The DBMS_PRIVILEGE_CAPTURE package provides an interface to database privilege analysis.
See Also:
Oracle Database Vault Administrator's Guide regarding on how to analyze the use of privilege grantsThis chapter contains the following topics:
Overview
Security Model
Constants
Examples
Database privilege analysis enables you to create a policy that records the usage of system and object privileges that have been granted to users. You then can determine the privileges that your users are using and not using. From there, you can revoke any unused privileges, thereby reducing the number of excess privilege grants for users.
By analyzing the privileges that users must have to perform specific tasks, privilege analysis policies help you to achieve a least privilege model for your users.
The privilege analysis administrator role, CAPTURE_ADMIN, is granted EXECUTE permission on the DBMS_PRIVILEGE_CAPTURE package by default.
The CAPTURE_ADMIN role is granted to the DBA role WITH ADMIN OPTION during database installation.
The DBMS_PRIVILEGE_CAPTURE package uses the constants shown in the following table:
Table 115-1 Values for "type" Parameter of DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE
| Constant | Value | Type | Description |
|---|---|---|---|
|
|
|
|
Analyzes all privilege use, except privileges used by the |
|
|
|
|
Analyzes privilege use for the specified roles. |
|
|
3 |
|
Analyzes privilege use when the |
|
|
4 |
|
Analyzes privilege use for the specified roles when the |
The following examples illustrate using the DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE procedure to create various types of privilege analysis, like database analysis, role analysis, and context-specific analysis. The examples also illustrate combining different conditions in context-specific analysis.
--Create a database privilege analysis policy
BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'all_priv_analysis_pol',
description => 'database-wide policy to analyze all privileges',
type => DBMS_PRIVILEGE_CAPTURE.G_DATABASE);
END;
--Create a privilege analysis policy to analyze privileges from the role PUBLIC
BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'pub_analysis_pol',
description => 'Policy to record privilege use by PUBLIC',
type => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
roles => role_name_list('PUBLIC'));
END;
-- Create a policy to analyze privileges from the application module, "Account
-- Payable"
BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'acc_pay_analysis_pol',
type => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''Account Payable''');
END;
-- Create a policy that records privileges for session user APPS when running the
-- application module "Account Payable"
BEGIN
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
name => 'acc_pay_analysis_pol',
type => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''Account Payable'' AND
SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APPS''');
END;
Table 115-2 DBMS_PRIVILEGE_CAPTURE Package Subprograms
| Subprogram | Description |
|---|---|
|
Creates a policy that specifies the conditions for analyzing privilege use. |
|
|
Stops the recording of privilege use for a specified privilege analysis policy |
|
|
Removes a privilege analysis policy together with the data recorded |
|
|
Starts the recording of privilege analysis for a specified privilege analysis policy |
|
|
Populates the privilege analysis data dictionary views with data |
This procedure creates a privilege analysis policy that specifies the conditions for analyzing privilege use. It also optionally specifies the roles for which privilege use is to be analyzed, and the conditions under which privilege use is to be analyzed.
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( name IN VARCHAR2, description IN VARCHAR2 DEFAULT NULL, type IN NUMBER DEFAULT G_DATABASE, roles IN ROLE_NAME_LIST DEFAULT ROLE_NAME_LIST(), condition IN VARCHAR2 DEFAULT NULL);
Table 115-3 CREATE_CAPTURE Procedure Parameters
| Parameter | Description |
|---|---|
|
|
Name of the privilege analysis policy. A string of size up to 30 characters. |
|
|
Description of the policy (up to 1024 characters) |
|
|
Type of the privilege analysis policy. Possible values are:
|
|
|
The roles whose privileges are to be analyzed. Required if the |
|
|
PL/SQL boolean expression containing up to 4000 characters. Required if |
When using role-based analysis for the CREATE_CAPTURE procedure, privilege use is analyzed even if the privilege is indirectly granted to the specified role.
For example, say role R2 contains role R1, and R1 contains privilege P1. If the privilege policy includes only role R2, any use of the P1 privilege is still analyzed, as privilege P1 is an indirect part of role R2.
When using the condition parameter, use the following syntax for the PL/SQL expression:
condition::= predicate | (predicate1) AND (predicate2) | (predicate1) OR (predicate2)
Where,
predicate::= sys_context(namespace, attribute) relop constant_value | sys_context(namespace, attribute) between constant_value and constant_value | sys_context(namespace, attribute) in {constant_value (,constant_value)* }
Where,
relop::= = | < | <= | > | >= | <>
A privilege analysis policy cannot analyze the use of SYS user privileges.
This procedure stops the recording of privilege use for a specified privilege analysis policy. When a policy is disabled, privilege use meeting the policy condition is no longer recorded.
This procedure removes a privilege analysis policy together with the data recorded. When a policy is removed, all previously recorded privilege use data associated with the policy is deleted.
This procedure starts the recording of privilege analysis for a specified privilege analysis policy. After a policy is enabled, all privilege use under the policy condition is recorded.
The following usage notes apply:
When a privilege analysis policy is first created, it is disabled by default. You must run ENABLE_CAPTURE to enable the privilege analysis policy.
You can enable only one privilege analysis policy at a time. However, a database-wide privilege analysis of the G_DATABASE type can be enabled together with another non G_DATABASE privilege analysis.