DBA role and system privileges

Similar Messages

• User Roles and System Privilegies????

  I need to know “MY_USER” Roles and System Privilegies.
  What query do I have to execute?
  Thanks!

  Querying DBA_ROLE_PRIVS will give you the roles a user has been assigned. Querying DBA_SYS_PRIVS will give you the system privileges a user has been assigned.
  Justin
  Distributed Database Consulting, Inc.
  http://www.ddbcinc.com/askDDBC

• Differences Between Object And System Privileges

  Hi,
  Whats the difference between object and system privileges in oracle?
  Cheers
  Paul

  System Privileges
  A system privilege is the right to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the privileges to create tablespaces and to delete the rows of any table in a database are system privileges.
  Schema Object Privileges
  A schema object privilege is a privilege or right to perform a particular action on a specific schema object:
  For example, the privilege to delete rows from the departments table is an object privilege.
  Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges. Their use is controlled with system privileges. For example, to alter a cluster, a user must own the cluster or have the ALTER ANY CLUSTER system privilege.
  A schema object and its synonym are equivalent with respect to privileges. That is, the object privileges granted for a table, view, sequence, procedure, function, or package apply whether referencing the base object by name or using a synonym.
  Granting object privileges on a table, view, sequence, procedure, function, or package to a synonym for the object has the same effect as if no synonym were used. When a synonym is dropped, all grants for the underlying schema object remain in effect, even if the privileges were granted by specifying the dropped synonym.

• DBA role and privacy problem

  I have some problems understanding DBA role. I have DBA privs on a database (I'm a developer, not a DBA). Because of a privacy problem, I have not to select data in only one table of the database. A solution could be to encrypt rows of this table... This will be the last choice, because in this case I will have to rewrite some applications. So, I'm trying to create a new role in which I have all privileges except SELECT ANY TABLE. Then I will have to lose my DBA privs. During ordinary operations necessary to mantain my applications (like backup, import and export and so on...), I will have DBA privs granted again from the privacy manager only for the period necessary to mantain the site. After this period I have to sign a paper in which I declare I have not seen the records of that table. As you can imagine, this solution is very bad (during that period I can create 1000 users with dba privs...), but seems to be fine to the privacy manager.
  Now my problem is: after creating the role DBA_WSAT that is the DBA role without select any table, I can connect as sysdba again... Why? Which is the privilege that enable a user to connect as sysdba? Any suggestions will be appreciated to solve this bad situation...
  Thank you very much.
  Ste.

  You probably have an entry in the password file that needs to be removed if you are no longer a DBA.
  Have you considered auditing access to this sensitive table, either in addition to the current proposal or instead of it? That would be far more secure than signing the piece of paper periodically.
  Justin
  Distributed Database Consulting, Inc.
  http://www.ddbcinc.com/askDDBC

• Unable to authorize user using AccessControlService and user.roles and user.privileges are not set properly

  Hi,
  I am trying to enable/disable a feature based on user.roles.
  Added a constraint for that feature as below,
      <adfmf:constraints>
        <adfmf:constraint property="user.roles" operator="contains" value="manager" id="c1"/>
      </adfmf:constraints>
  In this case, Users have manager role should be able to access this feature.
  My AccessControlService response is
  {"userId" : "sales_mgr","roles" : [ "manager","MOO_OPPORTUNITY_SALES_MANAGER_DUTY","ZBS_ENT_SALES_MANAGER_DUTY"],"privileges" : [ "managerPriv","ZSF_DEFINE_SALES_FORECAST_PRIV","MOO_MANAGE_OPPORTUNITY_GROUP_SPACE_PRIV"]}
  Repsonse has "manager" as one such role.
  After adding constraint to the feature, am unable to access it.
  I tried many possibilities like  operator="contains" or "not" or "equal", but no use.
  I don't know what is going wrong. Appreciate you help.
  Thanks.

  If you are on 11.5.10 or greater or standalone 2.6.4 if you pass the responder value to wf_notification.respond API it should be updated in wf_notifications.responder column. The comments is now updated in wf_comments table against the notification id and not wf_notifications.user_comment column.
  Thanks, Vijay

• Question about Roles And priviledges

  I have designed my database and i have generated the ddl script. Now I want to design or somehow to create the system roles and system priviledges for every role.
  for example:
  CREATE ROLE DOCTOR;
  GRANT SELECT ON DOCTOR TO DOCTOR;
  So is there any way to do that from Enterprise manager or jdevelopper gui? Can I generate the dcl script somehow?

  aa8a14cf-4c39-4940-8315-e35d47cccb28 wrote:
  I know which roles and system privileges should be created. How am i gonna create them and generate the dcl script?
  You've been shown two variants on how to have "sql write sql" to create a script.  We assumed you know how to use sqlplus to run a script, and in this case to spool the output of the script we showed to create the script you want. (That was covered in my commend "I leave the details as an exercise for the student")
  Since you wanted a script we also assumed NOT using a GUI.  Live by the GUI, die by the GUI.
  But since it seems our assumptions were false ...
  Log on with sqlplus and do the following:
  set echo off feedback off verify off head off trimsp on tab off lines 512 pages 0
  spool doit.sql
  select 'grant '||privilege||' on '||owner||'.'||table_name||' to '|| role||';'  from ROLE_TAB_PRIVS WHERE ROLE='DOCTOR';
  spool off
  edit doit.sql
  After examining and doing a sanity check on 'doit.sql', you just execute it in sqlplus ..
  sql> @doit

• Role and privilege used by JDBC

  Is there any reqiured role and privilege used by JDBC?
  I use Oracle JDBC9203 for Oracle to connect Oracle8163, when executing certion codes, the JDBC raise a exception as below:
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:134)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:179)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:269)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.initCollElemTypeName(OracleTypeCOLLECTION.java:1026)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.getAttributeType(OracleTypeCOLLECTION.java:1056)
       at oracle.jdbc.oracore.OracleNamedType.getFullName(OracleNamedType.java:110)
       at oracle.jdbc.oracore.OracleTypeADT.createStructDescriptor(OracleTypeADT.java:2262)
       at oracle.jdbc.oracore.OracleTypeADT.unpickle81(OracleTypeADT.java:1656)
       at oracle.jdbc.oracore.OracleTypeUPT.unpickle81UPT(OracleTypeUPT.java:466)
       at oracle.jdbc.oracore.OracleTypeUPT.unpickle81rec(OracleTypeUPT.java:416)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody_elems(OracleTypeCOLLECTION.java:979)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody(OracleTypeCOLLECTION.java:923)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81(OracleTypeCOLLECTION.java:743)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION._unlinearize(OracleTypeCOLLECTION.java:242)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unlinearize(OracleTypeCOLLECTION.java:208)
       at oracle.sql.ArrayDescriptor.toJavaArray(ArrayDescriptor.java:963)
  I decompile "OracleTypeCOLLECTION.class", in funtion "initCollElemTypeName", i see a SQL as "select elem_type_name, elem_type_owner from all_coll_types where ....", this sql raise the error.
  Since all_coll_types is a system view of Oracle, i think the user connect to Oracle must have some role and privilege, it has connect role and execution privileges on some user-defined packages, is there any other role and privilege it needs? I don't like to grant DBA role to it for security reason.
  Very thanks for your reply.

  Can you post the code (Java and PL/SQL) that is being executed when this error is thrown? You don't need any particular privilege to execute PL/SQL via JDBC-- just the privileges you'd need to execute it in SQL*Plus or anywhere else.
  Justin
  Distributed Database Consulting, Inc.
  www.ddbcinc.com/askDDBC

• Lock sys and system user

  Dear all,
  We have 10.2.0.4 on solaris 10.
  Currently we had I.T audit on our environment and auditor commented to lock sys and system user and use one user with any name (not oracle generic name) and grant him sys and system privilege and to use this user for admin purposes. is this right ?.. is this recommended ?
  Please advise

  Hello,
  I think it's not a right way to lock SYS.
  More over, if you connect as OS Administrator (root for Unix/linux) on the server and use
  OS Authentification then, you can connect on SYS AS SYSDBA anyway.
  So, in fact, it's not possible to lock out SYS even if you execute the following:
  ALTER USER SYS ACCOUNT LOCK;If you want to prevent access on SYS you should set a complex and long password and
  apply the same rule for the Administrator / root OS user.
  These passwords must be known by very few and well - identified people and written nowhere
  (in any files or scripts).
  More over, you should limit DBA roles to SYS and SYSTEM and remove this powerful Role
  from other Oracle Users.
  Then, you may enable session AUDIT so as to control the connexion on the database and,
  create a LOGON TRIGGER so as to check the login, workstation, program of the end users
  who connect to the database.
  On 10g, EM DBConsole shows an alert everytime a User is connected with SYS.
  Please, find enclosed, an interesting document written by Pete Finigan on this topic:
  http://www.insight.co.uk/files/presentations/Hacking%20and%20securing%20Oracle.pdf
  Hope this help.
  Best regards,
  Jean-Valentin

• DBA role dropped

  Hi,
  I recently saw that the DBA role is missing from one of our databases and the connect privileges are revoked from almost all schemas in the database. I tried investing about how this. Initially I went to check the dba_audit_trail,unfortunately it's empty. Secondly I tried using log miner to analyse redo logs for last 5 days in short intervals. Analysing from V$LOGMNR_CONTENTS using a "DROP" filter on operation column,but still couldn't get anything. Can anyone suggest any other way to investigate this.

  If you had access to a database of the same version you could use the scripts from Pete Finnigan (http://www.petefinnigan.com/tools.htm) to see what privileges are given to the DBA role and re-create the role.
  On metalink there is Note: 1068678.6 How to Recreate DBA Role if Dropped. Last revision is 26-Nov-2002 and only mentions version 8.X.

• Roles and Object Scripts

  I need to know if someone has scripts to obtain this info or they know any tools that can be used...
  1. List of roles available in the database, their full description and circumstance used
  2. List of object and system privileges for every role.
  Best regards,
  Ashish nanda

  The view DBA_ROLES lists all roles in the database.
  The view DBA_ROLE_TAB_PRIVS lists all object grants granted to roles.
  The view DBA_ROLE_SYS_PRIVS lists all system privileges granted to roles.

• Encrypt sys and system tables

  How to encrypt/restrict sys and system tables so that no user can view them.
  On one of the database few user are having dba access.
  Is it possible to restrict their access on the dictionary tables.

  I have not heard of anyone encrypting the sys and system schemas, and suspect it is not possible due to the number of tools that need access to these tables and views (OEM, RMAN etc)
  Maybe the application needs to run "create user" or "select * from v$session", but this does not mean that it needs DBA role. Turn on tracing or auditing to find out what priveleges the application actually needs, then grant minimum priveleges and revoke DBA.
  In the worst case if the application won't start unless it has been granted a role called "DBA" then you may be able to revoke all priveleges from the DBA role and then grant them via a custom role called "MY_DBA", but there is potential for this to go very wrong, so test in a DEV environment first, and I doubt Oracle Support would approve.
  Or you could use Database Vault ....

• System Privileges, Object Privileges and Roles in Oracle 10g r2

  Hello,
  I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
  I have visited administrator reference manual and other documents from docs.oracle.com but could not fine this information.
  Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
  Thanks,
  R

  Rich V wrote:
  Hello,
  I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
  I have visited administrator reference manual and other documents from docs.oracle.com but could not fine this information.
  Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
  Thanks,
  RHi, you can use dba_role_privs,role_sys_privs views,for more information see
  http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/admusers.htm
  http://www.cuddletech.com/articles/oracle/node36.html

• Create new user same as a existing roles and Privileges

  Hi Team,
  I am a junior DBA. New user Joined in Application team. So, Client requested me.....
  Crerate new user with same privileges as like as existing user.
  As of now i am creating user like "create user username identified by "password". Then grant privileges to that user. earliar I never comapare or copied users.
  Please suggest any one how to create new user as like as existing user roles and privileges.
  Thanks,
  Venkat

  For basic cloning:
  select dbms_metadata.get_ddl('USER', '...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_granted_DDL(‘TABLESPACE_QUOTA’, ‘...’) FROM dual;
  Then just replace the username with the new one you want to create.

• Roles/System privileges/Object privileges

  Oracle 10g. we created a role and assigned this role to the user. We also assigned some system privileges and Object privileges directly to the same user. Now the company's new policy is that the user's permissions have to be assigned only via role. system privileges and Object privileges cannot be assigned directly to the user. So I have to alter the role. The steps are:
  1. grant system privileges and Object privileges to role. (this will be executed as a script)
  These privileges were directly assigned to the user.
  2. revoke all privileges which were directly assigned to the user.
  Do I miss anything?
  Please advise.
  Thanks
  S.

  Object privileges cannot be assigned directly to the user.Privileges acquired via ROLE do not apply within PL/SQL procedures.
  You may face some coding challenges in the future due to this policy.

• Role and Privileges for OLAP metadata

  Hi,
  Is there any document which specifies what all roles and privileges are required for creating any OLAP meta data ( Dimension, Cube, Measure and Catalog etc)?
  I think these are impt roles:-
  SELECT_CATALOG_ROLE
  EXECUTE_CATALOG_ROLE
  DELETE_CATALOG_ROLE
  RECOVERY_CATALOG_OWNER
  OLAP_DBA
  OLAP_USER
  Through system/manager I created one user TEST_BI_OLAP and granted CONNECT.
  After login as TEST_BI_OLAP I am able to create dimension. Why it is possible whereas doc says user should have OLAP_USER or OLAP_DBA role associated with it.
  OR only CONNECT is sufficient for creating OLAP metadata!!!!!
  regds
  P

  The difference is in what the end user sees. Say you want to deploy an analytical workspace based off of a ROLAP dimensional cube. Here is how I've been approaching the problem:
  1. Create a new user with the OLAP_USER role to hold the AW (say "AW_USER")
  2. Now log in with a userid that has OLAP_DBA role, and create the AW utilizing the ROLAP cube - but direct the AW to be stored in the AW_USER schema. Note that because it is in a separate schema from the ROLAP cube, you will not need to append characters to the dimension or measure names.
  3. Have end users log in using the AW_USER name. Then they will see the AW information, but they will not have access to the ROLAP cube data.
  Hope this helps,
  Scott