Before you can start using Oracle Database Vault, you must register it with the Oracle database.
Topics:
You can register Oracle Database Vault for either a non-multitenant environment or a multitenant environment.
Topics:
About Registering Oracle Database Vault with an Oracle Database
Registering Oracle Database Vault in a Non-Multitenant Environment
Registering Oracle Database Vault with a Common User to Manage the CDB Root
Registering Database Vault Common Users to Manage Specific PDBs
Creating Common Database Vault Accounts for a Plugged in Database Vault PDB
Verifying That Oracle Database Vault Is Configured and Enabled
After you install Oracle Database, you must register (that is, configure and enable) Oracle Database Vault with the Oracle database in which it was installed.
Oracle Database includes Database Vault when you choose to include a default database in the installation process, but you must register it before you can use it. If you create a custom database, then you can use DBCA to install and enable Database Vault for it. As part of the registration process, you create the Database Vault administrative accounts. The registration process enables Oracle Label Security if it is not already enabled. Oracle Label Security is required for Oracle Database Vault but it does not require a separate license unless you begin using Oracle Label Security separately and create Oracle Label Security policies. This procedure applies to the current pluggable database (PDB), as well as to both single-instance and Oracle RAC installations. To check if Database Vault has already been enabled, see Verifying That Oracle Database Vault Is Configured and Enabled.
This section explains how to register Oracle Database Vault in a non-multitenant environment, and several ways that you can register it in a multitenant environment.
You can register Oracle Database Vault from SQL*Plus in a non-multitenant environment.
See Also:
Verifying That Oracle Database Vault Is Configured and Enabled to confirm that this procedure was successful
Logging into Oracle Database Vault for information about logging in to Oracle Database Vault Administrator
Backup Oracle Database Vault Accounts for more information about the importance of creating backup accounts
In SQL*Plus, you can register Oracle Database Vault with a common user who will manage the CDB root.
See Also:
Verifying That Oracle Database Vault Is Configured and Enabled to confirm that this procedure was successful
Logging into Oracle Database Vault for information about logging in to Oracle Database Vault Administrator
Backup Oracle Database Vault Accounts for information about the importance of backup accounts
In a multitenant environment, you must register Oracle Database Vault in the root first, then in the PDBs.
ORA-47503: Database Vault is not enabled on CDB$ROOT
error appears.See Also:
Verifying That Oracle Database Vault Is Configured and Enabled to confirm that this procedure was successful
Logging into Oracle Database Vault for information about logging in to Oracle Database Vault Administrator
From SQL*Plus, in a multitenant environment, you can plug in a database that already has Database Vault enabled.
See Also:
Verifying That Oracle Database Vault Is Configured and Enabled to confirm that this procedure was successful
Logging into Oracle Database Vault for information about logging in to Oracle Database Vault Administrator
The V$OPTION
dynamic view and the DVSYS.DBA_DV_STATUS
and DBA_OLS_STATUS
data dictionary views verify if Oracle Database is configured and enabled.
To query the V$OPTION
dynamic view:
To find if Oracle Database Vault is configured and enabled, run the following query, which should show the VALUE
setting as TRUE
:
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
To check if Oracle Label Security is enabled, query V$OPTION
as follows:
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
DVSYS.DBA_DV_STATUS
data dictionary view for the status or Oracle Database Vault:
SELECT * FROM DVSYS.DBA_DV_STATUS;
Output similar to the following appears:
NAME STATUS -------------------- ----------- DV_CONFIGURE_STATUS FALSE DV_ENABLE_STATUS FALSE
To find the enablement and configuration status for Oracle Label Security, query the DBA_OLS_STATUS
data dictionary view, which provides output similar to DVSYS.DBA_DV_STATUS
.
Oracle Enterprise Manager Cloud Control (Cloud Control) provides pages for Oracle Database Vault.
This tutorial shows how to create a realm around the HR
schema.
Topics:
In this tutorial, you create a realm around for the HR
sample database schema by using the Oracle Database Vault PL/SQL packages.
In the HR
schema, the EMPLOYEES
table has information such as salaries that should be hidden from most employees in the company, including those with administrative access. To accomplish this, you add the HR
schema to the secured objects of the protection zone, which in Oracle Database Vault is called a realm, inside the database. Then you grant limited authorizations to this realm. Afterward, you test the realm to make sure it has been properly secured. And finally, to see how Oracle Database Vault provides an audit trail on suspicious activities like the one you will try when you test the realm, you will run a report.
Realms can protect one or more schemas, individual schema objects, and database roles.
Once you create a realm, you can create security restrictions that apply to the schemas and their schema objects within the realm.
Your first step is to create a realm for the HR
schema.
At this stage, you have created the realm but you have not assigned any authorizations to it. You will take care of that later on in this tutorial.
At this stage, there are no database accounts or roles authorized to access or otherwise manipulate the database objects the realm will protect.
So, the next step is to authorize database accounts or database roles so that they can have access to the schemas within the realm. You will create the SEBASTIAN
user account.
Do not exit SQL*Plus; you will need it for Step 6: Test the Realm, when you test the realm.
At this stage, have user SEBASTIAN
test the realm, even though he has the READ ANY TABLE
system privilege.
SEBASTIAN
has the READ ANY TABLE
system privilege, he cannot query the HR.EMPLOYEES
table, because the HR Apps realm takes precedence over the READ ANY TABLE
system privilege.Next, user SEBASTIAN
must be granted authorization to the HR Apps realm, so that he can access the HR.EMPLOYEES
table.
To test the realm, you must try to access the EMPLOYEES
table as a user other than HR
.
The SYSTEM
account normally has access to all objects in the HR
schema, but now that you have safeguarded the EMPLOYEES
table with Oracle Database Vault, this is no longer the case.
In SQL*Plus, connect as SYSTEM
.
CONNECT SYSTEM -- Or, CONNECT SYSTEM@hrpdb Enter password: password
Try accessing the salary information in the EMPLOYEES
table again:
SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;
The following output should appear:
Error at line 1: ORA-01031: insufficient privileges
SYSTEM
no longer has access to the salary information in the EMPLOYEES table. (In fact, even user SYS
does not have access to this table.) However, user SEBASTIAN
does have access to this information.
Connect as user SEBASTIAN
.
CONNECT sebastian -- Or, CONNECT sebastian@hrpdb Enter password: password
Perform the following query:
SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;
Output similar to the following appears:
FIRST_NAME LAST_NAME SALARY -------------------- ------------------------- ---------- Steven King 24000 Neena Kochhar 17000 Lex De Haan 17000 Alexander Hunold 9000 Bruce Ernst 6000 David Austin 4800 Valli Pataballa 4800 Diana Lorentz 4200 Nancy Greenberg 12008 9 rows selected.
Because you enabled auditing on failure for the HR Apps realm, you can generate a report to find any security violations.
For example, you could generate a report for the violation that you attempted in Step 6: Test the Realm.
Oracle Database Vault generates a report listing the type of violation (in this case, the SELECT
statement entered in the previous section), when and where it occurred, the login account who tried the violation, and what the violation was.
You can remove the components that you created for this tutorial if you no longer need them.
Drop user SEBASTIAN
.
In SQL*Plus, log on as the Oracle Database Vault account manager (for example, bea_dvacctmgr
) and then drop SEBASTIAN
as follows:
sqlplus bea_dvacctmgr -- Or, CONNECT bea_dvacctmgr@hrpdb Enter password: password DROP USER SEBASTIAN;
Delete the HR Apps realm.
In Cloud Control, ensure that you are logged in as a user who has the DV_OWNER
role.
In the Database Vault Home page, click Administration.
In the Realms page, select HR Apps
from the list of realms.
Click Delete, and in the Confirmation window, click Yes.
If necessary, in SQL*Plus, lock and expire the HR
account.
ALTER USER HR ACCOUNT LOCK PASSWORD EXPIRE;