Restricting svcadm privileges to the owner of an instance
I have installed JBoss and run separate instances of it. Each instance is started and stopped using its own method_credentials in the instance manifest. So instance 1 is owned by user 1 and so on.
On top of that I have created properties that can be assigned to each user allowing them to stop and start their instance:
<property_group name='general' type='framework'>
<propval name='modify_authorization' type='astring'
value='solaris.smf.manage.jboss' />
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.jboss' />
</property_group>
The question is: How do I limit users to being able to stop and start only their own instance?
OK, value_authorizations allows the user to change existing properties in the service whereas modify_authorization also allows the user to create and delete properties.
So, rather than specifying the properties in the service manifest, I should specify the following in the instance manifest.
<property_group name='general' type='framework'>
<propval name='value_authorization' type='astring'
value='solaris.smf.manage.jboss.user1' />
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.jboss.user1' />
</property_group>
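An added example, not part of the original post: a manifest audit that flags the layout from the question (an authorization set at service level, one reused across instances, or a modify_authorization) and passes the per-instance layout from the answer. The manifests are constructed and abridged, audit and auths are hypothetical helper names, and it assumes instances inherit a service-level general group they do not override.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

AUTH_PROPS = ("action_authorization", "value_authorization", "modify_authorization")

# Constructed manifests (abridged): the question's shared group vs the answer's per-instance one.
SHARED = """<service_bundle type='manifest' name='jboss'>
<service name='application/jboss' type='service' version='1'>
 <property_group name='general' type='framework'>
  <propval name='modify_authorization' type='astring' value='solaris.smf.manage.jboss'/>
  <propval name='action_authorization' type='astring' value='solaris.smf.manage.jboss'/>
 </property_group>
 <instance name='user1' enabled='false'/>
 <instance name='user2' enabled='false'/>
</service></service_bundle>"""

PER_INSTANCE = """<service_bundle type='manifest' name='jboss'>
<service name='application/jboss' type='service' version='1'>
 <instance name='user1' enabled='false'>
  <property_group name='general' type='framework'>
   <propval name='value_authorization' type='astring' value='solaris.smf.manage.jboss.user1'/>
   <propval name='action_authorization' type='astring' value='solaris.smf.manage.jboss.user1'/>
  </property_group>
 </instance>
 <instance name='user2' enabled='false'>
  <property_group name='general' type='framework'>
   <propval name='value_authorization' type='astring' value='solaris.smf.manage.jboss.user2'/>
   <propval name='action_authorization' type='astring' value='solaris.smf.manage.jboss.user2'/>
  </property_group>
 </instance>
</service></service_bundle>"""

def auths(node):
    """Authorization properties set directly in node's 'general' property group."""
    return {pv.get("name"): pv.get("value")
            for g in node.findall("property_group") if g.get("name") == "general"
            for pv in g.findall("propval") if pv.get("name") in AUTH_PROPS}

def audit(manifest_xml):
    """Return sorted (scope, issue, authorization) findings for one manifest."""
    findings = set()
    for svc in ET.fromstring(manifest_xml).iter("service"):
        holders = defaultdict(set)  # authorization -> instances that name it
        for node in [svc, *svc.findall("instance")]:
            for prop, auth in auths(node).items():
                if node is svc:  # one authorization covering every instance
                    findings.add((svc.get("name"), "service-level", auth))
                else:
                    holders[auth].add(node.get("name"))
                if prop == "modify_authorization":  # may also create/delete properties
                    findings.add((node.get("name"), "modify", auth))
        for auth, insts in holders.items():
            if len(insts) > 1:  # two owners holding the same authorization
                findings.add((",".join(sorted(insts)), "shared", auth))
    return sorted(findings)

if __name__ == "__main__":
    for name, doc in (("shared", SHARED), ("per-instance", PER_INSTANCE)):
        print(name, audit(doc) or "no findings")
```

An empty result means every authorization in the manifest is named by exactly one instance, which is the property the per-user solaris.smf.manage.jboss.user1 scheme relies on.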
Similar Messages
-
Hi,
Is there a way to change the owner of an instance? I see in Link: [Changing the owner of a report|Changing the owner of the report] that this is not possible for a report, but hopefully it is for report instances.
My reason for wanting to do this is that I've imported 1000+ objects and instances from an old CE9 server using the Import Wizard and it's kindly assigned the Administrator as the owner of all of them. Admittedly I hadn't configured the security by this time so it couldn't do much else. I would like to be able to return ownership of specific instances to the original owners without them having to reschedule.
I'm using BusinessObjects Enterprise XI 3.1 SP2 on IIS if it makes any difference.
Any ideas?
Thanks,
Mike
As far as I know, for an existing instance you cannot change the ownership. Once Administrator occupied that instance then you cannot change back to any other... perhaps you cannot change to another user name also.
Thanks,
Anil
-
Is "parse as" the only way to restrict user privileges?
I have an application which is working in a schema blabla_owner.
Users do not need to log into this app, but I don't want them to be able to update data. Although I only have reports and no updateable forms or anything, my client is not very happy that all queries are implicitly done by the schema owner.
I read that "parse as" can be used, so we created a user blabla_read that can only read in the owner's schema and selected this user in the "parse as" attribute of the application, but unfortunately using this mechanism we need to grant the select privileges directly instead of through a role.
I tried changing the dad to use the readonly user but that is no use since the HTMLDB_PUBLIC_USER is only a dummy user and its privileges do not matter.
Is there another way of accomplishing the following:
- not requiring the users to log in
- be sure all queries are done by a user with readonly privileges only
- be able to use a role to grant privileges instead of doing this directly
Thanks
Not to put too fine a point on it, but as I said earlier: An Apex application is no different than a "stored procedure" in that object privileges need to be granted directly to the parsing schema and not via a role.
The reason for this might be that DBMS_SYS_SQL.PARSE_AS_USER, the underlying mechanism used by Apex to parse all SQL, requires object privileges to be granted directly to the "parse as" schema (for security reasons), but in any case, whatever the reason, it is what it is.
I have also "wished" many times that stored procedures/views would work with privileges granted through roles and not directly, but hey, what you gonna do?!
-
Does the user have to be the owner of CWM2 objects to access them via OLAP API?
Hi,
What is required for RDBMS users to use OLAP API? According to page 6-9 of Oracle9i OLAP User's Guide 9.2.0.1, the following access rights are required.
CONNECT role
QUERY REWRITE system privilege
SELECT privileges on the database objects containing the data to be analyzed
So, I created a new user TEST1 and granted all the privileges above. Then I tried to create a new crosstab using New Crosstab Wizard in JDev903_pre (OLAPConnecton is using TEST1). When I chose a measure that is created in CWM1, I could create a crosstab without problem. But when I tried to create a crosstab from a measure that is created in CWM2 by OLAPSYS user, I received the following error.
BIB-9509 Oracle OLAP did not create cusor.
oracle.express.ExpressServerExceptionError class:OLAPI
Server error descriptions:
DPR: Unable to create server cursor, Generic at TxsOqDefinitionManager::createCursorManager
OES: ORA, Generic at TxsRdbSelectStatement:execute()
The curious thing is that I can create a crosstab from the same measure if I use another connection that uses OLAPSYS. Does the user that connects to CWM2 using OLAP API have to be the owner of those CWM2 objects?
Thank you.
Best Regards,
Seiji
The user does not have to be the owner of the cwm2 objects to access them. Access to cwm2 objects is based on database security. Therefore, if the user is not the owner of the object (if user is the owner, they obviously have access to the object), then as long as the user has been granted access to the underlying physical object (i.e., the table the dimension or cube has been mapped to), the user will be able to access the object.
-
How to determine the owner of the current package ?
From a package (that is defined with invoker's rights: AUTHID CURRENT_USER) I want to determine the owner of that package. (We plan to deploy the same code into multiple schemas.)
One approach would be to parse the results of DBMS_UTILITY.format_call_stack . . . any other ideas?
Thanks,
Mike
mtefft wrote:
We are using Total Recall aka Flashback Data Archive.
If you have a Flashback Data Archive on a table, you can not drop it without removing the archive, and to do that you need ADMINISTER FLASHBACK ARCHIVE privilege. We want to give users the ability to remove the flashback archive (this is an ALTER TABLE) from their own tables without granting that privilege.
So, we have a utility schema which has this privilege. We created a definer-rights package to issue the alter, but it does not have ALTER ANY TABLE privilege. So, we added an invoker-rights package that the table-owner can call. This first issues GRANT ALTER ON [input-table-name] TO itself, then calls the definer-rights package, which now has both the system privilege and the object privilege needed.
Why not just create a procedure owned by an "admin" user that does the alter table and grant execute on the proc to the utility schema?
As an example with scott and sys (using sys in a real-world system would be a Bad Idea© but I'm on a playground database on my laptop):
As Scott:
Scott@my11g SQL>!cat createTable.sql
create table mytable (
id integer,
val varchar2(30),
constraint mytable_pk primary key(id)
);
Scott@my11g SQL>@createTable
Table created.
As admin user:
Sys@my11g SQL>!cat startFlashback.sql
alter table scott.mytable flashback archive fl_archive;
Sys@my11g SQL>alter table scott.mytable flashback archive fl_archive;
Table altered.
Sys@my11g SQL>select * from dba_flashback_archive_tables;
TABLE_NAME OWNER_NAME FLASHBACK_ARCHIVE_NAME
ARCHIVE_TABLE_NAME STATUS
MYTABLE SCOTT FL_ARCHIVE
SYS_FBA_HIST_79498 ENABLED
As admin user, I create the procedure and grant execute to scott:
Sys@my11g SQL>!cat createProc.sql
create or replace procedure remove_flarch(
p_tabname varchar2
)
is
l_strcmd varchar2(200);
begin
-- only tables owned by the calling session user are matched
for cur in (
select owner, table_name from dba_tables where owner=user and table_name=upper(p_tabname)
) loop
l_strcmd := 'alter table '||cur.owner||'.'||cur.table_name||' no flashback archive' ;
execute immediate l_strcmd ;
end loop;
end;
/
sho err
grant execute on remove_flarch to scott;
Sys@my11g SQL>@createProc.sql
Procedure created.
No errors.
Grant succeeded.
As Scott I cannot disable the flashback archive explicitly:
Scott@my11g SQL>alter table mytable no flashback archive ;
alter table mytable no flashback archive
ERROR at line 1:
ORA-55620: No privilege to use Flashback Archive
But I can do it using the procedure:
Scott@my11g SQL>begin
2 sys.remove_flarch('MYTABLE');
3 end;
4 /
PL/SQL procedure successfully completed.
Checking from admin point of view:
Sys@my11g SQL>select * from dba_flashback_archive_tables;
no rows selected
mtefft wrote:
All is well, except for the fact that we want to deploy this under multiple schemas. So we need to know 'to whom should the ALTER TABLE grant be given?'
Just grant execute on the procedure to your different users.
-
Restricted session privilege in 9i and 10g
We recently upgraded from 9.2.0.7 to 10.2.0.3. Oracle 9i allowed a user with RESTRICTED SESSION priv to connect (sqlplus user /@db) when the database was in restricted mode as it should. However, our Oracle 10g database will not allow a user with RESTRICTED SESSION privilege to log in after 'alter system enable restricted session' is executed. The DBA role does not work nor does granting the system privs CREATE SESSION and RESTRICTED SESSION directly to the user. The error I get when trying to log on is ORA-12526. Any advice on how to remedy this would be much appreciated.
What is the alternative to achieve the same in 10g other than locally?
Thanks,
Vishal
From 10g doc (Oracle® Database Administrator's Guide):
Typically, all users with the CREATE SESSION system privilege can connect to an open database. Opening a database in restricted mode allows database access only to users with both the CREATE SESSION and RESTRICTED SESSION system privilege. Only database administrators should have the RESTRICTED SESSION system privilege. Further, when the instance is in restricted mode, a database administrator cannot access the instance remotely through an Oracle Net listener, but can only access the instance locally from the machine that the instance is running on.
-
How to find the OWNER of a table with JDBC metaData?
Hi,
I am writing a dynamic database GUI for multiple databases (Oracle, PostgreSQL...).
I want to use JDBC metadata to configure the GUI.
I can't find a method to obtain a specific table list for an owner...
With getTablePrivileges I see the grantor but not the owner (the grantor isn't always the owner),
and I can't use schema because schema isn't supported by PostgreSQL.
Can someone help me?
Thanks a lot
Christophe
Yes of course but it is database dependent...
and I want to use different databases...
And what sort of owner would you expect in a MS Access database?
If there is only one user, we work with only one "schema owner"; the database is structured in this way,
but when multi-user is possible we want to work with specific relations between different users...
We want to use users because more databases support multiple owners than multiple schemas,
and generally our information is divided into
general and referential information (explanation of data, lists of values, etc.)
and the specific data.
And our GUI distinguishes the "META DATA" and the pure "DATA" and proposes specific properties to interact with that data.
I hope that my problem is better explained now.
For example, we use
resultSet = connection.getMetaData().getTables("","%","%",new String[]{"TABLE","VIEW"});
to obtain all the tables and views, and
resultSet = connection.getMetaData().getTablePrivileges(null,null,"tableName");
to obtain privileges for a table.
The trouble is that in a specific catalog table, as in Oracle, we find a column with the owner property, and when we use getTablePrivileges we can't see it; the same goes for PostgreSQL.
Each privilege description has the following columns:
TABLE_CAT String => table catalog (may be null)
TABLE_SCHEM String => table schema (may be null)
TABLE_NAME String => table name
GRANTOR String => grantor of access (may be null)
GRANTEE String => grantee of access
PRIVILEGE String => name of access
IS_GRANTABLE String => "YES" if grantee is permitted to grant to others; "NO" if not; null if unknown
As you see, we have GRANTOR information but not OWNER information,
and the GRANTOR isn't always the OWNER...
Christophe
-
How can I change the OWNER of a table?
How can I change the OWNER of a table entr2009mm ?
Resp. the OWNER of all TABLES whose tablename match the pattern *2009* ?
Peter
Hello,
There are different possibilities; Export/Import can do it.
But, if it's not a too large Table, you can use CTAS (from a user with DBA privilege for instance).
Create Table <schema_target>.<table_name> as select * from <schema_source>.<table_name>;
Then, you have to recreate the dependent objects (Index, ...) and drop the Source Table.
If you have a set of Tables, it's better to use Export/Import.
Hope this helps.
Best regards,
Jean-Valentin
Edited by: Lubiez Jean-Valentin on Feb 9, 2010 8:20 PM
-
Only the owner of a versioned file can Check-In?
Oracle iFS 1.1.9
Server: Sun
Client: Windows 2000 Pro
I didn't create the file and I don't own the file. It is
versioned and I have (Delete)(Modify)(Protected) privileges to
the file through its ACL. I Check-Out the file. I edit the
file. When I try to Check-In the file, I get "IFS-30064:
Insufficient Access to change PublicObjects
SecurityPublicObject".
If I do the above steps as the owner of the file, It works.
Should this be happening?
Thanks,
David Frankel
What about ACL on the folders?
-
Can't download Acrobat Pro because of "restrictive access privilege" on Mac
I am prevented from downloading Acrobat Pro because of "restrictive access privilege" on a Mac Mavericks folder ("Applications", where else?), yet I have allowed "Read & Write". I will not install anywhere else, so need assistance. Thanks.
Mickey McFly please make sure you are downloading to your download folder or another folder besides your Applications folder. Once Adobe Acrobat is downloaded you then can install the software to your Applications folder.
-
Hi,
I am guessing not...but, is there any way to setup restricted admin privileges so an account only has privileges to bounce the server?
Thanks.
> I am guessing not...but, is there any way to setup restricted admin privileges so an account only has privileges to bounce the server?
Indeed, there was the sysoper privilege invented for that purpose.
SQL> grant sysoper to fred;
SQL> connect fred/pwoffred as sysoper;
SQL> shutdown immediate
Kind regards
Uwe
http://uhesse.wordpress.com
-
How to make my self administrator since I am the owner?
I am not the administrator but am the owner. What are the advantages of being an administrator? I have Spybot and it does not go too far because I am not the administrator.
I found an article addressing your issue: [http://www.safer-networking.org/faq/how-can-i-get-administrator-rights-under-windows-vista-or-windows-7/ How can I get Administrator rights under Windows Vista or Windows 7? | Spybot - Search & Destroy].
If that doesn't help, could I suggest posing this question on a forum dedicated to Windows issues? They are more likely to be able to describe the pros and cons of giving the Owner user administrator privileges. Here are a couple of options:
* [http://windowssecrets.com/forums/forumdisplay.php/52-Windows-7-Forum Windows 7 Forum | Windows Secrets Lounge]
* [http://answers.microsoft.com/en-us/windows/forum/windows_7?auth=1 Windows - Microsoft Community]
-
Can not find SeManageVolumePrivilege privilege in the process token
I need to enable the privilege of SE_MANAGE_VOLUME_NAME(SeManageVolumePrivilege) in my application according to the article http://support.microsoft.com/default.aspx/kb/156932?p=1.
I called GetTokenInformation in my process to get all of the privileges: GetTokenInformation(hToken, TokenPrivileges, pTKPs, lenght, &lenght).
On XP and Vista, I could find SeManageVolumePrivilege privilege in the process token, and I could enable it successfully. However, on Win7, I failed to find it in the process token. So I suspect maybe some setting of my login account is disabled. But my Windows login account belongs to the Administrator group and I also added it to the "Perform volume maintenance tasks" of local policies->user rights assignment.
Does anyone know about this issue? Thank you very much!
You will only see the privilege if you have the Full token (i.e. if UAC is enabled, you must be elevated).
thanks
Frank K [MSFT]
Follow us on Twitter, www.twitter.com/WindowsSDK
-
Can you help me return a MacBook Air that I found to the owner?
I found someone's MacBook Air. Can you help me determine the owner so that it can be reunited?
Hi Detective Colombo,
You need to contact your local brothers in blue - hopefully it was reported to them and they can reunite it with the owner.
You can also contact Apple Support, and provide them with the serial number to see if the owner reported it to them, but that is not always successful.
Good citizen, detective! We salute you!
GB
-
Changing the Owner from Peoplesoft8.8 to Peoplesoft 9.0 causes Data errors
Hi
For a particular task in DAC, I changed a parameter in the Parameter sub-tab of the Tasks tab in the Design view. The default one was Dept_Security, which I changed to Division_Tree. The owner for Dept_security was Peoplesoft 8.8 in the Parameter sub-tab of the Tasks tab (SDE_PSFT_Stage_InternalOrganizationDimension_DepartmentHierarchy_GetDept); when I changed this parameter to Division_tree, the owner was changed to the custom container we created out of the existing delivered container.
I am not able to predict if this is causing the problem. What's happening is that the ETL process loads multiple Department and Division related dimensions and facts and it is doing that by incrementing the data by 1 each time. For example: the headcounts are always one at any point of time selected. But after changing this parameter, I guess, the ETL process is triggered five times and so facts and related dimensions are loaded five times in the data warehouse.
What possible changes or errors in DAC or Informatica could cause this issue? I never heard of this type of issue on the web. This is not a data issue in the source, I guess.
Thank you
kumr
This issue has been corrected and a supported fix can be downloaded from
http://support.microsoft.com/kb/3038387
This is already included in Host Integration Server 2010 Cumulative Update 10, available at
http://support.microsoft.com/kb/2917398
Manfred Mittermüller
- MSFT
-