9 Managing Entitlements

Learn about managing entitlements.

9.1 Managing and Viewing Entitlement Data

Oracle Audit Vault and Database Firewall provides default entitlement reports and allows you to retrieve entitlement data from Oracle Database targets.

In addition, you can create snapshots of entitlement data at specific points in time, and group them under labels that you specify, in order to compare them in the reports.

You can filter a report to show the data from an earlier snapshot or label, or you can compare the entitlement data from two snapshots or two labels. For example, you can find how user privileges have been modified between two snapshots or labels.

Note:

For Oracle Database 12c targets, if you are not using multitenant container databases (CDBs), then entitlement data appears as for earlier versions of Oracle Database. If you are using CDBs, each pluggable database (PDB) or CDB is configured as a separate target in the Audit Vault Server, and entitlement data appears accordingly in snapshots and reports.

The general steps for managing and viewing entitlement data are:

  1. Retrieve the entitlement data from the target to create a snapshot of the data at that point in time.

  2. Optionally, create labels to organize the snapshots into meaningful groups, and assign the labels to snapshots.

  3. View entitlement reports, using snapshots and labels to filter and compare data.

9.2 Working With Entitlement Snapshots and Labels

Learn about working with entitlement snapshots and labels.

9.2.1 About Entitlement Snapshots and Labels

An entitlement snapshot captures the state of user entitlement information at a specific point in time.

When you retrieve entitlement data from an Oracle Database target, a snapshot of that data is created, and added to the list in the User Entitlement Snapshots page in the Targets tab.

The snapshot contains metadata about the users and roles in that Oracle Database: system and other SQL privileges, object privileges, role privileges, and user profiles. You can view and manage snapshots only for targets to which you have access.

Each snapshot is unique to a target. The name of a snapshot is the time stamp assigned to it when the entitlement data was retrieved, for example, 9/22/2012 07:56:17 AM. If you retrieve entitlement data for all of your targets at that time, then each target has its own 9/22/2012 07:56:17 AM snapshot.

Labels allow you to organize snapshots into meaningful categories so that you can view and compare groups of snapshots together. For example, suppose the targets payroll, sales, and hr each have a 9/22/2012 07:56:17 AM snapshot. You can create a label and then assign these three snapshots to that label. This enables you to compare the entitlement data at that time from the three targets, together in the same report.

Note:

All user entitlement snapshots will be purged after 18 months from the time of data retrieval.

9.2.2 Creating, Modifying, or Deleting Labels for Entitlement Snapshots

An auditor can create, modify, or delete labels for entitlement snapshots.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Targets tab.
  3. Click the User Entitlement Snapshots sub tab in the left navigation menu.
  4. Click the Labels button in the top right corner of the main page.
  5. The Labels dialog is displayed. In this dialog:
    • To create a label, click Create, enter a name and an optional description, and then click Save.

    • To delete a label, select the label, and then click Delete.

    • To edit the name or description of a label, click the name of the label, make your changes, and then click Save.

9.2.3 Assigning Labels to Entitlement Snapshots

Before you can assign labels to snapshots, you must first retrieve entitlement data from an Oracle Database target. Each retrieval creates a new snapshot.

  1. Log in to the Audit Vault Server console as an auditor.

  2. Click the Targets tab.

  3. Click the User Entitlement Snapshots sub tab in the left navigation menu.

  4. A list of snapshots of user entitlement data appears along with the timestamp for when the data was collected and the label assigned to the snapshot.

  5. To assign a label to snapshots:

    1. Select the check box for each snapshot (listed under its target) that you want to label, and then click Assign Label.

    2. Select a Label from the list.

    3. Optionally, enter a description.

    4. Click Save.

  6. To delete a snapshot, select the snapshot, and then click Delete.

9.3 Generating Entitlement Reports

Learn about entitlement reports.

9.3.1 About Viewing Entitlement Reports with Snapshots and Labels

You can use snapshots and labels to filter and compare entitlement data in reports.

After snapshots have been created, and you have optionally created and assigned labels to them, you are ready to check the entitlement reports.

The type of entitlement report determines whether you can view its entitlement data by snapshot or by label. Reports that show data by target (for example, User Accounts by Target) let you view and compare snapshots for a specific target. The other entitlement reports (such as User Accounts) let you view and compare entitlement data by label across all the targets.

9.3.2 Viewing Entitlement Reports by Snapshot or Label

An auditor can check entitlement reports for an individual snapshot or label.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Reports tab.

    The Activity Reports sub tab in the left navigation menu is selected by default.

  3. Scroll down in the main page and expand Entitlement Reports.
  4. Click a specific entitlement report.
  5. In this page you can do the following:
    • If you want the report to be sorted by target, then select a target in the Target Name field.

    • From the Snapshot field, select the snapshot or label.

  6. Click Go.

    The entitlement report data appears. The generated report contains a column, either Snapshot or Label, indicating which snapshot or label was used for the report. From here, you can expand the Snapshot or Label column to filter its contents.

  7. Optionally, you can save the report.

9.3.3 Comparing Entitlement Data Using Snapshots or Labels

An auditor can compare the entitlement data for two snapshots or labels.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Reports tab.

    The Activity Reports sub tab in the left navigation menu is selected by default.

  3. Scroll down in the main page and expand Entitlement Reports.
  4. Click a specific entitlement report.
  5. In the report, do the following:
    • If you want the report to be sorted by target, then select a target in the Target Name field.

    • From the Snapshot field, select the snapshot or label.

    • Click the compare check box.

    • Select another snapshot or label from the second drop-down list for comparison.

  6. Click Go.

The entitlement report data appears, with Changes appended to the report name. The Change column shows how each row has changed between the two snapshots or labels. From here, you can filter the data to show only MODIFIED, NEW, DELETED, or UNCHANGED rows.
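The following is an added example, not Oracle AVDF code, that models what sections 9.2.1 and 9.3.3 describe: per-target snapshots grouped under labels, and the Change classification (NEW, DELETED, MODIFIED, UNCHANGED) produced when two snapshots or labels are compared. The row fields, sample targets, users and grants are all constructed for illustration; the row identity key (target, user, privilege) is an assumption about how rows are matched across snapshots.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SysPrivRow:
    """One row of a System Privileges snapshot (fields mirror the report columns)."""
    target: str
    user: str
    privilege: str
    access: str        # "DIRECT" or the name of the role that grants the privilege
    admin_option: bool

def row_key(row):
    # Assumed identity of a grant across snapshots; the other fields may be MODIFIED.
    return (row.target, row.user, row.privilege)

def compare(older, newer):
    """Classify each grant as NEW, DELETED, MODIFIED or UNCHANGED (the Change column)."""
    old = {row_key(r): r for r in older}
    new = {row_key(r): r for r in newer}
    result = {}
    for key in old.keys() | new.keys():
        if key not in old:
            result[key] = "NEW"
        elif key not in new:
            result[key] = "DELETED"
        elif old[key] != new[key]:      # same grant, but access or ADMIN option changed
            result[key] = "MODIFIED"
        else:
            result[key] = "UNCHANGED"
    return result

def rows_for_label(snapshots, labels, label):
    """Union of every per-target snapshot assigned `label` (a by-label report across targets)."""
    return [r for sid, rows in snapshots.items() if labels.get(sid) == label for r in rows]

# Constructed sample data: two targets, each with a snapshot at two retrieval times.
SNAPSHOTS = {
    ("payroll", "9/22/2012 07:56:17 AM"): [
        SysPrivRow("payroll", "APP_ADMIN", "CREATE SESSION", "DIRECT", False),
        SysPrivRow("payroll", "APP_ADMIN", "SELECT ANY TABLE", "DIRECT", False),
    ],
    ("payroll", "12/01/2012 08:00:00 AM"): [
        SysPrivRow("payroll", "APP_ADMIN", "CREATE SESSION", "DIRECT", False),
        SysPrivRow("payroll", "APP_ADMIN", "SELECT ANY TABLE", "DIRECT", True),  # now WITH ADMIN
        SysPrivRow("payroll", "REPORT_USR", "CREATE SESSION", "REPORT_ROLE", False),
    ],
    ("hr", "9/22/2012 07:56:17 AM"): [SysPrivRow("hr", "HR_BATCH", "CREATE TABLE", "DIRECT", False)],
    ("hr", "12/01/2012 08:00:00 AM"): [],   # the HR_BATCH grant was revoked
}
# Labels group the same-day snapshots of all targets, as in the 9.2.1 example.
LABELS = {sid: ("Q3 baseline" if sid[1].startswith("9/") else "Q4 review") for sid in SNAPSHOTS}

def changes_between_labels(old_label, new_label):
    return compare(rows_for_label(SNAPSHOTS, LABELS, old_label),
                   rows_for_label(SNAPSHOTS, LABELS, new_label))
```

Filtering the returned dictionary by value reproduces the MODIFIED/NEW/DELETED/UNCHANGED filter of the Changes report; the MODIFIED row here is the one that gained the ADMIN option, which is the kind of privilege escalation the comparison is meant to surface.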

9.4 Entitlement Report Descriptions

Learn about entitlement reports.

9.4.1 About the Entitlement Reports

An entitlement report describes the types of access that users have to an Oracle Database target.

It provides information about the user, role, profile, and privileges used in the target.

For example, the entitlement reports capture information such as access privileges to key data or privileges assigned to a particular user. These reports are useful for tracking unnecessary access to data, finding duplicate privileges, and simplifying privilege grants.

After you generate a default entitlement report, you can view a snapshot of the metadata that describes user, role, profile, and privilege information. This enables you to perform tasks such as comparing different snapshot labels to find how the entitlement information has changed over time.

9.4.2 Role Privileges

The Role Privileges report shows information about application roles and privileges.

Use this report to track the names of application roles and their privileges. If a role is a secure application role, the report's columns indicate this.

9.4.3 Object Privileges

The Object Privileges report shows object privileges and their grants to users.

Use this report to track the following information about object privileges: the target in which the object was created, the users granted the object privilege, the schema owner, the object name (tables, packages, procedures, functions, sequences, and other objects), the column name (for column-level privileges), the privilege (an object or system privilege, such as SELECT), the type of access to the object (direct access or, if through a role, the role name), whether the object privilege can be granted further, and who the grantor was.

Columns Related to Oracle Database 12c

You can select these additional columns relating to Oracle 12c targets:

  • Hierarchy: Whether the privilege was granted with the hierarchy option

  • Type: Object type (table, view, sequence, and so on)

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

9.4.4 Privileged Users

The Privileged Users report shows information about privileged users.

Use this report to track the following information about privileged users: the target in which the privileged user account was created, the user name, the privileges granted to the user, the type of access (direct access or, if through a role, the role name), and whether the privileged user was granted the ADMIN option.

For Oracle Database versions prior to 12c, privileged users are identified by these roles:

  • DBA

  • SYSDBA

  • SYSOPER

For Oracle Database version 12c, the roles listed above identify privileged users, in addition to the following roles:

  • SYSASM

  • SYSBACKUP

  • SYSDG

  • SYSKM

Columns Related to Oracle Database 12c

You can select these additional columns relating to Oracle 12c targets:

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

9.4.5 System Privileges

The System Privileges report shows system privileges and their grants to users.

Use this report to track the following information about system privileges: the target in which the system privilege was created, the user granted the system privilege, the privilege name, the type of access (direct access or, if through a role, the role name), and whether it was granted with the ADMIN option.

Columns Related to Oracle Database 12c

You can select these additional columns relating to Oracle 12c targets:

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

9.4.6 User Accounts Reports

The User Accounts report shows a summary of user accounts.

Use this report to track the following information about user accounts: the target in which the user account was created, the user account name, the account status (LOCKED or UNLOCKED), the password expiration date, the initial lock state (the date the account will be locked), the default tablespace, the temporary tablespace, the initial resource consumer group, when the user account was created, the associated profile, and the external name (the Oracle Enterprise User DN, if one is used).

Columns Related to Oracle Database 12c

You can select these additional columns relating to Oracle Database 12c targets:

  • Edition Enabled: Whether editions are enabled for this user

  • Authentication Type: Authentication mechanism for this user

  • Proxy Only Connect: Whether this user can connect only through a proxy

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Last Login: Last login timestamp for this user

  • Oracle Maintained: Whether the user was created, and is maintained, by Oracle Database-supplied scripts. A Y value means this user must not be changed in any way except by running an Oracle Database-supplied script.

  • Container: Container name. This is null if the database is not a PDB or CDB.

9.4.7 User Privileges

The User Privileges report shows a summary of user privileges.

Use this report to track the following information about user privileges: the target in which the privilege was created, the user name, the privilege, the schema owner, the table name, the column name, the type of access (direct access or, if through a role, the role name), whether the user privilege was created with the ADMIN option, whether the user can grant the privilege to other users, and who granted the privilege.

Columns Related to Oracle Database 12c

You can select these additional columns relating to Oracle 12c targets:

  • Hierarchy: Whether the privilege was granted with the hierarchy option

  • Type: Object type (table, view, sequence, and so on)

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.

9.4.8 User Profiles

The User Profiles report shows a summary of user profiles.

Use this report to track the following information about user profiles: the target in which the user profile was created, the profile name, the resource name, the resource type (KERNEL, PASSWORD, or INVALID), and the profile limit.

Columns Related to Oracle Database 12c

You can select these additional columns relating to Oracle 12c targets:

  • Common: Whether this user is common to the PDB and CDB. Y indicates a common user, N indicates the user is local to the PDB, and null indicates the database is neither a PDB nor a CDB.

  • Container: Container name. This is null if the database is not a PDB or CDB.