Establishing Enterprise Users Under OracleAS 10gR3

I'm interested in establishing 10gR2 database users as “Schema-Independent Global Users” as identified in the Database Administrators Guide. The reason for this is that our web-based application currently uses the “One Big Application User Approach” of logging into the database, which is inherently bad for database auditing (among other things). I’d like to switch to the “Proxy Authentication Integrated with Enterprise User Security” method as discussed in the Oracle Database Security Guide 10g Release 2 (10.2). It’s the “Enterprise User Security” aspect that I need some guidance on.

The Database Enterprise User Administrator's Guide 10g Release 2 (10.2) (last released in June 2005) talks about how to establish “Enterprise Users” in an OID that includes an identity management realm. It also states that “OracleAS SSO must be installed and configured to authenticate enterprise user security administrators when they log in to the Enterprise Security Manager Console, an element of Enterprise Security Manager.” So, essentially this document covers how to establish and administer Enterprise Users under OracleAS10g (9.0.4).

I'm interested in using OracleAS 10gR3 10.1.4.0.1 but it looks like Oracle has moved the Identity Management pieces (OID, SSO, Certificate Authority, etc.) around from R2 (OracleAS Infrastructure Installation) to R3 and introduced "Oracle Identity Management".

What specifically do I download under OracleAS 10gR3 (OracleAS or Identity Management) and if it's OracleAS what type of install would be required to end up with the required OID and SSO components?

Thank you.

Thanks Martin. The repackaging of the identity management pieces (OID, SSO, DAS, etc.) under OracleAS 10gR3 (as compared to versions prior to 10gR3) threw me for a loop. I was looking for these pieces in the OracleAS 10gR3 download at:
http://www.oracle.com/technology/software/products/ias/htdocs/1013.html
and those pieces aren't in that distribution any longer.

Similar Messages

  • Get error while Integrating with Oracle's Enterprise User Security

    Hi,
    I am trying to create an Oracle Enterprise User integrating with OVD and MS Active Directory.
    I am following all the steps in Integrating with Oracle's Enterprise User Security.
    In the documentation section: "Configuring Oracle Virtual Directory for the Integration"
    I have applied the steps successfully until:
    Update and load the entries into the Local Store Adapters by performing the following steps:
    I have successfully extended the Oracle Virtual Directory schema with the loadOVD.ldif
    However I am getting errors in the next step: Update realmRoot.ldif to use your namespaces
    The next step states the following:
    Update realmRoot.ldif to use your namespaces, including the dn, dc, o, orclsubscriberfullname,
    and memberurl attributes in the file. If you have a DN mapping between Active Directory and
    Oracle Virtual Directory, use the DN that you see from Oracle Virtual Directory.
    The realmRoot.ldif file is located in ORACLE_VIRTUAL_DIRECTORY_HOME/eus,
    where ORACLE_VIRTUAL_DIRECTORY_HOME represents the location where Oracle Virtual Directory is installed.
    The realmRoot.ldif file contains core entries in the directory namespace that Enterprise User Security queries. The realmRoot.ldif file also contains the dynamic group that contains the registered Enterprise User Security databases to allow secured access to sensitive Enterprise User Security related attributes, like the user's Enterprise User Security hashed password attribute.
    Load your domain root information in the realmRoot.ldif file into Oracle Virtual Directory using the following command:
    ldapmodify -h Oracle_Virtual_Directory_Host -p OVD_Port -D cn=admin -w Admin_Password -v -a -f realmRoot.ldif
    When I run the ldapmodify command I get the following error:
    add dc:
    testldap
    add objectclass:
    top
    domain
    domainDNS
    adding new entry DC=testldap,DC=local
    ldap_add: Operations error
    ldap_add: additional info: LDAP Error 1 : null
    The actual realmRoot.ldif looks like this:
    # Please uncomment the following one line if you are importing this
    # LDIF file via OVD Manager or OVD Server's ldapmodify tool.
    #version: 1
    #dn: dc=com
    #dc: com
    #objectclass: domain
    dn: DC=testldap,DC=local
    changetype: add
    dc: testldap
    #o: subarashii
    objectclass: top
    objectclass: domain
    objectclass: domainDNS
    #objectclass: orclSubscriber
    #orclsubscriberfullname: subarashii
    #orclVersion: 90400
    # If your domain structure has more layers than dc=subarashii,dc=com,
    # for example, it's dc=us,dc=subarashii,dc=com, you will need to load
    # the following ldif entry/entries too.
    # Uncomment out the following, if required.
    #dn: dc=us,dc=subarashii,dc=com
    #orclversion: 90400
    #orclsubscriberfullname: us
    #objectclass: domain
    #objectclass: top
    #objectclass: orclSubscriber
    #dc: us
    # Adding EUSDBGroup entry
    # Modify the memberurl attribute and replace it with your own domain name
    #dn: cn=EUSDBGROUP,dc=subarashii,dc=com
    #cn: EUSDBGROUP
    #memberurl:ldap:///dc=subarashii,dc=com??sub?(&(objectclass=orclService)(objectclass=orclDBServer))
    #objectclass:groupofuniquenames
    #objectclass:groupofurls
    #objectclass:top

    Did you ever get your questions answered about the realmRoot.ldif file? Did you manage to configure a successful integration of OVD with EUS? I am battling with trying to get Oracle Virtual Directory integrated with Enterprise User Security, but every step I take in Chapter 7 of the OVD manual fails in some way, and the instructions are often vague. I am not sure how to modify the realmRoot.ldif file. Is there any improved documentation on this? I have logged a Service Request, but not getting any help. Any resources or documentation you know of that provides better guidance would be much appreciated. I am way behind my schedule now and this is a very frustrating exercise.
    Thanks.

  • Oracle Enterprise User, OVD and MS Active Directory (AD)

    Hi,
    I need to authenticate Oracle Users from MS Active Directory.
    If I create an Oracle Enterprise User, can I just use OVD or do I also need OID?
    If the answer is YES, I just need OVD do I need just to install OVD or do I need any other installation from OIM in order for it to work?
    Thanks in advance for answering this post : )
    CMT

    Hi,
    I am not sure that you are correct.
    In the meantime, someone mentioned a white paper to read: "Directory Services Integration with Database Enterprise User Security". On page 10 it mentions a scenario: EUS deployment using Active Directory and OVD (without OID).
    The cons mentioned are: Need to extend the AD schema to include EUS meta-data (which I am not sure how it's done).

  • Starting Oracle Application Server as a particular user under windows

    Hi All,
    I am wondering if there is any way of starting the Oracle Application Server with a users default operating system environment variables set.
    The reason I ask this, is that we have deployed a webapp which contains a piece of software which needs to be run on the command line for generating reports using the reports 6i client (rwcli60). We have had issues with this in regards to the application not finding a proper service under Oracle Application Server.
    Our company then had to revert going back to a Apache/Tomcat setting and deploying the same web app on the tomcat server. Originally we were getting the same error. As a consequence we decided to change the user who runs tomcat as the same user who runs the oracle reports 6i server. This worked.
    Also of note is that when this was done, the Tomcat server has ALL the environment settings of the OS user. This can easily be seen by using the Runtime.exec("cmd /c set") command and printing its output. However, executing the same command with an Oracle App Server results in a dramatically reduced environment compared to that of the logged-in user who started the app server.
    Any help would be most helpful.
    Cheers
    Rodney

    Hi All,
    From much research and experimenting to get this to work I looked at the java.lang.Runtime class and noticed that separate processes can be started using this very important Java class.
    The first thing that I experimented with was in regards to seeing the environment OC4J runs against. Using the java.lang.Runtime class I executed a standard "cmd /c set" command in my Windows environment, and noticed that Oracle Application Server uses its own environment and not a standard windows login environment for its OC4J containers. Apache Tomcat on the other hand uses the standard user login environment.
    So to get the application to be able to work properly we needed to override the particular environment the process needed to be able to get it to work. There is an exec command which allows you to override completely the environment for a process you would like to run. This method call does not in any way, shape or form change the standard OC4J environment. This was done by executing the same "set" but with the overridden environment. Note that no environment variables from the OC4J container are carried into this new environment.
    Cheers
    Rodney

  • Oracle BPM Enterprise User Guide

    I want to know about the importance of using Oracle BPM Enterprise. Can anyone help with where I can get the "Oracle BPM Enterprise User Guide" document?
    Edited by: user613889 on May 7, 2010 3:16 AM

    Here's where you can find all of the Oracle BPM 10g documentation: http://download.oracle.com/docs/cd/E13154_01/bpm/docs65/index.html
    Oracle BPM Studio 10g
    Oracle BPM Studio is the integrated development and test environment where business analysts and developers can create, document and simulate process models, integrate services, create business rules and logic and create end user interfaces. Projects built in Studio can be deployed to Oracle BPM Enterprise. Although Studio has a small database (Derby) and Tomcat environment, these are only used for rapid testing. Studio's end user Workspace looks the same as Enterprise, but is limited to the number of concurrent users and the Workspace login only has a user id field and no password because it is only used for rapid and iterative testing. As a result, you cannot and should not use Studio's Workspace as your production environment.
    Oracle BPM Enterprise 10g
    Oracle BPM Enterprise is the production environment. At its heart, it has an engine that manages and executes the business services according to rules in the designed process models. The platform supports high-availability, fail-over and backup capabilities for mission critical processing. The engine is J2EE compliant or can run separately on a standalone JVM. When run on a J2EE application server, the Engines can be clustered.
    Work item instance information is automatically persisted in the Engine's database tables as the instances flow through processes.
    Orchestrated processes running on the engine are automatically exposed as Web services and executed across both internal and external processes and other applications.
    Oracle BPM Enterprise engines are managed through the Oracle BPM Process Administrator Console. This is a web-based client that enables administrators to monitor and administer the Engines remotely.
    The Oracle BPM Enterprise engine is exposed via both a Java Process Application Program Interface (PAPI) and a web service API (PAPI-WS).
    Dan

  • Move grid standalone installation under oracle user

    Dear Experts,
    I have a requirement from the customer to move a recent 11gR2 grid standalone infrastructure from grid os user to Oracle os user.
    We don't want to disturb the installed database and ASM.
    I am wondering if there is any easy / quick way to do it? For example make the grid user equivalent to the oracle user ? Kindly provide the steps.
    My OS is Redhat Linux 5.
    Best Regards,
    D
    PS: I know Oracle recommends role separation grid vs Oracle os user. But that's a customer requirement

    Thank you. I understand of that I have to deinstall and make new fresh install of grid standalone under oracle user. Is it correct?

  • Enterprise User Security (EUS) with Oracle RAC database

    Hi all,
    I'm experiencing a problem configuring centralized AAA on Oracle OID for Oracle RAC Database.
    My environment is:
    1) Oracle OID 10g (192.168.15.245 - rh4oidserver.klab.it)
    2) Oracle RAC database 11g
    I successfully configured a standalone Oracle Database to authenticate users in the OID centralized repository, but I'm experiencing a different problem doing the same thing with RAC.
    In depth:
    1) Oracle RAC works correctly and internal users (SYS, Oracle, etc.) are correctly authenticated and authorized against the database
    2) Oracle RAC registers itself in OID (see attached snapshot)
    3) I run sqlplus to connect to Oracle RAC using OID users and I get the following error: ORA-28030 Server encountered problems accessing LDAP directory service
    Using a sniffer, I can see a reset message after the SSL handshake (SSL v3 encrypted alert), but I don't understand the root cause....
    Host file on RAC server is:
    # Do not remove the following line, or various programs
    # that require network functionality will fail.
    127.0.0.1          localhost.localdomain localhost
    ::1          localhost6.localdomain6 localhost6
    # Public
    192.168.15.177          orclrac1.klab.it orclrac1
    192.168.15.178 orclrac2.klab.it orclrac2
    #Private
    192.168.1.100          orclrac1-priv.klab.it orclrac1-priv
    192.168.1.105 orclrac2-priv.klab.it orclrac2-priv
    #Virtual
    192.168.15.88 orclrac1-vip.klab.it orclrac1-vip
    192.168.15.96 orclrac2-vip.klab.it orclrac2-vip
    92.168.15.184 openfiler.klab.it openfiler
    192.168.1.90 openfiler-priv.klab.it openfiler-priv
    192.168.15.246     acti.klab.it acti
    #192.168.1.245 rh4oidserver.klab.it rh4oidserver
    192.168.15.245 rh4oidserver.klab.it rh4oidserver
    tnsname.ora is:
    # tnsnames.ora Network Configuration File: /u01/app/oracle/product/11.1.0/db_1/network/admin/tnsnames.ora
    # Generated by Oracle configuration tools.
    RACDB1 =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = racdb.klab.it)
          (INSTANCE_NAME = racdb1)
        )
      )
    RACDB =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac2-vip)(PORT = 1521))
        (LOAD_BALANCE = yes)
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = racdb.klab.it)
        )
      )
    LISTENERS_RACDB =
      (ADDRESS_LIST =
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac2-vip)(PORT = 1521))
      )
    RACDB2 =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac2-vip)(PORT = 1521))
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = racdb.klab.it)
          (INSTANCE_NAME = racdb2)
        )
      )
    ldap.ora is:
    # ldap.ora Network Configuration File: /u01/app/oracle/product/11.1.0/db_1/network/admin/ldap.ora
    # Generated by Oracle configuration tools.
    DIRECTORY_SERVERS= (rh4oidserver.klab.it:389:636)
    DEFAULT_ADMIN_CONTEXT = "dc=dbtest101,dc=klab,dc=it"
    DIRECTORY_SERVER_TYPE = OID
    sqlnet.ora is:
    # sqlnet.ora.orclrac1 Network Configuration File: /u01/app/oracle/product/11.1.0/db_1/network/admin/sqlnet.ora.orclrac1
    # Generated by Oracle configuration tools.
    NAMES.DIRECTORY_PATH= (LDAP,TNSNAMES)
    WALLET_LOCATION =
      (SOURCE =
        (METHOD = FILE)
        (METHOD_DATA =
          (DIRECTORY = /u01/app/oracle/admin/racdb)
        )
      )
    listener.ora is:
    # listener.ora.orclrac1 Network Configuration File: /u01/app/oracle/product/11.1.0/db_1/network/admin/listener.ora.orclrac1
    # Generated by Oracle configuration tools.
    LISTENER_ORCLRAC1 =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521)(IP = FIRST))
          (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.15.177)(PORT = 1521)(IP = FIRST))
        )
      )
    LISTENER_ORCLRAC2 =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = orclrac1-vip)(PORT = 1521)(IP = FIRST))
          (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.15.178)(PORT = 1521)(IP = FIRST))
        )
      )
    Thank's in advance for any help or suggestion.
    Antonio

    Hello bipkary,
    what version are you using?
    the following link tells you everything about EUS in oracle10g R2:
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14269/toc.htm

  • Adding all users under one subtree to a role

    Hi,
    We have a role called PaymentsGroup under cn=Groups,dc=companyname,dc=com
    There are subtrees which contain many users, which are categorised by city and country.
    Example :
    cn=michael wood,ou=users,ou=cal,ou=us,ou=dept1,cn=users,dc=companyname,dc=com
    cn=harry wilson,ou=users,ou=lon,ou=uk,ou=dept1,cn=users,dc=companyname,dc=com
    Can we add the subtree (upper level) onto the group so all users under that subtree will get granted to the role?
    Example : ou=users,ou=ny,ou=us,ou=dept1,cn=users,dc=companyname,dc=com
    Thanks!

    Hi,
    To clarify, are you talking about the Role mechanism defined by DSEE as described at Managing Roles - Oracle Directory Server Enterprise Edition Administration Guide?
    -Sylvain

  • How to configure Enterprise User Security ?

    Hi All,
    I am following the Oracle document for setting up Enterprise User Security between OID 11g and database 11g, but right now if I click on the "Enterprise User Security" link in the Security section under the Server tab, I am getting an HTTP 500 internal error. Please kindly provide your inputs.
    Regards,
    Senthil.

    Hi,
    You don't so much configure enterprise voice for federation, you just configure enterprise voice. Then when you configure your environment for federation, the voice features will take care of themselves. The two are separate components / features.
    But you'll need to be a little more specific; are the two user forests using the same Lync environment through a forest trust(s) (resource or central forest topologies)? If they are, then you don't need to do anything with federation for these two forests to leverage enterprise voice between their users - it will just work. However, if each user forest is using a separate Lync environment, then you will need to configure federation between the two and make use of Lync Edge servers.
    You can enable enterprise voice for users without an SBC or gateway; this component is used merely to connect your Lync platform to the PSTN. You may also use a direct SIP trunk to your mediation server as you have alluded to, although I never recommend this in production for security reasons (which I feel others will back me on); it is still a supported option.
    Let me know if I've interpreted this completely wrong.
    Kind regards
    Ben

  • API for creating new User in Oracle E-Business Suite through BPEL

    Hello,
    I would like to use a BPEL process to create a new User in Oracle E-Business Suite. In the Integration Repository I was able to find an API called FND_USER_PKG/LOAD_ROW that creates/updates Application's User data. Is this the API I should be using? If so, I would like to better understand how to use this API.
    I have created a simple BPEL process and added an Oracle Application Service, which uses this FND_USER_PKG/LOAD_ROW API. I set the following parameter before Invoking the Oracle Application Service: X_USER_NAME, X_ENCRYPTED_USER_PASSWORD and X_START_DATE. When I run the BPEL process I get the following error. I suspect that I am not passing all the required input parameters. Does anyone have any sample data I can use to get this API to load correctly? If I am using the wrong API, please let me know.
    Please note, I have also posted this question to the SOA Suite and BPEL discussion forums...
    Thank you kindly!
    Christine
    <input>
      <Invoke_OracleEBS_SecurityUser_InputVariable>
        <part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="InputParameters">
          <InputParameters xmlns:db="http://xmlns.oracle.com/pcbpel/adapter/db/APPS/FND_USER_PKG/LOAD_ROW/" xmlns="http://xmlns.oracle.com/pcbpel/adapter/db/APPS/FND_USER_PKG/LOAD_ROW/">
            <db:X_USER_NAME>CRILEY</db:X_USER_NAME>
            <db:X_ENCRYPTED_USER_PASSWORD>CRILEY</db:X_ENCRYPTED_USER_PASSWORD>
            <db:X_START_DATE>2009-01-01</db:X_START_DATE>
          </InputParameters>
        </part>
      </Invoke_OracleEBS_SecurityUser_InputVariable>
    </input>
    <fault>
      <bindingFault xmlns="http://schemas.oracle.com/bpel/extension">
        <part name="code">
          <code>20001</code>
        </part>
        <part name="summary">
          <summary>
          file:/E:/product/10.1.3.1/OracleAS_1/bpel/domains/default/tmp/.bpel_OracleEBS_OnBoarding_1.0_d71e16636aa9ff51b9975926da6faeb2.tmp/OracleEBS_SecurityUser.wsdl OracleEBS_SecurityUser_ptt::OracleEBS_SecurityUser(InputParameters) - WSIF JCA Execute of operation 'OracleEBS_SecurityUser' failed due to: Error while trying to prepare and execute an API.
          An error occurred while preparing and executing the APPS.FND_USER_PKG.LOAD_ROW API. Cause: java.sql.SQLException: ORA-20001: APP-FND-02600: Unable to create user CRILEY due to the following reason(s):
          Unabled to call fnd_ldap_wrapper.create_user due to the following reason:
          ORA-20001: Unabled to call fnd_ldap_wrapper.create_user due to the following reason:
          An unexpected error occurred. Please contact your System Administrator...
          ORA-06512: at "APPS.APP_EXCEPTION", line 72
          ORA-06512: at "APPS.FND_USER_PKG", line 783
          ORA-06512: at "APPS.FND_USER_PKG", line 916
          ORA-06512: at "APPS.FND_USER_PKG", line 1035
          ORA-06512: at "APPS.FND_USER_PKG", line 645
          ORA-06512: at line 1

    Hello and thank you for your response. I am new to using APIs so please excuse my inexperience... I am not sure how to run the API outside of BPEL... Is that something you could easily walk me through?
    I have made the following changes in BPEL based on your recommendation: 1) Added Oracle Application Service and used the API, LDAP_WRAPPER_CREATE_USER, found in the Oracle Application Module Browser under: Applications Technology (ATG_PF) > User Management (UMX) > User (FND_USER) > PLSQL > User (FND_USER_PKG) > LDAP_WRAPPER_CREATE_USER
    2) Set the following parameter prior to Invoking the Oracle App Service: X_USER_NAME, X_UNENCRYPTED_PASSWORD,X_START_DATE, X_END_DATE, X_DESCRIPTION, X_EMAIL_ADDRESS, X_FAX, X_EXPIRE_PWD.
    3) Deploy and run BPEL through BPEL Control.
    I get the following error on the Invoke. Do you see any issues with the values I am passing in the input? Any idea why I am getting this error? Is there anything that I need to have configured for the API to work correctly, other than adding an Oracle Application Service in the BPEL?
    Thank you for your time,
    Christine
    Faulted while invoking operation "OracleEBS_LDAP_Create_User" on provider "OracleEBS_LDAP_Create_User".
    <messages>
      <input>
        <Invoke_OracleEBS_LDAP_Create_User_InputVariable>
          <part xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="InputParameters">
            <InputParameters xmlns:db="http://xmlns.oracle.com/pcbpel/adapter/db/APPS/FND_USER_PKG/LDAP_WRAPPER_CREATE_USER/" xmlns="http://xmlns.oracle.com/pcbpel/adapter/db/APPS/FND_USER_PKG/LDAP_WRAPPER_CREATE_USER/">
              <db:X_USER_NAME>CRILEY</db:X_USER_NAME>
              <db:X_UNENCRYPTED_PASSWORD>CRILEY</db:X_UNENCRYPTED_PASSWORD>
              <db:X_START_DATE>2009-01-01</db:X_START_DATE>
              <db:X_END_DATE>2010-01-01</db:X_END_DATE>
              <db:X_DESCRIPTION>CRILEY</db:X_DESCRIPTION>
              <db:X_EMAIL_ADDRESS>[email protected]</db:X_EMAIL_ADDRESS>
              <db:X_FAX>999-888-7777</db:X_FAX>
              <db:X_EXPIRE_PWD>0</db:X_EXPIRE_PWD>
            </InputParameters>
          </part>
        </Invoke_OracleEBS_LDAP_Create_User_InputVariable>
      </input>
      <fault>
        <bindingFault xmlns="http://schemas.oracle.com/bpel/extension">
          <part name="code">
            <code>20001</code>
          </part>
          <part name="summary">
            <summary>
            file:/D:/product/10.1.3.1/OracleAS_1/bpel/domains/default/tmp/.bpel_OracleEBS_OnBoarding_1.0_d71e16636aa9ff51b9975926da6faeb2.tmp/OracleEBS_LDAP_Create_User.wsdl OracleEBS_LDAP_Create_User_ptt::OracleEBS_LDAP_Create_User(InputParameters) - WSIF JCA Execute of operation 'OracleEBS_LDAP_Create_User' failed due to: Error while trying to prepare and execute an API.
            An error occurred while preparing and executing the APPS.FND_USER_PKG.LDAP_WRAPPER_CREATE_USER API. Cause: java.sql.SQLException: ORA-20001: Unabled to call fnd_ldap_wrapper.create_user due to the following reason:
            ORA-20001: Unabled to call fnd_ldap_wrapper.create_user due to the following reason:
            An unexpected error occurred. Please contact your System Administrator..
            ORA-06512: at "APPS.APP_EXCEPTION", line 72
            ORA-06512: at "APPS.FND_USER_PKG", line 3877
            ORA-06512: at line 1
    Edited by: Christine Riley on Jan 28, 2009 1:22 PM
    Edited by: Christine Riley on Jan 28, 2009 1:26 PM

  • Create Read Only User in Oracle 10.2.0.4

    Hi., Friends,
    I want to create a user in Oracle 10.2.0.4 with read-only rights on my whole database. I do not have Enterprise Manager Console, so I want to create it from the command prompt. Can you please explain the steps to create a user and assign a read-only role to it?
    Regards
    Mahendran

    Hi Mahendra,
    I am happy with Surendrajain's reply, but with this SQL you will not be able to view the data present in the SAP schema.
    The entire SQL query with the comments in brackets is given below:
    1) create user PPMTEST identified by program1;
    2) Create role PPMROLE;                      { PPMROLE is the role name which will be later assigned to the user PPMTEST }
    3) Grant CONNECT to PPMROLE;                 { CONNECT role allows the user to connect to the Oracle database }
    4) Grant SELECT_CATALOG_ROLE to PPMROLE;     { SELECT_CATALOG_ROLE role allows the user to view the Oracle data dictionary }
    5) GRANT SELECT ANY TABLE to PPMROLE;        { "SELECT ANY TABLE" privilege allows the user to view the tables present in the SAP schema }
    6) Grant PPMROLE to PPMTEST;                 { Assigning the role PPMROLE to the user PPMTEST }
    7) COMMIT;
    Thanks and Regards
    Debdeep
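
    A narrower variant of the grants in the reply above, as an added example that is not part of the original post: it gives SELECT on the tables and views of one schema through a role instead of SELECT ANY TABLE and SELECT_CATALOG_ROLE. The names APP_OWNER, RO_APP_ROLE and RO_USER and the password placeholder are assumptions; run it in SQL*Plus as a DBA.

```sql
-- Added example. APP_OWNER (schema to expose), RO_APP_ROLE and RO_USER
-- are hypothetical names; replace the password placeholder before running.
SET SERVEROUTPUT ON

CREATE ROLE ro_app_role;

-- CREATE SESSION is the only system privilege a read-only login needs.
GRANT CREATE SESSION TO ro_app_role;

-- Object-level SELECT on every table and view of one schema.
BEGIN
  FOR obj IN (SELECT owner, object_name
                FROM dba_objects
               WHERE owner = 'APP_OWNER'
                 AND object_type IN ('TABLE', 'VIEW')
               ORDER BY object_name)
  LOOP
    BEGIN
      -- ENQUOTE_NAME quotes the identifier and rejects embedded quotes,
      -- so an oddly named object cannot alter the GRANT statement.
      EXECUTE IMMEDIATE 'GRANT SELECT ON '
        || DBMS_ASSERT.ENQUOTE_NAME(obj.owner, FALSE) || '.'
        || DBMS_ASSERT.ENQUOTE_NAME(obj.object_name, FALSE)
        || ' TO ro_app_role';
    EXCEPTION
      WHEN OTHERS THEN
        -- Report and continue (for example, recycle-bin objects).
        DBMS_OUTPUT.PUT_LINE('skipped ' || obj.object_name || ': ' || SQLERRM);
    END;
  END LOOP;
END;
/

CREATE USER ro_user IDENTIFIED BY "<choose-a-strong-password>";
GRANT ro_app_role TO ro_user;

-- Check 1: the role carries no system privilege beyond CREATE SESSION.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'RO_APP_ROLE';

-- Check 2: every object privilege held by the role is SELECT.
SELECT privilege, COUNT(*) AS objects
  FROM dba_tab_privs
 WHERE grantee = 'RO_APP_ROLE'
 GROUP BY privilege;
```

    Tables created in the schema later are not covered until the grant loop is run again.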

  • Performance of PL/SQL-packages under Oracle 11gR2

    Under Oracle 9i I have used PL/SQL-packages/procedures to perform complicated initializations of the tables of a database schema.
    This was always a long job ... but an execution time of about 4 hours was acceptable!
    Now I changed to Oracle 11g.
    And now there is the following behaviour:
    When I create a NEW instance of the database and then create the schema the execution time ( using the same PL/SQL-packages as in Oracle 9i ) is more than 12 hours which is not acceptable anymore!
    When I only drop the schema ( in the EXISTING instance ) with a drop user (owner of the schema) cascading and then create the schema again the execution time for the same initialization is less than 3 hours which is OK.
    Does anyone have an idea about the reason for such a 'strange' behaviour?
    ... Or does anyone have a hint where I could look for such reasons?

    Hi,
    did you compare the execution plan in 9i and 11g R2?
    when you go to 11gR2, did you keep the statistic of the 9i, so if any regression, 11g can use 9i plan?
    thanks

  • Setting Application Context Attributes for Enterprise Users Based on Roles

    Hello,
    We have an Oracle 11g database with a table containing data from multiple sites (a SiteID field identifies the site for a record). Since application users can have access to different subsets of sites, we would like to use Oracle's Virtual Private Database feature to enforce row-level security on the table.
    I did a successful proof-of-concept with database users. I created a role for each site (example: USER_SITE_A, USER_SITE_B, ...), and then assigned the appropriate site roles to each database user. I then created a package (run via a logon trigger) which set application context attributes for each site. If the current database user has been assigned a role for a given site, then the corresponding attribute named "SITE_PRIVILEGE_SiteID" is set to 'Y'... otherwise, it is set to 'N'. Here is the code which worked to set application context attributes for database users:
    -- For each record in my RoleSitePrivileges table, set
    --   an attribute named 'SITE_PRIVILEGE_<SiteID>'.
    --   If the current user has been assigned a role matching
    --   the value in the 'RoleName' field, set the corresponding
    --   attribute to 'Y'... otherwise, set it to 'N'.
    FOR iPrivRec IN (SELECT RoleName, SiteID
                       FROM RoleSitePrivileges
                       ORDER BY SiteID)
       LOOP
          SELECT COUNT(*)
            INTO roleExists
            FROM dba_role_privs
            WHERE granted_role = UPPER(iPrivRec.RoleName)
              AND grantee = USER;
          IF roleExists > 0 THEN
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'Y');
          ELSE
             DBMS_SESSION.set_context(
                         namespace   => 'my_ctx',
                         attribute   => 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                         value       => 'N');
          END IF;
       END LOOP;
    To finish things off, I created a security policy function for the table which returns the following:
    RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 16))
                         FROM session_context
                         WHERE attribute LIKE ''SITE_PRIVILEGE_%''
                            AND value = ''Y'')';
    This setup worked great for database users. I am now working to do a comparable proof-of-concept for enterprise users created in Oracle Internet Directory (OiD). I have Enterprise User Security (EUS) up and running with OiD, global roles created in the database, enterprise roles defined in EUS with global role assignments, and enterprise roles assigned to OiD users. The enterprise users are able to successfully login to the database, and I can see the appropriate global role assignments when I query the session_roles view.
    I tried using the same application context package, logon trigger, and security policy function with the enterprise users that I had used with the database users. Unfortunately, I found that the application context attributes are not being set correctly. As you can see from the code above, the application context package was referencing the dba_role_privs view. Apparently, although this view is populated for database users, it is not populated for enterprise users.
    I tried changing the application context package to use invoker's rights and to query the session_roles view instead of the dba_role_privs view. Although this package sets the attributes correctly when called manually, it does not work when called from the logon trigger. That was an oops on my part, as I didn't realize initially that a PL/SQL procedure cannot be called with invoker's rights from a trigger.
    So, I am now wondering, is there another view that I could use in code called from a logon trigger to access the roles assigned to the enterprise user? If not, is there a better way for me to approach this problem? From a maintenance standpoint, I like the idea of controlling site access from the LDAP directory service via role assignments. But, I am open to other ideas as well.
    Thank you!
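The database-user setup described in the post above (application context, logon trigger, policy function), wired together end to end as an added example that is not the poster's code. The schema `sec_admin`, the table `app.site_data`, and the package, trigger, function and policy names are hypothetical; `my_ctx`, `RoleSitePrivileges` and the `SITE_PRIVILEGE_<SiteID>` attributes come from the post.

```sql
-- Added example; sec_admin, app.site_data and the object names are hypothetical.
-- 1. Only the package named in USING may write to the context.
CREATE OR REPLACE CONTEXT my_ctx USING sec_admin.site_ctx_pkg;

-- 2. Definer's-rights package; sec_admin needs a direct SELECT grant on dba_role_privs.
CREATE OR REPLACE PACKAGE sec_admin.site_ctx_pkg AS
   PROCEDURE set_site_privileges;
END site_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.site_ctx_pkg AS
   PROCEDURE set_site_privileges IS
      roleExists PLS_INTEGER;
   BEGIN
      FOR iPrivRec IN (SELECT RoleName, SiteID FROM sec_admin.RoleSitePrivileges) LOOP
         SELECT COUNT(*) INTO roleExists
           FROM dba_role_privs
          WHERE granted_role = UPPER(iPrivRec.RoleName)
            AND grantee = USER;
         DBMS_SESSION.set_context('my_ctx', 'SITE_PRIVILEGE_' || iPrivRec.SiteID,
                                  CASE WHEN roleExists > 0 THEN 'Y' ELSE 'N' END);
      END LOOP;
   END set_site_privileges;
END site_ctx_pkg;
/
-- 3. Populate the context once per session, at logon.
CREATE OR REPLACE TRIGGER sec_admin.site_ctx_logon AFTER LOGON ON DATABASE
BEGIN
   sec_admin.site_ctx_pkg.set_site_privileges;
END;
/
-- 4. Policy function: the namespace filter keeps other contexts' attributes out.
CREATE OR REPLACE FUNCTION sec_admin.site_policy (
   p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
   RETURN 'SiteID IN (SELECT TO_NUMBER(SUBSTR(attribute, 16))
                        FROM session_context
                       WHERE namespace = ''MY_CTX''
                         AND attribute LIKE ''SITE_PRIVILEGE_%''
                         AND value = ''Y'')';
END;
/
-- 5. Attach the predicate; update_check also blocks writes outside the allowed sites.
BEGIN
   DBMS_RLS.add_policy(object_schema => 'APP', object_name => 'SITE_DATA',
      policy_name => 'SITE_ROW_FILTER', function_schema => 'SEC_ADMIN',
      policy_function => 'SITE_POLICY', update_check => TRUE);
END;
/
```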

  • Workspace/Developer users and Oracle accounts

    We plan to install Apex 4 (for first time) into an existing database with many schemas and users. Some users already have developer privileges in their schemas pre-Apex install. Will their user/schema privileges be 'inherited' into the Apex environment or will they have to be re-defined as Workspace admins/developers? If they have to be re-defined as developer user in Apex is there a way for them to keep their old passwords?
    Also, we are implementing Oracle Identity Management and plan to move all developer-type accounts to be Enterprise User accounts in OIM. Will Apex developer users be compatible with this?
    Thanks,
    Pat

    Yes, I have no problem with end-user authentication -- we have already implemented LDAP authentication in another Apex environment with our central LDAP directory as an alternate user authentication. I am glad to hear that some plans are being made for other methods of authentication of developers--why not become compatible with Oracle's own OIM and the concept of Enterprise User??
    Quoting an Oracle whitepaper entitled: Directory Services Integration with Database Enterprise User Security
    "... many enterprises today are still managing database users and privileges in individual databases. From end user perspective, managing passwords in multiple databases is confusing and results in poor user experience. From administration perspective, redundant user management is costly, and managing user authorizations in multiple databases is error prone. From auditing and compliance perspective, on time provision and de-provision of user access and privileges across databases is challenging.
    Enterprise User Security (EUS), an Oracle Database Enterprise Edition feature, leverages the Oracle Directory Services, and gives you the ability to centrally manage database users and role memberships in an LDAP directory. Enterprise User Security reduces administration cost, increases security, and improves compliance through centralized database user account management, centralized provisioning and de-provisioning of database users, centralized password management and self-service password reset, and centralized management of authorizations using global database roles."
    Sounds like a great option to consider!!
    Pat

  • OSB 10gR3 + Oracle 10gR3 BPEL

    Hello
    Is anyone using a combination of OSB 10gR3 + Oracle 10gR3 BPEL and if so, how are you getting on with it?
    Hannah

    You can use OSB 10gR3 + Oracle 10gR3 BPEL together, but each of them must be installed in its own directory. OSB is running on Java 1.6, while BPEL is running on Java 1.5. Out of the box, BPEL is running on the Oracle Application Server (OC4J); it can run under WebLogic, but this is WLS 9.2.
    Marc
    http://orasoa.blogspot.com
