Oracle® Database Vault Administrator's Guide
10g Release 2 (10.2)
Part Number B25166-04

C Oracle Database Vault Database Objects

This chapter includes the following sections:

C.1 What Are the Oracle Database Vault Database Objects?

The Oracle Database Vault database objects include two schemas with database tables, sequences, views, triggers, roles, packages, procedures, functions, and contexts that support the administration and run-time processing of Oracle Database Vault.

C.2 Oracle Database Vault Schemas

Oracle Database Vault has the following schemas:

C.2.1 DVSYS Schema

The DVSYS schema contains Oracle Database Vault database objects: database tables, sequences, views, triggers, roles, packages, procedures, functions, contexts, and other objects to store Oracle Database Vault configuration information and support the administration and run-time processing of Oracle Database Vault.

Oracle Database Vault secures the DVSYS schema by using a protected schema design. A protected schema design guards the schema against improper use of system privileges (for example, SELECT ANY TABLE, CREATE ANY VIEW, or DROP ANY). Note that some system privileges do not apply to the protected schema because DVSYS does not use them (for example, the UNLIMITED TABLESPACE privilege).

The following restrictions apply to the DVSYS schema:

  • The DVSYS protected schema and its administrative roles cannot be dropped.

  • Statements such as CREATE USER, ALTER USER, DROP USER, CREATE PROFILE, ALTER PROFILE, and DROP PROFILE can only be issued by a user with the DV_ACCTMGR role. SYSDBA can issue these statements only if it is allowed to do so by modifying the Can Maintain Accounts/Profiles rule set.

  • The powerful ANY system privileges for data definition language (DDL) and data manipulation language (DML) commands do not apply to the protected schema. This means that the objects in the DVSYS schema must be created by the schema account itself, and access to the schema objects must be authorized through object privilege grants.

  • Object privileges in the DVSYS schema can only be granted to administrative roles in the schema. This means that users can access the protected schema only through predefined administrative roles.

  • Only the protected schema account DVSYS can issue ALTER ROLE statements on predefined administrative roles of the schema. "Oracle Database Vault Database Roles" describes Oracle Database Vault administrative roles in detail.

  • Only the protected schema account DVSYS can grant the predefined roles WITH ADMIN OPTION. A grantee who holds one of these roles WITH ADMIN OPTION can grant the role to another user only without the ADMIN OPTION.

  • The SYS.DBMS_SYS_SQL.PARSE_AS_USER procedure cannot be used to run SQL statements on behalf of the protected schema DVSYS.

Note:

Users are allowed to grant privileges or roles to the predefined administrative roles.

C.2.2 DVF Schema

The DVF schema is the owner of the Oracle Database Vault DBMS_MACSEC_FUNCTION PL/SQL package, which contains the functions that retrieve factor identities. When you create a new factor, Oracle Database Vault creates a new retrieval function for the factor and saves it in this schema.

C.3 Oracle Database Vault Database Roles

The roles described in this section are required for managing Oracle Database Vault. These roles are designed to implement the first level of separation of duties within the database, organized in the following hierarchy: The most powerful level is for the owner-related roles, DV_OWNER, DV_REALM_OWNER, and DV_REALM_RESOURCE. The next level beneath it is for the administrative roles, DV_ADMIN, DV_ACCTMGR, and DV_PUBLIC. The third level is for the analyst-related role, DV_SECANALYST.

Note:

You can grant additional object privileges and roles to the Oracle Database Vault roles to extend their scope of privileges. For example, SYSDBA can grant object privileges to an Oracle Database Vault role as long as the object is not in the DVSYS schema or realm.

Oracle Database Vault provides the following roles:

C.3.1 Oracle Database Vault Owner Role, DV_OWNER

The DV_OWNER role, which is created when you install Oracle Database Vault, has the most privileges on the DVSYS schema. (In this guide, the example account that uses this role is MACSYS.) It has the administration capabilities provided by the DV_ADMIN role and the reporting capabilities provided by the DV_SECANALYST role. The first account granted with this role and the ADMIN OPTION can grant any Oracle Database Vault roles (except DV_ACCTMGR) without the ADMIN OPTION to any account. Users granted this role also can run Oracle Database Vault reports and monitor Oracle Database Vault.

Any account that holds the DV_OWNER role can grant DV_OWNER to another account. The first account granted this role WITH ADMIN OPTION can revoke any granted protected schema role from another account. Accounts such as SYS or SYSTEM that have only the GRANT ANY ROLE system privilege (granted directly or indirectly through a role) cannot grant this role to, or revoke it from, any other database account.

Granting and revoking of protected schema roles is enforced only by an instance whose Oracle executable is linked with DV_ON, which enables Oracle Database Vault security. When the Oracle executable is linked with DV_OFF, an account's GRANT ANY ROLE system privilege is sufficient for GRANT and REVOKE operations on these roles.

Appendix B, "Enabling and Disabling Oracle Database Vault" shows how to use DV_ON and DV_OFF. See also Appendix E, "Oracle Database Vault Packages" for more information about the Oracle Database Vault packages.

C.3.2 Oracle Database Vault Configuration Administrator Role, DV_ADMIN

The DV_ADMIN role has the EXECUTE privilege on the DVSYS package DBMS_MACADM, which is used for all access control configuration. DV_ADMIN also has the reporting capabilities provided by the DV_SECANALYST role. A user granted this role has the EXECUTE privilege on all Oracle Database Vault administrative packages. Users granted this role can also run Oracle Database Vault reports and monitor Oracle Database Vault.

Accounts such as SYS or SYSTEM that have only the GRANT ANY ROLE system privilege cannot grant this role to, or revoke it from, any other database account. The first user granted the DV_ADMIN role WITH ADMIN OPTION can grant this role without the ADMIN OPTION to any database account and revoke this role from another account.

Granting and revoking of protected schema roles is enforced only by an instance whose Oracle executable is linked with DV_ON, which enables the Oracle Database Vault security features. When the Oracle executable is linked with DV_OFF, an account's GRANT ANY ROLE system privilege is sufficient for GRANT and REVOKE operations on these roles.

Appendix B, "Enabling and Disabling Oracle Database Vault" explains how to use DV_ON. See also Appendix E, "Oracle Database Vault Packages" for more information about the Oracle Database Vault packages.

C.3.3 Oracle Database Vault User Manager Role, DV_ACCTMGR

The DV_ACCTMGR role is used for creating and maintaining database accounts and database profiles. A user who has been granted this role can use the CREATE, ALTER, and DROP statements for users or profiles. However, a person with this role cannot use the DROP or ALTER statements for the DVSYS account, nor change the DVSYS password.

Tip:

Oracle recommends that you add the user who has the DV_ACCTMGR role to the data dictionary realm so that this user can grant other users ANY privileges, if they need them. See "Step 1: Adding the DV_ACCTMGR Role to the Data Dictionary Realm" for instructions.

Accounts such as SYS or SYSTEM that have only the GRANT ANY ROLE system privilege cannot grant this role to, or revoke it from, any other database account. The first account granted the DV_ACCTMGR role WITH ADMIN OPTION can grant this role without the ADMIN OPTION to any database account and revoke this role from another account.

Granting and revoking of protected schema roles is enforced only by an instance whose Oracle executable is linked with DV_ON, which enables Oracle Database Vault. When the Oracle executable is linked with DV_OFF, an account's GRANT ANY ROLE system privilege is sufficient for GRANT and REVOKE operations on these roles.

Appendix B, "Enabling and Disabling Oracle Database Vault" shows how to use DV_ON and DV_OFF.

C.3.4 Oracle Database Vault PUBLIC Role, DV_PUBLIC

The DV_PUBLIC role is used to grant privileges on specific objects in the DVSYS schema. Oracle Database Vault does not allow you to grant object privileges on DVSYS schema objects directly to PUBLIC. Instead, you must grant the object privilege on the DVSYS schema object to the DV_PUBLIC role, and then grant DV_PUBLIC to PUBLIC.

The following Oracle Database Vault objects are accessible through DV_PUBLIC:

C.3.5 Oracle Database Vault Security Analyst Role, DV_SECANALYST

The DV_SECANALYST role has SELECT privileges on the DVSYS schema objects and on the portions of the SYS and SYSMAN schema objects that are needed for reporting on DVSYS-related and DVF-related entities. A user granted this role can check the DVSYS configuration by querying the DVSYS views described in "Oracle Database Vault Public Views". Users granted this role can also read Oracle Database Vault reports and monitor Oracle Database Vault.

Accounts such as SYS or SYSTEM that have only the GRANT ANY ROLE system privilege cannot grant this role to, or revoke it from, any other database account. The first user granted the DV_SECANALYST role WITH ADMIN OPTION can grant this role without the ADMIN OPTION to any database account and revoke this role from another account.

Granting and revoking of protected schema roles is enforced only by an instance whose Oracle executable is linked with DV_ON, which enables the Oracle Database Vault security features. When the Oracle executable is linked with DV_OFF, an account's GRANT ANY ROLE system privilege is sufficient for GRANT and REVOKE operations on these roles.

Appendix B, "Enabling and Disabling Oracle Database Vault" shows how to use DV_ON and DV_OFF.

C.3.6 Oracle Database Vault Application/Realm DBA Role, DV_REALM_OWNER

The DV_REALM_OWNER role is used for managing database objects in multiple schemas that define an application or a realm. This role should be granted to the database account owner who would manage several schema database accounts within a realm and the roles associated with the realm. A user granted this role can use powerful system privileges like CREATE ANY, ALTER ANY, and DROP ANY within the realm.

The realm owner of the Oracle Data Dictionary realm, such as SYS, can grant this role to any given database account or role. Note that though this role has system privilege grants that SYS controls, it does not have the DV_OWNER or DV_ADMIN roles.

If you want to attach this role to a specific realm, grant it to an account or to a business-related role, and then authorize that account or role in the realm.

C.3.7 Oracle Database Vault Application Resource Owner Role, DV_REALM_RESOURCE

The DV_REALM_RESOURCE role provides the same system privileges as the Oracle RESOURCE role. In addition, both CREATE SYNONYM and CREATE VIEW are granted to this role. This role can be granted to a database account that will own the database tables, objects, triggers, views, procedures, and so on that support a database application; it is geared toward a schema-type database account. The realm owner of the Oracle Data Dictionary realm, such as SYS, can grant this role to any database account or role. Note that though this role has system privilege grants that SYS controls, it does not have the DV_OWNER or DV_ADMIN roles.

C.4 Oracle Database Vault Database Accounts

Oracle Database Vault prompts for two accounts that you can create during installation: Oracle Database Vault Owner and Oracle Database Vault Account Manager. You must supply an account name and password for the Oracle Database Vault Owner account during installation. Creating an Oracle Database Vault Account Manager is optional.

The Oracle Database Vault Owner account is granted the DV_OWNER role. This account can manage Oracle Database Vault roles and configuration.

The Oracle Database Vault Account Manager account is granted the DV_ACCTMGR role. This account is used to manage database user accounts to facilitate separation of duties.

Note:

If you opt not to create the Oracle Database Vault Account Manager account during installation, then both the DV_OWNER and DV_ACCTMGR roles are granted to the Oracle Database Vault Owner user account.

Table C-1 lists the Oracle Database Vault database accounts that are needed in addition to the accounts that you create during installation.

Table C-1 Database Accounts Used by Oracle Database Vault

DVSYS
  Description: Owner of the Oracle Database Vault schema and related objects.
  Roles and privileges: Several system and object privileges are provided to support Oracle Database Vault. The ability to create a session with this account is revoked at the end of the installation, and the account is locked.

DVF
  Description: Owner of the Oracle Database Vault functions that are created to retrieve factor identities.
  Roles and privileges: A handful of system privileges are provided to support Oracle Database Vault. The ability to create a session with this account is revoked at the end of the installation, and the account is locked.

AVSYS
  Description: Owner of the Oracle Audit Vault functions.
  Roles and privileges: This account is created during the Oracle Database Vault installation, in case you plan to use Oracle Audit Vault. Do not drop or re-create this account.

LBACSYS
  Description: Owner of the Oracle Label Security schema.
  Roles and privileges: This account is created if you install Oracle Label Security by using the custom installation option. Do not drop or re-create this account. If you plan to integrate a factor with an Oracle Label Security policy, you must assign this user as the owner of the realm that uses this factor. See "Using an Oracle Database Vault Factor with an Oracle Label Security Policy" for more information.
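The following queries are an added example and are not part of the Oracle guide. They check, from the standard data dictionary, the separation-of-duties properties stated in the role sections above and in Table C-1: which accounts hold the Database Vault roles and which of them hold the ADMIN OPTION, whether any single account holds both DV_ACCTMGR and a configuration role, and whether DVSYS and DVF are locked with CREATE SESSION revoked. They read only DBA_ROLE_PRIVS, DBA_USERS, and DBA_SYS_PRIVS, so run them as SYS or as another account that can select from those views. Note that if you chose not to create the Account Manager account at installation, the second query will return the Database Vault Owner account, which is the expected result of that choice rather than a misconfiguration.

```sql
-- Added example, not from the Oracle Database Vault guide.
-- Post-installation separation-of-duties checks using standard
-- data dictionary views (DBA_ROLE_PRIVS, DBA_USERS, DBA_SYS_PRIVS).

-- 1. Who holds the Database Vault roles, and who can propagate them?
--    Only the first grantee of DV_OWNER, DV_ADMIN, DV_ACCTMGR and
--    DV_SECANALYST should show ADMIN_OPTION = 'YES'.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DV_OWNER', 'DV_ADMIN', 'DV_ACCTMGR',
                        'DV_SECANALYST', 'DV_PUBLIC',
                        'DV_REALM_OWNER', 'DV_REALM_RESOURCE')
 ORDER BY granted_role, grantee;

-- 2. Accounts that hold both the account-management role and a
--    configuration role collapse the separation of duties.
--    Expected result: no rows (unless no Account Manager was created
--    at installation, in which case the Owner account appears).
SELECT a.grantee
  FROM dba_role_privs a
  JOIN dba_role_privs b ON b.grantee = a.grantee
 WHERE a.granted_role = 'DV_ACCTMGR'
   AND b.granted_role IN ('DV_OWNER', 'DV_ADMIN');

-- 3. DVSYS and DVF must stay locked after installation (Table C-1).
--    Expected result: no rows.
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('DVSYS', 'DVF')
   AND account_status NOT LIKE 'LOCKED%';

-- 4. CREATE SESSION must have been revoked from DVSYS and DVF.
--    This checks direct grants only; a grant through a role would
--    show up in query 1 or in DBA_ROLE_PRIVS for these two users.
--    Expected result: no rows.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('DVSYS', 'DVF')
   AND privilege = 'CREATE SESSION';
```

Run these after installation and again after any change to account administration; a non-empty result from queries 2 through 4 is a finding to investigate before the database is put into service.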


You can create different database accounts to implement the separation of duties requirements for Oracle Database Vault. Table C-2 lists some model database accounts that can act as a guide. (The accounts listed in Table C-2 serve as a guide to implementing Oracle Database Vault roles. These are not actual accounts that are created during installation.)

Table C-2 Model Oracle Database Vault Database Accounts

MACACCT
  Description: Account for administration of database accounts and profiles. This account:
    • Can create, alter, or drop users
    • Can create, alter, or drop profiles
    • Can grant the DV_ACCTMGR role
    • Can use the GRANT CONNECT statement for roles
    • Cannot create roles, or grant the RESOURCE or DBA roles
  Roles and privileges: DV_ACCTMGR

MACADMIN
  Description: Account to serve as the access control administrator. This account:
    • Can execute public APIs and select from views
    • Cannot directly update DVSYS tables
    • Can use the role either in SQL*Plus or in the Oracle Database Vault Administration application
  Roles and privileges: DV_ADMIN (with DV_SECANALYST)

MACREPORT
  Description: Account for running Oracle Database Vault reports in the Oracle Database Vault Administration application.
  Roles and privileges: DV_SECANALYST

MACSYS
  Description: Account that is the realm owner for the DVSYS realm.
  Roles and privileges: DV_OWNER (with DV_ADMIN and DV_SECANALYST)


C.4.1 Database Accounts Creation Scenarios

The general approach to creating database accounts and using the database roles provided in a database protected by Oracle Database Vault is as follows:

  1. Log in as the Oracle Database Vault User realm owner to create the database account.

  2. In the same database session, grant the new account the ability to create a database session.

  3. Depending on the type of account being created, log in as the Oracle Data Dictionary realm owner or Oracle Database Vault realm owner to grant the appropriate roles required for the account.

  4. Grant additional system or object privileges as required by the account.

The following examples demonstrate the uses of the Oracle Database Vault roles and database accounts. The examples assume the creation of an application schema type account named bizapp, a realm-owner type account named mary, an application end-user type account named jiawen, and a security administrator named steve.

These examples assume that you have added the DV_ACCTMGR role to the Data Dictionary realm. See "Step 1: Adding the DV_ACCTMGR Role to the Data Dictionary Realm" for instructions on how to do this.

Example C-1 Creating a Schema Account

-- DV_ACCTMGR here stands for the account that holds the DV_ACCTMGR role
-- (MACACCT in Table C-2)
SQL> CONNECT DV_ACCTMGR
Enter password: password
SQL> CREATE USER bizapp IDENTIFIED BY password;
-- provide session connectivity
SQL> GRANT CONNECT TO bizapp;
-- the Oracle Data Dictionary realm owner grants the schema-type role
SQL> CONNECT SYS AS SYSDBA
Enter password: password
-- provide the ability to create database objects
SQL> GRANT dv_realm_resource TO bizapp;
SQL> GRANT UNLIMITED TABLESPACE TO bizapp;
SQL> CONNECT bizapp
Enter password: password
SQL> CREATE TABLE bizapp.cases ...;

Example C-2 Creating an Account for a Realm Owner

-- DV_ACCTMGR here stands for the account that holds the DV_ACCTMGR role
SQL> CONNECT DV_ACCTMGR
Enter password: password
SQL> CREATE USER mary IDENTIFIED BY password;
-- provide session connectivity
SQL> GRANT CONNECT TO mary;

-- the Oracle Data Dictionary realm owner grants the realm-owner role
SQL> CONNECT SYS AS SYSDBA
Enter password: password
-- provide the ANY system privileges a realm owner would need
SQL> GRANT dv_realm_owner TO mary;

SQL> CONNECT mary
Enter password: password
SQL> ALTER TABLE bizapp.cases ...;

Example C-3 Creating an Account for an Application User

-- DV_ACCTMGR here stands for the account that holds the DV_ACCTMGR role
SQL> CONNECT DV_ACCTMGR
Enter password: password
-- the tablespace clauses are part of the same CREATE USER statement
SQL> CREATE USER jiawen IDENTIFIED BY password
  2  DEFAULT TABLESPACE low_ts TEMPORARY TABLESPACE low_ts;
-- provide session connectivity
SQL> GRANT CONNECT TO jiawen;

-- the realm owner can manage privileges against realm objects
SQL> CONNECT mary
Enter password: password
SQL> GRANT SELECT ON bizapp.cases TO jiawen;

SQL> CONNECT jiawen
Enter password: password
-- query application tables
SQL> SELECT * FROM bizapp.cases;

Example C-4 Creating an Account for a Security Administrator

-- DV_ACCTMGR here stands for the account that holds the DV_ACCTMGR role
SQL> CONNECT DV_ACCTMGR
Enter password: password
-- the tablespace clause is part of the same CREATE USER statement
SQL> CREATE USER steve IDENTIFIED BY password
  2  DEFAULT TABLESPACE high_ts;
-- provide session connectivity
SQL> GRANT CONNECT TO steve;

-- allow execute privileges on the DBMS_MACADM package
-- and the ability to query access control views.
-- DV_ACCTMGR cannot grant DV_ADMIN; the grant is made by the account that
-- holds DV_OWNER with the ADMIN OPTION (MACSYS in this guide's examples)
SQL> CONNECT DV_OWNER
Enter password: password
SQL> GRANT dv_admin TO steve;
-- query and administer access control configuration
SQL> CONNECT steve
Enter password: password
SQL> SELECT * FROM dvsys.dba_dv_factor;
SQL> EXEC dvsys.dbms_macadm.create_factor(...);

C.5 Oracle Database Vault Public Views

Oracle Database Vault provides a set of DBA-style views that can be accessed through the DV_SECANALYST role or the DV_ADMIN role. These views expose the underlying Oracle Database Vault tables in the DVSYS and LBACSYS schemas without the primary and foreign key columns that may be present. They are intended to let a database user report on the state of the Oracle Database Vault configuration without performing the joins that would otherwise be required to resolve the labels for codes stored in the core tables or in related tables.

Table C-3 describes these views.

Table C-3 Oracle Database Vault Database Views

View Description

DBA_DV_CODE

This view lists generic lookup codes for the user interface, error messages, constraint checking, and the like. These codes are used for the user interface, views, and for validating input in a translatable fashion.

Each record contains a code group column that categorizes the code, a natural key, and an optional label and description. The following code groups are provided:

  • AUDIT_EVENTS: Contains the action numbers and action names that are used for the custom event audit trail records

  • BOOLEAN: A simple Yes/No or True/False lookup

  • DB_OBJECT_TYPE: The database object types that can be used for realm objects and command authorizations

  • DDL_CMDS: The DDL commands that can be protected through command rules

  • FACTOR_AUDIT: The auditing options for factor retrieval processing

  • FACTOR_EVALUATE: The evaluation options (by session or by access) for factor retrieval

  • FACTOR_FAIL: The options for propagating errors when a factor retrieval method fails

  • FACTOR_IDENTIFY: The options for determining how a factor identifier is resolved, for example, by method or by factors

  • FACTOR_LABEL: The options for determining how a factor identifier is labeled in the session establishment phase

  • LABEL_ALG: The algorithms that can be used to determine the maximum session label for a database session for each policy

  • OPERATORS: The Boolean operators that can be used for identity maps

  • REALM_AUDIT: The options for auditing realm access or realm violations

  • RULESET_AUDIT: The options for auditing rule set execution or rule set errors

  • RULESET_EVALUATE: The options for determining the success or failure of a rule set based on all associated rules being true or any associated rule being true

  • RULESET_EVENT: The options to invoke a custom event handler when a rule set evaluates to Succeeds or Fails

  • RULESET_FAIL: The options to determine the run-time visibility of a rule set failing

DBA_DV_COMMAND_RULE

This view lists the command rules used in the current database instance.

DBA_DV_FACTOR

This view lists the factors used for the current database instance.

DBA_DV_FACTOR_LINK

This view shows the relationships of each factor whose identity is determined by the association of child factors. The view contains one entry for each parent factor and child factor. You can use this view to resolve the relationships from the factor links to identity maps.

DBA_DV_FACTOR_TYPE

This view lists the factor types. A factor type categorizes the indicators (factors) on the premise that architecture and system components are the fundamental drivers of an access control security policy.

DBA_DV_IDENTITY

This view lists the identities for each factor in the current database instance.

DBA_DV_IDENTITY_MAP

This view lists the mappings for each factor identity in the current database instance. The view includes mapping factors that are identified by other factors to combinations of parent-child factor links. For each factor, the maps will be joined by the OR operation, and for different factors, the maps will be joined by the AND operation.

You can use this view to resolve the identity for factors that are identified by other factors (for example, a domain) or for factors that have continuous domains (for example, Age or Temperature).

DBA_DV_MAC_POLICY

This view lists the Oracle Label Security policies defined in the current database instance.

See "How Oracle Database Vault Is Integrated with Oracle Label Security" for more information.

DBA_DV_MAC_POLICY_FACTOR

This view lists the factors that are associated with Oracle Label Security policies for the current database instance.

You can use this view to determine what factors contribute to the maximum session label for each policy using the algorithm from the DBA_DV_MAC_POLICY view.

DBA_DV_POLICY_LABEL

This view lists the Oracle Label Security label for each factor identifier in the DBA_DV_IDENTITY view for each policy.

DBA_DV_PUB_PRIVS

This view lists the Oracle Database Vault privilege management reports used in the Oracle Database Vault Administrator (DV_ADMIN).

DBA_DV_REALM

This view lists the realms created for the current database instance.

DBA_DV_REALM_AUTH

This view lists the authorization of a named database user account or database role (GRANTEE) to access realm objects in a particular realm.

DBA_DV_REALM_OBJECT

This view lists the database schemas, or subsets of schemas with specific database objects contained therein, that are secured by the realms in the current database instance.

DBA_DV_ROLE

This view lists the Oracle Database secure application roles used in privilege management in the current database instance.

DBA_DV_RULE

This view lists the rules that have been defined in the current database instance.

To find the rule sets that use specific rules, use the DBA_DV_RULE_SET_RULE view.

DBA_DV_RULE_SET

This view lists the rule sets that have been created for the current database instance.

DBA_DV_RULE_SET_RULE

This view lists rules that are associated with the rule sets used for the current database instance.

DBA_DV_USER_PRIVS

This view lists the privileges for a database account excluding privileges granted through PUBLIC.

DBA_DV_USER_PRIVS_ALL

This view lists the privileges for a database account including privileges granted through PUBLIC.
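The queries below are an added example and are not part of the Oracle guide. They show how a DV_SECANALYST or DV_ADMIN user would use the views in Table C-3 to answer the questions a security reviewer asks most often: what each enabled realm protects and who is authorized in it, which realm authorizations are unconditional, which tables of an application schema are not covered by any realm, and which command rules are in force. The column names used (REALM_NAME, OWNER, OBJECT_NAME, OBJECT_TYPE, GRANTEE, AUTH_RULE_SET_NAME, AUTH_OPTIONS, ENABLED, COMMAND, OBJECT_OWNER, RULE_SET_NAME) are assumed from the view definitions and are not listed on this page; confirm them with DESCRIBE before relying on the output. The schema name BIZAPP in the coverage query is taken from Example C-1 and is an assumption about which schema you want to audit.

```sql
-- Added example, not from the Oracle Database Vault guide.
-- Reporting over the DVSYS.DBA_DV_* views of Table C-3.
-- Column names are assumed from the view definitions; verify with DESCRIBE.

-- 1. For every enabled realm: the objects it protects and the grantees
--    authorized to act on them (LEFT JOIN keeps realms with no grantees).
SELECT r.realm_name,
       o.owner, o.object_name, o.object_type,
       a.grantee, a.auth_options, a.auth_rule_set_name
  FROM dvsys.dba_dv_realm r
  JOIN dvsys.dba_dv_realm_object o ON o.realm_name = r.realm_name
  LEFT JOIN dvsys.dba_dv_realm_auth a ON a.realm_name = r.realm_name
 WHERE r.enabled = 'Y'
 ORDER BY r.realm_name, o.owner, o.object_name, a.grantee;

-- 2. Unconditional realm authorizations (no rule set attached).
--    These grantees can always use their system privileges on the
--    realm's objects, so the list should be short and reviewed.
SELECT realm_name, grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE auth_rule_set_name IS NULL
 ORDER BY realm_name, grantee;

-- 3. Coverage gap: tables of an application schema (BIZAPP assumed,
--    from Example C-1) that no realm protects. Realm object names may
--    use '%' as a wildcard, so LIKE is used for the match.
SELECT t.owner, t.table_name
  FROM dba_tables t
 WHERE t.owner = 'BIZAPP'
   AND NOT EXISTS (
         SELECT 1
           FROM dvsys.dba_dv_realm_object o
           JOIN dvsys.dba_dv_realm r ON r.realm_name = o.realm_name
          WHERE r.enabled = 'Y'
            AND t.owner LIKE o.owner
            AND t.table_name LIKE o.object_name
            AND (o.object_type = 'TABLE' OR o.object_type = '%'))
 ORDER BY t.table_name;

-- 4. Command rules currently enforced, with the rule set that gates each.
SELECT command, object_owner, object_name, rule_set_name
  FROM dvsys.dba_dv_command_rule
 WHERE enabled = 'Y'
 ORDER BY command, object_owner, object_name;
```

Query 3 needs SELECT on DBA_TABLES in addition to the DVSYS views; if the reviewing account lacks it, substitute ALL_TABLES and accept that only tables visible to that account are checked.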