15 Oracle Database Vault Command Rule APIs

The DBMS_MACADM PL/SQL package provides a set of command rule procedures.

About Command Rule Procedures within DBMS_MACADM

Table 15-1 lists procedures within the DBMS_MACADM package that you can use to configure command rules. Only users who have been granted the DV_OWNER or DV_ADMIN role can use these procedures.

Table 15-1 DBMS_MACADM Command Rule Configuration Procedures

| Procedure | Description |
|---|---|
| CREATE_COMMAND_RULE Procedure | Creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set |
| DELETE_COMMAND_RULE Procedure | Drops a command rule declaration |
| UPDATE_COMMAND_RULE Procedure | Updates a command rule declaration |


CREATE_COMMAND_RULE Procedure

The CREATE_COMMAND_RULE procedure creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set.

Syntax

DBMS_MACADM.CREATE_COMMAND_RULE(
  command         IN VARCHAR2, 
  rule_set_name   IN VARCHAR2, 
  object_owner    IN VARCHAR2, 
  object_name     IN VARCHAR2, 
  enabled         IN VARCHAR2);

Parameters

Table 15-2 CREATE_COMMAND_RULE Parameters

| Parameter | Description |
|---|---|
| command | SQL statement to protect. |
| rule_set_name | Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DVSYS.DBA_DV_RULE_SET View". |
| object_owner | Database schema to which this command rule will apply. The wildcard % is allowed, except for the SELECT, INSERT, UPDATE, DELETE, and EXECUTE statements. To find the available users, query the DBA_USERS view, described in Oracle Database Reference. See also "Object Owner" in "Creating or Editing a Command Rule" for more information. |
| object_name | Object name. (The wildcard % is allowed. See "Object Name" in "Creating or Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference. |
| enabled | DBMS_MACUTL.G_YES (Yes) enables the command rule; DBMS_MACUTL.G_NO (No) disables it. The default is DBMS_MACUTL.G_YES. |


Example

BEGIN
 DBMS_MACADM.CREATE_COMMAND_RULE(
  command         => 'SELECT', 
  rule_set_name   => 'Limit Sector 2 Access', 
  object_owner    => 'SYSADM', 
  object_name     => 'EMP_DATA', 
  enabled         => DBMS_MACUTL.G_YES);
END; 
/

DELETE_COMMAND_RULE Procedure

The DELETE_COMMAND_RULE procedure drops a command rule declaration.

Syntax

DBMS_MACADM.DELETE_COMMAND_RULE(
  command      IN VARCHAR2, 
  object_owner IN VARCHAR2, 
  object_name  IN VARCHAR2); 

Parameters

Table 15-3 DELETE_COMMAND_RULE Parameters

| Parameter | Description |
|---|---|
| command | SQL statement the command rule protects. To find available command rules, query the DVSYS.DBA_DV_COMMAND_RULE view, described in "DVSYS.DBA_DV_COMMAND_RULE View". |
| object_owner | Database schema to which this command rule applies. To find the available users in the current database instance, query the DBA_USERS view, described in Oracle Database Reference. See also "Object Owner" in "Creating or Editing a Command Rule" for more information. |
| object_name | Object name. (The wildcard % is allowed. See "Object Name" in "Creating or Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference. |


Example

BEGIN
 DBMS_MACADM.DELETE_COMMAND_RULE(
  command      => 'SELECT', 
  object_owner => 'SYSADM', 
  object_name  => 'EMP_DATA'); 
END;
/

UPDATE_COMMAND_RULE Procedure

The UPDATE_COMMAND_RULE procedure updates a command rule declaration.

Syntax

DBMS_MACADM.UPDATE_COMMAND_RULE(
  command        IN VARCHAR2, 
  rule_set_name  IN VARCHAR2, 
  object_owner   IN VARCHAR2, 
  object_name    IN VARCHAR2, 
  enabled        IN VARCHAR2); 

Parameters

Table 15-4 UPDATE_COMMAND_RULE Parameters

| Parameter | Description |
|---|---|
| command | SQL statement to protect. |
| rule_set_name | Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in Chapter 22, "Oracle Database Vault Data Dictionary Views." |
| object_owner | Database schema to which this command rule applies. To find the available users, query the DBA_USERS view, described in Oracle Database Reference. See also "Object Owner" in "Creating or Editing a Command Rule" for more information. |
| object_name | Object name. (The wildcard % is allowed. See "Object Name" in "Creating or Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference. |
| enabled | DBMS_MACUTL.G_YES (Yes) enables the command rule; DBMS_MACUTL.G_NO (No) disables it. The default for enabled is the previously set value, which you can find by querying the DVSYS.DBA_DV_COMMAND_RULE data dictionary view. |


Example

BEGIN
 DBMS_MACADM.UPDATE_COMMAND_RULE(
  command         => 'SELECT', 
  rule_set_name   => 'Limit Sector 2 Access', 
  object_owner    => 'SYSADM', 
  object_name     => '%', 
  enabled         => DBMS_MACUTL.G_NO);
END;
/
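
The following block is an added example, not part of the original Oracle documentation. It combines the procedures above into a repeatable "create or update" step that checks the object_owner wildcard restriction and the rule set name before changing anything. It assumes the DVSYS.DBA_DV_RULE_SET and DVSYS.DBA_DV_COMMAND_RULE views expose the RULE_SET_NAME, COMMAND, OBJECT_OWNER, OBJECT_NAME and ENABLED columns; the variable names and the -20001/-20002 error codes are illustrative.

```sql
-- Added example: create the command rule if absent, otherwise update it.
-- Run as a user granted DV_OWNER or DV_ADMIN; error codes are arbitrary.
DECLARE
  l_command   VARCHAR2(128) := 'SELECT';
  l_rule_set  VARCHAR2(128) := 'Limit Sector 2 Access';
  l_owner     VARCHAR2(128) := 'SYSADM';
  l_object    VARCHAR2(128) := 'EMP_DATA';
  l_count     PLS_INTEGER;
BEGIN
  -- The % wildcard is not allowed in object_owner for these statements.
  IF l_owner = '%'
     AND l_command IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'object_owner cannot be % for ' || l_command);
  END IF;

  -- Stop early with a clear message if the rule set name is not defined.
  SELECT COUNT(*) INTO l_count
    FROM DVSYS.DBA_DV_RULE_SET
   WHERE rule_set_name = l_rule_set;
  IF l_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Rule set not found: ' || l_rule_set);
  END IF;

  -- Is there already a command rule for this command/owner/object?
  SELECT COUNT(*) INTO l_count
    FROM DVSYS.DBA_DV_COMMAND_RULE
   WHERE command = l_command
     AND object_owner = l_owner
     AND object_name = l_object;

  IF l_count = 0 THEN
    DBMS_MACADM.CREATE_COMMAND_RULE(
      command => l_command, rule_set_name => l_rule_set,
      object_owner => l_owner, object_name => l_object,
      enabled => DBMS_MACUTL.G_YES);
  ELSE
    DBMS_MACADM.UPDATE_COMMAND_RULE(
      command => l_command, rule_set_name => l_rule_set,
      object_owner => l_owner, object_name => l_object,
      enabled => DBMS_MACUTL.G_YES);
  END IF;
END;
/

-- Confirm the resulting declaration and its enabled state.
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE command = 'SELECT' AND object_owner = 'SYSADM' AND object_name = 'EMP_DATA';
```

Passing enabled explicitly on the update path avoids silently inheriting a previously disabled state, since UPDATE_COMMAND_RULE otherwise keeps the earlier value.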