Removing users' ability to grant object privileges

I have a security need where I would like to remove the ability for user A to grant privileges on user A's objects to user B.
We have a complex development shop where developers are creating a nightmare for database security. Is there a means by which all development "grants" must be granted through the DBA?

If user A owns a particular object, that user by definition has permission to grant privileges on that object. Nothing the DBA can do will prevent this.
Generally, organizations will structure things so that developers are not logging in to the schemas where objects are created, at least not in the production or staging environments. If you have a central schema A that owns objects, and developers have individual schemas B-Z, developers can write code in their own schema and, when it is at an appropriate point, submit the code to the DBA to get added to the central schema A. If you create appropriate synonyms, developers won't need to know (or care) where the actual tables/packages/etc. are located.
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC
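The layout Justin describes, written out as an added SQL example (this is not code from the original post): a central owner schema holds the tables, a role carries the object privileges, and each developer schema gets private synonyms so developer code never names the owner schema. The schema, role and table names (APP, APP_READ, DEV_B, ORDERS) and the tablespace USERS are assumptions.

```sql
-- Added example, not from the original post.
-- Names APP, APP_READ, DEV_B, ORDERS and tablespace USERS are assumed.

-- 1. Owner schema: locked, so nobody (developers included) logs in to it.
--    The DBA creates objects in it with schema-qualified DDL instead.
CREATE USER app IDENTIFIED BY "replace-at-install" ACCOUNT LOCK;
ALTER USER app QUOTA UNLIMITED ON users;

CREATE TABLE app.orders (
  order_id  NUMBER        PRIMARY KEY,
  customer  VARCHAR2(100) NOT NULL,
  amount    NUMBER(12,2)  NOT NULL
);

-- 2. Object privileges live on a role, and are granted by the DBA only.
--    No WITH GRANT OPTION: whoever holds the role cannot pass it on.
CREATE ROLE app_read;
GRANT SELECT ON app.orders TO app_read;

-- 3. A developer schema gets the role plus a private synonym.
CREATE USER dev_b IDENTIFIED BY "replace-at-install";
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE, CREATE SYNONYM TO dev_b;
GRANT app_read TO dev_b;
CREATE SYNONYM dev_b.orders FOR app.orders;

-- 4. Developer code (run as DEV_B) references the synonym only; where the
--    table actually lives is the DBA's concern and can change later.
SELECT order_id, amount
  FROM orders
 WHERE amount > 100;

-- 5. Caveat: privileges received through a role are not visible to
--    definer's-rights PL/SQL, so a stored procedure in DEV_B that reads
--    ORDERS will not compile with only the role. For compiled code the DBA
--    grants directly to the schema, again without WITH GRANT OPTION.
GRANT SELECT ON app.orders TO dev_b;
```

When the developer's procedure is accepted for production, the DBA recreates it in APP, where it owns the table outright and the direct grant to DEV_B can be revoked.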

Similar Messages

  • Which view can I query to get the object privileges granted to a user?

    Hi all,
    Which view can I query to get the object privileges granted to a user?
    For example:
    grant execute on accounting.get_name to scott;
    Which view has the above object grant information?
    Thanks

    SQL> select * FROM all_tab_privs where grantor = upper('accounting');
    no rows selected
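Added SQL example (not from the original thread) showing the dictionary views that record a grant such as the one in the question; ACCOUNTING, GET_NAME and SCOTT are the names from the question. The DBA_ view needs the SELECT ANY DICTIONARY or DBA privilege; the USER_ views work from the grantor's and grantee's own sessions.

```sql
-- Added example, not from the original thread.
-- The grant being looked up:  GRANT EXECUTE ON accounting.get_name TO scott;

-- As a DBA: every object privilege in the database, including who granted it.
SELECT grantee, owner, table_name, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE grantee = 'SCOTT'
   AND owner   = 'ACCOUNTING';

-- As ACCOUNTING (the grantor): grants I have made on my own objects.
SELECT grantee, table_name, privilege, grantable
  FROM user_tab_privs_made
 WHERE grantee = 'SCOTT';

-- As SCOTT (the grantee): grants I have received.
SELECT owner, table_name, privilege, grantor
  FROM user_tab_privs_recd
 WHERE owner = 'ACCOUNTING';

-- Why the ALL_TAB_PRIVS query in the thread can return no rows:
-- ALL_TAB_PRIVS only lists grants where the current session is the owner,
-- grantor or grantee (or the grantee is PUBLIC / one of its enabled roles).
-- A third account, even a DBA, sees nothing for ACCOUNTING -> SCOTT there;
-- DBA_TAB_PRIVS is the complete list. Dictionary names are stored in upper
-- case, so the upper('accounting') comparison itself is fine.

-- Periodic review query: privileges that the holder can pass on to others.
SELECT grantee, owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantable = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, owner, table_name;
```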

  • Granting object privileges to remote users.

    Hello,
    Here's the situation:
    I have 2 databases located on 2 different servers both running Win2k3. In the first database the main schema is M1 and it has to read objects on another schema M2, located on the second database.
    I created a database link on the first database, to point to the second database:
    create database link connect2M2db connect to M2 identified by M2 using 'connect2M2db'
    Now I would like to grant object privileges (insert, update, delete) to M1 on M2's objects. Can anyone tell me how to do that?
    Thanks in advance.

    I didn't put the whole thing (my bad), but your reply was helpful. As I said before, I have 2 DBs on 2 different servers. I created the dblink on the first server. I also created synonyms on the first server using the following syntax:
    "create or replace synonym syn_name for user2.table" which from the link you provided me, is wrong as I didn't append the dblink name.
    After that, I would like to grant object privileges to user1, by executing the command from server2. For doing that, is the following syntax correct: "grant select on table_name to user1". My issue is that user1 does not exist on server2. Should I rather use the following: "grant select on table_name@dblink to user1"?
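Added SQL example (not from the original thread) of how the pieces fit together across a database link: object privileges are granted on the database that owns the objects, to the account the link connects as, and the synonym on the calling side must carry the link name. The link name CONNECT2M2DB and schema M2 come from the thread; the dedicated link account M2_LINK and the table CUSTOMERS are assumed.

```sql
-- Added example, not from the original thread.
-- CONNECT2M2DB and M2 come from the thread; M2_LINK and CUSTOMERS are assumed.

-- On the SECOND database (where M2's objects live), as a DBA.
-- A link that connects as the schema owner (CONNECT TO M2) carries every
-- privilege M2 has; a dedicated account holds only what the caller needs.
CREATE USER m2_link IDENTIFIED BY "replace-at-install";
GRANT CREATE SESSION TO m2_link;
GRANT SELECT, INSERT, UPDATE, DELETE ON m2.customers TO m2_link;

-- On the FIRST database, as M1. The remote session runs as M2_LINK, so
-- M1 can do exactly what M2_LINK was granted above, and nothing else.
CREATE DATABASE LINK connect2m2db
  CONNECT TO m2_link IDENTIFIED BY "replace-at-install"
  USING 'connect2M2db';

-- The synonym names the remote object as owner.table@link; without the
-- @link suffix it would silently point at a local M2.CUSTOMERS.
CREATE OR REPLACE SYNONYM customers FOR m2.customers@connect2m2db;

-- Resolves to m2.customers@connect2m2db and is checked against M2_LINK's grants.
SELECT COUNT(*) FROM customers;

-- Note: GRANT cannot name a remote object (owner.table@link); DDL through
-- a link is not allowed, which is why the grant has to be run on the
-- second database, where the grantee is the link account, not M1.
```

Keeping the link account separate from the schema owner also means that if the link's password is ever exposed in a script or export, what it unlocks is limited to the listed privileges on one table.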

  • Accidentally removed the ability to use remote desktop

    Hi,
    Thanks to anyone that can assist.
    Using SBS2011 Standard:
    Whilst remotely connected and investigating ways to allow an ordinary domain user to have login access to the server, I inadvertently removed the ability of the primary domain admin user to gain access with remote desktop. By primary domain admin
    user, I mean the default user created for administrative purposes at SBS set up/install time.
    I was able to regain remote desktop access by adding this user to the Remote Desktop Users group. However, this is really a workaround rather than proper corrective action. I know that this is not necessary in a basic default setup of SBS2011 as there are
    other almost identical servers I look after where I have not needed to do this and yet still have remote desktop connection capability with "out of the box" settings.
    Also, I would really like to find out what mistake I made so that I can avoid doing this again.
    Tricky

    Hello Larry,
    Your suggestion of comparing ADUC across servers was one that I had already thought of and done but I did not notice any differences. Nonetheless, your post suggested to me that I ought to recheck my steps, so I revisited it and was mortified to find that
    somehow the admin user was no longer a member of Administrators. I am baffled as to how I managed to achieve this because to the best of my memory, Administrators group membership was not one of the things I looked at in connection with my intent (read on
    for my logic in this respect).
    I suspect that this might be the problem! I will attempt to rectify and return to this thread in due course.
    WRT granting a user logon rights at the server, I hear what you are saying and even said the same to myself. But let's just for the moment look at the real world rather than the ideal world. Many SBS installations are in the types of businesses that are,
    let's face it, small (after all that is what the first S in SBS stands for). Such businesses cannot afford qualified IT personnel and as such need to designate certain trusted members of staff to carry out some of the things that, if they had any, IT personnel
    would normally do. For example, swapping external USB hdd's and monitoring backup success/failure.
    Rather than allow them to logon to the server as an administrator, safer I would have thought to allow them to logon as a user. Unless you can tell me of a way that this can be done from a user logon at their client PC? My knowledge is not encyclopaedic
    so I am open to suggestions of a better way if such a way exists.
    Tricky

  • Prevent User from receiving grant.

    Hi,
    I have one database "user", to whom I have assigned "The role". All the needed access is assigned to "The role".
    Now, whenever my team members create a new table or procedure, I expect them to grant the necessary privileges to "The role" and not to "user". Hence, I want to prevent them from granting any privileges directly to "user".
    How can I achieve this?

    Hi
    Check this too..
    grant privileges for future object?
    you automate the process, to the role..
    - Pavan Kumar N
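One way to enforce the rule asked about here, as an added SQL example (not from the thread and not Pavan's suggestion): a database-level DDL trigger that fires before every GRANT and rejects any grant naming the shared account directly, so privileges have to go to the role. The same trigger reserves WITH GRANT OPTION for the DBA, which also bears on the opening question on this page about users re-granting their privileges. The account, role and DBA names (APP_USER, APP_ROLE, SEC_DBA) are assumed.

```sql
-- Added example, not from the original thread.
-- APP_USER (the shared account), APP_ROLE and SEC_DBA (the exempt DBA) are assumed.
CREATE OR REPLACE TRIGGER enforce_role_grants
  BEFORE GRANT ON DATABASE
DECLARE
  v_grantees ora_name_list_t;   -- filled by ora_grantee()
  v_count    PLS_INTEGER;
BEGIN
  -- The DBA account may still manage the shared user directly.
  IF ora_login_user = 'SEC_DBA' THEN
    RETURN;
  END IF;

  -- Nobody else may hand out privileges that can be re-granted.
  IF ora_with_grant_option THEN
    RAISE_APPLICATION_ERROR(-20402,
      'WITH GRANT OPTION is reserved for the DBA');
  END IF;

  -- Reject any grant whose grantee list contains the shared account.
  v_count := ora_grantee(v_grantees);
  FOR i IN 1 .. v_count LOOP
    IF v_grantees(i) = 'APP_USER' THEN
      RAISE_APPLICATION_ERROR(-20401,
        'Grant to APP_ROLE, not directly to APP_USER: '
        || ora_dict_obj_owner || '.' || ora_dict_obj_name);
    END IF;
  END LOOP;
END;
/

-- As a developer in their own schema:
GRANT SELECT ON my_table TO app_user;                     -- rejected, ORA-20401
GRANT SELECT ON my_table TO app_role;                     -- allowed
GRANT SELECT ON my_table TO app_role WITH GRANT OPTION;   -- rejected, ORA-20402
```

The trigger only governs grants issued after it is created; existing direct grants to APP_USER are still listed in DBA_TAB_PRIVS under GRANTEE = 'APP_USER' and have to be moved to the role by hand. Keep the exempt account list short and use the account name, not a role, since ora_login_user reports the session user.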

  • How to create a new user without any sample objects from any other user?

    Question as the title.
    I had the example database installed when I installed the Oracle database.
    Every time, when I create a new user, there will be some example objects coming
    with the new user.
    How can I remove these objects from the new user?
    Or, how can I create a new user without the example objects?
    Thanks in advance.

    I think the easiest way for you would be to use OEM.
    Just locate each object that you want to remove and right click->remove. Don't bother doing this for any indexes as these will be removed when you drop the corresponding tables.
    If you want to try command line through sqlplus then identify the objects you want to remove by selecting from the user_objects view while logged in as this user. This will give you the name and type of object. Then issue the relevant drop command.
    It's probably worth making sure you have a valid backup first, just in case things go wrong!

  • Removing the ability to drag columns

    In 11g the end-user has the ability to change the position of columns on a request... change the order, make them section headers etc.
    I want to remove that ability - any one been able to do this and can let me know how its done, please?
    Thanks - and 10 points to the first correct answer!!

    Hi User,
    Not possible for now. Open bug with Oracle:
    BUG:10222173 - ABILITY TO DISABLE DRAG AND SORT FUNCTIONALITY OF COLUMNS
    Rgds,
    Dpka

  • How to Remove User from Built in Administrators group With Group Policy Enabled

    Hi,
    I want to remove a user from the Administrators group, which is in a Restricted Group, so I cannot remove him through Active Directory. What is the way to remove a user from the Administrators restricted group?
    Thanks
    Jibran Ishtiaq

    > Disable Group policy
    "Edit", not "Disable"
    > Under Domain click Delegation and went to the restricted group account.
    > Remove User from group.
    Why "Delegation"? Simply edit the GP object where the "Restricted
    Groups" setting is in place...
    > Also we have two DNS but one from where I remove account is the primary.
    How is DNS related to group policy?
    Martin
    How about reading a GOOD book on GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • OIA webservice for removing user role

    Hi,
    I need information regarding the web services exposed in OIA for removing roles etc. We need it in our environment, where we may not have the privilege to make database queries directly for removing user roles.
    (The use case is as follows:
    when a user is disabled in OIM, the associated database resource (DBAT; the OIA database is used; rbx_users) is disabled, and the user's role is to be removed.)
    How can this be achieved via a web-service call?
    any pointers will be helpful
    regards,
    chhavi

    Hi Pallavi,
    I have the same problem; can you provide me with more specific details?
    - the exact oimjdbc.properties location, please?
    - what exactly do I have to modify?
    Thanks in advance!

  • CSOM: remove user at web application level

    Hi,
      I want to remove a user at web application level so that the user will permanently be removed from all the site collections including their sub sites. I want to do it for SharePoint 2013 CSOM (C#) for an Office 365 site.
    Please guide me.
    Regards,
    Chaitanya.

    Using the Apps server object model is not possible. But mine is not an app, it's a console application. I will maintain a list which has 2 fields, peoplepicker and expirydate. Based on the content of the list I will remove the users from the web-application level
    directly, if users expirydate is matched. This exe of console application will be put in a scheduler of another server to run it periodically.
    Please let me know my above scenario is possible or not?
    Regards,
    Chaitanya.

  • How to remove User IDs for deleted users from the Disk Quota list

    Hello,
    We have a computer lab setup with an Xserve managing 15 stations in the lab. Users are set up with networked home directories and quotas are set up on the drive containing the home directories to limit users' storage.
    The user account and the quota limit are setup with Workgroup Manager. When a student has been gone for a while and we are sure they no longer need the account we delete their account within Workgroup Manager and move their Home folder to the trash.
    When viewing disk usage in Server Admin (by selecting the volume and clicking the Quotas tab) user ids for deleted users are listed and it still shows the disk usage and quota settings for the user.
    How can I remove these user ids from the quota list?
    Any help would be appreciated.
    Brian

    I would restore the User's file structure back to normal just by copying from a standby user?
    Did you mean copy files to a new user profile? If so, hope this link can be helpful for you
    http://windows.microsoft.com/en-in/windows/fix-corrupted-user-profile#1TC=windows-7
    For the unknown user, as you said, it's probably a user account from second OS or
    action. If you're annoyed about this unknown user, then you can remove all occurrences of granted rights to the specified SID with this command: icacls [/remove[:g|:d]] <Sid>[...]] [/t] [/c] [/l] [/q]
    http://technet.microsoft.com/en-us/library/cc753525.aspx
    Yolanda Zhu
    TechNet Community Support

  • ODI not able to detect primary/foreign keys from XML- user lacks privilege or object not found

    Hi Guys,
    I'm trying to load an XML file with two entities, address and employee, as below. The topology reverse engineering everything works fine. I'm even able to view the XML data in ODI, but when I try to load the data from these two entities joining by the schema primary keys and foreign keys which ODI created on the reverse engineering process for XML, I'm getting the below error. I'm able to load data from one entity; the error only occurs when I use the join ODI creates internally to identify the XML components employee and address.
    XML File:
    <?xml version="1.0" encoding="UTF-8" ?>
    <EMP>
    <Empsch>
    <Employee>
    <EmployeeID>12345</EmployeeID>
    <Initials>t</Initials>
    <LastName>john</LastName>
    <FirstName>doe</FirstName>
    </Employee>
    <Address>
    <WorkPhone>12345</WorkPhone>
    <WorkAddress>Test 234</WorkAddress>
    </Address>
    </Empsch>
    </EMP>
    Topology:  jdbc:snps:xml?f=C:/Temp/RR/Empsch.xml&s=Empsch&re=EMP&dod=true&nobu=false
    Error Message:
    -5501 : 42501 : java.sql.SQLException: user lacks privilege or object not found: EMPSCH.EMPSCHPK
    java.sql.SQLException: user lacks privilege or object not found: EMPSCH.EMPSCHPK
        at org.hsqldb.jdbc.Util.sqlException(Unknown Source)
        at org.hsqldb.jdbc.JDBCPreparedStatement.<init>(Unknown Source)
        at org.hsqldb.jdbc.JDBCConnection.prepareStatement(Unknown Source)
        at com.sunopsis.jdbc.driver.xml.SnpsXmlConnection.prepareStatement(SnpsXmlConnection.java:1232)
        at sun.reflect.GeneratedMethodAccessor65.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at oracle.odi.core.datasource.dwgobject.support.OnConnectOnDisconnectDataSourceAdapter$OnDisconnectCommandExecutionHandler.invoke(OnConnectOnDisconnectDataSourceAdapter.java:200)
        at $Proxy2.prepareStatement(Unknown Source)
        at oracle.odi.runtime.agent.execution.sql.SQLCommand.doInitializeStatement(SQLCommand.java:83)
        at oracle.odi.runtime.agent.execution.sql.SQLCommand.getStatement(SQLCommand.java:117)
        at oracle.odi.runtime.agent.execution.sql.SQLCommand.getStatement(SQLCommand.java:111)
        at oracle.odi.runtime.agent.execution.sql.SQLDataProvider.readData(SQLDataProvider.java:81)
        at oracle.odi.runtime.agent.execution.sql.SQLDataProvider.readData(SQLDataProvider.java:1)
        at oracle.odi.runtime.agent.execution.DataMovementTaskExecutionHandler.handleTask(DataMovementTaskExecutionHandler.java:70)
        at com.sunopsis.dwg.dbobj.SnpSessTaskSql.processTask(SnpSessTaskSql.java:2913)
        at com.sunopsis.dwg.dbobj.SnpSessTaskSql.treatTask(SnpSessTaskSql.java:2625)
        at com.sunopsis.dwg.dbobj.SnpSessStep.treatAttachedTasks(SnpSessStep.java:577)
        at com.sunopsis.dwg.dbobj.SnpSessStep.treatSessStep(SnpSessStep.java:468)
        at com.sunopsis.dwg.dbobj.SnpSession.treatSession(SnpSession.java:2128)
        at oracle.odi.runtime.agent.processor.impl.StartSessRequestProcessor$2.doAction(StartSessRequestProcessor.java:366)
        at oracle.odi.core.persistence.dwgobject.DwgObjectTemplate.execute(DwgObjectTemplate.java:216)
        at oracle.odi.runtime.agent.processor.impl.StartSessRequestProcessor.doProcessStartSessTask(StartSessRequestProcessor.java:300)
        at oracle.odi.runtime.agent.processor.impl.StartSessRequestProcessor.access$0(StartSessRequestProcessor.java:292)
        at oracle.odi.runtime.agent.processor.impl.StartSessRequestProcessor$StartSessTask.doExecute(StartSessRequestProcessor.java:855)
        at oracle.odi.runtime.agent.processor.task.AgentTask.execute(AgentTask.java:126)
        at oracle.odi.runtime.agent.support.DefaultAgentTaskExecutor$2.run(DefaultAgentTaskExecutor.java:82)
        at java.lang.Thread.run(Thread.java:662)
    Caused by: org.hsqldb.HsqlException: user lacks privilege or object not found: EMPSCH.EMPSCHPK
        at org.hsqldb.error.Error.error(Unknown Source)
        at org.hsqldb.ExpressionColumn.checkColumnsResolved(Unknown Source)
        at org.hsqldb.QueryExpression.resolve(Unknown Source)
        at org.hsqldb.ParserDQL.compileCursorSpecification(Unknown Source)
        at org.hsqldb.ParserCommand.compilePart(Unknown Source)
        at org.hsqldb.ParserCommand.compileStatement(Unknown Source)
        at org.hsqldb.Session.compileStatement(Unknown Source)
        at org.hsqldb.StatementManager.compile(Unknown Source)
        at org.hsqldb.Session.execute(Unknown Source)
        ... 27 more
    Please advice
    Thanks
    Revanth

    That's obvious from the XML file contents you have given here. In this XML file you have four complex types. Two of them are employee and address. However, the employee does not have any relation with address as you have not added the relationship. That's why it's failing. It's not the fault of ODI.
    Also I would suggest not to use the auto-generated DTD by ODI as you might face problems in future. For example the address type of XML has 8 attributes and 4 of them are not mandatory. That means each of your XML files may have between 4 and 8 attributes. This is where the ODI auto-generated DTD fails.
    XML Schema complexType Element
    Thanks
    Bhabani

  • Unable to add/remove users in Mountain Lion Server (Options are greyed out)

    For some reason, I'm unable to add/remove users in Mountain Lion server. The + and - are greyed out. It seems like something is wrong with the permissions because it looks like it can't write to the Ldav3 file (although that may be speculation). Does anyone have any advice for me? I URGENTLY need to add users.
    Maybe there's a way to restore default permissions for the boot drive (if that in fact is the issue). Hopefully there is a way that I can fix this while leaving all users, groups, their permissions and shares intact.

    Anything interesting and relevant in the server logs?
    Anything interesting in the server alerts?
    Since it's far and away the most common cause of problems with OS X Server and with distributed authentication (Open Directory is entirely based on network encryption and digital certificates and on responses from your local DNS server(s)), verify your local DNS configuration is working and requires no changes with the following Terminal.app (Applications > Utilities) harmless, diagnostic command:
    sudo changeip -checkhostname
    sudo requires an administrative password.  You might get a one-time warning about the sudo, and that can safely be ignored.  The command will display some details, and indicate whether the local configuration appears valid and no changes are required, or further diagnostics for (most) common errors that can arise.

  • Can we give UNIQUE ACCESS FOR THE SPECIFIC FILE IN THE LIBRARY in SP2013? How can we remove users from SHARED WITH link where files are shared with users?

    Hi,
    Any help on this?
    Thanks
    srabon

    Hi srabon,
    For giving unique access for a specific file in a library, you can go to the library, select the file, and click FILES->Shared With->ADVANCED; under the PERMISSION ribbon, click 'Stop Inheriting Permissions', then the file will have unique permissions.
    For removing the shared users for a file, firstly, like the above steps, select the file, and click FILES->Shared With->ADVANCED, make sure the file has unique access, then select the users that you want to remove, and click Remove User Permissions
    under the PERMISSIONS ribbon.
    I hope this helps.
    Thanks,
    Wendy
    Wendy Li
    TechNet Community Support

  • Project Server 2013 - Remove user from resource pool via sync

    Hello everyone,
    has anyone managed to configure their Project Server 2013 box with a resource pool sync that will actually remove user from the resource pool (disable "User can be assigned as resource" or deactivate users) when the user is removed from the AD
    group(s)?
    Setup: Single box, SQL 2012 SP1, SharePoint/Project Server 2013 + PU March + CU April. 2 PWA instances, 1 in SharePoint and 1 in Project permission mode. Tried on 2 different machines (different setup, accounts, domains).
    Proceedings:
    Create AD user U, AD group G. Add U to G.
    Go to PWA, setup resource pool sync with G, sync.
    U is now in the resource pool, has no PWA permissions.
    Remove U from G. Resync resource pool.
    U is still in resource pool, still a resource, still active, can still be assigned as resource.
    Adding U back to G and repeating the whole spiel with a resource pool and a PWA group sync of G will result in U being added and removed from the user list (as expected), and U being added but not removed from the resource pool.
    Having read
    http://technet.microsoft.com/en-us/library/gg982985.aspx and
    http://technet.microsoft.com/en-us/library/gg750243.aspx, there does not seem to be an omission on my part.
    The first article states:
    Note:
    The corresponding Project Server User Account is not deactivated based on this synchronization. If the same Active Directory user is configured to synchronize with a Project Server security group, the Project Server user account will be inactivated when
    that synchronization occurs. For more information, see
    Best practices to configure Active Directory groups for Enterprise Resource Pool synchronization in Project Server 2013.
    Unfortunately, this deactivation either does not seem to occur even with a PWA group sync or I misunderstood the article.
    So, did anyone manage to setup their resource pool sync in a way, that new resource will be added, but also be removed from the resource pool?
    Kind regards,
    Adrian

    Hi Adrian,
    you tried to sync the same AD group that you used for the resource pool sync also with a Project Server permission group?
    And on removal of the user of the AD group the project user/resource is not deactivated? Only removed from the group
    Regards
    Christoph
    Hi  Christoph,
    even though I might have tried that before, I tried it again in several constellations. It didn't change anything. The user will be properly added to and removed from the PWA group whenever I remove them from the AD group, the user will also stay active
    (but cannot logon without permissions). However, the user will always remain in the resource pool, i.e. the "User can be assigned as resource." checkbox will remain unless it is cleared manually.
    Having re-read the technet articles, none of the scenarios actually seem to describe or address the process that I require, or maybe I'm just misunderstanding. Let me just try to outline the core issue:
    Add user to AD group. Sync AD group with resource pool. User is now a PWA resource and PWA user.
    Remove user from AD group, but do not deactivate/delete user from AD.
    (Magic happens!)
    User cannot be assigned as resource in PWA.
    So, is there anything to make this step 3 happen, or is it just not possible to sync users out of the resource pool anymore unless they are deleted/deactivated in AD?
    Kind regards,
    Adrian
