ORASSO database user privileges

Similar Messages

• Java Database User Role Privileges Framework

  Hello
  I am looking Java Framework which automatic generates Java Code for
  Database User Role Privileges Administration.
  Like in database we have a table of Users
  Now we have table of Author, Book etc. (Related to Library)
  Now i want to give insert permission to user1
  update and delete permission to user2 etc.
  Is there any framework related
  Remeber i do not need User Role Privileges in database.
  I need a framework to do this job.
  Thanks in Advance.

  There are tables created under the SAPSR3DB or SAP<SID>DB schema with extension .UME, such as SAPSR3DB.UME.ACL_ACL or SAPSR3DB.UME_ACL_ACLENTRY for AS-JAVA.
  There are other tables with the UME extension too.
  Regards,
  Anwar

• Multiple database users, ORM, entity framework, best practices

  Hello everyone!
  You've already helped me several times, however I must ask for an advice once more.
  I was assigned to develop .NET application with Data Access Layer and I've decided to use Oracle Database Software to provide sample data.
  As I'm absolute novice considering creating DAL I'd be grateful if you can examine my plan in terms of security and reliability:
  My database:
  1) I've created database with sample tables and relations between them. All tables belongs to databaseAdmin.
  2) I've created HR and Manager database users and granted them some privileges on certain databaseAdmin's tables. My intention is to reduce access to unnecessary tables. If my application user want to make some changes to Customers table it should be enough to connect to database as HR.
  And now I'd like to map my database using Entity Framework in my application. And that's where I have a problem:
  -If I create Entity Model basing on databaseAdmin tables I get perfect model, however every Entity SQL query would be executed on behalf of databaseAdmin, which breaks my idea of hiding unnecessary tables.
  -If I create Entity Model for HR and Manager users, my models could overlap on tables that both users have access to and no connection between tables would be generated (as from their point of view those tables are just some tables that belong to databaseAdmin)
  Could you help me with this deadlock? Or maybe my assumptions about multiple database users are incorrect? Please, bear in mind I'm a novice.
  I was trying to find a solution in web, and there're tons of data discussing technical aspects of Entity Framework etc., but not so many documents about conceptual model of database.

  hi Michael,
  Thanks for you posting!
  Sorry for I am not totally understanding your issue. Maybe two points need your confirm:
  1. I confuse with the "Service controller"? IS your meaning MVC controller? Or ServiceController(http://www.codeproject.com/Articles/31688/Using-the-ServiceController-in-C-to-stop-and-start
  2.whether  The type of ID in the model is match to the database ? In other words, Is the type of IDin .edmx matched to the database?
  By the way, it seems that this issue is more related to EF. You could post this issue on EF discussion for better support.
  Thanks & Regards,
  Will
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• How to set user privilege

  i want to NEW USER excute procedure which
  is other schema!
  i want not to use prefix for execute procedure!
  how to set NEW user privilege?
  null

  Hi
  I create a user in a Database using SQL developer,
  so it is a Database User.
  Now I want to give this user access to some table in
  read , write mode and just let it to read some other
  tables.
  how i can do this ? SQL*Developer currently doesn't support security admininstration through the GUI, but you can use sqlworksheet to issue grant statements.
  grant select on mytable to otheruser1;
  grant select,insert,update,delete on mytable to otheruser2;
  It looks like that when we create a use SQL developer
  create a schema for that user , how i can make more
  users without creating Schema for each of them ?
  A schema is the collection of objects owned by a user. A user can exist without owning any objects.
  If you are using XE, you might be better off using the XE GUI to manage this.

• Oracle Security - Controlling the 'alter user' privilege

  Hi,
  1. DB 10.1.0.5 and 10.2.0.3
  2. "Admin User" needs to be able to change some users passwords in database.
  3. Create user adminuser - grant alter user to adminuser.
  4. DBAs will grant "approle" role to list of required users. DBAs will maintain control of who gets this role.
  4. Create system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - Script does not fire for DBAs and anyone changing their own password.
  The trigger works as intended - the "adminuser" account can only change the specific set of users.
  Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
  Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
  I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
  CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
  DECLARE
  DBACHK varchar2(50);
  USRCHK varchar2(50);
  BEGIN
  BEGIN
  -- Ensure users can change their own passwords --
  IF
  ora_login_user = ora_dict_obj_name
  THEN
  RETURN;
  ELSE
  -- Do not apply trigger to DBA group --
  select grantee into DBACHK from dba_role_privs where granted_role='DBA'
  and grantee = ora_login_user;
  IF
  DBACHK = ora_login_user
  THEN
  RETURN;
  END IF;
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  NULL;
  END;
  BEGIN
  select grantee into USRCHK from dba_role_privs where
  granted_role='DISCUSR' and grantee = ora_dict_obj_name;
  IF
  ora_dict_obj_type = 'USER'
  and ora_dict_obj_name = USRCHK
  ---- Need to check that only the password is being change -- the line below does not work
  and ora_is_alter_column('PASSWORD') = TRUE
  THEN
  RETURN;
  ELSE
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END IF;
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  RAISE_APPLICATION_ERROR(-20003,
  'You are not allowed to alter user.');
  END;
  END;

  user602453 wrote:
  Ed, thank you for your reply. But, let me explain in more detail.
  More detail is always helpful. ;-)
  >
  A specific user has been assigned as the application administrator. This admininstrator is responsible for reseting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
  I see that this may be out your hands, but I'd still question the wisdom of having an apps administrator being the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more of a helper to a clueless user.
  Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
  So,
  Given those requirements, I have this trigger that will allow the the specific administrator to change the password of a specific set of user while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assigning the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
  Hope that clears things up.I still see another problem in that it still comes back to the dba to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.

• How to create user privileges in java

  Hello, I need help! I'm now creating a system based in Java which I need to create a user privilege for security purposes. I need to create 3 kinds of users, 1st is the administrator and the 2nd is a viewer access which can only view the software but can't edit anything and the last 1 is the encoder view. Please help!!! If there is a website which teach me about this, please post the website. Thanks!

  What do you mean by swing application? Well, it is just an application, not web based. After I finished the application, I'm thinking of networking the application but unfortunately, I think MS access don't support networking but it is an added feature. I'm using MS Access for my database because that is the only databse they have. I want to create an user privileges for security purposes but I don't know how to do it. Thanks for your reply!

• How to restrict database user.

  I need to create a database user who have only read only access to the 10g database. Is there any note which will help on this. Thanks in advance.
  regards,
  manish

  Hi,
  Is this an Oracle E-Business Suite database? Do you want to create a user similar to APPS with read privileges? If yes, please refer to the following link:
  Read Only Schema in Oracle APPS 11i
  http://oracle.anilpassi.com/read-only-schema-in-oracle-apps-11i-2.html
  If you want to create just a read only database user (not APPS), grant this user select privilege only on the objects you want this user to access.
  [Create Read only user for a Schema |http://arjudba.blogspot.com/2008/09/create-read-only-user-for-schema.html]
  Regards,
  Hussein

• New HTMLDB User - Want to authenticate against a database user

  Greetings... I would like to authenticate a user sign-in/logon screen against database users setup in the database. It appears to me that DAD might do this, but I'm a bit fuzzy on how to make it work. I looked in some of the FAQ's here and can't seem to find something that tells me how to do this. I'd be thankful for any help you can give this old DBA who's stepping into HTMLDB Development.
  (Love the product so far by the way!)
  Robert

  Robert - It depends on what your aim is, but one way to do it is to create a new DAD without a username or password in the connect info. This will require users to respond to the basic authentication challenge allowing those who have database accounts to authenticate to your application.
  Regardless of which database account is used to authenticate, keep in mind that all SQL and PL/SQL in the application executes as the schema designated as the application's "owner" or parsing schema, so the identity of the authenticated user with respect to database roles and privileges plays no part unless you actively use the session's USER value in VPD/RLS, for example.
  Scott

• Session require user privileges

  I am learning PL/SQ, might as well, learn it in a real environment, even tho at home I created a TEST environment too using Ubuntu 10G Express and Oracle Developer (runs on Ubuntu too)... anyways, when I press the ladybug, I get these errors, I am thinking that the DBA needs to grant me access, here is the error:
  I need to write a Rationale for access, and I don't want to sound like an idiot, what are these objects ? Are there any security concerns that a company would have to think about before granting me access ? I need to go through the right channels first!
  Thanks!
  Connecting to the database XXX.
  Executing PL/SQL: ALTER SESSION SET PLSQL_DEBUG=TRUE
  Executing PL/SQL: CALL DBMS_DEBUG_JDWP.CONNECT_TCP( 'X.X.X.X', '3819' )
  ORA-01031: insufficient privileges
  ORA-06512: at "SYS.DBMS_DEBUG_JDWP", line 68
  ORA-06512: at line 1
  This session requires DEBUG CONNECT SESSION and DEBUG ANY PROCEDURE user privileges.
  Process exited.
  Disconnecting from the database XXX.

  GRANT ALL ON TABLENAME TO USER;

• Multiple Database Users

  Dear Experts
  I have created 3 database users (SCOTT, X, and Y). SCOTT user has all the database. I wanted to give the full rights to X and Y on the objects of SCOTT, so, I issued the command
  SQL>grant all on emp to X;
  Connecting X, i have to give schema.table_name to access data in EMP. Is there any way that i can extract data from SCOTT's object without using schema name with table or without creating synonyms.
  Regads

  user832095 wrote:
  I am extremly sorry,
  I am creating a duplicate server. The existing server has linux as os and oracle 10g db. All the users are created as database users and they can manipulate data through an application. I have a user dump, so, I restored data and created same users in new database and granted all the priviliges the are found in the existing db server, but I was getting user privileges error. I have checked the existibg server database thoroughly but i did not get sysnonyms there. I wonder how the users and their privileges are being maintained there. The same situation I have seen in Maximo database also.
  I am thankfull to my friends in this forum who gave me the valuable solutions. I hope if anybody can help me further
  Regards
  MASo exactly how did you create your "user dump"?
  And exactly How did you "restored data and created same users in new database"?
  And exactly what were you doing when you were "getting user privileges error"
  And what was the exact error message associated with "user privileges error"?
  It's really, really, really difficult (impossible, actually) to help when all you give us are vague descriptions of your interpretation of what you do and how oracle responds. There is no tax on using sqlplus and the fine copy and paste features available with most modern OS products.

• HTMLDB, Database Users, Permissions

  I am working with a client that has an Oracle DB app that uses Forms 6i for the UI. We want to start using HTMLDB in addition to Forms. Currently, all the users have a database username and password, and user permissions are controlled by database roles and individual table permissions. The goal is to allow the users to login to HTMLDB with their db username and password so the existing db roles and permissions will be in effect.
  I have my HTMLDB configuration setup without a PLSQL Username/Password in the marvel.conf file, and this allows users to login to the HTMLDB apps with their DB username and password. This works fine.
  I have a report setup that selects from an employee table. Only a few roles have select permissions on this table. (I will also add that this table is in a schema that is mapped to the HTMLDB workspace) What I am finding is that, regardless of the permissions assigned to the logged in user, they can run this report.
  Looking at the DB connections in Enterprise Manager, it shows the username of the logged in user, so it would apper that the webserver is connecting to the DB as I would expect. How is it that even non-privileged users can run this report?
  If I login via sqlplus as the same user and attempt to run a select against this table, I get "ora-00942 table or view does not exist", so I am sure my permissions are correct. What am I missing?
  Any help on this is greatly appreciated.
  -Tony

  Tony,
  It is not your imagination, this is how things are 'sposed to work. At a Forms/HTML DB site we worked on, individual users were granted database roles, as you described. Forms controlled access to functionality by interrogating user_role_privs and would display access points to modules via menus in strict accordance with the connected user's privileges. In the back-end, however, the application executed in the super-user schema that had object privileges on everything. But user-level access control had already been accomplished by filtering what could be presented in the UI.
  With HTML DB, your users are connected as their database account. This achieves authentication and obtains the value of USER from the database for :APP_USER. Those users have privileges on schema objects through roles. Roles are not enabled in stored procedures, which is the mechanism through which all database interaction is performed in HTML DB.
  The minimum that you'll need to do is to establish row-level access control by using Oracle's Virtual Private Database feature, or VPD (aka, FGAC/RLS), which you can enable for every page request using the VPD application attribute. There will be an excellent how-to published very soon about that. (BTW, you don't need to connect using the database accounts to use this feature, in fact it's designed assuming the opposite situation.)
  When you need to limit access to application components based on user privileges, you'll have to do much more. For example, you might build an authorization model based on user_role_privs. Ensure that all SQL against the application schema is performed through APIs. The APIs will run in the application schema which should own the objects and would therefore have all required object privileges. The authorization model will be implemented as an API that is called from HTML DB authorization schemes attached to pages, regions, processes, etc. Then you can do things like, if the current user is not a manager don't show them links to the 'Show My Employee Detail' page and don't let them run the page if they attempt to do so and also send someone an email if that happens.
  Scott

• Registering Database Users as Warehouse Builder Users - Paris

  On OWB 10.2.0.1 When I do this (Registering Database Users as Warehouse Builder Users - Target) I am getting ORA-01031: insufficient privileges
  DEVDW error:ORA-01031: insufficient privileges
  ORA-06512: at
  "REP_OWNER.WB_RTI_TARGET_SCHEMA_PRIVS", line 356 ORA-06152: at line 1

  i too get the same error..............even i had given that privs externally through OEM the same error is repeating.we could not able to log into the registry as repoitory owner.can some one give what sort of databse privs should a repository owner and repository user should have.

• Difference Between Database Schema and Database User Account ??

  First i would like to know what an Oracle Database schema exactly is ?
  And what is it for and also What is it's use ?
  Later the exact "Difference Between Database Schema and Database User Account".
  I googled about it but i'm unable to find out it's The difference,
  Please try to explain in a simple manner........
  Thank you very Much in Advance..........

  user13655582 wrote:
  Greate example. but i would like add one more point..
  a user is a schema and schema is a user. but when this applies to the user that he become a schema, only if he has got some objects. so we can say while creating the user which dosent contain any objects called simple user account but afterwords when he has got an objects then we can say its a schema as the above user has shown you through the exampleIt is just word-play. There is nothing in like a 'status' indicator to say "USER_A is just a user but USER_B has become a schema". Many people use the terms "user" and "schema" interchangeably, and some very good DBAs will insist this is correct. I don't disagree with them even though I usually try to make the distinction.
  In a typical application, all of the objects (tables, procedures, etc) that implement the app will be owned by a "application schema owner" - a user which exists for the sole purpose of owning the schema. Said user will have no privileges at all .. especially not CREATE SESSION. Except for possible maintenance activity no one ever actually connects as this user. User accounts are then given to actual humans who connect with their own accounts. The accounts have the necessary system and object privileges granted to them - via a role. One could also create a special account (let's call it APP_ADMIN) that is used for maintenance and batch operations within the application.

• Export schema's user privileges

  How to find the export schema's user privileges in originating database?

  If you have acces to the database where export has been taken, you can use dba_user_privs view to find out.
  Else, use imp with indexfile option to write the imp output to the file and look for it.
  Jaffar
  OCP DBA

• OIM 9.1.0 with Database User Management: Connector Exception upon Connect

  Hi,
  I've been struggling with the Database User Management connector (9.0.4) with Sybase, following the steps word-for-word as per the documentation (Oracle® Identity Manager Connector Guide for Database User Manage Release 9.0.4; E10425-0; July 2009).
  When defining the IT Resource through the Install Connector wizard, I get the following when it does a connection test:
  14:51:52,795 ERROR [WEBAPP] Class/Method: CreateITResourceAction/testConnectivityForDataBase/ClassNotFoundException encounter some problems: No ClassLoaders found for: com.sybase.jdbc2.jdbc.SybDriver
  java.lang.ClassNotFoundException: No ClassLoaders found for: com.sybase.jdbc2.jdbc.SybDriver
  even though I've ensured jconn2.jar is in the ThirdParty directory, reflushed the cache, and restarted OIM; the connector still can't seem to load the driver.
  I've tried the database testing script with similar results.
  Any thoughts?
  Cheers
  Simon
  PS: I believe v5.5 of JConnect (as required by the OIM Connector) has been EOL'd and Sybase. They recommend you use v6.0 (v6 is jconn3.jar)), which from what I can see should work as com.sybase.jdbc3.jdbc.SybDriver; I tried that as well but had the same ClassNotFoundException.

  I've fixed it; needed to copy jconn2.jar into the $JBOSS_HOME/lib directory and restart the server.