Enterprise User Security centrally manages database users and authorizations in one place.

It is combined with Oracle Identity Management and is available in Oracle Database Enterprise Edition.

In general, to integrate Oracle Database Vault with Oracle Enterprise User Security, you configure the appropriate realms to protect the data that you want to protect in the database.

After you define the Oracle Database Vault realms as needed, you can create a rule set for the Enterprise users to allow or disallow their access.

To configure an Enterprise User authorization, you must create an Oracle Database Vault rule set to control the user access.

1. Create a rule to allow or disallow user access.

   Follow the instructions in Creating a Rule to Add to a Rule Set to create a new rule. In the Create Rule page, enter the following PL/SQL in the Rule Expression field:

   SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY') = 'user_domain_name'
   

   Replace user_domain_name with the domain, for example:

   SYS_CONTEXT('USERENV','AUTHENTICATED_IDENTITY') = 'myserver.us.example.com'
   

2. Add this rule to a new rule set.

   Creating a Rule Set explains how to create a new rule set, including how to add an existing rule to it.

3. Add this rule set to the realm authorization for the data that you want to protect.

   About Realm Authorization explains how to create realm authorizations. In the Authorization Rule Set list, select the rule set that you created in Step 2. Afterward, the realm authorization applies to all users.

You can configure existing Oracle Database Vault user accounts as enterprise user accounts.

1. Log into the database instance as a user who has been granted the CREATE ROLE system privilege.

   For example:

   sqlplus system
   Enter password: password
   

2. In a multitenant environment, connect to the appropriate pluggable database (PDB).

   For example:

   CONNECT SYSTEM@hrpdb
   Enter password: password
   

   To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

3. Create a global role for the DV_OWNER role and a global role for the DV_ACCTMGR role.

   For example:

   CREATE ROLE g_dv_owner IDENTIFIED GLOBALLY;
   CREATE ROLE g_dv_acctmgr IDENTIFIED GLOBALLY;
   

4. Connect as a user who has been granted the DV_OWNER role.

   For example:

   CONNECT dbv_owner -- Or, CONNECT dbv_owner@hrpdb
   Enter password: password
   

5. Grant the DV_OWNER role to the global DV_OWNER role.

   GRANT DV_OWNER TO g_dv_owner;
   

6. Connect as a user who has been granted the DV_ACCTMGR role.

   For example:

   CONNECT dbv_acctmgr -- Or, CONNECT dbv_acctmgr@hrpdb
   Enter password: password
   

7. Grant the DV_ACCTMGR role to the global DV_ACCTMGR role.

   GRANT DV_ACCTMGR TO g_dv_acctmgr;
   

8. Connect as user SYS with the SYSDBA administrative privilege.

   CONNECT SYS AS SYSDBA -- Or, CONNECT SYS@hrpdb AS SYSDBA
   Enter password: password
   

9. Temporarily grant the DV_ACCTMGR user who will import the Database Vault users into OID the CREATE TABLE privilege and the SELECT_CATALOG_ROLE role.

   GRANT CREATE TABLE, SELECT_CATALOG_ROLE TO dbv_acctmgr;
   

10. From the command line, run the User Migration Utility (UMU) to import the Database Vault accounts into Oracle Internet Directory (OID).

    The following example imports the Database Vault accounts leo_dvowner and bea_dvacctmgr into OID. The DV_ACCTMGR user is specified for the DBADMIN setting.

    $ORACLE_HOME/rdbms/bin/umu PHASE=ONE
    DBADMIN=dbv_acctmgr:password
    ENTADMIN=cn=jane_ent_admin,dc=example,dc=com:password
    USERS= LIST
    DBLOCATION=example.com:7777:orcl
    DIRLOCATION=example.com:636
    USERSLIST=leo_dvowner:bea_dvacctmgr
    MAPSCHEMA=PRIVATE
    CONTEXT=CONTEXT="c=Users, c=us"
    KREALM=EXAMPLE.COM
    
    $ORACLE_HOME/rdbms/bin/umu PHASE=TWO
    DBADMIN=dbv_acctmgr:password
    ENTADMIN=cn=jane_ent_admin,dc=example,dc=com:password
    DBLOCATION=example.com:7777:orcl
    DIRLOCATION=example.com:636
    

    By default, errors are written to the $ORACLE_HOME/network/log/umu.log file.

11. From the Oracle Internet Directory Self Service Console (http://hostname:port/oiddas/), grant the global DV_OWNER and DV_ACCTMGR roles (for example, g_dv_owner and g_dv_acctmgr) to the enterprise user Database Vault accounts.

    See the example of creating enterprise users in Oracle Database Enterprise User Security Administrator's Guide for a demonstration of creating an enterprise role from a global role and then granting this role to a user.

12. From SQL*Plus, as user SYS with the SYSDBA administrative privilege, revoke the CREATE TABLE and SELECT_CATALOG_ROLE role from the DV_ACCTMGR user.

    REVOKE CREATE TABLE, SELECT_CATALOG_ROLE FROM dbv_acctmgr;

An Oracle Database Vault-Oracle Label Security integration enables you to assign an OLS label to a Database Vault factor identity.

In Oracle Label Security, you can restrict access to records in database tables or PL/SQL programs. For example, Mary may be able to see data protected by the HIGHLY SENSITIVE label, an Oracle Label Security label on the EMPLOYEE table that includes records that should have access limited to certain managers. Another label can be PUBLIC, which allows more open access to this data.

In Oracle Database Vault, you can create a factor called Network, for the network on which the database session originates, with the following identities:

• Intranet: Used for when an employee is working on site within the intranet for your company.

• Remote: Used for when the employee is working at home from a VPN connection.

You then assign a maximum session label to both. For example:

• Assign the Intranet identity to the HIGHLY SENSITIVE Oracle Label Security label.

• Assign the Remote identity to the PUBLIC label.

This means that when Mary is working at home using her VPN connection, she has access only to the limited table data protected under the PUBLIC identity. But when she is in the office, she has access to the HIGHLY SENSITIVE data, because she is using the Intranet identity. Tutorial: Integrating Oracle Database Vault with Oracle Label Security provides an example of how to accomplish this type of integration.

In a non-unified auditing environment, you can audit the integration with Oracle Label Security by using the Label Security Integration Audit Report. Oracle Database Vault writes the audit trail to the DVSYS.AUDIT_TRAIL$ table. If unified auditing is enabled, then you can create audit policies to capture this information, as described in Oracle Database Security Guide.

You must fulfill specific requirements in place before you use Oracle Database Vault with Oracle Label Security.

• Oracle Label Security is licensed separately. Ensure that you have purchased a license to use it.

• Before you install Oracle Database Vault, you must have already installed Oracle Label Security.

• The installation process for Oracle Label Security creates the LBACSYS user account. As a user who has been granted the DV_ACCTMGR role, unlock this account and grant it a new password. For example:

  sqlplus bea_dvacctmgr -- Or, sqlplus bea_dvacctmgr@hrpdb for a PDB
  Enter password: password
  
  ALTER USER LBACSYS ACCOUNT UNLOCK IDENTIFIED BY password;
  

  Follow the guidelines in Oracle Database Security Guide to replace password with a password that is secure.

• If you plan to use the LBACSYS user account in Oracle Enterprise Manager, then log into Enterprise Manager as user SYS with the SYSDBA administrative privilege, and grant this user the SELECT ANY DICTIONARY and SELECT_CATALOG_ROLE system privileges.

• Ensure that you have the appropriate Oracle Label Security policies defined. For more information, see Oracle Label Security Administrator’s Guide.

• If you plan to integrate an Oracle Label Security policy with a Database Vault policy, then ensure that the policy name for Oracle Label Security is less than 24 characters. You can check the names of Oracle Label Security policies by querying the POLICY_NAME column of the ALL_SA_POLICIES data dictionary view.

To enhance security, you can integrate Oracle Database Vault factors with Oracle Label Security policies.

• About Using Oracle Database Vault Factors with Oracle Label Security Policies
  And Oracle Database Vault-Oracle Label Security integration enables you to control the maximum security clearance for a database session.
• Configuring Factors to Work with an Oracle Label Security Policy
  You can define factors that contribute to the maximum allowable data label of an Oracle Label Security policy.

An Oracle Database Vault-Oracle Label Security integration can grant different levels of access to two administrative users who have the same privileges.

• About This Tutorial
  You can use Oracle Database Vault factors with Oracle Label Security and Oracle Virtual Private Database (VPD) to restrict sensitive data access.
• Step 1: Create Users for This Tutorial
  You must create two administrative users for this tutorial.
• Step 2: Create the Oracle Label Security Policy
  Next, you can create the Oracle Label Security policy and grant users the appropriate privileges for it.
• Step 3: Create Oracle Database Vault Rules to Control the OLS Authorization
  After you create the Oracle Label Security policy, you can create Database Vault rules to work with it.
• Step 4: Update the ALTER SYSTEM Command Rule to Use the Rule Set
  Before the rule set can be used, you must update the ALTER SYSTEM command rule, which is a default command rule.
• Step 5: Test the Authorizations
  With all the components in place, you are ready to test the authorization.
• Step 6: Remove the Components for This Tutorial
  You can remove the components that you created for this tutorial if you no longer need them.

Oracle Database Vault provides reports and data dictionary views that list information about the Oracle Database Vault-Oracle Label Security integration.

You must run the DGMGRL utility, register Database Vault, and then run the ALTER SYSTEM statement, to configure the primary database.

You can perform the standby database configuration within the database to be used for the standby database.

1. Log into the database instance as user SYS with the SYSDBA administrative privilege.

   sqlplus sys as sysdba
   Enter password: password
   

2. In a multitenant environment, connect to the appropriate PDB.

   For example:

   CONNECT bea_dvacctmgr@hrpdb
   Enter password: password
   

   To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

3. Mount a standby database instance.

   ALTER DATABASE MOUNT STANDBY DATABASE;
   

4. Run the following ALTER SYSTEM statements:

   ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE; 
   ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE; 
   ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; 
   ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE;
   ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE;
   ALTER SYSTEM SET REMOTE_OS_AUTHENT=FALSE SCOPE=SPFILE; 
   ALTER SYSTEM SET REMOTE_OS_ROLES=FALSE SCOPE=SPFILE;
   

5. Restart or mount the database instance.

   For example:

   SHUTDOWN IMMEDIATE
   STARTUP
   

6. Mount the next standby instance.
7. Restart the managed recovery as follows:

   ALTER DATABASE RECOVER MANAGED STANDBY DATABASE; 
   

8. If you are using Data Guard Broker, then from the command line, re-enable the configuration.

   dgmgrl sys
   Enter password: password
   
   DGMGRL> enable configuration; 
   

   This command applies the changes to the physical standby database made by the Oracle Database Vault installation on the primary database.

9. Repeat the physical standby installation process on each physical standby database. For example, if there are three physical standby databases, then run these procedures or each standby database.