Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-09 |
The procedures and functions within the DVSYS.DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.
The DVSYS.DBMS_MACADM package is available only to users who have the DV_ADMIN or DV_OWNER role.
Many of the parameters used in the procedures and functions in the DVSYS.DBMS_MACADM package can use the constants available in the DVSYS.DBMS_MACUTL package. See "DVSYS.DBMS_MACUTL Constants" for more information.
Table 11-1 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure realms. For constants that you can use with these procedures, see Table 13-1.
Chapter 4, "Configuring Realms" describes realms in detail. See also Chapter 13, "Using the DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility procedures that you can use with the realm procedures.
Table 11-1 DVSYS.DBMS_MACADM Realm Configuration Procedures
This procedure authorizes a user or role to access a realm as a participant. The person running this procedure cannot add himself or herself to the realm as a realm participant.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2);
Parameters
Table 11-2 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
grantee | User or role name to authorize as a participant. To find the existing users and roles in the current database instance, query the To find the authorization of a particular user or role, query the To find existing secure application roles used in privilege management, query the |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'Performance Statistics Realm',
    grantee    => 'SYSADM');
END;
```
This procedure authorizes a user or role to access a realm as an owner or a participant. The person running this procedure cannot add himself or herself to the realm as a realm owner or participant.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, auth_options NUMBER);
Parameters
Table 11-3 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
grantee | User or role name to authorize as owner or participant. To find the existing users and roles in the current database instance, query the To find the authorization of a particular user or role, query the To find existing secure application roles used in privilege management, query the |
auth_options | Specify one of the following ways to authorize the realm: See "Defining Realm Authorization" for more information on participants and owners. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Performance Statistics Realm',
    grantee      => 'SYSADM',
    auth_options => 1);
END;
```
This procedure authorizes a user or role to access a realm as a participant. The person running this procedure cannot add himself or herself to the realm as a realm participant. Optionally, you can specify a rule set to check before allowing the authorization to proceed.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table 11-4 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
grantee | User or role name to authorize as participant. To find the existing users and roles in the current database instance, query the To find the authorization of a particular user or role, query the To find existing secure application roles used in privilege management, query the |
rule_set_name | Rule set to check before authorizing (optional). If the rule set evaluates to To find the available rule sets, query the To find rules that are associated with the rule sets, query the |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Performance Statistics Realm',
    grantee       => 'SYSADM',
    rule_set_name => 'Check Conf Access');
END;
```
This procedure authorizes a user or role to access a realm as a participant or owner. The person running this procedure cannot add himself or herself to the realm as a realm owner or participant. Optionally, you can specify a rule set to check before authorizing.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2, auth_options NUMBER);
Parameters
Table 11-5 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
grantee | User or role name to authorize as owner or participant. To find the available users and roles, query the To find the authorization of a particular user or role, query the |
rule_set_name | Rule set to check before authorizing (optional). If the rule set evaluates to To find the available rule sets, query the |
auth_options | Specify one of the following ways to authorize the realm: You can also use the following See "Defining Realm Authorization" for more information on participants and owners. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Performance Statistics Realm',
    grantee       => 'SYSADM',
    rule_set_name => 'Check Conf Access',
    auth_options  => 1);
END;
```
This procedure registers a set of objects for realm protection.
Syntax
ADD_OBJECT_TO_REALM( realm_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, object_type VARCHAR2);
Parameters
Table 11-6 ADD_OBJECT_TO_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
object_owner | Object owner to own this realm. To find the available users, query the To find the authorization of a particular user or role, query the |
object_name | Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the To find the available objects, query the To find objects that are secured by existing realms, query the |
object_type | Object type, such as You can also use the |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Performance Statistics Realm',
    object_owner => 'SYS',
    object_name  => 'GATHER_SYSTEM_STATISTICS',
    object_type  => 'ROLE');
END;
```
This procedure creates a realm. After you create the realm, use the following procedures to complete the realm definition:
- The ADD_OBJECT_TO_REALM procedure registers one or more objects for the realm.
- The ADD_AUTH_TO_REALM procedures authorize users or roles for the realm.
Syntax
CREATE_REALM( realm_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, audit_options NUMBER);
Parameters
Table 11-7 CREATE_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name, up to 90 characters in mixed-case. To find the existing realms in the current database instance, query the |
description | Description of the purpose of the realm, up to 1024 characters in mixed-case. |
enabled | You can also use the following |
audit_options | Specify one of the following ways to audit the realm: You can also use the following |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Performance Statistics Realm',
    description   => 'Realm to measure performance',
    enabled       => 'Y',
    audit_options => 1);
END;
```
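An added example, not from the Oracle documentation, that runs the three steps of a realm definition in one block: create the realm, register an object with ADD_OBJECT_TO_REALM, authorize a rule-set-gated participant and an owner with ADD_AUTH_TO_REALM, then read the result back from the DVSYS.DBA_DV_REALM_OBJECT and DVSYS.DBA_DV_REALM_AUTH views. The schema SYSADM, table EMP_DATA, user HR_APP and the rule set 'Check Conf Access' are assumed to exist, and the meaning given for each numeric option in the comments is an assumption to check against the DBMS_MACUTL constants in Table 13-1.

```sql
-- Added example (not Oracle's own); run as a user holding DV_OWNER or DV_ADMIN.
-- Assumed objects: schema SYSADM with table EMP_DATA, application user HR_APP,
-- and an existing rule set named 'Check Conf Access'.
BEGIN
  -- 1. Create the realm. audit_options => 1 is assumed to mean "audit on failure"
  --    (see Table 13-1 for the DBMS_MACUTL constant); failed realm checks are
  --    the events a defender wants recorded.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Shields SYSADM employee data from accounts holding ANY privileges',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => 1);

  -- 2. Register the protected object. The page allows % in object_name,
  --    but a single named table keeps the realm boundary explicit.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'SYSADM',
    object_name  => 'EMP_DATA',
    object_type  => 'TABLE');

  -- 3a. Participant access for the application account, gated by a rule set:
  --     the realm lets HR_APP through only while 'Check Conf Access' is TRUE.
  --     auth_options => 0 is assumed to mean participant (Table 13-1).
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_APP',
    rule_set_name => 'Check Conf Access',
    auth_options  => 0);

  -- 3b. Owner access for the schema owner (auth_options => 1 assumed to mean
  --     owner, as in the page's own example). Note the page's rule: the caller
  --     cannot add himself or herself here, so run this as a separate DV admin.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Data Realm',
    grantee      => 'SYSADM',
    auth_options => 1);
END;
/

-- Verification: confirm what the realm protects and who is authorized.
-- Both views are named on this page under the DELETE_REALM procedures.
SELECT * FROM DVSYS.DBA_DV_REALM_OBJECT WHERE realm_name = 'HR Data Realm';
SELECT * FROM DVSYS.DBA_DV_REALM_AUTH   WHERE realm_name = 'HR Data Realm';
```

Re-run the two SELECTs after any DELETE_AUTH_FROM_REALM or DELETE_OBJECT_FROM_REALM call to confirm the realm still covers exactly the objects and grantees you intend.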
This procedure removes the authorization of a user or role to access a realm.
Syntax
DELETE_AUTH_FROM_REALM( realm_name VARCHAR2, grantee VARCHAR2);
Parameters
Table 11-8 DELETE_AUTH_FROM_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
grantee | User or role name. To find the authorization of a particular user or role, query the |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM(
    realm_name => 'Performance Statistics Realm',
    grantee    => 'SYS');
END;
```
This procedure removes a set of objects from realm protection.
Syntax
DELETE_OBJECT_FROM_REALM( realm_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, object_type VARCHAR2);
Parameters
Table 11-9 DELETE_OBJECT_FROM_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
object_owner | Database schema owner. To find the available users, query the To find the authorization of a particular user, query the |
object_name | Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the To find objects that are secured by existing realms, query the |
object_type | Object type, such as You can also use the |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.DELETE_OBJECT_FROM_REALM(
    realm_name   => 'Performance Statistics Realm',
    object_owner => 'SYS',
    object_name  => 'GATHER_SYSTEM_STATISTICS',
    object_type  => 'ROLE');
END;
```
This procedure deletes a realm but does not remove its associated objects and authorizations. Before you delete a realm, you can locate its associated objects by querying the DVSYS.DBA_DV_REALM_OBJECT view, described in "Oracle Database Vault Data Dictionary Views".
If you want to remove the associated objects and authorizations as well as the realm, see "DELETE_REALM_CASCADE Procedure".
Syntax
DELETE_REALM( realm_name VARCHAR2);
Parameters
Table 11-10 DELETE_REALM Parameter
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
Example
```sql
EXEC DVSYS.DBMS_MACADM.DELETE_REALM('Performance Statistics Realm');
```
This procedure deletes a realm, including its related Database Vault configuration information that specifies who is authorized (DVSYS.DBA_DV_REALM_AUTH view) and what objects are protected (DVSYS.DBA_DV_REALM_OBJECT view). It does not delete the actual database objects or users. To find a listing of the realm-related objects, query the DVSYS.DBA_DV_REALM view. To find its authorizations, query DVSYS.DBA_DV_REALM_AUTH. Both are described under "Oracle Database Vault Data Dictionary Views".
Syntax
DELETE_REALM_CASCADE( realm_name VARCHAR2);
Parameters
Table 11-11 DELETE_REALM_CASCADE Parameter
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
Example
```sql
EXEC DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE('Performance Statistics Realm');
```
This procedure renames a realm. The name change takes effect everywhere the realm is used.
Syntax
RENAME_REALM( realm_name VARCHAR2, new_name VARCHAR2);
Parameters
Table 11-12 RENAME_REALM Parameters
Parameter | Description |
---|---|
realm_name | Current realm name. To find the existing realms in the current database instance, query the |
new_name | New realm name, up to 90 characters in mixed-case. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.RENAME_REALM(
    realm_name => 'Performance Statistics Realm',
    new_name   => 'Sector 2 Performance Statistics Realm');
END;
```
This procedure updates a realm.
Syntax
UPDATE_REALM( realm_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, audit_options NUMBER);
Parameters
Table 11-13 UPDATE_REALM Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
description | Description of the purpose of the realm, up to 1024 characters in mixed-case. |
enabled | You can also use the following |
audit_options | Specify one of the following ways to audit the realm: You can also use the following |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.UPDATE_REALM(
    realm_name    => 'Sector 2 Performance Statistics Realm',
    description   => 'Realm to measure performance for Sector 2 applications',
    enabled       => 'Y',
    audit_options => 2);
END;
```
Updates the authorization of a user or role to access a realm.
Syntax
UPDATE_REALM_AUTH( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2, auth_options NUMBER);
Parameters
Table 11-14 UPDATE_REALM_AUTH Parameters
Parameter | Description |
---|---|
realm_name | Realm name. To find the existing realms in the current database instance, query the |
grantee | User or role name. To find the available users and roles, query the To find the authorization of a particular user or role, query the To find existing secure application roles used in privilege management, query the |
rule_set_name | Rule set to check before authorizing (optional). If the rule set evaluates to TRUE, then the authorization is allowed. To find the available rule sets, query the |
auth_options | Specify one of the following ways to authorize the realm: You can also use the following |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.UPDATE_REALM_AUTH(
    realm_name    => 'Sector 2 Performance Statistics Realm',
    grantee       => 'SYSADM',
    rule_set_name => 'Check Conf Access',
    auth_options  => 1);
END;
```
Table 11-15 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure rule sets.
Chapter 5, "Configuring Rule Sets" describes rule sets in detail. See also Chapter 13, "Using the DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility procedures that you can use with the rule set procedures.
Table 11-15 DVSYS.DBMS_MACADM Rule Set Configuration Procedures
Procedure | Description |
---|---|
ADD_RULE_TO_RULE_SET | Adds an enabled or disabled rule to the end of a rule set. |
ADD_RULE_TO_RULE_SET | Adds a rule to a rule set and lets you specify its order within the rule set. |
ADD_RULE_TO_RULE_SET | Adds a rule to a rule set. |
CREATE_RULE | Creates a rule. |
CREATE_RULE_SET | Creates a rule set. |
DELETE_RULE | Deletes a rule. |
DELETE_RULE_FROM_RULE_SET | Deletes a rule from a rule set. |
DELETE_RULE_SET | Deletes a rule set. |
RENAME_RULE | Renames a rule. The name change takes effect everywhere the rule is used. |
RENAME_RULE_SET | Renames a rule set. The name change takes effect everywhere the rule set is used. |
SYNC_RULES | Synchronizes the rules in Oracle Database Vault and the Advanced Queuing Rules engine. You must perform this operation immediately after a rollback of an Add, Delete, or Modify rule operation. |
UPDATE_RULE | Updates a rule. |
UPDATE_RULE_SET | Updates a rule set. |
This procedure adds an enabled or disabled rule to a rule set, and lets you specify its order within the rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2, rule_order NUMBER, enabled VARCHAR2);
Parameters
Table 11-16 ADD_RULE_TO_RULE_SET Parameters
Parameter | Description |
---|---|
rule_set_name | Rule set name. To find existing rule sets in the current database instance, query the |
rule_name | Rule to add to the rule set. To find existing rules, query the To find rules that have been associated with rule sets, use |
rule_order | Does not apply to this release. The order in which rules appear affects performance. See "Improving Performance by Setting the Order in Which Rules Appear in a Rule Set" for more information. |
enabled | You can also enter the following See Table 13-1 for more information. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit_DBA_Access',
    rule_name     => 'Check UPDATE operations',
    rule_order    => 1,                         -- this overload takes rule_order; the value does not apply in this release
    enabled       => DVSYS.DBMS_MACUTL.G_YES);  -- pass the constant, not the string 'DBMS_MACUTL.G_YES'
END;
```
This procedure adds a rule to a rule set and lets you specify its order within the rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2, rule_order NUMBER);
Parameters
Table 11-17 ADD_RULE_TO_RULE_SET Parameters
Parameter | Description |
---|---|
rule_set_name | Rule set name. To find existing rule sets in the current database instance, query the |
rule_name | Rule to add to the rule set. To find existing rules, query the To find rules that have been associated with rule sets, use |
rule_order | Does not apply to this release. The order in which rules appear affects performance. See "Improving Performance by Setting the Order in Which Rules Appear in a Rule Set" for more information. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit_DBA_Access',
    rule_name     => 'Restrict DROP TABLE operations',
    rule_order    => 1);  -- this overload takes rule_order; the value does not apply in this release
END;
```
This procedure adds a rule to a rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2);
Parameters
Table 11-18 ADD_RULE_TO_RULE_SET Parameters
Parameter | Description |
---|---|
rule_set_name | Rule set name. To find existing rule sets in the current database instance, query the |
rule_name | Rule to add to the rule set. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit_DBA_Access',
    rule_name     => 'Check UPDATE operations');
END;
```
This procedure creates a rule.
Syntax
CREATE_RULE( rule_name VARCHAR2, rule_expr VARCHAR2);
Parameters
Table 11-19 CREATE_RULE Parameters
Parameter | Description |
---|---|
rule_name | Rule name, up to 90 characters in mixed-case. Spaces are allowed. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
rule_expr | PL/SQL If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example: 'TO_CHAR(SYSDATE,''HH24'') = ''12''' See "Creating a New Rule" for more information on rule expressions. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check UPDATE operations',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SYSADM''');
END;
```
This procedure creates a rule set. After you create a rule set, you can use the CREATE_RULE and ADD_RULE_TO_RULE_SET procedures to create rules and add them to the rule set.
Syntax
CREATE_RULE_SET( rule_set_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER, fail_message VARCHAR2, fail_code NUMBER, handler_options NUMBER, handler VARCHAR2);
Parameters
Table 11-20 CREATE_RULE_SET Parameters
Parameter | Description |
---|---|
rule_set_name | Rule set name, up to 90 characters in mixed-case. Spaces are allowed. To find existing rule sets in the current database instance, query the |
description | Description of the purpose of the rule set, up to 1024 characters in mixed-case. |
enabled | You can also use the following |
eval_options | If you plan to assign more than one rule to the rule set, enter one of the following settings: You can also use the following |
audit_options | Select one of the following settings: You can also use the following See "Audit Options" for more information. |
fail_options | Options for reporting factor errors: You can also use the following See "Error Handling Options" for more information. |
fail_message | Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for |
fail_code | Enter a negative number in the range of -20000 to -20999, to associate with the |
handler_options | Select one of the following settings: You can also use the following See "Error Handling Options" for more information. |
handler | Name of the PL/SQL function or procedure that defines the custom event handler logic. See "Error Handling Options" for more information. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Limit_DBA_Access',
    description     => 'DBA access through predefined processes',
    enabled         => 'Y',
    eval_options    => 2,
    audit_options   => POWER(2,0),
    fail_options    => 2,
    fail_message    => '',
    fail_code       => NULL,
    handler_options => POWER(2,0),
    handler         => 'dbavowner.email_alert');
END;
```
This procedure deletes a rule.
Syntax
DELETE_RULE( rule_name VARCHAR2);
Parameter
Table 11-21 DELETE_RULE Parameter
Parameter | Description |
---|---|
rule_name | Rule name. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
Example
```sql
EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Check UPDATE operations');
```
This procedure deletes a rule from a rule set.
Syntax
DELETE_RULE_FROM_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2);
Parameters
Table 11-22 DELETE_RULE_FROM_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, query the |
|
Rule to remove from the rule set. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
    rule_set_name => 'Limit DBA Access',
    rule_name     => 'Check UPDATE operations');
END;
```
This procedure deletes a rule set.
Syntax
DELETE_RULE_SET( rule_set_name VARCHAR2);
Parameters
Table 11-23 DELETE_RULE_SET Parameter
Parameter | Description |
---|---|
rule_set_name | Rule set name. To find existing rule sets in the current database instance, query the |
Example
```sql
EXEC DVSYS.DBMS_MACADM.DELETE_RULE_SET('Limit DBA Access');
```
This procedure renames a rule. The name change takes effect everywhere the rule is used.
Syntax
RENAME_RULE( rule_name VARCHAR2, new_name VARCHAR2);
Parameters
Table 11-24 RENAME_RULE Parameters
Parameter | Description |
---|---|
rule_name | Rule name. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
new_name | New rule name, up to 90 characters in mixed-case. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.RENAME_RULE(
    rule_name => 'Check UPDATE operations',
    new_name  => 'Check Sector 2 Processes');
END;
```
This procedure renames a rule set. The name change takes effect everywhere the rule set is used.
Syntax
RENAME_RULE_SET( rule_set_name VARCHAR2, new_name VARCHAR2);
Parameters
Table 11-25 RENAME_RULE_SET Parameters
Parameter | Description |
---|---|
rule_set_name | Current rule set name. To find existing rule sets in the current database instance, query the |
new_name | New rule set name, up to 90 characters in mixed-case. Spaces are allowed. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.RENAME_RULE_SET(
    rule_set_name => 'Limit DBA Access',
    new_name      => 'Limit Sector 2 Access');
END;
```
This procedure synchronizes the rules in Oracle Database Vault and the Advanced Queuing Rules engine. You must perform this operation immediately after a rollback of an Add, Delete, or Modify rule operation.
Syntax
SYNC_RULES();
Parameters
None.
Example
```sql
EXEC DVSYS.DBMS_MACADM.SYNC_RULES();
```
This procedure updates a rule.
Syntax
UPDATE_RULE( rule_name VARCHAR2, rule_expr VARCHAR2);
Parameters
Table 11-26 UPDATE_RULE Parameters
Parameter | Description |
---|---|
rule_name | Rule name. To find existing rules in the current database instance, query the To find rules that have been associated with rule sets, query |
rule_expr | PL/SQL If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example: 'TO_CHAR(SYSDATE,''HH24'') = ''12''' See "Creating a New Rule" for more information on rule expressions. To find existing rule expressions, query the |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.UPDATE_RULE(
    rule_name => 'Check UPDATE operations',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SYSADM'' AND ' ||
                 '( UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''APPSRVR%'' OR ' ||
                 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''DBAPP%'' )');
END;
```
This procedure updates a rule set.
Syntax
UPDATE_RULE_SET( rule_set_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER, fail_message VARCHAR2, fail_code NUMBER, handler_options NUMBER, handler VARCHAR2);
Parameters
Table 11-27 UPDATE_RULE_SET Parameters
Parameter | Description |
---|---|
rule_set_name | Rule set name. To find existing rule sets in the current database instance, query the |
description | Description of the purpose of the rule set, up to 1024 characters in mixed-case. |
enabled | You can also use the following |
eval_options | If you plan to assign more than one rule to the rule set, enter one of the following settings: You can also use the following |
audit_options | Select one of the following settings: You can also use the following See "Audit Options" for more information. |
fail_options | Options for reporting factor errors: You can also use the following See "Error Handling Options" for more information. |
fail_message | Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for |
fail_code | Enter a negative number in the range of -20000 to -20999, to associate with the |
handler_options | Select one of the following settings: You can also use the following See "Error Handling Options" for more information. |
handler | Name of the PL/SQL function or procedure that defines the custom event handler logic. See "Error Handling Options" for more information. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.UPDATE_RULE_SET(
    rule_set_name   => 'Limit DBA Access',
    description     => 'DBA access through predefined processes',
    enabled         => 'Y',
    eval_options    => 2,
    audit_options   => POWER(2,0),
    fail_options    => 1,
    fail_message    => 'Access denied!',
    fail_code       => -20900,
    handler_options => 0,
    handler         => '');
END;
```
Table 11-28 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure command rules.
Chapter 6, "Configuring Command Rules" describes command rules in detail. See also Chapter 13, "Using the DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility procedures that you can use with the command rule procedures.
Table 11-28 DVSYS.DBMS_MACADM Command Rule Configuration Procedures
Procedure | Description |
---|---|
CREATE_COMMAND_RULE | Creates a command rule and associates it with a rule set. |
DELETE_COMMAND_RULE | Drops a command rule declaration. |
UPDATE_COMMAND_RULE | Updates a command rule declaration. |
This procedure creates a command rule and associates it with a rule set.
Syntax
CREATE_COMMAND_RULE( command VARCHAR2, rule_set_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, enabled VARCHAR2);
Parameters
Table 11-29 CREATE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
command | SQL statement to protect. See the following: |
rule_set_name | Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, query the |
object_owner | Database schema owner for this command rule. To find the available users, query the See also "Object Owner" in "Creating and Editing a Command Rule" for more information about command rule owners. |
object_name | Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the |
enabled | You can also use the following |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'Limit Sector 2 Access',
    object_owner  => 'SYSADM',
    object_name   => 'EMP_DATA',
    enabled       => 'Y');
END;
```
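An added example, not from the Oracle documentation, that joins the rule set procedures (CREATE_RULE, CREATE_RULE_SET, ADD_RULE_TO_RULE_SET) to the command rule just described: two rules written with the doubled-single-quote convention from CREATE_RULE, a rule set that requires both to hold and raises a visible error otherwise, and a CREATE_COMMAND_RULE call that gates ALTER TABLE on every SYSADM table with it. The rule set and rule names, the SYSADM schema and the fail code are constructed; the meaning noted beside each numeric option is an assumption to check against the DBMS_MACUTL constants in Table 13-1.

```sql
-- Added example (not Oracle's own); run as a user holding DV_OWNER or DV_ADMIN.
-- Assumed: schema SYSADM exists; rule set and rule names below are constructed.
BEGIN
  -- Rules are PL/SQL expressions passed as strings, so every quote inside the
  -- expression is doubled, as the CREATE_RULE parameter table requires.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) BETWEEN 8 AND 18');

  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Server',
    rule_expr => 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''APPSRVR%''');

  -- The rule set: both rules must be TRUE. Assumed option meanings (Table 13-1):
  --   eval_options    1 = all rules must be true
  --   audit_options   1 = audit when the rule set fails
  --   fail_options    1 = show the failure message to the caller
  --   handler_options 0 = no custom event handler
  -- fail_code must be in the page's stated range -20000 to -20999.
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Payroll Change Window',
    description     => 'DDL on payroll tables only from the app tier during business hours',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => 1,
    audit_options   => 1,
    fail_options    => 1,
    fail_message    => 'Payroll DDL blocked outside the change window',
    fail_code       => -20901,
    handler_options => 0,
    handler         => '');

  -- Attach the rules; this is the two-parameter ADD_RULE_TO_RULE_SET overload.
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Payroll Change Window',
    rule_name     => 'Is Business Hours');
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Payroll Change Window',
    rule_name     => 'From App Server');

  -- Bind the rule set to a command rule. object_name => '%' covers every table
  -- in SYSADM, so any ALTER TABLE there is evaluated against the rule set.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Payroll Change Window',
    object_owner  => 'SYSADM',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/
```

Because fail_options => 1 surfaces the message, an ALTER TABLE attempted from outside the window fails with ORA-20901 and the text above, while the audit record (audit_options => 1) is what a monitoring team should alert on.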
This procedure drops a command rule declaration.
Syntax
DELETE_COMMAND_RULE( command VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2);
Parameters
Table 11-30 DELETE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
command | SQL statement the command rule protects. To find available command rules, query the |
object_owner | Database schema owner for this command rule. To find the available users in the current database instance, query the See also "Object Owner" in "Creating and Editing a Command Rule" for more information about command rule owners. |
object_name | Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE(
    command      => 'SELECT',
    object_owner => 'SYSADM',
    object_name  => 'EMP_DATA');
END;
```
This procedure updates a command rule declaration.
Syntax
UPDATE_COMMAND_RULE( command VARCHAR2, rule_set_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, enabled VARCHAR2);
Parameters
Table 11-31 UPDATE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
command | SQL statement to protect. See the following: |
rule_set_name | Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, query the |
object_owner | Database schema owner for this command rule. To find the available users, query the |
object_name | Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the |
enabled | You can also use the following |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'Limit Sector 2 Access',
    object_owner  => 'SYSADM',
    object_name   => '%',
    enabled       => 'Y');
END;
```
Table 11-32 lists procedures and functions within the DVSYS.DBMS_MACADM package that you can use to configure factors.
Chapter 7, "Configuring Factors" describes factors in detail. See also Chapter 13, "Using the DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility procedures that you can use with the factor procedures.
Table 11-32 DVSYS.DBMS_MACADM Factor Configuration Procedures
This procedure specifies a parent-child relationship for two factors.
Syntax
ADD_FACTOR_LINK( parent_factor_name VARCHAR2, child_factor_name VARCHAR2, label_indicator VARCHAR2);
Parameters
Table 11-33 ADD_FACTOR_LINK Parameters
Parameter | Description |
---|---|
parent_factor_name | Parent factor name. To find existing parent and child factors in the current database instance, query the |
child_factor_name | Child factor name. |
label_indicator | Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either You can also use the following To find the Oracle Label Security policies and labels associated with factors, query the following views, described in "Oracle Database Vault Data Dictionary Views": |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_FACTOR_LINK(
    parent_factor_name => 'HQ_ClientID',
    child_factor_name  => 'Div1_ClientID',
    label_indicator    => 'Y');
END;
```
This procedure specifies that the label for a factor contributes to the Oracle Label Security label for a policy.
Syntax
ADD_POLICY_FACTOR( policy_name VARCHAR2, factor_name VARCHAR2);
Parameters
Table 11-34 ADD_POLICY_FACTOR Parameters
Parameter | Description |
---|---|
policy_name | Oracle Label Security policy name. To find the policies defined in the current database instance, query the To find factors that are associated with Oracle Label Security policies, query |
factor_name | Factor name. To find existing factors, query the |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.ADD_POLICY_FACTOR(
    policy_name => 'AccessData',
    factor_name => 'Sector2_ClientID');
END;
```
This procedure associates an identity with a different factor.
Syntax
CHANGE_IDENTITY_FACTOR( factor_name VARCHAR2, value VARCHAR2, new_factor_name VARCHAR2);
Parameters
Table 11-35 CHANGE_IDENTITY_FACTOR Parameters
Parameter | Description |
---|---|
factor_name | Current factor name. To find existing factors, query the |
value | Value of the identity to update. To find existing identities for each factor in the current database instance, query the To find current identity mappings, query the |
new_factor_name | Name of the factor to associate with the identity. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
    factor_name     => 'Sector2_ClientID',
    value           => 'intranet',
    new_factor_name => 'Sector4_ClientID');
END;
```
This procedure updates the value of an identity.
Syntax
CHANGE_IDENTITY_VALUE( factor_name VARCHAR2, value VARCHAR2, new_value VARCHAR2);
Parameters
Table 11-36 CHANGE_IDENTITY_VALUE Parameters
Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors, query the |
value | Current value associated with the identity. To find existing identities for each factor in the current database instance, query the To find current identity mappings, query the |
new_value | New identity value, up to 1024 characters in mixed-case. |
Example
```sql
BEGIN
  DVSYS.DBMS_MACADM.CHANGE_IDENTITY_VALUE(
    factor_name => 'Sector2_ClientID',
    value       => 'remote',
    new_value   => 'intranet');
END;
```
This procedure adds an Oracle Real Application Clusters (RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.
Syntax
CREATE_DOMAIN_IDENTITY( domain_name VARCHAR2, domain_host VARCHAR2, policy_name VARCHAR2 DEFAULT NULL, domain_label VARCHAR2 DEFAULT NULL);
Parameters
Table 11-37 CREATE_DOMAIN_IDENTITY Parameters
Parameter | Description |
---|---|
domain_name | Name of the domain to which to add the host. To find the logical location of the database within the network structure within a distributed database system, run the |
domain_host | Oracle Real Application Clusters host name being added to the domain. To find the host name of a database, query the |
policy_name | Oracle Label Security policy name. To find the available policies, query the |
domain_label | Name of the domain to which to add the Oracle Label Security policy. |
Examples
BEGIN DVSYS.DBMS_MACADM.CREATE_DOMAIN_IDENTITY( domain_name => 'mycompany', domain_host => 'mydom_host', policy_name => 'AccessData', domain_label => 'sensitive'); END;
This procedure creates a factor. After you create a factor, you can give it an identity by using the CREATE_IDENTITY procedure, described in "CREATE_IDENTITY Procedure".
Syntax
CREATE_FACTOR( factor_name VARCHAR2, factor_type_name VARCHAR2, description VARCHAR2, rule_set_name VARCHAR2, get_expr VARCHAR2, validate_expr VARCHAR2, identify_by NUMBER, labeled_by NUMBER, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER);
Parameters
Table 11-38 CREATE_FACTOR Parameters
Parameter | Description |
---|---|
factor_name | Factor name, up to 30 characters in mixed-case, without spaces. To find existing factors in the current database instance, query the |
factor_type_name | Category of the factor, up to 30 characters in mixed-case, without spaces. |
description | Description of the purpose of the factor, up to 1024 characters in mixed-case. |
rule_set_name | Rule set name if you want to use a rule set to control when and how a factor identity is set. To find existing rule sets, query the |
get_expr | Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the |
validate_expr | Name of the procedure to validate the factor. This is a valid PL/SQL expression that returns a Boolean value ( |
identify_by | Options for determining the identity of a factor, based on the expression set for the
You can also use the following
See "Factor Identification" for more information. |
labeled_by | Options for labeling the factor:
You can also use the following
See "Factor Labeling" for more information. |
eval_options | Options for evaluating the factor when the user logs on:
You can also use the following
See "Evaluation" for more information. |
audit_options | Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.
You can also use the following
See "Audit Options" for more information. |
fail_options | Options for reporting factor errors:
You can also use the following
See "Error Options" for more information. |
Example
BEGIN DVSYS.DBMS_MACADM.CREATE_FACTOR( factor_name => 'Sector2_DB', factor_type_name => 'Instance', description => ' ', rule_set_name => 'DB_access', get_expr => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', validate_expr => 'dbavowner.check_db_access', identify_by => 2, labeled_by => 0, eval_options => 0, audit_options => 0, fail_options => POWER(2,1)); END;
This procedure creates a user-defined factor type.
Syntax
CREATE_FACTOR_TYPE( name VARCHAR2, description VARCHAR2);
Parameters
Table 11-39 CREATE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
name | Factor type name, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the |
description | Description of the purpose of the factor type, up to 1024 characters in mixed-case. |
Example
BEGIN DVSYS.DBMS_MACADM.CREATE_FACTOR_TYPE( name => 'Sector2Instance', description => 'Checks DB instances used in Sector 2'); END;
This procedure assigns an identity and an associated trust level for a given factor. After you create a factor, you must assign it an identity.
Syntax
CREATE_IDENTITY( factor_name VARCHAR2, value VARCHAR2, trust_level NUMBER);
Parameters
Table 11-40 CREATE_IDENTITY Parameters
Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors, query the |
value | The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 234.43.41.99. |
trust_level | Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security. |
Example
BEGIN DVSYS.DBMS_MACADM.CREATE_IDENTITY( factor_name => 'Sector2_ClientID', value => 'intranet', trust_level => 5); END;
This procedure defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors).
Syntax
CREATE_IDENTITY_MAP( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, parent_factor_name VARCHAR2, child_factor_name VARCHAR2, operation VARCHAR2, operand1 VARCHAR2, operand2 VARCHAR2);
Parameters
Table 11-41 CREATE_IDENTITY_MAP Parameters
Parameter | Description |
---|---|
identity_factor_name | Factor the identity map is for. To find existing factors in the current database instance, query the |
identity_factor_value | Value the factor will assume if the identity map evaluates to true. To find existing factor identities, query the To find current factor identity mappings, use |
parent_factor_name | The parent factor link to which the map is related. To find existing parent-child factor mappings, query the |
child_factor_name | The child factor link to which the map is related. |
operation | Relational operator for the identity map (for example, <, >, =, and so on). |
operand1 | Left operand for the relational operator; refers to the low value you enter. |
operand2 | Right operand for the relational operator; refers to the high value you enter. |
Example
BEGIN DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP( identity_factor_name => 'Sector2_ClientID', identity_factor_value => 'intranet', parent_factor_name => 'HQ_ClientID', child_factor_name => 'Div1_ClientID', operation => '<', operand1 => '123.45.78.890', operand2 => '988.77.56.123'); END;
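The procedures above (CREATE_FACTOR_TYPE, CREATE_FACTOR, CREATE_IDENTITY and CREATE_IDENTITY_MAP) are normally run as one sequence. The following is an added worked example, not an example from this guide: it creates a child factor that reads the client address, a parent factor identified by that child, and parent identities whose trust levels a rule set can test. It assumes the DV_OWNER role, uses the DVSYS.DBMS_MACUTL constants of Chapter 13 instead of numeric option codes, calls ADD_FACTOR_LINK (documented earlier in this chapter) and refers to DVSYS.GET_TRUST_LEVEL from the Oracle Database Vault PL/SQL function reference. The IP addresses are constructed. Two points to watch: single quotes inside get_expr must be doubled, because the expression is stored as text and evaluated later by Database Vault, so an unescaped literal makes the CREATE_FACTOR call itself fail; and identity map operands are VARCHAR2, so this example uses exact matches rather than a range over dotted-quad addresses, which would compare as strings.

```sql
-- Added example (not from the guide). Run as a user holding DV_OWNER.
-- Constructed values: the factor names, the app-server address 10.20.30.40
-- and the vendor VPN gateway 203.0.113.10.
BEGIN
  -- 1. A category for the factors created below.
  DVSYS.DBMS_MACADM.CREATE_FACTOR_TYPE(
    name        => 'Sector2Origin',
    description => 'Where a Sector 2 session connects from');

  -- 2. Leaf factor: identity comes from its retrieval method (By Method).
  --    Note the doubled quotes around the SYS_CONTEXT arguments.
  --    No assignment rule set: nothing may override the retrieved value.
  DVSYS.DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Div1_ClientID',
    factor_type_name => 'Sector2Origin',
    description      => 'Client IP address as reported by the listener',
    rule_set_name    => NULL,
    get_expr         => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'')',
    validate_expr    => NULL,
    identify_by      => DVSYS.DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DVSYS.DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DVSYS.DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DVSYS.DBMS_MACUTL.G_AUDIT_ON_GET_ERROR,
    fail_options     => DVSYS.DBMS_MACUTL.G_FAIL_WITH_MESSAGE);

  -- 3. Parent factor: identified By Factors, so it has no get_expr and its
  --    identity is derived from the child through the identity maps below.
  --    Audit options are a bit mask, so two conditions are summed: audit
  --    when retrieval fails and when an untrusted (negative) identity wins.
  DVSYS.DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'HQ_ClientID',
    factor_type_name => 'Sector2Origin',
    description      => 'Network zone of the client, derived from Div1_ClientID',
    rule_set_name    => NULL,
    get_expr         => NULL,
    validate_expr    => NULL,
    identify_by      => DVSYS.DBMS_MACUTL.G_IDENTIFY_BY_FACTOR,
    labeled_by       => DVSYS.DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DVSYS.DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DVSYS.DBMS_MACUTL.G_AUDIT_ON_GET_ERROR
                        + DVSYS.DBMS_MACUTL.G_AUDIT_ON_TRUST_LEVEL_NEG,
    fail_options     => DVSYS.DBMS_MACUTL.G_FAIL_WITH_MESSAGE);

  -- 4. Link child to parent. label_indicator 'N': the child does not
  --    contribute to Oracle Label Security labels (ADD_FACTOR_LINK is
  --    documented earlier in this chapter).
  DVSYS.DBMS_MACADM.ADD_FACTOR_LINK(
    parent_factor_name => 'HQ_ClientID',
    child_factor_name  => 'Div1_ClientID',
    label_indicator    => 'N');

  -- 5. Identities ranked by trust. A negative level is "known but not
  --    trusted", which is different from an unknown origin (no identity).
  DVSYS.DBMS_MACADM.CREATE_IDENTITY(
    factor_name => 'HQ_ClientID', value => 'intranet', trust_level => 5);
  DVSYS.DBMS_MACADM.CREATE_IDENTITY(
    factor_name => 'HQ_ClientID', value => 'remote',   trust_level => -1);

  -- 6. Identity maps. Exact matches on the child's value; operand2 is
  --    unused for '=' and passed as NULL. A client matching no map leaves
  --    HQ_ClientID with no identity and a NULL trust level.
  DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP(
    identity_factor_name  => 'HQ_ClientID',
    identity_factor_value => 'intranet',
    parent_factor_name    => 'HQ_ClientID',
    child_factor_name     => 'Div1_ClientID',
    operation             => '=',
    operand1              => '10.20.30.40',
    operand2              => NULL);
  DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP(
    identity_factor_name  => 'HQ_ClientID',
    identity_factor_value => 'remote',
    parent_factor_name    => 'HQ_ClientID',
    child_factor_name     => 'Div1_ClientID',
    operation             => '=',
    operand1              => '203.0.113.10',
    operand2              => NULL);
END;
/
```

A rule in a rule set that guards a realm or command rule can then test NVL(DVSYS.GET_TRUST_LEVEL('HQ_ClientID'), -1) >= 5. The NVL matters: with it, both the remote identity (trust level -1) and an unmapped client (NULL trust level) fail the rule, so the check fails closed instead of letting an unrecognised origin through.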
This procedure deletes a factor.
Syntax
DELETE_FACTOR( factor_name VARCHAR2);
Parameters
Table 11-42 DELETE_FACTOR Parameter
Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the |
Example
EXEC DVSYS.DBMS_MACADM.DELETE_FACTOR('Sector2_ClientID');
This procedure removes a parent-child relationship for two factors.
Syntax
DELETE_FACTOR_LINK( parent_factor_name VARCHAR2, child_factor_name VARCHAR2);
Parameters
Table 11-43 DELETE_FACTOR_LINK Parameters
Parameter | Description |
---|---|
parent_factor_name | Parent factor name. To find factors that are used in parent-child mappings in the current database instance, query the |
child_factor_name | Child factor name. |
Example
BEGIN DVSYS.DBMS_MACADM.DELETE_FACTOR_LINK( parent_factor_name => 'HQ_ClientID', child_factor_name => 'Div1_ClientID'); END;
This procedure deletes a factor type.
Syntax
DELETE_FACTOR_TYPE( name VARCHAR2);
Parameters
Table 11-44 DELETE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
name | Factor type name. To find existing factor types, query the |
Example
EXEC DVSYS.DBMS_MACADM.DELETE_FACTOR_TYPE('Sector2Instance');
This procedure removes an identity from an existing factor.
Syntax
DELETE_IDENTITY( factor_name VARCHAR2, value VARCHAR2);
Parameters
Table 11-45 DELETE_IDENTITY Parameters
Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the |
value | Identity value associated with the factor. To find the identities for each factor in the current database instance, query the |
Example
BEGIN DVSYS.DBMS_MACADM.DELETE_IDENTITY( factor_name => 'Sector2_ClientID', value => 'intranet'); END;
This procedure removes an identity map for a factor.
Syntax
DELETE_IDENTITY_MAP( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, parent_factor_name VARCHAR2, child_factor_name VARCHAR2, operation VARCHAR2, operand1 VARCHAR2, operand2 VARCHAR2);
Parameters
Table 11-46 DELETE_IDENTITY_MAP Parameters
Parameter | Description |
---|---|
identity_factor_name | Factor the identity map is for. To find existing factors in the current database instance, query the |
identity_factor_value | Value the factor will assume if the identity map evaluates to true. To find existing factor identities, query the To find current factor identity mappings, query |
parent_factor_name | The parent factor link to which the map is related. To find existing parent-child factors, query the |
child_factor_name | The child factor to which the map is related. |
operation | Relational operator for the identity map (for example, <, >, =, and so on). |
operand1 | Left (low value) operand for the relational operator. |
operand2 | Right (high value) operand for the relational operator. |
Example
BEGIN DVSYS.DBMS_MACADM.DELETE_IDENTITY_MAP( identity_factor_name => 'Sector2_ClientID', identity_factor_value => 'intranet', parent_factor_name => 'HQ_ClientID', child_factor_name => 'Div1_ClientID', operation => '<', operand1 => '123.45.78.890', operand2 => '988.77.56.123'); END;
This procedure removes an Oracle Real Application Clusters database node from a domain.
Syntax
DROP_DOMAIN_IDENTITY( domain_name VARCHAR2, domain_host VARCHAR2);
Parameters
Table 11-47 DROP_DOMAIN_IDENTITY Parameters
Parameter | Description |
---|---|
domain_name | Name of the domain to which the host was added. To find the domain of a database as specified by the |
domain_host | Oracle Real Application Clusters host name that was added to the domain. To find the host name for a specified database, run the |
Example
BEGIN DVSYS.DBMS_MACADM.DROP_DOMAIN_IDENTITY( domain_name => 'mycompany', domain_host => 'mydom_host'); END;
This function returns information from the SYS.V_$INSTANCE view; it returns a VARCHAR2 value. For more information about SYS.V_$INSTANCE, see Oracle Database Reference.
Syntax
GET_INSTANCE_INFO( p_parameter VARCHAR2) RETURNS VARCHAR2;
Parameters
Table 11-48 GET_INSTANCE_INFO Parameter
Parameter | Description |
---|---|
p_parameter | Column name in the |
Example
DECLARE instance_var VARCHAR2(4000); BEGIN instance_var := DVSYS.DBMS_MACADM.GET_INSTANCE_INFO('INSTANCE_NAME'); END;
This function returns information from the SYS.V_$SESSION view for the current session; it returns a VARCHAR2 value. For more information about SYS.V_$SESSION, see Oracle Database Reference.
Syntax
GET_SESSION_INFO( p_parameter VARCHAR2) RETURNS VARCHAR2;
Parameters
Table 11-49 GET_SESSION_INFO Parameter
Parameter | Description |
---|---|
p_parameter | Column name in the |
Example
DECLARE session_var VARCHAR2(4000); BEGIN session_var := DVSYS.DBMS_MACADM.GET_SESSION_INFO('PROCESS'); END;
This procedure renames a factor. The name change takes effect everywhere the factor is used.
Syntax
RENAME_FACTOR( factor_name VARCHAR2, new_factor_name VARCHAR2);
Parameters
Table 11-50 RENAME_FACTOR Parameters
Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the |
new_factor_name | New factor name, up to 30 characters in mixed-case, without spaces. |
Example
BEGIN DVSYS.DBMS_MACADM.RENAME_FACTOR( factor_name => 'Sector2_ClientID', new_factor_name => 'Sector2_Clients'); END;
This procedure renames a factor type. The name change takes effect everywhere the factor type is used.
Syntax
RENAME_FACTOR_TYPE( old_name VARCHAR2, new_name VARCHAR2);
Parameters
Table 11-51 RENAME_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
old_name | Current factor type name. To find existing factor types in the current database instance, query the |
new_name | New factor type name, up to 30 characters in mixed-case, without spaces. |
Example
BEGIN DVSYS.DBMS_MACADM.RENAME_FACTOR_TYPE( old_name => 'Sector2Instance', new_name => 'Sector2DBInstance'); END;
This procedure updates an existing factor. All parameters are supplied again, so pass the current values for any setting you do not intend to change.
Syntax
UPDATE_FACTOR( factor_name VARCHAR2, factor_type_name VARCHAR2, description VARCHAR2, rule_set_name VARCHAR2, get_expr VARCHAR2, validate_expr VARCHAR2, identify_by NUMBER, labeled_by NUMBER, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER);
Parameters
Table 11-52 UPDATE_FACTOR Parameters
Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the |
factor_type_name | Factor type name. To find existing factor types, query the |
description | Description of the purpose of the factor, up to 1024 characters in mixed-case. |
rule_set_name | Name of the rule set used to control when and how a factor identity is set. To find existing rule sets, query the See also "Assignment Rule Set" for more information about assigning rule sets to factors. |
get_expr | Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the |
validate_expr | Name of the procedure to validate the factor. This is a valid PL/SQL expression that returns a Boolean value ( |
identify_by | Options for determining the identity of a factor, based on the expression set for the
You can also use the following
See "Factor Identification" for more information. |
labeled_by | Options for labeling the factor:
You can also use the following
See "Factor Labeling" for more information. |
eval_options | Options for evaluating the factor when the user logs on:
You can also use the following
See "Evaluation" for more information. |
audit_options | Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.
You can also use the following
See "Audit Options" for more information. |
fail_options | Options for reporting factor errors:
You can also use the following
See "Error Options" for more information. |
Example
BEGIN DVSYS.DBMS_MACADM.UPDATE_FACTOR( factor_name => 'Sector2_DB', factor_type_name => 'Instance', description => ' ', rule_set_name => 'DB_access', get_expr => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', validate_expr => 'dbavowner.check_db_access', identify_by => 2, labeled_by => 0, eval_options => 0, audit_options => POWER(2,0), fail_options => POWER(2,0)); END;
This procedure updates a factor type.
Syntax
UPDATE_FACTOR_TYPE( name VARCHAR2, description VARCHAR2);
Parameters
Table 11-53 UPDATE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
name | Factor type name. To find existing factor types in the current database instance, query the |
description | Description of the purpose of the factor type, up to 1024 characters in mixed-case. |
Example
BEGIN DVSYS.DBMS_MACADM.UPDATE_FACTOR_TYPE( name => 'Sector2DBInstance', description => 'Checks DB instances used in Sector 2'); END;
This procedure updates the trust level of a factor identity.
Syntax
UPDATE_IDENTITY( factor_name VARCHAR2, value VARCHAR2, trust_level NUMBER);
Parameters
Table 11-54 UPDATE_IDENTITY Parameters
Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the To find factors that have identities, query |
value | Existing identity value whose trust level is being updated, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 234.43.41.99. |
trust_level | Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security. |
Example
BEGIN DVSYS.DBMS_MACADM.UPDATE_IDENTITY( factor_name => 'Sector2_ClientID', value => 'intranet', trust_level => 10); END;
Table 11-55 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure Oracle Database Vault secure application roles.
Chapter 8, "Configuring Secure Application Roles for Oracle Database Vault" describes secure application roles in detail. See also Chapter 13, "Using the DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility procedures that you can use with the secure application role procedures.
Table 11-55 DVSYS.DBMS_MACADM Secure Application Role Configuration Procedures
Procedure | Description |
---|---|
CREATE_ROLE | Creates an Oracle Database Vault secure application role. |
DELETE_ROLE | Deletes an Oracle Database Vault secure application role. |
RENAME_ROLE | Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used. |
UPDATE_ROLE | Updates an Oracle Database Vault secure application role. |
This procedure creates an Oracle Database Vault secure application role.
Syntax
CREATE_ROLE( role_name VARCHAR2, enabled VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table 11-56 CREATE_ROLE Parameters
Parameter | Description |
---|---|
role_name | Role name, up to 30 characters, with no spaces. Preferably, enter the role name in upper case letters, though you are not required to do so. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Reference. To find existing secure application roles in the current database instance, query the |
enabled | Y (yes) or N (no), controlling whether the secure application role can be set.
You can also use the following |
rule_set_name | Name of rule set to determine whether a user can set this secure application role. To find existing rule sets in the current database instance, query the |
Example
BEGIN DVSYS.DBMS_MACADM.CREATE_ROLE( role_name => 'Sector2_APP_MGR', enabled => 'Y', rule_set_name => 'Check App2 Access'); END;
This procedure deletes an Oracle Database Vault secure application role.
Syntax
DELETE_ROLE( role_name VARCHAR2);
Parameters
Table 11-57 DELETE_ROLE Parameter
Parameter | Description |
---|---|
role_name | Role name. To find existing secure application roles in the current database instance, query the |
Example
EXEC DVSYS.DBMS_MACADM.DELETE_ROLE('SECT2_APP_MGR');
This procedure renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.
Syntax
RENAME_ROLE( role_name VARCHAR2, new_role_name VARCHAR2);
Parameters
Table 11-58 RENAME_ROLE Parameters
Parameter | Description |
---|---|
role_name | Current role name. To find existing secure application roles in the current database instance, query the |
new_role_name | New role name, up to 30 characters, in uppercase, with no spaces. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Reference. |
Example
BEGIN DVSYS.DBMS_MACADM.RENAME_ROLE( role_name => 'SECT2_APP_MGR', new_role_name => 'SECT2_SYSADMIN'); END;
This procedure updates an Oracle Database Vault secure application role.
Syntax
UPDATE_ROLE( role_name VARCHAR2, enabled VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table 11-59 UPDATE_ROLE Parameters
Parameter | Description |
---|---|
role_name | Role name. To find existing secure application roles in the current database instance, query the |
enabled | Y (yes) or N (no), controlling whether the secure application role can be set.
You can also use the following |
rule_set_name | Name of rule set to determine whether a user can set this secure application role. To find existing rule sets in the current database instance, query the |
Example
BEGIN DVSYS.DBMS_MACADM.UPDATE_ROLE( role_name => 'SECT2_SYSADMIN', enabled => 'Y', rule_set_name => 'System Access Controls'); END;
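Put together, the secure application role procedures work as follows. CREATE_ROLE creates a database role that cannot be enabled with a plain SET ROLE; it is enabled only through DVSYS.DBMS_MACSEC_ROLES.SET_ROLE, which evaluates the role's rule set first. Ordinary GRANT statements give the role its privileges, and the application enables it at session start. The block below is an added example, not one from this guide: the rule set Check App2 Access is assumed to exist (as in the example above), the schema SECT2_APP and table SECT2_APP.ORDERS are constructed, and DBMS_MACSEC_ROLES.CAN_SET_ROLE and SET_ROLE are taken from that package's own chapter of this guide.

```sql
-- Added example (not from the guide).
-- Step 1, run as DV_OWNER: create the secure application role and tie it
-- to the rule set that decides who may enable it.
BEGIN
  DVSYS.DBMS_MACADM.CREATE_ROLE(
    role_name     => 'SECT2_APP_MGR',
    enabled       => 'Y',
    rule_set_name => 'Check App2 Access');
END;
/

-- Step 2, run as the application schema owner (constructed: SECT2_APP):
-- the role receives privileges exactly like any other database role.
-- Nothing here grants the role to a user; possession of the role is
-- decided at run time by the rule set, not by a GRANT.
GRANT SELECT, UPDATE ON sect2_app.orders TO sect2_app_mgr;

-- Step 3, run by the application at the start of a session. SET_ROLE
-- evaluates 'Check App2 Access' and raises an error if it is false;
-- CAN_SET_ROLE lets the application test first and degrade cleanly.
DECLARE
  role_name CONSTANT VARCHAR2(30) := 'SECT2_APP_MGR';
BEGIN
  IF DVSYS.DBMS_MACSEC_ROLES.CAN_SET_ROLE(role_name) THEN
    DVSYS.DBMS_MACSEC_ROLES.SET_ROLE(role_name);
  ELSE
    -- Fail closed: continue without the role rather than retrying with
    -- broader credentials.
    RAISE_APPLICATION_ERROR(-20001,
      role_name || ' denied by rule set Check App2 Access');
  END IF;
END;
/
```

Because the decision is made by the rule set each time the role is set, disabling the role (UPDATE_ROLE with enabled => 'N') or tightening the rule set takes effect for new sessions without revoking anything from individual users.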
Table 11-60 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure Oracle Label Security policies.
Chapter 9, "Integrating Oracle Database Vault with Other Oracle Products" describes Oracle Label Security policies in detail. See also Chapter 13, "Using the DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility procedures that you can use with the Oracle Label Security policy procedures.
Table 11-60 DVSYS.DBMS_MACADM Oracle Label Security Configuration Procedures
Procedure | Description |
---|---|
CREATE_MAC_POLICY | Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label. |
CREATE_POLICY_LABEL | Labels an identity within an Oracle Label Security policy. |
DELETE_MAC_POLICY_CASCADE | Deletes all Oracle Database Vault objects related to an Oracle Label Security policy. |
DELETE_POLICY_FACTOR | Removes the factor from contributing to the Oracle Label Security label. |
DELETE_POLICY_LABEL | Removes the label from an identity within an Oracle Label Security policy. |
UPDATE_MAC_POLICY | Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label. |
This procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
Syntax
CREATE_MAC_POLICY( policy_name VARCHAR2, algorithm VARCHAR2);
Parameters
Table 11-61 CREATE_MAC_POLICY Parameters
Parameter | Description |
---|---|
policy_name | Name of existing policy. To find existing policies in the current database instance, query the |
algorithm | Algorithm Oracle Label Security applies when it merges two labels. Enter the code listed in Table 11-62 that corresponds to the merge algorithm you want (for example, HUU). For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
Table 11-62 Oracle Label Security Merge Algorithm Codes
Code | Value |
---|---|
HUU | Maximum Level/Union/Union |
HIU | Maximum Level/Intersection/Union |
HMU | Maximum Level/Minus/Union |
HNU | Maximum Level/Null/Union |
HUI | Maximum Level/Union/Intersection |
HII | Maximum Level/Intersection/Intersection |
HMI | Maximum Level/Minus/Intersection |
HNI | Maximum Level/Null/Intersection |
HUM | Maximum Level/Union/Minus |
HIM | Maximum Level/Intersection/Minus |
HMM | Maximum Level/Minus/Minus |
HNM | Maximum Level/Null/Minus |
HUN | Maximum Level/Union/Null |
HIN | Maximum Level/Intersection/Null |
HMN | Maximum Level/Minus/Null |
HNN | Maximum Level/Null/Null |
LUU | Minimum Level/Union/Union |
LIU | Minimum Level/Intersection/Union |
LMU | Minimum Level/Minus/Union |
LNU | Minimum Level/Null/Union |
LUI | Minimum Level/Union/Intersection |
LII | Minimum Level/Intersection/Intersection |
LMI | Minimum Level/Minus/Intersection |
LNI | Minimum Level/Null/Intersection |
LUM | Minimum Level/Union/Minus |
LIM | Minimum Level/Intersection/Minus |
LMM | Minimum Level/Minus/Minus |
LNM | Minimum Level/Null/Minus |
LUN | Minimum Level/Union/Null |
LIN | Minimum Level/Intersection/Null |
LMN | Minimum Level/Minus/Null |
LNN | Minimum Level/Null/Null |
Example
BEGIN DVSYS.DBMS_MACADM.CREATE_MAC_POLICY( policy_name => 'Access Locations', algorithm => 'HUU'); END;
This procedure labels an identity within an Oracle Label Security policy.
Syntax
CREATE_POLICY_LABEL( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, policy_name VARCHAR2, label VARCHAR2);
Parameters
Table 11-63 CREATE_POLICY_LABEL Parameters
Parameter | Description |
---|---|
identity_factor_name | Name of factor being labeled. To find existing factors in the current database instance, query the To find factors that are associated with Oracle Label Security policies, use See also "Label Security Policy Factors" for more information. |
identity_factor_value | Value of identity for the factor being labeled. To find the identities of existing factors in the current database instance, query the |
policy_name | Name of existing policy. To find existing policies in the current database instance, query the |
label | Oracle Label Security label name. To find existing policy labels for factor identifiers, query the |
Example
BEGIN DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL( identity_factor_name => 'App_Host_Name', identity_factor_value => 'Sect2_Fin_Apps', policy_name => 'Access Locations', label => 'Sensitive'); END;
This procedure deletes all Oracle Database Vault objects related to an Oracle Label Security policy.
Syntax
DELETE_MAC_POLICY_CASCADE( policy_name VARCHAR2);
Parameters
Table 11-64 DELETE_MAC_POLICY_CASCADE Parameter
Parameter | Description |
---|---|
policy_name | Name of existing policy. To find existing policies in the current database instance, query the |
Example
EXEC DVSYS.DBMS_MACADM.DELETE_MAC_POLICY_CASCADE('Access Locations');
This procedure removes the factor from contributing to the Oracle Label Security label.
Syntax
DELETE_POLICY_FACTOR( policy_name VARCHAR2, factor_name VARCHAR2);
Parameters
Table 11-65 DELETE_POLICY_FACTOR Parameters
Parameter | Description |
---|---|
policy_name | Name of existing policy. To find existing policies in the current database instance, query the |
factor_name | Name of factor associated with the Oracle Label Security label. To find factors that are associated with Oracle Label Security policies, query |
Example
BEGIN DVSYS.DBMS_MACADM.DELETE_POLICY_FACTOR( policy_name => 'Access Locations', factor_name => 'App_Host_Name'); END;
This procedure removes the label from an identity within an Oracle Label Security policy.
Syntax
DELETE_POLICY_LABEL( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, policy_name VARCHAR2, label VARCHAR2);
Parameters
Table 11-66 DELETE_POLICY_LABEL Parameters
Parameter | Description |
---|---|
identity_factor_name | Name of factor that was labeled. To find existing factors in the current database instance that are associated with Oracle Label Security policies, query See also "Label Security Policy Factors" for more information. |
identity_factor_value | Value of identity for the factor that was labeled. To find the identities of existing factors in the current database instance, query the |
policy_name | Name of existing policy. To find existing policies in the current database instance, query the |
label | Oracle Label Security label name. To find existing policy labels for factor identifiers, query the |
Example
BEGIN DVSYS.DBMS_MACADM.DELETE_POLICY_LABEL( identity_factor_name => 'App_Host_Name', identity_factor_value => 'Sect2_Fin_Apps', policy_name => 'Access Locations', label => 'Sensitive'); END;
This procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
Syntax
UPDATE_MAC_POLICY( policy_name VARCHAR2, algorithm VARCHAR2);
Parameters
Table 11-67 UPDATE_MAC_POLICY Parameters
Parameter | Description |
---|---|
policy_name | Name of existing policy. To find existing policies in the current database instance, query the |
algorithm | Algorithm Oracle Label Security applies when it merges two labels. See Table 11-62 for a listing of the available algorithms. For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
Example
BEGIN DVSYS.DBMS_MACADM.UPDATE_MAC_POLICY( policy_name => 'Access Locations', algorithm => 'LUI'); END;
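The merge code passed to CREATE_MAC_POLICY and UPDATE_MAC_POLICY reads as level/compartments/groups, following the rows of Table 11-62: H or L keeps the higher or lower of the two labels' levels, and U, I, M or N takes the union, intersection, difference or empty set of their compartments and groups. HUU is therefore the most permissive merge and LII the most restrictive, which matters once more than one factor identity contributes to the session label. The block below is an added example, not one from this guide, that strings CREATE_MAC_POLICY, CREATE_POLICY_LABEL and UPDATE_MAC_POLICY together. It assumes DV_OWNER, an Oracle Label Security policy named Access Locations that defines the labels Sensitive and Public, and a factor App_Host_Name with the identities Sect2_Fin_Apps and Sect2_Web_Apps; all of these are constructed for the example.

```sql
-- Added example (not from the guide). Run as a user holding DV_OWNER.
BEGIN
  -- Register the policy with Database Vault. HUU: highest level, union of
  -- compartments, union of groups, so a merge can only widen access.
  DVSYS.DBMS_MACADM.CREATE_MAC_POLICY(
    policy_name => 'Access Locations',
    algorithm   => 'HUU');

  -- Label each identity that should contribute to the session label.
  -- A session arriving through the finance hosts is labelled Sensitive,
  -- one arriving through the public web hosts is labelled Public.
  DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL(
    identity_factor_name  => 'App_Host_Name',
    identity_factor_value => 'Sect2_Fin_Apps',
    policy_name           => 'Access Locations',
    label                 => 'Sensitive');
  DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL(
    identity_factor_name  => 'App_Host_Name',
    identity_factor_value => 'Sect2_Web_Apps',
    policy_name           => 'Access Locations',
    label                 => 'Public');

  -- Tighten the merge. LII: lowest level, intersection of compartments,
  -- intersection of groups. When several labelled identities are merged,
  -- the weakest one now clamps the session label down instead of the
  -- strongest one lifting it up.
  DVSYS.DBMS_MACADM.UPDATE_MAC_POLICY(
    policy_name => 'Access Locations',
    algorithm   => 'LII');
END;
/
```

Choose the merge code from the way the labelled factors are meant to combine: if each factor is an independent condition that must all hold, the minimum-level, intersection variants (L.. with I) give the conservative result; the maximum-level, union variants (H.. with U) are appropriate only where any single factor is by itself sufficient to justify the higher label.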