Privilege Analysis

It is possible to use privilege analysis without having Database Vault configured.

Define Policy

The following example defines a role and context capture policy:

BEGIN
  -- Capture privileges used through the listed roles, but only in
  -- sessions where the condition evaluates to true.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE (
    name      => 'rolecontext_policy',
    type      => DBMS_PRIVILEGE_CAPTURE.g_role_and_context,
    roles     => role_name_list('DBA', 'EXP_FULL_DATABASE'),
    condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''SYSTEM''');
END;

Other types available are …

  • g_database
  • g_role
  • g_context

Use the view DBA_PRIV_CAPTURES to view details on existing privilege capture policies.

Enable Policy

BEGIN
  DBMS_PRIVILEGE_CAPTURE.enable_capture('rolecontext_policy');
END;

Disable Policy

After a few days have passed, you must disable the capture before you can see the results.

BEGIN
  DBMS_PRIVILEGE_CAPTURE.disable_capture('rolecontext_policy');
END;

Generate Results

BEGIN
  DBMS_PRIVILEGE_CAPTURE.generate_result('rolecontext_policy');
END;

The following views can now be used to see the results …

  • DBA_USED_SYSPRIVS
  • DBA_USED_SYSPRIVS_PATH
  • DBA_USED_OBJPRIVS
  • DBA_USED_OBJPRIVS_PATH
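
Added example (not part of the original page): queries over the result views listed above, run after generate_result has completed for 'rolecontext_policy'. The last query assumes USED_ROLE holds the role that directly carries the privilege, so treat its output as candidates to review before revoking anything.

```sql
-- 1. System privileges exercised during the capture, per user and role.
SELECT username, used_role, sys_priv
FROM   dba_used_sysprivs
WHERE  capture = 'rolecontext_policy'
ORDER  BY username, used_role, sys_priv;

-- 2. Object privileges exercised, with the object they were used on.
SELECT username, used_role, obj_priv, object_owner, object_name, object_type
FROM   dba_used_objprivs
WHERE  capture = 'rolecontext_policy'
ORDER  BY username, object_owner, object_name, obj_priv;

-- 3. Grant path (user -> role -> ... ) behind each used system privilege.
SELECT username, sys_priv, path
FROM   dba_used_sysprivs_path
WHERE  capture = 'rolecontext_policy'
ORDER  BY username, sys_priv;

-- 4. Least-privilege candidates: system privileges granted directly to the
--    analysed roles with no recorded use through that role in this capture.
--    Assumption: USED_ROLE is the role directly holding the privilege;
--    privileges reached through nested roles need the path view (query 3).
SELECT sp.grantee AS role_name, sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.grantee IN ('DBA', 'EXP_FULL_DATABASE')
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_used_sysprivs u
         WHERE  u.capture   = 'rolecontext_policy'
         AND    u.used_role = sp.grantee
         AND    u.sys_priv  = sp.privilege)
ORDER  BY sp.grantee, sp.privilege;
```
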
privilegeanalysis.txt · Last modified: 2021/12/06 11:30 by 127.0.0.1