SoftTree Technologies SoftTree Technologies
Technical Support Forums
RegisterSearchFAQMemberlistUsergroupsLog in
Minimum permissions for User used in GUI

 
Reply to topic    SoftTree Technologies Forum Index » DB Audit, DB Mail, DB Tools View previous topic
View next topic
Minimum permissions for User used in GUI
Author Message
jrunt



Joined: 27 Jan 2007
Posts: 6
Country: USA

Post Minimum permissions for User used in GUI Reply with quote
In Oracle, what are the minimum permissions for a user to be able to fully use the GUI.

I am trying to not assign the DBA role to someone to be able to assign or report on the auditing results. In addtion I would like this user to be able to run the background sysmove and syspurge dbms jobs.

Can (Or should) I use the db_audit ID for this?

I currently am trying to use that and I have assign the following:

Connect, select_catalog_role roles
audit any, create table, select any table, select any dictionary permisssions
delete on sys.aud$
execute on sys. dbms_job, dbms_log, dbms_output, dbms_utility
select on sys. aud$, v_$mystat, v_$session

I get insufficient priviliges when I try to set up or take away SQL Stmt audits.
Mon Jan 29, 2007 3:29 pm View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 6500

Post Reply with quote
Hi,

The GUI is available in two forms, the DB Audit Management console and the Report Viewer.

The first one is designed for DBAs and for security officers so that they can initially setup the audit and manage audit functions later. Of course these people should have maximum permissions in order to be able to configure core system functions.

The second type is designed for everybody who need, to run audit reports. There, their access permissions should be controlled by the first group of people and normally be given on a table-by-table case. For example, if they need to run system audit reports in Oracle they should have SELECT permissions for DBA_AUDIT_xxx views. If they need have access to data-change audit reports, the permissions can be more granular. Different people can get SELECT permissions for different audited tables.


Please note that DB_AUDIT should not be used by anybody for database connections or for running reports. This is just a storage schema used to group different audit objects together and avoid various naming conflicts with existing objects. Moreover, after initial setup the account for DB_AUDIT should be disabled to prevent any misuse of it.
Mon Jan 29, 2007 10:56 pm View user's profile Send private message
jrunt



Joined: 27 Jan 2007
Posts: 6
Country: USA

Post Reply with quote
Ok, then one follow on question.

I am setting up the jobs for running the audit move and purge procedures. Should I set those up so they are always run (owner of the job) by the SYS id (as sysdba) or another ID?

It seems that what ever ID I use, I need to make sure they are not being auditing as I get deadlocks during the move process. The owner defaults to whomever is signed on to the GUI at the time of setup.

Thanks for the info.!
Tue Jan 30, 2007 4:21 pm View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 6500

Post Reply with quote
I guess you mean the alternative location for the audit trail tables, not a central repository. Normally you can use any ID that has SELECT/DELETE permissions for SYS.AUD$ and INSERT permissions for DB_AUDIT.AUD$. Please ensure that DB_AUDIT has a quota on the tablespace where DB_AUDIT.AUD$ is going to be created.

You can exclude SELECT and DELETE for that user on SYS.AUD$ table but normally this is not required. The dead-locking is probably a result of something else, not the auditing. Oracle makes sure that SYS.AUD$ is not part of any transactions so that changes cannot be rolled back and this table cannot be locked implicitly and block everybody else.
Tue Jan 30, 2007 6:53 pm View user's profile Send private message
jrunt



Joined: 27 Jan 2007
Posts: 6
Country: USA

Post Reply with quote
Thanks, I think I got it set the way I want it now. I created a second user for to be the owner of the jobs and I used that to log in to DBAUDIT. I initially had to give it DBA rights to get the stuff set correctly and the jobs running. After I got it all set up, I removed the DBA privilige and locked that id and the db_audit id. It seems to be working correctly for me now.

Thanks for your help.
Thu Feb 01, 2007 10:51 am View user's profile Send private message
SysOp
Site Admin


Joined: 26 Nov 2006
Posts: 6500

Post Reply with quote
Very good. Thank you for the update!
Thu Feb 01, 2007 4:13 pm View user's profile Send private message
Display posts from previous:    
Reply to topic    SoftTree Technologies Forum Index » DB Audit, DB Mail, DB Tools All times are GMT - 4 Hours
Page 1 of 1

 
Jump to: 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


 

 

Powered by phpBB © 2001, 2005 phpBB Group
Design by Freestyle XL / Flowers Online.