Oracle DB Vault New Features in Oracle 12c Release 1 – Part 3: Oracle Enterprise Manager Cloud Control to Manage DB Vault

Starting with Oracle 12c Release 1, all Database Vault functionality can be managed from Oracle Enterprise Manager Cloud Control. The procedures and functions of the DBMS_MACADM PL/SQL package are exposed through Enterprise Manager pages, and for every operation you can see the script that will actually be executed by pressing the Show SQL button. Make a habit of reading it: the generated script runs with the privileges of the DV_OWNER account you logged on with, so review it before confirming the operation.

To run Database Vault Administrator you must connect to Enterprise Manager with a database user who has the DV_OWNER role. After logon the Database Vault home page appears like this:

db-vault01

On this page you can see:

  • Violations against DB Vault rules (realm and command rule violations)
  • Database Vault alerts
  • Audit reports

To work on DB Vault objects you have to go to the Administration section. The picture below shows the Command Rules page of the Administration section.

db-vault02

To see the Oracle-defined command rules as well, tick the Show Oracle defined Command Rules box. To create a new command rule, click the Create button.

db-vault03

On this page you enter all the parameters needed for a new command rule: the SQL command, the schema and object pattern it applies to, the rule set that must evaluate to true for the command to be allowed, and whether the rule is enabled. Clicking the Show SQL button shows the DBMS_MACADM script that will create it:

db-vault04


For example, to see all details of a command rule, select it

db-vault05

and then double-click it.

db-vault06
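The script that Show SQL produces for a command rule is ordinary DBMS_MACADM PL/SQL, and it is worth knowing it, because a rule is only as good as the rule set behind it. The following is an added example (not code from the original post or from Oracle) that builds a complete command rule by hand: a rule, a rule set that uses it, and the command rule that binds the rule set to DROP TABLE on one schema. The schema HR and all rule, rule set and message names are assumptions; run it as the DV_OWNER account.

```sql
-- Added example: the DBMS_MACADM calls behind an Enterprise Manager command rule.
-- Assumptions: schema HR exists; rule, rule-set and message names are invented.
-- Run as the DV_OWNER account (DBMS_MACADM and DBMS_MACUTL are owned by DVSYS).

-- 1. A rule is a boolean SQL expression evaluated when the command is issued.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Maintenance Window',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) BETWEEN 1 AND 4');
END;
/

-- 2. A rule set groups rules and says what happens when they fail:
--    here every rule must pass, failures are audited and the message is shown.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR DDL Allowed',
    description     => 'DDL on HR objects only in the nightly maintenance window',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on HR is only allowed between 01:00 and 04:00',
    fail_code       => 20001,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL,
    is_static       => FALSE);
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR DDL Allowed',
    rule_name     => 'Is Maintenance Window');
END;
/

-- 3. The command rule binds the rule set to a SQL command and an object pattern.
--    '%' for object_name covers every table in HR.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'HR DDL Allowed',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/

-- 4. Verify what Database Vault now enforces for the HR schema.
SELECT command, rule_set_name, object_owner, object_name, enabled
FROM   dvsys.dba_dv_command_rule
WHERE  object_owner = 'HR';
```

The command rule applies to every user, including SYS and users with DROP ANY TABLE; that is the point of a command rule as opposed to a privilege. Outside the window a DROP TABLE on HR fails with the fail_message above and the attempt is recorded in the Database Vault audit trail, which is what the Violations section on the home page reports.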

Another DB Vault capability is controlling who may perform certain sensitive database operations. For example, you can define which users may run Data Pump operations, GoldenGate operations or database patching. You define these users in Oracle Enterprise Manager by choosing the Database Operation Authorization section:

db-vault08


After choosing the Database Operation Authorization section you can see all database operations that are controlled by DB Vault:

db-vault09


From this page you can add, edit or delete the authorized usernames for each database operation. Treat these authorizations like any other privilege: grant them to named users, limit them to the schema they actually need, and remove them when the task is finished.
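Behind the Database Operation Authorization page are DBMS_MACADM authorization procedures and a few Database Vault roles. The following is an added example (not code from the original post) showing the equivalent calls for Data Pump, Scheduler jobs, DDL on a protected schema and patching, together with the views that list the current authorizations. The usernames DP_ADMIN, SCHED_ADMIN and APP_DEPLOY and the schema HR are assumptions; run it as the DV_OWNER account.

```sql
-- Added example: the DBMS_MACADM equivalents of the Database Operation
-- Authorization page. Assumed names: DP_ADMIN, SCHED_ADMIN, APP_DEPLOY, HR.
-- Run as the DV_OWNER account.

-- Data Pump: allow DP_ADMIN to export/import only the HR schema.
-- Leaving schema (and tname) NULL would authorize the whole database.
BEGIN
  DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    uname  => 'DP_ADMIN',
    schema => 'HR');
END;
/

-- Scheduler: allow SCHED_ADMIN to create jobs that run in the HR schema.
BEGIN
  DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(
    uname => 'SCHED_ADMIN',
    sname => 'HR');
END;
/

-- DDL in a realm-protected schema by a deployment account.
BEGIN
  DVSYS.DBMS_MACADM.AUTHORIZE_DDL(
    user_name   => 'APP_DEPLOY',
    schema_name => 'HR');
END;
/

-- Patching: the DV owner grants the patch role only for the patch window.
-- (GoldenGate uses the DV_GOLDENGATE_ADMIN and DV_GOLDENGATE_REDO_ACCESS
--  roles in the same way in 12.1.0.2 and later.)
GRANT DV_PATCH_ADMIN TO SYS;
-- REVOKE DV_PATCH_ADMIN FROM SYS;   -- run after the patch is applied

-- Review who is currently authorized for what.
SELECT 'DATAPUMP'  AS kind, grantee, schema, object FROM dvsys.dba_dv_datapump_auth
UNION ALL
SELECT 'SCHEDULER' AS kind, grantee, schema, NULL   FROM dvsys.dba_dv_job_auth
UNION ALL
SELECT 'DDL'       AS kind, grantee, schema, NULL   FROM dvsys.dba_dv_ddl_auth;

-- Remove an authorization as soon as it is no longer needed.
BEGIN
  DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
    uname  => 'DP_ADMIN',
    schema => 'HR');
END;
/
```

Note that a Data Pump or DDL authorization only removes the Database Vault check; the user still needs the ordinary Oracle privileges (DATAPUMP_EXP_FULL_DATABASE, CREATE ANY TABLE and so on) for the operation itself. The three SELECTs at the end are the ones to keep in a periodic review, since an authorization left behind after a migration is a standing bypass of the realms that protect that schema.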

As you can see, in Oracle 12c Release 1 all Oracle DB Vault functionality is available from Enterprise Manager, and the most important point is that Oracle no longer supports the old standalone Database Vault Administrator console from Oracle 12c on. If you are a Database Vault administrator you should therefore learn the Enterprise Manager DB Vault pages, and the DBMS_MACADM API behind them.


Oracle DB Vault New Features in Oracle 12c R1 – Part 1: Changes at DB Vault Installation

There are many changes to Oracle DB Vault in Oracle 12c. In this note I describe the changes to the DB Vault installation.

  1. DB Vault Installation

In Oracle 11g you had to relink the Oracle binary before installing Oracle DB Vault. This step is not needed in Oracle 12c.

In Oracle 11g the binary was relinked with the chopt command, like this:

$ chopt enable lbac

$ chopt enable dv

In Oracle 12c both options are already linked into the binary, so there is nothing to relink.

In Oracle 11g you had to use dbca both to install and to configure DB Vault. In Oracle 12c you only need dbca to install the Oracle Label Security and Oracle DB Vault components; the configuration can be done with the DVSYS.CONFIGURE_DV procedure. You can still do the configuration with dbca, but it is optional.

In Oracle 12c the DB Vault component is installed on this dbca page:

Capture

The DB Vault configuration can also be done with dbca, but it is optional:

Capture

This gives us flexibility: during database creation the DBA can install Oracle DB Vault without configuring it, and after the installation is complete the security officer can configure DB Vault without DBA intervention. This is the separation of duties Database Vault is built around: the DBA who creates the database is not the person who decides what it protects.

The query below shows that the DB Vault component is installed. It does not mean that DB Vault is configured or enabled.

SQL> select comp_id, status from dba_registry where comp_id in ('OLS','DV');

COMP_ID    STATUS
---------- -----------
DV         VALID
OLS        VALID

With DVSYS.CONFIGURE_DV you specify which user is the DB Vault owner (it receives the DV_OWNER role) and which user is the database account manager (it receives DV_ACCTMGR). Both accounts must already exist, and for separation of duties they must be two different users.

SQL> BEGIN
       DVSYS.CONFIGURE_DV (
         dvowner_uname   => 'dvowner',
         dvacctmgr_uname => 'dvacctmngr');
     END;
     /

PL/SQL procedure successfully completed.

This procedure is new in Oracle 12c and lets the security officer configure DB Vault alone. After the component installation you do not need to restart the database, but you do need to run utlrp.sql to recompile invalid objects. Note that CONFIGURE_DV only configures DB Vault: realms and command rules are not enforced until the DB Vault owner runs DBMS_MACADM.ENABLE_DV and the database is restarted.
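Because "installed", "configured" and "enabled" are three different states in 12c, a practitioner should check all three before trusting that a database is protected. The following is an added example (not code from the original post) that does exactly that; it only reads dictionary and Database Vault views and can be run as SYSDBA or any account with access to them.

```sql
-- Added example: tell apart installed / configured / enabled in Oracle 12c.
-- Read-only; run as SYSDBA or a user with access to these views.

-- 1. Installed: the components are registered in the data dictionary.
SELECT comp_id, status
FROM   dba_registry
WHERE  comp_id IN ('DV', 'OLS');

-- 2. Linked and active in the instance: in 12c this reports TRUE only once
--    Database Vault has been enabled and the instance restarted.
SELECT parameter, value
FROM   v$option
WHERE  parameter IN ('Oracle Database Vault', 'Oracle Label Security');

-- 3. Configured (CONFIGURE_DV ran) versus enabled (ENABLE_DV ran + restart).
--    Only DV_ENABLE_STATUS = TRUE means realms and command rules are enforced.
SELECT name, status
FROM   dvsys.dba_dv_status;

-- 4. Who holds the two separated-duty roles; these must be different accounts
--    and there should be no unexpected grantees.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
AND    grantee <> 'DVSYS'
ORDER  BY granted_role, grantee;
```

A database that shows DV VALID in dba_registry but DV_ENABLE_STATUS FALSE is a common finding in reviews: the component was installed at creation time and nobody completed the configuration, so none of the Database Vault controls are in effect.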


Installing Oracle DB Vault to Oracle 11g Database


In this document I show how to install Oracle DB Vault in an Oracle 11g database.

Step 1: Check If DB Vault installed before

We use the GV$OPTION view to check this. I checked DB Vault on a two-node RAC database.

SQL> column parameter format a25
SQL> column value format a25
SQL> SELECT * FROM gv$option WHERE parameter in ('Oracle Database Vault','Oracle Label Security');

   INST_ID PARAMETER                 VALUE
---------- ------------------------- -------------------------
         1 Oracle Label Security     FALSE
         1 Oracle Database Vault     FALSE
         2 Oracle Label Security     FALSE
         2 Oracle Database Vault     FALSE

If Oracle Database Vault and Oracle Label Security are already linked (all values returned by this query are TRUE), go to step 3.

Step 2: Enable Oracle Label Security and Oracle DB Vault

2.1 Close the database

Shut down the Oracle database, stop the listener (if a listener runs from this ORACLE_HOME) and stop Enterprise Manager Database Control (if it uses this ORACLE_HOME):

SQL> SHUTDOWN IMMEDIATE

$ lsnrctl stop listener

$ emctl stop dbconsole

2.2 Enable DB Vault Binaries

Now enable Oracle Label Security and then Oracle Database Vault with the following commands (with a non-shared ORACLE_HOME on RAC, run them on every node):

$ chopt enable lbac

$ chopt enable dv

2.3 Open the Database

After enabling Oracle Label Security and DB Vault, open the database and restart the other services you stopped.

SQL> startup

$ lsnrctl start listener

$ emctl start dbconsole

2.4 Check if Binaries linked properly

Now Check DB vault and Oracle Label Security.

SQL> column parameter format a25
SQL> column value format a25
SQL> SELECT * FROM gv$option WHERE parameter in ('Oracle Database Vault','Oracle Label Security');

   INST_ID PARAMETER                 VALUE
---------- ------------------------- -------------------------
         1 Oracle Label Security     TRUE
         1 Oracle Database Vault     TRUE
         2 Oracle Label Security     TRUE
         2 Oracle Database Vault     TRUE

All returned values have to be TRUE

Step 3 : Install DB Vault

Now it is time to install DB Vault. Start the installation with dbca:

$ dbca

Choose the Configure Database Options option.

Choose the correct database name for the DB Vault installation (if there are multiple databases in the same ORACLE_HOME).

Skip the Enterprise Manager configuration.

Now choose Oracle Label Security and Oracle Database Vault to install them.

Now enter the usernames and passwords for the Database Vault Owner and the Account Manager separately. They must be two different accounts.

Choose Finish to start the installation.

The installation will start, and the progress window shows its status. After the installation finishes you can close dbca.

DB Vault is now installed in your database. Connect with the DV Owner and Account Manager usernames to check the installation.

At the following notes I will show you how you can manage Oracle DB Vault.

HOW TO UNINSTALL ORACLE DB VAULT


In this note I show how to uninstall DB Vault from an Oracle 11g R2 database. This can be necessary for several reasons.

For example, when you no longer want to use the DB Vault option in your database you can decide to uninstall it completely.

Sometimes there are problems during the installation and it halts in the middle. After fixing the problem in the database you need to uninstall the incomplete installation before trying again.


The configuration is:

Host: Oracle Linux 6

Database: Oracle 11g R2 (11.2.0.4)


Now we can start the uninstallation.

First check that DB Vault is actually installed:

SQL> column parameter format a40
SQL> column value format a10
SQL> select parameter, value from v$option where parameter in ('Oracle Database Vault','Oracle Label Security');

PARAMETER                                VALUE
---------------------------------------- ----------
Oracle Label Security                    TRUE
Oracle Database Vault                    TRUE


Shut down the database and stop the listener:

sqlplus / as sysdba

SQL> shutdown immediate

Database closed.

Database dismounted.

ORACLE instance shut down.

[oracle@localhost admin]$ lsnrctl stop

LSNRCTL for Linux: Version 11.2.0.4.0 – Production on 22-SEP-2016 10:52:39

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.2.15)(PORT=1521)))

The command completed successfully

If you have Database Control, stop it as well.

Unlink Oracle Label Security

This step is not necessary: if you want to keep using Oracle Label Security you can skip it.


[oracle@localhost admin]$ chopt disable lbac

 

Writing to /u01/app/oracle/product/11.2.0/db_1/install/disable_lbac.log…

/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk lbac_off ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1

/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1


Unlink Oracle Database Vault


[oracle@localhost admin]$ chopt disable dv

Writing to /u01/app/oracle/product/11.2.0/db_1/install/disable_dv.log…

/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk dv_off ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1

/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1


[oracle@localhost admin]$

Start Database and listeners


[oracle@localhost admin]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Thu Sep 22 10:56:23 2016

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Connected to an idle instance.

SQL> startup

ORACLE instance started.

Total System Global Area 1653518336 bytes

Fixed Size            2253784 bytes

Variable Size           1056967720 bytes

Database Buffers    587202560 bytes

Redo Buffers                7094272 bytes

Database mounted.

Database opened.


[oracle@localhost ~]$ lsnrctl start


Listening Endpoints Summary…

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.2.15)(PORT=1521)))

Services Summary…

Service “DB11G” has 1 instance(s).

Instance “DB11G”, status UNKNOWN, has 1 handler(s) for this service…

The command completed successfully

Find the users who have the DV_OWNER and DV_ACCTMGR roles; dvremov.sql does not drop them, so they have to be dropped manually later:

SQL> select unique grantee from dba_role_privs
     where granted_role in ('DV_ACCTMGR','DV_OWNER')
     and grantee <> 'DVSYS';


GRANTEE

——————————

DVOWNER

DVACCTMNGR
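dvremov.sql removes the whole Database Vault configuration, including every custom realm, rule set and command rule, and the standard reason for an uninstall is a reinstall. Before running it, take an inventory of the policy so that it can be recreated afterwards and so that the security officer has a record of what protection was in place. The following is an added example (not code from the original post) that spools that inventory; run it in SQL*Plus as the DV owner account (DVOWNER on this page), which is authorized in the Oracle Database Vault realm that protects these views. The spool file name is an assumption.

```sql
-- Added example: inventory the Database Vault policy before dvremov.sql.
-- Run in SQL*Plus as the DV owner (DVOWNER here); spool name is assumed.
SET LINESIZE 200 PAGESIZE 500
COLUMN name FORMAT a45
COLUMN realm_name FORMAT a45
COLUMN rule_set_name FORMAT a45
COLUMN rule_name FORMAT a45
COLUMN rule_expr FORMAT a80
COLUMN fail_message FORMAT a60
SPOOL dv_policy_before_removal.lst

PROMPT === Realms, the objects they protect and who is authorized in them ===
SELECT name, enabled, audit_options
FROM   dvsys.dba_dv_realm
ORDER  BY name;

SELECT realm_name, owner, object_name, object_type
FROM   dvsys.dba_dv_realm_object
ORDER  BY realm_name, owner, object_name;

SELECT realm_name, grantee, auth_rule_set_name, auth_options
FROM   dvsys.dba_dv_realm_auth
ORDER  BY realm_name, grantee;

PROMPT === Command rules and the rule sets / rules behind them ===
SELECT command, rule_set_name, object_owner, object_name, enabled
FROM   dvsys.dba_dv_command_rule
ORDER  BY command, object_owner, object_name;

SELECT rule_set_name, enabled, fail_message
FROM   dvsys.dba_dv_rule_set
ORDER  BY rule_set_name;

SELECT rule_set_name, rule_name, rule_order, enabled
FROM   dvsys.dba_dv_rule_set_rule
ORDER  BY rule_set_name, rule_order;

SELECT name, rule_expr
FROM   dvsys.dba_dv_rule
ORDER  BY name;

SPOOL OFF
```

Compare the spooled lists with what Oracle ships by default (the realm and command rule names that appear in the Control Points note below this one are the Oracle-defined ones); everything else is site policy that somebody once decided was needed, and it should come back after the reinstall unless its removal is an explicit decision.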


Turn off the recycle bin and restart the database (dvremov.sql requires the recycle bin to be off):

SQL> conn / as sysdba

Connected.


SQL> alter system set recyclebin=off scope=spfile;

System altered.

SQL> startup force

ORACLE instance started.

Total System Global Area 1653518336 bytes

Fixed Size            2253784 bytes

Variable Size           1056967720 bytes

Database Buffers    587202560 bytes

Redo Buffers                7094272 bytes

Database mounted.

Database opened.


Run dvremov.sql

SQL> conn / as sysdba

Connected.

start  ?/rdbms/admin/dvremov.sql


.

.

.

 PL/SQL procedure successfully completed.

Manually drop the DVOWNER and DVACCTMNGR users (the accounts found above; dvremov.sql leaves them in place)

conn / as sysdba

SQL> drop user DVOWNER cascade;

User dropped.

SQL> drop user DVACCTMNGR cascade;

User dropped.

Turn the recycle bin on again and restart the database

conn / as sysdba

alter system set recyclebin=on scope=spfile;

startup force

Check the DB Vault option

SQL> column parameter format a40
SQL> column value format a10
SQL> select parameter, value from v$option where parameter in ('Oracle Database Vault','Oracle Label Security');

PARAMETER                                VALUE
---------------------------------------- ----------
Oracle Label Security                    FALSE
Oracle Database Vault                    FALSE

Oracle DB Vault is now uninstalled from your database. If you want, you can now reinstall it cleanly.

In this note I showed the uninstallation of Oracle DB Vault for an Oracle 11g R2 database. For other versions there can be small differences; the detailed procedure is in the My Oracle Support note How To Uninstall Or Reinstall Database Vault in 11g (Doc ID 803948.1).

Thanks Anıl Akduygu.


DB Vault Installation to Oracle 12c Container Database

12c-architecture

In my latest post I described the Oracle DB Vault installation in an Oracle 12c non-container database. In this post I show how to install Oracle DB Vault in an Oracle 12c container database.

The task is very similar, but for container databases you must first configure and enable DB Vault in the root container, and only then in each pluggable database that needs it.

To follow this post you should have basic knowledge of Oracle container databases:

https://oracle-base.com/articles/12c/multitenant-overview-container-database-cdb-12cr1

Before starting the installation, here is my configuration:

Host: Oracle Linux 7

DB: Oracle 12c 12.1.0.2.0, database name CDB3, with two pluggable databases, pdb1 and pdb2

During the installation I connect to the root container and to the pluggable database with the TNS entries below. When you create a pluggable database, a service with the name of the pluggable database is created automatically.

Your tnsnames.ora file should contain entries like these:
CDB3 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = CDB3)
)
)

pdb1 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = pdb1)
)
)

pdb2 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = pdb2)
)
)

In this post I first install DB Vault in the root container and then in the pdb1 pluggable database.

Installing DB Vault in the root container

1. First check whether DB Vault is already enabled
SQL> connect SYSTEM@CDB3
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
CDB$ROOT
SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter, value FROM gv$option WHERE parameter in
     ('Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     FALSE
Oracle Database Vault     FALSE

After DB Vault has been enabled and the instance restarted, both values become TRUE.

2. Take a copy of some privilege views

As the SYSTEM user, take copies of the privilege views in the root container so that the privileges can be compared after the DB Vault installation:

SQL> create table a_cdb_network_acls as select * FROM cdb_network_acls;

Table created.

SQL> create table a_cdb_network_acl_privileges as select * from cdb_network_acl_privileges;

Table created.

SQL> create table a_cdb_tab_privs as Select * from cdb_tab_privs;

Table created.

SQL> create table a_cdb_sys_privs as Select * from cdb_sys_privs;

Table created.

SQL> create table a_cdb_role_privs as Select * from cdb_role_privs;

Table created.

SQL> create table a_cdb_objects as select owner, object_name, object_type from cdb_objects where status='INVALID' and object_type <> 'SYNONYM';

Table created.

SQL> create table a_cdb_registry as select * from cdb_registry;

Table created.

SQL>

3. Create the DV Owner and DV Account Manager users

The DV owner administers DB Vault and the DV account manager administers the database accounts. Because of separation of duties these must be two different users.

For container databases we create common users (the C## prefix is mandatory for a common user):

connect sys as sysdba
SQL> create user c##dvowner identified by oracle CONTAINER=ALL;

User created.

SQL> create user c##dvacctmngr identified by oracle CONTAINER=ALL;

User created.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;

Grant succeeded.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;

Grant succeeded.

4. Configure DB Vault

SQL> BEGIN
       DVSYS.CONFIGURE_DV (
         dvowner_uname   => 'c##dvowner',
         dvacctmgr_uname => 'c##dvacctmngr');
     END;
     /

PL/SQL procedure successfully completed.

Then compile the invalid objects:

@?/rdbms/admin/utlrp.sql

…Database user “SYS”, database schema “APEX_040200”, user# “98” 16:45:10
…Compiled 0 out of 3014 objects considered, 0 failed compilation 16:45:10
…271 packages
…263 package bodies
…452 tables
…11 functions
…16 procedures
…3 sequences
…457 triggers
…1320 indexes
…211 views
…0 libraries
…6 types
…0 type bodies
…0 operators
…0 index types
…Begin key object existence check 16:45:10
…Completed key object existence check 16:45:11
…Setting DBMS Registry 16:45:11
…Setting DBMS Registry Complete 16:45:11
…Exiting validate 16:45:11

PL/SQL procedure successfully completed.

5. Enable DB Vault

SQL> connect c##dvowner
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
CDB$ROOT
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.

6. Restart the database

After the restart, DB Vault is enabled in the container database.

SQL> connect sys as sysdba
Enter password:
Connected.

SQL> startup force
ORACLE instance started.

Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 645924032 bytes
Database Buffers 322961408 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.

SQL> alter pluggable database all open;

Pluggable database altered.
SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter, value FROM gv$option WHERE parameter in
     ('Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     TRUE
Oracle Database Vault     TRUE

Now our aim is to install DB Vault in one of our pluggable databases. For the demonstration I install DB Vault in PDB1.

7. Grant the common users the privileges to connect to PDB1

SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
PDB1
SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;

Grant succeeded.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;

Grant succeeded.

8. Configure DB Vault at PDB1

SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
PDB1

SQL> BEGIN
       DVSYS.CONFIGURE_DV (
         dvowner_uname   => 'c##dvowner',
         dvacctmgr_uname => 'c##dvacctmngr');
     END;
     /

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.

Now compile the invalid objects:

@?/rdbms/admin/utlrp.sql

…Database user “SYS”, database schema “APEX_040200”, user# “98” 16:59:40
…Compiled 0 out of 3014 objects considered, 0 failed compilation 16:59:41
…271 packages
…263 package bodies
…452 tables
…11 functions
…16 procedures
…3 sequences
…457 triggers
…1320 indexes
…211 views
…0 libraries
…6 types
…0 type bodies
…0 operators
…0 index types
…Begin key object existence check 16:59:41
…Completed key object existence check 16:59:41
…Setting DBMS Registry 16:59:41
…Setting DBMS Registry Complete 16:59:41
…Exiting validate 16:59:41

PL/SQL procedure successfully completed.

9. Enable DB Vault in PDB1

SQL> connect c##dvowner@pdb1
Enter password:
Connected.
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete

10. Restart PDB1

Here I restart the whole instance with startup force. Closing and reopening only PDB1 (alter pluggable database pdb1 close immediate, then open) is sufficient for DB Vault to take effect in that PDB and does not disturb the other pluggable databases.

SQL> startup force;
ORACLE instance started.

Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 645924032 bytes
Database Buffers 322961408 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.
SQL> alter pluggable database all open;

Pluggable database altered.

DB Vault is now installed and enabled in the PDB1 pluggable database. PDB2 is untouched: DB Vault is configured and enabled per container, so a PDB that has not gone through steps 7 to 10 is not protected even though the root is.
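Because the root and each PDB carry their own Database Vault state, the final check should be made per container and should prove enforcement rather than just read a status flag. The following is an added example (not code from the original post) that queries DBA_DV_STATUS in CDB$ROOT and in PDB1 and then performs a smoke test: with Database Vault enabled, account management belongs to the DV_ACCTMGR role, so the CREATE USER issued as SYS in PDB1 is expected to be refused while the same statement from c##dvacctmngr succeeds. The container and user names are those of this post; the test username and password are assumptions.

```sql
-- Added example: per-container status and an enforcement smoke test.
-- Container and DV account names are the ones used in this post;
-- DV_SMOKE_TEST and its password are invented. Start as SYSDBA.

-- 1. Status in the root.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT SYS_CONTEXT('USERENV', 'CON_NAME') AS con, name, status
FROM   dvsys.dba_dv_status;

-- 2. Status in PDB1 (must be checked separately: the root's state is not inherited).
ALTER SESSION SET CONTAINER = PDB1;
SELECT SYS_CONTEXT('USERENV', 'CON_NAME') AS con, name, status
FROM   dvsys.dba_dv_status;

-- 3. Smoke test as SYS in PDB1: a DBA account is no longer allowed to
--    create users once Database Vault is enabled (ORA-01031 is the
--    documented outcome); the attempt is also written to the DV audit trail.
CREATE USER dv_smoke_test IDENTIFIED BY "Tmp#Passw0rd";

-- 4. The same statement from the account manager, which holds DV_ACCTMGR
--    in PDB1 because CONFIGURE_DV was run there.
CONNECT c##dvacctmngr@pdb1
CREATE USER dv_smoke_test IDENTIFIED BY "Tmp#Passw0rd";
DROP USER dv_smoke_test;
```

If step 3 succeeds, Database Vault is not enforcing in that PDB: either DV_ENABLE_STATUS is FALSE there, or SYS has been granted DV_ACCTMGR, which defeats the separation of duties the two accounts were created for.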

Control Points After DB Vault Installation to Oracle 12c Database

Capture

After a DB Vault installation in an Oracle 12c database you should check some important points. In this note I explain these post-installation checks.

If you want to learn about the DB Vault installation itself, please look at the DB Vault Installation post.

1. Check Invalid objects one more time;

Normally the system objects are made valid with this script:

@?/rdbms/admin/utlrp.sql

But you should check the application objects as well, because some application objects may not recompile cleanly. Report all these changes.

Before the DB Vault installation we created a table holding all invalid objects in the database (named a_dba_objects). Now take one more sample of invalid objects to compare with the before image:

SQL> create table b_dba_objects as select owner, object_name, object_type from dba_objects where status='INVALID' and object_type <> 'SYNONYM';

Table created.

Now compare the after and before tables. The objects you care about are the ones that are invalid now but were not before, so subtract the before image from the after image:

SQL> select * from b_dba_objects minus select * from a_dba_objects;

no rows selected

The difference should be empty. If rows appear, investigate them: often one more run of utlrp.sql is enough, but an object that references a package DB Vault revoked from PUBLIC (UTL_FILE, for example) needs an explicit grant to its owner.

2. Check Oracle Components 

After the DB Vault installation the status of some Oracle components can change. Take a copy of the dba_registry view and check the status of each component:

SQL> create table b_dba_registry as select * from dba_registry;

Table created.

SQL> column comp_name format a50
SQL> column status format a10
SQL> select comp_name, status from dba_registry;

COMP_NAME STATUS
————————————————– ———-
Oracle Database Vault VALID
Oracle Application Express VALID
Oracle Label Security VALID
Spatial VALID
Oracle Multimedia VALID
Oracle Text VALID
Oracle Workspace Manager VALID
Oracle XML Database VALID
Oracle Database Catalog Views VALID
Oracle Database Packages and Types VALID
JServer JAVA Virtual Machine VALID
Oracle XDK VALID
Oracle Database Java Packages VALID
OLAP Analytic Workspace VALID
Oracle OLAP API VALID
Oracle Real Application Clusters OPTION OFF

16 rows selected.

3. Make a copy of views about privileges

This is a required step. Some privileges change during the installation (DB Vault revokes a number of powerful privileges from PUBLIC and from roles such as DBA), and this can break applications that relied on them. Copy the privilege views again and compare them with the copies taken before the installation. At the same time, copy all Oracle parameters into a table, because the installation changes some of them.

SQL> create table b_dba_network_acls as select * FROM cdb_network_acls;

Table created.

SQL> create table b_dba_network_acl_privileges as select * from cdb_network_acl_privileges;

Table created.

SQL> create table b_gv$parameter as select * from gv$parameter ;

Table created.

SQL> create table b_dba_tab_privs as Select * from dba_tab_privs;

Table created.

SQL> create table b_dba_sys_privs as Select * from dba_sys_privs;

Table created.
SQL> create table b_dba_role_privs as Select * from dba_role_privs;

Table created.
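The text above says to compare the before and after copies but does not show the comparison. The following is an added example (not code from the original post) that does it with MINUS in both directions, so that revoked and newly granted privileges are listed separately, and that finds changed parameters. It assumes the before-image tables are named a_dba_sys_privs, a_dba_tab_privs, a_dba_role_privs and a_dba_objects (mirroring the b_* names on this page) and that a copy of gv$parameter named a_gv$parameter was also taken before the installation; run it as the user who owns those tables.

```sql
-- Added example: diff the before (a_*) and after (b_*) snapshots.
-- Assumed table names: a_dba_sys_privs, a_dba_tab_privs, a_dba_role_privs,
-- a_dba_objects, a_gv$parameter (taken before the install) and the b_* copies.

-- System privileges revoked by the installation (present before, gone after).
SELECT grantee, privilege FROM a_dba_sys_privs
MINUS
SELECT grantee, privilege FROM b_dba_sys_privs;

-- System privileges added by the installation (DVSYS, DV roles and the like).
SELECT grantee, privilege FROM b_dba_sys_privs
MINUS
SELECT grantee, privilege FROM a_dba_sys_privs;

-- Object privileges revoked (expect packages taken away from PUBLIC and roles).
SELECT grantee, owner, table_name, privilege FROM a_dba_tab_privs
MINUS
SELECT grantee, owner, table_name, privilege FROM b_dba_tab_privs;

-- Role grants revoked, then role grants added.
SELECT grantee, granted_role FROM a_dba_role_privs
MINUS
SELECT grantee, granted_role FROM b_dba_role_privs;

SELECT grantee, granted_role FROM b_dba_role_privs
MINUS
SELECT grantee, granted_role FROM a_dba_role_privs;

-- Objects that became invalid (after minus before is the direction that matters).
SELECT owner, object_name, object_type FROM b_dba_objects
MINUS
SELECT owner, object_name, object_type FROM a_dba_objects;

-- Parameters whose value changed; DECODE treats two NULLs as equal.
SELECT a.inst_id, a.name, a.value AS old_value, b.value AS new_value
FROM   a_gv$parameter a
JOIN   b_gv$parameter b ON a.inst_id = b.inst_id AND a.name = b.name
WHERE  DECODE(a.value, b.value, 0, 1) = 1
ORDER  BY a.inst_id, a.name;
```

Keep the output of the revoke queries with the change record: it is the list you will be asked to justify when an application breaks, and it is also the list of privileges you should not hand back to PUBLIC without a reason (see the next point).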

 

4. Re-grant all privileges which are revoked during DB Vault Installation

During the DB Vault installation Oracle revokes some system and object privileges from roles and from PUBLIC. This can cause problems for your applications, so the script below re-grants all of them. Before running it, understand that these revocations are part of what DB Vault hardens: EXECUTE on UTL_FILE for PUBLIC, BECOME USER for DBA or CREATE EXTERNAL JOB for SCHEDULER_ADMIN are exactly the privileges an attacker with a low-privileged account, or with a compromised DBA account, would use. Re-grant only the lines an application demonstrably needs, and prefer granting to the specific application user rather than to PUBLIC or a role. When DB Vault is already enabled, grants to DBA and the other administrative roles are controlled by the Oracle System Privilege and Role Management Realm; if a grant fails with a realm violation, run it as the DV owner or authorize the granting user in that realm.

connect sys as sysdba

Grant EXECUTE on SYS.DBMS_FILE_TRANSFER to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_D to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_LOGREP_DICT to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.DBMS_LOGMNR_SESSION to EXECUTE_CATALOG_ROLE ;
Grant EXECUTE on SYS.UTL_FILE to PUBLIC ;
Grant BECOME USER to DBA ;
Grant CREATE ANY JOB to DBA ;
Grant CREATE EXTERNAL JOB to DBA ;
Grant DEQUEUE ANY QUEUE to DBA ;
Grant ENQUEUE ANY QUEUE to DBA ;
Grant EXECUTE ANY CLASS to DBA ;
Grant EXECUTE ANY PROGRAM to DBA ;
Grant MANAGE ANY QUEUE to DBA ;
Grant MANAGE SCHEDULER to DBA ;
Grant SELECT ANY TRANSACTION to DBA ;
Grant BECOME USER to IMP_FULL_DATABASE ;
Grant MANAGE ANY QUEUE to IMP_FULL_DATABASE ;
Grant CREATE ANY JOB to SCHEDULER_ADMIN ;
Grant CREATE EXTERNAL JOB to SCHEDULER_ADMIN ;
Grant EXECUTE ANY CLASS to SCHEDULER_ADMIN ;
Grant EXECUTE ANY PROGRAM to SCHEDULER_ADMIN ;
Grant MANAGE SCHEDULER to SCHEDULER_ADMIN ;

5. Disable Default Realms and Command Rules

After the DB Vault installation some pre-defined realms and command rules are created by Oracle. If this is your first installation you may want to disable some of them, because they can cause problems for your application; which ones depends completely on your application. The script below disables all of them so that you can re-enable them one by one while checking your application. Treat this as a temporary state: with the Oracle Database Vault realm and the account-management command rules disabled, a DBA account can again modify DVSYS objects and create users, which is precisely what DB Vault was installed to prevent. Run it as the DV owner, record what you disabled, and re-enable everything you cannot justify leaving off.

connect dvowner

select * from dvsys.DBA_DV_REALM;

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'Oracle Database Vault',
    description   => 'Defines the realm for the Oracle Database Vault schemas - DVSYS, DVF and LBACSYS where Database Vault access control configuration and roles are contained.',
    enabled       => 'N',
    audit_options => 1);
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'Database Vault Account Management',
    description   => 'Defines the realm for administrators who create and manage database accounts and profiles.',
    enabled       => 'N',
    audit_options => 1);
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'Oracle Enterprise Manager',
    description   => 'Defines the Enterprise Manager monitoring and management realm.',
    enabled       => 'N',
    audit_options => 1);
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'Oracle Default Schema Protection Realm',
    description   => 'Defines the realm for the Oracle Default schemas.',
    enabled       => 'N',
    audit_options => 1);
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'Oracle System Privilege and Role Management Realm',
    description   => 'Defines the realm to control granting of system privileges and database administrator roles.',
    enabled       => 'N',
    audit_options => 1);
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'Oracle Default Component Protection Realm',
    description   => 'Defines the realm to protect default components of the Oracle database.',
    enabled       => 'N',
    audit_options => 1);
END;
/
commit;

select * from dvsys.DBA_DV_COMMAND_RULE;

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'ALTER PROFILE',
    rule_set_name => 'Can Maintain Accounts/Profiles',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Allow Fine Grained Control of System Parameters',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'ALTER USER',
    rule_set_name => 'Can Maintain Own Account',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'CHANGE PASSWORD',
    rule_set_name => 'Can Maintain Own Account',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'CREATE PROFILE',
    rule_set_name => 'Can Maintain Accounts/Profiles',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'CREATE USER',
    rule_set_name => 'Can Maintain Accounts/Profiles',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'DROP PROFILE',
    rule_set_name => 'Can Maintain Accounts/Profiles',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'DROP USER',
    rule_set_name => 'Can Maintain Accounts/Profiles',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

commit;


6. Make Recyclebin On

After the DB Vault installation the recycle bin is turned off for security reasons: a dropped table keeps its data in the recycle bin, and Oracle recommends keeping the recycle bin disabled with Database Vault. If you need it on again, use the script below. The ALTER SYSTEM command rule has to be disabled briefly, because its Allow Fine Grained Control of System Parameters rule set blocks changes to this parameter.

Connect dvowner

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Allow Fine Grained Control of System Parameters',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'N');
  commit;
END;
/

Connect sys as sysdba

alter system set recyclebin=on scope=spfile;

startup force;

Then enable the ALTER SYSTEM command rule again. Do not leave it disabled: this rule set is what stops a DBA account from changing security-relevant parameters.

Connect dvowner

BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Allow Fine Grained Control of System Parameters',
    object_owner  => '%',
    object_name   => '%',
    enabled       => 'Y');
  commit;
END;
/