As a data sources assessment utility, migVisor is aware of the sensitivity of different secured data types. Therefore, isolating migVisor from such data has been part of the design from the early stages of development.
migVisor Metadata Collector (mMC) runs a set of lightweight queries on the data source which are used to determine how the source is configured and which types of schema objects exist. The queries executed from mMC run solely on catalog and dictionary tables. For example, in an Oracle source, the migVisor Metadata Collector runs queries on v$* and dba_* tables.
mMC does not collect any application or user data. It collects only such data as types of schema objects, object names, server configuration, feature usage, and performance metrics.
The data collection process is fast (usually takes from a few seconds to a few minutes, depending on the complexity and number of objects in the source) and does not require any downtime of the source. Multiple sources can be scanned in parallel.
Types of Data Collected
The table below demonstrates which information is being collected by migVisor and which is not:
Information Type | Collected | Comments/Examples |
Application/user data | No | This type of information is excluded from migVisor’s collected data for the sake of privacy and security |
Source code object definition (stored procedures/functions) | No | migVisor has access to relevant tables to count how many lines of code but the total count is the information being stored and not any part of the business logic |
Passwords | No | This type of information is excluded from migVisor’s collected data for the sake of privacy and security |
Metadata about types of schema objects, object names | Yes | Being stored as part of the Feature detection to present where this Feature is being used in the source |
DB engine proprietary features being used | Yes | Example: DBMS_RANDOM / UTL_FILE etc. |
Servers names | Yes | This is an identifier for the user to recognize the server |
Server’s metadata information | Yes | This type of information is needed to support Complexities, Sizing and TCO calculations |
DB names | Yes | This is an identifier for the user to recognize the source |
DB's metadata information | Yes | This type of information is needed to support Complexities, Sizing and TCO calculations |
Performance metrics | Optional | For target sizing planning the user can choose to use performance tables while scanning |
Types of Data Stored
While it is clear that the more data migVisor collects, the more insights it can provide, migVisor is designed in a way that limits the data collection only to crucial information that must be collected in order to provide meaningful insights.
Based on our SMEs' extensive hands-on experience in source administration and cloud migrations, the types of data migVisor collects are widely accepted to be “safe to share”.
With that said, to increase the level of confidence migVisor users have regarding scanning and sending collected data, mMC provides an option to scan sources and store the results in a decrypted ZIP file. This allows migVisor’s users to ensure that uploading the collected information to the migVisor console is done in a way that follows the organization's standards and procedures.
Once the data is uploaded to and stored in the user account in migVisor Web Console, migVisor will provide reports and dashboards that will help you plan the migration path most suitable for you.
Once the insights were taken into account and the assessment is over, the user can remove specific sources from the repository in the migVisor console, wipe off all data or remove the profile and all its associated data permanently.
Required Permissions
Scanning by mMC does not require dba/sys/sa or any other system/root-level access to the source. Although it is possible to use a sysdba-type user, it is not required. Instead, we provide scripts that are used to create a separate new user in the sources with specific permissions on the specific tables migVisor needs access to.
These scripts grant only read-only permissions for this user on system catalog tables and the source data dictionary tables and not on any application/user data tables.
By using the custom-created user for source access, you will know exactly which specific tables are being accessed to collect the information we need for migVisor to do the analysis and support the migration assessment.
The migVisor user creation scripts which are used by mMC, present the specific list of source tables that are accessed as part of the scan process.
Below are the GRANT statements included in migVisor’s Getting Started scripts:
DB2 LUW
Script | GRANT on | Statement(s) | Purpose |
|---|
DB2 LUW | TOP_DYNAMIC_SQL | db2 update dbm cfg using SYSMON_GROUP mig_user | Acquire SELECT privilege on the SYSIBMADM.TOP_DYNAMIC_SQL administrative view |
*.* | GRANT SELECT ON *.* TO USER mig_user; | Acquire SELECT privilege to list all tables in the database. |
MON_GET_TABLESPACE | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_TABLESPACE TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_TABLESPACE function |
ENV_GET_SYSTEM_RESOURCES | GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_SYSTEM_RESOURCES TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.ENV_GET_SYSTEM_RESOURCES function |
MON_GET_MEMORY_SET | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_MEMORY_SET TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_MEMORY_SET function |
ADMIN_GET_MEM_USAGE | GRANT EXECUTE ON FUNCTION SYSPROC.ADMIN_GET_MEM_USAGE() TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.ADMIN_GET_MEM_USAGE function |
ADMIN_GET_ENCRYPTION_INFO | GRANT EXECUTE ON FUNCTION SYSPROC.ADMIN_GET_ENCRYPTION_INFO TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.ADMIN_GET_ENCRYPTION_INFO function |
MON_GET_CONNECTION | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_CONNECTION TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_CONNECTION function |
MON_GET_DATABASE | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_DATABASE TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_DATABASE function |
MON_GET_HADR | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_HADR TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_HADR function |
MON_GET_PKG_CACHE_STMT | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_PKG_CACHE_STMT TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_PKG_CACHE_STMT function |
MON_GET_TABLE | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_TABLE TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_TABLE function |
MON_GET_INDEX | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_INDEX TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_INDEX function |
MON_GET_ACTIVITY | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_ACTIVITY TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_ACTIVITY function |
MON_GET_TRANSACTION_LOG | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_TRANSACTION_LOG TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_TRANSACTION_LOG function |
MON_GET_UNIT_OF_WORK | GRANT EXECUTE ON FUNCTION SYSPROC.MON_GET_UNIT_OF_WORK TO USER mig_user; | Acquire EXECUTE privilege on the SYSPROC.MON_GET_UNIT_OF_WORK function |
MySQL
MySQL | *.* | GRANT PROCESS, REFERENCES, SHOW DATABASES, SHOW VIEW ON *.* | Acquire PROCESS, REFERENCES, SHOW DATABASES, SHOW VIEW privileges to get metadata about database objects, views, processes |
sys.* | GRANT SELECT ON sys.* | Acquire SELECT privileges on sys x$ views in order to get database statistics |
GRANT SELECT ON performance_schema.* | GRANT SELECT ON performance_schema.* | Acquire SELECT privileges required to query performance_schema related information |
mysql.slave_master_info | GRANT SELECT ON mysql.slave_master_info | Acquire SELECT privileges required to query replications related information |
mysql.slave_relay_log_info | GRANT SELECT ON mysql.slave_relay_log_info | Acquire SELECT privileges required to query replications related information |
mysql.user | GRANT SELECT ON mysql.user | Acquire SELECT privileges required to query users related information |
mysql.proc | GRANT SELECT ON mysql.proc | Acquire SELECT privileges required to query stored procedures related information |
*.* | GRANT SHOW_ROUTINE ON * .* | Acquire SELECT privileges required to query stored procedures related information |
*.* | GRANT EVENT ON *.* TO | Acquire SELECT privileges required to query event objects related information |
*.* | GRANT TRIGGER ON *.* TO | Acquire SELECT privileges required to query trigger objects related information |
Oracle
Script | GRANT on | Statement(s) | Purpose |
|---|
Oracle | SYS.OBJ$ | GRANT SELECT ON SYS.OBJ$ TO mig_user; | Acquire SELECT privilege to list all objects in the database. |
SYS.USER$ | GRANT SELECT ON SYS.USER$ TO mig_user; | Acquire SELECT privilege to list all users in the database. |
SYS.PROCEDUREINFO$ | GRANT SELECT ON sys.procedureinfo$ TO mig_user; | Acquire SELECT privilege to list all PL/SQL objects in the database. |
CREATE SESSION | GRANT CREATE SESSION TO mig_user; | Acquire CREATE SESSION privileges to create a connection to the database |
SELECT_CATALOG_ROLE | GRANT SELECT_CATALOG_ROLE TO mig_user; | Acquire SELECT privileges on data dictionary views |
Oracle (CDB Common User) | CREATE SESSION | GRANT CREATE SESSION TO c##mig_comm_user; | Acquire CREATE SESSION privileges to create a connection to the database |
SELECT_CATALOG_ROLE | GRANT SELECT_CATALOG_ROLE TO c##mig_comm_user; | Acquire SELECT privileges on data dictionary views |
PostgreSQL
Script | GRANT on | Statement(s) | Purpose |
|---|
PostgreSQL | REFERENCES ON all tables IN SCHEMA public | GRANT REFERENCES ON all tables IN SCHEMA public TO mig_user; | Acquire REFERENCES privileges to get information about tables metadata |
SELECT ON pg_catalog.pg_config | GRANT SELECT ON pg_catalog.pg_config TO mig_user; | Acquire SELECT privileges on catalog views to get information about database configuration settings |
EXECUTE ON FUNCTION pg_catalog.pg_config | GRANT EXECUTE ON FUNCTION pg_catalog.pg_config TO mig_user; | Acquire EXECUTE privileges on the read-only pg_catalog.pg_config function to get information about database configuration settings |
pg_catalog.pg_proc | GRANT SELECT ON pg_catalog.pg_proc TO mig_user; | Acquire SELECT privileges on catalog views to get information about functions and procedures |
pg_catalog.pg_namespace | GRANT SELECT ON pg_catalog.pg_namespace TO mig_user; | Acquire SELECT privileges on catalog views to get namespaces information |
pg_catalog.pg_hba_file_rules | GRANT SELECT ON pg_catalog.pg_hba_file_rules TO mig_user; | Acquire SELECT privileges on catalog views to identify connection authentication settings (e.g. md5, ssl, etc.) |
pg_catalog.pg_roles | GRANT SELECT ON pg_catalog.pg_roles TO mig_user; | Acquire SELECT privileges on catalog views to get information about database roles |
SQL Server
Script | GRANT on | Statement(s) | Purpose |
|---|
SQL Server | VIEW SERVER STATE | GRANT VIEW SERVER STATE TO mig_user | Acquire VIEW SERVER STATE privileges to view Dynamic Management Objects information |
VIEW ANY DEFINITION | GRANT VIEW ANY DEFINITION TO mig_user | Acquire VIEW ANY DEFINITION privileges to view various database objects definitions (DDLs) such as view, stored procedures, triggers, functions and indexes |
SELECT ON dbo.sysaltfiles | GRANT SELECT ON dbo.sysaltfiles TO mig_user | Acquire SELECT privileges on database files related information (Required for SQL Server 2000 only) |
mMC Connection Details
To establish a connection to sources to be scanned, the mMC saves the connection details provided by the user in a dedicated file per DB Engine, called dbConfig_<DB_ENGINE>.txt e.g. dbConfig_oracle.txt.
Source Credentials
Among other connection properties, mMC requires credentials for authentication purposes while connecting to the source engines.
mMC encompasses an encryption mechanism that makes sure that these credentials are written encrypted to the dbConfig file.
If the user manually edits the dbConfig file and updates the password field in one or more of the connection strings saved in the file to include a password in clear text, upon loading of the mMC, these passwords are encrypted automatically and replace the ones saved in clear text by the user.
