Oracle grant schema level security

I have several schemas for different applications in the same database.
Each time an object is created, access to it is granted to the appropriate role.
I don't like using the SELECT ANY TABLE privilege.
I would love to see a GRANT SELECT ON SCHEMA XXXX TO ZZZZZ;
This would be almost like the SQL SERVER (YUK) DB_DATAREADER privilege.
I have not seen anything to indicate Oracle 11g has this support.

Are you just complaining or asking a question?
You can use something like:
create or replace trigger do_grant
after CREATE on schema
declare
    l_str varchar2(255);
    l_job number;
begin
    if ( ora_dict_obj_type = 'TABLE' )
    then
        l_str := 'execute immediate "grant select on ' ||
                                     ora_dict_obj_name ||
                                    ' to scott";';
        dbms_job.submit( l_job, replace(l_str,'"','''') );
    end if;
end;
/
as posted here in AskTom:
http://asktom.oracle.com/pls/asktom/f?p=100:11:4434422967201937::::P11_QUESTION_ID:646423863863

Similar Messages

  • Grant schema-level privileges to an Oracle user

    Hi Experts,
    Do we have an easy way to grant all objects to a user (select only) in one schema?
    Thanks for help!
    Jim

    Thanks for help.
    Actually, this is a group user account, as:
    CREATE USER user
    IDENTIFIED BY appuser
    DEFAULT TABLESPACE users
    QUOTA 10M ON example
    TEMPORARY TABLESPACE temp
    QUOTA 5M ON system
    PROFILE scapp_user
    Do you need to assign a quota and profile?
    Also, I was told this account needs to access all data in the database. Should this account be granted the right to run views and procedures?
    Do I need to go to all_objects to find them?
    Thanks for your suggestions in detail.
    Jim
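The original question and this thread ask for the same thing: a "GRANT SELECT ON SCHEMA" equivalent. The AskTom trigger above only covers objects created after it is installed; the following is an added example (not code from either thread) for the objects that already exist. It grants to a role rather than a user, validates the names with DBMS_ASSERT before building DDL, and ends with a query that lists anything still missing. Schema APPOWNER and role APP_READER are placeholder names; run it as a DBA.

```sql
SET SERVEROUTPUT ON

-- A role, not a user, so readers can be added or removed without re-granting.
CREATE ROLE app_reader;

DECLARE
    c_owner   CONSTANT VARCHAR2(128) := 'APPOWNER';   -- placeholder schema
    c_grantee CONSTANT VARCHAR2(128) := 'APP_READER'; -- placeholder role
    l_owner   VARCHAR2(128);
    l_stmt    VARCHAR2(4000);
    l_done    PLS_INTEGER := 0;
    l_failed  PLS_INTEGER := 0;
BEGIN
    -- SCHEMA_NAME raises ORA-44001 if the schema does not exist; ENQUOTE_NAME
    -- returns a double-quoted identifier and raises ORA-44003 on an embedded
    -- quote, so a bad value is rejected instead of spliced into the DDL.
    l_owner := DBMS_ASSERT.SCHEMA_NAME(c_owner);

    FOR r IN (SELECT object_name
              FROM   dba_objects
              WHERE  owner = l_owner
              AND    object_type IN ('TABLE', 'VIEW')
              AND    object_name NOT LIKE 'BIN$%')   -- skip recycle-bin entries
    LOOP
        l_stmt := 'GRANT SELECT ON '
               || DBMS_ASSERT.ENQUOTE_NAME(l_owner, FALSE) || '.'
               || DBMS_ASSERT.ENQUOTE_NAME(r.object_name, FALSE)
               || ' TO ' || DBMS_ASSERT.ENQUOTE_NAME(c_grantee, FALSE);
        BEGIN
            EXECUTE IMMEDIATE l_stmt;
            l_done := l_done + 1;
        EXCEPTION
            WHEN OTHERS THEN
                -- e.g. IOT overflow segments cannot be granted on; report, continue
                l_failed := l_failed + 1;
                DBMS_OUTPUT.PUT_LINE('skipped ' || r.object_name || ': ' || SQLERRM);
        END;
    END LOOP;
    DBMS_OUTPUT.PUT_LINE('granted: ' || l_done || ', skipped: ' || l_failed);
END;
/

-- Verification: any table or view of the schema without SELECT for the role.
-- An empty result means the schema-wide grant is complete.
SELECT o.object_name, o.object_type
FROM   dba_objects o
WHERE  o.owner = 'APPOWNER'
AND    o.object_type IN ('TABLE', 'VIEW')
AND    o.object_name NOT LIKE 'BIN$%'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_tab_privs p
                   WHERE  p.owner      = o.owner
                   AND    p.table_name = o.object_name
                   AND    p.grantee    = 'APP_READER'
                   AND    p.privilege  = 'SELECT');
```

Afterwards, GRANT app_reader TO the reporting users; the DDL trigger from the original answer can grant to the same role for new tables.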

  • How to add new tables in Streams for Schema level replication ( 10.2.0.3 )

    Hi,
    I am in the process of setting up Oracle Streams schema-level replication on version 10.2.0.3. I am able to set up replication for one table properly. Now I want to add 10 more new tables for schema-level replication. A few questions regarding this:
    1. If I create new tables in the source, do I have to create the tables in the target database manually, or do I have to do an export with STREAMS_INSTANTIATION=Y?
    2. Can you tell me metalink note id to read more on this topic ?
    thanks & regards
    parag

    The same capture and apply process can be used to replicate other tables. The following steps should suffice for your need:
    Say table NEW is the new table to be added with owner SANTU
    downstr_cap is the capture process which is already running
    downstr_apply is the apply process which is already there
    1. Now stop the apply process
    2. Stop the capture process
    3. Add the new table to the capture process using a +ve rule
    BEGIN
      DBMS_STREAMS_ADM.ADD_TABLE_RULES(
        table_name      => 'SANTU.NEW',
        streams_type    => 'capture',
        streams_name    => 'downstr_cap',
        queue_name      => 'strmadmin.DOWNSTREAM_Q',
        include_dml     => TRUE,
        include_ddl     => TRUE,
        source_database => '<name of the source database>',
        inclusion_rule  => TRUE);
    END;
    /
    4. Take an export of the new table with the "OBJECT_CONSISTENT=Y" option
    5. Import the table at the destination with the "STREAMS_INSTANTIATION=Y" option
    6. Start the apply process
    7. Start the capture process

  • How to check the row level security in TOAD for oracle

    Hi ,
    For example, I have 2 types of users:
    normal user and super user.
    The super user can see the group set (some column name) created by the normal user,
    but the normal user cannot see the set created by the super user.
    This set creation also has 3 types: 'U', 'P', 'S'.
    P & S can be viewed even by the normal user,
    but U should not be.
    So here we are having some row level security for the normal user.....
    So, in TOAD for Oracle, how do I check that......
    Let me know if I'm not clear.

    Like:
    I'm the super user....
    And some records are inserted into a table by different users ('a', 'b', etc....)
    So, if user 'a' logs in, then he can only see the records inserted by 'a'...
    How do I see in TOAD where such scripts (filter conditions) are written.....

  • Data level Security with Oracle Apps as Source

    Hi all
    I am implementing Data level Security with Apps as Source (OLTP) on Single Sign On. (Oracle has provided the vanilla rpd & we are working on that.)
    I need to filter data based on Business Group. Users are created in Apps and they are registered with some Responsibilities.
    (For example, OBI User CHINA is a Responsibility; now he will get only the Business Group ID for China.)
    I have created Groups in the rpd with the same name as the responsibility in Apps.
    I have created Initialization Blocks from which I'm getting only 1 business group ID for every :USER. (I tried the code in TOAD & I'm getting the correct BG ID.)
    I have created a Group in WEB with the same name as the Group name in the rpd.
    If I say show all Users and Groups in WEB, I'm getting the APPS Users.
    I have reloaded the server metadata files and restarted the BI Server/WEB Server also...
    But in the Report, I'm getting all the Business Group Ids.
    Please advise if I'm doing something wrong.
    ThanQ
    Anand

    You need to be creating your "business groups" as a group in the RPD, init blocks to retrieve the user business group at login. Filters in the Logical table sources to restrict data to relevant business groups only.
    Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
    I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box.

  • Column Level Security Using VPD under oracle 11g

    Hi
    I am using an example from Oracle Database 10g: Advanced Security -- Virtual Private Databases.
    1. The Application Context -- that sets the session environment for the user is ok.
    2. The Logon Trigger that executes the above is ok. It has been tested.
    3. The Security Policy that returns a predicate after checking the output of the Application Context is ok.
    4. The security policy applied to the STOCK_TRX table is ok.
    5. Select and Insert from the database work.
    However, after dropping both the insert and select policy, I am having problems getting a select policy to work with column-level VPD. I get ORA-28104 -- input value for statement type is not valid and ORA-06512 at SYS.DBMS_RLS line 20. See the code below:
    begin
    DBMS_RLS.ADD_POLICY
    ('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY', 'PRACTICE', 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY', 'PRICE');
    end;
    Note:
    PRICE is the sec_relevant_cols
    STOCK_TRX is the table
    Can you please help.
    Thx

    The syntax for row-level security is not the same as for column-level security. All the parameters to the DBMS_RLS.ADD_POLICY() function should be preceded by the type of the parameter, for:
    begin
    DBMS_RLS.ADD_POLICY(object_schema => 'PRACTICE', ... sec_relevant_cols => 'PRICE');
    end;
    I did not know this before. I thought they were there in the example for explanatory reasons. I decided to answer the question for myself because I know others have the same interpretation.
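The reason the positional call fails is worth spelling out: the sixth parameter of DBMS_RLS.ADD_POLICY is statement_types, so 'PRICE' landed there and triggered ORA-28104; sec_relevant_cols comes later in the parameter list and has to be named. Below is an added example (not code from this thread) of the same policy written with named parameters, followed by the catalog queries that confirm what was registered. The schema, table and policy function names are the ones from the question.

```sql
-- Column-level VPD on PRACTICE.STOCK_TRX: the policy predicate is applied
-- only when a SELECT references the PRICE column. Names are from the thread.
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema         => 'PRACTICE',
        object_name           => 'STOCK_TRX',
        policy_name           => 'STOCK_TRX_SELECT_POLICY',
        function_schema       => 'PRACTICE',
        policy_function       => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
        statement_types       => 'SELECT',          -- what a positional call put 'PRICE' into
        sec_relevant_cols     => 'PRICE',
        -- ALL_ROWS = column masking: every row is returned, but PRICE reads
        -- as NULL where the predicate is false. Leave this parameter out to
        -- hide the whole row instead (column-level filtering). Masking is
        -- only valid with statement_types => 'SELECT'.
        sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS
    );
END;
/

-- Confirm the policy, the statement types it covers, and the column it guards.
-- Expect SEL = 'YES', ENABLE = 'YES', SEC_REL_COLUMN = 'PRICE',
-- COLUMN_OPTION = 'ALL_ROWS' for the call above.
SELECT p.policy_name, p.sel, p.ins, p.upd, p.del, p.enable,
       c.sec_rel_column, c.column_option
FROM   dba_policies p
JOIN   dba_sec_relevant_cols c
       ON  c.object_owner = p.object_owner
       AND c.object_name  = p.object_name
       AND c.policy_name  = p.policy_name
WHERE  p.object_owner = 'PRACTICE'
AND    p.object_name  = 'STOCK_TRX';
```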

  • Oracle Virtual Private Database (VPD), Column Level Security

    Hello,
    About Oracle Virtual Private Database (VPD), is it possible to set a Column Level Security without setting a Row Level Security (without using any predicate)?
    Thanks,
    Herve.

    Thanks, Zoran.
    A colleague shared with me a link containing a function without returning a predicate (in using SYS_CONTEXT function to skip row restriction).
    Herve.
    Link

  • Oracle Unix 9 - slow granting Schema object to User

    I have a problem. I can't figure out why granting schema objects to users takes a longer time. Here is my code:
    DECLARE
      alert_button NUMBER;
      CURSOR Teller_Cur IS SELECT * FROM TELLER_M;
    BEGIN
      alert_button := Show_Alert('AlertOK');
      IF alert_button = ALERT_BUTTON1 THEN
        FOR Teller_Rec IN Teller_Cur LOOP
          Message('Setting table access for ' || Teller_Rec.Teller_ID || ' in progress, please wait....', No_acknowledge);
          IF :DTABLE IS NOT NULL THEN
            -- Granting Schema object to new User
            IF SUBSTR(:DTABLE, 1, 4) = 'TEMP' THEN
              Forms_DDL('GRANT SELECT, INSERT, UPDATE, DELETE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
            ELSE
              IF Teller_Rec.SELECT_ACCESS = 'Y' THEN
                Forms_DDL('GRANT SELECT ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
              END IF;
              IF Teller_Rec.INSERT_ACCESS = 'Y' THEN
                Forms_DDL('GRANT INSERT ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
              END IF;
              IF Teller_Rec.UPDATE_ACCESS = 'Y' THEN
                Forms_DDL('GRANT UPDATE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
              END IF;
              IF Teller_Rec.DELETE_ACCESS = 'Y' THEN
                Forms_DDL('GRANT DELETE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
              END IF;
            END IF;
            -- Creating Synonyms in new User schema
            Forms_DDL('CREATE SYNONYM ' || Teller_Rec.Teller_Id || '.' || :DTABLE || ' FOR ' || :DTABLE);
          ELSE
            -- for stored procedure:
            Forms_DDL('CREATE SYNONYM ' || Teller_Rec.Teller_Id || '.' || :DSTOREDP || ' FOR ' || :DSTOREDP);
            Forms_DDL('GRANT EXECUTE ON ' || :DSTOREDP || ' TO ' || Teller_Rec.Teller_Id);
          END IF;
        END LOOP;
        Message('Setting table access completed!!!', No_acknowledge);
      END IF;
    END;
    If I use Oracle 8.1.7 locally, it doesn't take more than 5 minutes to grant access. But with Oracle 9.0.1 (through the network) it is taking more than 20 minutes.
    If anyone knows, please help me.
    Thank you.

    The problem is not the difference between the database versions, I think; it's the location of the server.
    Take a look at how much network traffic one call of forms_ddl causes. You have this traffic for each call of forms_ddl. On the local server this might not be much of a problem, but with the network in between it is much slower...
    Try to bundle up your statements or, even better, put the whole thing in a database procedure to do it via one call. I sped up creating grants and synonyms from 10 minutes via forms_ddl to 3 minutes using a database procedure.
    The only limitation is that your messages won't display for each user.
    regards
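As an added example (not the poster's or the answerer's code), here is the same loop moved into one database procedure, so the form makes a single call instead of one Forms_DDL round trip per statement. TELLER_M and its access flag columns come from the question; the parameters p_table and p_proc stand in for the :DTABLE and :DSTOREDP form items. The identifiers are passed through DBMS_ASSERT before they are concatenated into DDL.

```sql
CREATE OR REPLACE PROCEDURE set_teller_access (
    p_table IN VARCHAR2 DEFAULT NULL,   -- table to expose, or
    p_proc  IN VARCHAR2 DEFAULT NULL    -- stored procedure to expose
)
IS
    -- Definer's rights: roles are disabled here, so the procedure owner needs
    -- CREATE ANY SYNONYM granted directly to create synonyms in other schemas.
    l_obj   VARCHAR2(130);
    l_who   VARCHAR2(130);
    l_privs VARCHAR2(100);

    PROCEDURE ddl(p_stmt IN VARCHAR2) IS
    BEGIN
        EXECUTE IMMEDIATE p_stmt;
    END;
BEGIN
    FOR t IN (SELECT teller_id, select_access, insert_access,
                     update_access, delete_access
              FROM   teller_m)
    LOOP
        -- ENQUOTE_NAME upper-cases and double-quotes the identifier and raises
        -- ORA-44003 on an embedded quote, so the value cannot alter the DDL.
        l_who := DBMS_ASSERT.ENQUOTE_NAME(t.teller_id);

        IF p_table IS NOT NULL THEN
            l_obj := DBMS_ASSERT.ENQUOTE_NAME(p_table);
            IF SUBSTR(UPPER(p_table), 1, 4) = 'TEMP' THEN
                l_privs := 'SELECT, INSERT, UPDATE, DELETE';
            ELSE
                -- one GRANT with the privilege list built from the flags
                l_privs := RTRIM(
                    CASE WHEN t.select_access = 'Y' THEN 'SELECT, ' END ||
                    CASE WHEN t.insert_access = 'Y' THEN 'INSERT, ' END ||
                    CASE WHEN t.update_access = 'Y' THEN 'UPDATE, ' END ||
                    CASE WHEN t.delete_access = 'Y' THEN 'DELETE, ' END, ', ');
            END IF;
            IF l_privs IS NOT NULL THEN
                ddl('GRANT ' || l_privs || ' ON ' || l_obj || ' TO ' || l_who);
            END IF;
            ddl('CREATE SYNONYM ' || l_who || '.' || l_obj || ' FOR ' || l_obj);
        ELSIF p_proc IS NOT NULL THEN
            l_obj := DBMS_ASSERT.ENQUOTE_NAME(p_proc);
            ddl('CREATE SYNONYM ' || l_who || '.' || l_obj || ' FOR ' || l_obj);
            ddl('GRANT EXECUTE ON ' || l_obj || ' TO ' || l_who);
        END IF;
    END LOOP;
END set_teller_access;
/

-- What the form now calls, once, in place of the Forms_DDL loop:
BEGIN
    set_teller_access(p_table => 'TEMP_TXN');   -- constructed sample table name
END;
/
```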

  • Data level Security for Oracle Apps as Source

    Hi all
    I need to implement Data level Security on Apps Users in OBIA.
    We are using Apps as source with Single Sign On. I need to apply Data level security on the Business Group field.
    We don't have users in OBI; we need to register Apps users in OBI.
    Could anybody tell me how to register Apps users in OBI???
    Or tell me if you know some other way to implement Data Level Security on Single Sign On with Apps as source.
    Thanks in advance
    V P

    You need to be creating your "business groups" as a group in the RPD, init blocks to retrieve the user business group at login. Filters in the Logical table sources to restrict data to relevant business groups only.
    Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
    I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box.

  • How to query Cell level Security in 11g AW

    Are there any views/tables that we might be able to use to query the Security settings in 11g AW?
    In AWM 11g we have the ability to grant users/groups security at a cell level, with this functionality there is no need for us to maintain the PERMIT_WRITE program to manage Write access to users. I could not find any document that states how we can manage/view the security outside the AWM tool.

    For Oracle 11.1, there is a dba-level view called
    DBA_XDS_INSTANCE_SETS which provides the data security definitions
    for both rdbms table-based and olap dimension/cube-based data security
    documents. The actual definition of data security is stored in the XML DB
    repository under the XDB schema.
    SQL> desc dba_xds_instance_sets
     Name              Type
     ----------------  --------------
     SCHEMA_NAME       VARCHAR2(30)
     OBJECT_NAME       VARCHAR2(30)
     INSTANCE_SET      VARCHAR2(30)
     DESCRIPTION       VARCHAR2(4000)
     STATIC            VARCHAR2(5)
     EVAL_RULE         VARCHAR2(4000)
     ACLIDS            SYS.XMLTYPE
    There is no way to actually manage the data security documents outside of
    AWM for 11.1 in terms of creating/editing/deleting the data security documents,
    at least none that is documented.
    Here is an example of what the DBA_XDS_INSTANCE_SETS view returns:
    SQL> select * from dba_xds_instance_sets;

    SCHEMA_NAME  OBJECT_NAME  INSTANCE_SET    DESCRIPTION  STATIC  EVAL_RULE
    -----------  -----------  --------------  -----------  ------  ---------
    GLOBAL       TIME         DEFAULT_POLICY               false   1 = 1
    ACLIDS: <aclids xmlns="http://xmlns.oracle.com/xs"><aclid>4C96964E68CC309FE040578C550414E2</aclid></aclids>

    GLOBAL       TIME         policy1                      false   GLOBAL."TIME".DIM_KEY IN ('186', '176', '133', '134', '135', '177', '136', '137', '138')
    ACLIDS: <aclids xmlns="http://xmlns.oracle.com/xs"><aclid>4C96964E68CF309FE040578C550414E2</aclid></aclids>
    Have you created data security in AWM on dimensions/cubes in 11.1?
    Any feedback about your experiences with AWM around data security would
    be welcome.

  • Row level security in BI Publisher

    Hi All ,
    I am using BI Publisher for reporting on a Siebel system. The issue I am facing is regarding row level security. Even if I am logging in with an Employee Id, when I generate a report, I have access to all the information of the other employees.
    e.g. If as a cashier I made some entry, when I generate a report on collections made by me, it brings me all the collections made by other cashiers also.
    I am generating these reports from the Siebel side. I am not sure if we can apply row-level security to BI Publisher.
    Has anyone used Siebel or EBS with BI Publisher and had row level security? I am also not sure how to see the reports by logging into BI Publisher. If I am using Siebel or EBS, what is going to be my Data Model or Data Set?
    Can anyone help me on this?
    Thanks!!

    Oracle HRMS has its own security built-in to the schemas. Other modules you will need to customize for your own use.

  • Row-level security problem using VPD

    Hi all,
    I've implemented row-level security for my application using the following procedure:
    1) Created a procedure for setting the context for the application:
    PROCEDURE set_empno
    IS
      emp_id NUMBER;
    BEGIN
      BEGIN
        SELECT empno
        INTO   emp_id
        FROM   SCOTT.EMP
        WHERE  upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
        DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
      EXCEPTION
        WHEN OTHERS THEN emp_id := 0;
      END;
    END;
    2) Created the application context:
    CREATE CONTEXT emp_sel_context USING secman.app_security_context;
    In which secman is my security schema and app_security_context is the name of above procedure package.
    3) Created a function to access the application context:
    FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
    IS
      e_predicate VARCHAR2(2000);
    BEGIN
      e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
      RETURN e_predicate;
    END;
    END;
    4) Created a logon trigger:
    CREATE OR REPLACE
    TRIGGER INIT_CONTEXT AFTER
    LOGON ON DATABASE
    BEGIN
    SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
    END;
    5) Added a policy on scott.emp like this:
    begin
      dbms_rls.add_policy (
        object_schema   => 'SCOTT',
        object_name     => 'EMP',
        policy_name     => 'EMP_SEL_POLICY',
        function_schema => 'SECMAN',
        policy_function => 'EMP_SECURITY.EMP_SEC',
        statement_types => 'SELECT',
        update_check    => TRUE);
    end;
    My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
    Any help is really appreciated.
    S/\EE|)

    Hi,
    I suggest:
    create another table emp1 (logged on as scott); this table only includes empno and ename. Then insert a few records, then modify
    procedure set_empno as:
    PROCEDURE set_empno
    IS
      emp_id NUMBER;
    BEGIN
      BEGIN
        SELECT empno
        INTO   emp_id
        FROM   SCOTT.EMP1
        WHERE  upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
        DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
      EXCEPTION
        WHEN OTHERS THEN emp_id := 0;
      END;
    END;
    Certainly, you should grant select on emp1 to the user who will be tested.
    lixinzhu
    2007/09/17
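Whatever the fix turns out to be, the chain in the question (logon trigger sets the context, policy function reads it, predicate filters EMP) can be checked link by link. The script below is an added example, not code from the thread; the object names are the ones the question uses, and the comments say which session each query belongs in.

```sql
-- 1. As the user who sees "no rows selected": is the context populated?
--    If CTX_EMPNO is NULL, the policy predicate becomes empno = NULL and
--    matches nothing; the WHEN OTHERS in set_empno has hidden the cause.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')  AS session_user,
       SYS_CONTEXT('emp_sel_context', 'empno') AS ctx_empno
FROM   dual;

-- 2. Same session: does the lookup the logon trigger performs find a row?
--    No matching ENAME (ORA-01403) and a missing SELECT privilege on
--    SCOTT.EMP both disappear into that WHEN OTHERS handler.
SELECT empno
FROM   scott.emp
WHERE  UPPER(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');

-- 3. As a DBA: is the policy registered, enabled and attached to SELECT?
SELECT policy_name, pf_owner, package, function, sel, enable
FROM   dba_policies
WHERE  object_owner = 'SCOTT'
AND    object_name  = 'EMP';

-- 4. As a DBA: the namespace must be bound to the package that calls
--    DBMS_SESSION.SET_CONTEXT, otherwise that call raises ORA-01031.
SELECT namespace, schema, package
FROM   dba_context
WHERE  namespace = 'EMP_SEL_CONTEXT';

-- 5. As a DBA: are the trigger and both packages valid?
SELECT owner, object_name, object_type, status
FROM   dba_objects
WHERE  (owner = 'SECMAN'
        AND object_name IN ('APP_SECURITY_CONTEXT', 'EMP_SECURITY'))
OR     (object_name = 'INIT_CONTEXT' AND object_type = 'TRIGGER');

-- 6. As a DBA with EXECUTE on the policy package: the predicate text the
--    policy function hands to VPD, exactly as it will be appended to queries.
SELECT secman.emp_security.emp_sec('SCOTT', 'EMP') AS predicate
FROM   dual;
```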

  • [Security] Row-level security in ADF

    Hi all,
    I want to implement row-level security in my application, the scenario is like this:
    There are several users that connect to the application
    These users are authenticated in some way (XML file, OID, DB)
    When each user wants to access (Select, Update, Delete) an ADF Table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do, must be concatenated to his DML, transparent from the user.
    So if for example a user queries the Emp Salary table only records with salary < 10K/Month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
    I have tried VPD and it has some useful features but my problems are:
    1) Where and how to define the 'where conditions'?
    2) How to attach the 'where conditions' to the executing DML?
    3) What is the best way to make DB know which user is really executing DMLs? (Not a single Application Server admin user)
    4) What is the best authentication approach?
    Any help will be really appreciated.
    S/\EE|)

    Hi,
    yes you can. Database proxy user is set up in the prepare session method as well, and EUS can be configured to take the J2EE username to then re-connect the app to the database schema
    public void prepareSession(SessionData SessionData) {
        super.prepareSession(SessionData);
        oconn = ((PrxyTransactionImpl) this.getDBTransaction()).getPrxyConnection();
        // Specify the user that connects through the proxy user and its roles
        Properties prop = new Properties();
        prop.put(OracleConnection.PROXY_USER_NAME, "hr");
        //prop.put(OracleConnection.PROXY_ROLES, roles);
        String appContext = "Begin ctxhrpckg.set_userinfo('" + getApplicationUserName() + "'); END;";
        java.sql.CallableStatement st = null;
        // Open the proxy session (DB-authenticated users)
        try {
            oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
            st = getDBTransaction().createCallableStatement(appContext, 0);
            st.execute();
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

    package oracle.sample.dbprxy.adfbc;

    import oracle.jbo.server.DBTransactionImpl2;
    import oracle.jbo.server.DatabaseTransactionFactory;

    /**
     * TransactionFactory that returns PrxTransactionImpl, which is a subclass of
     * DBTransactionImpl2
     * @author Frank Nimphius
     */
    public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory {
        public PrxyDatabaseTransactionFactory() {
            super();
        }

        /**
         * Override the create method to return an instance of PrxyTransactionImpl instead
         * of DBTransactionImpl2
         * @return PrxyTransactionImpl
         */
        public DBTransactionImpl2 create() {
            return new PrxyTransactionImpl();
        }
    }

    package oracle.sample.dbprxy.adfbc;

    import oracle.jbo.server.DBTransactionImpl2;
    import oracle.jdbc.OracleConnection;

    public class PrxyTransactionImpl extends DBTransactionImpl2 {
        public PrxyTransactionImpl() {
            super();
        }

        /**
         * The DBTransactionImpl2 does not expose the connection in a public
         * method. This class is a wrapper to expose the connection to the
         * BC app, so it can be accessed in the ApplicationModuleImpl class
         * @return OracleConnection - SQL Connection
         */
        public OracleConnection getPrxyConnection() {
            return (OracleConnection) this.getJdbcConnection();
        }
    }
    Note that for EUS ApplicationModule pooling should be disabled
    Frank

  • Help with implementing Row Level Security in Interactive Reporting

    We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
    The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
    I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?

    The 3 tables used with the RLS are stored in the same schema as your repository by default.
    The RLS store all the Rules for any database that you are using.
    You define the rules based on the tablename (owner.tablename) and the column name.

  • Setting up item level security access

    Hello,
    I am new to Oracle Instant Portal and I'm trying to figure out how to set up item level security on a particular tab page. Can anyone give step by step instructions on how to make it work?
    So, say that I have a tab page called HR. On that HR page, I have 3 items. For item1 and item2, I want user1 to have view access to these only, and for user2 they could have view access to item3 only.
    I checked the option in the HR page's Page Access settings to Enable Item Level Security, saved the changes, and even cleared the cache, but it doesn't seem to give me any new functionality where I could specify that for item1 and item2, only user1 should have access to it, and for item3, only user2 should access it.
    Can someone please help?
    Thanks!

    Please disregard--I figured out how to do this:
    1. When you are editing the page, you must click on the "Edit Item" icon next to the item.
    2. Then click on the Access tab in the upper right.
    3. Select Define Item Level Access Privileges and click Apply.
    4. In the Grant Access section that now appears just below, select the user id you want to grant access to the item and then click Add.
