WorkSpace/Schema Developer Security

Hi, I have a schema with some tables. Some of our developers do not have certain access to some of the tables. Example: developer A (another Oracle schema) does not have update or delete on tables X, Y and Z.
I created a workspace, associated the schema with the workspace, and created a user account (HTML DB user) for developer A.
What are the possible ways to easily map the Oracle user security to the HTML DB user account?
Also, what happens when you associate a schema with a workspace? When we access the schema using SQL Workshop, isn't the DB user HTMLDB_PUBLIC_USER? What rights have been given to this HTMLDB_PUBLIC_USER on the schema being associated with a workspace?
More info and questions added:
I have a schema called ft.
I have a workspace called ft linked to schema ft.
I have an application called ft which queries some tables in the ft schema.
I have a schema called orgchart.
I have a workspace called orgchart linked to schema orgchart.
I connect to the DB using SQL*Plus as orgchart, try to select from a table in ft, and get an error.
I create a DAD called wyd (who's your daddy!) without account info.
I connect to HTML DB using
http://server:port/pls/wyd/f?p=ft (alias for ft)
get challenged, and use orgchart credentials.
I can query the records from ft.
Why is this happening?
- thanks
neelesh

Neelesh:
See Re: Bug report: Accessible schemas
The first thing to realize is that access to a schema is given at the workspace level, not at the individual HTML DB user account level. If the workspace has access to a schema, you can't restrict users/developers in that workspace from reading/writing against that schema. HTMLDB_PUBLIC_USER has nothing to do with any of this.
Thanks.

Similar Messages

  • Export users from one workspace/schema to another

    Hello,
    I need to export APEX users from one workspace/schema to a different workspace/schema. I only know how to export a sql file that combines the workspace with the users.
    In addition to that I would like to bundle that with an application package so that I will be able to deploy the entire application all at once. Is this possible?
    In an ideal world, it would be great if someone could send me "step-by-step" directions on how to package and deploy an APEX application so that everything (i.e. all database objects, seed data, application definition, users, graphics, css, js - and tell me in what order each should be created) would be in one script.
    Any help would be appreciated.
    Thanks
    LEH

    LEH,
    You asked a similar question here: How to Create a Packaged Application
    It's best not to start multiple threads on the same topic.
    It is 100% impossible for anyone on this forum to tell you how to create seed data scripts without seeing your schema and understanding what data needs to be seeded. Have you taken the time to read the APEX user's guide on packaging applications? I believe that it's a good place to start, as once you understand the fundamentals of packaged applications, many of your questions will likely be answered.
    As for moving APEX users, you can navigate to any application, click Import/Export, select Export, then click on the Workspace Users tab.
    Thanks,
    – Scott –
    http://spendolini.blogspot.com/
    http://sumnertech.com/

  • Developing security Roles and profiles

    Hi Team,
    Can you guys let me know how to develop security roles and profiles? We are rolling out for a company in Japan, and the config is completed. We are in the process of developing test cases and also security roles and profiles for users. Can somebody guide and help me on this?
    Regards,

    Hi,
    Use Tcode PFCG --> then create any customized roles and profiles for users on a per-module basis.
    user masters: USR01 to 09, UST04,
    profiles: USR10, USR11, UST10S, UST10C,
    authorisations: USR12, USR13, UST12.
    password exceptions USR40.
    History tables (may not be applicable but FYI): users: USH02, USH04,
    profiles: USH10, auths USH12.
    R/3 Security Tcodes
    End User Transactions (Transaction Code | Menu Path | Purpose):
    SU3 | System > User Profile > Own Data | Set address/defaults/parameters
    SU53 | System > Utilities > Display Authorization Check | Display last authority check that failed
    SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer
    Role Administration Transactions (Transaction Code | Menu Path | Purpose):
    PFCG | Tools --> Administration --> User Maintenance --> Roles | Maintain roles using the Profile Generator
    PFUD | | Work on SAP check indicators and field values
    Select: Copy SAP check IDs and field values
    Installation
    1. Initial Customer Tables Fill
    Upgrade
    2a. Preparation: Compare with SAP values
    2b. Reconcile affected transactions
    2c. Roles to be checked
    2d. Display changed transaction codes
    SU24 | | Same as for SU25:
    Select: Change Check Indicators > Maintain Check Indicators > Maintain
    Regards,
    Srini Nookala

  • About users/workspaces/schemas

    Hi,
    I'm sorry if this question sounds stupid, but I'm not very clear on it.
    At my company, we've developed a client/server app, and we want to migrate it to the web.
    Right now I have 5 different clients working with the same database structure: tables, views, sequences, etc... but, of course, the data is different.
    I need to know if these scenarios are possible on Apex for my 5 different clients with their 5 different data collections, so I can choose an apex hosting plan.
    a- Having 1 oracle user owning 5 different workspaces. Each workspace will hold the database structure of each client
    b- Having 1 oracle user owning 1 workspace with 5 different schemas. Each schema will hold the database structure for each client
    c- Having 5 oracle users owning 5 different workspaces. Each workspace will hold the database structure of each client.
    Please let me know which one is possible or the best (in your opinion).
    Thnx in advance
    Fernando

    Without addressing your problem here is some information:
    1. Workspaces are logical boundaries around developers, nothing more. Workspaces have no corresponding database structures. They are merely a name+number association.
    2. Workspaces can have developer and administrator accounts. People who use those accounts are allowed to develop applications, do admin tasks, and use the database tools like the SQL Workshop. Application Express keeps developers and admins in each workspace "away from" developers and admins in other workspaces.
    3. When you develop an application using your workspace developer account, the application is associated with the workspace in ways that isolate it from other applications associated with other workspaces in the same database. This is the basis of Application Express security.
    4. Applications are allowed to contain SQL and PL/SQL code that is "parsed as" a particular database schema. This schema is one of the schemas that has been associated with the workspace. So you might have a workspace named W1 that has schema S1 associated with it and a workspace named W2 that has schema S2 associated with it. Applications developed in workspace W1 will parse as schema S1, and apps developed in workspace W2 will parse as schema S2. Both workspaces W1 and W2 could have schema S3 associated with them too. Then developers in either workspace could choose to build applications that parse as schema S3.
    5. Workspace developers using tools like the SQL Workshop can see the schemas associated with their workspace.
    Related thread: Re: Priveleges to create procedures/functions in schemas
    Scott

  • Developer Security with HTMLDB (Application Express)

    Hi folks. I would appreciate any help I could get with this problem - it's a fairly serious one and I'm hoping for some feedback.
    We are using HTMLDB 2.0 and are using Oracle Applications. We have a rogue developer who has a bit of a control problem - he likes to run UPDATE, DELETE, and INSERT statements against our production database. However, he does develop HTMLDB reports for us and does a good job with that. Is there any way we can limit his developer account in HTMLDB so that he can't run these kinds of queries in the SQL Editor in HTMLDB?
    Any suggestions on how we can limit what kinds of queries he runs?
    Thanks so much!
    Steve

    Are queries run in the SQL Editor logged?
    SQL> desc flows_020000.wwv_flow_sw_sql_cmds
    Name                                      Null?    Type
    ID                                        NOT NULL NUMBER
    COMMAND                                            CLOB
    PARSED_SCHEMA                                      VARCHAR2(30)
    CREATED_BY                                         VARCHAR2(255)
    CREATED_ON                                         DATE
    SECURITY_GROUP_ID                         NOT NULL NUMBER
    The security_group_id maps to the workspace.
    To get the security group id for your workspace, run
    select provisioning_company_id, short_name
    from flows_020000.wwv_flow_companies
    where provisioning_company_id > 10;
    Then you can keep an eye on it with
    select * from flows_020000.wwv_flow_sw_sql_cmds
    where security_group_id = <that long number>
    and lower(command) like '%update%';
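    An added example (not code from the thread) that joins the two FLOWS_020000 tables the answer names, so the workspace can be filtered by its short name instead of a copied number, and anchors the keyword match to the start of the command so that a SELECT against a column such as LAST_UPDATE does not trip it. The workspace short name FT and the 200-character preview length are assumptions.

```sql
-- Added example, not from the original answer.  Targets the HTML DB 2.0
-- schema named in the thread (FLOWS_020000); later Application Express
-- releases keep this log under a different schema name (APEX_xxxxxx).
-- Assumption: the workspace short name is FT (replace with yours).
select c.short_name                        as workspace,
       s.created_on,
       s.created_by                        as htmldb_user,
       s.parsed_schema,
       dbms_lob.substr(s.command, 200, 1)  as command_head   -- first 200 chars of the CLOB
from   flows_020000.wwv_flow_sw_sql_cmds  s
join   flows_020000.wwv_flow_companies    c
  on   c.provisioning_company_id = s.security_group_id      -- security_group_id = workspace
where  c.short_name = 'FT'
  -- Anchored at the start of the statement, so 'select last_update ...' is not a hit.
  -- POSIX [[:space:]] is used instead of \s so the pattern works on every 10g release.
and    regexp_like(s.command,
         '^[[:space:]]*(update|delete|insert|merge|drop|truncate|alter)[[:space:]]',
         'i')
order by s.created_on desc;
```

    A command that starts with a comment, or DML wrapped in an anonymous PL/SQL block, will not match the anchor, so the thread's broader LIKE '%update%' sweep is still worth keeping as a second, noisier pass.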

  • Users / Workspaces / Schemas ?

    Please can someone clarify the relationship between Users, workspaces and schemas . .
    I have 3 schemas (say SchemaA, schemaB and SchemaC) in the database and created three workspaces to correspond to them (WkspA, WkspB and WkspC).
    When it comes to users:
    Manage Application Developers --> create
    Fill in the details and associate userA to SchemaA and workspace wkspA.
    If I also want to allow userA access to WkspB and wkspC how is this achieved?
    Do I have to go back into Manage Application Developers and put in ALL the same info (username, email, first name etc) and associate them with the next workspace (WkspB) and then repeat for WkspC?
    Is this correct - Is there no way of creating a user once and then associating him with multiple workspaces?
    Any advice appreciated.
    Thanks
    Jon

    Jon,
    1. Workspaces are completely isolated from one another in all respects. Nothing is shared between workspaces (except site-wide environment settings).
    2. When you log in to the service admin application (htmldb_admin) you can use that Manage Application Developers link to manage developer accounts in any workspace in the instance. However, you may find it more convenient to manage developers on an individual workspace basis by logging in as the administrator of each workspace and using the administration pages there.
    3. As stated above, user accounts with a given name in one workspace have no relationship to user accounts with the same name in another workspace. User 'JON' in ws A is as separate and distinct from user 'JON' in ws B as User 'X' is from user 'Y' in those two workspaces.
    4. The main reason to create distinct workspaces for different groups of developers is to keep them from seeing/altering/running each other's applications.
    Scott

  • Bi Roles (Developer & Security Admin) in Development System

    My requirement is to create 2 Roles in the BI Development System...
    1) Developer Role
    Tasks that a new developer can perform (create, delete, change InfoObjects, InfoAreas, DataProviders, InfoSources, Source systems, InfoSets, process chains, ..., queries) and also
    ABAP... TRANSPORTS...
    2) Security Administrator
    Can create Roles (PFCG), Authorisation objects, assign the roles to users... etc., transport newly created roles... etc.
    Please update me with the list of Authorisation objects I can use.
    Thanks

    Hi,
    Here are the steps ...
    A role is a collection of entities (such as the User Menu and a Profile) that gets allocated to a user to provide them with the necessary authorisation to do their job. Formerly referred to as an Activity Group .
    Using transaction PFCG
    1. Give the Role name or Activity Group name (Role and Activity Group are the same thing: below version 4.6B it was called Activity Group, now it is called Role).
    2. Then click on the Create button
    Give a description and click on Save
    3. Then click on the Menu tab
    There you will find buttons like Transaction, Reports and Web address ...
    a. Click on the Transaction button.
    After clicking on the Transaction button you will find a screen
    Put in all the transactions you want to assign, then click on the button Assign Transaction,
    say for example transactions SU01 and PFCG for the Administrator.
    b. Then click on the Authorisation tab
    Give a profile name related to your role name and a description
    c. Click on the Change authorization data button
    Here you need to maintain authorizations.
    Open each Object Class (at the end you can find names like BC_A, BC_Z; these are Object Classes)
    For example when you open Object Class BC_A
    you will find Authorisation Objects (i.e. S_USER_AGR, ...)
    When you open each Authorisation Object you will find Field Names and Activities
    Each object has its own fields; here there are two field names (Activity & Activity Group Name)
    Click on the Pencil button and maintain Activities
    After maintaining all activities
    there is a Generate button on the application toolbar; click it to generate profiles
    Then press the Back button
    There is another tab, User; click on that and enter user IDs
    then click on the User Compare button
    Until the User Compare button turns green the user will not get access to the transactions assigned.
    Hope it helps.
    Assign points if helpful.
    Thanks & Regards
    Hemant Khemani

  • SQL Developer security

    Hello,
    Is it possible to "secure" the SQL Developer environment to allow end-users to do queries only? i.e. if an end-user has SQL Developer, potentially data can be modified, inserted, deleted, not to mention tables dropped or even the database.
    Thank you
    Cecilia

    They will have privileges to do whatever you've granted them. SQL Developer has nothing to do with it.

  • SOA Application development & Security Standards document template

    Hi,
    I need to create documents on SOA Application development standards and SOA Application Security standards.
    Please share document templates if anyone has them.
    Thank you

    Hmm, interesting comments. Is it really a Standard that you're after? Not wishing to ask if you like salt with your eggs but I assume we know the differences between Standard, Policy, Procedure? You'd be surprised with the number of so called Security experts /Consultants that can't articulate this. I have seen big 4 people who are meant to be delivering Policy but actually documenting a Standard, even Procedures
    So are you looking at delivering a Standard per Application? You should also have a Generic App Security Standard.
    Standard - you're looking to no more than 10-20 pages.
    SAP hooks into several other documents so you should be explicitly referencing O/S and Database Standards.
    Authenticating against SAP - that should be covered in Access Control Policy /Standard.
    Encryption ....? Your encryption docs and so on.
    SAP sits on an O/S, so if you're an IBM house then you're looking at AIX. SAP would assume this as a pre-req. Database? You've got Oracle and if again you're an IBM house you follow DB2.
    DB2 inherits numerous privs from the underlying O/S. So if AIX is poorly configured, then DB2 inherits this. Of course there's a bunch of stuff that you can do from SYS* parameters etc.
    I've just put together a bunch of stuff for an Org. The actual SAP piece is actually not that hard. The Procedure is a little more specific e.g. specific Install Accounts /Passwords that need to be changed, how you secure external interfaces.
    Please let me know if you need anything further.
    Cheers, N

  • Guide to developing SECURE TOMCAT/JSP web apps - ??

    Hi,
    It would be very useful to have a checklist or guidelines to ensure a JSP/tomcat web site one develops is secure, in particular for the scenario where the web application is not huge/complex &/or is developed by part-time developers. That is I guess I'm generally asking for the easiest way of ensuring one develops a secure JSP/tomcat app.
    Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web app is secure? The types of things I'm thinking of include the following items, which I've put forward as specific questions to the mail group in their own right.
    Q2 - How do you ensure directories under doc root can't be viewed? (ie users see directory listings)
         - is putting an index.html in each sub-directory a solid answer?
         - can this be handled in one hit via WEB.XML entries? If so, an example if possible?
    Above and beyond basic User Authentication checking (eg username/password check at beginning of session) what is an easy but secure way of checking -:
    Q3 check that a (specific) user is allowed to access a specific JSP page? (assuming the web app is a totally JSP based solution, ie no controller servlet frontend, and that all JSP pages are effectively accessible under docroot). Easy way of doing this?
         eg (a) put a specific check at the beginning of each JSP page?
         (b) other?
    and
    Q4 given that a user is allowed to access that JSP page, check that he is allowed to view the data which he has requested? (ie stop people determining how the URL with parameters is constructed and manually changing the parameters - eg changing "http://www.test/test.jsp?id=3" manually to "http://www.test/test.jsp?id=4"). Easy way of doing this?
         eg (a) put a specific check at the beginning of the JSP page?
         (b) other
    Q5 Is it generally acceptable, given appropriate precautions are taken, to set up a web site with all JSP files accessible under doc root, and that the manner in which the user navigates around the application is based on direct calls from the browser to the next JSP page with parameters? (again one concern I have is eg changing "http://www.test/test.jsp?id=3" manually to "http://www.test/test.jsp?id=4"). If this is not acceptable what is recommended?
         (a) as above put a specific check at the beginning of the JSP page
         (b) for example having to specifically put a controller servlet as a front end, and then direct to JSP pages which are hidden?
    - in this case how can one hide specific directories under doc root?
         (c) other??
    Q6. Regarding image security I assume one really does have to store them outside doc root and develop a small "getImage" servlet so that requests for images can be verified to ensure that (assuming the app lets users load images) the end user can't see another user's image?
    Q7. Any other general checklist items for a simple JSP/tomcat web site re security one should check for???
    Thanks in Advance
    Greg

    Have you ever looked at the Jakarta Struts framework for developing web apps? You could then incorporate your custom designed security into your own extension of the controller servlet (check if a particular user has access to certain pages / actions). You can also design your own custom tags which determine whether a particular user has access to certain parts of the page. You can also perform additional checks in the actions, to ensure that the user does have access to certain actions (i.e. checking parameters etc.)

  • HELP - Schema and security principals ?

    Having a great deal of difficulty finding a good description or exposition on the use of SCHEMAS as it pertains to security principals. I've been working with DBs such as AD and Exchange for several years, and am familiar with the concept and use of SCHEMAS in these contexts.
    Specifically ... what and why the necessity to map a (user?) schema to a login/user in SS2k5? Someone please provide a clear (simple ... not too techno-nerd) answer or provide a link to an article/faq/blog/thread where this concept is clearly and FULLY explained.
    Thanks ...

    Thank you for your quick response ... the last two linked articles above helped, but as can always be anticipated, I now have additional questions:
    1)  Clarification ... "SCHEMA" then in the SQL 2k5 context is analogous to "Node" or "sub-domain" as used in a  "schema" (directory actually) such as active directory or DNS?
    2)  An SQL security principal created would then be identified with some sort of FQSN ("fully qualified schema name") such as [DBServer].[DBName].[DBO].[UserName] ... in the case of an SQL user created using the default schema?
    3)  Is there inheritance of properties such as access rights and permissions from parent container to child both on the object(s) themselves as well as rights and permissions granted to the parent schema on other objects anywhere in the [DBServer] tree?
    4)  What is the use and what are the important characteristics/properties of the "DBO" schema ... more specifically in terms of any SQL security principals contained within DBO?
    5)  Related to #3 and #4 above, does default "membership" in the DBO schema grant DB ownership permissions and rights to any SQL security principal created with DBO as the default container? And if so, are those rights and permissions applied "globally" so that any new user with DBO as the default schema would suddenly have DB owner access to all DBs within its parent schema's scope?
    6)  What is the mechanism that maps NTFS, Windows OS, and Windows AD rights/permissions to SQL Security principals that are added to the DBO or other security principal "schema(s)" for security and DB access administration/management?
    7)  Related to #6 above, what are the rules and mechanisms that govern use of SQL Server (and DB) ROLES, LOGINS, and USER objects mapped to Windows and AD security groups ... what are the policies and best practices? ... how do I manage DB access (such as ownership) using Windows groups? ... How do I grant only the least or specifically required access rights to a group of users be they programmers, admins, users, or whatever using Windows AD security groups?
    8)  Lastly, is there an SSMS wizard or TSQL script that can be used to "browse" or navigate the SQL schema hierarchy similar to ADSIEdit or LDP.EXE for AD?
    Thanks again ... EHammer

  • [OBIEE 11g] Enforce star-schema without security filter?

    I have imported my first OLAP cube using the instructions here (http://www.oracle.com/webfolder/technetwork/tutorials/obe/db/11g/r1/olap/biee/createbieemetadata.htm) and have applied the necessary security filter to force the star join between the cube and dimension views. However, the security filter does not apply to users in the BI Administrator user group. Is there any way to do this without a security filter, or somehow apply the security filter even when the user is an administrator?
    Edited by: islan on Jan 22, 2013 7:56 AM
    Edited by: islan on Jan 22, 2013 7:57 AM

    The link in your first posting points to the old way of creating OBIEE metadata for OLAP objects.
    Starting with OBIEE 11.1.1.5, it is much simpler as Oracle-OLAP is one of the data sources in BI-Admin Tool.
    So do not use the old way.
    Start with this doc:
    http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/bi/bi11115/olap/olap.htm
    For your other issue, you need this troubleshooting doc:
    http://www.oracle.com/technetwork/database/options/olap/troubleshootingbieeconnections-504856.pdf
    Note that even though it says OBIEE 11.1.1.5, the above two docs are applicable to 11.1.1.6 and future releases.
    For security, you should define it in OBIEE instead of doing in OLAP.

  • RICEF Security - best practice to develop security specs

    Good Morning All,
    We have a new ECC implementation kicked off; my question is how RICEF security is controlled? What are the standard guidelines practised in industry?
    We are encouraging process teams to start using authorization checks in custom transactions wherever necessary. The ABAP team says this is at the discretion of the BP; ABAP will enforce checks if the Business Process (BP) asks.
    I'm not sure if the BP will take that extra time to think about authorization checks for RICEFs; we, the security team, offered help to the BP, saying we can help in finding appropriate auth objects for their RICEF objects.
    As we cannot really enforce this or push hard, I am trying to think what is the best way to get this in place.
    What I think is that for some custom tcodes, which are low risk reports, there is really no need to introduce a 2nd level check (1st level being S_TCODE), but my concern is that this should not be taken for granted.
    I would like to hear suggestions from group.
    Thank You.
    Edited by: Julius Bussche on Apr 22, 2011 5:46 PM
    Subject title made more meaningful.

    Their job is to make it work and security is very often seen as a barrier
    This is very unfortunate but often true. Security can however also offer cool solutions to spaghetti code and defunct requirements!
    As you correctly state, the reason is often lack of training, awareness and being under pressure from deadlines and complexity. I also suffer under this but have with time learnt that "right first time" is the best way.
    The ideal solution IMO would be to integrate the authority-check statement into both the external and internal license measurement.
    - A program without any authority-check is freeware because anyone can run it.
    - A program with a display auth check run by a user with display authorizations costs 1 cent each time.
    - A program with change / create checks run by a user with change / create authorizations costs 2 cents each time.
    - A program with delete checks run by a user with delete authorizations costs 5 cents each time.
    - Any program with any checks run by a user with FROM --> TO ranges in authorizations costs 20 cents each time.
    - A program with a display auth check run by a user with SAP_ALL costs 100 cents each time.
    - etc...
    This way, developers will add as many appropriate checks to their code as they can so that it generates revenue from the application. Business process owners will try to restrict the authority-checks to only those really needed and will restrict authorizations as much as possible to exact values when testing their roles.
    Would work like a charm... but I'm sure there is a catch somewhere... 
    Cheers,
    Julius
    Edited by: Julius Bussche on Apr 24, 2011 12:07 AM

  • Is there any plan to develop secure iPad mirroring over common ports?

    We're very interested in offering our faculty the option of projecting their in-class lectures from their iPads. Unfortunately, the lack of security and the special WIFI ports required are making this very difficult for our facilities and security staff to implement in our wireless infrastructure. We feel there is a real potential benefit in new, more interactive lecturing styles that could come out of this practice. Is Apple aware of the desire for this, and if so, is there any sense of when a secure solution might be available?

    AirPlay is only using pretty standard ports - 80, 443, 554, 3289 and 5353 - so it's not something most sites would have blocked, or other normal network functions from most platforms wouldn't work either. Hence it really shouldn't be a security issue. If you're blocking those ports, you may want to revisit that and see if it's really necessary. If you must block those, then AirPlay probably just isn't going to work for you. Changing would probably require Apple to revamp much of its networking structure and use even less common ports.
    A more common issue in large institutions is the problem with dealing with multiple WiFi access points and the need to have the iPad and the Apple TV on the same subnet. Those are often more difficult issues to solve.
    Regards.

  • Oracle  grant schema level security

    I have multiple schemas for different applications in the same database.
    Each time an object is created, access to it is granted to the appropriate role.
    I don't like using the SELECT ANY TABLE privilege.
    I would love to see a GRANT SELECT ON SCHEMA XXXX TO ZZZZZ;
    This would be almost like the SQL SERVER (YUK) DB_DATAREADER privilege.
    I have not seen anything to indicate Oracle 11g has this support.

    Are you just complaining or asking a question?
    You can use something like:
    create or replace trigger do_grant
    after create on schema
    declare
        l_str varchar2(255);
        l_job number;
    begin
        -- only react to tables; views and other object types are ignored
        if ( ora_dict_obj_type = 'TABLE' )
        then
            -- the GRANT cannot run inside the DDL trigger itself, so it is
            -- queued as a job that runs (as this schema) once the CREATE commits;
            -- the double quotes are swapped for single quotes before submission
            l_str := 'execute immediate "grant select on ' ||
                                         ora_dict_obj_name ||
                                        ' to scott";';
            dbms_job.submit( l_job, replace(l_str,'"','''') );
        end if;
    end;
    /
    as posted here in asktom:
    http://asktom.oracle.com/pls/asktom/f?p=100:11:4434422967201937::::P11_QUESTION_ID:646423863863
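    An added check (not from the thread) for the role-based form of the same idea: because the trigger above only fires on CREATE, tables that existed before it was installed get no grant, so this query lists every table in a schema that the reader role still lacks SELECT on and emits the missing GRANT statements. The schema HR_APP and role HR_READ_ROLE are assumed names; run it as the schema owner, or as a DBA swap ALL_TAB_PRIVS for DBA_TAB_PRIVS (whose column is OWNER rather than TABLE_SCHEMA).

```sql
-- Added example, not from the AskTom post.  Assumed names: schema HR_APP,
-- reader role HR_READ_ROLE.  Run as HR_APP so that ALL_TAB_PRIVS shows the
-- grants on its own objects.
select t.table_name,
       'grant select on ' || t.owner || '.' || t.table_name
         || ' to HR_READ_ROLE;'                  as missing_grant   -- remediation, not yet run
from   all_tables t
where  t.owner = 'HR_APP'
and    not exists (
         select 1
         from   all_tab_privs p
         where  p.table_schema = t.owner         -- column is OWNER in DBA_TAB_PRIVS
         and    p.table_name   = t.table_name
         and    p.grantee      = 'HR_READ_ROLE'
         and    p.privilege    = 'SELECT')
order by t.table_name;
```

    An empty result means the role covers every table in the schema; anything listed is a gap the trigger could not have closed.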
