Oracle® Database Vault Administrator's Guide
12c Release 1 (12.1)

E17608-17

15 Oracle Database Vault Command Rule APIs

This chapter contains

About Command Rule Procedures within DBMS_MACADM

Table 15-1 lists procedures within the DBMS_MACADM package that you can use to configure command rules. Only users who have been granted the DV_OWNER or DV_ADMIN role can use these procedures.

See Also:

Table 15-1 DBMS_MACADM Command Rule Configuration Procedures

Procedure: Description

CREATE_COMMAND_RULE Procedure: Creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set

DELETE_COMMAND_RULE Procedure: Drops a command rule declaration

UPDATE_COMMAND_RULE Procedure: Updates a command rule declaration


CREATE_COMMAND_RULE Procedure

The CREATE_COMMAND_RULE procedure creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set.

Syntax

DBMS_MACADM.CREATE_COMMAND_RULE(
  command         IN VARCHAR2, 
  rule_set_name   IN VARCHAR2, 
  object_owner    IN VARCHAR2, 
  object_name     IN VARCHAR2, 
  enabled         IN VARCHAR2);

Parameters

Table 15-2 CREATE_COMMAND_RULE Parameters

Parameter Description

command

SQL statement to protect.

See also the following:

rule_set_name

Name of rule set to associate with this command rule.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DVSYS.DBA_DV_RULE_SET View".

object_owner

Database schema to which this command rule will apply. The wildcard % is allowed, except for the SELECT, INSERT, UPDATE, DELETE, and EXECUTE statements.

To find the available users, query the DBA_USERS view, described in Oracle Database Reference.

See also "Object Owner" in "Creating or Editing a Command Rule" for more information.

object_name

Object name. (The wildcard % is allowed. See "Object Name" in "Creating or Editing a Command Rule" for more information about objects protected by command rules.)

To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference.

enabled

DBMS_MACUTL.G_YES (Yes) enables the command rule; DBMS_MACUTL.G_NO (No) disables it. The default is DBMS_MACUTL.G_YES.


Example

BEGIN
 DBMS_MACADM.CREATE_COMMAND_RULE(
  command         => 'SELECT', 
  rule_set_name   => 'Limit Sector 2 Access', 
  object_owner    => 'SYSADM', 
  object_name     => 'EMP_DATA', 
  enabled         => DBMS_MACUTL.G_YES);
END; 
/

DELETE_COMMAND_RULE Procedure

The DELETE_COMMAND_RULE procedure drops a command rule declaration.

Syntax

DBMS_MACADM.DELETE_COMMAND_RULE(
  command      IN VARCHAR2, 
  object_owner IN VARCHAR2, 
  object_name  IN VARCHAR2); 

Parameters

Table 15-3 DELETE_COMMAND_RULE Parameters

Parameter Description

command

SQL statement the command rule protects.

To find available command rules, query the DVSYS.DBA_DV_COMMAND_RULE view, described in "DVSYS.DBA_DV_COMMAND_RULE View".

object_owner

Database schema to which this command rule applies.

To find the available users in the current database instance, query the DBA_USERS view, described in Oracle Database Reference.

See also "Object Owner" in "Creating or Editing a Command Rule" for more information.

object_name

Object name. (The wildcard % is allowed. See "Object Name" in "Creating or Editing a Command Rule" for more information about objects protected by command rules.)

To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference.


Example

BEGIN
 DBMS_MACADM.DELETE_COMMAND_RULE(
  command      => 'SELECT', 
  object_owner => 'SYSADM', 
  object_name  => 'EMP_DATA'); 
END;
/

UPDATE_COMMAND_RULE Procedure

The UPDATE_COMMAND_RULE procedure updates a command rule declaration.

Syntax

DBMS_MACADM.UPDATE_COMMAND_RULE(
  command        IN VARCHAR2, 
  rule_set_name  IN VARCHAR2, 
  object_owner   IN VARCHAR2, 
  object_name    IN VARCHAR2, 
  enabled        IN VARCHAR2); 

Parameters

Table 15-4 UPDATE_COMMAND_RULE Parameters

Parameter Description

command

SQL statement to protect.

See also the following:

rule_set_name

Name of rule set to associate with this command rule.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in Chapter 22, "Oracle Database Vault Data Dictionary Views."

object_owner

Database schema to which this command rule applies.

To find the available users, query the DBA_USERS view, described in Oracle Database Reference. See also "Object Owner" in "Creating or Editing a Command Rule" for more information.

object_name

Object name. (The wildcard % is allowed. See "Object Name" in "Creating or Editing a Command Rule" for more information about objects protected by command rules.)

To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference.

enabled

DBMS_MACUTL.G_YES (Yes) enables the command rule; DBMS_MACUTL.G_NO (No) disables it.

The default for enabled is the previously set value, which you can find by querying the DVSYS.DBA_DV_COMMAND_RULE data dictionary view.


Example

BEGIN
 DBMS_MACADM.UPDATE_COMMAND_RULE(
  command         => 'SELECT', 
  rule_set_name   => 'Limit Sector 2 Access', 
  object_owner    => 'SYSADM', 
  object_name     => '%', 
  enabled         => DBMS_MACUTL.G_NO);
END;
/
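
The following is an added example, not part of the Oracle guide: a re-runnable deployment block that calls CREATE_COMMAND_RULE when no rule exists for the (command, object_owner, object_name) combination and UPDATE_COMMAND_RULE otherwise, followed by a review query for rules that are not enforcing. It assumes that the rule set 'Limit Sector 2 Access' already exists, that the caller has the DV_OWNER or DV_ADMIN role, and that DVSYS.DBA_DV_COMMAND_RULE exposes the columns COMMAND, RULE_SET_NAME, OBJECT_OWNER, OBJECT_NAME and ENABLED with ENABLED stored as 'Y' or 'N'.

```sql
-- Added example (not Oracle's code). Names reuse the values from the examples above.
DECLARE
  c_command  CONSTANT VARCHAR2(128) := 'SELECT';
  c_rule_set CONSTANT VARCHAR2(128) := 'Limit Sector 2 Access'; -- assumed to exist
  c_owner    CONSTANT VARCHAR2(128) := 'SYSADM';
  c_object   CONSTANT VARCHAR2(128) := 'EMP_DATA';
  l_existing PLS_INTEGER;
BEGIN
  -- A command rule is identified by command + object_owner + object_name,
  -- the same three values DELETE_COMMAND_RULE takes.
  SELECT COUNT(*)
    INTO l_existing
    FROM DVSYS.DBA_DV_COMMAND_RULE
   WHERE command      = c_command
     AND object_owner = c_owner
     AND object_name  = c_object;

  IF l_existing = 0 THEN
    DBMS_MACADM.CREATE_COMMAND_RULE(
      command       => c_command,
      rule_set_name => c_rule_set,
      object_owner  => c_owner,
      object_name   => c_object,
      enabled       => DBMS_MACUTL.G_YES);
  ELSE
    -- Pass enabled explicitly: UPDATE_COMMAND_RULE otherwise keeps the
    -- previously set value, so a rule disabled earlier would stay disabled.
    DBMS_MACADM.UPDATE_COMMAND_RULE(
      command       => c_command,
      rule_set_name => c_rule_set,
      object_owner  => c_owner,
      object_name   => c_object,
      enabled       => DBMS_MACUTL.G_YES);
  END IF;
END;
/

-- Review query: command rules that exist but are not enabled
-- ('Y'/'N' storage of ENABLED is an assumption of this example).
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE enabled <> 'Y'
 ORDER BY object_owner, object_name, command;
```

Any row returned by the review query is a command rule that is declared but not being checked, which is worth reconciling against change records.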