Control Compliance Suite


Minimum privileges to scan Oracle 12c 

May 08, 2018 06:01 AM

To scan an Oracle database, CCS needs an account with privileges to import and scan the CCS Oracle asset. When asking a DBA to create a user for CCS, answering their question about which permissions are required takes a bit of research. The CCS Planning and Deployment Guide, in the section “Configuring credentials for asset import and data collection”, lists Symantec's general requirements for querying targets on Oracle. The last paragraph of that section has a link: “For information on minimum required privileges to query an Oracle database, see http://www.symantec.com/docs/HOWTO83943”.

Following the link above leads to “Privileges for Oracle database-related queries”:

  • Privileges required for Oracle Database Version 9i and later

| Privilege | Description |
|---|---|
| SELECT ANY DICTIONARY | Allows access to the required data dictionary objects. |
| SELECT ON SYSTEM.PRODUCT_USER_PROFILE | Allows access to the SYSTEM.PRODUCT_USER_PROFILE synonym, which is used for reporting in the SQL*Plus Security data source. |

 

Our DBA translated the above requirements into the following “SQL instructions”:

create role ccsoracle_role ;
grant SELECT ANY DICTIONARY to ccsoracle_role;
grant SELECT ON SYSTEM.PRODUCT_USER_PROFILE to ccsoracle_role;
create user ccsoracle identified by <password> default tablespace USERS temporary tablespace TEMP;
grant create session to ccsoracle;
grant ccsoracle_role to ccsoracle;

 

However, when we tried running a CCS scan against Oracle 12c assets, we got this error:

Failure occured in query execution. ERROR at line 1:=0AORA-01031: insufficient privileges=0A. Scope is database '<DB_NAME>' on server '<HOSTNAME>'

Oracle 11g scans worked fine (NOTE: we did not have older versions).

With help from our DBA, we reviewed the following information: https://support.oracle.com/knowledge/Oracle%20Database%20Products/2209413_1.html and granted "SELECT ON SYS.USER$" to our ccsoracle_role. After that scans on Oracle 12c worked fine.

Symantec Support was also contacted and they confirmed that "SELECT ON SYS.USER$" is required for Oracle 12c. We also asked them to update the information at https://support.symantec.com/en_US/article.HOWTO83943.html.

Updated “SQL instructions” to create the Oracle user/role that CCS will use to scan the Oracle asset with MINIMUM privileges (applicable for Oracle 9i up to Oracle 12c):

create role ccsoracle_role ;
grant SELECT ANY DICTIONARY to ccsoracle_role;
grant SELECT ON SYS.USER$ to ccsoracle_role;
grant SELECT ON SYSTEM.PRODUCT_USER_PROFILE to ccsoracle_role;
create user ccsoracle identified by <password> default tablespace USERS temporary tablespace TEMP;
grant create session to ccsoracle;
grant ccsoracle_role to ccsoracle;
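
To confirm that the scan account holds exactly these grants and nothing more, a DBA can compare the data dictionary against the list above. The query below is an added example, not part of the original post or of Symantec's documentation; it assumes the unquoted names ccsoracle and ccsoracle_role from the script (stored in uppercase) and a session that can read the DBA_* views.

```sql
-- Added example: compare the grants actually held by the CCS scan account
-- with the list from the script above. Run as a DBA (reads DBA_* views).
WITH expected AS (
  SELECT 'SYSTEM' AS grant_type, 'SELECT ANY DICTIONARY' AS privilege, '-' AS object_name FROM dual UNION ALL
  SELECT 'SYSTEM', 'CREATE SESSION', '-' FROM dual UNION ALL
  SELECT 'ROLE',   'CCSORACLE_ROLE', '-' FROM dual UNION ALL
  SELECT 'OBJECT', 'SELECT', 'SYS.USER$' FROM dual UNION ALL
  SELECT 'OBJECT', 'SELECT', 'SYSTEM.PRODUCT_USER_PROFILE' FROM dual
),
-- A grant made through a synonym is recorded against the base object,
-- so resolve the expected object names through DBA_SYNONYMS first.
expected_resolved AS (
  SELECT e.grant_type, e.privilege,
         NVL2(s.synonym_name, s.table_owner || '.' || s.table_name, e.object_name) AS object_name
  FROM expected e
  LEFT JOIN dba_synonyms s
    ON s.owner || '.' || s.synonym_name = e.object_name
),
-- Everything granted directly to the user or to its role.
actual AS (
  SELECT 'SYSTEM' AS grant_type, privilege, '-' AS object_name
  FROM dba_sys_privs WHERE grantee IN ('CCSORACLE', 'CCSORACLE_ROLE')
  UNION ALL
  SELECT 'ROLE', granted_role, '-'
  FROM dba_role_privs WHERE grantee IN ('CCSORACLE', 'CCSORACLE_ROLE')
  UNION ALL
  SELECT 'OBJECT', privilege, owner || '.' || table_name
  FROM dba_tab_privs WHERE grantee IN ('CCSORACLE', 'CCSORACLE_ROLE')
)
SELECT NVL(a.grant_type, e.grant_type)   AS grant_type,
       NVL(a.privilege, e.privilege)     AS privilege,
       NVL(a.object_name, e.object_name) AS object_name,
       CASE
         WHEN a.privilege IS NULL THEN 'MISSING'     -- scan may fail with ORA-01031
         WHEN e.privilege IS NULL THEN 'UNEXPECTED'  -- beyond the minimum listed above
         ELSE 'OK'
       END AS status
FROM actual a
FULL OUTER JOIN expected_resolved e
  ON  a.grant_type  = e.grant_type
  AND a.privilege   = e.privilege
  AND a.object_name = e.object_name
ORDER BY status, grant_type, privilege;
```

Rows marked MISSING point at a grant that was skipped; rows marked UNEXPECTED are privileges the account holds beyond the list in this post and are candidates for revocation.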
