21 Oracle Database Vault API Reference

Oracle Database Vault provides a rich set of APIs, both in PL/SQL packages and in standalone procedures.

Topics:

DBMS_MACADM PL/SQL Package Contents
DBMS_MACSEC_ROLES PL/SQL Package Contents
DBMS_MACUTL PL/SQL Package Contents
DVSYS.CONFIGURE_DV PL/SQL Procedure
DVF PL/SQL Interface Contents

DBMS_MACADM PL/SQL Package Contents

The procedures and functions within the DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.

The DBMS_MACADM package is available only for users who have been granted the DV_ADMIN or DV_OWNER role.

Table 20–1 lists the contents of the DBMS_MACADM package.

Table 21-1 DBMS_MACADM PL/SQL Package Contents

Procedure or Function	Description
Realm APIs
`ADD_AUTH_TO_REALM` procedure	Authorizes a user or role to access a realm as an owner or a participant
`ADD_OBJECT_TO_REALM` procedure	Registers a set of objects for realm protection
`CREATE_REALM` procedure	Creates a realm
`DELETE_AUTH_FROM_REALM` procedure	Removes the authorization of a user or role to access a realm
`DELETE_OBJECT_FROM_REALM` procedure	Removes a set of objects from realm protection
`DELETE_REALM` procedure	Deletes a realm, including its related Database Vault configuration information that specifies who is authorized and what objects are protected
`DELETE_REALM_CASCADE` procedure	Deletes a realm, including its related Database Vault configuration information that specifies who is authorized and what objects are protected
`RENAME_REALM` procedure	Renames a realm. The name change takes effect everywhere the realm is used.
`UPDATE_REALM` procedure	Updates a realm
`UPDATE_REALM_AUTH` procedure	Updates the authorization of a user or role to access a realm
Rule Set APIs
`CREATE_RULE_SET` procedure	Creates a rule set
`RENAME_RULE_SET` procedure	Renames a rule set. The name change takes effect everywhere the rule set is used.
`DELETE_RULE_FROM_RULE_SET` procedure	Deletes a rule from a rule set
`DELETE_RULE_SET` procedure	Deletes a rule set
`UPDATE_RULE_SET` procedure	Updates a rule set
Rule APIs
`CREATE_RULE` procedure	Creates a rule
`ADD_RULE_TO_RULE_SET` procedure	Adds a rule to a rule set
`DELETE_RULE` procedure	Deletes a rule
`RENAME_RULE` procedure	Renames a rule. The name change takes effect everywhere the rule is used.
`UPDATE_RULE` procedure	Updates a rule
Command Rule APIs
`CREATE_COMMAND_RULE` procedure	Creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set
`DELETE_COMMAND_RULE` procedure	Drops a command rule declaration
`UPDATE_COMMAND_RULE` procedure	Updates a command rule declaration
Factor APIs
`ADD_FACTOR_LINK` procedure	Specifies a parent-child relationship for two factors
`ADD_POLICY_FACTOR` procedure	Specifies that the label for a factor contributes to the Oracle Label Security label for a policy.
`CHANGE_IDENTITY_FACTOR` procedure	Associates an identity with a different factor
`CHANGE_IDENTITY_VALUE` procedure	Updates the value of an identity
`CREATE_DOMAIN_IDENTITY` procedure	Adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.
`CREATE_FACTOR` procedure	Creates a factor
`CREATE_FACTOR_TYPE` procedure	Creates a factor type
`CREATE_IDENTITY` procedure	Creates an identity
`CREATE_IDENTITY_MAP` procedure	Defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors)
`DELETE_FACTOR` procedure	Deletes a factor
`DELETE_FACTOR_LINK` procedure	Removes a parent-child relationship for two factors
`DELETE_FACTOR_TYPE` procedure	Deletes a factor type
`DELETE_IDENTITY` procedure	Removes an identity
`DELETE_IDENTITY_MAP` procedure	Removes an identity map from a factor
`DROP_DOMAIN_IDENTITY` procedure	Removes an Oracle RAC database node from a domain
`GET_INSTANCE_INFO` function	Returns information from the `SYS.V_$INSTANCE` system table about the current database instance; returns a `VARCHAR2` value
`GET_SESSION_INFO` function	Returns information from the `SYS.V_$SESSION` system table for the current session; returns a `VARCHAR2` value
`RENAME_FACTOR` procedure	Renames a factor. The name change takes effect everywhere the factor is used.
`RENAME_FACTOR_TYPE` procedure	Renames a factor type. The name change takes effect everywhere the factor type is used.
`UPDATE_FACTOR` procedure	Updates a factor
`UPDATE_FACTOR_TYPE` procedure	Updates the description of a factor type
`UPDATE_IDENTITY` procedure	Updates the trust level of a factor identity
Database Vault Secure Application Role APIs
`CREATE_ROLE` procedure	Creates an Oracle Database Vault secure application role
`DELETE_ROLE` procedure	Deletes an Oracle Database Vault secure application role
`RENAME_ROLE` procedure	Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.
`UPDATE_ROLE` procedure	Updates a Oracle Database Vault secure application role
Oracle Label Security APIs
`CREATE_MAC_POLICY` procedure	Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label
`CREATE_POLICY_LABEL` procedure	Labels an identity within an Oracle Label Security policy
`DELETE_MAC_POLICY_CASCADE` procedure	Deletes all Oracle Database Vault objects related to an Oracle Label Security policy.
`DELETE_POLICY_FACTOR` procedure	Removes the factor from contributing to the Oracle Label Security label
`DELETE_POLICY_LABEL` procedure	Removes the label from an identity within an Oracle Label Security policy
`UPDATE_MAC_POLICY` procedure	Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label
General Administrative APIs
`ADD_NLS_DATA` procedure	Adds a new language to Oracle Database Vault
`AUTHORIZE_DATAPUMP_USER` procedure	Authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled
`AUTHORIZE_DDL` procedure	Grants a user authorization to execute data definition language (DDL) statements
`AUTHORIZE_PROXY_USER` procedure	Grants a proxy user authorization to proxy other user accounts
`AUTHORIZE_SCHEDULER_USER` procedure	Authorizes a user to schedule database jobs when Oracle Database Vault is enabled
`AUTHORIZE_TTS_USER` procedure	Authorizes a user to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled
`UNAUTHORIZE_DATAPUMP_USER` procedure	Revokes the authorization that was granted by the `DBMS_MACADM.AUTHORIZE_DATAPUMP_USER` procedure
`UNAUTHORIZE_DDL` procedure	Revokes authorization from a user who was granted authorization to execute DDL statements through the `DBMS_MACDM.AUTHORIZE_DDL` procedure
`UNAUTHORIZE_PROXY_USER` procedure	Revokes authorization from a user who was granted proxy authorization from the `DBMS_MACADM.AUTHORIZE_PROXY_USER` procedure
`UNAUTHORIZE_SCHEDULER_USER` procedure	Revokes authorization that was granted by the `DBMS_MACADM.AUTHORIZE_SCHEDULER_USER` procedure
`UNAUTHORIZE_TTS_USER` procedure	Revokes from authorization a user who had been granted authorization to perform Oracle Data Pump transportable tablespace operations for a tablespace when Oracle Database Vault is enabled
`DISABLE_DV` procedure	Disables Oracle Database Vault
`DISABLE_DV_DICTIONARY_ACCTS` procedure	Prevents users from logging into the `DVSYS` and `DFV` schema accounts
`DISABLE_DV_PATCH_ADMIN`	Disables auditing of the `DV_PATCH_ADMIN` user
`DISABLE_ORADEBUG` procedure	Disables the use of the `ORADEBUG` utility in an Oracle Database Vault environment
`ENABLE_DV` procedure	Enables Oracle Database Vault
`ENABLE_DV_DICTIONARY_ACCTS` procedure	Enables users to log into the `DVSYS` and `DFV` schema accounts
`ENABLE_DV_PATCH_ADMIN`	Enables auditing of the `DV_PATCH_ADMIN` user
`ENABLE_ORADEBUG` procedure	Enables the use of the `ORADEBUG` utility in an Oracle Database Vault environment

See Also:

DBMS_MACSEC_ROLES PL/SQL Package Contents

The DBMS_MACSEC_ROLES package provides one function and one procedure which enable to you to check and set Oracle Database Vault secure application roles. This package is available to the general database account population.

Table 20–2 lists the contents of the DBMS_MACSEC_ROLES package.

Table 21-2 DBMS_MACSEC_ROLES PL/SQL Package Contents

Procedure or Function	Description
`CAN_SET_ROLE` function	Checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. Returns a `BOOLEAN` value.
`SET_ROLE` procedure	Issues the `SET ROLE` statement for an Oracle Database Vault secure application role.

DBMS_MACUTL PL/SQL Package Contents

The DBMS_MACUTL PL/SQL package defines several constants and utility methods that are commonly used by other Oracle Database Vault packages, such as code/message lookup, error handling, data conversion, and privilege checks.

This package can be run by the general database account population. This allows for security developers to leverage the constants in scripted configuration files. Utility methods such as USER_HAS_ROLE can also be used in Oracle Database Vault rules.

Table 20–3 lists the DBMS_MACUTL package contents.

Table 21-3 DBMS_MACUTL PL/SQL Package Contents

Procedure or Function	Description
`CHECK_DVSYS_DML_ALLOWED` procedure	Verifies that public-packages are not being bypassed by users updating the Oracle Database Vault configuration
`GET_CODE_VALUE` function	Looks up the value for a code within a code group.
`GET_SECOND` function	Returns the seconds in Oracle SS format (00-59). Useful for rule expressions based on time data
`GET_MINUTE` function	Returns the minute in Oracle MI format (00–59). Useful for rule expressions based on time data
`GET_HOUR` function	Returns the month in Oracle HH24 format (00–23). Useful for rule expressions based on time data
`GET_DAY` function	Returns the day in Oracle DD format (01–31). Useful for rule expressions based on time data
`GET_MONTH` function	Returns the month in Oracle MM format (01–12). Useful for rule expressions based on time data
`GET_YEAR` function	Returns the year in Oracle YYYY format (0001–9999). Useful for rule expressions based on time data
`IS_ALPHA` function	Checks whether the character is alphabetic
`IS_DIGIT` function	Checks whether the character is numeric
`IS_DVSYS_OWNER` function	Determines whether a user is authorized to manage the Oracle Database Vault configuration
`IS_OLS_INSTALLED` function	Returns an indicator regarding whether Oracle Label Security is installed
`IS_OLS_INSTALLED_VARCHAR` function	Returns an indicator regarding whether Oracle Label Security is installed
`USER_HAS_ROLE` function	Checks whether a user has a role privilege, directly or indirectly (through another role)
`USER_HAS_ROLE_VARCHAR` function	Checks whether a user has a role privilege, directly or indirectly (through another role)
`USER_HAS_SYSTEM_PRIVILEGE` function	Checks whether a user has a system privilege, directly or indirectly (through a role)

See Also:

Chapter 19, "Oracle Database Vault Utility APIs" for details about this package

DVSYS.CONFIGURE_DV PL/SQL Procedure

The CONFIGURE_DV configures the initial two Oracle Database user accounts, which are granted the DV_OWNER and DV_ACCTMGR roles, respectively.

See Also:

"DVSYS.CONFIGURE_DV General System Maintenance Procedure"
"Registering Oracle Database Vault with an Oracle Database" for how to use this procedure to register users

See for more information.

DVF PL/SQL Interface Contents

The DVF schema provides a set of factor-related PL/SQL functions. The functions are then available to the general database account population through PL/SQL functions and standard SQL.

Table 21-4 lists the DVF factor functions.

Table 21-4 DVF PL/SQL Interface Contents

Function	Description
`F$CLIENT_IP`	Returns the IP address of the computer from which the client is connected
`F$DATABASE_DOMAIN`	Returns the domain of the database as specified in the `DB_DOMAIN` initialization parameter
`F$DATABASE_HOSTNAME`	Returns the host name of the computer on which the database instance is running
`F$DATABASE_INSTANCE`	Returns the database instance identification number of the current database instance
`F$DATABASE_IP`	Returns the IP address of the computer on which the database instance is running
`F$DATABASE_NAME`	Returns the name of the database as specified in the `DB_NAME` initialization parameter
`F$DOMAIN`	Returns a named collection of physical, configuration, or implementation-specific factors in the run-time environment (for example, a networked IT environment or subset of it) that operates at a specific sensitivity level
`F$ENTERPRISE_IDENTITY`	Returns the enterprise-wide identity for a user
`F$IDENTIFICATION_TYPE`	Returns the way the schema of a user was created in the database. Specifically, it reflects the `IDENTIFIED` clause in the `CREATE USER` or `ALTER USER` syntax.
`F$LANG`	Returns the ISO abbreviation for the language name, a shorter form than the existing `LANGUAGE` parameter
`F$LANGUAGE`	Returns the language and territory currently used by your session, in `VARCHAR2` data type, along with the database character set
`F$MACHINE`	Returns the computer (host) name for the database client that established the database session.
`F$NETWORK_PROTOCOL`	Returns the network protocol being used for communication, as specified in the `PROTOCOL`=`protocol` portion of the connect string
`F$PROXY_ENTERPRISE_IDENTITY`	Returns the Oracle Internet Directory distinguished name (DN) when the proxy user is an enterprise user
`F$SESSION_USER`	Returns the database user name by which the current user is authenticated

See Also:

"Oracle Database Vault DVF PL/SQL Factor Functions" for detailed information about these functions