Database Vault Owner Grant Any Role Permission
So I just noticed that the role DV_OWNER has the system privilege GRANT ANY ROLE assigned to it by default. I was wondering if this is necessary for something. If not, I would like to remove it. We would prefer the Database Vault owner person to not have any permissions except for logging into the Data Vault console to modify realms and rules and stuff, as well as looking at audit logs. The DV_OWNER role also has the ADMINISTER DATABASE TRIGGER and ALTER ANY TRIGGER privileges, which I would like to remove as well. Anybody have any opinions on this?
Oracle EE 11.2.0.2 on Windows 2008 R2
Thanks.
SYSDBA can issue powerful statements such as create user, drop user, alter user, create profile, and so on only if it is allowed by modifying the Can Maintain Accounts/Profiles rule set.
You can also log in with the DVSYS account, but that account is locked after installation. So unlock it with the
alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault: DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
The following can help you:
SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
Regards
Karan
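As an added example (not Karan's code and not Oracle's), the two Oracle SQL queries below extend the DBA_SYS_PRIVS check to all the DV_* roles listed above and walk DBA_ROLE_PRIVS to show which accounts end up holding DV_OWNER through nested role grants. The set of privileges filtered for is an assumption about what a reviewer would look at; it includes the ones named in the question.

```sql
-- Added review queries (not part of the thread). Run as an account that can
-- read the DBA_* views. The DV_* role names are the ones listed in the reply;
-- the privilege list is a reviewer's choice (assumption), extend as needed.

-- 1. Which of these system privileges do the Database Vault roles hold directly?
--    ADMIN_OPTION = YES means a holder of the role can pass the privilege on.
SELECT sp.grantee      AS dv_role,
       sp.privilege,
       sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee IN ('DV_OWNER', 'DV_ADMIN', 'DV_ACCTMGR', 'DV_SECANALYST',
                      'DV_REALM_OWNER', 'DV_REALM_RESOURCE', 'DV_PUBLIC')
AND    sp.privilege IN ('GRANT ANY ROLE', 'GRANT ANY PRIVILEGE',
                        'GRANT ANY OBJECT PRIVILEGE', 'ADMINISTER DATABASE TRIGGER',
                        'ALTER ANY TRIGGER', 'CREATE ANY TRIGGER',
                        'BECOME USER', 'ALTER USER', 'CREATE USER')
ORDER  BY sp.grantee, sp.privilege;

-- 2. Who effectively holds DV_OWNER?  Start at the role and walk the grant
--    chain outward: a row whose GRANTEE is a user is an end holder, a row
--    whose GRANTEE is another role means DV_OWNER is inherited through it.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || rp.grantee                     AS holder,
       rp.granted_role,
       CASE WHEN EXISTS (SELECT 1 FROM dba_users u WHERE u.username = rp.grantee)
            THEN 'USER' ELSE 'ROLE' END                              AS holder_type,
       rp.admin_option,   -- YES: holder can grant DV_OWNER onward
       rp.default_role    -- NO: role is granted but inactive at login
FROM   dba_role_privs rp
START  WITH rp.granted_role = 'DV_OWNER'
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  SIBLINGS BY rp.grantee;
```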
Similar Messages
-
Grant role DBA with Database Vault
Hi all,
I need help granting the role DBA to a user with Database Vault option installed. I created a user account and I need that this user be able to do all the things that a regular DBA role can do. I can't find a way to do this in Database Vault... any help will be appreciated.
Thanks!
SYSDBA can issue powerful statements such as create user, drop user, alter user, create profile, and so on only if it is allowed by modifying the Can Maintain Accounts/Profiles rule set.
You can also log in with the DVSYS account, but that account is locked after installation. So unlock it with the
alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault: DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
The following can help you:
SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
Regards
Karan
OIM 11g R2: Insufficent Privileges after Enable Database Vault
Hi,
I am trying to implement Database Vault on an OIM 11g R2 database for a customer proof of concept, but after enabling Database Vault I got the following error:
oracle.iam.ui.platform.exception.OIMRuntimeException: IAM-7130125 : Search token caused Oracle text DRG issue, DB exception is :ORA-20000: Oracle Text error:
DRG-50857: oracle error in drdmdcnt
ORA-01031: insufficient privileges
ORA-06512: at "CTXSYS.DRVUTL", line 14
ORA-06512: at "CTXSYS.DRVXMD", line 140
ORA-06512: at line 1
This error occurs when I run the Catalog Synchronization Job and when I try to search items in the catalog.
I guess that Database Vault blocked the CTXAPP role granted to the OIM database owner, but I am not sure how to fix it. Do I have to create a database realm for the OIM database user?
As I continue to forage around looking for an answer, I came across the following statement in a document on Metalink: "The home where you plan to install ODV must already have OLS installed at the same patch level as the database." Is this correct? I have never seen this in any Database Vault documentation.
(https://metalink.oracle.com/metalink/plsql/f?p=200:27:4287075139009922213::::p27_id,p27_show_header,p27_show_help:714182.992,1,1)
Hi, I have experienced many times that when you give the DBA role to any schema it should get the CREATE ANY privilege on all objects, but that is not the case: after giving the DBA privilege to a schema I have to give the CREATE ANY privilege to that schema, though the DBA role has that facility. Why is it so?
Regards
Vikas Chopkar
Are you talking about the default role named DBA? If so, that role should rarely be granted to anyone. Either way, on my database it has the privileges you say it doesn't.
SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='DBA' ORDER BY PRIVILEGE;
GRANTEE PRIVILEGE ADM
DBA ADMINISTER ANY SQL TUNING SET YES
DBA ADMINISTER DATABASE TRIGGER YES
DBA ADMINISTER RESOURCE MANAGER YES
DBA ADMINISTER SQL TUNING SET YES
DBA ADVISOR YES
DBA ALTER ANY CLUSTER YES
DBA ALTER ANY DIMENSION YES
DBA ALTER ANY EVALUATION CONTEXT YES
DBA ALTER ANY INDEX YES
DBA ALTER ANY INDEXTYPE YES
DBA ALTER ANY LIBRARY YES
DBA ALTER ANY MATERIALIZED VIEW YES
DBA ALTER ANY OUTLINE YES
DBA ALTER ANY PROCEDURE YES
DBA ALTER ANY ROLE YES
DBA ALTER ANY RULE YES
DBA ALTER ANY RULE SET YES
DBA ALTER ANY SEQUENCE YES
DBA ALTER ANY SQL PROFILE YES
DBA ALTER ANY TABLE YES
DBA ALTER ANY TRIGGER YES
DBA ALTER ANY TYPE YES
DBA ALTER DATABASE YES
DBA ALTER PROFILE YES
DBA ALTER RESOURCE COST YES
DBA ALTER ROLLBACK SEGMENT YES
DBA ALTER SESSION YES
DBA ALTER SYSTEM YES
DBA ALTER TABLESPACE YES
DBA ALTER USER YES
DBA ANALYZE ANY YES
DBA ANALYZE ANY DICTIONARY YES
DBA AUDIT ANY YES
DBA AUDIT SYSTEM YES
DBA BACKUP ANY TABLE YES
DBA BECOME USER YES
DBA CHANGE NOTIFICATION YES
DBA COMMENT ANY TABLE YES
DBA CREATE ANY CLUSTER YES
DBA CREATE ANY CONTEXT YES
DBA CREATE ANY DIMENSION YES
DBA CREATE ANY DIRECTORY YES
DBA CREATE ANY EVALUATION CONTEXT YES
DBA CREATE ANY INDEX YES
DBA CREATE ANY INDEXTYPE YES
DBA CREATE ANY JOB YES
DBA CREATE ANY LIBRARY YES
DBA CREATE ANY MATERIALIZED VIEW YES
DBA CREATE ANY OPERATOR YES
DBA CREATE ANY OUTLINE YES
DBA CREATE ANY PROCEDURE YES
DBA CREATE ANY RULE YES
DBA CREATE ANY RULE SET YES
DBA CREATE ANY SEQUENCE YES
DBA CREATE ANY SQL PROFILE YES
DBA CREATE ANY SYNONYM YES
DBA CREATE ANY TABLE YES
DBA CREATE ANY TRIGGER YES
DBA CREATE ANY TYPE YES
DBA CREATE ANY VIEW YES
DBA CREATE CLUSTER YES
DBA CREATE DATABASE LINK YES
DBA CREATE DIMENSION YES
DBA CREATE EVALUATION CONTEXT YES
DBA CREATE EXTERNAL JOB YES
DBA CREATE INDEXTYPE YES
DBA CREATE JOB YES
DBA CREATE LIBRARY YES
DBA CREATE MATERIALIZED VIEW YES
DBA CREATE OPERATOR YES
DBA CREATE PROCEDURE YES
DBA CREATE PROFILE YES
DBA CREATE PUBLIC DATABASE LINK YES
DBA CREATE PUBLIC SYNONYM YES
DBA CREATE ROLE YES
DBA CREATE ROLLBACK SEGMENT YES
DBA CREATE RULE YES
DBA CREATE RULE SET YES
DBA CREATE SEQUENCE YES
DBA CREATE SESSION YES
DBA CREATE SYNONYM YES
DBA CREATE TABLE YES
DBA CREATE TABLESPACE YES
DBA CREATE TRIGGER YES
DBA CREATE TYPE YES
DBA CREATE USER YES
DBA CREATE VIEW YES
DBA DEBUG ANY PROCEDURE YES
DBA DEBUG CONNECT SESSION YES
DBA DELETE ANY TABLE YES
DBA DEQUEUE ANY QUEUE YES
DBA DROP ANY CLUSTER YES
DBA DROP ANY CONTEXT YES
DBA DROP ANY DIMENSION YES
DBA DROP ANY DIRECTORY YES
DBA DROP ANY EVALUATION CONTEXT YES
DBA DROP ANY INDEX YES
DBA DROP ANY INDEXTYPE YES
DBA DROP ANY LIBRARY YES
DBA DROP ANY MATERIALIZED VIEW YES
DBA DROP ANY OPERATOR YES
DBA DROP ANY OUTLINE YES
DBA DROP ANY PROCEDURE YES
DBA DROP ANY ROLE YES
DBA DROP ANY RULE YES
DBA DROP ANY RULE SET YES
DBA DROP ANY SEQUENCE YES
DBA DROP ANY SQL PROFILE YES
DBA DROP ANY SYNONYM YES
DBA DROP ANY TABLE YES
DBA DROP ANY TRIGGER YES
DBA DROP ANY TYPE YES
DBA DROP ANY VIEW YES
DBA DROP PROFILE YES
DBA DROP PUBLIC DATABASE LINK YES
DBA DROP PUBLIC SYNONYM YES
DBA DROP ROLLBACK SEGMENT YES
DBA DROP TABLESPACE YES
DBA DROP USER YES
DBA ENQUEUE ANY QUEUE YES
DBA EXECUTE ANY CLASS YES
DBA EXECUTE ANY EVALUATION CONTEXT YES
DBA EXECUTE ANY INDEXTYPE YES
DBA EXECUTE ANY LIBRARY YES
DBA EXECUTE ANY OPERATOR YES
DBA EXECUTE ANY PROCEDURE YES
DBA EXECUTE ANY PROGRAM YES
DBA EXECUTE ANY RULE YES
DBA EXECUTE ANY RULE SET YES
DBA EXECUTE ANY TYPE YES
DBA EXPORT FULL DATABASE YES
DBA FLASHBACK ANY TABLE YES
DBA FORCE ANY TRANSACTION YES
DBA FORCE TRANSACTION YES
DBA GLOBAL QUERY REWRITE YES
DBA GRANT ANY OBJECT PRIVILEGE YES
DBA GRANT ANY PRIVILEGE YES
DBA GRANT ANY ROLE YES
DBA IMPORT FULL DATABASE YES
DBA INSERT ANY TABLE YES
DBA LOCK ANY TABLE YES
DBA MANAGE ANY FILE GROUP YES
DBA MANAGE ANY QUEUE YES
DBA MANAGE FILE GROUP YES
DBA MANAGE SCHEDULER YES
DBA MANAGE TABLESPACE YES
DBA MERGE ANY VIEW YES
DBA ON COMMIT REFRESH YES
DBA QUERY REWRITE YES
DBA READ ANY FILE GROUP YES
DBA RESTRICTED SESSION YES
DBA RESUMABLE YES
DBA SELECT ANY DICTIONARY YES
DBA SELECT ANY SEQUENCE YES
DBA SELECT ANY TABLE YES
DBA SELECT ANY TRANSACTION YES
DBA UNDER ANY TABLE YES
DBA UNDER ANY TYPE YES
DBA UNDER ANY VIEW YES
DBA UPDATE ANY TABLE YES
Grant Privileges in Database Vault for DATAPUMP.
HI,
I am using ORACLE DATABASE 11g R2.
I have installed/enabled DATABASE VAULT 11g on it.
I have configured many user in it for privileges like 'SELECT on table','INSERT on table' ,DELETE .....
I want to give a user DATAPUMP privilege so that he can export and import.
I have 2 users.
1) MAIN
2) BACKUP
MAIN user is the owner and the most important schema. Now i want one more schema named 'BACKUP' which will be able to take backup from MAIN schema. NO OTHER SCHEMA SHOULD BE ALLOWED TO TAKE BACKUP OF MAIN SCHEMA NOT EVEN SYS.
Can anyone tell me how I can grant proper privileges to the BACKUP schema so that he can use DATAPUMP and import/export the MAIN schema from the OS prompt?
NOTE :- I have Database vault installed on my server. Please let me know what all RULES or RULE SETS I need to make to make this happen.
Thanks in advance.
I have managed with privileges to grant the BACKUP user the right to start an IMPORT, but I get these errors while importing:
Failing sql is:
CREATE TABLE "MAIN"."FLX_PM_OFFER_SELECTOR_B" ("USER_NAME" VARCHAR2(50 BYTE), "PRODUCT_GROUP" VARCHAR2(5 BYTE), "REFERENCE_NUM" VARCHAR2(30 BYTE) NOT NULL ENABLE, "SESSION_STATE" VARCHAR2(5 BYTE), "OFFER_FEATURES" BLOB, "RECOMMENDED_OFFERS" VARCHAR2(500 BYTE), "SELECTED_OFFERS" VARCHAR2(500 BYTE), "MAKER_NAME" VARCHAR2(12 BYTE), "MAK
ORA-39083: Object type TABLE:"MAIN"."FLX_PM_ACCOUNT_ROLE_FLOW" failed to create with error:
ORA-47401: Realm violation for CREATE TABLE on MAIN.FLX_PM_ACCOUNT_ROLE_FLOW
I am getting this error for all the objects: SYNONYM, SEQUENCE, ...
I have granted the MAIN user all the privileges but still I am getting these errors. Do I need to create any realm or rule set for this?
Thanks.
How to check the owner of any Object in the database.
Thanks
Himanshu
What about this?
SELECT owner, object_name, object_type FROM all_objects;
OR
SELECT owner, object_name, object_type FROM dba_objects;
Find particular database role permission on all the databases of an instance
Hi Team,
I want to find particular database role permission on all the databases of a instance.
Example: 50 databases are running on an instance. I want to find datareader permission of ABCDE account, on which of the databases it exist?
Please provide me a customized script to find it.
Thanks
Kumar
Hi K735,
According to your description, you want to find the databases where a specific database role of a specific user exists. To do this, you could execute the stored procedure below, providing a value for each of the two parameters (@databaseRole, @user) to specify the database role and the user, as in the following example: execute findDatabaseRole 'db_datareader', 'testUser'
USE master
GO
CREATE PROCEDURE dbo.findDatabaseRole
    @databaseRole VARCHAR(200),
    @user VARCHAR(250)
AS
BEGIN
    -- One row per (role, database, member) gathered from every user database
    DECLARE @DBuser_table TABLE
    (
        AssociatedDatabaseRole VARCHAR(200),
        DBName VARCHAR(200),
        UserName VARCHAR(250),
        LoginType VARCHAR(500)
    )
    -- sp_MSforeachdb substitutes each database name for ?; the leading USE
    -- makes USER_NAME() resolve the role name in that database, not in master
    INSERT @DBuser_table
    EXEC sp_MSforeachdb @command1 = 'USE [?];
        SELECT USER_NAME(b.role_principal_id) AS AssociatedDatabaseRole,
               ''[?]'' AS DBName, a.name AS UserName, a.type_desc AS LoginType
        FROM sys.database_principals a
        JOIN sys.database_role_members b ON a.principal_id = b.member_principal_id
        WHERE a.sid NOT IN (0x01, 0x00) AND a.sid IS NOT NULL
          AND a.type NOT IN (''C'')
          AND a.is_fixed_role <> 1 AND a.name NOT LIKE ''##%''
          AND ''?'' NOT IN (''master'', ''msdb'', ''model'', ''tempdb'')
        ORDER BY a.name'
    SELECT AssociatedDatabaseRole, DBName, UserName, LoginType
    FROM @DBuser_table
    WHERE UserName = @user AND AssociatedDatabaseRole = @databaseRole
    GROUP BY AssociatedDatabaseRole, DBName, UserName, LoginType
END
GO
Regards,
Michelle Li
Can grant truncate table permission to a user?
Can TRUNCATE TABLE permission be granted to a user separately?
I know that the role db_ddladmin can do it, but the CREATE, ALTER and DROP permissions will be granted at the same time (these permissions are not what we want to grant to the user).
Is there any solution?
Best regards!!
If you haven't all the things you want, be grateful for the things you don't have that you didn't want.
You can't grant truncate because, for whatever reason, that permission doesn't exist. What you can do is use a stored procedure and use EXECUTE AS OWNER to get around it.
create database foo
go
create login foobar with password = 'alkdsfji9eorngv';
go
use foo
go
create user foobar from login foobar;
go
create table test(rowid int identity)
go
insert into test default values;
go
select * from test
go
create procedure dbo.truncate_test
with execute as owner
as
truncate table test
go
grant execute on dbo.truncate_test to foobar
go
execute as login='foobar'
execute dbo.truncate_test
revert
go
select * from test
go
use master
go
drop database foo
drop login foobar
This keeps your database safe and allows you to grant execute on the truncate procedure to allow them to truncate the table.
Jonathan Kehayias
http://sqlblog.com/blogs/jonathan_kehayias/
http://www.twitter.com/SQLSarg
http://www.sqlclr.net/
Schema export via Oracle data pump with Database Vault enabled question
Hi,
I have installed and configured Database Vault on an Oracle 11g-r2-11.2.0.3 to protect a specific schema (SCHEMA_NAME) via a realm. I have followed the following doc:
http://www.oracle.com/technetwork/database/security/twp-databasevault-dba-bestpractices-199882.pdf
to ensure that the SYS and SYSTEM users have sufficient rights to complete a scheduled Oracle Data Pump export operation.
I.e. I have granted to sys and system the following:
execute dvsys.dbms_macadm.authorize_scheduler_user('sys','SCHEMA_NAME');
execute dvsys.dbms_macadm.authorize_scheduler_user('system','SCHEMA_NAME');
execute dvsys.dbms_macadm.authorize_datapump_user('sys','SCHEMA_NAME');
execute dvsys.dbms_macadm.authorize_datapump_user('system','SCHEMA_NAME');
I have also created a second realm on the same schema (SCHEMA_NAME) to allow SYS and SYSTEM to maintain indexes for realm-protected tables. This separate realm was created for all their index types (Index, Index Partition, and Indextype); SYS and SYSTEM have been authorized as OWNER of this realm.
However, when I try and complete an Oracle Data Pump export operation on the schema, I get two errors directly after the following line displayed in the export log:
Processing object type SCHEMA_EXPORT/TABLE/INDEX/DOMAIN_INDEX/INDEX:
ORA-39127: unexpected error from call to export_string :=SYS.DBMS_TRANSFORM_EXIMP.INSTANCE_INFO_EXP('AQ$_MGMT_NOTIFY_QTABLE_S','SYSMAN',1,1,'11.02.00.00.00',newblock)
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197
ORA-06512: at line 1
ORA-06512: at "SYS.DBMS_METADATA", line 9081
ORA-39127: unexpected error from call to export_string :=SYS.DBMS_TRANSFORM_EXIMP.INSTANCE_INFO_EXP('AQ$_MGMT_LOADER_QTABLE_S','SYSMAN',1,1,'11.02.00.00.00',newblock)
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197
ORA-06512: at line 1
ORA-06512: at "SYS.DBMS_METADATA", line 9081
The export completes, but with these errors.
Any help, suggestions, pointers, etc actually anything will be very welcome at this stage.
Thank you
Hi Srini,
Thank you very much for your help. Unfortunately, after having followed the instructions of the doc I am still getting the same errors.
Nonetheless, thank you for your input.
I was also wondering if someone could tell me how to move this thread to the Database Security area of the forum, as I feel I may have posted the thread in the wrong place; it appears to be a Database Vault issue and not an imp/exp problem.
Edited by: zooid on May 20, 2012 10:33 PM
Edited by: zooid on May 20, 2012 10:36 PM
Dear DBAs,
Is it possible to install a new Oracle home for Vault on a RAC structure using the existing clusterware handling 3 instances?
The fact of installing a new clusterware on the same RAC is strange.
Please help.
Regards
Hi,
You have 2 options to work around the SYSDBA issue:
1. You can disable all of the default command rules and realms. I do it anyway on a Database Vault deployment; I want full control over the Database Vault roles and realms.
2. Database Vault manual, 9.5.1 Step 1: Enable Logins for the SYSDBA Role, shows you how to disable the SYSDBA enforcement (see the cut-and-paste at the bottom of this message).
Checkout my site - [http://www.dbsnaps.com/groups/oracle_security] for useful information about database vault.
9.5.1 Step 1: Enable Logins for the SYSDBA:
To enable the ability to log in using the SYSDBA role:
1. Log in using the Oracle software owner account (usually oracle) to the computer where Oracle Database is installed.
2. Go to the following directory, which is the default location for password files:
cd $ORACLE_HOME/dbs
3. Run the orapwd utility to create two copies of the password file: one with SYSDBA enabled and the second with SYSDBA disabled.
This way, you can enable or disable SYSDBA in the future by simply using the appropriate password file.
First, create a password file that disables SYSDBA:
orapwd file=$ORACLE_HOME/dbs/orapwdSID.sysdba_closed password=pwd nosysdba=y
Do not enter spaces around the equal (=) character.
Next, create a password file that enables SYSDBA:
orapwd file=$ORACLE_HOME/dbs/orapwdSID.sysdba_open password=pwd nosysdba=n
For more information on running orapwd, see "Enable or Disable Connections with the SYSDBA Privilege" in Oracle Database Vault Installation Guide.
4. Copy the password file to the $ORACLE_HOME/dbs directory, which is where Oracle Database checks for the password file.
cp -p orapwdSID.sysdba_open orapwdSID
When you are ready to disable the SYSDBA, you can enter the following command:
cp -p orapwdSID.sysdba_closed orapwdSID
Select Granted By Role Doesn't Work
Oracle 11.1.0.7.0 running on AIX
This is crazy. I don't know why it is happening or even how it is happening, but when I grant a role to a user they still cannot select from the granted tables and views.
CREATE ROLE RETROMAN_USERS NOT IDENTIFIED
GRANT SELECT ON YBP.DDA_STATUS_CODES TO RETROMAN_USERS
GRANT SELECT ON YBP.DEMAND_DRIVEN_ACTIVITY TO RETROMAN_USERS
GRANT SELECT ON YBP.V_DDA_STATUS_CODES TO RETROMAN_USERS
GRANT SELECT ON YBP.V_DEMAND_DRIVEN_ACTIVITY TO RETROMAN_USERS
GRANT RETROMAN_USERS TO SABEL WITH ADMIN OPTION
GRANT RETROMAN_USERS TO CKING
GRANT RETROMAN_USERS TO FCROWELL
GRANT RETROMAN_USERS TO HCAMPBELL
GRANT RETROMAN_USERS TO LJOHNSON
GRANT RETROMAN_USERS TO RWILLIAMS
GRANT RETROMAN_USERS TO LMONTCALM
When I try to Select * from ybp.Demand_Driven_Activity as hcampbell I get a "table or view does not exist" error, whereas other users get results using the same query. Any ideas? I am completely out of them. I am not a DBA and our company doesn't employ a DBA - scary, huh? Any help would be greatly appreciated.
Scott
OK, the user cannot select from the table...
$ sqlplus hcampbell@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 07:51:33 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from ybp.demand_driven_activity;
select * from ybp.demand_driven_activity
ERROR at line 1:
ORA-00942: table or view does not exist
-----
Let's grant the role and verify that the role is assigned and what privileges it has.
oracle@qa:/home/oracle
$ sqlplus sabel@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 07:53:21 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> grant retroman_users to hcampbell;
Grant succeeded.
SQL> select * from DBA_ROLE_PRIVS where grantee = 'HCAMPBELL';
GRANTEE GRANTED_ROLE ADM DEF
HCAMPBELL YBPREGUSER NO YES
HCAMPBELL OOPS NO YES
HCAMPBELL YBPENDUSER NO YES
HCAMPBELL RETROMAN_USERS NO NO
-----
The role does exist (I think) and has the following permissions
SQL> set linesize 132
SQL> Select * from role_tab_privs Where role = 'RETROMAN_USERS';
ROLE            OWNER  TABLE_NAME                COLUMN_NAME  PRIVILEGE  GRA
RETROMAN_USERS  YBP    DEMAND_DRIVEN_ACTIVITY                 SELECT     NO
RETROMAN_USERS  YBP    V_DEMAND_DRIVEN_ACTIVITY               SELECT     NO
RETROMAN_USERS  YBP    DDA_STATUS_CODES                       SELECT     NO
RETROMAN_USERS  YBP    V_DDA_STATUS_CODES                     SELECT     NO
SQL> exit
Disconnected from Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
-----
sys can't see the role though - but that may be normal...
$ sqlplus sys@devorcl as sysdba
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:30:34 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> Select * from role_tab_privs Where role = 'RETROMAN_USERS';
no rows selected
-----
The user still cannot select from the table
$ sqlplus hcampbell@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:39:46 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select * from ybp.demand_driven_activity;
select * from ybp.demand_driven_activity
ERROR at line 1:
ORA-00942: table or view does not exist
-----
let's try to make it a default role....
$ sqlplus sabel@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:42:59 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> ALTER USER HCAMPBELL DEFAULT ROLE YBPREGUSER, OOPS, YBPENDUSER, retroman_users;
User altered.
SQL> exit
-----
after the user logs out and then back on, now user can access the table.
oracle@qa:/home/oracle
$ sqlplus hcampbell@devorcl
SQL*Plus: Release 11.1.0.7.0 - Production on Wed Aug 22 08:47:57 2012
Copyright (c) 1982, 2008, Oracle. All rights reserved.
Enter password:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> Select Count(1) from ybp.demand_driven_activity;
COUNT(1)
161295
If I remove retroman_users from the default roles I can still access the table until I log out and then back in, so it must have something to do with default roles. I don't know why I didn't see this before, but the other users that were granted the retroman_users role and could access the table had their default role set to ALL. Sorry, I didn't give you all the information that you needed to help me; this might have helped:
CREATE USER HCAMPBELL
IDENTIFIED BY h
DEFAULT TABLESPACE DATASMALL
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK
-- 4 Roles for HCAMPBELL
GRANT YBPREGUSER TO HCAMPBELL
GRANT OOPS TO HCAMPBELL
GRANT YBPENDUSER TO HCAMPBELL
GRANT RETROMAN_USERS TO HCAMPBELL
ALTER USER HCAMPBELL DEFAULT ROLE YBPREGUSER, OOPS, YBPENDUSER
I guess I need to read more about default roles. Sorry for my belligerent responses.
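As an added example (not part of Scott's post), the Oracle SQL below turns what he found into a check: a role granted with DEFAULT_ROLE = 'NO' is inactive at login, and ROLE_TAB_PRIVS only lists roles the current session itself holds, which is why it returned no rows for SYS; DBA_TAB_PRIVS is used instead. RETROMAN_USERS and HCAMPBELL are the names from the thread.

```sql
-- Added check (not part of the thread). Run as an account that can read the
-- DBA_* views; RETROMAN_USERS and HCAMPBELL are the names used in the thread.

-- 1. Every grant of the role that is switched off at login for its holder:
--    these users have the role but none of its privileges until SET ROLE.
SELECT rp.grantee,
       rp.granted_role,
       rp.default_role,
       rp.admin_option
FROM   dba_role_privs rp
WHERE  rp.granted_role = 'RETROMAN_USERS'
AND    rp.default_role = 'NO'
ORDER  BY rp.grantee;

-- 2. The whole picture for one account: which of its roles are default, and
--    how many object grants reach it only through each role.  DBA_TAB_PRIVS
--    is used rather than ROLE_TAB_PRIVS, which only shows roles the querying
--    session holds itself (hence "no rows selected" as SYS above).
SELECT rp.granted_role,
       rp.default_role,
       COUNT(tp.table_name) AS object_grants_via_role
FROM   dba_role_privs rp
LEFT   JOIN dba_tab_privs tp ON tp.grantee = rp.granted_role
WHERE  rp.grantee = 'HCAMPBELL'
GROUP  BY rp.granted_role, rp.default_role
ORDER  BY rp.default_role, rp.granted_role;

-- 3. Fix: either name the complete list (as in the thread) or use ALL, as the
--    other users had, so future role grants are active at the next login.
--    Roles identified by a password cannot be made default roles.
ALTER USER hcampbell DEFAULT ROLE ALL;

-- 4. Confirm from the user's own session after reconnecting: the role has to
--    appear here for its object grants to apply.
SELECT role FROM session_roles ORDER BY role;
```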
Hi, I want to export a database schema which is protected by Database Vault.
Metalink Note 433887.1 describes this, but I receive errors.
expdp bernst/password schemas=HR file=/tmp/test
ORA-31626 job does not exist
ORA-31633 unable to create master table bernst.sys_export_schema_05
ORA-06512 at sys.dbms_sys_error
ORA-06512 at sys.KUPV$FT
ORA-01950 no privileges on tablespace USERS
any ideas?
Regards, Frank
This is late, but somebody will see it.
Be sure to do this.
First of all, create a user called pepe in this way.
create user pepe identified by PASSWORD default tablespace users temporary tablespace temp;
Then...
SQL> CREATE DIRECTORY datapump AS 'full_path';
SQL> GRANT EXP_FULL_DATABASE to pepe;
SQL> GRANT READ, WRITE ON DIRECTORY datapump to pepe;
You should be able then to run the expdp utility.
Alex.
Oracle Database Vault vs Audit Vault and database firewall
Hi All,
I would like to know the main difference between Oracle Database Vault and Oracle Audit Vault and Database firewall.
I have read all the white papers and documents on them both and find them very similar in work process.
Only difference I see in the pricing.
I feel Oracle audit Vault can do all the work of Database Vault with added feature of proactive session monitoring.
If someone can help me based on their knowledge and experience it would be appreciated.
Thank you.
I have read the white papers of both Database Vault and Audit Vault.
According to Database Vault, sessions can be managed using various roles created as per business requirements.
Audit Vault offers the same thing in terms of a firewall which manages and restricts based on the roles created.
From the white papers:
DATABASE VAULT:
Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access.
This enables you to apply fine-grained access control to your sensitive data in a variety of ways.
Oracle Database Vault enables you to create the following components to manage security for your database:
Realms
Command Rules
Factors
Rule Sets.
AUDIT VAULT AND DATABASE FIREWALL:
Oracle Audit Vault and Database Firewall consolidates database activity monitoring events and audit logs. Policies enforce expected application behaviour, helping prevent SQL injection, application bypass, and other malicious activities from reaching the database while also monitoring and auditing privileged users and other activities inside the database.
To me these sound very similar, doing the same work.
My apologies as I am unable to paste the whole text here and I cannot type full documents here.
SQL Text in DATABASE VAULT Events
I'm using Audit Vault 10.2.3.2 to collect audit data from a source database 11gR2 (11.2.0.1) protected with Database Vault. The DBAUD collector is collecting all the Database Vault Events, but in all cases the SQL Text column is empty.
The collector seems to be working fine, I've added the collector user to the Oracle Data Dictionary Realm and I've also granted dv_secanalyst to the user.
Are there any additional steps that have to be done in order to get the SQL Text?
Thanks.
In case anybody is interested, this error has been filed as bug 11818022 with Oracle Support.
Thanks.
Database Vault on e-Business suite R12
Hi,
As far as I know, Database Vault prevents even DBAs from querying the critical data from the database. Can somebody please tell me what advantage Database Vault on E-Business Suite offers in terms of security? I have installed Vault on my E-Business R12 database.
If the DBA has the password for both the system and apps schema, then he can access any critical information from the E-Business Suite database.
Thanks,
Prasad
Prasad,
Did you review "Section 1: Overview" in the following note? I believe it answers your question.
Note: 744363.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.3
https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=744363.1
In addition, please review the following links.
Oracle Database Vault 10.2.0.3 Certified with Apps 12
http://blogs.oracle.com/stevenChan/2008/05/oracle_database_vault_10203_ce.html
Oracle Database Vault
http://www.oracle.com/database/database-vault.html
Remember, someone always has the key (as mentioned in the other thread), which means the Realm Owner (created in Oracle Database Vault) has access to the Realm schemas.
Using Oracle Database Vault 10gR2 With Apps 11i
http://blogs.oracle.com/stevenChan/2008/02/using_oracle_database_vault_10.html
Oracle® Audit Vault Administrator's Guide Release 10.2.3.1
http://download.oracle.com/docs/cd/E13850_01/doc.102/e13841/toc.htm
Regards,
Hussein