B Disabling and Enabling Oracle Database Vault
Periodically you must disable and then re-enable Oracle Database Vault, for activities such as installing Oracle Database optional products or features.
- When You Must Disable Oracle Database Vault
  You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations.
- Step 1: Disable Oracle Database Vault
  Be aware that after you disable Oracle Database Vault, Oracle Label Security, which is required to run Database Vault, is still enabled.
- Step 2: Perform the Required Tasks
  At this stage, Oracle Database Vault is disabled and you can perform the required tasks.
- Step 3: Enable Oracle Database Vault
  You can enable Oracle Database Vault and Oracle Label Security from SQL*Plus from either the root or a PDB.
B.1 When You Must Disable Oracle Database Vault
You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations.
You can reenable Oracle Database Vault after you complete the corrective tasks.
The following situations require you to disable Oracle Database Vault:
- You must install any of the Oracle Database optional products or features, such as Oracle Spatial, by using Database Configuration Assistant (DBCA).
- You did not configure backup DV_OWNER and DV_ACCTMGR accounts when you configured and enabled Oracle Database Vault, and these accounts are inadvertently locked or their passwords forgotten. Note that if your site only has one DV_OWNER user and this user has lost their password, you will be unable to disable Oracle Database Vault. However, if your site's only DV_ACCTMGR user has lost the password, you can disable Database Vault. As a best practice, you should grant the DV_OWNER and DV_ACCTMGR roles to new or existing user accounts, and use the Database Vault Owner and Account Manager accounts that you created when you configured and enabled Database Vault as back-up accounts.
- You want to configure Oracle Internet Directory (OID) using Oracle Database Configuration Assistant (DBCA).
- Oracle Database Vault is enabled and you are upgrading an entire CDB. In this case, use one of the following methods:
  - CDB upgrade method 1: Temporarily grant the DV_PATCH_ADMIN role to user SYS commonly by logging into the root container as a common user with the DV_OWNER role, and then issuing the GRANT DV_PATCH_ADMIN TO SYS CONTAINER=ALL statement. Oracle Database Vault controls will be in the same state as they were before the upgrade. When the upgrade is complete, log into the root container as the DV_OWNER user and revoke the DV_PATCH_ADMIN role from SYS by issuing the REVOKE DV_PATCH_ADMIN FROM SYS CONTAINER=ALL statement.
  - CDB upgrade method 2: Log into each container as a user who has the DV_OWNER role and then run the DBMS_MACADM.DISABLE_DV procedure. You must disable the PDBs first (in any order) and the root container last. If you are upgrading only one PDB, then you can disable Oracle Database Vault in that PDB only. After you have completed the upgrade, you can enable Oracle Database Vault by logging into each container as the DV_OWNER user and then executing the DVSYS.DBMS_MACADM.ENABLE_DV procedure. The order of enabling Oracle Database Vault must be the root container first and PDBs afterward. You can enable the PDBs in any order, but the root container must be enabled first.
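CDB upgrade method 1 written out as a SQL*Plus session, with checks that the Database Vault state is unchanged and that the temporary role does not stay on SYS. This is an added example, not part of the original Oracle text; the account name c##dvowner is hypothetical, and the verification queries assume the connected account is permitted to read DBA_DV_STATUS and CDB_ROLE_PRIVS.

```sql
-- Added example (not from the original page).
-- Assumption: c##dvowner is a hypothetical common user that holds the DV_OWNER role.

-- 1. Before the upgrade: connect to the root container.
CONNECT c##dvowner
-- Expect CDB$ROOT here.
SHOW CON_NAME

-- Record the Database Vault state so it can be compared after the upgrade.
-- Assumption: this account can read DBA_DV_STATUS.
SELECT name, status FROM dba_dv_status;

-- Temporary grant described in method 1.
GRANT DV_PATCH_ADMIN TO SYS CONTAINER=ALL;

-- 2. Run the CDB upgrade here.

-- 3. After the upgrade: reconnect to the root container as the DV_OWNER user
--    and remove the temporary grant.
CONNECT c##dvowner
SHOW CON_NAME
REVOKE DV_PATCH_ADMIN FROM SYS CONTAINER=ALL;

-- 4. Verify. The status rows should match what was recorded in step 1.
SELECT name, status FROM dba_dv_status;

-- No container should still show DV_PATCH_ADMIN granted to SYS.
-- Assumption: run this from an account that can read CDB_ROLE_PRIVS.
-- CDB_ views only report containers that are open, so open all PDBs first.
SELECT con_id, grantee, granted_role, common
FROM   cdb_role_privs
WHERE  granted_role = 'DV_PATCH_ADMIN'
AND    grantee      = 'SYS'
ORDER  BY con_id;
-- Expected result: no rows selected.
```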
Note:
Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during the Oracle Database Vault configuration remain in effect.
B.2 Step 1: Disable Oracle Database Vault
Be aware that after you disable Oracle Database Vault, Oracle Label Security, which is required to run Database Vault, is still enabled.
B.3 Step 2: Perform the Required Tasks
At this stage, Oracle Database Vault is disabled and you can perform the required tasks.
You can perform the following types of activities:
- Use the Oracle Database Vault PL/SQL packages and functions. For example, to correct a login or CONNECT rule set error, use the DBMS_MACADM PL/SQL package or the Oracle Database Vault pages in Enterprise Manager Cloud Control. Note that a CONNECT command rule cannot prevent a user who has the DV_OWNER or DV_ADMIN role from connecting to the database. This enables a Database Vault administrator to correct a misconfigured protection without having to disable Database Vault.
- Use the SYSTEM or SYS accounts to perform tasks such as creating or changing passwords, or locking and unlocking accounts. In addition to modifying standard database and administrative user accounts, you can modify passwords and the lock status of any of the Oracle Database Vault-specific accounts, such as users who have been granted the DV_ADMIN or DV_ACCTMGR roles.
- Perform the installation or other tasks that require security protections to be disabled.
B.4 Step 3: Enable Oracle Database Vault
You can enable Oracle Database Vault and Oracle Label Security from SQL*Plus from either the root or a PDB.