Creating adapter user account

You must create a user account for the adapter on the managed resource. Provide the account information when you create an application for Oracle on IBM® Security Verify.

The account must be able to connect remotely to the Oracle Database server and must have sufficient privileges to administer the Oracle Database users. Table 1 lists the privileges that the user account requires to administer the Oracle Database users.

Table 1. Required privileges and their descriptions

CREATE USER
  To create an Oracle database user.

GRANT ANY ROLE
  To grant roles to, or revoke roles from, the Oracle database user.

SELECT ANY TABLE
  To perform the reconciliation operation and retrieve the following information from the Oracle database:
  • List of users and their attributes
  • List of tables
  • List of roles
  • List of privileges
  • List of consumer groups
  • Oracle version

GRANT ANY PRIVILEGE
  To grant privileges to, or revoke privileges from, the Oracle database user.

SELECT ANY DICTIONARY
  The SELECT ANY DICTIONARY privilege overrides the default setting of the O7_DICTIONARY_ACCESSIBILITY initialization parameter, whose default value is FALSE.

  With this system privilege, users can access all the objects in the SYS schema, including tables that are created in that schema.

  You must grant the required privileges to the individual users based on their requirements. The SELECT ANY DICTIONARY privilege is not included in GRANT ALL PRIVILEGES. You can also grant the SELECT ANY DICTIONARY privilege through a role.

  The following scenarios apply, depending on your requirements:
  • If O7_DICTIONARY_ACCESSIBILITY=TRUE, the SELECT ANY TABLE privilege provides access to all SYS and non-SYS objects.
  • If O7_DICTIONARY_ACCESSIBILITY=FALSE, the SELECT ANY TABLE privilege provides access only to non-SYS objects.
  • If SELECT_CATALOG_ROLE is granted, it provides access to all SYS views only.
  • If only the SELECT ANY DICTIONARY privilege is granted, it provides access to SYS schema objects only.
  • If both the SELECT ANY TABLE and SELECT ANY DICTIONARY privileges are granted, together they provide access to all SYS and non-SYS objects.
  • SELECT ANY DICTIONARY and SELECT_CATALOG_ROLE do not affect the O7_DICTIONARY_ACCESSIBILITY setting.

SELECT ON SYS.USER$
  Required for Oracle 12c support (non-container database) to read the date when the password was last changed, which is the PTIME column of the SYS.USER$ table.

  To retrieve the last password change date, grant this privilege to the user.

WM_ADMIN_ROLE or SELECT_CATALOG_ROLE
  To access the DBA_WM_SYS_PRIVS view.

EXECUTE permission on DBMS_LOCK and the ADMINISTER_RESOURCE_MANAGER system privilege
  To execute the stored procedures that set the consumer group.

By default, a user is granted access only to objects within the user's own schema. The ANY keyword grants the user access to all objects of that type in all schemas. For example:

  • To grant a system privilege, you must either have system privileges that are granted with ADMIN OPTION or GRANT ANY PRIVILEGE.
  • To grant an object privilege, one of the following conditions must be met:
    • You must be an object owner.
    • The object owner must grant you the object privileges with the GRANT OPTION.
    • The object owner must grant you the GRANT ANY OBJECT PRIVILEGE system privilege.

If you do not use the ANY keyword, you must grant each privilege, role, table, and so on to the user account individually, or the user account must own the object. Whenever a new privilege, role, or table is added to the schema, you must update the permissions of the user account.

To reduce security risks, do not use the ANY keyword to grant privileges to user accounts.
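As an added example that is not part of the IBM documentation, the following SQL, run by a DBA as SYSDBA, creates an adapter account with the privileges listed in Table 1 and then lists what the account actually holds so the grants can be checked before the account is handed to the adapter. The account name isv_adapter, the role name isv_adapter_dict_role, the password placeholder, and the sample schema hr in the explicit-grant comment are assumptions.

```sql
-- Added example, not from the IBM documentation. Run as SYSDBA.
-- Account name, role name and password placeholder are assumptions.
CREATE USER isv_adapter IDENTIFIED BY "<replace-with-a-strong-password>";

-- CREATE SESSION is not listed in Table 1; it is the standard Oracle
-- privilege that lets the account connect remotely at all.
GRANT CREATE SESSION TO isv_adapter;

-- Table 1: user administration
GRANT CREATE USER TO isv_adapter;
GRANT GRANT ANY ROLE TO isv_adapter;
GRANT GRANT ANY PRIVILEGE TO isv_adapter;

-- Table 1: reconciliation (users, tables, roles, privileges,
-- consumer groups, Oracle version)
GRANT SELECT ANY TABLE TO isv_adapter;

-- Table 1: SELECT ANY DICTIONARY, granted through a role as the
-- text permits (it is not part of GRANT ALL PRIVILEGES).
CREATE ROLE isv_adapter_dict_role;
GRANT SELECT ANY DICTIONARY TO isv_adapter_dict_role;
GRANT isv_adapter_dict_role TO isv_adapter;

-- Table 1: last password change date (PTIME) on a 12c
-- non-container database
GRANT SELECT ON SYS.USER$ TO isv_adapter;

-- Table 1: DBA_WM_SYS_PRIVS view; either role works, this
-- example uses SELECT_CATALOG_ROLE
GRANT SELECT_CATALOG_ROLE TO isv_adapter;

-- Table 1: stored procedures that set the consumer group.
-- Oracle spells the system privilege with spaces.
GRANT EXECUTE ON SYS.DBMS_LOCK TO isv_adapter;
GRANT ADMINISTER RESOURCE MANAGER TO isv_adapter;

-- Without the ANY keyword, each object is granted explicitly and
-- the grant list must be maintained as objects are added, e.g.:
-- GRANT SELECT ON hr.employees TO isv_adapter;   -- hr is an assumed schema

-- Verification: what the account actually holds
SELECT privilege FROM dba_sys_privs
 WHERE grantee = 'ISV_ADAPTER' ORDER BY privilege;
SELECT granted_role FROM dba_role_privs
 WHERE grantee = 'ISV_ADAPTER';
SELECT owner, table_name, privilege FROM dba_tab_privs
 WHERE grantee = 'ISV_ADAPTER';
```

The three verification queries are the ones to rerun after any later change to the account, so that privileges the adapter does not need (or that carry the ANY keyword) are noticed rather than accumulated.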