Authorization
Schema Privileges to Simplify Access Control
Oracle Database supports granting privileges on schemas, in addition to the existing object, system, and administrative privileges.
This feature improves security by simplifying authorization for database objects, especially for schemas that frequently add new objects. Instead of granting broad system privileges (the ANY privileges) that apply to every schema in the database, privileges can now be granted at the level of an individual schema, where they cover the objects that exist now and the objects that schema creates later.
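The following is an added example, not from the Oracle documentation page, showing the broad system privilege beside its schema-scoped replacement. The schema HR, the account APP_READER, the table name and the DBA_SCHEMA_PRIVS view are assumptions for illustration.

```sql
-- Added example (not from the Oracle documentation page): scoping a privilege
-- to one schema instead of the whole database. HR, APP_READER, the table and
-- the DBA_SCHEMA_PRIVS view are assumed for illustration.

-- Before: the broad system privilege reaches every schema in the database,
-- including Oracle-maintained schemas and application schemas created later.
GRANT SELECT ANY TABLE TO app_reader;
REVOKE SELECT ANY TABLE FROM app_reader;

-- After: the same privilege restricted to the HR schema. It covers the tables
-- HR owns now and the tables HR creates later, so no per-object re-grant is
-- needed when the schema grows.
GRANT SELECT ANY TABLE ON SCHEMA hr TO app_reader;

-- Other ANY privileges can be scoped the same way, for example for a batch
-- account that only needs to run HR's stored code.
GRANT EXECUTE ANY PROCEDURE ON SCHEMA hr TO app_batch;

-- Check what was granted. DBA_SCHEMA_PRIVS is assumed to be the dictionary
-- view that lists schema privileges in this release.
SELECT * FROM dba_schema_privs WHERE grantee IN ('APP_READER', 'APP_BATCH');

-- Show that an object created after the grant is covered without a new grant.
CREATE TABLE hr.new_hire_log (id NUMBER, note VARCHAR2(200));
-- Connected as APP_READER, this succeeds with no further grant:
SELECT COUNT(*) FROM hr.new_hire_log;

-- Remove the schema-scoped privilege when the job no longer needs it.
REVOKE SELECT ANY TABLE ON SCHEMA hr FROM app_reader;
REVOKE EXECUTE ANY PROCEDURE ON SCHEMA hr FROM app_batch;
```

When reviewing an existing database, the accounts holding an unscoped ANY privilege are the first candidates for this change: each one can read or execute across every schema, including schemas that did not exist when the grant was made.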
Oracle Label Security Triggers Are Now Part of the New LBAC_TRIGGER Schema
A new schema, LBAC_TRIGGER, is introduced to own the internal triggers that were previously owned by the LBACSYS schema. You can migrate existing LBACSYS triggers to this new schema.
Both the LBACSYS and LBAC_TRIGGER schemas are Oracle-maintained and dictionary-protected.
This feature improves security when using the Oracle Label Security option.
Oracle Data Dictionary Protection Extended to Non-SYS Oracle Schemas with Separation of Duties Protection
Oracle-maintained schemas other than SYS can now have data dictionary protection, with additional separation of duties protection for the SYSOPER, SYSASM, SYSBACKUP, SYSKM, SYSRAC, and SYSDG administrative privileges.
Oracle schemas provide critical functionality for Oracle Database features. By enabling these schemas to have data dictionary protection with additional separation of duties, you can prevent inadvertent and malicious changes within these schemas that could endanger Oracle Database functionality.
GoldenGate Capture and Apply User Roles
New roles OGG_CAPTURE, OGG_APPLY, OGG_APPLY_PROCREP, XSTREAM_CAPTURE, and XSTREAM_APPLY have been created for granting the appropriate capture and apply privileges to GoldenGate and XStream administrators. These new roles replace the functionality of the procedures in the DBMS_GOLDENGATE_AUTH and DBMS_XSTREAM_AUTH packages, which are now desupported.
This feature simplifies administrative tasks.
New Utility Functions for Finding Client Host and IP Information
You can use two new Oracle Database Vault utility functions to find information about client hosts and IPs. These new utility functions are as follows:
DBMS_MACUTL.CONTAINS_HOST
DBMS_MACUTL.IS_CLIENT_IP_CONTAINED
These utility functions enable you to check whether a host name is contained in a domain, or whether an IP address is contained in a subnet range. They are useful when writing the rule expressions used by rules and rule sets.
Ability to Set Tracing Using Oracle Database Vault APIs
You now can use two Oracle Database Vault APIs to control system level tracing, which applies to all database sessions. These new APIs are as follows:
DBMS_MACADM.SET_DV_TRACE_LEVEL
DBMS_MACUTL.GET_DV_TRACE_LEVEL
This enhancement enables users who have been granted the DV_ADMIN role to enable or disable tracing for all database sessions. In previous releases, this user needed the ALTER SYSTEM and ALTER SESSION system privileges to perform this task, in addition to the DV_ADMIN role. Setting the trace level with the ALTER SYSTEM statement is still supported. The enhancement also provides the DBMS_MACUTL.GET_DV_TRACE_LEVEL function, which returns the trace level that is in effect for the current database session, whether it was set by ALTER SYSTEM, ALTER SESSION, or DBMS_MACADM.SET_DV_TRACE_LEVEL.
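The following is an added example, not from the Oracle documentation page, that puts the still-supported event syntax next to the API route. The API calls use an assumed signature: SET_DV_TRACE_LEVEL takes a single argument naming the level, GET_DV_TRACE_LEVEL takes none and returns a VARCHAR2, and the level names are assumed to match the TRACE[DV] event keywords. Verify these against the DBMS_MACADM and DBMS_MACUTL reference before relying on them.

```sql
-- Added example, not from the Oracle documentation page. Assumed, to be
-- verified against the DBMS_MACADM and DBMS_MACUTL reference: SET_DV_TRACE_LEVEL
-- takes one argument naming the level, GET_DV_TRACE_LEVEL takes none and
-- returns VARCHAR2, and the level names match the TRACE[DV] event keywords
-- (LOW, HIGH, HIGHEST, DISABLE).

-- The pre-existing event mechanism, still supported. System-wide requires the
-- ALTER SYSTEM privilege, per-session requires ALTER SESSION.
ALTER SYSTEM  SET EVENTS 'TRACE[DV] DISK=LOW';
ALTER SESSION SET EVENTS 'TRACE[DV] DISK=HIGH';

-- The API route: a DV_ADMIN grantee sets the system-wide level without
-- holding ALTER SYSTEM. (Assumed argument form, see above.)
BEGIN
  DBMS_MACADM.SET_DV_TRACE_LEVEL('HIGH');
END;
/

-- Read back the level in effect for this session, whichever way it was set.
SELECT DBMS_MACUTL.GET_DV_TRACE_LEVEL() AS dv_trace_level FROM dual;

-- Turn tracing off again once the investigation is done: the system-wide
-- setting affects every session, and the higher levels write rule and realm
-- evaluation detail for all of them into trace files.
BEGIN
  DBMS_MACADM.SET_DV_TRACE_LEVEL('DISABLE');
END;
/
```

Because the system-wide level applies to every session, treat a change to it like any other database-wide diagnostic switch: record who enabled it and when, and restrict access to the trace file directory, since Database Vault trace output describes which protections fired for which users.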
Fewer Parameters to Specify When Creating or Updating Controls
When configuring Oracle Database Vault, you may now omit parameters in the following cases:
- If you are creating a new control, omitting the parameter specifies its default value.
- If you are updating an existing control, omitting the parameter retains the current setting.
The procedures that are affected are as follows:
DBMS_MACADM.CREATE_COMMAND_RULE
DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE
DBMS_MACADM.CREATE_FACTOR
DBMS_MACADM.CREATE_POLICY
DBMS_MACADM.CREATE_REALM
DBMS_MACADM.CREATE_RULE
DBMS_MACADM.CREATE_RULE_SET
DBMS_MACADM.CREATE_SESSION_EVENT_CMD_RULE
DBMS_MACADM.CREATE_SYSTEM_EVENT_CMD_RULE
DBMS_MACADM.UPDATE_COMMAND_RULE
DBMS_MACADM.UPDATE_CONNECT_COMMAND_RULE
DBMS_MACADM.UPDATE_FACTOR
DBMS_MACADM.UPDATE_POLICY_STATE
DBMS_MACADM.UPDATE_REALM
DBMS_MACADM.UPDATE_RULE
DBMS_MACADM.UPDATE_RULE_SET
DBMS_MACADM.UPDATE_SESSION_EVENT_CMD_RULE
DBMS_MACADM.UPDATE_SYSTEM_EVENT_CMD_RULE
Omitting parameters for default behaviors while creating or updating realms, rules, command rules, factors, and policies streamlines the process, allowing administrators to complete tasks more efficiently and reducing the opportunity for errors.
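The following is an added example, not from the Oracle documentation page, that serves both the new host/IP utility functions above and the shorter CREATE_*/UPDATE_* calls described in this section: it builds a rule on the client IP, a rule set and a command rule with most parameters omitted, then updates one of them. The subnet, the HR schema and table, and the rule and rule set names are made up. It assumes that IS_CLIENT_IP_CONTAINED takes a subnet in CIDR form, tests the current session's client IP against it, and returns 'Y' or 'N' in the manner of the other DBMS_MACUTL *_VARCHAR predicates; check the DBMS_MACUTL reference for the exact argument format and return value.

```sql
-- Added example, not from the Oracle documentation page. Run as a user with
-- the DV_OWNER role. Assumed, to be verified against the DBMS_MACUTL
-- reference: IS_CLIENT_IP_CONTAINED takes a CIDR subnet string, tests the
-- current session's client IP against it and returns 'Y' or 'N'. The subnet,
-- HR.EMPLOYEES and the rule/rule set names are made up for illustration.

-- 1. A rule that is true only for clients on the application subnet.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client on app subnet',
    rule_expr => 'DBMS_MACUTL.IS_CLIENT_IP_CONTAINED(''10.20.0.0/16'') = ''Y''');
END;
/

-- 2. A rule set. Only the name and description are given; the omitted
--    parameters (enabled, eval_options, audit_options, fail_options, handler
--    settings, ...) take their defaults instead of having to be spelled out.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name => 'App subnet only',
    description   => 'Allow only from the application network');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App subnet only',
    rule_name     => 'Client on app subnet',
    rule_order    => 1);
END;
/

-- 3. A command rule that applies the rule set to DELETE on HR.EMPLOYEES.
--    The enabled parameter is omitted, so the command rule is created enabled.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'App subnet only',
    object_owner  => 'HR',
    object_name   => 'EMPLOYEES');
END;
/

-- 4. Later changes. Tightening the subnet replaces only the expression, and
--    changing the rule set description passes nothing else: on an update the
--    omitted parameters keep their current values rather than being reset.
BEGIN
  DBMS_MACADM.UPDATE_RULE(
    rule_name => 'Client on app subnet',
    rule_expr => 'DBMS_MACUTL.IS_CLIENT_IP_CONTAINED(''10.20.4.0/24'') = ''Y''');
  DBMS_MACADM.UPDATE_RULE_SET(
    rule_set_name => 'App subnet only',
    description   => 'Allow only from the application subnet 10.20.4.0/24');
END;
/

-- 5. Verify what is in force.
SELECT * FROM dvsys.dba_dv_rule;
SELECT * FROM dvsys.dba_dv_command_rule WHERE object_owner = 'HR';
```

One caveat for any rule built on the client address: the database sees the address of whatever connected to the listener. Sessions that arrive through a connection pool, an application server, or Oracle Connection Manager all carry that intermediary's address, so a subnet rule that matches the intermediary admits every client behind it. Pair the IP check with a factor such as the authenticated user or the authentication method when the path to the database is not direct.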