9 Separating Container Administrators from application data
Beginning with Oracle Database Vault 19c, operations control allows you to separate container administrators (C## common users) from the non-Oracle-maintained data in pluggable databases.
For example, C##JSMITH would not be able to query the HR.EMPLOYEES table in the PDB1 pluggable database.
After you have configured and enabled Oracle Database Vault in the container database, it is easy to enable operations control.
To check the current enablement status of operations control:
- Connect to the sysdba user account:
  connect / as sysdba
- Check the Database Vault configurations on the container database:
  select * from cdb_dv_status
  The following result should appear:
NAME STATUS CON_ID
______________________ _________________ _________
DV_CONFIGURE_STATUS TRUE 1
DV_ENABLE_STATUS TRUE 1
DV_APP_PROTECTION NOT CONFIGURED 1
DV_CONFIGURE_STATUS TRUE 3
DV_ENABLE_STATUS TRUE 3
DV_APP_PROTECTION NOT CONFIGURED 3
DV_APP_PROTECTION is the parameter for Oracle Database Vault operations control.
To enable Database Vault operations control:
- Connect as a user with the DV_OWNER role:
  connect c##dvowner
- Enable Database Vault operations control:
  EXEC DBMS_MACADM.ENABLE_APP_PROTECTION;
- Verify that Database Vault operations control was enabled:
  - Connect to the sysdba user account:
    connect / as sysdba
  - Check the Database Vault configurations on the container database:
    select * from cdb_dv_status
    The following result should appear:
NAME STATUS CON_ID
______________________ _________________ _________
DV_CONFIGURE_STATUS TRUE 1
DV_ENABLE_STATUS TRUE 1
DV_APP_PROTECTION ENABLED 1
DV_CONFIGURE_STATUS TRUE 3
DV_ENABLE_STATUS TRUE 3
DV_APP_PROTECTION ENABLED 3
DV_APP_PROTECTION is the parameter for Oracle Database Vault operations control.
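The steps above (check, enable, verify) collected into one SQL*Plus script, with a final negative test that confirms the separation actually holds. This is an added example, not part of the original lab: C##JSMITH, HR.EMPLOYEES and PDB1 are the tutorial's example names, C##DVOWNER is the tutorial's DV_OWNER account, and the script assumes C##JSMITH has already been granted CREATE SESSION (or SET CONTAINER) for PDB1. The status query is narrowed to DV_APP_PROTECTION so that it returns no rows once every container is protected, which is easier to read in a multi-PDB CDB than the full cdb_dv_status listing.

```sql
-- Added example (not from the original tutorial). SQL*Plus syntax;
-- 'connect' prompts for the password of each account.

-- 1. Before enabling: list only containers where operations control is NOT active.
--    Expect one row per container, with status NOT CONFIGURED.
connect / as sysdba
SELECT con_id, status
  FROM cdb_dv_status
 WHERE name = 'DV_APP_PROTECTION'
   AND status <> 'ENABLED';

-- 2. Enable operations control as the DV_OWNER account (run from the CDB root).
connect c##dvowner
EXEC DBMS_MACADM.ENABLE_APP_PROTECTION;

-- 3. Verify: the same query must now return no rows.
connect / as sysdba
SELECT con_id, status
  FROM cdb_dv_status
 WHERE name = 'DV_APP_PROTECTION'
   AND status <> 'ENABLED';

-- 4. Negative test as the common user (assumes C##JSMITH can open a session in PDB1).
--    The query against non-Oracle-maintained data in the PDB must fail with an
--    insufficient-privileges error, regardless of the system privileges C##JSMITH holds;
--    a returned row count means operations control is not protecting this PDB.
connect c##jsmith
ALTER SESSION SET CONTAINER = PDB1;
SELECT COUNT(*) FROM hr.employees;
```

Keep step 4 as a standing check after patching or cloning PDBs: the status view tells you the control is switched on, but only a denied query from a common user proves that the PDB's application data is actually out of reach.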
A valid configuration is to have Database Vault operations control enabled in the CDB and all PDBs while Database Vault is not enabled in a PDB. If Database Vault is enabled in the container database, operations control can be used to separate container users (C##) from data in pluggable databases.
For example, if there were a second PDB in this environment, these results of select * from cdb_dv_status would be a valid configuration:
NAME STATUS CON_ID
______________________ _________________ _________
DV_CONFIGURE_STATUS TRUE 1
DV_ENABLE_STATUS TRUE 1
DV_APP_PROTECTION ENABLED 1
DV_CONFIGURE_STATUS TRUE 3
DV_ENABLE_STATUS TRUE 3
DV_APP_PROTECTION ENABLED 3
DV_CONFIGURE_STATUS FALSE 4
DV_ENABLE_STATUS FALSE 4
DV_APP_PROTECTION ENABLED 4