Fine grained security permissions

I think fine grained security permissions are needed. If I use all permissions on a signed jar, that would grant too many permissions to the application. If I do not use all permissions, I can not use System.setSecurityManager(myOwnSecurityManager).
When all permissions are used, after my own security manager is set, the old security policy appears to be valid still.
Any comments? How can I easily apply my own policy to a WebStart based application?

I did additional tests. It looks like when the security manager is activated, even the simplest JSP application no longer works. It is simple to simulate (jdev 10.1.2 + ias 9.0.4.0.0):
1. Create a new Web project containing a jsp page
2. Deploy the application to the AS
3. Test the JSP page. It works.
4. Activate the security manager (add -Djava.security.manager into the Java options of the j2ee container)
5. Restart the j2ee container and test. Crash
Any idea?
thanks

Similar Messages

  • Function-based index error due to fine-grained security

    Hi, I'm working on Oracle version 9.2.0.5.
    I'm trying to create a function-based index but I'm getting an error due to fine-grained security. I checked resource_view but if I'm not wrong I should have all necessary roles. I also added xdbadmin to this user to be sure.
    I also tried to alter my session but it didn't work.
    Connected to Oracle9i Enterprise Edition Release 9.2.0.5.0
    Connected as test_ste
    SQL>
    SQL> create index fbidx_schede_xml
      2  on schede_progetti_xml p
      3  (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal());
    create index fbidx_schede_xml
    on schede_progetti_xml p
    (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal())
    ORA-28133: full table access is restricted by fine-grained security
    ORA-06512: at "SYS.XMLTYPE", line 0
    ORA-06512: at line 1
    SQL>
    SQL> alter session set query_rewrite_enabled = true;
    Session altered
    SQL> alter session set query_rewrite_integrity = trusted;
    Session altered
    SQL> create index fbidx_schede_xml
      2  on schede_progetti_xml p
      3  (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal());
    create index fbidx_schede_xml
    on schede_progetti_xml p
    (p.PROGETTO.extract('/Project/Elenco_unita/Unita/Responsabile/Cognome/text()').getStringVal())
    ORA-28133: full table access is restricted by fine-grained security
    ORA-06512: at "SYS.XMLTYPE", line 0
    ORA-06512: at line 1
    SQL> select * from user_role_privs;
    USERNAME                       GRANTED_ROLE                   ADMIN_OPTION DEFAULT_ROLE OS_GRANTED
    TEST_STE                      CONNECT                        NO           YES          NO
    TEST_STE                      CTXAPP                         NO           YES          NO
    TEST_STE                      RESOURCE                       NO           YES          NO
    TEST_STE                      XDBADMIN                       NO           YES          NO
    SQL>
    These are the ACLs on my schema:
      <ACL>
        <acl description="Private:All privileges to OWNER only and not accessible to others" xmlns="http://xmlns.oracle.com/xdb/acl.xsd" xmlns:dav="DAV:"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd                           http://xmlns.oracle.com/xdb/acl.xsd">
          <ace>
            <principal>dav:owner</principal>
            <grant>true</grant>
            <privilege>
              <all/>
            </privilege>
          </ace>
        </acl>
      </ACL>
    I tried to create a similar function-based index on Oracle 10.2.0.3 without any problem and without touching any ACL. Is it an Oracle 9.2.0.5 problem?
    Thanks for your attention.

    I haven't really worked (production-wise) with VPD yet. I know a lot is based on DBMS_RLS and I guess (IF it is VPD related) it should be too hard to find in the docs how you could check what is beyond your privileges. As a DBA I noticed that even the DBA account SYSTEM isn't always allowed to export the full content of the tables anymore.
    There is a privilege that grants you all the access that you need, despite the fact that you are not allowed to read certain rows from a table. Look it up.
    In all, as I said, it looks like the account is not allowed to see all data from a table. In that respect it sounds logical that you are, in that case, also not allowed to build a function-based index on that data.

  • Fine-Grained Password Policy problem

    Hi All,
    I'm testing a Fine-Grained Password Policy for a group of users.
    I created a test PSO using ADSI Edit and applied the PSO to a global security group.
    Test user has been added to this group.
    The PSO settings include "Enforce password history: 5"
    The user has changed the password.
    After 24h I logged in as the user and changed the password - for example: Password1.
    After another 24 hours I changed the password to Password2.
    One day later I was asked to change the password again.
    In theory I shouldn't be able to use any of the 5 previous passwords (password history = 5) but when I entered Password1 it was accepted.
    Do you know where the problem could be?
    System info: Windows Server 2008 R2 (forest/domain level is also 2008)
    Regards,
    Marcin

    This is very interesting. I don't have any lab to repro though... So I can't look at it closer.
    From an LDAP perspective, when you change your password on AD, you have to comply with the password history policy. This requirement is sent by the server to the client thanks to the supported control LDAP_SERVER_POLICY_HINTS_OID, which you can see just by looking at the RootDSE of one of your DCs (http://msdn.microsoft.com/en-us/library/cc223320.aspx: "Used with an LDAP operation to enforce password history policies during password set"). I am aware of issues with AD-LDS not honoring it, but not AD... I am not sure if the situation described with FIM here matches your issue: http://support.microsoft.com/kb/2443871 in this article:
    "The "Enforce password history" and "Minimum password age" Group Policy settings do not work when you reset the password for a Windows Server 2008 R2-based or a Windows Server 2008-based computer."
    But it would mean that it also affects users not having a FGGP (because this isn't specific to FGGP), and the minimum password age as well. If you have a chance to try this in a lab, let us know... In the meantime, if you can share logs or code from your app? Like the section that does the password change?

  • Fine Grained Access ERROR on INSERT when generating unique keys

    I'm using VPD/Fine Grained Access Control (FGAC) to implement security on my 9i backend. I created a security policy function that returns the predicate 'owner = USER'; - each of the tables has an additional column titled OWNER which contains the name of the logged-in user. Every time a user inserts a record, a BEFORE INSERT trigger fires (for every row) and inserts the USER name into the OWNER column. This is fairly straightforward and ensures that users can see only their rows. Using the DBMS_RLS.add_policy procedure, I attached the security policy to several tables and made it effective upon SELECT, UPDATE, INSERT, and DELETE statements.
    However, the frontend Java application (custom-made) generates unique IDs (sequences are not used) by selecting max(ID)+1 from the primary key columns of the tables. The problem is that the predicate is appended to the SELECT max(ID)+1 query to limit the max(ID) to only those rows where 'owner = USER'. Therefore, the max(ID) generated is not the largest ID for the entire table, but only the largest among the USER rows.
    So unless that USER happens to have the largest ID in the whole table (and it has worked then), a primary-key violation error will be returned and the INSERT operation will be aborted.
    How can I allow every USER to select from AND get the absolute largest ID from the PK column without allowing that user to select records that don't belong to him? If I had developed the application, I would have made use of sequences on the back-end to generate unique primary key IDs. Unfortunately, I don't have this option and must work with the application as is.
    NOTE: the front-end Java application understands only the base table names, NOT Views created by me on the server. If the answer to this problem involves views, how can I make use of them on the backend when the front-end code does not recognize them?
    Any help is greatly appreciated!
    Michael

    First, you could use default column values, not a trigger, which is more expensive.
    If your app already assumes full access to the table to get the max id (another RT), this is bad. Current RLS cannot really help if you cannot change the app because of this flawed logic (you can store the max id anywhere, why scan the whole table to find it?).
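
The collision described in the question above can be reproduced with a few statements. This is an added example, not code from the original posts; the schema APP, table ORDERS_T, function OWNER_PRED, policy OWNER_POL and users ALICE and BOB are assumed names.

```sql
-- Constructed reproduction. Schema APP, table ORDERS_T, function OWNER_PRED,
-- policy OWNER_POL and users ALICE/BOB are hypothetical names.

-- Setup, run as APP (needs EXECUTE on DBMS_RLS).
CREATE TABLE orders_t (
  id    NUMBER       PRIMARY KEY,
  item  VARCHAR2(30),
  owner VARCHAR2(30) DEFAULT USER NOT NULL  -- column default, as the reply suggests, instead of a trigger
);

CREATE OR REPLACE FUNCTION owner_pred (
  obj_schema IN VARCHAR2,
  obj_name   IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'owner = USER';  -- same predicate as in the question
END owner_pred;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS_T',
    policy_name     => 'OWNER_POL',
    function_schema => 'APP',
    policy_function => 'OWNER_PRED',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- also check rows written by INSERT/UPDATE
END;
/

GRANT SELECT, INSERT ON orders_t TO alice, bob;

-- Session 1, connected as ALICE: the table is empty, so the generated id is 1.
INSERT INTO app.orders_t (id, item)
  SELECT NVL(MAX(id), 0) + 1, 'first' FROM app.orders_t;
COMMIT;

-- Session 2, connected as BOB: the policy rewrites the subquery to
--   SELECT NVL(MAX(id), 0) + 1 FROM app.orders_t WHERE owner = USER
-- BOB owns no rows, so the generated id is 1 again. The primary key is
-- enforced over the whole table, not over BOB's slice, so this insert
-- is rejected as a duplicate key.
INSERT INTO app.orders_t (id, item)
  SELECT NVL(MAX(id), 0) + 1, 'second' FROM app.orders_t;

-- Check, run as a DBA: list every policy on the table and the statement
-- types it filters, to confirm that SELECT is what shapes MAX(id).
SELECT policy_name, pf_owner, function, sel, ins, upd, del, enable
  FROM dba_policies
 WHERE object_owner = 'APP'
   AND object_name  = 'ORDERS_T';
```

The rejected insert also tells BOB that an id he cannot select already exists, so the row filter and the table-wide key disagree in a way the caller can observe.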

  • Version-specific features of DBMS_RLS.ADD_POLICY for FINE GRAINED ACCESS CONTROL (FGAC)

    Product: ORACLE SERVER
    Date written: 2005-11-24
    Version-specific features of DBMS_RLS.ADD_POLICY for FINE GRAINED ACCESS CONTROL (FGAC)
    =======================================================================
    PURPOSE
    A brief overview of the concept and usage of FGAC, a method for row-level security and
    context management, is given in <bul 23026>.
    This document summarizes the version-specific features of the dbms_rls package for FGAC
    from 8i through 10g, and examines the STATIC_POLICY and POLICY_TYPE parameters in
    detail using examples.
    Explanation & Examples
    The following is an example of the values typically supplied when using dbms_rls.add_policy.
    Most of these use their default values, so in general only the first five parameters
    need to be given a value.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    > object_schema => 'SCOTT', -
    > object_name => 'EMP', -
    > policy_name => 'POL1', -
    > function_schema => 'SYS', -
    > policy_function => 'PREDICATE', -
    > statement_types => 'SELECT', -
    > static_policy => false, -
    > policy_type => DBMS_RLS.DYNAMIC, -
    > long_predicate => false);
    1. Version-specific features of FGAC
    (1) sec_relevant_cols/sec_relevant_cols_opt : 10G
    Besides the add_policy procedure parameters described above, the following two
    parameters were added in 10g.
    They make the policy take effect only when the relevant columns are queried;
    usage and examples can be found in <Note 250795.1> on the metalink.oracle.com
    site.
    - sec_relevant_cols
    - sec_relevant_cols_opt
    (2) long_predicate : 10G
    The default is false; when set to true, the predicate can be 4000 bytes or
    longer.
    (3) statement_types : INDEX type added from 10G
    Through 9i, FGAC could be applied to SELECT, INSERT, UPDATE and DELETE;
    from 10g the INDEX type can also be specified.
    When index is specified, creation of function-based indexes can be restricted;
    a detailed example can be found in <Note 315687.1> on the metalink.oracle.com
    site.
    (4) EXEMPT ACCESS POLICY privilege : 9i
    To make a particular user unaffected by all fine-grained access control
    policies, grant the exempt access policy privilege; this was introduced
    in 9i.
    SQL> grant exempt access policy to scott;
    The privilege is granted in this way; a detailed example can be found in
    <Note 174799.1> on the metalink.oracle.com site.
    (5) Policies on synonyms : 9.2
    It became possible to set a VPD (Virtual Private Database) policy on a
    synonym; the detailed method and examples can be found in <Note 174368.1>
    on metalink.oracle.com.
    (6) static_policy : 8.1.7.4
    The static_policy parameter did not exist in 8i; it was introduced in 9i and was also
    reflected in 8.1.7.4. The default is false, and up to 8.1.7.3 it always behaves as false.
    That is, the policy function is executed every time the object is accessed.
    From 8.1.7.4 this parameter can be set to true; in that case the policy function
    is executed once in the session, and if the function is cached in the shared pool
    it is used as is without being re-executed.
    From 10g, the policy_type parameter described in (7) was added;
    instead of setting this parameter to true, leave static_policy false and
    set policy_type to dbms_rls.static, and
    the result is the same as setting static_policy to true in 9i and 8.1.7.4.
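    (7) policy_type: 10g
    The following five values are possible, of which the default is dynamic.
    - STATIC
    Used when the predicate in the policy function does not give different results
    depending on the runtime environment. For example, using it when a different result
    is returned depending on sysdate can cause problems.
    With static, the policy function is executed once and loaded into the SGA;
    afterwards, when the same object is used in the same session, the result of that
    predicate is used as is without re-execution.
    - SHARED_STATIC
    Same as STATIC, but when the same predicate function is also used for other
    objects, a cached predicate is looked up first and used if it exists.
    STATIC does not share across different objects and uses the cached value only
    for the same object.
    - CONTEXT_SENSITIVE
    Re-executes the predicate when the context changes within a session.
    When a WAS (web application server) is used, connection pooling is used by
    default, and in that case several users take turns using a single session
    one after another. If the middle tier sets the context in this case,
    the predicate is executed anew each time the context changes, so that changed
    values such as sysdate or session_user are computed again.
    An example of setting the context from JDBC can be found in
    <Note 110604.1> on metalink.oracle.com.
    - SHARED_CONTEXT_SENSITIVE
    Same as context_sensitive, except that, like shared_static, when the same predicate
    is used for several objects, it first checks whether the same predicate for another
    object is cached.
    If it exists, the result of that predicate is used as is until the session private
    application context changes.
    - DYNAMIC
    This is the default value. That is, the predicate function is assumed to be affected
    by the system or the environment, so the predicate function is re-executed every time
    a statement is executed and returns a value appropriate to the environment.
    Below, the exact mechanism is confirmed through an example using a predicate that
    returns different results depending on the sysdate value.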
    2. Examples of how the policy function behaves depending on the values of static_policy and policy_type
    (a) STATIC_POLICY => TRUE and POLICY_TYPE => NULL
    (1) If the pol1 policy already exists, drop it as follows.
    SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
    (2) Create the predicate function as the scott user as follows.
    SQL> create or replace function PREDICATE (obj_schema varchar2, obj_name varchar2)
      return varchar2 is d_predicate varchar2(2000);
      begin
        -- first five minutes of each hour from 06:00 on: only the session user's own row
        if to_char(sysdate, 'HH24') >= '06' and to_char(sysdate, 'MI') < '05' then
          d_predicate := 'ename = sys_context(''USERENV'', ''SESSION_USER'')';
        -- any other time: every row with sal >= 3000
        else d_predicate := 'sal>=3000';
        end if;
        return d_predicate;
      end predicate;
      /
    (3) Add pol1 anew.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    object_schema => 'SCOTT', -
    object_name => 'EMP', -
    policy_name => 'POL1', -
    function_schema => 'SCOTT', -
    policy_function => 'PREDICATE', -
    statement_types => 'SELECT', -
    static_policy => TRUE, -
    policy_type => NULL);
    (4) Query scott.emp as the adams user.
    Note that the select privilege on scott.emp must be granted to king as follows.
    SQL>grant select on emp to king;
    SQL>!date
    Thu Nov 24 14:01:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME  JOB        MGR   HIREDATE   SAL   COMM  DEPTNO
     7839 KING   PRESIDENT        17-NOV-81  5000        10
    Even after 5 minutes have passed and the if condition of the predicate function is no
    longer satisfied, the king user gets the same rows returned from the emp table.
    SQL>!date
    Thu Nov 24 14:10:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME  JOB        MGR   HIREDATE   SAL   COMM  DEPTNO
     7839 KING   PRESIDENT        17-NOV-81  5000        10
    (b) STATIC_POLICY => FALSE and POLICY_TYPE => DBMS_RLS.DYNAMIC
    (1) Drop the existing policy as follows.
    SQL> exec DBMS_RLS.DROP_POLICY ('SCOTT', 'EMP','POL1');
    (2) Add pol1 anew, this time changing static_policy and policy_type as
    follows.
    SQL> exec DBMS_RLS.ADD_POLICY ( -
    object_schema => 'SCOTT', -
    object_name => 'EMP', -
    policy_name => 'POL1', -
    function_schema => 'SCOTT', -
    policy_function => 'PREDICATE', -
    statement_types => 'SELECT', -
    static_policy => false, -
    policy_type => dbms_rls.dynamic);
    (3) Query as the king user.
    The predicate function created in 2-(a) above is used as is.
    That is, if (a) has not been run, step (a)-(2) must be run before querying.
    SQL>!date
    Thu Nov 24 15:01:13 EST 2005
    SQL> connect king/king
    SQL> select * from scott.emp;
    EMPNO ENAME  JOB        MGR   HIREDATE   SAL   COMM  DEPTNO
     7839 KING   PRESIDENT        17-NOV-81  5000        10
    After 5 minutes have passed, run it once more as the king user.
    SQL>!date
    Thu Nov 24 15:10:13 EST 2005
    SQL> select * from scott.emp;
    EMPNO ENAME  JOB        MGR   HIREDATE   SAL   COMM  DEPTNO
     7788 SCOTT  ANALYST    7566  19-APR-87  3000        20
     7839 KING   PRESIDENT        17-NOV-81  5000        10
     7902 FORD   ANALYST    7566  03-DEC-81  3000        20
    RELATED DOCUMENTS
    <Note 281970.1> 10g Enhancement on STATIC_POLICY with POLICY_TYPE Behaviors
    in DBMS_RLS.ADD_POLICY Procedure
    <Note 281829.1> Evolution of Fine Grain Access Control FGAC Feature From 8i
    to 10g
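
The CONTEXT_SENSITIVE case described in (7), where a pooled session is reused by several end users, can be set up as follows on 10g or later. This is an added example, not part of the original note; the context APP_CTX, package APP_CTX_PKG, function EMP_BY_CTX, policy POL_CTX and account POOL_USER are assumed names, and the setup is run by a user holding CREATE ANY CONTEXT and EXECUTE on DBMS_RLS.

```sql
-- Added example; APP_CTX, APP_CTX_PKG, EMP_BY_CTX, POL_CTX and POOL_USER
-- are hypothetical names. SCOTT.EMP is the table used in the note.

-- 1. Application context that only the trusted package can write to.
CREATE OR REPLACE CONTEXT app_ctx USING scott.app_ctx_pkg;

-- 2. Package the middle tier calls each time it hands the pooled
--    session to a different end user.
CREATE OR REPLACE PACKAGE scott.app_ctx_pkg AS
  PROCEDURE set_end_user (p_ename IN VARCHAR2);
  PROCEDURE clear_end_user;
END app_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY scott.app_ctx_pkg AS
  PROCEDURE set_end_user (p_ename IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'ENAME', UPPER(p_ename));
  END set_end_user;

  PROCEDURE clear_end_user IS
  BEGIN
    DBMS_SESSION.CLEAR_ALL_CONTEXT('APP_CTX');
  END clear_end_user;
END app_ctx_pkg;
/

-- 3. Policy function. It fails closed when no end user has been set, and
--    it returns a predicate that reads the context at query time instead
--    of concatenating the user name into the predicate text.
CREATE OR REPLACE FUNCTION scott.emp_by_ctx (
  obj_schema IN VARCHAR2,
  obj_name   IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('APP_CTX', 'ENAME') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  RETURN 'ename = SYS_CONTEXT(''APP_CTX'', ''ENAME'')';
END emp_by_ctx;
/

-- 4. Attach the function as a context-sensitive policy, so that it is
--    re-run after the context changes rather than once per session.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SCOTT',
    object_name     => 'EMP',
    policy_name     => 'POL_CTX',
    function_schema => 'SCOTT',
    policy_function => 'EMP_BY_CTX',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/

-- 5. Only the pool account may switch end users: whoever can execute the
--    package can choose whose rows the session sees.
GRANT EXECUTE ON scott.app_ctx_pkg TO pool_user;
GRANT SELECT  ON scott.emp         TO pool_user;

-- 6. What the middle tier does on one pooled session (connected as POOL_USER).
EXEC scott.app_ctx_pkg.set_end_user('KING');
SELECT ename, sal FROM scott.emp;

EXEC scott.app_ctx_pkg.set_end_user('FORD');   -- context changed: policy function runs again
SELECT ename, sal FROM scott.emp;

EXEC scott.app_ctx_pkg.clear_end_user;         -- before returning the session to the pool
SELECT ename, sal FROM scott.emp;
```

With policy_type set to DBMS_RLS.STATIC instead, the first predicate computed in the session would be reused for every later end user, which is the caching behaviour section 2 (a) of the note demonstrates with sysdate.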


  • DPM 2012 R2 UR4 - DPM could not set security permissions on the replica or recovery point volume that was created.

    Hi All,
    I am running a fresh install of SCDPM 2012 R2 with a protection group that is backing up the 'C:\', Bare Metal and System State of some VMs. If I add any additional servers to the group since the first creation it returns the following error:
    Modify protection group: System State & Bare Metal Recovery failed:
    Error 419: DPM could not set security permissions on the replica or recovery point volume that was created.
    Error details: The process cannot access the file because it is being used by another process
    Recommended action: Review the error details, take appropriate action and retry the operation.
    If I re-create the whole protection group it works fine.
    Could anyone advise any further diagnostics I can do to try and locate the reason behind not being able to modify the group after the first creation? I can add new servers to other PGs without any issues.
    Thanks in advance,
    Dan

    If you are protecting any of the system state/BMR protection. Can you stop protection by deleting the older recovery points and then recreate the protection group.
    This thread mentions this to be a hardware issue, albeit with less information on what exact hardware issue:
    https://social.technet.microsoft.com/Forums/en-US/480679c2-1079-4847-ab38-5cc8f454ef86/error-419-dpm-could-not-set-security-permissions-on-the-replica-or-recovery-point-volume-that-was?forum=dataprotectionmanager
    Regards, Trinadh [MSFT]

  • How to know if Fine Grain Auditing is used

    I have to migrate an existing database to a new platform. The old database is an Enterprise Edition and the new one must be a Standard Edition.
    But first I must make sure that none of the functions of the Enterprise Edition is being used.
    How can I know if the database is using Fine Grain Auditing?
    thanks

    Thank you. Furthermore you can find a lot of resource about it.
    Regards
    http://www.oracle.com/technetwork/database/security/index-083815.html

  • The newest version of iTunes is awful when it comes to Cloud syncing-file management. I'm constantly frustrated with what iTunes 'chooses' to eliminate from my mobile device and settings aren't fine-grained enough to allow for real user control.

    I'm endlessly frustrated with iTunes Cloud syncing, something that was supposed to make enjoying my music easier. I routinely find that, though iTunes and podcasts have been split, iTunes arbitrarily removes music files or in-progress podcasts in favor of 'new' podcasts. The settings are just not fine-grained enough to allow true user control and so we are instead subjected to 'Apple knows best' protocols. I understand and appreciate the level of exacting control Apple exercises over their ecosystem, however, more and more often I see them tightening control over things that should be under user control while dropping the ball on aesthetic decisions made in producing their own software (see the hideous pull-down tab for iTunes to access Podcast, TV shows, Music, etc.).
    I would like to see features like those in Mail and the Podcasting apps implemented in iTunes for the management of content on mobile devices, for instance it would be great to swipe to delete files that you no longer want on your device, at both the album and song level. Another issue is the new pushiness of iRadio and iTunes Store, the app now seems to default to the iRadio page (versus the last page, Albums, songs, etc., that the user was navigating), or in the instance of the iTunes Store push, if I don't have all the tracks of an album I own on my mobile device 'complete my album' takes you to iTunes store rather than showing the 'cloud' download icon next to missing tracks. These are the tactics I expect from Google, not Apple (pushing commerce over quality user experience).
    Fix these things Apple, please.

  • How to pass the context from Portal to Database for fine grain access?

    Hi,
    I am developing an omniportlet and I need to pass on the context of the logged in user to the database so that when the user tries to access data in the omniportlet, he can see data relevant to him only. Does anyone know how to do that?
    I have set up a lightweight user scott and also have a schema in the database by the same name (scott).
    What I am trying is: when the user logs in as scott in the portal site and runs an omniportlet, he should dynamically be logged in to scott the schema so that the data visible to him can be restricted. The same should happen for other users as well.
    Does anyone know in which table in the PORTAL schema is this connection information stored, so that I can override it using some API..?
    Thanks,
    Abhi

    I had tried sending the user_name in the sql and that works fine. but my requirement is that the user should login to his schema and only his schema directly and automatically.. such that even if an omniportlet is created using some default schema, when user logs in he can access only the schema meant for him..
    e.g. While running the omniportlet when logged-in as user scott, he should be logged-in to scott schema in the database, so that the fine grain access can be enabled ..

  • Windows Update files: Security permissions has "unknown user"

    Ok, this is weird. I have 30 files added in a November Windows update with a compile date or add-to date of 11/21/14. If I look at one of the files, MsSpellCheckingFacility.exe, I can see it is a legit file.
    https://www.virustotal.com/en/file/e9dcf987838e9a70fca4e1b1dda217bd1e309cd4f6bac47402120f76aac6edc7/analysis/
    However, the security permissions on the file are strange.  The user TrustedInstaller is the owner.  Now that seems to be typical when the file is a Microsoft updated file.  However, the file also has a user added that is unknown.
    user ? S-1-14-21
    Umm, why is this? It's 30 files like this, all REAL Microsoft files... all apparently part of the update. All scanned against virustotal as being revised about that date/time. Did Microsoft release an Update Build with files as a part of that build that had Microsoft users still attached to them?

    Hi!
    Is this machine joined to a domain? This SID with parameter "-21-" indicates a domain. If so, it is necessary to verify in the local policies whether any user had permission on domain workstations enforced by network Administration.
    But when researching the SID "S-1-14-21" we have no reference, as parameter "-14-" is not commonly used.
    From the articles below, we can find how SIDs work and the well-known SIDs:
    http://msdn.microsoft.com/en-us/library/dd302645.aspx
    http://technet.microsoft.com/en-us/library/dn743661.aspx
    As this is not a known SID, I suggest you try the script at the link below to determine who the user account is:
    http://blogs.technet.com/b/heyscriptingguy/archive/2004/12/03/how-can-i-determine-the-sid-for-a-user-account.aspx
    The problem can be a user account that has already been deleted (this is why the SID is not resolved to a name) or a problem in the WMI component that is not able to resolve the SID.
    If not successful with the article above, please post a screenshot of the file permissions so we can help you further.
    Cheers!
    Alan Martins

  • Should I use the fine-grained auditing?

    I need to record the changes (of data) made to several tables by users. For example, I have to check the before and after images of the changes and what kind of transactions they do to cause the changes. Should I program the logging procedure in the application or should I use the fine-grained auditing function of Oracle to do it? I am not sure what this built-in function can do for me. Can anyone give me some advice on this? Thanks.
    A beginner

    Why Fine-Grained Auditing?
    You may want to check standard auditing if it is suitable for you
    http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/cfgaudit.htm#BABCFIHB
    I don't think you can get pre and post update values of the affected data with Auditing.
    FGA is useful when you want to audit just a "subset" of the data in the table.
    (for instance, audit everyone that wants to get all records from EMP table where SALARY > 100000)

  • Fine Grained Audit records to syslog

    Hello experts,
    I am working on Standard Auditing and Fine Grained Auditing on 11.2.0.3 databases on Red Hat x86_64.
    I am trying to send Fine Grained Audit records to syslog as for my Standard Audit records with audit_trail set to OS, but can't find any appropriate option.
    When I create FGA policies with the ADD_POLICY procedure of the DBMS_FGA package, the audit_trail parameter can only be set to DB or XML, as stated in [PL/SQL Packages and Types Reference|http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_fga.htm#CDEIECAG].
    Does somebody know if it is possible to send FGA audit records to syslog directly:
    1. without using any additional product (e.g. Oracle Audit Vault)?
    2. without doing manual extraction from fga_log$ or DBA_COMMON_AUDIT_TRAIL?
    Thanks for any suggestion.

    Hi,
    Well, I did not use FGA yet.
    I used audit_trail=db and the query SELECT username, extended_timestamp, owner, obj_name, action_name, sql_text FROM dba_audit_trail WHERE to_char(extended_timestamp, 'DD/MM/RR') = to_char(SYSDATE - 1, 'DD/MM/RR') ORDER BY timestamp
    Then I wrote a procedure, and exported the results using utl_file.
    And I scheduled this procedure to run daily.
    It works pretty good; if you like the solution, ask for details.
    Hope that helps,
    Regards.

  • Enhancement request for more fine-grained templates

    JHeadstart version : 10.1.2.0
    I like to have the possibility to define templates on the level of table rows. If I am correct, currently the 'lowest' level of a .jtt template is the $FORM_ITEMS$ token. According to the userguide this token "is used to indicate the place where a form must be generated". My question is now: How can I influence this generation process? For example, I want to embed text-items within <c:if's in order to conditionally set a text-item attribute. Am I right to conclude that on this "deeper" level of a jsp (for instance table-row level), it is not possible to define templates?
    If so, I want to request an enhancement for a further 'fine-graining' of the templating technique.
    Thanks and greetings, Erik

    Erik,
    Yes, this is not possible in the current release.
    Your enhancement request has already been implemented for the JDev10.1.3/Faces release. We will then support two kinds of tokens, one that outputs all items as it is today ($FORM_ITEMS$ or $TABLE_ITEMS$), and one token that refers to an individual item. This reference can be both on index number and name:
    FORM_ITEM_1 or
    FORM_ITEM_DepartmentName
    This will allow you to lay out the items exactly as you want.
    Note that in the 10.1.3 release, we will also support item-level templates where you can add code to conditionally render items.
    Steven Davelaar,
    JHeadstart Team.

  • Security Permissions from Management Console Not Being Replicated on SQL Server Database

    Hi Everyone,
    We have been encountering issues with access to Reporting Services for most console users since we upgraded to SCCM 2012 R2. We have observed that since the R2 upgrade, security permissions that are set in the console are not being replicated on the SQL database. Users/Groups that had access prior to the R2 upgrade are now only able to access Reports via the web interface. All new users/groups are not able to get access at all.
    We are not sure what the problem could be and would appreciate any guidance.
    We have tried the following without success:
    Manually adding new users/groups to the database
    Reinstalling the Reporting Service point and Reporting Service, removing all of the security groups from the console and from the database, and adding the security groups back to the console.
    Our current environment:
    SCCM 2012 R2
    1 Site
    Primary Site:
    OS: Server 2008 R2
    Roles: Site Server / Software Update Point / Management Point
    SQL Server
    OS: Server 2008 R2
    SQL Version: Microsoft SQL Server 2008 R2
    Roles: Site Database Server / Reporting Services Point

    Thanks for your feedback.
    Permissions
    We have two main types of users: Full Administrators and local departmental IT administrators. (Local IT Admins only have full control over their own departmental collections. They have Read/Add to All Systems.)
    The only account that's currently able to run Reports from both the console and web is the admin account used to perform the R2 upgrade. 
    Full Administrator
    Role: Full Administrator
    Scope: All instances of the objects that are related to the assigned security roles.
    Local Departmental Administrator
    Role: Full Administrator & Read/Add
    Scope: Main Departmental Collection (Full Admin) & All Systems, All Users, and All User Groups (Read/Add)
    Report Service Execution
    On the database, we have tried assigning the Report Service Execution Account to the built-in Network Service Account, Local Service Account, and to a separate AD role account.
    Error Messages
    Console: We are able to select reports from the Console however nothing appears when we click on Run.
    Web: Generating Reports from the Web works for only the Full Administrators. Nothing appears for a Local Departmental Admin.
    This is a partial output from srsrp.log:
    Set configuration    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Check state    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Check server health.    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Successfully created srsserver    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Reporting Services URL from Registry [http://132.205.120.154/ReportServer/ReportService2005.asmx]    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Reporting Services is running    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Retrieved datasource definition from the server.    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    [SCM-SQL.concordia.ca] [CM_SCM] [ConfigMgr_SCM] [SCM-SQL.CONCORDIA.CA]    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    [MSSQLSERVER] [1] [] [CONCORDIA\SVC-SCM_REPORT]    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    [1] [0]    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Confirmed version [10.50.2811.0] for the Sql Srs Instance.    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Retrieved datasource definition from the server.    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Updating data source {5C6358F2-4BB6-4a1b-A16E-8D96795D8602} at ConfigMgr_SCM    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Loading localization resources from directory [E:\SMS_SRSRP\SrsResources.dll]    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Looking for 'English (United States)' resources    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Looking for 'English' resources    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Found resources for 'English'    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:05 PM    2588 (0x0A1C)
    Confirmed the configuration of SRS role [ConfigMgr Report Users].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Confirmed the configuration of SRS role [ConfigMgr Report Administrators].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Error retrieving users - [The EXECUTE permission was denied on the object 'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Error retrieving users - [The EXECUTE permission was denied on the object 'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Confirmed the security policy for folder [/].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Error retrieving users - [The EXECUTE permission was denied on the object 'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Error retrieving users - [The EXECUTE permission was denied on the object 'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Confirmed the security policy for folder [/ConfigMgr_SCM].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Error retrieving users - [The EXECUTE permission was denied on the object 'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Error retrieving users - [The EXECUTE permission was denied on the object 'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Confirmed the security policy for folder [/ConfigMgr_SCM/Asset Intelligence].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Error retrieving users - [The EXECUTE permission was denied on the object 'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
    Error retrieving users - [The EXECUTE permission was denied on the object 'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:06 PM    2588 (0x0A1C)
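
The srsrp.log excerpt above repeats one permission failure many times. The following triage script is an added example, not part of the original post or of Configuration Manager: it collapses those lines into one finding per denied object. It assumes the line layout shown in the excerpt and that errors logged just before a "Confirmed the security policy for folder" line relate to that folder.

```python
import re

# Line layout as rendered in the excerpt: message, component, timestamp, thread.
LINE = re.compile(r"^\s*(?P<msg>.*?)\s+(?P<comp>SMS_\w+)\s+"
                  r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
                  r"\d+ \(0x[0-9A-Fa-f]+\)\s*$")
DENIED = re.compile(r"The (?P<perm>\w+) permission was denied on the object "
                    r"'(?P<obj>[^']+)', database '(?P<db>[^']+)', schema '(?P<schema>[^']+)'")
FOLDER = re.compile(r"Confirmed the security policy for folder \[(?P<path>[^\]]*)\]")

def triage(lines):
    """Collapse repeated permission-denied entries into one finding per object."""
    findings, pending = {}, []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # blank or wrapped line: skip rather than guess
        denied = DENIED.search(m["msg"])
        if denied:
            key = (denied["perm"], denied["db"], denied["schema"], denied["obj"])
            f = findings.setdefault(key, {"count": 0, "first": m["ts"], "folders": []})
            f["count"] += 1
            f["last"] = m["ts"]
            pending.append(key)
            continue
        folder = FOLDER.search(m["msg"])
        if folder:
            # Assumption: errors logged just before a folder line belong to it.
            for key in pending:
                if folder["path"] not in findings[key]["folders"]:
                    findings[key]["folders"].append(folder["path"])
        pending = []  # any non-error line ends the current run of errors
    return findings

TAIL = "    SMS_SRS_REPORTING_POINT    3/10/2015 2:28:0{} PM    2588 (0x0A1C)"
ERR = ("Error retrieving users - [The EXECUTE permission was denied on the object "
       "'spGetReportUsers', database 'CM_SCM', schema 'SCCM_Rpt'.].")
# Constructed sample in the excerpt's layout; the last two errors have no folder
# line after them, as in the partial log above.
SAMPLE = [
    "Confirmed the configuration of SRS role [ConfigMgr Report Users]." + TAIL.format(6),
    ERR + TAIL.format(6), ERR + TAIL.format(6),
    "Confirmed the security policy for folder [/]." + TAIL.format(6),
    ERR + TAIL.format(6), ERR + TAIL.format(6),
    "Confirmed the security policy for folder [/ConfigMgr_SCM]." + TAIL.format(6),
    "", ERR + TAIL.format(7), ERR + TAIL.format(7),
]

if __name__ == "__main__":
    for (perm, db, schema, obj), f in triage(SAMPLE).items():
        print(f"{perm} denied on {db}.{schema}.{obj}: {f['count']} hits, "
              f"{f['first']} to {f['last']}, folders {f['folders']}")
```

A single finding with a high count across every folder points at one missing grant on one object rather than at per-folder report security.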

  • Fine-grained control with Magic Trackpad?

    One thing I find difficult with the Magic Trackpad is making very small adjustments to slider controls in apps such as image and audio editors. I'm referring to the sort of sliders that are sensitive to mouse scroll wheels.
    Aside from keeping a mouse connected to operate these controls, or going back and forth to System Preferences to change the tracking speed, are there any ways to do this more easily with a trackpad? For example, a utility that lets you switch to fine-grained movement with the trackpad when you hold down a certain key?

    you do not invalidate the session, but the session object is
    unavailable only on that page. That is my understanding of how this works.
    In effect it removes the implicit call to request.getSession(true) that every jsp makes to populate the variable "session"
    If I use the <c:url> tag on page 2 using a cookieless browser the link
    is still encoded with the session? Sorry, don't know that one.
    The <url> tag will still call response.encodeURL() of course.
    I'm not sure if it would pick up the presence of the sessionid or not though.
    The session is definitely still there.
    The cookie (if present) is obviously still there.
    The sessionId is sent as part of the request.
    Theoretically it SHOULD pick it up and encode it still if present. I've never tried it myself though.
    Good luck,
    evnafets
