Identifying users without DEFAULT ROLE ALL

I want to query the database catalog to identify users who have been defined without DEFAULT ROLE ALL. Unfortunately I do not see anything in DBA_USERS that would tell me this.
I suppose I could run DBMS_METADATA.EXTRACT_DDL to generate scripts for all users, and examine the output, but I would like something more direct.
Thanks,
Mike Tefft

DBA_ROLE_PRIVS will tell me if there are any non-default roles. But it will not tell me if the user has been set for DEFAULT ROLE ALL.
Here is the scenario I am trying to detect:
06:56:27 > create user mjt_test_user_a identified by xxxx;
User created.
Elapsed: 00:00:00.01
06:56:27 > create user mjt_test_user_b identified by xxxx;
User created.
Elapsed: 00:00:00.03
06:56:27 >
06:56:27 > create role mjt_test_role1;
Role created.
Elapsed: 00:00:00.01
06:56:27 > create role mjt_test_role2;
Role created.
Elapsed: 00:00:00.00
06:56:27 >
06:56:27 > grant mjt_test_role1 to mjt_test_user_a ;
Grant succeeded.
Elapsed: 00:00:00.00
06:56:27 > grant mjt_test_role1 to mjt_test_user_b ;
Grant succeeded.
Elapsed: 00:00:00.01
06:56:27 >
06:56:27 >
06:56:27 > alter user mjt_test_user_a default role mjt_test_role1 ;
User altered.
Elapsed: 00:00:00.03
06:56:27 > alter user mjt_test_user_b default role all;
User altered.
Elapsed: 00:00:00.00
06:56:27 >
06:56:27 > select * from dba_role_privs where grantee like 'MJT%TEST%' order by 1,2;
GRANTEE                        GRANTED_ROLE                   ADM DEF
MJT_TEST_USER_A                MJT_TEST_ROLE1                 NO  YES
MJT_TEST_USER_B                MJT_TEST_ROLE1                 NO  YES
2 rows selected.
Elapsed: 00:00:00.03
At this point, both users look the same from DBA_ROLE_PRIVS. But if I add another role, it may be added as a non-default role (the scenario which burned me last night, and which I want to find out if it exists elsewhere).
06:56:27 >
06:56:27 > grant mjt_test_role2 to mjt_test_user_a ;
Grant succeeded.
Elapsed: 00:00:00.00
06:56:27 > grant mjt_test_role2 to mjt_test_user_b ;
Grant succeeded.
Elapsed: 00:00:00.00
06:56:27 >
06:56:27 > select * from dba_role_privs where grantee like 'MJT%TEST%' order by 1,2;
GRANTEE                        GRANTED_ROLE                   ADM DEF
MJT_TEST_USER_A                MJT_TEST_ROLE1                 NO  YES
MJT_TEST_USER_A                MJT_TEST_ROLE2                 NO  NO
MJT_TEST_USER_B                MJT_TEST_ROLE1                 NO  YES
MJT_TEST_USER_B                MJT_TEST_ROLE2                 NO  YES
4 rows selected.
Elapsed: 00:00:00.07
06:56:27 >

Similar Messages

  • ALTER USER USERNAME DEFAULT ROLE ALL;

    Hi,
    I want to know, what is the meaning of "ALTER USER CARDS DEFAULT ROLE ALL"

    It's easy to understand things when you try them,
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
    With the Partitioning, Oracle Label Security, OLAP, Data Mining
    and Real Application Testing options
    SQL> grant connect to newuser identified by newuser;
    Grant succeeded.
    SQL> conn newuser/newuser
    Connected.
    SQL> select * from session_roles;
    ROLE
    CONNECT
    SQL> conn / as sysdba
    Connected.
    SQL> create role new_user;
    Role created.
    SQL> grant select any table to new_user;
    Grant succeeded.
    SQL> grant new_user to newuser;
    Grant succeeded.
    SQL> conn newuser/newuser
    Connected.
    SQL> select * from session_roles;
    ROLE
    CONNECT
    NEW_USER
    SQL> conn / as sysdba
    Connected.
    SQL> alter user newuser default role connect;
    User altered.
    SQL> conn newuser/newuser
    Connected.
    SQL> select * from session_roles;
    ROLE
    CONNECT
    SQL> set role new_role;
    set role new_role
    ERROR at line 1:
    ORA-01919: role 'NEW_ROLE' does not exist
    SQL> set role new_user;
    Role set.
    SQL> select * from scott.dept;
        DEPTNO DNAME          LOC
            10 ACCOUNTING     NEW YORK
            20 RESEARCH       DALLAS
            30 SALES          CHICAGO
            40 OPERATIONS     BOSTON
    HTH
    Aman....

  • DEFAULT ROLE ALL

    Hi,
    I wanted to know what this ROLE contains.
    One of my application users has this role and I am wondering which privileges this ROLE has.
    Thanks!

    Hi user9104898,
    From Oracle documentation;
    DEFAULT ROLE Clause
    Specify the roles granted by default to the user at logon. This clause can contain only roles that have been granted directly to the user with a GRANT statement. You cannot use the DEFAULT ROLE clause to enable:
      - Roles not granted to the user
      - Roles granted through other roles
      - Roles managed by an external service (such as the operating system), or by the Oracle Internet Directory
    Oracle Database enables default roles at logon without requiring the user to specify their passwords or otherwise be authenticated. If you have granted an application role to the user, you should use the DEFAULT ROLE ALL EXCEPT role clause to ensure that, in subsequent logons by the user, the role will not be enabled except by applications using the authorized package.
    Ogan

  • Default roles and grants

    I have role called role_test and this is granted to user user_test and made it as default role.
    but role_test is protected by password i.e to set role need to give password.
    set role role_test identified by test_role_pass;
    My question is: when the user user_test logs in, will he automatically get this role_test as it is granted as default role?
    Or does he still need to call set role identified by password to enable this role?
    I am using oracle 11g database.
    Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
    Is there any change of this behaviour with oracle versions 10g to 11g ?
    Thanks,
    Phani

    Phani_Orcl wrote:
    Is there any change of this behaviour with oracle versions 10g to 11g ?
    Yes, there is. Password protected roles in 11g are not enabled at login time even if it is a default role:
    SQL> create role r1;
    Role created.
    SQL> create role r2 identified by r2;
    Role created.
    SQL> create user u1 identified by u1
      2  /
    User created.
    SQL> grant create session to u1
      2  /
    Grant succeeded.
    SQL> grant r1,r2 to u1
      2  /
    Grant succeeded.
    SQL> alter user u1 default role all
      2  /
    User altered.
    SQL> connect u1/u1
    Connected.
    SQL> select * from session_roles;
    ROLE
    R1
    SQL>
    And it is documented
    Authorizing a Role by Using the Database
    You can protect a role authorized by the database by assigning the role a password. If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.
    SY.

  • Default roles... by default

    Is there a way to have a role be default by default. In other words rather than
    1. grant a role to a user
    and then
    2. make that role default for each user granted the role (i.e. ALTER USER user_name DEFAULT ROLE role_name;)
    is there a way to have #2 above happen automatically when granting a role to a user? So that by default, roles granted are enabled as a default role for the user?
    Thanks.

    when granting a role to a user? So that by default, roles granted are enabled as a default role for the user?
    The user attribute of sys.user$.defrole seems to play a part in whether subsequent grant <role> to <theuser> commands will put roles on the "default roles" list or not. But as far as I know this is not (widely) documented.
    What you could do is to once issue
    alter user <theuser> default role all | all except <list of roles>
    This will set defrole to 1 and 3, respectively, and subsequent grants will make roles default roles for the user. Using the grant command with none | <list of roles> implies that subsequent role grants will not be enabled by default.
    (So, somebody issued another alter user user default role command with none or role_name, before you granted another role to the user.)
    Also, I've mentioned this in another post just recently:
    Re: user can not do select,insert,update,delete on view when user has the role
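
The post above points at sys.user$.defrole as where the DEFAULT ROLE setting is recorded. A catalog query built on that, as an added example that is not part of the original thread: it assumes SELECT access to SYS.USER$, that TYPE# = 1 marks users rather than roles, and that DEFROLE values 0 and 2 mean NONE and an explicit role list (the post itself only reports 1 and 3), so confirm the mapping on a test account first.

```sql
-- Added example: list accounts that are NOT set to DEFAULT ROLE ALL.
-- Assumptions (undocumented dictionary columns, verify on a test user first):
--   sys.user$.type#   = 1  -> row is a user (0 would be a role)
--   sys.user$.defrole = 1  -> DEFAULT ROLE ALL          (value reported in the thread)
--   sys.user$.defrole = 3  -> DEFAULT ROLE ALL EXCEPT   (value reported in the thread)
--   sys.user$.defrole = 0  -> DEFAULT ROLE NONE         (assumed)
--   sys.user$.defrole = 2  -> explicit default role list (assumed)
SELECT u.name AS username,
       u.defrole,
       CASE u.defrole
         WHEN 0 THEN 'NONE (assumed)'
         WHEN 1 THEN 'ALL'
         WHEN 2 THEN 'explicit role list (assumed)'
         WHEN 3 THEN 'ALL EXCEPT'
         ELSE 'unknown'
       END AS default_role_setting,
       -- Directly granted roles, from the documented view
       (SELECT COUNT(*)
          FROM dba_role_privs p
         WHERE p.grantee = u.name) AS roles_granted,
       -- Roles already granted but not enabled at logon
       (SELECT COUNT(*)
          FROM dba_role_privs p
         WHERE p.grantee = u.name
           AND p.default_role = 'NO') AS roles_not_default
FROM   sys.user$ u
WHERE  u.type# = 1
AND    u.defrole <> 1
ORDER  BY u.name;
```

A row with roles_not_default = 0 is the latent case from the original question: DBA_ROLE_PRIVS looks clean today, but the next role granted to that account will not be enabled at logon.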

  • Users, privileges and roles problem!

    Hi everyone,
    I am using oracle 10.2.0.
    I have a user (dba1) who is the owner of tables in my database. I have connected to sqlplus as sysdba and created the role admin and granted the admin all the privileges.
    SQL> grant all privileges to admin;
    Grant succeeded.
    SQL>
    Then I granted the admin role to the user dba1:
    SQL> grant admin to dba1;
    Grant succeeded.
    I have created another role, sel_role and given that role the privileges to select tables. For example:
    SQL> grant select on kund to sel_role;
    Grant succeeded.
    Now I have created another user, Anton, and have given that user the role sel_role:
    grant sel_role to Anton;
    Grant succeeded.
    Now when I try to log in as anton and try to use the select statement which is given to Anton by sysdba, using the sel_role, to select the table kund, I got an error:
    SQL> connect anton/oracle
    Connected.
    SQL> select * from kund;
    select * from kund
    ERROR at line 1:
    ORA-00942: table or view does not exist
    What could be the solution to this problem?
    Thanks in advance

    Solomon Yakobson wrote:
    Connect as sysdba and issue:
    ALTER USER anton DEFAULT ROLE ALL;
    SY.
    Same problem!
    SQL> alter user anton default role all;
    User altered.
    SQL> connect anton/oracle
    Connected.
    SQL> select * from kund;
    select * from kund
    ERROR at line 1:
    ORA-00942: table or view does not exist

  • DEFAULT ROLE FOR USER

    I switched to Oracle 11g Express and created a user:
    CREATE USER LEO
    IDENTIFIED BY xy
    DEFAULT TABLESPACE USERS
    TEMPORARY TABLESPACE TEMP
    PROFILE DEFAULT
    ACCOUNT UNLOCK;
    -- 3 Roles for LEO
    GRANT AUTHENTICATEDUSER TO LEO;
    GRANT CONNECT TO LEO;
    GRANT FER_ADMIN TO LEO WITH ADMIN OPTION;
    ALTER USER LEO DEFAULT ROLE FER_ADMIN;
    -- 1 System Privilege for LEO
    GRANT CREATE SESSION TO LEO;
    -- 1 Tablespace Quota for LEO
    ALTER USER LEO QUOTA UNLIMITED ON USERS;
    and after login I check
    select * from SESSION_ROLES
    and I have no role.
    If I set role all works fine.
    Why don't I have the DEFAULT ROLE after login?
    Please help.

    here is the solution
    default roles and grants
    Edited by: Leo Lakota on 4.10.2012 5:52

  • Pictures not loaded in a Web Page Composer site without admin role

    Hello!
    I have got a new problem concerning SAP Web Page Composer.
    I have created a new site with some paragraphs and some pictures. The problem is when I, with admin role, access this site I am able to see everything. When another user, without admin role, is trying to access this site he is able to see everything but the pictures. All paragraphs or linklists are displayed but the pictures are not available. When giving the user the admin role he also becomes able to see the pictures.
    I know it is a permission problem but I do not know where I forgot to set the permissions to "every user". But I do not understand why this is only concerning the pictures and every other Web Page Composer element is displayed properly, although the pictures' permissions are set to the same as the other elements. When trying to access the pictures by the user without admin role NetWeaver is throwing the following exception:
    "com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/every_user/general/eu_role/com.sap.km.home_ws/com.sap.km.hidden/com.sap.km.urlaccess/com.sap.km.docs)"
    Thanks for your help in advance!
    Regards
    Georg

    The whole exception:
    [EXCEPTION]
    com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/every_user/general/eu_role/com.sap.km.home_ws/com.sap.km.hidden/com.sap.km.urlaccess/com.sap.km.docs - user: Manager,

  • Default role

    When we perform this code :
    alter user smith default role r1,r2;
    Does this mean the only enabled roles for smith are r1 and r2? If yes, how about the others, including the ones with passwords? Are they disabled now? If yes, do we have to use set role to enable them?
    I'm a little bit confused. Any help would be appreciated.

    Check the following link.
    http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adgsec01.htm#1005730

  • Display default Group space for users in a Role  upon login

    Is it possible to configure the role/group space so that the users in that role will see the group space as default page after logging into webcenter.
    Scenario:
    Group Space : G_SPACE1
    Role: W_ROLE1
    Users with W_ROLE1: user1, user2, etc
    Requirement:
    Whenever users with role W_ROLE1 login to webcenter(http://..../webcenter ),
    they should see the group space G_SPACE1.
    Note: I am aware that we can access the group space directly with url as http://...../webcenter/spaces/G_SPACE1.
    Thanks-
    Sachin

    Hi,
    Not as far as I know. This is something I had a requirement to do but couldn't find a way.
    Although PS3 added support to configure the landing page/space for a user, it wasn't a very useful addition in my opinion. It only allows the admin to hard-code a single Space as the default for all users and doesn't work with ELs either.

  • How to make custom append search help tab default for all users?

    I've implemented my own search help append and I need to make the F4 search help display my tab as default for all users. I know that search help stores the last tab used by the user in memory and when the user uses the search help next time the last used tab is displayed, but I have to make the system always display the tab of my search help append as the default tab. Any idea how to do it?
    Message was edited by:
            Marcin Milczynski

    hi
    Enhancement using Append structures
        Append structures allow you to attach fields to a table without actually having to modify the table itself. You can use the fields in append structures in ABAP programs just as you would any other field in the table.
    Click on the append structure tab and opt to create new
    structure.
    Append structures allow you to enhance tables by adding fields to them that are not part of the standard. With append structures; customers can add their own fields to any table or structure they want.
    Append structures are created for use with a specific table. However, a table can have multiple append structures assigned to it
        Customers can add their own fields to any table or structure they want.
    The customer creates append structures in the customer namespace. The append structure is thus protected against overwriting during an upgrade. The fields in the append structure should also reside in the customer namespace, that is the field names should begin with ZZ or YY. This prevents name conflicts with fields inserted in the table by SAP

  • Make XFCE4 default for all users

    I got Arch up and running with XFCE4. It's great so far.
    I am using either xdm or wdm as my login manager (haven't decided which I want yet).
    I added a ".xinitrc" file to my home folder so that XFCE4 will start when I log in. Is there a way to make XFCE4 the default wm for all new users without having to add a .xinitrc file to all of their home folders? I only plan on using XFCE4 so I don't need the login manager to load other wm's, but I would like to be able to add users and have their session automatically start as XFCE. All I have found by googling and on LQ.org is making a .xinitrc file, but these seem to lean toward a single user system. There has to be an easier way, i.e. with Fedora when you make a new user, log out and log in as the new user and it will start the default wm, or you can choose whichever wm you want to use.
    I'm using Arch 0.7.2 'gimmick' and all packages have been updated.

    If you just edit the skeleton file for .xinitrc, then for each user that is created, it will automatically be set to run xfce.  The location of the file is /etc/skel/.xinitrc if that answers your question.

  • Role being added as default to all

    Hi all,
    I am facing a strange issue where one role (Say Role1) nodes is displayed by default for every user though the role not added to all users. This goes for Super users as well. I checked my user User1 (a super_admin_role) in which the nodes is displayed by default along with Admin nodes. User1 doesn't have Role1 assigned to it in its User master, still this node appears. I checked Everyone role, Everyone group but Role 1 is not added to any of these.
    What could be the reason and how can I overcome this (one option is to delete this role altogether and create a new role but that is my last respite).
    Rgds,
    Sree

    Hi Piyush, Puneet,
    Thank you for your response guys. The issue got resolved. The Authenticated group was assigned this particular role, hence every user who had been assigned this group had this role as well.
    thank you again,
    Rgds,
    Sree

  • Getting UWL task count for all users in a role.

    Hi.
    I recently posted a question regarding a very similar issue, but I haven't got any response yet. I think my question might have been somewhat poorly phrased, so I will try to do better at explaining what we need.
    We have a number of processes, most of which need to be dynamically assigned to a user when created. The way we want to assign those tasks is by executing a WebService which would receive a role name and get all the users for that role. Then, using the UWL API, it would check how many tasks each of the users have in their UWL, and return the UserID for whoever has the least tasks. I haven't been able to get this to work. I keep getting Logged in users context or session doesn't exist Exception.
    Please, any help on this will be greatly appreciated.
    Currently working with SAP NWDS 7.1 SP05 PAT0005

    Hi,
    Thank you for your response, however, that's not what I need.
    For you and anyone else who might find this extra info useful...
    I know how to get a user's role(s), and how to get the users in a role.
    I also know how to assign a task to a specific user dynamically.
    Using the UWL API, I know how to get the tasks (or items) in a user's UWL from a WD application, I need to do that from a WebService and using pretty much the same code, with the necessary adjustments, I can't get it to work.
    Furthermore, I'm able to get the UWL tasks for ONE user, that user being the one I log into the application with. For example, if I write code to get the tasks for user testUser1, I need to log in with testUser1 to get it to work, if I log in with any different user or make it a non-authenticated application, it won't work.
    Again, help on this is much needed and will be appreciated.

  • Apply the default user logon picture to all users

    Hi
    I applied gpo "apply the default user logon picture to all users"
     Computer Configuration\Administrative Templates\Control Panel\User Accounts\Apply the default user logon picture to all users
    C:\programdata\Microsoft\User Account Pictures\user.bmp  --> renamed my company log to user.bmp.
    Taken backup of old user.bmp.
    But policy is not working.
    Environment:
    Windows Server 2008 R2
    Clients:Windows 7 and Windows 8

    Hi S.Vijay Kumar,
    Based on my understanding, the GPO which configured the Apply the default user logon picture to all users would not apply successfully. What’s more, you have customized the default user logon picture %ProgramData%\Microsoft\User Account Pictures\user.bmp. Right?
    Firstly, please check if the scope of this GPO and the setting of Filtering are correct.
    Secondly, please follow the steps below to check if the GPO is applied to these Windows XP clients:
    Click Start, type rsop.msc in the search box to access Resultant set of policy.
    Check if the GPO is applied to these clients and the setting of the GPO is correct.
    In addition, it would be helpful for future troubleshooting if you could help to collect the following information:
    Did the GPO fail to apply for all the computers or only some computers?
    Can you set the user.bmp as the user logon picture manually?
    Regards,
    Lany Zhang
