Description
The MySQL/MariaDB connector scans a MySQL or MariaDB instance via JDBC (MySQL Connector/J) to discover database user accounts and their global privilege grants. MySQL 8.x and MariaDB 10.x role memberships are discovered where available.
System Type Classification
| Field | Value |
|---|
| System Type | Infrastructure |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
MySQL/MariaDB scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|
| JDBC / MySQL Protocol (TCP) | 3306 TCP | Default; configurable per instance |
What OrbisID Discovers
| Data | Source | Minimum Version |
|---|
| User accounts | mysql.user | MySQL 5.7 / MariaDB 10.x |
| Account lock status | mysql.user.account_locked | MySQL 5.7.6+ |
| Password expiry status | mysql.user.password_expired | MySQL 5.7+ |
| Global privilege entitlements | mysql.user columns | MySQL 5.7 / MariaDB 10.x |
| Database-scoped privilege entitlements | mysql.db columns | MySQL 5.7 / MariaDB 10.x |
| Role memberships | mysql.role_edges | MySQL 8.0+ / MariaDB 10.3+ |
Privileged Entitlement Detection
Each global privilege granted directly to a user (not just those granted via a role) is discovered as its own Entitlement of type MYSQL_GLOBAL_PRIVILEGE, flagged privileged, and mapped to every account that holds it — so privileged accounts are correctly reported even on servers that never use MySQL 8/MariaDB 10.3+ roles at all. A user is granted one of these entitlements when the corresponding mysql.user column is set to Y:
mysql.user column | Entitlement name |
|---|
Super_priv | SUPER |
Grant_priv | GRANT OPTION |
Shutdown_priv | SHUTDOWN |
Reload_priv | RELOAD |
Process_priv | PROCESS |
File_priv | FILE |
Create_user_priv | CREATE USER |
Database-Scoped Privilege Detection
Grants made with GRANT ... ON dbname.* TO user (rather than at the global *.* level) are stored in mysql.db, one row per (user, host, database). Each granted privilege in that row is discovered as its own entitlement named "PRIVILEGE on DATABASE" (type MYSQL_DB_PRIVILEGE), so the same privilege on different databases is tracked separately — for example SELECT on finance and SELECT on hr are distinct entitlements. GRANT OPTION, DROP, ALTER, CREATE, and INDEX are flagged privileged (schema-altering or privilege-granting); routine data-access privileges (SELECT, INSERT, UPDATE, DELETE, etc.) are not.
Connection Requirements
Credential Requirements
Recommended: Create a dedicated MySQL user for OrbisID with minimal permissions:
CREATE USER 'orbisid_scanner'@'%' IDENTIFIED BY '<strong-password>';
GRANT SELECT ON mysql.user TO 'orbisid_scanner'@'%';
GRANT SELECT ON mysql.db TO 'orbisid_scanner'@'%';
GRANT SELECT ON mysql.role_edges TO 'orbisid_scanner'@'%';
FLUSH PRIVILEGES;
Replace % with the OrbisID server IP address for tighter access control (e.g., 'orbisid_scanner'@'10.0.1.50').
Credential Mapping
| OrbisID Field | MySQL Value |
|---|
credential.username | MySQL username |
credential.password | MySQL password |
System Attributes
| Attribute | Required | Default | Description |
|---|
mysqlDatabase | No | mysql | Initial database to connect to. Account discovery always reads from the mysql system schema regardless of this setting. |
mysqlSslMode | No | PREFERRED | SSL mode for the JDBC connection. Values: DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY. |
Network Requirements
| Requirement | Detail |
|---|
| TCP port 3306 | Must be accessible from the OrbisID server (or On-Premise Agent) |
| MySQL remote connections | The bind-address in my.cnf must not restrict connections from the OrbisID server |
Configuration Steps
- Create the
orbisid_scanner user with the grants above
- Create a Credential in OrbisID:
- Username:
orbisid_scanner
- Password: The scanning user's password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|
| Name | Descriptive name (e.g., MySQL – prod-db01 or MariaDB – prod-db01) |
| Hostname / IP | MySQL/MariaDB host |
| Port | 3306 (or custom port) |
| OS Type | MySQL |
| System Type | Infrastructure |
| Credential | The scanning credential |
- Optionally, in the Connection Attributes section, set Database Name (
mysqlDatabase) and SSL Mode (mysqlSslMode)
- Click Test Connection to verify connectivity and authentication
- Click Save
MySQL Connector/J is fully compatible with MariaDB when using the standard jdbc:mysql:// URL. For strict MariaDB-native behaviour (e.g., specific MariaDB features), consider using the On-Premise Agent with a Custom Script scanner backed by the MariaDB JDBC driver.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|
Access denied for user | Invalid credentials or host not allowed | Verify the password; check the user's host column in mysql.user — it must match the OrbisID server IP |
| Connection refused / timeout | Port blocked or bind-address restricts access | Check bind-address in my.cnf; open port 3306 in firewall rules |
SELECT command denied … mysql.user | Insufficient privileges | Grant SELECT ON mysql.user to the scanning user |
| Database privilege discovery skipped | Scanning user lacks SELECT on mysql.db | Grant SELECT ON mysql.db to the scanning user |
| No roles returned | MySQL < 8.0 or mysql.role_edges not accessible | Role discovery is skipped on MySQL 5.x; grant SELECT ON mysql.role_edges on MySQL 8+ |
| No global privilege entitlements shown, or no accounts flagged privileged | Fixed in this connector — earlier versions only recorded global privileges as a raw account attribute, invisible to entitlement-based reporting, and never produced entitlements unless mysql.role_edges roles were configured | Upgrade to the current connector version, which discovers each granted global privilege (SUPER, GRANT OPTION, etc.) as its own privileged Entitlement regardless of whether roles are used |
| Entitlements still show 0 after upgrading the connector | The On-Premise Agent executing the scan is running an older build that predates this fix | Rebuild and redeploy the agent JAR, then restart the agent process and re-run the scan — the backend's own fix does not update an already-running, separately-deployed agent |
| SSL error | SSL certificate validation failed | Set mysqlSslMode to DISABLED for testing; use REQUIRED with a valid certificate for production |