24 Oracle Database Vault API Reference

Oracle Database Vault provides a rich set of APIs, both in PL/SQL packages and in standalone procedures.

24.1 DBMS_MACADM PL/SQL Package Contents

The DBMS_MACADM package enables you to configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies.

The DBMS_MACADM package is available only for users who have been granted the DV_ADMIN or DV_OWNER role.

DBMS_MACADM Realm Procedures

Table 24-1 lists the realm procedures in the DBMS_MACADM package.

Table 24-1 DBMS_MACADM Realm Procedures

Procedure Description

ADD_AUTH_TO_REALM procedure

Authorizes a user or role to access a realm as an owner or a participant

ADD_OBJECT_TO_REALM procedure

Registers a set of objects for realm protection

CREATE_REALM procedure

Creates a realm

DELETE_AUTH_FROM_REALM procedure

Removes the authorization of a user or role to access a realm

DELETE_OBJECT_FROM_REALM procedure

Removes a set of objects from realm protection

DELETE_REALM procedure

Deletes a realm, including its related Database Vault configuration information that specifies who is authorized and what objects are protected

DELETE_REALM_CASCADE procedure

Deletes a realm, including its related Database Vault configuration information that specifies who is authorized and what objects are protected

RENAME_REALM procedure

Renames a realm. The name change takes effect everywhere the realm is used.

UPDATE_REALM procedure

Updates a realm

UPDATE_REALM_AUTH procedure

Updates the authorization of a user or role to access a realm

DBMS_MACADM Rule Set and Rule Procedures

Table 24-2 lists the rule set and rule procedures in the DBMS_MACADM package.

Table 24-2 DBMS_MACADM Rule Set and Rule Procedures

Procedure Description

CREATE_RULE_SET procedure

Creates a rule set

RENAME_RULE_SET procedure

Renames a rule set. The name change takes effect everywhere the rule set is used.

DELETE_RULE_FROM_RULE_SET procedure

Deletes a rule from a rule set

DELETE_RULE_SET procedure

Deletes a rule set

UPDATE_RULE_SET procedure

Updates a rule set

CREATE_RULE procedure

Creates a rule

ADD_RULE_TO_RULE_SET procedure

Adds a rule to a rule set

DELETE_RULE procedure

Deletes a rule

RENAME_RULE procedure

Renames a rule. The name change takes effect everywhere the rule is used.

UPDATE_RULE procedure

Updates a rule

DBMS_MACADM Command Rule Procedures

Table 24-3 lists the command rule procedures in the DBMS_MACADM package.

Table 24-3 DBMS_MACADM Command Rule Procedures

Procedure Description

CREATE_COMMAND_RULE procedure

Creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set

CREATE_CONNECT_COMMAND_RULE procedure

Creates a CONNECT command rule

CREATE_SESSION_EVENT_CMD_RULE procedure

Creates a session event command rule, using the ALTER SESSION SQL statement

CREATE_SYSTEM_EVENT_CMD_RULE procedure

Creates a system event command rule, using the ALTER SYSTEM SQL statement

DELETE_COMMAND_RULE procedure

Drops a command rule declaration

DELETE_CONNECT_COMMAND_RULE procedure

Drops a CONNECT command rule declaration

DELETE_SESSION_EVENT_CMD_RULE procedure

Drops a SESSION_EVENT_CMD command rule declaration

DELETE_SYSTEM_EVENT_CMD_RULE procedure

Drops a SYSTEM_EVENT_CMD command rule declaration

UPDATE_COMMAND_RULE procedure

Updates a command rule declaration

UPDATE_CONNECT_COMMAND_RULE procedure

Updates a CONNECT command rule declaration

UPDATE_SESSION_EVENT_CMD_RULE procedure

Updates a SESSION_EVENT_CMD command rule declaration

UPDATE_SYSTEM_EVENT_CMD_RULE procedure

Updates a SYSTEM_EVENT_CMD command rule declaration

DBMS_MACADM Factor Procedures and Functions

lists the factor procedures and functions in the DBMS_MACADM package.

Table 24-4 DBMS_MACADM Factor Procedures and Functions

Procedure or Function Description

ADD_FACTOR_LINK procedure

Specifies a parent-child relationship for two factors

ADD_POLICY_FACTOR procedure

Specifies that the label for a factor contributes to the Oracle Label Security label for a policy.

CHANGE_IDENTITY_FACTOR procedure

Associates an identity with a different factor

CHANGE_IDENTITY_VALUE procedure

Updates the value of an identity

CREATE_DOMAIN_IDENTITY procedure

Adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.

CREATE_FACTOR procedure

Creates a factor

CREATE_FACTOR_TYPE procedure

Creates a factor type

CREATE_IDENTITY procedure

Creates an identity

CREATE_IDENTITY_MAP procedure

Defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors)

DELETE_FACTOR procedure

Deletes a factor

DELETE_FACTOR_LINK procedure

Removes a parent-child relationship for two factors

DELETE_FACTOR_TYPE procedure

Deletes a factor type

DELETE_IDENTITY procedure

Removes an identity

DELETE_IDENTITY_MAP procedure

Removes an identity map from a factor

DROP_DOMAIN_IDENTITY procedure

Removes an Oracle RAC database node from a domain

GET_INSTANCE_INFO function

Returns information from the SYS.V_$INSTANCE system table about the current database instance; returns a VARCHAR2 value

GET_SESSION_INFO function

Returns information from the SYS.V_$SESSION system table for the current session; returns a VARCHAR2 value

RENAME_FACTOR procedure

Renames a factor. The name change takes effect everywhere the factor is used.

RENAME_FACTOR_TYPE procedure

Renames a factor type. The name change takes effect everywhere the factor type is used.

UPDATE_FACTOR procedure

Updates a factor

UPDATE_FACTOR_TYPE procedure

Updates the description of a factor type

UPDATE_IDENTITY procedure

Updates the trust level of a factor identity

DBMS_MACADM Secure Application Role Procedures

Table 24-5 lists the secure application role procedures in the DBMS_MACADM package.

Table 24-5 DBMS_MACADM Secure Application Role Procedures

Procedure Description

CREATE_ROLE procedure

Creates an Oracle Database Vault secure application role

DELETE_ROLE procedure

Deletes an Oracle Database Vault secure application role

RENAME_ROLE procedure

Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.

UNASSIGN_ROLE procedure

Unassigns an Oracle Database Vault secure application role from a user

UPDATE_ROLE procedure

Updates a Oracle Database Vault secure application role

DBMS_MACADM Oracle Label Security Procedures

Table 24-6 lists the Oracle Label Security procedures in the DBMS_MACADM package.

Table 24-6 DBMS_MACADM Oracle Label Security Procedures

Procedure Description

CREATE_MAC_POLICY procedure

Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label

CREATE_POLICY_LABEL procedure

Labels an identity within an Oracle Label Security policy

DELETE_MAC_POLICY_CASCADE procedure

Deletes all Oracle Database Vault objects related to an Oracle Label Security policy.

DELETE_POLICY_FACTOR procedure

Removes the factor from contributing to the Oracle Label Security label

DELETE_POLICY_LABEL procedure

Removes the label from an identity within an Oracle Label Security policy

UPDATE_MAC_POLICY procedure

Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label

DBMS_MACADM Database Vault Policy Procedures

Table 24-7 lists the Database Vault policy procedures in the DBMS_MACADM package.

Table 24-7 DBMS_MACADM Database Vault Policy Procedures

Procedure Description

ADD_CMD_RULE_TO_POLICY procedure

Adds a command rule to a Database Vault policy

ADD_OWNER_TO_POLICY procedure

Adds an owner to a Database Vault policy

ADD_REALM_TO_POLICY procedure

Adds a realm to a Database Vault policy

CREATE_POLICY procedure

Creates a Database Vault policy

DELETE_CMD_RULE_FROM_POLICY procedure

Deletes a command rule from a Database Vault policy

DELETE_OWNER_FROM_POLICY procedure

Deletes an owner from a Database Vault policy

DELETE_REALM_FROM_POLICY procedure

Deletes a realm from a Database Vault policy

DROP_POLICY procedure

Drops a Database Vault policy

RENAME_POLICY procedure

Renames a Database Vault policy

UPDATE_POLICY_DESCRIPTION procedure

Updates a Database Vault policy description

UPDATE_POLICY_STATE procedure

Updates the enablement status of the a Database Vault policy

DBMS_MACADM General Administrative Procedures

Table 24-8 lists the general administrative procedures in the DBMS_MACADM package.

Table 24-8 DBMS_MACADM General Administrative Procedures

Procedure Description

ADD_NLS_DATA procedure

Adds a new language to Oracle Database Vault

AUTHORIZE_DATAPUMP_USER procedure

Authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled

AUTHORIZE_DDL procedure

Grants a user authorization to execute data definition language (DDL) statements

AUTHORIZE_MAINTENANCE_USER procedure

Grants a user authorization to perform Information Lifecycle Management (ILM) operations

AUTHORIZE_PROXY_USER procedure

Grants a proxy user authorization to proxy other user accounts

AUTHORIZE_SCHEDULER_USER procedure

Authorizes a user to schedule database jobs when Oracle Database Vault is enabled

AUTHORIZE_TTS_USER procedure

Authorizes a user to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled

UNAUTHORIZE_DATAPUMP_USER procedure

Revokes the authorization that was granted by the DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure

UNAUTHORIZE_DDL procedure

Revokes authorization from a user who was granted authorization to execute DDL statements through the DBMS_MACDM.AUTHORIZE_DDL procedure

UNAUTHORIZE_MAINTENANCE_USER procedure

Revokes authorization to perform ILM operations

UNAUTHORIZE_PROXY_USER procedure

Revokes authorization from a user who was granted proxy authorization from the DBMS_MACADM.AUTHORIZE_PROXY_USER procedure

UNAUTHORIZE_SCHEDULER_USER procedure

Revokes authorization that was granted by the DBMS_MACADM.AUTHORIZE_SCHEDULER_USER procedure

UNAUTHORIZE_TTS_USER procedure

Revokes from authorization a user who had been granted authorization to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled

DISABLE_DV procedure

Disables Oracle Database Vault

DISABLE_DV_DICTIONARY_ACCTS procedure

Prevents users from logging into the DVSYS and DFV schema accounts

DISABLE_DV_PATCH_ADMIN

Disables auditing of the DV_PATCH_ADMIN user

DISABLE_ORADEBUG procedure

Disables the use of the ORADEBUG utility in an Oracle Database Vault environment

ENABLE_DV procedure

Enables Oracle Database Vault

ENABLE_DV_DICTIONARY_ACCTS procedure

Enables users to log into the DVSYS and DFV schema accounts

ENABLE_DV_PATCH_ADMIN

Enables auditing of the DV_PATCH_ADMIN user

ENABLE_ORADEBUG procedure

Enables the use of the ORADEBUG utility in an Oracle Database Vault environment

24.2 DBMS_MACSEC_ROLES PL/SQL Package Contents

The DBMS_MACSEC_ROLES package enables you to check and set Oracle Database Vault secure application roles.

This package is available to the general database account population.

Table 24-9 lists the contents of the DBMS_MACSEC_ROLES package.

Table 24-9 DBMS_MACSEC_ROLES PL/SQL Package Contents

Procedure or Function Description

CAN_SET_ROLE function

Checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. Returns a BOOLEAN value.

SET_ROLE procedure

Issues the SET ROLE statement for an Oracle Database Vault secure application role.

24.3 DBMS_MACUTL PL/SQL Package Contents

The DBMS_MACUTL PL/SQL package defines constants and utility methods that are commonly used by other Oracle Database Vault packages, such as error handling.

This package can be run by the general database account population. This allows for security developers to leverage the constants in scripted configuration files. Utility methods such as USER_HAS_ROLE can also be used in Oracle Database Vault rules.

Table 24-10 lists the DBMS_MACUTL package contents.

Table 24-10 DBMS_MACUTL PL/SQL Package Contents

Procedure or Function Description

CHECK_DVSYS_DML_ALLOWED procedure

Verifies that public-packages are not being bypassed by users updating the Oracle Database Vault configuration

GET_CODE_VALUE function

Looks up the value for a code within a code group.

GET_SECOND function

Returns the seconds in Oracle SS format (00-59). Useful for rule expressions based on time data

GET_MINUTE function

Returns the minute in Oracle MI format (00–59). Useful for rule expressions based on time data

GET_HOUR function

Returns the month in Oracle HH24 format (00–23). Useful for rule expressions based on time data

GET_DAY function

Returns the day in Oracle DD format (01–31). Useful for rule expressions based on time data

GET_MONTH function

Returns the month in Oracle MM format (01–12). Useful for rule expressions based on time data

GET_YEAR function

Returns the year in Oracle YYYY format (0001–9999). Useful for rule expressions based on time data

IS_ALPHA function

Checks whether the character is alphabetic

IS_DIGIT function

Checks whether the character is numeric

IS_DVSYS_OWNER function

Determines whether a user is authorized to manage the Oracle Database Vault configuration

IS_OLS_INSTALLED function

Returns an indicator regarding whether Oracle Label Security is installed

IS_OLS_INSTALLED_VARCHAR function

Returns an indicator regarding whether Oracle Label Security is installed

USER_HAS_ROLE function

Checks whether a user has a role privilege, directly or indirectly (through another role)

USER_HAS_ROLE_VARCHAR function

Checks whether a user has a role privilege, directly or indirectly (through another role)

USER_HAS_SYSTEM_PRIVILEGE function

Checks whether a user has a system privilege, directly or indirectly (through a role)

24.4 CONFIGURE_DV PL/SQL Procedure

The CONFIGURE_DV configures the initial two Oracle Database user accounts, which are granted the DV_OWNER and DV_ACCTMGR roles, respectively.

This procedure is used as part of the registration process for Oracle Database Vault with an Oracle database. You only need to use it once for the database instance.

24.5 DVF PL/SQL Interface Contents

The DVF schema provides a set of factor-related PL/SQL functions.

The functions are then available to the general database account population through PL/SQL functions and standard SQL.

Table 24-11 lists the DVF factor functions.

Table 24-11 DVF PL/SQL Interface Contents

Function Description

F$CLIENT_IP

Returns the IP address of the computer from which the client is connected

F$DATABASE_DOMAIN

Returns the domain of the database as specified in the DB_DOMAIN initialization parameter

F$DATABASE_HOSTNAME

Returns the host name of the computer on which the database instance is running

F$DATABASE_INSTANCE

Returns the database instance identification number of the current database instance

F$DATABASE_IP

Returns the IP address of the computer on which the database instance is running

F$DATABASE_NAME

Returns the name of the database as specified in the DB_NAME initialization parameter

F$DOMAIN

Returns a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level

F$ENTERPRISE_IDENTITY

Returns the enterprise-wide identity for a user

F$IDENTIFICATION_TYPE

Returns the way the schema of a user was created in the database. Specifically, it reflects the IDENTIFIED clause in the CREATE USER or ALTER USER syntax.

F$LANG

Returns the ISO abbreviation for the language name, a shorter form than the existing LANGUAGE parameter

F$LANGUAGE

Returns the language and territory currently used by your session, in VARCHAR2 data type, along with the database character set

F$MACHINE

Returns the computer (host) name for the database client that established the database session.

F$NETWORK_PROTOCOL

Returns the network protocol being used for communication, as specified in the PROTOCOL=protocol portion of the connect string

F$PROXY_ENTERPRISE_IDENTITY

Returns the Oracle Internet Directory distinguished name (DN) when the proxy user is an enterprise user

F$SESSION_USER

Returns the database user name by which the current user is authenticated