Editorial photograph of a database security architect and CISO reviewing Oracle Database Vault deployment design at the boardroom table
Guide · Oracle · Database Security

Oracle Database Vault. The complete licensing guide.

Database Vault is one of the most over deployed Oracle security options on the planet. This guide maps the licensing rules, the cost math, the audit exposures, the alternatives, and the seven commercial levers procurement carries into the renewal.

Read the Framework Oracle Hub
23,000USD list per processor
a leading industry analyst firmRecognized
Read the framework. · Independent. Buyer side. Reads in your browser. Read the framework →
Industry Recognized
500+ Enterprise Clients
$2B+ Under Advisory
11 Vendor Practices
100% Buyer Side Independent
Home Oracle Hub Oracle Database Vault Licensing: Buyer Side Complete GuideOracle Hub Database Licensing Database Pricing Oracle Services Vendor Shield
Portrait placeholder for Fredrik Filipsson, Co Founder and Group CEO
Written by Fredrik Filipsson Co Founder & Group CEO · ex Oracle, IBM, SAP
PublishedJune 10, 2025
Last updatedMay 16, 2026

Oracle Database Vault is a separately licensed option on Oracle Database Enterprise Edition. It enforces separation of duties for privileged users (DBAs cannot see application data without explicit grant) and applies command rules that restrict who can run what against which schema.

The licensing is straightforward in principle. Database Vault carries the same metric and the same processor count as the underlying Database Enterprise Edition deployment.

The exposure is straightforward too. Most customers either over deploy by licensing the option on every database when only a small subset needs it, or under deploy by enabling the feature on databases that are not licensed for it.

This guide is the complete buyer side reference. Read it alongside the Database licensing guide, the Database pricing 2026 reference, and the Oracle knowledge hub.

Key Takeaways

What every Oracle customer should know about Database Vault

  • Enterprise Edition prerequisite. Database Vault requires Database EE. Not available on Standard Edition 2.
  • Same metric, same count. The Database Vault option carries the same processor count or NUP count as the underlying EE deployment.
  • 23,000 USD per processor list. Plus 22 percent annual support.
  • 460 USD per Named User Plus list. With a 25 NUP per processor minimum applied to the underlying EE deployment.
  • License every database where the option is enabled. Configuration check in the DBA_REGISTRY view exposes whether the option is installed and used.
  • Audit risk is high. One of the top three Oracle Database options identified in LMS audits as unlicensed but enabled.
  • Alternatives exist. Native auditing, transparent data encryption configured differently, application level access controls, and third party database firewall products each address a subset of the use cases.

What Oracle Database Vault actually does

Database Vault is a privileged user control product. It does three things that the base Enterprise Edition does not do natively.

The three core functions

  • Separation of duties. A DBA holds SYSDBA but cannot select from a protected schema without an explicit Database Vault realm authorization.
  • Command rules. Restricts who can issue specific SQL commands (ALTER TABLE, CREATE USER, GRANT, EXECUTE on a specific package) based on factor evaluation.
  • Factors and rules. Authentication factors (IP address, time of day, application context) feed rule evaluation that the database enforces at the SQL execution layer.

Common buyer side use cases

  • Outsourced DBA controls. Where database administration is delegated to an offshore or third party provider, Database Vault prevents the DBA from reading PCI, PHI, or sensitive financial data.
  • Regulatory separation. SOX, HIPAA, PCI DSS, and GDPR controls that require demonstrable separation between privileged operations and data access.
  • Insider threat controls. Internal DBA staff prevented from running ad hoc queries against protected schemas without business approval.
  • Multi tenant database segregation. Where one Oracle Database instance hosts multiple business units or customer schemas with strict cross access controls.

Edition prerequisites and stack dependencies

Database Vault sits on top of Database Enterprise Edition. The licensing math starts with the underlying EE deployment.

Required underlying license

  • Database Enterprise Edition. Required prerequisite. Database Vault is not available as an option on Standard Edition 2.
  • Multitenant. Database Vault works inside multitenant container and pluggable databases, but the licensing of Multitenant is a separate decision with its own option price.
  • Audit Vault. Often deployed alongside Database Vault but is a separately licensed product, not an option on the database.
  • Advanced Security. A separately licensed option that delivers Transparent Data Encryption and Data Redaction. Different scope from Database Vault, often paired in regulated environments.

Real Application Clusters and Data Guard considerations

  • RAC. Database Vault enabled on a RAC cluster licenses every cluster node, each processor counted under the EE metric.
  • Data Guard physical standby. A licensed primary covers the standby for ten days of testing per year. Database Vault enabled on the primary requires the option on the standby if the standby is opened read write or used outside the 10 day rule.
  • Active Data Guard. Active Data Guard is a separately licensed option. Database Vault on a Data Guard physical standby used in Active Data Guard read mode requires Database Vault on the standby.
  • GoldenGate. GoldenGate environments with Database Vault enabled on the source or target carry their own option licensing on each affected database.

Metric, price, and the math

Database Vault is licensed on the same metric as the underlying Database Enterprise Edition deployment. Two metrics matter.

Database Vault price benchmarks

MetricList priceMinimumAnnual support
Processor23,000 USD per processorNone at the option level22 percent of net license fee
Named User Plus460 USD per NUP25 NUP per processor applied to EE22 percent of net license fee

Processor metric math

The processor count under Oracle's core factor table applies. On modern Intel x86 processors the factor is 0.5. A 32 core x86 server runs 16 processor licenses. Database Vault on that server runs 16 option licenses at 23,000 USD each.

  • Per server license math. 32 cores times 0.5 core factor equals 16 processor licenses. Sixteen Database Vault option licenses at 23,000 USD list equals 368,000 USD per server before discount.
  • Eight server estate. 16 processors per server times 8 servers equals 128 processors. Database Vault at 128 processors and 23,000 USD list equals 2.944M USD before discount.
  • Annual support. 22 percent of net license fee. After a 40 percent discount on the 2.944M USD estate, the annual support runs at 388K USD.

NUP metric math

  • NUP minimum applies. The 25 NUP per processor minimum is applied to the underlying EE deployment, not separately to Database Vault.
  • Per user math. 460 USD per NUP for Database Vault. On a 400 NUP deployment, Database Vault runs 184K USD at list.
  • When NUP makes sense. Small named user populations on dedicated infrastructure typically license cheaper on NUP than on processor.
  • When NUP does not work. Internet facing databases, high concurrency analytic workloads, and large transactional systems with thousands of users typically run cheaper on processor.

Audit risks and exposure patterns

Oracle LMS audits target Database Vault because the configuration data is in the database itself. The audit script extracts the option installation and option usage data in minutes.

How the audit detects Database Vault usage

  • DBA_REGISTRY view. Shows whether the Database Vault component is installed in the database.
  • DBA_OPTIONS view. Shows the option installed at the database level.
  • DV_REALMS, DV_RULES, DV_FACTORS views. Show the configured Database Vault objects. The presence of objects indicates active use.
  • FEATURE_USAGE_STATISTICS. The database tracks the usage of feature options. Database Vault usage shows in the table with a count of detected uses and last used dates.

Three common exposure patterns

  1. Build template drift. Database Vault enabled on a small set of databases for a regulated workload, then standardized into the database build template. Two years later the option is enabled on every new database.
  2. Dev test sprawl. Database Vault enabled on production cloned to dev test environments without licensing the option on the dev test footprint.
  3. RAC node count growth. Database Vault licensed on the initial RAC cluster size, then the cluster grows by additional nodes without updating the Database Vault option license count.

Alternatives to Database Vault

Not every regulatory control requires Database Vault. Several alternatives address subsets of the use cases at lower cost.

The four common alternatives

  • Native auditing. Oracle Database includes a native audit capability. With careful configuration, audit logs of every SYSDBA action provide the audit trail that some regulators accept in lieu of separation of duties.
  • Application level access controls. Database access mediated only through the application, with no direct DBA query access permitted by policy and enforced through procedure.
  • Third party database firewall. Products from non Oracle vendors deliver row level and command level controls on the database boundary, outside the licensed option.
  • Transparent Data Encryption (Advanced Security). Where the regulatory control is data at rest protection, TDE may be sufficient without Database Vault. Advanced Security is a separately licensed option on Database EE.

Cost compare for a 16 processor deployment

ApproachLicense cost (one time)Annual supportOperational fit
Database Vault on 16 processors368,000 USD81,000 USDSOX, HIPAA, PCI strong fit
Native auditing plus procedural controls0 USD additional0 USD additionalLower assurance, regulator acceptance varies
Third party database firewall (16 processor)140,000 to 220,000 USD30,000 to 48,000 USDStrong fit, no Oracle entitlement risk
Advanced Security TDE plus procedural controls240,000 USD (17,500 USD per processor for ASO list, on 16 processors after 14 percent discount)53,000 USDData at rest control only

Worked examples: three customer scenarios

Scenario one: pharma with offshore DBA

A global pharma customer outsources Oracle Database administration to an offshore provider. The regulator requires that the offshore DBA cannot query patient clinical trial data without an audit trail and an in country approval workflow.

  • Right answer. Database Vault enabled on the four clinical trial databases. Sixteen processors total. 368K USD list, around 220K USD net of standard 40 percent discount.
  • Wrong answer. Database Vault enabled on every database in the estate (84 databases, 128 processors). 2.944M USD list, 1.76M USD net of discount, only 5 databases actually needing the control.
  • Vendor Shield outcome. Disable Database Vault on the 80 databases not in regulatory scope. Reduce the licensed processor count from 128 to 16. Annual support drops from 388K to 48K.

Scenario two: bank with internal DBA team

A regional bank runs an internal DBA team. The audit requirement is separation of duties between DBAs and the trading desk schema. Six databases hold trading data.

  • Right answer. Database Vault on the six trading databases. Twenty four processors. 552K USD list, 330K USD net.
  • Alternative considered. Native auditing plus procedural controls. The internal audit committee accepted the alternative for two databases that hold low risk reference data. Net license saved 92K USD.
  • Final licensed footprint. Sixteen processors of Database Vault. 368K USD list, 220K USD net.

Scenario three: utility with PCI scope

A utility customer with a PCI in scope billing database. One database, two processors. The simple answer.

  • Licensed footprint. Two processors of Database Vault. 46K USD list, 28K USD net.
  • Audit posture. Documented DBA_REGISTRY export, documented DV_REALMS configuration. No drift across the rest of the estate because the option is explicitly excluded from the build template for non PCI databases.

Seven commercial levers procurement carries

The Database Vault renewal carries the same negotiation table as the broader Oracle Database renewal. Seven specific levers apply.

The seven levers

  1. Right sizing before the order. Disable Database Vault on the databases that do not need it before signing the renewal that locks the option count in.
  2. Migrate to alternatives. Move databases to alternative controls where the regulator accepts them. Reduce the option count.
  3. Bundle with other options. Negotiate Database Vault discount inside a multi option order alongside Advanced Security, Partitioning, and Multitenant.
  4. Support uplift cap. Cap the annual support uplift at 3 to 4 percent across the renewal term.
  5. Audit posture protection. Make explicit reference to the documented ELP and require Oracle to acknowledge it in the renewal correspondence.
  6. RAC and Data Guard scope clarity. Document the exact RAC cluster size and Data Guard topology in the order document to avoid drift.
  7. Build template control. Document the build template exclusion and audit it quarterly to prevent future drift.

What to do next

The checklist takes a Database Vault customer from current state to a clean licensed footprint and a defensible renewal position.

  1. Inventory every database with Database Vault installed or enabled. Pull DBA_REGISTRY and DBA_OPTIONS exports across the estate.
  2. Cross reference to FEATURE_USAGE_STATISTICS. Identify which databases actually use Database Vault (configured realms, rules, factors) vs installed but not used.
  3. Map to the order documents. Reconcile the licensed processor or NUP count to the deployed processor or NUP count by database.
  4. Identify the regulatory scope. Determine which databases actually require Database Vault for regulator compliance.
  5. Decommission the unnecessary use. Disable Database Vault on databases that do not require it. Update the build template.
  6. Build the audit defense pack. ELP, configuration export, usage statistics export, decommission evidence.
  7. Take the position to the renewal table. Right sized count, documented controls, support uplift cap, build template lock in.

Frequently asked questions

Does Database Vault require Enterprise Edition?

Yes. Database Vault is a separately licensed option on Oracle Database Enterprise Edition only. It is not available as an option on Standard Edition 2 or Standard Edition. A customer running Standard Edition 2 who needs separation of duties for privileged users has to choose between upgrading to Enterprise Edition plus Database Vault or implementing the controls through native auditing and procedural enforcement.

The cost gap is meaningful. Standard Edition 2 lists at 17,500 USD per socket. Enterprise Edition lists at 47,500 USD per processor. Database Vault adds 23,000 USD per processor on top.

What is the difference between Database Vault and Advanced Security?

Database Vault enforces separation of duties and command level access controls. Advanced Security delivers Transparent Data Encryption (data at rest protection) and Data Redaction (output masking at the query layer). They address different parts of the security control framework.

Customers running a complete PCI or HIPAA control set typically license both. Customers running TDE only as a data at rest control may license Advanced Security without Database Vault. Customers running separation of duties only may license Database Vault without Advanced Security. The choice turns on the specific control requirements, not on a blanket security posture.

How does Oracle audit detect Database Vault usage?

The Oracle LMS audit script extracts data from three sources. The DBA_REGISTRY view shows whether the option is installed in the database. The DBA_OPTIONS view shows the option installed at the database level. The FEATURE_USAGE_STATISTICS table tracks per feature usage with counts of detected uses and last used dates.

Installation alone does not constitute usage under the Oracle option licensing position. Active use, demonstrated by configured Database Vault objects (realms, rules, factors) or by the FEATURE_USAGE_STATISTICS table showing positive use counts, does constitute usage requiring the license.

Does the option apply to Data Guard standby databases?

The standard Data Guard physical standby rule allows ten days of testing per year on the standby without separate licensing of the database options. Beyond that window, or where the standby is in Active Data Guard read mode, the standby requires the same option licensing as the primary.

For Database Vault specifically, the standby in passive standby mode is covered for the 10 day rule. The standby in Active Data Guard mode requires Database Vault licensing equal to the primary processor count.

Can we use Database Vault on the cloud Oracle Database editions?

Oracle Database services on OCI (Base Database Service, Exadata Cloud Service, Autonomous Database) bundle Database Vault into the higher service tiers. The Base Database Service Enterprise Edition Extreme Performance tier includes Database Vault. The Autonomous Database includes Database Vault in the always free and paid tiers.

Customers running Oracle Database on AWS RDS or Azure with bring your own license must license Database Vault separately on each processor or NUP count that runs the option, under the standard Oracle licensing rules.

What is the typical discount on Database Vault at the renewal table?

Database Vault carries the standard Oracle option discount range. Mid market customers typically land at 25 to 40 percent off list. Enterprise customers with multi option orders or ULA exit positions land at 50 to 65 percent off list. The discount depends on the order size, the multi option bundle, and the customer's overall Oracle relationship.

The single largest cost lever at the renewal table is not the discount on Database Vault. It is the option count itself. Right sizing the option count from 128 processors to 16 processors before the renewal delivers far more value than negotiating a 50 percent discount on the wrong count.

How does Redress engage on Database Vault advisory?

Redress runs Database Vault advisory inside the Vendor Shield subscription, the Oracle services practice, the Software Spend Assessment, and the Renewal Program. The output is a complete option inventory, a usage statistics extract, a regulatory scope map, a decommission plan, an audit defense pack, and the renewal negotiation execution with Oracle.

The engagement is led by Oracle commercial professionals on the buyer side. We have run Database Vault advisory across pharma, banking, manufacturing, public sector, and utility customers running Oracle Database option estates from 200K to 12M USD per year.

How Redress engages on Database Vault advisory

Redress runs Database Vault advisory inside the Vendor Shield subscription, the Oracle services practice, the Software Spend Assessment, and the Renewal Program.

Read the related database licensing guide, the database pricing 2026, the ULA decision framework, the contract renewal strategy, the contract negotiation service, the Oracle knowledge hub, the PeopleSoft third party support, the PeopleSoft compliance, the benchmarking page, the about us page, and the contact page.

Score your Oracle Database option exposure in under five minutes.
Open the Health Check →
White Paper · Oracle

Download the Oracle ULA Decision Framework.

Buyer side reference on Oracle contracts. Scope, certification math, exit modeling, OMA term protection, and the seven levers procurement carries to every Oracle Database renewal.

Independent. Buyer side. Written for CIOs, CFOs, procurement leaders, and Oracle contract owners running active Database, EBS, and ULA renewals. No Oracle kickback. No conflict on the table.

Oracle ULA Decision Framework

Open the white paper in your browser. Corporate email only.

Open the Paper →
23K
USD per processor list
22%
Annual support
500+
Enterprise Clients
$2B+
Under advisory
100%
Buyer side

The single largest cost lever at the Database Vault renewal table is not the discount on the option. It is the option count itself. Right sizing the count from 128 processors to 16 processors before the renewal delivers far more value than negotiating a 50 percent discount on the wrong count.

Former Oracle Database Sales Director
On the buyer side, 22 Database option engagements in 2025
More Reading

More from this practice.

Oracle Hub →
Oracle Knowledge Hub
Oracle · Hub
Oracle Knowledge Hub
Master Oracle licensing reference.
20 min read
Database Licensing Guide
Oracle · Guide
Database Licensing Guide
EE, SE2, options, packs.
18 min read
Database Pricing 2026
Oracle · Article
Database Pricing 2026
Edition and option price reference.
16 min read
Oracle ULA Decision Framework
Oracle · Guide
Oracle ULA Decision Framework
Enter, exit, certify, preserve.
22 min read
PeopleSoft Third Party Support
Oracle · Article
PeopleSoft Third Party Support
Buyer side framework.
17 min read
Editorial photograph of enterprise contract negotiation strategy

Right size Oracle Database Vault before the renewal. Independent advisors, end to end.

We have run 500+ enterprise clients across 11 publishers. Every engagement starts with one conversation.

Contact Us Vendor Shield

Oracle Database intelligence, monthly.

Option licensing audit patterns, RAC and Data Guard scope, ULA exit math, Cloud Database service comparisons, and renewal lessons from every Oracle Database engagement we run.