Oracle 12c Capture Privilege Usage


From Oracle 12.1 we have the ability to "record" the usage of permissions in our application and then we can narrow the permissions only to the minimal requirement.

Installation

CREATE USER YOSSI IDENTIFIED BY YOSSI;
GRANT DBA, RESOURCE TO YOSSI;

A user defined condition, when user is YOSSI (type = G_CONTEXT).

BEGIN
    DBMS_PRIVILEGE_CAPTURE.create_capture ( name => 'yossi_pol', TYPE => DBMS_PRIVILEGE_CAPTURE.g_context, condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''YOSSI''' );
    DBMS_PRIVILEGE_CAPTURE.enable_capture ( 'yossi_pol' );
END;
/

Verify that the capture is defined and enabled

COLUMN ROLES                FORMAT a20
COLUMN CONTEXT              FORMAT a30
COLUMN ENABLED              FORMAT a7
  SELECT name
,        TYPE
,        enabled
,        roles
,        context
    FROM dba_priv_captures
ORDER BY name;

Work with user YOSSI (run the application)...

Stop the capture and generate the results

BEGIN
    DBMS_PRIVILEGE_CAPTURE.disable_capture ( 'yossi_pol' );
    DBMS_PRIVILEGE_CAPTURE.generate_result ( 'yossi_pol' );
END;
/

Query system privileges results

  SELECT username, sys_priv
    FROM dba_used_sysprivs
   WHERE capture = 'yossi_pol'
ORDER BY username, sys_priv;

Query object privileges results

SELECT username
,      obj_priv
,      object_owner
,      object_name
,      object_type
  FROM dba_used_objprivs
 WHERE capture = 'yossi_pol';

Investigate system privileges

  SELECT username
,        sys_priv
,        used_role
,        PATH
    FROM dba_used_sysprivs_path
   WHERE capture = 'yossi_pol'
ORDER BY username, sys_priv;

Investigate object privileges

SELECT username
,      obj_priv
,      object_owner
,      object_name
,      used_role
,      PATH
  FROM dba_used_objprivs_path
 WHERE capture = 'yossi_pol';

At the end - drop the capture definition

BEGIN
    DBMS_PRIVILEGE_CAPTURE.drop_capture ( 'yossi_pol' );
END;
/

Comments

Post a Comment

Popular posts from this blog

Data Guard - Changing IP Addresses

Image
When changing IP of a host we should update/recheck the following places: /etc/hosts or DNS listener.ora tnsnames.ora Database parameters (local_listener, remote_listener) Data Guard configuration This document is also relevant when changing the IP address of the connection between the hosts, other than the original IP addresses we used during the installation. When installation is done using the hostname and not the IP address, most of the changes are not relevant except for /etc/hosts. In this document, I will describe how to change the Data Guard Broker configuration. Dataguard configuration Show the environment DGMGRL> show configuration Configuration - dr   Protection Mode: MaxAvailability   Members:   pdb7 - Primary database     fdb7 - Far sync instance       sdb7 - Physical standby database Fast-Start Failover: DISABLED Configuration Status: SUCCESS   (status updated 351 seconds ago) Show detailed information of the Primary
Read more

Install Oracle Internet Directory (OID) in Standalone mode

Image
Oracle Internet Directory (OID) is an LDAP server which uses an Oracle database as a datastore. Client machines can use the OID for all TNS lookups. With OID. Once all client machines are configured correctly any modifications to the TNS lookups can be done from a central location reducing the amount of client machine administration. This guide is about installing and using Oracle Internet Directory in Standalone mode, no need for Oracle Fusion Middleware Infrastructure. Step-by-step guide Download Oracle Internet Directory (Part of identity management) from http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/index.html Install OID, follow instructions: https://docs.oracle.com/en/middleware/lifecycle/12.2.1.3/inoim/installing-product-software.html#GUID-5D47117E-3983-4BED-BADB-CB7DDD63DB34 Starting the Installation Program: ./fmw_12.2.1.3.0_oid_linux64.bin Configure the Domain: $ORACLE_HOME/oracle_common/common/bin/config.sh Start the Servers for Standal
Read more

Fixing & Registering ORACLE_HOMES in Central Inventory

Central Inventory location is determined by oraInst.loc located in: HP/Solaris /var/opt/oracle/oraInst.loc Linux /etc/oraInst.loc Windows \\HKEY_LOCAL_MACHINE\Software\Oracle\inst_loc To check if all oracle homes are registered within the Central Inventory run the following command: ${ORACLE_HOME}/oui/bin/opatch lsinventory -all Invoking OPatch 10.2.0.3.0 Oracle interim Patch Installer version 10.2.0.3.0 Copyright (c) 2005, Oracle Corporation. All rights reserved.. Oracle Home : /software/oracle/OEM10gR2/agent10g Central Inventory : /software/oracle/oraInventory from : /var/opt/oracle/oraInst.loc OPatch version : 10.2.0.3.0 OUI version : 10.2.0.3.0 OUI location : /software/oracle/OEM10gR2/agent10g/oui Log file location : /software/oracle/OEM10gR2/agent10g/cfgtoollogs/opatch/opatch....log Lsinventory Output file location : /software/oracle/OEM10gR2/agent10g/cfgtoollogs/....lsinventory.....txt ----------------------------------... List of Oracle Homes:
Read more