List of Figures
List of Tables
Title and Copyright Information
Preface
- Audience
- Documentation Accessibility
- Related Documents
- Conventions
Changes in This Release for Oracle Database Vault Administrator's Guide
- Changes in Oracle Database Vault 18c
- Changes in Oracle Database Vault 12c Release 2 (12.2)
  - New Features
  - Deprecated Features
    - Deprecated Rules and Rule Sets
    - Deprecated UTL_FILE_DIR Parameter
1 Introduction to Oracle Database Vault
- What Is Oracle Database Vault?
- What Privileges Do You Need to Use Oracle Database Vault?
- Components of Oracle Database Vault
- How Oracle Database Vault Addresses Compliance Regulations
- How Oracle Database Vault Protects Privileged User Accounts
- How Oracle Database Vault Allows for Flexible Security Policies
- How Oracle Database Vault Addresses Database Consolidation Concerns
- How Oracle Database Vault Works in a Multitenant Environment
2 What to Expect After You Enable Oracle Database Vault
- Initialization and Password Parameter Settings That Change
- How Oracle Database Vault Restricts User Authorizations
- New Database Roles to Enforce Separation of Duties
- Privileges That Are Revoked from Existing Users and Roles
- Privileges That Are Prevented for Existing Users and Roles
- Modified AUDIT Statement Settings for a Non-Unified Audit Environment
3 Getting Started with Oracle Database Vault
- Manually Installing Oracle Database Vault in a Multitenant Environment
- Registering Oracle Database Vault with an Oracle Database
- Logging into Oracle Database Vault
- Quick Start Tutorial: Securing a Schema from DBA Access
4 Performing Privilege Analysis to Find Privilege Use
- What Is Privilege Analysis?
- Creating and Managing Privilege Analysis Policies
- Creating Roles and Managing Privileges Using Cloud Control
- Tutorial: Using Capture Runs to Analyze ANY Privilege Use
- Tutorial: Analyzing Privilege Use by a User Who Has the DBA Role
- Privilege Analysis Policy and Report Data Dictionary Views
5 Configuring Realms
- What Are Realms?
- Default Realms
- Creating a Realm
- About Realm-Secured Objects
- About Realm Authorization
- Realm Authorizations in a Multitenant Environment
- Modifying the Enablement Status of a Realm
- Deleting a Realm
- How Realms Work
- How Authorizations Work in a Realm
  - About Authorizations in a Realm
  - Examples of Realm Authorizations
- Access to Objects That Are Protected by a Realm
- Example of How Realms Work
- How Realms Affect Other Oracle Database Vault Components
- Guidelines for Designing Realms
- How Realms Affect Performance
- Realm Related Reports and Data Dictionary Views
6 Configuring Rule Sets
- What Are Rule Sets?
- Rule Sets and Rules in a Multitenant Environment
- Default Rule Sets
- Creating a Rule Set
- Creating a Rule to Add to a Rule Set
- Removing Rule Set References to Oracle Database Vault Components
- Deleting a Rule Set
- How Rule Sets Work
- Tutorial: Creating an Email Alert for Security Violations
- Tutorial: Configuring Two-Person Integrity, or Dual Key Security
- Guidelines for Designing Rule Sets
- How Rule Sets Affect Performance
- Rule Set and Rule Related Reports and Data Dictionary Views
7 Configuring Command Rules
- What Are Command Rules?
- Default Command Rules
- SQL Statements That Can Be Protected by Command Rules
- Creating a Command Rule
- Modifying the Enablement Status of a Command Rule
- Deleting a Command Rule
- How Command Rules Work
- Tutorial: Using a Command Rule to Control Table Creations by a User
- Guidelines for Designing Command Rules
- How Command Rules Affect Performance
- Command Rule Related Reports and Data Dictionary View
8 Configuring Factors
- What Are Factors?
- Default Factors
- Creating a Factor
- Adding an Identity to a Factor
- Deleting a Factor
- How Factors Work
- Tutorial: Preventing Ad Hoc Tool Access to the Database
- Tutorial: Restricting User Activities Based on Session Data
- Guidelines for Designing Factors
- How Factors Affect Performance
- Factor Related Reports and Data Dictionary Views
9 Configuring Secure Application Roles for Oracle Database Vault
- What Are Secure Application Roles in Oracle Database Vault?
- Creating an Oracle Database Vault Secure Application Role
- Modifications to a Secure Application Role
- Security for Oracle Database Vault Secure Application Roles
- Deleting an Oracle Database Vault Secure Application Role
- How Oracle Database Vault Secure Application Roles Work
- Tutorial: Granting Access with Database Vault Secure Application Roles
- How Secure Application Roles Affect Performance
- Secure Application Role Related Reports and Data Dictionary View
10 Configuring Oracle Database Vault Policies
- What Are Database Vault Policies?
  - About Oracle Database Vault Policies
  - Oracle Database Vault Policies in a Multitenant Environment
- Default Oracle Database Vault Policies
- Creating an Oracle Database Policy
- Modifying an Oracle Database Vault Policy
- Deleting an Oracle Database Vault Policy
- Related Data Dictionary Views
11 Using Simulation Mode for Logging Realm and Command Rule Activities
- About Simulation Mode
- Simulation Mode Use Cases
- Logging Realms in Simulation Mode
- Tutorial: Tracking Violations to a Realm Using Simulation Mode
12 Integrating Oracle Database Vault with Other Oracle Products
- Integrating Oracle Database Vault with Enterprise User Security
  - About Integrating Oracle Database Vault with Enterprise User Security
  - Configuring an Enterprise User Authorization
- Configuring Oracle Database Vault Accounts as Enterprise User Accounts
- Integration of Oracle Database Vault with Transparent Data Encryption
- Attaching Factors to an Oracle Virtual Private Database
- Integrating Oracle Database Vault with Oracle Label Security
- Integrating Oracle Database Vault with Oracle Data Guard
  - Step 1: Configure the Primary Database
  - Step 2: Configure the Standby Database
- Registering Oracle Internet Directory Using Oracle Database Configuration Asssitant
13 DBA Operations in an Oracle Database Vault Environment
- Using Oracle Database Vault with Oracle Enterprise Manager
- Using Oracle Data Pump with Oracle Database Vault
- Using Oracle Scheduler with Oracle Database Vault
- Using Information Lifecycle Management with Oracle Database Vault
- Using Oracle Database Replay with Oracle Database Vault
- Executing Preprocessor Programs with Oracle Database Vault
- Oracle Recovery Manager and Oracle Database Vault
- Privileges for Using Oracle Streams with Oracle Database Vault
- Privileges for Using XStream with Oracle Database Vault
- Privileges for Using Oracle GoldenGate in with Oracle Database Vault
- Using Data Masking in an Oracle Database Vault Environment
- Converting a Standalone Oracle Database to a PDB and Plugging It into a CDB
- Using the ORADEBUG Utility with Oracle Database Vault
14 Oracle Database Vault Schemas, Roles, and Accounts
- Oracle Database Vault Schemas
  - DVSYS Schema
  - DVF Schema
- Oracle Database Vault Roles
- Oracle Database Vault Accounts Created During Registration
- Backup Oracle Database Vault Accounts
15 Oracle Database Vault Realm APIs
- ADD_AUTH_TO_REALM Procedure
- ADD_OBJECT_TO_REALM Procedure
- CREATE_REALM Procedure
- DELETE_AUTH_FROM_REALM Procedure
- DELETE_OBJECT_FROM_REALM Procedure
- DELETE_REALM Procedure
- DELETE_REALM_CASCADE Procedure
- RENAME_REALM Procedure
- UPDATE_REALM Procedure
- UPDATE_REALM_AUTH Procedure
16 Oracle Database Vault Rule Set APIs
- DBMS_MACADM Rule Set Procedures
- Oracle Database Vault PL/SQL Rule Set Functions
17 Oracle Database Vault Command Rule APIs
- CREATE_COMMAND_RULE Procedure
- CREATE_CONNECT_COMMAND_RULE Procedure
- CREATE_SESSION_EVENT_CMD_RULE Procedure
- CREATE_SYSTEM_EVENT_CMD_RULE Procedure
- DELETE_COMMAND_RULE Procedure
- DELETE_CONNECT_COMMAND_RULE Procedure
- DELETE_SESSION_EVENT_CMD_RULE Procedure
- DELETE_SYSTEM_EVENT_CMD_RULE Procedure
- UPDATE_COMMAND_RULE Procedure
- UPDATE_CONNECT_COMMAND_RULE Procedure
- UPDATE_SESSION_EVENT_CMD_RULE Procedure
- UPDATE_SYSTEM_EVENT_CMD_RULE Procedure
18 Oracle Database Vault Factor APIs
- DBMS_MACADM Factor Procedures and Functions
- Oracle Database Vault Run-Time PL/SQL Procedures and Functions
- Oracle Database Vault DVF PL/SQL Factor Functions
19 Oracle Database Vault Secure Application Role APIs
- DBMS_MACADM Secure Application Role Procedures
- DBMS_MACSEC_ROLES Secure Application Role Procedure and Function
  - CAN_SET_ROLE Function
  - SET_ROLE Procedure
20 Oracle Database Vault Oracle Label Security APIs
- CREATE_MAC_POLICY Procedure
- CREATE_POLICY_LABEL Procedure
- DELETE_MAC_POLICY_CASCADE Procedure
- DELETE_POLICY_FACTOR Procedure
- DELETE_POLICY_LABEL Procedure
- UPDATE_MAC_POLICY Procedure
21 Oracle Database Vault Utility APIs
- DBMS_MACUTL Constants
- DBMS_MACUTL Package Procedures and Functions
22 Oracle Database Vault General Administrative APIs
- DBMS_MACADM General System Maintenance Procedures
- CONFIGURE_DV General System Maintenance Procedure
23 Oracle Database Vault Policy APIs
- ADD_CMD_RULE_TO_POLICY Procedure
- ADD_OWNER_TO_POLICY Procedure
- ADD_REALM_TO_POLICY Procedure
- CREATE_POLICY Procedure
- DELETE_CMD_RULE_FROM_POLICY Procedure
- DELETE_OWNER_FROM_POLICY Procedure
- DELETE_REALM_FROM_POLICY Procedure
- DROP_POLICY Procedure
- RENAME_POLICY Procedure
- UPDATE_POLICY_DESCRIPTION Procedure
- UPDATE_POLICY_STATE Procedure
24 Oracle Database Vault API Reference
- DBMS_MACADM PL/SQL Package Contents
- DBMS_MACSEC_ROLES PL/SQL Package Contents
- DBMS_MACUTL PL/SQL Package Contents
- CONFIGURE_DV PL/SQL Procedure
- DVF PL/SQL Interface Contents
25 Oracle Database Vault Data Dictionary Views
- About the Oracle Database Vault Data Dictionary Views
- CDB_DV_STATUS View
- DBA_DV_CODE View
- DBA_DV_COMMAND_RULE View
- DBA_DV_DATAPUMP_AUTH View
- DBA_DV_DBCAPTURE_AUTH View
- DBA_DV_DBREPLAY View
- DBA_DV_DDL_AUTH View
- DBA_DV_DICTIONARY_ACCTS View
- DBA_DV_FACTOR View
- DBA_DV_FACTOR_TYPE View
- DBA_DV_FACTOR_LINK View
- DBA_DV_IDENTITY View
- DBA_DV_IDENTITY_MAP View
- DBA_DV_JOB_AUTH View
- DBA_DV_MAC_POLICY View
- DBA_DV_MAC_POLICY_FACTOR View
- DBA_DV_MAINTENANCE_AUTH View
- DBA_DV_ORADEBUG View
- DBA_DV_PATCH_ADMIN_AUDIT View
- DBA_DV_POLICY View
- DBA_DV_POLICY_LABEL View
- DBA_DV_POLICY_OBJECT View
- DBA_DV_POLICY_OWNER View
- DBA_DV_PREPROCESSOR_AUTH View
- DBA_DV_PROXY_AUTH View
- DBA_DV_PUB_PRIVS View
- DBA_DV_REALM View
- DBA_DV_REALM_AUTH View
- DBA_DV_REALM_OBJECT View
- DBA_DV_ROLE View
- DBA_DV_RULE View
- DBA_DV_RULE_SET View
- DBA_DV_RULE_SET_RULE View
- DBA_DV_STATUS View
- DBA_DV_SIMULATION_LOG View
- DBA_DV_TTS_AUTH View
- DBA_DV_USER_PRIVS View
- DBA_DV_USER_PRIVS_ALL View
- DVSYS.DV$CONFIGURATION_AUDIT View
- DVSYS.DV$ENFORCEMENT_AUDIT View
- DVSYS.DV$REALM View
- DVSYS.POLICY_OWNER_COMMAND_RULE View
- DVSYS.POLICY_OWNER_POLICY View
- DVSYS.POLICY_OWNER_REALM View
- DVSYS.POLICY_OWNER_REALM_AUTH View
- DVSYS.POLICY_OWNER_REALM_OBJECT View
- DVSYS.POLICY_OWNER_RULE View
- DVSYS.POLICY_OWNER_RULE_SET View
- DVSYS.POLICY_OWNER_RULE_SET_RULE View
- AUDSYS.DV$CONFIGURATION_AUDIT View
- AUDSYS.DV$ENFORCEMENT_AUDIT View
26 Monitoring Oracle Database Vault
- About Monitoring Oracle Database Vault
- Monitoring Security Violations and Configuration Changes
27 Oracle Database Vault Reports
- About the Oracle Database Vault Reports
- Who Can Run the Oracle Database Vault Reports?
- Running the Oracle Database Vault Reports
- Oracle Database Vault Configuration Issues Reports
- Oracle Database Vault Auditing Reports
- Oracle Database Vault General Security Reports
A Auditing Oracle Database Vault
- About Auditing in Oracle Database Vault
- Protection of the Unified Audit Trail in an Oracle Database Vault Environment
- Oracle Database Vault Specific Audit Events
  - Oracle Database Vault Policy Audit Events
  - Oracle Database Vault Audit Trail Record Format
- Archiving and Purging the Oracle Database Vault Audit Trail
- Oracle Database Audit Settings Created for Oracle Database Vault
B Disabling and Enabling Oracle Database Vault
- When You Must Disable Oracle Database Vault
- Step 1: Disable Oracle Database Vault
- Step 2: Perform the Required Tasks
- Step 3: Enable Oracle Database Vault
C Postinstallation Oracle Database Vault Procedures
- Configuring Oracle Database Vault on Oracle RAC Nodes
- Adding Languages to Oracle Database Vault
- Deinstalling Oracle Database Vault
- Reinstalling Oracle Database Vault
D Oracle Database Vault Security Guidelines
- Separation of Duty Guidelines
- Managing Oracle Database Administrative Accounts
- Accounts and Roles Trusted by Oracle Database Vault
- Accounts and Roles That Should be Limited to Trusted Individuals
- Guidelines for Using Oracle Database Vault in a Production Environment
- Secure Configuration Guidelines
E Troubleshooting Oracle Database Vault
- Using Trace Files to Diagnose Oracle Database Vault Events
- General Diagnostic Tips
- Configuration Problems with Oracle Database Vault Components
- Resetting Oracle Database Vault Account Passwords
  - Resetting the DV_OWNER User Password
  - Resetting the DV_ACCTMGR User Password
Index