# Oracle Database (AWS RDS) ### Overview Veza supports Oracle Database on AWS RDS as part of the [AWS integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws.md). When enabled for an AWS integration, Veza will discover Oracle Database instances and clusters in the account, and connect to each database to extract authorization metadata. This document includes steps to enable Oracle Database extraction for a configured AWS integration. See [Notes and Supported Entities](#notes-and-supported-entities) for more information about the metadata collected by Veza. ### Configure Oracle Database discovery for AWS RDS To discover Oracle Database on RDS, you will need: * An [AWS Integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws.md) enabled for the host AWS account. * A local database user created in each Oracle database to discover, including any tenant databases. The user must have the `CREATE SESSION` and `SELECT ANY DICTIONARY` privileges. * An [Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity.md) is recommended for secure communication between Veza and the databases to extract. The parent AWS integration should be configured to use this insight point. #### Update Veza-AWS extraction policy * In the AWS account console, ensure that the [IAM policy for the Veza Integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws.md#1-create-a-veza-aws-connector-policy) includes the `rds:DescribeTenantDatabases` capability. The RDS section should look like: ```json { "Sid": "RDS", "Effect": "Allow", "Action": [ "rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds-db:connect", "rds:DescribeTenantDatabases" ], "Resource": "*" }, ``` #### Create local database users Create a local user in each Oracle database to discover (including tenant databases): 1. Log in to the Oracle Database instance as an administrator. 2. Create a local user. This user must have the same name and password for all Oracle databases the integration will discover. 3. Grant permissions: ```sql GRANT CREATE SESSION TO veza_db_user; GRANT SELECT ANY DICTIONARY TO veza_db_user; ``` 4. Repeat this process for each database to extract authorization metadata. #### Enable Oracle Database discovery and extraction 1. In Veza, go to the **Integrations** page. 2. Search for the parent AWS account integration and click **Edit**. 3. In the configuration, check that the **DB User** matches the name of the user you created. 4. Enter the user **Password**. 5. Configure **Connection Security** if your RDS Oracle instances require encrypted connections. See [Connection Security](#connection-security) below. 6. **Save** the configuration. ### Connection Security AWS RDS Oracle instances can require SSL/TLS encrypted connections depending on your RDS instance configuration. The integration supports three connection security modes for RDS Oracle databases. #### TLS with CA Certificate The integration establishes an encrypted TLS connection using a CA certificate to verify the RDS Oracle server's identity. Upload a PEM-encoded CA certificate file (`.pem`, maximum 1MB) through the integration configuration interface. AWS provides RDS certificate bundles that can be downloaded from the [AWS RDS SSL/TLS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html). The integration automatically detects whether your RDS instances use port 1521 (standard) or 2484 (SSL/TLS default) and negotiates appropriate TLS protocol versions. To configure TLS with a CA certificate, select **TLS** from the **Connection Security** dropdown and upload your CA certificate file when prompted. #### Oracle Wallet The integration establishes an encrypted connection using an Oracle Wallet file. Upload an auto-login wallet file (`cwallet.sso`, maximum 1MB) that contains the necessary certificates, private keys, and trusted Certificate Authorities. This method is less common for RDS deployments but supported for organizations that standardize on Oracle Wallet across all Oracle database types. To configure Oracle Wallet authentication, select **Oracle Wallet** from the **Connection Security** dropdown and upload your wallet file when prompted. #### Default (Unencrypted) The integration connects without SSL/TLS encryption. Database credentials and authorization metadata are transmitted in cleartext. This mode should only be used for development or testing RDS instances that do not process sensitive data. ### Enabling Lifecycle Management See [Oracle Database provisioning](/4yItIzMvkpAvMVFAamTf/integrations/integrations/oracle-database/provisioning.md) for more details and a list of supported actions. The Veza integration user will need additional permissions to modify database users and roles: ```sql GRANT CREATE USER TO veza_db_user; GRANT DROP USER TO veza_db_user; GRANT ALTER USER TO veza_db_user; GRANT CREATE ROLE TO veza_db_user; GRANT GRANT ANY ROLE TO veza_db_user; GRANT GRANT ANY PRIVILEGE TO veza_db_user; ``` ### Notes and Supported Entities The AWS integration discovers RDS Services, RDS Clusters, and RDS Instances, which can be RDS Oracle instances. These can contain a single Oracle DB Database, or multiple tenant databases, modeled with the following graph entities: #### OracleDB Database Represents an Oracle database instance. Multitenant configurations can have more than one database within a single RDS Oracle instance. | Attribute | Description | | --------- | ----------------------------------- | | Name | The name of the Oracle database. | | Id | Unique identifier for the database. | | Type | The type of the database entity. | #### OracleDB Object Privilege Grants Represents the privilege grants for objects in the Oracle database. These are granted explicitly to Users and Roles and apply to specific Tables. | Attribute | Description | | ------------------------ | ------------------------------------------ | | Name | The name of the privilege grant. | | Id | Unique identifier for the privilege grant. | | Type | The type of the privilege grant entity. | | Privileges Grantable | List of grantable privileges. | | Privileges Non Grantable | List of Non Grantable privileges. | There are no explicit privileges over schemas in OracleDB versions currently supported by AWS. Each user owns their own schema, created for each user. Note that **Column privileges** are not yet modeled. **Schema privileges** are only available in Oracle DB version 23 (not currently supported on AWS RDS). #### OracleDB Roles Represents the roles defined within the Oracle database. Roles describe Object Privilege Grants that enable specific actions on tables. OracleDB roles can assume other roles. | Attribute | Description | | ------------------- | ------------------------------------------------- | | Name | The name of the role. | | Id | Unique identifier for the role. | | Type | The type of the role entity. | | Authentication Type | The type of authentication used for the role. | | Common | Indicates if the role is common across databases. | | Oracle Maintained | Indicates if the role is maintained by Oracle. | | Password Required | Indicates if a password is required for the role. | #### OracleDB Schema Represents a schema within the Oracle database. A schema within an OracleDB Database contains individual tables. Users can be assigned to Schema as owners. | Attribute | Description | | --------- | --------------------------------- | | Name | The name of the schema. | | Id | Unique identifier for the schema. | | Type | The type of the schema entity. | #### OracleDB User Represents a user within the Oracle database. OracleDB Users are local accounts within a database. | Attribute | Description | | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | | Name | The name of the user. | | Id | Unique identifier for the user. | | Type | The type of the user entity. | | Account Status | The status of the user's account. | | Authentication Type | The type of authentication used for the user. | | Common | Indicates if the user is common across databases. | | Identity Type | The type of identity of the user. | | Is Active | Indicates if the user is active. | | Profile | The profile associated with the user. | | System Privileges Admin | List of system privileges granted to the user. | | Created At | Timestamp when the user was created. | | Last Used At | Timestamp when the user last logged in. Updated via volatile extraction for frequent refresh. | | Password Change Date | Timestamp when the user last changed their password. Available in Oracle 19c+, only populated when authentication type is PASSWORD. | | Password Expiration Date | Profile-based password expiration timestamp. | | Oracle Maintained | Indicates if the user is maintained by Oracle. | | System Privileges Non-Admin | List of non-admin system privileges granted to the user. | | System Privileges Common Admin | List of common admin system privileges granted to the user, optional. | | System Privileges Common Non-Admin | List of common non-admin system privileges granted to the user, optional. | #### OracleDB Table Represents a table within the Oracle database. Veza shows effective permissions from OracleDB Users to OracleDB Tables. | Attribute | Description | | --------- | -------------------------------- | | Name | The name of the table. | | Id | Unique identifier for the table. | | Type | The type of the table entity. | #### OracleDB View A view is a virtual table that provides a way to represent the result of a SQL query as if it were a table. It does not store data itself but dynamically retrieves it from the underlying tables when queried. | Attribute | Description | | -------------------- | ----------------------------------------- | | Name | The name of the view. | | Id | Unique identifier for the view. | | Type | The type of the view entity. | | Read Only | Whether the view is read-only. | | Container Data | Whether the view contains container data. | | Bequeath | Bequeath privilege setting for the view. | | Has Sensitive Column | Whether the view has sensitive columns. | #### OracleDB Materialized View A materialized view is a database object that contains the results of a query and stores the data physically. It can be refreshed periodically to reflect changes in the underlying data. This entity has the standard Name, Id, and Type attributes. #### OracleDB Procedure A procedure is a stored PL/SQL block that performs a specific task. It can take parameters, execute multiple SQL statements, and encapsulate business logic. | Attribute | Description | | ----------- | ---------------------------------------------------------------------- | | Name | The name of the procedure. | | Id | Unique identifier for the procedure. | | Type | The type of the procedure entity. | | Object Type | The type of the procedure object (e.g., PROCEDURE, FUNCTION, PACKAGE). | #### OracleDB Trigger A trigger is a special type of stored procedure that automatically executes in response to certain events on a table or view, such as INSERT, UPDATE, or DELETE operations. | Attribute | Description | | ------------------ | ---------------------------------------------------------------------------- | | Name | The name of the trigger. | | Id | Unique identifier for the trigger. | | Type | The type of the trigger entity. | | Trigger Type | The type of trigger (e.g., BEFORE, AFTER, INSTEAD OF). | | Triggering Event | The event that fires the trigger (e.g., INSERT, UPDATE, DELETE). | | Base Object Type | Type of the object the trigger is defined on (e.g., TABLE, VIEW, SCHEMA). | | Base Object Schema | Schema of the base object, if applicable. | | Base Object Name | Name of the base object, if applicable (not set for DATABASE/SCHEMA scopes). | | Status | Status of the trigger (e.g., ENABLED, DISABLED). | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws-oracle-db.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.