Grant role for a session

Hi,
What is the syntax for granting a role just for the current
session? If the user abnormally terminates the session, will the
role still be revoked?
Thanks in advance,
Viji

Vamsee,
If you dwell down to the bottom of the access/authorizations/profile/roles etc., whatever you call it... you have something called authorizations.
If you are talking about a particular transaction, a custom one or a standard one, there is an auth. group assigned to it. Basis is the team which creates auth. objects, and they create a profile which is in fact added to the roles.
These are the roles which are added to the user ids of the people using the system.
Different roles which give us different authorizations to work with in the system.
Hope I made my point clear.
One more important thing is, you can't just ask basis to assign a particular profile or role which you might have found by some means like SU53, because a tcode can be there in many roles or profiles. It is up to basis to decide what role they have to assign based on what authorizations you need. The profile or role which you might have found out may contain other auths for other tcodes which basis may not want to offer.
Thanks,
Message was edited by: Naren Somen

Similar Messages

  • Script to Grant Role for All User Objects.

    Hi DBAs,
    I have created a select_only role. I need a script to populate that role with all user_objects belonging to one person and eventually grant that role to another person. Perhaps a dynamic sql.
    Please help.
    Thanks
    -Samar-

    Samar,
    Please see if the following documents help.
    Note: 18080.1 - Script to Create Roles
    Note: 174138.1 - How to Tranfer all Roles and Grants to Another Database
    Note: 729428.1 - Script to create roles & apply grants from database A to B
    Regards,
    Hussein

  • DEFAULT ROLE FOR USER

    I switched to Oracle 11g Express and created a user:
    CREATE USER LEO
    IDENTIFIED BY xy
    DEFAULT TABLESPACE USERS
    TEMPORARY TABLESPACE TEMP
    PROFILE DEFAULT
    ACCOUNT UNLOCK;
    -- 3 Roles for LEO
    GRANT AUTHENTICATEDUSER TO LEO;
    GRANT CONNECT TO LEO;
    GRANT FER_ADMIN TO LEO WITH ADMIN OPTION;
    ALTER USER LEO DEFAULT ROLE FER_ADMIN;
    -- 1 System Privilege for LEO
    GRANT CREATE SESSION TO LEO;
    -- 1 Tablespace Quota for LEO
    ALTER USER LEO QUOTA UNLIMITED ON USERS;
    and after login I check
    select * from SESSION_ROLES
    and I have no roles.
    If I set role, all works fine.
    Why don't I have the DEFAULT ROLE after login?
    Please help.

    here is the solution
    default roles and grants
    Edited by: Leo Lakota on 4.10.2012 5:52

  • How to create and grant role

    hello all
    I have created a new database called TEST
    I need to create a role for following purposes
    create table
    read access to all the tables, write access to all the tables that the users created.
    and then i need to connect this role to a user (grant)
    how can i do this
    sample script is much of a help?
    Thanks in advance
    PRash

    As DBA :
    SQL> create role my_role;
    Role created.
    SQL> grant CREATE SESSION to my_role;
    Grant succeeded.
    SQL> grant ALTER SESSION to my_role;
    Grant succeeded.
    SQL> grant CREATE TABLE to my_role;
    Grant succeeded.
    SQL> grant my_role to <your user>;
    Grant succeeded.
    SQL>
    Same way you can grant other privileges to the role, and the user will automatically be granted.

  • How to enable remote debugging for a session other than the current one

    Hi all,
    I am trying to figure out how to enable remote debugging for a session other than the one I am currently using.
    More specifically, we have an application that is making database calls to Oracle 11gR2. Something is causing an exception during this invocation. My system is currently not set up to recompile said application, so I can't just add the debug call to the code and recompile. Therefore I would like to be able to log into the database (as sys, if necessary) and invoke dbms_debug_jdwp.connect_tcp on the desired session.
    The docs indicate that I should be able to do so:
    dbms_debug_jdwp.connect_tcp(
    host IN VARCHAR2,
    port IN VARCHAR2,
    session_id IN PLS_INTEGER := NULL,
    session_serial IN PLS_INTEGER := NULL,
    debug_role IN VARCHAR2 := NULL,
    debug_role_pwd IN VARCHAR2 := NULL,
    option_flags IN PLS_INTEGER := 0,
    extensions_cmd_set IN PLS_INTEGER := 128);
    But when I try (even as sys), I get the following:
    exec dbms_debug_jdwp.connect_tcp('1.2.3.4',5678,<session id>,<session serial>);
    ORA-00022: invalid session ID; access denied
    ORA-06512: at "SYS.DBMS_DEBUG_JDWP", line 68
    ORA-06512: at line 1
    00022. 00000 - "invalid session ID; access denied"
    *Cause:    Either the session specified does not exist or the caller
    does not have the privilege to access it.
    *Action:   Specify a valid session ID that you have privilege to access,
    that is either you own it or you have the CHANGE_USER privilege.
    I've tried granting the 'BECOME USER' privilege for the relevant users, but that didn't help. I read something about having to set some kind of ACL as of 11gR1, but the reference documentation was very confusing.
    Would someone be able to point me in the right direction? Is this even possible, or did I misread the documentation?

    Interesting deduction, that would be very useful indeed. I hate recompiling just to add the debug call, and it can't be done in our production environment. But it seems unlikely to me it would be implemented this way.
    I would cross-post this in the SQL AND PL/SQL forum though, as this is really a database issue, not with the SQL Developer tool. Do add the links to the other posts in each.
    Regards,
    K.

  • How to set new role for new custom entity only

    I created a new custom entity and I want to create a new role for it only. So I created a new role and set the custom entity User role. But when I log in as the user with the created role, it shows no right to access CRM.
    Awen

    Are you trying to grant access so that users can use this custom entity but no other data at all?
    You will still have to include access to all sorts of bits of CRM just to make the user interface work - especially the things on the Business Management and Customization tabs of your security role. You also need to check these 6 settings:
    Special privileges in CRM Security Roles
    If this is the only security role you plan to give to your users, I would suggest you start from a standard role and remove access to other entities, rather than start from blank and work upwards.
    Hope this helps.
    Adam Vero, Microsoft Certified Trainer | Microsoft Community Contributor 2011
    UK CRM Guru Blog

  • Roles for each Product in Oracle Apps 11i

    Hi,
    I have one requirement to create role for each product...
    For example:
    Inventory (INV)... I need to create a role, which will have select privileges on all tables of Inventory...like that for each production, I need to create...
    I have one procedure:
    (a) create role inv_read_role;
    (b) spool the following statement
    sql> spool inv_read.lst
    sql> select 'grant select on INV.'||object_name||' '||'to INV_READ_ROLE;' from dba_objects where owner='INV' and object_type='TABLE';
    sql> spool off
    (c) Run the above spool file
    Here we are done...
    But, If I want to do this for all products in oracle apps 11.5.10.2..
    is there any smarter way to do this????? any stored procedure???

    I want to give readonly access to AP Tables to one database user or more no of database users.....how can we give...for that , we are going to create separate role for each module in database..assign that role to database user...then he will be able to select only on that module tables......
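
    One way to script the per-product read-only roles asked for here, which also covers the select-only role over one owner's objects in the first thread of this list. This is an added example, not any poster's code; the schema list and the <OWNER>_READ_ROLE naming are assumptions.

    ```sql
    -- Added example. Run as a DBA from SQL*Plus; owner names must be upper case.
    SET SERVEROUTPUT ON
    DECLARE
      TYPE t_owners IS TABLE OF VARCHAR2(128);
      l_owners t_owners := t_owners('INV', 'AP');   -- constructed sample list
      l_role   VARCHAR2(128);
      l_exists PLS_INTEGER;
    BEGIN
      FOR i IN 1 .. l_owners.COUNT LOOP
        -- Reject anything that is not a single simple SQL name (ORA-44003).
        l_role := DBMS_ASSERT.SIMPLE_SQL_NAME(l_owners(i) || '_READ_ROLE');

        -- Create the role only if it is not there yet, so the block can be re-run.
        SELECT COUNT(*) INTO l_exists FROM dba_roles WHERE role = l_role;
        IF l_exists = 0 THEN
          EXECUTE IMMEDIATE 'CREATE ROLE ' || l_role;
        END IF;

        FOR t IN (SELECT owner, table_name
                    FROM dba_tables
                   WHERE owner = l_owners(i)) LOOP
          BEGIN
            -- Quote both identifiers so unusual table names cannot alter the statement.
            EXECUTE IMMEDIATE 'GRANT SELECT ON '
              || DBMS_ASSERT.ENQUOTE_NAME(t.owner, FALSE) || '.'
              || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE)
              || ' TO ' || l_role;
          EXCEPTION
            WHEN OTHERS THEN
              -- Report tables that cannot be granted and carry on with the rest.
              DBMS_OUTPUT.PUT_LINE('skipped ' || t.owner || '.' || t.table_name
                                   || ': ' || SQLERRM);
          END;
        END LOOP;
      END LOOP;
    END;
    /
    ```

    Tables created after the run are not covered, so the block has to be re-run when a schema changes.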

  • Allowing Airwatch MDM access to the Captive-Portal guest users in pre-auth role for android and BB?

    Requirement:
    How to allow Airwatch MDM access to the Captive-Portal guest users in pre-authentication role for Android and Blackberry devices?
    What is Airwatch MDM?
    Airwatch MDM is Mobile Device Management. The Airwatch is an enterprise which helps to manage and secure data traveling through the mobile devices like Laptops, Tablets, Android, iPhones, iPads etc.
    Solution:
    Why we need to allow access to Airwatch MDM?
    The network administrator can force the guest users to register to Airwatch MDM before they get authenticated and access the internet, so that the network administrator can manage the guest devices through the Airwatch Management tool. This can be achieved by the CPPM server. To download the Airwatch MDM app and register with the Airwatch MDM server, certain domains should be permitted in the captive portal pre-authentication role. This KB provides the configuration steps to allow the guest users to download the Airwatch MDM app and register with the Airwatch MDM server.
    Configuration:
    Below is the configuration
    Configuration steps:
    1. Create the following netdestinations
    netdestination Airwatch
      name *.awagent.com
      name *.awmdm.com
      name air-watch.com
    netdestination Google-Play
      name android.clients.google.com
      name .ggpht.com
      name gstatic.com
      name accounts.google.com
      name clients1.google.com
      name clients2.google.com
      name clients3.google.com
      name clients4.google.com
      name i.ytimg.com
      name google-analytics.com
      name .1e100.net
      name android.l.google.com
      name mtalk.google.com
      name clients.l.google.com
      name googleapis.com
      name gvt1.com
    netdestination BlackBerry
      name *.blackberry.com
    2. Now define the rules in the session acl and map it to the pre-authentication Role of the captive portal.
    ip access-list session Airwatch_Access
      any   alias Airwatch svc-http  permit
      any   alias Airwatch svc-https  permit
    ip access-list session Google-Play-Store
      any   alias Google-Play any permit
    ip access-list session BlackBerry-Access
      any   alias BlackBerry any permit
    3. Now map the session ACLs to captive-portal pre-authentication Role as follows
    user-role Guest-Pre-Auth-Role
     access-list session Airwatch_Access
     access-list session Google-Play-Store
     access-list session BlackBerry-Access
     access-list session logon-control
     access-list session captiveportal
    4. Now whitelist the netdestinations (where you defined the domains) in the Captive Portal profile
    aaa authentication captive-portal Airwatch-Captive-Portal-Profile
      white-list Airwatch
      white-list Google-Play
      white-list BlackBerry
    Verification
    Now the user will be placed under the "Guest-Pre-Auth-Role" before the authentication. The user can now go to the Google Play Store or BlackBerry App World to download the Airwatch MDM app and register with the Airwatch Management Server.

    Thanks so much for getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence! Thanks, Chris

  • SAP Best Practices on assigning roles for Auditors

    Dear Gurus,
    We need to set up SAP roles for auditors in our system for SRM, ECC & BI.
    Could you please suggest which roles should be granted to the auditors as best practice to follow?
    I will really appreciate your help.
    Best Regards,
    Valentino

    Hi Martin,
    Thanks for your interest. I would be very happy to work with folks like you to slowly improve such roles as we find improvement possibilities for them, and all benefit from the joint knowledge and cool features which go into them. I have been filing away at a set of them for years now - they are not evil but still useful and I give them to an auditor without being concerned as long as they can tell me approximately what they have been tasked to look into.
    I then also show them the corresponding user menu of my role for these tasks and then leave them alone for a while... 
    Anyway... SAP told me that if we host the content on SDN for the collaboration and documentation to the changes in the files, then version management of the files can be hosted externally for downloading them (actually, SAP does not have an option because their software does not support it...).
    I will rather host them on my own site and add the link in the SDN wiki and a sticky forum post link to it than use a generic download service, at least to start with. Via change management to the wiki, we can easily map this to version management of the files on a monthly periodic update cycle once there are enough changes to the wiki.
    How about "Update Tuesday" as a maintenance cycle --> config updates each second Tuesday of the month... to remove authorizations to access backdoors which are more than "just display"...
    Cheers,
    Julius

  • Oracle Role for User Administration

    Hello,
    I am a DBA. We have a separate group that maintains oracle user accounts within an oracle database. We would like that group to maintain users (add/remove users from database, add/remove roles, etc.) but we do not want to give them the 'DBA' role for security reasons. Ideally, we want to grant them a role that gives them the ability to administer users but not do anything else.
    Does a role like this exist within Oracle? If not is there a workaround to obtain this type of functionality?
    Thank you!

    Do you have this actually working? I have it complaining about permissions on the line that tries to create the user. I thought oracle restricted doing this for security reasons. I am creating this as a user with the 'DBA' role and then when I try to execute it as the same user (which can create users normally) I get this error:
    SQL> exec system.create_user('troy1','troy1');
    BEGIN system.create_user('troy1','troy1'); END;
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "SYSTEM.CREATE_USER", line 4
    ORA-06512: at line 1
    And here is the code (based off of the example)...
    CREATE OR REPLACE PROCEDURE create_user( p_username IN VARCHAR2, p_password IN VARCHAR2 )
    AS
    BEGIN
    EXECUTE IMMEDIATE 'CREATE USER ' || p_username || ' IDENTIFIED BY ' || p_password || ' DEFAULT TABLESPACE users ';
    END;
    Any ideas?
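
    A delegated-administration sketch for the procedure approach discussed in this thread, as an added example that is not the poster's code. SEC_ADMIN (the owning schema) and USER_ADMIN_ROLE are hypothetical names, and the example assumes the usual rule that roles are disabled inside a definer's-rights procedure, which is the common cause of ORA-01031 in this situation.

    ```sql
    -- Added example; SEC_ADMIN and USER_ADMIN_ROLE are hypothetical. Run as a DBA.

    -- The owner needs CREATE USER granted directly. A privilege that reaches
    -- the owner only through a role such as DBA is not active inside a
    -- definer's-rights procedure.
    GRANT CREATE USER TO sec_admin;

    CREATE OR REPLACE PROCEDURE sec_admin.create_user (
      p_username IN VARCHAR2,
      p_password IN VARCHAR2
    )
    AUTHID DEFINER
    AS
      l_user VARCHAR2(128);
    BEGIN
      -- Reject anything that is not a single simple SQL name (ORA-44003),
      -- so the user name cannot carry extra clauses into the statement.
      l_user := DBMS_ASSERT.SIMPLE_SQL_NAME(p_username);

      -- The password is emitted inside double quotes, so it must not contain one.
      IF p_password IS NULL OR INSTR(p_password, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(-20002,
          'Password is empty or contains a double quote');
      END IF;

      EXECUTE IMMEDIATE 'CREATE USER ' || l_user
        || ' IDENTIFIED BY "' || p_password || '"'
        || ' DEFAULT TABLESPACE users';
    END;
    /

    -- The administration group receives only EXECUTE on the procedure,
    -- never CREATE USER itself and never the DBA role.
    CREATE ROLE user_admin_role;
    GRANT EXECUTE ON sec_admin.create_user TO user_admin_role;
    ```

    Dropping users or granting roles would be separate procedures in the same schema, each limited to the single statement it wraps.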

  • Changing role for users

    Hi,
    in forms 10g , it's possible to change the role for user
    REVOKE role_name FROM :USERNAME;

    This should work, but the user revoking a role from a different user needs to have the admin option of this role.
    When creating a role, by default the "Admin option" for that role should be enabled for the user creating the role.
    Normally, this would be the schema-owner of the application objects ...
    A user holding the "admin option" may grant a role to a different user and grant the other user "admin option" on this role...

  • Role for SPRO or Customizing

    Hello,
    I have a question regarding the creation of a role. I just want to know if I could create a role for a functional consultant for a specific module (i.e. PM or MM) and I don't know how to create it. The specific role will permit the consultant to create or modify customizing of the specific SAP module.
    To resume, I need to grant permissions with a role to the SPRO for a specific module's operations.
    Please let me know if I'm clear or not.
    Thanks in advance to everyone that gives me an answer!!!!!!

    Hi,
    please go to PFCG and create a role. Within the menu tab select the utilities and custom authorizations. You must have an IMG project set up already.
    Select the project and all of the tcodes from the IMG will be inserted.
    For a listing of transaction codes go to se16 and enter table name AGR_HIER. Click view.
    Reward points if helpful,
    Regards,
    jinesh.

  • Need to call SET ROLE for Oracle before running report

    Hi all,
    does anyone know how I can call SET ROLE for Oracle with Crystal Reports, before running report? I'm using Crystal Reports 2008 to design report (with Server Oracle connection) and Java Reporting Component to run report within a J2EE application. If anyone has any idea, I'd greatly appreciate it as I'm in trouble.
    Thanks a lot.

    Just a thought...
    If your report's datasource was an Oracle stored procedure, you could call a function to set the role from that SP
    You would be in the same Oracle session from  Report --> SP --> Function, so the role would be retained
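
    The SET ROLE idea suggested above, which also shows the session-scoped role asked about at the top of this page, as an added example that is not from any poster. REPORT_ROLE, REPORT_USER, APP_OWNER and its ORDERS table are hypothetical names.

    ```sql
    -- Added example; every object name below is hypothetical. Run the setup as a DBA.
    CREATE ROLE report_role;
    GRANT SELECT ON app_owner.orders TO report_role;

    -- The grant is permanent, but the role is kept out of the default set,
    -- so it is not active when REPORT_USER logs in.
    GRANT report_role TO report_user;
    ALTER USER report_user DEFAULT ROLE ALL EXCEPT report_role;

    -- Report data source. SET ROLE is rejected with ORA-06565 inside a
    -- definer's-rights procedure, so the unit is declared AUTHID CURRENT_USER.
    CREATE OR REPLACE PROCEDURE app_owner.orders_report (p_rows OUT SYS_REFCURSOR)
      AUTHID CURRENT_USER
    AS
    BEGIN
      -- Enables REPORT_ROLE for this session and disables every role not named here.
      DBMS_SESSION.SET_ROLE('report_role');
      OPEN p_rows FOR
        SELECT order_id, status FROM app_owner.orders;
    END;
    /
    GRANT EXECUTE ON app_owner.orders_report TO report_user;

    -- As REPORT_USER, in one SQL*Plus session:
    VARIABLE rc REFCURSOR
    EXEC app_owner.orders_report(:rc)
    PRINT rc
    -- Check which roles are enabled in this session.
    SELECT role FROM session_roles;

    -- Switch the role off again without ending the session:
    SET ROLE NONE;
    ```

    An enabled role is session state: it ends with the session however the session terminates, while the GRANT itself stays in place until a REVOKE.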

  • Empty ROLE or ROLEGUID session

    I was using Oracle BI Server as the Security Model of BI Publisher. When I logged in to BI Publisher via http://localhost:9704/xmlpserver, I couldn't see any folder in BI Catalog.
    I got the following error message from BI Presentation Service log file: sawlog0.log. I used the initialization blocks to get the user ROLES and other system variables from DB tables. Not sure why it works for BI Analytics service but doesn't work for BI Publisher.
    [2011-09-17T02:41:09.000-07:00] [OBIPS] [WARNING:16] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 3e8b0288400534f9:-1cd4418a:1326fd2ac19:-8000-0000000000009385,0:1:1] [tid: 1868] Empty ROLE or ROLEGUID session variable recieved for the user qudu. User may not have
    access to many features in Oracle Business Intelligence[[
    File:checkauthentication.cpp
    Line:1150
    Location:
         saw.securitysubsystem.checkauthentication.runimpl
         saw.threadpool
         saw.threads
    ecid: 3e8b0288400534f9:-1cd4418a:1326fd2ac19:-8000-0000000000009385,0:1:1
    ThreadID: 1868
    ]]

    Log into Oracle BI Publisher Server using the ADMIN user, then go to the ADMIN tab and click on Roles and Responsibilities.
    Select the folder for the particular users.

  • Procedure for Killing sessions

    Hi All,
    Almost every day we have a requirement to kill user sessions for a dev user. I'm thinking of creating a procedure for this and granting it to the users so that they can kill them by themselves.
    Below is what I got from the Ask Tom forum; however, I would appreciate it if someone can share some information if this is already implemented in their environment.
    <quote>
    -- The owning schema needs SELECT on V_$SESSION and ALTER SYSTEM granted
    -- directly, not through a role.
    create or replace procedure kill_session( p_sid in number,
                                              p_serial# in number)
    is
      ignore pls_integer;
    BEGIN
      -- Count only sessions that belong to the calling user, so a user
      -- cannot kill someone else's session.
      select count(*) into ignore
        from V$session
       where username = USER
         and sid = p_sid
         and serial# = p_serial# ;
      if ( ignore = 1 )
      then
        execute immediate '
          alter system kill session ''' ||
          to_char(p_sid,'999999')||','||
          to_char(p_serial#,'999999')||'''';
      else
        raise_application_error( -20001,
          'You do not own session ''' ||
          p_sid || ',' || p_serial# ||
          '''' );
      end if;
    END;
    /
    grant execute on kill_session to <username>;
    </quote>
    Regards,
    shaan

    rp0428 wrote:
    >
    Instead of killing session with alter system kill session, better you opt for below two methods (still perform the same)
    >
    Please clarify what you mean. KILL and DISCONNECT do NOT perform the same.
    From the SQL Language doc
    http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_2013.htm
    KILL is the nice one -
    >
    The KILL SESSION clause lets you mark a session as terminated, roll back ongoing transactions, release all session locks, and partially recover session resources
    >
    While DISCONNECT is the ogre
    >
    Use the DISCONNECT SESSION clause to disconnect the current session by destroying the dedicated server process (or virtual circuit if the connection was made by way of a Shared Server).
    >
    The difference between the two is roughly analogous to the difference between SHUTDOWN IMMEDIATE and SHUTDOWN ABORT.
    I agree that, for OP's use case DISCONNECT (with IMMEDIATE or POST TRANSACTION) may be better since it gets rid of things immediately while KILL can leave things hanging around for a while.
    From the same link:
    DISCONNECT SESSION Clause:
    The POST_TRANSACTION setting allows ongoing transactions to complete before the session is disconnected. If the session has no ongoing transactions, then this clause has the same effect described for as KILL SESSION.
    The IMMEDIATE setting disconnects the session and recovers the entire session state immediately, without waiting for ongoing transactions to complete.
    If you also specify POST_TRANSACTION and the session has ongoing transactions, then the IMMEDIATE keyword is ignored.
    If you do not specify POST_TRANSACTION, or you specify POST_TRANSACTION but the session has no ongoing transactions, then this clause has the same effect as described for KILL SESSION IMMEDIATE.
    basically the difference is not between DISCONNECT and KILL SESSION, the difference exists if you allow pending/ongoing transactions to finish(IMMEDIATE vs POST_TRANSACTION)
    Edited by: Keilor on Jun 25, 2012 12:57 PM
    Edited by: Keilor on Jun 25, 2012 1:39 PM
