On the way to the “Least Privilege Principle” – Privilege Analysis with the Oracle Database by Markus Flechtner

As a DBA you probably know the situation: one of the first SQL commands when installing third-party software is “GRANT DBA TO ..”. Or: the developers in your own development department don’t know which privileges they need in the database – and first demand DBA rights in the development environment.

And then the security officer appears on stage and says “everyone may only get the rights he really needs” – the well-known least privilege principle is required.

But how can this be found out?

Since database version 12c Oracle offers the feature “Privilege Analysis” for this purpose.

Unfortunately, the use of this feature was originally linked to the Database-Vault-License – and therefore not (legally) applicable for most DBAs.

This restriction was lifted in November 2018: all customers with Enterprise Edition are allowed to use the feature.

Reason enough to take a closer look at this functionality in the presentation: how can the DBA determine which rights the applications and users really need and set up a suitable rights concept for them?