Creating a User in a Database Vault-Protected Oracle PDB

-

 

Creating a User in a Database Vault-Protected Oracle PDB

Oracle Database Vault (DV) significantly tightens security by restricting privileged users—even DBA roles—from performing certain operations unless explicitly authorized. One such restriction is creating users in a DV-enabled Pluggable Database (PDB). This article demonstrates how to properly create a new user (SCOTT) in such an environment using the DV Account Manager user.

 Background

In a standard Oracle environment, a user with DBA or SYSDBA privileges can easily create users. However, once Database Vault is configured and enabled, these privileges are no longer sufficient unless the user is explicitly granted DV-specific roles, like:

  • DV_OWNER

  • DV_ACCTMGR

Let’s walk through a real-world scenario where an attempt to create a user fails due to DV restrictions, and how to fix it using the correct privileged user.

Initial Attempt — Access Denied

First, we switch to the target PDB (pdb1) and try to create the SCOTT user:

sql
ALTER SESSION SET CONTAINER=pdb1;

sql
CREATE USER scott IDENTIFIED BY tiger;

Result:

text
ORA-01031: insufficient privileges

Despite having typical DBA-level access, the operation is blocked—this is Database Vault in action.

 Use the Right Role: DV_ACCTMGR

To proceed, we must connect using the user who was assigned the DV Account Manager role during Database Vault setup. This account is typically named like c##dv_acctmgr_root.

bash
sqlplus c##dv_acctmgr_root@pdb1

Now, retry the CREATE USER command with a strong password:

sql
CREATE USER scott IDENTIFIED BY ORacle1234##;

Result:

text
User created.

Success! The scott user is now created within the DV-protected PDB.

 Why This Matters

Oracle DV enforces separation of duties. Even if you're a DBA, you're not permitted to perform user management or access sensitive data unless your account is assigned specific DV roles. This architecture prevents accidental or malicious privilege misuse and satisfies compliance requirements like GDPR, SOX, and HIPAA.

 Bonus: Granting Privileges to the New User

After creation, you can grant necessary roles or privileges to the new user:

sql
GRANT CONNECT, RESOURCE TO scott;
ALTER USER scott QUOTA UNLIMITED ON USERS;

Make sure these actions are also performed by the DV Account Manager or as per the defined security policy.

Summary

Creating users in a DV-enabled Oracle environment requires proper role management. Traditional SYS or DBA accounts can't perform this task unless they're granted DV-specific roles. In this post, we demonstrated:

  • The error encountered when a non-DV-authorized user attempts to create a user.

  • The correct process using the c##dv_acctmgr_root user.

  • Why this restriction is a key part of Oracle's defense-in-depth strategy.

Author: Bidhan Mandal
Oracle EBS | Autonomous Database | Security Expert
More blogs at: https://bidhandba.blogspot.com

Comments

Post a Comment

Popular posts from this blog

Configure Oracle Database Vault Realms

-
Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data. One of the most important components in Database Vault is the Realm , which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users. In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment. You’ll learn how to: Create a Realm Add objects to it Restrict access Enable auditing for security tracking What is a Realm? A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized. Realms are ideal for: Securing sensitive ap...
Read more

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more