Protecting a schema???
Hello!
I just created a 9i schema and it contains a few tables, triggers, views, etc...however I'm not ready for it to go live just yet. How can I make this schema read-only even to the schema owner? Is this possible?
TIA!
-orasyb
<quote>How can I make this schema read-only even to the schema owner?</quote>
A schema can do nothing to the objects it contains (it is a database artifact, a thing, after all) … it takes a human to do/initiate something. So, to protect the schema objects from humans you:
1. revoke all privileges on the schema objects
2. change the schema password or, even better (in order to avoid the password management), just lock the account.
Should one still require read/only access to the data, then you grant select privileges for the relevant data to some unlocked schema and publish its password to the relevant parties.
In a properly structured production environment you would do this setup anyway … 100% protect the main application schema (the one having the objects) and control access to the objects through a proxy account having precisely the privileges required for the level of access (nothing more, nothing less). Should the level of access be read/only of data then … well, you grant just that.
<quote> … however I'm not ready for it to go live just yet</quote>
Think in reverse … assume you were live (and hence read/write) and had to go read/only at a moment's notice … how would you proactively set up your objects/schemas/roles/etc. to be able to achieve that?
Since the DBA will be doing all the “protecting”, it goes without saying that the database/software cannot protect itself from the DBA. For that one has to go outside the database and implement company policies.
This last paragraph requires some further explanation … should the DBA grant “insert any table” to some schema then, in fact, a slice of the all-powerful DBA role (so to speak) would be floated out … if that is done without due diligence then the DBA would, in effect, expose for exploit something s(he)'s supposedly “protecting”. So the theme remains the same: the database cannot protect itself from the DBA.
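The steps from the reply above as Oracle SQL, added here as an illustration and not part of the original thread. APP_OWNER, APP_READER, APP_READ_ROLE and the password are assumed placeholder names; the final queries are checks for leftover grants and for accounts holding ANY privileges, which are not stopped by locking the owner.

```sql
-- Added example. APP_OWNER, APP_READER, APP_READ_ROLE and the password
-- are placeholders (assumptions), not names from the thread.

-- (a) As a DBA: create the read-only role and the proxy account.
CREATE ROLE app_read_role;
CREATE USER app_reader IDENTIFIED BY "replace_with_real_password";
GRANT CREATE SESSION TO app_reader;
GRANT app_read_role TO app_reader;

-- (b) As APP_OWNER, before the account is locked.
--     Step 1 of the reply: revoke every object grant this schema made.
BEGIN
  FOR g IN (SELECT grantee, table_name, privilege
            FROM   user_tab_privs_made
            WHERE  grantor = USER) LOOP
    EXECUTE IMMEDIATE 'REVOKE ' || g.privilege || ' ON "' || g.table_name ||
                      '" FROM "' || g.grantee || '"';
  END LOOP;
END;
/

--     Read-only access: SELECT on tables and views goes to the role only.
--     Nested-table storage and IOT overflow segments cannot be granted on
--     directly, so they are skipped.
BEGIN
  FOR o IN (SELECT table_name AS name
            FROM   user_tables
            WHERE  nested = 'NO'
            AND    (iot_type IS NULL OR iot_type = 'IOT')
            UNION ALL
            SELECT view_name
            FROM   user_views) LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT ON "' || o.name || '" TO app_read_role';
  END LOOP;
END;
/

-- (c) As a DBA. Step 2 of the reply: lock the owning account.
ALTER USER app_owner ACCOUNT LOCK;

-- Checks.
-- The owner account should report a locked status.
SELECT username, account_status
FROM   dba_users
WHERE  username = 'APP_OWNER';

-- Only APP_READ_ROLE / SELECT rows should remain for the schema's objects.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'APP_OWNER'
ORDER  BY grantee, table_name;

-- Accounts and roles holding ANY privileges (for example INSERT ANY TABLE)
-- can still change APP_OWNER's objects; each row here needs a justification.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
ORDER  BY grantee, privilege;
```

Locking the owner only stops logins as APP_OWNER: existing grants, views, triggers and stored code owned by the schema keep working for the proxy account.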
Similar Messages
-
Oracle Portal 11.1.1.6 with OAM 11.1.1.5
Hi All,
I have the following customer requirement.
Oracle Portal 11.1.1.6 which is deployed on WebLogic Server 10.3.6
Oracle Access Manager 11.1.1.5.0
Oracle Internet Directory 11.1.1.6.0
The customer wants to have Single Sign On for the Oracle Portal Application. This is my understanding about the Architecture.
Oracle HTTP Server (with WebLogic Proxy Plug-in) talks to Oracle Portal
Oracle HTTP Server (the same above with WebGate) talks to Oracle Access Manager
Oracle HTTP Server has Oracle Web Cache
Oracle Access Manager talks to OID
Oracle Portal talks to OID with OID Authenticator
When I went through the Oracle Portal documents, they give steps for Oracle Portal which is deployed on Oracle Application Server but not with WebLogic.
My questions
1) Do I need to configure OID Authenticator at myrealm of WebLogic Domain (which hosts Oracle Portal) to connect to OID?
2) Is there anything more I need to do to integrate Oracle Portal with OID (Meaning running pl/sql scripts or any)?
3) Kindly advise me about the flow of Oracle HTTP Server, Oracle Web Cache, Oracle Web Gate to OAS and Oracle Portal?
Thank you
Regards,
Somerset
user8901406 wrote:
Hi Somerset,
I am going through similar problems as you are, so I was able to find some high-level answers (although I still have problems implementing them).
As for the questions:
1. Yes, you can check the details here:
http://docs.oracle.com/cd/E17904_01/webcenter.1111/e12405/wcadm_security_sso.htm#WCADM8176
Chapter 30.2.4.1 Configuring the Oracle Internet Directory Authenticator, item 9)
2. This is in no way a complete list, as it is still not working for me, but some of it:
OAM: You need to set up host identifier, resources (URLs) to protect, define schemas and policies
OHS: Need to set portal name in mod_wl_ohs.CONF
Domain-level jps-config.xml: Needs to be set as per
http://docs.oracle.com/cd/E15586_01/doc.1111/e15478/opssadf.htm, appendix c,
Example C-1 Sample SSO Configuration for OAM 11g
3. This graphic explains it, I believe:
Same doc as above, at the beginning.
Figure 30-1 OAM Single Sign-On Components and Topology
You can also check the thread I have started describing my setup/issue:
OHS/OAM/Portal SSO integration - mod_wl_ohs.conf problem
Hope this helps!
Zoran
Zoran,
What you are trying to accomplish is different from what Somerset is. Yours is Oracle WebCenter Portal, whereas Somerset's is Oracle Portal.
For the road map of integrating Oracle Portal with Oracle Access Manager there is no other way than what I explained. ;) -
Database Server - SQL Access: Cannot connect from code but from SSMS
Hi,
I am using following connection string in my asp.net web.config:
<add name="FMMConnectionString" connectionString="Data Source=xxxxxxxxx,1234;Initial Catalog=Test1Db;User Id=Rajeev;Password=xxxxxxxxxxxxx;" providerName="System.Data.SqlClient" />
The database is on remote database server. The sql user/ developer 'Rajeev' is deliberately given restricted permissions (to protect our schema) using following sql commands:
GRANT ALTER, EXECUTE, SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO Rajeev;
DENY VIEW DEFINITION ON SCHEMA::dbo TO Rajeev;
GRANT CREATE PROCEDURE TO Rajeev;
GRANT CREATE FUNCTION TO Rajeev;
DENY ALTER ON SCHEMA::dbo TO Rajeev; -- To disallow Rajeev to create objects on dbo schema but only create in Rajeev schema while still being able to select, insert, execute on dbo schema.
The above connection string works perfectly fine when used from Visual Studio> Server Explorer. I am able to execute following sql queries without issues. Same is true when using SQL Server Management Studio using Rajeev credentials.
select top 100 * from XYZEmployees
execute usp_GetMMBSchemeDetails '1'
The error I get in web page is following:
The stored procedure 'usp_GetMMBSchemeDetails' doesn't exist.
When I ran code using breakpoints to see what is happening, I see that when connection object is being instantiated, the connection state is being closed with following error:
at System.Data.SqlClient.SqlConnection.GetOpenConnection()
at System.Data.SqlClient.SqlConnection.get_ServerVersion()
I turned off my firewall to see if it was blocking but it did not help. I tried using Visual Studio 2012 as well as Visual Studio 2013 but same issue showed up.
Kindly let me know why I am able to execute sql queries from SSMS and Visual Studio's Server Explorer but not from application code. Is there something that needs to be enabled on remote database server so that the queries can run from code? I would like to create more users like Rajeev with restricted permissions to develop my application. So kindly provide a solution if you know.
Thanks,
Pullet
Thanks, everyone, for your insights :)
RSingh, your approach works when using SSMS, not when called from application code (example: asp.net code-behind page calling a stored proc using a connection object).
My requirement is, I only wanted the developer to do front-end programming without having the ability to look at back-end SQL object definitions. He/she can call the SQL objects in the program as needed.
I was finally able to meet this requirement with the following approach. Hope it helps others.
1. Right-click Rajeev user in Database> Security>Users and unselect 'dbowner' from 'General' tab> 'Database Role Membership' section even though Default Schema shows up as Rajeev schema. Now, this user can't do anything on dbo schema of database (as well as in any other user's schema in this database).
2. Ran the above commands but excluded the following command, which was identified as the root cause.
DENY VIEW DEFINITION ON SCHEMA::dbo TO Rajeev;
3. Now ran a script that denies 'view definition' of dbo schema's tables. It loops through all tables and denies 'view definition' on each table. Adapted the script of http://blog.extreme-advice.com/2013/01/23/grant-view-defination-permission-to-all-stored-procedures-in-sql-server/.
Now, the user Rajeev can execute dbo schema objects both from SSMS as well as from application code.
4. DENY EXECUTE, SELECT ON SCHEMA::INFORMATION_SCHEMA TO Rajeev; -- Restricts Rajeev from executing INFORMATION_SCHEMA objects seen in SSMS.
However, one remaining open item is that I could not hide the system objects (which are part of sys schema) in SSMS. Ideally, I do not want Rajeev to execute the 'system views', 'system stored procedures', etc. When I execute the same command (below), it runs without errors but does not apply this restriction.
DENY EXECUTE, SELECT ON SCHEMA::sys TO Rajeev;
If you know the reason why it is happening like this, please kindly share.
Cheers,
Pullet -
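Step 3 of the post above as T-SQL, followed by checks of what the restricted user ends up with; this is an added example, not the poster's script or the script from the linked blog. It reuses the names from the thread (Rajeev, dbo, usp_GetMMBSchemeDetails, XYZEmployees) and assumes SQL Server 2008 or later and a caller allowed to impersonate the user.

```sql
-- Added example (T-SQL); run in the application database as a db_owner.

-- Step 3: build one DENY VIEW DEFINITION per dbo table, review, then run.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql = @sql
            + N'DENY VIEW DEFINITION ON OBJECT::'
            + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
            + N' TO [Rajeev];' + NCHAR(13) + NCHAR(10)
FROM   sys.tables  AS t
JOIN   sys.schemas AS s ON s.schema_id = t.schema_id
WHERE  s.name = N'dbo';

PRINT @sql;                      -- review the generated statements first
EXEC sys.sp_executesql @sql;

-- Check 1: every explicit GRANT / DENY recorded for the user.
SELECT pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class_desc
            WHEN 'SCHEMA' THEN SCHEMA_NAME(pe.major_id)
            WHEN 'OBJECT_OR_COLUMN'
                 THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.'
                      + OBJECT_NAME(pe.major_id)
            ELSE pe.class_desc
       END AS securable
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pr.name = N'Rajeev'
ORDER  BY pe.class_desc, securable, pe.permission_name;

-- Check 2: database roles the user still belongs to (step 1 removed one).
SELECT r.name AS role_name
FROM   sys.database_role_members AS m
JOIN   sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN   sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE  u.name = N'Rajeev';

-- Check 3: effective permissions, evaluated as the user itself.
-- Each column is 1 (allowed) or 0 (not allowed).
EXECUTE AS USER = N'Rajeev';
SELECT HAS_PERMS_BY_NAME(N'dbo.usp_GetMMBSchemeDetails', N'OBJECT', N'EXECUTE')
           AS can_execute_proc,
       HAS_PERMS_BY_NAME(N'dbo.XYZEmployees', N'OBJECT', N'SELECT')
           AS can_select_table,
       HAS_PERMS_BY_NAME(N'dbo.XYZEmployees', N'OBJECT', N'VIEW DEFINITION')
           AS can_view_table_definition;
REVERT;
```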
How do program 3 independent finite pulse train generators from 3 counter pairs
I need to drive a 3-axis piezo leadscrew friction type motor by finite train of pulses from a PCI-6602. How do I specify the counter pairs in my code without any one counter conflicting with the others?
Bernardino Jerez Buenaobra
Senior Test and Systems Development Engineer
Test and Systems Development Group
Integrated Microelectronics Inc.- Philippines
Telephone:+632772-4941-43
Fax/Data: +632772-4944
URL: http://www.imiphil.com/our_location.html
email: [email protected]
This scheme (and the examples) works fine when you want finite generation done in sequence, but seems not to work when they are done independently and run synchronously in parallel fashion.
Berns B.
Attachments:
Mutliaxis_test_drive_version_0.vi 85 KB
NF8096Exercise.vi 206 KB -
Client or module information in oracle database in citrix environment
We have an Oracle 10g database in a Citrix environment. We are unable to get client information when a user logs on to the Oracle database or application through Citrix. How can we get client information in Oracle? We want to stop sqlplus or any other tools except our application. How would this be possible?
Thanks
Edited by: Wason Naveen on Feb 19, 2010 6:39 AM
Sorry I wasn't sure.... But let me try to give you another idea.
So if you want to protect your schema I suggest to use roles.
I mean collect all schema privileges into two roles.
Set default role for your schema user an almost empty role. (create session)
Plus create a full featured role which is password protected.
So you can implement in your application that when it connects it "SET ROLE" to the full featured one with password of course...
This way only your application can use/see objects in schema...
HTH, Zoltan -
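The two-role setup from the reply above as Oracle SQL, added here for illustration and not code from the thread. APP_USER, APP_OWNER.ORDERS, the role names and the passwords are assumed placeholders; the example uses a login that does not own the objects, because an owner keeps full rights on its own objects whatever roles are enabled.

```sql
-- Added example. All names and passwords are placeholders (assumptions).

-- As a DBA: an almost empty default role and a password-protected full role.
CREATE ROLE app_login_role;
GRANT CREATE SESSION TO app_login_role;

CREATE ROLE app_full_role IDENTIFIED BY "replace_with_role_password";
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.orders TO app_full_role;

CREATE USER app_user IDENTIFIED BY "replace_with_login_password";
GRANT app_login_role, app_full_role TO app_user;

-- Only the empty role is enabled at logon.
ALTER USER app_user DEFAULT ROLE app_login_role;

-- Check: APP_FULL_ROLE must show DEFAULT_ROLE = 'NO'.
SELECT granted_role, default_role
FROM   dba_role_privs
WHERE  grantee = 'APP_USER';

-- A session opened with sqlplus or any other tool starts with the
-- default role only, so APP_OWNER.ORDERS is not visible to it.
SELECT role FROM session_roles;

-- The application issues this right after connecting. SET ROLE disables
-- every role that is not listed, so the login role is named as well.
SET ROLE app_login_role,
         app_full_role IDENTIFIED BY "replace_with_role_password";

-- Now both roles are listed and the table privileges are active.
SELECT role FROM session_roles;

-- Caveat: the role password ships inside the application. Anyone who can
-- read the executable or its configuration can issue the same SET ROLE
-- from another tool, so treat this as a hurdle, not as access control.
```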
Too many Broadband marketing mailshots
My elderly neighbour is not interested in broadband, and is so fed up with receiving mailshots from BT inviting her to get broadband, that she has stopped opening her BT mail. Recently, this meant that she didn't open her bills, because she thought they were yet more mailshots, and she was cut off.
Two things:
1. Can she ask not to be sent broadband mailshots any more? She is never, ever going to buy broadband, so please please is there a way to stop sending them to her?
2. Is there a way to prioritise her, since she should never be cut off, as she is an elderly, frail person living alone, and relies on her phone to summon help.
Thanks
Hi MovingStuff,
I can answer one of those questions for you.
Your neighbour can apply for the Protected Service Scheme, if they are eligible for the scheme. If they are eligible, then if they haven't paid their BT Retail bill or haven't answered the letters, emails or calls from BT Retail about their bill, BT Retail will work with the customer's selected nominee to do all BT Retail can to help the customer keep their phone service working.
For more information on the Protected Service Scheme go to http://www.bt.com/includingyou/redesign2012/assets/downloads/ProtectedServicesScheme.pdf
jac_95 | BT.com Help Site | BT Service Status
-
Hi Guys,
I have Oracle 10.2.0.4 RAC replicating to 10.2.0.4 RAC, and the Capture process aborted with the error message "ORA-04031: unable to allocate 136 bytes of shared memory ("streams pool","unknown object","streams pool","kolccst obj")". Then I tried to start Capture again and saw that the status of the Capture process is waiting for a very old log file belonging to the first day the replication was set up. Now Capture is stuck waiting for that month-old archive log file. Could you please help me? Those archived files were already removed a long time ago. How can I fix it?
Thanks in advance.
Hi,
it's an interesting problem.
Have you set the parameters STREAMS_POOL_SIZE and AQ_TM_PROCESSES?
I think you could do 2 things :
1) Recreate the target duplicated db..
2) Stop capture and application processes, remove propagation/application rules, truncate table on the target, import the data from source to target , resync scn number from source to target, readd propagation/application rules, restart processes. package => dbms_streams_adm
for resync scn :
declare
vscn NUMBER;
begin
vscn:= dbms_flashback.get_system_change_number();
[email protected](
source_object_name => 'SCHEMA.TABLE_NAME',
source_database_name => 'DB_SOURCE',
instantiation_scn => vscn);
end;
I hope it could help you :)
See you soon
Mat -
Does somebody know if a merge module exists for Oracle 8i?
We are deploying an application which uses Oracle 8.1.6 Client with OCI calls between Oracle and Delphi.
We built an installation kit, and we want to install Oracle Client in the same setup via merge modules.
Is it possible?
I appreciate some help
Best Regards -
Can anyone suggest any details about WAN hardening or any pointers? I guess I would like to know about using ONS15454 to switch the DS3s between primary and secondary routers. By this we are trying to give redundancy so that if the customer's channelised T1 going through a single DS3 fails, it gets switched to another DS3 connected to another router.
Thanks
Regards
Anantha Subramanian Natarajan
Manufacturer should indicate for which interfaces the equipment provides a protection card scheme (1+1 or 1+N), which protects the working cards against a hardware failure.
-
I lost ability to login to Marvel
I registered and received an email with a password, and then I logged in and looked at some tables inside my schema. Then I read the quick tour that suggested changing my password. I pushed the big Administrator icon and tried to change the password and then the username but got a constraint violation error. Next time I tried to login to Marvel I received: "Invalid company, username, password combination. ORA-20001: Login".
Then I tried "forget your password?" in order to reset my password. I got the message: "Confirmation. Password successfully changed. Your new password has been sent to your email address" but I did not receive the email. I tried it several times but still did not receive the email. Now I have only the original email with the information that I used to login the first time.
Now I am not able to login to Marvel, please help.
Sergio,
This is from the first email that I received after registration:
Thank you for requesting an Project Marvel beta account. The activation of your account is pending approval.
ACCOUNT REQUEST
Company Name : dao
Industry : Commercial business
Administrator : David Natsvlishvili
Username : dat****[email protected]
Requested schema : dao
The Project Marvel team
This may help -
Configure Database Vault on PeopleSoft
hi,
We have a customer who needs to have row-level security and some security features (data encryption) to be implemented in PeopleSoft. Since PeopleSoft does not directly do data encryption or row-level access control, the best option is to have Advanced Security and Database Vault installed in the database, but these are options to database Enterprise Edition. PeopleSoft Enterprise comes bundled with the database. So how do we license the options? And also, are row-level security and data encryption transparent to the PeopleSoft applications?
sashika.
Hi Paul,
I have tried your suggestion and I am not sure if I did not understand your suggestion, or if it does not work, as the "Power" users do not have access to the "Special" schema data, which is what we wanted, but unfortunately they do not have the same privileges/rights as if the DBV had never been installed, which is the requirement, i.e. create new users, manage TDE keys, expdp, etc. I can only assume that you also meant that I should restore the revoked privileges? But will this not be the equivalent of not having installed the DBV for the "Special" schema I am trying to protect? I am not sure how to proceed at this stage.
So I think I may require some help regarding the realm to be created around the 'special' schema. Is it just a matter of creating a normal realm, where all objects in the schema are protected, or do I need to generate a very complex realm to protect the schema because of having turned off all other default DBV realms?
Do you have any suggestion on this?
I have also been asked (instructed is probably a better word) to ensure that the realm stops all users, except the realm owner and the DBV owner, from having access to the schema object definitions, i.e. no user shall be able to view table, procedure, view, package, function, etc. definitions. I am not sure if this is possible or how to achieve this.
Any suggestions are very welcome.
Thank you
Daniel
Edited by: zooid on Mar 20, 2012 4:14 AM -
How to protect Developer know Password of Schema in Production system?
Hi, I'm a newbie in database security.
My new job has a client/server environment on Oracle10gR2 working with a Delphi application.
I found that developers hard-coded the schema user/password in the program code for connecting to the DB.
So now the password of the production schema is the same as that of the development schema,
and developers can access the production environment.
How to solve this situation? I think there may be a best practice for this.
I thought about keeping the password in another location for the application to fetch when connecting to the DB.
However, this way a developer can write code to print out the password and see it.
Or maybe the DBA must change the fixed password in the programmer's code before migrating to production (it's no good). By doing that, the DBA can make the production and development passwords different.
Now we protect against this with a trigger that prevents developers from connecting to the DB with tools (by the osuser, machine and program fields in v$session). I know this can be bypassed by changing osuser or changing the exec name of the tools.
My previous job used Oracle DB with E-Business Suite. It did not have this problem because it has an interface to manage connections between app & DB.
Thank you for every advice.
Best Regards, -
ITA Policies and protection schemas - What should I expect.
Hi all. I am working on a streaming Windows Store app that uses a PMP and I need to apply protection to the output. I have tried several protection schemas to determine if my implementation is correct but the results have not been what I expected.
For example, for my DVI connection (MFCONNECTOR_DVI) it states that it supports MFPROTECTION_DISABLE. If I enable it I get a decode error and playback is rejected. According to the documentation that I have, what should have happened is the video rectangle should have been blanked while the rest of the screen is left unaffected. If I look at the logs I can see that GetSchemaType() of my IMFOutputSchema implementation object returns the guid MFPROTECTION_DISABLE and GetConfigurationData() returns the non-zero value that states that it should be enabled. However I don't see a call to GetOriginatorID().
I have also tried MFPROTECTION_CONSTRICTVIDEO. In this case GetSchemaType() also returns the appropriate guid and GetConfigurationData() returns a nonzero value stating that it should be enabled. For the max number of pixels allowed I set that as a double word attribute MFPROTECTIONATTRIBUTE_CONSTRICTVIDEO_IMAGESIZE set to 50, which equates to 50,000 pixels. This is all per the documentation I have. I was expecting the video to be degraded. I tried less and more but didn't see an effect. In this case I also don't see the call to GetOriginatorID().
Have any of you used these protection systems? What were your observations? Difficulties?
In the end I have to have HDCP and CGMSA but I need test equipment to verify that it's actually working.
Thanks
AFAIK, these attributes are only compatible with desktop apps, I'm not sure if they can work in a Store app...
Best Regards,
-
Adp accidental damage protection scheme
How to check whether the (ADP) accidental protection scheme is activated or not
According to the Accidental Damage Protection Service Agreement, service is only available in the US.
http://download.lenovo.com/lenovo/lsw/adp_sa_global.pdf
You can check to make sure by dialing Warranty Service in Romania at:
40-1-330-4555
40-1-330-4536
-
Run Schema Exporter on password protected Access 97 mdb
I'm trying to generate the Microsoft Access XML file required by OMWB. The MS-ACCESS 97 database that I want to migrate is password protected. When I attempt to use the MDB, I must put in an id/pw. When I try to run the "Database Schema Exporter" (version 10.1.0.2), I receive "Error 3033: You don't have necessary permissions to use path\to\access\mdb".
There is no way to enter an id/pw from the Database Schema Exporter. Is there any way around this? Any help is greatly appreciated. Thanks!
What a Muppet!
Was thinking along the same lines as your post, if it thinks the username or password is wrong maybe it is?!?
Anyway - what I have found out is ... wait for it
Access passwords are limited to 20 characters, but there is no audio feedback to show you have reached the limit. So if you look at the keyboard when you type (like I do) you are blissfully unaware the last four characters of your password have not been accepted!
Therefore as the Exception caught by my application said; my password was wrong!
Maybe this will help others out in the future - although I have a sinking feeling that maybe I am the only one here who could be so dumb!
Doh!