Alter Object Privilege onm Oracle 9i

Similar Messages

• Oracle Security - Controlling the 'alter user' privilege

  Hi,
  1. DB 10.1.0.5 and 10.2.0.3
  2. "Admin User" needs to be able to change some users passwords in database.
  3. Create user adminuser - grant alter user to adminuser.
  4. DBAs will grant "approle" role to list of required users. DBAs will maintain control of who gets this role.
  4. Create system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - Script does not fire for DBAs and anyone changing their own password.
  The trigger works as intended - the "adminuser" account can only change the specific set of users.
  Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
  Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
  I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
  CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
  DECLARE
  DBACHK varchar2(50);
  USRCHK varchar2(50);
  BEGIN
  BEGIN
  -- Ensure users can change their own passwords --
  IF
  ora_login_user = ora_dict_obj_name
  THEN
  RETURN;
  ELSE
  -- Do not apply trigger to DBA group --
  select grantee into DBACHK from dba_role_privs where granted_role='DBA'
  and grantee = ora_login_user;
  IF
  DBACHK = ora_login_user
  THEN
  RETURN;
  END IF;
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  NULL;
  END;
  BEGIN
  select grantee into USRCHK from dba_role_privs where
  granted_role='DISCUSR' and grantee = ora_dict_obj_name;
  IF
  ora_dict_obj_type = 'USER'
  and ora_dict_obj_name = USRCHK
  ---- Need to check that only the password is being change -- the line below does not work
  and ora_is_alter_column('PASSWORD') = TRUE
  THEN
  RETURN;
  ELSE
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END;
  END;

  user602453 wrote:
  Ed, thank you for your reply. But, let me explain in more detail.
  More detail is always helpful. ;-)
  >
  A specific user has been assigned as the application administrator. This admininstrator is responsible for reseting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
  I see that this may be out your hands, but I'd still question the wisdom of having an apps administrator being the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more of a helper to a clueless user.
  Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
  So,
  Given those requirements, I have this trigger that will allow the the specific administrator to change the password of a specific set of user while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assigning the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
  Hope that clears things up.I still see another problem in that it still comes back to the dba to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.

• Roles/System privileges/Object privileges

  Oracle 10g. we created a role and assigned this role to the user. We also assigned some system privileges and Object privileges directly to the same user. Now the company's new policy is that the user's permissions have to be assigned only via role. system privileges and Object privileges cannot be assigned directly to the user. So I have to alter the role. The steps are:
  1. grant system privileges and Object privileges to role. (this will be executed as a script)
  These privileges were directly assigned to the user.
  2. revoke all privileges which were directly assigned to the user.
  Do I miss anything?
  Please advise.
  Thanks
  S.

  Object privileges cannot be assigned directly to the user.Privileges acquired via ROLE do not apply within PL/SQL procedures.
  You may face some coding challenges in the future due to this policy.

• Object Privilege

  Dear All,
  I'm having one problem in my database. I'm having two database one is testdb1 and another is proddb1 running in two different server. I've done the followings-
  1. I've created a dblink from testdb1 to proddb1 database using two different schema (test1 to prod1).
  2. Now through dblink test1 schema of testdb database can access all objects available in prod1 schema of proddb1 database.
  Now I want to give object privileges on some selected objects of prod1 schema to test1 schema. How to do it?
  Can any Guru provide me this solution?

  Hi,
  Come you said that you have created a DataBase link...asking to provide commands... !!
  Any How..
  Follow the Steps:-
  1 > Create a Required User in Prod (assign the default tablespaces etc.,).
  2 > Grant the Necessary Privilges
  3 > Grant the Object Privilges as per your Requirements, as you said that you want to Restrict to some Objects only.
  4 > Test it with that Create User Whether you can Access the Objects with Respective Privi's are working fine or not
  5 > Then Create a DataBase Link From Test DB to Prod with that Created User.
  Bingo.. !!
  Now, Test the User Over DB Link... Any thing else Requried..
  Now, I don't have DB on My System to show the Demo... :-(
  Reference for Creating User and DB Links .. !!
  http://www.dba-oracle.com/concepts/create_users.htm
  http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/ds_admin.htm#sthref4108
  - Pavan Kumar N

• How to view object privileges of a user in Oracle10g?

  I try to view the object privileges of a user through the table user_object_privs but it didn't work. I didn't get the correct name of the table or there were some problem with my Oracle. Please help me. Thanks a lot.

  Thanks, that link helped me out. I was looking for this:
  SELECT OWNER, TABLE_NAME, GRANTEE, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE='<put name here>';

• Export object privileges to another user

  dear,
  i want to export thr object privilege to another user on oracle 10g. how can do it? i try to export the user/scheam than immport to another user but still no work..
  Regards

  I guess he want user B to have same object privileges as user A
  If this is the case, it depends on what object privileges user A has.
  You can find that out from user_tab_privs after logon as user A.
  If the GRANTABLE = 'NO' you have to logon as each schema holder to grant the privs.

• ALTER TABLE privilege and CREATE/DROP/ENABLE/DISABLE constraint privilege

  Hi,
  I am looking for some detailed info regarding the below previleges
  ALTER TABLE, CREATE CONSTRAINT, DROP CONSTRAINT, ENABLE CONSTRAINT AND DISABLE CONSTRAINT PRiVILEGES.
  I have two schemas 'A' and 'B', I want to provide user 'A' with Alter table, create or drop constraint,Enable or Disable constraint on schema B.
  Please let me know how to make this work.
  Thank you

  I got the answer for my second question, I have an option to grant 'Alter ANY table' privilege to the user.Yes, but you should not do that.
  Regarding question one, Suppose I have two schemas A and B and I want Schema A to have alter table privilege on all tables of Schema B.
  Can I do this in one command No
  or I need to grant alter on each table saperately?Yes
  If I am chosing the second option for each table saperately then whenever a table is added in schema B we need to grant privilege on that table as well.Yes. But nothing strange there. Designing and creating objects includes the privileges on them.
  If user A is granted with alter table privilege on a table which user B owns then can user A drop/create/enable/disable constraints for that table?Yes, isn't that what all this about?
  Again, letting one user alter the objects of another user is generally not such a good idea. Hope you see this from our discussion.
  Alter table privilege includes adding and dropping columns. This is why I suggested writing a procedure that does exactly what you need. And then grant execute on that to A.
  The best thing of course would be NOT TO disable the constraints, they are probably there for a reason.
  I am currently handling an issue where one session doing this, deadlocks with another session doing only selects - From other tables, that is!
  Regards
  Peter

• Data Modeler - Importing Object Privileges

  Is there a way to import object privileges to DM (from database or Oracle Designer) or do I just have to add them manually to the model?

  It should be possible to import them from database but I see it doesn't work - I created bug for that. You can define them in physical model - be aware that these privileges are generated after create statement for object.
  No problems with import of system privileges.
  Philip

• Object privilege question

  Hi, the oracle documentation says:
  A user automatically has all object privileges for schema objects contained in his or her schema. A user can grant any object privilege on any schema object he or she owns to any other user or role. A user with the GRANT ANY OBJECT PRIVILEGE can grant or revoke any specified object privilege to another user with or without the GRANT OPTION of the GRANT statement. Otherwise, the grantee can use the privilege, but cannot grant it to other users.
  For example, assume user SCOTT has a table named t2:
  SQL>GRANT grant any object privilege TO U1;
  SQL> connect u1/u1
  Connected.
  SQL> GRANT select on scott.t2 \TO U2;
  SQL> SELECT GRANTEE, OWNER, GRANTOR, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS
  WHERE TABLE_NAME = 'employees';
  GRANTEE                        OWNER                                GRANTOR                        PRIVILEGE                            GRA
  U2                             SCOTT                              SCOTT                          SELECT                                NONow this confuses me. Surely it is U1 who is the grantor, and not Scott, no??

  Oracleguy,
  I do got your point but I guess the right reason for this would be this only that even though the user U1 didn't have the privilege and could grant it only because of Grant Any Object priv, he is not shown as the grantor but Scott does!
  [oracle@edhdr1p0-prod sqlplus]$ sqlplus / as sysdba
  SQL*Plus: Release 11.2.0.1.0 Production on Thu Feb 18 09:19:39 2010
  Copyright (c) 1982, 2009, Oracle.  All rights reserved.
  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  SQL> create user u1 identified by u1;
  User created.
  SQL> grant create session, create table to u1;
  Grant succeeded.
  SQL> conn u1/u1
  Connected.
  SQL> select * from tab;
  no rows selected
  SQL> conn scott/tiger
  Connected.
  SQL> create table t2( a number);
  Table created.
  SQL> conn  / as sysdba
  Connected.
  SQL> grant grant any object privilege to u1;
  Grant succeeded.
  SQL> conn u1/u1
  Connected.
  SQL> select * from scott.t2
    2  ;
  select * from scott.t2
  ERROR at line 1:
  ORA-01031: insufficient privileges
  SQL> grant select on scott.t2 to system;
  Grant succeeded.
  SQL> conn / as sysdba
  Connected.
  SQL>  SELECT GRANTEE, OWNER, GRANTOR, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS
  WHERE TABLE_NAME = 'T2';
  WHERE TABLE_N 'T2'
  ERROR at line 2:
  ORA-00920: invalid relational operator
  SQL> SELECT GRANTEE, OWNER, GRANTOR, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS
    2  where table_name='T2';
  GRANTEE                        OWNER
  GRANTOR                        PRIVILEGE                                GRA
  SYSTEM                         SCOTT
  SCOTT                          SELECT                                   NO
  SQL>
  Now, when I explicitly give the priv to U1 and than he grants it, he is shown as the Grantee
  Sorry, I didn't realize that its still Scott only which is shown at both the places.
  USER is "SYS"
  SQL> grant select on scott.t2 to U1;
  Grant succeeded.
  SQL> conn u1/u1
  Connected.
  SQL> grant select on scott.t2 to system;
  Grant succeeded.
  SQL> conn / as sysdba
  Connected.
  SQL> SELECT GRANTEE, OWNER, GRANTOR, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS
  WHERE TABLE_NAME = 'T2';   2 
  GRANTEE                        OWNER
  GRANTOR                        PRIVILEGE                                GRA
  SYSTEM                         SCOTT
  SCOTT                          SELECT                                   NO
  U1                             SCOTT
  SCOTT                          SELECT                                   NO
  SQL> Update:
  Oracleguy,
  This is what I found about this priv from docs,
  http://download.oracle.com/docs/cd/E11882_01/server.112/e10592/statements_9013.htm#i2077938
  GRANT ANY OBJECT PRIVILEGE
       Grant any object privilege that the object owner is permitted to grant.So I guess this should explain what is being shown in the view. Since the owner is Scott who is permitted to grant the privilege , its his name which is shown here since its his privilege which is passed to the second user. Does that sounds like a reasonable explanation?
  HTH
  Aman....
  Edited by: Aman.... on Feb 18, 2010 9:36 AM
  Edited by: Aman.... on Feb 18, 2010 11:55 AM added update

• Granting ALTER SYSTEM privilege to Application user

  DB version:10gR2
  When we purchased a logistics application software, we have been asked to grant alter system privileges to the Application Oracle user/schema by the application vendor. They said they need this to change Instance level parameters like OPTIMIZER_MODE,..etc. What do you guys think?
  Edited by: GarryB on Feb 17, 2009 10:25 PM

  GarryB,
  This is a strange idea. Many parameters can be altered on session level.
  If they want to change static parameters, do they also require the privilege to bounce the instance?
  Even if the application would need to change parameters, this should be encapsulated in a procedure created in a privileged user, with execute privilege granted to the application owner.
  If feel you will regret to have purchased this application sooner or later, the vendor doesn't seem to know much about Oracle.
  Hth
  Sybrand Bakker
  Senior Oracle DBA

• PL/SQL Object Type - Java oracle.jbo.domain

  PL/SQL Object Type <-> Java oracle.jbo.domain
  can anybody help me, getting my domains to work?
  Following scenario:
  in pl/sql we have an object type called MULTI_LANGUAGE. This type is used for storing multilingual texts as nested table in one(!) column.
  So the object MULTI_LANGUAGE contains a member variable LANGUAGE_COLLECTION of type LANGUAGE_TABLE, which itself is a nested table of objects
  of the type LANGUAGE_FIELD (this again is only a language id and the corresponding content)
  Also the methods setContent(langID, langContent) and getContent(langId) are defined on Object MULTI_LANGUAGE.
  For example: Table having primary key, 2 other columns and one column of object type MULTI_LANGAGE (=nested table of objects)
  |ID|Column1|Column2|  multilingual Column  |
  |--|---------------------------------------|
  |  |       |       |  -------------------  |
  |  |       |       | | 1 | hello         | |
  |  |       |       |  -------------------  |
  |1 | foo   | bar   | | 2 | hallo         | |   <- Row Nr 1
  |  |       |       |  -------------------  |
  |  |       |       | | 3 | ola           | |
  |  |       |       |  -------------------  |
  |--|-------|-------|-----------------------|
  |  |       |       |  -------------------  |
  |  |       |       | | 1 | world         | |
  |  |       |       |  -------------------  |
  |2 | abc   | def   | | 2 | welt          | |   <- Row Nr 2
  |  |       |       |  -------------------  |
  |  |       |       | | 3 | ???  ;-)      | |
  |  |       |       |  -------------------  |
  |--|-------|-------|-----------------------|Now i've tried to modell this structure as an oracle.jbo.domain.
  class MultiLanguage extends Struct having this StructureDef:
  attrs[(0)] = new DomainAttributeDef("LanguageColl", "LANGUAGE_COLL", 0, oracle.jbo.domain.Array.class, 2003, "ARRAY", -127, 0, false, "campusonlinepkg.common.LanguageField");
  and
  class LanguageField extends Struct having this StructureDef:
  attrs[(0)] = new DomainAttributeDef("Id", "ID", 0, oracle.jbo.domain.Number.class, 2, "NUMERIC", -127, 0, false);
  attrs[(1)] = new DomainAttributeDef("Content", "CONTENT", 1, java.lang.String.class, 12, "VARCHAR", -127, 4000, false);
  Is there anything wrong with this StructureDef?
  When running the BC-Browser with -Djbo.debugoutput=console -Djbo.jdbc.driver.verbose=true parameters I get suspect warnings when browsing the records
  [196] Executing FAULT-IN...SELECT NR, NAME FROM B_THESAURI BThesauri WHERE NR=:1
  [197] SQLException: SQLState(null) vendor code(17074)
  [198] java.sql.SQLException: Ungültiges Namensmuster: XMLTEST.null
  ...snip: detail of stack...
  [240] SQLException: SQLState(null) vendor code(17060)
  [241] java.sql.SQLException: Deskriptor konnte nicht erstellt werden: Unable to resolve type "null"
  ...snip: detail of stack...
  [280] Warning:No element type set on this array. Assuming java.lang.Object.
  (XMLTEST is the name of the schema)
  Seems as if the framework can't read the TypeDescriptor or does not know which descriptor to read (XMLTEST.null??)
  Do I have to implement my own JboTypeMap?
  Please help, I'm stuck.
  Thanks in advance, Christian

  Thanks for your suggestion, but it seems to me as if there is one level missing.
  in pl/sql I have following structure:
  Struct MULTI_LANGUAGE (Object type) - outermost
    Array LANGUAGE_TABLE (nested table type)
      Struct LANGUAGE_FIELD (Object type simple) - innermostthe reason why i had to wrap another struct around the array was because it is not possible to define methods on a nested table. this is only possible on objects.
  on the outermost object type (which holds the array of language fields) I needed to define following 2 methods for direct access:
  getContent (langId in number) returns varchar2
  setContent (langId in number, langContent in varchar2)
  I would like to rebuild the same structure in java, because newly written java code should live in perfect harmony with legacy pl/sql code ;-)
  Both applications (Java and pl/sql) have to access the same data as long as migration to java goes on.
  Is this nested structure too much for a Domain?
  Any other suggestions?
  Thanks again, Christian

• How to call a COM object from an Oracle Form?

  Hi All,
  Pls advice. How to call a COM object from an Oracle Form?
  Thanks.

  try asking the "Form" forum

• System and Object privileges question

  hello everyone.
  I was really making it a priority to really understand both system and object privileges for users. I have setup a couple of 'sandboxes' at home and have done lots of testing. So far, it has gone very well in helping me understand all the security involved with Oralce (which, IMHO, is flat out awesome!).
  Anyway, a couple of quick questions.
  As a normal user, what view can I use to see what permissions I have in general? what about permissions on other schemas?
  I know I can do a:
  select * from session_privs
  which lists my session privileges.
  What other views (are they views/data dictionary?) that I can use to see what I have? Since this is a normal user, they don't have access to any of the DBA_ views.
  I'll start here for now, but being able to see everything this user has, would be fantastic.
  Cheers,
  TCG

  Sorry. should have elaborated more.
  In SQLPLUS, (logged in while logged into my Linux OS), I am working to try and get sqlplus to display the results of my query so it is easy to read. Right now, it just displays using the first 1/4 or 1/3 of the monitor screen to the left. Make sense? So it does not stretch the results out to utilize the full screen. it is hard to break down and read the results because they are "stacked" on top of each other.
  Would be nice if I could adjust sqlplus so the results are easier to read.
  HTH.
  Jason

• Error Message: JBO-25009: Cannot create an object of type:oracle.jbo.domain

  Hi, When im giving a default value to a date column in the attribute settings i get this error when im running my jsp page (bc4j web application):
  Error Message: JBO-25009: Cannot create an object of type:oracle.jbo.domain.Date with value: 31-dic-2099
  How can i fix that? I�ve already trying all possible date formats.
  Thanku

  The default format for Date (oracle.sql.DATE which is the superclass of oracle.jbo.domain.Date) is yyyy-mm-dd.

• ALLOW A USER TO KILL A SESSION WITHOUT ALTER SYSTEM PRIVILEGE.

  Hi
  I need a user to have permission to kill a session without having the ALTER SYSTEM privilege. I created a procedure on sys schema and granted the EXECUTE privilege to the user but it doesn't work, how can I do, help please.
  CREATE OR REPLACE PROCEDURE SYS.PRC_SESSION_KILLER (P_SID IN NUMBER, P_SERIAL IN NUMBER)
  AS
  BEGIN
       EXECUTE IMMEDIATE 'GRANT ALTER SYSTEM TO SYSADMIN';
       EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION ''' || P_SID || ',' || P_SERIAL || ''' IMMEDIATE';
       EXECUTE IMMEDIATE 'REVOKE ALTER SYSTEM FROM SYSADMIN';
  END;
  Thank you very much.

  Hi,
  I second everything John said.
  Are you sure the arguments are correct?
  Below is the procedure I use. You may want to run it, just to see what the error is.
  PROCEDURE     kill_internal
       s_id          IN     NUMBER,
       serial_num     IN     NUMBER,
       stat_out     OUT     VARCHAR2
  IS
       alter_handle     INTEGER;
       ex_val          INTEGER;     -- Returned by dbms_sql.execute
  BEGIN
       alter_handle := dbms_sql.open_cursor;
       dbms_sql.parse
            alter_handle,
            'ALTER SYSTEM     KILL SESSION '''     ||
                 TO_CHAR (s_id, '999990')     ||
                 ', '                    ||
                 TO_CHAR (serial_num, '999990')     ||
            dbms_sql.native
       ex_val := dbms_sql.execute (alter_handle);
       dbms_sql.close_cursor (alter_handle);
       stat_out := 'Success: '                    ||
                 TO_CHAR (s_id, '999990')     ||
                 ', '                    ||
                 TO_CHAR (serial_num, '999990');
  EXCEPTION
       WHEN OTHERS
       THEN
            stat_out := 'Failure:'          ||
                 SQLERRM;
  --          dbms_output.put_line (stat_out);
            dbms_sql.close_cursor (alter_handle);
  END     kill_internal
  ;