Expire password - alter user - privilege authid (2) english

Similar Messages

• Expire password - alter user - privilege authid

  Hello to all
  I need to allow the users of Data base, that when the password expires, can enter the new password from a page. What I am trying to do is to add a function to modify the user
  create function usu_mod
  as
  begin
  execute immediate 'alter user pepe identified by pepe2';
  end;
  some idea, raised affluent estaria? also it sends an insufficient error to me of privileges, since apex uses the APEX_PUBLIC_USER. I was looking for and I saw AUTHID DEFINER AUTHID, CURRENT_USER. it is necessary to use some of these commandos, somebody can give an idea me of like using them
  Thank you very much
  Juan Pablo

  Juan - We talked about this here: Re: ORACLE Password Change using APEX FORM
  Scott

• Oracle Security - Controlling the 'alter user' privilege

  Hi,
  1. DB 10.1.0.5 and 10.2.0.3
  2. "Admin User" needs to be able to change some users passwords in database.
  3. Create user adminuser - grant alter user to adminuser.
  4. DBAs will grant "approle" role to list of required users. DBAs will maintain control of who gets this role.
  4. Create system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - Script does not fire for DBAs and anyone changing their own password.
  The trigger works as intended - the "adminuser" account can only change the specific set of users.
  Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
  Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
  I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
  CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
  DECLARE
  DBACHK varchar2(50);
  USRCHK varchar2(50);
  BEGIN
  BEGIN
  -- Ensure users can change their own passwords --
  IF
  ora_login_user = ora_dict_obj_name
  THEN
  RETURN;
  ELSE
  -- Do not apply trigger to DBA group --
  select grantee into DBACHK from dba_role_privs where granted_role='DBA'
  and grantee = ora_login_user;
  IF
  DBACHK = ora_login_user
  THEN
  RETURN;
  END IF;
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  NULL;
  END;
  BEGIN
  select grantee into USRCHK from dba_role_privs where
  granted_role='DISCUSR' and grantee = ora_dict_obj_name;
  IF
  ora_dict_obj_type = 'USER'
  and ora_dict_obj_name = USRCHK
  ---- Need to check that only the password is being change -- the line below does not work
  and ora_is_alter_column('PASSWORD') = TRUE
  THEN
  RETURN;
  ELSE
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END;
  END;

  user602453 wrote:
  Ed, thank you for your reply. But, let me explain in more detail.
  More detail is always helpful. ;-)
  >
  A specific user has been assigned as the application administrator. This admininstrator is responsible for reseting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
  I see that this may be out your hands, but I'd still question the wisdom of having an apps administrator being the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more of a helper to a clueless user.
  Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
  So,
  Given those requirements, I have this trigger that will allow the the specific administrator to change the password of a specific set of user while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assigning the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
  Hope that clears things up.I still see another problem in that it still comes back to the dba to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.

• Alter user privilege

  Hello,
  is there any way to grant just certain privileges that involve the Alter User system privilege? That is, How can i do so that a user can execute just: alter user <user> account lock or account unlock, but not password expires as an example?
  Thanks in advance.

  Hi, you can set the AUTHID DEFINER clause when you crate the stored procedure for execute how owner, the stored procedure must be owner of SYS user.
  Please review the nexts links
  http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_5009.htm#sthref6483
  http://www.adp-gmbh.ch/ora/plsql/authid.html
  Luck.
  Have a good day.
  Regards.

• A user granted with alter user privilege

  Dear all
  i have granted a user with create user, alter user system privilege so that he can create or alter users. But i found the user is able to alter the sys and system also.
  Tell me how to restrict the user so that he can not effect sys and system.

  Yes. I have created device collection with
  installed specific software and used  this collection to pull report from out the box report for Primary Device users( Not sure about exact report name but similar) for
  this collection. Did some excel work to find primary device user.
  But looks like there is no straight forward solution. It would be great if i know how to import multiple users from a text/csv file into a User collection.
  Thanks

• Restrict user having alter user privilege

  When a user is granted with alter user, the user can change the password for sys. How to restrict the user, so that he can do user administration but cannot do anything with sys or system.

  could you solve my problem.
  I want to store picture in table using insert statement. But when save trigger executes system generates error message: bad bind variable
  my email: [email protected]

• Expire password as user is created

  How can I set a user password to expire as soon as the user is created?
  Thsnk

  I got the solution from Sun:
             <Field name='password.accounts[Lighthouse].expire'>
                <Expansion>
                  <i>1</i>
                </Expansion>
             </Field>

• Let group leader change his memeber's pwd without giving him 'alter user' p

  Hi, all
  Is there any way that I can let a group leader to reset his own member's password without giving him the 'alter user' privilege ?
  I know I can use following simplified procedure to allow one person to change his own password, but I am looking for a way to let leader to reset when his members forget their pwd, and the following script can't work. I also created the synonym and grant 'execute on' to him. Can someone help me on this?
  Thanks in advance.
  CREATE OR REPLACE PROCEDURE change_pwd ( v_username in varchar2, v_pwd in varchar2)
  authid current_user
  is
  BEGIN
  execute immediate 'alter user '||m_username||' identified by '||v_pwd ;
  END ;
  ----

  SQL> @example
  SQL> spool capture.log
  SQL> create user alladmin identified by adminall;
  User created.
  SQL> grant connect to alladmin;
  Grant succeeded.
  SQL> grant resource to alladmin;
  Grant succeeded.
  SQL> grant alter user to alladmin;
  Grant succeeded.
  SQL> create user member1 identified by No1knows;
  User created.
  SQL> grant connect to member1;
  Grant succeeded.
  SQL> create user member2 identified by No1knows;
  User created.
  SQL> grant connect to member2;
  Grant succeeded.
  SQL> create user gl1 identified by secret;
  User created.
  SQL> grant connect to gl1;
  Grant succeeded.
  SQL> grant resource to gl1;
  Grant succeeded.
  SQL> connect alladmin/adminall
  Connected.
  SQL> CREATE OR REPLACE PROCEDURE change_pwd ( v_username in varchar2)
    2  is
    3  m_username varchar2(100);
    4  v_pwd varchar2(30) := 'FUBAR1';
    5  BEGIN
    6  select user into m_username from dual;
    7  if (m_username = 'GL1')
    8  then
    9       execute immediate 'alter user '||v_username||' identified by '||v_pwd ;
  10  end if;
  11  END ;
  12  /
  Procedure created.
  SQL> grant execute on change_pwd to gl1;
  Grant succeeded.
  SQL> connect gl1/secret
  Connected.
  SQL> exec alladmin.change_pwd('MEMBER1');
  PL/SQL procedure successfully completed.
  SQL> exec alladmin.change_pwd('MEMBER2');
  PL/SQL procedure successfully completed.
  SQL> connect member1/FUBAR1
  Connected.
  SQL> select user from dual;
  USER
  MEMBER1
  SQL> connect member2/FUBAR1
  Connected.
  SQL> select user from dual;
  USER
  MEMBER2
  SQL> exit
  Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
  With the Partitioning, OLAP and Data Mining optionsAny more questions?

• Alter User Inside procedure

  Hi to all,
  I have a user named dbo and vijay.
  I have a procedure under dbo named as sp_alteruser
  CREATE OR REPLACE PROCEDURE DBO.SP_ALTERUSER
  P_USER_ID IN VARCHAR2,P_PASSWORD IN VARCHAR2,P_MSG OUT VARCHAR2)
  --Declaration of IN parameters
  IS
  E_PASSWORD EXCEPTION;
  E_INVALIDUSER EXCEPTION;
  PRAGMA EXCEPTION_INIT(E_PASSWORD,-00988);
  PRAGMA EXCEPTION_INIT(E_INVALIDUSER,-01918);
  BEGIN
  DECLARE
  V_COUNT NUMBER;
  V_STATEMENT1 VARCHAR2(200);
  BEGIN
  --To check whether the user has been already exists
  SELECT COUNT(*) INTO V_COUNT
  FROM ALL_USERS
  WHERE USERNAME = P_USER_ID;
  IF V_Count = 0 THEN
  --If the count is 0 means that the user does not exist
  DBMS_OUTPUT.PUT_LINE('User Does Not exist');
  END IF;
  IF V_COUNT>0 THEN
  --If the count is greater than 0 then the Alter statement is executed
  V_STATEMENT1:= 'ALTER USER ' ||P_USER_ID||' IDENTIFIED BY '
  ||P_PASSWORD;
       -- EXECUTE IMMEDIATE 'GRANT ALTER USER TO VIJAY';
  -- EXECUTE IMMEDIATE 'ALTER USER ' ||P_USER_ID||' IDENTIFIED BY ' ||P_PASSWORD;
  --EXECUTE IMMEDIATE v_STATEMENT1;
  P_MSG := 'Password Changed Sucessfully';
  END IF;
  END;
  EXCEPTION
  WHEN E_PASSWORD THEN
  P_MSG := 'Missing or Invalid Password';
  WHEN E_INVALIDUSER THEN
  P_MSG := 'User '||P_USER_id||' Does not exist';
  END;
  I have created a synonym with the same name as sp_alteruser and given the execute privilege to the user vijay...
  This procedure works fine when I run as DBO user, when I am trying from the vijay user it is throwing the error as insufficient privilege.
  I tried to give the alter user privilege explicitly but none gone right, when i gave dba privilege and checked with it works fine..
  Please help me in this regard.
  Thanks
  vijay

  Yes, I got it and apologies. Its not there so the error is correct. I am not sure that which priv is letting the dba role change another user, here is a list of privs for some default roles but none of them is there which depicts clearly the option to change another user.
  A very stupid answer, try giving the alter user with the admin option and see what happens. I don't ahve a db here otherwise I would had done it.
  HTH
  Aman....

• Grant Alter User

  Hi
  I want to grant a user the "Alter User" privilege but I want to restrict him to alter Sys, System and other users with high privileges.
  Regards

  Is that possible? I think the Alter User privilege will allow him to alter sys and system. Is there any other way to do that? I want him to have only access to change the password of regular users

• Alter User Externally

  I can do "alter user myid identified by newpwd;". But I got a message of "insufficient privileges" when I do "alter user myid identified externally;"
  So what special previliges do I need to alter user externally?
  THANKS

  alter user myid identified by newpwdchanges the user's own password and doesn't require the ALTER USER privilege.
  alter user myid identified externally;changes the user's identification mode and requires the ALTER USER privilege.
  Max
  [My Italian Oracle blog|http://oracleitalia.wordpress.com/2010/01/31/le-direttive-di-compilazione-pragma/]

• Auditing the  ALTER USER command

  How exactly does one use FGA to capture the "tail-end" of the ALTER USER command? Could you provide or point me toward an example with detailed "how to" information?
  Thanks.

  You need to have "ALTER USER " privilege to change the password for any other user.
  It seems you are not login with scott user and actually "Scott.tiger"
  it shld be
  Alter user scott identified by tiger;

• ALTER USER를 실행한 사용자를 확인하는 방법(SYSTEM EVENT TRIGGER)

  제품 : ORACLE SERVER
  작성날짜 : 2002-11-07
  ALTER USER를 실행한 사용자를 확인하는 방법(SYSTEM EVENT TRIGGER)
  ================================================================
  PURPOSE
  자신이나 또는 다른 user들의 password를 바꾸는 등의 alter user command를
  사용한 사용자를 확인하는 방법을 알아보자.
  Explanation & Example
  1. 사용자 정보를 저장할 event table을 생성한다.
  Create event table and users to store the alterations made:
  SQL> connect / as sysdba;
  create table event_table
  ora_sysevent varchar2(20),
  ora_login_user varchar2(30),
  ora_instance_num number,
  ora_database_name varchar2(50),
  ora_dict_obj_name varchar2(30),
  ora_dict_obj_type varchar2(20),
  ora_dict_obj_owner varchar2(30),
  timestamp date
  create user test1 identified by test1;
  grant create session, alter user to test1;
  create user test2 identified by test2;
  grant create session to test2;
  2. SYS user에서 AFTER ALTER Client Event Trigger 를 생성한다.
  Note: This step creates a trigger and it is fired whenever the user "test1"
  issues ALTER command (It can be ALTER USER or ALTER TABLE)
  SQL> CREATE or REPLACE TRIGGER after_alter AFTER ALTER on database
  BEGIN
  IF (ora_dict_obj_type='USER') THEN
  insert into event_table
  values (ora_sysevent,
  ora_login_user,
  ora_instance_num,
  ora_database_name,
  ora_dict_obj_name,
  ora_dict_obj_type,
  ora_dict_obj_owner,
  sysdate);
  END IF;
  END;
  3. test1 user로 접속한 후 test2 user의 password를 변경하는 작업을 실행한다.
  SQL> connect test1/test1
  SQL> alter user test2 identified by foo;
  4. test2 user의 password가 test1 user에 의해 변경되면 그런 내용을
  event_table 에서 확인할 수 있다.
  Now that we have altered the "test2" user password from user "test1", the
  event_table should have captured this details.
  Now Login in as sys and Query on event_table:
  SQL> connect / as sysdba;
  SQL> select * from event_table;
  ORA_SYSEVENT ORA_LOGIN_USER ORA_INSTANCE_NUM
  ORA_DATABASE_NAME
  ORA_DICT_OBJ_NAME ORA_DICT_OBJ_TYPE
  ORA_DICT_OBJ_OWNER TIMESTAMP
  ALTER TEST1 1
  T901.IDC.ORACLE.COM
  TEST2 USER
  13-JUN-02
  event_table의 내용을 조회하여 LOGIN_USER와 ALTERED USER 는
  ORA_LOGIN_USER와 ORA_DICT_OBJ_NAME column을 통해 확인할 수 있다.
  비슷한 방법으로 아래의 event에서 trigger를 생성하여 확인할 수 있다.
  1) BEFORE DROP
  2) AFTER DROP
  3) BEFORE ANALYZE
  4) AFTER ANALYZE
  5) BEFORE DDL
  6) AFTER DDL
  7) BEFORE TRUNCATE
  8) AFTER TRUNCATE
  Related Documents
  Oracle Application Developer's Guide

• Re: How to alter user using variable

  I need to reset all Oracle default accounts to a custom password in one of our databases (11.1.0.7). I am using two files:
  File 1 called mydb.sh
  This file is Solaris shell script to run sql file. Here is the content:
  #!/bin/bash
  cd $HOME
  . ./agsdb
  sqlplus "/as sysdba"<<EOF
  start /h/bin/mydb.sql
  exit
  EOF
  if [$? !=0 ]; then
  echo "Error, mydb.sh did not run"
       echo "Exiting."
       exit 1
  fi
  echo "********** mydb.sh is complete **********"And here is file2 mydb.sql
  This file has content similar this the following:
  >
  alter user anonymous identified by password;
  alter user oracle_ocm identified by password;
  alter user DI identified by password;
  alter user system identified by password;
  Our problem is we don't want to use the password in plain text. To get arround, we will pass the password as a variable instead of the plain password text.
  Maybe something like this:
  alter user anonymous identified by variable_name;How can I mitigate this by passing this variable from solaris to sqlplus?
  Thanks in advance.

  Alex wrote:
  01. Create a procedure to get the username and password and then alter that user. For this you can use synamic sql
  CREATE OR REPLACE PROCEDURE (username VARCHAR2, password VARCHAR2)
  IS
  BEGIN
  EXECUTE IMMEDIATE 'ALTER USER '||username||' IDENTIFIED BY ||password;
  END;
  I have already dealt with the above. My problem is how to get the procedure to pass the password in variable as you mentioned below:
  02. Then in your shell script call that procedure by passing username and password variables..

• Using alter user to change oracle password for logged in web user on XE

  Hi All
  I'm building an app using the pl/sql web toolkit on XE (installed on Win XP Pro SP2). (I'm not using the APEX front-end).
  I'm using basic authentication and oracle database user accounts, and when a user registers for the first time I create them an oracle user account with dynamic sql, followed by some initial setup stuff, and they then log in with it.
  All fine so far.
  However I want to allow the user to change their oracle password as part of maintaining their user details. I've done this in the past using the web toolkit and Oracle 9i and it has worked fine using dynamic sql.
  Unfortunately I can't get the same thing to work in XE.
  For example, if I create the following procedure in the schema aligned to the DAD which holds my application and then run it from a browser (IE or Firefox) then the
  Browser and the db just hangs - not even an error message:
  CREATE OR REPLACE PROCEDURE ut
  AS
  v_stmt varchar2(300);
  BEGIN
  HTP.htmlOpen;
  HTP.headOpen;
  HTP.title ('User Test');
  HTP.headClose;
  HTP.bodyOpen;
  v_stmt := 'alter user "'||user||'" identified by "BERT"';
  htp.print(v_stmt);
  EXECUTE IMMEDIATE v_stmt;
  htp.print('Done');
  HTP.bodyClose;
  HTP.htmlClose;
  END;
  If I run the same statement in SQL*plus it's fine, and if I run the same proc for a different user then it's fine too.
  I'm sure it's something to do with trying to change the credentials of the currently logged in user, but I would at least have expected an error message.
  I'd be grateful for any ideas.
  Thanks
  Steve

  Hi g.myers
  Thanks for your response.
  Sorry, yes, bad turn of phrase there. It's not the entire db that hangs. The web browser (either IE or FF) hangs, and if I look at v$session at this point, I can see that the user STATUS=ACTIVE and the STATE=WAITING.
  I should also point out that I am using standard Oracle users as users of the application, (e.g. create a new user account called TESTER1). These users are then granted the appropriate privileges on the owning schema in order to run the app, access the tables etc.
  Therefore it is the user account (e.g. TESTER1) that is running the password change procedure that is owned by the SYS schema. (However again, this is the exact code and method that I've used in the past and it has worked fine).
  If I leave the browser hanging long enough, it will eventually return with the following error:
  Proxy Error
  The proxy server received an invalid response from an upstream server.
  The proxy server could not handle the request POST /h/hopapp.pwdmaint_do.
  Reason: Error reading from remote server
  cheers
  Steve