Oracle 12c – User privilege analysis overview

Oracle 12c includes a feature, privilege analysis, that records the system and object privileges an individual user account actually uses, so that the account's grants can be cut back to what it needs and a least privilege policy can be enforced within the RDBMS. This article gives an overview of user privilege analysis in Oracle 12c.


  1. Privilege analysis is a feature of Oracle Database Vault. It lets you create a policy (a "capture") that records the system and object privileges a user actually exercises while the policy is enabled.
  2. The captured result can then be compared against the privileges the user has been granted.
  3. Privileges that the capture reports as unused are candidates for revocation.
  4. Privilege analysis can be performed whether or not Database Vault is configured and enabled.
  5. Privilege analysis is administered either through Enterprise Manager Cloud Control or with the DBMS_PRIVILEGE_CAPTURE package.
  6. The CAPTURE_ADMIN role grants EXECUTE on the DBMS_PRIVILEGE_CAPTURE package and SELECT on the views that hold the results.
  7. DBMS_PRIVILEGE_CAPTURE creates, enables, disables and drops privilege analysis policies, and generates the result of a capture.
  8. Only one privilege analysis policy can be enabled in the database at a time, with one exception: a database-wide policy (type DBMS_PRIVILEGE_CAPTURE.G_DATABASE) can be enabled together with one other, user-defined policy.
  9. An enabled policy stays enabled across a database restart; it has to be disabled explicitly once the capture window is over.
  10. A policy must be disabled before its report can be generated.
  11. A policy must be disabled before it can be dropped.
  12. Dropping a policy also drops all of the data that policy collected, so generate and review the report first.
  13. Some of the views available with privilege analysis:
    1. DBA_PRIV_CAPTURES — Lists information about existing privilege analysis policies
    2. DBA_USED_PRIVS — Lists the privileges that have been used for reported privilege analysis policies
    3. DBA_UNUSED_PRIVS — Lists the privileges that have not been used for reported privilege analysis policies
    4. DBA_USED_OBJPRIVS — Lists the object privileges that have been used for reported privilege analysis policies. It does not include the object grant paths.
    5. DBA_UNUSED_OBJPRIVS — Lists the object privileges that have not been used for reported privilege analysis policies. It does not include the object privilege grant paths.
    6. DBA_USED_SYSPRIVS — Lists the system privileges that have been used for reported privilege analysis policies. It does not include the system privilege grant paths.
    7. DBA_UNUSED_SYSPRIVS — Lists the system privileges that have not been used for reported privilege analysis policies. It does
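The full cycle from items 5 through 12 above, run against a single account, as an added worked example (it is not from the original article). The account APPUSER, the policy name APPUSER_CAPTURE and the workload step are assumptions for illustration; the package, its procedures and constants, and the view and column names are Oracle's own. Run it as a user holding CAPTURE_ADMIN.

```sql
-- Added example, not from the original article. APPUSER and APPUSER_CAPTURE are
-- assumed names; DBMS_PRIVILEGE_CAPTURE and the DBA_*PRIVS views are Oracle's.

-- 1. Create a context-based policy so only sessions of APPUSER are captured.
--    The condition is a SQL expression over SYS_CONTEXT, evaluated per session.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APPUSER_CAPTURE',
    description => 'Privileges actually used by APPUSER',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APPUSER''');
END;
/

-- 2. Start capturing. Only one policy (plus at most one G_DATABASE policy)
--    can be enabled at a time, so ENABLE_CAPTURE fails if another is active.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'APPUSER_CAPTURE');
END;
/

-- Confirm the policy is enabled. ENABLED stays 'Y' across an instance restart.
SELECT name, type, enabled, context
  FROM dba_priv_captures
 WHERE name = 'APPUSER_CAPTURE';

-- ... exercise a representative workload as APPUSER: normal traffic, batch
--     jobs, month-end processing. Anything not run here shows up as unused ...

-- 3. Stop capturing and generate the report. GENERATE_RESULT is rejected
--    while the policy is still enabled.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APPUSER_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'APPUSER_CAPTURE');
END;
/

-- 4. Compare used against granted: system privileges that were exercised ...
SELECT username, sys_priv, used_role
  FROM dba_used_sysprivs
 WHERE capture = 'APPUSER_CAPTURE'
 ORDER BY sys_priv;

-- ... system privileges that were granted but never exercised ...
SELECT username, sys_priv
  FROM dba_unused_sysprivs
 WHERE capture = 'APPUSER_CAPTURE'
 ORDER BY sys_priv;

-- ... and object privileges that were granted but never exercised.
SELECT username, obj_priv, object_owner, object_name
  FROM dba_unused_objprivs
 WHERE capture = 'APPUSER_CAPTURE'
 ORDER BY object_owner, object_name, obj_priv;

-- 5. Revoke what the workload never touched, one grant at a time, then
--    re-capture before treating the result as final: a privilege used only by
--    a quarterly job is reported as unused by a two-week capture.
-- REVOKE CREATE ANY TABLE FROM appuser;

-- 6. Cleanup. DROP_CAPTURE requires the policy to be disabled and removes
--    every row the capture collected, so keep the report output first.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'APPUSER_CAPTURE');
END;
/
```

The capture type is G_CONTEXT rather than G_DATABASE because the article's goal is one account; a G_DATABASE policy captures every session and is the only kind that may run alongside another policy. The revocation step is deliberately left as a comment: privilege analysis reports what was observed during the capture window, not what the application requires, so each revoke should be reviewed and the capture repeated.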

Larry Catt

OCP