Oracle Database 19c Vault Operations Control

This is an extra layer of protection above the normal Database Vault Realms & Command Rules.

In a multitenant database, you can now use Oracle Database Vault to block common users (infrastructure database administrators, for example) from accessing local data in pluggable databases (PDBs), even if you don’t have the database vault enabled at the PDB level.

This is a new feature in Oracle Database 19c.

Let us have a quick demo to show you how to enable/disable the Database Vault Operations Control at the CDB level and how it impacts the power users access to the business data at the PDB level, even in the case of Database Vault is not enabled at the PDB level.

First of all, you need to have the database vault configured at the CDB level. For detailed steps about how to enable database vault, please refer to my video:

Check the current database vault status:

It is configured at the CDB level, but the Operations Control is not configured.
SYS user can access the business data at the PDB level.

Now, let us enable the Database Vault Operations Control:

Let us switch to the PDB using the SYS user:

Database Vault is not configured at the PDB level, but still the Database Vault Operation Control is enabled.

Now, let us see what will happen if the SYS user tried to access the business data at the PDB level:

It will fail as expected.

Let us disable the database vault operation control, and see if the SYS user can access the business data:

Now, SYS user can access the data, in the absense of the opreation control.

If you tried to enable the Database Vault in a database where the Database Vault is not enabled, you will receive the following error:

Also, in 19c you can exclude some common users from the Database Vault and allow them to access the data inside the PDB. This is required for some database features like: Oracle Text and Oracle Spatial.

To do that, login as database vault owner to the CDB$ROOT, and run:
exec dvsys.dbms_macadm.add_app_exception (owner => ‘MDSYS’, package_name => ‘PACK_APP1’);

Thanks
Ahmed

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s