Skip to main content

MySQL / MariaDB

Description

The MySQL/MariaDB connector scans a MySQL or MariaDB instance via JDBC (MySQL Connector/J) to discover database user accounts and their global privilege grants. MySQL 8.x and MariaDB 10.x role memberships are discovered where available.

System Type Classification

FieldValue
System TypeInfrastructure
Default Scan Priority500

Version Support

OrbisID EditionSupported
CommunityNo
ProYes
EnterpriseYes

MySQL/MariaDB scanning requires a Pro or Enterprise licence.

Supported Protocol

ProtocolPortNotes
JDBC / MySQL Protocol (TCP)3306 TCPDefault; configurable per instance

What OrbisID Discovers

DataSourceMinimum Version
User accountsmysql.userMySQL 5.7 / MariaDB 10.x
Account lock statusmysql.user.account_lockedMySQL 5.7.6+
Password expiry statusmysql.user.password_expiredMySQL 5.7+
Global privilege entitlementsmysql.user columnsMySQL 5.7 / MariaDB 10.x
Database-scoped privilege entitlementsmysql.db columnsMySQL 5.7 / MariaDB 10.x
Role membershipsmysql.role_edgesMySQL 8.0+ / MariaDB 10.3+

Privileged Entitlement Detection

Each global privilege granted directly to a user (not just those granted via a role) is discovered as its own Entitlement of type MYSQL_GLOBAL_PRIVILEGE, flagged privileged, and mapped to every account that holds it — so privileged accounts are correctly reported even on servers that never use MySQL 8/MariaDB 10.3+ roles at all. A user is granted one of these entitlements when the corresponding mysql.user column is set to Y:

mysql.user columnEntitlement name
Super_privSUPER
Grant_privGRANT OPTION
Shutdown_privSHUTDOWN
Reload_privRELOAD
Process_privPROCESS
File_privFILE
Create_user_privCREATE USER

Database-Scoped Privilege Detection

Grants made with GRANT ... ON dbname.* TO user (rather than at the global *.* level) are stored in mysql.db, one row per (user, host, database). Each granted privilege in that row is discovered as its own entitlement named "PRIVILEGE on DATABASE" (type MYSQL_DB_PRIVILEGE), so the same privilege on different databases is tracked separately — for example SELECT on finance and SELECT on hr are distinct entitlements. GRANT OPTION, DROP, ALTER, CREATE, and INDEX are flagged privileged (schema-altering or privilege-granting); routine data-access privileges (SELECT, INSERT, UPDATE, DELETE, etc.) are not.

Connection Requirements

Credential Requirements

Recommended: Create a dedicated MySQL user for OrbisID with minimal permissions:

-- MySQL / MariaDB
CREATE USER 'orbisid_scanner'@'%' IDENTIFIED BY '<strong-password>';
GRANT SELECT ON mysql.user TO 'orbisid_scanner'@'%';
GRANT SELECT ON mysql.db TO 'orbisid_scanner'@'%';
GRANT SELECT ON mysql.role_edges TO 'orbisid_scanner'@'%'; -- MySQL 8+ / MariaDB 10.3+
FLUSH PRIVILEGES;
Host Binding

Replace % with the OrbisID server IP address for tighter access control (e.g., 'orbisid_scanner'@'10.0.1.50').

Credential Mapping

OrbisID FieldMySQL Value
credential.usernameMySQL username
credential.passwordMySQL password

System Attributes

AttributeRequiredDefaultDescription
mysqlDatabaseNomysqlInitial database to connect to. Account discovery always reads from the mysql system schema regardless of this setting.
mysqlSslModeNoPREFERREDSSL mode for the JDBC connection. Values: DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY.

Network Requirements

RequirementDetail
TCP port 3306Must be accessible from the OrbisID server (or On-Premise Agent)
MySQL remote connectionsThe bind-address in my.cnf must not restrict connections from the OrbisID server

Configuration Steps

  1. Create the orbisid_scanner user with the grants above
  2. Create a Credential in OrbisID:
    • Username: orbisid_scanner
    • Password: The scanning user's password
  3. Navigate to Systems → Add System
  4. Fill in the fields:
FieldValue
NameDescriptive name (e.g., MySQL – prod-db01 or MariaDB – prod-db01)
Hostname / IPMySQL/MariaDB host
Port3306 (or custom port)
OS TypeMySQL
System TypeInfrastructure
CredentialThe scanning credential
  1. Optionally, in the Connection Attributes section, set Database Name (mysqlDatabase) and SSL Mode (mysqlSslMode)
  2. Click Test Connection to verify connectivity and authentication
  3. Click Save
MariaDB Compatibility

MySQL Connector/J is fully compatible with MariaDB when using the standard jdbc:mysql:// URL. For strict MariaDB-native behaviour (e.g., specific MariaDB features), consider using the On-Premise Agent with a Custom Script scanner backed by the MariaDB JDBC driver.

Troubleshooting

SymptomLikely CauseResolution
Access denied for userInvalid credentials or host not allowedVerify the password; check the user's host column in mysql.user — it must match the OrbisID server IP
Connection refused / timeoutPort blocked or bind-address restricts accessCheck bind-address in my.cnf; open port 3306 in firewall rules
SELECT command denied … mysql.userInsufficient privilegesGrant SELECT ON mysql.user to the scanning user
Database privilege discovery skippedScanning user lacks SELECT on mysql.dbGrant SELECT ON mysql.db to the scanning user
No roles returnedMySQL < 8.0 or mysql.role_edges not accessibleRole discovery is skipped on MySQL 5.x; grant SELECT ON mysql.role_edges on MySQL 8+
No global privilege entitlements shown, or no accounts flagged privilegedFixed in this connector — earlier versions only recorded global privileges as a raw account attribute, invisible to entitlement-based reporting, and never produced entitlements unless mysql.role_edges roles were configuredUpgrade to the current connector version, which discovers each granted global privilege (SUPER, GRANT OPTION, etc.) as its own privileged Entitlement regardless of whether roles are used
Entitlements still show 0 after upgrading the connectorThe On-Premise Agent executing the scan is running an older build that predates this fixRebuild and redeploy the agent JAR, then restart the agent process and re-run the scan — the backend's own fix does not update an already-running, separately-deployed agent
SSL errorSSL certificate validation failedSet mysqlSslMode to DISABLED for testing; use REQUIRED with a valid certificate for production