SET Role and PL/SQL

Hello folks
Is there a way/workaround to do a SET ROLE using PL/SQL ? Please advise
Thanks,
N K

> Is there a way/workaround to do a SET ROLE using PL/SQL ? Please advise

No - you cannot set roles within a definer's rights procedure.
See How Roles Work in PL/SQL Blocks in the Database Security doc
http://docs.oracle.com/cd/B28359_01/network.111/b28531/authorization.htm

> How Roles Work in PL/SQL Blocks
> The use of roles in a PL/SQL block depends on whether it is an anonymous block or a named block (stored procedure, function, or trigger), and whether it executes with definer's rights or invoker's rights.
> Roles Used in Named Blocks with Definer's Rights
> All roles are disabled in any named PL/SQL block (stored procedure, function, or trigger) that executes with definer's rights. Roles are not used for privilege checking and you cannot set roles within a definer's rights procedure.

And be careful to heed this warning about LOGON triggers (see Using triggers in the PL/SQL doc - http://docs.oracle.com/cd/B28359_01/appdev.111/b28370/triggers.htm)

> • If you use a LOGON trigger to monitor logons by users, include an exception-handling part in the trigger, and include a WHEN OTHERS exception in the exception-handling part. Otherwise, an unhandled exception might block all connections to the database.
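
The definer's rights restriction quoted in the answer above, shown next to the invoker's rights form that is allowed to change session roles. This is an added example, not code from the thread or from Oracle's documentation; the role APP_READER, the user APP_USER and both procedure names are hypothetical.

```sql
-- Added example; APP_READER, APP_USER and both procedure names are hypothetical.
-- Constructed setup, run once by a privileged account:
--   CREATE ROLE app_reader;
--   GRANT app_reader TO app_user;
--   ALTER USER app_user DEFAULT ROLE ALL EXCEPT app_reader;
-- Everything below runs as APP_USER in SQL*Plus.

-- Definer's rights (the default when AUTHID is omitted): roles are disabled
-- inside the unit, so the SET ROLE request is refused at run time.
CREATE OR REPLACE PROCEDURE enable_role_definer
AS
BEGIN
  DBMS_SESSION.SET_ROLE('APP_READER');
END;
/

-- Invoker's rights: the unit runs with the caller's privileges and enabled
-- roles, so it may change the roles of the calling session.
CREATE OR REPLACE PROCEDURE enable_role_invoker
AUTHID CURRENT_USER
AS
BEGIN
  -- Like SET ROLE, this enables only the listed role and disables the others.
  DBMS_SESSION.SET_ROLE('APP_READER');
END;
/

SET SERVEROUTPUT ON
BEGIN
  -- Call the definer's rights version and report the error instead of aborting.
  BEGIN
    enable_role_definer;
    DBMS_OUTPUT.PUT_LINE('definer''s rights: role set');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('definer''s rights: ' || SQLERRM);
  END;

  -- Call the invoker's rights version from this top-level anonymous block.
  BEGIN
    enable_role_invoker;
    DBMS_OUTPUT.PUT_LINE('invoker''s rights: role set');
  EXCEPTION
    WHEN OTHERS THEN
      DBMS_OUTPUT.PUT_LINE('invoker''s rights: ' || SQLERRM);
  END;

  -- Show which roles are enabled in the session after both attempts.
  FOR r IN (SELECT role FROM session_roles ORDER BY role) LOOP
    DBMS_OUTPUT.PUT_LINE('enabled in session: ' || r.role);
  END LOOP;
END;
/
```

Because an invoker's rights unit runs with the caller's privileges, review what else it does before granting EXECUTE on it to accounts that hold more privileges than its owner.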

Similar Messages

  • Sql server agent roles and job's owner issue

    Hi,
    We have a tricky question about agent role and job owner. If I granted sqlagentoperatorrole to a windows account in a sql instance, the account will have permission to create a sql job, the job's owner is the account and he can edit the job. But we want to keep all agent jobs' owner as SA. But after I (have sysadmin role) changed the job's owner to SA, the windows account won't be able to edit the job any more. But I don't want to give sysadmin role to the account. Does anybody have a solution for my issue?
    So to recap my question,
    1. all jobs owners should be SA
    2. Allow some accounts without sysadmin permission can edit these jobs
    3. Which kind of permission shall I grant to these accounts?
    Thanks
    David

    It's not necessary to have SA for all the jobs, normally we avoid using SA...
    Depends if you want to have some sort of security measures in place. If not, doesn't matter much. As for the 'sa' topic, I change the name of that account or disable immediately after install. It practically eliminates that vector of attack.
    If you SQLAgentOperatorRole permissions then you can do the below... this is just a agent role so this comes under MSDB....
    http://msdn.microsoft.com/en-us/library/ms188283.aspx
    Also if you have sql SA access with domain account or sql account then you can play with sql server completely without any issues, no harm in this...
    Agent principals are scoped to msdb; make sure you are running the statement from msdb DB. For example:
    use [msdb]
    go
    -- The code where @userName is declared & set
    EXEC sp_addrolemember 'SQLAgentOperatorRole', @userName
    go
    If you still have problems let us know, and please include the error number and message in order to help us understand the nature of the failure.
    Best practice...
    http://technet.microsoft.com/en-us/library/cc966485.aspx
    Raju Rasagounder Sr MSSQL DBA

  • How to set up fax solution using Windows 2008 R2 Fax server role and Exchange 2007

    Hello, 
    I don't know if this is the right forum to post this but since it is related to Exchange I thought it might be. If this is not the right place, please direct me to the forum where my post would be more appropriate.  
    I'm looking to set up a Fax solution for the company that I work for as we are moving away from analog phone lines to VoIP using SIP. My original thought was to set up a Windows 2008 R2 server with Fax server role installed and have it route the fax message
    to Exchange 2007 SP3 so the fax message can be delivered to each user's inbox. I was reading a little bit on the Windows Fax server role and from what I saw it looks like it can only route fax messages to one email address. This not ideal for my company. Is
    there a way to have the fax server role route the email to each user's inbox? If so, how can I achieve this?
    How can I implement this for sending outgoing faxes as well?
    I don't know if this is relevant or not but I will be using Asterisk as a media gateway between our SIP trunks and the Windows Fax server. 
    Any help is appreciated. Thanks!

    Please find the below url for the complete Fax configuration in Exchange 2007 Unified Messaging
    http://blogs.technet.com/b/exchange/archive/2007/04/18/3401950.aspx
    The article is so easy to understand with detailed procedure and guidelines
    Exchange Queries

  • How to pull Roles and Policies from backend using SQL query in OIA

    Hello,
    I have Roles and Policies defined in OIA with mapping each other and there is no direct extract report from OIA Web console.
    Is there any oracle SQL query by which we can get the data and filter the Policies based on the role ?
    Note: We have one Role having more than one Policy defined in OIA.
    Appreciate your help.
    Thanks

    I am quoting this from MOS Doc Id "Why would multiple session records be present in the User Sessions screen in P6 Web, and why might some of them have different IP addresses? (Doc ID 1600172.1)"
    Multiple sessions show up for users since different sections of P6 Web have their own sessions associated with them. If a user is authorized to use multiple areas of the software they will have multiple sessions each time they log in. Additionally, if users are closing their browsers before logging out of P6 Web Access you might see some past sessions still appearing in the list. These will eventually be cleared out by background jobs, however you can also reset the sessions in the software by clicking the "Reset User" link (Administer > User Sessions > Manage User Sessions), or by choosing the "Reset All Users" link (Administer > User Sessions > Manage User Sessions) to do this for all past sessions.
    Multiple IP addresses for sessions can happen when a user logs in from different machines. For example, a person may login at their desk, but then go to a colleagues workstation to discuss a project, and log in from there. Doing so will leave them with multiple IP addresses in the session records.
    Hope this helps
    Regards,
    Sachin Gupta

  • Set role with Java JPA and NativeSQL

    Hi,
    using 10g setting roles with Java JPA and NativeSQL works fine. After the upgrade to 11g the same commands will not work.
    Are there any significant changes to set roles in 11g?
    Regards
    Siegwin

    siegwin.port wrote:
    > using 10g setting roles with Java JPA and NativeSQL works fine. After the upgrade to 11g the same commands will not work.
    > Are there any significant changes to set roles in 11g?
    When I eval'd 11g, I did not notice any changes in setting my roles. I did notice a significant difference in Java. I cannot remember the JDK version change from 10g to 11g. We ended up settling back to 10g for other reasons.

  • Error while Assigning database level role (db_datareader) to SQL login (Domain Account)

    Team,
    I got an error while creating a User for Domain Account. Below is the screen shot of the error (error : 15401)
    Database instance is on SQL 2000 SP3. (I know it is out of support, but the customer is reluctant to upgrade)
    On Google search, i found below article which is best matching for this error
    http://support.microsoft.com/kb/324321
    I have followed each step of troubleshooting. But still the issue persists.
    Step 1. The login does not exist == The login very much exists in the domain, as I am able to add the same domain id to other database instances
    Step 2. Duplicate security identifiers == i have used this query to find duplicate SID
    /*  SELECT name FROM syslogins WHERE sid = SUSER_SID ('YourDomain\YourLogin') */
    But there was only one row returned with create date of today's.
    Step 3. Authentication failure == Domain is available. User is able to login on other servers via RDP connection.
    Step 4. Case sensitivity == Database collation is set to Case insensitivity. (CI)
    Other two 5. Local Accounts & 6. Name resolution == is not applicable to me.
    I tried other ways also.
    A. Creating login and providing permission in one go only = User account is not created
    B. Instead of GUI, use query to create login and provide required permission = Same error.
    Has anybody faced any such situation?
    Chetan

    See the below output
    Column       Value
    srvid        NULL
    sid          0x010500000000000515000000A1F66E1BFC1DC75D26E72530A2B80400
    xstatus      14
    xdate1       20:25.9
    xdate2       57:33.4
    name         UKBAA\LHRAPPMuttavarapuS
    password     NULL
    dbid         1
    language     us_english
    isrpcinmap   0
    ishqoutmap   0
    selfoutmap   0
    Chetan

  • How to set roles from JDBC connections

    Hi guys,
    I have a jdbc connection which purpose is to run queries based on a string that I construct in my program.
    My question is: if I have to run a DCL, like: SET ROLE RL_XXX TO USER1;
    What's the easiest way to do it with my same connection?
    Thanks.

    Hi Marc,
    Sorry for the typo. It's a BDC source, I use a WCF client to access a SQL Database (HR External System) that has 4 fields that are necessary to present in the Sharepoint User Profile. The issue occurs with a Full or a Delta Sync. The problem is that if the
    BDC source is not present the fields are deleted (I get a SPS-Dummy Added and all of the pbjects in the BDC Connector Space are deleted).
    I do not want this to happen. I do not want the User Profile Attributes/Fields to be empty/deleted if there is no connection I simply want them to stay what they are... I have two issues.
    1) Is that the even if i change my data on SQL Server side, the changes do not get picked up by the sync. Since the only field that is being tested for change is an ADid, since the id does not change the BDC does not consider them changes.
    2) If there is no connection I do not want the attributes to be deleted. I have not figured out a way to effectively do this.
    So my issue appears to be simple to solve, but after 4 days and hundreds of tutorial pages read I have yet to figure out a proper way to do this.
    Here is the pseudo-specification
    The Fields that come from the HR System (SQL Server) are to be presented in the user profile. If there is no connection to the BDC file the fields remain as they are until there is a connection and updates can be made. Changes to any of the fields are performed
    manually in the HR system. These changes must be picked up by the daily sync.

  • Set role does not appear to be working

    Below, I've listed two blocks of code. The first block executes just fine. The second block throws an exception on the last line. The error returned from the server is "ORA-04043: object PERSON_VIEW does not exist". The only difference between the two blocks of code is how they log in. The first block logs in as a user with more rights. The second block logs in as a user with very little rights, but obtains more rights using the "set role" statement. I used SQL Plus to log in manually as the second user, executed the "set role" statement, and had no problem describing PERSON_VIEW. What am I doing wrong in the second block of code?
    // Block 1: logs in as the user with more rights (executes fine)
    Environment *pEnv = Environment::createEnvironment( Environment::OBJECT);
    Connection *pCon = pEnv->createConnection( "MYAPP", "PASSWORD", "MYDB");
    MetaData data = pCon->getMetaData( "PERSON_VIEW", MetaData::PTYPE_VIEW);

    // Block 2: logs in as the user with very little rights, then issues "set role"
    // (the last line throws ORA-04043)
    Environment *pEnv = Environment::createEnvironment( Environment::OBJECT);
    Connection *pCon = pEnv->createConnection( "USER", "PASSWORD", "MYDB");
    Statement *pStatement = pCon->createStatement( "set role MYAPP_ROLE identified by PASSWORD");
    pStatement->executeUpdate();
    MetaData data = pCon->getMetaData( "PERSON_VIEW", MetaData::PTYPE_VIEW);

    In case anyone cares, the actual problem is that the OCCI throws an Ora-4043 when describing a SYNONYM in 10.1.0.3. This has been designated a bug and assigned to the development team. :o)

  • Associate roles and permissions to users that exist on a database

    Hi,
    I want to realise a secure authentication. I used ADF Configuration but I found out that I can't bring my users from my database. I can just create new users with roles in JDeveloper.
    Do you know how we can bring users to JDeveloper and associate roles and permissions to them?

    i found this tutorial that is that what i did :
    1. Start up weblogic server (Run .. Start Server Instance)
    2. Log on to weblogic console ( http://localhost:7101/console/ )
    3. Use default username/password weblogic/weblogic1
    4. Create a datasource to connect to the schema where the authenticating database tables are (Services .. JDBC .. Data Sources)
    5. Use unique name for datasource. Use JNDI name of jdbc/
    6. Enter database name, schema name and password and test
    7. Add new Authentication provider (Security Realms .. myrealm .. Providers .. New)
    8. Enter datasource name, type SQLAuthenticator click Ok
    9. Going back into provider, change control flag to Sufficient
    10. Select Provider Specific tab and choose Plaintext passwords, password algorithm SHA-1
    11. Shut down weblogic
    12. Edit config.xml file in JDEV_DIR/system11.1.1.2.36.55.36/DefaultDomain/config and replace sql authenticator sql statements with those from web blog
    13. Restart weblogic.
    14. Go to users/groups tab in security realm and view users and groups imported from database
    15. Set control flag for other providers to "Sufficient"
    source : http://brent.hmdclinical.com/2010/03/using-database-tables-as-weblogic.html
    but for step 12 I don't know what I need to change and with what?

  • Roles and authorization - 0BI_ALL

    hi all,
    I have a problem creating a proper role for our users in sem-bcs. The problem is in the transaction ucmon. They can't see the list of journals unless I give them authorization object S_RS_AUTH with 0BI_ALL. But I don't want to use 0BI_ALL because they see all data and they shouldn't.
    I created two authorizations in rsecadmin and put them into the role in S_RS_AUTH: one with infoobject ZIOCELOK and one with ZIOICOUJ and gave them values that the user needs to see only his data. I also added  But he still can't see it. I ran rsecadmin analysis and found this in error logs, but I don't have a clue what this means.
    Following Set Is Checked          Comparison with Following Authorized Set          Result
    Characteristic     Content(in SQL Format)     Characteristic     Content(in SQL Format)     Not Authorized
    0TCAACTVT     NOT ZIOCELOK = 'KAP10'     ZIOICOUJ     I EQ 00699021     
    ZIOCELOK     AND ZIOICOUJ = '00699021'          I EQ 30806101       Not Authorized
    ZIOICOUJ     AND 0TCAACTVT = '03'             I EQ 31819559     
                                                     I EQ 35822163     
                                                   0TCAACTVT       I EQ 03     
                                                     ZIOCELOK  I EQ KAP10     
    All Authorizations Tested
    Message EYE007: You do not have sufficient authorization
    No Sufficient Authorization for This Subselection (SUBNR)
    Following CHANMIDs Are Affected:
    477 ( ZIOCELOK )
    478 ( ZIOICOUJ )
    Authorization Check Complete
    PLS help
    Edited by: Martin  Zluky on Jul 30, 2010 10:12 AM

    Hi,
    here is the full error log. Please take a look. ZIOCELOK is a variable in ISJUS_BCS, which is our infocube from where ucmon
    is getting data.
    Authorization Check Log
    For a general description see the Note 1234567
    Date and Execution Time (Local Server)
    Execution Date: 05.08.2010
    Execution Time: 08:11:24
    TransactionUCWB_INT ( List of Totals Records )
    Executed by User TE001019
    Executed with Analysis Authorizations of Another UserTE001019
    Software Component     Release     Level     Support Package
    SAP_ABA     700     0019     SAPKA70019
    SAP_BASIS     700     0019     SAPKB70019
    SAP_BW     700     0021     SAPKW70021
      InfoProvider Check 
    Building the Buffer...
    ...Buffer Built
    Are there authorizations for accessing InfoProvider ISJUS_BCS with activity 03?
    Authorization exists for general access to InfoProvider ISJUS_BCS with activity 03
      Relevant Characteristics for Detailed Authorization Check 
    (Characteristics with Full Authorization Are Not Listed!)
      List of Effective Authorization-Relevant Characteristics for InfoProvider ISJUS_BCS: 
    ZIOCELOK
    ZIOICOUJ
    0TCAACTVT
      Authorization Check 
      Detail Check for InfoProvider ISJUS_BCS 
      Preprocessing: 
    Selection Checked for Consistency, Preprocessed and Supplemented As Needed
    Subselection (Technical SUBNR) 1
    Check Node Definitions and Value Authorizations...
    Node- and Value Authorizations Are OK
    End of Preprocessing
    Filling the Buffer...
    ...Buffer Filled
      Main Check: 
      Subselection (Technical SUBNR) 1 
    Supplementation of Selection for Aggregated Characteristics
      No Check for Aggregation Authorization Required 
    Following Set Is Checked     Comparison with Following Authorized Set     Result     Remaining Set
    Characteristic     Content(in SQL Format)
    0TCAACTVT
    ZIOCELOK
    ZIOICOUJ
         ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
    AND 0TCAACTVT = '03'
    AND ZIOCELOK LIKE *
    Characteristic     Content(in SQL Format)
    0TCAACTVT     I EQ 03
    ZIOCELOK     I EQ KAP10
    ZIOICOUJ     I EQ 00699021
    I EQ 30806101
    I EQ 31819559
    I EQ 35822163
         Partially or Fully Authorized (Intersection) Partially or Fully Authorized (Intersection)     
    Characteristic     Content(in SQL Format)
    0TCAACTVT
    ZIOCELOK
    ZIOICOUJ
         NOT ZIOCELOK = 'KAP10'
    AND ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
    AND 0TCAACTVT = '03'
    Value selection partially authorized. Check of remainder at end
    Following Set Is Checked     Comparison with Following Authorized Set     Result     Remaining Set
    Characteristic     Content(in SQL Format)
    0TCAACTVT
    ZIOCELOK
    ZIOICOUJ
         NOT ZIOCELOK = 'KAP10'
    AND ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
    AND 0TCAACTVT = '03'
    Characteristic     Content(in SQL Format)
    0TCAACTVT     I EQ 03
    ZIOCELOK     I EQ KAP10
    ZIOICOUJ     I EQ 00699021
    I EQ 30806101
    I EQ 31819559
    I EQ 35822163
         Not Authorized Selection is not authorized     
    All Authorizations Tested
      Message EYE007: You do not have sufficient authorization 
      No Sufficient Authorization for This Subselection (SUBNR) 
    Following CHANMIDs Are Affected:
    477 ( ZIOCELOK )
    478 ( ZIOICOUJ )
      Authorization Check Complete

  • Why does SET ROLE start a transaction?

    Hi,
    I wonder why SQL command SET ROLE starts a transaction?
    Is it considered to be a DML command?
    If yes, then why?
    Check this simple PL/SQL example (where FND_ADMIN is any role granted to the user executing the code):
    SET SERVEROUT ON
    BEGIN
      dbms_output.put_line('[1]');
      dbms_output.put_line(dbms_transaction.local_transaction_id);
      dbms_output.put_line('[2]');
      dbms_session.set_role('FND_ADMIN');
      dbms_output.put_line('[3]');
      dbms_output.put_line(dbms_transaction.local_transaction_id);
      dbms_output.put_line('[4]');
    END;
    /
    It gives the following output:
    [1]
    [2]
    [3]
    6.40.1217
    [4]
    Regards
    Håkan

    Hm... as documentation states, DBMS_SESSION.SET_ROLE is, quote, "... equivalent to the SET ROLE SQL statement", unquote.
    However, seems that it's doing something more than just SET ROLE:
    SQL> commit;
    Commit complete.
    SQL> select sid, taddr
      2    from v$session
      3   where sid = (select sid from v$mystat where rownum = 1);
           SID TADDR
            46
    SQL> set role CTXAPP;
    Role set.
    SQL> select sid, taddr
      2    from v$session
      3   where sid = (select sid from v$mystat where rownum = 1);
           SID TADDR
            46
    TADDR is empty – we don't have transaction and there is no transaction state object for our session.
    However:
    SQL> exec dbms_session.set_role('CTXAPP')
    PL/SQL procedure successfully completed.
    SQL> select sid, taddr
      2    from v$session
      3   where sid = (select sid from v$mystat where rownum = 1);
           SID TADDR
            46 5756BD74
    Why so? I don't know :) But obviously, DBMS_SESSION.SET_ROLE is not a precise equivalent to SET ROLE.
    Regards.

  • Database roles and APEX

    Can database roles be used with APEX to control table and other object access between schemas?
    If so, please provide an example.
    If not, please explain why the product would be limited in this way. One of the major shortcomings we see is the need to directly grant privileges to each schema, rather than having the power of roles to do this.

    Kannan,
    With DATABASE ACCOUNT credentials set, we were able to authenticate users for each page, in accordance with their table privileges, as follows. Please join us in encouraging Oracle to build this logic into Application Express, as one of the authentication options. We consider this to be a major shortcoming of an otherwise great product.
    For each page, create a PL/SQL anonymous block process "before header", to determine if the user has the necessary privileges. In this example, the user must have UPDATE privilege for one table, and SELECT privilege for the other table used by the page.
    DECLARE
      CURSOR c_get_role IS
        SELECT DISTINCT drp.granted_role, dtp.privilege, dtp.table_name
          FROM dba_tab_privs dtp, dba_role_privs drp
         WHERE dtp.grantor = '<database name>'
           AND dtp.grantee = drp.granted_role
           AND drp.grantee = v('APP_USER')
           AND dtp.table_name IN ('<updateable table name>','<readable table name>')
           AND dtp.privilege IN ('UPDATE','SELECT');
    BEGIN
      :Pnn_USER_ROLE_MESSAGE := 'NO ROLE';
      :Pnn_USER_ROLE_PROTOCOL := 'NO ROLE';
      :Pnn_USER_HAS_PRIVS_FLAG := 0;
      FOR rec IN c_get_role
      LOOP
        IF rec.table_name = '<updateable table name>' AND
           (rec.privilege = 'UPDATE')
        THEN
          :Pnn_USER_ROLE_MESSAGE := rec.granted_role;
        ELSIF rec.table_name = '<readable table name>' AND
              (rec.privilege = 'SELECT' OR rec.privilege = 'UPDATE')
        THEN
          :Pnn_USER_ROLE_PROTOCOL := rec.granted_role;
        END IF;
      END LOOP;
      IF (:Pnn_USER_ROLE_MESSAGE != 'NO ROLE') AND (:Pnn_USER_ROLE_PROTOCOL != 'NO ROLE')
      THEN
        :Pnn_USER_HAS_PRIVS_FLAG := 1;
      END IF;
    END;
    Note that APEX_PUBLIC_USER must have read privilege for the dictionary tables.
    Now you can use the flag variable and create an HTML region to source the error message to display if the user has insufficient privileges.
    PL/SQL Function Body Returning a Boolean..
    IF :Pnn_USER_HAS_PRIVS_FLAG = 0 THEN
      RETURN TRUE;
    ELSE
      RETURN FALSE;
    END IF;
    Add a condition to the normal page regions to display themselves only if the user has privileges and appropriate role, based on the flag being TRUE (same as the IF block above, except FLAG = 1).

  • Question about Roles And privileges

    I have designed my database and I have generated the ddl script. Now I want to design or somehow create the system roles and system privileges for every role.
    for example:
    CREATE ROLE DOCTOR;
    GRANT SELECT ON DOCTOR TO DOCTOR;
    So is there any way to do that from Enterprise Manager or JDeveloper GUI? Can I generate the dcl script somehow?

    aa8a14cf-4c39-4940-8315-e35d47cccb28 wrote:
    > I know which roles and system privileges should be created. How am i gonna create them and generate the dcl script?
    You've been shown two variants on how to have "sql write sql" to create a script.  We assumed you know how to use sqlplus to run a script, and in this case to spool the output of the script we showed to create the script you want. (That was covered in my comment "I leave the details as an exercise for the student")
    Since you wanted a script we also assumed NOT using a GUI.  Live by the GUI, die by the GUI.
    But since it seems our assumptions were false ...
    Log on with sqlplus and do the following:
    set echo off feedback off verify off head off trimsp on tab off lines 512 pages 0
    spool doit.sql
    select 'grant '||privilege||' on '||owner||'.'||table_name||' to '|| role||';'  from ROLE_TAB_PRIVS WHERE ROLE='DOCTOR';
    spool off
    edit doit.sql
    After examining and doing a sanity check on 'doit.sql', you just execute it in sqlplus ..
    sql> @doit

  • Defining roles and access for OWB Designer

    Hi,
    Can i Define roles and access rights to different on 1 OWB Designer repository?
    I want to send my mappings for code review but I don't want them to log into the OWB designer with write access.
    How can i achieve this in the same OWB designer repository as the one i am using?
    I am using OWB 10.1.
    I found some table - WMP_USER_ROLES,WMP_GROUP_ROLES,WMP_GROUP_REPOSITORIES
    when i logged into the designer schema through sqlplus
    Thanks
    Sagar

    Hi Sagar,
    Yes you can do that. Basically you can create a db user, and then register the user with a repository. By default that user has all privileges, however it now is audited per user as to what he/she did. How to do this look at the doc (find SecurityHelper)
    To enable you to protect metadata there are a couple of strategies (implemented via a simple PL/SQL API). For an example (this one works with policies on the module level) take a look here (http://www.oracle.com/technology/sample_code/products/warehouse/files/Dev_Status_Policy.SQL)
    This would work as follows:
    - Create user REVIEW
    - Register user REVIEW to repos QA
    - For a module you want review for, set the status to QA
    Now the REVIEW user logs in and he can look at QA but cannot touch.
    Hope this helps,
    Jean-Pierre
    In your situation

  • UCM 11g and Weblogic SQL Authenticator

    A bit lengthy question about UCM 11g using WLS Security providers for user authentication.
    There's a lot of stuff on the web about integrating UCM 11g with WLS AD/LDAP authenticators. However there's literally nothing about integrating it with SQL-based authenticators. Does it mean that using WLS's built-in providers other than AD/LDAP is not supported ?
    I tried configuring my Custom DBMS Authenticator - it works fine. I can see my users/groups and membership info read from the DB in WLS Admin Console. The users can even log in to the Content Server but their WLS groups are never mapped to UCM roles/accounts. I tried reordering the WLS authenticators so that the DBMS authenticator is at the top but this does not help. Does this mean that group -> role/account mapping works only with LDAP ?
    thanks in advance

    Hi Sirnath,
    Thanks for the prompt reply.
    I did another exercise and defined the contributor group in both the DefaultAuthenticator and the SQL Authenticator and created two users 'default' (in the DefaultAuthenticator) and 'sql' (in the SQL authenticator). Both users are members of the 'contributor' group (in the respective Authenticator). If I log in as either of the users they all have the proper principals/credentials set in the javax.security.auth.Subject instance (the 'contributor' is a principal and a credential in both cases). However UCM maps it to a role only for the 'default' user.
    Is it possible that the JPS provider somehow bypasses the javax.security.auth.Subject abstraction? Do you know of any related docs available online ?
