{"id":92,"date":"2013-06-26T09:00:27","date_gmt":"2013-06-26T14:00:27","guid":{"rendered":"https:\/\/bijoos.com\/oraclenotes\/?p=92"},"modified":"2026-02-07T15:35:13","modified_gmt":"2026-02-07T21:35:13","slug":"oracledb12c-new-feature-capture-privilege-usage","status":"publish","type":"post","link":"https:\/\/bijoos.com\/oraclenotes\/2013\/92\/","title":{"rendered":"OracleDB12c New Feature: Capture Privilege Usage"},"content":{"rendered":"<p>One of the top features of the Oracle Database 12c that attracted me is capturing the privileges used (and unused). This feature is introduced to strengthen the security of the database to enforce the principle of least privilege. Many application users today have excessive privileges assigned, and believe me, have seen many applications connect to the database using an account with &#8220;DBA&#8221; role or &#8220;DBA like&#8221; role&#8230; Using the &#8220;Privilege Capture&#8221; feature of the Oracle Database 12c, we can now clearly and exactly know which privileges are used by the application or user and which privileges can be revoked.<\/p>\n<p>New PLSQL API <a title=\"Oracle Documentation Reference\" href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/appdev.121\/e17602\/d_priv_prof.htm#BABCIIEH\" target=\"_blank\">DBMS_PRIVILEGE_CAPTURE<\/a> is added to 12c. The procedures available in this package are:<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\">CREATE_CAPTURE<\/span><\/li>\n<li>ENABLE_CAPTURE<\/li>\n<li>DISABLE_CAPTURE<\/li>\n<li>GENERATE_RESULT<\/li>\n<li>DROP_CAPTURE<\/li>\n<\/ul>\n<p>The new default role in 12c database CAPTURE_ADMIN has execute privilege on this new package. CAPTURE_ADMIN role is granted to DBA role as well.<\/p>\n<p>As the subprograms or procedure names indicate, you must first define a policy using the CREATE_CAPTURE procedure. The policy can be at the database level analysis, or role level or based on a context.<\/p>\n<p>Once policy is created, it is not enabled by default. Use the ENABLE_CAPTURE program to enable the policy.<\/p>\n<p>After the analysis period, you disable the policy using the DISABLE_CAPTURE program.<\/p>\n<p>Once the policy is disabled, you are ready to generate the results using the GENERATE_RESULT program. \u00a0Once the policy is created by giving a name, that name is the parameter to all the other programs.<\/p>\n<p>By running the GENERATE_RESULT, the following new data dictionary views are populated&#8230;<\/p>\n<ul>\n<li><span style=\"line-height: 13px;\">DBA_USED_xxx<\/span><\/li>\n<li>DBA_USED_xxx_PATH<\/li>\n<li>DBA_UNUSED_xxx<\/li>\n<li>DBA_UNUSED_xxx_PATH<\/li>\n<\/ul>\n<p>The DBA_USED_ views show the privileges used by the user for the policy. The DBA_UNUSED_ views show the privileges that are assigned to the user, but are not used. The _PATH views show the privilege path (how the privileged was given to the user, through which role).<\/p>\n<p>Reference to the views:<\/p>\n<ul>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23817.htm#I1023817\">DBA_USED_OBJPRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23812.htm#I1023812\">DBA_USED_OBJPRIVS_PATH<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23810.htm#I1023810\">DBA_USED_PRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23814.htm#I1023814\">DBA_USED_PUBPRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23816.htm#I1023816\">DBA_USED_SYSPRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23811.htm#I1023811\">DBA_USED_SYSPRIVS_PATH<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23947.htm#I1023947\">DBA_USED_USERPRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23948.htm#I1023948\">DBA_USED_USERPRIVS_PATH<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23300.htm#BABCADBD\">DBA_UNUSED_COL_TABS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23821.htm#I1023821\">DBA_UNUSED_OBJPRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23819.htm#I1023819\">DBA_UNUSED_OBJPRIVS_PATH<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23813.htm#I1023813\">DBA_UNUSED_PRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23820.htm#I1023820\">DBA_UNUSED_SYSPRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23818.htm#I1023818\">DBA_UNUSED_SYSPRIVS_PATH<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23945.htm#I1023945\">DBA_UNUSED_USERPRIVS<\/a><\/li>\n<li><a href=\"http:\/\/docs.oracle.com\/cd\/E16655_01\/server.121\/e17615\/refrn23946.htm#I1023946\">DBA_UNUSED_USERPRIVS_PATH<\/a><\/li>\n<\/ul>\n<p>Once you have documented all the information required, you can use the DROP_CAPTURE program to delete the policy and all the usage data collected.<\/p>\n<p><span style=\"text-decoration: underline; color: #800000;\"><strong>Update on 01-May-2014<\/strong><\/span><\/p>\n<p><span style=\"color: #800000;\">Published an article on this subject in OTech Magazine. Download the article from\u00a0<strong>http:\/\/www.slideshare.net\/slideshow\/embed_code\/34193245<\/strong><\/span><\/p>\n<p><span style=\"color: #800000;\">Read the article and other articles in OTech Magazine at\u00a0<b>http:\/\/www.otechmag.com\/2014\/otech-magazine-winter-2014\/<\/b><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the top features of the Oracle Database 12c that attracted me is capturing the privileges used (and unused). This feature is introduced to strengthen the security of the database to enforce the principle of least privilege. Many application users today have excessive privileges assigned, and believe me, have seen many applications connect to &#8230; <a title=\"OracleDB12c New Feature: Capture Privilege Usage\" class=\"read-more\" href=\"https:\/\/bijoos.com\/oraclenotes\/2013\/92\/\" aria-label=\"Read more about OracleDB12c New Feature: Capture Privilege Usage\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[133],"tags":[40,63],"class_list":["post-92","post","type-post","status-publish","format-standard","hentry","category-oracledb","tag-oracle-12c","tag-security"],"acf":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/posts\/92","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/comments?post=92"}],"version-history":[{"count":1,"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/posts\/92\/revisions"}],"predecessor-version":[{"id":3043,"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/posts\/92\/revisions\/3043"}],"wp:attachment":[{"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/media?parent=92"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/categories?post=92"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bijoos.com\/oraclenotes\/wp-json\/wp\/v2\/tags?post=92"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}