Auditing the ALTER USER command

How exactly does one use FGA to capture the "tail-end" of the ALTER USER command? Could you provide or point me toward an example with detailed "how to" information?
Thanks.

You need to have the ALTER USER privilege to change the password of any other user.
It seems you are not logged in as the scott user. Instead of "Scott.tiger" it should be:
Alter user scott identified by tiger;

Similar Messages

  • Oracle Security - Controlling the 'alter user' privilege

    Hi,
    1. DB 10.1.0.5 and 10.2.0.3
    2. "Admin User" needs to be able to change some users' passwords in the database.
    3. Create user adminuser - grant alter user to adminuser.
    4. DBAs will grant "approle" role to the list of required users. DBAs will maintain control of who gets this role.
    5. Create a system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - the script does not fire for DBAs or for anyone changing their own password.
    The trigger works as intended - the "adminuser" account can only change the specific set of users.
    Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
    Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
    I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
    CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
    DECLARE
      DBACHK varchar2(50);
      USRCHK varchar2(50);
    BEGIN
      BEGIN
        -- Ensure users can change their own passwords --
        IF ora_login_user = ora_dict_obj_name THEN
          RETURN;
        ELSE
          -- Do not apply trigger to DBA group --
          select grantee into DBACHK from dba_role_privs
           where granted_role = 'DBA' and grantee = ora_login_user;
          IF DBACHK = ora_login_user THEN
            RETURN;
          END IF;
        END IF;
      EXCEPTION
        WHEN NO_DATA_FOUND THEN
          NULL;
      END;
      BEGIN
        -- The target account must hold the marker role DISCUSR --
        select grantee into USRCHK from dba_role_privs
         where granted_role = 'DISCUSR' and grantee = ora_dict_obj_name;
        IF ora_dict_obj_type = 'USER'
           and ora_dict_obj_name = USRCHK
           ---- Need to check that only the password is being changed -- the line below does not work
           and ora_is_alter_column('PASSWORD') = TRUE
        THEN
          RETURN;
        ELSE
          RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
        END IF;
      EXCEPTION
        WHEN NO_DATA_FOUND THEN
          RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
      END;
    END;
    /

    user602453 wrote:
    > Ed, thank you for your reply. But, let me explain in more detail.
    More detail is always helpful. ;-)
    > A specific user has been assigned as the application administrator. This administrator is responsible for resetting application user passwords. The DBA (me) recognizes the DB security issues, so I am trying to craft a solution that will allow the application administrator the ability to change only the passwords of the application users.
    I see that this may be out of your hands, but I'd still question the wisdom of having an apps administrator be the one to change user passwords, especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more as a helper to a clueless user.
    > Since the only way to change user passwords is to grant the 'alter user' privilege, I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications, I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
    > So,
    > Given those requirements, I have this trigger that will allow the specific administrator to change the passwords of a specific set of users while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assign the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges; it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
    > Hope that clears things up.
    I still see another problem in that it still comes back to the DBA to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability for who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.
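ora_is_alter_column reports the columns named in an ALTER TABLE statement; it is never true for ALTER USER, which is why the line marked in the trigger above cannot work. What a DDL trigger can inspect is the statement text itself, through ora_sql_txt. The trigger below is an added example written for this page, not code from the thread: it keeps the thread's rules (self-service changes and holders of the DBA role pass, the target account must hold the marker role DISCUSR) and then accepts the statement only if it is a bare ALTER USER ... IDENTIFIED BY. It is written as a BEFORE ALTER trigger so that a refused statement never executes at all. The trigger name, the role names and the -20003 error come from the thread; the regular expression, the -20004 error and the variable names are assumptions.

```sql
CREATE OR REPLACE TRIGGER sys.password_control
  BEFORE ALTER ON DATABASE
DECLARE
  l_pieces ora_name_list_t;   -- ora_sql_txt hands the statement back in 64-byte pieces
  l_count  PLS_INTEGER;
  l_sql    VARCHAR2(32767);
  l_hits   PLS_INTEGER;
BEGIN
  -- Only ALTER USER is policed; ALTER TABLE, ALTER INDEX, ... pass untouched.
  IF ora_dict_obj_type <> 'USER' THEN
    RETURN;
  END IF;

  -- Everyone may change their own password.
  IF ora_login_user = ora_dict_obj_name THEN
    RETURN;
  END IF;

  -- Holders of the DBA role are exempt, as in the thread's trigger.
  SELECT COUNT(*) INTO l_hits
    FROM dba_role_privs
   WHERE grantee = ora_login_user AND granted_role = 'DBA';
  IF l_hits > 0 THEN
    RETURN;
  END IF;

  -- The target account must carry the marker role (DISCUSR in the thread).
  SELECT COUNT(*) INTO l_hits
    FROM dba_role_privs
   WHERE grantee = ora_dict_obj_name AND granted_role = 'DISCUSR';
  IF l_hits = 0 THEN
    RAISE_APPLICATION_ERROR(-20003,
      'You are not allowed to alter user ' || ora_dict_obj_name || '.');
  END IF;

  -- Reassemble the statement text. It may contain the new password in clear,
  -- so it is only matched here and never stored or logged.
  l_count := ora_sql_txt(l_pieces);
  FOR i IN 1 .. l_count LOOP
    l_sql := l_sql || l_pieces(i);
  END LOOP;

  -- Accept exactly:  ALTER USER <name> IDENTIFIED BY <pw> [REPLACE <old>] [;]
  -- Any extra clause (DEFAULT TABLESPACE, QUOTA, PROFILE, ACCOUNT UNLOCK, ...)
  -- and the IDENTIFIED BY VALUES form are refused.
  -- POSIX character classes are used so the pattern also works on 10.1.
  IF NOT REGEXP_LIKE(l_sql,
       '^[[:space:]]*ALTER[[:space:]]+USER[[:space:]]+("[^"]+"|[[:alnum:]_$#]+)'
    || '[[:space:]]+IDENTIFIED[[:space:]]+BY[[:space:]]+[^[:space:]]+'
    || '([[:space:]]+REPLACE[[:space:]]+[^[:space:]]+)?[[:space:]]*;?[[:space:]]*$',
       'i')
  THEN
    RAISE_APPLICATION_ERROR(-20004,
      'Only IDENTIFIED BY is permitted for user ' || ora_dict_obj_name || '.');
  END IF;
END;
/
```

A password containing whitespace or a double quote does not match the pattern and is refused, which is the safe direction; `IDENTIFIED BY VALUES '<hash>'` is refused for the same reason, so the admin account cannot set a known hash. To test, connect as the admin account and append a QUOTA or DEFAULT TABLESPACE clause to an otherwise valid statement: ORA-20004 is expected, and the account must be left unchanged.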

  • Objects not created after the AT USER-COMMAND

    Hi experts, good evening. I'm new to OO ABAP. In my program, the objects are not getting created after AT USER-COMMAND, so I created them even before that, but even then I couldn't get them created. Please help me find where the problem is.
    Program:
    REPORT  yrj_my_oops.

    *       CLASS cl_vbak DEFINITION
    CLASS cl_vbak DEFINITION.
      PUBLIC SECTION.
        METHODS : load_data IMPORTING value(im_kunnr) TYPE vbak-kunnr,
                  display_head,
                  write_data.
      PROTECTED SECTION.
      PRIVATE SECTION.
        DATA : it_vbak TYPE TABLE OF vbak,
               wa_vbak TYPE vbak.
    ENDCLASS.                    "cl_vbak DEFINITION

    DATA : w_vbeln TYPE vbak-vbeln.

    *       CLASS cl_vbap DEFINITION
    CLASS cl_vbap DEFINITION.
      PUBLIC SECTION.
        METHODS : load_data IMPORTING value(im_vbeln) TYPE vbak-vbeln,
                  write_data.
      PROTECTED SECTION.
      PRIVATE SECTION.
        DATA : it_vbap TYPE TABLE OF vbap,
               wa_vbap TYPE vbap.
    ENDCLASS.                    "cl_vbap DEFINITION

    *       CLASS cl_vbap IMPLEMENTATION
    CLASS cl_vbap IMPLEMENTATION.
      METHOD load_data.
        SELECT * FROM vbap INTO TABLE it_vbap WHERE vbeln = w_vbeln.
      ENDMETHOD.                    "load_data
      METHOD write_data.
        LOOP AT it_vbap INTO wa_vbap.
          WRITE : /5 wa_vbap-posnr,
                  20 wa_vbap-matnr,
                  35 wa_vbap-arktx,
                  70 wa_vbap-netpr.
        ENDLOOP.
      ENDMETHOD.                    "write_data
    ENDCLASS.                    "cl_vbap IMPLEMENTATION

    *       CLASS cl_vbak IMPLEMENTATION
    CLASS cl_vbak IMPLEMENTATION.
      METHOD  load_data.
        SELECT * FROM vbak INTO TABLE it_vbak WHERE kunnr EQ im_kunnr.
      ENDMETHOD.                    "load_data
      METHOD display_head.
        WRITE : /5 'Order No.',
                15 'Order Date',
                30 'Net Value'.
      ENDMETHOD.                    "display_head
      METHOD write_data.
        LOOP AT it_vbak INTO wa_vbak.
          WRITE : /5 wa_vbak-vbeln,
                  15 wa_vbak-audat,
                  30 wa_vbak-netwr.
        ENDLOOP.
      ENDMETHOD.                    "write_data
    ENDCLASS.                    "cl_vbak IMPLEMENTATION

    PARAMETERS : p_kunnr TYPE vbak-kunnr.
    DATA   : o_vbak TYPE REF TO cl_vbak,
             o_vbap TYPE REF TO cl_vbap.

    START-OF-SELECTION.
      SET PF-STATUS : 'YRJ_MY_OOPS'.
      CREATE OBJECT o_vbak.
      CREATE OBJECT o_vbap.
      CALL METHOD o_vbak->load_data
        EXPORTING
          im_kunnr = p_kunnr.
      CALL METHOD o_vbak->display_head.
      CALL METHOD o_vbak->write_data.

    AT USER-COMMAND.
      w_vbeln = sy-lisel+4(10).
      CASE sy-ucomm.
        WHEN 'BACK' OR 'EXIT'.
          LEAVE LIST-PROCESSING.
        WHEN 'ITEM'.
          CREATE OBJECT o_vbap.
          CALL METHOD o_vbap->load_data
            EXPORTING
              im_vbeln = w_vbeln.
          CALL METHOD o_vbap->write_data.
        WHEN OTHERS.
      ENDCASE.

    Hi,
    I don't see any problem with your code. I ran your code on my system and it worked fine, except for one thing: you need to do a conversion exit on w_vbeln before selecting data from VBAP in method load_data. This is because when you output the data, the VBELN is converted to external format and thus needs to be converted back to internal format if you want to do further selects based on it.
    CLASS cl_vbap IMPLEMENTATION.
      METHOD load_data.
        " Add this, so it converts the VBELN to internal format.
        CALL FUNCTION 'CONVERSION_EXIT_ALPHA_INPUT'
          EXPORTING
            input  = w_vbeln
          IMPORTING
            output = w_vbeln.
        SELECT * FROM vbap INTO TABLE it_vbap WHERE vbeln = w_vbeln.
      ENDMETHOD.                    "load_data
      METHOD write_data.
        LOOP AT it_vbap INTO wa_vbap.
          WRITE : /5 wa_vbap-posnr,
                  20 wa_vbap-matnr,
                  35 wa_vbap-arktx,
                  70 wa_vbap-netpr.
        ENDLOOP.
      ENDMETHOD.                    "write_data
    regards,
    Advait

  • Alter user command failed

    Hello,
    I logged in to my Audit Vault database as "/as sysdba" and tried to unlock the user. I must have missed something, because I thought SYS could do almost everything. Any ideas?
    SQL> ALTER USER "AV" ACCOUNT UNLOCK;
    ALTER USER "AV" ACCOUNT UNLOCK
    ERROR at line 1:
    ORA-01031: insufficient privileges
    Thanks.

    feverlove wrote:
    > Hello,
    > I logged in to my Audit Vault database as "/as sysdba" and tried to unlock the user. I must have missed something, because I thought SYS could do almost everything. Any ideas?
    > SQL> ALTER USER "AV" ACCOUNT UNLOCK;
    > ALTER USER "AV" ACCOUNT UNLOCK
    > ERROR at line 1:
    > ORA-01031: insufficient privileges
    > Thanks.
    By default, Oracle Database Vault is enabled in the Audit Vault Server. Oracle Database Vault restricts access to the data in the Audit Vault Server from any user, including users who have administrative access. For Oracle Audit Vault, Oracle Database Vault protects the Audit Vault Server by using a realm. To ensure that the data in the Audit Vault Server is protected, do not disable Oracle Database Vault.
    Please check if data vault is enabled:
    SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
    Read more about:
    http://download.oracle.com/docs/cd/E14472_01/doc.102/e14459/avadm_mng_security.htm
    Best Regards,
    Gokhan
    If this question is answered, please mark appropriate posts as correct/helpful and the thread as closed. Thanks

  • What does the killall -user command do

    I used this command and now I can't get into my account.

    -u user    Limit potentially matching processes to those belonging to the specified user.

    Restart your computer. The command doesn't erase anything.

  • Issue ALTER USER command without DBA previlage ...

    1 > Don't want to give the DBA privilege, or create a DB link.
    2 > We know SYSTEM / PASSWORD, hard-coded in a PL/SQL program.
    3 > Dynamically generate SQL ('alter user ...').
    4 > Issue the command in a procedure.
    In short, we want to give the help desk the privilege to change application users' passwords on request, but without giving DBA privileges, as the programmer knows the SYSTEM user's password, so he can hard-code it in a procedure and issue the statement as user SYSTEM.
    Help is highly appreciated.

    Hi,
    You can even let the users change their own passwords, as a user can alter its own password without having DBA privileges. Or else, if you want to give that right to the help desk, then connect as the user whose password you want to change and change it. You need not hard-code SYSTEM.
    hope this helps you.
    regards
    gaurav
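The question above wants a help-desk account that can reset application users' passwords without holding DBA and without anyone hard-coding the SYSTEM password. The usual construction is a definer's-rights procedure owned by a locked, purpose-built schema that holds ALTER USER as a direct grant; the help desk gets EXECUTE on that procedure and nothing else. The script below is an added example written for this page, not code from the thread: the schema pwadmin, the roles helpdesk and app_user_marker, the procedure name and the -20010 error are all assumptions. It relies on DBMS_ASSERT (Oracle 10.2 and later) so that neither the username nor the password can smuggle extra clauses into the dynamically built ALTER USER.

```sql
-- Run as a DBA.
-- pwadmin exists only to own the procedure; nobody ever logs in as pwadmin.
CREATE USER pwadmin IDENTIFIED BY "replace-me-at-install-time" ACCOUNT LOCK;
GRANT ALTER USER TO pwadmin;                  -- direct grant: roles are disabled inside definer-rights code
GRANT SELECT ON sys.dba_role_privs TO pwadmin;
CREATE ROLE helpdesk;                         -- granted to help-desk staff
CREATE ROLE app_user_marker;                  -- privilege-less role that marks resettable accounts
-- e.g.  GRANT app_user_marker TO scott;

-- Definer-rights procedure: runs with pwadmin's ALTER USER; the caller never holds it.
CREATE OR REPLACE PROCEDURE pwadmin.reset_app_password (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2)
AUTHID DEFINER
AS
    l_user VARCHAR2(30);
    l_cnt  PLS_INTEGER;
BEGIN
    -- Reject anything that is not a plain identifier (ORA-44003 otherwise), so a
    -- "name" such as  SCOTT IDENTIFIED BY x DEFAULT TABLESPACE ...  cannot get through.
    l_user := DBMS_ASSERT.SIMPLE_SQL_NAME(UPPER(p_username));

    -- Only accounts carrying the marker role may be reset; DBAs, SYS, SYSTEM and
    -- every other unmarked account are out of scope by construction.
    SELECT COUNT(*) INTO l_cnt
      FROM sys.dba_role_privs
     WHERE grantee = l_user AND granted_role = 'APP_USER_MARKER';
    IF l_cnt = 0 THEN
        RAISE_APPLICATION_ERROR(-20010, 'Not an application account: ' || l_user);
    END IF;

    -- ENQUOTE_NAME wraps each value in double quotes and raises if the value holds an
    -- embedded double quote, so the password is always one quoted literal, never more SQL.
    EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(l_user, FALSE)
                   || ' IDENTIFIED BY ' || DBMS_ASSERT.ENQUOTE_NAME(p_password, FALSE)
                   || ' PASSWORD EXPIRE';     -- the user must choose a new password at next logon
END reset_app_password;
/

GRANT EXECUTE ON pwadmin.reset_app_password TO helpdesk;

-- What a help-desk session runs, and all it can run:
--   EXEC pwadmin.reset_app_password('SCOTT', 'Temp-9x!pass');
```

Because the procedure is the only path to ALTER USER, the audit trail or a DDL trigger (see the system-event-trigger note further down this page) records pwadmin as the issuing schema; the calling help-desk user is still identifiable through the session's USERNAME in DBA_AUDIT_TRAIL, so keep individual help-desk accounts rather than one shared login. On releases older than 10.2 DBMS_ASSERT is absent, and the identifier check has to be done by hand against a whitelist of names before any string is concatenated into SQL.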

  • Move_table_clause of the alter table command

    Oracle Workspace Manager: 10.2.0.4.3
    Database version: 10.2.0.4.0
    Can one use the following technique to relocate a version enabled table from one tablespace to another? Is this supported?
    exec dbms_wm.beginDDL(tablename)
    alter table tablename_lts move tablespace ...
    exec dbms_wm.commitDDL
    I tried this in a development environment; the lt table moved, but the lck table remained behind. This history seems to be all there.

    Hi,
    Yes, that is the supported method to move the LT table into a new tablespace. It will also move the AUX table and the _VT table (if it exists).
    Regards,
    Ben

  • 'alter session' command generating a vast number of audit files

    Oracle: 10.2.0.5
    OS: HP Itanium.
    We have requirements to turn on auditing to the operating system for security purposes. We have only set the init.ora parameters and have not actually enabled any sql statement tracing yet. The parameters we have set are:
    audit_file_dest
    audit_sys_operations=true
    audit_trail =xml, extended (the xml is based on requirements).
    We have a login trigger that runs 'alter session set current_schema=<>' This has been a part of the application for years. Every time someone logs in this gets set.
    We are getting 1 trace file every time this is run.
    Is this from the audit_sys_operations?
    I ran some queries of the Audit views and I don't think we have anything turned on. This is an old legacy system so someone may have issued some commands at some point in the past. There are a lot of views and I may have missed this.
    How do we disable auditing the 'alter session commands' ?
    Edited by: Guess2 on Sep 17, 2012 6:46 AM

    Hi,
    You could try: noaudit alter session;
    Regards,

  • How to audit alter user sql statements in Oracle 11g.

    I want to audit all the ALTER USER SQL statements, showing who altered what with which SQL statement, including the connections performed by SYS and SYSTEM.
    Ex: If I use the command: alter user xxx quota 50 GB on users;
    Then how can I grab this SQL statement and who performed it, with the timings?

    Pl post OS and database versions.
    What have you learned from the documentation ?
    http://download.oracle.com/docs/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107
    http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/guidelines.htm#DBSEG508
    What have you tried to implement so far ?
    HTH
    Srini
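Two threads on this page, and the question that opens it, come down to the same mechanism. The opening post asks for fine-grained auditing (DBMS_FGA), but FGA policies attach to SELECT, INSERT, UPDATE and DELETE on tables and views and cannot see DDL such as ALTER USER; what records it is standard statement auditing, or a DDL trigger like the one in the system-event-trigger note further down. The 'alter session' thread above is the other side of the same coin: audit records that nobody remembers enabling are found by listing the active audit options. The script below is an added example, not from either thread: it lists what is currently audited, turns on auditing of the USER statement class with extended SQL text, and then reads the trail. It assumes Oracle 10g/11g with traditional (pre-unified) auditing and a SYSDBA session; the seven-day window in the last query is an arbitrary choice.

```sql
-- 1. What is audited right now?  Statement options first, then privilege options.
--    Unexpected audit files almost always trace back to a row in one of these views.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY audit_option, user_name;

SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY privilege, user_name;

-- An option that is no longer wanted is switched off by name, e.g.
-- NOAUDIT ALTER SESSION;

-- 2. Record the statement text with each audit record.
--    AUDIT_TRAIL is static: the change takes effect at the next restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 3. Audit CREATE USER, ALTER USER and DROP USER for everybody,
--    one record per statement, whether it succeeded or failed.
AUDIT USER BY ACCESS;

-- 4. Who altered which account, from where, when, and with what statement.
SELECT timestamp,
       os_username,
       username      AS run_by,
       userhost,
       obj_name      AS altered_user,
       returncode,                       -- 0 = success, otherwise the ORA- error number
       sql_text
  FROM dba_audit_trail
 WHERE action_name = 'ALTER USER'
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp DESC;
```

AUDIT USER covers the three statements regardless of who runs them; AUDIT ALTER USER on its own audits use of the system privilege and would therefore miss users changing their own password. SYSTEM's statements land in DBA_AUDIT_TRAIL like everyone else's, but statements run AS SYSDBA are governed by AUDIT_SYS_OPERATIONS and go to the audit file destination (with AUDIT_TRAIL=XML they are readable through V$XML_AUDIT_TRAIL), not to DBA_AUDIT_TRAIL. Before granting anyone read access to the trail, run one IDENTIFIED BY statement and check what SQL_TEXT actually recorded for it on your version.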

  • Problems with the imadmin purge user command

    I am using iMS 5.2 hot fix 1.05, iDA1.2sp1 and iDS 5.1
    When I try to use the imadmin purge user command I get the following errors:
    [email protected]: purging user
    [email protected]: purge user failed
    Failed connection refused.
    If I don't use the -g 0 option then it reports success, but the user account is still in LDAP...
    I found a reference to the imadmin user purge command not working when you have iDA 1.2patch1 and iMS 5.1 patch 1 unless you make a change to your resource.properties file but i have tried the file both way and I get the same error with the purge user command.
    I can use the imadmin delete user or imadmin modify user without any problem. I am just having trouble with the imadmin purge user command.
    Any ideas?

    This problem is documented in bug id 4671472. I have attempted the recommended fix, but the problem persists. If anyone else has been having a similar problem and has any solution, let me know. Thanks.
    Peter

  • How to identify the user who executed ALTER USER (SYSTEM EVENT TRIGGER)

    Product: ORACLE SERVER
    Date written: 2002-11-07
    How to identify the user who executed ALTER USER (SYSTEM EVENT TRIGGER)
    ================================================================
    PURPOSE
    This note shows how to find out which user issued an ALTER USER command, for
    example to change their own or another user's password.
    Explanation & Example
    1. Create an event table to store the user information.
    Create the event table and the users used to record the alterations made:
    SQL> connect / as sysdba
    SQL> create table event_table (
           ora_sysevent       varchar2(20),
           ora_login_user     varchar2(30),
           ora_instance_num   number,
           ora_database_name  varchar2(50),
           ora_dict_obj_name  varchar2(30),
           ora_dict_obj_type  varchar2(20),
           ora_dict_obj_owner varchar2(30),
           timestamp          date
         );
    SQL> create user test1 identified by test1;
    SQL> grant create session, alter user to test1;
    SQL> create user test2 identified by test2;
    SQL> grant create session to test2;
    2. As SYS, create an AFTER ALTER system event trigger.
    Note: This trigger fires on every ALTER statement issued in the database (ALTER USER,
    ALTER TABLE, ...), whoever issues it; the IF inside it records only alterations of
    USER objects.
    SQL> CREATE OR REPLACE TRIGGER after_alter AFTER ALTER ON DATABASE
         BEGIN
           IF (ora_dict_obj_type = 'USER') THEN
             insert into event_table
             values (ora_sysevent,
                     ora_login_user,
                     ora_instance_num,
                     ora_database_name,
                     ora_dict_obj_name,
                     ora_dict_obj_type,
                     ora_dict_obj_owner,
                     sysdate);
           END IF;
         END;
         /
    3. Connect as test1 and change the password of test2.
    SQL> connect test1/test1
    SQL> alter user test2 identified by foo;
    4. Once test1 has changed test2's password, the event is visible in event_table.
    Now that we have altered the "test2" user password from user "test1", the
    event_table should have captured these details.
    Now log in as SYS and query event_table:
    SQL> connect / as sysdba
    SQL> select * from event_table;
    ORA_SYSEVENT  ORA_LOGIN_USER  ORA_INSTANCE_NUM  ORA_DATABASE_NAME    ORA_DICT_OBJ_NAME  ORA_DICT_OBJ_TYPE  ORA_DICT_OBJ_OWNER  TIMESTAMP
    ------------  --------------  ----------------  -------------------  -----------------  -----------------  ------------------  ---------
    ALTER         TEST1           1                 T901.IDC.ORACLE.COM  TEST2              USER                                   13-JUN-02
    The query on event_table shows the login user and the altered user in the
    ORA_LOGIN_USER and ORA_DICT_OBJ_NAME columns respectively.
    Triggers on the following events can be created and checked in the same way:
    1) BEFORE DROP
    2) AFTER DROP
    3) BEFORE ANALYZE
    4) AFTER ANALYZE
    5) BEFORE DDL
    6) AFTER DDL
    7) BEFORE TRUNCATE
    8) AFTER TRUNCATE
    Related Documents
    Oracle Application Developer's Guide

  • Alter user + ora-03114

    Hello...
    Using Forms 10gR1(9.0.4.19).
    When the form calls a database procedure that does "execute immediate 'alter user ...'",
    it returns the error "ORA-03114".
    Can you help me?
    Thanks.

    ORA-03114: not connected to ORACLE
    It looks like you somehow got disconnected from the database or never connected in the first place. You don't suppress logging on to the database by overriding the ON-LOGON trigger, do you?
    If you were initially connected, you somehow got disconnected. Could be that your database session crashed on a previous action. Check the bdump directory on the database server to see if there is a log file of a crashed session.
    I haven't ever experienced this myself, but could it be that you are altering the current user in such a way that the session is ended? You did not specify what you are doing in the ALTER USER, so it's only guessing for me.

  • SSO alter user problem

    Hello,
    I have an APEX application on apex.oracle.com. I'm trying to set up SSO but having trouble getting started.
    When I go to SQL Workshop > SQL Commands to type in 'alter user FLOWS_xxxxxx account unlock', it gives me ORA-01031: insufficient privileges. The instructions here http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html say that I am supposed to connect as SYS and then run this command. But using the browser SQL command line it doesn't seem possible?
    Also, does the SSOSDK come pre-loaded on apex.oracle.com schemas, or do I have to request that it be installed in my schema?

    Scott, I appreciate your continued support for this thread!
    I have downloaded several AS packages: including
    Application Server 10g Release 3 (10.1.3.x)
    http://download.oracle.com/otn/nt/ias/101310/soa_windows_x86_101310_disk1.zip
    Oracle Application Server 10g Release 2 (10.1.2.0.1) Standard Edition One
    http://download.oracle.com/otn/nt/ias/101201/as_windows_x86_101201_disk1.zip
    http://download.oracle.com/otn/nt/ias/101201/as_windows_x86_101201_disk2.zip
    Oracle Application Server 10g Release 2 (10.1.2.0.2)
    Application Server Companion CD
    http://download.oracle.com/otn/nt/ias/101202/as_windows_x86_companion_101202_disk1.zip
    http://download.oracle.com/otn/nt/ias/101202/as_windows_x86_companion_101202_disk2.zip
    None of these have the SSO SDK on them. I read a Metalink page (http://download.oracle.com/docs/cd/B14099_08/manage.1012/b14087/mod_osso.htm#BABIGABA) that says the SSO SDK is no longer used as of OAS 10.1.2 and I'm supposed to be using mod_osso. If this is the case, then should I stop trying to find the deprecated SSO SDK and use the mod_osso functionality of Oracle HTTP Server? And will this mod_osso functionality work with APEX?

  • Gui status (AT USER-COMMAND) trigger at first

    Hello all,
    I wrote a basic list, shown below.
    Both the AT USER-COMMAND and AT LINE-SELECTION events are used in it.
    When I double-click on a line in the list, I think AT LINE-SELECTION should be triggered first, but in fact AT USER-COMMAND triggers,
    and sy-ucomm gets the value of the first button in the GUI status bar (there's only one button on it).
    How can I solve it?
    Any answers would be appreciated.
    START-OF-SELECTION.
      SET PF-STATUS 'ZSATMM24F1'.
      WRITE: / 'aaaaaaaaaaaa'.
      WRITE: / 'aaaaaaaaaaaa'.
      WRITE: / 'aaaaaaaaaaaa'.
      WRITE: / 'aaaaaaaaaaaa'.

    AT USER-COMMAND.
      CASE sy-ucomm.
        WHEN 'TO_a'.
          PERFORM to_a.
      ENDCASE.

    AT LINE-SELECTION.
      WRITE: / 'test'.
    best regards,
    daniel.

    Please make sure to add the fcode PICK to the F2 function code in your gui status and try again.
    Regards,
    Rich Heilman

  • At user-command & At Line-selection

    Hi,
    I am using ECC5 ver. of ABAP.
    Can I use AT USER-COMMAND and AT LINE-SELECTION
    in the same report?
    I have used it but only At user command works, not At line selection.
    When I remove Set pf-Status, At line selection works.
    Here is my code.
    REPORT PF&ATLINE.
    AT LINE-SELECTION.
      MESSAGE 'Line Selected' TYPE 'I'.
    AT USER-COMMAND.
      IF sy-ucomm = 'PUSH'.
        MESSAGE 'Button Pushed' type 'I'.
      elseif sy-ucomm = 'EXIT'.
        LEAVE PROGRAM.
      ENDIF.
    START-OF-SELECTION.
      SET PF-STATUS 'ZRND3'.
      DO 10 TIMES.
        WRITE:/01 SY-INDEX HOTSPOT.
      ENDDO.
    END-OF-SELECTION.

    Hi Rajiv,
    Setting the PICK function code to F2 will definitely solve it..
    and it triggers the at user-command and at line-selection event as per user interaction...
    If it is not working properly, then there might be something wrong in your code.
    can you place the code... so that we can know the exact problem
    regards
    padma

    Hey Guys,  I'm going through a very strange situation. First my environment: QA Windows 2008 R2 Standard Biztalk Server 2013 Enterprise  2GB of Memory Biztalk and SQL Server 2008 R2 installed in a same virtual server. Pre-Production Windows 2008 R2 E