# Oracle Database ### Overview The Veza integration for Oracle Database connects to a standalone Oracle deployment to discover Databases, Object Privilege Grants, Roles, Schemas, Users, and Tables. Veza connects as a local user to discover authorization entities and metadata within the root database and any container databases and pluggable databases in a multi-tenant configuration. After configuring the integration, you can: * Review effective and system-level permissions for users with access to the Oracle database, schemas, and tables. * Create rules for alerts, generate reports for tracking and visibility, and define Separation of Duties (SoD) violations for roles and privileges in Oracle Database. * Conduct user access and entitlement reviews based on the individual roles, privileges, and resources accessible to human and machine identities. This document includes steps to configure an Oracle Database integration, along with notes and supported entities. ### Prerequisites To connect to Oracle Database, you will need: * A local database user for the integration, with the `CREATE SESSION` and `SELECT ANY DICTIONARY` privileges. If your Oracle Database uses the multi-tenant option where a single Container Database (CDB) hosts individual pluggable databases (PDB), the user must be a common user with access to all databases to extract authorization metadata. * An [Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity.md) for secure communication between Veza and the Oracle Database host in production environments. * For testing purposes, you can use the internal Insight Point for the connection. In this case, firewall rules and filters must allow inbound traffic from Veza's Gateway IP addresses. * Supported Oracle Database version 19c, 21c or 23ai ### Configure Oracle Database Discovery #### Create Database User Create a common user in the Oracle Database: 1. Connect to a common user with the `CREATE USER` privilege and ensure the current container is the root container. 2. Create a user, with the prefix "C##" or "c##". 3. Grant required permissions to the integration user. Run the following SQL commands to create a common user with access to all container databases. Update the integration user name and password in the example: ```sql ALTER SESSION SET CONTAINER=CDB$ROOT; CREATE USER c##veza_db_user IDENTIFIED BY password1223; GRANT CREATE SESSION, ALTER SESSION TO c##veza_db_user CONTAINER=ALL; GRANT SELECT ANY DICTIONARY TO c##veza_db_user CONTAINER=ALL; ALTER USER c##veza_db_user SET container_data=all CONTAINER=CURRENT; ``` Save the username and password to configure the integration in Veza. #### Enable the Oracle Database Integration in Veza 1. In Veza, go to the **Integrations** page. 2. Click **Add Integration**. 3. Search for **OracleDB**. Select it and click **Next**. 4. Configure the integration: * **Insight Point**: Select an Insight Point or choose to use the default internal Insight Point for the connection. * **Name**: Enter a display name to identify the provider. * **Server Address**: Address of your Oracle Database instance, e.g., `myoracleserver.domain.com` or `192.168.1.100`. * **Server Port**: Port for the connection, e.g., `1521` (or `2484` for SSL/TLS). * **Database Name**: Database name, e.g., `ORACLE`. You can retrieve this with the SQL command `select * from global_name;`. * **Username**: Name of the user created in the steps above, e.g., `c##veza_db_user`. * **Password**: Password of the integration user. * **Connection Security**: Select the connection security mode. See [Connection Security](#connection-security) below for configuration options. 5. Click **Save** to test the connection and save the configuration. 6. Validate the integration was successful by checking the integration status on the **Integrations** page. Click the integration name to view detailed status and events for each data source. ### Connection Security The Oracle Database integration supports three connection security modes. Select the appropriate mode based on your database deployment and security requirements. #### TLS with CA Certificate The integration establishes an encrypted TLS connection using a CA certificate to verify the Oracle server's identity. Upload a PEM-encoded CA certificate file (`.pem`, maximum 1MB) through the integration configuration interface. This method is commonly used with AWS RDS Oracle deployments and modern cloud-native environments. The integration automatically negotiates TLS protocol versions and cipher suites compatible with your Oracle database version. To configure TLS with a CA certificate, select **TLS** from the **Connection Security** dropdown and upload your CA certificate file when prompted. #### Oracle Wallet The integration establishes an encrypted connection using an Oracle Wallet file. Upload an auto-login wallet file (`cwallet.sso`, maximum 1MB) that contains the necessary certificates, private keys, and trusted Certificate Authorities. This method is the standard for traditional on-premises Oracle deployments and Oracle Cloud Autonomous Database instances. If you have a password-protected wallet (`ewallet.p12`), convert it to auto-login format using Oracle's `orapki` utility before uploading. To configure Oracle Wallet authentication, select **Oracle Wallet** from the **Connection Security** dropdown and upload your wallet file when prompted. #### Default (Unencrypted) The integration connects without SSL/TLS encryption. Database credentials and authorization metadata are transmitted in cleartext. This mode should only be used for development or testing environments that do not process sensitive data. #### Enabling Lifecycle Management See [Lifecycle Management: Oracle Database](/4yItIzMvkpAvMVFAamTf/integrations/integrations/oracle-database/provisioning.md) for more details and a list of supported actions. The Veza integration user will need additional permissions to modify database users and roles: ``` -- Connect to CDB root for common user creation ALTER SESSION SET CONTAINER=CDB$ROOT; -- Create the lifecycle management user CREATE USER c##veza_lcm_user IDENTIFIED BY your_secure_password; -- Basic connection privileges GRANT CREATE SESSION, ALTER SESSION TO c##veza_lcm_user CONTAINER=ALL; -- Read privileges for data extraction and user/role discovery GRANT SELECT ANY DICTIONARY TO c##veza_lcm_user CONTAINER=ALL; -- User management privileges GRANT CREATE USER TO c##veza_lcm_user CONTAINER=ALL; GRANT DROP USER TO c##veza_lcm_user CONTAINER=ALL; GRANT ALTER USER TO c##veza_lcm_user CONTAINER=ALL; -- Role management privileges GRANT CREATE ROLE TO c##veza_lcm_user CONTAINER=ALL; -- Note: DROP ROLE privilege doesn't exist - CREATE ROLE allows both create and drop GRANT GRANT ANY ROLE TO c##veza_lcm_user CONTAINER=ALL; -- System privilege management (for granting CREATE SESSION to new users) GRANT GRANT ANY PRIVILEGE TO c##veza_lcm_user CONTAINER=ALL; -- Container data access for multi-tenant environments ALTER USER c##veza_lcm_user SET container_data=all CONTAINER=CURRENT; ``` ### Notes and Supported Entities The integration discovers the following entities, along with attributes for filtering queries and fine-tuning the scope of access reviews. #### OracleDB Database Represents an Oracle database instance. Multi-tenant configurations can have more than one database within a single Oracle Database instance. | Attribute | Description | | --------- | ----------------------------------- | | **Name** | The name of the Oracle database. | | **Id** | Unique identifier for the database. | | **Type** | The type of the database entity. | #### OracleDB Object Privilege Grants Represents the privilege grants for objects in the Oracle database. These are granted explicitly to Users and Roles and apply to specific Tables. | Attribute | Description | | ---------------------------- | ------------------------------------------ | | **Name** | The name of the privilege grant. | | **Id** | Unique identifier for the privilege grant. | | **Type** | The type of the privilege grant entity. | | **Privileges Grantable** | List of grantable privileges. | | **Privileges Non Grantable** | List of non-grantable privileges. | Note that **Column privileges** are not yet modeled. **Schema privileges** are only available in Oracle DB version 23. #### OracleDB Roles Represents the roles defined within the Oracle database. Roles describe Object Privilege Grants that enable specific actions on tables. OracleDB roles can assume other roles. | Attribute | Description | | ----------------------- | ------------------------------------------------- | | **Name** | The name of the role. | | **Id** | Unique identifier for the role. | | **Type** | The type of the role entity. | | **Authentication Type** | The type of authentication used for the role. | | **Common** | Indicates if the role is common across databases. | | **Oracle Maintained** | Indicates if the role is maintained by Oracle. | | **Password Required** | Indicates if a password is required for the role. | #### OracleDB Schema Represents a schema within the Oracle database. A schema within an OracleDB Database contains individual tables. Users can be assigned to Schema as owners. | Attribute | Description | | --------- | --------------------------------- | | **Name** | The name of the schema. | | **Id** | Unique identifier for the schema. | | **Type** | The type of the schema entity. | #### OracleDB User Represents a user within the Oracle database. OracleDB Users are local accounts within a database. | Attribute | Description | | -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | | **Name** | The name of the user. | | **Id** | Unique identifier for the user. | | **Type** | The type of the user entity. | | **Account Status** | The status of the user's account. | | **Authentication Type** | The type of authentication used for the user. | | **Common** | Indicates if the user is common across databases. | | **Identity Type** | The type of identity of the user. | | **Is Active** | Indicates if the user is active. | | **Profile** | The profile associated with the user. | | **System Privileges Admin** | List of system privileges granted to the user. | | **Created At** | Timestamp when the user was created. | | **Last Used At** | Timestamp when the user last logged in. Updated via volatile extraction for frequent refresh. | | **Password Change Date** | Timestamp when the user last changed their password. Available in Oracle 19c+, only populated when authentication type is PASSWORD. | | **Password Expiration Date** | Profile-based password expiration timestamp. | | **Oracle Maintained** | Indicates if the user is maintained by Oracle. | | **System Privileges Non-Admin** | List of non-admin system privileges granted to the user. | | **System Privileges Common Admin** | List of common admin system privileges granted to the user, optional. | | **System Privileges Common Non-Admin** | List of common non-admin system privileges granted to the user, optional. | #### OracleDB Table Represents a table within the Oracle database. Veza shows effective permissions from OracleDB Users to OracleDB Tables. | Attribute | Description | | --------- | -------------------------------- | | **Name** | The name of the table. | | **Id** | Unique identifier for the table. | | **Type** | The type of the table entity. | #### OracleDB View A view is a virtual table that provides a way to represent the result of a SQL query as if it were a table. It does not store data itself but dynamically retrieves it from the underlying tables when queried. | Attribute | Description | | -------------------- | ----------------------------------------- | | Name | The name of the view. | | Id | Unique identifier for the view. | | Type | The type of the view entity. | | Read Only | Whether the view is read-only. | | Container Data | Whether the view contains container data. | | Bequeath | Bequeath privilege setting for the view. | | Has Sensitive Column | Whether the view has sensitive columns. | #### OracleDB Materialized View A materialized view is a database object that contains the results of a query and stores the data physically. It can be refreshed periodically to reflect changes in the underlying data. This entity has the standard Name, Id, and Type attributes. #### OracleDB Procedure A procedure is a stored PL/SQL block that performs a specific task. It can take parameters, execute multiple SQL statements, and encapsulate business logic. | Attribute | Description | | ----------- | ---------------------------------------------------------------------- | | Name | The name of the procedure. | | Id | Unique identifier for the procedure. | | Type | The type of the procedure entity. | | Object Type | The type of the procedure object (e.g., PROCEDURE, FUNCTION, PACKAGE). | #### OracleDB Trigger A trigger is a special type of stored procedure that automatically executes in response to certain events on a table or view, such as INSERT, UPDATE, or DELETE operations. | Attribute | Description | | ------------------ | ---------------------------------------------------------------------------- | | Name | The name of the trigger. | | Id | Unique identifier for the trigger. | | Type | The type of the trigger entity. | | Trigger Type | The type of trigger (e.g., BEFORE, AFTER, INSTEAD OF). | | Triggering Event | The event that fires the trigger (e.g., INSERT, UPDATE, DELETE). | | Base Object Type | Type of the object the trigger is defined on (e.g., TABLE, VIEW, SCHEMA). | | Base Object Schema | Schema of the base object, if applicable. | | Base Object Name | Name of the base object, if applicable (not set for DATABASE/SCHEMA scopes). | | Status | Status of the trigger (e.g., ENABLED, DISABLED). | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/oracle-database.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.