Granting ALTER SYSTEM privilege to Application user
DB version:10gR2
When we purchased a logistics application software, we have been asked to grant alter system privileges to the Application Oracle user/schema by the application vendor. They said they need this to change Instance level parameters like OPTIMIZER_MODE,..etc. What do you guys think?
Edited by: GarryB on Feb 17, 2009 10:25 PM
GarryB,
This is a strange idea. Many parameters can be altered on session level.
If they want to change static parameters, do they also require the privilege to bounce the instance?
Even if the application would need to change parameters, this should be encapsulated in a procedure created in a privileged user, with execute privilege granted to the application owner.
If feel you will regret to have purchased this application sooner or later, the vendor doesn't seem to know much about Oracle.
Hth
Sybrand Bakker
Senior Oracle DBA
Similar Messages
-
ALLOW A USER TO KILL A SESSION WITHOUT ALTER SYSTEM PRIVILEGE.
Hi
I need a user to have permission to kill a session without having the ALTER SYSTEM privilege. I created a procedure on sys schema and granted the EXECUTE privilege to the user but it doesn't work, how can I do, help please.
CREATE OR REPLACE PROCEDURE SYS.PRC_SESSION_KILLER (P_SID IN NUMBER, P_SERIAL IN NUMBER)
AS
BEGIN
EXECUTE IMMEDIATE 'GRANT ALTER SYSTEM TO SYSADMIN';
EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION ''' || P_SID || ',' || P_SERIAL || ''' IMMEDIATE';
EXECUTE IMMEDIATE 'REVOKE ALTER SYSTEM FROM SYSADMIN';
END;
Thank you very much.Hi,
I second everything John said.
Are you sure the arguments are correct?
Below is the procedure I use. You may want to run it, just to see what the error is.
PROCEDURE kill_internal
s_id IN NUMBER,
serial_num IN NUMBER,
stat_out OUT VARCHAR2
IS
alter_handle INTEGER;
ex_val INTEGER; -- Returned by dbms_sql.execute
BEGIN
alter_handle := dbms_sql.open_cursor;
dbms_sql.parse
alter_handle,
'ALTER SYSTEM KILL SESSION ''' ||
TO_CHAR (s_id, '999990') ||
', ' ||
TO_CHAR (serial_num, '999990') ||
dbms_sql.native
ex_val := dbms_sql.execute (alter_handle);
dbms_sql.close_cursor (alter_handle);
stat_out := 'Success: ' ||
TO_CHAR (s_id, '999990') ||
', ' ||
TO_CHAR (serial_num, '999990');
EXCEPTION
WHEN OTHERS
THEN
stat_out := 'Failure:' ||
SQLERRM;
-- dbms_output.put_line (stat_out);
dbms_sql.close_cursor (alter_handle);
END kill_internal
; -
How to grant create table privilege for a user on a specific table
Hi:
I created a user, for a test scenario. I granted this user create any table, and I made the default tablespace as example.
When I connect as the user and try to create a table, I get this:
SQL> create table T1 (NAME varchar2 (500), AGE number(2));
create table T1 (NAME varchar2 (500), AGE number(2))
ERROR at line 1:
ORA-01950: no privileges on tablespace 'EXAMPLE'
How can I grant the necessary privilege to have user create/delete tables on tablespace example?
Thanks.
DAcreate user ADAM identified by radge default tablespace EXAMPLE
quota 10M on EXAMPLE;
for example 10Mbytes given to Example tablespace.... or you can write:
.....quota unlimited on EXAMPLE
and
grant connect to ADAM
grant create table to ADAM .....
or
grant connect , resource to ADAM .... although grant resource is not recommended...
....and something else....
you should define temporary tablespace in create user command... otherwise the system would be used...
Greetings...
Sim
Message was edited by:
sgalaxy -
Who may grant a system privilege?
I am asking this as the Oracle doc explains:
Only users who have been granted a specific system privilege with the ADMIN OPTION or users with the system privileges GRANT ANY PRIVILEGE or GRANT ANY OBJECT PRIVILEGE can grant or revoke system privileges to other users.
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96524/c24privs.htm#791
Im not clear on this: why does GRANT ANY OBJECT PRIVILEGE give you the ability to grant SYSTEM privs??
Thanks,
DAThis conflicts with the admin guide (http://download-uk.oracle.com/docs/cd/B10501_01/server.920/a96521/privs.htm#15326) which says: "To grant a system privilege, you must have been granted the system privilege with the ADMIN OPTION or have been granted the GRANT ANY PRIVILEGE system privilege."
It works as said in the admin guide.
SQL> create user test identified by test;
User created.
SQL> grant grant any object privilege to test;
Grant succeeded.
SQL> grant create session to test;
Grant succeeded.
SQL> conn test
Enter password:
Connected.
SQL> grant create any synonym to test2;
grant create any synonym to test2
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> conn sys as sysdba
Enter password:
Connected.
SQL> grant grant any privilege to test;
Grant succeeded.
SQL> conn test
Enter password:
Connected.
SQL> grant create any synonym to test2;
Grant succeeded.
Message was edited by:
Yas -
What is the version of grant alter table, drop table to user in Oracle 10g?
Hi,
Oracle support "grant alter table and drop table" before, but I get the "invalid privilege" error in Oracle 10g. Oracle 10g have the "DROP ANY TABLE" and "Alter any table". Is these two means can drop and alter tables belonging to other users? How do I grant the total control (CRUD) of tables in the owner's schema to the owner in Oracle10g?
Thanks,
JiangCREATE TABLE privilege grants complete control on owner's tables :
SYS@db102 SQL> create user test01 identified by test01;
User created.
SYS@db102 SQL> grant create session, create table to test01;
Grant succeeded.
SYS@db102 SQL> alter user test01 quota unlimited on users;
User altered.
SYS@db102 SQL> conn test01/test01
Connected.
TEST01@db102 SQL> create table test(a number);
Table created.
TEST01@db102 SQL> alter table test add(b varchar2(100));
Table altered.
TEST01@db102 SQL> drop table test purge;
Table dropped.
TEST01@db102 SQL> -
Flush Shared Pool without Alter System Priv
I am trying to device a way to flush the shared pool by a user who doesn't have ALTER SYSTEM priv. I tried creating a stored proc in user's schema who has DBA role
with the following:
execute immediate 'alter system flush shared_pool';
and then granted execute on this to a normal user without explicit alter system priv, but the execution fails and seems that I need to grant alter system explicitly to this user. Is there any other workaorund for this?
Thank You
Kevinit works for me! V10.2.0.4 too.
SQL> set time on
12:11:24 SQL> @privs
12:11:28 SQL> SET TERM ON ECHO ON
12:11:28 SQL> SET SERVEROUTPUT ON
12:11:28 SQL> CREATE USER PTST IDENTIFIED BY PTST DEFAULT TABLESPACE USERS QUOTA UNLIMITED ON users TEMPORARY TABLESPACE TEMP;
User created.
12:11:28 SQL> grant create session to ptst;
Grant succeeded.
12:11:28 SQL> grant alter system to dbadmin;
Grant succeeded.
12:11:28 SQL> connect dbadmin/admindb
Connected.
12:11:28 SQL> set term on echo on
12:11:28 SQL> create or replace procedure flush_pool
12:11:28 2 as
12:11:28 3 begin
12:11:28 4 execute immediate 'alter system flush shared_pool';
12:11:28 5 end flush_pool;
12:11:28 6 /
Procedure created.
12:11:28 SQL> grant execute on flush_pool to ptst;
Grant succeeded.
12:11:28 SQL> connect ptst/ptst
Connected.
12:11:28 SQL> SET TERM ON ECHO ON
12:11:28 SQL> execute dbadmin.flush_pool;
PL/SQL procedure successfully completed.
12:11:29 SQL> connect / as sysdba
Connected.
12:11:29 SQL> drop user ptst;
User dropped. -
Granting any privilege system privilege....in Ora10g
Hi,
In order to be given to a user -Info_bi let's name him - the grant to select any table from user Info , This user (Info) must be given the system privilege "any privilege".... So :
connect sys/....@.... as sysdba;
Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.1.0
Connected as SYS
SQL> GRANT ANY PRIVILEGE TO "INFO";
GRANT ANY PRIVILEGE TO "INFO"
ORA-00990:Privilege is missing or invalidWhat error do i do...????
Many thanks...
SimThere is.......!!!!
Read at :
Oracle® Database SQL Reference
10g Release 2 (10.2)
Part Number B14200-02
The Prerequisites section of the grant command....
I pasted there an extract of it...
To grant a system privilege, you must either have been granted the system privilege with the ADMIN OPTION or have been granted the GRANT ANY PRIVILEGE system privilege. Greetings,
Sim -
Still only grants me "Guest" privileges!?
OK the problem I have was briefly touched upon in another thread, but that seems to be dead at this stage.
I am trying to connect (over a wireless router connection) the shared documents folder of a PC running XP Home, with my Macbook running the latest update of leopard 10.5.3.
Once networking is configured in XP, the computer running Windows XP will come up automatically in Finder. You can click on the Shared computer and it will connect as "Guest". When you hit "Connect As," it gives you the option to connect as the registered user (the XP username and password on the other computer). When I do that, it STILL only grants me guest privileges, NOT Registered User privileges (can't delete, move files, etc).
Please can anyone help?Here are my results - found the server and 2 printers but not the other PCs on the network:
Laptop:~ greghasking$ nmblookup -M -- -
querying _MSBROWSE_ on 192.168.1.255
192.168.1.163 _MSBROWSE_<01>
192.168.1.35 _MSBROWSE_<01>
169.254.25.129 _MSBROWSE_<01>
Laptop:~ greghasking$ smbclient -g -p 139 -NL 192.168.1.35
session request to 192.168.1.35 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[GENIESERVER] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Disk|ProSolv|
Disk|E$|Default share
IPC|IPC$|Remote IPC
Disk|SharedDocs|
Disk|Genie|
Disk|Users|
Disk|Applications|
Disk|Temp|
Disk|F$|Default share
Disk|ADMIN$|Remote Admin
Disk|C$|Default share
Disk|Holter|
Laptop:~ greghasking$ smbclient -g -p 139 -NL 192.168.1.163
session request to 192.168.1.163 failed (Called name not present)
session request to 192 failed (Called name not present)
Domain=[QUINTON] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
IPC|IPC$|Remote IPC
Disk|print$|Printer Drivers
Disk|SharedDocs|
Disk|Imported Patients|
Disk|ADMIN$|Remote Admin
Disk|C$|Default share
Disk|xmlreports|
Printer|Printer|Printrex MP200 for XP
Laptop:~ greghasking$ smbclient -g -p 139 -NL 169.254.25.129
timeout connecting to 169.254.25.129:139
Error connecting to 169.254.25.129 (Operation already in progress)
Connection to 169.254.25.129 failed -
Does GRANT CREATE ANY PROCEDURE auto grants EXECUTE on created obj to user?
I have a User ABC which has GRANT CREATE ANY PROCEDURE on schema XYZ. Now, I create a new Function in schema XYZ using my ID ABC named "func123". My question is, would my User ID ABC being creator of func123 be able to EXECUTE it by default ???
Note: ID ABC has not been explicitly given GRANT EXECUTE on this func123 function, neither it has GRANT EXECUTE ANY PROCEDURE on schema XYZ.
Thanks in advance.There is no such thing as 'create any procedure on schema xyz'. When an user has create any procedure, he can create a procedure in any schema, including SYS.
You have an unprotected and unsecured database by granting this powerful privilege to multiple users.
Also when you create a procedure in a different schema, that schema becomes the owner, not the user creating it.
Kindly brush up your basics and (re)read documentation.
Sybrand Bakker
Senior Oracle DBA -
Event tasks in SYSTEM Privilege ?
Hello Experts,
SAP IDM 7.2 SP8.
I have query on event task being defined on SYSTEM PRIVILEGE (PRIV:SYSTEM:<REPO_NAME>).
I believe IDM should not trigger provisioning tasks(ex. HOOK TASK 4) due to removal or addition of SYSTEM privilege.
Only removal/addition of ACCOUNT PRIVILEGE (PRIV:<REPO_NAME>:ONLY) should
trigger of provisioning tasks which also remove/add of system privilege for the user as defined in provisioning framework.
So, How Event tasks should be defined for system privileges ?
I think it should be empty (NONE).
Below screenshots shows the current configuration being done for system privileges in my client's IDM system.
This results in trigger of HOOK TASK 4 when SYSTEM privilege is removed/added from the user which causes errors which I know happen because of defining event tasks on SYSTEM PRIVILEGES.
Your help is appreciated.
Thanks & Regards,
PradeepHi Steffi,
Thank you very much.
I just compared Task defined at Repo level and privilege level and could relate then.
Add Task (Assignment at Repo level, screenshot 1) = Add Task (Assignment at Privilege level, screenshot 3)
Remove Task (Assignment at Repo level, screenshot 1) = Remove Task (Deassignment at Privilege level, screenshot 3)
Provisioning task (Privilege tasks at Repo level, screenshot 1) = Provisioning task (Privilege tasks at Privilege level, screenshot 2)
Deprovisioning task (Privilege tasks at Repo level, screenshot 1) = Deprovisioning task (Privilege tasks at Privilege level, screenshot 2)
So I need to set Add Task (Assignment at Privilege level, screenshot 3) and Remove Task (Deassignment at Privilege level, screenshot 3) to NONE .
In your case, this is the setting done and so provisioning does not trigger due to addition/removal SYSTEM privilege which is correct.
I would do this change in Dev system and test it .
I will update the thread with result.
Event task defined at repo level.
Screenshot 1:
Task defined at privilege level (tab Tasks)
Screenshot 2:
Event task defined at privilege level.
Screenshot 3:
Thanks & Regards,
Pradeep -
What is the system privilege required to grant "Analytic Privilege" to a user
Hi SCN,
I have the user with following privileges:
SYSTEM Privileges: CATALOG READ,CREATE STRUCTURED PRIVILEGE,DATA ADMIN,STRUCTUREDPRIVILEGE ADMIN,USER ADMIN
PACKAGE Privileges: SECURITY
OBJECT Privileges: _SYS_BI,_SYS_BIC and REPOSITORY_TEST
Am able to create a AP, but not able to assign to a user. Checked different threads and documents, Am able to add with "SYSTEM" user but not with the generic user i have
I can't do tracing as it is disabled in the client system
Am i missing something here? Can someone help me please?
Regards,
Krishna TanguduThank you so much Raj.
I was expecting this kind of privilege under SYSTEM PRIVILEGE.
So other privileges which i mentioned are fine right?
Regards,
Krishna Tangudu -
Grant privileges to new user + few tables
Hi all. How can I give my new user all privileges for inserting deleting records in some tables...
CREATE USER user1 IDENTIFIED BY user1May be it will be better to make nobody the owner of the tables?It's definitely a good idea to make somebody else the owner of the table rather than SYSTEM... you shouldn't really be putting your own objects in the SYSTEM schema anyway if you can help it.
Whether NOBODY is the best schema to use depends on what you want the table for. If this is just a test system you are playing about with then it doesn't really matter... but if you are trying to put together a proper development/test system with a plan to move into a production environment then think through what you want (and whether NOBODY is the best name for your application schema).
Saying that, if this is just a database you are 'playing' with to learn some Oracle then you might want to look at granting system privileges rather than object privileges.
GRANT SELECT ANY TABLE TO ALEX;
Will let ALEX select form any table (other than the data dictionary).
Again, though, a word of caution - if you intend to put this into a 'real' system (rather than just one you are learning on) then think it through and only grant what you need. If you go for the 'easy' system privilege now you'll find you'll always be stuck with it because you'll never be 100% certain that you can revoke it without affecting your application. -
Create a new user for oracle 10G ASM instance with sysdba system privilege
Hi,
In our Golden Gate Project, we require the SYS user credential to connect to the Oracle 10g ASM instance to read the database transaction logs.But our client is not providing the SYS user credential to connnect to ASM instance.
I'm getting the error message "ORA-01109: database not open",When I tried to create a new user using the below the steps in oracle 10g ASM instance
1. Login using "sqlplus / as sysdba"
2. Create user <username> identified by <password>;
But in oracle 11g ASM instance, I'm able to create new user by connecting the ASM instance with SYSASM role without issues.
Is there is any workaround to create a new user with sysdba system privilege in oracle 10g ASM instance?.
Thanks in advance .Hi,
Recreate the password file for the ASM instance as follows:
Unix:
orapwd file=<ORACLE_HOME>/dbs/PWD<SID> password=<sys_password>
Windows:
orapwd file=<ORACLE_HOME>/database/PWD<SID>.ora password=<sys_password>
Now sys password is reset, we are ready to use sys for ASM management. I decided to create another user ASMDBA as I tried above.
SQL> create user ASMDBA identified by test01;
User created.
SQL> grant SYSASM, SYSOPER to ASMDBA;
Grant succeeded.
SQL> select * from v$pwfile_users;
USERNAME SYSDBA SYSOPE SYSASM
SYS TRUE TRUE TRUE
ASMDBA FALSE TRUE TRUE
Please see this link : http://orachat.com/how-to-change-asm-sys-password-creating-sysasm-user-11g/
Thank you -
How can we give a user, alter procedure privilege on only one procedure of another schema.
Scenerio:
User A owns a procedure
called 'TESTPROCEDURE'.
User B has execute privilege on 'TESTPROCEDURE';
Now i want to give user
B , alter procedure privilege for only one procedure i.e 'TESTPROCEDURE';
I do not want to give
ALTER ANY PROCEDURE to user B since the user just wants to alter only 1
procedure.
How can we do that?
Thanks & regards,
Mohd Shahid Shaikh.Why do you want to do this?
If I'm allowed to alter a procedure, I can alter it to do something completely different. I can modify the procedure to do anything that B can do. If that's what you want to allow, why not just log in as A?
There is no way to grant B the ability to alter a single procedure. You could, I suppose, create another procedure in A that accepts a DDL statement as a string, checks to see if it meets your criteria, and then executes it. You could then grant B the ability to execute this new procedure. A could then send an appropriate CREATE OR REPLACE PROCEDURE statement to the new procedure that replaces TestProcedure. But that's a fair amount of effort and complexity to deal with (particularly when there are errors)-- if you can explain the underlying business problem, we may be able to help you come up with alternate technical solutions.
Justin -
ALTER SYSTEM KILL SESSION privilege
Hi All,
Is there any possibility to use this command from a without having DBA priviileges, what is the privilege to be grantd to the ordinary users to execute ALTER SYSTEM KILL SESSION... statement..
Thanks in advanceThe procedure proposed by Rusell would be more or less so:
SQL> create or replace procedure kill_session
2 ( v_sid number, v_serial number )
3 as
4 v_varchar2 varchar2(100);
5 begin
6 execute immediate 'ALTER SYSTEM KILL SESSION '''
7 || v_sid || ',' || v_serial || '''';
8 end;
9 /
Procedure created.
SQL> select username, sid, serial# from v$session;
USERNAME SID SERIAL#
147 5078
SYS 148 6161
151 6769
156 1
158 1
159 1
REPOS_OWNER 161 14502
163 1
164 1
165 1
166 1
USERNAME SID SERIAL#
167 1
168 1
169 1
170 1
15 rows selected.
SQL>
SQL> exec kill_session(161,14502);
PL/SQL procedure successfully completed.
SQL>Joel Pérez
http://otn.oracle.com/experts
Maybe you are looking for
-
Dynamic graphics in Smart Forms
Dear All: I have a requirement in my SMARTFORM page development that i have to place a dynamic graphics and printout. Does anyone know how to control the dynamic graphics in Smart Forms? Any help whould be highly appreciated. Many thanks in advance.
-
Physical Harddrive Size in x100e
Sorry if this is obvious, but I've looked at the specs and searched google and everything and can't for the life of me figure out what size the harddrive is for the x100e. Is it 1.8" or 2.5"? Thanks much! Solved! Go to Solution.
-
Under SICF if I find a WD ABAP service, how can I change it. Do I copy the service or is there a way to create the service? Thanks Mikie
-
Infoobject Specific Properties
Hi All, I'm trying to create a multiprovider based on an IfoCube which has the characterics with navigational attributes but when i select that infocube for the multiprovider then cube doesnt show those 2 charactericstics and the navigational attribu
-
Syncing between my MacBook, iPhone & iPad.
My Contacts don't seem to be syncing any longer between my MacBook, iPad & iPhone. I've just updated to iOS 7 - could this be part of the problem?? Help!