You can use the DBMS_MACADM
PL/SQL package, a set of standalone Oracle Database Vault rule procedures and functions, and DVF
PL/SQL functions to manage factors.
The DBMS_MACADM PL/SQL package provides procedures that enable you to manage factors, factor types, and factor identities.
Table 16-1 lists the procedures and functions within the DBMS_MACADM package that you can use to configure factors. Only users who have been granted the DV_OWNER or DV_ADMIN role can use these procedures and functions.

Table 16-1 DBMS_MACADM Factor Configuration Procedures

Procedure or Function | Description |
---|---|
ADD_FACTOR_LINK | Specifies a parent-child relationship for two factors |
ADD_POLICY_FACTOR | Specifies that the label for a factor contributes to the Oracle Label Security label for a policy |
CHANGE_IDENTITY_FACTOR | Associates an identity with a different factor |
CHANGE_IDENTITY_VALUE | Updates the value of an identity |
CREATE_DOMAIN_IDENTITY | Adds an Oracle RAC database node to the domain factor identities and labels it according to the Oracle Label Security policy |
CREATE_FACTOR | Creates a factor |
CREATE_FACTOR_TYPE | Creates a user-defined factor type |
CREATE_IDENTITY | Assigns an identity and an associated trust level to a factor |
CREATE_IDENTITY_MAP | Defines a set of tests used to derive the identity of a factor from the values of linked child factors |
DELETE_FACTOR | Deletes a factor |
DELETE_FACTOR_LINK | Removes a parent-child relationship for two factors |
DELETE_FACTOR_TYPE | Deletes a factor type |
DELETE_IDENTITY | Removes an identity from an existing factor |
DELETE_IDENTITY_MAP | Removes an identity map for a factor |
DROP_DOMAIN_IDENTITY | Removes an Oracle RAC database node from a domain |
GET_INSTANCE_INFO | Returns information about the current database instance from the V$INSTANCE view |
GET_SESSION_INFO | Returns information about the current session from the V$SESSION view |
RENAME_FACTOR | Renames a factor |
RENAME_FACTOR_TYPE | Renames a factor type |
UPDATE_FACTOR | Updates a factor |
UPDATE_FACTOR_TYPE | Updates a factor type |
UPDATE_IDENTITY | Updates the trust level of a factor identity |
See Also:
Chapter 8, "Configuring Factors," for detailed information about factors
Chapter 19, "Oracle Database Vault Utility APIs," for a set of general-purpose utility procedures that you can use with the factor procedures and functions
The ADD_FACTOR_LINK
procedure specifies a parent-child relationship for two factors.
DBMS_MACADM.ADD_FACTOR_LINK(
  parent_factor_name IN VARCHAR2,
  child_factor_name  IN VARCHAR2,
  label_indicator    IN VARCHAR2);

Table 16-2 ADD_FACTOR_LINK Parameters

Parameter | Description |
---|---|
parent_factor_name | Parent factor name. To find existing parent and child factors in the current database instance, query the DBA_DV_FACTOR_LINK view. |
child_factor_name | Child factor name. |
label_indicator | Indicates whether the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either DBMS_MACUTL.G_YES or DBMS_MACUTL.G_NO. To find the Oracle Label Security policies and labels associated with factors, query the DBA_DV_MAC_POLICY_FACTOR and DBA_DV_POLICY_LABEL views, described in Chapter 22, "Oracle Database Vault Data Dictionary Views". |

BEGIN
  DBMS_MACADM.ADD_FACTOR_LINK(
    parent_factor_name => 'HQ_ClientID',
    child_factor_name  => 'Div1_ClientID',
    label_indicator    => DBMS_MACUTL.G_YES);
END;
/
The ADD_POLICY_FACTOR
procedure specifies that the label for a factor contributes to the Oracle Label Security label for a policy.
DBMS_MACADM.ADD_POLICY_FACTOR(
  policy_name IN VARCHAR2,
  factor_name IN VARCHAR2);

Table 16-3 ADD_POLICY_FACTOR Parameters

Parameter | Description |
---|---|
policy_name | Oracle Label Security policy name. To find the policies defined in the current database instance, query the DBA_DV_MAC_POLICY view. To find factors that are associated with Oracle Label Security policies, query DBA_DV_MAC_POLICY_FACTOR. |
factor_name | Factor name. To find existing factors, query the DBA_DV_FACTOR view. |

BEGIN
  DBMS_MACADM.ADD_POLICY_FACTOR(
    policy_name => 'AccessData',
    factor_name => 'Sector2_ClientID');
END;
/
The CHANGE_IDENTITY_FACTOR
procedure associates an identity with a different factor.
DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
  factor_name     IN VARCHAR2,
  value           IN VARCHAR2,
  new_factor_name IN VARCHAR2);

Table 16-4 CHANGE_IDENTITY_FACTOR Parameters

Parameter | Description |
---|---|
factor_name | Current factor name. To find existing factors, query the DBA_DV_FACTOR view. |
value | Value of the identity to update. To find existing identities for each factor in the current database instance, query the DBA_DV_IDENTITY view. To find current identity mappings, query the DBA_DV_IDENTITY_MAP view. |
new_factor_name | Name of the factor to associate with the identity, which you can find by querying the DBA_DV_FACTOR view. |

BEGIN
  DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
    factor_name     => 'Sector2_ClientID',
    value           => 'intranet',
    new_factor_name => 'Sector4_ClientID');
END;
/
The CHANGE_IDENTITY_VALUE procedure updates the value of an identity.

DBMS_MACADM.CHANGE_IDENTITY_VALUE(
  factor_name IN VARCHAR2,
  value       IN VARCHAR2,
  new_value   IN VARCHAR2);

Table 16-5 CHANGE_IDENTITY_VALUE Parameters

Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors, query the DBA_DV_FACTOR view. |
value | Current value associated with the identity. To find existing identities for each factor in the current database instance, query the DBA_DV_IDENTITY view. To find current identity mappings, query the DBA_DV_IDENTITY_MAP view. |
new_value | New identity value, up to 1024 characters in mixed-case. |

BEGIN
  DBMS_MACADM.CHANGE_IDENTITY_VALUE(
    factor_name => 'Sector2_ClientID',
    value       => 'remote',
    new_value   => 'intranet');
END;
/
The CREATE_DOMAIN_IDENTITY
procedure adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.
DBMS_MACADM.CREATE_DOMAIN_IDENTITY(
  domain_name  IN VARCHAR2,
  domain_host  IN VARCHAR2,
  policy_name  IN VARCHAR2 DEFAULT NULL,
  domain_label IN VARCHAR2 DEFAULT NULL);

Table 16-6 CREATE_DOMAIN_IDENTITY Parameters

Parameter | Description |
---|---|
domain_name | Name of the domain to which to add the host. To find the logical location of the database within the network structure of a distributed database system, run the DVF.F$DATABASE_DOMAIN function. |
domain_host | Oracle Real Application Clusters host name being added to the domain. To find the host name of a database, run the DVF.F$DATABASE_HOSTNAME function. |
policy_name | Oracle Label Security policy name. If you omit the policy name, then the domain is not associated with any policy. To find the available policies, query the DBA_DV_MAC_POLICY view. |
domain_label | Oracle Label Security label, defined under the policy named in policy_name, to assign to the domain identity. |

BEGIN
  DBMS_MACADM.CREATE_DOMAIN_IDENTITY(
    domain_name  => 'example',
    domain_host  => 'mydom_host',
    policy_name  => 'AccessData',
    domain_label => 'sensitive');
END;
/
The CREATE_FACTOR
procedure creates a factor. After you create a factor, you can give it an identity by using the CREATE_IDENTITY
procedure, described in "CREATE_IDENTITY Procedure".
DBMS_MACADM.CREATE_FACTOR(
  factor_name      IN VARCHAR2,
  factor_type_name IN VARCHAR2,
  description      IN VARCHAR2,
  rule_set_name    IN VARCHAR2,
  get_expr         IN VARCHAR2,
  validate_expr    IN VARCHAR2,
  identify_by      IN NUMBER,
  labeled_by       IN NUMBER,
  eval_options     IN NUMBER,
  audit_options    IN NUMBER,
  fail_options     IN NUMBER);

Table 16-7 CREATE_FACTOR Parameters

Parameter | Description |
---|---|
factor_name | Factor name, up to 28 characters in mixed-case, without spaces. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |
factor_type_name | Type of the factor, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the DBA_DV_FACTOR_TYPE view. |
description | Description of the purpose of the factor, up to 1024 characters in mixed-case. |
rule_set_name | Rule set name if you want to use a rule set to control when and how a factor identity is set. To find existing rule sets, query the DBA_DV_RULE_SET view. |
get_expr | Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Setting the Retrieval Method for a Factor" for more information. See also the DVF factor functions listed in Table 16-31, which are commonly used in retrieval expressions. |
validate_expr | Name of the function that validates the factor. This is a valid PL/SQL expression that returns a Boolean value (TRUE or FALSE). |
identify_by | Options for determining the identity of a factor, based on the expression set for the get_expr parameter: DBMS_MACUTL.G_IDENTIFY_BY_CONSTANT, DBMS_MACUTL.G_IDENTIFY_BY_METHOD, DBMS_MACUTL.G_IDENTIFY_BY_FACTOR, or DBMS_MACUTL.G_IDENTIFY_BY_CONTEXT. See "Setting the Factor Identification Information" for more information. |
labeled_by | Options for labeling the factor: DBMS_MACUTL.G_LABELED_BY_SELF or DBMS_MACUTL.G_LABELED_BY_FACTORS. See "Setting the Oracle Label Security Labeling Information for a Factor" for more information. |
eval_options | Options for evaluating the factor when the user logs on: DBMS_MACUTL.G_EVAL_ON_SESSION (evaluate once at session start) or DBMS_MACUTL.G_EVAL_ON_ACCESS (evaluate on every access); Chapter 19 lists the DBMS_MACUTL constants. See "Setting the Evaluation Information for a Factor" for more information. |
audit_options | Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record, such as DBMS_MACUTL.G_AUDIT_OFF or DBMS_MACUTL.G_AUDIT_ALWAYS; Chapter 19 lists the complete set. See "Setting Audit Options for a Factor" for more information. |
fail_options | Options for reporting factor errors: DBMS_MACUTL.G_FAIL_WITH_MESSAGE or DBMS_MACUTL.G_FAIL_SILENTLY. See "Setting Error Options for a Factor" for more information. |

BEGIN
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Sector2_DB',
    factor_type_name => 'Instance',
    description      => ' ',
    rule_set_name    => 'Limit_DBA_Access',
    get_expr         => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))',
    validate_expr    => 'dbavowner.check_db_access',
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_SILENTLY);
END;
/
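The example above names a validation function, dbavowner.check_db_access, but the page does not show one. What follows is an added example, not code from the original page or from Oracle: a validation function of the kind validate_expr expects, returning TRUE only when the identity produced by the retrieval method has been registered for the factor with CREATE_IDENTITY and carries a non-negative trust level. The DBAVOWNER schema, the single-argument signature that receives the candidate identity, and a grant of SELECT on DVSYS.DBA_DV_IDENTITY to DBAVOWNER are assumptions.

```sql
-- Added example (not from the original page): a validation function for the
-- Sector2_DB factor created above. Assumptions: the DBAVOWNER schema, the
-- one-argument signature (Database Vault passes the candidate identity), and
-- SELECT on DVSYS.DBA_DV_IDENTITY having been granted to DBAVOWNER.
CREATE OR REPLACE FUNCTION dbavowner.check_db_access (
  p_identity IN VARCHAR2)
RETURN BOOLEAN
AS
  l_count PLS_INTEGER := 0;
BEGIN
  -- A missing identity is never valid: do not let a NULL DB_NAME slip through.
  IF p_identity IS NULL THEN
    RETURN FALSE;
  END IF;

  -- Accept the identity only if it was registered for this factor with
  -- CREATE_IDENTITY and carries a non-negative trust level. Negative trust
  -- levels mean "not trusted", so they are rejected here as well.
  SELECT COUNT(*)
    INTO l_count
    FROM dvsys.dba_dv_identity
   WHERE factor_name = 'Sector2_DB'
     AND value       = p_identity
     AND trust_level >= 0;

  RETURN l_count > 0;
EXCEPTION
  WHEN OTHERS THEN
    -- Fail closed: an error while validating is treated as "not valid".
    RETURN FALSE;
END check_db_access;
/

-- Once CREATE_FACTOR (as in the example above) has registered the factor,
-- a new session resolves it through the generated DVF function. If the
-- validation function rejected the identity, the factor is not set and this
-- query returns NULL; with fail_options => DBMS_MACUTL.G_FAIL_SILENTLY no
-- error is shown to the user, so this query is how you notice the rejection.
SELECT DVF.F$SECTOR2_DB FROM DUAL;
```

Keeping the accepted identities in DBA_DV_IDENTITY rather than hard-coding them in the function means that changing the trust level of an identity with UPDATE_IDENTITY, or deleting it with DELETE_IDENTITY, changes what the validation accepts without recompiling anything.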
The CREATE_FACTOR_TYPE
procedure creates a user-defined factor type.
DBMS_MACADM.CREATE_FACTOR_TYPE(
  name        IN VARCHAR2,
  description IN VARCHAR2);

Table 16-8 CREATE_FACTOR_TYPE Parameters

Parameter | Description |
---|---|
name | Factor type name, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the DBA_DV_FACTOR_TYPE view. |
description | Description of the purpose of the factor type, up to 1024 characters in mixed-case. |

BEGIN
  DBMS_MACADM.CREATE_FACTOR_TYPE(
    name        => 'Sector2Instance',
    description => 'Checks DB instances used in Sector 2');
END;
/
The CREATE_IDENTITY
procedure assigns an identity and an associated trust level for a given factor. After you create a factor, you must assign it an identity.
DBMS_MACADM.CREATE_IDENTITY(
  factor_name IN VARCHAR2,
  value       IN VARCHAR2,
  trust_level IN NUMBER);

Table 16-9 CREATE_IDENTITY Parameters

Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors, query the DBA_DV_FACTOR view. |
value | The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address 192.0.2.12. |
trust_level | Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security. |

BEGIN
  DBMS_MACADM.CREATE_IDENTITY(
    factor_name => 'Sector2_ClientID',
    value       => 'intranet',
    trust_level => 5);
END;
/
The CREATE_IDENTITY_MAP
procedure defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors).
DBMS_MACADM.CREATE_IDENTITY_MAP(
  identity_factor_name  IN VARCHAR2,
  identity_factor_value IN VARCHAR2,
  parent_factor_name    IN VARCHAR2,
  child_factor_name     IN VARCHAR2,
  operation             IN VARCHAR2,
  operand1              IN VARCHAR2,
  operand2              IN VARCHAR2);

Table 16-10 CREATE_IDENTITY_MAP Parameters

Parameter | Description |
---|---|
identity_factor_name | Factor the identity map is for. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |
identity_factor_value | Value the factor assumes if the identity map evaluates to TRUE. To find existing factor identities, query the DBA_DV_IDENTITY view. To find current factor identity mappings, use the DBA_DV_IDENTITY_MAP view. |
parent_factor_name | The parent factor link to which the map is related. To find existing parent-child factor mappings, query the DBA_DV_FACTOR_LINK view. |
child_factor_name | The child factor link to which the map is related. |
operation | Relational operator for the identity map (for example, <, >, =, and so on). |
operand1 | Left operand for the relational operator; refers to the low value you enter. |
operand2 | Right operand for the relational operator; refers to the high value you enter. |

BEGIN
  DBMS_MACADM.CREATE_IDENTITY_MAP(
    identity_factor_name  => 'Sector2_ClientID',
    identity_factor_value => 'intranet',
    parent_factor_name    => 'HQ_ClientID',
    child_factor_name     => 'Div1_ClientID',
    operation             => '<',
    operand1              => '192.0.2.50',
    operand2              => '192.0.2.100');
END;
/
The DELETE_FACTOR
procedure deletes a factor.
DBMS_MACADM.DELETE_FACTOR(
  factor_name IN VARCHAR2);

Table 16-11 DELETE_FACTOR Parameter

Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |

EXEC DBMS_MACADM.DELETE_FACTOR('Sector2_ClientID');
The DELETE_FACTOR_LINK
procedure removes a parent-child relationship for two factors.
DBMS_MACADM.DELETE_FACTOR_LINK(
  parent_factor_name IN VARCHAR2,
  child_factor_name  IN VARCHAR2);

Table 16-12 DELETE_FACTOR_LINK Parameters

Parameter | Description |
---|---|
parent_factor_name | Parent factor name. To find factors that are used in parent-child mappings in the current database instance, query the DBA_DV_FACTOR_LINK view. |
child_factor_name | Child factor name. |

BEGIN
  DBMS_MACADM.DELETE_FACTOR_LINK(
    parent_factor_name => 'HQ_ClientID',
    child_factor_name  => 'Div1_ClientID');
END;
/
The DELETE_FACTOR_TYPE
procedure deletes a factor type.
DBMS_MACADM.DELETE_FACTOR_TYPE(
  name IN VARCHAR2);

Table 16-13 DELETE_FACTOR_TYPE Parameter

Parameter | Description |
---|---|
name | Factor type name. To find existing factor types, query the DBA_DV_FACTOR_TYPE view. |

EXEC DBMS_MACADM.DELETE_FACTOR_TYPE('Sector2Instance');
The DELETE_IDENTITY
procedure removes an identity from an existing factor.
DBMS_MACADM.DELETE_IDENTITY(
  factor_name IN VARCHAR2,
  value       IN VARCHAR2);

Table 16-14 DELETE_IDENTITY Parameters

Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |
value | Identity value associated with the factor. To find the identities for each factor in the current database instance, query the DBA_DV_IDENTITY view. |

BEGIN
  DBMS_MACADM.DELETE_IDENTITY(
    factor_name => 'Sector2_ClientID',
    value       => 'intranet');
END;
/
The DELETE_IDENTITY_MAP
procedure removes an identity map for a factor.
DBMS_MACADM.DELETE_IDENTITY_MAP(
  identity_factor_name  IN VARCHAR2,
  identity_factor_value IN VARCHAR2,
  parent_factor_name    IN VARCHAR2,
  child_factor_name     IN VARCHAR2,
  operation             IN VARCHAR2,
  operand1              IN VARCHAR2,
  operand2              IN VARCHAR2);

Table 16-15 DELETE_IDENTITY_MAP Parameters

Parameter | Description |
---|---|
identity_factor_name | Factor the identity map is for. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |
identity_factor_value | Value the factor assumes if the identity map evaluates to TRUE. To find existing factor identities, query the DBA_DV_IDENTITY view. To find current factor identity mappings, query DBA_DV_IDENTITY_MAP. |
parent_factor_name | The parent factor link to which the map is related. To find existing parent-child factors, query the DBA_DV_FACTOR_LINK view. |
child_factor_name | The child factor to which the map is related. |
operation | Relational operator for the identity map (for example, <, >, =, and so on). |
operand1 | Left (low value) operand for the relational operator. |
operand2 | Right (high value) operand for the relational operator. |

BEGIN
  DBMS_MACADM.DELETE_IDENTITY_MAP(
    identity_factor_name  => 'Sector2_ClientID',
    identity_factor_value => 'intranet',
    parent_factor_name    => 'HQ_ClientID',
    child_factor_name     => 'Div1_ClientID',
    operation             => '<',
    operand1              => '192.0.2.10',
    operand2              => '192.0.2.15');
END;
/
The DROP_DOMAIN_IDENTITY
procedure removes an Oracle Real Application Clusters database node from a domain.
DBMS_MACADM.DROP_DOMAIN_IDENTITY(
  domain_name IN VARCHAR2,
  domain_host IN VARCHAR2);

Table 16-16 DROP_DOMAIN_IDENTITY Parameters

Parameter | Description |
---|---|
domain_name | Name of the domain to which the host was added. To find the domain of a database as specified by the DB_DOMAIN initialization parameter, run the DVF.F$DATABASE_DOMAIN function. |
domain_host | Oracle Real Application Clusters host name that was added to the domain. To find the host name for a specified database, run the DVF.F$DATABASE_HOSTNAME function. |

BEGIN
  DBMS_MACADM.DROP_DOMAIN_IDENTITY(
    domain_name => 'example',
    domain_host => 'mydom_host');
END;
/
The GET_INSTANCE_INFO function returns information about the current database instance from the SYS.V_$INSTANCE fixed view. The V$INSTANCE data dictionary view exposes the same instance information. See Oracle Database Reference for more information.

DBMS_MACADM.GET_INSTANCE_INFO(
  p_parameter IN VARCHAR2)
RETURN VARCHAR2;

Table 16-17 GET_INSTANCE_INFO Parameter

Parameter | Description |
---|---|
p_parameter | Column name in the V$INSTANCE view whose value is to be returned (for example, INSTANCE_NAME). |

DECLARE
  instance_var VARCHAR2(4000);
BEGIN
  instance_var := DBMS_MACADM.GET_INSTANCE_INFO('INSTANCE_NAME');
  DBMS_OUTPUT.PUT_LINE(instance_var);
END;
/
The GET_SESSION_INFO function returns information about the current session from the SYS.V_$SESSION fixed view. The V$SESSION data dictionary view exposes the same session information. See Oracle Database Reference for more information.

DBMS_MACADM.GET_SESSION_INFO(
  p_parameter IN VARCHAR2)
RETURN VARCHAR2;

Table 16-18 GET_SESSION_INFO Parameter

Parameter | Description |
---|---|
p_parameter | Column name in the V$SESSION view whose value is to be returned (for example, PROCESS). |

DECLARE
  session_var VARCHAR2(4000);
BEGIN
  session_var := DBMS_MACADM.GET_SESSION_INFO('PROCESS');
  DBMS_OUTPUT.PUT_LINE(session_var);
END;
/
The RENAME_FACTOR
procedure renames a factor. The name change takes effect everywhere the factor is used.
DBMS_MACADM.RENAME_FACTOR(
  factor_name     IN VARCHAR2,
  new_factor_name IN VARCHAR2);

Table 16-19 RENAME_FACTOR Parameters

Parameter | Description |
---|---|
factor_name | Current factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |
new_factor_name | New factor name, up to 28 characters in mixed-case, without spaces. |

BEGIN
  DBMS_MACADM.RENAME_FACTOR(
    factor_name     => 'Sector2_ClientID',
    new_factor_name => 'Sector2_Clients');
END;
/
The RENAME_FACTOR_TYPE procedure renames a factor type. The name change takes effect everywhere the factor type is used.

DBMS_MACADM.RENAME_FACTOR_TYPE(
  old_name IN VARCHAR2,
  new_name IN VARCHAR2);

Table 16-20 RENAME_FACTOR_TYPE Parameters

Parameter | Description |
---|---|
old_name | Current factor type name. To find existing factor types in the current database instance, query the DBA_DV_FACTOR_TYPE view. |
new_name | New factor type name, up to 30 characters in mixed-case, without spaces. |

BEGIN
  DBMS_MACADM.RENAME_FACTOR_TYPE(
    old_name => 'Sector2Instance',
    new_name => 'Sector2DBInstance');
END;
/
The UPDATE_FACTOR procedure updates a factor. Its parameters are the same as those of CREATE_FACTOR.

DBMS_MACADM.UPDATE_FACTOR(
  factor_name      IN VARCHAR2,
  factor_type_name IN VARCHAR2,
  description      IN VARCHAR2,
  rule_set_name    IN VARCHAR2,
  get_expr         IN VARCHAR2,
  validate_expr    IN VARCHAR2,
  identify_by      IN NUMBER,
  labeled_by       IN NUMBER,
  eval_options     IN NUMBER,
  audit_options    IN NUMBER,
  fail_options     IN NUMBER);

Table 16-21 UPDATE_FACTOR Parameters

Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |
factor_type_name | Factor type name. To find existing factor types, query the DBA_DV_FACTOR_TYPE view. |
description | Description of the purpose of the factor, up to 1024 characters in mixed-case. |
rule_set_name | Name of the rule set used to control when and how a factor identity is set. To find existing rule sets, query the DBA_DV_RULE_SET view. See also "Assigning a Rule Set to a Factor" for more information about assigning rule sets to factors. |
get_expr | Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Setting the Retrieval Method for a Factor" for more information. See also the DVF factor functions listed in Table 16-31. |
validate_expr | Name of the function that validates the factor. This is a valid PL/SQL expression that returns a Boolean value (TRUE or FALSE). |
identify_by | Options for determining the identity of a factor, based on the expression set for the get_expr parameter: DBMS_MACUTL.G_IDENTIFY_BY_CONSTANT, DBMS_MACUTL.G_IDENTIFY_BY_METHOD, DBMS_MACUTL.G_IDENTIFY_BY_FACTOR, or DBMS_MACUTL.G_IDENTIFY_BY_CONTEXT. See "Setting the Factor Identification Information" for more information. |
labeled_by | Options for labeling the factor: DBMS_MACUTL.G_LABELED_BY_SELF or DBMS_MACUTL.G_LABELED_BY_FACTORS. See "Setting the Oracle Label Security Labeling Information for a Factor" for more information, including the default. |
eval_options | Options for evaluating the factor when the user logs on: DBMS_MACUTL.G_EVAL_ON_SESSION or DBMS_MACUTL.G_EVAL_ON_ACCESS. See "Setting the Evaluation Information for a Factor" for more information, including the default. |
audit_options | Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record, such as DBMS_MACUTL.G_AUDIT_OFF or DBMS_MACUTL.G_AUDIT_ALWAYS; Chapter 19 lists the complete set. See "Setting Audit Options for a Factor" for more information, including the default. |
fail_options | Options for reporting factor errors: DBMS_MACUTL.G_FAIL_WITH_MESSAGE or DBMS_MACUTL.G_FAIL_SILENTLY. See "Setting Error Options for a Factor" for more information, including the default. |

The following example switches the Sector2_DB factor from the silent, unaudited configuration of the CREATE_FACTOR example to per-access evaluation with auditing and user-visible error messages:

BEGIN
  DBMS_MACADM.UPDATE_FACTOR(
    factor_name      => 'Sector2_DB',
    factor_type_name => 'Instance',
    description      => ' ',
    rule_set_name    => 'Limit_DBA_Access',
    get_expr         => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))',
    validate_expr    => 'dbavowner.check_db_access',
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_ACCESS,
    audit_options    => DBMS_MACUTL.G_AUDIT_ALWAYS,
    fail_options     => DBMS_MACUTL.G_FAIL_WITH_MESSAGE);
END;
/
The UPDATE_FACTOR_TYPE
procedure updates a factor type.
DBMS_MACADM.UPDATE_FACTOR_TYPE(
  name        IN VARCHAR2,
  description IN VARCHAR2);

Table 16-22 UPDATE_FACTOR_TYPE Parameters

Parameter | Description |
---|---|
name | Factor type name. To find existing factor types in the current database instance, query the DBA_DV_FACTOR_TYPE view. |
description | Description of the purpose of the factor type, up to 1024 characters in mixed-case. |

BEGIN
  DBMS_MACADM.UPDATE_FACTOR_TYPE(
    name        => 'Sector2DBInstance',
    description => 'Checks DB instances used in Sector 2');
END;
/
The UPDATE_IDENTITY
procedure updates the trust level of a factor identity.
DBMS_MACADM.UPDATE_IDENTITY(
  factor_name IN VARCHAR2,
  value       IN VARCHAR2,
  trust_level IN NUMBER);

Table 16-23 UPDATE_IDENTITY Parameters

Parameter | Description |
---|---|
factor_name | Factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. To find factors that have identities, query DBA_DV_IDENTITY. |
value | Existing identity of the factor whose trust level is to be updated, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address 192.0.2.12. |
trust_level | Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security. |

BEGIN
  DBMS_MACADM.UPDATE_IDENTITY(
    factor_name => 'Sector2_ClientID',
    value       => 'intranet',
    trust_level => 10);
END;
/
You can use a set of standalone procedures and functions to manage factors.
Oracle Database Vault provides a set of procedural interfaces to administer various Database Vault security options and manage Database Vault security enforcements.
There are also procedures and functions that expose the logic to validate a DDL command for realm violations and command authorizations. Additional procedures and functions set the value of a factor (for example, from a Web application), provided that the factor's associated rule set evaluates to true; retrieve the trust level for a session or for a specific factor identity; and get the label for a factor identity. These procedures and functions exist so that a database administrator does not have to grant the EXECUTE privilege on all DVSYS package procedures to the general database account population: they expose only the minimum methods that are required. All of them are publicly available for applications that need them.
Table 16-24 lists the default run-time PL/SQL procedures and functions for factors.
Table 16-24 Run-Time PL/SQL Procedures and Functions

Procedure or Function | Description |
---|---|
SET_FACTOR | Sets a factor |
GET_FACTOR | Retrieves a factor |
GET_TRUST_LEVEL | Retrieves the trust level assigned to a factor |
GET_TRUST_LEVEL_FOR_IDENTITY | Retrieves the trust level for a specified factor and an identity |
ROLE_IS_ENABLED | Checks whether the specified database role is enabled |
GET_FACTOR_LABEL | Retrieves the label for the specified factor when the factor has a label assigned to it for the specified Oracle Label Security policy |
The SET_FACTOR
procedure can be exposed to an application that requires the ability to set factor identities dynamically.
It wraps the package procedure DBMS_MACADM.SET_FACTOR
. When a factor has a rule set associated with it for assignment and if the rule set returns true, then the value is set. Normal rule set handling occurs, and the factor value (identity) validation method is called. This procedure is available (to execute) to the general database account population.
DVSYS.SET_FACTOR(
  p_factor IN VARCHAR2,
  p_value  IN VARCHAR2);

Table 16-25 SET_FACTOR Parameters

Parameter | Description |
---|---|
p_factor | Factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |
p_value | Identity value, up to 1024 characters in mixed case. To find the identities for each factor in the current database instance, query the DBA_DV_IDENTITY view. |

EXECUTE DVSYS.SET_FACTOR('Sector2_ClientID', 'identity');
The GET_FACTOR function is exposed to the DVF schema so that the public factor functions (the F$ functions in the DVF schema) can resolve the identity of a factor. The return type is VARCHAR2. This function is available (to execute) to the general database account population.

DVSYS.GET_FACTOR(
  p_factor IN VARCHAR2)
RETURN VARCHAR2;

Table 16-26 GET_FACTOR Parameter

Parameter | Description |
---|---|
p_factor | Factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Get Client ID Factor Identity',
    rule_expr => 'DVSYS.GET_FACTOR(''Sector2_ClientID'')');
END;
/
The GET_TRUST_LEVEL
function returns the trust level of the current session identity for the factor requested. The return type is VARCHAR2
.
This function is available (to execute) to the general database account population. See "Creating and Configuring a Factor Identity" for a listing of the available trust levels.
DVSYS.GET_TRUST_LEVEL(
  p_factor IN VARCHAR2)
RETURN VARCHAR2;

Table 16-27 GET_TRUST_LEVEL Parameter

Parameter | Description |
---|---|
p_factor | Factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Get Client ID Trust Level',
    rule_expr => 'DVSYS.GET_TRUST_LEVEL(''Sector2_ClientID'')');
END;
/
The GET_TRUST_LEVEL_FOR_IDENTITY
function returns the trust level for the factor and identity requested. The return type is VARCHAR2
.
This function is available (to execute) to the general database account population. See "Creating and Configuring a Factor Identity" for a listing of the available trust levels.
DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY(
  p_factor   IN VARCHAR2,
  p_identity IN VARCHAR2)
RETURN VARCHAR2;

Table 16-28 GET_TRUST_LEVEL_FOR_IDENTITY Parameters

Parameter | Description |
---|---|
p_factor | Factor name. To find existing factors in the current database instance, query the DBA_DV_FACTOR view. |
p_identity | Identity value. To find the identities for each factor in the current database instance, use the DBA_DV_IDENTITY view. |

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Get Client ID Identity Trust Level',
    rule_expr => 'DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY(''Sector2_ClientID'', ''identity'')');
END;
/
The ROLE_IS_ENABLED
function returns a boolean value that specifies whether a database role has been enabled. The return type is BOOLEAN
.
This function is available (to execute) to the general database account population.
DVSYS.ROLE_IS_ENABLED(
  p_role IN VARCHAR2)
RETURN BOOLEAN;

Table 16-29 ROLE_IS_ENABLED Parameter

Parameter | Description |
---|---|
p_role | Database role name to check. To find existing roles, use the DBA_ROLES, DBA_ROLE_PRIVS, USER_ROLE_PRIVS, ROLE_ROLE_PRIVS, and SESSION_ROLES data dictionary views. |

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check if SYSADM Role Is Enabled',
    rule_expr => 'DVSYS.ROLE_IS_ENABLED(''SYSADM'')');
END;
/
The GET_FACTOR_LABEL
function returns the label for the specified factor when the factor has a label assigned to it for the specified Oracle Label Security policy. The return type is VARCHAR2
.
The function returns a label that is merged with the maximum session label for the policy if the policy is configured with Oracle Label Security. The function is available (to execute) to the general database population.
DVSYS.GET_FACTOR_LABEL(
  p_factor      IN VARCHAR2,
  p_policy_name IN VARCHAR2)
RETURN VARCHAR2;

Table 16-30 GET_FACTOR_LABEL Parameters

Parameter | Description |
---|---|
p_factor | Factor name. To find the available factors in the current database instance, query the DBA_DV_FACTOR view. See "DVSYS.DBA_DV_FACTOR View" and "DVSYS.DBA_DV_MAC_POLICY_FACTOR View". |
p_policy_name | Oracle Label Security policy name. Use the DBA_DV_MAC_POLICY and DBA_DV_MAC_POLICY_FACTOR data dictionary views to find information about policies and factors in the current database instance. |

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Get the ClientID Factor Label',
    rule_expr => 'DVSYS.GET_FACTOR_LABEL(''Sector2_ClientID'', ''Access Locations'')');
END;
/
In addition to the functions and procedures made available from the DVSYS
schema, the DVF
schema contains a single function for each factor defined in the system.
Oracle Database Vault maintains the DVF
schema functions when you use the DBMS_MACADM
PL/SQL package to manage the various factors. The functions are then available to the general database account population through PL/SQL functions and standard SQL. This enables factors to be used in Oracle Label Security, Oracle Virtual Private Database (VPD), and so on.
Typically, you can incorporate these functions into rule expressions. For example:
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Not Internal DBA',
    rule_expr => 'DVF.F$SESSION_USER NOT IN (''JSMITH'', ''TBROWN'')');
END;
/
To find the value of a factor function, select from the DUAL
system table. For example:
SELECT DVF.F$SESSION_USER FROM DUAL;

F$SESSION_USER
------------------------------------------------
LEO_DVOWNER

The name of the factor itself is case-insensitive. For example, the following statements return the same result:

select dvf.f$session_user from dual;
SELECT DVF.F$SESSION_USER FROM DUAL;
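The text above says the DVF functions make factors usable in Oracle Virtual Private Database, and the run-time section earlier describes DVSYS.GET_TRUST_LEVEL. The following is an added example, not code from the original page or from Oracle, showing both together: a VPD policy function whose predicate depends on DVF.F$AUTHENTICATION_METHOD and on the session's trust level for the Sector2_ClientID factor, registered with DBMS_RLS.ADD_POLICY. The SEC_ADMIN schema, the HR.EMPLOYEES table with its CONFIDENTIAL column, and the trust threshold of 5 are assumptions. GET_TRUST_LEVEL returns VARCHAR2, so the value is converted with TO_NUMBER before the comparison, and a NULL (factor not resolved for this session) is mapped to -1 so that the check fails closed.

```sql
-- Added example (not from the original page): a VPD policy function whose
-- predicate depends on Database Vault factors. Assumed: the SEC_ADMIN schema,
-- HR.EMPLOYEES with a CONFIDENTIAL column holding 'Y' or 'N', and trust level
-- 5 as the threshold for the Sector2_ClientID factor.
CREATE OR REPLACE FUNCTION sec_admin.emp_factor_predicate (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2)
RETURN VARCHAR2
AS
  l_auth  VARCHAR2(30);
  l_trust NUMBER;
BEGIN
  -- DVF factor functions are ordinary SQL functions; call them directly.
  l_auth := DVF.F$AUTHENTICATION_METHOD;

  -- GET_TRUST_LEVEL returns VARCHAR2. Compare numerically, and treat an
  -- unresolved factor (NULL) as untrusted rather than as "no restriction".
  l_trust := NVL(TO_NUMBER(DVSYS.GET_TRUST_LEVEL('Sector2_ClientID')), -1);

  -- Sessions that did not authenticate with SSL or Kerberos never see
  -- confidential rows, whatever the client trust level says.
  IF l_auth NOT IN ('SSL', 'KERBEROS') THEN
    RETURN 'confidential = ''N''';
  END IF;

  -- Strongly authenticated sessions from a trusted client identity see
  -- every row; returning NULL tells VPD to add no predicate.
  IF l_trust >= 5 THEN
    RETURN NULL;
  END IF;

  RETURN 'confidential = ''N''';
END emp_factor_predicate;
/

-- Attach the policy so that every SELECT, UPDATE and DELETE against
-- HR.EMPLOYEES is rewritten with the predicate returned above.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_FACTOR_POLICY',
    function_schema => 'SEC_ADMIN',
    policy_function => 'EMP_FACTOR_PREDICATE',
    statement_types => 'SELECT,UPDATE,DELETE');
END;
/
```

Because the factor values and trust levels are evaluated per session by Database Vault, the policy function itself stays free of network or authentication details: changing which client identities are trusted is done with UPDATE_IDENTITY, not by editing the predicate.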
Table 16-31 lists the default factor functions.
Table 16-31 Installed Oracle Database Vault Factor Functions

DVF Factor Function | Description |
---|---|
F$AUTHENTICATION_METHOD | Returns the method of authentication in VARCHAR2 data type |
F$CLIENT_IP | Returns the IP address of the computer from which the client is connected |
F$DATABASE_DOMAIN | Returns the domain of the database as specified in the DB_DOMAIN initialization parameter |
F$DATABASE_HOSTNAME | Returns the host name of the computer on which the database instance is running |
F$DATABASE_INSTANCE | Returns the database instance identification number of the current database instance |
F$DATABASE_IP | Returns the IP address of the computer on which the database instance is running |
F$DATABASE_NAME | Returns the name of the database as specified in the DB_NAME initialization parameter |
F$DOMAIN | Returns a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level |
F$ENTERPRISE_IDENTITY | Returns the enterprise-wide identity for a user |
F$IDENTIFICATION_TYPE | Returns the way the schema of a user was created in the database. Specifically, it reflects the IDENTIFIED clause of the CREATE USER or ALTER USER statement |
F$LANG | Returns the ISO abbreviation for the language name, a shorter form than the existing LANGUAGE parameter |
F$LANGUAGE | Returns the language and territory currently used by your session, in VARCHAR2 data type |
F$MACHINE | Returns the computer (host) name for the database client that established the database session |
F$NETWORK_PROTOCOL | Returns the network protocol being used for communication, as specified in the PROTOCOL=protocol portion of the connect string |
F$PROXY_ENTERPRISE_IDENTITY | Returns the Oracle Internet Directory distinguished name (DN) when the proxy user is an enterprise user |
F$SESSION_USER | Returns the database user name by which the current user is authenticated |
The F$AUTHENTICATION_METHOD function returns the method of authentication in VARCHAR2 data type.

In the list that follows, the type of user is followed by the method returned:

Password-authenticated enterprise user, local database user, or SYSDBA/SYSOPER using Password File; proxy with user name using password: PASSWORD
Kerberos-authenticated enterprise or external user: KERBEROS
SSL-authenticated enterprise or external user: SSL
Radius-authenticated external user: RADIUS
Operating system-authenticated external user or SYSDBA/SYSOPER: OS
DCE-authenticated external user: DCE
Proxy with certificate, distinguished name (DN), or user name without using password: NONE

You can use IDENTIFICATION_TYPE to distinguish between external and enterprise users when the authentication method is Password, Kerberos, or SSL.

DVF.F$AUTHENTICATION_METHOD () RETURN VARCHAR2;

Parameters: None.

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check SSL Authentication Method',
    rule_expr => 'DVF.F$AUTHENTICATION_METHOD = ''SSL''');
END;
/
The F$CLIENT_IP
function returns the IP address of the computer from which the client is connected, in VARCHAR2
data type.
DVF.F$CLIENT_IP () RETURN VARCHAR2;

Parameters: None.

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Client IP Address',
    rule_expr => 'DVF.F$CLIENT_IP BETWEEN ''192.0.2.10'' AND ''192.0.2.20''');
END;
/
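DVF.F$CLIENT_IP returns a VARCHAR2, so the BETWEEN in the rule above is a character comparison, not a numeric one: '192.0.2.100' through '192.0.2.199' all sort between '192.0.2.10' and '192.0.2.20' character by character, so they satisfy the rule even though they lie outside the intended range. The same question arises wherever dotted-quad addresses are compared as text, including identity-map operands. The block below is an added example, not code from the original page or from Oracle: a helper that converts a dotted-quad IPv4 address to a number, a pair of queries that demonstrate the difference, and a rule that uses the helper. The SEC_ADMIN schema and the function name are assumptions, as is the grant of EXECUTE on the function to the account that evaluates the rule set.

```sql
-- Added example (not from the original page). Assumed: the SEC_ADMIN schema
-- and that the account evaluating the rule set can execute this function.
-- Converts a dotted-quad IPv4 address to its 32-bit numeric value so that
-- range checks compare numbers rather than strings.
CREATE OR REPLACE FUNCTION sec_admin.ipv4_to_number (p_ip IN VARCHAR2)
RETURN NUMBER DETERMINISTIC
AS
  l_octet  NUMBER;
  l_result NUMBER := 0;
BEGIN
  -- Only plain dotted-quad IPv4 is handled. Anything else (NULL, IPv6,
  -- host names, stray whitespace) yields NULL so that a BETWEEN built on
  -- this value fails closed instead of matching by accident.
  IF p_ip IS NULL OR NOT REGEXP_LIKE(p_ip, '^(\d{1,3}\.){3}\d{1,3}$') THEN
    RETURN NULL;
  END IF;

  FOR i IN 1 .. 4 LOOP
    l_octet := TO_NUMBER(REGEXP_SUBSTR(p_ip, '\d+', 1, i));
    IF l_octet > 255 THEN
      RETURN NULL;                    -- e.g. 192.0.2.300 is not an address
    END IF;
    l_result := l_result * 256 + l_octet;
  END LOOP;

  RETURN l_result;
END ipv4_to_number;
/

-- The pitfall, side by side. The first query returns a row: as strings,
-- '192.0.2.100' lies between '192.0.2.10' and '192.0.2.20'. The second
-- returns no rows, because 192.0.2.100 is numerically above 192.0.2.20.
SELECT 1 AS string_match FROM DUAL
 WHERE '192.0.2.100' BETWEEN '192.0.2.10' AND '192.0.2.20';

SELECT 1 AS numeric_match FROM DUAL
 WHERE sec_admin.ipv4_to_number('192.0.2.100')
       BETWEEN sec_admin.ipv4_to_number('192.0.2.10')
           AND sec_admin.ipv4_to_number('192.0.2.20');

-- The same rule as the page's example, with numeric comparison. A client
-- address that does not parse makes the expression NULL, so the rule is
-- false and the session is not treated as coming from the allowed range.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Client IP Address (numeric)',
    rule_expr => 'sec_admin.ipv4_to_number(DVF.F$CLIENT_IP) BETWEEN '
              || 'sec_admin.ipv4_to_number(''192.0.2.10'') AND '
              || 'sec_admin.ipv4_to_number(''192.0.2.20'')');
END;
/
```

The helper is marked DETERMINISTIC because its result depends only on its argument; this lets Oracle avoid re-evaluating it for repeated inputs within a query.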
The F$DATABASE_DOMAIN
function returns the domain of the database as specified in the DB_DOMAIN
initialization parameter, in VARCHAR2
data type.
DVF.F$DATABASE_DOMAIN () RETURN VARCHAR2;

Parameters: None.

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Client Database Domain',
    rule_expr => 'DVF.F$DATABASE_DOMAIN NOT IN (''EXAMPLE'', ''YOURDOMAIN'')');
END;
/
The F$DATABASE_HOSTNAME
function returns the host name of the computer on which the instance is running, in VARCHAR2
data type.
DVF.F$DATABASE_HOSTNAME () RETURN VARCHAR2;

Parameters: None.

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Host Name',
    rule_expr => 'DVF.F$DATABASE_HOSTNAME IN (''SHOBEEN'', ''MAU'')');
END;
/
The F$DATABASE_INSTANCE function returns the instance identification number of the current database instance (the instance number, not the database or instance name), in VARCHAR2 data type.

DVF.F$DATABASE_INSTANCE () RETURN VARCHAR2;

Parameters: None.

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Database Instance ID',
    rule_expr => 'DVF.F$DATABASE_INSTANCE = ''1''');
END;
/
The F$DATABASE_IP
function returns the IP address of the computer on which the database instance is running, in VARCHAR2
data type.
DVF.F$DATABASE_IP () RETURN VARCHAR2;

Parameters: None.

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Database IP address',
    rule_expr => 'DVF.F$DATABASE_IP = ''192.0.2.5''');
END;
/
The F$DATABASE_NAME
function returns the name of the database as specified in the DB_NAME
initialization parameter, in VARCHAR2
data type.
DVF.F$DATABASE_NAME () RETURN VARCHAR2;

Parameters: None.

BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Database DB_NAME Name',
    rule_expr => 'DVF.F$DATABASE_NAME = ''ORCL''');
END;
/
The F$DOMAIN function returns the identity of the domain in which the session is operating, in VARCHAR2 data type. A domain is a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or a subset of it) that operates at a specific sensitivity level.
You identify a domain by factors such as the host name, IP address, and database instance names of the Oracle Database Vault nodes in a secure access path to the database; a combination of these factor identities uniquely determines each domain. You can use these identifying factors, and possibly additional ones, to define the Maximum Security Label within the domain, which restricts data access and commands depending on the physical factors of the Oracle Database Vault session. Example domains of interest are Corporate Sensitive, Internal Public, Partners, and Customers.
DVF.F$DOMAIN () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Domain',
    rule_expr => 'DVF.F$DOMAIN = ''EXAMPLE.COM''');
END;
/
The F$ENTERPRISE_IDENTITY function returns the enterprise-wide identity for a user, in VARCHAR2 data type:
- For enterprise users: the Oracle Internet Directory DN.
- For external users: the external identity (Kerberos principal name, RADIUS and DCE schema names, operating system user name, certificate DN).
- For local users and SYSDBA/SYSOPER logins: NULL.
The value of the attribute differs by proxy method:
- For a proxy with DN: the Oracle Internet Directory DN of the client.
- For a proxy with certificate: the certificate DN of the client for external users; the Oracle Internet Directory DN for global users.
- For a proxy with user name: the Oracle Internet Directory DN if the client is an enterprise user; NULL if the client is a local database user.
DVF.F$ENTERPRISE_IDENTITY () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check User Enterprise Identity',
    rule_expr => 'DVF.F$ENTERPRISE_IDENTITY NOT IN (''JSMITH'', ''TSMITH'')');
END;
/
The F$IDENTIFICATION_TYPE function returns the way the schema of a user was created in the database. Specifically, it reflects the IDENTIFIED clause in the CREATE USER or ALTER USER statement. The return type is VARCHAR2.
In the list that follows, the syntax used during schema creation is followed by the identification type returned:
- IDENTIFIED BY password: LOCAL
- IDENTIFIED EXTERNALLY: EXTERNAL
- IDENTIFIED GLOBALLY: GLOBAL SHARED
- IDENTIFIED GLOBALLY AS DN: GLOBAL PRIVATE
DVF.F$IDENTIFICATION_TYPE () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check User Schema Creation Type',
    rule_expr => 'DVF.F$IDENTIFICATION_TYPE = ''GLOBAL SHARED''');
END;
/
The F$LANG function returns the abbreviated name of the language of the user's session, a shorter form than the LANGUAGE parameter. The return type is VARCHAR2.
The values are the language abbreviations that Oracle Database uses (for example US for AMERICAN, D for GERMAN, and F for FRENCH), not two-letter ISO 639 codes, so a rule that compares against codes such as EN or DE never matches. See Oracle Database Globalization Support Guide for the list of supported languages and their abbreviations.
DVF.F$LANG () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Abbreviated Language Name',
    rule_expr => 'DVF.F$LANG IN (''US'', ''D'', ''F'')');
END;
/
The F$LANGUAGE function returns the language and territory currently used by a user session, along with the database character set. The return type is VARCHAR2, in the following format:
language_territory.characterset
See Oracle Database Globalization Support Guide for a listing of supported languages and territories for Oracle Database.
DVF.F$LANGUAGE () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Session Language and Territory',
    rule_expr => 'DVF.F$LANGUAGE = ''AMERICAN_AMERICA.WE8ISO8859P1''');
END;
/
The F$MACHINE function returns the computer (host) name of the database client that established the database session. The return type is VARCHAR2.
The host name is reported by the client software and is not verified by the database, so a client under an attacker's control can present any value. Treat F$MACHINE as an auditing and defense-in-depth attribute rather than as the sole basis for an access decision; F$CLIENT_IP, which is taken from the network connection, is the stronger of the two.
DVF.F$MACHINE () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Client Computer Host Name',
    rule_expr => 'DVF.F$MACHINE NOT IN (''SHOBEEN'', ''SEBASTIAN'')');
END;
/
The F$NETWORK_PROTOCOL function returns the network protocol being used for communication, as specified in the PROTOCOL=protocol portion of the connect string (for example TCP for plain TCP/IP, or TCPS for TCP/IP with SSL/TLS). The return type is VARCHAR2. A rule on this factor is a simple way to require that sessions reaching a protected object arrive over an encrypted transport.
DVF.F$NETWORK_PROTOCOL () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Network Protocol',
    rule_expr => 'DVF.F$NETWORK_PROTOCOL = ''TCP''');
END;
/
The F$PROXY_ENTERPRISE_IDENTITY function returns the Oracle Internet Directory distinguished name (DN) of the proxy user when the proxy user is an enterprise user. The return type is VARCHAR2.
DVF.F$PROXY_ENTERPRISE_IDENTITY () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Proxy User OID DN',
    rule_expr => 'DVF.F$PROXY_ENTERPRISE_IDENTITY = ''cn=Provisioning Admins''');
END;
/
The F$SESSION_USER function returns the database user name by which the current user is authenticated. This value remains the same throughout the session. In a proxy session it is the user on whose behalf the proxy connected, not the proxy user itself. The return type is VARCHAR2.
DVF.F$SESSION_USER () RETURN VARCHAR2;
Parameters: None.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Check Database User Name',
    rule_expr => 'DVF.F$SESSION_USER IN (''JSMITH'', ''TSMITH'')');
END;
/
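Each example above creates a single rule. In practice a control combines several factor rules in a rule set and attaches that rule set to a realm or command rule, so that a statement is allowed only when the session satisfies all of them. The following added example is not code from the original page; the rule, rule set and command rule names, the HR.EMPLOYEES object, and the 192.0.2.0/24 administrative subnet are assumptions. It first queries the factors for the current session, so the rule set is not enabled against a session that would itself fail it, then builds three rules over DVF functions, groups them in a rule set that requires all of them to be true, and binds the rule set to ALTER TABLE on one object with DBMS_MACADM.CREATE_RULE_SET, ADD_RULE_TO_RULE_SET and CREATE_COMMAND_RULE:

```sql
-- Added example, not from the original page. The rule, rule set and command
-- rule names, the HR.EMPLOYEES object and the 192.0.2.0/24 subnet are
-- assumptions. Run as a user granted DV_OWNER or DV_ADMIN.

-- Step 1: see what the factors evaluate to in this session before enabling
-- a command rule that depends on them.
SELECT DVF.F$SESSION_USER          AS session_user,
       DVF.F$CLIENT_IP             AS client_ip,
       DVF.F$NETWORK_PROTOCOL      AS network_protocol,
       DVF.F$AUTHENTICATION_METHOD AS authentication_method
FROM   DUAL;

BEGIN
  -- Step 2: one rule per factor. Each rule_expr is a SQL condition over a
  -- DVF function. The last octet pattern admits exactly 0..255.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client On Admin Subnet',
    rule_expr => 'REGEXP_LIKE(DVF.F$CLIENT_IP, ' ||
                 '''^192\.0\.2\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])$'')');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client Uses TCPS',
    rule_expr => 'DVF.F$NETWORK_PROTOCOL = ''TCPS''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Client Authenticated With SSL',
    rule_expr => 'DVF.F$AUTHENTICATION_METHOD = ''SSL''');

  -- Step 3: a rule set that is true only when every rule is true
  -- (G_RULESET_EVAL_ALL). Failures are audited and the message is shown.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted Admin Session',
    description     => 'Network and authentication checks for DDL on HR tables',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on HR tables requires SSL over TCPS from the admin subnet',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => '');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Admin Session',
    rule_name     => 'Client On Admin Subnet',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Admin Session',
    rule_name     => 'Client Uses TCPS',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Admin Session',
    rule_name     => 'Client Authenticated With SSL',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);

  -- Step 4: bind the rule set to ALTER TABLE on one object. The statement
  -- is permitted only when the whole rule set evaluates to true.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Trusted Admin Session',
    object_owner  => 'HR',
    object_name   => 'EMPLOYEES',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

The three rules are deliberately consistent with each other: SSL authentication is only possible over TCPS, so requiring TCP together with SSL would produce a rule set that no session can satisfy. A session that reaches the database without a network address (a local bequeath connection) has a NULL F$CLIENT_IP, fails the first rule, and is therefore blocked from ALTER TABLE on HR.EMPLOYEES as well; if local administration must remain possible, add a rule for that path rather than loosening the address check.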