Oracle Cloud Infrastructure Documentation

Roles for the Oracle Data Safe Service Account

The Oracle Data Safe features that you can use with a target database depend on the roles granted to the Oracle Data Safe service account on that target database.

The following table describes the roles that you can grant or revoke from the Oracle Data Safe service account on a DB system or Autonomous Database.

DB System Role      Autonomous Database Role    Description
ASSESSMENT          DS$ASSESSMENT_ROLE          Privileges required for User Assessment and Security Assessment
AUDIT_COLLECTION    DS$AUDIT_COLLECTION_ROLE    Privileges required for accessing audit trails for the target database
DATA_DISCOVERY      DS$DATA_DISCOVERY_ROLE      Privileges required for Data Discovery (discovering sensitive data in the target database)
MASKING             DS$DATA_MASKING_ROLE        Privileges required for Data Masking (masking sensitive data in the target database)
AUDIT_SETTING       DS$AUDIT_SETTING_ROLE       Privileges required for updating target database audit policies

Following the principle of least privilege, Oracle recommends that you grant only the roles needed on each target database. How you grant or revoke roles for the Oracle Data Safe service account depends on the type of target database:

  • For a DB system, you need to run the SQL privileges script as the SYS user. You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant Oracle Data Safe access to the target database for Activity Auditing only. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the target database to grant access for Data Discovery as well. You cannot run the SQL privileges script on the root container of a target database (CDB$ROOT).
  • For an Autonomous Database, you need to run the PL/SQL package named DS_TARGET_UTIL as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package. By default, DS$ASSESSMENT_ROLE and DS$AUDIT_COLLECTION_ROLE are granted to the Oracle Data Safe service account (DS$ADMIN). These roles allow you to assess the target database and start audit trail collection immediately after you register the database.
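The following is an added example, not code from the Oracle page, showing how an administrator can apply the least-privilege advice above on an Autonomous Database: first check which DS$ roles the service account (DS$ADMIN) actually holds, then grant or revoke a single feature role through DS_TARGET_UTIL, and re-check. The procedure names DS_TARGET_UTIL.GRANT_ROLE and DS_TARGET_UTIL.REVOKE_ROLE are not stated on the page and are assumed here; run the statements as ADMIN or as a user with EXECUTE on the package.

```sql
-- Added example (not from the Oracle page). Connect to the Autonomous Database
-- as ADMIN or as a user with EXECUTE on DS_TARGET_UTIL. The GRANT_ROLE /
-- REVOKE_ROLE procedure names are assumed, not taken from the page.

-- 1. Baseline: which Data Safe roles does the service account hold right now?
--    DS$ADMIN is the Data Safe service account on Autonomous Database; by
--    default it holds DS$ASSESSMENT_ROLE and DS$AUDIT_COLLECTION_ROLE.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'DS$ADMIN'
AND    granted_role LIKE 'DS$%'
ORDER  BY granted_role;

-- 2. Enable Data Discovery only when the feature is actually needed.
EXECUTE DS_TARGET_UTIL.GRANT_ROLE('DS$DATA_DISCOVERY_ROLE');

-- 3. Remove a role once its feature is no longer used. Data Masking modifies
--    data in the target, so it is the first role to remove when not in use.
EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('DS$DATA_MASKING_ROLE');

-- 4. Re-run the baseline query and map each DS$ role back to the feature
--    table above; any role with no feature in use is a candidate to revoke.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'DS$ADMIN'
AND    granted_role LIKE 'DS$%'
ORDER  BY granted_role;
```

Querying DBA_ROLE_PRIVS before and after the change gives you an auditable record of what the service account can do on that target, which is the evidence a reviewer will ask for when confirming that only the needed roles are in place.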