Set up Oracle
Configure an Oracle user with the required permissions to enable Atlan to extract metadata from your Oracle database. You need Oracle database administrator access to run these commands.
Prerequisites
Before you begin, make sure you have:
- Oracle Database version 11.2 or later
- Oracle database administrator access or equivalent privileges
- Access to run SQL commands in your Oracle database
Create user
Create a dedicated user for Atlan to connect to your Oracle database.
- Create a new user with basic authentication:
CREATE USER <username> IDENTIFIED BY <password>;
GRANT CREATE SESSION TO <username>;
- Replace
<username>with the username you want to create. - Replace
<password>with a secure password for that username.
Grant permissions
Grant the necessary permissions to enable Atlan to extract metadata from Oracle.
- Least Permission (Recommended)
- Legacy Permission (Deprecated)
Grant metadata extraction permissions
- Run the following commands to grant permissions for metadata extraction:
GRANT SELECT_CATALOG_ROLE TO <username>;
GRANT SELECT ON DBA_TABLES TO <username>;
GRANT SELECT ON DBA_VIEWS TO <username>;
GRANT SELECT ON DBA_TAB_COLUMNS TO <username>;
GRANT SELECT ON DBA_SYNONYMS TO <username>;
Replace <username> with the username you created.
Why these grants are required
These grants are metadata-only—they give Atlan read access to Oracle's data dictionary so it can discover and catalog your database structure. None of them grant access to actual data in your tables.
SELECT_CATALOG_ROLE
This is a built-in Oracle role that grants read-only access to Oracle's internal catalog views (USER_*, ALL_*, and basic V$ views). Atlan uses it as the baseline to probe dictionary access at the start of each crawl and to read from DBA_CATALOG. Without this role, the connector fails at the preflight check step with ORA-00942: table or view does not exist.
Why explicit DBA_* grants are still needed
SELECT_CATALOG_ROLE doesn't include DBA_* views by Oracle's design—these views expose system-wide information across all schemas and require explicit grants. The following grants cover the specific dictionary views the connector queries during metadata extraction:
| Grant | Purpose |
|---|---|
GRANT SELECT ON DBA_TABLES | Enumerating all tables across all schemas |
GRANT SELECT ON DBA_VIEWS | Discovering views and their definitions |
GRANT SELECT ON DBA_TAB_COLUMNS | Reading column metadata (name, data type, nullability) |
GRANT SELECT ON DBA_SYNONYMS | Resolving synonym definitions |
These grants give the Atlan service user complete schema-level visibility across all schemas without requiring the DBA role or any write privileges.
This approach is deprecated. Switch to the Least Permission (Recommended) approach described in the other tab.
Run the following commands to grant permissions for metadata extraction:
GRANT SELECT ANY TABLE TO <username>;
GRANT SELECT ANY SEQUENCE TO <username>;
Replace <username> with the username you created.
Grant query and preview permissions
Grant additional permissions to enable users to query and preview data in Atlan.
- Specific tables
- All tables
Grant access to specific tables or views.
- Run the following command for each table you want to provide access to:
GRANT SELECT ON <schema_name>.<table_name> TO <username>;
- Replace
<schema_name>with the name of the schema. - Replace
<table_name>with the name of the table or view. - Replace
<username>with the username you created.
Grant access to all tables across schemas.
- Run the following command to grant access to all tables:
GRANT SELECT ANY TABLE TO <username>;
- Replace
<username>with the username you created.
This permission grants access to query tables or views in any schema except SYS and AUDSYS. Oracle recommends granting ANY privileges only to trusted users.
Set up TCPS
If your organization requires encrypted connections to Oracle, configure TCPS (TCP with SSL/TLS) to encrypt data in transit between the Atlan connector and your Oracle database.
Prerequisites
Before you begin, make sure you have:
- Oracle database administrator access with permissions to modify the listener configuration
- Access to the server hosting your Oracle database listener
Configure TCPS on your Oracle database
- Enable TCPS on your Oracle database listener by adding a TCPS endpoint to your
listener.oraconfiguration. After this step, your listener accepts connections on a TCPS port. For details, see Oracle's Configuring TLS Authentication guide. - Create an Oracle Wallet containing the SSL/TLS certificates required for your authentication mode. For details, see Using Oracle Wallet Manager.
- One-way TLS: The wallet must contain the server's CA certificate.
- Two-way TLS (mutual): The wallet must contain the server's CA certificate, the client certificate, and the client private key.
Once your Oracle database is configured, package the wallet directory into a .zip file and upload it when configuring the Oracle crawler workflow.
Next steps
- Crawl Oracle: Create a crawler workflow to extract metadata from Oracle