Oracle Database Vault on Autonomous Database

 

Business Introduction:

• Oracle Database Vault is a security feature built into Autonomous Database Shared that enforces separation of duties and controls access to sensitive application data.
• It lets organizations restrict even highly privileged users (like DBAs) from directly viewing or altering sensitive business data, while still allowing them to perform administrative tasks.
• Oracle Database Vault secures existing database environments transparently, eliminating costly and time consuming application changes.

Business Importance:

• Protects sensitive data against insider threats and misconfigurations.
• Meets compliance requirements by controlling who can access what.
• Reduces risk exposure by preventing unauthorized or accidental access by administrators.
• Strengthens trust with customers and regulators by proving strong internal data controls.

Potential ROI:

• Reduced compliance costs: built-in controls help meet audit requirements faster, with less manual work.
• Avoidance of fines & breaches: one data breach or regulatory violation can cost millions in penalties and reputation damage.
• Business continuity & trust: demonstrating strong data governance can improve customer confidence and shorten sales cycles in regulated industries.

In this blog, I'll demonstrate the following:

• Enable Database Vault in an Autonomous Database Shared
• Protect sensitive data using a Database Vault realm

Prerequisites:

• A free tier or paid Oracle Cloud account
• Oracle Autonomous Database Shared (serverless ADB service) 

      Note: The Configure/Enable/Disable DV command syntax, which will be used in this blog, is only for Autonomous Database Shared. Other Oracle database flavors use a slightly different syntax.        

      Task #1: Setup Application Schema and Users

1. In Autonomous database details page, open SQL worksheet.

2. Create the application schema.

CREATE USER appschema IDENTIFIED BY WElcome_123#;

GRANT CREATE SESSION, CREATE TABLE TO appschema;

GRANT UNLIMITED TABLESPACE TO appschema;

BEGIN

   ORDS_ADMIN.ENABLE_SCHEMA(

   p_enabled => TRUE,

   p_schema => UPPER('appschema'),      

   p_url_mapping_type => 'BASE_PATH',

   p_url_mapping_pattern => LOWER('appschema'),

   p_auto_rest_auth => TRUE);

END;

/

CREATE TABLE appschema.customers AS SELECT * FROM sh.customers;

CREATE TABLE appschema.countries AS SELECT * FROM sh.countries;

3. Create the working users.

--- Create DBA_USER

CREATE USER dba_user IDENTIFIED BY WElcome_123#;

GRANT PDB_DBA TO dba_user;

BEGIN

   ORDS_ADMIN.ENABLE_SCHEMA(

    p_enabled => TRUE,

    p_schema => UPPER('dba_user'),

    p_url_mapping_type => 'BASE_PATH',

    p_url_mapping_pattern => LOWER('dba_user'),

    p_auto_rest_auth => TRUE);

END;

/

-- Create APPUSER user

CREATE USER appuser IDENTIFIED BY WElcome_123#;

GRANT CREATE SESSION, READ ANY TABLE TO appuser;

BEGIN

   ORDS_ADMIN.ENABLE_SCHEMA(

    p_enabled => TRUE,

    p_schema => UPPER('appuser'),

    p_url_mapping_type => 'BASE_PATH',

    p_url_mapping_pattern => LOWER('appuser'),

    p_auto_rest_auth => TRUE);

END;

/

     Task #2: Enable Database Vault

     1. Create DV owner and DV account manager user accounts.

          - DV_ADMIN_OWNER is the owner of DV objects 

          - DV_ADMIN_ACCTS creates users and change user passwords

-- Create DV owner

CREATE USER dv_admin_owner IDENTIFIED BY WElcome_123#;

GRANT CREATE SESSION TO dv_admin_owner;

GRANT SELECT ANY DICTIONARY TO dv_admin_owner;

GRANT AUDIT_ADMIN to dv_admin_owner;

-- Create DV account manager

CREATE USER dv_admin_accts IDENTIFIED BY WElcome_123#;

GRANT CREATE SESSION TO dv_admin_accts;

GRANT AUDIT_ADMIN to dv_admin_accts;

-- Enable SQL Worksheet for the users just created

BEGIN

   ORDS_ADMIN.ENABLE_SCHEMA(

    p_enabled => TRUE,

    p_schema => UPPER('dv_admin_owner'),

    p_url_mapping_type => 'BASE_PATH',

    p_url_mapping_pattern => LOWER('dv_admin_owner'),

    p_auto_rest_auth => TRUE);

   ORDS_ADMIN.ENABLE_SCHEMA(

    p_enabled => TRUE,

    p_schema => UPPER('dv_admin_accts'),

    p_url_mapping_type => 'BASE_PATH',

    p_url_mapping_pattern => LOWER('dv_admin_accts'),

    p_auto_rest_auth => TRUE);

END;

/

2. Configure the database vault user accounts.

EXEC DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT('dv_admin_owner', 'dv_admin_accts')

3. Verify DV is configured but not yet enabled.

SELECT * FROM DBA_DV_STATUS;

4. Enable Database Vault.

EXEC DBMS_CLOUD_MACADM.ENABLE_DATABASE_VAULT;

5. Restart Autonomous Database using OCI console to complete DV enabling process.

SELECT * FROM DBA_DV_STATUS;

6. Once DV is enabled, DBA_USER no longer can create/alter/drop DB user accounts even DBA_USER has PDB_DBA role. The duties of DBA_USER are separate from the duties of DV account administrator (DV_ADMIN_ACCTS) and DV security administrator (DV_ADMIN_OWNER).

Task #3: Create a Simple DV Realm

Now we create a DV realm to secure table APPSCHEMA.CUSTOMERS from access by DBA_USER and APPSCHEMA and grant access to APPUSER only.

• A realm is a protected zone inside the database where database schemas, objects, and roles can be secured.
• After you have secured these into a realm, you can use the realm to control the use of system and object privileges by specific accounts or roles.
• This enables you to enforce context-sensitive access controls for anyone who wants to use these schemas, objects, and roles.

1. Connect to database and confirm you can query table APPSCHEMA.CUSTOMERS as users (DBA_USER, APPSCHEMA, and APPUSER) before creating DV realm.

SELECT cust_id, cust_first_name, cust_last_name, cust_email, cust_main_phone_number

   FROM appschema.customers

   WHERE rownum < 5;

2. Create a realm to secure APPSCHEMA tables by running below PL/SQL block as DV owner user (DV_ADMIN_OWNER).

   BEGIN

      DVSYS.DBMS_MACADM.CREATE_REALM(

          realm_name => 'PROTECT_APPSCHEMA'

          ,description => 'A mandatory realm to protect APPSCHEMA tables'

          ,enabled => DBMS_MACUTL.G_YES

          ,audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL

          ,realm_type => 1);

   END;

   /

-- Show the current DV realm

SELECT name, description, enabled FROM dba_dv_realm WHERE id# >= 5000 ORDER BY 1;

3. Add table APPSCHEMA.CUSTOMERS to the realm to protect by running below PL/SQL block as DV owner user (DV_ADMIN_OWNER).

   BEGIN

       DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(

           realm_name   => 'PROTECT_APPSCHEMA',

           object_owner => 'APPSCHEMA',

           object_name  => 'CUSTOMERS',

           object_type  => 'TABLE');

   END;

   /

-- Show the objects protected by the DV realm PROTECT_APPSCHEMA

SELECT realm_name, owner, object_name, object_type

  FROM dvsys.dba_dv_realm_object

 WHERE realm_name IN (SELECT name FROM dvsys.dv$realm WHERE id# >= 5000);

4. Now check the effect of the this realm. Query table APPSCHEMA.CUSTOMERS as users (DBA_USER, APPSCHEMA, and APPUSER). You will get "ORA-01031: insufficient privileges", because objects in this realm cannot be accessed by any database user including DBA and schema owner.

SELECT cust_id, cust_first_name, cust_last_name, cust_email, cust_main_phone_number

   FROM appschema.customers

   WHERE rownum < 5;

5. As DV owner user (DV_ADMIN_OWNER), authorize application user (APPUSER) by adding the user to the realm by executing below PL/SQL block.

   BEGIN

       DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(

           realm_name   => 'PROTECT_APPSCHEMA',

           grantee      => 'APPUSER');

   END;

   /

6. Re-execute the query again from APPUSER. It should work now.

SELECT cust_id, cust_first_name, cust_last_name, cust_email, cust_main_phone_number

   FROM appschema.customers

   WHERE rownum < 5;

Task #4: Disable Database Vault

1. Connect to database as DV owner (DV_ADMIN_OWNER) and drop DV realm.

BEGIN

    DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE(realm_name => 'PROTECT_APPSCHEMA');

END;

/

-- Show the current DV realm

SELECT name, description, enabled FROM dba_dv_realm WHERE id# >= 5000 order by 1;

2. Disable DB vault on autonomous database.

EXEC DBMS_CLOUD_MACADM.DISABLE_DATABASE_VAULT;

3. Restart autonomous database to complete database vault disabling process. Once restart completes, log in to the database as DBA_USER and verify DV is disabled.

4. Drop database vault owner and account manager users.

DROP USER sec_admin_owen;

DROP USER accts_admin_ace;

Note: Because Database vault is disabled, separation of duties is also disabled.

Thanks for reading !!!

 

Oracle 23ai: Hybrid Read-Only Mode for Pluggable Databases

 

- Overview:

• Oracle 23ai database introduces a new feature to open Pluggable database in a new mode called hybrid read-only.
• Hybrid read-only mode enables a PDB to operate as either read-write or read-only, depending on the user who is connected to the PDB.
• For Oracle Multitenant database common users (like SYSTEM, or C##<USER>), the PDB will be in read-write mode.
• For Pluggable database local users (like HR, or SCOTT), the PDB will be restricted to read-only mode.
• Hybrid read-only mode enables you to patch and maintain an application in a safe mode for open PDBs without the risk of local users, including higher privileged common users, interfering with the ongoing maintenance operation of the PDB.

In this blog, I'll demonstrate opening a PDB in a hybrid read-only mode, then test a DML command from  common and local users.

Prerequisites:

• Oracle Database 23ai Free Developer Release.
• A pluggable database with HR database schema.

Step #1: Open a PDB in Hybrid Read-Only Mode

- Connect to the root container as SYS, close the PDB, then open the PDB in hybrid read-only mode.

SQL> alter pluggable database &PDB_NAME close immediate instances=all;

SQL> alter pluggable database &PDB_NAME OPEN HYBRID READ ONLY instances=all;

Note: The pluggable database open mode will be READ WRITE even after opening in hybrid read-only mode.

Step #2: Testing a DML from a PDB Database Local User

- Connect to the PDB as HR and run a DML statement.

- You will get below error message

SQL Error: ORA-16000: Attempting to modify database or pluggable database that is open for read-only access.

Step #3: Testing a DML from a Common Database User

- Connect to the PDB as system HR and run a DML statement.

- A DML statement will be executed without error.

Oracle 23ai: Read-Only Users and Sessions

 

- Overview:

• Oracle 23ai database introduces a new feature to control whether a user or session is enabled for read-write operations, irrespective of the privileges of the user that is connected to the database. 
• The READ_ONLY user only applies on a PDB local database user.
• The READ_ONLY session applies to any type of user for any type of container.
• With the capability to disable and re-enable the read-write capabilities of any user or session without revoking and re-granting privileges provides you with more flexibility to temporarily control the privileges of users or sessions for testing, administration, or application development purposes.
• It also gives you a simple way to control the read-write behavior within different parts of an application that are used by the same user or session.
• You can set the access of a local user to a PDB to READ ONLY or READ WRITE with the ALTER USER or CREATE USER statement.
• After READ ONLY access is enabled for a PDB user, whenever that user connects to the PDB, the session operates as if the database is open in read-only mode and the user cannot perform any write operation.
• A new column (READ_ONLY) has been added to dictionary views *_USERS to show if READ_ONLY is enabled/disabled for a database user.

In this blog, I'll demonstrate enable/disable READ ONLY for a PDB local database user.

Prerequisites:

• Oracle Database 23ai Free Developer Release.
• A pluggable database with HR database schema.

A Demo Steps:

1. Connect to a PDB using HR local database user and run a DML statement.

- Dictionary view *_USERS currently shows that READ_ONLY is disabled for HR user.

2. Connect to a PDB using SYSTEM common user and enable READ ONLY for HR user using below SQL command.

SQL> alter user &USERNAME read only;

3. Reconnect to a PDB using HR local database user and run a DML statement.

- Dictionary view *_USERS currently shows that READ_ONLY is enabled for HR user.

- You will get below error message.

SQL Error: ORA-28194: Can perform read operations only

4. Using SYSTEM database session, disable READ ONLY for HR user using below SQL command.

SQL> alter user &USERNAME read write;

5. Reconnect to a PDB using HR local database user and run a DML statement. DML statement will run without error.

- Dictionary view *_USERS currently shows that READ_ONLY is disabled for HR user.

OCW 2024: What to Expect Around Oracle 23ai

 

I’m so excited to share that I’ll be attending Oracle CloudWorld 2024 this year!. I’m thrilled as It will be my first OCW event to attend in person !!!. 

This event has always been an ignition for innovation and cutting-edge technology, and I can’t wait to dive into what Oracle has to surprise us.

One of my main goals at OCW this year is to learn more about Oracle 23ai, Oracle’s latest and most advanced AI offering. From what I’ve gathered so far, Oracle 23ai promises to bring significant advancements in AI-powered analytics, automation, and decision-making capabilities. I’m particularly interested in how these features can be applied to streamline business operations and enhance data-driven strategies.

Another key area I’m excited to explore is Exascale, Oracle’s high-performance computing solution. The promise of Exascale lies in its ability to process massive datasets at unprecedented speeds, which could be a game-changer for industries that rely heavily on data-intensive operations. Understanding how Exascale integrates with Oracle 23ai and the broader Oracle Cloud ecosystem will be the main interest for me at the event.

Attending Oracle OCW isn’t just about gaining knowledge; it’s also about connecting with industry experts, exchanging ideas with fellow professionals, and staying ahead in the rapidly evolving tech landscape. I’m looking forward to the sessions, hands-on labs, and keynotes that will provide deeper insights into Oracle’s vision for the future of cloud computing and AI.

If you’re also attending, I’d love to connect and share experiences. Let’s make the most of this opportunity to learn, grow, and innovate together!

Oracle 23ai: Managing Flashback Database Logs Outside the Fast Recovery Area

 

- Overview:

• In previous database releases, you could store flashback database logs only in the fast recovery area.
• Oracle 23ai database introduces the option to store flashback database logs in a separate location.
• With this new option, you can choose to write the flashback logs to faster disks.
• Using a separate destination also eliminates the manual administration to manage the free space in the fast recovery area.
• A new database instance initialization parameter (DB_FLASHBACK_LOG_DEST) has been introduced to specify a separate location for the flashback database logs. This parameter is a system modifiable on CDB level.

In this blog, I'll demonstrate the steps to set a separate location for the flashback database logs.

Prerequisites:

• Oracle Database 23ai running in archive log mode.

Setting Steps:

1. Connect to a root container using SYS user and confirm the database is running in archive log mode and flashback is ON. 

- Notice that FRA destination is +DATA, and flashback logs were generated in FRA (+DATA).

- Currently DB_FLASHBACK_LOG_DEST is not configured.

2. Before assigning a value for the initialization parameter (DB_FLASHBACK_LOG_DEST), you must specify the size of flashback area by setting the initialization parameter (DB_FLASHBACK_LOG_DEST_SIZE) to a nonzero value. 

3. When modifying the DB_FLASHBACK_LOG_DEST parameter with the ALTER SYSTEM statement, you must disable and reenable flashback logging.

- Notice that flashback destination is +RECO.

SQL> alter system set db_flashback_log_dest_size=100G scope=both;

SQL> alter system set db_flashback_log_dest='+RECO' scope=both;

- Archive log files are still generated in FRA (+DATA).