Skip Headers
Oracle® Database Vault Administrator's Guide
12c Release 1 (12.1)

E17608-17
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

17 Oracle Database Vault Secure Application Role APIs

This chapter contains:

See Also:

DBMS_MACADM Secure Application Role Procedures

Table 17-1 lists procedures within the DBMS_MACADM package that you can use to configure Oracle Database Vault secure application roles. Only users who have been granted the DV_OWNER or DV_ADMIN role can use these procedures.

Table 17-1 DBMS_MACADM Secure Application Role Configuration Procedures

Procedure Description

CREATE_ROLE Procedure

Creates an Oracle Database Vault secure application role

DELETE_ROLE Procedure

Deletes an Oracle Database Vault secure application role

RENAME_ROLE Procedure

Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.

UPDATE_ROLE Procedure

Updates a Oracle Database Vault secure application role


CREATE_ROLE Procedure

The CREATE_ROLE procedure creates an Oracle Database Vault secure application role.

Syntax

DBMS_MACADM.CREATE_ROLE(
  role_name      IN VARCHAR2, 
  enabled        IN VARCHAR2,
  rule_set_name  IN VARCHAR2);

Parameters

Table 17-2 CREATE_ROLE Parameters

Parameter Description

role_name

Role name, up to 30 characters, with no spaces.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DVSYS.DBA_DV_ROLE View".

enabled

DBMS_MACUTL.G_YES (Yes) makes the role available for enabling; DBMS_MACUTL.G_NO (No) prevents the role from being enabled. The default is DBMS_MACUTL.G_YES.

rule_set_name

Name of rule set to determine whether this secure application can be enabled.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DVSYS.DBA_DV_RULE_SET View".


Example

BEGIN
 DBMS_MACADM.CREATE_ROLE(
  role_name      => 'Sector2_APP_MGR', 
  enabled        => DBMS_MACUTL.G_YES,
  rule_set_name  => 'Check App2 Access');
END;
/

DELETE_ROLE Procedure

The DELETE_ROLE procedure deletes an Oracle Database Vault secure application role.

Syntax

DBMS_MACADM.DELETE_ROLE(
  role_name IN VARCHAR2); 

Parameters

Table 17-3 DELETE_ROLE Parameter

Parameter Description

role_name

Role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DVSYS.DBA_DV_ROLE View".


Example

EXEC DBMS_MACADM.DELETE_ROLE('SECT2_APP_MGR'); 

RENAME_ROLE Procedure

The RENAME_ROLE procedure renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.

Syntax

DBMS_MACADM.RENAME_ROLE(
  role_name      IN VARCHAR2, 
  new_role_name  IN VARCHAR2);

Parameters

Table 17-4 RENAME_ROLE Parameters

Parameter Description

role_name

Current role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DVSYS.DBA_DV_ROLE View".

new_role_name

Role name, up to 30 characters, with no spaces. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Language Reference.


Example

BEGIN
 DBMS_MACADM.RENAME_ROLE(
  role_name      => 'SECT2_APP_MGR', 
  new_role_name  => 'SECT2_SYSADMIN');
END;
/

UPDATE_ROLE Procedure

The UPDATE_ROLE procedure updates a Oracle Database Vault secure application role.

Syntax

DBMS_MACADM.UPDATE_ROLE(
  role_name      IN VARCHAR2, 
  enabled        IN VARCHAR2, 
  rule_set_name  IN VARCHAR2);

Parameters

Table 17-5 UPDATE_ROLE Parameters

Parameter Description

role_name

Role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DVSYS.DBA_DV_ROLE View".

enabled

DBMS_MACUTL.G_YES (Yes) makes the role available for enabling; DBMS_MACUTL.G_NO (No) prevents the role from being enabled.

The default for enabled is the previously set value, which you can find by querying the DVSYS.DBA_DV_ROLE data dictionary view.

rule_set_name

Name of rule set to determine whether this secure application can be enabled.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DVSYS.DBA_DV_RULE_SET View".


Example

BEGIN
 DBMS_MACADM.UPDATE_ROLE(
  role_name      => 'SECT2_SYSADMIN', 
  enabled        => DBMS_MACUTL.G_YES, 
  rule_set_name  => 'System Access Controls');
END;
/

DBMS_MACSEC_ROLES Secure Application Role Functions

This section contains:

About the DBMS_MACSEC_ROLES Package

You can modify your applications to use the procedures within the DBMS_MACSEC_ROLES package to check the authorization for a user or to set an Oracle Database Vault secure application role. The DBMS_MACSEC_ROLES package is available to all users.

Table 17-6 lists the DBMS_MACSEC_ROLES package function and procedure.

Table 17-6 DBMS_MACSEC_ROLES Oracle Label Security Configuration Procedures

Function or Procedure Description

CAN_SET_ROLE Function

Checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. Returns a BOOLEAN value.

SET_ROLE Procedure

Issues the SET ROLE statement for an Oracle Database Vault secure application role.


CAN_SET_ROLE Function

The CAN_SET_ROLE function checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. The authorization is determined by checking the rule set associated with the role.

Syntax

DBMS_MACSEC_ROLES.CAN_SET_ROLE(
  p_role IN VARCHAR2)
RETURN BOOLEAN;

Parameters

Table 17-7 CAN_SET_ROLE Parameter

Parameter Description

p_role

Role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DVSYS.DBA_DV_ROLE View".


Example

SET SERVEROUTPUT ON
BEGIN
 IF DBMS_MACSEC_ROLES.CAN_SET_ROLE('SECTOR2_APP_MGR')
  THEN DBMS_OUTPUT.PUT_LINE('''SECTOR2_APP_MGR'' can be enabled.');
 END IF;
END;
/

SET_ROLE Procedure

The SET_ROLE procedure issues the SET ROLE PL/SQL statement for specified roles, including both Oracle Database Vault secure application roles and regular Oracle Database roles. This procedure sets an Oracle Database Vault secure application role only if the rule set that is associated with the role evaluates to true. Before SET ROLE is issued, the CAN_SET_ROLE method is called to check the rule set associated with the role. Run-time rule set behavior such as auditing, failure processing, and event handling occur during this process.

The SET_ROLE procedure is available to the general database account population.

Syntax

DBMS_MACSEC_ROLES.SET_ROLE(
  p_role IN VARCHAR2);

Parameters

Table 17-8 SET_ROLE Parameter

Parameter Description

p_role

Role names. You can enter multiple roles, separated by commas (,), including secure application roles and regular roles.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DVSYS.DBA_DV_ROLE View".

To find all of the existing roles in the database, query the DBA_ROLES data dictionary view, described in Oracle Database Reference.


Example

EXEC DBMS_MACSEC_ROLES.SET_ROLE('SECTOR2_APP_MGR, APPS_MGR');

You can enter the name of the role in any case (for example, Sector2_APP_MGR).