Multiple DB accounts for an app
Rahul Sisondia, Principal Member of Technical Staff, MySQL
March 05, 2020
Safe harbor statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.
Copyright © 2020, Oracle and/or its affiliates
Program agenda
1. Overview
2. Users categorization
3. Assess vulnerability
4. Prevention
DB users
• Instance admins
• App admins
• Applications
Authorization
Dynamic privileges
• Defined by the server, a component or a plugin at run time
• Administrative operations
  - BACKUP_ADMIN, AUDIT_ADMIN
Static privileges
• Built into the server
• Database operations
  - SELECT, INSERT, UPDATE
• Administrative operations
  - CREATE USER, PROCESS
• Grant privileges to a user
  - GRANT SELECT, INSERT, SUPER ON *.* TO foo_user;
  - GRANT SELECT ON db.table TO foo_user;
• Revoke privileges
  - REVOKE SELECT, INSERT ON *.* FROM foo_user;
  - REVOKE SELECT ON db.table FROM foo_user;
Which privilege do you need to create users?
• Privileged user: CREATE USER
• Non-privileged user: does not have either of the two privileges
Privileged or non-privileged users
• Instance admins: privileged
• App admins: privileged
• Applications: non-privileged
App user accounts management
• Applications and microservices manage the app users (app.user)
• DB users: a privileged user and a non-privileged user
Privilege escalation!
• App admins → root user
SYSTEM_USER privilege
- Allows maintaining separation of duty better
  • DBAs managing instances and NOT data, e.g. uptime, backup, high-level security
  • DBAs managing data
  • Users with access to part of the data
- Accounts that hold SYSTEM_USER are protected from accounts that do not, which blocks the escalation of the previous slide:
  ALTER USER root@localhost IDENTIFIED BY 'voodoo';
Power users
• System users: granted at least the SYSTEM_USER privilege, but not the CREATE USER privilege.
• Power users: granted at least the CREATE USER and SYSTEM_USER privileges.
• Privileged users: granted at least the CREATE USER privilege, but not the SYSTEM_USER privilege.
• Non-privileged users: neither the SYSTEM_USER nor the CREATE USER privilege, but may be granted other privileges.
DB users
• Non-privileged users: regular users
• Privileged users: power users, system users
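The four account categories of the preceding slides, as an added example that is not part of the original deck: it creates one constructed account per category (placeholder passwords, hypothetical `app` schema) and then classifies every account on the instance by the same two privileges the slides use. It assumes MySQL 8.0.16 or later, where SYSTEM_USER exists, and that `root@localhost` holds SYSTEM_USER, which the server grants to it by default.

```sql
-- Added example, not from the slides. Account names, hosts, the `app` schema
-- and the <placeholder> passwords are constructed.

-- System user: SYSTEM_USER but not CREATE USER. Runs the instance (backups,
-- connections) but cannot create accounts.
CREATE USER 'instance_dba'@'localhost' IDENTIFIED BY '<placeholder>';
GRANT SYSTEM_USER, BACKUP_ADMIN, CONNECTION_ADMIN ON *.* TO 'instance_dba'@'localhost';

-- Power user: both CREATE USER and SYSTEM_USER.
CREATE USER 'power_dba'@'localhost' IDENTIFIED BY '<placeholder>';
GRANT CREATE USER, SYSTEM_USER ON *.* TO 'power_dba'@'localhost';

-- Privileged user (the app admin): CREATE USER, but no SYSTEM_USER, so it can
-- provision application accounts yet cannot alter SYSTEM_USER accounts.
CREATE USER 'app_admin'@'%' IDENTIFIED BY '<placeholder>';
GRANT CREATE USER ON *.* TO 'app_admin'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app_admin'@'%' WITH GRANT OPTION;

-- Non-privileged user (the application itself): neither privilege.
CREATE USER 'app_user'@'%' IDENTIFIED BY '<placeholder>';
GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app_user'@'%';

-- Check that the guard from the SYSTEM_USER slide holds: when connected as
-- 'app_admin'@'%', the statement below is refused with "Access denied; you need
-- (at least one of) the SYSTEM_USER privilege(s)" because root holds SYSTEM_USER.
-- ALTER USER 'root'@'localhost' IDENTIFIED BY '<placeholder>';

-- Audit: classify every account. CREATE USER is a static privilege (a column
-- of mysql.user); SYSTEM_USER is a dynamic privilege (a row of mysql.global_grants).
SELECT u.User, u.Host,
       CASE
         WHEN g.PRIV IS NOT NULL AND u.Create_user_priv = 'Y' THEN 'Power user'
         WHEN g.PRIV IS NOT NULL                              THEN 'System user'
         WHEN u.Create_user_priv = 'Y'                        THEN 'Privileged user'
         ELSE                                                      'Non-privileged user'
       END AS category
FROM mysql.user AS u
LEFT JOIN mysql.global_grants AS g
       ON g.USER = u.User AND g.HOST = u.Host AND g.PRIV = 'SYSTEM_USER'
ORDER BY category, u.User, u.Host;
```

The audit reads the grant tables directly, so it needs SELECT on the `mysql` schema, and it only sees privileges granted to the account itself; an account that obtains SYSTEM_USER or CREATE USER through a role must be checked with `SHOW GRANTS FOR user USING role` as well.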
Is that sufficient?
• Privileged user: CREATE USER, or INSERT | UPDATE on the mysql schema
• Non-privileged user: has neither of the two privileges
Partial revokes
• Allow creating exceptions to global grants (everything except ‘this’ and ‘that’)
• Execute GRANT at global level followed by REVOKE at schema level
  GRANT INSERT ON *.* TO `foo_admin`;
  REVOKE INSERT ON `mysql`.* FROM `foo_admin`;
Prevention policy!
• Segregate the users as power users and regular users.
• Principle of least privilege.
• Revoke access to the mysql schema from privileged users.
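The partial-revoke pattern and the prevention policy of the last two slides carried through on one account, as an added example that is not part of the original deck. It assumes MySQL 8.0.16 or later (where `partial_revokes` exists) and a constructed `'app_admin'@'%'` account that holds CREATE USER; the two audit queries then list every account on the instance that still violates the policy.

```sql
-- Added example, not from the slides. 'app_admin'@'%' is a constructed account.

-- partial_revokes is OFF by default; without it the schema-level REVOKE below
-- is rejected because there is no schema-level grant to revoke.
SET PERSIST partial_revokes = ON;

-- Global INSERT/UPDATE with the mysql schema carved out: the slide's
-- GRANT-then-REVOKE pattern.
GRANT INSERT, UPDATE ON *.* TO 'app_admin'@'%';
REVOKE INSERT, UPDATE ON `mysql`.* FROM 'app_admin'@'%';

-- The exception appears as a REVOKE line in SHOW GRANTS and is stored under the
-- "Restrictions" key of the account's User_attributes JSON in mysql.user.
SHOW GRANTS FOR 'app_admin'@'%';

-- Audit 1: accounts that can create users AND hold global INSERT or UPDATE
-- without a partial revoke covering the mysql schema. Each row is the
-- escalation path from the "Is that sufficient?" slide and violates the policy.
SELECT User, Host
FROM mysql.user
WHERE Create_user_priv = 'Y'
  AND (Insert_priv = 'Y' OR Update_priv = 'Y')
  AND JSON_SEARCH(User_attributes, 'one', 'mysql', NULL,
                  '$.Restrictions[*].Database') IS NULL;

-- Audit 2: explicit schema- or table-level write grants on the mysql schema.
-- A partial revoke does not touch these; they must be revoked directly.
SELECT User, Host, 'schema' AS level,
       CONCAT_WS(',', IF(Insert_priv = 'Y', 'INSERT', NULL),
                      IF(Update_priv = 'Y', 'UPDATE', NULL)) AS privs
FROM mysql.db
WHERE Db = 'mysql' AND (Insert_priv = 'Y' OR Update_priv = 'Y')
UNION ALL
SELECT User, Host, CONCAT('table:', Table_name), Table_priv
FROM mysql.tables_priv
WHERE Db = 'mysql'
  AND (FIND_IN_SET('Insert', Table_priv) OR FIND_IN_SET('Update', Table_priv));
```

Audit 1 only checks that some restriction names the `mysql` schema; after remediation, confirm with `SHOW GRANTS` that the restriction covers both INSERT and UPDATE. Run both audits again whenever `partial_revokes` is turned off, because disabling it is refused while any account still carries a restriction, which is itself a useful signal that the policy is in force.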
Multiple app admins can be used
• Applications manage the app users
• DB users: privileged users (one per app admin) and a non-privileged user
Thank you
Questions
MySQL: Create multiple DB accounts for an app using SYSTEM_USER privilege and partial revokes