You can find information about the Oracle Database Vault configuration settings by querying a set of Database Vault-specific data dictionary views.
Topics:
Oracle Database Vault provides a set of DBA-style data dictionary views that can be accessed through the DV_SECANALYST role or the DV_ADMIN role.
These views provide access to the various underlying Oracle Database Vault tables in the DVSYS and LBACSYS schemas without exposing the primary and foreign key columns that may be present. These views are intended for the database administrative user to report on the state of the Oracle Database Vault configuration without having to perform the joins required to get the labels for codes that are stored in the core tables or from the related tables.
See Also:
Chapter 24, "Oracle Database Vault Reports" if you are interested in running reports on Oracle Database VaultThe DVSYS.DBA_DV_CODE data dictionary view lists generic lookup codes for the user interface, error messages, constraint checking, and so on. These codes are used for the user interface, views, and for validating input in a translatable fashion.
For example:
SELECT CODE, VALUE FROM DVSYS.DBA_DV_CODE WHERE CODE_GROUP = 'BOOLEAN';
Output similar to the following appears:
CODE VALUE ------- -------- Y True N False
| Column | Datatype | Null | Description |
|---|---|---|---|
CODE_GROUP |
VARCHAR(30) |
NOT NULL |
Displays one of the code groups that are listed in Table 22-1 |
CODE |
VARCHAR(30) |
NOT NULL |
Boolean code used; either Y (Yes) or N (No). |
VALUE |
VARCHAR(4000) |
Boolean value used; either True if the Boolean code is Y or False if the Boolean code is N. |
|
LANGUAGE |
VARCHAR(3) |
NOT NULL |
Language for this installation of Oracle Database Vault.
Supported languages are as follows:
|
DESCRIPTION |
VARCHAR(1024) |
Brief description of the code group. |
Table 22-1 describes the possible values from the CODE_GROUP column in the DVSYS.DBA_DV_CODE data dictionary view.
Table 22-1 DVSYS.DBA_DV_CODE View CODE_GROUP Values
| CODE_GROUP Name | Description |
|---|---|
|
|
Contains the action numbers and action names that are used for the custom event audit trail records |
|
|
A simple Yes or No or True or False lookup |
|
|
The database object types that can be used for realm objects and command authorizations |
|
|
The DDL commands that can be protected through command rules |
|
|
The auditing options for factor retrieval processing |
|
|
The evaluation options (by session or by access) for factor retrieval |
|
|
The options for propagating errors when a factor retrieval method fails |
|
|
The options for determining how a factor identifier is resolved (for example, by method or by factors) |
|
|
The options for determining how a factor identifier is labeled in the session establishment phase |
|
|
The algorithms that can be used to determine the maximum session label for a database session for each policy. See Table 18-3, "Oracle Label Security Merge Algorithm Codes" for a listing of the Oracle Label Security merge algorithm codes. |
|
|
The Boolean operators that can be used for identity maps |
|
|
The options for auditing realm access or realm violations |
|
|
The options for ownership of a realm |
|
|
The options for auditing rule set execution or rule set errors |
|
|
The options for determining the success or failure of a rule set based on all associated rules being true or any associated rule being true |
|
|
The options to invoke a custom event handler when a rule set evaluates to Succeeds or Fails |
|
|
The options to determine the run-time visibility of a rule set failing |
The DVSYS.DBA_DV_COMMAND_RULE data dictionary view lists the SQL statements that are protected by command rules.
See Chapter 7, "Configuring Command Rules," for more information about command rules.
For example:
SELECT COMMAND, RULE_SET_NAME FROM DVSYS.DBA_DV_COMMAND_RULE;
Output similar to the following appears:
COMMAND RULE_SET_NAME --------------- ----------------------------- GRANT Can Grant VPD Administration REVOKE Can Grant VPD Administration ALTER SYSTEM Allow System Parameters ALTER USER Can Maintain Own Account CREATE USER Can Maintain Account/Profiles DROP USER Can Maintain Account/Profiles CREATE PROFILE Can Maintain Account/Profiles DROP PROFILE Can Maintain Account/Profiles ALTER PROFILE Can Maintain Account/Profiles
| Column | Datatype | Null | Description |
|---|---|---|---|
COMMAND |
VARCHAR(30) |
NOT NULL |
Name of the command rule. For a list of default command rules, see "Default Command Rules". |
RULE_SET_NAME |
VARCHAR(90) |
NOT NULL |
Name of the rule set associated with this command rule. |
OBJECT_OWNER |
VARCHAR(30) |
NOT NULL |
The owner of the object that the command rule affects. |
OBJECT_NAME |
VARCHAR(128) |
NOT NULL |
The name of the database object the command rule affects (for example, a database table). |
ENABLED |
VARCHAR(1) |
NOT NULL |
Y indicates the command rule is enabled; N indicates it is disabled. |
The DVSYS.DBA_DV_DATAPUMP_AUTH data dictionary view lists the authorizations for using Oracle Data Pump in an Oracle Database Vault environment. See "Using Oracle Data Pump with Oracle Database Vault" for more information.
For example:
SELECT * FROM DVSYS.DBA_DV_DATAPUMP_AUTH WHERE GRANTEE = 'PRESTON';
Output similar to the following appears:
GRANTEE SCHEMA OBJECT ------- ------ ------- PRESTON OE ORDERS
| Column | Datatype | Null | Description |
|---|---|---|---|
GRANTEE |
VARCHAR2(128) |
NOT NULL |
Name of the user who has been granted Data Pump authorization |
SCHEMA |
VARCHAR2(128) |
NOT NULL |
Name of the schema on which the user GRANTEE is authorized to perform Data Pump operations |
OBJECT |
VARCHAR2(128) |
NOT NULL |
Name of the object within the schema specified by the SCHEMA parameter on which the GRANTEE user has Data Pump authorization (such as a table) |
The DVSYS.DBA_DV_DDL data dictionary view lists the users and schemas that were specified by the DBMS_MACADM.AUTHORIZE_DDL procedure. This procedure grants a user authorization to execute Data Definition Language (DDL) statements.
For example:
SELECT * FROM DVSYS.DBA_DV_DDL_AUTH WHERE GRANTEE = 'psmith';
Output similar to the following appears:
GRANTEE SCHEMA ------- ------ PSMITH HR
| Column | Datatype | Null | Description |
|---|---|---|---|
GRANTEE |
VARCHAR2(128) |
NOT NULL |
Name of the user who has been granted DDL authorization |
SCHEMA |
VARCHAR2(128) |
NOT NULL |
Name of the schema on which the user GRANTEE is authorized to perform DDL operations |
See Also:
The DVSYS.DBA_DV_DICTIONARY_ACCTS data dictionary view indicates whether users can directly log into the DVSYS and DVF schema accounts.
For example:
SELECT * FROM DVSYS.DBA_DV_DICTIONARY_ACCTS;
Output similar to the following appears:
STATE ------- ENABLED
| Column | Datatype | Null | Description |
|---|---|---|---|
STATE |
VARCHAR2(8) |
NOT NULL |
Describes whether users can log directly into the DVSYS and DVF schemas. Possible values are:
|
The DVSYS.DBA_DV_FACTOR data dictionary view lists the existing factors in the current database instance.
For example:
SELECT NAME, GET_EXPR FROM DVSYS.DBA_DV_FACTOR WHERE NAME = 'Session_User';
Output similar to the following appears:
NAME GET_EXPR
------------- ---------------------------------------------
Session_User UPPER(SYS_CONTEXT('USERENV', 'SESSION_USER'))
| Column | Datatype | Null | Description |
|---|---|---|---|
NAME |
VARCHAR2(30) |
NOT NULL |
Name of the factor. See "Default Factors" for a list of default factors. |
DESCRIPTION |
VARCHAR2(4000) |
Description of the factor. | |
FACTOR_TYPE_NAME |
VARCHAR2(90) |
NOT NULL |
Category of the factor, which is used to classify the purpose of the factor. |
ASSIGN_RULE_SET_NAME |
VARCHAR2(90) |
Rule set used to control the identify of the factor. | |
GET_EXPR |
VARCHAR2(1024) |
PL/SQL expression that retrieves the identity of a factor. | |
VALIDATE_EXPR |
VARCHAR2(1024) |
PL/SQL expression used to validate the identify of the factor. It returns a Boolean value. | |
IDENTIFIED_BY |
NUMBER |
NOT NULL |
Determines the identity of a factor, based on the expression listed in the GET_EXPR column. Possible values are:
|
IDENTIFIED_BY_MEANING |
VARCHAR2(4000) |
Provides a text description for the corresponding value in the IDENTIFIED_BY column. Possible values are:
|
|
LABELED_BY |
NUMBER |
NOT NULL |
Determines the labeling the factor:
|
LABELED_BY_MEANING |
VARCHAR2(4000) |
Provides a text description for the corresponding value in the LABELED_BY column. Possible values are:
|
|
EVAL_OPTIONS |
NUMBER |
NOT NULL |
Determines how the factor is evaluated when the user logs on:
|
EVAL_OPTIONS_MEANING |
VARCHAR2(4000) |
Provides a text description for the corresponding value in the EVAL_OPTIONS column. Possible values are:
|
|
AUDIT_OPTIONS |
NUMBER |
NOT NULL |
Option for auditing the factor if you want to generate a custom Oracle Database Vault audit record. Possible values are:
|
FAIL_OPTIONS |
NUMBER |
NOT NULL |
Options for reporting factor errors:
|
FAIL_OPTIONS_MEANING |
VARCHAR2(4000) |
Provides a text description for the corresponding value in the FAIL_OPTIONS column. Possible values are:
|
The DVSYS.DBA_DV_FACTOR_LINK data dictionary view shows the relationships of each factor whose identity is determined by the association of child factors.
This view contains one entry for each parent factor and child factor. You can use this view to resolve the relationships from the factor links to identity maps.
For example:
SELECT PARENT_FACTOR_NAME, CHILD_FACTOR_NAME FROM DVSYS.DBA_DV_FACTOR_LINK;
Output similar to the following appears:
PARENT_FACTOR_NAME CHILD_FACTOR_NAME ------------------------------ ------------------------------ Domain Database_Instance Domain Database_IP Domain Database_Hostname
| Column | Datatype | Null | Description |
|---|---|---|---|
PARENT_FACTOR_NAME |
VARCHAR(30) |
NOT NULL |
Name of the parent factor. |
CHILD_FACTOR_NAME |
VARCHAR(30) |
NOT NULL |
Name of the child factor of the parent factor. |
LABEL_IND |
VARCHAR(1) |
NOT NULL |
Indicates whether the child factor that is linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Possible values are:
|
The DVSYS.DBA_DV_FACTOR_TYPE data dictionary view lists the names and descriptions of factor types used in the system.
For example:
SELECT * FROM DVSYS.DBA_DV_FACTOR_TYPE WHERE NAME = 'Hostname';
Output similar to the following appears:
NAME DESCRIPTION --------- ---------------------------------------------------------------------- Time Time-based factor
| Column | Datatype | Null | Description |
|---|---|---|---|
NAME |
VARCHAR(90) |
NOT NULL |
Name of the factor type. |
DESCRIPTION |
VARCHAR(1024) |
Description of the factor type. |
The DVSYS.DBA_DV_IDENTITY data dictionary view lists the identities for each factor.
For example:
SELECT * FROM DVSYS.DBA_DV_IDENTITY WHERE VALUE = 'GLOBAL SHARED';
Output similar to the following appears, assuming you have created only one factor identity:
FACTOR_NAME VALUE TRUST_LEVEL ---------------- -------------- ------------ Identification_Type GLOBAL SHARED 1
| Column | Datatype | Null | Description |
|---|---|---|---|
FACTOR_NAME |
VARCHAR(30) |
NOT NULL |
Name of the factor. |
VALUE |
VARCHAR(1024) |
NOT NULL |
Value of the factor. |
TRUST_LEVEL |
NUMBER |
NOT NULL |
Number that indicates the magnitude of trust relative to other identities for the same factor. |
The DVSYS.DBA_DV_IDENTITY_MAP data dictionary view lists the mappings for each factor identity. The view includes mapping factors that are identified by other factors to combinations of parent-child factor links. For each factor, the maps are joined by the OR operation, and for different factors, the maps are joined by the AND operation.
You can use this view to resolve the identity for factors that are identified by other factors (for example, a domain) or for factors that have continuous domains (for example, Age or Temperature).
For example:
SELECT FACTOR_NAME, IDENTITY_VALUE FROM DVSYS.DBA_DV_IDENTITY_MAP;
Output similar to the following appears:
FACTOR_NAME IDENTITY_VALUE ---------------- -------------------- Sector2_Program Accounting-Sensitive
| Column | Datatype | Null | Description |
|---|---|---|---|
FACTOR_NAME |
VARCHAR(30) |
NOT NULL |
Factor the identity map is for. |
IDENTITY_VALUE |
VARCHAR(1024) |
NOT NULL |
Value the factor assumes if the identity map evaluates to TRUE. |
OPERATION_CODE |
VARCHAR(30) |
NOT NULL |
Descriptive name of the operation in the OPERATION_VALUE column. |
OPERATION_VALUE |
VARCHAR(4000) |
Relational operator for the identity map (for example, <, >, =, and so on). | |
OPERAND1 |
VARCHAR(1024) |
Left operand for the relational operator; refers to the low value you enter. | |
OPERAND2 |
VARCHAR(1024) |
Right operand for the relational operator; refers to the high value you enter. | |
PARENT_FACTOR_NAME |
VARCHAR(30) |
The parent factor link to which the map is related. | |
CHILD_FACTOR_NAME |
VARCHAR(30) |
The child factor link to which the map is related. | |
LABEL_IND |
VARCHAR(1) |
Indicates whether the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Possible values are:
|
The DVSYS.DBA_DV_JOB_AUTH data dictionary view lists the authorizations for using Oracle Scheduler in an Oracle Database Vault environment.
For example:
SELECT * FROM DVSYS.DBA_DV_JOB_AUTH WHERE GRANTEE = 'PRESTON';
Output similar to the following appears:
GRANTEE SCHEMA ------- ------ PRESTON OE
| Column | Datatype | Null | Description |
|---|---|---|---|
GRANTEE |
VARCHAR2(128) |
NOT NULL |
Name of the user who has been granted Oracle Scheduler authorization |
SCHEMA |
VARCHAR2(128) |
NOT NULL |
Name of the schema on which the user GRANTEE is authorized to perform Oracle Scheduler operations |
The DVSYS.DBA_DV_MAC_POLICY data dictionary view lists the Oracle Label Security policies defined for use with Oracle Database Vault.
For example:
SELECT POLICY_NAME, ALGORITHM_CODE, ALGORITHM_MEANING FROM DVSYS.DBA_DV_MAC_POLICY;
Output similar to the following appears:
POLICY_NAME ALGORITHM_CODE ALGORITHM_MEANING --------------- ----------------- -------------------------------- ACCESS_DATA LUI Minimum Level/Union/Intersection
| Column | Datatype | Null | Description |
|---|---|---|---|
POLICY_NAME |
VARCHAR(30) |
NOT NULL |
Name of the policy. |
ALGORITHM_CODE |
VARCHAR(30) |
NOT NULL |
Merge algorithm code used for the policy. See Table 18-3 for a listing of algorithm codes. |
ALGORITHM_MEANING |
VARCHAR(4000) |
Provides a text description for the corresponding value in the ALGORITHM_CODE column. See Table 18-3 for a listing of algorithm code descriptions. |
|
ERROR_LABEL |
VARCHAR(4000) |
Label specified for initialization errors, to be set when a configuration error or run-time error occurs during session initialization. |
The DVSYS.DBA_DV_MAC_POLICY data dictionary view lists the factors that are associated with Oracle Label Security policies.
You can use this view to determine what factors contribute to the maximum session label for each policy using the DBA_DV_MAC_POLICY view.
For example:
SELECT * FROM DVSYS.DBA_DV_MAC_POLICY_FACTOR;
Output similar to the following appears:
FACTOR_NAME MAC_POLICY_NAME -------------- ------------------ App_Host_Name Access Locations
| Column | Datatype | Null | Description |
|---|---|---|---|
FACTOR_NAME |
VARCHAR(30) |
NOT NULL |
Name of the factor. |
MAC_POLICY_NAME |
VARCHAR(30) |
NOT NULL |
Name of the Oracle Label Security policy associated with this factor. |
The DVSYS.DBA_DV_ORADEBUG data dictionary view indicates whether users can use the ORADEBUG utility in an Oracle Database Vault environment.
For example:
SELECT * FROM DVSYS.DBA_DV_ORADEBUG;
Output similar to the following appears:
STATE -------- DISABLED
| Column | Datatype | Null | Description |
|---|---|---|---|
STATE |
VARCHAR2(8) |
NOT NULL |
Describes whether the ORADEBUG utility can be used in a Database Vault-enabled environment. Possible values are:
|
The DVSYS.DBA_DV_PATCH_AUDIT data dictionary view indicates if auditing has been enabled or disabled for the user who has been granted the DV_ADMIN_PATCH role. The DBMS_MACADM.ENABLE_DV_PATCH_ADMIN_AUDIT procedure enables this type of auditing.
For example:
SELECT * FROM DVSYS.DBA_DV_PATCH_ADMIN_AUDIT;
Output similar to the following appears:
STATE -------- DISABLED
| Column | Datatype | Null | Description |
|---|---|---|---|
STATE |
VARCHAR2(8) |
NOT NULL |
Describes whether auditing has been enabled or disabled for the DV_ADMIN_PATCH role user. Possible values are:
|
The DVSYS.DBA_DV_POLICY_LABEL data dictionary view lists the Oracle Label Security label for each factor identifier in the DBA_DV_IDENTITY view for each policy.
For example:
SELECT * FROM DVSYS.DBA_DV_POLICY_LABEL;
Output similar to the following appears:
IDENTITY_VALUE FACTOR_NAME POLICY_NAME LABEL ---------------- -------------- ---------------- --------- App_Host_Name Sect2_Fin_Apps Access Locations Sensitive
| Column | Datatype | Null | Description |
|---|---|---|---|
IDENTITY_VALUE |
VARCHAR(1024) |
NOT NULL |
Name of the factor identifier. |
FACTOR_NAME |
VARCHAR(30) |
NOT NULL |
Name of the factor associated with the factor identifier. |
POLICY_NAME |
VARCHAR(30) |
NOT NULL |
Name of the Oracle Label Security policy associated with this factor. |
LABEL |
VARCHAR(4000) |
NOT NULL |
Name of the Oracle Label Security label associated with the policy. |
The DVSYS.DBA_DV_PROXY_AUTH data dictionary view lists the proxy users and schemas that were specified by the DBMS_MACADM.AUTHORIZE_PROXY_USER procedure. This procedure grants a proxy user authorization to proxy other user accounts.
For example:
SELECT * FROM DVSYS.DBA_DV_DDL_AUTH WHERE GRANTEE = 'PRESTON';
Output similar to the following appears:
GRANTEE SCHEMA ------- ------ PRESTON DKENT
| Column | Datatype | Null | Description |
|---|---|---|---|
GRANTEE |
VARCHAR2(128) |
NOT NULL |
Name of the proxy user |
SCHEMA |
VARCHAR2(128) |
NOT NULL |
Name of the schema that is proxied by the GRANTEE user. |
The DVSYS.DBA_DV_PUB_PRIVS data dictionary view lists data reflected in the Oracle Database Vault privilege management reports used in the Oracle Database Vault Administrator (DV_ADMIN). See also "Privilege Management - Summary Reports".
For example:
SELECT USERNAME, ACCESS_TYPE FROM DVSYS.DBA_DV_PUB_PRIVS WHERE USERNAME = 'OE';
Output similar to the following appears:
USERNAME ACCESS_TYPE ----------- ----------------- OE PUBLIC
| Column | Datatype | Null | Description |
|---|---|---|---|
USERNAME |
VARCHAR(30) |
NOT NULL |
Database schema in the current database instance.acces |
ACCESS_TYPE |
VARCHAR(30) |
Access type granted to the user listed in the USERNAME column (for example, PUBLIC). |
|
PRIVILEGE |
VARCHAR(40) |
NOT NULL |
Privilege granted to the user listed in the USERNAME column. |
OWNER |
VARCHAR(30) |
NOT NULL |
Owner of the database schema to which the USERNAME user has been granted privileges. |
OBJECT_NAME |
VARCHAR(30) |
NOT NULL |
Name of the object within the schema listed in the OWNER column. |
The DVSYS.DBA_DV_REALM data dictionary view lists the realms created in the current database instance.
For example:
SELECT NAME, AUDIT_OPTIONS, ENABLED FROM DVSYS.DBA_DV_REALM WHERE AUDIT_OPTIONS = '1';
Output similar to the following appears:
NAME AUDIT_OPTIONS ENABLED ----------------------------- ---------------- -------- Performance Statistics Realm 1 Y
| Column | Datatype | Null | Description |
|---|---|---|---|
NAME |
VARCHAR(90) |
NOT NULL |
Names of the realms created. See"Default Realms" for a listing of default realms. |
DESCRIPTION |
VARCHAR(1024) |
NOT NULL |
Description of the realm created. |
AUDIT_OPTIONS |
NUMBER |
NOT NULL |
Specifies whether auditing is enabled. Possible values are:
|
ENABLED |
VARCHAR(1) |
NOT NULL |
Specifies whether realm checking is enabled. Y (Yes) indicates it is enabled; N (No) indicates it is not. |
The DVSYS.DV$REALM data dictionary view describes settings that were used to create Oracle Database Vault realms, such as which audit options have been assigned, whether the realm is a mandatory realm, and so on. It also indicates information such as who created and updated the realm, and when the realm was created and updated.
For example:
SELECT NAME, CREATED_BY, TYPE FROM DVSYS.DV$REALM WHERE NAME LIKE 'Statistics';
Output similar to the following appears:
NAME CREATED_BY TYPE ---------------------------- ---------- ----- Performance Statistics Realm JGODFREY 2
| Column | Datatype | Null | Description |
|---|---|---|---|
ID# |
NUMBER |
NOT NULL |
ID number of the realm |
NAME |
VARCHAR2(90) |
NOT NULL |
Name of the realm |
DESCRIPTION |
VARCHAR2(1024) |
Description of the realm | |
AUDIT_OPTIONS |
NUMBER |
NOT NULL |
Audit options set for the realm. See audit_options in Table 13-10 for a description of the possible values. |
ENABLED |
VARCHAR2(1) |
NOT NULL |
Whether the realm has been enabled. See enabled in Table 13-10 for a description of the possible values. |
REALM_TYPE |
NUMBER |
NULL |
Type of realm: whether it is a regular realm or a mandatory realm. See realm_type in Table 13-10 for a description of the possible values. |
VERSION |
NUMBER |
NULL |
Version of Oracle Database Vault in which the realm was created |
CREATED_BY |
VARCHAR2(128) |
NULL |
User who created the realm |
CREATE_DATE |
DATE |
NULL |
Date on which the realm was created. |
UPDATE_BY |
VARCHAR2(128) |
NULL |
User who last updated the realm |
UPDATE_DATE |
DATE |
Date on which the realm was last updated, in the following format: <need format> |
The DVSYS.DBA_DV_REALM_AUTH data dictionary view lists the authorization of a named database user account or database role (GRANTEE) to access realm objects in a particular realm. See "About Realm Authorization" for more information.
For example:
SELECT REALM_NAME, GRANTEE, AUTH_RULE_SET_NAME FROM DVSYS.DBA_DV_REALM_AUTH;
Output similar to the following appears:
REALM_NAME GRANTEE AUTH_RULE_SET_NAME ---------------------------- --------- --------------------- Performance Statistics Realm SYSADM Check Conf Access
| Column | Datatype | Null | Description |
|---|---|---|---|
REALM_NAME |
VARCHAR(90) |
NOT NULL |
Name of the realm. |
GRANTEE |
VARCHAR(30) |
NOT NULL |
User or role name to authorize as owner or participant. |
AUTH_RULE_SET_NAME |
VARCHAR(90) |
Rule set to check before authorizing. If the rule set evaluates to TRUE, then the authorization is allowed. |
|
AUTH_OPTIONS |
VARCHAR(4000) |
Type of realm authorization: either Participant or Owner. |
The DVSYS.DBA_DV_REALM_OBJECT data dictionary view lists the database schemas, or subsets of schemas with specific database objects contained therein, that are secured by the realms. See "About Realm-Secured Objects" for more information.
For example:
SELECT REALM_NAME, OWNER, OBJECT_NAME FROM DVSYS.DBA_DV_REALM_OBJECT;
Output similar to the following appears:
REALM_NAME OWNER OBJECT_NAME ---------------------------- -------- ----------- Performance Statistics Realm OE ORDERS
| Column | Datatype | Null | Description |
|---|---|---|---|
REALM_NAME |
VARCHAR(90) |
NOT NULL |
Name of the realm. |
OWNER |
VARCHAR(90) |
NOT NULL |
Database schema owner who owns the realm. |
OBJECT_NAME |
VARCHAR(90) |
NOT NULL |
Name of the object the realm protects. |
OBJECT_TYPE |
VARCHAR(90) |
NOT NULL |
Type of object the realm protects, such as a database table, view, index, or role. |
The DVSYS.DBA_DV_ROLE data dictionary view lists the Oracle Database Vault secure application roles used in privilege management.
For example:
SELECT ROLE, RULE_NAME FROM DVSYS.DBA_DV_ROLE;
Output similar to the following appears:
ROLE RULE_NAME ------------------ -------------------- Sector2_APP_MGR Check App2 Access Sector2_APP_DBA Check App2 Access
| Column | Datatype | Null | Description |
|---|---|---|---|
ROLE |
VARCHAR(30) |
NOT NULL |
Name of the secure application role. |
RULE_NAME |
VARCHAR(90) |
NOT NULL |
Name of the rule set associated with the secure application role. |
ENABLED |
VARCHAR(1) |
NOT NULL |
Indicates whether the secure application role is enabled. Y (Yes) enables the role; N (No) disables it. |
The DVSYS.DBA_DV_RULE data dictionary view lists the rules that have been defined.
For example:
SELECT * FROM DVSYS.DBA_DV_RULE WHERE NAME = 'Maintenance Window';
Output similar to the following appears:
NAME RULE_EXP ------------------- ---------------------------------------------- Maintenance Window TO_CHAR(SYSDATE,'HH24') BETWEEN '10' AND '12'
To find the rule sets that use specific rules, query the DBA_DV_RULE_SET_RULE view.
| Column | Datatype | Null | Description |
|---|---|---|---|
NAME |
VARCHAR(90) |
NOT NULL |
Name of the rule. |
RULE_EXPR |
VARCHAR(1024) |
NOT NULL |
PL/SQL expression for the rule. |
The DVSYS.DBA_DV_RULE_SET data dictionary view lists the rules sets that have been created.
For example:
SELECT RULE_SET_NAME, HANDLER_OPTIONS, HANDLER FROM DVSYS.DBA_DV_RULE_SET WHERE RULE_SET_NAME = 'Maintenance Period';
Output similar to the following appears:
RULE_SET_NAME HANDLER_OPTIONS HANDLER ------------------- ---------------- ---------------------- Maintenance Period 1 dbavowner.email_alert
| Column | Datatype | Null | Description |
|---|---|---|---|
RULE_SET_NAME |
VARCHAR(90) |
NOT NULL |
Name of the rule set. |
DESCRIPTION |
VARCHAR(1024) |
Description of the rule set. | |
ENABLED |
VARCHAR(1) |
NOT NULL |
Indicates whether the rule set has been enabled. Y (Yes) enables the rule set; N (No) disables it. |
EVAL_OPTIONS_MEANING |
VARCHAR(4000) |
For rules sets that contain multiple rules, determines how many rules are evaluated. Possible values are:
|
|
AUDIT_OPTIONS |
NUMBER |
NOT NULL |
Indicates when auditing is used. Possible values are:
|
FAIL_OPTIONS_MEANING |
VARCHAR(4000) |
Determines when an audit record is created for the rule set. Possible values are:
|
|
FAIL_MESSAGE |
VARCHAR(80) |
Error message for failure that is associated with the fail code listed in the FAIL_CODE column. |
|
FAIL_CODE |
VARCHAR(10) |
The error message number associated with the message listed in the FAIL_MESSAGE column. Possible values are in the ranges of -20000 to -20999 or 20000 to 20999. |
|
HANDLER_OPTIONS |
NUMBER |
NOT NULL |
Determines how error handling is used. Possible values are:
|
HANDLER |
VARCHAR(1024) |
Name of the PL/SQL function or procedure that defines the custom event handler logic. | |
IS_STATIC |
VARCHAR2(5) |
Indicates how often the rule set is evaluated during a user session. Possible values are:
|
The DVSYS.DBA_DV_RULE_SET_RULE data dictionary view lists rules that are associated with existing rule sets.
For example:
SELECT RULE_SET_NAME, RULE_NAME, RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET_RULE WHERE RULE_NAME = 'Is Security Officer';
Output similar to the following appears:
RULE_SET_NAME RULE_NAME RULE_EXP
---------------------------- ------------------ ---------------------------------
Can Grant VPD Administration Is Security Owner DBMS_MACUTL.USER_HAS_ROLE_VARCHAR
('DV_OWNER',
dvsys.dv_login_user) = 'Y'
| Column | Datatype | Null | Description |
|---|---|---|---|
RULE_SET_NAME |
VARCHAR(90) |
NOT NULL |
Name of the rule set that contains the rule. |
RULE_NAME |
VARCHAR(90) |
NOT NULL |
Name of the rule. |
RULE_EXPR |
VARCHAR(1024) |
NOT NULL |
PL/SQL expression that defines the rule listed in the RULE_NAME column. |
ENABLED |
VARCHAR(1) |
Indicates whether the rule is enabled or disabled. Y (Yes) enables the rule set; N (No) disables it. |
|
RULE_ORDER |
NUMBER |
NOT NULL |
The order in which rules are used within the rule set. Does not apply to this release. |
The DVSYS.DBA_DV_TTS_AUTH data dictionary view lists users who have been granted authorization through the DBMS_MACADM.AUTHORIZE_TTS_USER procedure to perform Oracle Data Pump transportable operations in an Oracle Database Vault environment. See "Using Oracle Data Pump with Oracle Database Vault" for more information.
For example:
SELECT * FROM DVSYS.DBA_DV_TTS_AUTH;
Output similar to the following appears:
GRANTEE TSNAME -------- -------- DB_MGR HR_TS
| Column | Datatype | Null | Description |
|---|---|---|---|
GRANTEE |
VARCHAR(128) |
NOT NULL |
Name of the user who has been granted transportable tablespace authorization |
TSNAME |
VARCHAR(128) |
NOT NULL |
Name of the transportable tablespace to which the GRANTEE user has been granted authorization |
The DVSYS.DBA_DV_USER_PRIVS data dictionary view lists the privileges for a database user account excluding privileges granted through the PUBLIC role.
For example:
SELECT USERNAME, ACCESS_TYPE, PRIVILEGE FROM DVSYS.DBA_DV_USER_PRIVS;
Output similar to the following appears:
USERNAME ACCESS_TYPE PRIVILEGE --------- -------------------- ------------ DVSYS DV_PUBLIC EXECUTE DVOWNER DV_ADMIN SELECT SYS SELECT_CATALOG_ROLE SELECT ...
| Column | Datatype | Null | Description |
|---|---|---|---|
USERNAME |
VARCHAR(30) |
NOT NULL |
Name of the database schema account in which privileges have been defined. |
ACCESS_TYPE |
VARCHAR(30) |
Role the database user account listed in the USERNAME column uses to access the database. Oracle Database Vault accounts have direct access. |
|
PRIVILEGE |
VARCHAR(40) |
NOT NULL |
Privilege granted to the user listed in the USERNAME column. |
OWNER |
VARCHAR(30) |
NOT NULL |
Name of the database user account. |
OBJECT_NAME |
VARCHAR(30) |
NOT NULL |
Name of the PL/SQL function or procedure used to define privileges. |
The DVSYS.DBA_DV_USER_PRIVS_ALL data dictionary view lists the privileges for a database account including privileges granted through PUBLIC.
For example:
SELECT USERNAME, ACCESS_TYPE, PRIVILEGE FROM DVSYS.DBA_DV_USER_PRIVS;
Output similar to the following appears:
USERNAME ACCESS_TYPE PRIVILEGE ------------------- ------------ ----------------- bea_DVACCTMGR CONNECT CREATE_SESSION LEO_DVOWNER DIRECT CREATE PROCEDURE ...
| Column | Datatype | Null | Description |
|---|---|---|---|
USERNAME |
VARCHAR(30) |
Name of the database schema account in which privileges have been defined. | |
ACCESS_TYPE |
VARCHAR(30) |
Role the database user account listed in the USERNAME column uses to access the database. Oracle Database Vault accounts have direct access. |
|
PRIVILEGE |
VARCHAR(40) |
Privilege granted to the user listed in the USERNAME column. |
|
OWNER |
VARCHAR(30) |
Name of the database user account. | |
OBJECT_NAME |
VARCHAR(30) |
Name of the PL/SQL function or procedure used to define privileges. |
The DVSYS.DV$CONFIGURATION_AUDIT data dictionary view captures DVSYS.AUDIT_TRAIL$ table audit trail records that are related to successful and failed configuration changes made to realms, rules, rule sets, factors, and other Oracle Database Vault policy configuration activities.
For example:
SELECT USERNAME, ACTION_NAME FROM DVSYS.DV$CONFIGURATION_AUDIT WHERE USERNAME = 'PSMITH';
Output similar to the following appears:
USERNAME ACTION_NAME ---------- --------------------- PSMITH Realm Creation Audit PSMITH Rule Set Update Audit
| Column | Datatype | Null | Description |
|---|---|---|---|
ID# |
NUMBER |
NOT NULL |
Numeric identifier for the audit record |
OS_USERNAME |
VARCHAR(255) |
Operating system login user name of the user whose actions were audited | |
USERNAME |
VARCHAR(128) |
Name of the database user whose actions were audited | |
USERHOST |
VARCHAR2(128) |
Client computer name | |
TERMINAL |
VARCHAR2(30) |
Identifier for the user's terminal | |
TIMESTAMP |
DATA |
Date and time of creation of the audit trail entry (in the local database session time zone) | |
OWNER |
VARCHAR2(128) |
Creator of the object affected by the action, always DVSYS (because DVSYS is where objects are created) |
|
OBJ_NAME |
VARCHAR2(128) |
Name of the object affected by the action. Expected values are:
|
|
ACTION |
NUMBER |
NOT NULL |
Numeric action type code. The corresponding name of the action type is in the ACTION_NAME column. See Table 22-2 for a listing of the possible actions. |
ACTION_NAME |
VARCHAR2(30) |
Name of the action type corresponding to the numeric code in the ACTION column. See Table 22-2 for a listing of the possible actions. |
|
ACTION_OBJECT_ID |
NUMBER |
The unique identifier of the record in the table specified under OBJ_NAME |
|
ACTION_OBJECT_NAME |
VARCHAR2(128) |
The unique name or natural key of the record in the table specified under OBJ_NAME |
|
ACTION_COMMAND |
VARCHAR2(4000) |
The SQL text of the command procedure that was executed that resulted in the audit event being triggered | |
AUDIT_OPTION |
VARCHAR2(4000) |
The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get NULL would indicate these two options. |
|
RULE_SET_ID |
NUMBER |
The unique identifier of the rule set that was executing and caused the audit event to trigger | |
RULE_SET_NAME |
VARCHAR2(90) |
The unique name of the rule set that was executing and caused the audit event to trigger | |
RULE_ID |
NUMBER |
Not used | |
RULE_NAME |
VARCHAR2(128) |
Not used | |
FACTOR_CONTEXT |
VARCHAR2(4000) |
An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered | |
COMMENT_TEXT |
VARCHAR2(4000) |
Text comment on the audit trail entry, providing more information about the statement audited | |
SESSIONID |
NUMBER |
NOT NULL |
Numeric identifier for each Oracle session |
ENTRYID |
NUMBER |
NOT NULL |
Same as the value in the ID# column |
STATEMENTID |
NUMBER |
NOT NULL |
Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
RETURNCODE |
NUMBER |
NOT NULL |
Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
EXTENDED_TIMESTAMP |
TIMESTAMP(6) WITH TIME ZONE |
Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone | |
PROXY_SESSIONID |
NUMBER |
Proxy session serial number, if an enterprise user has logged in through the proxy mechanism | |
GLOBAL_UID |
VARCHAR2(32) |
Global user identifier for the user, if the user has logged in as an enterprise user | |
INSTANCE_NUMBER |
NUMBER |
Instance number as specified by the INSTANCE_NUMBER initialization parameter |
|
OS_PROCESS |
VARCHAR2(16) |
Operating system process identifier of the Oracle process | |
CREATED_BY |
VARCHAR2(128) |
Database login user name of the user whose actions were audited | |
CREATE_DATE |
DATE |
Date on which the action occurred, based on the SYSDATE date |
|
UPDATED_BY |
VARCHAR2(128) |
Same as CREATED_BY column value |
|
UPDATE_DATE |
DATE |
Same as UPDATED_BY column value |
|
GRANTEE |
VARCHAR2(128) |
User ID of users who have been granted Database Vault-protected roles, realm authorization, command-rule authorization, job scheduler authorization, or Oracle Data Pump authorizations | |
ENABLED_STATUS |
VARCHAR2(1) |
Indicates whether the configuration was enabled |
Table 22-2 describes the possible values for the ACTION column of the DVSYS.DV$CONFIGURATION_AUDIT view.
Table 22-2 DVSYS.DV$CONFIGURATION_AUDIT View ACTION Values
| Action Type Code | Action Name |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The DVSYS.DV$ENFORCEMENT_AUDIT data dictionary view provides information about enforcement-related audits from the DVSYS.AUDIT_TRAIL$ table. It captures user violations on command rules, realms, and factors.
For example:
SELECT USERNAME, ACTION_COMMMAND FROM DVSYS.DV$ENFORCEMENT_AUDIT WHERE OWNER = 'HR';
Output similar to the following appears:
USERNAME ACTION_COMMMAND ----------- ------------------------------ PSMITH CREATE_REALM
| Column | Datatype | Null | Description |
|---|---|---|---|
ID# |
NUMBER |
NOT NULL |
Numeric identifier for the audit record |
OS_USERNAME |
VARCHAR(128) |
Operating system login user name of the user whose actions were audited | |
USERNAME |
VARCHAR(128) |
Name of the database user whose actions were audited | |
USERHOST |
VARCHAR(255) |
Client computer name | |
TERMINAL |
VARCHAR(255) |
Identifier for the user's terminal | |
TIMESTAMP |
DATE |
Date and time of creation of the audit trail entry (in the local database session time zone) | |
OWNER |
VARCHAR(128) |
Creator of the object affected by the action, always DVSYS (because DVSYS is where objects are created) |
|
OBJ_NAME |
VARCHAR(128) |
Name of the object affected by the action. Expected values are:
|
|
ACTION |
NUMBER |
NOT NULL |
Numeric action type code. The corresponding name of the action type is in the ACTION_NAME column. See Table 22-2 for a listing of the possible actions. |
ACTION_NAME |
VARCHAR(128) |
Name of the action type corresponding to the numeric code in the ACTION column |
|
ACTION_OBJECT_ID |
NUMBER |
The unique identifier of the record in the table specified under OBJ_NAME |
|
ACTION_OBJECT_NAME |
VARCHAR(128) |
The unique name or natural key of the record in the table specified under OBJ_NAME |
|
ACTION_COMMAND |
VARCHAR2(4000) |
The SQL text of the command procedure that was executed that resulted in the audit event being triggered | |
AUDIT_OPTION |
VARCHAR2(4000) |
The labels for all audit options specified in the record that resulted in the audit event being triggered. For example, a factor set operation that is supposed to audit on get failure and get NULL would indicate these two options. |
|
RULE_SET_ID |
The unique identifier of the rule set that was executing and caused the audit event to trigger | ||
RULE_SET_NAME |
VARCHAR(128) |
The unique name of the rule set that was executing and caused the audit event to trigger | |
RULE_ID |
NUMBER |
Not used | |
RULE_NAME |
VARCHAR2(128) |
Not used | |
FACTOR_CONTEXT |
VARCHAR2(4000) |
An XML document that contains all of the factor identifiers for the current session at the point when the audit event was triggered | |
COMMENT_TEXT |
VARCHAR2(4000) |
Text comment on the audit trail entry, providing more information about the statement audited | |
SESSIONID |
NUMBER |
NOT NULL |
Numeric identifier for each Oracle session |
ENTRYID |
NUMBER |
NOT NULL |
Same as the value in the ID# column |
STATEMENTID |
NUMBER |
NOT NULL |
Numeric identifier for the statement invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
RETURNCODE |
NUMBER |
NOT NULL |
Oracle error code generated by the action. The error code for a statement or procedure invoked that caused the audit event to be generated. This is empty for most Oracle Database Vault events. |
EXTENDED_TIMESTAMP |
TIMESTAMP(6) WITH TIME ZONE |
Time stamp of creation of the audit trail entry (time stamp of user login for entries) in UTC (Coordinated Universal Time) time zone | |
PROXY_SESSIONID |
NUMBER |
Proxy session serial number, if an enterprise user has logged in through the proxy mechanism | |
GLOBAL_UID |
VARCHAR2(32) |
Global user identifier for the user, if the user has logged in as an enterprise user | |
INSTANCE_NUMBER |
NUMBER |
Instance number as specified by the INSTANCE_NUMBER initialization parameter |
|
OS_PROCESS |
VARCHAR2(16) |
Operating system process identifier of the Oracle process | |
CREATED_BY |
VARCHAR2(128) |
Database login user name of the user whose actions were audited | |
CREATE_DATE |
DATE |
Date on which the action occurred, based on the SYSDATE date |
|
UPDATED_BY |
VARCHAR2(128) |
Same as CREATED_BY column value |
|
UPDATE_DATE |
DATE |
Same as UPDATED_BY column value |
The SYS.DV$CONFIGURATION_AUDIT view is almost the same as the DVSYS.DV$CONFIGURATION_AUDIT view except that it captures Database Vault-related audit records from the unified audit trail.
See Also:
"DVSYS.DV$CONFIGURATION_AUDIT View"The SYS.DV$ENFORCEMENT_AUDIT view is almost the same as the DVSYS.DV$ENFORCEMENT_AUDIT view except that it captures Database Vault-related audit records from the unified audit trail.
See Also:
"DVSYS.DV$ENFORCEMENT_AUDIT View"