Configure Oracle Database Vault Realms

-

Configure Oracle Database Vault Realms to Secure the HR Schema

Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data.
One of the most important components in Database Vault is the Realm, which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users.

In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment.
You’ll learn how to:

  • Create a Realm

  • Add objects to it

  • Restrict access

  • Enable auditing for security tracking

What is a Realm?

A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized.

Realms are ideal for:

  • Securing sensitive application data (e.g., HR, Finance)

  • Enforcing separation of duties in compliance-driven environments

  • Preventing data breaches caused by insider threats

Step-by-Step Guide to Configuring a Realm

Step 1: Select Data from the HR Schema (Before Realm Setup)

First, try selecting data from the HR schema to see the current level of access.

sql
SELECT * FROM hr.employees;

At this point, access is typically allowed without restriction.

Step 2: Connect as the DV Owner

To create and manage Realms, you need to log in as a Database Vault Owner — often a common user like c##dv_owner_root.

bash
sqlplus c##dv_owner_root@pdb1

This user has privileges to create Realms and manage Database Vault policies.

Step 3: Create the Realm for the HR Schema

Create a Realm to secure all objects in the HR schema.

sql
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name   => 'HR_REALM',
    description  => 'Realm for HR Schema',
    enabled      => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL +
                     DBMS_MACUTL.G_REALM_AUDIT_SUCCESS
  );
END;
/

Audit Options:
Here, we enable auditing for both failed and successful access attempts. This allows us to track who tried to access the protected data.

Step 4: Add Objects to the Realm

Add all HR schema objects to the Realm. The % wildcard ensures all object names and types are included.

sql
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR_REALM',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%'
  );
END;
/

Now, all HR schema objects are protected under HR_REALM.

Step 5: Test Realm Enforcement

Try accessing the HR schema again:

sql
SELECT * FROM hr.employees;

If your user or role is not authorized to access HR_REALM, you will receive an access violation error, even if you are a DBA.

Summary of Steps

StepActionResult
1Select data from HR schemaAccess allowed
2Connect as c##dv_owner_rootSuccess
3Create a Realm on the HR schemaHR_REALM created
4Add objects to the RealmAll HR schema objects protected
5Select data from HR schema againAccess denied (if unauthorized)

Best Practices for Realms

  1. Enable Auditing – Always enable auditing for Realms to detect unauthorized access attempts.

  2. Granular Protection – Protect only critical objects if full schema protection is unnecessary.

  3. Role-Based Access – Grant Realm access via roles to simplify management.

References

Oracle Database Vault Realms Documentation

Why Use Realms?

  • Enforce fine-grained access control

  • Protect sensitive data from privileged users

  • Achieve compliance with industry regulations

  • Prevent unauthorized insider access

Realms are a cornerstone of a Zero Trust approach to database security. If you’re working in a regulated or security-conscious environment, they are essential.

Author: Bidhan Mandal
Oracle Apps DBA | Oracle Database Vault Specialist | OCI Architect
Visit: https://bidhandba.blogspot.com

Comments

Post a Comment

Popular posts from this blog

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more