ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Why is it necessary to add the CREATE JOB grant to the DLP protect user in Oracle 19c?

book

Article ID: 214030

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Since Oracle 19c, there is a requirement for the protect user in the DLP database to be given the CREATE JOB grant. With earlier Oracle versions, this requirement was not part of the protect user's grants. 

Environment

Release : DLP 15.5 and later.

Resolution

Starting with Oracle 10g, DBMS_SCHEDULER was created as a more robust replacement for DBMS_JOB. However, unlike DBMS_JOB, DBMS_SCHEDULER actually explicitly required the CREATE JOB system privilege. So the situation was the other way round - it was DBMS_JOB that did not require it, while DBMS_SCHEDULER didn't. This is why in earlier versions of Oracle, the requirement for the CREATE JOB grant for the protect user was not required. 

Until Oracle 19c, DBNS_JOB existed independently from DBMS_SCHEDULER, so as a result, users could use both. However, starting with Oracle 19c, Oracle has removed the guts from the DBMS_JOB package, instead making it kind of a wrapper for DBMS_SCHEDULER. From 19c, creating a job using DBMS_JOB with its limitation is essentially creating the job using DBMS_SCHEDULER. Because of this change, since Oracle 19c DBMS_JOB now also requires the CREATE JOB grant, given that it's now fully dependent on DBMS_SCHEDULER in its execution.

This is the exact reason why since Oracle 19c we have added an explicit requirement to grant CREATE JOB to the protect user - as of now, Oracle does not have any method of creating jobs which does not require that grant at all. Thus, there is no way to go around this and the CREATE JOB needs to be granted to the protect user after moving to Oracle 19c. Before that version, it was enough for that user to have the grant for EXECUTE DBMS_JOB. Since 19c, protect needs to have both this and CREATE JOB. 

The below two KB articles explicitly call out the need to grant CREATE JOB to the protect user after the move to Oracle 19c:

https://knowledge.broadcom.com/external/article/198173/symantec-dlp-error-ora27486-insufficient.html

https://knowledge.broadcom.com/external/article/160076/verify-or-grant-oracle-database-permissi.html