Index

A

access control policy
reports
Core Database Vault Audit Report, 24.5.5
access control run-time PL/SQL procedures and functions, 16.2
Access to Sensitive Objects Report, 24.6.3.2
accounts
See database accounts
Accounts With DBA Roles Report, 24.6.5.2
Accounts with SYSDBA/SYSOPER Privilege Report, 24.6.3.4
ad hoc tools
preventing use of, 8.7.1
administrators
DBA operations in Oracle Database Vault, 11
restricting different types, 8.8.1
ADRCI utility
Database Vault, E.1.6.3
alerts
email alert in rule set, 6.8.1
Enterprise Manager Cloud Control, 11.1.2
ALTER ROLE statement
monitoring, 23.2.1
ALTER SESSION privilege
enabling trace files, E.1.5
reports, ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5
ALTER SESSION statement
guidelines on managing privileges, D.6.6.1
ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5
ALTER SYSTEM privilege
reports, ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5
ALTER SYSTEM statement
controlling with command rules, 7.1.1
guidelines on managing privileges, D.6.6.1
ALTER USER statement
monitoring, 23.2.1
ANY privileges, 12.2.14.2
ANY System Privileges for Database Accounts Report, 24.6.2.4
application security
finding privilege use by users, 4.1.5.1
audit policy change
monitoring, 23.2.1
AUDIT privilege, 24.6.5.10
AUDIT Privileges Report, 24.6.5.10
AUDIT_SYS_OPERATIONS initialization parameter, 2.1
AUDIT_TRAIL initialization parameter
effect on Core Database Audit Report, 24.6.8
AUDIT_TRAIL$ system table
affected by AUDIT_TRAIL initialization parameter, 12.2.13.1, A.3.2
archiving, A.4.2
format, 12.2.13.1, A.3.2
purging, A.4.3
auditing
about, A.1
archiving Database Vault audit trail, A.4.2
about, A.4.1
Core Database Audit Report, 24.6.8
DBMS_MACUTL fields, 19.2.1
factors
options, 8.3.4.3
intruders
using factors, 8.3.4.2
using rule sets, 6.3
Oracle Database audit settings, A.5
purging Database Vault audit trail, A.4.3
about, A.4.1
realms
DBMS_MACUTL fields, 19.2.1
options, 5.3
reports, 24.5
rule sets
DBMS_MACUTL fields, 19.2.1
options, 6.3
secure application roles
audit records, 9.9
auditing policies
about, A
audit events
about, A.3.1
custom events
audit trail, A.3.2
events that are tracked, A.3.1
monitoring changes to, 23.2.1
authentication
Authentication_Method default factor, 8.2
command rules, 7.1.1
method, finding with DVF.F$AUTHENTICATION_METHOD, 16.3.2
realm procedures, 13.2
authorizations
Oracle Data Pump activities, 11.2.1
realms, 5.5
scheduling database jobs, 11.3.1

B

BECOME USER Report, 24.6.5.4
BECOME USER system privilege
about, 24.6.5.4

C

catalog-based roles, 24.6.5.9
CDBs
functionality in Oracle Database Vault, 1.8
privilege profiles, 4.1.6
child factors
See factors
clients
finding IP address with DVF.F$CLIENT_IP, 16.3.3
code groups
retrieving value with DBMS_MACUTL functions, 19.3.1
Command Rule Audit Report, 24.5.2
Command Rule Configuration Issues Report, 24.4.1
command rules
about, 7.1.1
creating, 7.4
data dictionary view, 7.10
data masking, 11.8.4
default command rules, 7.2
deleting, 7.5
editing, 7.4
functions
DBMS_MACUTL (utility), 19.1
guidelines, 7.8
how command rules work, 7.6
objects
name, 7.4
owner, 7.4
performance effect, 7.9
procedures
DBMS_MACADM (configuration), 15.1
process flow, 7.6
propagating policies to other databases, 11.1.1
reports, 7.10
rule sets
selecting, 7.4
used with, 7.1.1
troubleshooting
with auditing report, 24.5.2
tutorial, 7.7
views, 7.10, 22.3
with PDBs, 7.1.2
See also rule sets
compliance
Oracle Database Vault addressing, 1.4
computer name
finding with DVF.F$MACHINE, 16.3.14
Machine default factor, 8.2
configuration
monitoring changes, 23.2.1
views
DVSYS.DV$CONFIGURATION_AUDIT, 22.31
DVSYS.DV$ENFORCEMENT_AUDIT, 22.32
SYS.DV$CONFIGURATION_AUDIT, 22.33
CONNECT events, controlling with command rules, 7.1.1
connection pooling
finding unnecessarily granted privileges, 4.1.5.1
context profiles
privilege analysis, 4.1.4
core database
troubleshooting with Core Database Vault Audit Report, 24.5.5
Core Database Audit Report, 24.6.8
Core Database Vault Audit Trail Report, 24.5.5
CPU_PER_SESSION resource profile, 24.6.6.2
CREATE ANY JOB privilege, D.6.3
CREATE ANY JOB statement
guidelines on managing privileges, D.6.3
CREATE EXTERNAL JOB privilege, D.6.4
CREATE JOB privilege, D.6.3
CREATE JOB statement
guidelines on managing privileges, D.6.3
CREATE ROLE statement
monitoring, 23.2.1
CREATE USER statement
monitoring, 23.2.1
CTXSYS schema realm protection, 5.2.4

D

data definition language (DDL)
statement
controlling with command rules, 7.1.1
Data Definition Language (DDL) statements
Database Vault authorization
DVSYS.DBA_DV_DDL_AUTH view, 22.5
granting, 20.1.4
revoking, 20.1.9
Data Dictionary realm
data masking, 11.8.2
data manipulation language (DML)
statement
checking with DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED function, 19.3.1
controlling with command rules, 7.1.1
data masking
about, 11.8.1
adding users to realms for, 11.8.3
creating command rule for, 11.8.4
errors that can appear, 11.8.1
data Oracle Database Vault recognizes
See factors
Database Account Default Password Report, 24.6.7.1
Database Account Status Report, 24.6.7.2
database accounts
configuring Database Vault accounts as enterprise users, 10.2
counting privileges of, 24.6.4.1
DBSNMP
changing password, 11.1.4
granted DV_MONITOR role, 12.2.5.3
DVSYS, 12.3
LBACSYS, 12.3
monitoring, 23.2.1
reports
Accounts With DBA Roles Report, 24.6.5.2
ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5
ANY System Privileges for Database Accounts Report, 24.6.2.4
AUDIT Privileges Report, 24.6.5.10
BECOME USER Report, 24.6.5.4
Database Account Default Password Report, 24.6.7.1
Database Account Status Report, 24.6.7.2
Database Accounts With Catalog Roles Report, 24.6.5.9
Direct and Indirect System Privileges By Database Account Report, 24.6.2.2
Direct Object Privileges Report, 24.6.1.3
Direct System Privileges By Database Account Report, 24.6.2.1
Hierarchical System Privileges by Database Account Report, 24.6.2.3
Object Access By PUBLIC Report, 24.6.1.1
Object Access Not By PUBLIC Report, 24.6.1.2
OS Security Vulnerability Privileges, 24.6.5.11
Password History Access Report, 24.6.5.6
Privileges Distribution By Grantee Report, 24.6.4.1
Privileges Distribution By Grantee, Owner Report, 24.6.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 24.6.4.3
Roles/Accounts That Have a Given Role Report, 24.6.5.8
Security Policy Exemption Report, 24.6.5.3
WITH ADMIN Privilege Grants Report, 24.6.5.1
WITH GRANT Privileges Report, 24.6.5.7
solution for lockouts, B.1
suggested, 12.3
Database Accounts With Catalog Roles Report, 24.6.5.9
database administrative operations, 11
database definition language (DDL)
statements
controlling with command rules, 7.1.1
database domains, Database_Domain default factor, 8.2
database objects
Oracle Database Vault, 12
reports
Object Dependencies Report, 24.6.1.4
See also objects
database options, installing, B.1
database roles
about, 12.2.1
counting privileges of, 24.6.4.1
default Oracle Database Vault, 12.2.1
DV_ACCTMGR
about, 12.2.14.1
DV_ADMIN, 12.2.4.1
DV_AUDIT_CLEANUP, 12.2.7.1
DV_DATAPUMP_NETWORK_LINK, 12.2.8.1
DV_GOLDENGATE_ADMIN, 12.2.11.1
DV_GOLDENGATE_REDO_ACCESS, 12.2.12.1
DV_MONITOR, 12.2.5.1
DV_OWNER, 12.2.3.1
DV_PATCH_ADMIN, 12.2.13.1
DV_PUBLIC, 12.2.17
DV_REALM_OWNER, 12.2.15.1
DV_REALM_RESOURCE, 12.2.16.1
DV_SECANALYST, 12.2.6.1
DV_STREAMS_ADMIN, 12.2.9.1
DV_XSTREAM_ADMIN, 12.2.10.1
enabled, determining with DVSYS.ROLE_IS_ENABLED, 16.2.6
monitoring, 23.2.1
Oracle Database Vault, default, 12.2.1
reports
Accounts With DBA Roles Report, 24.6.5.2
ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5
AUDIT Privileges Report, 24.6.5.10
BECOME USER Report, 24.6.5.4
Database Accounts With Catalog Roles Report, 24.6.5.9
OS Security Vulnerability Privileges, 24.6.5.11
Privileges Distribution By Grantee Report, 24.6.4.1
Roles/Accounts That Have a Given Role Report, 24.6.5.8
Security Policy Exemption Report, 24.6.5.3
WITH ADMIN Privilege Grants Report, 24.6.5.1
separation of duty enforcement, 2.3
database sessions, 8.3.3.2
controlling with Allow Sessions default rule set, 6.2
factor evaluation, 8.6.1
session user name, Proxy_User default factor, 8.2
Database Vault
See Oracle Database Vault
Database Vault Account Management realm, 5.2.2
databases
defined with factors, 8.1
domain, Domain default factor, 8.2
event monitoring, E.1.1
grouped schemas
See realms
host names, Database_Hostname default factor, 8.2
instance, retrieving information with functions, 16.1.1
instances
Database_Instance default factor, 8.2
names, finding with DVF.F$DATABASE_INSTANCE, 16.3.6
number, finding with DVSYS.DV_INSTANCE_NUM, 14.2.4
IP addresses
Database_IP default factor, 8.2
retrieving with DVF.F$DATABASE_IP, 16.3.7
monitoring events, E.1.1
names
Database_Name default factor, 8.2
retrieving with DVF.F$DATABASE_NAME, 16.3.8
retrieving with DVSYS.DV_DATABASE_NAME, 14.2.5
parameters
Security Related Database Parameters Report, 24.6.6.1
roles that do not exist, 24.4.7
schema creation, finding with DVF.F$IDENTIFICATION_TYPE, 16.3.11
schema creation, Identification_Type default factor, 8.2
user name, Session_User default factor, 8.2
DBA role
impact of Oracle Database Vault installation, 2.4
DBA_USERS_WITH_DEFPWD data dictionary view
access to in Oracle Database Vault, 2.4
DBMS_FILE_TRANSFER package, guidelines on managing, D.6.1.1
DBMS_MACADM package
about, 21.1
command rule procedures, listed, 15.1
factor procedures, listed, 16.1.1
Oracle Label Security policy procedures, listed, 18.1
realm procedures, listed, 13.1
rule set procedures, listed, 14.1.1
secure application role procedures, listed, 17.1.1
DBMS_MACADM PL/SQL package contents, 21.1
DBMS_MACADM.ADD_AUTH_TO_REALM procedure, 13.2
DBMS_MACADM.ADD_FACTOR_LINK procedure, 16.1.2
DBMS_MACADM.ADD_NLS_DATA
procedure, C.2
DBMS_MACADM.ADD_NLS_DATA procedure, 20.1.2
DBMS_MACADM.ADD_OBJECT_TO_REALM procedure, 13.3
DBMS_MACADM.ADD_POLICY_FACTOR procedure, 16.1.3
DBMS_MACADM.ADD_RULE_TO_RULE_SET procedure, 14.1.2
DBMS_MACADM.AUTHORIZE_DATAPUMP_USER procedure, 20.1.3, 20.1.8
DBMS_MACADM.AUTHORIZE_DDL procedure, 20.1.4
DBMS_MACADM.AUTHORIZE_PROXY_USER procedure, 20.1.5
DBMS_MACADM.AUTHORIZE_SCHEDULER_USER procedure, 20.1.6
DBMS_MACADM.AUTHORIZE_TTS_USER procedure, 20.1.7
DBMS_MACADM.CHANGE_IDENTITY_FACTOR procedure, 16.1.4
DBMS_MACADM.CHANGE_IDENTITY_VALUE procedure, 16.1.5
DBMS_MACADM.CREATE_COMMAND_RULE procedure, 15.2
DBMS_MACADM.CREATE_DOMAIN_IDENTITY procedure, 16.1.6
DBMS_MACADM.CREATE_FACTOR procedure, 16.1.7
DBMS_MACADM.CREATE_FACTOR_TYPE procedure, 16.1.8
DBMS_MACADM.CREATE_IDENTITY procedure, 16.1.9
DBMS_MACADM.CREATE_IDENTITY_MAP procedure, 16.1.10
DBMS_MACADM.CREATE_MAC_POLICY procedure, 18.2
DBMS_MACADM.CREATE_POLICY_LABEL procedure, 18.3
DBMS_MACADM.CREATE_REALM procedure, 13.4
DBMS_MACADM.CREATE_ROLE procedure, 17.1.2
DBMS_MACADM.CREATE_RULE procedure, 14.1.3
DBMS_MACADM.CREATE_RULE_SET procedure, 14.1.4
DBMS_MACADM.DELETE_AUTH_FROM_REALM procedure, 13.5
DBMS_MACADM.DELETE_COMMAND_RULE procedure, 15.3
DBMS_MACADM.DELETE_FACTOR procedure, 16.1.11
DBMS_MACADM.DELETE_FACTOR_LINK procedure, 16.1.12
DBMS_MACADM.DELETE_FACTOR_TYPE procedure, 16.1.13
DBMS_MACADM.DELETE_IDENTITY procedure, 16.1.14
DBMS_MACADM.DELETE_IDENTITY_MAP procedure, 16.1.15
DBMS_MACADM.DELETE_MAC_POLICY_CASCADE procedure, 18.4
DBMS_MACADM.DELETE_OBJECT_FROM_REALM procedure, 13.6
DBMS_MACADM.DELETE_POLICY_FACTOR procedure, 18.5
DBMS_MACADM.DELETE_POLICY_LABEL procedure, 18.6
DBMS_MACADM.DELETE_REALM procedure, 13.7
DBMS_MACADM.DELETE_REALM_CASCADE procedure, 13.8
DBMS_MACADM.DELETE_ROLE procedure, 17.1.3
DBMS_MACADM.DELETE_RULE procedure, 14.1.5
DBMS_MACADM.DELETE_RULE_FROM_RULE_SET procedure, 14.1.6
DBMS_MACADM.DELETE_RULE_SET procedure, 14.1.7
DBMS_MACADM.DISABLE_DV procedure, 20.1.13
DBMS_MACADM.DISABLE_DV_DICTIONARY_ACCTS procedure, 20.1.14
DBMS_MACADM.DISABLE_DV_PATCH_ADMIN_AUDIT procedure, 20.1.15
DBMS_MACADM.DISABLE_ORADEBUG procedure, 20.1.16
DBMS_MACADM.DROP_DOMAIN_IDENTITY procedure, 16.1.16
DBMS_MACADM.ENABLE_DV procedure
about, 20.1.17
registering Database Vault with, 3.1.2, 3.1.3, 3.1.4, 3.1.5
DBMS_MACADM.ENABLE_DV_DICTIONARY_ACCTS procedure, 20.1.19
DBMS_MACADM.ENABLE_ORADEBUG procedure, 20.1.20
DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT procedure, 20.1.18
DBMS_MACADM.GET_INSTANCE_INFO function, 16.1.17
DBMS_MACADM.GET_SESSION_INFO function, 16.1.18
DBMS_MACADM.RENAME_FACTOR procedure, 16.1.19
DBMS_MACADM.RENAME_FACTOR_TYPE procedure, 16.1.20
DBMS_MACADM.RENAME_REALM procedure, 13.9
DBMS_MACADM.RENAME_ROLE procedure, 17.1.4
DBMS_MACADM.RENAME_RULE procedure, 14.1.8
DBMS_MACADM.RENAME_RULE_SET procedure, 14.1.9
DBMS_MACADM.UNAUTHORIZE_DDL procedure, 20.1.9
DBMS_MACADM.UNAUTHORIZE_PROXY_USER procedure, 20.1.10
DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER procedure, 20.1.11
DBMS_MACADM.UNAUTHORIZE_TTS_USER procedure, 20.1.12
DBMS_MACADM.UPDATE_COMMAND_RULE procedure, 15.4
DBMS_MACADM.UPDATE_FACTOR procedure, 16.1.21
DBMS_MACADM.UPDATE_FACTOR_TYPE procedure, 16.1.22
DBMS_MACADM.UPDATE_IDENTITY procedure, 16.1.23
DBMS_MACADM.UPDATE_MAC_POLICY procedure, 18.7
DBMS_MACADM.UPDATE_REALM procedure, 13.10
DBMS_MACADM.UPDATE_REALM_AUTH procedure, 13.11
DBMS_MACADM.UPDATE_ROLE procedure, 17.1.5
DBMS_MACADM.UPDATE_RULE procedure, 14.1.10
DBMS_MACADM.UPDATE_RULE_SET procedure, 14.1.11
DBMS_MACSEC_ROLES package
about, 17.2.1
functions, listed, 17.2.1
DBMS_MACSEC_ROLES.CAN_SET_ROLE function, 17.2.2
DBMS_MACSEC_ROLES.SET_ROLE procedure, 17.2.3
DBMS_MACUTL package
about, 19.1
constants (fields)
examples, 19.2.2
listed, 19.2.1
procedures and functions, listed, 19.3.1
DBMS_MACUTL PL/SQL package contents, 21.3
DBMS_MACUTL.CHECK_DVSYS_DML_ALLOWED procedure, 19.3.2
DBMS_MACUTL.GET_CODE_VALUE function, 19.3.3
DBMS_MACUTL.GET_DAY function, 19.3.7
DBMS_MACUTL.GET_HOUR function, 19.3.6
DBMS_MACUTL.GET_MINUTE function, 19.3.5
DBMS_MACUTL.GET_MONTH function, 19.3.8
DBMS_MACUTL.GET_SECOND function, 19.3.4
DBMS_MACUTL.GET_YEAR function, 19.3.9
DBMS_MACUTL.IS_ALPHA function, 19.3.10
DBMS_MACUTL.IS_DIGIT function, 19.3.11
DBMS_MACUTL.IS_DVSYS_OWNER function, 19.3.12
DBMS_MACUTL.IS_OLS_INSTALLED function, 19.3.13
DBMS_MACUTL.IS_OLS_INSTALLED_VARCHAR function, 19.3.14
DBMS_MACUTL.USER_HAS_OBJECT_PRIVILEGE function, 19.3.15
DBMS_MACUTL.USER_HAS_ROLE function, 19.3.16
DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 19.3.17
DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 19.3.18
DBMS_PRIVILEGE_CAPTURE PL/SQL package, 4.2.1
DBSNMP schema realm protection, 5.2.3
DBSNMP user account
changing password, 11.1.4
granted DV_MONITOR role, 12.2.5.3
deinstallation, B
deinstalling Oracle Database Vault, C.3
DELETE_CATALOG_ROLE role, 24.6.5.9
Denial of Service (DoS) attacks
reports
System Resource Limits Report, 24.6.6.3
Tablespace Quotas Report, 24.6.9.6
Direct and Indirect System Privileges By Database Account Report, 24.6.2.2
Direct Object Privileges Report, 24.6.1.3
direct system privileges, 24.6.2.3
Direct System Privileges By Database Account Report, 24.6.2.1
disabling system features with Disabled default rule set, 6.2
domains
defined with factors, 8.1
finding database domain with DVF.F$DATABASE_DOMAIN, 16.3.4
finding with DVF.F$DOMAIN, 16.3.9
DROP ROLE statement
monitoring, 23.2.1
DROP USER statement
monitoring, 23.2.1
dual key connection, dual key security
See two-person integrity (TPI)
DV_ACCTMGR role
about, 12.2.14.1
Database Vault disabled, 12.2.14.4
GRANT and REVOKE operations affected by, 12.2.14.3
privileges associated with, 12.2.14.2
realm protection, 5.2.2
DV_ADMIN role
about, 12.2.4.1
changing password for user granted DV_ADMIN, 12.2.4.4
Database Vault disabled, 12.2.3.5, 12.2.4.5
GRANT and REVOKE operations affected by, 12.2.4.3
privileges associated with, 12.2.4.2
DV_AUDIT_CLEANUP role
about, 12.2.7.1
Database Vault disabled, 12.2.5.4, 12.2.6.4, 12.2.7.4
GRANT and REVOKE operations affected by, 12.2.7.3
privileges associated with, 12.2.7.2
DV_DATAPUMP_NETWORK_LINK role
about, 12.2.8.1
Database Vault disabled, 12.2.8.4
GRANT and REVOKE operations affected by, 12.2.8.3
privileges associated with, 12.2.8.2
DV_GOLDENGATE_REDO role
privileges associated with, 12.2.12.2
DV_GOLDENGATE_ADMIN role
Database Vault disabled, 12.2.11.4
DV_GOLDENGATE_ADMIN role, 12.2.11.1
GRANT and REVOKE operations affected by, 12.2.11.3
privileges associated with, 12.2.11.2
DV_GOLDENGATE_REDO_ACCESS role, 12.2.12.1
Database Vault disabled, 12.2.12.4
GRANT and REVOKE operations affected by, 12.2.12.3
DV_MONITOR role
about, 12.2.5.1
Database Vault disabled, 12.2.5.4
GRANT and REVOKE operations affected by, 12.2.5.3
privileges associated with, 12.2.5.2
DV_OWNER role
about, 12.2.3.1
changing password for user granted DV_OWNER, 12.2.3.4
Database Vault disabled, 12.2.3.5
GRANT and REVOKE operations affected by, 12.2.3.3
privileges associated with, 12.2.3.2
DV_PATCH_ADMIN role, 12.2.13.1
Database Vault disabled, 12.2.13.4
GRANT and REVOKE operations affected by, 12.2.13.3
privileges associated with, 12.2.13.2
DV_PUBLIC role, 12.2.17
DV_REALM_OWNER role, 12.2.15.1
Database Vault disabled, 12.2.15.4
GRANT and REVOKE operations affected by, 12.2.15.3
privileges associated with, 12.2.15.2
DV_REALM_RESOURCE role, 12.2.16.1
Database Vault disabled, 12.2.16.4
GRANT and REVOKE operations affected by, 12.2.16.3
privileges associated with, 12.2.16.2
DV_SECANALYST role
about, 12.2.6.1
Database Vault disabled, 12.2.6.4
GRANT and REVOKE operations affected by, 12.2.6.3
privileges associated with, 12.2.6.2
DV_STREAMS_ADMIN role, 12.2.9.1
Database Vault disabled, 12.2.9.4
GRANT and REVOKE operations affected by, 12.2.9.3
privileges associated with, 12.2.9.2
DV_XSTREAM_ADMIN role, 12.2.10.1
Database Vault disabled, 12.2.10.4
GRANT and REVOKE operations affected by, 12.2.10.3
privileges associated with, 12.2.10.2
DVF account
auditing policy, A.5
database accounts, 12.3
DVF PL/SQL interface contents, 21.5
DVF schema, 16.3
about, 12.1.2
auditing policy, A.5
DVSYS.DBA_DV_DICTIONARY_ACCTS view, 22.6
PDBs, 12.1.2
protecting, 20.1.14
realm protection, 5.2.1
DVSYS account, 12.3
auditing policy, A.5
DVSYS schema
about, 12.1.1
auditing policy, A.5
CDBs, 1.8
command rules, 7.4
DV_OWNER role, 12.2.3.2
DVSYS.DBA_DV_DICTIONARY_ACCTS view, 22.6
factor validation methods, 8.3.3.7
PDBs, 12.1.1, 12.2.1
protecting, 20.1.14
realm protection, 5.2.1
DVSYS.CONFIGURE_DV procedure
about, 20.2
registering Database Vault with, 3.1.2, 3.1.4
DVSYS.DBA_DV_CODE view, 22.2
DVSYS.DBA_DV_COMMAND_RULE view, 7.10, 22.3
DVSYS.DBA_DV_DATAPUMP_AUTH view, 22.4
DVSYS.DBA_DV_DDL_AUTH view, 22.5
DVSYS.DBA_DV_DICTIONARY_ACCTS view, 22.6
DVSYS.DBA_DV_FACTOR view, 22.7
DVSYS.DBA_DV_FACTOR_LINK, 22.8
DVSYS.DBA_DV_FACTOR_LINK view, 22.8
DVSYS.DBA_DV_FACTOR_TYPE view, 22.9
DVSYS.DBA_DV_IDENTITY view, 22.10
DVSYS.DBA_DV_IDENTITY_MAP view, 22.11
DVSYS.DBA_DV_JOB_AUTH view, 22.12
DVSYS.DBA_DV_MAC_POLICY view, 22.13
DVSYS.DBA_DV_MAC_POLICY_FACTOR view, 22.14
DVSYS.DBA_DV_ORADEBUG view, 22.15
DVSYS.DBA_DV_PATCH_AUDIT view, 22.16
DVSYS.DBA_DV_POLICY_LABEL view, 22.17
DVSYS.DBA_DV_PROXY_AUTH view, 22.18
DVSYS.DBA_DV_PUB_PRIVS view, 22.19
DVSYS.DBA_DV_REALM view, 22.20
DVSYS.DBA_DV_REALM_AUTH view, 22.22
DVSYS.DBA_DV_REALM_OBJECT view, 22.23
DVSYS.DBA_DV_ROLE view, 22.24
DVSYS.DBA_DV_RULE view, 22.25
DVSYS.DBA_DV_RULE_SET view, 22.26
DVSYS.DBA_DV_RULE_SET_RULE view, 22.27
DVSYS.DBA_DV_TTS_AUTH view, 22.28
DVSYS.DBA_DV_USER_PRIVS view, 22.29
DVSYS.DBA_DV_USER_PRIVS_ALL view, 22.30
DVSYS.DV$CONFIGURATION_AUDIT view, 22.31
DVSYS.DV$ENFORCEMENT_AUDIT view, 22.32
DVSYS.DV$REALM view, 22.21

E

email alert in rule set, 6.8.1
enabling system features with Enabled default rule set, 6.2
encrypted information, 24.6.9.5
enterprise identities, Enterprise_Identity default factor, 8.2
Enterprise Manager
See Oracle Enterprise Manager
enterprise user security
configuring Database Vault accounts for, 10.2
errors
factor error options, 8.3.4.2
event handler
rule sets, 6.3
examples
DBMS_MACUTL constants, 19.2.2
realms, 5.11
separation of duty matrix, D.1.3
trace files, E.1.7, E.1.8, E.1.9
See also tutorials
Execute Privileges to Strong SYS Packages Report, 24.6.3.1
EXECUTE_CATALOG_ROLE role, 24.6.5.9
impact of Oracle Database Vault installation, 2.4
EXEMPT ACCESS POLICY system privilege, 24.6.5.3
exporting data
See Oracle Data Pump
external network services, fine-grained access to
example using email alert, 6.8.1

F

Factor Audit Report, 24.5.3
Factor Configuration Issues Report, 24.4.4
Factor Without Identities Report, 24.4.5
factors
about, 8.1
assignment, 8.3.3.7
disabled rule set, 24.4.4
incomplete rule set, 24.4.4
validate, 8.3.3.7
assignment operation, 24.5.3
audit events, custom, A.3.1
audit options, 8.3.4.3
child factors
about, 8.3.3.1
Factor Configuration Issues Report, 24.4.4
mapping, 8.4.6.1
creating, 8.3.1
creating names, 8.3.2
data dictionary views, 8.11
DBMS_MACUTL constants, example of, 19.2.4
default factors, 8.2
deleting, 8.5
domain, finding with DVF.F$DOMAIN, 16.3.9
DVSYS.DBA_DV_FACTOR view, 22.7
error options, 8.3.4.2
evaluate, 8.3.3.3
evaluation operation, 24.5.3
factor type
about, 8.3.2
selecting, 8.3.2
factor-identity pair mapping, 8.4.6.2
functionality, 8.6
functions
DBMS_MACUTL (utility), 19.1
DBMS_MACUTL constants (fields), 19.2.1
guidelines, 8.9
identifying using child factors, 8.4.6.1
identities
about, 8.3.3.2, 8.4.1
adding to factor, 8.4
assigning, 8.3.3.3
configuring, 8.4.4
creating, 8.4.4
data dictionary views, 8.11
database session, 8.3.3.2
deleting, 8.4.5
determining with DVSYS.GET_FACTOR, 8.3.3.2
enterprise-wide users, 16.3.9
how factor identities work, 8.3.3.2
labels, 8.3.3.4
mapping, about, 8.4.6.1
mapping, identified, 8.3.3.1
mapping, procedure, 8.4.6.2
mapping, tutorial, 8.8.1
Oracle Label Security labels, 8.3.3.4
reports, 8.11
resolving, 8.3.3.1
retrieval methods, 8.3.3.5
setting dynamically, 16.2.2
trust levels, 8.3.3.2, 8.4.4
with Oracle Label Security, 8.3.3.2
initialization, command rules, 7.1.1
invalid audit options, 24.4.4
label, 24.4.4
naming conventions, 8.3.2
Oracle Virtual Private Database, attaching factors to, 10.4
parent factors, 8.3.3.1
performance effect, 8.10
procedures
DBMS_MACADM (configuration), 16.1.1
process flow, 8.6
propagating policies to other databases, 11.1.1
reports, 8.11
retrieving, 8.6.2
retrieving with DVSYS.GET_FACTOR, 16.2.3
rule sets
selecting, 8.3.4.1
setting, 8.6.3
setting with DVSYS.SET_FACTOR, 16.2.2
troubleshooting
auditing report, 24.5.3
configuration problems, E.3
tips, E.2
type (category of factor), 8.3.2
validating, 8.3.3.7
values (identities), 8.1
views
DVSYS.DBA_DV_FACTOR_LINK, 22.8
DVSYS.DBA_DV_FACTOR_TYPE, 22.9
DVSYS.DBA_DV_IDENTITY, 22.10
DVSYS.DBA_DV_IDENTITY_MAP, 22.11
DVSYS.DBA_DV_MAC_POLICY_FACTOR, 22.14
ways to assign, 8.3.3.2
See also rule sets
functions
command rules
DBMS_MACUTL (utility), 19.1
DVSYS schema enabling, 16.2.1
factors
DBMS_MACUTL (utility), 19.1
Oracle Label Security policy
DBMS_MACADM (configuration), 18.1
realms
DBMS_MACUTL (utility), 19.1
rule sets
DBMS_MACADM (configuration), 14.1.1
DBMS_MACUTL (utility), 19.1
PL/SQL functions for inspecting SQL, 14.2.1
secure application roles
DBMS_MACADM (configuration), 17.1.1
DBMS_MACSEC_ROLES (configuration), 17.2.1
DBMS_MACUTL (utility), 19.1

G

general security reports, 24.6
GRANT statement
monitoring, 23.2.1
guidelines
ALTER SESSION privilege, D.6.6.1
ALTER SYSTEM privilege, D.6.6.1
command rules, 7.8
CREATE ANY JOB privilege, D.6.3
CREATE EXTERNAL JOB privilege, D.6.4
CREATE JOB privilege, D.6.3
DBMS_FILE_TRANSFER package, D.6.1.1
factors, 8.9
general security, D
LogMiner packages, D.6.5
managing DV_OWNER and DV_ACCTMGR accounts, 12.3
operating system access, D.2.4
Oracle software owner, D.4.2
performance effect, 8.10
realms, 5.13
recycle bin, D.6.2.1
root access, D.2.4
root user access, D.4.1
rule sets, 6.10
secure application roles, 9.4
SYSDBA access, D.4.3
SYSDBA privilege, limiting, D.2.3
SYSOPER access, D.4.4
SYSTEM schema and application tables, D.2.2
SYSTEM user account, D.2.1
trusted accounts and roles, D.3
using Database Vault in a production environment, D.5
UTL_FILE package, D.6.1.1

H

hackers
See security attacks
Hierarchical System Privileges by Database Account Report, 24.6.2.3
host names
finding with DVF.F$DATABASE_HOSTNAME, 16.3.5

I

identities
See factors, identities
Identity Configuration Issues Report, 24.4.6
IDLE_TIME resource profile, 24.6.6.2
IMP_FULL_DATABASE role
impact of Oracle Database Vault installation, 2.4
importing data
See Oracle Data Pump
incomplete rule set, 24.4.4
role enablement, 24.4.7
initialization parameters
Allow System Parameters default rule set, 6.2
modified after installation, 2.1
modified by Oracle Database Vault, 2.1
reports, 24.6.6
insider threats
See intruders
installations
security considerations, D.6
intruders
compromising privileged accounts, 1.5
See security attacks
IP addresses
Client_IP default factor, 8.2
defined with factors, 8.1

J

Java Policy Grants Report, 24.6.9.1
jobs, scheduling
See Oracle Scheduler

L

Label Security Integration Audit Report, 24.5.4
labels
about, 8.4.3
See also Oracle Label Security
languages
adding to Oracle Database Vault, C.2
finding with DVF.F$LANG, 16.3.12
finding with DVF.F$LANGUAGE, 16.3.13
name
Lang default factor, 8.2
Language default factor, 8.2
LBACSYS account
about, 12.3
auditing policy, A.5
factor integration with OLS policy requirement, 10.5.3.2
See also Oracle Label Security
LBACSYS schema
auditing policy, A.5
realm protection, 5.2.1
locked out accounts, solution for, B.1
log files
Database Vault log files, A.3.2
logging on
reports, Core Database Audit Report, 24.6.8
LogMiner packages
guidelines, D.6.5

M

managing user accounts and profiles
Can Maintain Accounts/Profiles default rule set, 6.2
managing user accounts and profiles on own account, Can Maintain Own Accounts default rule set, 6.2
mandatory realms
about, 5.1.2
mapping identities, 8.4.6.2
MDDATA schema realm protection, 5.2.4
MDSYS schema realm protection, 5.2.4
monitoring
activities, 23
multitenant container databases. See CDBs
My Oracle Support
about, Preface

N

naming conventions
factors, 8.3.2
realms, 5.3
rule sets, 6.3
rules, 6.4.3
network protocol
finding with DVF.F$NETWORK_PROTOCOL, 16.3.15
network protocol, Network_Protocol default factor, 8.2
NOAUDIT statement
monitoring, 23.2.1
Non-Owner Object Trigger Report, 24.6.9.7
nonsystem database accounts, 24.6.1.3

O

Object Access By PUBLIC Report, 24.6.1.1
Object Access Not By PUBLIC Report, 24.6.1.2
Object Dependencies Report, 24.6.1.4
object owners
nonexistent, 24.4.1
reports
Command Rule Configuration Issues Report, 24.4.1
object privilege reports, 24.6.1
object types
supported for Database Vault realm protection, 5.1.3
objects
command rule objects
name, 7.4
owner, 7.4
processing, 7.6
dynamic SQL use, 24.6.9.3
mandatory realms, 5.1.2
monitoring, 23.2.1
object names
finding with DVSYS.DV_DICT_OBJ_NAME, 14.2.8
object owners
finding with DVSYS.DV_DICT_OBJ_OWNER, 14.2.7
object privileges
checking with DBMS_MACUTL.USER_HAS_OBJECT_PRIVILEGE function, 19.3.1
realms
object name, 5.3
object owner, 5.3
object type, 5.3
procedures for registering, 13.3
reports
Access to Sensitive Objects Report, 24.6.3.2
Accounts with SYSDBA/SYSOPER Privilege Report, 24.6.3.4
Direct Object Privileges Report, 24.6.1.3
Execute Privileges to Strong SYS Packages Report, 24.6.3.1
Non-Owner Object Trigger Report, 24.6.9.7
Object Access By PUBLIC Report, 24.6.1.1
Object Access Not By PUBLIC Report, 24.6.1.2
Object Dependencies Report, 24.6.1.4
Objects Dependent on Dynamic SQL Report, 24.6.9.3
OS Directory Objects Report, 24.6.9.2
privilege, 24.6.1
Public Execute Privilege To SYS PL/SQL Procedures Report, 24.6.3.3
sensitive, 24.6.3
System Privileges By Privilege Report, 24.6.2.5
restricting user access to using mandatory realms, 5.1.2
types
finding with DVSYS.DV_DICT_OBJ_TYPE, 14.2.6
views, DVSYS.DBA_DV_REALM_OBJECT, 22.23
See also database objects
Objects Dependent on Dynamic SQL Report, 24.6.9.3
OEM
See Oracle Enterprise Manager (OEM)
OEM_MONITOR schema realm protection, 5.2.3
OLS
See Oracle Label Security
operating system access
guideline for using with Database Vault, D.2.4
operating systems
reports
OS Directory Objects Report, 24.6.9.2
OS Security Vulnerability Privileges Report, 24.6.5.11
vulnerabilities, 24.6.5.11
ORA$DEPENDENCY profile, 4.1.2
ORA-00942 error, 9.7.7
ORA-01301 error, 11.8.1
ORA-06512 error, 6.8.4, 19.3.2
ORA-24247 error, 6.8.4
ORA-47305 error, 9.7.7
ORA-47400 error, 6.8.6, 11.8.1
ORA-47401 error, 5.9.2.1, 11.8.1
ORA-47408 error, 11.8.1
ORA-47409 error, 11.8.1
ORA-47500 error, 20.2
ORA-47503 error, 3.1.4
ORA-47920 error, 19.3.2
Oracle Data Dictionary realm, deprecated, Preface
Oracle Data Guard
integrating Database Vault with, 10.6
Oracle Data Pump
archiving the Oracle Database Vault audit trail with, A.4.2
authorizing transportable tablespace operations for Database Vault, 11.2.3.3
DBMS_MACADM.AUTHORIZE_TTS_USER, 20.1.7
DBMS_MACADM.UNAUTHORIZE_TTS_USER, 20.1.12
DVSYS.DBA_DV_DATAPUMP_AUTH view, 22.4
DVSYS.DBA_DV_TTS_AUTH view, 22.28
DVSYS.MACADM procedures for authorization, 20.1.3
granting authorization to use with Database Vault, 11.2.2.3
guidelines before performing an export or import, 11.2.4
levels of authorization required
Oracle Data Pump only, 11.2.2.2
transportable tablespaces, 11.2.3.2
realm protection, 5.2.5
revoking standard authorization, 11.2.2.4
revoking transportable tablespace authorization, 11.2.3.4
using with Oracle Database Vault, 11.2.1
Oracle Database Vault
about, 1.1.1
components, 1.3, 1.3.1
deinstalling, C.3
disabling
checking if disabled, B.2
procedures for, B
reasons for, B.1
enabling
checking if enabled, B.2
procedures for, B
integrating with other Oracle products, 10
Oracle Database installation, effect on, 2
post-installation procedures, C
privileges to use, 1.2
registering
about, 3.1.1
using DBCA, 3.1.1
reinstalling, C.4
roles
privileges of, 12.2.2
Oracle Database Vault Administrator (DVA)
logging on from Oracle Enterprise Manager Cloud Control, 3.2
Oracle Database Vault Administrator pages, 1.3.2
Oracle Database Vault realm, 5.2.1
Oracle Default Component Protection Realm, 5.2.6
Oracle Default Schema Protection Realm, 5.2.4
Oracle Enterprise Manager
DBSNMP account
changing password, 11.1.4
granted DV_MONITOR role, 12.2.5.3
performance tools, 5.14
using Oracle Database Vault with, 11.1
Oracle Enterprise Manager Cloud Control
monitoring Database Vault for attempted violations, 12.2.5.1
propagating Database Vault policies to other databases, 11.1.1
starting Oracle Database Vault from, 3.2
Oracle Enterprise Manager realm, 5.2.3
Oracle Enterprise User Security, integrating with Oracle Database Vault, 10.1
Oracle GoldenGate
Database Vault role used for
DV_GOLDENGATE_ADMIN, 12.2.11.1
DV_GOLDENGATE_REDO_ACCESS, 12.2.12.1
in an Oracle Database Vault environment, 11.7
Oracle Internet Directory Distinguished Name, Proxy_Enterprise_Identity default factor, 8.2
Oracle Label Security
using OLS_LABEL_DOMINATES function in rule expressions, 14.1.3
Oracle Label Security (OLS)
audit events, custom, A.3.1
checking if installed using DBMS_MACUTL functions, 19.3.1
data dictionary views, 10.5.5
functions
DBMS_MACUTL (utility), 19.2.1
how Database Vault integrates with, 10.5.1
initialization, command rules, 7.1.1
integration with Oracle Database Vault
example, 10.5.4.1
Label Security Integration Audit Report, 24.5.4
procedure, 10.5.3.1
requirements, 10.5.2
labels
about, 8.4.3
determining with GET_FACTOR_LABEL, 16.2.7
invalid label identities, 24.4.6
policies
accounts that bypass, 24.6.5.3
monitoring policy changes, 23.2.1
nonexistent, 24.4.4
procedures
DBMS_MACADM (configuration), 18.1
reports, 10.5.5
views
DVSYS.DBA_DV_MAC_POLICY, 22.13
DVSYS.DBA_DV_MAC_POLICY_FACTOR, 22.14
DVSYS.DBA_DV_POLICY_LABEL, 22.17
See also LBACSYS account
Oracle MetaLink
See My Oracle Support
Oracle OLAP realm protection, 5.2.4
Oracle Real Application Clusters
configuring Database Vault on RAC nodes, C.1
deinstalling Oracle Database Vault from, C.3
multiple factor identities, 8.3.3.2
Oracle Recovery Manager (RMAN)
in an Oracle Database Vault environment, 11.4
Oracle Scheduler
DVSYS.DBA_DV_JOB_AUTH view, 22.12
granting Oracle Database Vault authorization, 11.3.2
realm protection, 5.2.5
revoking Oracle Database Vault authorization, 11.3.3
SCHEDULER_ADMIN role, impact of Oracle Database Vault installation, 2.4
using with Oracle Database Vault, 11.3.1
Oracle software owner, guidelines on managing, D.4.2
Oracle Spatial realm protection, 5.2.4
Oracle Streams
Database Vault role used for, 12.2.9.1
Oracle System Privilege and Role Management Realm, 5.2.5
Oracle Text realm protection, 5.2.4
Oracle Virtual Private Database (VPD)
accounts that bypass, 24.6.5.3
factors, attaching to, 10.4
GRANT EXECUTE privileges with Grant VPD Administration default rule set, 6.2
using Database Vault factors with Oracle Label Security, 10.5.4.1
ORADEBUG utility
about, 11.10
DVSYS.DBA_DV_ORADEBUG view, 22.15
DVSYS.DBA_DV_PATCH_AUDIT view, 22.16
PL/SQL procedure for disabling in Database Vault, 20.1.16
PL/SQL procedure for enabling in Database Vault, 20.1.20
using with Database Vault, 11.10
OS Directory Objects Report, 24.6.9.2
OS Security Vulnerability Privileges Report, 24.6.5.11
OS_ROLES initialization parameter, 2.1
OUTLN schema realm protection, 5.2.6

P

parameters
modified after installation, 2.1
reports
Security Related Database Parameters Report, 24.6.6.1
parent factors
See factors
Password History Access Report, 24.6.5.6
passwords
forgotten, solution for, B.1
reports, 24.6.7
Database Account Default Password Report, 24.6.7.1
Password History Access Report, 24.6.5.6
Username/Password Tables Report, 24.6.9.5
patches
auditing DV_PATCH_ADMIN user, 12.2.13.1
DBMS_MACADM.DISABLE_DV_PATCH_ADMIN_AUDIT procedure, 20.1.15
DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT procedure, 20.1.18
DV_PATCH_ADMIN requirement for, 12.2.13.1
security consideration, D.6
two-person integrity used for, 6.9.1
PDBs
command rules in, 7.1.2
disabling tracing
all database sessions, E.1.10.3
current database session, E.1.10.3
DVF schema, 12.1.2
DVSYS schema, 12.1.1, 12.2.1
enabling tracing
all database sessions, E.1.5.3
current database session, E.1.5.1
plugging Database Vault-enabled PDB to CDB, 11.9
privilege analysis, 4.1.6
performance effect
command rules, 7.9
realms, 5.14
reports
Resource Profiles Report, 24.6.6.2
System Resource Limits Report, 24.6.6.3
rule sets, 6.11
secure application roles, 9.8
static evaluation for rule sets, 6.11
performance tools
Automatic Workload Repository (AWR)
command rules, 7.9
factors, 8.10
realms, 5.14
rule sets, 6.11
secure application roles, 9.8
Cloud Control, realms, 5.14
Oracle Enterprise Manager
command rules, 7.9
factors, 8.10
realms, 5.14
rule sets, 6.11
secure application roles, 9.8
Oracle Enterprise Manager Cloud Control
command rules, 7.9
factors, 8.10
rule sets, 6.11
secure application roles, 9.8
TKPROF utility
command rules, 7.9
factors, 8.10
realms, 5.14
rule sets, 6.11
secure application roles, 9.8
PL/SQL
packages
unwrapped bodies, 24.6.9.4
Unwrapped PL/SQL Package Bodies Report, 24.6.9.4
PL/SQL factor functions, 16.3
pluggable databases. See PDBs
policy changes, monitoring, 23.2.1
post-installation procedures, C
privilege analysis
about, 4.1.1
accessing reports in Cloud Control, 4.2.7.3
benefits, 4.1.5
CDBs, 4.1.6
creating
about, 4.2.3.1
in Cloud Control, 4.2.3.2
using DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE, 4.2.3.3
creating role in Cloud Control, 4.3.1
data dictionary views, 4.6
DBMS_PRIVILEGE_CAPTURE PL/SQL package, 4.2.1
disabling
about, 4.2.6.1
in Cloud Control, 4.2.6.2
using DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE, 4.2.6.3
dropping
about, 4.2.8.1
in Cloud Control, 4.2.8.2
using DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE, 4.2.8.3
enabling
about, 4.2.5.1
in Cloud Control, 4.2.5.2
using DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE, 4.2.5.3
examples of creating and enabling, 4.2.4.1
general steps for managing, 4.2.2
generating regrant scripts, 4.3.3.3
generating reports
about, 4.2.7.1
in Cloud Control, 4.2.7.2
using DBMS_PRIVILEGE_CAPTURE.GENERATE_REPORT, 4.2.7.4
generating revoke scripts, 4.3.3.2
logon users, 4.1.4
pre-compiled database objects, 4.1.2
privilege uses captured, 4.1.4
requirements for using, 4.1.3
restrictions, 4.1.4
revoking and re-granting in Cloud Control, 4.3.2
revoking and regranting using scripts, 4.3.3.1
tutorial, 4.5
tutorial for ANY privileges, 4.4
use cases, 4.1.5
finding application pool privileges, 4.1.5.1
finding overly privileged users, 4.1.5.2
privileges
ANY privileges, 12.2.14.2
checking with DBMS_MACUTL.USER_HAS_OBJECT_PRIVILEGE function, 19.3.1
existing users and roles, Database Vault effect on, 2.4
least privilege principle
violations to, 24.6.9.1
monitoring
GRANT statement, 23.2.1
REVOKE statement, 23.2.1
Oracle Database Vault restricting, 2.2
prevented from existing users and roles, 2.5
reports
Accounts With DBA Roles Report, 24.6.5.2
ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5
ANY System Privileges for Database Accounts Report, 24.6.2.4
AUDIT Privileges Report, 24.6.5.10
Database Accounts With Catalog Roles Report, 24.6.5.9
Direct and Indirect System Privileges By Database Account Report, 24.6.2.2
Direct System Privileges By Database Account Report, 24.6.2.1
Hierarchical System Privileges By Database Account Report, 24.6.2.3
listed, 24.6.4
OS Directory Objects Report, 24.6.9.2
Privileges Distribution By Grantee Report, 24.6.4.1
Privileges Distribution By Grantee, Owner Report, 24.6.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 24.6.4.3
WITH ADMIN Privilege Grants Report, 24.6.5.1
WITH GRANT Privileges Report, 24.6.5.7
restricting access using mandatory realms, 5.1.2
roles
checking with DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 19.3.1
system
checking with DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 19.3.1
views
DVSYS.DBA_DV_PUB_PRIVS, 22.19
DVSYS.DBA_DV_USER_PRIVS, 22.29
DVSYS.DBA_DV_USER_PRIVS_ALL, 22.30
Privileges Distribution By Grantee Report, 24.6.4.1
Privileges Distribution By Grantee, Owner Report, 24.6.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 24.6.4.3
privileges using external password, 24.6.3.4
problems, diagnosing, E.1.1
procedures
command rules
DBMS_MACADM (configuration), 15.1
factors
DBMS_MACADM (configuration), 16.1.1
realms
DBMS_MACADM (configuration), 13.1
production environments
guidelines for securing, D.5
profiles, 24.6.6
proxy user authorization
Database Vault authorization
DVSYS.DBA_DV_PROXY_AUTH view, 22.18
granting, 20.1.5
revoking, 20.1.10
PUBLIC access to realms, 5.8
Public Execute Privilege To SYS PL/SQL Procedures Report, 24.6.3.3
PUBLIC user account
impact of Oracle Database Vault installation, 2.4

Q

quotas
tablespace, 24.6.9.6

R

READ object privilege
affected by SQL92_SECURITY parameter, 2.1
Realm Audit Report, 24.5.1
Realm Authorization Configuration Issues Report, 24.4.3
realms
about, 5.1.1
adding roles to as grantees, 5.13
audit events, custom, A.3.1
authentication-related procedures, 13.2
authorization
enabling access to realm-protected objects, 5.10
how realm authorizations work, 5.9
process flow, 5.9
troubleshooting, E.2
authorizations
grantee, 5.3
rule set, 5.3
creating, 5.3
creating names, 5.3
data dictionary views, 5.15
data masking, 11.8.3
Database Vault Account Management realm, 5.2.2
DBMS_MACUTL constants, example of, 19.2.2
default realms
listed, 5.2
deleting, 5.7
deprecated for this release, Preface
disabling, 5.6
DV_REALM_OWNER role, 12.2.15.1
DV_REALM_RESOURCE role, 12.2.16.2
effect on other Oracle Database Vault components, 5.12
enabling, 5.6
enabling access to realm-protected objects, 5.10
example, 5.11
functions
DBMS_MACUTL (utility), 19.1
DBMS_MACUTL constants (fields), 19.2.1
guidelines, 5.13
how realms work, 5.8
mandatory realms, 5.1.2
naming conventions, 5.3
object types, supported, 5.1.3
object-related procedures, 13.3
Oracle Database Vault realm, 5.2.1
Oracle Default Component Protection Realm, 5.2.6
Oracle Default Schema Protection Realm, 5.2.4
Oracle Enterprise Manager realm, 5.2.3
Oracle System Privilege and Role Management Realm, 5.2.5
performance effect, 5.14
procedures
DBMS_MACADM (configuration), 13.1
process flow, 5.8
propagating policies to other databases, 11.1.1
protection after object is dropped, 5.13
PUBLIC access, 5.8
realm authorizations
about, 5.5
realm secured objects
object name, 5.3
object owner, 5.3
object type, 5.3
realm-secured objects, 5.4
reports, 5.15
roles
DV_REALM_OWNER, 12.2.15.1
DV_REALM_RESOURCE, 12.2.16.2
secured object, 24.4.3
territory a realm protects, 5.4
troubleshooting, E.2, E.3
tutorial, 3.3.1
views
DV$REALM, 22.22
DVSYS.DBA_DV_CODE, 22.2
DVSYS.DBA_DV_REALM, 22.20
DVSYS.DBA_DV_REALM_AUTH, 22.21
DVSYS.DBA_DV_REALM_OBJECT, 22.23
See also rule sets
RECOVERY_CATALOG_OWNER role, 24.6.5.9
recycle bin, guidelines on managing, D.6.2.1
RECYCLEBIN initialization parameter
default setting in Oracle Database Vault, 2.1
security considerations, D.6.2.1
registering Oracle Database Vault, 3.1.1
reinstalling Oracle Database Vault, C.4
REMOTE_LOGIN_PASSWORDFILE initialization parameter, 2.1
reports
about, 24.1
Access to Sensitive Objects Report, 24.6.3.2
Accounts With DBA Roles Report, 24.6.5.2
Accounts with SYSDBA/SYSOPER Privilege Report, 24.6.3.4
ALTER SYSTEM or ALTER SESSION Report, 24.6.5.5
ANY System Privileges for Database Accounts Report, 24.6.2.4
AUDIT Privileges Report, 24.6.5.10
auditing, 24.5
BECOME USER Report, 24.6.5.4
categories of, 24.1
Command Rule Audit Report, 24.5.2
Command Rule Configuration Issues Report, 24.4.1
Core Database Audit Report, 24.6.8
Core Database Vault Audit Trail Report, 24.5.5
Database Account Default Password Report, 24.6.7.1
Database Account Status Report, 24.6.7.2
Database Accounts With Catalog Roles Report, 24.6.5.9
Direct and Indirect System Privileges By Database Account Report, 24.6.2.2
Direct Object Privileges Report, 24.6.1.3
Direct System Privileges By Database Account Report, 24.6.2.1
Enterprise Manager Cloud Control, 11.1.3
Execute Privileges to Strong SYS Packages Report, 24.6.3.1
Factor Audit Report, 24.5.3
Factor Configuration Issues Report, 24.4.4
Factor Without Identities, 24.4.5
general security, 24.6
Hierarchical System Privileges by Database Account Report, 24.6.2.3
Identity Configuration Issues Report, 24.4.6
Java Policy Grants Report, 24.6.9.1
Label Security Integration Audit Report, 24.5.4
Non-Owner Object Trigger Report, 24.6.9.7
Object Access By PUBLIC Report, 24.6.1.1
Object Access Not By PUBLIC Report, 24.6.1.2
Object Dependencies Report, 24.6.1.4
Objects Dependent on Dynamic SQL Report, 24.6.9.3
OS Directory Objects Report, 24.6.9.2
OS Security Vulnerability Privileges, 24.6.5.11
Password History Access Report, 24.6.5.6
permissions for running, 24.2
privilege management, 24.6.4
Privileges Distribution By Grantee Report, 24.6.4.1
Privileges Distribution By Grantee, Owner Report, 24.6.4.2
Privileges Distribution By Grantee, Owner, Privilege Report, 24.6.4.3
Public Execute Privilege To SYS PL/SQL Procedures Report, 24.6.3.3
Realm Audit Report, 24.5.1
Realm Authorization Configuration Issues Report, 24.4.3
Resource Profiles Report, 24.6.6.2
Roles/Accounts That Have a Given Role Report, 24.6.5.8
Rule Set Configuration Issues Report, 24.4.2
running, 24.3
Secure Application Configuration Issues Report, 24.4.7
Secure Application Role Audit Report, 24.5.6
Security Policy Exemption Report, 24.6.5.3
Security Related Database Parameters, 24.6.6.1
security vulnerability, 24.6.9
System Privileges By Privilege Report, 24.6.2.5
System Resource Limits Report, 24.6.6.3
Tablespace Quotas Report, 24.6.9.6
Unwrapped PL/SQL Package Bodies Report, 24.6.9.4
Username/Password Tables Report, 24.6.9.5
WITH ADMIN Privileges Grants Report, 24.6.5.1
WITH GRANT Privileges Report, 24.6.5.7
Resource Profiles Report, 24.6.6.2
resources
reports
Resource Profiles Report, 24.6.6.2
System Resource Limits Report, 24.6.6.3
REVOKE statement
monitoring, 23.2.1
roles
adding to realms as grantees, 5.13
catalog-based, 24.6.5.9
Database Vault default roles, 12.2.1
privilege analysis, 4.1.4
privileges, checking with DBMS_MACUTL.USER_HAS_ROLE_VARCHAR function, 19.3.1
role enablement in incomplete rule set, 24.4.7
role-based system privileges, 24.6.2.3
See also secure application roles
Roles/Accounts That Have a Given Role Report, 24.6.5.8
root access
guideline for using with Database Vault, D.2.4
guidelines on managing, D.4.1
Rule Set Configuration Issues Report, 24.4.2
rule sets
about, 6.1
adding existing rules, 6.4.4
audit options, 6.3
command rules
disabled, 24.4.1
selecting for, 7.4
used with, 7.1.1
creating, 6.3
rules in, 6.4.3
creating names, 6.3
data dictionary views, 6.12
DBMS_MACUTL constants, example of, 19.2.3
default rule sets, 6.2
default rules, 6.4.2
deleting, 6.6
rules from, 6.4.5
disabled for
factor assignment, 24.4.4
realm authorization, 24.4.3
evaluation of rules, 6.4.1
evaluation options, 6.3
event handlers, 6.3
events firing, finding with DVSYS.DV_SYSEVENT, 14.2.2
factors, selecting for, 8.3.4.1
fail code, 6.3
fail message, 6.3
functions
DBMS_MACADM (configuration), 14.1.1
DBMS_MACUTL (utility), 19.1
DBMS_MACUTL constants (fields), 19.2.1
PL/SQL functions for rule sets, 14.2.1
guidelines, 6.10
how rule sets work, 6.7.1
incomplete, 24.4.1
naming conventions, 6.3
nested rules, 6.7.2
performance effect, 6.11
procedures
DBMS_MACADM (configuration), 14.1.1
process flow, 6.7.1
propagating policies to other databases, 11.1.1
removing references to objects, 6.5
reports, 6.12
rules that exclude one user, 6.7.3
static evaluation, 6.10
troubleshooting, E.2, E.3
views
DVSYS.DBA_DV_RULE, 22.25
DVSYS.DBA_DV_RULE_SET, 22.26
DVSYS.DBA_DV_RULE_SET_RULE, 22.27
See also command rules, factors, realms, rules, secure application roles
rules
about, 6.4.1
creating, 6.4.3
creating names, 6.4.3
data dictionary views, 6.12
default, 6.4.2
deleting, 6.4.5
deleting from rule set, 6.4.5
existing rules, adding to rule set, 6.4.4
naming conventions, 6.4.3
nested within a rule set, 6.7.2
removing from rule set, 6.4.5
reports, 6.12
troubleshooting, E.2
views
DVSYS.DBA_DV_RULE, 22.25
DVSYS.DBA_DV_RULE_SET_RULE, 22.27
See also rule sets
rule sets
audit event, custom, A.3.1

S

SCHEDULER_ADMIN role
impact of Oracle Database Vault installation, 2.4
scheduling database jobs
CREATE EXTERNAL JOB privilege security consideration, D.6.4
scheduling jobs
See Oracle Scheduler
schemas
DVF, 12.1.2
DVSYS, 12.1.1
Secure Application Configuration Issues Report, 24.4.7
secure application role, 9.1
Secure Application Role Audit Report, 24.5.6
secure application roles
audit event, custom, A.3.1
creating, 9.2
data dictionary view, 9.9
DBMS_MACSEC_ROLES.SET_ROLE function, 9.2
deleting, 9.5
functionality, 9.6
functions
DBMS_MACADM (configuration), 17.1.1
DBMS_MACSEC_ROLES (configuration), 17.2.1
DBMS_MACSEC_ROLES package, 17.2.1
DBMS_MACUTL (utility), 19.1
DBMS_MACUTL constants (fields), 19.2.1
guidelines on managing, 9.4
modifying, 9.3
performance effect, 9.8
procedure
DBMS_MACADM (configuration), 17.1.1
procedures and functions
DBMS_MACUTL (utility), 19.3.1
propagating policies to other databases, 11.1.1
reports, 9.9
Rule Set Configuration Issues Report, 24.4.2
troubleshooting, E.3
troubleshooting with auditing report, 24.5.6
tutorial, 9.7.1
views
DVSYS.DBA_DV_ROLE, 22.24
See also roles, rule sets
security attacks
Denial of Service (DoS) attacks
finding system resource limits, 24.6.6.3
Denial of Service attacks
finding tablespace quotas, 24.6.9.6
eliminating audit trail, 24.6.5.10
monitoring security violations, 23.1.1
Oracle Database Vault addressing compromised privileged user accounts, 1.5
reports
AUDIT Privileges Report, 24.6.5.10
Objects Dependent on Dynamic SQL Report, 24.6.9.3
Privileges Distribution By Grantee, Owner Report, 24.6.4.2
Unwrapped PL/SQL Package Bodies Report, 24.6.9.4
SQL injection attacks, 24.6.9.3
tracking
with factor auditing, 8.3.4.2
with rule set auditing, 6.3
security policies, Oracle Database Vault addressing, 1.6
Security Policy Exemption Report, 24.6.5.3
Security Related Database Parameters Report, 24.6.6.1
security violations
monitoring attempts, 23.1.1
security vulnerabilities
how Database Vault addresses, 1.7
operating systems, 24.6.5.11
reports, 24.6.9
Security Related Database Parameters Report, 24.6.6.1
root operating system directory, 24.6.9.2
SELECT statement
controlling with command rules, 7.1.1
SELECT_CATALOG_ROLE role, 24.6.5.9
sensitive objects reports, 24.6.3
separation of duty concept
about, D.1.1
command rules, 7.2
database accounts, 12.3
database accounts, suggested, 12.3
database roles, 2.3
Database Vault Account Manager role, 12.3
documenting tasks, D.1.4
example matrix, D.1.3
how Oracle Database Vault addresses, 2.3
realms, 1.7
restricting privileges, 2.2
roles, 12.2.1
tasks in Oracle Database Vault environment, D.1.2
sessions
audit events, custom, A.3.1
DBMS_MACUTL fields, 19.2.1
finding session user with DVF.F$SESSION_USER, 16.3.17
restricting data based on, 8.8.1
retrieving information with functions, 16.1.1
SQL injection attacks, detecting with Objects Dependent on Dynamic SQL Report, 24.6.9.3
SQL statements
default command rules that protect, 7.2
SQL text, finding with DVSYS.DV_SQL_TEXT, 14.2.9
SQL92_SECURITY initialization parameter, 2.1
subfactors
See child factors under factors topic
SYS account
privilege analysis, 4.1.4
SYS schema
command rules, 7.4
SYS user account
adding to realm authorization, 5.13
SYS_CONTEXT function
Boolean expressions used in privilege analysis, 4.2.3.3
SYSDBA access
guidelines on managing, D.4.3
SYSDBA privilege
limiting, importance of, D.2.3
SYS.DV$CONFIGURATION_AUDIT view, 22.33
SYS.DV$ENFORCEMENT_AUDIT view, 22.34
SYSOPER access
guidelines on managing, D.4.4
system features
disabling with Disabled rule set, 6.2
enabling with Enabled rule set, 6.2
system privileges
checking with DBMS_MACUTL.USER_HAS_SYSTEM_PRIVILEGE function, 19.3.1
reports
System Privileges By Privilege Report, 24.6.2.5
System Privileges By Privilege Report, 24.6.2.5
System Resource Limits Report, 24.6.6.3
system root access, guideline on managing, D.4.1
SYSTEM schema
application tables in, D.2.2
realm protection, 5.2.6
SYSTEM user account
guidelines for using with Database Vault, D.2.1

T

tablespace quotas, 24.6.9.6
Tablespace Quotas Report, 24.6.9.6
time data
DBMS_MACUTL functions, 19.3.1
trace files
about, E.1.1
trace files, Oracle Database Vault
about, E.1.1
activities that can be traced, E.1.2
ADRCI utility, E.1.6.3
directory location for trace files, E.1.6.1
disabling for all sessions, E.1.10.2
disabling for current session, E.1.10.1
enabling for all sessions, E.1.5.2
enabling for current session, E.1.5.1
examples
high level authorization, E.1.8
highest level on realm violations, E.1.9
low level realm violations, E.1.7
finding trace file directory, E.1.6.1
levels of trace events, E.1.3
performance effect, E.1.4
querying
ADRCI utility, E.1.6.3
Linux grep command, E.1.6.2
Transparent Data Encryption, used with Oracle Database Vault, 10.3
transportable tablespaces
authorizing for Oracle Data Pump operations in Database Vault, 11.2.3.3
DBMS_MACADM.AUTHORIZE_TTS_USER procedure, 20.1.7
DBMS_MACADM.UNAUTHORIZE_TTS_USER procedure, 20.1.12
DVSYS.DBA_DV_TTS_AUTH view, 22.28
triggers
different from object owner account, 24.6.9.7
reports, Non-Owner Object Trigger Report, 24.6.9.7
troubleshooting
access security sessions, 24.5.5
auditing reports, using, 24.5
factors, E.2
general diagnostic tips, E.2
locked out accounts, B.1
passwords, forgotten, B.1
realms, E.2
rule sets, E.2
rules, E.2
secure application roles, 24.5.6
trust levels
about, 8.4.2
determining for identities with DVSYS.GET_TRUST_LEVEL_FOR_IDENTITY, 16.2.5
determining with DVSYS.GET_TRUST_LEVEL, 16.2.4
factor identity, 8.4.2
factors, 8.4.4
for factor and identity requested, 16.2.5
identities, 8.3.3.2
of current session identity, 16.2.4
trusted users
accounts and roles that should be limited, D.4
default for Oracle Database Vault, D.3
tutorials
access, granting with secure application roles, 9.7.1
ad hoc tool access, preventing, 8.7.1
configuring two-person integrity (TPI), 6.9.1
Database Vault factors with Virtual Private Database and Oracle Label Security, 10.5.4.1
email alert in rule set, 6.8.1
factors, mapping identities, 8.8.1
Oracle Label Security integration with Oracle Database Vault, 10.5.4.1
privilege analysis, 4.5
privilege analysis for ANY privileges, 4.4
restricting access based on session data, 8.8.1
restricting user activities with command rules, 7.7
schema, protecting with a realm, 3.3.1
See also examples
two-man rule security
See two-person integrity (TPI)
two-person integrity (TPI)
about, 6.9.1
configuring with a rule set, 6.9.1

U

unified audit trail
how it works with Database Vault, A.1
protecting with a realm, A.2
Unwrapped PL/SQL Package Bodies Report, 24.6.9.4
user names
reports, Username/Password Tables Report, 24.6.9.5
USER_HISTORY$ table, 24.6.5.6
Username/Password Tables Report, 24.6.9.5
users
enterprise identities, finding with DVF.F$PROXY_ENTERPRISE_IDENTITY, 16.3.16
enterprise-wide identities, finding with DVF.F$ENTERPRISE_IDENTITY, 16.3.10
finding session user with DVF.F$SESSION_USER, 16.3.17
login user name, finding with DVSYS.DV_LOGIN_USER, 14.2.3
restricting access by factor identity, 8.8.1
utility functions
See DBMS_MACUTL package
UTL_FILE object, 24.6.1.4
UTL_FILE package, guidelines on managing, D.6.1.1

V

views
DVSYS.DBA_DV_CODE, 22.2
DVSYS.DBA_DV_COMMAND_RULE, 22.3
DVSYS.DBA_DV_DATAPUMP_AUTH, 22.4
DVSYS.DBA_DV_DDL_AUTH, 22.5
DVSYS.DBA_DV_DICTIONARY_ACCTS, 22.6
DVSYS.DBA_DV_FACTOR, 22.7
DVSYS.DBA_DV_FACTOR_TYPE, 22.9
DVSYS.DBA_DV_IDENTITY, 22.10
DVSYS.DBA_DV_IDENTITY_MAP, 22.11
DVSYS.DBA_DV_JOB_AUTH, 22.12
DVSYS.DBA_DV_ORADEBUG, 22.15
DVSYS.DBA_DV_PATCH_AUDIT, 22.16
DVSYS.DBA_DV_POLICY_LABEL, 22.17
DVSYS.DBA_DV_PROXY_AUTH, 22.18
DVSYS.DBA_DV_PUB_PRIVS, 22.19
DVSYS.DBA_DV_REALM, 22.20
DVSYS.DBA_DV_REALM_AUTH, 22.22
DVSYS.DBA_DV_REALM_OBJECT, 22.23
DVSYS.DBA_DV_ROLE, 22.24
DVSYS.DBA_DV_RULE_SET, 22.26
DVSYS.DBA_DV_RULE_SET_RULE, 22.27
DVSYS.DBA_DV_TTS_AUTH, 22.28
DVSYS.DBA_DV_USER_PRIVS, 22.29
DVSYS.DBA_DV_USER_PRIVS_ALL, 22.30
DVSYS.DV$CONFIGURATION_AUDIT, 22.31
DVSYS.DV$ENFORCEMENT_AUDIT, 22.32
DVSYS.DV$REALM, 22.21
See also names beginning with DVSYS.DBA_DV
SYS.DV$CONFIGURATION_AUDIT, 22.33
SYS.DV$ENFORCEMENT_AUDIT, 22.34
VPD
See Oracle Virtual Private Database (VPD)

W

WITH ADMIN Privileges Grants Report, 24.6.5.1
WITH ADMIN status, 24.6.2.1, 24.6.2.2
WITH GRANT clause, 24.6.5.7
WITH GRANT Privileges Report, 24.6.5.7

X

XStream
Database Vault role used for, 12.2.10.1
in an Oracle Database Vault environment, 11.6