Use Oracle Database Vault with Autonomous Database
Oracle Database Vault implements powerful security controls for your database. These unique security controls restrict access to application data by privileged database users, reducing the risk of insider and outside threats and addressing common compliance requirements.
See What Is Oracle Database Vault? for more information.
- Oracle Database Vault Users and Roles on Autonomous Database
  Oracle Database Vault provides powerful security controls to help protect application data from unauthorized access, and to implement separation of duties between administrators and data owners to comply with privacy and regulatory requirements.
- Enable Oracle Database Vault on Autonomous Database
  Shows the steps to enable Oracle Database Vault on Autonomous Database.
- Disable Oracle Database Vault on Autonomous Database
  Shows the steps to disable Oracle Database Vault on Autonomous Database.
- Disable User Management with Oracle Database Vault on Autonomous Database
  Shows how to disallow user management related operations for specified components on Autonomous Database with Oracle Database Vault enabled.
- Enable User Management with Oracle Database Vault on Autonomous Database
  Shows the steps to allow user management for a specified component on Autonomous Database with Oracle Database Vault enabled.
Oracle Database Vault Users and Roles on Autonomous Database
Oracle Database Vault provides powerful security controls to help protect application data from unauthorized access, and to implement separation of duties between administrators and data owners to comply with privacy and regulatory requirements.
By default the ADMIN user has the DV_OWNER and DV_ACCTMGR roles. If you want to set up separate users for the DV_OWNER and DV_ACCTMGR accounts, see Oracle Database Vault Schemas, Roles, and Accounts for more information.
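A check for the default described above, where a single account holds both roles. This is an added example, not taken from Oracle's documentation; it assumes the session can read the standard DBA_ROLE_PRIVS and DBA_USERS views.

```sql
-- Added example: list every direct holder of DV_OWNER or DV_ACCTMGR and flag
-- any grantee that holds both, which means the two duties are not separated.
-- Only direct grants are reported; a role granted through another role
-- appears under that intermediate role's name, with a NULL account_status.
SELECT rp.grantee,
       u.account_status,
       LISTAGG(rp.granted_role, ', ')
         WITHIN GROUP (ORDER BY rp.granted_role) AS dv_roles,
       CASE
         WHEN COUNT(DISTINCT rp.granted_role) = 2 THEN 'HOLDS BOTH'
         ELSE 'SEPARATED'
       END AS finding
FROM   dba_role_privs rp
LEFT JOIN dba_users u
       ON u.username = rp.grantee
WHERE  rp.granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
GROUP  BY rp.grantee, u.account_status
ORDER  BY finding, rp.grantee;
```

With the default configuration this page describes, ADMIN is reported as HOLDS BOTH.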
User management is enabled by default for the APEX component when Oracle Database Vault is enabled. When user management is enabled, the APEX users who have the necessary roles to CREATE | ALTER | DROP users have the needed privileges to perform these operations when Database Vault is enabled. To change this, see Disable User Management with Oracle Database Vault on Autonomous Database.
On Autonomous Database with Oracle Database Vault enabled, grant the following privileges:
- When using Oracle GoldenGate, grant the GGADMIN user DV_GOLDENGATE_ADMIN and DV_GOLDENGATE_REDO_ACCESS.
- The ADMIN user must grant the BECOME USER privilege to users who need to use Oracle Data Pump. To perform some Oracle Data Pump operations, additional Oracle Database Vault authorization may be needed. For example, running a full database export or exporting a realm-protected schema requires using DBMS_MACADM.AUTHORIZE_DATAPUMP_USER.
  See AUTHORIZE_DATAPUMP_USER Procedure for more information.
- In order for DBMS_CLOUD credential related APIs to work when Oracle Database Vault is enabled and the credential owner's schema is protected using a Database Vault realm, you must add authorizations for the C##CLOUD$SERVICE user to the Database Vault realm.
  For example:
  BEGIN
    DBMS_MACADM.ADD_AUTH_TO_REALM(
      realm_name    => 'PROTECT_ADMIN',
      grantee       => 'C##CLOUD$SERVICE',
      rule_set_name => 'Enabled',
      auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  END;
  /
  Where PROTECT_ADMIN is your Oracle Database Vault realm.
  See ADD_AUTH_TO_REALM Procedure for more information.
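The grants from the list above, followed by queries that confirm each one took effect. This is an added example, not Oracle's own code: DP_OPERATOR and the HR schema are hypothetical names, and PROTECT_ADMIN is the realm name from the example above.

```sql
-- Added example. DP_OPERATOR and HR are hypothetical names.

-- 1. Oracle GoldenGate: Database Vault roles for the GGADMIN user.
GRANT DV_GOLDENGATE_ADMIN, DV_GOLDENGATE_REDO_ACCESS TO GGADMIN;

-- 2. Oracle Data Pump: ADMIN grants BECOME USER to the exporting user.
GRANT BECOME USER TO DP_OPERATOR;

-- Database Vault authorization scoped to a single realm-protected schema.
-- Omitting schema_name would authorize the user for the whole database,
-- so name the schema whenever a full export is not required.
BEGIN
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    user_name   => 'DP_OPERATOR',
    schema_name => 'HR');
END;
/

-- 3. Verification: each query should return the grant made above and
--    nothing unexpected alongside it.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('DV_GOLDENGATE_ADMIN', 'DV_GOLDENGATE_REDO_ACCESS')
ORDER  BY grantee, granted_role;

SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'BECOME USER'
ORDER  BY grantee;

SELECT *
FROM   dba_dv_datapump_auth
WHERE  grantee = 'DP_OPERATOR';

SELECT realm_name, grantee, auth_rule_set_name, auth_options
FROM   dba_dv_realm_auth
WHERE  realm_name = 'PROTECT_ADMIN'
ORDER  BY grantee;
```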
Enable Oracle Database Vault on Autonomous Database
Shows the steps to enable Oracle Database Vault on Autonomous Database.
Oracle Database Vault is disabled by default on Autonomous Database. To configure and enable Oracle Database Vault on Autonomous Database, do the following:
Use the following command to check if Oracle Database Vault is enabled or disabled:
SELECT * FROM DBA_DV_STATUS;
Output similar to the following appears:
NAME                 STATUS
-------------------- -----------
DV_CONFIGURE_STATUS  TRUE
DV_ENABLE_STATUS     TRUE
The DV_ENABLE_STATUS value TRUE indicates Oracle Database Vault is enabled.
Autonomous Database maintenance operations such as backups and patching are not affected when Oracle Database Vault is enabled.
See Disable Oracle Database Vault on Autonomous Database for information on disabling Oracle Database Vault.
Disable Oracle Database Vault on Autonomous Database
Shows the steps to disable Oracle Database Vault on Autonomous Database.
To disable Oracle Database Vault on Autonomous Database, do the following:
Use the following command to check if Oracle Database Vault is enabled or disabled:
SELECT * FROM DBA_DV_STATUS;
Output similar to the following appears:
NAME                 STATUS
-------------------- -----------
DV_CONFIGURE_STATUS  TRUE
DV_ENABLE_STATUS     FALSE
The DV_ENABLE_STATUS value FALSE indicates Oracle Database Vault is disabled.
Disable User Management with Oracle Database Vault on Autonomous Database
Shows how to disallow user management related operations for specified components on Autonomous Database with Oracle Database Vault enabled.
Autonomous Database with Oracle Database Vault enabled has user management, by default, enabled for the Oracle APEX console. If you want to enforce stricter separation of duty and disallow user management from this console, use DBMS_CLOUD_MACADM.DISABLE_USERMGMT_DATABASE_VAULT.
See DISABLE_USERMGMT_DATABASE_VAULT Procedure for more information.
Enable User Management with Oracle Database Vault on Autonomous Database
Shows the steps to allow user management for a specified component on Autonomous Database with Oracle Database Vault enabled.
Autonomous Database with Oracle Database Vault enabled has user management, by default, enabled for the Oracle APEX console. This allows user management for operations such as CREATE USER, ALTER USER, and DROP USER from the specified component in Autonomous Database.
Use DBMS_CLOUD_MACADM.ENABLE_USERMGMT_DATABASE_VAULT to allow specified user accounts to perform user management when Oracle Database Vault is enabled. Use this procedure if user management is disabled and you want to enable it again.
See ENABLE_USERMGMT_DATABASE_VAULT Procedure for more information.