A user granted with alter user privilege

Similar Messages

• ALTER TABLE privilege and CREATE/DROP/ENABLE/DISABLE constraint privilege

  Hi,
  I am looking for some detailed info regarding the below previleges
  ALTER TABLE, CREATE CONSTRAINT, DROP CONSTRAINT, ENABLE CONSTRAINT AND DISABLE CONSTRAINT PRiVILEGES.
  I have two schemas 'A' and 'B', I want to provide user 'A' with Alter table, create or drop constraint,Enable or Disable constraint on schema B.
  Please let me know how to make this work.
  Thank you

  I got the answer for my second question, I have an option to grant 'Alter ANY table' privilege to the user.Yes, but you should not do that.
  Regarding question one, Suppose I have two schemas A and B and I want Schema A to have alter table privilege on all tables of Schema B.
  Can I do this in one command No
  or I need to grant alter on each table saperately?Yes
  If I am chosing the second option for each table saperately then whenever a table is added in schema B we need to grant privilege on that table as well.Yes. But nothing strange there. Designing and creating objects includes the privileges on them.
  If user A is granted with alter table privilege on a table which user B owns then can user A drop/create/enable/disable constraints for that table?Yes, isn't that what all this about?
  Again, letting one user alter the objects of another user is generally not such a good idea. Hope you see this from our discussion.
  Alter table privilege includes adding and dropping columns. This is why I suggested writing a procedure that does exactly what you need. And then grant execute on that to A.
  The best thing of course would be NOT TO disable the constraints, they are probably there for a reason.
  I am currently handling an issue where one session doing this, deadlocks with another session doing only selects - From other tables, that is!
  Regards
  Peter

• Restrict user having alter user privilege

  When a user is granted with alter user, the user can change the password for sys. How to restrict the user, so that he can do user administration but cannot do anything with sys or system.

  could you solve my problem.
  I want to store picture in table using insert statement. But when save trigger executes system generates error message: bad bind variable
  my email: [email protected]

• Granting ALTER SYSTEM privilege to Application user

  DB version:10gR2
  When we purchased a logistics application software, we have been asked to grant alter system privileges to the Application Oracle user/schema by the application vendor. They said they need this to change Instance level parameters like OPTIMIZER_MODE,..etc. What do you guys think?
  Edited by: GarryB on Feb 17, 2009 10:25 PM

  GarryB,
  This is a strange idea. Many parameters can be altered on session level.
  If they want to change static parameters, do they also require the privilege to bounce the instance?
  Even if the application would need to change parameters, this should be encapsulated in a procedure created in a privileged user, with execute privilege granted to the application owner.
  If feel you will regret to have purchased this application sooner or later, the vendor doesn't seem to know much about Oracle.
  Hth
  Sybrand Bakker
  Senior Oracle DBA

• Oracle Security - Controlling the 'alter user' privilege

  Hi,
  1. DB 10.1.0.5 and 10.2.0.3
  2. "Admin User" needs to be able to change some users passwords in database.
  3. Create user adminuser - grant alter user to adminuser.
  4. DBAs will grant "approle" role to list of required users. DBAs will maintain control of who gets this role.
  4. Create system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - Script does not fire for DBAs and anyone changing their own password.
  The trigger works as intended - the "adminuser" account can only change the specific set of users.
  Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
  Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
  I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
  CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
  DECLARE
  DBACHK varchar2(50);
  USRCHK varchar2(50);
  BEGIN
  BEGIN
  -- Ensure users can change their own passwords --
  IF
  ora_login_user = ora_dict_obj_name
  THEN
  RETURN;
  ELSE
  -- Do not apply trigger to DBA group --
  select grantee into DBACHK from dba_role_privs where granted_role='DBA'
  and grantee = ora_login_user;
  IF
  DBACHK = ora_login_user
  THEN
  RETURN;
  END IF;
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  NULL;
  END;
  BEGIN
  select grantee into USRCHK from dba_role_privs where
  granted_role='DISCUSR' and grantee = ora_dict_obj_name;
  IF
  ora_dict_obj_type = 'USER'
  and ora_dict_obj_name = USRCHK
  ---- Need to check that only the password is being change -- the line below does not work
  and ora_is_alter_column('PASSWORD') = TRUE
  THEN
  RETURN;
  ELSE
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END;
  END;

  user602453 wrote:
  Ed, thank you for your reply. But, let me explain in more detail.
  More detail is always helpful. ;-)
  >
  A specific user has been assigned as the application administrator. This admininstrator is responsible for reseting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
  I see that this may be out your hands, but I'd still question the wisdom of having an apps administrator being the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more of a helper to a clueless user.
  Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
  So,
  Given those requirements, I have this trigger that will allow the the specific administrator to change the password of a specific set of user while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assigning the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
  Hope that clears things up.I still see another problem in that it still comes back to the dba to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.

• How can we give a user, alter procedure privilege on only one procedure of another schema.

  Scenerio:
  User A owns a procedure
  called 'TESTPROCEDURE'.
  User B has execute privilege on 'TESTPROCEDURE';
  Now i want to give user
  B , alter procedure privilege for only one procedure i.e 'TESTPROCEDURE';
  I do not want to give
  ALTER ANY PROCEDURE to user B since the user just wants to alter only 1
  procedure.
  How can we do that?
  Thanks & regards,
  Mohd Shahid Shaikh.

  Why do you want to do this?
  If I'm allowed to alter a procedure, I can alter it to do something completely different.  I can modify the procedure to do anything that B can do.  If that's what you want to allow, why not just log in as A?
  There is no way to grant B the ability to alter a single procedure.  You could, I suppose, create another procedure in A that accepts a DDL statement as a string, checks to see if it meets your criteria, and then executes it.  You could then grant B the ability to execute this new procedure.  A could then send an appropriate CREATE OR REPLACE PROCEDURE statement to the new procedure that replaces TestProcedure.  But that's a fair amount of effort and complexity to deal with (particularly when there are errors)-- if you can explain the underlying business problem, we may be able to help you come up with alternate technical solutions.
  Justin

• Create a new user for oracle 10G ASM instance with sysdba system privilege

  Hi,
  In our Golden Gate Project, we require the SYS user credential to connect to the Oracle 10g  ASM instance to read the database transaction logs.But our client is not providing the SYS user credential to  connnect to ASM instance.
  I'm getting the error message "ORA-01109:  database not open",When I tried to create a new user using the  below the steps in oracle 10g ASM instance
  1. Login using "sqlplus / as sysdba"
  2. Create user <username> identified by <password>;
  But in oracle 11g ASM instance, I'm able to create new  user  by connecting the ASM instance with SYSASM role without issues.
  Is there is any workaround to create a new user with sysdba system privilege in oracle 10g ASM instance?.
  Thanks in advance .

  Hi,
  Recreate the password file for the ASM instance as follows:
  Unix:
  orapwd file=<ORACLE_HOME>/dbs/PWD<SID> password=<sys_password>
  Windows:
  orapwd file=<ORACLE_HOME>/database/PWD<SID>.ora password=<sys_password>
  Now sys password is reset, we are ready to use sys for ASM management. I decided to create another user ASMDBA as I tried above.
  SQL> create user ASMDBA identified by test01;
  User created.
  SQL> grant SYSASM, SYSOPER to ASMDBA;
  Grant succeeded.
  SQL> select * from v$pwfile_users;
  USERNAME SYSDBA SYSOPE SYSASM
  SYS TRUE TRUE TRUE
  ASMDBA FALSE TRUE TRUE
  Please see this link : http://orachat.com/how-to-change-asm-sys-password-creating-sysasm-user-11g/
  Thank you

• ALLOW A USER TO KILL A SESSION WITHOUT ALTER SYSTEM PRIVILEGE.

  Hi
  I need a user to have permission to kill a session without having the ALTER SYSTEM privilege. I created a procedure on sys schema and granted the EXECUTE privilege to the user but it doesn't work, how can I do, help please.
  CREATE OR REPLACE PROCEDURE SYS.PRC_SESSION_KILLER (P_SID IN NUMBER, P_SERIAL IN NUMBER)
  AS
  BEGIN
       EXECUTE IMMEDIATE 'GRANT ALTER SYSTEM TO SYSADMIN';
       EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION ''' || P_SID || ',' || P_SERIAL || ''' IMMEDIATE';
       EXECUTE IMMEDIATE 'REVOKE ALTER SYSTEM FROM SYSADMIN';
  END;
  Thank you very much.

  Hi,
  I second everything John said.
  Are you sure the arguments are correct?
  Below is the procedure I use. You may want to run it, just to see what the error is.
  PROCEDURE     kill_internal
       s_id          IN     NUMBER,
       serial_num     IN     NUMBER,
       stat_out     OUT     VARCHAR2
  IS
       alter_handle     INTEGER;
       ex_val          INTEGER;     -- Returned by dbms_sql.execute
  BEGIN
       alter_handle := dbms_sql.open_cursor;
       dbms_sql.parse
            alter_handle,
            'ALTER SYSTEM     KILL SESSION '''     ||
                 TO_CHAR (s_id, '999990')     ||
                 ', '                    ||
                 TO_CHAR (serial_num, '999990')     ||
            dbms_sql.native
       ex_val := dbms_sql.execute (alter_handle);
       dbms_sql.close_cursor (alter_handle);
       stat_out := 'Success: '                    ||
                 TO_CHAR (s_id, '999990')     ||
                 ', '                    ||
                 TO_CHAR (serial_num, '999990');
  EXCEPTION
       WHEN OTHERS
       THEN
            stat_out := 'Failure:'          ||
                 SQLERRM;
  --          dbms_output.put_line (stat_out);
            dbms_sql.close_cursor (alter_handle);
  END     kill_internal
  ;

• New user with CREATE SESSION privilege

  Which statement is true concerning a new user that has only been granted the CREATE SESSION privilege?
  The user can create a table.
  The user can alter their password.
  The user can select from tables they have created
  I belive he can change his password , for that does not requir any sp. privileges.

  The user can alter their password. this is your answer

• Run with user privileges but write to restricted folder

  In Windows Server 2008 R2 (and in an Active Directory domain), the login and logoff scripts are run with user privileges.
  Suppose that I run script1.ps1, when user1 logs in; I need that script1.ps1 is associated to user1, because it will write some informations about that user: it modifies a log file in a folder. Anyway, script1.ps1 will be run with user1 privileges.
  I obviously made that file and that folder accessible (readable/writable) to user1: but I actually don't want the user to modify that log file. I would like that
  only the script could do it.
  Is there a way to work around this problem? Maybe should I run script1.ps1 in a different way?

  Henry.  You can add a subscription to a server that subscribes t event log entries on user computers.  Subscribe to the logon/logoff events. Now you have a central repository of logon and  logoff events.
  There is no way to accomplish what you are asking to do.  Any file that can be written to in logon script or during a user session can be changed by the user.
  Bil is suggesting a "startup" script that runs when the user logs on and not when the computer starts.  A user startup script runs as the user and not system.
  Another method is to schedule a script that run at logon.  This can run as system and write to a file that the user cannot change.
  ¯\_(ツ)_/¯

• Impossible to set up a TC with admin and users privileges

  Hi,
  Sorry for my english first. I'm not an english speaker...
  That's one week I'm playing with my Tc to try to set it up with admin and users privileges and and doesn't succeed to find a good way to do it....
  What I want to do: set up my Tc so that I'm an admin and can do whatever I want in the folders of each user. I want the user to have access to one folder with their name. Let's say I would like to user my TC like a usual network drive or NAS.
  What I discover: if I enable file sharing with accounts on my TC and define two users user1 and user2 with Read write privileges, user1 can see a folder user1 and put whatever he wants in it and there's a share folder for user1 and user2. BUT I cannot be admin on the TC when account filesharing is on. It means I cannot put anything in user1 folder beacuse I don't see user1 folder. It is just like if you have user accounts on TC you can just change the privileges but not defined an administrator. I'm able to see user1 folder for instance solely changing the filesharing back to secure shared disks "with time capsule password". If i do so I can see all the folders on the TC.
  But it's very annoying because it means that each time I want to put a file inside the folder of one of my user, I have to restart my TC "with time capsule password", put the file, set it up back to user account and restart again the TC.... Not really practical!
  Anyone got an idea how to use the Tc with user accounts (one admin and others users...)

  I forgot to mention that I tried also another method: giving guest access to TC to my two users but there are several problems here: first they can only read (if not they would have the same privileges as me) what means they can put any document in the TC. Second, they see all the folders on the TC and the idea is that they can only see the shared one....

• Unable to enter to user Privilege EXEC Mode with catalyst 1900

  Hello
  I am setting up some lab network . I have 10  Cisco 1900 series switches . But when i try to power up it shows the below message. I am not able to get into user privilege mode.
  Catalyst 1900 Management Console
  Copyright (c) Cisco Systems, Inc.  1993-1997
  All rights reserved.
  Ethernet address: 00-C0-1D-81-43-65
  1 user(s) now active on Management Console.
  Enter password:
  Catalyst 1900 - Main Menu
       [C] Console Password
       [S] System
       [N] Network Management
       [P] Port Configuration
       [A] Port Addressing
       [D] Port Statistics Detail
       [M] Monitoring
       [V] Virtual LAN
       [R] Multicast Registration
       [F] Firmware
       [I] RS-232 Interface
       [U] Usage Summaries
       [H] Help
       [X] Exit Management Console
  Enter Selection:
  could you pls tell me how can i get into the user mode such as 
  Switch1#
  Thanks
  Navaz

  There were two versions of software for the 1900 series switches, one that purely menu based configuration and management and the Enterprise version, which had an option to exit the menu and get access to a CLI. Note though that this is not Cisco IOS.
  There's a post, Catalyst 1900 Enterprise software, on the forum from 2002 that will give you some more details. As indicated in that post there's an option to upgrade to the Enterprise edition, but you obviously need to acquire the software.
  As per the reponses from Richard and Leo, these are very old switches and depending upon what you're trying to do with them, may not serve your purpose.
  Regards

• User privilege level for configuration backup with PI 1.2

  We have more than 50 devices handling by PI 1.2 (testing) I like to know how to do configuration archiving with user who doesn't have write privilege.
  I tried like this.
  username john privilege 6 password cisco
  privilege exec level 6 show running-config
  (result) show run --> blank
    I tried this user with one of switch in PI 1.2. It did not do configuration backup
  username inout password inout
  username inout privilege 15 autocommand show running-config
  (result) once logged in, it automatically showed running-config. However when I tried with PI 1.2 with this user (inout). I couldn't do configuration back.
  reference
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  so, my question is this. what is the solution for me to create certain user with read-only privilege while PI 1.2 is able to do configuration archiving ?
  thanks in advance

  7.4 MSE code will in fact require an update of Prime 1.2 to 1.3.0.20-
  It's pretty easy though and your licenses will still work from the Prime Infra side.
  Here's a link to upgrade PI to 1.3
  http://www.cisco.com/en/US/partner/docs/net_mgmt/prime/infrastructure/1.3/release/notes/cpi_rn_13.html#wp73605
  I personally would go ahead with the upgrade of both:::

• Insufficient privileges when creating MV with alter session set current_sch

  I am getting Insufficient privileges when creating MV with alter session set current_schema=Application schema name. User running the alter session is DBA user. If run as SYSDBA, MV is created successfully. DB Version is 10.2.0.3
  I observed similiar issue with regular View also in 9.2.0.6 also.
  Any advice is greatly appreciated.
  Thanks,
  Siva

  Sounds like your management needs a stern lecture on the concept of change management. <g>
  I am not debating what you do. I am questioning the logic, or lack thereof, of doing it that way. My recommendation would be to change your procedure to one that:
  A. Is more in line with good change management practices.
  B. Works.

• Session require user privileges

  I am learning PL/SQ, might as well, learn it in a real environment, even tho at home I created a TEST environment too using Ubuntu 10G Express and Oracle Developer (runs on Ubuntu too)... anyways, when I press the ladybug, I get these errors, I am thinking that the DBA needs to grant me access, here is the error:
  I need to write a Rationale for access, and I don't want to sound like an idiot, what are these objects ? Are there any security concerns that a company would have to think about before granting me access ? I need to go through the right channels first!
  Thanks!
  Connecting to the database XXX.
  Executing PL/SQL: ALTER SESSION SET PLSQL_DEBUG=TRUE
  Executing PL/SQL: CALL DBMS_DEBUG_JDWP.CONNECT_TCP( 'X.X.X.X', '3819' )
  ORA-01031: insufficient privileges
  ORA-06512: at "SYS.DBMS_DEBUG_JDWP", line 68
  ORA-06512: at line 1
  This session requires DEBUG CONNECT SESSION and DEBUG ANY PROCEDURE user privileges.
  Process exited.
  Disconnecting from the database XXX.

  GRANT ALL ON TABLENAME TO USER;