Important New Features in Oracle Database Vault 12c Release 2

In this note you will find the most important new features in Oracle Database Vault 12c Release 2. We start with Oracle Database Vault policies.

Oracle Database Vault 12c Release 2 introduces a new object type called the Oracle Database Vault policy. With Database Vault policies you can group some realms and command rules and manage them together. This way you can change the status of several realms and command rules with one command. As you would expect, the realms and command rules you collect in a policy should have something in common; it makes no sense to put all realms and command rules into one policy.

Another enhancement in Database Vault in the new version is simulation mode. When you put realms and command rules in simulation mode, SQL commands are not blocked, but violations are logged.
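The policy and simulation-mode features described above, as an added example that is not part of the original note. The realm name HR_APP_REALM, the policy name HR_APP_POLICY and the HR schema are hypothetical; the calls are from the 12c Release 2 DBMS_MACADM package and are run by a user with the DV_OWNER role.

```sql
-- Added example. HR_APP_REALM, HR_APP_POLICY and the HR schema are hypothetical.

-- 1. A realm that protects every object in the HR schema.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR_APP_REALM',
    description   => 'Protects the HR application schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 0);                 -- 0 = regular realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR_APP_REALM',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 2. Group the realm under a policy that starts in simulation mode:
--    violations are logged, SQL commands are not blocked.
BEGIN
  DBMS_MACADM.CREATE_POLICY(
    policy_name  => 'HR_APP_POLICY',
    description  => 'Realms and command rules of the HR application',
    policy_state => DBMS_MACADM.G_SIMULATION);
  DBMS_MACADM.ADD_REALM_TO_POLICY(
    policy_name => 'HR_APP_POLICY',
    realm_name  => 'HR_APP_REALM');
END;
/

-- 3. After a representative workload, review what would have been blocked.
SELECT username, command, violation_type, realm_name, sqltext
FROM   dvsys.dba_dv_simulation_log
WHERE  realm_name = 'HR_APP_REALM';

-- 4. One call switches every member of the policy to enforcement.
BEGIN
  DBMS_MACADM.UPDATE_POLICY_STATE(
    policy_name  => 'HR_APP_POLICY',
    policy_state => DBMS_MACADM.G_ENABLED);
END;
/
```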

Privilege Analysis has also changed in this version. It now captures more privileges. In addition, a new object called a capture run has been added to Privilege Analysis. You can create multiple capture runs for one analysis and produce comparison reports across different capture runs.

As you know, all Oracle 12c Release 2 databases are multitenant databases. Therefore, common realms and common command rules are introduced in this version.

Common realms and common command rules can only be created in the application root, not in the CDB root. A common command rule in the application root is applied to all associated PDBs.

Finally, changes and additions have been made to the ALTER SESSION, ALTER SYSTEM and CONNECT command rules. This way you can define prevention rules on the ALTER SESSION and ALTER SYSTEM commands more precisely.

Thanks for reading this note.

Y. Anıl Akduygu




Oracle 12c New Security Features – 02 DBA_USERS new columns

One of the security improvements in Oracle 12c is the set of new columns in the DBA_USERS view.
These newly added columns are very useful for security administrators.
The picture below shows the definition of DBA_USERS in Oracle 11g.


The definition of DBA_USERS in Oracle 12c is given below.

As you can see, four new columns have been added. These are


Now let's look at these new columns.


This column shows whether a user can connect directly (value N) or can only be proxied (value Y) by users.
Let's query this column:


You can enable or disable this attribute of a user with the ALTER USER command.



This column shows whether the user is a COMMON user.

COMMON users are used in multitenant databases, which are introduced in Oracle 12c. In another note I will explain multitenant databases in Oracle 12c.

This column can have two values: YES or NO.

YES means the user is a COMMON user.

NO means the user is a local user.

Let's query this column:




The LAST_LOGIN column is very useful for database security administrators, and it solves a very important problem in Oracle 11g. This column shows the user's last logon time. In Oracle 11g we had to create a logon trigger and a special table to find and keep each user's last logon time. In Oracle 12c you have nothing to do; you just query this column to find the time of the user's last logon.

To query the LAST_LOGIN column, use the query below. If the LAST_LOGIN column is null, the user has not connected to the database yet.



This is another very important new column in the Oracle 12c database.

If the value of this column is 'Y', the user was created, and can only be managed, by Oracle-supplied scripts (scripts provided by Oracle). You must not change any properties of these users. This column is very important when running security control scripts. In some security controls you will want to exclude Oracle's predefined application users. In Oracle 11g you have to know these Oracle usernames (for example DBSNMP, MDSYS, CTXSYS, OUTLN…). In Oracle 11g, if you want to exclude Oracle-managed users from your selection in any security control, you have to write a very long condition like the one below:










But in Oracle 12c version you can add a condition like


to exclude Oracle-managed users.
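An added example, not one of the author's scripts: an account review that uses the four new columns together, under the names they have in the 12c DBA_USERS view (PROXY_ONLY_CONNECT, COMMON, LAST_LOGIN and ORACLE_MAINTAINED). The 90-day dormancy threshold is an assumption to adjust to your own policy.

```sql
-- Added example: review of open accounts that are not Oracle-maintained.
-- The 90-day threshold is an assumed value, not from the original note.

-- 1. Open accounts that never logged in or have been idle for 90+ days.
SELECT username,
       account_status,
       common,                    -- YES = common user, NO = local user
       proxy_only_connect,        -- Y = reachable only through a proxy user
       last_login,
       CASE
         WHEN last_login IS NULL THEN 'NEVER LOGGED IN'
         ELSE 'DORMANT'
       END AS login_state
FROM   dba_users
WHERE  oracle_maintained = 'N'    -- replaces the long 11g username list
AND    account_status    = 'OPEN'
AND    (last_login IS NULL
        OR last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
ORDER  BY last_login NULLS FIRST, username;

-- 2. How many accounts fall into each class, as a baseline for later audits.
SELECT oracle_maintained,
       common,
       COUNT(*) AS accounts
FROM   dba_users
GROUP  BY oracle_maintained, common
ORDER  BY oracle_maintained, common;
```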


I downloaded all the scripts given in this note to GitHub.


Have a good day.


Oracle DB Vault New Features in Oracle 12c Release 1 – Part 3 :  Oracle Enterprise Manager Cloud Control to Manage DB Vault.

Starting with Oracle 12c Release 1 you can use all DB Vault functionality from Oracle Enterprise Manager Cloud Control. The procedures and functions of the DBMS_MACADM PL/SQL package have been included in Oracle Enterprise Manager. For each operation you can see the script that will be run by pressing the Show SQL button.

To run Database Vault Administrator, connect to Enterprise Manager as a user who has the DV_OWNER role. After logon, the Database Vault home page appears like this:


On this page you can see:

  • Violations of DB Vault rules
  • Database Vault Alerts
  • Audit Reports

To work on DB Vault objects, go to the Administration section. The picture below shows the Command Rules page in the Administration section.


If you want to see all default rules, check the Show Oracle defined Command Rules box. If you want to create a new command rule, just click the Create button.


On this page you can enter all the parameters needed to create a new command rule. After clicking the Show SQL button you can see the script that creates the new command rule.



For example, if you want to see all the details of a command rule, choose the command rule



and then just double-click it.


Another function of DB Vault is controlling authorization for some database operations. For example, you can identify which users can perform Data Pump operations, GoldenGate operations or database patching. You can define all these users from Oracle Enterprise Manager by choosing the Database Operation Authorization section.



After choosing the Database Operation Authorization section, you can see all the database operations that are controlled by DB Vault.



On this page you can add, edit or delete usernames for each database operation.
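The two Enterprise Manager tasks above (creating a command rule and authorizing a user for a database operation) written directly against DBMS_MACADM, as an added example; it is not the script that Show SQL produced for the author. The HR schema and the DP_OPERATOR account are hypothetical, and the calls are run by a user with the DV_OWNER role.

```sql
-- Added example. HR and DP_OPERATOR are hypothetical names.

-- Command rule: DROP TABLE on HR objects is always refused.
-- 'Disabled' is the Oracle-supplied rule set that always evaluates to false.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Disabled',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Database operation authorization: DP_OPERATOR may run Data Pump
-- against the HR schema only, not against the whole database.
BEGIN
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    user_name   => 'DP_OPERATOR',
    schema_name => 'HR');
END;
/

-- Review what is in force.
SELECT command, rule_set_name, object_owner, object_name, enabled
FROM   dvsys.dba_dv_command_rule
WHERE  object_owner = 'HR';

SELECT * FROM dvsys.dba_dv_datapump_auth;

-- Remove the authorization when the export or import job is finished.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
    user_name   => 'DP_OPERATOR',
    schema_name => 'HR');
END;
/
```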

As you can see, in Oracle 12c Release 1 you can use all the functionality of Oracle DB Vault, and the most important thing is that Oracle does not support the old Oracle DB Vault Console after Oracle 12c. Therefore, if you are a Database Vault administrator, you should learn the Oracle Enterprise Manager DB Vault functionality.

Oracle DB Vault New Features in Oracle 12c R1 – Part1 : Changes at DB Vault Installation

There are many changes to Oracle DB Vault in Oracle 12c. In this note I will give you information about the changes to DB Vault installation.

  1. DB Vault Installation

In Oracle 11g you need to relink the Oracle binary before installing Oracle DB Vault. You do not need this operation in Oracle 12c.

In Oracle 11g you relink the binary with the chopt command, as below:

$ chopt enable lbac

$ chopt enable dv

You do not need this in Oracle 12c.

To install and configure DB Vault in Oracle 11g, you have to use dbca. In Oracle 12c you only need dbca to install the Oracle Label Security and Oracle DB Vault components. You can use DVSYS.CONFIGURE_DV to configure DB Vault. You can still do this configuration with dbca, but it is optional.

In Oracle 12c, the DB Vault component is installed from this page in dbca.


DB Vault configuration can also be done in dbca, but it is optional.


This gives us flexibility: during database installation, DBAs can install Oracle DB Vault without configuring it. After the DB Vault installation is completed, you can configure DB Vault as a security officer without DBA intervention.

The query below shows that the DB Vault component is installed. It does not mean that it is enabled.

SQL> select comp_id, status from dba_registry where comp_id in ('OLS','DV');

With DVSYS.CONFIGURE_DV you can specify which user is the DB Vault administrator and which user is the database account manager.

-- Name the DB Vault owner and the account manager accounts
BEGIN
  DVSYS.CONFIGURE_DV (
    dvowner_uname   => 'dvowner',
    dvacctmgr_uname => 'dvacctmngr');
END;
/

PL/SQL procedure successfully completed.

DVSYS.CONFIGURE_DV is new in Oracle 12c, and it gives the security officer the flexibility to configure DB Vault alone. After the DB Vault component installation you do not need to reboot the database, but you need to run utlrp.sql to compile all invalid objects.
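Since an installed component is not necessarily an enabled one, the checks below tell the three states apart. This is an added example, not from the original note, and it goes one step beyond it by showing the DBMS_MACADM.ENABLE_DV call that turns enforcement on after configuration.

```sql
-- Added example; not from the original note.

-- 1. Component installed? (the DBA_REGISTRY check from the note)
SELECT comp_id, status
FROM   dba_registry
WHERE  comp_id IN ('OLS', 'DV');

-- 2. Option enabled in the running instance?
--    VALUE is TRUE only when enforcement is switched on.
SELECT parameter, value
FROM   v$option
WHERE  parameter IN ('Oracle Label Security', 'Oracle Database Vault');

-- 3. Configured and enabled, as Database Vault itself reports it.
SELECT * FROM dvsys.dba_dv_status;

-- 4. If DB Vault is configured but not enabled, the account passed as
--    dvowner_uname turns it on. The change takes effect after the
--    database is restarted; rerun checks 2 and 3 afterwards.
EXEC DBMS_MACADM.ENABLE_DV;
```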