search cancel

Why is it necessary to add the CREATE JOB grant to the DLP protect user in Oracle 19c?

book

Article ID: 214030

calendar_today

Updated On:

Products

Data Loss Prevention Enforce Data Loss Prevention Oracle Standard Edition 2

Issue/Introduction

Beginning with Oracle 19c, there is a requirement for the "protect" user in the DLP database to be given the CREATE JOB grant. With earlier Oracle versions, this requirement was not part of the "protect" user's grants. 

Cause

Starting with Oracle 10g, DBMS_SCHEDULER was created as a more robust replacement for DBMS_JOB. However, unlike DBMS_JOB, DBMS_SCHEDULER actually explicitly requires the CREATE JOB system privilege.

Since DLP did not use DBMS_SCHEDULER in earlier versions, DBMS_JOB did not require it, so it was not necessary to grant CREATE JOB for DLP to work correctly.  

Prior to Oracle 19c, DBMS_JOB existed independently from DBMS_SCHEDULER, so as a result, users could use both. However, starting with Oracle 19c, Oracle has removed the guts from the DBMS_JOB package, instead making it kind of a wrapper for DBMS_SCHEDULER. As of 19c, creating a job using DBMS_JOB with this limitation is essentially creating the job using DBMS_SCHEDULER. Because of this change, Oracle 19c DBMS_JOB now also requires the CREATE JOB grant, given that it's now fully dependent on DBMS_SCHEDULER in its execution.

Environment

Release : DLP version which support Oracle 19c and higher

Resolution

Beginning with Oracle 19c, DLP has added an explicit requirement to grant CREATE JOB to the "protect" user - since Oracle 19c now does not have any method of creating jobs which do not require that grant.

The CREATE JOB needs to be granted to the "protect" user after moving to Oracle 19c. 

The below two KB articles explicitly call out the need to grant CREATE JOB to the protect user after the move to Oracle 19c:

https://knowledge.broadcom.com/external/article/198173/symantec-dlp-error-ora27486-insufficient.html

https://knowledge.broadcom.com/external/article/160076/verify-or-grant-oracle-database-permissi.html