Does Symantec DLP require data_dictionary access?

Article ID: 159435

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Database security requires strict attention to which accounts have access to data dictionary tables, the database objects that describe the database itself. It is therefore important to know exactly which of these objects Symantec DLP requires access to, and why.

Resolution

While the installation of Symantec DLP requires the use of SYS as SYSDBA (Oracle's equivalent of "root"), the PROTECT account used by the application does not need such broad privileges. The PROTECT user owns the application schema and has SELECT privileges on specific data dictionary tables in order to fulfill two functions:
  1. provide tablespace sizing information via the Symantec DLP Enforce application (an alert message is sent when a space consumption threshold is reached), and
  2. provide a means to start troubleshooting basic database issues without having to hassle with sys, at least not immediately.

Here is the list of select privileges granted to protect in the course of the installation (see oracle_create_user.sql for the full list):

grant select on dba_tablespaces to protect;
grant select on dba_data_files to protect;
grant select on dba_temp_files to protect;
grant select on dba_extents to protect;
grant select on v_$session to protect;
grant select on v_$database to protect;
grant select on v_$instance to protect;
grant all on dbms_monitor to protect;
grant select on v_$parameter to protect;
grant select on dba_segments to protect;
grant select on v_$sqlarea to protect;
grant select on v_$session_longops to protect;
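A practical follow-up to the list above is to verify, after installation and periodically afterwards, that the PROTECT account holds exactly these data dictionary grants and nothing more. The query below is an added example written for this article; it is not part of oracle_create_user.sql or any Symantec-supplied script. It assumes the schema owner is named PROTECT (the default used throughout this article), that it is run by a DBA who can read DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS, and that the expected list is the one printed above; because the article says the script contains the full list, a row reported as UNEXPECTED may simply be a grant from the script that is not shown here and should be checked against it.

```sql
-- Added example (not from the article or from Symantec): audit the PROTECT
-- account's data dictionary access against the grants listed above.
-- Assumption: the schema owner is PROTECT; change the literal if yours differs.
WITH expected AS (
    -- The grants shown in the article, as they appear in DBA_TAB_PRIVS.
    -- "grant all" on a package resolves to the EXECUTE and DEBUG object privileges.
    SELECT 'SYS' AS owner, 'DBA_TABLESPACES'    AS table_name, 'SELECT'  AS privilege FROM dual UNION ALL
    SELECT 'SYS',          'DBA_DATA_FILES',                    'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'DBA_TEMP_FILES',                    'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'DBA_EXTENTS',                       'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'V_$SESSION',                        'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'V_$DATABASE',                       'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'V_$INSTANCE',                       'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'DBMS_MONITOR',                      'EXECUTE'              FROM dual UNION ALL
    SELECT 'SYS',          'DBMS_MONITOR',                      'DEBUG'                FROM dual UNION ALL
    SELECT 'SYS',          'V_$PARAMETER',                      'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'DBA_SEGMENTS',                      'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'V_$SQLAREA',                        'SELECT'               FROM dual UNION ALL
    SELECT 'SYS',          'V_$SESSION_LONGOPS',                'SELECT'               FROM dual
),
actual AS (
    -- Object grants PROTECT actually holds on SYS-owned objects. Grants on
    -- PROTECT's own schema objects are not data dictionary access and are skipped.
    SELECT owner, table_name, privilege
    FROM   dba_tab_privs
    WHERE  grantee = 'PROTECT'
    AND    owner   = 'SYS'
)
-- Grants present on the account but absent from the article's list.
SELECT 'UNEXPECTED' AS status, a.owner, a.table_name, a.privilege
FROM   actual a
WHERE  NOT EXISTS (SELECT 1 FROM expected e
                   WHERE  e.owner = a.owner
                   AND    e.table_name = a.table_name
                   AND    e.privilege  = a.privilege)
UNION ALL
-- Grants in the article's list that the account does not hold (tablespace
-- alerting and basic troubleshooting in Enforce would fail without them).
SELECT 'MISSING' AS status, e.owner, e.table_name, e.privilege
FROM   expected e
WHERE  NOT EXISTS (SELECT 1 FROM actual a
                   WHERE  a.owner = e.owner
                   AND    a.table_name = e.table_name
                   AND    a.privilege  = e.privilege)
ORDER BY status, table_name, privilege;

-- Direct object grants are only part of the picture: a role such as
-- SELECT_CATALOG_ROLE or a system privilege such as SELECT ANY DICTIONARY
-- would give PROTECT far wider dictionary access than the list above.
-- Anything returned here beyond what oracle_create_user.sql grants deserves review.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege    AS name FROM dba_sys_privs  WHERE grantee = 'PROTECT'
UNION ALL
SELECT 'ROLE'             AS kind, granted_role AS name FROM dba_role_privs WHERE grantee = 'PROTECT'
ORDER BY kind, name;
```

An empty result from the first query means the object grants match the list exactly. The second query is the one to watch in a hardening review, since a single role or system privilege can quietly widen the account's reach well beyond the handful of views the application needs for tablespace sizing and basic troubleshooting.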