User Assessment Overview

The User Assessment feature in Oracle Data Safe helps you identify highly privileged user accounts that could pose a threat if misused or compromised.

Note:

User Assessment and Security Assessment are complementary features of Oracle Data Safe. While Security Assessment analyzes risks pertaining to database configuration, User Assessment focuses exclusively on the inherent risk factors in user access to the database.

About User Assessment

Knowing which users have access to sensitive data is essential for managing risk. Which database accounts have powerful roles, such as Database Administrator, Database Vault Administrator, or Audit Administrator? Who can make changes that seriously impact the system, access sensitive data, or grant access to unauthorized users? Is there a risk of attackers compromising some user accounts because the passwords have not been changed in a long time? Is password complexity being checked for all user accounts? If not, for how many users? The User Assessment feature in Oracle Data Safe answers these questions to help you identify highly privileged user accounts that could pose a threat if misused or compromised. Administrators can then deploy appropriate security controls and policies.

User Assessment reviews information about your users in the data dictionaries on your target databases and then calculates a risk score for each user based on system privileges and role grants. For example, it displays the user types, how users are authenticated, the password policies assigned to each user, and how long it has been since each user has changed their password. With this information, you can decide whether to implement more restrictive password policies, use Oracle Database Vault, or add other security controls to further limit user access, if needed.

After you register a target database, Oracle Data Safe automatically runs a User Assessment for that target database. The User Assessment feature is supported for all database types and versions currently certified by Oracle Data Safe. To view audit records for users in User Assessment, you must start audit data collection in Activity Auditing for your target database.

For all registered target databases, User Assessment automatically generates an assessment once per week and saves a copy of it to the Assessment History. This assessment is referred to as the "latest" assessment. If needed, you can modify its schedule. You also have the option to create a schedule that saves a copy of the latest assessment to a different compartment and with a different name.

User Assessment lets you refresh the latest assessment at any time by using the Refresh Now option. After the latest assessment is refreshed, User Assessment saves the assessment to the history and also overwrites the latest assessment. To monitor security drift on your target database, you can compare two assessments. You can define a baseline assessment and compare other assessments to it, or, you can compare two selected assessments. Lastly, you can generate a PDF or XLS report from an assessment.

The following are use cases for the User Assessment feature:

  • Quickly assess your databases to learn about the existing user accounts, their privilege and role grants, and the potential risk a compromised or misused account would pose.
  • Identify highly privileged users.
  • Identify system privileges and role grants that could be unnecessary.
  • Identify dormant accounts.
  • Identify users with stale passwords.
  • Review existing user profiles, their password parameters including their password complexity verification function.
  • Identify users and profiles without password governance policies.
  • Identify which profiles are assigned to which users.
  • Identify discrepancies in user profile password attributes across multiple targets.
  • Promote database security best practices.
  • Monitor security drift by comparing an assessment against a baseline.
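The checks behind three of these use cases (stale passwords, dormant accounts, and profiles without password governance) can be reproduced against the data dictionary of a single target database. The following SQL is an added example, not Oracle Data Safe's own implementation: it assumes Oracle Database 12.2 or later (for the LAST_LOGIN and PASSWORD_CHANGE_DATE columns of DBA_USERS), a session with SELECT on DBA_USERS and DBA_PROFILES, and illustrative thresholds of 90 and 60 days that are not product defaults.

```sql
-- Added example (not Oracle Data Safe's own query). Assumes Oracle Database
-- 12.2+ and SELECT on DBA_USERS / DBA_PROFILES. The 90-day and 60-day
-- thresholds are illustrative, not product defaults.

-- 1. Stale passwords: open, password-authenticated, non-Oracle-maintained
--    accounts whose password has not changed in 90 days.
SELECT u.username,
       u.profile,
       u.password_change_date,
       TRUNC(SYSDATE - u.password_change_date) AS days_since_change
FROM   dba_users u
WHERE  u.authentication_type = 'PASSWORD'
AND    u.account_status      = 'OPEN'
AND    u.oracle_maintained   = 'N'
AND    u.password_change_date < SYSDATE - 90
ORDER  BY days_since_change DESC;

-- 2. Dormant accounts: open accounts with no recorded login in 60 days.
--    LAST_LOGIN is NULL for accounts that have never logged in, so NULL is
--    treated as dormant rather than silently excluded.
SELECT u.username,
       u.account_status,
       u.last_login
FROM   dba_users u
WHERE  u.account_status    = 'OPEN'
AND    u.oracle_maintained = 'N'
AND    (u.last_login IS NULL
        OR u.last_login < SYSTIMESTAMP - INTERVAL '60' DAY)
ORDER  BY u.last_login NULLS FIRST;

-- 3. Password governance: profiles with no complexity check, and how many
--    users sit on each. A profile whose PASSWORD_VERIFY_FUNCTION is 'DEFAULT'
--    inherits the DEFAULT profile's value, so that value is resolved first;
--    the string 'NULL' in DBA_PROFILES.LIMIT means "no function".
WITH verify AS (
  SELECT profile, limit
  FROM   dba_profiles
  WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION'
),
resolved AS (
  SELECT v.profile,
         CASE WHEN v.limit = 'DEFAULT'
              THEN (SELECT d.limit FROM verify d WHERE d.profile = 'DEFAULT')
              ELSE v.limit
         END AS effective_function
  FROM   verify v
)
SELECT r.profile,
       r.effective_function,
       COUNT(u.username) AS users_on_profile
FROM   resolved r
LEFT   JOIN dba_users u
       ON  u.profile = r.profile
       AND u.oracle_maintained = 'N'
WHERE  r.effective_function = 'NULL'
GROUP  BY r.profile, r.effective_function
ORDER  BY users_on_profile DESC;
```

Each query returns the rows a reviewer would triage: the first two list individual accounts to lock, expire or remove, and the third points at the profile to change, which fixes every user assigned to it in one step rather than account by account.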

A user assessment shows all registered Oracle Data Safe target databases in a selected compartment. You have the option to include all child compartments of the selected compartment. This is the scope of the assessment. If you select the root compartment and include child compartments, then the assessment shows all assessments across all compartments in the tenancy.

Assessment Scope

The assessment scope refers to the target databases that you want to assess together. You set the scope by selecting the appropriate compartments that contain those target databases.

You can set the scope to the root compartment, the root and all child compartments, or any individual compartment - either alone or including its sub-compartments. For a complete view of your tenancy’s security posture, select the root compartment with all child compartments.

It's important to remember that within the selected scope, your view within User Assessment is determined by the privileges your account has been granted in Oracle Cloud Infrastructure Identity and Access Management (IAM).

Potential Risk Levels of Users

User Assessment assigns potential risk levels to users based on their granted roles and privileges. The following table describes these levels.

Note:

Potential risk levels are different for Security Assessment. User Assessment designates some user risk factors as CRITICAL; however, this designation is not used in Security Assessment. Likewise, the ADVISORY and EVALUATE risk levels in Security Assessment are not used in User Assessment.

  • Critical
    • Scope: database level.
    • Impact: database availability and integrity.
    • Has direct read/modify/copy access to data.
    • Can bypass or alter security policies.
    • Can clean up audit data.
    • Malicious activity possible.
  • High
    • Scope: feature level. Potential for malicious activity is limited to a smaller scope than that of a user in the Critical category.
    • Ability to read/modify/copy data indirectly through use of the corresponding privileges. This requires more effort to accomplish than the direct access capability of a user in the Critical category.
    • Can degrade performance at a query level – alter/drop SQL profiles or SQL translation profiles.
    • Allows key management.
    • Can create, alter, or drop database profiles.
  • Medium
    • Has privileges which have a large scope, but do not have serious effects. For example, a user with ALTER RESOURCE COST privilege can set costs for user sessions.
  • Low
    • Scope: privileges specific to the grantee.

User Types

User Assessment categorizes users into different user types. These are the possible user types:

  • Admin Privileged - The user has administrative privileges such as SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM, or SYSRAC.
  • Application - The user is an Oracle E-Business Suite Applications (EBS) or Fusion Applications (FA) user.
  • Privileged - The user is a privileged user. Users that pose a potential risk level of High or Critical are flagged as privileged.
  • Schema - The user is EXPIRED & LOCKED, EXPIRED, LOCKED, or a schema-only account (whose authentication type is NONE).
  • Non-privileged - The user is a non-privileged user. A non-privileged user is a user who does not have elevated access rights and, thus, is not classified under any specific user type. Their granted privileges are limited and cannot cause any system-wide impact. Such a user cannot make changes at the database or user level, nor can they impact objects not owned by them.
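The DBA, DV admin and Audit admin counts that User Assessment reports, and the Admin Privileged user type, both rest on grants that are visible in the data dictionary. The following SQL is an added example, not Oracle Data Safe's own scoring logic: it expands role grants transitively, so a user who holds DBA only through an intermediate role is reported the same as one granted DBA directly, and then lists accounts holding administrative privileges from the password file. It assumes Oracle Database 12.1 or later and SELECT on DBA_ROLE_PRIVS, DBA_USERS and V$PWFILE_USERS.

```sql
-- Added example (not Oracle Data Safe's own logic). Assumes Oracle Database
-- 12.1+ and SELECT on DBA_ROLE_PRIVS, DBA_USERS and V$PWFILE_USERS.

-- 1. Users holding DBA, DV_ADMIN or AUDIT_ADMIN directly or via nested roles.
--    The recursive member follows role-to-role grants; CYCLE guards against
--    circular role grants. The anchor casts PATH to VARCHAR2(4000) because a
--    recursive CTE sizes string columns from its anchor member.
WITH role_chain (grantee, granted_role, path) AS (
  SELECT grantee,
         granted_role,
         CAST(granted_role AS VARCHAR2(4000))
  FROM   dba_role_privs
  UNION ALL
  SELECT rc.grantee,
         rp.granted_role,
         rc.path || ' -> ' || rp.granted_role
  FROM   role_chain rc
  JOIN   dba_role_privs rp
         ON rp.grantee = rc.granted_role
)
CYCLE granted_role SET is_cycle TO 'Y' DEFAULT 'N'
SELECT DISTINCT u.username,
       rc.granted_role AS powerful_role,
       rc.path         AS grant_path
FROM   role_chain rc
JOIN   dba_users u
       ON u.username = rc.grantee
WHERE  rc.granted_role IN ('DBA', 'DV_ADMIN', 'AUDIT_ADMIN')
AND    rc.is_cycle = 'N'
AND    u.oracle_maintained = 'N'
ORDER  BY u.username, powerful_role;

-- 2. Accounts with administrative privileges recorded in the password file
--    (the grants that place a user in the Admin Privileged type). SYSRAC is
--    omitted here because its column is not present on every release.
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users
ORDER  BY username;
```

The GRANT_PATH column is the useful part for remediation: a user who reaches DBA through an application role usually needs the intermediate role fixed, not the user revoked.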

User Profiles

User Profile details are gathered by a User Assessment run. Managing user profiles across multiple Oracle databases can be challenging as the number of databases and users increases. Multiple databases make it hard to spot inconsistencies in these profiles. For example, a specific user profile can have password parameters set differently in various databases, leading to non-compliance with regulatory requirements. As the number of users and potentially the number of profiles grow, managing them can become increasingly complex and time-consuming, especially if managing them at scale for multiple databases. User Profiles helps to spot inconsistencies and work towards unifying user profiles across all databases in your fleet.
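Spotting profile inconsistencies across a fleet starts with a comparable snapshot of each database's password parameters. The following SQL is an added example, not Oracle Data Safe's own implementation: it resolves every 'DEFAULT' limit to the DEFAULT profile's actual value, pivots the password parameters into one row per profile, and tags each row with the database name so that output from several targets can be unioned and diffed. It assumes Oracle Database 11g or later and SELECT on DBA_PROFILES.

```sql
-- Added example (not Oracle Data Safe's own query). Assumes Oracle Database
-- 11g+ and SELECT on DBA_PROFILES. Run once per target database; the
-- DB_NAME column lets the rows from different targets be compared side by side.
WITH pw AS (
  SELECT SYS_CONTEXT('USERENV', 'DB_NAME') AS db_name,
         p.profile,
         p.resource_name,
         -- 'DEFAULT' means "inherit from the DEFAULT profile", so substitute
         -- that profile's value; otherwise keep the explicit limit.
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM   dba_profiles p
  JOIN   dba_profiles d
         ON  d.resource_name = p.resource_name
         AND d.profile       = 'DEFAULT'
  WHERE  p.resource_type = 'PASSWORD'
)
SELECT *
FROM   pw
PIVOT (
  MAX(effective_limit) FOR resource_name IN (
    'FAILED_LOGIN_ATTEMPTS'    AS failed_logins,
    'PASSWORD_LIFE_TIME'       AS life_time,
    'PASSWORD_LOCK_TIME'       AS lock_time,
    'PASSWORD_GRACE_TIME'      AS grace_time,
    'PASSWORD_REUSE_MAX'       AS reuse_max,
    'PASSWORD_REUSE_TIME'      AS reuse_time,
    'PASSWORD_VERIFY_FUNCTION' AS verify_fn
  )
)
ORDER  BY db_name, profile;
```

Because the output is one flat row per (database, profile), a plain text diff of two databases' results shows exactly which parameter of which profile drifted, which is the discrepancy the User Profiles view is designed to surface.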

Terms in User Assessment

  • On-demand user assessment

    You can select the Refresh now button on any user assessment to rerun it immediately against the selected target database.

  • Scheduled user assessment

    A weekly user assessment is automatically scheduled for every registered target database. You can change the schedule to a different time and/or a daily or monthly interval.

  • Latest user assessment

    The most recent assessment completed (either on demand or scheduled) for the selected compartment. Each new assessment becomes the latest assessment.

  • Saved user assessment

    A copy of the latest assessment saved to a compartment of your choice. The copy is listed in the history.

  • Assessment History

    The archive of all saved assessments of a target database.

  • Baseline user assessment

    A user assessment that you can designate as the standard for a target database. When an assessment runs, in addition to finding potential risks, the job tells you whether there is any deviation on users in the baseline. There is a Set as baseline option in each assessment.

User Assessment Landing Page

User Assessment's home page provides a high-level view of the user security posture in one or more of your target databases. It consists of the following interactive tabs: Overview, Risk summary, Target summary, and Target group summary.

Overview tab

The charts on this tab provide summarized views of user activity. Charts included are Potential user risk, User roles, Last password change, Last login, and Password expiry date.

Risk summary tab

The table on this tab displays counts of potential risk levels by target databases, users, privileged users, DBAs, DV admins, and Audit admins. The risk levels are critical, high, medium, and low.

Target summary tab

The table on this tab lists your target databases within the selected scope. For each target, you can access a link to the latest assessment and view the status of the latest assessment, the target database name, whether the latest assessment deviates from the baseline, and the last assessment date and time. You can also view the total number of potential risks that are critical and high level, as well as the total number of DBAs, users with the Database Vault DV_ADMIN role, and Audit admins.

Target group summary tab

The table on this tab shows you the overview of all target group assessments and their respective risk levels. For each target database group, it lists the number of critical risks, high risks, DBAs, DV admins, and Audit admins, as well as when the last assessment completed. You can select the name of a target database group to view more assessment details.

Structure of a User Assessment for a Target Database

A user assessment for a target database is organized into five tabs: Details, Overview, Assessment details, Compare with baseline, and User profiles.

Details tab

On the Details tab, you can view the following general information about the assessment, target database, and baseline.

  • OCID for the assessment
  • Compartment name
  • Created (timestamp)
  • Assessed time (timestamp)
  • Schedule
  • Target database name
  • Baseline (whether the assessment is a baseline)
  • Complies with baseline (No baseline set or No comparison done)

Overview tab

The Overview tab shows you six charts:

  • Potential user risk
  • User roles
  • Top 5 users by schema access
  • Last login
  • Last password change
  • Password expiry date

Assessment details tab

On the Assessment details tab, you can view the following user details.

  • User name
  • User type (for example, PRIVILEGED or SCHEMA)
  • Whether the user is a DBA, DV admin, or Audit admin
  • Potential risk level (for example, LOW or CRITICAL)
  • Status (for example, LOCKED, OPEN, or EXPIRED_AND_LOCKED)
  • Password changed time (timestamp)
  • Last login time (timestamp)
  • Schema access (a list of schemas the user has access to)
  • User profile
  • Audit records - You can select the View activity link to view the user's audit records in the All Activity Report. From here you can select other auditing reports or select the browser's back button to return to the Assessment details tab.
  • Password expiry date
  • Created (timestamp)
  • Authentication (for example, NONE or PASSWORD)

Compare with baseline tab

On the Compare with baseline tab, you can view a comparison report. The report shows the differences between the latest user assessment and a baseline user assessment.

User profiles tab

The User profiles tab shows you details about the user profiles on the target database.

  • Profile name
  • Number of users using the profile
  • Allowed failed login attempts
  • Password requirements (for example, CLOUD_VERIFY_FUNCTION)
  • Sessions per user (for example, UNLIMITED, DEFAULT, or 10)
  • Defined by Oracle (Yes or No)

User Assessment Workflow

This is an end-to-end walkthrough of User Assessment functionality for new users, not a fixed procedure.

When you register a target database in Oracle Data Safe, a user assessment is run on the database automatically. So the first time you check the User Assessment page after registration, assessment data is already there. By default, this data is refreshed on a weekly schedule at the same time as when the registration was completed. This workflow explains how to view that data.

  1. Check that the target database you want to assess is registered and that you have assigned the necessary permissions in IAM.
  2. On the left navigation pane, under Data Safe - Database Security, select User assessment.
  3. Review the high-level security posture of the users on your target databases.
    • On the Overview tab, analyze the chart data.
    • View the Risk summary, Target summary, and Target group summary tabs.
    • Set the scope of the data that you want to see.
  4. On each tab, analyze the data further by drilling down into items.
    • On the Risk summary tab, you can view a high-level assessment at each potential risk level. You can select a risk level to get more detail. For example, you can select Critical and view the list of users that are deemed a critical potential risk, along with details about their database activities.
    • On the Target summary tab, you can view a high-level assessment for each of your target databases within the selected scope and quickly access their latest assessments.
    • On the Target group summary tab, you can view a high-level assessment for all of your target groups.
  5. On the Target summary tab, open and review the latest assessment for a target database.
  6. Change the names of your user assessments to names that are meaningful to you. The default names that Oracle Data Safe assigns follow this pattern: UA_<unique number>. It's helpful to choose your own names. You may want to retain the UA_ prefix because it will distinguish user assessments from security assessments (SA_).
  7. Schedule user assessments.
  8. Compare user assessments to determine if there is any security drift.
    • You can set the latest assessment or a saved assessment as the baseline.
    • When you compare assessments, User Assessment generates a comparison report against your latest assessment results.
  9. Create PDF or XLS versions of your User Assessment reports as needed and then download them.
  10. In the Event service in Oracle Cloud Infrastructure (OCI), you can create event notifications. For example, you can subscribe to the UserAssessmentDriftFromBaseline event to be automatically informed if a user assessment differs from the baseline.

Prerequisites for Using User Assessment

User Assessment requires registered, properly provisioned target databases. Users must be granted specific permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM).

These are the prerequisites for User Assessment:

  • Register the target databases where you want to run User Assessment. After you register a target database, Oracle Data Safe automatically runs a user assessment for your target database and updates it according to the schedule (once per week by default).
  • For all database types supported by Oracle Data Safe, except for Autonomous AI Databases, grant the ASSESSMENT role to the Oracle Data Safe service account on the target database. An Autonomous AI Database is automatically provisioned with the equivalent DS$ASSESSMENT_ROLE when it is registered as a target database.
  • Obtain either the view permission or the manage permission on the user-assessments resource in IAM.
  • To set baselines or compare assessments: Obtain read permission on the data-safe-work-requests resource in IAM.
  • To view details about the schemas and tables that a user has access to, as well as the privileges the user was granted on them: Obtain read or use permission on the data-safe-security-policy-reports resource in IAM. See data-safe-security-policy-reports Resource in the Administering Oracle Data Safe guide. You may need to re-run the database privilege script for non-Autonomous AI Databases. See Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database in the Administering Oracle Data Safe guide.

As an alternative to selectively granting permissions, you can grant permissions on data-safe-assessment-family in the relevant compartments, which would include permissions on all of the resources above as well as security-assessments. See data-safe-assessments-family Resource in the Administering Oracle Data Safe guide for more information.

See Also:

The Administering Oracle Data Safe guide provides these sections to help with establishing the prerequisites:

Recommended Before You Start

Oracle recommends you try the Get Started with Oracle Data Safe Fundamentals workshop in LiveLabs before you use User Assessment.

The Get Started with Oracle Data Safe Fundamentals workshop includes hands-on training for User Assessment. Whether or not you've taken the workshop before, you'll find that the lab for User Assessment provides an up-front familiarity with this feature that makes it easier for you to put it to work in your organization. Consider going through the workshop to learn about User Assessment before you proceed.