10 Cleaning Up After the Quick Start Guide

If you completed the tasks in this Quick Start Guide in your databases, there are a number of changes that you should revert.

As a user with the DV_OWNER or DV_ADMIN role, perform the following:

  1. Disable Database Vault operations control from the container database:
    connect c##dvowner
    EXEC DBMS_MACADM.DISABLE_APP_PROTECTION;
    connect / as sysdba
    SELECT * FROM CDB_DV_STATUS;
  2. Delete the command rules, realms, and associated rules and rule sets:
    connect c##jsmith@pdb_name
    
    BEGIN
        DBMS_MACADM.DELETE_COMMAND_RULE(  
            command         => 'DROP TABLE' 
            ,object_owner   => 'HR' 
            ,object_name    => '%' 
            ,scope          => DBMS_MACUTL.G_SCOPE_LOCAL);
    END;
    /
    BEGIN
        DBMS_MACADM.DELETE_RULE_SET(
            rule_set_name => 'Trusted Rule Set');
    END;
    /
    BEGIN
        DBMS_MACADM.DELETE_RULE(
            rule_name => 'Trusted IP Address');
    END;
    /
    BEGIN
        DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE(realm_name => 'Protect HR tables');
    END;
    /
    BEGIN
        DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE(realm_name => 'Protect HR indexes');
    END;
    /
  3. As a user who has the privileges to administer unified audit policies, delete the unified audit policies:
    connect c##cmack@pdb_name
    
    NOAUDIT POLICY AUD_PROTECT_HR_TABLES;
    NOAUDIT POLICY AUD_PROTECT_HR_INDEXES;
    NOAUDIT POLICY AUD_PROTECT_RULE_SET_TRS;
    
    DROP AUDIT POLICY AUD_PROTECT_HR_TABLES;
    DROP AUDIT POLICY AUD_PROTECT_HR_INDEXES;
    DROP AUDIT POLICY AUD_PROTECT_RULE_SET_TRS;
  4. To drop the users in this example, perform the following as a user with the DV_ACCTMGR role:
    connect c##dvacctmgr
    DROP USER C##CMACK CASCADE;
    
    ALTER SESSION SET CONTAINER=pdb_name;
    
    DROP USER GKRAMER CASCADE;
  5. Before you can drop JSMITH, you must revoke DV_ADMIN. This is a mechanism to prevent the accidental, or intentional, destruction of privileged Database Vault users:
    connect c##dvowner
    REVOKE DV_ADMIN FROM C##JSMITH CONTAINER=ALL;
    
    connect c##dvacctmgr
    DROP USER C##JSMITH CASCADE;
  6. Disable Oracle Database Vault on the pluggable and container databases. You will perform the disablement in reverse order of the enablement. To enable, you started with the container database and moved to the pluggable databases. To disable, you will start on the pluggable databases then move to the container database.
    1. In the pluggable database, as a user with the DV_OWNER role, perform the following:
      CONNECT c##dvowner@pdb_name
      
      SELECT * FROM DBA_DV_STATUS;
      EXEC DBMS_MACADM.DISABLE_DV;
    2. Restart the pluggable database for the changes to take effect:
      connect / as sysdba
      ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
      ALTER PLUGGABLE DATABASE pdb_name OPEN;
    3. Check the Oracle Database Vault enablement status:
      SELECT CON_ID_TO_CON_NAME(CON_ID) CON_NAME, NAME, STATUS 
          FROM CDB_DV_STATUS
      ORDER BY 1;
      The output should be:
      CON_NAME    NAME                   STATUS
      ___________ ______________________ _________________
      CDB$ROOT    DV_CONFIGURE_STATUS    TRUE
      CDB$ROOT    DV_ENABLE_STATUS       TRUE
      CDB$ROOT    DV_APP_PROTECTION      DISABLED
      pdb_name    DV_CONFIGURE_STATUS    TRUE
      pdb_name    DV_ENABLE_STATUS       FALSE
      pdb_name    DV_APP_PROTECTION      DISABLED
    4. Now disable Database Vault on the container database:
      CONNECT c##dvowner
      
      EXEC DBMS_MACADM.DISABLE_DV;
    5. Restart the container database for the changes to take effect:
      connect / as sysdba
      SHUTDOWN IMMEDIATE;
      STARTUP;
    6. Check the Oracle Database Vault enablement status:
      SELECT CON_ID_TO_CON_NAME(CON_ID) CON_NAME, NAME, STATUS 
          FROM CDB_DV_STATUS
      ORDER BY 1;
      The output should be:
      CON_NAME    NAME                   STATUS
      ___________ ______________________ _________________
      CDB$ROOT    DV_CONFIGURE_STATUS    TRUE
      CDB$ROOT    DV_ENABLE_STATUS       FALSE
      CDB$ROOT    DV_APP_PROTECTION      DISABLED
      pdb_name    DV_CONFIGURE_STATUS    TRUE
      pdb_name    DV_ENABLE_STATUS       FALSE
      pdb_name    DV_APP_PROTECTION      DISABLED
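
To confirm that nothing created during the Quick Start remains in the pluggable database, the following check lists any leftover objects by name. It is an added example, not part of the original guide. It assumes that c##dvowner can still read the Database Vault views after `DISABLE_DV` and that a SYSDBA session can read the audit and user dictionary views; both queries should return no rows.

```sql
-- Added verification example (not from the original guide).
-- Object names are the ones deleted in steps 2 through 5 above.

-- Assumption: c##dvowner retains DV_OWNER and can query the DVSYS views
-- even though Database Vault is now disabled.
connect c##dvowner@pdb_name

SELECT 'REALM' AS object_type, name AS object_name
  FROM dba_dv_realm
 WHERE name IN ('Protect HR tables', 'Protect HR indexes')
UNION ALL
SELECT 'RULE SET', rule_set_name
  FROM dba_dv_rule_set
 WHERE rule_set_name = 'Trusted Rule Set'
UNION ALL
SELECT 'RULE', name
  FROM dba_dv_rule
 WHERE name = 'Trusted IP Address'
UNION ALL
SELECT 'COMMAND RULE', command || ' on ' || object_owner || '.' || object_name
  FROM dba_dv_command_rule
 WHERE command = 'DROP TABLE'
   AND object_owner = 'HR';

-- Assumption: a SYSDBA session is used for the audit and user checks.
connect / as sysdba
ALTER SESSION SET CONTAINER=pdb_name;

-- UNION (not UNION ALL) collapses the one-row-per-audit-option layout
-- of AUDIT_UNIFIED_POLICIES into a single row per policy.
SELECT 'AUDIT POLICY' AS object_type, policy_name AS object_name
  FROM audit_unified_policies
 WHERE policy_name IN ('AUD_PROTECT_HR_TABLES',
                       'AUD_PROTECT_HR_INDEXES',
                       'AUD_PROTECT_RULE_SET_TRS')
UNION
SELECT 'USER', username
  FROM dba_users
 WHERE username IN ('C##CMACK', 'C##JSMITH', 'GKRAMER');
```

Any row returned names an object that a step above did not remove; rerun that step before treating the cleanup as complete.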