22 Oracle Database Vault General Administrative APIs

The DBMS_MACADM PL/SQL package and the CONFIGURE_DV standalone procedure enable you to you perform general maintenance tasks.

• DBMS_MACADM General System Maintenance Procedures
  The DBMS_MACADM PL/SQL package general system maintenance procedures perform tasks such as authorizing users or adding new language to Oracle Database Vault.
• CONFIGURE_DV General System Maintenance Procedure
  The CONFIGURE_DV procedure configures the initial two Oracle Database user accounts, which are granted the DV_OWNER and DV_ACCTMGR roles, respectively.

22.1 DBMS_MACADM General System Maintenance Procedures

The DBMS_MACADM PL/SQL package general system maintenance procedures perform tasks such as authorizing users or adding new language to Oracle Database Vault.

• ADD_NLS_DATA Procedure
  The ADD_NLS_DATA procedure adds a new language to Oracle Database Vault.
• AUTH_DATAPUMP_CREATE_USER Procedure
  The AUTH_DATAPUMP_CREATE_USER procedure authorizes an Oracle Data Pump user to create users during an Oracle Data Pump import operation.
• AUTH_DATAPUMP_GRANT Procedure
  The AUTH_DATAPUMP_GRANT procedure authorizes an Oracle Data Pump user to grant Oracle Database Vault-protected roles and system privileges during an Oracle Data Pump import operation.
• AUTHORIZE_DATAPUMP_USER Procedure
  The AUTHORIZE_DATAPUMP_USER procedure authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled.
• AUTHORIZE_DBCAPTURE Procedure
  The AUTHORIZE_DBCAPTURE procedure grants a user authorization to perform Oracle Database Replay workload capture operations.
• AUTHORIZE_DBREPLAY Procedure
  The AUTHORIZE_DBREPLAY procedure grants a user authorization to perform Oracle Database Replay workload replay operations.
• AUTHORIZE_DDL Procedure
  The AUTHORIZE_DDL procedure grants a user authorization to execute Data Definition Language (DDL) statements on the specified schema.
• AUTHORIZE_DIAGNOSTIC_ADMIN Procedure
  The AUTHORIZE_DIAGNOSTIC_ADMIN procedure authorizes a user to query diagnostic views and tables.
• AUTHORIZE_MAINTENANCE_USER Procedure
  The AUTHORIZE_MAINTENANCE_USER procedure grants a user authorization to perform Information Lifecycle Management (ILM) operations in an Oracle Database Vault environment.
• AUTHORIZE_PREPROCESSOR Procedure
  The AUTHORIZE_PREPROCESSOR procedure grants a user authorization to execute preprocessor programs through external tables.
• AUTHORIZE_PROXY_USER Procedure
  The AUTHORIZE_PROXY_USER procedure grants a proxy user authorization to proxy other user accounts, as long as the proxy user has database authorization.
• AUTHORIZE_SCHEDULER_USER Procedure
  The AUTHORIZE_SCHEDULER_USER procedure grants a user authorization to schedule database jobs when Oracle Database Vault is enabled.
• AUTHORIZE_TTS_USER Procedure
  The AUTHORIZE_TTS_USER procedure authorizes a user to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled.
• DISABLE_DV Procedure
  The DISABLE_DV procedure disables Oracle Database Vault.
• DISABLE_DV_DICTIONARY_ACCTS Procedure
  The DISABLE_DV_DICTIONARY_ACCTS procedure prevents any user from logging into the database as the DVSYS or DVF schema user.
• DISABLE_DV_PATCH_ADMIN_AUDIT Procedure
  The DISABLE_DV_PATCH_ADMIN_AUDIT procedure disables realm, command rule, and rule set auditing of the actions by users who have the DV_PATCH_ADMIN role.
• DISABLE_ORADEBUG Procedure
  The DISABLE_ORADEBUG procedure disables the use of the ORADEBUG utility in an Oracle Database Vault environment.
• ENABLE_DV Procedure
  The ENABLE_DV procedure enables Oracle Database Vault and Oracle Label Security.
• ENABLE_DV_PATCH_ADMIN_AUDIT Procedure
  The ENABLE_DV_PATCH_ADMIN_AUDIT procedure enables realm, command rule, and rule set auditing of the actions by users who have the DV_PATCH_ADMIN role.
• ENABLE_DV_DICTIONARY_ACCTS Procedure
  The ENABLE_DV_DICTIONARY_ACCTS procedure enables users to log into the database as the DVSYS or DVF user.
• ENABLE_ORADEBUG Procedure
  The ENABLE_ORADEBUG procedure enables the use of the ORADEBUG utility in an Oracle Database Vault environment.
• UNAUTH_DATAPUMP_CREATE_USER Procedure
  The UNAUTH_DATAPUMP_CREATE_USER procedure removes authorization from an Oracle Data Pump user to create users during an Oracle Data Pump import operation.
• UNAUTH_DATAPUMP_GRANT Procedure
  The UNAUTH_DATAPUMP_GRANT procedure removes authorization from an Oracle Data Pump user to grant Oracle Database Vault-protected roles and system privileges during an Oracle Data Pump import operation.
• UNAUTHORIZE_DATAPUMP_USER Procedure
  The UNAUTHORIZE_DATAPUMP_USER procedure revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER procedure.
• UNAUTHORIZE_DBCAPTURE Procedure
  The UNAUTHORIZE_DBCAPTURE procedure revokes authorization from users to perform Oracle Database Replay workload capture operations.
• UNAUTHORIZE_DBREPLAY Procedure
  The UNAUTHORIZE_DBREPLAY procedure revokes authorization from users to perform Oracle Database Replay workload replay operations.
• UNAUTHORIZE_DDL Procedure
  The UNAUTHORIZE_DDL procedure revokes authorization from a user who was granted authorization to execute DDL statements through the DBMS_MACDM.AUTHORIZE_DDL procedure.
• UNAUTHORIZE_DIAGNOSTIC_ADMIN Procedure
  The UNAUTHORIZE_DIAGNOSTIC_ADMIN procedure revokes authorization from a user who was authorized with the DBMS_MACADM.AUTHORIZE_DIAGNOSTIC_ADMIN procedure to query diagnostic views and tables.
• UNAUTHORIZE_MAINTENANCE_USER Procedure
  The UNAUTHORIZE_MAINTENANCE_USER procedure revokes privileges from users who have been granted authorization to perform Information Lifecycle Management (ILM) operations in an Oracle Database Vault environment.
• UNAUTHORIZE_PREPROCESSOR Procedure
  The UNAUTHORIZE_PREPROCESSOR procedure revokes authorization from a user to execute preprocessor programs through external tables.
• UNAUTHORIZE_PROXY_USER Procedure
  The UNAUTHORIZE_PROXY_USER procedure revokes authorization from a user who was granted proxy authorization from the DBMS_MACADM.AUTHORIZE_PROXY_USER procedure.
• UNAUTHORIZE_SCHEDULER_USER Procedure
  The UNAUTHORIZE_SCHEDULER_USER procedure revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER procedure.
• UNAUTHORIZE_TTS_USER Procedure
  The UNAUTHORIZE_TTS_USER procedure removes from authorization users who had previously been granted the authorization to perform Oracle Data Pump transportable tablespace operations.

22.1.1 ADD_NLS_DATA Procedure

The ADD_NLS_DATA procedure adds a new language to Oracle Database Vault.

Syntax

DBMS_MACADM.ADD_NLS_DATA(
  language      IN VARCHAR );

Parameters

Table 22-1 ADD_NLS_DATA

Parameter	Description
language	Enter one of the following settings. (This parameter is case insensitive.) ENGLISH GERMAN SPANISH FRENCH ITALIAN JAPANESE KOREAN BRAZILIAN PORTUGUESE SIMPLIFIED CHINESE TRADITIONAL CHINESE

Examples

EXEC DBMS_MACADM.ADD_NLS_DATA('french');

22.1.2 AUTH_DATAPUMP_CREATE_USER Procedure

The AUTH_DATAPUMP_CREATE_USER procedure authorizes an Oracle Data Pump user to create users during an Oracle Data Pump import operation.

This procedure applies to the impdp utility only.

Syntax

DBMS_MACADM.AUTH_DATAPUMP_CREATE_USER(
  uname      IN VARCHAR2);

Parameters

Table 22-2 AUTH_DATAPUMP_CREATE_USER

Parameter	Description
uname	Name of the Oracle Data Pump user who will need to create users during the import operation. To find the user's current status, query the DBA_DV_DATAPUMP_AUTH data dictionary view.

Example

EXEC DBMS_MACADM.AUTH_DATAPUMP_CREATE_USER('DP_MGR');

22.1.3 AUTH_DATAPUMP_GRANT Procedure

The AUTH_DATAPUMP_GRANT procedure authorizes an Oracle Data Pump user to grant Oracle Database Vault-protected roles and system privileges during an Oracle Data Pump import operation.

This procedure applies to the impdp utility only. Be aware that this authorization does not cover Oracle Database Vault roles such as DV_OWNER, DV_ADMIN, DV_MONITOR, and so on.

Syntax

DBMS_MACADM.AUTH_DATAPUMP_GRANT(
  uname      IN VARCHAR2);

Parameters

Table 22-3 AUTH_DATAPUMP_GRANT

Parameter	Description
user_name	Name of the Oracle Data Pump user who will need to grant roles and privileges to users during the import operation. To find a user's current status, query the DBA_DV_DATAPUMP_AUTH data dictionary view.

Example

EXEC DBMS_MACADM.AUTH_DATAPUMP_GRANT('DP_MGR');

22.1.4 AUTHORIZE_DATAPUMP_USER Procedure

The AUTHORIZE_DATAPUMP_USER procedure authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled.

It applies to both the expdp and impdp utilities.

See Authorizing Users or Roles for Oracle Data Pump Regular Operations in Database Vault for full usage information, including the levels of additional authorization the user must have to use Oracle Data Pump in an Oracle Database Vault environment.

Syntax

DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL,
  table_name     IN VARCHAR2 DEFAULT NULL);

Parameters

Table 22-4 AUTHORIZE_DATAPUMP_USER

Parameter	Description
user_name	Name of the Oracle Data Pump user to whom you want to grant authorization. To find a list of users who have privileges to use Oracle Data Pump (that is, the EXP_FULL_DATABASE and IMP_FULL_DATABASE roles), query the DBA_ROLE_PRIVS data dictionary view as follows: SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE LIKE '%FULL%'
schema_name	Name of the database schema that the Oracle Data Pump user must export or import. If you omit this parameter, then the user is granted global authorization to export and import any schema in the database. In this case, ensure the user has been granted the DV_OWNER role.
table_name	Name of the table within the schema specified by the schema_name parameter. If you omit this parameter, then the user you specified can export and import all tables within the schema specified by the schema_name parameter.

Examples

EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR');

EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR');

EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES'); 

22.1.5 AUTHORIZE_DBCAPTURE Procedure

The AUTHORIZE_DBCAPTURE procedure grants a user authorization to perform Oracle Database Replay workload capture operations.

To find information about users who have been granted this authorization, query the DBA_DV_DBCAPTURE_AUTH data dictionary view.

Syntax

DBMS_MACADM.AUTHORIZE_DBCAPTURE(
  uname      IN VARCHAR2);

Parameters

Table 22-5 AUTHORIZE_DBCAPTURE

Parameter	Description
uname	Name of the user to whom you want to grant Database Replay workload capture authorization

Example 22-1 Example

EXEC DBMS_MACADM.AUTHORIZE_DBCAPTURE('PFITCH');

22.1.6 AUTHORIZE_DBREPLAY Procedure

The AUTHORIZE_DBREPLAY procedure grants a user authorization to perform Oracle Database Replay workload replay operations.

To find information about users who have been granted this authorization, query the DBA_DV_DBREPLAY_AUTH data dictionary view.

Syntax

DBMS_MACADM.AUTHORIZE_DBREPLAY(
  uname      IN VARCHAR2);

Parameters

Table 22-6 AUTHORIZE_DBREPLAY

Parameter	Description
uname	Name of the user to whom you want to grant Database Replay workload replay authorization

Example 22-2 Example

EXEC DBMS_MACADM.AUTHORIZE_DBREPLAY('PFITCH');

22.1.7 AUTHORIZE_DDL Procedure

The AUTHORIZE_DDL procedure grants a user authorization to execute Data Definition Language (DDL) statements on the specified schema.

The DDL authorization allows the grantee to perform DDL operations on users who are authorized to realms or granted Oracle Database Vault roles. However, the DDL authorization does not allow the grantee to perform DDL operations on realm-protected schemas. To enable such operations, you must authorize the user for the realm.

To find information about users who have been granted this authorization, query the DBA_DV_DDL_AUTH data dictionary view.

Syntax

DBMS_MACADM.AUTHORIZE_DDL(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2);

Parameters

Table 22-7 AUTHORIZE_DDL

Parameter	Description
user_name	Name of the user to whom you want to grant DDL authorization.
schema_name	Name of the database schema in which the user wants to perform the DDL statements. Enter % to specify all schemas.

Examples

The following example enables user psmith to execute DDL statements in any schema:

EXEC DBMS_MACADM.AUTHORIZE_DDL('psmith', '%');

This example enables user psmith to execute DDL statements in the HR schema only.

EXEC DBMS_MACADM.AUTHORIZE_DDL('psmith', 'HR');

22.1.8 AUTHORIZE_DIAGNOSTIC_ADMIN Procedure

The AUTHORIZE_DIAGNOSTIC_ADMIN procedure authorizes a user to query diagnostic views and tables.

These views and tables are as follows:

Views and Tables V$	Views and Tables X$
V$DIAG_OPT_TRACE_RECORDS	X$DBGTFOPTT
V$DIAG_SESS_OPT_TRACE_RECORDS	X$DBGTFSOPTT
V$DIAG_TRACE_FILE_CONTENTS	X$DBGTFVIEW

Without this authorization, when a user queries these tables and views, no values are returned.

Syntax

DBMS_MACADM.AUTHORIZE_DIAGNOSTIC_ADMIN(
  uname      IN VARCHAR2);

Parameters

Table 22-8 AUTHORIZE_DIAGNOSTIC_ADMIN

Parameter	Description
uname	Name of the user to whom you want to grant authorization.

Example

EXEC DBMS_MACADM.AUTHORIZE_DIAGNOSTIC_ADMIN('PFITCH'); 

22.1.9 AUTHORIZE_MAINTENANCE_USER Procedure

The AUTHORIZE_MAINTENANCE_USER procedure grants a user authorization to perform Information Lifecycle Management (ILM) operations in an Oracle Database Vault environment.

To find information about users who have been granted this authorization, query the DBA_DV_MAINTENANCE_AUTH view.

Syntax

DBMS_MACADM.AUTHORIZE_MAINTENANCE_USER(
 uname        IN VARCHAR2,
 sname        IN VARCHAR2 DEFAULT NULL,
 objname      IN VARCHAR2 DEFAULT NULL,
 objtype      IN VARCHAR2 DEFAULT NULL,
 action       IN VARCHAR2 DEFAULT NULL);

Parameters

Table 22-9 AUTHORIZE_MAINTENANCE_USER

Parameter	Description
uname	Name of the user to whom you want to grant authorization
sname	Name of the database schema for which the maintenance operations are to be performed. Enter % to specify all schemas.
objname	Name of the object (such as the name of a table) in the schema that is specified in the sname parameter for which maintenance operations are to be performed
objtype	Type of the objname object, such as table, index, tablespace, and so on
action	Maintenance action. Enter ilm for Information Lifecycle Management

Example

The following example enables user psmith to have Database Vault authorization to manage ILM features for the HR.EMPLOYEES table:

BEGIN
 DBMS_MACADM.AUTHORIZE_MAINTENANCE_USER (
  uname       => 'psmith', 
  sname       => 'HR', 
  objname     => 'EMPLOYEES',
  objtype     => 'TABLE', 
  action      => 'ILM');
END;
/

22.1.10 AUTHORIZE_PREPROCESSOR Procedure

The AUTHORIZE_PREPROCESSOR procedure grants a user authorization to execute preprocessor programs through external tables.

To find information about users who have been granted this authorization, query the DBA_DV_PREPROCESSOR_AUTH data dictionary view.

Syntax

DBMS_MACADM.AUTHORIZE_PREPROCESSOR(
  uname      IN VARCHAR2);

Parameters

Table 22-10 AUTHORIZE_PREPROCESSOR

Parameter	Description
uname	Name of the user to whom you want to grant authorization to execute preprocessor programs through external tables

Example 22-3 Example

EXEC DBMS_MACADM.AUTHORIZE_PREPROCESSOR('PFITCH');

22.1.11 AUTHORIZE_PROXY_USER Procedure

The AUTHORIZE_PROXY_USER procedure grants a proxy user authorization to proxy other user accounts, as long as the proxy user has database authorization.

For example, the CREATE SESSION privilege is a valid database authorization.

AUTHORIZE_PROXY_USER does not control whether a particular user can connect as a proxy of another user. That part is controlled by GRANT CONNECT THROUGH, which can be issued only by the a user who has the DV_ACCTMGR role. Instead, AUTHORIZE_PROXY_USER controls whether the proxy user is allowed to assume all the Database Vault authorizations that the target user has. For example, suppose that the proxy user hr_proxy_user successfully connects as user HR. Now being HR, hr_proxy_user can access all the objects to which HR has access. However, if the target objects are Database Vault protected and HR is authorized to access it, hr_proxy_user can access the objects if and only if hr_proxy_user is proxy-authorized for HR. If hr_proxy_user is not proxy-authorized for HR, then even after connecting as HR, hr_proxy_user cannot access the Database Vault-protected objects for which HR is authorized.

To find information about users who have been granted authorization using AUTHORIZE_PROXY_USER, query the DBA_DV_PROXY_AUTH view.

Syntax

DBMS_MACADM.AUTHORIZE_PROXY_USER(
  proxy_user   IN VARCHAR2,
  user_name    IN VARCHAR2);

Parameters

Table 22-11 AUTHORIZE_PROXY_USER

Parameter	Description
proxy_user	Name of the proxy user.
user_name	Name of the database user who will be proxied by the proxy_user user. Enter % to specify all users.

Examples

The following example enables proxy user preston to proxy all users:

EXEC DBMS_MACADM.AUTHORIZE_PROXY_USER('preston', '%');

This example enables proxy user preston to proxy database user dkent only.

EXEC DBMS_MACADM.AUTHORIZE_PROXY_USER('preston', 'dkent');

22.1.12 AUTHORIZE_SCHEDULER_USER Procedure

The AUTHORIZE_SCHEDULER_USER procedure grants a user authorization to schedule database jobs when Oracle Database Vault is enabled.

This authorization applies to anyone who has privileges to schedule database jobs. These privileges include any of the following: CREATE JOB, CREATE ANY JOB, CREATE EXTERNAL JOB, EXECUTE ANY PROGRAM, EXECUTE ANY CLASS, MANAGE SCHEDULER. See Using Oracle Scheduler with Oracle Database Vault full usage information, including the levels of authorization the user must have to schedule database jobs in an Oracle Database Vault environment.

Syntax

DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL);

Parameters

Table 22-12 AUTHORIZE_SCHEDULER_USER

Parameter	Description
user_name	Name of the user to whom you want to grant authorization. To find a list of users who have privileges to schedule jobs, query the DBA_SYS_PRIVS data dictionary view. See Step 2 in Granting a Job Scheduling Administrator Authorization for Database Vault.
schema_name	Name of the database schema for which a job will be scheduled. If you omit this parameter, then the user is granted global authorization to schedule a job for any schema in the database.

Examples

The following example authorizes the user JOB_MGR to run a job under any schema.

EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

This example authorizes user JOB_MGR to run a job under the HR schema only.

EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

22.1.13 AUTHORIZE_TTS_USER Procedure

The AUTHORIZE_TTS_USER procedure authorizes a user to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled.

It applies to both the EXPDP and IMPDP utilities.

Authorizing Users or Roles for Oracle Data Pump Regular Operations in Database Vault describes full usage information, including the levels of additional authorization the user must have to use Oracle Data Pump to conduct transportable operations in an Oracle Database Vault environment.

Syntax

DBMS_MACADM.AUTHORIZE_TTS_USER(
  uname      IN VARCHAR2,
  tsname     IN VARCHAR2);

Parameters

Table 22-13 AUTHORIZE_TTS_USER

Parameter	Description
uname	Name of the user who you want to authorize to perform Oracle Data Pump transportable tablespace operations. To find a list of users and their current privileges, query the DBA_SYS_PRIVS data dictionary view.
tsname	Name of the tablespace in which the uname user is to perform the transportable tablespace operation. To find a list of tablespaces, query the DBA_TABLESPACES data dictionary view.

Example

EXEC DBMS_MACADM.AUTHORIZE_TTS_USER('PSMITH', 'HR_TS');

22.1.14 DISABLE_DV Procedure

The DISABLE_DV procedure disables Oracle Database Vault.

After you run this procedure, you must restart the database.

Syntax

DBMS_MACADM.DISABLE_DV;

Parameters

None

Example

EXEC DBMS_MACADM.DISABLE_DV;

22.1.15 DISABLE_DV_DICTIONARY_ACCTS Procedure

The DISABLE_DV_DICTIONARY_ACCTS procedure prevents any user from logging into the database as the DVSYS or DVF schema user.

By default these two accounts are locked. Only a user who has been granted the DV_OWNER role can execute this procedure. To find the status of whether users can log into DVSYS and DVF, query the DBA_DV_DICTIONARY_ACCTS data dictionary view. For stronger security, run this procedure to better protect the DVSYS and DVF schemas. The disablement takes place immediately, so you do not need to restart the database after running this procedure.

Syntax

DBMS_MACADM.DISABLE_DV_DICTIONARY_ACCTS;

Parameters

None

Example

EXEC DBMS_MACADM.DISABLE_DV_DICTIONARY_ACCTS;

22.1.16 DISABLE_DV_PATCH_ADMIN_AUDIT Procedure

The DISABLE_DV_PATCH_ADMIN_AUDIT procedure disables realm, command rule, and rule set auditing of the actions by users who have the DV_PATCH_ADMIN role.

This procedure disables the successful actions of this user, not the failed actions. You should run this procedure after the DV_PATCH_ADMIN user has completed database patch operation. To find if auditing is enabled or not, query the DBA_DV_PATCH_AUDIT data dictionary view.

Syntax

DBMS_MACADM.DISABLE_DV_PATCH_ADMIN_AUDIT;

Parameters

None

Example

EXEC DBMS_MACADM.DISABLE_DV_PATCH_ADMIN_AUDIT;

22.1.17 DISABLE_ORADEBUG Procedure

The DISABLE_ORADEBUG procedure disables the use of the ORADEBUG utility in an Oracle Database Vault environment.

The disablement takes place immediately, so you do not need to restart the database after running this procedure. To find the status of whether the ORADEBUG utility is available in Database Vault, query the DVYS.DBA_DV_ORADEBUG data dictionary view.

Syntax

DBMS_MACADM.DISABLE_ORADEBUG;

Parameters

None

Example

EXEC DBMS_MACADM.DISABLE_ORADEBUG;

22.1.18 ENABLE_DV Procedure

The ENABLE_DV procedure enables Oracle Database Vault and Oracle Label Security.

If you want to run DBMS_MACADM.ENABLE_DV in an application container, then you must run it in the application container outside of application actions.

After you run this procedure, you must restart the database.

Syntax

DBMS_MACADM.ENABLE_DV(
 strict_mode  IN VARCHAR2 DEFAULT);

Parameters

Table 22-14 ENABLE_DV

Parameter

Description

strict_mode

In a multitenant environment, specifies one of the following modes: n specifies regular mode, which allows the PDBs to be Database Vault enabled or disabled. (Default) y specifies strict mode, which puts the PDBs that have not been Database Vault-enabled in restricted mode, until you enable Database Vault in them and then restart the PDB. To apply this setting to all PDBs in the multitenant environment, run the DBMS_MACADM.ENABLE_DV procedure in the CDB root. To apply it to all PDBs in an application container, run the procedure in the application root. In a non-multitenant environment, omit this parameter.

Examples

The following example enables Oracle Database Vault in regular mode.

EXEC DBMS_MACADM.ENABLE_DV;

This example enables Oracle Database Vault in strict mode in a multitenant environment.

EXEC DBMS_MACADM.ENABLE_DV (strict_mode => 'y');

22.1.19 ENABLE_DV_PATCH_ADMIN_AUDIT Procedure

The ENABLE_DV_PATCH_ADMIN_AUDIT procedure enables realm, command rule, and rule set auditing of the actions by users who have the DV_PATCH_ADMIN role.

This procedure is designed to audit these users' actions during a patch upgrade. To find if this auditing is enabled or not, query the DBA_DV_PATCH_AUDIT data dictionary view.

Syntax

DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT;

Parameters

None

Example

EXEC DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT;

22.1.20 ENABLE_DV_DICTIONARY_ACCTS Procedure

The ENABLE_DV_DICTIONARY_ACCTS procedure enables users to log into the database as the DVSYS or DVF user.

By default, the DVSYS and DVF accounts are locked.

Only a user who has been granted the DV_OWNER role can execute this procedure. To find the status of whether users can log into DVSYS and DVF, query the DBA_DV_DICTIONARY_ACCTS data dictionary view. For stronger security, only run this procedure when you need to better protect the DVSYS and DVF schemas. The enablement takes place immediately, so you do not need to restart the database after running this procedure.

Syntax

DBMS_MACADM.ENABLE_DV_DICTIONARY_ACCTS;

Parameters

None

Example

EXEC DBMS_MACADM.ENABLE_DV_DICTIONARY_ACCTS;

22.1.21 ENABLE_ORADEBUG Procedure

The ENABLE_ORADEBUG procedure enables the use of the ORADEBUG utility in an Oracle Database Vault environment.

The enablement takes place immediately, so you do not need to restart the database after running this procedure. To find the status of whether the ORADEBUG utility is available in Database Vault, query the DVYS.DBA_DV_ORADEBUG data dictionary view.

Syntax

DBMS_MACADM.ENABLE_ORADEBUG;

Parameters

None

Example

EXEC DBMS_MACADM.ENABLE_ORADEBUG;

22.1.22 UNAUTH_DATAPUMP_CREATE_USER Procedure

The UNAUTH_DATAPUMP_CREATE_USER procedure removes authorization from an Oracle Data Pump user to create users during an Oracle Data Pump import operation.

This procedure applies to the impdp utility only.

Syntax

DBMS_MACADM.UNAUTH_DATAPUMP_CREATE_USER(
  uname      IN VARCHAR2);

Parameters

Table 22-15 UNAUTH_DATAPUMP_CREATE_USER

Parameter	Description
uname	Name of the Oracle Data Pump user whose authorization must be removed. To find a user's current status, query the DBA_DV_DATAPUMP_AUTH data dictionary view.

Example

EXEC DBMS_MACADM.UNAUTH_DATAPUMP_CREATE_USER('DP_MGR');

22.1.23 UNAUTH_DATAPUMP_GRANT Procedure

The UNAUTH_DATAPUMP_GRANT procedure removes authorization from an Oracle Data Pump user to grant Oracle Database Vault-protected roles and system privileges during an Oracle Data Pump import operation.

This procedure applies to the impdp utility only.

Syntax

DBMS_MACADM.UNAUTH_DATAPUMP_GRANT(
  uname      IN VARCHAR2);

Parameters

Table 22-16 UNAUTH_DATAPUMP_GRANT

Parameter	Description
user_name	Name of the Oracle Data Pump user whose authorization must be removed. To find a user's current status, query the DBA_DV_DATAPUMP_AUTH data dictionary view.

Example

EXEC DBMS_MACADM.UNAUTH_DATAPUMP_GRANT('DP_MGR');

22.1.24 UNAUTHORIZE_DATAPUMP_USER Procedure

The UNAUTHORIZE_DATAPUMP_USER procedure revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER procedure.

When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_DATAPUMP_USER procedure.

For example, the following two procedures will work because the parameters are consistent:

EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR');

EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR');

However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_DATAPUMP_USER procedure will not work:

EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('JSMITH');

EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');

Syntax

DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL,
  table_name     IN VARCHAR2 DEFAULT NULL);

Parameters

Table 22-17 UNAUTHORIZE_DATAPUMP_USER

Parameter	Description
user_name	Name of the Oracle Data Pump user from whom you want to revoke authorization. To find a list of users and authorizations from the AUTHORIZE_DATAPUMP_USER procedure, query the DBA_DV_DATAPUMP_AUTH data dictionary view as follows: SELECT * FROM DBA_DV_DATAPUMP_AUTH;
schema_name	Name of the database schema that the Oracle Data Pump user is authorized to export or import.
table_name	Name of the table within the schema specified by the schema name parameter.

Examples

EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH');

EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');

EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR', 'SALARY');

22.1.25 UNAUTHORIZE_DBCAPTURE Procedure

The UNAUTHORIZE_DBCAPTURE procedure revokes authorization from users to perform Oracle Database Replay workload capture operations.

To find information about users who have been granted this authorization, query the DBA_DV_DBCAPTURE_AUTH data dictionary view.

Syntax

DBMS_MACADM.UNAUTHORIZE_DBCAPTURE(
  uname      IN VARCHAR2);

Parameters

Table 22-18 UNAUTHORIZE_DBCAPTURE

Parameter	Description
uname	Name of the user from whom you want to revoke Database Replay workload capture authorization

Example 22-4 Example

EXEC DBMS_MACADM.UNAUTHORIZE_DBCAPTURE('PFITCH');

22.1.26 UNAUTHORIZE_DBREPLAY Procedure

The UNAUTHORIZE_DBREPLAY procedure revokes authorization from users to perform Oracle Database Replay workload replay operations.

To find information about users who have been granted this authorization, query the DBA_DV_DBREPLAY_AUTH data dictionary view.

Syntax

DBMS_MACADM.UNAUTHORIZE_DBREPLAY(
  uname      IN VARCHAR2);

Parameters

Table 22-19 UNAUTHORIZE_DBREPLAY

Parameter	Description
uname	Name of the user from whom you want to revoke Database Replay workload replay authorization

Example 22-5 Example

EXEC DBMS_MACADM.UNAUTHORIZE_DBREPLAY('PFITCH');

22.1.27 UNAUTHORIZE_DDL Procedure

The UNAUTHORIZE_DDL procedure revokes authorization from a user who was granted authorization to execute DDL statements through the DBMS_MACDM.AUTHORIZE_DDL procedure.

To find information about users who have been granted this authorization, query the DBA_DV_DDL_AUTH data dictionary view.

Syntax

DBMS_MACADM.UNAUTHORIZE_DDL(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2);

Parameters

Table 22-20 UNAUTHORIZE_DDL

Parameter	Description
user_name	Name of the user from whom you want to revoke DDL authorization.
schema_name	Name of the database schema in which the user wants to perform the DDL statements. Enter % specify all schemas.

Examples

The following example revokes DDL statement execution authorization from user psmith for all schemas:

EXEC DBMS_MACADM.UNAUTHORIZE_DDL('psmith', '%');

This example revokes DDL statement execution authorization from user psmith for the HR schema only.

EXEC DBMS_MACADM.UNAUTHORIZE_DDL('psmith', 'HR');

22.1.28 UNAUTHORIZE_DIAGNOSTIC_ADMIN Procedure

The UNAUTHORIZE_DIAGNOSTIC_ADMIN procedure revokes authorization from a user who was authorized with the DBMS_MACADM.AUTHORIZE_DIAGNOSTIC_ADMIN procedure to query diagnostic views and tables.

These views and tables are as follows:

Views and Tables V$	Views and Tables X$
V$DIAG_OPT_TRACE_RECORDS	X$DBGTFOPTT
V$DIAG_SESS_OPT_TRACE_RECORDS	X$DBGTFSOPTT
V$DIAG_TRACE_FILE_CONTENTS	X$DBGTFVIEW

Without this authorization, when a user queries these tables and views, no values are returned.

Syntax

DBMS_MACADM.UNAUTHORIZE_DIAGNOSTIC_ADMIN(
  uname      IN VARCHAR2);

Parameters

Table 22-21 UNAUTHORIZE_DIAGNOSTIC_ADMIN

Parameter	Description
uname	Name of the user from whom you want to revoke authorization.

Example

EXEC DBMS_MACADM.UNAUTHORIZE_DIAGNOSTIC_ADMIN('PFITCH'); 

22.1.29 UNAUTHORIZE_MAINTENANCE_USER Procedure

The UNAUTHORIZE_MAINTENANCE_USER procedure revokes privileges from users who have been granted authorization to perform Information Lifecycle Management (ILM) operations in an Oracle Database Vault environment.

To find information about the settings for the ILM authorization, query the DBA_DV_MAINTENANCE_AUTH view.

When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_MAINTENANCE_USER procedure.

For example, the following two procedures will work because the parameter settings correspond:

EXEC DBMS_MACADM.AUTHORIZE_MAINTENANCE_USER('psmith', 'OE', 'ORDERS', 'TABLE', 'ILM');
EXEC DBMS_MACADM.UNAUTHORIZE_MAINTENANCE_USER('psmith', 'OE', 'ORDERS', 'TABLE', 'ILM');

However, these two statements will fail because the settings do not correspond:

EXEC DBMS_MACADM.AUTHORIZE_MAINTENANCE_USER('psmith', 'OE', 'ORDERS', 'TABLE', 'ILM');

EXEC DBMS_MACADM.UNAUTHORIZE_MAINTENANCE_USER('psmith', '%', '%', '%', 'ILM');

Syntax

DBMS_MACADM.UNAUTHORIZE_MAINTENANCE_USER(
 uname        IN VARCHAR2,
 sname        IN VARCHAR2 DEFAULT NULL,
 objname      IN VARCHAR2 DEFAULT NULL,
 objtype      IN VARCHAR2 DEFAULT NULL,
 action       IN VARCHAR2 DEFAULT NULL);

Parameters

Table 22-22 UNAUTHORIZE_MAINTENANCE_USER

Parameter	Description
uname	Name of the user from whom you want to revoke authorization
sname	Name of the database schema for which the maintenance operations are performed. Enter % to specify all schemas.
objname	Name of the object (such as the name of a table) in the schema that is specified in the sname parameter for which maintenance operations are performed
objtype	Type of the objname object, such as table, index, tablespace, and so on
action	Maintenance action. Enter ilm for Information Lifecycle Management

Example

The following example revokes privileges from Database Vault user psmith so that she can no longer perform ILM operations in any HR schema objects:

BEGIN
 DBMS_MACADM.UNAUTHORIZE_MAINTENANCE_USER (
  uname       => 'psmith', 
  sname       => 'HR', 
  objname     => 'EMPLOYEES',
  objtype     => 'TABLE', 
  action      => 'ILM');
END;
/

22.1.30 UNAUTHORIZE_PREPROCESSOR Procedure

The UNAUTHORIZE_PREPROCESSOR procedure revokes authorization from a user to execute preprocessor programs through external tables.

To find information about users who have been granted this authorization, query the DBA_DV_PREPROCESSOR_AUTH data dictionary view.

Syntax

DBMS_MACADM.UNAUTHORIZE_PREPROCESSOR(
  uname      IN VARCHAR2);

Parameters

Table 22-23 UNAUTHORIZE_PREPROCESSOR

Parameter	Description
uname	Name of the user from whom you want to revoke authorization to execute preprocessor programs through external tables

Example 22-6 Example

EXEC DBMS_MACADM.UNAUTHORIZE_PREPROCESSOR('PFITCH');

22.1.31 UNAUTHORIZE_PROXY_USER Procedure

The UNAUTHORIZE_PROXY_USER procedure revokes authorization from a user who was granted proxy authorization from the DBMS_MACADM.AUTHORIZE_PROXY_USER procedure.

Syntax

DBMS_MACADM.UNAUTHORIZE_PROXY_USER(
  proxy_user   IN VARCHAR2,
  user_name    IN VARCHAR2);

Parameters

Table 22-24 UNAUTHORIZE_PROXY_USER

Parameter	Description
proxy_user	Name of the proxy user from whom you want to revoke authorization.
user_name	Name of the database user who was proxied by the proxy_user user. Enter % to specify all users.

Examples

The following example revokes proxy authorization from user preston for proxying all users:

DBMS_MACADM.UNAUTHORIZE_PROXY_USER('preston', '%');

This example revokes proxy authorization from user preston for proxying database user psmith only.

EXEC DBMS_MACADM.UNAUTHORIZE_PROXY_USER('preston', 'psmith');

22.1.32 UNAUTHORIZE_SCHEDULER_USER Procedure

The UNAUTHORIZE_SCHEDULER_USER procedure revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER procedure.

When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_SCHEDULER_USER procedure. For example, the following two procedures will work because the parameters are consistent:

EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');

However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_SCHEDULER_USER procedure will not work:

EXEC DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

Syntax

DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL);

Parameters

Table 22-25 UNAUTHORIZE_SCHEDULER_USER

Parameter	Description
user_name	Name of the job scheduling user from whom you want to revoke authorization. To find a list of users and authorizations from the AUTHORIZE_SCHEDULER_USER procedure, query the DBA_DV_JOB_AUTH data dictionary view as follows: SELECT * FROM DBA_DV_JOB_AUTH;
schema_name	Name of the database schema for which the user is authorized to schedule jobs.

Examples

EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

22.1.33 UNAUTHORIZE_TTS_USER Procedure

The UNAUTHORIZE_TTS_USER procedure removes from authorization users who had previously been granted the authorization to perform Oracle Data Pump transportable tablespace operations.

Syntax

DBMS_MACADM.UNAUTHORIZE_TTS_USER
  uname      IN VARCHAR2,
  tsname     IN VARCHAR2);

Parameters

Table 22-26 UNAUTHORIZE_TTS_USER

Parameter	Description
uname	Name of the user who you want to remove from being authorized to perform Oracle Data Pump transportable tablespace operations. To find a list of users and their current privileges, query the DBA_SYS_PRIVS data dictionary view.
tsname	Name of the tablespace that is used in the transportable tablespace operation. To find a list of tablespaces, query the DBA_TABLESPACES data dictionary view.

Example

EXEC DBMS_MACADM.UNAUTHORIZE_TTS_USER('PSMITH', 'HR_TS');

22.2 CONFIGURE_DV General System Maintenance Procedure

The CONFIGURE_DV procedure configures the initial two Oracle Database user accounts, which are granted the DV_OWNER and DV_ACCTMGR roles, respectively.

You can check the status of this configuration by querying the DBA_DV_STATUS data dictionary view. Before you run the CONFIGURE_DV procedure, you must create the two user accounts and grant them the CREATE SESSION privilege. The accounts can be either local or common. If you create common user accounts, then the Database Vault roles that are granted to these users apply to the current pluggable database (PDB) only. You then refer to these user accounts for the CONFIGURE_DV procedure.

The CONFIGURE_DV procedure resides in the SYS schema. Oracle provides a synonym, DVSYS.CONFIGURE_DV, so that any existing Oracle Database Vault configuration scripts that you may have created in previous releases will continue to work in this release.

You only can run the CONFIGURE_DV procedure once, when you are ready to register Oracle Database Vault with an Oracle database. After you run this procedure, you must run utlrp.sql script and then DBMS_MACADM.ENABLE_DV to complete the registration process. Oracle strongly recommends that for better security, you use the two accounts you create here as back-up accounts and then create additional accounts for every day use. See Backup Oracle Database Vault Accounts for guidance.

When you run the CONFIGURE_DV procedure, it checks the DVSYS schema for problems such as missing tables or packages. If it finds problems, then it raises an ORA-47500 Database Vault cannot be configured error. If this happens, then you must deinstall and then reinstall Oracle Database Vault.

Together, the CONFIGURE_DV and DBMS_MACADM.ENABLE_DV procedures, and the and utlrp.sql script, are designed to be a command-line alternative to using Oracle Database Configuration Assistant (DBCA) to register Oracle Database Vault with an Oracle database.

You must run the CONFIGURE_DV procedure as user SYS. Registering Oracle Database Vault with an Oracle Database in a Multitenant Environment describes the process that you would use.

Syntax

CONFIGURE_DV
  dvowner_uname         IN VARCHAR2,
  dvacctmgr_uname       IN VARCHAR2;

Parameters

Table 22-27 CONFIGURE_DV

Parameter	Description
dvowner_uname	Name of the user who will be the Database Vault Owner. This user will be granted the DV_OWNER role.
dvacctmgr_uname	Name of the user who will be the Database Vault Account Manager. This user will be granted the DV_ACCTMGR role. If you omit this setting, the user specified by the dvowner_uname parameter is made the Database Vault Account Manager and granted the DV_ACCTMGR role.

Example

CREATE USER dbv_owner IDENTIFIED BY password CONTAINER = CURRENT;
CREATE USER dbv_acctmgr IDENTIFIED BY password CONTAINER = CURRENT;
GRANT CREATE SESSION TO dbv_owner, dbv_acctmgr;

BEGIN
 CONFIGURE_DV (
   dvowner_uname         => 'dbv_owner',
   dvacctmgr_uname       => 'dbv_acctmgr');
 END;
/