Grant Roles to the Oracle Data Safe Service Account on Your Target Database

The Oracle Data Safe features that you can use with your target database depend on the roles you grant to the Oracle Data Safe service account on that target database. You can grant and revoke roles as needed.

The roles are different for Autonomous Databases versus non-Autonomous Databases. For non-Autonomous databases, you can grant roles to the Oracle Data Safe service account prior to or after registering your database. For Autonomous Databases, you first need to register your database, which unlocks the Oracle Data Safe preseeded service account, and then grant and revoke roles as needed. By default, the Oracle Data Safe service account on an Autonomous Database is already granted some of the roles.

Roles for the Oracle Data Safe Service Account

Oracle Recommendation:

Grant only the roles needed to the Oracle Data Safe service on your target databases. How you grant roles depends on the type of target databases that you have.

The following table describes the roles for non-Autonomous Databases and Autonomous Databases. If you are registering a non-Autonomous Database (for example, a DB system, an on-premises Oracle Database, or an Oracle Database on a compute instance), you can grant the roles in the first column. If you are registering an Autonomous Database, you can grant the roles in the second column. Some or most of the roles are granted by default, so refer to the registration procedure for each type of target to see which roles you still need to grant.

Roles for Non-Autonomous Databases | Roles for Autonomous Databases | Description
-----------------------------------|--------------------------------|------------
ASSESSMENT | DS$ASSESSMENT_ROLE | Privileges required for the User Assessment and Security Assessment features
AUDIT_COLLECTION | DS$AUDIT_COLLECTION_ROLE | Privileges required for accessing audit trails for the target database
DATA_DISCOVERY | DS$DATA_DISCOVERY_ROLE | Privileges required for the Data Discovery feature (discovering sensitive data in the target database)
MASKING | DS$DATA_MASKING_ROLE | Privileges required for the Data Masking feature (masking sensitive data in the target database)
AUDIT_SETTING | DS$AUDIT_SETTING_ROLE | Privileges required for updating target database audit policies
SQL_FIREWALL | Not applicable | Only for Oracle Database 23c. Privileges required for the SQL Firewall feature (collect, monitor, and allow and block SQL traffic)

Grant Roles to the Oracle Data Safe Service on an Autonomous Database

By default, an Autonomous Database comes with a database account specifically created for Oracle Data Safe named DS$ADMIN. The roles that you grant to this account determine the Oracle Data Safe features that you can use with your Autonomous Database.

For an Autonomous Database, all roles are already granted by default, except for DS$DATA_MASKING_ROLE.

Note:

If Database Vault is enabled on your Autonomous Database, be aware that there are specific steps to take in the procedure below to get Oracle Data Safe to work with Database Vault.

To grant or revoke roles from the Oracle Data Safe service account on an Autonomous Database, you can run the DS_TARGET_UTIL PL/SQL package on the Autonomous Database. You need to run this package as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.

You can grant or revoke roles as often as needed.

  1. If Database Vault is enabled on your database and you want to use the User Assessment or Security Assessment features in Oracle Data Safe, connect to your database as a user with the DV_OWNER role and grant the DV_SECANALYST role to the DS$ADMIN user.
  2. To grant or revoke a role from the Oracle Data Safe service account, do the following:
    1. Using a tool like SQL*Plus or SQL Developer, log in to your Autonomous Database as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.
    2. Run one of the following commands:
      EXECUTE DS_TARGET_UTIL.GRANT_ROLE('role_name');

      or

      EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('role_name');

      where role_name is the name of an Oracle Data Safe role. role_name must be in quotation marks.

      Note:

      If Database Vault is enabled on your database and you grant the DS$DATA_MASKING_ROLE role, expect an ORA-20001 error and proceed to step 3.
  3. If Database Vault is enabled on your database and you want to use the Data Masking feature in Oracle Data Safe, do the following:
    1. Connect to the database as a user with the DV_OWNER role and authorize the ADMIN user to the Oracle System Privilege and Role Management Realm.
    2. Connect to the database as the ADMIN user and grant UNLIMITED TABLESPACE to the DS$ADMIN user.
    You can now use the Data Masking feature.
  4. (Optional) If Database Vault is enabled on your database and you want to revoke the User Assessment or Security Assessment feature: Connect to the database as a user with the DV_OWNER role and revoke the DV_SECANALYST role from the DS$ADMIN user.
    The Assessment features are no longer available for the database.
  5. (Optional) If Database Vault is enabled on your database and you want to revoke the Data Masking feature:
    1. Connect to the database as the ADMIN user and revoke UNLIMITED TABLESPACE from the DS$ADMIN user.
    2. Connect to the database as a user with the DV_OWNER role and unauthorize the ADMIN user from the Oracle System Privilege and Role Management Realm.
    The Data Masking feature is no longer available for the database.
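The procedure above, written out as a single SQL*Plus session on an Autonomous Database with Database Vault enabled. This is an added example, not code from the Oracle documentation: the service account name DS$ADMIN and the DS_TARGET_UTIL calls are from the page, the connection strings are placeholders, and the Database Vault realm-authorization calls use DBMS_MACADM.ADD_AUTH_TO_REALM and DELETE_AUTH_FROM_REALM, which the page does not name (the page only says "authorize" and "unauthorize"), so treat that choice of API as an assumption. It also adds the check a practitioner wants after any grant or revoke: a query of the roles and system privileges the service account actually holds.

```sql
-- Added example, not from the Oracle Data Safe documentation.
-- Assumptions: service account is DS$ADMIN (as on the page); <adb_service> is a
-- placeholder; SQL*Plus prompts for each password, so none is embedded here.

-- Step 1: as a user with DV_OWNER, let the assessment features read
-- Database Vault-protected security metadata.
CONNECT dv_owner_user@<adb_service>
GRANT DV_SECANALYST TO DS$ADMIN;

-- Step 2: as ADMIN, grant only the roles for the features you intend to use.
-- On an Autonomous Database every role except DS$DATA_MASKING_ROLE is granted
-- by default, so enforcing least privilege here is mostly a matter of REVOKEs.
CONNECT admin@<adb_service>
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$ASSESSMENT_ROLE');
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$AUDIT_COLLECTION_ROLE');
EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('DS$DATA_DISCOVERY_ROLE');
EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('DS$AUDIT_SETTING_ROLE');

-- With Database Vault enabled this call raises ORA-20001 (expected, per the
-- page) until step 3 is completed; re-run it afterwards.
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$DATA_MASKING_ROLE');

-- Step 3a: as DV_OWNER, authorize ADMIN in the Oracle System Privilege and
-- Role Management Realm. Assumed API: DBMS_MACADM.ADD_AUTH_TO_REALM.
CONNECT dv_owner_user@<adb_service>
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'Oracle System Privilege and Role Management Realm',
    grantee    => 'ADMIN');
END;
/

-- Step 3b: as ADMIN, give the service account the quota that masking needs,
-- then retry the masking role grant that failed above.
CONNECT admin@<adb_service>
GRANT UNLIMITED TABLESPACE TO DS$ADMIN;
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$DATA_MASKING_ROLE');

-- Check: list exactly what the service account holds now. Run this after every
-- grant or revoke so the effective role set matches the features you enabled
-- and nothing broader than those features remains.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'DS$ADMIN'
ORDER  BY granted_role;

SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'DS$ADMIN'
ORDER  BY privilege;

-- Revoke path (steps 4 and 5): reverse the grants in the opposite order.
-- As ADMIN:     REVOKE UNLIMITED TABLESPACE FROM DS$ADMIN;
-- As DV_OWNER:  EXEC DBMS_MACADM.DELETE_AUTH_FROM_REALM('Oracle System Privilege and Role Management Realm', 'ADMIN');
--               REVOKE DV_SECANALYST FROM DS$ADMIN;
```

The two queries at the end are the part worth keeping in a runbook: on an Autonomous Database the roles are mostly pre-granted, so the useful question is not "did the grant work" but "does the account hold more than the features in use require", and DBA_ROLE_PRIVS answers that directly.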

Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database

To grant or revoke roles from the Oracle Data Safe service account on a non-Autonomous Database, you need to run a SQL privileges script called datasafe_privileges.sql. You can download this script from Oracle Data Safe in Oracle Cloud Infrastructure. To run the script, you need to be connected to your database as the SYS user.

You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the database access to only Activity Auditing. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the database to grant the database access to Data Discovery.

  1. If Database Vault is enabled on your target database and you want to use the User Assessment or Security Assessment features or view audit data in Oracle Data Safe, connect to your database as a user with the DV_OWNER role and grant the DV_SECANALYST and DV_MONITOR roles to the Oracle Data Safe service account.
  2. Download the SQL privileges script. This script is available within the wizards that assist with target database registration. You don't need to work through the wizard and register your target database at this time. Just start the wizard and you'll see the link to download the script on the first page. Download the script and exit the wizard.
    1. On the Overview page in the Oracle Data Safe service, find the tile for the wizard that corresponds to the type of database you are working with. Click Start Wizard. The wizard displays the Data Safe Target Information form.
    2. Click Download Privilege Script and save the datasafe_privileges.sql script to your computer.
    3. Click Cancel.
  3. With SQL Developer or SQL*Plus, connect to your database as the SYS user, and then run the SQL privileges script with the following statement:
    @datasafe_privileges.sql <DATASAFE_ADMIN> <GRANT|REVOKE> <AUDIT_COLLECTION|AUDIT_SETTING|DATA_DISCOVERY|MASKING|ASSESSMENT|ALL> [-RDSORACLE][-VERBOSE]
    • <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your database. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
    • Specify GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
    • You can specify only one feature per command, although ALL grants or revokes privileges for all features.
    • -RDSORACLE is required if you are registering Amazon RDS for Oracle; otherwise, omit the parameter.
    • -VERBOSE is optional.

Example 3-1 Grant all privileges and make all Oracle Data Safe features available

@datasafe_privileges.sql <DATASAFE_ADMIN> GRANT ALL -VERBOSE

Example 3-2 Grant the privileges required to use the masking feature

@datasafe_privileges.sql <DATASAFE_ADMIN> GRANT MASKING
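The incremental use the text describes (Activity Auditing first, Data Discovery later, a feature revoked when no longer needed), as a SQL*Plus session on a non-Autonomous Database with Database Vault enabled. This is an added example, not from the Oracle documentation: the account name DATASAFE_ADMIN stands in for whatever name you gave the service account when you created it, <db_service> is a placeholder, the script is assumed to be in the current directory, and the assumption that the script grants system and object privileges to the account directly (rather than through a role) is only there to explain why the check at the end looks at three views.

```sql
-- Added example, not from the Oracle Data Safe documentation.
-- Assumptions: the service account is DATASAFE_ADMIN (a name you chose; the
-- page uses <DATASAFE_ADMIN> only as a placeholder), Database Vault is enabled,
-- datasafe_privileges.sql is in the current directory, and SQL*Plus prompts
-- for passwords.

-- Database Vault prerequisite: as a DV_OWNER user, let the service account read
-- security configuration (DV_SECANALYST) and audit data (DV_MONITOR).
CONNECT dv_owner_user@<db_service>
GRANT DV_SECANALYST, DV_MONITOR TO DATASAFE_ADMIN;

-- Initial rollout: only Activity Auditing is needed, so grant only that
-- feature. The account name is case-sensitive and must match
-- DBA_USERS.USERNAME exactly.
CONNECT sys@<db_service> AS SYSDBA
@datasafe_privileges.sql DATASAFE_ADMIN GRANT AUDIT_COLLECTION -VERBOSE

-- Later: Data Discovery is needed too. The script accepts one feature per run,
-- so run it again; each run adds to what earlier runs granted.
@datasafe_privileges.sql DATASAFE_ADMIN GRANT DATA_DISCOVERY -VERBOSE

-- Check: what the service account actually holds after the script runs.
-- Assumption: on a non-Autonomous target the script grants privileges to the
-- account directly, so system privileges, object privileges and roles are
-- listed together and tagged by kind.
SELECT 'SYS'  AS kind, privilege AS name
FROM   dba_sys_privs
WHERE  grantee = 'DATASAFE_ADMIN'
UNION ALL
SELECT 'OBJ',  owner || '.' || table_name || ':' || privilege
FROM   dba_tab_privs
WHERE  grantee = 'DATASAFE_ADMIN'
UNION ALL
SELECT 'ROLE', granted_role
FROM   dba_role_privs
WHERE  grantee = 'DATASAFE_ADMIN'
ORDER  BY 1, 2;

-- Decommissioning a feature: REVOKE takes the same arguments as GRANT.
@datasafe_privileges.sql DATASAFE_ADMIN REVOKE DATA_DISCOVERY -VERBOSE

-- Amazon RDS for Oracle targets need the -RDSORACLE parameter, for example:
-- @datasafe_privileges.sql DATASAFE_ADMIN GRANT AUDIT_COLLECTION -RDSORACLE
```

Running the combined privilege query before and after each script invocation, and saving the output, gives you a record of exactly what each feature added to the account, which is what you need when a reviewer later asks why a Data Safe account can read a particular table.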