Role vs privilege

Similar Messages

• Error in reconcilation Function - Job "Reconcile roles and privileges"

  SAP NW 7.0 SP2 Patch 3
  Roles contain Privileges
  Help file says: "If you are using roles and privileges, you will need to perform a reconciliation of the roles/privileges assigned to the users in the identity store after the roles are modified. "
  Job imported as described.
  When I let the job run on the ID-Store, for each entry, the following error message occurs:
  runFunctionsInString($FUNCTION.reconcile( MSKEY )$$) got exception
  org.mozilla.javascript.NotAFunctionException: reconcile( MSKEY )
  ...where MSKEY is, of course, the MSKEY of the entry.
  If I let run the job with the Windows-Dispatcher and as a VB-script, it produces no error; however, in the output file, there are a lot of Messages like
  "!ERROR: Invalid use of Null"
  Only some entries (of Type MX_PERSON) show the "Priviliege added: (...)" output. But the job does not add the Privileges assigend to the role, as it should.
  So, I would suggest that one redefines the SQL-Query of the Job so that it runs only on MX_PERSONS. But then, still, in my case, it does nothing.
  Has anyone better experiences with the Job?
  Edited by: Thomas P. Felder on Sep 25, 2008 10:32 AM

  The job when imported by default uses java runtime engine but the script is written in vbscript syntax so you have to change the engine or the script syntax.
  When you did your select statement did you use SELECT DISTINCT.  That will also cause errors.  I do not narrow the entry type to MX_PERSON.
  I'm installing the patch now;  I will see if I get any errors.

• Export and Import of Roles and Privileges

  Hi,
  We're nearing the end of our development phase and are now preparing for initial load in our QA / Test environment.
  Is there a way to export the Roles and Privilege metadata from one environment to import them into the other. The Staging guide states you need to create them before importing your Identity Stores. I was hoping we didn't need to do this as it's a time consuming task to create them manually.
  Thanks
  Paul

  What I've seen is Business Role Export / Import functionality. It is pretty straight-forward to do, just export the Business Roles in a job (limit what to export in the source SQL) to a CSV-file, then read it back in to different environment in similar job.
  When we were exporting the Business Roles we expored the privilege-references as MSKEYVALUEs not MSKEYs. Note how you have named your repositories in different environments (as you know the name of the MX_PRIVILEGE differs if your ERP repository in development is eg ERP100 and in Q/A ERP200), you may need to convert the privilege names accordingly in export or import.
  One more thing you need to keep in mind is to pay attention whether your data has CR+LFs, which will break the CSV, we tackled this by encrypting/decrypting the data that had line feeds (DESCRIPTION-attribute).

• Role and privilege used by JDBC

  Is there any reqiured role and privilege used by JDBC?
  I use Oracle JDBC9203 for Oracle to connect Oracle8163, when executing certion codes, the JDBC raise a exception as below:
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:134)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:179)
       at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:269)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.initCollElemTypeName(OracleTypeCOLLECTION.java:1026)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.getAttributeType(OracleTypeCOLLECTION.java:1056)
       at oracle.jdbc.oracore.OracleNamedType.getFullName(OracleNamedType.java:110)
       at oracle.jdbc.oracore.OracleTypeADT.createStructDescriptor(OracleTypeADT.java:2262)
       at oracle.jdbc.oracore.OracleTypeADT.unpickle81(OracleTypeADT.java:1656)
       at oracle.jdbc.oracore.OracleTypeUPT.unpickle81UPT(OracleTypeUPT.java:466)
       at oracle.jdbc.oracore.OracleTypeUPT.unpickle81rec(OracleTypeUPT.java:416)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody_elems(OracleTypeCOLLECTION.java:979)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody(OracleTypeCOLLECTION.java:923)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81(OracleTypeCOLLECTION.java:743)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION._unlinearize(OracleTypeCOLLECTION.java:242)
       at oracle.jdbc.oracore.OracleTypeCOLLECTION.unlinearize(OracleTypeCOLLECTION.java:208)
       at oracle.sql.ArrayDescriptor.toJavaArray(ArrayDescriptor.java:963)
  I decompile "OracleTypeCOLLECTION.class", in funtion "initCollElemTypeName", i see a SQL as "select elem_type_name, elem_type_owner from all_coll_types where ....", this sql raise the error.
  Since all_coll_types is a system view of Oracle, i think the user connect to Oracle must have some role and privilege, it has connect role and execution privileges on some user-defined packages, is there any other role and privilege it needs? I don't like to grant DBA role to it for security reason.
  Very thanks for your reply.

  Can you post the code (Java and PL/SQL) that is being executed when this error is thrown? You don't need any particular privilege to execute PL/SQL via JDBC-- just the privileges you'd need to execute it in SQL*Plus or anywhere else.
  Justin
  Distributed Database Consulting, Inc.
  www.ddbcinc.com/askDDBC

• DFD diagram and ER crossmatrix for role definitions and role's privileges on objects

  Hello,
  Having the question on derivative use of combination of DFDs and ER diagrams ( let us be more fixes and focus on Relational model ).
  In DFD there are defined external entities and functions, data flows and data stores that are forming processes.
  Functions represents procedures, transactions, transformations.
  Dataflows presents procedures parameters, intermediate reports, temporary table data, data that is passed , retrieved/written, signals, triggers/events that controle or trigger function...
  Context of my question is focused on external entities.
  External entity suppose to denote the sourced or destinationed system ( for example Archiving system ) or operator, system that is out of scope of the DFD and it is mentioned just as target or destination or source of dataflow or control flow.
  In context of these understandings I am using external entitiy also for types of users of the system:  staff that is triggering functions or schedulers or job managers, or reporting systems ( or components of reporting systems like for example business intelligence extraction processes ).
  What is my problem that on basis of external entity definitions and E/R model also define roles and privilege classes for access to data objects.
  And from those generating ddls for database roles, privileges on entitities to those roles.
  But in privileges granting to role having two different kind of privileges on data objects:
  - privileges that are granted on various schema objects
     For example role1 has grant on tab1, view2, procedure1, package3,
  - the other type of privilega is based on the scope or range of semantically defined scope or semantic area.
  Semantic area is scattered through tables because of normalisation and using semantic area as entity of which primary key is
  partitioning the table data through many semantic areas.
  So this privilege should be granted on basis of the rows in table not column ( more semantically then structurally ...row oriented more than column ).
  Both privileges that are granted to roles are also basis for functional roles
  ( privilege that is granted that functional role has grant to trigger or execute some function or process ).
  My question is?
  How do you handle modeling technology for analysis and design for role privileges and consolidation between database and functional roles ?
  Grateful for any idea, experience and suggestions.

  Hello,
  Guess I was looking for the formal sequence of steps that would bring me to the
  ddls for "create role ..." and "grant privileges to role".
  You can do that.
  1) I assume you have logical model and it's engineered to relational model, also you have data flow diagram created
  2) You need to define information structures for flows connecting "Information store" to primitive process - attribute usage of particular entities should be defined for those "information structures" processed in flows
  3) You need to define create, update and delete operation for flow going from primitive process to store - read is assumed in opposite direction
  4) create a role in Process model and assign primitive processes to it - list of available processes to add depends on current data flow diagram
  5) You need an open physical model for your relational model
  6) Select "transfer process model roles to physical model roles" from context menu of top level DFD - select roles, relational and physical model there - roles with related permissions will be created in physical model
  Entity1 is divided in several subtypes for different business areas.
  And account manager for business_area1 is allowed to work on subtype1 ( view on prime table )...
  Different implementation of entity hierarchies are not processed correctly in that wizard - i.e to get permissions to table corresponding to child entity - that entity should be used in information structure and flow.
  Philip

• Create new user same as a existing roles and Privileges

  Hi Team,
  I am a junior DBA. New user Joined in Application team. So, Client requested me.....
  Crerate new user with same privileges as like as existing user.
  As of now i am creating user like "create user username identified by "password". Then grant privileges to that user. earliar I never comapare or copied users.
  Please suggest any one how to create new user as like as existing user roles and privileges.
  Thanks,
  Venkat

  For basic cloning:
  select dbms_metadata.get_ddl('USER', '...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT','...') FROM DUAL;
  SELECT DBMS_METADATA.GET_granted_DDL(‘TABLESPACE_QUOTA’, ‘...’) FROM dual;
  Then just replace the username with the new one you want to create.

• I want to know the role's privileges

  I want to select all ROLES's privileges.

  Hi,
  The DBA_SYS_PRIVS dictionary view, describes system privileges granted to users and roles. For more information, take a look at [url http://tahiti.oracle.com]documentation
  SQL> select privilege from dba_sys_privs where grantee = 'CONNECT';
  PRIVILEGE
  CREATE VIEW
  CREATE TABLE
  ALTER SESSION
  CREATE CLUSTER
  CREATE SESSION
  CREATE SYNONYM
  CREATE SEQUENCE
  CREATE DATABASE LINKCheers
  Legatti

• Roles/System privileges/Object privileges

  Oracle 10g. we created a role and assigned this role to the user. We also assigned some system privileges and Object privileges directly to the same user. Now the company's new policy is that the user's permissions have to be assigned only via role. system privileges and Object privileges cannot be assigned directly to the user. So I have to alter the role. The steps are:
  1. grant system privileges and Object privileges to role. (this will be executed as a script)
  These privileges were directly assigned to the user.
  2. revoke all privileges which were directly assigned to the user.
  Do I miss anything?
  Please advise.
  Thanks
  S.

  Object privileges cannot be assigned directly to the user.Privileges acquired via ROLE do not apply within PL/SQL procedures.
  You may face some coding challenges in the future due to this policy.

• Same select (user, name, profile, role, table_name, privilege table)

  hello Everyone
  1.- i don't know how to merge the two qys to see in the same select (user, name, profile, role, table_name, privilege table)
  Im using the tables usuarios and view dba_users : See next qry
  SELECT Nvl(US.IDUSUARIO,DU.USERNAME) USUARIO,
  US.DESCRIPCION NAME,
  ACCOUNT_STATUS STATUS,
  DU.PROFILE,
  CREATED FECHA_CREACION
  FROM USUARIOS US,
  SYS.DBA_USERS DU
  WHERE DU.USERNAME = US.IDUSUARIO(+)
  UNION
  SELECT Nvl(US.IDUSUARIO,DU.USERNAME) USUARIO,
  US.DESCRIPCION NAME,
  ACCOUNT_STATUS STATUS,
  DU.PROFILE,
  CREATED FECHA_CREACION
  FROM USUARIOS US,
  SYS.DBA_USERS DU
  WHERE DU.USERNAME = UPPER(US.IDUSUARIO)
  ORDER BY NAME;
  this extract me, USER, REAL NAME, STATUS, PROFILE, CREATION_DATE
  JP01 Johan Pena OPEN DEFAULT 05-07-2010
  on the other hand:
  select * from role_tab_privs
  this extract me, ROLE, TABLE_NAME and PRIVILEGE
  DBA TABLE1 SELECT
  DBA TABLE1 INSERT
  DBA TABLE2 DELETE
  1.- i don't know how to merge the two qys to see in the same select (user, name, profile, role, table_name, privilege table)
  2.-i want something like this.
  USER, REAL NAME, STATUS, PROFILE, CREATION_DATE ROLE, TABLE_NAME PRIVILEGE
  JP01 Johan Pena OPEN DEFAULT 05-07-2010 DBA TABLE1 SELECT
  JP01 Johan Pena OPEN DEFAULT 05-07-2010 DBA TABLE1 DELETE
  Ect Ect. Ect.
  who can HELP ME.

  I have part understood your requirement and assumed the rest! Hence, I have used dba_role_privs in addition to the list of tables you used.
  Also, I think your LEFT OUTER JOIN on sys.dba_users is incorrect. I think you are trying to get all users from USUARIOS table for which roles / privileges exist in the database. If that is what you want the following query should help out. If not change the LEFT keyword in the MAIN query (NOT the one in WITH clause) to RIGHT but the results might be unpredictable.
  Note: Using ANSI standard keywords for JOIN allows you to use functions in the JOIN clause (such as UPPER(column name), which the Oracle propreitary notation does not allow and hence made you opt for the UNION option).
  WITH OS AS
          SELECT
               DU.USERNAME
              ,DU.ACCOUNT_STATUS
              ,DU.PROFILE
              ,DU.CREATED
              ,DRP.GRANTED_ROLE
              ,RTP.TABLE_NAME
              ,RTP.PRIVILEGE
          FROM
              sys.dba_role_privs drp
          LEFT OUTER JOIN
              role_tab_privs     rtp
          ON
              ( drp.granted_role    = rtp.role    )
          LEFT OUTER JOIN
              sys.dba_users      du
          ON   
              ( du.username         = drp.grantee )
  SELECT
       NVL (US.IDUSUARIO, OS.USERNAME)    USUARIO
      ,US.DESCRIPCION                     NAME
      ,OS.ACCOUNT_STATUS                  STATUS
      ,OS.PROFILE                         PROFILE
      ,OS.CREATED                         FECHA_CREACION
      ,OS.GRANTED_ROLE                    ROLE
      ,OS.TABLE_NAME                      TABLE_NAME
      ,OS.PRIVILEGE                       PRIVILEGE
  FROM
      USUARIOS US
  LEFT OUTER JOIN
      OS -- temporary result set created using WITH clause above
  ON
      UPPER (US.USERNAME) = OS.USERNAME
  ORDER BY 2 ;Edited by: VishnuR on Jul 5, 2010 8:44 PM
  Edited by: VishnuR on Jul 5, 2010 8:47 PM

• Role and Privileges for OLAP metadata

  Hi,
  Is there any document which specifies what all roles and privileges are required for creating any OLAP meta data ( Dimension, Cube, Measure and Catalog etc)?
  I think these are impt roles:-
  SELECT_CATALOG_ROLE
  EXECUTE_CATALOG_ROLE
  DELETE_CATALOG_ROLE
  RECOVERY_CATALOG_OWNER
  OLAP_DBA
  OLAP_USER
  Through system/manager I created one user TEST_BI_OLAP and granted CONNECT.
  After login as TEST_BI_OLAP I am able to create dimension. Why it is possible whereas doc says user should have OLAP_USER or OLAP_DBA role associated with it.
  OR only CONNECT is sufficient for creating OLAP metadata!!!!!
  regds
  P

  The difference is in what the end user sees. Say you want to deploy an analytical workspace based off of a ROLAP dimensional cube. Here is how I've been approaching the problem:
  1. Create a new user with the OLAP_USER role to hold the AW (say "AW_USER")
  2. Now log in with a userid that has OLAP_DBA role, and create the AW utilizing the ROLAP cube - but direct the AW to be stored in the AW_USER schema. Note that because it is in a separate schema from the ROLAP cube, you will not need to append characters to the dimension or measure names.
  3. Have end users log in using the AW_USER name. Then they will see the AW information, but they will not have access to the ROLAP cube data.
  Hope this helps,
  Scott

• Sql to show all roles object privileges owned by a specific schema

  maybe this is simple but i'm just not getting it...
  i need sql to show me all of the distinct roles that have privileges granted against objects in a specific schema.
  thanks in advance.

  Feel free to modify the script to reduce the rows to only what you need.
  In terms of Oracle users, roles and privileges, it is just that complicated. Internally, a user and role exist in the same structure (user$). And privileges can be granted to users or roles. Roles can be granted to users and other roles. This means that a privilege (object or system) may have been granted to a user multiple times. USER1 can have 'SELECT' on 'TABLEA' that has been granted directly or via ROLE1, ROLE2 and ROLE3 (since ROLE1 is granted to ROLE3).

• Oracle APM: Grant 'authenticated-role' a privilege to access a taskflow?

  Hi
  Using Oracle APM (Authorization Policy Manager), I need to grant the 'authenticated-role' a privilege to access a particular taskflow.
  Usually one is able to search for a role and add it, however the 'authenticated-role' does not turn up in the search. How do I add it?
  If I create such a role, how will I be able to link it to the appropriate enterprise role using APM.
  Thanks,
  Rohit
  Edited by: 909799 on May 29, 2012 3:04 AM

  Hi there,
  I am afraid you were referring to a different documentation at 11g.
  Have a look at this: [http://download.oracle.com/docs/cd/B28359_01/server.111/b28286/statements_9013.htm#i2155015]
  So, same behavior.
  Hope this helps,
  Regards,
  Jozsef

• 401 Unauthorized Error when accessing a task from REST API which contains Role or Privilege in Access Control definition

  Hi Team,
  As of IDM 7.2 SP8 patch2, when we use Enterprise role or Privilege in the access control definition of a task, accessing this task from UI5 i.e REST API is giving unauthorized error even though user is already having the required role or privilege.
  But the task is working fine if we use fixed user ID or keeping blank value in allowed users field.
  Attached the current access control definition of the task we configured & the error message info for reference
  Regards,
  Venkata Bavirisetty

  Hi Ralitsa,
  Thanks for your response and sorry for late reply.
  The XXXX in role is not used as a wild card. the name itself is in that format. I have searched the role and then selected from search list.
  Let me know if you need any clarifications?
  Refards,
  Venkata Bavirisetty

• Roles and Privileges for 10g AWR and ASH reports

  Are there specific roles and privileges are required for one to run AWR and ASH reports for users who don't have DBA roles? If so, I would like to know about them.

  I think sysdba privilege need to run AWR report.
  Also check, how privilege is granted to PERFSTAT user in $ORACLE_HOME/rdbms/admin/spcuser.sql, you might get some clue!!!
  Cheer,
  Virag

• Mapping a user's role and privilege to another

  Hi all,
  Is there a command/way to map the role and privileges of a current user to a new user? I am new to oracle, I did read through the online docs but was not able to figure it out.
  Thank you very much!

  Check this link would help: Check the part where they are copying roles and grants for the users using dbms_metadata. You can limit this to one user you want by adding additional where clause like "where username = <username>
  Copying Oracle Users