Grant Privileges in Database Vault for DATAPUMP.
Hi,
I am using ORACLE DATABASE 11g R2.
I have installed/enabled DATABASE VAULT 11g on it.
I have configured many users in it for privileges like 'SELECT on table', 'INSERT on table', DELETE ...
I want to give a user DATAPUMP privilege so that he can export and import.
I have 2 users.
1) MAIN
2) BACKUP
MAIN user is the owner and the most important schema. Now I want one more schema named 'BACKUP' which will be able to take backup from MAIN schema. NO OTHER SCHEMA SHOULD BE ALLOWED TO TAKE BACKUP OF MAIN SCHEMA, NOT EVEN SYS.
Can anyone tell me how I can grant proper privilege to BACKUP schema so that he can use DATAPUMP and import/export from OS prompt on the MAIN schema?
NOTE: I have Database Vault installed on my server. Please let me know what RULES or RULE SETS I need to make to make this happen.
Thanks in advance.
I have managed with privileges to grant BACKUP user right to start an IMPORT but I get these errors while importing:
Failing sql is:
CREATE TABLE "MAIN"."FLX_PM_OFFER_SELECTOR_B" ("USER_NAME" VARCHAR2(50 BYTE), "PRODUCT_GROUP" VARCHAR2(5 BYTE), "REFERENCE_NUM" VARCHAR2(30 BYTE) NOT NULL ENABLE, "SESSION_STATE" VARCHAR2(5 BYTE), "OFFER_FEATURES" BLOB, "RECOMMENDED_OFFERS" VARCHAR2(500 BYTE), "SELECTED_OFFERS" VARCHAR2(500 BYTE), "MAKER_NAME" VARCHAR2(12 BYTE), "MAK
ORA-39083: Object type TABLE:"MAIN"."FLX_PM_ACCOUNT_ROLE_FLOW" failed to create with error:
ORA-47401: Realm violation for CREATE TABLE on MAIN.FLX_PM_ACCOUNT_ROLE_FLOW
I am getting this error for all the objects: SYNONYM, SEQUENCE,
I have granted MAIN users all the privileges but still I am getting these errors. Do I need to create any realm or rule set for this?
Thanks.
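Applied to the BACKUP/MAIN question above, the realm and Data Pump authorizations could look like this. It is an added example, not part of the original post: `MAIN Schema Realm` is a placeholder for whatever realm already protects MAIN, and the statements assume a session with the DV_OWNER or DV_ADMIN role.

```sql
-- Added example, not from the original post. Run as an account with DV_OWNER or DV_ADMIN.
-- Assumption: a realm already protects MAIN (the ORA-47401 above comes from one);
-- 'MAIN Schema Realm' is a placeholder for its real name.

-- 1. Which realms cover MAIN's objects?
SELECT realm_name, object_name, object_type
FROM   dvsys.dba_dv_realm_object
WHERE  owner = 'MAIN';

-- 2. Who is authorized in those realms today? Accounts that are not listed are
--    blocked from using ANY privileges on the protected objects, SYS included.
SELECT realm_name, grantee, auth_options, auth_rule_set_name
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name IN (SELECT realm_name
                      FROM   dvsys.dba_dv_realm_object
                      WHERE  owner = 'MAIN')
ORDER  BY realm_name, grantee;

-- 3. Authorize BACKUP for realm access and for Data Pump on MAIN only.
BEGIN
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'MAIN Schema Realm',
    grantee       => 'BACKUP',
    rule_set_name => NULL,
    auth_options  => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- The second argument limits the Data Pump authorization to the MAIN schema.
  DVSYS.DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('BACKUP', 'MAIN');
END;
/

-- 4. Re-run query 2 and remove any grantee that should not be there, for example:
-- EXEC DVSYS.DBMS_MACADM.DELETE_AUTH_FROM_REALM('MAIN Schema Realm', '<GRANTEE>')
```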
Similar Messages
-
Grant privileges to a user for user_lock
user_lock.sleep (3000);
I am using it in my procedure.
Is it required to grant privileges to a user for user_lock?
There is no built-in package named user_lock. Actually it is dbms_lock.
http://download-east.oracle.com/docs/cd/B19306_01/appdev.102/b14258/d_lock.htm#sthref3898
I was using dbms_lock a few days ago. Yes, the DBA has to give the privilege to use this package.
SQL> grant execute on dbms_lock to scott;
Grant succeeded.
[My experiment]
http://mamohiuddin.blogspot.com/2007/02/plsql-block-abnormal-termination-ed.html -
DBUM Integration With Database Vault Realms
The dbum connector documentation mentions
"...In Oracle Database installations on which Oracle Database Vault is installed, the connector can be used to grant and manage authorization to Oracle Database Vault realms. The connector treats access to Oracle Database Vault realms as an entitlement. You can use the connector to provision database users with access to multiple realms with different levels of access.."
http://docs.oracle.com/cd/E22999_01/doc.111/e28315/intro.htm#CHDICGJF
but after setting up Database Vault and successfully running direct provisioning using the dbum connector, I could not grant access to Database Vault realms. As far as I understood, the connector should present Database Vault realms as entitlements, but I did not find any scheduled task or lookup to enable this feature.
Any help is more than appreciated.
Hi.
Note 428503.1 is applicable to Database Version 10.2.0.4 with EBS 11i. That is not what you're trying to achieve, you want 10.2.0.4 with EBS 12. (I was able to find note 428503.1 by the way)
There are two notes :
Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.3 : 744363.1
Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.5 : 11397981.1
So, I am not sure if you can integrate EBS 12 with 10.2.0.4. I would at least patch the database up to 10.2.0.5 or upgrade to 11.2 as Helios stated.
Either way you are better off contacting Oracle Support directly with your question.
Paul -
OIM 11g R2: Insufficent Privileges after Enable Database Vault
Hi,
I am trying to implement Database Vault on an OIM 11g R2 database for a customer proof of concept, but after enabling Database Vault I got the following error:
oracle.iam.ui.platform.exception.OIMRuntimeException: IAM-7130125 : Search token caused Oracle text DRG issue, DB exception is :ORA-20000: Oracle Text error:
DRG-50857: oracle error in drdmdcnt
ORA-01031: insufficient privileges
ORA-06512: at "CTXSYS.DRVUTL", line 14
ORA-06512: at "CTXSYS.DRVXMD", line 140
ORA-06512: at line 1
This error occurs when I run the Catalog Synchronization Job and when I try to search items in the catalog.
I guess that Database Vault blocked the ctxapp role granted to the OIM database owner, but I am not sure how to fix it. Do I have to create a database realm for the OIM database user?
As I continue to forage around looking for an answer, I came across the following statement in a document on Metalink: "The home where you plan to install ODV must already have OLS installed at the same patch level as the database.". Is this correct? I have never seen this in any Database Vault documentation.
(https://metalink.oracle.com/metalink/plsql/f?p=200:27:4287075139009922213::::p27_id,p27_show_header,p27_show_help:714182.992,1,1) -
Database Vault Owner Grant Any Role Permission
So I just noticed that the role DV_OWNER has the system privilege GRANT ANY ROLE assigned to it by default. I was wondering if this is necessary for something. If not I would like to remove it. We would prefer the Database Vault owner person to not have any permissions except for logging into the Data Vault console to modify realms and rules and stuff, as well as looking at audit logs. The DV_OWNER role also has ADMINISTER DATABASE TRIGGER and ALTER ANY TRIGGER privileges which I would like to remove as well. Anybody have any opinions on this?
Oracle EE 11.2.0.2 on Windows 2008 R2
Thanks.
Sysdba can issue powerful statements such as create user, drop user, alter user, create profile .. and so on... can be done only if it is allowed so by modifying the Can maintain accounts/profiles rule set.
You can also login with dvsys account but that account is locked after installation. So unlock it with
alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault := DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
Following can help you
SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
Regards
Karan -
Grant role DBA with Database Vault
Hi all,
I need help granting the role DBA to a user with Database Vault option installed. I created a user account and I need that this user be able to do all the things that a regular DBA role can do. I can't find a way to do this in Database Vault... any help will be appreciated.
Thanks!
Sysdba can issue powerful statements such as create user, drop user, alter user, create profile .. and so on... can be done only if it is allowed so by modifying the Can maintain accounts/profiles rule set.
You can also login with dvsys account but that account is locked after installation. So unlock it with
alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault := DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
Following can help you
SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
Regards
Karan -
Granting privilege through role not working for PL/SQL
Version: 11.2.0.2
In our shop, we don't grant privileges directly to a user, we grant it to a role and grant that role to the intended grantee.
Granting privileges through a role seems to be fine with SQL Engine. But it doesn't work from PL/SQL engine.
In the below example GLS_DEV user is granted SELECT access on SCOTT.pets table through a role called tstrole. GLS_DEV can select this table from SQL. But PL/SQL Engine doesn't seem to know this.
Reproducing the issue:
SQL> show user
USER is "SCOTT"
SQL> select * from pets;
NAME
PLUTO
SQL> conn / as sysdba
Connected.
SQL> create user GLS_DEV identified by test1234 default tablespace TSTDATA;
User created.
SQL> alter user GLS_DEV quota 25m on TSTDATA;
User altered.
SQL> grant create session, resource to GLS_DEV;
Grant succeeded.
--- Granting SELECT privilege on scott.pets to tstrole and then grant this role to GLS_DEV.
SQL> conn / as sysdba
Connected.
SQL>
SQL> create role tstrole;
Role created.
SQL> grant select on scott.pets to tstrole;
Grant succeeded.
SQL> grant tstrole to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> select * From scott.pets;
NAME
PLUTO
---- All fine till here. From SQL engine , GLS_DEV user can SELECT scott.pets table.
--- Now , I am going to create a PL/SQL object in GLS_DEV which tries to refer scott.pets
SQL> show user
USER is "GLS_DEV"
create or replace procedure my_proc
is
myvariable varchar2(35);
begin
select name into myvariable from scott.pets ;
dbms_output.put_line(myvariable);
end my_proc;
Warning: Procedure created with compilation errors.
SQL> show errors
Errors for PROCEDURE MY_PROC:
LINE/COL ERROR
6/2 PL/SQL: SQL Statement ignored
6/41 PL/SQL: ORA-01031: insufficient privileges
SQL>
SQL> 6
6* select name into myvariable from scott.pets ;
--- PL/SQL Engine doesn't seem to know that GLS_DEV has select privilege on scott.pets indirectly granted through a role
--- Fix
--- Instead of granting privilege through a role, I am granting the SELECT privilege on scott.pets to GLS_DEV directly.
--- The error goes away, I can compile and execute the procedure !!
SQL> conn / as sysdba
Connected.
SQL>
SQL> grant select on scott.pets to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> create or replace procedure my_proc
is
myvariable varchar2(35);
begin
select name into myvariable from scott.pets ;
dbms_output.put_line(myvariable);
end my_proc;
/
Procedure created.
SQL> set serveroutput on
SQL> exec my_proc;
PLUTO
PL/SQL procedure successfully completed.
Has anyone encountered the same issue?
You really should start your own new thread for this question instead of resurrecting an old one, but to answer your question.
There are two things going on here. First, there are a number of alter session commands that can be used by any user regardless of what privileges they are granted. Although I do not have the entire list at hand, things like nls_date_format and current_schema are available to all users, sort of like the grants to public in the data dictionary.
Second, when you use execute immediate, the PL/SQL engine never really sees the statement, as far as the compiler is concerned it is just a string. It is only when the string is passed to the sql engine that permissions are checked, and there roles are not enabled.
SQL> create role t_role;
Role created.
SQL> grant select on ops$oracle.t to t_role;
Grant succeeded.
SQL> create user a identified by a default tablespace users;
User created.
SQL> grant create session, create procedure to a;
Grant succeeded.
SQL> grant t_role to a;
Grant succeeded.
SQL> connect a/a
Connected.
SQL> select * from ops$oracle.t;
ID DESCR
1 One
1 Un
SQL> create function f (p_descr in varchar2) return number as
2 l_num number;
3 begin
4 select id into l_num
5 from ops$oracle.t
6 where descr = p_descr;
7 return l_num;
8 end;
9 /
Warning: Function created with compilation errors.
SQL> show error
Errors for FUNCTION F:
LINE/COL ERROR
4/4 PL/SQL: SQL Statement ignored
5/20 PL/SQL: ORA-00942: table or view does not exist
SQL> create or replace function f (p_descr in varchar2) return number as
2 l_num number;
3 begin
4 execute immediate 'select id from ops$oracle.t where descr = :b1'
5 into l_num using p_descr;
6 return l_num;
7 end;
8 /
Function created.
SQL> select f('One') from dual;
select f('One') from dual
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "A.F", line 4
John -
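The behaviour both posters ran into can be reproduced and worked around without a direct grant, shown here as an added example that is not part of the thread. It assumes the thread's state before the fix (GLS_DEV holds SELECT on scott.pets only through tstrole); `my_proc_invoker` is a hypothetical name.

```sql
-- Added example, not from the thread. Run in SQL*Plus as GLS_DEV while SELECT on
-- scott.pets is granted only through tstrole (no direct grant yet).

-- 1. Where does the privilege come from? 'DIRECT' rows are usable inside
--    definer's-rights PL/SQL; rows that name a role are not.
SELECT 'DIRECT' AS via, owner, table_name, privilege
FROM   user_tab_privs_recd
WHERE  owner = 'SCOTT' AND table_name = 'PETS'
UNION ALL
SELECT role, owner, table_name, privilege
FROM   role_tab_privs
WHERE  owner = 'SCOTT' AND table_name = 'PETS';

-- 2. Reproduce in plain SQL what a definer's-rights procedure sees:
--    with every role disabled the same query no longer works.
SET ROLE NONE;
SELECT * FROM scott.pets;   -- fails: the role-granted privilege is gone
SET ROLE ALL;               -- re-enable the granted roles

-- 3. An invoker's-rights unit with dynamic SQL. The statement is only a string
--    at compile time, and at run time the caller's enabled roles apply.
CREATE OR REPLACE PROCEDURE my_proc_invoker   -- hypothetical name
  AUTHID CURRENT_USER
IS
  myvariable VARCHAR2(35);
BEGIN
  EXECUTE IMMEDIATE 'select name from scott.pets where rownum = 1'
    INTO myvariable;
  DBMS_OUTPUT.PUT_LINE(myvariable);
END my_proc_invoker;
/

SET SERVEROUTPUT ON
EXEC my_proc_invoker
```

Static SQL inside the same AUTHID CURRENT_USER procedure would still fail to compile, because compile-time resolution ignores roles; the direct grant shown in the thread remains the fix for definer's-rights code.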
Is the Database Vault portion of Audit Vault only for the Audit Vault DB?
Hi all, first off, thanks in advance.
I am doing a bit of research in order to fulfill some security system requirements for an upcoming project. In summary the requirement states that DBAs should not have the ability to view personal health information stored in the database.
My initial thought was to use Oracle Label Security but recall that SYS is exempt from the OLS policies. Next I looked into Oracle Database Vault and the product appears to meet the requirements. However another part of the requirement states that we must prevent undetectable data tampering - which to me sounds like we need to have an auditing product in place not only to audit access and data changes but also to make sure that audit logs can't be tampered with. It seems like Oracle Audit Vault should meet the requirement. When looking into Audit Vault it mentions it comes with Oracle Database Vault and there is some wording which makes me believe that the Oracle Database Vault component is only for the Audit Vault database. Short of installing the product I thought I would post a message to see if my assumption is correct.
If the assumption is correct it sounds like we would need to purchase both Audit Vault and Database Vault to fully meet the requirement. Can anyone think of any reason we need to include OLS as well?
Once again, thanks in advance.
Cheers,
Eric
I imagine you are dealing with the HIPAA compliance requirements and facing the same issue faced by many others.
To audit who has viewed data ... SELECT statements ... you can use Fine Grained Auditing (FGA).
To meet the government's auditing requirements, as well as those for hospital accreditation Audit Vault will do the trick.
Keeping DBAs out of the data can be done by a number of means but the issue often comes down to the applications you have purchased and the quality of the vendors. One major source of hospital software in the US, for example, has installed thousands of systems with the exact same password for the schema owner ... and that schema owner has DBA privs.
So before you run too far down the road of closing the back door ... make sure the front door isn't wide open. -
Schema export via Oracle data pump with Database Vault enabled question
Hi,
I have installed and configured Database Vault on an Oracle 11g-r2-11.2.0.3 to protect a specific schema (SCHEMA_NAME) via a realm. I have followed the following doc:
http://www.oracle.com/technetwork/database/security/twp-databasevault-dba-bestpractices-199882.pdf
to ensure that the sys and the system users have sufficient rights to complete a scheduled Oracle Data Pump export operation.
I.e. I have granted to sys and system the following:
execute dvsys.dbms_macadm.authorize_scheduler_user('sys','SCHEMA_NAME');
execute dvsys.dbms_macadm.authorize_scheduler_user('system','SCHEMA_NAME');
execute dvsys.dbms_macadm.authorize_datapump_user('sys','SCHEMA_NAME');
execute dvsys.dbms_macadm.authorize_datapump_user('system','SCHEMA_NAME');
I have also created a second realm on the same schema (SCHEMA_NAME) to allow sys and system to maintain indexes for realm-protected tables. This separate realm was created for all their index types: Index, Index Partition, and Indextype; sys and system have been authorized as OWNER to this realm.
However, when I try and complete an Oracle Data Pump export operation on the schema, I get two errors directly after the following line displayed in the export log:
Processing object type SCHEMA_EXPORT/TABLE/INDEX/DOMAIN_INDEX/INDEX:
ORA-39127: unexpected error from call to export_string :=SYS.DBMS_TRANSFORM_EXIMP.INSTANCE_INFO_EXP('AQ$_MGMT_NOTIFY_QTABLE_S','SYSMAN',1,1,'11.02.00.00.00',newblock)
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197
ORA-06512: at line 1
ORA-06512: at "SYS.DBMS_METADATA", line 9081
ORA-39127: unexpected error from call to export_string :=SYS.DBMS_TRANSFORM_EXIMP.INSTANCE_INFO_EXP('AQ$_MGMT_LOADER_QTABLE_S','SYSMAN',1,1,'11.02.00.00.00',newblock)
ORA-01031: insufficient privileges
ORA-06512: at "SYS.DBMS_TRANSFORM_EXIMP", line 197
ORA-06512: at line 1
ORA-06512: at "SYS.DBMS_METADATA", line 9081
The export is completed but with these errors.
Any help, suggestions, pointers, etc actually anything will be very welcome at this stage.
Thank you
Hi Srini,
Thank you very much for your help. Unfortunately, after having followed the instructions of the DOC I am still getting the same errors.
Nonetheless, thank you for your input.
I was also wondering if someone could tell me how to move this thread to the Database Security area of the forum, as I feel I may have posted the thread in the wrong place as it appears to be a Database Vault issue and not an imp/exp problem.
-
Hi, I want to export the database schema which is protected by Database Vault.
Metalink Note:433887.1 describes this, but i receive errors.
expdp bernst/password schemas=HR file=/tmp/test
ORA-31626 job does not exist
ORA-31633 unable to create master table bernst.sys_export_schema_05
ORA-06512 at sys.dbms_sys_error
ORA-06512 at sys.KUPV$FT
ORA-01950 no privileges on tablespace USERS
any ideas?
regards Frank
This is late but, somebody will see it.
Be sure to do this.
First of all, create a user called pepe in this way.
create user pepe identified by PASSWORD default tablespace users temporary tablespace temp;
Then...
SQL> CREATE DIRECTORY datapump AS 'full_path';
SQL> GRANT EXP_FULL_DATABASE to pepe;
SQL> GRANT READ, WRITE ON DIRECTORY datapump to pepe;
You should be able then to run the expdp utility.
Alex. -
Creating a Database link for a user
Hello All,
I am trying to create a database link for one of my users.
When I create it as sysdba the link gets created in the SYS schema which tells me that my syntax is working/fine.
But when I ALTER my SESSION and set my CURRENT_SCHEMA = <USER_NAME> I get ORA-00990: missing or invalid privilege
So I tried granting the user CREATE DATABASE LINK, CREATE PUBLIC DATABASE LINK, and DROP PUBLIC DATABASE LINK.
Same error.
Any ideas what I am missing?
Thanks,
Craig
CraigBoyd wrote:
Hello All,
I am trying to create a database link for one of my users.
When I create it as sysdba the link gets created in the SYS schema which tells me that my syntax is working/fine.
But when I ALTER my SESSION and set my CURRENT_SCHEMA = <USER_NAME> I get ORA-00990: missing or invalid privilege
So I tried granting the user CREATE DATABASE LINK, CREATE PUBLIC DATABASE LINK, and DROP PUBLIC DATABASE LINK.
Same error.
Any ideas what I am missing?
Thanks,
Craig
You need to create a new session after the GRANT was issued. -
Problem with granting privileges
We are creating a separate user for loading data into staging tables on our db and are having problems granting privileges. The original user is securities_developer and the new user is securities_loader. As securities_developer, I execute the following command:
grant delete,update,insert,select on securities_work to securities_loader;
The output indicates success, but when I switch to that user and perform 'select * from securities_work', the table isn't found. Using Oracle Enterprise Manager, I look up the table and it indicates that the above privileges have been granted. Am I missing something?
version info:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
PL/SQL Release 11.2.0.1.0 - Production
"CORE 11.2.0.1.0 Production"
TNS for Linux: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production
Hi,
Do you have a (public) synonym on your table securities_work ?
Or, try to add the schema owner in your query like: 'select * from securities_developer.securities_work'
Regards,
Thierry -
Problem in Import & Export using Database Vault
I have installed Oracle 10g Release 10.1.0.3; I have also installed Database Vault.
Conn to sqlplus datavault manager
Create user app1 identified by app1;
grant connect to app1;
Now connect sys as sysdba to sqlplus
grant resource to app1;
In short I will give him all the grants...
I make a realm of app1 'app1_realm'
All the authorization is performed in realm.
Then I have added it to data dictionary realm as a participant.
Now when I export at table level, it will export the schema without warnings, i.e. successfully,
but when I export at schema level app1 then it will be exported but with errors.
the error numbers are
ora-39083
ora-31625
ora-01031
these errors are raised with grants such as
grant Unlimited tablespace to app1;
grant connect to app1;
grant resource to app1;
grant exp_full_database to app1;
grant imp_full_database to app1;
and with other grants...
Note that I have granted these grants to user app1
Please help me
Best Regards,
Kiramat Ullah
It will be nice if you post the error messages for the codes
ora-39083
ora-31625
ora-01031
Not everyone has the time to look them up or know them off head -
Grants on Function and Procedure for Network user
Hi all,
On my computer (user1), I created one function ( fun1 ). In the network, another user (user2) is there. I want to give execute or alter privilege on this function to user2. I created TNS name for user2 in my TNSNAMES.ORA.
What is the statement for this?
Thanks in advance,
Pal
I'm not sure I follow...
- You create TNS aliases for databases, not for users.
- A function can only be executed by a user connected to the database.
If you have databases A & B, you can create a database link between them. If user1 is a user on database A that owns a function, and user2 is a user on database B, you could create a new user, user3 in database A, create a database link from B to A that connects to A as user3, grant user3 in database A access to user1's function, and grant user2 in database B access to the database link.
Justin -
Grant Privileges to another user
Hi,
I am new to plsql. In course of my learning, I created two tables BOOKS and AUTHORS in orcl database (10g) through SYSDBA.
Again I logged in to SCOTT user account and am unable to see the BOOKS and AUTHORS tables.
Please let me know how I grant administrative privileges (to edit, delete, insert, update) to SCOTT user for these tables.
Thanks & Regards,
Amrutha.
808099 wrote:
1. Got now that SYSDBA is a role and SYS is user.
2. I was able to login to sqlplus through giving "/ as SYSDBA" as the username. Hence I thought it as user.
"/ as sysdba" connects to the database as the SYS user using operating system authentication with the SYSDBA role enabled.
3. Secondly, I don't know which schema does my BOOKS table belong to. Because I just ran a create table script in scott/tiger@orcl. Please suggest how I can know which schema it belongs to.
If you connected to the database as the SCOTT user and ran the script to create the table, the table would almost certainly be owned by SCOTT. If you connected to the database as the SYS user and ran the script to create the table, the table would most likely be owned by SYS. If the script specified the schema owner, i.e.
CREATE TABLE library.book ...
the table would be created in the specified schema. But you need to have very powerful privileges in order to create objects in other user's schemas and SCOTT does not have those privileges unless you've specifically granted them.
4. Thirdly, I will delete the BOOKS and AUTHORS from SYS and create them in SCOTT user. But thought if GRANT privileges can be an alternative.
Not really. It's much better to have the tables owned by the correct schema in the first place. You use grants to allow other users to access (or modify) tables but other users are not going to have the same level of privileges (for example, they're not going to be able to run DDL against the table).
Justin