Changes in This Release for Oracle Database Vault Administrator's Guide

Changes in Oracle Database Vault 19c

The following are changes in Oracle Database Vault Administrator's Guide for Oracle Database 19c.

Command Rule Support for Unified Audit Policies

You can now create Oracle Database Vault command rules for unified audit policies.

You can now use command rules to enable and disable individual unified audit policies. This enhancement provides fine-grained control over how each policy is managed, instead of having to manage all the unified audit policies in the same way through a single command rule. For example, an HR auditor can have control over his or her HR unified audit policy, but not the CRM unified audit policy. This new feature extends the use of AUDIT and NOAUDIT in command rules, but when you specify a unified audit policy for the command rule, you must specify AUDIT POLICY or NOAUDIT POLICY.
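The HR auditor scenario above could be set up as follows. This is an added example, not code from the Oracle guide: the user HR_AUDITOR, the policy HR_AUDIT_POL, and the rule and rule set names are hypothetical, and it assumes the unified audit policy name is passed in object_name with object_owner set to the % wildcard.

```sql
-- Added example. Run as a user with the DV_OWNER or DV_ADMIN role.
-- HR_AUDITOR, HR_AUDIT_POL and the rule / rule set names are hypothetical.
BEGIN
  -- Rule: evaluates to true only for sessions of the HR auditor.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is HR Auditor',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''HR_AUDITOR''');

  -- Rule set that the two command rules below evaluate.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Audit Policy Managers',
    description     => 'Users allowed to enable or disable HR_AUDIT_POL',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Only the HR auditor may manage HR_AUDIT_POL',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => '');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Audit Policy Managers',
    rule_name     => 'Is HR Auditor');

  -- One command rule per statement: note AUDIT POLICY / NOAUDIT POLICY,
  -- not plain AUDIT / NOAUDIT, when the target is a unified audit policy.
  -- Assumption: the policy name goes in object_name, with owner '%'.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'AUDIT POLICY',
    rule_set_name => 'HR Audit Policy Managers',
    object_owner  => '%',
    object_name   => 'HR_AUDIT_POL',
    enabled       => DBMS_MACUTL.G_YES);

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'NOAUDIT POLICY',
    rule_set_name => 'HR Audit Policy Managers',
    object_owner  => '%',
    object_name   => 'HR_AUDIT_POL',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Confirm that both command rules exist and are enabled.
SELECT command, rule_set_name, object_name, enabled
  FROM dba_dv_command_rule
 WHERE command IN ('AUDIT POLICY', 'NOAUDIT POLICY');
```

Because the NOAUDIT POLICY rule is scoped to one policy, a CRM policy would need its own pair of command rules and its own rule set.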

Database Vault Operations Control for Infrastructure Database Administrators

In a multitenant database, you can now use Oracle Database Vault to block common users (infrastructure DBAs, for example) from accessing local data in pluggable databases (PDBs) in autonomous, regular Cloud, or on-premises environments.

This enhancement prevents common users from accessing local data that resides on a PDB. It enables you to store sensitive data for your business applications and allow operations to manage the database infrastructure without having to access sensitive customer data.

Privilege Analysis Documentation Moved to Oracle Database Security Guide

The documentation for privilege analysis has moved from Oracle Database Vault Administrator’s Guide to Oracle Database Security Guide.

See Oracle Database Licensing Information User Manual for privilege analysis licensing information.

Changes in Oracle Database Vault 18c

The following are changes in Oracle Database Vault Administrator's Guide for Oracle Database 18c.

Enhancements to Oracle Database Vault Simulation Mode

Simulation mode in Oracle Database Vault has a number of changes in this release.

  • Simulation mode now captures all mandatory realm violations from a SQL statement.

  • Simulation mode can capture the full call stack information.

  • The default trusted path context factors are now available as separate columns instead of being concatenated together.

Capturing all mandatory realm violations from a SQL statement enables you to see all changes that you may need to make. Otherwise, the first mandatory realm violation may mask other violations that would not be noticed until the original fix is completed and another regression test is run. This enhancement enables faster regression testing and application certification.

Seeing the full call stack helps you to identify the original SQL statement that has the violation. In many cases, similar SQL statements are called by different parts of the application. This feature helps an application developer to quickly identify exactly which application code triggered the violation.

Context factors are used to build trusted paths for realms and command rules. There are some commonly used factors for trusted paths, so these were extracted from the single string representation in the last release into their own columns. This enhancement makes it much easier to identify the factors to use in trusted path rule sets.

New Factor Functions

Starting with this release, four new factor functions are available.

The factor functions are as follows:

  • F$DV$_CLIENT_IDENTIFIER

  • F$DV$_DBLINK_INFO

  • F$DV$_MODULE

  • F$PROXY_USER

Ability to Grant Data Pump-Database Vault Authorizations to Roles

Starting with this release, you can authorize roles to perform Oracle Data Pump operations in an Oracle Database Vault environment.

In previous releases, you could grant this authorization only to individual users. This enhancement enables administrators to easily manage users through roles for this type of authorization.

Oracle Database Vault Support for Oracle Database Replay

In this release, you can now perform Oracle Database Replay operations in an Oracle Database Vault environment.

The following functionality supports this feature:

  • DBMS_MACADM PL/SQL procedures:

    • DBMS_MACADM.AUTHORIZE_DBCAPTURE

    • DBMS_MACADM.AUTHORIZE_DBREPLAY

    • DBMS_MACADM.UNAUTHORIZE_DBCAPTURE

    • DBMS_MACADM.UNAUTHORIZE_DBREPLAY

  • Data dictionary views:

    • DBA_DV_DBCAPTURE_AUTH

    • DBA_DV_DBREPLAY_AUTH