22 Oracle Database Vault General Administrative APIs
The DBMS_MACADM PL/SQL package and the CONFIGURE_DV standalone procedure enable you to perform general maintenance tasks.
- DBMS_MACADM General System Maintenance Procedures
  The DBMS_MACADM PL/SQL package general system maintenance procedures perform tasks such as authorizing users or adding a new language to Oracle Database Vault.
- CONFIGURE_DV General System Maintenance Procedure
  The CONFIGURE_DV procedure configures the initial two Oracle Database user accounts, which are granted the DV_OWNER and DV_ACCTMGR roles, respectively.
22.1 DBMS_MACADM General System Maintenance Procedures
The DBMS_MACADM PL/SQL package general system maintenance procedures perform tasks such as authorizing users or adding a new language to Oracle Database Vault.
- ADD_NLS_DATA Procedure
  The ADD_NLS_DATA procedure adds a new language to Oracle Database Vault.
- AUTHORIZE_DATAPUMP_USER Procedure
  The AUTHORIZE_DATAPUMP_USER procedure authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled.
- AUTHORIZE_DDL Procedure
  The AUTHORIZE_DDL procedure grants a user authorization to execute Data Definition Language (DDL) statements on the specified schema.
- AUTHORIZE_DIAGNOSTIC_ADMIN Procedure
  The AUTHORIZE_DIAGNOSTIC_ADMIN procedure authorizes a user to query diagnostic views and tables.
- AUTHORIZE_MAINTENANCE_USER Procedure
  The AUTHORIZE_MAINTENANCE_USER procedure grants a user authorization to perform Information Lifecycle Management (ILM) operations in an Oracle Database Vault environment.
- AUTHORIZE_PROXY_USER Procedure
  The AUTHORIZE_PROXY_USER procedure grants a proxy user authorization to proxy other user accounts, as long as the proxy user has database authorization.
- AUTHORIZE_SCHEDULER_USER Procedure
  The AUTHORIZE_SCHEDULER_USER procedure grants a user authorization to schedule database jobs when Oracle Database Vault is enabled.
- AUTHORIZE_TTS_USER Procedure
  The AUTHORIZE_TTS_USER procedure authorizes a user to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled.
- UNAUTHORIZE_DATAPUMP_USER Procedure
  The UNAUTHORIZE_DATAPUMP_USER procedure revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER procedure.
- UNAUTHORIZE_DDL Procedure
  The UNAUTHORIZE_DDL procedure revokes authorization from a user who was granted authorization to execute DDL statements through the DBMS_MACADM.AUTHORIZE_DDL procedure.
- UNAUTHORIZE_DIAGNOSTIC_ADMIN Procedure
  The UNAUTHORIZE_DIAGNOSTIC_ADMIN procedure revokes authorization from a user who was authorized with the DBMS_MACADM.AUTHORIZE_DIAGNOSTIC_ADMIN procedure to query diagnostic views and tables.
- UNAUTHORIZE_MAINTENANCE_USER Procedure
  The UNAUTHORIZE_MAINTENANCE_USER procedure revokes privileges from users who have been granted authorization to perform Information Lifecycle Management (ILM) operations in an Oracle Database Vault environment.
- UNAUTHORIZE_PROXY_USER Procedure
  The UNAUTHORIZE_PROXY_USER procedure revokes authorization from a user who was granted proxy authorization from the DBMS_MACADM.AUTHORIZE_PROXY_USER procedure.
- UNAUTHORIZE_SCHEDULER_USER Procedure
  The UNAUTHORIZE_SCHEDULER_USER procedure revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER procedure.
- UNAUTHORIZE_TTS_USER Procedure
  The UNAUTHORIZE_TTS_USER procedure removes from authorization users who had previously been granted the authorization to perform Oracle Data Pump transportable tablespace operations.
- DISABLE_DV Procedure
  The DISABLE_DV procedure disables Oracle Database Vault.
- DISABLE_DV_DICTIONARY_ACCTS Procedure
  The DISABLE_DV_DICTIONARY_ACCTS procedure prevents any user from logging into the database as the DVSYS or DVF schema user.
- DISABLE_DV_PATCH_ADMIN_AUDIT Procedure
  The DISABLE_DV_PATCH_ADMIN_AUDIT procedure disables realm, command rule, and rule set auditing of the actions by users who have the DV_PATCH_ADMIN role.
- DISABLE_ORADEBUG Procedure
  The DISABLE_ORADEBUG procedure disables the use of the ORADEBUG utility in an Oracle Database Vault environment.
- ENABLE_DV Procedure
  The ENABLE_DV procedure enables Oracle Database Vault and Oracle Label Security.
- ENABLE_DV_PATCH_ADMIN_AUDIT Procedure
  The ENABLE_DV_PATCH_ADMIN_AUDIT procedure enables realm, command rule, and rule set auditing of the actions by users who have the DV_PATCH_ADMIN role.
- ENABLE_DV_DICTIONARY_ACCTS Procedure
  The ENABLE_DV_DICTIONARY_ACCTS procedure enables users to log into the database as the DVSYS or DVF user.
- ENABLE_ORADEBUG Procedure
  The ENABLE_ORADEBUG procedure enables the use of the ORADEBUG utility in an Oracle Database Vault environment.
22.1.1 ADD_NLS_DATA Procedure
The ADD_NLS_DATA procedure adds a new language to Oracle Database Vault.
Syntax
DBMS_MACADM.ADD_NLS_DATA(
  language IN VARCHAR);
Parameters
Table 22-1 ADD_NLS_DATA
Parameter | Description |
---|---|
language | Enter one of the following settings. (This parameter is case insensitive.) |
Examples
EXEC DBMS_MACADM.ADD_NLS_DATA('french');
22.1.2 AUTHORIZE_DATAPUMP_USER Procedure
The AUTHORIZE_DATAPUMP_USER procedure authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled.
It applies to both the expdp and impdp utilities.
See Authorizing Users for Oracle Data Pump Regular Operations in Database Vault for full usage information, including the levels of additional authorization the user must have to use Oracle Data Pump in an Oracle Database Vault environment.
Syntax
DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
  user_name   IN VARCHAR2,
  schema_name IN VARCHAR2 DEFAULT NULL,
  table_name  IN VARCHAR2 DEFAULT NULL);
Parameters
Table 22-2 AUTHORIZE_DATAPUMP_USER
Parameter | Description |
---|---|
user_name | Name of the Oracle Data Pump user to whom you want to grant authorization. To find a list of users who have privileges to use Oracle Data Pump (that is, the SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE LIKE '%FULL%' |
schema_name | Name of the database schema that the Oracle Data Pump user must export or import. If you omit this parameter, then the user is granted global authorization to export and import any schema in the database. In this case, ensure the user has been granted the |
table_name | Name of the table within the schema specified by the |
Examples
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR');
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR');
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES');
22.1.3 AUTHORIZE_DDL Procedure
The AUTHORIZE_DDL procedure grants a user authorization to execute Data Definition Language (DDL) statements on the specified schema.
The DDL authorization allows the grantee to perform DDL operations on users who are authorized to realms or granted Oracle Database Vault roles. However, the DDL authorization does not allow the grantee to perform DDL operations on realm-protected schemas. To enable such operations, you must authorize the user for the realm.
To find information about users who have been granted this authorization, query the DBA_DV_DDL_AUTH data dictionary view.
Syntax
DBMS_MACADM.AUTHORIZE_DDL(
  user_name   IN VARCHAR2,
  schema_name IN VARCHAR2);
Parameters
Table 22-3 AUTHORIZE_DDL
Parameter | Description |
---|---|
user_name | Name of the user to whom you want to grant DDL authorization. |
schema_name | Name of the database schema in which the user wants to perform the DDL statements. Enter |
Examples
The following example enables user psmith to execute DDL statements in any schema:
EXEC DBMS_MACADM.AUTHORIZE_DDL('psmith', '%');
This example enables user psmith to execute DDL statements in the HR schema only.
EXEC DBMS_MACADM.AUTHORIZE_DDL('psmith', 'HR');
22.1.4 AUTHORIZE_DIAGNOSTIC_ADMIN Procedure
The AUTHORIZE_DIAGNOSTIC_ADMIN procedure authorizes a user to query diagnostic views and tables.
These views and tables are as follows:
Views and Tables V$ | Views and Tables X$ |
---|---|
|
|
|
|
|
|
Without this authorization, when a user queries these tables and views, no values are returned.
Syntax
DBMS_MACADM.AUTHORIZE_DIAGNOSTIC_ADMIN(
  uname IN VARCHAR2);
Parameters
Table 22-4 AUTHORIZE_DIAGNOSTIC_ADMIN
Parameter | Description |
---|---|
uname | Name of the user to whom you want to grant authorization. |
Example
EXEC DBMS_MACADM.AUTHORIZE_DIAGNOSTIC_ADMIN('PFITCH');
22.1.5 AUTHORIZE_MAINTENANCE_USER Procedure
The AUTHORIZE_MAINTENANCE_USER procedure grants a user authorization to perform Information Lifecycle Management (ILM) operations in an Oracle Database Vault environment.
To find information about users who have been granted this authorization, query the DBA_DV_MAINTENANCE_AUTH view.
Syntax
DBMS_MACADM.AUTHORIZE_MAINTENANCE_USER(
  uname   IN VARCHAR2,
  sname   IN VARCHAR2 DEFAULT NULL,
  objname IN VARCHAR2 DEFAULT NULL,
  objtype IN VARCHAR2 DEFAULT NULL,
  action  IN VARCHAR2 DEFAULT NULL);
Parameters
Table 22-5 AUTHORIZE_MAINTENANCE_USER
Parameter | Description |
---|---|
uname | Name of the user to whom you want to grant authorization |
sname | Name of the database schema for which the maintenance operations are to be performed. Enter |
objname | Name of the object (such as the name of a table) in the schema that is specified in the |
objtype | Type of the |
action | Maintenance action. Enter |
Example
The following example enables user psmith to have Database Vault authorization to manage ILM features for the HR.EMPLOYEES table:
BEGIN
  DBMS_MACADM.AUTHORIZE_MAINTENANCE_USER (
    uname   => 'psmith',
    sname   => 'HR',
    objname => 'EMPLOYEES',
    objtype => 'TABLE',
    action  => 'ILM');
END;
/
22.1.6 AUTHORIZE_PROXY_USER Procedure
The AUTHORIZE_PROXY_USER procedure grants a proxy user authorization to proxy other user accounts, as long as the proxy user has database authorization.
For example, the CREATE SESSION privilege is a valid database authorization.
To find information about users who have been granted this authorization, query the DBA_DV_PROXY_AUTH view.
Syntax
DBMS_MACADM.AUTHORIZE_PROXY_USER(
  proxy_user IN VARCHAR2,
  user_name  IN VARCHAR2);
Parameters
Table 22-6 AUTHORIZE_PROXY_USER
Parameter | Description |
---|---|
proxy_user | Name of the proxy user. |
user_name | Name of the database user who will be proxied by the |
Examples
The following example enables proxy user preston to proxy all users:
EXEC DBMS_MACADM.AUTHORIZE_PROXY_USER('preston', '%');
This example enables proxy user preston to proxy database user dkent only.
EXEC DBMS_MACADM.AUTHORIZE_PROXY_USER('preston', 'dkent');
22.1.7 AUTHORIZE_SCHEDULER_USER Procedure
The AUTHORIZE_SCHEDULER_USER procedure grants a user authorization to schedule database jobs when Oracle Database Vault is enabled.
This authorization applies to anyone who has privileges to schedule database jobs. These privileges include any of the following: CREATE JOB, CREATE ANY JOB, CREATE EXTERNAL JOB, EXECUTE ANY PROGRAM, EXECUTE ANY CLASS, MANAGE SCHEDULER. See Using Oracle Scheduler with Oracle Database Vault for full usage information, including the levels of authorization the user must have to schedule database jobs in an Oracle Database Vault environment.
Syntax
DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(
  user_name   IN VARCHAR2,
  schema_name IN VARCHAR2 DEFAULT NULL);
Parameters
Table 22-7 AUTHORIZE_SCHEDULER_USER
Parameter | Description |
---|---|
user_name | Name of the user to whom you want to grant authorization. To find a list of users who have privileges to schedule jobs, query the |
schema_name | Name of the database schema for which a job will be scheduled. If you omit this parameter, then the user is granted global authorization to schedule a job for any schema in the database. |
Examples
The following example authorizes the user JOB_MGR to run a job under any schema.
EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');
This example authorizes user JOB_MGR to run a job under the HR schema only.
EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');
22.1.8 AUTHORIZE_TTS_USER Procedure
The AUTHORIZE_TTS_USER procedure authorizes a user to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled.
It applies to both the EXPDP and IMPDP utilities.
Authorizing Users for Oracle Data Pump Regular Operations in Database Vault describes full usage information, including the levels of additional authorization the user must have to use Oracle Data Pump to conduct transportable operations in an Oracle Database Vault environment.
Syntax
DBMS_MACADM.AUTHORIZE_TTS_USER(
  uname  IN VARCHAR2,
  tsname IN VARCHAR2);
Parameters
Table 22-8 AUTHORIZE_TTS_USER
Parameter | Description |
---|---|
uname | Name of the user who you want to authorize to perform Oracle Data Pump transportable tablespace operations. To find a list of users and their current privileges, query the |
tsname | Name of the tablespace in which the To find a list of tablespaces, query the |
Example
EXEC DBMS_MACADM.AUTHORIZE_TTS_USER('PSMITH', 'HR_TS');
22.1.9 UNAUTHORIZE_DATAPUMP_USER Procedure
The UNAUTHORIZE_DATAPUMP_USER procedure revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER procedure.
When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_DATAPUMP_USER procedure.
For example, the following two procedures will work because the parameters are consistent:
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR');
EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR');
However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_DATAPUMP_USER procedure will not work:
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('JSMITH');
EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');
Syntax
DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
  user_name   IN VARCHAR2,
  schema_name IN VARCHAR2 DEFAULT NULL,
  table_name  IN VARCHAR2 DEFAULT NULL);
Parameters
Table 22-9 UNAUTHORIZE_DATAPUMP_USER
Parameter | Description |
---|---|
user_name | Name of the Oracle Data Pump user from whom you want to revoke authorization. To find a list of users and authorizations from the SELECT * FROM DBA_DV_DATAPUMP_AUTH; |
schema_name | Name of the database schema that the Oracle Data Pump user is authorized to export or import. |
table_name | Name of the table within the schema specified by the |
Examples
EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH');
EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');
EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR', 'SALARY');
22.1.10 UNAUTHORIZE_DDL Procedure
The UNAUTHORIZE_DDL procedure revokes authorization from a user who was granted authorization to execute DDL statements through the DBMS_MACADM.AUTHORIZE_DDL procedure.
To find information about users who have been granted this authorization, query the DBA_DV_DDL_AUTH data dictionary view.
Syntax
DBMS_MACADM.UNAUTHORIZE_DDL(
  user_name   IN VARCHAR2,
  schema_name IN VARCHAR2);
Parameters
Table 22-10 UNAUTHORIZE_DDL
Parameter | Description |
---|---|
user_name | Name of the user from whom you want to revoke DDL authorization. |
schema_name | Name of the database schema in which the user wants to perform the DDL statements. Enter |
Examples
The following example revokes DDL statement execution authorization from user psmith for all schemas:
EXEC DBMS_MACADM.UNAUTHORIZE_DDL('psmith', '%');
This example revokes DDL statement execution authorization from user psmith for the HR schema only.
EXEC DBMS_MACADM.UNAUTHORIZE_DDL('psmith', 'HR');
22.1.11 UNAUTHORIZE_DIAGNOSTIC_ADMIN Procedure
The UNAUTHORIZE_DIAGNOSTIC_ADMIN procedure revokes authorization from a user who was authorized with the DBMS_MACADM.AUTHORIZE_DIAGNOSTIC_ADMIN procedure to query diagnostic views and tables.
These views and tables are as follows:
Views and Tables V$ | Views and Tables X$ |
---|---|
|
|
|
|
|
|
Without this authorization, when a user queries these tables and views, no values are returned.
Syntax
DBMS_MACADM.UNAUTHORIZE_DIAGNOSTIC_ADMIN(
  uname IN VARCHAR2);
Parameters
Table 22-11 UNAUTHORIZE_DIAGNOSTIC_ADMIN
Parameter | Description |
---|---|
uname | Name of the user from whom you want to revoke authorization. |
Example
EXEC DBMS_MACADM.UNAUTHORIZE_DIAGNOSTIC_ADMIN('PFITCH');
22.1.12 UNAUTHORIZE_MAINTENANCE_USER Procedure
The UNAUTHORIZE_MAINTENANCE_USER procedure revokes privileges from users who have been granted authorization to perform Information Lifecycle Management (ILM) operations in an Oracle Database Vault environment.
To find information about the settings for the ILM authorization, query the DBA_DV_MAINTENANCE_AUTH view.
When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_MAINTENANCE_USER procedure.
For example, the following two procedures will work because the parameter settings correspond:
EXEC DBMS_MACADM.AUTHORIZE_MAINTENANCE_USER('psmith', 'OE', 'ORDERS', 'TABLE', 'ILM');
EXEC DBMS_MACADM.UNAUTHORIZE_MAINTENANCE_USER('psmith', 'OE', 'ORDERS', 'TABLE', 'ILM');
However, these two statements will fail because the settings do not correspond:
EXEC DBMS_MACADM.AUTHORIZE_MAINTENANCE_USER('psmith', 'OE', 'ORDERS', 'TABLE', 'ILM');
EXEC DBMS_MACADM.UNAUTHORIZE_MAINTENANCE_USER('psmith', '%', '%', '%', 'ILM');
Syntax
DBMS_MACADM.UNAUTHORIZE_MAINTENANCE_USER(
  uname   IN VARCHAR2,
  sname   IN VARCHAR2 DEFAULT NULL,
  objname IN VARCHAR2 DEFAULT NULL,
  objtype IN VARCHAR2 DEFAULT NULL,
  action  IN VARCHAR2 DEFAULT NULL);
Parameters
Table 22-12 UNAUTHORIZE_MAINTENANCE_USER
Parameter | Description |
---|---|
uname | Name of the user from whom you want to revoke authorization |
sname | Name of the database schema for which the maintenance operations are performed. Enter |
objname | Name of the object (such as the name of a table) in the schema that is specified in the |
objtype | Type of the |
action | Maintenance action. Enter |
Example
The following example revokes privileges from Database Vault user psmith so that she can no longer perform ILM operations in any HR schema objects:
BEGIN
  DBMS_MACADM.UNAUTHORIZE_MAINTENANCE_USER (
    uname   => 'psmith',
    sname   => 'HR',
    objname => 'EMPLOYEES',
    objtype => 'TABLE',
    action  => 'ILM');
END;
/
22.1.13 UNAUTHORIZE_PROXY_USER Procedure
The UNAUTHORIZE_PROXY_USER procedure revokes authorization from a user who was granted proxy authorization from the DBMS_MACADM.AUTHORIZE_PROXY_USER procedure.
Syntax
DBMS_MACADM.UNAUTHORIZE_PROXY_USER(
  proxy_user IN VARCHAR2,
  user_name  IN VARCHAR2);
Parameters
Table 22-13 UNAUTHORIZE_PROXY_USER
Parameter | Description |
---|---|
proxy_user | Name of the proxy user. |
user_name | Name of the database user who was proxied by the |
Examples
The following example revokes proxy authorization from user preston for proxying all users:
EXEC DBMS_MACADM.UNAUTHORIZE_PROXY_USER('preston', '%');
This example revokes proxy authorization from user preston for proxying database user psmith only.
EXEC DBMS_MACADM.UNAUTHORIZE_PROXY_USER('preston', 'psmith');
22.1.14 UNAUTHORIZE_SCHEDULER_USER Procedure
The UNAUTHORIZE_SCHEDULER_USER procedure revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER procedure.
When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_SCHEDULER_USER procedure. For example, the following two procedures will work because the parameters are consistent:
EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');
EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');
However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_SCHEDULER_USER procedure will not work:
EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');
EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');
Syntax
DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER(
  user_name   IN VARCHAR2,
  schema_name IN VARCHAR2 DEFAULT NULL);
Parameters
Table 22-14 UNAUTHORIZE_SCHEDULER_USER
Parameter | Description |
---|---|
user_name | Name of the job scheduling user from whom you want to revoke authorization. To find a list of users and authorizations from the SELECT * FROM DBA_DV_JOB_AUTH; |
schema_name | Name of the database schema for which the user is authorized to schedule jobs. |
Examples
EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');
EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');
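Because UNAUTHORIZE_SCHEDULER_USER and UNAUTHORIZE_DATAPUMP_USER only work when their settings match the original grant, a revoke is best built from what the dictionary records. The following query is an added example, not part of Oracle's documentation: it emits the matching revoke call for each row of DBA_DV_DATAPUMP_AUTH and DBA_DV_JOB_AUTH and labels the scope of each grant. The column names GRANTEE, SCHEMA and OBJECT, and the storage of a global authorization as NULL or '%', are assumptions to confirm with DESCRIBE.

```sql
-- Added example (not from the Oracle documentation).
-- Run as a user who can query the DBA_DV_* views.
-- ASSUMED: columns GRANTEE, SCHEMA, OBJECT; a global authorization is stored
-- as NULL or '%'. Check with DESCRIBE DBA_DV_DATAPUMP_AUTH / DBA_DV_JOB_AUTH.
WITH dp AS (
  SELECT grantee,
         NULLIF(schema, '%') AS schema_name,   -- NULL means "any schema"
         NULLIF(object, '%') AS table_name     -- NULL means "any table"
  FROM   dba_dv_datapump_auth
),
job AS (
  SELECT grantee,
         NULLIF(schema, '%') AS schema_name
  FROM   dba_dv_job_auth
)
SELECT 'DATAPUMP' AS auth_type,
       grantee,
       CASE
         WHEN schema_name IS NULL THEN 'GLOBAL (any schema)'
         WHEN table_name  IS NULL THEN 'SCHEMA ' || schema_name
         ELSE 'TABLE ' || schema_name || '.' || table_name
       END AS scope,
       -- Emit only the arguments that were set, so the call has the same
       -- one-, two- or three-argument form as the original grant.
       'EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('''
         || REPLACE(grantee, '''', '''''') || ''''
         || CASE WHEN schema_name IS NOT NULL
                 THEN ', ''' || REPLACE(schema_name, '''', '''''') || '''' END
         || CASE WHEN schema_name IS NOT NULL AND table_name IS NOT NULL
                 THEN ', ''' || REPLACE(table_name, '''', '''''') || '''' END
         || ');' AS revoke_call
FROM   dp
UNION ALL
SELECT 'SCHEDULER',
       grantee,
       CASE
         WHEN schema_name IS NULL THEN 'GLOBAL (any schema)'
         ELSE 'SCHEMA ' || schema_name
       END,
       'EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('''
         || REPLACE(grantee, '''', '''''') || ''''
         || CASE WHEN schema_name IS NOT NULL
                 THEN ', ''' || REPLACE(schema_name, '''', '''''') || '''' END
         || ');'
FROM   job
ORDER  BY 1, 3, 2;
```

Rows whose scope is GLOBAL are the ones to review first when checking for least privilege; the query only generates text and changes nothing until a generated call is run.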
22.1.15 UNAUTHORIZE_TTS_USER Procedure
The UNAUTHORIZE_TTS_USER procedure removes from authorization users who had previously been granted the authorization to perform Oracle Data Pump transportable tablespace operations.
Syntax
DBMS_MACADM.UNAUTHORIZE_TTS_USER(
  uname  IN VARCHAR2,
  tsname IN VARCHAR2);
Parameters
Table 22-15 UNAUTHORIZE_TTS_USER
Parameter | Description |
---|---|
uname | Name of the user who you want to remove from being authorized to perform Oracle Data Pump transportable tablespace operations. To find a list of users and their current privileges, query the |
tsname | Name of the tablespace that is used in the transportable tablespace operation. To find a list of tablespaces, query the |
Example
EXEC DBMS_MACADM.UNAUTHORIZE_TTS_USER('PSMITH', 'HR_TS');
22.1.16 DISABLE_DV Procedure
The DISABLE_DV procedure disables Oracle Database Vault.
After you run this procedure, you must restart the database.
Syntax
DBMS_MACADM.DISABLE_DV;
Parameters
None
Example
EXEC DBMS_MACADM.DISABLE_DV;
22.1.17 DISABLE_DV_DICTIONARY_ACCTS Procedure
The DISABLE_DV_DICTIONARY_ACCTS procedure prevents any user from logging into the database as the DVSYS or DVF schema user.
By default these two accounts are locked. Only a user who has been granted the DV_OWNER role can execute this procedure. To find the status of whether users can log into DVSYS and DVF, query the DBA_DV_DICTIONARY_ACCTS data dictionary view. For stronger security, run this procedure to better protect the DVSYS and DVF schemas. The disablement takes place immediately, so you do not need to restart the database after running this procedure.
Syntax
DBMS_MACADM.DISABLE_DV_DICTIONARY_ACCTS;
Parameters
None
Example
EXEC DBMS_MACADM.DISABLE_DV_DICTIONARY_ACCTS;
22.1.18 DISABLE_DV_PATCH_ADMIN_AUDIT Procedure
The DISABLE_DV_PATCH_ADMIN_AUDIT procedure disables realm, command rule, and rule set auditing of the actions by users who have the DV_PATCH_ADMIN role.
This procedure disables auditing of the successful actions of this user, not the failed actions. You should run this procedure after the DV_PATCH_ADMIN user has completed the database patch operation. To find if auditing is enabled or not, query the DBA_DV_PATCH_AUDIT data dictionary view.
Syntax
DBMS_MACADM.DISABLE_DV_PATCH_ADMIN_AUDIT;
Parameters
None
Example
EXEC DBMS_MACADM.DISABLE_DV_PATCH_ADMIN_AUDIT;
22.1.19 DISABLE_ORADEBUG Procedure
The DISABLE_ORADEBUG procedure disables the use of the ORADEBUG utility in an Oracle Database Vault environment.
The disablement takes place immediately, so you do not need to restart the database after running this procedure. To find the status of whether the ORADEBUG utility is available in Database Vault, query the DVSYS.DBA_DV_ORADEBUG data dictionary view.
Syntax
DBMS_MACADM.DISABLE_ORADEBUG;
Parameters
None
Example
EXEC DBMS_MACADM.DISABLE_ORADEBUG;
22.1.20 ENABLE_DV Procedure
The ENABLE_DV procedure enables Oracle Database Vault and Oracle Label Security.
If you want to run DBMS_MACADM.ENABLE_DV in an application container, then you must run it in the application container outside of application actions.
After you run this procedure, you must restart the database.
Syntax
DBMS_MACADM.ENABLE_DV(
  strict_mode IN VARCHAR2 DEFAULT);
Parameters
Table 22-16 ENABLE_DV
Parameter | Description |
---|---|
strict_mode | In a multitenant environment, specifies one of the following modes: To apply this setting to all PDBs in the multitenant environment, run the In a non-multitenant environment, omit this parameter. |
Examples
The following example enables Oracle Database Vault in regular mode.
EXEC DBMS_MACADM.ENABLE_DV;
This example enables Oracle Database Vault in strict mode in a multitenant environment.
EXEC DBMS_MACADM.ENABLE_DV (strict_mode => 'y');
22.1.21 ENABLE_DV_PATCH_ADMIN_AUDIT Procedure
The ENABLE_DV_PATCH_ADMIN_AUDIT procedure enables realm, command rule, and rule set auditing of the actions by users who have the DV_PATCH_ADMIN role.
This procedure is designed to audit these users' actions during a patch upgrade. To find if this auditing is enabled or not, query the DBA_DV_PATCH_AUDIT data dictionary view.
Syntax
DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT;
Parameters
None
Example
EXEC DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT;
22.1.22 ENABLE_DV_DICTIONARY_ACCTS Procedure
The ENABLE_DV_DICTIONARY_ACCTS procedure enables users to log into the database as the DVSYS or DVF user.
By default, the DVSYS and DVF accounts are locked.
Only a user who has been granted the DV_OWNER role can execute this procedure. To find the status of whether users can log into DVSYS and DVF, query the DBA_DV_DICTIONARY_ACCTS data dictionary view. For stronger security, only run this procedure when you need to better protect the DVSYS and DVF schemas. The enablement takes place immediately, so you do not need to restart the database after running this procedure.
Syntax
DBMS_MACADM.ENABLE_DV_DICTIONARY_ACCTS;
Parameters
None
Example
EXEC DBMS_MACADM.ENABLE_DV_DICTIONARY_ACCTS;
22.1.23 ENABLE_ORADEBUG Procedure
The ENABLE_ORADEBUG procedure enables the use of the ORADEBUG utility in an Oracle Database Vault environment.
The enablement takes place immediately, so you do not need to restart the database after running this procedure. To find the status of whether the ORADEBUG utility is available in Database Vault, query the DVSYS.DBA_DV_ORADEBUG data dictionary view.
Syntax
DBMS_MACADM.ENABLE_ORADEBUG;
Parameters
None
Example
EXEC DBMS_MACADM.ENABLE_ORADEBUG;
22.2 CONFIGURE_DV General System Maintenance Procedure
The CONFIGURE_DV procedure configures the initial two Oracle Database user accounts, which are granted the DV_OWNER and DV_ACCTMGR roles, respectively.
You can check the status of this configuration by querying the DBA_DV_STATUS data dictionary view. Before you run the CONFIGURE_DV procedure, you must create the two user accounts and grant them the CREATE SESSION privilege. The accounts can be either local or common. If you create common user accounts, then the Database Vault roles that are granted to these users apply to the current pluggable database (PDB) only. You then refer to these user accounts for the CONFIGURE_DV procedure.
The CONFIGURE_DV procedure resides in the SYS schema. Oracle provides a synonym, DVSYS.CONFIGURE_DV, so that any existing Oracle Database Vault configuration scripts that you may have created in previous releases will continue to work in this release.
You can run the CONFIGURE_DV procedure only once, when you are ready to register Oracle Database Vault with an Oracle database. After you run this procedure, you must run the utlrp.sql script and then DBMS_MACADM.ENABLE_DV to complete the registration process. Oracle strongly recommends that for better security, you use the two accounts you create here as back-up accounts and then create additional accounts for everyday use. See Backup Oracle Database Vault Accounts for guidance.
When you run the CONFIGURE_DV procedure, it checks the DVSYS schema for problems such as missing tables or packages. If it finds problems, then it raises an ORA-47500 Database Vault cannot be configured error. If this happens, then you must deinstall and then reinstall Oracle Database Vault.
Together, the CONFIGURE_DV and DBMS_MACADM.ENABLE_DV procedures, and the utlrp.sql script, are designed to be a command-line alternative to using Oracle Database Configuration Assistant (DBCA) to register Oracle Database Vault with an Oracle database.
You must run the CONFIGURE_DV procedure as user SYS. Registering Oracle Database Vault with an Oracle Database describes the process that you would use.
Syntax
CONFIGURE_DV(
  dvowner_uname   IN VARCHAR2,
  dvacctmgr_uname IN VARCHAR2);
Parameters
Table 22-17 CONFIGURE_DV
Parameter | Description |
---|---|
dvowner_uname | Name of the user who will be the Database Vault Owner. This user will be granted the |
dvacctmgr_uname | Name of the user who will be the Database Vault Account Manager. This user will be granted the |
Example
CREATE USER dbv_owner IDENTIFIED BY password CONTAINER = CURRENT;
CREATE USER dbv_acctmgr IDENTIFIED BY password CONTAINER = CURRENT;
GRANT CREATE SESSION TO dbv_owner, dbv_acctmgr;
BEGIN
  CONFIGURE_DV (
    dvowner_uname   => 'dbv_owner',
    dvacctmgr_uname => 'dbv_acctmgr');
END;
/
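Several procedures on this page point to a data dictionary view for their current state (DBA_DV_STATUS, DBA_DV_DICTIONARY_ACCTS, DBA_DV_ORADEBUG, DBA_DV_PATCH_AUDIT, DBA_DV_DDL_AUTH, DBA_DV_PROXY_AUTH). The following query is an added example, not part of Oracle's documentation, that reads them together as one review report. The column names (NAME and STATUS, STATE, GRANTEE and SCHEMA) and the values 'TRUE', 'ENABLED' and 'DISABLED' are assumptions to confirm with DESCRIBE and a SELECT * on each view.

```sql
-- Added example (not from the Oracle documentation).
-- Run as a user who can query the DBA_DV_* views.
-- ASSUMED: column names NAME/STATUS, STATE, GRANTEE/SCHEMA and the values
-- 'TRUE', 'ENABLED', 'DISABLED'. Confirm against your release before relying on it.
SELECT 'Database Vault ' || name AS control,
       status                   AS current_value,
       CASE WHEN UPPER(status) = 'TRUE' THEN 'OK'
            ELSE 'REVIEW: not TRUE; check CONFIGURE_DV, utlrp.sql, ENABLE_DV, restart'
       END                      AS finding
FROM   dba_dv_status
UNION ALL
-- DVSYS and DVF are locked by default; logins should stay disabled.
SELECT 'DVSYS/DVF direct logins', state,
       CASE WHEN UPPER(state) = 'DISABLED' THEN 'OK'
            ELSE 'REVIEW: DBMS_MACADM.DISABLE_DV_DICTIONARY_ACCTS turns this off'
       END
FROM   dba_dv_dictionary_accts
UNION ALL
SELECT 'ORADEBUG utility', state,
       CASE WHEN UPPER(state) = 'DISABLED' THEN 'OK'
            ELSE 'REVIEW: DBMS_MACADM.DISABLE_ORADEBUG turns this off'
       END
FROM   dvsys.dba_dv_oradebug
UNION ALL
-- Patch-admin auditing is meant to be on during a patch operation and
-- switched off once the DV_PATCH_ADMIN user has finished.
SELECT 'DV_PATCH_ADMIN auditing', state,
       CASE WHEN UPPER(state) = 'ENABLED'
            THEN 'INFO: expected only while a patch operation is in progress'
            ELSE 'INFO: enable before the next DV_PATCH_ADMIN patch operation'
       END
FROM   dba_dv_patch_audit
UNION ALL
-- '%' is the any-schema setting for AUTHORIZE_DDL.
SELECT 'DDL authorization: ' || grantee, schema,
       CASE WHEN schema = '%' THEN 'REVIEW: DDL allowed in any schema'
            ELSE 'OK: limited to one schema'
       END
FROM   dba_dv_ddl_auth
UNION ALL
-- '%' is the all-users setting for AUTHORIZE_PROXY_USER.
SELECT 'Proxy authorization: ' || grantee, schema,
       CASE WHEN schema = '%' THEN 'REVIEW: may proxy all users'
            ELSE 'OK: limited to one user'
       END
FROM   dba_dv_proxy_auth;
```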