Restricting svcadm privileges to the owner of an instance

Similar Messages

• Change owner of an instance

  Hi,
  Is there a way to change the owner of an instance? I see in Link: [Changing the owner of a report|Changing the owner of the report] that this not possible for a report, but hopefully it is for report instances.
  My reason for wanting to do this is that I've imported 1000+ objects and instances from an old CE9 server usingthe Import Wizard and its kindly assigned the Administrator as the owner of all of them. Admitedly I hadn't configured the security by this time so it couldn't do much else. I would like to be able to return ownership to specific instances to the original owners without them having to rescuedule.
  I'm using BusinessObjects Enterprise XI 3.1 SP2 on IIS if it makes any difference.
  Any ideas?
  Thanks,
  Mike

  As for as i know for a existing instance you can not change the ownership. Once Administrator occupied thats instance then you can not cahnge back to any other..perhaps you can not change on other user name also.
  Thanks,
  Anil

• Is "parse as" the only way to restrict user privileges?

  I have an application which is working in a schema blabla_owner.
  Users do not need to log into this app, but I don't want them to be able to update data. Although I only have reports and no updateable forms or anything, my client is not very happy that all queries are implicitly done by the schema owner.
  I read that "parse as" can be used, so we created a user blabla_read that can only read in the owner's schema and selected this user in the "parse as" attribute of the application, but unfortunately using this mechanism we need to grant the select privileges directly instead of through a role.
  I tried changing the dad to use the readonly user but that is no use since the HTMLDB_PUBLIC_USER is only a dummy user and its privileges do not matter.
  Is there another way of accomplishing the following:
  - not requiring the users to log in
  - be sure all queries are done by a user with readonly privileges only
  - be able to use a role to grant privileges instead of doing this directly
  Thanks

  Not to put too fine a point on it, but as I said earlier An Apex application is no different than a "stored procedure" in that object privileges need to be granted directly to the parsing schema and not via a role
  The reason for this might be that DBMS_SYS_SQL.PARSE_AS_USER, the underlying mechanism used by Apex to parse all SQLs requires object privileges to be granted directly to the "parse as" schema (for security reasons), but in any case whatever the reason, it is what is.
  I have also "wished" many times that stored procedures/views would work with privileges granted through roles and not directly, but hey, what you gonna do?!

• Does the user have to be the owner of CWM2 objects to access them via OLAP API?

  Hi,
  What are required for RDBMS users to use OLAP API? Regarding page 6-9 of Oracle9i OLAP User's Guide 9.2.0.1, following access rights are required.
  CONNECT role
  QUERY REWRITE system privilege
  SELECT privilegs on the database objects containing the data to be analyzed
  So, I created a new user TEST1 and granted all the priviges above. Then I tried to create a new crosstab using New Crosstab Wizard in JDev903_pre(OLAPConnecton is using TEST1). When I choose a measure that is created in CWM1, I could create a crosstab without problem. But when I tried to create a crosstab from a measure that is created in CWM2 by OLAPSYS user, I recieved the following error.
  BIB-9509 Oracle OLAP did not create cusor.
  oracle.express.ExpressServerExceptionError class:OLAPI
  Server error descriptions:
  DPR: Unable to create server cursor, Generic at TxsOqDefinitionManager::createCursorManager
  OES: ORA, Generic at TxsRdbSelectStatement:execute()
  The curious thing is that I can create a crosstab from the same measure if I use another connection that uses OLAPSYS. Does the user that connects to CWM2 using OLAP API have to be the owner of those CWM2 objects?
  Thank you.
  Best Regards,
  Seiji

  The user does not have to be the owner of the cwm2 objects to access them. Access to cwm2 objects is based on database security. Therefore, if the user is not the owner of the object (if user is the owner, they obviously have access to the object), then as long as the user has been granted access to the underlying physical object (i.e., the table the dimension or cube has been mapped to), the user will be able to access the object.

• How to determine the owner of the current package ?

  From a package (that is defined with invoker's rights: AUTHID CURRENT_USER) I want to determine the owner of that package. (We plan to deploy the same code into multiple schemas.)
  One approach would be to parse the results of DBMS_UTILITY.format_call_stack . . . any other ideas?
  Thanks,
  Mike

  mtefft wrote:
  We are using Total Recall aka Flashback Data Archive.
  If you have a Flashback Data Archive on a table, you can not drop it without removing the archive, and to do that you need ADMINISTER FLASHBACK ARCHIVE privilege. We want to give users the ability to remove the flashback archive (this is an ALTER TABLE) from their own tables without granting that privilege.
  So, we have a utilty schema which has this privilege. We created a definer-rights package to issue the alter, but it does not have ALTER ANY TABLE privilege. So, we added an invoker-rights package that the table-owner can call. This first issues GRANT ALTER ON [input-table-name] TO itself, then calls the definer-rights package, which now has both the system privilege and the object privilege needed. Why not just create a procedure owned by an "admin" user that does the alter table and grant execute on the proc to the utility schema ?
  As an example with scott and sys (using sys in a real-world system would be a Bad Idea© but I'm on a playground database on my laptop) :
  As Scott :Scott@my11g SQL>!cat createTable.sql
  create table mytable (
  id integer,
  val varchar2(30),
  constraint mytable_pk primary key(id)
  Scott@my11g SQL>@createTable
  Table created.As admin user :Sys@my11g SQL>!cat startFlashback.sql
  alter table scott.mytable flashback archive fl_archive;
  Sys@my11g SQL>alter table scott.mytable flashback archive fl_archive;
  Table altered.
  Sys@my11g SQL>select * from dba_flashback_archive_tables;
  TABLE_NAME                     OWNER_NAME                     FLASHBACK_ARCHIVE_NAME
  ARCHIVE_TABLE_NAME                                    STATUS
  MYTABLE                        SCOTT                          FL_ARCHIVE
  SYS_FBA_HIST_79498                                    ENABLEDAs admin user, I create the procedure and grant execute to scott :Sys@my11g SQL>!cat createProc.sql
  create or replace procedure remove_flarch(
  p_tabname varchar2
  is
  l_strcmd varchar2(200);
  begin
  for cur in (
  select owner, table_name from dba_tables where owner=user and table_name=upper(p_tabname)
  ) loop
  l_strcmd := 'alter table '||cur.owner||'.'||cur.table_name||' no flashback archive' ;
  execute immediate l_strcmd ;
  end loop;
  end;
  sho err
  grant execute on remove_flarch to scott;
  Sys@my11g SQL>@createProc.sql
  Procedure created.
  No errors.
  Grant succeeded.As Scott I cannot disable the flashback archive explicitly :Scott@my11g SQL>alter table mytable no flashback archive ;
  alter table mytable no flashback archive
  ERROR at line 1:
  ORA-55620: No privilege to use Flashback ArchiveBut I can do it using the procedure :Scott@my11g SQL>begin
    2  sys.remove_flarch('MYTABLE');
    3  end;
    4  /
  PL/SQL procedure successfully completed.Checking from admin point of view :Sys@my11g SQL>select * from dba_flashback_archive_tables;
  no rows selected
  mtefft wrote:All is well, except for the fact that we want to deploy this under multiple schemas. So we need to know 'to whom should the ALTER TABLE grant be given?'Just grant execute on the procedure to your different users.

• Restricted session privilege in 9i and 10g

  We recently upgraded from 9.2.0.7 to 10.2.0.3. Oracle 9i allowed a user with RESTRICTED SESSION priv to connect (sqlplus user /@db) when the database was in restricted mode as it should. However, our Oracle 10g database will not allow a user with RESTRICTED SESSION privilege to log in after 'alter system enable restricted session' is executed. The DBA role does not work nor does granting the system privs CREATE SESSION and RESTRICTED SESSION directly to the user. The error I get when trying to log on is ORA-12526. Any advice on how to remedy this would be much appreciated.
  what is the alternative to achieve the same in 10g other than locally?
  Thanks,
  Vishal

  From 10g doc (Oracle® Database Administrator's Guide):
  Typically, all users with the CREATE SESSION system privilege can connect to an open database. Opening a database in restricted mode allows database access only to users with both the CREATE SESSION and RESTRICTED SESSION system privilege. Only database administrators should have the RESTRICTED SESSION system privilege. Further, when the instance is in restricted mode, a database administrator cannot access the instance remotely through an Oracle Net listener, but can only access the instance locally from the machine that the instance is running on.

• How to find the OWNER of a table with JDBC metaData?

  Hi,
  i write a dynamique dataBase gui for multiple dataBase (oracle, postgre..)
  I want to use JDBC meta data to configure the gui
  I can't find methode to optain a specifique table list for a owner...
  with getTablePrivileges I see the Grantor but not the owner (the grantor isn't always the owner)
  and I can't use schema because schema isn't supported by postgre
  some one can help me ?
  thanks a lot
  Christophe

  Yes of course but it is DataBase dependent...
  and I want to use different DataBase...And what sort of owner would you expect in a MS Access
  database?
  if they are only one user we work only whith one "schema owner" the data base is structured in this way
  but when multi user is possible we want to work with specifique relation beetwen different user ...
  we want to use users because more dataBase suppport multiple owner than multiple schema
  and generaly our information are divide in
  genereral and referential information ( explain of data and list of values etc ...)
  and the specifique data.
  And our GUI distingue the "META DATA" and the pure "DATA" and propose specifique properties to interact with those data
  i hope that my problem is better explain now .
  example we use
  resultSet = connection.getMetaData().getTables("","%","%",new String[]{"TABLE","VIEW"});
  to optain all the table and view
  resultSet = connection.getMetaData().getTablePrivileges(null,null,"tableName");
  to optain privileges for a table
  the trouble is that in specifique catatalog table like oracle we find a colomn whith the owner properites and when we use getTablePrivileges we can't see it idem for posgree
  Each privilige description has the following columns:
  TABLE_CAT String => table catalog (may be null)
  TABLE_SCHEM String => table schema (may be null)
  TABLE_NAME String => table name
  GRANTOR => grantor of access (may be null)
  GRANTEE String => grantee of access
  PRIVILEGE String => name of access
  IS_GRANTABLE String => "YES" if grantee is permitted to grant to others; "NO" if not; null if unknown
  has you see we have GRANTOR information but not OWNER information
  and the GRANTOR isn't allways the OWNER ...
  Christophe

• How can I change the OWNER of a table?

  How can I change the OWNER of a table entr2009mm ?
  Resp. the OWNER of all TABLES whose tablename match the pattern *2009* ?
  Peter

  Hello,
  There're different posiibilities, Export/Import can do it.
  But, if it's not a too large Table, you can use CTAS (from a user with DBA privilege for instance).
  Create Table <schema_target>.<table_name> as select * from <shema_source>.<table_name>;Then, you have to recreate the dependent objects (Index, ...) and drop the Source Table.
  If you have a set of Tables, it's better to use Export/Import.
  Hope this help.
  Best regards,
  Jean-Valentin
  Edited by: Lubiez Jean-Valentin on Feb 9, 2010 8:20 PM

• Only the owner of a versioned file can Check-In?

  Oracle iFS 1.1.9
  Server: Sun
  Client: Windows 2000 Pro
  I didn't create the file and I don't own the file. It is
  versioned and I have (Delete)(Modify)(Protected) privileges to
  the file through its ACL. I Check-Out the file. I edit the
  file. When I try to Check-In the file, I get "IFS-30064:
  Insufficient Access to change PublicObjects
  SecurityPublicObject".
  If I do the above steps as the owner of the file, It works.
  Should this be happening?
  Thanks,
  David Frankel

  What about ACL on the folders?

• Can't download Acrobat Pro because of "restrictive access privilege" on Mac

  I am prevented from downloading Acrobat Pro because of "restrictive access privilege" on a Mac Mavericks folder ("Applications", where else?),  yet I have allowed "Read & Write". I will not install anywhere else, so need assistance. Thanks.

  Mickey McFly please make sure you are downloading to your download folder or another folder besides your Applications folder.  Once Adobe Acrobat is downloaded you then can install the software to your Applications folder.

• Restricted admin privileges

  Hi,
  I am guessing not...but, is there any way to setup restricted admin privileges so an account only has privileges to bounce the server?
  Thanks.

  >
  I am guessing not...but, is there any way to setup restricted admin privileges so an account only has privileges to bounce the server?
  >
  Indeed, there was the sysoper privilege invented for that purpose.
  SQL> grant sysoper to fred;
  SQL> connect fred/pwoffred as sysoper;
  SQL> shutdown immediateKind regards
  Uwe
  http://uhesse.wordpress.com

• How to make my self administrator since I am the owner?

  I am not the administrator but am the owner what are the advantages of being an administrator? I have Spybot and does not go to far because I am Not the administrator

  I found an article addressing your issue: [http://www.safer-networking.org/faq/how-can-i-get-administrator-rights-under-windows-vista-or-windows-7/ How can I get Administrator rights under Windows Vista or Windows 7? | Spybot - Search & Destroy].
  If that doesn't help, could I suggest posing this question on a forum dedicated to Windows issues? They are more likely to be able to describe the pros and cons of giving the Owner user administrator privileges. Here are a couple of options:
  * [http://windowssecrets.com/forums/forumdisplay.php/52-Windows-7-Forum Windows 7 Forum | Windows Secrets Lounge]
  * [http://answers.microsoft.com/en-us/windows/forum/windows_7?auth=1 Windows - Microsoft Community]

• Can not find SeManageVolumePrivilege privilege in the process token

  I need to enable the privilege of SE_MANAGE_VOLUME_NAME(SeManageVolumePrivilege) in my application according to the article http://support.microsoft.com/default.aspx/kb/156932?p=1. 
  I called GetTokenInformation in my process to get all of the privileges: GetTokenInformation(hToken, TokenPrivileges, pTKPs, lenght, &lenght).
  On XP and Vista, I could find SeManageVolumePrivilege privilege in the process token, and I could enable it successfully. However, on Win7, I failed to find it in the process token. So I doubt maybe some setting of my login account is disabled.  But my Windows login account is belong to the Administrator group and I also add it to the "Perform volume maintenance tasks" of local policies->user rights assignment.
  Does anyone know about this issue? Thank you very much!

  You will only see the privilege if you have the Full token (ie if UAC is enabled, you must be elevated).
  thanks
  Frank K [MSFT]
  Follow us on Twitter, www.twitter.com/WindowsSDK

• Can you help me return a MacBook Air that I found to the owner?

  I found someone's Mac Book Air.  Can you help me determine the owner so that it can be reunited?

  Hi Detective Colombo,
  You need to contact your local brothers in blue - hopefully it was reported to them and they can reunite it with the owner.
  You can also contact Apple Support, and provide them with the serial number to see if the owner reported it to them, but that is not always successful.
  Good citizen, detective! We salute you!
  GB

• Changing the Owner from Peoplesoft8.8 to Peoplesoft 9.0 causes Data errors

  Hi
  for a particular task in DAC, i changed a parameter in Parameter sub-tab of Tasks Tab in the Design view. the Default one was Dept_Security which i changed to Division_Tree. the Owner for Dept_security was Peoplesoft 8.8 in the Parameter sub-tab of the tasks tab (SDE_PSFT_Stage_InternalOrganizationDimension_DepartmentHierarchy_GetDept), when i changed this Parameter to Division_tree, the Owner was changed to the custom container we created out of exisitng delivered container.
  i am not able to predict if this causing the problem, whats happening is the ETL Process loads multiple Department and Division related dimensions and facts and its is doing that by incrementing the data by 1 each time. for example: the headcounts are always one at any point of time selected. but after changing this parameter i guess, the ETL Process is triggered five times and so facts and related dimensions are loaded five times in Data warehouse.
  what possible changes or errors in DAC or Informatica could cause this issue. i never heard this type of issue on web. this is not data issue in Source i guess.
  thank you
  kumr

  This issue has been corrected and a supported fix can be download from
  http://support.microsoft.com/kb/3038387
  This is already included in Host Integration server 2010 Cumulative Update 10 available at
  http://support.microsoft.com/kb/2917398
  Manfred MIttermüller
  - MSFT -