Solution: WinXP Restricted users connecting to Oracle

For a while we've been having the problem that with a default install of the Oracle Client (in our case 9.2 - Not sure if the problem exists with earlier versions), restricted users on WinXP (possibly 2K too, I've not been able to test it) cannot connect to any server because they cannot see the oracle client files. For some reason, the oracle client install sets strange permissions that mean only administrators can access the client files. Worse still, any attempt to reset the permissions on the ORACLE_HOME directory and propagate them down all the sub directories always fails with Permission Denied (even for admins?!?!?!). Even attempting to take ownership fails.
Anyway, we've found a solution:
Logged in as an admin, we copied the c:\oracle\Ora92 directory from a fresh install of the oracle client on WinXP to a machine with Fat32 (Win98) - Thereby removing all permissions from the files. We then renamed the old Oracle directory on the WinXP PC, created a new one and copied back the Ora92 directory from the Win98 PC - This resulted in the c:\Oracle directory and all sub directories having default permissions, specifically Read and Execute to all users and Full to admins. We also reset the permission on all sub-directories of c:\program files\oracle to those of c:\program files\oracle ( Using the "Reset permission on all child objects and enable propagation of inheritable permissions" check box in windows advanced security ).
The end result is that restricted users can now access the necessary oracle client files, but don't have permission to alter them (which prevents them changing any connection parameters).
The problem still remains that the installer creates strange permissions on files in the Oracle Home directory, but at least there is a workaround until Oracle sorts out the installer.
Anyone think of a better way to get the same result?

if you set the restricted users into the power users group you may be asking for other troubles as these users will then have update permissions to most files on the system, including those files in the winnt folder.
it is not clear to me whether you are unable to set the file permissions to read/write access, or whether you are able to do so but that after you do so the users still get errors launching the client. it sounds like the solution to your problem may have been setting the read/write access in the \program files\oracle folder.
you should make sure you install oracle when you are logged in as administrator. note that this is different than doing the install while logged in as user "X", where "X" is a member of the administrator group.
if after doing the install as administrator you still have problems, i would recommend that you turn on auditing, reboot the system, launch the client as a restricted user, and then review the event log to see what file(s) are being denied access.
to set up auditing, go to start->programs->administrative tools->local security policy. select local policies, then audit policies. set "audit object access" to failure. then go to my computer, right click on C:, select properties, then the security tab. click on the advanced button, then the auditing tab. select the "everyone" group, then click ok. in the next window, check all boxes in the "failed" column. click ok.
don't forget to reverse the process and turn off auditing once you have found the problem files and set the necessary permissions.

Similar Messages

  • Proxy user connection in oracle form10g

    Dear All,
    Could anyone help me out with how to use a proxy user connection in Oracle Forms 10g?
    proxyapp[SCOTT]/proxyapp@orcl is running fine on the database side. I would like to use this user in Oracle Forms 10g and would like to know the syntax of the connection.
    Thanks & Regards
    zeeshan

    Do you know if there is there anyway to use proxy users without using OAM? It is working fine for us assuming the combined prox_user[real_user] does exceed 30 characters .... Need to expand the forms user id field ...???

  • Restrict User Connections Using Logon Trigger

    Hi all,
    Now I am restricting user connections from selected terminals, using following logon trigger.
    It allows users with DBA privileged user.
    How to restrict DBA privileged users?
    Note:- As per my application needs DBA privilege.
    CREATE OR REPLACE TRIGGER on_logon
    AFTER LOGON
    ON DATABASE
    DECLARE
    VPROGRAM VARCHAR2(30);
    Vusername VARCHAR2(30);
    VTERMINAL VARCHAR2(30);
    CURSOR user_prog IS
    SELECT UPPER(program),UPPER(username),NVL(TERMINAL,'X') FROM v$session
    WHERE audsid=sys_context('USERENV','SESSIONID');
    BEGIN
    OPEN user_prog;
    FETCH user_prog INTO Vprogram,Vusername,VTERMINAL;
    IF VTERMINAL NOT IN ( 'APP1','APP2','APP3')
    and Vusername='ABUL'
    THEN
    RAISE_APPLICATION_ERROR(-20001, 'You are not allowed to login');
    END IF;
    CLOSE user_prog;
    END;
    Thanks in Advance
    Abk

    Your application needs the DBA role? That is a terrible design-- it violates every principle of secure coding.
    Login triggers don't fire for users with the DBA role, so you won't be able to use a login trigger here. You could ditch the login trigger and configure invited and excluded nodes in the listener's sqlnet.ora file, i.e.
    tcp.validnode_checking = yes
    tcp.excluded_nodes = (hostname1,hostname2,hostname3)
    You'll have to restart the listener after making that change.
    Justin

  • How many oracle user connect with oracle server.

    hi all
    how many oracle user connect with oracle server.
    i want query for above sentence.

    Robert,
    This query will show us the username who are connect to a particular database. If OP wants that how many overall users are connected to his/her oracle server (which is having more than one db) then please tell us. Suppose 10 users are connected with db1 and 20 users are connected with db2.. like that.
    Regards
    Girish Sharma

  • No. of users connected to oracle

    Hi everyone,
    How to find out how many users connected to oracle?

    http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/dynviews_2088.htm#sthref3985
    That identifies how many sessions are connected to Oracle. It's an awful long time since I saw a system that had a predictable relationship between number of sessions and number of users. Nearly every system I see does one or more of the following.
    1. Uses connection pooling.
    2. Opens more than 1 connection for a single user session.
    3. Uses the same user account for authenticating connections.
    Often those 3 are related of course, but if you have an app that does that querying v$session won't answer the original question - though it might set limits on possible answers.
    In short I'd say that how many users, as opposed to user sessions, were active at any one time was an application development issue. If however the question is really a management question about how busy the database server is I have found that answering accurately, but perhaps misleadingly, "there are on average 42 user sessions" is a perfectly adequate answer to the question - since the motive is usually about "busyness" not actual end-users.
    Niall Litchfield
    http://www.orawin.info/

  • Script to Determine Users Connected to Oracle Apps and For Imitating Users

    I found this great script (Note:430948.1 on Metalink) to track users connected to the E-Business Suite.
    My colleague though noticed that users who had shut their browsers without logging off or those users who had 'timed out of their session' would still come back in the report.
    He wanted an accurate measure of who was in fact using the e-Business suite.
    We took the original query and added the last line (below). It basically takes the ‘last connect’ time and adds 60 minutes to it to figure out who is ‘validly’ still connected.
    select distinct ic.disabled_flag, fu.user_name User_Name,fr.RESPONSIBILITY_KEY Responsibility, fu.user_name,fu.user_id, fu.description, fu.employee_id,
    ic.responsibility_application_id, ic.responsibility_id, ic.org_id, ic.function_type, ic.counter, ic.first_connect, ic.last_connect,
    ic.nls_territory, ic.time_out, fr.menu_id, fr.responsibility_key
    from apps_fnd.fnd_user fu,
    apps_fnd.fnd_responsibility fr, apps_fnd.icx_sessions ic
    where fu.user_id = ic.user_id AND
    fr.responsibility_id = ic.responsibility_id AND
    ic.disabled_flag='N' AND
    ic.responsibility_id is not null AND
    ic.last_connect > sysdate - (ic.time_out/60)/96
    Can anybody see any issues with this query? or a better way to do this?
    It looks like Oracle runs a clean up script to wipe out sessions after a certain amount of time so they are no longer active sessions - so this works around that.

    From my Exchange Server in an Exchange PS session:
    Name        : Admin Audit Log Agent
    Enabled     : True
    Priority    : 255
    WhenCreated : 6/15/2012 9:54:46 AM
    WhenChanged : 6/15/2012 9:54:46 AM
    Name        : Scripting Agent
    Enabled     : False
    Priority    : 6
    WhenCreated : 6/15/2012 9:54:46 AM
    WhenChanged : 6/15/2012 9:54:46 AM
    Name        : OAB Resources Management Agent
    Enabled     : True
    Priority    : 5
    WhenCreated : 6/15/2012 9:54:46 AM
    WhenChanged : 6/15/2012 9:54:46 AM
    Name        : Provisioning Policy Agent
    Enabled     : True
    Priority    : 4
    WhenCreated : 6/15/2012 9:54:46 AM
    WhenChanged : 6/15/2012 9:54:46 AM
    Name        : Mailbox Creation Time Agent
    Enabled     : True
    Priority    : 3
    WhenCreated : 6/15/2012 9:54:46 AM
    WhenChanged : 6/15/2012 9:54:46 AM
    Name        : Mailbox Resources Management Agent
    Enabled     : True
    Priority    : 2
    WhenCreated : 6/15/2012 9:54:46 AM
    WhenChanged : 6/15/2012 9:54:46 AM
    Name        : Rus Agent
    Enabled     : True
    Priority    : 1
    WhenCreated : 6/15/2012 9:54:46 AM
    WhenChanged : 6/15/2012 9:54:46 AM
    Name        : Query Base DN Agent
    Enabled     : True
    Priority    : 0
    WhenCreated : 6/15/2012 9:54:46 AM
    WhenChanged : 6/15/2012 9:54:46 AM
    The output is the same from my workstation after loading the PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
    Rob Smura, MCSE

  • How to restrict user access in Oracle Application Server 10g (9.0.4)?

    Can anybody please let me know how to restrict user access in 10g AS? To be specific, how to allow http requests from specific IPs only?

    Hi,
    You have to edit httpd.conf and modify access rights for each protected directory
    e.g.
    <Directory /var/www/sub/payroll/>
    Order allow,deny
    Allow from 192.168.1.0/24
    </Directory>
    then you have to restart Oracle HTTP Server
    jm--

  • NO OF USER CONNECTIONS TO ORACLE

    Hi all
    I am new to administration . could anybody please let me know
    how to find out the total no of users who have connected to
    oracle during one session.
    any light on this is greatly appreciated.
    thanks
    mahima

    srini (guest) wrote:
    : MAHIMA (guest) wrote:
    : : Hi all
    : : I am new to administration . could anybody please let me know
    : : how to find out the total no of users who have connected to
    : : oracle during one session.
    : : any light on this is greatly appreciated.
    : : thanks
    : : mahima
    : Hi
    : i don't understand what do you mean by one session. But you
    : can find out the no. of users using v$session view. when you
    : give the following statement
    : select * from v$session where type != 'BACKGROUND'
    : it'll return all the users who've logged in oracle except the
    : background processes. No. of rows you've got is the no. of
    : sessions opened in oracle.
    : i believe, this should answer your question.
    : regards
    : srini J

  • Restricting User Sessions

    I want to restrict user session through oracle forms
    I am using Developer 6.0
    I don't want to use the V$Session table to restrict the session
    Pl Suggest if there is any alternative solution to restrict user sessions
    Thanks
    Sarfraz Attari

    Hi,
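    in When New form instance
    declare
    -- Connection details of the current Forms session
    un varchar2(30) := get_application_property(username);
    pw varchar2(30) := get_application_property(password);
    cn varchar2(255) := get_application_property(connect_string);
    begin
    -- Only the XYZ account is treated as a valid user
    if upper(un)<>'XYZ' then
    message('U r not a valid user');
    end if;
    end;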
    Hope this helps u..
    Prashanth Deshmukh

  • Restricting User-Defined Layout in CV04N

    Hi All
    A user having cv04n authorization can change the layout and save as User-Specific Layout. We may be giving various information via CHARS / Values and users add those to layouts and see
    Now a User who do not have Authorization to a Document type , say FIN (for Finance) , can get the details in the CHARS and Values of FIN Document Type using cv04n, by modifying the standard layout.
    Any Authorization to control user not to change layouts in cv04n...?
    I have found one Authorization S_ALV_LAYO which restricts to make Global layout, but it allows to make User Defined layouts..
    Any solutions to restrict User not to modify default layout in cv04n?? Or in way can we restrict User not to add CHAR s into search layouts?
    Regards
    Aby

    Hi Aby,
    We can restrict the user from viewing the documents based on document type and authorization group. This can be achieved by implementing BADI  "DOCUMENT_SEARCH01" and interface "CHANGE_SEARCH_ORDER". Inside this we can do an authority check on each document (DOKAR), using standard authorization object for document type C_DRAW_TCD. And similarly authorization group (BEGRU) can be checked using auth obj C_DRAW_BGR can be checked.
    The authority check can be done in following way,
    LOOP AT EACH DOC.
        AUTHORITY-CHECK OBJECT 'C_DRAW_TCD'
             ID 'DOKAR' FIELD LV_DOKAR                              " LV_DOKAR is doc no.
             ID 'ACTVT' FIELD '03'.                                           " 03 is display mode
    Similarly check for auth grp.
    Hope this will help you. If you need any more inputs let me know.

  • Exact details of users connected-APPS

    Dear all,
    Tried various varieties of queries to find out the exact details of users connected in oracle EBS.. tried thru sysadmin-users-monitor also.. but it shows all the old users ..
    I need to get the users who are connected at the time when I execute the query
    is this possible in EBS using query ?
    If so, please do tell me ?
    Thanks
    Yusuf

    Hi,
    Forms sessions: yes as they are session based.
    Framework sessions: no as they are not session based.
    See:
    Re: USERS CONNECTED
    Re: No of Apps users log-in.
    Re: Need to find the SID of a forms session.
    Regards,
    Gareth
    Blog: http://garethroberts.blogspot.com/

  • User permission issue in connecting to Oracle using java in Cent OS

    Hi ,
    I am facing a peculiar issue and since I am new to Cent OS, I hope somebody can help me.
    I am using Cent OS 4.2 and I installed Oracle client 10.2 in cent os 4.2.
    I am having a java application which connects to Oracle server in another Linux system using Oracle OCI driver which comes along with Oracle client
    I have a user called user1 which belongs to group group1 as primary group and my application runs under this user user1.
    This user is a member of oinstall group (which is the group for oracle user which has access to oracle client directories/files)
    But when my application tries to connect to Oracle server, I am getting connectivity error saying "Oracle driver not found" or "cannot load libocijdbc10.so". All environment variables like ORACLE_HOME, PATH,CLASSPATH, LD_LIBRARY_PATH are set properly.
    The permissions to Oracle folder/files are rwx for owner(oracle user) , rx for group(oinstall) and none for others
    What we observed are
    1. When the application is start under root user, it works
    2. When we give rx permission to others, it works
    3. When we make oinstall group as the primary group for my user user1, it works
    My questions here
    1. Why it is not working even though my user user1 is a member of oinstall group
    2. Why it is working when I make oinstall as the primary group
    3. Is there any difference in security policy of RHEL and Cent OS
    4. How can I access libraries from multiple folders which created by different user and belongs to different groups, if this is the case
    I never faced this issue in RHEL4
    Hope some body can help me.
    Regards
    Sunil
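
A diagnostic for the situation described in the post above, added here as an example and not code from the thread: it evaluates plain Unix mode bits for a given uid and set of group IDs along a directory path, and lists groups the account database grants that the running process does not carry. The function names are hypothetical, and POSIX ACLs and SELinux are assumed not to be in play.

```python
import os
import pwd
import stat
import sys


def class_bits(st, uid, gids):
    """rwx bits that apply to (uid, gids). The kernel picks exactly one class:
    owner if the uid matches, else group, else other. They do not add up."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 0o7
    if st.st_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def first_denied(base, target, uid, gids):
    """Check base and every component below it down to target. Return
    (path, reason) for the first one these credentials cannot pass, or None.
    Directories need search (x); the final file needs read (r).
    Mode bits only: POSIX ACLs and SELinux policy are not evaluated."""
    if uid == 0:
        return None  # root is not limited by mode bits for read/search
    base, target = os.path.abspath(base), os.path.abspath(target)
    rel = os.path.relpath(target, base)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("target must be inside base")
    paths = [base]
    if rel != os.curdir:
        for part in rel.split(os.sep):
            paths.append(os.path.join(paths[-1], part))
    for path in paths:
        st = os.stat(path)
        bits = class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode):
            if not bits & 0o1:
                return (path, "no search (x) permission on directory")
        elif not bits & 0o4:
            return (path, "no read (r) permission on file")
    return None


def groups_not_carried(username):
    """Group IDs the account database grants username but this process does
    not hold. Supplementary groups are fixed when the session or service
    starts, so a membership added later is missing until it is restarted."""
    pw = pwd.getpwnam(username)
    configured = set(os.getgrouplist(username, pw.pw_gid))
    carried = set(os.getgroups()) | {os.getegid()}
    return configured - carried


if __name__ == "__main__":
    # Run as the application user; both paths are supplied by the operator.
    if len(sys.argv) != 3:
        sys.exit("usage: check_access.py BASE_DIR LIBRARY_PATH")
    base_dir, library = sys.argv[1], sys.argv[2]
    creds = set(os.getgroups()) | {os.getegid()}
    print("process uid/gids:", os.geteuid(), sorted(creds))
    print("first denied    :", first_denied(base_dir, library, os.geteuid(), creds))
    name = pwd.getpwuid(os.getuid()).pw_name
    print("granted but not carried:", sorted(groups_not_carried(name)))
```

Run it from the same shell or service context that starts the application, since that is the process whose group list matters.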

    Sorry, I should have been more specific. The error message I was referring to shows up in a pop-up windows when I try to run the program. The actual java error message (that shows up in the command prompt window) is as follows:
    "Exception in thread "main" java.lang.UnsatisfiedLinkError: C:\WINNT\system32\ocijdbc8.dll: The specified procedure could not be found
    at java.lang.ClassLoader$NativeLibrary.load(Native Method)
    at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1473)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1397)
    at java.lang.Runtime.loadLibrary0(Runtime.java:788)
    at java.lang.System.loadLibrary(System.java:832)
    at oracle.jdbc.oci8.OCIDBAccess.logon(OCIDBAccess.java:192)
    at oracle.jdbc.driver.OracleConnection.<init>(OracleConnection.java:142)
    at oracle.jdbc.driver.OracleDriver.getConnectionInstance(OracleDriver.java:214)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:193)
    at java.sql.DriverManager.getConnection(DriverManager.java:512)
    at java.sql.DriverManager.getConnection(DriverManager.java:171)
    at lookup.main(lookup.java:16)"
    I'm running the program through Windows 200 Pro command prompt, and the version of java is, as I mentioned in the previous message, 1.4.1:
    java -version
    java version "1.4.1_01"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_01-b01)
    Java HotSpot(TM) Client VM (build 1.4.1_01-b01, mixed mode)

  • Allow connection to RDS applications and restrict RDP connection for domain users

    I have configured RDS setup, with the following Roles: RD Web Access, RD Gate Way, RD Connection Broker, RD Session Host and RD Licensing.
    the problem is that the domain users can't run the published applications unless I add the "Domain Users" group into the remote desktop users on the RDS servers, but now all domain users can connect RDP to the RDS servers.
    so we need domain users to connect to the RDS published applications and restricting them from connecting RDP to the RDS servers, in addition I can see that internal servers are accessible from outside through the RD gateway server.
    any ideas ? 

    Hi,
    Thank you for posting in Windows Server Forum.
    For a test you can create one group, assign the specified user under that group. Add that group under “Remote Desktop User” local group. For getting access to published Remote Application you can simply assign\add the group under collection properties of the
    application and that user can get access.
    For restricting user to server remotely, you can add that group of user under “Deny logon through remote desktop service” under User Rights assignment. Also you can check “Deny
    New User Logons to an RD Session Host Server” settings.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Connect to oracle sys user

    Hi folks
    when i try to connect to oracle sys user from the unixbox its opening an idle instance .
    [u01/appl/ora817]$ set ORACLE_SID=fclaie1
    [u01/appl/ora817]$ sqlplus
    SQL*Plus: Release 8.1.7.0.0 - Production on Thu Feb 28 09:37:55 2008
    (c) Copyright 2000 Oracle Corporation. All rights reserved.
    Enter user-name: / as sysdba
    Connected to an idle instance.
    SQL>
    can someone suggest me why an idle instance is starting rather than the normal instance .
    Your expert suggestion is highly appreciated
    Thanks

    Connected to an idle instance.
    Idle Instance means the instance has not started.
    You can issue
    c) Copyright 2000 Oracle Corporation. All rights reserved.
    Enter user-name: / as sysdba
    Connected to an idle instance.
    SQL> startup <-- (Here)
    After which your instance will be started. By the way what you mean by normal instance?
    Adith

  • Oracle instance shutdown normal vs immediate (users connected) how-to?

    Hello Oracle crowd, recently, i tried to shutdown my instance Oracle 9.2.0.1.0 using sqlplus shutdown. i assume the default is shutdown normal but the instance would not shutdown. after reading the admin docs i realized it must be waiting for connected users to logoff. my question is how do i get a list of the current users connected so i don't have to resort to: shutdown immediate. pls advise, david.

    Hi,
    the v$session view answers this question, try 'select distinct username from v$session;' . If there are any other users besides your own, you must use 'shutdown immediate'.
