Other option to check which DB user got “EXEMPT ACCESS POLICY” system privilege
Have check SYS or DB logon triggers.
Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx on behalf of Jonathan Lewis
<jonathan@xxxxxxxxxxxxxxxxxx>
Sent: Monday, November 4, 2019 5:14 PM
To: Oracle-L Freelists
Subject: Re: Where is this Privilege coming from?
Do the accounts that have the privilege own any packages / procedures /
functions that have grant execute to the account that gets audited as taking
advantage of exempt access policy.
I don't think you'd find any source text saying "exempt access policy" as
that's a privilege that would have to be granted to a schema or role, and not
simply activated for a session. I think the most dynamic it could be would be
as a privilege granted to a role where the role was then dynamically set by the
session.
Regards
Jonathan Lewis
________________________________________
From: Charlotte Hammond <charlottejanehammond@xxxxxxxxx>
Sent: 04 November 2019 19:52
To: Oracle-L Freelists; Jonathan Lewis
Subject: Re: Where is this Privilege coming from?
Hi Jonathan,
This account is defined as a proxy user but the client it can proxy to does not
have EXEMPT ACCESS POLICY either (directly or indirectly).
There are a couple of other accounts in the database which do have this
privilege but do not appear to be used (and are definitely not proxy clients)
and do not feature in the audit trail.
Thanks,
Charlotte
On Monday, November 4, 2019, 06:59:09 PM GMT, Jonathan Lewis
<jonathan@xxxxxxxxxxxxxxxxxx> wrote:
Do you make use of proxy users ?
Do you have any users with this privilege ?
Regards
Jonathan Lewis
________________________________________
From: oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>
<oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>> on behalf
of Charlotte Hammond
<dmarc-noreply@xxxxxxxxxxxxx<mailto:dmarc-noreply@xxxxxxxxxxxxx>>
Sent: 04 November 2019 18:36
To: dmarc-noreply@xxxxxxxxxxxxx<mailto:dmarc-noreply@xxxxxxxxxxxxx>; Stefan
Knecht
Cc: Oracle-L Freelists
Subject: Re: Where is this Privilege coming from?
Hi Stefan,
Yes - VPD is in use. We see EXEMPT ACCESS POLICY in the audit trail when any of
the tables with a policy on it is accessed by this user. So that makes sense.
But I just can't figure out how it is getting the privilege in the first place.
Thanks,
Charlotte
On Monday, November 4, 2019, 06:12:28 PM GMT, Stefan Knecht
<knecht.stefan@xxxxxxxxx<mailto:knecht.stefan@xxxxxxxxx>> wrote:
Are you using VPD in that database?
On Tue, Nov 5, 2019 at 12:36 AM Charlotte Hammond
<dmarc-noreply@xxxxxxxxxxxxx<mailto:dmarc-noreply@xxxxxxxxxxxxx><mailto:dmarc-noreply@xxxxxxxxxxxxx<mailto:dmarc-noreply@xxxxxxxxxxxxx>>>
wrote:
Hello All,
In my database audit trail I can see lots of entries for use of the privilege
"EXEMPT ACCESS POLICY" (PRIV_USED) for a particular database user (a shared
account used by the front end application - sessions are created/destroyed
dynamically through the day). The RETURNCODE is 0 for these entries.
However this database user does not have this privilege granted to them either
directly or through a role (and the 1 role they have does not have any system
privileges). Also, if I log in directly as this database user using sqlplus I
do not have this privilege. I presume the application is doing something
special when it creates the session but I cannot think what!
So where is this privilege coming from to appear in the audit trail? Any
suggestions on how to track this down much appreciated!
Thanks,
Charlotte
--
//
zztat - The Next-Gen Oracle Performance Monitoring and Reaction Framework!
Visit us at zztat.net<http://zztat.net/> | @zztat_oracle |
fb.me/zztat<http://fb.me/zztat> | zztat.net/blog/<http://zztat.net/blog/>
--
//www.freelists.org/webpage/oracle-l
--
//www.freelists.org/webpage/oracle-l
