A Oracle Audit Vault and Database Firewall Database Schemas

Topics

About Oracle Audit Vault and Database Firewall Schemas
Metadata for Activity Reports
Data for Event Reports
Data for Alert Reports
Data for Entitlement Reports
Data for SPA Reports
Data for Database Firewall Reports

About Oracle Audit Vault and Database Firewall Schemas

Oracle Audit Vault and Database Firewall (Oracle AVDF) has internal data warehouse schemas that manage the audit data collected from the secured targets. The data warehouse schemas collect the data from the Oracle AVDF collection agents, organize it, and then provide it in report format for the reports described in Chapter 6, "Generating Reports"

To create custom reports using tools like Oracle Business Intelligence Publisher and the Oracle Business Intelligence Suite:

You must understand the structure of the data warehouse schema AVSYS, which this appendix describes.
You must understand the structure of the audit events provided by the supported secured targets—Oracle Database, Microsoft SQL Server, Sybase Adaptive Server Enterprise (ASE), and IBM DB2.

For this information, see Appendix B through Appendix G.

You can create these kinds of custom reports:

Activity reports
Event reports
Alert reports
Entitlement reports
Third-party (F5) reports

The data that you need to create the other kinds of reports is in the AVSYS schema.

Metadata for Activity Reports

This section describes the metadata that you need to create activity reports:

Table A-1, "AVSYS.SECURED_TARGET Table"
Table A-2, "AVSYS.SECURED_TARGET_TYPE Table"
Table A-3, "AVSYS.AUDIT_TRAIL Table"

Table A-1 describes the AVSYS.SECURED_TARGET table, which has one row for each secured target. Columns are in alphabetical order.

Table A-1 AVSYS.SECURED_TARGET Table

Column	Data Type	Description
`ACTIVE`	`CHAR(1 CHAR)`	'Y' if secured target is active, 'N' otherwise.
`CONNECT_STRING`	`VARCHAR2(4000 BYTE)`	String that identifies secured target when you try to connect it to the system.
`CREATION_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`	Creation time of the connection between secured target and the system.
`DESCRIPTION`	`VARCHAR2(1024 BYTE)`	Description of secured target.
`FIREWALL_POLICY_ID`	`INTEGER`	ID number of firewall policy associated with secured target, if any; otherwise `NULL`. Default: `NULL`
`SECURED_TARGET`	`NUMBER`	Number of secured target.
`SECURED_TARGET_NAME`	`VARCHAR2(255 BYTE)`	Name of secured target.
`SECURED_TARGET_TYPE_ID`	`NUMBER`	ID number of type of secured target. This value must be in `AVSYS.SECURED_TARGET_TYPE.SECURED_TARGET_TYPE_ID` (see Table A-2).
`SERVER_AUTH_USER`	`VARCHAR2(255 BYTE)`	Oracle AVDF user that is authorized to transfer events from an Audit Vault Agent to an Audit Vault Server.

Table A-2 describes the AVSYS.SECURED_TARGET_TYPE table, which has one row for each secured target type. Columns are in alphabetical order.

Table A-2 AVSYS.SECURED_TARGET_TYPE Table

Column	Data Type	Description
`FIREWALL_DIALECT`	`NUMBER(38)`	ID number of Oracle Database Firewall type.
`SECURED_TARGET_TYPE_ID`	`NUMBER(38)`	ID number of secured target type.
`SECURED_TARGET_TYPE_NAME`	`VARCHAR2(255 BYTE)`	Name of secured target type.

Table A-3 describes the AVSYS.AUDIT_TRAIL table, which has one row for each audit trail. Columns are in alphabetical order.

Table A-3 AVSYS.AUDIT_TRAIL Table

Column	Data Type	Description
`AUDIT_TRAIL_ID`	`NUMBER`	ID number of this audit trail.
`AUDIT_TRAIL_TYPE`	`VARCHAR2(255 BYTE)`	Type of this audit trail (for example, `TABLE` or `DIRECTORY`).
`COLLECTION_AUTOSTART`	`CHAR(1 CHAR)`	(Currently unavailable functionality)
`HOST_NAME`	`VARCHAR2(255 BYTE)`	Name of agent host for this audit trail.
`LOCATION`	`VARCHAR2(4000 BYTE)`
`SOURCE_ID`	`NUMBER`	ID number of source of this audit trail.
`SECURED_TARGET_TYPE_NAME`	`VARCHAR2(255 BYTE)`	Name of type of secured target for this audit trail. This value must be in `AVSYS.SECURED_TARGET_TYPE.SECURED_TARGET_TYPE_NAME` (see Table A-2).

Data for Event Reports

This section describes the data that you need to create event reports.

Table A-4 describes the AVSYS.EVENT_LOG table, which has one row for each audit event. Columns are in alphabetical order.

Table A-4 AVSYS.EVENT_LOG Table

Column	Data Type	Description
`ACTION_TAKEN`	`VARCHAR2(255 BYTE)`	Action taken for the event—`pass`, `warn`, or `block`.
`ALERT_RAISED`	`NUMBER`	0 if no alert was raised for the event, 1 otherwise. Default: 0
`AUDIT_TRAIL_ID`	`NUMBER`	ID of the audit trail from which the event was collected.
`AV_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when the event was recorded in Oracle AVDF repository.
`CLIENT_HOST_NAME`	`VARCHAR2(255 BYTE)`	Name of client host where the user started the action.
`CLIENT_IP`	`VARCHAR2(255 BYTE)`	Internet protocol (IP) address of `CLIENT_HOST_NAME`.
`CLIENT_PROGRAM`	`VARCHAR2(255 CHAR)`	Client program where the event occurred.
`CLUSTER_ID`	`NUMBER`	Global ID number of cluster where the event occurred.
`CLUSTER_TYPE`	`NUMBER`	Type number of cluster where the event occurred (identifies type of statements in cluster).
`COMMAND_CLASS`	`VARCHAR2(255 BYTE)`	Action performed in the event (for example, `SELECT` or `DELETE`). If this field contains `NULL`, then the audit record is invalid.
`COMMAND_PARAM`	`CLOB`	Command parameters that caused the event.
`COMMAND_TEXT`	`CLOB`	Text of command that caused the event (which can be, for example, a SQL or PL/SQL statement).
`ERROR_CODE`	`VARCHAR2(30 BYTE)`	Error code of an action.
`ERROR_MESSAGE`	`VARCHAR2(1000 BYTE)`	Error message of an action.
`EVENT_NAME`	`VARCHAR2(255 BYTE)`	Name of the event, exactly as in the audit trail.
`EVENT_STATUS`	`VARCHAR2(30 BYTE)`	Status of the event—`SUCCESS`, `FAILURE`, or `UNKNOWN`.
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collector plug-in must assign a time stamp to this field. If this field contains `NULL`, then Oracle AVDF shuts down the collector.
`EXTENSION`	`CLOB`	Stores fields that cannot be accommodated in core or large fields (such as name-value pairs, separated by delimiters).
`GRAMMAR_VERSION`	`NUMBER`	Version of grammar that the Database Firewall used when it detected the event. This version is internal to the Database Firewall and not related to the database version.
`LOG_CAUSE`	`VARCHAR2(30 BYTE)`	Cause of the event, as recorded in the log—`undefined`, `exception`, `cluster`, `novelty`, `unseen`, `invalidsql`, `waf`, `login`, or `logout`.
`LOGFILE_ID`	`NUMBER`	Opaque internal log file ID.
`MARKER`	`VARCHAR2(255 BYTE)`	Uniquely identifies a record in an audit trail. During the recovery process, Oracle AVDF uses this field to filter duplicate records. The collector plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, in Oracle database, the session ID and entry ID (a unique identifier within a session) define a marker.
`MONITORING_POINT_ID`	`NUMBER`	This is an internal column. If its value is not `NULL`, then the event came from a Database Firewall. If its value is `NULL`, then the event came from the audit trail whose ID is in `AUDIT_TRAIL_ID`.
`NETWORK_CONNECTION`	`VARCHAR2(255 BYTE)`	Name of user who logged into the operating system that generated the audit record. If the user logged into the operating system as `JOHN` but performed the action as `SCOTT`, then this field contains `JOHN` and the `USER_NAME` field contains `SCOTT`.
`OSUSER_NAME`	`VARCHAR2 (255 BYTE)`	Operating system user name that executed the SQL command
`POLICY_NAME`	`VARCHAR2(1024 CHAR)`	Name of policy file that the Database Firewall used when it detected the event.
`RECORD_ID`	`NUMBER`	ID number of audit record for the event.
`SECURED_TARGET_NAME`	`VARCHAR2(255 BYTE)`	Name of secured target where event occurred.
`SECURED_TARGET_TYPE`	`VARCHAR2(255 BYTE)`	Type of secured target where event occurred.
`SERVICE_NAME`	`VARCHAR2(255 CHAR)`	Name of database service to which the client session connects.
`TARGET_OBJECT`	`VARCHAR2(255 BYTE)`	Name of object on which the action was performed. For example, if the user selected from a table, then this field contains the name of the table.
`TARGET_OWNER`	`VARCHAR2(255 BYTE)`	Name of owner of target on which the action was performed. For example, if the user selected from a table owned by user `JOHN`, then this field contains the user name `JOHN`.
`TARGET_TYPE`	`VARCHAR2(255 BYTE)`	Type of target object on which the action was performed. For example, if the user selected from a table, then this field contains `TABLE`.
`THREAT_SEVERITY`	`VARCHAR2(30 CHAR)`	Severity of the threat that the Database Firewall detected—`undefined`, `insignificant`, `minor`, `moderate`, `major`, or `catastrophic`.
`USER_NAME`	`VARCHAR2(255 BYTE)`	Name of user who performed the action in the application or system that generated the audit record. If this field contains `NULL`, then the audit record is invalid.

Data for Alert Reports

This section describes the data that you need to create alert reports:

Table A-5, "AVSYS.ALERT_STORE Table"
Table A-6, "AVSYS.ALERT_EVENT_MAP Table"
Table A-7, "AVSYS.ALERT_NOTE Table"

Table A-5 describes the AVSYS.ALERT_STORE table, which has one row for each alert instance. Columns are in alphabetical order.

Table A-5 AVSYS.ALERT_STORE Table

Column	Data Type	Description
`ALERT_DEFINITION_ID`	`NUMBER`	ID number of definition of this alert.
`ALERT_ID`	`NUMBER`	ID number of alert instance.
`ALERT_NAME`	`VARCHAR2(255)`	Name of this alert in alert definition.
`ALERT_OWNER`	`VARCHAR2(30)`	Alert owner (same as alert definition owner).
`ALERT_SEVERITY`	`NUMBER`	Alert severity—1=Warning, 2=Critical.
`ALERT_STATUS`	`VARCHAR2(255)`	Alert status—`OPEN` or `CLOSED`.
`AV_ALERT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when alert instance was raised.
`CLEARED_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`
`EMAIL_CC_LIST`	`VARCHAR2(4000 BYTE)`	List of addresses for "cc" field of email about this alert instance.
`EMAIL_MESSAGE`	`VARCHAR2(4000 BYTE)`	Message in email about this alert instance.
`EMAIL_STATUS`	`VARCHAR2(30 BYTE)`	Indicates if email was sent for this alert instance.
`EMAIL_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when email about this alert instance was sent.
`EMAIL_TO_LIST`	`VARCHAR2(4000 BYTE)`	List of addresses for "to" field of email about this alert instance.
`ILM_TARGET`	`VARCHAR2(12)`	Information lifecycle management (ILM) string for partition.
`OLDEST_EVENT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time of first event that triggered this alert instance.

Table A-6 describes the AVSYS.ALERT_EVENT_MAP table, which maps each alert instance to its related events. When an alert instance is related to multiple events, each event has a different RECORD_ID. Columns are in alphabetical order.

Table A-6 AVSYS.ALERT_EVENT_MAP Table

Column	Data Type	Description
`ALERT_ID`	`NUMBER`	ID of alert instance.
`ALERT_OWNER`	`VARCHAR2(30)`	Alert owner, same as alert definition owner.
`EVENT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time of event that triggered this alert instance.
`ILM_TARGET`	`VARCHAR2(12)`	ILM string for partition.
`OLDEST_EVENT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time of first event that triggered this alert instance. If this alert instance is related to only one event, then this value is the same as the value of `EVENT_TIMESTAMP`.
`RECORD_ID`	`NUMBER`	Record ID of event related to this alert instance.

Table A-7 describes the AVSYS.ALERT_NOTE table, which stores notes for alert instances. Each alert instance can have multiple notes. Columns are in alphabetical order.

Table A-7 AVSYS.ALERT_NOTE Table

Column	Data Type	Description
`ALERT_ID`	`NUMBER`	ID of this note.
`ALERT_NOTE_ID`	`NUMBER`	ID of alert instance associated with this note.
`HEADER`	`VARCHAR2(4000 BYTE)`	Header of this note.
`ILM_TARGET`	`VARCHAR2(12)`	ILM string for partition.
`NOTE_CONTENT`	`VARCHAR2(4000 BYTE)`	Content of this note.
`NOTE_CREATOR`	`VARCHAR2(30)`	User who created this note.
`NOTE_OWNER`	`VARCHAR2(30)`	Owner of this note, same as alert definition.
`NOTE_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when this note was created.
`OLDEST_EVENT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time of first event that triggered this alert instance.

Data for Entitlement Reports

This section describes the data that you need to create entitlement reports:

Table A-8, "AVSYS.UE_DBA_APPLICATION_ROLES"
Table A-9, "AVSYS.UE_DBA_COL_PRIVS"
Table A-10, "AVSYS.UE_DBA_PROFILES"
Table A-11, "AVSYS.UE_DBA_ROLES"
Table A-12, "AVSYS.UE_DBA_ROLE_PRIVS"
Table A-13, "AVSYS.UE_DBA_SYS_PRIVS"
Table A-14, "AVSYS.UE_DBA_TAB_PRIVS"
Table A-15, "AVSYS.UE_DBA_USERS"
Table A-16, "AVSYS.UE_ROLE_SYS_PRIVS"
Table A-17, "AVSYS.UE_ROLE_TAB_PRIVS"
Table A-18, "AVSYS.UE_SYS_DBA_OPER_USERS"

Note:

In each of the preceding table names, "UE" means "User Entitlement."

Table A-8 describes the AVSYS.UE_DBA_APPLICATION_ROLES table, which stores information about roles granted to Oracle Database packages. Columns are in alphabetical order.

Table A-8 AVSYS.UE_DBA_APPLICATION_ROLES

Column	Data Type	Description
`PACKAGE`	`VARCHAR2 (30)`	Name of Oracle Database package to which role was granted
`ROLE`	`VARCHAR2 (30)`	Role granted to package
`SCHEMA`	`VARCHAR2 (30)`	Schema to which package belongs
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table A-9 describes the AVSYS.UE_DBA_COL_PRIVS table, which stores information about privileges granted to users on individual columns of Oracle Database tables. Columns are in alphabetical order.

Table A-9 AVSYS.UE_DBA_COL_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`COLUMN_NAME`	`VARCHAR2 (30)`	Name of column on which privilege was granted
`GRANTABLE`	`VARCHAR2 (3)`	Whether the privilege was granted with the `GRANTABLE` option—`YES` or `NO`
`GRANTEE`	`VARCHAR2 (30)`	User to whom the column privilege was granted
`GRANTOR`	`VARCHAR2 (30)`	User who granted the column privilege to `GRANTEE`
`OWNER`	`VARCHAR2 (30)`	Column privilege owner
`PRIVILEGE`	`VARCHAR2 (40)`	Column privilege
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID
`TABLE_NAME`	`VARCHAR2 (30)`	Name of Oracle Database table to which column belongs

Table A-10 describes the AVSYS.UE_DBA_PROFILES table, which stores information about Oracle Database profiles. Columns are in alphabetical order.

Table A-10 AVSYS.UE_DBA_PROFILES

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`LIMIT`	`VARCHAR2 (40)`	Profile limit
`PROFILE`	`VARCHAR2 (30)`	Profile name
`RESOURCE_NAME`	`VARCHAR2 (32)`	Resource name
`RESOURCE_TYPE`	`VARCHAR2 (8)`	Resource type
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table A-11 describes the AVSYS.UE_DBA_ROLES table, which stores information about Oracle Database roles. The table has one row for each role. Columns are in alphabetical order.

Table A-11 AVSYS.UE_DBA_ROLES

Column	Data Type	Description
`AUTHENTICATION_TYPE`	`VARCHAR2 (8)`	Authentication mechanism for this user: `EXTERNAL - CREATE USER user1 IDENTIFIED EXTERNALLY` `GLOBAL - CREATE USER user2 IDENTIFIED GLOBALLY` `PASSWORD - CREATE USER user3 IDENTIFIED BY user3`
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`PASSWORD_REQUIRED`	`VARCHAR2 (8)`	Whether the role requires a password—`YES` or `NO`
`ROLE`	`VARCHAR2 (30)`	Name of the role
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table A-12 describes the AVSYS.UE_DBA_ROLE_PRIVS table, which stores information about the roles granted to users and roles. Columns are in alphabetical order.

Table A-12 AVSYS.UE_DBA_ROLE_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`ADMIN_OPTION`	`VARCHAR2 (3)`	Whether the privilege was granted with the `ADMIN` option—`YES` or `NO`
`DEFAULT_ROLE`	`VARCHAR2 (3)`	Whether the role is the default role for the user—`YES` or `NO`
`GRANTED_ROLE`	`VARCHAR2 (30)`	Name of the role granted to the user or role
`GRANTEE`	`VARCHAR2 (30)`	Name of the user or role to which the `GRANTED_ROLE` was granted
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table A-13 describes the AVSYS.UE_DBA_SYS_PRIVS table, which stores information about the system privileges granted to users and roles. Columns are in alphabetical order.

Table A-13 AVSYS.UE_DBA_SYS_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`ADMIN_OPTION`	`VARCHAR2 (3)`	Whether the privilege was granted with the `ADMIN` option—`YES` or `NO`
`GRANTEE`	`VARCHAR2 (30)`	Name of the user or role to whom the system privilege was granted
`PRIVILEGE`	`VARCHAR2 (40)`	System privilege
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table A-14 describes the AVSYS.UE_DBA_TAB_PRIVS table, which stores information about the privileges granted to users on objects. Columns are in alphabetical order.

Table A-14 AVSYS.UE_DBA_TAB_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`GRANTABLE`	`VARCHAR2 (3)`	Whether the privilege was granted with the `GRANTABLE` option—`YES` or `NO`
`GRANTEE`	`VARCHAR2 (30)`	User to whom the privilege was granted
`GRANTOR`	`VARCHAR2 (30)`	User who granted the privilege to `GRANTEE`
`HIERARCHY`	`VARCHAR2 (3)`	Whether the privilege was granted with the `HIERARCHY` option—`YES` or `NO`
`OWNER`	`VARCHAR2 (30)`	Owner of the object
`PRIVILEGE`	`VARCHAR2 (40)`	Privilege on the object
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID
`TABLE_NAME`	`VARCHAR2 (30)`	Name of the object on which privilege was granted
`TYPE`	`VARCHAR2 (24)`	Object type (table, view, sequence, etc.)

Table A-15 describes the AVSYS.UE_DBA_USERS table, which has a row for every Oracle Database user. Columns are in alphabetical order.

Table A-15 AVSYS.UE_DBA_USERS

Column	Data Type	Description
`ACCOUNT_STATUS`	`VARCHAR2 (32)`	User account status, which is one of these: `OPEN` `EXPIRED` `EXPIRED(GRACE)` `LOCKED(TIMED)` `LOCKED` `EXPIRED & LOCKED(TIMED)` `EXPIRED(GRACE) & LOCKED(TIMED)` `EXPIRED & LOCKED` `EXPIRED(GRACE) & LOCKED`
`AUTHENTICATION_TYPE`	`VARCHAR2 (8)`	Authentication mechanism for this user: `EXTERNAL - CREATE USER user1 IDENTIFIED EXTERNALLY` `GLOBAL - CREATE USER user2 IDENTIFIED GLOBALLY` `PASSWORD - CREATE USER user3 IDENTIFIED BY user3`
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`CREATED`	`TIMESTAMP (0) WITH LOCAL TIME ZONE`	Date when user account was created
`DEFAULT_TABLESPACE`	`VARCHAR2 (30)`	Default tablespace for user
`EDITIONS_ENABLED`	`VARCHAR2 (1)`	Indicates whether editions have been enabled for the corresponding user (`Y` or `N`)
`EXPIRY_DATE`	`TIMESTAMP (0) WITH LOCAL TIME ZONE`	Date when user account expires or expired
`EXTERNAL_NAME`	`VARCHAR2 (4000)`	External name of user
`INITIAL_RSRC_CONSUMER_GROUP`	`VARCHAR2 (30)`	Initial resource consumer group
`LAST_LOGON`	`TIMESTAMP (9) WITH LOCAL TIME ZONE`	For Oracle Database 12c, time when user last logged on
`LOCK_DATE`	`TIMESTAMP (0) WITH LOCAL TIME ZONE`	Date when user account was locked
`ORACLE_MAINTAINED`	`CHAR (1)`	For Oracle Database 12c, whether user was created, and is maintained, by Oracle-supplied scripts. A value of `Y` means that user must not be changed in any way except by running an Oracle-supplied script.
`PROFILE`	`VARCHAR2 (30)`	User profile
`PROXY_ONLY_CONNECT`	`CHAR (1)`	For Oracle Database 12c, whether this user can connect only through a proxy
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID
`TEMPORARY_TABLESPACE`	`VARCHAR2 (30)`	Temporary tablespace for user
`USERNAME`	`VARCHAR2 (30)`	Oracle Database user name

Table A-16 describes the AVSYS.UE_ROLE_SYS_PRIVS table, which stores information about system privileges granted to roles. Columns are in alphabetical order.

Table A-16 AVSYS.UE_ROLE_SYS_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`ADMIN_OPTION`	`VARCHAR2 (3)`	Whether the privilege was granted with the `ADMIN` option—`YES` or `NO`
`PRIVILEGE`	`VARCHAR2 (40)`	System privilege granted to the role
`ROLE`	`VARCHAR2 (30)`	Name of role
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table A-17 describes the AVSYS.UE_ROLE_TAB_PRIVS table, which stores information about the table privileges granted to roles. Columns are in alphabetical order.

Table A-17 AVSYS.UE_ROLE_TAB_PRIVS

Column	Data Type	Description
`COLUMN_NAME`	`VARCHAR2 (30)`	Name of column on which privilege was granted
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`GRANTABLE`	`VARCHAR2 (3)`	Whether the privilege was granted with the `GRANTABLE` option—`YES` or `NO`
`OWNER`	`VARCHAR2 (30)`	Table privilege owner
`PRIVILEGE`	`VARCHAR2 (40)`	Table privilege
`ROLE`	`VARCHAR2 (30)`	Role to which table privilege was granted
`TABLE_NAME`	`VARCHAR2 (30)`	Name of Oracle Database table on which privilege was granted
`UE_SNAPSHOT_SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table A-18 describes the AVSYS.UE_SYS_DBA_OPER_USERS table, which stores information about all users in the password file. Columns are in alphabetical order.

Table A-18 AVSYS.UE_SYS_DBA_OPER_USERS

Column	Data Type	Description
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID
`SYSASM`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSASM` privilege—`TRUE` or `FALSE`.
`SYSBACKUP`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSBACKUP` privilege—`TRUE` or `FALSE`.
`SYSDBA`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSDBA` privilege—`TRUE` or `FALSE`.
`SYSDG`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSDG` privilege—`TRUE` or `FALSE`.
`SYSKM`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSKM` privilege—`TRUE` or `FALSE`.
`SYSOPER`	`VARCHAR2 (8)`	Whether the user can connect to the database with the `SYSOPER` privilege—`TRUE` or `FALSE`.
`USERNAME`	`VARCHAR2 (30)`	User name in the password file

Data for SPA Reports

This section describes data that you need to create custom Stored Procedure Auditing (SPA) reports:

Table A-19, "AVSYS.SPA_OBJECTS"
Table A-20, "AVSYS.SPA_EDITS"

Table A-19 describes the AVSYS.SPA_OBJECTS table, which stores summary data about stored procedure objects.

Table A-19 AVSYS.SPA_OBJECTS

Column	Data Type	Description
`ID`	`INTEGER`	Unique identifier for the object
`SECURED_TARGET_ID`	`INTEGER`	The secured target source of database objects
`OBJECT_SUBTYPE`	`VARCHAR2(40 BYTE)`	The subtype of the object
`OBJECT_CLASS`	`VARCHAR2(40 BYTE)`	The class of the object
`NAME`	`VARCHAR2 (1024 CHAR)`	The name of the object
`CHANGED_BY`	`VARCHAR2 (2048 CHAR)`	Coma separated database users that modified the object
`LAST_CHANGED_AT`	`TIMESTAMP WITH LOCAL TIME ZONE`	The date and time when the object was changed
`LAST_SIGNATURE`	`VARCHAR2 (40 BYTE)`	The hash of the object (signature change means object change)
`LAST_EDIT_TYPE`	`VARCHAR2 (40 BYTE)`	The most recent type of the change
`EDIT_CNT_NEW`	`INTEGER`	Keeps the number of "new" edit records is for this object
`EDIT_CNT_MODIFY`	`INTEGER`	Keeps the number of "modify" edit records is for this object
`EDIT_CNT_DELETE`	`INTEGER`	Keeps the number of "delete" edit records is for this object
`CHANGES_SUMMARY`	`VARCHAR2(255 CHAR)`	The summary of the changes
`UPDATED_AT`	`TIMESTAMP WITH LOCAL TIME ZONE`	The date and time when the record was updated by the Database Firewall software

Table A-20 describes the AVSYS.SPA_EDITS table, which stores data about, and the content of, stored procedure edits.

Table A-20 AVSYS.SPA_EDITS

Column	Data Type	Description
`ID`	`INTEGER`	Unique identifier for the object
`OBJECT_ID`	`INTEGER`	Foreign key that references the `ID` column of the `AVSYS.SPA_OBJECTS` table
`SIGNATURE`	`VARCHAR2 (40 BYTE)`	The hash of the object (signature change means object change)
`CONTENT`	`CLOB`	The new content of the object
`EDIT_TYPE`	`VARCHAR2 (40 BYTE)`	The type of the change
`CHANGED_BY`	`VARCHAR2 (2048 CHAR)`	The database user that modified the object
`CHANGED_AT`	`TIMESTAMP WITH LOCAL TIME ZONE`	The date and time when the object was changed
`DETECTED_AT`	`TIMESTAMP WITH LOCAL TIME ZONE`	The date and time when the change was detected on the controller

Data for Database Firewall Reports

This section describes data that you need to create custom Database Firewall reports:

Table A-21, "AVSYS.FW_CLUSTER"
Table A-22, "AVSYS.FW_CLUSTER_COMPONENT"

Table A-21 describes the AVSYS.FW_CLUSTERS table, which provides summary data on cluster traffic to secured target databases, and gives an example statement that would appear in a given cluster.

Table A-21 AVSYS.FW_CLUSTER

Column	Data Type	Description
`ID`	`NUMBER`	Cluster global identifier
`SECURED_TARGET_ID`	`INTEGER`	The secured target database for this cluster
`CLUSTER_HASH`	`INTEGER`	The hash of the cluster
`GRAMMAR_VERSION`	`INTEGER`	Version number of the Database Firewall grammar
`FIREWALL_DIALECT`	`SMALLINTEGER`	Database type of the cluster (seeAVSYS.SECURED_TARGET_TYPE Table for meaning)
`CLUSTER_TYPE`	`VARCHAR2 (40 BYTE)`	Type of statements included in the cluster
`REPRESENTATION`	`CLOB`	Cluster path representation
`CLUSTER_EXAMPLE`	`CLOB`	An example statement in the cluster

Table A-22 describes the AVSYS.FW_CLUSTER_COMPONENTS table, which provides cluster data broken down into cluster components. This data may be used, for example, to report on clusters related to a specific database table or table column.

Table A-22 AVSYS.FW_CLUSTER_COMPONENT

Column	Data Type	Description
`CLUSTER_ID`	`INTEGER`	Foreign key that references the ID column of the `AVSYS.FW_CLUSTERS` table
`COMPONENT_INDEX`	`INTEGER`	Index of the component (starts with 1)
`COMPONENT_TYPE`	`VARCHAR2(50 BYTE)`	Component type may be one of: `'keyword`', `'column'`, `'table'`, `'procedure`', `'cluster_set'`, `'function`', `'_'`
`COMPONENT_VALUE`	`VARCHAR2(4000 CHAR)`	The component string
`COMPONENT_USAGE`	`VARCHAR2(50 BYTE)`	Component usage may be one of: `NULL,'read`', `'write'`, `'define'`, `'call`', `'control'`