Remove sysdba privilege for user

Similar Messages

• Mailbox cleanup could not completely remove the mailbox for user

  Hello.
  I have Exchange 2010SP3 2 DAG member in cluster.
  Recently i have warning in app log on a second DAG member:
  Mailbox cleanup could not completely remove the mailbox for user GUID.Encountered error 0xfffffae8. Should this message continue to persist for the same mailbox, it may be indicative of a problem that requires further investigation. 
  I read all post wich say just unmount and mount database.
  I can't find any user wich have guid containted in error.
  So that i need to do?
  Can i use StartDAGmaintenance and reboot a server,then after reboot use StopDAGmaintenance?

  Hi,
  I suggest to refer to this blog to find this mailbox by GUID.
  http://blogs.technet.com/b/ehlro/archive/2010/04/22/how-to-find-the-object-that-belongs-to-a-guid.aspx
  Then check which database this mailbox belongs to, dismount and mount this database.
  Best Regards.
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Lynn-Li
  TechNet Community Support

• "Create User" gives ORA-01031: insufficient privileges for user sys

  I am on Oracle 11g db, 11.1.0.6 and login successfully using sys/password as sysdba. This login is successful.
  [oracle@RH5-32-OR bin]$ ./sqlplus sys/abcd1234 as sysdba
  SQL*Plus: Release 11.1.0.6.0 - Production on Thu Jan 21 06:06:51 2010
  Connected to:
  Oracle Database 11g Enterprise Edition Release 11.1.0.6.0 - Production
  With the Partitioning, Oracle Label Security, OLAP, Data Mining,
  Oracle Database Vault and Real Application Testing options
  However, I cannot create a new user, getting error about insufficient privileges. I though since this is a sys login with role DBA, it should be allowed to create user.
  I also logged in to enterprise manager console using the same credentials, and navigated to: Security->Sys.
  - Under the system tab, and can see "Create User" granted.
  - Under the role tab, there is DBA granted.
  SQL> create user myuser identified globally;
  create user myuser identified globally
  ERROR at line 1:
  ORA-01031: insufficient privileges
  Where to check for previleges? And how to debug. I am really very surprised.
  Thanks.

  I don't have first hand experience of using Database Vault myself, but according the manual the default setup prevents SYSDBA from creating users when Database Vault is enabled (which I would guess is the case based on the banner posted above) This behaviour can be modified by the Vault administrator.
  http://download.oracle.com/docs/cd/B28359_01/server.111/b31222/db_objects.htm#BEIJIFGA

• OIM 9.1.0.2 provisioning privileges for user?

  Hi there,
  I can provision users to my DB. Great.
  However, if the user then logs on to the DB, they are rejected because they do not have connect privileges.
  How can I set up my provisioning so that the user is not only created in the DB, but also granted basic privileges that allow them access DB features?
  All the best, 2Hugh

  I am using the Standard Connector.
  The question is how do I use it?
  The tasks described below were performed in the Design Console as xelsysadm.
  I have opened the process Database Access Oracle User and ticked the auto-prepopulate and Autosave form.
  I've set up a pre-populate rule that calls this process and refers to the resource object called Database Access Oracle User RO. It only fires if the user created is in group Oracle.
  I've opened Form Designer and created a new version of UD_DB_ORA_U (Database Access Provisioning form for Oracle User). Within the pre-populate tab of this form, I've added pre-populate entries for username, password and IT resource.
  In the child tables tab under the UD_DB_ORA_U form, the roles and privileges tables are present.
  However, I can not see how I can configure these so that they get pre-populated with the other user pre-populate entries (IT resource, username and password).
  Any help with my impasse much appreciated.
  Thanks,
  2Hugh
  Edited by: 2hughg on 16-Feb-2011 07:31

• [Gnome] Sometimes (!) missing privileges for user

  Hello,
  every 10th or so boot, I don't seem to get all the rights I specified for my user - that means I'm unable to mount DVDs and under System I'm missing the shutdown/reboot/... options. That's very peculiar since usually it is there and I don't see any reason why sometimes it just doesn't work.
  Thanks
  Moritz

  If we gave you the solution to this issue, we would also give you the solution to your ability to change the stop time.
  It's unix, there may be a way of doing what you want. In this situation, I think it would be hard. You need to look into sudo.  To install a program you need admin priveleges.
  Robert

• Remove admin requirements for user font installation..

  I have been struggling with a solution to this issue.
  My web/design teams are constantly installing font packages on their windows 7. However, I cannot find a way to allow them to install fonts with their local accounts without giving them admin rights. I built a little batch file that I thought would take care
  of the issue when i deployed the machines, but it doesn't seem to be working (clears all attributes from c:\windows\fonts and gives ownership to the current user.
  Another issue is that we have decided (within group policy) to disable the admin escalation popups for standard users (whenever something requires admin access, it doesn't give them the option to type in user/pass).
  Any ideas guys? I would prefer to do this through a GP but I havent been able to find a solution
  Batch File Contents:
  attrib -r -s c:\Windows\Fonts
  takeown /f c:\Windows\Fonts /r /d n
  cacls c:\Windows\Fonts /e /t /g users:c
  cacls c:\Windows\System32\FNTCACHE.DAT /e /t /g users:c
  Registry Setting is :
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsot\Windows NT\Current Version\Fonts = full control.

  Check this post:
  http://community.spiceworks.com/topic/133185-how-can-a-standard-user-install-fonts-in-windows-7
  The last replies will show you how to solve this via GPO.
  Kind regards,
  Tim
  MCITP, MCTS, MCSA
  http://directoryadmin.blogspot.com
  This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.
  "If this thread answered your question, please click on "Mark as Answer"

• Remove encryption for users?

  Hi,
  Is it possible to remove the possibility for users to encrypt documents, both using certificates and password? I am a aware that a combination of removing DigSig.api and PKKlite.api, and setting FIPSMode will do the job. But is it a better way of achieving this?
  -Rasmus

  I removed the beforementioned plug-ins, but unfortunately this interefered with other critical Acrobat plug-ins. I created a pdf with buttons and actions, saved the document and closed Acrobat. When tried to open the document with Acrobat Pro the program would crash. After I reinstalled the plug-ins this behaviour stopped. Do I really have to sacrifice program functionality and reliability to keep my users from encrypting documents?
  -Rasmus

• How can I find exact username if I connected with sysdba privilege?

  I granted sysdba privilge to a database user. I can connect that user as sysdba. From that users session, 'show user' command showing "SYS" and also username from v$session is also showing "SYS". How can I find actual username used for connecting the database as sysdba?
  Steve Abraham

  user10247588 wrote:
  Thanks for the replay..
  But my requirement is that in our production system auditors want to give separate username for each administrators (they are not recommending sys and system).
  Normal dba privilege is not a problem. But for sysdba privilege every users are showing the user "SYS". How we can I identify which user is login to the database for a particular work if they connected as sysdba. How can I find which user did that (not just want the username "SYS", because all the administrators are identified by sys if they are connected as sysdba). If auditing is enabled how can I find the exact username. Because we are planning to give sysdba privilege to some of the administrators.
  Also, is there any option to find the username, if one user is initiate shutdown of the database?First Please close the thread and keep questioning in only one thread.
  then do not connect as sysdba

• ADDM Report is not produced by SQL DEV 4.0 if logged in user does not have SYSDBA privilege

  Hello -
  In SQLDEV 4.0 (Early Adapter), I logged in as user with no SYSDBA privilege granted. But ADVISOR granted and  execute on DBMS_ADDM granted and "select any dictionary" granted, etc.
  Then i go to the menu View --> DBA --> Performance --> Automatic Database Diagnostic Monitor
  Select ADDM report from the available choices.
  Out of 3 menu options: Summary, Findings and ADDM Report, I can see the first two, but I am getting a grey screen for ADDM Report.
  ^^^^^^^^^^^^^^^^^^^^^
  If i do exactly the same but login as SYSDBA, then ADDM Report can be produced and can be seen. So the issue is in the missing grants and privileges.
  ^^^^^^^^^^^^^^^^^^^^^^
  The goal that we are pursuing in our shop is to empower developers to work with ADDM reports by having them login as non-SYSDBA user.
  ^^^^^^^^^^^^^^^^^^^^^^^^
  Please advise what privilege should be granted to get this working for non-SYSDBA login
  The same user can successfully execute $ORACLE_HOME/rdbms/admin/addmrpt.sql and produce file with complete ADDM report. But not able to get the ADDM from SQL DEV 4.0
  Thank you,
  vr

  Thank you, Phil.
  This worked for me in my quick test case.
  Great help, as DBA group wants to allow NON-privileged users (like Developers and QA) to execute ADDM on demand.
  Here is my observation for RAC database with two instances.
  I have followed your instructions:
  "Performance / Automatic Database Diagnostic Monitor -> Run ADDM"
  Then
  - Uncheck box "By Creating New Snapshot" (this box was checked by default)
  - Provide new "Task Name" (let's say "vr1")
  - Select "Start Snapshot" (this is where my first confusion is: each screen shot # is shown twice, may be because i have two instances of RAC)
  - Select "End Snapshot" (the same way: each SNAP_ID is shown twice)
  - and finally APPLY button is pressed
  This creates 3 reports:
  vr1
  vr1$1 (for instance_id=1)
  vr1$2 (for instance_id=2_
  So, my question is: this expected and normal behavior of the tool?
  What if my RAC database has 8 instances? Then I would generate 9 separate ADDM reports?
  Is this correct observation?
  Thank you,
  vr

• ADDM Report is not produced if logged in user does not have SYSDBA privilege

  Hello -
  In SQLDEV 4.0 (Early Adapter), I logged in as user with no SYSDBA privilege granted. But ADVISOR granted and  execute on DBMS_ADDM granted and "select any dictionary" granted, etc.
  Then i go to the menu View --> DBA --> Performance --> Automatic Database Diagnostic Monitor
  Select ADDM report from the available choices.
  Out of 3 menu options: Summary, Findings and ADDM Report, I can see the first two, but I am getting a grey screen for ADDM Report.
  ^^^^^^^^^^^^^^^^^^^^^
  If i do exactly the same but login as SYSDBA, then ADDM Report can be produced and can be seen. So the issue is in the missing grants and privileges.
  ^^^^^^^^^^^^^^^^^^^^^^
  The goal that we are pursuing in our shop is to empower developers to work with ADDM reports by having them login as non-SYSDBA user.
  ^^^^^^^^^^^^^^^^^^^^^^^^
  Please advise what privilege should be granted to get this working for non-SYSDBA login
  Thank you,
  vr

  Thank you, Phil.
  This worked for me in my quick test case.
  Great help, as DBA group wants to allow NON-privileged users (like Developers and QA) to execute ADDM on demand.
  Here is my observation for RAC database with two instances.
  I have followed your instructions:
  "Performance / Automatic Database Diagnostic Monitor -> Run ADDM"
  Then
  - Uncheck box "By Creating New Snapshot" (this box was checked by default)
  - Provide new "Task Name" (let's say "vr1")
  - Select "Start Snapshot" (this is where my first confusion is: each screen shot # is shown twice, may be because i have two instances of RAC)
  - Select "End Snapshot" (the same way: each SNAP_ID is shown twice)
  - and finally APPLY button is pressed
  This creates 3 reports:
  vr1
  vr1$1 (for instance_id=1)
  vr1$2 (for instance_id=2_
  So, my question is: this expected and normal behavior of the tool?
  What if my RAC database has 8 instances? Then I would generate 9 separate ADDM reports?
  Is this correct observation?
  Thank you,
  vr

• New user with sysdba privilege gets connected as user sys

  hi ,
  I am using oracle 10g R2 . I have a user named test . I have provided sysdba privilege to this user . Now , when I login to this user as conn tkcsowner/password
  it gets connected , I created a table in that , the table data is fine . But, when I login as conn tkcsowner/password as sysdba , it connects , if I execute show user it shows "user is sys" , and the table is not here .
  My question is ............
  1. if I login to tkcsowner as sysdba , where do I login actually , to sys account or to tkcsowner ?
  2. I want to execute some stored procedures through tkcsowner , which requires sysdba privilege . But , how can I can execute those from tkcsowner , but not from sys ?
  Any additional info on this would be appreciated . thank you.

  My question is ............
  1. if I login to tkcsowner as sysdba , where do I login actually , to sys account or to tkcsowner ?Yes, teh correct behavior. If you would use the o/s authentication, you would be connected as Sys user since Oralce would bypass the supplied username and password of yours over the prompt.
  2. I want to execute some stored procedures through tkcsowner , which requires sysdba privilege . But , how can I can execute those from tkcsowner , but not from sys ?When you are going to connect with Sysdba role, you would be connected as Sys user. I am not sure what you exactly mean by saying that the procedure requires the Sysdba privilege? Procedure doesn't need any Sysdba privilege( there isn't such thing since its a role not a privilege) but the provilege of Execute on that procedure . So you do want to check it out what you are actually looking for and why?
  HTH
  Aman....

• Steps to find the password for users as sysdba

  What are the steps to find the password for users in dba_users as sysdba?
  It is in encrypted form ? How can I view it ?
  Pls tell in steps ?

  I asked for sysdba
  When he can change password why can't he view ?Can you see the users password on a windows domain? No
  Can you see the users password on a Unix box? No
  Can you see the users password on a mail server? No
  Why would it be different in Oracle?
  Why is hacking coming here ?Because it's something against the way the software works.
  This can, and is, dangerous to let the administrator (Oracle, MsSQL, Win*, Unix,...) know the users password for so many reasons. For example:
  . Privacy
  . Etiquette
  . Password reuse (password reused for Bank account, etc)
  . [insert a whole bunch of other good reasons I'm not going to bother writing]
  And anyway it is useless!
  Yoann.

• Can't retrieve folder privileges for a specific user

  I am trying to get the granted privilege for a specified user for a certain folder. I am using the wwsec_api.get_granted_user_privilege function. When I run my code, nothing is ever returned. Here is my code:
  l_priv_varchar := wwsec_api.get_granted_user_privilege(
  p_user_id => 0,
  p_object_type_name => 'FOLDER',
  p_name => '2889');
  p_user_id is from wwsec_person.id$
  p_object_type_name is my object type
  p_name is from wwv_corners.id
  I have looked at the properties of this folder and this user, 0, is set up as the owner. So I am expecting to see 'OWN' returned. I have another user set up to only VIEW the folder and when I put that user's id into the p_user_id parameter I still do not get any return. I can run this same code (with different parameter values) and get the privileges for a 'PAGE', but never for a FOLDER.
  Does anyone have this problem or can tell what I am missing?
  Thanks.
  null

  p_name for a folder is "sitename/parentfolder/foldername". You can see that in the syspriv_name field on the WWV_CORNERS table.

• Limited privileges for ReSA users

  Hi Experts,
  Can someone help me create users in Oracle Retail Sales Audit. Granting limited privileges to RMS users that only can only access Sales Audit or what script shall I use
  to grant limited privileges to roles like Manager and accounting Clerk?
  Thanks,
  Jeremy

  You may be able to do things with a script.
  Typical "Changing the EUL tables is a risky thing and could cause all sorts of problems..." disclaimers apply.
  I'm not sure how things work with responsibilities, but here's how they work for users.
  The query governor restrictions are stored in the EUL5EUL_USERS table. The "Warn user if predicted time exceeds..." value is stored in the EU_QUERY_EST_LMT column. The "Prevent queries from running longer than..." value is stored in the EU_QUERY_TIME_LMT column. The "Limit retrieved data to..." value is stored in the EU_ROW_FETCH_LIMIT column.
  You should be able to update these values with a simple update statement. Setting the values to 0 essentially acts as if there is no limit

• Task Privileges for Existing Users - Looking for a global update solution

  After some reading I understand that if you set the task privileges for the PUBLIC user in the Privileges section of Discoverer Administrator (10g), any new user created in the system will pick up the privileges you have assigned to the PUBLIC user.
  I currently have 4000+ users who have access to Discoverer Plus and the ability to create/edit queries. I want to limit who can access Discoverer Plus functionality to approximately 150 users.
  I have changed my PUBLIC user to NOT have privileges but this will only affect new users. Is there any way to restrict 4000+ users without having to go through each user individually and set the privileges.
  I am looking for a global update solution. I am wondering if this can be done through the back-end.

  Hi Mezzobella
  If you change the rights for the public user then other users, who have not been manually adjusted in any way, will automatically pick up the public rights. Therefore, if you have a lot of users that are not changing this means that at some point in their life you will have clicked OK or Apply on the screen with a user displayed. This now assigns the rights to that user as opposed to inheriting them from the public user.
  What you are describing is the perfect reason why you should not administer Discoverer using user accounts but to use roles or responsibilities instead.
  In your case you are now somewhat stuck. The programatic way to revoke these rights is to drop rows from the EUL5_ACCESS_PRIVS table but this could take longer than doing inside Discoverer. Basically, when a user has been granted privileges one row per privilege is inserted into this table. The column AP_EU_ID contains the ID of the user. The column GP_APP_ID is the one that tells you what privilege a user has. Here is a list of the privileges:
  1000 Desktop / Plus Privilege (U)
  1001 Create / Edit Query (U)
  1002 Item Drill (U)
  1003 Drill Out (U)
  1004 Grant Workbook (aka Sharing) (U)
  1005 Collect Query Statistics (U)
  1006 Admin Privilege (A)
  1007 Set Privilege (A)
  1008 Create / Edit Business Area (A)
  1009 Format Business Area (A)
  1010 Create / Edit Summaries (A)
  1011 Not used as far as can be determined
  1012 Schedule (U)
  1013 User is never required to schedule workbooks (U)
  1014 Save workbooks to database (U)
  1015 Managed scheduled workbooks (A)
  1016 This is an apps mode EUL
  1017 This is the user's assigned language
  1018 User is allowed to change password
  1019 to 1023 Not used as far as can be determined
  1024 Create Link (U)
  Note: A = Admin privilege, U = User privilege
  Theoretically you could manually delete rows from this table and that will revoke the rights. In reality, Oracle do not like it when inexperienced users manually the EUL as you could corrupt it. Therefore, any manual updates must be done with utmost caution after making sure you back up or have a copy of the table you will be updating - just in case.
  Try running this query to see the content:
  SELECT DECODE( AP_EU_ID, 104198, 'Viewer', 103697, 'Plus', 'Other' ) "Who" , AP_ID, AP_TYPE, AP_EU_ID, AP_PRIV_LEVEL, GP_APP_ID, GBA_BA_ID, GD_DOC_ID, AP_ELEMENT_STATE
  FROM EUL5_ACCESS_PRIVS
  Best wishes
  Michael