Skip to main content
HashnodeKeep It Simple. Developer's tips.

Command Palette

Search for a command to run...

How to securely connect MCP to the database (using Oracle DB 26AI and SQLcl) ?

Updated
4 min read
How to securely connect MCP to the database (using Oracle DB 26AI and SQLcl) ?
R
Rafal Grzegorczyk

Oracle APEX & PL/SQL Developer with 10 years of experience in IT, including financial systems for government administration, energy, banking and logistics industry. Enthusiast of database automation. Oracle ACE Associate. Certified Liquibase database versioning tool fan. Speaker at Kscope, APEX World, SOUG, HrOUG, POUG and DOAG. Likes swimming in icy cold lakes in winter and playing basketball.

Part of seriesSQLcl

What should we do to be sure of what AI can do using the SQLcl MCP server and what data is accessible to it?

Are there any extra security precautions we could take in case AI go crazy?

That's exactly what I gonna describe in this blog.

Prerequisites:

  • SQLcl standalone version installed - if not, please read how to do it here

  • Visual Studio Code installed

  • SQL Developer Extension for VS Code

  • MCP server for SQLcl added (read how to do it here )

Security context

MCP stands for Model Context Protocol.

In simpler terms, it’s a bridge between your AI (Copilot, Claude, or whatever you use) and your database, and it's already in SQLcl.

However, if you’d like to ask your AI Agent some questions about data in your database, your MCP needs access to that data.

And this needs to be done properly.

But, please, remember 3 things:

Never trust AI in 100%

If you are giving AI access to your data, do it with precision and full confidence in what you are doing (especially on production environments)

Never trust AI in 100%....

Create a database user for MCP usage

Using a privileged DBA user, create a new database user for further usage with the MCP Server. My user will be called MCP_DEV

create user mcp_dev identified by "password";

Grant basic roles and privileges Oracle believe are necessary for a database developer - using role DB_DEVELOPER_ROLE

grant DB_DEVELOPER_ROLE to mcp_dev;

More about DB_DEVELOPER_ROLE here and here

List roles & privileges associated with DB_DEVELOPER_ROLE

---- System Privileges
select sp.privilege
from   dba_sys_privs sp
where  sp.grantee = 'DB_DEVELOPER_ROLE'
order by 1;

-- Role Privileges
select rp.granted_role
from   dba_role_privs rp
where  rp.grantee = 'DB_DEVELOPER_ROLE'
order by 1;

-- Object Privileges
select tp.privilege, tp.table_name 
from   dba_tab_privs tp
where  tp.grantee = 'DB_DEVELOPER_ROLE'
order by 1, 2;

MCP_DEV user now has those grants & roles, but it doesn't have access to ANY other schemas than its own

Grant objects access (tables, views, etc.)

However, I would like to grant MCP_DEV access to my data (SELECT only, no modifications allowed)

I will use the latest enhancement in Oracle Database and the “SELECT ANY TABLE” grant.

The query below gives my MCP_DEV user access to read all schema tables in my database (useful in multi-schema applications)

GRANT SELECT ANY TABLE TO mcp_dev;

However, you may want to narrow those grants by granting only SELECT to a specific schema.

GRANT SELECT ANY TABLE ON SCHEMA demo TO mcp_dev;

Or you may wish to narrow it more to specific tables or views.

You decide, but do it carefully.

Configure database connection

This step has to be done using the SQL Developer Extension in VS Code

Test if it works by clicking “Test”

Connection called mcp_dev will be later used by my AI

Restrict levels in SQLcl MCP servers

According to SQLcl documentation, SQLcl is by default set to the most restrictive level 4.

However, I like to have things clear in my config files, so I've set it explicitly in the MCP JSON Config file. You can find it in VS Code under the "Extensions" tab.

{
	"servers": {
		"mcp_demo": {
			"type": "stdio",
			"command": "/Users/rg/apps/oracle/sqlcl/bin/sql",
			"args": ["-R","4","-mcp"]
		}
	},
	"inputs": []
}

This line sets the restrict level to "4":

"args": ["-R","4","-mcp"]

That gives you an extra layer of security.

Imagine that someone used a DBA connection with AI, and AI went crazy?

Having this restriction, crazy AI won't harm your database much :)

A small summary of the restricted levels is below.

Level Access Description
4(default) Most restrictive Blocks all commands from level 1-4
3 HIghly restrictive Disable running external scripts in SQLcl ( @, @@)
2 Medium restrictive Prevent saving SQL results to external files (SAVE, SPOOL, STORE)
1 Minimally restrictive Prevents HOST or EDIT commands
0 Unrestricted Allows all commands

The full list of commands blocked at certain restrict levels is here.

Ask AI about your database

I'm all set, so now I can talk with my database.

PS, what's the cover photo? That's Blue Herron spotted close to the entrance of Everglades National Park in Florida.

#sqlcl#mcp#ai#oracle-database#oracle
31 views

Comments

Join the discussion

No comments yet. Be the first to comment.

SQLcl

Part 3 of 13
Up next

How to quickly add SQLcl MCP Server to Visual Studio Code?

In this short guide, I’ll show you how to quickly add an SQLcl-based MCP server in Visual Studio Code so you can start “talking” with your Oracle Database using AI. No complex setup, no huge framework

More from this blog

Keep It Simple. Developer's tips.

58 posts