Mastering the Art of Least Privilege: Oracle Privilege Analysis in 23ai

 In the fast-paced world of database administration and development, the pressure to get things done often collides with the need for security. How many times have you, as a DBA, succumbed to the temptation of granting SELECT ANY TABLE or DBA privileges to a developer just to bypass a perplexing ORA-00942: table or view does not exist error? We’ve all been there. It’s the "Get it Working Now, Fix it Later" approach. The problem is, "later" rarely comes, and your database becomes a Swiss cheese of excessive permissions.

This is the anti-pattern of the Principle of Least Privilege (PoLP), which dictates that a user should only have the privileges necessary to perform their specific job - no more, no less. Over-privileged users are a massive security risk, turning a single compromised account into a database-wide breach.

Oracle Database 23ai changes the game. With its focus on "Security by Design," 23ai introduces features that make implementing least privilege not just possible, but practical. And at the heart of this strategy is Oracle Privilege Analysis.

What is Privilege Analysis?

Privilege Analysis, first introduced (licensable) in 12c and now a key component of the security suite, provides a mechanism to monitor a database and report on the privileges used by a user, a role, or an entire database. It compares the privileges granted with the privileges actually used during a defined capture period.

This tool transforms security from a guessing game into an evidence-based discipline. It answers the critical questions:

  • My application user has SELECT ANY TABLE. Does it actually use it, or is it just sitting there?

  • We granted DBA to a developer a year ago. What have they actually used it for?

  • Can I safely revoke these powerful privileges without breaking the application?

The Privilege Analysis Workflow

The workflow involves four straightforward steps, all managed via the DBMS_PRIVILEGE_CAPTURE package.

Step 1: Define the Capture Policy

You first define what you want to analyze. You can capture privileges for the entire database (G_DATABASE), but it’s often more effective to be specific.

  • By Role (G_ROLE): Analyze all users who are currently enabled with a specific role. This is perfect for verifying the new DB_DEVELOPER_ROLE.

  • By Context (G_CONTEXT): Analyze privileges based on specific session contexts. The most common use case is analyzing a specific user.

Example: Creating a policy to analyze a specific application user.


BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'app_user_analysis',
    description => 'Analyze privileges used by the main application user',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APP_USER'''
  );
END;
/

Step 2: Enable the Capture

Once the policy is defined, you turn on the recorder.

EXEC DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('app_user_analysis');

This is where planning is key. You need to let the capture run for a period that covers all relevant business activities. If you only capture for an hour, you might miss important, infrequent operations (like end-of-month reporting or specific batch jobs). A full business cycle (e.g., one week or one month) is ideal.

Step 3: Stop and Generate Results

When your analysis window is complete, stop the capture. Crucially, you must then generate the results, which processes the captured raw data into readable Data Dictionary views.

EXEC DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('app_user_analysis');

EXEC DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('app_user_analysis');

Step 4: Analyze and Act

This is the payoff. You now query the Data Dictionary views to see the results. The most powerful views are:

  • DBA_USED_PRIVS: Shows all privileges that were actually exercised by the target during the capture period. This is your baseline of required privileges.

  • DBA_UNUSED_PRIVS: This is your hit list. It lists all granted privileges that were never used during the capture.

Turning Insight into Action in 23ai

The results from DBA_UNUSED_PRIVS provide clear, evidence-based recommendations for revoking over-privileged access.

With Oracle 23ai, you can be incredibly effective with this information. Instead of just revoking SELECT ANY TABLE (which might break a future application function), you can use the analysis to see which specific schemas the user actually queries.

For example, if DBA_USED_PRIVS shows the user only accessed HR.EMPLOYEES and FINANCE.INVOICES, you can:

  1. Revoke the dangerous SELECT ANY TABLE.

  2. Use the new 23ai schema-level grants to provide access only where needed:

    • GRANT SELECT ANY TABLE ON SCHEMA HR TO APP_USER;

    • GRANT SELECT ANY TABLE ON SCHEMA FINANCE TO APP_USER;

Conclusion: Security by Evidence

For too long, database security has relied on broad, "just in case" privilege grants that create significant vulnerabilities. Oracle Database 23ai provides the tools to break this cycle, and Privilege Analysis is the engine that drives this transformation.

By moving from a "guess-and-grant" model to an "analyze-and-refine" model, DBAs and security officers can finally implement a robust Least Privilege strategy. Privilege Analysis provides the evidence required to make surgical, safe, and effective security decisions, proving that in 23ai, security is no longer an afterthought - it’s built-in.

Comments

Post a Comment

Popular posts from this blog

ORA-65139: Mismatch between XML metadata file and data file

Error: CDB$ROOT@EBTUPRDC> CREATE PLUGGABLE DATABASE EBTUSPRDPDB1 using '/home/oracle/EBTUSPRDC.xml' nocopy tempfile reuse; CREATE PLUGGABLE DATABASE EBTUSPRDPDB1 using '/home/oracle/EBTUSPRDC.xml' nocopy tempfile reuse * ERROR at line 1: ORA-65139: Mismatch between XML metadata file and data file /u05/odb/ORADATA_1/EBTUSPRDC/datafile/system.1531.807800993 for value of fcpsb (2230502002 in the plug XML file, 2230505492 in the data file) Fix: Don't open Non-CDB database until we complete pdb creation other wise we will get above error. Shutdown immediate; startup mount; alter database open read only; create xml file. shutdown immediate; Connect to CDB and Create Pluggable database .
Read more

Useful OEM Queries to get Target details from OEM Repository

List Targets with TNS Listener ports configured : SELECT mgmt$target.host_name , mgmt$target.target_name , mgmt$target.target_type , mgmt$target_properties.property_name , mgmt$target_properties.property_value FROM mgmt$target , mgmt$target_properties WHERE ( mgmt$target.target_name = mgmt$target_properties.target_name ) AND ( mgmt$target.target_type = mgmt$target_properties.target_type ) and ( mgmt$target.target_type = 'oracle_listener' ) and ( mgmt$target_properties.property_name = 'Port' ); Devora02       LISTENER_ora02                       oracle_listener Port 1529 Devora01       LISTENER_ora01                       oracle_listener Port 1529 Devora04       LISTENE...
Read more

TFA-00002 : Oracle Trace File Analyzer (TFA) is not running

TFA Failed to start listening for commands on one of the Rac Node : As a root user /etc/init.d/init.tfa  start Starting TFA.. start: Job is already running: oracle-tfa Waiting up to 100 seconds for TFA to be started.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Successfully started TFA Process.. . . . . . TFA-00002 : Oracle Trace File Analyzer (TFA) is not running TFA Failed to start listening for commands Solution : run synctfanodes.sh  if you have root password . if no root password copy below files to TFA Failed node and try to restart TFA .. Please check whether these 4 files exist on all nodes are similar. TFA_HOME/server.jks TFA_HOME/client.jks TFA_HOME/internal/ssl.properties   TFA_HOME/internal/ portmapping.txt If not similar just copy these files to TFA Failing node and try TFA Restart ..It Worked for me .   [root@host01]# ./tfactl  -v "debug" start Starting TFA...
Read more