2 Replies Latest reply: Sep 19, 2012 3:45 AM by 963023 RSS

    Combining Database Vault and FGA


      a quick synopsis.

      Using Database Vault I wish to put schema_1 in it's own realm (to be be protected from SYS & SYSTEM) etc. However I also want the ability to have FGA on and running in schema_1. This is to ensure if a DBA logs in as schema_1 and tries to delete or update from the schema_1 tables directly then this is audited using FGA.

      Will Database Vault prevent Fine Grained Auditing from working in this scenario?

        • 1. Re: Combining Database Vault and FGA
          Harm Joris ten Napel-Oracle
          Hi ,

          please keep in mind if a DBA uses the schema_1 to login, then there's no longer any way to distinguish the DBA from that user,
          part of Database Vault security is strict separation of duties: the DBA should not also have access to the <DV_ACCTMGR>
          account that would be necessary to reset the schema_1 password with the alter user statement.

          Otherwise FGA can work in a Database Vault environment, I did a quick test and it is possible for the schema_1 user to add
          an FGA policy if there is execute privilege on dbms_fga, this means a protected application schema (separate DBA) has
          the possibility to add FGA policies to the application tables independently, the resulting audit records, however will still go to SYS.FGA_LOG$.

          If you want to share your experiences with your peers in the industry and also get their feedback you may consider
          to post your (future) question in the Support Communities at :


          (this will land you in the security area, but there are many others for several product areas)

          Naturally these communities are also monitored by Oracle and we will try to answer any questions also from our perspective,


          Harm ten Napel
          Oracle Support
          • 2. Database vault Alternatives
            Can we somehow restrict a sys and system user from accessing tables of a particular schema? They should be able to read the tables but cannot alter the data in any way? I know data vault is one option but without buying data vault how can we get this kind of security from insider threats?

            I tried to alter the privileges provided to dba role by revoking delete,update,insert any table privileges from the oracle provided role .

            I used

            revoke delete any table from dba

            It got executed also. However when i logged in from sytem user and tried to delete rows from tables in any schema it still worked. Not only this it also worked for any other users who had dba roles.

            Can we somewho create a new role new_dba with all the privileges of dba role except access to a particular schema objects and then assign this new role to sys and system user and revoke the original dba role so that they can't access some sensitive information? Please let me know if this sounds feasible.