Skip to main content
Version: v4.14

Local account discovery

Use Cyral to find all the database accounts that have access to your database. This helps you find accounts that should have been deprovisioned but remain active as well as accounts that lack known provenance and might be used for unauthorized access.

note

Local account discovery is supported only on Oracle and SQL Server repositories.

Discover local accounts

To discover local accounts, you'll use the Cyral Repo Crawler to scan repositories. You can see the Repo Crawler's results in the Data Repos section of the Cyral control plane UI.

  1. Click Data Repos ➡️ click your database's name.

  2. The Overview tab shows the results of the Repo Crawler's latest scan. It shows a row for each discovered database user account that the crawler found.

    • Database account: The account name of the discovered account, which is its native account name on the database service. Note:

      • Black text indicates an account that has been registered in Cyral.
      • Red text indicates an account that is not managed in Cyral.
    • Predefined roles: Roles assigned to this user that are standard roles available on this database platform, such as the DBA role in an Oracle database.

      If a number icon appears (for example, +3) next to a role name here, it means there are more roles for this database account. Click the number icon to see them.

    • Custom roles: The user's assigned roles that were created by administrators in the database platform such as the Oracle Database or PostgreSQL instance.

      As with the previous column, a number icon like +3 indicates more roles exist for this user.

    • Account Status: The status of the account, e.g. whether it is enabled, locked, etc.

    • Controls applied: Security measures applied to this user account in Cyral, if any. These can include:

      • SSO (single sign-on)
      • MFA (multifactor authenticaton)
      • Network Shield (connections allowed only from known IP addresses)
      • SAR (service account resolution)
    • Users: The count of users who have used this database account in the last 7 days.

    • Last used: The date and time this database account most recently connected to the database.

An asterisk (* in the Users or Last used column) indicates this information came from the Cyral sidecar. Otherwise, the information was collected from the database directly.

SQL Server Specific Columns

SQL Server's model of database permissions is unique enough to warrant additional columns in the overview tab.

  • Predefined roles (server) and Custom roles (server): the server-level roles assigned to the database account (a.k.a. the SQL Server "login").

  • Database and Database user: the "database user" mapped to the database account (login) for the database listed in the Database column.

  • Predefined roles (database) and Custom roles (database): the database-level roles assigned to the database user.

See the SQL Server documentation for more information on SQL Server's model of authentication access.

Generate an audit report for a database

Click Data Repos ➡️ click your database's name. In the Overview tab, click Generate Audit Report to generate a shareable PDF document listing the database accounts discovered in the Cyral Repo Crawler's most recent run.

The data shown in the report is the same as that listed in Discover local accounts, above, with three additional fields:

  • Data Repo Type is the type of database, such as Oracle or SQLServer.
  • Data Repo Name is the name you've used to track this database in Cyral.
  • Database Endpoint is the network address (the Cyral sidecar address) where users connect to this database.

Prerequisite

Make sure your Cyral administrator has installed and run the Repo Crawler.