By Mouhamadou Diaw
Database Vault can also be used in a multitenant environment. In a multitenant environment we must register Oracle Database Vault in the root first, then after in the PDBs.
In this blog we will see how we can use realms to protect data in a pluggable database 12.1.
In CDB$ROOT we have to create common accounts that will be used for the Database Vault Owner (DV_OWNER role) and Database Vault Account Manager (DV_ACCTMGR role) accounts. It is also recommended to create a backup for each user.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
SQL> conn sys as sysdba Enter password : Connected. SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> SQL> GRANT CREATE SESSION, SET CONTAINER TO c##dbv_owner_root IDENTIFIED BY root CONTAINER = ALL ; SQL> GRANT CREATE SESSION, SET CONTAINER TO c##dbv_acctmgr_root IDENTIFIED BY root CONTAINER = ALL ; SQL> grant select any dictionary to C##DBV_OWNER_ROOT; Grant succeeded. SQL> grant select any dictionary to C##DBV_ACCTMGR_ROOT; Grant succeeded. SQL> |
The next step is configure Database Vault user account on CDB$ROOT
1
2
3
4
5
6
7
8
9
10
|
BEGIN DVSYS.CONFIGURE_DV ( dvowner_uname => 'c##dbv_owner_root' , dvacctmgr_uname => 'c##dbv_acctmgr_root' ); END ; 6 / PL/SQL procedure successfully completed. SQL> @?/rdbms/admin/utlrp.sql |
We can after enable Oracle Database Vault with user c##dbv_owner_root in CDB$ROOT
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
SQL> conn c##dbv_owner_root/root Connected. SQL> show user USER is "C##DBV_OWNER_ROOT" SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> SQL> EXEC DBMS_MACADM.ENABLE_DV; PL/SQL procedure successfully completed. SQL> |
After restart o CDB$ROOT , we can verify the status. These queries should return TRUE.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
SQL> SELECT VALUE FROM V$ OPTION WHERE PARAMETER = 'Oracle Database Vault' ; VALUE ---------------------------------------------------------------- TRUE SQL> SELECT VALUE FROM V$ OPTION WHERE PARAMETER = 'Oracle Label Security' ; VALUE ---------------------------------------------------------------- TRUE SQL> SELECT * FROM DVSYS.DBA_DV_STATUS; NAME STATUS ------------------- ---------------------------------------------------------------- DV_CONFIGURE_STATUS TRUE DV_ENABLE_STATUS TRUE SQL> |
At PDB level, we must register common users we created earlier. In this example I am using a pluggable database named PDB1.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
SQL> show user USER is "SYS" SQL> show con_name CON_NAME ------------------------------ PDB1 SQL> GRANT CREATE SESSION, SET CONTAINER TO c##dbv_owner_root CONTAINER = CURRENT ; Grant succeeded. SQL> GRANT CREATE SESSION, SET CONTAINER TO c##dbv_acctmgr_root CONTAINER = CURRENT ; Grant succeeded. SQL> SQL> grant select any dictionary to C##DBV_OWNER_ROOT; Grant succeeded. SQL> grant select any dictionary to C##DBV_ACCTMGR_ROOT; Grant succeeded. SQL> |
Like in CDB$ROOT we also have to configure the Database Vault Users in PDB1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
SQL> show user USER is "SYS" SQL> show con_name CON_NAME ------------------------------ PDB1 SQL> BEGIN DVSYS.CONFIGURE_DV ( dvowner_uname => 'c##dbv_owner_root' , dvacctmgr_uname => 'c##dbv_acctmgr_root' ); END ; 6 / PL/SQL procedure successfully completed. SQL> SQL> @?/rdbms/admin/utlrp.sql |
And now let’s enable Oracle Database Vault on PDB1
1
2
3
4
5
6
7
8
9
10
11
12
|
SQL> show user USER is "C##DBV_OWNER_ROOT" SQL> show con_name CON_NAME ------------------------------ PDB1 SQL> EXEC DBMS_MACADM.ENABLE_DV; PL/SQL procedure successfully completed. SQL> |
With SYS let’s restart PDB1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
SQL> show user USER is "SYS" SQL> show con_name CON_NAME ------------------------------ PDB1 SQL> alter pluggable database pdb1 close immediate; Pluggable database altered. SQL> alter pluggable database pdb1 open ; Pluggable database altered. |
As in CDB$ROOT we can verify
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
SQL> show con_name CON_NAME ------------------------------ PDB1 SQL> SELECT VALUE FROM V$ OPTION WHERE PARAMETER = 'Oracle Database Vault' ; VALUE ---------------------------------------------------------------- TRUE SQL> SELECT VALUE FROM V$ OPTION WHERE PARAMETER = 'Oracle Label Security' ; VALUE ---------------------------------------------------------------- TRUE SQL> SELECT * FROM DVSYS.DBA_DV_STATUS; NAME STATUS ------------------- ---------------------------------------------------------------- DV_CONFIGURE_STATUS TRUE DV_ENABLE_STATUS TRUE SQL> |
Now that the Database vault is configured, we can create A REALM to protect our DATA. In this example we are protecting data of the SCOTT table EMP. We are using EM 12c to create the REAM.
From Database Home select Security and then Database Vault
In the Database vault page log with any user having appropriate privileges: DV_OWNER or DV_ADMIN role, SELECT ANY DICTIONARY
Before creating the REALM we can verify that user SYSTEM access to table SCOTT.EMP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
SQL> show user USER is "SYSTEM" SQL> show con_name CON_NAME ------------------------------ PDB1 SQL> select * from scott.emp; EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO ---------- ---------- --------- ---------- --------- ---------- ---------- ---------- 7369 SMITH CLERK 7902 17- DEC -80 800 20 7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30 7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30 7566 JONES MANAGER 7839 02-APR-81 2975 20 7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30 7698 BLAKE MANAGER 7839 01-MAY-81 2850 30 7782 CLARK MANAGER 7839 09-JUN-81 2450 10 7788 SCOTT ANALYST 7566 19-APR-87 3000 20 7839 KING PRESIDENT 17-NOV-81 5000 10 7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30 7876 ADAMS CLERK 7788 23-MAY-87 1100 20 7900 JAMES CLERK 7698 03- DEC -81 950 30 EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO ---------- ---------- --------- ---------- --------- ---------- ---------- ---------- 7902 FORD ANALYST 7566 03- DEC -81 3000 20 7934 MILLER CLERK 7782 23-JAN-82 1300 10 14 rows selected. SQL> |
Under Administration Tab, Select Reams
And Click on Create
Give a name and a description for the realm
Click on Next
On the Realm Secured Objects click on Add
Click on OK
Click on Next
On Real Authorization page select ADD
Click on OK
Click Next
On the Review page Click Finish
And the end we should have
And that’s all. We can verify now that SYSTEM is no longer allowed to query SCOTT.EMP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
SQL> conn system/root@pdb1 Connected. SQL> show user USER is "SYSTEM" SQL> show con_name CON_NAME ------------------------------ PDB1 SQL> select * from scott.emp; select * from scott.emp * ERROR at line 1: ORA-01031: insufficient privileges SQL> |
And that user EDGE is allowed to query SCOTT.EMP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
SQL> show user USER is "EDGE" SQL> show con_name CON_NAME ------------------------------ PDB1 SQL> select * from scott.emp; EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO ---------- ---------- --------- ---------- --------- ---------- ---------- ---------- 7369 SMITH CLERK 7902 17- DEC -80 800 20 7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30 7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30 7566 JONES MANAGER 7839 02-APR-81 2975 20 7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30 7698 BLAKE MANAGER 7839 01-MAY-81 2850 30 7782 CLARK MANAGER 7839 09-JUN-81 2450 10 7788 SCOTT ANALYST 7566 19-APR-87 3000 20 7839 KING PRESIDENT 17-NOV-81 5000 10 7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30 7876 ADAMS CLERK 7788 23-MAY-87 1100 20 7900 JAMES CLERK 7698 03- DEC -81 950 30 EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO ---------- ---------- --------- ---------- --------- ---------- ---------- ---------- 7902 FORD ANALYST 7566 03- DEC -81 3000 20 7934 MILLER CLERK 7782 23-JAN-82 1300 10 14 rows selected. SQL> |