Oracle Permissions

Ensure that CopyStorm is connected to an Oracle database. If this is the initial setup, follow the recommended best practices for configuring CopyStorm with Oracle.

CS:Govern using Oracle requires that the DBMS_CRYPTO package is installed and accessible. The following command can be executed to give permissions to use the functions in that package:

GRANT EXECUTE ON SYS.DBMS_CRYPTO TO PUBLIC;

The GuardianKey table, created by CS:Govern, contains highly sensitive data and should be granted the highest level of protection. It is strongly recommended that the database administrator execute the following command to restrict access to this table:

REVOKE ALL ON GUARDIANKEY FROM public;

Required Permissions

Permission Required

Why It’s Needed

CREATE TABLE

Allows creation of Govern tables for metadata, keys, masking rules, access control, etc.

CREATE PROCEDURE

Required to create stored procedures and user-defined functions used by Govern (e.g., decrypt functions).

CREATE TRIGGER

Needed to define insert/update/delete triggers used for enforcing masking and auditing.

CREATE FUNCTION

Required to create user-defined functions used by Govern (e.g., field access logic and decryption routines).

CREATE INDEX

Allows creation of indexes to improve performance on Govern metadata queries.

SELECT

Allows querying Govern-owned tables (e.g., key lookup, access category resolution).

INSERT

Used to seed initial data such as access categories, masking rules, and configuration.

UPDATE

Required to modify Govern configuration or metadata records.

DELETE

Needed to remove config data or reset records during upgrades or testing.

REFERENCES

Required to define foreign key constraints between Govern tables.

EXECUTE ON DBMS_CRYPTO

Needed to perform encryption and decryption using Oracle’s DBMS_CRYPTO package.

SELECT ON DBA_ROLES

Allows Govern to evaluate database roles for user access enforcement.

GRANT SELECT_CATALOG_ROLE (optional)

Grants read access to all data dictionary views, including DBA_ROLES. Required if explicit access isn’t granted.

GRANT EXECUTE ON Govern Functions

If using AUTHID DEFINER, users must be granted EXECUTE to call decrypt/access functions directly.

Check If The User Has Essential Database Level Privileges

You can remove the WHERE clause from the query to display all session-level privileges granted to the current user. This will return an exhaustive list of effective privileges and will typically encapsulate most, if not all, of the required permissions for installing and operating CS:Govern, including those related to table operations, object creation, and encryption support.

SELECT * 
FROM SESSION_PRIVS
WHERE PRIVILEGE IN (
  'CREATE FUNCTION',
  'CREATE PROCEDURE',
  'CREATE TRIGGER',
  'CREATE INDEX',
  'EXECUTE ANY PROCEDURE',
  'CREATE TABLE',
  'ALTER ANY TABLE',
  'DROP ANY TABLE',
  'SELECT ANY TABLE',
  'INSERT ANY TABLE',
  'UPDATE ANY TABLE',
  'DELETE ANY TABLE',
  'CREATE SEQUENCE',
  'CREATE VIEW',
  'CREATE SYNONYM',
  'CREATE TYPE'
);

Expected Output

This list represents typical permissions required for the application to function end-to-end. These include creating and indexing tables, defining stored logic (procedures and triggers), and executing or reading objects across the database. Your user account should return most, if not all, of these privileges.

PRIVILEGE

CREATE TABLE

CREATE PROCEDURE

CREATE TRIGGER

CREATE INDEX

EXECUTE ANY PROCEDURE

SELECT ANY TABLE

Check If the User Has EXECUTE Permission On `DBMS_CRYPTO`

This query checks if the current user has permission to execute the DBMS_CRYPTO package, which is often required for encryption or decryption operations. This privilege must be explicitly granted and is essential if the application uses database-native cryptographic functions.

SELECT * 
FROM DBA_TAB_PRIVS 
WHERE TABLE_NAME = 'DBMS_CRYPTO' 
  AND PRIVILEGE = 'EXECUTE' 
  AND GRANTEE = USER;

Expected Output

A row with EXECUTE on DBMS_CRYPTO confirms that your user can call built-in cryptographic procedures. If no results are returned, that permission must be granted manually by an admin.

GRANTEE

TABLE_NAME

PRIVILEGE

MY_USER

DBMS_CRYPTO

EXECUTE

Check If The User Can View Roles

This query verifies whether the current session has permission to query the database’s internal dictionary views. This is required to inspect role assignments, privileges, and metadata — necessary for features like role-based access auditing or privilege introspection.

SELECT * 
FROM SESSION_PRIVS
WHERE PRIVILEGE = 'SELECT ANY DICTIONARY';

Expected Output

If SELECT ANY DICTIONARY is listed, the user has access to system-level metadata views. This enables advanced functionality such as privilege inspection, audit logging, or dynamic permission validation within the application.

PRIVILEGE

SELECT ANY DICTIONARY

Last updated 17 days ago

Was this helpful?

Good night

hashtagOracle Permissions

hashtagRequired Permissions

hashtagCheck If The User Has Essential Database Level Privileges

hashtagExpected Output

hashtagCheck If the User Has EXECUTE Permission On DBMS_CRYPTO

hashtagExpected Output

hashtagCheck If The User Can View Roles

hashtagExpected Output