Index

A B C D E F G H I J L M N O P Q R S T U V W X

A

access control policy

reports

Core Database Vault Audit Report, 24.5.5

access control run-time PL/SQL procedures and functions, 16.2

Access to Sensitive Objects Report, 24.6.3.2

accounts

See database accounts

Accounts With DBA Roles Report, 24.6.5.2

Accounts with SYSDBA/SYSOPER Privilege Report, 24.6.3.4

ad hoc tools

preventing use of, 8.7.1

administrators

DBA operations in Oracle Database Vault, 11

restricting different types, 8.8.1

ADRCI utility

Database Vault, E.1.6.3

alerts

email alert in rule set, 6.8.1

Enterprise Manager Cloud Control, 11.1.2

ALTER ROLE statement

monitoring, 23.2.1

ALTER SESSION privilege

enabling trace files, E.1.5

reports, ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5

ALTER SESSION statement

guidelines on managing privileges, D.6.6.1

ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5

ALTER SYSTEM privilege

reports, ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5

ALTER SYSTEM statement

controlling with command rules, 7.1.1

guidelines on managing privileges, D.6.6.1

ALTER USER statement

monitoring, 23.2.1

ANY privileges, 12.2.14.2

ANY System Privileges for Database Accounts Report, 24.6.2.4

application security

finding privilege use by users, 4.1.5.1

audit policy change

monitoring, 23.2.1

AUDIT privilege, 24.6.5.10

AUDIT Privileges Report, 24.6.5.10

AUDIT_SYS_OPERATIONS initialization parameter, 2.1

AUDIT_TRAIL initialization parameter

effect on Core Database Audit Report, 24.6.8

AUDIT_TRAIL$ system table

affected by AUDIT_TRAIL initialization parameter, 12.2.13.1, A.3.2

archiving, A.4.2

format, 12.2.13.1, A.3.2

purging, A.4.3

auditing

about, A.1

archiving Database Vault audit trail, A.4.2

about, A.4.1

Core Database Audit Report, 24.6.8

DBMS_MACUTL fields, 19.2.1

factors

options, 8.3.4.3

intruders

using factors, 8.3.4.2

using rule sets, 6.3

Oracle Database audit settings, A.5

purging Database Vault audit trail, A.4.3

about, A.4.1

realms

DBMS_MACUTL fields, 19.2.1

options, 5.3

reports, 24.5

rule sets

DBMS_MACUTL fields, 19.2.1

options, 6.3

secure application roles

audit records, 9.9

auditing policies

about, A

audit events

about, A.3.1

custom events

audit trail, A.3.2

events that are tracked, A.3.1

monitoring changes to, 23.2.1

authentication

Authentication_Method default factor, 8.2

command rules, 7.1.1

method, finding with DVF.F$AUTHENTICATION_METHOD, 16.3.2

realm procedures, 13.2

authorizations

Oracle Data Pump activities, 11.2.1

realms, 5.5

scheduling database jobs, 11.3.1

B

BECOME USER Report, 24.6.5.4

BECOME USER system privilege

about, 24.6.5.4

C

catalog-based roles, 24.6.5.9

CDBs

functionality in Oracle Database Vault, 1.8

privilege profiles, 4.1.6

child factors

See factors

clients

finding IP address with DVF.F$CLIENT_IP, 16.3.3

code groups

retrieving value with DBMS_MACUTL functions, 19.3.1

Command Rule Audit Report, 24.5.2

Command Rule Configuration Issues Report, 24.4.1

command rules

about, 7.1.1

creating, 7.4

data dictionary view, 7.10

data masking, 11.8.4

default command rules, 7.2

deleting, 7.5

editing, 7.4

functions

DBMS_MACUTL (utility), 19.1

guidelines, 7.8

how command rules work, 7.6

objects

name, 7.4

owner, 7.4

performance effect, 7.9

procedures

DBMS_MACADM (configuration), 15.1

process flow, 7.6

propagating policies to other databases, 11.1.1

reports, 7.10

rule sets

selecting, 7.4

used with, 7.1.1

troubleshooting

with auditing report, 24.5.2

tutorial, 7.7

views, 7.10, 22.3

with PDBs, 7.1.2

See also rule sets

compliance

Oracle Database Vault addressing, 1.4

computer name

finding with DVF.F$MACHINE, 16.3.14

Machine default factor, 8.2

configuration

monitoring changes, 23.2.1

views

DVSYS.DV$CONFIGURATION_AUDIT, 22.31

DVSYS.DV$ENFORCEMENT_AUDIT, 22.32

SYS.DV$CONFIGURATION_AUDIT, 22.33

CONNECT events, controlling with command rules, 7.1.1

connection pooling

finding unnecessarily granted privileges, 4.1.5.1

context profiles

privilege analysis, 4.1.4

core database

troubleshooting with Core Database Vault Audit Report, 24.5.5

Core Database Audit Report, 24.6.8

Core Database Vault Audit Trail Report, 24.5.5

CPU_PER_SESSION resource profile, 24.6.6.2

CREATE ANY JOB privilege, D.6.3

CREATE ANY JOB statement

guidelines on managing privileges, D.6.3

CREATE EXTERNAL JOB privilege, D.6.4

CREATE JOB privilege, D.6.3

CREATE JOB statement

guidelines on managing privileges, D.6.3

CREATE ROLE statement

monitoring, 23.2.1

CREATE USER statement

monitoring, 23.2.1

CTXSYS schema realm protection, 5.2.4

D

data definition language (DDL)

statement

controlling with command rules, 7.1.1

Data Definition Language (DDL) statements

Database Vault authorization

DVSYS.DBA_DV_DDL_AUTH view, 22.5

granting, 20.1.4, 20.1.4

revoking, 20.1.9

Data Dictionary realm

data masking, 11.8.2

data manipulation language (DML)

statement

checking with DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED function, 19.3.1

controlling with command rules, 7.1.1

data masking

about, 11.8.1

adding users to realms for, 11.8.3

creating command rule for, 11.8.4

errors that can appear, 11.8.1

data Oracle Database Vault recognizes

See factors

Database Account Default Password Report, 24.6.7.1

Database Account Status Report, 24.6.7.2

database accounts

configuring Database Vault accounts as enterprise users, 10.2

counting privileges of, 24.6.4.1

DBSNMP

changing password, 11.1.4

granted DV_MONITOR role, 12.2.5.3

DVSYS, 12.3

LBACSYS, 12.3

monitoring, 23.2.1

reports

Accounts With DBA Roles Report, 24.6.5.2

ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5

ANY System Privileges for Database Accounts Report, 24.6.2.4

AUDIT Privileges Report, 24.6.5.10

BECOME USER Report, 24.6.5.4

Database Account Default Password Report, 24.6.7.1

Database Account Status Report, 24.6.7.2

Database Accounts With Catalog Roles Report, 24.6.5.9

Direct and Indirect System Privileges By Database Account Report, 24.6.2.2

Direct Object Privileges Report, 24.6.1.3

Direct System Privileges By Database Account Report, 24.6.2.1

Hierarchical System Privileges by Database Account Report, 24.6.2.3

Object Access By PUBLIC Report, 24.6.1.1

Object Access Not By PUBLIC Report, 24.6.1.2

OS Security Vulnerability Privileges, 24.6.5.11

Password History Access Report, 24.6.5.6

Privileges Distribution By Grantee Report, 24.6.4.1, 24.6.4.1, 24.6.4.1

Privileges Distribution By Grantee, Owner Report, 24.6.4.2, 24.6.4.2

Privileges Distribution By Grantee, Owner, Privilege Report, 24.6.4.3, 24.6.4.3

Roles/Accounts That Have a Given Role Report, 24.6.5.8

Security Policy Exemption Report, 24.6.5.3

WITH ADMIN Privilege Grants Report, 24.6.5.1

WITH GRANT Privileges Report, 24.6.5.7

solution for lockouts, B.1

suggested, 12.3

Database Accounts With Catalog Roles Report, 24.6.5.9

database administrative operations, 11

database definition language (DDL)

statements

controlling with command rules, 7.1.1

database domains, Database_Domain default factor, 8.2

database objects

Oracle Database Vault, 12

reports

Object Dependencies Report, 24.6.1.4

E

email alert in rule set, 6.8.1

enabling system features with Enabled default rule set, 6.2

encrypted information, 24.6.9.5

enterprise identities, Enterprise_Identity default factor, 8.2

Enterprise Manager

See Oracle Enterprise Manager

enterprise user security

configuring Database Vault accounts for, 10.2

errors

factor error options, 8.3.4.2

event handler

rule sets, 6.3

examples

DBMS_MACUTL constants, 19.2.2

realms, 5.11

separation of duty matrix, D.1.3

trace files, E.1.7, E.1.8, E.1.9

F

Factor Audit Report, 24.5.3

Factor Configuration Issues Report, 24.4.4

Factor Without Identities Report, 24.4.5

factors

about, 8.1

assignment, 8.3.3.7

disabled rule set, 24.4.4

incomplete rule set, 24.4.4

validate, 8.3.3.7

assignment operation, 24.5.3

audit events, custom, A.3.1

audit options, 8.3.4.3

child factors

about, 8.3.3.1

Factor Configuration Issues Report, 24.4.4

mapping, 8.4.6.1, 8.4.6.1

creating, 8.3.1

creating names, 8.3.2

data dictionary views, 8.11

DBMS_MACUTL constants, example of, 19.2.4

default factors, 8.2, 8.2

deleting, 8.5

domain, finding with DVF.F$DOMAIN, 16.3.9

DVSYS.DBA_DV_FACTOR view, 22.7

error options, 8.3.4.2

evaluate, 8.3.3.3

evaluation operation, 24.5.3

factor type

about, 8.3.2

selecting, 8.3.2

factor-identity pair mapping, 8.4.6.2

functionality, 8.6

functions

DBMS_MACUTL (utility), 19.1

DBMS_MACUTL constants (fields), 19.2.1

guidelines, 8.9

identifying using child factors, 8.4.6.1

identities

about, 8.3.3.2, 8.4.1

adding to factor, 8.4

assigning, 8.3.3.3

configuring, 8.4.4

creating, 8.4.4

data dictionary views, 8.11

database session, 8.3.3.2

deleting, 8.4.5

determining with DVSYS.GET_FACTOR, 8.3.3.2

enterprise-wide users, 16.3.9

how factor identities work, 8.3.3.2

labels, 8.3.3.4

mapping, about, 8.4.6.1

mapping, identified, 8.3.3.1

mapping, procedure, 8.4.6.2

mapping, tutorial, 8.8.1

Oracle Label Security labels, 8.3.3.4

reports, 8.11

resolving, 8.3.3.1

retrieval methods, 8.3.3.5

setting dynamically, 16.2.2

trust levels, 8.3.3.2, 8.4.4

with Oracle Label Security, 8.3.3.2

initialization, command rules, 7.1.1

invalid audit options, 24.4.4

label, 24.4.4

naming conventions, 8.3.2

Oracle Virtual Private Database, attaching factors to, 10.4

parent factors, 8.3.3.1

performance effect, 8.10

procedures

DBMS_MACADM (configuration), 16.1.1

process flow, 8.6

propagating policies to other databases, 11.1.1

reports, 8.11

retrieving, 8.6.2

retrieving with DVSYS.GET_FACTOR, 16.2.3

rule sets

selecting, 8.3.4.1

setting, 8.6.3

setting with DVSYS.SET_FACTOR, 16.2.2

troubleshooting

auditing report, 24.5.3

configuration problems, E.3

tips, E.2

type (category of factor), 8.3.2

validating, 8.3.3.7

values (identities), 8.1

views

DVSYS.DBA_DV_FACTOR_LINK, 22.8, 22.8

DVSYS.DBA_DV_FACTOR_TYPE, 22.9

DVSYS.DBA_DV_IDENTITY, 22.10

DVSYS.DBA_DV_IDENTITY_MAP, 22.11

DVSYS.DBA_DV_MAC_POLICY_FACTOR, 22.14

ways to assign, 8.3.3.2

See also rule sets

functions

command rules

DBMS_MACUTL (utility), 19.1

DVSYS schema enabling, 16.2.1

factors

DBMS_MACUTL (utility), 19.1

Oracle Label Security policy

DBMS_MACADM (configuration), 18.1

realms

DBMS_MACUTL (utility), 19.1

rule sets

DBMS_MACADM (configuration), 14.1.1

DBMS_MACUTL (utility), 19.1

PL/SQL functions for inspecting SQL, 14.2.1

secure application roles

DBMS_MACADM (configuration), 17.1.1

DBMS_MACSEC_ROLES (configuration), 17.2.1

DBMS_MACUTL (utility), 19.1, 19.1

G

general security reports, 24.6

GRANT statement

monitoring, 23.2.1

guidelines

ALTER SESSION privilege, D.6.6.1

ALTER SYSTEM privilege, D.6.6.1

command rules, 7.8

CREATE ANY JOB privilege, D.6.3

CREATE EXTERNAL JOB privilege, D.6.4

CREATE JOB privilege, D.6.3

DBMS_FILE_TRANSFER package, D.6.1.1

factors, 8.9

general security, D

LogMiner packages, D.6.5

managing DV_OWNER and DV_ACCTMGR accounts, 12.3

operating system access, D.2.4

Oracle software owner, D.4.2

performance effect, 8.10

realms, 5.13

recycle bin, D.6.2.1

root access, D.2.4

root user access, D.4.1

rule sets, 6.10

secure application roles, 9.4

SYSDBA access, D.4.3

SYSDBA privilege, limiting, D.2.3

SYSOPER access, D.4.4

SYSTEM schema and application tables, D.2.2

SYSTEM user account, D.2.1

trusted accounts and roles, D.3

using Database Vault in a production environment, D.5

UTL_FILE package, D.6.1.1

H

hackers

See security attacks

Hierarchical System Privileges by Database Account Report, 24.6.2.3

host names

finding with DVF.F$DATABASE_HOSTNAME, 16.3.5

I

identities

See factors, identities

Identity Configuration Issues Report, 24.4.6

IDLE_TIME resource profile, 24.6.6.2

IMP_FULL_DATABASE role

impact of Oracle Database Vault installation, 2.4

importing data

See Oracle Data Pump

incomplete rule set, 24.4.4

role enablement, 24.4.7

initialization parameters

Allow System Parameters default rule set, 6.2

modified after installation, 2.1

modified by Oracle Database Vault, 2.1

reports, 24.6.6

insider threats

See intruders

installations

security considerations, D.6

intruders

compromising privileged accounts, 1.5

See security attacks

IP addresses

Client_IP default factor, 8.2

defined with factors, 8.1

J

Java Policy Grants Report, 24.6.9.1

jobs, scheduling

See Oracle Scheduler

L

Label Security Integration Audit Report, 24.5.4

labels

about, 8.4.3

M

managing user accounts and profiles

Can Maintain Accounts/Profiles default rule set, 6.2

managing user accounts and profiles on own account, Can Maintain Own Accounts default rule set, 6.2

mandatory realms

about, 5.1.2

mapping identities, 8.4.6.2

MDDATA schema realm protection, 5.2.4

MDSYS schema realm protection, 5.2.4

monitoring

activities, 23

multitenant container databases. See CDBs

My Oracle Support

about, Preface

N

naming conventions

factors, 8.3.2

realms, 5.3

rule sets, 6.3

rules, 6.4.3

network protocol

finding with DVF.F$NETWORK_PROTOCOL, 16.3.15

network protocol, Network_Protocol default factor, 8.2

NOAUDIT statement

monitoring, 23.2.1

Non-Owner Object Trigger Report, 24.6.9.7

nonsystem database accounts, 24.6.1.3

O

Object Access By PUBLIC Report, 24.6.1.1

Object Access Not By PUBLIC Report, 24.6.1.2

Object Dependencies Report, 24.6.1.4

object owners

nonexistent, 24.4.1

reports

Command Rule Configuration Issues Report, 24.4.1

object privilege reports, 24.6.1

object types

supported for Database Vault realm protection, 5.1.3

objects

command rule objects

name, 7.4

owner, 7.4

processing, 7.6

dynamic SQL use, 24.6.9.3

mandatory realms, 5.1.2

monitoring, 23.2.1

object names

finding with DVSYS.DV_DICT_OBJ_NAME, 14.2.8

object owners

finding with DVSYS.DV_DICT_OBJ_OWNER, 14.2.7

object privileges

checking with DBMS_MACUTL.USER_HAS_OBJECT_PRIVILEGE function, 19.3.1

realms

object name, 5.3

object owner, 5.3

object type, 5.3

procedures for registering, 13.3

reports

Access to Sensitive Objects Report, 24.6.3.2

Accounts with SYSDBA/SYSOPER Privilege Report, 24.6.3.4

Direct Object Privileges Report, 24.6.1.3

Execute Privileges to Strong SYS Packages Report, 24.6.3.1

Non-Owner Object Trigger Report, 24.6.9.7

Object Access By PUBLIC Report, 24.6.1.1

Object Access Not By PUBLIC Report, 24.6.1.2

Object Dependencies Report, 24.6.1.4

Objects Dependent on Dynamic SQL Report, 24.6.9.3

OS Directory Objects Report, 24.6.9.2

privilege, 24.6.1

Public Execute Privilege To SYS PL/SQL Procedures Report, 24.6.3.3

sensitive, 24.6.3

System Privileges By Privilege Report, 24.6.2.5

restricting user access to using mandatory realms, 5.1.2

types

finding with DVSYS.DV_DICT_OBJ_TYPE, 14.2.6

views, DVSYS.DBA_DV_REALM_OBJECT, 22.23

P

parameters

modified after installation, 2.1

reports

Security Related Database Parameters Report, 24.6.6.1

parent factors

See factors

Password History Access Report, 24.6.5.6

passwords

forgotten, solution for, B.1

reports, 24.6.7

Database Account Default Password Report, 24.6.7.1

Password History Access Report, 24.6.5.6

Username/Password Tables Report, 24.6.9.5

patches

auditing DV_PATCH_ADMIN user, 12.2.13.1

DBMS_MACADM.DISABLE_DV_PATCH_ADMIN_AUDIT procedure, 20.1.15

DBMS_MACADM.ENSABLE_DV_PATCH_ADMIN_AUDIT procedure, 20.1.18

DV_PATCH_ADMIN requirement for, 12.2.13.1

security consideration, D.6

two-person integrity used for, 6.9.1

PDBs

command rules in, 7.1.2

disabling tracing

all database sessions, E.1.10.3

current database session, E.1.10.3

DVF schema, 12.1.2

DVSYS schema, 12.1.1, 12.2.1

enabling tracing

all database sessions, E.1.5.3

current database session, E.1.5.1

plugging Database Vault-enabled PDB to CDB, 11.9

privilege analysis, 4.1.6

performance effect

command rules, 7.9

realms, 5.14

reports

Resource Profiles Report, 24.6.6.2

System Resource Limits Report, 24.6.6.3

rule sets, 6.11

secure application roles, 9.8

static evaluation for rule sets, 6.11

performance tools

Automatic Workload Repository (AWR)

command rules, 7.9

factors, 8.10

realms, 5.14

rule sets, 6.11

secure application roles, 9.8

Cloud Control, realms, 5.14

Oracle Enterprise Manager

command rules, 7.9

factors, 8.10

realms, 5.14

rule sets, 6.11

secure application roles, 9.8

Oracle Enterprise Manager Cloud Control

command rules, 7.9

factors, 8.10

rule sets, 6.11

secure application roles, 9.8

TKPROF utility

command rules, 7.9

factors, 8.10

realms, 5.14

rule sets, 6.11

secure application roles, 9.8

PL/SQL

packages

unwrapped bodies, 24.6.9.4

Unwrapped PL/SQL Package Bodies Report, 24.6.9.4

PL/SQL factor functions, 16.3

pluggable databases. See PDBs

policy changes, monitoring, 23.2.1

post-installation procedures, C

privilege analysis

about, 4.1.1

accessing reports in Cloud Control, 4.2.7.3

benefits, 4.1.5

CDBs, 4.1.6

creating

about, 4.2.3.1

in Cloud Control, 4.2.3.2

usingDBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE, 4.2.3.3

creating role in Cloud Control, 4.3.1

data dictionary views, 4.6

DBMS_PRIVILEGE_CAPTURE PL/SQL package, 4.2.1

disabling

about, 4.2.6.1

in Cloud Control, 4.2.6.2

using DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE, 4.2.6.3

dropping

about, 4.2.8.1

in Cloud Control, 4.2.8.2

using DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE, 4.2.8.3

enabling

about, 4.2.5.1

in Cloud Control, 4.2.5.2

using DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE, 4.2.5.3

examples of creating and enabling, 4.2.4.1

general steps for managing, 4.2.2

generating regrant scripts, 4.3.3.3

generating reports

about, 4.2.7.1

in Cloud Control, 4.2.7.2

using DBMS_PRIVILEGE_CAPTURE.GENERATE_REPORT, 4.2.7.4

generating revoke scripts, 4.3.3.2

logon users, 4.1.4

pre-compiled database objects, 4.1.2

privilege uses captured, 4.1.4

requirements for using, 4.1.3

restrictions, 4.1.4

revoking and re-granting in Cloud Control, 4.3.2

revoking and regranting using scripts, 4.3.3.1

tutorial, 4.5

tutorial for ANY privileges, 4.4

use cases, 4.1.5

finding application pool privileges, 4.1.5.1

finding overly privileged users, 4.1.5.2

privileges

ANY privileges, 12.2.14.2

checking with DBMS_MACUTL.USER_HAS_OBJECT_PRIVILEGE function, 19.3.1

existing users and roles, Database Vault affect on, 2.4

least privilege principle

violations to, 24.6.9.1

monitoring

GRANT statement, 23.2.1

REVOKE statement, 23.2.1

Oracle Database Vault restricting, 2.2

prevented from existing users and roles, 2.5

reports

Accounts With DBA Roles Report, 24.6.5.2

ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5

ANY System Privileges for Database Accounts Report, 24.6.2.4

AUDIT Privileges Report, 24.6.5.10

Database Accounts With Catalog Roles Report, 24.6.5.9

Direct and Indirect System Privileges By Database Account Report, 24.6.2.2

Direct System Privileges By Database Account Report, 24.6.2.1

Hierarchical System Privileges By Database Account Report, 24.6.2.3

listed, 24.6.4

OS Directory Objects Report, 24.6.9.2

Privileges Distribution By Grantee Report, 24.6.4.1

Privileges Distribution By Grantee, Owner Report, 24.6.4.2

Privileges Distribution By Grantee, Owner, Privilege Report, 24.6.4.3

WITH ADMIN Privilege Grants Report, 24.6.5.1

WITH GRANT Privileges Report, 24.6.5.7

restricting access using mandatory realms, 5.1.2

roles

checking with DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 19.3.1

system

checking with DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 19.3.1

views

DVSYS.DBA_DV_PUB_PRIVS, 22.19

DVSYS.DBA_DV_USER_PRIVS, 22.29

DVSYS.DBA_DV_USER_PRIVS_ALL, 22.30

Privileges Distribution By Grantee Report, 24.6.4.1

Privileges Distribution By Grantee, Owner Report, 24.6.4.2

Privileges Distribution By Grantee, Owner, Privilege Report, 24.6.4.3

privileges using external password, 24.6.3.4

problems, diagnosing, E.1.1

procedures

command rules

.DBMS_MACADM (configuration), 15.1

factors

DBMS_MACADM (configuration), 16.1.1

realms

DBMS_MACADM (configuration), 13.1

production environments

guidelines for securing, D.5

profiles, 24.6.6

proxy user authorization

Database Vault authorization

DVSYS.DBA_DV_PROXY_AUTH view, 22.18

granting, 20.1.5

revoking, 20.1.10

PUBLIC access to realms, 5.8

Public Execute Privilege To SYS PL/SQL Procedures Report, 24.6.3.3

PUBLIC user account

impact of Oracle Database Vault installation, 2.4

Q

quotas

tablespace, 24.6.9.6

R

READ object privilege

affected by SQL92_SECURITY parameter, 2.1

Realm Audit Report, 24.5.1

Realm Authorization Configuration Issues Report, 24.4.3

realms

about, 5.1.1

adding roles to as grantees, 5.13

audit events, custom, A.3.1

authentication-related procedures, 13.2

authorization

enabling access to realm-protected objects, 5.10

how realm authorizations work, 5.9

process flow, 5.9

troubleshooting, E.2

authorizations

grantee, 5.3

rule set, 5.3

creating, 5.3

creating names, 5.3

data dictionary views, 5.15

data masking, 11.8.3

Database Vault Account Management realm, 5.2.2

DBMS_MACUTL constants, example of, 19.2.2

default realms

listed, 5.2

deleting, 5.7

deprecated for this release, Preface

disabling, 5.6

DV_REALM_OWNER role, 12.2.15.1

DV_REALM_RESOURCE role, 12.2.16.2

effect on other Oracle Database Vault components, 5.12

enabling, 5.6

enabling access to realm-protected objects, 5.10

example, 5.11

functions

DBMS_MACUTL (utility), 19.1

DBMS_MACUTL constants (fields), 19.2.1

guidelines, 5.13

how realms work, 5.8

mandatory realms, 5.1.2

naming conventions, 5.3

object types, supported, 5.1.3

object-related procedures, 13.3

Oracle Database Vault realm, 5.2.1

Oracle Default Component Protection Realm, 5.2.6

Oracle Default Schema Protection Realm, 5.2.4

Oracle Enterprise Manager realm, 5.2.3

Oracle System Privilege and Role Management Realm, 5.2.5

performance effect, 5.14

procedures

DBMS_MACADM (configuration), 13.1, 13.1

process flow, 5.8

propagating policies to other databases, 11.1.1

protection after object is dropped, 5.13

PUBLIC access, 5.8

realm authorizations

about, 5.5

realm secured objects

object name, 5.3

object owner, 5.3

object type, 5.3

realm-secured objects, 5.4

reports, 5.15

roles

DV_REALM_OWNER, 12.2.15.1

DV_REALM_RESOURCE, 12.2.16.2

secured object, 24.4.3

territory a realm protects, 5.4

troubleshooting, E.2, E.3

tutorial, 3.3.1

views

DV$REALM, 22.22

DVSYS.DBA_DV_CODE, 22.2

DVSYS.DBA_DV_REALM, 22.20

DVSYS.DBA_DV_REALM_AUTH, 22.21

DVSYS.DBA_DV_REALM_OBJECT, 22.23, 22.23

See also rule sets

RECOVERY_CATALOG_OWNER role, 24.6.5.9

recycle bin, guidelines on managing, D.6.2.1

RECYCLEBIN initialization parameter

default setting in Oracle Database Vault, 2.1

security considerations, D.6.2.1

registering Oracle Database Vault, 3.1.1

reinstalling Oracle Database Vault, C.4

REMOTE_LOGIN_PASSWORDFILE initialization parameter, 2.1

reports

about, 24.1

Access to Sensitive Objects Report, 24.6.3.2

Accounts With DBA Roles Report, 24.6.5.2

Accounts with SYSDBA/SYSOPER Privilege Report, 24.6.3.4

ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5

ANY System Privileges for Database Accounts Report, 24.6.2.4

AUDIT Privileges Report, 24.6.5.10

auditing, 24.5

BECOME USER Report, 24.6.5.4

categories of, 24.1

Command Rule Audit Report, 24.5.2

Command Rule Configuration Issues Report, 24.4.1

Core Database Audit Report, 24.6.8

Core Database Vault Audit Trail Report, 24.5.5

Database Account Default Password Report, 24.6.7.1

Database Account Status Report, 24.6.7.2

Database Accounts With Catalog Roles Report, 24.6.5.9

Direct and Indirect System Privileges By Database Account Report, 24.6.2.2

Direct Object Privileges Report, 24.6.1.3

Direct System Privileges By Database Account Report, 24.6.2.1

Enterprise Manager Cloud Control, 11.1.3

Execute Privileges to Strong SYS Packages Report, 24.6.3.1

Factor Audit Report, 24.5.3

Factor Configuration Issues Report, 24.4.4

Factor Without Identities, 24.4.5

general security, 24.6

Hierarchical System Privileges by Database Account Report, 24.6.2.3

Identity Configuration Issues Report, 24.4.6

Java Policy Grants Report, 24.6.9.1

Label Security Integration Audit Report, 24.5.4

Non-Owner Object Trigger Report, 24.6.9.7

Object Access By PUBLIC Report, 24.6.1.1

Object Access Not By PUBLIC Report, 24.6.1.2

Object Dependencies Report, 24.6.1.4

Objects Dependent on Dynamic SQL Report, 24.6.9.3

OS Directory Objects Report, 24.6.9.2

OS Security Vulnerability Privileges, 24.6.5.11

Password History Access Report, 24.6.5.6

permissions for running, 24.2

privilege management, 24.6.4

Privileges Distribution By Grantee Report, 24.6.4.1

Privileges Distribution By Grantee, Owner Report, 24.6.4.2

Privileges Distribution By Grantee, Owner, Privilege Report, 24.6.4.3

Public Execute Privilege To SYS PL/SQL Procedures Report, 24.6.3.3

Realm Audit Report, 24.5.1

Realm Authorization Configuration Issues Report, 24.4.3

Resource Profiles Report, 24.6.6.2

Roles/Accounts That Have a Given Role Report, 24.6.5.8

Rule Set Configuration Issues Report, 24.4.2

running, 24.3

Secure Application Configuration Issues Report, 24.4.7

Secure Application Role Audit Report, 24.5.6

Security Policy Exemption Report, 24.6.5.3

Security Related Database Parameters, 24.6.6.1

security vulnerability, 24.6.9

System Privileges By Privilege Report, 24.6.2.5

System Resource Limits Report, 24.6.6.3

Tablespace Quotas Report, 24.6.9.6

Unwrapped PL/SQL Package Bodies Report, 24.6.9.4

Username /Password Tables Report, 24.6.9.5

WITH ADMIN Privileges Grants Report, 24.6.5.1

WITH GRANT Privileges Report, 24.6.5.7

Resource Profiles Report, 24.6.6.2

resources

reports

Resource Profiles Report, 24.6.6.2

System Resource Limits Report, 24.6.6.3

REVOKE statement

monitoring, 23.2.1

roles

adding to realms as grantees, 5.13

catalog-based, 24.6.5.9

Database Vault default roles, 12.2.1

privilege analysis, 4.1.4

privileges, checking with DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 19.3.1

role enablement in incomplete rule set, 24.4.7

role-based system privileges, 24.6.2.3

See also rule sets

rules sets

audit event, custom, A.3.1

S

SCHEDULER_ADMIN role

impact of Oracle Database Vault installation, 2.4

scheduling database jobs

CREATE EXTERNAL JOB privilege security consideration, D.6.4

scheduling jobs

See Oracle Scheduler

schemas

DVF, 12.1.2

DVSYS, 12.1.1

Secure Application Configuration Issues Report, 24.4.7

secure application role, 9.1

Secure Application Role Audit Report, 24.5.6

secure application roles

audit event, custom, A.3.1

creating, 9.2

data dictionary view, 9.9

DBMS_MACSEC_ROLES.SET_ROLE function, 9.2

deleting, 9.5

functionality, 9.6

functions

DBMS_MACADM (configuration), 17.1.1

DBMS_MACSEC_ROLES (configuration), 17.2.1

DBMS_MACSEC_ROLES package, 17.2.1

DBMS_MACUTL (utility), 19.1, 19.1

DBMS_MACUTL constants (fields), 19.2.1

guidelines on managing, 9.4

modifying, 9.3

performance effect, 9.8

procedure

DBMS_MACADM (configuration), 17.1.1

procedures and functions

DBMS_MACUTL (utility), 19.3.1

propagating policies to other databases, 11.1.1

reports, 9.9

Rule Set Configuration Issues Report, 24.4.2

troubleshooting, E.3

troubleshooting with auditing report, 24.5.6

tutorial, 9.7.1

views

DVSYS.DBA_DV_ROLE, 22.24

T

tablespace quotas, 24.6.9.6

Tablespace Quotas Report, 24.6.9.6

time data

DBMS_MACUTL functions, 19.3.1

trace files

about, E.1.1

trace files, Oracle Database Vault

about, E.1.1

activities that can be traced, E.1.2

ADRCI utility, E.1.6.3

directory location for trace files, E.1.6.1

disabling for all sessions, E.1.10.2

disabling for current session, E.1.10.1

enabling for all sessions, E.1.5.2

enabling for current session, E.1.5.1

examples

high level authorization, E.1.8

highest level on realm violations, E.1.9

low level realm violations, E.1.7

finding trace file directory, E.1.6.1

levels of trace events, E.1.3

performance effect, E.1.4

querying

ADRCI utility, E.1.6.3

Linux grep command, E.1.6.2

Transparent Data Encryption, used with Oracle Database Vault, 10.3

transportable tablespaces

authorizing for Oracle Data Pump operations in Database Vault, 11.2.3.3

DBMS_MACADM.AUTHORIZE_TTS_USER procedure, 20.1.7

DBMS_MACADM.UNAUTHORIZE_TTS_USER procedure, 20.1.12

DVSYS.DBA_DV_TTS_AUTH view, 22.28

triggers

different from object owner account, 24.6.9.7

reports, Non-Owner Object Trigger Report, 24.6.9.7

troubleshooting

access security sessions, 24.5.5

auditing reports, using, 24.5

factors, E.2

general diagnostic tips, E.2

locked out accounts, B.1

passwords, forgotten, B.1

realms, E.2

rule sets, E.2

rules, E.2

secure application roles, 24.5.6

trust levels

about, 8.4.2

determining for identities with DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY, 16.2.5

determining with DVSYS.GET_TRUST_LEVEL, 16.2.4

factor identity, 8.4.2

factors, 8.4.4

for factor and identity requested, 16.2.5

identities, 8.3.3.2

of current session identity, 16.2.4

trusted users

accounts and roles that should be limited, D.4

default for Oracle Database Vault, D.3

tutorials

access, granting with secure application roles, 9.7.1

ad hoc tool access, preventing, 8.7.1

configuring two-person integrity (TPI), 6.9.1

Database Vault factors with Virtual Private Database and Oracle Label Security, 10.5.4.1

email alert in rule set, 6.8.1

factors, mapping identities, 8.8.1

Oracle Label Security integration with Oracle Database Vault, 10.5.4.1

privilege analysis, 4.5

privilege analysis for ANY privileges, 4.4

restricting access based on session data, 8.8.1

restricting user activities with command rules, 7.7

schema, protecting with a realm, 3.3.1

U

unified audit trail

how it works with Database Vault, A.1

protecting with a realm, A.2

Unwrapped PL/SQL Package Bodies Report, 24.6.9.4

user names

reports, Username/Password Tables Report, 24.6.9.5

USER_HISTORY$ table, 24.6.5.6

Username/Password Tables Report, 24.6.9.5

users

enterprise identities, finding with DVF.F$PROXY_ENTERPRISE_IDENTITY, 16.3.16

enterprise-wide identities, finding with DVF.F$ENTERPRISE_IDENTITY, 16.3.10

finding session user with DVF.F$SESSION_USER, 16.3.17

restricting access by factor identity, 8.8.1

utility functions

See .DBMS_MACUTL package

UTL_FILE object, 24.6.1.4

UTL_FILE package, guidelines on managing, D.6.1.1

V

views

DVSYS.DBA_DV_CODE, 22.2

DVSYS.DBA_DV_COMMAND_RULE, 22.3

DVSYS.DBA_DV_DATAPUMP_AUTH, 22.4

DVSYS.DBA_DV_DDL_AUTH, 22.5

DVSYS.DBA_DV_DICTIONARY_ACCTS, 22.6

DVSYS.DBA_DV_FACTOR, 22.7

DVSYS.DBA_DV_FACTOR_TYPE, 22.9

DVSYS.DBA_DV_IDENTITY, 22.10

DVSYS.DBA_DV_IDENTITY_MAP, 22.11

DVSYS.DBA_DV_JOB_AUTH, 22.12

DVSYS.DBA_DV_ORADEBUG, 22.15

DVSYS.DBA_DV_PATCH_AUDIT, 22.16

DVSYS.DBA_DV_POLICY_LABEL, 22.17

DVSYS.DBA_DV_PROXY_AUTH, 22.18

DVSYS.DBA_DV_PUB_PRIVS, 22.19

DVSYS.DBA_DV_REALM, 22.20

DVSYS.DBA_DV_REALM_AUTH, 22.22

DVSYS.DBA_DV_REALM_OBJECT, 22.23

DVSYS.DBA_DV_ROLE, 22.24

DVSYS.DBA_DV_RULE_SET, 22.26

DVSYS.DBA_DV_RULE_SET_RULE, 22.27

DVSYS.DBA_DV_TTS_AUTH, 22.28

DVSYS.DBA_DV_USER_PRIVS, 22.29

DVSYS.DBA_DV_USER_PRIVS_ALL, 22.30

DVSYS.DV$CONFIGURATION_AUDIT, 22.31

DVSYS.DV$ENFORCEMENT_AUDIT, 22.32

DVSYS.DV$REALM, 22.21

See also names beginning with DVSYS.DBA_DV

SYS.DV$CONFIGURATION_AUDIT, 22.33

SYS.DV$ENFORCEMENT_AUDIT, 22.34

VPD

See Oracle Virtual Private Database (VPD)

W

WITH ADMIN Privileges Grants Report, 24.6.5.1

WITH ADMIN status, 24.6.2.1, 24.6.2.2

WITH GRANT clause, 24.6.5.7

WITH GRANT Privileges Report, 24.6.5.7

X

XStream

Database Vault role used for, 12.2.10.1

in an Oracle Database Vault environment, 11.6