Oracle | DBMS_MACSEC

Oracle DBMS_MACSEC_ROLES Version 21c

General Information

Library Note

Morgan's Library Page Header

Which has the higher priority in your organization: Deploying a new database or securing the ones you already have? Looking for a website, and resources, dedicated solely to securing Oracle databases? Check out DBSecWorx.

Purpose Used to check the authorization for a user or to set an Oracle Database Vault secure application role. The DVSYS.DBMS_MACSEC_ROLES package is available to all users which is a gross violation of good security practices. The Library recommends revoking the GRANT to PUBLIC and only granting execute on this package to a very limited number of authorized and audited users.

AUTHID CURRENT_USER

Dependencies

DBMS_ASSERT	DBMS_STANDARD	IS_SECURE_APPLICATION_ROLE
DBMS_MACUTL	DBMS_UTILITY	ROLE_IS_ENABLED
DBMS_SESSION

Documented Yes

First Available Not Known

Security Model Owned by DVSYS with EXECUTE granted to PUBLIC

Source {ORACLE_HOME}/rdbms/admin/catmacp.sql

Subprograms

CAN_SET_ROLE

SET_ROLE

CAN_SET_ROLE

Checks whether the user invoking the method is authorized to use the specified DV Secure Application Role. The authorization is determined by checking the Rule Set associated with the role. dbms_macsec_roles.can_set_role(p_role IN VARCHAR2) RETURN BOOLEAN ;

BEGIN

       
      IF dbms_macsec_roles.can_set_role('UW_APP_MGR') THEN

             dbms_macsec_roles.set_role('UW_APP_MGR');

        ELSE

           RAISE_APPLICATION_ERROR(-20001, 'UW_APP_MGR Role Cannot Be Set');

        END IF;

      END;

      /

SET_ROLE

Issues the SET ROLE command for a DV Secure Application Role dbms_macsec_roles.set_role(p_role IN VARCHAR2); PRAGMA SUPPLEMENTAL_LOG_DATA(set_role, NONE);

See CAN_SET_ROLE function above