Friday 30 December 2011

ORACLE VAULT EXCERPTS FROM (KARAN AND VINAY)


Well, I just had a strong sweet coffee and am feeling good about Vault already, down in Delhi..

Some very important tips for Oracle Vault security DBAs; please do read the following:

1) First, you need the Advanced Security Option enabled on your Oracle system.
2) When you install Vault you need Label Security as well; Label Security is required for Vault to work.
3) You will now see two roles: DV_OWNER and DV_ACCTMGR.

DV_OWNER gets roles such as DV_ADMIN, DV_PATCH_ADMIN, DV_STREAMS_ADMIN and DV_SECANALYST, so the owner can log on to Database Vault Administrator and modify Vault configurations. The interesting fact is that the owner cannot change user passwords, and even SYS and SYSTEM now cannot change passwords. Nor can they simply access objects that are protected by realms.

DV_ACCTMGR, on the other hand, can only create users and modify their passwords. And one special thing which everybody loves is that DV_ACCTMGR cannot modify the password of DV_OWNER.

Please understand that SYS and SYSTEM are no longer all-powerful users: they cannot create users and cannot change anybody's password, although they can of course change their own. That is why we have the Vault owner, which is specified at the time of Vault installation; the user created for this Vault manager will be the master here for security responsibilities.

DV_OWNER can modify Vault security configurations, and can also disable security components and auditing. NOTE: SYS and SYSTEM cannot create users once Vault is configured.

There is another role, DV_ACCTMGR, for the separation of responsibilities. Let us say that KARAN is the Vault owner with the DV_OWNER role and ASHISH is the one with the DV_ACCTMGR role. Now ASHISH can modify the passwords of all users and create users, but he cannot change the password of DV_OWNER. Otherwise, imagine if he were able to change KARAN's password: ASHISH could then add a user to the realm, do the damage, and drop the user from the realm. That is why KARAN is the one responsible for REALMS, RULE SETS, FACTORS and so on ...

Database views: DBA_DV_REALM, DBA_DV_REALM_OBJECT, DBA_DV_REALM_AUTH

The DVSYS schema contains procedures to create, modify and delete a realm. Everything you do from DVA (Database Vault Administrator) can be done using the API.
The procedures are in DVSYS.MACADM.
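As an added example (not the author's code), here is how a realm could be set up through the API rather than DVA, and then checked through the three views listed above. It assumes the Oracle Database Vault 11g Release 2 signatures of DVSYS.DBMS_MACADM / DVSYS.DBMS_MACUTL, a constructed schema named HR_DATA, and a session holding DV_OWNER (or DV_ADMIN).

```sql
-- Added example, not from the original post. Schema HR_DATA and realm name are constructed.
-- Assumes Oracle Database Vault 11g R2 DBMS_MACADM signatures; run as a DV_OWNER / DV_ADMIN user.

BEGIN
  -- 1. Create the realm, enabled, auditing failed access attempts.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects the HR_DATA schema from SYS, SYSTEM and other DBAs',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object of the schema inside the realm ('%' wildcards).
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR_DATA',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorise the schema owner as realm OWNER. Nobody else, SYS and
  --    SYSTEM included, can reach these objects through system privileges
  --    such as SELECT ANY TABLE; such attempts fail with ORA-01031 and,
  --    with the audit option above, are recorded in the Vault audit trail.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_DATA',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify the configuration through the views named in the post.
SELECT name, enabled, audit_options
  FROM dba_dv_realm
 WHERE name = 'HR Data Realm';

SELECT owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'HR Data Realm';

SELECT grantee, auth_rule_set_name, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'HR Data Realm';
```

The same three views are what a DV_SECANALYST would query when reviewing who is authorised in which realm.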

Have a nice day, DBAs ..

2 comments:

jufa said...

Karan,

Since the dv_owner can reset the sys and system users then who is responsible for resetting the dv_owner user?

Justice

Monjur Alam said...

great