You can use the DBMS_MACADM and DBMS_MACSEC_ROLES PL/SQL packages to manage Database Vault secure application roles.
See Also:
- Chapter 9, "Configuring Secure Application Roles for Oracle Database Vault," for detailed information about realms
- Chapter 19, "Oracle Database Vault Utility APIs," for a set of general-purpose utility procedures that you can use with the secure application role procedures and functions
The DBMS_MACADM package enables you to create, delete, rename, and update Oracle Database Vault secure application roles.
Table 17-1 lists procedures within the DBMS_MACADM package that you can use to configure Oracle Database Vault secure application roles. Only users who have been granted the DV_OWNER or DV_ADMIN role can use these procedures.
Table 17-1 DBMS_MACADM Secure Application Role Configuration Procedures

| Procedure | Description |
|---|---|
| CREATE_ROLE | Creates an Oracle Database Vault secure application role |
| DELETE_ROLE | Deletes an Oracle Database Vault secure application role |
| RENAME_ROLE | Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used. |
| UPDATE_ROLE | Updates an Oracle Database Vault secure application role |
The CREATE_ROLE procedure creates an Oracle Database Vault secure application role.
```sql
DBMS_MACADM.CREATE_ROLE(
  role_name     IN VARCHAR2,
  enabled       IN VARCHAR2,
  rule_set_name IN VARCHAR2);
```

Table 17-2 CREATE_ROLE Parameters

| Parameter | Description |
|---|---|
| role_name | Role name, up to 30 characters, with no spaces. To find existing secure application roles in the current database instance, query the |
| enabled | Whether the role can be enabled. The example that follows passes DBMS_MACUTL.G_YES. |
| rule_set_name | Name of the rule set that determines whether this secure application role can be enabled. To find existing rule sets in the current database instance, query the |

```sql
BEGIN
  DBMS_MACADM.CREATE_ROLE(
    role_name     => 'Sector2_APP_MGR',
    enabled       => DBMS_MACUTL.G_YES,
    rule_set_name => 'Check App2 Access');
END;
/
```
The DELETE_ROLE procedure deletes an Oracle Database Vault secure application role.
```sql
DBMS_MACADM.DELETE_ROLE(
  role_name IN VARCHAR2);
```

Table 17-3 DELETE_ROLE Parameter

| Parameter | Description |
|---|---|
| role_name | Role name. To find existing secure application roles in the current database instance, query the |

```sql
EXEC DBMS_MACADM.DELETE_ROLE('SECT2_APP_MGR');
```
The RENAME_ROLE procedure renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.
```sql
DBMS_MACADM.RENAME_ROLE(
  role_name     IN VARCHAR2,
  new_role_name IN VARCHAR2);
```

Table 17-4 RENAME_ROLE Parameters

| Parameter | Description |
|---|---|
| role_name | Current role name. To find existing secure application roles in the current database instance, query the |
| new_role_name | Role name, up to 30 characters, with no spaces. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Language Reference. |

```sql
BEGIN
  DBMS_MACADM.RENAME_ROLE(
    role_name     => 'SECT2_APP_MGR',
    new_role_name => 'SECT2_SYSADMIN');
END;
/
```
The UPDATE_ROLE procedure updates an Oracle Database Vault secure application role.

```sql
DBMS_MACADM.UPDATE_ROLE(
  role_name     IN VARCHAR2,
  enabled       IN VARCHAR2,
  rule_set_name IN VARCHAR2);
```

Table 17-5 UPDATE_ROLE Parameters

| Parameter | Description |
|---|---|
| role_name | Role name. To find existing secure application roles in the current database instance, query the |
| enabled | Whether the role can be enabled. The example that follows passes DBMS_MACUTL.G_YES. The default for |
| rule_set_name | Name of the rule set that determines whether this secure application role can be enabled. To find existing rule sets in the current database instance, query the |

```sql
BEGIN
  DBMS_MACADM.UPDATE_ROLE(
    role_name     => 'SECT2_SYSADMIN',
    enabled       => DBMS_MACUTL.G_YES,
    rule_set_name => 'System Access Controls');
END;
/
```
The DBMS_MACSEC_ROLES PL/SQL package enables you to check whether a user is authorized to use an Oracle Database Vault secure application role, and it enables you to set secure application roles.
You can modify your applications to use the procedures within the DBMS_MACSEC_ROLES package to check the authorization for a user or to set an Oracle Database Vault secure application role. The DBMS_MACSEC_ROLES package is available to all users.
Table 17-6 lists the DBMS_MACSEC_ROLES package function and procedure.
Table 17-6 DBMS_MACSEC_ROLES Oracle Label Security Configuration Procedures

| Function or Procedure | Description |
|---|---|
| CAN_SET_ROLE | Checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. Returns a BOOLEAN value. |
| SET_ROLE | Issues the SET ROLE PL/SQL statement for the specified roles. |
The CAN_SET_ROLE function checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. The authorization is determined by checking the rule set associated with the role. The return type is BOOLEAN.
```sql
DBMS_MACSEC_ROLES.CAN_SET_ROLE(
  p_role IN VARCHAR2)
RETURN BOOLEAN;
```

Table 17-7 CAN_SET_ROLE Parameter

| Parameter | Description |
|---|---|
| p_role | Role name. To find existing secure application roles in the current database instance, query the |

```sql
SET SERVEROUTPUT ON
BEGIN
  IF DBMS_MACSEC_ROLES.CAN_SET_ROLE('SECTOR2_APP_MGR')
  THEN DBMS_OUTPUT.PUT_LINE('''SECTOR2_APP_MGR'' can be enabled.');
  END IF;
END;
/
```
The SET_ROLE procedure issues the SET ROLE PL/SQL statement for the specified roles, including both Oracle Database Vault secure application roles and regular Oracle Database roles. This procedure sets an Oracle Database Vault secure application role only if the rule set that is associated with the role evaluates to true. Before SET ROLE is issued, the CAN_SET_ROLE method is called to check the rule set associated with the role. Run-time rule set behavior such as auditing, failure processing, and event handling occurs during this process.
The SET_ROLE procedure is available to the general database account population.
```sql
DBMS_MACSEC_ROLES.SET_ROLE(
  p_role IN VARCHAR2);
```

| Parameter | Description |
|---|---|
| p_role | Role names. You can enter multiple roles, separated by commas (,). To find existing secure application roles in the current database instance, query the To find all of the existing roles in the database, query the |

```sql
EXEC DBMS_MACSEC_ROLES.SET_ROLE('SECTOR2_APP_MGR, APPS_MGR');
```
You can enter the name of the role in any case (for example, Sector2_APP_MGR).
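The following application-side block is an added example, not part of the Oracle documentation on this page: it combines CAN_SET_ROLE and SET_ROLE with a check of the SESSION_ROLES view so that the application proceeds with privileged work only when the role is actually active. It assumes the SECTOR2_APP_MGR role from the examples above exists and that the block runs in the application user's session.

```sql
-- Added example (not Oracle's own code). Enables a Database Vault secure
-- application role only when its rule set permits it, and verifies the
-- outcome before the application relies on the role's privileges.
-- Assumes the SECTOR2_APP_MGR role from this section already exists.
SET SERVEROUTPUT ON

DECLARE
  v_role   VARCHAR2(128) := 'SECTOR2_APP_MGR';  -- role created earlier in this section
  v_active NUMBER;
BEGIN
  -- Step 1: let Database Vault evaluate the rule set attached to the role.
  -- Rule set auditing and event handling run here even if SET ROLE never follows.
  IF NOT DBMS_MACSEC_ROLES.CAN_SET_ROLE(v_role) THEN
    DBMS_OUTPUT.PUT_LINE('Rule set denied ' || v_role || '; continuing without it.');
    RETURN;
  END IF;

  -- Step 2: enable the role. SET_ROLE re-evaluates the rule set itself, so a
  -- change between steps 1 and 2 cannot enable a role the rule set now denies.
  BEGIN
    DBMS_MACSEC_ROLES.SET_ROLE(v_role);
  EXCEPTION
    WHEN OTHERS THEN
      -- Failure processing configured on the rule set has already run; log and stop.
      DBMS_OUTPUT.PUT_LINE('SET_ROLE failed for ' || v_role || ': ' || SQLERRM);
      RETURN;
  END;

  -- Step 3: do not trust the call alone; confirm the role is active in this session.
  -- Role names in SESSION_ROLES are stored in upper case.
  SELECT COUNT(*)
    INTO v_active
    FROM SESSION_ROLES
   WHERE ROLE = UPPER(v_role);

  IF v_active = 1 THEN
    DBMS_OUTPUT.PUT_LINE(v_role || ' is active; privileged work may proceed.');
  ELSE
    DBMS_OUTPUT.PUT_LINE(v_role || ' is not active in this session; aborting.');
  END IF;
END;
/
```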