Changes in This Release for Oracle Database Vault Administrator's Guide

Changes in Oracle Database Vault 19c

The following are changes in Oracle Database Vault Administrator's Guide for Oracle Database 19c.

Command Rule Support for Unified Audit Policies

You now can create Oracle Database Vault command rules for unified audit policies.

You can now use command rules to control who can enable or disable unified audit policies. This feature lets you specify a unified audit policy name directly as part of the command rule. It extends the existing use of AUDIT and NOAUDIT in command rules, but when you specify a unified audit policy for the command rule, you must specify AUDIT POLICY or NOAUDIT POLICY.

Database Vault Operations Control for Infrastructure Database Administrators

In a multitenant database, you now can use Oracle Database Vault to block common users (infrastructure DBAs, for example) from accessing local data in pluggable databases (PDBs) in autonomous, regular Cloud, or on-premises environments.

This enhancement prevents common users from accessing local data that resides on a PDB. It enables you to store sensitive data for your business applications and allow operations to manage the database infrastructure without having to access sensitive customer data.

Privilege Analysis Now Available in Oracle Database Enterprise Edition

Privilege analysis is now available as part of Oracle Database Enterprise Edition.

Privilege analysis runs dynamic analysis of users and applications to find privileges and roles that are used and unused. Privilege analysis reduces the work to implement least-privilege best practices by showing you exactly what privileges are used and not used by each account. Privilege analysis is highly performant and designed to work in test, development, and production databases.

As part of this change, the documentation for privilege analysis has moved from Oracle Database Vault Administrator’s Guide to Oracle Database Security Guide.

Changes in Oracle Database Vault 18c

The following are changes in Oracle Database Vault Administrator's Guide for Oracle Database 18c.

Enhancements to Oracle Database Vault Simulation Mode

Simulation mode in Oracle Database Vault has several enhancements in this release.

  • Simulation mode now captures all mandatory realm violations from a SQL statement.

  • Simulation mode can capture the full call stack information.

  • The default trusted path context factors are now available as separate columns instead of being concatenated together.

Capturing all mandatory realm violations from a SQL statement enables you to see all changes that you may need to make. Otherwise, the first mandatory realm violation may mask other violations that would not be noticed until the original fix is completed and another regression test is run. This enhancement enables faster regression testing and application certification.

Seeing the full call stack helps you to identify the original SQL statement that has the violation. In many cases, similar SQL statements are called by different parts of the application. This feature helps an application developer to quickly identify exactly which application code triggered the violation.

Context factors are used to build trusted paths for realms and command rules. There are some commonly used factors for trusted paths, so these were extracted from the single string representation in the last release into their own columns. This enhancement makes it much easier to identify the factors to use in trusted path rule sets.

New Factor Functions

Starting with this release, four new factor functions are available.

The factor functions are as follows:

  • F$DV$_CLIENT_IDENTIFIER

  • F$DV$_DBLINK_INFO

  • F$DV$_MODULE

  • F$PROXY_USER

Ability to Grant Data Pump-Database Vault Authorizations to Roles

Starting with this release, you can authorize roles to perform Oracle Data Pump operations in an Oracle Database Vault environment.

In previous releases, you could grant this authorization only to individual users. This enhancement enables administrators to manage users through roles for this type of authorization.

Oracle Database Vault Support for Oracle Database Replay

In this release, you now can perform Oracle Database Replay operations in an Oracle Database Vault environment.

The following functionality supports this feature:

  • DBMS_MACADM PL/SQL procedures:

    • DBMS_MACADM.AUTHORIZE_DBCAPTURE

    • DBMS_MACADM.AUTHORIZE_DBREPLAY

    • DBMS_MACADM.UNAUTHORIZE_DBCAPTURE

    • DBMS_MACADM.UNAUTHORIZE_DBREPLAY

  • Data dictionary views:

    • DBA_DV_DBCAPTURE_AUTH

    • DBA_DV_DBREPLAY_AUTH