Oracle Database

Overview

Oracle Database is a relational database management system (RDBMS) developed by Oracle Corporation. It enables organizations to store, manage, and retrieve data using SQL. The system provides features for maintaining data integrity, performing backups and recoveries, controlling access, and optimizing performance. Oracle Database can be deployed on-premises or in the cloud through Oracle Cloud Infrastructure (OCI).

Entitle can manage only pluggable databases (PDB), which are portable collections of schemas, schema objects, and non-schema objects that appear to an application as a separate database. The Container database (CDB) includes all the data files for the PDBs contained within it.

Entitle can manage the following resource types in pluggable databases (PDBs):

  • Databases
    • Roles
    • Administrative privileges
    • System privileges
  • Tables (for visibility only)

This page explains how to integrate Entitle with a pluggable Oracle database.

Types of privileges in Oracle

  1. Administrative privileges - Administrative privileges are designed for commonly performed administrative tasks, such as backup and recovery operations. Oracle Database provides administrative privileges tailored to specific administrative tasks, such as the SYSKM administrative privilege for performing Transparent Data Encryption tasks.

  2. System privileges - enable users to perform actions on schema objects. Examples of a system privilege are the ability to create and update tables or tablespaces.

  3. Roles - group several privileges and roles, so that they can be granted to and revoked from users simultaneously. You must enable the role for a user before the user can use it.

  4. Object privileges - each type of object has privileges associated with it. Objects are schema objects, such as tables or indexes.

    • Table privileges (for visibility only) - enable security at the DML (data manipulation language) or DDL (data definition language) level. DML operations are DELETE, INSERT, SELECT, and UPDATE operations on tables. DDL operations are ALTER, INDEX, and REFERENCES operations on tables and views.

You can grant privileges to a user in two ways using Oracle Database:

  • Grant privilege to users explicitly - for example, you can explicitly grant user Smith the privilege to insert records into the employees table.
  • Grant privilege to a role (a named group of privileges), and then grant the role to one or more users - for example, you can grant the privileges to select, insert, update, and delete records from the employees table to the role named Clerk, which in turn you can grant to users Smith and Robert.

Note: As roles allow for easier and better management of privileges, it is recommended to grant privileges to roles rather than to specific users.
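
The two grant paths above, written out for the page's own example (users Smith and Robert, role Clerk, the employees table), followed by review queries that show which users hold table privileges directly rather than through a role. This is an added example, not part of the original page; the HR schema owner and the pre-existing SMITH and ROBERT accounts are assumptions.

```sql
-- Added example. Assumes the employees table is owned by schema HR and
-- that users SMITH and ROBERT already exist in the pluggable database.

-- Path 1: explicit grant to a single user.
GRANT INSERT ON hr.employees TO smith;

-- Path 2 (the one this page recommends): grant to a role, then grant the role.
CREATE ROLE clerk;
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.employees TO clerk;
GRANT clerk TO smith, robert;

-- Review: privileges on the table that are held directly by users.
-- DBA_TAB_PRIVS lists users and roles alike as grantees; the join to
-- DBA_USERS keeps only the rows where the grantee is a user.
SELECT p.grantee, p.privilege, p.grantor
FROM   dba_tab_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  p.owner = 'HR'
AND    p.table_name = 'EMPLOYEES'
ORDER  BY p.grantee, p.privilege;

-- Review: who reaches the table through the role. DEFAULT_ROLE shows
-- whether the role is enabled automatically when the user connects.
SELECT grantee, granted_role, default_role
FROM   dba_role_privs
WHERE  granted_role = 'CLERK';

-- Moving SMITH to role-only access: remove the direct grant from path 1.
REVOKE INSERT ON hr.employees FROM smith;
```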

Prerequisites

  • The Oracle Database user you choose to integrate with Entitle must have the SYSDBA privilege. If the user does not have this privilege, it must at least have a DBA (Database Administrator) role.
    • If the user has the SYSDBA privilege, Entitle will use it.
    • Only users that have the SYSDBA privilege will be able to manage administrative privileges.

Note: In Oracle Database, the ability to grant the SYSDBA privilege to other users is restricted. Only users who hold the SYSDBA privilege themselves can grant it to others:

  • SYS users.
  • Users that have been granted the SYSDBA privilege.
  • Optional: GRANT_ANY_PRIVILEGE privilege. Without it, the user will not be able to manage access to administrative privileges.

General guidelines

  • Note: Before proceeding with this guide, you may need to install Entitle's Agent for the integration to work. Follow this guide for installation instructions.
  • As mentioned earlier, Entitle integrates only with pluggable databases (PDBs) in Oracle, not with Container databases (CDBs).
  • To integrate Oracle Database with Entitle, you'll need to gather the following information:
    • User credentials — Username and password
    • Host name
    • Pluggable Database name
    • Port number — If not specified, the default port 1521 will be used

Set up Oracle Database to work with Entitle

  • If you need to create a service account for this integration, follow all steps in this section. Otherwise, if you already have a user with the required SYSDBA privilege or a DBA role, proceed from stage 3 onwards.

Stage 1: Connect to the Oracle Database

  • As mentioned earlier, connect to the database using an administrative user with SYSDBA privileges or the SYS user. This connection is typically established through SQL*Plus or another SQL client.

Stage 2: Create a user with SYSDBA privilege or DBA role

  1. Use the CREATE USER statement to create a new user. Replace username and password with your desired values.

  2. Grant SYSDBA privilege (recommended) or DBA role to the user:

    1. To grant the SYSDBA privilege, use the GRANT SYSDBA TO statement:

    2. To grant a DBA role to the user, use the GRANT DBA TO statement:

  3. In the lower part of the screen, you will be able to see whether the user was created and if the privilege/role was granted.

  4. Connecting to the database as the new user is recommended to verify everything works.
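
The Stage 2 steps written out as SQL*Plus input, including queries that confirm the grant and list every account holding SYSDBA or DBA in the PDB. This is an added example, not part of the original page; ENTITLE_SVC, SALESPDB, db.example.com and the password are placeholders, and the connect string assumes the PDB's service name equals the PDB name.

```sql
-- Added example. Run in SQL*Plus as SYS or another user holding SYSDBA.
-- ENTITLE_SVC, SALESPDB, db.example.com and the password are placeholders.

-- Work inside the pluggable database, not the CDB root.
ALTER SESSION SET CONTAINER = SALESPDB;
SHOW CON_NAME

-- Step 1: create the service account as a local user of this PDB.
CREATE USER entitle_svc IDENTIFIED BY "REPLACE_WITH_STRONG_PASSWORD";

-- Step 2, option 1 (recommended by this guide): the SYSDBA privilege.
GRANT SYSDBA TO entitle_svc;

-- Step 2, option 2: the DBA role instead of SYSDBA.
-- GRANT DBA TO entitle_svc;

-- Step 3: confirm what was granted to the new account.
SELECT username, sysdba, con_id
FROM   v$pwfile_users
WHERE  username = 'ENTITLE_SVC';

SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  grantee = 'ENTITLE_SVC';

-- Review: every account in this PDB that holds SYSDBA or the DBA role,
-- so the new service account can be seen next to the existing holders.
SELECT username AS account, 'SYSDBA' AS held
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE'
UNION ALL
SELECT grantee, 'DBA role'
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY 1;

-- Step 4: connect as the new user (SQL*Plus prompts for the password).
-- Use this form if SYSDBA was granted:
CONNECT entitle_svc@//db.example.com:1521/SALESPDB AS SYSDBA
-- Use this form if only the DBA role was granted:
-- CONNECT entitle_svc@//db.example.com:1521/SALESPDB
```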

Stage 3: Fetch the user’s username and password

  • Copy the user’s credentials (username and password), as you will need them later on for the configuration.

Stage 4: Extract your organization’s host (required) and port (optional)

  1. The Entitle configuration requires your pluggable database’s host and port.
    1. If you don't specify a port for Entitle, it will default to 1521.
  2. Keep these details, as you will need them later on for the configuration.

Creating the integration in Entitle

All that is left to do is create an integration on the Entitle application.

  1. Log into Entitle and navigate to the Integrations page.
  2. After clicking the Add Integration button, type Oracle Database in the Application field.
  3. Don’t forget to set the Save on field with your configuration, i.e. your own hosted agent or Entitle’s cloud.
  4. In the connection JSON, add the following information:
    1. Fill the user’s username in the user field.
    2. Fill the user’s password in the password field.
    3. Paste your instance host in the host field.
    4. Optional: Enter your host port in the port field. If you omit it, it will be set by default to 1521.
    5. Enter your (Pluggable) Database name in the database_name field.
      Note: In this field, make sure that the database name is that of a PDB and not a CDB, as Entitle can manage PDBs only.
      Example Connection JSON (the port entry is optional; if it is not provided, it will be set to 1521):
      {
      	"username": "YOUR_USERNAME",
      	"password": "YOUR_PASSWORD",
      	"host": "WWW.EXAMPLE.COM",
      	"port": "PORT_NUMBER",
      	"database_name": "YOUR_DATABASE_NAME"
      }

  5. Finally, click Save.

End-user experience

  1. After logging into Entitle, click the New Request button.

  2. In the new pop-up window, look for the Oracle Database application. Then, choose the resource and the role you want to request access to. Finally, click Next.

  3. Choose the duration of your request. Then, click Next to continue.

  4. Briefly explain the reason for the request. Then, click the Review Request button.

  5. Review your request’s details and make adjustments if needed. Once done, click the Submit request button.

  6. Your request is now submitted and will be added to the My pending requests section.

  7. Once the request is approved, you will have access to the specific role.

