Oracle Database Privilege Analysis
On the way to the "Least Privilege Principle" …
Markus Flechtner
www.markusdba.net|.de
@markusdba
Markus Flechtner
• Principal Consultant / Trivadis Germany GmbH
• Studied Mathematics a long time ago
• Focus
• Oracle High Availability
• Database Upgrade + Migration
• Teacher: RAC, New Features, Multitenant, PostgreSQL
@markusdba www.markusdba.net|.de
Source: https://twitter.com/swissOUC/status/1334440993572052994/photo/1
17.05.2022 Oracle Database Privilege Analysis
6
Agenda
• Introduction
• Package DBMS_PRIVILEGE_CAPTURE & Data Dictionary Objects
• Workflow
• Evaluation of the results and adopting the privileges
• Summary & Further Information
Introduction
History
• Security simply wasn’t a focus for many legacy applications
• Many applications run with DBA-like privileges
• No privilege specification or analysis was performed at design time
• Focus was on getting the application running versus least privilege
SQL> grant DBA to PUBLIC with admin option;
Grant succeeded.
Principle of the Least Privilege
"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."
Jerome Saltzer, Communications of the ACM, 1974
Oracle 12c introduced Privilege Analysis
• Captures the privileges which are used by an application or by a database user
• Reports the used privileges (and the way ("path") the privileges have been granted)
• Reports the privileges which have been granted but have not been used
• Helps you to achieve the "Least Privilege Principle" for your own database applications
• However, there was this small note in the "Oracle Database Licensing Information":
November 2018: Licensing changed
• Privilege Analysis is now available for Oracle Database Enterprise Edition
(for all versions since Oracle Database 12c Release 1), Database Vault is not required anymore
Of course, it's not that easy ..
• Logging database usage is a kind of auditing
  • Especially when using personalized accounts
  • Oracle Privilege Analysis captures which privileges were used, but not the exact time when they were used (you can only determine the time range, i.e. the time when the analysis ran)
  • You may be required to ask the works council for approval
  • But security is a strong argument
• Expect resistance
  • From 3rd-party software vendors
  • From your own developers
.. but it will help you as the DBA
• Required privileges will be documented
• Powerful privileges which are granted but not used (i.e. not required) are documented
• Raise security concerns, tell your manager
  • Then (s)he's in charge
Package DBMS_PRIVILEGE_CAPTURE & Data Dictionary Objects
Package DBMS_PRIVILEGE_CAPTURE
Procedure                  Purpose
CREATE_CAPTURE             Defines a capture policy
ENABLE_CAPTURE             Starts a privilege capture run
DISABLE_CAPTURE            Ends a privilege capture run
GENERATE_RESULT            Fills the result views with the results of a capture run
DROP_CAPTURE               Drops a capture policy and the associated results
DELETE_RUN                 Deletes the results of a capture run (but not the policy)
CAPTURE_DEPENDENCY_PRIVS   Captures the privileges that are used by definer’s rights and invoker’s rights PL/SQL program units for compilation (has to be enabled manually after a capture was started)
Data Dictionary Views & Internal Tables
Name                 Purpose / Content
DBA_PRIV_CAPTURES    Defined capture policies and runs (via "DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE")
PRIV_CAPTURE$        Internal table (basis of DBA_PRIV_CAPTURES)
CAPTURED_PRIV$       Captured privileges (*)
CAPTURE_RUN_LOG$     Information on the capture runs (*); contains start time and end time of the runs (which are not visible in the DBA_%-views)
(*) Both result tables are located in the SYSAUX tablespace
Result Views (1)
Overview (all privileges resp. grants)
  used:   DBA_USED_PRIVS
  unused: DBA_UNUSED_PRIVS, DBA_UNUSED_GRANTS
Privileges granted to PUBLIC
  used:   DBA_USED_PUBPRIVS
  unused: DBA_UNUSED_PUBPRIVS
System privileges
  used:   DBA_USED_SYSPRIVS, DBA_USED_SYSPRIVS_PATH
  unused: DBA_UNUSED_SYSPRIVS, DBA_UNUSED_SYSPRIVS_PATH
Result Views (2)
Object privileges
  used:   DBA_USED_OBJPRIVS, DBA_USED_OBJPRIVS_PATH
  unused: DBA_UNUSED_OBJPRIVS, DBA_UNUSED_OBJPRIVS_PATH
User privileges
  used:   DBA_USED_USERPRIVS, DBA_USED_USERPRIVS_PATH
  unused: DBA_UNUSED_USERPRIVS, DBA_UNUSED_USERPRIVS_PATH
• CDB_%-views are available, too.
Workflow
Define Capture Policy (1) – What to capture?
• You must know how to identify the application in the database, e.g.
  • Specific user
  • Role(s) granted to the user which is used by the application
  • Session context
• Based on that you can define the capture policy
• Possible capture types
  • All database activities
  • Validate role privileges by capturing all privileges which are included in a role or a set of roles
  • Database sessions which fulfill certain context conditions (function SYS_CONTEXT)
Define Capture Policy (2) – What to capture?
G_DATABASE           captures all database activities (i.e. used privileges) except for SYS activities
G_ROLE               captures privilege use of one or more roles
G_CONTEXT            captures all privilege use in a specified context
G_ROLE_AND_CONTEXT   combination of G_ROLE and G_CONTEXT
• "CONDITION" has to be used to define the context for the capture types "G_CONTEXT" and "G_ROLE_AND_CONTEXT"
Define Capture Policy (3) – CREATE_CAPTURE
Procedure DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE
Argument Name            Type             In/Out Default?
------------------------ ---------------- ------ --------
NAME                     VARCHAR2         IN
DESCRIPTION              VARCHAR2         IN     DEFAULT
TYPE                     NUMBER           IN     DEFAULT
ROLES                    ROLE_NAME_LIST   IN     DEFAULT
CONDITION                VARCHAR2         IN     DEFAULT
Define Capture Policy (4) - Examples
REM policy to capture all database activities
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'POLICY_ALL_DB_ACTIVITIES',
    description => 'captures all database privileges used by all users',
    type        => DBMS_PRIVILEGE_CAPTURE.G_DATABASE);
END;
/
REM which PUBLIC privileges are used by an application/user
REM (ROLES expects a ROLE_NAME_LIST collection, not a plain string)
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'POLICY_CAPTURE_PUBLIC',
    description => 'captures all required privileges granted to public',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => role_name_list('PUBLIC'));
END;
/
Define Capture Policy (5) - Examples
REM which privileges are used by a specific user
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'POLICY_CAPTURE_SCOTT',
    description => 'captures the privileges required by SCOTT',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => q'[sys_context('USERENV','SESSION_USER') = 'SCOTT']');
END;
/
REM which DBA privileges are used by a specific user
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'POLICY_CAPTURE_SCOTT_DBA',
    description => 'captures all required DBA privileges granted to SCOTT',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT,
    roles       => role_name_list('DBA'),
    condition   => q'[sys_context('USERENV','SESSION_USER') = 'SCOTT']');
END;
/
Define Capture Policy (6) - SYS_CONTEXT
• SYS_CONTEXT is the only function which can be used to specify the conditions for "DBMS_PRIVILEGE_CAPTURE.G_CONTEXT"
  • No user-defined functions (but you can use a user-defined context)
• Examples:
SESSION_USER           User who logged in
HOST                   Client machine
OS_USER                Client OS user
MODULE                 via DBMS_APPLICATION_INFO
ACTION                 via DBMS_APPLICATION_INFO
User-defined context   via DBMS_SESSION.SET_CONTEXT
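An added example (not from the slides) of the user-defined context mentioned above: an application context that only a trusted package can set, and a G_CONTEXT policy restricted to one component of the application. The names APP_CTX, APP_CTX_PKG and POLICY_CAPTURE_BILLING are assumed.

```sql
-- Added example, not from the slides. Assumed names: context APP_CTX,
-- package APP_CTX_PKG, policy POLICY_CAPTURE_BILLING.
-- Prerequisites: CREATE ANY CONTEXT for the package owner, CAPTURE_ADMIN for
-- the user who creates the policy (see "Miscellaneous (1)").

-- 1. The trusted package: only procedures of this package may set attributes
--    of APP_CTX (enforced by the USING clause of CREATE CONTEXT below), so an
--    application session cannot label itself arbitrarily.
CREATE OR REPLACE PACKAGE app_ctx_pkg AS
  PROCEDURE set_component(p_component IN VARCHAR2);
END app_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_ctx_pkg AS
  PROCEDURE set_component(p_component IN VARCHAR2) IS
  BEGIN
    -- accept only known component names (constructed list for this example)
    IF UPPER(p_component) NOT IN ('BILLING', 'REPORTING', 'ADMIN') THEN
      RAISE_APPLICATION_ERROR(-20001, 'unknown application component');
    END IF;
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'COMPONENT', UPPER(p_component));
  END set_component;
END app_ctx_pkg;
/
CREATE OR REPLACE CONTEXT app_ctx USING app_ctx_pkg;

-- 2. The capture policy: type G_CONTEXT, the user-defined context in CONDITION.
--    Sessions that never set the attribute do not match and are not captured.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'POLICY_CAPTURE_BILLING',
    description => 'privileges used by the BILLING component only',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => q'[SYS_CONTEXT('APP_CTX', 'COMPONENT') = 'BILLING']');
END;
/

-- 3. What the application does right after connecting (constructed usage);
--    SELECT SYS_CONTEXT('APP_CTX', 'COMPONENT') FROM dual shows the attribute.
BEGIN
  app_ctx_pkg.set_component('billing');
END;
/
```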
Start Privilege Capture
• For one capture policy, multiple runs can be stored (identified by run_name)
• Enable capture of dependency privileges if required
• Start privilege capture
PROCEDURE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE
Argument Name            Type             In/Out Default?
------------------------ ---------------- ------ --------
NAME                     VARCHAR2         IN
RUN_NAME                 VARCHAR2         IN     DEFAULT
• Example for starting a privilege capture
BEGIN
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(
    name     => 'POLICY_CAPTURE_SCOTT',
    run_name => 'TEST_RUN_20191110');
END;
/
Run your Application
• That's the critical part
• You have to run all modules, screens, batch jobs etc. which are ever used by your application
• Hopefully you have got a complete (!) set of automated (!) tests
• Missing a function which runs e.g. once a year and which requires a special privilege will cause this function to fail (some time later) if you adopt the privileges according to the results of the privilege capture!
Stop Privilege Capture
• After the tests are complete the capture can be stopped
PROCEDURE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE
Argument Name            Type             In/Out Default?
------------------------ ---------------- ------ --------
NAME                     VARCHAR2         IN
• Example:
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'POLICY_CAPTURE_SCOTT');
END;
/
Fill Result Views (1)
• The results which are stored in internal tables after the run has been stopped have to be transferred into the DBA_USED_%- and DBA_UNUSED_%-views
• Setting DEPENDENCY=TRUE is required when capturing dependent privileges (CAPTURE_DEPENDENCY_PRIVS)
PROCEDURE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT
Argument Name            Type             In/Out Default?
------------------------ ---------------- ------ --------
NAME                     VARCHAR2         IN
RUN_NAME                 VARCHAR2         IN     DEFAULT
DEPENDENCY               BOOLEAN          IN     DEFAULT
Fill Result Views (2)
• The run_name must be the same as the one you specified when you enabled the capture
• If you do not specify the run_name, the capture will be stopped, but the column "RUN_NAME" in the result table will be empty.
• Example:
BEGIN
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(
    name     => 'POLICY_CAPTURE_SCOTT',
    run_name => 'TEST_RUN_20191110');
END;
/
Miscellaneous (1)
• The role CAPTURE_ADMIN is required to run procedures of the package DBMS_PRIVILEGE_CAPTURE
• Only one privilege capture policy can be active at a time
• Enabled capture policies remain active even after a restart of the database instance
  • But the privileges which were captured before the restart are lost
• Results are stored until the run is deleted (DBMS_PRIVILEGE_CAPTURE.DELETE_RUN) or the policy is dropped (DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE)
  • Create your own result tables via CTAS to avoid the loss of data
• In a Container Database you can run privilege analysis on container level only (CDB$ROOT and individual PDBs), not globally for all containers
• The performance impact of privilege capture is negligible (at least according to my experience)
Miscellaneous (2)
• If you consider the required space in tablespace SYSAUX an issue, the following workflow may be an option
  • Run DBMS_PRIVILEGE_CAPTURE on a daily basis (e.g. via database job)
    • ..
    • disable_capture ('policy')
    • generate_result ('policy','current_run')
    • insert into own_table select * from dba_used/unused where run_name='current_run'
    • delete_run ('policy','current_run')
    • enable_capture ('policy','next_run')
    • ..
  • Of course, there's the risk that special privileges which are used between disabling / enabling the policy are not captured
• The same procedure may help preventing loss of capture data due to a restart of an instance.
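The daily workflow sketched above, written out as an added example (not the author's code): a scheduler job stops the current run, archives its results in an own table, deletes the run from SYSAUX and enables the next run. The table, procedure and job names are assumed; the policy POLICY_CAPTURE_SCOTT is the one from the slides, and the job owner is assumed to have CAPTURE_ADMIN and read access to the DBA_%PRIVS views.

```sql
-- Added example, not from the slides. Assumed names: PA_PRIV_RESULTS, PA_RUN_LOG,
-- PA_ROTATE_RUN, PA_ROTATE_DAILY. Assumes the owning schema has the CAPTURE_ADMIN
-- role and can read DBA_USED_PRIVS / DBA_UNUSED_PRIVS, and that no capture policy
-- is enabled when the job runs for the first time (only one can be active).

-- Own table (outside SYSAUX) that survives DELETE_RUN and instance restarts.
-- Only scalar columns are kept; the PATH column (type GRANT_PATH) is left out.
CREATE TABLE pa_priv_results (
  capture      VARCHAR2(128) NOT NULL,
  run_name     VARCHAR2(128) NOT NULL,
  kind         VARCHAR2(6)   NOT NULL CHECK (kind IN ('USED', 'UNUSED')),
  username     VARCHAR2(128),
  used_role    VARCHAR2(128),
  sys_priv     VARCHAR2(40),
  obj_priv     VARCHAR2(40),
  user_priv    VARCHAR2(25),
  object_owner VARCHAR2(128),
  object_name  VARCHAR2(128),
  object_type  VARCHAR2(23),
  archived_at  DATE DEFAULT SYSDATE NOT NULL
);
-- Bookkeeping of the runs this job has enabled (one open run per policy).
CREATE TABLE pa_run_log (
  policy     VARCHAR2(128) NOT NULL,
  run_name   VARCHAR2(128) NOT NULL,
  started_at DATE NOT NULL,
  stopped_at DATE,
  CONSTRAINT pa_run_log_pk PRIMARY KEY (policy, run_name)
);

-- Invoker's rights on purpose: a definer's rights unit runs with roles disabled,
-- so the CAPTURE_ADMIN role of the job owner would not be effective in it.
CREATE OR REPLACE PROCEDURE pa_rotate_run(p_policy IN VARCHAR2) AUTHID CURRENT_USER IS
  v_current_run pa_run_log.run_name%TYPE;
  v_next_run    pa_run_log.run_name%TYPE := 'RUN_' || TO_CHAR(SYSDATE, 'YYYYMMDD_HH24MI');
BEGIN
  -- the run this job enabled last time (NULL on the very first call)
  BEGIN
    SELECT run_name INTO v_current_run
      FROM pa_run_log WHERE policy = p_policy AND stopped_at IS NULL;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN v_current_run := NULL;
  END;

  IF v_current_run IS NOT NULL THEN
    -- 1. stop the capture and fill the DBA_USED_% / DBA_UNUSED_% views for this run
    DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => p_policy);
    DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => p_policy, run_name => v_current_run);

    -- 2. archive the results before the run is deleted
    INSERT INTO pa_priv_results (capture, run_name, kind, username, used_role, sys_priv,
                                 obj_priv, user_priv, object_owner, object_name, object_type)
    SELECT capture, run_name, 'USED', username, used_role, sys_priv,
           obj_priv, user_priv, object_owner, object_name, object_type
      FROM dba_used_privs
     WHERE capture = p_policy AND run_name = v_current_run;
    INSERT INTO pa_priv_results (capture, run_name, kind, sys_priv, obj_priv,
                                 object_owner, object_name, object_type)
    SELECT capture, run_name, 'UNUSED', sys_priv, obj_priv,
           object_owner, object_name, object_type
      FROM dba_unused_privs
     WHERE capture = p_policy AND run_name = v_current_run;
    UPDATE pa_run_log SET stopped_at = SYSDATE
     WHERE policy = p_policy AND run_name = v_current_run;
    COMMIT;

    -- 3. free the space in SYSAUX; the policy itself is kept
    DBMS_PRIVILEGE_CAPTURE.DELETE_RUN(name => p_policy, run_name => v_current_run);
  END IF;

  -- 4. enable the next run right away: privileges used between DISABLE_CAPTURE
  --    and this call are not captured, so the window is kept as short as possible
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => p_policy, run_name => v_next_run);
  INSERT INTO pa_run_log (policy, run_name, started_at) VALUES (p_policy, v_next_run, SYSDATE);
  COMMIT;
END pa_rotate_run;
/

-- Daily job at 02:00; its first execution only enables the first run.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'PA_ROTATE_DAILY',
    job_type        => 'PLSQL_BLOCK',
    job_action      => q'[BEGIN pa_rotate_run('POLICY_CAPTURE_SCOTT'); END;]',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=DAILY; BYHOUR=2; BYMINUTE=0',
    enabled         => TRUE);
END;
/
```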
Miscellaneous (3)
• When using objects from another schema for own objects, e.g. views or PL/SQL code, granting privileges via a role is not sufficient: direct grants are required
• Assuming a user has been granted a privilege both via role and directly and a direct grant is required, this will be reflected in DBA_USED_PRIVS (USERNAME = USED_ROLE)
• When granting privileges (after the analysis), joining the results with DBA_DEPENDENCIES may be beneficial, too.
SELECT run_name, object_owner, object_name, username, used_role
FROM dba_used_privs WHERE object_owner = 'HR';
The slide annotates two rows of the query result: "Direct grant was required for creating a view" (USED_ROLE = USERNAME) and "SELECT only, role grant was sufficient" (USED_ROLE = the role).
Evaluating the results & Adopting the privileges
Example Result Queries (1)
• Which system privileges were used and how were they granted? ("grant path")
SQL> select USED_ROLE,SYS_PRIV,PATH
     from DBA_USED_SYSPRIVS_PATH where CAPTURE='POLICY_CAPTURE_SCOTT'
     and RUN_NAME= 'TEST_RUN_20191110';
USED_ROLE  SYS_PRIV          PATH
---------- ----------------- ---------------------------------------------
TOP_SECRET SELECT ANY TABLE  GRANT_PATH('SCOTT')
TOP_SECRET SELECT ANY TABLE  GRANT_PATH('SCOTT', 'SECRET', 'TOP_SECRET')
TOP_SECRET ANALYZE ANY       GRANT_PATH('SCOTT', 'SECRET', 'TOP_SECRET')
CONNECT    CREATE SESSION    GRANT_PATH('SCOTT', 'CONNECT')
• Role TOP_SECRET was granted to the role SECRET, and the role SECRET was granted to SCOTT
• The privilege "SELECT ANY TABLE" was granted in two ways
Example Result Queries (2)
• Which object privileges were used?
SQL> select USERNAME,USED_ROLE,OBJ_PRIV,
     OBJECT_OWNER O_OWNER,OBJECT_TYPE O_TYPE,OBJECT_NAME O_NAME
     from DBA_USED_OBJPRIVS
     where CAPTURE='POLICY_CAPTURE_SCOTT'
     and RUN_NAME= 'TEST_RUN_20191110';
USERNAME USED_ROLE OBJ_PRIV  O_OWNER O_TYPE    O_NAME
-------- --------- --------- ------- --------- ---------------------
SCOTT    PUBLIC    EXECUTE   SYS     PACKAGE   DBMS_APPLICATION_INFO
SCOTT    PUBLIC    SELECT    SYS     TABLE     DUAL
SCOTT    SCOTT     SELECT    HR      TABLE     DEPARTMENTS
SCOTT    SCOTT     SELECT    HR      TABLE     EMPLOYEES
SCOTT    SCOTT     UPDATE    HR      TABLE     EMPLOYEES
Example Result Queries (3)
• All privileges which were used during the privilege analysis capture
SQL> select OBJ_PRIV,SYS_PRIV,OBJECT_OWNER O_OWNER,
     OBJECT_NAME O_NAME,OBJECT_TYPE O_TYPE from DBA_USED_PRIVS
     where CAPTURE='POLICY_CAPTURE_SCOTT' and RUN_NAME= 'TEST_RUN_20191110';
OBJ_PRIV   SYS_PRIV         O_OWNER  O_TYPE    O_NAME
---------- ---------------- -------- --------- ---------------------
UPDATE                      HR       TABLE     EMPLOYEES
           SELECT ANY TABLE HR       TABLE     EMPLOYEES
           SELECT ANY TABLE HR       TABLE     EMPLOYEES
SELECT                      HR       TABLE     DEPARTMENTS
           ANALYZE ANY      HR       TABLE     EMPLOYEES
SELECT                      SYS      TABLE     DUAL
SELECT                      HR       TABLE     EMPLOYEES
           CREATE SESSION
EXECUTE                     SYS      PACKAGE   DBMS_APPLICATION_INFO
Example Result Queries (4)
• All privileges which were granted to the user SCOTT but not used during the privilege analysis capture
SQL> select OBJ_PRIV,SYS_PRIV,OBJECT_OWNER O_OWNER,
     OBJECT_NAME O_NAME,OBJECT_TYPE O_TYPE from DBA_UNUSED_PRIVS
     where CAPTURE='POLICY_CAPTURE_SCOTT' and RUN_NAME= 'TEST_RUN_20191110';
OBJ_PRIV  SYS_PRIV              O_OWNER O_TYPE    O_NAME
--------- --------------------- ------- --------- ---------------------
          SELECT ANY DICTIONARY
EXECUTE                         SYS     DIRECTORY DATA_PUMP_DIR
READ                            SYS     DIRECTORY DATA_PUMP_DIR
WRITE                           SYS     DIRECTORY DATA_PUMP_DIR
SELECT                          SYS     VIEW      V_$SQL_PLAN_STATISTICS_ALL
SELECT                          SYS     VIEW      V_$SESSION
SELECT                          SYS     VIEW      V_$SQL_PLAN
SELECT                          SYS     VIEW      V_$SQL
EXECUTE                         SYS     PACKAGE   DBMS_FLASHBACK_ARCHIVE
EXECUTE                         SYS     PACKAGE   DBMS_FLASHBACK
EXECUTE                         SYS     PACKAGE   DBMS_MONITOR
SELECT                          HR      TABLE     LOCATIONS
UPDATE                          HR      TABLE     LOCATIONS
[..]
Example Result Queries (5)
• The views contain much more information
SQL> desc DBA_USED_PRIVS
Name                               Null?    Type
---------------------------------- -------- ------------------------------------
CAPTURE                            NOT NULL VARCHAR2(128)
SEQUENCE                           NOT NULL NUMBER
OS_USER                                     VARCHAR2(128)
USERHOST                                    VARCHAR2(128)
MODULE                                      VARCHAR2(64)
USERNAME                           NOT NULL VARCHAR2(128)
USED_ROLE                                   VARCHAR2(128)
SYS_PRIV                                    VARCHAR2(40)
OBJ_PRIV                                    VARCHAR2(40)
USER_PRIV                                   VARCHAR2(25)
OBJECT_OWNER                                VARCHAR2(128)
OBJECT_NAME                                 VARCHAR2(128)
OBJECT_TYPE                                 VARCHAR2(23)
COLUMN_NAME                                 VARCHAR2(128)
OPTION$                                     NUMBER
PATH                                        GRANT_PATH
RUN_NAME                                    VARCHAR2(128)
Privilege Analysis & OEM Cloud Control (1)
• OEM Cloud Control 13c can be used to manage Privilege Analysis
• Targets → Database → Security → Privilege Analysis
Privilege Analysis & OEM Cloud Control (2)
Generate "GRANT" commands (1)
• The results of a privilege capture can be used to create a GRANT script
• Example: GRANT all required privileges to a new role SCOTT_ROLE
  • Part 1: System Privileges
SQL> SELECT 'grant '||sys_priv||' to SCOTT_ROLE;' PRIVS_TO_GRANT
     FROM DBA_USED_PRIVS where SYS_PRIV not like '%ANY%'
     and CAPTURE='POLICY_CAPTURE_SCOTT'
     and RUN_NAME= 'TEST_RUN_20191110';
Generate "GRANT" commands (2)
• Part 2: Object Privileges
• Query originally based on https://apex.oracle.com/pls/apex/germancommunities/dbacommunity/tipp/7141/index.html
  Credits to Norman Sibbing from Oracle
SQL> SELECT DISTINCT 'grant '||
     CASE SYS_PRIV
       WHEN 'SELECT ANY TABLE'      THEN 'SELECT'
       WHEN 'EXECUTE ANY PROCEDURE' THEN 'EXECUTE'
       WHEN 'INSERT ANY TABLE'      THEN 'INSERT'
       WHEN 'UPDATE ANY TABLE'      THEN 'UPDATE'
       WHEN 'DELETE ANY TABLE'      THEN 'DELETE'
       WHEN 'ANALYZE ANY'           THEN 'ANALYZE'
       WHEN 'SELECT ANY SEQUENCE'   THEN 'SELECT'
       ELSE OBJ_PRIV
     END
     ||' on '||OBJECT_OWNER||'.'|| OBJECT_NAME||' to SCOTT_ROLE;' PRIVS_TO_GRANT
     FROM DBA_USED_PRIVS where object_name is not null;
Generate "GRANT" commands (3) - Result
grant CREATE SESSION to SCOTT_RESTRICTED_PRIVS_ROLE;
grant EXECUTE on SYS.DBMS_APPLICATION_INFO to SCOTT_RESTRICTED_PRIVS_ROLE;
grant SELECT on HR.EMPLOYEES to SCOTT_RESTRICTED_PRIVS_ROLE;
grant SELECT on HR.EMP_TEST2 to SCOTT_RESTRICTED_PRIVS_ROLE;
grant SELECT on HR.DEPARTMENTS to SCOTT_RESTRICTED_PRIVS_ROLE;
grant ANALYZE on HR.EMPLOYEES to SCOTT_RESTRICTED_PRIVS_ROLE;
grant UPDATE on HR.EMP_TEST2 to SCOTT_RESTRICTED_PRIVS_ROLE;
grant SELECT on SYS.DUAL to SCOTT_RESTRICTED_PRIVS_ROLE;
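An added example (not the author's query) that combines the GRANT generation above with the point from Miscellaneous (3): object privileges exercised via a direct grant (USED_ROLE = USERNAME) become direct grants, privileges already available through PUBLIC get no grant, the rest go to the new role, and DBA_DEPENDENCIES lists the user's own views and PL/SQL units that reference the object. Policy, run and user names are the slide's; the role name SCOTT_ROLE is assumed; rows used via a system ANY privilege are left to the Part 2 query.

```sql
-- Added example, not the author's query. Assumed: target role SCOTT_ROLE.
-- A privilege exercised through a direct grant (USED_ROLE = USERNAME) is not
-- necessarily *required* as a direct grant: if no role grant existed, the direct
-- grant was simply the only path. DEPENDENT_OBJECTS shows whether the user owns
-- views or PL/SQL units referencing the object; those are the cases that need it.
WITH used AS (
  SELECT DISTINCT username, used_role, obj_priv, object_owner, object_name
    FROM dba_used_privs
   WHERE capture  = 'POLICY_CAPTURE_SCOTT'
     AND run_name = 'TEST_RUN_20191110'
     AND obj_priv IS NOT NULL          -- rows with a SYS_PRIV only: see Part 2
),
dep AS (
  -- objects of the captured user that depend on objects of other schemas
  SELECT referenced_owner, referenced_name, name, type
    FROM dba_dependencies
   WHERE owner = 'SCOTT'
     AND referenced_owner <> owner
)
SELECT CASE
         WHEN u.used_role = u.username THEN 'DIRECT'
         WHEN u.used_role = 'PUBLIC'   THEN 'PUBLIC'
         ELSE 'ROLE'
       END AS grant_kind,
       u.obj_priv, u.object_owner, u.object_name,
       LISTAGG(d.type || ' ' || d.name, ', ')
         WITHIN GROUP (ORDER BY d.name) AS dependent_objects,
       -- no statement for PUBLIC grants: the privilege is already there
       CASE
         WHEN u.used_role = 'PUBLIC' THEN NULL
         ELSE 'grant ' || u.obj_priv || ' on ' || u.object_owner || '.' || u.object_name
              || ' to '
              || CASE WHEN u.used_role = u.username THEN u.username ELSE 'SCOTT_ROLE' END
              || ';'
       END AS grant_stmt
  FROM used u
  LEFT JOIN dep d
         ON d.referenced_owner = u.object_owner
        AND d.referenced_name  = u.object_name
 GROUP BY u.username, u.used_role, u.obj_priv, u.object_owner, u.object_name
 ORDER BY grant_kind, u.object_owner, u.object_name, u.obj_priv;
```

Rows labelled DIRECT with an empty DEPENDENT_OBJECTS column are candidates for moving to the role as well, since nothing owned by the user is compiled against them.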
Summary & Further Information
Summary
• "Privilege Analysis" is a great tool for achieving the "Principle of the Least Privilege"
• Privilege Analysis should be included in your tests
• It's critical that you run all functions, modules, batch jobs etc. of your application during the capture phase (automation can help)
• Lifting the license restrictions (Database Vault) was an important step made by Oracle to help customers make their applications more secure
• Unfortunately, "Privilege Analysis" only helps to analyze the current situation, but not to overcome it by generating roles etc. with the required privileges only
Further Information
• Wikipedia: "Principle of least privilege": https://en.wikipedia.org/wiki/Principle_of_least_privilege
• Documentation of the package DBMS_PRIVILEGE_CAPTURE: https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_PRIVILEGE_CAPTURE.html#GUID-6522AC3E-A457-4C7B-8996-B065957F73E4
• Database Security Guide, Chapter 5 "Performing Privilege Analysis to Find Privilege Use": https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/performing-privilege-analysis-find-privilege-use.html#GUID-44CB644B-7B59-4B3B-B375-9F9B96F60186
• (in German) Deutschsprachiger Datenbank & Cloud Technologie Blog: "Least Privileges mit Oracle Privilege Analysis": https://blogs.oracle.com/coretec/least-privileges-mit-oracle-privilege-analysis
• MOS note "Privilege Analysis Feature of Database Vault (Doc ID 2588251.1)"
• https://gavinsoorma.com/2015/02/oracle-12c-new-feature-privilege-analysis/
Questions & Answers
Markus Flechtner
markus.flechtner@trivadis.com
Phone +49 211 5866 64725
@markusdba www.markusdba.net|.de
Privilege Analysis with the Oracle Database

More Related Content

What's hot

Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
Jonathan Katz
 
MariaDB 10: The Complete Tutorial
MariaDB 10: The Complete TutorialMariaDB 10: The Complete Tutorial
MariaDB 10: The Complete Tutorial
Colin Charles
 
Achieving High Availability in PostgreSQL
Achieving High Availability in PostgreSQLAchieving High Availability in PostgreSQL
Achieving High Availability in PostgreSQL
Mydbops
 
MySQL Shell for DBAs
MySQL Shell for DBAsMySQL Shell for DBAs
MySQL Shell for DBAs
Frederic Descamps
 
Conquering Data Migration from Oracle to Postgres
Conquering Data Migration from Oracle to PostgresConquering Data Migration from Oracle to Postgres
Conquering Data Migration from Oracle to Postgres
EDB
 
Oracle db performance tuning
Oracle db performance tuningOracle db performance tuning
Oracle db performance tuning
Simon Huang
 
[2018] MySQL 이중화 진화기
[2018] MySQL 이중화 진화기[2018] MySQL 이중화 진화기
[2018] MySQL 이중화 진화기
NHN FORWARD
 
Oracle Database 12c Multitenant for Consolidation
Oracle Database 12c Multitenant for ConsolidationOracle Database 12c Multitenant for Consolidation
Oracle Database 12c Multitenant for Consolidation
Yudi Herdiana
 
What to Expect From Oracle database 19c
What to Expect From Oracle database 19cWhat to Expect From Oracle database 19c
What to Expect From Oracle database 19c
Maria Colgan
 
Sql Server Basics
Sql Server BasicsSql Server Basics
Sql Server Basics
rainynovember12
 
ORACLE 12C DATA GUARD: FAR SYNC, REAL-TIME CASCADE STANDBY AND OTHER GOODIES
ORACLE 12C DATA GUARD: FAR SYNC, REAL-TIME CASCADE STANDBY AND OTHER GOODIESORACLE 12C DATA GUARD: FAR SYNC, REAL-TIME CASCADE STANDBY AND OTHER GOODIES
ORACLE 12C DATA GUARD: FAR SYNC, REAL-TIME CASCADE STANDBY AND OTHER GOODIES
Ludovico Caldara
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
Marco Alamanni
 
Oracle to Azure PostgreSQL database migration webinar
Oracle to Azure PostgreSQL database migration webinarOracle to Azure PostgreSQL database migration webinar
Oracle to Azure PostgreSQL database migration webinar
Minnie Seungmin Cho
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
Vibhor Kumar
 
Understanding oracle rac internals part 1 - slides
Understanding oracle rac internals   part 1 - slidesUnderstanding oracle rac internals   part 1 - slides
Understanding oracle rac internals part 1 - slides
Mohamed Farouk
 
Oracle Performance Tools of the Trade
Oracle Performance Tools of the TradeOracle Performance Tools of the Trade
Oracle Performance Tools of the Trade
Carlos Sierra
 
Oracle Database performance tuning using oratop
Oracle Database performance tuning using oratopOracle Database performance tuning using oratop
Oracle Database performance tuning using oratop
Sandesh Rao
 
Oracle Drivers configuration for High Availability, is it a developer's job?
Oracle Drivers configuration for High Availability, is it a developer's job?Oracle Drivers configuration for High Availability, is it a developer's job?
Oracle Drivers configuration for High Availability, is it a developer's job?
Ludovico Caldara
 
MySQL8.0_performance_schema.pptx
MySQL8.0_performance_schema.pptxMySQL8.0_performance_schema.pptx
MySQL8.0_performance_schema.pptx
NeoClova
 
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13cClone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Alfredo Krieg
 

What's hot (20)

Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
 
MariaDB 10: The Complete Tutorial
MariaDB 10: The Complete TutorialMariaDB 10: The Complete Tutorial
MariaDB 10: The Complete Tutorial
 
Achieving High Availability in PostgreSQL
Achieving High Availability in PostgreSQLAchieving High Availability in PostgreSQL
Achieving High Availability in PostgreSQL
 
MySQL Shell for DBAs
MySQL Shell for DBAsMySQL Shell for DBAs
MySQL Shell for DBAs
 
Conquering Data Migration from Oracle to Postgres
Conquering Data Migration from Oracle to PostgresConquering Data Migration from Oracle to Postgres
Conquering Data Migration from Oracle to Postgres
 
Oracle db performance tuning
Oracle db performance tuningOracle db performance tuning
Oracle db performance tuning
 
[2018] MySQL 이중화 진화기
[2018] MySQL 이중화 진화기[2018] MySQL 이중화 진화기
[2018] MySQL 이중화 진화기
 
Oracle Database 12c Multitenant for Consolidation
Oracle Database 12c Multitenant for ConsolidationOracle Database 12c Multitenant for Consolidation
Oracle Database 12c Multitenant for Consolidation
 
What to Expect From Oracle database 19c
What to Expect From Oracle database 19cWhat to Expect From Oracle database 19c
What to Expect From Oracle database 19c
 
Sql Server Basics
Sql Server BasicsSql Server Basics
Sql Server Basics
 
ORACLE 12C DATA GUARD: FAR SYNC, REAL-TIME CASCADE STANDBY AND OTHER GOODIES
ORACLE 12C DATA GUARD: FAR SYNC, REAL-TIME CASCADE STANDBY AND OTHER GOODIESORACLE 12C DATA GUARD: FAR SYNC, REAL-TIME CASCADE STANDBY AND OTHER GOODIES
ORACLE 12C DATA GUARD: FAR SYNC, REAL-TIME CASCADE STANDBY AND OTHER GOODIES
 
Oracle Database Vault
Oracle Database VaultOracle Database Vault
Oracle Database Vault
 
Oracle to Azure PostgreSQL database migration webinar
Oracle to Azure PostgreSQL database migration webinarOracle to Azure PostgreSQL database migration webinar
Oracle to Azure PostgreSQL database migration webinar
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
 
Understanding oracle rac internals part 1 - slides
Understanding oracle rac internals   part 1 - slidesUnderstanding oracle rac internals   part 1 - slides
Understanding oracle rac internals part 1 - slides
 
Oracle Performance Tools of the Trade
Oracle Performance Tools of the TradeOracle Performance Tools of the Trade
Oracle Performance Tools of the Trade
 
Oracle Database performance tuning using oratop
Oracle Database performance tuning using oratopOracle Database performance tuning using oratop
Oracle Database performance tuning using oratop
 
Oracle Drivers configuration for High Availability, is it a developer's job?
Oracle Drivers configuration for High Availability, is it a developer's job?Oracle Drivers configuration for High Availability, is it a developer's job?
Oracle Drivers configuration for High Availability, is it a developer's job?
 
MySQL8.0_performance_schema.pptx
MySQL8.0_performance_schema.pptxMySQL8.0_performance_schema.pptx
MySQL8.0_performance_schema.pptx
 
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13cClone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
Clone Oracle Databases In Minutes Without Risk Using Enterprise Manager 13c
 

Similar to Privilege Analysis with the Oracle Database

SOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security FeaturesSOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security Features
Stefan Oehrli
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot
 
OTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least PrivilegeOTech magazine article - Principle of Least Privilege
OTech magazine article - Principle of Least Privilege
Biju Thomas
 
Odv oracle customer_demo
Odv oracle customer_demoOdv oracle customer_demo
Odv oracle customer_demo
Viaggio Italia
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW Auditing
DB2Locksmith
 
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
NomanKhalid56
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
Alex Zaballa
 
Presentation database security enhancements with oracle
Presentation   database security enhancements with oraclePresentation   database security enhancements with oracle
Presentation database security enhancements with oracle
xKinAnx
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
TechEvent 18c Multitenant New Features
TechEvent 18c Multitenant New FeaturesTechEvent 18c Multitenant New Features
TechEvent 18c Multitenant New Features
Trivadis
 
NoCOUG_201411_Patel_Managing_a_Large_OLTP_Database
NoCOUG_201411_Patel_Managing_a_Large_OLTP_DatabaseNoCOUG_201411_Patel_Managing_a_Large_OLTP_Database
NoCOUG_201411_Patel_Managing_a_Large_OLTP_Database
Paresh Patel
 
Privilege Analysis with the Oracle Database

  • 10. November 2018: Licensing changed
    • Privilege Analysis is now available for Oracle Database Enterprise Edition (for all versions since Oracle Database 12c Release 1), Database Vault is not required anymore
    17.05.2022 Oracle Database Privilege Analysis 12
  • 11. Of course, it's not that easy ..
    • Logging database usage is a kind of auditing
      • Especially when using personalized accounts
      • Oracle Privilege Analysis captures which privileges were used but not the exact time when they were used (you can only determine the time range, i.e. the time when the analysis ran)
      • You may be required to ask the workers' council for approval
      • But security is a strong argument
    • Expect resistance
      • From 3rd party software vendors
      • From your own developers
  • 12. .. but it will help you as the DBA
    • Required privileges will be documented
    • High privileges which are not used (required) are documented
    • Raise security concerns, tell your manager
      • Then (s)he's in charge
  • 14. Package DBMS_PRIVILEGE_CAPTURE
    Procedure                  Purpose
    CREATE_CAPTURE             Defines a capture policy
    ENABLE_CAPTURE             Starts a privilege capture run
    DISABLE_CAPTURE            Ends a privilege capture run
    GENERATE_RESULT            Fills the result views with the results of a capture run
    DROP_CAPTURE               Drops a capture policy and the associated results
    DELETE_RUN                 Deletes the results of a capture run (but not the policy)
    CAPTURE_DEPENDENCY_PRIVS   Captures the privileges that are used by definer's rights and invoker's rights PL/SQL program units for compilation (has to be enabled manually after a capture was started)
  • 15. Data Dictionary Views & Internal Tables
    Name                Purpose / Content
    DBA_PRIV_CAPTURES   Defined capture policies and runs (via "DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE")
    PRIV_CAPTURE$       (basis of DBA_PRIV_CAPTURES)
    CAPTURED_PRIV$      Captured privileges (*)
    CAPTURE_RUN_LOG$    Information on the capture runs (*); contains start time and end time of the runs (which are not visible in the DBA_%-views)
    • (*) Both result tables are located in the SYSAUX tablespace
  • 16. Result Views (1)
                                              Views for used privileges   Views for unused privileges
    Overview (all privileges resp. grants)    DBA_USED_PRIVS              DBA_UNUSED_PRIVS
                                                                          DBA_UNUSED_GRANTS
    Privileges granted to PUBLIC              DBA_USED_PUBPRIVS           DBA_UNUSED_PUBPRIVS
    System privileges                         DBA_USED_SYSPRIVS           DBA_UNUSED_SYSPRIVS
                                              DBA_USED_SYSPRIVS_PATH      DBA_UNUSED_SYSPRIVS_PATH
  • 17. Result Views (2)
                          Views for used privileges   Views for unused privileges
    Object privileges     DBA_USED_OBJPRIVS           DBA_UNUSED_OBJPRIVS
                          DBA_USED_OBJPRIVS_PATH      DBA_UNUSED_OBJPRIVS_PATH
    User privileges       DBA_USED_USERPRIVS          DBA_UNUSED_USERPRIVS
                          DBA_USED_USERPRIVS_PATH     DBA_UNUSED_USERPRIVS_PATH
    • CDB_%-Views are available, too.
  • 18. Workflow
  • 19. Define Capture Policy (1) – What to capture?
    • You must know how to identify the application in the database, e.g.
      • Specific user
      • Role(s) granted to the user which is used by the application
      • Session context
    • Based on that you can define the capture policy
    • Possible capture types
      • All database activities
      • Validate role privileges by capturing all privileges which are included in a role or a set of roles
      • Database sessions which fulfil certain context conditions (function SYS_CONTEXT)
  • 20. Define Capture Policy (2) – What to capture?
    G_DATABASE           captures all database activities (resp. used privileges) except for SYS activities
    G_ROLE               captures privilege use of one or more roles
    G_CONTEXT            captures all privilege use in a specified context
    G_ROLE_AND_CONTEXT   combination of G_ROLE and G_CONTEXT
  • 21. Define Capture Policy (3) – CREATE_CAPTURE
    • "CONDITION" has to be used to define the context for the capture types "G_CONTEXT" and "G_ROLE_AND_CONTEXT"
    Procedure DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE
    Argument Name            Type             In/Out Default?
    ------------------------ ---------------- ------ --------
    NAME                     VARCHAR2         IN
    DESCRIPTION              VARCHAR2         IN     DEFAULT
    TYPE                     NUMBER           IN     DEFAULT
    ROLES                    ROLE_NAME_LIST   IN     DEFAULT
    CONDITION                VARCHAR2         IN     DEFAULT
  • 22. Define Capture Policy (4) - Examples
    REM policy to capture all database activities
    execute DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( -
      name        => 'POLICY_ALL_DB_ACTIVITIES', -
      description => 'captures all database privileges used by all users', -
      type        => DBMS_PRIVILEGE_CAPTURE.G_DATABASE );

    REM which PUBLIC privileges are used by an application/user
    REM (the ROLES argument is a ROLE_NAME_LIST collection, not a string)
    execute DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( -
      name        => 'POLICY_CAPTURE_PUBLIC', -
      description => 'captures all required privileges granted to public', -
      type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE, -
      roles       => role_name_list('PUBLIC') );
  • 23. Define Capture Policy (5) - Examples
    REM which privileges are used by a specific user
    execute DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( -
      name        => 'POLICY_CAPTURE_SCOTT', -
      description => 'captures the privileges required by SCOTT', -
      type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT, -
      condition   => q'[sys_context('USERENV','SESSION_USER') = 'SCOTT']' );

    REM which DBA privileges are used by a specific user
    REM (the ROLES argument is a ROLE_NAME_LIST collection, not a string)
    execute DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( -
      name        => 'POLICY_CAPTURE_SCOTT_DBA', -
      description => 'captures all required DBA privileges granted to SCOTT', -
      type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT, -
      roles       => role_name_list('DBA'), -
      condition   => q'[sys_context('USERENV','SESSION_USER') = 'SCOTT']' );
  • 24. Define Capture Policy (6) - SYS_CONTEXT
    • SYS_CONTEXT is the only function which can be used to specify the conditions for "DBMS_PRIVILEGE_CAPTURE.G_CONTEXT"
    • No user defined functions (but you can use a user defined context)
    • Examples:
      SESSION_USER            User who logged in
      HOST                    Client machine
      OS_USER                 Client OS user
      MODULE                  via DBMS_APPLICATION_INFO
      ACTION                  via DBMS_APPLICATION_INFO
      User defined context    via DBMS_SESSION.SET_CONTEXT
  • 25. Start Privilege Capture
    • Start privilege capture
    • For one profile multiple test runs can be stored
    • Enable capture of dependency privileges if required
    PROCEDURE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE
    Argument Name            Type             In/Out Default?
    ------------------------ ---------------- ------ --------
    NAME                     VARCHAR2         IN
    RUN_NAME                 VARCHAR2         IN     DEFAULT
    • Example for starting a privilege capture
    Execute DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE( -
      name     => 'POLICY_CAPTURE_SCOTT', -
      run_name => 'TEST_RUN_20191110');
  • 26. Run your Application
    • That's the critical part
    • You have to run all modules, screens, batch jobs etc. which are ever used by your application
    • Hopefully you have got a complete (!) set of automated (!) tests
    • Missing a function which runs e.g. once a year and which requires a special privilege will cause this function to fail (some time later) if you adopt the privileges according to the results of the privilege capture!
  • 27. Stop Privilege Capture
    • After the tests are complete the capture can be stopped
    PROCEDURE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE
    Argument Name            Type             In/Out Default?
    ------------------------ ---------------- ------ --------
    NAME                     VARCHAR2         IN
    • Example:
    Execute DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE( -
      name => 'POLICY_CAPTURE_SCOTT');
  • 28. Fill Result Views (1)
    • The results which are stored in internal tables after the run has been stopped have to be transferred into the DBA_USED_%- and DBA_UNUSED_%-views
    • Setting DEPENDENCY=TRUE is required when capturing dependent privileges (CAPTURE_DEPENDENCY_PRIVS)
    PROCEDURE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT
    Argument Name            Type             In/Out Default?
    ------------------------ ---------------- ------ --------
    NAME                     VARCHAR2         IN
    RUN_NAME                 VARCHAR2         IN     DEFAULT
    DEPENDENCY               BOOLEAN          IN     DEFAULT
  • 29. Fill Result Views (2)
    • The run_name must be the same as the one you specified when you enabled the capture
    • If you do not specify the run_name, the capture will be stopped but the column "RUN_NAME" in the result table will be empty.
    • Example:
    Execute DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT ( -
      name     => 'POLICY_CAPTURE_SCOTT', -
      run_name => 'TEST_RUN_20191110');
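The capture steps of slides 19 to 29 (define, enable, run the application, disable, generate) as one script, added here as an example; it is not code from the slides. It assumes a hypothetical application that sets its MODULE to HRAPP and works through a role HR_APP_ROLE; the policy name POLICY_CAPTURE_HRAPP and the run name RUN_FULL_REGRESSION are invented as well. Unlike the slide examples it uses a G_ROLE_AND_CONTEXT policy, passes the role through the ROLE_NAME_LIST collection type that the DESCRIBE output on slide 21 shows, and includes the dependency capture that slide 14 lists but the workflow slides do not show.

```sql
-- Run as a user holding the CAPTURE_ADMIN role (slide 30).
-- POLICY_CAPTURE_HRAPP, HR_APP_ROLE, HRAPP and RUN_FULL_REGRESSION are
-- assumed names for this example, not objects from the slides.

-- 0. Only one policy may be enabled at a time: this must return no rows
--    before a new run is started.
SELECT name, type, enabled FROM dba_priv_captures WHERE enabled = 'Y';

-- 1. Define the policy: privilege use through HR_APP_ROLE, restricted to
--    sessions that identified themselves as module HRAPP
--    (DBMS_APPLICATION_INFO.SET_MODULE, see slide 24).
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'POLICY_CAPTURE_HRAPP',
    description => 'privileges used by the HR application through HR_APP_ROLE',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT,
    roles       => role_name_list('HR_APP_ROLE'),
    condition   => q'[SYS_CONTEXT('USERENV','MODULE') = 'HRAPP']');
END;
/

-- 2. Start a named run. CAPTURE_DEPENDENCY_PRIVS takes no parameters and has
--    to be called after the capture is enabled; it records the privileges the
--    application's views and PL/SQL units need at compile time, which a run
--    that only executes the application would otherwise never see.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(
    name     => 'POLICY_CAPTURE_HRAPP',
    run_name => 'RUN_FULL_REGRESSION');
  DBMS_PRIVILEGE_CAPTURE.CAPTURE_DEPENDENCY_PRIVS;
END;
/

-- 3. Execute the complete automated test suite of the application now
--    (every screen, batch job and yearly report, see slide 26).

-- 4. Stop the run and materialise the results in the DBA_USED_% and
--    DBA_UNUSED_% views. DEPENDENCY => TRUE pulls in the compile-time
--    privileges recorded by step 2; the default leaves them out (slide 28).
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'POLICY_CAPTURE_HRAPP');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(
    name       => 'POLICY_CAPTURE_HRAPP',
    run_name   => 'RUN_FULL_REGRESSION',
    dependency => TRUE);
END;
/

-- 5. Sanity check: the policy is disabled again and the run produced rows,
--    before anybody starts adjusting grants on the strength of the result.
SELECT enabled FROM dba_priv_captures WHERE name = 'POLICY_CAPTURE_HRAPP';

SELECT COUNT(*) AS used_rows
FROM   dba_used_privs
WHERE  capture = 'POLICY_CAPTURE_HRAPP' AND run_name = 'RUN_FULL_REGRESSION';
```

Step 3 is where the analysis stands or falls: a test suite that skips a module means the privilege that module needs shows up as unused in step 5 and would be revoked by mistake.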
  • 30. Miscellaneous (1)
    • The role CAPTURE_ADMIN is required to run procedures of the package DBMS_PRIVILEGE_CAPTURE
    • Only one privilege capture policy can be active at a time
    • Enabled capture policies remain active even after a restart of the database instance
      • But the privileges which were captured before the restart are lost
    • Results are stored until the run is deleted (DBMS_PRIVILEGE_CAPTURE.DELETE_RUN) or the policy is dropped (DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE)
      • Create your own result tables via CTAS to avoid the loss of data
    • In a Container Database you can run privilege analysis on container level only (CDB$ROOT and individual PDBs), not globally for all containers
    • The performance impact of privilege capture is negligible (at least according to my experience)
  • 31. Miscellaneous (2)
    • If you consider the space required in tablespace SYSAUX an issue, the following workflow may be an option: run the DBMS_PRIVILEGE_CAPTURE steps on a daily basis (e.g. via a database job)
      • ..
      • disable_capture ('policy','current_run')
      • generate_result ('policy','current_run')
      • insert into own_table select * from dba_used/unused where run_name='current_run'
      • delete_run ('policy','current_run')
      • enable_capture ('policy','next_run')
      • ..
    • Of course, there is the risk that privileges which are used between disabling and re-enabling the policy are not captured
    • The same procedure may also help to prevent the loss of capture data due to a restart of the instance
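The daily rotation sketched on slides 28 to 31 (disable, generate, archive, delete, re-enable), written out as an added PL/SQL example; it is not code from the slides. Assumptions, all constructed for the example: a policy named POLICY_CAPTURE_SCOTT already exists, the archive tables PA_USED_PRIVS_HIST and PA_UNUSED_PRIVS_HIST and the control table PA_CAPTURE_STATE are created once as shown, and the executing user holds CAPTURE_ADMIN and can read DBA_USED_PRIVS and DBA_UNUSED_PRIVS. The procedure is declared AUTHID CURRENT_USER so that the caller's roles (CAPTURE_ADMIN) stay in effect; inside a definer's-rights procedure roles are disabled and only direct grants would count.

```sql
-- Added example (not from the original slides): rotate the run of a privilege
-- capture policy once a day and keep the results in private tables, so that
-- neither SYSAUX space nor an instance restart costs you captured privileges.

-- One-time setup: empty copies of the dictionary views (CTAS, as slide 30 suggests)
CREATE TABLE pa_used_privs_hist   AS SELECT * FROM dba_used_privs   WHERE 1 = 0;
CREATE TABLE pa_unused_privs_hist AS SELECT * FROM dba_unused_privs WHERE 1 = 0;

-- Control table (constructed for this example): remembers the currently open run
CREATE TABLE pa_capture_state (
  policy_name VARCHAR2(128) PRIMARY KEY,
  run_name    VARCHAR2(128) NOT NULL
);

CREATE OR REPLACE PROCEDURE pa_rotate_capture (
  p_policy     IN VARCHAR2,
  p_dependency IN BOOLEAN DEFAULT FALSE   -- TRUE only for CAPTURE_DEPENDENCY_PRIVS policies
) AUTHID CURRENT_USER IS
  v_current_run pa_capture_state.run_name%TYPE;
  v_next_run    pa_capture_state.run_name%TYPE
                  := 'RUN_' || TO_CHAR(SYSDATE, 'YYYYMMDD_HH24MISS');
BEGIN
  BEGIN
    SELECT run_name INTO v_current_run
      FROM pa_capture_state
     WHERE policy_name = p_policy;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN v_current_run := NULL;  -- first call: no run to close yet
  END;

  IF v_current_run IS NOT NULL THEN
    -- 1. stop the capture and move the internal tables into the DBA_%_PRIVS views
    DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => p_policy);
    DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name       => p_policy,
                                           run_name   => v_current_run,
                                           dependency => p_dependency);
    -- 2. archive exactly this run (capture + run_name) in the private tables
    INSERT INTO pa_used_privs_hist
      SELECT * FROM dba_used_privs
       WHERE capture = p_policy AND run_name = v_current_run;
    INSERT INTO pa_unused_privs_hist
      SELECT * FROM dba_unused_privs
       WHERE capture = p_policy AND run_name = v_current_run;
    COMMIT;
    -- 3. release the space in SYSAUX; the archive copy is the record from now on
    DBMS_PRIVILEGE_CAPTURE.DELETE_RUN(name => p_policy, run_name => v_current_run);
  END IF;

  -- 4. re-enable the policy under a fresh run name. Privileges used between
  --    step 1 and this call are not captured (the gap the slide warns about).
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => p_policy, run_name => v_next_run);

  MERGE INTO pa_capture_state s
  USING (SELECT p_policy AS policy_name, v_next_run AS run_name FROM dual) n
     ON (s.policy_name = n.policy_name)
   WHEN MATCHED     THEN UPDATE SET s.run_name = n.run_name
   WHEN NOT MATCHED THEN INSERT (policy_name, run_name)
                         VALUES (n.policy_name, n.run_name);
  COMMIT;
END pa_rotate_capture;
/

-- Schedule the rotation once a day at 02:00 (job name constructed for the example)
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'PA_ROTATE_SCOTT',
    job_type        => 'PLSQL_BLOCK',
    job_action      => 'BEGIN pa_rotate_capture(''POLICY_CAPTURE_SCOTT''); END;',
    repeat_interval => 'FREQ=DAILY; BYHOUR=2',
    enabled         => TRUE);
END;
/
```

Filtering the archive INSERT on both CAPTURE and RUN_NAME matters: a second policy or an older run without a run name would otherwise be copied into the wrong history. Because the run is closed before the new one is opened, the first call of the procedure only enables the capture and the results of run N are only archived by call N+1.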
  • 32. Miscellaneous (3)
    • When objects from another schema are used in your own objects, e.g. in views or PL/SQL code, granting the privileges via a role is not sufficient: direct grants are required
    • If a user has been granted a privilege both via a role and directly, and the direct grant was the one required, DBA_USED_PRIVS reflects this: USED_ROLE is equal to USERNAME (the grant was used directly, not through a role)
      SELECT run_name, object_owner, object_name, username, used_role
        FROM dba_used_privs
       WHERE object_owner = 'HR';
      (In the result: a direct grant was required for creating a view; for a plain SELECT, the role grant was sufficient)
    • When granting privileges (after the analysis), joining the results with DBA_DEPENDENCIES may be beneficial, too
  • 33. Evaluating the results & Adopting the privileges
  • 34. Example Result Queries (1)
    • Which system privileges were used and how were they granted? ("grant path")
      SQL> select USED_ROLE,SYS_PRIV,PATH
        2  from DBA_USED_SYSPRIVS_PATH where CAPTURE='POLICY_CAPTURE_SCOTT'
        3  and RUN_NAME= 'TEST_RUN_20191110';

      USED_ROLE  SYS_PRIV          PATH
      ---------- ----------------- ---------------------------------------------
      TOP_SECRET SELECT ANY TABLE  GRANT_PATH('SCOTT')
      TOP_SECRET SELECT ANY TABLE  GRANT_PATH('SCOTT', 'SECRET', 'TOP_SECRET')
      TOP_SECRET ANALYZE ANY       GRANT_PATH('SCOTT', 'SECRET', 'TOP_SECRET')
      CONNECT    CREATE SESSION    GRANT_PATH('SCOTT', 'CONNECT')
    • Role TOP_SECRET was granted to the role SECRET, and the role SECRET was granted to SCOTT
    • The privilege "SELECT ANY TABLE" was granted in two ways
  • 35. Example Result Queries (2)
    • Which object privileges were used?
      SQL> select USERNAME,USED_ROLE,OBJ_PRIV,
        2  OBJECT_OWNER O_OWNER,OBJECT_TYPE O_TYPE,OBJECT_NAME O_NAME
        3  from DBA_USED_OBJPRIVS
        4  where CAPTURE='POLICY_CAPTURE_SCOTT'
        5  and RUN_NAME= 'TEST_RUN_20191110';

      USERNAME USED_ROLE OBJ_PRIV  O_OWNER O_TYPE    O_NAME
      -------- --------- --------- ------- --------- ---------------------
      SCOTT    PUBLIC    EXECUTE   SYS     PACKAGE   DBMS_APPLICATION_INFO
      SCOTT    PUBLIC    SELECT    SYS     TABLE     DUAL
      SCOTT    SCOTT     SELECT    HR      TABLE     DEPARTMENTS
      SCOTT    SCOTT     SELECT    HR      TABLE     EMPLOYEES
      SCOTT    SCOTT     UPDATE    HR      TABLE     EMPLOYEES
  • 36. Example Result Queries (3)
    • All privileges which were used during the privilege analysis capture
      SQL> select OBJ_PRIV,SYS_PRIV,OBJECT_OWNER O_OWNER,
        2  OBJECT_NAME O_NAME,OBJECT_TYPE O_TYPE from DBA_USED_PRIVS
        3  where CAPTURE='POLICY_CAPTURE_SCOTT' and RUN_NAME= 'TEST_RUN_20191110';

      OBJ_PRIV   SYS_PRIV         O_OWNER      O_TYPE    O_NAME
      ---------- ---------------- ------------ --------- ---------------------
      UPDATE                      HR           TABLE     EMPLOYEES
                 SELECT ANY TABLE HR           TABLE     EMPLOYEES
                 SELECT ANY TABLE HR           TABLE     EMPLOYEES
      SELECT                      HR           TABLE     DEPARTMENTS
                 ANALYZE ANY      HR           TABLE     EMPLOYEES
      SELECT                      SYS          TABLE     DUAL
      SELECT                      HR           TABLE     EMPLOYEES
                 CREATE SESSION
      EXECUTE                     SYS          PACKAGE   DBMS_APPLICATION_INFO
  • 37. Example Result Queries (4)
    • All privileges which were granted to the user SCOTT but not used during the privilege analysis capture
      SQL> select OBJ_PRIV,SYS_PRIV,OBJECT_OWNER O_OWNER,
        2  OBJECT_NAME O_NAME,OBJECT_TYPE O_TYPE from DBA_UNUSED_PRIVS
        3  where CAPTURE='POLICY_CAPTURE_SCOTT' and RUN_NAME= 'TEST_RUN_20191110';

      OBJ_PRIV  SYS_PRIV              O_OWNER O_TYPE     O_NAME
      --------- --------------------- ------- ---------- ---------------------------
                SELECT ANY DICTIONARY
      EXECUTE                         SYS     DIRECTORY  DATA_PUMP_DIR
      READ                            SYS     DIRECTORY  DATA_PUMP_DIR
      WRITE                           SYS     DIRECTORY  DATA_PUMP_DIR
      SELECT                          SYS     VIEW       V_$SQL_PLAN_STATISTICS_ALL
      SELECT                          SYS     VIEW       V_$SESSION
      SELECT                          SYS     VIEW       V_$SQL_PLAN
      SELECT                          SYS     VIEW       V_$SQL
      EXECUTE                         SYS     PACKAGE    DBMS_FLASHBACK_ARCHIVE
      EXECUTE                         SYS     PACKAGE    DBMS_FLASHBACK
      EXECUTE                         SYS     PACKAGE    DBMS_MONITOR
      SELECT                          HR      TABLE      LOCATIONS
      UPDATE                          HR      TABLE      LOCATIONS
      [..]
  • 38. Example Result Queries (5)
    • The views contain much more information
      SQL> desc DBA_USED_PRIVS
       Name                               Null?    Type
       ---------------------------------- -------- ------------------------------------
       CAPTURE                            NOT NULL VARCHAR2(128)
       SEQUENCE                           NOT NULL NUMBER
       OS_USER                                     VARCHAR2(128)
       USERHOST                                    VARCHAR2(128)
       MODULE                                      VARCHAR2(64)
       USERNAME                           NOT NULL VARCHAR2(128)
       USED_ROLE                                   VARCHAR2(128)
       SYS_PRIV                                    VARCHAR2(40)
       OBJ_PRIV                                    VARCHAR2(40)
       USER_PRIV                                   VARCHAR2(25)
       OBJECT_OWNER                                VARCHAR2(128)
       OBJECT_NAME                                 VARCHAR2(128)
       OBJECT_TYPE                                 VARCHAR2(23)
       COLUMN_NAME                                 VARCHAR2(128)
       OPTION$                                     NUMBER
       PATH                                        GRANT_PATH
       RUN_NAME                                    VARCHAR2(128)
  • 39. Privilege Analysis & OEM Cloud Control (1)
    • OEM Cloud Control 13c can be used to manage Privilege Analysis
    • Targets > Database > Security > Privilege Analysis
  • 40. Privilege Analysis & OEM Cloud Control (2)
  • 41. Generate "GRANT" commands (1)
    • The results of a privilege capture can be used to create a GRANT script
    • Example: GRANT all required privileges to a new role SCOTT_ROLE
    • Part 1: System Privileges
      SQL> SELECT 'grant '||sys_priv||' to SCOTT_ROLE;' PRIVS_TO_GRANT
        2  FROM DBA_USED_PRIVS where SYS_PRIV not like '%ANY%'
        3  and CAPTURE='POLICY_CAPTURE_SCOTT'
        4  and RUN_NAME= 'TEST_RUN_20191110';
  • 42. Generate "GRANT" commands (2)
    • Part 2: Object Privileges
    • Query originally based on https://apex.oracle.com/pls/apex/germancommunities/dbacommunity/tipp/7141/index.html (credits to Norman Sibbing from Oracle)
      SQL> SELECT DISTINCT 'grant '||
        2  CASE SYS_PRIV
        3    WHEN 'SELECT ANY TABLE'      THEN 'SELECT'
        4    WHEN 'EXECUTE ANY PROCEDURE' THEN 'EXECUTE'
        5    WHEN 'INSERT ANY TABLE'      THEN 'INSERT'
        6    WHEN 'UPDATE ANY TABLE'      THEN 'UPDATE'
        7    WHEN 'DELETE ANY TABLE'      THEN 'DELETE'
        8    WHEN 'ANALYZE ANY'           THEN 'ANALYZE'
        9    WHEN 'SELECT ANY SEQUENCE'   THEN 'SELECT'
       10    ELSE
       11      OBJ_PRIV
       12  END
       13  ||' on '||OBJECT_OWNER||'.'|| OBJECT_NAME||' to SCOTT_ROLE;' PRIVS_TO_GRANT
       14  FROM DBA_USED_PRIVS where object_name is not null;
  • 43. Generate "GRANT" commands (3) - Result
      grant CREATE SESSION to SCOTT_RESTRICTED_PRIVS_ROLE;
      grant EXECUTE on SYS.DBMS_APPLICATION_INFO to SCOTT_RESTRICTED_PRIVS_ROLE;
      grant SELECT on HR.EMPLOYEES to SCOTT_RESTRICTED_PRIVS_ROLE;
      grant SELECT on HR.EMP_TEST2 to SCOTT_RESTRICTED_PRIVS_ROLE;
      grant SELECT on HR.DEPARTMENTS to SCOTT_RESTRICTED_PRIVS_ROLE;
      grant ANALYZE on HR.EMPLOYEES to SCOTT_RESTRICTED_PRIVS_ROLE;
      grant UPDATE on HR.EMP_TEST2 to SCOTT_RESTRICTED_PRIVS_ROLE;
      grant SELECT on SYS.DUAL to SCOTT_RESTRICTED_PRIVS_ROLE;
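The two generator queries on slides 41 and 42, combined into one added PL/SQL script that also applies the advice from slide 32: objects that SCOTT's own stored objects depend on (per DBA_DEPENDENCIES) get a direct grant, everything else goes to the role. This is an added example, not the author's script. Assumed and constructed for it: the capture POLICY_CAPTURE_SCOTT with run TEST_RUN_20191110, the user SCOTT and the role name SCOTT_ROLE; the block only prints the GRANT statements, it grants nothing.

```sql
-- Added example (not from the original slides): print a least-privilege GRANT
-- script from one privilege-analysis run. Constructed names: capture, run,
-- user and role below.
SET SERVEROUTPUT ON
DECLARE
  c_capture CONSTANT VARCHAR2(128) := 'POLICY_CAPTURE_SCOTT';
  c_run     CONSTANT VARCHAR2(128) := 'TEST_RUN_20191110';
  c_user    CONSTANT VARCHAR2(128) := 'SCOTT';
  c_role    CONSTANT VARCHAR2(128) := 'SCOTT_ROLE';
BEGIN
  DBMS_OUTPUT.PUT_LINE('CREATE ROLE ' || c_role || ';');
  DBMS_OUTPUT.PUT_LINE('GRANT ' || c_role || ' TO ' || c_user || ';');

  -- Part 1: system privileges that were really used, without the broad "ANY"
  -- privileges; those are narrowed down to object privileges in part 2.
  FOR r IN (SELECT DISTINCT sys_priv
              FROM dba_used_privs
             WHERE capture = c_capture AND run_name = c_run
               AND sys_priv IS NOT NULL AND sys_priv NOT LIKE '%ANY%'
             ORDER BY sys_priv)
  LOOP
    DBMS_OUTPUT.PUT_LINE('GRANT ' || r.sys_priv || ' TO ' || c_role || ';');
  END LOOP;

  -- Part 2: object privileges. An "ANY" privilege is replaced by the object
  -- privilege on the object it was actually used on. The grantee is the user
  -- itself when one of the user's own objects references the object (a role
  -- grant is not visible inside views and PL/SQL), otherwise the role.
  FOR r IN (
    SELECT DISTINCT
           u.sys_priv,
           CASE
             WHEN u.sys_priv IS NULL                  THEN u.obj_priv
             WHEN u.sys_priv = 'SELECT ANY TABLE'      THEN 'SELECT'
             WHEN u.sys_priv = 'INSERT ANY TABLE'      THEN 'INSERT'
             WHEN u.sys_priv = 'UPDATE ANY TABLE'      THEN 'UPDATE'
             WHEN u.sys_priv = 'DELETE ANY TABLE'      THEN 'DELETE'
             WHEN u.sys_priv = 'EXECUTE ANY PROCEDURE' THEN 'EXECUTE'
             WHEN u.sys_priv = 'SELECT ANY SEQUENCE'   THEN 'SELECT'
             ELSE NULL   -- ANY privilege without an object-level equivalent
           END AS priv,
           u.object_owner,
           u.object_name,
           CASE WHEN (SELECT COUNT(*)
                        FROM dba_dependencies d
                       WHERE d.owner            = c_user
                         AND d.referenced_owner = u.object_owner
                         AND d.referenced_name  = u.object_name) > 0
                THEN c_user ELSE c_role
           END AS grantee
      FROM dba_used_privs u
     WHERE u.capture  = c_capture AND u.run_name = c_run
       AND u.object_name IS NOT NULL
       AND u.object_owner <> c_user                 -- own objects need no grant
       AND NVL(u.used_role, '-') <> 'PUBLIC'         -- already granted to everyone
     ORDER BY u.object_owner, u.object_name, priv)
  LOOP
    IF r.priv IS NULL THEN
      -- e.g. ANALYZE ANY: there is no ANALYZE object privilege, so this needs a
      -- manual decision (keep the system privilege or change the application)
      DBMS_OUTPUT.PUT_LINE('-- REVIEW: ' || r.sys_priv || ' was used on '
        || r.object_owner || '.' || r.object_name
        || ' and has no object-level equivalent');
    ELSE
      DBMS_OUTPUT.PUT_LINE('GRANT ' || r.priv || ' ON ' || r.object_owner || '.'
        || r.object_name || ' TO ' || r.grantee || ';');
    END IF;
  END LOOP;
END;
/
```

Two choices differ from the slide's query on purpose: the object-privilege part is filtered on CAPTURE and RUN_NAME as well (the original reads DBA_USED_PRIVS for every run), and privileges that were used through PUBLIC are skipped, since granting them again adds nothing. Before the generated script is applied, compare it against the unused list from DBA_UNUSED_PRIVS for the same run; what is neither in the GRANT script nor justified by a test gap is the candidate for revocation.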
  • 44. Summary & Further Information
  • 45. Summary
    • "Privilege Analysis" is a great tool for achieving the "Principle of the Least Privilege"
    • Privilege Analysis should be included in your tests
    • It's critical that you run all functions, modules, batch jobs etc. of your application during the capture phase (automation can help)
    • Lifting the license restriction (Database Vault) was an important step by Oracle to help customers make their applications more secure
    • Unfortunately, "Privilege Analysis" only helps to analyze the current situation, not to overcome it, e.g. by generating roles with the required privileges only
  • 46. Further Information
    • Wikipedia: "Principle of least privilege": https://en.wikipedia.org/wiki/Principle_of_least_privilege
    • Documentation of the package DBMS_PRIVILEGE_CAPTURE: https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_PRIVILEGE_CAPTURE.html#GUID-6522AC3E-A457-4C7B-8996-B065957F73E4
    • Database Security Guide, Chapter 5 "Performing Privilege Analysis to Find Privilege Use": https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/performing-privilege-analysis-find-privilege-use.html#GUID-44CB644B-7B59-4B3B-B375-9F9B96F60186
    • (in German) Deutschsprachiger Datenbank & Cloud Technologie Blog: "Least Privileges mit Oracle Privilege Analysis": https://blogs.oracle.com/coretec/least-privileges-mit-oracle-privilege-analysis
    • MOS-Note "Privilege Analysis Feature of Database Vault (Doc ID 2588251.1)"
    • https://gavinsoorma.com/2015/02/oracle-12c-new-feature-privilege-analysis/
  • 47. Questions & Answers
    Markus Flechtner
    markus.flechtner@trivadis.com
    Phone +49 211 5866 64725
    @markusdba
    www.markusdba.net|.de

Editor's Notes

  1. As a DBA you probably know the situation: one of the first SQL commands when installing third-party software is “GRANT DBA TO ..”. Or: the developers in your own development department don’t know which privileges they need in the database – and first demand DBA rights in the development environment. And then the security officer appears on stage and says “everyone may only get the rights he really needs” – the well-known least privilege principle is required. But how can this be found out? Since database version 12c Oracle offers the feature “Privilege Analysis” for this purpose. Unfortunately, the use of this feature was originally linked to the Database-Vault-License – and therefore not (legally) applicable for most DBAs. This restriction was lifted in November 2018: all customers with Enterprise Edition are allowed to use the feature. Reason enough to take a closer look at this functionality in the presentation: how can the DBA determine which rights the applications and users really need and set up a suitable rights concept for them?
  2. Here are the most important facts & figures at a glance. Trivadis was founded in 1994 as an independent service provider. Today, we have roughly 700 employees at 16 locations in Switzerland, Germany, Austria, Denmark and Romania. In the past financial year, we carried out over 1900 customer projects successfully and generated sales of roughly CHF 118 million. In addition to this large number of projects, we supported our customers with more than 250 Service Level Agreements. The foundation for sustainable technological excellence lies in our emphasis on research and development. Each year, we invest roughly CHF 5 million in analyzing and evaluating new technologies and in developing our methods and products. We are shaping the digital future together with our customers and partners. Transition to next slide: In keeping with our mission
  3. Quote from https://en.wikipedia.org/wiki/Principle_of_least_privilege