Oracle® Database Vault Administrator's Guide 11g Release 1 (11.1) Part Number B31222-01 |
|
|
View PDF |
The functions within the DVSYS.DBMS_MACADM
package allow you to write applications that configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.
The DVSYS.DBMS_MACADM
package is available only for users who have the DV_ADMIN
or DV_OWNER
role.
This section includes the following topics:
Table E-1 lists functions within the DVSYS.DBMS_MACADM
package that you can use to configure realms. For constants that you can use with these functions, see Table G-1 for more information.
Chapter 4, "Configuring Realms" describes realms in detail. See also Appendix G, "Oracle Database Vault DVSYS.DBMS_MACUTL Package" for a set of general purpose utility functions that you can use with the realm functions.
Table E-1 DVSYS.DBMS_MACADM Realm Configuration Functions
Function | Description |
---|---|
|
Authorizes a user or role to access a realm as a participant. |
|
Authorizes a user or role to access a realm as an owner or participant (no rule set). |
|
Authorizes a user or role to access a realm as a participant. Optionally, you can specify a rule set for the authorization. |
|
Authorizes a user or role to access a realm as a participant or owner. Optionally, you can specify a rule set for the authorization. |
|
|
|
Creates a realm. |
DELETE_AUTH_FROM_REALM Function |
Removes the authorization of a user or role to access a realm. |
DELETE_OBJECT_FROM_REALM Function |
Removes a set of objects from realm protection. |
|
Deletes a realm. |
|
Deletes a realm, including its related Database Vault configuration information. |
|
Renames a realm. The name change takes effect everywhere the realm is used. |
|
|
|
Updates the authorization of a user or role to access a realm. |
This function authorizes a user or role to access a realm as a participant. The person running this function cannot add himself or herself to the realm as a realm participant.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2);
Parameters
Table E-2 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
User or role name to authorize as a participant. To find the existing users and roles in the current database instance, use the To find the authorization of a particular user or role, use the |
This function authorizes a user or role to access a realm as an owner or a participant. The person running this function cannot add himself or herself to the realm as a realm owner or participant.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, auth_options NUMBER);
Parameters
Table E-3 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
User or role name to authorize as owner or participant. To find the existing users and roles in the current database instance, use the To find the authorization of a particular user or role, use the |
|
Specify one of the following ways to authorize the realm:
See "Defining Realm Authorization" for more information on participants and owners. |
This function authorizes a user or role to access a realm as a participant. The person running this function cannot add himself or herself to the realm as a realm participant. Optionally, you can specify a rule set to check before allowing the authorization to proceed.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table E-4 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
User or role name to authorize as participant. To find the existing users and roles in the current database instance, use the To find the authorization of a particular user or role, use the |
|
Rule set to check before authorizing (optional). If the rule set evaluates to TRUE, then the authorization is allowed. To find the available rule sets, use the |
This function authorizes a user or role to access a realm as a participant or owner. The person running this function cannot add himself or herself to the realm as a realm owner or participant. Optionally, you can specify a rule set to check before authorizing.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2, auth_options NUMBER);
Parameters
Table E-5 ADD_AUTH_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
User or role name to authorize as owner or participant. To find the available users and roles, use the To find the authorization of a particular user or role, use the |
|
Rule set to check before authorizing (optional). If the rule set evaluates to TRUE, then the authorization is allowed. To find the available rule sets, use the |
|
Specify one of the following ways to authorize the realm:
See "Defining Realm Authorization" for more information on participants and owners. |
This function registers a set of objects for realm protection.
Syntax
ADD_OBJECT_TO_REALM( realm_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, object_type VARCHAR2);
Parameters
Table E-6 ADD_OBJECT_TO_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
Object owner to own this realm. To find the available users, use the To find the authorization of a particular user, use the |
|
Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) To find the available objects, use the To find objects that are secured by existing realms, use the |
|
Object type, such as |
This function creates a realm. After you create the realm, use the following functions to complete the realm definition:
ADD_OBJECT_TO_REALM
function registers one or more objects for the realm.
ADD_AUTH_TO_REALM
functions authorize users or roles for the realm.
Syntax
CREATE_REALM( realm_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, audit_options NUMBER);
Parameters
Table E-7 CREATE_REALM Parameters
Parameter | Description |
---|---|
|
Realm name, up to 90 characters in mixed-case. To find the existing realms in the current database instance, use the |
|
Description of the purpose of the realm, up to 1024 characters in mixed-case. |
|
|
|
Specify one of the following ways to audit the realm:
|
This function removes the authorization of a user or role to access a realm.
Syntax
DELETE_AUTH_FROM_REALM( realm_name VARCHAR2, grantee VARCHAR2);
Parameters
Table E-8 DELETE_AUTH_FROM_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
User or role name. To find the authorization of a particular user or role, use the |
This function removes a set of objects from realm protection.
Syntax
DELETE_OBJECT_FROM_REALM( realm_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, object_type VARCHAR2);
Parameters
Table E-9 DELETE_OBJECT_FROM_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
Database schema owner. To find the available users, use the To find the authorization of a particular user, use the |
|
Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) To find objects that are secured by existing realms, use the |
|
Object type, such as |
This function deletes a realm but does not remove its associated objects and authorizations. Before you delete a realm, you can locate its associated objects by querying the DBA_DV_REALM_OBJECT
view, described in"Oracle Database Vault Public Views".
If you want to remove the associated objects and authorizations as well as the realm, see "DELETE_REALM_CASCADE Function".
Syntax
DELETE_REALM( realm_name VARCHAR2);
Parameters
Table E-10 DELETE_REALM Parameter
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
This function deletes a realm, including its related Database Vault configuration information that specifies who is authorized (dba_dv_realm_auth
) and what objects are protected (dba_dv_realm_object
). It does not delete the actual database objects or users. To find a listing of the realm-related objects, use the DBA_DV_REALM
view. To find its authorizations, query DBA_DV_REALM_AUTH
. Both are described under "Oracle Database Vault Public Views".
Syntax
DELETE_REALM_CASCADE( realm_name VARCHAR2);
Parameters
Table E-11 DELETE_REALM_CASCADE Parameter
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
This function renames a realm. The name change takes effect everywhere the realm is used.
Syntax
RENAME_REALM( realm_name VARCHAR2, new_name VARCHAR2);
Parameters
Table E-12 RENAME_REALM Parameters
Parameter | Description |
---|---|
|
Current realm name. To find the existing realms in the current database instance, use the |
|
New realm name, up to 90 characters in mixed-case. |
This function updates a realm.
Syntax
UPDATE_REALM( realm_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, audit_options NUMBER);
Parameters
Table E-13 UPDATE_REALM Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
Description of the purpose of the realm, up to 1024 characters in mixed-case. |
|
|
|
Specify one of the following ways to audit the realm:
|
Updates the authorization of a user or role to access a realm.
Syntax
UPDATE_REALM_AUTH( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2, auth_options NUMBER);
Parameters
Table E-14 UPDATE_REALM_AUTH Parameters
Parameter | Description |
---|---|
|
Realm name. To find the existing realms in the current database instance, use the |
|
User or role name. To find the available users and roles, use the To find the authorization of a particular user or role, use the |
|
Rule set to check before authorizing (optional). If the rule set evaluates to TRUE, then the authorization is allowed. To find the available rule sets, use the |
|
Specify one of the following ways to authorize the realm:
|
Table E-15 lists functions within the DVSYS.DBMS_MACADM
package that you can use to configure rule sets.
Chapter 5, "Configuring Rule Sets" describes rule sets in detail. See also Appendix G, "Oracle Database Vault DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the rule set functions.
Table E-15 DVSYS.DBMS_MACADM Rule Set Configuration Functions
Function | Description |
---|---|
|
Adds an enabled or disabled rule to the end of a rule set. |
|
Adds a rule to a rule set and lets you specify its order within the rule set. |
|
Adds a rule to a rule set. |
|
Creates a rule. |
|
Creates a rule set. |
|
Deletes a rule. |
DELETE_RULE_FROM_RULE_SET Function |
Deletes a rule from a rule set. |
|
Deletes a rule set. |
|
Renames a rule. The name change takes effect everywhere the rule is used. |
|
Renames a rule set. The name change takes effect everywhere the rule set is used. |
|
Synchronizes the rules in Oracle Database Vault and Advanced Queuing Rules engine. You must perform this operation immediately after a rollback of an Add, Delete, or Modify rule operation. |
|
Updates a rule. |
|
Updates a rule set. |
This function adds an enabled or disabled rule to a rule set, and lets you specify its order within the rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2, rule_order NUMBER, enabled VARCHAR2);
Parameters
Table E-16 ADD_RULE_TO_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
Rule to add to the rule set. To find existing rules, use the |
|
Does not apply to this release. The order in which rules appear affects performance. See "Improving Performance by Setting the Order in Which Rules Appear in a Rule Set" for more information. |
|
|
This function adds a rule to a rule set and lets you specify its order within the rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2, rule_order NUMBER);
Parameters
Table E-17 ADD_RULE_TO_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
Rule to add to the rule set. To find existing rules, use the |
|
Does not apply to this release. The order in which rules appear affects performance. See "Improving Performance by Setting the Order in Which Rules Appear in a Rule Set" for more information. |
This function adds a rule to a rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2);
Parameters
Table E-18 ADD_RULE_TO_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
Rule to add to the rule set. To find existing rules in the current database instance, use the |
Syntax
CREATE_RULE( rule_name VARCHAR2, rule_expr VARCHAR2);
Parameters
Table E-19 CREATE_RULE Parameters
Parameter | Description |
---|---|
|
Rule name, up to 90 characters in mixed-case. To find existing rules in the current database instance, use the |
|
PL/SQL See "Creating a New Rule" for more information on rule expressions. |
This function creates a rule set. After you create a rule set, you can use the CREATE_RULE
and ADD_RULE_TO_RULE
set functions to create and add rules to the rule set.
Syntax
CREATE_RULE_SET( rule_set_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER, fail_message VARCHAR2, fail_code NUMBER, handler_options NUMBER, handler VARCHAR2);
Parameters
Table E-20 CREATE_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name, up to 90 characters in mixed-case. Spaces are allowed. To find existing rule sets in the current database instance, use the |
|
Description of the purpose of the rule set, up to 1024 characters in mixed-case. |
|
|
|
If you plan to assign more than one rule to the rule set, enter one of the following settings:
|
|
Select one of the following settings:
See "Audit Options" for more information. |
|
Options for reporting factor errors:
See "Error Handling Options" for more information. |
|
Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for |
|
Enter a negative number in the range of -20000 to -20999, to associate with the |
|
Select one of the following settings:
See "Error Handling Options" for more information. |
|
Custom event handler logic. See "Error Handling Options" for more information. |
Syntax
DELETE_RULE( rule_name VARCHAR2);
Parameter
Table E-21 DELETE_RULE Parameter
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, use the |
This function deletes a rule from a rule set.
Syntax
DELETE_RULE_FROM_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2);
Parameters
Table E-22 DELETE_RULE_FROM_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
Rule to remove from the rule set. To find rules that have been associated with rule sets, use |
This function deletes a rule set.
Syntax
DELETE_RULE_SET( rule_set_name VARCHAR2);
Parameters
Table E-23 DELETE_RULE_SET Parameter
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, use the |
This function renames a rule. The name change takes effect everywhere the rule is used.
Syntax
RENAME_RULE( rule_name VARCHAR2, new_name VARCHAR2);
Parameters
Table E-24 RENAME_RULE Parameters
Parameter | Description |
---|---|
|
Rule name. To find existing rules in the current database instance, use the |
|
New rule name, up to 90 characters in mixed-case. |
This function renames a rule set. The name change takes effect everywhere the rule set is used.
Syntax
RENAME_RULE_SET( rule_set_name VARCHAR2, new_name VARCHAR2);
Parameters
This function synchronizes the rules in Oracle Database Vault and Advanced Queuing Rules engine. You must perform this operation immediately after a rollback of an Add, Delete, or Modify rule operation.
Syntax
SYNC_RULES();
Parameters
None.
Syntax
UPDATE_RULE( rule_name VARCHAR2, rule_expr VARCHAR2);
Parameters
Table E-26 UPDATE_RULE Parameters
Parameter | Description |
---|---|
|
Rule name. To find existing rules in the current database instance, use the |
|
PL/SQL See "Creating a New Rule" for more information on rule expressions. |
This function updates a rule set.
Syntax
UPDATE_RULE_SET( rule_set_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER, fail_message VARCHAR2, fail_code NUMBER, handler_options NUMBER, handler VARCHAR2);
Parameters
Table E-27 UPDATE_RULE_SET Parameters
Parameter | Description |
---|---|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
Description of the purpose of the rule set, up to 1024 characters in mixed-case. |
|
|
|
If you plan to assign more than one rule to the rule set, enter one of the following settings:
|
|
Select one of the following settings:
See "Audit Options" for more information. |
|
Options for reporting factor errors:
See "Error Handling Options" for more information. |
|
Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for |
|
Enter a negative number in the range of -20000 to -20999, to associate with the |
|
Select one of the following settings:
See "Error Handling Options" for more information. |
|
Custom event handler logic. See "Error Handling Options" for more information. |
Table E-28 lists functions within the DVSYS.DBMS_MACADM
package that you can use to configure command rules.
Chapter 6, "Configuring Command Rules" describes command rules in detail. See also Appendix G, "Oracle Database Vault DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the command rule functions.
Table E-28 DVSYS.DBMS_MACADM Command Rule Configuration Functions
Function | Description |
---|---|
|
Creates a command rule and associates it with a rule set. |
|
Drops a command rule declaration. |
|
Updates a command rule declaration. |
This function creates a command rule and associates it with a rule set.
Syntax
CREATE_COMMAND_RULE( command VARCHAR2, rule_set_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, enabled VARCHAR2);
Parameters
Table E-29 CREATE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
|
SQL statement to protect. See Oracle Database SQL Language Reference for more information of SQL statements. |
|
Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, use the |
|
Database schema owner for this command rule. To find the available users, use the |
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, use the |
|
|
This function drops a command rule declaration.
Syntax
DELETE_COMMAND_RULE( command VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2);
Parameters
Table E-30 DELETE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
|
SQL statement the command rule protects. See Oracle Database SQL Language Reference for more information of SQL statements. |
|
Database schema owner for this command rule. To find the available users in the current database instance, use the |
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, use the |
This function updates a command rule declaration.
Syntax
UPDATE_COMMAND_RULE( command VARCHAR2, rule_set_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, enabled VARCHAR2);
Parameters
Table E-31 UPDATE_COMMAND_RULE Parameters
Parameter | Description |
---|---|
|
SQL statement to protect. See Oracle Database SQL Language Reference for more information of SQL statements. |
|
Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, use the |
|
Database schema owner for this command rule. To find the available users, use the |
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing a Command Rule" for more information about objects protected by command rules.) To find the available objects, use the |
|
|
Table E-32 lists functions within the DVSYS.DBMS_MACADM
package that you can use to configure factors.
Chapter 7, "Configuring Factors" describes factors in detail. See also Appendix G, "Oracle Database Vault DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the factor functions.
Table E-32 DVSYS.DBMS_MACADM Factor Configuration Functions
Function | Description |
---|---|
|
Specifies a parent-child relationship for two factors. |
|
Specifies that the label for a factor contributes to the Oracle Label Security label for a policy. |
CHANGE_IDENTITY_FACTOR Function |
Associates an identity with a different factor. |
CHANGE_IDENTITY_VALUE Function |
Updates the value of an identity. |
CREATE_DOMAIN_IDENTITY Function |
Adds an Oracle Real Application Clusters (RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy. |
|
Creates a factor. |
|
Creates a factor type. |
|
Creates an identity. |
|
Defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors). |
|
Deletes a factor. |
|
Removes a parent-child relationship for two factors. |
|
Deletes a factor type. |
|
Removes an identity. |
|
Removes an identity map from a factor. |
|
Removes an Oracle Real Application Clusters (RAC) database node from a domain. |
|
Returns information from the |
|
Returns information from the |
|
Renames a factor. The name change takes effect everywhere the factor is used. |
|
Renames a factor type. The name change takes effect everywhere the factor type is used. |
|
Updates a factor. |
|
Updates the description of a factor type. |
|
Updates the trust_level of a factor identity. |
This function specifies a parent-child relationship for two factors.
Syntax
ADD_FACTOR_LINK( parent_factor_name VARCHAR2, child_factor_name VARCHAR2, label_indicator VARCHAR2);
Parameters
Table E-33 ADD_FACTOR_LINK Parameters
Parameter | Description |
---|---|
|
Parent factor name. To find existing factors in the current database instance, use the |
|
Child factor name. To find the relationships of existing factors whose identities are determined by the association of child factors, use the |
|
Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either
To find the Oracle Label Security policies and labels associated with factors, use the following views, described in "Oracle Database Vault Public Views":
|
This function specifies that the label for a factor contributes to the Oracle Label Security label for a policy.
Syntax
ADD_POLICY_FACTOR( policy_name VARCHAR2, factor_name VARCHAR2);
Parameters
Table E-34 ADD_POLICY_FACTOR Parameters
Parameter | Description |
---|---|
|
Oracle Label Security policy name. To find the policies defined in the current database instance, use the |
|
Factor name. To find existing factors, use the |
This function associates an identity with a different factor.
Syntax
CHANGE_IDENTITY_FACTOR( factor_name VARCHAR2, value VARCHAR2, new_factor_name VARCHAR2);
Parameters
Table E-35 CHANGE_IDENTITY_FACTOR Parameters
Parameter | Description |
---|---|
|
Current factor name. To find existing factors in the current database instance, use the |
|
Value of the identity to update. To find existing identities for each factor in the current database instance, use the |
|
Name of the factor to associate with the identity. |
This function updates the value of an identity.
Syntax
CHANGE_IDENTITY_VALUE( factor_name VARCHAR2, value VARCHAR2, new_value VARCHAR2);
Parameters
Table E-36 CHANGE_IDENTITY_VALUE Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, use the |
|
Current value associated with the identity. To find existing identities for each factor in the current database instance, use the |
|
New identity value, up to 1024 characters in mixed-case. |
This function adds an Oracle Real Application Clusters (RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.
Syntax
CREATE_DOMAIN_IDENTITY( domain_name VARCHAR2, domain_host VARCHAR2, policy_name VARCHAR2 DEFAULT NULL, domain_label VARCHAR2 DEFAULT NULL);
Parameters
Table E-37 CREATE_DOMAIN_IDENTITY Parameters
Parameter | Description |
---|---|
|
Name of the domain to which to add the host. To find the logical location of the database within the network structure within a distributed database system, use the |
|
Oracle Real Application Clusters host name being added to the domain. To find host name of a database, use the |
|
Oracle Label Security policy name. To find the available policies, use the |
|
Name of the domain to which to add the Oracle Label Security policy. |
This function creates a factor. After you create a factor, you need to give it an identity by using the CREATE_IDENTITY
function, described in "CREATE_IDENTITY Function".
Syntax
CREATE_FACTOR( factor_name VARCHAR2, factor_type_name VARCHAR2, description VARCHAR2, rule_set_name VARCHAR2, get_expr VARCHAR2, validate_expr VARCHAR2, identify_by NUMBER, labeled_by NUMBER, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER);
Parameters
Table E-38 CREATE_FACTOR Parameters
Parameter | Description |
---|---|
|
Factor name, up to 30 characters in mixed-case, without spaces. To find existing factors in the current database instance, use the |
|
Factor type name, up to 30 characters in mixed-case, without spaces. |
|
Description of the purpose of the factor, up to 1024 characters in mixed-case. |
|
Rule set name if you want to use a rule set to control when and how a factor identity is set. To find existing rule sets, use the |
|
Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the |
|
Name of the function to validate the factor. This is a valid PL/SQL expression that returns a Boolean value ( |
|
Options for determining the identity of a factor, based on the expression set for the
See "Factor Identification" for more information. |
|
Options for labeling the factor:
See "Factor Labeling" for more information. |
|
Options for evaluating the factor when the user logs on:
See "Evaluation" for more information. |
|
Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.
See "Audit Options" for more information. |
|
Options for reporting factor errors:
See "Error Options" for more information. |
This function creates a user-defined factor type.
Syntax
CREATE_FACTOR_TYPE( name VARCHAR2, description VARCHAR2);
Parameters
Table E-39 CREATE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
|
Factor type name, up to 30 characters in mixed-case, without spaces. To find existing factor types, use the |
|
Description of the purpose of the factor type, up to 1024 characters in mixed-case. |
This function assigns an identity and an associated trust level for a given factor. After you create a factor, you must assign it an identity.
Syntax
CREATE_IDENTITY( factor_name VARCHAR2, value VARCHAR2, trust_level NUMBER);
Parameters
Table E-40 CREATE_IDENTITY Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, use the |
|
The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 234.43.41.99. |
|
Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring an Identity" for more information about trust levels and label security. |
This function defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors).
Syntax
CREATE_IDENTITY_MAP( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, parent_factor_name VARCHAR2, child_factor_name VARCHAR2, operation VARCHAR2, operand1 VARCHAR2, operand2 VARCHAR2);
Parameters
Table E-41 CREATE_IDENTITY_MAP Parameters
Parameter | Description |
---|---|
|
Factor the identity map is for. To find existing factors in the current database instance, use the |
|
Value the factor will assume if the identity map evaluates to TRUE. To find existing factor identities, use the |
|
The parent factor link to which the map is related. To find existing parent-child factor mappings, use the |
|
The child factor link to which the map is related. |
|
Relational operator for the identity map (for example, <, >, =, and so on). |
|
Left operand for the relational operator; refers to the low value you enter. |
|
Right operand for the relational operator; refers to the high value you enter. |
This function deletes a factor.
Syntax
DELETE_FACTOR( factor_name VARCHAR2);
Parameters
Table E-42 DELETE_FACTOR Parameter
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, use the |
This function removes a parent-child relationship for two factors.
Syntax
DELETE_FACTOR_LINK( parent_factor_name VARCHAR2, child_factor_name VARCHAR2);
Parameters
Table E-43 DELETE_FACTOR_LINK Parameters
Parameter | Description |
---|---|
|
Factor name. To find factors that are used in parent-child mappings in the current database instance, use the |
|
Factor name. |
This function deletes a factor type.
Syntax
DELETE_FACTOR_TYPE( name VARCHAR2);
Parameters
Table E-44 DELETE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
|
Factor type name. To find existing factor types in the current database instance, use the |
This function removes an identity from an existing factor.
Syntax
DELETE_IDENTITY( factor_name VARCHAR2, value VARCHAR2);
Parameters
Table E-45 DELETE_IDENTITY Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, use the |
|
Identity value associated with the factor. To find the identities for each factor in the current database instance, use the |
This function removes an identity map for a factor.
Syntax
DELETE_IDENTITY_MAP( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, parent_factor_name VARCHAR2, child_factor_name VARCHAR2, operation VARCHAR2, operand1 VARCHAR2, operand2 VARCHAR2);
Parameters
Table E-46 DELETE_IDENTITY_MAP Parameters
Parameter | Description |
---|---|
|
Factor the identity map is for. To find existing factors in the current database instance, use the |
|
Value the factor will assume if the identity map evaluates to TRUE. To find existing factor identities, use the |
|
The parent factor link to which the map is related. To find existing factors, use the |
|
The child factor link to which the map is related. |
|
Relational operator for the identity map (for example, <, >, =, and so on). |
|
Left operand for the relational operator. |
|
Right operand for the relational operator. |
This function removes an Oracle Real Application Clusters database node from a domain.
Syntax
DROP_DOMAIN_IDENTITY( domain_name VARCHAR2, domain_host VARCHAR2);
Parameters
Table E-47 DROP_DOMAIN_IDENTITY Parameters
Parameter | Description |
---|---|
|
Name of the domain to which the host was added. To find the domain of a database as specified by the |
|
Oracle Real Application Clusters host name being that was added to the domain. To find the host name for a specified database, use the |
This function returns information from the SYS.V_$INSTANCE
view; it returns a VARCHAR2
value. For more information about SYS.V_$INSTANCE
, see Oracle Database Reference.
Syntax
GET_INSTANCE_INFO( p_parameter VARCHAR2);
Parameters
Table E-48 GET_INSTANCE_INFO Parameter
Parameter | Description |
---|---|
|
Column name in the |
This function returns information from the SYS.V_$SESSION
view for the current session; it returns a VARCHAR2
value. For more information about SYS.V_$SESSION
, see Oracle Database Reference.
Syntax
GET_SESSION_INFO( p_parameter VARCHAR2);
Parameters
Table E-49 GET_SESSION_INFO Parameter
Parameter | Description |
---|---|
|
Column name in the |
This function renames a factor. The name change takes effect everywhere the factor is used.
Syntax
RENAME_FACTOR( factor_name VARCHAR2, new_factor_name VARCHAR2);
Parameters
Table E-50 RENAME_FACTOR Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, use the |
|
New factor name, up to 30 characters in mixed-case, without spaces. |
This function renames a factor type. The name change takes effect everywhere the factor type is used.
Syntax
RENAME_FACTOR_TYPE( old_name VARCHAR2, new_name VARCHAR2);
Parameters
Table E-51 RENAME_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
|
Current factor type name. To find existing factor types in the current database instance, use the |
|
New factor type name, up to 30 characters in mixed-case, without spaces. |
This function updates the description of a factor type.
Syntax
UPDATE_FACTOR( factor_name VARCHAR2, factor_type_name VARCHAR2, description VARCHAR2, rule_set_name VARCHAR2, get_expr VARCHAR2, validate_expr VARCHAR2, identify_by NUMBER, labeled_by NUMBER, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER);
Parameters
Table E-52 UPDATE_FACTOR
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, use the |
|
Factor type name. To find existing factor types, use the |
|
Description of the purpose of the factor, up to 1024 characters in mixed-case. |
|
Name of the rule set used to control when and how a factor identity is set. To find existing rule sets, use the |
|
Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the |
|
Name of the function to validate factor. This is a valid PL/SQL expression that returns a Boolean value ( |
|
Options for determining the identity of a factor, based on the expression set for the
See "Factor Identification" for more information. |
|
Options for labeling the factor:
See "Factor Labeling" for more information. |
|
Options for evaluating the factor when the user logs on:
See "Evaluation" for more information. |
|
Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.
See "Audit Options" for more information. |
|
Options for reporting factor errors:
See "Error Options" for more information. |
This function updates a factor type.
Syntax
UPDATE_FACTOR_TYPE( name VARCHAR2, description VARCHAR2);
Parameters
Table E-53 UPDATE_FACTOR_TYPE Parameters
Parameter | Description |
---|---|
|
Factor type name. To find existing factor types in the current database instance, use the |
|
Description of the purpose of the factor type, up to 1024 characters in mixed-case. |
This function updates the trust level of a factor identity.
Syntax
UPDATE_IDENTITY( factor_name VARCHAR2, value VARCHAR2, trust_level NUMBER);
Parameters
Table E-54 UPDATE_IDENTITY Parameters
Parameter | Description |
---|---|
|
Factor name. To find existing factors in the current database instance, use the |
|
New factor identity, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 234.43.41.99. |
|
Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring an Identity" for more information about trust levels and label security. |
Table E-55 lists functions within the DVSYS.DBMS_MACADM
package that you can use to configure Oracle Database Vault secure application roles.
Chapter 8, "Configuring Secure Application Roles for Oracle Database Vault" describes secure application roles in detail. See also Appendix G, "Oracle Database Vault DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the secure application role functions.
Table E-55 DVSYS.DBMS_MACADM Secure Application Role Configuration Functions
Function | Description |
---|---|
|
Creates an Oracle Database Vault secure application role. |
|
Deletes an Oracle Database Vault secure application role. |
|
Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used. |
|
Updates a Oracle Database Vault secure application role. |
This function creates an Oracle Database Vault secure application role.
Syntax
CREATE_ROLE( role_name VARCHAR2, enabled VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table E-56 CREATE_ROLE Parameters
Parameter | Description |
---|---|
|
Role name, up to 30 characters, with no spaces. Preferably, enter the role name in upper case letters, though you are not required to do so. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Language Reference. To find existing secure application roles in the current database instance, use the |
|
|
|
Name of rule set to determine whether a user can set this secure application role. To find existing rule sets in the current database instance, use the |
This function deletes an Oracle Database Vault secure application role.
Syntax
DELETE_ROLE( role_name VARCHAR2);
Parameters
Table E-57 DELETE_ROLE Parameter
Parameter | Description |
---|---|
|
Role name. To find existing secure application roles in the current database instance, use the |
This function renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.
Syntax
RENAME_ROLE( role_name VARCHAR2, new_role_name VARCHAR2);
Parameters
Table E-58 RENAME_ROLE Parameters
Parameter | Description |
---|---|
|
Role name. To find existing secure application roles in the current database instance, use the |
|
Role name, up to 30 characters, in uppercase, with no spaces. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Language Reference. |
This function updates a Oracle Database Vault secure application role.
Syntax
UPDATE_ROLE( role_name VARCHAR2, enabled VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table E-59 UPDATE_ROLE Parameters
Parameter | Description |
---|---|
|
Role name. To find existing secure application roles in the current database instance, use the |
|
|
|
Name of rule set to determine whether a user can set this secure application role. To find existing rule sets in the current database instance, use the |
Table E-60 lists functions within the DVSYS.DBMS_MACADM
package that you can use to configure Oracle Label Security policies.
Chapter 9, "Integrating Oracle Database Vault with Other Oracle Products" describes Oracle Label Security policies in detail. See also Appendix G, "Oracle Database Vault DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the Oracle Label Security policy functions.
Table E-60 DVSYS.DBMS_MACADM Oracle Label Security Configuration Functions
Function | Description |
---|---|
|
Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label. |
|
Labels an identity within an Oracle Label Security policy. |
DELETE_MAC_POLICY_CASCADE Function |
Deletes all Oracle Database Vault objects related to an Oracle Label Security policy. |
|
Removes the factor from contributing to the Oracle Label Security label. |
|
Removes the label from an identity within an Oracle Label Security policy. |
|
Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label. |
This function specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
Syntax
CREATE_MAC_POLICY( policy_name VARCHAR2, algorithm VARCHAR2);
Parameters
Table E-61 CREATE_MAC_POLICY Parameters
Parameter | Description |
---|---|
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
Merge algorithm for cases when Oracle Label Security has merged two labels. Enter the code listed in Table E-62 that corresponds to the merge algorithm you want. For example, enter For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
Table E-62 Merge Algorithm Codes
Code | Value |
---|---|
|
Maximum Level/Union/Union |
|
Maximum Level/Intersection/Union |
|
Maximum Level/Minus/Union |
|
Maximum Level/Null/Union |
|
Maximum Level/Union/Intersection |
|
Maximum Level/Intersection/Intersection |
|
Maximum Level/Minus/Intersection |
|
Maximum Level/Null/Intersection |
|
Maximum Level/Union/Minus |
|
Maximum Level/Intersection/Minus |
|
Maximum Level/Minus/Minus |
|
Maximum Level/Null/Minus |
|
Maximum Level/Union/Null |
|
Maximum Level/Intersection/Null |
|
Maximum Level/Minus/Null |
|
Maximum Level/Null/Null |
|
Minimum Level/Union/Union |
|
Minimum Level/Intersection/Union |
|
Minimum Level/Minus/Union |
|
Minimum Level/Null/Union |
|
Minimum Level/Union/Intersection |
|
Minimum Level/Intersection/Intersection |
|
Minimum Level/Minus/Intersection |
|
Minimum Level/Null/Intersection |
|
Minimum Level/Union/Minus |
|
Minimum Level/Intersection/Minus |
|
Minimum Level/Minus/Minus |
|
Minimum Level/Null/Minus |
|
Minimum Level/Union/Null |
|
Minimum Level/Intersection/Null |
|
Minimum Level/Minus/Null |
|
Minimum Level/Null/Null |
This function labels an identity within an Oracle Label Security policy.
Syntax
CREATE_POLICY_LABEL( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, policy_name VARCHAR2, label VARCHAR2);
Parameters
Table E-63 CREATE_POLICY_LABEL Parameters
Parameter | Description |
---|---|
|
Name of factor being labeled. To find existing factors in the current database instance, use the See also "Label Security Policy Factors" for more information. |
|
Value of identity for the factor being labeled. To find the identities of existing factors in the current database instance, use the |
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
Oracle Label Security label name. To find existing policy labels for factor identifiers, use the |
This function deletes all Oracle Database Vault objects related to an Oracle Label Security policy.
Syntax
DELETE_MAC_POLICY_CASCADE( policy_name VARCHAR2);
Parameters
Table E-64 DELETE_MAC_POLICY_CASCADE Parameter
Parameter | Description |
---|---|
|
Name of existing policy. To find existing policies in the current database instance, use the |
This function removes the factor from contributing to the Oracle Label Security label.
Syntax
DELETE_POLICY_FACTOR( policy_name VARCHAR2, factor_name VARCHAR2);
Parameters
Table E-65 DELETE_POLICY_FACTOR Parameters
Parameter | Description |
---|---|
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
Name of factor associated with the Oracle Label Security label. To find factors that are associated with Oracle Label Security policies, use |
This function removes the label from an identity within an Oracle Label Security policy.
Syntax
DELETE_POLICY_LABEL( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, policy_name VARCHAR2, label VARCHAR2);
Parameters
Table E-66 DELETE_POLICY_LABEL Parameters
Parameter | Description |
---|---|
|
Name of factor that was labeled. To find existing factors in the current database instance that are associated with Oracle Label Security policies, use See also "Label Security Policy Factors" for more information. |
|
Value of identity for the factor that was labeled. To find the identities of existing factors in the current database instance, use the |
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
Oracle Label Security label name. To find existing policy labels for factor identifiers, use the |
This function specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
Syntax
UPDATE_MAC_POLICY( policy_name VARCHAR2, algorithm VARCHAR2);
Parameters
Table E-67 UPDATE_MAC_POLICY
Parameter | Description |
---|---|
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
Merge algorithm for cases when Oracle Label Security has merged two labels. For example: "LII - Minimum Level/Intersection/Intersection" For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |