Synonym for Sequence e grant to other user
Hola,
I have two user
AAA e BBB
In AAA I have this sequence SQ_NUMEAVVI
I create in BBB user
CREATE SYNONYM SQ_NUMEAVVI_AAA FOR AAAA.SQ_NUMEAVVIAnd from sql connection of user BBB I haven't problem to see this sequence, but when I compile this function
CREATE OR REPLACE FUNCTION F_CALCNUMEAVVISEQU (VC_USER IN VARCHAR2)
RETURN varchar2 IS
VC_NUMEAVVI VARCHAR2(15);
BEGIN
SELECT DECODE((SELECT CODI_TIPO_UTEN FROM ANAGUTEN WHERE NOME_UTEN = upper(ltrim(rtrim(VC_USER)))),10,'C',11,'R',12,'S',13,'D','C')||SQ_NUMEAVVI_AAA.NEXTVAL
INTO VC_NUMEAVVI
FROM DUAL;
RETURN(VC_NUMEAVVI);
EXCEPTION
WHEN OTHERS THEN
RETURN(1);
END;
/I have the error "The sequence doesn't exist"
Do you have to give a grant to this sequence from AAA to BBB?
And How can do?
Thank's!!
Paolo
GRANT SELECT ON SQ_NUMEAVVI TO BBB;SY.
Similar Messages
-
Deleted synonyms for sequences when checking catalog
Hi forum,
we are using community version 7.6.06.03 on Linux 64bit (yes - it's rather old, but still working well). There we have created some sequences for db user A and added grants to db user B. User B works with own synonyms on the sequences of user A (needed for generic application). Running "dbmcli ... db_execute check catalog" gives a warning about inconsistencies. Same command plus additional "... with update" deletes the synonyms from user B and removes the inconsistencies.
How to reproduce:
1. dbuserA: create sequence seq1
2. dbuserA: grant select on seq1 to dbuserB
3. dbuserB: create synonym dbuserB.ownseq1 for dbuserA.seq1
4. dbmcli ... db_execute check catalog with update
=> synonyms from step 3 are deleted (at new db sessions)
Is this a false construct in our structure, a wrong usage of a command or maybe an error in maxdb? I've found the command "check catalog [with update]" only in this forum, but not in the official documentation of 7.6.
BTW: Version 7.6.06.10 shows the same behaviour.
Regards,
ThomasHi Thomas,
I was able to reproduce this even with 7.7.06 Build 15.
OK - wild guess: in SAP we don't make use of cross-schema synonyms on MaxDB.
So, maybe this awkward little part of the catalog check had been created before there was something like SCHEMAs in MaxDB (say. before 7.5).
Back then, a non-public synonym not belonging to the same schema would have been a inconsistency (well, likely).
I tried to use public synonym instead - that works (that is, the check doesn't delete them).
Hope that helps a bit.
regards,
Lars -
Synonym for sequence.nextval
Hi all,
I have an error on this
Error(48,48): PL/SQL: ORA-02287: sequence number not allowed here
SELECT MAX (capacity_id_seq) - capacity_id_seq.NEXTVAL
INTO lv_new_importmaxrecord
FROM capacity_current;
Shoud I create a public synonym for this??to solve this...SQL>
SQL> drop table t;
Table dropped.
SQL> drop sequence t_seq;
Sequence dropped.
SQL> create table t (x) as
select rownum from all_objects
where rownum <= 1000;
Table created.
SQL>
SQL> create sequence t_seq;
Sequence created.
SQL>
declare
n number;
begin
select max(x) - t_seq.nextval
into n
from t;
dbms_output.put_line(n);
end;
select max(x) - t_seq.nextval
ERROR at line 4:
ORA-06550: line 4, column 25:
PL/SQL: ORA-02287: sequence number not allowed here
ORA-06550: line 4, column 3:
PL/SQL: SQL Statement ignored
SQL>
SQL> set serveroutput on size 1000000
SQL>
declare
n number;
begin
select maxn - t_seq.nextval
into n
from (select max(x) as maxn from t);
dbms_output.put_line(n);
end;
999
PL/SQL procedure successfully completed.
SQL>
SQL>pratz -
How to create Transaction code for ABAP and execution by other user
Hi All,
Could someone please let me know how to create transaction code in detail for ABAP program. Step by step procedure expected. I would like to know how other user can execute the report using same transaction code which I have created.
More about authorization.
Thanks in advance.Hello,
You can create transaction code from se80 as well.In object navigator,right click on your program name and create->transaction code.You can create transaction and select if it is only a report,a report with selection-screen depending on your requirement.You can run your report directly by entering the transaction code in the command field.
You can authorise the users who can use your transaction:
<b>Authorisation objects</b> are used to restrict certain transactions to users.Critical data must be protected from unauthorised users.For example,the head has access to certain data.But it cannot be accessed by his subordinate.For this we need to define <b>roles</b>.
Create an authorization object with transaction SU21.
An object usually consists of the ACTVT (activity) field and one other field,which specifies the data type to be protected.By ACTVT, we can decide if the data is accessible for change,display only etc.
Add authorization fields to the authorization object created.
Assign the authorization object to the transaction using SE93.
Attach the authorization object to the role using transaction PFCG.
If you want <b>to assign roles</b>,use transaction PFCG.Create a new role.In the AUTHORIZATIONS tab,you can get a self generated profile name and a profile text by clicking on the icon next to it.Then go to the "Change Authorization data" and choose an authorization template.Then you can choose to display/change/create an activity and after the selection,click on the red and white circle.The profile will now be created.
In the user tab,you can give the user details who can use this role.
<b>Also check this link:</b>
http://www.*********************/r3_security/r3_security_tips.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/52/6716a6439b11d1896f0000e8322d00/content.htm
<b>Very helpful guide:</b>
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
Regards,
Beejal
**Reward if answer is helpful -
Like it says in the title basically.
I want to use a time capsule to store my files and backups and access it from my phone and MacBook Air. However I do not want the others in my house who are currently connected to the same wifi/ethernet router to use my connection or my TC hard drives.
I had also been thinking about wirelessly extending the wifi network (a linksys N router) but I guess that will allow everyone to access my Time Capsule?
I hope you guys can help me.
Regards, Guido......will other users on the primary network (not the private wifi one) be able to access my files on my TCapsule?
No, if you have not provided them with the Time Capsule device password.
Users will be able to "see" the Time Capsule icon under the SHARED heading in the Finder on their Macs, but they will not be able to access the drive or the files.
I had also been thinking about wirelessly extending the wifi network (a linksys N router) but I guess that will allow everyone to access my Time Capsule?
Same answer as above. -
ITunes will launch for specific admin but no other user (including root).
Mac OS X 10.6.3, iTunes 9.1.1
I have re-installed iTunes using a different admin user and even as root and the problem persists. I have repaired permissions with root as well (after trying with 2 admin users). Permissions show as being repaired.
I have never seen an issue on any *nix system where an app won't launch for root but will launch for a user.
Any ideas on how to fix it or anyone know how to completely uninstall iTunes from the system to try again from scratch?The application starts to launch in the Dock but never finishes and I've looked all over Console's logs to try and find an error message but there isn't one. It does not bring up the "Unexpectedly Quit" dialog, either.
If you are familiar with how apps crash on the iPhone, where they just immediately exit back to SpringBoard, it is like that.
The strange thing is, my main account which is an administrator, does not have any problems launching iTunes. I only discovered this problem because I can't use the File Sharing feature of any of my iPad apps so I was using a different test login (also an admin) to troubleshoot. Then I thought maybe there was a permissions error I couldn't find so I logged in with root and the problem persisted there, too. I am thinking if I fix this error I will be able to use File Sharing (which works on the same iPad with my VAIO and Win7).
I would just re-install Mac OS X but my optical drive doesn't work any more. -
Script for request a certificate using other user's credentials
Hi,
I need to request for a certificate using other test user's credential. For this requirement I came up with the following script,
cd C:\temp-folder
Add-Content C:\temp-folder\req.inf "[NewRequest]`r`nSubject=`"CN=Test01`"`r`nRequestType=pkcs10`r`n`r`n[RequestAttributes]`r`nCertificateTemplate=TestUser" #This line would create the inf file
$username = 'MyDomain\Test01'
$password = 'Pass1234'
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList @($username,(ConvertTo-SecureString -String $password -AsPlainText -Force))
Invoke-Command -Credential $cred -ComputerName localhost -scriptblock {
certreq -new req.inf certnew.req
certreq -submit -config "ca.mydomain.com\MyEnterpriceCA" certnew.req certnew.cer
certreq -accept certnew.cer
But when it comes to executing the certreq command, the script hangs. Is there a possible way to come around this issue and request a certificate under MyDomain\Test01 user account via a script ?
Thank you...Hi,
In MMC you can add Certificates and in personal certificate Advance option you can use ON BEHALF OF users.
Regards,
Yan Li
Cataleya Li
TechNet Community Support -
QueueSubmitTimesheet for other users with impersonation? Project Server 2013
Hello.
In an console application using TimeSheet.asmx on Project Server 2013 I want to call QueueSubmitTimesheet for timesheets that belong to other user.
Is this possible?
Thanks and best regards, TimoJust start with:
http://www.apple.com/ipad/business/it/management.html -
Why one user can not see plan output for some orgs while other users can?
We have several inventory/planning orgs. Suddenly one of the users is not seeing any plan output for some organizations. While other users are able to see plan out (planner workbench) for all org.
All users use the same responsibility.
Deleted all the folders to eliminate hidden query in default folder.
Any other thoughts?
Edited by: 918894 on May 5, 2013 10:22 PMThe issue is resolved.
In the user preferences, one user has Inventory Category Set and other user has Planning Category Set as the default. Items belonging to one Org were not assigned Planning Category Set. Thus they were not showing for the other user.
Thanks for the response. -
Convergence problem -- users seeing other users' mailboxes
Hello, all!
We seem to be having rather a shocking problem with Convergence -- in certain rare circumstances, people logging in to Convergence sometimes end up with other people's mailboxes instead of their own.
Today, we had another of such incidents reported to our helpdesk -- after the issue was passed to my division, I decided to visit the affected user's desktop to see who they were logged in as, plus some particulars from cookes that Convergence uses, thinking that it may be related to a recent patch we received as a response from a Sun Support ticket filed about a similar incident. Afterwards, I went back to the server and started reading logs to see if I could pinpoint the root cause of what happened.
Note that these logs have been sanitized -- <INCORRECT_USER> represents the username of the mailbox that the affected user saw instead of their own, <AFFECTED_IP> represents the IP address of the affected user's IP address, and <PREVIOUS_IP> represents the IP address of the user trying to access their mailbox that was seen by the affected user as well. (The IPs are not the same and are not in the same subnet.)
So, from our Glassfish domain's access logs:
"<AFFECTED_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:04:37 -0600" "GET /iwc/svc/wmap/msg.mjs?rev=3&sid=&mbox=INBOX&uid=457&process=html%2Cjs%2Clink%2Ctarget%2Cbinhex&maxtext=155000&security=false&lang=en&token=KZc9jnOair&dojo.preventCache=1289322277283 HTTP/1.1" 200 6184
That was the last access from the affected user's IP address before the incident begins -- this is just to show that they didn't log out. Then:
"<PREVIOUS_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:19:06 -0600" "GET /iwc_static/layout/login.html?lang=en-us&14.01_234924&svcs=abs,im,mail,calendar,c11n HTTP/1.1" 200 5095
...the other user visits the login page to try and log in. (I'll spare everyone the accesses to the preloading of Convergence's UI images. =) After a while, the other user attempts to log in and is successfully sent to main.html:
"<PREVIOUS_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:19:11 -0600" "POST /iwc/svc/iwcp/login.iwc HTTP/1.1" 200 312
"<PREVIOUS_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:19:11 -0600" "GET /iwc_static/layout/main.html?lang=en&14.01_234924& HTTP/1.1" 200 8856
However, out of the blue:
"<AFFECTED_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:19:11 -0600" "POST /iwc/svc/iwcp/login.iwc HTTP/1.1" 200 312
"<AFFECTED_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:19:11 -0600" "POST /iwc/svc/wmap/cmd.mjs HTTP/1.1" 200 17
...the affected user tries to log in as well, then ask the AJAX cmd process to do something. The affected user mentioned that they usually stay connected to Convergence and just reopen a browser window when they need to check their mail. This seems consistent -- main.html probably prompted the affected user to retype their password to continue on after the previous commmand above failed after an expired session after they closed their browser window.
Now, according to Convergence's iwc.log:
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-443-36 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:06,582- SSO is disabled
AUTH: DEBUG from com.sun.comms.client.web.auth.IwcAuthController Thread httpSSLWorkerThread-443-36 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:06,583- No valid session found, redirecting to login page
AUTH: DEBUG from com.sun.comms.client.web.auth.IwcAuthController Thread httpSSLWorkerThread-443-36 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:06,584- Redirecting to: /iwc_static/layout/login.html?lang=en-us&14.01_234924&svcs=abs,im,mail,calendar,c11n
The other user visits the site and is redirected to login.html, then...
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,410- SSO is disabled
PROTOCOL: DEBUG from com.sun.comms.client.protocol.ProtocolEngineServlet Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,411- Iwc Protocol command issued: login.iwc
AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,413- Subject not found in session, creating one
AUTH: DEBUG from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,414- Loaded com.sun.comms.client.security.auth.AppCallbackHandler class
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,416- SunLDAPLoginModule:initialize()
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,504- SunLDAPLoginModule:login()
AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunAuthCallBack Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,506- User LoginID is <INCORRECT_USER>
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunAuthCallBack Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,508- Host header is connect.siue.edu
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunAuthCallBack Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,510- Attempting to resolve User's domain/organization: siue.edu from the host header...
AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunAuthCallBack Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,511- User domain is siue.edu
AUTH: DEBUG from com.sun.comms.client.security.auth.AppCallbackHandler Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,513- Done Handling Callback class: com.sun.comms.client.security.auth.modules.impl.SunLDAPAuthCallBack
AUTH: DEBUG from com.sun.comms.client.security.auth.AppCallbackHandler Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,514- Done Handling Callback class: com.sun.comms.client.security.auth.AuthorizationIdCallback
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,516- SunLDAPLoginModule:lookupUser()
AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,517- Loaded UG LDAP pool...
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,521- Releasing UG LDAP to pool
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,523- Loaded Auth LDAP pool...
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,527- Releasing Auth LDAP to pool
AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,529- SunLDAPLoginModule:User <INCORRECT_USER> Authenticated
AUTH: INFO from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,533- Loading user entry from LDAP
...the other user successfully logs in (using an external Sun-based LDAP server), then starts asking the LDAP server for their Convergence preferences.
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,535- Creating Comms User.....
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,537- Creating new User
(That's interesting...)
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,539- Login id of the user is <INCORRECT_USER>
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,541- Domain name of the user is siue.edu
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,544- Org DN of the user is o=siue.edu,o=usergroup
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,546- Real domain name of the user is siue.edu
AUTH: INFO from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,548- User entry loaded successfully
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,550- Updating user cache with default attribute values
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,552- Updating user cache common preference with default values
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,555- Processing AttrName: sunUCDefaultApplication
AUTH: DEBUG from com.sun.comms.client.security.auth.CommsUserInitContext Thread httpSSLWorkerThread-443-33 ipaddress=<PREVIOUS_IP> sessionid= at 11/09/10 11:19:14,557- Preference Attribute : sunUCDefaultApplication is not present in user cache
And intermixed with the loading of preferences for the other user...
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-443-18 ipaddress=<AFFECTED_IP> sessionid= at 11/09/10 11:19:14,666- SSO is disabled
PROTOCOL: DEBUG from com.sun.comms.client.protocol.ProtocolEngineServlet Thread httpSSLWorkerThread-443-18 ipaddress=<AFFECTED_IP> sessionid= at 11/09/10 11:19:14,667- Iwc Protocol command issued: login.iwc
AUTH: WARN from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-443-18 ipaddress=<AFFECTED_IP> sessionid= at 11/09/10 11:19:14,669- Subject not found in session, creating one
AUTH: DEBUG from com.sun.comms.client.protocol.delegate.agent.LoginContextAgent Thread httpSSLWorkerThread-443-18 ipaddress=<AFFECTED_IP> sessionid= at 11/09/10 11:19:14,671- Loaded com.sun.comms.client.security.auth.AppCallbackHandler class
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-18 ipaddress=<AFFECTED_IP> sessionid= at 11/09/10 11:19:14,674- SunLDAPLoginModule:initialize()
AUTH: DEBUG from com.sun.comms.client.security.auth.modules.impl.SunLDAPLoginModule Thread httpSSLWorkerThread-443-18 ipaddress=<AFFECTED_IP> sessionid= at 11/09/10 11:19:14,676- SunLDAPLoginModule:login()
AUTH: INFO from com.sun.comms.client.security.auth.modules.impl.SunAuthCallBack Thread httpSSLWorkerThread-443-18 ipaddress=<AFFECTED_IP> sessionid= at 11/09/10 11:19:14,678- User LoginID is <INCORRECT_USER>
...there's the affected user trying to log in -- and getting the same username as the other user!
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-443-32 ipaddress=<AFFECTED_IP> sessionid=0fabb5152fbab756c5ef6cdb2c1d at 11/09/10 11:19:14,933- SSO is disabled
AUTH: DEBUG from com.sun.comms.client.web.authorization.MailAuthorizationFilter Thread httpSSLWorkerThread-443-32 ipaddress=<AFFECTED_IP> sessionid=0fabb5152fbab756c5ef6cdb2c1d at 11/09/10 11:19:14,935- Removing token parameter from the mail backend service request
PROXY_MAIL: DEBUG from com.sun.comms.client.web.services.sun.MailServiceProxy Thread httpSSLWorkerThread-443-32 ipaddress=<AFFECTED_IP> sessionid=0fabb5152fbab756c5ef6cdb2c1d at 11/09/10 11:19:14,938- reqURI: /iwc/svc/wmap/cmd.mjs
The affected user (seeing that they have less to load) tries to send the command referenced above. Note their session ID...
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-443-37 ipaddress=<PREVIOUS_IP> sessionid=1a60d56c1deb585e05bf126aa4fe at 11/09/10 11:19:15,740- SSO is disabled
PROTOCOL: DEBUG from com.sun.comms.client.protocol.ProtocolEngineServlet Thread httpSSLWorkerThread-443-37 ipaddress=<PREVIOUS_IP> sessionid=1a60d56c1deb585e05bf126aa4fe at 11/09/10 11:19:15,831- Iwc Protocol command issued: get_allprefs.iwc
PROTOCOL: WARN from com.sun.comms.client.protocol.delegate.UserPrefsCommandDelegate Thread httpSSLWorkerThread-443-37 ipaddress=<PREVIOUS_IP> sessionid=1a60d56c1deb585e05bf126aa4fe at 11/09/10 11:19:15,834- get_allprefs.iwc : Service is not enabled : smime
CONFIG: DEBUG from com.sun.comms.client.web.ServerConfiguration Thread httpSSLWorkerThread-443-37 ipaddress=<PREVIOUS_IP> sessionid=1a60d56c1deb585e05bf126aa4fe at 11/09/10 11:19:15,837- Virtual domain is enabled
PROTOCOL: WARN from com.sun.comms.client.protocol.delegate.agent.ClientOptionsAgent Thread httpSSLWorkerThread-443-37 ipaddress=<PREVIOUS_IP> sessionid=1a60d56c1deb585e05bf126aa4fe at 11/09/10 11:19:15,839- client preferences not found for domain: siue.edu
...and how it's completely different from the other user's session ID. (One odd note -- the other user's browser asks for get_allprefs.iwc, but the affected user's browser doesn't until much later when, after seeing the incorrect mailbox, tried to rectify the problem by closing their browser and revisiting the domain, which bounced them off to main.html since they (apparently) had a valid session:
From Glassfish's access logs:
"<AFFECTED_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:24:48 -0600" "GET / HTTP/1.1" 200 279
"<AFFECTED_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:24:48 -0600" "GET /iwc/ HTTP/1.1" 302 0
"<AFFECTED_IP>" "NULL-AUTH-USER" "09/Nov/2010:11:24:48 -0600" "GET /iwc_static/layout/main.html?lang=en-us&14.01_234924 HTTP/1.1" 200 8856
And from Convergence's iwc.log:
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-443-36 ipaddress=<AFFECTED_IP> sessionid=1a60de74f3d0ef2780bc181221e2 at 11/09/10 11:24:50,928- SSO is disabled
AUTH: DEBUG from com.sun.comms.client.web.auth.IwcAuthController Thread httpSSLWorkerThread-443-36 ipaddress=<AFFECTED_IP> sessionid=1a60de74f3d0ef2780bc181221e2 at 11/09/10 11:24:50,934- Found a valid session, redirecting user to the main view page
PROTOCOL: WARN from com.sun.comms.client.protocol.delegate.agent.ClientOptionsAgent Thread httpSSLWorkerThread-443-36 ipaddress=<AFFECTED_IP> sessionid=1a60de74f3d0ef2780bc181221e2 at 11/09/10 11:24:50,952- client preferences not found for domain: siue.edu
AUTH: DEBUG from com.sun.comms.client.web.sso.SSOFilter Thread httpSSLWorkerThread-443-37 ipaddress=<AFFECTED_IP> sessionid=1a60de74f3d0ef2780bc181221e2 at 11/09/10 11:24:51,947- SSO is disabled
PROTOCOL: DEBUG from com.sun.comms.client.protocol.ProtocolEngineServlet Thread httpSSLWorkerThread-443-37 ipaddress=<AFFECTED_IP> sessionid=1a60de74f3d0ef2780bc181221e2 at 11/09/10 11:24:51,949- Iwc Protocol command issued: get_allprefs.iwc
PROTOCOL: WARN from com.sun.comms.client.protocol.delegate.UserPrefsCommandDelegate Thread httpSSLWorkerThread-443-37 ipaddress=<AFFECTED_IP> sessionid=1a60de74f3d0ef2780bc181221e2 at 11/09/10 11:24:51,951- get_allprefs.iwc : Service is not enabled : smime
CONFIG: DEBUG from com.sun.comms.client.web.ServerConfiguration Thread httpSSLWorkerThread-443-37 ipaddress=<AFFECTED_IP> sessionid=1a60de74f3d0ef2780bc181221e2 at 11/09/10 11:24:51,952- Virtual domain is enabled
PROTOCOL: WARN from com.sun.comms.client.protocol.delegate.agent.ClientOptionsAgent Thread httpSSLWorkerThread-443-37 ipaddress=<AFFECTED_IP> sessionid=1a60de74f3d0ef2780bc181221e2 at 11/09/10 11:24:51,954- client preferences not found for domain: siue.edu
(Again, what's odd is that the JSESSIONID changes again.)
I thought initially that it may be a pooling problem, so I decided to check out the logs for the Sun ONE Directory Server that this instance of Convergence is connected to and:
[09/Nov/2010:11:19:14 -0600] conn=407075 op=22106 msgId=86900 - SRCH base="o=siue.edu,o=usergroup" scope=2 filter="(uid=<INCORRECT_USER>)" attrs="* isMemberOf"
[09/Nov/2010:11:19:14 -0600] conn=407075 op=22106 msgId=86900 - RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2010:11:19:14 -0600] conn=408714 op=2173 msgId=86901 - BIND dn="uid=<INCORRECT_USER>,ou=People,o=siue.edu,o=usergroup" method=128 version=3
[09/Nov/2010:11:19:14 -0600] conn=408714 op=2173 msgId=86901 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=<INCORRECT_USER>,ou=people,o=siue.edu,o=usergroup"
[09/Nov/2010:11:19:14 -0600] conn=408784 op=4786 msgId=86902 - SRCH base="o=siue.edu,o=usergroup" scope=2 filter="(uid=<INCORRECT_USER>)" attrs="* isMemberOf"
[09/Nov/2010:11:19:14 -0600] conn=408784 op=4786 msgId=86902 - RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2010:11:19:14 -0600] conn=408714 op=2174 msgId=86903 - BIND dn="uid=<INCORRECT_USER>,ou=People,o=siue.edu,o=usergroup" method=128 version=3
[09/Nov/2010:11:19:14 -0600] conn=408714 op=2174 msgId=86903 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=<INCORRECT_USER>,ou=people,o=siue.edu,o=usergroup"
But two different LDAP connections.... well, actually four... searched for and bound to the other user's username.
The other interesting thing I found was while I was searching for the other user's username in the LDAP logs -- earlier I pointed out an interesting entry about "creating a Comms user"; however, the other user logged in previously to Convergence:
[08/Nov/2010:21:23:10 -0600] conn=407075 op=18839 msgId=75351 - SRCH base="o=siue.edu,o=usergroup" scope=2 filter="(uid=<INCORRECT_USER>)" attrs="* isMemberOf"
[08/Nov/2010:21:23:10 -0600] conn=407075 op=18839 msgId=75351 - RESULT err=0 tag=101 nentries=1 etime=0
[08/Nov/2010:21:23:10 -0600] conn=408714 op=680 msgId=75352 - BIND dn="uid=<INCORRECT_USER>,ou=People,o=siue.edu,o=usergroup" method=128 version=3
[08/Nov/2010:21:23:10 -0600] conn=408714 op=680 msgId=75352 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=<INCORRECT_USER>,ou=people,o=siue.edu,o=usergroup"
I'm stumped -- anyone have any ideas why this is happening to us? (Due to these problems, we've been forced to shutdown our Convergence servers and redirect users to another older webmail product until this is fixed.)>
The other interesting thing I found was while I was searching for the other user's username in the LDAP logs -- earlier I pointed out an interesting entry about "creating a Comms user"; however, the other user logged in previously to Convergence:"creating a Comms user" => means creating user object in memory using details in the LDAP and configuration, it does not create a User entry in LDAP.
Can you please provide following details:
- version of Convergence
- output of 'iwcadmin -l'
- full iwc.log and glassfish access log file -
Loopback GPO on Replace prevents other user GPOs from applying
I had the need to create a GPO and use a loopback. Simple little GPO, just to add some stuff to trusted sites on a specific Citrix server. I created it as a user GPO then did a loopback so I could apply it to only the application hosting XenApp
server I wanted.
I set the loopback to replace, just because it was default and the trusted site settings were not applied anywhere else; I didn't really care.
Long story short, when I linked that GPO, it, for some reason, prevented all other user GPOs from applying. Not denied, they just didn't even show up.
I figured it out shortly after, and when I changed it to merge, the other user GPOs applied again. This is not the way I believe Loopback is supposed to work, in either replace or merge.
Any insight on why that might have happened?> Long story short, when I linked that GPO, it, for some reason, prevented
> all other user GPOs from applying. Not denied, they just didn't even
> show up.
> I figured it out shortly after, and when I changed it to merge, the
> other user GPOs applied again. This is not the way I believe Loopback
> is supposed to work, in either replace or merge.
This actually IS the way it is supposed to work:
http://evilgpo.blogspot.com/2012/02/loopback-demystified.html
http://blogs.technet.com/b/askds/archive/2013/02/08/circle-back-to-loopback.aspx
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))
That makes a lot more sense.
What it says on the GPO itself is:
"Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.
I was interpreting that as GPOs it would replace were only the settings in the loopback. -
View + stored function + synonym for other user
Dear All!
I've got a quite strange problem which I cannot decide whether it's caused by my lack of knowledge on the appropriate topic or by an Oracle bug. I'm already after some heavy googling on the topic and I was unable to track any valuable answers neither in forums nor in the Oracle documentation. I'll try to be as short and specific as possible.
Database: Oracle 10g
Result of "SELECT BANNER FROM V$VERSION":
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
"CORE 10.2.0.4.0 Production"
TNS for Solaris: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
I have two users in the database for a single Web application: UAPP01, which is the owner of application DB objects and UAPP02 which is the application user connecting to the DB. The application runs for quite many years by now and DB structure layout has always been following a simple logic: for each DB object used by the app. (tables, views, packages and stored procedures/functions) and found in the UAPP01 there exists a synonym in the UAPP02 schema. For the privileges to be set correctly a role is created: RL_MY_APPL which is granted the necessary privileges on objects of UAPP01 (CRUD on tables, SELECT on views, EXECUTE on procedures, etc..). This role is granted to UAPP02.
In the previous days I was about to extend the DB with a view that invokes a stored function. This pattern has already occured in the DB previously so I kept following existing conventions: I've created the stored function and the view in the UAPP01 schema, granted SELECT on the view to RL_MY_APPL and created the synonym for it in the UAPP02 schema. This is where the entire functionality began to act strange. I'll try to explain with a simplified example that was sufficient to reproduce the problem:
REM ========================================
REM Execute below code as UAPP01 user.
REM ========================================
REM Test function.
CREATE OR REPLACE FUNCTION testfunction(p_param NUMBER) RETURN NUMBER IS
BEGIN
RETURN p_param *2;
END;
REM Testview version 1. causing trouble.
CREATE OR REPLACE VIEW testview AS
WITH testdata AS
SELECT /*+ materialize*/ LEVEL AS d
FROM dual CONNECT BY LEVEL <= 100
SELECT a, b, c, SUM(d) AS sum_d
FROM
SELECT FLOOR(dbms_random.VALUE(1, 100)) a, FLOOR(dbms_random.VALUE(1, 100)) b, FLOOR(dbms_random.VALUE(1, 100)) c, testfunction(d) AS d
FROM testdata
GROUP BY CUBE(a, b, c)
REM Testview version 2. not causing trouble.
CREATE OR REPLACE VIEW testview AS
SELECT a, b, c, SUM(d) AS sum_d
FROM
SELECT FLOOR(dbms_random.VALUE(1, 100)) a, FLOOR(dbms_random.VALUE(1, 100)) b, FLOOR(dbms_random.VALUE(1, 100)) c, testfunction(d) AS d
FROM
SELECT LEVEL AS d FROM dual CONNECT BY LEVEL <= 100
GROUP BY (a, b, c)
REM Synonym.
CREATE OR REPLACE SYNONYM UAPP02.testview FOR UAPP01.testview;
REM Grants.
GRANT SELECT ON testview TO RL_MY_APPL;
When creating TESTVIEW with the 1 ^st^ version I cannot query it using the UAPP02 user, I'm constantly getting the error: ORA-00904: : invalid identifier. However, when I use the 2 ^nd^ version everything runs perfectly. What is common in the two cases is that both versions use the TESTFUNCTION function. I have not granted the EXECUTE rights on TESTFUNCTION to the RL_MY_APPL since it was never needed previously (for other views using stored functions) and as far as I know it's not necessary (as both the view and the function are owned by UAPP01). The strange thing in the above behaviour is that the function is used by both versions, however only one of them fails. This is where I thought it's not a granting issue, otherwise neither of the versions would have worked and I think I would have received a different error stating that UAPP02 lacks the necessary privileges on underlying objects of the view.
As I further digged into the problem by examining the EXPLAIN PLAN output for the two versions I found that version 1. leads to a TEMP TABLE TRANSFORMATION and to MULTI TABLE INSERTs, whereas version 2. simply executes the query without doing such things. In my setup I presume the MULTI TABLE INSERTs were caused by the GROUP BY CUBE. When I simply removed the CUBE and used only GROUP BY the TEMP TABLE TRANSFORMATION remained in place but the MULTI TABLE INSERTs disappeared. As a result of this small modification the view again began to work when I executed it through the synonym and using the UAPP02 user.
With the original DB objects of our application the behaviour is even more strange: the error comes up if I select from the view and filter for a column that is grouped in the query whereas it works correctly if I filter for the aggregated columns. However, I couldn't reproduce this with the above simplified example.
No problem occurs with any of the versions if I query the view using the UAPP01 user.
This hectic behaviour made me suspect that the TEMP TABLE TRANSFORMATION + MULTI TABLE INSERT + synonym + stored function combo appears to bring a strange Oracle bug to the surface...
As a final note: when executing GRANT EXECUTE ON TESTFUNCTION TO RL_MY_APPL everything works fine in all cases. I know I could simply live with this but I'd really like to get to the bottom of this. Although this extra GRANT appears to solve the problem I don't really trust it. I'd really like to avoid the bug emerging again in Production in case this extra GRANT were not sufficient due to some unknown misteries.
Excuse me, the post has become a bit lengthy. Thanks in advance for anyone who's willing to read through and answer it!
Regards,
Krisztian Balazs SzaniszloThe error is thrown at run-time and only for the UAPP02 (second) user.
The problem is that the appearance of errors is independent of whether the query contains the call to the stored function or not.
So far I thought that if I use a stored function indirectly, like in this setup: UAPP02.synonym -> UAPP01.view -> UAPP01.stored function, then I don't need the grant. Of course, I understand that if I had used it directly, like :UAPP02.synonym -> UAPP01.stored function then I'd need the GRANT EXECUTE.
Shall I just ignore the strange behaviour and go on by adding GRANT EXECUTE privilege on all the functions used indirectly through views? It seems to solve the problem, but this behaviour is disturbing me quite and I fear the real root cause of the problem can emerge later in a different fashion. -
Grant to a specific user and deny for all other users
I have 100 users. Out of 100 users, i have windows & sql authentication users. I have a view "SQL_CONFIG_V" and want to give access to "corp\abc" (windows authentication user) and "poc" (sql authentication user) and all
system user id's(by default) like sys, information_schema etc. I want to deny all other users to see view defintion or alter this view "SQL_CONFIG_V" except the users that i specified here.You can deny access to those users to the database, or they are have the access but you do not want them to SELECT that specific view? Do the users members of db_owner role?
GRANT SELECT on viewname TO freddie
Best Regards,Uri Dimant SQL Server MVP,
http://sqlblog.com/blogs/uri_dimant/
MS SQL optimization: MS SQL Development and Optimization
MS SQL Consulting:
Large scale of database and data cleansing
Remote DBA Services:
Improves MS SQL Database Performance
SQL Server Integration Services:
Business Intelligence -
Error In Adadmin Re-Create Grants And Synonyms For Apps Schema
HI,
I upgraded the my DB from 9.2.6 to 10.2.4.It was sucessfull.
While doing Postupgradayion steps -
Recreate grants and synonym for apps
a. Log in to server with applmgr user
b. Execute adadmin
c. Choose -> Maintain Applications Database Entities menu
d. Choose -> Re-create grants and synonyms for APPS schema
2 workers got failed ...
i chked the worker log file i found
sqlplus -s APPS/***** @/stageAPP/stageappl/ad/11.5.0/admin/sql/adappsgs.pls &systempwd 1 PO APPLSYS APPS TRUE FALSE TRUE
Connected.
old 2: ad_apps_private.create_grants_and_synonyms(&2,'&3','&4','&5','FALSE');
new 2: ad_apps_private.create_grants_and_synonyms(1,'PO','APPLSYS','APPS','FALSE');
begin
ERROR at line 1:
ORA-20000: ORA-00955: name is already used by an existing
object:create_grants_and_synonyms(1,PO,APPLSYS,APPS): create_base_gs(PO,APPS):
In Synonyms
Loop:create_synonym(PO,XXGOD_SEQ_DECORTIMESHEET_HDR,APPS,XXGOD_SEQ_DECORTIMESHEE
T_HDR): do_apps_ddl(APPS,CREATE SYNONYM "XXGOD_SEQ_DECORTIMESHEET_HDR" FOR
PO."XXGOD_SEQ_DECORTIMESHEET_HDR"):
ORA-06512: at line 5
Workaround $adctrl
Control
Worker Code Context Filename Status
1 Run Grants/Synonyms R115 adappsgs.pls FAILED
2 Run Grants/Synonyms R115 Wait
3 Run Grants/Synonyms R115 Wait
4 Run Grants/Synonyms R115 Wait
5 Run Grants/Synonyms R115 Wait
6 Run Grants/Synonyms R115 Wait
7 Run Grants/Synonyms R115 Wait
8 Run Grants/Synonyms R115 Wait
9 Run Grants/Synonyms R115 Wait
10 Run Grants/Synonyms R115 Wait
11 Run Grants/Synonyms R115 Wait
12 Run Grants/Synonyms R115 Wait
13 Run Grants/Synonyms R115 Wait
14 Run Grants/Synonyms R115 Wait
15 Run Grants/Synonyms R115 Wait
16 Run Grants/Synonyms R115 Wait
SQL> select owner, object_type from dba_objects where object_name = 'XXGOD_SEQ_DECORTIMESHEET_HDR';
OWNER OBJECT_TYPE
PO SEQUENCE
APPS SEQUENCE
Its Cutom Object .. I think i need to drop/rename anyone .. which one i should drop / rename .
Or
Is it possible to skip the failed workers .. if do .. please give me the steps ...
ThanksHi;
There is 8 option(hidden) avaliable but i suggest dont use this option.(As you mention its a custom,if you belive it wont problem you can use this hidden option or drop 'XXGOD_SEQ_DECORTIMESHEET_HDR' and recreate it later,its own your risk) By the way please check below notes which is similar error like yours
Run Adadmin To Recreate Grants And Synonyms ORA-20000 ORA-00955 In Synonyms Loop:create_synonym(GL,PLAN_TABLE,APPS,PLAN_TABLE) [ID 437714.1]
ADADMIN MAINTAINING APPLICATIONS GRANTS AND SYNONYMS APP-931 ORA-955 ORA-20000 [ID 1014455.102]
Regard
Helios -
How create synonym for more than one user
Hi,
In a DB I have more than one schema. For example:
1) User1 has these tables:
Menu
Employes
Zipcode
Billing etc..
2) User2 has only the a personalized table Menu
3) User3 has only the a personalized table Menu
How can enable User2, User3 and other to use the tables Employes, Zipcode, Billing etc. of schema User1 ?
I think with synonyms. Can You help to write a script in order to create this ?
I hope in Your Help.
Thank You and Best Regards.
GaetanoHi Gaetano,
If I understand your requirement correctly User2, User3 and other users should be able to access tables owned by User1. If that's the case, synonyms won't help at all.
Read up any English dictionary and you'll understand what a synonym is.
What you need to do (as User1) is: GRANT the appropriate privilege (SELECT, UPDATE...) on the tables to the other users.
Oh, btw: what is a 'personalized table Menu'? I never heard that.
Regards,
Guido
Maybe you are looking for
-
How to Mosaic 167,958 georasters?
Hello, I have a table named RASTER that contains 167,958 georasters. I have a table named RR_RDT that contains the blocks for the georasters. There are 65,284 georasters that have "content" and the remaining georasters are blanks that were generated
-
So will I need to buy Lion from the app store to upgrade, after I transfer my old snow leopard system to a new macbook air, that came with Lion? Thanks!
-
Renders fine in DW8, not CS3
Ok, I've got a site where the pages rendered fine in the design view in DW8, but with CS3 the navbar on the left shows shifted to the right. Renders fine in browsers too. That said, I certainly wouldn't rule out that I've done something that's not qu
-
JBoss Warnings - What do they mean?
I am getting a bunch of warnings and I don't know if it's bad and/or how to fix it. For example, it says it can't find JTA - does this mean I won't be able to do transactions?! THE WARNINGS: 20:56:57,934 WARN [MainDeployer] The manifest entry in file
-
Missing Emails!!!! Please Help
Hi, my emails just recently disappeared from my inbox leaving just the latest mails. Can anybody help please? I use yahoo mail and I also have it set up in my mail application on mac os. I usually save my imp mails and docs in my inbox now it just va