Oracle Database Vault policies can group realm and command rule definitions into one policy, which then can be collectively enabled or disabled.

Database Vault policies enable you to delegate limited realm administration privileges to database users without giving them the powerful privileges that the DVADM and DVOWNER roles provide. Oracle Database Vault provides default policies.

For example, suppose you have a set of Oracle Database Vault objects that are related to a particular application, such as a realm and several command rules. You can use a Database Vault policy to group these objects into one policy. You then can designate a policy administrator to manage adding users to a realm for this application and for enabling or disabling the policy. If there is only one primary application, then it can be used for manageability where a user can enable, disable, or simulate (use simulation mode) all related objects with one command rather than issuing a command for each included Database Vault object.

How the enablement of the individual realms and command rules works depends on how you set the policy state of the policy, as follows:

• Full enabled mode (DBMS_MACADM.G_ENABLED) sets the policy to take precedence over the individual enablement settings of the associated realms and command rules. For example, if the associated objects of a policy are individually disabled, then they will be enabled if the policy is enabled. (Conversely, you can set DBMS_MACADM.G_PARTIAL to allow the embedded security objects to set their own enabled, disabled, or simulation mode.)

• Partial enabled mode (DBMS_MACADM.G_PARTIAL) enables the associated realms and command rules to have different status settings (ENABLED, DISABLED, and SIMULATION). The other policy status choices force all associated controls to the same status dictated by the policy. Setting the policy status to partial allows each realm and command rule to change status as required.

• Simulation mode (DBMS_MACACM.G.SIMULATION) enables the policy but writes violations to realms or command rules to a designated log table with information about the type of violation, such as a user name or the SQL statement that was used. Simulation forces every security object in the policy to be in simulation mode.

• Disabled mode (DBMS_MACADM.G_DISABLED) disables the policy after you create it.

In general, to create a Database Vault policy, you perform the following steps:

1. Create the necessary realms and command rules to use in the policy.

2. Create the Database Vault policy.

   You can use the DBMS_MACADM.CREATE_POLICY procedure to create the policy.

3. Add one or more realms to the policy.

   You can use the DBMS_MACADM.ADD_REALM_TO_POLICY procedure to add realms to the policy.

4. Add one or more command rules to the policy.

   You can use the DBMS_MACADM.ADD_CMD_TO_POLICY procedure to add command rules to the policy.

5. Add one or more database users as owners of the policy.

   You can use the DBMS_MACADM.ADD_OWNER_TO_POLICY procedure to add users to the policy. Afterward, grant this user the DV_POLICY_OWNER role. This user will be able to perform a limited set of tasks: changing the policy state, adding or removing authorization from a realm, and having the SELECT privilege for a set of the DVSYS.POLICY_OWNER* data dictionary views. By default, the DVOWNER user owns the policy.

After the policy is created, it can be used right away.

This section explains how to configure policies by using the Oracle Database Vault Administrator pages in Oracle Enterprise Manager Cloud Control. To configure policies by using the PL/SQL interfaces and packages provided by Oracle Database Vault, you must use the DBMS_MACADM PL/SQL package.

Oracle Database Vault policies are only local to the pluggable database (PDB) in which they were created.

That is, if you created the policy in a PDB, then only local realms and command rules can be added to it. You cannot create Database Vault policies that can have common realms or common command rules.