Minimum Permissions for Scan Accounts

Forcepoint DSPM MySQL Structured Data connectors scan MySQL data sources for cataloging and classification. This section documents the minimum MySQL grants required for a dedicated scan account, allowing customers to provision a least-privilege login instead of using an admin account.

Applies to: MySQL 8.0 or later is the minimum supported version. Where applicable, differences in guidance between the default caching_sha2_password authentication plugin and the legacy mysql_native_password plugin are noted throughout.

Connection Prerequisites
Requirement Reason
Network reachability to MySQL host:port Establish TCP connection
Valid MySQL account with login privilege Establish JDBC connection

The connector uses the official MySQL JDBC driver. No global privileges (SUPER, PROCESS, RELOAD, etc.) are required.

Operations and Required Permissions

  1. Connection test and database metadata
    Operation Tables read Minimum grant
    Test connection   Login
    List schemas (paginated) information_schema.schemata SELECT on at least one object in each target schema
    List tables (paginated) information_schema.tables SELECT on <db>.*
    Get table & column metadata (JDBC getTables/getColumns) information_schema.tables, information_schema.columns SELECT on <db>.*
    Approximate row count / table size information_schema.tables SELECT on <db>.*
  2. Data sampling
    Operation Tables read Minimum grant
    First-N-rows sample Target user table/view SELECT on the target table/view
    Column payload sampling Target user table/view SELECT on the target table/view

    Random sampling is not supported on MySQL — only first-N-rows reads are issued, so no RAND() or TABLESAMPLE-related privileges apply.

  3. Trustee (users and roles) extraction
    Operation Tables read Minimum grant
    List users and roles mysql.user SELECT on mysql.user
    Resolve group memberships (recursive) mysql.role_edges, mysql.user SELECT on mysql.role_edges, mysql.user

    MySQL 8.0+ represents roles as locked accounts in mysql.user. The connector classifies trustee type using account_locked, password_expired, and authentication_string, so all three columns must be readable.

  4. Permissions extraction
    Operation Tables read Minimum grant
    Database-level grants mysql.db, mysql.user SELECT on mysql.db, mysql.user
    Schema-level grants information_schema.schema_privileges, mysql.user SELECT on mysql.user
    Table-level grants information_schema.table_privileges, mysql.user SELECT on mysql.user
    Column-level grants information_schema.column_privileges, mysql.user SELECT on mysql.user
    Super-admin (SUPER) holders information_schema.user_privileges, mysql.user SELECT on mysql.user
    Effective permissions (recursive role expansion) mysql.role_edges, mysql.user SELECT on mysql.role_edges, mysql.user

Granting data access

The scan account must be granted full read access to the entire datasource. This applies to all current and future user databases automatically and ensures cataloging and classification work without gaps.
GRANT SELECT ON *.* TO 'fp_user'@'%';

SELECT ON *.* is the MySQL global read-only equivalent of SQL Server's db_datareader role. It excludes write/DDL privileges and does not grant access to mysql.* system tables (those are still controlled separately via the trustee + permissions grants below).

Consolidated grant script
-- 1) Create the scan account (tighten host scope as needed, e.g. '10.0.%')
CREATE USER 'fp_user'@'%' IDENTIFIED BY 'ChangeMe_StrongPwd!23';

-- 2) Data + metadata access — full read access to the entire datasource
GRANT SELECT ON *.* TO 'fp_user'@'%';

-- 3) Trustee + permissions extraction
GRANT SELECT ON `mysql`.`user`       TO 'fp_user'@'%';
GRANT SELECT ON `mysql`.`db`         TO 'fp_user'@'%';
GRANT SELECT ON `mysql`.`role_edges` TO 'fp_user'@'%';

-- 4) Apply
FLUSH PRIVILEGES;

Run each GRANT as a separate statement if the SQL client (DataGrip, JDBC without allowMultiQueries=true, etc.) rejects multi-statement execution.

If your environment policy allows for a broader system-level grant, the following simplified form can be used as an alternative to step 3:
GRANT SELECT ON `mysql`.* TO 'fp_user'@'%';

Verification

Run as fp_user to confirm each capability:
-- Connection + grants overview
SHOW GRANTS;

-- Metadata & data scan
SELECT schema_name FROM information_schema.schemata;
SELECT table_name, table_rows, data_length, index_length
  FROM information_schema.tables WHERE table_schema = '<your_database>';
SELECT * FROM `<your_database>`.`<table>` LIMIT 10;

-- Trustee scan
SELECT user, host, account_locked, password_expired FROM mysql.user;
SELECT from_user, from_host, to_user, to_host FROM mysql.role_edges;

-- Permissions extraction
SELECT * FROM mysql.db;
SELECT * FROM information_schema.schema_privileges;
SELECT * FROM information_schema.table_privileges;
SELECT * FROM information_schema.column_privileges;
SELECT * FROM information_schema.user_privileges WHERE privilege_type = 'SUPER';

All queries should return without ERROR 1142 (command denied) or ERROR 1227 (access denied). Empty result sets are acceptable when the underlying object has no matching rows (e.g. no SUPER holders, no role grants).

What is not required

The scan account does not need any of the following:

  • SUPER, SYSTEM_VARIABLES_ADMIN, AUDIT_ADMIN, or any *_ADMIN dynamic privilege

  • PROCESS, RELOAD, SHUTDOWN, REPLICATION CLIENT, REPLICATION SLAVE

  • INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES, EXECUTE on any object

  • Write access of any kind on mysql.*