SlideShare a Scribd company logo
1 of 6
Download to read offline
Article Published in OTech Magazine Winter 2014 Edition
Original Magazine at http://www.otechmag.com/2014/otech-magazine-winter-2014/
Enforcing Principle of Least Privilege
- Biju Thomas
One of the top features of Oracle Database 12c that attracted me is the ability to enforce principle of least privilege with
ease. Ever since database vendors started taking security seriously, the principle of least privilege theory is in play. To
identify the privileges required by an application or user in Oracle database versions prior 12c was a tedious trial and
error process. Many applications I have come across run with DBA or DBA like privileges, this is because no privilege
analysis done at application design and development time. For application design and development team the focus is
always on getting the development work completed and delivering the project. Security, especially least privilege, is not
a focus item where team wants to spend time. It is easy to grant system privileges (especially DBA or ANY privileges like
INSERT ANY TABLE) to get the application working.
Oracle Database 12c brings the Privilege Analysis feature to clearly identify the privileges required by an application for
its functioning and tells the DBA which privileges can be revoked, to enforce the principle of least privilege and make the
database and application more secure. Privilege analysis feature is available only in Enterprise Edition and it requires
Database Vault license, which is an extra cost option. The good thing is that Database Vault need not be enabled to use
Privilege Analysis - one less thing to worry.
In a nutshell, privilege analysis works as below:
- Define a capture - to identify what need to be analyzed
- Enable the capture, to start capturing
- Run the application or utility whose privilege need to be analyzed
- Disable the capture
- Generate results from capture for review
- Implement the results, from the findings
Figure 1: Privilege Analysis
I will explain the steps using SQL command line as well as using Enterprise Manager Cloud Control 12c. To do the
privilege analysis you need the CAPTURE_ADMIN role, this role is granted to DBA role, so if you have DBA privileges on
the 12c database, you can perform the analysis.
Demo Environment
For demonstration purposes I am going to use the OE schema that comes with Oracle Database 12c examples - it has 14
tables and several other objects. We want to analyze the privileges of OE_ADM user who currently has the following
privileges.
- SELECT ANY TABLE
- INSERT ANY TABLE
- UPDATE ANY TABLE
- DELETE ANY TABLE
- ALTER ANY TRIGGER
- CREATE PROCEDURE
- CREATE TABLE
- CREATE SYNONYM
- CREATE ANY INDEX
- ALL privs on ORDERS and ORDER_ITEMS tables
- CONNECT and DBA Roles
SQL> select object_type, count(*) from dba_objects
where owner = 'OE' group by object_type;
OBJECT_TYPE COUNT(*)
----------------------- ----------
SEQUENCE 1
LOB 15
TYPE BODY 3
TRIGGER 4
TABLE 14
INDEX 48
SYNONYM 6
VIEW 13
FUNCTION 1
TYPE 37
OE_ADM user connects using SQL*Developer to run the scripts and reports. Our objective is to remove the ANY
privileges from OE_ADM user and grant appropriate privileges based on the tasks performed during the analysis period.
New package DBMS_PRIVILEGE_CAPTURE has the subprograms to manage the privilege analysis. The
CAPTURE_ADMIN role has execute privilege on this package.
Define and Start Capture
The very first step in privilege analysis is to create a capture, to define what actions need to be monitored. Four types of
analysis can be defined in the capture:
- Database (G_DATABASE - 1): If no condition is defined, analyzes used privilege on all objects within the whole
database. No condition or roles parameter specified for this type of capture.
- Role (G_ROLE - 2): Analyses privileges exercised through a role. Specify the roles to analyze using the ROLES
parameter.
- Context (G_CONTEXT - 3): Use this to analyze privileges that are used through an application module or specific
context. Specify a CONDITION to analyze
- Role and Context (G_ROLE_AND_CONTEXT - 4): Combination of role and context.
The CREATE_CAPTURE subprogram is used to define the capture. For our demo, we want to use the Role and Context,
because we want to know what privilege from the DBA role is being used as well as what other privileges granted to
OE_ADM are used when the application used is “SQL Developer”.
Figure 2 shows the OEM screen to create a capture policy. With few clicks you can easily create the policy. Based on the
context additional input is captured.
Figure 2: OEM Screen to Create a Privilege Analysis Policy
The SQL to define the policy as shown in Figure 2 is:
BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'Analyze_OE_ADM' ,
description => 'Review Privileges used by OE_ADM through SQL Developer' ,
type => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT ,
roles => ROLE_NAME_LIST('DBA','CONNECT') ,
condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''SQL Developer'' AND
SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''OE_ADM''');
END;
/
Once the policy is defined, it shows up in the OEM Privilege Analysis main screen, from where you can enable, disable,
generate report and drop the policy. See figure 3.
Figure 3: Privilege Analysis screen of OEM
You can click on the start button to start capture, or use the below SQL to start the capture.
EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name => 'Analyze_OE_ADM');
Now run the application and for a period of time, so that Oracle can capture all the privileges used.
Stop Capture and Generate Reports
Ok, now that OE_ADM user has performed their tasks using SQL Developer, let us stop the capture and review the
privileges used.
EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE (name => 'Analyze_OE_ADM');
Using OEM you can click on the Stop Capture button as shown in Figure 3. Now click the Generate Report button. Using
SQL you can accomplish this by
EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT (name => 'Analyze_OE_ADM');
OEM shows the number of unused privileges in the summary screen as shown in figure 4.
Once you run the Generate Results procedure, all the DBA_USED_ views as well as DBA_UNUSED_ views are populated.
You may query these views to generate revoke scripts or to prepare reports. The DBA_USED_ views show the privileges
used by the user for the policy. The DBA_UNUSED_ views show the privileges that are assigned to the user, but are not
used. The _PATH views show the privilege path (how the privileged was given to the user, through which role).
Capture Privilege - DBA Views Populated with Generate Results Procedure
DBA_USED_OBJPRIVS
DBA_USED_OBJPRIVS_PATH
DBA_USED_PRIVS
DBA_USED_PUBPRIVS
DBA_USED_SYSPRIVS
DBA_USED_SYSPRIVS_PATH
DBA_USED_USERPRIVS
DBA_USED_USERPRIVS_PATH
DBA_UNUSED_COL_TABS
DBA_UNUSED_OBJPRIVS
DBA_UNUSED_OBJPRIVS_PATH
DBA_UNUSED_PRIVS
DBA_UNUSED_SYSPRIVS
DBA_UNUSED_SYSPRIVS_PATH
DBA_UNUSED_USERPRIVS
DBA_UNUSED_USERPRIVS_PATH
OEM makes it easier on you to see the reports and even generate a revoke script. Figure 5 shows the drop down menu
under Actions.
Figure 5: OEM Options under Actions
The Reports menu shows a summary, as well as used and unused privilege listing that you can export to an excel file. To
be able to use the Revoke Scripts option, OEM needs to complete a setup as shown in figure 6.
Figure 6: OEM Setup for Revoke Scripts Generation
The revoke script revokes all unused roles and privileges from the role granted to the user, in this case this is not
desired, because we do not want to mess with the DBA role.
Here the Create Role menu comes for help. Figure 7 shows the OEM screen to create the role; you have option to
customize the role creation as well.
Figure 7: Create Role screen of OEM
This creates a new role for you with only the used privileges - how sweet is that!
Read OTech Magazine at http://www.otechmag.com/2014/otech-magazine-winter-2014/

More Related Content

More from Biju Thomas

Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1Biju Thomas
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeBiju Thomas
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsBiju Thomas
 
Install oracle database 12c software on windows
Install oracle database 12c software on windowsInstall oracle database 12c software on windows
Install oracle database 12c software on windowsBiju Thomas
 
2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation2008 Collaborate IOUG Presentation
2008 Collaborate IOUG PresentationBiju Thomas
 
2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation2009 Collaborate IOUG Presentation
2009 Collaborate IOUG PresentationBiju Thomas
 
2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG PresentationBiju Thomas
 
2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - PresentationBiju Thomas
 

More from Biju Thomas (8)

Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least Privilege
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windows
 
Install oracle database 12c software on windows
Install oracle database 12c software on windowsInstall oracle database 12c software on windows
Install oracle database 12c software on windows
 
2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation
 
2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation
 
2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation
 
2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation
 

Recently uploaded

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهMohamed Sweelam
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxFIDO Alliance
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)Wonjun Hwang
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...ScyllaDB
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 

Recently uploaded (20)

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 

Enforcing principle of least privilege

  • 1. Article Published in OTech Magazine Winter 2014 Edition Original Magazine at http://www.otechmag.com/2014/otech-magazine-winter-2014/ Enforcing Principle of Least Privilege - Biju Thomas One of the top features of Oracle Database 12c that attracted me is the ability to enforce principle of least privilege with ease. Ever since database vendors started taking security seriously, the principle of least privilege theory is in play. To identify the privileges required by an application or user in Oracle database versions prior 12c was a tedious trial and error process. Many applications I have come across run with DBA or DBA like privileges, this is because no privilege analysis done at application design and development time. For application design and development team the focus is always on getting the development work completed and delivering the project. Security, especially least privilege, is not a focus item where team wants to spend time. It is easy to grant system privileges (especially DBA or ANY privileges like INSERT ANY TABLE) to get the application working. Oracle Database 12c brings the Privilege Analysis feature to clearly identify the privileges required by an application for its functioning and tells the DBA which privileges can be revoked, to enforce the principle of least privilege and make the database and application more secure. Privilege analysis feature is available only in Enterprise Edition and it requires Database Vault license, which is an extra cost option. The good thing is that Database Vault need not be enabled to use Privilege Analysis - one less thing to worry. In a nutshell, privilege analysis works as below: - Define a capture - to identify what need to be analyzed - Enable the capture, to start capturing - Run the application or utility whose privilege need to be analyzed - Disable the capture - Generate results from capture for review - Implement the results, from the findings Figure 1: Privilege Analysis I will explain the steps using SQL command line as well as using Enterprise Manager Cloud Control 12c. To do the privilege analysis you need the CAPTURE_ADMIN role, this role is granted to DBA role, so if you have DBA privileges on the 12c database, you can perform the analysis. Demo Environment For demonstration purposes I am going to use the OE schema that comes with Oracle Database 12c examples - it has 14 tables and several other objects. We want to analyze the privileges of OE_ADM user who currently has the following privileges.
  • 2. - SELECT ANY TABLE - INSERT ANY TABLE - UPDATE ANY TABLE - DELETE ANY TABLE - ALTER ANY TRIGGER - CREATE PROCEDURE - CREATE TABLE - CREATE SYNONYM - CREATE ANY INDEX - ALL privs on ORDERS and ORDER_ITEMS tables - CONNECT and DBA Roles SQL> select object_type, count(*) from dba_objects where owner = 'OE' group by object_type; OBJECT_TYPE COUNT(*) ----------------------- ---------- SEQUENCE 1 LOB 15 TYPE BODY 3 TRIGGER 4 TABLE 14 INDEX 48 SYNONYM 6 VIEW 13 FUNCTION 1 TYPE 37 OE_ADM user connects using SQL*Developer to run the scripts and reports. Our objective is to remove the ANY privileges from OE_ADM user and grant appropriate privileges based on the tasks performed during the analysis period. New package DBMS_PRIVILEGE_CAPTURE has the subprograms to manage the privilege analysis. The CAPTURE_ADMIN role has execute privilege on this package. Define and Start Capture The very first step in privilege analysis is to create a capture, to define what actions need to be monitored. Four types of analysis can be defined in the capture: - Database (G_DATABASE - 1): If no condition is defined, analyzes used privilege on all objects within the whole database. No condition or roles parameter specified for this type of capture. - Role (G_ROLE - 2): Analyses privileges exercised through a role. Specify the roles to analyze using the ROLES parameter. - Context (G_CONTEXT - 3): Use this to analyze privileges that are used through an application module or specific context. Specify a CONDITION to analyze - Role and Context (G_ROLE_AND_CONTEXT - 4): Combination of role and context.
  • 3. The CREATE_CAPTURE subprogram is used to define the capture. For our demo, we want to use the Role and Context, because we want to know what privilege from the DBA role is being used as well as what other privileges granted to OE_ADM are used when the application used is “SQL Developer”. Figure 2 shows the OEM screen to create a capture policy. With few clicks you can easily create the policy. Based on the context additional input is captured. Figure 2: OEM Screen to Create a Privilege Analysis Policy The SQL to define the policy as shown in Figure 2 is: BEGIN DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( name => 'Analyze_OE_ADM' , description => 'Review Privileges used by OE_ADM through SQL Developer' , type => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT , roles => ROLE_NAME_LIST('DBA','CONNECT') , condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''SQL Developer'' AND SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''OE_ADM'''); END; / Once the policy is defined, it shows up in the OEM Privilege Analysis main screen, from where you can enable, disable, generate report and drop the policy. See figure 3.
  • 4. Figure 3: Privilege Analysis screen of OEM You can click on the start button to start capture, or use the below SQL to start the capture. EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name => 'Analyze_OE_ADM'); Now run the application and for a period of time, so that Oracle can capture all the privileges used. Stop Capture and Generate Reports Ok, now that OE_ADM user has performed their tasks using SQL Developer, let us stop the capture and review the privileges used. EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE (name => 'Analyze_OE_ADM'); Using OEM you can click on the Stop Capture button as shown in Figure 3. Now click the Generate Report button. Using SQL you can accomplish this by EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT (name => 'Analyze_OE_ADM'); OEM shows the number of unused privileges in the summary screen as shown in figure 4. Once you run the Generate Results procedure, all the DBA_USED_ views as well as DBA_UNUSED_ views are populated. You may query these views to generate revoke scripts or to prepare reports. The DBA_USED_ views show the privileges used by the user for the policy. The DBA_UNUSED_ views show the privileges that are assigned to the user, but are not used. The _PATH views show the privilege path (how the privileged was given to the user, through which role). Capture Privilege - DBA Views Populated with Generate Results Procedure DBA_USED_OBJPRIVS DBA_USED_OBJPRIVS_PATH DBA_USED_PRIVS DBA_USED_PUBPRIVS DBA_USED_SYSPRIVS
  • 5. DBA_USED_SYSPRIVS_PATH DBA_USED_USERPRIVS DBA_USED_USERPRIVS_PATH DBA_UNUSED_COL_TABS DBA_UNUSED_OBJPRIVS DBA_UNUSED_OBJPRIVS_PATH DBA_UNUSED_PRIVS DBA_UNUSED_SYSPRIVS DBA_UNUSED_SYSPRIVS_PATH DBA_UNUSED_USERPRIVS DBA_UNUSED_USERPRIVS_PATH OEM makes it easier on you to see the reports and even generate a revoke script. Figure 5 shows the drop down menu under Actions. Figure 5: OEM Options under Actions The Reports menu shows a summary, as well as used and unused privilege listing that you can export to an excel file. To be able to use the Revoke Scripts option, OEM needs to complete a setup as shown in figure 6. Figure 6: OEM Setup for Revoke Scripts Generation The revoke script revokes all unused roles and privileges from the role granted to the user, in this case this is not desired, because we do not want to mess with the DBA role. Here the Create Role menu comes for help. Figure 7 shows the OEM screen to create the role; you have option to customize the role creation as well.
  • 6. Figure 7: Create Role screen of OEM This creates a new role for you with only the used privileges - how sweet is that! Read OTech Magazine at http://www.otechmag.com/2014/otech-magazine-winter-2014/