Privilege Analysis (PA), a feature of Oracle Database 19c Enterprise Edition, dynamically analyzes privilege and role usage for database users and application service accounts. PA reports on which privileges were used as well as those that were not used. PA increases the security of your applications and database operations by helping you to implement least privilege best practices for database roles and privileges.
Privilege Analysis (PA), dynamically analyzes privilege and role usage for database users and application service accounts at run time. PA helps to further harden the application by identifying unused privileges and roles based upon the actual usage of the roles and privileges by a user or from within the application. Understanding the set of unused roles and privileges is key to identify the least number of privileges the application needs to run. Reports generated by PA are richer and reflect the actual privileges and roles used/unused by users and applications during runtime. Static based role/privilege analysis tools can only show which roles and privileges are granted to users. Understanding actual usage of roles and privilege is essential to implementing a least privilege model for all database accounts and reduces your application attack surface.
Privilege Analysis allows to:
Least privilege is a security model that limits access rights for users (user, application, utility) to the minimum privileges/roles they require to execute their work. This applies to any system – not just databases. Extraordinarily powerful privileges that are only used for troubleshooting should be requested and checked out as required, and not granted as part of a user’s everyday set of roles and privileges. Least privilege also requires continuous management with granting additional privileges as required/approved and revocation of privileges when they are no longer required.