1. Administrator's Guide
  2. Integrating Oracle Database Vault with Other Oracle Products

11 Integrating Oracle Database Vault with Other Oracle Products

You can integrate Oracle Database Vault with other Oracle products, such as Oracle Enterprise User Security.

Integrating Oracle Database Vault with Enterprise User Security

You can integrate Oracle Database Vault with Oracle Enterprise User Security.

Parent topic: Integrating Oracle Database Vault with Other Oracle Products

About Integrating Oracle Database Vault with Enterprise User Security

Enterprise User Security centrally manages database users and authorizations in one place.

It is combined with Oracle Identity Management and is available in Oracle Database Enterprise Edition.

In general, to integrate Oracle Database Vault with Oracle Enterprise User Security, you configure the appropriate realms to protect the data that you want to protect in the database.

After you define the Oracle Database Vault realms as needed, you can create a rule set for the Enterprise users to allow or disallow their access.

Related Topics

Parent topic: Integrating Oracle Database Vault with Enterprise User Security

Configuring an Enterprise User Authorization

To configure an Enterprise User authorization, you must create an Oracle Database Vault rule set to control the user access.

  1. Connect to the PDB or the application root as a user who has been granted the DV_OWNER or DV_ADMIN role.
    For example: 
    CONNECT c##sec_admin_owen@pdb_name
Enter password: password

    To find the available PDBs, query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the show con_name command.

  2. Execute the DBMS_MACADM.CREATE_RULE procedure to create the rule that allows or disallows user access. 
    BEGIN
 DBMS_MACADM.CREATE_RULE(
  rule_name  => 'Control User Access', 
  rule_expr  =>'SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY') = 'user_domain_name'',
  scope      => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/

    In this specification:

    • rule_name specifies a rule name. Enter any valid name that is appropriate for your needs.
    • rule_expr must use the rule expression given in this example. Replace 'user_domain_name' with the domain. For example: 
      'SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY') = 'myserver.us.example.com''
    • scope must be DBMS_MACUTL.G_SCOPE_LOCAL.
  3. Execute the DBMS_MACADM.CREATE_RULE_SET procedure to create a rule set to be used for the rule.
    For example: 
    BEGIN
 DBMS_MACADM.CREATE_RULE_SET(
  rule_set_name    => 'EM User Authorization', 
  description      => 'Allows or disallows user access to EM', 
  enabled          => DBMS_MACUTL.G_YES,
  eval_options     => DBMS_MACUTL.G_RULESET_EVAL_ANY,
  audit_options    => DBMS_MACUTL.G_RULESET_AUDIT_OFF,
  fail_options     => DBMS_MACUTL.G_RULESET_FAIL_SILENT,
  fail_message     => '',
  fail_code        => 20461,
  handler_options  => DBMS_MACUTL.G_RULESET_HANDLER_OFF, 
  handler          => ' ',
  is_static        => TRUE);
END;
/
  4. Execute the DBMS_MACADM.ADD_RULE_TO_RULE_SET procedure to add the rule to the rule set.
    For example:
    BEGIN
 DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name => 'EM User Authorization', 
  rule_name     => 'Control User Access',
  rule_order    => 1);
END;
/
  5. Execute the DBMS_MACADM.ADD_AUTH_TO_REALM procedure to add the rule set to the realm authorization for the data that you want to protect.
    For example, for a realm called HR Realm: 
    BEGIN
 DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name    => 'HR Realm', 
  grantee       => 'pfitch', 
  rule_set_name => 'EM User Authorization',
  auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER,
  auth_scope    => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/

Parent topic: Integrating Oracle Database Vault with Enterprise User Security

Configuring Oracle Database Vault Accounts as Enterprise User Accounts

You can configure existing Oracle Database Vault user accounts as enterprise user accounts in a PDB.

  1. Log in to the PDB as a user who has been granted the CREATE ROLE system privilege.

    For example: 

    sqlplus sec_admin@pdb_name
Enter password: password

    To find the available PDBs, query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the show con_name command.

  2. Create a global role for the DV_OWNER role and a global role for the DV_ACCTMGR role.

    For example:

    CREATE ROLE g_dv_owner IDENTIFIED GLOBALLY;
CREATE ROLE g_dv_acctmgr IDENTIFIED GLOBALLY;
  3. Connect as a user who has been granted the DV_OWNER role.

    For example:

    CONNECT sec_admin_owen@pdb_name
Enter password: password
  4. Grant the DV_OWNER role to the global DV_OWNER role. 
    GRANT DV_OWNER TO g_dv_owner;
  5. Connect as a user who has been granted the DV_ACCTMGR role.

    For example:

    CONNECT dbv_acctmgr@pdb_name
Enter password: password
  6. Grant the DV_ACCTMGR role to the global DV_ACCTMGR role. 
    GRANT DV_ACCTMGR TO g_dv_acctmgr;
  7. Connect as user SYS with the SYSDBA administrative privilege.
    CONNECT SYS@pdb_name AS SYSDBA 
Enter password: password
  8. Temporarily grant the DV_ACCTMGR user who will import the Database Vault users into OID the CREATE TABLE privilege and the SELECT_CATALOG_ROLE role. 
    GRANT CREATE TABLE, SELECT_CATALOG_ROLE TO dbv_acctmgr;
  9. From the command line, run the User Migration Utility (UMU) to import the Database Vault accounts into Oracle Internet Directory (OID).

    The following example imports the Database Vault accounts leo_dvowner and bea_dvacctmgr into OID. The DV_ACCTMGR user is specified for the DBADMIN setting. 

    $ORACLE_HOME/rdbms/bin/umu PHASE=ONE
DBADMIN=dbv_acctmgr:password
ENTADMIN=cn=jane_ent_admin,dc=example,dc=com:password
USERS= LIST
DBLOCATION=example.com:7777:orcl
DIRLOCATION=example.com:636
USERSLIST=leo_dvowner:bea_dvacctmgr
MAPSCHEMA=PRIVATE
CONTEXT=CONTEXT="c=Users, c=us"
KREALM=EXAMPLE.COM

$ORACLE_HOME/rdbms/bin/umu PHASE=TWO
DBADMIN=dbv_acctmgr:password
ENTADMIN=cn=jane_ent_admin,dc=example,dc=com:password
DBLOCATION=example.com:7777:orcl
DIRLOCATION=example.com:636

    By default, errors are written to the $ORACLE_HOME/network/log/umu.log file.

    Enterprise User Security (EUS) User Migration Utility (UMU) is deprecated in Oracle Database 21c. Use EUS Manager (EUSM) features instead.
  10. From the Oracle Internet Directory Self Service Console (http://hostname:port/oiddas/), grant the global DV_OWNER and DV_ACCTMGR roles (for example, g_dv_owner and g_dv_acctmgr) to the enterprise user Database Vault accounts.

    See the example of creating enterprise users in Oracle Database Enterprise User Security Administrator's Guide for a demonstration of creating an enterprise role from a global role and then granting this role to a user.

  11. From SQL*Plus, as user SYS with the SYSDBA administrative privilege, revoke the CREATE TABLE and SELECT_CATALOG_ROLE role from the DV_ACCTMGR user. 
    REVOKE CREATE TABLE, SELECT_CATALOG_ROLE FROM dbv_acctmgr;

Related Topics

Parent topic: Integrating Oracle Database Vault with Enterprise User Security

Integrating Oracle Database Vault with Transparent Data Encryption

Transparent Data Encryption complements Oracle Database Vault in that it provides data protection when the data leaves the secure perimeter of the database.

With Transparent Data Encryption, a database administrator or database security administrator can simply encrypt columns with sensitive content in application tables, or encrypt entire application tablespaces, without any modification to the application.

If a user passes the authentication and authorization checks, Transparent Data Encryption automatically encrypts and decrypts information for the user. This way, you can implement encryption without having to change your applications.

Once you have granted the Transparent Data Encryption user the appropriate privileges, then Transparent Data Encryption can be managed as usual and be used complimentary to Database Vault.

Figure 11-1 shows how Oracle Database Vault realms handle encrypted data.

Figure 11-1 Encrypted Data and Oracle Database Vault

Description of Figure 11-1 follows
Description of "Figure 11-1 Encrypted Data and Oracle Database Vault"

Related Topics

Parent topic: Integrating Oracle Database Vault with Other Oracle Products

Attaching Factors to an Oracle Virtual Private Database

You can attach factors to an Oracle Virtual Private Database.

  1. Define a Virtual Private Database policy predicate that is a PL/SQL function or expression.
  2. For each function or expression, use the DVF.F$ PL/SQL function that is created for each factor.

Related Topics

Parent topic: Integrating Oracle Database Vault with Other Oracle Products

Integrating Oracle Database Vault with Oracle Label Security

You can integrate Oracle Database Vault with Oracle Label Security, and check the integration with reports and data dictionary views.

Parent topic: Integrating Oracle Database Vault with Other Oracle Products

How Oracle Database Vault Is Integrated with Oracle Label Security

An Oracle Database Vault-Oracle Label Security integration enables you to assign an OLS label to a Database Vault factor identity.

In Oracle Label Security, you can restrict access to records in database tables or PL/SQL programs. For example, Mary may be able to see data protected by the HIGHLY SENSITIVE label, an Oracle Label Security label on the EMPLOYEE table that includes records that should have access limited to certain managers. Another label can be PUBLIC, which allows more open access to this data.

In Oracle Database Vault, you can create a factor called Network, for the network on which the database session originates, with the following identities:

  • Intranet: Used for when an employee is working on site within the intranet for your company.

  • Remote: Used for when the employee is working at home from a VPN connection.

You then assign a maximum session label to both. For example:

  • Assign the Intranet identity to the HIGHLY SENSITIVE Oracle Label Security label.

  • Assign the Remote identity to the PUBLIC label.

This means that when Mary is working at home using her VPN connection, she has access only to the limited table data protected under the PUBLIC identity. But when she is in the office, she has access to the HIGHLY SENSITIVE data, because she is using the Intranet identity.

In a traditional auditing environment, you can audit the integration with Oracle Label Security by using the Label Security Integration Audit Report. Oracle Database Vault writes the audit trail to the DVSYS.AUDIT_TRAIL$ table. If unified auditing is enabled, then you can create audit policies to capture this information. Be aware that as of Oracle Database release 21c, traditional auditing is deprecated.

Related Topics

Parent topic: Integrating Oracle Database Vault with Oracle Label Security

Requirements for Using Oracle Database Vault with Oracle Label Security

You must fulfill specific requirements in place before you use Oracle Database Vault with Oracle Label Security.

  • Oracle Label Security is licensed separately. Ensure that you have purchased a license to use it.

  • Before you install Oracle Database Vault, you must have already installed Oracle Label Security.

  • The installation process for Oracle Label Security creates the LBACSYS user account. As a user who has been granted the DV_ACCTMGR role, unlock this account and grant it a new password. For example: 

    sqlplus bea_dvacctmgr@pdb_name
Enter password: password

ALTER USER LBACSYS ACCOUNT UNLOCK IDENTIFIED BY password;

  • If you plan to use the LBACSYS user account in Oracle Enterprise Manager, then log in to Enterprise Manager as user SYS with the SYSDBA administrative privilege, and grant this user the SELECT ANY DICTIONARY and SELECT_CATALOG_ROLE system privileges.

  • Ensure that you have the appropriate Oracle Label Security policies defined.

  • If you plan to integrate an Oracle Label Security policy with a Database Vault policy, then ensure that the policy name for Oracle Label Security is less than 24 characters. You can check the names of Oracle Label Security policies by querying the POLICY_NAME column of the ALL_SA_POLICIES data dictionary view.

Parent topic: Integrating Oracle Database Vault with Oracle Label Security

Using Oracle Database Vault Factors with Oracle Label Security Policies

To enhance security, you can integrate Oracle Database Vault factors with Oracle Label Security policies.

Parent topic: Integrating Oracle Database Vault with Oracle Label Security

About Using Oracle Database Vault Factors with Oracle Label Security Policies

And Oracle Database Vault-Oracle Label Security integration enables you to control the maximum security clearance for a database session.

Oracle Database Vault controls the maximum security clearance for a database session by merging the maximum allowable data for each label in a database session by merging the labels of Oracle Database Vault factors that are associated to an Oracle Label Security policy.

In brief, a label acts as an identifier for the access privileges of a database table row. A policy is a name associated with the labels, rules, and authorizations that govern access to table rows.

Configuring Factors to Work with an Oracle Label Security Policy

You can define factors that contribute to the maximum allowable data label of an Oracle Label Security policy.

  1. Connect to the PDB or the application root as a user who has been granted the DV_OWNER or DV_ADMIN role.
    For example: 
    CONNECT c##sec_admin_owen@pdb_name
Enter password: password

    To find the available PDBs, query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the show con_name command.

  2. Make the user LBACSYS account an owner of the realm that contains the schema to which a label security policy has been applied.

    This enables the LBACSYS account to have access to all the protected data in the realm, so that it can properly classify the data.

    For example, to make LBACSYS the owner of a realm called HR Realm: 
    BEGIN
 DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name   => 'HR Realm', 
  grantee      => 'LBACSYS', 
  auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/
  3. Authorize the schema owner (on which the label security policy has been applied) as either a realm participant or a realm owner.
    For example:
    BEGIN
 DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name   => 'HR Realm', 
  grantee      => 'HR', 
  auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/
  4. Configure a label security policy for the realm.
    Optionally set the label-merging algorithm for cases when Oracle Label Security has merged two labels. In most cases, you may want to configure the label security policy to use LII (Minimum Level/Intersection/Intersection). This setting is the most commonly used method that Oracle Label Security administrators use when they want to merge two labels. This setting provides optimum flexibility when your applications must determine the resulting label that is required when combining two data sets that have different labels. It is also necessary for situations in which you must perform queries using joins on rows with different data labels.
    • To create a new label security policy, execute the DBMS_MACADM.CREATE_MAC_POLICY procedure. For example:
      BEGIN
 DBMS_MACADM.CREATE_MAC_POLICY(
  policy_name  => 'Access Locations',
  algorithm    => 'LII');
END;
/
    • To modify an existing label security policy, execute the DBMS_MACADM.UPDATE_MAC_POLICY procedure.
  5. Execute the DBMS_MACADM.ADD_POLICY_FACTOR factor to associate a factor with the label security policy.
    For example: 
    BEGIN
 DBMS_MACADM.ADD_POLICY_FACTOR(
  policy_name  => 'Access Locations', 
  factor_name  => 'Sector2_DB'); 
END;
/
  6. Execute the DBMS_MACADM.CREATE_IDENTITY procedure to create a factor identity.
    For example: 
    BEGIN
 DBMS_MACADM.CREATE_IDENTITY(
  factor_name  => 'Sector2_DB', 
  value        => 'intranet', 
  trust_level  => 5); 
END;
/
  7. Label the factor identities using the labels for the policy.
    For example:
    BEGIN
 DBMS_MACADM.CREATE_POLICY_LABEL(
  identity_factor_name   => 'Sector2_DB', 
  identity_factor_value  => 'intranet',
  policy_name            => 'Access Locations',
  label                  => 'sensitive'); 
END;
/

Note:

If you do not associate an Oracle Label Security policy with factors, then Oracle Database Vault maintains the default Oracle Label Security behavior for the policy.

Tutorial: Integrating Oracle Database Vault with Oracle Label Security

An Oracle Database Vault-Oracle Label Security integration can grant different levels of access to two administrative users who have the same privileges.

Parent topic: Integrating Oracle Database Vault with Oracle Label Security

About This Tutorial

You can use Oracle Database Vault factors with Oracle Label Security and Oracle Virtual Private Database (VPD) to restrict sensitive data access.

You can restrict this data so that it is only exposed to a database session when the correct combination of factors exists, defined by the security administrator, for any given database session.

Step 1: Create Users for This Tutorial

You must create two administrative users for this tutorial.

  1. Log in to a PDB as a user who has been granted the DV_ACCTMGR role.

    For example: 

    sqlplus bea_dvacctmgr@pdb_name
Enter password: password

    To find the available PDBs, query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the show con_name command.

  2. Create the following local users: 
    GRANT CREATE SESSION TO mdale IDENTIFIED BY password CONTAINER = CURRENT;
GRANT CREATE SESSION TO jsmith IDENTIFIED BY password CONTAINER = CURRENT;

    Replace password with a password that is secure.

  3. Connect as a user who can grant system privileges and who has been granted the owner authorization for the Oracle System Privilege and Role Management realm, and then grant administrative privileges to users mdale and jsmith.
    CONNECT dba_psmith@pdb_name
Enter password: password

GRANT DBA TO mdale, jsmith;

    At this stage, users mdale and jsmith have identical administrative privileges.

Step 2: Create the Oracle Label Security Policy

Next, you can create the Oracle Label Security policy and grant users the appropriate privileges for it.

  1. In SQL*Plus, connect to the PDB as the Oracle Label Security administrator, LBACSYS.
    CONNECT LBACSYS@pdb_name
Enter password: password

    If user LBACSYS is locked and expired, connect as the Database Vault Account Manager, unlock and unexpire the LBACSYS account, and then log back in as LBACSYS.

    For example: 

    CONNECT bea_dvacctmgr@pdb_name
Enter password: password

ALTER USER LBACSYS ACCOUNT UNLOCK IDENTIFIED BY password;

CONNECT LBACSYS
Enter password: password
  2. Create a new Oracle Label Security policy:
    EXEC SA_SYSDBA.CREATE_POLICY('PRIVACY','PRIVACY_COLUMN','NO_CONTROL');
  3. Create the following levels for the PRIVACY policy:
    EXEC SA_COMPONENTS.CREATE_LEVEL('PRIVACY',2000,'S','SENSITIVE');
EXEC SA_COMPONENTS.CREATE_LEVEL('PRIVACY',1000,'C','CONFIDENTIAL');
  4. Create the PII compartment. 
    EXEC SA_COMPONENTS.CREATE_COMPARTMENT('PRIVACY',100,'PII','PERS_INFO');
  5. Grant users mdale and jsmith the following labels: 
    EXEC SA_USER_ADMIN.SET_USER_LABELS('PRIVACY','mdale','S:PII');
EXEC SA_USER_ADMIN.SET_USER_LABELS('PRIVACY','jsmith','C');

    User mdale is granted the more sensitive label, Sensitive, which includes the PII compartment. User jsmith gets the Confidential label, which is less sensitive.

Step 3: Create Oracle Database Vault Rules to Control the OLS Authorization

After you create the Oracle Label Security policy, you can create Database Vault rules to work with it.

  1. Connect to the PDB as the Database Vault Owner.

    For example:

    CONNECT leo_dvowner@pdb_name
Enter password: password
  2. Create the following rule set: 
    EXEC DBMS_MACADM.CREATE_RULE_SET('PII Rule Set', 'Protect PII data from privileged users','Y',1,0,2,NULL,NULL,0,NULL);
  3. Create a rule for the PII Rule Set. 
    EXEC DBMS_MACADM.CREATE_RULE('Check OLS Factor',  'dominates(sa_utl.numeric_label(''PRIVACY''),  char_to_label(''PRIVACY'',''S:PII'')) = ''1''');

    Ensure that you use single quotes, as shown in this example, and not double quotes.

  4. Add the Check OLS Factor rule to the PII Rule Set. 
    EXEC DBMS_MACADM.ADD_RULE_TO_RULE_SET('PII Rule Set', 'Check OLS Factor');
Step 4: Update the ALTER SYSTEM Command Rule to Use the Rule Set

Before the rule set can be used, you must update the ALTER SYSTEM command rule, which is a default command rule.

  1. As the Database Vault Owner, check the current value of the ALTER SYSTEM command rule, which is one of the default command rules when you install Oracle Database Vault.
    SELECT * FROM DBA_DV_COMMAND_RULE WHERE COMMAND = 'ALTER SYSTEM';
  2. Make a note of these settings so that you can revert them to their original values later on.

    In a default installation, the ALTER SYSTEM command rule uses the Allow Fine Grained Control of System Parameters rule set, and is enabled.

  3. Update the ALTER SYSTEM command rule to be associated with the PII Rule Set. 
    EXEC DBMS_MACADM.UPDATE_COMMAND_RULE('ALTER SYSTEM', 'PII Rule Set', '%', '%', 'Y');

    This command adds the PII Rule Set to the ALTER SYSTEM command rule, applies it to all object owners and object names, and enables the command rule.

Step 5: Test the Authorizations

With all the components in place, you are ready to test the authorization.

  1. In SQL*Plus, log in to the PDB as user mdale. 
    CONNECT mdale@pdb_name
Enter password: password
  2. Check the current setting for the AUDIT_TRAIL initialization parameter.
    SHOW PARAMETER AUDIT_TRAIL

NAME                                 TYPE        VALUE
------------------------------------ ----------- ----------------------
audit_trail                          string      DB

    Make a note of this setting, so that you can revert it to its original setting later on.

  3. As user mdale, use the ALTER SYSTEM statement to modify the CPU_COUNT parameter.
    ALTER SYSTEM SET CPU_COUNT = 4;
System altered.

    Because user mdale was assigned the Sensitive label with the PII compartment, he can use the ALTER SYSTEM statement to modify the AUDIT_TRAIL system parameter.

  4. Set the CPU_COUNT parameter back to its original value.

    For example:

    ALTER SYSTEM SET CPU_COUNT = 2;
  5. Log in as user jsmith and then issue the same ALTER SYSTEM statement:
    CONNECT jsmith@pdb_name
Enter password: password

ALTER SYSTEM SET CPU_COUNT = 14;

    The following output should appear:

    ERROR at line 1:
ORA-01031: insufficient privileges

    Because user jsmith was assigned only the Confidential label, he cannot perform the ALTER SYSTEM statement.

Step 6: Remove the Components for This Tutorial

You can remove the components that you created for this tutorial if you no longer need them.

  1. Connect to the PDB as the Oracle Label Security administrator and remove the label policy and its components. 
    CONNECT LBACSYS@pdb_name
Enter password: password

EXEC SA_SYSDBA.DROP_POLICY('PRIVACY', TRUE);
  2. Connect as the Oracle Database Vault Owner and issue the following commands in the order shown, to set the ALTER SYSTEM command rule back to its previous setting and remove the rule set.

    For example: 

    CONNECT leo_dvowner@pdb_name
Enter password: password

EXEC DBMS_MACADM.UPDATE_COMMAND_RULE('ALTER SYSTEM', 'Allow System Parameters','%', '%', 'Y');
EXEC DBMS_MACADM.DELETE_RULE_FROM_RULE_SET('PII Rule Set', 'Check OLS Factor');
EXEC DBMS_MACADM.DELETE_RULE('Check OLS Factor');
EXEC DBMS_MACADM.DELETE_RULE_SET('PII Rule Set');
COMMIT;
  3. Connect as the Database Vault Account Manager and remove users mdale and jsmith. 
    CONNECT bea_dvacctmgr@pdb_name
Enter password: password

DROP USER mdale;
DROP USER jsmith;

Related Reports and Data Dictionary Views

Oracle Database Vault provides reports and data dictionary views that list information about the Oracle Database Vault-Oracle Label Security integration.

Table 11-1 lists the Oracle Database Vault reports.

Table 11-1 Reports Related to Database Vault and Oracle Label Security Integration

Report Description

Factor Configuration Issues Report

Lists factors in which the Oracle Label Security policy does not exist.

Identity Configuration Issues Report

Lists invalid label identities (the Oracle Label Security label for this identity has been removed and no longer exists).

Security Policy Exemption Report

Lists accounts and roles that have the EXEMPT ACCESS POLICY system privilege granted to them. Accounts that have this privilege can bypass all Virtual Private Database policy filters and any Oracle Label Security policies that use Oracle Virtual Private Database indirectly.

Table 11-2 lists data dictionary views that provide information about existing Oracle Label Security policies used with Oracle Database Vault.

Table 11-2 Data Dictionary Views Used for Oracle Label Security

Data Dictionary View Description

DBA_DV_MAC_POLICY

Lists the Oracle Label Security policies defined

DBA_DV_MAC_POLICY

Lists the factors that are associated with Oracle Label Security policies

DBA_DV_POLICY_LABEL

Lists the Oracle Label Security label for each factor identifier in the DBA_DV_IDENTITY view for each policy

Related Topics

Parent topic: Integrating Oracle Database Vault with Oracle Label Security

Integrating Oracle Database Vault with Oracle Data Guard

An Oracle Database Vault-Oracle Data Guard integration requires first, the primary database configuration, then the standby database configration.

Parent topic: Integrating Oracle Database Vault with Other Oracle Products

Step 1: Configure the Primary Database

You must run the DGMGRL utility, register Database Vault, and then run the ALTER SYSTEM statement, to configure the primary database.

  1. For Linux and UNIX systems, ensure there is an /etc/oratab entry for the database on the node in which you are installing Oracle Database Vault.

  2. If you are using Data Guard Broker, then from the command prompt, disable the configuration as follows: 

    dgmgrl sys
Enter password: password

DGMGRL> disable configuration;

  3. Register (that is, configure and enable) Oracle Database Vault on the primary server.

    By default, Oracle Database Vault is installed as part of Oracle Database. You can check the registration status by querying the DBA_DV_STATUS data dictionary view.

  4. Log in to the PDB as user SYS with the SYSDBA administrative privilege. 

    sqlplus sys@pdb_name as sysdba
Enter password: password

  5. Run the following ALTER SYSTEM statements: 

    ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE; 
ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE; 
ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; 
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE;
ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE;
ALTER SYSTEM SET REMOTE_OS_AUTHENT=FALSE SCOPE=SPFILE; 
ALTER SYSTEM SET REMOTE_OS_ROLES=FALSE SCOPE=SPFILE;

  6. Run the ALTER SYSTEM statement on each database instance to set the parameters as shown in Step 5.

  7. Close and then reopen each PDB. 

    CONNECT SYS@pdb_name AS SYSDBA
Enter password: password

ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb_name OPEN;

Related Topics

Parent topic: Integrating Oracle Database Vault with Oracle Data Guard

Step 2: Configure the Standby Database

You can perform the standby database configuration within the database to be used for the standby database.

  1. Log into the database instance as user SYS with the SYSDBA administrative privilege.
    sqlplus sys@pdb_name as sysdba
Enter password: password

    To find the available PDBs, query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the show con_name command.

  2. Mount a standby database instance. 
    ALTER DATABASE MOUNT STANDBY DATABASE;
  3. Run the following ALTER SYSTEM statements:
    ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE; 
ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE; 
ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; 
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE;
ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE;
ALTER SYSTEM SET REMOTE_OS_AUTHENT=FALSE SCOPE=SPFILE; 
ALTER SYSTEM SET REMOTE_OS_ROLES=FALSE SCOPE=SPFILE;
  4. Close and then reopen the PDB.

    For example: 

    ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
ALTER PLUGGABLE DATABASE pdb_name OPEN;
  5. Mount the next standby instance.
  6. Restart the managed recovery as follows: 
    ALTER DATABASE RECOVER MANAGED STANDBY DATABASE;
  7. If you are using Data Guard Broker, then from the command line, re-enable the configuration.
    dgmgrl sys
Enter password: password

DGMGRL> enable configuration;

    This command applies the changes to the physical standby database made by the Oracle Database Vault installation on the primary database.

  8. Repeat the physical standby installation process on each physical standby database. For example, if there are three physical standby databases, then run these procedures or each standby database.

Parent topic: Integrating Oracle Database Vault with Oracle Data Guard

How Auditing Works After an Oracle Database Vault-Oracle Active Data Guard Integration

After you have integrated Oracle Database Vault with Oracle Active Data Guard, how auditing is configured affects how audit records are generated.

If you want to use the Active Data Guard physical standby database for read-only queries, then you must use pure unified auditing, not mixed mode. If mixed mode is used, then any query in the Active Data Guard physical standby that generates Oracle Database Vault audit records will be blocked. Oracle Database Vault cannot write to the traditional Database Vault audit table (DVSYS.AUDIT_TRAILS$). Unified auditing will ensure that the Database Vault audit data is written into the operating system log files in an Oracle Active Data Guard physical standby database. You can move the data in these log files to the unified audit trail. Remember that to audit Database Vault activities, you must create unified audit policies, because the Database Vault traditional audit settings do not apply to unified auditing.

Parent topic: Integrating Oracle Database Vault with Oracle Data Guard

Registering Oracle Internet Directory Using Oracle Database Configuration Asssitant

You can use Oracle Internet Directory in an Oracle Database Vault-enabled database.

However, if you want to register Oracle Internet Directory (OID) using Oracle Database Configuration Assistant (DBCA), then you must first disable Oracle Database Vault.

Related Topics

Parent topic: Integrating Oracle Database Vault with Other Oracle Products