1. Administrator's Guide
  2. Configuring Oracle Database Vault Policies

9 Configuring Oracle Database Vault Policies

You can use Oracle Database Vault policies to implement frequently used realm and command rule settings.

9.1 What Are Database Vault Policies?

An Oracle Database Vault policy groups local realms and command rules into a named policy that you can enable or disable as necessary.

Parent topic: Configuring Oracle Database Vault Policies

9.1.1 About Oracle Database Vault Policies

Oracle Database Vault policies can group realm and command rule definitions into one policy, which then can be collectively enabled or disabled.

Database Vault policies enable you to delegate limited realm administration privileges to database users without giving them the powerful privileges that the DVADM and DVOWNER roles provide. Oracle Database Vault provides default policies.

For example, suppose you have a set of Oracle Database Vault objects that are related to a particular application, such as a realm and several command rules. You can use a Database Vault policy to group these objects into one policy. You then can designate a policy administrator to manage adding users to a realm for this application and for enabling or disabling the policy. If there is only one primary application, then it can be used for manageability where a user can enable, disable, or simulate (use simulation mode) all related objects with one command rather than issuing a command for each included Database Vault object.

How the enablement of the individual realms and command rules works depends on how you set the policy state of the policy, as follows:

  • Full enabled mode (DBMS_MACADM.G_ENABLED) sets the policy to take precedence over the individual enablement settings of the associated realms and command rules. For example, if the associated objects of a policy are individually disabled, then they will be enabled if the policy is enabled. (Conversely, you can set DBMS_MACADM.G_PARTIAL to allow the embedded security objects to set their own enabled, disabled, or simulation mode.)

  • Partial enabled mode (DBMS_MACADM.G_PARTIAL) enables the associated realms and command rules to have different status settings (ENABLED, DISABLED, and SIMULATION). The other policy status choices force all associated controls to the same status dictated by the policy. Setting the policy status to partial allows each realm and command rule to change status as required.

  • Simulation mode (DBMS_MACACM.G.SIMULATION) enables the policy but writes violations to realms or command rules to a designated log table with information about the type of violation, such as a user name or the SQL statement that was used. Simulation forces every security object in the policy to be in simulation mode.

  • Disabled mode (DBMS_MACADM.G_DISABLED) disables the policy after you create it.

In general, to create a Database Vault policy, you perform the following steps:

  1. Create the necessary realms and command rules to use in the policy.

  2. Create the Database Vault policy.

    You can use the DBMS_MACADM.CREATE_POLICY procedure to create the policy.

  3. Add one or more realms to the policy.

    You can use the DBMS_MACADM.ADD_REALM_TO_POLICY procedure to add realms to the policy.

  4. Add one or more command rules to the policy.

    You can use the DBMS_MACADM.ADD_CMD_TO_POLICY procedure to add command rules to the policy.

  5. Add one or more database users as owners of the policy.

    You can use the DBMS_MACADM.ADD_OWNER_TO_POLICY procedure to add users to the policy. Afterward, grant this user the DV_POLICY_OWNER role. This user will be able to perform a limited set of tasks: changing the policy state, adding or removing authorization from a realm, and having the SELECT privilege for a set of the DVSYS.POLICY_OWNER* data dictionary views. By default, the DVOWNER user owns the policy.

After the policy is created, it can be used right away.

Related Topics

Parent topic: What Are Database Vault Policies?

9.1.2 Oracle Database Vault Policies in a Multitenant Environment

Oracle Database Vault policies are only local to the pluggable database (PDB) in which they were created.

That is, if you created the policy in a PDB, then only local realms and command rules can be added to it.

Parent topic: What Are Database Vault Policies?

9.2 Default Oracle Database Vault Policies

Oracle Database Vault provides two default policies that you can use to better secure user accounts and system privileges.

You can use the default policies in your own security configurations. If you do not need them, then you can remove them because they are not needed for internal use by Oracle Database Vault.

The default policies are as follows:

  • Oracle Account Management Controls enforces controls over user-related operations within Oracle Database Vault. It is used to prevent ad hoc user account creation, user deletions, and other user account-related operations by unauthorized privileged users. It includes the Database Vault Account Management realm and user account management command rules for SQL statements such as CREATE USER.

  • Oracle System Protection Controls enforces controls on important database schemas, privileges, and roles that are associated with the default Oracle Database environment. It includes the realms such as Oracle Default Schema Protection Realm and command rules for the system management SQL statement ALTER SYSTEM.

Related Topics

Parent topic: Configuring Oracle Database Vault Policies

9.3 Creating an Oracle Database Policy

To create an Oracle Database Vault policy, you create a container policy that specifies the realms and command rules that encompass the policy.

You can enable the policy during creation time, or enable it later on by executing the .
  1. Connect to the PDB as a user who has been granted the DV_OWNER or DV_ADMIN role.
  2. Run the DBMS_MACADM.CREATE_POLICY procedure to create the policy
    For example: 
    BEGIN
 DBMS_MACADM.CREATE_POLICY(
  policy_name  => 'OE Policy',
  description  => 'Policy to protect the OE schema',
  policy_state => DBMS_MACADM.G_ENABLED,
  pl_sql_stack => TRUE);
END;
/

    In this specification:

    • policy_name can be up to 128 characters in mixed case. The DBA_DV_POLICY data dictionary view lists existing policies.
    • description can be up to 4000 characters in mixed-case.
    • policy_state enables or disables the policy, using one of the following settings:
      • DBMS_MACADM.G_ENABLED (or 1) enables the policy after you create it.
      • DBMS_MACADM.G_DISABLED (or 0) disables the policy after you create it.
      • DBMS_MACADM.G_SIMULATION (or 2) sets the policy to simulation mode. In simulation mode, any violations to realms or command rules used in the policy are logged in a designated log table with sufficient information to describe the error, such as the user name or SQL statement used.
      • DBMS_MACADM.G_PARTIAL (or 3) sets the policy to partial mode. In partial mode, the enforcement state of realms or command rules associated with the policy can be changed individually.
    • pl_sql_stack is used when simulation mode is enabled and specifies whether to record the PL/SQL stack for failed operations. Enter TRUE to record the PL/SQL stack, FALSE to not record.
  3. So that the Database Vault policy owner can query policy related views and run the allowed procedures, grant this user the DV_POLICY_OWNER role.
    You can grant this role to multiple users.
    For example:
    GRANT DV_POLICY_OWNER TO psmith, pfitch;
  4. To add a database user as the owner of the policy, run the DBMS_MACADM.ADD_OWNER_TO_POLICY procedure.
    The policy owner will be able to modify the policy.
    For example:
    BEGIN
 DBMS_MACADM.ADD_OWNER_TO_POLICY(
  policy_name    => 'OE Policy',
  owner_name     => 'PSMITH');
END;
/
  5. To add a command rule to the policy, run the DBMS_MACADM.ADD_CMD_RULE_TO_POLICY procedure.
    If you created the policy in a PDB, then the command rule must be local to this PDB.
    For example, for a simple command rule: 
    BEGIN
 DBMS_MACADM.ADD_CMD_RULE_TO_POLICY(
  policy_name    => 'OE Policy',
  command        => 'SELECT',
  object_owner   => 'OE',
  object_name    => 'ORDERS',
  scope          => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/

    In this specification, the command rule must exist and match the parameters included. To fine the command rule definition, query the DBA_DV_COMMAND_RULE.

    If you want to add an ALTER SYSTEM or ALTER SESSION command rule, then you must include the parameters specific to those command rules. For example: 
    BEGIN
 DBMS_MACADM.ADD_CMD_RULE_TO_POLICY(
  policy_name    => 'OE Policy',
  command        => 'ALTER SESSION',
  object_owner   => '%',
  object_name    => '%',
  clause_name    => 'PARALLEL DDL', 
  parameter_name => '',
  event_name     => '',
  action_name    => '',
  scope          => DBMS_MACUTL.G_SCOPE_LOCAL);
END;
/
  6. To add a realm to the policy, run the DBMS_MACADM.ADD_REALM_TO_POLICY procedure.
    If you created the policy in a PDB, then the command rule must be local to this PDB.
    For example: 
    BEGIN
 DBMS_MACADM.ADD_REALM_TO_POLICY(
  policy_name    => 'OE Policy',
  realm_name     => 'Database Vault Account Management');
END;
/

    In this specification:

    • policy_name is a name of the policy. The DBA_DV_POLICY view lists existing policies.
    • realm_name is the name of the realm. The DBA_DV_REALM view lists existing realms.

Related Topics

Parent topic: Configuring Oracle Database Vault Policies

9.4 Modifying an Oracle Database Vault Policy

You can use the modify an Oracle Database Vault policy.

You can modify only the description and state of a policy. If you want to make other modifications, such as changing the realm that is associated with the policy, then you must delete the object from the policy (for example, with the DBMS_MACADM.DELETE_REALM_FROM_POLICY procedure) and then add the replacement object (for example, with DBMS_MACADM.ADD_REALM_TO_POLICY) to the policy.
  1. Connect to the PDB as a user who has been granted the DV_OWNER or DV_ADMIN role.
  2. Find policy and check its definition.
    For example: 
    SELECT * FROM DBA_DV_POLICY ORDER BY NAME;
  3. To change the policy description, run the DBMS_MACADM.UPDATE_POLICY_DESCRIPTION procedure.
    For example: 
    BEGIN
 DBMS_MACADM.UPDATE_POLICY_DESCRIPTION(
  policy_name  => 'OE Policy',
  description  => 'Policy to protect the OE schema from external intruders');
END;
/
  4. To change the policy state, run the DBMS_MACADM.UPDATE_POLICY_STATE procedure.
    For example: 
    BEGIN
 DBMS_MACADM.UPDATE_POLICY_STATE(
  policy_name   => 'OE Policy',
  policy_state  => DBMS_MACADM.G_SIMULATION,
  pl_sql_stack  => TRUE);
END;
/

Related Topics

Parent topic: Configuring Oracle Database Vault Policies

9.5 Deleting an Oracle Database Vault Policy

You can use Enterprise Manager Cloud Control to delete Oracle Database Vault policies.

When you delete an Oracle Database Vault policy, the underlying realms and command rules are preserved, and they retain their individual enablement status. You do not need to remove any objects (such as realms) that are associated with the policy before deleting it.
  1. Connect to the PDB as a user who has been granted the DV_OWNER or DV_ADMIN role.
  2. Query the DBA_DV_POLICY_OBJECT data dictionary view to find the policy to delete.
    For example: 
    SELECT POLICY_NAME FROM DBA_DV_POLICY ORDER BY POLICY_NAME;
  3. Run the DBMS_MACADM.DROP_POLICY procedure to drop the policy.
    For example: 
    EXEC DBMS_MACADM.DROP_POLICY ('OE Policy');

Parent topic: Configuring Oracle Database Vault Policies

9.6 Related Data Dictionary Views

Oracle Database Vault provides data dictionary views that are useful for analyzing Database Vault policies.

Table 9-1 lists data dictionary views that provide information about existing Oracle Database Vault policies.

Table 9-1 Data Dictionary Views Used for Oracle Database Vault Policies

Data Dictionary View Description

DBA_DV_POLICY

Lists the Database Vault policies, a description, and their state

DBA_DV_POLICY_OBJECT

Provides detailed information about the policies, such as the associated realms and command rules

DBA_DV_POLICY_OWNER

Lists the owners of Database Vault policies

DBA_DV_REALM_AUTH

Enables users who have been granted the DV_POLICY_OWNER role to find information about the authorization that was granted to realms that have been associated with Database Vault policies, such as the realm name, grantee, and associated rule set.

DVSYS.POLICY_OWNER_COMMAND_RULE

Enbles users who have been granted the DV_POLICY_OWNER role to find information about the command rules that have been associated with Database Vault policies, such as the command rule name.

DVSYS.POLICY_OWNER_POLICY

Enbles users who have been granted the DV_POLICY_OWNER role to find information such as the names, descriptions, and states of existing policies in the current database instance, including policies created by other policy owners

DVSYS.POLICY_OWNER_REALM

Enables users who have been granted the DV_POLICY_OWNER role to find information about the realms that have been associated with Database Vault policies, such as the realm name, audit options, or type

DVSYS.POLICY_OWNER_REALM_OBJECT

Enables users who have been granted the DV_POLICY_OWNER role to find information about the objects that have been added to realms that are associated with Database Vault policies, such as the realm name, grantee, and associated rule set

DVSYS.POLICY_OWNER_RULE

Enables users who have been granted the DV_POLICY_OWNER role to find information about the rules that have been associated with rule sets in Database Vault policies, such as the rule name and its expression

DVSYS.POLICY_OWNER_RULE_SET

Enables users who have been granted the DV_POLICY_OWNER role to find information about the rule sets that have been associated with Database Vault policies, such as the rule set name, its handler information, and whether it is enabled

DVSYS.POLICY_OWNER_RULE_SET_RULE

Enables users who have been granted the DV_POLICY_OWNER role to find information about the rule sets that contain rules used in Database Vault policies, such as the rule set name and whether it is enabled

Related Topics

Parent topic: Configuring Oracle Database Vault Policies