OCP Blog
Super DBA
Script generate all user privileges in one report
by Vazha Mantua Monday, May 14, 2012 12:09 PM

Good Day All.

Our task is get all privileges granted for user and create report based on this information. As you know privileges gives on user directly or on his role. Privileges divided by 2 part: system and object.

Let see example, create report for user Scott

1.Create repository table for store data:

create table vm_user_privs(privilege varchar2(100),user_name varchar2(100),object_name varchar2(100));

2. Main script

declare
cursor c_user is
select a.username from dba_users a
where a.username='SCOTT';
p_user varchar2(100);

begin
open c_user;
loop
fetch c_user into p_user;
insert into vm_user_privs
select /*+ rule */ a.privilege,p_user,a.table_name from dba_tab_privs a where a.grantee=p_user
union all
select /*+rule */ b.privilege,p_user,b.table_name from dba_tab_privs b where b.grantee in (select b1.granted_role from dba_role_privs b1 where b1.grantee=p_user)
union all
select /*+ rule */ c.privilege,p_user,null from dba_sys_privs c where c.grantee=p_user
union all
select /*+rule */ d.privilege,p_user,null from dba_sys_privs d where d.grantee in (select b2.granted_role from dba_role_privs b2 where b2.grantee=p_user);
commit;
EXIT WHEN c_user%NOTFOUND;
end loop;
close c_user;
end;

3. See result:

select * from vm_user_privs

How Prevent user with alter user privileges from changing password of sys and system users.
by Vazha Mantua Wednesday, August 17, 2011 10:26 AM

Good Day My friends,

 

Today we will discuss about one small security issue for users which have an alter user privileges. Our Task is avoid from these users privileges changing password of system users.

In metalink we found article about this issue. Note id is 271077.1 , which tell us create system trigger for avoiding this case.

 

SQL> conn  / as sysdba
Connected.

SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
AFTER ALTER on SCOTT.schema
BEGIN
IF ora_sysevent='ALTER' and ora_dict_obj_type = 'USER' and
(ora_dict_obj_name = 'SYSTEM' or ora_dict_obj_name = 'SYS')
THEN
RAISE_APPLICATION_ERROR(-20003,
'You are not allowed to alter SYSTEM/SYS user.');
END IF;
END;
/

Trigger created.

 

Now we can see a result:

SQL> conn scott/tiger
Connected.
SQL>alter user system identified by manager;
alter user system identified by manager
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
SQL> alter user sys identified by manager;
alter user sys identified by manager
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5
SQL> alter user dbsnmp identified by dbsnmp;
User altered.

 

 

But There are one mistake , which found my student Mariam Kupatadze.

 

Password of user system changed. trigger works after alter user user, correct version is before alter for prevent changing password!

 

Finally we give you correct version of trigger:

SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass 
BEFORE ALTER on SCOTT.schema
BEGIN
IF ora_sysevent='ALTER' and ora_dict_obj_type = 'USER' and
(ora_dict_obj_name = 'SYSTEM' or ora_dict_obj_name = 'SYS')
THEN
RAISE_APPLICATION_ERROR(-20003,
'You are not allowed to alter SYSTEM/SYS user.');
END IF;
END;
/

Trigger created.

 

 

 

Tags: , , , , , , , , ,

Filter by APML

Calendar

<<  December 2017  >>
MoTuWeThFrSaSu
27282930123
45678910
11121314151617
18192021222324
25262728293031
1234567

View posts in large calendar

TextBox