Oracle® Database Vault Administrator's Guide 11g Release 2 (11.2) Part Number E10576-01
This section describes new features in Oracle Database Vault for this release of Oracle Database.
This section contains:
Oracle Data Pump users now can export and import data in an Oracle Database Vault environment.
See "Using Oracle Data Pump in an Oracle Database Vault Environment" for more information.
Users who are responsible for scheduling database jobs now can do so in an Oracle Database Vault environment.
See "Scheduling Database Jobs in an Oracle Database Vault Environment" for more information.
Oracle Database Vault includes the following new roles:
DV_MONITOR
DV_STREAMS_ADMIN
DV_PATCH_ADMIN
See the following sections for more information:
Oracle Database Vault now provides the following additional rule sets:
Allow Fine Grained Control of System Parameters
Allow Oracle Data Pump Operation
Allow Scheduler Job
See "Default Rule Sets" for more information.
You are no longer restricted to negative numbers when you specify a fail code for the creation of a rule set. You can enter a number in the ranges of -20999 to -20000 or 20000 to 20999.
See "Error Handling Options" for more information.
The DBMS_MACADM and DBMS_MACSEC_ROLES PL/SQL packages have changed as follows:
The DBMS_MACADM.CREATE_RULE_SET and UPDATE_RULE_SET procedures have a new parameter, is_static. The is_static parameter determines how often a rule set is evaluated when a SQL statement accesses it. See "CREATE_RULE_SET Procedure" and "UPDATE_RULE_SET Procedure" for more information.
The DBMS_MACADM package has the following new procedures:
AUTHORIZE_DATAPUMP_USER authorizes an Oracle Data Pump user to perform Oracle Data Pump operations when Oracle Database Vault is enabled. See "AUTHORIZE_DATAPUMP_USER Procedure" for more information.
UNAUTHORIZE_DATAPUMP_USER revokes the authorization that was granted by the AUTHORIZE_DATAPUMP_USER procedure. See "UNAUTHORIZE_DATAPUMP_USER Procedure" for more information.
AUTHORIZE_SCHEDULER_USER grants a user authorization to schedule database jobs when Oracle Database Vault is enabled. See "AUTHORIZE_SCHEDULER_USER Procedure" for more information.
UNAUTHORIZE_SCHEDULER_USER revokes the authorization that was granted by the AUTHORIZE_SCHEDULER_USER procedure. See "UNAUTHORIZE_SCHEDULER_USER Procedure" for more information.
The DBMS_MACSEC_ROLES.SET_ROLE procedure has been enhanced. You now can specify multiple roles with the p_role parameter. See "SET_ROLE Procedure" for more information.
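The DBMS_MACADM changes listed above, as an added example that is not taken from the Oracle guide: a rule set created with is_static and a positive fail code, followed by schema-scoped Data Pump and scheduler authorizations that are reviewed and then revoked. The user names DP_OPERATOR and JOB_OPERATOR, the HR schema, the rule set name, the fail code value and the two DVSYS view names are assumptions; run it as a user who holds the DV_OWNER or DV_ADMIN role.

```sql
-- Added example. All user, schema and rule set names are hypothetical.

-- 1. Rule set that uses the new is_static parameter and a positive fail code.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Example Session Check',
    description     => 'Example rule set (rules are added separately)',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,  -- audit every denial
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Operation blocked by Example Session Check',
    fail_code       => 20461,  -- constructed value in the new 20000..20999 range
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL,
    -- TRUE: evaluated once per session and the result is reused.
    -- Keep FALSE for rules that depend on time of day or other changing
    -- context, otherwise a stale "allow" persists for the whole session.
    is_static       => TRUE);
END;
/

-- 2. Authorize per schema rather than database-wide (least privilege).
--    Arguments are positional: user name, then object owner (schema).
BEGIN
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DP_OPERATOR', 'HR');
  DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('JOB_OPERATOR', 'HR');
END;
/

-- 3. Review who currently holds these authorizations.
--    View names are an assumption; confirm them in the data dictionary
--    reference for your release.
SELECT * FROM DVSYS.DBA_DV_DATAPUMP_AUTH;
SELECT * FROM DVSYS.DBA_DV_JOB_AUTH;

-- 4. Revoke when the export or job window is over. Pass the same
--    arguments that were used for the original authorization.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DP_OPERATOR', 'HR');
  DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('JOB_OPERATOR', 'HR');
END;
/
```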
Database Vault Configuration Assistant (DVCA) has the following changes:
Addition of the dbuniquename parameter. The dbuniquename parameter enables you to specify a globally unique name for an Oracle database. See "Adding Languages to Oracle Database Vault" for more information.
Removal of the optionrac parameter. The optionrac parameter was used for configuring Oracle Database Vault on Oracle Real Application Clusters (Oracle RAC) nodes. The new procedure for configuring Oracle Database Vault on Oracle RAC nodes is simpler. See "Configuring Oracle Database Vault on Oracle RAC Nodes" for more information.
Starting with Oracle Database 11g Release 2 (11.2), you now can access Oracle Database Vault from both Oracle Database Enterprise Manager Database Control and Grid Control. The integration also applies to releases 9.2.0.8, 10.2.0.4, and 11.1.0.7 of Oracle Database Vault.
This feature enables you to perform the following tasks:
Using Grid Control, propagate Oracle Database Vault security policies across multiple database servers to help ensure consistent policies across the enterprise
Administer and monitor all Oracle Database Vault-protected servers from a single centralized management console
Automate alerts when unauthorized attempts are made to access Oracle Database Vault-protected databases
Access Oracle Database Vault reports from the Database Control and Grid Control consoles, as well as within Database Vault Administrator
See the following sections for more information:
"Accessing Oracle Database Vault Pages from Oracle Enterprise Manager"
"Using Oracle Database Vault with Oracle Enterprise Manager Grid Control"
You now can use Oracle Recovery Manager (RMAN) in an Oracle Database Vault environment.
See "Using Oracle Database Vault with Oracle Recovery Manager".
In previous releases of Oracle Database Vault, the SYS user was prevented from granting or revoking the EXECUTE privilege on the DBMS_RLS PL/SQL package to other users. Starting with this release, user SYS can resume granting and revoking EXECUTE on DBMS_RLS to other users.
To keep DVSYS as a protected schema, you can no longer drop its objects, even if the recycle bin is disabled. For better security for other realms, you should disable the recycle bin.
See "Security Considerations for the Recycle Bin".
Oracle Database Vault no longer modifies the OS_AUTHENT_PREFIX initialization parameter during installation. The default value for the OS_AUTHENT_PREFIX parameter is OPS$.
See Oracle Database Reference for more information about this parameter.
The NOSYSDBA parameter of the ORAPWD utility has been deprecated in this release. It is no longer necessary in Oracle Database Vault. As part of this deprecation, the lockout parameter of the DVCA utility has been deprecated as well.