Oracle Database
Description
The Oracle Database connector scans an Oracle Database instance via JDBC (ojdbc11) to discover database users, roles, and privilege assignments. It uses the Oracle Thin driver — no Oracle Client installation is required on the OrbisID server.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Oracle Database scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| JDBC / Oracle Thin (TCP) | 1521 TCP | Default; configurable per instance |
What OrbisID Discovers
| Data | Source | Requires |
|---|---|---|
| Database users (full details) | DBA_USERS | SELECT_CATALOG_ROLE or DBA |
| Database users (fallback) | ALL_USERS | Any connected user |
| Account status (OPEN, LOCKED, EXPIRED) | DBA_USERS.account_status | SELECT_CATALOG_ROLE |
| User profiles | DBA_USERS.profile | SELECT_CATALOG_ROLE |
| Database roles | DBA_ROLES | SELECT_CATALOG_ROLE |
| Role grants to users | DBA_ROLE_PRIVS | SELECT_CATALOG_ROLE |
| Direct system privilege grants | DBA_SYS_PRIVS | SELECT_CATALOG_ROLE |
If the scanning user does not have access to DBA_* views, OrbisID falls back to ALL_USERS for user discovery and skips role/privilege data.
Every distinct system privilege found in DBA_SYS_PRIVS is discovered as its own Entitlement (type ORACLE_SYS_PRIVILEGE) and mapped to every grantee holding it — this covers privileges granted directly to a user, not just those granted via a role, so a user with e.g. GRANT ANY PRIVILEGE assigned directly (without going through a role) is still correctly reported as privileged.
Privileged Roles Detected
DBA, SYSDBA, SYSOPER, SYSBACKUP, SYSDG, SYSKM, SYSRAC, IMP_FULL_DATABASE, EXP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE, DATAPUMP_EXP_FULL_DATABASE, SCHEDULER_ADMIN
Privileged System Privileges Detected
ALTER SYSTEM, ALTER DATABASE, CREATE USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE, GRANT ANY OBJECT PRIVILEGE, SELECT ANY TABLE, INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE, AUDIT ANY, AUDIT SYSTEM, SYSDBA, SYSOPER
Connection Requirements
Credential Requirements
Recommended: Create a dedicated Oracle user for OrbisID with read-only access to catalogue views:
-- Create the scanning user
CREATE USER orbisid_scanner IDENTIFIED BY "<strong-password>";
GRANT CREATE SESSION TO orbisid_scanner;
-- Grant read access to DBA catalogue views (for full discovery)
GRANT SELECT_CATALOG_ROLE TO orbisid_scanner;
SELECT_CATALOG_ROLE gives read access to all DBA_* views without granting DBA itself, following the principle of least privilege.
Credential Mapping
| OrbisID Field | Oracle Value |
|---|---|
credential.username | Oracle database username |
credential.password | Oracle database password |
System Attributes
| Attribute | Required | Default | Description |
|---|---|---|---|
oracleServiceName | Recommended | — | Oracle service name (e.g., ORCL, pdb1.example.com). Used in the JDBC URL as jdbc:oracle:thin:@//host:port/serviceName |
oracleSid | Fallback | — | Oracle SID (legacy). Used only when oracleServiceName is not set. |
If neither oracleServiceName nor oracleSid is configured, OrbisID defaults to connecting via service name XE.
Network Requirements
| Requirement | Detail |
|---|---|
| Oracle Listener | TCP listener must be accessible from the OrbisID server (or On-Premise Agent) on port 1521 (or the configured port) |
| TNS Listener configured | The listener must be registered with the service name or SID being used |
Configuration Steps
- Create the
orbisid_scanneruser and grantSELECT_CATALOG_ROLE - Create a Credential in OrbisID:
- Username:
orbisid_scanner - Password: The scanning user's password
- Username:
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., Oracle – prod-db01) |
| Hostname / IP | Oracle host or SCAN address |
| Port | 1521 (or custom listener port) |
| OS Type | Oracle |
| System Type | Infrastructure |
| Credential | The scanning credential |
- In the Connection Attributes section, set:
- Service Name (
oracleServiceName) — preferred, or - SID (
oracleSid)
- Service Name (
- Click Test Connection to verify connectivity and authentication
- Click Save
Use service name wherever possible — it is the modern Oracle connection method and supports RAC, Data Guard, and PDBs. SID connections are legacy and may not work with Oracle 12c+ PDB containers.
For Oracle 12c+ Container Databases, set oracleServiceName to the PDB service name (e.g., pdb1) to scan users within that pluggable database. Connecting to the CDB root (CDB$ROOT) requires the C## prefix convention for common users.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
ORA-01017: invalid username/password | Wrong credentials | Verify the username and password; ensure the account is not locked |
ORA-12541: no listener | Port blocked or listener down | Check that port 1521 is reachable; verify the Oracle listener is running |
ORA-12505: SID not found | Wrong SID | Check the SID or switch to service name (oracleServiceName) |
ORA-28000: account is locked | User account locked | Unlock the scanning user: ALTER USER orbisid_scanner ACCOUNT UNLOCK |
| No roles or privileges returned | Missing SELECT_CATALOG_ROLE | Grant SELECT_CATALOG_ROLE to the scanning user |
| Scan falls back to ALL_USERS | Missing SELECT_CATALOG_ROLE | As above — the fallback returns limited data |
A user with a direct GRANT ANY PRIVILEGE (or similar) isn't flagged privileged | Fixed in this connector — earlier versions only recorded direct system privileges as a raw account attribute, invisible to entitlement-based reporting | Upgrade to the current connector version, which discovers each DBA_SYS_PRIVS grant as its own entitlement regardless of whether it was granted via a role |