Making new user & granting select any table privileges

I want to make a new user account that has only select all tables privileges. I am trying this but it is not working, please make a correction...
SQL> create user aaa identified aaabbbccc;
SQL> grant connect, select any table to aaa;
But it's not working... Please forward the right commands...

"When you create new user, it has PUBLIC role privileges"
Peter, what do you mean exactly? The following is an extract from the 10.2 documentation:
When you create a user with the CREATE USER statement, the user's privilege domain is empty. To log on to Oracle Database, a user must have the CREATE SESSION system privilege. Therefore, after creating a user, you should grant the user at least the CREATE SESSION system privilege.

Similar Messages

  • How to avoid a table to be selected by a user with 'select any table' grant

    Hello,
    I want a table to be non selectable for a particular user even if that user has a 'select any table' grant.
    Either the query can return no rows or an error message, it doesn't matter.
    How can I achieve this with a standard database configuration? I mean I am not allowed to use any tool of Oracle like Vault etc.
    thanks in advance...

    Fine-grained access control (aka VPD, more or less) is part of Enterprise Edition. It is not a separate tool. See Oracle Database Editions
    You can read about it here Using Oracle Virtual Private Database to Control Data Access
    The main thing to understand is the predicate-generating function, and all the opportunities there. This example is from a presentation I once gave to a local Oracle users group.
    The policy (not shown) specifies FGAC_PKG.FGAC_PREDICATE_FNC as the predicate-generating function. If the user has role FGAC_DEMO_ALL_COMPANIES_ROLE then his view is not restricted; if his username does not appear in the COMPANY_AUTHORIZATION table he will get an error when querying the protected table; otherwise he will be restricted to see only the companies he is authorized for. So this has some elements that may be useful to you.
    CREATE OR REPLACE PACKAGE BODY FGAC_DEMO_SCHEMA.FGAC_PKG AS
    FUNCTION  FORCE_FGAC_ERROR_FNC (in_object VARCHAR2) RETURN NUMBER IS
        e_not_authorized exception;
        PRAGMA exception_init(e_not_authorized, -20667);
    BEGIN
        RAISE e_not_authorized;
        RETURN (-1);  -- will NEVER get here (have already raised an error)
    EXCEPTION
       WHEN e_not_authorized  then
         RAISE_APPLICATION_ERROR (sqlcode,
                                  sqlerrm||'Access to '|| in_object ||
                                  ' requires access to at least one company, but none have been authorized.' );
    END FORCE_FGAC_ERROR_FNC;
    FUNCTION FGAC_PREDICATE_FNC (in_schema VARCHAR2, in_object VARCHAR2)
       RETURN VARCHAR2
    IS
       out_predicate   VARCHAR2 (400);
       c_filter_predicate constant varchar2(400) :=
          'COMPANY_ID IN (SELECT COMPANY_ID FROM COMPANY_AUTHORIZATION '||
          'WHERE USER_NAME = USER)';
       c_bypass_filtering_role VARCHAR2(30) := 'FGAC_DEMO_ALL_COMPANIES_ROLE';
       v_authorization_count NUMBER;
       c_error_predicate constant varchar2(400) :=
          'FGAC_DEMO_SCHEMA.FGAC_PKG.FORCE_FGAC_ERROR_FNC('''||
               in_schema||'.'||in_object||''') = 0';
    BEGIN
      IF DBMS_SESSION.is_role_enabled (c_bypass_filtering_role) THEN
          out_predicate :=  NULL;
      ELSE
         SELECT COUNT(*) INTO v_authorization_count
            FROM COMPANY_AUTHORIZATION
            WHERE USER_NAME = USER;
         IF  v_authorization_count = 0 then
           out_predicate :=  c_error_predicate;
         ELSE
          out_predicate :=  c_filter_predicate;
        END IF;
      END IF;
      RETURN out_predicate;
    END FGAC_PREDICATE_FNC;
    END FGAC_PKG;
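
The policy registration that the post leaves out, as an added example that is not part of the original post. PROTECTED_TABLE and FGAC_DEMO_POLICY are hypothetical names; the schema, package and function names are taken from the code above. A user with SELECT ANY TABLE is still filtered by the policy unless the account is SYS or holds EXEMPT ACCESS POLICY, which the last query lists.

```sql
-- Added example, not the poster's code.
-- PROTECTED_TABLE and FGAC_DEMO_POLICY are hypothetical placeholders.
-- Run as an account with EXECUTE on DBMS_RLS.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'FGAC_DEMO_SCHEMA',
    object_name     => 'PROTECTED_TABLE',
    policy_name     => 'FGAC_DEMO_POLICY',
    function_schema => 'FGAC_DEMO_SCHEMA',
    policy_function => 'FGAC_PKG.FGAC_PREDICATE_FNC',
    statement_types => 'SELECT',
    -- DYNAMIC re-runs the function for every statement, which this function
    -- needs because its result depends on the roles enabled in the session.
    policy_type     => DBMS_RLS.DYNAMIC);
END;
/

-- Confirm the policy is attached and enabled.
SELECT object_name, policy_name, sel, enable, policy_type
FROM   dba_policies
WHERE  object_owner = 'FGAC_DEMO_SCHEMA';

-- Accounts and roles that bypass every VPD policy. Review this list whenever
-- VPD is the control that is meant to contain SELECT ANY TABLE users.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT ACCESS POLICY'
ORDER  BY grantee;
```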

  • Hide tables to "SELECT ANY TABLE" granted users

    Hi everybody
    Where I work, I need to create a maintenance table with reserved data and we have several users granted with "SELECT ANY TABLE". I would like to hide that table from everyone other than the owner. Is it possible?
    Bye Alessandro

    Are you joking? Do it for yourself but don't give such a suggestion please! Do you imagine what could happen if someone thinks it's right? Keep disastrous ideas for your own please.
    SQL> set hea ON feed ON ver ON
    SQL> ttitle ON
    SQL>
    SQL> drop user eavesdropper cascade;
    Utente eliminato.
    SQL> drop table reserved cascade constraints;
    Tabella eliminata.
    SQL>
    SQL> create table reserved (
      2          username varchar2(30) not null,
      3          password varchar2(30) not null,
      4          constraint reserved_PK primary key (username)
      5  );
    Tabella creata.
    SQL>
    SQL> insert into reserved values ('administrator of the bank','password of the administrator');
    Creata 1 riga.
    SQL> commit;
    Commit completato.
    SQL> select * from reserved;
    Mar Nov 14                                                           pagina    1
                                 select * from reserved
    USERNAME                       PASSWORD
    administrator of the bank      password of the administrator
    Selezionata 1 riga.
    SQL>
    SQL>
    SQL> create user eavesdropper identified by eavesdropper;
    Utente creato.
    SQL> create synonym eavesdropper.reserved for reserved;
    Sinonimo creato.
    SQL> grant resource, connect, select any table to eavesdropper;
    Concessione riuscita.
    SQL> revoke all on reserved from eavesdropper;
    Revoca riuscita.
    SQL> conn eavesdropper/eavesdropper@svi3;
    Connesso.
    SQL> select * from reserved;
    Mar Nov 14                                                           pagina    1
                                 select * from reserved
    USERNAME                       PASSWORD
    administrator of the bank      password of the administrator
    Selezionata 1 riga.
    SQL>
    Message was edited by: alessandro.miami

  • Grant select on table to user

    IN A SCHEMA TEST1 THERE ARE 200 PLUS TABLES AND VIEWS. NOW I WANT TO GRANT SELECT ON TABLES AND VIEWS TO TEST2 USER. HOW CAN I GRANT SELECT ON THOSE TABLES AND VIEWS IN BULK INSTEAD OF GRANTING INDIVIDUALLY?
    Any idea?
    Thankx...
    Sorry for using cap. letters....

    That works providing the grantee doesn't want to be able to build stored procedures or (more likely) views on the granted tables...
    SQL> conn u1/u1
    Connected.
    SQL> create role select_u1
      2  /
    Role created.
    SQL> grant select on t1 to select_u1
      2  /
    Grant succeeded.
    SQL> grant select_u1 to u3
      2  /
    Grant succeeded.
    SQL> conn u3/u3
    Connected.
    SQL> select * from u1.t1
      2  /
          COL1
             1
    SQL> create view my_view as
      2  select * from u1.t1
      3  /
    select * from u1.t1
    ERROR at line 2:
    ORA-01031: insufficient privileges
    SQL>
    As it happens, we know from the OP's other thread that they want a read only user, so perhaps the role will suffice. But they still need to grant selects on 200 objects to the role, so the automation will still come in handy :)
    Cheers, APC
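
One way to automate the grants that the reply above refers to, as an added example that is not part of the original thread. It is run as TEST1 (the schema named in the question) and assumes TEST1 may create roles; TEST1_READ_ROLE is a hypothetical role name. Object names are passed through DBMS_ASSERT.ENQUOTE_NAME so that mixed-case or unusual names are quoted rather than spliced into the statement as-is.

```sql
-- Added example, not code from the thread. Run as TEST1.
-- TEST1_READ_ROLE is a hypothetical role name.
SET SERVEROUTPUT ON

CREATE ROLE test1_read_role;

BEGIN
  FOR obj IN (SELECT table_name AS object_name
              FROM   user_tables
              WHERE  dropped = 'NO'          -- skip recycle-bin entries
              UNION ALL
              SELECT view_name
              FROM   user_views)
  LOOP
    BEGIN
      EXECUTE IMMEDIATE
        'GRANT SELECT ON '
        || DBMS_ASSERT.ENQUOTE_NAME(obj.object_name, FALSE)
        || ' TO test1_read_role';
    EXCEPTION
      WHEN OTHERS THEN
        -- Report and continue, so one object that cannot be granted
        -- does not stop the remaining grants.
        DBMS_OUTPUT.PUT_LINE('skipped ' || obj.object_name || ': ' || SQLERRM);
    END;
  END LOOP;
END;
/

GRANT test1_read_role TO test2;

-- Verify: one row per object that TEST2 can now read through the role.
SELECT table_name, privilege
FROM   user_tab_privs_made
WHERE  grantee = 'TEST1_READ_ROLE'
ORDER  BY table_name;
```

Objects created later are not covered until the block is run again, and, as the SQL*Plus session above shows, TEST2 cannot build views or stored procedures on objects it reaches only through the role.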

  • Unable to revoke "select any table" system priv

    I created a new user and am unable to revoke select any table permissions. It appears that any new Oracle user I create has the select any table permissions. I want to only allow this new user to select from 5 tables and not others. It seems as though there is a global setting on the database to allow select from any table. I can't change that if that's the case but I would like to create this restricted user.
    How can I modify permissions on my new Oracle user to not allow select any table?
    Any help would be appreciated

    My thanks again to all that took the time to post!
    I ran those statements and the select that Aman had posted. The output surprised me and probably will lead to identifying the problem.
    As you can see below, the SELECT ANY TABLE privilege is under session_privs. However, I'm also confused why the "revoke select any table from ITEAMS;" didn't work. Here is the output from the suggestions in your posts.
    SQL> connect iteams
    Enter password:
    Connected.
    SQL> show user
    USER is "ITEAMS"
    SQL> select * from dba_sys_privs where grantee = 'ITEAMS';
    GRANTEE PRIVILEGE ADM
    ITEAMS CREATE SESSION NO
    SQL> select * from session_privs;
    PRIVILEGE
    CREATE SESSION
    UNLIMITED TABLESPACE
    SELECT ANY TABLE
    SQL> connect sys as sysdba
    Enter password:
    Connected.
    SQL> show user
    USER is "SYS"
    SQL> revoke select any table from ITEAMS;
    revoke select any table from ITEAMS
    ERROR at line 1:
    ORA-01952: system privileges not granted to 'ITEAMS'
    SQL> select * from user_tab_privs_made where grantee='ITEAMS';
    no rows selected
    So if the SELECT ANY TABLE is within the session_privs as seen above, how can I revoke that priv?

  • Dynamic SQL and GRANT CREATE ANY TABLE

    Hi gurus,
    I have a dynamic SQL in a procedure where a table will be created from an existing table without data.
    strSQL:='create table ' || strTemp || ' as select * from ' || strArc || ' where 1=2';
    execute immediate strSQL;
    Without GRANT CREATE ANY TABLE for the user, I get an *"ORA-01031: insufficient privileges"* error during execution.
    Is there a way to tackle this issue without providing the GRANT CREATE ANY TABLE privilege?
    many thanks,
    Charles

    ravikumar.sv wrote:
    The problem is not because of dynamic sql...

    It probably has something to do with dynamic SQL or, more accurately, dynamic SQL within a stored procedure.
    From a SQL*Plus command prompt, you can create a table if your account has the CREATE TABLE privilege either granted directly to it or granted to a role that has been granted to your account. Most people probably have the CREATE TABLE privilege through a role (hopefully a custom "developer role" that has whatever privileges you grant to users that will own objects but potentially through the default RESOURCE role). That is not sufficient to create tables dynamically via a definer's rights stored procedure. Only privileges that are granted directly to the user, not those granted via a role, are visible in that case.
    I expect that the DBAs are granting the CREATE ANY TABLE privilege directly to the account in question rather than through whatever role(s) are being used which is why that appears to solve the problem.
    Justin
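
The situation described in the reply above, as an added example that is not part of the original thread: a definer's-rights procedure whose owner holds CREATE TABLE by direct grant, so CREATE ANY TABLE is not needed. APP_OWNER, the procedure name and its parameters are hypothetical. DBMS_ASSERT is added here so the two names concatenated into the DDL are accepted only as identifiers.

```sql
-- Added example, not code from the thread. APP_OWNER, CLONE_STRUCTURE and
-- the parameter names are hypothetical.

-- As a DBA: grant the privilege directly to the procedure owner. A grant
-- made only through a role is not visible inside a definer's-rights procedure.
GRANT CREATE TABLE TO app_owner;
-- The owner also needs quota on its default tablespace to create the table.

CREATE OR REPLACE PROCEDURE app_owner.clone_structure (
  p_new_table IN VARCHAR2,
  p_source    IN VARCHAR2)
AUTHID DEFINER
IS
  v_sql VARCHAR2(400);
BEGIN
  -- SIMPLE_SQL_NAME raises an error unless the value is a plain identifier;
  -- SQL_OBJECT_NAME raises an error unless the value names an existing object.
  v_sql := 'create table ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_new_table)
        || ' as select * from ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_source)
        || ' where 1=2';
  EXECUTE IMMEDIATE v_sql;
END clone_structure;
/

-- Check how the owner holds the privilege: a row here is a direct grant.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'APP_OWNER'
AND    privilege IN ('CREATE TABLE', 'CREATE ANY TABLE');

-- To reproduce the procedure's view of privileges from SQL*Plus, connect as
-- the owner and disable roles before running the statement by hand:
--   SET ROLE NONE;
```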

  • Query to find who has select any table privs?

    Hi.
    Who has select any table privilege?
    I can find this for a specific table, but I need to query it database wide.
    Is it object_privs? I am not sure which view.
    Thanks
    10.2.0.4
    Linux 4

    Hello,
    Select any privilege is a system privilege.
    You can use the following query for finding who all has the select any table:
    select GRANTEE,privilege from sys.dba_sys_privs where privilege='SELECT ANY TABLE';
    Anil Malkai
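
An audit query that extends the one above to privileges inherited through roles, as an added example that is not part of either thread. It also applies to the "Unable to revoke" thread earlier on this page: SESSION_PRIVS lists everything in effect for the session, while DBA_SYS_PRIVS filtered on a username shows only direct grants, so a privilege reaching a user through a role or through PUBLIC appears in the first and not in the second.

```sql
-- Added example, not code from the thread. Run as an account that can read
-- the DBA_* views. CONNECT BY NOCYCLE is available from 10g onward.
WITH holders AS (
  -- Grantees (users, roles or PUBLIC) holding the privilege directly.
  SELECT grantee, 'direct grant' AS granted_via
  FROM   dba_sys_privs
  WHERE  privilege = 'SELECT ANY TABLE'
  UNION ALL
  -- Grantees that inherit it: start from each role that holds the privilege
  -- and walk outward to whoever that role was granted to, at any depth.
  SELECT grantee, 'via role chain' || role_path
  FROM  (SELECT rp.grantee,
                SYS_CONNECT_BY_PATH(rp.granted_role, ' > ') AS role_path
         FROM   dba_role_privs rp
         START WITH rp.granted_role IN
                    (SELECT grantee
                     FROM   dba_sys_privs
                     WHERE  privilege = 'SELECT ANY TABLE')
         CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role)
)
SELECT h.grantee,
       CASE WHEN h.grantee = 'PUBLIC'   THEN 'PUBLIC (all users)'
            WHEN u.username IS NOT NULL THEN 'user'
            ELSE 'role'
       END AS grantee_type,
       h.granted_via
FROM   holders h
       LEFT JOIN dba_users u ON u.username = h.grantee
ORDER  BY grantee_type, h.grantee;

-- REVOKE has to name the grantee that actually holds the grant, as reported
-- in the first row of a chain. Revoking from an account that only inherits
-- the privilege raises ORA-01952, as in the session shown earlier.
--   REVOKE SELECT ANY TABLE FROM <grantee reported above>;
```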

  • New User Database schema and table name

    When I create a new user in Oracle Webcenter Spaces 11g, I am not able to get the name of the database schema and table where it is stored. Any insight on this will be very helpful.

    WebCenter (and WebCenter spaces) uses an 'identity store' instead of database schema for storing user information - in an 'out of the box' installation, users are maintained through an embedded WebLogic LDAP store.
    See the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter, p. 34-2.
    At the end of section 34.4.1:
    WebCenter Spaces supports self-registration. When new WebCenter users
    self-register, they create their own login and password and a new user account is
    created in the identity store. See also, Section 34.4, "Allowing Self-Registration".

  • Granting SELECT on Tables

    Friends
    What'd be the simplest way to give an user access to SELECT a table but excluding from it one specific column?
    Tks!

    Hello KeenOnOracle
    Yes.
    And it is recommended that you do not use the star-operator for creating views.
    Because it is possible to create a view with this "CREATE VIEW view_name AS SELECT * FROM table_name;" -> But it is only in special cases recommended... (Architecture-View)
    But because you have to exclude a column so in your case it is no problem. You have to list up your columns in the create command so if you change the structure of the table you have to change your view definition too.

  • 10.6 server on w2k AD domain, trouble making new user home folders

    I recently started working at a public school which has over 800 Macs, both Intel and PPC, laptops and desktops. There are also 300 Windows machines as well. My job is to create the new user accounts for the students and staff as well as perform routine maintenance on the computers/servers. There are 3 Xserves (Intel) running 10.6.8 and 3 Windows boxes running 2000 Server. (I know that's old but it was top of the line when the building was built in 2002.) The Windows machines perform the user authentication via Active Directory and the Xserves house the home folders stored on an Xserve RAID. The problem I am having is that I cannot create the new home folders for the incoming students on the Xserve. The accounts are created in AD with no problems, and everything points to where it should be. However, when I try to manually create them (either by createhomedir in Terminal, or by a script one of the previous system admins made) nothing happens. Both Active Directory and Open Directory are up and running and all the servers seem to be talking to each other. On a side note, if I deleted an existing home folder and then ran the terminal command, it creates it perfectly. In one last attempt I re-bound all the Mac servers to the AD and now it won't even let me re-create an existing home folder. Anyone have any thoughts or ideas? I have about a month left to get this fixed and all the computers imaged with the new config. I'd rather not have to rebuild the AD domain but if it comes down to it, I may not have any choice.

    Sorry I haven't posted back sooner. I tried Server Cleanup and it did seem to fix other minor issues with the server, and it mapped the correct path to the user home folders. But it won't let me fix the permissions. When a student logs in to a client machine their home folder window opens up and all the folders are there but it won't let you open them, stating that "you do not have the correct permissions". I ran fix permissions in Server Cleanup a few times, but it didn't fix the situation. Also, I noticed that when I tell SC to look at the Active Directory domain, I get an error window and it stops loading users after the C's (alphabetical by last name). Could this be because the AD domain is Windows 2000 Server? I just got 2 Win2003 Server machines freed up that I could migrate the AD domain to. That might fix some issues.

  • Sharpener Pro 3 has problems in Aperture as the Pre sharpener continually asks one to buy or activate and the Output Sharpener causes Aperture to hang. Have removed all duplicate fonts and tried using a new user account. Any ideas?

    I am experiencing problems with Sharpener Pro 3 as an Aperture 3 plug-in. These are:  the Pre sharpener continually asks one to buy or activate and the Output Sharpener causes Aperture to hang. Following discussions with Nik Software I have removed all duplicate fonts and tried using a new user account. Neither of the courses of action worked. Have other users experienced these difficulties? Can you suggest an alternative remedy?


  • Error When trying to add new user field to OCHH table

    Hi
    Can you please check the following code? I am getting an error "Ref count for this object is higher than 0"
    Dim RetVal, ErrCode As Integer
            Dim ErrMsg As String
            Dim oUserFieldsMD As SAPbobsCOM.UserFieldsMD
            oUserFieldsMD = oCompany.GetBusinessObject(SAPbobsCOM.BoObjectTypes.oUserFields)
            ' Adding "BPCode" field
            '// Setting the Field's properties
            oUserFieldsMD.TableName = "OCHH"
            oUserFieldsMD.Name = "OBJ"
            oUserFieldsMD.Description = "OB Code"
            oUserFieldsMD.Type = SAPbobsCOM.BoFieldTypes.db_Alpha
            oUserFieldsMD.EditSize = 2
            '// Adding the Field to the Table
            RetVal = oUserFieldsMD.Add
            '// Check for errors
            If RetVal <> 0 Then
                oCompany.GetLastError(RetVal, ErrMsg)
                MsgBox(ErrMsg)
            Else
                'chkUDOAfter.SetItemChecked(1, True)
                MsgBox("Field: '" & oUserFieldsMD.Name & "' was added successfuly to " & oUserFieldsMD.TableName & " Table")
            End If
    Thanks
    George

    Hi Denilo
    Your suggestion did not solve the problem. I want to add that the code works fine with user-tables but not when I try with OCHH
    Thanks
    George
    After a lot of search
    GC.select
    Did the job
    Thanks again
    Regards
    George
    Edited by: George Pachakis on Sep 7, 2009 6:51 PM
    Edited by: George Pachakis on Sep 7, 2009 6:54 PM

  • New User - Cannot select drum kit loops

    Hi,
    I am trying out GarageBand for the first time and having a lot of fun.
    However I was following one of the Apple tutorials where I clicked on song writing and had a basic drum track. The tutorial said if you don't like the drum track you can delete it and then use the Loop browser to select different drum kits.
    However when I click on the Loop browser I can't click on the drum kit icons to then select a drum loop - they are all ghosted out - like as if they are not installed on my system.
    Yet the basic drum loop played fine - so it must be there somewhere.
    Do I have to install these loops somehow like I had to install the instruments? (The system told me I needed to install some things online - but I've not seen anything regarding loops)
    Help !!!
    Thanks

    In case anyone had the same problems as me - I had to use the Applications disc that came with my laptop to re-install Garageband from the DVD.
    Just take care using it - make sure you backup your system just in case (always a good idea) - insert the disc and follow the instructions. Make sure you take all the tick boxes out of the other applications so that you only install Garageband.
    Then let it install and when the computer restarts there are all the loops in their glory.
    It's a shame that Garageband lets you download the loops online because that is a complete waste of time as even after downloading 1.2 gigs worth of data Garageband ignores the loops even though they are there on your system. The only way to get the loops to work is by installing off the DVD that came with your computer.
    Hope this helps other users.
    Cheers
    Phil

  • Deleting and making new user profiles

    How to manage user profiles.. Create and delete

    http://support.apple.com/kb/PH11468 - Creating/Adding a user
    http://support.apple.com/kb/PH6596 - Deleting a user
    The user removal link is for Snow Leopard but the process is virtually identical, just couldn't find my Mt. Lion KBase link.

  • Grant privileges  to new user + few tables

    Hi all. How can I give my new user all privileges for inserting deleting records in some tables...
    CREATE USER user1 IDENTIFIED BY user1

    "May be it will be better to make nobody the owner of the tables?"
    It's definitely a good idea to make somebody else the owner of the table rather than SYSTEM... you shouldn't really be putting your own objects in the SYSTEM schema anyway if you can help it.
    Whether NOBODY is the best schema to use depends on what you want the table for. If this is just a test system you are playing about with then it doesn't really matter... but if you are trying to put together a proper development/test system with a plan to move into a production environment then think through what you want (and whether NOBODY is the best name for your application schema).
    Saying that, if this is just a database you are 'playing' with to learn some Oracle then you might want to look at granting system privileges rather than object privileges.
    GRANT SELECT ANY TABLE TO ALEX;
    Will let ALEX select from any table (other than the data dictionary).
    Again, though, a word of caution - if you intend to put this into a 'real' system (rather than just one you are learning on) then think it through and only grant what you need. If you go for the 'easy' system privilege now you'll find you'll always be stuck with it because you'll never be 100% certain that you can revoke it without affecting your application.
