Security aware permissions
This page descibes the minimum configuration of an Oracle database server in terms of permissions granted. Some customers prefer to assign minimum permissions to users and to the PUBLIC role in order to enhance security. The following set constitutes the minimum set of permissions for running the Planon software.
Required permissions
Here it is assumed that the user SYSTEM is used to manage other users. Usage of user SYS is kept to a minimum.
To user SYSTEM
As user SYS
Grant Execute On DBMS_LOB To SYSTEM With grant option;
Grant Execute On DBMS_SQL To SYSTEM With grant option;
Grant Execute On DBMS_UTILITY To SYSTEM With grant option;
Grant Execute On DBMS_ASSERT To SYSTEM With grant option;
Grant Execute On DBMS_OUTPUT To SYSTEM With grant option;
Grant Execute on UTL_FILE To SYSTEM With grant option;
Grant Select on sys.v_$session to system with grant option;
Grant Execute On DBMS_SQL To SYSTEM With grant option;
Grant Execute On DBMS_UTILITY To SYSTEM With grant option;
Grant Execute On DBMS_ASSERT To SYSTEM With grant option;
Grant Execute On DBMS_OUTPUT To SYSTEM With grant option;
Grant Execute on UTL_FILE To SYSTEM With grant option;
Grant Select on sys.v_$session to system with grant option;
 | The With grant option part ensures that user SYSTEM can further assign permissions to other users. |
To users for running the Planon software
For this example, the user containing the Planon data is called “PLANON“
As user SYSTEM (if configured as described previously)
All users need the following permissions:
GRANT CREATE TRIGGER TO PLANON;
GRANT CREATE PROCEDURE TO PLANON;
GRANT CREATE SESSION TO PLANON;
GRANT ALTER SESSION TO PLANON;
GRANT CREATE CLUSTER TO PLANON;
GRANT CREATE DATABASE LINK TO PLANON;
GRANT CREATE SEQUENCE TO PLANON;
GRANT CREATE SYNONYM TO PLANON;
GRANT CREATE TABLE TO PLANON;
GRANT CREATE VIEW TO PLANON;
GRANT QUERY REWRITE TO PLANON;
GRANT SELECT ON SYS.V_$SESSION TO PLANON;
GRANT CREATE MATERIALIZED VIEW TO PLANON;
GRANT CREATE PROCEDURE TO PLANON;
GRANT CREATE SESSION TO PLANON;
GRANT ALTER SESSION TO PLANON;
GRANT CREATE CLUSTER TO PLANON;
GRANT CREATE DATABASE LINK TO PLANON;
GRANT CREATE SEQUENCE TO PLANON;
GRANT CREATE SYNONYM TO PLANON;
GRANT CREATE TABLE TO PLANON;
GRANT CREATE VIEW TO PLANON;
GRANT QUERY REWRITE TO PLANON;
GRANT SELECT ON SYS.V_$SESSION TO PLANON;
GRANT CREATE MATERIALIZED VIEW TO PLANON;
By default, the following required permissions are obtained by the PUBLIC role. This is a default role that each user always gets. However, when you follow the security best practises, these can be removed from the PUBLIC role. In this case, the following permissions must be granted to the user directly:
Grant Execute On DBMS_LOB To PLANON;
Grant Execute On DBMS_SQL To PLANON;
Grant Execute On DBMS_UTILITY To PLANON;
Grant Execute On DBMS_ASSERT To PLANON;
Grant Execute On DBMS_OUTPUT To PLANON;
Grant Execute On DBMS_SQL To PLANON;
Grant Execute On DBMS_UTILITY To PLANON;
Grant Execute On DBMS_ASSERT To PLANON;
Grant Execute On DBMS_OUTPUT To PLANON;
| | The Upgrade (Suite Database Upgrade tool) and standard application will have the same permissions. |