12 Using the DVSYS.DBMS_MACADM Package

This chapter contains:

About the DVSYS.DBMS_MACADM Package
Realm Procedures Within DVSYS.DBMS_MACADM
Rule Set Procedures Within DVSYS.DBMS_MACADM
Command Rule Procedures Within DVSYS.DBMS_MACADM
Factor Procedures and Functions Within DVSYS.DBMS_MACADM
Secure Application Role Procedures Within DVSYS.DBMS_MACADM
Oracle Label Security Policy Procedures Within DVSYS.DBMS_MACADM
General System Maintenance Procedures Within DVSYS.DBMS_MACADM

About the DVSYS.DBMS_MACADM Package

The procedures and functions within the DVSYS.DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.

The DVSYS.DBMS_MACADM package is available only for users who have been granted the DV_ADMIN or DV_OWNER role.

Many of the parameters used in the procedures and functions in the DVSYS.DBMS_MACADM package can use the constants available in the DVSYS.DBMS_MACUTL package. See "DVSYS.DBMS_MACUTL Constants" for more information.

Oracle Database Vault also provides a set of PL/SQL interfaces that you can use with the DVSYS.DBMS_MACADM package. See Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," for more information.

Realm Procedures Within DVSYS.DBMS_MACADM

Table 12-1 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure realms. For constants that you can use with these procedures, see Table 14-1 for more information.

Chapter 4, "Configuring Realms," describes realms in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general purpose utility procedures that you can use with the realm procedures.

Table 12-1 DVSYS.DBMS_MACADM Realm Configuration Procedures

Procedure	Description
ADD_AUTH_TO_REALM Procedure	Authorizes a user or role to access a realm as an owner or a participant
ADD_OBJECT_TO_REALM Procedure	Registers a set of objects for realm protection
CREATE_REALM Procedure	Creates a realm
DELETE_AUTH_FROM_REALM Procedure	Removes the authorization of a user or role to access a realm
DELETE_OBJECT_FROM_REALM Procedure	Removes a set of objects from realm protection
DELETE_REALM Procedure	Deletes a realm and its related Database Vault configuration information
DELETE_REALM_CASCADE Procedure	Deletes a realm its related Database Vault configuration information
RENAME_REALM Procedure	Renames a realm. The name change takes effect everywhere the realm is used.
UPDATE_REALM Procedure	Updates a realm.
UPDATE_REALM_AUTH Procedure	Updates the authorization of a user or role to access a realm

ADD_AUTH_TO_REALM Procedure

The ADD_AUTH_TO_REALM procedure authorizes a user or role to access a realm as an owner or a participant. For detailed information about realm authorization, see "Defining Realm Authorization".

Optionally, you can specify a rule set that must be checked before allowing the authorization to proceed.

Syntax

DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name    IN VARCHAR2, 
  grantee       IN VARCHAR2, 
  rule_set_name IN VARCHAR2, 
  auth_options  IN NUMBER);

Parameters

Table 12-2 ADD_AUTH_TO_REALM Parameters

Parameter	Description
`realm_name`	Realm name. To find the existing realms in the current database instance, query the `DVSYS.DBA_DV_REALM` view, described in "DBA_DV_REALM View".
`grantee`	User or role name to authorize as an owner or a participant. To find the existing users and roles in the current database instance, query the `DBA_USERS` and `DBA_ROLES` views, described in Oracle Database Reference. To find the authorization of a particular user or role, query the `DVA_DV_REALM_AUTH` view, described in "DBA_DV_REALM_AUTH View". To find existing secure application roles used in privilege management, query the `DVSYS.DBA_DV_ROLE` view. Both are described in "Oracle Database Vault Data Dictionary Views".
`rule_set_name`	Optional. Rule set to check before authorizing. If the rule set evaluates to `TRUE`, then the authorization is allowed. To find the available rule sets, query the `DVSYS.DBA_DV_RULE_SET` view, described in "DBA_DV_RULE_SET View".
`auth_options`	Optional. Specify one of the following options to authorize the realm: `0`: Participant. This account or role provides system or direct privileges to access, manipulate, and create objects protected by the realm, provided these rights have been granted using the standard Oracle Database privilege grant process. `1`: Owner. This account or role has the same privileges as the realm participant, plus the authorization to grant or revoke realm-secured database roles. A realm can have multiple owners. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_REALM_AUTH_PARTICIPANT` `G_REALM_AUTH_OWNER` See "Defining Realm Authorization" for more information on participants and owners.

Examples

The following example authorizes user SYSADM as a participant in the Performance Statistics Realm.

BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name  => 'Performance Statistics Realm', 
  grantee     => 'SYSADM'); 
END;
/

This example sets user SYSADM as the owner of the Performance Statistics Realm.

BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name   => 'Performance Statistics Realm', 
  grantee      => 'SYSADM', 
  auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

The next example triggers the Check Conf Access rule set before allowing user SYSADM to be made the owner of the Performance Statistics Realm.

BEGIN
 DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
  realm_name    => 'Performance Statistics Realm', 
  grantee       => 'SYSADM', 
  rule_set_name => 'Check Conf Access',
  auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

ADD_OBJECT_TO_REALM Procedure

The ADD_OBJECT_TO_REALM procedure registers a set of objects for realm protection.

Syntax

DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
  realm_name   IN VARCHAR2, 
  object_owner IN VARCHAR2, 
  object_name  IN VARCHAR2, 
  object_type  IN VARCHAR2);

Parameters

Table 12-3 ADD_OBJECT_TO_REALM Parameters

Parameter	Description
`realm_name`	Realm name. To find the existing realms in the current database instance, query the `DVSYS.DBA_DV_REALM` view, described in "DBA_DV_REALM View"
`object_owner`	The owner of the object that is being added to the realm. If you add a role to a realm, the object owner of the role is shown as `%` (for all), because roles do not have owners. To find the available users, query the `DBA_USERS` view, described in Oracle Database Reference. To find the authorization of a particular user or role, query the `DVA_DV_REALM_AUTH` view, described in "DBA_DV_REALM_AUTH View".
`object_name`	Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the `DVSYS.DBMS_MACUTL` `G_ALL_OBJECT` constant. To find the available objects, query the `ALL_OBJECTS` view, described in Oracle Database Reference. To find objects that are secured by existing realms, query the `DVSYS.DBA_DV_REALM_OBJECT` view, described in "DBA_DV_REALM_OBJECT View".
`object_type`	Object type, such as `TABLE`, `INDEX`, or `ROLE`. (The wildcard % is allowed. See "Object Types" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the `DVSYS.DBMS_MACUTL` `G_ALL_OBJECT` constant.

Example

BEGIN
 DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
  realm_name   => 'Performance Statistics Realm', 
  object_owner => '%', 
  object_name  => 'GATHER_SYSTEM_STATISTICS', 
  object_type  => 'ROLE'); 
END;
/

CREATE_REALM Procedure

The CREATE_REALM procedure creates a realm. After you create the realm, use the following procedures to complete the realm definition:

ADD_OBJECT_TO_REALM procedure registers one or more objects for the realm.
ADD_AUTH_TO_REALM procedures authorize users or roles for the realm.

Syntax

DVSYS.DBMS_MACADM.CREATE_REALM(
  realm_name    IN VARCHAR2, 
  description   IN VARCHAR2, 
  enabled       IN VARCHAR2, 
  audit_options IN NUMBER);

Parameters

Table 12-4 CREATE_REALM Parameters

Parameter	Description
`realm_name`	Realm name, up to 90 characters in mixed-case. To find the existing realms in the current database instance, query the `DVSYS.DBA_DV_REALM` view, described in "DBA_DV_REALM View".
`description`	Description of the purpose of the realm, up to 1024 characters in mixed-case.
`enabled`	`Y` (yes) enables realm checking; `N` (no) disables it. The default is `Y`. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_YES` `G_NO`
`audit_options`	Specify one of the following options to audit the realm: `0`: Disables auditing for the realm (default) `1`: Creates an audit record when a realm violation occurs (for example, when an unauthorized user tries to modify an object that is protected by the realm) `2`: Creates an audit record for authorized activities on objects protected by the realm `3`: Creates an audit record for both authorized and unauthorized activities on objects protected by the realm You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_REALM_AUDIT_OFF` (default) `G_REALM_AUDIT_SUCCESS` `G_REALM_AUDIT_FAIL` `G_REALM_AUDIT_FAIL + G_REALM_AUDIT_SUCCESS`

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_REALM(
  realm_name    => 'Performance Statistics Realm', 
  description   => 'Realm to measure performance', 
  enabled       => DBMS_MACUTL.G_YES, 
  audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + DBMS_MACUTL.G_REALM_AUDIT_SUCCESS);
END; 
/

DELETE_AUTH_FROM_REALM Procedure

The DELETE_AUTH_FROM_REALM procedure removes the authorization of a user or role to access a realm.

Syntax

DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM(
  realm_name IN VARCHAR2,
  grantee    IN VARCHAR2);

Parameters

Table 12-5 DELETE_AUTH_FROM_REALM Parameters

Parameter Description

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

grantee

User or role name.

To find the authorization of a particular user or role, query the DVA_DV_REALM_AUTH view, described in "DBA_DV_REALM_AUTH View".

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM(
  realm_name => 'Performance Statistics Realm',
  grantee    => 'SYS');
END;
/

DELETE_OBJECT_FROM_REALM Procedure

The DELETE_OBJECT_FROM_REALM procedure removes a set of objects from realm protection.

Syntax

DVSYS.DBMS_MACADM.DELETE_OBJECT_FROM_REALM(
  realm_name   IN VARCHAR2, 
  object_owner IN VARCHAR2, 
  object_name  IN VARCHAR2, 
  object_type  IN VARCHAR2);

Parameters

Table 12-6 DELETE_OBJECT_FROM_REALM Parameters

Parameter	Description
`realm_name`	Realm name. To find the existing realms in the current database instance, query the `DVSYS.DBA_DV_REALM` view, described in "DBA_DV_REALM View"
`object_owner`	The owner of the object that was added to the realm. To find the available users, query the `DBA_USERS` view, described in Oracle Database Reference.
`object_name`	Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the `DVSYS.DBMS_MACUTL` `G_ALL_OBJECT` constant. To find objects that are secured by existing realms, query the `DVSYS.DBA_DV_REALM_OBJECT` view, described in "DBA_DV_REALM_OBJECT View".
`object_type`	Object type, such as `TABLE`, `INDEX`, or `ROLE`. (The wildcard % is allowed. See "Object Types" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) You can also use the `DVSYS.DBMS_MACUTL` `G_ALL_OBJECT` constant.

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_OBJECT_FROM_REALM(
  realm_name   => 'Performance Statistics Realm', 
  object_owner => 'SYS', 
  object_name  => 'GATHER_SYSTEM_STATISTICS', 
  object_type  => 'ROLE'); 
END;
/

DELETE_REALM Procedure

The DELETE_REALM procedure deletes a realm, including its related Database Vault configuration information that specifies who is authorized (DVSYS.DBA_DV_REALM_AUTH view) and what objects are protected (DVSYS.DBA_DV_REALM_OBJECT view). It does not delete the actual database objects or users. To find a listing of the realm-related objects, query the DVSYS.DBA_DV_REALM view. To find its authorizations, query DVSYS.DBA_DV_REALM_AUTH. Both are described under "Oracle Database Vault Data Dictionary Views".

If you want to remove the associated objects and authorizations and the realm, see "DELETE_REALM_CASCADE Procedure".

Syntax

DVSYS.DBMS_MACADM.DELETE_REALM(
  realm_name IN VARCHAR2);

Parameters

Table 12-7 DELETE_REALM Parameter

Parameter Description

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

Example

EXEC DVSYS.DBMS_MACADM.DELETE_REALM('Performance Statistics Realm');

DELETE_REALM_CASCADE Procedure

The DELETE_REALM_CASCADE procedure deletes a realm, including its related Database Vault configuration information that specifies who is authorized (DVSYS.DBA_DV_REALM_AUTH view) and what objects are protected (DVSYS.DBA_DV_REALM_OBJECT view). It does not delete the actual database objects or users. To find a listing of the realm-related objects, query the DVSYS.DBA_DV_REALM view. To find its authorizations, query DVSYS.DBA_DV_REALM_AUTH. Both are described under "Oracle Database Vault Data Dictionary Views".

Syntax

DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE(
  realm_name IN VARCHAR2);

Parameters

Table 12-8 DELETE_REALM_CASCADE Parameter

Parameter Description

realm_name

Realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

Example

EXEC DVSYS.DBMS_MACADM.DELETE_REALM_CASCADE('Performance Statistics Realm');

RENAME_REALM Procedure

The RENAME_REALM procedure renames a realm. The name change takes effect everywhere the realm is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_REALM(
  realm_name IN VARCHAR2, 
  new_name   IN VARCHAR2);

Parameters

Table 12-9 RENAME_REALM Parameters

Parameter Description

Parameter	Description
`realm_name`	Current realm name. To find the existing realms in the current database instance, query the `DVSYS.DBA_DV_REALM` view, described in "DBA_DV_REALM View"
`new_name`	New realm name, up to 90 characters in mixed-case.

realm_name

Current realm name.

To find the existing realms in the current database instance, query the DVSYS.DBA_DV_REALM view, described in "DBA_DV_REALM View"

new_name

New realm name, up to 90 characters in mixed-case.

Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_REALM(
  realm_name => 'Performance Statistics Realm', 
  new_name   => 'Sector 2 Performance Statistics Realm');
END; 
/

UPDATE_REALM Procedure

The UPDATE_REALM procedure updates a realm.

Syntax

DVSYS.DBMS_MACADM.UPDATE_REALM(
  realm_name    IN VARCHAR2, 
  description   IN VARCHAR2, 
  enabled       IN VARCHAR2, 
  audit_options IN NUMBER DEFAULT NULL);

Parameters

Table 12-10 UPDATE_REALM Parameters

Parameter	Description
`realm_name`	Realm name. To find the existing realms in the current database instance, query the `DVSYS.DBA_DV_REALM` view, described in "DBA_DV_REALM View"
`description`	Description of the purpose of the realm, up to 1024 characters in mixed-case.
`enabled`	`Y` (yes) enables realm checking; `N` (no) disables it. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_YES` `G_NO` The default for `enabled` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_REALM` data dictionary view. (This feature is available with Oracle Database 11g Release 2 (11.2.0.2).)
`audit_options`	Specify one of the following options to audit the realm: `0`: Disables auditing for the realm `1`: Creates an audit record when a realm violation occurs (for example, when an unauthorized user tries to modify an object that is protected by the realm `2`: Creates an audit record for authorized activities on objects protected by the realm. `3`: Creates an audit record for both authorized and unauthorized activities on objects protected by the realm You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_REALM_AUDIT_OFF` `G_REALM_AUDIT_SUCCESS` `G_REALM_AUDIT_FAIL` `G_REALM_AUDIT_FAIL + G_REALM_AUDIT_SUCCESS` The default for `audit_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_REALM` data dictionary view.

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_REALM(
  realm_name    => 'Sector 2 Performance Statistics Realm', 
  description   => 'Realm to measure performance for Sector 2 applications', 
  enabled       => 'Y', 
  audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL + G_REALM_AUDIT_SUCCESS); 
END;
/

UPDATE_REALM_AUTH Procedure

The UPDATE_REALM_AUTH procedure updates the authorization of a user or role to access a realm.

Syntax

DVSYS.DBMS_MACADM.UPDATE_REALM_AUTH(
  realm_name    IN VARCHAR2, 
  grantee       IN VARCHAR2, 
  rule_set_name IN VARCHAR2, 
  auth_options  IN NUMBER);

Parameters

Table 12-11 UPDATE_REALM_AUTH Parameters

Parameter	Description
`realm_name`	Realm name. To find the existing realms in the current database instance, query the `DVSYS.DBA_DV_REALM` view, described in "DBA_DV_REALM View".
`grantee`	User or role name. To find the available users and roles, query the `DBA_USERS` and `DBA_ROLES` views, described in Oracle Database Reference. To find the authorization of a particular user or role, query the `DVA_DV_REALM_AUTH` view, described in DBA_DV_REALM_AUTH View. To find existing secure application roles used in privilege management, query the `DVSYS.DBA_DV_ROLE` view, described in "DBA_DV_ROLE View".
`rule_set_name`	Optional Rule set to check before authorizing. If the rule set evaluates to `TRUE`, then the authorization is allowed. To find the available rule sets, query the `DVSYS.DBA_DV_RULE_SET` view. To find rules that are associated with the rule sets, query the `DBA_DB_RULE_SET_RULE` view. Both are described in "Oracle Database Vault Data Dictionary Views".
`auth_options`	Optional. Specify one of the following options to authorize the realm: `0`: Participant. This account or role provides system or direct privileges to access, manipulate, and create objects protected by the realm, provided these rights have been granted using the standard Oracle Database privilege grant process. `1`: Owner. This account or role has the same privileges as the realm participant, plus the authorization to grant or revoke realm-secured database roles. A realm can have multiple owners. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_REALM_AUTH_PARTICIPANT` `G_REALM_AUTH_OWNER` The default for `auth_options` value is the previously set value, which you can find by querying the `DVSYS.DBA_DV_REALM_AUTH` data dictionary view.

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_REALM_AUTH(
  realm_name    => 'Sector 2 Performance Statistics Realm', 
  grantee       => 'SYSADM', 
  rule_set_name => 'Check Conf Access', 
  auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END; 
/

Rule Set Procedures Within DVSYS.DBMS_MACADM

Table 12-12 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure rule sets.

See Also:

Chapter 5, "Configuring Rule Sets," for detailed information about rule sets
Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the rule set procedures
Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," for PL/SQL interfaces that you can use with rules

Table 12-12 DVSYS.DBMS_MACADM Rule Set Configuration Procedures

Procedure	Description
ADD_RULE_TO_RULE_SET Procedure	Adds a rule to a rule set
CREATE_RULE Procedure	Creates a rule
CREATE_RULE_SET Procedure	Creates a rule set
DELETE_RULE Procedure	Deletes a rule
DELETE_RULE_FROM_RULE_SET Procedure	Deletes a rule from a rule set
DELETE_RULE_SET Procedure	Deletes a rule set
RENAME_RULE Procedure	Renames a rule. The name change takes effect everywhere the rule is used.
RENAME_RULE_SET Procedure	Renames a rule set. The name change takes effect everywhere the rule set is used.
SYNC_RULES Procedure	Synchronizes the rules
UPDATE_RULE Procedure	Updates a rule
UPDATE_RULE_SET Procedure	Updates a rule set

ADD_RULE_TO_RULE_SET Procedure

The ADD_RULE_TO_RULE_SET procedure adds rule to a rule set, and lets you specify whether to have the rule be checked when the rule set is evaluated.

Syntax

DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name  IN VARCHAR2, 
  rule_name      IN VARCHAR2, 
  rule_order     IN NUMBER, 
  enabled        IN VARCHAR2);

Parameters

Table 12-13 ADD_RULE_TO_RULE_SET Parameters

Parameter	Description
`rule_set_name`	Rule set name. To find existing rule sets in the current database instance, query the `DVSYS.DBA_DV_RULE_SET` view, described in "DBA_DV_RULE_SET View".
`rule_name`	Rule to add to the rule set. To find existing rules, query the `DVSYS.DBA_DV_RULE` view, described in "DBA_DV_RULE View". To find rules that have been associated with rule sets, use `DVSYS.DBA_DV_RULE_SET_RULE`, described in "DBA_DV_RULE View".
`rule_order`	Does not apply to this release, but you must include a value for the `ADD_RULE_TO_RULE_SET` procedure to work. Enter `1`.
`enabled`	Optional. Determines whether the rule should be checked when the rule set is evaluated. Possible values are: `Y` (yes; default). Enables the rule to be checked during the rule set evaluation. `N` (no). Prevents the rule from being checked during the rule set evaluation. You can also enter the following `DVSYS.DBMS_MACUTL` constants: `G_YES` (default) `G_NO` See Table 14-1 for more information.

Examples

The following example adds a rule to a rule set, and by omitting the enabled parameter, automatically enables the rule to be checked when the rule set is evaluated.

BEGIN
 DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name => 'Limit_DBA_Access', 
  rule_name     => 'Restrict DROP TABLE operations',
  rule_order    => 1);
END;
/

This example adds the rule to the rule set but disables rule checking.

BEGIN
 DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
  rule_set_name => 'Limit_DBA_Access',
  rule_name     => 'Check UPDATE operations',
  rule_order    => 1,
  enabled       => DBMS_MACUTL.G_NO);
END;
/

CREATE_RULE Procedure

The CREATE_RULE procedure creates a rule. After you create a rule, you can add it to a rule set.

Syntax

DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name  IN VARCHAR2, 
  rule_expr  IN VARCHAR2);

Parameters

Table 12-14 CREATE_RULE Parameters

Parameter Description

Parameter	Description
`rule_name`	Rule name, up to 90 characters in mixed-case. Spaces are allowed. To find existing rules in the current database instance, query the `DVSYS.DBA_DV_RULE` view, described in "DBA_DV_RULE View". To find rules that have been associated with rule sets, query `DVSYS.DBA_DV_RULE_SET_RULE`, described in "DBA_DV_RULE_SET_RULE View".
`rule_expr`	PL/SQL `BOOLEAN` expression. If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example: 'TO_CHAR(SYSDATE,''HH24'') = ''12''' See "Creating a New Rule" for more information on rule expressions.

rule_name

Rule name, up to 90 characters in mixed-case. Spaces are allowed.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".

rule_expr

PL/SQL BOOLEAN expression.

If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example:

'TO_CHAR(SYSDATE,''HH24'') = ''12'''

See "Creating a New Rule" for more information on rule expressions.

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE(
  rule_name  => 'Check UPDATE operations', 
  rule_expr  =>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SYSADM''');
END;
/

CREATE_RULE_SET Procedure

The CREATE_RULE_SET procedure creates a rule set. After you create a rule set, you can use the CREATE_RULE and ADD_RULE_TO_RULE_SET procedures to create and add rules to the rule set.

Syntax

DVSYS.DBMS_MACADM.CREATE_RULE_SET(
  rule_set_name    IN VARCHAR2, 
  description      IN VARCHAR2, 
  enabled          IN VARCHAR2, 
  eval_options     IN NUMBER, 
  audit_options    IN NUMBER, 
  fail_options     IN NUMBER, 
  fail_message     IN VARCHAR2, 
  fail_code        IN NUMBER, 
  handler_options  IN NUMBER, 
  handler          IN VARCHAR2,
  is_static        IN BOOLEAN DEFAULT FALSE);

Parameters

Table 12-15 CREATE_RULE_SET Parameters

Parameter	Description
`rule_set_name`	Rule set name, up to 90 characters in mixed-case. Spaces are allowed. To find existing rule sets in the current database instance, query the `DVSYS.DBA_DV_RULE_SET` view, described in "DBA_DV_RULE_SET View".
`description`	Description of the purpose of the rule set, up to 1024 characters in mixed-case.
`enabled`	`Y` (yes) enables the rule set; `N` (no) disables it. The default is `Y`. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_YES` `G_NO`
`eval_options`	If you plan to assign multiple rules to the rule set, enter one of the following settings: `1`: All rules in the rule set must evaluate to true for the rule set itself to evaluate to true (default). `2`: At least one rule in the rule set must evaluate to true for the rule set itself to evaluate to true. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_RULESET_EVAL_ALL` (default) `G_RULESET_EVAL_ANY`
`audit_options`	Select one of the following settings: `0`: Disables auditing for the rule set (default) `1`: Creates an audit record when a rule set violation occurs `2`: Creates an audit record for a successful rule set evaluation `3`: Creates an audit record for both successful and failed rule set evaluations You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_RULESET_AUDIT_OFF` (default) `G_RULESET_AUDIT_SUCCESS` `G_RULESET_AUDIT_FAIL` `G_RULESET_AUDIT_FAIL + G_RULESET_AUDIT_SUCCESS` See "Audit Options" for more information.
`fail_options`	Options for reporting factor errors: `1`: Shows an error message (default) `2`: Does not show an error message You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_RULESET_FAIL_SHOW` (default) `G_RULESET_FAIL_SILENT` See "Error Handling Options" for more information.
`fail_message`	Enter an error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for `fail_code`.
`fail_code`	Enter a number in the range of -20000 to -20999 or 20000 to 20999 to associate with the `fail_message` parameter.
`handler_options`	Select one of the following settings: `0`: Disables error handling (default) `POWER(2,0)`: Calls handler on rule set failure `POWER(2,1)`: Calls handler on rule set success You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_RULESET_HANDLER_OFF` (default) `G_RULESET_HANDLER_FAIL` `G_RULESET_HANDLER_SUCCESS` See "Error Handling Options" for more information.
`handler`	Name of the PL/SQL function or procedure that defines the custom event handler logic. See "Error Handling Options" for more information.
`is_static`	Optional. Determines how often a rule set is evaluated when it is accessed. The default is `FALSE`. `TRUE`: The rule set is evaluated once during the user session. After that, the value is re-used. `FALSE`: The rule set evaluated every time.

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_RULE_SET(
  rule_set_name    => 'Limit_DBA_Access', 
  description      => 'DBA access through predefined processes', 
  enabled          => 'Y',
  eval_options     => 2,
  audit_options    => DBMS_MACUTL.G_RULESET_AUDIT_FAIL + DBMS_MACUTL.G_RULESET_AUDIT_SUCCESS,
  fail_options     => 2,
  fail_message     => '',
  fail_code        => 20461,
  handler_options  => DBMS_MACUTL.G_RULESET_HANDLER_FAIL, 
  handler          => 'dbavowner.email_alert',
  is_static        => TRUE);
END;
/

DELETE_RULE Procedure

The DELETE_RULE procedure deletes a rule.

Syntax

DVSYS.DBMS_MACADM.DELETE_RULE(
  rule_name IN VARCHAR2);

Parameter

Table 12-16 DELETE_RULE Parameter

Parameter Description

Parameter	Description
`rule_name`	Rule name. To find existing rules in the current database instance, query the `DVSYS.DBA_DV_RULE` view, described in "DBA_DV_RULE View". To find rules that have been associated with rule sets, query `DVSYS.DBA_DV_RULE_SET_RULE`, described in "DBA_DV_RULE_SET_RULE View".

rule_name

Rule name.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".

Example

EXEC DVSYS.DBMS_MACADM.DELETE_RULE('Check UPDATE operations');

DELETE_RULE_FROM_RULE_SET Procedure

The DELETE_RULE_FROM_RULE_SET procedure deletes a rule from a rule set.

Syntax

DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
  rule_set_name IN VARCHAR2, 
  rule_name     IN VARCHAR2);

Parameters

Table 12-17 DELETE_RULE_FROM_RULE_SET Parameters

Parameter Description

rule_set_name

Rule set name.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

rule_name

Rule to remove from the rule set.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
  rule_set_name => 'Limit_DBA_Access', 
  rule_name     => 'Check UPDATE operations');
END;
/

DELETE_RULE_SET Procedure

The DELETE_RULE_SET procedure deletes a rule set.

Syntax

DVSYS.DBMS_MACADM.DELETE_RULE_SET(
  rule_set_name IN VARCHAR2);

Parameters

Table 12-18 DELETE_RULE_SET Parameter

Parameter Description

rule_set_name

Rule set name.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

Example

EXEC DVSYS.DBMS_MACADM.DELETE_RULE_SET('Limit_DBA_Access');

RENAME_RULE Procedure

The RENAME_RULE procedure renames a rule. The name change takes effect everywhere the rule is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_RULE(
  rule_name  IN VARCHAR2, 
  new_name   IN VARCHAR2);

Parameters

Table 12-19 RENAME_RULE Parameters

Parameter Description

Parameter	Description
`rule_name`	Current rule name. To find existing rules in the current database instance, query the `DVSYS.DBA_DV_RULE` view, described in "DBA_DV_RULE View". To find rules that have been associated with rule sets, query `DVSYS.DBA_DV_RULE_SET_RULE`, described in "DBA_DV_RULE_SET_RULE View".
`new_name`	New rule name, up to 90 characters in mixed-case.

rule_name

Current rule name.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".

new_name

New rule name, up to 90 characters in mixed-case.

Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_RULE(
  rule_name  => 'Check UPDATE operations', 
  new_name   => 'Check Sector 2 Processes');
END; 
/

RENAME_RULE_SET Procedure

The RENAME_RULE_SET procedure renames a rule set. The name change takes effect everywhere the rule set is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_RULE_SET(
  rule_set_name IN VARCHAR2, 
  new_name      IN VARCHAR2);

Parameters

Table 12-20 RENAME_RULE_SET Parameters

Parameter Description

Parameter	Description
`rule_set_name`	Current rule set name. To find existing rule sets in the current database instance, query the `DVSYS.DBA_DV_RULE_SET` view, described in "DBA_DV_RULE_SET View".
`new_name`	New rule set name, up to 90 characters in mixed-case. Spaces are allowed.

rule_set_name

Current rule set name.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

new_name

New rule set name, up to 90 characters in mixed-case. Spaces are allowed.

Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_RULE_SET(
  rule_set_name => 'Limit_DBA_Access', 
  new_name      => 'Limit Sector 2 Access'); 
END;
/

SYNC_RULES Procedure

The SYNC_RULES procedure synchronizes the rules in Oracle Database Vault and Advanced Queuing Rules engine. You must perform this operation immediately after you roll back an ADD_RULE_TO_RULESET, a DELETE_RULE, or an UPDATE_RULE operation.

Syntax

DVSYS.DBMS_MACADM.SYNC_RULES();

Parameters

None.

Example

EXEC DVSYS.DBMS_MACADM.SYNC_RULES();

UPDATE_RULE Procedure

The UPDATE_RULE procedure updates a rule.

Syntax

DVSYS.DBMS_MACADM.UPDATE_RULE(
  rule_name  IN VARCHAR2, 
  rule_expr  IN VARCHAR2);

Parameters

Table 12-21 UPDATE_RULE Parameters

Parameter Description

Parameter	Description
`rule_name`	Rule name. To find existing rules in the current database instance, query the `DVSYS.DBA_DV_RULE` view, described in "DBA_DV_RULE View". To find rules that have been associated with rule sets, query `DVSYS.DBA_DV_RULE_SET_RULE`, described in "DBA_DV_RULE_SET_RULE View".
`rule_expr`	PL/SQL `BOOLEAN` expression. If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example: 'TO_CHAR(SYSDATE,''HH24'') = ''12''' See "Creating a New Rule" for more information on rule expressions. To find existing rule expressions, query the `DVSYS.DBA_DV_RULE` view.

rule_name

Rule name.

To find existing rules in the current database instance, query the DVSYS.DBA_DV_RULE view, described in "DBA_DV_RULE View".

To find rules that have been associated with rule sets, query DVSYS.DBA_DV_RULE_SET_RULE, described in "DBA_DV_RULE_SET_RULE View".

rule_expr

PL/SQL BOOLEAN expression.

If the expression contains quotation marks, do not use double quotation marks. Instead, use two single quotation marks. Enclose the entire expression within single quotation marks. For example:

'TO_CHAR(SYSDATE,''HH24'') = ''12'''

See "Creating a New Rule" for more information on rule expressions.

To find existing rule expressions, query the DVSYS.DBA_DV_RULE view.

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_RULE(
  rule_name  => 'Check UPDATE operations', 
  rule_expr  =>'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SYSADM'' AND
               (
                 UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''APPSRVR%'' OR
                 UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) LIKE ''DBAPP%'' )'
               );
END;
/

UPDATE_RULE_SET Procedure

The UPDATE_RULE_SET procedure updates a rule set.

Syntax

DVSYS.DBMS_MACADM.UPDATE_RULE_SET(
  rule_set_name    IN VARCHAR2,
  description      IN VARCHAR2, 
  enabled          IN VARCHAR2, 
  eval_options     IN NUMBER, 
  audit_options    IN NUMBER, 
  fail_options     IN NUMBER, 
  fail_message     IN VARCHAR2, 
  fail_code        IN NUMBER, 
  handler_options  IN NUMBER, 
  handler          IN VARCHAR2,
  is_static        IN BOOLEAN DEFAULT FALSE);

Parameters

Table 12-22 UPDATE_RULE_SET Parameters

Parameter	Description
`rule_set_name`	Rule set name. To find existing rule sets in the current database instance, query the `DVSYS.DBA_DV_RULE_SET` view, described in "DBA_DV_RULE_SET View".
`description`	Description of the purpose of the rule set, up to 1024 characters in mixed-case.
`enabled`	`Y` (yes) enables rule set checking; `N` (no) disables it. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_YES` `G_NO` The default for the `enabled` setting is the previously set value, which you can find by querying the `DVSYS.DBA_DV_RULE_SET` data dictionary view.
`eval_options`	If you plan to assign multiple rules to the rule set, enter one of the following settings: `1`: All rules in the rule set must evaluate to true for the rule set itself to evaluate to true. `2`: At least one rule in the rule set must evaluate to true for the rule set itself to evaluate to true. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_RULESET_EVAL_ALL` `G_RULESET_EVAL_ANY` The default for `eval_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_RULE_SET` data dictionary view.
`audit_options`	Select one of the following settings: `0`: Disables auditing for the rule set `1`: Creates an audit record when a rule set violation occurs `2`: Creates an audit record for a successful rule set evaluation `3`: Creates an audit record for both successful and failed rule set evaluations You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_RULESET_AUDIT_OFF` `G_RULESET_AUDIT_FAIL` `G_RULESET_AUDIT_SUCCESS` `G_RULESET_AUDIT_FAIL + G_RULESET_AUDIT_SUCCESS` The default for `audit_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_RULE_SET` data dictionary view. See "Audit Options" for more information.
`fail_options`	Options for reporting factor errors: `1`: Shows an error message. `2`: Does not show an error message. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_RULESET_FAIL_SHOW` `G_RULESET_FAIL_SILENT` The default for `fail_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_RULE_SET` data dictionary view. See "Error Handling Options" for more information.
`fail_message`	Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for `fail_code`.
`fail_code`	Enter a number in the range of -20000 to -20999 or 20000 to 20999 to associate with the `fail_message` parameter.
`handler_options`	Select one of the following settings: `0`: Disables error handling. `POWER(2,0)`: Call handler on rule set failure. `POWER(2,1)`: Call handler on rule set success. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_RULESET_HANDLER_OFF` `G_RULESET_HANDLER_FAIL` `G_RULESET_HANDLER_SUCCESS` The default for `handler_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_RULE_SET` data dictionary view. See "Error Handling Options" for more information.
`handler`	Name of the PL/SQL function or procedure that defines the custom event handler logic. See "Error Handling Options" for more information.
`is_static`	Optional. Determines how often a rule set is evaluated when it is accessed by a SQL statement. `TRUE`: The rule set is evaluated once during the user session. After that, the value is re-used. `FALSE`: The rule set evaluated each time a SQL statement accesses it (default).

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_RULE_SET(
  rule_set_name    => 'Limit_DBA_Access', 
  description      => 'DBA access through predefined processes', 
  enabled          => 'Y',
  eval_options     => 2,
  audit_options    => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
  fail_options     => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
  fail_message     => 'Access denied!',
  fail_code        => 20900,
  handler_options  => DBMS_MACUTL.G_RULESET_HANDLER_OFF, 
  handler          => '',
  is_static        =  TRUE);
END;
/

Command Rule Procedures Within DVSYS.DBMS_MACADM

Table 12-23 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure command rules.

Chapter 6, "Configuring Command Rules," describes command rules in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the command rule procedures.

Table 12-23 DVSYS.DBMS_MACADM Command Rule Configuration Procedures

Procedure	Description
CREATE_COMMAND_RULE Procedure	Creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set
DELETE_COMMAND_RULE Procedure	Drops a command rule declaration
UPDATE_COMMAND_RULE Procedure	Updates a command rule declaration

CREATE_COMMAND_RULE Procedure

The CREATE_COMMAND_RULE procedure creates a command rule, associates it with a rule set, and lets you enable the command rule for rule checking with a rule set.

Syntax

DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
  command         IN VARCHAR2, 
  rule_set_name   IN VARCHAR2, 
  object_owner    IN VARCHAR2, 
  object_name     IN VARCHAR2, 
  enabled         IN VARCHAR2);

Parameters

Table 12-24 CREATE_COMMAND_RULE Parameters

Parameter	Description
`command`	SQL statement to protect. See also the following: "DBA_DV_COMMAND_RULE View" for a listing of existing command rules "SQL Statements That Can Be Protected by Command Rules" for a listing of available SQL statements that you can use Oracle Database SQL Language Reference for more information about SQL statements
`rule_set_name`	Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, query the `DVSYS.DBA_DV_RULE_SET` view, described in "DBA_DV_RULE_SET View".
`object_owner`	Database schema to which this command rule will apply. The wildcard `%` is allowed, except for the `SELECT`, `INSERT`, `UPDATE`, `DELETE`, and `EXECUTE` statements. To find the available users, query the `DBA_USERS` view, described in Oracle Database Reference. See also "Object Owner" in "Creating and Editing a Command Rule" for more information.
`object_name`	Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the `ALL_OBJECTS` view, described in Oracle Database Reference.
`enabled`	`Y` (yes) enables the command rule; `N` (no) disables it. The default is `Y`. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_YES` `G_NO`

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
  command         => 'SELECT', 
  rule_set_name   => 'Limit Sector 2 Access', 
  object_owner    => 'SYSADM', 
  object_name     => 'EMP_DATA', 
  enabled         => DBMS_MACUTL.G_YES);
END; 
/

DELETE_COMMAND_RULE Procedure

The DELETE_COMMAND_RULE procedure drops a command rule declaration.

Syntax

DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE(
  command      IN VARCHAR2, 
  object_owner IN VARCHAR2, 
  object_name  IN VARCHAR2);

Parameters

Table 12-25 DELETE_COMMAND_RULE Parameters

Parameter Description

Parameter	Description
`command`	SQL statement the command rule protects. To find available command rules, query the `DVSYS.DBA_DV_COMMAND_RULE` view, described in "DBA_DV_COMMAND_RULE View"
`object_owner`	Database schema to which this command rule applies. To find the available users in the current database instance, query the `DBA_USERS` view, described in Oracle Database Reference. See also "Object Owner" in "Creating and Editing a Command Rule" for more information.
`object_name`	Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the `ALL_OBJECTS` view, described in Oracle Database Reference.

command

SQL statement the command rule protects.

To find available command rules, query the DVSYS.DBA_DV_COMMAND_RULE view, described in "DBA_DV_COMMAND_RULE View"

object_owner

Database schema to which this command rule applies.

To find the available users in the current database instance, query the DBA_USERS view, described in Oracle Database Reference.

See also "Object Owner" in "Creating and Editing a Command Rule" for more information.

object_name

Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.)

To find the available objects, query the ALL_OBJECTS view, described in Oracle Database Reference.

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_COMMAND_RULE(
  command      => 'SELECT', 
  object_owner => 'SYSADM', 
  object_name  => 'EMP_DATA'); 
END;
/

UPDATE_COMMAND_RULE Procedure

The UPDATE_COMMAND_RULE procedure updates a command rule declaration.

Syntax

DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
  command        IN VARCHAR2, 
  rule_set_name  IN VARCHAR2, 
  object_owner   IN VARCHAR2, 
  object_name    IN VARCHAR2, 
  enabled        IN VARCHAR2);

Parameters

Table 12-26 UPDATE_COMMAND_RULE Parameters

Parameter	Description
`command`	SQL statement to protect. See also the following: "SQL Statements That Can Be Protected by Command Rules" for a listing of available SQL statements that you can use "DBA_DV_COMMAND_RULE View" for a listing of existing command rules Oracle Database SQL Language Reference for more information about SQL statements
`rule_set_name`	Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, query the `DVSYS.DBA_DV_RULE_SET` view, described in "Oracle Database Vault Data Dictionary Views".
`object_owner`	Database schema to which this command rule applies. To find the available users, query the `DBA_USERS` view, described in Oracle Database Reference. See also "Object Owner" in "Creating and Editing a Command Rule" for more information.
`object_name`	Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, query the `ALL_OBJECTS` view, described in Oracle Database Reference.
`enabled`	`Y` (yes) enables the command rule; `N` (no) disables it. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_YES` `G_NO` The default for `enabled` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_COMMAND_RULE` data dictionary view.

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_COMMAND_RULE(
  command         => 'SELECT', 
  rule_set_name   => 'Limit Sector 2 Access', 
  object_owner    => 'SYSADM', 
  object_name     => '%', 
  enabled         => DBMS_MACUTL.G_NO);
END;
/

Factor Procedures and Functions Within DVSYS.DBMS_MACADM

Table 12-27 lists procedures and functions within the DVSYS.DBMS_MACADM package that you can use to configure factors.

See Also:

Chapter 7, "Configuring Factors," for detailed information about factors
Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the factor procedures
Chapter 15, "Using the Oracle Database Vault PL/SQL Interfaces," for a set of PL/SQL interfaces that you can use with factors

Table 12-27 DVSYS.DBMS_MACADM Factor Configuration Procedures

Procedure	Description
ADD_FACTOR_LINK Procedure	Specifies a parent-child relationship for two factors
ADD_POLICY_FACTOR Procedure	Specifies that the label for a factor contributes to the Oracle Label Security label for a policy.
CHANGE_IDENTITY_FACTOR Procedure	Associates an identity with a different factor
CHANGE_IDENTITY_VALUE Procedure	Updates the value of an identity
CREATE_DOMAIN_IDENTITY Procedure	Adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.
CREATE_FACTOR Procedure	Creates a factor
CREATE_FACTOR_TYPE Procedure	Creates a factor type
CREATE_IDENTITY Procedure	Creates an identity
CREATE_IDENTITY_MAP Procedure	Defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors)
DELETE_FACTOR Procedure	Deletes a factor
DELETE_FACTOR_LINK Procedure	Removes a parent-child relationship for two factors
DELETE_FACTOR_TYPE Procedure	Deletes a factor type
DELETE_IDENTITY Procedure	Removes an identity
DELETE_IDENTITY_MAP Procedure	Removes an identity map from a factor
DROP_DOMAIN_IDENTITY Procedure	Removes an Oracle RAC database node from a domain
GET_INSTANCE_INFO Function	Returns information from the `SYS.V_$INSTANCE` system table about the current database instance; returns a `VARCHAR2` value
GET_SESSION_INFO Function	Returns information from the `SYS.V_$SESSION` system table for the current session; returns a `VARCHAR2` value
RENAME_FACTOR Procedure	Renames a factor. The name change takes effect everywhere the factor is used.
RENAME_FACTOR_TYPE Procedure	Renames a factor type. The name change takes effect everywhere the factor type is used.
UPDATE_FACTOR Procedure	Updates a factor
UPDATE_FACTOR_TYPE Procedure	Updates the description of a factor type
UPDATE_IDENTITY Procedure	Updates the trust level of a factor identity

ADD_FACTOR_LINK Procedure

The ADD_FACTOR_LINK procedure specifies a parent-child relationship for two factors.

Syntax

DVSYS.DBMS_MACADM.ADD_FACTOR_LINK(
  parent_factor_name IN VARCHAR2, 
  child_factor_name  IN VARCHAR2, 
  label_indicator    IN VARCHAR2);

Parameters

Table 12-28 ADD_FACTOR_LINK Parameters

Parameter Description

Parameter	Description
`parent_factor_name`	Parent factor name. To find existing parent and child factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR_LINK` view, described in "DBA_DV_FACTOR_LINK View".
`child_factor_name`	Child factor name.
`label_indicator`	Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either `Y` (for Yes) or `N` (for No). You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_YES` `G_NO` To find the Oracle Label Security policies and labels associated with factors, query the following views, described in "Oracle Database Vault Data Dictionary Views": `DVSYS.DBA_DV_MAC_POLICY`: Lists Oracle Label Security policies defined in the current database instance. `DVSYS.DBA_DV_MAC_POLICY_FACTOR`: Lists the factors that are associated with Oracle Label Security policies for the current database instance. `DVSYS.DBA_DV_POLICY_LABEL`: Lists the Oracle Label Security label for each factor identifier in the `DVSYS.DBA_DV_IDENTITY` view for each policy.

parent_factor_name

Parent factor name.

To find existing parent and child factors in the current database instance, query the DVSYS.DBA_DV_FACTOR_LINK view, described in "DBA_DV_FACTOR_LINK View".

child_factor_name

Child factor name.

label_indicator

Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either Y (for Yes) or N (for No).

You can also use the following DVSYS.DBMS_MACUTL constants:

G_YES
G_NO

To find the Oracle Label Security policies and labels associated with factors, query the following views, described in "Oracle Database Vault Data Dictionary Views":

DVSYS.DBA_DV_MAC_POLICY: Lists Oracle Label Security policies defined in the current database instance.
DVSYS.DBA_DV_MAC_POLICY_FACTOR: Lists the factors that are associated with Oracle Label Security policies for the current database instance.
DVSYS.DBA_DV_POLICY_LABEL: Lists the Oracle Label Security label for each factor identifier in the DVSYS.DBA_DV_IDENTITY view for each policy.

Example

BEGIN
 DVSYS.DBMS_MACADM.ADD_FACTOR_LINK(
  parent_factor_name => 'HQ_ClientID', 
  child_factor_name  => 'Div1_ClientID', 
  label_indicator    => 'Y');
END;
/

ADD_POLICY_FACTOR Procedure

The ADD_POLICY_FACTOR procedure specifies that the label for a factor contributes to the Oracle Label Security label for a policy.

Syntax

DVSYS.DBMS_MACADM.ADD_POLICY_FACTOR(
  policy_name  IN VARCHAR2, 
  factor_name  IN VARCHAR2);

Parameters

Table 12-29 ADD_POLICY_FACTOR Parameters

Parameter Description

Parameter	Description
`policy_name`	Oracle Label Security policy name. To find the policies defined in the current database instance, query the `DVSYS.DBA_DV_MAC_POLICY` view, described in "DBA_DV_MAC_POLICY View". To find factors that are associated with Oracle Label Security policies, query `DVSYS.DBA_DV_MAC_POLICY_FACTOR`, described in "DBA_DV_MAC_POLICY_FACTOR View".
`factor_name`	Factor name. To find existing factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View".

policy_name

Oracle Label Security policy name.

To find the policies defined in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

To find factors that are associated with Oracle Label Security policies, query DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DBA_DV_MAC_POLICY_FACTOR View".

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

Example

BEGIN
 DVSYS.DBMS_MACADM.ADD_POLICY_FACTOR(
  policy_name  => 'AccessData', 
  factor_name  => 'Sector2_ClientID'); 
END;
/

CHANGE_IDENTITY_FACTOR Procedure

The CHANGE_IDENTITY_FACTOR procedure associates an identity with a different factor.

Syntax

DVSYS.DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
  factor_name     IN VARCHAR2, 
  value           IN VARCHAR2, 
  new_factor_name IN VARCHAR2);

Parameters

Table 12-30 CHANGE_IDENTITY_FACTOR Parameters

Parameter Description

Parameter	Description
`factor_name`	Current factor name. To find existing factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View".
`value`	Value of the identity to update. To find existing identities for each factor in the current database instance, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DBA_DV_IDENTITY View". To find current identity mappings, query the `DVSYS.DBA_DV_IDENTITY_MAP` view, described in "DBA_DV_IDENTITY_MAP View".
`new_factor_name`	Name of the factor to associate with the identity, which you can find by querying the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View".

factor_name

Current factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

value

Value of the identity to update.

To find existing identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

To find current identity mappings, query the DVSYS.DBA_DV_IDENTITY_MAP view, described in "DBA_DV_IDENTITY_MAP View".

new_factor_name

Name of the factor to associate with the identity, which you can find by querying the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

Example

BEGIN
 DVSYS.DBMS_MACADM.CHANGE_IDENTITY_FACTOR(
  factor_name     => 'Sector2_ClientID', 
  value           => 'intranet', 
  new_factor_name => 'Sector4_ClientID'); 
END;
/

CHANGE_IDENTITY_VALUE Procedure

The CHANGE_IDENTITY_FACTOR procedure updates the value of an identity.

Syntax

DVSYS.DBMS_MACADM.CHANGE_IDENTITY_VALUE(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  new_value    IN VARCHAR2);

Parameters

Table 12-31 CHANGE_IDENTITY_VALUE Parameters

Parameter Description

Parameter	Description
`factor_name`	Factor name. To find existing factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View"
`value`	Current value associated with the identity. To find existing identities for each factor in the current database instance, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DBA_DV_IDENTITY View". To find current identity mappings, query the `DVSYS.DBA_DV_IDENTITY_MAP` view, described in "DBA_DV_IDENTITY_MAP View".
`new_value`	New identity value, up to 1024 characters in mixed-case.

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View"

value

Current value associated with the identity.

To find existing identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

To find current identity mappings, query the DVSYS.DBA_DV_IDENTITY_MAP view, described in "DBA_DV_IDENTITY_MAP View".

new_value

New identity value, up to 1024 characters in mixed-case.

Example

BEGIN
 DVSYS.DBMS_MACADM.CHANGE_IDENTITY_VALUE(
  factor_name  => 'Sector2_ClientID', 
  value        => 'remote', 
  new_value    => 'intranet');
END; 
/

CREATE_DOMAIN_IDENTITY Procedure

The CREATE_DOMAIN_IDENTITY procedure adds an Oracle Real Application Clusters (Oracle RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.

Syntax

DVSYS.DBMS_MACADM.CREATE_DOMAIN_IDENTITY(
  domain_name  IN VARCHAR2, 
  domain_host  IN VARCHAR2, 
  policy_name  IN VARCHAR2 DEFAULT NULL, 
  domain_label IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-32 CREATE_DOMAIN_IDENTITY Parameters

Parameter	Description
`domain_name`	Name of the domain to which to add the host. To find the logical location of the database within the network structure within a distributed database system, run the `DVF.F$DATABASE_DOMAIN` function, described in "Oracle Database Vault PL/SQL Factor Functions".
`domain_host`	Oracle Real Application Clusters host name being added to the domain. To find host name of a database, run the `DVF.F$DATABASE_HOSTNAME` function, described in "Oracle Database Vault PL/SQL Factor Functions".
`policy_name`	Oracle Label Security policy name. If you omit the policy name, then the domain is not associated with any policy. To find the available policies, query the `DVSYS.DBA_DV_MAC_POLICY` view, described in "DBA_DV_MAC_POLICY View".
`domain_label`	Name of the domain to which to add the Oracle Label Security policy.

Examples

BEGIN
 DVSYS.DBMS_MACADM.CREATE_DOMAIN_IDENTITY(
  domain_name  => 'example', 
  domain_host  => 'mydom_host', 
  policy_name  => 'AccessData', 
  domain_label => 'sensitive'); 
END;
/

CREATE_FACTOR Procedure

The CREATE_FACTOR procedure creates a factor. After you create a factor, you can give it an identity by using the CREATE_IDENTITY procedure, described in "CREATE_IDENTITY Procedure".

Syntax

DVSYS.DBMS_MACADM.CREATE_FACTOR(
  factor_name       IN VARCHAR2, 
  factor_type_name  IN VARCHAR2, 
  description       IN VARCHAR2, 
  rule_set_name     IN VARCHAR2, 
  get_expr          IN VARCHAR2, 
  validate_expr     IN VARCHAR2, 
  identify_by       IN NUMBER, 
  labeled_by        IN NUMBER, 
  eval_options      IN NUMBER, 
  audit_options     IN NUMBER, 
  fail_options      IN NUMBER);

Parameters

Table 12-33 CREATE_FACTOR Parameters

Parameter	Description
`factor_name`	Factor name, up to 28 characters in mixed-case, without spaces. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View".
`factor_type_name`	Type of the factor, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the `DBA_DV_FACTOR_TYPE` view, described in "DBA_DV_FACTOR_TYPE View".
`description`	Description of the purpose of the factor, up to 1024 characters in mixed-case.
`rule_set_name`	Rule set name if you want to use a rule set to control when and how a factor identity is set. To find existing rule sets, query the `DVSYS.DBA_DV_RULE_SET` view, described in "Oracle Database Vault Data Dictionary Views". See also "Assignment Rule Set" for more information about assigning rule sets to factors.
`get_expr`	Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the `audit_options` parameter.
`validate_expr`	Name of the procedure to validate the factor. This is a valid PL/SQL expression that returns a Boolean value (`TRUE` or `FALSE`) to validate the identity of the factor. See "Validation Method" for more information.
`identify_by`	Options for determining the identity of a factor, based on the expression set for the `get_expr` parameter: `0`: By constant `1`: By method `2`: By factor `3`: By context You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_IDENTIFY_BY_CONSTANT` `G_IDENTIFY_BY_METHOD` `G_IDENTIFY_BY_FACTOR` `G_IDENTIFY_BY_CONTEXT` See "Factor Identification" for more information.
`labeled_by`	Options for labeling the factor: `0`: Labels the identities for the factor directly from the labels associated with an Oracle Label Security policy (default) `1`: Derives the factor identity label from the labels of its child factor identities. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_LABELED_BY_SELF` (default) `G_LABELED_BY_FACTORS` See "Factor Labeling" for more information.
`eval_options`	Options for evaluating the factor when the user logs on: `0`: When the database session is created (default) `1`: Each time the factor is accessed `2`: On start-up You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_EVAL_ON_SESSION` `G_EVAL_ON_ACCESS` `G_EVAL_ON_STARTUP` See "Evaluation" for more information.
`audit_options`	Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record. `0`: Disables auditing. `POWER(2,0)`: Always audits. `POWER(2,1)`: Audits if `get_expr` returns an error. `POWER(2,2)`: Audits if `get_expr` is null. `POWER(2,3)`: Audits if the validation procedure returns an error. `POWER(2,4)`: Audits if the validation procedure is false. `POWER(2,5)`: Audits if there is no trust level set. `POWER(2,6)`: Audits if the trust level is negative. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_AUDIT_OFF` `G_AUDIT_ALWAYS` `G_AUDIT_ON_GET_ERROR` `G_AUDIT_ON_GET_NULL` `G_AUDIT_ON_VALIDATE_ERROR` `G_AUDIT_ON_VALIDATE_FALSE` `G_AUDIT_ON_TRUST_LEVEL_NULL` `G_AUDIT_ON_TRUST_LEVEL_NEG` See "Audit Options" for more information.
`fail_options`	Options for reporting factor errors: `POWER(2,0)`: Shows an error message (default) `POWER(2,1)`: Does not show an error message You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_FAIL_WITH_MESSAGE` (default) `G_FAIL_SILENTLY` See "Error Options" for more information.

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_FACTOR(
  factor_name       => 'Sector2_DB', 
  factor_type_name  => 'Instance', 
  description       => ' ', 
  rule_set_name     => 'Limit_DBA_Access', 
  get_expr          => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', 
  validate_expr     => 'dbavowner.check_db_access', 
  identify_by       => 2, 
  labeled_by        => 0, 
  eval_options      => DBMS_MACUTL.G_EVAL_ON_SESSION, 
  audit_options     => DBMS_MACUTL.G_AUDIT_OFF, 
  fail_options      => DBMS_MACUTL.G_FAIL_SILENTLY); 
END;
/

CREATE_FACTOR_TYPE Procedure

The CREATE_FACTOR_TYPE procedure creates a user-defined factor type.

Syntax

DVSYS.DBMS_MACADM.CREATE_FACTOR_TYPE(
  name        IN VARCHAR2, 
  description IN VARCHAR2);

Parameters

Table 12-34 CREATE_FACTOR_TYPE Parameters

Parameter Description

Parameter	Description
`name`	Factor type name, up to 30 characters in mixed-case, without spaces. To find existing factor types, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DBA_DV_FACTOR_TYPE View".
`description`	Description of the purpose of the factor type, up to 1024 characters in mixed-case.

name

Factor type name, up to 30 characters in mixed-case, without spaces.

To find existing factor types, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

description

Description of the purpose of the factor type, up to 1024 characters in mixed-case.

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_FACTOR_TYPE(
  name        => 'Sector2Instance', 
  description => 'Checks DB instances used in Sector 2');
END;
/

CREATE_IDENTITY Procedure

The CREATE_IDENTITY procedure assigns an identity and an associated trust level for a given factor. After you create a factor, you must assign it an identity.

Syntax

DVSYS.DBMS_MACADM.CREATE_IDENTITY(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  trust_level  IN NUMBER);

Parameters

Table 12-35 CREATE_IDENTITY Parameters

Parameter Description

Parameter	Description
`factor_name`	Factor name. To find existing factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View".
`value`	The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.
`trust_level`	Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.

factor_name

Factor name.

To find existing factors, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

value

The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.

trust_level

Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted.

See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_IDENTITY(
  factor_name  => 'Sector2_ClientID', 
  value        => 'intranet', 
  trust_level  => 5); 
END;
/

CREATE_IDENTITY_MAP Procedure

The CREATE_IDENTITY_MAP procedure defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors).

Syntax

DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP(
  identity_factor_name  IN VARCHAR2,
  identity_factor_value IN VARCHAR2, 
  parent_factor_name    IN VARCHAR2, 
  child_factor_name     IN VARCHAR2, 
  operation             IN VARCHAR2, 
  operand1              IN VARCHAR2, 
  operand2              IN VARCHAR2);

Parameters

Table 12-36 CREATE_IDENTITY_MAP Parameters

Parameter	Description
`identity_factor_name`	Factor the identity map is for. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "Oracle Database Vault Data Dictionary Views".
`identity_factor_value`	Value the factor assumes if the identity map evaluates to `TRUE`. To find existing factor identities, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DBA_DV_IDENTITY View". To find current factor identity mappings, use `DVSYS.DBA_DV_IDENTITY_MAP`, described in "DBA_DV_IDENTITY_MAP View".
`parent_factor_name`	The parent factor link to which the map is related. To find existing parent-child factor mappings, query the `DVSYS.DBA_DV_IDENTITY_MAP` view, described in "DBA_DV_IDENTITY_MAP View".
`child_factor_name`	The child factor link to which the map is related.
`operation`	Relational operator for the identity map (for example, <, >, =, and so on).
`operand1`	Left operand for the relational operator; refers to the low value you enter.
`operand2`	Right operand for the relational operator; refers to the high value you enter.

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_IDENTITY_MAP(
  identity_factor_name  => 'Sector2_ClientID',
  identity_factor_value => 'intranet', 
  parent_factor_name    => 'HQ_ClientID', 
  child_factor_name     => 'Div1_ClientID', 
  operation             => '<', 
  operand1              => '192.0.2.50', 
  operand2              => '192.0.2.100');
END;
/

DELETE_FACTOR Procedure

The DELETE_FACTOR procedure deletes a factor.

Syntax

DVSYS.DBMS_MACADM.DELETE_FACTOR(
  factor_name IN VARCHAR2);

Parameters

Table 12-37 DELETE_FACTOR Parameter

Parameter Description

factor_name

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

Example

EXEC DVSYS.DBMS_MACADM.DELETE_FACTOR('Sector2_ClientID');

DELETE_FACTOR_LINK Procedure

The DELETE_FACTOR_LINK procedure removes a parent-child relationship for two factors.

Syntax

DVSYS.DBMS_MACADM.DELETE_FACTOR_LINK(
  parent_factor_name IN VARCHAR2, 
  child_factor_name  IN VARCHAR2);

Parameters

Table 12-38 DELETE_FACTOR_LINK Parameters

Parameter Description

Parameter	Description
`parent_factor_name`	Factor name. To find factors that are used in parent-child mappings in the current database instance, query the `DVSYS.DBA_DV_FACTOR_LINK` view, described in "DBA_DV_FACTOR_LINK View".
`child_factor_name`	Factor name.

parent_factor_name

Factor name.

To find factors that are used in parent-child mappings in the current database instance, query the DVSYS.DBA_DV_FACTOR_LINK view, described in "DBA_DV_FACTOR_LINK View".

child_factor_name

Factor name.

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_FACTOR_LINK(
  parent_factor_name => 'HQ_ClientID', 
  child_factor_name  => 'Div1_ClientID'); 
END;
/

DELETE_FACTOR_TYPE Procedure

The DELETE_FACTOR_TYPE procedure deletes a factor type.

Syntax

DVSYS.DBMS_MACADM.DELETE_FACTOR_TYPE(
  name IN VARCHAR2);

Parameters

Table 12-39 DELETE_FACTOR_TYPE Parameters

Parameter Description

Parameter	Description
`name`	Factor type name. To find existing factor types, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DBA_DV_FACTOR_TYPE View".

name

Factor type name.

To find existing factor types, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

Example

EXEC DVSYS.DBMS_MACADM.DELETE_FACTOR_TYPE('Sector2Instance');

DELETE_IDENTITY Procedure

The DELETE_IDENTITY procedure removes an identity from an existing factor.

Syntax

DVSYS.DBMS_MACADM.DELETE_IDENTITY(
  factor_name IN VARCHAR2, 
  value       IN VARCHAR2);

Parameters

Table 12-40 DELETE_IDENTITY Parameters

Parameter Description

factor_name

Factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

value

Identity value associated with the factor.

To find the identities for each factor in the current database instance, query the DVSYS.DBA_DV_IDENTITY view, described in "DBA_DV_IDENTITY View".

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_IDENTITY(
  factor_name => 'Sector2_ClientID', 
  value       => 'intranet'); 
END;
/

DELETE_IDENTITY_MAP Procedure

The DELETE_IDENTITY_MAP procedure removes an identity map for a factor.

Syntax

DVSYS.DBMS_MACADM.DELETE_IDENTITY_MAP(
  identity_factor_name  IN VARCHAR2, 
  identity_factor_value IN VARCHAR2,
  parent_factor_name    IN VARCHAR2, 
  child_factor_name     IN VARCHAR2, 
  operation             IN VARCHAR2, 
  operand1              IN VARCHAR2, 
  operand2              IN VARCHAR2);

Parameters

Table 12-41 DELETE_IDENTITY_MAP Parameters

Parameter	Description
`identity_factor_name`	Factor the identity map is for. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View".
`identity_factor_value`	Value the factor assumes if the identity map evaluates to `TRUE`. To find existing factor identities, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DBA_DV_IDENTITY View". To find current factor identity mappings, query `DVSYS.DBA_DV_IDENTITY_MAP`, described in "DBA_DV_IDENTITY_MAP View".
`parent_factor_name`	The parent factor link to which the map is related. To find existing parent-child factors, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR_LINK View".
`child_factor_name`	The child factor to which the map is related.
`operation`	Relational operator for the identity map (for example, <, >, =, and so on).
`operand1`	Left (low value) operand for the relational operator.
`operand2`	Right (high value) operand for the relational operator.

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_IDENTITY_MAP(
  identity_factor_name  => 'Sector2_ClientID',
  identity_factor_value => 'intranet', 
  parent_factor_name    => 'HQ_ClientID', 
  child_factor_name     => 'Div1_ClientID', 
  operation             => '<', 
  operand1              => '192.0.2.10', 
  operand2              => '192.0.2.15');
END;
/

DROP_DOMAIN_IDENTITY Procedure

The DROP_DOMAIN_IDENTITY procedure removes an Oracle Real Application Clusters database node from a domain.

Syntax

DVSYS.DBMS_MACADM.DROP_DOMAIN_IDENTITY(
  domain_name  IN VARCHAR2, 
  domain_host  IN VARCHAR2);

Parameters

Table 12-42 DROP_DOMAIN_IDENTITY Parameters

Parameter Description

Parameter	Description
`domain_name`	Name of the domain to which the host was added. To find the domain of a database as specified by the `DB_DOMAIN` initialization parameter, run the `DVF.F$DATABASE_DOMAIN` function, described in "Oracle Database Vault PL/SQL Factor Functions".
`domain_host`	Oracle Real Application Clusters host name being that was added to the domain. To find the host name for a specified database, run the `DVF.F$DATABASE_HOSTNAME` function, described in "Oracle Database Vault PL/SQL Factor Functions".

domain_name

Name of the domain to which the host was added.

To find the domain of a database as specified by the DB_DOMAIN initialization parameter, run the DVF.F$DATABASE_DOMAIN function, described in "Oracle Database Vault PL/SQL Factor Functions".

domain_host

Oracle Real Application Clusters host name being that was added to the domain.

To find the host name for a specified database, run the DVF.F$DATABASE_HOSTNAME function, described in "Oracle Database Vault PL/SQL Factor Functions".

Example

BEGIN
 DVSYS.DBMS_MACADM.DROP_DOMAIN_IDENTITY(
  domain_name  => 'example', 
  domain_host  => 'mydom_host'); 
END;
/

GET_INSTANCE_INFO Function

The GET_INSTANCE_INFO function returns information from the SYS.V_$INSTANCE system table about the current database instance. The V$INSTANCE data dictionary view also contains database instance information from this table. See Oracle Database Reference for more information.

Syntax

DVSYS.DBMS_MACADM.GET_INSTANCE_INFO(
  p_parameter IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 12-43 GET_INSTANCE_INFO Parameter

Parameter	Description
`p_parameter`	Column name in the `SYS.V_$INSTANCE` system table

Example

DECLARE
 instance_var varchar2 := null;
BEGIN 
 instance_var = DVSYS.DBMS_MACADM.GET_INSTANCE_INFO('INSTANCE_NAME'); 
END;
/

GET_SESSION_INFO Function

The GET_SESSION_INFO function returns information from the SYS.V_$SESSION system table for the current session. The V$SESSION data dictionary view also contains session information from this table. See Oracle Database Reference for more information.

Syntax

DVSYS.DBMS_MACADM.GET_SESSION_INFO(
  p_parameter IN VARCHAR2)
RETURN VARCHAR2;

Parameters

Table 12-44 GET_SESSION_INFO Parameter

Parameter	Description
`p_parameter`	Column name in the `SYS.V_$SESSION` system table.

Example

DECLARE
 session_var varchar2 := null;
BEGIN 
 session_var = DVSYS.DBMS_MACADM.GET_SESSION_INFO('PROCESS'); 
END;
/

RENAME_FACTOR Procedure

The RENAME_FACTOR procedure renames a factor. The name change takes effect everywhere the factor is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_FACTOR(
  factor_name     IN VARCHAR2, 
  new_factor_name IN VARCHAR2);

Parameters

Table 12-45 RENAME_FACTOR Parameters

Parameter Description

Parameter	Description
`factor_name`	Current factor name. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View".
`new_factor_name`	New factor name, up to 28 characters in mixed-case, without spaces.

factor_name

Current factor name.

To find existing factors in the current database instance, query the DVSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

new_factor_name

New factor name, up to 28 characters in mixed-case, without spaces.

Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_FACTOR(
  factor_name     => 'Sector2_ClientID', 
  new_factor_name => 'Sector2_Clients');
END;
/

RENAME_FACTOR_TYPE Procedure

The RENAME_FACTOR procedure renames a factor type. The name change takes effect everywhere the factor type is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_FACTOR_TYPE(
  old_name  IN VARCHAR2, 
  new_name  IN VARCHAR2);

Parameters

Table 12-46 RENAME_FACTOR_TYPE Parameters

Parameter Description

Parameter	Description
`old_name`	Current factor type name. To find existing factor types in the current database instance, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DBA_DV_FACTOR_TYPE View".
`new_name`	New factor type name, up to 30 characters in mixed-case, without spaces.

old_name

Current factor type name.

To find existing factor types in the current database instance, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

new_name

New factor type name, up to 30 characters in mixed-case, without spaces.

Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_FACTOR_TYPE(
  old_name  => 'Sector2Instance', 
  new_name  => 'Sector2DBInstance'); 
END;
/

UPDATE_FACTOR Procedure

The UPDATE_FACTOR procedure updates the description of a factor type.

Syntax

DVSYS.DBMS_MACADM.UPDATE_FACTOR(
  factor_name       IN VARCHAR2, 
  factor_type_name  IN VARCHAR2, 
  description       IN VARCHAR2, 
  rule_set_name     IN VARCHAR2, 
  get_expr          IN VARCHAR2, 
  validate_expr     IN VARCHAR2, 
  identify_by       IN NUMBER, 
  labeled_by        IN NUMBER, 
  eval_options      IN NUMBER, 
  audit_options     IN NUMBER, 
  fail_options      IN NUMBER);

Parameters

Table 12-47 UPDATE_FACTOR

Parameter	Description
`factor_name`	Factor name. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View".
`factor_type_name`	Factor type name. To find existing factor types, query the `DVSYS.DBA_DV_FACTOR_TYPE` view, described in "DBA_DV_FACTOR_TYPE View".
`description`	Description of the purpose of the factor, up to 1024 characters in mixed-case.
`rule_set_name`	Name of the rule set used to control when and how a factor identity is set. To find existing rule sets, query the `DVSYS.DBA_DV_RULE_SET` view, described in "Oracle Database Vault Data Dictionary Views". See also "Assignment Rule Set" for more information about assigning rule sets to factors.
`get_expr`	Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the `audit_options` parameter.
`validate_expr`	Name of the procedure to validate factor. This is a valid PL/SQL expression that returns a Boolean value (`TRUE` or `FALSE`) to validate the identity of the factor. See "Validation Method" for more information.
`identify_by`	Options for determining the identity of a factor, based on the expression set for the `get_expr` parameter: `0`: By constant `1`: By method `2`: By factor `3`: By context You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_IDENTIFY_BY_CONSTANT` `G_IDENTIFY_BY_METHOD` `G_IDENTIFY_BY_FACTOR` `G_IDENTIFY_BY_CONTEXT` See "Factor Identification" for more information.
`labeled_by`	Options for labeling the factor: `0`: Labels the identities for the factor directly from the labels associated with an Oracle Label Security policy `1`: Derives the factor identity label from the labels of its child factor identities. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_LABELED_BY_SELF` `G_LABELED_BY_FACTORS` The default for `labeled_by` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_FACTOR` data dictionary view. See "Factor Labeling" for more information.
`eval_options`	Options for evaluating the factor when the user logs on: `0`: When the database session is created `1`: Each time the factor is accessed `2`: On start-up You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_EVAL_ON_SESSION` `G_EVAL_ON_ACCESS` `G_EVAL_ON_ACCESS` The default for `eval_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_FACTOR` data dictionary view. See "Evaluation" for more information.
`audit_options`	Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record. `0`: Disables auditing. `POWER(2,0)`: Always audits. `POWER(2,1)`: Audits if `get_expr` returns an error. `POWER(2,2)`: Audits if `get_expr` is null. `POWER(2,3)`: Audits if the validation procedure returns an error. `POWER(2,4)`: Audits if the validation procedure is false. `POWER(2,5)`: Audits if there is no trust level set. `POWER(2,6)`: Audits if the trust level is negative. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_AUDIT_OFF` `G_AUDIT_ALWAYS` `G_AUDIT_ON_GET_ERROR` `G_AUDIT_ON_GET_NULL` `G_AUDIT_ON_VALIDATE_ERROR` `G_AUDIT_ON_VALIDATE_FALSE` `G_AUDIT_ON_TRUST_LEVEL_NULL` `G_AUDIT_ON_TRUST_LEVEL_NEG` The default for `audit_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_FACTOR` data dictionary view. See "Audit Options" for more information.
`fail_options`	Options for reporting factor errors: `POWER(2,0)`: Shows an error message. `POWER(2,1)`: Does not show an error message. You can also use the following `DVSYS.DBMS_MACUTL` constants: `G_FAIL_WITH_MESSAGE` `G_FAIL_SILENTLY` The default for `fail_options` is the previously set value, which you can find by querying the `DVSYS.DBA_DV_FACTOR` data dictionary view. See "Error Options" for more information.

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_FACTOR(
  factor_name       => 'Sector2_DB', 
  factor_type_name  => 'Instance', 
  description       => ' ', 
  rule_set_name     => 'Limit_DBA_Access', 
  get_expr          => 'UPPER(SYS_CONTEXT(''USERENV'',''DB_NAME''))', 
  validate_expr     => 'dbavowner.check_db_access', 
  identify_by       => 2, 
  labeled_by        => 0, 
  eval_options      => DBMS_MACUTL.G_EVAL_ON_ACCESS, 
  audit_options     => DBMS_MACUTL.G_AUDIT_ALWAYS, 
  fail_options      => DBMS_MACUTL.G_FAIL_WITH_MESSAGE); 
END;
/

UPDATE_FACTOR_TYPE Procedure

The UPDATE_FACTOR_TYPE procedure updates a factor type.

Syntax

DVSYS.DBMS_MACADM.UPDATE_FACTOR_TYPE(
  name         IN VARCHAR2, 
  description  IN VARCHAR2);

Parameters

Table 12-48 UPDATE_FACTOR_TYPE Parameters

Parameter Description

name

Factor type name.

To find existing factor types in the current database instance, query the DVSYS.DBA_DV_FACTOR_TYPE view, described in "DBA_DV_FACTOR_TYPE View".

description

Description of the purpose of the factor type, up to 1024 characters in mixed case.

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_FACTOR_TYPE(
  name        => 'Sector2DBInstance', 
  description => 'Checks DB instances used in Sector 2');
END;
/

UPDATE_IDENTITY Procedure

The UPDATE_IDENTITY procedure updates the trust level of a factor identity.

Syntax

DVSYS.DBMS_MACADM.UPDATE_IDENTITY(
  factor_name  IN VARCHAR2, 
  value        IN VARCHAR2, 
  trust_level  IN NUMBER);

Parameters

Table 12-49 UPDATE_IDENTITY Parameters

Parameter Description

factor_name

Factor name.

To find existing factors in the current database instance, query the DBSYS.DBA_DV_FACTOR view, described in "DBA_DV_FACTOR View".

To find factors that have identities, query DVSYS.DBA_DV_IDENTITY, described in "DBA_DV_IDENTITY View".

value

New factor identity, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 192.0.2.12.

trust_level

See "Creating and Configuring a Factor Identity" for more information about trust levels and label security.

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_IDENTITY(
  factor_name  => 'Sector2_ClientID', 
  value        => 'intranet', 
  trust_level  => 10); 
END;
/

Secure Application Role Procedures Within DVSYS.DBMS_MACADM

Table 12-50 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure Oracle Database Vault secure application roles.

Chapter 8, "Configuring Secure Application Roles for Oracle Database Vault," describes secure application roles in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the secure application role procedures.

Table 12-50 DVSYS.DBMS_MACADM Secure Application Role Configuration Procedures

Procedure	Description
CREATE_ROLE Procedure	Creates an Oracle Database Vault secure application role
DELETE_ROLE Procedure	Deletes an Oracle Database Vault secure application role
RENAME_ROLE Procedure	Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.
UPDATE_ROLE Procedure	Updates a Oracle Database Vault secure application role

CREATE_ROLE Procedure

The CREATE_ROLE procedure creates an Oracle Database Vault secure application role.

Syntax

DVSYS.DBMS_MACADM.CREATE_ROLE(
  role_name      IN VARCHAR2, 
  enabled        IN VARCHAR2,
  rule_set_name  IN VARCHAR2);

Parameters

Table 12-51 CREATE_ROLE Parameters

Parameter Description

role_name

Role name, up to 30 characters, with no spaces. Preferably, enter the role name in upper case letters, though you are not required to do so.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

enabled

Y (yes) makes the role available for enabling; N (no) prevents the role from being enabled. The default is Y.

You can also use the following DVSYS.DBMS_MACUTL constants:

G_YES
G_NO

rule_set_name

Name of rule set to determine whether a user can set this secure application role.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_ROLE(
  role_name      => 'Sector2_APP_MGR', 
  enabled        => 'Y',
  rule_set_name  => 'Check App2 Access');
END;
/

DELETE_ROLE Procedure

The DELETE_ROLE procedure deletes an Oracle Database Vault secure application role.

Syntax

DVSYS.DBMS_MACADM.DELETE_ROLE(
  role_name IN VARCHAR2);

Parameters

Table 12-52 DELETE_ROLE Parameter

Parameter Description

role_name

Role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

Example

EXEC DVSYS.DBMS_MACADM.DELETE_ROLE('SECT2_APP_MGR');

RENAME_ROLE Procedure

The RENAME_ROLE procedure renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.

Syntax

DVSYS.DBMS_MACADM.RENAME_ROLE(
  role_name      IN VARCHAR2, 
  new_role_name  IN VARCHAR2);

Parameters

Table 12-53 RENAME_ROLE Parameters

Parameter Description

role_name

Current role name. Preferably, enter the role name in upper case letters, though you are not required to do so.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

new_role_name

Role name, up to 30 characters, in uppercase, with no spaces. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Language Reference.

Example

BEGIN
 DVSYS.DBMS_MACADM.RENAME_ROLE(
  role_name      => 'SECT2_APP_MGR', 
  new_role_name  => 'SECT2_SYSADMIN');
END;
/

UPDATE_ROLE Procedure

The UPDATE_ROLE procedure updates a Oracle Database Vault secure application role.

Syntax

DVSYS.DBMS_MACADM.UPDATE_ROLE(
  role_name      IN VARCHAR2, 
  enabled        IN VARCHAR2, 
  rule_set_name  IN VARCHAR2);

Parameters

Table 12-54 UPDATE_ROLE Parameters

Parameter Description

role_name

Role name.

To find existing secure application roles in the current database instance, query the DVSYS.DBA_DV_ROLE view, described in "DBA_DV_ROLE View".

enabled

Y (yes) makes the role available for enabling; N (no) prevents the role from being enabled.

You can also use the following DVSYS.DBMS_MACUTL constants:

G_YES
G_NO

The default for enabled is the previously set value, which you can find by querying the DVSYS.DBA_DV_ROLE data dictionary view.

rule_set_name

Name of rule set to determine whether a user can set this secure application role.

To find existing rule sets in the current database instance, query the DVSYS.DBA_DV_RULE_SET view, described in "DBA_DV_RULE_SET View".

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_ROLE(
  role_name      => 'SECT2_SYSADMIN', 
  enabled        => 'Y', 
  rule_set_name  => 'System Access Controls');
END;
/

Oracle Label Security Policy Procedures Within DVSYS.DBMS_MACADM

Table 12-55 lists procedures within the DVSYS.DBMS_MACADM package that you can use to configure Oracle Label Security policies for Oracle Database Vault.

Chapter 9, "Integrating Oracle Database Vault with Other Oracle Products," describes Oracle Label Security policies in detail. See also Chapter 14, "Using the DVSYS.DBMS_MACUTL Package," for a set of general-purpose utility procedures that you can use with the Oracle Label Security policy procedures.

Table 12-55 DVSYS.DBMS_MACADM Oracle Label Security Configuration Procedures

Procedure	Description
CREATE_MAC_POLICY Procedure	Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label
CREATE_POLICY_LABEL Procedure	Labels an identity within an Oracle Label Security policy
DELETE_MAC_POLICY_CASCADE Procedure	Deletes all Oracle Database Vault objects related to an Oracle Label Security policy.
DELETE_POLICY_FACTOR Procedure	Removes the factor from contributing to the Oracle Label Security label
DELETE_POLICY_LABEL Procedure	Removes the label from an identity within an Oracle Label Security policy
UPDATE_MAC_POLICY Procedure	Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label

CREATE_MAC_POLICY Procedure

The CREATE_MAC_POLICY procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.

Syntax

DVSYS.DBMS_MACADM.CREATE_MAC_POLICY(
  policy_name  IN VARCHAR2,
  algorithm    IN VARCHAR2);

Parameters

Table 12-56 CREATE_MAC_POLICY Parameters

Parameter Description

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

algorithm

Merge algorithm for cases when Oracle Label Security has merged two labels. Enter the code listed in Table 12-57 that corresponds to the merge algorithm you want. For example, enter HUU to if you want to select the Maximum Level/Union/Union merge algorithm.

For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide.

Table 12-57 Oracle Label Security Merge Algorithm Codes

Code	Value
`HUU`	Maximum Level/Union/Union
`HIU`	Maximum Level/Intersection/Union
`HMU`	Maximum Level/Minus/Union
`HNU`	Maximum Level/Null/Union
`HUI`	Maximum Level/Union/Intersection
`HII`	Maximum Level/Intersection/Intersection
`HMI`	Maximum Level/Minus/Intersection
`HNI`	Maximum Level/Null/Intersection
`HUM`	Maximum Level/Union/Minus
`HIM`	Maximum Level/Intersection/Minus
`HMM`	Maximum Level/Minus/Minus
`HNM`	Maximum Level/Null/Minus
`HUN`	Maximum Level/Union/Null
`HIN`	Maximum Level/Intersection/Null
`HMN`	Maximum Level/Minus/Null
`HNN`	Maximum Level/Null/Null
`LUU`	Minimum Level/Union/Union
`LIU`	Minimum Level/Intersection/Union
`LMU`	Minimum Level/Minus/Union
`LNU`	Minimum Level/Null/Union
`LUI`	Minimum Level/Union/Intersection
`LII`	Minimum Level/Intersection/Intersection
`LMI`	Minimum Level/Minus/Intersection
`LNI`	Minimum Level/Null/Intersection
`LUM`	Minimum Level/Union/Minus
`LIM`	Minimum Level/Intersection/Minus
`LMM`	Minimum Level/Minus/Minus
`LNM`	Minimum Level/Null/Minus
`LUN`	Minimum Level/Union/Null
`LIN`	Minimum Level/Intersection/Null
`LMN`	Minimum Level/Minus/Null
`LNN`	Minimum Level/Null/Null

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_MAC_POLICY(
  policy_name  => 'Access Locations',
  algorithm    => 'HUU');
END;
/

CREATE_POLICY_LABEL Procedure

The CREATE_POLICY_LABEL procedure labels an identity within an Oracle Label Security policy.

Syntax

DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL(
  identity_factor_name   IN VARCHAR2, 
  identity_factor_value  IN VARCHAR2, 
  policy_name            IN VARCHAR2, 
  label                  IN VARCHAR2);

Parameters

Table 12-58 CREATE_POLICY_LABEL Parameters

Parameter	Description
`identity_factor_name`	Name of the factor being labeled. To find existing factors in the current database instance, query the `DVSYS.DBA_DV_FACTOR` view, described in "DBA_DV_FACTOR View". To find factors that are associated with Oracle Label Security policies, use `DVSYS.DBA_DV_MAC_POLICY_FACTOR`, described in "DBA_DV_MAC_POLICY_FACTOR View". See also "Label Security Policy Factors" for more information.
`identity_factor_value`	Value of identity for the factor being labeled. To find the identities of existing factors in the current database instance, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DBA_DV_IDENTITY View".
`policy_name`	Name of an existing policy. To find existing policies in the current database instance, query the `DVSYS.DBA_DV_MAC_POLICY` view, described in "DBA_DV_MAC_POLICY View".
`label`	Oracle Label Security label name. To find existing policy labels for factor identifiers, query the `DVSYS.DBA_DV_POLICY_LABEL` view, described in "DBA_DV_POLICY_LABEL View".

Example

BEGIN
 DVSYS.DBMS_MACADM.CREATE_POLICY_LABEL(
  identity_factor_name   => 'App_Host_Name', 
  identity_factor_value  => 'Sect2_Fin_Apps', 
  policy_name            => 'Access Locations', 
  label                  => 'Sensitive'); 
END;
/

DELETE_MAC_POLICY_CASCADE Procedure

The DELETE_MAC_POLICY_CASCADE procedure deletes all Oracle Database Vault objects related to an Oracle Label Security policy.

Syntax

DVSYS.DBMS_MACADM.DELETE_MAC_POLICY_CASCADE(
  policy_name  IN VARCHAR2);

Parameters

Table 12-59 DELETE_MAC_POLICY_CASCADE Parameter

Parameter Description

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

Example

EXEC DVSYS.DBMS_MACADM.DELETE_MAC_POLICY_CASCADE('Access Locations');

DELETE_POLICY_FACTOR Procedure

The DELETE_POLICY_FACTOR procedure removes the factor from contributing to the Oracle Label Security label.

Syntax

DVSYS.DBMS_MACADM.DELETE_POLICY_FACTOR(
  policy_name  IN VARCHAR2, 
  factor_name  IN VARCHAR2);

Parameters

Table 12-60 DELETE_POLICY_FACTOR Parameters

Parameter Description

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

factor_name

Name of factor associated with the Oracle Label Security label.

To find factors that are associated with Oracle Label Security policies, query DVSYS.DBA_DV_MAC_POLICY_FACTOR, described in "DBA_DV_MAC_POLICY_FACTOR View".

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_POLICY_FACTOR(
  policy_name  => 'Access Locations', 
  factor_name  => 'App_Host_Name'); 
END;
/

DELETE_POLICY_LABEL Procedure

The DELETE_POLICY_LABEL procedure removes the label from an identity within an Oracle Label Security policy.

Syntax

DVSYS.DBMS_MACADM.DELETE_POLICY_LABEL(
  identity_factor_name   IN VARCHAR2, 
  identity_factor_value  IN VARCHAR2, 
  policy_name            IN VARCHAR2, 
  label                  IN VARCHAR2);

Parameters

Table 12-61 DELETE_POLICY_LABEL Parameters

Parameter	Description
`identity_factor_name`	Name of the factor that was labeled. To find existing factors in the current database instance that are associated with Oracle Label Security policies, query `DVSYS.DBA_DV_MAC_POLICY_FACTOR`, described in "DBA_DV_MAC_POLICY_FACTOR View". See also "Label Security Policy Factors" for more information.
`identity_factor_value`	Value of identity for the factor that was labeled. To find the identities of existing factors in the current database instance, query the `DVSYS.DBA_DV_IDENTITY` view, described in "DBA_DV_IDENTITY View".
`policy_name`	Name of an existing policy. To find existing policies in the current database instance, query the `DVSYS.DBA_DV_MAC_POLICY` view, described in "DBA_DV_MAC_POLICY View".
`label`	Oracle Label Security label name. To find existing policy labels for factor identifiers, query the `DVSYS.DBA_DV_POLICY_LABEL` view, described in "DBA_DV_POLICY_LABEL View".

Example

BEGIN
 DVSYS.DBMS_MACADM.DELETE_POLICY_LABEL(
  identity_factor_name   => 'App_Host_Name', 
  identity_factor_value  => 'Sect2_Fin_Apps', 
  policy_name            => 'Access Locations', 
  label                  => 'Sensitive'); 
END;
/

UPDATE_MAC_POLICY Procedure

The UPDATE_MAC_POLICY procedure specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.

Syntax

DVSYS.DBMS_MACADM.UPDATE_MAC_POLICY(
  policy_name  IN VARCHAR2, 
  algorithm    IN VARCHAR2);

Parameters

Table 12-62 UPDATE_MAC_POLICY

Parameter Description

policy_name

Name of an existing policy.

To find existing policies in the current database instance, query the DVSYS.DBA_DV_MAC_POLICY view, described in "DBA_DV_MAC_POLICY View".

algorithm

Merge algorithm for cases when Oracle Label Security has merged two labels. See Table 12-57 for listing of the available algorithms.

For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide.

Example

BEGIN
 DVSYS.DBMS_MACADM.UPDATE_MAC_POLICY(
  policy_name  => 'Access Locations',
  algorithm    => 'LUI');
END;
/

General System Maintenance Procedures Within DVSYS.DBMS_MACADM

Table 12-63 lists the procedures within the DVSYS.DBMS_MACADM PL/SQL package that you can use to perform general maintenance activities that require the protection of the DV_OWNER or DV_ADMIN role.

Table 12-63 DVSYS.DBMS_MACADM Disable/Enable Procedures

Procedure	Description
ADD_NLS_DATA Procedure	Adds a new language to Oracle Database Vault
AUTHORIZE_DATAPUMP_USER Procedure	Authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled
AUTHORIZE_SCHEDULER_USER Procedure	Authorizes a user to schedule database jobs when Oracle Database Vault is enabled
UNAUTHORIZE_DATAPUMP_USER Procedure	Revokes the authorization that was granted by the `DBMS_MACADM.AUTHORIZE_DATAPUMP_USER` procedure
UNAUTHORIZE_SCHEDULER_USER Procedure	Revokes authorization that was granted by the `DBMS_MACADM.AUTHORIZE_SCHEDULER_USER` procedure

ADD_NLS_DATA Procedure

The ADD_NLS_DATA procedure adds a new language to Oracle Database Vault.

Syntax

DVSYS.DBMS_MACADM.ADD_NLS_DATA(
  language      IN VARCHAR );

Parameters

Table 12-64 ADD_NLS_DATA

Parameter Description

language

Enter one of the following settings. (This parameter is case insensitive.)

ENGLISH
GERMAN
SPANISH
FRENCH
ITALIAN
JAPANESE
KOREAN
BRAZILIAN PORTUGUESE
SIMPLIFIED CHINESE
TRADITIONAL CHINESE

Examples

EXEC DVSYS.DBMS_MACADM.ADD_NLS_DATA('french');

AUTHORIZE_DATAPUMP_USER Procedure

The AUTHORIZE_DATAPUMP_USER procedure authorizes a user to perform Oracle Data Pump operations when Oracle Database Vault is enabled. It applies to both the expdp and impdp utilities. See "Granting a Database Administrator Authorization to Use Oracle Data Pump" for full usage information, including the levels of additional authorization the user must have to use Oracle Data Pump in an Oracle Database Vault environment.

Syntax

DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL,
  table_name     IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-65 AUTHORIZE_DATAPUMP_USER

Parameter Description

user_name

Name of the Oracle Data Pump user to whom you want to grant authorization.

To find a list of users who have privileges to use Oracle Data Pump (that is, the EXP_FULL_DATABASE and IMP_FULL_DATABASE roles), query the DBA_ROLE_PRIVS data dictionary view as follows:

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE LIKE '%FULL%'

schema_name

Name of the database schema that the Oracle Data Pump user must export or import. If you omit this parameter, then the user is granted global authorization to export and import any schema in the database. In this case, ensure the user has been granted the DV_OWNER or DV_ADMIN role.

table_name

Name of the table within the schema specified by the schema_name parameter. If you omit this parameter, then the user you specified can export and import all tables within the schema specified by the schema_name parameter.

Examples

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR');

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR');

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR', 'HR', 'EMPLOYEES');

AUTHORIZE_SCHEDULER_USER Procedure

The AUTHORIZE_SCHEDULER_USER procedure grants a user authorization to schedule database jobs when Oracle Database Vault is enabled. This authorization applies to anyone who has privileges to schedule database jobs. These privileges include any of the following: CREATE JOB, CREATE ANY JOB, CREATE EXTERNAL JOB, EXECUTE ANY PROGRAM, EXECUTE ANY CLASS, MANAGE SCHEDULER. See "Scheduling Database Jobs in an Oracle Database Vault Environment" full usage information, including the levels of authorization the user must have to schedule database jobs in an Oracle Database Vault environment.

Syntax

DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-66 AUTHORIZE_SCHEDULER_USER

Parameter Description

user_name

Name of the user to whom you want to grant authorization.

To find a list of users who have privileges to schedule jobs, query the DBA_SYS_PRIVS data dictionary view for users who have privileges to schedule database jobs. See Step 2 in "Granting a Database Administrator Authorization to Use Oracle Data Pump".

schema_name

Name of the database schema for which a job will be scheduled. If you omit this parameter, then the user is granted global authorization to schedule a job for any schema in the database.

Examples

The following example authorizes the user JOB_MGR to run a job under any schema.

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

This example authorizes user JOB_MGR to run a job under the HR schema only.

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

UNAUTHORIZE_DATAPUMP_USER Procedure

The UNAUTHORIZE_DATAPUMP_USER procedure revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER procedure. When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_DATAPUMP_USER procedure.

For example, the following two procedures will work because the parameters are consistent:

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_MGR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_MGR');

However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_DATAPUMP_USER procedure will not work:

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('JSMITH');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');

Syntax

DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL,
  table_name     IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-67 UNAUTHORIZE_DATAPUMP_USER

Parameter Description

user_name

Name of the Oracle Data Pump user from whom you want to revoke authorization.

To find a list of users and authorizations from the AUTHORIZE_DATAPUMP_USER procedure, query the DVSYS.DBA_DV_RULE_SET data dictionary view as follows:

SELECT RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET WHERE RULE_SET_NAME = 'Allow Oracle Data Pump Operation';

schema_name

Name of the database schema that the Oracle Data Pump user is authorized to export or import.

table_name

Name of the table within the schema specified by the schema name parameter.

Examples

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('JSMITH', 'HR', 'SALARY');

UNAUTHORIZE_SCHEDULER_USER Procedure

The UNAUTHORIZE_SCHEDULER_USER procedure revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER procedure. When you run this procedure, ensure that its settings correspond exactly to the equivalent AUTHORIZE_SCHEDULER_USER procedure.

For example, the following two procedures will work because the parameters are consistent:

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');

However, because the parameters in the following procedures are not consistent, the UNAUTHORIZE_SCHEDULER_USER procedure will not work:

EXEC DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');

Syntax

DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER
  user_name      IN VARCHAR2,
  schema_name    IN VARCHAR2 DEFAULT NULL);

Parameters

Table 12-68 UNAUTHORIZE_SCHEDULER_USER

Parameter Description

user_name

Name of the job scheduling user from whom you want to revoke authorization.

To find a list of users and authorizations from the AUTHORIZE_SCHEDULER_USER procedure, query the DVSYS.DBA_DV_RULE_SET data dictionary view as follows:

SELECT RULE_EXPR FROM DVSYS.DBA_DV_RULE_SET WHERE RULE_SET_NAME = 'Allow Scheduler Job';

schema_name

Name of the database schema for which the user is authorized to schedule jobs.

Examples

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR');

EXEC DVSYS.DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_MGR', 'HR');