Oracle Cloud Infrastructure Documentation

Use Oracle Database Vault with Autonomous Database

Oracle Database Vault implements powerful security controls for your database. These unique security controls restrict access to application data by privileged database users, reducing the risk of insider and outside threats and addressing common compliance requirements.

See What Is Oracle Database Vault? for more information.

Parent topic: Security

Oracle Database Vault Users and Roles on Autonomous Database

Oracle Database Vault provides powerful security controls to help protect application data from unauthorized access, and to implement separation of duties between administrators and data owners to comply with privacy and regulatory requirements.

By default the ADMIN user has the DV_OWNER and DV_ACCTMGR roles. If you want to set up separate users for DV_OWNER and DV_ACCTMGR accounts. See Oracle Database Vault Schemas, Roles, and Accounts for more information.

The user management is by default enabled for the APEX component when Oracle Database Vault is enabled. When user management is enabled, the APEX users who have the necessary roles to CREATE | ALTER | DROP users have the needed privileges to perform these operations when Database Vault is enabled. To change this, see Disable User Management with Oracle Database Vault on Autonomous Database.

On Autonomous Database with Oracle Database Vault enabled, grant the following privileges:

  • When using Oracle GoldenGate, grant the GGADMIN user DV_GOLDENGATE_ADMIN and DV_GOLDENGATE_REDO_ACCESS.

  • The ADMIN user must grant the BECOME USER privilege to users who need to use Oracle Data Pump. To perform some Oracle Data Pump operations additional Oracle Database Vault authorization may be needed. For example to run a full database export or to export a realm protected schema requires using DBMS_MACADM.AUTHORIZE_DATAPUMP_USER.

    See AUTHORIZE_DATAPUMP_USER Procedure for more information.

  • In order for DBMS_CLOUD credential related APIs to work when Oracle Database Vault is enabled and the credential owner's schema is protected using a Database Vault realm, you must add authorizations for the C##CLOUD$SERVICE user to the Database Vault realm.

    For example:

    BEGIN
    DBMS_MACADM.ADD_AUTH_TO_REALM(realm_name   => 'PROTECT_ADMIN',
        grantee       => 'C##CLOUD$SERVICE',
        rule_set_name => 'Enabled',
        auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

    Where PROTECT_ADMIN is your Oracle Database Vault realm.

    See ADD_AUTH_TO_REALM Procedure for more information.

Enable Oracle Database Vault on Autonomous Database

Shows the steps to enable Oracle Database Vault on Autonomous Database.

Oracle Database Vault is disabled by default on Autonomous Database. To configure and enable Oracle Database Vault on Autonomous Database, do the following:

  1. Configure Oracle Database Vault using the following command:
    EXEC DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT('adb_dbv_owner', 'adb_dbv_acctmgr');

    Where:

    • adb_dbv_owner is the Oracle Database Vault owner.
    • adb_dbv_acctmgr is the account manager.

    See CONFIGURE_DATABASE_VAULT Procedure for more information.

  2. Enable Oracle Database Vault:
    EXEC DBMS_CLOUD_MACADM.ENABLE_DATABASE_VAULT;

    See ENABLE_DATABASE_VAULT Procedure for more information.

  3. Restart the Autonomous Database instance.

    See Restart Autonomous Database for more information.

Use the following command to check if Oracle Database Vault is enabled or disabled:

SELECT * FROM DBA_DV_STATUS;

Output similar to the following appears:

NAME                 STATUS
-------------------- -----------
DV_CONFIGURE_STATUS  TRUE
DV_ENABLE_STATUS     TRUE

The DV_ENABLE_STATUS value TRUE indicates Oracle Database Vault is enabled.

Note

Autonomous Database maintenance operations such as backups and patching are not affected when Oracle Database Vault is enabled.

See Disable Oracle Database Vault on Autonomous Database for information on disabling Oracle Database Vault.

Disable Oracle Database Vault on Autonomous Database

Shows the steps to disable Oracle Database Vault on Autonomous Database.

To disable Oracle Database Vault on Autonomous Database, do the following:

  1. Disable Oracle Database Vault.
    EXEC DBMS_CLOUD_MACADM.DISABLE_DATABASE_VAULT;

    See DISABLE_DATABASE_VAULT Procedure for more information.

  2. Restart the Autonomous Database instance.

    See Restart Autonomous Database for more information.

Use the following command to check if Oracle Database Vault is enabled or disabled:

SELECT * FROM DBA_DV_STATUS;

Output similar to the following appears:

NAME                 STATUS
-------------------- -----------
DV_CONFIGURE_STATUS  TRUE
DV_ENABLE_STATUS     FALSE

The DV_ENABLE_STATUS value FALSE indicates Oracle Database Vault is disabled.

Disable User Management with Oracle Database Vault on Autonomous Database

Shows how to disallow user management related operations for specified components on Autonomous Database with Oracle Database Vault enabled.

Autonomous Database with Oracle Database Vault enabled has user management, by default, enabled for the Oracle APEX console. If you want to enforce stricter separation of duty and disallow user management from this console, use DBMS_CLOUD_MACADM.DISABLE_USERMGMT_DATABASE_VAULT.

  1. As a user granted DV_ACCTMGR and DV_ADMIN roles you can disable user management for specified components.
  2. To disable user management for a specified component, for example for the APEX component, use the following command:
    EXEC DBMS_CLOUD_MACADM.DISABLE_USERMGMT_DATABASE_VAULT('APEX');

See DISABLE_USERMGMT_DATABASE_VAULT Procedure for more information.

Enable User Management with Oracle Database Vault on Autonomous Database

Shows the steps to allow user management for a specified component on Autonomous Database with Oracle Database Vault enabled.

Autonomous Database with Oracle Database Vault enabled has user management, by default, enabled for the Oracle APEX console. This allows user management for operations such as CREATE USER, ALTER USER, and DROP USER from the specified component in Autonomous Database.

Use DBMS_CLOUD_MACADM.ENABLE_USERMGMT_DATABASE_VAULT to allow specified user accounts to perform user management when Oracle Database Vault is enabled. Use this procedure if user management is disabled and you want to enable it again.

  1. A user granted DV_ACCTMGR and DV_ADMIN roles can enable user management for specified components.
  2. To enable user management for a specified component, for example for the APEX component, use the following command:
    EXEC DBMS_CLOUD_MACADM.ENABLE_USERMGMT_DATABASE_VAULT('APEX');

See ENABLE_USERMGMT_DATABASE_VAULT Procedure for more information.