Oracle 19c schemas without authentication

  • 1.  Oracle 19c schemas without authentication

    Posted 12-04-2019 08:24:00 AM
    We are leveraging new security features of Oracle 19c by building schemas without authentication.  What Delphix masking version will support changing connectors to a generic account for Oracle versus relying on schemas to connect for profiling or masking?

    ------------------------------
    Suzanne Lusardi
    IT DB Governance & Compliance Analyst
    Paychex, Inc.
    ------------------------------


  • 2.  RE: Oracle 19c schemas without authentication
    Best Answer

    Posted 12-04-2019 09:31:00 AM
    Hi Suzanne,

    You don't need to use the schema account in your masking connector and I would always advise not to.  Best practice is that applications, middle tiers, masking products etc should never use an Oracle schema account to connect.  All Delphix masking versions support connecting via an operational account.

    You need to create a separate database account and grant to it the necessary privileges on the required tables and then use that in your connector (Login ID).  I can't find the latest docs that explain it but Google found an old doc that is actually still relevant.

    https://docs.delphix.com/display/DOCS50/Delphix+Masking+Engine+-+Database+User+Permissions+for+executing+Masking+and+Profiling+jobs

    As I've said, Delphix aside, connecting directly to an Oracle schema is a security issue.  Thankfully Oracle now make enforcing this policy much easier and it's good you are going to leverage it.


    ------------------------------
    Matthew Griffith
    Principal Consultant
    https://thedatalobby.kuzodata.com
    Kuzo Data
    ------------------------------
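
The setup described in the answer above, sketched as an added example (not part of the original thread and not taken from the Delphix documentation). The names `APP_OWNER` and `MASK_SVC`, the tablespace, and the password placeholder are hypothetical; the privilege set (SELECT for profiling, SELECT and UPDATE for in-place masking) is an assumption, so check it against the linked permissions page.

```sql
-- Added example: APP_OWNER and MASK_SVC are hypothetical names.

-- 1. Schema-only owner: holds the objects but has no credential to log in
--    with (NO AUTHENTICATION is available from Oracle 18c onward).
CREATE USER app_owner NO AUTHENTICATION
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;

-- 2. Operational account used as the connector Login ID.
--    It owns nothing and receives only the privileges granted below.
CREATE USER mask_svc IDENTIFIED BY "REPLACE_WITH_VAULTED_SECRET_1"
  DEFAULT TABLESPACE users;
GRANT CREATE SESSION TO mask_svc;

-- 3. Object grants on the tables to be profiled or masked.
--    Assumption: SELECT covers profiling, UPDATE is added for in-place masking.
--    Narrow the WHERE clause to the tables actually in scope.
BEGIN
  FOR t IN (SELECT table_name
              FROM dba_tables
             WHERE owner = 'APP_OWNER') LOOP
    EXECUTE IMMEDIATE
      'GRANT SELECT, UPDATE ON '
      || DBMS_ASSERT.ENQUOTE_NAME('APP_OWNER', FALSE) || '.'
      || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE)
      || ' TO mask_svc';
  END LOOP;
END;
/

-- 4. Checks: the owner should report AUTHENTICATION_TYPE = 'NONE',
--    the operational account 'PASSWORD'.
SELECT username, authentication_type, account_status
  FROM dba_users
 WHERE username IN ('APP_OWNER', 'MASK_SVC');

-- The operational account should hold nothing beyond the grants from step 3.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'MASK_SVC'
 ORDER BY owner, table_name, privilege;

SELECT privilege FROM dba_sys_privs WHERE grantee = 'MASK_SVC';
```

Run it as a DBA account; tables created in the schema later need their own grants, since object grants do not apply to future objects.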



  • 3.  RE: Oracle 19c schemas without authentication

    Posted 12-04-2019 12:59:00 PM
    Hi Suzanne and Matthew,
    This is the corresponding new link in the docs: https://maskingdocs.delphix.com/Getting_Started/Users_Roles/ .
    Let me know if this helps?

    Thanks,
    Michael

    ------------------------------
    Michael Torok
    Director of Knowledge and Community Management
    Delphix
    ------------------------------



  • 4.  RE: Oracle 19c schemas without authentication

    Posted 12-05-2019 04:23:00 AM
    Michael - that's the masking engine user and roles page.  We need the page that details the database user permissions, which is what I'm struggling to find in the latest docs.

    ------------------------------
    Matthew Griffith
    Principal Consultant
    https://thedatalobby.kuzodata.com
    Kuzo Data
    ------------------------------



  • 5.  RE: Oracle 19c schemas without authentication

    Posted 12-05-2019 08:03:00 AM
    Agreed, the page I linked was the page I was directed to by our doc team when I could not find a similar page as the one you provided. I will open a ticket to have that section expanded to include the more complete permissions, like the ones you were able to locate. I believe it was overlooked.
    Thanks for confirming.
    Michael

    ------------------------------
    Michael Torok
    Director of Knowledge and Community Management
    Delphix
    ------------------------------



  • 6.  RE: Oracle 19c schemas without authentication

    Posted 12-06-2019 07:55:00 AM
    Thank you for getting the documentation updated!  Much appreciated.  - Suzanne






  • 7.  RE: Oracle 19c schemas without authentication

    Posted 12-04-2019 09:35:00 AM
    Edited by Mouhssine Saidi 12-04-2019 09:41:30 AM
    Hi,

    One question: have you tried to use the advanced option of the connector, using a JDBC string with a proxy user, instead of the standard connection mode?

    And as Mat. says, it's a security issue to use the schema account for profiling/masking; generally we create a specific account for this purpose.

    Regards,

    Mouhssine


    ------------------------------
    Mouhssine SAIDI
    Community Member
    Delphix Community Members
    ------------------------------



  • 8.  RE: Oracle 19c schemas without authentication

    Posted 12-05-2019 07:59:00 AM
    Thank you all for your feedback.  This is great news and I concur with the security risk as our policy is to lock schemas.  Professional services had originally told us there was a bug that prevented us from using a separate installation account for Oracle and we had to use schema accounts to connect. 

    To answer Mouhssine's question, we tried a while back on the JDBC connection, but to be honest, I don't recall what the issue was at the time.  We were testing both Oracle and MSSQL during the POC then, had some issues, and ended up having to use basic connectors.  I appreciate the community assistance!

    ------------------------------
    Suzanne Lusardi
    IT DB Governance & Compliance Analyst
    Paychex, Inc.
    ------------------------------



  • 9.  RE: Oracle 19c schemas without authentication

    Posted 12-05-2019 08:15:00 AM
    Hi Suzanne,

    I hope the POC was on one of the latest Delphix releases (5.3.5/5.3.6) as I knew there were some bugs with JDBC connectors in earlier versions.

    Regards,

    Mouhssine

    ------------------------------
    Mouhssine SAIDI
    Community Member
    Delphix Community Members
    ------------------------------



  • 10.  RE: Oracle 19c schemas without authentication

    Posted 12-06-2019 07:52:00 AM
    No, it was about 2 years ago on an earlier version of 5.2.

    ------------------------------
    Suzanne Lusardi
    IT DB Governance & Compliance Analyst
    Paychex, Inc.
    ------------------------------