LDAP/OID Users granting other users access issue

Hi,
I have created 4 users (User1, User2, User3, User4) and 2 groups (Group1 and Group2)
User1 is the Group1 owner and User2 is a member of Group1
User3 is the Group2 owner and User4 is a member of Group2
I have made both groups private.
I have given User2 manage privilege on a portal page and have logged in as User2 and edited the page.
When User2 tries to grant access to the page, they can see all the users in the OID, i.e. User1, User3, User4, Portal, etc.
My thoughts were that User2 would only be able to grant access to other users in his group(s).
Basically, I want to be able to control which users a user can grant access to on a page. Is this possible?
Thanks
Joel.

What about SSL or LDAPS!
Can't seem to find any Java examples which would support services of type:
ldapbind -U 1,2 for the Java API!

Similar Messages

  • WebLogic 10.3.0 WLI Domain - Microsoft AD administrator user access issue.

    Hi SOA Experts,
    We are facing an issue of getting a noaccess exception on the console (below) when doing datasource testing using the Microsoft AD administrator user. The same works fine when testing using the WLS embedded LDAP administrator user in the WLI domain. In a plain WLS 10.3.0 domain (without WLI) with the same Microsoft AD configuration they do not see this issue; they are able to successfully test the data source using both the embedded WLS administrator and the Microsoft AD administrator user.
    I enabled the security ATN and ATZ debug flags and below is my observation.
    In the plain WLS 10.3.0 domain I see that the default weblogic administrator user in embedded LDAP is part of the Administrators group. The Microsoft AD administrator user is part of the Administrators group from MS AD.
    Whereas in the WLI domain I see that the default weblogic administrator user is part of the Administrators & IntegrationAdministrators groups. In the WLI domain the Administrators group is in turn part of the IntegrationAdministrators group (debug logs below).
    Below is the plain WLS domain debug log
    ####<Dec 6, 2010 5:20:14 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)
    '> <<WLS Kernel>> <> <> <1291674014123> <BEA-000000> < Subject: 2
    Principal = weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Below is WLI Domain Debug Log
    <> <1291669863989> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    ####<Dec 6, 2010 4:11:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291669863989> <BEA-000000> < Subject: 3
    Principal = weblogic.security.principal.WLSUserImpl("weblogic")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
    The issue of the Microsoft AD administrator user not being able to test the datasource in the WLI domain seems to be happening because of the IntegrationAdministrators group, which comes by default with a WLI domain (in a plain WLS domain we do not have this group). It looks like the datasource created in the WLI domain is being treated as a WLI resource, and the user accessing it is checked for membership of the IntegrationAdministrators group. In this case the weblogic default administrator user is part of IntegrationAdministrators, for which we do not see the issue, whereas the Microsoft AD administrator user, which is not part of IntegrationAdministrators, seems to be having the problem.
    Below is a snippet of the Microsoft AD administrator user in the debug logs
    ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291670011687> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
    ####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
    <> <1291670011687> <BEA-000000> < Subject: 2
    Principal = weblogic.security.principal.WLSUserImpl("MSADAdminUser")
    Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
    One more observation about the created datasource: in both the plain WLS and the WLI domain the created datasource's resource type is shown as “jdbc”, which is expected, but in the WLI domain I additionally observe that the created datasource's resource type is marked as JMX and the DS is being considered an application (below); not sure if this has something to do with the issue.
    Below is the WLS domain debug log, where you can see that the datasource is being treated as a JDBC resource, which is expected.
    ####<Dec 6, 2010 5:21:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291674063776> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<jdbc>, application=, module=, resourceType=ConnectionPool, resource=testDS, action=reserve>
    Below is the WLI domain debug log, where you can see that the datasource is being treated as an application and the resource type is shown as JMX
    ####<Dec 6, 2010 4:12:17 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669937755> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
    I created a user in the embedded LDAP in the WLI domain with the same name as the MS AD administrator user and assigned it to the Administrators group; that obviously works but is not an acceptable solution.
    Below is the exception thrown on the console when testing the datasource using the Microsoft AD administrator user.
    weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[MSADAdminUser, Administrators], on Resource weblogic.management.runtime.JDBCDataSourceRuntimeMBean Operation: invoke , Target: testPool at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:205) at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222) at javax.management.remote.rmi.RMIConnectionImpl_1030_WLStub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:978) at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544) at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380) at $Proxy92.testPool(Unknown Source) at com.bea.console.actions.jdbc.datasources.testjdbcdatasource.TestJDBCDataSource.begin(TestJDBCDataSource.java:114) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:870) at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:809) at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:478) at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:306) at
    - BoyelT

    This issue has been resolved.
    The problem of the Microsoft Active Directory administrator user not being able to test the datasource in the WLI domain is caused by the IntegrationAdministrators group & IntegrationAdmin role which come with a WLI domain. Assigning the Microsoft Administrator group to the IntegrationAdmin role from the WebLogic console has resolved the issue.
    Below are the steps for assigning the MS AD administrator group to the IntegrationAdmin role from the console in a WLI domain.
    ======================================================
    - Login to console and click on "Security Realms" and "myrealm"
    - Go to "Roles and Policies" tab and expand "Global Roles" tree and "Roles" tree view under it.
    - Click on "View Role Conditions" link for "IntegrationAdmin" role.
    - Click on the "Add Conditions" button, select Group (default) in the "Predicate List" drop down box and click the Next button.
    - Specify the MS AD admin group name in the "Group Argument Name" text box and hit the Add button.
    ======================================================
    - BoyelT
    Edited by: BoyelT on Dec 20, 2010 1:36 PM
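    As an added example, not part of this thread and not WebLogic code, here is a small Python triage helper for the kind of SecurityAtz debug output quoted above: it pairs each "Subject:" principal dump with the resource check that follows it and reports which required group the subject lacks. The sample log is constructed from the lines quoted in the post (the second "Resource:" line is assumed, since the post shows the MSADAdminUser subject dump but not the resource line after it), and the REQUIRED_GROUPS policy (a JMX resource needing IntegrationAdministrators) is an assumption taken from BoyelT's diagnosis, not from WebLogic documentation.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: SecurityAtz debug lines copied from the post above.
# The second "Resource:" line is assumed to mirror the first.
SAMPLE_LOG = """\
####<Dec 6, 2010 4:11:03 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
<> <1291669863989> <BEA-000000> < Subject: 3
Principal = weblogic.security.principal.WLSUserImpl("weblogic")
Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
Principal = weblogic.security.principal.WLSGroupImpl("IntegrationAdministrators")
####<Dec 6, 2010 4:12:17 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291669937755> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <>
<> <1291670011687> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
<> <1291670011687> <BEA-000000> < Subject: 2
Principal = weblogic.security.principal.WLSUserImpl("MSADAdminUser")
Principal = weblogic.security.principal.WLSGroupImpl("Administrators")
####<Dec 6, 2010 4:13:31 PM EST> <Debug> <SecurityAtz> <slsol10> <AdminServer> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1291670011690> <BEA-000000> < Resource: type=<jmx>, operation=get, application=testDS, mbeanType=weblogic.j2ee.descriptor.wl.JDBCDataSourceBean, target=Name>
"""

SUBJECT_RE = re.compile(r"<\s*Subject:\s*(\d+)")
PRINCIPAL_RE = re.compile(
    r'Principal = weblogic\.security\.principal\.WLS(User|Group)Impl\("([^"]*)"\)'
)
RESOURCE_RE = re.compile(r"\btype=<(\w+)>")

# Assumed policy derived from the diagnosis in the post: in a WLI domain the
# datasource test is authorized as a JMX resource and in practice needed
# IntegrationAdministrators membership. Adjust for your own domain.
REQUIRED_GROUPS: Dict[str, Set[str]] = {"jmx": {"IntegrationAdministrators"}}


def parse_events(log_text: str) -> List[dict]:
    """Pair every 'Subject:' principal dump with the first resource line after it."""
    events: List[dict] = []
    current = None
    for line in log_text.splitlines():
        if SUBJECT_RE.search(line):
            current = {"user": None, "groups": set(), "resource_type": None}
            events.append(current)
            continue
        if current is None:
            continue  # lines before any subject dump carry nothing we need
        m = PRINCIPAL_RE.search(line)
        if m:
            kind, name = m.groups()
            if kind == "User":
                current["user"] = name
            else:
                current["groups"].add(name)
            continue
        m = RESOURCE_RE.search(line)
        if m and current["resource_type"] is None:
            current["resource_type"] = m.group(1)
    return events


def triage(log_text: str, required: Dict[str, Set[str]] = REQUIRED_GROUPS) -> List[dict]:
    """For each access check, list the required groups the subject does not hold."""
    report = []
    for ev in parse_events(log_text):
        needed = required.get(ev["resource_type"], set())
        report.append({
            "user": ev["user"],
            "resource_type": ev["resource_type"],
            "missing": needed - ev["groups"],
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        status = "OK" if not row["missing"] else "DENIED? missing " + ", ".join(sorted(row["missing"]))
        print(f"{row['user']:<15} {row['resource_type']!s:<5} {status}")
```

    Run against a real debug log, the report shows at a glance which principal set reached a JMX check without the group the WLI authorization expects, which is the comparison BoyelT did by hand between the two subject dumps.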

  • CUIC Scheduler user access issue

    This one has me stumped.
    We recently finished an upgrade for a client that included a transition to a new virtual environment. I built out two 9.1.1 clusters, and did a disaster recovery restore from the old prod systems into the new prod system. After much foul language we got everything working, except an issue with running scheduled reports.
    If a superuser makes an edit to the report, like changing the scheduled run time, a normal level user can no longer make a change to the report. The superuser has to then delete the report, and the user recreate it. Even with the new reports, if the superuser makes a change, it locks out the user.
    This is CUIC 9.1.1, and I am not seeing anything strange in the web interface. My CUIC fu is weak here, so any help would be greatly appreciated.

    I see this behavior in CUIC 8.5 as well. The workaround is for the superuser to do a "Run As" (from Security -> User List) as the user who made the schedule, then edit the schedule from there. The schedule will then stay owned by that user instead of the superuser.
    -Jameson

  • New user access issue

    I have one business user which I have added through EAS; this user is in MSAD and added into one of the groups in Native Directory. This user's group has access to the planning application provision and I can see him in this group and he has access to the planning application. But when he tries to connect through the Essbase add-in he cannot connect to the planning database.
    Thanks in advance for the reply.

    I am using the planning version 9.3.1 and first I tried to add the user from EAS and update the security, but when the user complained about the access I went to Shared Services and first removed him from the group, refreshed the security and then added him to the group from Shared Services. The other users in the same group don't have any problem, and this user can access other databases, but he cannot connect to the one specific database only. Also the error says that the user is not permitted access to the database.
    Thanks, John.

  • SAP Business One 8.81 PL08 Mobile APP CRM Standalone User Access issue

    Dear All
    Is anyone facing the problem of a Mobile application user with a CRM Standalone license? This user always has a permission denied problem (he is assigned all the licenses required, and authorization on the SAP side is full; the SSL certificate is installed). I have installed the troubleshooting (.zip) file, which doesn't show up the panel.
    Any Idea how to resolve?
    Regards
    Dayal

    Hi Dayal,
    Well, it is neither recommended, nor tested or supported. Such an installation attempt would go at your own responsibility. Of course you can try if, for example, a newer version from 8.82 works here, but this should be tested extensively, depending on how other processes are based on it.
    Actually your 8.81 PL08 should not have the reported problem, since B1if version 1.10.0 should have been included in this package and last update action; maybe you can check here again.
    In general, we currently recommend you upgrade to version 9.1; unlike version 8.81, this version is in maintenance and offers all improvements, new features and bugfixes from the last 3.5 years.
    I'm sure it's worth considering a general upgrade.
    I wish you success!
    Best, Peter

  • Multiple SAP User Access Issue?

    Dear Expert,
    SQL Express 2005
    Wndows Server 2003
    Client PC RAM 1GB
    Server RAM 16GB
    SAP Version 8.8 PL15
    14 Store Procedure
    When multiple users are connected with SAP (logged in) and at that time any user adds any SAP document, all the remaining users hang for approx 2 min; after the successful add all users work normally.
    Please suggest me as early as possible.
    Thanks,
    Srujal Patel

    Hi Srujal.......
    This is purely due to heavy customization, maybe through an Addon or through Stored Procedures.
    Try nullifying the effect of these 14 Stored Procedures and DC Addons if any and then ask users to add the documents. I am sure they will work normally. This may happen because of FMS also.......
    Regards,
    Rahul

  • SuperUser access issue

    Hi guys,
    Just a critical issue that I'm trying to resolve, but I'm starting to go round in circles... need help...
    After a big crash, reinstalling and restoring data on a new SUN Sparc Sol10 patched 118222-30, I've got a Super User access issue.
    Even if I'm logged in as Super User I do not have Super User rights. As an example, I can create files but I cannot move or copy them. When I start some applications I cannot manage them because I do not have Super User rights.
    Does any one have an idea?
    Tks
    Cheers

    Make sure you are able to connect to the db using the command prompt or just ping <tnsname>
    In the connection pool use hostname:port/ServiceName
    If this helps, mark it.
    ~ http://cool-bi.com

  • Looking for Suggestions on granting all users access to an application *except a subset of users*

    This might not be the right forum for this question, but since it is related to an App-V application I figured I would try, since this may have come up for some of you. I am looking for the best way to grant all Domain Users access to an application except for Domain Admins. Using the full App-V infrastructure, I want to grant access to the App-V UI via User Targeting, but I don't want to allow Domain Admins access. The reason for this is that when we make updates to provisioned server cores (stateless), we log in with our Admin accounts to make modifications to the cores, and I would like to reduce the steps that need to be taken at the end to ensure that all App-V applications are removed before sealing up the core.
    Currently, Domain Admins do not have access to any App-V applications, so this process is fairly clean. All applications are User Targeted.
    Packages are cached on a persistent D drive on each server, so the issue is that the registry, programdata, and packageinstallationroot become out of sync if packages are pulled down during core modifications after the core is attached to other servers (hence other D drives). Because of this, Machine Targeting is not an option for this either.

    This would be so much easier with a "Configuration Manager" like feature where you could create a collection query to accomplish the same thing.  Are there other tools out there that will do the same thing?

  • Financial reporting 11 1 2 2 Access issue for a user

    Hi All,
    I have a report designer group for Financial Reporting 11.1.2.2. I have created a group called FR_GROUP in HSS, provided them the report designer access and added three MSAD users.
    Now as admin we have created a folder in workspace called FR and gave the group FR_GROUP full access to this folder FR.
    Now the issue is the MSAD user who created the report in the FR folder can see the reports and open them, and also the admin user, but the other two MSAD users can't see the reports.
    Any ideas how to fix this access issue?
    Thanks,

    Hi,
    Try provisioning the FR_GROUP with Explorer role. Just in case here is the whole list of Reporting and Analysis Roles:
    http://docs.oracle.com/cd/E17236_01/epm.1112/hss_admin_1112200/apas04.html
    Cheers,
    Mehmet

  • Multiple User Accessing the same record issue

    I am planning to design an app where we have the following use case requirement.
    If a user who is logged into the system is accessing a record(plan in this case) anyone else who is logged into the system at the same time should be locked out of that same plan but should still be able to access other plans in the system. A plan has many things associated with it so the 2nd user should be locked out of everything associated to the plan being accessed by the first user.
    What is the best way to implement this at the application or the database level?
    Here are some options we have been bouncing around.
    1. When the first user logs in and accesses the first plan we lock the plan at the app level using a singleton class which has one and only one instance on the app server. The plan_id can be put as an entry into a hashtable which can be in the session and is created if one does not exist. When the 2nd user tries to access the same plan, since the plan_id is still in the hashtable he would be locked out. However we somehow need to time out the first user after 30 minutes or so of inactivity, so that others can access the plan and are not locked out for ever if the first user walks away from his PC or does not close his browser, thus keeping his session alive indefinitely.
    2. In the database in the plan table we add a column for 'locked'. When the first entry is created in the plan table locked column is marked as 'yes' or 1 and when the user closes the browser we use some javascript to trigger an event which changes that 'yes' or 1 to 'no' or 0 thus unlocking the plan. However the big issue we see in this concept is that we will have to put a javascript onUnload method in all jsp pages in the app because the user could be anywhere in the app after starting his plan access after login.
    Conceptually the 2 options are the same but one is done at the app whereas the other is at the database level.
    Is there a better way to handle this scenario using transactions or some other technological option.
    Thanks

    Another solution involving no modification of the database structure:
    As soon as a user wants to access a plan, try to UPDATE the plan record... if it fails, the record was locked by another user before. When the user has finished with the plan, you can COMMIT or ROLLBACK the changes, which will free the lock for other users.
    An advantage of this solution is that if the program crashes unexpectedly, there will automatically be a ROLLBACK.
    Of course, you need a transaction for this... and perhaps more if you want to separate the 'locking transaction' (virtual update just for restricting access) from the 'operating transaction' (in which you will do the DB stuff: inserts, updates, deletes, etc.)
    Hope this helped,
    Regards.
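    As an added example, not part of this thread, here is a lease-based version of the question's option 2 (a lock column on the plan row) that also covers option 1's inactivity timeout. The lock is taken with one conditional UPDATE, so two concurrent requests cannot both succeed, and it carries an expiry so an abandoned browser session frees the plan after 30 minutes without any onUnload JavaScript. The table name plan, the columns locked_by/lock_expires, the user names and the use of an in-memory SQLite database are assumptions made so the demo runs offline; the pattern itself only relies on a single-row UPDATE being atomic, which holds on any SQL database.

```python
import sqlite3
from typing import Dict, Optional

LEASE_SECONDS = 30 * 60  # the 30-minute inactivity timeout proposed in the question


def init_db(conn: sqlite3.Connection) -> None:
    """Constructed schema: a plan table with an assumed lock column pair."""
    conn.execute(
        """CREATE TABLE plan (
               plan_id      INTEGER PRIMARY KEY,
               name         TEXT NOT NULL,
               locked_by    TEXT,
               lock_expires REAL)"""
    )
    conn.executemany(
        "INSERT INTO plan (plan_id, name) VALUES (?, ?)",
        [(1, "Plan A"), (2, "Plan B")],
    )
    conn.commit()


def acquire(conn: sqlite3.Connection, plan_id: int, user: str, now: float,
            lease: float = LEASE_SECONDS) -> bool:
    """Take the plan lock with one conditional UPDATE (a compare-and-set).

    Succeeds only if the row is unlocked, the previous lease has expired, or the
    caller already holds it; rowcount tells us whether the condition held."""
    cur = conn.execute(
        """UPDATE plan
              SET locked_by = ?, lock_expires = ?
            WHERE plan_id = ?
              AND (locked_by IS NULL OR lock_expires < ? OR locked_by = ?)""",
        (user, now + lease, plan_id, now, user),
    )
    conn.commit()
    return cur.rowcount == 1


def renew(conn: sqlite3.Connection, plan_id: int, user: str, now: float,
          lease: float = LEASE_SECONDS) -> bool:
    """Extend the lease on user activity; fails if the lease lapsed and someone else took it."""
    cur = conn.execute(
        """UPDATE plan SET lock_expires = ?
            WHERE plan_id = ? AND locked_by = ? AND lock_expires >= ?""",
        (now + lease, plan_id, user, now),
    )
    conn.commit()
    return cur.rowcount == 1


def release(conn: sqlite3.Connection, plan_id: int, user: str) -> bool:
    """Explicit unlock; only the holder can release."""
    cur = conn.execute(
        "UPDATE plan SET locked_by = NULL, lock_expires = NULL WHERE plan_id = ? AND locked_by = ?",
        (plan_id, user),
    )
    conn.commit()
    return cur.rowcount == 1


def holder(conn: sqlite3.Connection, plan_id: int, now: float) -> Optional[str]:
    """Who currently holds an unexpired lease on the plan, if anyone."""
    row = conn.execute(
        "SELECT locked_by, lock_expires FROM plan WHERE plan_id = ?", (plan_id,)
    ).fetchone()
    if row is None or row[0] is None or row[1] < now:
        return None
    return row[0]


def demo() -> Dict[str, object]:
    """Walk through the two-user scenario from the question with a fake clock."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    t0 = 1_000_000.0
    r: Dict[str, object] = {}
    r["alice_first"] = acquire(conn, 1, "alice", t0)                    # first user gets Plan A
    r["bob_blocked"] = acquire(conn, 1, "bob", t0 + 60)                 # second user locked out
    r["bob_other_plan"] = acquire(conn, 2, "bob", t0 + 60)              # but can use Plan B
    r["alice_renew"] = renew(conn, 1, "alice", t0 + 20 * 60)            # activity extends lease
    r["bob_still_blocked"] = acquire(conn, 1, "bob", t0 + 45 * 60)      # lease now ends at 50 min
    r["bob_after_expiry"] = acquire(conn, 1, "bob", t0 + 51 * 60)       # alice walked away
    r["alice_stale_renew"] = renew(conn, 1, "alice", t0 + 52 * 60)      # alice's lease is gone
    r["holder"] = holder(conn, 1, t0 + 52 * 60)
    r["bob_release"] = release(conn, 1, "bob")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<20} {value}")
```

    Compared with holding an UPDATE open inside a transaction, as the reply suggests, the lease survives stateless web requests and pooled connections; the cost is that the application must call renew on each request and treat a failed renew as "someone else owns this plan now" rather than silently continuing.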

  • Provisoning users from OIM to OID having org other than xellerate users

    Hi,
    When I provision a user belonging to the default Xellerate Users organization in OIM to OID, it is done.
    What changes do I need to make if I want to provision a user in any other organization, say 'MyCompany', to an OID user?
    (It gives a naming exception error when I try doing so.)

    Let me explain what I am trying to achieve.
    I create a user using flat file reconciliation such that the user is created in an organization, say 'XYZ'. Also I've created a group, say XYZmember (membership rule is organization name=XYZ).
    I created an access policy such that whenever a user who is a member of the XYZmember group (meaning the organization name is XYZ) is created in OIM, the user gets provisioned to OID and will be assigned an OID role, say role1.
    Now when I create a user with XYZ as organization, he becomes a member of the XYZmember group.... according to the access policy he should be provisioned as an OID user and assigned role1.
    But it gives a naming exception error.
    I want to know: if I create a user in some org other than Xellerate Users, will it get provisioned to OID? And HOW?

  • Granting Read Only Access to user in another schema

    Oracle Database 10g
    Red Hat Enterprise Linux Server release 5.3
    We are requested by a developer to grant his account read only access to TABLES, VIEWS, INDEXES, SEQUENCES, FUNCTIONS, PROCEDURES, PACKAGES, TRIGGERS, JOBS of another schema.
    I know granting read only access to Tables and Views. But is it possible to grant READ ONLY access to other mentioned objects ? How to do it ?
    And some views are in INVALID status.
    I tried to compile them using alter view owner.viewname compile;
    But got this ---- Warning: View altered with compilation errors.
    Those views are still in INVALID status. And then I tried to use utlrp.sql . Same result.
    Then I used the following
    SELECT TEXT FROM DBA_VIEWS WHERE VIEW_NAME='view-name';
    select REFERENCED_NAME,REFERENCED_TYPE from dba_dependencies where name='view-name';
    It turns out some reference types are non existent.
    Does that mean DBAs cannot do anything about this ?

    Nilton wrote:
    We are requested by a developer to grant his account read only access to TABLES, VIEWS, INDEXES, SEQUENCES, FUNCTIONS, PROCEDURES, PACKAGES, TRIGGERS, JOBS of another schema.
    I know granting read only access to Tables and Views. But is it possible to grant READ ONLY access to other mentioned objects ? How to do it ?
    TABLES -> YES grant SELECT
    VIEWS -> YES grant SELECT
    SEQUENCE -> YES grant SELECT
    INDEXES -> There is no read access for indexes...indexes are put on tables and a user who has read access on tables can read the index as well.
    FUNCTIONS / PROCEDURES / PACKAGES -> I am not sure what you mean by read access on procedures, functions and packages. You may grant EXECUTE privilege on these.
    TRIGGERS -> there is no read access on triggers required. They are implemented on tables for a DML event. If the user has DML access he has the execute access on the trigger as well.
    JOBS -> I am not sure what to read from Jobs.
    And some views are in INVALID status.
    I tried to compile them using alter view owner.viewname compile;
    But got this ---- Warning: View altered with compilation errors.
    Those views are still in INVALID status. And then I tried to use utlrp.sql . Same result.
    Then I used the following
    SELECT TEXT FROM DBA_VIEWS WHERE VIEW_NAME='view-name';
    select REFERENCED_NAME,REFERENCED_TYPE from dba_dependencies where name='view-name';
    It turns out some reference types are non existent.
    Does that mean DBAs cannot do anything about this ?
    There are compilation errors in the views, e.g. the view may be referring to a table which doesn't exist, etc.
    Unless you fix the error in the view you can't compile it and make it valid. Fix the view errors. If objects are non-existent, create them or point the view somewhere else.
    If the nonexistent objects were mistakenly dropped, or the data file which contained those objects was dropped, no matter what the reason for that object being gone, a DBA can bring it back if he is a well prepared DBA and has set up his database for such kinds of disasters.
    Now tell us why those objects are non-existent. Were they meant to be gone? Or were they dropped mistakenly?
    Now here are my guesses:
    If they were meant to be gone then probably the views definitions need to be adjusted not to refer them anymore.
    If they were mistakenly dropped then:
    Do you have them in the recycle bin? (tables only) If YES, just FLASHBACK TABLE <<tablename>> TO BEFORE DROP.
    Does your database have Flashback Database ON? If YES, FLASHBACK DATABASE until 'time/scn just before the object was dropped'.
    Do you have backups and is your database running in ARCHIVELOG mode? If YES, perform an incomplete recovery using RMAN.

  • Integrating LDAP/AD users to access servers console's

    Hello,
    I have to investigate the out of bound capabilities of the following server, actually to integrate the LDAP/AD users to access the console of the servers.
    SUN FIRE T2000
    SUN FIRE V240
    SUN FIRE V440
    SUN FIRE V120
    SUN FIRE V490
    SUN FIRE V480
    SUN FIRE V210
    SUN FIRE 280R
    I can't find the proper documentation on the Oracle site to figure out the OOB capabilities.
    I greatly appreciate your help.
    Thanks,
    Kartheek.

    Hi.
    IMHO these servers don't have this capability.
    Some documentation about OOB of this servers:
    SUN FIRE T2000
    http://download.oracle.com/docs/cd/E19076-01/t2k.srvr/index.html
    http://download.oracle.com/docs/cd/E19076-01/t2k.srvr/819-7991-10/819-7991-10.pdf
    SUN FIRE V120
    http://download.oracle.com/docs/cd/E19088-01/v120.srvr/index.html
    Same system management, 1:
    SUN FIRE V490
    http://download.oracle.com/docs/cd/E19095-01/sfv490.srvr/index.html
    http://download.oracle.com/docs/cd/E19095-01/sfv490.srvr/817-3951-12/817-3951-12.pdf
    SUN FIRE V480
    http://download.oracle.com/docs/cd/E19095-01/sfv480.srvr/index.html
    http://download.oracle.com/docs/cd/E19095-01/sfv480.srvr/816-0904-10/816-0904-10.pdf
    Same system management, 2:
    SUN FIRE V210
    http://download.oracle.com/docs/cd/E19088-01/v210.srvr/index.html
    http://download.oracle.com/docs/cd/E19088-01/v210.srvr/819-2445-11/819-2445-11.pdf
    SUN FIRE V440
    http://download.oracle.com/docs/cd/E19088-01/v440.srvr/index.html
    http://download.oracle.com/docs/cd/E19088-01/v440.srvr/819-2445-11/819-2445-11.pdf
    SUN FIRE V240
    http://download.oracle.com/docs/cd/E19088-01/v240.srvr/index.html
    http://download.oracle.com/docs/cd/E19088-01/v240.srvr/819-2445-11/819-2445-11.pdf
    SUN FIRE 280R
    http://download.oracle.com/docs/cd/E19088-01/280r.srvr/index.html
    http://download.oracle.com/docs/cd/E19088-01/280r.srvr/806-4806-10/806-4806-10.pdf
    Regards
    Edited by: Nik on 18.02.2011 15:12

  • Letting users access other users home directories

    Hello,
    I am currently setting up an xserve at a school and I am running into some problems. I want to let the group teachers be able to access all of the students home directories. I added to the permissions the group teachers for the users folders, but the permissions do not carry through all subfolders. What would be the best way to set up these permissions in tiger server?
    Thanks
    Robert

    Hi
    When sharing a desired folder for automounting networked home directories the default POSIX values are:
    Owner: root/admin R/W (can be either)
    Group: admin Read Only
    Everyone Read Only
    Going beyond this folder you can then view the default attributes for individual folders. These should be:
    Owner: the persons name Read & Write
    Group: admin Read Only
    Everyone: None
    This is as it should be and you should leave these alone. In the situation you describe it makes sense to grant Read/Write access for teachers so that students' work can be marked and/or assessed. In which case you want to preserve the POSIX permissions but use an additional permissions model that allows access without breaking the default permissions.
    10.4 Server allows for this as Access Control Lists (ACLs) are available once you enable them for the volume that has the shared folder for automounting networked home folders on it. WorkGroup Manager > Sharing > General. Select the volume and tick the box that says 'Enable Access Control Lists on this volume'. When you have done this, restart the Server. Enabling/Disabling ACLs on any volume should always be followed by a restart.
    On successful log in launch WorkGroup Manager, select Sharing, select the folder you are interested in and select Access. Below the standard POSIX model there is a window. This window is where you add desired users or groups (or a mix of both) and define what access they have to the selected folder. At the bottom of this window is a small gear wheel. Selecting this will show a small sub-menu where you can propagate permissions as well as view effective permissions. I would suggest you create a year group, add the desired teachers to that year group and then add this year group to each desired year folder. Define your permissions and propagate them. At the end of this you should have the default POSIX permissions for individual student folders still in place and honoured, as well as the overriding permission for teachers.
    Hope this helps, Tony

  • Best Practice - Securing Schema from User Access

    Scenario:
    User A requires access to schema called BLAH.
    User A is a developer that built an application using this schema in a separate development environment, although has the same privileges mirrored to production (same roles etc - required for operation of the application built).
    This means that the User has roles that grant Select, Update etc rights for the schema / table in order to use (and maintain) the applications.
    How can we restrict access to the BLAH schema in PRODUCTION, enforcing it to only be accessible via middle tier / application (proxy authentication?)?
    We've looked at using proxy authentication, however, it's not possible to grant roles and rights to the proxy account and NOT have them granted to the user (so they can dive straight in using development tooling and hit prod etc.).
    We've tried granting it on a session basis using proxy authentication (i.e. user a connects via proxy, an we ENABLE a disabled role on the user based on this connection), however, it causes performance issues.
    Are we tackling this the wrong way? What's the best practice for securing Oracle schemas (and objects in general) for user access where the users actually get an Oracle user account (or even use SSO) for day to day business as usual?
    To me this feels like a common scenario, especially where SSO comes into play ...

    What about situations where we have Legacy Oracle Forms stuff? In these cases the user must be granted select etc rights to particular objects, as this can't connect via a middle tier.
    The problem we have is that our existing middle tier implementation is built expecting the user credentials to be passed to it during initial authentication and does not use a proxy, or super user style account.  We have, historically, been 100% reliant on Oracle rights and controls to validate and restrict access to our underlying data.  From what you are saying, we should start to look at using proxy or super user access and move this control process further up - i.e. into Code or Packages ?  If so, does this mean that there is no specific way to restrict schema access to given proxy accounts and then grant normal user accounts to connect through these to get access (kind of a delegated access scenario), without using disabled roles?
