Protection Policy Attributes

A protection policy is created with the DBMS_RA.CREATE_PROTECTION_POLICY procedure or with Cloud Control. The protection policy sets some of the following attributes for all protected databases assigned to it. Some attributes are mutually exclusive. The following is a representative list of attributes to consider in new protection policies.

Table 7-3 Protection Policy Attributes (subset)

Attribute Description

storage_location_name

A Recovery Appliance storage location for storing backups.

polling_policy_name

An optional backup polling policy that determines whether Recovery Appliance polls a storage location for backups.

recovery_window_goal

The disk recovery window goal for the protected database.

recovery_window_sbt

The SBT retention period for the protected database.

guaranteed_copy

The guaranteed copy setting, which determines whether backups protected by this policy must be copied to tape or cloud before being considered for deletion.

allow_backup_deletion

Setting this to NO prevents RMAN users from deleting backups on the Recovery Appliance, which is necessary for compliance rules. The default value is YES.

store_and_forward

The setting for the Backup and Redo Failover feature. This setting is used only in a protection policy defined on the alternate Recovery Appliance where the protected databases associated with this policy will redirect backups and redo in the event of an outage on the primary Recovery Appliance.

max_retention_window

The maximum length of time that the Recovery Appliance retains backups for databases that use this retention policy.

unprotected_window

The maximum acceptable difference between the current time and the latest time that the database can be restored.

autotune_reserved_space

This setting is used to control whether the Recovery Appliance will automatically define and update the reserved_space settings for databases associated with this policy.

recovery_window_compliance

This setting specifies a time range for each database backup in which backups will not be deleted. This value must be equal to or smaller than recovery_window_goal. Too large a value can result in filling disk_reserved_space with compliance protected backups, whereby new backups are then rejected.

keep_compliance

This setting prevents an administrator from using the RMAN CHANGE command to shrink the "keep until time" specified for an archival backup. If KEEP_COMPLIANCE is YES, KEEP FOREVER backups will never be deleted.

NO means the "keep until time" for an archival backup may be modified by the RMAN CHANGE command. NO is the default.

max_reserved_space

The maximum disk_reserved_space setting permitted for each database in the protection policy. The format of this value is a character string that must contain a number consisting only of the characters 0-9, followed optionally by one of the following unit specifiers:

If max_reserved_space is specified as NULL, the max_reserved_space setting for databases defaults to 2 x disk_reserved_space.

secure_mode

Determines whether backups stored on the Recovery Appliance must be encrypted.

YES means that only encrypted backup and redo are accepted by the Recovery Appliance.

NO means unencrypted backups are allowed to be stored on the Recovery Appliance. NO is the default.

You can associate an optional replication server configuration with a protection policy. The replication configuration applies to all protected databases associated with the protection policy.

When a protection policy has SECURE_MODE set to YES, backups that are not encrypted are rejected, by design, before they can be uploaded to the Recovery Appliance. Redo logs that are shipped directly to the Recovery Appliance must also be encrypted. However, the check for redo encryption happens after the redo log completes, so future attempts to open a new log on the Recovery Appliance are rejected. A few logs might get started before the archived log destination status shows redo being rejected. This condition clears when an encrypted redo log backup is sent to the Recovery Appliance, after which future redo log switches are accepted on the Recovery Appliance.
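The following audit check is an added example, not Oracle code. It applies the rules stated in the attribute table above to one policy at a time. The attribute names and defaults come from the table; the dict layout, the use of `timedelta` for window values, and the names `audit_policy`, `DEFAULTED`, `HARDENED` and `INVERTED` are assumptions of this example.

```python
from datetime import timedelta

# Defaults the page states for attributes that are left unset.
PAGE_DEFAULTS = {"allow_backup_deletion": "YES", "keep_compliance": "NO", "secure_mode": "NO"}


def audit_policy(policy):
    """Return (attribute, finding) pairs for one protection policy.

    `policy` is a hypothetical dict keyed by the attribute names in Table 7-3;
    window attributes are timedelta values (an assumption of this example).
    """
    # Unset (None) attributes fall back to the documented defaults.
    p = {**PAGE_DEFAULTS, **{k: v for k, v in policy.items() if v is not None}}
    findings = []

    if p["allow_backup_deletion"].upper() != "NO":
        findings.append(("allow_backup_deletion", "RMAN users can delete backups on the appliance"))
    if p["keep_compliance"].upper() != "YES":
        findings.append(("keep_compliance", "RMAN CHANGE can shrink an archival backup's keep-until time"))
    if p["secure_mode"].upper() != "YES":
        findings.append(("secure_mode", "unencrypted backups are allowed to be stored"))

    goal = p.get("recovery_window_goal")
    compliance = p.get("recovery_window_compliance")
    if compliance is None:
        findings.append(("recovery_window_compliance", "not set"))
    elif goal is None or compliance > goal:
        # The page requires compliance <= goal; too large a value can fill
        # disk_reserved_space, after which new backups are rejected.
        findings.append(("recovery_window_compliance", "must be equal to or smaller than recovery_window_goal"))
    return findings


# Constructed sample policies, not taken from a real appliance.
DEFAULTED = {"recovery_window_goal": timedelta(days=14)}
HARDENED = {
    "recovery_window_goal": timedelta(days=14),
    "recovery_window_compliance": timedelta(days=7),
    "allow_backup_deletion": "NO",
    "keep_compliance": "YES",
    "secure_mode": "YES",
}
INVERTED = {**HARDENED, "recovery_window_compliance": timedelta(days=30)}

if __name__ == "__main__":
    for name, pol in (("defaulted", DEFAULTED), ("hardened", HARDENED), ("inverted", INVERTED)):
        print(name, audit_policy(pol))
```

A policy created with only a recovery window goal inherits every permissive default, which is why `DEFAULTED` produces four findings while `HARDENED` produces none.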

Note:

Before release 21.1, any backup copy anywhere (tape or cloud) counted as a copy for a backup and would allow for deletion on the Recovery Appliance. If you had both cloud and tape, you might have incomplete backups on either cloud or tape, but the Recovery Appliance would incorrectly consider the set copied. Further, with replication, the backups could be deleted on the downstream Recovery Appliance, leaving backups never copied and thus never released by the upstream Recovery Appliance.

In release 21.1, the guaranteed_copy attribute was added to the library. When guaranteed_copy is set on the library, the Recovery Appliance will not directly delete the copy in the library. (The tape/cloud manager should not delete the copy either.) Each library with the guaranteed_copy attribute must have a copy of a given backup before it is eligible for deletion from the Recovery Appliance.

The APIs create_protection_policy and update_protection_policy check whether a guaranteed_copy library/template/attribute_set was available to the protection_policy before the protection_policy could have guaranteed_copy set. Other improvements protect the changing of libraries, templates, or attribute_set against the last removal of a library/template/attribute_set path from a protection_policy with the guaranteed_copy attribute set.