Oracle 19c Data Vault Tutorial
Configure Data Vault Operations Control
Check current Data Vault Status
SQL> SELECT USERNAME FROM DBA_USERS WHERE USERNAME IN ('DVSYS', 'LBACSYS');
USERNAME
--------------------------------------------------------------------------------
DVSYS
LBACSYS
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
VALUE
----------------------------------------------------------------
FALSE
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
VALUE
----------------------------------------------------------------
FALSE
SQL> SELECT * FROM DBA_DV_STATUS;
NAME
-------------------
STATUS
----------------------------------------------------------------
DV_APP_PROTECTION
NOT CONFIGURED
DV_CONFIGURE_STATUS
FALSE
DV_ENABLE_STATUS
FALSE
SQL> col pdb_name format a20
SQL> col status format a20
SQL> select a.name pdb_name, a.open_mode, b.name, b.status
from v$pdbs a , cdb_dv_status b
where a.con_id=b.con_id
order by 1,2;
PDB_NAME OPEN_MODE NAME STATUS
-------------------- ---------- ------------------- --------------------
PDB1 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
PDB1 READ WRITE DV_ENABLE_STATUS FALSE
PDB1 READ WRITE DV_CONFIGURE_STATUS FALSE
Create the Admin Common User
SQL> create user c##admin identified by Oracle_4U
container=all;
User created.
SQL> grant dba to c##admin container=all;
Grant succeeded.
SQL> alter session set container=pdb1;
Session altered.
Create the DEMO user
SQL> create user demo identified by demo;
User created.
SQL> grant create session, create table ,unlimited tablespace to demo;
Grant succeeded.
SQL> create table demo.myobjects as select * from all_objects;
Table created.
SQL> select count(*) from demo.myobjects;
COUNT(*)
----------
71345
Before Data Vault is configured, the C##ADMIN user is able to select rows from DEMO.MYOBJECTS
SQL> conn c##admin/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
COUNT(*)
----------
71345
Configure Data Vault in Container Database
SQL> conn / as sysdba
Connected.
SQL> create user c##dvowner identified by Oracle_4U container=all;
User created.
SQL> create user c##dvacctmgr identified by Oracle_4U container=all;
User created.
SQL> create user c##dvowner_bkp identified by Oracle_4U container=all;
User created.
SQL> create user c##dvacctmgr_bkp identified by Oracle_4U container=all;
User created.
SQL> grant connect,resource to c##dvowner container=all;
Grant succeeded.
SQL> grant connect,resource to c##dvowner_bkp container=all;
Grant succeeded.
SQL> grant connect,resource to c##dvacctmgr container=all;
Grant succeeded.
SQL> grant connect,resource to c##dvacctmgr_bkp container=all;
Grant succeeded.
SQL> BEGIN
CONFIGURE_DV (
dvowner_uname => 'c##dvowner',
dvacctmgr_uname => 'c##dvacctmgr');
END;
/
PL/SQL procedure successfully completed.
SQL> @?/rdbms/admin/utlrp.sql
SQL> conn c##dvowner/Oracle_4U
Connected.
SQL> exec dbms_macadm.enable_dv;
PL/SQL procedure successfully completed.
SQL> grant dv_owner to c##dvowner_bkp container=all;
Grant succeeded.
SQL> conn c##dvacctmgr/Oracle_4U
Connected.
SQL> grant dv_acctmgr to c##dvacctmgr_bkp container=all;
Grant succeeded.
SQL> conn / as sysdba
Connected.
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup;
ORACLE instance started.
Total System Global Area 1073738488 bytes
Fixed Size 9143032 bytes
Variable Size 700448768 bytes
Database Buffers 360710144 bytes
Redo Buffers 3436544 bytes
Database mounted.
Database opened.
Configure Data Vault in Pluggable Database
SQL> alter session set container=pdb1;
Session altered.
SQL> BEGIN
CONFIGURE_DV (
dvowner_uname => 'c##dvowner',
dvacctmgr_uname => 'c##dvacctmgr');
END;
/
PL/SQL procedure successfully completed.
SQL> conn c##dvowner/Oracle_4U@pdb1
Connected.
SQL> exec dbms_macadm.enable_dv;
PL/SQL procedure successfully completed.
SQL> conn / as sysdba
Connected.
SQL> alter pluggable database pdb1 close immediate;
Pluggable database altered.
SQL> alter pluggable database pdb1 open;
Pluggable database altered.
SQL> col pdb_name format a20
SQL> col status format a20
SQL> select a.name pdb_name, a.open_mode, b.name, b.status
from v$pdbs a , cdb_dv_status b
where a.con_id=b.con_id
order by 1,2;
PDB_NAME OPEN_MODE NAME STATUS
-------------------- ---------- ------------------- --------------------
PDB1 READ WRITE DV_APP_PROTECTION NOT CONFIGURED
PDB1 READ WRITE DV_ENABLE_STATUS TRUE
PDB1 READ WRITE DV_CONFIGURE_STATUS TRUE
SQL> alter session set container=pdb1;
Session altered.
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
VALUE
----------------------------------------------------------------
TRUE
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
VALUE
----------------------------------------------------------------
TRUE
SQL> conn / as sysdba
Connected.
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY YES
3 PDB1 READ WRITE NO
Enable Operations Control
SQL> conn c##dvowner/Oracle_4U
Connected.
SQL> exec dbms_macadm.enable_app_protection;
PL/SQL procedure successfully completed.
SQL> conn / as sysdba
Connected.
SQL> SELECT * FROM DBA_DV_STATUS;
NAME STATUS
------------------- --------------------
DV_APP_PROTECTION ENABLED
DV_CONFIGURE_STATUS TRUE
DV_ENABLE_STATUS TRUE
SQL> select a.name pdb_name, a.open_mode, b.name, b.status
from v$pdbs a , cdb_dv_status b
where a.con_id=b.con_id
order by 1,2;
PDB_NAME OPEN_MODE NAME STATUS
-------------------- ---------- ------------------- --------------------
PDB1 READ WRITE DV_APP_PROTECTION ENABLED
PDB1 READ WRITE DV_ENABLE_STATUS TRUE
PDB1 READ WRITE DV_CONFIGURE_STATUS TRUE
Test Operations Control
The C##ADMIN user is no longer able to select rows from DEMO.MYOBJECTS – even with the DBA role
SQL> conn c##admin/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
select count(*) from demo.myobjects
*
ERROR at line 1:
ORA-01031: insufficient privileges
The DEMO user, as the schema owner, is still able to select rows from its MYOBJECTS table
SQL> conn demo/demo@pdb1
Connected.
SQL> /
COUNT(*)
----------
71345
Disable Operations Control
SQL> conn c##dvowner/Oracle_4U
Connected.
SQL> exec dbms_macadm.disable_app_protection('PDB1');
PL/SQL procedure successfully completed.
SQL> conn c##admin/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
COUNT(*)
----------
71345
Enable Operations Control – add an exception so that only the SYSTEM user is allowed through
SQL> conn c##dvowner/Oracle_4U
Connected.
SQL> exec dbms_macadm.enable_app_protection;
PL/SQL procedure successfully completed.
SQL> conn system/Oracle_4U@pdb1
ERROR:
Connected.
SQL> select count(*) from demo.myobjects;
select count(*) from demo.myobjects
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> conn c##dvowner/Oracle_4U
Connected.
SQL> exec dbms_macadm.add_app_exception('SYSTEM','%');
PL/SQL procedure successfully completed.
SQL> conn system/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
COUNT(*)
----------
71345
SQL> conn c##admin/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
select count(*) from demo.myobjects
*
ERROR at line 1:
ORA-01031: insufficient privileges
begin
    -- Realm around DEMO.MYOBJECTS, created as a mandatory realm. The block right after this
    -- one on the page creates a realm with the same name (DEMO_REALM) as a regular realm, so
    -- running both unchanged would try to create DEMO_REALM twice -- only one variant is
    -- meant to be used. Run from the Data Vault owner account (c##dvowner on this page); in
    -- SQL*Plus an anonymous block needs a "/" line after it to execute (see CONFIGURE_DV above).
    DVSYS.DBMS_MACADM.CREATE_REALM(
        realm_name => 'DEMO_REALM',
        description => ' Realm to protect DEMO schema',   -- leading space is in the original literal
        enabled => 'Y',
        audit_options => 1,     -- NOTE(review): 1 = audit on failure per the DBMS_MACADM docs; confirm for 19c
        realm_type => '1' );    -- NOTE(review): '1' = mandatory realm, '0' = regular realm; confirm for 19c
    -- Protects a single table (object_name is an exact name, not a wildcard).
    -- DBMS_ASSERT.ENQUOTE_NAME returns the owner as a quoted identifier; with FALSE the case is
    -- kept as written, so the literal must already be upper case ('DEMO').
    DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
        realm_name => 'DEMO_REALM',
        object_owner => SYS.DBMS_ASSERT.ENQUOTE_NAME('DEMO',FALSE),
        object_name => 'MYOBJECTS',
        object_type => 'TABLE' );
    -- Explicit realm authorization for DEMO. NOTE(review): presumably needed because a mandatory
    -- realm blocks even the object owner unless authorized -- confirm against the docs.
    -- rule_set_name => '' is NULL in Oracle, i.e. the authorization is unconditional;
    -- auth_options '0' is the participant level ('1' = realm owner) -- confirm for 19c.
    DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
        realm_name => 'DEMO_REALM',
        grantee => SYS.DBMS_ASSERT.ENQUOTE_NAME('DEMO',FALSE),
        rule_set_name => '',
        auth_options => '0' );
end;
begin
    -- Regular-realm variant of DEMO_REALM (realm_type '0'); compare the block just above,
    -- which uses realm_type '1' and additionally authorizes DEMO. Both create a realm named
    -- DEMO_REALM, so only one of them can be run against the same database.
    -- No ADD_AUTH_TO_REALM here. NOTE(review): presumably the owner's direct object privileges
    -- still apply in a regular realm while DBA-style system privileges do not -- this matches
    -- the page's results that follow (ORA-01031 for SYSTEM, row count returned for DEMO); confirm.
    -- In SQL*Plus the block needs a "/" line after it to execute.
    DVSYS.DBMS_MACADM.CREATE_REALM(
        realm_name => 'DEMO_REALM',
        description => ' Realm to secure DEMO schema',   -- leading space is in the original literal
        enabled => 'Y',
        audit_options => 1,     -- NOTE(review): 1 = audit on failure per the DBMS_MACADM docs; confirm for 19c
        realm_type =>'0' );     -- NOTE(review): '0' = regular realm; confirm for 19c
    -- ENQUOTE_NAME with FALSE keeps the case as written, so 'DEMO' must already be upper case.
    DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
        realm_name => 'DEMO_REALM',
        object_owner => SYS.DBMS_ASSERT.ENQUOTE_NAME('DEMO',FALSE),
        object_name => 'MYOBJECTS',
        object_type => 'TABLE' );
end;
SQL> conn system/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
select count(*) from demo.myobjects
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> conn demo/demo@pdb1
Connected.
SQL> /
COUNT(*)
----------
67214
SQL> conn c##dbv_owner/Oracle_4U
Connected.
SQL> exec dbms_macadm.disable_app_protection('PDB1');
SQL> conn system/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
COUNT(*)
----------
67214
SQL> conn c##dbv_owner/Oracle_4U@pdb1
Connected.
SQL> col violation_type format a29
col username format a12
column machine format a20
col command format a12
col dv$_module format a12
col sqltext format a50
set lines 300
select violation_type, username,machine,command,dv$_module, sqltext from
dba_dv_simulation_log;
VIOLATION_TYPE USERNAME MACHINE COMMAND DV$_MODULE SQLTEXT
----------------------------- ------------ -------------------- ------------ ------------ --------------------------------------------------
Command Rule Violation SYSTEM ogg.example.com SELECT SQL*Plus SELECT COUNT(*) FROM DEMO.MYOBJECTS
Command Rule Violation SYSTEM ogg.example.com SELECT SQL*Plus SELECT COUNT(*) FROM DEMO.MYOBJECTS
Command Rule Violation SYSTEM ogg.example.com SELECT SQL*Plus SELECT COUNT(*) FROM DEMO.MYOBJECTS
begin
    -- Rule set meant to restrict SELECT on DEMO.MYOBJECTS to the DEMO user. The inner DECLARE
    -- block only derives is_static from a 'Y'/'N' flag (generated-tool style); with x := 'N'
    -- the net effect is simply is_static => FALSE.
    -- In SQL*Plus the block needs a "/" line after it to execute.
    DECLARE
        x VARCHAR2(40);
        static_option BOOLEAN := FALSE;
    BEGIN
        x:='N';
        IF x = 'Y' THEN
            static_option := TRUE;
        ELSE
            static_option := FALSE;
        END IF;
        -- fail_code / fail_message are what a blocked caller sees: later on this page SYSTEM's
        -- SELECT fails with "ORA-47306: 20002: Only DEMO user can execute SELECT".
        -- NOTE(review): option codes per the DBMS_MACADM docs, confirm for 19c -- eval_options 1 =
        -- all rules must be true; audit_options 1 = audit on failure; fail_options 1 = show the
        -- error message to the caller; handler_options 0 = no handler (handler => '' is NULL);
        -- is_static FALSE = the rule set is re-evaluated on every use rather than once per session.
        DVSYS.DBMS_MACADM.CREATE_RULE_SET(
            rule_set_name => 'RS_ALLOW_DEMO_ACCESS',
            description => ' Rule Set limits SELECT access to DEMO user',   -- leading space is in the original literal
            enabled => 'Y',
            eval_options => 1,
            audit_options => 1,
            fail_options => 1,
            fail_message => 'Only DEMO user can execute SELECT ',   -- trailing space is in the original literal
            fail_code => '-20002',
            handler_options => 0,
            handler => '',
            is_static => static_option);
    END;
    -- Attaches the rule ALLOW_DEMO_ACCESS, which is not created anywhere on this page
    -- (presumably DBMS_MACADM.CREATE_RULE was run beforehand -- confirm it exists, otherwise
    -- this call would presumably fail). Likewise the command rule that binds
    -- RS_ALLOW_DEMO_ACCESS to SELECT on DEMO.MYOBJECTS is not shown, although the ORA-47306
    -- later on the page indicates one is in place.
    DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
        rule_set_name => 'RS_ALLOW_DEMO_ACCESS',
        rule_name => 'ALLOW_DEMO_ACCESS',
        rule_order => '1',
        enabled => 'Y');
end;
SQL> conn system/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
COUNT(*)
----------
67214
SQL> conn c##dbv_owner/Oracle_4U@pdb1
Connected.
SQL> col violation_type format a29
col username format a12
column machine format a20
col command format a12
col dv$_module format a12
col sqltext format a50
set lines 300
select violation_type, username,machine,command,dv$_module, sqltext from
dba_dv_simulation_log;
VIOLATION_TYPE USERNAME MACHINE COMMAND DV$_MODULE SQLTEXT
----------------------------- ------------ -------------------- ------------ ------------ --------------------------------------------------
Command Rule Violation SYSTEM ogg.example.com SELECT SQL*Plus SELECT COUNT(*) FROM DEMO.MYOBJECTS
Command Rule Violation SYSTEM ogg.example.com SELECT SQL*Plus SELECT COUNT(*) FROM DEMO.MYOBJECTS
Command Rule Violation SYSTEM ogg.example.com SELECT SQL*Plus SELECT COUNT(*) FROM DEMO.MYOBJECTS
Command Rule Violation SYSTEM ogg.example.com SELECT SQL*Plus SELECT COUNT(*) FROM DEMO.MYOBJECTS
SQL> conn system/Oracle_4U@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
select count(*) from demo.myobjects
*
ERROR at line 1:
ORA-47306: 20002: Only DEMO user can execute SELECT
SQL> conn demo/demo@pdb1
Connected.
SQL> select count(*) from demo.myobjects;
COUNT(*)
----------
67214