5 Performing Privilege Analysis to Identify Privilege Use
Privilege analysis dynamically analyzes the privileges and roles that users use and do not use.
- What Is Privilege Analysis?
  Privilege analysis increases the security of your applications and database operations by helping you to implement least privilege best practices for database roles and privileges.
- Creating and Managing Privilege Analysis Policies
  You can create and manage privilege analysis policies by using tools such as SQL*Plus, SQLcl, SQL Developer, or Enterprise Manager Cloud Control.
- Creating Roles and Managing Privileges Using Cloud Control
  You can create new roles using privileges found in a privilege analysis report and then grant this role to users.
- Tutorial: Using Capture Runs to Analyze ANY Privilege Use
  This tutorial demonstrates how to create capture runs to analyze the use of the READ ANY TABLE system privilege.
- Tutorial: Analyzing Privilege Use by a User Who Has the DBA Role
  This tutorial demonstrates how to analyze the privilege use of a user who has the DBA role and performs database tuning operations.
- Privilege Analysis Policy and Report Data Dictionary Views
  Oracle Database provides data dictionary views that show information about analyzed privileges.
5.1 What Is Privilege Analysis?
Privilege analysis increases the security of your applications and database operations by helping you to implement least privilege best practices for database roles and privileges.
- About Privilege Analysis
  Running inside the Oracle Database kernel, privilege analysis helps reduce the attack surface of user, tooling, and application accounts by identifying used and unused privileges to implement the least-privilege model.
- Benefits and Use Cases of Privilege Analysis
  Analyzing privilege use is beneficial in finding unnecessarily granted privileges and implementing least privilege best practices.
- Who Can Perform Privilege Analysis?
  To use privilege analysis, you must be granted the CAPTURE_ADMIN role.
- Types of Privilege Analysis
  You can create different types of privilege analysis policies to achieve specific goals.
- How Does a Multitenant Environment Affect Privilege Analysis?
  You can create and use privilege analysis policies in a multitenant environment.
- How Privilege Analysis Works with Pre-Compiled Database Objects
  Privilege analysis can be used to capture the privileges that have been exercised on pre-compiled database objects.
5.1.1 About Privilege Analysis
Running inside the Oracle Database kernel, privilege analysis helps reduce the attack surface of user, tooling, and application accounts by identifying used and unused privileges to implement the least-privilege model.
Privilege analysis dynamically captures privileges used by database users and applications during a specified window of time.
The use of privilege analysis can help to quickly and efficiently enforce least privilege guidelines. In the least-privilege model, users are only given the privileges and access they need to do their jobs. Frequently, even though users perform different tasks, users are all granted the same set of powerful privileges. Without privilege analysis, figuring out the privileges that each user must have can be hard work and in many cases, users could end up with some common set of privileges even though they have different tasks. Even in organizations that manage privileges, users tend to accumulate privileges over time and rarely lose any privileges. Separation of duty breaks a single process into separate tasks for different users. Least privileges enforces the separation so users can only do their required tasks. The enforcement of separation of duty is beneficial for internal control, but it also reduces the risk from malicious users who steal privileged credentials.
Privilege analysis captures privileges used by database users and applications at runtime and writes its findings to data dictionary views that you can query. If your applications include definer’s rights and invoker’s rights procedures, then privilege analysis captures the privileges that are required to compile a procedure and execute it, even if the procedure was compiled before the privilege capture was created and enabled. Instead of revoking a privilege from the user, you can audit the user's use of the privilege and use an application such as Oracle Audit Vault and Database Firewall to send an alert to the appropriate administrator.
5.1.2 Benefits and Use Cases of Privilege Analysis
Analyzing privilege use is beneficial in finding unnecessarily granted privileges and implementing least privilege best practices.
- Least Privileges Best Practice
  The privileges of the account that accesses a database should be limited to the privileges that are strictly required by the application or the user.
- Development of Secure Applications
  During the application development phase, some administrators may grant many powerful system privileges and roles, and the SYSDBA administrative privilege, to application developers.
5.1.2.1 Least Privileges Best Practice
The privileges of the account that accesses a database should be limited to the privileges that are strictly required by the application or the user.
But when an application is developed, especially by a third party, more privileges than necessary may be granted to the application connection pool accounts for convenience. In addition, some developers grant system and application object privileges to the PUBLIC role.
For example, to select from application data and run application procedures, the system privileges SELECT ANY TABLE and EXECUTE ANY PROCEDURE are granted to an application account appsys. The account appsys now can access non-application data even if he or she does not intend to. In this situation, you can analyze the privilege usage by user appsys, and then based on the results, revoke and grant privileges as necessary.
Application accounts also frequently have additional privileges needed to install and maintain the application on the database. These are only needed during application maintenance periods, yet they are available all the time. A better process would be to add the privileges needed for application maintenance into a separate role and grant that to the application only during maintenance periods.
5.1.2.2 Development of Secure Applications
During the application development phase, some administrators may grant many powerful system privileges and roles, and the SYSDBA administrative privilege, to application developers.
The administrators may do this because at that stage they may not know what privileges the application developer needs, or they are not concerned with privileges and roles during development.
Once the application is developed and working, the privileges that the application developer needs — and does not need — become more apparent. Capturing privilege analysis while the application is run through a full regression test can capture most, if not all the privileges needed by the application for runtime use. Capturing privilege analysis when testing a maintenance update can provide the privileges needed during an update of the production system. At that time, the security administrator can begin to revoke unnecessary privileges. However, the application developer may resist this idea on the basis that the application is currently working without problems. The administrator can use privilege analysis to examine each privilege that the application uses, to ensure that when he or she does revoke any privileges, the application will continue to work.
For example, app_owner is an application database user through whom the application connects to a database. User app_owner must query tables in the OE, SH, and PM schemas. Instead of granting the SELECT object privilege on each of the tables in these schemas, a security administrator grants the SELECT ANY TABLE privilege to app_owner. After a while, a new schema, HR, is created and sensitive data are inserted into the HR.EMPLOYEES table. Because user app_owner has the SELECT ANY TABLE privilege, he can query this table to access its sensitive data, which is a security issue. Instead of granting system privileges (particularly the ANY privileges), it is far better to grant object privileges for specific tables.
5.1.3 Who Can Perform Privilege Analysis?
To use privilege analysis, you must be granted the CAPTURE_ADMIN role.
You use the DBMS_PRIVILEGE_CAPTURE PL/SQL package to manage privilege capture. You use the data dictionary views provided by privilege analysis to analyze your privilege use.
5.1.4 Types of Privilege Analysis
You can create different types of privilege analysis policies to achieve specific goals.
- Context-based privilege use capture. You must specify a Boolean expression only with the SYS_CONTEXT function. The used privileges will be captured if the condition evaluates to TRUE. This method can be used to capture privileges and roles used by a database user by specifying the user in SYS_CONTEXT.
- Role-based privilege use capture. You must provide a list of roles. If the roles in the list are enabled in the database session, then the used privileges for the session will be captured. You can capture privilege use for the following types of roles: Oracle default roles, user-created roles, Code Based Access Control (CBAC) roles, and secure application roles.
- Role- and context-based privilege use capture. You must provide both a list of roles that are enabled and a SYS_CONTEXT Boolean expression for the condition. When any of these roles is enabled in a session and the given context condition is satisfied, then privilege analysis starts capturing the privilege use.
- Database-wide privilege capture. If you do not specify any type in your privilege analysis policy, then the used privileges in the database will be captured, except those for the user SYS. (This is also referred to as unconditional analysis, because it is turned on without any conditions.)
Note the following restrictions:
- You can enable only one privilege analysis policy at a time. The only exception is that you can enable a database-wide privilege analysis policy at the same time as a non-database-wide privilege analysis policy, such as a role or context attribute-driven analysis policy.
- You cannot analyze the privileges of the SYS user.
- Privilege analysis shows the grant paths to the privilege but it does not suggest which grant path to keep.
- If the role, user, or object has been dropped, then the values that reflect the privilege captures for these in the privilege analysis data dictionary views are dropped as well.
5.1.5 How Does a Multitenant Environment Affect Privilege Analysis?
You can create and use privilege analysis policies in a multitenant environment.
If you are using a multitenant environment, then you can create privilege analysis policies in either the CDB root or in individual PDBs. The privilege analysis policy applies only to the container in which it is created, either to the privileges used within the CDB root or the application root, or to the privileges used within a PDB. It cannot be applied globally throughout the multitenant environment. You can grant the CAPTURE_ADMIN role locally to a local user or a common user. You can grant the CAPTURE_ADMIN role commonly to common users.
5.1.6 How Privilege Analysis Works with Pre-Compiled Database Objects
Privilege analysis can be used to capture the privileges that have been exercised on pre-compiled database objects.
Examples of these objects are PL/SQL packages, procedures, functions, views, triggers, and Java classes and data.
Because these privileges may not be exercised during run time when a stored procedure is called, these privileges are collected when you generate the results for any database-wide capture, along with run-time captured privileges. A privilege is treated as an unused privilege when it is not used in either pre-compiled database objects or run-time capture, and it is saved under the run-time capture name. If a privilege is used for pre-compiled database objects, then it is saved under the capture name ORA$DEPENDENCY. If a privilege is captured during run time, then it is saved under the run-time capture name. If you want to know what the used privileges are for both pre-compiled database objects and run-time usage, then you must query both the ORA$DEPENDENCY and run-time captures. For unused privileges, you only need to query with the run-time capture name.
To find a full list of the pre-compiled objects on which privilege analysis can be used, query the TYPE column of the ALL_DEPENDENCIES data dictionary view.
5.2 Creating and Managing Privilege Analysis Policies
You can create and manage privilege analysis policies by using tools such as SQL*Plus, SQLcl, SQL Developer, or Enterprise Manager Cloud Control.
- About Creating and Managing Privilege Analysis Policies
  You can use the DBMS_PRIVILEGE_CAPTURE PL/SQL package or Oracle Enterprise Manager Cloud Control to analyze privileges.
- General Steps for Managing Privilege Analysis
  You must follow a general set of steps to analyze privileges.
- Creating a Privilege Analysis Policy
  You can use the DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure to create a privilege analysis policy.
- Examples of Creating Privilege Analysis Policies
  You can create a variety of privilege analysis policies.
- Enabling a Privilege Analysis Policy
  After you create a privilege analysis policy, you must enable it to capture privilege use.
- Disabling a Privilege Analysis Policy
  You must disable the privilege analysis policy before you can generate a privilege analysis report.
- Generating a Privilege Analysis Report
  You can generate a privilege analysis policy report using either Enterprise Manager Cloud Control or from SQL*Plus, using the DBMS_PRIVILEGE_CAPTURE PL/SQL package.
- Dropping a Privilege Analysis Policy
  Before you can drop a privilege analysis policy, you must first disable it.
5.2.1 About Creating and Managing Privilege Analysis Policies
You can use the DBMS_PRIVILEGE_CAPTURE PL/SQL package or Oracle Enterprise Manager Cloud Control to analyze privileges.
Before you can do so, you must be granted the CAPTURE_ADMIN role. The DBMS_PRIVILEGE_CAPTURE package enables you to create, enable, disable, and drop privilege analysis policies. It also generates reports that show the privilege usage, which you can view in DBA_* views.
5.2.2 General Steps for Managing Privilege Analysis
You must follow a general set of steps to analyze privileges.
5.2.3 Creating a Privilege Analysis Policy
You can use the DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure to create a privilege analysis policy.
After you create the privilege analysis policy, you can find it listed in the DBA_PRIV_CAPTURES data dictionary view. When a policy is created, it resides in the Oracle data dictionary and the SYS schema. However, both SYS and the user who created the policy can drop it. After you create the policy, you must manually enable it so that it can begin to analyze privilege use.
- Log in to the database instance as a user who has the CAPTURE_ADMIN role.
- Use the following syntax for the DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure:
    DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
      name         VARCHAR2,
      description  VARCHAR2 DEFAULT NULL,
      type         NUMBER DEFAULT DBMS_PRIVILEGE_CAPTURE.G_DATABASE,
      roles        ROLE_NAME_LIST DEFAULT ROLE_NAME_LIST(),
      condition    VARCHAR2 DEFAULT NULL);
  In this specification:
  - name: Specifies the name of the privilege analysis policy to be created. Ensure that this name is unique and no more than 128 characters. You can include spaces in the name, but you must enclose the name in single quotation marks whenever you refer to it. To find the names of existing policies, query the NAME column of the DBA_PRIV_CAPTURES view.
  - description: Describes the purpose of the privilege analysis policy, up to 1024 characters in mixed-case letters. Optional.
  - type: Specifies the type of capture condition. If you omit the type parameter, then the default is DBMS_PRIVILEGE_CAPTURE.G_DATABASE. Optional.
    Enter one of the following types:
    - DBMS_PRIVILEGE_CAPTURE.G_DATABASE: Captures all privileges used in the entire database, except privileges from user SYS.
    - DBMS_PRIVILEGE_CAPTURE.G_ROLE: Captures privileges for the sessions that have the roles enabled. If you enter DBMS_PRIVILEGE_CAPTURE.G_ROLE for the type parameter, then you must also specify the roles parameter. For multiple roles, separate each role name with a comma.
    - DBMS_PRIVILEGE_CAPTURE.G_CONTEXT: Captures privileges for the sessions that have the condition specified by the condition parameter evaluating to TRUE. If you enter DBMS_PRIVILEGE_CAPTURE.G_CONTEXT for the type parameter, then you must also specify the condition parameter.
    - DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT: Captures privileges for the sessions that have the role enabled and the context condition evaluating to TRUE. If you enter DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT for the type parameter, then you must also specify both the roles and condition parameters.
  - roles: Specifies the roles whose used privileges will be analyzed. That is, if a privilege from one of the given roles is used, then the privilege will be analyzed. You must specify this argument if you specify DBMS_PRIVILEGE_CAPTURE.G_ROLE or DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT for the type argument. Each role you enter must exist in the database. (You can find existing roles by querying the DBA_ROLES data dictionary view.) For multiple roles, use varray type role_name_list to enter the role names. You can specify up to 10 roles.
    For example, to specify two roles:
      roles => role_name_list('role1', 'role2'),
  - condition: Specifies a Boolean expression up to 4000 characters. You must specify this argument if you specify DBMS_PRIVILEGE_CAPTURE.G_CONTEXT or DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT for the type argument. Only SYS_CONTEXT expressions with relational operators (==, >, >=, <, <=, <>, BETWEEN, and IN) are permitted in this Boolean expression.
    The condition expression syntax is as follows:
      predicate::= SYS_CONTEXT(namespace, attribute) relop constant_value |
                   SYS_CONTEXT(namespace, attribute) BETWEEN constant_value AND constant_value |
                   SYS_CONTEXT(namespace, attribute) IN {constant_value (,constant_value)* }
      relop::= = | < | <= | > | >= | <>
      context_expression::= predicate |
                            (context_expression) AND (context_expression) |
                            (context_expression) OR (context_expression )
    For example, to use a condition to specify the IP address 192.0.2.1:
      condition => 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'')=''192.0.2.1''';
After you create the privilege analysis policy, you must enable the policy to begin capturing privilege and role use.
* You can add as many constant values as you need (for example, IN {constant_value1}, or IN {constant_value1, constant_value2, constant_value3}).
5.2.4 Examples of Creating Privilege Analysis Policies
You can create a variety of privilege analysis policies.
- Example: Privilege Analysis of Database-Wide Privileges
  The DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure can be used to analyze database-wide privileges.
- Example: Privilege Analysis of Privilege Usage of Two Roles
  The DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure can be used to analyze the privilege usage of multiple roles.
- Example: Privilege Analysis of Privileges During SQL*Plus Use
  The DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure can be used to capture privileges for analysis.
- Example: Privilege Analysis of PSMITH Privileges During SQL*Plus Access
  The DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure can be used to analyze user access when the user is running SQL*Plus.
5.2.4.1 Example: Privilege Analysis of Database-Wide Privileges
The DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure can be used to analyze database-wide privileges.
Example 5-1 shows how to use the DBMS_PRIVILEGE_CAPTURE package to create a privilege analysis policy to record all privilege use in the database.
Example 5-1 Privilege Analysis of Database-Wide Privileges
    BEGIN
      DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
        name         => 'db_wide_capture_pol',
        description  => 'Captures database-wide privileges',
        type         => DBMS_PRIVILEGE_CAPTURE.G_DATABASE);
    END;
    /
5.2.4.2 Example: Privilege Analysis of Privilege Usage of Two Roles
The DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure can be used to analyze the privilege usage of multiple roles.
Example 5-2 shows how to analyze the privilege usage of two roles.
Example 5-2 Privilege Analysis of Privilege Usage of Two Roles
    BEGIN
      DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
        name         => 'dba_roles_capture_pol',
        description  => 'Captures DBA and LBAC_DBA role use',
        type         => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
        roles        => role_name_list('dba', 'lbac_dba'));
    END;
    /
5.2.4.3 Example: Privilege Analysis of Privileges During SQL*Plus Use
The DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure can be used to capture privileges for analysis.
Example 5-3 shows how to analyze privileges used to run SQL*Plus.
Example 5-3 Privilege Analysis of Privileges During SQL*Plus Use
    BEGIN
      DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
        name         => 'sqlplus_capture_pol',
        description  => 'Captures privilege use during SQL*Plus use',
        type         => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
        condition    => 'SYS_CONTEXT(''USERENV'', ''MODULE'')=''sqlplus''');
    END;
    /
5.2.4.4 Example: Privilege Analysis of PSMITH Privileges During SQL*Plus Access
The DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure can be used to analyze user access when the user is running SQL*Plus.
Example 5-4 shows how to analyze the privileges used by session user PSMITH when running SQL*Plus.
Example 5-4 Privilege Analysis of PSMITH Privileges During SQL*Plus Access
    BEGIN
      DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
        name         => 'psmith_sqlplus_analysis_pol',
        description  => 'Analyzes PSMITH role priv use for SQL*Plus module',
        type         => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
        condition    => 'SYS_CONTEXT(''USERENV'', ''MODULE'')=''sqlplus'' AND SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''PSMITH''');
    END;
    /
5.2.5 Enabling a Privilege Analysis Policy
After you create a privilege analysis policy, you must enable it to capture privilege use.
The DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE procedure enables a privilege analysis policy and creates a capture run name for it. The run name defines the period of time that the capture took place.
5.2.6 Disabling a Privilege Analysis Policy
You must disable the privilege analysis policy before you can generate a privilege analysis report.
Use the DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE procedure to disable a privilege analysis policy.
5.2.7 Generating a Privilege Analysis Report
You can generate a privilege analysis policy report using either Enterprise Manager Cloud Control or from SQL*Plus, using the DBMS_PRIVILEGE_CAPTURE PL/SQL package.
- About Generating a Privilege Analysis Report
  After the privilege analysis policy has been disabled, you can generate a report based on the capture run that you created for the privilege analysis policy.
- General Process for Managing Multiple Named Capture Runs
  When you enable a privilege analysis policy, you can create a named capture run for the policy’s findings.
- Generating a Privilege Analysis Report Using DBMS_PRIVILEGE_CAPTURE
  The DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT procedure generates a report showing the results of a privilege capture.
- Generating a Privilege Analysis Report Using Cloud Control
  You can generate a privilege analysis report using Cloud Control.
- Accessing Privilege Analysis Reports Using Cloud Control
  A privilege analysis report provides information about both used and unused privileges.
5.2.7.1 About Generating a Privilege Analysis Report
After the privilege analysis policy has been disabled, you can generate a report based on the capture run that you created for the privilege analysis policy.
To view the report results in SQL*Plus, query the privilege analysis-specific data dictionary views. In Enterprise Manager Cloud Control, you can view the reports from the Privilege Analysis page Actions menu. If a privilege is used during the privilege analysis process and then revoked before you generate the report, then the privilege is still reported as a used privilege, but without the privilege grant path.
5.2.7.2 General Process for Managing Multiple Named Capture Runs
When you enable a privilege analysis policy, you can create a named capture run for the policy’s findings.
The capture run defines a period of time from when the capture is enabled (begun) to when it is disabled (stopped). This way, you can create multiple runs and then compare them when you generate the privilege capture results.
The general process for managing multiple named capture runs is as follows:
- Create the policy.
- Enable the policy for the first run.
- After a period of time to collect user behavior data, disable this policy and its run.
- Generate the results and then query the privilege analysis data dictionary views for information about this capture run.
  If you omit the run_name parameter from the DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT procedure, then this procedure looks at all records as a whole and then analyzes them.
- Re-enable the policy for the second run. You cannot create a new capture run if the policy has not been disabled first.
- After you have collected the user data, disable the policy and the second run.
- Generate the results.
- Query the privilege analysis data dictionary views. The results from both capture runs are available in the views. If you only want to show the results of one of the capture runs, then you can regenerate the results and requery the privilege analysis views. You can also filter the results on the run name.
Once enabled, the privilege analysis policy will begin to record the privilege usage when the condition is satisfied. At any given time, only one privilege analysis policy in the database can be enabled. The only exception is that a privilege analysis policy of type DBMS_PRIVILEGE_CAPTURE.G_DATABASE can be enabled at the same time as a privilege analysis policy of a different type.
When you drop a privilege analysis policy, its associated capture runs are dropped as well and are not reflected in the privilege analysis data dictionary views.
Restarting a database does not change the status of a privilege analysis. For example, if a privilege analysis policy is enabled before a database shutdown, then the policy is still enabled after the database shutdown and restart.
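The following script is an added illustration, not part of the Oracle documentation. It walks the two-run process above for the app_owner scenario described in "Development of Secure Applications", then turns the captured SELECT ANY TABLE use into candidate object grants. It assumes a session with the CAPTURE_ADMIN role and that the DBA_USED_PRIVS and DBA_UNUSED_SYSPRIVS views are available; the policy name, run names, and workload placeholders are constructed for the example.

```sql
-- Added example: policy name and run names below are constructed, not Oracle's.
-- Uppercase names are used so that filters match regardless of how names are stored.

-- Create a context-based policy scoped to sessions of APP_OWNER.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APP_OWNER_CAPTURE_POL',
    description => 'Captures privilege use by APP_OWNER',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''APP_OWNER''');
END;
/

-- First run: enable, exercise the application, then disable and generate.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(
    name     => 'APP_OWNER_CAPTURE_POL',
    run_name => 'APP_OWNER_RUN_1');
END;
/
-- (run the regression test suite as APP_OWNER here)
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APP_OWNER_CAPTURE_POL');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(
    name     => 'APP_OWNER_CAPTURE_POL',
    run_name => 'APP_OWNER_RUN_1');
END;
/

-- Second run: the policy had to be disabled before it can be re-enabled.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(
    name     => 'APP_OWNER_CAPTURE_POL',
    run_name => 'APP_OWNER_RUN_2');
END;
/
-- (run the maintenance-update test as APP_OWNER here)
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APP_OWNER_CAPTURE_POL');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(
    name     => 'APP_OWNER_CAPTURE_POL',
    run_name => 'APP_OWNER_RUN_2');
END;
/

-- Compare the runs: which objects were reached through ANY privileges, per run.
SELECT run_name, sys_priv, object_owner, object_name
FROM   dba_used_privs
WHERE  capture  = 'APP_OWNER_CAPTURE_POL'
AND    username = 'APP_OWNER'
AND    sys_priv LIKE '%ANY%'
ORDER  BY run_name, object_owner, object_name;

-- Candidate object grants that would replace SELECT ANY TABLE.
-- Review the list before running it: it covers only what the test runs exercised.
SELECT DISTINCT
       'GRANT SELECT ON "' || object_owner || '"."' || object_name ||
       '" TO app_owner;' AS grant_stmt
FROM   dba_used_privs
WHERE  capture  = 'APP_OWNER_CAPTURE_POL'
AND    username = 'APP_OWNER'
AND    sys_priv = 'SELECT ANY TABLE'
AND    object_name IS NOT NULL;

-- System privileges granted to APP_OWNER (directly or through a role)
-- that neither run used: candidates for revocation.
SELECT DISTINCT sys_priv, rolename
FROM   dba_unused_sysprivs
WHERE  capture  = 'APP_OWNER_CAPTURE_POL'
AND    username = 'APP_OWNER'
ORDER  BY sys_priv;

-- After the object grants are in place and verified in a test environment:
-- REVOKE SELECT ANY TABLE FROM app_owner;

-- Dropping the policy also drops its capture runs from the views.
-- EXEC DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'APP_OWNER_CAPTURE_POL');
```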
5.2.7.3 Generating a Privilege Analysis Report Using DBMS_PRIVILEGE_CAPTURE
The DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT procedure generates a report showing the results of a privilege capture.
5.2.7.4 Generating a Privilege Analysis Report Using Cloud Control
You can generate a privilege analysis report using Cloud Control.
5.2.7.5 Accessing Privilege Analysis Reports Using Cloud Control
A privilege analysis report provides information about both used and unused privileges.
5.2.8 Dropping a Privilege Analysis Policy
Before you can drop a privilege analysis policy, you must first disable it.
5.3 Creating Roles and Managing Privileges Using Cloud Control
You can create new roles using privileges found in a privilege analysis report and then grant this role to users.
- Creating a Role from a Privilege Analysis Report in Cloud Control
  You can use the report summary to find the least number of privileges an application needs, and encapsulate these privileges into a role.
- Revoking and Regranting Roles and Privileges Using Cloud Control
  You can use Enterprise Manager Cloud Control to revoke and regrant roles and privileges to users.
- Generating a Revoke or Regrant Script Using Cloud Control
  You can generate a script that revokes or regrants privileges from and to users, based on the results of privilege analysis reports.
5.3.1 Creating a Role from a Privilege Analysis Report in Cloud Control
You can use the report summary to find the least number of privileges an application needs, and encapsulate these privileges into a role.
5.3.2 Revoking and Regranting Roles and Privileges Using Cloud Control
You can use Enterprise Manager Cloud Control to revoke and regrant roles and privileges to users.
5.3.3 Generating a Revoke or Regrant Script Using Cloud Control
You can generate a script that revokes or regrants privileges from and to users, based on the results of privilege analysis reports.
- About Generating Revoke and Regrant Scripts
  You can perform a bulk revoke of unused system and object privileges and roles by using scripts that you can download after you have generated the privilege analysis.
- Generating a Revoke Script
  You can use Enterprise Manager Cloud Control to generate a script that revokes privileges from users.
- Generating a Regrant Script
  You can use Enterprise Manager Cloud Control to generate a script that regrants privileges that have been revoked from users.
5.3.3.1 About Generating Revoke and Regrant Scripts
You can perform a bulk revoke of unused system and object privileges and roles by using scripts that you can download after you have generated the privilege analysis.
Later on, if you want to regrant these privileges back to the user, you can generate a regrant script. In order to generate the regrant script, you must have a corresponding revoke script.
Execute the revoke scripts in a development or test environment. Be aware that you cannot revoke privileges and roles from Oracle-supplied accounts and roles.
5.3.3.2 Generating a Revoke Script
You can use Enterprise Manager Cloud Control to generate a script that revokes privileges from users.
5.4 Tutorial: Using Capture Runs to Analyze ANY Privilege Use
This tutorial demonstrates how to create capture runs to analyze the use of the READ ANY TABLE
system privilege.
- Step 1: Create User Accounts
You must create two users, one user to create the policy and a second user whose privilege use will be analyzed.
- Step 2: Create and Enable a Privilege Analysis Policy
The user pa_admin must create and enable the privilege analysis policy.
- Step 3: Use the READ ANY TABLE System Privilege
User app_user uses the READ ANY TABLE system privilege.
- Step 4: Disable the Privilege Analysis Policy
You must disable the policy before you can generate a report that captures the actions of user app_user.
- Step 5: Generate and View a Privilege Analysis Report
With the privilege analysis policy disabled, user pa_admin then can generate and view a privilege analysis report.
- Step 6: Create a Second Capture Run
Next, you are ready to create a second capture run for the ANY_priv_analysis_pol privilege analysis policy.
- Step 7: Remove the Components for This Tutorial
You can remove the components that you created for this tutorial if you no longer need them.
5.4.1 Step 1: Create User Accounts
You must create two users, one user to create the policy and a second user whose privilege use will be analyzed.
5.4.2 Step 2: Create and Enable a Privilege Analysis Policy
The user pa_admin must create and enable the privilege analysis policy.
5.4.3 Step 3: Use the READ ANY TABLE System Privilege
User app_user uses the READ ANY TABLE system privilege.
5.4.4 Step 4: Disable the Privilege Analysis Policy
You must disable the policy before you can generate a report that captures the actions of user app_user.
5.4.5 Step 5: Generate and View a Privilege Analysis Report
With the privilege analysis policy disabled, user pa_admin then can generate and view a privilege analysis report.
5.4.6 Step 6: Create a Second Capture Run
Next, you are ready to create a second capture run for the ANY_priv_analysis_pol privilege analysis policy.
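The steps above as one SQL*Plus or SQLcl script. This is an added example, not the tutorial's own listing: the run names, the `hr.employees` query and the assumption that both accounts and the HR sample schema already exist are constructed for illustration, while the policy name, the user names and `READ ANY TABLE` come from the tutorial.

```sql
-- Added example (not Oracle's tutorial listing). Assumes pa_admin and app_user
-- already exist, the HR sample schema is installed, and app_user holds no
-- object grant on HR.EMPLOYEES.

-- Step 1, as a user administrator: grant only what each account needs.
GRANT CREATE SESSION, CAPTURE_ADMIN TO pa_admin;
GRANT CREATE SESSION, READ ANY TABLE TO app_user;

-- Step 2, as pa_admin: capture only sessions whose SESSION_USER is APP_USER,
-- then start the first capture run.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'ANY_priv_analysis_pol',
    description => 'Analyzes system privilege use by APP_USER',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APP_USER''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(
    name     => 'ANY_priv_analysis_pol',
    run_name => 'example_run_1');          -- constructed run name
END;
/

-- Step 3, as app_user: with no object grant, this read relies on READ ANY TABLE.
SELECT first_name, last_name FROM hr.employees WHERE ROWNUM <= 5;

-- Steps 4 and 5, as pa_admin: stop the capture, then populate the report views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'ANY_priv_analysis_pol');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(
    name     => 'ANY_priv_analysis_pol',
    run_name => 'example_run_1');
END;
/

-- The system privileges app_user actually exercised, per capture run.
SELECT username, sys_priv, run_name
  FROM dba_used_sysprivs
 WHERE username = 'APP_USER';

-- Step 6, as pa_admin: re-enable the same policy under a new run name so the
-- next workload is reported separately from the first.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(
    name     => 'ANY_priv_analysis_pol',
    run_name => 'example_run_2');          -- constructed run name
END;
/
```

After the second run is disabled and its result generated, comparing `RUN_NAME` values in the report views shows whether `READ ANY TABLE` is exercised by every workload or by only one of them.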
5.5 Tutorial: Analyzing Privilege Use by a User Who Has the DBA Role
This tutorial demonstrates how to analyze the privilege use of a user who has the DBA role and performs database tuning operations.
- Step 1: Create User Accounts
You must create two users, one to create the privilege analysis policy and a second user whose privilege use will be analyzed.
- Step 2: Create and Enable a Privilege Analysis Policy
User pa_admin must create and enable the privilege analysis policy.
- Step 3: Perform the Database Tuning Operations
User tjones uses the DBA role to perform database tuning operations.
- Step 4: Disable the Privilege Analysis Policy
You must disable the policy before you can generate a report that captures the actions of user tjones.
- Step 5: Generate and View Privilege Analysis Reports
With the privilege analysis policy disabled, user pa_admin can generate and view privilege analysis reports.
- Step 6: Remove the Components for This Tutorial
You can remove the components that you created for this tutorial if you no longer need them.
5.5.1 Step 1: Create User Accounts
You must create two users, one to create the privilege analysis policy and a second user whose privilege use will be analyzed.
5.5.2 Step 2: Create and Enable a Privilege Analysis Policy
User pa_admin must create and enable the privilege analysis policy.
5.5.3 Step 3: Perform the Database Tuning Operations
User tjones uses the DBA role to perform database tuning operations.
5.5.4 Step 4: Disable the Privilege Analysis Policy
You must disable the policy before you can generate a report that captures the actions of user tjones.
5.5.5 Step 5: Generate and View Privilege Analysis Reports
With the privilege analysis policy disabled, user pa_admin can generate and view privilege analysis reports.
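A role-scoped variant of this tutorial, showing how to compare what tjones used through the DBA role with what the role granted but was never exercised. This is an added example, not the tutorial's own listing: the policy name, the choice of `G_ROLE_AND_CONTEXT`, and the `DBMS_STATS` call standing in for the tuning work are assumptions.

```sql
-- Added example (not Oracle's tutorial listing). Assumes pa_admin holds
-- CAPTURE_ADMIN and tjones has been granted the DBA role.

-- As pa_admin: analyze privileges of the DBA role, only in TJONES sessions.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'EXAMPLE_DBA_TUNING_POL',   -- constructed policy name
    description => 'Privileges TJONES uses through the DBA role',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT,
    roles       => role_name_list('DBA'),
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''TJONES''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'EXAMPLE_DBA_TUNING_POL');
END;
/

-- As tjones: run the tuning work being measured (constructed stand-in).
EXEC DBMS_STATS.GATHER_SCHEMA_STATS(ownname => 'HR')

-- As pa_admin: stop the capture and populate the report views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'EXAMPLE_DBA_TUNING_POL');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'EXAMPLE_DBA_TUNING_POL');
END;
/

-- System privileges the tuning work needed, with the grant path that
-- supplied each one.
SELECT sys_priv, path
  FROM dba_used_sysprivs_path
 WHERE capture = 'EXAMPLE_DBA_TUNING_POL'
 ORDER BY sys_priv;

-- System privileges the DBA role supplied that the workload never touched:
-- the candidates to leave out of a narrower tuning role.
SELECT sys_priv
  FROM dba_unused_sysprivs
 WHERE capture = 'EXAMPLE_DBA_TUNING_POL'
 ORDER BY sys_priv;
```

The used list is only as complete as the captured workload, so run the capture across a full cycle of the user's normal tasks before treating the unused list as safe to remove.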
5.6 Privilege Analysis Policy and Report Data Dictionary Views
Oracle Database provides data dictionary views that show information about analyzed privileges.
Table 5-1 lists these data dictionary views.
Table 5-1 Data Dictionary Views That Display Privilege Analysis Information
| View | Description |
|---|---|
| | Lists information about existing privilege analysis policies |
| | Lists the privileges and capture runs that have been used for reported privilege analysis policies |
| | Lists the privilege grants that have not been used |
| | Lists the privileges and capture runs that have not been used for reported privilege analysis policies |
| | Lists the object privileges and capture runs that have been used for reported privilege analysis policies. It does not include the object grant paths. |
| | Lists the object privileges and capture runs that have not been used for reported privilege analysis policies. It does not include the object privilege grant paths. |
| | Lists the object privileges and capture runs that have been used for reported privilege analysis policies. It includes the object privilege grant paths. |
| | Lists the object privileges and capture runs that have not been used for reported privilege analysis policies. It includes the object privilege grant paths. |
| | Lists the system privileges and capture runs that have been used for reported privilege analysis policies. It does not include the system privilege grant paths. |
| | Lists the system privileges and capture runs that have not been used for reported privilege analysis policies. It does not include the system privilege grant paths. |
| | Lists the system privileges and capture runs that have been used for reported privilege analysis policies. It includes the system privilege grant paths. |
| | Lists the system privileges and capture runs that have not been used for reported privilege analysis policies. It includes system privilege grant paths. |
| | Lists all the privileges and capture runs for the |
| | Lists the user privileges and capture runs that have been used for reported privilege analysis policies. It does not include the user privilege grant paths. |
| | Lists the user privileges and capture runs that have not been used for reported privilege analysis policies. It does not include the user privilege grant paths. |
| | Lists the user privileges and capture runs that have been used for reported privilege analysis policies. It includes the user privilege grant paths. |
| | Lists the privileges and capture runs that have not been used for reported privilege analysis policies. It includes the user privilege grant paths. |