First create two users: one as the Database Vault user and the other as a backup user.
SQL> create user c##dv_cloud_admin identified by cdb21ls;
User created.
SQL> create user c##dv_cloud_admin_backup identified by cdb21ls;
User created.
SQL> grant create session,set container to c##dv_cloud_admin,c##dv_cloud_admin_backup;
Grant succeeded.
Configure Database Vault (DV)
SQL> exec configure_dv(dvowner_uname=>'c##dv_cloud_admin_backup',dvacctmgr_uname=>'c##dv_cloud_admin_backup',force_local_dvowner=>false);
PL/SQL procedure successfully completed.
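Recompile any objects that may have become invalid. This step can take a long time, so just wait patiently. If errors occur during the run, it can be run again until there are no more errors.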
@?/rdbms/admin/utlrp.sql;
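enable_dv fails with the error below because Database Vault was not installed when the database was created with dbca; Database Vault has to be installed into this database again using dbca.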
SQL> exec dbms_macadm.enable_dv;
BEGIN dbms_macadm.enable_dv; END;
*
ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00201: identifier 'DBMS_MACADM' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
SQL> SELECT * from v$option where parameter like '%Vault%';
PARAMETER VALUE CON_ID
------------------------------ -------------------- ----------
Oracle Database Vault FALSE 0
Grant dv_acctmgr/dv_owner to the user intended for day-to-day use
SQL> connect c##dv_cloud_admin_backup/WelCome-123#@cdbs7
Connected.
SQL> grant dv_acctmgr to c##dv_cloud_admin with admin option;
Grant succeeded.
SQL> grant dv_owner to c##dv_cloud_admin;
Grant succeeded.
Only users with the dv_acctmgr role can execute the following commands:
create user
alter user
drop user
create profile
alter profile
drop profile
Even a user with the dv_owner role cannot perform user- and profile-related operations.
Whether a user has the dv_acctmgr role can be checked in the views dba_role_privs/cdb_role_privs.
SQL> create user c##u8 identified by cdb1 container=all;
User created.
SQL> alter user c##u8 identified by cdb2;
User altered.
SQL> drop user c##u8;
User dropped.
SQL> create profile c##profile_test_1 limit password_verify_function ORA12C_VERIFY_FUNCTION container=all;
Profile created.
SQL> alter profile c##profile_test_1 limit password_life_time 90 container=all;
Profile altered.
SQL> drop profile c##profile_test_1;
Profile dropped.
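The role check against cdb_role_privs mentioned above can be written as the following audit query. It is an added example, not part of the original post; it assumes it is run from the root container by a user allowed to read CDB_ROLE_PRIVS, and it only sees roles granted directly to the grantee.

```sql
-- Added example: list every grantee of the two Database Vault roles,
-- per container, and flag accounts that hold both of them.
-- Only direct grants are listed; a DV role reached through another
-- role shows that intermediate role as the grantee.
SELECT con_id,
       grantee,
       MAX(CASE WHEN granted_role = 'DV_OWNER'
                THEN 'YES' ELSE 'NO' END)            AS has_dv_owner,
       MAX(CASE WHEN granted_role = 'DV_ACCTMGR'
                THEN 'YES' ELSE 'NO' END)            AS has_dv_acctmgr,
       -- WITH ADMIN OPTION lets the grantee pass DV_ACCTMGR on to others
       MAX(CASE WHEN granted_role = 'DV_ACCTMGR'
                THEN admin_option END)               AS acctmgr_admin_option,
       CASE WHEN COUNT(DISTINCT granted_role) = 2
            THEN 'BOTH ROLES'
            ELSE 'SINGLE ROLE' END                   AS duty_separation
FROM   cdb_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
GROUP  BY con_id, grantee
ORDER  BY con_id, duty_separation, grantee;
```

With the grants shown earlier on this page, c##dv_cloud_admin appears as BOTH ROLES with acctmgr_admin_option = YES, which is the account to watch if owner and account-manager duties are meant to be separated.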
Errors reported when a user without dv_acctmgr attempts the operations below.
Even the sys user with the sysdba privilege cannot perform them.
SQL> connect c##dv_owner/cdb1@cdb1
Connected.
SQL> create user c##u1 identified by cdb1 container=all;
create user c##u1 identified by cdb1 container=all
*
ERROR at line 1:
ORA-01031: insufficient privileges
Help: https://docs.oracle.com/error-help/db/ora-01031/
SQL> alter user c##u99 identified by u99;
alter user c##u99 identified by u99
*
ERROR at line 1:
ORA-01031: insufficient privileges
Help: https://docs.oracle.com/error-help/db/ora-01031/
SQL> drop user c##u99;
drop user c##u99
*
ERROR at line 1:
ORA-01031: insufficient privileges
Help: https://docs.oracle.com/error-help/db/ora-01031/
SQL> create profile profile_t1 limit password_verify_function ORA12C_VERIFY_FUNCTION container=all;
create profile profile_t1 limit password_verify_function ORA12C_VERIFY_FUNCTION container=all
*
ERROR at line 1:
ORA-47400: command rule violation for CREATE PROFILE on
PROFILE_T1
Help: https://docs.oracle.com/error-help/db/ora-47400/
SQL> alter profile default limit password_life_time 80 container=all;
alter profile default limit password_life_time 80 container=all
*
ERROR at line 1:
ORA-47400: command rule violation for ALTER PROFILE on
DEFAULT
Help: https://docs.oracle.com/error-help/db/ora-47400/
SQL> drop profile ORA_STIG_PROFILE;
drop profile ORA_STIG_PROFILE
*
ERROR at line 1:
ORA-47400: command rule violation for DROP PROFILE on
ORA_STIG_PROFILE
Help: https://docs.oracle.com/error-help/db/ora-47400/
SQL> connect sys/cdb1@cdb1 as sysdba
Connected.
SQL> create user c##u1 identified by cdb1 container=all;
create user c##u1 identified by cdb1 container=all
*
ERROR at line 1:
ORA-01031: insufficient privileges
Help: https://docs.oracle.com/error-help/db/ora-01031/
SQL> alter user c##u99 identified by u99;
alter user c##u99 identified by u99
*
ERROR at line 1:
ORA-01031: insufficient privileges
Help: https://docs.oracle.com/error-help/db/ora-01031/
SQL> drop user c##u99;
drop user c##u99
*
ERROR at line 1:
ORA-01031: insufficient privileges
Help: https://docs.oracle.com/error-help/db/ora-01031/
SQL> create profile profile_t1 limit password_verify_function ORA12C_VERIFY_FUNCTION container=all;
create profile profile_t1 limit password_verify_function ORA12C_VERIFY_FUNCTION container=all
*
ERROR at line 1:
ORA-47400: command rule violation for CREATE PROFILE on
PROFILE_T1
Help: https://docs.oracle.com/error-help/db/ora-47400/
SQL> alter profile default limit password_life_time 80 container=all;
alter profile default limit password_life_time 80 container=all
*
ERROR at line 1:
ORA-47400: command rule violation for ALTER PROFILE on
DEFAULT
Help: https://docs.oracle.com/error-help/db/ora-47400/
SQL> drop profile ORA_STIG_PROFILE;
drop profile ORA_STIG_PROFILE
*
ERROR at line 1:
ORA-47400: command rule violation for DROP PROFILE on
ORA_STIG_PROFILE
Help: https://docs.oracle.com/error-help/db/ora-47400/
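Because of security measures such as lockdown and Database Vault, the errors below do not necessarily mean what they say; they occur because you do not have the privilege.
For example, the error PLS-00201: identifier 'DBMS_MACADM' must be declared looks as if the procedure does not exist, but the real cause is a missing privilege.
Likewise, an error like the following that reports an object as nonexistent is not because the object does not exist, but because the user has no access to it:
ORA-04043: Object "LBACSYS"."DBA_OLS_STATUS" does not exist.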
SQL> connect c##dv_owner/cdb3@cdb3
Connected.
SQL> exec dbms_macadm.enable_dv;
BEGIN dbms_macadm.enable_dv; END;
*
ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00201: identifier 'DBMS_MACADM' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
Help: https://docs.oracle.com/error-help/db/ora-06550/
SQL> connect c##dv_owner_backup/cdb3@cdb3
Connected.
SQL> exec dbms_macadm.enable_dv;
PL/SQL procedure successfully completed.
SQL> desc dba_ols_status;
ERROR:
ORA-04043: Object "LBACSYS"."DBA_OLS_STATUS" does not exist.
Help: https://docs.oracle.com/error-help/db/ora-04043/
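To tell a missing component apart from a missing privilege for the two objects in the errors above, a privileged user can compare the data dictionary with the grants on those objects. This is an added example, not from the original post; it assumes a session that can read DBA_OBJECTS and DBA_TAB_PRIVS, and that DBMS_MACADM lives in the DVSYS schema.

```sql
-- Added example: for each object named in the errors, show whether it
-- exists in this container and who has been granted access to it.
WITH wanted (owner, object_name) AS (
  SELECT 'DVSYS',   'DBMS_MACADM'    FROM dual UNION ALL
  SELECT 'LBACSYS', 'DBA_OLS_STATUS' FROM dual
)
SELECT w.owner,
       w.object_name,
       -- NOT INSTALLED: the object is really absent (component missing)
       NVL(o.object_type, 'NOT INSTALLED') AS object_type,
       o.status,
       p.grantee,        -- user or role holding the privilege
       p.privilege
FROM   wanted w
LEFT   JOIN dba_objects o
       ON  o.owner       = w.owner
       AND o.object_name = w.object_name
       AND o.object_type IN ('PACKAGE', 'VIEW')
LEFT   JOIN dba_tab_privs p
       ON  p.owner      = w.owner
       AND p.table_name = w.object_name
ORDER  BY w.owner, w.object_name, p.grantee;
```

A NOT INSTALLED row means the component has to be installed first; a row with a real object_type whose grantee list does not include the failing user, or a role that user holds, means the PLS-00201 or ORA-04043 is a privilege problem.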