User Assessment Overview

The User Assessment feature in Oracle Data Safe helps you to identify highly privileged user accounts that could pose a threat if misused or compromised.

About User Assessment

Knowing which users have access to sensitive data is essential to managing risk. Which database accounts have powerful roles, such as Database Administrator, Database Vault Administrator, or Audit Administrator? Who can make changes that seriously impact the system, access sensitive data, or grant access to unauthorized users? Is there a risk of attackers taking over some user accounts because the passwords have not been changed in a long time? Is password complexity being checked for all user accounts? If not, for how many users? The User Assessment feature in Oracle Data Safe answers these questions and more to help you identify highly privileged user accounts that could pose a threat if misused or compromised. Administrators can then deploy appropriate security controls and policies.

User Assessment reviews information about your users in the data dictionaries on your target databases and then calculates a risk score for each user, based on system privileges and role grants. For example, it displays the user types, how users are authenticated, the password policies assigned to each user, and how long it has been since each user has changed their password. With this information, you can decide whether to implement more restrictive password policies, use Oracle Database Vault, or add other security controls to further limit user access, if needed.

After you register a target database, Oracle Data Safe automatically runs a User Assessment for that target database. The User Assessment feature is supported for all database types and versions currently certified by Oracle Data Safe. To view audit records for users in User Assessment, you must start audit data collection in Activity Auditing for your target database.

For all registered target databases, User Assessment automatically generates an assessment once per week and saves a copy of it to the history. This assessment is referred to as the "latest" assessment. If needed, you can modify its schedule. You also have the option to create a schedule that saves a copy of the latest assessment to a different compartment and with a different name.

User Assessment lets you refresh the latest assessment at any time by using the Refresh Now option. After the latest assessment is refreshed, User Assessment saves a copy to the history and also overwrites the latest assessment. To monitor security drift on your target database, you can compare two assessments: either define a baseline assessment and compare other assessments to it, or compare any two selected assessments. Lastly, you can generate a PDF or XLS report from an assessment.

The following are use cases for the User Assessment feature:

  • Quickly assess your databases to learn about the existing user accounts, their privilege and role grants, and the potential risk a compromised or misused account would pose.
  • Identify highly privileged users.
  • Identify system privileges and role grants that could be unnecessary.
  • Identify dormant accounts.
  • Identify users with stale passwords.
  • Review existing user profiles and their password parameters, including the password complexity verification function.
  • Identify users and profiles without password governance policies.
  • Identify which profiles are assigned to which users.
  • Identify discrepancies in user profile password attributes across multiple targets.
  • Promote database security best practices.
  • Monitor security drift by comparing an assessment against a baseline.

The User Assessment page shows all registered Oracle Data Safe target databases in a selected compartment. You have the option to include all child compartments of the selected compartment; together these define the scope of the assessment view. If you select the root compartment and include child compartments, the page shows the assessments of all target databases across all compartments in the tenancy.

User Assessment Compared to Security Assessment

User Assessment and Security Assessment are complementary features of Oracle Data Safe. While Security Assessment analyzes risks pertaining to database configuration, User Assessment focuses exclusively on the inherent risk factors in user access to the database.

Understanding Potential Risk in User Assessment

Potential Risk Levels in User Assessment

Each user is assigned a potential risk level that is determined by their granted roles and privileges.

Potential risk levels and their descriptions:

Critical
  • Scope: database level.
  • Impact: database availability and integrity.
  • Has direct read/modify/copy access to data.
  • Can bypass or alter security policies.
  • Can clean up (delete) audit data.
  • Malicious activity possible.
High
  • Scope: feature level. The potential for malicious activity is limited to a smaller scope than that of a user in the Critical category.
  • Can read/modify/copy data indirectly through use of the corresponding privileges. This requires more effort than the direct access available to a user in the Critical category.
  • Can degrade performance at the query level by altering or dropping SQL profiles or SQL translation profiles.
  • Can perform key management.
  • Can create, alter, or drop database profiles.
Medium
  • Has privileges with a large scope but no serious effects. For example, a user with the ALTER RESOURCE COST privilege can set costs for user sessions.
Low
  • Scope: privileges specific to the grantee.

Note:

Risk levels in User Assessment and Security Assessment are different. User Assessment designates some user risk factors as CRITICAL. This designation is not used in Security Assessment. Likewise, the ADVISORY and EVALUATE risk levels in Security Assessment are not part of User Assessment.
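The following SQL is an added example; it is not taken from the Oracle documentation and it is not Data Safe's scoring logic. It illustrates the direct-versus-indirect distinction in the table above: a user whose role chain reaches DBA holds the same power as one granted DBA directly, so an effective-grant view has to follow role-to-role grants recursively, and a system privilege such as ADMINISTER KEY MANAGEMENT may arrive through a role rather than a direct grant. The roles and privileges in the IN lists are standard Oracle names chosen to match the level descriptions (DBA, DV_OWNER and AUDIT_ADMIN for Critical; key management and the PROFILE privileges for High; ALTER RESOURCE COST for Medium); which grants Data Safe actually maps to which level is an assumption here, not a published rule, and the level_guess column is labelled accordingly. The query needs SELECT on the DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_USERS views (for example, through SELECT_CATALOG_ROLE).

```sql
-- Added example; not part of the Oracle Data Safe documentation and not the
-- product's scoring logic. Requires SELECT on DBA_ROLE_PRIVS, DBA_SYS_PRIVS
-- and DBA_USERS (for example, SELECT_CATALOG_ROLE).
WITH user_roles (username, role_name, depth, path) AS (
  -- anchor: roles granted directly to a user. DBA_ROLE_PRIVS also lists roles
  -- granted to roles; the join to DBA_USERS keeps only user grantees here.
  SELECT rp.grantee,
         rp.granted_role,
         1,
         CAST(rp.grantee || ' -> ' || rp.granted_role AS VARCHAR2(4000))
  FROM   dba_role_privs rp
  JOIN   dba_users u ON u.username = rp.grantee
  UNION ALL
  -- recursion: if the user holds role R1 and R1 was granted role R2, the user
  -- effectively holds R2. A role and a user can never share a name in Oracle,
  -- so a grantee equal to a role name is always the role.
  SELECT ur.username,
         rp.granted_role,
         ur.depth + 1,
         ur.path || ' -> ' || rp.granted_role
  FROM   user_roles ur
  JOIN   dba_role_privs rp ON rp.grantee = ur.role_name
  WHERE  ur.depth < 10      -- Oracle rejects circular role grants; this is only a safety stop
),
effective_sys_privs (username, privilege, granted_via) AS (
  -- system privileges granted directly to the user
  SELECT sp.grantee, sp.privilege, CAST('DIRECT' AS VARCHAR2(4000))
  FROM   dba_sys_privs sp
  JOIN   dba_users u ON u.username = sp.grantee
  UNION ALL
  -- system privileges that arrive through any effective role
  SELECT ur.username, sp.privilege, ur.path
  FROM   user_roles ur
  JOIN   dba_sys_privs sp ON sp.grantee = ur.role_name
)
-- The level_guess values are illustrative picks for each level described on
-- this page; Data Safe's real mapping is not published here (assumption).
SELECT username,
       'ROLE'    AS grant_kind,
       role_name AS grant_name,
       path      AS granted_via,
       CASE role_name
         WHEN 'DBA'         THEN 'Critical (illustrative)'
         WHEN 'DV_OWNER'    THEN 'Critical (illustrative)'
         WHEN 'AUDIT_ADMIN' THEN 'Critical (illustrative)'
       END       AS level_guess
FROM   user_roles
WHERE  role_name IN ('DBA', 'DV_OWNER', 'AUDIT_ADMIN')
UNION ALL
SELECT username,
       'SYS PRIV',
       privilege,
       granted_via,
       CASE privilege
         WHEN 'ADMINISTER KEY MANAGEMENT' THEN 'High (illustrative)'
         WHEN 'CREATE PROFILE'            THEN 'High (illustrative)'
         WHEN 'ALTER PROFILE'             THEN 'High (illustrative)'
         WHEN 'DROP PROFILE'              THEN 'High (illustrative)'
         WHEN 'ALTER RESOURCE COST'       THEN 'Medium (illustrative)'
       END
FROM   effective_sys_privs
WHERE  privilege IN ('ADMINISTER KEY MANAGEMENT', 'CREATE PROFILE', 'ALTER PROFILE',
                     'DROP PROFILE', 'ALTER RESOURCE COST')
ORDER  BY username, grant_kind, grant_name;
```

The granted_via column is what makes a finding actionable: a High privilege that arrives through a nested role is revoked at the role-to-role grant, not at the user, and revoking it changes the exposure of every other holder of that role. Append WHERE u.oracle_maintained = 'N' to the anchor member and to the direct-privilege branch to exclude SYS, SYSTEM and other Oracle-maintained accounts, which otherwise dominate the output.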

User Types

User Assessment categorizes users into different user types. These are the possible user types:

  • Admin Privileged - The user has an administrative privilege such as SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM, or SYSRAC.
  • Application - The user is an Oracle E-Business Suite Applications (EBS) or Fusion Applications (FA) user.
  • Privileged - The user is a privileged user. Users at the High or Critical potential risk level are flagged as privileged.
  • Schema - The user is EXPIRED & LOCKED, EXPIRED, LOCKED, or a schema-only account (whose authentication type is NONE).
  • Non-privileged - The user has no elevated access rights and therefore falls under none of the other user types. Such a user's granted privileges are limited and cannot cause any system-wide impact: the user cannot make changes at the database or user level and cannot affect objects they do not own.
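The query below is an added example; it is not from the Oracle documentation and it is not how Data Safe itself classifies users. It reconstructs from the data dictionary the per-user facts described under About User Assessment (authentication type, assigned profile and its password verification function, last login, last password change) and the stale-password and dormant-account use cases, together with the two user types that can be decided from the dictionary alone: Admin Privileged is read from V$PWFILE_USERS and Schema from ACCOUNT_STATUS and AUTHENTICATION_TYPE. The Application, Privileged and Non-privileged types depend on the potential risk scoring, so the example leaves those rows marked for grant review. The 12-month stale-password threshold, the 90-day dormancy threshold, the precedence of Admin Privileged over Schema, the treatment of EXPIRED(GRACE) and LOCKED(TIMED) as Schema, and the ORACLE_MAINTAINED filter are all assumptions for illustration. PASSWORD_CHANGE_DATE and LAST_LOGIN are absent from older releases; drop those columns there.

```sql
-- Added example; not part of the Oracle Data Safe documentation and not the
-- product's own classification. Thresholds and the Oracle-maintained filter
-- are illustrative assumptions. Requires SELECT on DBA_USERS, DBA_PROFILES
-- and V$PWFILE_USERS (for example, SELECT_CATALOG_ROLE).
WITH admin_privs AS (
  -- accounts holding an administrative privilege in the password file
  -- (add SYSRAC if your release exposes that column)
  SELECT DISTINCT username
  FROM   v$pwfile_users
  WHERE  sysdba = 'TRUE' OR sysoper = 'TRUE' OR sysbackup = 'TRUE'
     OR  sysdg  = 'TRUE' OR syskm   = 'TRUE'
),
verify_fn AS (
  -- the password complexity function of each profile:
  -- 'NULL' means none is set, 'DEFAULT' means inherited from the DEFAULT profile
  SELECT profile, limit AS password_verify_function
  FROM   dba_profiles
  WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION'
)
SELECT u.username,
       CASE
         WHEN a.username IS NOT NULL            THEN 'Admin Privileged'  -- assumption: wins over Schema
         WHEN u.authentication_type = 'NONE'
           OR u.account_status LIKE '%EXPIRED%'                           -- assumption: also EXPIRED(GRACE)
           OR u.account_status LIKE '%LOCKED%'  THEN 'Schema'             -- assumption: also LOCKED(TIMED)
         ELSE 'Review role/privilege grants'   -- Application/Privileged/Non-privileged need the risk score
       END                                          AS user_type_guess,
       u.account_status,
       u.authentication_type,
       u.profile,
       v.password_verify_function,
       u.password_change_date,
       TRUNC(SYSDATE - u.password_change_date)      AS days_since_pw_change,
       CAST(u.last_login AS DATE)                   AS last_login,
       TRUNC(SYSDATE - CAST(u.last_login AS DATE))  AS days_since_login,
       CASE
         WHEN u.authentication_type = 'PASSWORD'
          AND NVL(u.password_change_date, u.created) < ADD_MONTHS(SYSDATE, -12)
         THEN 'STALE PASSWORD'                      -- assumption: 12 months
       END                                          AS stale_password,
       CASE
         WHEN u.account_status = 'OPEN'
          AND (u.last_login IS NULL OR CAST(u.last_login AS DATE) < SYSDATE - 90)
         THEN 'DORMANT'                             -- assumption: 90 days, open accounts only
       END                                          AS dormant
FROM   dba_users u
LEFT JOIN admin_privs a ON a.username = u.username
LEFT JOIN verify_fn   v ON v.profile  = u.profile
WHERE  u.oracle_maintained = 'N'                    -- remove to include SYS, SYSTEM, and so on
ORDER  BY user_type_guess, u.username;
```

Two things this surfaces that the headline counts do not: a password_verify_function of 'NULL' identifies a profile with no complexity check at all (the "is password complexity being checked" question above), and a 'DEFAULT' value is only as strong as the DEFAULT profile on that particular database. LAST_LOGIN is only populated for logins since the column was introduced, so a NULL does not by itself prove an account has never been used; cross-check against Activity Auditing data before treating it as dormant.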

Scope

You can set the scope of your view of User Assessment to the root compartment alone, to the root compartment with all of its child compartments, or to any compartment under root with or without that compartment's child compartments.

When you look at potential risk findings and target database users in User Assessment you can set the scope to root with its child compartments to review the overall security posture of your tenancy. You can also set the scope to focus on a specific compartment of interest.

Note:

It's important to remember that within the selected scope, your view within User Assessment is determined by the privileges your account has been granted in OCI.

Risk Summary and Target Summary

On the User Assessment page, the Risk Summary tab gives you a broad look at all of the current potential risk findings in the selected scope.

The Target Summary tab lets you focus on a specific target database and all of the users within that database.

User Profiles

User Profile details are gathered by a User Assessment run. Managing user profiles across multiple Oracle databases becomes harder as the number of databases and users grows, because inconsistencies are difficult to spot across databases. For example, the same user profile can have its password parameters set differently in different databases, which can put you out of compliance with regulatory requirements. User Profiles helps you spot such inconsistencies and work towards unifying user profiles across all databases in your fleet.
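The query below is an added example (not from the Oracle documentation) of the fleet comparison that the User Profiles view automates. It emits one row per profile with the password parameters the view compares, tagged with the database name so that the output from several databases can be concatenated and diffed. The point a naive comparison misses is the literal value DEFAULT: a profile that shows DEFAULT for PASSWORD_LIFE_TIME on two databases is not necessarily identical, because the DEFAULT profile itself may differ, so the query resolves DEFAULT to the inherited value before pivoting. It requires SELECT on DBA_PROFILES and DBA_USERS; the parameter list is the standard PASSWORD resource set and INACTIVE_ACCOUNT_TIME is absent on older releases.

```sql
-- Added example; not part of the Oracle Data Safe documentation. Run it on each
-- database in the fleet and compare the rows. Requires SELECT on DBA_PROFILES
-- and DBA_USERS (for example, SELECT_CATALOG_ROLE).
WITH pw AS (
  SELECT profile, resource_name, limit
  FROM   dba_profiles
  WHERE  resource_type = 'PASSWORD'
),
resolved AS (
  -- replace the literal 'DEFAULT' with the value inherited from the DEFAULT profile
  SELECT p.profile,
         p.resource_name,
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM   pw p
  LEFT JOIN pw d ON d.profile = 'DEFAULT'
                AND d.resource_name = p.resource_name
),
assigned AS (
  -- how many users each profile governs; an unassigned profile is noise,
  -- a weak profile with many users is the finding
  SELECT profile, COUNT(*) AS user_count
  FROM   dba_users
  GROUP  BY profile
)
SELECT SYS_CONTEXT('USERENV', 'DB_UNIQUE_NAME') AS db_name,
       r.profile,
       NVL(a.user_count, 0)                                                         AS assigned_users,
       MAX(CASE WHEN r.resource_name = 'FAILED_LOGIN_ATTEMPTS'    THEN r.effective_limit END) AS failed_login_attempts,
       MAX(CASE WHEN r.resource_name = 'PASSWORD_LOCK_TIME'       THEN r.effective_limit END) AS password_lock_time,
       MAX(CASE WHEN r.resource_name = 'PASSWORD_LIFE_TIME'       THEN r.effective_limit END) AS password_life_time,
       MAX(CASE WHEN r.resource_name = 'PASSWORD_GRACE_TIME'      THEN r.effective_limit END) AS password_grace_time,
       MAX(CASE WHEN r.resource_name = 'PASSWORD_REUSE_TIME'      THEN r.effective_limit END) AS password_reuse_time,
       MAX(CASE WHEN r.resource_name = 'PASSWORD_REUSE_MAX'       THEN r.effective_limit END) AS password_reuse_max,
       MAX(CASE WHEN r.resource_name = 'INACTIVE_ACCOUNT_TIME'    THEN r.effective_limit END) AS inactive_account_time,
       MAX(CASE WHEN r.resource_name = 'PASSWORD_VERIFY_FUNCTION' THEN r.effective_limit END) AS password_verify_function
FROM   resolved r
LEFT JOIN assigned a ON a.profile = r.profile
GROUP  BY r.profile, a.user_count
ORDER  BY r.profile;
```

In a multitenant database run it inside each PDB and add SYS_CONTEXT('USERENV', 'CON_NAME') to the key, since profiles are per container. Sort the concatenated output by profile name and parameter, and any pair of rows that differ only in db_name is exactly the discrepancy the User Profiles view would flag.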

Terms in User Assessment

  • On demand (Refresh Now) Assessment

    You can click the Refresh Now button on any assessment to rerun it immediately against the selected target database.

  • Scheduled Assessment

    A weekly user assessment is automatically scheduled for every registered target database. You can change the schedule to a different time and/or a daily or monthly interval.

  • Latest Assessment

    The most recent assessment completed (either on demand or scheduled) for the selected target database. Each new assessment becomes the latest assessment.

  • Saved Assessment

    A copy of the latest assessment saved to a compartment of your choice. The copy is listed in the history.

  • Assessment History

    The archive of all saved assessments of a target database.

  • Baseline

    An assessment that you can designate as the standard for a target database. When an assessment runs, in addition to finding potential risks the job tells you whether or not there is any deviation (security drift) from the findings in the baseline. There is a Set as Baseline option in each assessment.

User Assessment Workflow

This is an end-to-end walkthrough of User Assessment functionality for new users, not a fixed procedure.

When you register a target database in Oracle Data Safe, a user assessment is run on the database automatically. So the first time you check the User Assessment page after registration, assessment data is already there. By default, this data is refreshed on a weekly schedule, at the same time of week at which the registration completed. This workflow explains how to view that data.

  1. Check that the target databases you want to assess are registered and that you have assigned the necessary permissions in IAM.
  2. In Security Center, click User Assessment. On the User Assessment dashboard, check the charts and the Risk Summary and Target Summary to evaluate the overall security posture of your databases. Set the scope of data you want to see. The scope can encompass the databases in the root compartment alone or the root and everything under it. It can also be limited to any selected compartment, with or without its child compartments. From there, you can drill down for more data.
  3. There are several drill down paths you can follow:
    • Click the Risk Summary tab and then click through the Potential Risk links. For example, you can click on Critical and see another set of charts, which summarize the critical roles held among users in the database, date of last password changes, and last login times among users at the Critical potential risk level. On the same page you can review the Critical Potential Risk Details table which provides more information about each user account at the critical level.
    • Also from the User Assessment page, you can click the Target Summary tab to get a different perspective on the potential risk findings. This tab shows you the target databases in the selected scope, the number of users per database at each potential risk level, the number of critical roles held within each database, and other factors. The table also shows whether you have compared the latest assessment to the baseline assessment and whether there has been any deviation (security drift) from the baseline. You can click View Report for any target database to view its latest user assessment.
  4. Run or schedule user assessments.
    • Use the Refresh Now button to immediately run a user assessment. The assessment is added to the Assessment History. Refresh Now also refreshes the latest assessment.
    • Modify the schedule for the weekly User Assessment job. The job updates the latest report view and also saves a copy to the history. If needed, you can also specify that the reports be saved under a different name or to a different compartment. This option is helpful if you want to share reports with users from other lines of business.
  5. Compare user assessments to determine if there is any security drift.
    • You can set the latest assessment or a saved assessment as the baseline.
    • When you compare assessments, User Assessment generates a comparison report.
  6. Adjust the schedules of your user assessments to suit the needs of your organization.
  7. Change the names of your user assessments to names that are meaningful to you. The default names that Oracle Data Safe assigns follow this pattern: UA_<unique number>. It's helpful to choose your own names. You may want to retain the UA_ prefix because it distinguishes user assessments from security assessments (SA_).
  8. Create PDF or XLS versions of your user assessment reports as needed and then download them.
  9. Set up event notifications. For example, you can subscribe to the UserAssessmentDriftFromBaseline event to be automatically informed if a user assessment differs from the baseline.

Prerequisites for User Assessment

User Assessment requires registered, properly provisioned target databases. Users must be granted specific permissions in IAM.

These are the prerequisites for User Assessment:

  • Register the target databases where you want to run User Assessment.

    After you register a target database, Oracle Data Safe automatically runs a user assessment for your target database and updates it according to the schedule (once per week by default).

  • For all database types supported by Oracle Data Safe except Autonomous Database, grant the ASSESSMENT role to the Oracle Data Safe service account on the target database.

    An Autonomous Database is automatically provisioned with the equivalent DS$ASSESSMENT_ROLE when it is registered as a target database.

  • Obtain either the view permission or the manage permission on the user-assessments resource in IAM (Oracle Cloud Infrastructure Identity and Access Management).
  • Obtain read permission on the data-safe-work-requests resource in IAM if you need to set baselines or compare assessments.
  • Obtain read or use permission on the data-safe-security-policy-reports resource in IAM if you need to view details about the schemas and tables that a user has access to, as well as what privileges the user was granted on these schemas and tables.

As an alternative to selectively granting permissions, you can grant permissions on data-safe-assessment-family in the relevant compartments, which includes permissions on all of the resources above as well as security-assessments. See data-safe-assessment-family Resource in the Administering Oracle Data Safe guide for more information.

See Also:

The Administering Oracle Data Safe guide provides sections to help with establishing the prerequisites.

Recommended Before You Start

Oracle recommends you try the Get Started with Oracle Data Safe Fundamentals workshop in LiveLabs before you use User Assessment.

The Get Started with Oracle Data Safe Fundamentals workshop includes hands-on training for User Assessment. Whether or not you've taken the workshop before, you'll find that the lab for User Assessment provides an up-front familiarity with this feature that makes it easier for you to put it to work in your organization. Consider going through the workshop to learn about User Assessment before you proceed.