Thursday, 7 August 2025

Configure Oracle Database Vault on Oracle CDB$ROOT

Oracle Database Vault (DV) strengthens the security posture of the Oracle database by enforcing separation of duties and restricting access, even for highly privileged users. While DV is often configured at the PDB level, enterprise environments typically require securing the CDB$ROOT itself to protect the entire multitenant architecture.

This blog walks through the complete process of enabling and verifying Oracle Database Vault on CDB$ROOT in an Oracle 19c environment.


Step 1: Verify DV and OLS Status

Before starting, check if Database Vault and Oracle Label Security (OLS) are installed and verify their status.

```sql
COL DESCRIPTION FORMAT A40
SET LINES 900
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
```

If the components are not installed, install them using DBCA or the Oracle-provided scripts.


Step 2: Create DV Owner and Account Manager Users

You must create common users (the c## prefix) to manage Database Vault. They are created with CONTAINER = ALL so that the accounts are container-wide.

```sql
GRANT CREATE SESSION, SET CONTAINER TO c##dv_owner_root
  IDENTIFIED BY ORacle1234## CONTAINER = ALL;
GRANT CREATE SESSION, SET CONTAINER TO c##dv_acctmgr_root
  IDENTIFIED BY ORacle1234## CONTAINER = ALL;
```

These will be designated later as the DV Owner and DV Account Manager.


Step 3: Configure Database Vault

Connect as a CDB-level SYSDBA and configure DV.

```sql
BEGIN
  CONFIGURE_DV (
    dvowner_uname       => 'c##dv_owner_root',
    dvacctmgr_uname     => 'c##dv_acctmgr_root',
    force_local_dvowner => FALSE
  );
END;
/
```

Alternatively:

```sql
EXEC CONFIGURE_DV('c##dv_owner_root','c##dv_acctmgr_root');
```

Step 4: Recompile Invalid Objects

After configuration, recompile invalid objects to ensure all DV packages are valid.

```sql
@?/rdbms/admin/utlrp.sql
```

Step 5: Enable Database Vault

Connect as the DV Owner and enable DV enforcement.

```sql
CONNECT c##dv_owner_root@CDB$ROOT
EXEC DBMS_MACADM.ENABLE_DV;
```

This activates DV, enforcing realms and command rules at the CDB level.


Step 6: Restart the Container Database

Restart the database to finalize configuration.

```sql
CONNECT / AS SYSDBA
SHUTDOWN IMMEDIATE
STARTUP
```

Step 7: Verify Status After Restart

After restart, confirm DV and OLS are enabled.

```sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
```

Both should now show ENABLED.
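The following post-restart check is an added example and not part of the original post. It turns Step 7 into a script that fails loudly instead of relying on a visual read of the two views: it reads the DV_CONFIGURE_STATUS / DV_ENABLE_STATUS rows of SYS.DBA_DV_STATUS and the OLS_CONFIGURE_STATUS / OLS_ENABLE_STATUS rows of DBA_OLS_STATUS (both views report TRUE or FALSE in their STATUS column), and then confirms that the two accounts created in Step 2 actually hold DV_OWNER and DV_ACCTMGR. The account names are the ones used in this post; change them if yours differ. Run it as SYSDBA in CDB$ROOT.

```sql
-- Added verification script (not from the original post). Run as SYSDBA in CDB$ROOT.
-- Assumes the DV account names from Step 2: c##dv_owner_root / c##dv_acctmgr_root.
SET SERVEROUTPUT ON
DECLARE
  v_failures PLS_INTEGER := 0;

  -- Prints one check and counts it as a failure when it is not the expected value
  PROCEDURE expect(p_label VARCHAR2, p_actual VARCHAR2, p_expected VARCHAR2) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE(RPAD(p_label, 45) || NVL(p_actual, '<missing>'));
    IF p_actual IS NULL OR p_actual <> p_expected THEN
      v_failures := v_failures + 1;
    END IF;
  END;

  -- STATUS for one NAME row of DBA_DV_STATUS, NULL if the row is absent
  FUNCTION dv_status(p_name VARCHAR2) RETURN VARCHAR2 IS
    v VARCHAR2(64);
  BEGIN
    SELECT status INTO v FROM sys.dba_dv_status WHERE name = p_name;
    RETURN v;
  EXCEPTION WHEN NO_DATA_FOUND THEN RETURN NULL;
  END;

  -- STATUS for one NAME row of DBA_OLS_STATUS, NULL if the row is absent
  FUNCTION ols_status(p_name VARCHAR2) RETURN VARCHAR2 IS
    v VARCHAR2(64);
  BEGIN
    SELECT status INTO v FROM dba_ols_status WHERE name = p_name;
    RETURN v;
  EXCEPTION WHEN NO_DATA_FOUND THEN RETURN NULL;
  END;

  -- 'Y' when the user holds the role directly in this container, otherwise 'N'
  FUNCTION holds_role(p_user VARCHAR2, p_role VARCHAR2) RETURN VARCHAR2 IS
    v_cnt PLS_INTEGER;
  BEGIN
    SELECT COUNT(*) INTO v_cnt FROM dba_role_privs
     WHERE grantee = UPPER(p_user) AND granted_role = p_role;
    RETURN CASE WHEN v_cnt > 0 THEN 'Y' ELSE 'N' END;
  END;
BEGIN
  expect('DV_CONFIGURE_STATUS',  dv_status('DV_CONFIGURE_STATUS'),   'TRUE');
  expect('DV_ENABLE_STATUS',     dv_status('DV_ENABLE_STATUS'),      'TRUE');
  expect('OLS_CONFIGURE_STATUS', ols_status('OLS_CONFIGURE_STATUS'), 'TRUE');
  expect('OLS_ENABLE_STATUS',    ols_status('OLS_ENABLE_STATUS'),    'TRUE');
  expect('c##dv_owner_root holds DV_OWNER',
         holds_role('c##dv_owner_root', 'DV_OWNER'), 'Y');
  expect('c##dv_acctmgr_root holds DV_ACCTMGR',
         holds_role('c##dv_acctmgr_root', 'DV_ACCTMGR'), 'Y');

  IF v_failures > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      v_failures || ' Database Vault check(s) failed in CDB$ROOT; see output above');
  END IF;
  DBMS_OUTPUT.PUT_LINE('All Database Vault checks passed.');
END;
/
```

Because the block raises ORA-20001 on any failed check, it can be dropped into a post-build pipeline with WHENEVER SQLERROR EXIT FAILURE so that a half-configured vault stops the run rather than being noticed later.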


Conclusion

Configuring Database Vault at the CDB$ROOT level allows DBAs to:

  • Enforce separation of duties

  • Protect sensitive metadata

  • Restrict unauthorized access across all PDBs

This setup is essential in regulated environments where security and compliance are top priorities.

Continue strengthening your security posture by defining realms, command rules, and authorized accounts to match your organization’s requirements.


Author: Bidhan Mandal
Oracle Apps DBA | Oracle Database Vault Specialist | OCI Architect
Visit: https://bidhandba.blogspot.com

Configure Oracle Database Vault for a Pluggable Database (PDB1)

Oracle Database Vault (DV) adds a critical layer of security to Oracle Databases by enabling strong access control and separation of duties. When working in a multitenant environment, it's essential to configure DV specifically for each Pluggable Database (PDB) where protection is required.

This guide outlines the complete steps to enable and verify Database Vault in PDB1, including the assignment of privileged users and schema verification.


Step 1: Connect to the Target PDB

Start by switching your session to the target pluggable database where DV needs to be enabled.

```sql
ALTER SESSION SET CONTAINER=pdb1;
```

Step 2: Verify DV and OLS Installation

Ensure that Database Vault (DV) and Oracle Label Security (OLS) are installed and available in the PDB.

```sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
```

These views should return status information such as ENABLED, DISABLED, or NOT CONFIGURED.


Step 3: Load Sample Schema (HR)

If the HR schema is not yet available in the PDB, it can be created using the official Oracle script:

```sql
@?/demo/schema/human_resources/hr_main.sql
```

Once the schema is created, validate access to sample data:

```sql
SELECT EMPLOYEE_ID, FIRST_NAME, LAST_NAME, SALARY FROM hr.employees;
```

Step 4: Configure Database Vault

Use the built-in CONFIGURE_DV procedure to initialize Database Vault by assigning the DV Owner and DV Account Manager roles.

```sql
BEGIN
  CONFIGURE_DV (
    dvowner_uname   => 'c##dv_owner_root',
    dvacctmgr_uname => 'c##dv_acctmgr_root'
  );
END;
/
```

This step sets up the security foundation by defining which users will manage DV operations.


Step 5: Enable Database Vault

Connect as the DV Owner user to enable Database Vault enforcement within the PDB.

```sql
CONNECT c##dv_owner_root@pdb1
```

Then execute the enablement procedure:

```sql
EXEC DBMS_MACADM.ENABLE_DV;
```

This activates DV controls and enforces realm protection and command rules.


Step 6: Restart the PDB

To finalize DV configuration, restart the PDB.

```sql
ALTER PLUGGABLE DATABASE pdb1 CLOSE;
ALTER PLUGGABLE DATABASE pdb1 OPEN;
```

Step 7: Confirm Configuration

After restarting, confirm that DV and OLS are enabled by rechecking their status:

```sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
```

You should now see the status as ENABLED, confirming that Database Vault is active in PDB1.


Conclusion

With Database Vault configured on a PDB, Oracle enforces separation of duties, limits administrative access, and safeguards application data against unauthorized actions—even from powerful users. This configuration is highly recommended for databases requiring strict compliance and security assurance.

For additional control, you can proceed to define realms, command rules, and authorized accounts as per your organizational policies.
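As a concrete instance of the realm definition mentioned above, here is an added example (not from the original post) that wraps the HR schema loaded in Step 3 in a regular realm inside PDB1. The realm name 'HR Data Realm' is an assumption; the DBMS_MACADM and DBMS_MACUTL calls are the standard Database Vault administration API. Run it as the DV Owner (c##dv_owner_root) while connected to PDB1.

```sql
-- Added example (not from the original post): protect the HR schema with a realm.
-- Run as the DV Owner (c##dv_owner_root) in PDB1. 'HR Data Realm' is an assumed name.
ALTER SESSION SET CONTAINER = pdb1;

BEGIN
  -- A regular realm (realm_type 0) blocks system privileges such as SELECT ANY TABLE
  -- on the protected objects; direct object grants and the owner's own access still work.
  -- A mandatory realm (realm_type 1) would also require the owner to be authorized.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Keeps privileged users without a realm authorization out of HR data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,   -- audit every blocked attempt
    realm_type    => 0);

  -- Every object of every type owned by HR belongs to the realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- HR is the realm owner: it may manage the objects and grant access to them
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Data Realm',
    grantee      => 'HR',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify the realm, its protected objects and its authorizations
COL name        FORMAT A15
COL owner       FORMAT A6
COL object_name FORMAT A12
COL object_type FORMAT A12
SELECT r.name, r.enabled, o.owner, o.object_name, o.object_type
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'HR Data Realm';

COL grantee FORMAT A10
SELECT realm_name, grantee, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'HR Data Realm';
```

With the realm in place, a query such as the Step 3 SELECT on hr.employees still succeeds for HR and for any user holding a direct object grant, while an account that relies only on SELECT ANY TABLE (SYSTEM, for example) receives ORA-01031 and the attempt is written to the Database Vault audit trail.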


Written by Bidhan Mandal
Oracle Apps DBA | EBS Tech Stack Expert | Security & OCI Specialist
Visit: https://bidhandba.blogspot.com

Creating a User in a Database Vault-Protected Oracle PDB

Oracle Database Vault (DV) significantly tightens security by restricting privileged users—even DBA roles—from performing certain operations unless explicitly authorized. One such restriction is creating users in a DV-enabled Pluggable Database (PDB). This article demonstrates how to properly create a new user (SCOTT) in such an environment using the DV Account Manager user.


Background

In a standard Oracle environment, a user with DBA or SYSDBA privileges can easily create users. However, once Database Vault is configured and enabled, these privileges are no longer sufficient unless the user is explicitly granted DV-specific roles, like:

  • DV_OWNER

  • DV_ACCTMGR

Let’s walk through a real-world scenario where an attempt to create a user fails due to DV restrictions, and how to fix it using the correct privileged user.


Initial Attempt — Access Denied

First, we switch to the target PDB (pdb1) and try to create the SCOTT user:

```sql
ALTER SESSION SET CONTAINER=pdb1;
CREATE USER scott IDENTIFIED BY tiger;
```

Result:

```text
ORA-01031: insufficient privileges
```

Despite having typical DBA-level access, the operation is blocked—this is Database Vault in action.


Use the Right Role: DV_ACCTMGR

To proceed, connect as the user that was assigned the DV Account Manager role (DV_ACCTMGR) during Database Vault setup. In this environment that account is c##dv_acctmgr_root.

```bash
sqlplus c##dv_acctmgr_root@pdb1
```

Now, retry the CREATE USER command with a strong password:

```sql
CREATE USER scott IDENTIFIED BY ORacle1234##;
```

Result:

```text
User created.
```

Success! The scott user is now created within the DV-protected PDB.


Why This Matters

Oracle DV enforces separation of duties. Even if you're a DBA, you're not permitted to perform user management or access sensitive data unless your account is assigned specific DV roles. This architecture prevents accidental or malicious privilege misuse and satisfies compliance requirements like GDPR, SOX, and HIPAA.


Bonus: Granting Privileges to the New User

After creation, you can grant necessary roles or privileges to the new user:

```sql
GRANT CONNECT, RESOURCE TO scott;
ALTER USER scott QUOTA UNLIMITED ON USERS;
```

Make sure these actions are also performed by the DV Account Manager or as per the defined security policy.


Summary

Creating users in a DV-enabled Oracle environment requires proper role management. Traditional SYS or DBA accounts can't perform this task unless they're granted DV-specific roles. In this post, we demonstrated:

  • The error encountered when a non-DV-authorized user attempts to create a user.

  • The correct process using the c##dv_acctmgr_root user.

  • Why this restriction is a key part of Oracle's defense-in-depth strategy.
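To see who can actually perform user management in a DV-protected PDB, and whether the separation of duties this post relies on is intact, here is an added review query that is not part of the original post. It lists every holder of a Database Vault administrative role from DBA_ROLE_PRIVS and then flags any account that holds both DV_OWNER and DV_ACCTMGR, since one account holding both roles collapses the owner / account-manager split. Run it as SYSDBA or as the DV Owner inside pdb1.

```sql
-- Added review query (not from the original post). Run in pdb1 as SYSDBA or the DV Owner.
ALTER SESSION SET CONTAINER = pdb1;
COL grantee        FORMAT A25
COL granted_role   FORMAT A15
COL account_status FORMAT A16

-- 1. Inventory: every holder of a Database Vault administrative role in this container.
--    LEFT JOIN because a grantee can be a role rather than a user.
SELECT rp.grantee, rp.granted_role, rp.admin_option, rp.common, u.account_status
  FROM dba_role_privs rp
  LEFT JOIN dba_users u ON u.username = rp.grantee
 WHERE rp.granted_role IN ('DV_OWNER', 'DV_ADMIN', 'DV_ACCTMGR', 'DV_SECANALYST')
 ORDER BY rp.granted_role, rp.grantee;

-- 2. Separation-of-duties finding: any grantee holding both DV_OWNER and DV_ACCTMGR.
--    An empty result is the expected, healthy state.
SELECT grantee,
       LISTAGG(granted_role, ', ') WITHIN GROUP (ORDER BY granted_role) AS dv_roles
  FROM dba_role_privs
 WHERE granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
 GROUP BY grantee
HAVING COUNT(DISTINCT granted_role) > 1;
```

In the setup described in this series the first query should show c##dv_owner_root under DV_OWNER and c##dv_acctmgr_root under DV_ACCTMGR, and the second query should return no rows; a row there, or an unexpected name in the first list, is what to investigate before trusting the ORA-01031 behaviour shown above.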


Author: Bidhan Mandal
Oracle EBS | Autonomous Database | Security Expert
More blogs at: https://bidhandba.blogspot.com