Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-04 |
|
|
View PDF |
This chapter includes the following sections:
The Oracle Database Vault database objects include two schemas with database tables, sequences, views, triggers, roles, packages, procedures, functions, and contexts that support the administration and run-time processing of Oracle Database Vault.
Oracle Database Vault has the following schemas:
The DVSYS
schema contains Oracle Database Vault database objects: database tables, sequences, views, triggers, roles, packages, procedures, functions, contexts, and other objects to store Oracle Database Vault configuration information and support the administration and run-time processing of Oracle Database Vault.
Oracle Database Vault secures the DVSYS
schema by using a protected schema design. A protected schema design guards the schema against improper use of system privileges (for example, SELECT ANY TABLE
, CREATE ANY VIEW
, or DROP ANY
). (Note that some system privileges do not apply to the protected schema because DVSYS
does not use them (for example, the UNLIMITED TABLESPACE
privilege.)
The following restrictions apply to the DVSYS
schema:
The DVSYS
protected schema and its administrative roles cannot be dropped.
Statements such as CREATE USER
, ALTER USER
, DROP USER
, CREATE PROFILE
, ALTER PROFILE
, and DROP PROFILE
can only be issued by a user with the DV_ACCTMGR
role. SYSDBA
can issue these statements only if it is allowed to do so by modifying the Can Maintain Accounts/Profiles rule set.
The powerful ANY
system privileges for database definition language (DDL) and data manipulation language (DML) commands are not applicable to the protected schema. This means that the objects in the DVSYS
schema must be created by the schema account itself. Also, access to the schema objects must be authorized through object privilege grants.
Object privileges in the DVSYS
schema can only be granted to administrative roles in the schema. This means that users can access the protected schema only through predefined administrative roles.
Only the protected schema account DVSYS
can issue ALTER ROLE
statements on predefined administrative roles of the schema. "Oracle Database Vault Database Roles" describes Oracle Database Vault administrative roles in detail.
Only the protected schema account DVSYS
can grant predefined roles to users along with the WITH ADMIN OPTION
. This means that a grantee with the WITH ADMIN OPTION
can only grant the role to another user without the WITH ADMIN OPTION
.
The SYS.DBMS_SYS_SQL.PARSE_AS_USER
procedure cannot be used to run SQL statements on behalf of the protected schema DVSYS
.
Note:
Users are allowed to grant privileges or roles to the predefined administrative roles.The DVF
schema is the owner of the Oracle Database Vault DBMS_MACSEC_FUNCTION
PL/SQL package, which contains the functions that retrieve factor identities. When you create a new factor, Oracle Database Vault creates a new retrieval function for the factor and saves it in this schema.
The roles described in this section are required for managing Oracle Database Vault. These roles are designed to implement the first level of separation of duties within the database, organized in the following hierarchy: The most powerful level is for the owner-related roles, DV_OWNER
, DV_REALM_OWNER
, and DV_REALM_RESOURCE
. The next level beneath it is for the administrative roles, DV_ADMIN
, DV_ACCTMGR
, and DV_PUBLIC
. The third level is for the analyst-related role, DV_SECANALYST
.
Note:
You can grant additional object privileges and roles to the Oracle Database Vault roles to extend their scope of privileges. For example,SYSDBA
can grant object privileges to an Oracle Database Vault role as long as the object is not in the DVSYS
schema or realm.Oracle Database Vault provides the following roles:
Oracle Database Vault Configuration Administrator Role, DV_ADMIN
Oracle Database Vault Application/Realm DBA Role, DV_REALM_OWNER
Oracle Database Vault Application Resource Owner Role, DV_REALM_RESOURCE
The DV_OWNER
role, which is created when you install Oracle Database Vault, has the most privileges on the DVSYS
schema. (In this guide, the example account that uses this role is MACSYS
.) It has the administration capabilities provided by the DV_ADMIN
role and the reporting capabilities provided by the DV_SECANALYST
role. The first account granted with this role and the ADMIN OPTION
can grant any Oracle Database Vault roles (except DV_ACCTMGR
) without the ADMIN OPTION
to any account. Users granted this role also can run Oracle Database Vault reports and monitor Oracle Database Vault.
Anyone with the DV_OWNER
privilege can grant DV_OWNER
privileges. The first account granted this role and with the ADMIN OPTION
can revoke any granted protected schema role from another account. Accounts such as SYS
or SYSTEM
, with the GRANT ANY ROLE
system privilege alone (directly granted or indirectly granted using a role) do not have the rights to grant this role to or revoke this role from any other database account.
The granting and revoking of protected schema roles are enforced only by an instance with the Oracle executable linked with DV_ON
, which enables Oracle Database Vault security. When the Oracle executable is linked with DV_OFF
, then an instance can use an account GRANT ANY ROLE
system privilege for GRANT
and REVOKE
operations.
Appendix B, "Enabling and Disabling Oracle Database Vault" shows how to use DV_ON
and DV_OFF
. See also Appendix E, "Oracle Database Vault Packages" for more information about the Oracle Database Vault packages.
The DV_ADMIN
role has the EXECUTE
privilege on the DVSYS
package, DBMS_MACADM
, which is used for all access control configuration. DV_ADMIN
has the reporting capabilities provided by the DV_SECANALYST
role. A user granted this role has the EXECUTE
privilege on all Oracle Database Vault administrative packages. Users granted with this role also can run Oracle Database Vault reports and monitor Oracle Database Vault.
Accounts such as SYS
or SYSTEM
, with the GRANT ANY ROLE
system privilege alone do not have the rights to grant this role to or revoke this role from any other database account. The first user with the DV_ADMIN
role and the ADMIN OPTION
can grant this role without the ADMIN OPTION
to any database account and revoke this role from another account.
The granting and revoking of protected schema roles are enforced only by an instance with the Oracle executable linked with DV_ON
, which enables Oracle Database Vault security features. When Oracle executable is linked with DV_OFF
, then an instance can use an account GRANT ANY ROLE
system privilege for GRANT
and REVOKE
operations.
Appendix B, "Enabling and Disabling Oracle Database Vault" explains how to use DV_ON
. See also Appendix E, "Oracle Database Vault Packages" for more information about the Oracle Database Vault packages.
The DV_ACCTMGR
role is used for creating and maintaining database accounts and database profiles. A user who has been granted this role can use the CREATE
, ALTER
, and DROP
statements for users or profiles. However, a person with this role cannot use the DROP
or ALTER
statements for the DVSYS account, nor change the DVSYS
password.
Tip:
Oracle recommends that you add the user who has theDV_ACCTMGR
role to the data dictionary realm so that this user can grant other users ANY
privileges, if they need them. See "Step 1: Adding the DV_ACCTMGR Role to the Data Dictionary Realm" for instructions.Any account, such as SYS
or SYSTEM
, with the GRANT ANY ROLE
system privilege alone does not have the rights to grant this role to or revoke this role from any other database account. The first account with the DV_ACCTMGR
role and the ADMIN OPTION
can grant this role without the ADMIN OPTION
to any given database account and revoke this role from another account.
The granting and revoking of protected schema roles are enforced only by an instance with the Oracle executable linked with DV_ON
, which enables Oracle Database Vault. When the Oracle executable is linked with DV_OFF
, then an instance can use an account with GRANT ANY ROLE
system privilege for GRANT
and REVOKE
operations.
Appendix B, "Enabling and Disabling Oracle Database Vault" shows how to use DV_ON
and DV_OFF
.
The DV_PUBLIC
role is used to grant privileges on specific objects in the DVSYS
schema. Oracle Database Vault does not allow you to directly grant object privileges in the DVSYS
schema to PUBLIC
. You must grant an the object privilege on the DVSYS
schema object the DV_PUBLIC
role, and then grant DV_PUBLIC
to PUBLIC
.
The following Oracle Database Vault objects are accessible through DV_PUBLIC
:
PL/SQL procedures and functions, described in "Oracle Database Vault Run-Time PL/SQL Procedures and Functions"
PL/SQL factor functions, described in "Oracle Database Vault PL/SQL Factor Functions"
DVSYS.DBMS_MACSEC_ROLES
package, described in "DVSYS.DBMS_MACSEC_ROLES Package"
DVSYS.DBMS_MACUTL package, described in "DVSYS.DBMS_MACUTL Package"
The DV_SECANALYST
role has SELECT
privileges on the DVSYS
schema objects and portions of the SYS
and SYSMAN
schema objects as for reporting on DVSYS
-related and DVF
-related entities. A user granted this role can check the DVSYS
configuration by querying the DVSYS
views described in "Oracle Database Vault Public Views". Users granted this role also can read Oracle Database Vault reports and monitor Database Vault.
Any account, such as SYS
or SYSTEM
, with the GRANT ANY ROLE
system privilege alone does not have the rights to grant this role to or revoke this role from any other database account. The first user with the DV_SECANALYST
role and the ADMIN OPTION
can grant this role without the ADMIN OPTION
to any database account and revoke this role from another account.
The granting and revoking of protected schema roles are enforced only by an instance with the Oracle executable linked with DV_ON
, which enables the Oracle Database Vault security features. When the Oracle executable is linked with DV_OFF
, then an instance can use an account GRANT ANY ROLE
system privilege for GRANT
and REVOKE
operations.
Appendix B, "Enabling and Disabling Oracle Database Vault" shows how to use DV_ON
and DV_OFF
.
The DV_REALM_OWNER
role is used for managing database objects in multiple schemas that define an application or a realm. This role should be granted to the database account owner who would manage several schema database accounts within a realm and the roles associated with the realm. A user granted this role can use powerful system privileges like CREATE ANY
, ALTER ANY
, and DROP ANY
within the realm.
The realm owner of the Oracle Data Dictionary realm, such as SYS
, can grant this role to any given database account or role. Note that though this role has system privilege grants that SYS
controls, it does not have the DV_OWNER
or DV_ADMIN
roles.
If you want to attach this role to a specific realm, you need to assign it to an account business-related role, then authorize that account or role in the realm.
The DV_REALM_RESOURCE
role provides the same system privileges as the Oracle RESOURCE
role. In addition both CREATE SYNONYM
and CREATE VIEW
are granted to this role.This role can be granted to a database account that will own database tables, objects, triggers, views, procedures, and so on that are used to support any database application. This is a role geared toward a schema type database account. The realm owner of the Oracle Data Dictionary realm, such as SYS
, can grant this role to any database account or role. Note that though this role has system privilege grants that SYS
controls, it does not have the DV_OWNER
or DV_ADMIN
privileges.
Oracle Database Vault prompts for two accounts that you can create during installation: Oracle Database Vault Owner and Oracle Database Vault Account Manager. You must supply an account name and password for the Oracle Database Vault Owner account during installation. Creating an Oracle Database Vault Account Manager is optional.
The Oracle Database Vault Owner account is granted the DV_OWNER
role. This account can manage Oracle Database Vault roles and configuration.
The Oracle Database Vault Account Manager account is granted the DV_ACCTMGR
role. This account is used to manage database user accounts to facilitate separation of duties.
Note:
If you opt not to create the Oracle Database Vault Account Manager account during installation, then both theDV_OWNER
and DV_ACCTMGR
roles are granted to the Oracle Database Vault Owner user account.Table C-1 lists the Oracle Database Vault database accounts that are needed in addition to the accounts that you create during installation.
Table C-1 Database Accounts Used by Oracle Database Vault
Database Account | Description | Roles and Privileges |
---|---|---|
Owner of Oracle Database Vault schema and related objects. |
Several system and object privileges are provided to support Oracle Database Vault.The ability to create a session with this account is revoked at the end of the installation, and the account is locked. |
|
Owner of the Oracle Database Vault functions that are created to retrieve factor identities. |
A handful of system privileges are provided to support Oracle Database Vault.The ability to create a session with this account is revoked at the end of the installation, and the account is locked. |
|
This account is created during the Oracle Database Vault installation, in case you plan to use Oracle Audit Vault. Do not drop or re-create this account. |
||
Owner of the Oracle Label Security schema. |
.This account is created if you install Oracle Label Security by using the custom installation option. Do not drop or re-create this account. If you plan to integrate a factor with an Oracle Label Security policy, you must assign this user as the owner of the realm using this factor. See "Using an Oracle Database Vault Factor with an Oracle Label Security Policy" for more information. |
You can create different database accounts to implement the separation of duties requirements for Oracle Database Vault. Table C-2 lists some model database accounts that can act as a guide. (The accounts listed in Table C-2 serve as a guide to implementing Oracle Database Vault roles. These are not actual accounts that are created during installation.)
Table C-2 Model Oracle Database Vault Database Accounts
Database Account | Description | Roles and Privileges |
---|---|---|
|
Account for administration of database accounts and profiles. This account:
|
|
|
Account to serve as the access control administrator. This account:
|
|
|
Account for running Oracle Database Vault reports in the Oracle Database Vault Administration application. |
|
|
Account that is the realm owner for the |
|
The general approach to creating database accounts and using the database roles provided in a database protected by Oracle Database Vault is as follows:
Log in as the Oracle Database Vault User realm owner to create the database account.
In the same database session, grant the new account the ability to create a database session.
Depending on the type of account being created, log in as the Oracle Data Dictionary realm owner or Oracle Database Vault realm owner to grant the appropriate roles required for the account.
Grant additional system or object privileges as required by the account.
The following examples demonstrate the uses of the Oracle Database Vault roles and database accounts. The examples assume the creation of an application schema type account named bizapp
, a realm-owner type account named mary
, an application end-user type account named jiawen
, and a security administrator named steve
.
These examples assume that you have added the DV_ACCTMGR
role to the Data Dictionary realm. See "Step 1: Adding the DV_ACCTMGR Role to the Data Dictionary Realm" for instructions on how to do this.
Example C-1 Creating a Schema Account
SQL> CONNECT DV_ACCTMGR Enter password: password SQL> CREATE USER bizapp IDENTIFIED BY password; -- provide session connectivity SQL> GRANT CONNECT TO bizapp;
SQL> CONNECT SYS / AS SYSDBA
Enter password: password
-- provide the ability to create database objects
SQL> GRANT dv_realm_resource TO bizapp;
SQL> GRANT UNLIMITED TABLESPACE TO bizapp;
SQL> CONNECT bizapp
Enter password: password
SQL> CREATE TABLE bizapp.cases...;
Example C-2 Creating an Account for a Realm Owner
SQL> CONNECT DV_ACCTMGR Enter password: password SQL> CREATE USER mary IDENTIFIED BY password; -- provide session connectivity SQL> GRANT CONNECT TO mary; SQL> CONNECT SYS / AS SYSDBA Enter password: password -- provide ANY system privileges a realm owner would need SQL> GRANT dv_realm_owner TO mary; SQL> CONNECT mary Enter password: password SQL> ALTER TABLE bizapp.cases
Example C-3 Creating an Account for an Application User
SQL> CONNECT DV_ACCTMGR Enter password: password SQL> CREATE USER jiawen IDENTIFIED BY password; SQL> DEFAULT TABLESPACE low_ts TEMPORARY TABLESPACE low_ts; -- provide session connectivity SQL> GRANT CONNECT TO jiawen; -- the realm owner can manage privileges against realm objects SQL> CONNECT mary Enter password: password SQL> GRANT SELECT ON bizapp.cases TO jiawen; SQL> CONNECT jiawen Enter password: password -- query application tables SQL> SELECT * FROM bizapp.cases
Example C-4 Creating an Account for a Security Administrator
SQL> CONNECT DV_ACCTMGR Enter password: password SQL> CREATE USER steve IDENTIFIED BY password; SQL> DEFAULT TABLESPACE high_ts; -- provide session connectivity SQL> GRANT CONNECT TO steve; -- allow execute privileges on DBMS_MACADM package -- and the ability to query access control views SQL> CONNECT DV_ACCTMGR Enter password: password SQL> GRANT dv_admin TO steve
-- query and administer access control configuration SQL> CONNECT steve Enter password: password SQL> SELECT * FROM dvsys.dba_dv_factor; SQL> EXEC dvsys.dbms_macadm.create_factor(...);
Oracle Database Vault provides a set of DBA
style views that can be accessed through the DV_SECANALYST
role or the DV_ADMIN
role. These views provide access to the various underlying Oracle Database Vault tables in the DVSYS
and LBACSYS
schemas without exposing the primary and foreign key columns that may be present. These views are intended for the database user to report on the state of the Oracle Database Vault configuration without having to perform the joins required to get the labels for codes that are stored in the core tables or from the related tables.
Table C-3 describes these views.
Table C-3 Oracle Database Vault Database Views
View | Description |
---|---|
|
This view lists generic lookup codes for the user interface, error messages, constraint checking, and the like. These codes are used for the user interface, views, and for validating input in a translatable fashion. Each record contains a code group column that categorizes the code, a natural key, and an optional label and description. The following code groups are provided:
|
|
This view lists the command rules used in the current database instance. |
|
This view lists the factors used for the current database instance. |
|
This view shows the relationships of each factor whose identity is determined by the association of child factors. The view contains one entry for each parent factor and child factor. You can use this view to resolve the relationships from the factor links to identity maps. |
|
This view lists the factor types, which are the categorization of the indicators (factors) that support the notion of architecture and system components being the fundamental drivers for an access control security policy. |
|
This view lists the identities for each factor in the current database instance. |
|
This view lists the mappings for each factor identity in the current database instance. The view includes mapping factors that are identified by other factors to combinations of parent-child factor links. For each factor, the maps will be joined by the You can use this view to resolve the identity for factors that are identified by other factors (for example, a domain) or for factors that have continuous domains (for example, Age or Temperature). |
|
This view lists the Oracle Label Security policies defined in the current database instance. See "How Oracle Database Vault Is Integrated with Oracle Label Security" for more information. |
|
This view lists the factors that are associated with Oracle Label Security policies for the current database instance. You can use this view to determine what factors contribute to the maximum session label for each policy using the algorithm from the |
|
This view lists the Oracle Label Security label for each factor identifier in the |
|
This view lists the Oracle Database Vault privilege management reports used in the Oracle Database Vault Administrator ( |
|
This view lists the realms created for the current database instance. |
|
This view lists the authorization of a named database user account or database role ( |
|
This view lists the database schemas, or subsets of schemas with specific database objects contained therein, that are secured by the realms in the current database instance. |
|
This view lists the Oracle Database secure application roles used in privilege management in the current database instance. |
|
This view lists the rules that have been defined in the current database instance. To find the rule sets that use specific rules, use the |
|
This view lists the rules sets that have been created for the current database instance. |
|
This view lists rules that are associated with the rule sets used for the current database instance. |
|
This view lists the privileges for a database account excluding privileges granted through |
|
This view lists the privileges for a database account including privileges granted through |