How to avoid a table to be selected by a user with 'select any table' grant
Hello,
I want a table to be non selectable for a particular user even if that user has a 'select any table' grant.
Either the query can return no rows or an error message, it doesn't matter.
How can I achieve this with a standard database configuration? I mean I am not allowed to use any tool of Oracle like Vault etc.
thanks in advance...
Fine-grained access control (aka VPD, more or less) is part of Enterprise Edition. It is not a separate tool. See Oracle Database Editions
You can read about it here: Using Oracle Virtual Private Database to Control Data Access
The main thing to understand is the predicate-generating function, and all the opportunities there. This example is from a presentation I once gave to a local Oracle users group.
The policy (not shown) specifies FGAC_PKG.FGAC_PREDICATE_FNC as the predicate-generating function. If the user has role FGAC_DEMO_ALL_COMPANIES_ROLE then his view is not restricted; if his username does not appear in the COMPANY_AUTHORIZATION table he will get an error when querying the protected table; otherwise he will be restricted to see only the companies he is authorized for. So this has some elements that may be useful to you.
CREATE OR REPLACE PACKAGE BODY FGAC_DEMO_SCHEMA.FGAC_PKG AS

  FUNCTION FORCE_FGAC_ERROR_FNC (in_object VARCHAR2) RETURN NUMBER IS
    e_not_authorized exception;
    PRAGMA exception_init(e_not_authorized, -20667);
  BEGIN
    RAISE e_not_authorized;
    RETURN (-1); -- will NEVER get here (have already raised an error)
  EXCEPTION
    WHEN e_not_authorized then
      RAISE_APPLICATION_ERROR (sqlcode,
        sqlerrm||'Access to '|| in_object ||
        ' requires access to at least one company, but none have been authorized.' );
  END FORCE_FGAC_ERROR_FNC;

  FUNCTION FGAC_PREDICATE_FNC (in_schema VARCHAR2, in_object VARCHAR2)
    RETURN VARCHAR2
  IS
    out_predicate VARCHAR2 (400);
    c_filter_predicate constant varchar2(400) :=
      'COMPANY_ID IN (SELECT COMPANY_ID FROM COMPANY_AUTHORIZATION '||
      'WHERE USER_NAME = USER)';
    c_bypass_filtering_role VARCHAR2(30) := 'FGAC_DEMO_ALL_COMPANIES_ROLE';
    v_authorization_count NUMBER;
    c_error_predicate constant varchar2(400) :=
      'FGAC_DEMO_SCHEMA.FGAC_PKG.FORCE_FGAC_ERROR_FNC('''||
      in_schema||'.'||in_object||''') = 0';
  BEGIN
    IF DBMS_SESSION.is_role_enabled (c_bypass_filtering_role) THEN
      out_predicate := NULL;
    ELSE
      SELECT COUNT(*) INTO v_authorization_count
        FROM COMPANY_AUTHORIZATION
       WHERE USER_NAME = USER;
      IF v_authorization_count = 0 then
        out_predicate := c_error_predicate;
      ELSE
        out_predicate := c_filter_predicate;
      END IF;
    END IF;
    RETURN out_predicate;
  END FGAC_PREDICATE_FNC;

END FGAC_PKG;
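A minimal policy for the case in the original question, where one named user must see nothing in one table even though that user holds SELECT ANY TABLE. This is an added example, not code from the thread; APP_OWNER, SENSITIVE_T, SEC_ADMIN, BLOCKED_USER and the policy and function names are placeholders.

```sql
-- Added example. APP_OWNER.SENSITIVE_T, SEC_ADMIN, BLOCKED_USER and the
-- policy/function names are placeholders, not names from the thread.

-- 1. Predicate function: the blocked user gets an always-false predicate,
--    everyone else gets NULL (no filtering).
CREATE OR REPLACE FUNCTION sec_admin.deny_blocked_user_fnc (
    in_schema IN VARCHAR2,
    in_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'BLOCKED_USER' THEN
        RETURN '1 = 0';   -- query succeeds but returns no rows
    END IF;
    RETURN NULL;
END deny_blocked_user_fnc;
/

-- 2. Attach the function to the table for SELECT statements.
--    Run as a user that has EXECUTE on DBMS_RLS.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP_OWNER',
        object_name     => 'SENSITIVE_T',
        policy_name     => 'DENY_BLOCKED_USER_POL',
        function_schema => 'SEC_ADMIN',
        policy_function => 'DENY_BLOCKED_USER_FNC',
        statement_types => 'SELECT'
    );
END;
/

-- 3. Confirm the policy exists and is enabled.
SELECT object_owner, object_name, policy_name, sel, enable
  FROM dba_policies
 WHERE object_owner = 'APP_OWNER'
   AND object_name  = 'SENSITIVE_T';

-- 4. SELECT ANY TABLE does not bypass the policy, but the
--    EXEMPT ACCESS POLICY system privilege does (as does SYS).
--    Any grantee listed here is outside the policy's reach.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';
```

To return an error instead of an empty result, return a predicate that calls an error-raising function, as FORCE_FGAC_ERROR_FNC does in the package above.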
Similar Messages
-
Create user with select privilege only one schema
Can someone tell me how I can create a user with select privileges on only one schema?
I don't want the user to have any select privileges on other schemas.
Can someone advise me?
Thanks
In general, you would do something like
CREATE ROLE abc_read_only;
BEGIN
  -- grant SELECT on every table owned by ABC to the role
  FOR x IN (SELECT * FROM dba_tables WHERE owner='ABC')
  LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT ON abc.' || x.table_name || ' TO abc_read_only';
  END LOOP;
END;
/
CREATE USER your_user ...;
GRANT abc_read_only TO your_user;
You create a role, grant the role SELECT access to all the tables in the ABC schema (you can extend this to grant access to views, functions, etc. depending on the requirements), and then grant that role to your user.
Justin -
Hi, how can I get a list of all laptops or users with folder direction enabled or offline files enabled, be it SCCM or PowerShell? I have struggled for a week.
tchocr
Hi,
There is no PowerShell command that can achieve this. Maybe you can use a script to get the user name with folder redirection enabled. However, I am not familiar with writing scripts, and it would be better for you to ask in the script forum below for professional assistance:
http://social.technet.microsoft.com/Forums/en-US/home?forum=ITCG&filter=alltypes&sort=lastpostdesc
Best Regards,
Mandy
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
How to find out the IBU of the logged in user with some relationship?
Hi,
How to find out the IBU of the logged in user with some relationship?
Regards,
Jaya
Hi Jaya,
I am not sure if I understood you correctly. Do you want to find the corresponding account of the logged in user? If yes, then you can use the below FM:
CALL FUNCTION 'BP_CENTRALPERSON_GET'
  EXPORTING
    IV_USERNAME         = im_usr_name
  IMPORTING
    EV_BU_PARTNER_GUID  = lv_partner_guid
  EXCEPTIONS
    NO_CENTRAL_PERSON   = 1
    NO_BUSINESS_PARTNER = 2
    NO_ID               = 3
    OTHERS              = 4.
Thanks and Regards,
Rohit -
How do you change an used ipad to a new user with a new itunes account?
How do you change a used iPad to a new user with a new iTunes account?
Plug your iPad into your computer, open iTunes, click on the iPad icon, and on the first page there is an option to "restore" the iPad to its factory settings; click it. Don't remove the USB connection, wait until it finishes wiping the data and it should show a new window that asks you to register the iPad.
There you go, your iPad is synced with your iTunes account under your name. It's best to also use "Find my iPad" just in case it gets lost; you can track it from your computer. Very handy tool and it's free!
But if you want the data that is on the iPad, back it up first and sync the content to your library before restoring it to its factory settings.
Have a great day and enjoy your iPad -
Problem in passing select-options to class methods, type any table
How to pass type any table to a class method
Hi all,
I'm trying to build a class to validate the selection screen, like select-options and parameters.
While writing a method to validate the select-options, it's throwing a parameter mismatch error.
I tried making the import parameter in the class method 'TYPE ANY TABLE' and tried to pass select-options from my program, but it is saying type mismatch. How to overcome this problem?
And I want to pass any select option, either of type lfa1-lifnr or mara-matnr or any other.
Moderator message : Don't shout, use proper font size for explaining the question. This has been discussed in ABAP forums before. Search for available information. Thread locked.
Edited by: Vinod Kumar on Sep 14, 2011 11:20 AM
Hi
Triggering and Handling events
At the moment of implementation, a class defines its:
Instance events (using the EVENTS statement)
Static events (using the CLASS-EVENTS statement)
Classes or their instances that receive a message when an event is triggered at runtime and want to react to this event define event handler methods. Statement: METHODS
CLASS LC1_VEICHLE DEFINITION.
  PUBLIC SECTION.
    METHODS CONSTRUCTOR.
    EVENTS VEICHLE_CREATION.
ENDCLASS.
CLASS LC1_VEICHLE IMPLEMENTATION.
  METHOD CONSTRUCTOR.
    RAISE EVENT VEICHLE_CREATION.
  ENDMETHOD.
ENDCLASS.
REWARD IF USEFUL -
How to avoid shut down BPELPM Server when creating a user?
Hi,
How to avoid shut down BPELPM Server when creating a JAZN user and after doing changes to user-properties.xml?
Thanks,
Jorge
This configuration is only supported on a midtier. There is a workaround for a standalone install; nevertheless I would not recommend this for production.
If this is NOT a production environment, I can try to get you the information.
/clemens -
How can a jsp page tell which Oracle Responsibility the user has selected?
We have two responsibilities - Timecard Administrator and Timecard Viewer. Everything that they can access is the same, except for one particular jsp page which we want to present a slightly different view if the user's responsibility is Timecard Viewer (specifically, the edit link in the results page will be suppressed). Unfortunately in order to implement this, the jsp code needs to be able to distinguish which of those two responsibilities the user has selected. I have written jsp code to print all the environment variables and unfortunately the environment is essentially identical regardless of which of the two responsibilities the user selected.
How do I pass in the active responsibility to that page/environment in a way that can be tested by the jsp code?
Thank you,
Graham Toal <[email protected]>
Yes, I tried something like this (shortened to the basics for this post):
<pre>
sqlQuery="select responsibility_name from fnd_responsibility_vl where responsibility_id = FND_GLOBAL.RESP_ID";
stmt=con.createStatement();
rs=stmt.executeQuery(sqlQuery);
int field_count=rs.getMetaData().getColumnCount();
while (rs.next()) {
for (int i=0; i<field_count; i++) {
logger.write("Responsibility: "+rs.getObject(i+1),"JSP",objName,0,-1,1001);
</pre>
However it did not print any results at all.
I'm trying a different approach at the moment - I've cloned the menus from the Administrator responsibility to the new Viewer responsibility, and have altered the top-level menu so that I can insert a new variable into the process state myself; that way by the time the user navigates to the changed page, there should be a variable there that can be tested.
Unfortunately the top-level menu isn't just a simple menu, it's a piece of code that issues an HTML redirect depending on the parameter passed in - which is set in the Oracle function screen for the function attached to that menu.
(was something like utpa_top_menu.jsp?ADMIN and I changed it to utpa_top_menu.jsp?VIEWER, with appropriate tests for the new module name:
<tt>
else if ("VIEWER".equals(moduleName))
url = "/utpa/jsp/admin_reports-viewer.jsp";
</tt>
In admin_reports-viewer.jsp I've added <tt>session.putValue("REPVIEWER","y");</tt> and in the actual target main page I have:
<pre>
if (session.getValue("REPVIEWER") == "y") {
// viewer
out.println("<CENTER><B>You are using the Timecard Viewer responsibility</B></CENTER><BR>");
} else {
</pre>
And although the URL bar at the top of the screen is displaying the correct (redirected) URL, the page that is displayed is blank. Completely empty. 0 bytes. The file is present on the filing system; has content; has the correct ownership and permissions; I've reloaded apache, even had the systems guys reboot completely. I'm at a loss :-/
Graham -
In Yosemite Mail, the control click option no longer works when clicking on attachments, that previously allowed you to save, quicklook, and select app to open with etc. Any solutions?
Hi
It always shows just 4 as an option in the "open with" list. Also I haven't downloaded any apps for a while so why would it start now?
Do you know how I can establish how many apps are counting toward this 10 and what they are? -
Want to get the list users with select access to v$ synonyms and v$ views
I've to write a sql (DB 11.1) to get the list of users who has select access to v$ synonym and v$ views. I've written the following sqls to do this but they both return the same result and I don't know how to verify it. It will be a great help if you could validate the sqls and let me know if something is wrong. Thanks for the help.
-- v$ views
select 'vview',
substr(SYS_CONNECT_BY_PATH(c, '->'),3,512) path, c
from (select null p, view_name c
from dba_views
where view_name like ('V$%')
union all
select -- users/roles and roles granted
granted_role p,
grantee c
from dba_role_privs
where granted_role != 'DBA'
union all
select -- users/roles with select on DBA views
table_name p, grantee c
from dba_tab_privs
where privilege = 'SELECT'
and table_name like ('V$%'))
where (c = 'PUBLIC' OR c in (select username from dba_users))
AND c NOT IN('MDSYS','DMSYS','CTXSYS','WMSYS','ORDSYS','OLAPSYS','DBSNMP')
start with p is null connect by p = prior c
-- v$ synonyms
select 'vsynonyms',
substr(SYS_CONNECT_BY_PATH(c, '->'),3,512) path, c
from (select null p, SYNONYM_NAME c
from ALL_SYNONYMS
where table_name like ('V$%')
union all
select -- users/roles and roles granted
granted_role p,
grantee c
from dba_role_privs
where granted_role != 'DBA'
union all
select -- users/roles with select on DBA views
table_name p, grantee c
from dba_tab_privs
where privilege = 'SELECT'
and table_name like ('V$%'))
where (c = 'PUBLIC' OR c in (select username from dba_users))
AND c NOT IN('MDSYS','DMSYS','CTXSYS','WMSYS','ORDSYS','OLAPSYS','DBSNMP')
start with p is null connect by p = prior c
I've modified the sql to include GV$ and all select [any] privs.
select 'vview',
substr(SYS_CONNECT_BY_PATH(c, '->'),3,512) path, c
from (select null p, view_name c
from dba_views
where view_name like ('V$%') OR view_name like ('GV$%')
union all
select -- users/roles and roles granted
granted_role p,
grantee c
from dba_role_privs
where granted_role != 'DBA'
union all
select -- users/roles with select on DBA views
table_name p, grantee c
from dba_tab_privs
where privilege like 'SELECT%'
and (table_name like ('V$%') OR table_name like ('GV$%')) ) -- parenthesized: AND binds tighter than OR, so the privilege filter must cover both patterns
where (c = 'PUBLIC' OR c in (select username from dba_users))
AND c NOT IN('MDSYS','DMSYS','CTXSYS','WMSYS','ORDSYS','OLAPSYS','DBSNMP')
start with p is null connect by p = prior c
union
select 'vsynonyms',
substr(SYS_CONNECT_BY_PATH(c, '->'),3,512) path, c
from (select null p, SYNONYM_NAME c
from ALL_SYNONYMS
where table_name like ('V$%') OR table_name like ('GV$%')
union all
select -- users/roles and roles granted
granted_role p,
grantee c
from dba_role_privs
where granted_role != 'DBA'
union all
select -- users/roles with select on DBA views
table_name p, grantee c
from dba_tab_privs
where privilege like 'SELECT%'
and (table_name like ('V$%') OR table_name like ('GV$%')) ) -- parenthesized: AND binds tighter than OR, so the privilege filter must cover both patterns
where (c = 'PUBLIC' OR c in (select username from dba_users))
AND c NOT IN('MDSYS','DMSYS','CTXSYS','WMSYS','ORDSYS','OLAPSYS','DBSNMP')
start with p is null connect by p = prior c -
Why can't I select and move guides with selection tools?
I'm using Illustrator CC and I cannot select and move guides with the selection tools. The guides are not locked. I can select the guides in the Layers Panel, but I can only move with the arrow keys. I can also "Release" the guides once they are selected in the Layers Panel, but I still cannot move them with the mouse - only the arrow key.
Summary of Problem:
Guides are not locked.
Some guides can only be moved when they are selected in the Layer Panels and when using the arrow keys
Non-selectable Guides can be "Released" but only altered in color and line weight and still only moved with the arrow keys.
Desired Outcome:
I want to be able to move all guides using the mouse for greater accuracy vs the arrow keys.
Thank you for your help.
Channing, anotherhead,
The following is a general list of things you may try when the issue is not in a specific file (you may have tried/done some of them already); 1) and 2) are the easy ones for temporary strangenesses, and 3) and 4) are specifically aimed at possibly corrupt preferences); 5) is a list in itself, and 6) is the last resort.
1) Close down Illy and open again;
2) Restart the computer (you may do that up to 3 times);
3) Close down Illy and press Ctrl+Alt+Shift/Cmd+Option+Shift during startup (easy but irreversible);
4) Move the folder (follow the link with that name) with Illy closed (more tedious but also more thorough and reversible);
5) Look through and try out the relevant among the Other options (follow the link with that name, Item 7) is a list of usual suspects among other applications that may disturb and confuse Illy, Item 15) applies to CC, CS6, and maybe CS5);
Even more seriously, you may:
6) Uninstall, run the Cleaner Tool (if you have CS3/CS4/CS5/CS6/CC), and reinstall.
http://www.adobe.com/support/contact/cscleanertool.html -
Dynamic Select query is failing with error "Invalid Table Name"
OPEN rc FOR 'SELECT count(*) from :s' USING tab_name;
fetch rc into rec_count;
CLOSE rc;
my requirement is to build dynamic select query to retrieve the total count of rows in each table ( variable tab_name contains the table_name )
But I am getting stuck by this error, not sure if there is any alternative!
ORA-00903: invalid table name
ORA-06512: at line 43
OPEN rc FOR 'SELECT count(*) from '||tab_name;
fetch rc into rec_count;
CLOSE rc;
-- This will work
1. Create a sql statement.
2. Open ref cursor for that statement. -
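A bind variable can carry a value but not an identifier, which is why the USING form fails with ORA-00903 and the table name has to be concatenated. The sketch below validates the name with DBMS_ASSERT before concatenating it, so only a string that resolves to an existing object reaches the statement text. It is an added example, not code from the thread; COUNT_ROWS_FNC and the sample inputs are constructed.

```sql
-- Added example; COUNT_ROWS_FNC and the sample names are constructed.
CREATE OR REPLACE FUNCTION count_rows_fnc (in_tab_name IN VARCHAR2)
    RETURN NUMBER
IS
    rc         SYS_REFCURSOR;
    rec_count  NUMBER;
BEGIN
    -- SQL_OBJECT_NAME returns its input unchanged when it names an
    -- existing object and raises a DBMS_ASSERT error otherwise, so
    -- arbitrary text never becomes part of the statement.
    OPEN rc FOR 'SELECT COUNT(*) FROM '
                || DBMS_ASSERT.SQL_OBJECT_NAME(in_tab_name);
    FETCH rc INTO rec_count;
    CLOSE rc;
    RETURN rec_count;
END count_rows_fnc;
/

SET SERVEROUTPUT ON
DECLARE
    TYPE name_list IS TABLE OF VARCHAR2(100);
    -- Constructed inputs: one valid object name, one string that is not
    -- a name at all.
    samples name_list := name_list('DUAL', 'DUAL WHERE 1 = 1');
BEGIN
    FOR i IN 1 .. samples.COUNT LOOP
        BEGIN
            DBMS_OUTPUT.PUT_LINE(samples(i) || ' -> '
                                 || count_rows_fnc(samples(i)));
        EXCEPTION
            WHEN OTHERS THEN
                -- ORA-44001 .. ORA-44004 are the DBMS_ASSERT errors.
                IF SQLCODE BETWEEN -44004 AND -44001 THEN
                    DBMS_OUTPUT.PUT_LINE(samples(i) || ' -> rejected, '
                                         || SQLERRM);
                ELSE
                    RAISE;
                END IF;
        END;
    END LOOP;
END;
/
```

When the names come from the data dictionary rather than from a caller, for example a loop over USER_TABLES, wrapping each name in DBMS_ASSERT.ENQUOTE_NAME(name, FALSE) also keeps mixed-case and quoted identifiers intact.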
How to avoid the attach error in sparc (64-bit) driver compiled with GCC
If you want to avoid the error "failed to attach" in a sparc 64-bit driver,
you must add the flags as below.
CC = /usr/local/bin/gcc
LD = /usr/ucb/ld
GCCFLAGS = -m64 -mcpu=v9 -fno-builtin
CFLAGS = -O $(INCL) $(GCCFLAGS) -D_KERNEL -D_SYSCALL32 -Wall
Ms. Anda
MSN:[email protected]
Vini160409, You totally Rule!
I noted just one brief update: I am using Access 2007, and my database has the suffix .accdb. That uses a slightly different driver than the one described in your (very careful) instructions; fortunately, it was also available in the drivers in the program odbcad32.exe in the System 32 folder, so it was available to me when I added the new database from within the SysWOW64 folder. This fix allows me to use LiveView with a ColdFusion site from within DreamWeaver. Thanks much for making this public! -
Create new user like another user with select privilege???
Our user requested that we create another user similar to "apps", but with only "select" privilege on "apps" objects and on other users' objects which are granted to "apps".
In this case they can use a tool to log in and do some work.
Does anyone know how to "create a new user like APPS", but only copy the APPS "select" privilege to this new user?
Thanks.
This has been discussed many times in the forums. Pl see this thread Re: How to create a read only database or conduct a search for more hits.
HTH
Srini