Grant Access on .sys owned objects...?

For example purposes, say I need to grant SELECT on DBA_USERS to a role; how is this possible? I'm looking to grant this explicitly and not through SELECT ANY DICTIONARY.
Do I need to run the grant statement from the SYS ID? As I have the grant any priv and any obj priv, it seems that will not suffice....
Thanks!

One way to do this is to create a stored procedure owned by a privileged user which has the right to grant the needed privilege. You only need to grant EXECUTE privilege on this procedure to the admin team.
In this example, the owner is OPS$ORACLE and the admin user is NEW.
The procedure should make some additional checks according to your security rules.
SQL> show user
USER is "SYS"
SQL> grant select on dba_users to ops$oracle with grant option;
Grant succeeded.
SQL> connect  /
Connected.
SQL> show user
USER is "OPS$ORACLE"
SQL> create or replace procedure gs (guser in varchar2)
  2  as
  3  begin
  4  execute immediate 'grant select on sys.dba_users to ' || guser;
  5  end;
  6  /
Procedure created.
SQL> show errors
No errors.
SQL>
SQL> drop user new;
User dropped.
SQL> drop user old;
User dropped.
SQL> create user old identified by old;
User created.
SQL> grant connect to old;
Grant succeeded.
SQL> create user new identified by new;
User created.
SQL> grant connect to new;
Grant succeeded.
SQL> grant execute on gs to new;
Grant succeeded.
SQL>
SQL> connect new/new
Connected.
SQL> exec ops$oracle.gs('OLD');
PL/SQL procedure successfully completed.
SQL>
SQL> connect old/old
Connected.
SQL> select count(*) from dba_users;
  COUNT(*)
     33
Edited by: P. Forstmann on May 27, 2009 10:21 PM
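A hardened version of the gs procedure from the answer above, added here as an example and not part of P. Forstmann's post. It assumes the same setup (OPS$ORACLE holds SELECT ON SYS.DBA_USERS WITH GRANT OPTION, the admin account is NEW) and adds the "additional checks" the answer mentions: DBMS_ASSERT validates the guser parameter so it cannot alter the statement built for EXECUTE IMMEDIATE, built-in accounts and self-grants are refused, and every request is recorded in an assumed grant_audit table.

```sql
-- Added example (not from the original thread). Run as the procedure owner
-- (OPS$ORACLE), who already holds SELECT ON SYS.DBA_USERS WITH GRANT OPTION.
-- grant_audit is an assumed table name for this example.
CREATE TABLE grant_audit (
  granted_at   TIMESTAMP      DEFAULT SYSTIMESTAMP NOT NULL,
  requested_by VARCHAR2(128)  NOT NULL,   -- account that called the procedure
  grantee      VARCHAR2(128)  NOT NULL,   -- validated target account
  statement    VARCHAR2(4000) NOT NULL    -- exact DDL that was executed
);

CREATE OR REPLACE PROCEDURE gs (guser IN VARCHAR2)
  AUTHID DEFINER   -- the default, made explicit: runs with the owner's rights
AS
  l_grantee VARCHAR2(128);
  l_sql     VARCHAR2(4000);
BEGIN
  -- 1. Validate the identifier. DBMS_ASSERT.SCHEMA_NAME returns the name only
  --    if that schema exists and raises ORA-44001 otherwise, so the parameter
  --    can never smuggle extra SQL into the EXECUTE IMMEDIATE below.
  --    UPPER assumes conventional (case-insensitive) usernames, as in the thread.
  l_grantee := DBMS_ASSERT.SCHEMA_NAME(UPPER(guser));

  -- 2. Policy checks according to local security rules: refuse built-in
  --    accounts and refuse to let a caller grant to its own account.
  IF l_grantee IN ('SYS', 'SYSTEM') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Grant to ' || l_grantee || ' is not permitted');
  END IF;
  IF l_grantee = SYS_CONTEXT('USERENV', 'SESSION_USER') THEN
    RAISE_APPLICATION_ERROR(-20002, 'Self-grant is not permitted');
  END IF;

  -- 3. Build the statement from the validated identifier only, quoted so
  --    that the name is taken literally by the parser.
  l_sql := 'GRANT SELECT ON SYS.DBA_USERS TO '
        || DBMS_ASSERT.ENQUOTE_NAME(l_grantee, FALSE);

  -- 4. Record who asked for what, then execute. DDL commits implicitly, so
  --    the audit row persists even if the grant itself then fails.
  INSERT INTO grant_audit (requested_by, grantee, statement)
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), l_grantee, l_sql);
  EXECUTE IMMEDIATE l_sql;
END gs;
/

-- The admin account only ever needs EXECUTE on the procedure; it does not
-- need GRANT ANY OBJECT PRIVILEGE or SELECT ANY DICTIONARY.
GRANT EXECUTE ON gs TO new;
```

Calling `exec ops$oracle.gs('OLD')` as NEW then behaves as in the thread, while `gs('OLD; grant dba to old')` or a non-existent name is rejected by DBMS_ASSERT before any DDL runs.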

Similar Messages

  • ORA-28336: cannot encrypt SYS owned objects

    Hi, I am getting the following error during impdp.
    Processing object type SCHEMA_EXPORT/TABLE/STATISTICS/TABLE_STATISTICS
    ORA-31693: Table data object "IDCFAPP"."ROBJECTOFSERVICE" failed to load/unload and is being skipped due to error:
    ORA-28336: cannot encrypt SYS owned objects
    any suggestions?

    ORA-31693: Table data object string failed to load/unload and is being skipped due to error: string
    Cause: Table failed to load or unload due to some error.
    Action: Check load/unload error, correct problem and retry command.
    This error is most likely because the SQL statements were run from the SYS user account
    ~ Madrid

  • How to access sys owned objects for role based web user?

    Hi,
    We have tables and packages etc. owned by the test schema user, and we access the applications using mod_plsql through a DAD. We created a webuser role and granted the execute privileges to the webuser role. We have some packages that access SYS-owned objects such as dbms_random, on which the test user has execute privilege. How can I get these privileges to webuser? I don't like to give webuser execute privileges over the web. Any other thoughts and insights would be appreciated.
    Thanks for the help!

    Use invoker's rights instead of definer's rights and you won't need 'direct' grants anymore.
    create or replace procedure foo authid current_user is
    begin
    dbms_random....
    end;
    Sybrand Bakker
    Senior Oracle DBA

  • GRANT ACCESS with sys user

    hi
    I have a user with objects, tables, views and procedures, but it doesn't have DBA privileges... how can I grant access to all the users to these objects? (with the sys or system user).
    thanks for your help.
    alex

    Hello,
    Every user in database has its objects and DBA privileges are not for everyone.
    "how can i grant access to all the user to these objects? (with the sys or system user)" <<<<<< Can you explain these lines? What's your requirement? Please state clearly...
    As far as I understand your problem, you require that all other users of the database should be able to access the objects of the user (let's say A) which you specified in the first line.
    For this purpose create public synonyms for all objects of user A and grant. So, everyone can use the objects of "A's" schema.
    Please update..... if you got the point or not...

  • Grant access to SYS.V$TEMP_SPACE_HEADER view - how to?

    Hi,
    I created a user. I am trying to give select access on some of the System tables and views to this user to retrieve some information about the database.
    When I try
    grant select on sys.v$temp_space_header to usr1;
    I am getting the following error
    grant select on sys.v$temp_space_header to usr1
    ERROR at line 1:
    ORA-02030: can only select from fixed tables/views
    I am getting the same error when I try to give select access to SYS.V$TEMPSTAT view also.
    Does anyone know why this error is coming? Please let me know how I can grant select access to the user for these views.

    Hi,
    These two views are synonyms.
    SQL> grant select on sys.V$TEMPSTAT to scott;
    grant select on sys.V$TEMPSTAT to scott
    ERREUR à la ligne 1 :
    ORA-02030: une sélection n'est autorisée que depuis des tables fixes/vues
    SQL> grant select on sys.V$TEMP_SPACE_HEADER to scott;
    grant select on sys.V$TEMP_SPACE_HEADER to scott
    ERREUR à la ligne 1 :
    ORA-02030: une sélection n'est autorisée que depuis des tables fixes/vues
    SQL> select synonym_name,table_name
    2 from dba_synonyms
    3 where synonym_name in ('V$TEMP_SPACE_HEADER','V$TEMPSTAT');
    SYNONYM_NAME TABLE_NAME
    V$TEMPSTAT V_$TEMPSTAT
    V$TEMP_SPACE_HEADER V_$TEMP_SPACE_HEADER
    SQL> grant select on sys.V_$TEMPSTAT to scott;
    Autorisation de privilèges (GRANT) acceptée.
    SQL> grant select on sys.V_$TEMP_SPACE_HEADER to scott;
    Autorisation de privilèges (GRANT) acceptée.
    Nicolas.

  • Trigger on SYS owned tables/views

    Hello DBA's,
    I need to achieve something for which I have to write a trigger on SYS owned tables/views.
    My question is, IS IT POSSIBLE TO WRITE A TRIGGER ON SYS OWNED OBJECTS? If so please provide me a simple example.
    Depending on the value which will be inserted or updated into these sys views/tables, I have to submit a "job" which will in turn do some operation depending on the "value" which was inserted or updated on this view/table.
    Thankz in advance..
    Binny

    Justin,
    I will give some simple example...
    User-1 created a procedure... it will be in valid state.. after some time this procedure will be invalidated... (due to some other procedure creation, etc.)..
    Stage1, during successful creation of procedure the status will be VALID (in DBA_OBJECTS)
    Stage2, the status will be INVALID..
    I need to write a trigger for this status change in dba_objects.. The status change will be caused due to some other operation..
    Is it possible to write a trigger at the point of status change? if so how?.
    This is the simple example I have remembered.
    Let me know about this..
    Thankz
    Binny

  • Grant access to all object/tables in other schemas to a user

    Is there any and simple way to grant access to all object/tables in other schemas (more than one) to a scheme/user?
    Thanks.
    Tarman.

    HI.
    grant SELECT ANY TABLE, delete any table, insert any table to user; Giving this delete/insert ANY TABLE privilege to a user can be dangerous and the user can misuse it. It's better to create a dynamic script and then grant it.
    E.g. suppose you want to give select, insert, delete, update privileges to user A on user B's objects.
    sql> spool grants.sql
    sql> select 'grant select,insert,update,delete on '||owner||'.'||table_name||' to A;' from dba_tables where owner='B';
    sql> spool off
    sql> @grants.sql
    HTH
    Anand

  • Grant access to all the views created in user schema to another schema

    How to grant access for all the views created in own HAGGIS schema to comqdhb schema on the HAGGIS database.
    Oracle Grant Privileges
    ===============
    Object privileges assign the right to perform a particular operation on a specific object
    I read that we can use select 'grant select on' ||view_name||'HAGGIS' user_views where owner='COMQDHB'
    Is this right
    Oracle System Privileges
    ===============
    System privileges should be used only in cases where security isn't important, because a single grant statement could remove all security from the table
    Role based security
    ============
    Role security allows you to gather related grants into a collection; since the role is a predefined collection of privileges that are grouped together, privileges are easier to assign to users.
    [http://www.dba-oracle.com/art_builder_grant_sec.htm]
    can we grant select update to all the views at a time to the other schema.
    Are there any other ways to secure the data other than creating users and assigning roles.
    Thank you
    Edited by: Trooper on Dec 23, 2008 9:24 AM

    I think what was suggested was that you use SQL to generate the grants on each and every view, that is, you use SQL to generate SQL where the SQL being generated is "grant select on view_name to role".
    If your users connect to Oracle you have to create usernames for them, though if the users only connect via an application the application might run just as one user and access to the application is controlled via application security. The control on the application can be via Directory Services such as OID or MS Active Directory. User access to Oracle can also be controlled via OID.
    To connect to Oracle you can use OS authentication (not recommended), usernames with passwords, or the Advanced Security Option which supports single sign-on products like Kerberos or Oracle Internet Directory etc....
    Example using SQL to generate SQL
    How do I find out which users have the rights, or privileges, to access a given object ?
    http://www.jlcomp.demon.co.uk/faq/privileges.html
    HTH -- Mark D Powell --

  • To prevent user from droping his own object .

    Dear User
    I have a database user like "aaa" in an Oracle 7.3.4.0.1 database. I do not want user "aaa" to drop his own schema objects, like tables and any other objects that he owns. Do I have any system privilege to stop this user from doing so? The user should be able to create objects and modify objects but not to drop his own objects. For this purpose I have created a database trigger at database level to stop user "aaa" from doing the above action. This trigger is giving me an error on creation in Oracle 7.3.4.0.1. But when I tried the same trigger in Oracle 8i and 9i it works well. In Oracle 8i and 9i it is preventing the user from dropping his own objects, but I get other errors also along with the raised error in the trigger which I want to stop. The error which I am raising in the trigger is
    ORA-20001 INVALID COMMAND, but the other two errors that are raised automatically are
    ORA-00604 ERROR OCCURRED AT RECURSIVE SQL LEVEL 1
    and
    ORA-06512 AT LINE 8
    I want to stop these two errors.
    Please help me in this regard as soon as possible.
    Please tell me if there is any system privilege to stop a user from dropping his own objects, or any other way along with a trigger at database level.
    Thank you.

    Hi
    DBAs can use PRODUCT_USER_PROFILE (in system schema) to disable certain SQL and SQL*Plus commands in the SQL*Plus environment on a per-user basis. SQL*Plus, not Oracle, enforces this security. DBAs can even restrict access to the GRANT, REVOKE, and SET ROLE commands in order to control users' ability to change their database privileges.
    The PRODUCT_USER_PROFILE table enables you to list roles which you do not want users to activate with an application. You can also explicitly disable use of various commands, such as SET ROLE. For example, you could create an entry in the PRODUCT_USER_PROFILE table to:
    read more about this at
    http://download-west.oracle.com/docs/cd/B10501_01/server.920/a90842/ch10.htm#1005648

  • Grant access to users from different Domains

    Hi,
    Recently my company was merged with another. All users from my company are set up in our Domain (DomainA). SharePoint is able to see the users in this domain and grant access to the users as well. When the merger happened, we created a Group (Test - Sharepoint)
    in our AD to add groups from the other company's domain: DomainB, a totally different Forest. There is a two-way trust set up between these domains. The group Test-Sharepoint is "domain local" and it is able to see the groups/users from the other domain: DomainB.
    The other users are now able to access our SharePoint environment once access is granted to DomainA\Test-Sharepoint.
    The problem came when we applied Audience targeting around a few web parts. The users from DomainB who are added as objects in DomainA\Test-Sharepoint (group in DomainA) are not able to see the web parts that have audience targeting for this group. Someone
    suggested that AD groups should be Global or Universal but that is not our case. Most of the groups in our AD are domain local and SP is able to see the users within them.
    Please suggest how we can resolve the audience targeting issue?
    Regards, Kapil ***Please mark answer as Helpful or Answered after consideration***

    My apologies, yes that is correct you'll have to use Domain Local in this case. http://technet.microsoft.com/en-us/library/cc755692(v=WS.10).aspx
    Actually what you'll need to do is not use Groups in your domain at all, as the users are Foreign Security Principals. Instead, use a group in the trusted domain, or attributes of the users you intend to target directly.
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • How Can a User Access Georaster Data Owned by Another User

    We are unable to view raster data owned by one user with another user.
    Have a user that owns a Georaster table, and a spatial index table.
    We create another user, and grant him "SELECT", or "ALL" to these two tables.
    We still run into problems where the second user can not see some other table from the first user, so we run until we get an error message about some table, grant access to the table, and the next table, until we finally receive an error when trying to grant access to some table.
    "grant select on LGGI_DSC_COL_DBL_DATA_81 to schen;"
    ERROR at line 1:
    ORA-01720: grant option does not exist for 'LEICASYS.EDSC_VARRAY_DBL'
    Here are the users, and tables specific to our example
    User A: ORTHO (supplier)
    User B: SCHEN (consumer)
    We are trying to allow SCHEN view data from the raster table ORTHO.DEMOTB
    We grant SCHEN "ALL" on ORTHO.DEMOTB, ORTHO.LGGI_RDT_ORTHO_C1, ORTHO.LGGI_DSC_COL_MAP, then we fail granting access to ORTHO.LGGI_DSC_COL_DBL_DATA_81
    What are we doing wrong, it seems like this is a common work flow, we must be missing something obvious.

    Derrick,
    I suppose mashing up both Dan's answer and mine in this case is your best (and only option). The error, ORA-01720: grant option does not exist for 'LEICASYS.EDSC_VARRAY_DBL', is pointing to the fact that you not only have a GeoRaster table with GeoRaster and other native Oracle types, but also some extra user defined types (UDT) which your group has built to store nested arrays of information. Because the UDT in the table is its own object (just like a table is its own object) you must ALSO grant privileges to the UDT in order to use them in a cross-schema setup.
    In other words, this is not a simple "how do I use GeoRaster across schemas" question; this is a "how do I use GeoRaster, plus other UDTs that I have defined myself, across schemas" question.
    In this case you will have to login as a DBA or the user who created the EDSC_VARRAY_DBL type (LEICASYS), and specifically grant privileges on this type. Does that make sense? I know it's more work than what I alluded to before, but this is a different problem outside of the scope of GeoRaster.
    Finally, I work for Leica Geosystems, and noticed that your schema is called LEICASYS. If you would like to contact me directly you may do so at Justin dot Lokitz at lggi dot com.
    -Justin

  • X$object_affinity_statistics stats for SYS owner objects .

    Hi,
    I'm on 10.2.0.3 Linux RAC, and I've got a question about SYS owned objects and Dynamic Remastering.
    my affinity settings are
    NAME                                          VALUE                          DESCRIPTION
    _lm_drm_max_requests                          100                            dynamic remastering maximum affinity requests processed
                                                                                 together
    _lm_num_pt_buckets                            4096                           number of buckets in the object affinity hash table
    _lm_num_pt_latches                            128                            number of latches in the object affinity hash table
    _lm_file_affinity                                                            mapping between file id and master instance number
    _gc_undo_affinity                             TRUE                           if TRUE, enable dynamic undo affinity
    _gc_affinity_time                             10                             if non zero, enable dynamic object affinity
    _gc_affinity_limit                            50                             dynamic affinity limit
    _gc_affinity_minimum                          6000                           dynamic affinity minimum activity per minute
    _gc_dynamic_affinity_locks                    TRUE                           if TRUE, get dynamic affinity locks
    _gc_undo_affinity_locks                       TRUE                           if TRUE, get affinity locks for undo
    _gc_dissolve_undo_affinity                    FALSE                          if TRUE, dissolve undo affinity after an offline
    _gc_initiate_undo_affinity                    TRUE                           if TRUE, initiate undo affinity after an online
    _affinity_on                                  TRUE                           enable/disable affinity at run time
    _enable_default_affinity                      0                              to enable default implementation of affinity osds
    but are those objects (SYS owned) done differently?
    Or as usual segments?
    Regards
    GregG

    Hi,
    All_objects is a view in the sys schema.
    This view has a lot of where clauses; one where clause is to find who is executing the query, through a condition (userenv('SCHEMAID'), 1 /* PUBLIC */).
    Then it also has a condition to check the privileges of the user who is querying (sys.objauth$) against all the objects in the database (obj$).
    These two conditions, along with many other conditions, help Oracle to show you only the objects to which you have access.
    Regards
    Anurag Tibrewal.

  • Grant permissions on sys.sql_logins doesn't work: why?

    Using admin user I try to run:
    3> GRANT SELECT ON sys.sql_logins TO someuser
    4> go
    Msg 15151, Level 16, State 1, Server ..., Line 2
    Cannot find the object 'sql_logins', because it does not exist or you do not have permission.
    1>
    Why is that?

    Hi Martin
    No, it won't work.
    Features that are Not Supported in SQL Database
    GRANT/REVOKE/DENY endpoint, server-level, server principal, and system object permissions
    and related system tables such as sys.server_principals and sys.server_permissions.
    If you have any feedback on our support, you can click here.
    Eric Zhang
    TechNet Community Support

  • How to grant access to?????

    User needs read access to triggers, procedures, function and MV's on all schema.
    Which system privileges I have to grant?

    If we're limiting ourselves to SQL*Plus, then access to the appropriate DBA_ tables, like DBA_SOURCE, should be sufficient. I assume that Amiel made a typo when he referred to the ALL_ tables-- every user has access to the ALL_SOURCE table by default, the rows that are returned from that view depend on the privileges the user has to execute that particular piece of code. The DBA_SOURCE table, on the other hand, has the source for all the PL/SQL in the database, so users with access to DBA_SOURCE can see the source code for any procedure/ package/ function in the database.
    SCOTT @ jcave102 Local> conn / as sysdba
    Connected.
    SYS @ jcave102 Local> create user sam identified by sam;
    User created.
    Elapsed: 00:00:00.29
    SYS @ jcave102 Local> grant create session to sam;
    Grant succeeded.
    Elapsed: 00:00:00.06
    SYS @ jcave102 Local> grant select on sys.dba_source to sam;
    Grant succeeded.
    Elapsed: 00:00:00.18
    SYS @ jcave102 Local> conn sam/sam
    Connected.
    SAM @ jcave102  > ed
    Wrote file afiedt.buf
      1  select text
      2  from dba_source
      3  where owner = 'SCOTT'
      4  and name = 'GET_NUM_TBL'
      5* order by line
    SAM @ jcave102  > /
    TEXT
    function get_num_tbl
      return num_tbl
    is
      l_nums num_tbl;
    begin
      l_nums := num_tbl();
      l_nums.extend;
      l_nums(1) := 1;
      return l_nums;
    end;
    10 rows selected.
    Elapsed: 00:00:00.06
    Justin

  • Grant access to individual content

    Hello,
    I'm currently implementing a UCM solution and I came upon a customer requirement that I don't even know if it is possible to implement with UCM.
    I will try to explain by giving an example:
    The company has 2 Departments: Department 1 and Department 2, and for each department a Security Group was created:
    SG_DEP_1 for Department 1 and SG_DEP_2 for Department 2.
    The company also has 2 users, one for each department, with full access:
    BOB_1 has RWDA to SG_DEP_1 and EDDIE_2 has RWDA to SG_DEP_2.
    Each user can manage his own Security Group, but what happens if BOB_1 needs to show a document to EDDIE_2 (example: for asking EDDIE_2 for legal advice on a given document)? Could BOB_1 grant read access to EDDIE_2 on that specific document? (I'm not talking about granting access to SG_DEP_1, just the document).
    Note: in my specific projects, there are at least a dozen Departments, each tightly secured, but with needs to show 'some' content on a daily basis. What the customer really needs is the ability to specify access permissions individually on each content item (groups or specific users).
    How would you implement such a use case? I'm starting to consider the possibility of having to implement a BPM, or something like that, to provide this level of control.
    Thanks
    Luís Duarte
    Edited by: user10359998 on Sep 25, 2008 4:19 AM

    Hi!
    In the HowtoComponents, there is a component named "SecurityFilter" :
    "This component demonstrates how to use the 'alterUserCredentials' filter to temporarily boost a user's security privileges for one request. This filter is useful for dynamically granting accounts and roles for specific service requests, or for specific users." quoting the readme of the component.
    You can download it there : http://www.oracle.com/technology/products/content-management/ucm/samples/index.html
    Hope it helps!
    romain.
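Following up on the two threads above about granting access to every table or view in a schema (Anand's spooled grants.sql script and Mark D Powell's "SQL generating SQL"), here is an added example that is not from either post: a PL/SQL block that grants SELECT on every view owned by HAGGIS to a role, then gives the role to COMQDHB. HAGGIS_RO is an assumed role name; the block is meant to be run by a DBA or by the view owner.

```sql
-- Added example (not from the original threads). Identifiers are read from
-- the data dictionary and quoted with DBMS_ASSERT.ENQUOTE_NAME, so a
-- mixed-case or unusual view name cannot break the generated statement.
CREATE ROLE haggis_ro;   -- assumed role name

DECLARE
  -- SCHEMA_NAME raises ORA-44001 if the owner does not exist, which stops
  -- the block before any GRANT is attempted against a mistyped schema.
  l_owner CONSTANT VARCHAR2(128) := DBMS_ASSERT.SCHEMA_NAME('HAGGIS');
  l_sql   VARCHAR2(4000);
  l_count PLS_INTEGER := 0;
BEGIN
  FOR v IN (SELECT view_name
            FROM   dba_views
            WHERE  owner = l_owner
            ORDER  BY view_name)
  LOOP
    l_sql := 'GRANT SELECT ON '
          || DBMS_ASSERT.ENQUOTE_NAME(l_owner, FALSE) || '.'
          || DBMS_ASSERT.ENQUOTE_NAME(v.view_name, FALSE)
          || ' TO haggis_ro';
    EXECUTE IMMEDIATE l_sql;
    l_count := l_count + 1;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(l_count || ' view grants issued to HAGGIS_RO');
END;
/

-- Consumers receive the role rather than a pile of individual grants.
GRANT haggis_ro TO comqdhb;

-- Check: one SELECT privilege per HAGGIS view should now be held by the role.
SELECT COUNT(*) AS granted_views
FROM   dba_tab_privs
WHERE  grantee = 'HAGGIS_RO' AND owner = 'HAGGIS' AND privilege = 'SELECT';
```

One caveat a reader of these threads should keep in mind: privileges obtained through a role are not visible inside definer's-rights stored procedures, so if COMQDHB's own packages need to reference HAGGIS views, those objects still need direct grants (the same loop with `TO comqdhb` in place of the role).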
