Compare User Assessments
You can compare two user assessments for a target database to determine if there has been any security drift in the time interval between the two assessments.
Compare options are only visible when you are viewing the latest user assessment.
About Comparing User Assessments
It is important to be able to track how the potential risks in a target database change over time so that you have the data you need to maintain the optimal security posture and to observe trends and patterns in changes that affect security.
This is done by comparing the latest user assessment to a baseline user assessment or to a previous saved user assessment for a target database.
Compare With Baseline
When an assessment indicates that the level of potential risk on a target database is low, consider setting that assessment as the baseline. You can then compare the latest assessment of the same target database against the baseline.
For example, suppose that for one target database you have scheduled assessments on a monthly cycle and the assessment that ran on March 1st reveals a number of potential risks. You address the most significant ones during that month and then find that the April 1st assessment indicates significant improvements, giving you confidence that the security posture is now strong. You may then want to set the April 1st assessment as the baseline. If a baseline is set, then for each scheduled assessment, Oracle Data Safe automatically reports new potential risks as deviations from the baseline, which is referred to as security drift.
Compare with Other Assessments
Another useful comparison is how the current security posture compares with a past posture. You can go back into the Assessment History for User Assessment and set an older assessment (for the same target database) as the baseline.
Structure of a Comparison Report for User Assessment
A comparison report shows you the differences between the latest user assessment and either a baseline assessment or saved assessment.
The comparison report consists of the following elements.
Baseline field
The name of the baseline to which you are comparing the assessment.
Comparison created time field
The date and time the comparison was done.
User name column
This column identifies users with changes.
Status column
For each user name, the Status column indicates if this is a new, existing, or deleted user.
- Compare with baseline: A new user is one that did not exist when the baseline assessment ran. A deleted user is one that did exist in the baseline, but does not exist in the latest assessment. An existing user is one where the account was modified after the run of the assessment that has been set as the baseline.
- Compare Assessment: A new user is one that exists in the latest assessment, but did not exist in the earlier assessment. Likewise, a deleted user no longer exists in the latest assessment. An existing user is one found in both compared assessments and whose account has been modified.
Potential risk column
The Potential risk column identifies the severity of the potential risk.
Comparison results column
The Comparison results column shows whether something was added, removed, or modified and names the areas (called User Details in User Assessment) where changes have occurred. The comparison shows the deltas between the two assessments. User accounts that exist in both assessments but have not been modified are not listed.
Comparison details panel
You can view additional information about a change by selecting the three dots at the end of each row, and selecting the option to view more detail in the Comparison details panel. This panel provides the name and assessment data of the baseline and the latest assessment that are being compared. It also shows the specific changes that appear in the latest assessment, relative to the baseline or saved assessment. For example, an HR account existed in the baseline and the latest assessment indicates that it was modified at some point prior to the latest assessment. A number of grants were modified and one new grant was added.
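The Status and Comparison results semantics described above, as an added example (not Oracle Data Safe code): a minimal diff of two constructed assessment snapshots. The snapshot layout, the field names (`potential_risk`, `grants`, `profile`), and the user accounts are assumptions made for illustration.

```python
# Added example: snapshots and field names below are constructed, not Data Safe's schema.
BASELINE = {
    "HR":        {"potential_risk": "MEDIUM", "grants": {"CREATE SESSION"}, "profile": "DEFAULT"},
    "APP_RO":    {"potential_risk": "LOW", "grants": {"CREATE SESSION"}, "profile": "DEFAULT"},
    "OLD_BATCH": {"potential_risk": "LOW", "grants": {"CREATE SESSION"}, "profile": "DEFAULT"},
}
LATEST = {
    "HR":       {"potential_risk": "HIGH", "grants": {"CREATE SESSION", "SELECT ANY TABLE"}, "profile": "DEFAULT"},
    "APP_RO":   {"potential_risk": "LOW", "grants": {"CREATE SESSION"}, "profile": "DEFAULT"},
    "TEMP_DBA": {"potential_risk": "CRITICAL", "grants": {"DBA"}, "profile": "DEFAULT"},
}


def diff_details(old, new):
    """List added, removed, and modified items per user-detail area."""
    changes = []
    for area in sorted(old.keys() | new.keys()):
        before, after = old.get(area), new.get(area)
        if before == after:
            continue
        if isinstance(before, set) and isinstance(after, set):
            changes += [f"{area}: added {item}" for item in sorted(after - before)]
            changes += [f"{area}: removed {item}" for item in sorted(before - after)]
        else:
            changes.append(f"{area}: modified {before} -> {after}")
    return changes


def compare_assessments(baseline, latest):
    """Return one row per changed user; unmodified users are not listed."""
    rows = []
    for user in sorted(baseline.keys() | latest.keys()):
        old, new = baseline.get(user), latest.get(user)
        if old is None:
            status, changes = "New", ["user added"]
        elif new is None:
            status, changes = "Deleted", ["user removed"]
        else:
            status, changes = "Existing", diff_details(old, new)
            if not changes:
                continue  # present in both assessments and unchanged
        risk = (new or old)["potential_risk"]
        rows.append({"user": user, "status": status, "potential_risk": risk, "changes": changes})
    return rows


if __name__ == "__main__":
    for row in compare_assessments(BASELINE, LATEST):
        print(row)
```

Sorting the resulting rows by potential risk puts a new high-privilege account such as the constructed `TEMP_DBA` at the top of a drift review.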
Set a Baseline User Assessment for a Target Database
You can make the latest user assessment or any saved one in the Assessment History the baseline assessment for a target database.
After you set a baseline, future assessments for the target database automatically include a check for security drift, which is any deviation from the baseline. You are also then able to manually compare any saved assessment with the baseline to check for security drift.
- If needed, prepare a user assessment to be the baseline assessment:
  - Assess your target database.
  - Review the user accounts, their privileges, and potential risk levels, and fix them as needed.
  - Assess the target database again. You can either wait for the next scheduled assessment or immediately refresh the assessment. If the new assessment shows fewer or no risks for the target database or target database group and you are satisfied that this assessment represents an optimal security posture, then you are ready to set it as the baseline.
- Open the user assessment that you want to use as the baseline. You can open the latest user assessment or one from the Assessment History.
- Verify that the assessment’s overall potential risk level is acceptable.
- If you're using the latest assessment: From the Actions menu, select Set as baseline.
- If you're using a saved assessment in the Assessment History: Select Set as baseline.
- In the confirm dialog box, select Yes to confirm.
Compare the Latest User Assessment with a Baseline Assessment
You can compare the latest user assessment to a baseline user assessment of the same target database to check for security drift. Setting a baseline assessment is a prerequisite.
- Open the latest user assessment for your target database.
- Select the Compare with baseline tab.
- Select View comparison report. The Comparison with baseline panel opens and shows a table listing what has changed in the latest assessment relative to the baseline.
- To view more detail about a change:
  - At the end of a line in the table, select the three dots, and then select the option to view more detail. The Comparison details panel opens.
  - Review the information, and then select Close.
Compare the Latest User Assessment with a Saved Assessment
You can compare the latest user assessment with any saved user assessment in the Assessment history to check for security drift in a target database.
- Open the latest user assessment for your target database.
- From the Actions menu, select Compare with other assessments. The Comparison with other assessments panel opens.
- From the Select assessment compartment dropdown list, select the compartment of the assessment that you want to compare with the latest assessment.
- From the Select assessments dropdown list, select an assessment.
- Select Compare.
- Review the list of changes in the table. The comparison shows what has changed in the latest assessment relative to the saved assessment that you selected.
- At the end of each line in the table, select the three dots and select the option to view more detail about the change. The Comparison details panel opens. Review the information, and then select Close.