Oracle® Database Vault Administrator's Guide
11g Release 2 (11.2)

E23090-12

Index


Symbols

% wildcard, 18.3

A

access control policy
configuring with tools and components
Oracle Label Security PL/SQL APIs, 1.2.5
Oracle Policy Manager, 1.2.5
reports
Core Database Vault Audit Report, 18.4.2.5
access control run-time PL/SQL procedures and functions, 15.1
Access to Sensitive Objects Report, 18.5.3.2
accessibility features, C.4
accounts
See database accounts
Accounts With DBA Roles Report, 18.5.5.2
Accounts with SYSDBA/SYSOPER Privilege Report, 18.5.3.4
ad hoc tools
preventing use of, 7.8.1
administrators
DBA operations in Oracle Database Vault, 10
restricting different types, 7.9.1
ADRCI utility
Database Vault, E.1.6.3
alerts
email alert in rule set, 5.8.1
Enterprise Manager Grid Control, 10.1.3
ALTER DATABASE statement
monitoring, 17.2
ALTER ROLE statement
monitoring, 17.3.1
ALTER SESSION privilege
enabling trace files, E.1.5
reports, ALTER SYSTEM or ALTER SESSION Report, 18.5.5.5
ALTER SESSION statement
guidelines on managing privileges, D.6.6
ALTER SYSTEM or ALTER SESSION Report, 18.5.5.5
ALTER SYSTEM privilege
reports, ALTER SYSTEM or ALTER SESSION Report, 18.5.5.5
ALTER SYSTEM statement
controlling with command rules, 6.1
guidelines on managing privileges, D.6.6
ALTER TABLE statement
monitoring, 17.2
ALTER USER statement
monitoring, 17.3.1
ANY privileges, 11.2.11
ANY System Privileges for Database Accounts Report, 18.5.2.4
APIs
See DBMS_MACADM package, DBMS_MACSEC_ROLES package, DBMS_MACUTL package
assistive technology, C.4
AUD$ table
See SYS.AUD$ table
audit policy change
monitoring, 17.3.1
AUDIT privilege, 18.5.5.10
AUDIT Privileges Report, 18.5.5.10
AUDIT_SYS_OPERATIONS initialization parameter, 2.1
AUDIT_TRAIL initialization parameter
effect on Core Database Audit Report, 18.5.8
AUDIT_TRAIL$ system table
affected by AUDIT_TRAIL initialization parameter, A.1.2
archiving, A.2
format, A.1.2
purging, A.2
auditing
archiving Database Vault audit trail, A.2
Core Database Audit Report, 18.5.8
DBMS_MACUTL fields, 14.2.1
factors
options, 7.3
intruders
using factors, 7.3
using rule sets, 5.3
Oracle Database audit settings, A.3
purging Database Vault audit trail, A.2
realms
DBMS_MACUTL fields, 14.2.1
options, 4.3
reports, 18.4.2
rule sets
DBMS_MACUTL fields, 14.2.1
options, 5.3
secure application roles
audit records, 8.8
views used to audit events, 16.2
auditing policies
about, A
audit events
about, A.1.1
custom events
audit trail, A.1.2
events that are tracked, A.1.1
monitoring changes to, 17.3.1
authentication
Authentication_Method default factor, 7.2
command rules, 6.1
method, finding with DVF.F$AUTHENTICATION_METHOD, 15.2.1
realm procedures, 12.2
authorizations
Oracle Data Pump activities, 10.2.1
realms, 4.6
scheduling database jobs, 10.3.1

B

BECOME USER Report, 18.5.5.4
BECOME USER system privilege
about, 18.5.5.4

C

catalog-based roles, 18.5.5.9
child factors
See factors
clients
finding IP address with DVF.F$CLIENT_IP, 15.2.2
code groups
retrieving value with DBMS_MACUTL functions, 14.3
Command Rule Audit Report, 18.4.2.2
Command Rule Configuration Issues Report, 18.4.1.1
command rules
about, 6.1
creating, 6.4
data dictionary view, 6.10
data masking, 10.8.4
default command rules, 6.2
default command rules not showing in Database Vault Administrator, C.1
deleting, 6.5
editing, 6.4
functions
DBMS_MACUTL (utility), 14.1
guidelines, 6.8
how command rules work, 6.6
objects
name, 6.4
owner, 6.4
performance effect, 6.9
procedures
DBMS_MACADM (configuration), 12.4
process flow, 6.6
propagating policies to other databases, 10.1.2
reports, 6.10
rule sets
selecting, 6.4
used with, 6.1
troubleshooting
with auditing report, 18.4.2.2
tutorial, 6.7.1
views, 6.10, 16.3
See also rule sets
compliance
Oracle Database Vault addressing, 1.3
computer name
finding with DVF.F$MACHINE, 15.2.13
Machine default factor, 7.2
configuration
monitoring changes, 17.3.1
See also DBMS_MACADM package
CONNECT events, controlling with command rules, 6.1
core database
troubleshooting with Core Database Vault Audit Report, 18.4.2.5
Core Database Audit Report, 18.5.8
Core Database Vault Audit Trail Report, 18.4.2.5
CPU_PER_SESSION resource profile, 18.5.6.2
CREATE ANY JOB privilege, D.6.3
CREATE ANY JOB statement
guidelines on managing privileges, D.6.3
CREATE EXTERNAL JOB privilege, D.6.4
CREATE JOB privilege, D.6.3
CREATE JOB statement
guidelines on managing privileges, D.6.3
CREATE ROLE statement
monitoring, 17.3.1
CREATE TABLE statement
monitoring, 17.2
CREATE USER statement
monitoring, 17.3.1

D

data definition language (DDL)
statement
controlling with command rules, 6.1
data dictionary
adding DV_ACCTMGR role to realm, 3.3.2
Data Dictionary realm
data masking, 10.8.2
data manipulation language (DML)
statement
checking with DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED function, 14.3
controlling with command rules, 6.1
data masking
about, 10.8.1
adding users to realms for, 10.8.3
creating command rule for, 10.8.4
errors that can appear, 10.8.1
data Oracle Database Vault recognizes
See factors
Data Pump
See Oracle Data Pump
Database Account Default Password Report, 18.5.7.1
Database Account Status Report, 18.5.7.2
database accounts
counting privileges of, 18.5.4.1
DBSNMP
changing password, 10.1.5
granted DV_MONITOR role, 11.2.4
realm for, 4.2
DVSYS, 11.3
LBACSYS, 11.3
monitoring, 17.3.1
reports
Accounts With DBA Roles Report, 18.5.5.2
ALTER SYSTEM or ALTER SESSION Report, 18.5.5.5
ANY System Privileges for Database Accounts Report, 18.5.2.4
AUDIT Privileges Report, 18.5.5.10
BECOME USER Report, 18.5.5.4
Database Account Default Password Report, 18.5.7.1
Database Account Status Report, 18.5.7.2
Database Accounts With Catalog Roles Report, 18.5.5.9
Direct and Indirect System Privileges By Database Account Report, 18.5.2.2
Direct Object Privileges Report, 18.5.1.3
Direct System Privileges By Database Account Report, 18.5.2.1
Hierarchical System Privileges by Database Account Report, 18.5.2.3
Object Access By PUBLIC Report, 18.5.1.1
Object Access Not By PUBLIC Report, 18.5.1.2
OS Security Vulnerability Privileges, 18.5.5.11
Password History Access Report, 18.5.5.6
Privileges Distribution By Grantee Report, 18.5.4.1
Privileges Distribution By Grantee, Owner Report, 18.5.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 18.5.4.3
Roles/Accounts That Have a Given Role Report, 18.5.5.8
Security Policy Exemption Report, 18.5.5.3
WITH ADMIN Privilege Grants Report, 18.5.5.1
WITH GRANT Privileges Report, 18.5.5.7
solution for lockouts, B.1
suggested, 11.3
SYSMAN
realm for, 4.2
Database Accounts With Catalog Roles Report, 18.5.5.9
database administrative operations, 10
database configuration
monitoring changes, 17.2
Database Configuration Assistant (DBCA)
Oracle Database Vault, 3.1
database definition language (DDL)
statements
controlling with command rules, 6.1
database domains, Database_Domain default factor, 7.2
database objects
Oracle Database Vault, 11, 16.22
reports
Object Dependencies Report, 18.5.1.4
See also objects
database options, installing, B.1
database roles
about, 11.2.1
counting privileges of, 18.5.4.1
default Oracle Database Vault, 11.2.1
DV_ACCTMGR
about, 11.2.11
adding to Data Dictionary realm, 3.3.2
DV_ADMIN, 11.2.3
DV_GOLDENGATE_ADMIN, 11.2.8
DV_GOLDENGATE_REDO_ACCESS, 11.2.9
DV_MONITOR, 11.2.4
DV_OWNER, 11.2.2
DV_PATCH_ADMIN, 11.2.10
DV_PUBLIC, 11.2.14
DV_REALM_OWNER, 11.2.12
DV_REALM_RESOURCE, 11.2.13
DV_SECANALYST, 11.2.5
DV_STREAMS_ADMIN, 11.2.6
DV_XSTREAM_ADMIN, 11.2.7
enabled, determining with DVSYS.ROLE_IS_ENABLED, 15.1.5
monitoring, 17.3.1
Oracle Database Vault, default, 11.2.1
reports
Accounts With DBA Roles Report, 18.5.5.2
ALTER SYSTEM or ALTER SESSION Report, 18.5.5.5
AUDIT Privileges Report, 18.5.5.10
BECOME USER Report, 18.5.5.4
Database Accounts With Catalog Roles Report, 18.5.5.9
OS Security Vulnerability Privileges, 18.5.5.11
Privileges Distribution By Grantee Report, 18.5.4.1
Roles/Accounts That Have a Given Role Report, 18.5.5.8
Security Policy Exemption Report, 18.5.5.3
WITH ADMIN Privilege Grants Report, 18.5.5.1
separation of duty enforcement, 2.3
database sessions, 7.3
controlling with Allow Sessions default rule set, 5.2
factor evaluation, 7.7.1
session user name, Proxy_User default factor, 7.2
Database Vault
See Oracle Database Vault
Database Vault Account Management realm
SYS access to, 4.2
Database Vault Administrator
setting URL in Oracle Enterprise Manager, 10.1.1
databases
dbconsole
checking process, 3.2.2
starting process, 3.2.2
defined with factors, 7.1
domain, Domain default factor, 7.2
event monitoring, E.1.1
grouped schemas
See realms
host names, Database_Hostname default factor, 7.2
instance, retrieving information with functions, 12.5
instances
Database_Instance default factor, 7.2
managing multiple instances, 3.2.2
names, finding with DVF.F$DATABASE_INSTANCE, 15.2.5
number, finding with DVSYS.DV_INSTANCE_NUM, 15.3.3
IP addresses
Database_IP default factor, 7.2
retrieving with DVF.F$DATABASE_IP, 15.2.6
log file location, 3.2.2
monitoring events, E.1.1
names
Database_Name default factor, 7.2
retrieving with DVF.F$DATABASE_NAME, 15.2.7
retrieving with DVSYS.DV_DATABASE_NAME, 15.3.4
parameters
Security Related Database Parameters Report, 18.5.6.1
roles that do not exist, 18.4.1.7
schema creation, finding with DVF.F$IDENTIFICATION_TYPE, 15.2.10
schema creation, Identification_Type default factor, 7.2
structural changes, monitoring, 17.2
user name, Session_User default factor, 7.2
DBA role
impact of Oracle Database Vault installation, 2.4
DBA_DV_COMMAND_RULE view, 6.10
DBA_USERS_WITH_DEFPWD data dictionary view
access to in Oracle Database Vault, 2.4
dbconsole process
checking status, 3.2.2
starting, 3.2.2
DBMS_FILE_TRANSFER package, guidelines on managing, D.6.1
DBMS_MACADM package
about, 12.1
command rule procedures, listed, 12.4
factor procedures, listed, 12.5
Oracle Label Security policy procedures, listed, 12.7
realm procedures, listed, 12.2
rule set procedures, listed, 12.3
secure application role procedures, listed, 12.6
DBMS_MACADM.ADD_AUTH_TO_REALM procedure, 12.2.1
DBMS_MACADM.ADD_FACTOR_LINK procedure, 12.5.1
DBMS_MACADM.ADD_NLS_DATA
procedure, C.6
DBMS_MACADM.ADD_NLS_DATA procedure, 12.8.1
DBMS_MACADM.ADD_OBJECT_TO_REALM procedure, 12.2.2
DBMS_MACADM.ADD_POLICY_FACTOR procedure, 12.5.2
DBMS_MACADM.ADD_RULE_TO_RULE_SET procedure, 12.3.1
DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure, 12.8.2, 12.8.4
DBMS_MACADM.AUTHORIZE_SCHEDULER_USER procedure, 12.8.3
DBMS_MACADM.CHANGE_IDENTITY_FACTOR procedure, 12.5.3
DBMS_MACADM.CHANGE_IDENTITY_VALUE procedure, 12.5.4
DBMS_MACADM.CREATE_COMMAND_RULE procedure, 12.4.1
DBMS_MACADM.CREATE_DOMAIN_IDENTITY procedure, 12.5.5
DBMS_MACADM.CREATE_FACTOR procedure, 12.5.6
DBMS_MACADM.CREATE_FACTOR_TYPE procedure, 12.5.7
DBMS_MACADM.CREATE_IDENTITY procedure, 12.5.8
DBMS_MACADM.CREATE_IDENTITY_MAP procedure, 12.5.9
DBMS_MACADM.CREATE_MAC_POLICY procedure, 12.7.1
DBMS_MACADM.CREATE_POLICY_LABEL procedure, 12.7.2
DBMS_MACADM.CREATE_REALM procedure, 12.2.3
DBMS_MACADM.CREATE_ROLE procedure, 12.6.1
DBMS_MACADM.CREATE_RULE procedure, 12.3.2
DBMS_MACADM.CREATE_RULE_SET procedure, 12.3.3
DBMS_MACADM.DELETE_AUTH_FROM_REALM procedure, 12.2.4
DBMS_MACADM.DELETE_COMMAND_RULE procedure, 12.4.2
DBMS_MACADM.DELETE_FACTOR procedure, 12.5.10
DBMS_MACADM.DELETE_FACTOR_LINK procedure, 12.5.11
DBMS_MACADM.DELETE_FACTOR_TYPE procedure, 12.5.12
DBMS_MACADM.DELETE_IDENTITY procedure, 12.5.13
DBMS_MACADM.DELETE_IDENTITY_MAP procedure, 12.5.14
DBMS_MACADM.DELETE_MAC_POLICY_CASCADE procedure, 12.7.3
DBMS_MACADM.DELETE_OBJECT_FROM_REALM procedure, 12.2.5
DBMS_MACADM.DELETE_POLICY_FACTOR procedure, 12.7.4
DBMS_MACADM.DELETE_POLICY_LABEL procedure, 12.7.5
DBMS_MACADM.DELETE_REALM procedure, 12.2.6
DBMS_MACADM.DELETE_REALM_CASCADE procedure, 12.2.7
DBMS_MACADM.DELETE_ROLE procedure, 12.6.2
DBMS_MACADM.DELETE_RULE procedure, 12.3.4
DBMS_MACADM.DELETE_RULE_FROM_RULE_SET procedure, 12.3.5
DBMS_MACADM.DELETE_RULE_SET procedure, 12.3.6
DBMS_MACADM.DROP_DOMAIN_IDENTITY procedure, 12.5.15
DBMS_MACADM.GET_INSTANCE_INFO function, 12.5.16
DBMS_MACADM.GET_SESSION_INFO function, 12.5.17
DBMS_MACADM.RENAME_FACTOR procedure, 12.5.18
DBMS_MACADM.RENAME_FACTOR_TYPE procedure, 12.5.19
DBMS_MACADM.RENAME_REALM procedure, 12.2.8
DBMS_MACADM.RENAME_ROLE procedure, 12.6.3
DBMS_MACADM.RENAME_RULE procedure, 12.3.7
DBMS_MACADM.RENAME_RULE_SET procedure, 12.3.8
DBMS_MACADM.SYNC_RULES procedure, 12.3.9
DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER procedure, 12.8.5
DBMS_MACADM.UPDATE_COMMAND_RULE procedure, 12.4.3
DBMS_MACADM.UPDATE_FACTOR procedure, 12.5.20
DBMS_MACADM.UPDATE_FACTOR_TYPE procedure, 12.5.21
DBMS_MACADM.UPDATE_IDENTITY procedure, 12.5.22
DBMS_MACADM.UPDATE_MAC_POLICY procedure, 12.7.6
DBMS_MACADM.UPDATE_REALM procedure, 12.2.9
DBMS_MACADM.UPDATE_REALM_AUTH procedure, 12.2.10
DBMS_MACADM.UPDATE_ROLE procedure, 12.6.4
DBMS_MACADM.UPDATE_RULE procedure, 12.3.10
DBMS_MACADM.UPDATE_RULE_SET procedure, 12.3.11
DBMS_MACSEC_ROLES package
about, 13.1
functions, listed, 13.1
DBMS_MACSEC_ROLES.CAN_SET_ROLE function, 13.2
DBMS_MACSEC_ROLES.SET_ROLE procedure, 13.3
DBMS_MACUTL package
about, 14.1
constants (fields)
examples, 14.2.2
listed, 14.2.1
procedures and functions, listed, 14.3
DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED procedure, 14.3.1
DBMS_MACUTL.GET_CODE_VALUE function, 14.3.2
DBMS_MACUTL.GET_DAY function, 14.3.6
DBMS_MACUTL.GET_HOUR function, 14.3.5
DBMS_MACUTL.GET_MINUTE function, 14.3.4
DBMS_MACUTL.GET_MONTH function, 14.3.7
DBMS_MACUTL.GET_SECOND function, 14.3.3
DBMS_MACUTL.GET_YEAR function, 14.3.8
DBMS_MACUTL.IS_ALPHA function, 14.3.9
DBMS_MACUTL.IS_DIGIT function, 14.3.10
DBMS_MACUTL.IS_DVSYS_OWNER function, 14.3.11
DBMS_MACUTL.IS_OLS_INSTALLED function, 14.3.12
DBMS_MACUTL.IS_OLS_INSTALLED_VARCHAR function, 14.3.13
DBMS_MACUTL.USER_HAS_ROLE function, 14.3.14
DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 14.3.15
DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 14.3.16
DBMS_RLS PL/SQL package
SYS granting or revoking EXECUTE on, Preface
DBSNMP user account
changing password, 10.1.5
granted DV_MONITOR role, 11.2.4
realm for, 4.2
deinstalling Oracle Database Vault, C.7
DELETE_CATALOG_ROLE role, 18.5.5.9
Denial of Service (DoS) attacks
reports
System Resource Limits Report, 18.5.6.3
Tablespace Quotas Report, 18.5.9.6
Direct and Indirect System Privileges By Database Account Report, 18.5.2.2
Direct Object Privileges Report, 18.5.1.3
direct system privileges, 18.5.2.3
Direct System Privileges By Database Account Report, 18.5.2.1
disabling system features with Disabled default rule set, 5.2
domains
defined with factors, 7.1
finding database domain with DVF.F$DATABASE_DOMAIN, 15.2.3
finding with DVF.F$DOMAIN, 15.2.8
DROP ROLE statement
monitoring, 17.3.1
DROP TABLE statement
monitoring, 17.2
DROP USER statement
monitoring, 17.3.1
dual key connection, dual key security
See two-person integrity (TPI)
DV_ACCTMGR role
about, 11.2.11
adding to Data Dictionary realm, 3.3.2
DV_ADMIN role
about, 11.2.3
changing password for user granted DV_ADMIN, 11.2.3
DV_GOLDENGATE_ADMIN role, 11.2.8
DV_GOLDENGATE_REDO_ACCESS role, 11.2.9
DV_MONITOR role, 11.2.4
DV_OWNER role
about, 11.2.2
changing password for user granted DV_OWNER, 11.2.2
DV_PATCH_ADMIN role, 11.2.10
privileges associated with, 11.2.10
DV_PUBLIC role, 11.2.14
DV_REALM_OWNER role, 11.2.12
DV_REALM_RESOURCE role, 11.2.13
DV_SECANALYST role
about, 11.2.5
changing password for user granted DV_SECANALYST, 11.2.5
DV_STREAMS_ADMIN role, 11.2.6
DV_XSTREAM_ADMIN role, 11.2.7
DVA
See Oracle Database Vault Administrator
DVF account
auditing policy, A.3
database accounts, 11.3
DVF schema, 15.2
about, 11.1.2
auditing policy, A.3
DVSYS account, 11.3
auditing policy, A.3
DVSYS schema
about, 11.1.1
auditing policy, A.3
command rules, 6.4
DV_OWNER role, 11.2.2
factor validation methods, 7.3
DVSYS.DBA_DV_CODE view, 16.2
DVSYS.DBA_DV_COMMAND_RULE view, 16.3
DVSYS.DBA_DV_DATAPUMP_AUTH view, 16.4
DVSYS.DBA_DV_FACTOR view, 16.5
DVSYS.DBA_DV_FACTOR_LINK view, 16.6
DVSYS.DBA_DV_FACTOR_TYPE view, 16.7
DVSYS.DBA_DV_IDENTITY view, 16.8
DVSYS.DBA_DV_IDENTITY_MAP view, 16.9
DVSYS.DBA_DV_MAC_POLICY view, 16.10
DVSYS.DBA_DV_MAC_POLICY_FACTOR view, 16.11
DVSYS.DBA_DV_POLICY_LABEL view, 16.12
DVSYS.DBA_DV_PUB_PRIVS view, 16.13
DVSYS.DBA_DV_REALM view, 16.14
DVSYS.DBA_DV_REALM_AUTH view, 16.15
DVSYS.DBA_DV_REALM_OBJECT view, 16.16
DVSYS.DBA_DV_ROLE view, 16.17
DVSYS.DBA_DV_RULE view, 16.18
DVSYS.DBA_DV_RULE_SET view, 16.19
DVSYS.DBA_DV_RULE_SET_RULE view, 16.20
DVSYS.DBA_DV_USER_PRIVS view, 16.21
DVSYS.DBA_DV_USER_PRIVS_ALL view, 16.22

E

email alert in rule set, 5.8.1
enabling system features with Enabled default rule set, 5.2
encrypted information, 18.5.9.5
enterprise identities, Enterprise_Identity default factor, 7.2
Enterprise Manager
See Oracle Enterprise Manager
errors
factor error options, 7.3
rule set error options, 5.3
event handler
rule sets, 5.3
examples
DBMS_MACUTL constants, 14.2.2
realms, 4.12
separation of duty matrix, D.1.3
trace files, E.1.7
See also tutorials
Execute Privileges to Strong SYS Packages Report, 18.5.3.1
EXECUTE_CATALOG_ROLE role, 18.5.5.9
impact of Oracle Database Vault installation, 2.4
EXEMPT ACCESS POLICY system privilege, 18.5.5.3
exporting data
See Oracle Data Pump
external network services, fine-grained access to
example using email alert, 5.8.1

F

Factor Audit Report, 18.4.2.3
Factor Configuration Issues Report, 18.4.1.2
Factor Without Identities Report, 18.4.1.3
factors
about, 7.1
assignment, 7.3
disabled rule set, 18.4.1.2
incomplete rule set, 18.4.1.2
validate, 7.3
assignment operation, 18.4.2.3
audit events, custom, A.1.1
audit options, 7.3
child factors
about, 7.3
Factor Configuration Issues Report, 18.4.1.2
mapping, 7.5.3
creating, 7.3
creating names, 7.3
data dictionary views, 7.12
DBMS_MACUTL constants, example of, 14.2.2
default factors, 7.2
default factors not showing in Database Vault Administrator, C.1
deleting, 7.6
domain, finding with DVF.F$DOMAIN, 15.2.8
editing, 7.4
error options, 7.3
evaluate, 7.3
evaluation operation, 18.4.2.3
factor type
about, 7.3
selecting, 7.3
factor-identity pair mapping, 7.5.3
functionality, 7.7
functions
DBMS_MACUTL (utility), 14.1
DBMS_MACUTL constants (fields), 14.2.1
guidelines, 7.10
identifying using child factors, 7.5.3
identities
about, 7.3, 7.5.1
adding to factor, 7.5
assigning, 7.3
configuring, 7.5.2
creating, 7.5.2
data dictionary views, 7.12
database session, 7.3
deleting, 7.5.2
determining with DVSYS.GET_FACTOR, 7.3
editing, 7.5.2
enterprise-wide users, 15.2.8
how factor identities work, 7.3
labels, 7.3, 7.5.2
mapping, about, 7.5.3
mapping, identified, 7.3
mapping, procedure, 7.5.3
mapping, tutorial, 7.9.1
Oracle Label Security labels, 7.3
reports, 7.12
resolving, 7.3
retrieval methods, 7.3
setting dynamically, 15.1.1
trust levels, 7.3, 7.5.2
with Oracle Label Security, 7.3
initialization, command rules, 6.1
invalid audit options, 18.4.1.2
label, 18.4.1.2
naming conventions, 7.3
Oracle Virtual Private Database, attaching factors to, 9.3
parent factors, 7.3
performance effect, 7.11
procedures
DBMS_MACADM (configuration), 12.5
process flow, 7.7
propagating policies to other databases, 10.1.2
reports, 7.12
retrieving, 7.7.2
retrieving with DVSYS.GET_FACTOR, 15.1.2
rule sets
selecting, 7.3
used with, 7.1
setting, 7.7.3
setting with DVSYS.SET_FACTOR, 15.1.1
troubleshooting
auditing report, 18.4.2.3
configuration problems, E.3
tips, E.2
type (category of factor), 7.3
validating, 7.3
values (identities), 7.1
views
DVSYS.DBA_DV_CODE, 16.2
DVSYS.DBA_DV_FACTOR_LINK, 16.6
DVSYS.DBA_DV_FACTOR_TYPE, 16.7
DVSYS.DBA_DV_IDENTITY, 16.8
DVSYS.DBA_DV_IDENTITY_MAP, 16.9
DVSYS.DBA_DV_MAC_POLICY_FACTOR, 16.11
ways to assign, 7.3
See also rule sets
features, new
See new features
functions
command rules
DBMS_MACUTL (utility), 14.1
DVSYS schema enabling, 15.1
factors
DBMS_MACUTL (utility), 14.1
Oracle Label Security policy
DBMS_MACADM (configuration), 12.7
realms
DBMS_MACUTL (utility), 14.1
rule sets
DBMS_MACADM (configuration), 12.3
DBMS_MACUTL (utility), 14.1
PL/SQL functions for inspecting SQL, 15.3
secure application roles
DBMS_MACADM (configuration), 12.6
DBMS_MACSEC_ROLES (configuration), 13.1
DBMS_MACUTL (utility), 14.1

G

general security reports, 18.5
GRANT statement
monitoring, 17.3.1
guidelines
ALTER SESSION privilege, D.6.6
ALTER SYSTEM privilege, D.6.6
command rules, 6.8
CREATE ANY JOB privilege, D.6.3
CREATE EXTERNAL JOB privilege, D.6.4
CREATE JOB privilege, D.6.3
DBMS_FILE_TRANSFER package, D.6.1
factors, 7.10
general security, D
LogMiner packages, D.6.5
managing DV_OWNER and DV_ACCTMGR accounts, 11.3
operating system access, D.2.4
Oracle software owner, D.4.2
performance effect, 7.11
realms, 4.14
recycle bin, D.6.2
root access, D.2.4
root user access, D.4.1
rule sets, 5.10
secure application roles, 8.3
SYSDBA access, D.4.3
SYSDBA privilege, limiting, D.2.3
SYSOPER access, D.4.4
SYSTEM schema and application tables, D.2.2
SYSTEM user account, D.2.1
trusted accounts and roles, D.3
using Database Vault in a production environment, D.5
UTL_FILE package, D.6.1

H

hackers
See security attacks
Hierarchical System Privileges by Database Account Report, 18.5.2.3
host names
finding with DVF.F$DATABASE_HOSTNAME, 15.2.4

I

identities
See factors, identities
Identity Configuration Issues Report, 18.4.1.4
IDLE_TIME resource profile, 18.5.6.2
IMP_FULL_DATABASE role
impact of Oracle Database Vault installation, 2.4
importing data
See Oracle Data Pump
incomplete rule set, 18.4.1.2
role enablement, 18.4.1.7
initialization parameters
Allow System Parameters default rule set, 5.2
modified after installation, 2.1
modified by Oracle Database Vault, 2.1
reports, 18.5.6
insider threats
See intruders
installations
security considerations, D.6
intruders
See security attacks
IP addresses
Client_IP default factor, 7.2
defined with factors, 7.1

J

Java Policy Grants Report, 18.5.9.1
jobs, scheduling
See scheduling database jobs

L

Label Security Integration Audit Report, 18.4.2.4
labels
about, 7.5.2
See also Oracle Label Security
languages
adding to Oracle Database Vault, C.6
consistency between Oracle Database and operating system, C.1
finding with DVF.F$LANG, 15.2.11
finding with DVF.F$LANGUAGE, 15.2.12
name
Lang default factor, 7.2
Language default factor, 7.2
LBACSYS account
about, 11.3
auditing policy, A.3
factor integration with OLS policy requirement, 9.4.3
See also Oracle Label Security
LBACSYS schema
auditing policy, A.3
locked out accounts, solution for, B.1
log files
Database Vault log files, A.1.2
location for Oracle Database logs, 3.2.2
logging on
Oracle Database Vault
Oracle Database Vault Owner account, 3.2.2
reports, Core Database Audit Report, 18.5.8
LogMiner packages
guidelines, D.6.5

M

maintenance on Oracle Database Vault, B.1
managing user accounts and profiles
Can Maintain Accounts/Profiles default rule set, 5.2
managing user accounts and profiles on own account, Can Maintain Own Accounts default rule set, 5.2
mapping identities, 7.5.3
monitoring
accessibility features, enabling, C.4.2
activities, 17
textual representation in charts, enabling, C.4.2
My Oracle Support, 7.8.3
about, Preface

N

naming conventions
factors, 7.3
realms, 4.3
rule sets, 5.3
rules, 5.5.1
network protocol
finding with DVF.F$NETWORK_PROTOCOL, 15.2.14
network protocol, Network_Protocol default factor, 7.2
new features, Preface
NOAUDIT statement
monitoring, 17.3.1
Non-Owner Object Trigger Report, 18.5.9.7
nonsystem database accounts, 18.5.1.3

O

Object Access By PUBLIC Report, 18.5.1.1
Object Access Not By PUBLIC Report, 18.5.1.2
Object Dependencies Report, 18.5.1.4
object owners
nonexistent, 18.4.1.1
reports
Command Rule Configuration Issues Report, 18.4.1.1
object privilege reports, 18.5.1
objects
command rule objects
name, 6.4
owner, 6.4
processing, 6.6
dynamic SQL use, 18.5.9.3
monitoring, 17.3.1
object names
finding with DVSYS.DV_DICT_OBJ_NAME, 15.3.7
object owners
finding with DVSYS.DV_DICT_OBJ_OWNER, 15.3.6
realms
object name, 4.5
object owner, 4.5
object type, 4.5
procedures for registering, 12.2
reports
Access to Sensitive Objects Report, 18.5.3.2
Accounts with SYSDBA/SYSOPER Privilege Report, 18.5.3.4
Direct Object Privileges Report, 18.5.1.3
Execute Privileges to Strong SYS Packages Report, 18.5.3.1
Non-Owner Object Trigger Report, 18.5.9.7
Object Access By PUBLIC Report, 18.5.1.1
Object Access Not By PUBLIC Report, 18.5.1.2
Object Dependencies Report, 18.5.1.4
Objects Dependent on Dynamic SQL Report, 18.5.9.3
OS Directory Objects Report, 18.5.9.2
privilege, 18.5.1
Public Execute Privilege To SYS PL/SQL Procedures Report, 18.5.3.3
sensitive, 18.5.3
System Privileges By Privilege Report, 18.5.2.5
types
finding with DVSYS.DV_DICT_OBJ_TYPE, 15.3.5
views, DVSYS.DBA_DV_REALM_OBJECT, 16.16
See also database objects
Objects Dependent on Dynamic SQL Report, 18.5.9.3
OEM
See Oracle Enterprise Manager (OEM)
OLS
See Oracle Label Security
operating system access
guideline for using with Database Vault, D.2.4
operating systems
reports
OS Directory Objects Report, 18.5.9.2
OS Security Vulnerability Privileges Report, 18.5.5.11
vulnerabilities, 18.5.5.11
ORA-00942 error, 8.6.7
ORA-01031 error, 5.3
ORA-01301 error, 10.8.1
ORA-06512 error, 5.8.4, 14.3.1
ORA-24247 error, 5.8.4
ORA-47305 error, 8.6.7
ORA-47400 error, 5.8.6, 10.8.1
ORA-47401 error, 4.10, 10.8.1
ORA-47408 error, 10.8.1
ORA-47409 error, 10.8.1
ORA-47920 error, 14.3.1
Oracle Data Guard
using with Oracle Database Vault, 9
Oracle Data Pump
Allow Oracle Data Pump Operation rule set, 5.2
archiving the Oracle Database Vault audit trail with, A.2
DVSYS.DBA_DV_DATAPUMP_AUTH view, 16.4
DVSYS.MACADM procedures for authorization, 12.8.2
granting authorization to use with Database Vault, 10.2.2
guidelines before performing an export or import, 10.2.3
revoking authorization from using with Database Vault, 10.2.4
using with Oracle Database Vault, 10.2.1
Oracle database
See databases
Oracle Database Vault
about, 1.1
components, 1.2, 1.2.1
deinstalling, C.7
disabling
checking if disabled, B.2
procedures for, B
reasons for, B.1
enabling
checking if enabled, B.2
procedures for, B
frequently asked questions, 1.1
integrating with other Oracle products, 9
maintenance, B.1
Oracle Database installation, effect on, 2
post-installation procedures, C
registering, 3.1
reinstalling, C.8
Oracle Database Vault Administrator
starting, 3.2
starting without Oracle Enterprise Manager, 3.2.2
Oracle Database Vault Administrator (DVA)
accessibility features, enabling, C.4
accessibility mode, C.4.1
configuring users to access from Database Control, 3.2.1.3
deploying manually
to Database Console OC4J container, C.2.2
to standalone OC4J container, C.2.1
logging into from Oracle Enterprise Manager Database Control, 3.2.1.3
logging on, 3.2
logging on from Oracle Enterprise Manager Grid Control, 3.2.1.2
logging on without Oracle Enterprise Manager, 3.2.2
textual representation in charts, C.4.2
time-out value, C.3
Oracle Database Vault Owner account
example of logging on with, 3.2.2
Oracle Enterprise Manager
DBSNMP account
changing password, 10.1.5
granted DV_MONITOR role, 11.2.4
realm for, 4.2
default realm used for, 4.2
performance tools, 4.15
setting URL for Database Vault Administrator, 10.1.1
SYSMAN account
realm for, 4.2
using Oracle Database Vault with, 10.1
Oracle Enterprise Manager Database Control
configuring users for Database Vault Administrator, 3.2.1.3
starting Database Vault Administrator from, 3.2.1.3
starting Oracle Database Vault from, 3.2.1.1
Oracle Enterprise Manager Grid Control
monitoring Database Vault for attempted violations, 11.2.4
propagating Database Vault policies to other databases, 10.1.2
starting Oracle Database Vault from, 3.2.1.2
Oracle Enterprise User Security, integrating with Oracle Database Vault, 9.1
Oracle GoldenGate
Database Vault role used for
DV_GOLDENGATE_ADMIN, 11.2.8
DV_GOLDENGATE_REDO_ACCESS, 11.2.9
in an Oracle Database Vault environment, 10.7
Oracle Internet Directory Distinguished Name, Proxy_Enterprise_Identity default factor, 7.2
Oracle Label Security (OLS)
audit events, custom, A.1.1
checking if installed using DBMS_MACUTL functions, 14.3
data dictionary views, 9.4.5
database option, 1.2.5
functions
DBMS_MACUTL (utility), 14.2.1
how Database Vault integrates with, 9.4.1
initialization, command rules, 6.1
integration with Oracle Database Vault
example, 9.4.4.1
Label Security Integration Audit Report, 18.4.2.4
procedure, 9.4.3
requirements, 9.4.2
labels
about, 7.5.2
determining with GET_FACTOR_LABEL, 15.1.6
invalid label identities, 18.4.1.4
policies
accounts that bypass, 18.5.5.3
monitoring policy changes, 17.3.1
nonexistent, 18.4.1.2
Oracle Policy Manager, 1.2.5
procedures
DBMS_MACADM (configuration), 12.7
reports, 9.4.5
views
DVSYS.DBA_DV_MAC_POLICY, 16.10
DVSYS.DBA_DV_MAC_POLICY_FACTOR, 16.11
DVSYS.DBA_DV_POLICY_LABEL, 16.12
See also LBACSYS account
Oracle MetaLink
See My Oracle Support
Oracle Policy Manager
used with Oracle Label Security, 1.2.5
Oracle Real Application Clusters
compatibility with Oracle Database Vault, 1.1
configuring Database Vault on RAC nodes, C.5
deinstalling Oracle Database Vault from, C.7
multiple factor identities, 7.3
Oracle Recovery Manager (RMAN)
in an Oracle Database Vault environment, 10.4
Oracle software owner, guidelines on managing, D.4.2
Oracle Streams
Database Vault role used for, 11.2.6
in an Oracle Database Vault environment, 10.5
Oracle Virtual Private Database (VPD)
accounts that bypass, 18.5.5.3
factors, attaching to, 9.3
GRANT EXECUTE privileges with Grant VPD Administration default rule set, 5.2
using Database Vault factors with Oracle Label Security, 9.4.4.1
OS Directory Objects Report, 18.5.9.2
OS Security Vulnerability Privileges Report, 18.5.5.11
OS_ROLES initialization parameter, 2.1

P

parameters
modified after installation, 2.1
reports
Security Related Database Parameters Report, 18.5.6.1
parent factors
See factors
Password History Access Report, 18.5.5.6
passwords
forgotten, solution for, B.1
reports, 18.5.7
Database Account Default Password Report, 18.5.7.1
Password History Access Report, 18.5.5.6
Username/Password Tables Report, 18.5.9.5
patches
DV_PATCH_ADMIN requirement for, 11.2.10
security consideration, D.6
two-person integrity used for, 5.9.1
performance effect
command rules, 6.9
realms, 4.15
reports
Resource Profiles Report, 18.5.6.2
System Resource Limits Report, 18.5.6.3
rule sets, 5.11
secure application roles, 8.7
static evaluation for rule sets, 5.11
performance tools
Database Control, realms, 4.15
Oracle Enterprise Manager
command rules, 6.9
factors, 7.11
realms, 4.15
rule sets, 5.11
secure application roles, 8.7
Oracle Enterprise Manager Database Control
command rules, 6.9
factors, 7.11
rule sets, 5.11
secure application roles, 8.7
STATSPACK utility
command rules, 6.9
factors, 7.11
realms, 4.15
rule sets, 5.11
secure application roles, 8.7
TKPROF utility
command rules, 6.9
factors, 7.11
realms, 4.15
rule sets, 5.11
secure application roles, 8.7
PL/SQL
packages
summarized, 15.4
unwrapped bodies, 18.5.9.4
Unwrapped PL/SQL Package Bodies Report, 18.5.9.4
PL/SQL factor functions, 15.2
policy changes, monitoring, 17.3.1, 17.4
port number
finding, 3.2.1.3, 3.2.2
Oracle Database Vault, 3.2.1.3, 3.2.2
post-installation procedures, C
privileges
ANY privileges, 11.2.11
existing users and roles, Database Vault effect on, 2.4
least privilege principle
violations to, 18.5.9.1
monitoring
GRANT statement, 17.3.1
REVOKE statement, 17.3.1
Oracle Database Vault restricting, 2.2
prevented from existing users and roles, 2.5
reports
Accounts With DBA Roles Report, 18.5.5.2
ALTER SYSTEM or ALTER SESSION Report, 18.5.5.5
ANY System Privileges for Database Accounts Report, 18.5.2.4
AUDIT Privileges Report, 18.5.5.10
Database Accounts With Catalog Roles Report, 18.5.5.9
Direct and Indirect System Privileges By Database Account Report, 18.5.2.2
Direct System Privileges By Database Account Report, 18.5.2.1
Hierarchical System Privileges By Database Account Report, 18.5.2.3
listed, 18.5.4
OS Directory Objects Report, 18.5.9.2
Privileges Distribution By Grantee Report, 18.5.4.1
Privileges Distribution By Grantee, Owner Report, 18.5.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 18.5.4.3
WITH ADMIN Privilege Grants Report, 18.5.5.1
WITH GRANT Privileges Report, 18.5.5.7
roles
checking with DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 14.3
system
checking with DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 14.3
views
DVSYS.DBA_DV_PUB_PRIVS, 16.13
DVSYS.DBA_DV_USER_PRIVS, 16.21
DVSYS.DBA_DV_USER_PRIVS_ALL, 16.22
Privileges Distribution By Grantee Report, 18.5.4.1
Privileges Distribution By Grantee, Owner Report, 18.5.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 18.5.4.3
privileges using external password, 18.5.3.4
problems, diagnosing, E.1.1
procedures
command rules
DBMS_MACADM (configuration), 12.4
factors
DBMS_MACADM (configuration), 12.5
realms
DBMS_MACADM (configuration), 12.2
production environments
guidelines for securing, D.5
profiles, 18.5.6
PUBLIC access to realms, 4.9
Public Execute Privilege To SYS PL/SQL Procedures Report, 18.5.3.3
PUBLIC user account
impact of Oracle Database Vault installation, 2.4

Q

quotas
tablespace, 18.5.9.6

R

RAC
See Oracle Real Application Clusters
Realm Audit Report, 18.4.2.1
Realm Authorization Configuration Issues Report, 18.4.1.5
realms
about, 4.1
adding roles to as grantees, 4.14
audit events, custom, A.1.1
authentication-related procedures, 12.2
authorization
enabling access to realm-protected objects, 4.11
how realm authorizations work, 4.10
process flow, 4.10
troubleshooting, E.2
updating with DBMS_MACADM.UPDATE_REALM_AUTH, 12.2
authorizations
grantee, 4.6
rule set, 4.6
creating, 4.3
creating names, 4.3
data dictionary views, 4.16
data masking, 10.8.3
DBMS_MACUTL constants, example of, 14.2.2
default realms
listed, 4.2
default realms not showing in Database Vault Administrator, C.1
deleting, 4.8
disabling, 4.7
DV_REALM_OWNER role, 11.2.12
DV_REALM_RESOURCE role, 11.2.13
editing, 4.4
effect on other Oracle Database Vault components, 4.13
enabling, 4.7
enabling access to realm-protected objects, 4.11
example, 4.12
functions
DBMS_MACUTL (utility), 14.1
DBMS_MACUTL constants (fields), 14.2.1
guidelines, 4.14
how realms work, 4.9
naming conventions, 4.3
object-related procedures, 12.2
performance effect, 4.15
procedures
DBMS_MACADM (configuration), 12.2
process flow, 4.9
propagating policies to other databases, 10.1.2
protection after object is dropped, 4.14
PUBLIC access, 4.9
realm authorizations
about, 4.6
realm secured objects
deleting, 4.5
editing, 4.5
object name, 4.5
object owner, 4.5
object type, 4.5
realm system authorizations
creating, 4.6
deleting, 4.6
editing, 4.6
realm-secured objects, 4.5
reports, 4.16
roles
DV_REALM_OWNER, 11.2.12
DV_REALM_RESOURCE, 11.2.13
secured object, 18.4.1.5
territory a realm protects, 4.5
troubleshooting, E.2, E.3
tutorial, 3.3.1
updating with DBMS_MACADM.UPDATE_REALM, 12.2
views
DVSYS.DBA_DV_CODE, 16.2
DVSYS.DBA_DV_REALM, 16.14
DVSYS.DBA_DV_REALM_AUTH, 16.15
DVSYS.DBA_DV_REALM_OBJECT, 16.16
See also rule sets
RECOVERY_CATALOG_OWNER role, 18.5.5.9
recycle bin, guidelines on managing, D.6.2
RECYCLEBIN initialization parameter
default setting in Oracle Database Vault, 2.1
security considerations, D.6.2
registering Oracle Database Vault, 3.1
reinstalling Oracle Database Vault, C.8
REMOTE_LOGIN_PASSWORDFILE initialization parameter, 2.1
reporting menu
report results page, 18.3
parameter, 18.3
reports
about, 18.1
Access to Sensitive Objects Report, 18.5.3.2
Accounts With DBA Roles Report, 18.5.5.2
Accounts with SYSDBA/SYSOPER Privilege Report, 18.5.3.4
ALTER SYSTEM or ALTER SESSION Report, 18.5.5.5
ANY System Privileges for Database Accounts Report, 18.5.2.4
AUDIT Privileges Report, 18.5.5.10
auditing, 18.4.2
BECOME USER Report, 18.5.5.4
categories of, 18.1
Command Rule Audit Report, 18.4.2.2
Command Rule Configuration Issues Report, 18.4.1.1
Core Database Audit Report, 18.5.8
Core Database Vault Audit Trail Report, 18.4.2.5
Database Account Default Password Report, 18.5.7.1
Database Account Status Report, 18.5.7.2
Database Accounts With Catalog Roles Report, 18.5.5.9
Direct and Indirect System Privileges By Database Account Report, 18.5.2.2
Direct Object Privileges Report, 18.5.1.3
Direct System Privileges By Database Account Report, 18.5.2.1
Enterprise Manager Grid Control, 10.1.4
Execute Privileges to Strong SYS Packages Report, 18.5.3.1
Factor Audit Report, 18.4.2.3
Factor Configuration Issues Report, 18.4.1.2
Factor Without Identities, 18.4.1.3
general security, 18.5
Hierarchical System Privileges by Database Account Report, 18.5.2.3
Identity Configuration Issues Report, 18.4.1.4
Java Policy Grants Report, 18.5.9.1
Label Security Integration Audit Report, 18.4.2.4
Non-Owner Object Trigger Report, 18.5.9.7
Object Access By PUBLIC Report, 18.5.1.1
Object Access Not By PUBLIC Report, 18.5.1.2
Object Dependencies Report, 18.5.1.4
Objects Dependent on Dynamic SQL Report, 18.5.9.3
OS Directory Objects Report, 18.5.9.2
OS Security Vulnerability Privileges, 18.5.5.11
Password History Access Report, 18.5.5.6
permissions for running, 18.2
privilege management, 18.5.4
Privileges Distribution By Grantee Report, 18.5.4.1
Privileges Distribution By Grantee, Owner Report, 18.5.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 18.5.4.3
Public Execute Privilege To SYS PL/SQL Procedures Report, 18.5.3.3
Realm Audit Report, 18.4.2.1
Realm Authorization Configuration Issues Report, 18.4.1.5
Resource Profiles Report, 18.5.6.2
Roles/Accounts That Have a Given Role Report, 18.5.5.8
Rule Set Configuration Issues Report, 18.4.1.6
running, 18.3
Secure Application Configuration Issues Report, 18.4.1.7
Secure Application Role Audit Report, 18.4.2.6
Security Policy Exemption Report, 18.5.5.3
Security Related Database Parameters, 18.5.6.1
security vulnerability, 18.5.9
System Privileges By Privilege Report, 18.5.2.5
System Resource Limits Report, 18.5.6.3
Tablespace Quotas Report, 18.5.9.6
Unwrapped PL/SQL Package Bodies Report, 18.5.9.4
Username/Password Tables Report, 18.5.9.5
WITH ADMIN Privileges Grants Report, 18.5.5.1
WITH GRANT Privileges Report, 18.5.5.7
required parameters page
% wildcard, 18.3
Resource Profiles Report, 18.5.6.2
resources
reports
Resource Profiles Report, 18.5.6.2
System Resource Limits Report, 18.5.6.3
REVOKE statement
monitoring, 17.3.1
roles
adding to realms as grantees, 4.14
catalog-based, 18.5.5.9
Database Vault default roles, 11.2.1
privileges, checking with DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 14.3
role enablement in incomplete rule set, 18.4.1.7
role-based system privileges, 18.5.2.3
See also secure application roles
Roles/Accounts That Have a Given Role Report, 18.5.5.8
root access
guideline for using with Database Vault, D.2.4
root access, guidelines on managing, D.4.1
Rule Set Configuration Issues Report, 18.4.1.6
rule sets
about, 5.1
adding existing rules, 5.5.2
audit options, 5.3
command rules
disabled, 18.4.1.1
selecting for, 6.4
used with, 6.1
CONNECT role configured incorrectly, solution for, B.1
creating, 5.3
rules in, 5.5.1
creating names, 5.3
data dictionary views, 5.12
DBMS_MACUTL constants, example of, 14.2.2
default rule sets, 5.2
default rule sets not showing in Database Vault Administrator, C.1
deleting
rule set, 5.6
rules from, 5.5.1
disabled for
factor assignment, 18.4.1.2
realm authorization, 18.4.1.5
editing
rule sets, 5.4
rules in, 5.5.1
error options, 5.3
evaluation of rules, 5.5
evaluation options, 5.3
event handlers, 5.3
events firing, finding with DVSYS.DV_SYSEVENT, 15.3.1
factors, selecting for, 7.3
factors, used with, 7.1
fail code, 5.3
fail message, 5.3
functions
DBMS_MACADM (configuration), 12.3
DBMS_MACUTL (utility), 14.1
DBMS_MACUTL constants (fields), 14.2.1
PL/SQL functions for rule sets, 15.3
guidelines, 5.10
how rule sets work, 5.7.1
incomplete, 18.4.1.1
naming conventions, 5.3
nested rules, 5.7.2
performance effect, 5.11
procedures
DBMS_MACADM (configuration), 12.3
process flow, 5.7.1
propagating policies to other databases, 10.1.2
reports, 5.12
rules that exclude one user, 5.7.3
static evaluation, 5.10
troubleshooting, E.2, E.3
views
DVSYS.DBA_DV_RULE, 16.18
DVSYS.DBA_DV_RULE_SET, 16.19
DVSYS.DBA_DV_RULE_SET_RULE, 16.20
See also command rules, factors, realms, rules, secure application roles
rules
about, 5.5
creating, 5.5.1
creating names, 5.5.1
data dictionary views, 5.12
deleting from rule set, 5.5.1
editing, 5.5.1
existing rules, adding to rule set, 5.5.2
naming conventions, 5.5.1
nested within a rule set, 5.7.2
removing from rule set, 5.5.1
reports, 5.12
troubleshooting, E.2
views
DVSYS.DBA_DV_RULE, 16.18
DVSYS.DBA_DV_RULE_SET_RULE, 16.20
See also rule sets
rules sets
audit event, custom, A.1.1

S

SCHEDULER_ADMIN role
impact of Oracle Database Vault installation, 2.4
scheduling database jobs
about, 10.3.1
Allow Scheduler Job rule set, 5.2
CREATE EXTERNAL JOB privilege security consideration, D.6.4
granting Oracle Database Vault authorization, 10.3.2
revoking Oracle Database Vault authorization, 10.3.3
schemas
DVF, 11.1.2
DVSYS, 11.1.1
Secure Application Configuration Issues Report, 18.4.1.7
secure application role, 8.1
Secure Application Role Audit Report, 18.4.2.6
secure application roles
audit event, custom, A.1.1
creating, 8.2
data dictionary view, 8.8
DBMS_MACSEC_ROLES.SET_ROLE function, 8.2
deleting, 8.4
functionality, 8.5
functions
DBMS_MACADM (configuration), 12.6
DBMS_MACSEC_ROLES (configuration), 13.1
DBMS_MACSEC_ROLES package, 13.1
DBMS_MACUTL (utility), 14.1
DBMS_MACUTL constants (fields), 14.2.1
guidelines on managing, 8.3
performance effect, 8.7
procedure
DBMS_MACADM (configuration), 12.6
procedures and functions
DBMS_MACUTL (utility), 14.3
propagating policies to other databases, 10.1.2
reports, 8.8
Rule Set Configuration Issues Report, 18.4.1.6
troubleshooting, E.3
troubleshooting with auditing report, 18.4.2.6
tutorial, 8.6.1
views
DVSYS.DBA_DV_ROLE, 16.17
See also roles, rule sets
security attacks
Denial of Service (DoS) attacks
finding system resource limits, 18.5.6.3
Denial of Service attacks
finding tablespace quotas, 18.5.9.6
eliminating audit trail, 18.5.5.10
monitoring security violations, 17.1
Oracle Database Vault addressing insider threats, 1.4
reports
AUDIT Privileges Report, 18.5.5.10
Objects Dependent on Dynamic SQL Report, 18.5.9.3
Privileges Distribution By Grantee, Owner Report, 18.5.4.2
Unwrapped PL/SQL Package Bodies Report, 18.5.9.4
SQL injection attacks, 18.5.9.3
tracking
with factor auditing, 7.3
with rule set auditing, 5.3
security policies
monitoring changes, 17.4
security policies, Oracle Database Vault addressing, 1.5
Security Policy Exemption Report, 18.5.5.3
Security Related Database Parameters Report, 18.5.6.1
security violations
monitoring attempts, 17.1
security vulnerabilities
how Database Vault addresses, 1.6
operating systems, 18.5.5.11
reports, 18.5.9
Security Related Database Parameters Report, 18.5.6.1
root operating system directory, 18.5.9.2
SELECT statement
controlling with command rules, 6.1
SELECT_CATALOG_ROLE role, 18.5.5.9
sensitive objects reports, 18.5.3
separation of duty concept
about, D.1.1
command rules, 6.2
database accounts, 11.3
database accounts, suggested, 11.3
database roles, 2.3
Database Vault Account Manager role, 11.3
documenting tasks, D.1.4
example matrix, D.1.3
how Oracle Database Vault addresses, 2.3
Oracle Database Vault enforcing, 1.1
realms, 1.6
restricting privileges, 2.2
roles, 11.2.1
tasks in Oracle Database Vault environment, D.1.2
session time, setting for Oracle Database Vault Administrator, C.3
sessions
audit events, custom, A.1.1
DBMS_MACUTL fields, 14.2.1
finding session user with DVF.F$SESSION_USER, 15.2.16
restricting data based on, 7.9.1
retrieving information with functions, 12.5
SQL injection attacks, detecting with Objects Dependent on Dynamic SQL Report, 18.5.9.3
SQL statements
default command rules that protect, 6.2
SQL text, finding with DVSYS.DV_SQL_TEXT, 15.3.8
SQL92_SECURITY initialization parameter, 2.1
subfactors
See child factors under factors topic
SYS schema
command rules, 6.4
SYS user account
access to Database Vault Account Management realm, 4.2
adding to realm authorization, 4.14
granting or revoking EXECUTE on DBMS_RLS package, Preface
SYS.AUD$ table
location for Oracle Database Vault, 2.6.1
object owner for realm protection, 4.5
protecting with realm, 2.6.1
SYSDBA access
guidelines on managing, D.4.3
SYSDBA privilege
limiting, importance of, D.2.3
SYS.FGA_LOG$ table
protecting with realm, 2.6.1
SYSMAN user account
realm for, 4.2
SYSOPER access
guidelines on managing, D.4.4
system features
disabling with Disabled rule set, 5.2
enabling with Enabled rule set, 5.2
system privileges
checking with DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 14.3
reports
System Privileges By Privilege Report, 18.5.2.5
System Privileges By Privilege Report, 18.5.2.5
System Resource Limits Report, 18.5.6.3
system root access, guideline on managing, D.4.1
SYSTEM schema
application tables in, D.2.2
SYSTEM user account
guidelines for using with Database Vault, D.2.1
SYSTEM.AUD$ table
location for Oracle Database Vault, 2.6.1

T

tablespace quotas, 18.5.9.6
Tablespace Quotas Report, 18.5.9.6
third party products, affected by Oracle Database Vault, B.1
time data
DBMS_MACUTL functions, 14.3
time-out value, setting for Oracle Database Vault Administrator, C.3
trace files
about, E.1.1
trace files, Oracle Database Vault
about, E.1.1
activities that can be traced, E.1.2
ADRCI utility, E.1.6.3
directory location for trace files, E.1.6.1
disabling for all sessions, E.1.8.2
disabling for current session, E.1.8.1
enabling for all sessions, E.1.5.2
enabling for current session, E.1.5.1
examples, E.1.7
finding trace file directory, E.1.6.1
levels of trace events, E.1.3
performance effect, E.1.4
querying
ADRCI utility, E.1.6.3
Linux grep command, E.1.6.2
Transparent Data Encryption, used with Oracle Database Vault, 9.2
triggers
different from object owner account, 18.5.9.7
reports, Non-Owner Object Trigger Report, 18.5.9.7
troubleshooting
access security sessions, 18.4.2.5
auditing reports, using, 18.4.2
Database Vault Administrator not showing default realms, command rules, rule sets, or factors, C.1
factors, E.2
general diagnostic tips, E.2
locked out accounts, B.1
passwords, forgotten, B.1
realms, E.2
rule sets, E.2
rules, E.2
secure application roles, 18.4.2.6
trust levels
about, 7.5.2
determining for identities with DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY, 15.1.4
determining with DVSYS.GET_TRUST_LEVEL, 15.1.3
factor identity, 7.5.2
factors, 7.5.2
for factor and identity requested, 15.1.4
identities, 7.3
of current session identity, 15.1.3
trusted users
accounts and roles that should be limited, D.4
default for Oracle Database Vault, D.3
tutorials
access, granting with secure application roles, 8.6.1
ad hoc tool access, preventing, 7.8.1
configuring two-person integrity (TPI), 5.9.1
Database Vault factors with Virtual Private Database and Oracle Label Security, 9.4.4.1
email alert in rule set, 5.8.1
factors, mapping identities, 7.9.1
Oracle Label Security integration with Oracle Database Vault, 9.4.4.1
restricting access based on session data, 7.9.1
restricting user activities with command rules, 6.7.1
schema, protecting with a realm, 3.3.1
See also examples
two-man rule security
See two-person integrity (TPI)
two-person integrity (TPI)
about, 5.9.1
configuring with a rule set, 5.9.1

U

Unwrapped PL/SQL Package Bodies Report, 18.5.9.4
user names
reports, Username/Password Tables Report, 18.5.9.5
USER_HISTORY$ table, 18.5.5.6
Username/Password Tables Report, 18.5.9.5
users
enterprise identities, finding with DVF.F$PROXY_ENTERPRISE_IDENTITY, 15.2.15
enterprise-wide identities, finding with DVF.F$ENTERPRISE_IDENTITY, 15.2.9
finding session user with DVF.F$SESSION_USER, 15.2.16
login user name, finding with DVSYS.DV_LOGIN_USER, 15.3.2
restricting access by factor identity, 7.9.1
utility functions
See DBMS_MACUTL package
UTL_FILE object, 18.5.1.4
UTL_FILE package, guidelines on managing, D.6.1

V

views
DVSYS.DBA_DV_DATAPUMP_AUTH, 16.4
Oracle Database Vault-specific views, 16.1, 16.22
See also names beginning with DVSYS.DBA_DV
VPD
See Oracle Virtual Private Database (VPD)

W

wildcard, %, 18.3
WITH ADMIN Privileges Grants Report, 18.5.5.1
WITH ADMIN status, 18.5.2.1, 18.5.2.2
WITH GRANT clause, 18.5.5.7
WITH GRANT Privileges Report, 18.5.5.7

X

XStream
Database Vault role used for, 11.2.7
in an Oracle Database Vault environment, 10.6