Configure Realms in Oracle Database Vault on Autonomous Database

-

 

Configure Realms in Oracle Database Vault on Autonomous Database

Oracle Database Vault enhances database security by enforcing separation of duties and protecting application data from unauthorized access — even by privileged users like DBAs. In this guide, we'll walk through the process of creating a Realm on an Autonomous Database, specifically targeting the HR schema.

What is a Realm?

A Realm is a security boundary in Oracle Database Vault that protects a set of database objects (like tables or schemas) from access—even by users with administrative privileges—unless they are specifically authorized.

Steps to Configure a Realm in Autonomous Database

 1. Connect as DV Owner User

Log in to your Autonomous Database using SQL Developer Web or any SQL client.

Ensure that you're connected as the Database Vault Owner (typically a user with DVOWNER role), and set the container to ROOT, if required.

sql
ALTER SESSION SET CONTAINER = CDB$ROOT;

If working with a PDB-enabled environment (not typical for Autonomous), switch accordingly.

 2. Enable REST Access (Optional for SQL Developer Web)

Ensure REST access is enabled to connect to the necessary services. This step might already be configured in ADB.

 3. Create a Realm on the HR Schema

Use the following PL/SQL block to create a realm:

sql
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR_REALM',
    description   => 'Realm for HR Schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + 
                     DBMS_MACUTL.G_REALM_AUDIT_SUCCESS
  );
END;
/

 This realm will start auditing both successful and failed access attempts.

 4. Add Objects to the Realm

Now add all objects under the HR schema to the realm. Use % to include all objects:

sql
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR_REALM',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%'
  );
END;
/

This ensures all objects under the HR schema are protected by the realm.

 5. Test Realm Protection

Switch to a regular privileged user (e.g., ADMIN) and try to access HR schema objects:

sql
SELECT * FROM hr.employees;

If access is not explicitly granted through Realm Authorizations, you should receive a security violation error, even if the user has SELECT ANY TABLE or DBA privileges.

Summary

In this guide, you've learned how to:

  • Connect to Autonomous DB as DV owner

  • Create a Database Vault Realm for the HR schema

  • Add all schema objects to the realm

  • Protect access to sensitive HR data even from privileged accounts

Why Use Realms in Autonomous DB?

Using Realms in Autonomous Databases adds a strong layer of protection, particularly for sensitive business data, and is a best practice for zero-trust architecture in cloud deployments.

Want to automate this with a script or protect specific tables only? Comment below or explore more on bidhandba.blogspot.com!

Comments

Post a Comment

Popular posts from this blog

Configure Oracle Database Vault Realms

-
Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data. One of the most important components in Database Vault is the Realm , which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users. In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment. You’ll learn how to: Create a Realm Add objects to it Restrict access Enable auditing for security tracking What is a Realm? A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized. Realms are ideal for: Securing sensitive ap...
Read more

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more