Configure Oracle Database Vault for a Pluggable Database (PDB1)

-

 

Configure Oracle Database Vault for a Pluggable Database (PDB1)

Oracle Database Vault (DV) adds a critical layer of security to Oracle Databases by enabling strong access control and separation of duties. When working in a multitenant environment, it's essential to configure DV specifically for each Pluggable Database (PDB) where protection is required.

This guide outlines the complete steps to enable and verify Database Vault in PDB1, including the assignment of privileged users and schema verification.

Step 1: Connect to the Target PDB

Start by switching your session to the target pluggable database where DV needs to be enabled.

sql
ALTER SESSION SET CONTAINER=pdb1;

Step 2: Verify DV and OLS Installation

Ensure that Database Vault (DV) and Oracle Label Security (OLS) are installed and available in the PDB.

sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;

These views should return status information such as ENABLED, DISABLED, or NOT CONFIGURED.

Step 3: Load Sample Schema (HR)

If the HR schema is not yet available in the PDB, it can be created using the official Oracle script:

sql
@?/demo/schema/human_resources/hr_main.sql

Once the schema is created, validate access to sample data:

sql
SELECT EMPLOYEE_ID, FIRST_NAME, LAST_NAME, SALARY FROM hr.employees;

Step 4: Configure Database Vault

Use the built-in CONFIGURE_DV procedure to initialize Database Vault by assigning the DV Owner and DV Account Manager roles.

sql
BEGIN
  CONFIGURE_DV (
    dvowner_uname    => 'c##dv_owner_root',
    dvacctmgr_uname  => 'c##dv_acctmgr_root'
  );
END;
/

This step sets up the security foundation by defining which users will manage DV operations.

Step 5: Enable Database Vault

Connect as the DV Owner user to enable Database Vault enforcement within the PDB.

sql
CONNECT c##dv_owner_root@pdb1

Then execute the enablement procedure:

sql
EXEC DBMS_MACADM.ENABLE_DV;

This activates DV controls and enforces realm protection and command rules.

Step 6: Restart the PDB

To finalize DV configuration, restart the PDB.

sql
ALTER PLUGGABLE DATABASE pdb1 CLOSE;
ALTER PLUGGABLE DATABASE pdb1 OPEN;

Step 7: Confirm Configuration

After restarting, confirm that DV and OLS are enabled by rechecking their status:

sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;

You should now see the status as ENABLED, confirming that Database Vault is active in PDB1.

Conclusion

With Database Vault configured on a PDB, Oracle enforces separation of duties, limits administrative access, and safeguards application data against unauthorized actions—even from powerful users. This configuration is highly recommended for databases requiring strict compliance and security assurance.

For additional control, you can proceed to define realms, command rules, and authorized accounts as per your organizational policies.

Written by Bidhan Mandal
Oracle Apps DBA | EBS Tech Stack Expert | Security & OCI Specialist
Visit: https://bidhandba.blogspot.com

Comments

Post a Comment

Popular posts from this blog

Configure Oracle Database Vault Realms

-
Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data. One of the most important components in Database Vault is the Realm , which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users. In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment. You’ll learn how to: Create a Realm Add objects to it Restrict access Enable auditing for security tracking What is a Realm? A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized. Realms are ideal for: Securing sensitive ap...
Read more

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more