Authorization
Schema Privileges to Simplify Access Control
Oracle AI Database supports granting privileges on schemas (in addition to the existing object, system, and administrative privileges).
This feature improves security by simplifying authorization for database objects, especially for schemas that frequently add new objects. Instead of granting broad system-level (*ANY) privileges that apply to the entire database, privileges can now be granted at the individual schema level.
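An added example (not from the Oracle documentation) contrasting the database-wide system privilege with the schema-level grant described above. The schema name HR and the grantee APP_READER are assumed; the DBA_SCHEMA_PRIVS view is assumed to be the dictionary view that lists schema privileges.

```sql
-- Before: a system privilege that reaches every table in every schema,
-- including objects created later in unrelated schemas.
GRANT SELECT ANY TABLE TO app_reader;
REVOKE SELECT ANY TABLE FROM app_reader;

-- After: the same privilege scoped to one schema. Tables added to HR later
-- are covered automatically, but nothing outside HR is reachable.
GRANT SELECT ANY TABLE ON SCHEMA hr TO app_reader;

-- Schema-level grants can be combined for an application account that
-- needs more than read access inside its own schema only.
GRANT INSERT ANY TABLE, UPDATE ANY TABLE ON SCHEMA hr TO app_reader;

-- Verify what was granted (view name assumed) and that no database-wide
-- *ANY privilege is left behind for the same grantee.
SELECT grantee, schema, privilege
  FROM dba_schema_privs
 WHERE grantee = 'APP_READER';

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'APP_READER'
   AND privilege LIKE '%ANY%';

-- Removal is symmetric with the grant.
REVOKE INSERT ANY TABLE, UPDATE ANY TABLE ON SCHEMA hr FROM app_reader;
```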
Oracle Label Security Triggers Are Now Part of the New LBAC_TRIGGER Schema
A new schema, LBAC_TRIGGER, is introduced to own the internal triggers that were previously owned by the LBACSYS schema. You can migrate existing LBACSYS triggers to this new schema.
Both the LBACSYS and LBAC_TRIGGER schemas are Oracle-maintained and dictionary-protected.
This feature improves security when using the Oracle Label Security option.
Oracle Data Dictionary Protection Extended to Non-SYS Oracle Schemas with Separation of Duties Protection
Oracle AI Database schemas can have data dictionary protection with additional separation of duties protection for SYSOPER, SYSASM, SYSBACKUP, SYSKM, SYSRAC, and SYSDG.
Oracle schemas provide critical functionality for Oracle AI Database features. By enabling these schemas to have data dictionary protection with additional separation of duties, you can prevent inadvertent and malicious changes within these schemas that could endanger Oracle AI Database functionality.
GoldenGate Capture and Apply User Roles
New roles OGG_CAPTURE, OGG_APPLY, OGG_APPLY_PROCREP, XSTREAM_CAPTURE, and XSTREAM_APPLY have been created for granting the appropriate capture and apply privileges to GoldenGate and XStream administrators. These new roles replace the functionality in the procedures of the DBMS_GOLDENGATE_AUTH and DBMS_XSTREAM_AUTH packages, which are now desupported.
This feature simplifies administrative tasks.
New Utility Functions for Finding Client Host and IP Information
You can use two new Oracle Database Vault utility functions to find information about client hosts and IPs. These new utility functions are as follows:
- DBMS_MACUTL.CONTAINS_HOST
- DBMS_MACUTL.IS_CLIENT_IP_CONTAINED
These utility functions enable you to conveniently check if an IP address (or a host) is contained in a domain (or subnet range). They are useful for configuring rules and rule sets.
Ability to Set Tracing Using Oracle Database Vault APIs
You now can use two Oracle Database Vault APIs to control system level tracing, which applies to all database sessions. These new APIs are as follows:
- DBMS_MACADM.SET_TRACE_LEVEL
- DBMS_MACUTL.GET_TRACE_LEVEL
This enhancement enables users who have been granted the DV_ADMIN role to enable or disable tracing for all database sessions. In previous releases, this user needed the ALTER SYSTEM and ALTER SESSION system privileges to perform this task, in addition to the DV_ADMIN role. The ALTER SYSTEM statement for tracing is still supported. The enhancement also provides the DBMS_MACUTL.GET_DV_TRACE_LEVEL function, which returns the trace level that has been set for the current database session. This trace level may have been set by ALTER SYSTEM, ALTER SESSION, or DBMS_MACADM.SET_DV_TRACE_LEVEL.
Fewer Parameters to Specify When Creating or Updating Controls
When configuring Oracle Database Vault, you may now omit parameters in the following cases:
- If you are creating a new control, omitting the parameter specifies its default value.
- If you are updating an existing control, omitting the parameter retains the current setting.
The procedures that are affected are as follows:
- DBMS_MACADM.CREATE_COMMAND_RULE
- DBMS_MACADM.CREATE_CONNECT_COMMAND_RULE
- DBMS_MACADM.CREATE_FACTOR
- DBMS_MACADM.CREATE_POLICY
- DBMS_MACADM.CREATE_REALM
- DBMS_MACADM.CREATE_RULE
- DBMS_MACADM.CREATE_RULE_SET
- DBMS_MACADM.CREATE_SESSION_EVENT_CMD_RULE
- DBMS_MACADM.CREATE_SYSTEM_EVENT_CMD_RULE
- DBMS_MACADM.UPDATE_COMMAND_RULE
- DBMS_MACADM.UPDATE_CONNECT_COMMAND_RULE
- DBMS_MACADM.UPDATE_FACTOR
- DBMS_MACADM.UPDATE_POLICY_STATE
- DBMS_MACADM.UPDATE_REALM
- DBMS_MACADM.UPDATE_RULE
- DBMS_MACADM.UPDATE_RULE_SET
- DBMS_MACADM.UPDATE_SESSION_EVENT_CMD_RULE
- DBMS_MACADM.UPDATE_SYSTEM_EVENT_CMD_RULE
Omitting parameters for default behaviors while creating or updating realms, rules, command rules, factors, and policies streamlines the process, allowing administrators to complete tasks more efficiently and reducing the opportunity for errors.
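An added example (not from the Oracle documentation) of the create-then-update pattern described above for a realm: the create call passes only the parameters that matter and relies on defaults for the rest, and the later update changes one setting while leaving the others untouched. The realm name, the HR.PAYROLL table, and the grantee PAYROLL_APP are assumed.

```sql
BEGIN
  -- Create: only the name and description are supplied; enabled, audit_options,
  -- realm_type, realm_scope and pl_sql_stack are omitted and take their defaults.
  DBMS_MACADM.CREATE_REALM(
    realm_name  => 'HR Payroll Realm',
    description => 'Protects payroll tables owned by HR');

  -- Put the sensitive table under the realm's protection.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Payroll Realm',
    object_owner => 'HR',
    object_name  => 'PAYROLL',
    object_type  => 'TABLE');

  -- Authorize only the application account (participant, not owner).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'HR Payroll Realm',
    grantee    => 'PAYROLL_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Update: turn auditing on for failed access attempts only. Every other
  -- parameter is omitted, so the realm keeps its current name, description,
  -- enabled state, type and scope.
  DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'HR Payroll Realm',
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

-- Confirm the resulting settings before relying on the realm.
SELECT name, enabled, audit_options
  FROM dba_dv_realm
 WHERE name = 'HR Payroll Realm';
```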
Oracle Deep Data Security (Deep Sec)
Oracle Deep Data Security (Deep Sec) is a database-enforced data authorization framework in Oracle AI Database. It enforces fine-grained access control at the row, column, and cell levels using declarative SQL, securing all access paths to sensitive data across enterprise applications, analytics tools, and agentic AI systems. Deep Sec integrates natively with external identity and access management systems (like Microsoft Entra ID and OCI IAM) to establish end-user security contexts, which ensures that every SQL operation is authorized against the actual requesting user's identity, roles, and attributes.
As organizations integrate agentic AI into their operations, traditional security models, such as application-level controls, external authorization systems, and conventional database security, cannot adequately address the dynamic and autonomous nature of these workloads. Deep Sec addresses this gap by securing data at its source rather than relying on application code, prompts, or other potentially vulnerable guardrails. By enforcing least-privilege access directly at the database layer, Deep Sec helps organizations adopt AI and modern applications with confidence, while making it easier to address regulatory compliance and data privacy requirements. Its declarative SQL-based policy model simplifies administration, integrates with CI/CD pipelines, and reduces the learning curve compared to procedural or API-driven alternatives.