In the Oracle community, the terms “Data Vault” and “Database Vault” are often confused, although they have nothing to do with each other. A short clarification.
Some time ago I had a meeting with the development team and the database administrator of one of my customers. The topic was what database schemas we needed for a new data warehouse. At some point the keyword “Data Vault” came up, which caused the DBA to react surprised. She asked if we had discussed this with the security officer. Now I was surprised. Why should the security manager care about our data modelling method?
After a short moment of confusion, I realized that we had both fallen for a misunderstanding that I have encountered several times before: I was talking about the Data Vault data modeling method, whereas the DBA meant Database Vault.
What do Data Vault and Database Vault have in common besides the similar sounding name? Nothing! With this blog post, I try to clarify the two terms. So I can refer to this post whenever I’m involved in such confusions in the future.
Data Vault Modeling is a database modeling method, especially designed for data warehouses with a high number of structure changes. The basic concept of Data Vault is to split information in a way that allows easy integration and historization of the data. Additionally, the model can be enhanced without migration of the existing tables. With three types of tables – Hubs, Links and Satellites – comprehensive and extensible data models can be built.
Figure 1: Data warehouse architecture with Data Vault
Data Vault Modeling is typically used for modeling the Core layer of a data warehouse or to build an Enterprise Data Warehouse (EDW) with many different source systems. BI users do not access the Data Vault tables directly, but run their queries and reports on dimensional data marts that are loaded from the Data Vault layer.
If you want to get an idea of how data models can be created and extended with Data Vault, have a look at the video How to Create a Data Vault Model. In this video, I create and explain a Data Vault model for a microbrewery.
Data Vault is not Oracle specific, but can be implemented on Oracle databases. I already published several blog posts about Data Vault with Oracle on my blog.
Oracle Database Vault
Database Vault is a security option for Oracle Database Enterprise Edition. It makes it possible to protect sensitive data with higher security rules than usual. Normally, a database administrator with the DBA role has access to all data in the Oracle database. With Oracle Database Vault the responsibilities are distributed to several persons (separation of duties).
Database schemas, database objects (tables, views, packages, etc.) and roles are grouped in so-called Realms. The owner of a Realm can define who has access to the objects within the Realm. Nobody else – not even a user with DBA role or SELECT ANY TABLE privilege can access the data within a Realm.
Figure 2: Example of an Oracle Database Vault configuration (source: OraDBA blog of Stefan Oehrli)
Oracle Database Vault is a powerful security feature that is very useful for classified databases with sensitive data. But the usage of Database Vault has an impact on the administration of the Oracle databases. Therefore you have to plan carefully for each system whether you want to use this option or not.
My Trivadis colleague Stefan Oehrli presented a session about Oracle Database Vault last year at the DOAG conference. The slides of his presentation and some additional information and links can be found on this blog post.
Although the terms Data Vault and Database Vault sound similar, they have nothing in common. Data Vault is a data modeling method for data warehouses. Database Vault is a security option for Oracle databases. The next time I get involved in a discussion in which the two terms are confused, I can refer to this blog post.