Table of Contents
- List of Figures
- List of Tables
- Title and Copyright Information
- Preface
- Changes in This Release for Oracle Database Vault Administrator's Guide
- 1 Introduction to Oracle Database Vault
- What Is Oracle Database Vault?
- What Privileges Do You Need to Use Oracle Database Vault?
- Components of Oracle Database Vault
- How Oracle Database Vault Addresses Compliance Regulations
- How Oracle Database Vault Protects Privileged User Accounts
- How Oracle Database Vault Allows for Flexible Security Policies
- How Oracle Database Vault Addresses Database Consolidation Concerns
- How Oracle Database Vault Works in a Multitenant Environment
- 2 What to Expect After You Enable Oracle Database Vault
- Initialization and Password Parameter Settings That Change
- How Oracle Database Vault Restricts User Authorizations
- New Database Roles to Enforce Separation of Duties
- Privileges That Are Revoked from Existing Users and Roles
- Privileges That Are Prevented for Existing Users and Roles
- Modified AUDIT Statement Settings for a Non-Unified Audit Environment
- 3 Getting Started with Oracle Database Vault
- About Registering Oracle Database Vault with an Oracle Database
- Registering Oracle Database Vault with an Oracle Database in a Multitenant Environment
- About Registering Database Vault in a Multitenant Environment
- Registering Database Vault in the CDB Root
- Registering Database Vault Common Users to Manage Specific PDBs
- Registering Database Vault Local Users to Manage Specific PDBs
- Plugging in a Database Vault-Enabled PDB
- Manually Installing Oracle Database Vault in a Multitenant Environment
- Registering Database Vault in a Non-Multitenant Environment
- Verifying That Database Vault Is Configured and Enabled
- Logging in to Oracle Database Vault from Oracle Enterprise Cloud Control
- Quick Start Tutorial: Securing a Schema from DBA Access
- About This Tutorial
- Step 1: Log On as SYSTEM to Access the HR Schema
- Step 2: Create a Realm
- Step 3: Create the SEBASTIAN User Account
- Step 4: Have User SEBASTIAN Test the Realm
- Step 5: Create an Authorization for the Realm
- Step 6: Test the Realm
- Step 7: If Unified Auditing Is Not Enabled, Then Run a Report
- Step 8: Remove the Components for This Tutorial
- 4 Configuring Realms
- What Are Realms?
- Default Realms
- Creating a Realm
- About Realm-Secured Objects
- About Realm Authorization
- Realm Authorizations in a Multitenant Environment
- Modifying the Enablement Status of a Realm
- Deleting a Realm
- How Realms Work
- How Authorizations Work in a Realm
- Access to Objects That Are Protected by a Realm
- Example of How Realms Work
- How Realms Affect Other Oracle Database Vault Components
- Guidelines for Designing Realms
- How Realms Affect Performance
- Realm Related Reports and Data Dictionary Views
- 5 Configuring Rule Sets
- What Are Rule Sets?
- Rule Sets and Rules in a Multitenant Environment
- Default Rules and Rule Sets from Releases Earlier Than Release 12.2
- Default Rule Sets
- Creating a Rule Set
- Creating a Rule to Add to a Rule Set
- Removing Rule Set References to Oracle Database Vault Components
- Deleting a Rule Set
- How Rule Sets Work
- Tutorial: Creating an Email Alert for Security Violations
- About This Tutorial
- Step 1: Install and Configure the UTL_MAIL PL/SQL Package
- Step 2: Create an Email Security Alert PL/SQL Procedure
- Step 3: Configure an Access Control List File for Network Services
- Step 4: Create a Rule Set and a Command Rule to Use the Email Security Alert
- Step 5: Test the Email Security Alert
- Step 6: Remove the Components for This Tutorial
- Tutorial: Configuring Two-Person Integrity, or Dual Key Security
- Guidelines for Designing Rule Sets
- How Rule Sets Affect Performance
- Rule Set and Rule Related Reports and Data Dictionary Views
- 6 Configuring Command Rules
- What Are Command Rules?
- Default Command Rules
- SQL Statements That Can Be Protected by Command Rules
- Creating a Command Rule
- Modifying the Enablement Status of a Command Rule
- Deleting a Command Rule
- How Command Rules Work
- Tutorial: Using a Command Rule to Control Table Creations by a User
- Guidelines for Designing Command Rules
- How Command Rules Affect Performance
- Command Rule Related Reports and Data Dictionary View
- 7 Configuring Factors
- What Are Factors?
- Default Factors
- Creating a Factor
- Accessing the Create Factors Page
- Completing the General Page for Factor Creation
- Configurations Page for Factor Creation
- Setting the Factor Identification Information
- How Factor Identities Work
- Setting the Evaluation Information for a Factor
- Setting the Oracle Label Security Labeling Information for a Factor
- Setting the Retrieval Method for a Factor
- How Retrieval Methods Work
- Setting the Validation Method for a Factor
- Options Page of Factor Creation
- Adding an Identity to a Factor
- Deleting a Factor
- How Factors Work
- Tutorial: Preventing Ad Hoc Tool Access to the Database
- Tutorial: Restricting User Activities Based on Session Data
- About This Tutorial
- Step 1: Create an Administrative User
- Step 2: Add Identities to the Domain Factor
- Step 3: Map the Domain Factor Identities to the Client_IP Factor
- Step 4: Create a Rule Set to Set the Hours and Select the Factor Identity
- Step 5: Create a Command Rule That Uses the Rule Set
- Step 6: Test the Factor Identity Settings
- Step 7: Remove the Components for This Tutorial
- Guidelines for Designing Factors
- How Factors Affect Performance
- Factor Related Reports and Data Dictionary Views
- 8 Configuring Secure Application Roles for Oracle Database Vault
- What Are Secure Application Roles in Oracle Database Vault?
- Creating an Oracle Database Vault Secure Application Role
- Enabling Oracle Database Secure Application Roles to Work with Oracle Database Vault
- Security for Oracle Database Vault Secure Application Roles
- Deleting an Oracle Database Vault Secure Application Role
- How Oracle Database Vault Secure Application Roles Work
- Tutorial: Granting Access with Database Vault Secure Application Roles
- About This Tutorial
- Step 1: Create Users for This Tutorial
- Step 2: Enable the OE User Account
- Step 3: Create the Rule Set and Its Rules
- Step 4: Create the Database Vault Secure Application Role
- Step 5: Grant the SELECT Privilege to the Secure Application Role
- Step 6: Test the Database Vault Secure Application Role
- Step 7: Remove the Components for This Tutorial
- How Secure Application Roles Affect Performance
- Secure Application Role Related Reports and Data Dictionary View
- 9 Configuring Oracle Database Vault Policies
- 10 Using Simulation Mode for Logging Realm and Command Rule Activities
- About Simulation Mode
- Simulation Mode Use Cases
- Logging Realms in Simulation Mode
- Considerations When Logging Realms in Simulation Mode
- Use Case: All New Realms in Simulation Mode
- Use Case: New Realms Introduced to Existing Realms
- Use Case: Testing the Addition of New Objects in a Realm
- Use Case: Testing the Removal of Objects from a Realm
- Use Case: Testing the Addition of an Authorized User to a Realm
- Use Case: Testing the Removal of an Authorized User from a Realm
- Use Case: Testing New Factors with Realms
- Use Case: Testing Changes to an Existing Command Rule
- Tutorial: Tracking Violations to a Realm Using Simulation Mode
- 11 Integrating Oracle Database Vault with Other Oracle Products
- Integrating Oracle Database Vault with Enterprise User Security
- Integrating Oracle Database Vault with Transparent Data Encryption
- Attaching Factors to an Oracle Virtual Private Database
- Integrating Oracle Database Vault with Oracle Label Security
- How Oracle Database Vault Is Integrated with Oracle Label Security
- Requirements for Using Oracle Database Vault with Oracle Label Security
- Using Oracle Database Vault Factors with Oracle Label Security Policies
- Tutorial: Integrating Oracle Database Vault with Oracle Label Security
- About This Tutorial
- Step 1: Create Users for This Tutorial
- Step 2: Create the Oracle Label Security Policy
- Step 3: Create Oracle Database Vault Rules to Control the OLS Authorization
- Step 4: Update the ALTER SYSTEM Command Rule to Use the Rule Set
- Step 5: Test the Authorizations
- Step 6: Remove the Components for This Tutorial
- Related Reports and Data Dictionary Views
- Integrating Oracle Database Vault with Oracle Data Guard
- Registering Oracle Internet Directory Using Oracle Database Configuration Assistant
- 12 DBA Operations in an Oracle Database Vault Environment
- Using Oracle Database Vault with Oracle Enterprise Manager
- Using Oracle Data Pump with Oracle Database Vault
- Using Oracle Scheduler with Oracle Database Vault
- Using Information Lifecycle Management with Oracle Database Vault
- Using Oracle Database Replay with Oracle Database Vault
- Executing Preprocessor Programs with Oracle Database Vault
- Using Database Vault Operations Control to Restrict Multitenant Common User Access to Local PDB Data
- About Using Database Vault Operations Control
- How the Addition of Common Users and Packages to an Exception List Works
- Enabling Database Vault Operations Control
- Adding Common Users and Packages to an Exception List
- Deleting Common Users and Packages from an Exception List
- Disabling Database Vault Operations Control
- Oracle Recovery Manager and Oracle Database Vault
- Privileges for Using XStream with Oracle Database Vault
- Privileges for Using Oracle GoldenGate with Oracle Database Vault
- Using Data Masking in an Oracle Database Vault Environment
- Converting a Standalone Oracle Database to a PDB and Plugging It into a CDB
- Using the ORADEBUG Utility with Oracle Database Vault
- Performing Patch Operations in an Oracle Database Vault Environment
- 13 Oracle Database Vault Schemas, Roles, and Accounts
- Oracle Database Vault Schemas
- Oracle Database Vault Roles
- About Oracle Database Vault Roles
- Privileges of Oracle Database Vault Roles
- Granting Oracle Database Vault Roles to Users
- DV_OWNER Database Vault Owner Role
- DV_ADMIN Database Vault Configuration Administrator Role
- DV_MONITOR Database Vault Monitoring Role
- DV_SECANALYST Database Vault Security Analyst Role
- DV_AUDIT_CLEANUP Audit Trail Cleanup Role
- DV_DATAPUMP_NETWORK_LINK Data Pump Network Link Role
- DV_XSTREAM_ADMIN XStream Administrative Role
- DV_GOLDENGATE_ADMIN GoldenGate Administrative Role
- DV_GOLDENGATE_REDO_ACCESS GoldenGate Redo Log Role
- DV_PATCH_ADMIN Database Vault Database Patch Role
- DV_ACCTMGR Database Vault Account Manager Role
- DV_REALM_OWNER Database Vault Realm DBA Role
- DV_REALM_RESOURCE Database Vault Application Resource Owner Role
- DV_POLICY_OWNER Database Vault Owner Role
- DV_PUBLIC Database Vault PUBLIC Role
- Oracle Database Vault Accounts Created During Registration
- Backup Oracle Database Vault Accounts
- 14 Oracle Database Vault Realm APIs
- 15 Oracle Database Vault Rule Set APIs
- 16 Oracle Database Vault Command Rule APIs
- CREATE_COMMAND_RULE Procedure
- CREATE_CONNECT_COMMAND_RULE Procedure
- CREATE_SESSION_EVENT_CMD_RULE Procedure
- CREATE_SYSTEM_EVENT_CMD_RULE Procedure
- DELETE_COMMAND_RULE Procedure
- DELETE_CONNECT_COMMAND_RULE Procedure
- DELETE_SESSION_EVENT_CMD_RULE Procedure
- DELETE_SYSTEM_EVENT_CMD_RULE Procedure
- UPDATE_COMMAND_RULE Procedure
- UPDATE_CONNECT_COMMAND_RULE Procedure
- UPDATE_SESSION_EVENT_CMD_RULE Procedure
- UPDATE_SYSTEM_EVENT_CMD_RULE Procedure
- 17 Oracle Database Vault Factor APIs
- DBMS_MACADM Factor Procedures and Functions
- ADD_FACTOR_LINK Procedure
- ADD_POLICY_FACTOR Procedure
- CHANGE_IDENTITY_FACTOR Procedure
- CHANGE_IDENTITY_VALUE Procedure
- CREATE_DOMAIN_IDENTITY Procedure
- CREATE_FACTOR Procedure
- CREATE_FACTOR_TYPE Procedure
- CREATE_IDENTITY Procedure
- CREATE_IDENTITY_MAP Procedure
- DELETE_FACTOR Procedure
- DELETE_FACTOR_LINK Procedure
- DELETE_FACTOR_TYPE Procedure
- DELETE_IDENTITY Procedure
- DELETE_IDENTITY_MAP Procedure
- DROP_DOMAIN_IDENTITY Procedure
- GET_SESSION_INFO Function
- GET_INSTANCE_INFO Function
- RENAME_FACTOR Procedure
- RENAME_FACTOR_TYPE Procedure
- UPDATE_FACTOR Procedure
- UPDATE_FACTOR_TYPE Procedure
- UPDATE_IDENTITY Procedure
- Oracle Database Vault Run-Time PL/SQL Procedures and Functions
- Oracle Database Vault DVF PL/SQL Factor Functions
- About Oracle Database Vault DVF PL/SQL Factor Functions
- F$AUTHENTICATION_METHOD Function
- F$CLIENT_IP Function
- F$DATABASE_DOMAIN Function
- F$DATABASE_HOSTNAME Function
- F$DATABASE_INSTANCE Function
- F$DATABASE_IP Function
- F$DATABASE_NAME Function
- F$DOMAIN Function
- F$DV$_CLIENT_IDENTIFIER Function
- F$DV$_DBLINK_INFO Function
- F$DV$_MODULE Function
- F$ENTERPRISE_IDENTITY Function
- F$IDENTIFICATION_TYPE Function
- F$LANG Function
- F$LANGUAGE Function
- F$MACHINE Function
- F$NETWORK_PROTOCOL Function
- F$PROXY_ENTERPRISE_IDENTITY Function
- F$PROXY_USER Function
- F$SESSION_USER Function
- 18 Oracle Database Vault Secure Application Role APIs
- 19 Oracle Database Vault Oracle Label Security APIs
- 20 Oracle Database Vault Utility APIs
- DBMS_MACUTL Constants
- DBMS_MACUTL Package Procedures and Functions
- CHECK_DVSYS_DML_ALLOWED Procedure
- GET_CODE_VALUE Function
- GET_SECOND Function
- GET_MINUTE Function
- GET_HOUR Function
- GET_DAY Function
- GET_MONTH Function
- GET_YEAR Function
- IS_ALPHA Function
- IS_DIGIT Function
- IS_DVSYS_OWNER Function
- IS_OLS_INSTALLED Function
- IS_OLS_INSTALLED_VARCHAR Function
- ROLE_GRANTED_ENABLED_VARCHAR Function
- USER_HAS_OBJECT_PRIVILEGE Function
- USER_HAS_ROLE Function
- USER_HAS_ROLE_VARCHAR Function
- USER_HAS_SYSTEM_PRIVILEGE Function
- 21 Oracle Database Vault General Administrative APIs
- DBMS_MACADM General System Maintenance Procedures
- ADD_APP_EXCEPTION Procedure
- ADD_NLS_DATA Procedure
- AUTHORIZE_DATAPUMP_USER Procedure
- AUTHORIZE_DBCAPTURE Procedure
- AUTHORIZE_DBREPLAY Procedure
- AUTHORIZE_DDL Procedure
- AUTHORIZE_DIAGNOSTIC_ADMIN Procedure
- AUTHORIZE_MAINTENANCE_USER Procedure
- AUTHORIZE_PREPROCESSOR Procedure
- AUTHORIZE_PROXY_USER Procedure
- AUTHORIZE_SCHEDULER_USER Procedure
- AUTHORIZE_TTS_USER Procedure
- DELETE_APP_EXCEPTION Procedure
- DISABLE_APP_PROTECTION Procedure
- DISABLE_DV Procedure
- DISABLE_DV_DICTIONARY_ACCTS Procedure
- DISABLE_DV_PATCH_ADMIN_AUDIT Procedure
- DISABLE_ORADEBUG Procedure
- ENABLE_APP_PROTECTION Procedure
- ENABLE_DV Procedure
- ENABLE_DV_DICTIONARY_ACCTS Procedure
- ENABLE_DV_PATCH_ADMIN_AUDIT Procedure
- ENABLE_ORADEBUG Procedure
- UNAUTHORIZE_DATAPUMP_USER Procedure
- UNAUTHORIZE_DBCAPTURE Procedure
- UNAUTHORIZE_DBREPLAY Procedure
- UNAUTHORIZE_DDL Procedure
- UNAUTHORIZE_DIAGNOSTIC_ADMIN Procedure
- UNAUTHORIZE_MAINTENANCE_USER Procedure
- UNAUTHORIZE_PREPROCESSOR Procedure
- UNAUTHORIZE_PROXY_USER Procedure
- UNAUTHORIZE_SCHEDULER_USER Procedure
- UNAUTHORIZE_TTS_USER Procedure
- CONFIGURE_DV General System Maintenance Procedure
- 22 Oracle Database Vault Policy APIs
- ADD_CMD_RULE_TO_POLICY Procedure
- ADD_OWNER_TO_POLICY Procedure
- ADD_REALM_TO_POLICY Procedure
- CREATE_POLICY Procedure
- DELETE_CMD_RULE_FROM_POLICY Procedure
- DELETE_OWNER_FROM_POLICY Procedure
- DELETE_REALM_FROM_POLICY Procedure
- DROP_POLICY Procedure
- RENAME_POLICY Procedure
- UPDATE_POLICY_DESCRIPTION Procedure
- UPDATE_POLICY_STATE Procedure
- 23 Oracle Database Vault API Reference
- 24 Oracle Database Vault Data Dictionary Views
- About the Oracle Database Vault Data Dictionary Views
- CDB_DV_STATUS View
- DBA_DV_APP_EXCEPTION View
- DBA_DV_CODE View
- DBA_DV_COMMAND_RULE View
- DBA_DV_DATAPUMP_AUTH View
- DBA_DV_DBCAPTURE_AUTH View
- DBA_DV_DBREPLAY View
- DBA_DV_DDL_AUTH View
- DBA_DV_DICTIONARY_ACCTS View
- DBA_DV_FACTOR View
- DBA_DV_FACTOR_TYPE View
- DBA_DV_FACTOR_LINK View
- DBA_DV_IDENTITY View
- DBA_DV_IDENTITY_MAP View
- DBA_DV_JOB_AUTH View
- DBA_DV_MAC_POLICY View
- DBA_DV_MAC_POLICY_FACTOR View
- DBA_DV_MAINTENANCE_AUTH View
- DBA_DV_ORADEBUG View
- DBA_DV_PATCH_ADMIN_AUDIT View
- DBA_DV_POLICY View
- DBA_DV_POLICY_LABEL View
- DBA_DV_POLICY_OBJECT View
- DBA_DV_POLICY_OWNER View
- DBA_DV_PREPROCESSOR_AUTH View
- DBA_DV_PROXY_AUTH View
- DBA_DV_PUB_PRIVS View
- DBA_DV_REALM View
- DBA_DV_REALM_AUTH View
- DBA_DV_REALM_OBJECT View
- DBA_DV_ROLE View
- DBA_DV_RULE View
- DBA_DV_RULE_SET View
- DBA_DV_RULE_SET_RULE View
- DBA_DV_SIMULATION_LOG View
- DBA_DV_STATUS or SYS.DBA_DV_STATUS View
- DBA_DV_TTS_AUTH View
- DBA_DV_USER_PRIVS View
- DBA_DV_USER_PRIVS_ALL View
- DVSYS.DV$CONFIGURATION_AUDIT View
- DVSYS.DV$ENFORCEMENT_AUDIT View
- DVSYS.DV$REALM View
- DVSYS.POLICY_OWNER_COMMAND_RULE View
- DVSYS.POLICY_OWNER_POLICY View
- DVSYS.POLICY_OWNER_REALM View
- DVSYS.POLICY_OWNER_REALM_AUTH View
- DVSYS.POLICY_OWNER_REALM_OBJECT View
- DVSYS.POLICY_OWNER_RULE View
- DVSYS.POLICY_OWNER_RULE_SET View
- DVSYS.POLICY_OWNER_RULE_SET_RULE View
- AUDSYS.DV$CONFIGURATION_AUDIT View
- AUDSYS.DV$ENFORCEMENT_AUDIT View
- 25 Monitoring Oracle Database Vault
- 26 Oracle Database Vault Reports
- About the Oracle Database Vault Reports
- Who Can Run the Oracle Database Vault Reports?
- Running the Oracle Database Vault Reports
- Oracle Database Vault Configuration Issues Reports
- Oracle Database Vault Auditing Reports
- Oracle Database Vault General Security Reports
- Object Privilege Reports
- Database Account System Privileges Reports
- Sensitive Objects Reports
- Privilege Management - Summary Reports
- Powerful Database Accounts and Roles Reports
- WITH ADMIN Privilege Grants Report
- Accounts With DBA Roles Report
- Security Policy Exemption Report
- BECOME USER Report
- ALTER SYSTEM or ALTER SESSION Report
- Password History Access Report
- WITH GRANT Privileges Report
- Roles/Accounts That Have a Given Role Report
- Database Accounts With Catalog Roles Report
- AUDIT Privileges Report
- OS Security Vulnerability Privileges Report
- Initialization Parameters and Profiles Reports
- Database Account Password Reports
- Security Audit Report: Core Database Audit Report
- Other Security Vulnerability Reports
- A Auditing Oracle Database Vault
- B Disabling and Enabling Oracle Database Vault
- C Postinstallation Oracle Database Vault Procedures
- D Oracle Database Vault Security Guidelines
- Separation of Duty Guidelines
- Managing Oracle Database Administrative Accounts
- Accounts and Roles Trusted by Oracle Database Vault
- Accounts and Roles That Should be Limited to Trusted Individuals
- Guidelines for Using Oracle Database Vault in a Production Environment
- Secure Configuration Guidelines
- General Secure Configuration Guidelines
- UTL_FILE and DBMS_FILE_TRANSFER Package Security Considerations
- About Security Considerations for the UTL_FILE and DBMS_FILE_TRANSFER Packages
- Securing Access to the DBMS_FILE_TRANSFER Package
- Example: Creating a Command Rule to Deny Access to CREATE DATABASE LINK
- Example: Creating a Command Rule to Enable Access to CREATE DATABASE LINK
- Example: Command Rules to Disable and Enable Access to CREATE DIRECTORY
- CREATE ANY JOB Privilege Security Considerations
- CREATE EXTERNAL JOB Privilege Security Considerations
- LogMiner Package Security Considerations
- ALTER SYSTEM and ALTER SESSION Privilege Security Considerations
- E Troubleshooting Oracle Database Vault
- Using Trace Files to Diagnose Oracle Database Vault Events
- About Using Trace Files to Diagnose Oracle Database Vault Events
- Types of Oracle Database Vault Trace Events That You Can and Cannot Track
- Levels of Oracle Database Vault Trace Events
- Performance Effect of Enabling Oracle Database Vault Trace Files
- Enabling Oracle Database Vault Trace Events
- Finding Oracle Database Vault Trace File Data
- Example: Low Level Oracle Database Vault Realm Violations in a Trace File
- Example: High Level Trace Enabled for Oracle Database Vault Authorization
- Example: Highest Level Traces on Violations on Realm-Protected Objects
- Disabling Oracle Database Vault Trace Events
- General Diagnostic Tips
- Configuration Problems with Oracle Database Vault Components
- Resetting Oracle Database Vault Account Passwords
- Index