Oracle Audit Vault and Database Firewall Database Schemas

B Oracle Audit Vault and Database Firewall Database Schemas

Learn about the Oracle Audit Vault and Database Firewall schemas.

B.1 About Oracle Audit Vault and Database Firewall Schemas

Oracle Audit Vault and Database Firewall has internal data warehouse schemas that manage the audit data collected from the targets.

The data warehouse schemas collect the data from the Oracle Audit Vault and Database Firewall collection agents, organize it, and then provide it in report format.

To create custom reports using tools like Oracle Business Intelligence Publisher and the Oracle Business Intelligence Suite:

You must understand the structure of the data warehouse schema AVSYS, which this appendix describes.
You must understand the structure of the audit events provided by the supported targets—Oracle Database, Microsoft SQL Server, Sybase Adaptive Server Enterprise (ASE), and IBM DB2.

You can create these kinds of custom reports:

Activity reports
Event reports
Alert reports
Entitlement reports

The data that you need to create the other kinds of reports is in the AVSYS schema.

B.2 Metadata for Activity Reports

The metadata for activity reports captures data such as connect strings and creation times.

This section describes the metadata that you need to create activity reports:

Table B-1 describes the AVSYS.SECURED_TARGET table, which has one row for each target. Columns are in alphabetical order.

Table B-1 AVSYS.SECURED_TARGET Table

Column	Data Type	Description
`ACTIVE`	`CHAR(1 CHAR)`	'Y' if target is active, 'N' otherwise.
`CONNECT_STRING`	`VARCHAR2(4000 BYTE)`	String that identifies target when you try to connect it to the system.
`CREATION_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`	Creation time of the connection between target and the system.
`DESCRIPTION`	`VARCHAR2(1024 BYTE)`	Description of target.
`FIREWALL_POLICY_ID`	`INTEGER`	ID number of firewall policy associated with target, if any; otherwise `NULL`. Default: `NULL`
`SECURED_TARGET_ID`	`NUMBER`	ID of the target.
`SECURED_TARGET_NAME`	`VARCHAR2(255 BYTE)`	Name of target.
`SECURED_TARGET_TYPE_ID`	`NUMBER`	ID number of type of target. This value must be in `AVSYS.SECURED_TARGET_TYPE.SECURED_TARGET_TYPE_ID` (see Table B-2).
`SERVER_AUTH_USER`	`VARCHAR2(255 BYTE)`	Oracle AVDF user that is authorized to transfer events from an Audit Vault Agent to an Audit Vault Server.

Table B-2 describes the AVSYS.SECURED_TARGET_TYPE table, which has one row for each target type. Columns are in alphabetical order.

Table B-2 AVSYS.SECURED_TARGET_TYPE Table

Column	Data Type	Description
`FIREWALL_DIALECT`	`NUMBER(38)`	ID number of Oracle Database Firewall type.
`SECURED_TARGET_TYPE_ID`	`NUMBER(38)`	ID number of target type.
`SECURED_TARGET_TYPE_NAME`	`VARCHAR2(255 BYTE)`	Name of target type.

Table B-3 describes the AVSYS.AUDIT_TRAIL table, which has one row for each audit trail. Columns are in alphabetical order.

Table B-3 AVSYS.AUDIT_TRAIL Table

Column	Data Type	Description
`AUDIT_TRAIL_ID`	`NUMBER`	ID number of this audit trail.
`AUDIT_TRAIL_TYPE`	`VARCHAR2(255 BYTE)`	Type of this audit trail (for example, `TABLE` or `DIRECTORY`).
`COLLECTION_AUTOSTART`	`CHAR(1 CHAR)`	(Currently unavailable functionality)
`HOST_NAME`	`VARCHAR2(255 BYTE)`	Name of agent host for this audit trail.
`LOCATION`	`VARCHAR2(4000 BYTE)`
`SOURCE_ID`	`NUMBER`	ID number of source of this audit trail.
`SECURED_TARGET_TYPE_NAME`	`VARCHAR2(255 BYTE)`	Name of type of target for this audit trail. This value must be in `AVSYS.SECURED_TARGET_TYPE.SECURED_TARGET_TYPE_NAME` (see Table B-2).

B.3 Data for Event Reports

The metadata for event reports captures data such as actions taken or alerts raised.

This section describes the data that you need to create event reports.

Table B-4 describes the AVSYS.EVENT_LOG table, which has one row for each audit event. Columns are in alphabetical order.

Table B-4 AVSYS.EVENT_LOG Table

Column	Data Type	Description
`ACTION_TAKEN`	`VARCHAR2(255 BYTE)`	Action taken for the event—`pass`, `warn`, or `block`.
`ALERT_RAISED`	`NUMBER`	0 if no alert was raised for the event, 1 otherwise. Default: 0
`AUDIT_TRAIL_ID`	`NUMBER`	ID of the audit trail from which the event was collected.
`AV_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when the event was recorded in Oracle AVDF repository.
`CLIENT_HOST_NAME`	`VARCHAR2(255 BYTE)`	Name of client host where the user started the action.
`CLIENT_ID`	`VARCHAR2(1024 CHAR)`	Client identifier of the user whose actions were audited
`CLIENT_IP`	`VARCHAR2(255 BYTE)`	Internet protocol (IP) address of `CLIENT_HOST_NAME`.
`CLIENT_PROGRAM`	`VARCHAR2(255 CHAR)`	Client program where the event occurred.
`CLUSTER_ID`	`NUMBER`	Global ID number of cluster where the event occurred.
`CLUSTER_TYPE`	`NUMBER`	Type number of cluster where the event occurred (identifies type of statements in cluster).
`COMMAND_CLASS`	`VARCHAR2(255 BYTE)`	Action performed in the event (for example, `SELECT` or `DELETE`). If this field contains `NULL`, then the audit record is invalid.
`COMMAND_PARAM`	`CLOB`	Command parameters that caused the event.
`COMMAND_TEXT`	`CLOB`	Text of command that caused the event (which can be, for example, a SQL or PL/SQL statement).
`DATA_TRACE`	`CLOB`	Transaction log data (before and after values) in `JSON` format.
`ERROR_CODE`	`VARCHAR2(30 BYTE)`	Error code of an action.
`ERROR_MESSAGE`	`VARCHAR2(1000 BYTE)`	Error message of an action.
`EVENT_NAME`	`VARCHAR2(255 BYTE)`	Name of the event, exactly as in the audit trail.
`EVENT_STATUS`	`VARCHAR2(30 BYTE)`	Status of the event—`SUCCESS`, `FAILURE`, or `UNKNOWN`.
`EVENT_TIME`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when the event occurred. If the event has more than one time stamp (for example, an event start time stamp and an event end time stamp), then the collector plug-in must assign a time stamp to this field. If this field contains `NULL`, then Oracle AVDF shuts down the collector.
`EXTENSION`	`CLOB`	Stores fields that cannot be accommodated in core or large fields (such as name-value pairs, separated by delimiters).
`GRAMMAR_VERSION`	`NUMBER`	Version of grammar that the Database Firewall used when it detected the event. This version is internal to the Database Firewall and not related to the database version.
`LOG_CAUSE`	`VARCHAR2(30 BYTE)`	Cause of the event, as recorded in the log: `undefined`, `exception`, `cluster`, `Database Object`, `unseen`, `invalidsql`, `waf`, `login`, or `logout`.
`LOGFILE_ID`	`NUMBER`	Opaque internal log file ID.
`MARKER`	`VARCHAR2(255 BYTE)`	Uniquely identifies a record in an audit trail. During the recovery process, Oracle AVDF uses this field to filter duplicate records. The collector plug-in provides the marker field, which is typically a concatenated subset of the fields of an audit record. For example, in Oracle database, the session ID and entry ID (a unique identifier within a session) define a marker.
`MONITORING_POINT_ID`	`NUMBER`	This is an internal column. If its value is not `NULL`, then the event came from a Database Firewall. If its value is `NULL`, then the event came from the audit trail whose ID is in `AUDIT_TRAIL_ID`.
`NETWORK_CONNECTION`	`VARCHAR2(255 BYTE)`	Name of user who logged into the operating system that generated the audit record. If the user logged into the operating system as `JOHN` but performed the action as `SCOTT`, then this field contains `JOHN` and the `USER_NAME` field contains `SCOTT`.
`OSUSER_NAME`	`VARCHAR2 (255 BYTE)`	Operating system user name that executed the SQL command
`POLICY_NAME`	`VARCHAR2(1024 CHAR)`	Name of policy file that the Database Firewall used when it detected the event.
`POLICY_NAME` Oracle AVDF 20.3 and later	`VARCHAR2(4000 CHAR)`	Name of policy file that the Database Firewall used when it detected the event. In case of audit data collected by the Agent, the policy name contains the audit policies that caused the current event.
`RECORD_ID`	`NUMBER`	ID number of audit record for the event.
`SECURED_TARGET_NAME`	`VARCHAR2(255 BYTE)`	Name of target where event occurred.
`SECURED_TARGET_TYPE`	`VARCHAR2(255 BYTE)`	Type of target where event occurred.
`SERVICE_NAME`	`VARCHAR2(255 CHAR)`	Name of database service to which the client session connects.
`TARGET_OBJECT`	`VARCHAR2(255 BYTE)`	Name of object on which the action was performed. For example, if the user selected from a table, then this field contains the name of the table.
`TARGET_OWNER`	`VARCHAR2(255 BYTE)`	Name of owner of target on which the action was performed. For example, if the user selected from a table owned by user `JOHN`, then this field contains the user name `JOHN`.
`TARGET_TYPE`	`VARCHAR2(255 BYTE)`	Type of target object on which the action was performed. For example, if the user selected from a table, then this field contains `TABLE`.
`TERMINAL`	`VARCHAR2(255 CHAR)`	Name of the terminal (for example, Unix terminal) that was the source of the event
`THREAT_SEVERITY`	`VARCHAR2(30 CHAR)`	The severity of the threat detected by the Database Firewall. This field may have one of the values: `minimal`, `minor`, `moderate`, `major`, or `critical`. The threat severity differentiates the importance of each event. This is defined in the Database Firewall policy. You can choose the value for each rule that triggers the event. The Database Firewall policy auditor can apply their own judgement when choosing the value assigned to each rule. This severity level later appears in the reports if the statement is logged. Note: In Oracle AVDF release 20.5 and prior, the pre-defined Database Firewall policy does not define the threat severity value. In the reports it would appear as `undefined`.
`USER_NAME`	`VARCHAR2(255 BYTE)`	Name of user who performed the action in the application or system that generated the audit record. If this field contains `NULL`, then the audit record is invalid.
`AUDIT_TYPE` Oracle AVDF 20.3 and later	`VARCHAR2(255 CHAR)`	Audit types for Oracle Database target: `Standard` `FineGrainedAudit` `XS` `Database Vault` `Label Security` `RMAN_AUDIT` `Datapump` `Direct path API`
`APPLICATION_CONTEXT` Oracle AVDF 20.3 and later	`VARCHAR2(4000 BYTE)`	Application context information.
`DATABASE_NAME` Oracle AVDF 20.4 and later	`VARCHAR2(255 CHAR)`	The name of the DB2 database that contains the audit records.
`INSTANCE_NAME` Oracle AVDF 20.4 and later	`VARCHAR2(255 CHAR)`	The name of the instance which hosts the DB2 database.
`AUDIT_TRAIL_ID`	`NUMBER`	The ID of the audit trail.
`LOCATION`	`VARCHAR2(30 CHAR)`	The location of the audit trail. For example: Audit Table or Audit File.
`REPOSITORY_NAME`	`VARCHAR2(255 CHAR)`	PDB name of the CDB target.
`ROW_COUNT`	`NUMBER`	Number of rows returned (Database Firewall).
`SECURED_TARGET_CLASS`	`VARCHAR2(30 CHAR)`	The type of the target. For example: database or operating system.
`SECURED_TARGET_ID`	`NUMBER NOT NULL`	ID of the target.

B.4 Data for Alert Reports

The metadata for alert reports captures data such as alert definitions and alert IDs.

This section describes the data that you need to create alert reports:

Table B-5 describes the AVSYS.ALERT_STORE table, which has one row for each alert instance. Columns are in alphabetical order.

Table B-5 AVSYS.ALERT_STORE Table

Column	Data Type	Description
`ALERT_DEFINITION_ID`	`NUMBER`	ID number of definition of this alert.
`ALERT_ID`	`NUMBER`	ID number of alert instance.
`ALERT_NAME`	`VARCHAR2(255)`	Name of this alert in alert definition.
`ALERT_OWNER`	`VARCHAR2(30)`	Alert owner (same as alert definition owner).
`ALERT_SEVERITY`	`NUMBER`	Alert severity—1=Warning, 2=Critical.
`ALERT_STATUS`	`VARCHAR2(255)`	Alert status—`OPEN` or `CLOSED`.
`AV_ALERT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when alert instance was raised.
`CLEARED_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`
`EMAIL_CC_LIST`	`VARCHAR2(4000 BYTE)`	List of addresses for "cc" field of email about this alert instance.
`EMAIL_MESSAGE`	`VARCHAR2(4000 BYTE)`	Message in email about this alert instance.
`EMAIL_STATUS`	`VARCHAR2(30 BYTE)`	Indicates if email was sent for this alert instance.
`EMAIL_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when email about this alert instance was sent.
`EMAIL_TO_LIST`	`VARCHAR2(4000 BYTE)`	List of addresses for "to" field of email about this alert instance.
`ILM_TARGET`	`VARCHAR2(12)`	Information lifecycle management (ILM) string for partition.
`OLDEST_EVENT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time of first event that triggered this alert instance.

Table B-6 describes the AVSYS.ALERT_EVENT_MAP table, which maps each alert instance to its related events. When an alert instance is related to multiple events, each event has a different RECORD_ID. Columns are in alphabetical order.

Table B-6 AVSYS.ALERT_EVENT_MAP Table

Column	Data Type	Description
`ALERT_ID`	`NUMBER`	ID of alert instance.
`ALERT_OWNER`	`VARCHAR2(30)`	Alert owner, same as alert definition owner.
`EVENT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time of event that triggered this alert instance.
`ILM_TARGET`	`VARCHAR2(12)`	ILM string for partition.
`OLDEST_EVENT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time of first event that triggered this alert instance. If this alert instance is related to only one event, then this value is the same as the value of `EVENT_TIMESTAMP`.
`RECORD_ID`	`NUMBER`	Record ID of the event related to this alert instance.
`SECURED_TARGET_ID`	`NUMBER NOT NULL`	The ID of the target.
`SECURED_TARGET_NAME`	`VARCHAR2(255 CHAR) NOT NULL`	The name of the target.
`USER_NAME`	`VARCHAR2(255 CHAR)`	The user name of the event.

Table B-7 describes the AVSYS.ALERT_NOTE table, which stores notes for alert instances. Each alert instance can have multiple notes. Columns are in alphabetical order.

Table B-7 AVSYS.ALERT_NOTE Table

Column	Data Type	Description
`ALERT_ID`	`NUMBER`	ID of this note.
`ALERT_NOTE_ID`	`NUMBER`	ID of alert instance associated with this note.
`HEADER`	`VARCHAR2(4000 BYTE)`	Header of this note.
`ILM_TARGET`	`VARCHAR2(12)`	ILM string for partition.
`NOTE`	`CONTAINER VARCHAR2(30)`	Content of this note.
`NOTE_CREATOR`	`VARCHAR2(30)`	User who created this note.
`NOTE_OWNER`	`VARCHAR2(30)`	Owner of this note, same as alert definition.
`NOTE_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time when this note was created.
`OLDEST_EVENT_TIMESTAMP`	`TIMESTAMP WITH LOCAL TIME ZONE`	Time of first event that triggered this alert instance.

B.5 Data for Entitlement Reports

The metadata for entitlement reports captures data such as package, role, and schema entitlements.

This section describes the data that you need to create entitlement reports:

Note:

In each of the preceding table names, "UE" means "User Entitlement."

Table B-8 describes the AVSYS.UE_DBA_APPLICATION_ROLES table, which stores information about roles granted to Oracle Database packages. Columns are in alphabetical order.

Table B-8 AVSYS.UE_DBA_APPLICATION_ROLES

Column	Data Type	Description
`PACKAGE`	`VARCHAR2 (30)`	Name of Oracle Database package to which role was granted
`ROLE`	`VARCHAR2 (30)`	Role granted to package
`SCHEMA`	`VARCHAR2 (30)`	Schema to which package belongs
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table B-9 describes the AVSYS.UE_DBA_COL_PRIVS table, which stores information about privileges granted to users on individual columns of Oracle Database tables. Columns are in alphabetical order.

Table B-9 AVSYS.UE_DBA_COL_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`COLUMN_NAME`	`VARCHAR2 (30)`	Name of column on which privilege was granted
`GRANTABLE`	`VARCHAR2 (3)`	Whether the privilege was granted with the `GRANTABLE` option—`YES` or `NO`
`GRANTEE`	`VARCHAR2 (30)`	User to whom the column privilege was granted
`GRANTOR`	`VARCHAR2 (30)`	User who granted the column privilege to `GRANTEE`
`OWNER`	`VARCHAR2 (30)`	Column privilege owner
`PRIVILEGE`	`VARCHAR2 (40)`	Column privilege
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID
`TABLE_NAME`	`VARCHAR2 (30)`	Name of Oracle Database table to which column belongs

Table B-10 describes the AVSYS.UE_DBA_PROFILES table, which stores information about Oracle Database profiles. Columns are in alphabetical order.

Table B-10 AVSYS.UE_DBA_PROFILES

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`LIMIT`	`VARCHAR2 (40)`	Profile limit
`PROFILE`	`VARCHAR2 (30)`	Profile name
`RESOURCE_NAME`	`VARCHAR2 (32)`	Resource name
`RESOURCE_TYPE`	`VARCHAR2 (8)`	Resource type
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table B-11 describes the AVSYS.UE_DBA_ROLES table, which stores information about Oracle Database roles. The table has one row for each role. Columns are in alphabetical order.

Table B-11 AVSYS.UE_DBA_ROLES

Column	Data Type	Description
`AUTHENTICATION_TYPE`	`VARCHAR2 (8)`	Authentication mechanism for this user: `EXTERNAL - CREATE USER user1 IDENTIFIED EXTERNALLY` `GLOBAL - CREATE USER user2 IDENTIFIED GLOBALLY` `PASSWORD - CREATE USER user3 IDENTIFIED BY user3`
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`PASSWORD_REQUIRED`	`VARCHAR2 (8)`	Whether the role requires a password—`YES` or `NO`
`ROLE`	`VARCHAR2 (30)`	Name of the role
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table B-12 describes the AVSYS.UE_DBA_ROLE_PRIVS table, which stores information about the roles granted to users and roles. Columns are in alphabetical order.

Table B-12 AVSYS.UE_DBA_ROLE_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`ADMIN_OPTION`	`VARCHAR2 (3)`	Whether the privilege was granted with the `ADMIN` option—`YES` or `NO`
`DEFAULT_ROLE`	`VARCHAR2 (3)`	Whether the role is the default role for the user—`YES` or `NO`
`GRANTED_ROLE`	`VARCHAR2 (30)`	Name of the role granted to the user or role
`GRANTEE`	`VARCHAR2 (30)`	Name of the user or role to which the `GRANTED_ROLE` was granted
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table B-13 describes the AVSYS.UE_DBA_SYS_PRIVS table, which stores information about the system privileges granted to users and roles. Columns are in alphabetical order.

Table B-13 AVSYS.UE_DBA_SYS_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`ADMIN_OPTION`	`VARCHAR2 (3)`	Whether the privilege was granted with the `ADMIN` option—`YES` or `NO`
`GRANTEE`	`VARCHAR2 (30)`	Name of the user or role to whom the system privilege was granted
`PRIVILEGE`	`VARCHAR2 (40)`	System privilege
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table B-14 describes the AVSYS.UE_DBA_TAB_PRIVS table, which stores information about the privileges granted to users on objects. Columns are in alphabetical order.

Table B-14 AVSYS.UE_DBA_TAB_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`GRANTABLE`	`VARCHAR2 (3)`	Whether the privilege was granted with the `GRANTABLE` option—`YES` or `NO`
`GRANTEE`	`VARCHAR2 (30)`	User to whom the privilege was granted
`GRANTOR`	`VARCHAR2 (30)`	User who granted the privilege to `GRANTEE`
`HIERARCHY`	`VARCHAR2 (3)`	Whether the privilege was granted with the `HIERARCHY` option—`YES` or `NO`
`OWNER`	`VARCHAR2 (30)`	Owner of the object
`PRIVILEGE`	`VARCHAR2 (40)`	Privilege on the object
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID
`TABLE_NAME`	`VARCHAR2 (30)`	Name of the object on which privilege was granted
`TYPE`	`VARCHAR2 (24)`	Object type (table, view, sequence, etc.)

Table B-15 describes the AVSYS.UE_DBA_USERS table, which has a row for every Oracle Database user. Columns are in alphabetical order.

Table B-15 AVSYS.UE_DBA_USERS

Column	Data Type	Description
`ACCOUNT_STATUS`	`VARCHAR2 (32)`	User account status, which is one of these: `OPEN` `EXPIRED` `EXPIRED(GRACE)` `LOCKED(TIMED)` `LOCKED` `EXPIRED & LOCKED(TIMED)` `EXPIRED(GRACE) & LOCKED(TIMED)` `EXPIRED & LOCKED` `EXPIRED(GRACE) & LOCKED`
`AUTHENTICATION_TYPE`	`VARCHAR2 (8)`	Authentication mechanism for this user: `EXTERNAL - CREATE USER user1 IDENTIFIED EXTERNALLY` `GLOBAL - CREATE USER user2 IDENTIFIED GLOBALLY` `PASSWORD - CREATE USER user3 IDENTIFIED BY user3`
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`CREATED`	`TIMESTAMP (0) WITH LOCAL TIME ZONE`	Date when user account was created
`DEFAULT_TABLESPACE`	`VARCHAR2 (30)`	Default tablespace for user
`EDITIONS_ENABLED`	`VARCHAR2 (1)`	Indicates whether editions have been enabled for the corresponding user (`Y` or `N`)
`EXPIRY_DATE`	`TIMESTAMP (0) WITH LOCAL TIME ZONE`	Date when user account expires or expired
`EXTERNAL_NAME`	`VARCHAR2 (4000)`	External name of user
`INITIAL_RSRC_CONSUMER_GROUP`	`VARCHAR2 (30)`	Initial resource consumer group
`LAST_LOGON`	`TIMESTAMP (9) WITH LOCAL TIME ZONE`	For Oracle Database 12c, time when user last logged on
`LOCK_DATE`	`TIMESTAMP (0) WITH LOCAL TIME ZONE`	Date when user account was locked
`ORACLE_MAINTAINED`	`CHAR (1)`	For Oracle Database 12c, whether user was created, and is maintained, by Oracle-supplied scripts. A value of `Y` means that user must not be changed in any way except by running an Oracle-supplied script.
`PROFILE`	`VARCHAR2 (30)`	User profile
`PROXY_ONLY_CONNECT`	`CHAR (1)`	For Oracle Database 12c, whether this user can connect only through a proxy
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID
`TEMPORARY_TABLESPACE`	`VARCHAR2 (30)`	Temporary tablespace for user
`USERNAME`	`VARCHAR2 (30)`	Oracle Database user name

Table B-16 describes the AVSYS.UE_ROLE_SYS_PRIVS table, which stores information about system privileges granted to roles. Columns are in alphabetical order.

Table B-16 AVSYS.UE_ROLE_SYS_PRIVS

Column	Data Type	Description
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`ADMIN_OPTION`	`VARCHAR2 (3)`	Whether the privilege was granted with the `ADMIN` option—`YES` or `NO`
`PRIVILEGE`	`VARCHAR2 (40)`	System privilege granted to the role
`ROLE`	`VARCHAR2 (30)`	Name of role
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table B-17 describes the AVSYS.UE_ROLE_TAB_PRIVS table, which stores information about the table privileges granted to roles. Columns are in alphabetical order.

Table B-17 AVSYS.UE_ROLE_TAB_PRIVS

Column	Data Type	Description
`COLUMN_NAME`	`VARCHAR2 (30)`	Name of column on which privilege was granted
`COMMON`	`VARCHAR2 (3)`	For Oracle Database 12c, whether the user is common to a CDB and PDB: `Y` - user is common to both `N` - user is local to PDB `Null` - database is not a CDB or PDB
`GRANTABLE`	`VARCHAR2 (3)`	Whether the privilege was granted with the `GRANTABLE` option—`YES` or `NO`
`OWNER`	`VARCHAR2 (30)`	Table privilege owner
`PRIVILEGE`	`VARCHAR2 (40)`	Table privilege
`ROLE`	`VARCHAR2 (30)`	Role to which table privilege was granted
`TABLE_NAME`	`VARCHAR2 (30)`	Name of Oracle Database table on which privilege was granted
`UE_SNAPSHOT_SNAPSHOT_ID`	`NUMBER`	Snapshot ID

Table B-18 describes the AVSYS.UE_SYS_DBA_OPER_USERS table, which stores information about all users in the password file. Columns are in alphabetical order.

Table B-18 AVSYS.UE_SYS_DBA_OPER_USERS

Column	Data Type	Description
`CONTAINER`	`VARCHAR2 (30)`	For Oracle Database 12c, the container (CDB) identifier.
`SNAPSHOT_ID`	`NUMBER`	Snapshot ID
`SYSASM`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSASM` privilege—`TRUE` or `FALSE`.
`SYSBACKUP`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSBACKUP` privilege—`TRUE` or `FALSE`.
`SYSDBA`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSDBA` privilege—`TRUE` or `FALSE`.
`SYSDG`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSDG` privilege—`TRUE` or `FALSE`.
`SYSKM`	`VARCHAR2 (5)`	Whether the user can connect to the database with the `SYSKM` privilege—`TRUE` or `FALSE`.
`SYSOPER`	`VARCHAR2 (8)`	Whether the user can connect to the database with the `SYSOPER` privilege—`TRUE` or `FALSE`.
`USERNAME`	`VARCHAR2 (30)`	User name in the password file

B.6 Data for SPA Reports

The metadata for stored Stored Procedure Auditing (SPA) reports captures data such as target IDs and object IDs.

This section describes data that you need to create custom Stored Procedure Auditing (SPA) reports:

Table B-19 describes the AVSYS.SPA_OBJECTS table, which stores summary data about stored procedure objects.

Table B-19 AVSYS.SPA_OBJECTS

Column	Data Type	Description
`ID`	`INTEGER`	Unique identifier for the object
`SECURED_TARGET_ID`	`INTEGER`	The target source of database objects
`OBJECT_SUBTYPE`	`VARCHAR2(40 BYTE)`	The subtype of the object
`OBJECT_CLASS`	`VARCHAR2(40 BYTE)`	The class of the object
`NAME`	`VARCHAR2 (1024 CHAR)`	The name of the object
`CHANGED_BY`	`VARCHAR2 (2048 CHAR)`	Comma-separated database users that modified the object
`LAST_CHANGED_AT`	`TIMESTAMP WITH LOCAL TIME ZONE`	The date and time when the object was changed
`LAST_SIGNATURE`	`VARCHAR2 (40 BYTE)`	The hash of the object (signature change means object change)
`LAST_EDIT_TYPE`	`VARCHAR2 (40 BYTE)`	The most recent type of the change
`EDIT_CNT_NEW`	`INTEGER`	Keeps the number of "new" edit records is for this object
`EDIT_CNT_MODIFY`	`INTEGER`	Keeps the number of "modify" edit records is for this object
`EDIT_CNT_DELETE`	`INTEGER`	Keeps the number of "delete" edit records is for this object
`CHANGES_SUMMARY`	`VARCHAR2(255 CHAR)`	The summary of the changes
`UPDATED_AT`	`TIMESTAMP WITH LOCAL TIME ZONE`	The date and time when the record was updated by the Database Firewall software

Table B-20 describes the AVSYS.SPA_EDITS table, which stores data about, and the content of, stored procedure edits.

Table B-20 AVSYS.SPA_EDITS

Column	Data Type	Description
`ID`	`INTEGER`	Unique identifier for the object
`OBJECT_ID`	`INTEGER`	Foreign key that references the `ID` column of the `AVSYS.SPA_OBJECTS` table
`SIGNATURE`	`VARCHAR2 (40 BYTE)`	The hash of the object (signature change means object change)
`CONTENT`	`CLOB`	The new content of the object
`EDIT_TYPE`	`VARCHAR2 (40 BYTE)`	The type of the change
`CHANGED_BY`	`VARCHAR2 (255 CHAR)`	The database user that modified the object
`CHANGED_AT`	`TIMESTAMP WITH LOCAL TIME ZONE`	The date and time when the object was changed
`DETECTED_AT`	`TIMESTAMP WITH LOCAL TIME ZONE`	The date and time when the change was detected on the controller

B.7 Data for Database Firewall Reports

The metadata for custom Database Firewall reports captures data such as target databases and types of statements included.

This section describes data that you need to create custom Database Firewall reports:

Table B-21 describes the AVSYS.FW_CLUSTERS table, which provides summary data on cluster traffic to target databases, and gives an example statement that would appear in a given cluster.

Table B-21 AVSYS.FW_CLUSTER

Column	Data Type	Description
`ID`	`NUMBER`	Cluster global identifier
`SECURED_TARGET_ID`	`INTEGER`	The target database for this cluster
`GRAMMAR_VERSION`	`INTEGER`	Version number of the Database Firewall grammar
`FIREWALL_DIALECT`	`SMALLINTEGER`	Database type of the cluster. See Also: Table B-2 for meaning.
`CLUSTER_TYPE`	`VARCHAR2 (40 BYTE)`	Type of statements included in the cluster
`REPRESENTATION`	`CLOB`	Cluster path representation
`CLUSTER_EXAMPLE`	`CLOB`	An example statement in the cluster

Table B-22 describes the AVSYS.FW_CLUSTER_COMPONENTS table, which provides cluster data broken down into cluster components. This data may be used, for example, to report on clusters related to a specific database table or table column.

Table B-22 AVSYS.FW_CLUSTER_COMPONENT

Column	Data Type	Description
`CLUSTER_ID`	`INTEGER`	Foreign key that references the ID column of the `AVSYS.FW_CLUSTERS` table
`COMPONENT_INDEX`	`INTEGER`	Index of the component (starts with 1)
`COMPONENT_TYPE`	`VARCHAR2(50 BYTE)`	Component type may be one of: `'keyword`', `'column'`, `'table'`, `'procedure`', `'cluster_set'`, `'function`', `'_'`
`COMPONENT_VALUE`	`VARCHAR2(4000 CHAR)`	The component string
`COMPONENT_USAGE`	`VARCHAR2(50 BYTE)`	Component usage may be one of: `NULL,'read`', `'write'`, `'define'`, `'call`', `'control'`