Use Oracle AI Database Vault with Autonomous AI Database

Oracle AI Database Vault implements powerful security controls for your database. These unique security controls restrict access to application data by privileged database users, reducing the risk of insider and outside threats and addressing common compliance requirements.

See What Is Oracle AI Database Vault? for more information.

Oracle AI Database Vault Users and Roles on Autonomous AI Database

Oracle AI Database Vault provides powerful security controls to help protect application data from unauthorized access, and to implement separation of duties between administrators and data owners to comply with privacy and regulatory requirements.

By default the ADMIN user has the DV_OWNER and DV_ACCTMGR roles. If you want to set up separate users for the DV_OWNER and DV_ACCTMGR accounts, see Oracle AI Database Vault Schemas, Roles, and Accounts for more information.

User management is enabled by default for the APEX component when Oracle AI Database Vault is enabled. When user management is enabled, APEX users who have the necessary roles to CREATE, ALTER, and DROP users retain the privileges needed to perform these operations while Database Vault is enabled. To change this, see Disable User Management with Oracle AI Database Vault on Autonomous AI Database.

On Autonomous AI Database with Oracle AI Database Vault enabled, grant the following privileges:

Enable Oracle AI Database Vault on Autonomous AI Database

Shows the steps to enable Oracle AI Database Vault on Autonomous AI Database.

Oracle AI Database Vault is disabled by default on Autonomous AI Database. To configure and enable Oracle AI Database Vault on Autonomous AI Database, do the following:

  1. Configure Oracle AI Database Vault using the following command:

    EXEC DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT('adb_dbv_owner', 'adb_dbv_acctmgr');

    Where:

    • adb_dbv_owner is the Oracle AI Database Vault owner.

    • adb_dbv_acctmgr is the account manager.

    See CONFIGURE_DATABASE_VAULT Procedure for more information.

  2. Enable Oracle AI Database Vault:

    EXEC DBMS_CLOUD_MACADM.ENABLE_DATABASE_VAULT;

    See ENABLE_DATABASE_VAULT Procedure for more information.

  3. Restart the Autonomous AI Database instance. You can perform either a traditional or an Online restart.

    See Restart Autonomous AI Database for more information.

Use the following command to check if Oracle AI Database Vault is enabled or disabled:

SELECT * FROM DBA_DV_STATUS;

Output similar to the following appears:

NAME                 STATUS
-------------------- -----------
DV_CONFIGURE_STATUS  TRUE
DV_ENABLE_STATUS     TRUE

The DV_ENABLE_STATUS value TRUE indicates Oracle AI Database Vault is enabled.
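
The status query can be extended into a post-restart verification that also tests the separation of duties described earlier, where one account holding both DV_OWNER and DV_ACCTMGR is the condition to flag. The following PL/SQL block is an added example, not part of Oracle's documentation; it assumes a SQL*Plus or SQLcl session that can read DBA_DV_STATUS and DBA_ROLE_PRIVS, and the error number -20001 is an arbitrary choice.

```sql
-- Added example (not Oracle's own script). Assumes the session can read
-- DBA_DV_STATUS and DBA_ROLE_PRIVS; run it after the restart in step 3.
SET SERVEROUTPUT ON

DECLARE
  v_configured VARCHAR2(64);
  v_enabled    VARCHAR2(64);
  v_findings   PLS_INTEGER := 0;
BEGIN
  -- 1. Both status rows must read TRUE, as in the sample output above.
  SELECT MAX(CASE WHEN name = 'DV_CONFIGURE_STATUS' THEN status END),
         MAX(CASE WHEN name = 'DV_ENABLE_STATUS'    THEN status END)
    INTO v_configured, v_enabled
    FROM dba_dv_status;

  IF NVL(v_configured, 'FALSE') <> 'TRUE'
     OR NVL(v_enabled, 'FALSE') <> 'TRUE' THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Database Vault not active: configure=' || NVL(v_configured, 'n/a') ||
      ', enable=' || NVL(v_enabled, 'n/a'));
  END IF;

  -- 2. Separation of duties: report every grantee (user or role) that
  --    holds both DV_OWNER and DV_ACCTMGR, as ADMIN does by default.
  FOR r IN (
    SELECT grantee
      FROM dba_role_privs
     WHERE granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
     GROUP BY grantee
    HAVING COUNT(DISTINCT granted_role) = 2
     ORDER BY grantee
  ) LOOP
    v_findings := v_findings + 1;
    DBMS_OUTPUT.PUT_LINE('FINDING: ' || r.grantee ||
                         ' holds both DV_OWNER and DV_ACCTMGR');
  END LOOP;

  IF v_findings = 0 THEN
    DBMS_OUTPUT.PUT_LINE('OK: Database Vault is enabled and DV_OWNER and ' ||
                         'DV_ACCTMGR are held by different accounts');
  END IF;
END;
/
```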

Note: Autonomous AI Database maintenance operations such as backups and patching are not affected when Oracle AI Database Vault is enabled.

See Disable Oracle AI Database Vault on Autonomous AI Database for information on disabling Oracle AI Database Vault.

Disable Oracle AI Database Vault on Autonomous AI Database

Shows the steps to disable Oracle AI Database Vault on Autonomous AI Database.

To disable Oracle AI Database Vault on Autonomous AI Database, do the following:

  1. Disable Oracle AI Database Vault:

    EXEC DBMS_CLOUD_MACADM.DISABLE_DATABASE_VAULT;

    See DISABLE_DATABASE_VAULT Procedure for more information.

  2. Restart the Autonomous AI Database instance. You can perform either a traditional or an Online restart.

    See Restart Autonomous AI Database for more information.

Use the following command to check if Oracle AI Database Vault is enabled or disabled:

SELECT * FROM DBA_DV_STATUS;

Output similar to the following appears:

NAME                 STATUS
-------------------- -----------
DV_CONFIGURE_STATUS  TRUE
DV_ENABLE_STATUS     FALSE

The DV_ENABLE_STATUS value FALSE indicates Oracle AI Database Vault is disabled.

Disable User Management with Oracle AI Database Vault on Autonomous AI Database

Shows how to disallow user management related operations for specified components on Autonomous AI Database with Oracle AI Database Vault enabled.

Autonomous AI Database with Oracle AI Database Vault enabled has user management, by default, enabled for the Oracle APEX console. If you want to enforce stricter separation of duty and disallow user management from this console, use DBMS_CLOUD_MACADM.DISABLE_USERMGMT_DATABASE_VAULT.

  1. A user granted the DV_ACCTMGR and DV_ADMIN roles can disable user management for specified components.

  2. To disable user management for a specified component, for example for the APEX component, use the following command:

    EXEC DBMS_CLOUD_MACADM.DISABLE_USERMGMT_DATABASE_VAULT('APEX');

See DISABLE_USERMGMT_DATABASE_VAULT Procedure for more information.

Enable User Management with Oracle AI Database Vault on Autonomous AI Database

Shows the steps to allow user management for a specified component on Autonomous AI Database with Oracle AI Database Vault enabled.

Autonomous AI Database with Oracle AI Database Vault enabled has user management, by default, enabled for the Oracle APEX console. This allows user management for operations such as CREATE USER, ALTER USER, and DROP USER from the specified component in Autonomous AI Database.

Use DBMS_CLOUD_MACADM.ENABLE_USERMGMT_DATABASE_VAULT to allow specified user accounts to perform user management when Oracle AI Database Vault is enabled. Use this procedure if user management is disabled and you want to enable it again.

  1. A user granted DV_ACCTMGR and DV_ADMIN roles can enable user management for specified components.

  2. To enable user management for a specified component, for example for the APEX component, use the following command:

    EXEC DBMS_CLOUD_MACADM.ENABLE_USERMGMT_DATABASE_VAULT('APEX');

See ENABLE_USERMGMT_DATABASE_VAULT Procedure for more information.