10G OEM - Revoke privileges from PUBLIC

Similar Messages

• Impact of revoking APEX_040000 view and privileges from public ?

  Forum...
  We are in an integration scenario where we do not want to have a user connecting through SQL see the apex product database objects to which apex has granted public access show up. ( As per the "Granted Priviliges" of the Apex documentation - specifically the views and tables for which public synonyms are created)
  Does anyone have an idea of what the impact of revoking these public privileges would be on apex users and applications ?
  Thanks
  Pierre

  Hi Pierre,
  I'm just curious - can you give a couple examples of objects for which you wish to revoke privileges from PUBLIC?
  Joel

• Revoke unnecessary privileges from public = enterpise manager problems

  Hi,
  After revoking the execute privilege on the following packages from public I have problems with enterprise manager (DB version 10.1.0.3.0) :
  UTL_SMTP
  UTL_TCP
  UTL_HTTP
  UTL_FILE
  DBMS_OBFUSCATION_TOOLKIT
  I have revoked the privileges via sqlplus:
  revoke execute on utl_smtp from public;
  If I login now on enterprise manager (user sys)
  the home tab on enterprise manager says "Status pending", the performance/administration and maintenance tabs work.
  Does anyone knows how to solve this?
  Thank You.

  I have had pretty good luck with the following - YMMV
  revoke execute on sys.utl_http from public;
  revoke execute on sys.utl_smtp from public;
  revoke execute on sys.utl_tcp from public;
  revoke execute on sys.dbms_random from public;
  revoke execute on sys.utl_file from public;
  revoke execute on sys.dbms_lob from public;
  revoke execute on dbms_job from public;
  grant execute on sys.utl_http to ORDPLUGINS;
  grant execute on sys.utl_file to xdb;

• After revoked UTL_FILE from PUBLIC, found problem...

  Hi All
  I created new role that is "UTL_PUBLIC" and granted below package to new role and grant new role to all users in database after that revoke below roles from PUBLIC.
  UTL_FILE
  UTL_TCP
  UTL_SMTP
  UTL_HTTP
  DBMS_LOB
  DBMS_SQL
  DBMS_JOB
  DBMS_SCHEDULER
  DBMS_XMLGEN
  But I got the problem when export data that show about package error. So I granted above package back to PUBLIC and export again that was work.
  My question is Can I grant above package to new role and grant to db user instead of PUBLIC role? If yes, How will I do ? If no, please explain the reason.
  Thank you,
  Hiko

  Oracle support confirmed about this already.
  I cannot grant privilege execute on those packages via roles that will have troubles with procedures and packages.
  Only one solution, I must grant to users directly.
  Thank you
  Hiko

• REVOKE EXECUTE ON UTL_HTTP FROM public in apps database

  Hello,
  could any one share your knowledge to me for database security on oracle apps.
  my client's aduit have some issue on public acceess.
  select table_name from dba_tab_privs
  where grantee='PUBLIC'
  and privilege ='EXECUTE'
  and table_name in
  ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP', 'UTL_FILE',
  'DBMS_RANDOM','DBMS_LOB', 'DBMS_SQL','DBMS_JOB',
  'DBMS_BACKUP_RESTORE','DBMS_OBFUSCATION_TOOLKIT');
  I know we could not revoke any privileges from public.
  IS there any document says that don't revoke public access for E-bus database?
  I could not find out any document in metalink. if have any one document could you please share with me.
  Thanks
  Prince

  Hi Prince,
  Oracle does not say "do not revoke privileges from PUBLIC." Oracle suggests caution when revoking privileges from PUBLIC. :-) Have a look at the following Metalink Note: [Be Cautious When Revoking Privileges Granted to PUBLIC|https://metalink2.oracle.com/metalink/plsql/showdoc?db=NOT&id=247093.1|Metalink Note 247093.1].
  To satisfy your auditors, you could identify which database users actually need to use UTL_HTTP, and assign that privilege directly to the individual users. Then you should be able to revoke those privileges from PUBLIC.
  For more information about securing E-Business Suite itself, review [Best Practices for Securing the E-Business Suite|https://metalink2.oracle.com/metalink/plsql/showdoc?db=NOT&id=189367.1|Metalink Note 189367.1], or for Release 12, [Best Practices For Securing Oracle E-Business Suite Release 12|https://metalink2.oracle.com/metalink/plsql/showdoc?db=NOT&id=403537.1|Metalink Note 403537.1].
  Regards,
  John P.
  http://only4left.jpiwowar.com

• Revoking sys.utl_smpt  from PUBLIC

  Oracle 10.2. We have ASP application on the top.
  I granted sys.utl_smpt to ST schema/user
  Then I revoke sys.utl_smpt FROM PUBLIC. This caused 5 invalid objects: sys.utl_smtp, sys.utl_mail, sys.dbms_aqelm, st.mail_files, st.mail_pkg. After re-compiled, two ST objects are still not valid: mail_files, mail_pkg. The error message is UTL_SMTP must be declared.
  The line is Mail_files procedure causing this problem: conn utl_smpt.connection
  I granted sys.utl_smpt specificly to this user and this user's procedure is still having problem. What am I doing wrong?
  Thanks
  S.

  After re-compiled, two ST objects are still not valid: mail_files, mail_pkg. The error message is UTL_SMTP must be declared.
  I granted sys.utl_smpt specificly to this user and this user's procedure is still having problemWhat Grant did you execute ?
  What is the "problem" that you are still having ?
  Hemant K Chitale

• Revoking User tables privileges from one user to other user thru DBA.

  Hi,
  I want to revoke the select privilege from user granted tables to other user from Sys/Dba roled user.
  Detail
  ---------------I have 3 users namely
  1.User1 (Role: Normal User)
  2.User2 (Role: Normal User)
  3.SYS (Role: DBA privileged user)
  User1 has created a table called Table1 and grant the select privilege to User2.
  Is it possible that sys (DBA privileged user) user can revoke the select privilege of table1 from user2??.
  Thanks,
  Natarajan.U

  You can not revoke the privileges that were not granted by you or you will hit the error ORA-01927: cannot REVOKE privileges you did not grant.
  Even SYS/user with SYSDBA role can not revoke others grants.

• Connecting 9i database from 10g OEM

  Does anyone know how you would connect to a 9i database from 10g OEM?

  If you want to manage a 9i environment just as if this was a 10g environment, it is not possible with the regular EM DB Control console. First of all this console is setup on a per oracle instance basis, so in the event you had a 10g Console configured this is exclusively to mange the database it is attached to.
  On the other hand, you can setup db 10g Grid control, this way, by properly installing and configuring a grid agent in the target node, you can monitor and manage the 10g database. You should keep in mind that even if the 9i database is visible from the 10g grid control console, it doesn't mean the 10g features will be availabe, such as ADDM or some other advisors. If you want to monitor performance you must configure the regular Statspack available in 9i.
  EM Grid Control can manage databases starting from 8.1.7.4.0
  ~ Madrid
  http://hrivera99.blogspot.com

• Revoke execute on packages from Public

  Dear all.
  I've got a doubt. I did the Oracle recommendations and on my Primary Database I revoke execute priviledge on the packges UTL_FILE, UTL_TCP, UTL_SMTP and UTL_HTTP using the command revoke execute on <package> from public.
  I tryed to do the same on my Physical Standby Database but it wasn't possible. I got a message saying that the database isn't open. My question is: When I do the faiolver, will the physical standby database apply thoe changes I had made on the Primary?
  Thanks a lot.

  It will be applied to the standby by archive log recovery.
  When I ran these "recommended" revokes I ended up with a broken database due to invalid objects, so make sure you compile invalid objects before and after the revoke, and compare counts to see if they have increased.

• Is there a way to revoke DDL privileges from a user

  I would like to revoke DDL privileges from a user.
  My requirement goes like this
  1.Create a user with DDL privileges
  2. Create the required tables in that user. Fill the data.
  3. Revoke DDL privileges from that user (CREATE,ALTER,DROP).
  I was able to achieve this by creating two users where in the 1st user contains all the physical objects and data, where in the 2nd user contains only synonyms with select/execute privileges.
  Is there any other way to achieve this.
  Bcoz in SQL SERVER 2005 we have
  REVOKE ALTER TABLE FROM USER; and likewise.
  Kindly help me out!
  Thnx in advance

  You can easily satisfy all your requirements using facilities provided by the database. Here is a sample:
  SQL&gt; create user test identified by test;
  User created.
  SQL&gt; grant create session to test;
  Grant succeeded.
  SQL&gt; connect test/test
  SQL&gt; CREATE TABLE ddl_in_my_schema(x number);
  CREATE TABLE ddl_in_my_schema(x number)
  ERROR at line 1:
  ORA-01031: insufficient privileges
  -- Connect as administrator
  SQL&gt; GRANT CREATE TABLE TO test;
  Grant succeeded.
  SQL&gt; ALTER USER test QUOTA 10M ON USERS;
  User altered.
  SQL&gt; connect test/test
  Connected.
  Session altered.
  SQL&gt; CREATE TABLE ddl_table(x number);
  Table created.
  SQL&gt; INSERT INTO ddl_table SELECT OBJECT_ID FROM ALL_OBJECTS;
  4468 rows created.
  -- Connect as administrator again
  SQL&gt; REVOKE CREATE TABLE FROM test;
  Revoke succeeded.
  SQL&gt; connect test/test
  Connected.
  SQL&gt; CREATE TABLE ddl_table2(x number);
  CREATE TABLE ddl_table2(x number)
  ERROR at line 1:
  ORA-01031: insufficient privileges

• How to revoke everything from a user when opening a new session.

  HI,
  I am using oracle 10g Express Edition and SQL Developer.
  I have 2 user, 2 database connections in my SQL Developer.
  First user is Oracle and its database connection is called TCF.
  Second user is SMITH and its database connection is called TCF_SMITH.
  Oracle user has privileges to do anything.
  SMITH user has no privileges except for CREATE SESSION.
  What I am trying to achieve is assign a user to a role (this role will have grants to select, insert , update from tables) for the current session (this step is successful), and then revoke
  The role from that user (set it back to its default/or revoke everything from it) if opening another session, or session has been terminated (what I am trying to achieve).
  From TCF I was able to do the following:
  CREATE synonym SMITH.EMP_IOD FOR EMP_IOD;
  CREATE ROLE TCF_I;
  GRANT SELECT, INSERT, UPDATE ON EMP_IOD TO TCF_I;
  GRANT TCF_I TO SMITH;In TCF_SMITH
  SMITH has the same privileges as TCF_I.
  so, smith now can select, insert , and update from EMP_IOD table.
  If I open another TCF_SMITH session, and select * from EMP_IOD I should not be able to see any of the records.
  I am trying to make this session base only. Unfortunately when opening another session I am able to select, update and insert records in the new session.
  Is there a way to make this session based ?
  How can I revoke everything from user SMITH from TCF connection ?
  Thanks,

  Oh My Good Lord!
  Rooney,
  What are you attempting to do ?
  In programming anything can be achieved, but there are speicifc tools to solve specific problems .
  I think you are trying to use fork to paint a wall* (If painting the wall indeed is your requirement).
  The "need" as you say...
  +The need for this is to grant the user different roles each time the user logs in.
  for example I can log in 5 different time in one week with different role each time.
  Moday I could have access to X,Y,Z,
  Tuesday I could have access to X,A,B
  Wednesday I could have access to A,B,C.+
  ... is to solve WHAT PROBLEM?
  Please describe your original requirement , not what you think should be the solution/tool to satisfy the requirement.
  In your previous thread you "solved" privilege/role problem by creating SYNONYM. That does not compute at all.
  Re: database roles seems like its not working for me - your help is appreciated
  Think about it. We are here to help each other as best we can.
  Please read more* about Oracle capabilities and "tools" it provides.
  http://tahiti.oracle.com/
  Especially the Oracle Concepts Guide ...
  http://download.oracle.com/docs/cd/B14117_01/server.101/b10743.pdf
  Also, please take time to respond as "helpfully" as possible. each response from you should take you closer to the solution.
  Hopefully, your original requirement will be solved.
  vr,
  Sudhakar B.

• How to Access Table Space Map in Oracle 10g OEM

  How and from where to Access Table Space Map in Oracle 10g OEM ??
  Thanks

  Hi,
  first of all, the online help system of grid control is outstanding. Just click on Help in the upper right corner and enter "Tablespace Extent Map" in the search form.
  Result:
  Show Tablespace Contents Page
  Each Oracle database is divided into one or more logical units called tablespaces. You can use Oracle Enterprise Manager to manage these tablespaces and create or modify the parameters for the tablespaces. Use the Tablespace property sheet to set general and storage information for the specified tablespace.
  Use the Show Tablespace Contents page to display the list of tablespace segments that comprise the existing tablespace. You can display Tablespace Extents by choosing Show Tablespace Extent Map at the bottom of the page. An extent is a logical unit of database storage space allocation made up of a number of contiguous data blocks. One or more extents in turn make up a segment. When the existing space in a segment is completely used, Oracle allocates a new extent for the segment.
  You can view segment extents by clicking on the link in the Extents column to display the Extents in Segments page.
  You can display the Show Tablespace Contents page by choosing Show Tablespace Contents from the command drop down list on the Tablespace property page, the Tablespace View page, or the Tablespace search results page.
  Note: Developers could only display the tablespace map to a maximum hard coded number of 30,000 extents. Tablespaces are often larger than that. If a tablespace is larger than 30,000 extents, the portion over that is displayed as Unmapped. To avoid exceeding the memory capacity of the tablespace map and to display the map without unmapped extents, use a search criteria displaying results of less than 30K extents.
  For an overview of tablespaces, see the "Overview of Tablespaces " chapter of the Oracle Database Concepts Guide.
  For more information about managing tablespaces, see the " Managing Tablespaces" chapter of the Oracle Database Administrators Guide.
  For more information about managing datafiles, see the " Managing Datafiles and Tempfiles" chapter of the Oracle Database Administrator's Guide.

• How to access Data Guard option in Oracle 10g OEM

  Hi All,
  I have Oracle 10g ENTERPRISE EDITION on Unix envoirement. I want to setup logical standby Database through Data Guard technology. But when I brows through OEM I do not find Link for DATA GUARD????
  1) How to access Data Guard option from oracle 10g OEM.
  2) Does It come with Enterprise Edition OR I have to install it separately.
  Regards,
  Darshan

  I am managing almost everything through EM Grid Control. It is easy to setup and configure.
  Anyways, if you have read the documentation on
  Oracle® Data Guard Concepts and Administration and setup your environment accordingly then you should not have any problems. Atleast I can assure you that your production database will not be affected by it.
  Just make sure that you follow each step and read thoroughly. If you have spare machines then you can test and record your configuration before performing it on your production db. This link will provide you with the information on DataGuard.
  http://download-uk.oracle.com/docs/cd/B19306_01/server.102/b14239/concepts.htm
  If you think that way then you will never be able to do any new stuff since you will always fear that something might go wrong. Go ahead pal, try it on test machines and you will know that it is not that difficult.
  There are real experts who help people like us in this forum and I know that they are doing a pretty good job.
  All the best.
  Rgds
  Adnan

• Oracle users and revoking privileges

  Hello,
  To test out some error conditions in an application, I'd like to temporarily revoke a privilege on a table from a database user.
  I am trying to do that, logged into SQL*Plus as "sys" or "system", and running the command:
  REVOKE UPDATE ON USERX.TABLE_A FROM USERX;
  However, this is failing with the following message:
  ORA-01927: cannot REVOKE privileges you did not grant
  I've also tried logging into my server as oracle, typing "sqlplus /nolog" at the command line, then "connect internal as sysdba;" from the SQL*Plus prompt, and then running the REVOKE command, but that results in the same error message.
  So basically my question is: if neither the "sys" nor the "system" user is able to revoke the privilege from the "userx" user (because they did not specifically grant it), how would I determine which oracle user would be able to do this? Or how else would I go about revoking the privilege?
  I'm running Oracle8i Enterprise Edition Release 8.1.6.1.0 on Linux.
  Thanks for your help with this. I am not very familiar with Oracle DBA concepts.

  Hello,
  I am fully agree with Eric....Yes! a User created a table means...the User is OWNER of the table....and that means......the User is by default having the privilege of DML operations...i belive...OK
  And the privilege which you have not granted...then how could you revoke them...Whether it may b e SYS or SYSTEM or for that matter any User a/c.
  If you really want to restrict the restrict option on table owned by your User, then i can suggest to put a Schema Level Trigger on DML action. This will be fired when update in invoked on table by the user and there you can have your STOP mechanism.....BUT..this is not really suggested.
  Regards,
  Kamesh Rastogi
  Oracle - DBA

• Clarification regarding the revoke privilege

  The customer revoked "select any table" privilege from a user.
  (If SELECT ANY TABLE is revoked from a user, then all procedures contained in that users schema relying on this privilege will fail until the privilege is reauthorized)
  In the below user's procedure,there isn't any select statement.But,the procedure still becomes invalid after revoke.why ?
  And after the customer had run the procedure again,it becomes valid again .(The customer hasn't recompiled the procedure explicitly).
  SQL>create or replace procedure calling
  is
  i number;
  begin
  --pining;
  dbms_lock.sleep(60);
  end;
  /

  To answer the question as to why the procedure worked when invoked: Oracle automatically attempts to recompile any invalid stored procedure, function, or package when an attempt to execute the objects occurs. If all necessary privileges are in place the recompile works and the execution proceeds. If the recompile is not successful then an error is returned to the caller.
  As to why the procedure went invalid when the "select any" privilege was revoked I am not sure though I suspect it has to do with the way the privilege is tracked and maintained internally.
  The full Oracle version should have been included in your post. You never know when it is important to some specifics of the question. Such as with 11g Oracle has improved dependency tracking so that many table alterations should no longer result in stored code going invalid in cases where the change does not affect the actual code logic.
  HTH -- Mark D Powell --