Oracle Database Vault helps us address some of the most difficult security problems such as protecting against insider threats and enforcing separation of duties. It provides a number of flexible features that can be used to apply fine-grained access control to our sensitive data. Most importantly, it protects our data from super privileged users but still allows them to maintain our Oracle databases.
Currently R12 with Database Vault 11gR2 is certified on the following platforms –
- Linux x86
- Linux x86-64 (64-bit)
- Oracle Solaris on SPARC (64-bit)
- Oracle Solaris on x86-64 (64-bit)
- Microsoft Windows Server (32-bit)
- Microsoft Windows x64 (64-bit)
- IBM AIX
- HP-UX Itanium
Starting with 11g Release 2, Oracle Database Vault is included as an installed program with Oracle Database. To make it functional, one just needs to register it with the database. So, to use Database Vault 11gR2 with R12, we can upgrade our R12 database to 11gR2.
After we install Oracle Database Vault 11gR2, we must register it with the database and then create its accounts. Oracle recommends certain security-related initialization parameter settings to better secure our database configuration. Some of these parameters are already set in the Oracle E-Business Suite Release 12 database by default, with the values that Oracle Database Vault recommends.
We can use Database Vault to audit SYS operations for the R12 database, for which we need to set the “AUDIT_SYS_OPERATIONS” parameter to “True”.
For preparing E-Business Suite for the integration, we need to apply the R12 Realm Creation Patch. If we have multiple application tiers, we can apply this patch to any one application tier. This patch delivers the necessary scripts through which we can create Database Vault realms and manage Oracle E-Business Suite Release 12 integration with Oracle Database Vault.
Also, we need to apply a patch to get an updated version of adgrants.sql that will run when Database Vault is enabled. For 12.1.1, though, this patch is not needed.
The next step is to create restrictions known as a Realm around Oracle E-Business Suite Release 12 product schemas, for which we need to run the fnddbvebs.sql script that comes with the Realm Creation Patch. Following are the default realms created by the script –
- E-Business Suite Realm – Protects all tables in Oracle E-Business Suite Release 12 Product Schemas
- E-Business Suite Realm – Applsys Schema – Protects most tables in the APPLSYS Schema
- E-Business Suite Realm – Apps Schema – Protects all objects in the APPS Schema (except the views)
- E-Business Suite Realm – Applsyspub Schema – Protects objects required for E-Business Suite authorization
- E-Business Suite Realm – MSC Schema – Protects tables in the MSC Schema – except those that require partitions to be exchanged
- CTXSYS Data Dictionary – Protects Objects in the CTXSYS Schema
This script also adds APPS, APPLSYS and CTXSYS users in the realm authorizations for the Oracle Data Dictionary realm. This realm is created by default when we install Oracle Database Vault.
Integrating R12 with Database Vault has certain patching and administration implications. For instance, before applying a patch, the SYSTEM user must be granted the DV_ACCTMGR role to ensure successful patch application.
Also, while using the FNDCPASS utility, we need to use the Database Vault Account Manager user, or any user with the DV_ACCTMGR role assigned, instead of the SYSTEM user.
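The queries below are an added example, not part of the Realm Creation Patch or of Oracle's scripts, for checking the state described in the steps above from SQL*Plus. They assume the connected user can read the views queried, and that the realm names stored in the database begin with the names listed above.

```sql
-- Added example: post-integration checks for the steps described above.
-- Assumption: the session has SELECT on each view queried.

-- 1. Is Database Vault registered and enabled in this database?
SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Oracle Database Vault';

-- 2. Is auditing of SYS operations switched on?
SELECT name, value
  FROM v$parameter
 WHERE name = 'audit_sys_operations';
-- If it is FALSE: the parameter is static, so it is changed in the
-- spfile (as SYSDBA) and takes effect after an instance restart.
-- ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 3. Were the default realms from fnddbvebs.sql created, and are they enabled?
--    Assumption: realm names start with the names given in the list above.
SELECT name, enabled
  FROM dvsys.dba_dv_realm
 WHERE name LIKE 'E-Business Suite Realm%'
    OR name LIKE 'CTXSYS%'
 ORDER BY name;

-- 4. Did the script authorize APPS, APPLSYS and CTXSYS
--    in the Oracle Data Dictionary realm?
SELECT realm_name, grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'Oracle Data Dictionary'
   AND grantee IN ('APPS', 'APPLSYS', 'CTXSYS')
 ORDER BY grantee;

-- 5. Who currently holds DV_ACCTMGR? SYSTEM should appear here before
--    a patch is applied; every other grantee is an account that can
--    manage database users and deserves review.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role = 'DV_ACCTMGR'
 ORDER BY grantee;
```

Query 4 should return three rows; a missing grantee means the realm authorization step of the script did not complete.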
In addition to the Oracle-supplied realms, we may optionally create our own realms to specify certain named users.
One important consideration while integrating E-Biz with Database Vault is that we may have Oracle or third-party products installed and integrated with our Oracle E-Business Suite Release 12 environment which may need to access the APPS schema or product schemas directly from other external or third-party schemas. Such integrations may face issues when Database Vault is activated in an Oracle E-Business Suite Release 12 database. Following are the applications that are compatible with Database Vault currently –
- OracleAS 10g Single Sign-On
- OracleAS 10g Oracle Internet Directory
- OracleAS 10g Portal
- OracleAS 10g Discoverer