2 Replies Latest reply on Apr 30, 2020 1:50 PM by partlycloudy

    Non-DBA user - Database Vault

    partlycloudy

      ORDS 19.4 on Oracle 12.1 with Database Vault enabled.

       

      As per Document ID 2239301.1, there is a known issue upgrading APEX when Oracle Database Vault is enabled. The whitepaper referenced in the Document is dated 2014. I am surprised this is still an issue. 

       

      More to the point, ORDS 19.1 added the ability to install & upgrade ORDS with a non-SYSDBA user. We set this up, but running the [schema] command throws the same Vault error:

       

      grant create job to ords_metadata

      *

      ERROR at line 1:

      ORA-47410: Realm violation for GRANT on CREATE JOB

       

      Following the steps in this document to add DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER to my non-SYSDBA ORDS_INSTALLER user did not fix this issue.

       

      Are we saying that Vault needs to be disabled to install or upgrade ORDS using a non-SYSDBA account? That's disappointing.

       

      Am I missing something?

       

      Thanks

       

      joelkallman-Oracle thatJeffSmith-Oracle

        • 1. Re: Non-DBA user - Database Vault
          thatJeffSmith-Oracle

          We are not saying that.

           

          ORDS is doing DB work. The Vault feature is preventing it, based on some rule or threshold, yes?

           

          Have you opened an SR with the Vault product/security folks?

          • 2. Re: Non-DBA user - Database Vault
            partlycloudy
            > The Vault feature is preventing it, based on some rule or threshold, yes?

             

            Not based on some rule or threshold, just basic Vault functionality. I would have thought that running DVSYS.DBMS_MACADM.AUTHORIZE_SCHEDULER_USER and then the ORDS scripts would take care of it, but it did not help.

             

            > Have you opened an SR with the Vault product/security folks?

             

            Not yet, will do. Stay tuned.

             

            Given that Vault prevents this ORDS feature (installing as non-SYSDBA user) from working as documented, it might make sense to note this in the ORDS documentation.