Oracle Database
Description
The Oracle Database connector scans an Oracle Database instance via JDBC (ojdbc11) to discover database users, roles, and privilege assignments. It uses the Oracle Thin driver — no Oracle Client installation is required on the OrbisID server.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Oracle Database scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| JDBC / Oracle Thin (TCP) | 1521 TCP | Default; configurable per instance |
What OrbisID Discovers
| Data | Source | Requires |
|---|---|---|
| Database users (full details) | DBA_USERS | SELECT_CATALOG_ROLE or DBA |
| Database users (fallback) | ALL_USERS | Any connected user |
| Account status (OPEN, LOCKED, EXPIRED) | DBA_USERS.account_status | SELECT_CATALOG_ROLE |
| User profiles | DBA_USERS.profile | SELECT_CATALOG_ROLE |
| Database roles | DBA_ROLES | SELECT_CATALOG_ROLE |
| Role grants to users | DBA_ROLE_PRIVS | SELECT_CATALOG_ROLE |
| Direct system privilege grants | DBA_SYS_PRIVS | SELECT_CATALOG_ROLE |
If the scanning user does not have access to DBA_* views, OrbisID falls back to ALL_USERS for user discovery and skips role/privilege data.
Privileged Roles Detected
DBA, SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM, SYSRAC, IMP_FULL_DATABASE, EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE, DATAPUMP_EXP_FULL_DATABASE, SCHEDULER_ADMIN
Connection Requirements
Credential Requirements
Recommended: Create a dedicated Oracle user for OrbisID with read-only access to catalogue views:
```sql
-- Create the scanning user
CREATE USER orbisid_scanner IDENTIFIED BY "<strong-password>";
GRANT CREATE SESSION TO orbisid_scanner;
-- Grant read access to DBA catalogue views (for full discovery)
GRANT SELECT_CATALOG_ROLE TO orbisid_scanner;
```
SELECT_CATALOG_ROLE gives read access to all DBA_* views without granting DBA itself, following the principle of least privilege.
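To confirm that the account holds only those two grants, a DBA can run the check below. It is an added example, not part of the OrbisID documentation, and it assumes the account was created unquoted as shown above, so the data dictionary stores its name as ORBISID_SCANNER.

```sql
-- Added example: run as a DBA after creating the scanning account.
-- Assumption: the account name is stored in upper case as ORBISID_SCANNER.

-- 1. Every grant held directly by the account. The two grants prescribed
--    above are marked EXPECTED; anything else, or either of them held
--    WITH ADMIN OPTION, is marked REVIEW and sorts first.
SELECT grant_type,
       granted,
       admin_option,
       CASE
         WHEN granted IN ('CREATE SESSION', 'SELECT_CATALOG_ROLE')
              AND admin_option = 'NO'
         THEN 'EXPECTED'
         ELSE 'REVIEW'
       END AS verdict
FROM (
  SELECT 'ROLE' AS grant_type, granted_role AS granted, admin_option
  FROM   dba_role_privs
  WHERE  grantee = 'ORBISID_SCANNER'
  UNION ALL
  SELECT 'SYSTEM PRIVILEGE', privilege, admin_option
  FROM   dba_sys_privs
  WHERE  grantee = 'ORBISID_SCANNER'
  UNION ALL
  -- Direct object grants are not part of the recommended setup,
  -- so any row from this branch is always marked REVIEW.
  SELECT 'OBJECT PRIVILEGE',
         privilege || ' ON ' || owner || '.' || table_name,
         grantable
  FROM   dba_tab_privs
  WHERE  grantee = 'ORBISID_SCANNER'
)
ORDER BY verdict DESC, grant_type, granted;

-- 2. Account state: a status other than OPEN explains ORA-28000 or
--    ORA-01017 failures when OrbisID tests the connection.
SELECT username, account_status, profile
FROM   dba_users
WHERE  username = 'ORBISID_SCANNER';
```

A clean result is two EXPECTED rows, no REVIEW rows, and an account status of OPEN.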
Credential Mapping
| OrbisID Field | Oracle Value |
|---|---|
| credential.username | Oracle database username |
| credential.password | Oracle database password |
System Attributes
| Attribute | Required | Default | Description |
|---|---|---|---|
| oracleServiceName | Recommended | — | Oracle service name (e.g., ORCL, pdb1.example.com). Used in the JDBC URL as jdbc:oracle:thin:@//host:port/serviceName |
| oracleSid | Fallback | — | Oracle SID (legacy). Used only when oracleServiceName is not set. |
If neither oracleServiceName nor oracleSid is configured, OrbisID defaults to connecting via service name XE.
Network Requirements
| Requirement | Detail |
|---|---|
| Oracle Listener | TCP listener must be accessible from the OrbisID server (or On-Premise Agent) on port 1521 (or the configured port) |
| TNS Listener configured | The listener must be registered with the service name or SID being used |
Configuration Steps
- Create the orbisid_scanner user and grant SELECT_CATALOG_ROLE
- Create a Credential in OrbisID:
  - Username: orbisid_scanner
  - Password: The scanning user's password
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., Oracle – prod-db01) |
| Hostname / IP | Oracle host or SCAN address |
| Port | 1521 (or custom listener port) |
| OS Type | Oracle |
| System Type | Infrastructure |
| Credential | The scanning credential |
- Add system attributes:
  - oracleServiceName → Oracle service name (preferred) or oracleSid → SID
- Click Test Connection to verify connectivity and authentication
- Click Save
Use service name wherever possible — it is the modern Oracle connection method and supports RAC, Data Guard, and PDBs. SID connections are legacy and may not work with Oracle 12c+ PDB containers.
For Oracle 12c+ Container Databases, set oracleServiceName to the PDB service name (e.g., pdb1) to scan users within that pluggable database. Connecting to the CDB root (CDB$ROOT) requires the C## prefix convention for common users.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| ORA-01017: invalid username/password | Wrong credentials | Verify the username and password; ensure the account is not locked |
| ORA-12541: no listener | Port blocked or listener down | Check that port 1521 is reachable; verify the Oracle listener is running |
| ORA-12505: SID not found | Wrong SID | Check the SID or switch to service name (oracleServiceName) |
| ORA-28000: account is locked | User account locked | Unlock the scanning user: ALTER USER orbisid_scanner ACCOUNT UNLOCK |
| No roles or privileges returned | Missing SELECT_CATALOG_ROLE | Grant SELECT_CATALOG_ROLE to the scanning user |
| Scan falls back to ALL_USERS | Missing SELECT_CATALOG_ROLE | As above — the fallback returns limited data |