Minimum permissions for User used in GUI

In Oracle, what are the minimum permissions for a user to be able to fully use the GUI.

I am trying to not assign the DBA role to someone to be able to assign or report on the auditing results. In addtion I would like this user to be able to run the background sysmove and syspurge dbms jobs.

Can (Or should) I use the db_audit ID for this?

I currently am trying to use that and I have assign the following:

Connect, select_catalog_role roles
audit any, create table, select any table, select any dictionary permisssions
delete on sys.aud$
execute on sys. dbms_job, dbms_log, dbms_output, dbms_utility
select on sys. aud$, v_$mystat, v_$session

I get insufficient priviliges when I try to set up or take away SQL Stmt audits.

Hi,

The GUI is available in two forms, the DB Audit Management console and the Report Viewer.

The first one is designed for DBAs and for security officers so that they can initially setup the audit and manage audit functions later. Of course these people should have maximum permissions in order to be able to configure core system functions.

The second type is designed for everybody who need, to run audit reports. There, their access permissions should be controlled by the first group of people and normally be given on a table-by-table case. For example, if they need to run system audit reports in Oracle they should have SELECT permissions for DBA_AUDIT_xxx views. If they need have access to data-change audit reports, the permissions can be more granular. Different people can get SELECT permissions for different audited tables.

Please note that DB_AUDIT should not be used by anybody for database connections or for running reports. This is just a storage schema used to group different audit objects together and avoid various naming conflicts with existing objects. Moreover, after initial setup the account for DB_AUDIT should be disabled to prevent any misuse of it.

Ok, then one follow on question.

I am setting up the jobs for running the audit move and purge procedures. Should I set those up so they are always run (owner of the job) by the SYS id (as sysdba) or another ID?

It seems that what ever ID I use, I need to make sure they are not being auditing as I get deadlocks during the move process. The owner defaults to whomever is signed on to the GUI at the time of setup.

Thanks for the info.!

I guess you mean the alternative location for the audit trail tables, not a central repository. Normally you can use any ID that has SELECT/DELETE permissions for SYS.AUD$ and INSERT permissions for DB_AUDIT.AUD$. Please ensure that DB_AUDIT has a quota on the tablespace where DB_AUDIT.AUD$ is going to be created.

You can exclude SELECT and DELETE for that user on SYS.AUD$ table but normally this is not required. The dead-locking is probably a result of something else, not the auditing. Oracle makes sure that SYS.AUD$ is not part of any transactions so that changes cannot be rolled back and this table cannot be locked implicitly and block everybody else.

Thanks, I think I got it set the way I want it now. I created a second user for to be the owner of the jobs and I used that to log in to DBAUDIT. I initially had to give it DBA rights to get the stuff set correctly and the jobs running. After I got it all set up, I removed the DBA privilige and locked that id and the db_audit id. It seems to be working correctly for me now.

Thanks for your help.

Very good. Thank you for the update!