{"id":11441,"date":"2018-07-13T19:31:29","date_gmt":"2018-07-13T17:31:29","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/"},"modified":"2023-06-09T17:00:58","modified_gmt":"2023-06-09T15:00:58","slug":"database-vault-rules-rule-sets-and-command-rules","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/","title":{"rendered":"Database Vault : Rules, Rule Sets and Command Rules"},"content":{"rendered":"

By Mouhamadou Diaw<\/strong><\/p>\n

In a previous blog <\/a> I talked about protecting data using Realms. With Database Vault we can also protect our database against some SQL statements. These statements can include SELECT, ALTER SYSTEM, database definition language (DDL), and data manipulation language (DML) statements.
\nWe can do this with Command Rules. In this blog I am demonstrating how we can use a Command Rule to prevent SYS from creating a new pluggable database in a multitenant environment.<\/p>\n

Before starting the demonstration, we can see that there are some predefined Command Rules which apply to all users.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n
16<\/div>\n
17<\/div>\n
18<\/div>\n
19<\/div>\n
20<\/div>\n
21<\/div>\n
22<\/div>\n<\/td>\n
\n
\n
SQL> show <\/code>user<\/code><\/div>\n
USER<\/code> is<\/code> \"C##DBV_OWNER_ROOT\"<\/code><\/div>\n
SQL> show con_name<\/code><\/div>\n
<\/div>\n
CON_NAME<\/code><\/div>\n
------------------------------<\/code><\/div>\n
PDB1<\/code><\/div>\n
SQL> <\/code>SELECT<\/code> COMMAND, RULE_SET_NAME <\/code>FROM<\/code> DVSYS.DBA_DV_COMMAND_RULE;<\/code><\/div>\n
<\/div>\n
COMMAND\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RULE_SET_NAME<\/code><\/div>\n
-------------------- --------------------------------------------------<\/code><\/div>\n
ALTER<\/code> PROFILE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Can Maintain Accounts\/Profiles<\/code><\/div>\n
ALTER<\/code> SYSTEM\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Allow Fine Grained Control <\/code>of<\/code> System Parameters<\/code><\/div>\n
ALTER<\/code> USER<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Can Maintain Own Account<\/code><\/div>\n
CHANGE <\/code>PASSWORD<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0 Can Maintain Own Account<\/code><\/div>\n
CREATE<\/code> PROFILE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Can Maintain Accounts\/Profiles<\/code><\/div>\n
CREATE<\/code> USER<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Can Maintain Accounts\/Profiles<\/code><\/div>\n
DROP<\/code> PROFILE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Can Maintain Accounts\/Profiles<\/code><\/div>\n
DROP<\/code> USER<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Can Maintain Accounts\/Profiles<\/code><\/div>\n
<\/div>\n
8 <\/code>rows<\/code> selected.<\/code><\/div>\n
SQL><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Because of these default Command Rules, for example, user sys cannot create a user once Database Vault is enabled.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n<\/td>\n
\n
\n
SQL> conn sys\/root@pdb1 <\/code>as<\/code> sysdba<\/code><\/div>\n
Connected.<\/code><\/div>\n
SQL> <\/code>create<\/code> user<\/code> myuser identified <\/code>by<\/code> test;<\/code><\/div>\n
create<\/code> user<\/code> myuser identified <\/code>by<\/code> test<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>*<\/code><\/div>\n
ERROR <\/code>at<\/code> line 1:<\/code><\/div>\n
ORA-01031: insufficient <\/code>privileges<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

To grant a user the ability to use these commands, you can grant the user the role that the rule set checks.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n
15<\/div>\n<\/td>\n
\n
\n
SQL> <\/code>SELECT<\/code> PRIVILEGE <\/code>FROM<\/code> DBA_SYS_PRIVS <\/code>WHERE<\/code> GRANTEE = <\/code>'DV_ACCTMGR'<\/code>;<\/code><\/div>\n
<\/div>\n
PRIVILEGE<\/code><\/div>\n
----------------------------------------<\/code><\/div>\n
DROP<\/code> PROFILE<\/code><\/div>\n
ALTER<\/code> PROFILE<\/code><\/div>\n
ALTER<\/code> USER<\/code><\/div>\n
CREATE<\/code> PROFILE<\/code><\/div>\n
CREATE<\/code> USER<\/code><\/div>\n
CREATE<\/code> SESSION<\/code><\/div>\n
DROP<\/code> USER<\/code><\/div>\n
<\/div>\n
7 <\/code>rows<\/code> selected.<\/code><\/div>\n
<\/div>\n
SQL><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

To allow sys to create a user we can grant the DV_ACCTMGR role to SYS<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n<\/td>\n
\n
\n
SQL> show <\/code>user<\/code><\/div>\n
USER<\/code> is<\/code> \"C##DBV_ACCTMGR_ROOT\"<\/code><\/div>\n
<\/div>\n
SQL> show con_name<\/code><\/div>\n
<\/div>\n
CON_NAME<\/code><\/div>\n
------------------------------<\/code><\/div>\n
PDB1<\/code><\/div>\n
SQL><\/code><\/div>\n
<\/div>\n
SQL> <\/code>grant<\/code>\u00a0 DV_ACCTMGR <\/code>to<\/code> sys;<\/code><\/div>\n
<\/div>\n
Grant<\/code> succeeded.<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

And now SYS can create a user<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n<\/td>\n
\n
\n
SQL> conn sys\/root@pdb1 <\/code>as<\/code> sysdba<\/code><\/div>\n
Connected.<\/code><\/div>\n
SQL> <\/code>create<\/code> user<\/code> myuser identified <\/code>by<\/code> test;<\/code><\/div>\n
<\/div>\n
User<\/code> created.<\/code><\/div>\n
<\/div>\n
SQL><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

Before starting the demonstration let’s verify that user SYS, by default, can create a pluggable database<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n<\/td>\n
\n
\n
SQL> conn sys <\/code>as<\/code> sysdba<\/code><\/div>\n
Enter <\/code>password<\/code>:<\/code><\/div>\n
Connected.<\/code><\/div>\n
SQL> show con_name<\/code><\/div>\n
<\/div>\n
CON_NAME<\/code><\/div>\n
------------------------------<\/code><\/div>\n
CDB$ROOT<\/code><\/div>\n
SQL> <\/code>create<\/code> pluggable <\/code>database<\/code> PDB2 ADMIN <\/code>USER<\/code> pdb2adm IDENTIFIED <\/code>BY<\/code> root create_file_dest=<\/code>'\/u01\/app\/oracle\/oradata\/DBSEC\/PDB2'<\/code>;<\/code><\/div>\n
<\/div>\n
Pluggable <\/code>database<\/code> created.<\/code><\/div>\n
<\/div>\n
SQL><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

To prevent sys from creating a pluggable database, we are first going to create a RULE. This rule will determine when the command rule will be fired.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n<\/td>\n
\n
\n
SQL> <\/code>exec<\/code> DVSYS.DBMS_MACADM.CREATE_RULE(rule_name => <\/code>'MY_PDB_RULE'<\/code>, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>rule_expr => <\/code>'SYS_CONTEXT('<\/code>'USERENV'<\/code>', '<\/code>'SESSION_USER'<\/code>') != '<\/code>'SYS'<\/code>''<\/code>);<\/code><\/div>\n
<\/div>\n
PL\/SQL <\/code>procedure<\/code> successfully completed.<\/code><\/div>\n
<\/div>\n
SQL><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

After we have to create a RULE SET which is a collection of one or more rules. We can associate a rule set with a realm authorization, factor assignment, command rule, or secure application role.<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n<\/td>\n
\n
\n
SQL> <\/code>exec<\/code> DVSYS.DBMS_MACADM.CREATE_RULE_SET(rule_set_name => <\/code>'MY_PDB_RULESET'<\/code>, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>description => <\/code>' About managing Pdbs'<\/code>, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>enabled => DBMS_MACUTL.G_YES, eval_options => DBMS_MACUTL.G_RULESET_EVAL_ANY,<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>audit_options => DBMS_MACUTL.G_RULESET_AUDIT_FAIL + DBMS_MACUTL.G_RULESET_AUDIT_SUCCESS, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>fail_options => DBMS_MACUTL.G_RULESET_FAIL_SILENT, fail_message => <\/code>''<\/code>, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>fail_code => <\/code>''<\/code>, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>handler => <\/code>''<\/code>,<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>is_static => <\/code>FALSE<\/code>);<\/code><\/div>\n
<\/div>\n
PL\/SQL <\/code>procedure<\/code> successfully completed.<\/code><\/div>\n
SQL><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

We then add the RULE to the RULE SET<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n<\/td>\n
\n
\n
BEGIN<\/code><\/div>\n
DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>rule_set_name => <\/code>'MY_PDB_RULESET'<\/code>,<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>rule_name => <\/code>'MY_PDB_RULE'<\/code>);<\/code><\/div>\n
END<\/code>;<\/code><\/div>\n
\u00a0\u00a0\u00a0<\/code>\/<\/code><\/div>\n
<\/div>\n
PL\/SQL <\/code>procedure<\/code> successfully completed.<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

And finally create a COMMAND RULE which will prevent SYS to execute a CREATE PLUGGABLE DATABASE statement<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n<\/td>\n
\n
\n
SQL> <\/code>exec<\/code> DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(command=> <\/code>'CREATE PLUGGABLE DATABASE'<\/code>, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>rule_set_name => <\/code>'MY_PDB_RULESET'<\/code>, <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>object_owner => DBMS_ASSERT.ENQUOTE_NAME(<\/code>'%'<\/code>,<\/code>FALSE<\/code>), <\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>object_name => <\/code>'%'<\/code>,<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>enabled => <\/code>'Y'<\/code>);<\/code><\/div>\n
<\/div>\n
PL\/SQL <\/code>procedure<\/code> successfully completed.<\/code><\/div>\n
<\/div>\n
SQL><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

And now if we try to create a Pdb with SYS<\/p>\n

\n
\n\n\n\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n
4<\/div>\n
5<\/div>\n
6<\/div>\n
7<\/div>\n
8<\/div>\n
9<\/div>\n
10<\/div>\n
11<\/div>\n
12<\/div>\n
13<\/div>\n
14<\/div>\n<\/td>\n
\n
\n
SQL> show <\/code>user<\/code><\/div>\n
USER<\/code> is<\/code> \"SYS\"<\/code><\/div>\n
SQL> show con_name<\/code><\/div>\n
<\/div>\n
CON_NAME<\/code><\/div>\n
------------------------------<\/code><\/div>\n
CDB$ROOT<\/code><\/div>\n
SQL>\u00a0 <\/code>CREATE<\/code> PLUGGABLE <\/code>DATABASE<\/code> PDB3 ADMIN <\/code>USER<\/code> pdb3adm IDENTIFIED <\/code>BY<\/code> root create_file_dest=<\/code>'\/u01\/app\/oracle\/oradata\/DBSEC\/PDB3'<\/code>;<\/code><\/div>\n
\u00a0<\/code>CREATE<\/code> PLUGGABLE <\/code>DATABASE<\/code> PDB3 ADMIN <\/code>USER<\/code> pdb3adm IDENTIFIED <\/code>BY<\/code> root create_file_dest=<\/code>'\/u01\/app\/oracle\/oradata\/DBSEC\/PDB3'<\/code><\/div>\n
*<\/code><\/div>\n
ERROR <\/code>at<\/code> line 1:<\/code><\/div>\n
ORA-47400: Command <\/code>Rule<\/code> violation <\/code>for<\/code> CREATE<\/code> PLUGGABLE <\/code>DATABASE<\/code> on<\/code> PDB3<\/code><\/div>\n
<\/div>\n
SQL><\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

By Mouhamadou Diaw In a previous blog I talked about protecting data using Realms. With Database Vault we can also protect our database against some SQL statements. These statements can include SELECT, ALTER SYSTEM, database definition language (DDL), and data manipulation language (DML) statements. We can do this with Command Rules. In this blog I […]<\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229],"tags":[209,1398,1384,353],"type_dbi":[],"class_list":["post-11441","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","tag-oracle-12c","tag-oracle-database-vault","tag-oracle-security","tag-pluggable-database"],"acf":[],"yoast_head":"\nDatabase Vault : Rules, Rule Sets and Command Rules - dbi Blog<\/title>\n<meta name=\"description\" content=\"Oracle Database Vault, oracle security,Oracle 12c, Pluggable database\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Database Vault : Rules, Rule Sets and Command Rules\" \/>\n<meta property=\"og:description\" content=\"Oracle Database Vault, oracle security,Oracle 12c, Pluggable database\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-07-13T17:31:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-09T15:00:58+00:00\" \/>\n<meta name=\"author\" content=\"Oracle Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Oracle Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/\"},\"author\":{\"name\":\"Oracle Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"headline\":\"Database Vault : Rules, Rule Sets and Command Rules\",\"datePublished\":\"2018-07-13T17:31:29+00:00\",\"dateModified\":\"2023-06-09T15:00:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/\"},\"wordCount\":284,\"commentCount\":0,\"keywords\":[\"Oracle 12c\",\"Oracle Database Vault\",\"oracle security\",\"Pluggable Database\"],\"articleSection\":[\"Database Administration & Monitoring\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/\",\"name\":\"Database Vault : Rules, Rule Sets and Command Rules - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2018-07-13T17:31:29+00:00\",\"dateModified\":\"2023-06-09T15:00:58+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\"},\"description\":\"Oracle Database Vault, oracle security,Oracle 12c, Pluggable database\",\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Database Vault : Rules, Rule Sets and Command Rules\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee\",\"name\":\"Oracle Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g\",\"caption\":\"Oracle Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Database Vault : Rules, Rule Sets and Command Rules - dbi Blog","description":"Oracle Database Vault, oracle security,Oracle 12c, Pluggable database","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/","og_locale":"en_US","og_type":"article","og_title":"Database Vault : Rules, Rule Sets and Command Rules","og_description":"Oracle Database Vault, oracle security,Oracle 12c, Pluggable database","og_url":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/","og_site_name":"dbi Blog","article_published_time":"2018-07-13T17:31:29+00:00","article_modified_time":"2023-06-09T15:00:58+00:00","author":"Oracle Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Oracle Team","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/"},"author":{"name":"Oracle Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"headline":"Database Vault : Rules, Rule Sets and Command Rules","datePublished":"2018-07-13T17:31:29+00:00","dateModified":"2023-06-09T15:00:58+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/"},"wordCount":284,"commentCount":0,"keywords":["Oracle 12c","Oracle Database Vault","oracle security","Pluggable Database"],"articleSection":["Database Administration & Monitoring"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/","url":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/","name":"Database Vault : Rules, Rule Sets and Command Rules - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2018-07-13T17:31:29+00:00","dateModified":"2023-06-09T15:00:58+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee"},"description":"Oracle Database Vault, oracle security,Oracle 12c, Pluggable database","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/database-vault-rules-rule-sets-and-command-rules\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Database Vault : Rules, Rule Sets and Command Rules"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/66ab87129f2d357f09971bc7936a77ee","name":"Oracle Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f711f7cd2c9b09bf2627133755b569fb5be0694810cfd33033bdd095fedba86d?s=96&d=mm&r=g","caption":"Oracle Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/oracle-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/11441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=11441"}],"version-history":[{"count":1,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/11441\/revisions"}],"predecessor-version":[{"id":25775,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/11441\/revisions\/25775"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=11441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=11441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=11441"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=11441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}