130 DBMS_PRIVILEGE_CAPTURE
The DBMS_PRIVILEGE_CAPTURE
package provides an interface to database privilege analysis.
See Also:
Oracle® Database Security Guide regarding on how to analyze the use of privilege grants
This chapter contains the following topics:
130.1 DBMS_PRIVILEGE_CAPTURE Overview
Database privilege analysis enables you to create a policy that records the usage of system and object privileges that have been granted to users. You then can determine the privileges that your users are using and not using. From there, you can revoke any unused privileges, thereby reducing the number of excess privilege grants for users.
By analyzing the privileges that users must have to perform specific tasks, privilege analysis policies help you to achieve a least privilege model for your users.
130.2 DBMS_PRIVILEGE_CAPTURE Security Model
The privilege analysis administrator role, CAPTURE_ADMIN,
is granted EXECUTE
permission on the DBMS_PRIVILEGE_CAPTURE
package by default.
The CAPTURE_ADMIN
role is granted to the DBA
role during database installation.
130.3 DBMS_PRIVILEGE_CAPTURE Constants
The DBMS_PRIVILEGE_CAPTURE
package defines several enumerated constants for specifying parameter values.
Table 130-1 DBMS_PRIVILEGE_CAPTURE Constants
Constant | Value | Type | Description |
---|---|---|---|
|
|
|
Analyzes all privilege use, except privileges used by the |
|
|
|
Analyzes privilege use for the specified roles. |
|
3 |
|
Analyzes privilege use when the |
|
4 |
|
Analyzes privilege use for the specified roles when the |
130.4 DBMS_PRIVILEGE_CAPTURE Examples
These examples illustrate using the DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE
procedure to create various types of privilege analysis, like database analysis, role analysis, and context-specific analysis. The examples also illustrate combining different conditions in context-specific analysis.
--Create a database privilege analysis policy BEGIN DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( name => 'all_priv_analysis_pol', description => 'database-wide policy to analyze all privileges', type => DBMS_PRIVILEGE_CAPTURE.G_DATABASE); END; --Create a privilege analysis policy to analyze privileges from the role PUBLIC BEGIN DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( name => 'pub_analysis_pol', description => 'Policy to record privilege use by PUBLIC', type => DBMS_PRIVILEGE_CAPTURE.G_ROLE, roles => role_name_list('PUBLIC')); END; -- Create a policy to analyze privileges from the application module, "Account -- Payable" BEGIN DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( name => 'acc_pay_analysis_pol', type => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT, condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''Account Payable'''); END; -- Create a policy that records privileges for session user APPS when running the -- application module "Account Payable" BEGIN DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE( name => 'acc_pay_analysis_pol', type => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT, condition => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''Account Payable'' AND SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APPS'''); END;
130.5 Summary of DBMS_PRIVILEGE_CAPTURE Subprograms
This table lists and briefly describes the DBMS_PRIVILEGE_CAPTURE
package subprograms.
Table 130-2 DBMS_PRIVILEGE_CAPTURE Package Subprograms
Subprogram | Description |
---|---|
Captures the privileges that are used by definer’s rights and invoker’s rights PL/SQL program units for compilation. |
|
Creates a policy that specifies the conditions for analyzing privilege use. |
|
Deletes a privilege analysis capture run |
|
Stops the recording of privilege use for a specified privilege analysis policy |
|
Removes a privilege analysis policy together with the data recorded |
|
Starts the recording of privilege analysis for a specified privilege analysis policy |
|
Populates the privilege analysis data dictionary views with data |
130.5.1 CAPTURE_DEPENDENCY_PRIVS Procedure
This procedure captures the privileges that are used by definer’s rights and invoker’s rights PL/SQL program units for compilation.
Syntax
DBMS_PRIVILEGE_CAPTURE.CAPTURE_DEPENDENCY_PRIVS ();
Parameters
This procedure has no parameters.
Usage Notes
Every rerun of the DBMS_PRIVILEGE_CAPTURE.CAPTURE_DEPENDENCY_PRIVS
procedure deletes any existing records from the privilege analysis data dictionary views. It then recaptures records based on the existing PL/SQL program units.
130.5.2 CREATE_CAPTURE Procedure
This procedure creates a privilege analysis policy that specifies the conditions for analyzing privilege use. It also optionally specifies the roles for which privilege use is to be analyzed, and the conditions under which privilege use is to be analyzed.
Syntax
DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( name IN VARCHAR2, description IN VARCHAR2 DEFAULT NULL, type IN NUMBER DEFAULT G_DATABASE, roles IN ROLE_NAME_LIST DEFAULT ROLE_NAME_LIST(), condition IN VARCHAR2 DEFAULT NULL);
Parameters
Table 130-3 CREATE_CAPTURE Procedure Parameters
Parameter | Description |
---|---|
|
Name of the privilege analysis policy. A string of size up to 30 characters. |
|
Description of the policy (up to 1024 characters) |
|
Type of the privilege analysis policy. Possible values are:
|
|
The roles whose privileges are to be analyzed. Required if the |
|
PL/SQL boolean expression containing up to 4000 characters. Required if |
Usage Notes
-
When using role-based analysis for the
CREATE_CAPTURE
procedure, privilege use is analyzed even if the privilege is indirectly granted to the specified role.For example, say role R2 contains role R1, and R1 contains privilege P1. If the privilege policy includes only role R2, any use of the P1 privilege is still analyzed, as privilege P1 is an indirect part of role R2.
-
When using the
condition
parameter, use the following syntax for the PL/SQL expression:condition::= predicate | (predicate1) AND (predicate2) | (predicate1) OR (predicate2)
Where,
predicate::= sys_context(namespace, attribute) relop constant_value | sys_context(namespace, attribute) between constant_value and constant_value | sys_context(namespace, attribute) in {constant_value (,constant_value)* }
Where,
relop::= = | < | <= | > | >= | <>
-
A privilege analysis policy cannot analyze the use of
SYS
user privileges.
130.5.3 DELETE_RUN Procedure
This procedure deletes a privilege analysis capture run.
Syntax
DBMS_PRIVILEGE_CAPTURE.DELETE_RUN ( name IN VARCHAR2, run_name IN VARCHAR2);
Parameters
Table 130-4 DELETE_RUN Procedure Parameters
Parameter | Description |
---|---|
|
Name of the privilege analysis policy with which the capture run is associated |
|
Name of the capture run |
Usage Notes
-
You can find the names of existing privilege capture policies by querying the
DBA_PRIV_CAPTURES
data dictionary view. -
Another way to delete a capture run is to drop the policy with which the capture run is associated. Dropping the policy automatically drops its associated capture runs.
-
When you drop a capture run it is no longer accessible through the privilege capture data dictionary views.
130.5.4 DISABLE_CAPTURE Procedure
This procedure stops the recording of privilege use for a specified privilege analysis policy. When a policy is disabled, privilege use meeting the policy condition is no longer recorded.
Syntax
DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE ( name IN VARCHAR2);
Parameters
Table 130-5 DISABLE_CAPTURE Procedure Parameters
Parameter | Description |
---|---|
|
Name of the privilege analysis policy to be disabled |
Usage Notes
When a privilege analysis policy is first created, it is disabled by default.
130.5.5 DROP_CAPTURE Procedure
This procedure removes a privilege analysis policy together with the data recorded. When a policy is removed, all previously recorded privilege use data associated with the policy is deleted.
Syntax
DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE ( name IN VARCHAR2);
Parameters
Table 130-6 DROP_CAPTURE Procedure Parameters
Parameter | Description |
---|---|
|
Name of the privilege analysis policy to be removed |
Usage Notes
-
You must disable a privilege analysis policy before removing it. An enabled policy cannot be removed.
-
If there are capture runs associated with this policy, then they are automatically dropped when you drop the policy.
130.5.6 ENABLE_CAPTURE Procedure
This procedure starts the recording of privilege analysis for a specified privilege analysis policy and optionally provides a capture run for this policy. After a policy is enabled, all privilege use under the policy condition is recorded.
Syntax
DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE ( name IN VARCHAR2, run_name IN VARCHAR2 DEFAULT NULL);
Parameters
Table 130-7 ENABLE_CAPTURE Procedure Parameters
Parameter | Description |
---|---|
|
Name of the privilege analysis policy to be enabled |
|
Name of the capture run to associate with this policy, less than 128 characters. Enclose exotic characters in double quotation marks. |
Usage Notes
The following usage notes apply:
-
When a privilege analysis policy is first created, it is disabled by default. You must run
ENABLE_CAPTURE
to enable the privilege analysis policy. -
You can enable only one privilege analysis policy at a time. However, a database-wide privilege analysis of the
G_DATABASE
type can be enabled together with another nonG_DATABASE
privilege analysis. -
You cannot enable the same run multiple times. For example,
run_01
cannot be used again if you want to re-enable the capture forrun_01
. Instead, create a new run.
130.5.7 GENERATE_RESULT Procedure
This procedure populates the privilege analysis data dictionary views with data.
See Also:
Oracle® Database Security Guide for more information about privilege analysis views.
Syntax
DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT ( name IN VARCHAR2, run_name IN VARCHAR2 DEFAULT NULL, DEPENDENCY IN BOOLEAN DEFAULT NULL);
Parameters
Table 130-8 GENERATE_RESULT Procedure Parameters
Parameter | Description |
---|---|
|
Name of the privilege analysis policy for which views are populated |
|
Name of the capture run that is associated with the privilege analysis policy. If you omit this parameter, then the records of all created runs will be analyzed. When you specify the |
|
Enter |
Usage Notes
You must disable a privilege analysis policy before populating the privilege analysis views for the policy. You cannot invoke this subprogram on an enabled privilege analysis policy.