Configure Oracle Database Vault on Autonomous Database (ADB)

-

 

Configure Oracle Database Vault on Autonomous Database (ADB)

Oracle Autonomous Database offers a rich security framework out of the box, and Database Vault (DV) adds another layer of protection by enforcing strict access controls—even for highly privileged users. This blog post walks you through configuring Database Vault on an Autonomous Database (ADB), complete with schema setup, realm creation, and data verification.

 Prerequisites

  • Oracle Autonomous Database (ATP or ADW) instance.

  • Admin access to the ADB.

  • SQL Developer or OCI CLI for executing SQL commands.

 Step 1: Create Schema & Load Sample Data

First, create a user HR and a sample EMPLOYEE table to protect using Database Vault.

sql
CREATE USER hr IDENTIFIED BY ORacle1234##;
GRANT CONNECT, RESOURCE TO hr;
ALTER USER hr QUOTA UNLIMITED ON DATA;

CREATE TABLE hr.employee (
  id NUMBER,
  salary NUMBER
);

INSERT INTO hr.employee VALUES (101, 20000);
INSERT INTO hr.employee VALUES (102, 30000);
COMMIT;

Step 2: Check Database Vault & Label Security Status

Verify if Database Vault and Oracle Label Security (OLS) are configured.

sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;

 Step 3: Create Local Users for Database Vault Roles

Create two new users to act as DV Owner and DV Account Manager.

sql
GRANT CREATE SESSION TO adb_dv_root IDENTIFIED BY ORacle1234##;
GRANT CREATE SESSION TO adb_dv_acctmgr IDENTIFIED BY ORacle1234##;

Re-verify the security components:

sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;

 Step 4: Configure & Enable Database Vault

Run the following procedure to configure Database Vault with the designated users:

sql
EXEC DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT(
  'adb_dv_root', 
  'adb_dv_acctmgr'
);

Then enable Database Vault:

sql
EXEC DBMS_CLOUD_MACADM.ENABLE_DATABASE_VAULT;

Check the status again:

sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;

Step 5: Restart the ADB Instance

Restart your ADB instance from the OCI Console or use dbaascli if enabled. Once restarted, confirm the services are up:

sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;

 Step 6: Create a Realm on HR Schema

Connect as DV Owner (adb_dv_root) from SQL Developer and define a realm on the HR schema:

sql
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR_REALM',
    description   => 'Realm for HR Schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + 
                     DBMS_MACUTL.G_REALM_AUDIT_SUCCESS
  );
END;
/

BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR_REALM',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%'
  );
END;
/

Step 7: Verify the Realm Enforcement

Now, try accessing the hr.employee table as a regular ADMIN user:

sql
SELECT * FROM hr.employee;

You should receive a permission error unless the admin user is explicitly granted access to the realm, confirming Database Vault is working as expected.

Conclusion

With Database Vault, you can enforce powerful separation-of-duty controls and protect sensitive application data even from highly privileged users. It’s an essential feature for any organization looking to strengthen security and compliance on Oracle Autonomous Database.

Author: Bidhan Mandal
Oracle Apps DBA | OCI Architect | EBS Expert
Follow for more: https://bidhandba.blogspot.com

Comments

Post a Comment

Popular posts from this blog

Configure Oracle Database Vault Realms

-
Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data. One of the most important components in Database Vault is the Realm , which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users. In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment. You’ll learn how to: Create a Realm Add objects to it Restrict access Enable auditing for security tracking What is a Realm? A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized. Realms are ideal for: Securing sensitive ap...
Read more

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more