Oracle Security - Controlling the 'alter user' privilege

Hi,
1. DB 10.1.0.5 and 10.2.0.3
2. "Admin User" needs to be able to change some users' passwords in the database.
3. Create user adminuser - grant alter user to adminuser.
4. DBAs will grant the "approle" role to the list of required users. DBAs will maintain control of who gets this role.
5. Create a system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - the trigger does not fire for DBAs or anyone changing their own password.
The trigger works as intended - the "adminuser" account can only change the specific set of users.
Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change the default tablespace and tablespace quota. The user should only be able to change the password.
Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed, but so far I can't get this to work. Here is my trigger --
CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
DECLARE
    DBACHK varchar2(50);
    USRCHK varchar2(50);
BEGIN
    BEGIN
        -- Ensure users can change their own passwords --
        IF ora_login_user = ora_dict_obj_name THEN
            RETURN;
        ELSE
            -- Do not apply trigger to DBA group (only direct grants of the DBA role are seen here) --
            select grantee into DBACHK from dba_role_privs
             where granted_role = 'DBA'
               and grantee = ora_login_user;
            IF DBACHK = ora_login_user THEN
                RETURN;
            END IF;
        END IF;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            NULL;   -- not a DBA: fall through to the application-user check
    END;
    BEGIN
        -- The target account must carry the marker role --
        select grantee into USRCHK from dba_role_privs
         where granted_role = 'DISCUSR'
           and grantee = ora_dict_obj_name;
        IF ora_dict_obj_type = 'USER'
           and ora_dict_obj_name = USRCHK
           ---- Need to check that only the password is being changed -- the line below does not work
           ---- (ORA_IS_ALTER_COLUMN reports columns changed by ALTER TABLE; ALTER USER never sets it, so this is never TRUE here)
           and ora_is_alter_column('PASSWORD') = TRUE
        THEN
            RETURN;
        ELSE
            RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
        END IF;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
    END;
END;
/

user602453 wrote:
> Ed, thank you for your reply. But, let me explain in more detail.
More detail is always helpful. ;-)

> A specific user has been assigned as the application administrator. This administrator is responsible for resetting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
I see that this may be out of your hands, but I'd still question the wisdom of having an apps administrator be the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more as a helper to a clueless user.

> Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
> So,
> Given those requirements, I have this trigger that will allow the specific administrator to change the password of a specific set of users while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assign the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
> Hope that clears things up.
I still see another problem in that it still comes back to the DBA to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability as to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.
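One way to answer the unresolved question in this thread (how to let the trigger allow only a password change) is to look at the statement text itself rather than at event attributes. The trigger below is an added example, not code from the original post: it reassembles the SQL being executed from ORA_SQL_TXT and rejects anything that is not a bare ALTER USER ... IDENTIFIED BY .... It assumes the marker role is called APPROLE (the post's description; the posted trigger uses DISCUSR), keeps the poster's exemptions for self-service changes and for accounts holding the DBA role directly, fires BEFORE rather than AFTER so nothing is modified before the check runs, and uses a made-up trigger name.

```sql
-- Added example; not the original poster's trigger.
-- Assumptions: marker role APPROLE (poster's description), trigger name made up.
CREATE OR REPLACE TRIGGER sys.password_only_control
BEFORE ALTER ON DATABASE
DECLARE
    l_pieces  ora_name_list_t;      -- ORA_SQL_TXT hands back the statement in 64-byte pieces
    l_count   PLS_INTEGER;
    l_stmt    VARCHAR2(32767);
    l_dummy   VARCHAR2(30);
    -- Exactly: ALTER USER <name> IDENTIFIED BY <password>, optional trailing ';'.
    -- <name> may be double-quoted; <password> may be a double-quoted string.
    -- Any extra clause (QUOTA, DEFAULT TABLESPACE, PROFILE, ACCOUNT ..., PASSWORD EXPIRE)
    -- or an embedded comment makes the match fail, so the statement is refused.
    c_shape   CONSTANT VARCHAR2(200) :=
        '^ALTER USER ("[^"]+"|[A-Z0-9_$#]+) IDENTIFIED BY ("[^"]*"|[^ ;"]+) ?;?$';
BEGIN
    -- Only ALTER USER matters; ALTER TABLE etc. pass straight through
    IF ora_dict_obj_type <> 'USER' THEN
        RETURN;
    END IF;

    -- Anyone may change their own password
    IF ora_login_user = ora_dict_obj_name THEN
        RETURN;
    END IF;

    -- Accounts holding the DBA role directly are exempt (as in the posted trigger;
    -- DBA granted through another role is not detected by this query)
    BEGIN
        SELECT grantee INTO l_dummy
          FROM dba_role_privs
         WHERE granted_role = 'DBA'
           AND grantee = ora_login_user;
        RETURN;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN NULL;
    END;

    -- Everyone else may only touch accounts carrying the marker role
    BEGIN
        SELECT grantee INTO l_dummy
          FROM dba_role_privs
         WHERE granted_role = 'APPROLE'
           AND grantee = ora_dict_obj_name;
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            RAISE_APPLICATION_ERROR(-20003,
                'You are not allowed to alter user ' || ora_dict_obj_name);
    END;

    -- Reassemble the statement, collapse whitespace, normalise case
    l_count := ora_sql_txt(l_pieces);
    FOR i IN 1 .. l_count LOOP
        l_stmt := l_stmt || l_pieces(i);
    END LOOP;
    l_stmt := UPPER(TRIM(REGEXP_REPLACE(l_stmt, '[[:space:]]+', ' ')));

    -- ... and insist that it is a password change and nothing else
    IF NOT REGEXP_LIKE(l_stmt, c_shape) THEN
        RAISE_APPLICATION_ERROR(-20004,
            'Only ALTER USER ... IDENTIFIED BY ... is permitted for ' || ora_dict_obj_name);
    END IF;
END;
/
```

The shape check is fail-closed: `ALTER USER scott IDENTIFIED BY x QUOTA 10M ON users` or `... DEFAULT TABLESPACE users` does not match and raises ORA-20004, while `ALTER USER scott IDENTIFIED BY "a b;c"` does match because the quoted password is consumed as one token. Because the check is on the statement text, it does not depend on the unsupported ORA_IS_ALTER_COLUMN attribute. The DBA exemption has the same limitation as the original: it sees only direct grants of the DBA role.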

Similar Messages

  • Alter user privilege

    Hello,
is there any way to grant just certain privileges that involve the Alter User system privilege? That is, how can I arrange it so that a user can execute just alter user <user> account lock or account unlock, but not password expire, for example?
    Thanks in advance.

Hi, you can set the AUTHID DEFINER clause when you create the stored procedure so that it executes as its owner; the stored procedure must be owned by the SYS user.
    Please review the nexts links
    http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_5009.htm#sthref6483
    http://www.adp-gmbh.ch/ora/plsql/authid.html
    Luck.
    Have a good day.
    Regards.

  • Auditing the  ALTER USER command

    How exactly does one use FGA to capture the "tail-end" of the ALTER USER command? Could you provide or point me toward an example with detailed "how to" information?
    Thanks.


  • Expire password - alter user - privilege authid

    Hello to all
I need to allow the database users to enter a new password from a page when their password expires. What I am trying to do is to add a function to modify the user:
create or replace function usu_mod return varchar2
as
begin
  execute immediate 'alter user pepe identified by pepe2';
  return 'OK';
end;
/
Any ideas? Is this the right approach? It also gives me an insufficient privileges error, since APEX uses APEX_PUBLIC_USER. I was looking and saw AUTHID DEFINER and AUTHID CURRENT_USER. Is it necessary to use one of these? Can somebody give me an idea of how to use them?
    Thank you very much
    Juan Pablo

    Juan - We talked about this here: Re: ORACLE Password Change using APEX FORM
    Scott

  • A user granted with alter user privilege

    Dear all
I have granted a user the create user and alter user system privileges so that he can create or alter users. But I found the user is able to alter sys and system as well.
Tell me how to restrict the user so that he cannot affect sys and system.

  • Oracle AS control hangs after user login - AIX 5.3

    Hi,
We are engaged with a customer who deploys OracleAS 10.1.2.0.2 on AIX 5.3. After installation, AS control hangs after user login. This issue is addressed in the release notes and Metalink doc 365725.1. We followed the guide in Metalink to do the modification and we could access AS control successfully after that. However, due to some other reasons, we restarted AIX, and after that AS control hangs again. This is quite strange. Has anyone met this symptom before? How can we resolve this issue?
    Thanks in advance.
    Sindhiya V.

  • User Exit & BADI for controling the END user in co06

Hi
I have 2 doubts:
1. I need a user exit / BADI for controlling whether a user can edit a specific document type in CO06 (backorder processing). The control should be active for a specific order type for specific users.
2. Depending on the order type I need to control the allocation, and how to check the safety stock.

  • Restrict user having alter user privilege

When a user is granted alter user, the user can change the password for sys. How do I restrict the user, so that he can do user administration but cannot do anything with sys or system?

  • Let group leader change his memeber's pwd without giving him 'alter user' p

    Hi, all
Is there any way that I can let a group leader reset his own members' passwords without giving him the 'alter user' privilege?
I know I can use the following simplified procedure to allow one person to change his own password, but I am looking for a way to let the leader reset it when his members forget their password, and the following script can't work. I also created the synonym and granted 'execute on' to him. Can someone help me with this?
    Thanks in advance.
CREATE OR REPLACE PROCEDURE change_pwd ( v_username in varchar2, v_pwd in varchar2)
authid current_user   -- invoker's rights: runs with the caller's own privileges, so the caller still needs ALTER USER
is
BEGIN
  execute immediate 'alter user '||v_username||' identified by '||v_pwd ;
END ;
/
    ----

    SQL> @example
    SQL> spool capture.log
    SQL> create user alladmin identified by adminall;
    User created.
    SQL> grant connect to alladmin;
    Grant succeeded.
    SQL> grant resource to alladmin;
    Grant succeeded.
    SQL> grant alter user to alladmin;
    Grant succeeded.
    SQL> create user member1 identified by No1knows;
    User created.
    SQL> grant connect to member1;
    Grant succeeded.
    SQL> create user member2 identified by No1knows;
    User created.
    SQL> grant connect to member2;
    Grant succeeded.
    SQL> create user gl1 identified by secret;
    User created.
    SQL> grant connect to gl1;
    Grant succeeded.
    SQL> grant resource to gl1;
    Grant succeeded.
    SQL> connect alladmin/adminall
    Connected.
    SQL> CREATE OR REPLACE PROCEDURE change_pwd ( v_username in varchar2)
      2  is
      3  m_username varchar2(100);
      4  v_pwd varchar2(30) := 'FUBAR1';
      5  BEGIN
      6  select user into m_username from dual;
      7  if (m_username = 'GL1')
      8  then
      9       execute immediate 'alter user '||v_username||' identified by '||v_pwd ;
    10  end if;
    11  END ;
    12  /
    Procedure created.
    SQL> grant execute on change_pwd to gl1;
    Grant succeeded.
    SQL> connect gl1/secret
    Connected.
    SQL> exec alladmin.change_pwd('MEMBER1');
    PL/SQL procedure successfully completed.
    SQL> exec alladmin.change_pwd('MEMBER2');
    PL/SQL procedure successfully completed.
    SQL> connect member1/FUBAR1
    Connected.
    SQL> select user from dual;
    USER
    MEMBER1
    SQL> connect member2/FUBAR1
    Connected.
    SQL> select user from dual;
    USER
    MEMBER2
    SQL> exit
    Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Production
With the Partitioning, OLAP and Data Mining options

Any more questions?

  • Alter User Externally

    I can do "alter user myid identified by newpwd;". But I got a message of "insufficient privileges" when I do "alter user myid identified externally;"
    So what special previliges do I need to alter user externally?
    THANKS

alter user myid identified by newpwd;
changes the user's own password and doesn't require the ALTER USER privilege.
alter user myid identified externally;
changes the user's identification mode and requires the ALTER USER privilege.
    Max
    [My Italian Oracle blog|http://oracleitalia.wordpress.com/2010/01/31/le-direttive-di-compilazione-pragma/]

  • Alter User Inside procedure

    Hi to all,
    I have a user named dbo and vijay.
    I have a procedure under dbo named as sp_alteruser
CREATE OR REPLACE PROCEDURE DBO.SP_ALTERUSER (
    P_USER_ID IN VARCHAR2, P_PASSWORD IN VARCHAR2, P_MSG OUT VARCHAR2)
--Declaration of IN parameters
IS
    E_PASSWORD    EXCEPTION;
    E_INVALIDUSER EXCEPTION;
    PRAGMA EXCEPTION_INIT(E_PASSWORD, -00988);    -- ORA-00988: missing or invalid password
    PRAGMA EXCEPTION_INIT(E_INVALIDUSER, -01918); -- ORA-01918: user does not exist
BEGIN
    DECLARE
        V_COUNT      NUMBER;
        V_STATEMENT1 VARCHAR2(200);
    BEGIN
        --To check whether the user already exists
        SELECT COUNT(*) INTO V_COUNT
          FROM ALL_USERS
         WHERE USERNAME = P_USER_ID;
        IF V_COUNT = 0 THEN
            --If the count is 0 the user does not exist
            DBMS_OUTPUT.PUT_LINE('User Does Not exist');
        END IF;
        IF V_COUNT > 0 THEN
            --If the count is greater than 0 then the Alter statement is executed
            V_STATEMENT1 := 'ALTER USER ' || P_USER_ID || ' IDENTIFIED BY ' || P_PASSWORD;
            -- EXECUTE IMMEDIATE 'GRANT ALTER USER TO VIJAY';
            -- EXECUTE IMMEDIATE 'ALTER USER ' ||P_USER_ID||' IDENTIFIED BY ' ||P_PASSWORD;
            EXECUTE IMMEDIATE V_STATEMENT1;
            P_MSG := 'Password Changed Successfully';
        END IF;
    END;
EXCEPTION
    WHEN E_PASSWORD THEN
        P_MSG := 'Missing or Invalid Password';
    WHEN E_INVALIDUSER THEN
        P_MSG := 'User ' || P_USER_ID || ' Does not exist';
END;
/
I have created a synonym with the same name as sp_alteruser and given the execute privilege to the user vijay.
This procedure works fine when I run it as the DBO user; when I try it from the vijay user it throws the error "insufficient privilege".
I tried to give the alter user privilege explicitly but nothing worked; when I gave the dba privilege and checked, it works fine.
    Please help me in this regard.
    Thanks
    vijay

Yes, I got it, and apologies. It's not there, so the error is correct. I am not sure which priv is letting the DBA role change another user; here is a list of privs for some default roles, but none of them clearly depicts the option to change another user.
A very stupid answer: try giving the alter user privilege with the admin option and see what happens. I don't have a DB here, otherwise I would have done it.
    HTH
    Aman....

  • Grant Alter User

    Hi
I want to grant a user the "Alter User" privilege but I want to restrict him from altering Sys, System and other users with high privileges.
    Regards

    Is that possible? I think the Alter User privilege will allow him to alter sys and system. Is there any other way to do that? I want him to have only access to change the password of regular users
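The same question runs through several of the threads above: the APEX password page, the DBO/vijay procedure that fails with "insufficient privilege", the group-leader reset, and the requests to keep an ALTER USER holder away from SYS and SYSTEM. The usual answer is not to grant ALTER USER to the administrator at all, but to wrap it in a definer-rights procedure owned by a locked-down schema and grant EXECUTE on that. The procedure below is an added example, not code from any of the posts. It assumes a made-up owning schema PWRESET, a made-up caller APPADMIN, and a marker role APPROLE on the accounts that may be reset. Two facts it relies on: roles are disabled inside definer-rights PL/SQL, so ALTER USER (and SELECT on DBA_ROLE_PRIVS) must be direct grants to the owner, which is why an ALTER USER that arrives via DBA or another role does not help; and DBMS_ASSERT is what keeps the dynamic SQL from being extended by the caller.

```sql
-- Added example; not from any post above. Names PWRESET and APPADMIN are made up.
-- Run as SYS first (direct grants, not via a role, because the procedure is definer-rights):
--   CREATE USER pwreset IDENTIFIED BY "<strong password>" ;
--   GRANT CREATE SESSION, CREATE PROCEDURE TO pwreset;
--   GRANT ALTER USER TO pwreset;
--   GRANT SELECT ON sys.dba_role_privs TO pwreset;

CREATE OR REPLACE PROCEDURE pwreset.reset_app_password (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
)
AUTHID DEFINER   -- runs with PWRESET's privileges; the caller needs only EXECUTE
IS
    l_user  VARCHAR2(30);
    l_dummy VARCHAR2(30);
BEGIN
    -- Accept only a plain SQL name. A "username" such as
    --   SCOTT IDENTIFIED BY x QUOTA UNLIMITED ON users
    -- fails here with ORA-44003 instead of being concatenated into the DDL.
    l_user := DBMS_ASSERT.SIMPLE_SQL_NAME(UPPER(p_username));
    IF SUBSTR(l_user, 1, 1) = '"' THEN
        -- keep the example simple: quoted (case-sensitive) user names are not handled
        RAISE_APPLICATION_ERROR(-20010, 'Quoted user names are not supported');
    END IF;

    -- Hard deny-list: the administrative accounts are never resettable this way
    IF l_user IN ('SYS', 'SYSTEM', 'PWRESET') THEN
        RAISE_APPLICATION_ERROR(-20011, 'Resetting ' || l_user || ' is not permitted');
    END IF;

    -- Allow-list: the target must carry the marker role, which only a DBA can grant
    BEGIN
        SELECT grantee INTO l_dummy
          FROM sys.dba_role_privs
         WHERE grantee = l_user
           AND granted_role = 'APPROLE';
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            RAISE_APPLICATION_ERROR(-20012, l_user || ' is not an application user');
    END;

    -- ENQUOTE_NAME wraps the value in double quotes and rejects a lone embedded
    -- double quote, so the password may contain spaces or punctuation but cannot
    -- close the quote and append further clauses.
    EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(l_user)
                   || ' IDENTIFIED BY '
                   || DBMS_ASSERT.ENQUOTE_NAME(p_password, capitalize => FALSE);
END reset_app_password;
/

-- The application administrator gets the wrapper, not the privilege
GRANT EXECUTE ON pwreset.reset_app_password TO appadmin;

-- As APPADMIN:
--   EXEC pwreset.reset_app_password('SCOTT', 'Temp#2024x')
```

APPADMIN cannot run ALTER USER directly, cannot reach SYS or SYSTEM through the wrapper, and cannot smuggle extra clauses through either argument. Every reset is still attributable to the database user that executed the procedure, which also answers Ed's accountability point if APPADMIN is a real person's account. If the policy is that a reset password must be changed at first login, append PASSWORD EXPIRE to the statement.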

  • ALLOW A USER TO KILL A SESSION WITHOUT ALTER SYSTEM PRIVILEGE.

    Hi
I need a user to have permission to kill a session without having the ALTER SYSTEM privilege. I created a procedure in the sys schema and granted the EXECUTE privilege to the user, but it doesn't work. How can I do this? Help please.
    CREATE OR REPLACE PROCEDURE SYS.PRC_SESSION_KILLER (P_SID IN NUMBER, P_SERIAL IN NUMBER)
    AS
    BEGIN
         EXECUTE IMMEDIATE 'GRANT ALTER SYSTEM TO SYSADMIN';
         EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION ''' || P_SID || ',' || P_SERIAL || ''' IMMEDIATE';
         EXECUTE IMMEDIATE 'REVOKE ALTER SYSTEM FROM SYSADMIN';
    END;
    Thank you very much.

    Hi,
    I second everything John said.
    Are you sure the arguments are correct?
    Below is the procedure I use. You may want to run it, just to see what the error is.
PROCEDURE kill_internal (
    s_id        IN  NUMBER,
    serial_num  IN  NUMBER,
    stat_out    OUT VARCHAR2
)
IS
    alter_handle INTEGER;
    ex_val       INTEGER;   -- Returned by dbms_sql.execute
BEGIN
    alter_handle := dbms_sql.open_cursor;
    dbms_sql.parse (
        alter_handle,
        'ALTER SYSTEM KILL SESSION '''          ||
            TO_CHAR (s_id, '999990')           ||
            ', '                               ||
            TO_CHAR (serial_num, '999990')     ||
            '''',
        dbms_sql.native
    );
    ex_val := dbms_sql.execute (alter_handle);
    dbms_sql.close_cursor (alter_handle);
    stat_out := 'Success: '                    ||
                TO_CHAR (s_id, '999990')       ||
                ', '                           ||
                TO_CHAR (serial_num, '999990');
EXCEPTION
    WHEN OTHERS
    THEN
        stat_out := 'Failure:' || SQLERRM;
        -- dbms_output.put_line (stat_out);
        dbms_sql.close_cursor (alter_handle);
END kill_internal;

  • How to audit alter user sql statements in Oracle 11g.

I want to audit all the alter user SQL statements, showing who was altered and with what SQL statement, including the connections performed by sys and system.
Ex: If I use the command: alter user xxx quota 50 GB on users;
then how can I grab this SQL statement and who performed it, with the timing?

    Pl post OS and database versions.
    What have you learned from the documentation ?
    http://download.oracle.com/docs/cd/E11882_01/server.112/e26088/statements_4007.htm#SQLRF01107
    http://download.oracle.com/docs/cd/E11882_01/network.112/e16543/guidelines.htm#DBSEG508
    What have you tried to implement so far ?
    HTH
    Srini
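Added example, not from the post or Srini's reply, of what the linked documentation describes for the traditional (pre-Unified) 11g audit trail. The user name xxx is the poster's placeholder; the parameter and statement syntax are standard. Two things the poster specifically asked for need settings beyond the AUDIT statement itself: the SQL text is stored only with the EXTENDED audit trail, and actions by SYS (or anyone connected AS SYSDBA) never appear in DBA_AUDIT_TRAIL, they go to the OS audit files under AUDIT_FILE_DEST (or syslog) and only when AUDIT_SYS_OPERATIONS is on.

```sql
-- Added example; assumes the 11g traditional audit trail (not Unified Auditing).

-- 1. Keep the audit trail in the database, including the SQL text of each statement.
--    AUDIT_TRAIL is a static parameter: set it in the SPFILE and restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. Statements run by SYS / AS SYSDBA are not written to DBA_AUDIT_TRAIL at all.
--    With this on they are written to the OS audit trail (AUDIT_FILE_DEST / syslog).
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
-- ... restart the instance ...

-- 3. One audit record per ALTER USER statement, whether it succeeded or failed
AUDIT ALTER USER BY ACCESS;

-- 4. Who altered whom, when, and with which statement (non-SYS users)
SELECT timestamp,
       username,          -- database account that ran the statement
       os_username,       -- OS account behind it (relevant if the DB account is shared)
       userhost,
       obj_name    AS altered_user,
       returncode,        -- 0 = succeeded, otherwise the ORA- error number
       sql_text           -- e.g. alter user xxx quota 50 GB on users
  FROM dba_audit_trail
 WHERE action_name = 'ALTER USER'
 ORDER BY timestamp DESC;
```

For the example in the post, the row shows ALTER USER as the action, xxx in obj_name, and the full quota statement in sql_text, together with the database and OS user and the timestamp. For the same statement run by SYS, look in the files under AUDIT_FILE_DEST instead.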
