Roles and Security
I have set up an 11g Oracle database.
Can I please have some help to create some user accounts (3 levels, eg. Administrator, Power User, and Guest style users) as well as setting up appropriate levels of security implemented via ROLES and PRIVILEGES for Roles.
Thanks in advance
996403 wrote:
I am wanting the Administrator to have control over everything, the Power User to be a User who also has the ability to create tables, triggers etc, and the Guest to just be able to view data in the database without changing anything.
Can you correct me if I am wrong with the following suitable roles for the users:
Administrator
- All roles
Power User
- Connect
- Resource
Guest
- Connect

You have to get out of this Administrator/Power User/Guest Windows security group paradigm. Windows security groups cannot be directly correlated to Oracle security groups, and that is why you are having so much trouble doing so. I recommend that you:
-stop comparing Oracle to Windows
-learn what security rights your database users need
-fully understand the predefined roles, and then assign users to those roles only if they require every right that those roles grant
-create your own application roles for any users that have requirements that do not align exactly with the predefined groups
We are only encouraging you to do things in a manner that follows best practices, and doing so will keep your headaches to a minimum later on down the road.
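An added example of the "create your own application roles" advice above, not code from the thread: a read-only role and a developer role built from individual privileges instead of CONNECT and RESOURCE. The schema APP, its tables, the USERS tablespace, and every role, user and password shown are hypothetical.

```sql
-- Added example, run as a DBA account. All names below are hypothetical.

-- Read-only role: object privileges on named tables only, no system privileges.
CREATE ROLE app_read;
GRANT SELECT ON app.orders    TO app_read;
GRANT SELECT ON app.customers TO app_read;

-- Developer role: only the CREATE privileges the job needs.
-- In 11g, granting RESOURCE also gives the user UNLIMITED TABLESPACE,
-- which is one reason to list privileges explicitly instead.
CREATE ROLE app_dev;
GRANT CREATE TABLE, CREATE VIEW, CREATE SEQUENCE,
      CREATE TRIGGER, CREATE PROCEDURE TO app_dev;

-- Read-only user: can log on and query, nothing else.
CREATE USER guest_rpt IDENTIFIED BY "Placeholder_Pw_1" PASSWORD EXPIRE;
GRANT CREATE SESSION TO guest_rpt;
GRANT app_read TO guest_rpt;

-- Developer: bounded quota instead of unlimited space.
CREATE USER dev_alice IDENTIFIED BY "Placeholder_Pw_2"
  DEFAULT TABLESPACE users
  QUOTA 100M ON users
  PASSWORD EXPIRE;
GRANT CREATE SESSION TO dev_alice;
GRANT app_read, app_dev TO dev_alice;

-- Review what was actually granted.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('GUEST_RPT', 'DEV_ALICE')
 ORDER BY grantee, granted_role;

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('APP_READ', 'APP_DEV', 'GUEST_RPT', 'DEV_ALICE')
 ORDER BY grantee, privilege;

SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APP_READ'
 ORDER BY table_name, privilege;
```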
Similar Messages
-
Security-role and security-role-assignment not working in WL7.0
Hello all..
Some EJB components that worked fine in WebLogic 6.1 no longer work in
WL7.0. It has to do with the security-role and security-role-assignment
descriptor elements no longer allowing anonymous users to be included in the
authorization for a bean.
For example, in WL6.1 placing these items in ejb-jar.xml:
<assembly-descriptor>
  <security-role>
    <role-name>Employees</role-name>
  </security-role>
  <method-permission>
    <role-name>Employees</role-name>
    <method>
      <ejb-name>CustomerEJB</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
and mapping WebLogic default users to this role in weblogic-ejb-jar.xml:
<security-role-assignment>
  <role-name>Employees</role-name>
  <principal-name>guest</principal-name>
  <principal-name>system</principal-name>
</security-role-assignment>
worked fine for clients creating their context using a simple
InitialContext() constructor without specifying SECURITY_PRINCIPAL or
SECURITY_CREDENTIALS. These users were basically "guest" to WebLogic, and
the security-role-assignment element above told WebLogic that "guest" was in
the Employees role for purposes of this EJB archive.
Worked in WL6.1, no longer works in WL7.0. Client receives typical
permission exception:
java.rmi.AccessException: Security violation: insufficient permission to
access method 'create'
If I explicitly connect as "system" things are fine, or I can create a new
user in the default realm in WebLogic, put a matching <principal-name>
element in the section above, and connect as that user. Note that if I leave
off the <security-role> section completely, or set the required role name to
"everyone", the anonymous access works fine. Apparently the anonymous user
is a member of "everyone" behind the scenes even though "everyone" does not
appear in the realm list of groups or roles.
So, my question boils down to this: Is there a "magic" username in WL7 like
"guest" was in WL6.1 that can be mapped to the required role name, or must
every client connection use a true weblogic-created user with appropriate
role assignments used to map it to the required role name.
-Greg
P.S. Note that none of the EJB examples provided with WL used
<security-role>..
Check out my WebLogic 6.1 Workbook for O'Reilly EJB Third Edition
www.amazon.com/exec/obidos/ASIN/1931822468 or www.titan-books.com
-
How do you enable menu roles and enforce security in forms?
For example, in a complex application, if we want to control access to menus based on user login.
I know it can be done through the front end itself by using an if-then condition,
but can it be integrated with the database user logins themselves?
Kindly reply.
Thanks in advance

Hi,
first RUN frm60sec.sql under system/manager
create different roles
GRANT roles to users
Grant select access to the view created by frm60sec as follows:
SQL > Grant select on frm50_enabled_roles to public;
Note it is NOT frm60_enabled_roles.
To verify that your roles and grants are correct, log on as a user and run the following:
SQL>Select * from frm50_enabled_roles;
You should be able to see the user's roles.
Then go to the MMB file and continue assigning the roles to each menu item. You'll get the result.
regards -
I have a problem with a role in my database.
I have 2 tables,
t1 and t2,
owner = ERP.
I created user HAMID with grant connect, resource,
then
created role xx and granted all on t1 and t2 to xx,
then granted xx to HAMID.
When hamid connects to the database and selects from t2, he gets the error "table doesn't exist".
Why? Please help me.
See this:
I have 2 tables,
t1 and t2,
owner = ERP
conn sys
create role r1;
create role r2;
grant all on erp.t1 to r1;
grant all on erp.t2 to r2;
create user HAMID identified by hamid;
grant resource,connect to hamid;
alter user hamid default role connect;
grant r1 to hamid;
conn hamid
SELECT * FROM SESSION_ROLES;
see this
CONNECT
RESOURCE
R1
conn sys
grant r2 to hamid;
conn hamid
SELECT * FROM SESSION_ROLES;
see this
CONNECT
RESOURCE
R1
where is R2 ?????????????????????????????????????????? -
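An added example, not part of the post above: checks that separate "role granted" from "role enabled in this session", using the thread's ERP, HAMID, R1, R2 and T2 names. The private synonym at the end is an optional assumption about how unqualified table names should resolve.

```sql
-- Added example (not from the thread). Run the first part as HAMID.

-- Roles granted to this account, and whether each is a default role
-- (default roles are the ones enabled automatically at logon).
SELECT granted_role, default_role
  FROM user_role_privs
 ORDER BY granted_role;

-- Roles enabled in this session right now.
SELECT role
  FROM session_roles
 ORDER BY role;

-- Object privileges on ERP tables that are held by roles this user can access.
SELECT role, owner, table_name, privilege
  FROM role_tab_privs
 WHERE owner = 'ERP'
 ORDER BY role, table_name, privilege;

-- A role that is granted but is not a default role, or that was granted
-- after this session logged on, has to be enabled explicitly.
SET ROLE ALL;

-- ERP's tables are not in HAMID's own schema. An unqualified "t2" looks in
-- HAMID's schema and for synonyms, so without a synonym it raises ORA-00942
-- even when the privilege is present. Qualify the name with the owner.
SELECT COUNT(*) FROM erp.t2;

-- Run the rest as a DBA account.

-- Make every granted role a default role, so that roles granted later
-- are enabled at the next logon as well.
ALTER USER hamid DEFAULT ROLE ALL;

-- Optional: a private synonym so that unqualified "t2" resolves to ERP.T2.
CREATE SYNONYM hamid.t2 FOR erp.t2;
```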
Roles and responsibilities of oracle dba in development team
What should be the roles and responsibilities of an Oracle DBA in a development team?
Should an application DBA have oracle user credentials on the DB box?

Hi, an application DBA works like a production DBA, but SLAs would not apply to them while resolving issues. Apart from this, there will be pressure from the development team.
These are the points I remember:
Creating test DBs for the testing environment,
Schema replication of POC,
Replicating the DB for interface setup.
User and space management.
Roles and security management.
Space forecasting - this will be useful when you are estimating for storage.
Need to give the application setup to the Production DBA with proper specification.
Maintaining the schema changes.
Ensure that the right scripts are provided to the Production DBA team.
Deployment of the application.
Performance tuning.
Memory/CPU statistics of all environments need to be checked at regular intervals. Any issues need to be escalated to the INFRASTRUCTURE team.
HTC
tippu -
Interaction of BW Roles and BWA Explorer Security
We secure all our BW users via roles these roles have Analysis
authorizations embedded in them which restrict access to specific
infoproviders and values in these based on authorization relevant
infobjects.
When we try to create a BWA Explorer object in RSDDTPS we are forced to
assign a userid and an analysis authorization directly in
the "Authorizations" tab. Our security group only wants to have to
assign roles to users either via SU01 or CUA.
Configuration
BO 2008 Enterprise Server (connected to BW system)
BW system (Netweaver 7.01 EHP1)
BWA 7.2
1) How can we create BWA Explorer objects on a infoprovider without
directly assigning users in Authorization Tab and how can we make the
system ignore whatever is on this tab and base access to a BWA explorer
object on the roles assigned to the user via SU01/CUA.
2) If a User has roles assigned in BW that give them access to a
specific infoprovider will this automatically also give them access to
a BO Server published BWA explorer object built on that infoprovider.
Related to this do we also need import the same roles and assign to the
user in CMS server with link to BWA Explorer Server or does the user
automatically get access to BWA Explorer as long as BWA Explorer is
published on BO Server.
3) If the user in BW is assigned roles that limit values based on an
authorization relevant object is this restriction enforced in the
values returned in published BWA Explorer for the user. Example
Authorization Relevant object is Profit Ctr and the user has two value
roles: one contains access to all profit centers that roll up to a
hierarchy node limited to the USA and the other contains hierarchy
analysis authorization limiting access to all profit centers rolling up
to hierarchy node representing Europe. When a user accesses the BWA
Explorer object which contain profit ctr will the values be limited
only to USA AND Europe Profit centers or will the BW value based
security be ignored.
Please provide advice on above questions and document resources on how
BW role based security interacts with BWA Explorer.

Hi Expert,
I need a solution for same scenario, anyone can give inputs.
Regards,
Ganesh -
Issues with test-all role and browser security
WLS 10.3.5
I have a deployed application on Linux using a SQLAuthentication and Authorization - all is well here.
I have setup all the security (without the test-all role) and I cannot access any of the system.
If I put the test-all role in - I can access the system.
I have verified the user has all the roles (I used the example bean to display the user and roles on the menu page) and the test-all role is not in the list.
I have the menu setup to not display items unless the user has the role (this is working fine - SecurityContext.inRole(rolelist)).
So the context is fine.
I used jazn-data to set the same roles in the taskflows - this is not working at all unless the test-all role is set (I get authorization errors - not authorized).
Have I missed something in this?
I have also noticed that if I close the browser (X) without logging out and come back into the system the authentication is totally bypassed and I go back in as the same user as before.
Is there some way to destroy the previous context every time the welcome screen is executed?

Add the following parameters to the Run options for the ViewController project:
-Djps.auth.debug=true -Djps.auth.debug.verbose=true
Then restart WebLogic, run the app and watch the console - you'll see all the security evaluations take place which should help you to identify the problem. -
Hello,
I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
So:
1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
Your response is appreciated. -
Hello,
Could you please provide information on "security roles and profiles "
I would appreciate.
Regards,
Alex

Roles give you authorization to specific areas of the system. Use TC pfcg and you will see different settings for a role.
In specific Role -> Authorization -> click on Display Authorization Data.
Here all specific InfoArea, Cube, ODS, Reporting components: display, execute and other security rules are defined.
User Section: defines who has access to this role.
Multiple authorizations are combined to create an Authorization Profile. You define a profile at TC su01, under the profile section.
Hope that helps.
thanks.
Wond -
Configure security-role and method permission for EJB 3.0 using Jdev 11g
The EJB 3.0 session bean created by Jdev 11g EJB wizard does not have ejb-jar.xml. Where and how can security-role and method permission for the EJB be configured?
For example,
<assembly-descriptor>
  <security-role>
    <role-name>managers</role-name>
  </security-role>
  <method-permission>
    <role-name>managers</role-name>
    <method>
      <ejb-name>Employees</ejb-name>
      <method-name>setSalary</method-name>
      <method-params>
        <method-param>java.lang.Long</method-param>
      </method-params>
    </method>
  </method-permission>
</assembly-descriptor>

user516954,
By default annotations are used. However, you can create a new descriptor and that will take precedence over any declared annotation.
--Ric -
Security report with native roles and the roles they have access to.
We need a security report that shows the Native/Custom Roles and the roles that they have access to.
So, an example would be the role US_Acct, and the report would show what roles that has access to (Post Journals, Consolidate, etc). Can this be done?

Export the Provision report from Shared Services.
Upload report to Excel or Access.
Build Tables to show what tasks each Role has access to.
Build a report that links the provision report and the xref tables.
You should also do this with Security Classes. -
Role Base Security SSAS Tabular and PPS not working
Hi,
I am having SSAS (Tabular Model) with Role based Security. It is working fine with Powerview and PowerPivot.
But when i am using same with PPS. it is giving me error like 'Data source not accessible'.
If i don't Provide Role while connecting and if i select
unattended account, it is working but no security.
Please help me out on this situation or provide any steps with snapshot(if possible), how to make pps
working with SSAS Tabular model with Role.
Thanks in Advance
Pinak kakadiya

Hi Vishal,
According to your description, you are trying to use time intelligence functions in SQL Server Analysis Services Tabular model without success, right?
In order to use time intelligence functions in DAX formulas, you must specify a date table and a unique identifier (datetime) column of the Date data type. Once a column in the date table is specified as a unique identifier, you can create relationships between columns in the date table and any fact tables. Please refer to the links below to see the detailed steps to use time intelligence functions in DAX formulas.
https://msdn.microsoft.com/en-us/library/hh758415.aspx?f=255&MSPPError=-2147217396
http://blog.gbrueckl.at/2013/02/fiscal-periods-tabular-models-and-time-intelligence/
If the issue persists, please provide us more information about your tabular structure, so that we can make further analysis.
Regards,
Charlie Liao
TechNet Community Support -
Configuring roles and users (adf security) application context wise.
Dear All,
I referred to this tutorial (http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html) which shows how to hook up adf security with a database schema, but at domain level, which will be common to all applications in that domain. I want to make it different for each application (i.e. each application will use a different database schema for storing user credentials, i.e. enterprise roles, application roles and users).
Can any one please point me to proper way..
Regards,
Santosh
jdev 11.1.1.2.0

Dear Frank,
"Instead you have a single identity management system and have the application policies being different for the applications. Using ADF Security, users and groups can have different privileges in different applications"
Suppose I have 3 applications that use adf security; the users will be common to all applications, right? Roles and groups can be different for applications.
Application policies means roles and groups?
So how can they (application policies) be made different for applications? Is it built in or is some configuration needed? Can you point me to some blogs or tutorials for more reference?
Bet: In case I hook up adf security with a database schema.
Regards,
Santosh. -
Developing security Roles and profiles
Hi Team,
Can you guys let me know how to develop security roles and profiles? We are rolling out for a company in Japan, and the config is completed. We are in the process of developing test cases and also security roles and profiles for users. Can somebody guide and help me on this?
Regards,

Hi,
Use Tcode = PFCG -->then create any customized roles and profiles for any users on module based.
user masters: USR01 to 09, UST04,
profiles: USR10, USR11, UST10S, UST10C,
authorisations: USR12, USR13, UST12.
password exceptions USR40.
History tables(may not be applicable but FYI): users: USH02, USH04,
profiles: USH10, auths USH12.
R/3 Security Tcodes
End User
Transaction Code | Menu Path | Purpose
SU3 | System > User Profile > Own Data | Set address/defaults/parameters
SU53 | System > Utilities > Display Authorization Check | Display last authority check that failed
SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer
Role Administration
Transaction Code | Menu Path | Purpose
PFCG | Tools --> Administration --> User Maintenance --> Roles | Maintain roles using the Profile Generator
PFUD Work on SAP check indicators and field values
Select: Copy SAP check ID's and field values
Installation
1. Initial Customer Tables Fill
Upgrade
2a. Preparation: Compare with SAP values
2b. Reconcile affected transactions
2c. Roles to be checked
2d. Display changed transaction codes
SU24
Same as for SU25:
Select: Change Check Indicators > Maintain Check Indicators > Maintain
Regards,
Srini Nookala -
New role created and Security zone.
When I create the new role and I need to set the properties for that role. Then after I try to add this role to user and have user test the access.
Why there are some error happen and I need to go to 'security zone' by follow path from the error, then my new role into security zone, then user can access without any problem.
Please anyone explain why do we need to add role again in security zone even though we already set the property to that role in 'content administration.' Please let me know the difference. Thank you very much.

Hi,
Security Zones are used to prevent unauthorized users from accessing iviews, Portal Components and Portal Services through a direct url used outside of the portal environment. It will be controlled by means of progressive safety levels and permissions, which are assigned by the system administrators to authorized users in the permission editor.
Regards,
Saraswathi