Minimum Permissions for Scan Accounts

Forcepoint DSPM Oracle structured data connectors scan Oracle data sources to enable cataloging and classification. This section outlines the minimum Oracle privileges needed for a scan account, enabling customers to create a least-privilege user instead of relying on SYS, SYSTEM, or a DBA-level account.

Applies to: Oracle Database 12c and later (on-prem / Oracle Cloud / Autonomous DB).

Connection Prerequisites
Requirement Reason
Network reachability to the Oracle listener host:port (default 1521) Establish TCP connection
A database user with CREATE SESSION system privilege Establish JDBC connection

The connector uses the Oracle thin JDBC driver. No SYSDBA / SYSOPER administrative connection is required. The DBA role is also not required, although a number of DBA_* dictionary views are read.

How Oracle data-dictionary access works

The connector reads a mix of ALL_* and DBA_* data-dictionary views. ALL_* views show only objects the current user has at least one privilege on; DBA_* views show every object in the database but require explicit dictionary access. Full coverage for table-size calculation depends on DBA_SEGMENTS, DBA_LOBS, and DBA_INDEXES, which are DBA-only.

The simplest way to grant DBA_* read access without granting the full DBA role is the SELECT ANY DICTIONARY system privilege.

Operations and Required Permissions

  1. Connection test and database metadata
    Operation Dictionary views read Minimum grant
    Test connection   CREATE SESSION
    Schema enumeration ALL_USERS Implicit
    Table/view listing ALL_TABLES, ALL_OBJECTS Implicit (rows filtered to objects the user can SELECT)
    Column / PK / FK metadata (bulk prefetch) ALL_TAB_COLUMNS, ALL_TAB_IDENTITY_COLS, ALL_CONSTRAINTS, ALL_CONS_COLUMNS Implicit
    Approximate row count ALL_TABLES (NUM_ROWS) Implicit
    Approximate table & index size DBA_TABLES, DBA_SEGMENTS, DBA_LOBS, DBA_INDEXES SELECT ANY DICTIONARY
  2. Data sampling
    Operation Tables read Minimum grant
    SAMPLE(percent) row sample Target user table/view SELECT on the target table/view
    First-N-rows fallback (WHERE ROWNUM <= ?) Target user table/view SELECT on the target table/view
    Column payload sampling Target user table/view SELECT on the target table/view
  3. Trustee (users & roles) extraction
    Operation Dictionary views read Minimum grant
    List users DBA_USERS SELECT ANY DICTIONARY
    List roles DBA_ROLES, SELECT ANY DICTIONARY
    Recursive role membership / admin-role detection DBA_ROLE_PRIVS SELECT ANY DICTIONARY

    The connector detects admin-role holders by checking membership in (DBA, SYSDBA, SYSOPER, SYSBACKUP', SYSDG, SYSKM, IMP_FULL_DATABASE, EXP_FULL_DATABASE, DATAPUMP_EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE) via DBA_ROLE_PRIVS via DBA_ROLE_PRIVS.

  4. Permissions extraction
    Operation Dictionary views read Minimum grant
    Database-level system privileges (CREATE SESSION, CONNECT) DBA_SYS_PRIVS, DBA_ROLE_PRIVS SELECT ANY DICTIONARY
    Schema- and table-level grants DBA_TAB_PRIVS SELECT ANY DICTIONARY
    Column-level grants DBA_COL_PRIVS SELECT ANY DICTIONARY
    Admin-role holders DBA_ROLE_PRIVS SELECT ANY DICTIONARY

Granting data access

The scan account must be granted full read access to the entire datasource. Oracle's standard single-grant analog of SQL Server's db_datareader is the SELECT ANY TABLE system privilege, which grants SELECT on every current and future user table and view (excluding the SYS schema by default):
GRANT SELECT ANY TABLE TO FP_USER;

This privilege is read-only; it does not allow INSERT, UPDATE, DELETE, or any DDL.

Consolidated grant script
-- 1) Create the scan account
CREATE USER FP_USER IDENTIFIED BY "<STRONG_PASSWORD>";

-- 2) Allow JDBC login
GRANT CREATE SESSION TO FP_USER;

-- 3) Data + metadata access — full read access to the entire datasource
GRANT SELECT ANY TABLE TO FP_USER;

-- 4) Dictionary access for metadata, trustee, and permissions extraction
GRANT SELECT ANY DICTIONARY TO FP_USER;

Verification

Connect as FP_USER and run:
-- Connection + privilege overview
SELECT * FROM SESSION_PRIVS;
SELECT * FROM USER_SYS_PRIVS;

-- Metadata & data scan
SELECT COUNT(*) FROM ALL_USERS;
SELECT OWNER, TABLE_NAME, NUM_ROWS FROM ALL_TABLES FETCH FIRST 5 ROWS ONLY;
SELECT * FROM <SCHEMA>.<TABLE> WHERE ROWNUM <= 10;
SELECT SUM(BYTES) FROM DBA_SEGMENTS;   -- via SELECT ANY DICTIONARY

-- Trustee scan
SELECT USERNAME, ACCOUNT_STATUS FROM DBA_USERS FETCH FIRST 5 ROWS ONLY;
SELECT ROLE FROM DBA_ROLES FETCH FIRST 5 ROWS ONLY;
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS FETCH FIRST 5 ROWS ONLY;

-- Permissions extraction
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS FETCH FIRST 5 ROWS ONLY;
SELECT * FROM DBA_TAB_PRIVS FETCH FIRST 5 ROWS ONLY;
SELECT * FROM DBA_COL_PRIVS FETCH FIRST 5 ROWS ONLY;

All queries should return without ORA-00942 (table or view does not exist) or ORA-01031 (insufficient privileges). Empty result sets are acceptable when the underlying object has no matching rows.

What is not required

The scan account does not need any of the following:

  • SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM administrative connections

  • The DBA role

  • IMP_FULL_DATABASE, EXP_FULL_DATABASE, DATAPUMP_* roles

  • ALTER ANY TABLE, CREATE ANY TABLE, DROP ANY TABLE

  • INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE

  • UNLIMITED TABLESPACE.