
EM 13c: How To Patch Or Upgrade Standalone DB/RAC DB DataVault Enabled Databases Using Enterprise Manager 13c Cloud Control Fleet Maintenance Operations (Doc ID 2708319.1)

Last updated on AUGUST 31, 2021

Applies to:

Enterprise Manager for Oracle Database - Version 13.3.1.0.0 and later
Information in this document applies to any platform.

Goal

1. What is DataVault?

Oracle Database Vault provides powerful security controls to protect sensitive data from unauthorized access, and implement separation of duties between database administrators and data owners to comply with privacy and regulatory requirements. Controls can be deployed to block privileged account access to application data and control sensitive operations inside the database using an authorized trusted path. Oracle Database Vault secures existing database environments transparently, eliminating costly and time-consuming application changes.

2. What is DV_PATCH_ADMIN role?

Note:
Privileges Associated with the DV_PATCH_ADMIN Role

The DV_PATCH_ADMIN role does not provide access to any secured data.

The DV_PATCH_ADMIN role is a special Database Vault role that does not have any object or system privilege. It is designed to allow the database administrator or the user SYS to patch Database Vault enabled databases (for example, applying a database patch without disabling Database Vault). It also enables the database administrator to create users, because some patches may need to create new schemas. After the patch or upgrade has been applied, the role can be revoked from the SYS user.

https://www.oracle.com/database/technologies/security/db-vault.html

3. How To Patch Or Upgrade DataVault Enabled Databases using Fleet Maintenance Operations

By default, DataVault-configured databases do not have the DV_PATCH_ADMIN role assigned to the SYS user. Fleet operations require the SYS user to have the DV_PATCH_ADMIN role. The DataVault owner should grant this role to the SYS user.

DataVault administrators can either grant this role to the SYS user permanently, or assign it temporarily before the fleet operation and revoke it after the fleet (Patch/Upgrade) operation.

To automate this grant and revoke operation across a large number of databases, Fleet Maintenance provides Pre and Post scripts. The grant can be performed in the Pre script and the revoke in the Post script.
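The temporary grant and revoke described above could look like the following SQL*Plus statements. This is an added example, not the scripts from the Oracle note (the note's own post_script_sql.pl and samplesql.sql are not reproduced here). It assumes each part runs connected as the Database Vault owner and that this account can read DBA_ROLE_PRIVS.

```sql
-- Added example, not Oracle's own script.
-- Assumption: each part is run in SQL*Plus connected as the Database Vault
-- owner (an account holding DV_OWNER), not as SYS.
-- Assumption: that account is able to query DBA_ROLE_PRIVS.
-- Note: in a multitenant database a grant without a CONTAINER clause
-- applies to the current container only.

-- ===== Part 1: Pre script, before the fleet Patch/Upgrade operation =====
WHENEVER SQLERROR EXIT FAILURE
GRANT DV_PATCH_ADMIN TO SYS;

-- ===== Part 2: Post script, after the fleet operation has completed =====
WHENEVER SQLERROR EXIT FAILURE
REVOKE DV_PATCH_ADMIN FROM SYS;

-- Fail the step if the role is still granted to SYS, so that a leftover
-- grant shows up as an error instead of passing silently.
DECLARE
  n PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO n
    FROM dba_role_privs
   WHERE grantee = 'SYS'
     AND granted_role = 'DV_PATCH_ADMIN';

  IF n > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'DV_PATCH_ADMIN is still granted to SYS after the Post script');
  END IF;
END;
/
```

The same COUNT query, run on its own across the fleet, shows which databases still have the role granted to SYS outside a patching window.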



Enterprise Manager (EM) 13.3.1 Cloud Control

Solution



In this Document
Goal
 1. What is DataVault?
 2. What is DV_PATCH_ADMIN role?
 3. How To Patch Or Upgrade DataVault Enabled Databases using Fleet Maintenance Operations
Solution
 Case 1: How to grant the "DV_PATCH_ADMIN" to SYS user permanently
 Case 2: In order to use custom Pre and Post here are the high level steps
 a. Create custom Pre and Post script
 b. Stage custom scripts (Pre and Post) to the Software Library.
 c. Repeat the Step 2 to create POSTSCRIPT Directive and to add post script files (post_script_sql.pl and samplesql.sql) to SWLIB entity
 d. Capture the URN from SWLIB Entity.
 e. Usage of Pre and Post scripts using respective URN during fleet operations
