop its objects, even if the recycle bin is disabled. For better security for other realms, you should disable the recycle bin.
Oracle Database Vault no longer modifies the OS_AUTHENT_PREFIX initialization parameter during installation. The default value for the OS_AUTHENT_PREFIX parameter is OPS$.
See Oracle Database Reference for more information about this parameter.