3 Replies Latest reply: Mar 19, 2011 6:24 PM by Zoran Pavlovic

    Data Vault

    325965
      I installed Data Vault using dbca. The Oracle version is 11.2.0.1. After the install, I am still able to create/drop users using the system account. These privileges should have been revoked as part of the DV install, as given in the doc: http://download.oracle.com/docs/cd/E11882_01/server.112/e16544/dv_impact.htm#BABCFCBE

      Please let me know the debug steps to resolve this.

      Also, is there a separate forum for DV, or should it be under Audit Vault?

      Thanks.
        • 1. Re: Data Vault
          683924
          Hi KR,

          Yes, you are right: when you install Database Vault on your database, different privileges are revoked from different users, so you cannot drop and create users as the system user. These privileges are revoked from the sys and system users and are granted to a new role, DV ACCOUNT MANAGER. So you should be the DV account manager to create and delete users.

          These privileges are revoked during Database Vault installation:



          REVOKE BECOME USER FROM DBA;
          REVOKE BECOME USER FROM IMP_FULL_DATABASE;
          REVOKE SELECT ANY TRANSACTION FROM DBA;
          REVOKE EXECUTE ON DBMS_LOGMNR FROM EXECUTE_CATALOG_ROLE;
          REVOKE EXECUTE ON DBMS_LOGMNR_D FROM EXECUTE_CATALOG_ROLE;
          REVOKE EXECUTE ON DBMS_LOGMNR_LOGREP_DICT FROM EXECUTE_CATALOG_ROLE;
          REVOKE EXECUTE ON DBMS_LOGMNR_SESSION FROM EXECUTE_CATALOG_ROLE;
          REVOKE EXECUTE ON DBMS_FILE_TRANSFER FROM EXECUTE_CATALOG_ROLE;
          REVOKE EXECUTE ON UTL_FILE FROM PUBLIC;
          REVOKE CREATE ANY JOB FROM DBA;
          REVOKE CREATE ANY JOB FROM SCHEDULER_ADMIN;
          REVOKE CREATE EXTERNAL JOB FROM DBA;
          REVOKE CREATE EXTERNAL JOB FROM SCHEDULER_ADMIN;
          REVOKE EXECUTE ANY PROGRAM FROM DBA;
          REVOKE EXECUTE ANY PROGRAM FROM SCHEDULER_ADMIN;
          REVOKE EXECUTE ANY CLASS FROM DBA;
          REVOKE EXECUTE ANY CLASS FROM SCHEDULER_ADMIN;
          REVOKE MANAGE SCHEDULER FROM DBA;
          REVOKE MANAGE SCHEDULER FROM SCHEDULER_ADMIN;
          REVOKE DEQUEUE ANY QUEUE FROM DBA;
          REVOKE ENQUEUE ANY QUEUE FROM DBA;
          REVOKE MANAGE ANY QUEUE FROM DBA;
          REVOKE MANAGE ANY QUEUE FROM IMP_FULL_DATABASE;


          To find the full list of system and object privileges associated with the DV_ACCTMGR
          role, log in to SQL*Plus with administrative privileges and then enter the following
          queries:

          SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
          SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
          • 2. Re: Data Vault
            848104
            Hi KR,

            Was it a clean installation? Did you configure your database to use OLS before running dbca?
            • 3. Re: Data Vault
              Zoran Pavlovic
              Hi,

              In EM, on Home Page -> General, do you see Database Vault - Enabled?

              Try to go to https://hostname:port/dva. There you should see 4 Oracle Defined Realms, and they must be enabled. Try to look at the Command Rules and Rule Sets. Are they enabled too?

              Zoran
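
The checks raised in the replies above (is Database Vault enabled, was OLS configured, who holds the account-management privileges, are the realms and command rules enabled) can also be run from SQL*Plus. This is an added example, not part of any post in the thread; it assumes a session that can read the DBA_* dictionary views and the DVSYS.DBA_DV_* views (for example an account with the DV_OWNER role).

```sql
-- Added diagnostic example, not from the thread.
-- Assumption: the session can read DBA_* views and DVSYS.DBA_DV_* views.

-- 1. Are the Database Vault and Label Security options enabled in this instance?
--    If Database Vault is not reported as enabled here, nothing below is enforced.
SELECT parameter, value
FROM   v$option
WHERE  parameter IN ('Oracle Database Vault', 'Oracle Label Security');

-- 2. Who currently holds the account-management system privileges?
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE USER', 'ALTER USER', 'DROP USER')
ORDER  BY grantee, privilege;

-- 3. Does SYSTEM still reach those privileges through a directly granted role?
--    (Roles nested inside other roles are not followed by this query.)
SELECT rp.granted_role, sp.privilege
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  rp.grantee = 'SYSTEM'
AND    sp.privilege IN ('CREATE USER', 'ALTER USER', 'DROP USER')
ORDER  BY rp.granted_role, sp.privilege;

-- 4. Which accounts have the DV_ACCTMGR role mentioned in the first reply?
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DV_ACCTMGR';

-- 5. Realm status, the SQL equivalent of checking the realms in the DVA console.
SELECT name, enabled
FROM   dvsys.dba_dv_realm
ORDER  BY name;

-- 6. Command rules that cover user management, and the rule sets behind them.
SELECT cr.command, cr.rule_set_name, cr.enabled AS command_rule_enabled,
       rs.enabled AS rule_set_enabled
FROM   dvsys.dba_dv_command_rule cr
LEFT   JOIN dvsys.dba_dv_rule_set rs ON rs.rule_set_name = cr.rule_set_name
WHERE  cr.command IN ('CREATE USER', 'ALTER USER', 'DROP USER')
ORDER  BY cr.command;
```

If query 1 does not report Database Vault as enabled, the results of queries 5 and 6 describe configuration that is present but not being enforced.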