Other Permissions Needed or Not Needed for PPM Schemas Accounts

This section provides more information about other permissions needed or not needed for PPM database schema and RML database schema accounts. You can decide whether you want to have them revoked after reading this section.

PPM has not tested every access grant and its impact, because every access grant has a different impact on each customer, as every customer is using PPM differently and for different scenarios. If you are looking for specific access grant impact, you may need to test that out.

SELECT_CATALOG_ROLE

SELECT ANY DICTIONARY

If only SELECT_CATALOG_ROLE is enabled then it provides access to all SYS views only.

If only SELECT ANY DICTIONARY privilege is enabled then it provides access to SYS schema objects only.

If both SELECT ANY TABLE privilege and SELECT ANY DICTIONARY privilege are enabled then it allow access to all SYS and non-SYS objects.

PPM needs to access many SYS/DBA views and objects, thus needs SELECT_CATALOG_ROLE role and SELECT ANY DICTIONARY privilege.

To generate AWR/ADDM/ASH reports, PPM needs SELECT_CATALOG_ROLE role too.

PPM needs access to the following packages:
  • DBMS_JAVA
  • DBMS_JAVA_TEST
  • DBMS_LOB
  • DBMS_SCHEDULER
  • DBMS_SQL

PPM does not need access to the following packages:

  • UTL_FILE
  • UTL_HTTP
  • UTL_TCP

For other packages, read the information below to decide whether your PPM still needs access to them:

  • DBMS_JAVA — PPM uses a stored procedure written in Java, to generate a hash that is used as REFERENCE_CODEs for various PPM entities. Generating this hash using pure PL/SQL is cumbersome and unreliable, if not impossible. So, PPM used Java for it and the application code needs access to this package.
  • DBMS_JAVA_TEST — Allows you to test Java Stored Procedures. PPM might not need to access this package. So far there seems no harm or implications of revoking the access.
  • DBMS_LOB — PPM stores a lot of data in BLOB and CLOB columns and the application code might need to parse or modify the contents.
  • DBMS_SCHEDULER — Not needed for core PPM. This is required for Operational Reporting. If your organization does not use Operational Reporting, you may revoke access to this package.
  • DBMS_SQL — PPM generates dynamic SQL and executes it during installation and upgrade. This package is also used to create triggers as part of the application functionality.

EXECUTE ANY PROCEDURE

EXECUTE ANY PROGRAM

PPM does not need the EXECUTE ANY PROCEDURE privilege.

PPM needs the EXECUTE ANY PROGRAM privilege. The definition of EXECUTE ANY PROGRAM is: use any program in a job in the grantee's schema.

CREATE ANY VIEW, CREATE ANY TABLE, SELECT ANY TABLE

RML_USER needs these three privileges:

  • CREATE ANY TABLE — Create tables in any schema. The owner of the schema containing the table must have space quota on the tablespace to contain the table.

  • SELECT ANY TABLE — Query tables, views, or materialized views in any schema.

  • CREATE ANY VIEW — Create views in any schema.

Privileges required for RML database schema

grant create session to &RML_USERNAME;
grant create table to &RML_USERNAME;
grant create view to &RML_USERNAME;
grant create synonym to &RML_USERNAME;
grant resource to &RML_USERNAME;

For information about other Oracle database privileges, see Oracle documentation.