Auditor Help: Using Limited Access Mode

What is Limited Access Mode?

The Standard Access Mode requires the Oracle user account to have the SELECT_ANY_TABLE system privilege. For sites where non-DBA users run the product or where additional restrictions prevent this level of access, there is Limited Access Mode.

The Standard Access Mode requires read access to DBA_USERS or SYS.USER$. Limited Access Mode does not require read access to DBA_USERS or SYS.USER$. Instead, Limited Access Mode relies on a user account (ECORA_USER) with more restricted privileges.

Ecora provides a script that creates the appropriate account, role, and view to enable Limited Access Mode.

How do I enable Limited Access Mode?

This script (CreateEcoraAccess.sql) does the following:

  1. Creates a view (ECORA_USER$) on the sys.user$ table that restricts access to only the USER# and NAME columns.
  2. Creates a view (ECORA_DBA_USERS) on the dba_users table that restricts access to only the USERNAME, DEFAULT_TABLESPACE, TEMPORARY_TABLESPACE, CREATED, PROFILE, ACCOUNT_STATUS columns.
  3. Creates a role (ECORA_ROLE) that encapsulates the minimum privilege set for the Ecora for Oracle product.
  4. Creates a user account (ECORA_USER) that will be granted the ECORA_ROLE role. This account (and any others granted that role) can be used to run the product in the new Limited Access Mode.
  5. Grants SELECT privilege on the two new ECORA views to the ECORA_ROLE.
  6. Grants SELECT privilege on the remaining system tables/views.
  7. Grants CREATE SESSION system privilege to ECORA_ROLE.
  8. Grants ECORA_ROLE to ECORA_USER user.

The script must be run by the DBA manually - no automated (programmatic) creation of the database objects is required. The SQL script is designed to run on Oracle 7.3.4, 8.0, 8.1, and 9.0.1.

To run the script:

  1. Log in to the database as the user SYS, using SQL Plus or an equivalent tool.
  2. Execute the script CreateEcoraAccess.sql located in the Ecora installation directory, by default C:\Program Files\Ecora\Ecora for Oracle\bin. You should receive the message, "Database is now set up for Ecora limited access mode."

Warning: The script checks for the Ecora user, role, and views. If they exist, it drops and recreates them. While this does not adversely affect Ecora, we suggest not using this user ID for other purposes.
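
After the script has run, a DBA can confirm that the objects match the steps listed above. The queries below are an added example, not part of CreateEcoraAccess.sql or of the Ecora product; they use only the object names given on this page and the standard Oracle data dictionary views, and assume a session with access to the DBA_* views.

```sql
-- Added example: post-install checks, run as a DBA in SQL Plus.
-- Object names (ECORA_USER$, ECORA_DBA_USERS, ECORA_ROLE, ECORA_USER)
-- are the ones listed in the steps above.

-- 1. Columns exposed by the two restricted views.
--    Expect USER#, NAME for ECORA_USER$ and USERNAME, DEFAULT_TABLESPACE,
--    TEMPORARY_TABLESPACE, CREATED, PROFILE, ACCOUNT_STATUS for
--    ECORA_DBA_USERS. A PASSWORD column here would expose password hashes.
SELECT owner, table_name, column_name
  FROM dba_tab_columns
 WHERE table_name IN ('ECORA_USER$', 'ECORA_DBA_USERS')
 ORDER BY table_name, column_id;

-- 2. System privileges held by the role and the account.
--    The steps above list only CREATE SESSION for ECORA_ROLE. A row showing
--    SELECT ANY TABLE means the account is not restricted as described.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee IN ('ECORA_ROLE', 'ECORA_USER')
 ORDER BY grantee, privilege;

-- 3. Object privileges granted to the role. Expect SELECT only, on the two
--    ECORA views plus the remaining system tables/views the script grants.
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'ECORA_ROLE'
 ORDER BY owner, table_name;

-- 4. Direct grants on the underlying objects, which would bypass the
--    restricted views. Expect no rows.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('ECORA_ROLE', 'ECORA_USER')
   AND table_name IN ('USER$', 'DBA_USERS');

-- 5. Every account or role that holds ECORA_ROLE. Any grantee listed here
--    can run the product in Limited Access Mode, so review unexpected names.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'ECORA_ROLE'
 ORDER BY grantee;
```

Because the script drops and recreates these objects each time it runs, repeat the checks after any re-run.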

Screen cap of script command

How do I use Limited Access Mode?

The Access Mode is set per database instance, so it is set when the database is specified to the software. The following is just one way to open the Database Specification dialog box, where the Access Mode is set.

  1. Double-click on the Ecora software icon.
  2. Choose New... Data Collection Only... from the menus.
  3. Accept the defaults (i.e. Choose Interactively) and click OK.
  4. In the Select Database Instances dialog box, select the database instance for which you would like to change modes, and click Edit....
    Tip: If you need to specify a new database, click New....
  5. From the drop-down list for Mode, choose Limited Access.
  6. Click the OK button to save the database specification.
  7. Repeat steps 4 - 6 for each database you wish to change to Limited Access Mode.
  8. Click the Cancel button (unless you want to proceed to collect data).

Database Instance Specification dialog box