The DBMS_MACADM
PL/SQL package contains a set of realm-specific procedures.
Topics:
Table 13-1 lists procedures within the DBMS_MACADM
package that you can use to configure realms.
Only users who have been granted the DV_OWNER
or DV_ADMIN
role can use these procedures. For constants that you can use with these procedures, see Table 19-1 for more information.
See Also:
Chapter 5, "Configuring Realms," for detailed information about realms
Chapter 19, "Oracle Database Vault Utility APIs," for a set of general-purpose utility procedures that you can use with the realm procedures
Table 13-1 DBMS_MACADM Realm Configuration Procedures
Procedure | Description |
---|---|
Authorizes a user or role to access a realm as an owner or a participant |
|
Registers a set of objects for realm protection |
|
Creates a realm |
|
Removes the authorization of a user or role to access a realm |
|
Removes a set of objects from realm protection |
|
Deletes a realm, including its related Database Vault configuration information that specifies who is authorized and what objects are protected |
|
Deletes a realm and its related Database Vault configuration information |
|
Renames a realm. The name change takes effect everywhere the realm is used. |
|
Updates a realm |
|
Updates the authorization of a user or role to access a realm |
The ADD_AUTH_TO_REALM
procedure authorizes a user or role to access a realm as an owner or a participant.
For detailed information about realm authorization, see "About Realm Authorization".
Optionally, you can specify a rule set that must be checked before allowing the authorization to be enabled.
DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name IN VARCHAR2, grantee IN VARCHAR2, rule_set_name IN VARCHAR2, auth_options IN NUMBER);
Table 13-2 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
User or role name to authorize as an owner or a participant. To find the existing users and roles in the current database instance, query the To find the authorization of a particular user or role, query the To find existing secure application roles used in privilege management, query the |
|
Optional. The rule set to check during runtime. The realm authorization is enabled only if the rule set evaluates to To find the available rule sets, query the |
|
Optional. Specify one of the following options to authorize the realm:
See "About Realm Authorization" for more information on participants and owners. |
The following example authorizes user SYSADM
as a participant in the Performance Statistics Realm. Because the default is to authorize the user as a participant, the auth_options
parameter can be omitted.
BEGIN DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Performance Statistics Realm', grantee => 'SYSADM'); END; /
This example sets user SYSADM
as the owner of the Performance Statistics Realm.
BEGIN DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Performance Statistics Realm', grantee => 'SYSADM', auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER); END; /
The next example triggers the Check Conf Access rule set before allowing user SYSADM
to act as the owner of the Performance Statistics Realm.
BEGIN DBMS_MACADM.ADD_AUTH_TO_REALM( realm_name => 'Performance Statistics Realm', grantee => 'SYSADM', rule_set_name => 'Check Conf Access', auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER); END; /
The ADD_OBJECT_TO_REALM
procedure registers a set of objects for realm protection.
DBMS_MACADM.ADD_OBJECT_TO_REALM( realm_name IN VARCHAR2, object_owner IN VARCHAR2, object_name IN VARCHAR2, object_type IN VARCHAR2);
Table 13-3 ADD_OBJECT_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
The owner of the object that is being added to the realm. If you add a role to a realm, the object owner of the role is shown as To find the available users, query the To find the authorization of a particular user or role, query the |
|
Object name. (The wildcard % is allowed. See "Object Name" under "About Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the To find the available objects, query the To find objects that are secured by existing realms, query the |
|
Object type, such as You can also use the |
BEGIN DBMS_MACADM.ADD_OBJECT_TO_REALM( realm_name => 'Performance Statistics Realm', object_owner => '%', object_name => 'GATHER_SYSTEM_STATISTICS', object_type => 'ROLE'); END; /
The CREATE_REALM
procedure creates a realm.
After you create the realm, use the following procedures to complete the realm definition:
ADD_OBJECT_TO_REALM
procedure registers one or more objects for the realm.
ADD_AUTH_TO_REALM
procedure authorizes users or roles for the realm.
DBMS_MACADM.CREATE_REALM( realm_name IN VARCHAR2, description IN VARCHAR2, enabled IN VARCHAR2, audit_options IN NUMBER, realm_type IN NUMBER);
Table 13-4 CREATE_REALM Parameters
Parameter | Description |
---|---|
|
Realm name, up to 90 characters in mixed-case. To find the existing realms in the current database instance, query the |
|
Description of the purpose of the realm, up to 1024 characters in mixed-case. |
|
|
|
Specify one of the following options to audit the realm:
|
|
Specify one of the following options:
See also "Using Mandatory Realms to Restrict User Access to Objects within a Realm" for more information about mandatory realms. |
BEGIN DBMS_MACADM.CREATE_REALM( realm_name => 'Performance Statistics Realm', description => 'Realm to measure performance', enabled => DBMS_MACUTL.G_YES, audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + DBMS_MACUTL.G_REALM_AUDIT_SUCCESS, realm_type => 1); END; /
The DELETE_AUTH_FROM_REALM
procedure removes the authorization of a user or role to access a realm.
DBMS_MACADM.DELETE_AUTH_FROM_REALM( realm_name IN VARCHAR2, grantee IN VARCHAR2);
Table 13-5 DELETE_AUTH_FROM_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
User or role name. To find the authorization of a particular user or role, query the |
BEGIN DBMS_MACADM.DELETE_AUTH_FROM_REALM( realm_name => 'Performance Statistics Realm', grantee => 'SYS'); END; /
The DELETE_OBJECT_FROM_REALM
procedure removes a set of objects from realm protection.
DBMS_MACADM.DELETE_OBJECT_FROM_REALM( realm_name IN VARCHAR2, object_owner IN VARCHAR2, object_name IN VARCHAR2, object_type IN VARCHAR2);
Table 13-6 DELETE_OBJECT_FROM_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
The owner of the object that was added to the realm. To find the available users, query the |
|
Object name. (The wildcard % is allowed. See "Object Name" under "About Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the To find objects that are secured by existing realms, query the |
|
Object type, such as You can also use the |
BEGIN DBMS_MACADM.DELETE_OBJECT_FROM_REALM( realm_name => 'Performance Statistics Realm', object_owner => 'SYS', object_name => 'GATHER_SYSTEM_STATISTICS', object_type => 'ROLE'); END; /
The DELETE_REALM
procedure deletes a realm, including its related Database Vault configuration information that specifies who is authorized and what objects are protected. It does not delete the actual database objects or users.
To find users who are authorized for the realm, query the DVSYS.DBA_DV_REALM_AUTH
view. To find the objects that are protected by the realm, query the DVSYS.DBA_DV_REALM_OBJECT
view. These views are described in Chapter 22, "Oracle Database Vault Data Dictionary Views."
DBMS_MACADM.DELETE_REALM( realm_name IN VARCHAR2);
Table 13-7 DELETE_REALM Parameter
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
EXEC DBMS_MACADM.DELETE_REALM('Performance Statistics Realm');
The DELETE_REALM_CASCADE
procedure deletes a realm, including its related Database Vault configuration information that specifies who is authorized (DVSYS.DBA_DV_REALM_AUTH
view) and what objects are protected (DVSYS.DBA_DV_REALM_OBJECT
view).
It does not delete the actual database objects or users. This procedure works the same as the DELETE_REALM
procedure. (In previous releases, these procedures were different, but now they are the same. Both are retained for earlier compatibility.) To find a listing of the realm-related objects, query the DVSYS.DBA_DV_REALM
view. To find its authorizations, query DVSYS.DBA_DV_REALM_AUTH
. Both are described under Chapter 22, "Oracle Database Vault Data Dictionary Views."
DBMS_MACADM.DELETE_REALM_CASCADE( realm_name IN VARCHAR2);
Table 13-8 DELETE_REALM_CASCADE Parameter
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
EXEC DBMS_MACADM.DELETE_REALM_CASCADE('Performance Statistics Realm');
The RENAME_REALM
procedure renames a realm. The name change takes effect everywhere the realm is used.
DBMS_MACADM.RENAME_REALM( realm_name IN VARCHAR2, new_name IN VARCHAR2);
Table 13-9 RENAME_REALM Parameters
Parameter | Description |
---|---|
|
Current realm name. To find the existing realms in the current database instance, query the |
|
New realm name, up to 90 characters in mixed-case. |
BEGIN DBMS_MACADM.RENAME_REALM( realm_name => 'Performance Statistics Realm', new_name => 'Sector 2 Performance Statistics Realm'); END; /
The UPDATE_REALM
procedure updates a realm. To find information about the current settings for a realm, query the DVSYS.DV$REALM
view, described in "DVSYS.DV$REALM View".
DBMS_MACADM.UPDATE_REALM( realm_name IN VARCHAR2, description IN VARCHAR2, enabled IN VARCHAR2, audit_options IN NUMBER DEFAULT NULL, realm_type IN NUMBER DEFAULT NULL);
Table 13-10 UPDATE_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
Description of the purpose of the realm, up to 1024 characters in mixed-case. |
|
The default for |
|
Specify one of the following options to audit the realm:
The default for |
|
If you do not specify the Specify one of the following options:
See also "Using Mandatory Realms to Restrict User Access to Objects within a Realm" for more information about mandatory realms. |
BEGIN DBMS_MACADM.UPDATE_REALM( realm_name => 'Sector 2 Performance Statistics Realm', description => 'Realm to measure performance for Sector 2 applications', enabled => DBMS_MACUTL.G_YES, audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + G_REALM_AUDIT_SUCCESS); END, realm_type => 1); /
The UPDATE_REALM_AUTH
procedure updates the authorization of a user or role to access a realm.
DBMS_MACADM.UPDATE_REALM_AUTH( realm_name IN VARCHAR2, grantee IN VARCHAR2, rule_set_name IN VARCHAR2, auth_options IN NUMBER);
Table 13-11 UPDATE_REALM_AUTH Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, query the |
|
User or role name. To find the available users and roles, query the To find the authorization of a particular user or role, query the To find existing secure application roles used in privilege management, query the |
|
Optional. A rule set to check during runtime. The realm authorization is enabled only if the rule set evaluates to To find the available rule sets, query the |
|
Optional. Specify one of the following options to authorize the realm:
The default for |
BEGIN DBMS_MACADM.UPDATE_REALM_AUTH( realm_name => 'Sector 2 Performance Statistics Realm', grantee => 'SYSADM', rule_set_name => 'Check Conf Access', auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER); END; /