Privileges for Assessment

To run assessment, the FortiDB users for your target databases need the following privileges:

DB2 UDB

Required Privileges for	Required Privileges
Assessment	CREATE TABLE SELECT on the following SYSIBM tables: `SYSCOLAUTH` `SYSDBAUTH` `SYSINDEXAUTH` `SYSPLANAUTH` `SYSSCHEMAAUTH` `SYSTABAUTH` `SYSTBSPACEAUTH`
Privileges Summary Use	SELECT on the following SYSCAT tables: `COLAUTH` `DBAUTH` `INDEXAUTH` `PACKAGEAUTH` `SCHEMAAUTH` `TABAUTH` `TBSPACEAUTH` SELECT on the following SYSIBM tables: `SYSCOLAUTH` `SYSDBAUTH` `SYSINDEXAUTH` `SYSPLANAUTH` `SYSSCHEMAAUTH` `SYSTABAUTH` `SYSSYSTABLESPACES` `SYSTBSPACEAUTH` `SYSUSERAUTH`
Pen Test Use	SELECT on the following SYSCAT tables: `COLAUTH` `DBAUTH` `INDEXAUTH` `PACKAGEAUTH` `SCHEMAAUTH` `TABAUTH` `TBSPACEAUTH` SELECT on the following SYSIBM tables: `SYSCOLAUTH` `SYSDBAUTH` `SYSINDEXAUTH` `SYSPLANAUTH` `SYSSCHEMAAUTH` `SYSTABAUTH` `SYSTBSPACEAUTH` `SYSUSERAUTH`

MSSQL 2000

Required Privileges for	Required Privileges
Assessment	SELECT on: `MASTER.DBO.SPT_VALUES` `MASTER.DBO.SYSALTFILES` `MASTER.DBO.SYSDATABASES` `MASTER.DBO.SYSLOGINS` `MASTER.DBO.SYSXLOGINS` `SYSCOLUMNS` `SYSMEMBERS` `SYSOBJECTS` `SYSPROTECTS` `SYSUSERS` EXECUTE on: `MASTER.DBO.XP_CMDSHELL` `MASTER.DBO.XP_INSTANCE_REGENUMVALUES` `MASTER.DBO.XP_INSTANCE_REGREAD` `MASTER.DBO.XP_LOGINCONFIG` `MASTER.DBO.XP_LOGININFO` `MASTER.DBO.XP_REGENUMVALUES` `MASTER.DBO.XP_REGREAD` Note:The MS-SQL `sysadmin` role is an additional requirement if you want to use these policies during your assessment: DVA MSSQL 01.01 password field empty DVA MSSQL 01.02 password is the same as login name
Privileges Summary Use	For each individual MS-SQL 2000 database you want to connect to, SELECT on: `MASTER.DBO.SYSDATABASES` (for MS-SQL 2000 server-level connections) `SYSMEMBERS` `SYSOBJECTS` `SYSPROTECTS` `SYSUSERS`
Pen Test Use	SELECT on: `MASTER.DBO.SYSDATABASES` (for MS-SQL 2000 server-level connections) `MASTER.DBO.SYSXLOGINS` `SYS.DATABASE_ROLE_MEMBERS` `SYSMEMBERS` `SYSOBJECTS` `SYSPROTECTS` `SYSUSERS` (for each individual MS-SQL 2000 database you want to connect to)

MSSQL 2005/2008

Required Privileges for	Required Privileges
Assessment	SELECT on: `MASTER.DBO.SPT_VALUES` `MASTER.DBO.SYSALTFILES` `MASTER.DBO.SYSDATABASES` `MASTER.DBO.SYSLOGINS` `MASTER.DBO.SYSXLOGINS` `SYS.COLUMNS` `SYS.MEMBERS` `SYS.OBJECTS` `SYS.PROTECTS` `SYS.USERS` EXECUTE on: `MASTER.DBO.XP_CMDSHELL` `MASTER.DBO.XP_INSTANCE_REGENUMVALUES` `MASTER.DBO.XP_INSTANCE_REGREAD` `MASTER.DBO.XP_LOGINCONFIG` `MASTER.DBO.XP_LOGININFO` `MASTER.DBO.XP_REGENUMVALUES` `MASTER.DBO.XP_REGREAD` Note:The MS-SQL `sysadmin` role is an additional requirement if you want to use these policies during your assessment: DVA MSSQL 01.01 password field empty DVA MSSQL 01.02 password is the same as login name DVA MSSQL 05.36 List database logins that are part of the local Administrators group DVA MSSQL 05.37 Verify SQL Server not run as local System Administrator DVA MSSQL 05.42 Default MS SQL Listener Port Report
Privileges Summary Use	SELECT on: `MASTER.SYS.DATABASES` (for MS-SQL 2005 server-level connections) For each individual MS-SQL 2005 database you want to connect to, SELECT on: `SYS.DATABASE_PERMISSIONS` `SYS.DATABASE_PRINCIPALS` (for each individual MS-SQL 2005 database you want to connect to) `SYS.DATABASE_ROLE_MEMBERS` `SYS.OBJECTS`
Pen Test Use	SELECT on: `MASTER.SYS.DATABASES` (for MS-SQL 2005 server-level connections) `SYS.DATABASE_PERMISSIONS` `SYS.DATABASE_PRINCIPALS` (for each individual MS-SQL 2005 database you want to connect to) `SYS.DATABASE_ROLE_MEMBERS` `SYS.OBJECTS` `SYS.SQL_LOGINS`

Oracle

Required Privileges for	Required Privileges
Assessment	CREATE SESSION SELECT_CATALOG_ROLE SELECT on: `SYS.AUDIT$` `SYS.LINK$` `SYS.REGISTRY$HISTORY` (Oracle 10g only) `SYS.USER$` `SYSTEM.SQLPLUS_PRODUCT_PROFILE`
Privilege Summary Use	SELECT on: `ALL_USERS` `DBA_COL_PRIVS` `DBA_ROLE_PRIVS` `DBA_ROLES` `DBA_SYS_PRIVS` `DBA_TAB_PRIVS`
Pen Test Use	SELECT on: `ALL_USERS` `DBA_COL_PRIVS` `DBA_ROLE_PRIVS` `DBA_ROLES` `DBA_SYS_PRIVS` `DBA_TAB_PRIVS` `SYS.USER$`

Sybase

Required Privileges for	Required Privileges
Assessment	The SSO_ROLE and: If the Sybase Server is using SybSecurity, you need: On the MASTER database, you need to add the FortiDB user to the database, and you need SELECT on: SYSSRVROLES SYSLOGINROLES SYSSECMECHS SYSDATABASES (AUDFLAGS column) SYSLOGINS (AUDFLAGS column) On any user-defined databases, you need to add the FortiDB user to the database, and you need SELECT on: SYSUSERS If the Sybase Server is not using SybSecurity, you need SELECT on: `SYSSRVROLES` `SYSLOGINROLES` `SYSSECMECHS` `SYSDATABASES (AUDFLAGS column)`
Privilege Summary Use	For each individual database you want to connect to, SELECT on: `MASTER.DBO.SYSDATABASES` (for server-level connections) `SYSOBJECTS` `SYSPROTECTS` `SYSUSERS`
Pen Test Use	SELECT on: `MASTER.DBO.SYSDATABASES` (for server-level connections) `SYSOBJECTS` `SYSPROTECTS` `SYSUSERS` (for each individual database you want to connect to)

MySQL

Required Privileges for	Required Privileges
Assessment	SELECT on: mysql.user mysql.db mysql.columns_priv mysql.tables_priv
Privilege Summary Use	SELECT on: `INFORMATION\_SCHEMA`.* mysql.user Granted User privilege: SHOW DATABASES
Pen Test Use	SELECT on: mysql.user

Parent topic: Privileges of DB User for FortiDB

Related concepts

Privileges of DB User for FortiDB

Related tasks

FortiDB 5.0.0 Handbook
1st Edition , July 11 2013
© Copyright 2013 Fortinet Inc. All rights reserved.
Latest documentation: http://docs.fortinet.com/fdb.html