Grant Roles to the Oracle Data Safe Service Account on Your Target Database

The Oracle Data Safe features that you can use with your target database depend on the roles you grant to the Oracle Data Safe service account on that target database. You can grant and revoke roles as needed.

The roles are different for Autonomous Databases versus non-Autonomous Databases. For non-Autonomous databases, you can grant roles to the Oracle Data Safe service account prior to or after registering your database. For Autonomous Databases, you first need to register your database, which unlocks the Oracle Data Safe preseeded service account, and then grant and revoke roles as needed. By default, the Oracle Data Safe service account on an Autonomous Database is already granted some of the roles.

Roles for the Oracle Data Safe Service Account

Oracle Recommendation:

Grant only the roles needed to the Oracle Data Safe service on your target databases. How you grant roles depends on the type of target databases that you have.

The following table describes the roles for non-Autonomous Databases and Autonomous Databases. If you are registering a non-Autonomous Database (for example, a DB system, on-premises Oracle Database, or an Oracle Database on a compute instance), you can grant the roles in the first column. If you are registering an Autonomous Database, you can grant the roles in the second column. By default, some or most of the roles are granted by default so it is best to refer to each type of target registration.

Roles for Non-Autonomous Databases	Roles for Autonomous Databases	Description
`ASSESSMENT`	`DS$ASSESSMENT_ROLE`	Privileges required for the User Assessment and Security Assessment features
`AUDIT_COLLECTION`	`DS$AUDIT_COLLECTION_ROLE`	Privileges required for accessing audit trails for the target database
`DATA_DISCOVERY`	`DS$DATA_DISCOVERY_ROLE`	Privileges required for the Data Discovery feature (discovering sensitive data in the target database)
`MASKING`	`DS$DATA_MASKING_ROLE`	Privileges required for the Data Masking feature (masking sensitive data in the target database)
`AUDIT_SETTING`	`DS$AUDIT_SETTING_ROLE`	Privileges required for updating target database audit policies
`SQL_FIREWALL`	`DS$SQL_FIREWALL_ROLE`	Privileges required for the SQL Firewall feature (collect, monitor, and allow and block SQL traffic) Only for Oracle Database 23ai or later

Grant Roles to the Oracle Data Safe Service on an Autonomous Database

By default, an Autonomous Database comes with a database account specifically created for Oracle Data Safe named DS$ADMIN. The roles that you grant to this account determine the Oracle Data Safe features that you can use with your Autonomous Database.

For an Autonomous Database, all roles are already granted by default, except for DS$DATA_MASKING_ROLE and DS$SQL_FIREWALL_ROLE.

Note:

If Database Vault is enabled on your Autonomous Database, be aware that there are specific steps to take in the procedure below to get Oracle Data Safe to work with Database Vault.

To grant or revoke roles from the Oracle Data Safe service account on an Autonomous Database database, you can run the DS_TARGET_UTIL PL/SQL package on the Autonomous Database. You need to run this package as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.

You can grant or revoke roles as often as needed.

To grant or revoke a role from the Oracle Data Safe service account, do the following:
1. Using a tool like SQL*Plus or SQL Developer, log in to your Autonomous Database as the PDB Admin user (ADMIN) or as a user that has execute permission on the DS_TARGET_UTIL PL/SQL package.
2. Run one of the following commands:
  - ```
  EXECUTE DS_TARGET_UTIL.GRANT_ROLE('role_name');
```
  Note:
  If Database Vault is enabled on your database and you grant the DS$DATA_MASKING_ROLE role, expect an ORA-20001 error and proceed to step 3.
  or
- ```
EXECUTE DS_TARGET_UTIL.REVOKE_ROLE('role_name');
```
    where role_name is the name of an Oracle Data Safe role. role_name must be in quotation marks.
If Database Vault is enabled on your database and you want to use the following features in Oracle Data Safe, do the following:
- User Assessment or Security Assessment features: connect to your database as a user with the DV_OWNER role and grant the DV_SECANALYST role to the DS$ADMIN user.
- Data Masking feature:
  1. Connect to the database as a user with the DV_OWNER role and authorize the ADMIN user to the Oracle System Privilege and Role Management Realm.
  2. Connect to the database as the ADMIN user and grant UNLIMITED TABLESPACE to the DS$ADMIN user.
- SQL Firewall: If you granted the role as the PDB Admin user (ADMIN) or as a user that has the DV_ADMIN or DV_OWNER role, then this step is not necessary. However, if you did not, then connect to your database as a user with the DV_ADMIN or DV_OWNER role and run the following command as a user that has either the DV_ADMIN or DV_OWNER role:
```
BEGIN
    DBMS_MACADM.AUTHORIZE_SQL_FIREWALL (
    uname => '<DATASAFE_ADMIN>',
    manage_dv_admins => 'N');
END;
/
```
  .
If Database Vault is enabled on your database and you want to revoke the following features in Oracle Data Safe, do the following:
- User Assessment or Security Assessment feature: Connect to the database as the a user with the DV_OWNER role and revoke the DV_SECANALYST role from the DS$ADMIN user.
- Data Masking feature:
  1. Connect to the database as the ADMIN user and revoke UNLIMITED TABLESPACE from the DS$ADMIN user.
  2. Connect to the database as a user with the DV_OWNER role and unauthorize the ADMIN user from the Oracle System Privilege and Role Management Realm.
- SQL Firewall feature:
  1. Connect to your database as a user with the DV_ADMIN or DV_OWNER roles and run the following:
```
BEGIN
    DBMS_MACADM.UNAUTHORIZE_SQL_FIREWALL (
        uname => '<DATASAFE_ADMIN>',
        manage_dv_admins => 'Y');
    END;
/
```
- Revoke the SQL_FIREWALL role by following step one.

Grant Roles to the Oracle Data Safe Service on a Non-Autonomous Database

To grant or revoke roles from the Oracle Data Safe service account on a non-Autonomous Database, you need to run a SQL privileges script called datasafe_privileges.sql. You can download this script from Oracle Data Safe in Oracle Cloud Infrastructure. To run the script, you need to be connected to your database as the SYS user.

You can run the script as many times as needed. For example, suppose that in the beginning you only need to use the Activity Auditing feature in Oracle Data Safe. You can run the SQL privileges script to grant the database access to only Activity Auditing. Later, you decide you want to use the Data Discovery feature too. You can run the SQL privileges script again on the database to grant the database access to Data Discovery.

If Database Vault is enabled on your target database and you want to use the User Assessment or Security Assessment features or view audit data in Oracle Data Safe, connect to your database as a user with the DV_OWNER role and grant the DV_SECANALYST and DV_MONITOR roles to the Oracle Data Safe service account.
Download the SQL privileges script. This script is available within the wizards that assist with target database registration. You don't need to work through the wizard and register your target database at this time. Just start the wizard and you'll see the link to download the script on the first page. Download the script and exit the wizard.
1. On the Overview page in the Oracle Data Safe service, find the tile for the wizard that corresponds to the type of database you are working with. Click Start Wizard.The wizard displays the Data Safe Target Information form.
2. Click Download Privilege Script and save the datasafe_privileges.sql script to your computer.
3. Click Cancel.
With SQL Developer or SQL*Plus, connect to your database as the SYS user, and then run the SQL privileges script with the following statement:
```
@datasafe_privileges.sql <DATASAFE_ADMIN> <GRANT|REVOKE> <AUDIT_COLLECTION|AUDIT_SETTING|DATA_DISCOVERY|MASKING|ASSESSMENT|SQL_FIREWALL|ALL> [-RDSORACLE][-VERBOSE]
```
- <DATASAFE_ADMIN> is the name of the Oracle Data Safe service account that you created on your database. It is case-sensitive and must match the account name in the dba_users data dictionary view in your database.
- Specify GRANT or REVOKE depending on whether you want to add privileges to or remove privileges from the Oracle Data Safe service account.
- You can specify only one feature per command, although ALL grants or revokes privileges for all features.
- -RDSORACLE is required if you are registering Amazon RDS for Oracle, otherwise remove the parameter
- -VERBOSE is optional.
If Database Vault is enabled on your database and you want to use the SQL Firewall feature in Data Safe, run the following as a user with either the DV_ADMIN or DV_OWNER role:
```
BEGIN
    DBMS_MACADM.AUTHORIZE_SQL_FIREWALL (
    uname => <DATASAFE_ADMIN>,
    manage_dv_admins => 'N');
END;
/
```
If Database Vault is enabled on your database and you want to stop using the SQL Firewall feature in Data Safe, perform the following as a user with either the DV_ADMIN or DV_OWNER role:
1. Run the following:
```
BEGIN
    DBMS_MACADM.UNAUTHORIZE_SQL_FIREWALL (
        uname => '<DATASAFE_ADMIN>',
        manage_dv_admins => 'Y');
    END;
/
```
2. Revoke the SQL Firewall privilege by following step three.

Example 3-1 Grant all privileges and make all Oracle Data Safe features available

@datasafe_privileges.sql <DATASAFE_ADMIN> GRANT ALL -VERBOSE

Example 3-2 Grant the privileges required to use the making feature

@datasafe_privileges.sql <DATASAFE_ADMIN> GRANT MASKING