I am working with Oracle Database Vault (11gR2).
I created a realm and added all the sensitive data to it (owner, object and object type).
In the user privileges section I included the DBA role with a rule, so that I can control access to the sensitive data for the different users with DBA privileges: DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR(' DBA ')='Y'
If a user needs access to the sensitive data, this user must have been granted the role CPERFIL.
In user privileges I included the role CPERFIL with a rule.
In this rule I deny access with DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR(' CPERFIL ')!='Y'.
I cannot control access to the sensitive data for the different users with privileges.
I tried to manage the command, for example SELECT, and attach a rule to it. But if I use this approach I restrict SELECT for all users.
Another test: a DBA user created a new role called TEST and granted the CPERFIL and TEST roles to a user, then in the rule I checked for this role, but it does not work. This user can access the sensitive data. DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR(' TEST ')!='Y'
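The following is an added example, not code from the post above, showing how the realm described there can be built with the DBMS_MACADM API so that a DBA-role session is admitted only when it also holds CPERFIL, while CPERFIL holders are admitted directly. Each realm authorization is evaluated on its own: the session must hold the grantee role, and the rule set attached to that authorization must return true. The realm, rule, rule set and schema names (HR.EMPLOYEES) are assumptions for illustration; the role name in the rule expression is passed without surrounding blanks. It is meant to be run as the Database Vault owner account.

```sql
-- Added example (not from the original post). Database Vault 11gR2 realm in
-- which the DBA role is a participant only when the session also has CPERFIL.
-- Assumed names: realm 'Sensitive Data Realm', schema HR, table EMPLOYEES,
-- rule 'Session has CPERFIL', rule set 'Requires CPERFIL'.
-- Run as the Database Vault owner (DV_OWNER role).

BEGIN
  -- 1. Realm that will hold the sensitive objects.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Sensitive Data Realm',
    description   => 'Protects HR sensitive tables',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Sensitive Data Realm',
    object_owner => 'HR',
    object_name  => 'EMPLOYEES',
    object_type  => 'TABLE');

  -- 2. Rule that is true only when the session has the CPERFIL role enabled.
  --    The role name is given exactly, with no surrounding blanks.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Session has CPERFIL',
    rule_expr => 'DVSYS.DBMS_MACUTL.USER_HAS_ROLE_VARCHAR(''CPERFIL'') = ''Y''');

  -- 3. Rule set wrapping that rule. A false rule means the authorization
  --    fails; the failure is audited and the message shown to the user.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Requires CPERFIL',
    description     => 'Grantee must also hold CPERFIL',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'CPERFIL role required to access sensitive data',
    fail_code       => -20500,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Requires CPERFIL',
    rule_name     => 'Session has CPERFIL');

  -- 4a. DBA role is a realm participant, but only through the rule set:
  --     a session with DBA and without CPERFIL fails it and is blocked.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Sensitive Data Realm',
    grantee       => 'DBA',
    rule_set_name => 'Requires CPERFIL',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 4b. CPERFIL holders are participants with no further condition.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Sensitive Data Realm',
    grantee       => 'CPERFIL',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check: connected as a user with DBA but not CPERFIL, this statement raises
-- ORA-01031 (insufficient privileges). After GRANT CPERFIL TO that user and
-- a new session, the same statement succeeds.
SELECT COUNT(*) FROM HR.EMPLOYEES;

-- Verify the authorizations from the Database Vault dictionary view.
SELECT realm_name, grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'Sensitive Data Realm';
```

The design point is that the condition belongs on the DBA authorization itself: a rule that merely checks for DBA on a DBA grantee is always true for that grantee, so it cannot restrict anything. Command rules are not used here because, as the post notes, a command rule on SELECT applies to every user, not only to those with a given role.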