The purpose of Database Vault operation control is to prevent a CDB common user from accessing the customer data inside a PDB, that is, the PDB's local data.
We created a PDB named comp1pdb21044 and, inside it, a local user u100. u100 owns a table named t_1; this table counts as local data, i.e. customer data.
The common user is named c##common1.
With operation control enabled, the common user cannot access that data.
23:18:12 SQL> connect pdbadmin/comp1@comp1pdb21044
Connected.
23:18:23 SQL> select * from dba_dv_status;
NAME STATUS
-------------------- --------------
DV_CONFIGURE_STATUS TRUE
DV_ENABLE_STATUS TRUE
DV_APP_PROTECTION ENABLED
Querying inside the PDB confirms that operation control is in the enabled state (DV_APP_PROTECTION is ENABLED).
In this state the common user cannot access the PDB's local data. The common user can still connect to the PDB; it just cannot access the local data.
23:14:27 SQL> connect c##common1/comp1@comp1pdb21044
Connected.
23:14:47 SQL> select object_name from u100.t_1 where rownum<2;
select object_name from u100.t_1 where rownum<2
*
ERROR at line 1:
ORA-01031: insufficient privileges
To let the common user in, we either disable operation control for this PDB, or add c##common1 to the exception list:
23:22:32 SQL> exec dbms_macadm.add_app_exception(owner=>'C##COMMON1',package_name=>null);
PL/SQL procedure successfully completed.
Elapsed: 00:00:07.24
23:23:18 SQL> select * from dba_dv_app_exception;
OWNER PACKAGE
-------------------- --------------------
C##COMMON1 %
After c##common1 is added to the exception list, c##common1 can access the PDB's local data, i.e. the customer data:
23:23:27 SQL> connect c##common1/comp1@comp1pdb21044
Connected.
23:23:53 SQL> select object_name from u100.t_1 where rownum<2;
OBJECT_NAME
--------------------------------------------------------------------------------------------------------------------------------
I_FILE#_BLOCK#
Elapsed: 00:00:00.05
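The page only shows the exception being added. The reverse operations a practitioner needs to revert or audit the change are in the added example below. This is not code from the original post; it assumes it is run inside the PDB comp1pdb21044 by a user holding the DV_OWNER role (the post does not show which user ran the exception procedure), and it uses the DBMS_MACADM procedures ADD_APP_EXCEPTION, DELETE_APP_EXCEPTION, DISABLE_APP_PROTECTION and ENABLE_APP_PROTECTION together with the DBA_DV_STATUS and DBA_DV_APP_EXCEPTION views already referenced on the page.

```sql
-- Added example: full lifecycle of an operation-control exception plus
-- enabling/disabling operation control itself for the PDB comp1pdb21044.
-- Assumption: executed in the PDB by a DV_OWNER user.

-- 1. Baseline check: is operation control (DV_APP_PROTECTION) enabled?
SELECT name, status
  FROM dba_dv_status
 WHERE name IN ('DV_ENABLE_STATUS', 'DV_APP_PROTECTION');

-- 2. Grant the common user an exception, as on the page.
--    package_name => NULL means "any package" (shown as % in the view).
BEGIN
  DBMS_MACADM.ADD_APP_EXCEPTION(owner => 'C##COMMON1', package_name => NULL);
END;
/

-- 3. Verify the exception is recorded.
SELECT owner, package
  FROM dba_dv_app_exception
 WHERE owner = 'C##COMMON1';

-- 4. Revert: remove the exception again once the common user no longer
--    needs access. Use the same owner/package pair that was added.
BEGIN
  DBMS_MACADM.DELETE_APP_EXCEPTION(owner => 'C##COMMON1', package_name => NULL);
END;
/

-- 5. Confirm the exception list no longer contains the common user
--    (expect zero rows).
SELECT owner, package
  FROM dba_dv_app_exception
 WHERE owner = 'C##COMMON1';

-- 6. The other option mentioned on the page: turn operation control off
--    for this PDB and back on. pdb_name must match the PDB you are in.
BEGIN
  DBMS_MACADM.DISABLE_APP_PROTECTION(pdb_name => 'COMP1PDB21044');
END;
/

SELECT name, status FROM dba_dv_status WHERE name = 'DV_APP_PROTECTION';
-- expect DISABLED here

BEGIN
  DBMS_MACADM.ENABLE_APP_PROTECTION(pdb_name => 'COMP1PDB21044');
END;
/

SELECT name, status FROM dba_dv_status WHERE name = 'DV_APP_PROTECTION';
-- expect ENABLED again
```

Steps 3 and 5 are the checks worth keeping in a change record: an exception with package % is a blanket bypass of operation control for that common user, so its presence in DBA_DV_APP_EXCEPTION should be reviewed regularly.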
Operation control is a mechanism for stopping common users from accessing other people's data.
Operation control cannot stop a local administrator inside the PDB from accessing the PDB's data; in other words, it cannot stop a highly privileged local user in the PDB from accessing another local user's data. That kind of restriction can only be achieved with a realm or a command rule.
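For the case the last paragraph describes, a privileged local user such as pdbadmin reading u100.t_1, the protection has to come from a realm. The added example below is not from the original post; it assumes it is run inside comp1pdb21044 by a DV_OWNER user, and it uses DBMS_MACADM.CREATE_REALM, ADD_OBJECT_TO_REALM and ADD_AUTH_TO_REALM with the DBMS_MACUTL constants. The realm name U100_DATA_REALM is a constructed value.

```sql
-- Added example: protect u100.t_1 from privileged local users with a
-- mandatory realm. Assumption: executed in the PDB by a DV_OWNER user.

-- 1. Create the realm. realm_type => 1 makes it a *mandatory* realm:
--    it blocks even the object owner and users with system privileges
--    (e.g. SELECT ANY TABLE) unless they are explicitly authorized.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'U100_DATA_REALM',
    description   => 'Protects customer data owned by U100',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);
END;
/

-- 2. Put the table inside the realm. Using object_name => '%' and
--    object_type => '%' would cover every object owned by U100 instead.
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'U100_DATA_REALM',
    object_owner => 'U100',
    object_name  => 'T_1',
    object_type  => 'TABLE');
END;
/

-- 3. Authorize only the data owner. Nobody else, including pdbadmin or
--    a user with SELECT ANY TABLE, is on the authorization list.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'U100_DATA_REALM',
    grantee       => 'U100',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Verify the realm definition, its objects and its authorizations.
SELECT name, enabled, realm_type
  FROM dba_dv_realm
 WHERE name = 'U100_DATA_REALM';

SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'U100_DATA_REALM';

SELECT realm_name, grantee, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'U100_DATA_REALM';

-- 5. Check from another session: as pdbadmin (a local administrator),
--    SELECT * FROM u100.t_1 should now fail with ORA-01031, while
--    u100 itself can still query the table.
```

The difference from operation control is the scope of the decision: operation control keys on whether the session belongs to a common user, whereas the realm keys on who is authorized for the specific objects, which is why it also covers privileged local users.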