Audit Vault
In this Document
Purpose
All About Security: User, Privilege, Role, SYSDBA, O/S Authentication, Audit, Encryption, OLS, Database Vault, Audit Vault
1) Alerts
2) System Privileges
3) Object Privileges
4) Users and Roles
5) User and Tablespace Quotas
6) Profiles and Resource Limits
7) Password Management
8) Connect Internal and Password Files
9) O/S Authentication
10) Auditing
11) Event Triggers
12) Fine Grained Access Control
13) Oracle Label Security
14) Database Vault
15) Audit Vault
16) Data Encryption
17) Security Server
Applies to:
Purpose
- Bulletins explaining the method used to perform specific tasks and related Documentation (Oracle Guides)
- Problem / Solutions
- Parameters & Events, Bugs
- Supplied Scripts
All About Security: User, Privilege, Role, SYSDBA, O/S Authentication, Audit, Encryption, OLS, Database Vault, Audit Vault
1) Alerts
These articles provide a solution to correct or avoid an issue, and highlight a specific condition, situation or event that
requires awareness by an Oracle customer or partner.
2) System Privileges
These articles and documentation explain what system privileges are useful for, how they should be used and handled,
and how they are related to some init.ora parameters in various Oracle versions.
Oracle 8, 8i, 9i, 10g and 11g Performance Tuning Guide and Reference -
Chapter - Understanding Indexes and Clusters -
Using Function-based Indexes
2.4 Bugs
--------
Bug 1875604 ABLE TO SELECT FROM SYS.OBJ$, BUT DESCRIBE THROWS ORA-4043
Bug 3123973 ORA-1031 WHEN CREATE VIEW IN SESSION SET AS ANOTHER CURRENT_SCHEMA
2.5 Scripts
-----------
Note 18074.1 Script To Capture System Privilege Grants
Note 1020286.6 Script to Create View to Show All User Privs
Note 241997.1 Script to Create a Procedure to Show All User Privs and Roles
3) Object Privileges
3.4 Bugs
--------
Bug 155762 GRANTS ASSIGNED TO ROLES ARE NOT BEING UTILIZED BY STORED PROCEDURES.
Bug 668998 RECEIVE INCORRECT ERROR WHEN CREATING A VIEW WHEN GRANT SELECT BY A ROLE
Bug 179841 REMOTE INSERT REQUIRES INSERT AND SELECT PRIVILEGES
Bug 371507 GRANT ALL ON TABLE ALLOWS OTHER USER TO DROP PK, BUT NOT TO CREATE A NEW ONE
Bug 522453 NEEDS OBJECT PRIVILEGE TO ADD PRIMARY KEY TO ANOTHER USERS TABLE
Bug 371124 DROP PRIMARY KEY DOES NOT REQUIRE DROP ANY INDEX PRIVILEGE, BUT CREATE DOES
Bug 372734 MUST HAVE CREATE ANY INDEX PRIVILEGE TO ALTER TABLE ADD CONSTRAINT TO TABLE
Bug 702389 PRIVS GRANTED ON COLS THROUGH A VIEW DOES NOT STAY WITH THOSE COLS WHEN VIEW
CHANGES
Bug 1364403 ORA-942 WITH THE COMBINATION OF AUTHID AND EXECUTE IMMEDIATE
Bug 1190886 ORA-4042 CAN'T GRANT EXECUTE ON SYS.SYS_GROUP TO OTHER USER BY SYS
Bug 2948123 CREATE VIEW ON EXTERNAL TABLE ORA-6564
3.5 Scripts
-----------
Note 1020176.6 SCRIPT: Script to Generate object privilege GRANTS
Note 1050267.6 SCRIPT: Script to show table privileges for users and roles
Note 138232.1 SCRIPT: How to grant select on dictionary tables only
The following notes list the articles covering the errors you may encounter because privileges granted through a role are
not in effect in stored procedures.
PLS-00201
ORA-01031
Note 1048327.6 ORA-1031 WHILE EXECUTING A STORED PROCEDURE
Note 1011393.6 ORA-01031 IN STORED PROCEDURE WHEN USING DBMS_SQL TO CREATE A VIEW
Note 11740.1 Role Restrictions
Note 13615.1 Roles and Privileges Administration and Restrictions
Note 1079983.6 ORA-01031 DDL on Materialized View With Enable Query Rewrite Option
Note 1011211.6 ORA-01031 WHEN EXECUTING 'GRANT CREATE SESSION' STATEMENT
Note 18622.1 OERR: ORA 1031 "insufficient privileges"
Note 1083534.6 ORA-01031 When Connecting to Target via Rman
PLS-00904
Note 1014765.6 PLS-00904 WHEN COMPILING PL/SQL STORED PROCEDURE, FUNCTION, OR DATABASE
TRIGGER
Note 27442.1 OERR: PLS-904 insufficient privilege to access object %s
ORA-00942
Note 1062335.6 ORA-942 when select from any v$view within stored PL/SQL procedure
Note 100076.1 ORA-942 or ORA-1031 Creating Views Based on Data Dictionary Objects
Note 1011899.6 Roles and Creating Stored Objects / Views
4.4 Bugs
--------
Bug 145295 NEED TO CHANGE OS ROLE SUFFIX CHARACTER
Bug 168358 ENHANCEMENT: ALLOW CREATE VIEW (DDL STATEMENTS) WITH PRIVILEGES THRU A ROLE
Bug 172360 GRANTING RESOURCE ROLE TO ANOTHER ROLE PREVENTS USER FROM CREATING TABLES
Bug 176997 ENH: ABILITY TO GRANT QUOTA ON TABLESPACES TO A ROLE
Bug 186769 SELECTING FROM SESSION_ROLES WITHIN A STORED PROCEDURE DOESN'T GIVE ANYTHING
Bug 222316 GRANTED ROLE DOESNT SHOW UP AS DEFAULT ROLE
Bug 943648 ORA-3113 EXECUTING COMPLEX SQL STATEMENT
Bug 178587 USER CAN CREATE MORE ROLES THAN MAX_ENABLED_ROLES FROM WITH IN ONE SESSION
Bug 641775 ENHANCEMENT REQUEST TO INCREASE THE MAX_ENABLED_ROLES FROM 148 TO 200 OR MORE
Bug 1384922 WHEN USING SQLPLUS SELECT * FROM USER_ROLE_PRIVS GIVES ORA-2434
Bug 1149002 ORA-24347 AND " NO ROWS SELECTED " IN SELECT JOIN AGGREGATE GROUP BY PARALLEL
Bug 1618315 DOCUMENTATION SHOULD STATE THATOUTLN USER SHOULD NOT BE DROPPED
4.5 Scripts
-----------
Note 18079.1 Script to Capture Role Grants
Note 18080.1 Script to Create Roles
Note 1019486.6 Script: Report Roles Granted to Users
Note 1019508.6 Script to Show System and Object Privs for a User
Note 1020086.6 SCRIPT: To Report Privileges Granted To a User
Note 107182.1 SCRIPT: Generate ROLE Creation Script for 8.X.X
Note 241997.1 SCRIPT: Create procedure to Show All User Privs and roles
Note 98572.1 Script to create user OUTLN in 8i
Note 240478.1 Script to create user OUTLN in 9i
Note 1005485.6 ORA-1950 When Creating an Object and Resource Role is Granted to the User
Note 91969.1 IMPORT FROMUSER/TOUSER Fails to Generate Tables With LOBs into TOUSER Tablespace
Note 91799.1 EXP: IMP-3, ORA-1950, IMP-17: During Import of Recreated Tablespace
Note 205722.1 Create New Ultra Search Instance Fails WKG-5000 ORA-1950
Note 137037.1 RECEIVING WWV-08301/ORA-1950 WHEN CREATING TABLE IN WEBDB
Note 1062153.6 GL PROGRAM OPTIMIZER FAILED: APP-6077, APP-6083, ORA-1950 NO PRIVILEGES ON
TABLESPACE RGX
Note 1058205.6 ORA-01950 AND ORA-06512 TRYING TO OPEN PERIOD
5.4 Bugs
--------
Bug 1270191 ORA-1950 ON ALLOCATE EXTENT - POSSIBLE DICTIONARY CORRUPTION
5.5 Scripts
-----------
Note 1019712.6 SCRIPT: Show Tablespace Quota Used by User
6.4 Bugs
--------
Bug 2653232 SPATIAL QUERIES DON'T PROGRESSIVELY RECORD RESOURCE (CPU) USAGE
Bug 2085332 SET OVER 5 HOURS TO CPU_PER_CALL, YOU GET ORA-2394, DON'T GET ORA-2393
Bug 2231683 UGA MEMORY LEAK WHEN USING OBJECT INHERITANCE IN PL/SQL
Bug 1182131 ORA-2399 RUNNING JOB OR PROCEDURE WITH CURSOR & CONNECT_TIME<UNLIMITED
Bug 2695242 ORA-22 AND ORA-600 [18260] WORKING WITH MTS (MICROSFT TX SERVER) AND XA
Bug 2134498 ORA-2391 ON BOTH NODES OF A OPS-CLUSTER ALTHOUGH RESOURCE_LIMIT=FALSE
Bug 2319471 ORA-2391 AND ORA-7445S IN PQ SLAVES, THEN ORA-7445 PMON CRASH
Bug 2117349 LOTS OF ORA-2391 ERRORS FILLING UP ALERT.LOG
Bug 777970 TEST VALIDITY OF AM4CICS THREAD CONNECTIONS BEFORE ASSIGNING THEM TO CICS TASKS
Bug 1898254 JDBC THIN APPLICATION KEEPS CONNECTION WHEN IDLE_TIME PROFILE IS SET.
6.5 Scripts
-----------
Note 1019933.6 Script to list profile resources and limits
7) Password Management
7.5 Bugs
--------
Bug 1231172 ORA-28003 WHEN CHANGING PASSWORD FOR A USER
Bug 1620381 ORA-24315 RESULTS ON CONNECT REQUEST AFTER PASSWORD VERIFICATION FAILURE
Bug 2161716 PASSWORD GRACE PERIOD MESSAGE NOT WORKING IN 8.1.7.2
Bug 1654141 USER ACCOUNTS IN GRACE PERIOD CANNOT PERFORM EXPORT, GET EXP-56 ORA-28002
ERRORS
Bug 1494651 OCILOGON DOES NOT CREATE A SESSION WHEN A PASSWORD IS IN GRACE TIME
Bug 1668134 PROTOCOL VIOLATION WHEN THIN DRIVER CONNECTING TO USER WITH EXPIRED PASSWORD.
Bug 2269177 IAS: MOD_PLSQL AUTHENTICATION DENIED WHEN USER ACCOUNT IS IN GRACE PERIOD
7.6 Scripts
-----------
Note 227010.1 Script to Check for Default Passwords Being Used for Common Usernames
Note 135878.1 Script to prevent a user from changing his password
Note 161671.1 Script to Identify Accounts with a Password Equal to their Username
These articles and documentation explain how to administer the administrative privileges,
still loosely referred to as 'connect internal', and how to manage access with a password file.
Note 19276.1 OERR: ORA 1990 error opening password file <name>
Note 19277.1 OERR: ORA 1991 invalid password file <name>
Note 19278.1 OERR: ORA 1992 error closing password file <name>
Note 19279.1 OERR: ORA 1993 error writing password file <name>
Note 19280.1 OERR: ORA 1994 GRANT failed: cannot add users to public password file
Note 19281.1 OERR: ORA 1995 error reading password file <name>
Note 19282.1 OERR: ORA 1996 GRANT failed: password file <name> is full
8.4 Bugs
--------
Bug 2688911 SQLPLUS DOES NOT CORRECTLY SUPPORT THE 'AS SYSDBA' FUNCTIONALITY IN 8.1.7
Bug 425862 ORA-600 [1113] SELECTING FROM V$PWFILE_USERS IF MORE THAN 14 SYSDBA USERS
8.5 Scripts
-----------
Note 67984.1 UNIX: Diagnostic C program for ORA-1031 from CONNECT INTERNAL / AS SYSDBA
9) O/S Authentication
This section has references to documentation and notes about O/S authentication, a.k.a.
external authentication. The authentication is delegated to the operating system, which
hence needs to be trustworthy. Please note the distinction between authenticating via
the O/S with administrative privileges (see 8.) and as a normal (application) user.
Note 19283.1 OERR: ORA 1997 GRANT failed: user <name> is identified externally
9.4 Bugs
--------
Bug 4312390 ORADIM COMMAND CAN'T SHUTDOWN DATABASE : ORA-1031
Bug 530697 CONNECT INTERNAL DOES NOT WORK FOR DOMAIN USERS IN LOCAL ORA_DBA GROUP
Bug 370253 OS AUTHENTICATION FAILS WITH ORA-1017 FOR ROOT USER
Bug 1632293 ORA-28150 SELECTING ACROSS DATABASE LINK WITH OS AUTHENTICATED USER
10) Auditing
Note 72203.1 OERR ORA-16006 audit_trail destination incompatible with database open mode
Note 19287.1 OERR ORA 2002 error while writing to audit trail
Note 21073.1 OERR ORA-9925 "Unable to create audit trail"
Note 20985.1 OERR ORA-9822 Translation of audit file name failed.
Note 249438.1 10G: New Value DB_EXTENDED for the AUDIT_TRAIL init.ora Parameter
10.4 Bugs
---------
Bug 2916125 AUDITED_CURSORID ONLY AVAILABLE FOR REGULAR AUDITING
Bug 2998476 SQL_TEXT COLUMN IN DBA_FGA_AUDIT_TRAIL VIEW IS GARBLED AFTER APPLYNG BUG#2973008
Bug 2973008 FINE-GRAINED AUDITING FAILS WITH ORA-22921 USING MULTI-BYTE CHARACTER SET
Bug 3684796 ORA-904 WHEN EXPLAINING GROUPING SETS QUERY WITH FINE GRAINED AUDITING
Bug 3836829 Columns That Are Not Selected In View Still Audited Using Fga
10.5 Scripts
------------
Note 287436.1 SCRIPT: Generate AUDIT and NOAUDIT Statements for Current Audit Settings
Note 1019377.6 Script to move SYS.AUD$ table out of SYSTEM tablespace
Note 1019552.6 Script to Show Audit Options/Audit Trail
Note 279169.1 Script: How To Store the Checksum of PL/SQL Code
11.4 Bugs
---------
Bug 2469532 ORA-29539, CANNOT INSTALL THE JVM AFTER REMOVING IT
11.5 Scripts
------------
These articles and documentation relate to FGAC, a new 8i feature that allows
a more granular level of security: row level.
Note 155477.1 Parameter DIRECT: Conventional Path Export Versus Direct Path Export
Note 187239.1 Execution plan may change when you use Fine Grained Access Control (FGAC)
Note 250795.1 10G: Policy Enforced Only When the Relevant Column is Queried in Any Way
12.4 Bugs
---------
Bug 1517613 ORA-1762 USING PARTITIONS AND FINE GRAINED ACCESS CONTROL
Bug 2539145 EXEMPT ACCESS POLICY PRIVILEGE NOT PROPERLY RECOGNIZED BY THE EXPORT UTILITY
Bug 1802004 EXP-0: EXPORT TERMINATED UNSUCCESSFULLY
Bug 3771415 ORA-903 WHEN SELECT A TABLE WITH RLS POLICY AND FUNCTION WITH UNION OPERATOR
Bug 3988219 Dbms_Output.Put_Line Fires Multiple Times From Policy Function In Fgac
13) Oracle Label Security
Oracle Label Security enables application developers to add label-based access control to their applications. It mediates
access to rows in database tables based on a label contained in the row, and the label and privileges associated with
each user session. For queries, Oracle Label Security uses the Oracle Virtual Private Database technology. For DML,
it uses a set of triggers.
Note 231777.1 ORA-12445 When Applying a Label Function on a Table Protected by an OLS Policy
Note 238599.1 ORA-12447 When Creating an Already Existing OLS Policy
Note 278301.1 ORA-12414: Internal Lbac Error: Zllcfpo:Ocitypebyname and ORA-22303 at Database STARTUP
Note 285429.1 sa_session.set_label generates ORA-12470
Note 303791.1 Oracle Label Security And Foreign Key DEFERRABLE INITIALLY DEFERRED Issues Ora-28117
Note 304137.1 ORA-12406 When Updating a Table With an OLS Policy Though Granted EXEMPT ACCESS POLICY
Privilege
Note 735375.1 "LbacException User does not exist" Encountered While Adding An User To a Profile Using
OLSADMINTOOL
Note 735801.1 ORA-0109 ORA-12432 LBAC ERROR ZLLEGNP While Starting Up The Database
Note 577569.1 Queries Against Tables Protected by OLS Are Erroring Out
13.3 Bugs
---------
Bug 3870317 UNABLE TO INSTALL ADDITIONAL OPTIONS AFTER 10.1.0.3.0 PATCHSET IS APPLIED
Bug 2499257 ORA-28115 TO_DATA_LABEL WILL WORK ON ADMINISTRATOR CREATED DATA LABELS
Bug 2367197 ORACLE SPATIAL INDEX CREATION AND QUERIES FAIL WHEN OLS IS APPLIED
Note 400667.1 Ora-01918: User 'Dvsys' Does Not Exist when installing Database Vault
Note 417869.1 Unable To Access Dva Until Dbconsole is Restarted
Note 433887.1 Datapump Export Fails When Database Vault is Enabled ORA-47401
Note 465685.1 ORA-7445 Error Encountered When Running An ALTER USER Statement On a Database Vault Protected
DB
Note 467476.1 Import Into A Non SecuredTable After Installing Database Vault Fails With ORA-1031
Note 436617.1 Database Vault Default Realms Can't Be Seen Within The Browser
Note 470838.1 SYSDBA OS Authentication Works In A Database Vault Environment After Applying a Patch or Patchset
Note 557381.1 DBMS_MACVPD Might Be Invalid After Upgrade To 10.2.0.4
14.4 Bugs
---------
Note 564306.1 How To Check Connectivity And Wallet Credentials In A 10.2.2 Audit Vault Environment
Note 437062.1 Mandatory Patches to be applied on Oracle Audit Vault 10.2.2.0.0
Note 729280.1 Can OSAUD Collect SQL Text or Bind Variables?
Note 753577.1 How To Change The Port of The Listener Configured for the AV Database ?
Note 437049.1 AUDIT VAULT How to Add an Oracle Database Source running Database Vault
Note 751085.1 Errors While Installing Audit Vault Or While Applying An Audit Vault Patchset
15.4 Bugs
---------
These are the references to the database encryption features provided with the DBMS_OBFUSCATION_TOOLKIT and
DBMS_CRYPTO supplied packages. For references relating to network encryption see the Networking Security and
Authentication Knowledge Browser Page (Note 267607.1).
Note 445147.1 How To Generate A New Master Encryption Key for the TDE
Note 317311.1 10g R2 New Feature TDE : Transparent Data Encryption
Note 232000.1 Selective Data Encryption in Oracle RDBMS, Overview and References
Note 225214.1 New IV Parameter to DES3Encrypt en DES3Decrypt Enhances Interoperability
Note 338325.1 How DBMS_OBFUSCATION_TOOLKIT Interoperates With DBMS_CRYPTO
Note 165465.1 Oracle Advanced Security Frequently Asked Questions
Note 104410.1 How to Enable Encryption & Checksumming using JDBC Drivers
Note 39612.1 Secure Network Services V1.0 Configuration Overview on OpenVMS
Note 126079.1 Net8 overview and explanation (3)
Note 228636.1 Meaning of "WHICH" Parameter in DES3Decrypt And DES3Encrypt Procedures
Note 263616.1 Given two Different DES Encryption Keys, Encrypted Strings can Appear Identical
Note 270919.1 Transferring Encrypted Data from one Database to Another
Note 280801.1 How to Find the Oracle Java Cryptographic Extension (JCE) Provider
Note 460293.1 How to Open the Encryption Wallet Automatically When the Database Starts.
Note 416526.1 How to Avoid Performance Overhead Associated With Certificate Based TDE Encryption
Note 389958.1 Using Transparent Data Encryption In An Oracle Dataguard Config
Note 454980.1 Best Practices for having indexes on encrypted columns using TDE in 10gR2
16.4 Bugs
---------
16.5 Scripts
------------
Note 102902.1 Encrypting Data using the DBMS_OBFUSCATION_TOOLKIT package
Note 166884.1 How to use DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt and DES3Decrypt procedures.
Note 197400.1 Example code encrypting credit card numbers
Note 118686.1 Example: Enable Encryption in a JDBC Program
Note 123091.1 Wrapper for DBMS_OBFUSCATION_TOOLKIT, cope with 8-byte input limitation
Note 244133.1 SCRIPT: Encrypting Binary Large Objects (BLOBS) with dbms_obfuscation_toolkit.