| Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-04 |
|
|
View PDF |
| Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-04 |
|
|
View PDF |
The Oracle Database Vault packages enable you to write custom applications that use the functionality in Oracle Database Vault Administrator, in addition to a few extra capabilities.
This appendix includes the following sections:
The functions within the DVSYS.DBMS_MACADM package allow you to write applications that configure the realms, factors, rule sets, command rules, secure application roles, and Oracle Label Security policies normally configured in Oracle Database Vault Administrator.
The DVSYS.DBMS_MACADM package is available only for users who have the DV_ADMIN or DV_OWNER role.
This section includes the following topics:
Table E-1 lists functions within the DVSYS.DBMS_MACADM package that you can use to configure realms. For constants that you can use with these functions, see Table E-77 for more information.
Chapter 3, "Configuring Realms" describes realms in detail. See also "DVSYS.DBMS_MACUTL Package" for a set of general purpose utility functions that you can use with the realm functions.
Table E-1 DVSYS.DBMS_MACADM Realm Configuration Functions
| Function | Description |
|---|---|
|
|
Authorizes a user or role to access a realm as a participant. |
|
|
Authorizes a user or role to access a realm as an owner or participant (no rule set). |
|
|
Authorizes a user or role to access a realm as a participant. Optionally, you can specify a rule set for the authorization. |
|
|
Authorizes a user or role to access a realm as a participant or owner. Optionally, you can specify a rule set for the authorization. |
|
|
|
|
|
Creates a realm. |
|
DELETE_AUTH_FROM_REALM Function |
Removes the authorization of a user or role to access a realm. |
|
DELETE_OBJECT_FROM_REALM Function |
Removes a set of objects from realm protection. |
|
|
Deletes a realm. |
|
|
Deletes a realm, including its related Database Vault configuration information. |
|
|
Renames a realm. The name change takes effect everywhere the realm is used. |
|
|
Used to allow mixed-case identifiers. This preserves the case and quotation marks of Oracle identifiers used in the packages and generally supported by Oracle. |
|
|
|
|
|
Updates the authorization of a user or role to access a realm. |
This function authorizes a user or role to access a realm as a participant. The person running this function cannot add himself or herself to the realm as a realm owner.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2);
Parameters
Table E-2 ADD_AUTH_TO_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
User or role name to authorize as a participant. To find the existing users and roles in the current database instance, use the To find the authorization of a particular user or role, use the |
This function authorizes a user or role to access a realm as an owner or a participant. The person running this function cannot add himself or herself to the realm as a realm owner.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, auth_options NUMBER);
Parameters
Table E-3 ADD_AUTH_TO_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
User or role name to authorize as owner or participant. To find the existing users and roles in the current database instance, use the To find the authorization of a particular user or role, use the |
|
|
Specify one of the following ways to authorize the realm:
See "Defining Realm Authorization" for more information on participants and owners. |
This function authorizes a user or role to access a realm as a participant. The person running this function cannot add himself or herself to the realm as a realm owner. Optionally, you can specify a rule set to check data before allowing the authorization to proceed.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table E-4 ADD_AUTH_TO_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
User or role name to authorize as participant. To find the existing users and roles in the current database instance, use the To find the authorization of a particular user or role, use the |
|
|
Rule set to check before authorizing (optional). If the rule set evaluates to TRUE, then the authorization is allowed. To find the available rule sets, use the |
This function authorizes a user or role to access a realm as a participant or owner. The person running this function cannot add himself or herself to the realm as a realm owner. Optionally, you can specify a rule set to check data before authorizing.
Syntax
ADD_AUTH_TO_REALM( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2, auth_options NUMBER);
Parameters
Table E-5 ADD_AUTH_TO_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
User or role name to authorize as owner or participant. To find the available users and roles, use the To find the authorization of a particular user or role, use the |
|
|
Rule set to check before authorizing (optional). If the rule set evaluates to TRUE, then the authorization is allowed. To find the available rule sets, use the |
|
|
Specify one of the following ways to authorize the realm:
See "Defining Realm Authorization" for more information on participants and owners. |
This function registers a set of objects for realm protection.
Syntax
ADD_OBJECT_TO_REALM( realm_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, object_type VARCHAR2);
Parameters
Table E-6 ADD_OBJECT_TO_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
Database schema owner to own this realm. To find the available users, use the To find the authorization of a particular user, use the |
|
|
Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) To find the available objects, use the To find objects that are secured by existing realms, use the |
|
|
Object type, such as |
This function creates a realm. After you create the realm, use the following functions to complete the realm definition:
ADD_OBJECT_TO_REALM function registers one or more objects for the realm.
ADD_AUTH_TO_REALM functions authorize users or roles for the realm.
Syntax
CREATE_REALM( realm_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, audit_options NUMBER);
Parameters
Table E-7 CREATE_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name, up to 90 characters in mixed-case. To find the existing realms in the current database instance, use the |
|
|
Description of the purpose of the realm, up to 1024 characters in mixed-case. |
|
|
|
|
|
Specify one of the following ways to audit the realm:
|
This function removes the authorization of a user or role to access a realm.
Syntax
DELETE_AUTH_FROM_REALM( realm_name VARCHAR2, grantee VARCHAR2);
Parameters
Table E-8 DELETE_AUTH_FROM_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
User or role name. To find the authorization of a particular user or role, use the |
This function removes a set of objects from realm protection.
Syntax
DELETE_OBJECT_FROM_REALM( realm_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, object_type VARCHAR2);
Parameters
Table E-9 DELETE_OBJECT_FROM_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
Database schema owner. To find the available users, use the To find the authorization of a particular user, use the |
|
|
Object name. (The wildcard % is allowed. See "Object Name" under "Creating Realm-Secured Objects" for exceptions to the wildcard %.) To find objects that are secured by existing realms, use the |
|
|
Object type, such as |
This function deletes a realm but does not remove its associated objects and authorizations. Before you delete a realm, you can locate its associated objects by running the DBA_DV_REALM_OBJECT view, described in"Oracle Database Vault Public Views".
If you want to remove the associated objects and authorizations as well as the realm, see "DELETE_REALM_CASCADE Function".
Syntax
DELETE_REALM( realm_name VARCHAR2);
Parameters
Table E-10 DELETE_REALM Parameter
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
This function deletes a realm, including its related Database Vault configuration information that says who is authorized (dba_dv_realm_auth) and what objects are protected (dba_dv_realm_object). It does not delete the actual database objects or users. To find a listing of the realm-related objects, run the DBA_DV_REALM view. To find its authorizations, run DBA_DV_REALM_AUTH. Both are described under "Oracle Database Vault Public Views".
Syntax
DELETE_REALM_CASCADE( realm_name VARCHAR2);
Parameters
Table E-11 DELETE_REALM_CASCADE Parameter
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
This function renames a realm. The name change takes effect everywhere the realm is used.
Syntax
RENAME_REALM( realm_name VARCHAR2, new_name VARCHAR2);
Parameters
Table E-12 RENAME_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Current realm name. To find the existing realms in the current database instance, use the |
|
|
New realm name, up to 90 characters in mixed-case. |
This function allows mixed-case identifiers. It preserves the case and quotation marks of Oracle identifiers used in the packages and generally supported by Oracle.
Syntax
SET_PRESERVE_CASE( setting BOOLEAN);
Parameter
This function updates a realm.
Syntax
UPDATE_REALM( realm_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, audit_options NUMBER);
Parameters
Table E-14 UPDATE_REALM Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
Description of the purpose of the realm, up to 1024 characters in mixed-case. |
|
|
|
|
|
Specify one of the following ways to audit the realm:
|
Updates the authorization of a user or role to access a realm.
Syntax
UPDATE_REALM_AUTH( realm_name VARCHAR2, grantee VARCHAR2, rule_set_name VARCHAR2, auth_options NUMBER);
Parameters
Table E-15 UPDATE_REALM_AUTH Parameters
| Parameter | Description |
|---|---|
|
|
Realm name. To find the existing realms in the current database instance, use the |
|
|
User or role name. To find the available users and roles, use the To find the authorization of a particular user or role, use the |
|
|
Rule set to check before authorizing (optional). If the rule set evaluates to TRUE, then the authorization is allowed. To find the available rule sets, use the |
|
|
Specify one of the following ways to authorize the realm for either realm participants or owners:
|
Table E-16 lists functions within the DVSYS.DBMS_MACADM package that you can use to configure factors.
Chapter 4, "Configuring Factors" describes factors in detail. See also "DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the factor functions.
Table E-16 DVSYS.DBMS_MACADM Factor Configuration Functions
| Function | Description |
|---|---|
|
|
Specifies a parent-child relationship for two factors. |
|
|
Specifies that the label for a factor contributes to the Oracle Label Security label for a policy. |
|
CHANGE_IDENTITY_FACTOR Function |
Associates an identity with a different factor. |
|
CHANGE_IDENTITY_VALUE Function |
Updates the value of an identity. |
|
CREATE_DOMAIN_IDENTITY Function |
Adds an Oracle Real Application Clusters (RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy. |
|
|
Creates a factor. |
|
|
Creates a factor type. |
|
|
Creates an identity. |
|
|
Defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors). |
|
|
Deletes a factor. |
|
|
Removes a parent-child relationship for two factors. |
|
|
Deletes a factor type. |
|
|
Removes an identity. |
|
|
Removes an identity map from a factor. |
|
|
Removes an Oracle Real Application Clusters (RAC) database node from a domain. |
|
|
Returns information from the |
|
|
Returns information from the |
|
|
Renames a factor. The name change takes effect everywhere the factor is used. |
|
|
Renames a factor type. The name change takes effect everywhere the factor type is used. |
|
|
|
|
|
Updates a factor. |
|
|
Updates a factor type. |
|
|
Updates a factor identity. |
This function specifies a parent-child relationship for two factors.
Syntax
ADD_FACTOR_LINK( parent_factor_name VARCHAR2, child_factor_name VARCHAR2, label_indicator VARCHAR2);
Parameters
Table E-17 ADD_FACTOR_LINK Parameters
| Parameter | Description |
|---|---|
|
|
Parent factor name. To find existing factors in the current database instance, use the |
|
|
Child factor name. To find the relationships of existing factors whose identities are determined by the association of child factors, use the |
|
|
Indicates that the child factor being linked to the parent factor contributes to the label of the parent factor in an Oracle Label Security integration. Specify either
To find the Oracle Label Security policies and labels associated with factors, use the following views, described in "Oracle Database Vault Public Views":
|
This function specifies that the label for a factor contributes to the Oracle Label Security label for a policy.
Syntax
ADD_POLICY_FACTOR( policy_name VARCHAR2, factor_name VARCHAR2);
Parameters
Table E-18 ADD_POLICY_FACTOR Parameters
| Parameter | Description |
|---|---|
|
|
Oracle Label Security policy name. To find the policies defined in the current database instance, use the |
|
|
Factor name. To find existing factors, use the |
This function associates an identity with a different factor.
Syntax
CHANGE_IDENTITY_FACTOR( factor_name VARCHAR2, value VARCHAR2, new_factor_name VARCHAR2);
Parameters
Table E-19 CHANGE_IDENTITY_FACTOR Parameters
| Parameter | Description |
|---|---|
|
|
Current factor name. To find existing factors in the current database instance, use the |
|
|
Value of the identity to update. To find existing identities for each factor in the current database instance, use the |
|
|
Name of the factor to associate with the identity. |
This function updates the value of an identity.
Syntax
CHANGE_IDENTITY_VALUE( factor_name VARCHAR2, value VARCHAR2, new_value VARCHAR2);
Parameters
Table E-20 CHANGE_IDENTITY_VALUE Parameters
| Parameter | Description |
|---|---|
|
|
Factor name. To find existing factors in the current database instance, use the |
|
|
Current value associated with the identity. To find existing identities for each factor in the current database instance, use the |
|
|
New identity value, up to 1024 characters in mixed-case. |
This function adds an Oracle Real Application Clusters (RAC) database node to the domain factor identities and labels it according to the Oracle Label Security policy.
Syntax
CREATE_DOMAIN_IDENTITY( domain_name VARCHAR2, domain_host VARCHAR2, policy_name VARCHAR2 DEFAULT NULL, domain_label VARCHAR2 DEFAULT NULL);
Parameters
Table E-21 CREATE_DOMAIN_IDENTITY Parameters
| Parameter | Description |
|---|---|
|
|
Name of the domain to which to add the host. To find the logical location of the database within the network structure within a distributed database system, use the |
|
|
Oracle Real Application Clusters host name being added to the domain. To find host name of a database, use the |
|
|
Oracle Label Security policy name. To find the available policies, use the |
|
|
Name of the domain to which to add the Oracle Label Security policy. |
This function creates a factor. After you create a factor, you need to give it an identity by using the CREATE_IDENTITY function, described in "CREATE_IDENTITY Function".
Syntax
CREATE_FACTOR( factor_name VARCHAR2, factor_type_name VARCHAR2, description VARCHAR2, rule_set_name VARCHAR2, get_expr VARCHAR2, validate_expr VARCHAR2, identify_by NUMBER, labeled_by NUMBER, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER);
Parameters
Table E-22 CREATE_FACTOR Parameters
| Parameter | Description |
|---|---|
|
|
Factor name, up to 30 characters in mixed-case, without spaces. To find existing factors in the current database instance, use the |
|
|
Factor type name, up to 30 characters in mixed-case, without spaces. |
|
|
Description of the purpose of the factor, up to 1024 characters in mixed-case. |
|
|
Rule set name if you want to use a rule set to control when and how a factor identity is set. To find existing rule sets, use the |
|
|
Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the |
|
|
Name of the function to validate the factor. This is a valid PL/SQL expression that returns a Boolean value ( |
|
|
Options for determining the identity of a factor, based on the expression set for the
See "Factor Identification" for more information. |
|
|
Options for labeling the factor:
See "Factor Labeling" for more information. |
|
|
Options for evaluating the factor when the user logs on:
See "Evaluation" for more information. |
|
|
Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.
See "Audit Options" for more information. |
|
|
Options for reporting factor errors:
See "Error Options" for more information. |
This function creates a user-defined factor type.
Syntax
CREATE_FACTOR_TYPE( name VARCHAR2, description VARCHAR2);
Parameters
Table E-23 CREATE_FACTOR_TYPE Parameters
| Parameter | Description |
|---|---|
|
|
Factor type name, up to 30 characters in mixed-case, without spaces. To find existing factor types, use the |
|
|
Description of the purpose of the factor type, up to 1024 characters in mixed-case. |
This function creates an identity. After you create a factor, you must assign it an identity.
Syntax
CREATE_IDENTITY( factor_name VARCHAR2, value VARCHAR2, trust_level NUMBER);
Parameters
Table E-24 CREATE_IDENTITY Parameters
| Parameter | Description |
|---|---|
|
|
Factor name. To find existing factors in the current database instance, use the |
|
|
The actual value of the factor, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 234.43.41.99. |
|
|
Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring an Identity" for more information about trust levels and label security. |
This function defines a set of tests that are used to derive the identity of a factor from the value of linked child factors (subfactors).
Syntax
CREATE_IDENTITY_MAP( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, parent_factor_name VARCHAR2, child_factor_name VARCHAR2, operation VARCHAR2, operand1 VARCHAR2, operand2 VARCHAR2);
Parameters
Table E-25 CREATE_IDENTITY_MAP Parameters
| Parameter | Description |
|---|---|
|
|
Factor the identity map is for. To find existing factors in the current database instance, use the |
|
|
Value the factor will assume if the identity map evaluates to TRUE. To find existing factor identities, use the |
|
|
The parent factor link to which the map is related. To find existing parent-child factor mappings, use the |
|
|
The child factor link to which the map is related. |
|
|
Relational operator for the identity map (for example, <, >, =, and so on). |
|
|
Left operand for the relational operator; refers to the low value you enter. |
|
|
Right operand for the relational operator; refers to the high value you enter. |
This function deletes a factor.
Syntax
DELETE_FACTOR( factor_name VARCHAR2);
Parameters
Table E-26 DELETE_FACTOR Parameter
| Parameter | Description |
|---|---|
|
|
Factor name. To find existing factors in the current database instance, use the |
This function removes a parent-child relationship for two factors.
Syntax
DELETE_FACTOR_LINK( parent_factor_name VARCHAR2, child_factor_name VARCHAR2);
Parameters
Table E-27 DELETE_FACTOR_LINK Parameters
| Parameter | Description |
|---|---|
|
|
Factor name. To find factors that are used in parent-child mappings in the current database instance, use the |
|
|
Factor name. |
This function deletes a factor type.
Syntax
DELETE_FACTOR_TYPE( name VARCHAR2);
Parameters
Table E-28 DELETE_FACTOR_TYPE Parameters
| Parameter | Description |
|---|---|
|
|
Factor type name. To find existing factor types in the current database instance, use the |
This function removes an identity from an existing factor.
Syntax
DELETE_IDENTITY( factor_name VARCHAR2, value VARCHAR2);
Parameters
Table E-29 DELETE_IDENTITY Parameters
| Parameter | Description |
|---|---|
|
|
Factor name. To find existing factors in the current database instance, use the |
|
|
Identity value associated with the factor. To find the identities for each factor in the current database instance, use the |
This function removes an identity map for a factor.
Syntax
DELETE_IDENTITY_MAP( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, parent_factor_name VARCHAR2, child_factor_name VARCHAR2, operation VARCHAR2, operand1 VARCHAR2, operand2 VARCHAR2);
Parameters
Table E-30 DELETE_IDENTITY_MAP Parameters
| Parameter | Description |
|---|---|
|
|
Factor the identity map is for. To find existing factors in the current database instance, use the |
|
|
Value the factor will assume if the identity map evaluates to TRUE. To find existing factor identities, use the |
|
|
The parent factor link to which the map is related. To find existing factors, use the |
|
|
The child factor link to which the map is related. |
|
|
Relational operator for the identity map (for example, <, >, =, and so on). |
|
|
Left operand for the relational operator. |
|
|
Right operand for the relational operator. |
This function removes an Oracle Real Application Clusters database node from a domain.
Syntax
DROP_DOMAIN_IDENTITY( domain_name VARCHAR2, domain_host VARCHAR2);
Parameters
Table E-31 DROP_DOMAIN_IDENTITY Parameters
| Parameter | Description |
|---|---|
|
|
Name of the domain to which the host was added. To find the domain of a database as specified by the |
|
|
Oracle Real Application Clusters host name being that was added to the domain. To find the host name for a specified database, use the |
This function returns information from the SYS.V_$INSTANCE view; it returns a VARCHAR2 value. For more information about SYS.V_$INSTANCE, see Oracle Database Reference.
Syntax
GET_INSTANCE_INFO( p_parameter VARCHAR2);
Parameters
Table E-32 GET_INSTANCE_INFO Parameter
| Parameter | Description |
|---|---|
|
|
Column name in the |
This function returns information from the SYS.V_$SESSION view for the current session; it returns a VARCHAR2 value. For more information about SYS.V_$SESSION, see Oracle Database Reference.
Syntax
GET_SESSION_INFO( p_parameter VARCHAR2);
Parameters
Table E-33 GET_SESSION_INFO Parameter
| Parameter | Description |
|---|---|
|
|
Column name in the |
This function renames a factor. The name change takes effect everywhere the factor is used.
Syntax
RENAME_FACTOR( factor_name VARCHAR2, new_factor_name VARCHAR2);
Parameters
Table E-34 RENAME_FACTOR Parameters
| Parameter | Description |
|---|---|
|
|
Factor name. To find existing factors in the current database instance, use the |
|
|
New factor name, up to 30 characters in mixed-case, without spaces. |
This function renames a factor type. The name change takes effect everywhere the factor type is used.
Syntax
RENAME_FACTOR_TYPE( old_name VARCHAR2, new_name VARCHAR2);
Parameters
Table E-35 RENAME_FACTOR_TYPE Parameters
| Parameter | Description |
|---|---|
|
|
Current factor type name. To find existing factor types in the current database instance, use the |
|
|
New factor type name, up to 30 characters in mixed-case, without spaces. |
This function allows mixed-case identifiers. It preserves the case and quotation marks of Oracle identifiers used in the packages and generally supported by Oracle.
Syntax
SET_PRESERVE_CASE( setting BOOLEAN);
Parameter
This function updates a factor.
Syntax
UPDATE_FACTOR( factor_name VARCHAR2, factor_type_name VARCHAR2, description VARCHAR2, rule_set_name VARCHAR2, get_expr VARCHAR2, validate_expr VARCHAR2, identify_by NUMBER, labeled_by NUMBER, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER);
Parameters
Table E-37 UPDATE_FACTOR
| Parameter | Description |
|---|---|
|
|
Factor name. To find existing factors in the current database instance, use the |
|
|
Factor type name. To find existing factor types, use the |
|
|
Description of the purpose of the factor, up to 1024 characters in mixed-case. |
|
|
Name of the rule set used to control when and how a factor identity is set. To find existing rule sets, use the |
|
|
Valid PL/SQL expression that retrieves the identity of a factor. It can use up to 255 characters in mixed-case. See "Retrieval Method" for more information. See also the |
|
|
Name of the function to validate factor. This is a valid PL/SQL expression that returns a Boolean value ( |
|
|
Options for determining the identity of a factor, based on the expression set for the
See "Factor Identification" for more information. |
|
|
Options for labeling the factor:
See "Factor Labeling" for more information. |
|
|
Options for evaluating the factor when the user logs on:
See "Evaluation" for more information. |
|
|
Options for auditing the factor if you want to generate a custom Oracle Database Vault audit record.
See "Audit Options" for more information. |
|
|
Options for reporting factor errors:
See "Error Options" for more information. |
This function updates a factor type.
Syntax
UPDATE_FACTOR_TYPE( name VARCHAR2, description VARCHAR2);
Parameters
Table E-38 UPDATE_FACTOR_TYPE Parameters
| Parameter | Description |
|---|---|
|
|
Factor type name. To find existing factor types in the current database instance, use the |
|
|
Description of the purpose of the factor type, up to 1024 characters in mixed-case. |
This function updates a factor identity.
Syntax
UPDATE_IDENTITY( factor_name VARCHAR2, value VARCHAR2, trust_level NUMBER);
Parameters
Table E-39 UPDATE_IDENTITY Parameters
| Parameter | Description |
|---|---|
|
|
Factor name. To find existing factors in the current database instance, use the |
|
|
New value for the factor identity, up to 1024 characters in mixed-case. For example, the identity of an IP_Address factor could be the IP address of 234.43.41.99. |
|
|
Number that indicates the magnitude of trust relative to other identities for the same factor. In general, the higher the trust level number is set, the greater the trust. A trust level of 10 indicates "very trusted." Negative trust levels are not trusted. See "Creating and Configuring an Identity" for more information about trust levels and label security. |
Table E-40 lists functions within the DVSYS.DBMS_MACADM package that you can use to configure rule sets.
Chapter 6, "Configuring Rule Sets" describes rule sets in detail. See also "DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the rule set functions.
Table E-40 DVSYS.DBMS_MACADM Rule Set Configuration Functions
| Function | Description |
|---|---|
|
|
Adds an enabled rule to the end of a rule set. |
|
|
Adds a rule to the end of a rule set. |
|
|
Adds a rule to a rule set. |
|
|
Creates a rule. |
|
|
Creates a rule set. |
|
|
Deletes a rule. |
|
DELETE_RULE_FROM_RULE_SET Function |
Deletes a rule from a rule set. |
|
|
Deletes a rule set. |
|
|
Renames a rule. The name change takes effect everywhere the rule is used. |
|
|
Renames a rule set. The name change takes effect everywhere the rule set is used. |
|
|
|
|
|
Synchronizes the rules in Oracle Database Vault and Advanced Queuing Rules engine. You must perform this operation immediately after a rollback of an Add, Delete, or Modify rule operation. |
|
|
Updates a rule. |
|
|
Updates a rule set. |
This function adds an enabled rule to the end of a rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2, rule_order NUMBER, enabled VARCHAR2);
Parameters
Table E-41 ADD_RULE_TO_RULE_SET Parameters
| Parameter | Description |
|---|---|
|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
|
Rule to add to the rule set. To find existing rules, use the |
|
|
Order of evaluation for the rule in the rule set. Enter |
|
|
|
This function adds a rule to the end of a rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2, rule_order NUMBER);
Parameters
Table E-42 ADD_RULE_TO_RULE_SET Parameters
| Parameter | Description |
|---|---|
|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
|
Rule to add to the rule set. To find existing rules, use the |
|
|
Order of evaluation for the rule in the rule set. |
This function adds a rule to a rule set.
Syntax
ADD_RULE_TO_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2);
Parameters
Table E-43 ADD_RULE_TO_RULE_SET Parameters
| Parameter | Description |
|---|---|
|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
|
Rule to add to the rule set. To find existing rules in the current database instance, use the |
Syntax
CREATE_RULE( rule_name VARCHAR2, rule_expr VARCHAR2);
Parameters
Table E-44 CREATE_RULE Parameters
| Parameter | Description |
|---|---|
|
|
Rule name, up to 90 characters in mixed-case. To find existing rules in the current database instance, use the |
|
|
PL/SQL See "Creating a New Rule" for more information on rule expressions. |
This function creates a rule set. After you create a rule set, you can use the CREATE_RULE and ADD_RULE_TO_RULE set functions to create and add a rule to the rule set.
Syntax
CREATE_RULE_SET( rule_set_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER, fail_message VARCHAR2, fail_code NUMBER, handler_options NUMBER, handler VARCHAR2);
Parameters
Table E-45 CREATE_RULE_SET Parameters
| Parameter | Description |
|---|---|
|
|
Rule set name, up to 90 characters in mixed-case, without spaces. To find existing rule sets in the current database instance, use the |
|
|
Description of the purpose of the rule set, up to 1024 characters in mixed-case. |
|
|
|
|
|
If you plan to assign more than one rule to the rule set, enter one of the following settings:
|
|
|
Select one of the following settings:
See "Audit Options" for more information. |
|
|
Options for reporting factor errors:
See "Error Handling Options" for more information. |
|
|
Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for |
|
|
Enter a negative number in the range of -20000 to -20999, to associate with the |
|
|
Select one of the following settings:
See "Error Handling Options" for more information. |
|
|
Custom event handler logic. See "Error Handling Options" for more information. |
Syntax
DELETE_RULE( rule_name VARCHAR2);
Parameter
Table E-46 DELETE_RULE Parameter
| Parameter | Description |
|---|---|
|
|
Rule set name. To find existing rule sets in the current database instance, use the |
This function deletes a rule from a rule set.
Syntax
DELETE_RULE_FROM_RULE_SET( rule_set_name VARCHAR2, rule_name VARCHAR2);
Parameters
Table E-47 DELETE_RULE_FROM_RULE_SET Parameters
| Parameter | Description |
|---|---|
|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
|
Rule to remove from the rule set. To find rules that have been associated with rule sets, use |
This function deletes a rule set.
Syntax
DELETE_RULE_SET( rule_set_name VARCHAR2);
Parameters
Table E-48 DELETE_RULE_SET Parameter
| Parameter | Description |
|---|---|
|
|
Rule set name. To find existing rule sets in the current database instance, use the |
This function renames a rule. The name change takes effect everywhere the rule is used.
Syntax
RENAME_RULE( rule_name VARCHAR2, new_name VARCHAR2);
Parameters
Table E-49 RENAME_RULE Parameters
| Parameter | Description |
|---|---|
|
|
Rule name. To find existing rules in the current database instance, use the |
|
|
New rule name, up to 90 characters in mixed-case. |
This function renames a rule set. The name change takes effect everywhere the rule set is used.
Syntax
RENAME_RULE_SET( rule_set_name VARCHAR2, new_name VARCHAR2);
Parameters
This function allows mixed-case identifiers. It preserves the case and quotation marks of Oracle identifiers used in the packages and generally supported by Oracle.
Syntax
SET_PRESERVE_CASE( setting BOOLEAN);
Parameters
This function synchronizes the rules in Oracle Database Vault and Advanced Queuing Rules engine. You must perform this operation immediately after a rollback of an Add, Delete, or Modify rule operation.
Syntax
SYNC_RULES();
Parameters
None.
Syntax
UPDATE_RULE( rule_name VARCHAR2, rule_expr VARCHAR2);
Parameters
Table E-52 UPDATE_RULE Parameters
| Parameter | Description |
|---|---|
|
|
Rule name. To find existing rules in the current database instance, use the |
|
|
PL/SQL See "Creating a New Rule" for more information on rule expressions. |
This function updates a rule set.
Syntax
UPDATE_RULE_SET( rule_set_name VARCHAR2, description VARCHAR2, enabled VARCHAR2, eval_options NUMBER, audit_options NUMBER, fail_options NUMBER, fail_message VARCHAR2, fail_code NUMBER, handler_options NUMBER, handler VARCHAR2);
Parameters
Table E-53 UPDATE_RULE_SET Parameters
| Parameter | Description |
|---|---|
|
|
Rule set name. To find existing rule sets in the current database instance, use the |
|
|
Description of the purpose of the rule set, up to 1024 characters in mixed-case. |
|
|
|
|
|
If you plan to assign more than one rule to the rule set, enter one of the following settings:
|
|
|
Select one of the following settings:
See "Audit Options" for more information. |
|
|
Options for reporting factor errors:
See "Error Handling Options" for more information. |
|
|
Error message for failure, up to 80 characters in mixed-case, to associate with the fail code you specify for |
|
|
Enter a negative number in the range of -20000 to -20999, to associate with the |
|
|
Select one of the following settings:
See "Error Handling Options" for more information. |
|
|
Custom event handler logic. See "Error Handling Options" for more information. |
Table E-54 lists functions within the DVSYS.DBMS_MACADM package that you can use to configure command rules.
Chapter 5, "Configuring Command Rules" describes command rules in detail. See also "DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the command rule functions.
Table E-54 DVSYS.DBMS_MACADM Command Rule Configuration Functions
| Function | Description |
|---|---|
|
|
Creates a command rule and associates it with a rule set. |
|
|
Drops a command rule declaration. |
|
|
|
|
|
Updates a command rule declaration. |
This function creates a command rule and associates it with a rule set.
Syntax
CREATE_COMMAND_RULE( command VARCHAR2, rule_set_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, enabled VARCHAR2);
Parameters
Table E-55 CREATE_COMMAND_RULE Parameters
| Parameter | Description |
|---|---|
|
|
SQL statement to protect. See Oracle Database SQL Reference for more information of SQL statements. |
|
|
Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, use the |
|
|
Database schema owner for this command rule. To find the available users, use the |
|
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing Command Rules" for more information about objects protected by command rules.) To find the available objects, use the |
|
|
|
This function drops a command rule declaration.
Syntax
DELETE_COMMAND_RULE( command VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2);
Parameters
Table E-56 DELETE_COMMAND_RULE Parameters
| Parameter | Description |
|---|---|
|
|
SQL statement the command rule protects. See Oracle Database SQL Reference for more information of SQL statements. |
|
|
Database schema owner for this command rule. To find the available users in the current database instance, use the |
|
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing Command Rules" for more information about objects protected by command rules.) To find the available objects, use the |
This function allows mixed-case identifiers. It preserves the case and quotation marks of Oracle identifiers used in the packages and generally supported by Oracle.
Syntax
SET_PRESERVE_CASE( setting BOOLEAN);
Parameter
This function updates a command rule declaration.
Syntax
UPDATE_COMMAND_RULE( command VARCHAR2, rule_set_name VARCHAR2, object_owner VARCHAR2, object_name VARCHAR2, enabled VARCHAR2);
Parameters
Table E-58 UPDATE_COMMAND_RULE Parameters
| Parameter | Description |
|---|---|
|
|
SQL statement to protect. See Oracle Database SQL Reference for more information of SQL statements. |
|
|
Name of rule set to associate with this command rule. To find existing rule sets in the current database instance, use the |
|
|
Database schema owner for this command rule. To find the available users, use the |
|
|
Object name. (The wildcard % is allowed. See "Object Name" in "Creating and Editing Command Rules" for more information about objects protected by command rules.) To find the available objects, use the |
|
|
|
Table E-59 lists functions within the DVSYS.DBMS_MACADM package that you can use to configure Oracle Database Vault secure application roles.
Chapter 7, "Configuring Secure Application Roles for Oracle Database Vault" describes secure application roles in detail. See also "DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the secure application role functions.
Table E-59 DVSYS.DBMS_MACADM Secure Application Role Configuration Functions
| Function | Description |
|---|---|
|
|
Creates an Oracle Database Vault secure application role. |
|
|
Deletes an Oracle Database Vault secure application role. |
|
|
Renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used. |
|
|
|
|
|
Updates a Oracle Database Vault secure application role. |
This function creates an Oracle Database Vault secure application role.
Syntax
CREATE_ROLE( role_name VARCHAR2, enabled VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table E-60 CREATE_ROLE Parameters
| Parameter | Description |
|---|---|
|
|
Role name, up to 30 characters, with no spaces. Preferably, enter the role name in upper case letters, though you are not required to do so. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Reference. To find existing secure application roles in the current database instance, use the |
|
|
|
|
|
Name of rule set to determine whether a user can set this secure application role. To find existing rule sets in the current database instance, use the |
This function deletes an Oracle Database Vault secure application role.
Syntax
DELETE_ROLE( role_name VARCHAR2);
Parameters
Table E-61 DELETE_ROLE Parameter
| Parameter | Description |
|---|---|
|
|
Role name. To find existing secure application roles in the current database instance, use the |
This function renames an Oracle Database Vault secure application role. The name change takes effect everywhere the role is used.
Syntax
RENAME_ROLE( role_name VARCHAR2, new_role_name VARCHAR2);
Parameters
Table E-62 RENAME_ROLE Parameters
| Parameter | Description |
|---|---|
|
|
Role name. To find existing secure application roles in the current database instance, use the |
|
|
Role name, up to 30 characters, in uppercase, with no spaces. Ensure that this name follows the standard Oracle naming conventions for role creation described in Oracle Database SQL Reference. |
This function allows mixed-case identifiers. It preserves the case and quotation marks of Oracle identifiers used in the packages and generally supported by Oracle.
Syntax
SET_PRESERVE_CASE( setting BOOLEAN);
Parameter
This function updates a Oracle Database Vault secure application role.
Syntax
UPDATE_ROLE( role_name VARCHAR2, enabled VARCHAR2, rule_set_name VARCHAR2);
Parameters
Table E-64 UPDATE_ROLE Parameters
| Parameter | Description |
|---|---|
|
|
Role name. To find existing secure application roles in the current database instance, use the |
|
|
|
|
|
Name of rule set to determine whether a user can set this secure application role. To find existing rule sets in the current database instance, use the |
Table E-65 lists functions within the DVSYS.DBMS_MACADM package that you can use to configure Oracle Label Security policies.
Chapter 8, "Integrating Oracle Database Vault with Other Oracle Products" describes Oracle Label Security policies in detail. See also "DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the Oracle Label Security policy functions.
Table E-65 DVSYS.DBMS_MACADM Oracle Label Security Configuration Functions
| Function | Description |
|---|---|
|
|
Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label. |
|
|
Labels an identity within an Oracle Label Security policy. |
|
DELETE_MAC_POLICY_CASCADE Function |
Deletes all Oracle Database Vault objects related to an Oracle Label Security policy. |
|
|
Removes the factor from contributing to the Oracle Label Security label. |
|
|
Removes the label from an identity within an Oracle Label Security policy. |
|
|
|
|
|
Specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label. |
This function specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
Syntax
CREATE_MAC_POLICY( policy_name VARCHAR2, algorithm VARCHAR2);
Parameters
Table E-66 CREATE_MAC_POLICY Parameters
| Parameter | Description |
|---|---|
|
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
|
Merge algorithm for cases when Oracle Label Security has merged two labels. Enter the code listed in Table E-67 that corresponds to the merge algorithm you want. For example, enter For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
Table E-67 Merge Algorithm Codes
| Code | Value |
|---|---|
|
|
Maximum Level/Union/Union |
|
|
Maximum Level/Intersection/Union |
|
|
Maximum Level/Minus/Union |
|
|
Maximum Level/Null/Union |
|
|
Maximum Level/Union/Intersection |
|
|
Maximum Level/Intersection/Intersection |
|
|
Maximum Level/Minus/Intersection |
|
|
Maximum Level/Null/Intersection |
|
|
Maximum Level/Union/Minus |
|
|
Maximum Level/Intersection/Minus |
|
|
Maximum Level/Minus/Minus |
|
|
Maximum Level/Null/Minus |
|
|
Maximum Level/Union/Null |
|
|
Maximum Level/Intersection/Null |
|
|
Maximum Level/Minus/Null |
|
|
Maximum Level/Null/Null |
|
|
Minimum Level/Union/Union |
|
|
Minimum Level/Intersection/Union |
|
|
Minimum Level/Minus/Union |
|
|
Minimum Level/Null/Union |
|
|
Minimum Level/Union/Intersection |
|
|
Minimum Level/Intersection/Intersection |
|
|
Minimum Level/Minus/Intersection |
|
|
Minimum Level/Null/Intersection |
|
|
Minimum Level/Union/Minus |
|
|
Minimum Level/Intersection/Minus |
|
|
Minimum Level/Minus/Minus |
|
|
Minimum Level/Null/Minus |
|
|
Minimum Level/Union/Null |
|
|
Minimum Level/Intersection/Null |
|
|
Minimum Level/Minus/Null |
|
|
Minimum Level/Null/Null |
This function labels an identity within an Oracle Label Security policy.
Syntax
CREATE_POLICY_LABEL( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, policy_name VARCHAR2, label VARCHAR2);
Parameters
Table E-68 CREATE_POLICY_LABEL Parameters
| Parameter | Description |
|---|---|
|
|
Name of factor being labeled. To find existing factors in the current database instance, use the See also "Label Security Policy Factors" for more information. |
|
|
Value of identity for the factor being labeled. To find the identities of existing factors in the current database instance, use the |
|
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
|
Oracle Label Security label name. To find existing policy labels for factor identifiers, use the |
This function deletes all Oracle Database Vault objects related to an Oracle Label Security policy.
Syntax
DELETE_MAC_POLICY_CASCADE( policy_name VARCHAR2);
Parameters
Table E-69 DELETE_MAC_POLICY_CASCADE Parameter
| Parameter | Description |
|---|---|
|
|
Name of existing policy. To find existing policies in the current database instance, use the |
This function removes the factor from contributing to the Oracle Label Security label.
Syntax
DELETE_POLICY_FACTOR( policy_name VARCHAR2, factor_name VARCHAR2);
Parameters
Table E-70 DELETE_POLICY_FACTOR Parameters
| Parameter | Description |
|---|---|
|
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
|
Name of factor associated with the Oracle Label Security label. To find factors that are associated with Oracle Label Security policies, use |
This function removes the label from an identity within an Oracle Label Security policy.
Syntax
DELETE_POLICY_LABEL( identity_factor_name VARCHAR2, identity_factor_value VARCHAR2, policy_name VARCHAR2, label VARCHAR2);
Parameters
Table E-71 DELETE_POLICY_LABEL Parameters
| Parameter | Description |
|---|---|
|
|
Name of factor that was labeled. To find existing factors in the current database instance that are associated with Oracle Label Security policies, use See also "Label Security Policy Factors" for more information. |
|
|
Value of identity for the factor that was labeled. To find the identities of existing factors in the current database instance, use the |
|
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
|
Oracle Label Security label name. To find existing policy labels for factor identifiers, use the |
This function allows mixed-case identifiers. It preserves the case and quotation marks of Oracle identifiers used in the packages and generally supported by Oracle.
Syntax
SET_PRESERVE_CASE( setting BOOLEAN);
Parameter
This function specifies the algorithm that is used to merge labels when computing the label for a factor, or the Oracle Label Security Session label.
Syntax
UPDATE_MAC_POLICY( policy_name VARCHAR2, algorithm VARCHAR2);
Parameters
Table E-73 UPDATE_MAC_POLICY
| Parameter | Description |
|---|---|
|
|
Name of existing policy. To find existing policies in the current database instance, use the |
|
|
Merge algorithm for cases when Oracle Label Security has merged two labels. For example: "LII - Minimum Level/Intersection/Intersection" For more information on label-merging algorithms, see Oracle Label Security Administrator's Guide. |
You can modify your applications to use the functions within the DVSYS.DBMS_MACSEC_ROLES package to check the authorization for a user or to set an Oracle Database Vault secure application role. The DVSYS.DBMS_MACSEC_ROLES package is available to all users.
Chapter 7, "Configuring Secure Application Roles for Oracle Database Vault" describes secure application roles in detail. See also "DVSYS.DBMS_MACUTL Package" for a set of general-purpose utility functions that you can use with the secure application role functions.
Table E-74 lists the DVSYS.DBMS_MACSEC_ROLES package functions.
Table E-74 DVS.DBMS_MACSEC_ROLES Oracle Label Security Configuration Functions
| Function | Description |
|---|---|
|
|
Checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. Returns a |
|
|
Issues the |
This function checks whether the user invoking the method is authorized to use the specified Oracle Database Vault secure application role. It returns a BOOLEAN value.
Syntax
CAN_SET_ROLE( p_role VARCHAR2);
Parameters
Table E-75 CAN_SET_ROLE Parameter
| Parameter | Description |
|---|---|
|
|
Role name. To find existing secure application roles, use the |
This function issues the SET ROLE statement for an Oracle Database Vault secure application role. If a rule set that is associated with the role evaluation to false, then the role is not set.
Syntax
SET_ROLE( p_role VARCHAR2);
Parameters
Table E-76 SET_ROLE Parameter
| Parameter | Description |
|---|---|
|
|
Role name. To find existing secure application roles in the current database instance, use the |
The DVSYS.DBMS_MACUTL package provides a set of general purpose utility functions that you can use throughout the application code you write for Oracle Database Vault. This package is available to all users.
This section explores the following topics:
Table E-77 summarizes field (that is, constant) descriptions for the DVSYS.DBMS_MACUTL package.
Table E-77 DVSYS.DBMS_MACUTL Field Summary
| FIeld Name | Data Type | Description |
|---|---|---|
|
|
|
Realm Objects: Wildcard to indicate all object names or all object types |
|
|
|
Factor |
|
|
|
|
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
|
|
|
|
Code groups: |
|
|
|
Code groups: Database object types |
|
|
|
Code groups: DDL commands. |
|
|
|
Code groups: Factor |
|
|
|
Code groups: Factor |
|
|
|
Code groups: Factor |
|
|
|
Code groups: Factor |
|
|
|
Code groups: Factor |
|
|
|
Code groups: Oracle Label Security Policy merge algorithms |
|
|
|
Code groups: Oracle Database Vault Error messages |
|
|
|
Code groups: SQL relational operators |
|
|
|
Code groups: Realm |
|
|
|
Code groups: Rule Set |
|
|
|
Code groups: Rule set |
|
|
|
Code groups: Rule set handler_options |
|
|
|
Code groups: Rule set |
|
|
|
Code groups: SQL statements |
|
|
|
Factors: The term context in the field name refers to the application context capability in Oracle Database. |
|
|
|
Factor labels: The term context in the field name refers to the application context capability in Oracle Database. |
|
|
|
The access control and Oracle Label Security context start with this field name The term context in the field name refers to the application context capability in Oracle Database. |
|
|
|
Realm: The term context in the field name refers to the application context capability in Oracle Database. |
|
|
|
Session Labels: The term context in the field name refers to the application context capability in Oracle Database. |
|
|
|
Factor |
|
|
|
|
|
|
|
|
|
|
|
Fail_options: Fail with no message |
|
|
|
Fail_options: Fail with message |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
Factor |
|
|
|
This is the highest label a user could set based on the factors. It does not take into account the label for a user. |
|
|
|
The label that a factor with a null label defaults to |
|
|
|
No constant for enabled and |
|
|
|
The Oracle Label Security session label for a user at the time |
|
|
|
|
|
|
|
Realm |
|
|
|
Realm |
|
|
|
Realm authorizations: Owner |
|
|
|
Realm authorizations: Participant |
|
|
|
|
|
|
|
Rule set |
|
|
|
Rule set |
|
|
|
Rule set |
|
|
|
Rule set |
|
|
|
Rule set |
|
|
|
Rule set |
|
|
|
Rule set |
|
|
|
Rule set |
|
|
|
Rule set |
|
|
|
This is what Oracle Label Security has decided the user's label should be set to after factoring in the preceding values. |
|
|
|
Yes constant for enabled and |
Table E-78 lists the functions in the DVSYS.DBMS_MACUTL package.
Table E-78 DVSYS.DBMS_MACUTL Utility Functions
| Function | Descriptions |
|---|---|
|
CHECK_DVSYS_DML_ALLOWED Function |
Verifies that public-packages are not being bypassed by users updating the Oracle Database Vault configuration. |
|
|
Looks up the ID for a code within a code group; returns a |
|
|
Looks up the value for a code within a code group; returns a |
|
|
Constructs an XML document that contains the values for all of the factors; returns a Use this function to retrieve factors at the current time for a session. It is also useful for auditing purposes. |
|
|
Returns the seconds in Oracle SS format (00-59); returns a |
|
|
Returns the minute in Oracle MI format (00–59); returns a |
|
|
Returns the month in Oracle HH24 format (00–23); returns a |
|
|
Returns the day in Oracle DD format (01–31); returns a |
|
|
Returns the month in Oracle MM format (01–12); returns a |
|
|
Returns the year in Oracle YYYY format (0001–9999); returns a |
|
|
Checks for a string in the PL/SQL call stack; returns a |
|
|
Concatenates the elements of |
|
|
Checks whether the character is alphabetic; returns a |
|
|
Checks whether the character is numeric; returns a |
|
|
Determines whether a user is authorized to manage the Oracle Database Vault configuration; returns a |
|
|
Returns an indicator as to whether or not Oracle Label Security is installed; returns a |
|
IS_OLS_INSTALLED_VARCHAR Function |
Returns an indicator as to whether or not Oracle Label Security is installed; returns a |
|
RAISE_UNAUTHORIZED_OPERATION Function |
|
|
|
Looks up an Oracle RDBMS error message; returns a |
|
|
Looks up an Oracle RDBMS error message; returns a |
|
|
Alters a string to make it a legal Oracle identifier; returns a |
|
USER_HAS_OBJECT_PRIVILEGE Function |
Checks whether a user or role may access an object through an object privilege grant; returns a |
|
|
Checks whether a user has a role privilege, directly or indirectly (through another role); returns a |
|
USER_HAS_ROLE_VARCHAR Function |
Checks whether a user has a role privilege, directly or indirectly (through another role); returns a |
|
USER_HAS_SYSTEM_PRIVILEGE Function |
Checks whether a user has a system privilege, directly or indirectly (through a role); returns a |
This function verifies that public packages are not being bypassed by users updating the Oracle Database Vault configuration.
Syntax
CHECK_DVSYS_DML_ALLOWED( p_user VARCHAR2 DEFAULT USER);
Parameter
Table E-79 CHECK_DVSYS_DML_ALLOWED Parameter
| Parameter | Description |
|---|---|
|
|
User performing the operation. To find existing users in the current database instance, use the following views:
|
This function looks up the ID for a code within a code group, and then returns a NUMBER value. These codes are used for the user interface, views, and for validating input in a translatable fashion.
Syntax
GET_CODE_ID( p_code_group VARCHAR2, p_code VARCHAR2);
Parameters
Table E-80 GET_CODE_ID Parameters
| Parameter | Description |
|---|---|
|
|
Code group, for example, To find available code groups in the current database instance, use the |
|
|
Value of the code from This value is listed when you run the |
This function looks up the value for a code within a code group, and then returns a VARCHAR2 value.
Syntax
GET_CODE_VALUE( p_code_group VARCHAR2, p_code VARCHAR2);
Parameters
Table E-81 GET_CODE_VALUE Parameters
| Parameter | Description |
|---|---|
|
|
Code group, for example, To find existing code groups in the current database instance, use the |
|
|
ID of the code. This ID is listed when you run the |
This function constructs an XML document that contains the values for all of the factors. This XML document is only intended for auditing or tracing and is truncated if it is longer than 4000 characters. The function returns a VARCHAR2 value.
Use this function to retrieve factors at the current time for a session. It is also useful for auditing purposes.
Syntax
GET_FACTOR_CONTEXT();
Parameters
None.
This function returns the seconds in Oracle SS (seconds) format (00–59), and then returns a NUMBER value. It is useful for rule expressions based on time data.
Syntax
GET_SECOND( p_date DATE DEFAULT SYSDATE);
Parameter
This function returns the minute in Oracle MI (minute) format (00–59); returns a NUMBER value. Useful for rule expressions based on time data.
Syntax
GET_MINUTE( p_date DATE DEFAULT SYSDATE);
Parameter
Table E-83 GET_MINUTE Parameter
| Parameter | Description |
|---|---|
|
|
Date in MI format, for example, If you do not specify a date, Oracle Database Vault uses the Oracle Database |
This function returns the hour in Oracle HH24 (hour) format (00–23); returns a NUMBER value. Useful for rule expressions based on time data.
Syntax
GET_HOUR( p_date DATE DEFAULT SYSDATE);
Parameter
Table E-84 GET_HOUR Parameter
| Parameter | Description |
|---|---|
|
|
Date in HH24 format, for example, If you do not specify a date, Oracle Database Vault uses the Oracle Database |
This function returns the day in Oracle DD (day) format (01–31); returns a NUMBER value. It is useful for rule expressions based on time data.
Syntax
GET_DAY( p_date DATE DEFAULT SYSDATE);
Parameter
Table E-85 GET_DAY Parameter
| Parameter | Description |
|---|---|
|
|
Date in DD format, for example, If you do not specify a date, Oracle Database Vault uses the Oracle Database |
This function returns the month in Oracle MM (month) format (01–12); returns a NUMBER value. Useful for rule expressions based on time data.
Syntax
GET_MONTH( p_date DATE DEFAULT SYSDATE);
Parameter
This function returns the year in Oracle YYYY (year) format (0001–9999); returns a NUMBER value. Useful for rule expressions based on time data.
Syntax
GET_YEAR( p_date DATE DEFAULT SYSDATE);
Parameter
This function concatenates the elements of ora_name_list_t into a single VARCHAR2 value, and then returns a VARCHAR2 value.
Syntax
GET_SQL_TEXT( p_sql_text ora_name_list_t);
Parameters
This function checks for a string in the PL/SQL call stack, and then returns a BOOLEAN value. IN_CALL_STACK returns TRUE if the string is in the call stack.
Syntax
IN_CALL_STACK( p_search_term VARCHAR2);
Parameter
This function checks whether the character is alphabetic, and then returns a BOOLEAN value. IS_ALPHA returns TRUE if the character is alphabetic.
Syntax
IS_ALPHA( c VARCHAR2);
Parameter
This function checks whether the character is numeric, and then returns a BOOLEAN value. IS_DIGIT returns TRUE if the character is a digit.
Syntax
IS_DIGIT( c VARCHAR2);
Parameter
This function determines whether a user is authorized to manage the Oracle Database Vault configuration, and then returns a BOOLEAN value. IS_DVSYS_OWNER returns TRUE if the user is authorized.
Syntax
IS_DVSYS_OWNER( p_user VARCHAR2 DEFAULT USER);
Parameter
Table E-92 IS_DVSYS_OWNER Parameter
| Parameter | Description |
|---|---|
|
|
User to check. To find existing users, use the following views:
|
This function returns an indicator as to whether or not Oracle Label Security is installed, and then returns a TRUE or FALSE BOOLEAN value. If Oracle Label Security is installed, IS_OLS_INSTALLED returns TRUE.
Syntax
IS_OLS_INSTALLED()
Parameters
None.
This function returns an indicator as to whether or not Oracle Label Security is installed, and then returns a Y or N VARCHAR2 value. If Oracle Label Security is installed, IS_OLS_INSTALLED_VARCHAR returns Y.
Syntax
IS_OLS_INSTALLED_VARCHAR()
Parameters
None.
This function looks up an Oracle RDBMS error message, and then returns a VARCHAR2 value.
Syntax
GET_MESSAGE_LABEL( p_message_code VARCHAR2);
Parameters
Table E-93 GET_MESSAGE_LABEL Parameter
| Parameter | Description |
|---|---|
|
|
Message code. See Oracle Database Error Messages for a listing of error messages. |
|
|
Value to substitute for %1 |
|
|
Value to substitute for %2 |
|
|
Value to substitute for %3 |
|
|
Value to substitute for %4 |
|
|
Value to substitute for %5 |
|
|
Value to substitute for %6 |
This function looks up an Oracle RDBMS error message, and then returns a NUMBER value.
Syntax
GET_MESSAGE_LABEL( p_message_code NUMBER);
Parameters
Table E-94 GET_MESSAGE_LABEL Parameter
| Parameter | Description |
|---|---|
|
|
Message code. See Oracle Database Error Messages for a listing of error messages. |
|
|
Value to substitute for %1 |
|
|
Value to substitute for %2 |
|
|
Value to substitute for %3 |
|
|
Value to substitute for %4 |
|
|
Value to substitute for %5 |
|
|
Value to substitute for %6 |
This function generates an ORA-20920 (Unauthorized Operation) error for unauthorized users.
Syntax
RAISE_UNAUTHORIZED_OPERATION( p_user VARCHAR2 DEFAULT USER);
Parameter
Table E-95 RAISE_UNAUTHORIZED_OPERATION Parameter
| Parameter | Description |
|---|---|
|
|
User performing the operation. To find existing users, use the following views:
|
This function turns string into a legal Oracle identifier, and then returns a VARCHAR2 value.
Syntax
TO_ORACLE_IDENTIFIER( id VARCHAR2);
Parameter
This function checks whether a user or role may access an object through an object privilege grant, and then returns a BOOLEAN value. If the user or role has object privileges, then USER_HAS_OBJECT_PRIVILEGE returns TRUE.
Syntax
USER_HAS_OBJECT_PRIVILEGE( p_user VARCHAR2, p_object_owner VARCHAR2, p_object_name VARCHAR2, p_privilege VARCHAR2);
Parameters
Table E-97 USER_HAS_OBJECT_PRIVILEGE Parameters
| Parameter | Description |
|---|---|
|
|
User or role to check. To find existing users, use the following views:
|
|
|
Object owner. To find the available users, use the To find the authorization of a particular user, use the |
|
|
Object name. To find the available objects, use the To find objects that are secured by existing realms, use the |
|
|
Object privilege, for example, To find privileges for a database account excluding |
This function checks whether a user has a role privilege, directly or indirectly (through another role), and then returns a BOOLEAN value. If the user has a role privilege, then USER_HAS_ROLE returns TRUE.
Syntax
USER_HAS_ROLE( p_role VARCHAR2, p_user VARCHAR2 DEFAULT USER);
Parameters
Table E-98 USER_HAS_ROLE Parameters
| Parameter | Description |
|---|---|
|
|
Role privilege to check. To find existing roles, use the following views:
|
|
|
User to check. To find existing users, use the following views:
|
This function checks whether a user has a role privilege, directly or indirectly (through another role), and then returns a VARCHAR2 value. If the user has the role privilege specified, then USER_HAS_ROLE_VARCHAR returns Y.
Syntax
USER_HAS_ROLE_VARCHAR( p_role VARCHAR2, p_user VARCHAR2 DEFAULT USER);
Parameters
Table E-99 USER_HAS_ROLE_VARCHAR Parameters
| Parameter | Description |
|---|---|
|
|
Role to check. To find existing roles, use the following views:
|
|
|
User to check. To find existing users, use the following views:
|
This function checks whether a user has a system privilege, directly or indirectly (through a role), and then returns a BOOLEAN value. If the user has the system privilege specified, then USER_HAS_SYSTEM_PRIVILEGE returns TRUE.
Syntax
USER_HAS_SYSTEM_PRIVILEGE( p_privilege VARCHAR2, p_user VARCHAR2 DEFAULT USER);
Parameters
Table E-100 USER_HAS_SYSTEM_PRIVILEGE Parameters
| Parameter | Description |
|---|---|
|
|
System privilege to check for. To find privileges for a database account excluding |
|
|
User to check. To find existing users, use the following views:
|
