Users, privileges and roles problem!
Hi everyone,
I am using oracle 10.2.0.
I have a user (dba1) who is the owner of tables in my database. I have connected to sqlplus as sysdba and created the role admin and granted the admin all the privileges.
SQL> grant all privileges to admin;
Grant succeeded.
SQL>
Then I granted the admin role to the user dba1:
SQL> grant admin to dba1;
Grant succeeded.
I have created another role, sel_role and given that role the privileges to select tables. For example:
SQL> grant select on kund to sel_role;
Grant succeeded.
Now I have created another user, Anton, and have given that user the role sel_role:
grant sel_role to Anton;
Grant succeeded.
Now when I try to log in as anton and try to use the select statement which is given to Anton by sysdba, using the sel_role, to select the table kund, I got an error:
SQL> connect anton/oracle
Connected.
SQL> select * from kund;
select * from kund
ERROR at line 1:
ORA-00942: table or view does not exist
What could be the solution to this problem?
Thanks in advance
Solomon Yakobson wrote:
Connect as sysdba and issue:
ALTER USER anton DEFAULT ROLE ALL;
SY.
Same problem!
SQL> alter user anton default role all;
User altered.
SQL> connect anton/oracle
Connected.
SQL> select * from kund;
select * from kund
ERROR at line 1:
ORA-00942: table or view does not exist
Similar Messages
-
Report to see user type and roles assigned to users in EP?
Hi,
a) Is there any reporting mechanism in EP? Any specific report which throws up user types and roles assigned to the users? There is an option of 'Export' in the user management role but unfortunately it does not give information on User Type.
b) If the group is assigned a role, How can we see ( in any report) the roles assigned to a group? In the 'export' option of the 'User Management' this information does not come.
By default Portal UME comes along with the installation of portal.
Sometimes we may integrate external users using LDAP. At that time users come from ABAP stack or some active directories. But you can also create users in the portal UME. The purpose of using LDAP is to maintain the users centrally rather than creating again in portal.
You can check them in user administration->identity management and search for the users.
There you can see some users will be from UME and some from LDAP.
User Admin tool is nothing but User Administration only.
Raghu -
Hello,
how can I save userparameters and userroles?
We use a CUA.
After a client copy I have to create all parameters and roles for all the users in this client anew!
How can I solve this problem?
Hello Fabian,
Did not get your issue. In case you have done client copy involving copy of user master data then user master of source will show up in target . If you have done without it then no data will be changed.
Please clearly explain what your problem is.
Regards.
Ruchit. -
I use CS_ADMIN to login DB, querying its role
select * from dba_role_privs where grantee = 'CS_ADMIN';
GRANTEE GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE
CS_ADMIN RESOURCE NO YES
CS_ADMIN CONNECT NO YES
CS_ADMIN DBA NO YES
Then I query the DBA'S privilege
select * from role_sys_privs rsp WHERE rsp.privilege LIKE '%TABLESPACE%' AND rsp.role = 'DBA'
ROLE PRIVILEGE
DBA DROP TABLESPACE
DBA ALTER TABLESPACE
DBA CREATE TABLESPACE
DBA MANAGE TABLESPACE
Then we can see that the CS_ADMIN user has the DBA role and the DBA role can create a tablespace.
But I use CS_ADMIN to create a procedure to run a statement in the package
EXECUTE IMMEDIATE 'create tablespace...';
The procedure will throw an error, ORA-01031: insufficient privileges
But I can directly run the 'create tablespace...' statement in the command pattern.
Why?
Thanks.
I recommend before you post you always search for the error.
There have been questions in this forum on this very error really more than a million times, just because most people don't like to put effort in resolving their own issues.
That said, the cause is always the same: roles are disabled during compilation of pl/sql.
However, I think creating a tablespace in pl/sql is fundamentally evil, as it makes you lose control over the database.
Sybrand Bakker
Senior Oracle DBA -
Privileges and Roles Based Views
Hello,
I have been configuring Roles Based Views with Windows radius authentication on our 2960's and 3750's and it is working great. I have 2 users, one with a Roles Based View called "priv3" and the other is for admins who log in as the "root" view. I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!! If you know if they can then all this would be solved, I'm using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
How can I convert the Roles Based Views to privileges and use radius and not affect the other switches, as I've never used privileges.
I hope someone can help with the config:
Below is the config I use on the 2960's and 3750's and also what I use on the radius servers. I guess I would need to use a priv 15 setup and a custom view called priv3?
Priv3 radius user settings
cisco av-pair cli-view-name=priv3
Priv 15 or root user settings
cisco av-pair shell:priv-lvl=15
cisco av-pair shell:cli-view-name=root
Config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 3750
boot-start-marker
boot-end-marker
logging buffered 64000
logging console informational
logging monitor informational
enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
udld aggressive
no ip domain-lookup
ip domain-name CB-DI
login on-failure log
login on-success log
crypto pki trustpoint TP-self-signed-3817403392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3817403392
revocation-check none
rsakeypair TP-self-signed-3817403392
crypto pki certificate chain TP-self-signed-3817403392
certificate self-signed 01
removed
quit
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 8192
vlan internal allocation policy ascending
ip ssh version 2
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/24
interface Vlan1
description ***Default VLAN not to be used***
no ip address
no ip route-cache
no ip mroute-cache
shutdown
interface Vlan10
description ****
ip address 10.10.150.11 255.255.255.0
no ip route-cache
no ip mroute-cache
ip default-gateway 10.10.150.1
ip classless
no ip http server
ip http secure-server
logging trap notifications
logging facility local4
logging source-interface Vlan10
logging 10.10.21.8
logging 172.23.1.3
access-list 23 permit 10.10.1.65
snmp-server community transm1t! RO
snmp-server trap-source Vlan10
radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
access-class 23 in
no exec
transport input ssh
parser view priv3
secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
! Last configuration change at 16:34:56 BST Fri Apr 13 2012
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show arp
commands exec include show privilege
commands exec include show interfaces status
commands exec include show interfaces Vlan10 status
commands exec include show interfaces Vlan1 status
commands exec include show interfaces GigabitEthernet2/0/12 status
commands exec include show interfaces GigabitEthernet2/0/11 status
commands exec include show interfaces GigabitEthernet2/0/10 status
commands exec include show interfaces GigabitEthernet2/0/9 status
commands exec include show interfaces GigabitEthernet2/0/8 status
commands exec include show interfaces GigabitEthernet2/0/7 status
commands exec include show interfaces GigabitEthernet2/0/6 status
commands exec include show interfaces GigabitEthernet2/0/5 status
commands exec include show interfaces GigabitEthernet2/0/4 status
commands exec include show interfaces GigabitEthernet2/0/3 status
commands exec include show interfaces GigabitEthernet2/0/2 status
commands exec include show interfaces GigabitEthernet2/0/1 status
commands exec include show interfaces GigabitEthernet1/0/12 status
commands exec include show interfaces GigabitEthernet1/0/11 status
commands exec include show interfaces GigabitEthernet1/0/10 status
commands exec include show interfaces GigabitEthernet1/0/9 status
commands exec include show interfaces GigabitEthernet1/0/8 status
commands exec include show interfaces GigabitEthernet1/0/7 status
commands exec include show interfaces GigabitEthernet1/0/6 status
commands exec include show interfaces GigabitEthernet1/0/5 status
commands exec include show interfaces GigabitEthernet1/0/4 status
commands exec include show interfaces GigabitEthernet1/0/3 status
commands exec include show interfaces GigabitEthernet1/0/2 status
commands exec include show interfaces GigabitEthernet1/0/1 status
commands exec include show interfaces Null0 status
commands exec include show interfaces
commands exec include show configuration
commands exec include show
commands configure include interface GigabitEthernet1/0/1
commands configure include interface GigabitEthernet1/0/2
commands configure include interface GigabitEthernet1/0/3
commands configure include interface GigabitEthernet1/0/4
commands configure include interface GigabitEthernet1/0/5
commands configure include interface GigabitEthernet1/0/6
commands configure include interface GigabitEthernet1/0/7
commands configure include interface GigabitEthernet1/0/8
commands configure include interface GigabitEthernet1/0/9
commands configure include interface GigabitEthernet1/0/10
commands configure include interface GigabitEthernet1/0/11
commands configure include interface GigabitEthernet1/0/12
commands configure include interface GigabitEthernet2/0/1
commands configure include interface GigabitEthernet2/0/2
commands configure include interface GigabitEthernet2/0/3
commands configure include interface GigabitEthernet2/0/4
commands configure include interface GigabitEthernet2/0/5
commands configure include interface GigabitEthernet2/0/6
commands configure include interface GigabitEthernet2/0/7
commands configure include interface GigabitEthernet2/0/8
commands configure include interface GigabitEthernet2/0/9
commands configure include interface GigabitEthernet2/0/10
commands configure include interface GigabitEthernet2/0/11
commands configure include interface GigabitEthernet2/0/12
ntp logging
ntp clock-period 36028961
ntp server 10.10.1.33
ntp server 10.10.1.34
end
Thanks!!!!
DBelt --
Hopefully this example suffices.
Setup
SQL> CREATE USER test IDENTIFIED BY test;
User created.
SQL> GRANT CREATE SESSION TO test;
Grant succeeded.
SQL> GRANT CREATE PROCEDURE TO test;
Grant succeeded.
SQL> CREATE ROLE test_role;
Role created.
SQL> GRANT CREATE SEQUENCE TO test_role;
Grant succeeded.
SQL> GRANT test_role TO test;
logged on as Test
SQL> CREATE OR REPLACE PACKAGE definer_rights_test
2 AS
3 PROCEDURE test_sequence;
4 END definer_rights_test;
5 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END definer_rights_test;
9 /
Package body created.
SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
2 AUTHID CURRENT_USER
3 AS
4 PROCEDURE test_sequence;
5 END invoker_rights_test;
6 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END invoker_rights_test;
9 /
Package body created.
SQL> EXEC definer_rights_test.test_sequence;
BEGIN definer_rights_test.test_sequence; END;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
ORA-06512: at line 1
SQL> EXEC invoker_rights_test.test_sequence;
PL/SQL procedure successfully completed.
SQL> SELECT test_seq.NEXTVAL from dual;
NEXTVAL
1 -
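Added example, not part of the thread above: an audit query for the split the two packages demonstrate, listing each privilege an account holds and whether it arrives by direct grant or only through a role. It assumes SQL*Plus, read access to the DBA_* views, and the TEST account from the setup; it uses CONNECT BY so that it also runs on 10.2.

```sql
-- Added example (not from the thread). TEST is the account created in the
-- setup above; substitute the account being audited (e.g. CS_ADMIN, USER1).
-- Grants made to PUBLIC are not listed.
VARIABLE grantee VARCHAR2(30)
EXEC :grantee := 'TEST'

WITH role_tree AS (
  -- every role reachable from the account, including roles granted to roles
  SELECT DISTINCT granted_role
  FROM   dba_role_privs
  START  WITH grantee = :grantee
  CONNECT BY PRIOR granted_role = grantee
),
priv_paths AS (
  -- system privileges granted straight to the account
  SELECT sp.privilege AS privilege, '(direct)' AS granted_via
  FROM   dba_sys_privs sp
  WHERE  sp.grantee = :grantee
  UNION ALL
  -- system privileges that arrive by way of a role
  SELECT sp.privilege, sp.grantee
  FROM   dba_sys_privs sp
  JOIN   role_tree rt ON rt.granted_role = sp.grantee
  UNION ALL
  -- object privileges granted straight to the account
  SELECT tp.privilege || ' ON ' || tp.owner || '.' || tp.table_name, '(direct)'
  FROM   dba_tab_privs tp
  WHERE  tp.grantee = :grantee
  UNION ALL
  -- object privileges that arrive by way of a role
  SELECT tp.privilege || ' ON ' || tp.owner || '.' || tp.table_name, tp.grantee
  FROM   dba_tab_privs tp
  JOIN   role_tree rt ON rt.granted_role = tp.grantee
)
SELECT privilege,
       granted_via,
       -- a privilege counts as usable in stored definer-rights code only if
       -- at least one of its grant paths is a direct grant
       CASE MAX(CASE WHEN granted_via = '(direct)' THEN 1 ELSE 0 END)
              OVER (PARTITION BY privilege)
         WHEN 1 THEN 'direct grant: usable in definer-rights PL/SQL'
         ELSE 'role only: not usable in definer-rights PL/SQL'
       END AS stored_plsql_status
FROM   priv_paths
ORDER  BY privilege, granted_via;
```

Rows flagged "role only" are the ones that need either a direct grant or an AUTHID CURRENT_USER unit, as in the invoker_rights_test package above.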
I am a PC user and I have Adobe Creative Cloud Muse 2014. I have received the 'Could not sign you in [Access denied: 530]. Check your user name and password' error when trying to upload my muse site to my ftp host, GoDaddy. I have successfully done this in the past and only recently it has stopped working. I looked online at the FAQ Adobe Muse Help | Uploading an Adobe Muse Site to a third-party hosting service and it said to download the ftpprefs.xml file but this file simply leads to a blank page that says /*Not found*//*Not found*/.
Can someone direct me to a working page with this file or provide a different solution? Thank you!
Hello,
As you are getting error [Access denied: 530] it means issue is with access. Either the username and password you are entering is incorrect or you do not have proper permissions.
I would suggest you to contact Godaddy to either reset password or reset the permissions.
Regards
Vivek -
ValidTo and ValidFrom for privileges and roles (since SP2) - no effect
Hi IDM Community,
has anybody tried the new functionality that you can enter validfrom and validto values for role assignments and privilege assignments in business roles?
In my case I can define these values in a workflow but I don't see any effect. There are no values for these attributes written to the database. I think that normally there should be some MX_PENDING_VALUE objects created in which the validfrom, validto should be stored. But nothing happens. When I define a validfrom, validto value for a privilege in a business role and submit the change and view the details of the role again there is no validto or validfrom assigned for this privilege.
Has anybody encountered the same problem?
BR
Jörn Kaplan
Hello,
I am testing the abap -- initial load (SP2)"WriteABAPUsersRolePrivilegeAssigments"-pass with the ValidTo and ValidFrom and the "sap_getTimeDependentPrivilege"- Jscript.
There is always an error:
"putNextEntry failed storingXXXXXXX
Exception from Modify operation:java.lang.IllegalArgumentException: Entry does not exist - entry: XXXXXXX
The logonuid XXXXXXX is stored in sap%$rep.$NAME%roleAssign and sap%$rep.$NAME%role.
SP1 is running!
But I don't want to lose TimeDependentPrivilege like in Initial Load (SP1)
Who can help me?
BR Chris -
Is there User Group and Role Reporting in SAP Enterprise Portal?
I want to know if there is a way to pull users statistics our of SAP Enterprise Portal like you can out of the R3 backend systems.
I would like functionality similar to the SUIM transaction. I know through user administration you can access any user, even a list of all users, and you can do similar lists with roles and groups. You can then access any of these things individually and look at their assignments. However, I want to do this on a large scale. I want to know for example every group that has a user assigned to it. Every group that has roles assigned to it. Or groups that have no user or role assignments. We have approximately 1904 groups in our Production Portal system and I am trying to clean up the groups that have no user assignment, but I don't want to look through them one by one.
Hi Chris,
There is no standard report available for this purpose. However all this information is stored in table UME_STRINGS.
You can write your own SQL queries to generate such reports. However please note that this table is not normalized, and it's a master UME table. You should use it strictly for READ ONLY purpose.
For sample code which I wrote some time back, you might refer to:
http://forums.sdn.sap.com/thread.jspa?threadID=2088099&messageID=10859334#10859334
Thanks
Prashant -
System Privileges, Object Privileges and Roles in Oracle 10g r2
Hello,
I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
I have visited administrator reference manual and other documents from docs.oracle.com but could not find this information.
Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
Thanks,
R
Rich V wrote:
Hello,
I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
I have visited administrator reference manual and other documents from docs.oracle.com but could not find this information.
Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
Thanks,
R
Hi, you can use the dba_role_privs, role_sys_privs views; for more information see
http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/admusers.htm
http://www.cuddletech.com/articles/oracle/node36.html -
Check users authorizations and role
Hello!
How can I check the authorizations of
Web Dynpro application users and also his role.
Thanks
rgds
sas
Hi,
Pl go through Following link
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/webdynpro/wd%20java/web%20dynpro%20security.pdf
https://help.sap.com/javadocs/index.html
use the method isMemberOfRole.
Regards
Ayyapparaj -
Hi All
I ran these queries
SELECT GRANTEE, PRIVILEGE,GRANTABLE FROM DBA_TAB_PRIVS
WHERE TABLE_NAME='TABLE1' AND GRANTEE IN ('USER1', 'USER_ROLE');
GRANTEE PRIVILEGE GRANTABLE
USER1 SELECT NO
USER1 INSERT NO
USER1 DELETE NO
USER1 UPDATE NO
USER_ROLE SELECT YES
USER_ROLE INSERT YES
USER_ROLE DELETE YES
USER_ROLE UPDATE YES
SELECT 'ROLE' TYP, GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM DBA_ROLE_PRIVS WHERE GRANTEE ='USER1';
TYP GRANTEE GRANTED_ROLE ADMIN_OPTION
ROLE USER1 CONNECT NO
ROLE USER1 RESOURCE NO
ROLE USER1 USER_ROLE NO
My question is since the USER1 is granted the role of USER_ROLE, will it cause conflict to the table privilege?
Because I can't perform Insert when I'm using USER1. It gives me an error of ORA-01031: insufficient privileges SQL source: ..
Since you did not mention how you are performing the Inserts/DML's on the TABLE1, and you are facing privileges issues, I presume you are performing it from a PL/SQL Block. However, the privileges acquired via a Role are not valid in Function/Procedure. You need to have explicit privileges to perform an action in Function/Procedure.
Even without the privilege, you would be able to perform the Inserts/DML's as in static SQL statements that are not contained in PL/SQL blocks.
Try:
grant insert on table1 to user1; -
User groups and permissions problem
Hello everyone,
I've been running Arch Linux for about a month now and I have noticed a few things related to permissions associated with user groups that annoy me. My user is part of the storage, wheel and network groups, amongst others. I can see this when I run the `groups` command. From what I could read on the Wiki, the storage group should allow me to mount/umount drives such as my USB key and my iPod when they are plugged in and access the files from my user account without using sudo. The network group should let me manage the network connection via ifconfig, iwconfig, etc. once again without using sudo.
However, when I run iwconfig as my normal user, I get incomplete and inaccurate information. I get about 2 lines telling me essentially that I am not associated with any Access Point, which I clearly am. When I run it with sudo, I get the full information, including my Access Point's ESSID. iwconfig does not get the same data when run with and without sudo. Same goes with ifconfig. Also, I can not run dhcpcd or wpa_supplicant at all as a normal user.
I get a similar problem with the storage group. I can not mount or umount drives without sudo and I can not write to mounted drives that I've mounted with sudo. This is particularly annoying when I try to manage my iPod.
Does anyone have a clue what could be causing this?
Thanks a lot
I have searched Google and the Arch Wiki, have tried a lot of the suggestions from the forums, such as the 'how I beat policykit and hal' forum post. Nothing seems to let me mount my drives. I can see them in Nautilus, I click them but they don't mount. I can do it as root. It's really frustrating because I can't figure it out. I haven't filed a bug report because I thought it was a problem that I was having.
I haven't tried the iwconfig or network yet.
This is pretty much the only thing holding me back from everything working. -
Advanced Group Policy Management - On privileges and roles
Hello!
We are rolling out AGPM 4.0 SP2. Seems to work well enough.
We currently have more than one set of standard permissions. For example, our Citrix team controls GPOs for Citrix, our Desktop team controls GPOs for desktops, etc.
Is there no way to delineate this in AGPM?
My first thought was that I could use PowerShell to rapidly set, and regularly audit and auto-correct these privileges. True to Group Policy form, there is limited PowerShell support - in this case, none at all.
My second thought was that templates might include AGPM roles. So I could say 'Group X has privileges to Template A,' 'Group Y and Z have privileges to Template B,' and so forth. When I create a template, it would include those permissions.
Nope.
I'm all for opening up access, but this might be a tough sell. Am I the only one who has disparate security boundaries around group policies? Am I overlooking a solution to this?
Thanks!
RCM
Have you thought about multiple AGPM Servers, one for each group? Each AGPM store could utilize separate standard permissions and control the subset of policies which are within the scope of the group. You can even use Group Policy itself to manage a multiple AGPM Server environment.
Brandon
MDOP on the Springboard Series on TechNet -
End User Authorizations and Roles
Hi,
What are all the authorizations I need to give to an End User who uses the device?
Is it necessary for the userid to be the same in the MI Client, MI server and Backend systems?
Let me explain what an end user does
>logs into MI client
>performs first synchronization
>Executes Mobile Application assigned
>and performs synchronization at the end of the day
rgds,
Kiran
Hi Kiran
Probably I wasn't clear with my reply. You need to assign both the above mentioned authorizations to the same user who is performing a sync from the MI Client. S_ME_SYNC is required for the user to perform a sync from MI Client to MI server. S_RFC is required for the same user so that the data can be transferred from MI server to SAP backend and vice versa.
Hope I am clear now
Best Regards
Sivakumar -
Impossible to set up a TC with admin and users privileges
Hi,
Sorry for my english first. I'm not an english speaker...
For one week I've been playing with my TC to try to set it up with admin and user privileges and haven't succeeded in finding a good way to do it....
What I want to do: set up my TC so that I'm an admin and can do whatever I want in the folders of each user. I want the users to have access to one folder with their name. Let's say I would like to use my TC like a usual network drive or NAS.
What I discovered: if I enable file sharing with accounts on my TC and define two users user1 and user2 with Read write privileges, user1 can see a folder user1 and put whatever he wants in it and there's a shared folder for user1 and user2. BUT I cannot be admin on the TC when account filesharing is on. It means I cannot put anything in user1 folder because I don't see user1 folder. It is just like if you have user accounts on TC you can just change the privileges but not define an administrator. I'm able to see user1 folder for instance solely by changing the filesharing back to secure shared disks "with time capsule password". If I do so I can see all the folders on the TC.
But it's very annoying because it means that each time I want to put a file inside the folder of one of my users, I have to restart my TC "with time capsule password", put the file, set it up back to user account and restart the TC again.... Not really practical!
Anyone got an idea how to use the TC with user accounts (one admin and other users...)
I forgot to mention that I tried also another method: giving guest access to TC to my two users but there are several problems here: first they can only read (if not they would have the same privileges as me) what means they can put any document in the TC. Second, they see all the folders on the TC and the idea is that they can only see the shared one....