Configure Oracle Database Vault: Creating a New User in a Secured Environment

-

 

Configure Oracle Database Vault: Creating a New User in a Secured Environment

Oracle Database Vault is a powerful security component that enforces separation of duties and limits access to sensitive data, even from DBAs. When Database Vault is enabled, traditional user creation and privilege management are restricted and must be done by authorized DV accounts.

This blog walks through the steps to create a new user (SCOTT) in a PDB (pdb1) within a Database Vault-enabled environment.

 Scenario

You are working in a multitenant environment with Database Vault enabled. You attempt to create a user in pdb1, but face privilege errors. Let's walk through the proper method to do this securely and successfully.

 Step 1: Switch to Target PDB

First, ensure your session is connected to the appropriate Pluggable Database:

sql
ALTER SESSION SET CONTAINER = pdb1;

 Step 2: Attempt to Create a User (Fails with ORA-01031)

Now, try to create a new user:

sql
CREATE USER scott IDENTIFIED BY tiger;

Result:

makefile
ORA-01031: insufficient privileges

This error occurs because Database Vault restricts user management operations, even for privileged users, unless you're using a specially authorized account.

 Step 3: Use the Account Manager User

The correct account to perform user management tasks is typically the DV Account Manager—a user granted the DV_ACCTMGR role.

Connect as:

bash
sqlplus c##dv_acctmgr_root@pdb1

c##dv_acctmgr_root is a common DV account with the ability to manage users and roles in a secured environment.

 Step 4: Successfully Create the User

Now, retry the user creation with appropriate credentials:

sql
CREATE USER scott IDENTIFIED BY ORacle1234##;

Result:

sql
User created.

 Passwords in DV environments often require stronger complexity settings—include upper/lowercase letters, digits, and special characters.

 Summary

StepActionResult
1Set container to pdb1Success
2Try to create user as normal DBAORA-01031
3Connect as DV Account Manager (DV_ACCTMGR)Success
4Create the user User created

Best Practices

  • Assign the DV_ACCTMGR role only to trusted users.

  • Always use strong passwords when creating users in DV-enabled environments.

  • Audit and monitor account management activities regularly using unified audit trails.

Oracle Database Vault significantly enhances database security posture. When working in such an environment, regular DBA operations require role separation and proper privilege routing—just like we've seen here with user creation.

Want to automate DV-based user creation or manage secure roles? Follow more Oracle security tips at bidhandba.blogspot.com!


Comments

Post a Comment

Popular posts from this blog

Configure Oracle Database Vault Realms

-
Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data. One of the most important components in Database Vault is the Realm , which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users. In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment. You’ll learn how to: Create a Realm Add objects to it Restrict access Enable auditing for security tracking What is a Realm? A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized. Realms are ideal for: Securing sensitive ap...
Read more

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more