9 Separating Container Administrators from application data

Beginning with Oracle Database Vault 19c, operations control allows you to separate container administrators (common users, whose names begin with C##) from the non-Oracle-maintained data in pluggable databases. It is a CDB-wide control: you enable it once in the root, and it applies to every pluggable database in the container database.

For example, with operations control enabled, the common user C##JSMITH cannot query the HR.EMPLOYEES table in the PDB1 pluggable database, even if the account holds system privileges that would otherwise allow it.

After you have configured and enabled Oracle Database Vault in the container database (CDB$ROOT), enabling operations control is a single procedure call.

To check the current enablement status of operations control:

  1. Connect with the SYSDBA administrative privilege:
    connect / as sysdba
  2. Check the Database Vault status of every container in the CDB:
    select * from cdb_dv_status;
    The following result should appear:
    NAME                   STATUS            CON_ID
    ______________________ _________________ _________
    DV_CONFIGURE_STATUS    TRUE              1
    DV_ENABLE_STATUS       TRUE              1
    DV_APP_PROTECTION      NOT CONFIGURED    1
    DV_CONFIGURE_STATUS    TRUE              3
    DV_ENABLE_STATUS       TRUE              3
    DV_APP_PROTECTION      NOT CONFIGURED    3

    CON_ID 1 is CDB$ROOT and CON_ID 3 is the pluggable database (PDB1 in this example). Database Vault is configured and enabled in both, but operations control has not been configured yet.

    DV_APP_PROTECTION is the status row for Oracle Database Vault operations control.

To enable Database Vault operations control:

  1. Connect to the root container as a user with the DV_OWNER role:
    connect c##dvowner
  2. Enable Database Vault operations control for the whole CDB:
    EXEC DBMS_MACADM.ENABLE_APP_PROTECTION;
  3. Verify that Database Vault operations control was enabled:
    1. Connect with the SYSDBA administrative privilege:
      connect / as sysdba
    2. Check the Database Vault status of every container in the CDB:
      select * from cdb_dv_status;
      The following result should appear:
      NAME                   STATUS            CON_ID
      ______________________ _________________ _________
      DV_CONFIGURE_STATUS    TRUE              1
      DV_ENABLE_STATUS       TRUE              1
      DV_APP_PROTECTION      ENABLED           1
      DV_CONFIGURE_STATUS    TRUE              3
      DV_ENABLE_STATUS       TRUE              3
      DV_APP_PROTECTION      ENABLED           3

      DV_APP_PROTECTION now reports ENABLED for every container, including the PDB, even though the procedure was run only in the root. Any container that still reports NOT CONFIGURED needs attention before you rely on the control.
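The procedure above, as one SQL*Plus script that also finishes with the test a practitioner actually wants: proof that a common user is blocked. This is an added example, not part of the original page. It assumes (none of this is stated on the page) that the PDB with CON_ID 3 is PDB1 and is reachable through the service name pdb1, that a common user C##JSMITH exists and holds SELECT ANY TABLE, and that the HR sample schema is installed in PDB1. Run it from CDB$ROOT.

```sql
-- Added example (not from the original page): enable Database Vault
-- operations control end to end, then prove it works with a negative test.
-- Assumed names: service pdb1, common user C##JSMITH (SELECT ANY TABLE),
-- HR sample schema in PDB1.

-- 1. Baseline: the operations-control row is reported once per container.
CONNECT / AS SYSDBA
COLUMN name   FORMAT A22
COLUMN status FORMAT A16
SELECT name, status, con_id
  FROM cdb_dv_status
 WHERE name = 'DV_APP_PROTECTION'
 ORDER BY con_id;
-- Before enablement every CON_ID shows NOT CONFIGURED.

-- 2. Enable it as the Database Vault owner (DV_OWNER role) in the root.
CONNECT c##dvowner
EXEC DBMS_MACADM.ENABLE_APP_PROTECTION;

-- 3. Verify. Filtering on status <> 'ENABLED' turns the check into a
--    "no rows selected" test: any row that comes back names a container
--    where operations control is not in force.
CONNECT / AS SYSDBA
SELECT con_id, status
  FROM cdb_dv_status
 WHERE name = 'DV_APP_PROTECTION'
   AND status <> 'ENABLED';

-- 4. Negative test: the common user must no longer be able to read local,
--    non-Oracle-maintained data in the PDB. This SELECT is expected to
--    fail with an insufficient-privileges error; if it returns a count,
--    operations control is not protecting PDB1.
CONNECT c##jsmith@pdb1
SELECT COUNT(*) FROM hr.employees;
```

Step 3 is written so that success is an empty result, which is easier to script and to review than eyeballing a full status listing. Step 4 is the only step that demonstrates the control itself; run it against a user that previously could read the table so that a failure is meaningful.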

Operations control is enabled at the CDB level and applies to all pluggable databases, so it is a valid configuration to have operations control enabled in the CDB and every PDB while Database Vault itself is not configured or enabled in a particular PDB. All that is required is that Database Vault is configured and enabled in the container database root; from there, operations control separates common users (C##) from the local data in every pluggable database, including PDBs that do not enforce their own Database Vault realms and command rules.

For example, if this environment had a second PDB (CON_ID 4) in which Database Vault was neither configured nor enabled, the following output of select * from cdb_dv_status would still be a valid configuration:

NAME                   STATUS            CON_ID
______________________ _________________ _________
DV_CONFIGURE_STATUS    TRUE              1
DV_ENABLE_STATUS       TRUE              1
DV_APP_PROTECTION      ENABLED           1
DV_CONFIGURE_STATUS    TRUE              3
DV_ENABLE_STATUS       TRUE              3
DV_APP_PROTECTION      ENABLED           3
DV_CONFIGURE_STATUS    FALSE             4
DV_ENABLE_STATUS       FALSE             4
DV_APP_PROTECTION      ENABLED           4
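Reading three rows per container out of CDB_DV_STATUS gets error-prone as the number of PDBs grows. The query below, an added example rather than part of the original page, folds the status rows into one line per container and attaches a plain-language verdict, so the mixed configuration shown above reads as: root and CON_ID 3 fully protected, CON_ID 4 protected by operations control only. It assumes the caller can see CDB_DV_STATUS and V$CONTAINERS (for example, SYSDBA in the root); the verdict strings are the example's own wording, not Oracle status values.

```sql
-- Added example (not from the original page): per-container summary of
-- Database Vault and operations-control status. Run from CDB$ROOT with a
-- privilege set that can read CDB_DV_STATUS and V$CONTAINERS.
COLUMN container FORMAT A12
COLUMN verdict   FORMAT A60
SELECT c.con_id,
       c.name AS container,
       MAX(CASE WHEN s.name = 'DV_CONFIGURE_STATUS' THEN s.status END) AS dv_configured,
       MAX(CASE WHEN s.name = 'DV_ENABLE_STATUS'    THEN s.status END) AS dv_enabled,
       MAX(CASE WHEN s.name = 'DV_APP_PROTECTION'   THEN s.status END) AS ops_control,
       CASE
         -- Operations control missing: common users can still reach local data.
         WHEN MAX(CASE WHEN s.name = 'DV_APP_PROTECTION' THEN s.status END) <> 'ENABLED'
           THEN 'NOT PROTECTED: C## users can read local data here'
         -- The CON_ID 4 case above: operations control applies, but the PDB
         -- itself does not enforce Database Vault realms or command rules.
         WHEN MAX(CASE WHEN s.name = 'DV_ENABLE_STATUS' THEN s.status END) = 'FALSE'
           THEN 'operations control only (Database Vault not enabled in this PDB)'
         ELSE 'operations control and Database Vault both enforced'
       END AS verdict
  FROM cdb_dv_status s
  JOIN v$containers  c ON c.con_id = s.con_id
 GROUP BY c.con_id, c.name
 ORDER BY c.con_id;
```

Against the output shown above this returns three rows: CDB$ROOT and the CON_ID 3 PDB with "both enforced", and the CON_ID 4 PDB with "operations control only". A row whose verdict starts with NOT PROTECTED is the one to act on; the other two states are both valid, and the difference between them is whether that PDB's own realms and command rules are also in force.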