16 Oracle Database Vault Factor APIs

You can use the DBMS_MACADM PL/SQL package, a set of standalone Oracle Database Vault rule procedures and functions, and DVF PL/SQL functions to manage factors.

Topics:

DBMS_MACADM Factor Procedures and Functions
Oracle Database Vault Run-Time PL/SQL Procedures and Functions
Oracle Database Vault DVF PL/SQL Factor Functions

DBMS_MACADM Factor Procedures and Functions

The DBMS_MACADM PL/SQL package provides procedures that enable you to manage factors, factor types, factor identities.

About the DBMS_MACADM Factor Procedures and Functions

Table 16-1 lists procedures and functions within the DBMS_MACADM package that you can use to configure factors. Only users who have been granted the DV_OWNER or DV_ADMIN role can use these procedures and functions.

Table 16-1 DBMS_MACADM Factor Configuration Procedures

Procedure	Description
ADD_FACTOR_LINK Procedure	Specifies a parent-child relationship for two factors
ADD_POLICY_FACTOR Procedure	Specifies that the label for a factor contributes to the Oracle Label Security label for a policy.
CHANGE_IDENTITY_FACTOR Procedure	Associates an identity with a different factor
CHANGE_IDENTITY_VALUE Procedure	Updates the value of an identity
CREATE_DOMAIN_IDENTITY Procedure	Adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.
CREATE_FACTOR Procedure	Creates a factor
CREATE_FACTOR_TYPE Procedure	Creates a factor type
CREATE_IDENTITY Procedure	Creates an identity
CREATE_IDENTITY_MAP Procedure	Defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors)
DELETE_FACTOR Procedure	Deletes a factor
DELETE_FACTOR_LINK Procedure	Removes a parent-child relationship for two factors
DELETE_FACTOR_TYPE Procedure	Deletes a factor type
DELETE_IDENTITY Procedure	Removes an identity
DELETE_IDENTITY_MAP Procedure	Removes an identity map from a factor
DROP_DOMAIN_IDENTITY Procedure	Removes an Oracle RAC database node from a domain
GET_INSTANCE_INFO Function	Returns information from the `SYS.V_$INSTANCE` system table about the current database instance; returns a `VARCHAR2` value
GET_SESSION_INFO Function	Returns information from the `SYS.V_$SESSION` system table for the current session; returns a `VARCHAR2` value
RENAME_FACTOR Procedure	Renames a factor. The name change takes effect everywhere the factor is used.
RENAME_FACTOR_TYPE Procedure	Renames a factor type. The name change takes effect everywhere the factor type is used.
UPDATE_FACTOR Procedure	Updates a factor
UPDATE_FACTOR_TYPE Procedure	Updates the description of a factor type
UPDATE_IDENTITY Procedure	Updates the trust level of a factor identity

ADD_FACTOR_LINK Procedure

The ADD_FACTOR_LINK procedure specifies a parent-child relationship for two factors.

Syntax

DBMS_MACADM.ADD_FACTOR_LINK(
  parent_factor_name IN VARCHAR2, 
  child_factor_name  IN VARCHAR2, 
  label_indicator    IN VARCHAR2);

Parameters

Table 16-2 ADD_FACTOR_LINK Parameters

Parameter Description

Parameter	Description
`parent_factor_name`	Parent factor name. To find existing parent and child factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR_LINK` view, described in "DVSYS.DBA_DV_FACTOR_LINK View".
`child_factor_name`	Child factor name.
`label_indicator`	Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either `DBMS_MACUTL.G_YES` (for Yes) or `DBMS_MACUTL.G_NO` (for No). To find the Oracle Label Security policies and labels associated with factors, query the following views, described in Chapter 22, "Oracle Database Vault Data Dictionary Views": `DVSYS.DBA_DV_MAC_POLICY`: Lists Oracle Label Security policies defined in the current database instance. `DVSYS.DBA_DV_MAC_POLICY_FACTOR`: Lists the factors that are associated with Oracle Label Security policies for the current database instance. `DVSYS.DBA_DV_POLICY_LABEL`: Lists the Oracle Label Security label for each factor identifier in the `DVSYS.DBA_DV_IDENTITY` view for each policy.

parent_factor_name

Parent factor name.

To find existing parent and child factors in the current database instance, query the DVSYS.DBA_DV_FACTOR_LINK view, described in "DVSYS.DBA_DV_FACTOR_LINK View".

child_factor_name

Child factor name.

label_indicator

Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either DBMS_MACUTL.G_YES (for Yes) or DBMS_MACUTL.G_NO (for No).

To find the Oracle Label Security policies and labels associated with factors, query the following views, described in Chapter 22, "Oracle Database Vault Data Dictionary Views":

DVSYS.DBA_DV_MAC_POLICY: Lists Oracle Label Security policies defined in the current database instance.
DVSYS.DBA_DV_MAC_POLICY_FACTOR: Lists the factors that are associated with Oracle Label Security policies for the current database instance.
DVSYS.DBA_DV_POLICY_LABEL: Lists the Oracle Label Security label for each factor identifier in the DVSYS.DBA_DV_IDENTITY view for each policy.

Example

BEGIN
 DBMS_MACADM.ADD_FACTOR_LINK(
  parent_factor_name => 'HQ_ClientID', 
  child_factor_name  => 'Div1_ClientID', 
  label_indicator    => DBMS_MACUTL.G_YES);
END;
/

ADD_POLICY_FACTOR Procedure

The ADD_POLICY_FACTOR procedure specifies that the label for a factor contributes to the Oracle Label Security label for a policy.

Syntax

DBMS_MACADM.ADD_POLICY_FACTOR(
  policy_name  IN VARCHAR2, 
  factor_name  IN VARCHAR2);

Parameters

Table 16-3 ADD_POLICY_FACTOR Parameters

Parameter Description

Parameter	Description
`policy_name`	Oracle Label Security policy name. To find the policies defined in the current database instance, query the `DVSYS.DBA_DV_MAC_POLICY` view, described in "DVSYS.DBA_DV_MAC_POLICY View". To find factors that are associated with Oracle Label Security policies, query `DVSYS.DBA_DV_MAC_POLICY_FACTOR`, described in "DVSYS.DBA_DV_MAC_POLICY View".
`factor_name`	Factor name. To find existing factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".

policy_name

Oracle Label Security policy name.

To find the policies defined in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DVSYS.DBA_DV_MAC_POLICY View".

To find factors that are associated with Oracle Label Security policies, query DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DVSYS.DBA_DV_MAC_POLICY View".

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

Example

BEGIN
 DBMS_MACADM.ADD_POLICY_FACTOR(
  policy_name  => 'AccessData', 
  factor_name  => 'Sector2_ClientID'); 
END;
/

CHANGE_IDENTITY_FACTOR Procedure

The CHANGE_IDENTITY_FACTOR procedure associates an identity with a different factor.

Syntax

DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
  factor_name     IN VARCHAR2, 
  value           IN VARCHAR2, 
  new_factor_name IN VARCHAR2);

Parameters

Table 16-4 CHANGE_IDENTITY_FACTOR Parameters

Parameter Description

Parameter	Description
`factor_name`	Current factor name. To find existing factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".
`value`	Value of the identity to update. To find existing identities for each factor in the current database instance, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DVSYS.DBA_DV_IDENTITY View". To find current identity mappings, query the `DVSYS.DBA_DV_IDENTITY_MAP` view, described in "DVSYS.DBA_DV_IDENTITY_MAP View".
`new_factor_name`	Name of the factor to associate with the identity, which you can find by querying the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".

factor_name

Current factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

value

Value of the identity to update.

To find existing identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DVSYS.DBA_DV_IDENTITY View".

To find current identity mappings, query the DVSYS.DBA_DV_IDENTITY_MAP view, described in "DVSYS.DBA_DV_IDENTITY_MAP View".

new_factor_name

Name of the factor to associate with the identity, which you can find by querying the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

Example

BEGIN
 DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
  factor_name     => 'Sector2_ClientID', 
  value           => 'intranet', 
  new_factor_name => 'Sector4_ClientID'); 
END;
/

CHANGE_IDENTITY_VALUE Procedure

The CHANGE_IDENTITY_FACTOR procedure updates the value of an identity.

Syntax

DBMS_MACADM.CHANGE_IDENTITY_VALUE(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  new_value    IN VARCHAR2);

Parameters

Table 16-5 CHANGE_IDENTITY_VALUE Parameters

Parameter Description

Parameter	Description
`factor_name`	Factor name. To find existing factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".
`value`	Current value associated with the identity. To find existing identities for each factor in the current database instance, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DVSYS.DBA_DV_FACTOR View". To find current identity mappings, query the `DVSYS.DBA_DV_IDENTITY_MAP` view, described in "DVSYS.DBA_DV_IDENTITY_MAP View".
`new_value`	New identity value, up to 1024 characters in mixed-case.

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

value

Current value associated with the identity.

To find existing identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DVSYS.DBA_DV_FACTOR View".

To find current identity mappings, query the DVSYS.DBA_DV_IDENTITY_MAP view, described in "DVSYS.DBA_DV_IDENTITY_MAP View".

new_value

New identity value, up to 1024 characters in mixed-case.

Example

BEGIN
 DBMS_MACADM.CHANGE_IDENTITY_VALUE(
  factor_name  => 'Sector2_ClientID', 
  value        => 'remote', 
  new_value    => 'intranet');
END; 
/

CREATE_DOMAIN_IDENTITY Procedure

The CREATE_DOMAIN_IDENTITY procedure adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.

Syntax

DBMS_MACADM.CREATE_DOMAIN_IDENTITY(
  domain_name  IN VARCHAR2, 
  domain_host  IN VARCHAR2, 
  policy_name  IN VARCHAR2 DEFAULT NULL, 
  domain_label IN VARCHAR2 DEFAULT NULL);

Parameters

Table 16-6 CREATE_DOMAIN_IDENTITY Parameters

Parameter	Description
`domain_name`	Name of the domain to which to add the host. To find the logical location of the database within the network structure within a distributed database system, run the `DVF.F$DATABASE_DOMAIN` function, described in "Oracle Database Vault DVF PL/SQL Factor Functions".
`domain_host`	Oracle Real Application Clusters host name being added to the domain. To find host name of a database, run the `DVF.F$DATABASE_HOSTNAME` function, described in "Oracle Database Vault DVF PL/SQL Factor Functions".
`policy_name`	Oracle Label Security policy name. If you omit the policy name, then the domain is not associated with any policy. To find the available policies, query the `DVSYS.DBA_DV_MAC_POLICY` view, described in "DVSYS.DBA_DV_MAC_POLICY View".
`domain_label`	Name of the domain to which to add the Oracle Label Security policy.

Examples

BEGIN
 DBMS_MACADM.CREATE_DOMAIN_IDENTITY(
  domain_name  => 'example', 
  domain_host  => 'mydom_host', 
  policy_name  => 'AccessData', 
  domain_label => 'sensitive'); 
END;
/

CREATE_FACTOR Procedure

The CREATE_FACTOR procedure creates a factor. After you create a factor, you can give it an identity by using the CREATE_IDENTITY procedure, described in "CREATE_IDENTITY Procedure".

Syntax

DBMS_MACADM.CREATE_FACTOR(
  factor_name       IN VARCHAR2, 
  factor_type_name  IN VARCHAR2, 
  description       IN VARCHAR2, 
  rule_set_name     IN VARCHAR2, 
  get_expr          IN VARCHAR2, 
  validate_expr     IN VARCHAR2, 
  identify_by       IN NUMBER, 
  labeled_by        IN NUMBER, 
  eval_options      IN NUMBER, 
  audit_options     IN NUMBER, 
  fail_options      IN NUMBER);

Parameters

Table 16-7 CREATE_FACTOR Parameters

Parameter	Description
`factor_name`	Factor name, up to 28 characters in mixed-case, without spaces. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".
`factor_type_name`	Type of the factor, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the `DBA_DV_FACTOR_TYPE` view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".
`description`	Description of the purpose of the factor, up to 1024 characters in mixed-case.
`rule_set_name`	Rule set name if you want to use a rule set to control when and how a factor identity is set. To find existing rule sets, query the `DVSYS.DBA_DV_RULE_SET` view, described in Chapter 22, "Oracle Database Vault Data Dictionary Views.". See also "Assigning a Rule Set to a Factor" for more information about assigning rule sets to factors.
`get_expr`	Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Setting the Retrieval Method for a Factor" for more information. See also the `audit_options` parameter.
`validate_expr`	Name of the procedure to validate the factor. This is a valid PL/SQL expression that returns a Boolean value (`TRUE` or `FALSE`) to validate the identity of the factor. See "Setting the Validation Method for a Factor" for more information.
`identify_by`	Options for determining the identity of a factor, based on the expression set for the `get_expr` parameter: `DBMS_MACUTL.G_IDENTIFY_BY_CONSTANT`: By constant `DBMS_MACUTL.G_IDENTIFY_BY_METHOD`: By method `DBMS_MACUTL.G_IDENTIFY_BY_FACTOR`: By factor `DBMS_MACUTL.G_IDENTIFY_BY_CONTEXT`: By context See "Setting the Factor Identification Information" for more information.
`labeled_by`	Options for labeling the factor: `DBMS_MACUTL.G_LABELED_BY_SELF`: Labels the identities for the factor directly from the labels associated with an Oracle Label Security policy (default) `DBMS_MACUTL.G_LABELED_BY_FACTORS`: Derives the factor identity label from the labels of its child factor identities. See "Setting the Oracle Label Security Labeling Information for a Factor" for more information.
`eval_options`	Options for evaluating the factor when the user logs on: `DBMS_MACUTL.G_EVAL_ON_SESSION`: When the database session is created (default) `DBMS_MACUTL.G_EVAL_ON_ACCESS`: Each time the factor is accessed `DBMS_MACUTL.G_EVAL_ON_STARTUP`: On start-up See "Setting the Evaluation Information for a Factor" for more information.
`audit_options`	Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record. `DBMS_MACUTL.G_AUDIT_OFF`: Disables auditing. `DBMS_MACUTL.G_AUDIT_ALWAYS`: Always audits. `DBMS_MACUTL.G_AUDIT_ON_GET_ERROR`: Audits if `get_expr` returns an error. `DBMS_MACUTL.G_AUDIT_ON_GET_NULL`: Audits if `get_expr` is null. `DBMS_MACUTL.G_AUDIT_ON_VALIDATE_ERROR`: Audits if the validation procedure returns an error. `DBMS_MACUTL.G_AUDIT_ON_VALIDATE_FALSE`: Audits if the validation procedure is false. `DBMS_MACUTL.G_AUDIT_ON_TRUST_LEVEL_NULL`: Audits if there is no trust level set. `DBMS_MACUTL.G_AUDIT_ON_TRUST_LEVEL_NEG`: Audits if the trust level is negative. See "Setting Audit Options for a Factor" for more information.
`fail_options`	Options for reporting factor errors: `DBMS_MACUTL.G_FAIL_WITH_MESSAGE`: Shows an error message (default) `DBMS_MACUTL.G_FAIL_SILENTLY`: Does not show an error message See "Setting Error Options for a Factor" for more information.

Example

BEGIN
 DBMS_MACADM.CREATE_FACTOR(
  factor_name       => 'Sector2_DB', 
  factor_type_name  => 'Instance', 
  description       => ' ', 
  rule_set_name     => 'Limit_DBA_Access', 
  get_expr          => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', 
  validate_expr     => 'dbavowner.check_db_access', 
  identify_by       => DBMS_MACUTL.G_IDENTIFY_BY_METHOD, 
  labeled_by        => DBMS_MACUTL.G_LABELED_BY_SELF, 
  eval_options      => DBMS_MACUTL.G_EVAL_ON_SESSION, 
  audit_options     => DBMS_MACUTL.G_AUDIT_OFF, 
  fail_options      => DBMS_MACUTL.G_FAIL_SILENTLY); 
END;
/

CREATE_FACTOR_TYPE Procedure

The CREATE_FACTOR_TYPE procedure creates a user-defined factor type.

Syntax

DBMS_MACADM.CREATE_FACTOR_TYPE(
  name        IN VARCHAR2, 
  description IN VARCHAR2);

Parameters

Table 16-8 CREATE_FACTOR_TYPE Parameters

Parameter Description

Parameter	Description
`name`	Factor type name, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".
`description`	Description of the purpose of the factor type, up to 1024 characters in mixed-case.

name

Factor type name, up to 30 characters in mixed-case, without spaces.

To find existing factor types, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".

description

Description of the purpose of the factor type, up to 1024 characters in mixed-case.

Example

BEGIN
 DBMS_MACADM.CREATE_FACTOR_TYPE(
  name        => 'Sector2Instance', 
  description => 'Checks DB instances used in Sector 2');
END;
/

CREATE_IDENTITY Procedure

The CREATE_IDENTITY procedure assigns an identity and an associated trust level for a given factor. After you create a factor, you must assign it an identity.

Syntax

DBMS_MACADM.CREATE_IDENTITY(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  trust_level  IN NUMBER);

Parameters

Table 16-9 CREATE_IDENTITY Parameters

Parameter Description

Parameter	Description
`factor_name`	Factor name. To find existing factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".
`value`	The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.
`trust_level`	Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

value

The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.

trust_level

Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted.

See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.

Example

BEGIN
 DBMS_MACADM.CREATE_IDENTITY(
  factor_name  => 'Sector2_ClientID', 
  value        => 'intranet', 
  trust_level  => 5); 
END;
/

CREATE_IDENTITY_MAP Procedure

The CREATE_IDENTITY_MAP procedure defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors).

Syntax

DBMS_MACADM.CREATE_IDENTITY_MAP(
  identity_factor_name  IN VARCHAR2,
  identity_factor_value IN VARCHAR2, 
  parent_factor_name    IN VARCHAR2, 
  child_factor_name     IN VARCHAR2, 
  operation             IN VARCHAR2, 
  operand1              IN VARCHAR2, 
  operand2              IN VARCHAR2);

Parameters

Table 16-10 CREATE_IDENTITY_MAP Parameters

Parameter	Description
`identity_factor_name`	Factor the identity map is for. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in Chapter 22, "Oracle Database Vault Data Dictionary Views."
`identity_factor_value`	Value the factor assumes if the identity map evaluates to `TRUE`. To find existing factor identities, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DVSYS.DBA_DV_IDENTITY View". To find current factor identity mappings, use `DVSYS.DBA_DV_IDENTITY_MAP`, described in "DVSYS.DBA_DV_IDENTITY_MAP View".
`parent_factor_name`	The parent factor link to which the map is related. To find existing parent-child factor mappings, query the `DVSYS.DBA_DV_IDENTITY_MAP` view, described in "DVSYS.DBA_DV_IDENTITY_MAP View".
`child_factor_name`	The child factor link to which the map is related.
`operation`	Relational operator for the identity map (for example, <, >, =, and so on).
`operand1`	Left operand for the relational operator; refers to the low value you enter.
`operand2`	Right operand for the relational operator; refers to the high value you enter.

Example

BEGIN
 DBMS_MACADM.CREATE_IDENTITY_MAP(
  identity_factor_name  => 'Sector2_ClientID',
  identity_factor_value => 'intranet', 
  parent_factor_name    => 'HQ_ClientID', 
  child_factor_name     => 'Div1_ClientID', 
  operation             => '<', 
  operand1              => '192.0.2.50', 
  operand2              => '192.0.2.100');
END;
/

DELETE_FACTOR Procedure

The DELETE_FACTOR procedure deletes a factor.

Syntax

DBMS_MACADM.DELETE_FACTOR(
  factor_name IN VARCHAR2);

Parameters

Table 16-11 DELETE_FACTOR Parameter

Parameter Description

factor_name

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

Example

EXEC DBMS_MACADM.DELETE_FACTOR('Sector2_ClientID');

DELETE_FACTOR_LINK Procedure

The DELETE_FACTOR_LINK procedure removes a parent-child relationship for two factors.

Syntax

DBMS_MACADM.DELETE_FACTOR_LINK(
  parent_factor_name IN VARCHAR2, 
  child_factor_name  IN VARCHAR2);

Parameters

Table 16-12 DELETE_FACTOR_LINK Parameters

Parameter Description

Parameter	Description
`parent_factor_name`	Factor name. To find factors that are used in parent-child mappings in the current database instance, query the `DVSYS.DBA_DV_FACTOR_LINK` view, described in "DVSYS.DBA_DV_FACTOR_LINK View".
`child_factor_name`	Factor name.

parent_factor_name

Factor name.

To find factors that are used in parent-child mappings in the current database instance, query the DVSYS.DBA_DV_FACTOR_LINK view, described in "DVSYS.DBA_DV_FACTOR_LINK View".

child_factor_name

Factor name.

Example

BEGIN
 DBMS_MACADM.DELETE_FACTOR_LINK(
  parent_factor_name => 'HQ_ClientID', 
  child_factor_name  => 'Div1_ClientID'); 
END;
/

DELETE_FACTOR_TYPE Procedure

The DELETE_FACTOR_TYPE procedure deletes a factor type.

Syntax

DBMS_MACADM.DELETE_FACTOR_TYPE(
  name IN VARCHAR2);

Parameters

Table 16-13 DELETE_FACTOR_TYPE Parameters

Parameter Description

Parameter	Description
`name`	Factor type name. To find existing factor types, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".

name

Factor type name.

To find existing factor types, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".

Example

EXEC DBMS_MACADM.DELETE_FACTOR_TYPE('Sector2Instance');

DELETE_IDENTITY Procedure

The DELETE_IDENTITY procedure removes an identity from an existing factor.

Syntax

DBMS_MACADM.DELETE_IDENTITY(
  factor_name IN VARCHAR2, 
  value       IN VARCHAR2);

Parameters

Table 16-14 DELETE_IDENTITY Parameters

Parameter Description

factor_name

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

value

Identity value associated with the factor.

To find the identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DVSYS.DBA_DV_IDENTITY View".

Example

BEGIN
 DBMS_MACADM.DELETE_IDENTITY(
  factor_name => 'Sector2_ClientID', 
  value       => 'intranet'); 
END;
/

DELETE_IDENTITY_MAP Procedure

The DELETE_IDENTITY_MAP procedure removes an identity map for a factor.

Syntax

DBMS_MACADM.DELETE_IDENTITY_MAP(
  identity_factor_name  IN VARCHAR2, 
  identity_factor_value IN VARCHAR2,
  parent_factor_name    IN VARCHAR2, 
  child_factor_name     IN VARCHAR2, 
  operation             IN VARCHAR2, 
  operand1              IN VARCHAR2, 
  operand2              IN VARCHAR2);

Parameters

Table 16-15 DELETE_IDENTITY_MAP Parameters

Parameter	Description
`identity_factor_name`	Factor the identity map is for. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".
`identity_factor_value`	Value the factor assumes if the identity map evaluates to `TRUE`. To find existing factor identities, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DVSYS.DBA_DV_IDENTITY View". To find current factor identity mappings, query `DVSYS.DBA_DV_IDENTITY_MAP`, described in "DVSYS.DBA_DV_IDENTITY_MAP View".
`parent_factor_name`	The parent factor link to which the map is related. To find existing parent-child factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR_LINK View".
`child_factor_name`	The child factor to which the map is related.
`operation`	Relational operator for the identity map (for example, <, >, =, and so on).
`operand1`	Left (low value) operand for the relational operator.
`operand2`	Right (high value) operand for the relational operator.

Example

BEGIN
 DBMS_MACADM.DELETE_IDENTITY_MAP(
  identity_factor_name  => 'Sector2_ClientID',
  identity_factor_value => 'intranet', 
  parent_factor_name    => 'HQ_ClientID', 
  child_factor_name     => 'Div1_ClientID', 
  operation             => '<', 
  operand1              => '192.0.2.10', 
  operand2              => '192.0.2.15');
END;
/

DROP_DOMAIN_IDENTITY Procedure

The DROP_DOMAIN_IDENTITY procedure removes an Oracle Real Application Clusters database node from a domain.

Syntax

DBMS_MACADM.DROP_DOMAIN_IDENTITY(
  domain_name  IN VARCHAR2, 
  domain_host  IN VARCHAR2);

Parameters

Table 16-16 DROP_DOMAIN_IDENTITY Parameters

Parameter Description

Parameter	Description
`domain_name`	Name of the domain to which the host was added. To find the domain of a database as specified by the `DB_DOMAIN` initialization parameter, run the `DVF.F$DATABASE_DOMAIN` function, described in "Oracle Database Vault DVF PL/SQL Factor Functions".
`domain_host`	Oracle Real Application Clusters host name being that was added to the domain. To find the host name for a specified database, run the `DVF.F$DATABASE_HOSTNAME` function, described in "Oracle Database Vault DVF PL/SQL Factor Functions".

domain_name

Name of the domain to which the host was added.

To find the domain of a database as specified by the DB_DOMAIN initialization parameter, run the DVF.F$DATABASE_DOMAIN function, described in "Oracle Database Vault DVF PL/SQL Factor Functions".

domain_host

Oracle Real Application Clusters host name being that was added to the domain.

To find the host name for a specified database, run the DVF.F$DATABASE_HOSTNAME function, described in "Oracle Database Vault DVF PL/SQL Factor Functions".

Example

BEGIN
 DBMS_MACADM.DROP_DOMAIN_IDENTITY(
  domain_name  => 'example', 
  domain_host  => 'mydom_host'); 
END;
/

GET_INSTANCE_INFO Function

The GET_INSTANCE_INFO function returns information from the SYS.V_$INSTANCE system table about the current database instance. The V$INSTANCE data dictionary view also contains database instance information from this table. See Oracle Database Reference for more information.

Syntax

DBMS_MACADM.GET_INSTANCE_INFO(
  p_parameter IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 16-17 GET_INSTANCE_INFO Parameter

Parameter	Description
`p_parameter`	Column name in the `SYS.V_$INSTANCE` system table

Example

DECLARE
 instance_var varchar2 := null;
BEGIN 
 instance_var = DBMS_MACADM.GET_INSTANCE_INFO('INSTANCE_NAME'); 
END;
/

GET_SESSION_INFO Function

The GET_SESSION_INFO function returns information from the SYS.V_$SESSION system table for the current session. The V$SESSION data dictionary view also contains session information from this table. See Oracle Database Reference for more information.

Syntax

DBMS_MACADM.GET_SESSION_INFO(
  p_parameter IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 16-18 GET_SESSION_INFO Parameter

Parameter	Description
`p_parameter`	Column name in the `SYS.V_$SESSION` system table.

Example

DECLARE
 session_var varchar2 := null;
BEGIN 
 session_var = DBMS_MACADM.GET_SESSION_INFO('PROCESS'); 
END;
/

RENAME_FACTOR Procedure

The RENAME_FACTOR procedure renames a factor. The name change takes effect everywhere the factor is used.

Syntax

DBMS_MACADM.RENAME_FACTOR(
  factor_name     IN VARCHAR2, 
  new_factor_name IN VARCHAR2);

Parameters

Table 16-19 RENAME_FACTOR Parameters

Parameter Description

Parameter	Description
`factor_name`	Current factor name. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".
`new_factor_name`	New factor name, up to 28 characters in mixed-case, without spaces.

factor_name

Current factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

new_factor_name

New factor name, up to 28 characters in mixed-case, without spaces.

Example

BEGIN
 DBMS_MACADM.RENAME_FACTOR(
  factor_name     => 'Sector2_ClientID', 
  new_factor_name => 'Sector2_Clients');
END;
/

RENAME_FACTOR_TYPE Procedure

The RENAME_FACTOR procedure renames a factor type. The name change takes effect everywhere the factor type is used.

Syntax

DBMS_MACADM.RENAME_FACTOR_TYPE(
  old_name  IN VARCHAR2, 
  new_name  IN VARCHAR2);

Parameters

Table 16-20 RENAME_FACTOR_TYPE Parameters

Parameter Description

Parameter	Description
`old_name`	Current factor type name. To find existing factor types in the current database instance, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".
`new_name`	New factor type name, up to 30 characters in mixed-case, without spaces.

old_name

Current factor type name.

To find existing factor types in the current database instance, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".

new_name

New factor type name, up to 30 characters in mixed-case, without spaces.

Example

BEGIN
 DBMS_MACADM.RENAME_FACTOR_TYPE(
  old_name  => 'Sector2Instance', 
  new_name  => 'Sector2DBInstance'); 
END;
/

UPDATE_FACTOR Procedure

The UPDATE_FACTOR procedure updates the description of a factor type.

Syntax

DBMS_MACADM.UPDATE_FACTOR(
  factor_name       IN VARCHAR2, 
  factor_type_name  IN VARCHAR2, 
  description       IN VARCHAR2, 
  rule_set_name     IN VARCHAR2, 
  get_expr          IN VARCHAR2, 
  validate_expr     IN VARCHAR2, 
  identify_by       IN NUMBER, 
  labeled_by        IN NUMBER, 
  eval_options      IN NUMBER, 
  audit_options     IN NUMBER, 
  fail_options      IN NUMBER);

Parameters

Table 16-21 UPDATE_FACTOR

Parameter	Description
`factor_name`	Factor name. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".
`factor_type_name`	Factor type name. To find existing factor types, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".
`description`	Description of the purpose of the factor, up to 1024 characters in mixed-case.
`rule_set_name`	Name of the rule set used to control when and how a factor identity is set. To find existing rule sets, query the `DVSYS.DBA_DV_RULE_SET` view, described in Chapter 22, "Oracle Database Vault Data Dictionary Views." See also "Assigning a Rule Set to a Factor" for more information about assigning rule sets to factors.
`get_expr`	Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Setting the Retrieval Method for a Factor" for more information. See also the `audit_options` parameter.
`validate_expr`	Name of the procedure to validate factor. This is a valid PL/SQL expression that returns a Boolean value (`TRUE` or `FALSE`) to validate the identity of the factor. See "Setting the Validation Method for a Factor" for more information.
`identify_by`	Options for determining the identity of a factor, based on the expression set for the `get_expr` parameter: `DBMS_MACUTL.G_IDENTIFY_BY_CONSTANT`: By constant `DBMS_MACUTL.G_IDENTIFY_BY_METHOD`: By method `DBMS_MACUTL.G_IDENTIFY_BY_FACTOR`: By factor `DBMS_MACUTL.G_IDENTIFY_BY_CONTEXT`: By context See "Setting the Factor Identification Information" for more information.
`labeled_by`	Options for labeling the factor: `DBMS_MACUTL.G_LABELED_BY_SELF`: Labels the identities for the factor directly from the labels associated with an Oracle Label Security policy `DBMS_MACUTL.G_LABELED_BY_FACTORS`: Derives the factor identity label from the labels of its child factor identities. The default for `labeled_by` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_FACTOR` data dictionary view. See "Setting the Oracle Label Security Labeling Information for a Factor" for more information.
`eval_options`	Options for evaluating the factor when the user logs on: `DBMS_MACUTL.G_EVAL_ON_SESSION`: When the database session is created `DBMS_MACUTL.G_EVAL_ON_ACCESS`: Each time the factor is accessed `DBMS_MACUTL.G_EVAL_ON_STARTUP`: On start-up The default for `eval_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_FACTOR` data dictionary view. See "Setting the Evaluation Information for a Factor" for more information.
`audit_options`	Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record. `DBMS_MACUTL.G_AUDIT_OFF`: Disables auditing. `DBMS_MACUTL.G_AUDIT_ALWAYS`: Always audits. `DBMS_MACUTL.G_AUDIT_ON_GET_ERROR`: Audits if `get_expr` returns an error. `DBMS_MACUTL.G_AUDIT_ON_GET_NULL`: Audits if `get_expr` is null. `DBMS_MACUTL.G_AUDIT_ON_VALIDATE_ERROR`: Audits if the validation procedure returns an error. `DBMS_MACUTL.G_AUDIT_ON_VALIDATE_FALSE`: Audits if the validation procedure is false. `DBMS_MACUTL.G_AUDIT_ON_TRUST_LEVEL_NULL`: Audits if there is no trust level set. `DBMS_MACUTL.G_AUDIT_ON_TRUST_LEVEL_NEG`: Audits if the trust level is negative. The default for `audit_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_FACTOR` data dictionary view. See "Setting Audit Options for a Factor" for more information.
`fail_options`	Options for reporting factor errors: `DBMS_MACUTL.G_FAIL_WITH_MESSAGE`: Shows an error message. `DBMS_MACUTL.G_FAIL_SILENTLY`: Does not show an error message. The default for `fail_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_FACTOR` data dictionary view. See "Setting Error Options for a Factor" for more information.

Example

BEGIN
 DBMS_MACADM.UPDATE_FACTOR(
  factor_name       => 'Sector2_DB', 
  factor_type_name  => 'Instance', 
  description       => ' ', 
  rule_set_name     => 'Limit_DBA_Access', 
  get_expr          => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', 
  validate_expr     => 'dbavowner.check_db_access', 
  identify_by       => DBMS_MACUTL.G_IDENTIFY_BY_METHOD, 
  labeled_by        => DBMS_MACUTL.G_LABELED_BY_SELF, 
  eval_options      => DBMS_MACUTL.G_EVAL_ON_ACCESS, 
  audit_options     => DBMS_MACUTL.G_AUDIT_ALWAYS, 
  fail_options      => DBMS_MACUTL.G_FAIL_WITH_MESSAGE); 
END;
/

UPDATE_FACTOR_TYPE Procedure

The UPDATE_FACTOR_TYPE procedure updates a factor type.

Syntax

DBMS_MACADM.UPDATE_FACTOR_TYPE(
  name         IN VARCHAR2, 
  description  IN VARCHAR2);

Parameters

Table 16-22 UPDATE_FACTOR_TYPE Parameters

Parameter Description

Parameter	Description
`name`	Factor type name. To find existing factor types in the current database instance, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".
`description`	Description of the purpose of the factor type, up to 1024 characters in mixed case.

name

Factor type name.

To find existing factor types in the current database instance, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DVSYS.DBA_DV_FACTOR_TYPE View".

description

Description of the purpose of the factor type, up to 1024 characters in mixed case.

Example

BEGIN
 DBMS_MACADM.UPDATE_FACTOR_TYPE(
  name        => 'Sector2DBInstance', 
  description => 'Checks DB instances used in Sector 2');
END;
/

UPDATE_IDENTITY Procedure

The UPDATE_IDENTITY procedure updates the trust level of a factor identity.

Syntax

DBMS_MACADM.UPDATE_IDENTITY(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  trust_level  IN NUMBER);

Parameters

Table 16-23 UPDATE_IDENTITY Parameters

Parameter Description

Parameter	Description
`factor_name`	Factor name. To find existing factors in the current database instance, query the `DBSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View". To find factors that have identities, query `DVSYS.DBA_DV_IDENTITY`, described in "DVSYS.DBA_DV_IDENTITY View".
`value`	New factor identity, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.
`trust_level`	Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.

factor_name

Factor name.

To find existing factors in the current database instance, query the DBSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

To find factors that have identities, query DVSYS.DBA_DV_IDENTITY, described in "DVSYS.DBA_DV_IDENTITY View".

value

New factor identity, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.

trust_level

See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.

Example

BEGIN
 DBMS_MACADM.UPDATE_IDENTITY(
  factor_name  => 'Sector2_ClientID', 
  value        => 'intranet', 
  trust_level  => 10); 
END;
/

Oracle Database Vault Run-Time PL/SQL Procedures and Functions

You can use a set of standalone procedures and functions to manage factors.

About the Oracle Database Vault Run-Time PL/SQL Procedures and Functions

Oracle Database Vault provides a set of procedural interfaces to administer various Database Vault security options and manage Database Vault security enforcements.

There are also procedures and functions that expose the logic to validate a DDL command for realm violations and command authorizations. Additional procedures and functions are provided to set the value of a factor (assuming their associated rule sets evaluate to true) (for example, from a Web application), to retrieve the trust level for a session or specific factor identity, and to get the label for a factor identity. These procedures and functions are provided so that a database administrator does not grant the EXECUTE privilege on all DVSYS package procedures to the general database account population. The procedures and functions expose only the minimum methods that are required. All of these functions and procedures are publicly available for applications that need them.

Table 16-24 lists the default run-time PL/SQL procedures and functions for factors.

Table 16-24 Run-Time PL/SQL Procedures and Functions

Procedure or Function	Parameter
SET_FACTOR Procedure	Sets a factor
GET_FACTOR Function	Retrieves a factor
GET_TRUST_LEVEL Function	Retrieves the trust level assigned to a factor
GET_TRUST_LEVEL_FOR_IDENTITY Function	Retrieves the trust level for a specified factor and an identity
ROLE_IS_ENABLED Function	Checks whether the specified database role is enabled
GET_FACTOR_LABEL Function	Retrieves the label for the specified factor when the factor has a label assigned to it for the specified Oracle Label Security policy

SET_FACTOR Procedure

The SET_FACTOR procedure can be exposed to an application that requires the ability to set factor identities dynamically.

It wraps the package procedure DBMS_MACADM.SET_FACTOR. When a factor has a rule set associated with it for assignment and if the rule set returns true, then the value is set. Normal rule set handling occurs, and the factor value (identity) validation method is called. This procedure is available (to execute) to the general database account population.

Syntax

DVSYS.SET_FACTOR(
  p_factor IN VARCHAR2, 
  p_value  IN VARCHAR2);

Parameters

Table 16-25 SET_FACTOR Parameters

Parameter Description

Parameter	Description
`p_factor`	Factor name. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` data dictionary view, described in "DVSYS.DBA_DV_FACTOR View".
`p_value`	Identity value, up to 1024 characters in mixed case. To find the identities for each factor in the current database instance, query the `DVSYS.DBA_DV_IDENTITY` data dictionary view, described in "DVSYS.DBA_DV_IDENTITY View".

p_factor

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR data dictionary view, described in "DVSYS.DBA_DV_FACTOR View".

p_value

Identity value, up to 1024 characters in mixed case.

To find the identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY data dictionary view, described in "DVSYS.DBA_DV_IDENTITY View".

Example

EXECUTE DVSYS.SET_FACTOR(''Sector2_ClientID'', ''identity'');

GET_FACTOR Function

The GET_FACTOR function is exposed to the DVF schema to allow the public factor functions to resolve the identity of a factor. The return type is VARCHAR2.

This enables the F$ functions in the DVF schema. This function is available (to execute) to the general database account population.

Syntax

DVSYS.GET_FACTOR(
  p_factor IN VARCHAR2)
RETURN VARCHAR2;

Parameter

Table 16-26 GET_FACTOR Parameter

Parameter Description

Parameter	Description
`p_factor`	Factor name. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` data dictionary view, described in "DVSYS.DBA_DV_FACTOR View".

p_factor

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR data dictionary view, described in "DVSYS.DBA_DV_FACTOR View".

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get Client ID Factor Identity',
  rule_expr => 'DVSYS.GET_FACTOR(''Sector2_ClientID'')');
END;
/

GET_TRUST_LEVEL Function

The GET_TRUST_LEVEL function returns the trust level of the current session identity for the factor requested. The return type is VARCHAR2.

This function is available (to execute) to the general database account population. See "Creating and Configuring a Factor Identity" for a listing of the available trust levels.

Syntax

DVSYS.GET_TRUST_LEVEL(
  p_factor IN VARCHAR2)
RETURN VARCHAR2;

Parameter

Table 16-27 GET_TRUST_LEVEL Parameter

Parameter Description

Parameter	Description
`p_factor`	Factor name. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` data dictionary view, described in "DVSYS.DBA_DV_FACTOR View".

p_factor

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR data dictionary view, described in "DVSYS.DBA_DV_FACTOR View".

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get Client ID Trust Level',
  rule_expr => 'DVSYS.GET_TRUST_LEVEL(''Sector2_ClientID'')');
END;
/

GET_TRUST_LEVEL_FOR_IDENTITY Function

The GET_TRUST_LEVEL_FOR_IDENTITY function returns the trust level for the factor and identity requested. The return type is VARCHAR2.

This function is available (to execute) to the general database account population. See "Creating and Configuring a Factor Identity" for a listing of the available trust levels.

Syntax

DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY(
  p_factor   IN VARCHAR2, 
  p_identity IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 16-28 GET_TRUST_LEVEL_FOR_IDENTITY Parameters

Parameter Description

Parameter	Description
`p_factor`	Factor name. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DVSYS.DBA_DV_FACTOR View".
`p_identity`	Identity value. To find the identities for each factor in the current database instance, use the `DVSYS.DBA_DV_IDENTITY` data dictionary view, described in "DVSYS.DBA_DV_IDENTITY View".

p_factor

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DVSYS.DBA_DV_FACTOR View".

p_identity

Identity value.

To find the identities for each factor in the current database instance, use the DVSYS.DBA_DV_IDENTITY data dictionary view, described in "DVSYS.DBA_DV_IDENTITY View".

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get Client ID Identity Trust Level',
  rule_expr => 'DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY(''Sector2_ClientID'', ''identity'')');
END;
/

ROLE_IS_ENABLED Function

The ROLE_IS_ENABLED function returns a boolean value that specifies whether a database role has been enabled. The return type is BOOLEAN.

This function is available (to execute) to the general database account population.

Syntax

DVSYS.ROLE_IS_ENABLED(
  p_role IN VARCHAR2)
RETURN BOOLEAN;

Parameter

Table 16-29 ROLE_IS_ENABLED Parameter

Parameter Description

Parameter	Description
`p_role`	Database role name to check. To find existing roles, use the following data dictionary views: `DBA_ROLES`: Finds available roles in the current database instance. See Oracle Database Reference. `DVSYS.DBA_DV_REALM_AUTH`: Finds the authorization of a particular role. See "DVSYS.DBA_DV_REALM View". `DVSYS.DBA_DV_ROLE`: Finds existing secure application roles used in privilege management. See "DVSYS.DBA_DV_ROLE View".

p_role

Database role name to check.

To find existing roles, use the following data dictionary views:

DBA_ROLES: Finds available roles in the current database instance. See Oracle Database Reference.
DVSYS.DBA_DV_REALM_AUTH: Finds the authorization of a particular role. See "DVSYS.DBA_DV_REALM View".
DVSYS.DBA_DV_ROLE: Finds existing secure application roles used in privilege management. See "DVSYS.DBA_DV_ROLE View".

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check if SYSADM Role Is Enabled',
  rule_expr => 'DVSYS.ROLE_IS_ENABLED(''SYSADM'')');
END;
/

GET_FACTOR_LABEL Function

The GET_FACTOR_LABEL function returns the label for the specified factor when the factor has a label assigned to it for the specified Oracle Label Security policy. The return type is VARCHAR2.

The function returns a label that is merged with the maximum session label for the policy if the policy is configured with Oracle Label Security. The function is available (to execute) to the general database population.

Syntax

DVSYS.GET_FACTOR_LABEL(
  p_factor      IN VARCHAR2, 
  p_policy_name IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 16-30 GET_FACTOR_LABEL Parameters

Parameter Description

Parameter	Description
`p_factor`	Factor name. To find the available factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` data dictionary view. To find factors that are associated with Oracle Label Security policies, use `DVSYS.DBA_DV_MAC_POLICY_FACTOR`. See "DVSYS.DBA_DV_FACTOR View" and "DVSYS.DBA_DV_MAC_POLICY_FACTOR View".
`p_policy_name`	Oracle Label Security policy name. Use the following data dictionary views to find information about policies and factors in the current database instance: `DVSYS.DBA_DV_MAC_POLICY`: Lists Oracle Label Security policies defined in the current database instance. See "DVSYS.DBA_DV_MAC_POLICY View". `DVSYS.DBA_DV_MAC_POLICY_FACTOR`: Lists the factors that are associated with Oracle Label Security policies for the current database instance. See "DVSYS.DBA_DV_MAC_POLICY_FACTOR View". `DVSYS.DBA_DV_POLICY_LABEL`: Lists the Oracle Label Security label for each factor identifier in the `DVSYS.DBA_DV_IDENTITY` view for each policy. See "DVSYS.DBA_DV_POLICY_LABEL View".

p_factor

Factor name.

To find the available factors in the current database instance, query the DVSYS.DBA_DV_FACTOR data dictionary view. To find factors that are associated with Oracle Label Security policies, use DVSYS.DBA_DV_MAC_POLICY_FACTOR.

See "DVSYS.DBA_DV_FACTOR View" and "DVSYS.DBA_DV_MAC_POLICY_FACTOR View".

p_policy_name

Oracle Label Security policy name.

Use the following data dictionary views to find information about policies and factors in the current database instance:

DVSYS.DBA_DV_MAC_POLICY: Lists Oracle Label Security policies defined in the current database instance. See "DVSYS.DBA_DV_MAC_POLICY View".
DVSYS.DBA_DV_MAC_POLICY_FACTOR: Lists the factors that are associated with Oracle Label Security policies for the current database instance. See "DVSYS.DBA_DV_MAC_POLICY_FACTOR View".
DVSYS.DBA_DV_POLICY_LABEL: Lists the Oracle Label Security label for each factor identifier in the DVSYS.DBA_DV_IDENTITY view for each policy. See "DVSYS.DBA_DV_POLICY_LABEL View".

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get the ClientID Factor Label',
  rule_expr => 'DVSYS.GET_FACTOR_LABEL(''Sector2_ClientID'', ''Access Locations'')');
END;
/

Oracle Database Vault DVF PL/SQL Factor Functions

In addition to the functions and procedures made available from the DVSYS schema, the DVF schema contains a single function for each factor defined in the system.

About the Oracle Database Vault DVF PL/SQL Factor Functions

Oracle Database Vault maintains the DVF schema functions when you use the DBMS_MACADM PL/SQL package to manage the various factors. The functions are then available to the general database account population through PL/SQL functions and standard SQL. This enables factors to be used in Oracle Label Security, Oracle Virtual Private Database (VPD), and so on.

Typically, you can incorporate these functions into rule expressions. For example:

BEGIN
 DBMS_MACADM.CREATE_RULE(
 rule_name => 'Not Internal DBA',
 rule_expr => 'DVF.F$SESSION_USER NOT IN (''JSMTIH'', ''TBROWN'')');
END;
/

To find the value of a factor function, select from the DUAL system table. For example:

SELECT DVF.F$SESSION_USER FROM DUAL;

F$SESSION_USER
------------------------------------------------
LEO_DVOWNER

The name of the factor itself is case-insensitive. For example, the following statements return the same result

select dvf.f$session_user from dual;

SELECT DVF.F$SESSION_USER FROM DUAL;

Table 16-31 lists the default factor functions.

Table 16-31 Installed Oracle Database Vault Factor Functions

DVF Factor Function	Description
F$AUTHENTICATION_METHOD Function	Returns the method of authentication in `VARCHAR2` data type. In the list that follows, the type of user is followed by the method returned
F$CLIENT_IP Function	Returns the IP address of the computer from which the client is connected
F$DATABASE_DOMAIN Function	Returns the domain of the database as specified in the `DB_DOMAIN` initialization parameter
F$DATABASE_HOSTNAME Function	Returns the host name of the computer on which the database instance is running
F$DATABASE_INSTANCE Function	Returns the database instance identification number of the current database instance
F$DATABASE_IP Function	Returns the IP address of the computer on which the database instance is running
F$DATABASE_NAME Function	Returns the name of the database as specified in the `DB_NAME` initialization parameter
F$DOMAIN Function	Returns a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level
F$ENTERPRISE_IDENTITY Function	Returns the enterprise-wide identity for a user
F$IDENTIFICATION_TYPE Function	Returns the way the schema of a user was created in the database. Specifically, it reflects the `IDENTIFIED` clause in the `CREATE USER` or `ALTER USER` syntax.
F$LANG Function	Returns the ISO abbreviation for the language name, a shorter form than the existing `LANGUAGE` parameter
F$LANGUAGE Function	Returns the language and territory currently used by your session, in `VARCHAR2` data type, along with the database character set
F$MACHINE Function	Returns the computer (host) name for the database client that established the database session.
F$NETWORK_PROTOCOL Function	Returns the network protocol being used for communication, as specified in the `PROTOCOL`=`protocol` portion of the connect string
F$PROXY_ENTERPRISE_IDENTITY Function	Returns the Oracle Internet Directory distinguished name (DN) when the proxy user is an enterprise user
F$SESSION_USER Function	Returns the database user name by which the current user is authenticated

F$AUTHENTICATION_METHOD Function

The F$AUTHENTICATION_METHOD function returns the method of authentication in VARCHAR2 data type.

In the list that follows, the type of user is followed by the method returned:

Password-authenticated enterprise user, local database user, or SYSDBA/SYSOPER using Password File; proxy with user name using password: PASSWORD
Kerberos-authenticated enterprise or external user: KERBEROS
SSL-authenticated enterprise or external user: SSL
Radius-authenticated external user: RADIUS
Operating system-authenticated external user or SYSDBA/SYSOPER: OS
DCE-authenticated external user: DCE
Proxy with certificate, distinguished name (DN), or user name without using password: NONE

You can use IDENTIFICATION_TYPE to distinguish between external and enterprise users when the authentication method is Password, Kerberos, or SSL.

Syntax

DVF.F$AUTHENTICATION_METHOD () 
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check SSL Authentication Method',
  rule_expr => 'DVF.F$AUTHENTICATION_METHOD = ''SSL''');
END;
/

F$CLIENT_IP Function

The F$CLIENT_IP function returns the IP address of the computer from which the client is connected, in VARCHAR2 data type.

Syntax

DVF.F$CLIENT_IP ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Client IP Address',
  rule_expr => 'DVF.F$CLIENT_IP BETWEEN ''192.0.2.10'' AND ''192.0.2.20''');
END;
/

F$DATABASE_DOMAIN Function

The F$DATABASE_DOMAIN function returns the domain of the database as specified in the DB_DOMAIN initialization parameter, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_DOMAIN ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Client Database Domain',
  rule_expr => 'DVF.F$DATABASE_DOMAIN NOT IN (''EXAMPLE'', ''YOURDOMAIN'')');
END;
/

F$DATABASE_HOSTNAME Function

The F$DATABASE_HOSTNAME function returns the host name of the computer on which the instance is running, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_HOSTNAME ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Host Name',
  rule_expr => 'DVF.F$DATABASE_HOSTNAME IN (''SHOBEEN'', ''MAU'')');
END;
/

F$DATABASE_INSTANCE Function

The F$DATABASE_INSTANCE function returns the instance identification number of the current database instance, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_INSTANCE ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database Instance ID',
  rule_expr => 'DVF.F$DATABASE_INSTANCE = ''SALES_DB''');
END;
/

F$DATABASE_IP Function

The F$DATABASE_IP function returns the IP address of the computer on which the database instance is running, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_IP ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database IP address',
  rule_expr => 'DVF.F$DATABASE_IP = ''192.0.2.5''');
END;
/

F$DATABASE_NAME Function

The F$DATABASE_NAME function returns the name of the database as specified in the DB_NAME initialization parameter, in VARCHAR2 data type.

Syntax

DVF.F$DATABASE_NAME ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database DB_NAME Name',
  rule_expr => 'DVF.F$DATABASE_NAME = ''ORCL''');
END;
/

F$DOMAIN Function

The F$DOMAIN function returns a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level. The return type is VARCHAR2.

You can identify a domain using factors such as host name, IP address, and database instance names of the Oracle Database Vault nodes in a secure access path to the database. Each domain can be uniquely determined using a combination of the factor identifiers that identify the domain. You can use these identifying factors and possibly additional factors to define the Maximum Security Label within the domain. This restricts data access and commands, depending on the physical factors about the Oracle Database Vault session. Example domains of interest may be Corporate Sensitive, Internal Public, Partners, and Customers.

Syntax

DVF.F$DOMAIN ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Domain',
  rule_expr => 'DVF.F$DOMAIN = ''EXAMPLE.COM''');
END;
/

F$ENTERPRISE_IDENTITY Function

The F$ENTERPRISE_IDENTITY function returns the enterprise-wide identity for a user, in VARCHAR2 data type:

For enterprise users: the Oracle Internet Directory DN.
For external users: the external identity (Kerberos principal name, Radius and DCE schema names, operating system user name, certificate DN).
For local users and SYSDBA/SYSOPER logins: NULL.

The value of the attribute differs by proxy method:

For a proxy with DN: the Oracle Internet Directory DN of the client.
For a proxy with certificate: the certificate DN of the client for external users; the Oracle Internet Directory DN for global users.
For a proxy with user name: the Oracle Internet Directory DN if the client is an enterprise user; NULL if the client is a local database user.

Syntax

DVF.F$ENTERPRISE_IDENTITY ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check User Enterprise Identity',
  rule_expr => 'DVF.F$ENTERPRISE_IDENTITY NOT IN (''JSMITH'', ''TSMITH'')');
END;
/

F$IDENTIFICATION_TYPE Function

The F$IDENTIFICATION_TYPE function returns the way the schema of a user was created in the database. Specifically, it reflects the IDENTIFIED clause in the CREATE/ALTER USER syntax. The return type is VARCHAR2.

In the list that follows, the syntax used during schema creation is followed by the identification type returned:

IDENTIFIED BY password: LOCAL
IDENTIFIED EXTERNALLY: EXTERNAL
IDENTIFIED GLOBALLY: GLOBAL SHARED
IDENTIFIED GLOBALLY AS DN: GLOBAL PRIVATE

Syntax

DVF.F$IDENTIFICATION_TYPE ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check User Schema Creation Type',
  rule_expr => 'DVF.F$IDENTIFICATION_TYPE = ''GLOBAL SHARED''');
END;
/

F$LANG Function

The F$LANG function returns the ISO abbreviation for the language name, a shorter form than the existing LANGUAGE parameter, for the session of the user. The return type is VARCHAR2.

See Oracle Database Globalization Support Guide for a listing of supported languages for Oracle Database.

Syntax

DVF.F$LANG ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check ISO Abbreviated Language Name',
  rule_expr => 'DVF.F$LANG IN (''EN'', ''DE'', ''FR'')');
END;
/

F$LANGUAGE Function

The F$LANGUAGE function returns the language and territory currently used by a user session, along with the database character set. The return type is VARCHAR2.

The return type is in the following format:

language_territory.characterset

See Oracle Database Globalization Support Guide for a listing of supported languages and territories for Oracle Database.

Syntax

DVF.F$LANGUAGE ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Session Language and Territory',
  rule_expr => 'DVF.F$LANGUAGE = ''AMERICAN_AMERICA.WE8ISO8859P1''');
END;
/

F$MACHINE Function

The F$MACHINE function returns the computer (host) name for the database client that established the database session. The return type is VARCHAR2.

Syntax

DVF.F$MACHINE ()
RETURN VARCHAR2;

Parameter

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Client Computer Host Name',
  rule_expr => 'DVF.F$MACHINE NOT IN (''SHOBEEN'', ''SEBASTIAN'')');
END;
/

F$NETWORK_PROTOCOL Function

The F$NETWORK_PROTOCOL function returns the network protocol being used for communication, as specified in the PROTOCOL=protocol portion of the connect string. The return type is VARCHAR2.

Syntax

DVF.F$NETWORK_PROTOCOL ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Network Protocol',
  rule_expr => 'DVF.F$NETWORK_PROTOCOL = ''TCP''');
END;
/

F$PROXY_ENTERPRISE_IDENTITY Function

The F$PROXY_ENTERPRISE_IDENTITY function returns the Oracle Internet Directory distinguished name (DN) when the proxy user is an enterprise user. The return type is VARCHAR2.

Syntax

DVF.F$PROXY_ENTERPRISE_IDENTITY ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Get OID DN of Enterprise User',
  rule_expr => 'DVF.F$PROXY_ENTERPRISE_IDENTITY = ''cn=Provisioning Admins''');
END;
/

F$SESSION_USER Function

The F$SESSION_USER function returns the database user name by which the current user is authenticated. This value remains the same throughout the session. The return type is VARCHAR2.

Syntax

DVF.F$SESSION_USER ()
RETURN VARCHAR2;

Parameters

None.

Example

BEGIN 
 DBMS_MACADM.CREATE_RULE(
  rule_name => 'Check Database User Name',
  rule_expr => 'DVF.F$SESSION_USER IN (''JSMITH'', ''TSMITH'')');
END;
/