Role and privilege used by JDBC

Similar Messages

• Error in reconcilation Function - Job "Reconcile roles and privileges"

  SAP NW 7.0 SP2 Patch 3
  Roles contain Privileges
  Help file says: "If you are using roles and privileges, you will need to perform a reconciliation of the roles/privileges assigned to the users in the identity store after the roles are modified. "
  Job imported as described.
  When I let the job run on the ID-Store, for each entry, the following error message occurs:
  runFunctionsInString($FUNCTION.reconcile( MSKEY )$$) got exception
  org.mozilla.javascript.NotAFunctionException: reconcile( MSKEY )
  ...where MSKEY is, of course, the MSKEY of the entry.
  If I let run the job with the Windows-Dispatcher and as a VB-script, it produces no error; however, in the output file, there are a lot of Messages like
  "!ERROR: Invalid use of Null"
  Only some entries (of Type MX_PERSON) show the "Priviliege added: (...)" output. But the job does not add the Privileges assigend to the role, as it should.
  So, I would suggest that one redefines the SQL-Query of the Job so that it runs only on MX_PERSONS. But then, still, in my case, it does nothing.
  Has anyone better experiences with the Job?
  Edited by: Thomas P. Felder on Sep 25, 2008 10:32 AM

  The job when imported by default uses java runtime engine but the script is written in vbscript syntax so you have to change the engine or the script syntax.
  When you did your select statement did you use SELECT DISTINCT.  That will also cause errors.  I do not narrow the entry type to MX_PERSON.
  I'm installing the patch now;  I will see if I get any errors.

• Role and Privileges for OLAP metadata

  Hi,
  Is there any document which specifies what all roles and privileges are required for creating any OLAP meta data ( Dimension, Cube, Measure and Catalog etc)?
  I think these are impt roles:-
  SELECT_CATALOG_ROLE
  EXECUTE_CATALOG_ROLE
  DELETE_CATALOG_ROLE
  RECOVERY_CATALOG_OWNER
  OLAP_DBA
  OLAP_USER
  Through system/manager I created one user TEST_BI_OLAP and granted CONNECT.
  After login as TEST_BI_OLAP I am able to create dimension. Why it is possible whereas doc says user should have OLAP_USER or OLAP_DBA role associated with it.
  OR only CONNECT is sufficient for creating OLAP metadata!!!!!
  regds
  P

  The difference is in what the end user sees. Say you want to deploy an analytical workspace based off of a ROLAP dimensional cube. Here is how I've been approaching the problem:
  1. Create a new user with the OLAP_USER role to hold the AW (say "AW_USER")
  2. Now log in with a userid that has OLAP_DBA role, and create the AW utilizing the ROLAP cube - but direct the AW to be stored in the AW_USER schema. Note that because it is in a separate schema from the ROLAP cube, you will not need to append characters to the dimension or measure names.
  3. Have end users log in using the AW_USER name. Then they will see the AW information, but they will not have access to the ROLAP cube data.
  Hope this helps,
  Scott

• Mapping a user's role and privilege to another

  Hi all,
  Is there a command/way to map the role and privileges of a current user to a new user? I am new to oracle, I did read through the online docs but was not able to figure it out.
  Thank you very much!

  Check this link would help: Check the part where they are copying roles and grants for the users using dbms_metadata. You can limit this to one user you want by adding additional where clause like "where username = <username>
  Copying Oracle Users

• Export and Import of Roles and Privileges

  Hi,
  We're nearing the end of our development phase and are now preparing for initial load in our QA / Test environment.
  Is there a way to export the Roles and Privilege metadata from one environment to import them into the other. The Staging guide states you need to create them before importing your Identity Stores. I was hoping we didn't need to do this as it's a time consuming task to create them manually.
  Thanks
  Paul

  What I've seen is Business Role Export / Import functionality. It is pretty straight-forward to do, just export the Business Roles in a job (limit what to export in the source SQL) to a CSV-file, then read it back in to different environment in similar job.
  When we were exporting the Business Roles we expored the privilege-references as MSKEYVALUEs not MSKEYs. Note how you have named your repositories in different environments (as you know the name of the MX_PRIVILEGE differs if your ERP repository in development is eg ERP100 and in Q/A ERP200), you may need to convert the privilege names accordingly in export or import.
  One more thing you need to keep in mind is to pay attention whether your data has CR+LFs, which will break the CSV, we tackled this by encrypting/decrypting the data that had line feeds (DESCRIPTION-attribute).

• Create new user same as a existing roles and Privileges

  Hi Team,
  I am a junior DBA. New user Joined in Application team. So, Client requested me.....
  Crerate new user with same privileges as like as existing user.
  As of now i am creating user like "create user username identified by "password". Then grant privileges to that user. earliar I never comapare or copied users.
  Please suggest any one how to create new user as like as existing user roles and privileges.
  Thanks,
  Venkat

  For basic cloning:
  select dbms_metadata.get_ddl('USER', '...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_granted_DDL(‘TABLESPACE_QUOTA’, ‘...’) FROM dual;
  Then just replace the username with the new one you want to create.

• Roles and Privileges for 10g AWR and ASH reports

  Are there specific roles and privileges are required for one to run AWR and ASH reports for users who don't have DBA roles? If so, I would like to know about them.

  I think sysdba privilege need to run AWR report.
  Also check, how privilege is granted to PERFSTAT user in $ORACLE_HOME/rdbms/admin/spcuser.sql, you might get some clue!!!
  Cheer,
  Virag

• Trying to auto generate roles and privileges

  Greetings All,
  Oracle Enterprise 11g v11.2.0.1.0 on Windows Server 2008
  I have a database with many schemas. One of the schemas is referred to as the CM_MASTER schema in that it has been granted the following: dba, create user, drop user, alter user, create any table, select any table, and a few others, all with the “with admin option” clause.
  We have developers that need select only access to the tables and views of the non-master schemas. My plan was to create a unique ROLE for each schema, then grant select on each table and view in that schema to that unique role. Then grant the appropriate role(s) to each developer hence giving them read only access.
  I can accomplish the above manually while logged on as the CM_MASTER schema.
  I am trying to create a procedure owned and executed only by the CM_MASTER schema that creates a new role and then grants to that role. The procedure accepts a parameter containing the user name of the target schema. The procedure is able to create the role (create role scott_r) successfully.
  However, I am getting an insufficient privileges error (see below) after the role has been created, when trying to issue the “grant select on scott.some_table to scott_r” command via "execute immediate".
  Any ideas what privilege(s) the CM_MASTER user needs in order to be able to issue the grant(s) to the role?
  Error message below:
  exec gen_schema_role('scott');
  Error report:
  ORA-01031: insufficient privileges
  ORA-06512: at "CM_MASTER.GEN_SCHEMA_ROLE", line 30
  ORA-06512: at line 1
  01031. 00000 - "insufficient privileges"
  The procedure code is below:
  The utl_file.put_line commands were added for debugging but nothing gets output.
  When the "execute immediate" lines are commented out, the output from the utl_file.put_line commands displays the correct SQL create and grant statements.
  create or replace
  procedure gen_schema_role(p_db_user in varchar)
  as
  v_role_name varchar2(30);
  v_bat_out utl_file.file_type;
  cursor get_object_names is
  select object_name from dba_objects
  where owner = upper(p_db_user)
  and object_type in ('TABLE','VIEW')
  and status = 'VALID'
  and object_name not like 'DR$%'
  and object_name not like 'XT%';
  begin
  v_bat_out := utl_file.fopen('SR_BACKUP', 'Create_Roles.sql', 'W');
  v_role_name := substr(p_db_user,1,28) || '_r';
  utl_file.put_line(v_bat_out, ' ');
  utl_file.put_line(v_bat_out, 'create role '||v_role_name);
  execute immediate 'create role '||v_role_name; <<-- This seems to work, the role gets created
  for a in get_object_names
  loop
  utl_file.put_line(v_bat_out,' grant select on ' || p_db_user || '.' || a.object_name || ' to ' || v_role_name);
  execute immediate 'grant select on ' || p_db_user || '.' || a.object_name || ' to ' || v_role_name;
  end loop;
  utl_file.fclose(v_bat_out);
  end gen_schema_role;
  Thanks,
  Snyds

  sb92075,
  I just tried, and YES the SQL is able to apply the "grant select" statements to the newly created role.
  I wanted to call this new procedure from the procedure that creates a new user by scheduling a job to perform an IMPDP job to import a base schema (using the remap schema clause).
  Any suggestions how to automate generating this role?
  Thanks,
  Snyds

• Create Roles and Permissions using API

  Hello,
  I'm new to Java and I'm trying to create Roles and Permissions in LiveCycle using API's. Can someone please check and correct my code below?
              //Create a ServiceClientFactory object
              ServiceClientFactory myFactory = ServiceClientFactory.createInstance(connectionProps);
              // Create an AuthorizationManagerServiceClient object
              AuthorizationManagerServiceClient amClient = new AuthorizationManagerServiceClient(myFactory);
              RoleImpl ri = new RoleImpl();
              ri.setName("Test ES Role");
              ri.setDescription("Test Role via API");
              ri.setMutableStatus(true);
              amClient.createRole(ri);
  Executing the above code throws exception as below;
  com.adobe.idp.um.api.UMException| [com.adobe.livecycle.usermanager.client.AuthorizationManagerServiceClient] errorCode:16385 errorCodeHEX:0x4001 message:Exception thrown is NOT a DSCException : UnExpected From DSC chainedException:java.lang.IllegalStateExceptionchainedExceptionMessage:null chainedException trace:java.lang.IllegalStateException
            at com.adobe.idp.dsc.clientsdk.ServiceClientFactory$1.handleThrowable(ServiceClientFactory.j ava:72)
            at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:220)
            at com.adobe.livecycle.usermanager.client.AuthorizationManagerServiceClient.createRole(Autho rizationManagerServiceClient.java:159)
            at com.adobe.lc.ManageRolesAndPermissions.main(ManageRolesAndPermissions.java:70)
  Caused by: java.lang.NoClassDefFoundError: javax.ejb.EJBException
            at com.adobe.idp.dsc.clientsdk.ServiceClientFactory.evaluateMessageDispatcher(ServiceClientF actory.java:595)
            at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:215)
            ... 2 more
  Caused by: java.lang.ClassNotFoundException: javax.ejb.EJBException
  Thank you,
  Sandeep

  Mahesh,
  Refer to your other thread ..
  API to create new items in inventory
  API to create new items in  inventory
  Regards,
  Hussein

• How to find Shared Serivces Roles and Groups using scripts in IR?

  hi all,
  I am in IR 9.3.1 environment.
  I am trying to see if I can find a user's shared service group or role when they come into a BQY file, and I can code my IR accordingly to provide different needs.
  I know I can create a simple query using those V8 tables to do so in version 8, but in 9.3.1, it is not the same anymore. so is there a way that I can do this easily?
  I just need to be able to set users into different groups and provide different front-end screens and/or dfferent data results according to the groups they belong to.
  thanks.

  http://social.technet.microsoft.com/forums/sharepoint/en-US/87129bee-4cd5-47d7-8fe0-adcb3260570c/remove-share-option
  These links are displayed using the Promoted Actions Delegate Control. You can remove these by overriding the control, there is no other conventional way available to have them removed. Please use the below link for more details:
  http://www.learningsharepoint.com/2013/02/19/add-links-to-promoted-actions-sharefollowsync-in-sharepoint-2013/
  There is a way to do away with the SharePoint ribbon altogether. Using this method you can expose the top ribbon only to users having 'FullControl' level privilege (or any other level you want).
  1. Locate your master page (below example is for Seattle.html) and wrap your ribbon control with a 'SPTrimmedControl'
  <!--MS:<SharePoint:SPSecurityTrimmedControl PermissionsString="FullMask" runat="server"> -->
  <div id="ms-designer-ribbon">
  <!--SID:02 {Ribbon}-->
  <!--PS: Start of READ-ONLY PREVIEW (do not modify) --><div class="DefaultContentBlock" style="background:rgb(0, 114, 198); color:white; width:100%; padding:8px; height:64px; overflow:hidden;">In true previews of your site, the SharePoint ribbon will be here.</div><!--PE: End of READ-ONLY PREVIEW -->
  </div>
  <!--ME:</SharePoint:SPSecurityTrimmedControl> -->
  Refer to below link for more details:
  http://social.technet.microsoft.com/Forums/en-US/sharepointcustomization/thread/6d78ac4a-82a1-4221-b2ad-2b47e506d929 
  Also try
  http://www.eliostruyf.com/hiding-the-social-actions-follow-share-from-the-document-libraries-in-sharepoint-2013/
  hide all people group
  Here is one solution:
  http://msdn.microsoft.com/en-us/library/ff650031.aspx
  If this helped you resolve your issue, please mark it Answered

• Login and privileges using UIX, Urgent

  I have a application where I want to give privileges based on user who login to the application. How can I do this using ADF-UIX? Any built in methods available?
  Any help will be highly appreciable, because I am stuck at this point, as I am a newbie in UIX.
  Thanks in advance.
  Ponic

  Hi,
  you can follow the steps in http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf
  I am using FORM based authentication, you can use a JSP or a UIX page.
  by example:
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>Login.uix</form-login-page>
        <form-error-page>Login.uix</form-error-page>
      </form-login-config>
    </login-config>

• How can I keep every single photo from saving to "collections""my photo stream""camera role" and just use one folder? And why do I have to delete the same pictures 4 times? In "collections""myphotostream"camera role""deleted photos" I need ONE FOLDER

  im sick of deleting the same picture 4 separate times, I want to limit everything to one folder and only have to delete one time, how? Why does this have to be so complicated

  Photos you take on your camera are in the Camera Roll and are like the film in a camera.
  Photo Stream is an independent stream of photos from all devices that are logged onto the same iCloud account and that have Photo Stream turned on. Photo Stream photos are kept in the cloud for 30 days or up to 1000 photos, whichever comes first, so unless you have a particular photo you just don't want to stay out there for 30 days, you don't really need to delete Photo Stream Photos. They are temporary. Your device will continue to keep your Photo Stream photos from prior to the 30 day limit, but if you switch Photo Stream off in iCloud and then right back on, the only photos that will re-display in Photo Stream on that device are the ones that remain within the 30 Day/1000 photo parameter.
  Collections is simply a single place which shows all of the photos that you have on your device. You do not need to delete photos from Collections. It is just a single place where you can see the contents of all of your albums.
  Photos in albums that you have created on the device itself are tied to the photos in your Camera Roll, so if you delete them from the Camera Roll, it will tell you that it will also be deleted from an album.
  Albums that you have sync'd from your computer should be removed the same way you got them there - by hooking the device up to a the computer you did the sync with, and un-selecting the album from the Photo profile screen.
  So, really, there are only two places that you need to delete photos - Camera Roll and Photo Stream.
  Cheers,
  GB

• DFD diagram and ER crossmatrix for role definitions and role's privileges on objects

  Hello,
  Having the question on derivative use of combination of DFDs and ER diagrams ( let us be more fixes and focus on Relational model ).
  In DFD there are defined external entities and functions, data flows and data stores that are forming processes.
  Functions represents procedures, transactions, transformations.
  Dataflows presents procedures parameters, intermediate reports, temporary table data, data that is passed , retrieved/written, signals, triggers/events that controle or trigger function...
  Context of my question is focused on external entities.
  External entity suppose to denote the sourced or destinationed system ( for example Archiving system ) or operator, system that is out of scope of the DFD and it is mentioned just as target or destination or source of dataflow or control flow.
  In context of these understandings I am using external entitiy also for types of users of the system:  staff that is triggering functions or schedulers or job managers, or reporting systems ( or components of reporting systems like for example business intelligence extraction processes ).
  What is my problem that on basis of external entity definitions and E/R model also define roles and privilege classes for access to data objects.
  And from those generating ddls for database roles, privileges on entitities to those roles.
  But in privileges granting to role having two different kind of privileges on data objects:
  - privileges that are granted on various schema objects
     For example role1 has grant on tab1, view2, procedure1, package3,
  - the other type of privilega is based on the scope or range of semantically defined scope or semantic area.
  Semantic area is scattered through tables because of normalisation and using semantic area as entity of which primary key is
  partitioning the table data through many semantic areas.
  So this privilege should be granted on basis of the rows in table not column ( more semantically then structurally ...row oriented more than column ).
  Both privileges that are granted to roles are also basis for functional roles
  ( privilege that is granted that functional role has grant to trigger or execute some function or process ).
  My question is?
  How do you handle modeling technology for analysis and design for role privileges and consolidation between database and functional roles ?
  Grateful for any idea, experience and suggestions.

  Hello,
  Guess I was looking for the formal sequence of steps that would bring me to the
  ddls for "create role ..." and "grant privileges to role".
  You can do that.
  1) I assume you have logical model and it's engineered to relational model, also you have data flow diagram created
  2) You need to define information structures for flows connecting "Information store" to primitive process - attribute usage of particular entities should be defined for those "information structures" processed in flows
  3) You need to define create, update and delete operation for flow going from primitive process to store - read is assumed in opposite direction
  4) create a role in Process model and assign primitive processes to it - list of available processes to add depends on current data flow diagram
  5) You need an open physical model for your relational model
  6) Select "transfer process model roles to physical model roles" from context menu of top level DFD - select roles, relational and physical model there - roles with related permissions will be created in physical model
  Entity1 is divided in several subtypes for different business areas.
  And account manager for business_area1 is allowed to work on subtype1 ( view on prime table )...
  Different implementation of entity hierarchies are not processed correctly in that wizard - i.e to get permissions to table corresponding to child entity - that entity should be used in information structure and flow.
  Philip

• REDIRECT JDBC URL WHEN USING DYNAMIC JDBC CREDENTIALS SO NOT HARDCODED

  I have taken over an application that uses row-level security and ADF (using
  dynamic JDBC Credentials). I have been able to set the internal_connection to
  a JDBCDatasource, but cannot set the Connection Type in the Oracle Business
  Component Configuration to a JDBCDatasource. When I do, I receive errors that
  tables are not found. When I set the value back to a JDBC URL, everything
  works fine again.
  I am looking for a solution where the userid and password are not hardcoded in
  the BC4J.xcfg or a way to redirect this information, as we change our system
  passwords every nighty days. Otherwise, I will have to redeploy the
  application every nighty days.
  I did not create this application, but I am sure that you could simply follow
  the "How to Support Dynamic JDBC Credentials" article. From that point, you
  will probably be where I am, where I have the internal_connection set to a
  JDBCDataSource and working properly, but cannot set the Connection Type to
  anything where the userid and password will not be hardcoded or cause failure.
  I wanted to let you know that I have
  found the updated How to Support Dynamic JDBC Credentials
  (http://www.oracle.com/technology/products/jdev/howtos/bc4j/howto_dynamic_jdbc.h
  tml) and was going to run through the "Advanced: Supporting Dynamic JDBC URLs",
  but once I was done keying in
  env.remove(ConnectionStrategy.DB_CONNECT_STRING_PROPERTY); I received a
  depreciation message on the DB_CONNECT_STRING_PROPERTY. (Note: I am coding in
  JDeveloper 10.1.3, so this may be depreciated as of then, but the ADF Libraries
  for JDeveloper 10.1.3 are on our Oracle 10gAS 10.1.2 server.)
  I thought maybe this would resolve my issue, but I can't be sure as the
  deprecation message leads me to believe that this solution may not be viable in
  the future.
  UPDATE
  =======
  The article you are referencing is definitely an older version.
  There is a newer article for 10g at:
  http://www.oracle.com/technology/products/jdev/howtos/10g/dynamicjdbchowto.html
  Please see if that helps.
  I have already reviewed this article.
  In fact, I have reviewed many versions of this document. I have not seen one
  created yet for 10.1.3 though (especially without JSF as our 10.1.2 AS server
  will not support it). I need to find an example or documentation that shows
  how we can keep from having the JDBC URL stored in the BC4J.xcfg or a way to
  use dynamic JDBC credentials with a JDBCDataSource. We do not want to store
  the userid and password in the application, rather, we would like to setup
  something that can be configurable from the application server.
  I think we need to use the dynamic JDBC credentials because we are using the
  row-level security, where we setup a database context for the user and only
  allow certain records of a database table to be returned to the browser based
  on that context.
  Might there be a way to still use the JDBCDataSource?

  I understand that the user provides the userid and password and that these values are setup using the Configuration class.
  However, when I am to deploy the ADF Business Module with my application, I have to specify either a JDBC URL or a JDBC DataSource in the Oracle Business Component Configuration.
  When I use JDBC DataSource, the code does not work properly, almost like the user's credentials are not used for the connection (I get errors like table or view does not exist).
  When I use the JDBC URL, the bc4j.xcfg stores a reference in the JDBCName attribute to a ConnectionDefinition in the same file. It is in this tag of the bc4j.xcfg where the userid, sid, and password (encrypted) is stored and used when retrieving the initial context of the ADF business components.
  It is these values that I want to have stored else where so that the application does not have to be redeployed in order for the password (or sid, or other connection information) to be change.

• Sql to show all roles object privileges owned by a specific schema

  maybe this is simple but i'm just not getting it...
  i need sql to show me all of the distinct roles that have privileges granted against objects in a specific schema.
  thanks in advance.

  Feel free to modify the script to reduce the rows to only what you need.
  In terms of Oracle users, roles and privileges, it is just that complicated. Internally, a user and role exist in the same structure (user$). And privileges can be granted to users or roles. Roles can be granted to users and other roles. This means that a privilege (object or system) may have been granted to a user multiple times. USER1 can have 'SELECT' on 'TABLEA' that has been granted directly or via ROLE1, ROLE2 and ROLE3 (since ROLE1 is granted to ROLE3).