4 Managing Access and Other Settings

Access and other settings cover areas such as user accounts and privileges, and creating report templates.

4.1 Managing User Accounts and Access

A super user can manage user accounts and access.

4.1.1 About Oracle AVDF Auditor Accounts and Passwords

Learn about Oracle AVDF auditor user accounts and passwords.

There are three types of auditor accounts in Oracle Audit Vault and Database Firewall:

  • Super Auditor:
    • Creates user accounts for super auditors and auditors
    • Has auditor access to all targets and target groups
    • Grants auditor access to targets or target groups to auditors
  • Auditor: Has access to specific targets or target groups granted by a super auditor
  • Readonly Auditor: Has readonly access to:
    • Target database details as granted to them by the Super Auditor
    • Audit trail details
    • Database Firewall monitoring points
    • Dashboard data on the Home page, including the ability to view chart data and add filters
    • User entitlement, target database, and target database group access details
    • All reports and report schedules. Compliance Reports and Generated Reports for specific target databases are only visible to the Readonly Auditor if they have been granted access to the target database by the Super Auditor
    • All alerts and alert details

Passwords for these accounts need not be unique; however, Oracle recommends that passwords:

  • Have at least one uppercase alphabetic, one alphabetic, one numeric, and one special character (plus sign, comma, period, or underscore).

  • Be between 8 and 30 characters long.

  • Be composed of the following characters:

    • Lowercase letters: a-z.

    • Uppercase letters: A-Z.

    • Digits: 0-9.

    • Punctuation marks: comma (,), period (.), plus sign (+), colon (:), and underscore (_).

  • Not be the same as the user name.

  • Not be an Oracle reserved word.

  • Not be an obvious word (such as welcome, account, database, and user).

  • Not contain any repeating characters.

4.1.2 Creating Local Auditor Users

Learn how to create user accounts with auditor privileges.

Super auditors can create both super auditor and auditor user accounts.

To create an auditor account in Oracle Audit Vault and Database Firewall:

  1. Log in to the Audit Vault Server console as a super auditor.
  2. Click the Settings tab.

    The Manage Auditors subtab on the main page is selected by default.

  3. Click Add in the top right corner.
  4. In the Add Auditor dialog box, select Local AVDF User.
  5. For Local AVDF User, enter the details to create a database auditor.
  6. Enter the newly created Auditor Name.
  7. Select the Auditor Type.
  8. Enter the Password and Re-type Password.

    Oracle Audit Vault and Database Firewall does not accept user names with quotation marks, such as "jsmith".

  9. Click Save.

4.1.3 Creating New SSO Users

To create new users for single sign-on (SSO) authentication, you enter the user name and the auditor type.

  1. Log in to the Audit Vault Server console as a super auditor.
  2. Click the Settings tab.
  3. On the Manage Auditors subtab, click Add.
  4. In the dialog box, select Single Sign-On.
  5. Enter the SSO user name.

    Allowed characters include uppercase letters, lowercase letters, numbers, and symbols (@.-_!^~+%). The total length of the SSO user name can't exceed 127 characters.

    Note:

    Though AVDF accepts uppercase and lowercase letters, it stores the user name in uppercase only. Microsoft performs a case-insensitive comparison of user names.
  6. Select the auditor type, Auditor, Readonly Auditor, or Super Auditor.
  7. Click Save.
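The following is an added example, not Oracle's code, that applies the password recommendations from 4.1.1 and the SSO user name rules from 4.1.3 so that they can be checked before an account is created. It assumes that "repeating characters" means the same character twice in a row, that the user name comparison is case-insensitive, and that the reserved-word list is a small constructed subset.

```python
"""Pre-checks for local auditor passwords (4.1.1) and SSO user names (4.1.3)."""
import re

# Special characters the password recommendation asks for (plus, comma, period, underscore).
PASSWORD_SPECIALS = set("+,._")
# Full allowed character set (letters, digits, and the listed punctuation, colon included).
PASSWORD_CHARSET = re.compile(r"[A-Za-z0-9,.+:_]*")
# Constructed subset of Oracle reserved words; assumption: not the complete list.
ORACLE_RESERVED = {"SELECT", "TABLE", "USER", "ALTER", "CREATE", "DROP", "GRANT", "AUDIT"}
OBVIOUS_WORDS = {"welcome", "account", "database", "user"}
# SSO user names: letters, digits and the symbols @.-_!^~+% with at most 127 characters.
SSO_NAME_RE = re.compile(r"[A-Za-z0-9@.\-_!^~+%]{1,127}")


def check_password(password: str, username: str) -> list:
    """Return the list of recommendation violations; an empty list means it passes."""
    problems = []
    if not 8 <= len(password) <= 30:
        problems.append("length must be between 8 and 30 characters")
    if PASSWORD_CHARSET.fullmatch(password) is None:
        problems.append("only letters, digits and , . + : _ are allowed")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isalpha() for c in password):
        problems.append("needs an alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(c in PASSWORD_SPECIALS for c in password):
        problems.append("needs a special character (+ , . or _)")
    # Assumption: the user name comparison is case-insensitive.
    if password.lower() == username.lower():
        problems.append("must not equal the user name")
    if password.upper() in ORACLE_RESERVED:
        problems.append("must not be an Oracle reserved word")
    if password.lower() in OBVIOUS_WORDS:
        problems.append("must not be an obvious word")
    # Assumption: "repeating characters" means the same character twice in a row.
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("must not contain repeating characters")
    return problems


def normalize_sso_username(name: str) -> str:
    """Validate an SSO user name and return it the way AVDF stores it (uppercase)."""
    if SSO_NAME_RE.fullmatch(name) is None:
        raise ValueError("SSO user name has a disallowed character or exceeds 127 characters")
    return name.upper()
```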

4.1.4 Viewing the Status of Auditor User Accounts

Learn how to view the status of auditor user accounts.

As a super auditor, you can view the status of auditor accounts by clicking the Settings tab. The Manage Auditors page lists all auditor and super auditor accounts, their status, and password expiry dates.

4.1.5 Managing User Access to Targets or Groups

Learn to manage user access to targets and target groups.

4.1.5.1 About Managing User Access

Learn about managing user access.

Super auditors have access to all targets and target groups, and can grant access to specific targets and groups to auditors.

You can control access to targets or groups in two ways:

  • Modify a target or group to grant or revoke access for one or more users.

  • Modify a user account to grant or revoke access to one or more targets or groups.

4.1.5.2 Controlling Access by User

Learn about controlling user access to targets.

To control which targets or groups are accessible by a user:

  1. Log in to the Audit Vault Server console as a super auditor.
  2. Click Settings. The Manage Auditors page displays existing users and the targets or groups to which they have access.
  3. Click the name of the user account that you want to modify.

    The Modify Auditor page appears.

  4. In the Targets & Target Groups section:
  5. Click Save.

4.1.5.3 Controlling Access by Target or Group

Learn about controlling access to targets or target groups.

To control which users have access to a target or group:

  1. Log in to the Audit Vault Server console as a super auditor.
  2. Click the Targets tab.
  3. Click the Access Rights tab in the left navigation menu.
  4. Click the name of the target or target group for which you want to redefine access rights.

    The Modify Access dialog for the specific target or group appears. It lists the user access rights to the target or group. Super auditors have access by default.

  5. In the Modify Access dialog, select the users for which you want to grant or revoke access to this target or group.
  6. Click Save.

4.1.6 Changing a User Account Type

Learn how to change auditor user account type.

You can change an auditor account type between Readonly Auditor, Auditor, and Super Auditor. If a user's account type is changed from Auditor or Readonly Auditor to Super Auditor, that user will have access to all targets and target groups. A user can only be assigned one auditor account type at a time.

To change a user account type in Oracle Audit Vault and Database Firewall:

  1. Log in to the Audit Vault Server console as a super auditor.

  2. Click the Settings tab.

    The Manage Auditors page appears by default, and displays existing users and the targets or groups to which they have access.

  3. Click the name of the user account you want to change.

  4. In the Modify Auditor dialog, click the edit icon next to the Type field.

  5. In the Type drop-down list, select the new auditor type.

  6. If you changed the type from Super Auditor to Auditor or Readonly Auditor, grant or revoke access to any targets or groups as necessary for this user.

  7. Click Save.

4.1.7 Changing the Auditor Password

Learn how to change the password of an auditor.

Auditors can change their own password. A Super Auditor can also change the password of other auditors. If a Super Auditor changes the password of another auditor, then the password automatically expires immediately after it is changed.

4.1.7.1 Changing Your Own Password

You can change your own password any time.

  1. Log in to the Audit Vault Server console as an auditor.
  2. In the upper right corner, to the right of your login name, select the menu icon.
  3. Select Change Password from this menu.
  4. In the Change Password window, enter the following fields:
    1. Current Password
    2. New Password
    3. Re-enter New Password
  5. Click Save.

4.1.7.2 Changing the Password of Another Auditor

Learn how to change the password of another auditor as a Super Auditor.

A Super Auditor can change the passwords of other auditors. However, the password automatically expires immediately after it is changed by the Super Auditor. The auditor must follow the instructions in the topic Changing the Expired Password of an Auditor.

  1. Log in to the Audit Vault Server as Super Auditor.
  2. Click the Settings tab. The Manage Auditors tab in the left navigation menu is selected by default.
  3. Under Manage Auditors, click the name of the auditor whose password you want to change.
  4. In the Modify Auditor window, click Change Password.
  5. In the Change Password window, enter the following fields:
    1. New Password
    2. Re-enter New Password
  6. Click Save.

4.1.7.3 Changing the Expired Password of an Auditor

Your password might be expired if a Super Auditor changes your password, or if it passes the password expiry date.

For Oracle AVDF release 20.4 or earlier, follow these steps:

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the dvaccountmgr user.

    su - dvaccountmgr
  3. Start SQL*Plus without the user name and password.

    sqlplus /
  4. If the account is locked, run the following command to unlock the account:

    alter user <username> account unlock;
  5. Run the following command to change the password:

    alter user <username> identified by <new_password>;

For Oracle AVDF release 20.5 or later, follow these steps:

  1. Log in to AVCLI with your auditor user name.
  2. AVCLI prompts to enter the password. Enter the expired password.

    The following message is displayed:

    The password has expired. Enter the new password:

  3. Enter the new password of your choice. Follow the password requirements.

    The following message is displayed:

    Re-enter password:

  4. Re-enter the new password.
  5. If the following message is displayed, then you have successfully logged in to AVCLI with the new password, and your account is active again:

    Connected to:
            Oracle Audit Vault Server - Version : 20.x.0.0.0


    Note:

    If you fail to log in 3 or more times, your account is locked. Unlock your account and then retry the steps above.

4.1.8 Deleting an Auditor Account

As a Super Auditor, you can delete any auditor account except the last Super Auditor.

  1. Log in to the Audit Vault Server console as a Super Auditor.
  2. Click the Settings tab.

    The Manage Auditors page appears by default, and displays existing users and the targets or groups to which they have access.

  3. Select the users you want to delete, and then click Delete.

4.2 Creating Templates and Distribution Lists for Email Notifications

Email templates and notifications help auditors to notify other users automatically about audit-related events.

4.2.1 About Email Notifications and Templates

You can configure Oracle Audit Vault and Database Firewall alerts to trigger an email when an alert is raised or a report is generated.

For example, you can create an alert that is triggered every time a connection is made by an application shared schema account outside of the application (for example, APPS or SYSADM). When the user tries to log in, Oracle AVDF sends an email to two administrators warning them about misuse of the application account.

To accomplish this, you must create an email distribution list that defines who will receive the email, and then create an email template that contains a message. You select the template to be used for email notification when you define the alert rule.

4.2.2 Creating or Modifying an Email Distribution List

You can create an email distribution list for specific notification purposes, that is, a list of email addresses that will receive a notification.

You can specify a distribution list when notifying other users about alerts or reports.

  1. Log in to the Audit Vault Server console as an auditor.

    Note:

    • An auditor can create, modify, and delete email distribution lists that the same auditor originally created. This applies after upgrading to Oracle Audit Vault and Database Firewall 12.2.0.8.0 or later.

    • Email distribution lists that were created before the upgrade to Oracle Audit Vault and Database Firewall 12.2.0.8.0 can be modified or deleted by a super auditor.

  2. Select the Settings tab.
  3. From the left navigation menu, click Distribution Lists.

    The Distribution Lists page displays existing lists, which you can modify or delete.

  4. Click Create to add a new list. Or click a list name to modify it, and then define the list as follows:
    • Name - Enter a name for the distribution list.

    • To - Enter the email addresses, separated by commas, that appear on the To line of notifications using this list.

      Note:

      Starting in Oracle AVDF 20.11, the To and CC fields are combined into the required Email addresses field. Enter the email addresses, separated by a comma or semicolon, to be added to the list.
    • CC - (Optional) Enter the email addresses, separated by commas, that appear on the CC line of notifications using this list.

      Note:

      Starting in Oracle AVDF 20.11, the To and CC fields are combined into the required Email addresses field. Enter the email addresses, separated by a comma or semicolon, to be added to the list.
    • Description - (Optional) Enter a description of this list.

    • Set as default - (Optional) Starting in Oracle AVDF 20.11, users can select this box to set this distribution list to be the default list for future email notifications for Alert Policies.
  5. Click Save.

    The new list appears in the Distribution Lists page. From there, you can modify or delete distribution lists as necessary.

4.2.3 Creating or Modifying an Email Template

An email template enables you to specify the content of an email notification that is triggered by an alert or a report being generated.

  1. Log in to the Audit Vault Server console as an auditor.

    Note:

    • An auditor can create, modify, and delete email templates that the same auditor originally created. This applies after upgrading to Oracle Audit Vault and Database Firewall 12.2.0.8.0 or later.

    • Email templates that were created before the upgrade to Oracle Audit Vault and Database Firewall 12.2.0.8.0 can be modified or deleted by a super auditor.

  2. Click the Settings tab.

  3. From the left navigation menu, click Email Templates.

    The Email Templates page displays a list of existing email templates, which you can modify or delete. Some of these templates are predefined.

  4. Click Create to create a new template, or click the name of an existing template to modify it.

  5. Specify a Name.

  6. Select the template Type:

    • Alert: Creates an email template used for alert notifications.

    • Report Attachment: Creates an email template used for report notifications, and attaches a PDF of the report to the email.

    • Report Notification: Creates an email template used for report notifications, but does not attach the PDF file of the report.

  7. Enter or select the desired values for Format and Description for the email template.

  8. Use the available tags displayed on the right as building blocks for the Subject and Body of the email.

    The available tags depend on the type of notification. Table 4-1 and Table 4-2 explain the tags in detail.

    You can either click the tag name to transfer it to the template, or copy and paste the tag name to appear in either the Subject or Body of the template.

  9. Select the appropriate and available options in the Event Information section.

  10. Click Save.

    After you create a new template, it is listed in the Email Templates page. From there, you can modify or delete templates as necessary.

If the Email Templates page shows separate pre-defined and user-defined template sections, follow these steps instead:

  1. Log in to the Audit Vault Server console as an auditor.

    Note:

    • An auditor can create, modify, and delete email templates that the same auditor originally created. This applies after upgrading to Oracle Audit Vault and Database Firewall 12.2.0.8.0 or later.

    • Email templates that were created before the upgrade to Oracle Audit Vault and Database Firewall 12.2.0.8.0 can be modified or deleted by a super auditor.

  2. Click the Settings tab.

  3. From the left navigation menu, click Email Templates.

    The Email Templates page displays two sections: a list of pre-defined email templates and a list of user-defined email templates. You can copy a pre-defined email template into the user-defined section and then modify the copy as desired. A pre-defined email template remains the default until you create a user-defined email template and set it as the default.

  4. To enable the Copy button, select a single template by checking the checkbox. Once a single template is selected, the Copy button will be clickable.

  5. Click Copy to create a new user-defined template based on the selected pre-defined one, or click the name of an existing template to view its contents.

  6. The copied template will be named "Copy of [Original Template Name]." Edit the Name as desired.

  7. The Type of the copied template will be automatically set based on the original template. Below are the template Types:

    • Alert: Creates an email template used for alert notifications.

    • Report Attachment: Creates an email template used for report notifications, and attaches a PDF of the report to the email.

    • Report Notification: Creates an email template used for report notifications, but does not attach the PDF file of the report.

  8. Optionally, add a Description for the new user-defined email template.

  9. Optionally, click Set as default if you would like the newly created template to be your default email template.

  10. Click Copy.

    After you create a new template, it is listed in the User-defined email templates section of the Email Templates page.

    From there, you can click the name of the template to modify its details. This includes modifying the above information as well as the following:
    1. You can modify the Format of the template to either be Plain Text or HTML.

    2. When your cursor is within the Body field, use the available tags displayed on the right as building blocks for the Body of the email.

      The available tags depend on the type of notification. Table 4-1 and Table 4-2 explain the tags in detail.

      You can either click the tag name to transfer it to the template, or copy and paste the tag name to appear in the Body of the template.

    3. Select the appropriate and available options in the Event Information section.

    Additionally, if you click the checkbox for a user-defined email template, the Copy, Delete, and Set as default buttons become clickable.

Table 4-1 lists the available tags for alert notification templates.

Table 4-1 Tags Available for Alert Notification Email Templates

  Alert Tag Name    Description
  #AlertBody#       A special tag that is used as a shortcut to include all the available tags in the email
  #AlertID#         The ID of the alert
  #AlertName#       Name of the alert
  #AlertTime#       Time the event causing the alert was created
  #AlertSeverity#   Severity of the alert (Critical or Warning)
  #AlertStatus#     Status of the alert (for example, New, Open, or Closed)
  #Description#     Description of the alert
  #URL#             URL of the alert

Table 4-2 lists the available tags for report notification templates.

Table 4-2 Tags Available for Report Attachment or Report Notification Email Templates

  Report Tag Name   Description
  #ReportName#      Name of the report
  #DateCreated#     Date and time the report was generated
  #ReportCategory#  Report Category name, such as "Access Reports"
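The following is an added example, not Oracle's code, that expands the #Tag# placeholders from Table 4-1 and Table 4-2 into an email body and reports any tag that could not be resolved, which is a quick way to validate a template for the wrong notification type. The one-line-per-tag layout used for #AlertBody#, the HTML escaping of field values for HTML-format templates, and the sample alert and report data are all assumptions.

```python
"""Expand AVDF-style #Tag# placeholders in an alert or report email template."""
import html
import re

ALERT_TAGS = ["AlertID", "AlertName", "AlertTime", "AlertSeverity",
              "AlertStatus", "Description", "URL"]
REPORT_TAGS = ["ReportName", "DateCreated", "ReportCategory"]
TAG_RE = re.compile(r"#([A-Za-z]+)#")

# Constructed sample data, not real AVDF output.
SAMPLE_ALERT = {
    "AlertID": 42, "AlertName": "Shared schema login",
    "AlertTime": "2024-01-01 09:15:00", "AlertSeverity": "Critical",
    "AlertStatus": "New",
    "Description": "Login as APPS from outside the application",
    "URL": "https://avs.example/alert/42",
}
SAMPLE_REPORT = {"ReportName": "Activity Overview",
                 "DateCreated": "2024-01-01 10:00:00",
                 "ReportCategory": "Access Reports"}


def render(template: str, values: dict, template_type: str,
           html_format: bool = False) -> str:
    """Substitute the tags valid for template_type; unknown tags are left intact."""
    tags = ALERT_TAGS if template_type == "Alert" else REPORT_TAGS

    def fmt(name: str) -> str:
        text = str(values.get(name, ""))
        # Field values come from audited activity, so escape them for HTML templates.
        return html.escape(text) if html_format else text

    if template_type == "Alert":
        # #AlertBody# is the shortcut for all alert tags (assumed one-per-line layout).
        body = "\n".join(f"{t}: {fmt(t)}" for t in ALERT_TAGS)
        template = template.replace("#AlertBody#", body)

    def sub(match: re.Match) -> str:
        name = match.group(1)
        if name in tags and name in values:
            return fmt(name)
        return match.group(0)  # leave it visible so the template can be corrected

    return TAG_RE.sub(sub, template)


def unresolved_tags(rendered: str) -> list:
    """Tags still present after rendering, e.g. a report tag in an Alert template."""
    return sorted(set(TAG_RE.findall(rendered)))
```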

4.3 Creating Alert Syslog Templates

Oracle Audit Vault and Database Firewall provides a default template for Oracle Audit Vault and Database Firewall alerts sent to syslog.

If you do not want to use the default template, you can create your own alert syslog templates, and select one to use as the default instead. Using your own template lets you add more information to alert syslog messages.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Settings tab, and then click Alert Syslog Templates in the left navigation menu.
  3. In the Alert Syslog Templates page, click Create.
  4. In the Create Alert Syslog Template page, enter a Name for the new template, and optionally enter the Description.
  5. Select the Event Information that you want to include in syslog alerts from Oracle Audit Vault and Database Firewall.

    The alert syslog message will be formatted as a list of event records containing all fields you select in the template. The short event name (shown in parentheses) will be used.

    If you include Error Message (EM) in the syslog payload, the syslog message becomes longer and some data may be truncated.

  6. If you want to make this the default template, then select Save as default template under Other options.

    The default alert syslog template is used for all Oracle Audit Vault and Database Firewall alert syslog messages.

  7. Click Save.

4.4 Viewing Monitoring Point and Audit Trail Status

You can view a listing of either the monitoring point status or the audit trail status.

4.4.1 Viewing Monitoring Point Status

Any auditor can view the Database Firewall monitoring points that have been configured for all the target databases.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Targets tab.
  3. Click the Database Firewall Monitoring tab in the left navigation menu.

    This page lists all of the targets, Database Firewall instances, and the status.

  4. The current status of the monitoring point is listed in the Database Firewall Monitoring Status column.

4.4.2 Viewing Audit Trail Status

Any auditor can view a list of all audit trails collected for the targets.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Targets tab.
  3. Click the Audit Trails tab in the left navigation menu.

    This page lists all the audit trails for all the targets in a table with the collection status.

  4. Optionally, click a column title to sort by the available options.

4.5 Monitoring Jobs

You can see the status of Audit Vault Server jobs, such as report generation, user entitlement retrieval, or audit policy retrieval from targets.

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Settings tab.
  3. Click the Jobs tab in the left navigation menu.

    A list of jobs is displayed, showing the job type, status, timestamp, and associated user name. To see details for an individual job, click the icon to the left of the specific job.