Business Introduction:
- Oracle Database Vault is a security feature built into Autonomous Database Shared that enforces separation of duties and controls access to sensitive application data.
- It lets organizations restrict even highly privileged users (like DBAs) from directly viewing or altering sensitive business data, while still allowing them to perform administrative tasks.
- Oracle Database Vault secures existing database environments transparently, eliminating costly and time-consuming application changes.
- Protects sensitive data against insider threats and misconfigurations.
- Meets compliance requirements by controlling who can access what.
- Reduces risk exposure by preventing unauthorized or accidental access by administrators.
- Strengthens trust with customers and regulators by proving strong internal data controls.
- Reduced compliance costs: built-in controls help meet audit requirements faster, with less manual work.
- Avoidance of fines & breaches: one data breach or regulatory violation can cost millions in penalties and reputation damage.
- Business continuity & trust: demonstrating strong data governance can improve customer confidence and shorten sales cycles in regulated industries.
Objectives:
- Enable Database Vault in an Autonomous Database Shared
- Protect sensitive data using a Database Vault realm
Prerequisites:
- A free tier or paid Oracle Cloud account
- Oracle Autonomous Database Shared (serverless ADB service)
Task #1: Set Up Application Schema and Users
3. Create the working users.
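The setup that the later tasks rely on, as an added example written for this page (it is not the lab's own script). The user names and the table APPSCHEMA.CUSTOMERS come from the lab; the column layout, the constructed sample rows and the exact privilege grants are assumptions. It is meant to be run as ADMIN. The point of the layout is that the three users reach the same table through three different paths, which is what a realm later distinguishes between.

```sql
-- Added example, not from the lab. Run as ADMIN. User names and the table
-- APPSCHEMA.CUSTOMERS come from the lab; columns, sample rows and the exact
-- privilege grants are assumptions.

-- Schema owner of the sensitive table.
CREATE USER appschema IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION, CREATE TABLE TO appschema;
ALTER USER appschema QUOTA UNLIMITED ON data;

-- Application user: reaches the table only through a direct object grant.
CREATE USER appuser IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION TO appuser;

-- Administrator: holds PDB_DBA as in the lab; SELECT ANY TABLE is granted
-- explicitly so its path to the data is a system privilege, not an object grant.
CREATE USER dba_user IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION, SELECT ANY TABLE, PDB_DBA TO dba_user;

-- The sensitive table, with constructed rows (not real customer data).
CREATE TABLE appschema.customers (
  cust_id    NUMBER        PRIMARY KEY,
  cust_name  VARCHAR2(60)  NOT NULL,
  card_last4 VARCHAR2(4)
);
INSERT INTO appschema.customers VALUES (1, 'Ada Example', '4242');
INSERT INTO appschema.customers VALUES (2, 'Bob Sample',  '1111');
COMMIT;

GRANT SELECT ON appschema.customers TO appuser;

-- Baseline before any realm exists: three distinct access paths to one table.
-- Run SELECT * FROM appschema.customers; as APPSCHEMA (owner), APPUSER (object
-- grant) and DBA_USER (SELECT ANY TABLE). All three succeed. The grant paths:
SELECT grantee, privilege, 'OBJECT' AS via
  FROM dba_tab_privs
 WHERE owner = 'APPSCHEMA' AND table_name = 'CUSTOMERS'
UNION ALL
SELECT grantee, privilege, 'SYSTEM'
  FROM dba_sys_privs
 WHERE grantee = 'DBA_USER' AND privilege = 'SELECT ANY TABLE';
```

SQL Worksheet access for these three users can be switched on with the same ORDS_ADMIN.ENABLE_SCHEMA calls the lab uses for the Database Vault administrators in Task #2.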
Task #2: Enable Database Vault
1. Create the Database Vault owner and account manager users, and enable SQL Worksheet for them.
-- Create DV owner
CREATE USER dv_admin_owner IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION TO dv_admin_owner;
GRANT SELECT ANY DICTIONARY TO dv_admin_owner;
GRANT AUDIT_ADMIN TO dv_admin_owner;
-- Create DV account manager
CREATE USER dv_admin_accts IDENTIFIED BY WElcome_123#;
GRANT CREATE SESSION TO dv_admin_accts;
GRANT AUDIT_ADMIN TO dv_admin_accts;
-- Enable SQL Worksheet for the users just created
BEGIN
  ORDS_ADMIN.ENABLE_SCHEMA(
    p_enabled             => TRUE,
    p_schema              => UPPER('dv_admin_owner'),
    p_url_mapping_type    => 'BASE_PATH',
    p_url_mapping_pattern => LOWER('dv_admin_owner'),
    p_auto_rest_auth      => TRUE);
  ORDS_ADMIN.ENABLE_SCHEMA(
    p_enabled             => TRUE,
    p_schema              => UPPER('dv_admin_accts'),
    p_url_mapping_type    => 'BASE_PATH',
    p_url_mapping_pattern => LOWER('dv_admin_accts'),
    p_auto_rest_auth      => TRUE);
END;
/
2. Configure the database vault user accounts.
3. Verify DV is configured but not yet enabled.
4. Enable Database Vault.
5. Restart the Autonomous Database from the OCI console to complete the enabling process; nothing is enforced until the restart has finished.
SELECT * FROM DBA_DV_STATUS;
6. Once DV is enabled, DBA_USER can no longer create, alter or drop database user accounts, even though DBA_USER holds the PDB_DBA role. Account management now belongs to the DV account administrator (DV_ADMIN_ACCTS) and security configuration to the DV security administrator (DV_ADMIN_OWNER); the duties of DBA_USER are separated from both.
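The configure, verify, enable and re-verify sequence of this task as one added example (written for this page, not the lab's own block). DBMS_CLOUD_MACADM and the DBA_DV_STATUS view are the Autonomous Database interfaces for this; the user names come from the lab. That the block is run as ADMIN, and the exact status values quoted in the comments, are assumptions to compare against your own output.

```sql
-- Added example. Assumed to be run as ADMIN. Procedure and view names are the
-- Autonomous Database interfaces; DV user names come from the lab.

-- Step 2: nominate the two administrators created in step 1.
-- DV_ADMIN_OWNER receives the DV_OWNER role (security configuration),
-- DV_ADMIN_ACCTS receives DV_ACCTMGR (user account management).
BEGIN
  DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT(
    dvowner_uname   => 'DV_ADMIN_OWNER',
    dvacctmgr_uname => 'DV_ADMIN_ACCTS');
END;
/

-- Step 3: configured but not yet enabled.
-- Expected: DV_CONFIGURE_STATUS = TRUE, DV_ENABLE_STATUS = FALSE.
SELECT name, status FROM dba_dv_status;

-- Step 4: enable. Enforcement starts only after the instance restarts.
BEGIN
  DBMS_CLOUD_MACADM.ENABLE_DATABASE_VAULT;
END;
/

-- Step 5: restart from the OCI console, reconnect, then confirm both rows
-- read TRUE before relying on any realm.
SELECT name, status FROM dba_dv_status;

-- Step 6: the separation of duties is visible in the role grants. PDB_DBA is
-- not enough for CREATE USER any more; DV_ACCTMGR is what now controls it.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
 ORDER BY granted_role, grantee;

-- To see the effect, run the same statement from two sessions:
--   as DBA_USER:       CREATE USER probe IDENTIFIED BY WElcome_123#;
--                      -> ORA-01031: insufficient privileges
--   as DV_ADMIN_ACCTS: CREATE USER probe IDENTIFIED BY WElcome_123#;
--                      -> succeeds (then DROP USER probe; to clean up)
```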
Task #3: Create a Simple DV Realm
- A realm is a protected zone inside the database where database schemas, objects, and roles can be secured.
- After you have secured these into a realm, you can use the realm to control the use of system and object privileges by specific accounts or roles.
- This enables you to enforce context-sensitive access controls for anyone who wants to use these schemas, objects, and roles.
1. Connect to the database and confirm that you can query table APPSCHEMA.CUSTOMERS as each of the users DBA_USER, APPSCHEMA, and APPUSER before creating the DV realm.
2. Create a realm to secure the APPSCHEMA tables by running the PL/SQL block below as the DV owner user (DV_ADMIN_OWNER).
3. Add table APPSCHEMA.CUSTOMERS to the realm by running the PL/SQL block below as the DV owner user (DV_ADMIN_OWNER).
4. Now check the effect of this realm. Query table APPSCHEMA.CUSTOMERS as DBA_USER, APPSCHEMA, and APPUSER. Each gets "ORA-01031: insufficient privileges": the realm is a mandatory realm, so objects inside it cannot be accessed by any database user, including the DBA and the schema owner, until that user is authorized in the realm. A regular realm would block only system-privilege access such as SELECT ANY TABLE and would still let the owner and users with direct object grants through.
5. As the DV owner user (DV_ADMIN_OWNER), authorize the application user (APPUSER) by adding it to the realm with the PL/SQL block below.
6. Re-run the query as APPUSER. It now succeeds, while DBA_USER and APPSCHEMA remain blocked until they too are authorized.
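The realm procedure of this task, steps 2 through 6, as one added example (written for this page, not the lab's own blocks), run as DV_ADMIN_OWNER. The DBMS_MACADM calls and the DBA_DV_* views are the Database Vault API; the realm name, its description, the audit policy name and the choice of a mandatory realm are assumptions made here so that the ORA-01031 behaviour described above actually occurs. The audit policy at the end is the piece a practitioner wants next: it records every realm violation in the unified audit trail, which the AUDIT_ADMIN privilege granted to DV_ADMIN_OWNER in Task #2 lets you read.

```sql
-- Added example. Run as DV_ADMIN_OWNER (DV_OWNER role). Realm name,
-- description, policy name and the mandatory realm type are assumptions.

-- Step 2: create the realm. realm_type => 1 makes it MANDATORY: the protected
-- table is blocked for everyone, owner and object-grant holders included,
-- until they are authorized. realm_type => 0 (regular) blocks only
-- system-privilege access such as SELECT ANY TABLE, so APPSCHEMA and APPUSER
-- would keep working and the lab's ORA-01031 would not appear for them.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'APPSCHEMA Customer Data Realm',
    description   => 'Protects APPSCHEMA customer tables from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_OFF, -- unified auditing is used instead, see policy below
    realm_type    => 1);
END;
/

-- Step 3: put the table inside the realm.
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APPSCHEMA Customer Data Realm',
    object_owner => 'APPSCHEMA',
    object_name  => 'CUSTOMERS',
    object_type  => 'TABLE');
END;
/

-- Step 4 (run as DBA_USER, APPSCHEMA and APPUSER in turn):
--   SELECT * FROM appschema.customers;   -- ORA-01031: insufficient privileges

-- Step 5: authorize APPUSER as a realm PARTICIPANT. A participant may use the
-- privileges it already holds (here the SELECT grant) and gains nothing extra.
-- G_REALM_AUTH_OWNER would additionally let the grantee manage realm-secured
-- roles, so application accounts stay participants.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'APPSCHEMA Customer Data Realm',
    grantee       => 'APPUSER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Step 6 (run as APPUSER): the query works again. DBA_USER and APPSCHEMA
-- still receive ORA-01031 until they are authorized in the same way.

-- Verify the definition from the DV owner's session.
SELECT r.name, r.enabled, r.realm_type,
       o.owner || '.' || o.object_name AS protected_object,
       a.grantee, a.auth_options
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
  LEFT JOIN dba_dv_realm_auth a ON a.realm_name = r.name
 WHERE r.name = 'APPSCHEMA Customer Data Realm';

-- Detection: record every violation against this realm in the unified audit
-- trail (AUDIT_ADMIN, granted to DV_ADMIN_OWNER in Task #2, is required).
CREATE AUDIT POLICY appschema_realm_violations
  ACTIONS COMPONENT=DV REALM VIOLATION ON "APPSCHEMA Customer Data Realm";
AUDIT POLICY appschema_realm_violations;

-- After repeating step 4, the blocked attempts are visible here.
SELECT event_timestamp, dbusername, dv_action_name, dv_action_object_name, sql_text
  FROM unified_audit_trail
 WHERE dv_action_name IS NOT NULL
 ORDER BY event_timestamp DESC;
```

If a realm must also shield roles or whole schemas, ADD_OBJECT_TO_REALM accepts '%' as object_name and object_type; the single-table form above is used so the effect of each authorization stays easy to observe.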
Task #4: Disable Database Vault
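The disable sequence as an added example (written for this page, not the lab's own steps). It assumes it is run as DV_ADMIN_OWNER, the Database Vault owner account that Autonomous Database expects to perform the disable, and it uses the same DBMS_CLOUD_MACADM package and DBA_DV_STATUS view as the enable step. Disabling stops enforcement but does not remove the configuration: the DV users and the realms remain defined, so re-enabling later reinstates them.

```sql
-- Added example. Assumed to be run as DV_ADMIN_OWNER (DV_OWNER role).

-- Record what stops being enforced: realms stay defined but are ignored
-- while Database Vault is disabled.
SELECT name, enabled FROM dba_dv_realm ORDER BY name;

BEGIN
  DBMS_CLOUD_MACADM.DISABLE_DATABASE_VAULT;
END;
/

-- Restart the instance from the OCI console, reconnect, then confirm:
-- DV_CONFIGURE_STATUS stays TRUE (configuration kept),
-- DV_ENABLE_STATUS must now read FALSE.
SELECT name, status FROM dba_dv_status;

-- Regression check (run as DBA_USER): the realm-protected table is readable
-- again because enforcement is off, not because the realm was dropped.
--   SELECT COUNT(*) FROM appschema.customers;
```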
Thanks for reading!