Authorization

Schema Privileges to Simplify Access Control

Oracle Database supports granting privileges on schemas (in addition to the existing object, system, and administrative privileges).

This feature improves security by simplifying authorization for database objects, especially for schemas that frequently add new objects. Instead of granting broad system-level (* ANY) privileges that apply to the entire database, privileges can now be granted at the individual schema level.
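As an added example (not taken from the release notes), the following SQL contrasts the database-wide ANY grant with the schema-scoped form described above and shows how to verify which one is in effect. The schema HR, the user APP_REPORTER and the table NEW_FEED are made-up names, and the DBA_SCHEMA_PRIVS dictionary view with the columns used here is assumed to exist in this release.

```sql
-- Added example, not part of the original page. Run as a DBA user.
-- HR, APP_REPORTER and NEW_FEED are illustrative names.

-- Before: a database-wide system privilege. APP_REPORTER can read every
-- table in every schema, including schemas it has no business with.
GRANT SELECT ANY TABLE TO app_reporter;
REVOKE SELECT ANY TABLE FROM app_reporter;

-- After: the same privilege scoped to a single schema. Tables created in
-- HR later are covered automatically, so no per-object re-grant is needed
-- and nothing outside HR becomes readable.
GRANT SELECT ANY TABLE ON SCHEMA hr TO app_reporter;

-- Verify the grant landed as a schema privilege, not a system privilege
-- (DBA_SCHEMA_PRIVS and its column names are assumed for this release).
SELECT grantee, privilege, schema
  FROM dba_schema_privs
 WHERE grantee = 'APP_REPORTER';

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'APP_REPORTER'
   AND privilege LIKE '%ANY%';   -- expect no rows after the REVOKE above

-- A table added to HR after the grant is readable by APP_REPORTER
-- without any further GRANT.
CREATE TABLE hr.new_feed (id NUMBER, note VARCHAR2(100));

-- Connected as APP_REPORTER:
SELECT COUNT(*) FROM hr.new_feed;

-- Withdraw the schema-level grant the same way it was given.
REVOKE SELECT ANY TABLE ON SCHEMA hr FROM app_reporter;
```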

Oracle Label Security Triggers Are Now Part of the New LBAC_TRIGGER Schema

A new schema, LBAC_TRIGGER, is introduced to own the internal triggers that were previously owned by the LBACSYS schema. You can migrate existing LBACSYS triggers to this new schema.

Both the LBACSYS and LBAC_TRIGGER schemas are Oracle-maintained and dictionary-protected.

This feature improves security when using the Oracle Label Security option.

Oracle Data Dictionary Protection Extended to Non-SYS Oracle Schemas with Separation of Duties Protection

Oracle Database schemas can have data dictionary protection with additional separation of duties protection for SYSOPER, SYSASM, SYSBACKUP, SYSKM, SYSRAC, and SYSDG.

Oracle schemas provide critical functionality for Oracle Database features. By enabling these schemas to have data dictionary protection with additional separation of duties, you can prevent inadvertent and malicious changes within these schemas that could endanger Oracle Database functionality.

GoldenGate Capture and Apply User Roles

New roles OGG_CAPTURE, OGG_APPLY, OGG_APPLY_PROCREP, XSTREAM_CAPTURE, and XSTREAM_APPLY have been created to grant the appropriate capture and apply privileges to GoldenGate and XStream administrators. These new roles replace the functionality of the procedures in the DBMS_GOLDENGATE_AUTH and DBMS_XSTREAM_AUTH packages, which are now desupported.

This feature simplifies administrative tasks.

New Utility Functions for Finding Client Host and IP Information

You can use two new Oracle Database Vault utility functions to find information about client hosts and IP addresses. These new utility functions are as follows:

  • DBMS_MACUTL.CONTAINS_HOST
  • DBMS_MACUTL.IS_CLIENT_IP_CONTAINED

These utility functions enable you to conveniently check if an IP address (or a host) is contained in a domain (or subnet range). They are useful for configuring rules and rule sets.

Ability to Set Tracing Using Oracle Database Vault APIs

You can now use two Oracle Database Vault APIs to control system-level tracing, which applies to all database sessions. These new APIs are as follows:

  • DBMS_MACADM.SET_TRACE_LEVEL
  • DBMS_MACUTL.GET_TRACE_LEVEL

This enhancement enables users who have been granted the DV_ADMIN role to enable or disable tracing for all database sessions. In previous releases, such a user needed the ALTER SYSTEM and ALTER SESSION system privileges in addition to the DV_ADMIN role to perform this task. Setting the trace level with the ALTER SYSTEM statement is still supported. The enhancement also provides the DBMS_MACUTL.GET_DV_TRACE_LEVEL function, which returns the trace level set for the current database session, whether it was set by ALTER SYSTEM, ALTER SESSION, or DBMS_MACADM.SET_DV_TRACE_LEVEL.

Fewer Parameters to Specify When Creating or Updating Controls

When configuring Oracle Database Vault, you may now omit parameters in the following cases:

  • If you are creating a new control, omitting the parameter specifies its default value.
  • If you are updating an existing control, omitting the parameter retains the current setting.

The procedures that are affected are as follows:

  • DBMS_MACADM.CREATE_COMMAND_RULE
  • DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE
  • DBMS_MACADM.CREATE_FACTOR
  • DBMS_MACADM.CREATE_POLICY
  • DBMS_MACADM.CREATE_REALM
  • DBMS_MACADM.CREATE_RULE
  • DBMS_MACADM.CREATE_RULE_SET
  • DBMS_MACADM.CREATE_SESSION_EVENT_CMD_RULE
  • DBMS_MACADM.CREATE_SYSTEM_EVENT_CMD_RULE
  • DBMS_MACADM.UPDATE_COMMAND_RULE
  • DBMS_MACADM.UPDATE_CONNECT_COMMAND_RULE
  • DBMS_MACADM.UPDATE_FACTOR
  • DBMS_MACADM.UPDATE_POLICY_STATE
  • DBMS_MACADM.UPDATE_REALM
  • DBMS_MACADM.UPDATE_RULE
  • DBMS_MACADM.UPDATE_RULE_SET
  • DBMS_MACADM.UPDATE_SESSION_EVENT_CMD_RULE
  • DBMS_MACADM.UPDATE_SYSTEM_EVENT_CMD_RULE

Omitting parameters for default behaviors while creating or updating realms, rules, command rules, factors, and policies streamlines the process, allowing administrators to complete tasks more efficiently and reducing the opportunity for errors.
