Grant role DBA with Database Vault

Hi all,
I need help granting the role DBA to a user with the Database Vault option installed. I created a user account and I need this user to be able to do all the things that a regular DBA role can do. I can't find a way to do this in Database Vault... Any help will be appreciated.
Thanks!

SYSDBA can issue powerful statements such as CREATE USER, DROP USER, ALTER USER, CREATE PROFILE and so on; these can be done only if allowed by modifying the Can Maintain Accounts/Profiles rule set.
You can also log in with the dvsys account, but that account is locked after installation. So unlock it with the command
alter user username account unlock;
And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault: DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
The following can help you:
SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
Regards
Karan

Similar Messages

  • Schema export via Oracle data pump with Database Vault enabled question

    Hi,
    I have installed and configured Database Vault on an Oracle 11g-r2-11.2.0.3 to protect a specific schema (SCHEMA_NAME) via a realm. I have followed the following doc:
    http://www.oracle.com/technetwork/database/security/twp-databasevault-dba-bestpractices-199882.pdf
    to ensure that the sys and the system users have sufficient rights to complete a scheduled Oracle Data Pump export operation.
    I.e. I have granted to sys and system the following:
    execute dvsys.dbms_macadm.authorize_scheduler_user('sys','SCHEMA_NAME');
    execute dvsys.dbms_macadm.authorize_scheduler_user('system','SCHEMA_NAME');
    execute dvsys.dbms_macadm.authorize_datapump_user('sys','SCHEMA_NAME');
    execute dvsys.dbms_macadm.authorize_datapump_user('system','SCHEMA_NAME');
    I have also created a second realm on the same schema (SCHEMA_NAME) to allow sys and system to maintain indexes for realm-protected tables. This separate realm was created for all their index types: Index, Index Partition, and Indextype; sys and system have been authorized as OWNER to this realm.
    However, when I try and complete an Oracle Data Pump export operation on the schema, I get two errors directly after the following line displayed in the export log:
    Processing object type SCHEMA_EXPORT/TABLE/INDEX/DOMAIN_INDEX/INDEX:
    ORA-39127: unexpected error from call to export_string :=SYS.DBMS_TRANSFORM_EXIMP.INSTANCE_INFO_EXP('AQ$_MGMT_NOTIFY_QTABLE_S','SYSMAN',1,1,'11.02.00.00.00',newblock)
    ORA-01031: insufficient privileges
    ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197
    ORA-06512: at line 1
    ORA-06512: at "SYS.DBMS_METADATA", line 9081
    ORA-39127: unexpected error from call to export_string :=SYS.DBMS_TRANSFORM_EXIMP.INSTANCE_INFO_EXP('AQ$_MGMT_LOADER_QTABLE_S','SYSMAN',1,1,'11.02.00.00.00',newblock)
    ORA-01031: insufficient privileges
    ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197
    ORA-06512: at line 1
    ORA-06512: at "SYS.DBMS_METADATA", line 9081
    The export is completed but with these errors.
    Any help, suggestions, pointers, etc actually anything will be very welcome at this stage.
    Thank you

    Hi Srini,
    Thank you very much for your help. Unfortunately, after having followed the instructions of the DOC I am still getting the same errors.
    Nonetheless, thank you for your input.
    I was also wondering if someone could tell me how to move this thread to the Database Security area of the forum, as I feel I may have posted the thread in the wrong place as it appears to be a Database Vault issue and not an imp/exp problem. ?
    Edited by: zooid on May 20, 2012 10:33 PM
    Edited by: zooid on May 20, 2012 10:36 PM

  • DBUM Integration With Database Vault Realms

    The dbum connector documentation mentions
    "...In Oracle Database installations on which Oracle Database Vault is installed, the connector can be used to grant and manage authorization to Oracle Database Vault realms. The connector treats access to Oracle Database Vault realms as an entitlement. You can use the connector to provision database users with access to multiple realms with different levels of access.."
    http://docs.oracle.com/cd/E22999_01/doc.111/e28315/intro.htm#CHDICGJF
    but after setting up Database Vault and successfully running direct provisioning using the dbum connector, I could not grant access to Database Vault realms. As far as I understood, the connector should present Database Vault realms as entitlements, but I did not find any scheduled task or lookup to enable this feature.
    Any help is more than appreciated

    Hi.
    Note 428503.1 is applicable to Database Version 10.2.0.4 with EBS 11i. That is not what you're trying to achieve, you want 10.2.0.4 with EBS 12. (I was able to find note 428503.1 by the way)
    There are two notes :
    Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.3 : 744363.1
    Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.5 : 11397981.1
    So, I am not sure if you can integrate EBS 12 with 10.2.0.4. I would at least patch the database up to 10.2.0.5 or upgrade to 11.2 as Helios stated.
    Either way you are better off contacting Oracle Support directly with your question.
    Paul

  • Using expdp in database with database vault gives error-39165

    Hi,
    Please help me with the below mentioned scenario.
    I have Oracle Database 10.2.0.2 and Database Vault installed on top of it.
    I am trying to export one table, DM05, belonging to the DIP schema and dump it as expdip.dmp. I issue the following command for this.
    But it stops with the error mentioned below.
    expdp dip/oracle directory expdp_dir tables="DIP".\"DM05\" dumpfile=expdip.dmp
    ORA-39165: Schema DIP was not found.
    ORA-39166: Object DM05 was not found.
    ORA-31655: no data or metadata objects selected for job
    Job "DIP"."SYS_EXPORT_TABLE_01" completed with 3 error(s) at 07:02:28
    Thanks and Regards,
    Dipesh

    hi
    Oracle Error : ORA-39166: Object string was not found.
    Cause: If exporting or importing over the network, either the user specified an object name that was not found in the source database or else the user lacked the proper EXP_FULL_DATABASE or IMP_FULL_DATABASE role that would allow them to access the object another in another schema. For importing from files, the user specified an object name not found in the dump file set.
    Action: Retry the operation using the correct object name.
    Hope this helps
    Cheers

  • How to recreate enterprise manager with database vault

    I'm testing the Oracle Database Vault option at database version 11.1.0.7, but there are some things that do not work correctly in the test. One of them is that I am not able to recreate the Enterprise Manager repository. After trying several ways with the Database Vault option enabled, I decided to disable it. With the Database Vault option disabled I recreated the Enterprise Manager OK, but after enabling the Database Vault option again, the Database Vault Administrator does not load for me:
    Firefox gives me an error with resource /dva.
    I hope you can help me.

    when you have vault on do you get errors in the realm audit reports ?
    or are you trying to create an oem repository in a vault enabled database ?

  • Problem with database vault

    Hi,
    I installed a database 11gR1 (11.1.0.7) with the Database Vault option.
    As in the documentation, I tried to call the Database Vault Administrator with the URL https://<server_name>:<em_port>/dva. I get a "404 not found" message. The Enterprise Manager runs without problem.
    I searched the directory $ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications for the dva directory, but there is none. (The em directory exists.)
    If I execute the statement select * from v$option where parameter like '%Vault'; the value is TRUE, which means Database Vault is installed and enabled.
    Has somebody an idea why I can't call the database vault administrator ?
    Thanks in advance
    Josep

    Hi,
    what do you mean by creating the vault in the database? I simply installed the database software with the Database Vault option, and afterwards I created the database with the dbca. In the dbca I gave the information of the two vault users.
    As far as I know, if the entry in v$option for Database Vault is true, Database Vault is enabled. Isn't it?
    The SQL statement gives as result the file $ORACLE_BASE/admin/<SID>/wallet with the status closed. The wallet is necessary for encryption, but my target is not to encrypt the database, it's to control the access to the information.

  • How to restrict grant connect through with Data Vault

    I need to restrict the ability to grant proxy privileges in the database. This is the statement: alter user USER_A grant connect through USER_B;
    I tried creating this rule that looks at the SQL text for %CONNECT THROUGH% in the statement and then added it to the "Can Maintain Own Account" Rule Set which is attached to the Alter System command, but it doesn't appear to be working. How can I get this working? Is the rule that I created correct? Ultimately what I want to do is allow proxies to be created for most users but restrict only certain special users.
    BEGIN
      dbms_macadm.delete_rule(rule_name => 'NO_PROXY_PRIVILEGES');
      DBMS_MACADM.CREATE_RULE(rule_name => 'NO_PROXY_PRIVILEGES',
        rule_expr => 'INSTR(UPPER(DVSYS.DV_SQL_TEXT),''%CONNECT THROUGH%'') = 0');
    END;
    I am running Oracle 11.2.0.2 Enterprise on Windows Server 2008R2
    Thank you.

    You may get a better answer in the security forum:
    Security
    That being said - there are authorization checks that you can create for SE16.
    Create an authorization field via SU20.  Create the object via SU21. 
    Create a role.  Add transaction SE16 to the role.  Create a profile.  Activity would be display.  And then you can add the objects that you created.
    Again you may get a better answer from someone who does security everyday.  I'd suggest posting in the security forum.
    Michelle
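
Added example (not part of the thread, and not Oracle's own code): the rule expression posted in the question above passes '%' to INSTR, which treats it as a literal character rather than a wildcard, so for ordinary statements the expression is always true and the rule never denies anything. The query evaluates the posted expression and two alternatives against constructed statements; the rule name NO_PROXY_PRIVILEGES_V2 is hypothetical, and the use of REGEXP_LIKE inside rule_expr is an assumption to verify on your release.

```sql
-- Constructed sample statements (not from the thread) run through three
-- candidate rule expressions. A rule that evaluates to TRUE allows the command,
-- so each column reports ALLOW when the expression is true.
WITH stmts AS (
  SELECT 1 AS id, 'proxy grant, single line' AS label,
         'alter user USER_A grant connect through USER_B' AS sql_text
    FROM dual
  UNION ALL
  SELECT 2, 'proxy grant, line break between keywords',
         'ALTER USER user_a GRANT CONNECT' || CHR(10) || '  THROUGH user_b'
    FROM dual
  UNION ALL
  SELECT 3, 'unrelated ALTER USER',
         'alter user USER_A account unlock'
    FROM dual
)
SELECT id, label,
       -- Expression as posted: INSTR looks for the literal text '%CONNECT THROUGH%'.
       CASE WHEN INSTR(UPPER(sql_text), '%CONNECT THROUGH%') = 0
            THEN 'ALLOW' ELSE 'DENY' END AS posted_expr,
       -- Same test without the percent signs: a plain substring match,
       -- which depends on exactly one space between the two keywords.
       CASE WHEN INSTR(UPPER(sql_text), 'CONNECT THROUGH') = 0
            THEN 'ALLOW' ELSE 'DENY' END AS instr_substring,
       -- Case-insensitive match that accepts any whitespace between the keywords.
       CASE WHEN NOT REGEXP_LIKE(sql_text, 'CONNECT[[:space:]]+THROUGH', 'i')
            THEN 'ALLOW' ELSE 'DENY' END AS regexp_expr
  FROM stmts
 ORDER BY id;

-- A rule built from the third expression. NO_PROXY_PRIVILEGES_V2 is a
-- hypothetical name; run as an account holding DV_OWNER or DV_ADMIN.
-- The expression also matches REVOKE CONNECT THROUGH statements.
-- The rule has an effect only once it is added to a rule set that is attached
-- to the command rule for the statement being issued (ALTER USER here).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'NO_PROXY_PRIVILEGES_V2',
    rule_expr => 'NOT REGEXP_LIKE(DVSYS.DV_SQL_TEXT, ''CONNECT[[:space:]]+THROUGH'', ''i'')');
END;
/
```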

  • Database Vault support with OGG

    IHAC who wants to use OGG 11.1.1.1 on a RAC database with "Database Vault" installed.
    I found Bug 12356827: NEW DV ROLE IS REQUIRED FOR GOLDEN GATE OCI API TO RUN PROPERLY.
    It's unclear, if this just means we need the new DV Role DV_GOLDENGATE_REDO_ACCESS in order to be "DV compliant"
    or if GG doesn't work at all with DV enabled Databases.
    Please clarify if, and with which OGG + Oracle Release, we fully support Database Vault.
    Thanks,
    Robert

    I know Database Vault is certified for use with E-Business Suite, and EBS is certified for use with GoldenGate (with the noted limitations of a couple of data types and some tables here and there, as documented in a support note). Given that chain, I would say yes. There isn't much, if any, public information, so to be sure, you should ask Oracle support. There is one hit on Google about dv_goldengate_redo_access, and it comes from your question. I would take that as a sign that you need to go to the source (Oracle) to confirm.

  • Exports with Oracle Database Vault

    Hi!
    I'm running a database in version 10.2.0.4 and it has Oracle Database Vault installed, which is running quite well...
    I'm trying to export a schema that is protected with a REALM, and only the owner of that schema has permission to access the data. So, users like sys or system can't access the data of the schema. That's the aim of Database Vault and it does it well.
    The problem is that I'm performing an export of that schema and it runs successfully! I have the .dmp file, which I can import in other databases (with Database Vault not installed) and it runs perfectly!
    So... if Database Vault prevents user sys from accessing the data, why does it permit performing EXPORTS??
    Thank,
    tom

    Bump. Thanks.

  • SQL Text in DATABASE VAULT Events

    I'm using Audit Vault 10.2.3.2 to collect audit data from a source database 11gR2 (11.2.0.1) protected with Database Vault. The DBAUD collector is collecting all the Database Vault Events, but in all cases the SQL Text column is empty.
    The collector seems to be working fine, I've added the collector user to the Oracle Data Dictionary Realm and I've also granted dv_secanalyst to the user.
    Are there any additional steps that have to be done in order to get the SQL Text?
    Thanks.

    In case anybody is interested, this error has been filed as bug 11818022 with Oracle Support.
    Thanks.

  • Database Vault custom reports

    Hi All,
    Question about Database Vault: can I build my own custom reports with Database Vault?
    Thanks in advance.

    Hi,
    Database Vault is Security Solution. See http://www.scribd.com/doc/7793997/Oracle-White-Paper-Database-Vault-11g
    What report are you referring to?
    Regards,
    Edited by: gjilevski1 on Sep 9, 2010 11:01 AM

  • Database Vault Owner Grant Any Role Permission

    So I just noticed that the role DV_OWNER has the system privilege GRANT ANY ROLE assigned to it by default. I was wondering if this is necessary for something. If not, I would like to remove it. We would prefer the Database Vault owner person to not have any permissions except for logging into the Data Vault console to modify realms and rules and stuff, as well as looking at audit logs. The DV_OWNER role also has ADMINISTER DATABASE TRIGGER and ALTER ANY TRIGGER privileges, which I would like to remove as well. Anybody have any opinions on this?
    Oracle EE 11.2.0.2 on Windows 2008 R2
    Thanks.

    SYSDBA can issue powerful statements such as CREATE USER, DROP USER, ALTER USER, CREATE PROFILE and so on; these can be done only if allowed by modifying the Can Maintain Accounts/Profiles rule set.
    You can also log in with the dvsys account, but that account is locked after installation. So unlock it with the command
    alter user username account unlock;
    And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault: DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
    The following can help you:
    SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
    SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
    Regards
    Karan

  • Grant Privileges in Database Vault for DATAPUMP.

    HI,
    I am using ORACLE DATABASE 11g R2.
    I have installed/enabled DATABASE VAULT 11g on it.
    I have configured many user in it for privileges like 'SELECT on table','INSERT on table' ,DELETE .....
    I want to give a user DATAPUMP privilege so that he can export and import.
    I have 2 users.
    1) MAIN
    2) BACKUP
    MAIN user is the owner and the most important schema. Now I want one more schema named 'BACKUP' which will be able to take backups from the MAIN schema. NO OTHER SCHEMA SHOULD BE ALLOWED TO TAKE BACKUP OF MAIN SCHEMA, NOT EVEN SYS.
    Can anyone tell me how I can grant the proper privilege to the BACKUP schema so that it can use DATAPUMP and import/export from the OS prompt on the MAIN schema?
    NOTE :- I have Database vault installed on my server. Please let me know what all RULES or RULE SETS I need to make to make this happen.
    Thanks in advance.

    I have managed with privileges to grant BACKUP user right to start an IMPORT but i get these errors while importing :-
    Failing sql is:
    CREATE TABLE "MAIN"."FLX_PM_OFFER_SELECTOR_B" ("USER_NAME" VARCHAR2(50 BYTE), "PRODUCT_GROUP" VARCHAR2(5 BYTE), "REFERENCE_NUM" VARCHAR2(30 BYTE) NOT NULL ENABLE, "SESSION_STATE" VARCHAR2(5 BYTE), "OFFER_FEATURES" BLOB, "RECOMMENDED_OFFERS" VARCHAR2(500 BYTE), "SELECTED_OFFERS" VARCHAR2(500 BYTE), "MAKER_NAME" VARCHAR2(12 BYTE), "MAK
    ORA-39083: Object type TABLE:"MAIN"."FLX_PM_ACCOUNT_ROLE_FLOW" failed to create with error:
    ORA-47401: Realm violation for CREATE TABLE on MAIN.FLX_PM_ACCOUNT_ROLE_FLOW
    I am getting this error for all the objects: SYNONYM, SEQUENCE,
    I have granted MAIN users all the privileges but still I am getting these errors. Do I need to create any realm or rule set for this?
    Thanks.

  • Apex with Oracle Database Vault

    Can someone point me to some document/whitepaper that describes how to setup Apex to work with Oracle Database Vault?
    My understanding is that data in tables secured by Vault's realms is not accessible even to DBAs (select any table), which is great. But how does that impact Apex applications? The data would have to be accessible to the app's parsing schema. So unauthorized users can still gain access to the data via the Apex app instead of direct database access. Does Apex provide for tighter integration with Vault to prevent this sort of access?
    Thanks

    Bump. Thanks.

  • How i can associate my app user with database role

    In my application (Oracle Forms application developed in-house; we are using Oracle Forms 11gR2 with WebLogic 10.3.5), I want to use an "application user" instead of a database user.
    I have an application users table; actually, I have database users, and of course, the menu application works with database roles (it was developed with the Oracle Forms menu module). My question is: how can I associate my application user with a database role, for reusing Oracle Forms menu functionality? Is it possible?
    Thanks,
    Edward

    user8929172 wrote:
    In my application (Oracle Forms application developed in-house; we are using Oracle Forms 11gR2 with WebLogic 10.3.5), I want to use an "application user" instead of a database user.
    I have an application users table; actually, I have database users, and of course, the menu application works with database roles (it was developed with the Oracle Forms menu module). My question is: how can I associate my application user with a database role, for reusing Oracle Forms menu functionality? Is it possible?
    Hi Edward
    You can do this by assigning the role functionality to the application user. For example
    create the table to enter user name.
    create table to enter group name.
    create table to assign user to group.
    assign role to group.
    assign functionality for the user by coding.
    hope this helps
