Oracle grant schema level security
I have several schemas for different applications in the same database.
Each time an object is created, access to it is granted to the appropriate role.
I don't like using the SELECT ANY TABLE privilege.
I would love to see a GRANT SELECT ON SCHEMA XXXX TO ZZZZZ;
This would be almost like the SQL SERVER (YUK) DB_DATAREADER privilege.
I have not seen anything to indicate Oracle 11g has this support.
Are you just complaining or asking a question?
You can use something like:
  create or replace trigger do_grant
  after CREATE on schema
  declare
    l_str varchar2(255);
    l_job number;
  begin
    -- Only react to tables; the DDL event attributes give the new object's type and name
    if ( ora_dict_obj_type = 'TABLE' )
    then
      -- DDL cannot be issued directly from a system trigger, so the grant is queued
      -- as a job. The double quotes are placeholders turned into single quotes below.
      l_str := 'execute immediate "grant select on ' ||
               ora_dict_obj_name ||
               ' to scott";';
      dbms_job.submit( l_job, replace(l_str,'"','''') );
    end if;
  end;
  /
as posted here in asktom:
http://asktom.oracle.com/pls/asktom/f?p=100:11:4434422967201937::::P11_QUESTION_ID:646423863863
Similar Messages
-
Grant schema-level privileges to a Oracle user
Hi Experts,
Is there an easy way to grant all objects in one schema to a user (select only)?
Thanks for help!
Jim
Thanks for help.
Actually, this is a group user account created as:
  CREATE USER user
    IDENTIFIED BY appuser
    DEFAULT TABLESPACE users
    QUOTA 10M ON example
    TEMPORARY TABLESPACE temp
    QUOTA 5M ON system
    PROFILE scapp_user;
Do you need to assign quota and profile?
Also, I was told this account needs to access all data in the database. Should this account be granted the right to run views and procedures?
Do I need to go to ALL_OBJECTS to find them?
Thanks for your suggestions in detail.
Jim
-
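As an added example that is not part of either thread, here is one way to emulate the "GRANT SELECT ON SCHEMA" both posters are asking for: a procedure that grants SELECT on every table and view a schema currently owns to a role or user. Every name is passed through DBMS_ASSERT so an unusual object or grantee name cannot change the shape of the dynamic GRANT; the procedure name and the XXXX/ZZZZZ placeholders are assumptions.

```sql
-- Added example, not from the forum threads. Emulates GRANT SELECT ON SCHEMA
-- by granting SELECT on each table/view owned by p_owner to p_grantee.
CREATE OR REPLACE PROCEDURE grant_schema_select(
  p_owner   IN VARCHAR2,   -- exact schema name as stored in the catalog, e.g. 'XXXX'
  p_grantee IN VARCHAR2)   -- role or user, e.g. 'ZZZZZ'
AUTHID CURRENT_USER        -- grants are issued with the caller's own privileges
IS
  l_owner   VARCHAR2(130);
  l_grantee VARCHAR2(130);
  l_count   PLS_INTEGER := 0;
BEGIN
  -- SCHEMA_NAME raises ORA-44001 if the schema does not exist;
  -- ENQUOTE_NAME raises ORA-44003 on a name that cannot be safely quoted.
  l_owner   := DBMS_ASSERT.SCHEMA_NAME(p_owner);
  l_grantee := DBMS_ASSERT.ENQUOTE_NAME(p_grantee);   -- upper-cases and quotes

  FOR r IN (SELECT object_name
              FROM all_objects
             WHERE owner = l_owner
               AND object_type IN ('TABLE', 'VIEW')
               AND object_name NOT LIKE 'BIN$%'        -- skip recycle-bin objects
             ORDER BY object_name)
  LOOP
    -- Catalog names are already in their exact case, so do not re-capitalize.
    EXECUTE IMMEDIATE 'GRANT SELECT ON '
      || DBMS_ASSERT.ENQUOTE_NAME(l_owner, FALSE) || '.'
      || DBMS_ASSERT.ENQUOTE_NAME(r.object_name, FALSE)
      || ' TO ' || l_grantee;
    l_count := l_count + 1;
  END LOOP;

  DBMS_OUTPUT.PUT_LINE(l_count || ' SELECT grant(s) issued to ' || l_grantee);
END grant_schema_select;
/
-- Run as the schema owner (or a user holding GRANT ANY OBJECT PRIVILEGE):
-- EXEC grant_schema_select('XXXX', 'ZZZZZ');
```

Objects created after the run are not covered, so pair this with the DDL-trigger approach above or re-run it after deployments.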
Hi,
I am in the process of setting up Oracle Streams schema level replication on version 10.2.0.3. I am able to set up replication for one table properly. Now I want to add 10 more new tables for schema level replication. A few questions regarding this:
1. If I create new tables in the source, do I have to create the tables in the target database manually, or do I have to do an export with STREAMS_INSTANTIATION=Y?
2. Can you tell me the metalink note id to read more on this topic?
thanks & regards
parag
The same capture and apply process can be used to replicate other tables. The following steps should suffice for your need:
Say table NEW is the new table to be added, with owner SANTU
downstr_cap is the capture process which is already running
downstr_apply is the apply process which is already there
1. Now stop the apply process
2. Stop the capture process
3. Add the new table to the capture process using a positive (inclusion) rule
  BEGIN
    DBMS_STREAMS_ADM.ADD_TABLE_RULES(
      table_name      => 'SANTU.NEW',
      streams_type    => 'capture',
      streams_name    => 'downstr_cap',
      queue_name      => 'strmadmin.DOWNSTREAM_Q',
      include_dml     => TRUE,
      include_ddl     => TRUE,
      source_database => ' Name of the source database ',  -- replace with the source database's global name
      inclusion_rule  => TRUE);
  END;
  /
4. Take an export of the new table with the "OBJECT_CONSISTENT=Y" option
5. Import the table at the destination with the "STREAMS_INSTANTIATION=Y" option
6. Start the apply process
7. Start the capture process
-
How to check the row level security in TOAD for oracle
Hi,
For example, I have 2 types of users:
normal user and super user
The super user can see the group set (some column name) created by the normal user,
but the normal user can not see the set created by the super user.
This set creation also has 3 types: 'U', 'P', 'S'
P & S can be viewed even by the normal user,
but U should not be.
So here we are having some row level security for the normal user .....
So, in TOAD for Oracle, how to check that......
Let me know if I'm not clear
Like
I'm the super user....
And some records are inserted into a table by different users ('a', 'b', etc....)
So, if user 'a' logs in then he can see only the records inserted by 'a'...
How to see in TOAD where such type of scripts (filter conditions) are written.....
-
Data level Security with Oracle Apps as Source
Hi all
I am implementing Data level Security with Apps as Source (OLTP) on Single Sign On. (Oracle has provided the vanilla rpd & we are working on that)
I need to filter data based on Business Group. Users are created in Apps and they are registered with some Responsibilities.
(for eg, OBI User CHINA is a Responsibility; now he will get only the Business Group ID for China)
I have created Groups in the rpd with the same name as the responsibility in Apps.
I have created Initialization Blocks from which I'm getting only 1 business group ID for every :USER. (I tried the code in TOAD & I'm getting the correct BG ID)
I have created a Group in WEB with the same name as the Group name in the rpd.
If I say show all Users and Groups in WEB, I'm getting the APPS Users.
I have reloaded the server metadata files and restarted the BI Server/WEB Server also...
But in the Report, I'm getting all the Business Group Ids.
Please advise if I'm doing something wrong.
ThanQ
Anand
You need to be creating your "business groups" as a group in the RPD, with init blocks to retrieve the user's business group at login, and filters in the Logical Table Sources to restrict data to the relevant business groups only.
Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box.
-
Column Level Security Using VPD under oracle 11g
Hi
I am using an example from Oracle Database 10g: Advanced Security -- Virtual Private Databases
1. The Application Context -- that sets the session environment for the user -- is OK.
2. The Logon Trigger that executes the above is OK. It has been tested.
3. The Security Policy that returns a predicate after checking the output of the Application Context is OK.
4. The security policy applied to the STOCK_TRX table is OK.
5. Select and Insert from the database work.
However, after dropping both the insert and select policy, I am having a problem getting a select policy to work with column-level VPD. I get ORA-28104: input value for statement type is not valid, and ORA-06512 at SYS.DBMS_RLS line 20. See the code below:
  begin
    -- positional call: the sixth argument ('PRICE') lands in STATEMENT_TYPES
    DBMS_RLS.ADD_POLICY
      ('PRACTICE', 'STOCK_TRX', 'STOCK_TRX_SELECT_POLICY', 'PRACTICE',
       'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY', 'PRICE');
  end;
  /
Note:
PRICE is the sec_relevant_cols
STOCK_TRX is the table
Can you please help.
Thx
The syntax for row level security is not the same as for column level security. All the parameters to the DBMS_RLS.ADD_POLICY() function should be preceded by the parameter name, for example:
  begin
    DBMS_RLS.ADD_POLICY(object_schema => 'PRACTICE', ..., sec_relevant_cols => 'PRICE');
  end;
  /
I did not know this before. I thought they were there in the example for explanatory reasons. I decided to answer the question for myself because I know others have the same interpretation.
-
Oracle Virtual Private Database (VPD), Column Level Security
Hello,
About Oracle Virtual Private Database (VPD), is it possible to set up Column Level Security without setting up Row Level Security (without using any predicate)?
Thanks,
Herve.
Thanks, Zoran.
A colleague shared with me a link to a function that does not return a predicate (using the SYS_CONTEXT function to skip the row restriction).
Herve.
Link
-
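As an added example that is not part of either thread, this is the full named-parameter ADD_POLICY call the ORA-28104 question was missing, written as column-level VPD that masks PRICE instead of filtering rows, which also shows how column security works without a row restriction as asked in the follow-up. The schema, table, policy function and column names are the ones from the first question; the package body and the "owner sees everything" rule are assumptions.

```sql
-- Added example, not from the forum threads. Column-level VPD on
-- PRACTICE.STOCK_TRX that returns every row but NULLs out PRICE for sessions
-- the policy function does not approve.
CREATE OR REPLACE PACKAGE practice.security_package AS
  FUNCTION stock_trx_select_security(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END security_package;
/
CREATE OR REPLACE PACKAGE BODY practice.security_package AS
  -- Policy functions always take (schema, object) and return the predicate text.
  FUNCTION stock_trx_select_security(p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2
  IS
  BEGIN
    -- Assumed rule: the owning schema sees PRICE. A NULL predicate means
    -- "no restriction", so no row filter and no masking for this session.
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'PRACTICE' THEN
      RETURN NULL;
    END IF;
    -- Anyone else: a predicate that is never true. Because the policy below
    -- uses DBMS_RLS.ALL_ROWS this does not hide rows; rows failing the
    -- predicate are still returned, with PRICE as NULL.
    RETURN '1 = 2';
  END stock_trx_select_security;
END security_package;
/
BEGIN
  -- Named notation. Passed positionally, 'PRICE' would be the sixth argument,
  -- STATEMENT_TYPES, which is exactly the ORA-28104 in the question.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'PRACTICE',
    object_name           => 'STOCK_TRX',
    policy_name           => 'STOCK_TRX_SELECT_POLICY',
    function_schema       => 'PRACTICE',
    policy_function       => 'SECURITY_PACKAGE.STOCK_TRX_SELECT_SECURITY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PRICE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- Check from a non-owner session: all rows come back, PRICE is NULL.
-- SELECT COUNT(*), COUNT(price) FROM practice.stock_trx;
```

Without sec_relevant_cols_opt the default behaviour applies instead: the predicate is enforced as a row filter, but only for statements that reference one of the relevant columns.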
Oracle Unix 9 - slow granting Schema object to User
I have a problem. I can't figure out why granting schema objects to users takes a long time. Here is my code:
  DECLARE
    alert_button NUMBER;
    CURSOR Teller_Cur IS SELECT * FROM TELLER_M;
  BEGIN
    alert_button := Show_Alert('AlertOK');
    IF alert_button = ALERT_BUTTON1 THEN
      FOR Teller_Rec IN Teller_Cur LOOP
        Message('Setting table access for ' || Teller_Rec.Teller_ID || ' in progress, please wait....', No_acknowledge);
        IF :DTABLE IS NOT NULL THEN
          -- Granting Schema object to new User (each Forms_DDL call is its own round trip to the database)
          IF SUBSTR(:DTABLE, 1, 4) = 'TEMP' THEN
            Forms_DDL('GRANT SELECT, INSERT, UPDATE, DELETE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
          ELSE
            IF Teller_Rec.SELECT_ACCESS = 'Y' THEN
              Forms_DDL('GRANT SELECT ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
            END IF;
            IF Teller_Rec.INSERT_ACCESS = 'Y' THEN
              Forms_DDL('GRANT INSERT ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
            END IF;
            IF Teller_Rec.UPDATE_ACCESS = 'Y' THEN
              Forms_DDL('GRANT UPDATE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
            END IF;
            IF Teller_Rec.DELETE_ACCESS = 'Y' THEN
              Forms_DDL('GRANT DELETE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id);
            END IF;
          END IF;
          -- Creating Synonyms in new User schema
          Forms_DDL('CREATE SYNONYM ' || Teller_Rec.Teller_Id || '.' || :DTABLE || ' FOR ' || :DTABLE);
        ELSE
          -- for stored procedure:
          Forms_DDL('CREATE SYNONYM ' || Teller_Rec.Teller_Id || '.' || :DSTOREDP || ' FOR ' || :DSTOREDP);
          Forms_DDL('GRANT EXECUTE ON ' || :DSTOREDP || ' TO ' || Teller_Rec.Teller_Id);
        END IF;
      END LOOP;
      Message('Setting table access completed!!!', No_acknowledge);
    END IF;
  END;
If I use Oracle 8.1.7 locally, it doesn't take more than 5 minutes to grant access. But with Oracle 9.0.1 (through the network) it is taking more than 20 minutes.
If anyone knows, do help me.
Thank you.
The problem is not the difference between the database versions, I think; it's the location of the server.
Take a look at how much network traffic one call of forms_ddl causes. You have this traffic for each call of forms_ddl. On the local server this might not be so much of a problem, but with the network in between I think this is much slower...
Try to bundle up your statements, or even better, put the whole stuff in a database procedure to do it via one call. I sped up creating grants and synonyms from 10 minutes via forms_ddl to 3 minutes using a database procedure.
The only limitation is that your messages won't display for each user.
regards
-
Data level Security for Oracle Apps as Source
Hi all
I need to implement Data level Security on Apps Users in OBIA.
We are using Apps as source with Single Sign On. I need to apply Data level security on the Business Group field.
We don't have users in OBI; we need to register Apps users in OBI.
Could anybody tell me how to register Apps users in OBI???
Or tell me if you know some other way to implement Data Level Security on Single Sign On with Apps as source.
Thanks in advance
V P
You need to be creating your "business groups" as a group in the RPD, with init blocks to retrieve the user's business group at login, and filters in the Logical Table Sources to restrict data to the relevant business groups only.
Presentation 'Web Cat' groups with the same name as the RPD groups so a user inherits membership automatically.
I'd suggest sourcing a vanilla OBIA rpd to see how it is implemented out of the box.
-
How to query Cell level Security in 11g AW
Are there any views/tables that we might be able to use to query the Security settings in 11g AW?
In AWM 11g we have the ability to grant users/groups security at a cell level; with this functionality there is no need for us to maintain the PERMIT_WRITE program to manage Write access for users. I could not find any document that states how we can manage/view the security outside the AWM tool.
For Oracle 11.1, there is a dba-level view called DBA_XDS_INSTANCE_SETS which provides the data security definitions for both rdbms table-based and olap dimension/cube-based data security documents. The actual definition of data security is stored in the XML DB repository under the XDB schema.
  SQL> desc dba_xds_instance_sets
   Name            Type
   SCHEMA_NAME     VARCHAR2(30)
   OBJECT_NAME     VARCHAR2(30)
   INSTANCE_SET    VARCHAR2(30)
   DESCRIPTION     VARCHAR2(4000)
   STATIC          VARCHAR2(5)
   EVAL_RULE       VARCHAR2(4000)
   ACLIDS          SYS.XMLTYPE
There is no way to actually manage the data security documents outside of AWM for 11.1 in terms of creating/editing/deleting the data security documents, at least none that is documented.
Here is an example of what the DBA_XDS_INSTANCE_SETS view returns (two rows, one column per line):
  SQL> select * from dba_xds_instance_sets;

  SCHEMA_NAME  : GLOBAL
  OBJECT_NAME  : TIME
  INSTANCE_SET : DEFAULT_POLICY
  DESCRIPTION  :
  STATIC       : false
  EVAL_RULE    : 1 = 1
  ACLIDS       : <aclids xmlns="http://xmlns.oracle.com/xs">
                   <aclid>4C96964E68CC309FE040578C550414E2</aclid>
                 </aclids>

  SCHEMA_NAME  : GLOBAL
  OBJECT_NAME  : TIME
  INSTANCE_SET : policy1
  DESCRIPTION  :
  STATIC       : false
  EVAL_RULE    : GLOBAL."TIME".DIM_KEY IN ('186', '176', '133', '134', '135', '177', '136', '137', '138')
  ACLIDS       : <aclids xmlns="http://xmlns.oracle.com/xs">
                   <aclid>4C96964E68CF309FE040578C550414E2</aclid>
                 </aclids>
Have you created data security in AWM on dimensions/cubes in 11.1?
Any feedback about your experiences with AWM around data security would be welcome.
-
Row level security in BI Publisher
Hi All,
I am using BI Publisher for reporting on the Siebel system. The issue I am facing is regarding row level security. Even if I am logging in with an Employee Id, when I generate a report I have access to all the information of the other employees.
e.g. If as a cashier I made some entry, when I generate a report on collections made by me, it's bringing me all the collections made by other cashiers also.
I am generating these reports from the Siebel side. I am not sure if we can apply row-level security to BI Publisher.
Has anyone used Siebel or EBS with BI Publisher and had row level security? I am also not sure how to see the reports by logging into BI Publisher. If I am using Siebel or EBS, what is going to be my Data Model or Data Set?
Can anyone help me on this?
Thanks!!
Oracle HRMS has its own security built in to the schemas. Other modules you will need to customize for your own use.
-
Row-level security problem using VPD
Hi all,
I've implemented row-level security for my application using the following procedure:
1) Created a procedure for setting the context for the application:
  PROCEDURE set_empno
  IS
    emp_id NUMBER;
  BEGIN
    BEGIN
      SELECT empno
        INTO emp_id
        FROM SCOTT.EMP
       WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
      -- The attribute is set only when the SELECT succeeds; if it raises
      -- (e.g. NO_DATA_FOUND when no EMP row matches the session user),
      -- control jumps to the handler and the attribute stays NULL.
      DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
    EXCEPTION
      WHEN OTHERS THEN emp_id := 0;
    END;
  END;
2) Created the application context:
  CREATE CONTEXT emp_sel_context USING secman.app_security_context;
in which secman is my security schema and app_security_context is the name of the above procedure's package.
3) Created a function to access the application context:
  FUNCTION emp_sec(E1 VARCHAR2, E2 VARCHAR2) RETURN VARCHAR2
  IS
    e_predicate VARCHAR2(2000);
  BEGIN
    -- If the context attribute is NULL, 'empno = NULL' is never true and no rows are returned.
    e_predicate := 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
    RETURN e_predicate;
  END;
  END;  -- end of package body EMP_SECURITY
4) Created a logon trigger:
  CREATE OR REPLACE
  TRIGGER INIT_CONTEXT AFTER
  LOGON ON DATABASE
  BEGIN
    SECMAN.APP_SECURITY_CONTEXT.SET_EMPNO;
  END;
  /
5) Added a policy on scott.emp like this:
  begin
    dbms_rls.add_policy (
      object_schema   => 'SCOTT',
      object_name     => 'EMP',
      policy_name     => 'EMP_SEL_POLICY',
      function_schema => 'SECMAN',
      policy_function => 'EMP_SECURITY.EMP_SEC',
      statement_types => 'SELECT',
      update_check    => TRUE);
  end;
  /
My problem is that when a user queries the EMP table the above procedure does not work and 'no rows selected' is returned for each user that queries the table. Does anybody know which part of my procedure is wrong?
Any help is really appreciated.
S/\EE|)
Hi,
I suggest:
Create another table emp1 (logged on as scott); this table only includes empno and ename. Then insert a few records, then modify
procedure set_empno as
  PROCEDURE set_empno
  IS
    emp_id NUMBER;
  BEGIN
    BEGIN
      SELECT empno
        INTO emp_id
        FROM SCOTT.EMP1
       WHERE upper(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
      DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', emp_id);
    EXCEPTION
      WHEN OTHERS THEN emp_id := 0;
    END;
  END;
Certainly, you should grant select on emp1 to the user who will be tested.
lixinzhu
2007/09/17
-
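As an added example that is not part of the thread, here is a fail-closed rewrite of the context procedure and policy function from the question above: a session with no matching EMP row, or one whose logon trigger never set the context, is handled deliberately instead of relying on 'empno = NULL' silently returning nothing. Schema, context, table and package names are the ones in the question; the package specifications are assumptions, since the question shows only the bodies.

```sql
-- Added example, not from the forum thread. Same names as the question:
-- CREATE CONTEXT emp_sel_context USING secman.app_security_context is assumed
-- to exist already, so only this package may set the context's attributes.
CREATE OR REPLACE PACKAGE secman.app_security_context AS
  PROCEDURE set_empno;
END app_security_context;
/
CREATE OR REPLACE PACKAGE BODY secman.app_security_context AS
  PROCEDURE set_empno IS
    emp_id NUMBER;
  BEGIN
    SELECT empno
      INTO emp_id
      FROM scott.emp
     WHERE UPPER(ename) = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', TO_CHAR(emp_id));
  EXCEPTION
    -- No employee for this database user: set a value that can never match
    -- a real EMPNO, so the policy sees "no entitlement", not "never set".
    WHEN NO_DATA_FOUND THEN
      DBMS_SESSION.SET_CONTEXT('emp_sel_context', 'empno', '-1');
    -- Anything else propagates. Raised from the AFTER LOGON trigger that
    -- refuses the logon for users without ADMINISTER DATABASE TRIGGER, which
    -- is the safe outcome; a WHEN OTHERS that swallows it would not be.
  END set_empno;
END app_security_context;
/
CREATE OR REPLACE PACKAGE secman.emp_security AS
  FUNCTION emp_sec(e1 VARCHAR2, e2 VARCHAR2) RETURN VARCHAR2;
END emp_security;
/
CREATE OR REPLACE PACKAGE BODY secman.emp_security AS
  FUNCTION emp_sec(e1 VARCHAR2, e2 VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    -- Fail closed explicitly when the context was never populated
    -- (e.g. the logon trigger did not run for this session).
    IF SYS_CONTEXT('emp_sel_context', 'empno') IS NULL THEN
      RETURN '1 = 0';
    END IF;
    -- Normal case: restrict to the caller's own EMPNO.
    RETURN 'empno = SYS_CONTEXT(''emp_sel_context'', ''empno'')';
  END emp_sec;
END emp_security;
/
-- Diagnostic from a test session after logon; NULL here means the trigger
-- never set the attribute, '-1' means no EMP row matched the session user:
-- SELECT SYS_CONTEXT('emp_sel_context', 'empno') FROM dual;
```

The policy registration from step 5 of the question is unchanged; only the two packages above differ.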
[Security] Row-level security in ADF
Hi all,
I want to implement row-level security in my application. The scenario is like this:
There are several users that connect to the application.
These users are authenticated in some way (XML file, OID, DB).
When each user wants to access (Select, Update, Delete) an ADF Table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do must be concatenated to his DML, transparently to the user.
So if for example a user queries the Emp Salary table, only records with salary < 10K/Month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
I have tried VPD and it has some useful features, but my problems are:
1) Where and how to define the 'where conditions'?
2) How to attach the 'where conditions' to the executing DML?
3) What is the best way to make the DB know which user is really executing DMLs? (Not a single Application Server admin user)
4) What is the best authentication approach?
Any help will be really appreciated.
S/\EE|)
Hi,
yes you can. The database proxy user is set up in the prepareSession method as well, and EUS can be configured to take the J2EE username to then re-connect the app to the database schema:
  // In the ApplicationModuleImpl subclass; oconn is an OracleConnection field
  public void prepareSession(SessionData SessionData) {
    super.prepareSession(SessionData);
    oconn = ((PrxyTransactionImpl) this.getDBTransaction()).getPrxyConnection();
    // Specify the user that connects through the proxy user and its roles
    Properties prop = new Properties();
    prop.put(OracleConnection.PROXY_USER_NAME, "hr");
    //prop.put(OracleConnection.PROXY_ROLES, roles);
    // The application user name is passed as a bind variable rather than
    // concatenated into the PL/SQL block
    String appContext = "BEGIN ctxhrpckg.set_userinfo(?); END;";
    java.sql.CallableStatement st = null;
    // Open the proxy session (DB-authenticated users)
    try {
      oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
      st = getDBTransaction().createCallableStatement(appContext, 0);
      st.setString(1, getApplicationUserName());
      st.execute();
    } catch (SQLException e) {
      e.printStackTrace();
    }
  }

  package oracle.sample.dbprxy.adfbc;

  import oracle.jbo.server.DBTransactionImpl2;
  import oracle.jbo.server.DatabaseTransactionFactory;

  /**
   * TransactionFactory that returns PrxTransactionImpl, which is a subclass of
   * DBTransactionImpl2
   * @author Frank Nimphius
   */
  public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory {
    public PrxyDatabaseTransactionFactory() {
      super();
    }

    /**
     * Override the create method to return an instance of PrxyTransactionImpl instead
     * of DBTransactionImpl2
     * @return PrxyTransactionImpl
     */
    public DBTransactionImpl2 create() {
      return new PrxyTransactionImpl();
    }
  }

  package oracle.sample.dbprxy.adfbc;

  import oracle.jbo.server.DBTransactionImpl2;
  import oracle.jdbc.OracleConnection;

  public class PrxyTransactionImpl extends DBTransactionImpl2 {
    public PrxyTransactionImpl() {
      super();
    }

    /**
     * The DBTransactionImpl2 does not expose the connection in a public
     * method. This class is a wrapper to expose the connection to the
     * BC app, so it can be accessed in the ApplicationModuleImpl class
     * @return OracleConnection - SQL Connection
     */
    public OracleConnection getPrxyConnection() {
      return (OracleConnection) this.getJdbcConnection();
    }
  }
Note that for EUS, ApplicationModule pooling should be disabled.
Frank
-
Help with implementing Row Level Security in Interactive Reporting
We're deploying Hyperion BI+ 9.3.1, using Workspace and Interactive Reporting. I'm researching how we can use the Workspace row level security option. I've read what's available for documentation in the Workspace Administrator Guide and the Interactive Reporting Users Guide. I understand the concept of setting up rules with row_level_security.bqy, but I'm confused about where these tables should go and what actually happens when I go to Workspace > Administrator > Row Level Security and turn it on.
The Administrator's Guide tells me the "properties" are stored in the repository, but the "rules" are in the "data source". Does that mean my BRIOSEC* tables go in the database I'm running my reports from? If so, then what's the data source I'm filling in on Workspace > Administrator > Row Level Security?
I have many different database connections going to different Oracle and SQL*Plus instances, and I don't want to apply row level security to all of them. How does Workspace tell the difference between them? If I enable rules but create a report from a database that doesn't have rules defined for it, what happens?
The 3 tables used with the RLS are stored in the same schema as your repository by default.
The RLS stores all the Rules for any database that you are using.
You define the rules based on the table name (owner.tablename) and the column name.
-
Setting up item level security access
Hello,
I am new to Oracle Instant Portal and I'm trying to figure out how to set up item level security on a particular tab page. Can anyone give step by step instructions on how to make it work?
So, say that I have a tab page called HR. On that HR page, I have 3 items. For item1 and item2, I want user1 to have view access to these only, and for user2 they could have view access to item3 only.
I checked the option in the HR page's Page Access settings to Enable Item Level Security, saved the changes, and even cleared the cache, but it doesn't seem to give me any new functionality where I could specify that for item1 and item2, only user1 should have access to it, and for item3, only user2 should access it.
Can someone please help?
Thanks!
Please disregard--I figured out how to do this:
1. When you are editing the page, you must click on the "Edit Item" icon next to the item.
2. Then click on the Access tab in the upper right.
3. Select Define Item Level Access Privileges and click Apply.
4. In the Grant Access section that now appears just below, select the user id you want to grant access to the item and then click Add.