Oracle Cloud Infrastructure Documentation

Grant and Revoke Roles from the Oracle Data Safe Service Account

The Oracle Data Safe features that you can use with your target database depend on the roles granted to the Oracle Data Safe service account on that target database. Oracle recommends that you grant only the roles needed on each target database. How you grant roles depends on the type of target database.

Roles for the Oracle Data Safe Service Account

The roles that you grant to the Oracle Data Safe service account determine the Oracle Data Safe features that you can use with the target database. There are five roles, and the role names for DB systems are different than those for Autonomous Databases.

The following table describes each role.

DB System Role      Autonomous Database Role    Description
ASSESSMENT          DS$ASSESSMENT_ROLE          Privileges required for the User Assessment and Security Assessment features
AUDIT_COLLECTION    DS$AUDIT_COLLECTION_ROLE    Privileges required for accessing audit trails for the target database
DATA_DISCOVERY      DS$DATA_DISCOVERY_ROLE      Privileges required for the Data Discovery feature (discovering sensitive data in the target database)
MASKING             DS$DATA_MASKING_ROLE        Privileges required for the Data Masking feature (masking sensitive data in the target database)
AUDIT_SETTING       DS$AUDIT_SETTING_ROLE       Privileges required for updating target database audit policies

Grant Roles to the Oracle Data Safe Service Account on an Autonomous Database

To grant or revoke roles from the Oracle Data Safe service account on an Autonomous Database, run the DS_TARGET_UTIL PL/SQL package on the Autonomous Database. You need to run this package as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package. By default, DS$ASSESSMENT_ROLE and DS$AUDIT_COLLECTION_ROLE are granted to the Oracle Data Safe service account (DS$ADMIN). These roles allow you to assess the target database and start audit trail collection immediately after you register the database.
  1. Using a tool like SQL*Plus or SQL Developer, log in to your Autonomous Database as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.
  2. Grant or revoke a role from the Oracle Data Safe service account by running one of the following commands:
    EXECUTE DS_TARGET_UTIL.GRANT_ROLE('role_name');

    or

    EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('role_name');

    where role_name is the name of an Oracle Data Safe role (for example, DS$DATA_DISCOVERY_ROLE). role_name must be enclosed in single quotation marks.
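The following SQL*Plus session is an added example, not code from the Oracle documentation. It grants the Data Discovery role to the service account for the time a discovery job needs it, checks the grant, and revokes it afterwards, which is the least-privilege pattern the page recommends. DS$ADMIN, DS_TARGET_UTIL and the DS$..._ROLE names come from the page; the verification queries against the DBA_ROLE_PRIVS data dictionary view are an assumption about how you would confirm the result, not something the page prescribes.

```sql
-- Added example (not from the Oracle documentation page).
-- Run as ADMIN (or a user with EXECUTE on DS_TARGET_UTIL) on the Autonomous Database.

-- Before: list every role currently held by the Data Safe service account.
-- (Assumption: DBA_ROLE_PRIVS is used for verification; DS$ADMIN is the account named on the page.)
SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'DS$ADMIN'
 ORDER BY granted_role;

-- Grant only the role that the feature you are about to use needs (here: Data Discovery).
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$DATA_DISCOVERY_ROLE');

-- Confirm that the grant landed; expect exactly one row.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'DS$ADMIN'
   AND granted_role = 'DS$DATA_DISCOVERY_ROLE';

-- ... run the Data Discovery job in the Oracle Data Safe Console ...

-- When the discovery work is finished, remove the role again so the service
-- account is left with only the roles it needs day to day.
EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('DS$DATA_DISCOVERY_ROLE');

-- After: the role should no longer appear; expect zero rows.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'DS$ADMIN'
   AND granted_role = 'DS$DATA_DISCOVERY_ROLE';
```

Running the before and after queries and keeping their output alongside the change record gives you an audit trail of which roles the service account held at each point, which is what a reviewer will ask for when the account's privileges are questioned later.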

Grant Roles to the Oracle Data Safe Service Account on a DB System

To grant or revoke roles from the Oracle Data Safe service account on a DB system, you need to run the SQL privileges script. To run the script, you need to be connected to your DB system as the SYS user. You can run the script as many times as needed.

For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the target database access to only Activity Auditing. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the target database to grant the database access to Data Discovery. You cannot run the SQL privileges script on the root container of a target database (CDB$ROOT).

  1. Download the SQL privileges script from the Oracle Data Safe Console:
    1. Sign in to the Oracle Data Safe Console, and click the Targets tab.
    2. Click Add.
      The Add Target dialog box is displayed.
    3. Click Download Privilege Script and save the dscs_privileges.sql script to your computer.
    4. Click Cancel.
  2. With SQL Developer or SQL*Plus, connect to your database as the SYS user, and then run the SQL privileges script with the following statement:
    @dscs_privileges.sql <DATASAFE_ADMIN> <GRANT/REVOKE> <AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL> [-VERBOSE]
    • <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your DB system. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
    • Specify GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
    • Specify one or more Oracle Data Safe features, separated by a forward slash: AUDIT_COLLECTION/AUDIT_SETTING/DATA_DISCOVERY/MASKING/ASSESSMENT/ALL. ALL grants or revokes all the features.
    • -VERBOSE shows only the actual GRANT/REVOKE commands. This parameter is optional.
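The session below is an added example, not code from the Oracle documentation or the dscs_privileges.sql script itself. It walks through the scenario the section describes: grant Activity Auditing first, add Data Discovery later, and revoke a feature once it is no longer needed, each time checking that you are connected to the PDB rather than CDB$ROOT. DATASAFE_ADMIN is a placeholder for the service account name you created; the verification queries against DBA_ROLE_PRIVS and DBA_SYS_PRIVS are an assumption about how to confirm the outcome and do not come from the page.

```sql
-- Added example (not from the Oracle documentation page).
-- Run in SQL*Plus, connected as SYS to the pluggable database that is the target.

-- The script cannot be run in the root container; confirm the current container first.
-- Expect the PDB name here, never CDB$ROOT.
SHOW CON_NAME

-- Step 1: start with Activity Auditing only. -VERBOSE prints the GRANT statements
-- the script issues, which is useful to keep with the change record.
-- (DATASAFE_ADMIN is a placeholder: use the case-sensitive account name from DBA_USERS.)
@dscs_privileges.sql DATASAFE_ADMIN GRANT AUDIT_COLLECTION -VERBOSE

-- Later: add Data Discovery. Naming only the new feature avoids granting ALL.
-- Several features can be combined in one run, separated by a forward slash.
@dscs_privileges.sql DATASAFE_ADMIN GRANT DATA_DISCOVERY -VERBOSE

-- Verification (assumption: the script's grants show up in the standard data dictionary
-- privilege views for the service account).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'DATASAFE_ADMIN'
 ORDER BY granted_role;

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'DATASAFE_ADMIN'
 ORDER BY privilege;

-- When a feature is no longer in use, revoke just that feature rather than leaving it in place.
@dscs_privileges.sql DATASAFE_ADMIN REVOKE DATA_DISCOVERY -VERBOSE
```

Because the account name must match DBA_USERS exactly, a quick `SELECT username FROM dba_users WHERE username = 'DATASAFE_ADMIN';` before the first run catches a case mismatch before the script reports an error.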