This section contains best practices for setting up an Oracle database in a secure way.
For a typical setup, it is recommended to follow the default Oracle database creation instructions, which include creating the 'zabbix' user with full privileges on the Zabbix database. This user is the database owner that also has the necessary privileges for modifying the database structure when upgrading Zabbix.
To improve security, creating additional database users with minimal privileges is recommended. These users should be configured based on the principle of least privilege, that is, they should only have privileges that are essential for performing the intended functions.
The support for Oracle DB is deprecated since Zabbix 7.0.
Assuming that the pluggable database (PDB) owner is USR_OWNER
, creating two additional users with the corresponding privileges (for daily operations) are recommended:
These users must be created by the PDB owner (USR_OWNER
) using the following commands:
CREATE USER USR_SRV IDENTIFIED BY "USR_SRV" DEFAULT TABLESPACE "USR_OWNER" TEMPORARY TABLESPACE TEMP;
CREATE USER USR_WEB IDENTIFIED BY "USR_WEB" DEFAULT TABLESPACE "USR_OWNER" TEMPORARY TABLESPACE TEMP;
GRANT CREATE SESSION, DELETE ANY TABLE, INSERT ANY TABLE, SELECT ANY TABLE, UPDATE ANY TABLE, SELECT ANY SEQUENCE TO USR_SRV;
GRANT CREATE SESSION, DELETE ANY TABLE, INSERT ANY TABLE, SELECT ANY TABLE, UPDATE ANY TABLE, SELECT ANY SEQUENCE TO USR_WEB;
Table restoration and upgrade should be performed by the database owner.
After creating the users, proceed to creating synonyms.
The script below creates synonyms, so that USR_SRV
and USR_WEB
can access tables in the USR_OWNER
schema without specifying the schema explicitly.
BEGIN
FOR x IN (select owner,table_name from all_tables where owner ='USR_OWNER')
LOOP
EXECUTE IMMEDIATE 'CREATE OR REPLACE SYNONYM USR_SRV.'|| x.table_name ||' FOR '||x.OWNER||'.'|| x.table_name;
EXECUTE IMMEDIATE 'CREATE OR REPLACE SYNONYM USR_WEB.'|| x.table_name ||' FOR '||x.OWNER||'.'|| x.table_name;
END LOOP;
END;
/
This script should be run each time after Zabbix database structure is created or changed (for example, after Zabbix upgrade if some tables were created or renamed).