7 Managing Entitlements

This chapter contains:

Managing and Viewing Entitlement Data

Oracle AVDF provides a set of default entitlement reports and allows you to retrieve entitlement data from Oracle Database secured targets. In addition, you can create snapshots of entitlement data at specific points in time, and group them under labels that you specify, in order to compare them in the reports.

You can filter a report to show the data from an earlier snapshot or label, or you can compare the entitlement data from two snapshots or two labels. For example, you can find how user privileges have been modified between two snapshots or labels.

Note:

For Oracle Database 12c secured targets, if you are not using multitenant container databases (CDBs), entitlement data appears as for earlier versions of Oracle Database. If you are using CDBs, each pluggable database (PDB) or CDB is configured as a separate secured target in the Audit Vault Server, and entitlement data appears accordingly in snapshots and reports.

The general steps for managing and viewing entitlement data are:

  1. Retrieve the entitlement data from the secured target to create a snapshot of the data at that point in time. See:

  2. Optionally, create labels to organize the snapshots into meaningful groups, and assign the labels to snapshots. See:

  3. View entitlement reports, using snapshot and labels to filter and compare data. See:

Working With Entitlement Snapshots and Labels

This section contains:

About Entitlement Snapshots and Labels

When you retrieve entitlement data from an Oracle Database secured target, a snapshot of that data is created, and added to the list in the User Entitlement Snapshots page in the Secured Targets tab. See "Retrieving User Entitlement Data for Oracle Database Secured Targets".

An entitlement snapshot captures the state of user entitlement information at a specific point in time. The snapshot contains the metadata of users and roles that a user has to that Oracle Database: system and other SQL privileges, object privileges, role privileges, and user profiles. You can only view and manage snapshots for secured targets to which you have access.

Each snapshot is unique for a secured target. The name for a snapshot is the time stamp assigned to it when the entitlement data was retrieved, for example, 9/22/2009 07:56:17 AM. If you retrieve entitlement data for all your secured targets at this time, then each secured target has its own 9/22/2012 07:56:17 AM snapshot.

Labels allow you to organize snapshots into meaningful categories so that you can view and compare groups of snapshots together. For example, suppose the secured targets payroll, sales, and hr each have a 9/22/2012 07:56:17 AM snapshot. You can create a label and then assign these three snapshots to that label. This enables you to compare the entitlement data at that time from the three secured targets, together in the same report.

Creating, Modifying, or Deleting Labels for Snapshots

To create or delete a label:

  1. Log into the Audit Vault Server console as an auditor, and click the Secured Targets tab.

  2. From the Entitlement Snapshots menu on the left, click Manage Labels.

  3. From this page:

    • To create a label, click Create, enter a name and an optional description, and then click Save.

    • To delete a label, select the label, and then click Delete.

    • To edit the name or description of a label, click the name of the label, make your changes, and then click Save.

Assigning Labels to Snapshots

To manage entitlement snapshots and assign labels for your secured targets:

  1. Log into the Audit Vault Server console as an auditor, and click the Secured Targets tab.

  2. From the Entitlement Snapshots menu on the left, click Manage Snapshots.

    A list of snapshots of user entitlement data appears along with the timestamp for when the data was collected and the label assigned to the snapshot, if any.

    You can adjust the appearance of the list from the Actions menu. See "Working with Lists of Objects in the UI".

  3. To assign a label to snapshots:

    1. Select the snapshots, and click Assign Label.

    2. Select a Label from the drop-down list.

    3. Optionally, enter a description.

    4. Click Save.

  4. To delete a snapshot, select the snapshot, and then click Delete.

Generating Entitlement Reports

This section contains:

About Viewing Entitlement Reports with Snapshots and Labels

You can use snapshots and labels to filter and compare entitlement data in reports. After snapshots have been created, and you have optionally created and assigned labels to them, then you are ready to check the entitlement reports.

The type of entitlement report determines whether you can view its entitlement data by snapshot or by label. Reports that show data by secured target (for example, User Accounts by Secured Target) let you view and compare snapshots for a specific secured target. The other entitlement reports (such as User Accounts) let you view and compare entitlement data by label across all the secured targets.

Viewing Entitlement Reports by Snapshot or Label

To check entitlement reports for an individual snapshot or label:

  1. Log in to the Audit Vault Server console as an auditor.

  2. Click the Reports tab, and in the Audit Reports page, expand Entitlement Reports.

  3. Click the Browse report data icon for the entitlement report that you want.

  4. In the entitlement report, do the following:

    • If the report is "by secured target," select a secured target.

    • From the Snapshot or Label list, select the snapshot or label.

  5. Click Go.

    The entitlement report data appears. The generated report contains a column, either Snapshot or Label, indicating which snapshot or label was used for the report. From here, you can expand the Snapshot or Label column to filter its contents. See "Filtering Data in a Report".

  6. Optionally, you can save the report. See "Saving your Customized Reports".

Comparing Entitlement Data Using Snapshots or Labels

To compare the entitlement data for two snapshots or labels:

  1. Log in to the Audit Vault Server console as an auditor.

  2. Click the Reports tab, and in the Audit Reports page, expand Entitlement Reports.

  3. Click the Browse report data icon for the entitlement report that you want.

  4. In the report, do the following:

    • If the report is "by secured target," select a secured target.

    • From the Snapshot or Label list, select the first snapshot or label.

    • Click the compare check box.

    • Select another snapshot or label from the second drop-down list for comparison.

  5. Click Go.

The entitlement report data appears and the name of the report is appended with Changes. The Change Category column shows how the data has changed between the two snapshots or labels. From here, you can filter the data to show only MODIFIED, NEW, DELETED, or UNCHANGED data.

Entitlement Report Descriptions

This section contains:

About the Entitlement Reports

An entitlement report describes the types of access that users have to an Oracle database secured target. It provides information about the user, role, profile, and privileges used in the secured target.

For example, the entitlement reports capture information such as access privileges to key data or privileges assigned to a particular user. These reports are useful for tracking unnecessary access to data, finding duplicate privileges, and simplifying privilege grants.

After you generate a default entitlement report, you can view a snapshot of the metadata that describes user, role, profile, and privilege information. This enables you to perform tasks such as comparing different snapshot labels to find how the entitlement information has changed over time. See "Generating Entitlement Reports".

See Also:

User Accounts Reports

The User Accounts Report and User Accounts by Secured Target Report show the following information about user accounts: secured target in which the user account was created, user account name, account status (LOCKED or UNLOCKED), expiration date for the password, initial lock state (date the account will be locked), default tablespace, temporary tablespace, initial resource consumer group, when the user account was created, associated profile, and external name (the Oracle Enterprise User DN name, if one is used).

In Oracle AVDF 12.1.2: You can select these additional columns relating to Oracle 12c secured targets:

  • Edition Enabled: Whether editions are enabled for this user

  • Authentication Type: Authentication mechanism for this user

  • Proxy Only Connect: Whether this user can connect only through a proxy

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Last Login: Last login timestamp for this user

  • Oracle Maintained: Whether the user was created, and is maintained, by Oracle Database-supplied scripts. A Y value means this user must not be changed in any way except by running an Oracle Database-supplied script.

  • Container: Container name. This is null if the database is not a PDB or CDB.

User Privileges Reports

The User Privileges Report and User Privileges by Secured Target Report show the following information about user privileges: secured target in which the privilege was created, user name, privilege, schema owner, table name, column name, type of access (direct access or if through a role, the role name), whether the user privilege was created with the ADMIN option, whether the user can grant the privilege to other users, and who granted the privilege.

In Oracle AVDF 12.1.2: You can select these additional columns relating to Oracle 12c secured targets:

  • Hierarchy: Privilege is with hierarchy option

  • Type: Object type (table, view, sequence, etc.)

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

User Profiles Reports

The User Profiles Report and User Profiles by Secured Target Report show the following information about user profiles: secured target in which the user profile was created, profile name, resource name, resource type (KERNEL, PASSWORD, or INVALID), and profile limit.

In Oracle AVDF 12.1.2: You can select these additional columns relating to Oracle 12c secured targets:

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

Database Roles Reports

The Database Roles Report and Database Roles by Secured Target Report lists names of database roles and application roles. If the role is a secure application role, then the Schema and Package columns of the report indicate the underlying PL/SQL package used to enable the role.

In Oracle AVDF 12.1.2: You can select these additional columns relating to Oracle 12c secured targets:

  • Oracle Maintained: Whether the user was created, and is maintained, by Oracle Database-supplied scripts. A Y value means this user must not be changed in any way except by running an Oracle Database-supplied script.

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

System Privileges Reports

The System Privileges Report and System Privileges by Secured Target Report show the following information about system privileges: secured target in which the system privilege was created, user granted the system privilege, privilege name, type of access (direct access or if through a role, the role name), and whether it was granted with the ADMIN option.

In Oracle AVDF 12.1.2: You can select these additional columns relating to Oracle 12c secured targets:

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

Object Privileges Reports

The Object Privileges Report and Object Privileges by Secured Target Report show the following information about object privileges: the secured target in which the object was created, users granted the object privilege, schema owner, target name (which lists tables, packages, procedures, functions, sequences, and other objects), column name (that is, column-level privileges), privilege (object or system privilege, such as SELECT), type of access allowed the object (direct access or if through a role, the role name), whether the object privilege can be granted, and who the grantor was.

In Oracle AVDF 12.1.2: You can select these additional columns relating to Oracle 12c secured targets:

  • Hierarchy: Privilege is with hierarchy option

  • Type: Object type (table, view, sequence, etc.)

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

Privileged Users Reports

The Privileged Users and Privileged Users by Secured Target reports show the following information about privileged users: secured target in which the privileged user account was created, user name, privileges granted to the user, type of access (direct access, or if through a role, the role name), and whether the privileged user was granted the ADMIN option.

For Oracle Database versions prior to 12c, privileged users are identified by these roles:

SYSDBA
SYSOPER

For Oracle Database version 12c, the above two roles identify privileged users, in addition to the following roles:

SYSASM
SYSBACKUP
SYSDG
SYSKM

In Oracle AVDF 12.1.2: You can select these additional columns relating to Oracle 12c secured targets:

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.