Thursday, 7 August 2025

Configure Oracle Database Vault on Autonomous Database (ADB)


Oracle Autonomous Database offers a rich security framework out of the box, and Database Vault (DV) adds another layer of protection by enforcing strict access controls—even for highly privileged users. This blog post walks you through configuring Database Vault on an Autonomous Database (ADB), complete with schema setup, realm creation, and data verification.


Prerequisites

  • Oracle Autonomous Database (ATP or ADW) instance.

  • Admin access to the ADB.

  • SQL Developer or OCI CLI for executing SQL commands.


Step 1: Create Schema & Load Sample Data

First, create a user HR and a sample EMPLOYEE table to protect using Database Vault.

```sql
CREATE USER hr IDENTIFIED BY ORacle1234##;
GRANT CONNECT, RESOURCE TO hr;
ALTER USER hr QUOTA UNLIMITED ON DATA;

CREATE TABLE hr.employee (
  id     NUMBER,
  salary NUMBER
);

INSERT INTO hr.employee VALUES (101, 20000);
INSERT INTO hr.employee VALUES (102, 30000);
COMMIT;
```

Step 2: Check Database Vault & Label Security Status

Verify whether Database Vault and Oracle Label Security (OLS) are configured.

```sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
```

Step 3: Create Local Users for Database Vault Roles

Create two new users to act as DV Owner and DV Account Manager.

```sql
GRANT CREATE SESSION TO adb_dv_root IDENTIFIED BY ORacle1234##;
GRANT CREATE SESSION TO adb_dv_acctmgr IDENTIFIED BY ORacle1234##;
```

Re-verify the security components:

```sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
```

Step 4: Configure & Enable Database Vault

Run the following procedure to configure Database Vault with the designated users:

```sql
EXEC DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT('adb_dv_root', 'adb_dv_acctmgr');
```

Then enable Database Vault:

```sql
EXEC DBMS_CLOUD_MACADM.ENABLE_DATABASE_VAULT;
```

Check the status again:

```sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
```

Step 5: Restart the ADB Instance

Restart your ADB instance from the OCI Console or use dbaascli if enabled. Once restarted, confirm the services are up:

```sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;
```

Step 6: Create a Realm on HR Schema

Connect as DV Owner (adb_dv_root) from SQL Developer and define a realm on the HR schema:

```sql
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR_REALM',
    description   => 'Realm for HR Schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + DBMS_MACUTL.G_REALM_AUDIT_SUCCESS
  );
END;
/

BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR_REALM',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%'
  );
END;
/
```

Step 7: Verify the Realm Enforcement

Now, try accessing the hr.employee table as a regular ADMIN user:

```sql
SELECT * FROM hr.employee;
```

You should receive a permission error unless the admin user is explicitly granted access to the realm, confirming Database Vault is working as expected.
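As an added verification script that is not part of the original post, the following SQL, run as the DV owner (adb_dv_root), confirms the realm definition, authorizes one named application account as a realm participant instead of opening the realm to ADMIN, and pulls the realm-violation audit records produced by the failed query in Step 7. APP_READER is a hypothetical application user assumed to already exist, and reading UNIFIED_AUDIT_TRAIL assumes the session also holds AUDIT_VIEWER.

```sql
-- Added example (not from the original post). Run as the DV owner (adb_dv_root).
-- APP_READER is a hypothetical application account used to illustrate
-- least-privilege realm access; it must exist before the authorization step.

-- 1. Confirm the realm exists, is enabled and audits both failures and successes.
SELECT name, enabled, audit_options
FROM   dba_dv_realm
WHERE  name = 'HR_REALM';

-- 2. List what the realm protects (expect owner HR, object '%', type '%').
SELECT realm_name, owner, object_name, object_type
FROM   dba_dv_realm_object
WHERE  realm_name = 'HR_REALM';

-- 3. Grant one application account participant access. Participants can use
--    the protected objects but cannot extend realm access to others; owners can.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR_REALM',
    grantee       => 'APP_READER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT
  );
END;
/

-- 4. Review who is authorized on the realm; this list should stay short.
SELECT realm_name, grantee, auth_options
FROM   dba_dv_realm_auth
WHERE  realm_name = 'HR_REALM';

-- 5. Pull the Database Vault audit records from the last day, including the
--    realm violation raised by the ADMIN query in Step 7 (requires AUDIT_VIEWER;
--    on ADB, DV audit records land in the unified audit trail).
SELECT event_timestamp, dbusername, dv_action_name,
       dv_action_object_name, dv_return_code, sql_text
FROM   unified_audit_trail
WHERE  dv_action_name IS NOT NULL
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp;
```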


Conclusion

With Database Vault, you can enforce powerful separation-of-duty controls and protect sensitive application data even from highly privileged users. It’s an essential feature for any organization looking to strengthen security and compliance on Oracle Autonomous Database.


Author: Bidhan Mandal
Oracle Apps DBA | OCI Architect | EBS Expert
Follow for more: https://bidhandba.blogspot.com

Tuesday, 5 August 2025

Configure Oracle Database Vault for Data Pump Exports


When Oracle Database Vault is enabled, traditional operations like Data Pump exports (expdp) are tightly controlled—even for users like SYSTEM. This enhances security, but it also means you must explicitly authorize users to perform exports.

In this blog, you'll learn how to configure and authorize exports for users like SYSTEM in a Database Vault–enabled PDB (Pluggable Database).


Why Is Special Authorization Required?

Oracle Database Vault introduces strict access controls that prevent even high-privilege users (like DBA, SYSTEM) from performing certain operations—such as exporting schemas—unless explicitly allowed.


Objective

We’ll export the HR schema from a DV-protected Pluggable Database (pdb1) using expdp.


Step-by-Step Guide

1. Attempt Export (Fails or Denied)

Try running a Data Pump export using the SYSTEM user:

```bash
expdp system@pdb1 schemas=HR
```

In DV-enabled environments, this may fail silently or result in permission-denied errors, because SYSTEM isn't yet authorized to run exports.


2. Connect as the DV Owner

To authorize exports, you must connect as the Database Vault Owner—typically a common user like c##dv_owner_root.

```bash
sqlplus c##dv_owner_root@pdb1
```

This user has the DV_OWNER role and can manage Database Vault security configurations.


3. Authorize the User for Data Pump Exports

Now, run the following PL/SQL command to authorize the SYSTEM user to perform Data Pump operations:

```sql
EXEC DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('SYSTEM');
```

Result:

```text
PL/SQL procedure successfully completed.
```

This grants SYSTEM the ability to use Data Pump Export (expdp) and Import (impdp) in the current PDB.

4. Retry the Export

Once authorized, re-run the export:

```bash
expdp system@pdb1 schemas=HR
```

You should now see normal export progress and completion.


Security Tip

After the export, if no further exports are needed, consider revoking authorization:

```sql
EXEC DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('SYSTEM');
```

This enforces the principle of least privilege in your secure DV-enabled environment.
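The same authorization narrowed to the HR schema, as an added example that is not part of the original post: DBMS_MACADM.AUTHORIZE_DATAPUMP_USER and UNAUTHORIZE_DATAPUMP_USER accept optional schema and table arguments that default to '%', and DBA_DV_DATAPUMP_AUTH shows what is currently granted. Run it as the DV owner (c##dv_owner_root) connected to pdb1.

```sql
-- Added example (not from the original post). Run as the DV owner
-- (c##dv_owner_root connected to pdb1). Grants SYSTEM Data Pump access to
-- the HR schema only, rather than to every schema in the PDB.

-- 1. Baseline: who can already run Data Pump under Database Vault?
--    Columns are GRANTEE, SCHEMA and OBJECT.
SELECT *
FROM   dba_dv_datapump_auth
ORDER  BY 1, 2;

-- 2. Authorize SYSTEM for the HR schema only. Leaving schema and tname at
--    their '%' defaults (as the one-argument call does) allows every schema.
BEGIN
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    uname  => 'SYSTEM',
    schema => 'HR',
    tname  => '%'
  );
END;
/

-- 3. Confirm the scope before the operator runs the export.
SELECT *
FROM   dba_dv_datapump_auth
WHERE  grantee = 'SYSTEM';

-- 4. Run the export from the OS shell as in the post:
--      expdp system@pdb1 schemas=HR
--    Exporting any other schema as SYSTEM should still be refused.

-- 5. Remove the authorization once the export has completed; the arguments
--    must match the ones used when it was granted.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
    uname  => 'SYSTEM',
    schema => 'HR',
    tname  => '%'
  );
END;
/

-- 6. Verify nothing is left behind (expect 0).
SELECT COUNT(*) AS remaining_auths
FROM   dba_dv_datapump_auth
WHERE  grantee = 'SYSTEM';
```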


Conclusion

When Database Vault is enabled, even basic export operations require explicit authorization. By following these steps, you ensure that exports are both secure and successful, and that sensitive operations are only allowed for trusted users.


For more Oracle security and DV configuration tips, visit bidhandba.blogspot.com!

Configure Oracle Database Vault: Creating a New User in a Secured Environment


Oracle Database Vault is a powerful security component that enforces separation of duties and limits access to sensitive data, even from DBAs. When Database Vault is enabled, traditional user creation and privilege management are restricted and must be done by authorized DV accounts.

This blog walks through the steps to create a new user (SCOTT) in a PDB (pdb1) within a Database Vault-enabled environment.


Scenario

You are working in a multitenant environment with Database Vault enabled. You attempt to create a user in pdb1, but face privilege errors. Let's walk through the proper method to do this securely and successfully.


Step 1: Switch to Target PDB

First, ensure your session is connected to the appropriate Pluggable Database:

```sql
ALTER SESSION SET CONTAINER = pdb1;
```

Step 2: Attempt to Create a User (Fails with ORA-01031)

Now, try to create a new user:

```sql
CREATE USER scott IDENTIFIED BY tiger;
```

Result:

```text
ORA-01031: insufficient privileges
```

This error occurs because Database Vault restricts user management operations, even for privileged users, unless you're using a specially authorized account.


Step 3: Use the Account Manager User

The correct account to perform user management tasks is typically the DV Account Manager—a user granted the DV_ACCTMGR role.

Connect as:

```bash
sqlplus c##dv_acctmgr_root@pdb1
```

c##dv_acctmgr_root is a common DV account with the ability to manage users and roles in a secured environment.


Step 4: Successfully Create the User

Now, retry the user creation with appropriate credentials:

```sql
CREATE USER scott IDENTIFIED BY ORacle1234##;
```

Result:

```text
User created.
```

Passwords in DV environments often require stronger complexity settings—include upper/lowercase letters, digits, and special characters.


Summary

| Step | Action | Result |
|------|--------|--------|
| 1 | Set container to pdb1 | Success |
| 2 | Try to create user as normal DBA | ORA-01031 |
| 3 | Connect as DV Account Manager (DV_ACCTMGR) | Success |
| 4 | Create the user | User created |

Best Practices

  • Assign the DV_ACCTMGR role only to trusted users.

  • Always use strong passwords when creating users in DV-enabled environments.

  • Audit and monitor account management activities regularly using unified audit trails.
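
One way to act on the audit recommendation above, as an added example that is not part of the original post: enable Oracle's predefined ORA_ACCOUNT_MGMT unified audit policy, then review account-management events and the holders of the two DV roles. It assumes a session holding AUDIT_ADMIN (to enable the policy) and AUDIT_VIEWER (to read the trail), and the 12.2+ column names of AUDIT_UNIFIED_ENABLED_POLICIES.

```sql
-- Added example (not from the original post). Run as an audit administrator
-- (AUDIT_ADMIN + AUDIT_VIEWER), which on a DV-enabled database should be a
-- separate person from the DV owner and the DV account manager.

-- 1. Enable the predefined policy that covers CREATE/ALTER/DROP USER,
--    role lifecycle and GRANT/REVOKE. It ships with the database.
AUDIT POLICY ora_account_mgmt;

-- 2. Confirm it is enabled for all users, for both successes and failures.
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'ORA_ACCOUNT_MGMT';

-- 3. Review account-management activity from the last day. Attempts made after
--    the policy was enabled appear here: a CREATE USER refused as in Step 2
--    shows RETURN_CODE 1031, the one from Step 4 shows 0. DV_ACTION_NAME is
--    populated when Database Vault itself recorded the event.
SELECT event_timestamp, dbusername, action_name, object_name,
       return_code, dv_action_name, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ORA_ACCOUNT_MGMT%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp;

-- 4. Who holds the two Database Vault roles? Review this list regularly and
--    keep it to the named DV owner and account manager accounts.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
ORDER  BY granted_role, grantee;
```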


Oracle Database Vault significantly enhances database security posture. When working in such an environment, regular DBA operations require role separation and proper privilege routing—just like we've seen here with user creation.


Want to automate DV-based user creation or manage secure roles? Follow more Oracle security tips at bidhandba.blogspot.com!