Hi Jonathan,
This account is defined as a proxy user but the client it can proxy to does not
have EXEMPT ACCESS POLICY either (directly or indirectly).
There are a couple of other accounts in the database which do have this
privilege but do not appear to be used (and are definitely not proxy clients)
and do not feature in the audit trail.
Thanks,Charlotte
On Monday, November 4, 2019, 06:59:09 PM GMT, Jonathan Lewis
<jonathan@xxxxxxxxxxxxxxxxxx> wrote:
Do you make use of proxy users ?
Do you have any users with this privilege ?
Regards
Jonathan Lewis
________________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> on behalf
of Charlotte Hammond <dmarc-noreply@xxxxxxxxxxxxx>
Sent: 04 November 2019 18:36
To: dmarc-noreply@xxxxxxxxxxxxx; Stefan Knecht
Cc: Oracle-L Freelists
Subject: Re: Where is this Privilege coming from?
Hi Stefan,
Yes - VPD is in use. We see EXEMPT ACCESS POLICY in the audit trail when any
of the tables with a policy on it is accessed by this user. So that makes
sense. But I just can't figure out how it is getting the privilege in the
first place.
Thanks,
Charlotte
On Monday, November 4, 2019, 06:12:28 PM GMT, Stefan Knecht
<knecht.stefan@xxxxxxxxx> wrote:
Are you using VPD in that database?
On Tue, Nov 5, 2019 at 12:36 AM Charlotte Hammond
<dmarc-noreply@xxxxxxxxxxxxx<mailto:dmarc-noreply@xxxxxxxxxxxxx>> wrote:
Hello All,
In my database audit trail I can see lots of entries for use of the privilege
"EXEMPT ACCESS POLICY" (PRIV_USED) for a particular database user (a shared
account used by the front end application - sessions are created/destroyed
dynamically through the day). The RETURNCODE is 0 for these entries.
However this database user does not have this privilege granted to them either
directly or through a role (and the 1 role they have does not have any system
privileges). Also, if I log in directly as this database user using sqlplus I
do not have this privilege. I presume the application is doing something
special when it creates the session but I cannot think what!
So where is this privilege coming from to appear in the audit trail? Any
suggestions on how to track this down much appreciated!
Thanks,
Charlotte
--
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net<http://zztat.net/> | @zztat_oracle |
fb.me/zztat<http://fb.me/zztat> | zztat.net/blog/<http://zztat.net/blog/>
--
//www.freelists.org/webpage/oracle-l