ALTER USER를 실행한 사용자를 확인하는 방법(SYSTEM EVENT TRIGGER)

Similar Messages

• Alter user system identified by manager; need help

  SQL> connect /as sysdba;
  Connected.
  SQL> alter user system account unlock;
  User altered.
  SQL> alter user system identified by manager;
  User altered.
  SQL> connect system/manager@q17als;
  ERROR:
  ORA-28000: the account is locked
  Warning: You are no longer connected to ORACLE.

  can you try do to the connect system/manager without
  putting the @q17als on it?
  I bet it will work
  Well that one should work, although it may not connect to the right database.
  What may have happened is he logged in to a different database using "/as sysdba" and unlocked SYSTEM account there. Therefore connecting as system without using an alias would work (if the password is manager).
  the net service name for q17als probably uses different database in its connect descriptor. We can see that if we know what connect descriptor for q17als looks like. (tnsping q17als or checking tnsnames.ora)
  I agree with the earlier posts - I think you are
  dealing with two different databasesThat is what I am trying to prove as well

• Working with system events          TRIGGER

  I run this script, but oracle rises error ORA-30506.
  Help me please)) do this properly.
  create or replace trigger on_DLL after
  create on name_shema
  begin
  null;
  end;
  Lena Darmogray

  What you need to do is to include the schama name when creating the trigger. something like this:
  create or replace trigger on_DLL after
  create on SCOTT.schema
  begin
       null;
  end;

• A user granted with alter user privilege

  Dear all
  i have granted a user with create user, alter user system privilege so that he can create or alter users. But i found the user is able to alter the sys and system also.
  Tell me how to restrict the user so that he can not effect sys and system.

  Yes. I have created device collection with
  installed specific software and used  this collection to pull report from out the box report for Primary Device users( Not sure about exact report name but similar) for
  this collection. Did some excel work to find primary device user.
  But looks like there is no straight forward solution. It would be great if i know how to import multiple users from a text/csv file into a User collection.
  Thanks

• Re: How to alter user using variable

  I need to reset all Oracle default accounts to a custom password in one of our databases (11.1.0.7). I am using two files:
  File 1 called mydb.sh
  This file is Solaris shell script to run sql file. Here is the content:
  #!/bin/bash
  cd $HOME
  . ./agsdb
  sqlplus "/as sysdba"<<EOF
  start /h/bin/mydb.sql
  exit
  EOF
  if [$? !=0 ]; then
  echo "Error, mydb.sh did not run"
       echo "Exiting."
       exit 1
  fi
  echo "********** mydb.sh is complete **********"And here is file2 mydb.sql
  This file has content similar this the following:
  >
  alter user anonymous identified by password;
  alter user oracle_ocm identified by password;
  alter user DI identified by password;
  alter user system identified by password;
  Our problem is we don't want to use the password in plain text. To get arround, we will pass the password as a variable instead of the plain password text.
  Maybe something like this:
  alter user anonymous identified by variable_name;How can I mitigate this by passing this variable from solaris to sqlplus?
  Thanks in advance.

  Alex wrote:
  01. Create a procedure to get the username and password and then alter that user. For this you can use synamic sql
  CREATE OR REPLACE PROCEDURE (username VARCHAR2, password VARCHAR2)
  IS
  BEGIN
  EXECUTE IMMEDIATE 'ALTER USER '||username||' IDENTIFIED BY ||password;
  END;
  I have already dealt with the above. My problem is how to get the procedure to pass the password in variable as you mentioned below:
  02. Then in your shell script call that procedure by passing username and password variables..

• User system, password lost..

  hi, this could be stupid, but i lost the system password of my oracle 9i database..
  are there any way to recover it??
  please help me!

  If you have access to login as oracle(os user) onto the server. Log on to the database as sys using option "/ as sysdba", then change the password for system user.
  Ex:
  sqlplus "/ as sysdba"
  alter user system identified by <new_system_passwd>;

• I Forgot Oracle XE Password for Database administrator user "system"

  Hello,
  is there a chance to get my password back for the database administraor account with the username "system" or to reset it otherwise? Unfortunately I have no change to remember it. Is there help for that problem?

  If you would like to change password:
  you login to sys and then change password of some users if you need
  linux:
  export ORACLE_SID=XE
  export ORACLE_HOME=<ORACLE_PATH>
  sqlplus / as sysdba
  SQL> alter user system identified by <new_pass>;
  window:
  set ORACLE_SID=XE
  set ORACLE_HOME=<ORACLE_PATH>
  sqlplus / as sysdba
  SQL> alter user system identified by <new_pass>;
  Re: Oracle XE default username / password

• How do you map a custom event trigger to a DHCP ?

  In the Auto Smarports Config Guide, Cisco IOS Rel 15.0(1)SE, July 2011, it states Auto Smartports can detect devices based on DHCP options. There are predefined macros for devices detected through DHCP.  I have a few questions:  1) What are these predefined macros? and 2) can I specify a user-defined event trigger from DHCP options?  How do I do this?

  Hi Flowserve1,
  What hardware are you using to make your measurement? What driver are you working with? You will be able to make measurements with your counter on a digital signal. If you look at the device pinouts for your device in Measurement and Automation Explorer you will see the counter terminals.
  Steve B

• Alter user privilege

  Hello,
  is there any way to grant just certain privileges that involve the Alter User system privilege? That is, How can i do so that a user can execute just: alter user <user> account lock or account unlock, but not password expires as an example?
  Thanks in advance.

  Hi, you can set the AUTHID DEFINER clause when you crate the stored procedure for execute how owner, the stored procedure must be owner of SYS user.
  Please review the nexts links
  http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_5009.htm#sthref6483
  http://www.adp-gmbh.ch/ora/plsql/authid.html
  Luck.
  Have a good day.
  Regards.

• 특정 USER에서 DDL 등의 COMMAND 실행을 제한하는 방법 - DDL EVENT TRIGGER

  제품 : ORACLE SERVER
  작성날짜 :
  특정 USER에서 DDL 등의 COMMAND 실행을 제한하는 방법 - DDL EVENT TRIGGER
  =======================================================================
  Purpose
  User에 있는 table등에 DDL 문장이 실행되지 않도록 막고 싶은 경우가 있다.
  Oracle8.1.6 부터 사용가능한 system trigger에 의해 이런 기능을 구현해 보자.
  Explanation
  Oracle8.1.6 의 new feature인 DDL event trigger를 이용하여 특정 user에서
  특정 DDL(예를 들어 create, drop, truncate 등)이나 모든 DDL이 실행할 때
  에러를 발생시킨다거나 특정한 action을 하도록 설정할 수 있다.
  DML 의 경우는 기존의 trigger 대로 각 object에 대해 각각 생성하여야 한다.
  이 자료에서는 주로 DDL 이나 DML 이 실행될 때 에러를 발생하도록 하여 해당
  문장이 실행되지 않도록 하는 방법을 기술하였다.
  (system or ddl event trigger에 대한 다른 자료로 Bulletin 11903,11848 참고)
  DDL event trigger 를 이용하기 위해서는 $ORACLE_HOME/dbs/initSID.ora
  file에서 COMPATIBLE parameter의 값이 "8.1.6" 이상으로 설정되어 있어야 한다.
  DDL event trigger 는 각 DDL이 발생할 때에 실행되는 trigger로
  다음과 같은 시점에서 실행되도록 만들 수 있다.
  BEFORE ALTER, AFTER ALTER, BEFORE DROP, AFTER DROP,
  BEFORE ANALYZE, AFTER ANALYZE, BEFORE ASSOCIATE STATISTICS,
  AFTER ASSOCIATE STATISTICS, BEFORE AUDIT, AFTER AUDIT,
  BEFORE NOAUDIT, AFTER NOAUDIT, BEFORE COMMENT, AFTER COMMENT,
  BEFORE CREATE, AFTER CREATE, BEFORE DDL, AFTER DDL,
  BEFORE DISASSOCIATE STATISTICS, AFTER DISASSOCIATE STATISTICS,
  BEFORE GRANT, AFTER GRANT, BEFORE RENAME, AFTER RENAME,
  BEFORE REVOKE, AFTER REVOKE, BEFORE TRUNCATE, AFTER TRUNCATE
  Example
  * 아래의 trigger 를 system 등의 별도로 관리하는 dba user에서 생성한다.
  [예제1] EJ user에서 table과 index에 해당하는 DDL의 실행을 막는 경우
  $ sqlplus system/manager
  CREATE OR REPLACE TRIGGER ej_no_ddl
  before DDL ON ej.schema
  WHEN (ora_dict_obj_type = 'TABLE' or
  ora_dict_obj_type = 'INDEX')
  begin
  raise_application_error (-20101, 'Cannot execute any DDL !!');
  end;
  -> 위의 trigger는 ej user의 schema 에서 Table과 Index 에 대한 DDL이
  실행될 때 user-defined error ora-20101 이 발생하도록 한 것이다.
  [예제2] EJ user에서 실행되는 모든 DDL을 막는 경우
  $ sqlplus system/manager
  CREATE OR REPLACE TRIGGER ej_no_ddl
  before DDL ON ej.schema
  begin
  raise_application_error (-20101, 'Cannot execute any DDL !!');
  end;
  -> 위의 예제는 모든 DDL 이 실행될 때 에러를 발생시키게 된다.
  예제1과 2의 경우 EJ user에서 DDL 실행시 아래와 같은 에러가 발생한다.
  $ sqlplus ej/ej
  SQL> create table test ( a number );
  create table test ( a number )
  ERROR at line 1:
  ORA-00604: error occurred at recursive SQL level 1
  ORA-20101: Cannot execute any DDL !!
  ORA-06512: at line 2
  SQL> drop table dept;
  drop table dept
  ERROR at line 1:
  ORA-00604: error occurred at recursive SQL level 1
  ORA-20101: Cannot execute any DDL !!
  ORA-06512: at line 2
  [예제3] EJ user에서 실행되는 drop과 truncate 문장을 막는 경우
  $ sqlplus system/manager
  CREATE OR REPLACE TRIGGER ej_no_ddl
  before drop or truncate ON ej.schema
  begin
  raise_application_error (-20102, 'Cannot execute DROP or TRUNCATE !!');
  end;
  위와 같이 trigger를 생성한 경우 EJ user에서 table의 생성은 되지만 drop은 할 수
  없다.
  $ sqlplus ej/ej
  SQL> create table test2 ( a number );
  Table created.
  SQL> drop table test2;
  drop table test2
  ERROR at line 1:
  ORA-00604: error occurred at recursive SQL level 1
  ORA-20102: Cannot execute DROP or TRUNCATE !!
  ORA-06512: at line 2
  [예제4] EJ user의 docu2 table에 대한 dml을 막는 경우
  $ sqlplus system/manager
  CREATE OR REPLACE TRIGGER ej_no_dml_docu2
  before insert or update or delete on ej.docu2
  begin
  raise_application_error (-20103, 'Cannot execute DML');
  end;
  $ sqlplus ej/ej
  SQL> delete from docu2 where docu_id=2;
  delete from docu2 where docu_id=2
  ERROR at line 1:
  ORA-20103: Cannot execute DML
  ORA-06512: at "SYSTEM.EJ_NO_DML_DOCU2", line 2
  ORA-04088: error during execution of trigger 'SYSTEM.EJ_NO_DML_DOCU2'
  * table의 작업을 위해 일시적으로 trigger의 기능을
  disable 또는 enable시킬 수 있다.
  $ sqlplus system/manager
  SQL> alter trigger ej_no_ddl disable;
  or
  SQL> alter trigger ej_no_ddl enable;

• Alter system or alter session set events

  Can we use interchangeably alter session or alter system set events?
  Thank you.

  DBA-ES wrote:
  For example this statement
  alter session set events '8103 trace name errorstack level 3';
  Can it be done at the system level? How to check it?Sure it can be,
  SQL*Plus: Release 11.2.0.1.0 Production on Fri Oct 21 15:32:54 2011
  Copyright (c) 1982, 2010, Oracle.  All rights reserved.
  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  SQL> alter session set events '8103 trace name errorstack level 3';
  Session altered.
  SQL> alter system set events '8103 trace name errorstack level 3';
  System altered.
  SQL>And to check, for the alter system , the statement would be logged in the alert log,
  Fri Oct 21 15:31:46 2011
  OS Pid: 4656 executed alter system set events '8103 trace name errorstack level 3'
  D:\app\aristadba\diag\rdbms\orcl112\orcl112\trace>sqlplus / as sysdbaHTH
  Aman....

• Oracle Security - Controlling the 'alter user' privilege

  Hi,
  1. DB 10.1.0.5 and 10.2.0.3
  2. "Admin User" needs to be able to change some users passwords in database.
  3. Create user adminuser - grant alter user to adminuser.
  4. DBAs will grant "approle" role to list of required users. DBAs will maintain control of who gets this role.
  4. Create system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - Script does not fire for DBAs and anyone changing their own password.
  The trigger works as intended - the "adminuser" account can only change the specific set of users.
  Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
  Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
  I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
  CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
  DECLARE
  DBACHK varchar2(50);
  USRCHK varchar2(50);
  BEGIN
  BEGIN
  -- Ensure users can change their own passwords --
  IF
  ora_login_user = ora_dict_obj_name
  THEN
  RETURN;
  ELSE
  -- Do not apply trigger to DBA group --
  select grantee into DBACHK from dba_role_privs where granted_role='DBA'
  and grantee = ora_login_user;
  IF
  DBACHK = ora_login_user
  THEN
  RETURN;
  END IF;
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  NULL;
  END;
  BEGIN
  select grantee into USRCHK from dba_role_privs where
  granted_role='DISCUSR' and grantee = ora_dict_obj_name;
  IF
  ora_dict_obj_type = 'USER'
  and ora_dict_obj_name = USRCHK
  ---- Need to check that only the password is being change -- the line below does not work
  and ora_is_alter_column('PASSWORD') = TRUE
  THEN
  RETURN;
  ELSE
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END;
  END;

  user602453 wrote:
  Ed, thank you for your reply. But, let me explain in more detail.
  More detail is always helpful. ;-)
  >
  A specific user has been assigned as the application administrator. This admininstrator is responsible for reseting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
  I see that this may be out your hands, but I'd still question the wisdom of having an apps administrator being the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more of a helper to a clueless user.
  Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
  So,
  Given those requirements, I have this trigger that will allow the the specific administrator to change the password of a specific set of user while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assigning the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
  Hope that clears things up.I still see another problem in that it still comes back to the dba to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.

• Enabling Level-12 trace in SYSTEM.LOGON trigger

  I am trying to enable level-12 trace for a user as soon as it login to the database.
  CREATE OR REPLACE TRIGGER SYSTEM.LOGON_ASPIRE
  AFTER LOGON
  ON DATABASE
  BEGIN
  if(upper(USER) = 'U_DATAHUB') then
  EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
  execute immediate 'alter session set current_schema=DATAHUB';
  end if;
  I have Grant DBA to user U_DATAHUB and I am able to generatr trace for all sessions..but all the trace file is showing this error
  PARSING IN CURSOR #4 len=68 dep=2 uid=5 oct=42 lid=5 tim=14297715680259 hv=753686485 ad='0'
  ALTER SESSION SET EVENTS '10046 TRACE NAME CONTEXT FOREVER,LEVEL 12'
  END OF STMT
  PARSE #4:c=0,e=18,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=14297715680254
  ERROR #2:err=1031 tim=2228813739
  Skipped error 604 during the execution of SYSTEM.LOGON_ASPIRE
  *** 2008-10-24 16:09:40.272
  ksedmp: internal or fatal error
  ORA-00604: error occurred at recursive SQL level 1
  ORA-01031: insufficient privileges
  ORA-06512: at line 192

  See Note:376442.1 Recommended Method for Obtaining 10046 trace for Tuning, it seems the owner of the trigger must be sys:
  CREATE OR REPLACE TRIGGER SYS.LOGON_ASPIRE
  AFTER LOGON
  ON DATABASE
  WHEN (USER = 'U_DATAHUB')
  BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
  execute immediate 'alter session set current_schema=DATAHUB';
  END;It worked for me...
  /u01/app/oracle/admin/orcl/udump/orcl_ora_21932.trcOracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
  With the Partitioning, OLAP, Data Mining and Real Application Testing options
  ORACLE_HOME = /u01/app/oracle/product/10.2.0/db_1
  System name: Linux
  Node name: caliope.localdomain
  Release: 2.6.9-67.0.0.0.1.ELsmp
  Version: #1 SMP Sun Nov 18 00:23:42 EST 2007
  Machine: i686
  Instance name: orcl
  Redo thread mounted by this instance: 1
  Oracle process number: 15
  Unix process pid: 21932, image: [email protected] (TNS V1-V3)
  *** ACTION NAME:() 2008-09-10 06:52:45.598
  *** MODULE NAME:([email protected] (TNS V1-V3)) 2008-09-10 06:52:45.598
  *** SERVICE NAME:(SYS$USERS) 2008-09-10 06:52:45.598
  *** SESSION ID:(159.3667) 2008-09-10 06:52:45.598
  =====================
  PARSING IN CURSOR #2 len=40 dep=2 uid=0 oct=42 lid=0 tim=1192429263279537 hv=4026204711 ad='0'
  alter session set current_schema=DATAHUB
  END OF STMT
  PARSE #2:c=1000,e=123,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=1192429263279527
  EXEC #2:c=0,e=48,p=0,cr=0,cu=0,mis=0,r=0,dep=2,og=0,tim=1192429263280625
  =====================
  PARSING IN CURSOR #1 len=186 dep=1 uid=100 oct=47 lid=0 tim=1192429263281298 hv=2889369088 ad='4177de24'
  BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET EVENTS ''10046 TRACE NAME CONTEXT FOREVER,LEVEL 12''';
  execute immediate 'alter session set current_schema=DATAHUB';
  END;
  END OF STMT
  EXEC #1:c=2999,e=2971,p=0,cr=0,cu=0,mis=1,r=1,dep=1,og=4,tim=1192429263281290
  WAIT #0: nam='SQL*Net message to client' ela= 7 driver id=1650815232 #bytes=1 p3=0 obj#=-1 tim=1192429263282196
  >
  Enrique
  Edited by: Enrique Orbegozo on Oct 24, 2008 4:29 PM

• Restrict user having alter user privilege

  When a user is granted with alter user, the user can change the password for sys. How to restrict the user, so that he can do user administration but cannot do anything with sys or system.

  could you solve my problem.
  I want to store picture in table using insert statement. But when save trigger executes system generates error message: bad bind variable
  my email: [email protected]

• Event trigger filename wildcard

  Post Author: poputlal
  CA Forum: Administration
  Is it possible to specify a wildcard for the filename for an event trigger?  Right now it asks me for a filename, but I want an event to be triggered whenever a file is created in a folder (or a subfolder).Also, if a wildcard is possible, then is it possible for the event to know the filename that triggered that event?

  Hi Scott,
  I created an event level trigger in APEX to check if user is trying to create/ drop/ modify a column "ROW_ID" and a bunch of other activities encapsuled in a procedure.
  The trigger got created but, when I create a table in the same schema, this trigger does not fire. It works as desired in SQL * PLUS and TOAD
  Trigger script is as under:
  CREATE OR REPLACE TRIGGER ASYED.TADDLS_CHECK_ROWID
  AFTER ALTER OR CREATE OR DROP
  ON ASYED.SCHEMA
  DECLARE
  oper VARCHAR2(2000);
  sql_text ora_name_list_t;
  v_oper VARCHAR2(30);
  i PLS_INTEGER;
  n PLS_INTEGER;
  v_obj_name VARCHAR2(100);
  v_obj_type VARCHAR2(100);
  v_owner VARCHAR2(100);
  v_login VARCHAR2(30);
  v_stmnt VARCHAR2(2000) := null;
  BEGIN
  SELECT ora_sysevent
  INTO oper
  FROM dual;
  i := sql_txt(sql_text);
  SELECT upper(ora_login_user), ora_sysevent,
  ora_dict_obj_name, ora_dict_obj_type,
  ora_dict_obj_owner, upper(sql_text(1))
  INTO v_login, v_oper ,v_obj_name,
  v_obj_type, v_owner, v_stmnt
  FROM dual;
  IF (v_oper = 'CREATE' and (v_stmnt like '% ROW_ID %' or
  v_stmnt like '%(ROW_ID %' or v_stmnt like '%,ROW_ID
  or(v_oper = 'ALTER' AND v_obj_type = 'TABLE' AND
  V_STMNT LIKE '%DROP COLUMN%' and (v_stmnt like '%
  ROW_ID%'))
  or(v_oper = 'ALTER' AND v_obj_type = 'TABLE' AND
  V_STMNT LIKE '%MODIFY%' and (v_stmnt like '%
  ROW_ID%') )
  THEN
  RAISE_APPLICATION_ERROR(-20997,'COLUMN NAME ROW_ID
  RESERVED FOR ADMINISTRATIVE PURPOSE');
  END IF;
  IF v_oper = 'CREATE' AND v_obj_type = 'TABLE' THEN
  SP_POST_DDL (v_obj_name, v_owner, oper);
  END IF;
  END;
  Thanks