# Oracle Permissions

![](/files/bV66cgZUHAhsDBXbIqYV)

## **Oracle Permissions**

Ensure that CopyStorm is connected to an Oracle database. If this is the initial setup, follow the recommended best practices for configuring [CopyStorm with Oracle](https://learn.capstorm.com/copystorm/readme/best-practices/oracle-database-setup).

CS:Govern using Oracle **requires that the DBMS\_CRYPTO** package is installed and accessible. The following command can be executed to give permissions to use the functions in that package:

```
GRANT EXECUTE ON SYS.DBMS_CRYPTO TO PUBLIC;
```

The `GuardianKey` table, created by CS:Govern, contains highly sensitive data and should be granted the highest level of protection. It is strongly recommended that the database administrator execute the following command to restrict access to this table:

```
REVOKE ALL ON GUARDIANKEY FROM public;
```

## Required Permissions

| Permission Required                    | Why It’s Needed                                                                                                    |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| CREATE TABLE                           | Allows creation of Govern tables for metadata, keys, masking rules, access control, etc.                           |
| CREATE PROCEDURE                       | Required to create stored procedures and user-defined functions used by Govern (e.g., decrypt functions).          |
| CREATE TRIGGER                         | Needed to define insert/update/delete triggers used for enforcing masking and auditing.                            |
| CREATE FUNCTION                        | Required to create user-defined functions used by Govern (e.g., field access logic and decryption routines).       |
| CREATE INDEX                           | Allows creation of indexes to improve performance on Govern metadata queries.                                      |
| SELECT                                 | Allows querying Govern-owned tables (e.g., key lookup, access category resolution).                                |
| INSERT                                 | Used to seed initial data such as access categories, masking rules, and configuration.                             |
| UPDATE                                 | Required to modify Govern configuration or metadata records.                                                       |
| DELETE                                 | Needed to remove config data or reset records during upgrades or testing.                                          |
| REFERENCES                             | Required to define foreign key constraints between Govern tables.                                                  |
| EXECUTE ON DBMS\_CRYPTO                | Needed to perform encryption and decryption using Oracle’s `DBMS_CRYPTO` package.                                  |
| SELECT ON DBA\_ROLES                   | Allows Govern to evaluate database roles for user access enforcement.                                              |
| GRANT SELECT\_CATALOG\_ROLE (optional) | Grants read access to all data dictionary views, including `DBA_ROLES`. Required if explicit access isn’t granted. |
| GRANT EXECUTE ON Govern Functions      | If using `AUTHID DEFINER`, users must be granted `EXECUTE` to call decrypt/access functions directly.              |

## Check If The User Has Essential Database Level Privileges

You can remove the `WHERE` clause from the query to display **all session-level privileges** granted to the current user. This will return an **exhaustive list** of effective privileges and will typically encapsulate **most, if not all**, of the required permissions for installing and operating CS:Govern, including those related to table operations, object creation, and encryption support.

```
SELECT * 
FROM SESSION_PRIVS
WHERE PRIVILEGE IN (
  'CREATE FUNCTION',
  'CREATE PROCEDURE',
  'CREATE TRIGGER',
  'CREATE INDEX',
  'EXECUTE ANY PROCEDURE',
  'CREATE TABLE',
  'ALTER ANY TABLE',
  'DROP ANY TABLE',
  'SELECT ANY TABLE',
  'INSERT ANY TABLE',
  'UPDATE ANY TABLE',
  'DELETE ANY TABLE',
  'CREATE SEQUENCE',
  'CREATE VIEW',
  'CREATE SYNONYM',
  'CREATE TYPE'
);
```

## Expected Output

This list represents typical permissions required for the application to function end-to-end. These include creating and indexing tables, defining stored logic (procedures and triggers), and executing or reading objects across the database. Your user account should return most, if not all, of these privileges.

| PRIVILEGE             |
| --------------------- |
| CREATE TABLE          |
| CREATE PROCEDURE      |
| CREATE TRIGGER        |
| CREATE INDEX          |
| EXECUTE ANY PROCEDURE |
| SELECT ANY TABLE      |

## Check If the User Has EXECUTE Permission On `DBMS_CRYPTO`

This query checks if the current user has permission to execute the `DBMS_CRYPTO` package, which is often required for encryption or decryption operations. This privilege must be explicitly granted and is essential if the application uses database-native cryptographic functions.

```
SELECT * 
FROM DBA_TAB_PRIVS 
WHERE TABLE_NAME = 'DBMS_CRYPTO' 
  AND PRIVILEGE = 'EXECUTE' 
  AND GRANTEE = USER;
```

## Expected Output

A row with `EXECUTE` on `DBMS_CRYPTO` confirms that your user can call built-in cryptographic procedures. If no results are returned, that permission must be granted manually by an admin.

| GRANTEE  | TABLE\_NAME  | PRIVILEGE |
| -------- | ------------ | --------- |
| MY\_USER | DBMS\_CRYPTO | EXECUTE   |

## Check If The User Can View Roles

This query verifies whether the current session has permission to query the database’s internal dictionary views. This is required to inspect role assignments, privileges, and metadata — necessary for features like role-based access auditing or privilege introspection.

```
SELECT * 
FROM SESSION_PRIVS
WHERE PRIVILEGE = 'SELECT ANY DICTIONARY';
```

## Expected Output

If `SELECT ANY DICTIONARY` is listed, the user has access to system-level metadata views. This enables advanced functionality such as privilege inspection, audit logging, or dynamic permission validation within the application.

| PRIVILEGE             |
| --------------------- |
| SELECT ANY DICTIONARY |


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://learn.capstorm.com/cs-govern/best-practices/oracle-permissions.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.