PDB_DBA has DBA role, but no quota on tablespace

Hi all,
I have a weird situation and I can't find in the doco why that is:
I have created a PDB with the DBA role for the admin user, and I can see that the PDB_DBA role has the DBA role. I can create a table in the admin user's schema, but can't insert rows there, as there is no quota on the tablespace. If I grant DBA to the admin user directly, I can insert rows, so I got "quota unlimited" as part of the DBA role:
SQL> conn / as sysdba
Connected.
SQL> create pluggable database P1 admin user a identified by a roles=(dba);
Pluggable database created.
SQL> alter session set container=P1;
Session altered.
SQL> alter pluggable database P1 open;
Pluggable database altered.
SQL> create table a.t(id integer);
Table created.
SQL> insert into a.t values(1);
insert into a.t values(1)
ERROR at line 1:
ORA-01950: no privileges on tablespace 'SYSTEM'
SQL> select * from dba_role_privs where grantee = 'A';
GRANTEE  GRANTED_ROLE  ADM DEL DEF COM
A        PDB_DBA       YES NO  YES NO
SQL> select granted_role from dba_role_privs where grantee = 'PDB_DBA';
GRANTED_ROLE
DBA
SQL>
SQL> grant dba to a;
Grant succeeded.
SQL> insert into a.t values(1);
1 row created.
SQL> revoke dba from a;
Revoke succeeded.
SQL> insert into a.t values(1);
1 row created.
SQL>

What is the full version of Oracle 12c that you are using?
That does seem odd. Especially since revoking the direct grant leaves the privilege intact which could only come from the role.
What happens if you bounce the DB after the initial INSERT failure? Does it continue to fail if the direct grant isn't made?
Also - did you specify FILE_NAME_CONVERT as an init parameter?
If you have a MOS account I suggest you search to see if there are any bugs related to PDB privileges.
There have been some known issues with the whole PDB metadata link thing. System tables only exist in the root and the PDBs only have metadata links to the actual system entries. It's possible that the metadata link didn't get created or propagated properly after the PDB was created.
That is why I ask if you can try bouncing the database to see if the problem still persists.
The other, related, test to try is to first create the PDB (no other action at all such as grants, users, or anything). Then open the PDB and then shut it all down.
When you restart the entire DB and open the PDB, then perform your test and see if you get the same results. The intent of that test is to see if the metadata entries are properly created and propagated AFTER the PDB actually exists.
Unfortunately (for you at least for now) there are so many nuances to the whole multitenant thing in the way privileges (among other things) work it will be a while until they all get sorted out.
Many of those are the management of privileges (roles, grants, etc.) for PDBs, given that some PDBs aren't open at the time the privilege change is made. If a PDB isn't open and you modify a common privilege there won't be any replication to that PDB and you will later have to update that PDB's privileges manually.
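A dictionary check added here (not from the thread) that separates the three ways user A can obtain space in SYSTEM: an explicit quota in DBA_TS_QUOTAS, UNLIMITED TABLESPACE granted directly to A, and UNLIMITED TABLESPACE reached through the role chain A -> PDB_DBA -> DBA. Run it inside the PDB before the direct GRANT DBA, after it, and after the REVOKE, and compare the direct-grant rows with the role-path rows across the three runs; the DBA_SYS_PRIVS listing quoted later on this page contains no UNLIMITED TABLESPACE row for DBA, which is why both sources are shown separately. Assumes the user A, role PDB_DBA and PDB P1 from the post and an Oracle release with recursive subquery factoring (11.2 or later).

```sql
-- Added example, not part of the original post. Run inside PDB P1 as a user
-- that can read the DBA_* views. User A and role PDB_DBA are from the post.

-- 1. Explicit tablespace quotas. MAX_BYTES = -1 means unlimited on that
--    tablespace; no row at all means no quota, which is what ORA-01950
--    reports on the first extent allocation.
SELECT tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'A';

-- 2. Every role A holds, directly or through nested roles, with the path
--    that reaches it. Oracle rejects circular role grants, so the
--    recursion terminates.
WITH role_path (granted_role, path) AS (
  SELECT granted_role, 'A -> ' || granted_role
    FROM dba_role_privs
   WHERE grantee = 'A'
  UNION ALL
  SELECT rp.granted_role, p.path || ' -> ' || rp.granted_role
    FROM dba_role_privs rp
    JOIN role_path p ON p.granted_role = rp.grantee
)
-- 3a. UNLIMITED TABLESPACE held directly by A ...
SELECT 'direct' AS source, sp.grantee, sp.privilege,
       CAST(NULL AS VARCHAR2(4000)) AS path
  FROM dba_sys_privs sp
 WHERE sp.grantee = 'A'
   AND sp.privilege = 'UNLIMITED TABLESPACE'
UNION ALL
-- 3b. ... or held by any role on one of the paths above.
SELECT 'via role' AS source, sp.grantee, sp.privilege, p.path
  FROM dba_sys_privs sp
  JOIN role_path p ON p.granted_role = sp.grantee
 WHERE sp.privilege = 'UNLIMITED TABLESPACE';

-- 4. What the session itself sees once connected as A (roles enabled):
--    SELECT * FROM session_privs WHERE privilege = 'UNLIMITED TABLESPACE';
```

A direct-grant row that is still present after the REVOKE DBA is a least-privilege finding in its own right, since nothing in the role chain explains it any more.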

Similar Messages

  • Is there a way to create a role like DBA role?

    Is there a way to create a role just like the DBA role?

    Karl wrote:
    thanks for the reply.
    yes, i know the command. but i still have concerns.
    The DBA role comes with the Oracle product, and it is very powerful. Our client wants to have a role just like the DBA role, but with the following excluded from it:
    DELETE_CATALOG_ROLE
    GRANT ANY ROLE
    Then simply do NOT issue those two GRANTs.

  • Finding is which userid has DBA authorization

    Other than finding out by trying to log on with connect abc/abc as sysdba, are there any tables which list all userids which have DBA roles/privileges assigned to them?
    Or what's the fastest way to see if an id has DBA roles/privileges assigned to it.
    Thx

    Zieja, Selecting from v$pwfile_users only works if a password file is in use while selecting from dba_role_privs will always return the DBA users:
    UT1 > select count(*) from v$pwfile_users;
    COUNT(*)
    0
    UT1 > select count(*) from dba_role_privs where Granted_Role = 'DBA';
    COUNT(*)
    14
    Just something to keep in mind.
    -- Mark D Powell --

  • Checking if a user has a role (FGAC)

    Hi!
    I am implementing Fine Grained Access Control on a table and in my policy function I do not want to restrict the amount of result data on a select if the current user has a certain role (otherwise I want to).
    My idea was to check USER_ROLE_PRIVS/ROLE_ROLE_PRIVS for the role, but the stored procedure runs with definer-rights, so that won't help.
    Running the procedure with invoker-rights won't help either, since the invoker of the policy function is not the current user but the DB system (user sys?).
    And finally, the definer of the policy function does not have DBA privs, so I can't select the DBA_* views to check if the current user has the role.
    Is there another way to check if the current user that is known inside the policy function by the USER variable has a certain role?
    Thanks for your help!
    Marcus

    Hi Frank,
    thanks for your answer!
    Frank Kulash wrote:
    Policy functions are run by the user who queries or tries to do DML on the table.
    I don't see that this is happening. Here's my test case:
    CREATE OR REPLACE FUNCTION CU_is_member_of
      (v_role IN VARCHAR2) RETURN NUMBER
      AUTHID CURRENT_USER
    IS
      v_res NUMBER;
    BEGIN
      -- count the role among the roles granted to the current user,
      -- directly or through another role
      SELECT COUNT(*)
        INTO v_res
        FROM (SELECT granted_role FROM user_role_privs
              UNION
              SELECT granted_role FROM role_role_privs)
       WHERE UPPER(granted_role) = UPPER(v_role);
      RETURN v_res;
    END;
    /
    CREATE OR REPLACE FUNCTION POLIFUNC_PARTTYPES_WRITE
      (p_schemaname IN VARCHAR2, p_tablename IN VARCHAR2)
      RETURN VARCHAR2
    IS
    BEGIN
      IF USER = p_schemaname THEN
        RETURN '';                                            -- owner: no predicate
      ELSIF SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES') = 1 THEN
        RETURN ''; -- *****                                   -- role member: no predicate
      ELSE
        RETURN '1=0';                                         -- everyone else: no rows
      END IF;
    END;
    /
    CALL SYS.DBMS_RLS.ADD_POLICY('SYSWM_TOOL', 'TBL_PARTTYPES', 'POL_PARTTYPES', 'SYSWM_TOOL', 'POLIFUNC_PARTTYPES_WRITE', 'select'); -- TODO: SELECT->UPDATE,INSERT,DELETE
    If the policy function is run by the user who queries, then I would expect that a user who has the role querying table TBL_PARTTYPES would see all entries since he would run into the line marked with *****.
    SQL> select SYSWM_TOOL.CU_is_member_of('#ACT#WMT_MANAGE_PARTTYPES') FROM DUAL;
    SYSWM_TOOL.CU_IS_MEMBER_OF('#ACT#WMT_MANAGE_PARTTYPES')
    1
    SQL> SELECT COUNT(*)
    2 FROM
    3 (SELECT GRANTED_ROLE FROM USER_ROLE_PRIVS
    4 UNION
    5 select GRANTED_ROLE from role_role_privs)
    6 WHERE UPPER(GRANTED_ROLE)=UPPER('#ACT#WMT_MANAGE_PARTTYPES');
    COUNT(*)
    1
    So, the current user has the role and the stored function CU_IS_MEMBER_OF works correctly. However:
    SQL> select count(*) from syswm_tool.tbl_parttypes;
    COUNT(*)
    0
    What am I missing here?
    Marcus
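A policy function added here as an alternative to the test case above (not Marcus's or Frank's code). It takes the querying user from SYS_CONTEXT('USERENV', 'SESSION_USER'), which names the session user whatever AUTHID is in effect, and looks that user up in DBA_ROLE_PRIVS, which is keyed by grantee and records grants independently of which roles are enabled in the executing context. It assumes the objects and role name from the post and one extra, direct grant to the function owner: GRANT SELECT ON sys.dba_role_privs TO syswm_tool.

```sql
-- Added example, not code from the thread. Prerequisite (assumed, run as SYS):
--   GRANT SELECT ON sys.dba_role_privs TO syswm_tool;
-- The grant must be direct: object privileges obtained through roles are not
-- available to definer's-rights PL/SQL such as this function.
CREATE OR REPLACE FUNCTION syswm_tool.polifunc_parttypes_write
  (p_schemaname IN VARCHAR2, p_tablename IN VARCHAR2)
  RETURN VARCHAR2
IS
  c_role  CONSTANT VARCHAR2(128) := '#ACT#WMT_MANAGE_PARTTYPES';
  -- SESSION_USER is the user who issued the statement being policed.
  v_user  VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_hits  NUMBER;
BEGIN
  -- The table owner is never restricted.
  IF v_user = p_schemaname THEN
    RETURN NULL;                  -- NULL predicate = no restriction
  END IF;

  -- Walk the role hierarchy starting at the session user: a direct grant of
  -- c_role, or a grant through any nested role, counts as membership. This
  -- reads recorded grants, so it does not depend on roles enabled here.
  SELECT COUNT(*)
    INTO v_hits
    FROM sys.dba_role_privs
   WHERE granted_role = c_role
   START WITH grantee = v_user
   CONNECT BY PRIOR granted_role = grantee;

  IF v_hits > 0 THEN
    RETURN NULL;                  -- role member: sees every row
  END IF;
  RETURN '1=0';                   -- anyone else: sees no rows
END polifunc_parttypes_write;
/

-- Attach it for SELECT, as in the post. If POL_PARTTYPES already exists from
-- the earlier test, remove it first with DBMS_RLS.DROP_POLICY.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SYSWM_TOOL',
    object_name     => 'TBL_PARTTYPES',
    policy_name     => 'POL_PARTTYPES',
    function_schema => 'SYSWM_TOOL',
    policy_function => 'POLIFUNC_PARTTYPES_WRITE',
    statement_types => 'SELECT');
END;
/
```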

  • DBA role

    Hi
    DB 11g
    One user has the GRANT ANY ROLE privilege, and when it tries to grant the "DBA" role it throws insufficient privilege, whereas in the case of "IMP_FULL_DATABASE" and "SELECT_CATALOG_ROLE" it went fine. Why not the DBA role?

    Hi,
    It seems that there is a little confusion among some Oracle documentation. According to Managing User Privileges and Roles (http://download-west.oracle.com/docs/cd/A87860_01/doc/server.817/a76956/privs.htm#15013) in the Oracle 8i documentation, the roles CONNECT, RESOURCE and DBA are automatically defined for Oracle databases as part of database creation. On the other hand, there is a note:
    "Note: The previous three roles are provided to maintain compatibility with previous versions of Oracle and may not be created automatically in future versions of Oracle. Oracle Corporation recommends that you design your own roles for database security, rather than relying on these roles"
    Now, according to the Oracle 10g documentation (http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/authoriz.htm#i1007401):
    "5.2.7 Predefined Roles
    The following roles are defined automatically for Oracle Database:
    * CONNECT
    * RESOURCE
    * DBA
    * EXP_FULL_DATABASE
    * IMP_FULL_DATABASE
    These roles are provided for backward compatibility to earlier versions of Oracle Database and can be modified in the same manner as any other role in an Oracle database.
    Note: Each installation should create its own roles and assign only those privileges that are needed, thus retaining detailed control of the privileges in use. This process also removes any need to adjust existing roles, privileges, or procedures whenever Oracle Database changes or removes roles that Oracle Database defines. For example, the CONNECT role now has only one privilege: CREATE SESSION. Both CONNECT and RESOURCE roles will be deprecated in future Oracle versions."
    In summary, the CONNECT and RESOURCE roles will be deprecated in future Oracle versions, but there is nothing about the DBA role.
    Cheers
    Legatti

  • DBA role and system privileges

    I created a new user (PIPPO) with the default dba role in my db.
    I know that the dba_role has the SELECT ANY TABLE and INSERT ANY TABLE system privileges.
    I experienced that if I select a table of another schema in a simple sqlplus session everything is OK, but if I select the same table in the same manner in a PL/SQL procedure or in the creation of a view, both owned by PIPPO, the error message is that the table does not exist...
    So I have to grant SELECT and INSERT on the tables I want to my user PIPPO.
    Does anyone tell me if this is normal or strange?
    Thanks

    This is normal. To access another schema's tables you need a direct grant, not one through a role. DBA is a role.

  • APEX DBA role to monitor the database, is there a workaround?

    I have a developer who wishes to access the database monitor for performance monitoring, but I do not wish to give him DBA privileges. Is apex looking for the DBA role explicitly?


  • Grant DBA role

    Hi, I have experienced many times that when you give the DBA role to a schema it should get the CREATE ANY privilege on all objects, but this is not the case: after giving the DBA privilege to a schema I have to give the CREATE ANY privilege to that schema, though the DBA role has that facility. Why is it so?
    Regards
    Vikas Chopkar

    Are you talking about the default role named DBA? If so, that role should rarely be granted to anyone. Either way, on my database it has the privileges you say it doesn't.
    SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='DBA' ORDER BY PRIVILEGE;
    GRANTEE                        PRIVILEGE                                ADM
    DBA                            ADMINISTER ANY SQL TUNING SET            YES
    DBA                            ADMINISTER DATABASE TRIGGER              YES
    DBA                            ADMINISTER RESOURCE MANAGER              YES
    DBA                            ADMINISTER SQL TUNING SET                YES
    DBA                            ADVISOR                                  YES
    DBA                            ALTER ANY CLUSTER                        YES
    DBA                            ALTER ANY DIMENSION                      YES
    DBA                            ALTER ANY EVALUATION CONTEXT             YES
    DBA                            ALTER ANY INDEX                          YES
    DBA                            ALTER ANY INDEXTYPE                      YES
    DBA                            ALTER ANY LIBRARY                        YES
    DBA                            ALTER ANY MATERIALIZED VIEW              YES
    DBA                            ALTER ANY OUTLINE                        YES
    DBA                            ALTER ANY PROCEDURE                      YES
    DBA                            ALTER ANY ROLE                           YES
    DBA                            ALTER ANY RULE                           YES
    DBA                            ALTER ANY RULE SET                       YES
    DBA                            ALTER ANY SEQUENCE                       YES
    DBA                            ALTER ANY SQL PROFILE                    YES
    DBA                            ALTER ANY TABLE                          YES
    DBA                            ALTER ANY TRIGGER                        YES
    DBA                            ALTER ANY TYPE                           YES
    DBA                            ALTER DATABASE                           YES
    DBA                            ALTER PROFILE                            YES
    DBA                            ALTER RESOURCE COST                      YES
    DBA                            ALTER ROLLBACK SEGMENT                   YES
    DBA                            ALTER SESSION                            YES
    DBA                            ALTER SYSTEM                             YES
    DBA                            ALTER TABLESPACE                         YES
    DBA                            ALTER USER                               YES
    DBA                            ANALYZE ANY                              YES
    DBA                            ANALYZE ANY DICTIONARY                   YES
    DBA                            AUDIT ANY                                YES
    DBA                            AUDIT SYSTEM                             YES
    DBA                            BACKUP ANY TABLE                         YES
    DBA                            BECOME USER                              YES
    DBA                            CHANGE NOTIFICATION                      YES
    DBA                            COMMENT ANY TABLE                        YES
    DBA                            CREATE ANY CLUSTER                       YES
    DBA                            CREATE ANY CONTEXT                       YES
    DBA                            CREATE ANY DIMENSION                     YES
    DBA                            CREATE ANY DIRECTORY                     YES
    DBA                            CREATE ANY EVALUATION CONTEXT            YES
    DBA                            CREATE ANY INDEX                         YES
    DBA                            CREATE ANY INDEXTYPE                     YES
    DBA                            CREATE ANY JOB                           YES
    DBA                            CREATE ANY LIBRARY                       YES
    DBA                            CREATE ANY MATERIALIZED VIEW             YES
    DBA                            CREATE ANY OPERATOR                      YES
    DBA                            CREATE ANY OUTLINE                       YES
    DBA                            CREATE ANY PROCEDURE                     YES
    DBA                            CREATE ANY RULE                          YES
    DBA                            CREATE ANY RULE SET                      YES
    DBA                            CREATE ANY SEQUENCE                      YES
    DBA                            CREATE ANY SQL PROFILE                   YES
    DBA                            CREATE ANY SYNONYM                       YES
    DBA                            CREATE ANY TABLE                         YES
    DBA                            CREATE ANY TRIGGER                       YES
    DBA                            CREATE ANY TYPE                          YES
    DBA                            CREATE ANY VIEW                          YES
    DBA                            CREATE CLUSTER                           YES
    DBA                            CREATE DATABASE LINK                     YES
    DBA                            CREATE DIMENSION                         YES
    DBA                            CREATE EVALUATION CONTEXT                YES
    DBA                            CREATE EXTERNAL JOB                      YES
    DBA                            CREATE INDEXTYPE                         YES
    DBA                            CREATE JOB                               YES
    DBA                            CREATE LIBRARY                           YES
    DBA                            CREATE MATERIALIZED VIEW                 YES
    DBA                            CREATE OPERATOR                          YES
    DBA                            CREATE PROCEDURE                         YES
    DBA                            CREATE PROFILE                           YES
    DBA                            CREATE PUBLIC DATABASE LINK              YES
    DBA                            CREATE PUBLIC SYNONYM                    YES
    DBA                            CREATE ROLE                              YES
    DBA                            CREATE ROLLBACK SEGMENT                  YES
    DBA                            CREATE RULE                              YES
    DBA                            CREATE RULE SET                          YES
    DBA                            CREATE SEQUENCE                          YES
    DBA                            CREATE SESSION                           YES
    DBA                            CREATE SYNONYM                           YES
    DBA                            CREATE TABLE                             YES
    DBA                            CREATE TABLESPACE                        YES
    DBA                            CREATE TRIGGER                           YES
    DBA                            CREATE TYPE                              YES
    DBA                            CREATE USER                              YES
    DBA                            CREATE VIEW                              YES
    DBA                            DEBUG ANY PROCEDURE                      YES
    DBA                            DEBUG CONNECT SESSION                    YES
    DBA                            DELETE ANY TABLE                         YES
    DBA                            DEQUEUE ANY QUEUE                        YES
    DBA                            DROP ANY CLUSTER                         YES
    DBA                            DROP ANY CONTEXT                         YES
    DBA                            DROP ANY DIMENSION                       YES
    DBA                            DROP ANY DIRECTORY                       YES
    DBA                            DROP ANY EVALUATION CONTEXT              YES
    DBA                            DROP ANY INDEX                           YES
    DBA                            DROP ANY INDEXTYPE                       YES
    DBA                            DROP ANY LIBRARY                         YES
    DBA                            DROP ANY MATERIALIZED VIEW               YES
    DBA                            DROP ANY OPERATOR                        YES
    DBA                            DROP ANY OUTLINE                         YES
    DBA                            DROP ANY PROCEDURE                       YES
    DBA                            DROP ANY ROLE                            YES
    DBA                            DROP ANY RULE                            YES
    DBA                            DROP ANY RULE SET                        YES
    DBA                            DROP ANY SEQUENCE                        YES
    DBA                            DROP ANY SQL PROFILE                     YES
    DBA                            DROP ANY SYNONYM                         YES
    DBA                            DROP ANY TABLE                           YES
    DBA                            DROP ANY TRIGGER                         YES
    DBA                            DROP ANY TYPE                            YES
    DBA                            DROP ANY VIEW                            YES
    DBA                            DROP PROFILE                             YES
    DBA                            DROP PUBLIC DATABASE LINK                YES
    DBA                            DROP PUBLIC SYNONYM                      YES
    DBA                            DROP ROLLBACK SEGMENT                    YES
    DBA                            DROP TABLESPACE                          YES
    DBA                            DROP USER                                YES
    DBA                            ENQUEUE ANY QUEUE                        YES
    DBA                            EXECUTE ANY CLASS                        YES
    DBA                            EXECUTE ANY EVALUATION CONTEXT           YES
    DBA                            EXECUTE ANY INDEXTYPE                    YES
    DBA                            EXECUTE ANY LIBRARY                      YES
    DBA                            EXECUTE ANY OPERATOR                     YES
    DBA                            EXECUTE ANY PROCEDURE                    YES
    DBA                            EXECUTE ANY PROGRAM                      YES
    DBA                            EXECUTE ANY RULE                         YES
    DBA                            EXECUTE ANY RULE SET                     YES
    DBA                            EXECUTE ANY TYPE                         YES
    DBA                            EXPORT FULL DATABASE                     YES
    DBA                            FLASHBACK ANY TABLE                      YES
    DBA                            FORCE ANY TRANSACTION                    YES
    DBA                            FORCE TRANSACTION                        YES
    DBA                            GLOBAL QUERY REWRITE                     YES
    DBA                            GRANT ANY OBJECT PRIVILEGE               YES
    DBA                            GRANT ANY PRIVILEGE                      YES
    DBA                            GRANT ANY ROLE                           YES
    DBA                            IMPORT FULL DATABASE                     YES
    DBA                            INSERT ANY TABLE                         YES
    DBA                            LOCK ANY TABLE                           YES
    DBA                            MANAGE ANY FILE GROUP                    YES
    DBA                            MANAGE ANY QUEUE                         YES
    DBA                            MANAGE FILE GROUP                        YES
    DBA                            MANAGE SCHEDULER                         YES
    DBA                            MANAGE TABLESPACE                        YES
    DBA                            MERGE ANY VIEW                           YES
    DBA                            ON COMMIT REFRESH                        YES
    DBA                            QUERY REWRITE                            YES
    DBA                            READ ANY FILE GROUP                      YES
    DBA                            RESTRICTED SESSION                       YES
    DBA                            RESUMABLE                                YES
    DBA                            SELECT ANY DICTIONARY                    YES
    DBA                            SELECT ANY SEQUENCE                      YES
    DBA                            SELECT ANY TABLE                         YES
    DBA                            SELECT ANY TRANSACTION                   YES
    DBA                            UNDER ANY TABLE                          YES
    DBA                            UNDER ANY TYPE                           YES
    DBA                            UNDER ANY VIEW                           YES
    DBA                            UPDATE ANY TABLE                         YES

  • ColdFusion 11: allowedextforinclude functionality has changed. But the docs haven't been

    G'day:
    I am reposting this from my blog ("ColdFusion 11: allowedextforinclude functionality has changed. But the docs haven't been") at the suggestion of Adobe support:
    @dacCfml @ColdFusion Can you post your queries at http://t.co/8UF4uCajTC for all cfclient and mobile queries. — Anit Kumar Panda (@anitkumar85) April 29, 2014
    This particular question is not regarding <cfclient>, hence posting it on the regular forum, not on the mobile-specific one as Anit suggested. I have edited this in places to remove language that will be deemed inappropriate by the censors here. Changes I have made are in [square brackets]. The forums software here has broken some of the styling, but so be it.
    G'day:
    Remember this one: "ColdFusion 11: preventing files from being included? [WTH], Adobe?". I can confirm this very moderately slightly contentious feature has been changed in ColdFusion 11, but the docs have not been updated to reflect the change.
    The issue is summarised thus (from the article linked-to above):
    [...]out of the box ColdFusion 11 will only allow the inclusion of CFML and HTML files. Why? They cite "for security reasons". Here's a quote (posted in the bugtracker, originally from the pre-release forums):
    "Vamseekrishna Manneboina: Yes, this was done as part of a security measure. You can now only include CFM/CFML files by default. You can specify additional extensions via a property called allowedextforinclude in neo-runtime.xml. By default, HTM and HTML file extensions are already added to this list/property, thereby allowing for inclusion of HTM and HTML files too by default."
    OK, I disagree there's merit in this, some others agree, others disagree. But... so be it. I actually thought - if I was in a charitable mood - that the people that were "for" this change made a reasonable case for its inclusion, so - whilst not agreeing with them - I was content to just shrug and go "yeah, oh well".
    Now this feature is still in the docs: "New in ColdFusion 11 - Restrictions", but this is not the way it now works. Initially I thought it had been removed completely (and I am now in the midst of retooling this article from saying that... as I only worked out what was going on 2/3rds of the way through writing it).
    I did a secure install the other day, and one of the first things I tested was this:
    <!--- test.cfm --->
    <cfset message = "before">
    <cfoutput>
        #message#<br>
        <cfinclude template="code.inc">
        <cfset message = "after">
        #message#<br>
    </cfoutput>
    <!--- code.inc --->
    <cfset message="within">
    <cfoutput>
        #message#<br>
    </cfoutput>
    And this all runs fine, as one would expect:
    before
    within
    after
    Next I checked neo-runtime.xml to see if the settings had been augmented to switch this off by default: but I'm buggered if I can see any reference to it anywhere.
    So I then checked ColdFusion Administrator to see if there was any hint of it there, as this was one of the things Adobe said they were going to do in their solution to this. And there it is:
    So by default now, anything is allowed. I figured I must have missed the setting in neo-runtime.xml, so changed the setting to "FOOBAR" so I could easily spot it, and there it is down @ /wddxPacket/data/array/*[16]/var[@name="compileextforinclude"] in neo-runtime.xml:
    <var name="compileextforinclude">
        <string>FOOBAR</string>
    </var>
    And - having changed it back to something sensible: CFM, then the feature now "works":
    before
    #message#
    after
    However this is probably a worse security hole than the one they were trying to fix! It looks OK when looking at the render in the browser, but look at the actual raw mark-up:
    before<br>
    <cfset message="within">
    <cfoutput>
        #message#<br>
    </cfoutput>
    after<br>
    We have unparsed CFML source code sent to the browser. This is awful. What if someone switches this on, and doesn't spot one of their old includes which has less-than-trivial CFML in it? It's now publicly accessible. Adobe have created a feature which has the possibility to leak source code to the outside world. How is that a security feature?
    Also interesting is that with the super-secure profile installed, this is still off by default? I would have thought it'd be on in this case?
    I still don't think this feature has been implemented properly, and it all still points even more to the fact the Adobe ColdFusion bods don't really know what they're doing.
    Anyway, I'll nudge Adobe to at least get the docs sorted out.
    Time for work (3min ago)...
    Adam

    Hi Adam,
    Regarding "What if someone switches this on, and doesn't spot one of their old includes which has less-than-trivial CFML in it?", yeah I agree that'd be a problem.  Hmm, maybe both this.allowedextforinclude *and* this.compileextforinclude should've been supported (instead of replacing the former w/ the latter as was done)?  Example:
    this.compileextforinclude="cfm,cfml,inc";
    this.allowedextforinclude="cfm,cfml,inc,txt";
    That way an exception could be thrown if cf|included file's extension wasn't in the this.allowedextforinclude list.
    Perhaps the above could be shortened to:
    this.compileextforinclude="cfm,cfml,inc";
    this.allowedextforinclude="txt";//implicitly includes * from this.compileextforinclude (since -compile- implies -allowed-)
    Dunno if that'd be confusing.
    Anyhow, just some thoughts..
    Thanks!,
    -Aaron

  • T-code not in any role but shown in the SUIM report

    Hi friends
    I have a t-code which is not in any role, but when I run the SUIM report for Where Used List > Authorization Values > In Roles, entering S_TCODE in the Object1 field and the t-code in the entry value field, the report brings out a role where this t-code is used. I have been into that role and checked if that t-code is in the menu tab, but I could not find it. I also ran SUIM for Roles By Complex Selection Criteria but I could not find a role where this t-code is in. But how come when I run the report for Where Used List it brings this t-code?
    Any quick thoughts on this are highly appreciated as this is a high priority.
    Thanks in advance
    KV

    Abhishek Belokar wrote:
    Hello Abhishek,
    As Alex indicated, you can use this FM (function module) to correct inconsistencies, primarily on the UST* tables which are used by SUIM. If you have been doing a lot of manual changes to authorizations and using ranges, then this can happen (particularly so if you are changing authorizations in production...). As far as I know, in the latest SAP releases (from 6.40 onwards) this should not normally occur that easily...
    I looked into this FM a bit, as I have not used it in quite some time now (see above comments).
    Right upfront, the function group name which it belongs to (SUSI) has a "(FOR INTERNAL USE ONLY!)" comment in it...
    Perhaps you also read that comment (which is activity '03')... 
    I was however not able to generate a test environment and execute it, because I am not authorized for SUSI... (see SAP note 587410 to distinguish between them).
    I did find reports which call this, so you might be lucky there (and not need S_DEVELOP authorizations to do this... but without the table_type = 'X')
    However, I did try to make a bit more sense of it, without actually running it... (some corrections to my above post - but still not authoritative on the topic)
    table_type 'U' = (which is default) synchronizes USR04 from UST04, however UST04 might still have phantom entries in it.
    table_type 'P' = synchronizes UST10* from UST04, though how that is meant to work I really don't know.
    table_type 'A' = synchronizes UST12 from UST10*, see above and also includes "BIS" values.
    table_type 'X' = synchronize UST04 from USR04, then table_type 'U', 'P' and 'A'.
    Running it "just for fun" is okay in a sandbox...
    Running it in a production system.... is also okay to fix a mess once you are there... but you could seriously disrupt the business processes (see above comment about manual changes, also in production).
    >
    > I ran this function module in a sandbox....and guess what...i saw some changes :
    > I ran with parameter 'X':
    >
    > (Picked 3 UST* tables, number of entries)
    > Table             Before           After
    > UST04       67,651     67,340
    > UST10C     10,972           10,968
    > UST10S     198,915          198,902
    Consider yourself blessed (unless the developers run this regularly in the sandbox...
    Kind regards,
    Julius

  • DBA role dropped

    Hi,
    I recently saw that the DBA role is missing from one of our databases and the connect privileges are revoked from almost all schemas in the database. I tried investigating how this happened. Initially I went to check DBA_AUDIT_TRAIL; unfortunately it's empty. Secondly I tried using LogMiner to analyse the redo logs for the last 5 days in short intervals. Analysing V$LOGMNR_CONTENTS using a "DROP" filter on the operation column, I still couldn't get anything. Can anyone suggest any other way to investigate this?

    If you had access to a database of the same version you could use the scripts from Pete Finnigan (http://www.petefinnigan.com/tools.htm) to see what privileges are given to the DBA role and re-create the role.
    On metalink there is Note: 1068678.6 How to Recreate DBA Role if Dropped. Last revision is 26-Nov-2002 and only mentions version 8.X.
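One more place to look, as an added example that is not part of the thread above: in V$LOGMNR_CONTENTS the OPERATION column holds the literal value 'DDL' for every DDL statement, and the statement text itself sits in SQL_REDO, so a filter of OPERATION = 'DROP' returns nothing even when the redo contains the DROP ROLE. The archive log paths below are hypothetical; take the real ones from V$ARCHIVED_LOG. The second half shows the auditing that would have recorded the change had it been in place; it assumes the AUDIT_TRAIL parameter is set to DB (with AUDIT_TRAIL=NONE, DBA_AUDIT_TRAIL stays empty exactly as described in the post).

```sql
-- List the archived logs covering the suspect window (five days, as in the post)
SELECT name, first_time, next_time
  FROM v$archived_log
 WHERE first_time >= SYSDATE - 5
 ORDER BY first_time;

-- Register the logs and start LogMiner against the live dictionary.
-- Paths are hypothetical examples.
BEGIN
  DBMS_LOGMNR.ADD_LOGFILE(logfilename => '/u01/arch/1_1001_987654321.arc',
                          options     => DBMS_LOGMNR.NEW);
  DBMS_LOGMNR.ADD_LOGFILE(logfilename => '/u01/arch/1_1002_987654321.arc',
                          options     => DBMS_LOGMNR.ADDFILE);
  DBMS_LOGMNR.START_LOGMNR(options => DBMS_LOGMNR.DICT_FROM_ONLINE_CATALOG);
END;
/

-- OPERATION is 'DDL' for any DDL; the statement text is in SQL_REDO.
-- Filter on the text, not on OPERATION = 'DROP'.
SELECT timestamp, username, session_info, sql_redo
  FROM v$logmnr_contents
 WHERE operation = 'DDL'
   AND (UPPER(sql_redo) LIKE '%DROP ROLE%'
        OR UPPER(sql_redo) LIKE '%REVOKE%')
 ORDER BY timestamp;

BEGIN
  DBMS_LOGMNR.END_LOGMNR;
END;
/

-- Going forward: record role and privilege changes in DBA_AUDIT_TRAIL.
-- Requires the static parameter AUDIT_TRAIL=DB (instance restart).
-- Actions taken as SYS are only captured with AUDIT_SYS_OPERATIONS=TRUE,
-- and those go to the OS audit trail, not the DB table.
AUDIT ROLE BY ACCESS;           -- CREATE / ALTER / DROP / SET ROLE
AUDIT SYSTEM GRANT BY ACCESS;   -- GRANT / REVOKE of system privileges and roles
```

If the online redo has already cycled past the event, only the archived logs still hold it; if archiving is off, the redo is gone and the audit settings above are the only way to catch the next occurrence.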

  • DBA role cannot update a table

    SQL> select * from v$version;
    BANNER
    Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
    PL/SQL Release 11.2.0.1.0 - Production
    CORE    11.2.0.1.0      Production
    TNS for Linux: Version 11.2.0.1.0 - Production
    NLSRTL Version 11.2.0.1.0 - Production
    SQL> show user
    USER is "JIMMYB"
    SQL> select granted_role from dba_role_privs where grantee ='JIMMYB';
    GRANTED_ROLE
    CTXAPP
    DBA
    SQL> select user_seq, person_id from cmis.users
      2  where last_name = 'ZIGGY';
      USER_SEQ  PERSON_ID
         12788    1246277
    SQL> update cmis.users
      2  set
      3     person_id = 10991
      4  where user_seq = 12788;
    update cmis.users
    ERROR at line 1:
    ORA-00942: table or view does not exist
    How can the DBA role not be allowed to update this table?

    I'm not sure what I am missing here. I've never encountered this before.
    SQL> desc cmis.users
    Name               Null?    Type
    USER_SEQ           NOT NULL NUMBER
    PERSON_ID                   NUMBER ENCRYPT
    USERNAME                    VARCHAR2(50) ENCRYPT
    PREFIX                      VARCHAR2(10)
    FIRST_NAME                  VARCHAR2(100) ENCRYPT
    MIDDLE_NAME                 VARCHAR2(100) ENCRYPT
    LAST_NAME                   VARCHAR2(100) ENCRYPT
    SUFFIX                      VARCHAR2(12)
    EMAIL_ADDRESSS              VARCHAR2(1000) ENCRYPT
    USER_STATUS_SEQ             NUMBER
    I can't imagine it has anything to do with transparent data encryption.
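A few checks worth running in the same JIMMYB session before assuming the role is at fault; these are added here as an example and are not from the thread. They look at the three things that produce ORA-00942 for a user who nominally holds DBA: the role not being enabled in this session, the name not resolving to the object you think it does, and a trigger on the table failing with its own ORA-00942. The object and user names are the ones from the post.

```sql
-- 1. Is DBA enabled in THIS session? A role can be granted but not DEFAULT,
--    or switched off with SET ROLE, and then none of its privileges apply.
SELECT role FROM session_roles;
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'JIMMYB';
SELECT privilege FROM session_privs WHERE privilege = 'UPDATE ANY TABLE';

-- If DBA is absent from SESSION_ROLES, enable it and retry the UPDATE.
SET ROLE ALL;

-- 2. What does CMIS.USERS resolve to? A private synonym in CMIS pointing at
--    a dropped or remote object, or a view over one, still gives ORA-00942.
SELECT owner, object_name, object_type, status
  FROM dba_objects
 WHERE owner = 'CMIS' AND object_name = 'USERS';
SELECT table_owner, table_name, db_link
  FROM dba_synonyms
 WHERE owner = 'CMIS' AND synonym_name = 'USERS';

-- 3. Triggers fire as their owner under definer's rights; one that references
--    a missing table raises ORA-00942 from inside the UPDATE.
SELECT trigger_name, triggering_event, status
  FROM dba_triggers
 WHERE table_owner = 'CMIS' AND table_name = 'USERS';

-- 4. Has the DBA role itself been trimmed?
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'DBA' AND privilege LIKE '%ANY TABLE';
```

Because the SELECT on the same table succeeded, step 2 matters most if the object is a view or synonym whose underlying object differs for read and write paths; step 3 covers the case where the error text is really the trigger's and the ORA-04088 wrapper was cut off in the paste.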

  • DBA role required to see indexes in Other Users schema

    When my developers try to view indexes owned by other users they are unable to see them unless they have been added to the DBA role. Is this a requirement to view indexes owned by others? Are there lesser privs than DBA that will allow this?

    The developer already has this privilege. Using other development tools he can see the indexes in other schemas. It appears to be a problem or setting in SQL Developer. We are running version 1.2.1. Any other thoughts?
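For the first question in this thread, the lesser privilege exists; the following is an added example, not part of the original posts, and dev_user is a hypothetical account name. Index definitions live in the data dictionary, so read access to the DBA_* views is all that is needed, and neither grant below exposes any row data.

```sql
-- Option A: dictionary read access as a role
GRANT SELECT_CATALOG_ROLE TO dev_user;

-- Option B: the same reach as a system privilege (also works inside
-- definer's-rights PL/SQL, where roles are disabled)
GRANT SELECT ANY DICTIONARY TO dev_user;

-- As dev_user: indexes in another schema with their columns.
-- ALL_INDEXES would list only indexes on tables dev_user already
-- holds object privileges on; DBA_INDEXES lists everything.
SELECT i.owner, i.table_name, i.index_name, i.uniqueness,
       c.column_position, c.column_name
  FROM dba_indexes i
  JOIN dba_ind_columns c
    ON c.index_owner = i.owner
   AND c.index_name  = i.index_name
 WHERE i.owner = 'CMIS'
 ORDER BY i.table_name, i.index_name, c.column_position;
```

Reading the rows of those tables still requires SELECT on the tables themselves, which is exactly the separation that makes this preferable to handing out DBA.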

  • Mitigation runs against role but not user with same role assignment

    Hello, I'm currently running Compliance Calibrator 4.0. I've created a Mitigation Control and assigned a number of Risks to the Mitigation Control.
    I've then assigned the Risks in that Mitigation Control to a specific role.
    When I run the SoD check, the role no longer shows any issues. This is good and expected.
    However, when I run the SoD against a user that has that role assigned the user is reported with issues when no SoD issues should be shown.
    Am I missing something? I don't believe I need to assign Mitigation Control to the user, because one day the risk might be valid to that user, but just not for the role I'm trying to mitigate against. Many thanks.

    Hi Dylan, the system is reacting correctly.
    When you mitigate a role, you mitigate the risk associated with the role, and under 'Role Analysis' you will see that this role has been mitigated.
    However, when you run a User analysis, the system will still identify him if there is a 'RISK' associated with the user, and this is regardless of whether the associated Role is mitigated or not, because what you want to know is the risk of the user and not what roles this user has.
    You will need to specifically mitigate the User in order for the mitigation control to show against the User in the report.
    The same applies vice versa: when you mitigate a User, it also does not mean that all the associated Roles that the user has are mitigated. The risk associated with the roles will still appear when you do 'Role Analysis'.
    Cheers!

  • DBA role and privacy problem

    I have some problems understanding the DBA role. I have DBA privs on a database (I'm a developer, not a DBA). Because of a privacy problem, I must not select data from one particular table of the database. A solution could be to encrypt the rows of this table... This will be the last choice, because in that case I will have to rewrite some applications. So, I'm trying to create a new role in which I have all privileges except SELECT ANY TABLE. Then I will have to lose my DBA privs. During the ordinary operations necessary to maintain my applications (like backup, import and export and so on...), I will have DBA privs granted again by the privacy manager only for the period necessary to maintain the site. After this period I have to sign a paper in which I declare I have not seen the records of that table. As you can imagine, this solution is very bad (during that period I can create 1000 users with DBA privs...), but it seems to be fine to the privacy manager.
    Now my problem is: after creating the role DBA_WSAT, which is the DBA role without SELECT ANY TABLE, I can connect as sysdba again... Why? What is the privilege that enables a user to connect as sysdba? Any suggestions will be appreciated to solve this bad situation...
    Thank you very much.
    Ste.

    You probably have an entry in the password file that needs to be removed if you are no longer a DBA.
    Have you considered auditing access to this sensitive table, either in addition to the current proposal or instead of it? That would be far more secure than signing the piece of paper periodically.
    Justin
    Distributed Database Consulting, Inc.
    http://www.ddbcinc.com/askDDBC
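Putting Justin's two points together, as an added example that is neither Ste's nor Justin's code: SYSDBA is not a system privilege that any role can carry, so no DBA-minus-SELECT-ANY-TABLE role removes it; it comes from the password file (or from OS membership in the OSDBA group for "/ as sysdba"). The block below removes that entry, builds DBA_WSAT from DBA's own system privileges, verifies that nothing nested re-introduces table reads, and turns on object auditing for the sensitive table. STE as the account name and HR.SALARY as the protected table are hypothetical; the check query in step 3 should come back empty. This role still holds GRANT ANY PRIVILEGE, CREATE ANY PROCEDURE and the like, so it is the paper boundary the privacy manager asked for, and the audit trail is the control that actually stands.

```sql
-- 1. SYSDBA lives in the password file, not in a role. Find and remove it.
SELECT username, sysdba, sysoper FROM v$pwfile_users;
REVOKE SYSDBA FROM ste;

-- 2. Copy DBA's system privileges minus the ones that read arbitrary tables.
--    GRANT takes no subquery, so loop with dynamic SQL.
--    READ ANY TABLE only exists from 12c; on older releases the NOT IN
--    simply never matches it.
CREATE ROLE dba_wsat;
BEGIN
  FOR p IN (SELECT privilege
              FROM dba_sys_privs
             WHERE grantee = 'DBA'
               AND privilege NOT IN ('SELECT ANY TABLE', 'READ ANY TABLE'))
  LOOP
    EXECUTE IMMEDIATE 'GRANT ' || p.privilege || ' TO dba_wsat';
  END LOOP;
END;
/
-- Dictionary views, but deliberately NOT DBA's nested roles:
-- EXP_FULL_DATABASE and DATAPUMP_EXP_FULL_DATABASE carry SELECT ANY TABLE.
GRANT SELECT_CATALOG_ROLE TO dba_wsat;

-- 3. Verify the effective privileges through every nested role, because a
--    privilege two roles deep still applies to the session.
SELECT DISTINCT s.grantee, s.privilege
  FROM dba_sys_privs s
 WHERE s.privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
   AND s.grantee IN (SELECT 'DBA_WSAT' FROM dual
                     UNION ALL
                     SELECT granted_role
                       FROM dba_role_privs
                      START WITH grantee = 'DBA_WSAT'
                    CONNECT BY PRIOR granted_role = grantee);

-- 4. Swap the roles on the developer account.
GRANT dba_wsat TO ste;
REVOKE dba FROM ste;

-- 5. Audit every access to the table regardless of who holds what.
--    Requires AUDIT_TRAIL=DB; SQL_TEXT is only filled with DB,EXTENDED.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.salary BY ACCESS;
SELECT username, os_username, userhost, timestamp, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'SALARY'
 ORDER BY timestamp DESC;
```

Exports and backups that need SELECT ANY TABLE can then be done from a separate account that holds EXP_FULL_DATABASE, rather than by temporarily re-granting DBA to the developer, which keeps the audit trail attributable.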
