Ability to Prevent Local Oracle Database Vault Policies from Blocking Common Operations
Starting with this release, a DV_OWNER common user in the CDB root can prevent local users from creating Oracle Database Vault controls on common objects in a pluggable database (PDB).
In previous releases, in a multitenant environment, a local Oracle Database Vault user could create Database Vault policies that could potentially block application or common operations. Blocking common users from common operations can prevent the execution of SQL commands that are necessary for managing the application or the CDB database. To prevent this situation, a user who has the DV_OWNER role in the root can execute the DBMS_MACADM.ALLOW_COMMON_OPERATION procedure to control whether local PDB users can create Database Vault controls on common users' objects (database or application).
Practice: Preventing Local Users from Blocking Common Operations - Realms
This practice shows how to prevent local users from creating Oracle Database Vault controls on common users' objects, which would prevent common users from accessing local data in their own schema in PDBs. A PDB local Database Vault Owner can create a realm around common Oracle schemas such as DVSYS or CTXSYS and prevent them from functioning correctly. For the purposes of this practice, the C##TEST1 custom schema is created in the CDB root to show this feature.
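The following SQL*Plus script is an added, constructed example (not part of this practice or of Oracle's documentation) that puts the procedure described above beside the realm scenario of this practice: the CDB-root DV_OWNER sets the common-operation switch, checks it, and a local PDB DV_OWNER then attempts the realm around C##TEST1 that the switch is meant to block. The account names, the PDB name, the DBA_DV_COMMON_OPERATION_STATUS view, and the single BOOLEAN argument (TRUE meaning local controls on common objects are refused) are assumptions to verify against the DBMS_MACADM reference for your release.

```sql
-- Constructed example: CDB-root DV_OWNER protects common objects from
-- local Database Vault controls, then a local DV_OWNER tests the boundary.
-- ASSUMED: account names, PDB name, the status view and the BOOLEAN
-- argument semantics; confirm them in your release's DBMS_MACADM reference.

-- Step 1: in the CDB root, as a common user holding DV_OWNER.
CONNECT c##dv_owner@cdb_root          -- hypothetical common DV_OWNER account

-- Weak posture: a local PDB DV_OWNER may wrap DVSYS, CTXSYS or C##TEST1
-- in a realm and break common operations (the pre-release behaviour).
EXEC DBMS_MACADM.ALLOW_COMMON_OPERATION(FALSE);

-- Hardened posture: local users can no longer create Database Vault
-- controls on common users' objects in any PDB.
EXEC DBMS_MACADM.ALLOW_COMMON_OPERATION(TRUE);

-- Verify the current setting (view name assumed; check your release).
SELECT * FROM DBA_DV_COMMON_OPERATION_STATUS;

-- Step 2: in a PDB, as the local Database Vault Owner, attempt the
-- realm that this practice warns about. With the hardened setting in
-- place this block is expected to be rejected by Database Vault; with the
-- weak setting it succeeds and C##TEST1 loses access to its own objects.
CONNECT pdb_dv_owner@pdb1             -- hypothetical local DV_OWNER in PDB1

BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Local realm on C##TEST1',
    description   => 'Constructed test: local control on a common schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);                -- mandatory realm: blocks the owner too
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Local realm on C##TEST1',
    object_owner => 'C##TEST1',         -- common schema created in CDB root
    object_name  => '%',
    object_type  => '%');
END;
/
```

Run Step 2 under both settings in a test environment to see the difference; the audit trail for the rejected attempt is the evidence that local policies can no longer reach common objects.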
Practice: Preventing Local Users from Blocking Common Operations - Command Rules
This practice shows how to prevent local users from creating Oracle Database Vault controls on common users, which would prevent those users from performing commands on their own objects or even from logging in to the PDB in which their objects reside.