Aurva

Read-Only User Creation

Create minimum-privilege read-only database users for Aurva DSPM scanning across PostgreSQL, MySQL, Oracle, SQL Server, and MongoDB.

Aurva DSPM requires a read-only database user to perform discovery and classification scans. This user should have the minimum privileges needed to read schema metadata and sample data rows -- never write access.

Why a Dedicated User?

  • Least privilege -- limits blast radius if credentials are ever exposed
  • Audit clarity -- all Aurva queries appear under a single, identifiable account
  • Compliance -- satisfies SOC 2, PCI-DSS, and RBI requirements for separation of duties

PostgreSQL

-- Connect as a superuser or role with CREATEROLE
CREATE ROLE aurva_reader WITH LOGIN PASSWORD 'use-a-strong-secret';

-- Grant connect and read access. The schema-level grants below cover only
-- "public"; repeat the USAGE and SELECT grants for every other schema that
-- holds data to be scanned.
GRANT CONNECT ON DATABASE your_database TO aurva_reader;
GRANT USAGE ON SCHEMA public TO aurva_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO aurva_reader;

-- Ensure future tables are also readable. This applies only to tables
-- created by the role that runs the statement; add "FOR ROLE <owner>"
-- for each other role that creates tables in the schema.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO aurva_reader;
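After the grants are in place, it is worth confirming two things from the superuser side: that the scanner can read everything it is meant to read (missing schema grants are the usual cause of incomplete discovery), and that it holds nothing beyond SELECT. The queries below are an added verification example, not part of the original page or of Aurva's own tooling; they assume the role name aurva_reader and the "public" schema used above and are run while connected to your_database.

```sql
-- Run as a superuser while connected to your_database, after the grants above.

-- 1. Tables, partitioned tables, views and materialized views in "public"
--    the scanner cannot read (expected: no rows once the grants are applied)
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p', 'v', 'm')
  AND n.nspname = 'public'
  AND NOT has_table_privilege('aurva_reader', c.oid, 'SELECT');

-- 2. Non-system schemas the scanner cannot enter; each one that holds data
--    to be classified needs its own GRANT USAGE / GRANT SELECT pair
SELECT nspname AS schema_name
FROM pg_namespace
WHERE nspname NOT IN ('pg_catalog', 'information_schema')
  AND nspname NOT LIKE 'pg\_%'
  AND NOT has_schema_privilege('aurva_reader', nspname, 'USAGE');

-- 3. Any table privilege other than SELECT held by the scanner role
--    (expected: no rows; the account must stay read-only)
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'aurva_reader'
  AND privilege_type <> 'SELECT';

-- 4. Role attributes that would widen the account beyond a plain login
--    (expected: every column false)
SELECT rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
FROM pg_roles
WHERE rolname = 'aurva_reader';
```

Query 1 returning rows after the grants usually means tables owned by a role that is not the grantor of the default privileges; query 2 lists the schemas the "public"-only grants above do not reach.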

MySQL

-- '%' accepts logins from any host; where the scanner's source address is
-- known, use it in place of '%' to narrow where this account can connect from
CREATE USER 'aurva_reader'@'%' IDENTIFIED BY 'use-a-strong-secret';

-- Grant read-only access to all databases
GRANT SELECT ON *.* TO 'aurva_reader'@'%';

-- If you prefer per-database grants:
-- GRANT SELECT ON your_database.* TO 'aurva_reader'@'%';

-- Not strictly needed after CREATE USER / GRANT (they reload the grant
-- tables themselves), but harmless
FLUSH PRIVILEGES;

Oracle

-- Connect as SYSDBA
-- QUOTA 0 ensures the account cannot create objects that consume storage
CREATE USER aurva_reader IDENTIFIED BY "use-a-strong-secret"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;

GRANT CREATE SESSION TO aurva_reader;
-- On Oracle 12c and later, READ ANY TABLE is a narrower alternative to
-- SELECT ANY TABLE: it allows SELECT but not SELECT ... FOR UPDATE row locks
GRANT SELECT ANY TABLE TO aurva_reader;
-- Needed to read the data dictionary (ALL_*/DBA_* views) for schema discovery
GRANT SELECT ANY DICTIONARY TO aurva_reader;

SQL Server

-- Connect as sysadmin
CREATE LOGIN aurva_reader WITH PASSWORD = 'use-a-strong-secret';

-- db_datareader grants SELECT on all user tables and views in this database
-- only; repeat the USE / CREATE USER / ALTER ROLE steps for each database
-- Aurva should scan
USE your_database;
CREATE USER aurva_reader FOR LOGIN aurva_reader;
ALTER ROLE db_datareader ADD MEMBER aurva_reader;
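The PostgreSQL check above looks for coverage gaps; on SQL Server the more useful check is for excess, since a login that was also dropped into a server role or a writer role would pass a simple connectivity test. The T-SQL below is an added example, not part of the original page or of Aurva's tooling; it assumes the login and user name aurva_reader and the your_database placeholder used above.

```sql
-- Run as sysadmin, connected to the database Aurva will scan.
USE your_database;

-- 1. Database roles held by the scanner user (expected: db_datareader only)
SELECT r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = 'aurva_reader';

-- 2. Server-level roles held by the login (expected: no rows;
--    membership in sysadmin or securityadmin would defeat least privilege)
SELECT r.name AS server_role
FROM sys.server_role_members m
JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals l ON l.principal_id = m.member_principal_id
WHERE l.name = 'aurva_reader';

-- 3. Effective database-level permissions as seen by the scanner itself
--    (expected: CONNECT and SELECT only)
EXECUTE AS USER = 'aurva_reader';
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

Step 3 evaluates permissions under impersonation, so it reflects what the connector will actually be able to do rather than what the grant statements were intended to do.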

MongoDB

// Connect to the admin database
use admin;

db.createUser({
  user: "aurva_reader",
  pwd: "use-a-strong-secret",
  roles: [
    // read-only on every database except local and config
    { role: "readAnyDatabase", db: "admin" },
    // lets the scanner list databases and collections; grants no data writes
    { role: "clusterMonitor", db: "admin" }
  ]
});

The clusterMonitor role allows Aurva to enumerate databases and collections during discovery.

Next Steps

  1. Store the credentials securely and provide them during Connector Setup.
  2. Run an initial scan to verify connectivity -- see Discovery & Classification.

Rotate the read-only user password on a regular schedule. Aurva stores credentials encrypted at rest and supports credential rotation without downtime.