SlideShare a Scribd company logo

OTech magazine article - Principle of Least Privilege

Biju Thomas
Biju Thomas

Original Magazine at http://www.otechmag.com/2014/otech-magazine-winter-2014/

Technology
1 of 7
Download to read offline
Winter 2014 And more: 18 authors, 17 articles, 4 ACE's, 6 ACE Directors, ... Future is now, ODI 12c Maturity of Service Oriented Architectures Enforcing Principle of Least Privilege ASM Metrics Content-Enabling Your Insurance Business Using Oracle BPM and WebCenter Content
Oracle Database 12c brings the Privilege Analysis feature to clearly identify the privileges required by an application for its functioning and tells the DBA which privileges can be revoked, to enforce the principle of least privilege and make the database and application more secure. Privilege analysis feature is available only in Enterprise Edition and it requires Database Vault license, which is an extra cost option. The good thing is that Database Vault need not be enabled to use Privilege Analysis - one less thing to worry. One of the top features of Oracle Database 12c that attracted me is the ability to enforce principle of least privilege with ease. Ever since database vendors started taking security seriously, the principle of least privilege theory is in play. To identify the privileges required by an application or user in Oracle database versions prior 12c was a tedious trial and error process. Many applications I have come across run with DBA or DBA like privileges, this is because no privilege analysis done at application design and development time. For application design and development team the focus is always on getting the development work completed and delivering the project. Security, especially least privilege, is not a focus item where team wants to spend time. It is easy to grant system privileges (especially DBA or ANY privileges like INSERT ANY TABLE) to get the application working. Biju Thomas - OneNeck IT Solutions Enforcing Principle of Least Privilege Figure 1: Privilege Analysis I will explain the steps using SQL command line as well as using Enterprise Manager Cloud Control 12c. To do the privilege analysis you need the CAPTURE_ADMIN role, this role is granted to DBA role, so if you have DBA privileges on the 12c database, you can perform the analysis. In a nutshell, privilege analysis works as below: - Define a capture - to identify what need to be analyzed - Enable the capture, to start capturing - Run the application or utility whose privilege need to be analyzed - Disable the capture - Generate results from capture for review - Implement the results, from the findings Oracle Database Security
SELECT ANY TABLE INSERT ANY TABLE UPDATE ANY TABLE DELETE ANY TABLE ALTER ANY TRIGGER CREATE PROCEDURE CREATE TABLE CREATE SYNONYM CREATE ANY INDEX ALL privs on ORDERS and ORDER_ITEMS tables CONNECT and DBA Roles OBJECT_TYPE COUNT(*) ----------------------- ---------SEQUENCE 1 LOB 15 TYPE BODY 3 TRIGGER 4 TABLE 14 INDEX 48 SYNONYM 6 VIEW 13 SQL> select object_type, count(*) from dba_objects where owner = 'OE' group by object_type; - Demo Environment For demonstration purposes I am going to use the OE schema that comes with Oracle Database 12c examples - it has 14 tables and several other objects. We want to analyze the privileges of OE_ADM user who currently has the following privileges. 1 37 - Database (G_DATABASE - 1): If no condition is defined, analyzes used privilege on all objects within the whole database. No condition or roles parameter specified for this type of capture. - Role (G_ROLE - 2): Analyses privileges exercised through a role. Specify the roles to analyze using the ROLES parameter. - Context (G_CONTEXT - 3): Use this to analyze privileges that are used through an application module or specific context. Specify a CONDITION to analyze - Role and Context (G_ROLE_AND_CONTEXT - 4): Combination of role and context. Define and Start Capture The very first step in privilege analysis is to create a capture, to define what actions need to be monitored. Four types of analysis can be defined in the capture: New package DBMS_PRIVILEGE_CAPTURE has the subprograms to manage the privilege analysis. The CAPTURE_ADMIN role has execute privilege on this package. OE_ADM user connects using SQL*Developer to run the scripts and reports. Our objective is to remove the ANY privileges from OE_ADM user and grant appropriate privileges based on the tasks performed during the analysis period. FUNCTION TYPE Oracle Database Security
Figure 2 shows the OEM screen to create a capture policy. With few clicks you can easily create the policy. Based on the context additional input is captured. Figure 2: OEM Screen to Create a Privilege Analysis Policy The CREATE_CAPTURE subprogram is used to define the capture. For our demo, we want to use the Role and Context, because we want to know what privilege from the DBA role is being used as well as what other privileges granted to OE_ADM are used when the application used is “SQL Developer”. BEGIN DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( name => 'Analyze_OE_ADM' , description => 'Review Privileges used by OE_ADM through SQL Developer' , type => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT , roles => ROLE_NAME_LIST('DBA','CONNECT') , condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''SQL Developer'' AND SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''OE_ADM'''); END; / The SQL to define the policy as shown in Figure 2 is: Oracle Database Security
EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE (name => 'Analyze_OE_ADM'); Stop Capture and Generate Reports Ok, now that OE_ADM user has performed their tasks using SQL Developer, let us stop the capture and review the privileges used. Now run the application and for a period of time, so that Oracle can capture all the privileges used. EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name => 'Analyze_OE_ADM'); You can click on the start button to start capture, or use the below SQL to start the capture. Figure 3: Privilege Analysis screen of OEM Once the policy is defined, it shows up in the OEM Privilege Analysis main screen, from where you can enable, disable, generate report and drop the policy. See figure 3. Once you run the Generate Results procedure, all the DBA_USED_ views as well as DBA_UNUSED_ views are populated. You may query these views to generate revoke scripts or to prepare reports. The DBA_USED_ views show the privileges used by the user for the policy. The DBA_UNUSED_ views show the privileges that are assigned to the user, but are not used. The _PATH views show the privilege path (how the privileged was given to the user, through which role). Figure 4: unused privileges OEM shows the number of unused privileges in the summary screen as shown in figure 4. EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT (name => 'Analyze_OE_ADM'); Using OEM you can click on the Stop Capture button as shown in Figure 3. Now click the Generate Report button. Using SQL you can accomplish this by : Oracle Database Security
Figure 5: OEM Options under Actions OEM makes it easier on you to see the reports and even generate a revoke script. Figure 5 shows the drop down menu under Actions. DBA_USED_OBJPRIVS DBA_USED_OBJPRIVS_PATH DBA_USED_PRIVS DBA_USED_PUBPRIVS DBA_USED_SYSPRIVS DBA_USED_SYSPRIVS_PATH DBA_USED_USERPRIVS DBA_USED_USERPRIVS_PATH DBA_UNUSED_COL_TABS DBA_UNUSED_OBJPRIVS DBA_UNUSED_OBJPRIVS_PATH DBA_UNUSED_PRIVS DBA_UNUSED_SYSPRIVS DBA_UNUSED_SYSPRIVS_PATH DBA_UNUSED_USERPRIVS DBA_UNUSED_USERPRIVS_PATH Capture Privilege - DBA Views Populated with Generate Results Procedure Figure 6: OEM Setup for Revoke Scripts Generation The Reports menu shows a summary, as well as used and unused privilege listing that you can export to an excel file. To be able to use the Revoke Scripts option, OEM needs to complete a setup as shown in figure 6. Oracle Database Security
This creates a new role for you with only the used privileges how sweet is that! Figure 7: Create Role screen of OEM The revoke script revokes all unused roles and privileges from the role granted to the user, in this case this is not desired, because we do not want to mess with the DBA role. Here the Create Role menu comes for help. Figure 7 shows the OEM screen to create the role; you have option to customize the role creation as well. OneNeck IT Solutions Biju Thomas Oracle Database Security

Recommended

Apex and Virtual Private Database
Apex and Virtual Private DatabaseApex and Virtual Private Database
Apex and Virtual Private DatabaseJeffrey Kemp
 
Vpd
VpdVpd
VpdSage Computing Services
 
4 01 peters
4 01 peters4 01 peters
4 01 petersvenkat0001
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW AuditingDB2Locksmith
 
SQL Server Admin Best Practices with DMV's
SQL Server Admin Best Practices with DMV'sSQL Server Admin Best Practices with DMV's
SQL Server Admin Best Practices with DMV'sSparkhound Inc.
 
Getting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialGetting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialSam Garforth
 
Vpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By SaurabhVpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By Saurabhguestd83b546
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionIvica Arsov
 

Recommended

Apex and Virtual Private Database
Apex and Virtual Private DatabaseApex and Virtual Private Database
Apex and Virtual Private DatabaseJeffrey Kemp
 
Vpd
VpdVpd
VpdSage Computing Services
 
4 01 peters
4 01 peters4 01 peters
4 01 petersvenkat0001
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW AuditingDB2Locksmith
 
SQL Server Admin Best Practices with DMV's
SQL Server Admin Best Practices with DMV'sSQL Server Admin Best Practices with DMV's
SQL Server Admin Best Practices with DMV'sSparkhound Inc.
 
Getting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialGetting Started with Nastel AutoPilot Business Views and Policies - a Tutorial
Getting Started with Nastel AutoPilot Business Views and Policies - a TutorialSam Garforth
 
Vpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By SaurabhVpd Virtual Private Database By Saurabh
Vpd Virtual Private Database By Saurabhguestd83b546
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionIvica Arsov
 
DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security EnhancementsLaura Hood
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionAlex Zaballa
 
Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015 Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015 Alex Zaballa
 
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq lsTony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq lsInSync Conference
 
Database Foundation Training
Database Foundation TrainingDatabase Foundation Training
Database Foundation TrainingFranky Lao
 
Obiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guideObiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guideAmit Sharma
 
Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14Alex Zaballa
 
Database security
Database securityDatabase security
Database securityJaved Khan
 
Cua setup procedure SAP security
Cua setup procedure SAP securityCua setup procedure SAP security
Cua setup procedure SAP securitySiva Pradeep Bolisetti
 
security-checklist-database
security-checklist-databasesecurity-checklist-database
security-checklist-databaseMohsen B
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security conceptsSiva Pradeep Bolisetti
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriLucas Jellema
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questionsSiva Pradeep Bolisetti
 
Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabaseMarkus Flechtner
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and MonitoringMark Leith
 
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptxFive_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptxMaria Colgan
 
What is sap security
What is sap securityWhat is sap security
What is sap securitygrconlinetraining
 
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...Leighton Nelson
 
Oracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or lessOracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or lessLeon Rzhemovskiy
 
oracle
oracleoracle
oracletarunamoria
 

More Related Content

What's hot

DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security EnhancementsLaura Hood
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data RedactionAlex Zaballa
 
Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015 Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015 Alex Zaballa
 
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq lsTony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq lsInSync Conference
 
Database Foundation Training
Database Foundation TrainingDatabase Foundation Training
Database Foundation TrainingFranky Lao
 
Obiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guideObiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guideAmit Sharma
 
Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14Alex Zaballa
 
Database security
Database securityDatabase security
Database securityJaved Khan
 
security-checklist-database
security-checklist-databasesecurity-checklist-database
security-checklist-databaseMohsen B
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questionssumitmsn2
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriLucas Jellema
 

What's hot (15)

DB2 10 Security Enhancements
DB2 10 Security EnhancementsDB2 10 Security Enhancements
DB2 10 Security Enhancements
 
Oracle Data Redaction
Oracle Data RedactionOracle Data Redaction
Oracle Data Redaction
 
Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015 Data Redaction - OTN TOUR LA 2015
Data Redaction - OTN TOUR LA 2015
 
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq lsTony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
 
Database Foundation Training
Database Foundation TrainingDatabase Foundation Training
Database Foundation Training
 
Obiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guideObiee 11.1.1.5 installation and configuration guide
Obiee 11.1.1.5 installation and configuration guide
 
Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14Oracle Data Redaction - UKOUG - TECH14
Oracle Data Redaction - UKOUG - TECH14
 
Database security
Database securityDatabase security
Database security
 
Cua setup procedure SAP security
Cua setup procedure SAP securityCua setup procedure SAP security
Cua setup procedure SAP security
 
security-checklist-database
security-checklist-databasesecurity-checklist-database
security-checklist-database
 
sap security interview_questions
sap security interview_questionssap security interview_questions
sap security interview_questions
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.info
 
SAP BI 7 security concepts
SAP BI 7 security conceptsSAP BI 7 security concepts
SAP BI 7 security concepts
 
Introducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL PotpourriIntroducing Application Context - from the PL/SQL Potpourri
Introducing Application Context - from the PL/SQL Potpourri
 
SAP Security interview questions
SAP Security interview questionsSAP Security interview questions
SAP Security interview questions
 

Similar to OTech magazine article - Principle of Least Privilege

Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabaseMarkus Flechtner
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and MonitoringMark Leith
 
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptxFive_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptxMaria Colgan
 
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...Leighton Nelson
 
Oracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or lessOracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or lessLeon Rzhemovskiy
 
MySQL Performance Schema : fossasia
MySQL Performance Schema : fossasiaMySQL Performance Schema : fossasia
MySQL Performance Schema : fossasiaMayank Prasad
 
Performance schema and_ps_helper
Performance schema and_ps_helperPerformance schema and_ps_helper
Performance schema and_ps_helperMark Leith
 
patchVantage Cloud Starter Pack
patchVantage Cloud Starter Pack patchVantage Cloud Starter Pack
patchVantage Cloud Starter Pack David McNish
 
DB2UDB_the_Basics Day 3
DB2UDB_the_Basics Day 3DB2UDB_the_Basics Day 3
DB2UDB_the_Basics Day 3Pranav Prakash
 
How to analyze_table_through_informatica
How to analyze_table_through_informaticaHow to analyze_table_through_informatica
How to analyze_table_through_informaticasushantbit04
 
Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11Thuan Nguyen
 
Cursor injection
Cursor injectionCursor injection
Cursor injectionfangjiafu
 
D73549GC10_06.pptx
D73549GC10_06.pptxD73549GC10_06.pptx
D73549GC10_06.pptxVLQuyNhn
 

Similar to OTech magazine article - Principle of Least Privilege (20)

Privilege Analysis with the Oracle Database
Privilege Analysis with the Oracle DatabasePrivilege Analysis with the Oracle Database
Privilege Analysis with the Oracle Database
 
MySQL Administration and Monitoring
MySQL Administration and MonitoringMySQL Administration and Monitoring
MySQL Administration and Monitoring
 
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptxFive_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
 
What is sap security
What is sap securityWhat is sap security
What is sap security
 
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
UPGRADING FROM ORACLE ENTERPRISE MANAGER 10G TO CLOUD CONTROL 12C WITH ZERO D...
 
Oracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or lessOracle audit and reporting in one hour or less
Oracle audit and reporting in one hour or less
 
oracle
oracleoracle
oracle
 
Sherlock holmes for dba’s
Sherlock holmes for dba’sSherlock holmes for dba’s
Sherlock holmes for dba’s
 
Aspects of 10 Tuning
Aspects of 10 TuningAspects of 10 Tuning
Aspects of 10 Tuning
 
MySQL Performance Schema : fossasia
MySQL Performance Schema : fossasiaMySQL Performance Schema : fossasia
MySQL Performance Schema : fossasia
 
Performance schema and_ps_helper
Performance schema and_ps_helperPerformance schema and_ps_helper
Performance schema and_ps_helper
 
patchVantage Cloud Starter Pack
patchVantage Cloud Starter Pack patchVantage Cloud Starter Pack
patchVantage Cloud Starter Pack
 
DB2UDB_the_Basics Day 3
DB2UDB_the_Basics Day 3DB2UDB_the_Basics Day 3
DB2UDB_the_Basics Day 3
 
Less11 Security
Less11 SecurityLess11 Security
Less11 Security
 
Sap basis and_security_administration
Sap basis and_security_administrationSap basis and_security_administration
Sap basis and_security_administration
 
How to analyze_table_through_informatica
How to analyze_table_through_informaticaHow to analyze_table_through_informatica
How to analyze_table_through_informatica
 
Oracle SQL Tuning
Oracle SQL TuningOracle SQL Tuning
Oracle SQL Tuning
 
Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11Oracle - Program with PL/SQL - Lession 11
Oracle - Program with PL/SQL - Lession 11
 
Cursor injection
Cursor injectionCursor injection
Cursor injection
 
D73549GC10_06.pptx
D73549GC10_06.pptxD73549GC10_06.pptx
D73549GC10_06.pptx
 

More from Biju Thomas

Notes from #OOW19
Notes from #OOW19Notes from #OOW19
Notes from #OOW19Biju Thomas
 
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12Biju Thomas
 
Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2Biju Thomas
 
GLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesGLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesBiju Thomas
 
GLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
GLOC 2014 NEOOUG - R12 Upgrade Downtime ReductionGLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
GLOC 2014 NEOOUG - R12 Upgrade Downtime ReductionBiju Thomas
 
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1Biju Thomas
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsBiju Thomas
 
Install oracle database 12c software on windows
Install oracle database 12c software on windowsInstall oracle database 12c software on windows
Install oracle database 12c software on windowsBiju Thomas
 
2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation2008 Collaborate IOUG Presentation
2008 Collaborate IOUG PresentationBiju Thomas
 
2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation2009 Collaborate IOUG Presentation
2009 Collaborate IOUG PresentationBiju Thomas
 
2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG PresentationBiju Thomas
 
2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - PresentationBiju Thomas
 

More from Biju Thomas (12)

Notes from #OOW19
Notes from #OOW19Notes from #OOW19
Notes from #OOW19
 
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12
 
Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2Install and upgrade Oracle grid infrastructure 12.1.0.2
Install and upgrade Oracle grid infrastructure 12.1.0.2
 
GLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New FeaturesGLOC 2014 NEOOUG - Oracle Database 12c New Features
GLOC 2014 NEOOUG - Oracle Database 12c New Features
 
GLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
GLOC 2014 NEOOUG - R12 Upgrade Downtime ReductionGLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
GLOC 2014 NEOOUG - R12 Upgrade Downtime Reduction
 
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
Collaborate 2014 OAUG - EBS 11i Upgrade to R12 - Compare versions 12.2 vs 12.1
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windows
 
Install oracle database 12c software on windows
Install oracle database 12c software on windowsInstall oracle database 12c software on windows
Install oracle database 12c software on windows
 
2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation2008 Collaborate IOUG Presentation
2008 Collaborate IOUG Presentation
 
2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation2009 Collaborate IOUG Presentation
2009 Collaborate IOUG Presentation
 
2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation
 
2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation2013 Collaborate - OAUG - Presentation
2013 Collaborate - OAUG - Presentation
 

Recently uploaded

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

OTech magazine article - Principle of Least Privilege

  • 1. Winter 2014 And more: 18 authors, 17 articles, 4 ACE's, 6 ACE Directors, ... Future is now, ODI 12c Maturity of Service Oriented Architectures Enforcing Principle of Least Privilege ASM Metrics Content-Enabling Your Insurance Business Using Oracle BPM and WebCenter Content
  • 2. Oracle Database 12c brings the Privilege Analysis feature to clearly identify the privileges required by an application for its functioning and tells the DBA which privileges can be revoked, to enforce the principle of least privilege and make the database and application more secure. Privilege analysis feature is available only in Enterprise Edition and it requires Database Vault license, which is an extra cost option. The good thing is that Database Vault need not be enabled to use Privilege Analysis - one less thing to worry. One of the top features of Oracle Database 12c that attracted me is the ability to enforce principle of least privilege with ease. Ever since database vendors started taking security seriously, the principle of least privilege theory is in play. To identify the privileges required by an application or user in Oracle database versions prior 12c was a tedious trial and error process. Many applications I have come across run with DBA or DBA like privileges, this is because no privilege analysis done at application design and development time. For application design and development team the focus is always on getting the development work completed and delivering the project. Security, especially least privilege, is not a focus item where team wants to spend time. It is easy to grant system privileges (especially DBA or ANY privileges like INSERT ANY TABLE) to get the application working. Biju Thomas - OneNeck IT Solutions Enforcing Principle of Least Privilege Figure 1: Privilege Analysis I will explain the steps using SQL command line as well as using Enterprise Manager Cloud Control 12c. To do the privilege analysis you need the CAPTURE_ADMIN role, this role is granted to DBA role, so if you have DBA privileges on the 12c database, you can perform the analysis. In a nutshell, privilege analysis works as below: - Define a capture - to identify what need to be analyzed - Enable the capture, to start capturing - Run the application or utility whose privilege need to be analyzed - Disable the capture - Generate results from capture for review - Implement the results, from the findings Oracle Database Security
  • 3. SELECT ANY TABLE INSERT ANY TABLE UPDATE ANY TABLE DELETE ANY TABLE ALTER ANY TRIGGER CREATE PROCEDURE CREATE TABLE CREATE SYNONYM CREATE ANY INDEX ALL privs on ORDERS and ORDER_ITEMS tables CONNECT and DBA Roles OBJECT_TYPE COUNT(*) ----------------------- ---------SEQUENCE 1 LOB 15 TYPE BODY 3 TRIGGER 4 TABLE 14 INDEX 48 SYNONYM 6 VIEW 13 SQL> select object_type, count(*) from dba_objects where owner = 'OE' group by object_type; - Demo Environment For demonstration purposes I am going to use the OE schema that comes with Oracle Database 12c examples - it has 14 tables and several other objects. We want to analyze the privileges of OE_ADM user who currently has the following privileges. 1 37 - Database (G_DATABASE - 1): If no condition is defined, analyzes used privilege on all objects within the whole database. No condition or roles parameter specified for this type of capture. - Role (G_ROLE - 2): Analyses privileges exercised through a role. Specify the roles to analyze using the ROLES parameter. - Context (G_CONTEXT - 3): Use this to analyze privileges that are used through an application module or specific context. Specify a CONDITION to analyze - Role and Context (G_ROLE_AND_CONTEXT - 4): Combination of role and context. Define and Start Capture The very first step in privilege analysis is to create a capture, to define what actions need to be monitored. Four types of analysis can be defined in the capture: New package DBMS_PRIVILEGE_CAPTURE has the subprograms to manage the privilege analysis. The CAPTURE_ADMIN role has execute privilege on this package. OE_ADM user connects using SQL*Developer to run the scripts and reports. Our objective is to remove the ANY privileges from OE_ADM user and grant appropriate privileges based on the tasks performed during the analysis period. FUNCTION TYPE Oracle Database Security
  • 4. Figure 2 shows the OEM screen to create a capture policy. With few clicks you can easily create the policy. Based on the context additional input is captured. Figure 2: OEM Screen to Create a Privilege Analysis Policy The CREATE_CAPTURE subprogram is used to define the capture. For our demo, we want to use the Role and Context, because we want to know what privilege from the DBA role is being used as well as what other privileges granted to OE_ADM are used when the application used is “SQL Developer”. BEGIN DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( name => 'Analyze_OE_ADM' , description => 'Review Privileges used by OE_ADM through SQL Developer' , type => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT , roles => ROLE_NAME_LIST('DBA','CONNECT') , condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''SQL Developer'' AND SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''OE_ADM'''); END; / The SQL to define the policy as shown in Figure 2 is: Oracle Database Security
  • 5. EXECUTE DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE (name => 'Analyze_OE_ADM'); Stop Capture and Generate Reports Ok, now that OE_ADM user has performed their tasks using SQL Developer, let us stop the capture and review the privileges used. Now run the application and for a period of time, so that Oracle can capture all the privileges used. EXECUTE DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name => 'Analyze_OE_ADM'); You can click on the start button to start capture, or use the below SQL to start the capture. Figure 3: Privilege Analysis screen of OEM Once the policy is defined, it shows up in the OEM Privilege Analysis main screen, from where you can enable, disable, generate report and drop the policy. See figure 3. Once you run the Generate Results procedure, all the DBA_USED_ views as well as DBA_UNUSED_ views are populated. You may query these views to generate revoke scripts or to prepare reports. The DBA_USED_ views show the privileges used by the user for the policy. The DBA_UNUSED_ views show the privileges that are assigned to the user, but are not used. The _PATH views show the privilege path (how the privileged was given to the user, through which role). Figure 4: unused privileges OEM shows the number of unused privileges in the summary screen as shown in figure 4. EXECUTE DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT (name => 'Analyze_OE_ADM'); Using OEM you can click on the Stop Capture button as shown in Figure 3. Now click the Generate Report button. Using SQL you can accomplish this by : Oracle Database Security
  • 6. Figure 5: OEM Options under Actions OEM makes it easier on you to see the reports and even generate a revoke script. Figure 5 shows the drop down menu under Actions. DBA_USED_OBJPRIVS DBA_USED_OBJPRIVS_PATH DBA_USED_PRIVS DBA_USED_PUBPRIVS DBA_USED_SYSPRIVS DBA_USED_SYSPRIVS_PATH DBA_USED_USERPRIVS DBA_USED_USERPRIVS_PATH DBA_UNUSED_COL_TABS DBA_UNUSED_OBJPRIVS DBA_UNUSED_OBJPRIVS_PATH DBA_UNUSED_PRIVS DBA_UNUSED_SYSPRIVS DBA_UNUSED_SYSPRIVS_PATH DBA_UNUSED_USERPRIVS DBA_UNUSED_USERPRIVS_PATH Capture Privilege - DBA Views Populated with Generate Results Procedure Figure 6: OEM Setup for Revoke Scripts Generation The Reports menu shows a summary, as well as used and unused privilege listing that you can export to an excel file. To be able to use the Revoke Scripts option, OEM needs to complete a setup as shown in figure 6. Oracle Database Security
  • 7. This creates a new role for you with only the used privileges how sweet is that! Figure 7: Create Role screen of OEM The revoke script revokes all unused roles and privileges from the role granted to the user, in this case this is not desired, because we do not want to mess with the DBA role. Here the Create Role menu comes for help. Figure 7 shows the OEM screen to create the role; you have option to customize the role creation as well. OneNeck IT Solutions Biju Thomas Oracle Database Security