Grants and privs
Hi,
I want to grant a user access to all the objects of another user. What privs or roles should I set? He should not access other schema objects.
For example:
I need to give full access to the scott schema to modify, add or drop any objects of the hr schema.
What privs or roles should I give to scott?
He should be able to access only the hr schema.
Regards,
Deepak
No Girish,
I just got a call from one of my DBAs: he needs to create a user named B, and user B needs to access all the objects of USER A (already exists), and he should not access any other users' objects. So what privs should be given to user B?
This question came from him. I thought in many ways, but not exact.
Regards,
Deepak
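One way to approach the request above, added here as an example and not part of the original thread: a PL/SQL block that grants per-object privileges on everything HR currently owns to a role, then gives that role to SCOTT. The role name hr_full_access is hypothetical, and the block assumes the caller holds GRANT ANY OBJECT PRIVILEGE; the closing comments cover the "add or drop" part of the question, which object privileges cannot express.

```sql
-- Added example (not from the thread). HR and SCOTT are the names used in the
-- question; the role name HR_FULL_ACCESS is hypothetical.
-- Assumption: run by an account that holds GRANT ANY OBJECT PRIVILEGE
-- (or adapt the query to USER_OBJECTS and run it as HR itself).
SET SERVEROUTPUT ON

CREATE ROLE hr_full_access;

DECLARE
  v_privs VARCHAR2(100);
  v_stmt  VARCHAR2(400);
BEGIN
  FOR o IN (SELECT object_name, object_type
            FROM   dba_objects
            WHERE  owner = 'HR'
            AND    object_type IN ('TABLE', 'VIEW', 'SEQUENCE', 'PROCEDURE',
                                   'FUNCTION', 'PACKAGE', 'TYPE')
            AND    object_name NOT LIKE 'BIN$%'   -- skip recycle-bin entries
            ORDER  BY object_type, object_name)
  LOOP
    -- INDEX and REFERENCES are left out: Oracle does not allow granting
    -- them to a role.
    v_privs := CASE o.object_type
                 WHEN 'TABLE'    THEN 'SELECT, INSERT, UPDATE, DELETE, ALTER'
                 WHEN 'VIEW'     THEN 'SELECT'
                 WHEN 'SEQUENCE' THEN 'SELECT, ALTER'
                 ELSE 'EXECUTE'
               END;
    v_stmt := 'GRANT ' || v_privs || ' ON "HR"."' || o.object_name
              || '" TO hr_full_access';
    BEGIN
      EXECUTE IMMEDIATE v_stmt;
    EXCEPTION
      WHEN OTHERS THEN
        -- Some objects cannot be granted on directly (for example nested-table
        -- storage tables, or views built on objects HR cannot re-grant).
        -- Report them and carry on.
        DBMS_OUTPUT.PUT_LINE('SKIPPED ' || o.object_type || ' '
                             || o.object_name || ': ' || SQLERRM);
    END;
  END LOOP;
END;
/

GRANT hr_full_access TO scott;

-- Lists any schema-crossing (ANY) system privileges SCOTT holds directly;
-- each one reaches beyond HR.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'SCOTT'
AND    privilege LIKE '% ANY %';

-- Object privileges cannot create or drop objects in HR. The system privileges
-- that can (CREATE ANY TABLE, DROP ANY TABLE, ...) apply to every schema, which
-- contradicts the "only hr" requirement.
-- Objects HR creates later are not covered: re-run the block after changes.
-- If SCOTT must do DDL inside HR, proxy authentication keeps it scoped to HR:
--   ALTER USER hr GRANT CONNECT THROUGH scott;   -- then: CONNECT scott[hr]
```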
Similar Messages
-
Error while running Re-create grants and synonyms for APPS schema
Hi,
I have upgraded customer's Oracle Apps 11i (11.5.10) database to Oracle 10g R2. While executing 'Re-create grants and synonyms' as given in Note: 362203.1, I am getting error:
plus80 -s APPS/***** @E:\EBSTEST\ebstestappl\ad\11.5.0\admin\sql\adappsgs.pls &systempwd 1 INV APPLSYS APPS TRUE FALSE TRUE
Error:
Program exited with status 3
Cause: The program terminated, returning status code 3.
Action: Check your installation manual for the meaning of this code on this operating system.
Connected.
old 2: ad_apps_private.create_grants_and_synonyms(&2,'&3','&4','&5','FALSE');
new 2: ad_apps_private.create_grants_and_synonyms(1,'INV','APPLSYS','APPS','FALSE');
begin
*
ERROR at line 1:
ORA-20000: ORA-00955: name is already used by an existing
object:create_grants_and_synonyms(1,INV,APPLSYS,APPS): create_base_gs(INV,APPS): In Synonyms
Loop:create_synonym(INV,MTL_ONHAND_DISCREPANCY,APPS,MTL_ONHAND_DISCREPANCY):
do_apps_ddl(APPS,CREATE SYNONYM "MTL_ONHAND_DISCREPANCY" FOR INV."MTL_ONHAND_DISCREPANCY"):
ORA-06512: at line 5
MTL_ONHAND_DISCREPANCIES
I checked the database and there isn't MTL_ONHAND_DISCREPANCY synonym. But there is MTL_ONHAND_DISCREPANCIES synonym.
This is an upgraded instance from 11.0.3 and first time I am running Re-create grants and synonyms for APPS schema.
Please let me know if any of you faced this issue.
Rgds,
Thiru
Hi,
there is no such table MTL_ONHAND_DISCREPANCY or synonym in Applications 11.5.10.2. Is that a custom table created in your db?
After dropping this table from APPS schema 'Re-create grants and synonyms for APPS schema' went thru fine.
It's correct
This table does not exist in INV schema in 11.5.10.2.
Could be possible that the consultant could have created this table in INV and APPS schema by mistake or whatever.
Yes, with the same name, there might be table in APPS SCHEMA. When you run recreate grants and synonyms, adadmin tries to create synonym for that table in APPS schema. Since there is object available with the same name in APPS schema, you got that error. -
Error In Adadmin Re-Create Grants And Synonyms For Apps Schema
HI,
I upgraded my DB from 9.2.6 to 10.2.4. It was successful.
While doing post-upgrade steps -
Recreate grants and synonym for apps
a. Log in to server with applmgr user
b. Execute adadmin
c. Choose -> Maintain Applications Database Entities menu
d. Choose -> Re-create grants and synonyms for APPS schema
2 workers failed ...
I checked the worker log file and found:
sqlplus -s APPS/***** @/stageAPP/stageappl/ad/11.5.0/admin/sql/adappsgs.pls &systempwd 1 PO APPLSYS APPS TRUE FALSE TRUE
Connected.
old 2: ad_apps_private.create_grants_and_synonyms(&2,'&3','&4','&5','FALSE');
new 2: ad_apps_private.create_grants_and_synonyms(1,'PO','APPLSYS','APPS','FALSE');
begin
ERROR at line 1:
ORA-20000: ORA-00955: name is already used by an existing
object:create_grants_and_synonyms(1,PO,APPLSYS,APPS): create_base_gs(PO,APPS):
In Synonyms
Loop:create_synonym(PO,XXGOD_SEQ_DECORTIMESHEET_HDR,APPS,XXGOD_SEQ_DECORTIMESHEE
T_HDR): do_apps_ddl(APPS,CREATE SYNONYM "XXGOD_SEQ_DECORTIMESHEET_HDR" FOR
PO."XXGOD_SEQ_DECORTIMESHEET_HDR"):
ORA-06512: at line 5
Workaround $adctrl
Control
Worker Code Context Filename Status
1 Run Grants/Synonyms R115 adappsgs.pls FAILED
2 Run Grants/Synonyms R115 Wait
3 Run Grants/Synonyms R115 Wait
4 Run Grants/Synonyms R115 Wait
5 Run Grants/Synonyms R115 Wait
6 Run Grants/Synonyms R115 Wait
7 Run Grants/Synonyms R115 Wait
8 Run Grants/Synonyms R115 Wait
9 Run Grants/Synonyms R115 Wait
10 Run Grants/Synonyms R115 Wait
11 Run Grants/Synonyms R115 Wait
12 Run Grants/Synonyms R115 Wait
13 Run Grants/Synonyms R115 Wait
14 Run Grants/Synonyms R115 Wait
15 Run Grants/Synonyms R115 Wait
16 Run Grants/Synonyms R115 Wait
SQL> select owner, object_type from dba_objects where object_name = 'XXGOD_SEQ_DECORTIMESHEET_HDR';
OWNER OBJECT_TYPE
PO SEQUENCE
APPS SEQUENCE
It's a custom object. I think I need to drop/rename one of them. Which one should I drop/rename?
Or
Is it possible to skip the failed workers? If so, please give me the steps.
Thanks
Hi;
There is an 8 option (hidden) available but I suggest you don't use this option. (As you mention it's custom, if you believe it won't be a problem you can use this hidden option, or drop 'XXGOD_SEQ_DECORTIMESHEET_HDR' and recreate it later; it's at your own risk.) By the way, please check the notes below, which cover errors similar to yours:
Run Adadmin To Recreate Grants And Synonyms ORA-20000 ORA-00955 In Synonyms Loop:create_synonym(GL,PLAN_TABLE,APPS,PLAN_TABLE) [ID 437714.1]
ADADMIN MAINTAINING APPLICATIONS GRANTS AND SYNONYMS APP-931 ORA-955 ORA-20000 [ID 1014455.102]
Regards
Helios -
Script to create grants and synonyms for objects in database
Hello,
We are building a patch to be applied to the production environment. I want to create a script/sql query that builds a list of grants and synonyms for all the objects created after august 09.
for ex:
create or replace synonym abc for schema_name.abc;
Grant execute on abc to user_xyz;
How can I use Oracle's data dictionary to do this?
Thanks
Hi,
You'll probably want to use these views:
user_objects - includes created (DATE) column.
user_synonyms
user_tab_privs - not just tables (e.g., includes EXECUTE privileges on functions).
Data dictionary views beginning with 'user_' cover objects owned by the current user only.
Almost all of the data dictionary views (and all of the three mentioned above) also have 'all_' and 'dba_' versions.
For example:
all_objects includes everything in user_objects, plus objects in other schemas on which the current user has privileges.
dba_objects includes every object in the database. (Not everyone is allowed to see the dba_ views.)
Here's one of many possible ways to use these views:
SELECT 'GRANT '
    || privilege
    || ' ON "'
    || table_name
    || '" TO '
    || grantee
    || CASE
           WHEN grantable = 'YES'
           THEN ' WITH GRANT OPTION;'
           ELSE ';'
       END
FROM user_tab_privs
WHERE table_name IN ( -- Only interested in objects created after August 9
                      SELECT object_name
                      FROM all_objects
                      WHERE created >= TO_DATE ( '10-Aug-2009'
                                               , 'DD-Mon-YYYY'
                                               )
                    )
;
-
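The reply above generates the GRANT statements only. The following added example (not from the thread) goes a step further: it also generates the CREATE SYNONYM statements and matches objects on owner as well as name, so a same-named object in another schema is not picked up. APP_OWNER is a hypothetical schema name.

```sql
-- Added example (not from the thread). APP_OWNER is a hypothetical schema name;
-- the cutoff date is the one used in the reply above.
WITH new_objects AS (
  SELECT DISTINCT owner, object_name
  FROM   all_objects
  WHERE  owner = 'APP_OWNER'
  AND    created >= TO_DATE('10-Aug-2009', 'DD-Mon-YYYY')
  AND    object_type IN ('TABLE', 'VIEW', 'SEQUENCE', 'PROCEDURE',
                         'FUNCTION', 'PACKAGE', 'TYPE')
)
SELECT ddl
FROM (
  -- Synonyms (private and public) that point at the new objects
  SELECT 1 AS ord,
         'CREATE OR REPLACE '
         || CASE WHEN s.owner = 'PUBLIC'
                 THEN 'PUBLIC SYNONYM "' || s.synonym_name || '"'
                 ELSE 'SYNONYM "' || s.owner || '"."' || s.synonym_name || '"'
            END
         || ' FOR "' || s.table_owner || '"."' || s.table_name || '";' AS ddl
  FROM   all_synonyms s
  JOIN   new_objects n
    ON   n.owner       = s.table_owner
   AND   n.object_name = s.table_name
  WHERE  s.db_link IS NULL          -- local objects only
  UNION ALL
  -- Object grants on the new objects, matched on owner AND name
  SELECT 2,
         'GRANT ' || p.privilege
         || ' ON "' || p.table_schema || '"."' || p.table_name
         || '" TO ' || p.grantee
         || CASE WHEN p.grantable = 'YES'
                 THEN ' WITH GRANT OPTION;'
                 ELSE ';'
            END
  FROM   all_tab_privs p
  JOIN   new_objects n
    ON   n.owner       = p.table_schema
   AND   n.object_name = p.table_name
)
ORDER BY ord, ddl;
```

The ALL_ views show only what the connected user can see; a DBA can switch to DBA_OBJECTS, DBA_SYNONYMS and DBA_TAB_PRIVS (where the owner column is OWNER rather than TABLE_SCHEMA) for full coverage.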
Do I need to reapply grants and synonyms. Altering Rename for other schema
Hi,
We are following the process to replace some tables in UAT/PROD with new structure of tables.
So for example for Table A in Schema A:
Step1- Create TableA_NEW with the required structure and partitions.
Step2- Insert into TableA_NEW Select * from TableA.
Step3- Alter Table TableA Rename to TableA_OLD --Take Backup of TableA
Step4- Alter Table TableA_NEW Rename to TableA --Change the New table to Original Table
Now do I need to reapply all the grants and synonyms originally applied to TableA.
When I test in Dev, all the grants and synonyms still hold. But I can't take any chances for UAT/PROD.
Also when I rollback these changes and Rename the tables back to Original table.
Then do I need to Reapply all the grants and synonyms originally applied to TableA.
Please suggest..
Step1- Create TableA_NEW with the required structure and partitions.
    -> New table - does not have grants
Step2- Insert into TableA_NEW Select * from TableA.
Step3- Alter Table TableA Rename to TableA_OLD --Take Backup of TableA
    -> Renamed table keeps grants. Synonym not valid at this point
Step4- Alter Table TableA_NEW Rename to TableA --Change the New table to Original Table
    -> New table still does not have grants, synonym now valid
So, grants disappear but synonym will be valid at end of process. -
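The table swap described in this thread, as an added example that is not part of the original posts: it reproduces the four steps in a scratch schema, shows where the grants sit afterwards, and copies them onto the new table. APP_READER is a hypothetical grantee that is assumed to exist already.

```sql
-- Added example (not from the thread). Run as the table owner in a scratch
-- schema; APP_READER is a hypothetical, already existing grantee.
CREATE TABLE tablea (id NUMBER);
GRANT SELECT ON tablea TO app_reader;

-- Steps 1 to 4 from the question
CREATE TABLE tablea_new (id NUMBER, loaded_on DATE);
INSERT INTO tablea_new (id) SELECT id FROM tablea;
COMMIT;
ALTER TABLE tablea     RENAME TO tablea_old;
ALTER TABLE tablea_new RENAME TO tablea;

-- Shows which of the two names now carries the grants.
SELECT table_name, grantee, privilege, grantable
FROM   user_tab_privs_made
WHERE  table_name IN ('TABLEA', 'TABLEA_OLD')
ORDER  BY table_name, grantee, privilege;

-- Copy the table-level grants from the renamed original onto the new TABLEA.
-- Column-level grants live in USER_COL_PRIVS_MADE and are not handled here.
BEGIN
  FOR g IN (SELECT grantee, privilege, grantable
            FROM   user_tab_privs_made
            WHERE  table_name = 'TABLEA_OLD'
            AND    grantor = USER)
  LOOP
    EXECUTE IMMEDIATE
      'GRANT ' || g.privilege || ' ON "TABLEA" TO ' || g.grantee
      || CASE WHEN g.grantable = 'YES' THEN ' WITH GRANT OPTION' END;
  END LOOP;
END;
/

-- The backup copy keeps its old grants, so its grantees can still query it.
-- Revoke them if TABLEA_OLD should be reachable by the owner only, e.g.:
--   REVOKE SELECT ON tablea_old FROM app_reader;
```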
Grants and Synonyms -ORA-01031: insufficient privileges
Hi
I did a script for the DBA to execute. This script contains GRANTS and creation of the synonyms. The owner of the tables is OLOGBGF.
I create synonym as :
CREATE OR REPLACE SYNONYM ULOGBGF.ZBI_STOCK FOR OLOGBGF.ZBI_STOCK;
CREATE OR REPLACE SYNONYM ULOGBGF.ZBI_STOCK FOR OLOGBGF.ZBI_STOCK
Why did it not work? See the code below.
Thank you in advance
Script executado.
SQL> select * from global_name;
GLOBAL_NAME
ISLQ.WORLD
SQL> PROMPT **********************************
SQL> PROMPT GRANTS/SYNONYMS
GRANTS/SYNONYMS
SQL> PROMPT **********************************
SQL> GRANT SELECT, INSERT, UPDATE, DELETE ON OLOGBGF.TEMPO_FILA TO ULOGBGF;
Grant succeeded.
SQL> GRANT DELETE, INSERT, SELECT, UPDATE ON OLOGBGF.ZBI_STOCK TO ULOSBGF;
Grant succeeded.
SQL> CREATE OR REPLACE SYNONYM ULOGBGF.TEMPO_FILA FOR OLOGBGF.TEMPO_FILA;
CREATE OR REPLACE SYNONYM ULOGBGF.TEMPO_FILA FOR OLOGBGF.TEMPO_FILA
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> CREATE OR REPLACE SYNONYM ULOGBGF.ZBI_STOCK FOR OLOGBGF.ZBI_STOCK;
CREATE OR REPLACE SYNONYM ULOGBGF.ZBI_STOCK FOR OLOGBGF.ZBI_STOCK
ERROR at line 1:
ORA-01031: insufficient privileges
Check the privileges that have been granted to the user running the script.
For example, if "HEMANT" is running the script :
select granted_role from dba_role_privs where grantee = 'HEMANT'
union
select privilege from dba_sys_privs where grantee = 'HEMANT'
order by 1;
Hemant K Chitale
http://hemantoracledba.blogspot.com -
Tacacs authorization and Priv levels
Hi
I'm struggling with TACACS+ and priv levels, and hoping someone out there can help me solve an issue.
So, in this environment we need the following:
Read-only users
Users with access to some configuration commands.
Okay, the TACACS configuration for the read-only users looks like this:
group = readonly-users {
    default service = deny
    cmd = show {
        permit running-config
        permit interface
        permit privilege
        permit vlan
        deny .*
    }
    service = exec {
        priv-lvl = 15
    }
}
# Note that priv lvl 15 has been set to allow the users to run the "show running-config"; all commands other than the ones mentioned are denied.
The TACACS configuration for the Users with configuration access looks like this.
group = restricted-user {
    default service = deny
    cmd = show {
        permit interface
        permit vlan
        permit privilege
        deny .*
    }
    service = exec {
        priv-lvl = 7
    }
}
And the following has been configured on the switches to allow further configurations, these commands we had to enable after I had made the previous read-only user in tacacs:
privilege interface level 7 switchport access vlan
privilege interface level 7 switchport mode access
privilege interface level 7 switchport voice vlan
privilege configure level 7 interface
privilege exec level 7 configure terminal
privilege exec level 7 show running-config
privilege exec level 7 write memory
It all worked just fine, the read-only users only had access to the commands configured in TACACS. But when I configured the users with configuration access and entered the privilege commands on the switch it stopped working.
Somehow the privilege commands on the switch apply to all privilege levels above lvl 7. Meaning that my read-only users with priv lvl 15, all commands except show commands denied, can suddenly enter privileged exec mode because I allowed the priv lvl 7 users to enter it.
This does not make sense to me, because I've read on cisco's HP that when configuring privilege level commands on the equipment, you allow only that level to access the command, and not all above.
I hope someone can help me with this issue, and it should be solved in the TACACS configuration, because the TACACS server is controlling over 500 switches and routers. So it isn't just a question of reconfiguring the switches, that would take the rest of 2011.
I hope you guys know the answer to this.
Thanks in advance.
Kind regards
Thanks for your answer.
Well when I started to configure this TACACS setup, I tried to create 2 profiles with privilege level 15 and just allow/deny the different commands. But the thing is that you cannot allow all commands in the TACACS configuration. For example, you cannot give a user privilege level 15 and deny all commands, but allow the user to configure VLANs on interfaces, and duplex settings which is what I want the users to be able to do.
That's why I needed to configure the commands to be accessible from privilege level 7 on the equipment.
If only I could create a profile with privilege level 15 and give the user access to the commands he needs, and only those from the TACACS configuration file, that would make it a lot easier, but that just isn't the way TACACS works, unfortunately. -
Recreate Grants and Synonyms for APPS schema
Hi,
how can I Recreate Grants and Synonyms for APPS schema ?
Many thanks.
Hi,
You can recreate grants and synonyms through adadmin utility.
Navigation : adadmin - > Maintain Applications Database Entities menu - > Re-create grants and synonyms for APPS schema.
Rgds,
S.Jai
Shanthi Gears (LTD) -
Hi,
i have a doubt.
When a user is created and the connect role is granted he is not able to create objects until the resource role is granted, right?
But look at my following example:
SQL> create user tarek identified by tarek
2 default tablespace tools
3 temporary tablespace temp;
User created.
SQL> grant connect to tarek;
Grant succeeded.
SQL> connect tarek
Enter password:
Connected.
SQL> create table a (a number(1));
create table a (a number(1))
ERROR at line 1:
ORA-01950: no privileges on tablespace 'TOOLS'
SQL> connect system
Enter password:
Connected.
SQL> grant resource to tarek;
Grant succeeded.
SQL> connect tarek
Enter password:
Connected.
SQL> create table a (a number(1));
Table created.
SQL> connect system
Enter password:
Connected.
SQL> select grantee,privilege from dba_sys_privs where grantee='CONNECT';
GRANTEE PRIVILEGE
CONNECT ALTER SESSION
CONNECT CREATE CLUSTER
CONNECT CREATE DATABASE LINK
CONNECT CREATE SEQUENCE
CONNECT CREATE SESSION
CONNECT CREATE SYNONYM
CONNECT CREATE TABLE
CONNECT CREATE VIEW
8 rows selected.
SQL> select grantee,privilege from dba_sys_privs where grantee='RESOURCE';
GRANTEE PRIVILEGE
RESOURCE CREATE CLUSTER
RESOURCE CREATE INDEXTYPE
RESOURCE CREATE OPERATOR
RESOURCE CREATE PROCEDURE
RESOURCE CREATE SEQUENCE
RESOURCE CREATE TABLE
RESOURCE CREATE TRIGGER
RESOURCE CREATE TYPE
8 rows selected.
Why do I have to grant resource if connect has the same privileges?
Thanks
Tarek
The reason that RESOURCE role allows a user to create tables with no further grants and CONNECT doesn't is because these roles are special, Oracle-defined roles.
With only CONNECT role you only have the grants that you see in role_sys_privs. With RESOURCE, you have the grants you see in role_sys_privs plus one important grant viz.
SQL> CREATE USER jtest IDENTIFIED BY jtest;
User created.
SQL> GRANT CONNECT TO jtest;
Grant succeeded.
SQL> CONNECT jtest/jtest
Connected.
SQL> SELECT * FROM session_privs;
PRIVILEGE
CREATE SESSION
ALTER SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
CREATE DATABASE LINK
8 rows selected.
SQL> CONNECT ops$oracle/password
Connected.
SQL> GRANT RESOURCE TO jtest;
Grant succeeded.
SQL> CONNECT jtest/jtest
Connected.
SQL> SELECT * FROM session_privs
PRIVILEGE
CREATE SESSION
ALTER SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
CREATE DATABASE LINK
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
12 rows selected.
It's the UNLIMITED TABLESPACE that allows resource to allocate space anywhere without having quota on a tablespace.
IMHO both roles are far too permissive, and should never be granted to users.
TTFN
John -
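A narrower setup than the CONNECT and RESOURCE roles discussed above, added here as an example and not part of the original thread: explicit system privileges plus a tablespace quota, followed by the dictionary queries that audit the result. TAREK and TOOLS are the names from the question; the password and the 50M quota are placeholders.

```sql
-- Added example (not from the thread). TAREK and TOOLS are the names used in
-- the question; the password and the 50M quota are placeholders.
CREATE USER tarek IDENTIFIED BY "ChangeMe_placeholder1"
  DEFAULT TABLESPACE tools
  TEMPORARY TABLESPACE temp
  QUOTA 50M ON tools;          -- explicit quota instead of UNLIMITED TABLESPACE

-- Only the privileges the account needs, granted directly
GRANT CREATE SESSION, CREATE TABLE TO tarek;

-- System privileges and roles the account holds directly
SELECT 'SYS PRIV' AS kind, privilege AS name
FROM   dba_sys_privs
WHERE  grantee = 'TAREK'
UNION ALL
SELECT 'ROLE', granted_role
FROM   dba_role_privs
WHERE  grantee = 'TAREK';

-- Space the account may consume per tablespace (MAX_BYTES = -1 means no limit)
SELECT tablespace_name, bytes, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'TAREK';

-- Audit: accounts and roles that were given CONNECT or RESOURCE
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('CONNECT', 'RESOURCE')
ORDER  BY granted_role, grantee;

-- Audit: grantees holding UNLIMITED TABLESPACE directly
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege = 'UNLIMITED TABLESPACE'
ORDER  BY grantee;
```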
Hi,
could any one please answer to these queries.
1.)what is the difference between normal grants and permissions & public grants and permissions?
2.)what is the sql to find out public permissions/grants in database
Hi,
could any one please answer to these queries.
1.)what is the difference between normal grants and permissions & public grants and permissions?
You may be granted Permissions to write or read from certain folder or to access or execute certain objects.
A privilege granted to normal user (private) is only to that specified user. A grant to Public means every user in the database has access to it (for security, this is not recommended unless you know what you are doing)
2.)what is the sql to find out public permissions/grants in database
Query the DBA_xxx_PRIVS views
DBA_AQ_AGENT_PRIVS
DBA_COL_PRIVS
DBA_ROLE_PRIVS
DBA_SYS_PRIVS
DBA_TAB_PRIVS
E.g
SQL> select * from dba_tab_privs where grantee ='PUBLIC'; -
Need to find out how to implement grants and permissions for a Page. Which module/responsibility/navigation path we have to select to set this
Limits to SNMPv3 auth and priv passwords in LMS4.0?
I'm required to build an LMS 4.0 server that meets DISA STIGs. One of the requirements is to meet the password complexity rules. DISA requires at least 15 characters (2 upper, 2 lower, 2 numeric, 2 special and the rest are dealer's choice).
While 12.x and 15.x IOS will support this length (as validated by using Solarwinds), LMS reports the SNMPv3 secure device as unreachable.
Unless I've missed it, I can't find anything in the LMS docs that tells me what LMS' limits are for SNMPv3 auth password and priv password.
In my own testing, I've managed to get it to accept eight (8) character (alpha, num, sym) auth passwords and 10 character (alpha, num, sym) priv passwords. However, if I take the auth password up to 12, LMS reports the device as unreachable again and complains about a digest error.
Anyone else run into this?
Thanks.
Hi Afroy,
What is the command for the view.
We configured SNMPv3 with 2 lines
snmp-server group v3 priv
snmp-server user ...
what do we have to do with view?
Steffen -
I created a custom security extension following the steps listed in the Readme_Security Extension Sample. It works fine if I login as the user that is specified in the AdminConfiguration section of the rsreportserver.config file but if I log in as another user, I get this error: User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed. I've added the user to both System Administrator and System User roles to try to get it to work but still no luck.
Does anyone know how to fix this?
Thanks.
Hi MetronM,
The issue is due to that user having no permission to access the report server. In report manager, Reporting Services includes predefined roles that we can assign to users and groups to provide immediate access to a report server. Each role defines a collection of related tasks.
You can refer to the following steps to assign corresponding role to the user.
Open report manager.
Click “Folder Setting” button.
Click “New Role Assignment” icon.
Type the user name and select the corresponding role.
There is an article about Granting Permissions on a Native Mode Report Server, you can refer to it.
http://technet.microsoft.com/en-us/library/ms156014.aspx
Regards,
Alisa Tang
Alisa Tang
TechNet Community Support -
I have a user1 with table test in his schema.
When I log in as system and try to grant user2 select on table test I am getting the following error:
SQL> grant select on user1.test to user2;
grant select on user1.test to user2
ERROR at line 1:
ORA-01031: insufficient privileges
System has DBA role and system priv SYSDBA granted by default. I added GRANT ANY ROLE, GRANT ANY PRIVILEGE and am still getting the error. I can grant any privilege on the table when logged in as user1.
Thanks for any help.
Ken
Thanks for your posts. I have already posted this question twice, and had one reply, but still don't understand.
I have a training CD which does that very thing in a simulation (grant select on a.table to b) while connected as sysdba.
It would be very tedious to have to log in as the user, grant system all the individual privileges to all the objects in the other schema, then connect as sysdba and administer them. What happens when a new table is created in that schema? Same thing over again?
I guess MSSQL has made it too easy for me in the past, and I can't believe Oracle could make it this difficult.
Winford
-
Hi I am a lecturer at a university in the UK.
I am preparing a proposal to the Vice Chancellor about incorporating Ipads into the learning process.
I am thinking it would be a tangible gift as part of their fees.
Does anyone have experience of iPads in education? What are your views? I have seen Apple's articles but want an un-corporate viewpoint.
Does anyone know of any funding routes?
Do Apple have grants available or specific support for institutions?
Thanks in anticipation of your constructive help.
Karl
Apple has no grants or funding I've ever heard of other than the standard discounts for purchasing multiple units. I'm sure you're probably far more aware of other funding resources available to UK institutions than I would be.
As to non-corporate opinions and resources, if you search the web for "ipads in education" and "ipads in the classroom", you'll find a plethora of sites with information that should be of help. The "iPads in Education" ning is probably a good place to start:
http://ipadeducators.ning.com/
Regards.