Query to Show DBA level access by user

Hi - is there a way to list usernames and access level, such as DBA (10g)?
Thanks

select grantee from dba_role_privs where granted_role = 'DBA';

Of course you need to be DBA yourself (at least have the select any data dictionary grant).
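The query in the reply returns only direct grants of the DBA role. The following added example (not part of the original thread) goes one step further and also follows roles granted to other roles, so an account that reaches DBA through an intermediate role is reported with its grant path. It uses only the standard dba_role_privs, dba_roles and dba_users dictionary views and hierarchical-query operators available in 10g.

```sql
-- Added example: accounts that hold DBA directly or through nested roles.
-- Every row of dba_role_privs is a possible starting point (no START WITH);
-- CONNECT BY then walks role-to-role grants until it reaches DBA.
SELECT p.root_grantee                  AS grantee,
       NVL(u.account_status, 'n/a')    AS account_status,  -- PUBLIC has no dba_users row
       p.root_grantee || p.grant_path  AS grant_path
FROM  (SELECT CONNECT_BY_ROOT grantee                    AS root_grantee,
              granted_role,
              SYS_CONNECT_BY_PATH(granted_role, ' -> ')  AS grant_path
       FROM   dba_role_privs
       CONNECT BY PRIOR granted_role = grantee) p
LEFT JOIN dba_users u
       ON u.username = p.root_grantee
WHERE  p.granted_role = 'DBA'
-- Report the end holders (users, PUBLIC), not the intermediate roles themselves.
AND    p.root_grantee NOT IN (SELECT role FROM dba_roles)
ORDER  BY p.root_grantee, grant_path;
```

A locked or expired account still appears in the result, which is why account_status is included in the output.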

Similar Messages

  • Handling page level access to users for sub-pages

    Hi,
    In my webcenter portal application, in navigation , I have mainpage1 and 3 sub-pages under it: subpage1,subpage2 and subpage3. We have a requirement that users with role manager should have access to all sub-pages under mainpage1 and users with role employee should have access to only subpage3.
    All these 3 pages are created in Jdeveloper (not at runtime) and have static region for different taskflow on each page. All 3 taskflows have access permission to all authenticated users.
    Using WebCenter Portal Administration Console, Resources tab I am setting access levels for user groups with Delegate Security as follows:
    mainpage1 -- manager and employee both have view
    subpage1 - only manager have view
    subpage2 - only manager have view
    subpage3 - manager and employee both have view
    When I log in as a user with the manager role, I am able to see all three pages, but when I log in as an employee, the link mainpage1 and all other subpages are hidden.
    I am able to set different access permissions for different groups at mainpages but facing issue for sub pages.
    Please help me if I am missing anything for setting page level access.
    Thanks and Regards,
    Minal

    Try to add the users instead of groups and see if you get same page access error?

  • Restrict DBA from accessing User's Tables

    How to restrict DBA from accessing objects created by a user?
    Regards
    Sumit

    mbobak wrote:
    Hi Ed,
    Actually, if I understand it correctly (and I may not, as I've never installed or used Database Vault and the presentation I saw was a long time ago), my understanding of the security model is that the "DBA" that has system level privileges, is separate from the "security administrator" role, which is the person who decides which user can see what application data. In Database Vault parlance, the DBA has access to the system, system views, etc, but not the application data. The application data lives in a different "realm". There can be multiple "realms", and you must be assigned specific rights in the different realms to access different data. The DBA doesn't get access to any realms.
    If you do not assign those two roles to different people, then you might as well not configure Database Vault at all.
    At least, that's my understanding.
    -Mark

    Mark,
    That was pretty much my understanding as well. But even when I worked for a credit card processing company, they didn't have that separation of duties - even though the auditors kept asking for ways to keep the DBAs out of the database.
    And even with strictly defined separation of duties, wouldn't it still come down to someone having to have the keys to it all? How about the guy who has the password for "root"?

  • Username not showing up in access log for authenticated users

    I'm using form-based authentication in a Java web application on Sun One Web Server v6.1 to restrict access to authenticated users. However, even after the users authenticate and access the application, the username field in the access log is showing them as anonymous.
    request.getRemoteUser() is reporting the correct username, so it just seems to be the access log that is in error. Right now it is set to the default but changing formats to custom doesn't seem to help in displaying the username.
    Here's an excerpt from the access log:
    // anonymous access attempt, redirects to login page...
    10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/index.jsp HTTP/1.1" 302 0
    10.100.168.110 - - [01/May/2006:14:34:42 -0400] "GET /profile/login.jsp HTTP/1.1" 200 3355
    10.100.168.110 - - [01/May/2006:14:34:47 -0400] "POST /profile/j_security_check HTTP/1.1" 302 0
    // at this point they are logged in and their username should be reflected in the access log, but is not:
    10.100.168.110 - - [01/May/2006:14:34:47 -0400] "GET /profile/index.jsp HTTP/1.1" 200 3532
    And the relevant code from the web application's web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AllFiles</web-resource-name>
        <description>Restricts anonymous access.</description>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>Authenticated Users</description>
        <role-name>user</role-name>
      </auth-constraint>
    </security-constraint>
    I've searched the forums and the manuals but can't see anything showing that the access log's username field doesn't work with form-based authentication. Can anyone shed some light on this?

    Some background:
    The Java Servlet container has its own authentication infrastructure (which is what you configure in web.xml) which is separate from the non-Java authentication infrastructure (ACLs, etc.). If you set up authentication via ACLs the resulting user identity can (though you may configure it not to) propagate to the Java Servlet container such that request.getRemoteUser() will return it, even though no web.xml-driven authentication occurred. The converse is not true, however: if you authenticate via a Java Realm, based on web.xml configuration, that user identity is not available to non-Java code.
    (Your web.xml snippet doesn't show you using FORM auth - but it doesn't matter, the explanation above applies in any case.)
    That is why the log file (generated from non-Java code) doesn't have access to that user. It probably should, but there's no config option today for you to make that happen.
    If you're using BASIC auth you may consider moving the authentication configuration from web.xml to ACLs as a possible workaround. It will then show up in the access logs.
    If you prefer web.xml-based authentication, consider the <SECURITY audit="true"> option in server.xml. It won't be in the access log but you'll have an audit trail of authentications, which may help.

  • Are Profiles and DBA Access to users required after MRCA is installed ?

    Customer has installed oracle B2B through MRCA .
    There are 4 questions that need to be answered.
    Question 1
    ===========
    We would like to know if the profiles and DBA access to users are required after MRCA is installed ?
    Question 2
    ==========
    If we remove these privileges will there be any impact to future Application Server upgrades, applying of patches ?
    Question 3
    ============
    There is a schema called BASEDEF with the two roles BASEAPP_ADMIN and BASEAPP_INSTANCE_ADMIN .
    Please could you let us know the purpose of this schema and its usage ?
    Question 4
    ============
    Does the schema BASEDEF affect b2b in any manner ?
    Regards,
    Suresh

    Hi Suresh,
    Please find below answer of your questions-
    1. Profiles are created automatically during installation and they are required for maintaining the functionality of B2B. DBA access to these profiles is not required.
    2. If you revoke DBA access from the profiles, then it should not affect the functionality of B2B. Generally Patch scripts are run on account "b2b" and this account does not have dba access so there should be no problem due to access revoke.
    Any DBA can answer your 3rd and 4th question.
    Regards,
    Anuj

  • Can not assign custom access level with a user login

    Hi,
    I am using Business objects XiR3. When I am logging in with a user having full control access and then I select a folder added a principal from user security and when I am trying to add custom access level it gave me error
    An error occurred at the server during security batch commit: Request 0 of type 38 failed with server error : You do not have sufficient rights to make the requested security changes.
    It allows me to give access to standard access levels. Also, when I tried to assign custom access level with administrator user, it assigns custom access level to a principal without error.
    Can anybody tell me what I am doing wrong?
    Thanks in advance,
    Rajendra

    Hi Rajendra,
    You have to make sure that the user group has the right 'Use access level for security assignment' assigned as granted on the access level you created. You can find this right under System / Access Level. That should do the trick!
    Hope this helps...
    Martijn van Foeken
    Focuzz BI Services
    http://www.focuzz.nl
    http://nl.linkedin.com/in/martijnvanfoeken
    http://twitter.com/mfoeken

  • Best practice for select access to users

    Not sure if this is the correct forum to post, if not then let me know where should I post.
    From my understanding this is the best forum to ask this questions.
    Are you aware of any "Best Practice Document" to grant select accesses to users on databases. These users are developers which select data out of database for the investigation and application bug fix.
    From time to time user want more and more access to different tables so that they can do investigation properly.
    Let me know if there exists a best practice document around this space.
    Asked in this forum as this is related to PL/SQL access.

    Welcome to the forum!
    Whenever you post provide your 4 digit Oracle version.
    >
    Are you aware of any "Best Practice Document" to grant select accesses to users on databases. These users are developers which select data out of database for the investigation and application bug fix.
    From time to time user want more and more access to different tables so that they can do investigation properly.
    Let me know if there exists a best practice document around this space.
    >
    There are many best practices documents about various aspects of security for Oracle DBs but none are specific to developers doing investigation.
    Here is the main page for Oracle's OPAC white papers about security.
    http://www.oracletechnetwork-ap.com/topics/201207-Security/resources_whitepaper.cfm
    Take a look at the ones on 'Oracle Identity Management' and on 'Developers and Identity Services'.
    This paper by Database Specialists shows how to use Oracle Identity Management to limit access to users such as developers through the use of roles. It shows some examples of users using their own account but having limited privileges based on the role they are given.
    http://www.dbspecialists.com/files/presentations/implementing_oracle_11g_enterprise_user_security.pdf
    And this Oracle White Paper, 'Oracle Database Security Checklist', is a more basic security doc that discusses the entire range of security issues that should be considered for an Oracle Database.
    http://www.oracle.com/technetwork/database/security/twp-security-checklist-database-1-132870.pdf
    You don't mention what environment (PROD/QA/TEST/DEV) you are even talking about or whether the access is to deal with emergency issues or general reproduction and fixing of bugs.
    Many sites create special READONLY roles, eg. READ_ONLY_APP1, and then grant privileges to those roles for tables/objects that application uses. Then that role can be granted to users that need privileges for that application and can be revoked when they no longer need it.
    Some sites prefer creating special READONLY users that have those read only roles. If a user needs access the DBA changes the password and provides the account info to the user. When the user has completed their duties the DBA resets the password to something no one else knows.
    Those special users have auditing on them and the user using them is responsible for all activity recorded in the logs during the time the user has access to that account.
    In general you grant the minimum privileges needed and revoke them when they are no longer needed; generally through the use of roles.
    >
    Asked in this forum as this is related to PL/SQL access.
    >
    Please explain that. Your question was about 'access to different tables'. How does PL/SQL access fit into that?
    The important reason for the difference is that access is easily controlled thru the use of roles but in named PL/SQL blocks roles are disabled. So those special roles and accounts mentioned above are well-suited to allowing developers to query data but are not well-suited if the user needs to execute PL/SQL code belonging to another schema (the app schema).
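The read-only role approach and the PL/SQL caveat from the reply above, as an added example that is not part of the original thread. APP1 (application schema), DEV_JANE (developer account, assumed to hold CREATE PROCEDURE) and APP1.ORDERS are hypothetical names; READ_ONLY_APP1 is the role name used in the reply.

```sql
-- Added example; APP1, DEV_JANE and APP1.ORDERS are hypothetical names.
CREATE ROLE read_only_app1;

-- Grant SELECT on the application's tables to the role, never to the user directly.
-- Recycle-bin entries, IOT overflow segments and nested-table storage are skipped
-- because they are not tables a developer would query by name.
BEGIN
  FOR t IN (SELECT table_name
            FROM   dba_tables
            WHERE  owner    = 'APP1'
            AND    dropped  = 'NO'
            AND    iot_name IS NULL
            AND    nested   = 'NO')
  LOOP
    EXECUTE IMMEDIATE
      'GRANT SELECT ON "APP1"."' || t.table_name || '" TO read_only_app1';
  END LOOP;
END;
/

-- Hand out access through the role and record what the account reads
-- (statement auditing needs the AUDIT_TRAIL initialization parameter enabled).
GRANT read_only_app1 TO dev_jane;
AUDIT SELECT TABLE BY dev_jane BY ACCESS;

-- Periodic review: who holds the role right now?
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'READ_ONLY_APP1';

-- Connected as DEV_JANE, a plain query works because the role is enabled
-- in the session:
SELECT COUNT(*) FROM app1.orders;

-- A named (stored) procedure does not see privileges received through a role,
-- so this compiles with "PL/SQL: ORA-00942: table or view does not exist":
CREATE OR REPLACE PROCEDURE count_orders AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM app1.orders;
END;
/

-- When the investigation is finished, take the access away again.
REVOKE read_only_app1 FROM dev_jane;
NOAUDIT SELECT TABLE BY dev_jane;
```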

  • Hide Top level navigation if user assigned only one role

    Hi,
    I would like to hide the top level navigation if user assigned with only one role.
    I can create a role-based rule to show a desktop using the Master rule collection, but is it possible to do it with role count?
    If user has multiple roles show desktop1 else show desktop2

    Not sure if this is possible; you may check the feasibility of creating an application which checks the user role count and, if the role count is = 1, loads the Portal URL (URL alias) which has the TLN iView invisible in the same window, else does nothing and loads the portal with the desktop which has TLN.
    Put the application in the framework page which has TLN visible.
    Create a URL alias and create a desktop-framework page which doesn't have TLN, assign this desktop to this URL alias in the rule collection, and set its priority before the user conditions check in the rule collection so that it has high priority before the user or group check in the rule collection.
    You can create a POC in sandbox and check if it works?

  • Database Studio 7.9.08.09 -  Could not access to user management; Deleting old settings and reinstallation did not bring a change -- database studio deinstallation cannot be performed anymore

    Hi Community,
    for a few months I have been struggling with a  SAP Max DB database Studio issue and finally, I had to give up the idea of being able to fix this on my own. I am desperately seeking for help and I hope that you may be able to give me a hint, advice or even a solution.
    This is what happened:
    I used to run Windows 7 on 32bit. I also had Database Studio installed - which was running fine then.
    After a hardware upgrade, I am running now Windows 7 on a 64 bit System. All my files from my local disk (C:\) have been restored and copied onto my new system.
    I reinstalled Database Studio Version 7.9.08.09 onto my new System.  But on the first try to start the program I received the error that said "Could not Access to user Management.See Window -> Show View-> Event Log Viewer for more Details."
    However the Event Log Viewer was empty.
    After searching the web for a solution, I followed the advice given in this community and deinstalled Database Studio and deleted the C:\Users\MyAccount\sdb folder manually.
    I reinstalled Database Studio and started it as Administrator.
    However, the error is still appearing.
    And, what makes it even worse is : now I am not able to uninstall Database Studio anymore.
    When I run SAP MaxDB Installation Manager and select the instance of database Studio to be uninstalled I am receiving the error:
    "ERR: Unhandled Exception: Can't call method: "GenPackageList" on an undefined value at SDB/Install/Gui/Dialogs/SelectInstance.pm line 328"
    Any advice is highly appreciated.
    Thanks,
    Agnieszka

    Hello Yashwanth,
    thank you for your quick Response.
    Yes, I downloaded and installed the 64 bit Version of dbstudio.
    I downloaded and ran the following .exe file: maxdb-studio-win-64bit-x86_64-7_9_08_09.exe
    I am running the following Java-Version:
    Java Plug-in 1.6.0_45
    Using JRE version 1.6.0_45-b06 Java HotSpot(TM) Client VM
    I myself am not a SAP customer. However, the Company I am working for is a SAP customer.
    Can you explain in Detail, how to create a ticket with SAP?
    Thanks,
    Agnieszka

  • Windows 7 Desktop synchronisation - Windows cannot access \\server\users\name\desktop

    Hi there
    My client has a laptop which won’t load the desktop when disconnected from the network. When you log on (while disconnected) you get the error
    “Windows cannot access \\server\users\name\desktop”
    Works as expected while connected to the network.
    The server is a Windows Small Business Server 2003 with active directory etc. and roaming profiles turned on. This issue does not occur on other workstations/laptops.
    When I check the Users folder on the local system drive there is not a desktop folder. I assume this is the issue although I’m not sure how you would force windows to create one or why one hasn’t been created?
    This is a brand new laptop so my initial reaction was to reset the laptop to factory state and then add the laptop back in to the domain. After this process the issue was still present!
    I guess the only thing I should mention is that this was shipped as a Home Premium laptop and was then upgraded to Professional using an upgrade key.
    I have checked Control Panel, System & Security, System, Advanced, User Profiles and the account shows as Local with Roaming Profiles greyed out.
    Any ideas?
    Martyn Fewtrell
    Martyn Fewtrell TNC (IT Solutions) Ltd Web: http://www.tncit.co.uk

    Hi,
    I am just writing to check the status of this thread. Was the information provided in previous reply helpful to you? Do you have any further questions or concerns? Please feel free to let us know.
    Regards,
    Alex Zhao
    TechNet Community Support

  • Hr_maintain_masterdata showing an infotype that the user does not have auth

    subject: hr_maintain_masterdata showing an infotype that the user does not have authorisation for
    Hi all,
    I've a user account that's meant to perform staffing, based on the actual HR role.  The system is also set up with an infogroup that contains infotypes 0000, 0001, 0006, 0185, XYZ and other infotypes; XYZ representing an actual infotype.  The HR role is not supposed to have this infotype XYZ.
    When PA40 is used, infotype XYZ will be skipped, as the user account does not have authorisation for it.  I could then proceed to create the record.
    When the fm: hr_maintain_masterdata is used, I was prompted that I do not have authorisation for infotype XYZ.
    I have set up my fm with the minimum amount of values, as indicated below.
    I did not populate a table for "proposed_values" so the infotypes called were due to the actions of the infogroup.
    fm: hr_maintain_masterdata
    pernr = 01234567
    massn = 01          (new staff)
    actio = INS          (insert record)
    tclas = A          (master record)
    begda = 01.09.2010
    endda = 31.12.9999
    werks = myCompanyPlant
    dialog_mode = 2     (online)
    luw_mode = 1          (commit, if no errors encountered)
    no_existance_check = X
    Q. Is there any way to let the function module call the infotypes, with authorisation checks, as what PA40 is doing?
    Your guidance would be appreciated.
    Thank you,
    James Wong

    A behaviour that has been observed was that, after infotype 0185 was saved, the function module throws me back to infotype 0000, citing, "No authorization to maintain XYZ exists".  Data that I had populated to the screen, either via the FM or by manual input were cleared.  If I skip the next 4 screens, I'll arrive at the Infotype after XYZ, with the data populated.  Subsequent infotypes also have their data filled in.
    Once I complete the sequence, the personnel record will be created.  Upon examination, the first 4 screens that were skipped in the 2nd pass contain data that were entered in the 1st pass.
    My question, as posted in the original post, is why infotype XYZ is triggered by the function module, as the staffing account does not have access for it.  If I repeat the process using PA40, the infotype is skipped accordingly.
    Any help would be appreciated.
    Thank you,
    James Wong,

  • Any option to restrict SE16 record level access based on company code?

    Hi All,
    I have a requirement to restrict record level access in SE16 based on company code.
    Our SAP system has two company codes. The requirement is that users of one company code should not be able to see records of other company code in SE16.
    Is it possible through some exits/badis/other methods?
    Thanks in advance.
    Regards,
    Arun Mohan

    You could write a small front end that accepts the company code, applies custom authorization code for each value and retains or removes, then calls the transaction and enters the selections the user requested and that your authorization check resulting in "passing"....  Of course, you'd have to block those users from "pure" SE16...   I once worked in situation similar, users in one country couldn't see USA data, etc. I think someone wrote an entire new program, called by ZSE16, for that.

  • Setting Item level access rights on sharepoint list item in ItemAdding event handler

    Hi ,
    I am using sharepoint 2013. I am trying to set item level access rights when a list item is added using the following code snippet,
    public override void ItemAdding(SPItemEventProperties properties)
    {
        base.ItemAdding(properties);
        ConfigureItemSecurity(properties);
    }

    private void ConfigureItemSecurity(SPItemEventProperties properties)
    {
        var item = properties.ListItem;
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite site = new SPSite(properties.SiteId))
            using (SPWeb oWeb = site.OpenWeb())
            {
                item.ParentList.BreakRoleInheritance(true);
                oWeb.AllowUnsafeUpdates = true;
                var guestRole = oWeb.RoleDefinitions.GetByType(SPRoleType.Reader);
                var editRole = oWeb.RoleDefinitions.GetByType(SPRoleType.Editor);
                SPGroup HRGroup = oWeb.SiteGroups.Cast<SPGroup>().AsQueryable().FirstOrDefault(g => g.LoginName=="HR Team");
                SPRoleAssignment groupRoleAssignment = new SPRoleAssignment(HRGroup);
                groupRoleAssignment.RoleDefinitionBindings.Add(guestRole);
                SPUserCollection users = oWeb.Users;
                SPFieldUserValueCollection hm = (SPFieldUserValueCollection)item["HiringManager"];
                SPFieldUserValueCollection pm = (SPFieldUserValueCollection)item["ProjectManager"];
                SPFieldUserValueCollection pmChiefs = (SPFieldUserValueCollection)item["ProjectManagerChief"];
                item.BreakRoleInheritance(true);
                item.RoleAssignments.Add(groupRoleAssignment);
                foreach (SPFieldUserValue staffMember in hm)
                    SetRightsOnItem(item, staffMember, editRole);
                foreach (SPFieldUserValue staffMember in pm)
                    SetRightsOnItem(item, staffMember, guestRole);
                foreach (SPFieldUserValue staffMember in pmChiefs)
                    SetRightsOnItem(item, staffMember, guestRole);
                item.Update();
            }
        });
    }

    private void SetRightsOnItem(SPListItem item, SPFieldUserValue staffMember, SPRoleDefinition role)
    {
        SPUser employeeUser = staffMember.User;
        var userRoleAssignment = new SPRoleAssignment(employeeUser);
        userRoleAssignment.RoleDefinitionBindings.Add(role);
        item.RoleAssignments.Add(userRoleAssignment);
    }
    Nothing is happening though... Is the event handler the right place to do this?
    thank you

    Hi ,
    You can refer to the code working in my environment:
    using System;
    using System.Security.Permissions;
    using Microsoft.SharePoint;
    using Microsoft.SharePoint.Utilities;
    using Microsoft.SharePoint.Workflow;
    namespace ItemLevelSecurity.ItemSecurity
    {
        /// <summary>
        /// List Item Events
        /// </summary>
        public class ItemSecurity : SPItemEventReceiver
        {
            /// <summary>
            /// An item was added.
            /// </summary>
            public override void ItemAdded(SPItemEventProperties properties)
            {
                SPSecurity.RunWithElevatedPrivileges(delegate()
                {
                    try
                    {
                        using (SPSite oSPSite = new SPSite(properties.SiteId))
                        using (SPWeb oSPWeb = oSPSite.OpenWeb(properties.RelativeWebUrl))
                        {
                            //get the list item that was created
                            SPListItem item = oSPWeb.Lists[properties.ListId].GetItemById(properties.ListItem.ID);
                            //get the author user who created the item
                            SPFieldUserValue valAuthor = new SPFieldUserValue(properties.Web, item["Created By"].ToString());
                            SPUser oAuthor = valAuthor.User;
                            //assign read permission to item author
                            AssignPermissionsToItem(item,oAuthor,SPRoleType.Reader);
                            //update the item
                            item.Update();
                        }
                        base.ItemAdded(properties);
                    }
                    catch (Exception ex)
                    {
                        properties.ErrorMessage = ex.Message;
                        properties.Status = SPEventReceiverStatus.CancelWithError;
                        properties.Cancel = true;
                    }
                });
            }

            public static void AssignPermissionsToItem(SPListItem item, SPPrincipal obj, SPRoleType roleType)
            {
                if (!item.HasUniqueRoleAssignments)
                {
                    item.BreakRoleInheritance(false, true);
                }
                SPRoleAssignment roleAssignment = new SPRoleAssignment(obj);
                SPRoleDefinition roleDefinition = item.Web.RoleDefinitions.GetByType(roleType);
                roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
                item.RoleAssignments.Add(roleAssignment);
            }
        }
    }
    Thanks,
    Eric
    Eric Tao
    TechNet Community Support

  • Column level access in Crystal Report Server

    Hi,
    I have three fields in my Crystal Report. The crystal report will be exported to PDF by my customised web application. The application has a built in user security and access control model. However if user 1 logs in he should see all the 3 columns(database fields) on the exported PDF. If user 2 logs in he should see only first 2 columns as he has access to only those. We would also be using Crystal Report Server.
    I know this could be done in Crystal Report itself but is there any way to leverage column level access (and also row level) functionality using Crystal Report Server. The Crystal Report reports off an ODBC Datasource.
    It would be great if any one could help me in this regard.
    Cheers.

    If you were running the same version designer and server, you could open your reports straight from the repository, and save them straight back. Then you wouldn't have multiple versions of RPTs flying about.
    I have just purchased a new licence for 2008 and an 2008 upgrade for a Xr2.
    I don't think I completely understand, but we do have Crystal Reports 2008 and Crystal Reports Server 2008 available for purchase.

  • Collaborator on Document Level vs. Class Level Access

    Hi Guys,
    I am wondering what happens when you add a user as a collaborator / reviewer to a document that has not been given authorization on class level, ie. the user has no access to auctions but I am adding him/ her to an auction as a collaborator?
    Any idea if I can select this user?
    Thank you.
    /Anita

    System would throw an error message indicating the user does not have the requisite permissions.
    It would be something like this:
    "Either change the role to one with only a view right or add an edit permission to the user or the group. XXX could not be added because they do not have edit rights, but the selected role grants edit rights."
    Thanks,
    Vikram
