Database Vault Operations Control is an extra layer of protection on top of the normal Database Vault realms and command rules.
In a multitenant database, you can now use Oracle Database Vault to block common users (infrastructure database administrators, for example) from accessing local data in pluggable databases (PDBs), even if you don't have Database Vault enabled at the PDB level. Realms and command rules protect objects inside a PDB where Database Vault is enabled; Operations Control is enforced from the CDB root and applies to all of its PDBs.
This is a new feature in Oracle Database 19c.
Let us have a quick demo to show how to enable and disable Database Vault Operations Control at the CDB level, and how it affects a power user's access to business data at the PDB level, even when Database Vault is not enabled in that PDB.
First of all, you need to have Database Vault configured and enabled at the CDB level (in CDB$ROOT). For detailed steps about how to enable Database Vault, please refer to my video:
Check the current Database Vault status (the DBA_DV_STATUS view reports the configure, enable and Operations Control states):
Now, let us enable Database Vault Operations Control as the Database Vault owner in CDB$ROOT:
Let us switch to the PDB using the SYS user:
Now, let us see what happens when the SYS user tries to access the business data at the PDB level:
Let us disable Database Vault Operations Control, and see whether the SYS user can access the business data now:
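The whole demo above as one SQL*Plus script, added here as an example that is not from the original post. It assumes a common Database Vault owner named c##dvowner (granted DV_OWNER), a PDB named PDB1 and a business table HR.EMPLOYEES inside that PDB; none of these names come from the post, so replace them with your own.

```sql
-- Added example (not from the original post). Run in SQL*Plus.
-- Assumptions: c##dvowner is the common Database Vault owner (DV_OWNER role),
-- PDB1 is the pluggable database, HR.EMPLOYEES is the business table in PDB1.

-- 1. In CDB$ROOT, as the Database Vault owner: confirm Database Vault is
--    configured and enabled in the root, and read the Operations Control state.
CONNECT c##dvowner
SHOW CON_NAME
SELECT name, status FROM dba_dv_status;
-- Expect DV_CONFIGURE_STATUS = TRUE and DV_ENABLE_STATUS = TRUE; the
-- DV_APP_PROTECTION row shows whether Operations Control is in force.

-- 2. Enable Operations Control for the PDBs of this CDB.
EXEC DBMS_MACADM.ENABLE_APP_PROTECTION;
SELECT status FROM dba_dv_status WHERE name = 'DV_APP_PROTECTION';

-- 3. As SYS (a common user), switch into the PDB and try to read local data.
--    Database Vault does not need to be enabled in PDB1 for this to be blocked.
CONNECT / AS SYSDBA
ALTER SESSION SET CONTAINER = PDB1;
SELECT name, status FROM dba_dv_status;       -- DV state inside the PDB itself
SELECT COUNT(*) FROM hr.employees;            -- rejected while Operations Control is enabled

-- 4. Back in CDB$ROOT, disable Operations Control and repeat the read.
CONNECT c##dvowner
EXEC DBMS_MACADM.DISABLE_APP_PROTECTION;
SELECT status FROM dba_dv_status WHERE name = 'DV_APP_PROTECTION';

CONNECT / AS SYSDBA
ALTER SESSION SET CONTAINER = PDB1;
SELECT COUNT(*) FROM hr.employees;            -- succeeds again for SYS
```

Keep the check against DBA_DV_STATUS after each ENABLE/DISABLE call: it is the only cheap way to confirm, from the root, what the PDBs are actually enforcing.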
If you try to enable Database Vault Operations Control in a CDB where Database Vault itself is not enabled, you will receive the following error:
Also, in 19c you can exclude specific common users (identified by schema owner and package) from Operations Control and allow them to access the data inside the PDBs. This is required for database features whose common schemas must read local PDB data, such as Oracle Text and Oracle Spatial.
To do that, log in to CDB$ROOT as the Database Vault owner (a user granted DV_OWNER) and run:
exec dvsys.dbms_macadm.add_app_exception (owner => 'MDSYS', package_name => 'PACK_APP1');
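The exception lifecycle in full, as an added example that is not part of the original post: add the exception, verify it through the DBA_DV_APP_EXCEPTION view, and remove it when it is no longer needed. MDSYS is the Oracle Spatial schema; PACK_APP1 is the placeholder package name used in the post, not a real Oracle package, so substitute the package that actually needs to bypass Operations Control.

```sql
-- Added example (not from the original post). Run as the Database Vault
-- owner (DV_OWNER role) in CDB$ROOT. PACK_APP1 is a placeholder package name.

-- Record the state before the change so the effect is visible.
SELECT owner, package_name FROM dba_dv_app_exception ORDER BY owner, package_name;

-- Add the exception: this common user, running this package, is no longer
-- blocked by Operations Control when it touches local data in the PDBs.
EXEC DBMS_MACADM.ADD_APP_EXCEPTION(owner => 'MDSYS', package_name => 'PACK_APP1');

-- Verify exactly one row was added for that owner/package pair.
SELECT owner, package_name
FROM   dba_dv_app_exception
WHERE  owner = 'MDSYS' AND package_name = 'PACK_APP1';

-- Remove the exception once the feature no longer needs it, then confirm.
EXEC DBMS_MACADM.DELETE_APP_EXCEPTION(owner => 'MDSYS', package_name => 'PACK_APP1');
SELECT COUNT(*) AS remaining
FROM   dba_dv_app_exception
WHERE  owner = 'MDSYS' AND package_name = 'PACK_APP1';
```

Treat every row in DBA_DV_APP_EXCEPTION as a deliberate hole in Operations Control: review the list periodically, keep each entry scoped to the one owner and package that needs it, and delete entries as soon as the dependent feature is no longer in use.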