Re: Where is this Privilege coming from?
Date: Mon, 4 Nov 2019 22:13:19 +0000
Message-ID: <CWXP265MB1750FE05DBD986FB15BFCA8FA57F0_at_CWXP265MB1750.GBRP265.PROD.OUTLOOK.COM>
Do the accounts that have the privilege own any packages / procedures / functions that have grant execute to the account that gets audited as taking advantage of exempt access policy.
I don't think you'd find any source text saying "exempt access policy" as that's a privilege that would have to be granted to a schema or role, and not simply activated for a session. I think the most dynamic it could be would be as a privilege granted to a role where the role was then dynamically set by the session.
Regards
Jonathan Lewis
From: Charlotte Hammond <charlottejanehammond_at_yahoo.com> Sent: 04 November 2019 19:52
To: Oracle-L Freelists; Jonathan Lewis
Subject: Re: Where is this Privilege coming from?
Hi Jonathan,
This account is defined as a proxy user but the client it can proxy to does not have EXEMPT ACCESS POLICY either (directly or indirectly).
There are a couple of other accounts in the database which do have this privilege but do not appear to be used (and are definitely not proxy clients) and do not feature in the audit trail.
Thanks,
Charlotte
On Monday, November 4, 2019, 06:59:09 PM GMT, Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk> wrote:
Do you make use of proxy users ?
Do you have any users with this privilege ?
Regards
Jonathan Lewis
From: oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org> <oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org>> on behalf of Charlotte Hammond <dmarc-noreply_at_freelists.org<mailto:dmarc-noreply_at_freelists.org>> Sent: 04 November 2019 18:36
To: dmarc-noreply_at_freelists.org<mailto:dmarc-noreply_at_freelists.org>; Stefan Knecht Cc: Oracle-L Freelists
Subject: Re: Where is this Privilege coming from?
Hi Stefan,
Yes - VPD is in use. We see EXEMPT ACCESS POLICY in the audit trail when any of the tables with a policy on it is accessed by this user. So that makes sense. But I just can't figure out how it is getting the privilege in the first place.
Thanks,
Charlotte
On Monday, November 4, 2019, 06:12:28 PM GMT, Stefan Knecht <knecht.stefan_at_gmail.com<mailto:knecht.stefan_at_gmail.com>> wrote:
Are you using VPD in that database?
On Tue, Nov 5, 2019 at 12:36 AM Charlotte Hammond <dmarc-noreply_at_freelists.org<mailto:dmarc-noreply_at_freelists.org><mailto:dmarc-noreply_at_freelists.org<mailto:dmarc-noreply_at_freelists.org>>> wrote: Hello All,
In my database audit trail I can see lots of entries for use of the privilege "EXEMPT ACCESS POLICY" (PRIV_USED) for a particular database user (a shared account used by the front end application - sessions are created/destroyed dynamically through the day). The RETURNCODE is 0 for these entries.
However this database user does not have this privilege granted to them either directly or through a role (and the 1 role they have does not have any system privileges). Also, if I log in directly as this database user using sqlplus I do not have this privilege. I presume the application is doing something special when it creates the session but I cannot think what!
So where is this privilege coming from to appear in the audit trail? Any suggestions on how to track this down much appreciated!
Thanks,
Charlotte
--
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net<http://zztat.net/> | _at_zztat_oracle | fb.me/zztat<http://fb.me/zztat> | zztat.net/blog/<http://zztat.net/blog/>
--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
Received on Mon Nov 04 2019 - 23:13:19 CET