
Oracle Permissions
Ensure that CopyStorm is connected to an Oracle database. If this is the initial setup, follow the recommended best practices for configuring CopyStorm with Oracle.
CS:Govern using Oracle requires that the DBMS_CRYPTO package is installed and accessible. The following command can be executed to give permissions to use the functions in that package:
The GuardianKey table, created by CS:Govern, contains highly sensitive data and should be granted the highest level of protection. It is strongly recommended that the database administrator execute the following command to restrict access to this table:
Required Permissions
Permission Required | Why It’s Needed |
---|---|
CREATE TABLE | Allows creation of Govern tables for metadata, keys, masking rules, access control, etc. |
CREATE PROCEDURE | Required to create stored procedures and user-defined functions used by Govern (e.g., decrypt functions). |
CREATE TRIGGER | Needed to define insert/update/delete triggers used for enforcing masking and auditing. |
CREATE FUNCTION | Required to create user-defined functions used by Govern (e.g., field access logic and decryption routines). |
CREATE INDEX | Allows creation of indexes to improve performance on Govern metadata queries. |
SELECT | Allows querying Govern-owned tables (e.g., key lookup, access category resolution). |
INSERT | Used to seed initial data such as access categories, masking rules, and configuration. |
UPDATE | Required to modify Govern configuration or metadata records. |
DELETE | Needed to remove config data or reset records during upgrades or testing. |
REFERENCES | Required to define foreign key constraints between Govern tables. |
EXECUTE ON DBMS_CRYPTO | Needed to perform encryption and decryption using Oracle’s DBMS_CRYPTO package. |
SELECT ON DBA_ROLES | Allows Govern to evaluate database roles for user access enforcement. |
GRANT SELECT_CATALOG_ROLE (optional) | Grants read access to all data dictionary views, including DBA_ROLES. Required if explicit access isn’t granted. |
GRANT EXECUTE ON Govern Functions | If using AUTHID DEFINER, users must be granted EXECUTE to call decrypt/access functions directly. |
Check If The User Has Essential Database Level Privileges
You can remove the WHERE clause from the query to display all session-level privileges granted to the current user. This returns an exhaustive list of effective privileges and will typically cover most, if not all, of the permissions required for installing and operating CS:Govern, including those related to table operations, object creation, and encryption support.
Expected Output
This list represents typical permissions required for the application to function end-to-end. These include creating and indexing tables, defining stored logic (procedures and triggers), and executing or reading objects across the database. Your user account should return most, if not all, of these privileges.
PRIVILEGE |
---|
CREATE TABLE |
CREATE PROCEDURE |
CREATE TRIGGER |
CREATE INDEX |
EXECUTE ANY PROCEDURE |
SELECT ANY TABLE |
Check If the User Has EXECUTE Permission On DBMS_CRYPTO
This query checks if the current user has permission to execute the DBMS_CRYPTO package, which is often required for encryption or decryption operations. This privilege must be explicitly granted and is essential if the application uses database-native cryptographic functions.
Expected Output
A row with EXECUTE on DBMS_CRYPTO confirms that your user can call built-in cryptographic procedures. If no results are returned, that permission must be granted manually by an admin.
GRANTEE | TABLE_NAME | PRIVILEGE |
---|---|---|
MY_USER | DBMS_CRYPTO | EXECUTE |
Check If The User Can View Roles
This query verifies whether the current session has permission to query the database’s internal dictionary views. This is required to inspect role assignments, privileges, and metadata — necessary for features like role-based access auditing or privilege introspection.
Expected Output
If SELECT ANY DICTIONARY is listed, the user has access to system-level metadata views. This enables advanced functionality such as privilege inspection, audit logging, or dynamic permission validation within the application.
PRIVILEGE |
---|
SELECT ANY DICTIONARY |
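The following script is an added example, not part of the CS:Govern documentation or product: run as the account CopyStorm will connect with, it combines the three checks above into one pass, reports privileges that are missing rather than listing those present, and adds a functional call to each package or view so a grant that exists only on paper is caught. It assumes Oracle 12c or later (for DBMS_CRYPTO.HASH_SH256); the required-privilege list is the one from the expected output tables above, and 'copystorm' is a constructed test string.

```sql
-- Added example, not the CS:Govern product's own scripts. Run as the
-- database account CopyStorm uses; each statement is independent.

-- 1. Required system privileges that are NOT active in this session.
--    SESSION_PRIVS reflects direct grants plus privileges from enabled roles.
--    CAST forces VARCHAR2: otherwise Oracle types the UNION as CHAR and
--    blank-pads the shorter literals, so they never match SESSION_PRIVS.
WITH required (privilege) AS (
  SELECT CAST('CREATE TABLE' AS VARCHAR2(40)) FROM dual UNION ALL
  SELECT 'CREATE PROCEDURE'      FROM dual UNION ALL
  SELECT 'CREATE TRIGGER'        FROM dual UNION ALL
  SELECT 'CREATE INDEX'          FROM dual UNION ALL
  SELECT 'EXECUTE ANY PROCEDURE' FROM dual UNION ALL
  SELECT 'SELECT ANY TABLE'      FROM dual UNION ALL
  SELECT 'SELECT ANY DICTIONARY' FROM dual
)
SELECT r.privilege AS missing_privilege
FROM   required r
WHERE  NOT EXISTS (SELECT 1 FROM session_privs s WHERE s.privilege = r.privilege)
ORDER  BY r.privilege;
-- Expected for a correctly provisioned account: no rows.

-- 2. EXECUTE on DBMS_CRYPTO, granted directly (USER_TAB_PRIVS) or through
--    a role the user holds (ROLE_TAB_PRIVS). Expected: at least one row.
SELECT grantee, table_name, privilege
FROM   user_tab_privs
WHERE  table_name = 'DBMS_CRYPTO' AND privilege = 'EXECUTE'
UNION ALL
SELECT role AS grantee, table_name, privilege
FROM   role_tab_privs
WHERE  table_name = 'DBMS_CRYPTO' AND privilege = 'EXECUTE';

-- Functional smoke test: succeeds only if the package is actually callable.
-- Without the grant it fails with ORA-00904 (invalid identifier).
-- 'copystorm' is a constructed test string, not a key or secret.
SELECT DBMS_CRYPTO.HASH(UTL_RAW.CAST_TO_RAW('copystorm'),
                        DBMS_CRYPTO.HASH_SH256) AS sha256_of_test_string
FROM   dual;

-- 3. Dictionary access for role evaluation: either SELECT ANY DICTIONARY
--    (covered by check 1) or a direct SELECT grant on SYS.DBA_ROLES.
SELECT grantee, table_name, privilege
FROM   user_tab_privs
WHERE  owner = 'SYS' AND table_name = 'DBA_ROLES' AND privilege = 'SELECT';

-- Smoke test: ORA-00942 (table or view does not exist) means neither path is granted.
SELECT COUNT(*) AS visible_roles FROM dba_roles;
```

Grants that arrive through a non-default role do not appear in SESSION_PRIVS until the role is enabled, so a privilege reported as missing by check 1 may simply need SET ROLE or a default-role change rather than a new GRANT.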