24 Oracle Database Vault API Reference
Oracle Database Vault provides a rich set of APIs, both in PL/SQL packages and in standalone procedures.
- DBMS_MACADM PL/SQL Package Contents
TheDBMS_MACADM
package enables you to configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies. - DBMS_MACSEC_ROLES PL/SQL Package Contents
TheDBMS_MACSEC_ROLES
package enables you to check and set Oracle Database Vault secure application roles. - DBMS_MACUTL PL/SQL Package Contents
TheDBMS_MACUTL
PL/SQL package defines constants and utility methods that are commonly used by other Oracle Database Vault packages, such as error handling. - CONFIGURE_DV PL/SQL Procedure
TheCONFIGURE_DV
configures the initial two Oracle Database user accounts, which are granted theDV_OWNER
andDV_ACCTMGR
roles, respectively. - DVF PL/SQL Interface Contents
TheDVF
schema provides a set of factor-related PL/SQL functions.
24.1 DBMS_MACADM PL/SQL Package Contents
The DBMS_MACADM
package enables you to configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies.
The DBMS_MACADM
package is available only for users who have been granted the DV_ADMIN
or DV_OWNER
role.
DBMS_MACADM Realm Procedures
Table 24-1 lists the realm procedures in the DBMS_MACADM
package.
Table 24-1 DBMS_MACADM Realm Procedures
Procedure | Description |
---|---|
|
Authorizes a user or role to access a realm as an owner or a participant |
|
Registers a set of objects for realm protection |
|
Creates a realm |
|
Removes the authorization of a user or role to access a realm |
|
Removes a set of objects from realm protection |
|
Deletes a realm, including its related Database Vault configuration information that specifies who is authorized and what objects are protected |
|
Deletes a realm, including its related Database Vault configuration information that specifies who is authorized and what objects are protected |
|
Renames a realm. The name change takes effect everywhere the realm is used. |
|
Updates a realm |
|
Updates the authorization of a user or role to access a realm |
DBMS_MACADM Rule Set and Rule Procedures
Table 24-2 lists the rule set and rule procedures in the DBMS_MACADM
package.
Table 24-2 DBMS_MACADM Rule Set and Rule Procedures
Procedure | Description |
---|---|
|
Creates a rule set |
|
Renames a rule set. The name change takes effect everywhere the rule set is used. |
|
Deletes a rule from a rule set |
|
Deletes a rule set |
|
Updates a rule set |
|
Creates a rule |
|
Adds a rule to a rule set |
|
Deletes a rule |
|
Renames a rule. The name change takes effect everywhere the rule is used. |
|
Updates a rule |
DBMS_MACADM Command Rule Procedures
Table 24-3 lists the command rule procedures in the DBMS_MACADM
package.
Table 24-3 DBMS_MACADM Command Rule Procedures
Procedure | Description |
---|---|
|
Creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set |
|
Creates a CONNECT command rule |
|
Creates a session event command rule, using the ALTER SESSION SQL statement |
|
Creates a system event command rule, using the ALTER SYSTEM SQL statement |
|
Drops a command rule declaration |
|
Drops a CONNECT command rule declaration |
|
Drops a SESSION_EVENT_CMD command rule declaration |
|
Drops a SYSTEM_EVENT_CMD command rule declaration |
|
Updates a command rule declaration |
|
Updates a CONNECT command rule declaration |
|
Updates a SESSION_EVENT_CMD command rule declaration |
|
Updates a SYSTEM_EVENT_CMD command rule declaration |
DBMS_MACADM Factor Procedures and Functions
lists the factor procedures and functions in the DBMS_MACADM
package.
Table 24-4 DBMS_MACADM Factor Procedures and Functions
Procedure or Function | Description |
---|---|
|
Specifies a parent-child relationship for two factors |
|
Specifies that the label for a factor contributes to the Oracle Label Security label for a policy. |
|
Associates an identity with a different factor |
|
Updates the value of an identity |
|
Adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy. |
|
Creates a factor |
|
Creates a factor type |
|
Creates an identity |
|
Defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors) |
|
Deletes a factor |
|
Removes a parent-child relationship for two factors |
|
Deletes a factor type |
|
Removes an identity |
|
Removes an identity map from a factor |
|
Removes an Oracle RAC database node from a domain |
|
Returns information from the |
|
Returns information from the |
|
Renames a factor. The name change takes effect everywhere the factor is used. |
|
Renames a factor type. The name change takes effect everywhere the factor type is used. |
|
Updates a factor |
|
Updates the description of a factor type |
|
Updates the trust level of a factor identity |
DBMS_MACADM Secure Application Role Procedures
Table 24-5 lists the secure application role procedures in the DBMS_MACADM
package.
Table 24-5 DBMS_MACADM Secure Application Role Procedures
Procedure | Description |
---|---|
|
Creates an Oracle Database Vault secure application role |
|
Deletes an Oracle Database Vault secure application role |
|
Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used. |
|
Unassigns an Oracle Database Vault secure application role from a user |
|
Updates a Oracle Database Vault secure application role |
DBMS_MACADM Oracle Label Security Procedures
Table 24-6 lists the Oracle Label Security procedures in the DBMS_MACADM
package.
Table 24-6 DBMS_MACADM Oracle Label Security Procedures
Procedure | Description |
---|---|
|
Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label |
|
Labels an identity within an Oracle Label Security policy |
|
Deletes all Oracle Database Vault objects related to an Oracle Label Security policy. |
|
Removes the factor from contributing to the Oracle Label Security label |
|
Removes the label from an identity within an Oracle Label Security policy |
|
Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label |
DBMS_MACADM Database Vault Policy Procedures
Table 24-7 lists the Database Vault policy procedures in the DBMS_MACADM
package.
Table 24-7 DBMS_MACADM Database Vault Policy Procedures
Procedure | Description |
---|---|
|
Adds a command rule to a Database Vault policy |
|
Adds an owner to a Database Vault policy |
|
Adds a realm to a Database Vault policy |
|
Creates a Database Vault policy |
|
Deletes a command rule from a Database Vault policy |
|
Deletes an owner from a Database Vault policy |
|
Deletes a realm from a Database Vault policy |
|
Drops a Database Vault policy |
|
Renames a Database Vault policy |
|
Updates a Database Vault policy description |
|
Updates the enablement status of the a Database Vault policy |
DBMS_MACADM General Administrative Procedures
Table 24-8 lists the general administrative procedures in the DBMS_MACADM
package.
Table 24-8 DBMS_MACADM General Administrative Procedures
Procedure | Description |
---|---|
|
Adds a new language to Oracle Database Vault |
|
Authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled |
|
Grants a user authorization to execute data definition language (DDL) statements |
|
Grants a user authorization to perform Information Lifecycle Management (ILM) operations |
|
Grants a proxy user authorization to proxy other user accounts |
|
Authorizes a user to schedule database jobs when Oracle Database Vault is enabled |
|
Authorizes a user to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled |
|
Revokes the authorization that was granted by the |
|
Revokes authorization from a user who was granted authorization to execute DDL statements through the |
|
Revokes authorization to perform ILM operations |
|
Revokes authorization from a user who was granted proxy authorization from the |
|
Revokes authorization that was granted by the |
|
Revokes from authorization a user who had been granted authorization to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled |
|
Disables Oracle Database Vault |
|
Prevents users from logging into the |
|
Disables auditing of the |
|
Disables the use of the |
|
Enables Oracle Database Vault |
|
Enables users to log into the |
|
Enables auditing of the |
|
Enables the use of the |
Parent topic: Oracle Database Vault API Reference
24.2 DBMS_MACSEC_ROLES PL/SQL Package Contents
The DBMS_MACSEC_ROLES
package enables you to check and set Oracle Database Vault secure application roles.
This package is available to the general database account population.
Table 24-9 lists the contents of the DBMS_MACSEC_ROLES
package.
Table 24-9 DBMS_MACSEC_ROLES PL/SQL Package Contents
Procedure or Function | Description |
---|---|
|
Checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. Returns a |
|
Issues the |
Parent topic: Oracle Database Vault API Reference
24.3 DBMS_MACUTL PL/SQL Package Contents
The DBMS_MACUTL
PL/SQL package defines constants and utility methods that are commonly used by other Oracle Database Vault packages, such as error handling.
This package can be run by the general database account population. This allows for security developers to leverage the constants in scripted configuration files. Utility methods such as USER_HAS_ROLE
can also be used in Oracle Database Vault rules.
Table 24-10 lists the DBMS_MACUTL
package contents.
Table 24-10 DBMS_MACUTL PL/SQL Package Contents
Procedure or Function | Description |
---|---|
|
Verifies that public-packages are not being bypassed by users updating the Oracle Database Vault configuration |
|
Looks up the value for a code within a code group. |
|
Returns the seconds in Oracle SS format (00-59). Useful for rule expressions based on time data |
|
Returns the minute in Oracle MI format (00–59). Useful for rule expressions based on time data |
|
Returns the month in Oracle HH24 format (00–23). Useful for rule expressions based on time data |
|
Returns the day in Oracle DD format (01–31). Useful for rule expressions based on time data |
|
Returns the month in Oracle MM format (01–12). Useful for rule expressions based on time data |
|
Returns the year in Oracle YYYY format (0001–9999). Useful for rule expressions based on time data |
|
Checks whether the character is alphabetic |
|
Checks whether the character is numeric |
|
Determines whether a user is authorized to manage the Oracle Database Vault configuration |
|
Returns an indicator regarding whether Oracle Label Security is installed |
|
Returns an indicator regarding whether Oracle Label Security is installed |
|
Checks whether a user has a role privilege, directly or indirectly (through another role) |
|
Checks whether a user has a role privilege, directly or indirectly (through another role) |
|
Checks whether a user has a system privilege, directly or indirectly (through a role) |
Parent topic: Oracle Database Vault API Reference
24.4 CONFIGURE_DV PL/SQL Procedure
The CONFIGURE_DV
configures the initial two Oracle Database user accounts, which are granted the DV_OWNER
and DV_ACCTMGR
roles, respectively.
This procedure is used as part of the registration process for Oracle Database Vault with an Oracle database. You only need to use it once for the database instance.
Parent topic: Oracle Database Vault API Reference
24.5 DVF PL/SQL Interface Contents
The DVF
schema provides a set of factor-related PL/SQL functions.
The functions are then available to the general database account population through PL/SQL functions and standard SQL.
Table 24-11 lists the DVF
factor functions.
Table 24-11 DVF PL/SQL Interface Contents
Function | Description |
---|---|
|
Returns the IP address of the computer from which the client is connected |
|
Returns the domain of the database as specified in the |
|
Returns the host name of the computer on which the database instance is running |
|
Returns the database instance identification number of the current database instance |
|
Returns the IP address of the computer on which the database instance is running |
|
Returns the name of the database as specified in the |
|
Returns a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level |
|
Returns the enterprise-wide identity for a user |
|
Returns the way the schema of a user was created in the database. Specifically, it reflects the |
|
Returns the ISO abbreviation for the language name, a shorter form than the existing |
|
Returns the language and territory currently used by your session, in |
|
Returns the computer (host) name for the database client that established the database session. |
|
Returns the network protocol being used for communication, as specified in the |
|
Returns the Oracle Internet Directory distinguished name (DN) when the proxy user is an enterprise user |
|
Returns the database user name by which the current user is authenticated |
Parent topic: Oracle Database Vault API Reference